
Volatility Plugins for TrueCrypt passphrases, suspicious processes [Oct. 21st, 2008|10:19 pm]
jessekornblum

I've written two plugins for the Volatility memory analysis framework:
  • cryptoscan - Scans a memory image (or really anything) for TrueCrypt passphrases using the method described in Brian Kaplan's thesis, RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, pages 22-23. According to that paper, passphrases are stored in a structure containing a passphrase length and then 64 bytes of passphrase data. The data must contain exactly length ASCII characters and all remaining bytes must be zeros.

  • suspicious - Displays the command line from 'suspicious' processes. A process is considered to be suspicious by this plugin if it contains the phrase 'TrueCrypt' or starts with a lowercase drive letter. You are of course welcome to expand that definition!
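As an added illustration of both heuristics above (this is example code written for this page, not the cryptoscan or suspicious plugin itself), the block below implements the structure check summarised from Kaplan's thesis over a constructed byte buffer and the command-line test for "suspicious" processes. The post does not say how wide the length field is or what byte order it uses, so a 4-byte little-endian integer is assumed; the sample "memory image" is constructed inline and contains one well-formed record plus a decoy whose padding is not all zeros.

```python
import re
import struct
from typing import List, Tuple

# Per the post's summary of Kaplan's thesis: a length field followed by
# 64 bytes of passphrase data. The width/endianness of the length field is
# NOT stated in the post; a 4-byte little-endian integer is assumed here.
PASSPHRASE_FIELD_LEN = 64
LENGTH_FMT = "<I"
LENGTH_WIDTH = struct.calcsize(LENGTH_FMT)
RECORD_LEN = LENGTH_WIDTH + PASSPHRASE_FIELD_LEN


def is_passphrase_record(length: int, field: bytes) -> bool:
    """True if `field` (64 bytes) holds exactly `length` printable ASCII
    bytes followed only by zero padding. Length 0 is rejected because a run
    of zeros would otherwise match at every offset of the image."""
    if len(field) != PASSPHRASE_FIELD_LEN or not 1 <= length <= PASSPHRASE_FIELD_LEN:
        return False
    body, padding = field[:length], field[length:]
    return all(0x20 <= b < 0x7F for b in body) and not any(padding)


def scan_for_passphrases(image: bytes) -> List[Tuple[int, str]]:
    """Slide a window over the buffer one byte at a time and return
    (offset, passphrase) for every position that passes the structure check."""
    hits = []
    for off in range(len(image) - RECORD_LEN + 1):
        length = struct.unpack_from(LENGTH_FMT, image, off)[0]
        field = image[off + LENGTH_WIDTH: off + RECORD_LEN]
        if is_passphrase_record(length, field):
            hits.append((off, field[:length].decode("ascii")))
    return hits


# The post's heuristic: the command line mentions TrueCrypt, or it begins
# with a lowercase drive letter such as "c:".
SUSPICIOUS_CMDLINE = re.compile(r"TrueCrypt|^[a-z]:")


def is_suspicious(cmdline: str) -> bool:
    """Return True if a process command line matches the heuristic above."""
    return SUSPICIOUS_CMDLINE.search(cmdline) is not None


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory image: filler, one well-formed
    record, and a decoy whose padding contains a stray non-zero byte."""
    good = struct.pack(LENGTH_FMT, 11) + b"correct pwd".ljust(PASSPHRASE_FIELD_LEN, b"\x00")
    decoy_field = bytearray(b"decoy".ljust(PASSPHRASE_FIELD_LEN, b"\x00"))
    decoy_field[-1] = 0x01  # non-zero byte inside the padding: must be rejected
    decoy = struct.pack(LENGTH_FMT, 5) + bytes(decoy_field)
    return b"\x90" * 32 + good + b"filler bytes" + decoy + b"\x00" * 16


if __name__ == "__main__":
    for off, pw in scan_for_passphrases(build_sample_image()):
        print(f"candidate passphrase at offset {off:#x}: {pw!r}")
    for cmd in (r"c:\tools\run.exe",
                r"C:\Program Files\TrueCrypt\TrueCrypt.exe",
                r"C:\Windows\explorer.exe"):
        print(f"{'SUSPICIOUS' if is_suspicious(cmd) else 'ok        '} {cmd}")
```

Because the check is purely structural, it reports any length-prefixed, zero-padded ASCII string of this shape, so hits from a real image are candidates to be verified rather than confirmed passphrases; as the comments below note, the layout itself only applies to the older TrueCrypt versions the thesis examined.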
To use these plugins, save them to the memory_plugins file in the Volatility distribution. From the command line, type:

C:\> python volatility cryptoscan -f [FILENAME]

These plugins only work on one file at a time. Enjoy!

Comments:
From: (Anonymous)
2009-06-15 05:41 pm (UTC)

Re: nvalid module [cryptoscan.py]

Hi,

I have been evaluating Volatility Framework and the cryptoscan plugin is a great development considering that it reveals the truecrypt passphrase.

Just would like to find out under what conditions the cryptoscan plugin works? I have tested on a target system with a hidden volume created by truecrypt v6.2a. The acquired memory image is then loaded in Volatility with the cryptoscan plugin but there are no passphrases detected.
From: jessekornblum
2009-06-15 05:47 pm (UTC)

Re: nvalid module [cryptoscan.py]

As noted in the paper, this method only works on older versions of TrueCrypt.
From: (Anonymous)
2009-07-06 12:59 pm (UTC)

Re: nvalid module [cryptoscan.py]

Apparently, I have tested with TrueCrypt v4.3 and even the earliest version of TrueCrypt v1.0 but unable to reveal the TrueCrypt passphrase.

The memory is dumped out by Mantech MDDv1.3 and the option in TrueCrypt to cache the password in memory is checked also. Please do advise me on this. Thanks.
From: jessekornblum
2009-07-06 01:22 pm (UTC)

Re: nvalid module [cryptoscan.py]

I'm sorry, I'm not sure what's going wrong for you.