jessekornblum (![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small} jessekornblum) wrote,@ 2008-10-21 22:19:00 |
|
| Entry tags: | forensics, memory analysis, python, volatility |
Volatility Plugins for TrueCrypt passphrases, suspicious processes
I've written two plugins for the Volatility memory analysis framework:
- cryptoscan - Scans a memory image (or really anything) for TrueCrypt passphrases using the method described in Brian Kaplan's thesis, RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, pages 22-23. According to that paper, passphrases are stored in a structure containing a passphrase length and then 64 bytes of passphrase data. The data must contain exactly length ASCII characters and all remaining bytes must be zeros.
- suspicious - Displays the command line from 'suspicious' processes. A process is considered to be suspicious by this plugin if it contains the phrase 'TrueCrypt' or starts with a lowercase drive letter. You are of course welcome to expand that definition!
C:\> python volatility cryptoscan -f [FILENAME]
These plugins only work on one file at a time. Enjoy!
