New Plugins: suspicious, cryptoscan
- suspicious: “The plugin considers a command line to be suspicious if it contains the word ‘TrueCrypt’ or if it starts with a lower case drive letter. The latter is indicative of a manually typed command line.”
- cryptoscan: “The plugin scans for TrueCrypt passphrases using the method described in Brian Kaplan’s thesis, ‘RAM is Key, Extracting Disk Encryption Keys From Volatile Memory’”.
Thanks for the contributions, Jesse! Note: I have not tested either of these plugins.
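
The two rules quoted for the suspicious plugin can be sketched as a small triage pass over process command lines. This is an added example, not the plugin's code: the case-insensitive keyword match, the tolerance for a leading double quote, and the process records are all assumptions constructed for illustration.

```python
import re

# Assumption: the plugin's exact matching is not shown on the page. Here the
# keyword match is case-insensitive and a leading double quote is tolerated
# before the drive letter.
LOWER_DRIVE = re.compile(r'^"?[a-z]:')
KEYWORD = "truecrypt"


def suspicious_reasons(cmdline):
    """Return the list of rules a command line trips (empty if none)."""
    if not cmdline:  # kernel/system processes often have no command line
        return []
    text = cmdline.lstrip()
    reasons = []
    if KEYWORD in text.lower():
        reasons.append("mentions TrueCrypt")
    if LOWER_DRIVE.match(text):
        # Windows normally records launcher-generated paths with an upper-case
        # drive letter; lower case suggests the command was typed by hand.
        reasons.append("lower-case drive letter")
    return reasons


def triage(processes):
    """Filter (pid, name, cmdline) records down to the flagged ones."""
    flagged = []
    for pid, name, cmdline in processes:
        reasons = suspicious_reasons(cmdline)
        if reasons:
            flagged.append((pid, name, reasons))
    return flagged


# Constructed sample records, not output from a real memory image.
SAMPLE = [
    (4, "System", None),
    (1232, "explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    (1908, "TrueCrypt.exe", r'"C:\Program Files\TrueCrypt\TrueCrypt.exe"'),
    (2044, "cmd.exe", r"c:\windows\system32\cmd.exe /k dir e:"),
    (2310, "notepad.exe", r'"c:\tools\notepad.exe" notes.txt'),
    (2400, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, name, reasons in triage(SAMPLE):
        print(pid, name, "; ".join(reasons))
```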