October182008

New Plugins: suspicious, cryptoscan

If your looking for new Volatility plugins, you may want to check out the vol-users mailing list. Jesse Kornblum just released two new plugins:

  • suspicious: “The plugin considers a command line to be suspicious if it contains the word “TrueCrypt” or if it starts with a lower case drive letter. The latter is indicative of a manually typed command line.
  • cryptoscan: “The plugin scans for TrueCrypt passphrases using the method described in Brian Kaplan’s thesis, ‘RAM is Key, Extracting Disk Encryption Keys From Volatile Memory’”.

Thanks for the contributions, Jesse! Note: I have not tested either of these plugins.

Page 1 of 1