[Vol-dev] Finding Truecrypt passphrases

Jesse Kornblum research at jessekornblum.com
Mon Sep 14 16:53:43 CDT 2009


Hi Michael, hi list,

Please take a look at
http://jessekornblum.livejournal.com/253772.html. You are correct that
when the user forces password caching the password is in fact cached.
On the other hand, there are so many false positives that it's
difficult to find only TC passphrases.



On Sep 14, 2009, at 10:47 AM, Michael Felber, Steufa Chemnitz, IT-Forensik wrote:

> Hello Jesse, hello list,
>
> today I have given a try to the cryptoscan-plugin. The dump comes  
> from an XP with SP3. That should not be problematic because the  
> structure the plugin looks for is os-independent, isn’t it?
> In the case I forced Truecrypt (v6.2a) to cache the passphrases in  
> memory I saw it as plain text:
> <image003.jpg>
> XWF was not able to allocate that offset (phys. 0x18218c84) to a  
> single process.
> But I was not able to find the described structure, either with the
> plugin or manually. The dump is from a test case I use for forensic
> classes. So I could provide it for further analysis.
> It additionally includes cached domain credentials, waiting for  
> extraction….
>
> Cu
>
> Michael

-- 
Jesse
research at jessekornblum.com




