[Vol-users] Plugin to find TrueCrypt passphrases

Jesse Kornblum jessek at speakeasy.net
Fri Oct 17 08:59:19 CDT 2008

Attached please find a Volatility plugin to scan for TrueCrypt passphrases using
the method described in Brian Kaplan's thesis, 'RAM is Key, Extracting Disk
Encryption Keys From Volatile Memory', pages 22-23. You can downlaod the thesis
at http://www.andrew.cmu.edu/user/bfkaplan/.


python volatility cryptoscan -f [FILE]

The output will look like:

Found TrueCrypt passphrase "8964h khI@*TGUIG!!" at offset 0x65f8094

jessek at speakeasy.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptoscan.py
Type: application/octet-stream
Size: 5720 bytes
Desc: not available
Url : https://lists.volatilesystems.com/pipermail/vol-users/attachments/20081017/4664dc01/cryptoscan.obj

More information about the Vol-users mailing list