[Vol-users] Plugin to detect suspicious command lines

Jesse Kornblum jessek at speakeasy.net
Fri Oct 17 09:03:11 CDT 2008

Hi everybody,

Here's a Volatility plugin to first recover the command line for each process and
then find any suspicious ones. I wrote it to get a feel for the framework's
Object model. Please note that the current version of the framework has a (soon
to be corrected) bug that can result in a crash. Don't panic!

The plugin considers a command line to be suspicious if it contains the word
"TrueCrypt" or if it starts with a lower case drive letter. The latter is
indicative of a manually typed command line. I've found it handy to examine
TrueCrypt command lines because they can contain the filename of a mounted
protected volume.


jessek at speakeasy.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: suspicious.py
Type: application/octet-stream
Size: 6180 bytes
Desc: not available
Url : https://lists.volatilesystems.com/pipermail/vol-users/attachments/20081017/c48965ed/suspicious.obj
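
The two heuristics described in the message, written out as an added example. This is not the attached suspicious.py and does not use the Volatility API: it takes already-recovered (pid, command line) pairs, and the sample data, function names, the case-insensitive "TrueCrypt" match and the tolerance for a leading quote are all assumptions made here.

```python
import re

# Optional opening quote, then a lower-case drive letter and a colon.
# Tolerating the quote is an assumption; the message only says "starts with".
LOWER_DRIVE = re.compile(r'^"?[a-z]:')
KEYWORD = "truecrypt"  # matched case-insensitively (assumption)


def reasons(cmdline):
    """Return the names of the heuristics a command line trips."""
    hits = []
    if not cmdline:  # some processes have no recoverable command line
        return hits
    text = cmdline.strip()
    if KEYWORD in text.lower():
        hits.append("truecrypt")
    if LOWER_DRIVE.match(text):
        hits.append("lowercase-drive")
    return hits


def find_suspicious(processes):
    """processes: iterable of (pid, cmdline). Returns flagged entries."""
    flagged = []
    for pid, cmdline in processes:
        hits = reasons(cmdline)
        if hits:
            flagged.append((pid, cmdline, hits))
    return flagged


# Constructed sample data, not taken from a real memory image.
SAMPLE = [
    (4, None),
    (1032, r'C:\WINDOWS\system32\svchost.exe -k netsvcs'),
    (1820, r'"C:\Program Files\TrueCrypt\TrueCrypt.exe" /v "C:\Docs\taxes.tc"'),
    (2044, r'c:\tools\report.exe --all'),
    (2100, r'"c:\program files\truecrypt\truecrypt.exe" /v e:\vault.tc'),
    (2200, r'cmd.exe /c dir'),
]

if __name__ == "__main__":
    for pid, cmdline, hits in find_suspicious(SAMPLE):
        print(pid, ",".join(hits), cmdline)
```
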
