Hi Michael, hi list,
Please take a look at
http://jessekornblum.livejournal.com/253772.html. You are correct that when the user forces password
caching the password is in fact cached. On the other hand, there are
so many false positives that it's difficult to find only TC passphrases.
On Sep 14, 2009, at 10:47 AM, Michael Felber, Steufa Chemnitz, IT-Forensik wrote:
Hello Jesse, hello list,
today I gave the cryptoscan plugin a try. The dump comes
from an XP with SP3. That should not be problematic because the
structure the plugin looks for is OS-independent, isn't it?
In the case where I forced TrueCrypt (v6.2a) to cache the passphrases in
memory, I saw it as plain text:
<image003.jpg>
XWF was not able to allocate that offset (phys. 0x18218c84) to a
single process.
But I was not able to find the described structure either with the
plugin or manually. The dump is from a test case I use for forensic
classes. So I could provide it for further analysis.
It additionally includes cached domain credentials, waiting for
extraction….
Cu
Michael
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
--
Jesse
research(a)jessekornblum.com