[Vol-users] Plugin to find TrueCrypt passphrases

Attached please find a Volatility plugin to scan for TrueCrypt passphrases using the method described in Brian Kaplan's thesis, 'RAM is Key, Extracting Disk Encryption Keys From Volatile Memory', pages 22-23. You can downlaod the thesis at http://www.andrew.cmu.edu/user/bfkaplan/. Usage: python volatility cryptoscan -f [FILE] The output will look like: Found TrueCrypt passphrase "8964h khI@*TGUIG!!" at offset 0x65f8094 cheers, -- Jesse jessek(a)speakeasy.net