Hi everybody,
Here's a Volatility plugin to first recover the command line for each process and
then find any suspicious ones. I wrote it to get a feel for the framework's
object model. Please note that the current version of the framework has a (soon
to be corrected) bug that can result in a crash. Don't panic!
The plugin considers a command line to be suspicious if it contains the word
"TrueCrypt" or if it starts with a lower case drive letter. The latter is
indicative of a manually typed command line. I've found it handy to examine
TrueCrypt command lines because they can contain the filename of a mounted
protected volume.
Cheers,
--
Jesse
jessek(a)speakeasy.net
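The two heuristics described in the post (a command line that mentions TrueCrypt, or one that starts with a lower-case drive letter), written out as a stand-alone Python example. This is an added illustration, not Jesse's plugin and not Volatility code: it does not touch the framework's object model at all, and instead runs over a small constructed table of PID-to-command-line strings that stands in for what the plugin recovers from process objects. It goes slightly beyond the post in two places, both of which are assumptions of this example rather than anything the post states: the TrueCrypt match is case-insensitive, and a helper pulls the container path out of a `/v` or `/volume` switch, which is TrueCrypt's command-line syntax for naming the volume to mount.

```python
import re

# Constructed sample data: PID -> recovered command line. Not taken from a real
# memory image; it only stands in for what a Volatility process walk returns.
SAMPLE_CMDLINES = {
    4: "",
    512: r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    1320: r'"C:\Program Files\TrueCrypt\TrueCrypt.exe" /v D:\work\vault.tc /l x /q',
    1560: r"c:\tools\nc.exe -l -p 4444",
    1700: r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    1880: r"truecrypt /q",
}

# Optional opening quote, then a lower-case drive letter, colon and backslash.
# The post treats a lower-case drive letter as a sign of a hand-typed command.
LOWER_DRIVE_RE = re.compile(r'^"?[a-z]:\\')

# Assumption of this example: TrueCrypt names the container to mount with
# /v <path> or /volume <path>; the path may be quoted if it has spaces.
TC_VOLUME_RE = re.compile(r'/v(?:olume)?\s+("[^"]+"|\S+)', re.IGNORECASE)

REASON_TRUECRYPT = "mentions TrueCrypt"
REASON_LOWER_DRIVE = "starts with a lower-case drive letter"


def is_suspicious(cmdline):
    """Return the list of reasons a command line is suspicious (empty if none)."""
    reasons = []
    # Case-insensitive match is an extension of the post's literal "TrueCrypt".
    if "truecrypt" in cmdline.lower():
        reasons.append(REASON_TRUECRYPT)
    if LOWER_DRIVE_RE.match(cmdline):
        reasons.append(REASON_LOWER_DRIVE)
    return reasons


def truecrypt_volume(cmdline):
    """Return the container path named by /v or /volume, or None if absent
    (for example when the volume was mounted through the GUI instead)."""
    m = TC_VOLUME_RE.search(cmdline)
    return m.group(1).strip('"') if m else None


def find_suspicious(cmdlines):
    """Map PID -> (reasons, volume path or None) for every suspicious command line."""
    hits = {}
    for pid, cmdline in cmdlines.items():
        reasons = is_suspicious(cmdline)
        if reasons:
            hits[pid] = (reasons, truecrypt_volume(cmdline))
    return hits


if __name__ == "__main__":
    for pid, (reasons, volume) in sorted(find_suspicious(SAMPLE_CMDLINES).items()):
        line = "PID %5d: %s" % (pid, "; ".join(reasons))
        if volume:
            line += " (volume: %s)" % volume
        print(line)
```

Two caveats worth keeping in mind when reading the output: the volume path only shows up when TrueCrypt was driven from the command line with a `/v` switch, so a container mounted through the GUI will still be flagged but with no path; and a lower-case drive letter is only a hint that someone typed the command by hand, so treat that hit as a prompt to look closer rather than as a finding on its own.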