Re: [Vol-dev] Finding Truecrypt passphrases
Jesse Kornblum
14 Sep
2009
14 Sep
'09
5:53 p.m.
Hi Michael, hi list,
Please take a look at http://jessekornblum.livejournal.com/
253772.html. You are correct that when the user forces password
caching the password is in fact cached. On the other hand, there are
so many false positives that it's difficult to find only TC passphrases.
On Sep 14, 2009, at 10:47 AM, Michael Felber , Steufa Chemnitz, IT-
Forensik wrote:
Hello Jesse, hello list,
today I have given a try to the cryptoscan-plugin. The dump comes
from an XP with SP3. That should not be problematic because the
structure the plugin looks for is os-independent, isn’t it?
In the case I forced Truecrypt (v6.2a) to cache the passphrases in
memory I saw it as plain text:
<image003.jpg>
XWF was not able to allocate that offset (phys. 0x18218c84) to a
single process.
But I was not able to find the described structure neither with the
plugin nor manually. The dump is from a test case I use for forensic
classes. So I could provide it for further analysis.
It additionally includes cached domain credentials, waiting for
extraction….
Cu
Michael
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
--
Jesse
research(a)jessekornblum.com