I've currently been working on recovering a passphrase for an encrypted volume from a memory dump. The memory dump was taken using MoonSols DumpIt on Windows XP SP3 with TrueCrypt v7.1. To do so I used Cryptoscan, written by Jesse Kornblum (aka Computer Forensics Research Guru). Thanks to Jesse for the great work!
I encountered some problems while trying to get it running because, as it turned out later, Windows’s built-in ZIP extractor missed some of the files when I closed the Explorer window. So if you’re getting any errors, I recommend extracting it all over again and making sure you have Python 2.6 as opposed to version 2.7 (in my experience it works on both, though).
Once you copy cryptoscan.py to the memory_plugins folder, you’re ready to go.
To test it, open a command prompt, change to the folder with your copy of Volatility and type the following command:
    C:\Volatility-1.3_Beta> python volatility cryptoscan --help
    Usage: cryptoscan [options] (see --help)
      -h, --help            show this help message and exit
      -f FILENAME, --file=FILENAME
                            (required) XP SP2 Image file
      -b BASE, --base=BASE  (optional, otherwise best guess is made) Physical
                            offset (in hex) of directory table base
      -t TYPE, --type=TYPE  (optional, default="auto") Identify the image type
                            (pae, nopae, auto)
If, instead of the message above, you’re getting an error saying "'python' is not recognized as an internal or external command, operable program or batch file." then it probably means the Path environment variable isn’t set up correctly (page 4 of installation document). You can check it by typing 'echo %Path%' in a command prompt.
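The three failure points above (an incomplete ZIP extraction, the plugin missing from memory_plugins, and python not being on Path) can be checked in one pass. This is an added example, not part of Cryptoscan or Volatility and not the author's code; it assumes a current Python 3 interpreter rather than the Python 2.6 that Volatility runs under, and the function names and the sample archive in demo() are constructed for illustration.

```python
import os
import shutil
import tempfile
import zipfile


def missing_from_extraction(zip_path, extract_dir):
    """List archive members that are absent or truncated under extract_dir."""
    missing = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(extract_dir, *info.filename.split("/"))
            if not os.path.isfile(target) or os.path.getsize(target) != info.file_size:
                missing.append(info.filename)
    return missing


def preflight(zip_path, extract_dir, volatility_dir):
    """Return a list of problems; an empty list means the setup looks complete."""
    problems = ["incomplete extraction: " + name
                for name in missing_from_extraction(zip_path, extract_dir)]
    plugin = os.path.join(volatility_dir, "memory_plugins", "cryptoscan.py")
    if not os.path.isfile(plugin):
        problems.append("plugin not installed: " + plugin)
    if shutil.which("python") is None:
        problems.append("'python' not found on Path")
    return problems


def demo():
    """Constructed sample: a tiny stand-in archive extracted with one file skipped."""
    work = tempfile.mkdtemp()
    zip_path = os.path.join(work, "sample.zip")
    members = {"vol/volatility": b"#!python\n",
               "vol/memory_plugins/example.py": b"pass\n"}
    with zipfile.ZipFile(zip_path, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    out = os.path.join(work, "out")
    with zipfile.ZipFile(zip_path) as zf:
        zf.extract("vol/volatility", out)  # simulate an extractor that stopped early
    return preflight(zip_path, out, os.path.join(out, "vol"))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

For a real setup, call preflight() with the downloaded Volatility archive, the folder it was extracted into, and the Volatility folder itself.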
That’s it for now. If you have any questions then leave a comment.
In the next post I’ll cover how to update Cryptoscan to get it working with the current version of TrueCrypt.