There’s been a minor update to the batch script that I’ve provided with Cryptoscan, as the previous version was limited to the versions of Windows supported by Volatility 1.3 beta. I know that to truly solve the problem I should have ported the module to Volatility 2.0, but I already tried it and miserably failed. Anyone want to help? ;>
The new batch script runs Cryptoscan using version 1.3 and then the other two modules (i.e. Strings and Modules) using version 2.0.
To get it working, here are 3 simple steps:
2. Extract 'Volatility-2.0.standalone' to the same folder as before.
3. Extract 'Cryptoscan' to the same folder too (overwrite if asked).
You can run ‘Cryptoscan.cmd’ now and enjoy! ;)
If you have some problems getting it working then check my previous post or leave a comment.
PS. There's been a small change to the provided binaries. Instead of GnuWin32, the batch script now uses UnxUtils, since they do exactly the same job and are smaller in size.
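For readers who want to see what the batch script's three stages actually do to the data, here is the same filtering written in plain Python. This is an added example, not code from the post or from the Cryptoscan download: the Cryptoscan candidate lines, the strings-plugin lines and the truecrypt.sys base/size are all constructed (the module's base and size are invented values), and it assumes the decimal-offset:string line format that the Volatility 2.0 strings plugin reads through -s. Stage 1 cleans the candidate list (empty candidates are what make the strings plugin abort), stage 2 output is parsed back into (physical offset, owner, virtual address, text), and stage 3 keeps only the kernel strings whose virtual address falls inside the TrueCrypt driver's image range, which is what the grep/sed/gawk chain is meant to do.

```python
"""
Added example (not part of the original post or the Cryptoscan package):
a plain-Python version of the three-stage filter that Cryptoscan.cmd
wires together with grep/sed/gawk. Every input below is constructed.
"""
import re

# Stage 1: Cryptoscan candidates in the "<decimal offset>:<string>" form that
# the Volatility 2.0 strings plugin reads via -s. Constructed sample; the
# empty candidate at offset 200 is the kind of line that breaks strings.
CRYPTOSCAN_LINES = [
    "125768196:truefish88",
    "200:",
    "360230888:Device Parameters",
    "362397688:0001",
    "362495984:ImapiService",
]

# Stage 2: strings plugin output, "<physoffset> [<owner>:<vaddr>] <string>".
# Constructed to match the shape of the listing quoted in the comments.
STRINGS_LINES = [
    "125768196 [kernel:b2c85204] truefish88",
    "360230888 [kernel:d113cfe8] Device Parameters",
    "362397688 [kernel:d11f2ff8] 0001",
    "362495984 [kernel:d121cff0] ImapiService",
    "419430400 [1234:00401000] notepad",  # user-mode hit, not the driver
]

# Stage 3: the one 'modules' row we care about. Base and size are
# hypothetical, chosen so that only the first string lands inside.
TRUECRYPT_MODULE = {"name": "truecrypt.sys", "base": 0xB2C80000, "size": 0x30000}

# Same threshold as the "length < 4" change suggested in the comments.
MIN_PASSWORD_LEN = 4


def clean_candidates(lines, min_len=MIN_PASSWORD_LEN):
    """Drop malformed and too-short Cryptoscan candidates before strings -s sees them."""
    kept = []
    for line in lines:
        offset, sep, text = line.partition(":")
        if not sep or not offset.isdigit() or len(text) < min_len:
            continue
        kept.append((int(offset), text))
    return kept


def render_strings_file(candidates):
    """Produce the text that would be handed to the strings plugin via -s."""
    return "".join(f"{offset}:{text}\n" for offset, text in candidates)


# Tolerates the "vaddr ]" spacing seen in the quoted output as well as "vaddr]".
STRINGS_RE = re.compile(r"^(\d+)\s+\[([^:\]]+):([0-9a-fA-F]+)\s*\]\s*(.*)$")


def parse_strings_line(line):
    """Return (physoffset, owner, vaddr, text) or None for an unparseable line."""
    m = STRINGS_RE.match(line)
    if not m:
        return None
    phys, owner, vaddr, text = m.groups()
    return int(phys), owner, int(vaddr, 16), text


def in_module(vaddr, module):
    """True if a kernel virtual address lies inside the module's image range."""
    return module["base"] <= vaddr < module["base"] + module["size"]


def driver_strings(strings_lines, module, min_len=MIN_PASSWORD_LEN):
    """Keep kernel-owned strings that live inside the given driver's image."""
    results = []
    for line in strings_lines:
        parsed = parse_strings_line(line)
        if parsed is None:
            continue
        phys, owner, vaddr, text = parsed
        if owner != "kernel" or not in_module(vaddr, module):
            continue
        if len(text) < min_len:
            continue
        results.append((phys, vaddr, text))
    return results


if __name__ == "__main__":
    print("(1/3) strings file for -s:")
    print(render_strings_file(clean_candidates(CRYPTOSCAN_LINES)), end="")
    print("(3/3) strings inside %s:" % TRUECRYPT_MODULE["name"])
    for phys, vaddr, text in driver_strings(STRINGS_LINES, TRUECRYPT_MODULE):
        print(f"{phys} {vaddr:08x} {text}")
```

The gawk stage in the batch script relies on --non-decimal-data to read the address column numerically; this example instead parses that column as hex explicitly with int(vaddr, 16), so addresses without a 0x prefix are handled. Against a real image you would replace the constructed lists with the files the batch script writes (the Cryptoscan output, the strings plugin output and the base/size of truecrypt.sys from the modules plugin).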
Hi, looks like a great idea but it isn't working for me.
I tried it with Win7 and TrueCrypt 7.0a, but no passwords were found, and the following errors occurred:
Please enter the image path (e.g. C:\John-PC.raw, without quotation marks)
: a.raw
What Windows was it taken from (e.g. WinXPSP3x86, VistaSP2x86, Win7SP1x86) ?
: Win7SP1x86
(1/3) Running Cryptoscan.
(2/3) Associating strings with the processes they belong to.
Volatile Systems Volatility Framework 2.0
ERROR : volatility.plugins.strings: String file format invalid.
(3/3) Eliminating strings that don't belong to the TrueCrypt's driver.
Volatile Systems Volatility Framework 2.0
Finished extracting data.
Press any key to continue . . .
And on a virtual Win XP SP2 with True Crypt 6.3a
Please enter the image path (e.g. C:\John-PC.raw, without quotation marks)
: a.raw
What Windows was it taken from (e.g. WinXPSP3x86, VistaSP2x86, Win7SP1x86) ?
: WinXPSP2x86
(1/3) Running Cryptoscan.
(2/3) Associating strings with the processes they belong to.
Volatile Systems Volatility Framework 2.0
ERROR : volatility.plugins.strings: String file format invalid.
(3/3) Eliminating strings that don't belong to the TrueCrypt's driver.
Volatile Systems Volatility Framework 2.0
Finished extracting data.
Press any key to continue . . .
Re my earlier message, I was running the wrong version of python.
Hi Shooflypie,
Is it working for you now?
Should you receive the same error again, it means that the results of the Cryptoscan plugin returned some empty strings, which, when the Strings module tries to associate them with a memory offset, make it crash. You can fix it by modifying line 89 in 'memory_plugins\cryptoscan.py' to this:
if length > maxLength or length < 4:
This basically tells the Cryptoscan module that the password has to be at least 4 characters long. It's a dirty hack but should help.
Thanks for your feedback and please let me know if you still encounter any problems.
Bart
Thanks for your help Bart. I'm looking at adapting cryptoscan to work for other OTFE such as BitLocker and FreeOTFE.
I've had to make a couple of small changes to get the script to work for me, I've put an upload including python at christopherdoman.com/files/cryptoscan.zip
I had to edit the last line to remove the awk script, I'm not sure what it does but it seems to not print out the key:
type "output\passwords_vol.txt" | grep kernel | sed "s/\[kernel://g" | gawk --non-decimal-data "{ if(($2)+0 >= \"\" && ($2)+0 <= \"\") print $3 }"
Whereas without the last bit, it will:
type "output\passwords_vol.txt" | grep kernel | sed "s/\[kernel://g"
I also had to change the second stage to use volatility 1.3, otherwise I get the error:
(2/3) Associating strings with the processes they belong to.
Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
File "", line 135, in
File "", line 126, in main
File "../volatility\build\pyi.win32\pyinstaller\vol.pkz/volatility.commands",
line 101, in execute
File "C:\volatility\volatility\plugins\strings.py", line 88, in render_text
ValueError: need more than 1 value to unpack
Which leads to a slightly different Cryptoscan.cmd-
::CHANGES HERE - WAS volatility.exe strings --profile=%profile% -f "%file%" -s "%pwd_output%" > "%str_output%"
python volatility strings --profile=%profile% -f "%file%" -s "%pwd_output%" > "%str_output%"
::CHANGED HERE - WAS type "%str_output%" | grep %grep_param% | sed %sed_param% | gawk --non-decimal-data "{ if(%awk_lcondition% && %awk_rcondition%) print $3 }"
type "%str_output%" | grep %grep_param% | sed %sed_param%
When I run the amended batch file, I get the key, along with a couple of extra options
Found passwords:
125768196 b2c85204 ] truefish88 <--- This is the key
360230888 d113cfe8 ] Device Parameters
362397688 d11f2ff8 ] 0001
362495984 d121cff0 ] ImapiService
Press any key to continue . . .
Hi Bart,
I promise this will be the last time I fill your blog with my ramblings! Don't know your e-mail but if you e-mail me at chris.doman@cantab.net I'll send you over that article. I know how busy things are right now so don't worry if you don't have time.
chris