ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

CryptoScan issues #94

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello, 

I'm using Volatility 1.4 RC1 on Windows 7 32-bit. I installed Python 2.6 and 
PyCrypto 2.3.
I want to use Volatility in order to get the TrueCrypt passphrase. I downloaded 
cryptoscan.py and I put it into the volatility/plugins directory. 

When I run the command "python vol.py cryptoscan -f ram.img", here is the error 
message I get:
"
C:\Python26>python.exe C:\Volatility-1.4_rc1\vol.py cryptoscan -f C:\ram.i
Volatile Systems Volatility Framework 1.4_rc1
*** Failed to import volatility.plugins.vutils (ImportError: No module nam
pes)
*** Failed to import volatility.plugins.cryptoscan (ImportError: No module
 vtypes)
ERROR   : __main__            : You must specify something to do (try -h)"

Can anyone help me?

I've been trying this script under Linux (BackTrack 4 R2) and I get the same 
error. 
I also ran the software with REMnux but still get the same error.

What am I (not?) doing?

Thanks for your help

Original issue reported on code.google.com by rat9...@gmail.com on 11 Mar 2011 at 12:33

GoogleCodeExporter commented 9 years ago
Hi there,

Cryptoscan is a third party plugin that was written a little while ago, and 
therefore only runs on Volatility-1.3.  I don't think it's been ported to 
volatility-1.4 yet, you'd have to contact the author to determine that.  I 
believe that the latest version of remnux comes with a development version of 
Volatility-1.4, and the same may be true of Backtrack 4 R2.

The best I can suggest is to try this with Volatility 1.3.  If you find you're 
still experiencing errors then the author of the plugin would be the best 
person to contact about it...

Original comment by mike.auty@gmail.com on 11 Mar 2011 at 1:11

GoogleCodeExporter commented 9 years ago
Hey ya, 

Thanks for the advice, I'm gonna give it a try with Volatility 1.3 or I will write 
to the author.

One other thing: 

I'm having trouble with the hashdump command. Yeah, I know, maybe I should open a 
new issue but... it'll be faster this way.
After running hivescan and hivelist, I run this command:
C:\Python26>python.exe C:\Volatility-1.4_rc1\vol.py hashdump -f C:\ram.img -y 0x
e1018388 -s 0xe14146b8

And here's the output :
Volatile Systems Volatility Framework 1.4_rc1
*** Failed to import volatility.plugins.vutils (ImportError: No module named vty
pes)
*** Failed to import volatility.plugins.cryptoscan (ImportError: No module named
 vtypes)
WARNING : volatility.win32.rawreg: Couldn't find subkey Lsa of Control

I get a warning concerning a subkey... Do I have a missing file or something?

Thanks for your help.

Original comment by rat9...@gmail.com on 11 Mar 2011 at 2:05

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[Reposting this, since I sent prematurely]

It could be that the Lsa subkey is not available in the memory image you have 
there.  You can verify like so (borrowing from your commandline above) using 
printkey against your system hive:

C:\Python26>python.exe C:\Volatility-1.4_rc1\vol.py -f C:\ram.img -o 0xe14146b8 
printkey -K 'ControlSet001\Control'

If it is there, you will see 'Lsa' in your listing.  If not, then it is not 
available.

Original comment by jamie.l...@gmail.com on 11 Mar 2011 at 2:19

GoogleCodeExporter commented 9 years ago
Ok, I hope the cryptoscan plugin works out!

As Jamie mentioned, it sounds like you've provided a hive that doesn't contain 
the necessary information for the plugin.  Nothing about the error message 
suggests you're missing a file, but you may not have provided the right hive 
offset for the plugin.  Be aware that both hashdump and lsadump take a -y and 
-s parameter, but the -s parameter refers to the sam hive in hashdump and the 
sec hive in lsadump.  

I'm going to mark this issue as invalid simply because it's about a plugin that 
we can't really help with.  If you need further help with the hashdump plugin, 
you might want to drop in on the #volatility IRC channel on freenode, there's 
many people on there who can help with all sorts of volatility issues, whether 
they're bugs or not (I believe the cryptoscan author is sometimes online there 
too).

If you believe you've found a bug in the hashdump plugin, do please open a new 
issue and we'll try and help you out there.  5:)

Original comment by mike.auty@gmail.com on 11 Mar 2011 at 2:26

GoogleCodeExporter commented 9 years ago
I gave it a try on the 1.3 version but it still doesn't work. I wrote an email to 
the cryptoscan author; I hope I'll hear from him sooner or later.

Concerning hashdump, you might be right about the offset. Since Volatility now 
gives both the physical and the virtual memory offset, I don't know which one to 
pick :)

Thanks for helping me out, I'll go on the IRC channel to see if there's anyone 
who has a solution to my problems.

Original comment by rat9...@gmail.com on 11 Mar 2011 at 2:59
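
As an added illustration of the two points above (which hivelist column to feed to -y/-s, and that -s means the SAM hive for hashdump but the SECURITY hive for lsadump), the following script is not part of Volatility; it parses a constructed sample of 1.4-style hivelist output, picks the virtual offsets, and prints the command lines. The sample offsets are made up apart from the two that appear in this thread, and the image name ram.img is an assumption.

```python
import re
import shlex

# Constructed sample of Volatility 1.4 `hivelist` output (offsets made up, except
# 0xe1018388 and 0xe14146b8 which appear in this thread).
HIVELIST_OUTPUT = """\
Virtual     Physical    Name
0xe1018388  0x01a8b388  \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe14146b8  0x0a4106b8  \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe13d4b60  0x09c2fb60  \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SECURITY
0xe1035b60  0x0a8fab60  \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software
"""

# One hive row: virtual offset, physical offset, hive path.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")

def parse_hivelist(text):
    """Return {hive basename (lowercase): (virtual, physical)} for each row."""
    hives = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip the header, banner and blank lines
        virt, phys, name = m.groups()
        base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        hives[base] = (virt, phys)
    return hives

def build_commands(hives, image, vol="vol.py"):
    """Build argv lists for hashdump, lsadump and the Lsa subkey check.
    -y is always the SYSTEM hive; -s is SAM for hashdump but SECURITY for
    lsadump; every offset comes from the *virtual* column of hivelist."""
    missing = {"system", "sam", "security"} - set(hives)
    if missing:
        raise KeyError("hivelist has no hive named: " + ", ".join(sorted(missing)))
    sysoff = hives["system"][0]
    base = [vol, "-f", image]
    return {
        "hashdump": base + ["hashdump", "-y", sysoff, "-s", hives["sam"][0]],
        "lsadump": base + ["lsadump", "-y", sysoff, "-s", hives["security"][0]],
        # The Lsa key lives in the SYSTEM hive, so printkey is pointed at it.
        "lsa_check": base + ["-o", sysoff, "printkey", "-K", "ControlSet001\\Control"],
    }

if __name__ == "__main__":
    cmds = build_commands(parse_hivelist(HIVELIST_OUTPUT), "ram.img")
    for name, argv in cmds.items():
        print(name + ": " + " ".join(shlex.quote(a) for a in argv))
```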

GoogleCodeExporter commented 9 years ago
About the LSA, I typed in the command you gave me and it turns out that there's 
no LSA key in my memory image. Thanks for the tip.

Original comment by rat9...@gmail.com on 11 Mar 2011 at 3:41

GoogleCodeExporter commented 9 years ago
Got a reply from the author: "
The cryptoscan plugin is now deprecated. I am not maintaining it nor updating 
it. The plugin worked on Volatility 1.3 and will not work on the 1.4 branch.

sorry,
"

I ran out of luck this time... 

Original comment by rat9...@gmail.com on 11 Mar 2011 at 3:43

GoogleCodeExporter commented 9 years ago
I'm glad you figured out what the problem was with the Lsa key.

About the cryptoscan plugin, you could always try to port the plugin yourself.  
We have a guide on how to do that:

http://code.google.com/p/volatility/wiki/CovertingPluginsFromVol13toVol14

though I'm not sure the plugin works with newer versions of TrueCrypt, so it 
might not be worth it... 

Original comment by jamie.l...@gmail.com on 11 Mar 2011 at 3:59