PaulDotCom mailing list archives
Re: Carving Excel file from memory
From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Fri, 9 Sep 2011 04:52:32 +0300
Wow! how did I miss that CLKF post! Thanks for pointing to it.

@Andrew: thnx for the info.

@marc: any updates?

On Sep 9, 2011 4:31 AM, <byte.bucket () 4a44 com> wrote:

This bit of commandline kung-fu is quite useful when dealing with tools like foremost and scalpel:

http://blog.commandlinekungfu.com/2010/07/episode-105-file-triage.html

-- byte_bucket

Create a memory dump, then run it through "foremost" or "scalpel"? This works for jpg and the like.

If this works, beware that xlsx files will show up as "zip" files when carved by these tools.

Interesting experiment! Sharing the results with us will be highly appreciated.

Sherif eldeeb.

On Sep 8, 2011 11:56 PM, "Marc Wickenden" <marc.wickenden () gmail com> wrote:

I wondered if anyone had any experience "carving" MS Office files out of memory on a Windows box.

Specifically I have SYSTEM access on a Windows 7 Pro box. The target data is contained in a Microsoft Excel 2007 file which is protected by Microsoft Office's AES encryption. I have tried brute-forcing the password with no success.

At times the file is opened by the user. If I dump and analyse the process memory it seems the file is decrypted there but I was wondering if it is possible to take that data from memory and create a useable Microsoft Excel file without the encryption?

If there are forensic tools that can do this I'd prefer FOSS but it is good to know of commercial options too.

FYI, I have already recorded keystrokes entered by the user to decrypt the file. This is really just an exercise in seeing how far I can take post-exploitation.

Any thoughts?

Cheers,
Wicky

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
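
The note in the thread that carved xlsx files show up as "zip", as an added example that is not part of the original messages: a triage helper that labels a carved blob by the member names in its ZIP local file headers, so it still works when the carver cut the archive short and the central directory is missing. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
# Part names that identify each OOXML document type inside the ZIP container.
OOXML_MARKERS = {
    "xl/workbook.xml": "xlsx",
    "word/document.xml": "docx",
    "ppt/presentation.xml": "pptx",
}

def member_names(data):
    """List member names by walking ZIP local file headers.

    Carved archives are often cut short, so the central directory at the
    end may be gone; local headers survive wherever their bytes do.
    """
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1:
        header = data[pos:pos + 30]          # fixed part of a local header
        if len(header) < 30:
            break                            # truncated inside a header
        (name_len,) = struct.unpack_from("<H", header, 26)
        raw = data[pos + 30:pos + 30 + name_len]
        if name_len and len(raw) == name_len:
            names.append(raw.decode("utf-8", errors="replace"))
        pos = data.find(LOCAL_HEADER_SIG, pos + 4)
    return names

def classify_carved_zip(data):
    """Return 'xlsx', 'docx', 'pptx', 'zip' or 'unknown' for a carved blob."""
    names = member_names(data)
    for marker, kind in OOXML_MARKERS.items():
        if marker in names:
            return kind
    return "zip" if names else "unknown"

def build_sample(members):
    """Constructed test input: an in-memory ZIP holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            info = zipfile.ZipInfo(name, (2011, 9, 9, 0, 0, 0))  # fixed timestamp
            zf.writestr(info, body)
    return buf.getvalue()
```

Signature hits inside compressed member data can add junk names to the list, but they will not match the marker paths, so the label is unaffected.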
Current thread:
- Carving Excel file from memory Marc Wickenden (Sep 08)
- Re: Carving Excel file from memory Andrew Case (Sep 08)
- Re: Carving Excel file from memory Sherif El-Deeb (Sep 08)
- Re: Carving Excel file from memory Andrew Case (Sep 08)
- Re: Carving Excel file from memory Bugbear (Sep 08)
- Re: Carving Excel file from memory byte . bucket (Sep 08)
- Re: Carving Excel file from memory Bugbear (Sep 09)
- Re: Carving Excel file from memory Michael Lubinski (Sep 09)
- <Possible follow-ups>
- Re: Carving Excel file from memory Sherif El-Deeb (Sep 09)
- Re: Carving Excel file from memory Marc Wickenden (Sep 12)