PaulDotCom mailing list archives

Carving Excel file from memory


From: Marc Wickenden <marc.wickenden () gmail com>
Date: Thu, 8 Sep 2011 21:50:25 +0100

I wondered if anyone had any experience "carving" MS Office files out of
memory on a Windows box.  Specifically I have SYSTEM access on a Windows 7
Pro box. The target data is contained in a Microsoft Excel 2007 file which
is protected by Microsoft Office's AES encryption.  I have tried
brute-forcing the password with no success.

At times the file is opened by the user.  If I dump and analyse the process
memory it seems the file is decrypted there but I was wondering if it is
possible to take that data from memory and create a useable Microsoft Excel
file without the encryption?  If there are forensic tools that can do this
I'd prefer FOSS but it is good to know of commercial options too.

FYI, I have already recorded keystrokes entered by the user to decrypt the
file.  This is really just an exercise in seeing how far I can take
post-exploitation.

Any thoughts?

Cheers,

Wicky
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
