PaulDotCom mailing list archives
Carving Excel file from memory
From: Marc Wickenden <marc.wickenden () gmail com>
Date: Thu, 8 Sep 2011 21:50:25 +0100
I wondered if anyone had any experience "carving" MS Office files out of memory on a Windows box. Specifically I have SYSTEM access on a Windows 7 Pro box. The target data is contained in a Microsoft Excel 2007 file which is protected by Microsoft Office's AES encryption. I have tried brute-forcing the password with no success. At times the file is opened by the user. If I dump and analyse the process memory it seems the file is decrypted there but I was wondering if it is possible to take that data from memory and create a useable Microsoft Excel file without the encryption? If there are forensic tools that can do this I'd prefer FOSS but it is good to know of commercial options too. FYI, I have already recorded keystrokes entered by the user to decrypt the file. This is really just an exercise in seeing how far I can take post-exploitation. Any thoughts? Cheers, Wicky
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Carving Excel file from memory Marc Wickenden (Sep 08)
- Re: Carving Excel file from memory Andrew Case (Sep 08)
- Re: Carving Excel file from memory Sherif El-Deeb (Sep 08)
- Re: Carving Excel file from memory Andrew Case (Sep 08)
- Re: Carving Excel file from memory Bugbear (Sep 08)
- Re: Carving Excel file from memory byte . bucket (Sep 08)
- Re: Carving Excel file from memory Bugbear (Sep 09)
- Re: Carving Excel file from memory Michael Lubinski (Sep 09)
- <Possible follow-ups>
- Re: Carving Excel file from memory Sherif El-Deeb (Sep 09)
- Re: Carving Excel file from memory Marc Wickenden (Sep 12)