PaulDotCom mailing list archives

Re: Carving Excel file from memory


From: Andrew Case <andrew () digitalforensicssolutions com>
Date: Thu, 8 Sep 2011 19:52:19 -0500

Your best bet would be to use the memdump command of Volatility:

http://code.google.com/p/volatility/wiki/CommandReference#memdump

It will grab all the pages of a particular process and dump them to
disk contiguously.

You can then run photorec (be sure to get a recent version which has
specific docx support) over the output of memdump.

On Thu, Sep 8, 2011 at 3:50 PM, Marc Wickenden <marc.wickenden () gmail com> wrote:
I wondered if anyone had any experience "carving" MS Office files out of
memory on a Windows box.  Specifically I have SYSTEM access on a Windows 7
Pro box. The target data is contained in a Microsoft Excel 2007 file which
is protected by Microsoft Office's AES encryption.  I have tried
brute-forcing the password with no success.
At times the file is opened by the user.  If I dump and analyse the process
memory it seems the file is decrypted there but I was wondering if it is
possible to take that data from memory and create a useable Microsoft Excel
file without the encryption?  If there are forensic tools that can do this
I'd prefer FOSS but it is good to know of commercial options too.
FYI, I have already recorded keystrokes entered by the user to decrypt the
file.  This is really just an exercise in seeing how far I can take
post-exploitation.
Any thoughts?
Cheers,
Wicky
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




-- 
Andrew Case
Senior Security Analyst @ Digital Forensics Solutions
http://www.digitalforensicssolutions.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
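As an added illustration of the carve step Andrew describes (this is not code from the thread, from Volatility or from photorec): the script below scans a raw dump such as memdump's output for OOXML packages (xlsx/docx/pptx are zip archives), walks from each local file header to the end-of-central-directory record that actually belongs to it, validates the archive, and classifies it by its part names. It assumes the decrypted package lies contiguously in the dump, which is the same limitation a signature carver like photorec has; the sample dump is constructed, not a real capture.

```python
import io
import struct
import zipfile
LOCAL_HDR, EOCD = b"PK\x03\x04", b"PK\x05\x06"  # local file header / end of central directory

def _find_end(dump: bytes, start: int):
    """Offset just past the EOCD record that belongs to the archive at `start`, or None."""
    eocd = dump.find(EOCD, start)
    while eocd >= 0 and eocd + 22 <= len(dump):
        # EOCD: sig(4) disk(2)x2 n(2)x2 cd_size(4) cd_off(4) comment_len(2); cd_off is relative to start
        cd_size, cd_off, comment_len = struct.unpack_from("<IIH", dump, eocd + 12)
        if start + cd_off + cd_size == eocd:  # an EOCD of some other archive fails this test
            return eocd + 22 + comment_len
        eocd = dump.find(EOCD, eocd + 4)
    return None

def _classify(blob: bytes):
    """'xlsx'/'docx'/'pptx'/'ooxml' for a valid OOXML package, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            if zf.testzip() is not None or "[Content_Types].xml" not in names:
                return None
    except zipfile.BadZipFile:
        return None
    for prefix, kind in (("xl/", "xlsx"), ("word/", "docx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "ooxml"

def carve_ooxml(dump: bytes):
    """Return (offset, kind, bytes) for every OOXML package that is contiguous in `dump`."""
    hits, pos = [], 0
    while (start := dump.find(LOCAL_HDR, pos)) >= 0:
        end = _find_end(dump, start)
        kind = _classify(dump[start:end]) if end else None
        if kind:
            hits.append((start, kind, dump[start:end]))
            pos = end        # skip the inner members of the archive just carved
        else:
            pos = start + 4  # stray signature or non-contiguous archive: keep scanning
    return hits

def build_sample_dump() -> bytes:  # constructed stand-in for memdump output, not a real capture
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    filler = bytes(range(256)) * 16  # 4096 bytes that contain no PK signatures
    return filler + buf.getvalue() + filler
```

Each carved blob can be written to disk with the reported extension and opened directly; a hit whose EOCD cannot be matched usually means the package was paged or fragmented and needs the surrounding pages first.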

