Extract live data from a memory dump

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

banderas20
Member
 

Re: Extract live data from a memory dump

Posted: Jul 17, 19 06:40

- deeFIR
If it’s not cached, it’s not cached. Try running aeskeyfind against your raw memory dump and see if it locates anything.


Hi. Yes, it yields the following:

Code:
25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
affd67a85f33c38e95a4d6ca39b97578
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
74c49a8db21d10bc39c71178cb55c4dd
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
Keyfind progress: 100%

How do I use this?

Thanks!  
 
  

deeFIR
Member
 

Re: Extract live data from a memory dump

Posted: Jul 17, 19 07:20

- banderas20


Hi. Yes, it yields the following:

Code:
25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab

How do I use this?

Thanks!


github.com/AmNe5iA/MKDecrypt

They're likely your 256-bit AES keys. Combine them for your 512-bit AES key and use MKD to mount it.
 
  

AmNe5iA
Senior Member
 

Re: Extract live data from a memory dump

Posted: Jul 17, 19 07:48

Try

Code:
25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f88925204e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d

and then try:

Code:
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
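
The replies above reduce the aeskeyfind output to its distinct 256-bit keys and join two of them in both orders. The script below does the same for any number of hits; it is an added example, not part of the original posts or of MKDecrypt. The sample output is constructed, and treating the sequential 00..1f key as a non-volume key is an assumption.

```python
import re
from itertools import permutations

# Constructed sample of aeskeyfind output (these are NOT the keys from the thread).
SAMPLE_OUTPUT = "\n".join([
    "aa" * 32,                    # 256-bit hit
    "bb" * 32,                    # 256-bit hit
    bytes(range(32)).hex(),       # sequential 00..1f byte pattern
    "cc" * 16,                    # 128-bit hit
    "aa" * 32,                    # repeated hit, as in the thread's output
    "cc" * 16,
    bytes(range(32)).hex(),
    "Keyfind progress: 100%",     # status line, not a key
])

HEX_LINE = re.compile(r"^[0-9a-f]+$")

def unique_keys(output):
    """Return distinct hex keys in first-seen order, skipping non-key lines."""
    seen = []
    for line in output.splitlines():
        line = line.strip().lower()
        # Key lengths seen in the thread's output: 32 and 64 hex characters.
        if HEX_LINE.match(line) and len(line) in (32, 64) and line not in seen:
            seen.append(line)
    return seen

def is_sequential(hex_key):
    """True for the 00 01 02 ... byte pattern (assumed here to be a test key)."""
    raw = bytes.fromhex(hex_key)
    return raw == bytes(range(len(raw)))

def xts_candidates(output):
    """Concatenate every ordered pair of distinct 256-bit keys into 512-bit hex."""
    keys256 = [k for k in unique_keys(output)
               if len(k) == 64 and not is_sequential(k)]
    # Order matters: A+B and B+A are different 512-bit keys, so try both.
    return [a + b for a, b in permutations(keys256, 2)]

if __name__ == "__main__":
    for candidate in xts_candidates(SAMPLE_OUTPUT):
        print(candidate)
```

With three distinct 256-bit keys, as in the trimmed list quoted above, this yields six candidate 512-bit strings to try.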
 
 
  

banderas20
Member
 

Re: Extract live data from a memory dump

Posted: Jul 18, 19 15:53

I'll give it a try and post the results.

Thanks! :D
 
