Extracting passwords & keys from memory?

10 Posts
8 Users
0 Reactions
4,537 Views
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
Topic starter  

Just wondering if anyone could recommend a tool or technique for extracting either passwords or cryptographic keys from memory. Preferably a tool that could be run on a Windows platform.

So far I've got Volatility's Cryptoscan/Keyboardbuffer/Suspicious (although Suspicious just crashes when I run it), FTK Imager "Obtain protected files - Password recovery and all registry files", and Interrogate (although I could use something simpler - or more brains). Then there's Strings, or Strings+Find to create dictionary files, but that's pretty messy.

Any idea, for instance, if there are any EnScripts out there?

Thanks for any suggestions.


(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
 

One thing I have done in the past, although not when analysing memory, is use FTK to export the word list of an image once indexed. This can then be used in PRTK as a dictionary. In the particular case I had, it worked perfectly: I used it on a password-protected zip file and it found the password in about 3 seconds.

I don't see why this cannot be used on a memory dump too, seeing as you can now use imager to acquire memory and I believe also use FTK2/3 to analyse it.


nickfx
(@nickfx)
Estimable Member
Joined: 20 years ago
Posts: 131
 

Hi

As the SAM file is loaded into RAM at boot time, you can use the Volreg plugins (http://www.cc.gatech.edu/%7Ebrendan/volatility/) with Volatility to find and isolate the SAM hive, extract it and chuck it into ophcrack etc. to crack it.

Obviously the final result depends on the size of the rainbow tables you have. Free tables that cover just alphanumeric characters can be downloaded from http://ophcrack.sourceforge.net/tables.php.

If you need help with the Volatility commands just respond.

Cheers

Nick Furneaux


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Just wondering if anyone could recommend a tool or technique for extracting either passwords or cryptographic keys from memory. Preferably a tool that could be run on a Windows platform.

http://www.andrew.cmu.edu/user/bfkaplan/

http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F4529302%2F4529303%2F04529504.pdf%3Farnumber%3D4529504&authDecision=-203

I'm sure a Google search or two of your own will turn up even more…


(@alawi)
Active Member
Joined: 16 years ago
Posts: 7
 

Dear brothers and sisters,

When I read many forensic articles, they claim that you can find passwords and encrypted keys in memory, but I have tried to dump my memory many times and I could not find my passwords.

Can anyone give me a good methodology to use, in order to support those claims?

I will appreciate hearing from you guys.
Thanks


digintel
(@digintel)
Trusted Member
Joined: 17 years ago
Posts: 51
 

Dear brothers and sisters,

When I read many forensic articles, they claim that you can find passwords and encrypted keys in memory, but I have tried to dump my memory many times and I could not find my passwords.

Can anyone give me a good methodology to use?

Thanks

Alawi,
are you looking for any passwords in particular?
Bear in mind that some vendors have adapted to RAM scraping attacks, and now do not store their passwords in plain RAM anymore (i.e. TrueCrypt).
Also, how are you dumping your memory?

Roland


(@alawi)
Active Member
Joined: 16 years ago
Posts: 7
 

Thanks for your reply.

I am actually now just looking for my password, meaning I know what password I need to find, but later on I will be interested in looking for any potential passwords or encrypted keys.

I used the Mdd.exe tool to dump my memory, using this command:

mdd -o filename

Thanks


(@forumaic)
New Member
Joined: 16 years ago
Posts: 4
 

Hello everybody,

Could anybody guide me with extracting encrypted keys from physical memory? I am trying to write a thesis about it. How could I ensure the correctness of the encrypted keys in memory? And what processes and DLLs are responsible for these things in memory?

Thanks in advance.

F.


(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Thanks for your reply.

I am actually now just looking for my password, meaning I know what password I need to find, but later on I will be interested in looking for any potential passwords or encrypted keys.

I used the Mdd.exe tool to dump my memory, using this command:

mdd -o filename

Thanks

Hello, I'm just at the beginning so I'm not sure about more specific techniques that can be used to extract passwords and keys from memory, but actually finding a plain text password is pretty easy if you look for strings. You can also try a process analysis if the system memory structure is well-known (like XP SP2) and check the heap of the process with Volatility or similar tools.

For the keys it's pretty different, and I don't exactly know how to recognize a key in a raw memory dump. You can check out the "cold boot attack" sources; I remember there was a piece of software that was designed to extract keys from memory.

By the way, many programs vulnerable to memory dump key extraction are taking precautions in their new versions, like TrueCrypt, which now spreads the key across different areas of memory in small chunks to prevent its extraction and reconstruction.
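As an added example, written for this thread and not code from any of the posters, the following Python scanner illustrates two points raised above: a password that an application holds as UTF-16LE (the encoding much Windows code uses for text) is missed by an ASCII-only strings search, which is one common reason a known password "cannot be found" in a dump; and a secret that has been XOR-split into two shares, a toy version of the key scattering TrueCrypt is said to do, is not found by either search. The "memory dump", the password and the shares are all constructed inside the code.

```python
import os
import re
from typing import List, Optional, Tuple

# Printable-ASCII runs and UTF-16LE runs (each ASCII byte followed by 0x00),
# six characters or longer; the latter is how much Windows code keeps text.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

def extract_strings(dump: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(dump)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in UTF16_RE.finditer(dump)]
    return sorted(found)

def find_secret(dump: bytes, secret: str) -> List[Tuple[int, str]]:
    """Offsets at which `secret` lies contiguously, in either encoding."""
    hits = []
    for enc in ("ascii", "utf-16le"):
        needle = secret.encode(enc)
        pos = dump.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = dump.find(needle, pos + 1)
    return hits

def split_secret(secret: bytes, pad: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """XOR-split a secret into two shares so no contiguous copy exists anywhere
    (toy key scattering). `pad` is overridable only so a test can be deterministic."""
    pad = os.urandom(len(secret)) if pad is None else pad
    return pad, bytes(a ^ b for a, b in zip(secret, pad))

def join_secret(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares (done only at the moment the key is needed)."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def build_dump(secret: str, encoding: str, extra: bytes = b"") -> bytes:
    """Constructed stand-in for a memory dump (not a real capture): non-printable
    filler, an unrelated module name, the secret in `encoding`, filler, `extra`."""
    filler = bytes([0x00, 0xFF, 0x10, 0x80]) * 64
    return filler + b"ntdll.dll\x00\x00" + secret.encode(encoding) + b"\x00\x00" + filler + extra

if __name__ == "__main__":
    dump = build_dump("Passw0rd!", "utf-16le")
    print(find_secret(dump, "Passw0rd!"))          # found only as utf-16le
    a, b = split_secret(b"Passw0rd!")
    print(find_secret(build_dump("x", "ascii", a + b), "Passw0rd!"))  # []
```

On a real dump the same UTF-16LE pass explains many "strings found nothing" cases, and the split shares show why a scanner that only looks for contiguous copies gives no assurance against software that scatters its keys.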


(@alawi)
Active Member
Joined: 16 years ago
Posts: 7
 

thank you very much rampage

