
[Solved] Finding a passphrase in a .mem file.

freki
(@freki)
New Member

Hello guys. 

Before you ask me, I am learning memory forensics so some questions may be silly for you. 

So, I have installed a software wallet for cryptocurrencies on a virtual machine running Windows. Once I started the software, it showed me a passphrase that allows me to restore the wallet. Of course, I took note of that passphrase (screenshot) and saved it. After that, I closed the software and made a memory dump.

From that file, I am trying to recover that passphrase, and if I use strings + grep, I can locate the passphrase because I know the words that composed that passphrase in advance. The question is, how can I obtain the passphrase in the case that I don't know it beforehand? Like in a real scenario.

Topic starter Posted : 12/03/2021 4:10 pm
freki
(@freki)
New Member

I solved it. 🙂

Topic starter Posted : 14/03/2021 11:05 am
TuckerHST
(@tuckerhst)
Active Member

@freki

Congratulations on solving it. Care to share your solution?

Posted : 18/03/2021 4:52 pm
freki
(@freki)
New Member

Hello @tuckerhst

What I did is to identify the processes related to the application and then I used Volatility's plugin called procdump on each process, and from there I started to look for the string. I'm not sure if there is a better way to do this, if so, let me know, please. 

Still, the way I did it is very manual and time-consuming but it worked.

Topic starter Posted : 20/03/2021 8:27 am
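
Added example, not part of the original thread or any poster's code: a way to triage a per-process dump for word-based passphrases without knowing the words, by matching runs of lowercase words in both ASCII and UTF-16LE (Windows applications often hold strings as UTF-16LE). It assumes the passphrase is 12 or more lowercase words separated by single spaces; `find_candidates`, `MIN_WORDS`, the optional `wordlist` filter and the sample bytes are all constructed for illustration.

```python
import re

MIN_WORDS = 12  # assumption: the recovery passphrase has at least 12 words


def _pattern(min_words, wide):
    # wide=True targets UTF-16LE, where each ASCII letter is followed by a NUL byte.
    nul = rb"\x00" if wide else b""
    letter = rb"[a-z]" + nul
    word = rb"(?:" + letter + rb"){3,8}"
    rest = rb"(?: " + nul + word + rb"){%d,}" % (min_words - 1)
    # The look-arounds stop a match from starting or ending in the middle of a word.
    return re.compile(rb"(?<!" + letter + rb")" + word + rest + rb"(?!" + letter + rb")")


def find_candidates(data, min_words=MIN_WORDS, wordlist=None):
    """Return sorted (offset, encoding, text) tuples for word runs found in data.

    If wordlist (a set of words) is given, keep only runs made entirely of
    words from it, e.g. the word list the wallet documents for its phrases.
    """
    hits = []
    for wide in (False, True):
        for m in _pattern(min_words, wide).finditer(data):
            text = m.group().decode("utf-16-le" if wide else "ascii")
            if wordlist is not None and not set(text.split()) <= wordlist:
                continue
            hits.append((m.start(), "utf-16le" if wide else "ascii", text))
    return sorted(hits)


# Constructed sample standing in for a process dump: binary noise, one ASCII
# copy of a made-up phrase, a short decoy, and one UTF-16LE copy.
PHRASE = ("river candle orbit maple stone velvet harbor tiger "
          "window planet silver garden")
SAMPLE = (b"\x00\x01MZ\x90\x00" + PHRASE.encode("ascii")
          + b"\x00short words here\xff\xfe"
          + PHRASE.encode("utf-16-le") + b"\x00\x00\x7f")

if __name__ == "__main__":
    # For a real dump, read the file produced for one process instead:
    #   data = open("<path to process dump>", "rb").read()
    for offset, encoding, text in find_candidates(SAMPLE):
        print(f"{offset:#010x} {encoding:8} {text}")
```

The offsets it prints let you go back to the dump and inspect the surrounding bytes for each candidate.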