[Solved] Finding a passphrase in a .mem file.
Before you ask me, I am learning memory forensics so some questions may be silly for you.
So, I have installed a software wallet for cryptocurrencies on a virtual machine running Windows. Once I started the software, this showed me a passphrase that allows me to restore the wallet. Of course, I took note of that passphrase (screenshot) and saved it. After that, I closed the software and made a memory dump.
From that file, I am trying to recover that passphrase and if I use strings + grep, I can locate the passphrase because I know the words that composed that passphrase in advance. The question is, how can I obtain the passphrase in the case that I don't know it beforehand? Like in a real scenario.
I solved it. 🙂
What I did is to identify the processes related to the application and then I used Volatility's plugin called procdump on each process, and from there I started to look for the string. I'm not sure if there is a better way to do this, if so, let me know, please.
Still, the way I did it is very manual and time-consuming but it worked.