I wondered if anyone had any experience "carving" MS Office files out of memory on a Windows box. Specifically I have SYSTEM access on a Windows 7 Pro box. The target data is contained in a Microsoft Excel 2007 file which is protected by Microsoft Office's AES encryption. I have tried brute-forcing the password with no success.
At times the file is opened by the user. If I dump and analyse the process memory, it seems the file is decrypted there, but I was wondering if it is possible to take that data from memory and create a useable Microsoft Excel file without the encryption? If there are forensic tools that can do this I'd prefer FOSS, but it is good to know of commercial options too.
FYI, I have already recorded keystrokes entered by the user to decrypt the file. This is really just an exercise in seeing how far I can take post-exploitation. Any thoughts?
Cheers,
Wicky
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
