Your best bet would be to use the memdump command of Volatility: http://code.google.com/p/volatility/wiki/CommandReference#memdump

It will grab all the pages of a particular process and dump them to disk contiguously. You can then run photorec (be sure to get a recent version which has specific docx support) over the output of memdump.

On Thu, Sep 8, 2011 at 3:50 PM, Marc Wickenden <[email protected]> wrote:

> I wondered if anyone had any experience "carving" MS Office files out of memory on a Windows box. Specifically I have SYSTEM access on a Windows 7 Pro box. The target data is contained in a Microsoft Excel 2007 file which is protected by Microsoft Office's AES encryption. I have tried brute-forcing the password with no success.
>
> At times the file is opened by the user. If I dump and analyse the process memory it seems the file is decrypted there but I was wondering if it is possible to take that data from memory and create a usable Microsoft Excel file without the encryption? If there are forensic tools that can do this I'd prefer FOSS but it is good to know of commercial options too.
>
> FYI, I have already recorded keystrokes entered by the user to decrypt the file. This is really just an exercise in seeing how far I can take post-exploitation.
>
> Any thoughts?
>
> Cheers,
> Wicky

--
Andrew Case
Senior Security Analyst @ Digital Forensics Solutions
http://www.digitalforensicssolutions.com

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
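The carving step the reply describes (what photorec's docx support does over a memdump output), as an added Python example that is not from the thread or from either tool: it scans a raw dump for ZIP local-file headers, closes each candidate at an End Of Central Directory record, and keeps only archives whose members all CRC-verify, so torn or paged-out copies are rejected rather than emitted as broken files. The dump bytes and the package inside them are constructed inline; real memdump output would be read from disk instead.

```python
import io
import zipfile

# ZIP magic numbers: local file header (first member) and the End Of Central
# Directory record (22 fixed bytes plus an optional comment) that closes it.
LFH_MAGIC, EOCD_MAGIC, EOCD_LEN = b"PK\x03\x04", b"PK\x05\x06", 22

def classify_ooxml(zf):
    """'xlsx'/'docx'/'pptx'/'ooxml' for an Office package, None otherwise."""
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return None
    markers = {"xl/workbook.xml": "xlsx", "word/document.xml": "docx",
               "ppt/presentation.xml": "pptx"}
    return next((k for m, k in markers.items() if m in names), "ooxml")

def carve_ooxml(dump):
    """Return (offset, kind, bytes) for every intact OOXML package in dump."""
    found, pos = [], dump.find(LFH_MAGIC)
    while pos != -1:
        next_pos, end = pos + 1, dump.find(EOCD_MAGIC, pos)
        while end != -1 and end + EOCD_LEN <= len(dump):
            comment_len = int.from_bytes(dump[end + 20:end + 22], "little")
            blob = dump[pos:end + EOCD_LEN + comment_len]
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    infos = zf.infolist()
                    # Accept only if no junk prefix (first member at offset 0) and all CRCs verify.
                    if infos and min(i.header_offset for i in infos) == 0 \
                            and zf.testzip() is None:
                        kind = classify_ooxml(zf)
                        if kind:
                            found.append((pos, kind, blob))
                        next_pos = pos + len(blob)  # resume after this archive
                        break
            except (zipfile.BadZipFile, ValueError, OSError, EOFError):
                pass
            end = dump.find(EOCD_MAGIC, end + 1)
        pos = dump.find(LFH_MAGIC, next_pos)
    return found

def build_sample_dump():
    """Constructed input: a tiny xlsx-shaped package embedded in filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    filler = bytes(range(256)) * 8  # deterministic; contains no PK magic
    return filler + buf.getvalue() + filler
```

Because memdump writes a process's pages contiguously, a package that was whole in memory usually survives this check; a copy spread across non-adjacent pages fails the CRC test and is skipped.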
