This is why I suggested using photorec: it has specific support for docx files and will produce more precise results than scalpel/foremost, which are just header/footer file carvers.
On Thu, Sep 8, 2011 at 7:53 PM, Sherif El-Deeb <[email protected]> wrote:

> Create a memory dump, then run it through "foremost" or "scalpel"? This works for jpg and the like.
>
> If this works, beware that xlsx files will show up as "zip" files when carved by these tools.
>
> Interesting experiment! Sharing the results with us will be highly appreciated.
>
> Sherif eldeeb.
>
> On Sep 8, 2011 11:56 PM, "Marc Wickenden" <[email protected]> wrote:
>
>> I wondered if anyone had any experience "carving" MS Office files out of memory on a Windows box. Specifically I have SYSTEM access on a Windows 7 Pro box. The target data is contained in a Microsoft Excel 2007 file which is protected by Microsoft Office's AES encryption. I have tried brute-forcing the password with no success.
>>
>> At times the file is opened by the user. If I dump and analyse the process memory it seems the file is decrypted there, but I was wondering if it is possible to take that data from memory and create a usable Microsoft Excel file without the encryption? If there are forensic tools that can do this I'd prefer FOSS, but it is good to know of commercial options too.
>>
>> FYI, I have already recorded keystrokes entered by the user to decrypt the file. This is really just an exercise in seeing how far I can take post-exploitation.
>>
>> Any thoughts?
>>
>> Cheers,
>>
>> Wicky
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Andrew Case
Senior Security Analyst @ Digital Forensics Solutions
http://www.digitalforensicssolutions.com
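The thread makes two points a forensic examiner should keep in mind: a plain header/footer carver (scalpel/foremost style) recognises an Office 2007 document only as a ZIP container, because OOXML files are ZIP archives, and a carved copy from a memory image can come out truncated or corrupt when pages were swapped out. The following added example, which is not code from the thread nor from photorec, scalpel or foremost, shows the minimal ZIP header/footer carve and then the extra step a format-aware carver performs: opening the candidate and looking for `[Content_Types].xml` plus the `xl/`, `word/` or `ppt/` part prefix to label it xlsx, docx or pptx. The "memory image" is a constructed byte string built inline; the helper names (`carve`, `classify_ooxml`, `build_ooxml`) are this example's own.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of the first local file header
ZIP_EOCD = b"PK\x05\x06"           # End Of Central Directory record signature
EOCD_FIXED_LEN = 22                # fixed part of the EOCD record; comment follows


def find_zip_candidates(buf: bytes):
    """Yield (start, end) byte ranges that look like whole ZIP containers.

    This is the same header/footer logic a generic carver applies, which is
    why such tools report an xlsx/docx simply as "zip".
    """
    pos = 0
    while True:
        start = buf.find(ZIP_LOCAL_HEADER, pos)
        if start == -1:
            return
        eocd = buf.find(ZIP_EOCD, start)
        if eocd == -1 or eocd + EOCD_FIXED_LEN > len(buf):
            return
        # The last field of the EOCD record is the archive comment length.
        comment_len = struct.unpack_from("<H", buf, eocd + 20)[0]
        end = eocd + EOCD_FIXED_LEN + comment_len
        yield start, end
        pos = end


def classify_ooxml(blob: bytes) -> str:
    """Label a carved container: xlsx / docx / pptx / zip / corrupt.

    A carve from memory may be truncated (pages swapped out or overwritten),
    so a blob that the zipfile module cannot open is reported as corrupt
    rather than raising.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "corrupt"
    if "[Content_Types].xml" not in names:
        return "zip"
    for prefix, label in (("xl/", "xlsx"), ("word/", "docx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return label
    return "ooxml-unknown"


def carve(image: bytes):
    """Return [(offset, label, blob)] for every ZIP-shaped region in image."""
    return [(s, classify_ooxml(image[s:e]), image[s:e])
            for s, e in find_zip_candidates(image)]


# --- constructed sample data (not a real memory dump) -----------------------

def build_ooxml(kind: str) -> bytes:
    """Build a minimal, synthetic OOXML-shaped archive for the demo."""
    part = {"xlsx": "xl/workbook.xml", "docx": "word/document.xml",
            "pptx": "ppt/presentation.xml"}[kind]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part, "<root/>")
    return out.getvalue()


def build_plain_zip() -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("notes.txt", "not an office document")
    return out.getvalue()


# Synthetic "memory image": padding, a spreadsheet, junk, a plain archive.
SAMPLE_IMAGE = (b"\x00" * 64 + build_ooxml("xlsx")
                + b"\xff" * 100 + build_plain_zip() + b"\x00" * 32)


if __name__ == "__main__":
    for offset, label, blob in carve(SAMPLE_IMAGE):
        print(f"offset={offset:#08x} size={len(blob):5d} type={label}")
```

Run stand-alone it lists the xlsx at offset 0x40 followed by the plain zip. For a real image, read the file through `mmap` instead of slurping it, and expect far more "corrupt" hits than clean ones: a container that is only partly resident in memory will still match on signature but fail to open, and that is exactly the case where a format-aware tool such as photorec, which understands the OOXML part layout, recovers more than a signature carver does.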
