Is autosave enabled in excel with default location and if so is it
encrypted? Thinking out loud here

On 9/8/11, Sherif El-Deeb <[email protected]> wrote:
> Create a memory dump, then run it through "foremost" or "scalpel"? This
> works for jpg and the like.
>
> If this works, beware that xlsx files will show up as "zip" files when
> carved by these tools.
>
> Interesting experiment! Sharing the results with us will be highly
> appreciated.
>
> Sherif eldeeb.
> On Sep 8, 2011 11:56 PM, "Marc Wickenden" <[email protected]> wrote:
>> I wondered if anyone had any experience "carving" MS Office files out of
>> memory on a Windows box. Specifically I have SYSTEM access on a Windows 7
>> Pro box. The target data is contained in a Microsoft Excel 2007 file which
>> is protected by Microsoft Office's AES encryption. I have tried
>> brute-forcing the password with no success.
>>
>> At times the file is opened by the user. If I dump and analyse the process
>> memory it seems the file is decrypted there but I was wondering if it is
>> possible to take that data from memory and create a useable Microsoft
> Excel
>> file without the encryption? If there are forensic tools that can do this
>> I'd prefer FOSS but it is good to know of commercial options too.
>>
>> FYI, I have already recorded keystrokes entered by the user to decrypt the
>> file. This is really just an exercise in seeing how far I can take
>> post-exploitation.
>>
>> Any thoughts?
>>
>> Cheers,
>>
>> Wicky
>

-- 
Sent from my mobile device
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Reply via email to