Wow! how did I miss that CLKF post! Thanks for pointing to it.
@Andrew: thnx for the info. @marc: any updates?

On Sep 9, 2011 4:31 AM, <[email protected]> wrote:
> This bit of commandline kung-fu is quite useful when dealing with tools
> like foremost and scalpel:
> http://blog.commandlinekungfu.com/2010/07/episode-105-file-triage.html
>
> --
> byte_bucket
>> Create a memory dump, then run it through "foremost" or "scalpel"? This
>> works for jpg and the like.
>>
>> If this works, beware that xlsx files will show up as "zip" files when
>> carved by these tools.
>>
>> Interesting experiment! Sharing the results with us will be highly
>> appreciated.
>>
>> Sherif eldeeb.
>> On Sep 8, 2011 11:56 PM, "Marc Wickenden" <[email protected]> wrote:
>>> I wondered if anyone had any experience "carving" MS Office files out of
>>> memory on a Windows box. Specifically I have SYSTEM access on a Windows 7
>>> Pro box. The target data is contained in a Microsoft Excel 2007 file which
>>> is protected by Microsoft Office's AES encryption. I have tried
>>> brute-forcing the password with no success.
>>>
>>> At times the file is opened by the user. If I dump and analyse the process
>>> memory it seems the file is decrypted there but I was wondering if it is
>>> possible to take that data from memory and create a useable Microsoft Excel
>>> file without the encryption? If there are forensic tools that can do this
>>> I'd prefer FOSS but it is good to know of commercial options too.
>>>
>>> FYI, I have already recorded keystrokes entered by the user to decrypt the
>>> file. This is really just an exercise in seeing how far I can take
>>> post-exploitation.
>>>
>>> Any thoughts?
>>>
>>> Cheers,
>>>
>>> Wicky
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
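Added example, not part of the original thread: the caveat above that carved xlsx files come out labelled "zip" can be handled in triage by looking at the archive's member names. The function names and the in-memory sample archives are constructed for illustration; the fallback path covers carved files whose central directory was cut off.

```python
import io
import struct
import zipfile

# Top-level part that identifies each Office Open XML document type.
MARKERS = {
    "xl/workbook.xml": "xlsx",
    "word/document.xml": "docx",
    "ppt/presentation.xml": "pptx",
}

def member_names(data):
    """List member names, even when the central directory is missing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError):
        pass  # damaged or truncated carve: fall through to header scan
    # Walk local file headers (signature PK\x03\x04, name length at +26).
    names = []
    pos = data.find(b"PK\x03\x04")
    while pos != -1 and pos + 30 <= len(data):
        name_len = struct.unpack_from("<H", data, pos + 26)[0]
        raw = data[pos + 30 : pos + 30 + name_len]
        names.append(raw.decode("utf-8", "replace"))
        pos = data.find(b"PK\x03\x04", pos + 30 + name_len)
    return names

def classify(data):
    """Return 'xlsx', 'docx', 'pptx', 'zip' or 'unknown' for carved bytes."""
    names = set(member_names(data))
    for marker, kind in MARKERS.items():
        if marker in names:
            return kind
    return "zip" if names else "unknown"

def _sample(parts):
    """Build a constructed test archive in memory (not real Office data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part in parts:
            zf.writestr(part, "<x/>")
    return buf.getvalue()

if __name__ == "__main__":
    xlsx = _sample(["[Content_Types].xml", "xl/workbook.xml"])
    # Second call drops the end of the archive, as a short carve would.
    print(classify(xlsx), classify(xlsx[:-40]))
```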
