Wow! How did I miss that CLKF post! Thanks for pointing to it.

@Andrew: thanks for the info.
@Marc: any updates?
On Sep 9, 2011 4:31 AM, <[email protected]> wrote:
> This bit of commandline kung-fu is quite useful when dealing with tools
> like foremost and scalpel:
> http://blog.commandlinekungfu.com/2010/07/episode-105-file-triage.html
>
> --
> byte_bucket
>> Create a memory dump, then run it through "foremost" or "scalpel"? This
>> works for jpg and the like.
>>
>> If this works, beware that xlsx files will show up as "zip" files when
>> carved by these tools.
>>
>> Interesting experiment! Sharing the results with us will be highly
>> appreciated.
>>
>> Sherif eldeeb.
>> On Sep 8, 2011 11:56 PM, "Marc Wickenden" <[email protected]> wrote:
>>> I wondered if anyone had any experience "carving" MS Office files out of
>>> memory on a Windows box. Specifically I have SYSTEM access on a Windows 7
>>> Pro box. The target data is contained in a Microsoft Excel 2007 file which
>>> is protected by Microsoft Office's AES encryption. I have tried
>>> brute-forcing the password with no success.
>>>
>>> At times the file is opened by the user. If I dump and analyse the process
>>> memory it seems the file is decrypted there but I was wondering if it is
>>> possible to take that data from memory and create a useable Microsoft Excel
>>> file without the encryption? If there are forensic tools that can do this
>>> I'd prefer FOSS but it is good to know of commercial options too.
>>>
>>> FYI, I have already recorded keystrokes entered by the user to decrypt the
>>> file. This is really just an exercise in seeing how far I can take
>>> post-exploitation.
>>>
>>> Any thoughts?
>>>
>>> Cheers,
>>>
>>> Wicky
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
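
The caveat above, that carved xlsx files come out labelled "zip", can be handled during triage by looking at the archive's member names. This is an added example, not part of the original thread: the file names and sample archives are constructed, and the OLE check reflects that a password-protected Office 2007 file on disk is an OLE compound file rather than a ZIP.

```python
import io
import zipfile
import zlib

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header
# Main part of each OOXML package type -> extension the carved file should get
OOXML_MAIN_PARTS = {
    "xl/workbook.xml": "xlsx",
    "word/document.xml": "docx",
    "ppt/presentation.xml": "pptx",
}

def classify_carved(data: bytes) -> str:
    """Return xlsx/docx/pptx, zip, ole, corrupt-zip or unknown for carved bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"            # legacy .xls/.doc or an encrypted OOXML wrapper
    if not data.startswith(b"PK\x03\x04"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            bad_member = zf.testzip()   # CRC-checks every member
    except (zipfile.BadZipFile, zlib.error, EOFError):
        return "corrupt-zip"    # truncated carve: no usable central directory
    if bad_member is not None:
        return "corrupt-zip"
    if "[Content_Types].xml" in names:  # present in every OOXML package
        for part, ext in OOXML_MAIN_PARTS.items():
            if part in names:
                return ext
    return "zip"

def _make_zip(members):
    """Build a small constructed archive in memory (stand-in for carver output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in members:
            zf.writestr(name, "<x/>")
    return buf.getvalue()

XLSX_LIKE = _make_zip(["[Content_Types].xml", "xl/workbook.xml"])
SAMPLES = {  # constructed inputs, named the way a carver numbers its output
    "00001.zip": XLSX_LIKE,
    "00002.zip": _make_zip(["[Content_Types].xml", "word/document.xml"]),
    "00003.zip": _make_zip(["notes.txt"]),
    "00004.zip": XLSX_LIKE[:60],          # carve cut off mid-archive
    "00005.ole": OLE_MAGIC + bytes(504),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_carved(blob)}")
```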
