+1 for that CLKF post.

On Fri, Sep 9, 2011 at 11:13 AM, Bugbear <[email protected]> wrote:
> To Answer my own question on AutoSave via default location of
> C:\Users\usernameAppData\Roaming\Microsoft\Excel - seems the autosave is
> also encrypted
>
> T
>
>
> On Thu, Sep 8, 2011 at 9:31 PM, <[email protected]> wrote:
>
>> This bit of commandline kung-fu is quite useful when dealing with tools
>> like foremost and scalpel:
>> http://blog.commandlinekungfu.com/2010/07/episode-105-file-triage.html
>>
>> --
>> byte_bucket
>> > Create a memory dump, then run it through "foremost" or "scalpel"? This
>> > works for jpg and the like.
>> >
>> > If this works, beware that xlsx files will show up as "zip" files when
>> > carved by these tools.
>> >
>> > Interesting experiment! Sharing the results with us will be highly
>> > appreciated.
>> >
>> > Sherif eldeeb.
>> > On Sep 8, 2011 11:56 PM, "Marc Wickenden" <[email protected]>
>> > wrote:
>> >> I wondered if anyone had any experience "carving" MS Office files out of
>> >> memory on a Windows box. Specifically I have SYSTEM access on a Windows 7
>> >> Pro box. The target data is contained in a Microsoft Excel 2007 file which
>> >> is protected by Microsoft Office's AES encryption. I have tried
>> >> brute-forcing the password with no success.
>> >>
>> >> At times the file is opened by the user. If I dump and analyse the process
>> >> memory it seems the file is decrypted there but I was wondering if it is
>> >> possible to take that data from memory and create a useable Microsoft Excel
>> >> file without the encryption? If there are forensic tools that can do this
>> >> I'd prefer FOSS but it is good to know of commercial options too.
>> >>
>> >> FYI, I have already recorded keystrokes entered by the user to decrypt the
>> >> file. This is really just an exercise in seeing how far I can take
>> >> post-exploitation.
>> >>
>> >> Any thoughts?
>> >>
>> >> Cheers,
>> >>
>> >> Wicky
>> > _______________________________________________
>> > Pauldotcom mailing list
>> > [email protected]
>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> > Main Web Site: http://pauldotcom.com
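The point in the thread that carved xlsx files show up as "zip" files can be handled with a triage pass over the carver's output. The following is an added example, not part of the original thread: the labels, function names and sample archives are constructed for illustration, and the OLE check assumes only that Office stores a password-encrypted package in an OLE compound file rather than a ZIP.

```python
import io
import zipfile

ZIP_LOCAL_MAGIC = b"PK\x03\x04"                 # ZIP local file header
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE compound file header
CONTENT_TYPES = "[Content_Types].xml"           # present in every OOXML package
WORKBOOK_PART = "xl/workbook.xml"               # main part of a spreadsheet package


def classify_carved(data: bytes) -> str:
    """Label one carved blob so spreadsheet packages stand out from ordinary archives."""
    if data.startswith(OLE_MAGIC):
        # Legacy .xls, or the container Office wraps around a password-encrypted package.
        return "ole-compound"
    if not data.startswith(ZIP_LOCAL_MAGIC):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Carves are often cut short and lose the central directory. Part names sit
        # uncompressed in the local headers, so they can still be matched.
        if WORKBOOK_PART.encode() in data:
            return "xlsx-fragment"
        return "zip-damaged"
    if CONTENT_TYPES in names and WORKBOOK_PART in names:
        return "xlsx"
    if CONTENT_TYPES in names:
        return "ooxml-other"
    return "zip"


def build_sample(parts: dict) -> bytes:
    """Constructed test input: an in-memory ZIP holding the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    workbook = build_sample({CONTENT_TYPES: "<Types/>", WORKBOOK_PART: "<workbook/>"})
    samples = {  # constructed stand-ins for carver output files
        "00000001.zip": workbook,
        "00000002.zip": build_sample({"notes.txt": "hello"}),
        "00000003.zip": workbook[: workbook.find(b"PK\x01\x02")],  # central directory lost
    }
    for name, blob in samples.items():
        print(name, classify_carved(blob))
```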
