Hey Massimo,

Welcome to the Volatility community!

I would start by seeing if the password is even in memory -- I have never looked at ChatSecure specifically, but many other "secure" apps will wipe/zero the password from memory after it is used. This will effectively kill the password from process memory, so at that point you have to hope the password is left over in kernel memory, but that is difficult too b/c you don't know what to search for initially.

So to start - I would use the linux_yarascan plugin like this:

    python vol.py -f ... --profile=... linux_yarascan -Y "THE PASSWORD"

The yarascan plugin will then scan process and kernel memory looking for where "THE PASSWORD" is in memory. For any hits, it will report the process (PID), virtual address, and some context of the hit.

Assuming this is testing and you use a temp password, feel free to paste the output if any hits are found and I can explain them to you.

Thanks,
Andrew (@attrc)

On 04/29/2016 10:53 AM, Massimo Canonico wrote:
> Hi all,
> I'm new to Volatility, so sorry if this question does not fit the purpose
> of this mailing list.
>
> I was starting to play with LiME (Linux Memory Extract)[1] and I was able
> to dump a memory image of an Android Emulator where ChatSecure[2] was
> running.
>
> ChatSecure asked for a master password at the first run and this password is
> stored by using a library called CacheWord [3].
>
> Here is the question: in order to find out if ChatSecure stores this
> password in memory, how should I use volatility?
>
> A doc/tutorial link or any suggestions are more than welcome.
>
> Thanks,
> Massimo
>
> [1] https://github.com/504ensicsLabs/LiME
> [2] https://github.com/guardianproject/ChatSecureAndroid
> [3] https://github.com/guardianproject/cacheword
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
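
Added example, not part of the original thread and not Volatility code: a raw-image cross-check for the test described above, searching a dump for a known throwaway password in both narrow and wide (UTF-16LE) form. It reports file offsets only, not the PID or virtual address that linux_yarascan gives; the function names, the sample image and the password are constructed, and the UTF-16LE pattern assumes the app may hold the password as a Java String or char[].

```python
import io

def scan_image(stream, secret, chunk_size=1 << 20, context=16):
    """Return sorted (file_offset, encoding, context_bytes) for each copy of secret."""
    if not secret or chunk_size < 1:
        raise ValueError("need a non-empty secret and a positive chunk size")
    # Assumption: a C-style copy is ASCII/UTF-8, a Java String/char[] copy is UTF-16LE.
    patterns = {enc: secret.encode(enc) for enc in ("utf-8", "utf-16le")}
    keep = max(len(p) for p in patterns.values()) - 1  # bytes carried across chunks
    hits, tail, base = [], b"", 0                      # base = file offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for enc, pat in patterns.items():
            idx = buf.find(pat)
            while idx != -1:
                # A match that ends inside the carried tail was reported last round.
                if idx + len(pat) > len(tail):
                    ctx = buf[max(0, idx - context): idx + len(pat) + context]
                    hits.append((base + idx, enc, ctx))
                idx = buf.find(pat, idx + 1)
        tail = buf[-keep:]
        base += len(buf) - len(tail)
    return sorted(hits)

def build_sample_image(secret):
    """Constructed stand-in for a memory dump: filler with two planted copies."""
    img = bytearray(b"\xaa" * 4096)
    raw, wide = secret.encode("utf-8"), secret.encode("utf-16le")
    img[100:100 + len(raw)] = raw        # narrow copy
    img[1020:1020 + len(wide)] = wide    # wide copy, straddles the 1024-byte mark
    return bytes(img)

if __name__ == "__main__":
    SECRET = "hunter2-test"              # constructed throwaway password
    image = io.BytesIO(build_sample_image(SECRET))
    for offset, enc, ctx in scan_image(image, SECRET, chunk_size=1024):
        print(f"0x{offset:08x} {enc:9} {ctx!r}")
```

An empty result after the app has locked or been closed is consistent with the password having been wiped; a hit in only one encoding shows which copy survived.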
