Re: Carving Excel file from memory

[Bugbear <gbugbear () gmail com>]

Is autosave enabled in excel with default location and if so is it
encrypted? Thinking out loud here

On 9/8/11, Sherif El-Deeb <archeldeeb () gmail com> wrote:
> Create a memory dump, then run it through "foremost" or "scalpel"? This
> works for jpg and the like.
>
> If this works, beware that xlsx files will show up as "zip" files when
> carved by these tools.
>
> Interesting experiment! Sharing the results with us will be highly
> appreciated.
>
> Sherif eldeeb.
> On Sep 8, 2011 11:56 PM, "Marc Wickenden" <marc.wickenden () gmail com> wrote:
> > I wondered if anyone had any experience "carving" MS Office files out of
> > memory on a Windows box. Specifically I have SYSTEM access on a Windows 7
> > Pro box. The target data is contained in a Microsoft Excel 2007 file which
> > is protected by Microsoft Office's AES encryption. I have tried
> > brute-forcing the password with no success.
> >
> > At times the file is opened by the user. If I dump and analyse the process
> > memory it seems the file is decrypted there but I was wondering if it is
> > possible to take that data from memory and create a useable Microsoft
> Excel
> > file without the encryption? If there are forensic tools that can do this
> > I'd prefer FOSS but it is good to know of commercial options too.
> >
> > FYI, I have already recorded keystrokes entered by the user to decrypt the
> > file. This is really just an exercise in seeing how far I can take
> > post-exploitation.
> >
> > Any thoughts?
> >
> > Cheers,
> >
> > Wicky

-- 
Sent from my mobile device
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com