To answer my own question on AutoSave via the default location of C:\Users\username\AppData\Roaming\Microsoft\Excel - it seems the autosave is also encrypted.
T

On Thu, Sep 8, 2011 at 9:31 PM, <[email protected]> wrote:
> This bit of commandline kung-fu is quite useful when dealing with tools
> like foremost and scalpel:
> http://blog.commandlinekungfu.com/2010/07/episode-105-file-triage.html
>
> --
> byte_bucket
>
> > Create a memory dump, then run it through "foremost" or "scalpel"? This
> > works for jpg and the like.
> >
> > If this works, beware that xlsx files will show up as "zip" files when
> > carved by these tools.
> >
> > Interesting experiment! Sharing the results with us will be highly
> > appreciated.
> >
> > Sherif eldeeb.
> >
> > On Sep 8, 2011 11:56 PM, "Marc Wickenden" <[email protected]> wrote:
> >> I wondered if anyone had any experience "carving" MS Office files out of
> >> memory on a Windows box. Specifically I have SYSTEM access on a Windows 7
> >> Pro box. The target data is contained in a Microsoft Excel 2007 file which
> >> is protected by Microsoft Office's AES encryption. I have tried
> >> brute-forcing the password with no success.
> >>
> >> At times the file is opened by the user. If I dump and analyse the process
> >> memory it seems the file is decrypted there but I was wondering if it is
> >> possible to take that data from memory and create a useable Microsoft Excel
> >> file without the encryption? If there are forensic tools that can do this
> >> I'd prefer FOSS but it is good to know of commercial options too.
> >>
> >> FYI, I have already recorded keystrokes entered by the user to decrypt the
> >> file. This is really just an exercise in seeing how far I can take
> >> post-exploitation.
> >>
> >> Any thoughts?
> >>
> >> Cheers,
> >>
> >> Wicky
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
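An added example, not part of any message in the thread: a triage pass over carver output that separates xlsx files from the other "zip" hits mentioned above, and flags blobs that are still in the encrypted OLE container Office uses for password-protected OOXML files. File names and sample blobs are constructed, and the `EncryptedPackage` substring check is a heuristic rather than a full OLE directory parse.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                       # ZIP local file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # OLE names are UTF-16LE
# Part names that identify the OOXML document type inside the ZIP.
OOXML_PARTS = {"xl/workbook.xml": "xlsx", "word/document.xml": "docx",
               "ppt/presentation.xml": "pptx"}


def classify_carved(blob: bytes) -> str:
    """Label one carved blob by container and, for OOXML, document type."""
    if blob.startswith(OLE_MAGIC):
        # Heuristic: a password-protected OOXML file keeps its payload in an
        # OLE stream named EncryptedPackage, so it never carves as a ZIP.
        return "ooxml-encrypted" if ENC_STREAM in blob else "ole"
    if not blob.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip-damaged"  # truncated carve: end-of-archive record missing
    if "[Content_Types].xml" not in names:
        return "zip"  # ordinary archive, not an Office document
    for part, label in OOXML_PARTS.items():
        if part in names:
            return label
    return "ooxml-other"


def _make_zip(names):
    """Build a small in-memory ZIP holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "<x/>")
    return buf.getvalue()


# Constructed samples standing in for carver output (not real documents).
SAMPLES = {
    "00001.zip": _make_zip(["[Content_Types].xml", "xl/workbook.xml"]),
    "00002.zip": _make_zip(["[Content_Types].xml", "word/document.xml"]),
    "00003.zip": _make_zip(["notes.txt"]),
    "00004.zip": _make_zip(["[Content_Types].xml", "xl/workbook.xml"])[:-30],
    "00005.ole": OLE_MAGIC + bytes(504) + ENC_STREAM,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_carved(blob)}")
```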
