Hey Massimo,
Welcome to the Volatility community!
I would start by seeing if the password is even in memory -- I have
never looked at ChatSecure specifically, but many other "secure" apps
will wipe/zero the password from memory after it is used. This will
effectively kill the password from process memory, so at that point you
have to hope the password is left over in kernel memory, but that is
difficult too b/c you don't know what to search for initially.
So to start - I would use the linux_yarascan plugin like this:
python vol.py -f ... --profile=... linux_yarascan -Y "THE PASSWORD"
The yarascan plugin will then scan process and kernel memory looking for
where "THE PASSWORD" is in memory. For any hits, it will report the
process (PID), virtual address, and some context of the hit. Assuming
this is testing and you use a temp password, feel free to paste the
output if any hits are found and I can explain them to you.
Thanks,
Andrew (@attrc)
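The search Andrew describes, as an added illustration that is not code from this thread or from Volatility: a small Python stand-in that runs a yarascan-style string search over a constructed flat memory buffer, checks both the raw ASCII bytes and the UTF-16LE form that Java/Dalvik String objects keep in memory, prints hits with a hexdump context, and shows that a buffer the app has zeroed after use yields no hits. The password, buffer layout and offsets are all constructed for the example; a real dump would also need the plugin's walk of each process address space.

```python
import re

def patterns(needle):
    """Byte encodings to look for: raw ASCII, plus UTF-16LE because Java/Dalvik
    String objects keep their characters as UTF-16 (an ASCII-only search misses
    a password that only survives inside a java.lang.String)."""
    return {"ascii": needle.encode("ascii"),
            "utf16le": needle.encode("utf-16-le")}

def hexdump(data, base, width=16):
    """Render bytes as offset / hex / printable columns, like yarascan's context."""
    rows = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexcol = " ".join(f"{b:02x}" for b in chunk)
        txtcol = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"0x{base + i:08x}  {hexcol:<{width * 3}} {txtcol}")
    return rows

def scan(image, needle, context=32):
    """Return every hit of `needle` in `image` with its offset, encoding and a
    16-byte-aligned hexdump of the surrounding bytes."""
    hits = []
    for enc, pat in patterns(needle).items():
        for m in re.finditer(re.escape(pat), image):
            off = m.start()
            start = off - (off % 16)            # align the context window to a row
            hits.append({"offset": off, "encoding": enc,
                         "context": hexdump(image[start:start + context], start)})
    return sorted(hits, key=lambda h: h["offset"])

def build_image(password, wiped):
    """Constructed stand-in for a process memory dump: filler, an ASCII copy of
    the password, more filler, a UTF-16LE copy, more filler. With wiped=True both
    copies are overwritten with zeros, as a careful app would do after use."""
    filler = bytes(range(256)) * 8            # 2 KiB of bytes that cannot match
    a, u = password.encode("ascii"), password.encode("utf-16-le")
    if wiped:
        a, u = b"\x00" * len(a), b"\x00" * len(u)
    return filler + a + filler + u + filler

if __name__ == "__main__":
    pw = "TestPass-2016"                     # temp password used only for this test
    for h in scan(build_image(pw, wiped=False), pw):
        print(f"hit: offset 0x{h['offset']:x} ({h['encoding']})")
        print("\n".join(h["context"]))
    print("after wipe:", scan(build_image(pw, wiped=True), pw))
```

If only the UTF-16LE form shows up, the plain `-Y "THE PASSWORD"` search would have reported nothing even though the secret is still resident.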
On 04/29/2016 10:53 AM, Massimo Canonico wrote:
Hi all,
I'm new to Volatility, so sorry if this question does not fit the purpose
of this mailing list.
I was starting to play with LiME (Linux Memory Extract)[1] and I was able
to dump a memory image of an Android Emulator where ChatSecure[2] was
running.
ChatSecure asked for a master password at the first run and this password is
stored by using a library called CacheWord [3].
Here the question: in order to find out if ChatSecure stores this
password in memory, how should I use volatility?
A doc/tutorial link or any suggestion is more than welcome.
Thanks,
Massimo
[1] https://github.com/504ensicsLabs/LiME
[2] https://github.com/guardianproject/ChatSecureAndroid
[3] https://github.com/guardianproject/cacheword
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users