Dear Andrew,
thank you very much for your suggestion.
Unfortunately, the command that you suggested did not produce any output
(I tested the same command with "pass" as the string to search for and I saw
some output -- this was just to be sure that volatility and yara are working
correctly). I was wondering if this could be due to the type used to store
the password. I was looking into the source code of ChatSecure and also
asking on the ChatSecure mailing list.
On the ChatSecure mailing list, when I asked whether the password is
stored in memory, they replied to me with this:
By looking around the source code, I think that the actual key is stored
in a byte[] java variable, as suggested by this method:
public byte[] getEncryptionKey() {
    final ICachedSecrets s = getCachedSecrets();
    // Only passphrase-derived secrets expose a key; getEncoded() returns
    // the raw key bytes, not the passphrase text that was typed in.
    if (s instanceof PassphraseSecrets) {
        return ((PassphraseSecrets) s).getSecretKey().getEncoded();
    }
    return null;
}
Maybe I have to figure out how the password that was set is written using
byte[] and then I should try to search for this sequence.
Right now, I do not have many ideas on how to proceed with the investigation,
so any hint/suggestion is more than welcome.
Thanks in advance for your patience and time
Massimo
On 02/05/16 20:10, Andrew Case wrote:
Hey Massimo,
Welcome to the Volatility community!
I would start by seeing if the password is even in memory -- I have
never looked at ChatSecure specifically, but many other "secure" apps
will wipe/zero the password from memory after it is used. This will
effectively kill the password from process memory, so at that point you
have to hope the password is left over in kernel memory, but that is
difficult too b/c you don't know what to search for initially.
So to start - I would use the linux_yarascan plugin like this:
python vol.py -f ... --profile=... linux_yarascan -Y "THE PASSWORD"
The yarascan plugin will then scan process and kernel memory looking for
where "THE PASSWORD" is in memory. For any hits, it will report the
process (PID), virtual address, and some context of the hit. Assuming
this is testing and you use a temp password, feel free to paste the
output if any hits are found and I can explain them to you.
Thanks,
Andrew (@attrc)
On 04/29/2016 10:53 AM, Massimo Canonico wrote:
> Hi all,
> I'm new on volatility so sorry if this question does not fit the purpose
> of this mailing list.
>
> I was starting to play with LiME (Linux Memory Extract)[1] and I was able
> to dump a memory image of an Android Emulator where ChatSecure[2] was
> running.
>
> ChatSecure asked for a master password at the first run and this password is
> stored using a library called CacheWord [3].
>
> Here is the question: in order to find out if ChatSecure stores this
> password in memory, how should I use volatility?
>
> A doc/tutorial link or any suggestion is more than welcome.
>
> Thanks,
> Massimo
>
> [1] https://github.com/504ensicsLabs/LiME
> [2] https://github.com/guardianproject/ChatSecureAndroid
> [3] https://github.com/guardianproject/cacheword
>
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
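The following is an added example, not code from this thread, from Volatility, ChatSecure or CacheWord. It ties Massimo's observation (the key lives in a byte[] returned by getEncoded(), not as the passphrase text) to Andrew's linux_yarascan suggestion: a toy scanner that reports offsets and context the way a string search over a memory image does, run over a constructed image in which the typed passphrase is either left in place or zeroed after use while the derived key bytes stay resident. The PBKDF2 derivation, the salt, the fixed offsets and the pseudo-random filler are all assumptions made for this example; nothing about CacheWord's real parameters or the Android process layout is taken from the page.

```python
# Added example (not from the thread, ChatSecure, CacheWord or Volatility):
# a toy scanner in the spirit of linux_yarascan -Y "<string>", showing why a
# search for the passphrase text can come up empty while the key derived
# from it is still in memory.
import hashlib
import random
from dataclasses import dataclass

PAGE = 4096
PASSPHRASE_OFFSET = 1000   # where the constructed image places the typed passphrase
KEY_OFFSET = 9000          # where it places the derived key (getEncoded()-style bytes)


@dataclass
class Hit:
    offset: int      # offset into the image (yarascan reports PID + virtual address)
    context: bytes   # bytes around the match, like yarascan's hexdump


def scan(image: bytes, pattern: bytes, context: int = 16) -> list:
    """Every offset where `pattern` occurs in `image`, with surrounding bytes."""
    hits = []
    start = 0
    while (idx := image.find(pattern, start)) != -1:
        lo, hi = max(0, idx - context), min(len(image), idx + len(pattern) + context)
        hits.append(Hit(idx, image[lo:hi]))
        start = idx + 1
    return hits


def derive_key(passphrase: str, salt: bytes, iterations: int = 1000) -> bytes:
    """PBKDF2-HMAC-SHA1 stand-in for a passphrase-to-key derivation.
    Algorithm, iteration count and length are assumptions for this example,
    not CacheWord's actual parameters."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


def build_image(passphrase: str, salt: bytes, wipe_passphrase: bool, seed: int = 1):
    """Constructed 'memory image': seeded pseudo-random filler with the
    passphrase text and its derived key written at fixed offsets. With
    wipe_passphrase=True the text is zeroed, as an app that scrubs the
    passphrase after use would leave it, while the key bytes remain."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(4 * PAGE))
    text = passphrase.encode("utf-8")
    key = derive_key(passphrase, salt)
    buf[PASSPHRASE_OFFSET:PASSPHRASE_OFFSET + len(text)] = text
    if wipe_passphrase:
        buf[PASSPHRASE_OFFSET:PASSPHRASE_OFFSET + len(text)] = bytes(len(text))
    buf[KEY_OFFSET:KEY_OFFSET + len(key)] = key
    return bytes(buf), key


def investigate(image: bytes, passphrase: str, salt: bytes) -> dict:
    """Two checks an analyst can run: the passphrase as text (what a plain
    -Y "THE PASSWORD" search looks for) and, when the derivation is known,
    the derived key bytes themselves."""
    key = derive_key(passphrase, salt)
    return {
        "passphrase_hits": [h.offset for h in scan(image, passphrase.encode("utf-8"))],
        "key_hits": [h.offset for h in scan(image, key)],
    }


if __name__ == "__main__":
    salt = b"constructed-salt"
    for wipe in (False, True):
        img, _ = build_image("THE PASSWORD", salt, wipe_passphrase=wipe)
        print("wiped" if wipe else "not wiped", investigate(img, "THE PASSWORD", salt))
```

The point the second run makes is the one Andrew raises: once an app zeroes the passphrase after use, a text search finds nothing, and the only trace left is the derived key, which can be recognised only if the derivation (algorithm, salt, iterations) is known or the key is recovered some other way.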