Hi all,
I can't quite see what's wrong with my logic here, but I must be missing something.
Hoping someone can help me out.
I'm looking for a private key in a memory sample (WinXPSP2x86).
Specifically, to find out which process/es is/are accessing it.
I can find the key by searching the raw memory dump (memory.dmp).
As you might expect it's between:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
I generated an offset:string file by using strings.
Then, using the strings plugin, I get this output:
$ python vol.py -f memory.dmp --profile=WinXPSP2x86 strings -s pk.txt
Volatility Foundation Volatility Framework 2.4
188435934 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
188435968 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
317375704 [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY-----
317376575 [kernel:d2ab283f] -----END RSA PRIVATE KEY-----
417203416 [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY-----
417204287 [123:75b6b83f] -----END RSA PRIVATE KEY-----
419888606 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
419888640 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
Lovely. So I now do a memdump of process 123:
$ python vol.py -f memory.dmp --profile=WinXPSP2x86 memdump --pid=123 --dump-dir=123
Volatility Foundation Volatility Framework 2.4
************************************************************************
Writing myapp.exe [ 123] to 123.dmp
However, if I search 123.dmp, neither the BEGIN nor the END string is present.
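For readers following the same workflow, here is an added example (not the poster's code and not part of Volatility) of the first step in the post: scanning a raw dump for the PEM markers, emitting the decimal offset:string lines that the Volatility 2 strings plugin reads via -s (the same form as the output shown above), and carving each BEGIN/END pair so the physical offsets can be compared against the per-process view. The dump content is constructed in the block with a base64 placeholder, not a real key; the stray unpaired BEGIN is included deliberately so the pairing logic has something to reject.

```python
import base64

# PEM armour lines exactly as they appear in the post.
BEGIN = b"-----BEGIN RSA PRIVATE KEY-----"
END = b"-----END RSA PRIVATE KEY-----"


def find_markers(dump):
    """Return a sorted list of (physical_offset, marker) for every ASCII BEGIN/END hit."""
    hits = []
    for marker in (BEGIN, END):
        start = 0
        while True:
            idx = dump.find(marker, start)
            if idx < 0:
                break
            hits.append((idx, marker))
            start = idx + 1
    return sorted(hits)


def strings_file_lines(dump):
    """Lines in the offset:string form that `vol.py strings -s` consumes (decimal offset)."""
    return ["%d:%s" % (off, marker.decode("ascii")) for off, marker in find_markers(dump)]


def carve_pem_blocks(dump, max_len=16384):
    """Pair each BEGIN with the next END.

    Returns (blocks, unpaired): blocks is a list of (begin_off, end_off, raw_bytes);
    unpaired lists BEGIN offsets that were superseded by a later BEGIN before any END
    was seen, or whose END lay more than max_len bytes away.
    """
    blocks, unpaired, pending = [], [], None
    for off, marker in find_markers(dump):
        if marker == BEGIN:
            if pending is not None:
                unpaired.append(pending)      # earlier BEGIN never closed
            pending = off
        elif pending is not None:
            if off - pending <= max_len:
                blocks.append((pending, off, dump[pending:off + len(END)]))
            else:
                unpaired.append(pending)
            pending = None
    if pending is not None:
        unpaired.append(pending)
    return blocks, unpaired


def build_sample_dump():
    """Constructed stand-in for memory.dmp: filler, one key block, a stray BEGIN, a second block."""
    body = base64.b64encode(b"constructed placeholder, not a real key " * 6)
    body = b"\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    pem = BEGIN + b"\n" + body + b"\n" + END + b"\n"
    return (b"\x00" * 1000 + pem          # first block at physical offset 1000
            + b"\xff" * 500 + BEGIN + b"\n" + b"\x00" * 300  # unpaired BEGIN
            + pem)                        # second block


if __name__ == "__main__":
    dump = build_sample_dump()
    # Write this to a file and pass it as `strings -s <file>` to map offsets to pids.
    for line in strings_file_lines(dump):
        print(line)
    blocks, unpaired = carve_pem_blocks(dump)
    for begin_off, end_off, raw in blocks:
        print("block at %d..%d (%d bytes)" % (begin_off, end_off, len(raw)))
    print("unpaired BEGIN markers:", unpaired)
```

Against a real dump, replace build_sample_dump() with open("memory.dmp", "rb").read() (or a chunked scan for large files); the offsets printed are physical and are what the strings plugin translates into the [pid:vaddr] or [kernel:vaddr] annotations seen in the post.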