Memory can be acquired via a number of means, perhaps the easiest being DMA access over PCI with something like PCILeech https://github.com/ufrisk/pcileech "PCILeech uses PCIe hardware devices to read and write target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system"
USB3380EVB (USB3380 Evaluation Board) http://www.hwtools.net/Adapter/USB3380EVB.html
PicoDMA: DMA Attacks at Your Fingertips - https://www.youtube.com/watch?v=j8pCjgaByVo https://i.blackhat.com/USA-19/Wednesday/us-19-Sandin-PicoDMA-DMA-Attacks-At-Your-Fingertips.pdf
https://shop.lambdaconcept.com/home/40-screamer-m2.html "Screamer M.2 replaces PCIe Screamer R02 with an M.2 form factor and PCIe x4 connectivity"
It may be possible to exploit a software vulnerability in order to gain access to install LeechAgent https://blog.frizk.net/2019/04/LeechAgent.html
"The LeechAgent is a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments."
There is even a possibility you can get fancy and exploit the IME for DMA access. That is way beyond the scope of this document however! https://github.com/ptresearch/IntelTXE-PoC IME of course "has full access to the whole DRAM (by using its own DMA engine)" https://www.blackhat.com/docs/us-17/thursday/us-17-Evdokimov-Intel-AMT-Stealth-Breakthrough-wp.pdf
"Intel Management Engine (Intel ME) is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices. Therefore, Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform... By exploiting the vulnerability that we found in the bup module, we were able to turn on a mechanism, PCH red unlock, that opens full access to all PCH devices for their use via the DFx chain—in other words, using JTAG. One such device is the x86 ME processor itself, and so we obtained access to its internal JTAG interface. With such access, we could debug code executed on ME, read memory of all processes and the kernel, and manage all devices inside the PCH. We found a total of about 50 internal devices to which only ME has full access, while the main processor has access only to a very limited subset of them." https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
https://www.synacktiv.com/posts/pentest/practical-dma-attack-on-windows-10.html "In order to proceed to a straightforward DMA attack, many prerequisites must be met"
A number of academic articles on attacking TrueCrypt seem applicable, there was so much news hype on weaknesses within the platform. How do they play out in the real world? How do they impact Sega's implementation? Lets examine a few of the papers: Detecting the use of TrueCrypt - http://docs.media.bitpipe.com/io_10x/io_102267/item_885954/RH%203%20Davies.pdf "Of greatest use to a forensic investigator is the Registry location “HKEY_ LOCAL_MACHINE \system\MountedDevices”. The data stored in this key could confirm that a mounted volume is indeed a TrueCrypt volume. But it does not differentiate between the standard and hidden TrueCrypt volume types"
Error Correction and the Cryptographic Key - ftp://ftp.cs.princeton.edu/techreports/2011/897.pdf "LRW implementations commonly precompute a large multiplication table generated from the tweak key, each entry of which is generated by shifting and possibly XORing with a known value. An entire multiplication table will contain many copies of nearly all of the bits of K2... rueCrypt 4 precomputes a 4048-byte multiplication table consisting of 16 blocks of 16 lines of 4 words of 4 bytes each. Line 0 of block 14 contains the tweak key... The multiplication table is generated line by line from the LRW key by iteratively applying the shift-and-XOR multiply function to generate four new values, and then XORing all combinations of these four values to create 16 more lines of the table."
"From 2004 to 2006, drafts of the P1619 standards used the Advanced Encryption Standard (AES) in LRW mode. In the 30 Aug 2006 meeting of the SISWG, a straw poll showed that most members would not approve P1619 as it was" https://en.wikipedia.org/wiki/IEEE_P1619#LRW_issue
"RE: pay attention to P1619 so-called 'Pink herrings'" - https://web.archive.org/web/20160303184448/http://grouper.ieee.org/groups/1619/email/msg00923.html
"P1619: how serious is the leak of K2?" https://web.archive.org/web/20170405155232/http://grouper.ieee.org:80/groups/1619/email/msg00962.html
https://citp.princeton.edu/our-work/memory/code "These prototype applications are intended to illustrate the techniques described in the paper (Error Correction and the Cryptographic Key)"
Security Analysis of TrueCrypt 7.0a with an Attack on the Keyfile Algorithm - https://cyberside.net.ee/truecrypt/misc/truecrypt_7.0a-analysis-en.pdf "Up to version 4.0 TrueCrypt applied the Cipher Block Chaining mode (CBC)... This mode, however, has considerable weaknesses if applied in the context of a volume encryption... In order to close that security breach TrueCrypt replaced the CBC mode with the LRW mode in version 4.1. The CBC mode was further supported for backward compatibility but new containers were only created with the LRW mode. The LRW mode is named after its inventers Liskov, Rivest and Wagner . In this mode a second key of the same length as the block length is multiplied with a block counter in a Galois field and the result of this mathematical operation is added as well to the plain text before encryption of the block as to the cipher text after that encryption... In version 5.0 TrueCrypt introduced the XTS mode as a replacement for the LRW mode . The XTS mode is a slight modification of the LRW mode designed to compensate for a theoretical little weakness of the LRW mode"
Mastering TrueCrypt: Windows 8 and Server 2012 Memory Forensics - https://downloads.volatilityfoundation.org/omfw/2013/OMFW2013_Ligh.pdf "Force it to use ./master.key which came from the RAM dump... Patch based on code by Michael Weissbacher hpp://mweissbacher.com/blog/tag/truecrypt/"
#TrueCrypt PlaidCTF Writeup: Fun with Firewire - https://mweissbacher.com/tag/truecrypt "Remember that TrueCrypt first decrypts the header with the password, and then reads the AES-key from the decrypted header. Reading in the header is done in Volume/VolumeHeader.cpp:VolumeHeader::Deserialize(.,.,.). We patch the code there, right after the master and secondary key was read from the decrypted header, and replace it with the hard-coded key value we found in the previous step"
A Security Analysis of TrueCrypt: Detecting hidden volumes and operating systems - https://www.ma.rhul.ac.uk/static/techrep/2014/RHUL-MA-2014-10.pdf "TrueCrypt system volume layout containing a hidden operating system... "
truecrypt second encryption of the master and XTS key with a back door password - https://security.stackexchange.com/questions/19764/truecrypt-second-encryption-of-the-master-and-xts-key-with-a-back-door-password "Since version 4.2a the format of TrueCrypt headers changed three times with the versions 5.0, 6.0 and 7.0"
TrueCrypt Master Key Extraction And Volume Identification - https://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html "The truecryptsummary plugin gives you a detailed description of all TrueCrypt related artifacts in a given memory dump."
TrueCrypt Security: Securing Yourself against Practical TrueCrypt Attacks - https://resources.infosecinstitute.com/defeating-truecrypt-practical-attacks-truecrypt-security/#gref "‘Aeskeyfind’ implements this approach, and we use it to search for AES keys in our memory image... Alternatively, you can use ‘bulk extractor’ to locate keys in memory... We now need to “patch” TrueCrypt so that it accepts the discovered AES keys. Here, we have patched TrueCrypt 7.1. For this purpose, we modify the ‘VolumeHeader.cpp’ file and hard code the AES keys in there"
Recovery of Encryption Keys from Memory Using a Linear Scan - https://www.researchgate.net/publication/221548532_Recovery_of_Encryption_Keys_from_Memory_Using_a_Linear_Scan "TrueCrypt encrypted containers appear to contain nothing but random data and have no file signature. However, the first 512 bytes of a TrueCrypt container are actually a header, but are encrypted using a Header Key so still appears to be random data... TrueCrypt decrypts the header using a user-supplied password or keyfile, salt from offset 0-64 (bytes) and then the process of trial and error using different encryption and key derivation algorithms, modes of encryption (CBC, LRW etc.) and key derivation algorithms. Successful decryption of the header is when bytes 64-68 decrypt to the ASCII string ‘TRUE’. The entire header is then decrypted which in the case of LRW mode, contains the Master Key and Secondary Master Key (Tweak Key) needed to decrypt the actual contents of the container, from the ‘Data Area’ which begins at offset 512."
The following tools also provide intellectual reading on the subject at hand. tckfs: This tool seeks asynchronously TrueCrypt key file using combinations of provided key files with provided password. - https://github.com/Octosec/tckfc Untrue: Tool for checking passwords against TrueCrypt encrypted volumes and disks, and/or decrypting the data. - https://github.com/nccgroup/Untrue Master Key Decryptor: is a python script to assist with decrypting encrypted volumes using the recovered masterkey for various truecrypt type encrypted volumes. https://github.com/AmNe5iA/MKDecrypt Truecrypt volume parsing library - https://github.com/4144414D/pytruecrypt Interrogate: https://sourceforge.net/projects/interrogate/ Bulk Extractor: https://github.com/simsong/bulk_extractor.git Aes-Finder: https://github.com/mmozeiko/aes-finder.git AesKeyFind: https://github.com/makomk/aeskeyfind Stark aes_keyschedule: https://github.com/SideChannelMarvels/Stark/blob/master/aes_keyschedule.c
"I have used the Truecrypt plugins in Volatility but they simply do not work" https://www.forensicfocus.com/Forums/viewtopic/p=6582443/
We can use Volatility framework to examine a memory dump. https://github.com/volatilityfoundation/volatility/wiki/Command-Reference This shows the lineage of the processes
$ python vol.py -f /Volumes/UNTITLED11/memdump.raw pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x8a711a00:System 4 0 80 2636 1970-01-01 00:00:00 UTC+0000
...
..... 0x89ff49e0:mxstartup.exe 252 1212 0 ------ 2020-05-05 08:28:12 UTC+0000
...... 0x89f04838:mxmaster.exe 488 252 3 61 2020-05-05 08:28:13 UTC+0000
....... 0x89efe898:mxstorage.exe 512 488 1 36 2020-05-05 08:28:13 UTC+0000
....... 0x89ef67e8:nxMount.exe 520 488 1 32 2020-05-05 08:28:13 UTC+0000
....... 0x89e91368:mxgcatcher.exe 640 488 2 41 2020-05-05 08:28:15 UTC+0000
....... 0x89e9cbc8:mxgdeliver.exe 292 488 2 44 2020-05-05 08:28:15 UTC+0000
....... 0x89ef7b98:mxnetwork.exe 504 488 1 68 2020-05-05 08:28:13 UTC+0000
....... 0x89e9d578:mxgfetcher.exe 476 488 3 44 2020-05-05 08:28:15 UTC+0000
....... 0x89ef9598:mxkeychip.exe 496 488 1 677 2020-05-05 08:28:13 UTC+0000
....... 0x89e95880:mxinstaller.exe 632 488 6 53 2020-05-05 08:28:15 UTC+0000
....... 0x89deb748:nxAuth.exe 2068 488 3 105 2020-05-05 08:28:41 UTC+0000
$ python vol.py -f /Volumes/UNTITLED11/memdump.raw truecryptsummary
Volatility Foundation Volatility Framework 2.6.1
Service truecrypt state SERVICE_RUNNING
Kernel Module truecrypt.sys at 0xb31f8000 - 0xb3225000
Symbolic Link P: -> \Device\TrueCryptVolumeP mounted 2020-05-05 08:28:36 UTC+0000
Symbolic Link Volume{556d4862-8eaa-11ea-93eb-00d0f1164195} -> \Device\TrueCryptVolumeO mounted 2020-05-05 08:28:35 UTC+0000
Symbolic Link P: -> \Device\TrueCryptVolumeP mounted 2020-05-05 08:28:36 UTC+0000
Symbolic Link S: -> \Device\TrueCryptVolumeS mounted 2020-05-05 08:28:13 UTC+0000
Symbolic Link O: -> \Device\TrueCryptVolumeO mounted 2020-05-05 08:28:36 UTC+0000
Symbolic Link Volume{556d485f-8eaa-11ea-93eb-00d0f1164195} -> \Device\TrueCryptVolumeS mounted 2020-05-05 08:28:13 UTC+0000
Symbolic Link S: -> \Device\TrueCryptVolumeS mounted 2020-05-05 08:28:13 UTC+0000
Symbolic Link Volume{556d4862-8eaa-11ea-93eb-00d0f1164195} -> \Device\TrueCryptVolumeO mounted 2020-05-05 08:28:35 UTC+0000
Symbolic Link P: -> \Device\TrueCryptVolumeP mounted 2020-05-05 08:28:36 UTC+0000
Symbolic Link Volume{556d4863-8eaa-11ea-93eb-00d0f1164195} -> \Device\TrueCryptVolumeP mounted 2020-05-05 08:28:36 UTC+0000
Symbolic Link O: -> \Device\TrueCryptVolumeO mounted 2020-05-05 08:28:35 UTC+0000
Symbolic Link P: -> \Device\TrueCryptVolumeP mounted 2020-05-05 08:28:36 UTC+0000
Symbolic Link S: -> \Device\TrueCryptVolumeS mounted 2020-05-05 08:28:13 UTC+0000
...
File Object \Device\TrueCryptVolumeP\RE2multi\menu\imageformats\qico.dll at 0x9947360
File Object \Device\TrueCryptVolumeO\Games\Blade Arcus from Shining [SDAF]\Blade-Arcus-from-Shining.jpg at 0x994d778
File Object \Device\TrueCryptVolumeP\RE2multi\menu\theme\CyberPunk\480p.style at 0x994dc58
File Object \Device\TrueCryptVolumeP᱘E2multi\assets\JVSDll.dll at 0x994e648
File Object \Device\TrueCryptVolumeP\RE2multi\assets\JVSDll.dll at 0x994e778
File Object \Device\TrueCryptVolumeP\RE2multi\menu\imageformats\qjpeg.dll at 0x994e980
File Object \Device\TrueCryptVolumeP孠E2multi\menu\plugins\video_output\libdirect2d_plugin.dll at 0x994ea80
File Object \Device\TrueCryptVolumeP\RE2multi\menu\plugins\video_output\libcaca_plugin.dll at 0x994eb18
File Object \Device\TrueCryptVolumeP鄈�multi\menu\plugins\video_output\libyuv_plugin.dll at 0x994f260
File Object \Device\TrueCryptVolumeP\RE2multi\menu\plugins\video_output\libwingdi_plugin.dll at 0x994f2f8
File Object \Device\TrueCryptVolumeP䞈៰multi\menu\plugins\video_output\libwingdi_plugin.dll at 0x994f570
File Object \Device\TrueCryptVolumeP\RE2multi\menu\theme\CyberPunk\bg_480p.jpg at 0x994f980
File Object \Device\TrueCryptVolumeP\RE2multi\menu\plugins\video_output\libglwin32_plugin.dll at 0x994fb80
File Object \Device\TrueCryptVolumeP\RE2multi\menu\plugins\video_output\libyuv_plugin.dll at 0x9951300
File Object \Device\TrueCryptVolumeP\RE2multi\menu\plugins\plugins.dat at 0x9951ae8
...
File Object \Device\TrueCryptVolumeP\RE2multi\menu\plugins\access\librar_plugin.dll at 0xa1ed2a8
File Object \Device\TrueCryptVolumeP\RE2multi\menu\plugins\access\libudp_plugin.dll at 0xa1edb68
Driver \Driver\truecrypt at 0x9c56d78 range 0xb31f8000 - 0xb3224340
Device TrueCryptVolumeP at 0x8a645030 type FILE_DEVICE_DISK
Container Path: <HIDDEN>
Device TrueCryptVolumeO at 0x8a644808 type FILE_DEVICE_DISK
Container Path: \??\C:\Documents and Settings\k8team\Start Menu\Programs\Startup\desktop.ini?
Device TrueCryptVolumeS at 0x89f06030 type FILE_DEVICE_DISK
Container Path: \??\C:\System\Execute\System
Device TrueCrypt at 0x89f9bcb0 type FILE_DEVICE_UNKNOWN
$ python vol.py -f /Volumes/UNTITLED11/memdump.raw dumpfiles --dump-dir /tmp/zzzz
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x8a11ab50 4 \Device\HarddiskVolume1\WINDOWS\system32\config\SYSTEM
SharedCacheMap 0x8a11ab50 4 \Device\HarddiskVolume1\WINDOWS\system32\config\SYSTEM
DataSectionObject 0x8a0abdd0 4 \Device\HarddiskVolume1\WINDOWS\system32\config\DEFAULT
SharedCacheMap 0x8a0abdd0 4 \Device\HarddiskVolume1\WINDOWS\system32\config\DEFAULT
DataSectionObject 0x8a0a9af0 4 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
SharedCacheMap 0x8a0a9af0 4 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
DataSectionObject 0x8a610a10 4 \Device\HarddiskVolume1\WINDOWS\system32\config\SOFTWARE
SharedCacheMap 0x8a610a10 4 \Device\HarddiskVolume1\WINDOWS\system32\config\SOFTWARE
DataSectionObject 0x8a134a50 4 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
SharedCacheMap 0x8a134a50 4 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
...
ImageSectionObject 0x89f88618 496 \Device\TrueCryptVolumeS\mxkeychip.exe
DataSectionObject 0x89f88618 496 \Device\TrueCryptVolumeS\mxkeychip.exe
ImageSectionObject 0x89f866d0 504 \Device\TrueCryptVolumeS\mxnetwork.exe
DataSectionObject 0x89f866d0 504 \Device\TrueCryptVolumeS\mxnetwork.exe
ImageSectionObject 0x89efb318 512 \Device\TrueCryptVolumeS\mxstorage.exe
DataSectionObject 0x89efb318 512 \Device\TrueCryptVolumeS\mxstorage.exe
ImageSectionObject 0x89f02b80 520 \Device\TrueCryptVolumeS\nxMount.exe
DataSectionObject 0x89f02b80 520 \Device\TrueCryptVolumeS\nxMount.exe
ImageSectionObject 0x89e9f768 632 \Device\TrueCryptVolumeS\mxinstaller.exe
DataSectionObject 0x89e9f768 632 \Device\TrueCryptVolumeS\mxinstaller.exe
ImageSectionObject 0x89e9c2b8 640 \Device\TrueCryptVolumeS\mxgcatcher.exe
DataSectionObject 0x89e9c2b8 640 \Device\TrueCryptVolumeS\mxgcatcher.exe
ImageSectionObject 0x8a5e3c28 476 \Device\TrueCryptVolumeS\mxgfetcher.exe
DataSectionObject 0x8a5e3c28 476 \Device\TrueCryptVolumeS\mxgfetcher.exe
ImageSectionObject 0x89e98358 292 \Device\TrueCryptVolumeS\mxgdeliver.exe
DataSectionObject 0x89e98358 292 \Device\TrueCryptVolumeS\mxgdeliver.exe
...
$ file /tmp/zzzz/*
/tmp/zzzz/file.1044.0x89fa3490.img: PE32 executable (DLL) (console) Intel 80386, for MS Windows
/tmp/zzzz/file.1044.0x8a098380.img: PE32 executable (GUI) Intel 80386, for MS Windows
/tmp/zzzz/file.1100.0x89fa30c8.img: PE32 executable (DLL) (console) Intel 80386, for MS Windows
/tmp/zzzz/file.1100.0x89ff9b08.dat: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
/tmp/zzzz/file.1100.0x8a0ae738.img: PE32 executable (DLL) (console) Intel 80386, for MS Windows
/tmp/zzzz/file.1100.0x8a0b13e0.img: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
/tmp/zzzz/file.1100.0x8a605290.img: PE32 executable (DLL) (console) Intel 80386, for MS Windows
/tmp/zzzz/file.1100.0x8a690f30.img: PE32 executable (DLL) (console) Intel 80386, for MS Windows
...
One theoretical way to obtain an unencrypted TrueCrypt image is by using the master key pulled from memory.
./Common/Crypto.h:226: unsigned __int8 master_keydata[MASTER_KEYDATA_SIZE]; /* ... For LRW (deprecated/legacy), it contains the tweak key before the master key(s). */
Take a memory dump by using mdd.exe, then lets search it for AES keys.
$ src/bulk_extractor -o /tmp/TC_keys -E aes /Volumes/UNTITLED11/memdump.raw
bulk_extractor version: 1.6.0
Hostname: xxx
Input file: /Volumes/UNTITLED11/memdump.raw
Output directory: /tmp/TC_keys
Disk Size: 2070982656
Threads: 4
Attempt to open /Volumes/UNTITLED11/memdump.raw
16:02:40 Offset 67MB (3.24%) Done in 0:01:05 at 16:03:45
16:02:42 Offset 150MB (7.29%) Done in 0:00:53 at 16:03:35
...
MD5 of Disk Image: f1b7aef524504e1253bc1299d6d5e6cf
Phase 2. Shutting down scanners
Phase 3. Creating Histograms
Elapsed time: 51.3567 sec.
Total MB processed: 2070
Overall performance: 40.3254 MBytes/sec (10.0814 MBytes/sec/thread)
$ cat /tmp/TC_keys/aes_keys.txt
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.6.0 ($Rev: 10844 $)
# Feature-Recorder: aes_keys
# Filename: /Volumes/UNTITLED11/memdump.raw
# Feature-File-Version: 1.1
161230888 5c 52 f8 f0 ec 65 38 dc bc 94 6d 70 41 b0 84 f1 4f ea f9 54 5f 28 a3 e9 ac f7 01 16 3c c4 83 43 AES256
161427496 0d 0f cf 25 93 61 00 36 25 f7 cd 26 df 74 cd 22 e7 c2 41 3d 4a 90 e3 b9 9c 45 2e 8d 69 a7 c4 45 AES256
163037224 f3 5c 32 3e 77 d8 81 b7 f3 45 a0 c8 c4 ba 16 8e a4 5a 3b 43 b3 25 1b a2 e6 bb 25 1f 51 8e a6 2b AES256
1825566060 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f AES256
1942490476 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f AES256
2019151212 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f AES256
$ ./aeskeyfind -t 50 -v /Volumes/UNTITLED11/memdump.raw
Keyfind progress: 0%
FOUND POSSIBLE 256-BIT KEY AT BYTE 99c3028
KEY: 5c52f8f0ec6538dcbc946d7041b084f14feaf9545f28a3e9acf701163cc48343
EXTENDED KEY:
5c52f8f0ec6538dcbc946d7041b084f1
4feaf9545f28a3e9acf701163cc48343
41bee21baddbdac7114fb7b750ff3346
1cfc3a0e43d499e7ef2398f1d3e71bb2
d711d57d7aca0fba6b85b80d3b7a8b4b
fe2607bdbdf29e5a52d106ab81361d19
d6b50171ac7f0ecbc7fab6c6fc803d8d
4eeb20e0f319bebaa1c8b81120fea508
65b331c6c9cc3f0d0e3689cbf2b6b446
c7a5adba34bc13009574ab11b58a0e19
0b18e513c2d4da1ecce253d53e54e793
7585396641392a66d44d817761c78f6e
ed6b7afc2fbfa0e2e35df337dd0914a4
b484c32ff5bde94921f0683e4037e750
37ff29f518408917fb1d7a2026146e84
CONSTRAINTS ON ROWS:
0000001400000000000000000000000000000000000000000000000000000000
0000009900000000000000000000000000000000000000000000000000000000
000000f300000000000000000000000000000000000000000000000000000000
0000004800000000000000000000000000000000000000000000000000000000
0000002a00000000000000000000000000000000000000000000000000000000
0000001000000000000000000000000000000000000000000000000000000000
000000f6000000000000000000000000
3531f08e4ba2466d72eaf0e0ae086d7cec3596d9394d8c2c8e95b8b7bec5eb84
029086c67ec9a2027011adbf75f6a1feb08153874ef6869ca47a0c37902307b4
14afee4f0828648045decc8d05e70c41f4f5a4fffd983fb69f08b6e534590b83
fe38635b943d818e9c13b8274039c0cc5ce4ff6e225aa69f4121a6f4ab51bd66
07b56cfbc4681f781f4b86d5dc2a78eb0e4e34067feab1ea916abe38ea701b92
902530d818631955b2c11adfc361fe3e90ecbcf4fcda64b7538822917b1aa5aa
9450c89d1b14e4edc9eafa0571a0e4e142bcde268a434ebf2880f951cb00d419
$ ./interrogate -a aes -k 256 /Volumes/UNTITLED11/memdump.raw
Interrogate Copyright (C) 2008 Carsten Maartmann-Moe <carmaa@gmail.com>
This program comes with ABSOLUTELY NO WARRANTY; for details use `-h'.
This is free software, and you are welcome to redistribute it
under certain conditions; see bundled file licence.txt for details.
Using key size: 256 bits.
Using input file: /Volumes/UNTITLED11/memdump.raw.
Attempting to load entire file into memory, please stand by...
Success, starting search.
--------------------------------------------------------------------------------
Found (probable) AES key at offset 099c3028:
5c 52 f8 f0 ec 65 38 dc bc 94 6d 70 41 b0 84 f1
4f ea f9 54 5f 28 a3 e9 ac f7 01 16 3c c4 83 43
Expanded key:
5c 52 f8 f0 ec 65 38 dc bc 94 6d 70 41 b0 84 f1
4f ea f9 54 5f 28 a3 e9 ac f7 01 16 3c c4 83 43
41 be e2 1b ad db da c7 11 4f b7 b7 50 ff 33 46
1c fc 3a 0e 43 d4 99 e7 ef 23 98 f1 d3 e7 1b b2
d7 11 d5 7d 7a ca 0f ba 6b 85 b8 0d 3b 7a 8b 4b
fe 26 07 bd bd f2 9e 5a 52 d1 06 ab 81 36 1d 19
d6 b5 01 71 ac 7f 0e cb c7 fa b6 c6 fc 80 3d 8d
4e eb 20 e0 f3 19 be ba a1 c8 b8 11 20 fe a5 08
65 b3 31 c6 c9 cc 3f 0d 0e 36 89 cb f2 b6 b4 46
c7 a5 ad ba 34 bc 13 00 95 74 ab 11 b5 8a 0e 19
0b 18 e5 13 c2 d4 da 1e cc e2 53 d5 3e 54 e7 93
75 85 39 66 41 39 2a 66 d4 4d 81 77 61 c7 8f 6e
ed 6b 7a fc 2f bf a0 e2 e3 5d f3 37 dd 09 14 a4
b4 84 c3 2f f5 bd e9 49 21 f0 68 3e 40 37 e7 50
37 ff 29 f5 18 40 89 17 fb 1d 7a 20 26 14 6e 84