Rsakeyfind
Overview
Rsakeyfind is a forensic analysis tool that scans memory dumps, core files, hibernation files, and raw binary data to locate RSA private key material. During incident response, memory forensics, and penetration testing, this tool helps identify unencrypted cryptographic keys left in memory by applications, enabling forensic reconstruction of sensitive key material.
Installation
# Install via apt (Debian/Ubuntu - included in Kali)
sudo apt-get install rsakeyfind
# From source (GitHub)
git clone https://github.com/kmesis/rsakeyfind
cd rsakeyfind
gcc -o rsakeyfind rsakeyfind.c
# Manual compilation
gcc -Wall -Werror -O2 rsakeyfind.c -o rsakeyfind
# Verify installation
rsakeyfind --version
which rsakeyfindCore Concepts
RSA Key Structure in Memory:
- RSA private keys contain multiple components (p, q, n, d, dp, dq, qinv)
- Keys maintain specific mathematical relationships that can be detected
- Prime number pairs (p, q) have distinctive patterns
- Large numbers (1024-bit, 2048-bit keys) occupy significant memory
Key Signatures:
- Specific byte patterns identify key components
- Mathematical properties allow verification
- Modulus (n) equals p × q
- Private exponent (d) has known relationships with p and q
Recovery Sources:
- Running process memory (via /proc/[pid]/mem)
- Core dumps from crashed applications
- Swap files and hibernation files
- Disk images and forensic duplicates
- Memory dumps from virtualization snapshots
Basic Usage
| Command | Purpose |
|---|---|
rsakeyfind memory.dump | Scan dump for RSA keys |
rsakeyfind -v memory.dump | Verbose output with details |
rsakeyfind -d memory.dump | Debug mode with extensive logging |
rsakeyfind --help | Display help and options |
Memory Dump Acquisition
Linux Process Memory
# Create memory dump of running process
PID=$(pgrep -f "target_process")
sudo cat /proc/$PID/maps # View memory map
sudo gcore -o core $PID # Create core dump
# Dump entire process memory
sudo dd if=/proc/$PID/mem of=process_memory.dump bs=4096
# Dump with offset and size
sudo dd if=/proc/$PID/mem of=memory.dump bs=1 skip=$START count=$SIZECore Dump Collection
# Enable core dumps
ulimit -c unlimited
# Create core dump on crash
echo "kernel.core_pattern=/tmp/core.%e.%p" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Manually generate core
sleep 100 &
SLEEP_PID=$!
sudo gcore $SLEEP_PIDSwap File Recovery
# Find swap partitions
sudo swapon --show
cat /proc/swaps
# Create dump of swap
sudo dd if=/dev/sda2 of=swap.dump bs=4096 # Example swap partition
# Identify swap location
lsblk # Show block devices
sudo fdisk -l # Show partition detailsHibernation File Recovery
# Windows hibernation file (on Linux filesystem analysis)
strings /mnt/windows/hiberfil.sys > hiberfil_strings.txt
rsakeyfind hiberfil_strings.txt
# Linux hibernation (if using swsusp)
sudo cat /sys/power/image_sizeScanning for Keys
Single File Scan
# Basic scan
rsakeyfind memory.dump
# Verbose mode (more detail)
rsakeyfind -v memory.dump
# Debug mode (maximum detail)
rsakeyfind -d memory.dump
# With output file
rsakeyfind memory.dump > results.txt 2>&1Multiple Dumps
# Scan multiple files
for dump in *.dump; do
echo "=== Scanning $dump ==="
rsakeyfind "$dump" > "${dump}.results.txt"
done
# Parallel scanning
ls *.dump | parallel "rsakeyfind {} > {}.results.txt"Key Identification and Extraction
Output Analysis
# Standard output shows:
# - Offset in file (hex)
# - Key bit length
# - Components found (n, p, q, d, etc.)
# - Confidence level
# Example output:
# found RSA key at offset 0x12345678
# key length: 2048 bits
# components: n e d p qExtracting Keys
# Parse output for offsets
rsakeyfind memory.dump | grep "found RSA key"
# Extract specific key data
rsakeyfind -v memory.dump | grep -E "offset|length|components"
# Count found keys
rsakeyfind memory.dump | grep "found RSA key" | wc -lAdvanced Scanning Techniques
Targeted Offset Scanning
# Scan specific section of dump
rsakeyfind memory.dump --start 0x1000 --end 0x100000
# Jump by offsets (faster for large files)
rsakeyfind memory.dump --offset-jump 0x100Signature-Based Detection
# Look for specific key sizes
rsakeyfind memory.dump --min-keysize 1024
rsakeyfind memory.dump --min-keysize 2048
# Maximum size limitation
rsakeyfind memory.dump --max-keysize 4096Validation and Verification
# Verify found keys
rsakeyfind -v memory.dump | tee scan_output.txt
# Manual verification of key components
strings memory.dump | grep -E "^-----BEGIN RSA"Processing Large Files
Chunked Scanning
#!/bin/bash
# Split large dump into chunks and scan in parallel
DUMP="large_memory.dump"
CHUNK_SIZE=$((512*1024*1024)) # 512MB chunks
split -b $CHUNK_SIZE "$DUMP" chunk_
for chunk in chunk_*; do
rsakeyfind "$chunk" > "${chunk}.results" &
done
wait
# Combine results
cat chunk_*.results > final_results.txtPerformance Optimization
# Use faster hardware-accelerated scanning
rsakeyfind --fast memory.dump
# Reduce output verbosity for speed
rsakeyfind --quiet memory.dump
# Memory-mapped I/O for large files
rsakeyfind --mmap memory.dumpForensic Analysis Workflow
Step 1: Acquire Memory
# Dump process memory immediately after identifying target
sudo gcore -o core$(date +%s) $TARGET_PID
ls -lh core*Step 2: Initial Scan
# Quick initial scan
rsakeyfind memory.dump | head -20
# Full scan with logging
rsakeyfind -v memory.dump | tee forensic_scan_$(date +%s).logStep 3: Verify Findings
# Check offset locations
hexdump -C memory.dump | head -n 100
# Extract around found offset
dd if=memory.dump bs=1 skip=$OFFSET count=1024 | xxdStep 4: Extract Keys
# Extract key components at found offset
dd if=memory.dump bs=1 skip=$OFFSET count=2048 of=extracted_key.bin
# Convert to usable format (requires additional processing)
openssl rsa -in extracted_key.bin -text -nooutIntegration with Analysis Tools
Volatility Framework (Memory Analysis)
# List processes
volatility -f memory.dump pslist
# Dump specific process
volatility -f memory.dump memdump -p PID -D output/
# Analyze dump
rsakeyfind output/[PID].dmpStrings and Grep Analysis
# Extract printable strings
strings memory.dump > memory_strings.txt
# Look for key indicators
grep -E "RSA|PRIVATE|SECRET|KEY" memory_strings.txt
# Combine with rsakeyfind
strings memory.dump | rsakeyfind --stdinAutopsy/The Sleuth Kit
# Extract memory from disk image
icat image.dd inode_number > extracted.mem
# Scan extracted memory
rsakeyfind extracted.mem > autopsy_results.txtKey Reconstruction
From Found Components
#!/bin/bash
# Reconstruct RSA key from found components
OFFSET=$1
# Extract n (modulus)
dd if=memory.dump bs=1 skip=$OFFSET count=256 of=n.bin
# Extract e (public exponent)
dd if=memory.dump bs=1 skip=$((OFFSET+256)) count=8 of=e.bin
# Extract d (private exponent)
dd if=memory.dump bs=1 skip=$((OFFSET+512)) count=256 of=d.bin
# Use OpenSSL to reconstruct
openssl rsa -inform DER -in key.der -text -nooutOpenSSL Verification
# Check extracted key validity
openssl rsa -in extracted.key -check
# Display key components
openssl rsa -in extracted.key -text -noout
# Export in different format
openssl rsa -in extracted.key -outform PEM -out key.pemAdvanced Forensic Scenarios
SSL/TLS Certificate Recovery
# Extract from web server memory
sudo gcore -o nginx_core $(pgrep nginx)
rsakeyfind nginx_core
# Identify certificate chains
strings nginx_core | grep -E "BEGIN|END CERTIFICATE"Database Encryption Key Recovery
# Dump database process
sudo gcore -o mysql_core $(pgrep mysqld)
rsakeyfind mysql_core
# Correlate with database files
ls -la /var/lib/mysql/VPN/SSH Key Recovery
# SSH daemon memory dump
sudo gcore -o sshd_core $(pgrep sshd)
rsakeyfind sshd_core
# VPN process
sudo gcore -o openvpn_core $(pgrep openvpn)
rsakeyfind openvpn_coreOutput Processing
Parse Results to CSV
#!/bin/bash
# Convert rsakeyfind output to CSV
echo "offset,keysize,components,confidence" > results.csv
rsakeyfind memory.dump | while read line; do
if [[ $line =~ found\ RSA\ key\ at\ offset\ ([0-9a-f]+) ]]; then
OFFSET="${BASH_REMATCH[1]}"
echo "$OFFSET,unknown,unknown,found" >> results.csv
fi
doneGenerate Report
#!/bin/bash
# Comprehensive forensic report
DUMP="$1"
OUTPUT="rsakeyfind_report_$(date +%Y%m%d_%H%M%S).txt"
{
echo "=== RSA Key Forensic Analysis Report ==="
echo "File: $DUMP"
echo "Date: $(date)"
echo "MD5: $(md5sum $DUMP | awk '{print $1}')"
echo "SHA256: $(sha256sum $DUMP | awk '{print $1}')"
echo ""
echo "=== Scan Results ==="
rsakeyfind -v "$DUMP"
echo ""
echo "=== Statistics ==="
echo "Total keys found: $(rsakeyfind $DUMP | grep -c 'found RSA')"
echo "Keys by size:"
rsakeyfind $DUMP | grep "key length" | cut -d: -f2 | sort | uniq -c
} | tee "$OUTPUT"
echo "Report saved to $OUTPUT"Troubleshooting
# Permission issues with memory dumps
sudo -i
rsakeyfind /tmp/memory.dump
# File too large errors
# Solution: Use chunked approach (see above)
# No keys found
# Check: Is application actually using RSA?
# Check: Is key in memory at scan time?
# Corrupted dump handling
file memory.dump
head -c 100 memory.dump | xxdLegal and Ethical Considerations
- Only acquire and analyze memory from systems you own or have authorization to test
- Key recovery may be illegal without authorization in some jurisdictions
- Use findings responsibly and confidentially
- Document chain of custody for forensic evidence
- Follow responsible disclosure practices
- Comply with applicable data protection regulations
Best Practices
- Always create write-protected copies of original dumps
- Document acquisition time, method, and system state
- Cross-reference findings with application logs
- Verify key validity before considering incident resolved
- Maintain secure storage of recovered keys
- Use cryptographic hash verification for dump integrity
- Document all findings with timestamps and methods
Performance Considerations
- Large dumps (>10GB) require chunking or overnight scanning
- Hardware acceleration (if available) speeds processing
- Memory dumps larger than available RAM need streaming approach
- Parallel processing effective for multiple dumps
- SSD significantly faster than rotational disk
Related Tools
- Volatility - Memory forensics framework
- GDB - Debugger for live process analysis
- Strings - Extract printable strings from binaries
- Binwalk - Binary analysis and extraction
- OpenSSL - Cryptographic key analysis
- Autopsy/TSK - Digital forensics suite
- memdump - Memory dumping utilities