Rsakeyfind
Overview
Section intitulée « Overview »Rsakeyfind is a forensic analysis tool that scans memory dumps, core files, hibernation files, and raw binary data to locate RSA private key material. During incident response, memory forensics, and penetration testing, this tool helps identify unencrypted cryptographic keys left in memory by applications, enabling forensic reconstruction of sensitive key material.
Installation
Section intitulée « Installation »# Install via apt (Debian/Ubuntu - included in Kali)
sudo apt-get install rsakeyfind
# From source (GitHub)
git clone https://github.com/kmesis/rsakeyfind
cd rsakeyfind
gcc -o rsakeyfind rsakeyfind.c
# Manual compilation
gcc -Wall -Werror -O2 rsakeyfind.c -o rsakeyfind
# Verify installation
rsakeyfind --version
which rsakeyfindCore Concepts
Section intitulée « Core Concepts »RSA Key Structure in Memory:
- RSA private keys contain multiple components (p, q, n, d, dp, dq, qinv)
- Keys maintain specific mathematical relationships that can be detected
- Prime number pairs (p, q) have distinctive patterns
- Large numbers (1024-bit, 2048-bit keys) occupy significant memory
Key Signatures:
- Specific byte patterns identify key components
- Mathematical properties allow verification
- Modulus (n) equals p × q
- Private exponent (d) has known relationships with p and q
Recovery Sources:
- Running process memory (via /proc/[pid]/mem)
- Core dumps from crashed applications
- Swap files and hibernation files
- Disk images and forensic duplicates
- Memory dumps from virtualization snapshots
Basic Usage
Section intitulée « Basic Usage »| Command | Purpose |
|---|---|
rsakeyfind memory.dump | Scan dump for RSA keys |
rsakeyfind -v memory.dump | Verbose output with details |
rsakeyfind -d memory.dump | Debug mode with extensive logging |
rsakeyfind --help | Display help and options |
Memory Dump Acquisition
Section intitulée « Memory Dump Acquisition »Linux Process Memory
Section intitulée « Linux Process Memory »# Create memory dump of running process
PID=$(pgrep -f "target_process")
sudo cat /proc/$PID/maps # View memory map
sudo gcore -o core $PID # Create core dump
# Dump entire process memory
sudo dd if=/proc/$PID/mem of=process_memory.dump bs=4096
# Dump with offset and size
sudo dd if=/proc/$PID/mem of=memory.dump bs=1 skip=$START count=$SIZECore Dump Collection
Section intitulée « Core Dump Collection »# Enable core dumps
ulimit -c unlimited
# Create core dump on crash
echo "kernel.core_pattern=/tmp/core.%e.%p" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Manually generate core
sleep 100 &
SLEEP_PID=$!
sudo gcore $SLEEP_PIDSwap File Recovery
Section intitulée « Swap File Recovery »# Find swap partitions
sudo swapon --show
cat /proc/swaps
# Create dump of swap
sudo dd if=/dev/sda2 of=swap.dump bs=4096 # Example swap partition
# Identify swap location
lsblk # Show block devices
sudo fdisk -l # Show partition detailsHibernation File Recovery
Section intitulée « Hibernation File Recovery »# Windows hibernation file (on Linux filesystem analysis)
strings /mnt/windows/hiberfil.sys > hiberfil_strings.txt
rsakeyfind hiberfil_strings.txt
# Linux hibernation (if using swsusp)
sudo cat /sys/power/image_sizeScanning for Keys
Section intitulée « Scanning for Keys »Single File Scan
Section intitulée « Single File Scan »# Basic scan
rsakeyfind memory.dump
# Verbose mode (more detail)
rsakeyfind -v memory.dump
# Debug mode (maximum detail)
rsakeyfind -d memory.dump
# With output file
rsakeyfind memory.dump > results.txt 2>&1Multiple Dumps
Section intitulée « Multiple Dumps »# Scan multiple files
for dump in *.dump; do
echo "=== Scanning $dump ==="
rsakeyfind "$dump" > "${dump}.results.txt"
done
# Parallel scanning
ls *.dump | parallel "rsakeyfind {} > {}.results.txt"Key Identification and Extraction
Section intitulée « Key Identification and Extraction »Output Analysis
Section intitulée « Output Analysis »# Standard output shows:
# - Offset in file (hex)
# - Key bit length
# - Components found (n, p, q, d, etc.)
# - Confidence level
# Example output:
# found RSA key at offset 0x12345678
# key length: 2048 bits
# components: n e d p qExtracting Keys
Section intitulée « Extracting Keys »# Parse output for offsets
rsakeyfind memory.dump | grep "found RSA key"
# Extract specific key data
rsakeyfind -v memory.dump | grep -E "offset|length|components"
# Count found keys
rsakeyfind memory.dump | grep "found RSA key" | wc -lAdvanced Scanning Techniques
Section intitulée « Advanced Scanning Techniques »Targeted Offset Scanning
Section intitulée « Targeted Offset Scanning »# Scan specific section of dump
rsakeyfind memory.dump --start 0x1000 --end 0x100000
# Jump by offsets (faster for large files)
rsakeyfind memory.dump --offset-jump 0x100Signature-Based Detection
Section intitulée « Signature-Based Detection »# Look for specific key sizes
rsakeyfind memory.dump --min-keysize 1024
rsakeyfind memory.dump --min-keysize 2048
# Maximum size limitation
rsakeyfind memory.dump --max-keysize 4096Validation and Verification
Section intitulée « Validation and Verification »# Verify found keys
rsakeyfind -v memory.dump | tee scan_output.txt
# Manual verification of key components
strings memory.dump | grep -E "^-----BEGIN RSA"Processing Large Files
Section intitulée « Processing Large Files »Chunked Scanning
Section intitulée « Chunked Scanning »#!/bin/bash
# Split large dump into chunks and scan in parallel
DUMP="large_memory.dump"
CHUNK_SIZE=$((512*1024*1024)) # 512MB chunks
split -b $CHUNK_SIZE "$DUMP" chunk_
for chunk in chunk_*; do
rsakeyfind "$chunk" > "${chunk}.results" &
done
wait
# Combine results
cat chunk_*.results > final_results.txtPerformance Optimization
Section intitulée « Performance Optimization »# Use faster hardware-accelerated scanning
rsakeyfind --fast memory.dump
# Reduce output verbosity for speed
rsakeyfind --quiet memory.dump
# Memory-mapped I/O for large files
rsakeyfind --mmap memory.dumpForensic Analysis Workflow
Section intitulée « Forensic Analysis Workflow »Step 1: Acquire Memory
Section intitulée « Step 1: Acquire Memory »# Dump process memory immediately after identifying target
sudo gcore -o core$(date +%s) $TARGET_PID
ls -lh core*Step 2: Initial Scan
Section intitulée « Step 2: Initial Scan »# Quick initial scan
rsakeyfind memory.dump | head -20
# Full scan with logging
rsakeyfind -v memory.dump | tee forensic_scan_$(date +%s).logStep 3: Verify Findings
Section intitulée « Step 3: Verify Findings »# Check offset locations
hexdump -C memory.dump | head -n 100
# Extract around found offset
dd if=memory.dump bs=1 skip=$OFFSET count=1024 | xxdStep 4: Extract Keys
Section intitulée « Step 4: Extract Keys »# Extract key components at found offset
dd if=memory.dump bs=1 skip=$OFFSET count=2048 of=extracted_key.bin
# Convert to usable format (requires additional processing)
openssl rsa -in extracted_key.bin -text -nooutIntegration with Analysis Tools
Section intitulée « Integration with Analysis Tools »Volatility Framework (Memory Analysis)
Section intitulée « Volatility Framework (Memory Analysis) »# List processes
volatility -f memory.dump pslist
# Dump specific process
volatility -f memory.dump memdump -p PID -D output/
# Analyze dump
rsakeyfind output/[PID].dmpStrings and Grep Analysis
Section intitulée « Strings and Grep Analysis »# Extract printable strings
strings memory.dump > memory_strings.txt
# Look for key indicators
grep -E "RSA|PRIVATE|SECRET|KEY" memory_strings.txt
# Combine with rsakeyfind
strings memory.dump | rsakeyfind --stdinAutopsy/The Sleuth Kit
Section intitulée « Autopsy/The Sleuth Kit »# Extract memory from disk image
icat image.dd inode_number > extracted.mem
# Scan extracted memory
rsakeyfind extracted.mem > autopsy_results.txtKey Reconstruction
Section intitulée « Key Reconstruction »From Found Components
Section intitulée « From Found Components »#!/bin/bash
# Reconstruct RSA key from found components
OFFSET=$1
# Extract n (modulus)
dd if=memory.dump bs=1 skip=$OFFSET count=256 of=n.bin
# Extract e (public exponent)
dd if=memory.dump bs=1 skip=$((OFFSET+256)) count=8 of=e.bin
# Extract d (private exponent)
dd if=memory.dump bs=1 skip=$((OFFSET+512)) count=256 of=d.bin
# Use OpenSSL to reconstruct
openssl rsa -inform DER -in key.der -text -nooutOpenSSL Verification
Section intitulée « OpenSSL Verification »# Check extracted key validity
openssl rsa -in extracted.key -check
# Display key components
openssl rsa -in extracted.key -text -noout
# Export in different format
openssl rsa -in extracted.key -outform PEM -out key.pemAdvanced Forensic Scenarios
Section intitulée « Advanced Forensic Scenarios »SSL/TLS Certificate Recovery
Section intitulée « SSL/TLS Certificate Recovery »# Extract from web server memory
sudo gcore -o nginx_core $(pgrep nginx)
rsakeyfind nginx_core
# Identify certificate chains
strings nginx_core | grep -E "BEGIN|END CERTIFICATE"Database Encryption Key Recovery
Section intitulée « Database Encryption Key Recovery »# Dump database process
sudo gcore -o mysql_core $(pgrep mysqld)
rsakeyfind mysql_core
# Correlate with database files
ls -la /var/lib/mysql/VPN/SSH Key Recovery
Section intitulée « VPN/SSH Key Recovery »# SSH daemon memory dump
sudo gcore -o sshd_core $(pgrep sshd)
rsakeyfind sshd_core
# VPN process
sudo gcore -o openvpn_core $(pgrep openvpn)
rsakeyfind openvpn_coreOutput Processing
Section intitulée « Output Processing »Parse Results to CSV
Section intitulée « Parse Results to CSV »#!/bin/bash
# Convert rsakeyfind output to CSV
echo "offset,keysize,components,confidence" > results.csv
rsakeyfind memory.dump | while read line; do
if [[ $line =~ found\ RSA\ key\ at\ offset\ ([0-9a-f]+) ]]; then
OFFSET="${BASH_REMATCH[1]}"
echo "$OFFSET,unknown,unknown,found" >> results.csv
fi
doneGenerate Report
Section intitulée « Generate Report »#!/bin/bash
# Comprehensive forensic report
DUMP="$1"
OUTPUT="rsakeyfind_report_$(date +%Y%m%d_%H%M%S).txt"
{
echo "=== RSA Key Forensic Analysis Report ==="
echo "File: $DUMP"
echo "Date: $(date)"
echo "MD5: $(md5sum $DUMP | awk '{print $1}')"
echo "SHA256: $(sha256sum $DUMP | awk '{print $1}')"
echo ""
echo "=== Scan Results ==="
rsakeyfind -v "$DUMP"
echo ""
echo "=== Statistics ==="
echo "Total keys found: $(rsakeyfind $DUMP | grep -c 'found RSA')"
echo "Keys by size:"
rsakeyfind $DUMP | grep "key length" | cut -d: -f2 | sort | uniq -c
} | tee "$OUTPUT"
echo "Report saved to $OUTPUT"Troubleshooting
Section intitulée « Troubleshooting »# Permission issues with memory dumps
sudo -i
rsakeyfind /tmp/memory.dump
# File too large errors
# Solution: Use chunked approach (see above)
# No keys found
# Check: Is application actually using RSA?
# Check: Is key in memory at scan time?
# Corrupted dump handling
file memory.dump
head -c 100 memory.dump | xxdLegal and Ethical Considerations
Section intitulée « Legal and Ethical Considerations »- Only acquire and analyze memory from systems you own or have authorization to test
- Key recovery may be illegal without authorization in some jurisdictions
- Use findings responsibly and confidentially
- Document chain of custody for forensic evidence
- Follow responsible disclosure practices
- Comply with applicable data protection regulations
Best Practices
Section intitulée « Best Practices »- Always create write-protected copies of original dumps
- Document acquisition time, method, and system state
- Cross-reference findings with application logs
- Verify key validity before considering incident resolved
- Maintain secure storage of recovered keys
- Use cryptographic hash verification for dump integrity
- Document all findings with timestamps and methods
Performance Considerations
Section intitulée « Performance Considerations »- Large dumps (>10GB) require chunking or overnight scanning
- Hardware acceleration (if available) speeds processing
- Memory dumps larger than available RAM need streaming approach
- Parallel processing effective for multiple dumps
- SSD significantly faster than rotational disk
Related Tools
Section intitulée « Related Tools »- Volatility - Memory forensics framework
- GDB - Debugger for live process analysis
- Strings - Extract printable strings from binaries
- Binwalk - Binary analysis and extraction
- OpenSSL - Cryptographic key analysis
- Autopsy/TSK - Digital forensics suite
- memdump - Memory dumping utilities