Rsakeyfind
Overview
Section titled “Overview”Rsakeyfind is a forensic analysis tool that scans memory dumps, core files, hibernation files, and raw binary data to locate RSA private key material. During incident response, memory forensics, and penetration testing, this tool helps identify unencrypted cryptographic keys left in memory by applications, enabling forensic reconstruction of sensitive key material.
Installation
Section titled “Installation”# Install via apt (Debian/Ubuntu - included in Kali)
sudo apt-get install rsakeyfind
# From source (GitHub)
git clone https://github.com/kmesis/rsakeyfind
cd rsakeyfind
gcc -o rsakeyfind rsakeyfind.c
# Manual compilation
gcc -Wall -Werror -O2 rsakeyfind.c -o rsakeyfind
# Verify installation
rsakeyfind --version
which rsakeyfindCore Concepts
Section titled “Core Concepts”RSA Key Structure in Memory:
- RSA private keys contain multiple components (p, q, n, d, dp, dq, qinv)
- Keys maintain specific mathematical relationships that can be detected
- Prime number pairs (p, q) have distinctive patterns
- Large numbers (1024-bit, 2048-bit keys) occupy significant memory
Key Signatures:
- Specific byte patterns identify key components
- Mathematical properties allow verification
- Modulus (n) equals p × q
- Private exponent (d) has known relationships with p and q
Recovery Sources:
- Running process memory (via /proc/[pid]/mem)
- Core dumps from crashed applications
- Swap files and hibernation files
- Disk images and forensic duplicates
- Memory dumps from virtualization snapshots
Basic Usage
Section titled “Basic Usage”| Command | Purpose |
|---|---|
rsakeyfind memory.dump | Scan dump for RSA keys |
rsakeyfind -v memory.dump | Verbose output with details |
rsakeyfind -d memory.dump | Debug mode with extensive logging |
rsakeyfind --help | Display help and options |
Memory Dump Acquisition
Section titled “Memory Dump Acquisition”Linux Process Memory
Section titled “Linux Process Memory”# Create memory dump of running process
PID=$(pgrep -f "target_process")
sudo cat /proc/$PID/maps # View memory map
sudo gcore -o core $PID # Create core dump
# Dump entire process memory
sudo dd if=/proc/$PID/mem of=process_memory.dump bs=4096
# Dump with offset and size
sudo dd if=/proc/$PID/mem of=memory.dump bs=1 skip=$START count=$SIZECore Dump Collection
Section titled “Core Dump Collection”# Enable core dumps
ulimit -c unlimited
# Create core dump on crash
echo "kernel.core_pattern=/tmp/core.%e.%p" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Manually generate core
sleep 100 &
SLEEP_PID=$!
sudo gcore $SLEEP_PIDSwap File Recovery
Section titled “Swap File Recovery”# Find swap partitions
sudo swapon --show
cat /proc/swaps
# Create dump of swap
sudo dd if=/dev/sda2 of=swap.dump bs=4096 # Example swap partition
# Identify swap location
lsblk # Show block devices
sudo fdisk -l # Show partition detailsHibernation File Recovery
Section titled “Hibernation File Recovery”# Windows hibernation file (on Linux filesystem analysis)
strings /mnt/windows/hiberfil.sys > hiberfil_strings.txt
rsakeyfind hiberfil_strings.txt
# Linux hibernation (if using swsusp)
sudo cat /sys/power/image_sizeScanning for Keys
Section titled “Scanning for Keys”Single File Scan
Section titled “Single File Scan”# Basic scan
rsakeyfind memory.dump
# Verbose mode (more detail)
rsakeyfind -v memory.dump
# Debug mode (maximum detail)
rsakeyfind -d memory.dump
# With output file
rsakeyfind memory.dump > results.txt 2>&1Multiple Dumps
Section titled “Multiple Dumps”# Scan multiple files
for dump in *.dump; do
echo "=== Scanning $dump ==="
rsakeyfind "$dump" > "${dump}.results.txt"
done
# Parallel scanning
ls *.dump | parallel "rsakeyfind {} > {}.results.txt"Key Identification and Extraction
Section titled “Key Identification and Extraction”Output Analysis
Section titled “Output Analysis”# Standard output shows:
# - Offset in file (hex)
# - Key bit length
# - Components found (n, p, q, d, etc.)
# - Confidence level
# Example output:
# found RSA key at offset 0x12345678
# key length: 2048 bits
# components: n e d p qExtracting Keys
Section titled “Extracting Keys”# Parse output for offsets
rsakeyfind memory.dump | grep "found RSA key"
# Extract specific key data
rsakeyfind -v memory.dump | grep -E "offset|length|components"
# Count found keys
rsakeyfind memory.dump | grep "found RSA key" | wc -lAdvanced Scanning Techniques
Section titled “Advanced Scanning Techniques”Targeted Offset Scanning
Section titled “Targeted Offset Scanning”# Scan specific section of dump
rsakeyfind memory.dump --start 0x1000 --end 0x100000
# Jump by offsets (faster for large files)
rsakeyfind memory.dump --offset-jump 0x100Signature-Based Detection
Section titled “Signature-Based Detection”# Look for specific key sizes
rsakeyfind memory.dump --min-keysize 1024
rsakeyfind memory.dump --min-keysize 2048
# Maximum size limitation
rsakeyfind memory.dump --max-keysize 4096Validation and Verification
Section titled “Validation and Verification”# Verify found keys
rsakeyfind -v memory.dump | tee scan_output.txt
# Manual verification of key components
strings memory.dump | grep -E "^-----BEGIN RSA"Processing Large Files
Section titled “Processing Large Files”Chunked Scanning
Section titled “Chunked Scanning”#!/bin/bash
# Split large dump into chunks and scan in parallel
DUMP="large_memory.dump"
CHUNK_SIZE=$((512*1024*1024)) # 512MB chunks
split -b $CHUNK_SIZE "$DUMP" chunk_
for chunk in chunk_*; do
rsakeyfind "$chunk" > "${chunk}.results" &
done
wait
# Combine results
cat chunk_*.results > final_results.txtPerformance Optimization
Section titled “Performance Optimization”# Use faster hardware-accelerated scanning
rsakeyfind --fast memory.dump
# Reduce output verbosity for speed
rsakeyfind --quiet memory.dump
# Memory-mapped I/O for large files
rsakeyfind --mmap memory.dumpForensic Analysis Workflow
Section titled “Forensic Analysis Workflow”Step 1: Acquire Memory
Section titled “Step 1: Acquire Memory”# Dump process memory immediately after identifying target
sudo gcore -o core$(date +%s) $TARGET_PID
ls -lh core*Step 2: Initial Scan
Section titled “Step 2: Initial Scan”# Quick initial scan
rsakeyfind memory.dump | head -20
# Full scan with logging
rsakeyfind -v memory.dump | tee forensic_scan_$(date +%s).logStep 3: Verify Findings
Section titled “Step 3: Verify Findings”# Check offset locations
hexdump -C memory.dump | head -n 100
# Extract around found offset
dd if=memory.dump bs=1 skip=$OFFSET count=1024 | xxdStep 4: Extract Keys
Section titled “Step 4: Extract Keys”# Extract key components at found offset
dd if=memory.dump bs=1 skip=$OFFSET count=2048 of=extracted_key.bin
# Convert to usable format (requires additional processing)
openssl rsa -in extracted_key.bin -text -nooutIntegration with Analysis Tools
Section titled “Integration with Analysis Tools”Volatility Framework (Memory Analysis)
Section titled “Volatility Framework (Memory Analysis)”# List processes
volatility -f memory.dump pslist
# Dump specific process
volatility -f memory.dump memdump -p PID -D output/
# Analyze dump
rsakeyfind output/[PID].dmpStrings and Grep Analysis
Section titled “Strings and Grep Analysis”# Extract printable strings
strings memory.dump > memory_strings.txt
# Look for key indicators
grep -E "RSA|PRIVATE|SECRET|KEY" memory_strings.txt
# Combine with rsakeyfind
strings memory.dump | rsakeyfind --stdinAutopsy/The Sleuth Kit
Section titled “Autopsy/The Sleuth Kit”# Extract memory from disk image
icat image.dd inode_number > extracted.mem
# Scan extracted memory
rsakeyfind extracted.mem > autopsy_results.txtKey Reconstruction
Section titled “Key Reconstruction”From Found Components
Section titled “From Found Components”#!/bin/bash
# Reconstruct RSA key from found components
OFFSET=$1
# Extract n (modulus)
dd if=memory.dump bs=1 skip=$OFFSET count=256 of=n.bin
# Extract e (public exponent)
dd if=memory.dump bs=1 skip=$((OFFSET+256)) count=8 of=e.bin
# Extract d (private exponent)
dd if=memory.dump bs=1 skip=$((OFFSET+512)) count=256 of=d.bin
# Use OpenSSL to reconstruct
openssl rsa -inform DER -in key.der -text -nooutOpenSSL Verification
Section titled “OpenSSL Verification”# Check extracted key validity
openssl rsa -in extracted.key -check
# Display key components
openssl rsa -in extracted.key -text -noout
# Export in different format
openssl rsa -in extracted.key -outform PEM -out key.pemAdvanced Forensic Scenarios
Section titled “Advanced Forensic Scenarios”SSL/TLS Certificate Recovery
Section titled “SSL/TLS Certificate Recovery”# Extract from web server memory
sudo gcore -o nginx_core $(pgrep nginx)
rsakeyfind nginx_core
# Identify certificate chains
strings nginx_core | grep -E "BEGIN|END CERTIFICATE"Database Encryption Key Recovery
Section titled “Database Encryption Key Recovery”# Dump database process
sudo gcore -o mysql_core $(pgrep mysqld)
rsakeyfind mysql_core
# Correlate with database files
ls -la /var/lib/mysql/VPN/SSH Key Recovery
Section titled “VPN/SSH Key Recovery”# SSH daemon memory dump
sudo gcore -o sshd_core $(pgrep sshd)
rsakeyfind sshd_core
# VPN process
sudo gcore -o openvpn_core $(pgrep openvpn)
rsakeyfind openvpn_coreOutput Processing
Section titled “Output Processing”Parse Results to CSV
Section titled “Parse Results to CSV”#!/bin/bash
# Convert rsakeyfind output to CSV
echo "offset,keysize,components,confidence" > results.csv
rsakeyfind memory.dump | while read line; do
if [[ $line =~ found\ RSA\ key\ at\ offset\ ([0-9a-f]+) ]]; then
OFFSET="${BASH_REMATCH[1]}"
echo "$OFFSET,unknown,unknown,found" >> results.csv
fi
doneGenerate Report
Section titled “Generate Report”#!/bin/bash
# Comprehensive forensic report
DUMP="$1"
OUTPUT="rsakeyfind_report_$(date +%Y%m%d_%H%M%S).txt"
{
echo "=== RSA Key Forensic Analysis Report ==="
echo "File: $DUMP"
echo "Date: $(date)"
echo "MD5: $(md5sum $DUMP | awk '{print $1}')"
echo "SHA256: $(sha256sum $DUMP | awk '{print $1}')"
echo ""
echo "=== Scan Results ==="
rsakeyfind -v "$DUMP"
echo ""
echo "=== Statistics ==="
echo "Total keys found: $(rsakeyfind $DUMP | grep -c 'found RSA')"
echo "Keys by size:"
rsakeyfind $DUMP | grep "key length" | cut -d: -f2 | sort | uniq -c
} | tee "$OUTPUT"
echo "Report saved to $OUTPUT"Troubleshooting
Section titled “Troubleshooting”# Permission issues with memory dumps
sudo -i
rsakeyfind /tmp/memory.dump
# File too large errors
# Solution: Use chunked approach (see above)
# No keys found
# Check: Is application actually using RSA?
# Check: Is key in memory at scan time?
# Corrupted dump handling
file memory.dump
head -c 100 memory.dump | xxdLegal and Ethical Considerations
Section titled “Legal and Ethical Considerations”- Only acquire and analyze memory from systems you own or have authorization to test
- Key recovery may be illegal without authorization in some jurisdictions
- Use findings responsibly and confidentially
- Document chain of custody for forensic evidence
- Follow responsible disclosure practices
- Comply with applicable data protection regulations
Best Practices
Section titled “Best Practices”- Always create write-protected copies of original dumps
- Document acquisition time, method, and system state
- Cross-reference findings with application logs
- Verify key validity before considering incident resolved
- Maintain secure storage of recovered keys
- Use cryptographic hash verification for dump integrity
- Document all findings with timestamps and methods
Performance Considerations
Section titled “Performance Considerations”- Large dumps (>10GB) require chunking or overnight scanning
- Hardware acceleration (if available) speeds processing
- Memory dumps larger than available RAM need streaming approach
- Parallel processing effective for multiple dumps
- SSD significantly faster than rotational disk
Related Tools
Section titled “Related Tools”- Volatility - Memory forensics framework
- GDB - Debugger for live process analysis
- Strings - Extract printable strings from binaries
- Binwalk - Binary analysis and extraction
- OpenSSL - Cryptographic key analysis
- Autopsy/TSK - Digital forensics suite
- memdump - Memory dumping utilities