aeskeyfind
Tool for locating 128-bit and 256-bit AES keys in a captured memory image. Uses algorithms and entropy tests to identify keys even with some bit corruption.
Description
aeskeyfind is a program that illustrates automatic techniques for locating 128-bit and 256-bit AES keys in a captured memory image. It is particularly useful for forensics investigations where memory dumps need to be analyzed for cryptographic keys.
The tool employs various algorithms and performs a simple entropy test to filter out blocks that are not keys by counting repeated bytes and skipping those with too many repeats. This method remains effective even if several bits of the key schedule have been corrupted due to memory decay.
It locates scheduled AES keys, i.e. the expanded key schedule that a running cipher implementation keeps in memory rather than only the raw key bytes. In verbose mode it also prints the extended keys and the constraints on each row of the key schedule, which is what lets a corrupted key be reconstructed.
How It Works
The program scans the memory image for candidate 128-bit and 256-bit AES keys using multiple algorithms. It applies an entropy test that counts repeated bytes in blocks, skipping those with excessive repeats as unlikely keys. It tolerates up to a configurable number of bit errors (default 10) in the key schedule due to memory decay, and can output extended keys with row constraints in verbose mode.
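The following Python script is an added illustration of the technique described above; it is not aeskeyfind's own source code and simplifies what the tool does. It handles 128-bit keys only, and at every offset it expands the 16 candidate bytes with the FIPS-197 key schedule and counts how many bits of the following 160 bytes disagree with that expansion, accepting the candidate when the count is at or below a threshold (default 10, as in the tool). Before expanding it applies the repeated-byte filter from the description. The memory image, the key offset, the flipped "decayed" bits and the repeated-byte cutoff `max_repeats` are all constructed or chosen here for the example:

```python
"""
Simplified AES-128 key-schedule scanner in the spirit of aeskeyfind.
Illustration only: not the tool's code. The image, offsets, decayed bits
and the max_repeats cutoff are constructed for this example.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)."""
    def rotl8(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])        # RotWord + SubWord
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]     # XOR with Rcon
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def repeated_bytes(block):
    """Entropy heuristic from the description: how many byte values repeat."""
    return len(block) - len(set(block))


def bit_errors(a, b, limit=None):
    """Hamming distance between equal-length byte strings, stopping early past limit."""
    errs = 0
    for x, y in zip(a, b):
        errs += bin(x ^ y).count("1")
        if limit is not None and errs > limit:
            break
    return errs


def find_aes128_keys(image, max_errors=10, max_repeats=5):
    """Return [(offset, key, errors)] for each offset whose 16 bytes expand to a
    schedule that matches the next 160 bytes of the image within max_errors bits."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if repeated_bytes(cand) > max_repeats:      # skip low-entropy blocks
            continue
        schedule = expand_key_128(cand)[16:]
        errs = bit_errors(schedule, image[off + 16:off + 176], limit=max_errors)
        if errs <= max_errors:
            hits.append((off, cand, errs))
    return hits


def build_sample_image(seed=7, key_offset=600, flips=(24 * 8 + 3, 100 * 8 + 5, 170 * 8)):
    """Constructed memory image: pseudo-random filler, one key schedule embedded at
    key_offset (the FIPS-197 sample key), a few decayed bits in later round keys,
    and an all-zero block that the repeated-byte filter should discard."""
    rng = random.Random(seed)
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    buf = bytearray(rng.getrandbits(8) for _ in range(2048))
    buf[key_offset:key_offset + 176] = expand_key_128(key)
    for bit in flips:                                # simulate memory decay
        buf[key_offset + bit // 8] ^= 1 << (bit % 8)
    buf[1500:1516] = b"\x00" * 16
    return bytes(buf), key


if __name__ == "__main__":
    image, key = build_sample_image()
    for off, cand, errs in find_aes128_keys(image):
        print(f"offset {off}: key {cand.hex()} ({errs} bit errors)")
```

Running it reports the one embedded key at offset 600 with 3 bit errors, while the zero block is never expanded. Because this version compares the whole expansion against the candidate's own 16 bytes, it only tolerates decay in the later round keys; the real tool checks consecutive round keys against each other, which is what lets it recover a key whose first 16 bytes are themselves damaged.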
Installation
sudo apt install aeskeyfind
Flags
-v            verbose output: prints the extended keys and the constraints on the rows of the key schedule
-q            quiet: do not display the progress bar
-t THRESHOLD  maximum number of bit errors allowed in a candidate key schedule (default 10)
-h            display the help message
Examples
aeskeyfind MEMORY-IMAGE
aeskeyfind -v MEMORY-IMAGE
aeskeyfind -q MEMORY-IMAGE
aeskeyfind -t 5 MEMORY-IMAGE
aeskeyfind -t 20 MEMORY-IMAGE
aeskeyfind -v -q MEMORY-IMAGE
aeskeyfind -h