rsakeyfind
Locates BER-encoded RSA private keys in memory images. Optionally matches keys against a specified hex-encoded modulus from a file.
Description
rsakeyfind is a memory forensics tool that extracts BER-encoded RSA private keys from memory images. It is useful whenever a private key exists only in RAM at the time of capture: keys loaded by SSH or TLS services, disk-encryption software, or malware are all candidates, and a RAM dump, hibernation file or VM memory snapshot may be the only place they can be recovered from.
The tool scans the memory image file for RSA key structures. When a modulus file is also given, rsakeyfind reports only the private and public keys whose modulus equals the hex-encoded modulus read from that file, which makes it suitable for targeted recovery of a known key (for example, the key matching a server's certificate).
This makes it valuable in memory forensics scenarios where disk-based analysis cannot recover the cryptographic material, because the key was never written to disk or was stored there only in encrypted form.
How It Works
rsakeyfind walks the memory image looking for BER-encoded ASN.1 structures shaped like a PKCS#1 RSAPrivateKey: a SEQUENCE whose first INTEGER is the version, followed by INTEGERs for the key components (n, e, d, p, q, and the CRT values dp, dq and qInv). It matches on the characteristic tag and length bytes of that structure rather than on any key material, so it finds keys regardless of which application placed them in memory. When a MODULUS-FILE is supplied, the hex-encoded modulus in that file is compared against the modulus of each discovered private or public key, and only the matching keys are reported.
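The scanning and filtering described above, as an added example in pure Python that is not the rsakeyfind source. It parses DER tag/length headers (including the long-form "30 82 ..." header a real key starts with), accepts only SEQUENCEs made of INTEGERs, applies an arithmetic sanity check (n == p*q and e*d == 1 modulo p-1 and q-1) so that random bytes are not reported as a key, and optionally keeps only keys whose modulus equals a hex string, which is how the MODULUS-FILE filter behaves. The sample "memory image" is constructed here from seeded filler bytes with one private and one public key embedded; the key built from the Mersenne primes M127 and M521, the 512-bit minimum for public-key candidates, and the output format are all this example's own choices, not the tool's.

```python
"""Added example (not the rsakeyfind source): a minimal rsakeyfind-style scanner in pure Python."""
import random
import sys

# --- tiny DER encoder, used only to build the constructed sample image below ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 keeps a 0x00 pad when the high bit is set
    return b"\x02" + der_len(len(body)) + body

def der_seq(items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def rsa_private_key_der(p, q, e=65537):
    """PKCS#1 RSAPrivateKey: SEQUENCE { version, n, e, d, p, q, dp, dq, qInv }."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    fields = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return der_seq([der_int(x) for x in fields]), n

# --- the scanner ---
def read_tlv(buf, pos):
    """Parse one DER tag/length header at pos; return (tag, value_start, value_end) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length, e.g. the 0x82 in a real key's "30 82 ..."
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return (tag, pos, pos + length) if pos + length <= len(buf) else None

def parse_int_sequence(buf, pos):
    """If a SEQUENCE made only of INTEGERs starts at pos, return (ints, end_offset), else None."""
    hdr = read_tlv(buf, pos)
    if hdr is None or hdr[0] != 0x30:
        return None
    _, cur, end = hdr
    ints = []
    while cur < end:
        item = read_tlv(buf, cur)
        if item is None or item[0] != 0x02 or item[2] > end:
            return None
        ints.append(int.from_bytes(buf[item[1]:item[2]], "big"))
        cur = item[2]
    return ints, end

def is_private_key(ints):
    """Arithmetic sanity check so a random SEQUENCE of INTEGERs is not reported as a key."""
    if len(ints) < 9 or ints[0] != 0:
        return False
    n, e, d, p, q = ints[1:6]
    return (p > 1 and q > 1 and n == p * q and e > 1 and e % 2 == 1
            and (e * d - 1) % (p - 1) == 0 and (e * d - 1) % (q - 1) == 0)

def is_public_key(ints):
    """RSAPublicKey: SEQUENCE { n, e }; a minimum modulus size (assumed) cuts false positives."""
    return len(ints) == 2 and ints[0].bit_length() >= 512 and ints[1] % 2 == 1 and 2 < ints[1] < ints[0]

def find_rsa_keys(image, modulus_hex=None):
    """Try every 0x30 byte as a SEQUENCE start; optionally keep only keys whose modulus == modulus_hex."""
    want = int(modulus_hex, 16) if modulus_hex else None
    found, off = [], 0
    while off < len(image):
        parsed = parse_int_sequence(image, off) if image[off] == 0x30 else None
        if parsed is None:
            off += 1
            continue
        ints, end = parsed
        if is_private_key(ints):
            rec = {"kind": "private", "offset": off, "n": ints[1], "e": ints[2],
                   "d": ints[3], "p": ints[4], "q": ints[5]}
        elif is_public_key(ints):
            rec = {"kind": "public", "offset": off, "n": ints[0], "e": ints[1]}
        else:
            off += 1
            continue
        if want is None or rec["n"] == want:
            found.append(rec)
        off = end                          # do not re-report structures nested inside a found key
    return found

def build_sample_image():
    """Constructed stand-in for a memory dump: seeded filler with one private and one public key inside."""
    rng = random.Random(2024)
    filler = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    priv, n = rsa_private_key_der((1 << 127) - 1, (1 << 521) - 1)   # Mersenne primes M127 and M521
    pub = der_seq([der_int(n), der_int(65537)])
    priv_off, pub_off = 1500, 1500 + len(priv) + 900
    return filler(1500) + priv + filler(900) + pub + filler(700), n, priv_off, pub_off

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # usage: scan.py MEMORY-IMAGE [MODULUS-FILE]
        image = open(sys.argv[1], "rb").read()
        mod = "".join(open(sys.argv[2]).read().replace(":", "").split()) if len(sys.argv) > 2 else None
    else:                                  # no arguments: scan the constructed sample image
        image, _, _, _ = build_sample_image()
        mod = None
    for k in find_rsa_keys(image, mod):
        print(f"FOUND {k['kind'].upper()} KEY AT 0x{k['offset']:x}  n={k['n']:#x}")
```

Run without arguments it scans the constructed image and reports the private key at 0x5dc and the public key after it; run as `scan.py memory.img modulus.hex` it behaves like the two-argument form of rsakeyfind. The byte-at-a-time Python loop is fine for a few megabytes but far slower than the real tool on a multi-gigabyte dump; the point is the structure of the search, not its speed.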
Installation
sudo apt install rsakeyfind
Flags
rsakeyfind takes no option flags. Its only arguments are the memory image to scan and, optionally, the modulus file:
rsakeyfind MEMORY-IMAGE [MODULUS-FILE]
Examples
rsakeyfind memory.dump
rsakeyfind /path/to/mem-image
rsakeyfind memory.img modulus.hex
rsakeyfind vmemory.raw target.mod
rsakeyfind crashdump.mem
rsakeyfind full.mem known_modulus.txt