Category: Forensics. Tags: rsa, private-key, memory, forensics, ber-encoded

rsakeyfind

Locates BER-encoded RSA private keys in memory images. Optionally matches keys against a specified hex-encoded modulus from a file.

Description

rsakeyfind is a specialized forensics tool that extracts BER-encoded RSA private keys from memory images. This is valuable in digital forensics investigations where attackers or malware may have held private keys only in memory during their operations, leaving nothing to recover from disk.

The tool scans the given memory image file for RSA key structures. When a modulus file is specified, rsakeyfind reports only the private and public keys whose modulus matches the hex-encoded value read from that file, which makes it effective for targeted key recovery (for example, locating the private key that belongs to a known certificate).

The package is most useful in memory forensics, where cryptographic material that was only ever resident in RAM cannot be uncovered by traditional disk-based analysis.

How It Works

rsakeyfind parses a memory image to identify BER-encoded ASN.1 structures containing RSA private keys. It searches for the characteristic tag bytes and length fields of an RSA key's components (n, e, d, p, q) and checks that the candidate decodes as a well-formed key. When a MODULUS-FILE is given, it compares the modulus n of each discovered key against the hex-encoded value read from that file and reports only the keys whose modulus matches.
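To make the scanning approach concrete, here is a small Python illustration added to this page; it is not rsakeyfind's own code. It assumes the PKCS#1 RSAPrivateKey layout (SEQUENCE of INTEGERs: version, n, e, d, p, q, dp, dq, qInv) in DER, the strict subset of BER that real keys are almost always written in. The "memory image" is constructed inline: a textbook-sized toy key (p=61, q=53) buried in deterministic filler bytes. The scanner treats every 0x30 byte as a candidate SEQUENCE start, parses the TLVs, and rejects candidates that do not satisfy the arithmetic relations of a genuine RSA key, which is what separates a real key from random bytes that happen to look like ASN.1. An optional hex modulus filters the results the way MODULUS-FILE does.

```python
import math
import random

# --- minimal DER encoder, used only to build the constructed sample image ---
def der_len(n):
    """Encode a DER length field (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER: tag 0x02; +8 bits keeps a leading 0x00 when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def der_seq(parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

# --- the scanner ---
def read_tlv(buf, off):
    """Parse one DER TLV at off; return (tag, content, next_off) or None if malformed."""
    if off + 2 > len(buf):
        return None
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(buf, off):
    """Try to decode an RSAPrivateKey SEQUENCE starting at off; return a dict or None."""
    tlv = read_tlv(buf, off)
    if tlv is None or tlv[0] != 0x30:
        return None
    body, ints, pos = tlv[1], [], 0
    while pos < len(body) and len(ints) < 9:
        inner = read_tlv(body, pos)
        # every element must be a non-empty, non-negative INTEGER
        if inner is None or inner[0] != 0x02 or not inner[1] or inner[1][0] & 0x80:
            return None
        ints.append(int.from_bytes(inner[1], "big"))
        pos = inner[2]
    if len(ints) < 9 or ints[0] != 0:  # version 0 = two-prime key
        return None
    _, n, e, d, p, q, _dp, _dq, _qinv = ints
    # Arithmetic sanity checks weed out random data shaped like a SEQUENCE of INTEGERs.
    if p < 2 or q < 2 or p * q != n:
        return None
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        return None
    return {"offset": off, "n": n, "e": e, "d": d, "p": p, "q": q}

def scan_memory(buf, modulus_hex=None):
    """Walk the image, trying every 0x30 as a SEQUENCE start; optionally filter by modulus."""
    want = int(modulus_hex, 16) if modulus_hex else None
    found = []
    for off in range(len(buf)):
        if buf[off] != 0x30:
            continue
        key = parse_rsa_private_key(buf, off)
        if key is not None and (want is None or key["n"] == want):
            found.append(key)
    return found

# --- constructed sample: a toy key (p=61, q=53, e=17) surrounded by deterministic filler ---
def build_sample_image():
    p, q, e = 61, 53, 17
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    key_der = der_seq([der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
                       der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p))])
    filler = bytes(random.Random(1).getrandbits(8) for _ in range(256))
    return filler + key_der + filler, n

if __name__ == "__main__":
    image, modulus = build_sample_image()
    for key in scan_memory(image, format(modulus, "x")):
        print("key at offset {offset}: n={n} e={e} p={p} q={q}".format(**key))
```

A real image is hundreds of megabytes and keys are 2048 bits or more, so the same loop applies, just over a memory-mapped file; the consistency checks are what keep the false-positive rate near zero, and the modulus filter turns a scan into a targeted lookup when the public half of the key is already in hand.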

Installation

sudo apt install rsakeyfind

Flags

MEMORY-IMAGE    Path to the memory image file to scan for RSA private keys
MODULUS-FILE    Optional file containing a hex-encoded modulus; only matching keys will be reported

Examples

Scans the memory.dump file for all BER-encoded RSA private keys
rsakeyfind memory.dump
Locates RSA private keys in the specified memory image path
rsakeyfind /path/to/mem-image
Finds private and public keys matching the modulus from modulus.hex file
rsakeyfind memory.img modulus.hex
Searches vmemory.raw for keys matching the hex modulus in target.mod
rsakeyfind vmemory.raw target.mod
Extracts RSA private keys from forensic crashdump memory image
rsakeyfind crashdump.mem
Filters full.mem for keys matching specific known modulus
rsakeyfind full.mem known_modulus.txt
Updated 2026-04-16. Source: kali.org