
AES Finder – the utility to find AES keys in running process memory - based2
https://github.com/MantechUser/aes-finder
======
mabbo
I remember many years ago, as I was thinking about going into technology as a
career, I was chatting with a family friend who worked in computer security. I
was asking him what he did. He said "If I have physical access to a computer,
it's almost certain I will be able to get whatever data is on it. Especially
if it's still running and logged in." (or something to that effect).

Stuff like this always reminds me of that guy (haven't seen him in decades,
sadly). Oh, you used AES encryption? That's lovely, but your computer knows
the key and I can trick it into telling me it.

Truecrypt likely changed the game on some of the claims he made, but that
conversation predated its existence.

Today the angle of attack seems to be around OTP + Password with a timeout on
the credentials generated. It narrows the window, but doesn't completely block
it.

~~~
dtech
Truecrypt doesn't change that if the user has the volume open. When computers
still had Firewire if they had a warrant for child porn they would use FW and
DMA to pull a complete copy of the memory if it was on and get any encryption
keys to the Truecrypt volume. They would actually announce that they were
coming in on suspicion of child porn because people had a tendency to boot the
computer and open Truecrypt to delete all their files.

I suspect similar techniques are still used today, like we see with this tool.
If you can get a dump of the computer active memory you can ultimately get the
decryption keys on consumer hardware.

~~~
Drip33
> If you can get a dump of the computer active memory you can ultimately get the decryption keys on consumer hardware

What methods are available to get a memory dump if Firewire is disabled? Feds
couldn't break my encryption after ~1.5 years but my devices were all off when
they showed up. Ironically the one device they did get into was a cell phone
powered on but it had little evidentiary value and in one funny way was partly
exculpatory.

~~~
koolba
You can freeze the computer, remove the DIMMs, and then pop them into a
different machine to read them:
[https://electronics.stackexchange.com/questions/32189/freezi...](https://electronics.stackexchange.com/questions/32189/freezing-dram-for-forensics-coldboot)

~~~
Drip33
I thought that wasn't possible since DDR3 or 4?

~~~
ATsch
Smaller capacitors will keep their charge less long, which makes this more
difficult, but I understand that there are no fundamental mitigations.

~~~
jleahy
The fundamental mitigation is full memory encryption using a randomly
generated key that changes each time the CPU boots. That exists for some CPUs.

~~~
Spivak
Where do you store the key?

~~~
danielheath
CPU registers - much harder to pull off and reattach elsewhere.

------
hn_throwaway_99
Can someone explain how this works? I thought AES keys were just random bytes,
but obviously there must be more to them if this tool is able to detect them.

~~~
EE84M3i
I took a skim of the source[1] -- I think that it's looking for an expanded
set of round keys[2] using their expected layout in memory (accounting for
endian flips, forward/reverse ordering, 128/192/256 bit variants, and
enc/dec). If a matching region of memory is found, the first round key is the
main key.

[1]: [https://github.com/MantechUser/aes-finder/blob/master/aes-fi...](https://github.com/MantechUser/aes-finder/blob/master/aes-finder.cpp)
[2]: [https://en.wikipedia.org/wiki/AES_key_schedule](https://en.wikipedia.org/wiki/AES_key_schedule)

~~~
makomk
Yeah, it's a trick that's been around for a while. The thing that makes it a
little fiddly is the various ways to store a key schedule, especially for
decryption - it could be in either order, and there's some optimization to do
with whether InvMixColumn is pre-applied to the values that I can't remember
the details of. I actually had a fork of the classic aeskeyfind that added
some of these tricks, though apparently it's broken at higher compiler
optimizations now and I probably need to look into that:
[https://github.com/makomk/aeskeyfind](https://github.com/makomk/aeskeyfind)
Could just have used this instead if I'd known about it.

~~~
dunham
Also sqlite3's encryption seems to be a byte swapped AES.

E.g. look for a byte swapped AES key schedule in dropbox process memory and
you should find its sqlite3 encryption key.
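
The check EE84M3i describes, extended to the byte-swapped layout dunham mentions, as an added example that is not part of the thread and not taken from aes-finder. It covers AES-128 only, scans a constructed buffer rather than a live process, and assumes "byte swapped" means each 32-bit word is stored byte-reversed; all function names are this example's own.

```python
# Build the AES S-box algorithmically: inverse in GF(2^8), then the affine map.
rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
SBOX, p, q = [0x63] * 256, 1, 1
for _ in range(255):                 # 3 generates all 255 nonzero field elements
    p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
    for s in (1, 2, 4):                                      # q /= 3
        q = (q ^ (q << s)) & 0xFF
    q ^= 0x09 if q & 0x80 else 0
    SBOX[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def next_round_key(prev, rcon):
    # One AES-128 key-schedule step: 16-byte round key -> the following round key.
    out = [SBOX[prev[13]] ^ rcon, SBOX[prev[14]], SBOX[prev[15]], SBOX[prev[12]]]
    for i in range(16):
        out.append(out[i] ^ prev[i])
    return bytes(out[4:])

def expand_key(key):
    rks = [key]
    for rc in RCON:
        rks.append(next_round_key(rks[-1], rc))
    return b"".join(rks)             # 11 round keys, 176 bytes

def is_schedule(win):
    # Every round key in the window must follow from the one before it.
    return all(next_round_key(win[16*r:16*r+16], RCON[r]) == win[16*r+16:16*r+32]
               for r in range(10))

def swap32(b):
    # Reverse the bytes inside each 32-bit word (assumed meaning of "byte swapped").
    return b"".join(b[i:i+4][::-1] for i in range(0, len(b), 4))

def find_keys(buf):
    hits = []
    for off in range(len(buf) - 175):        # every offset, aligned or not
        win = buf[off:off + 176]
        for layout, cand in (("native", win), ("swapped", swap32(win))):
            if is_schedule(cand):
                hits.append((off, layout, cand[:16].hex()))
    return hits

# Constructed sample: filler plus the FIPS-197 example key's schedule in both layouts.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE = bytes(201) + expand_key(KEY) + bytes(range(256)) + swap32(expand_key(KEY)) + bytes(200)
```

A random 16-byte key has no structure of its own; the 160 bytes derived from it and stored next to it are what make it findable, which is why the mitigations discussed in this thread keep the schedule out of RAM.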

------
alcover
The TRESOR[1] kernel patch was proposed to prevent these attacks.

It stores keys in privileged registers.

[1]: [https://en.wikipedia.org/wiki/TRESOR](https://en.wikipedia.org/wiki/TRESOR)

------
natch
Sort of feel like such posts should link directly to the original repo the
repo was forked from, if any.

[https://github.com/mmozeiko/aes-finder](https://github.com/mmozeiko/aes-finder)

Unless there’s some newsworthy aspect to the child repo being a special
different fork.

~~~
jonstewart
This source file provides a better history for looking for AES keys. It looks
like Sam Trenholme developed the technique originally but I know of it because
of Jesse Kornblum’s subsequent work. Simson Garfinkel then embedded relevant
code inside of bulk_extractor. The technique is over a decade old:

[https://github.com/simsong/bulk_extractor/blob/master/src/sc...](https://github.com/simsong/bulk_extractor/blob/master/src/scan_aes.cpp)

~~~
makomk
It looks like this particular fork of this code has a few nice features that
aren't in older versions, such as support for dumping memory and actually
knowing about the other common formats of AES key schedule that are commonly
found in the wild. It's really annoying to run a search over a dump that you
suspect contains an AES key schedule and come up with nothing because the
encryption library used a slightly different way of storing it than the one
expected by the tool.

------
heavenlyblue
There were also tools about 15 years ago to find the entry point to encryption
routines by finding the SBox constants.

~~~
tptacek
There's lots of those, and they're _much_ easier to write, since you're
literally just grepping memory for a fixed string.

------
based2
[https://www.reddit.com/r/netsec/comments/innmgn/a_utility_to...](https://www.reddit.com/r/netsec/comments/innmgn/a_utility_to_find_aes_keys_in_running_process/)

------
knorker
Also see this from 2007:
[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.87....](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.87.7761&rep=rep1&type=pdf)

I believe I also saw that talk at a CCC camp back then.

Edit: ah yes, here it is:
[https://media.ccc.de/v/cccamp07-en-2002-Cryptographic_key_re...](https://media.ccc.de/v/cccamp07-en-2002-Cryptographic_key_recovery_from_Linux_memory_dumps)

------
based2
[https://github.com/susam/aes.vbs](https://github.com/susam/aes.vbs)

------
onigiri69
Someone please run this on matlab...

