Skip to main content

Crate dpapi_forensic

Crate dpapi_forensic 

Source
Expand description

dpapi4n6 — forensic CLI over the dpapi_core decoders.

The on-disk auditor for DPAPI-protected stores: Chrome/Edge (Local State cookie key + v10/v20 cookies), Credential Manager, Vault (VPOL/VCRD), and Wi-Fi (Wlansvc PSK). Every secret is recovered through dpapi_core (all crypto is audited RustCrypto), and the master key is the analyst’s input — when it is unavailable the CLI reports the store as present but locked with the offending master-key GUID and a non-zero exit, never a guessed secret.

Decision logic lives in this library (the testable decode_* functions + Cli::run); main.rs is a thin shell (Humble Object).

Re-exports§

pub use dpapi_core;

Structs§

Cli
dpapi4n6 — recover DPAPI-protected secrets from acquired Windows artifacts.
CliReport
The CLI’s overall result: the recovered items across the requested stores.
MasterKeyArg
The master-key material, shared by every subcommand: the 64-byte user/SYSTEM master key as hex (e.g. impacket’s -key 0x... value, sans 0x).
StoreResult
A recovered secret from one store (the unit of CLI output).

Enums§

CliError
CLI error: a clear, typed failure surfaced to the user (never a guessed secret).
Command

Functions§

decode_browser
Decode the browser cookie key from Local State JSON, optionally decrypting a v10/v20 cookie blob.
decode_credman
Decode a Credential Manager file’s blob.
decode_vault
Decode a Vault VPOL policy + one VCRD record into its web credentials.
decode_wifi
Decode a Wi-Fi profile XML’s PSK.
parse_master_key_hex
Decode a 64-byte master key from hex, erroring loudly on bad input.
render_text
Render a CliReport as a human-readable table.