Skip to main content

Module todo

Module todo 

Source
Expand description

Roadmap for the step-2 on-disk auditor. Not yet implemented — this module exists to anchor the plan.

Reader/enumeration auditors (each enumerates a DPAPI-protected store on an acquired filesystem, decrypts it through dpapi_core, and emits graded forensicnomicon report::Findings):

Key-source layer (the disk counterpart of memf’s LSASS dpapi_keys.rs):

  • masterkey.rs in dpapi-core: parse master-key files at %APPDATA%\Microsoft\Protect\<SID>\<GUID> and derive the key-protection key from the user password (SHA1 -> PBKDF2-HMAC) or the domain backup key (pbkdf2 crate). Same consumer as the existing decrypt path, different source of keys.

CLI:

  • dpapi4n6 binary per the fleet *4n6 pattern.