Skip to main content

dpapi_forensic/
lib.rs

1//! Forensic auditor for DPAPI-protected stores, built on [`dpapi_core`].
2//!
3//! Step 1 ships the byte-oriented decrypt primitives via the re-exported
4//! [`dpapi_core`]. The on-disk enumeration + grading layer is step 2 (see the
5//! [`todo` module](crate::todo)).
6
7pub use dpapi_core;
8
9/// Roadmap for the step-2 on-disk auditor. Not yet implemented — this module
10/// exists to anchor the plan.
11///
12/// Reader/enumeration auditors (each enumerates a DPAPI-protected store on an
13/// acquired filesystem, decrypts it through [`dpapi_core`], and emits graded
14/// `forensicnomicon` `report::Finding`s):
15///
16/// - **Chrome/Edge**: `Login Data` saved passwords + the `Local State` cookie
17///   key, then `Cookies` decryption via
18///   [`dpapi_core::detect_chrome_cookie_encoding`] /
19///   [`dpapi_core::decrypt_v10_cookie`].
20/// - **Credential Manager**: `%APPDATA%\Microsoft\Credentials\` blobs.
21/// - **Vault**: `%APPDATA%\Microsoft\Vault\` / `%LOCALAPPDATA%\Microsoft\Vault\`.
22/// - **Wi-Fi keys**: `Wlansvc` profile blobs.
23///
24/// Key-source layer (the disk counterpart of memf's LSASS `dpapi_keys.rs`):
25///
26/// - **`masterkey.rs`** in `dpapi-core`: parse master-key files at
27///   `%APPDATA%\Microsoft\Protect\<SID>\<GUID>` and derive the key-protection
28///   key from the user password (SHA1 -> PBKDF2-HMAC) or the domain backup key
29///   (`pbkdf2` crate). Same *consumer* as the existing decrypt path, different
30///   *source* of keys.
31///
32/// CLI:
33///
34/// - **`dpapi4n6`** binary per the fleet `*4n6` pattern.
35pub mod todo {}