Incident responders frequently capture the RAM of compromised machines. Core-decrypt can isolate an encrypted region of process memory (e.g., a buffer allocated through a VirtualAlloc call) and decrypt it using keys recovered elsewhere in the same dump.
```shell
# Decrypt with a known key (hex format). AES-256 requires a 32-byte key,
# i.e. 64 hex characters; the value below is a placeholder, not a real key.
core-decrypt -i encrypted.dat -o plaintext.pdf -a AES-256-CBC -k 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
```
Any decryption process depends on well-understood cryptographic primitives: symmetric ciphers (e.g., AES), asymmetric schemes (e.g., RSA and elliptic-curve algorithms), authenticated encryption modes (e.g., AES-GCM, ChaCha20-Poly1305), and supporting algorithms (e.g., key derivation functions such as HKDF or PBKDF2, and message authentication codes). Core-decrypt emphasizes correctness: decryption must reliably invert the encryption operation when given valid keys and inputs, and must fail predictably and safely on tampered or malformed data.
Authenticated encryption is central to this correctness. Without an integrity check, a decryption routine cannot tell genuine ciphertext from modified ciphertext: it will happily emit corrupted plaintext, which can then be fed into downstream parsers and trigger vulnerabilities there. Core-decrypt therefore assumes the use of authenticated modes or explicit integrity verification steps, so that data authenticity is validated before any sensitive processing or exposure.