Tuesday, January 8, 2013

Backtrack Forensics: pdfbook

Forensics -> RAM Forensics Tool

This is a small Python script that gathers Facebook information from a process memory dump created with pd.

Here are two ways to get a memory dump from Windows:

1. From Vista onwards we can use the Task Manager, as described here: http://support.microsoft.com/kb/931673
2. We can use the following process dumper: http://www.trapkit.de/research/forensic/pd/index.html

I created 2 dumps from 2 browsers, each with only Facebook open:

pd -p 1580 > firefox.dump
pd -p 6916 > ie.dump

I also created a 3rd dump with the Windows built-in utility described above.

Before running the script, we first need to extract the strings:

strings -el ie.dump > iestrings.txt

Then run the script:

./pdfbook.py -f iestrings.txt 

Unfortunately, I had no luck extracting any Facebook info. The reason is probably that the script is 4 years old and the regular expressions it uses are out of date. If you have more luck, please comment and I will retry.
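As an added example (not the pdfbook script, whose regular expressions this post does not show), the following Python 3 code reproduces the two steps above on a constructed sample: a minimal stand-in for `strings -el` that pulls ASCII and UTF-16LE runs out of a dump, followed by a scan for Facebook artifacts. The artifact patterns (facebook.com URLs and the `c_user` cookie, which carries the numeric user id) are assumptions for illustration, and the sample bytes are constructed, not a real dump.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of a browser memory dump: a few printable runs (some plain
# ASCII, some UTF-16LE, as Windows browsers often store text) between junk bytes.
SAMPLE_DUMP = (
    b"\x00\x17\x9a"
    + b"GET /home.php HTTP/1.1"
    + b"\xff\xfe"
    + "https://www.facebook.com/profile.php?id=100000123456".encode("utf-16-le")
    + b"\x00\x00\x13"
    + "Cookie: c_user=100000123456; datr=xyz".encode("utf-16-le")
    + b"\x01\x02"
    + b"https://www.facebook.com/messages/"
)

# Assumed artifact patterns (pdfbook's own regexes are not reproduced here):
# any facebook.com URL, and the c_user cookie holding the numeric user id.
FB_URL = re.compile(r"https?://(?:[a-z0-9-]+\.)*facebook\.com/[^\s\"'<>;]*", re.I)
C_USER = re.compile(r"\bc_user=(\d{5,})")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Minimal stand-in for `strings -el`: printable ASCII and UTF-16LE runs, in offset order."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_run.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_run.finditer(blob)]
    found.sort()
    return [s for _, s in found]


def find_facebook_artifacts(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Scan extracted strings (or the lines of iestrings.txt) for Facebook artifacts."""
    urls, user_ids = set(), set()
    for s in strings:
        urls.update(m.group(0) for m in FB_URL.finditer(s))
        user_ids.update(m.group(1) for m in C_USER.finditer(s))
    return {"urls": sorted(urls), "user_ids": sorted(user_ids)}


if __name__ == "__main__":
    # Same pipeline as the post: strings first, then the regex scan over them.
    for key, values in find_facebook_artifacts(extract_strings(SAMPLE_DUMP)).items():
        print(key, values)
```

To use it on a real dump, read the file as bytes and pass it to `extract_strings`, or feed the lines of an existing `strings -el` output straight to `find_facebook_artifacts`.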
