Wednesday, January 9, 2013

Backtrack Forensics: pdgmail

Menu: Forensics -> RAM Forensics Tools
Directory: /pentest/forensics/pdgmail

This is the companion of the pdfbook python script; this one can extract Gmail-related information from a memory dump.
Again, here are two ways to get a memory dump on Windows:

1. From Vista onwards we can use the Task Manager, as described here:
2. We can use the following process dumper (this can be used for Linux as well):

I created one dump this time:

pd -p 5900 > ff-gmail.dump

Before running the script, we need to extract the strings from the dump (note the -el switch, which pulls out 16-bit little-endian strings as well):

strings -el ff-gmail.dump > ff-gmail.txt

Then run the script:

./ -f ff-gmail.txt 

I created a sample Gmail account for the test. This script is much, much better: it could extract the account name, message headers, and complete messages as well.

Official website:
