/pentest/forensics/pdfbook
This is a small Python script that gathers Facebook information from a process memory dump created with pd (the Trapkit process dumper), hence the name.
Here are two ways to get a process memory dump on Windows:
1. On Windows Vista and later, Task Manager can write a user-mode dump of a running process (right-click the process and choose Create Dump File), as described here: http://support.microsoft.com/kb/931673
2. We can use pd, the process dumper from Trapkit, which writes the dump to standard output: http://www.trapkit.de/research/forensic/pd/index.html
I created 2 dumps from 2 browsers, each of them having only Facebook open:
pd -p 1580 > firefox.dump
pd -p 6916 > ie.dump
I also created a 3rd dump with the Windows built-in utility, as described above.
Before running the script we need to extract the strings first. The -e l option selects 16-bit little-endian characters, which is what catches the UTF-16 strings Windows processes keep in memory (plain strings would only find the 8-bit ASCII ones):
strings -el ie.dump > iestrings.txt
Then run the script:
./pdfbook.py -f iestrings.txt
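The dump-to-strings-to-grep pipeline above as one self-contained script, added here as an example and not pdfbook's own code: it re-implements the `strings` / `strings -el` step in Python (runs of printable ASCII, and runs of ASCII-in-UTF-16LE), then runs a set of regexes over every string and reports de-duplicated hits. The patterns (Facebook URLs, a `profile.php?id=` parameter, a `c_user=` cookie, e-mail addresses) and the sample dump bytes are assumptions constructed for the demo, not taken from the tool or from a real dump; point `scan_dump` at the bytes of `ie.dump` to run it on a real one.

```python
"""Extract printable strings from a process memory dump and grep them for
Facebook-style artifacts. Example code added for this page; not pdfbook itself."""
import re
from typing import Dict, Iterable, Iterator, List

# Regexes modelled on what a pdfbook-style script looks for. The URL and cookie
# shapes are assumptions for illustration, not a statement about the site's
# current format. A capturing group, if present, is what gets reported.
PATTERNS: Dict[str, re.Pattern] = {
    "facebook_url": re.compile(r"https?://(?:[\w-]+\.)*facebook\.com/[^\s\"'<>]*"),
    "profile_id": re.compile(r"profile\.php\?id=(\d+)"),
    "c_user_cookie": re.compile(r"\bc_user=(\d+)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+\w"),
}


def extract_strings(data: bytes, min_len: int = 4) -> Iterator[str]:
    """Yield what `strings` (ASCII) and `strings -el` (UTF-16LE) would print.

    A UTF-16LE run is a printable ASCII byte followed by a NUL, repeated, so the
    two scans never overlap: NULs break ASCII runs and ASCII text has no NULs.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16le_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.group().decode("ascii")
    for m in utf16le_re.finditer(data):
        yield m.group().decode("utf-16-le")


def find_artifacts(strings: Iterable[str],
                   patterns: Dict[str, re.Pattern] = PATTERNS) -> Dict[str, List[str]]:
    """Run each regex over every string; return de-duplicated hits per pattern."""
    hits: Dict[str, List[str]] = {name: [] for name in patterns}
    for s in strings:
        for name, rx in patterns.items():
            for m in rx.finditer(s):
                value = m.group(1) if m.groups() else m.group(0)
                if value not in hits[name]:
                    hits[name].append(value)
    return hits


def scan_dump(data: bytes) -> Dict[str, List[str]]:
    """Full pipeline: raw dump bytes -> strings -> artifact hits."""
    return find_artifacts(extract_strings(data))


# Constructed stand-in for a browser memory dump (not real data): a UTF-16LE URL
# as a Windows GUI control would hold it, an ASCII cookie header, an e-mail
# address, and some non-printable filler between them.
SAMPLE_DUMP = (
    b"\x00\x00\x7f\xfe"
    + "https://www.facebook.com/profile.php?id=100000000000001".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
    + b"Cookie: c_user=100000000000001; xs=deadbeef\r\n"
    + b"\x90\x90\x00\x01"
    + b"alice.example@example.com\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    # For a real dump: data = open("ie.dump", "rb").read(); scan_dump(data)
    for name, values in scan_dump(SAMPLE_DUMP).items():
        print(f"{name}: {values}")
```

Because the script works on the raw dump rather than on a pre-extracted text file, the UTF-16 and ASCII strings come from a single pass, and adding or updating a pattern is one dictionary entry, which is exactly the maintenance problem an aging regex set like pdfbook's runs into.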
Unfortunately I had no luck extracting any Facebook info. The reason is probably that the script is 4 years old and the regular expressions it uses are out of date. If you have more luck, please comment and I will retry.
Official Website: http://jeffbryner.com/pdfbook