Directory: /pentest/forensics/pdgmail
This is the companion of the pdfbook Python script; this one extracts Gmail-related information from a memory dump.
Again, here are two ways to get a memory dump on Windows:
1. From Vista we can use the Task Manager as described here: http://support.microsoft.com/kb/931673
2. We can use the following process dumper (this can be used for Linux as well): http://www.trapkit.de/research/forensic/pd/index.html
I created one dump this time:
pd -p 5900 > ff-gmail.dump
Before running the script we need to extract strings first:
strings -el ff-gmail.dump > ff-gmail.txt
Then run the script:
./pdgmail.py -f ff-gmail.txt
I created a sample Gmail account for the test. This script is much, much better: it could extract the account name, message headers, and complete messages as well.
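To show why the `strings -el` step matters (Firefox on Windows keeps much of its text in memory as 16-bit little-endian Unicode, which plain `strings` skips) and what the later extraction step boils down to, here is an added example that is not pdgmail's own code. It emulates `strings -el` over a constructed sample "dump" and then pulls account names and message headers out of the result; the sample bytes, the hypothetical addresses and the header set are all assumptions made for the demonstration.

```python
import re

# Constructed sample "memory dump": UTF-16LE strings (as Firefox on Windows
# stores much of its text) mixed with binary noise and one plain-ASCII string.
SAMPLE_DUMP = (
    b"\x00\x01\x7f\xff"
    + "From: alice.example@gmail.com".encode("utf-16-le")
    + b"\x00\x00\x13\x37"
    + "Subject: test message for pdgmail".encode("utf-16-le")
    + b"\xde\xad"
    + b"plain ascii lives here too"          # invisible to the -el pass
    + b"\x00\x00"
    + "To: bob.example@gmail.com".encode("utf-16-le")
)

MIN_LEN = 4  # GNU strings' default minimum string length

def strings_el(buf, min_len=MIN_LEN):
    """Emulate `strings -el`: collect runs of printable 16-bit LE characters."""
    out, cur, i = [], [], 0
    while i + 1 < len(buf):
        lo, hi = buf[i], buf[i + 1]
        if hi == 0 and 0x20 <= lo < 0x7F:    # printable ASCII in a UTF-16LE slot
            cur.append(chr(lo))
            i += 2
            continue
        if len(cur) >= min_len:
            out.append("".join(cur))
        cur = []
        i += 1                               # resynchronise one byte at a time
    if len(cur) >= min_len:
        out.append("".join(cur))
    return out

# Hypothetical patterns standing in for what a pdgmail-style pass looks for.
EMAIL_RE = re.compile(r"[\w.+-]+@gmail\.com")
HEADER_RE = re.compile(r"^(From|To|Cc|Subject|Date): (.+)$")

def gmail_artifacts(lines):
    """Return (account names, (header, value) pairs) found in strings output."""
    accounts, headers = set(), []
    for line in lines:
        accounts.update(EMAIL_RE.findall(line))
        m = HEADER_RE.match(line)
        if m:
            headers.append((m.group(1), m.group(2)))
    return sorted(accounts), headers

if __name__ == "__main__":
    found = strings_el(SAMPLE_DUMP)
    print(found)                     # the ASCII-only string is absent
    print(gmail_artifacts(found))
```

Because the ASCII-only string never appears in the `-el` output, in practice you would run both `strings` and `strings -el` over the same dump before feeding the results to the script.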
Official website: http://www.jeffbryner.com/code/pdgmail