Wednesday, January 9, 2013

Backtrack Forensics: pdgmail

Menu: Forensics -> RAM Forensics Tools
Directory: /pentest/forensics/pdgmail

This is the companion to the pdfbook Python script; this one can extract Gmail-related information from a memory dump.
Again, here are two ways to get a memory dump from Windows:

1. From Vista we can use the Task Manager as described here: http://support.microsoft.com/kb/931673
2. We can use the following process dumper (this can be used for Linux as well): http://www.trapkit.de/research/forensic/pd/index.html

I created 1 dump this time:

pd -p 5900 > ff-gmail.dump

Before running the script we need to extract strings first:

strings -el ff-gmail.dump > ff-gmail.txt

Then run the script:

./pdgmail.py -f ff-gmail.txt

I created a sample Gmail account for the test. This script is much, much better than pdfbook: it could extract the account name, message headers, and complete messages as well.
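As an added example (not pdgmail's own code), the following Python walks through the two stages the procedure above depends on: a small emulation of `strings -el` (printable 16-bit little-endian runs, the flag that matters because Windows applications keep much of their text in UTF-16LE, so a plain `strings` would miss it), followed by a pass over the extracted lines for a Gmail account name and message headers. The dump bytes, the header list and the address pattern are constructed here and are assumptions, not pdgmail's parsing rules.

```python
import re

# Constructed sample of a process dump: UTF-16LE text fragments separated by
# binary noise, plus one plain-ASCII string that `strings -el` would NOT report.
SAMPLE_DUMP = (
    b"\x00\x01\xff\xfe"
    + "test.account@gmail.com".encode("utf-16-le")
    + b"\x00\x00\x7f\x13"
    + "Subject: Quarterly report".encode("utf-16-le")
    + b"\x00\x00"
    + "From: Alice Example <alice@example.org>".encode("utf-16-le")
    + b"\x00\x00\x9a"
    + b"plain-ascii-not-utf16@example.net"
    + b"\x00"
)

def strings_el(data: bytes, min_len: int = 4) -> list:
    """Emulate `strings -el`: runs of >= min_len printable chars, each encoded
    as a printable ASCII byte followed by a NUL byte (UTF-16LE)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]

# Assumed patterns for the artifacts the post says pdgmail recovers:
# account names (Gmail addresses) and RFC 822 style message headers.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HEADER = re.compile(r"^(From|To|Cc|Subject|Date): .+$")

def extract_mail_artifacts(lines) -> dict:
    """Collect Gmail account names and message headers from extracted strings."""
    found = {"accounts": set(), "headers": []}
    for line in lines:
        for addr in EMAIL.findall(line):
            if addr.lower().endswith("@gmail.com"):
                found["accounts"].add(addr)
        if HEADER.match(line):
            found["headers"].append(line)
    return found

def analyze_dump(data: bytes) -> dict:
    """Full pipeline: raw dump -> UTF-16LE strings -> mail artifacts."""
    return extract_mail_artifacts(strings_el(data))

if __name__ == "__main__":
    result = analyze_dump(SAMPLE_DUMP)
    print("accounts:", sorted(result["accounts"]))
    for hdr in result["headers"]:
        print("header: ", hdr)
```

Note that the ASCII address in the sample never surfaces, which is exactly why the post runs `strings -el` rather than `strings` before handing the text to the script.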

Official website: http://www.jeffbryner.com/code/pdgmail
