pdgmail: Backtrack: Forensics: RAM Forensics Tools: pdgmail
We received a request for an article on pdgmail, a Python script that analyzes Windows and Linux browser process dumps taken while the browser had Gmail open. I was able to test on 32-bit Windows 7, 64-bit Ubuntu 10.04 LTS, and 32-bit Ubuntu 10.04 LTS. Unfortunately, the methods I was using did not work properly on the 64-bit Ubuntu; however, they worked perfectly on both 32-bit operating systems I tested. Below I describe how to dump Firefox process memory using Process Dumper and analyze it with pdgmail on Backtrack Linux, which is technically Ubuntu 10.04 LTS.
Dump Ubuntu Firefox Process Memory:
Before we describe how to dump the process memory from a browser process on a remote Windows server, we will first explain how to dump the browser process memory locally and analyze that dump for Gmail data using pdgmail.py, located in /pentest/forensics/pdgmail/ on Backtrack 5. The first thing you want to do is download this process memory dumper onto Backtrack. Once downloaded, unpack the process memory dumper, called simply Process Dumper, and make the extracted file world executable. These three steps are shown in the example below.
Download Process Dumper, Unpack Process Dumper, & Make Process Dumper Executable:
root@bt:/pentest/forensics/pdgmail# wget http://www.trapkit.de/research/forensic/pd/pd_v1.1_lnx.bz2
--2012-04-19 05:50:12-- http://www.trapkit.de/research/forensic/pd/pd_v1.1_lnx.bz2
Resolving www.trapkit.de... 22.214.171.124, 2a01:238:20a:202:1086::86
Connecting to www.trapkit.de|126.96.36.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 212175 (207K) [application/x-bzip2]
Saving to: `pd_v1.1_lnx.bz2'
100%[===========================================================================================================================================>] 212,175 217K/s in 1.0s
2012-04-19 05:50:13 (217 KB/s) - `pd_v1.1_lnx.bz2' saved [212175/212175]
root@bt:/pentest/forensics/pdgmail# bzip2 -d pd_v1.1_lnx.bz2
root@bt:/pentest/forensics/pdgmail# chmod +x pd_v1.1_lnx
Now that pd_v1.1_lnx is executable, open Firefox and log in to Gmail. Once logged in, I suggest navigating through a couple of pages of email to generate more output data to parse through. With Firefox running, you need to locate its PID (process ID) to feed to Process Dumper so it knows which process's memory to dump. You can locate Firefox's PID using ps, as shown in the example below.
Locate Firefox PID/Process ID On Backtrack Linux:
root@bt:/pentest/forensics/pdgmail# ps -ef | grep fire
root 1885 1 22 05:50 tty1 00:00:09 /opt/firefox/firefox-bin
root 1933 1885 2 05:50 tty1 00:00:00 /opt/firefox/plugin-container /usr/lib/flashplugin-installer/libflashplayer.so -greomni /opt/firefox/omni.ja 1885 true plugin
root 1940 1853 0 05:51 pts/0 00:00:00 grep --color=auto fire
root@bt:/pentest/forensics/pdgmail#
Now that you have the PID, it is time to dump the process memory and then analyze it with the Python pdgmail script. As you can see below, the output of Process Dumper is redirected to a file to be analyzed later by pdgmail.py.
Use Process Dumper To Output Firefox Process Memory To File:
root@bt:/pentest/forensics/pdgmail# ./pd_v1.1_lnx -p 1885 > 1885.dump
pd, version 1.1 tk 2006, www.trapkit.de
Dump complete.
root@bt:/pentest/forensics/pdgmail#
Be patient while Process Dumper is working, as it can sometimes take a while, and you want to make sure it finishes so you get the most data possible from the Firefox process. Now that we have the dump file, we want to analyze it with pdgmail, so if the .dump file previously created by Process Dumper is not in the /pentest/forensics/pdgmail directory, move it there now. With the dump file in place, issue a command similar to the one below to analyze the dump file for Gmail data, including Gmail email addresses, Gmail last accessed time, Gmail last accessed IP, etc.
Analyze Firefox Process Dump Using pdgmail On Backtrack:
root@bt:/pentest/forensics/pdgmail# strings -el 1885.dump | ./pdgmail.py > 1885.out
root@bt:/pentest/forensics/pdgmail#
Now there is readable Gmail data within the 1885.out file. I am not going to display the example output I have since the data is real and sensitive. The type of data that will show is very similar to the few examples that are displayed below.
pdgmail.py Example Output From Analyzed Ubuntu Firefox Process Dump:
last access: "5:51 am" from IP "192.168.1.1", most recent access Thu Apr 1 05:51:06 2012 from IP "192.168.1.1"
last access: "5:51 am" from IP "192.168.1.1", most recent access Thu Apr 1 05:51:06 2012 from IP "192.168.1.1"
message header: ["ms","13383aaa44446223","",4,"email@example.com","","firstname.lastname@example.org",1444448930220,"Hi wayne, How Goes? ...",["^all","^i","^iim","^io_im","^io_imc2","^smartlabel_notification"]
There should be a lot more lines than the above, depending on how many Gmail pages were browsed within the Firefox process attached to that PID. You can download the Windows Process Dumper from the same location as the Linux Process Dumper.
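To show why the analysis step uses strings -el (16-bit little-endian strings) and what a "message header" line contains, here is an added example that is not part of pdgmail.py or the original article. The field layout is inferred from the single sample record above, the names addr_a and addr_b are hypothetical, and treating the 13-digit field as Unix milliseconds is an assumption.

```python
import re
from datetime import datetime, timezone

# A printable ASCII character stored as a 16-bit little-endian code unit is
# the character byte followed by 0x00; `strings -el` selects that encoding.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Layout inferred from the one sample record in the article (assumption,
# not pdgmail.py's own pattern). A truncated trailing label list is allowed.
MS_RECORD = re.compile(
    r'\["ms","(?P<msg_id>[0-9a-f]+)","[^"]*",\d+,'
    r'"(?P<addr_a>[^"]*)","[^"]*","(?P<addr_b>[^"]*)",'
    r'(?P<ts_ms>\d{13}),"(?P<snippet>[^"]*)"'
    r'(?:,\[(?P<labels>[^\]]*)\]?)?'
)

def utf16le_strings(buf):
    """Return the 16-bit little-endian strings found in a raw memory buffer."""
    return [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(buf)]

def gmail_headers(buf):
    """Parse Gmail "ms" message-header records out of a raw dump buffer."""
    found = []
    for text in utf16le_strings(buf):
        for m in MS_RECORD.finditer(text):
            rec = m.groupdict()
            # Assumption: the 13-digit field is Unix time in milliseconds.
            rec["ts_utc"] = datetime.fromtimestamp(
                int(rec.pop("ts_ms")) // 1000, tz=timezone.utc).isoformat()
            rec["labels"] = re.findall(r'"([^"]*)"', rec["labels"] or "")
            found.append(rec)
    return found

# Constructed sample: the article's record once as UTF-16LE (as a browser
# heap would hold it) and once as 8-bit text, separated by filler bytes.
RECORD = ('["ms","13383aaa44446223","",4,"email@example.com","",'
          '"firstname.lastname@example.org",1444448930220,'
          '"Hi wayne, How Goes? ...",["^all","^i","^iim"]')
SAMPLE_DUMP = (b"\x7fELF\x01\x02\xff\xfe" + RECORD.encode("utf-16-le")
               + b"\xff\x00\xfe"
               + RECORD.replace("13383", "99999").encode("ascii")
               + b"\x00\x00\x90\x90")

if __name__ == "__main__":
    for header in gmail_headers(SAMPLE_DUMP):
        print(header)
```

Only the UTF-16LE copy is recovered; the 8-bit copy is skipped, just as it would be by strings -el on a real dump.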