pdgmail: Backtrack: Forensics: RAM Forensics Tools: pdgmail

We received a request for an article for pdgmail which is a Python script that analyzes Windows and Linux browser process dumps where the browser had Gmail open. I was able to test on 32-bit Windows 7, 64-bit Ubuntu 10.04 LTS, and 32-bit Ubuntu 10.04 LTS. Unfortunately the methods I was using did not work properly on the 64-bit Ubuntu however it worked perfectly on both 32-bit operating systems I tested. Below I describe how pdgmail can be used to dump Firefox process memory using Process Dumper on Backtrack Linux which is technically Ubuntu 10.04 LTS.

Dump Ubuntu Firefox Process Memory:

Before we get into describing how to dump the process memory from a browser process on a remote Windows server we will first explain how to dump the browser process memory locally and analyze that dump for Gmail data using pdgmail.py located in /pentest/forensics/pdgmail/ on Backtrack 5. The first thing you want to do is download this process memory dumper onto Backtrack. Once downloaded unpack the process memory dumper called simply Process Dumper, unpack the Process Dumper, and change the extracted file to be world executable. These three steps are shown in the below example.

Download Process Dumper, Unpack Process Dumper, & Make Process Dumper Executable:


  1. root@bt:/pentest/forensics/pdgmail# wget http://www.trapkit.de/research/forensic/pd/pd_v1.1_lnx.bz2
  2. --2012-04-19 05:50:12--  http://www.trapkit.de/research/forensic/pd/pd_v1.1_lnx.bz2
  3. Resolving www.trapkit.de..., 2a01:238:20a:202:1086::86
  4. Connecting to www.trapkit.de||:80... connected.
  5. HTTP request sent, awaiting response... 200 OK
  6. Length: 212175 (207K) [application/x-bzip2]
  7. Saving to: `pd_v1.1_lnx.bz2'
  9. 100%[===========================================================================================================================================>] 212,175      217K/s   in 1.0s
  11. 2012-04-19 05:50:13 (217 KB/s) - `pd_v1.1_lnx.bz2' saved [212175/212175]
  12. root@bt:/pentest/forensics/pdgmail# bzip2 -d pd_v1.1_lnx.bz2
  13. root@bt:/pentest/forensics/pdgmail# chmod +x pd_v1.1_lnx

Now that pd_v1.1_1nx is executable you should open Firefox and login to Gmail. Once logged into Gmail I suggest navigating through a couple pages of email to generate more output data to parse through. Once Firefox is running you will need to locate the PID or Process ID to feed to the Process Dumper so it knows which PID’s memory to dump. You can locate Firefox’s PID using ps as shown in the below example.

Locate Firefox PID/Process ID On Backtrack Linux:


  1. root@bt:/pentest/forensics/pdgmail# ps -ef | grep fire
  2. root      1885     1 22 05:50 tty1     00:00:09 /opt/firefox/firefox-bin
  3. root      1933  1885  2 05:50 tty1     00:00:00 /opt/firefox/plugin-container /usr/lib/flashplugin-installer/libflashplayer.so -greomni /opt/firefox/omni.ja 1885 true plugin
  4. root      1940  1853  0 05:51 pts/0    00:00:00 grep --color=auto fire
  5. root@bt:/pentest/forensics/pdgmail#

Now that you have the PID it is time to dump the process memory and then finally time to analyze with the Python pdgmail script. As you can see below the output of the Process Dump script is output to a file to later be analyzed by pdgmail.py.

Use Process Dumper To Output Firefox Process Memory To File:


  1. root@bt:/pentest/forensics/pdgmail# ./pd_v1.1_lnx -p 1885 > 1885.dump
  2. pd, version 1.1 tk 2006, www.trapkit.de
  4. Dump complete.
  6. root@bt:/pentest/forensics/pdgmail#

Be sure to be patient while Process Dumper is working as it can take awhile sometimes and you want to make sure it finishes so you get the most data possible from the Firefox process. Now that we have the dump file we want to analyze it with pdgamil so if the .dump file previously created by Process Dumper is not in the /pentest/forensics/pdgmail directory move it there now. With the dump file in place issue a command similar to the below to analyze the dump file for Gmail data including Gmail email addresses, Gmail last accessed time, Gmail last accessed IP, etc.

Analyze Firefox Process Dump Using pdgmail On Backtrack:


  1. root@bt:/pentest/forensics/pdgmail# strings -el 1885.dump| ./pdgmail.py > 1885.out
  2. root@bt:/pentest/forensics/pdgmail#

Now there is readable Gmail data within the 1885.out file. I am not going to display the example output I have since the data is real and sensitive. The type of data that will show is very similar to the few examples that are displayed below.

pdgmail.py Example Output From Analyzed Ubuntu Firefox Process Dump:


  1. last access: "5:51 am" from IP "", most recent access Thu Apr 1 05:51:06 2012 from IP ""
  2. last access: "5:51 am" from IP "", most recent access Thu Apr 1 05:51:06 2012 from IP ""
  3. message header: ["ms","13383aaa44446223","",4,"some-email@example.com","","email2@example.com",1444448930220,"Hi wayne, How Goes? ...",["^all","^i","^iim","^io_im","^io_imc2","^smartlabel_notification"]

There should be a lot more lines than the above depending on how many Gmail pages that were browsed within Firefox attached to that PID. You can download the Windows Process Dumper in the same location as the Linux Process Dumper or by clicking here.

Advanced Windows Debugging (Paperback)

List Price: $64.99 USD
New From: $39.98 USD In Stock
Used from: $2.41 USD In Stock

Memory Dump Analysis Anthology, Vol. 4 (Paperback)

List Price: $40.00 USD
New From: $21.66 USD In Stock
Used from: $26.80 USD In Stock