PDGmail

Description

PDGmail is a Python script that analyzes Windows and Linux browser process dumps where the browser had Gmail open.It’ll find what it can out of the memory image including contacts, emails, last acccess times, IP addresses etc. You can actually run strings against your memory dump, and then use a tool called pdgmail to extract gMail artifacts.

Usage

Syntax

pdgmail.py [OPTIONS]

Options

   -f, --file       the file to use (stdin if no file given)
   -b, --bodies	    don't look for message bodies (helpful if you're getting too many false positives on the mb regex)
   -h, --help	    prints this 
   -v,--verbose	    be verbose (prints filename, other junk)
   -V,--version     prints just the version info and exits.

Example

Find Process ID of Firefox:

cyborg@cyborg:~$ ps -ef | grep fire
cyborg    3287  2511 14 10:14 ?        00:00:02 /usr/lib/firefox/firefox
cyborg    3337  3225  0 10:14 pts/11   00:00:00 grep --color=auto fire

Dump Firefox Memory  to a File:

cyborg@cyborg:~$ sudo gcore -o fire.dmp 3287
[New LWP 3335]
[New LWP 3333]
[New LWP 3332]
[New LWP 3329]
[New LWP 3328]
[New LWP 3327]
[New LWP 3326]
[New LWP 3325]
[New LWP 3324]
[New LWP 3323]
[New LWP 3321]
[New LWP 3320]
[New LWP 3319]
[New LWP 3318]
[New LWP 3317]
[New LWP 3316]
[New LWP 3312]
[New LWP 3310]
[New LWP 3309]
[New LWP 3308]
[New LWP 3304]
[New LWP 3303]
[New LWP 3302]
[New LWP 3301]
[New LWP 3300]
[New LWP 3299]
[New LWP 3298]
[New LWP 3297]
[New LWP 3296]
[New LWP 3295]
[New LWP 3294]
[New LWP 3293]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007f3891c6ecbd in poll () at ../sysdeps/unix/syscall-template.S:81

Dump Compelete!

Go to PDGmail Location with root privilege :

cyborg@cyborg:~$ sudo -s
root@cyborg:~# cd /pentest/forensics/pdg mail/
root@cyborg:/pentest/forensics/pdg mail#

Analyze Firefox Process Dump Using pdgmail:

root@cyborg:/pentest/forensics/pdg mail# strings -el /home/cyborg/fire.dmp| ./pdgmail.py > 3287.out

Output From Analyzed Ubuntu Firefox Process Dump:

last access: "5:51 pm" from IP "192.168.1.12", most recent access Thu Oct 1 05:51:06 2015 from IP "192.168.1.12"
last access: "5:51 pm" from IP "192.168.1.12", most recent access Thu Oct 1 05:51:06 2015 from IP "192.168.1.12"
message header: ["ms","13383aaa44446223","",4,"****@gmail.com","","****@gmail.com",1444448930220,"Hi, How Are You? ...",["^all","^i","^iim","^io_im","^io_imc2","^smartlabel_notification"]
0 Comments

Leave a reply

CONTACT US

We're are building as a community and a team. Be a part of it.

Sending

©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?