Think that just because you run over HTTPS no one could ever see your emails? Well, think again. Behold again the power of memory, which actually stores portions of your gmail unencrypted. I am not doing video today, a lot of this is just waiting around... so please bear with the screenshots :)
So let's say you have a memory dump from your investigation and you know this user uses Gmail a lot and you think maybe its contents could be integral to your investigation. Remember good ol' strings? Well, you can actually run strings against your memory dump, and then use a tool called pdgmail to extract Gmail artifacts. How to do this? Read on!
So, once again showing how powerful memory can truly be. I tried this in XP while running IE; I will run a test with Mozilla and see if I get the same results.
UPDATE: It works a charm with Mozilla, and in Vista! I did notice that it does not contain the address book e-mails, but it does have e-mails from my inbox... if you scroll down the link I have for pdgmail someone else noticed this. Will have to do some research...
- Filename: XP.vmem
- Size: 500MB
Ok, first step is to run strings on this badboy, depending on the size of your memory dump this could take a while (still quicker than a subpoena I would imagine).
So the parameter for strings is -q (quiet); you can use -o for offset if you'd like, but it's not necessary.
Almost done! Now assuming you have Python installed, go ahead and fire up the pdgmail script, created by Jeff Bryner (read about his analysis and grab the code here). Jeff does a great job with commenting so even a programming n00b (such as myself) can follow along. Make sure you output to a file because this can be beastly!
The one required switch is -f, which is the strings output from your previous command. Other switches you can include are -b (ignore message bodies, apparently the search expressions for this can reveal many false positives) and -v for verbose. The result? A file of about 100K with a decent amount of data involved... for the sake of my privacy (and my colleagues'), email addresses have been blacked out.
So as you can see, the tool parsed out quite a lot of info. A lot of those emails are in my address book- I have not used them in ages... I moved from DC two years ago. I don't remember the last time I emailed Ed Skoudis (I think it was after BlackHat Federal). So, pretty thorough.
Same with e-mails, although it looked like emails from much more recent activity than the email addresses. As you can see, I am supposed to meet at the park at noon and wear one red shoe (does anyone get the reference?--SHHH!!), subscribe to DailyCandy (yes I am a girl, I am intrigued by sample sales), I can never remember my Keynoir password, something about SecretCinema (which is awesome), and even though I live thousands of miles away... still get email about happenings in Buffalo.
You can even put these into an Excel spreadsheet, which would seem useful for filtering.
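To make the two-stage workflow above concrete (strings first, then a pattern pass over the strings output, then a spreadsheet-friendly export), here is an added example that is not the post's own code and not pdgmail's: a minimal strings(1)-style scanner plus a simple mail-artifact carver in Python. It assumes a constructed in-memory "dump" built inline (the addresses and subject in it are made up), matches ASCII runs the way strings does by default and UTF-16LE runs the way GNU strings does with -e l (Windows keeps much of its in-memory text as wide characters), and uses its own address and Subject: regexes rather than pdgmail's search expressions. The CSV writer at the end is what you would open in Excel for filtering.

```python
"""Added example: strings-style scan of a raw memory image, then carving of
mail artifacts from the printable runs, then CSV export. Not pdgmail's code;
the sample image is constructed below and every address in it is made up."""
import csv
import io
import re

# strings(1) default: runs of at least 4 printable ASCII bytes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE runs (what `strings -e l` looks for): printable byte followed by NUL.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Assumed patterns for the second stage; pdgmail uses its own expressions.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SUBJECT = re.compile(r"Subject:\s*(.+)")


def extract_strings(blob: bytes) -> list:
    """Stage one: return (offset, text) for every printable run, like `strings -o`.
    ASCII and UTF-16LE runs are both reported, ordered by offset."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(blob)]
    return sorted(found)


def carve_mail_artifacts(strings_out: list) -> list:
    """Stage two: walk the strings output and keep addresses and subject lines.
    Each hit keeps the offset so it can be tied back to the image."""
    rows = []
    for offset, text in strings_out:
        for addr in EMAIL.findall(text):
            rows.append({"offset": offset, "kind": "address", "value": addr.lower()})
        m = SUBJECT.search(text)
        if m:
            rows.append({"offset": offset, "kind": "subject", "value": m.group(1).strip()})
    return rows


def unique_addresses(rows: list) -> list:
    """Deduplicated, sorted address list (the address-book style view)."""
    return sorted({r["value"] for r in rows if r["kind"] == "address"})


def to_csv(rows: list) -> str:
    """Spreadsheet export: one row per artifact with offset, kind and value."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["offset", "kind", "value"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump: printable fragments separated by
    control-byte filler, plus one UTF-16LE fragment. Nothing here is real data."""
    junk = bytes(range(0, 32)) * 3  # control bytes only, never printable
    parts = [
        junk,
        b'"alice.example@example.com","Alice Example"',  # contact-style entry
        junk,
        b"Subject: meet at the park at noon",            # message header
        junk[:7],
        "From: bob@example.org".encode("utf-16-le"),     # wide-character string
        junk,
        b"ab",                                           # too short to be a string
        junk,
        b"not-an-address@nowhere",                       # no TLD, must be ignored
        junk,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    image = build_sample_image()
    artifacts = carve_mail_artifacts(extract_strings(image))
    print(to_csv(artifacts))
```

On a real image you would feed the file's bytes to extract_strings (or, more practically, run strings -o and read its output into the same (offset, text) shape) and keep the offsets, since they let you go back to the surrounding memory when an address or subject turns out to matter.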


1 comment:
Interesting post! This is so beneficial... can't wait to read your next post. Godspeed!