SANS Digital Forensics and Incident Response Blog

pdymail: Yahoo! mail in memory

I thought GMail gave up quite a bit of information through pdgmail. Little did I know how much was in Yahoo! mail!

pdymail is the sister script to pdgmail for gathering Yahoo! email artifacts from memory.

The good thing about Web 2.0, with its AJAX, JSON, etc. interfaces, is that most of it is plain text, and much of that is XML, which is easy to find in memory. Yahoo! mail classic interface artifacts are easily found on the hard disk in browser cache files. The new Yahoo! mail interface uses XML, and while it doesn't leave much behind on the disk, it leaves tons in memory.

Like pdgmail, pdymail is a rather simple Python script, tested mostly against a pd dump of a single process's memory. It also works against ManTech dd memory images, and pretty much any other memory acquisition you can run strings against.

The difference with Yahoo! mail is the vast amount of information that is retrievable! It's already in XML in memory, and rather than parse it and lose something precious to the investigator, pdymail simply finds the XML artifacts and presents them in an XML document.

You can use this XML document to rather easily reconstruct the contents of an inbox, including dates, senders, recipients and even the IP addresses of the hosts that sent the email. Flags for spam, ham, read, unread, forwarded, sender in the address book, etc., are also available per message. Note that the one thing I haven't found yet is the actual body of an email. Maybe you can? If so, send me an example and I'll revise the script.

Here's how to run it:

On the subject machine, use pd from www.trapkit.de like so:
pd -p 1234 > 1234.dump

where 1234 is the process ID of a running instance of IE, or some other browser you think might have Yahoo! mail artifacts in its memory.

Then on your analysis box do:
strings -el 1234.dump > memorystrings.txt
pdymail -f memorystrings.txt

It'll spit out an XML document that you can analyze for whatever you're looking for. In my next post I'll detail some use cases parsing that XML with XMLStarlet on Linux, but for now... happy hunting!
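To make the approach concrete, here is an added example (not pdymail itself, and not code from the post) that does the same two things in miniature with only the Python standard library: carve well-formed XML fragments out of a strings dump without repairing or reinterpreting them, wrap them in a single XML document, and then pull the per-message fields the post mentions (sender, recipient, date, read/spam flags) back out of that document. The strings output and the element names (message, from, to, date, flags) are constructed placeholders for illustration, not Yahoo! mail's real schema; swap in the real outermost element name via the tag parameter when working on genuine dumps.

```python
"""Added example: carve XML fragments out of `strings` output, as pdymail does.

Not pdymail's code. Element names in SAMPLE_STRINGS are constructed
placeholders, not the real Yahoo! mail schema.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of `strings -el 1234.dump` output: mostly noise, two
# intact XML fragments, and one fragment that was truncated in memory.
SAMPLE_STRINGS = """\
kernel32.dll
GetProcAddress
<message id="1"><from>alice@example.com</from><to>bob@example.com</to><date>2009-01-23</date><flags read="1" spam="0"/></message>
MSIE 7.0
<message id="2"><from>carol@example.net</from><to>bob@example.com</to><date>2009-01-24</date><flags read="0" spam="1"/></message>
<unclosed>this fragment was cut off when the page was overwritten
random text
"""

# Conservative carving pattern: an opening tag, a non-greedy body on the same
# line, and a closing tag with the same name. Nested same-name elements are
# deliberately not handled; pass the schema's outermost element as `tag`.
FRAGMENT_RE = re.compile(r"<([A-Za-z_][\w.-]*)(?:\s[^<>]*)?>.*?</\1>")


def carve_xml_fragments(text, tag=None):
    """Return every well-formed XML fragment in `text` as an Element.

    Candidates are located with FRAGMENT_RE and then parsed. Anything that is
    not well-formed (truncated, partially overwritten) is dropped rather than
    guessed at: what is kept is exactly what was in memory.
    """
    fragments = []
    for match in FRAGMENT_RE.finditer(text):
        if tag is not None and match.group(1) != tag:
            continue
        try:
            fragments.append(ET.fromstring(match.group(0)))
        except ET.ParseError:
            continue  # malformed fragment: skip it, never repair it
    return fragments


def build_report(text, tag=None):
    """Wrap all carved fragments in one <memory_xml> document and return it as
    a string, so any XML tool (XMLStarlet, XPath, etc.) can query it."""
    root = ET.Element("memory_xml")
    for fragment in carve_xml_fragments(text, tag):
        root.append(fragment)
    return ET.tostring(root, encoding="unicode")


def summarise_messages(report_xml):
    """Extract the per-message fields from a report built by build_report().

    Uses the constructed element names from SAMPLE_STRINGS; a real schema
    would need its own field mapping here.
    """
    root = ET.fromstring(report_xml)
    rows = []
    for msg in root.findall("message"):
        flags = msg.find("flags")
        rows.append({
            "id": msg.get("id"),
            "from": msg.findtext("from"),
            "to": msg.findtext("to"),
            "date": msg.findtext("date"),
            "read": (flags.get("read") == "1") if flags is not None else None,
            "spam": (flags.get("spam") == "1") if flags is not None else None,
        })
    return rows


if __name__ == "__main__":
    report = build_report(SAMPLE_STRINGS)
    print(report)
    for row in summarise_messages(report):
        print(row)
```

The truncated `<unclosed>` line is silently dropped rather than "fixed", which is the point of the carve-and-present approach: the output document contains only fragments that were intact in memory, and the interpretation step (summarise_messages) is kept separate so it can be rewritten for a different schema without touching the carving.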

Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis. He just re-upped on GCFA and is now cramming for GCIH re-cert.

3 Comments

Posted January 23, 2009 at 1:28 PM

johnmccash

Jeff, any idea why this doesn't work under cygwin? I get the following error:
$ ./pdymail.txt -V
Traceback (most recent call last):
File "./pdymail.txt", line 40, in
import xml.dom.ext
ImportError: No module named ext
Pdgmail works fine. I suspect I need some kind of a python extension for this, but I've got everything supplied with the cygwin distribution installed. I probably need to compile something else. Any idea what?
Thanks
John

Posted January 23, 2009 at 1:52 PM

jeffbryner

Doh, forgot to mention the dependencies! Since it outputs xml (and looks for xml in the mem dump) it needs pyxml. You can get it at http://sourceforge.net/project/showfiles.php?group_id=6473
Sorry!

Posted January 23, 2009 at 1:52 PM

johnmccash

Never mind. Downloading and installing PyXML from http://pyxml.sourceforge.net/topics/download.html did the trick.