SANS Digital Forensics and Incident Response Blog: Author - jeffbryner

pdymail: Yahoo! mail in memory

I thought GMail gave up quite a bit of information through pdgmail. Little did I know how much was in Yahoo! mail!

pdymail is the sister script to pdgmail for gathering Yahoo! email artifacts from memory.

The good thing about web 2.0 interfaces (AJAX, JSON, etc.) is that most of what they exchange is plain text, and much of it is XML, which is easy to discover in memory. Yahoo! mail classic interface artifacts are easily found on disk in the browser cache files. The new Yahoo! mail interface uses XML and, while it doesn't leave much behind on disk, it leaves tons in memory.

Like pdgmail, pdymail is a rather simple Python script, tested mostly against a pd dump of the browser process's memory. It also works against


pdgmail: new tool for gmail memory forensics

I saw John McCash's article on GMail forensics ... I was hooked and created pdgmail.

I've been messing around with the volatile toolkit for memory forensics and thought I'd try my hand at GMail memory forensics since, as John says, the GMail data isn't supposed to end up on disk anyway; maybe it's in the browser memory?

Boy is it!

I used the pd dump tool from www.trapkit.de and tested against my meager GMail account on Windows XP and 2000 with IE 6, IE 7 and Firefox 3. In all cases I was able to retrieve contact data, last login times and IP addresses, basic email headers and email bodies. Even if the browser was 'logged out' of GMail, they all still retained this

...
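Both excerpts above make the same point: webmail protocol data is text, XML or JSON, and it sits in the browser's memory long after the page is gone. The following is an added example, not pdgmail's or pdymail's code, that carves that kind of material out of a dump file with POSIX shell tools only. The dump is constructed inline (make_sample_dump) with non-printable filler around a few header, XML and JSON fragments; the fragment shapes, field names such as "lastLogin", and the carve_* function names are assumptions made for the example, not formats taken from GMail or Yahoo! mail.

```shell
#!/bin/sh
# Added example (not pdgmail/pdymail's code): carve webmail artifacts out of a
# process memory dump with nothing but POSIX shell tools. The dump here is
# constructed by make_sample_dump; in practice it would be the file written by
# the pd process-dump tool for the browser process.
export LC_ALL=C

# Filler bytes that are not printable ASCII, standing in for heap noise.
junk() {
    dd if=/dev/zero bs="$1" count=1 2>/dev/null | tr '\000' '\252'
}

# Constructed dump: noise interleaved with the kinds of fragments a webmail
# client leaves behind (RFC 2822 headers, an XML message, a JSON login record).
make_sample_dump() {
    {
        junk 512
        printf 'From: alice@example.com\r\nTo: bob@example.com\r\nSubject: meeting notes\r\n'
        junk 256
        printf '<message><from>carol@example.net</from><subject>invoice</subject></message>'
        junk 256
        printf '{"email":"dave@example.org","lastLogin":"2008-09-01 10:22:03"}'
        junk 512
    } > "$1"
}

# Portable stand-in for strings(1): every non-printable byte becomes a line
# break, then runs shorter than 6 printable bytes are dropped.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{6,}'
}

# Every e-mail address in the dump, deduplicated.
carve_addresses() {
    printable_runs "$1" | grep -E -o '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' | sort -u
}

# Header lines exactly as they sat in memory.
carve_headers() {
    printable_runs "$1" | grep -E '^(From|To|Subject|Date): '
}

# Subjects from the XML message envelope (element names are an assumption).
carve_xml_subjects() {
    printable_runs "$1" | sed -n 's#.*<subject>\([^<]*\)</subject>.*#\1#p'
}

# Last-login timestamp from the JSON session record (key name is an assumption).
carve_last_login() {
    printable_runs "$1" | sed -n 's/.*"lastLogin":"\([^"]*\)".*/\1/p'
}

# Demo on the constructed dump; point the carve_* functions at a real dump instead.
dump=$(mktemp)
make_sample_dump "$dump"
echo '== headers ==';    carve_headers "$dump"
echo '== addresses ==';  carve_addresses "$dump"
echo '== subjects ==';   carve_xml_subjects "$dump"
echo '== last login =='; carve_last_login "$dump"
rm -f "$dump"
```

The tr/grep pair is the whole trick: a dump is mostly non-printable bytes, so splitting on them leaves one candidate string per line, and the carve_* functions are then ordinary grep and sed over text. A real dump yields far more noise than this sample, so tighten the patterns (a known account name, a known Message-ID prefix) before trusting counts.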


Bring Me My Pipe

[Pipes photo courtesy of tanakawho at flickr.com: flickr.com/photos/28481088@N00/]

Often used and underappreciated, the pipe feature in unix/linux/dos has to be my favorite tool in incident response and forensics.

Need the device at /dev/sda imaged with progress indicators and an md5sum?

dd if=/dev/sda | pipebench | tee sda.dd | md5sum > sda.md5.txt
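One caveat worth making explicit: the md5sum in that pipeline hashes the bytes that left dd, not the bytes tee managed to write, so a short write or a full disk goes unnoticed unless the image is hashed again. The script below is an added example, not from the original post, that keeps the dd | tee | md5sum shape, falls back to cat when neither pipebench nor pv is installed, and re-hashes the written image. The demo uses a constructed source file; the function and variable names (image_and_hash, verify_image) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: image a source into a file while
# hashing the byte stream in flight, then re-hash the written image. The stream
# hash describes what left dd; only the second hash proves what reached disk.
# The demo source is a constructed file; substitute /dev/sda and sda.dd for a
# real acquisition.
export LC_ALL=C

# Progress meter if one is installed (pipebench as in the post, or pv);
# otherwise a transparent cat so the pipeline shape stays the same.
progress() {
    if command -v pipebench >/dev/null 2>&1; then pipebench
    elif command -v pv >/dev/null 2>&1; then pv
    else cat
    fi
}

# image_and_hash SRC DEST: copy SRC to DEST, write the stream's MD5 to DEST.md5.
# For a failing drive add conv=noerror,sync to dd (and remember that sync
# zero-pads short reads, so the image can end up larger than the device).
image_and_hash() {
    dd if="$1" bs=65536 2>/dev/null | progress | tee "$2" | md5sum | awk '{print $1}' > "$2.md5"
}

# verify_image DEST: re-hash the file on disk and compare with the stream hash.
# Returns 0 when they match, 1 otherwise (a short write by tee, a full disk or
# later tampering all show up here).
verify_image() {
    stream=$(cat "$1.md5")
    disk=$(md5sum "$1" | awk '{print $1}')
    [ "$stream" = "$disk" ]
}

# Demo on a constructed source file.
src=$(mktemp); dest=$(mktemp)
awk 'BEGIN { for (i = 0; i < 5000; i++) print "constructed sector", i }' > "$src"
image_and_hash "$src" "$dest"
if verify_image "$dest"; then
    echo "image ok: $(cat "$dest.md5")  $dest"
else
    echo "HASH MISMATCH for $dest" >&2
fi
rm -f "$src" "$dest" "$dest.md5"
```

The same hash-in-flight idea is built into dcfldd (a dd fork with hashing options); the pipeline version has the advantage of working with whatever dd is on the box. Either way, record both the stream hash and the on-disk hash in the case notes.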

Need a summary of the unique hosts from Internet Explorer's index.dat history file?

pasco index.dat | grep -v 'javascript:' | egrep -i 'ftp|http' | sort -k 4 | awk '{print $3}' | awk

...


Open Sesame

Sometimes little gems come across mailing lists. Like this little footnote announcement in Microsoft's MSDN email this week:

Open Specifications

Microsoft is providing open connections to its high-volume products - Windows Vista (including the .NET Framework), Windows Server 2008, SQL Server 2008, Office 2007, Exchange Server 2007, and Office SharePoint Server 2007. As a developer, you now have full access to information about protocols, binary file formats, and other specifications for these products that can be used to create solutions

Microsoft? Open protocols? Sure enough the