pdymail: Yahoo! mail in memory

I thought GMail gave up quite a bit of information through pdgmail. Little did I know how much was in Yahoo! mail!

pdymail is the sister script to pdgmail for gathering Yahoo! email artifacts from memory.

The good thing about Web 2.0, with its AJAX, JSON, etc. interfaces, is that most of it is text and a lot of it is XML, which is easily discoverable in memory. Yahoo! mail classic interface artifacts are easily found on the hard disk in browser cache files. The new Yahoo! mail interface uses XML, and while it doesn't leave much behind on the disk, it leaves tons in memory.

Like pdgmail, pdymail is a rather simple Python script, tested mostly against a pd dump of a process's memory. It also works against Mantech dd memory images, and pretty much any other way you can get memory and run strings against it.

The difference in Yahoo! mail is the vast amount of information that is retrievable! It's already in XML in memory, and rather than parse it and lose something precious to the investigator, pdymail simply finds the XML artifacts and presents them in an XML document.

You can use this XML document to rather easily reconstruct the contents of an inbox, including dates, senders, recipients and even the IP addresses of the host that sent the email. Flags for spam, ham, read, unread, forwarded, sender in the address book, etc., are also available per message. Note that the one thing I haven't found yet is the actual body of an email. Maybe you can? If so, send me an example and I'll revise the script.

Here's how to run it:

On the subject machine, use pd from www.trapkit.de like so:
pd -p 1234 > 1234.dump

where 1234 is the process ID of a running instance of IE, or some other browser you think might have Yahoo! mail artifacts in its memory.

Then on your analysis box do:
strings -el 1234.dump > memorystrings.txt
pdymail -f memorystrings.txt

It'll spit out an XML document that you can analyze for whatever you're looking for. In my next post I'll detail some use cases for XML parsing with XML Starlet on Linux, but for now…happy hunting!
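The pipeline above (dump the process, pull out the 16-bit little-endian strings, harvest the XML fragments into one document) reduced to its essentials, as an added example that is not pdymail's own code. The dump bytes and the `<msg>` element schema are constructed for this example and are not Yahoo! mail's real format; the point is the `strings -el` equivalent, the fragment harvesting that keeps each artifact intact, and the skipping of garbled fragments so one bad hit does not lose the rest.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample "memory dump": UTF-16LE text with three XML-like fragments
# between runs of binary noise. The <msg> schema is invented for this example
# and is NOT Yahoo! mail's real format.
SAMPLE_DUMP = (
    b"\x00\x00\x90\x90"
    + ('<msg id="1" read="0" spam="0"><from>alice@example.com</from>'
       '<ip>192.0.2.10</ip></msg>').encode("utf-16-le")
    + b"\x01\x02\x03\x04"
    + ('<msg id="2" read="1" spam="1"><from>bob@example.net</from>'
       '<ip>198.51.100.7</ip></msg>').encode("utf-16-le")
    + b"\xff\xfe"
    + '<msg id="3"><from>carol@example.org</msg>'.encode("utf-16-le")  # mismatched tag
    + b"\x00\x00" + "garbage".encode("utf-16-le") + b"\x00\x00"
)


def strings_utf16le(data: bytes, min_len: int = 4) -> list:
    """What `strings -el` does: runs of >= min_len printable UTF-16LE characters."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def harvest_xml(lines, tag="msg") -> ET.Element:
    """Wrap every well-formed <tag>...</tag> fragment under one root element,
    untouched, so nothing the investigator might need is parsed away."""
    frag = re.compile(r"<%s\b.*?</%s>" % (tag, tag), re.DOTALL)
    root = ET.Element("artifacts")
    for line in lines:
        for m in frag.finditer(line):
            try:
                root.append(ET.fromstring(m.group()))
            except ET.ParseError:
                continue  # truncated or mismatched fragment: skip it, keep the rest
    return root


def summarize(root) -> list:
    """(id, sender, sender IP, read?) per recovered message."""
    return [(m.get("id"), m.findtext("from"), m.findtext("ip"), m.get("read") == "1")
            for m in root.iter("msg")]


if __name__ == "__main__":
    doc = harvest_xml(strings_utf16le(SAMPLE_DUMP))
    print(ET.tostring(doc, encoding="unicode"))  # the combined XML document
    for row in summarize(doc):
        print(row)
```

On a real dump you would feed the output of `strings -el` in as the lines and widen the tag pattern to whatever element names the application actually leaves behind.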

Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis. He just re-upped on GCFA and is now cramming for GCIH re-cert.

3 Comments

  1. johnmccash
    Posted January 23, 2009 at 1:28 pm

    Jeff, any idea why this doesn’t work under cygwin? I get the following error:

    $ ./pdymail.txt -V
    Traceback (most recent call last):
    File "./pdymail.txt", line 40, in
    import xml.dom.ext
    ImportError: No module named ext

    Pdgmail works fine. I suspect I need some kind of a python extension for this, but I’ve got everything supplied with the cygwin distribution installed. I probably need to compile something else. Any idea what?
    Thanks
    John

  2. jeffbryner
    Posted January 23, 2009 at 1:52 pm

    Doh, forgot to mention the dependencies! Since it outputs xml (and looks for xml in the mem dump) it needs pyxml. You can get it at http://sourceforge.net/project/showfiles.php?group_id=6473

    Sorry!

  3. johnmccash
    Posted January 23, 2009 at 1:52 pm

    Never mind. Downloading and installing PyXML from http://pyxml.sourceforge.net/topics/download.html did the trick.
