At the 2008 CanSecWest conference, Tom Liston and I released a prototype “memory sniffer” called “memsniff”. Our ultimate goal was to create a program that produces output similar to dsniff: it searches memory and prints out likely passwords and other interesting data.
This prototype memory sniffer is designed to find data in live memory or in a memory dump. It consists of two programs. The first outputs the hex bytes before and/or after known interesting data, to assist with developing signatures that are then collected into a catalog. The second program finds data in memory based on those predetermined signatures.
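The two-program workflow described above, as an added example that is not memsniff's own code: a small Python script whose first function shows the bytes around a value the analyst already knows is present (signature development), whose helper derives the byte pattern those contexts share, and whose last function scans an image for anything matching such a signature (recovery from the catalog). The memory image and its USR/SRV/PWD record layout are constructed for this example and are not the layout of any real application.

```python
"""Added example, not part of memsniff: a minimal version of the two-step
workflow described above.

Step 1 (signature development): given an image and a value the analyst already
knows is present, show the raw bytes before and after every occurrence so that
a stable byte pattern around it can be chosen. A helper derives the longest
suffix shared by all "before" contexts, which is a natural signature candidate.

Step 2 (recovery): scan an image for values that sit between a signature prefix
and a terminator, i.e. the "catalog lookup" side of the tool.

The record layout (USR/SRV/PWD tags, NUL-terminated strings) and the image bytes
are constructed for this example and do not describe any real application.
"""

# Constructed memory image: two account records separated by unrelated data.
SAMPLE_IMAGE = (
    b"\x00" * 32                                   # unused, zeroed heap
    + b"USR\x00alice@example.test\x00"
    + b"SRV\x00mail.example.test\x00"
    + b"PWD\x00hunter2\x00"
    + b"\x41" * 40                                 # unrelated buffer
    + b"USR\x00bob@other.example\x00"
    + b"SRV\x00smtp.other.example\x00"
    + b"PWD\x00correct horse\x00"
    + b"\x00" * 16
)


def hexdump(data: bytes) -> str:
    """Render bytes as space-separated hex, the way a signature is written down."""
    return " ".join(f"{b:02x}" for b in data)


def context_around(image: bytes, known: bytes, before: int = 16, after: int = 16) -> list:
    """Step 1: every occurrence of `known` with the raw bytes around it."""
    hits = []
    idx = image.find(known)
    while idx != -1:
        hits.append({
            "offset": idx,
            "before": image[max(0, idx - before):idx],
            "after": image[idx + len(known):idx + len(known) + after],
        })
        idx = image.find(known, idx + 1)
    return hits


def common_suffix(chunks: list) -> bytes:
    """Longest byte string that all chunks end with (signature candidate)."""
    if not chunks:
        return b""
    n = 0
    shortest = min(len(c) for c in chunks)
    while n < shortest and all(c[-(n + 1)] == chunks[0][-(n + 1)] for c in chunks):
        n += 1
    return chunks[0][len(chunks[0]) - n:]


def find_by_signature(image: bytes, prefix: bytes, terminator: bytes, max_len: int = 64) -> list:
    """Step 2: values that follow `prefix` and end at `terminator` within max_len bytes.

    Returns (offset, value) pairs. Occurrences of the prefix with no terminator in
    range, or with an empty value, are skipped rather than reported as hits.
    """
    found = []
    idx = image.find(prefix)
    while idx != -1:
        start = idx + len(prefix)
        end = image.find(terminator, start, start + max_len + len(terminator))
        if end > start:
            found.append((start, image[start:end]))
        idx = image.find(prefix, idx + 1)
    return found


if __name__ == "__main__":
    # Step 1: the analyst knows which two passwords were typed into the test box.
    befores = []
    for known in (b"hunter2", b"correct horse"):
        for hit in context_around(SAMPLE_IMAGE, known):
            print(f"{hit['offset']:08x}  {hexdump(hit['before'])} | {known!r} | {hexdump(hit['after'])}")
            befores.append(hit["before"])
    signature = common_suffix(befores)
    print("signature candidate:", hexdump(signature))  # 00 50 57 44 00, i.e. b"\x00PWD\x00"

    # Step 2: apply the catalogued signature to the image
    # (a dump file would be loaded with open(path, "rb").read()).
    for offset, value in find_by_signature(SAMPLE_IMAGE, signature, b"\x00"):
        print(f"{offset:08x}  {value!r}")
```

Two choices are worth noting for anyone building a real catalog this way. Signatures are derived from several independent occurrences rather than one, so bytes that merely happened to sit next to the value once (here, the tail of the server name) drop out and only the stable tag remains. And the recovery side bounds the value length and requires the terminator to be present, so a signature that also appears in unrelated data yields nothing instead of a long run of garbage; when reviewing what an application leaves recoverable in memory, false positives are as costly as misses.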
During the conference, we released a challenge and demonstrated a signature for Microsoft Outlook Express 6 that consistently locates the email username, mail server and password in memory.
This research was inspired by the “cold boot” paper released by Princeton, the EFF and Wind River, which showed that memory is not as volatile as commonly assumed: the researchers demonstrated that it is possible to reboot a system and still recover data from memory, even after a few seconds without power.
Our work has been focused on creating practical tools which penetration testers can use to quickly recover passwords from memory.
Check out our Sourceforge project!