The Random Access Memory (RAM) is where system components, applications and other data is kept, while the computer is working with it. It is placed there often in clear text for fast access, but there is a security risk involved in this, which is often ignored. In this tutorial, we’ll try dumping the content of the memory to the hard drive and find username and password information stored in the file.
Start by logging in to your email, Microsoft account or whatever, to make sure that the information is placed in the memory. You can log out, close your browser afterwards – doesn’t matter.
Now we need to dump the memory to the hard drive. For this, we need the tool DumpIt from MoonSol. It’s a single executable file which will take a snapshoot of the host’s physical memory and save it to the folder where the program is placed. Note that if your computer has 8GB of memory then a memory dump file from your machine will be 8GB in size as well, so make sure to run the program from a location with some free space.
1. Download MoonSols DumpIt
2. Unzip the zip file and run dumpIt.exe
3. Press y when prompted
Ones the program is finished writing the memory to the file you can close the program. The will be a file created called .raw Now it’s time to have a look at this file. This can be done with any Hex Editor, but I prefer WinHex.
4. Open the .raw file with WinHex
5. Press the Simultaneous Search button in the toolbar
The dialog box Simultaneous Search opens.
6. Type the search term passwd
7. Check the checkbox List search hits
8. Press the OK bottom
The dialog box Simultaneous Search closes. The search is performed, when finished the dialog box Search complete results opens and show the total results of the search.
9. Click the OK bottom
The dialog box Search complete closes. Go through the search results until you find the one that contains the username and password used.
After writhing this tutorial I played around with the file a bit. Turns out using grep from a shell works quite god a well. Ea. strings BUUJA-3DD02732A-20130327-133508.raw | grep ‘passwd’