I thought Gmail gave up quite a bit of information through pdgmail. Little did I know how much was in Yahoo! mail!
pdymail is the sister script to pdgmail for gathering Yahoo! email artifacts from memory.
The good thing about Web 2.0 with its AJAX, JSON, etc., interfaces is that most of it is text and much of it is XML, which is easy to discover in memory. Yahoo! mail classic interface artifacts are easily found on the hard disk in browser cache files. The new Yahoo! mail interface uses XML and while it doesn't leave much behind on the disk, it leaves tons in memory.
Like pdgmail, pdymail is a rather simple Python script tested mostly against a pd dump of a process in memory. It also works against Mantech dd memory images, and pretty much any other way you can get memory and run strings against it.
The difference in Yahoo! mail is the vast amount of information that is retrievable! It's already in XML in memory, and rather than parse it and lose something precious to the investigator, pdymail simply finds the XML artifacts and presents them verbatim inside a single XML document.
You can use this XML document to rather easily reconstruct the contents of an inbox including dates, senders, recipients and even the IP address of the host that sent the email. Flags for spam, ham, read, unread, forwarded, sender in the address book, etc., are also available per message. Note that the one thing I haven't found yet is the actual body of an email. Maybe you can? If so send me an example and I'll revise the script.
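To make the carving step concrete, here is an added example (not pdymail itself, and not Yahoo!'s schema) that does the same kind of thing on a strings dump: pull out every run that looks like a complete XML element, wrap the raw runs in one root element so nothing is lost, and only then try to parse each one separately so a truncated or non-well-formed fragment is reported rather than silently dropped or allowed to break the whole document. The input and the element/attribute names (msg, flags, subj, ip) are constructed for this example.

```python
"""Carve XML fragments out of a `strings` dump (added example, not pdymail)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for `strings -el` output: XML fragments
# (made-up element and attribute names, NOT Yahoo!'s real schema) mixed
# with unrelated strings, one fragment cut off at a page boundary, and
# one with an unescaped ampersand that is not well-formed XML.
SAMPLE_STRINGS = """kernel32.dll
<msg id="1" from="alice@example.com" to="bob@example.com" date="2008-11-01T10:15:00Z" ip="192.0.2.10"><flags read="1" spam="0"/><subj>lunch?</subj></msg>
MSCTF.dll
<msg id="2" from="carol@example.net" to="bob@example.com" date="2008-11-02T08:00:00Z" ip="198.51.100.7"><flags read="0" spam="1"/><subj>WIN BIG</subj></msg>
<msg id="3" from="dave@example.org" to="bob@example.com" date="2008-11-03T09
<subj>Tom & Jerry</subj>
GDI32.dll
"""

# An opening tag, then the shortest run up to its matching closing tag,
# all on one line (strings emits one printable run per line).
FRAGMENT_RE = re.compile(r"<([A-Za-z_][\w.-]*)(?:\s[^>\n]*)?>.*?</\1>")


def carve_fragments(text):
    """Return every <tag ...>...</tag> run found in the strings output, verbatim."""
    return [m.group(0) for m in FRAGMENT_RE.finditer(text)]


def build_document(fragments, root="artifacts"):
    """Wrap the raw fragments in a root element without re-serialising them,
    so everything the carve step found is kept even if it is not well-formed."""
    body = "\n".join("  " + f for f in fragments)
    return f"<{root}>\n{body}\n</{root}>\n"


def parse_fragments(fragments):
    """Parse each fragment on its own; return (parsed_elements, rejected_raw)."""
    elements, rejected = [], []
    for frag in fragments:
        try:
            elements.append(ET.fromstring(frag))
        except ET.ParseError:
            rejected.append(frag)
    return elements, rejected


def summarize(elements):
    """One dict per top-level element: its attributes plus each child's
    attributes (as child.attr) and text (as child)."""
    rows = []
    for el in elements:
        row = {"tag": el.tag, **el.attrib}
        for child in el:
            for key, value in child.attrib.items():
                row[f"{child.tag}.{key}"] = value
            if child.text and child.text.strip():
                row[child.tag] = child.text.strip()
        rows.append(row)
    return rows


if __name__ == "__main__":
    frags = carve_fragments(SAMPLE_STRINGS)
    print(build_document(frags))
    ok, bad = parse_fragments(frags)
    for row in summarize(ok):
        print(row)
    print(f"{len(ok)} well-formed fragment(s), {len(bad)} rejected: {bad}")
```

Run it on a real strings file by replacing SAMPLE_STRINGS with the file's contents. The separation matters in practice: the wrapped document keeps the raw evidence, while the per-fragment parse is what you feed a summary or an XML tool, and the rejected list tells you which runs were cut off at a page boundary or contain characters a strict parser will not accept.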
Here's how to run it:
On the subject machine, use pd from www.trapkit.de like so:
pd -p 1234 > 1234.dump
where 1234 is the process ID of a running instance of IE, or some other browser you think might have Yahoo! mail artifacts in its memory.
Then on your analysis box do:
strings -el 1234.dump > memorystrings.txt
pdymail -f memorystrings.txt
The -el option tells GNU strings to extract 16-bit little-endian (UTF-16LE) strings, which is how a Windows browser process usually holds its text in memory. If you also want plain 8-bit strings from the same dump, run strings a second time without -e and append that output to memorystrings.txt before running pdymail.
pdymail will spit out an XML document that you can analyze for whatever you're looking for. In my next post I'll detail some use cases for parsing that XML with XMLStarlet on Linux, but for now...happy hunting!
Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis. He just re-upped on GCFA and is now cramming for GCIH re-cert.