Retrieving Passwords from Memory Dumps


Dulal Kar, Ph.D.

Associate Professor of Computer Science, Texas A&M University Corpus Christi

dulal.kar@tamucc.edu


Randy R. DeLeon

Computer Science Graduate, Texas A&M University Corpus Christi

rdeleon21@stx.rr.com


Steven J. Mariani Jr.

Computer Science Undergraduate, Texas A&M University Corpus Christi

smariani@islander.tamucc.edu


Abstract

The password-based user authentication mechanism is widely used to gain access to various services available on the Internet. In this work, we report how to obtain passwords from memory dumps of popular Internet or network applications such as Internet Explorer, Mozilla Firefox, SSH Secure Shell Client, and Microsoft Outlook Express. It may not be easy to recover a password from an encrypted password file or from an encrypted communication message containing a password. However, we find that it is relatively easy to obtain a password from the memory dump of such applications. In most cases, a password in memory is held in clear text form next to, or in close proximity of, the user name (user ID). In some cases, we observe multiple occurrences of the same user ID and password in clear text form in the application's memory dump. Even in the case where a password cannot be found in close proximity of the corresponding user ID, we show that a systematic approach, such as focusing on runs of consecutive printable ASCII characters of a certain length and on their combinations and features, narrows the search down to a small set of words. This information is evidently useful for a digital forensic professional. However, as far as a user's security is concerned, the work also exposes weaknesses of the applications in password handling, which can be exploited by a hacker.
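The proximity, run-length and character-class heuristic described in the abstract, written up as an added example (this is not the paper's own tool). It is intended as an audit check: a developer who captures a dump of their own application after login can use `leaks_secret` to confirm whether the credential survives in clear text, and `candidates_near` to see how small the candidate set becomes once runs of printable ASCII near the user ID are ranked by mixed character classes. The dump bytes and the function names are constructed for this example.

```python
import re
import string

# Constructed fragment of an application's memory image: the user name and
# the password sit in clear text a few bytes apart, as the abstract describes.
SAMPLE_DUMP = (
    b"\x00\x00\x10\x1f" + b"HTTP/1.1 200 OK" + b"\x00\x00"
    + b"username=alice" + b"\x00" * 5 + b"passwd=Tr0ub4dor&3" + b"\x00" * 3
    + b"\xff\xfe\x01\x02" + b"Content-Type: text/html" + b"\x00"
)

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def ascii_runs(dump, min_len=6):
    """Yield (offset, run) for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(dump):
        yield m.start(), m.group()


def char_classes(run):
    """Number of distinct character classes (lower, upper, digit, punct) in a run."""
    text = run.decode("ascii")
    return sum(any(c in cls for c in text) for cls in CLASSES)


def candidates_near(dump, user_id, window=256, min_len=6):
    """Printable runs within `window` bytes of each occurrence of user_id,
    excluding the run that holds the user id itself, ranked by how many
    character classes they mix (more classes first, then by offset)."""
    found = set()
    for m in re.finditer(re.escape(user_id), dump):
        lo = max(0, m.start() - window)
        hi = min(len(dump), m.end() + window)
        for off, run in ascii_runs(dump[lo:hi], min_len):
            if user_id not in run:
                found.add((lo + off, run.decode("ascii"), char_classes(run)))
    return sorted(found, key=lambda t: (-t[2], t[0]))


def leaks_secret(dump, secret):
    """Audit check: offsets at which the known secret appears in clear text."""
    return [m.start() for m in re.finditer(re.escape(secret), dump)]


if __name__ == "__main__":
    print(leaks_secret(SAMPLE_DUMP, b"Tr0ub4dor&3"))
    for offset, run, n in candidates_near(SAMPLE_DUMP, b"alice"):
        print(f"{offset:6d}  classes={n}  {run}")
```

An empty result from `leaks_secret` after the application has finished with the credential is the behaviour the abstract finds missing in the applications it examined.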