MDD also known as Memory Dump by ManTech is a forensic software tool used to take a snapshot or an image of a computer's memory. Nowadays with increasing loopholes in a system, software memory leaks have become common, programmers forget to deallocate dynamic memory or ensure that sensitive data is not left behind when a software exists. Since movement of data to and fro a regular memory is very high it becomes very difficult to store and map an accurate description of it. Fortunately MDD is a tool which is able to create a somewhat stable image. Tools such as MDD have very interesting applications.You will be amazed to see the amount of information which can be extracted from a memory dump.
You can download MDD from this link. To run MDD open cmd in Windows and using administrator privileges and type the command
mdd.exe -o
Please make sure that your drive has sufficient drive space. Right now I will treat this 'dump' as a normal text file and therefore to read the output file you need a special kind of a text editor since normal text editors such as notepad/++ simply refuse to open such large files. I searched on the net and found LTF(large text file) viewer 5.2 which claims to open huge files within seconds. The memory dump, you will find, is full of interesting stuff. Although most of the file will appear as gibberish words there will be lines in clear ascii and you will be amazed to see the contents. I have provided a screenshot of my PCs memory dump.
Unfortunately searching is very slow in LTF and therefore I had to resort to good ol' cmd and command line interface to search. Use the find utility to search for keywords.
find "[string]" [filename]
You will be amazed to see the amount of information available in the output file..
Hint: Try searching for some interesting words like password, username or your name.
Infact Putty has a small vulnerability which can be exploited using this tool. More about it in some future article.
Installing and running MDD:
You can download MDD from this link. To run MDD open cmd in Windows and using administrator privileges and type the command
mdd.exe -o
Please make sure that your drive has sufficient drive space. Right now I will treat this 'dump' as a normal text file and therefore to read the output file you need a special kind of a text editor since normal text editors such as notepad/++ simply refuse to open such large files. I searched on the net and found LTF(large text file) viewer 5.2 which claims to open huge files within seconds. The memory dump, you will find, is full of interesting stuff. Although most of the file will appear as gibberish words there will be lines in clear ascii and you will be amazed to see the contents. I have provided a screenshot of my PCs memory dump.
Unfortunately searching is very slow in LTF and therefore I had to resort to good ol' cmd and command line interface to search. Use the find utility to search for keywords.
Usage:
find "[string]" [filename]
You will be amazed to see the amount of information available in the output file..
Hint: Try searching for some interesting words like password, username or your name.
Infact Putty has a small vulnerability which can be exploited using this tool. More about it in some future article.