Recover a (forgotten) password in a process memory

Today, I managed to forget a password but I had an Icedove (Thunderbird) process running containing the password.

The first thing to do is to take a core dump of the process:

# I don't want other people to read my core dump:
umask 077

# I don't want my core dump to be written on disk, let's go on a tmpfs:
cd /tmp

# gcore writes the dump to core.<PID>:
gcore -o core $(pgrep icedove)

The basic idea is to use strings to extract all the strings in the core dump and filter out as many entries as possible: you start with strings core | uniq | less and add filters to the pipeline to remove as many entries as possible.

I ended up with something similar to this:

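strings core.2169 |
# Remove some useless stuff:
grep -v ZZZ | grep -v /usr | grep -v /lib | grep -v /bin |
# Add constraints on the characters used in the password
# (patterns are quoted so the shell does not expand them as globs):
grep '[0-9]' | grep '[a-z]' | grep '[A-Z]' |
# Add constraints on the length of the password:
grep -Ev '.{20}' | grep -E '.{5}' |
# Let's look at what is left (uniq only drops adjacent duplicates,
# so the strings stay in the order they appear in the dump):
uniq | less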

There were still more than 36000 entries, but I searched for a password that I remembered and the forgotten password was a few lines away from it. 😊

Don't forget to remove (or shred) the core file:

rm core.2169
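
The dump-handling steps above (private permissions, tmpfs, removal) wrapped into shell functions that check their assumptions, as an added example that is not part of the original post. The function names are hypothetical, and it assumes Linux with GNU stat and that gcore -o PREFIX writes PREFIX.PID.

```sh
#!/bin/sh
# Added example: function names are hypothetical. Assumes Linux with GNU stat.

# Succeed only if DIR is on a RAM-backed tmpfs. Many systems mount /tmp on
# disk, so check instead of assuming. (tmpfs pages can still reach swap.)
is_tmpfs() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# Succeed only if FILE grants nothing to group or others (mode ends in 00).
is_private() {
    case "$(stat -c %a "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Create a directory under BASE that only the owner can enter; print its path.
private_workdir() {
    mktemp -d "${1:-/tmp}/coredump.XXXXXX"   # mktemp -d creates it mode 0700
}

# Dump process PID under BASE (default /tmp) and print the core file path.
# Refuses to run if BASE is not tmpfs; gcore -o PREFIX writes PREFIX.PID.
dump_private() {
    dp_pid=$1
    dp_base=${2:-/tmp}
    is_tmpfs "$dp_base" || { echo "$dp_base is not a tmpfs" >&2; return 1; }
    dp_dir=$(private_workdir "$dp_base") || return 1
    if ( umask 077 && gcore -o "$dp_dir/core" "$dp_pid" >/dev/null ) &&
       is_private "$dp_dir/core.$dp_pid"; then
        echo "$dp_dir/core.$dp_pid"
    else
        rm -rf "$dp_dir"
        return 1
    fi
}

# Usage (not run here):
#   core=$(dump_private "$(pgrep -o icedove)") && strings "$core" | less
#   rm -rf "$(dirname "$core")"
```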