PassDetective

Overview

PassDetective is a forensic analysis tool designed to extract sensitive information from memory dumps. It scans raw memory files for patterns matching credentials, API keys, encryption keys, and other sensitive strings. Used in authorized penetration testing and incident response, PassDetective helps identify potential credential leakage in compromised systems.

Key Capabilities:

Extract plaintext passwords from memory
Identify encryption keys and tokens
Search for sensitive patterns (credit cards, API keys)
Support multiple memory dump formats
Cross-platform memory analysis
Batch processing of multiple dumps

Installation

Linux/macOS

# Clone repository
git clone https://github.com/sec-tools/passdetective.git
cd passdetective

# Install dependencies
pip install -r requirements.txt

# Or compile from source
make
sudo make install

Windows

# Download binary from releases
https://github.com/sec-tools/passdetective/releases

# Or build from source
git clone https://github.com/sec-tools/passdetective.git
cd passdetective
pip install -r requirements.txt
python setup.py install

Homebrew (macOS)

brew tap sec-tools/tools
brew install passdetective

Basic Usage

Simple Memory Dump Analysis

# Analyze a memory dump file
passdetective memory.dump

# Scan specific memory region
passdetective memory.dump --start 0x00400000 --end 0x00500000

# Save results to file
passdetective memory.dump --output results.txt

Memory Extraction Commands

Command	Purpose
`passdetective dump.bin`	Basic memory scan for sensitive strings
`passdetective dump.bin -v`	Verbose output with memory addresses
`passdetective dump.bin --json`	Output in JSON format
`passdetective dump.bin -p passwords.dict`	Use custom pattern dictionary
`passdetective dump.bin --hex`	Display hexadecimal output

Pattern Recognition

Built-in Pattern Types

# Scan for specific pattern types
passdetective memory.dump --patterns passwords

passdetective memory.dump --patterns keys

passdetective memory.dump --patterns all

Custom Pattern Definitions

# Create custom pattern file (patterns.yaml)
---
password:
  - regex: 'password[=:]\s*["'\'']?([^"'\''\s]+)'
    description: "Password assignments"
  - regex: 'pwd[=:]\s*["'\'']?([^"'\''\s]+)'
    description: "pwd field matches"

api_key:
  - regex: 'api[_-]?key[=:]\s*["'\'']?([a-zA-Z0-9]{32,})'
    description: "API key patterns"

credentials:
  - regex: '(?:[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}):([^\s]+)'
    description: "Email:password pairs"

# Run with custom patterns
passdetective memory.dump -p patterns.yaml

Pattern Matching Examples

# Search for credential pairs
passdetective memory.dump --pattern-type credentials

# Extract Windows NTLM hashes
passdetective memory.dump --pattern-type ntlm

# Find SSL/TLS certificates
passdetective memory.dump --pattern-type certificates

# Search for database connection strings
passdetective memory.dump --pattern-type connections

Advanced Analysis

# Reduce false positives with entropy filter
passdetective memory.dump --entropy 4.0

# Filter by minimum pattern length
passdetective memory.dump --min-length 12

# Exclude common false positives
passdetective memory.dump --exclude-common

# Case-sensitive matching
passdetective memory.dump --case-sensitive

Memory Region Analysis

# Scan only heap memory
passdetective memory.dump --regions heap

# Scan only stack memory
passdetective memory.dump --regions stack

# Scan executable regions only
passdetective memory.dump --regions executable

# Scan all regions
passdetective memory.dump --regions all

Process-Specific Dumps

# Analyze specific process memory dump
passdetective -p chrome memory.dump

# Search for browser-related credentials
passdetective memory.dump --process-type browser

# Database process memory
passdetective memory.dump --process-type database

# Search for running service credentials
passdetective memory.dump --service-credentials

Output Formats

Standard Text Output

passdetective memory.dump --output results.txt --format text

Sample output:

[PASSWORD] @ 0x00123456: admin123
[API_KEY] @ 0x00234567: sk_live_abc123def456
[EMAIL_PASSWORD] @ 0x00345678: user@example.com:SecurePass123
[ENCRYPTION_KEY] @ 0x00456789: 256-bit key detected
[DATABASE_STRING] @ 0x00567890: Server=db.internal;User=sa;Password=DBA_Pass

JSON Output

passdetective memory.dump --output results.json --format json

Sample output:

{
  "scan_results": [
    {
      "type": "PASSWORD",
      "value": "admin123",
      "address": "0x00123456",
      "entropy": 3.87
    },
    {
      "type": "API_KEY",
      "value": "sk_live_abc123def456",
      "address": "0x00234567",
      "entropy": 4.92
    }
  ],
  "statistics": {
    "total_findings": 42,
    "high_confidence": 18
  }
}

CSV Export

passdetective memory.dump --output results.csv --format csv

Batch Processing

Process Multiple Dumps

# Batch analysis with glob pattern
passdetective "dumps/*.bin" --output batch_results.txt

# Process directory recursively
passdetective ./memory_dumps --recursive --output all_results.txt

# Process with parallel threads
passdetective dumps/*.bin --threads 4 --output results.txt

Batch Configuration

# batch_config.yaml
dumps:
  - path: "./process1.dump"
    process_type: apache
  - path: "./process2.dump"
    process_type: mysql
  - path: "./process3.dump"
    process_type: sshd

output:
  format: json
  file: results.json
  include_stats: true

options:
  entropy_threshold: 3.5
  min_length: 8
  threads: 4

Run batch:

passdetective --batch batch_config.yaml

Forensic Workflow

Memory Capture to Analysis

# 1. Capture process memory (Linux)
gdb -p <PID>
(gdb) generate-core-file
(gdb) quit

# 2. Extract with PassDetective
passdetective core.<PID> -v --output analysis.txt

# 3. Post-process results
grep -E '(PASSWORD|API_KEY|CERTIFICATE)' analysis.txt > sensitive.txt

# 4. Generate forensic report
passdetective core.<PID> --json --output forensic_report.json

Windows Memory Analysis

# 1. Capture memory with Dumpit
Dumpit.exe /y

# 2. Analyze with PassDetective
passdetective DumpIt.raw --json --output findings.json

# 3. Filter high-confidence findings
passdetective DumpIt.raw --confidence 0.95

Performance Optimization

Large Dump Processing

# Process in chunks
passdetective memory.dump --chunk-size 100MB

# Use memory mapping for huge files
passdetective memory.dump --mmap

# Parallel scanning threads
passdetective memory.dump --threads 8

Resource Monitoring

# Limit memory usage
passdetective memory.dump --max-memory 2GB

# Progress indicator
passdetective memory.dump --progress

# Detailed timing
passdetective memory.dump --timing

Comparison with Similar Tools

Feature	PassDetective	strings	Volatility
Pattern Matching	Advanced regex	Basic	Plugins
Credentials	Yes	Limited	Plugin-dependent
Performance	Optimized	Fast	Variable
Cross-platform	Yes	Yes	Python-based
Custom Patterns	Yes	No	Yes

Troubleshooting

Common Issues

High false positives:

# Use entropy filtering
passdetective memory.dump --entropy 4.0 --min-length 12

Slow processing:

# Enable parallel processing
passdetective memory.dump --threads $(nproc)

Out of memory:

# Process in chunks
passdetective memory.dump --chunk-size 50MB --mmap

Validation

# Verify results
passdetective memory.dump --validate

# Compare against known credentials
passdetective memory.dump --dictionary creds.txt --verify

Security Considerations

Safe Handling

Store memory dumps securely (encrypted storage)
Limit result file access to authorized personnel
Use strong encryption for output files
Document chain of custody
Sanitize results before sharing

Report Generation

# Generate sanitized report (removes values)
passdetective memory.dump --sanitize-output --json > report.json

# Generate with annotations only
passdetective memory.dump --metadata-only > summary.txt

Integration Examples

Python Integration

from passdetective import MemoryAnalyzer

analyzer = MemoryAnalyzer()
results = analyzer.scan_dump('memory.bin')

for finding in results:
    print(f"{finding.type}: {finding.value} @ {finding.address}")

Automation Script

#!/bin/bash
# Automated forensic analysis

DUMP_DIR="/evidence/memory_dumps"
OUTPUT_DIR="/analysis/results"

for dump in $DUMP_DIR/*.bin; do
    echo "Analyzing: $dump"
    passdetective "$dump" \
        --json \
        --entropy 3.8 \
        --output "$OUTPUT_DIR/$(basename $dump).json"
done

Legal and Ethical Use

PassDetective is a legitimate forensic tool for:

Authorized penetration testing
Incident response investigations
Compliance audits
Security research (with consent)
Malware analysis in sandbox environments

Always obtain proper authorization before analyzing any system or memory dumps.