# PassDetective

## Overview

PassDetective is a forensic analysis tool designed to extract sensitive information from memory dumps. It scans raw memory files for patterns matching credentials, API keys, encryption keys, and other sensitive strings. Used in authorized penetration testing and incident response, PassDetective helps identify potential credential leakage in compromised systems.
Key Capabilities:
- Extract plaintext passwords from memory
- Identify encryption keys and tokens
- Search for sensitive patterns (credit cards, API keys)
- Support multiple memory dump formats
- Cross-platform memory analysis
- Batch processing of multiple dumps
## Installation

### Linux/macOS

```bash
# Clone repository
git clone https://github.com/sec-tools/passdetective.git
cd passdetective

# Install dependencies
pip install -r requirements.txt

# Or compile from source
make
sudo make install
```
### Windows

Download a binary from the releases page (https://github.com/sec-tools/passdetective/releases), or build from source:

```bash
git clone https://github.com/sec-tools/passdetective.git
cd passdetective
pip install -r requirements.txt
python setup.py install
```
### Homebrew (macOS)

```bash
brew tap sec-tools/tools
brew install passdetective
```
## Basic Usage

### Simple Memory Dump Analysis

```bash
# Analyze a memory dump file
passdetective memory.dump

# Scan specific memory region
passdetective memory.dump --start 0x00400000 --end 0x00500000

# Save results to file
passdetective memory.dump --output results.txt
```
### Memory Extraction Commands

| Command | Purpose |
|---|---|
| `passdetective dump.bin` | Basic memory scan for sensitive strings |
| `passdetective dump.bin -v` | Verbose output with memory addresses |
| `passdetective dump.bin --json` | Output in JSON format |
| `passdetective dump.bin -p passwords.dict` | Use custom pattern dictionary |
| `passdetective dump.bin --hex` | Display hexadecimal output |
## Pattern Recognition

### Built-in Pattern Types

```bash
# Scan for specific pattern types
passdetective memory.dump --patterns passwords
passdetective memory.dump --patterns keys
passdetective memory.dump --patterns all
```
### Custom Pattern Definitions

Create a custom pattern file (patterns.yaml). Each pattern type holds a list of regexes with a capture group for the value; note that a literal single quote inside a YAML single-quoted scalar is written as `''`, not with shell-style `'\''` escaping:

```yaml
---
password:
  - regex: 'password[=:]\s*["'']?([^"''\s]+)'
    description: "Password assignments"
  - regex: 'pwd[=:]\s*["'']?([^"''\s]+)'
    description: "pwd field matches"
api_key:
  - regex: 'api[_-]?key[=:]\s*["'']?([a-zA-Z0-9]{32,})'
    description: "API key patterns"
credentials:
  - regex: '(?:[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}):([^\s]+)'
    description: "Email:password pairs"
```

```bash
# Run with custom patterns
passdetective memory.dump -p patterns.yaml
```
### Pattern Matching Examples

```bash
# Search for credential pairs
passdetective memory.dump --pattern-type credentials

# Extract Windows NTLM hashes
passdetective memory.dump --pattern-type ntlm

# Find SSL/TLS certificates
passdetective memory.dump --pattern-type certificates

# Search for database connection strings
passdetective memory.dump --pattern-type connections
```
## Advanced Analysis

### Filtering and Refinement

```bash
# Reduce false positives with entropy filter
passdetective memory.dump --entropy 4.0

# Filter by minimum pattern length
passdetective memory.dump --min-length 12

# Exclude common false positives
passdetective memory.dump --exclude-common

# Case-sensitive matching
passdetective memory.dump --case-sensitive
```
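To make concrete what the entropy and minimum-length filters do to the matches a pattern file like the one under Custom Pattern Definitions produces, here is an added example (not PassDetective's own code): a byte-level regex scan over a constructed buffer standing in for a raw dump, followed by a Shannon-entropy and length filter. The buffer contents, the helper names and the exact scoring are assumptions; the pattern shapes are adapted from the patterns.yaml example above.

```python
import math
import re

# Constructed stand-in for a raw dump: NUL-separated fragments, as a heap might hold them.
SAMPLE_DUMP = (
    b"\x00\x00GET /login HTTP/1.1\r\n\x00password=admin123\x00\x00"
    b'api_key="9f8e7d6c5b4a39281706f5e4d3c2b1a0"\x00'
    b"pwd='hunter2'\x00password=aaaaaaaaaaaa\x00user=alice\x00"
)

# Byte regexes adapted from the patterns.yaml example so they run over raw dump bytes;
# NUL is excluded from the captured value because it terminates strings in memory.
PATTERNS = {
    "PASSWORD": re.compile(rb"(?:password|pwd)[=:]\s*[\"']?([^\"'\s\x00]+)"),
    "API_KEY": re.compile(rb"api[_-]?key[=:]\s*[\"']?([a-zA-Z0-9]{32,})"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a repeated byte, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(buf: bytes, entropy: float = 0.0, min_length: int = 0) -> list:
    """Mimics '--entropy N --min-length N': a match survives only if its captured value
    meets both thresholds. The filter drops padding like 'aaaa...' but also drops short
    human-chosen passwords, which is the trade-off to expect when raising --entropy."""
    findings = []
    for ptype, rx in PATTERNS.items():
        for m in rx.finditer(buf):
            value = m.group(1)
            ent = shannon_entropy(value)
            if len(value) < min_length or ent < entropy:
                continue
            findings.append({
                "type": ptype,
                "value": value.decode("ascii", "replace"),
                "address": f"0x{m.start(1):08x}",  # offset of the value within the dump
                "entropy": round(ent, 2),
            })
    findings.sort(key=lambda f: f["address"])  # dump order, like the -v listing
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DUMP, entropy=3.5, min_length=12):
        print(f"[{f['type']}] @ {f['address']}: {f['value']}")
```

With the thresholds from the troubleshooting section applied, only the 32-character hex key survives; the two real-looking passwords are filtered out along with the padding, which is why a high entropy threshold should be paired with a second, unfiltered pass.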
### Memory Region Analysis

```bash
# Scan only heap memory
passdetective memory.dump --regions heap

# Scan only stack memory
passdetective memory.dump --regions stack

# Scan executable regions only
passdetective memory.dump --regions executable

# Scan all regions
passdetective memory.dump --regions all
```
### Process-Specific Dumps

```bash
# Analyze specific process memory dump
passdetective -p chrome memory.dump

# Search for browser-related credentials
passdetective memory.dump --process-type browser

# Database process memory
passdetective memory.dump --process-type database

# Search for running service credentials
passdetective memory.dump --service-credentials
```
## Output Formats

### Standard Text Output

```bash
passdetective memory.dump --output results.txt --format text
```

Sample output:

```text
[PASSWORD] @ 0x00123456: admin123
[API_KEY] @ 0x00234567: sk_live_abc123def456
[EMAIL_PASSWORD] @ 0x00345678: user@example.com:SecurePass123
[ENCRYPTION_KEY] @ 0x00456789: 256-bit key detected
[DATABASE_STRING] @ 0x00567890: Server=db.internal;User=sa;Password=DBA_Pass
```
### JSON Output

```bash
passdetective memory.dump --output results.json --format json
```

Sample output:

```json
{
  "scan_results": [
    {
      "type": "PASSWORD",
      "value": "admin123",
      "address": "0x00123456",
      "entropy": 3.87
    },
    {
      "type": "API_KEY",
      "value": "sk_live_abc123def456",
      "address": "0x00234567",
      "entropy": 4.92
    }
  ],
  "statistics": {
    "total_findings": 42,
    "high_confidence": 18
  }
}
```
### CSV Export

```bash
passdetective memory.dump --output results.csv --format csv
```
## Batch Processing

### Process Multiple Dumps

```bash
# Batch analysis with glob pattern
passdetective "dumps/*.bin" --output batch_results.txt

# Process directory recursively
passdetective ./memory_dumps --recursive --output all_results.txt

# Process with parallel threads
passdetective dumps/*.bin --threads 4 --output results.txt
```
### Batch Configuration

```yaml
# batch_config.yaml
dumps:
  - path: "./process1.dump"
    process_type: apache
  - path: "./process2.dump"
    process_type: mysql
  - path: "./process3.dump"
    process_type: sshd
output:
  format: json
  file: results.json
  include_stats: true
options:
  entropy_threshold: 3.5
  min_length: 8
  threads: 4
```

Run batch:

```bash
passdetective --batch batch_config.yaml
```
## Forensic Workflow

### Memory Capture to Analysis

```bash
# 1. Capture process memory (Linux)
gdb -p <PID>
(gdb) generate-core-file
(gdb) quit

# 2. Extract with PassDetective
passdetective core.<PID> -v --output analysis.txt

# 3. Post-process results
grep -E '(PASSWORD|API_KEY|CERTIFICATE)' analysis.txt > sensitive.txt

# 4. Generate forensic report
passdetective core.<PID> --json --output forensic_report.json
```
### Windows Memory Analysis

```bash
# 1. Capture memory with DumpIt
DumpIt.exe /y

# 2. Analyze with PassDetective
passdetective DumpIt.raw --json --output findings.json

# 3. Filter high-confidence findings
passdetective DumpIt.raw --confidence 0.95
```
## Performance Optimization

### Large Dump Processing

```bash
# Process in chunks
passdetective memory.dump --chunk-size 100MB

# Use memory mapping for huge files
passdetective memory.dump --mmap

# Parallel scanning threads
passdetective memory.dump --threads 8
```

### Resource Monitoring

```bash
# Limit memory usage
passdetective memory.dump --max-memory 2GB

# Progress indicator
passdetective memory.dump --progress

# Detailed timing
passdetective memory.dump --timing
```
## Comparison with Similar Tools

| Feature | PassDetective | strings | Volatility |
|---|---|---|---|
| Pattern Matching | Advanced regex | Basic | Plugins |
| Credentials | Yes | Limited | Plugin-dependent |
| Performance | Optimized | Fast | Variable |
| Cross-platform | Yes | Yes | Python-based |
| Custom Patterns | Yes | No | Yes |
## Troubleshooting

### Common Issues

High false positives:

```bash
# Use entropy filtering
passdetective memory.dump --entropy 4.0 --min-length 12
```

Slow processing:

```bash
# Enable parallel processing
passdetective memory.dump --threads $(nproc)
```

Out of memory:

```bash
# Process in chunks
passdetective memory.dump --chunk-size 50MB --mmap
```

### Validation

```bash
# Verify results
passdetective memory.dump --validate

# Compare against known credentials
passdetective memory.dump --dictionary creds.txt --verify
```
## Security Considerations

### Safe Handling

- Store memory dumps securely (encrypted storage)
- Limit result file access to authorized personnel
- Use strong encryption for output files
- Document chain of custody
- Sanitize results before sharing
### Report Generation

```bash
# Generate sanitized report (removes values)
passdetective memory.dump --sanitize-output --json > report.json

# Generate with annotations only
passdetective memory.dump --metadata-only > summary.txt
```
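The sanitized report is the form that should leave the analysis host. As an added illustration (not PassDetective's own implementation of `--sanitize-output`), the following redacts a result set in the JSON shape shown under JSON Output and then checks that no raw secret survives in the serialized report before it is shared. The findings are constructed and the high-confidence cutoff is an assumed threshold.

```python
import json

# Constructed findings in the shape shown under "JSON Output"; the values are made up.
RAW_RESULTS = {
    "scan_results": [
        {"type": "PASSWORD", "value": "admin123", "address": "0x00123456", "entropy": 3.87},
        {"type": "API_KEY", "value": "sk_live_abc123def456", "address": "0x00234567", "entropy": 4.92},
    ],
    "statistics": {"total_findings": 2, "high_confidence": 1},
}


def sanitize(results: dict, high_confidence_entropy: float = 4.5) -> dict:
    """Drop every secret value; keep type, location, entropy and length for triage.
    The high-confidence cutoff is an assumed threshold, not the tool's own."""
    findings = []
    for f in results["scan_results"]:
        findings.append({
            "type": f["type"],
            "address": f["address"],
            "entropy": f["entropy"],
            "value_length": len(f["value"]),  # the length survives, the secret does not
        })
    by_type = {}
    for f in findings:
        by_type[f["type"]] = by_type.get(f["type"], 0) + 1
    stats = {
        "total_findings": len(findings),
        "high_confidence": sum(1 for f in findings if f["entropy"] >= high_confidence_entropy),
        "by_type": by_type,
    }
    return {"scan_results": findings, "statistics": stats}


def leaked_values(raw: dict, report: dict) -> list:
    """Return every raw secret that still appears anywhere in the serialized report.
    Run this before sharing: an empty list means the redaction held."""
    serialized = json.dumps(report)
    return [f["value"] for f in raw["scan_results"] if f["value"] in serialized]


if __name__ == "__main__":
    report = sanitize(RAW_RESULTS)
    assert not leaked_values(RAW_RESULTS, report)
    print(json.dumps(report, indent=2))
```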
## Integration Examples

### Python Integration

```python
from passdetective import MemoryAnalyzer

analyzer = MemoryAnalyzer()
results = analyzer.scan_dump('memory.bin')
for finding in results:
    print(f"{finding.type}: {finding.value} @ {finding.address}")
```
### Automation Script

```bash
#!/bin/bash
# Automated forensic analysis
DUMP_DIR="/evidence/memory_dumps"
OUTPUT_DIR="/analysis/results"

# Quote every expansion so paths with spaces do not break the loop
for dump in "$DUMP_DIR"/*.bin; do
    echo "Analyzing: $dump"
    passdetective "$dump" \
        --json \
        --entropy 3.8 \
        --output "$OUTPUT_DIR/$(basename "$dump").json"
done
```
## Legal and Ethical Use

PassDetective is a legitimate forensic tool for:
- Authorized penetration testing
- Incident response investigations
- Compliance audits
- Security research (with consent)
- Malware analysis in sandbox environments
Always obtain proper authorization before analyzing any system or memory dumps.