PassDetective
Overview
Section titled “Overview”PassDetective is a forensic analysis tool designed to extract sensitive information from memory dumps. It scans raw memory files for patterns matching credentials, API keys, encryption keys, and other sensitive strings. Used in authorized penetration testing and incident response, PassDetective helps identify potential credential leakage in compromised systems.
Key Capabilities:
- Extract plaintext passwords from memory
- Identify encryption keys and tokens
- Search for sensitive patterns (credit cards, API keys)
- Support multiple memory dump formats
- Cross-platform memory analysis
- Batch processing of multiple dumps
Installation
Section titled “Installation”Linux/macOS
Section titled “Linux/macOS”# Clone repository
git clone https://github.com/sec-tools/passdetective.git
cd passdetective
# Install dependencies
pip install -r requirements.txt
# Or compile from source
make
sudo make installWindows
Section titled “Windows”# Download binary from releases
https://github.com/sec-tools/passdetective/releases
# Or build from source
git clone https://github.com/sec-tools/passdetective.git
cd passdetective
pip install -r requirements.txt
python setup.py installHomebrew (macOS)
Section titled “Homebrew (macOS)”brew tap sec-tools/tools
brew install passdetectiveBasic Usage
Section titled “Basic Usage”Simple Memory Dump Analysis
Section titled “Simple Memory Dump Analysis”# Analyze a memory dump file
passdetective memory.dump
# Scan specific memory region
passdetective memory.dump --start 0x00400000 --end 0x00500000
# Save results to file
passdetective memory.dump --output results.txtMemory Extraction Commands
Section titled “Memory Extraction Commands”| Command | Purpose |
|---|---|
passdetective dump.bin | Basic memory scan for sensitive strings |
passdetective dump.bin -v | Verbose output with memory addresses |
passdetective dump.bin --json | Output in JSON format |
passdetective dump.bin -p passwords.dict | Use custom pattern dictionary |
passdetective dump.bin --hex | Display hexadecimal output |
Pattern Recognition
Section titled “Pattern Recognition”Built-in Pattern Types
Section titled “Built-in Pattern Types”# Scan for specific pattern types
passdetective memory.dump --patterns passwords
passdetective memory.dump --patterns keys
passdetective memory.dump --patterns allCustom Pattern Definitions
Section titled “Custom Pattern Definitions”# Create custom pattern file (patterns.yaml)
---
password:
- regex: 'password[=:]\s*["'\'']?([^"'\''\s]+)'
description: "Password assignments"
- regex: 'pwd[=:]\s*["'\'']?([^"'\''\s]+)'
description: "pwd field matches"
api_key:
- regex: 'api[_-]?key[=:]\s*["'\'']?([a-zA-Z0-9]{32,})'
description: "API key patterns"
credentials:
- regex: '(?:[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}):([^\s]+)'
description: "Email:password pairs"
# Run with custom patterns
passdetective memory.dump -p patterns.yamlPattern Matching Examples
Section titled “Pattern Matching Examples”# Search for credential pairs
passdetective memory.dump --pattern-type credentials
# Extract Windows NTLM hashes
passdetective memory.dump --pattern-type ntlm
# Find SSL/TLS certificates
passdetective memory.dump --pattern-type certificates
# Search for database connection strings
passdetective memory.dump --pattern-type connectionsAdvanced Analysis
Section titled “Advanced Analysis”Filtering and Refinement
Section titled “Filtering and Refinement”# Reduce false positives with entropy filter
passdetective memory.dump --entropy 4.0
# Filter by minimum pattern length
passdetective memory.dump --min-length 12
# Exclude common false positives
passdetective memory.dump --exclude-common
# Case-sensitive matching
passdetective memory.dump --case-sensitiveMemory Region Analysis
Section titled “Memory Region Analysis”# Scan only heap memory
passdetective memory.dump --regions heap
# Scan only stack memory
passdetective memory.dump --regions stack
# Scan executable regions only
passdetective memory.dump --regions executable
# Scan all regions
passdetective memory.dump --regions allProcess-Specific Dumps
Section titled “Process-Specific Dumps”# Analyze specific process memory dump
passdetective -p chrome memory.dump
# Search for browser-related credentials
passdetective memory.dump --process-type browser
# Database process memory
passdetective memory.dump --process-type database
# Search for running service credentials
passdetective memory.dump --service-credentialsOutput Formats
Section titled “Output Formats”Standard Text Output
Section titled “Standard Text Output”passdetective memory.dump --output results.txt --format textSample output:
[PASSWORD] @ 0x00123456: admin123
[API_KEY] @ 0x00234567: sk_live_abc123def456
[EMAIL_PASSWORD] @ 0x00345678: user@example.com:SecurePass123
[ENCRYPTION_KEY] @ 0x00456789: 256-bit key detected
[DATABASE_STRING] @ 0x00567890: Server=db.internal;User=sa;Password=DBA_PassJSON Output
Section titled “JSON Output”passdetective memory.dump --output results.json --format jsonSample output:
{
"scan_results": [
{
"type": "PASSWORD",
"value": "admin123",
"address": "0x00123456",
"entropy": 3.87
},
{
"type": "API_KEY",
"value": "sk_live_abc123def456",
"address": "0x00234567",
"entropy": 4.92
}
],
"statistics": {
"total_findings": 42,
"high_confidence": 18
}
}CSV Export
Section titled “CSV Export”passdetective memory.dump --output results.csv --format csvBatch Processing
Section titled “Batch Processing”Process Multiple Dumps
Section titled “Process Multiple Dumps”# Batch analysis with glob pattern
passdetective "dumps/*.bin" --output batch_results.txt
# Process directory recursively
passdetective ./memory_dumps --recursive --output all_results.txt
# Process with parallel threads
passdetective dumps/*.bin --threads 4 --output results.txtBatch Configuration
Section titled “Batch Configuration”# batch_config.yaml
dumps:
- path: "./process1.dump"
process_type: apache
- path: "./process2.dump"
process_type: mysql
- path: "./process3.dump"
process_type: sshd
output:
format: json
file: results.json
include_stats: true
options:
entropy_threshold: 3.5
min_length: 8
threads: 4Run batch:
passdetective --batch batch_config.yamlForensic Workflow
Section titled “Forensic Workflow”Memory Capture to Analysis
Section titled “Memory Capture to Analysis”# 1. Capture process memory (Linux)
gdb -p <PID>
(gdb) generate-core-file
(gdb) quit
# 2. Extract with PassDetective
passdetective core.<PID> -v --output analysis.txt
# 3. Post-process results
grep -E '(PASSWORD|API_KEY|CERTIFICATE)' analysis.txt > sensitive.txt
# 4. Generate forensic report
passdetective core.<PID> --json --output forensic_report.jsonWindows Memory Analysis
Section titled “Windows Memory Analysis”# 1. Capture memory with Dumpit
Dumpit.exe /y
# 2. Analyze with PassDetective
passdetective DumpIt.raw --json --output findings.json
# 3. Filter high-confidence findings
passdetective DumpIt.raw --confidence 0.95Performance Optimization
Section titled “Performance Optimization”Large Dump Processing
Section titled “Large Dump Processing”# Process in chunks
passdetective memory.dump --chunk-size 100MB
# Use memory mapping for huge files
passdetective memory.dump --mmap
# Parallel scanning threads
passdetective memory.dump --threads 8Resource Monitoring
Section titled “Resource Monitoring”# Limit memory usage
passdetective memory.dump --max-memory 2GB
# Progress indicator
passdetective memory.dump --progress
# Detailed timing
passdetective memory.dump --timingComparison with Similar Tools
Section titled “Comparison with Similar Tools”| Feature | PassDetective | strings | Volatility |
|---|---|---|---|
| Pattern Matching | Advanced regex | Basic | Plugins |
| Credentials | Yes | Limited | Plugin-dependent |
| Performance | Optimized | Fast | Variable |
| Cross-platform | Yes | Yes | Python-based |
| Custom Patterns | Yes | No | Yes |
Troubleshooting
Section titled “Troubleshooting”Common Issues
Section titled “Common Issues”High false positives:
# Use entropy filtering
passdetective memory.dump --entropy 4.0 --min-length 12Slow processing:
# Enable parallel processing
passdetective memory.dump --threads $(nproc)Out of memory:
# Process in chunks
passdetective memory.dump --chunk-size 50MB --mmapValidation
Section titled “Validation”# Verify results
passdetective memory.dump --validate
# Compare against known credentials
passdetective memory.dump --dictionary creds.txt --verifySecurity Considerations
Section titled “Security Considerations”Safe Handling
Section titled “Safe Handling”- Store memory dumps securely (encrypted storage)
- Limit result file access to authorized personnel
- Use strong encryption for output files
- Document chain of custody
- Sanitize results before sharing
Report Generation
Section titled “Report Generation”# Generate sanitized report (removes values)
passdetective memory.dump --sanitize-output --json > report.json
# Generate with annotations only
passdetective memory.dump --metadata-only > summary.txtIntegration Examples
Section titled “Integration Examples”Python Integration
Section titled “Python Integration”from passdetective import MemoryAnalyzer
analyzer = MemoryAnalyzer()
results = analyzer.scan_dump('memory.bin')
for finding in results:
print(f"{finding.type}: {finding.value} @ {finding.address}")Automation Script
Section titled “Automation Script”#!/bin/bash
# Automated forensic analysis
DUMP_DIR="/evidence/memory_dumps"
OUTPUT_DIR="/analysis/results"
for dump in $DUMP_DIR/*.bin; do
echo "Analyzing: $dump"
passdetective "$dump" \
--json \
--entropy 3.8 \
--output "$OUTPUT_DIR/$(basename $dump).json"
doneLegal and Ethical Use
Section titled “Legal and Ethical Use”PassDetective is a legitimate forensic tool for:
- Authorized penetration testing
- Incident response investigations
- Compliance audits
- Security research (with consent)
- Malware analysis in sandbox environments
Always obtain proper authorization before analyzing any system or memory dumps.