###################################################################
1.- Introduction.
2.- Dependencies installation and Microsoft Windows use tips.
3.- Syntax.
4.- Options.
5.- Examples of use.
############################################################### [ Introduction ]
################################################################
Dumpzilla is an application developed in Python 3.x whose purpose is to extract all
forensically interesting information from the Firefox, Iceweasel and SeaMonkey browsers
so that it can be analyzed. Because it is developed for Python 3.x, it might not work
properly on old Python versions, mainly with certain characters. It works on Unix and
Windows 32/64-bit systems. It runs from the command line, so information dumps can be
piped to tools such as grep, awk, cut, sed... Dumpzilla lets you view the sections
listed below, customize searches and extract certain content.
Dumpzilla shows the SHA256 hash of each file from which it extracts information and,
at the end, a summary with totals.
Sections for which date filtering is not possible: DOM Storage, Permissions / Preferences,
Addons, Extensions, Passwords/Exceptions, Thumbnails and Session.
Dependencies:
============
Microsoft Windows use tip: set the console encoding before running Dumpzilla, otherwise
printing non-ASCII characters fails:
set PYTHONIOENCODING=UTF-8
Why? http://wiki.python.org/moin/PrintFails#Windows

python-magic (unpack the archive, then install it):
$ cd python-magic-master/
# python setup.py install
################################################################# [ Syntax ]
##################################################################
Options:
--All (Show everything except the DOM data. Does not extract thumbnails or the HTML5 offline cache)
--Cookies [-showdom -domain <string> -name <string> -hostcookie <string> -access <date> -create <date> -secure <0/1> -httponly <0/1> -range_last <start> <end> -range_create <start> <end>]
--Permissions [-host <string>]
--Downloads [-range <start> <end>]
--Forms [-value <string> -range_forms <start> <end>]
--History [-url <string> -title <string> -date <date> -range_history <start> <end> -frequency]
--Bookmarks [-range_bookmarks <start> <end>]
--Cacheoffline [-range_cacheoff <start> <end> -extract <directory>]
--Thumbnails [-extract_thumb <directory>]
--Range <start date> <end date>
--Addons
--Passwords (Decode only in Unix)
--Certoverride
--Session
--Watch [-text <string>] (Unix only: shows, in daemon mode, the URLs and form text in real time. The -text option filters the output and supports all grep wildcards. Exit: Ctrl + C)
################################################################# [ Examples of use ]
##################################################################
=====================================
Cookies with wildcards and date range:
=====================================
Domain: google.com
Host: www.google.com
Name: GAPS
Value: 1:IvFZXoV-6ihRuP658dfr7FjLQcnrhw:0X5FWx6hkt0Fp77C
Path: /accounts
Expiry: 2015-03-04 02:35:14
Last access: 2013-03-04 02:35:14
Creation Time: 2013-03-04 02:35:14
Secure: 0
HttpOnly: 1
This command prints the domains and their DOM data for cookies accessed between the two
given dates.
Domain: google.de
Host: .google.de
Name: PREF
Value: ID=e59d6b724e975713:U=ed7938110e81ef61:FF=0:LD=en:TM=1361492092:LM=1361492092:S=XE3J6pRySWKjnNuT
Path: /
Expiry: 2015-02-22 01:14:52
Last access: 2013-03-04 01:28:11
Creation Time: 2013-02-22 01:14:52
Secure: 0
HttpOnly: 0
Domain: secure.shared.live.com
DOM data: 1361915953829
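How a listing like the one above is produced, as an added example that is not Dumpzilla's own code: the script hashes a cookies.sqlite with SHA256 (the per-file hash Dumpzilla prints), converts the start and end dates into the microsecond PRTime values Firefox stores in lastAccessed, and selects the rows in that range with an optional LIKE pattern on the domain. The moz_cookies column names, the PRTime and expiry units, and the rows built by build_sample_db() are my assumptions and constructed data, not taken from the page.

```python
# Added example, not Dumpzilla's code: hash a Firefox profile file and pull the
# cookies accessed in a date range from cookies.sqlite.
# Assumptions (mine): moz_cookies uses the Firefox column names baseDomain, host,
# name, value, path, expiry (seconds), lastAccessed and creationTime (PRTime,
# microseconds since the Unix epoch), isSecure and isHttpOnly. The rows inserted
# by build_sample_db() are constructed for this example.
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # the date layout used in the listings


def sha256_file(path):
    """Hash the evidence file in chunks so a large profile is never read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def to_epoch(s):
    """'YYYY-MM-DD HH:MM:SS' (read as UTC) -> seconds since the epoch."""
    return int(datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc).timestamp())


def from_epoch(sec):
    return datetime.fromtimestamp(sec, tz=timezone.utc).strftime(DATE_FMT)


def prtime_to_str(us):
    """PRTime is in microseconds; drop the sub-second part for display."""
    return from_epoch(us // 1_000_000)


def build_sample_db(path):
    """Constructed sample cookies.sqlite with the assumed moz_cookies layout."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, "
        "name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, "
        "lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, "
        "isHttpOnly INTEGER)")
    rows = [  # baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, secure, httponly
        ("google.com", "GAPS", "1:constructed:value", "www.google.com", "/accounts",
         "2015-03-04 02:35:14", "2013-03-04 02:35:14", "2013-03-04 02:35:14", 0, 1),
        ("google.de", "PREF", "ID=constructed", ".google.de", "/",
         "2015-02-22 01:14:52", "2013-03-04 01:28:11", "2013-02-22 01:14:52", 0, 0),
        ("objectmix.com", "Xagads", "0", ".objectmix.com", "/",
         "2014-02-22 01:15:01", "2013-03-04 14:44:55", "2013-03-04 14:44:55", 0, 0),
        ("filldisk.com", "__utmz", "constructed", ".filldisk.com", "/",
         "2013-09-04 05:32:18", "2013-03-05 16:32:18", "2013-03-05 14:07:05", 0, 0),
    ]
    con.executemany(
        "INSERT INTO moz_cookies (baseDomain, name, value, host, path, expiry, "
        "lastAccessed, creationTime, isSecure, isHttpOnly) VALUES (?,?,?,?,?,?,?,?,?,?)",
        [(d, n, v, h, p, to_epoch(e), to_epoch(la) * 1_000_000,
          to_epoch(ct) * 1_000_000, s, ho) for d, n, v, h, p, e, la, ct, s, ho in rows])
    con.commit()
    con.close()


def cookies_accessed_between(path, start, end, domain_like="%"):
    """Cookies whose lastAccessed lies in [start, end]; domain_like takes SQL LIKE
    wildcards (% and _). The database is opened read-only so the evidence file and
    its journal are never modified by the query."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        cur = con.execute(
            "SELECT baseDomain, host, name, value, path, expiry, lastAccessed, "
            "creationTime, isSecure, isHttpOnly FROM moz_cookies "
            "WHERE lastAccessed BETWEEN ? AND ? AND baseDomain LIKE ? "
            "ORDER BY lastAccessed",
            (to_epoch(start) * 1_000_000, to_epoch(end) * 1_000_000, domain_like))
        return [{
            "Domain": r[0], "Host": r[1], "Name": r[2], "Value": r[3], "Path": r[4],
            "Expiry": from_epoch(r[5]), "Last access": prtime_to_str(r[6]),
            "Creation Time": prtime_to_str(r[7]), "Secure": r[8], "HttpOnly": r[9],
        } for r in cur]
    finally:
        con.close()


def run_demo():
    """Build the sample database, hash it, and run the query with and without a domain filter."""
    db = os.path.join(tempfile.mkdtemp(), "cookies.sqlite")
    build_sample_db(db)
    digest = sha256_file(db)
    day = ("2013-03-04 00:00:00", "2013-03-04 23:59:59")
    return digest, cookies_accessed_between(db, *day), cookies_accessed_between(db, *day, "google.%")


if __name__ == "__main__":
    digest, all_day, google_only = run_demo()
    print("cookies.sqlite SHA256:", digest)
    for cookie in google_only:
        for key, val in cookie.items():
            print(f"{key}: {val}")
        print()
```

Hash the file before and after the run to prove the read-only open left it untouched; work on a copy of the profile rather than the live one, since a running browser keeps the database locked and may have unflushed journal data. Dates here are treated as UTC, whereas Dumpzilla renders timestamps in the analysis host's local timezone (the Permissions listing below shows epoch 0 as 1970-01-01 01:00:00), so expect an offset when comparing.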
==================================
Use of escape characters to filter:
==================================
Domain: objectmix.com
Host: .objectmix.com
Name: Xagads
Value: 0
Path: /
Expiry: 2014-02-22 01:15:01
Last access: 2013-03-04 14:44:55
Creation Time: 2013-03-04 14:44:55
Secure: 0
HttpOnly: 0
Domain: objectmix.com
Host: .objectmix.com
Name: _agads
Value: ID=9cd33476f2c9ad11:T=1361492099:S=ALNI_MaEx-Nl-AeR5nAgJq8o_Hz44yDfow
Path: /
Expiry: 2015-02-22 01:14:59
Last access: 2013-03-04 14:44:13
Creation Time: 2013-03-04 14:44:13
Secure: 0
HttpOnly: 0
==================================================================
Audit real-time surfing, filtering Yahoo, Hotmail and Gmail content:
==================================================================
Remember that the "-text" option of "--Watch" can use grep wildcards. This command
prints all the windows / tabs whose content matches the "-text" pattern.
==========================
Combining multiple options:
==========================
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Cookies [SHA256 hash: d05199c0ff5db35bedb47e536076d0aeda108940edb47e536076d0aeda108940]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Domain: filldisk.com
Host: .filldisk.com
Name: __utmz
Value: 30275752.1362488826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Path: /
Expiry: 2013-09-04 05:32:18
Last access: 2013-03-05 16:32:18
Creation Time: 2013-03-05 14:07:05
Secure: 0
HttpOnly: 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DOM Storage [SHA256 hash: d2edb47e536076d0aeda1089408004d7a11e361a45c660dd507d2aed2b10061b]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Domain: secure.shared.live.com
Domain: 2.filldisk.com
Domain: 1.filldisk.com
Domain: secure.shared.live.com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Permissions [SHA256 hash: 1448abfa05363d0b68bcaeb75bb1bbf2bf873edb47e536076d0aeda10894019c]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Host: addons.cdn.mozilla.net
Type: sts/subd
Permission: 2
ExpireType: 0
ExpireTime: 1970-01-01 01:00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Preferences [SHA256 hash: eedb47e536076d0aeda108940371076d8be30ae13751ddd3e42e793cda78a4fd]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
History [SHA256 hash: edb47e536076d0aeda108940f9cabf311389c5b79810a2ac7369bc797307a80e]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Total information
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Total Cookies: 3
Total DOM Data: 14
WARNING: To show the DOM storage data, use the option -showdom
Total Permissions: 2
Total urls in History: 1
========================================
Get the passwords (not with Python 3.x):
========================================
Shows the websites configured never to save credentials, the encrypted credentials
and their decrypted values. (Decoding only works when running dumpzilla under the 2.x
branch, on Unix)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Exceptions/Passwords [SHA256 hash: 15ba116a979ba4edb47e536076d0aeda1089401cce582b2d78c2fa5fb24a570c]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Web: http://www.shodanhq.com
User field: username
Password field: password
User login (encrypted):
MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECE5kYU15qEEzBBA0nPH2m3bNM3wVEziqY02u
Password login (encrypted):
MEoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECE+XsaqLhIfIBCBoHtRGHjQ/Vq3FbPZgq2sGDL/YT9P5PHiUZ0QW6vktew==
Encryption type: 1
Created: 2013-03-05 13:19:22
Last used: 2013-03-05 13:19:22
Change: 2013-03-05 13:19:22
Frequency: 21
Web: https://www.facebook.com
User field: email
Password field: pass
User login (encrypted):
MEoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECIkQJPfZJbL/BCB/lc86x0KEyhw8NBwR/dhJGdXuV0QDCcLqaFg/rVayBw==
Password login (encrypted):
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNHMNFUnu2I+BAiA6BBtclMuFQ==
Encryption type: 1
Created: 2013-03-05 13:21:07
Last used: 2013-03-05 13:21:07
Change: 2013-03-05 13:21:07
Frequency: 9
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Decode Passwords
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Web: http://www.shodanhq.com:
Username: Bladimir
Password: Вакансиидерьмо
Web: https://www.facebook.com:
Username: justinbieber@hotmail.com
Password: 12345
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Total information
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Total passwords: 2
Total passwords decoded: 2
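What is inside the base64 strings printed under "User login" and "Password login", as an added example that is not Dumpzilla's code: each value is DER, a SEQUENCE holding an OCTET STRING key id, an AlgorithmIdentifier (algorithm OID plus IV) and the ciphertext, and that envelope can be read without the profile's master key. Only the ciphertext needs key3.db through NSS, which is why the page limits decoding to Unix and the Python 2.x branch. The parser below is hand-written (no pyasn1) and runs on two blobs copied from the listing above; the plaintext length bounds rely on 3DES-CBC with block padding, which is my inference from the algorithm OID the blobs carry, not something the page states.

```python
# Added example, not Dumpzilla's code: parse the DER envelope of the encrypted
# credential blobs shown in the listing. The two constants are copied verbatim
# from the page; everything else is my own illustration.
#   SEQUENCE {
#     OCTET STRING       keyId            -- names the key held in key3.db
#     SEQUENCE {                          -- AlgorithmIdentifier
#       OBJECT IDENTIFIER algorithm
#       OCTET STRING      iv
#     }
#     OCTET STRING       ciphertext
#   }
import base64

SHODAN_USER_BLOB = "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECE5kYU15qEEzBBA0nPH2m3bNM3wVEziqY02u"
FACEBOOK_PASSWORD_BLOB = "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNHMNFUnu2I+BAiA6BBtclMuFQ=="

DES_EDE3_CBC = "1.2.840.113549.3.7"   # PKCS#5 OID for 3DES in CBC mode
BLOCK = 8                             # DES block size in bytes


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(tag, want, what):
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")


def decode_oid(data):
    """OBJECT IDENTIFIER content bytes -> dotted-decimal string."""
    arcs = [data[0] // 40, data[0] % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:              # a clear high bit ends the current arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_sdr_blob(b64):
    """Split one encrypted credential into key id, algorithm, IV and ciphertext."""
    raw = base64.b64decode(b64)
    tag, body, end = read_tlv(raw, 0)
    expect(tag, 0x30, "outer element")
    if end != len(raw):
        raise ValueError("trailing bytes after the outer SEQUENCE")
    tag, key_id, pos = read_tlv(body, 0)
    expect(tag, 0x04, "keyId")
    tag, alg, pos = read_tlv(body, pos)
    expect(tag, 0x30, "AlgorithmIdentifier")
    tag, oid, apos = read_tlv(alg, 0)
    expect(tag, 0x06, "algorithm OID")
    tag, iv, _ = read_tlv(alg, apos)
    expect(tag, 0x04, "iv")
    tag, ct, pos = read_tlv(body, pos)
    expect(tag, 0x04, "ciphertext")
    if pos != len(body):
        raise ValueError("unexpected extra elements in the SEQUENCE")
    return {"key_id": key_id.hex(), "algorithm": decode_oid(oid),
            "iv": iv.hex(), "ciphertext": ct}


def plaintext_length_bounds(info):
    """3DES-CBC with PKCS#7-style padding always adds 1..8 bytes, so the plaintext
    is between len(ct)-8 and len(ct)-1 bytes long: the blob leaks the length
    bucket even when the key is unavailable."""
    if info["algorithm"] != DES_EDE3_CBC or len(info["ciphertext"]) % BLOCK:
        raise ValueError("not a well-formed 3DES-CBC blob")
    n = len(info["ciphertext"])
    return n - BLOCK, n - 1


if __name__ == "__main__":
    for label, blob in (("shodanhq user", SHODAN_USER_BLOB),
                        ("facebook password", FACEBOOK_PASSWORD_BLOB)):
        info = parse_sdr_blob(blob)
        lo, hi = plaintext_length_bounds(info)
        print(f"{label}: key {info['key_id']} alg {info['algorithm']} iv {info['iv']} "
              f"ciphertext {len(info['ciphertext'])} bytes -> plaintext {lo}-{hi} bytes")
```

Check the result against the decoded listing: the Facebook password blob carries 8 bytes of ciphertext, so the password is 0 to 7 bytes long (12345 fits), and the shodanhq username blob carries 16 bytes, so the name is 8 to 15 bytes (Bladimir is exactly 8, which forces a full padding block). Both entries share one key id, the profile-wide key that the --Passwords decode step has to fetch from key3.db. Treat a copied signons database as sensitive even without that key: it still reveals which sites have saved logins, the field names, and the length bucket of every credential.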
=========================
Dumpzilla with a grep pipe:
=========================
Type: theme
Descriptor: C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
Version: 19.0
--
Type: extension
Descriptor: C:\Documents and Settings\jasminpc\Application Data\Mozilla\Firefox\Profiles\5s28qo2r.default\extensions\exif_viewer@mozilla.doslash.org.xpi
Version: 2.00
--
APP: chrome://exif/content/exif.xul#history-loc-1
URL/PATH: C:\DocumentsandSettings\AllUsers\Documents\Porn\Sandra_2011\beach.jpg"
--
APP: chrome://exif/content/exif.xul#history-loc-1
URL/PATH: C:\DocumentsandSettings\AllUsers\Documents\Porn\Sandra_2011\ricorico.jpg"
################################################################# [ CopyLeft ]
##################################################################