
Recovering application data from core files

posted Jan 25, 2011, 9:24 PM by Jayme Snyder   [ updated Apr 28, 2011, 3:31 PM ]
So, I was writing an email today in Outlook Web Access, and after hitting send, the "Sending" box popped up... and stayed there.
I noticed my SSL VPN had disconnected. I frantically tried to reconnect and hope the email goes through... but no dice. Then I think, no worries, I'll just copy the email to my clipboard and paste it into a new email. If only it were that easy. The designers thought that little sending box should stop all controls from being highlighted so I couldn't copy and paste. Now what!? I'm lazy so F&(*& typing that email again. There were a lot of statistics and stuff in it. I had to think. That was a lot of effort!

I know! I can just pull the email out of memory by taking a core dump of the running Firefox process! Luckily I am running Linux.
Actually, you can apply the same concept on FreeBSD, Windows, a Mac, and pretty much every other operating system, except there you're on your own.

First, look up the process ID of the running Firefox:
jayme@Jayme2:~$ ps auwwx|grep firefox-bin
jayme     2067  0.0  0.0   4148    96 ?        S    Jan24   0:00 /bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin
jayme     2071  4.3 22.8 1085160 469216 ?      Sl   Jan24 111:51 /usr/lib/firefox-3.6.13/firefox-bin
jayme    14681  0.0  0.0   8956   876 pts/1    S+   10:00   0:00 grep firefox-bin

Second, core the process:
jayme@Jayme2:~$ sudo gcore -o firefox2 2071
[Thread debugging using libthread_db enabled]
[New Thread 0x7f0733bff700 (LWP 12285)]
[New Thread 0x7f07380ff700 (LWP 11904)]
[New Thread 0x7f07736f1700 (LWP 10897)]
[New Thread 0x7f073dcfe700 (LWP 10791)]
[New Thread 0x7f07705ca700 (LWP 2155)]
[New Thread 0x7f07614b4700 (LWP 2086)]
[New Thread 0x7f0761cb5700 (LWP 2085)]
[New Thread 0x7f07624b6700 (LWP 2084)]
[New Thread 0x7f076e8ff700 (LWP 2082)]
[New Thread 0x7f076f239700 (LWP 2081)]
[New Thread 0x7f07715ff700 (LWP 2077)]
[New Thread 0x7f07724e5700 (LWP 2076)]
[New Thread 0x7f0772ce6700 (LWP 2075)]
[New Thread 0x7f07742fa700 (LWP 2073)]
[New Thread 0x7f0774cff700 (LWP 2072)]
0x00007f077ece4203 in poll () from /lib/libc.so.6
Saved corefile firefox2.2071

Third, investigate the contents of the dump file for the email contents:
jayme@Jayme2:~$ cat -t firefox2.2071|sed 's/\^.//g'|less
/contents of email

I found the contents, all intact, copied them to a new email and as they say here in Dubai, khalas.

Actually, looking at memory dumps can give you a lot of useful information, such as recovering stored passwords and encryption keys, or recovering deleted files that are still in memory.

It was easy, try it. It may save you in the future.
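
The third step above works because cat -t renders the NUL bytes of UTF-16 text as ^@ and the sed expression strips them. The following is an added example, not part of the original post: it searches a core file for a keyword in both plain ASCII and UTF-16LE and returns each matching printable run with its file offset. The function names and the sample data are constructed for illustration, and only ASCII-range characters are recognized.

```python
import mmap
import os
import re
import sys
import tempfile

# Printable runs (tab, LF, CR, space through ~) of at least 4 characters.
RUNS = {
    "ascii": re.compile(rb"[\t\n\r\x20-\x7e]{4,}"),
    "utf-16-le": re.compile(rb"(?:[\t\n\r\x20-\x7e]\x00){4,}"),
}


def find_text(core_path, keyword):
    """Return sorted (offset, encoding, text) for printable runs containing keyword."""
    hits = []
    wanted = keyword.lower()
    with open(core_path, "rb") as fh:
        # mmap lets the regex scan a multi-gigabyte core without loading it.
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
            for enc, pattern in RUNS.items():
                for m in pattern.finditer(mem):
                    text = m.group().decode(enc)
                    if wanted in text.lower():
                        hits.append((m.start(), enc, text))
    return sorted(hits)


def build_sample(path):
    """Write a small constructed stand-in for a core file (not a real dump)."""
    body = "Q4 statistics: 1,204 tickets closed, 37 escalated"
    blob = (b"\x7fELF\x02\x01\x01" + b"\x00" * 64
            + body.encode("utf-16-le") + b"\x00\x00\xff\xfe\x01"
            + b"\x00" * 32 + b"Subject: weekly statistics\x00" + b"\x90" * 16)
    with open(path, "wb") as fh:
        fh.write(blob)
    return path


if __name__ == "__main__":
    # Usage: script.py <corefile> <keyword>; with no arguments, use the sample.
    if len(sys.argv) == 3:
        core, word = sys.argv[1], sys.argv[2]
    else:
        core = build_sample(os.path.join(tempfile.mkdtemp(), "sample.core"))
        word = "statistics"
    for offset, enc, text in find_text(core, word):
        print(f"0x{offset:08x} [{enc}] {text}")
```

Because a core file holds everything the process had in memory, store the dump with restrictive permissions and delete it once the text is recovered.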