Recovering application data from core files

Post date: Jan 26, 2011 5:24:48 AM

So, I was writing an email today in Outlook Web Access, and after hitting send, the "Sending" box popped up... and stayed there.

I noticed my SSL VPN had disconnected. I frantically tried to reconnect and hope the email goes through... but no dice. Then I think, no worries, I'll just copy the email to my clip board and paste it into a new email. If only it were that easy. The designers thought that little sending box should stop all controls from being highlighted so I couldn't copy and paste. Now what!? I'm lazy so F&(*& typing that email again. There were a lot of statistics and stuff in it. I had to think. That was a lot of effort!

I know! I can just pull the email out of memory by taking a core dump of the running firefox process! Luckily I am running Linux.

Actually you can do this same concept in FreeBSD, windows too, and on a mac, and pretty much every operating system - except you're on your own.

First, look up the process ID of the running Firefox:

jayme@Jayme2:~$ ps auwwx|grep firefox-bin

jayme 2067 0.0 0.0 4148 96 ? S Jan24 0:00 /bin/sh /usr/lib/firefox-3.6.13/ /usr/lib/firefox-3.6.13/firefox-bin

jayme 2071 4.3 22.8 1085160 469216 ? Sl Jan24 111:51 /usr/lib/firefox-3.6.13/firefox-bin

jayme 14681 0.0 0.0 8956 876 pts/1 S+ 10:00 0:00 grep firefox-bin

Second, core the process:

jayme@Jayme2:~$ sudo gcore -o firefox2 2071

[Thread debugging using libthread_db enabled]

[New Thread 0x7f0733bff700 (LWP 12285)]

[New Thread 0x7f07380ff700 (LWP 11904)]

[New Thread 0x7f07736f1700 (LWP 10897)]

[New Thread 0x7f073dcfe700 (LWP 10791)]

[New Thread 0x7f07705ca700 (LWP 2155)]

[New Thread 0x7f07614b4700 (LWP 2086)]

[New Thread 0x7f0761cb5700 (LWP 2085)]

[New Thread 0x7f07624b6700 (LWP 2084)]

[New Thread 0x7f076e8ff700 (LWP 2082)]

[New Thread 0x7f076f239700 (LWP 2081)]

[New Thread 0x7f07715ff700 (LWP 2077)]

[New Thread 0x7f07724e5700 (LWP 2076)]

[New Thread 0x7f0772ce6700 (LWP 2075)]

[New Thread 0x7f07742fa700 (LWP 2073)]

[New Thread 0x7f0774cff700 (LWP 2072)]

0x00007f077ece4203 in poll () from /lib/

Saved corefile firefox2.2071

Third, investigate the contents of the dump file for the email contents:

jayme@Jayme2:~$ cat -t firefox2.2071|sed 's/\^.//g'|less

/contents of email

I found the contents, all in tact, copied them to a new email and as they say here in Dubai, khalas.

Actually, looking at memory dumps can give you a lot of useful information.

Like recovering stored encrypted/passwords keys, recovering deleted files still in memory etc.

It was easy, try it. It may save you in the future.