Question: Memory dump contains sensitive info?

icel3oi (Distinguished), Jun 19, 2008
Not sure which is the correct sub-forum to post this in:

If I were to send a complete dump (to debug a BSOD or another issue), is an automatic/complete memory dump created by Windows safe to send to strangers? Does it contain any sensitive information like passwords etc.?

A complete memory dump in Windows will contain all data from memory at the moment the computer stopped, and it could contain sensitive information, including user names and passwords.
You only need a couple of tools to extract information from it.

gardenman (Moderator)
Post it on a personal website where you have control of the files (such as Google Drive or OneDrive). That way, once the dump file reaches its intended target, it can be deleted. You could even password-protect it on such a site (and send a private message to the target with the password).

For the most part, the people who actually read the dump file couldn't care less about looking in your dumps for passwords or personal info. I've personally seen thousands of dump files here and never even thought of doing such a thing, but that's not to say some other person couldn't stumble upon a thread and try to get such info.

Another option is to have some type of binary editor that allows you to search and replace the text (without screwing the file up). With this idea, you could search for some of the passwords you think might have been in memory at the time and replace the password with another word (of the same length). This can't be done in your average text editor; it will not re-save the file correctly. You would need a binary editor.

Minidumps don't contain that much memory. They contain the stack info, driver info and BIOS info, and are usually only a few megabytes long.

A full dump, like said above, might contain everything in memory at the time of the crash.

I personally prefer minidumps over the full memory.dmp files but that's because I'm no expert at reading dump files and many times the full memory dumps are corrupted.
 
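
Added example, not code from the thread or from any of its posters: a small Python script that does the two things the replies above describe, first the quick scan that shows how readily a plaintext password can be pulled out of a full dump, then the same-length overwrite gardenman suggests in place of a hex editor. It assumes the secret is in memory as plain text, either as ASCII/UTF-8 or as UTF-16LE (how Win32 stores most strings); `SAMPLE_DUMP` is a constructed stand-in, not a real dump, and the function names are this example's own.

```python
# Added example, not code from the thread or its posters: scan a raw
# Windows memory-dump file for a known plaintext secret and overwrite
# every hit with a same-length filler, so the file size and all internal
# offsets stay intact for whoever debugs it afterwards.
#
# Assumptions (this example's, not the thread's): the secret sits in
# memory as plain text, either as ASCII/UTF-8 or as UTF-16LE, which is
# how Win32 stores most strings. Hashes and other derived forms are not
# found by this.
from __future__ import annotations

import mmap
import re
from pathlib import Path

ENCODINGS = ("utf-8", "utf-16-le")


def encoded_forms(secret: str) -> dict[str, bytes]:
    """Byte patterns the secret can take under each encoding we search."""
    return {enc: secret.encode(enc) for enc in ENCODINGS}


def find_secret(data, secret: str) -> list[tuple[int, str]]:
    """Return (offset, encoding) for every occurrence of `secret` in `data`.

    `data` may be bytes or any bytes-like buffer, including an mmap.
    """
    hits: list[tuple[int, str]] = []
    for enc, needle in encoded_forms(secret).items():
        for m in re.finditer(re.escape(needle), data):
            hits.append((m.start(), enc))
    return sorted(hits)


def _filler(needle_len: int, enc: str, fill: str) -> bytes:
    """Filler of exactly `needle_len` bytes in the hit's own encoding."""
    if len(fill) != 1 or not fill.isascii():
        raise ValueError("fill must be a single ASCII character")
    unit = fill.encode(enc)  # 1 byte for UTF-8, 2 bytes for UTF-16LE
    return unit * (needle_len // len(unit))


def redact(data: bytes, secret: str, fill: str = "X") -> tuple[bytes, int]:
    """Overwrite every occurrence of `secret` in `data`; returns (new_bytes, hits).

    Each hit is replaced in its own encoding, so a UTF-16LE "hunter2"
    (14 bytes) becomes UTF-16LE "XXXXXXX" (14 bytes) and len() is unchanged.
    """
    buf = bytearray(data)
    hits = find_secret(data, secret)
    for offset, enc in hits:
        needle_len = len(secret.encode(enc))
        buf[offset:offset + needle_len] = _filler(needle_len, enc, fill)
    return bytes(buf), len(hits)


def redact_file_in_place(path: str | Path, secret: str, fill: str = "X") -> int:
    """Same as redact(), but on a file via mmap so a multi-GB dump is not read into RAM.

    Hits are collected first and written afterwards; the file size never changes.
    """
    with open(path, "r+b") as f, mmap.mmap(f.fileno(), 0) as mm:
        hits = find_secret(mm, secret)
        for offset, enc in hits:
            needle_len = len(secret.encode(enc))
            mm[offset:offset + needle_len] = _filler(needle_len, enc, fill)
        mm.flush()
    return len(hits)


# Constructed stand-in for a dump: the 64-bit dump signature "PAGEDU64",
# padding, then the same password once as ASCII and once as UTF-16LE.
SAMPLE_DUMP = (
    b"PAGEDU64" + b"\x00" * 24
    + b"\x00\x00user=alice;pass=hunter2\x00\x00"
    + "Password: hunter2".encode("utf-16-le")
    + b"\x7f\x12\xff\x00junk\x00" * 4
)

if __name__ == "__main__":
    for off, enc in find_secret(SAMPLE_DUMP, "hunter2"):
        print(f"hit at offset {off:#x} ({enc})")
    cleaned, n = redact(SAMPLE_DUMP, "hunter2")
    print(f"{n} hits redacted, size {len(SAMPLE_DUMP)} -> {len(cleaned)}")
```

The same-length overwrite is what keeps the file usable: a debugger walks the dump by offsets recorded in its header and page tables, so inserting or deleting a single byte would break it, while replacing bytes in place does not. The limits are the ones you would expect. It only finds a string you already know and only in the two encodings listed, so a password that was copied into memory in another form, split across pages, or stored as a hash is not touched, and a dump that comes back with zero hits is not thereby shown to be clean.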

Satan-IR (Ambassador)
I don't think it's that easy to extract information, especially from minidumps. These dumps, even verbose ones, contain memory addresses that processes and drivers use and don't really contain the data at those addresses. RAM is a dynamic space, changing all the time; in order to extract data like passwords and such, you'd need to capture the actual memory contents in real time, and even then it's not that easy, because decent code is supposed NOT to store/handle passwords as plain text.

Plus, in other OSs, and in Windows from Vista onward, there's ASLR (Address Space Layout Randomization) in place, which randomly arranges the address space positions of the data areas of a process, including the base of the executable code and the positions of the stack, heap, libraries etc. Although it's only active for EXE and DLL files in Windows unless you change some registry entries, and I'm not really sure whether how it's handled in Win 10 is different now.

Anyway, I'm not saying it's absolutely impossible; some data may be possible to extract from full dumps, but it's not that easy. I think it's fairly safe for a home user to post minidumps online. A full dump may be a couple of GB, but a minidump is usually 200KB to a few megabytes. You can't cram all of, for example, the 3GB of data that was in RAM at the time the computer stopped into 2MB anyway.