Automate Linux Swap Analysis: swap_digger

ID N0WHERE:172140
Type n0where
Reporter N0where
Modified 2017-08-15T05:01:57


swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purpose. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.


Use the following commands to download and run the script on your machine:

git clone
cd swap_digger
chmod +x
sudo ./ -vx

If you only need to recover clear text Linux user passwords, simply run:

sudo ./

Available options

All options:

 ./ [ OPTIONS ]
 Options : 
  -x, --extended    Run Extended tests on the target swap to retrieve other interesting data
        (web passwords, emails, wifi creds, most accessed urls, etc)
  -g, --guessing  Try to guess potential passwords based on observations and stats
        Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
  -h, --help    Display this help.
  -v, --verbose Verbose mode.
  -l, --log Log all outputs in a log file (protected inside the generated working directory).
  -c, --clean Automatically erase the generated working directory at end of script (will also remove log file)
  -r PATH, --root-path=PATH   Location of the target file-system root (default value is /)
        Change this value for forensic analysis when target is a mounted file system.
        This option has to  be used along the -s option to indicate path to swap device.
  -s PATH, --swap-path=PATH   Location of swap device or swap dump to analyse
        Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
        This option should be used with the -r option where at least /<root-path>/etc/shadow exists.
  -S, --swap-search   Search for all available swap devices (use for forensics).

Automate Linux Swap Analysis: swap_digger

Automate Linux Swap Analysis: swap_digger Download