We have received a case (OS: Win XP Prof) involving examination of accounting software (Tally) and email analysis. We have imaged the HD for analysis and restored another copy of it by using EnCase.
When the restored HD was attached to the workstation, it asked for a logon password. The logon password is created by the Ctrl+Alt+Del key sequence.
Any suggestions regarding how to log on?
Where does the logon password created by the Ctrl+Alt+Del key sequence reside?
sachin
Sachin
Use the NT Access Utility that came with the AccessData UTK you have - alternatively pls contact me off list.
ERD commander disk can change NT passwords as well.
I have successfully used
Ophcrack to recover Windows passwords. When it works, I feel it is better than changing an unknown password (as with ERD).
I could see some nice side effects to cracking the windows hash.
You may get some insight into the user, potentially the password for many other relevant accounts/usernames.
Example: What could you guess about a user with the following passwords…
sy$t3m.5 (maybe there are more systems 1-4, perhaps).
id4s!teXYZ (maybe the password for site ABC is id4s!teABC)
ciogoufiofae or
naawoaroakau or
guefaasiocooye (these are randomly generated but PRONOUNCEABLE passwords…maybe there is a password file protected by one other password, on a palm pilot or on USB key)
p7ak5as@^gionu (maybe it is written down some where)
and so on and so forth….
If you have the time, crack it.
The Passware kit from lostpasswords.com has a module for cracking Windows logins. I have used this in the past and it works very well.
Alan
The location of the password (or more accurately, its hash) is in the SAM hive. There are many password crackers that just need the SAM and SYSTEM hive.
Or you could run EnCase with the EDS module.
Nik
SamInside is a good program for recovering NT and LM passwords. Extract the SAM and System files from your image and use it. Better still if you can get hold of some Rainbow tables……
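Added example, not part of the thread: a Python check that SAM and SYSTEM files exported from an image are intact registry hives before any tool is pointed at them. It reads the 512-byte base block using the publicly documented "regf" layout; the helper names and the sample header are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

def hive_checksum(header: bytes) -> int:
    """XOR of the first 127 little-endian dwords (bytes 0..507) of the base block."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if x == 0 else x

def inspect_hive_header(header: bytes) -> dict:
    """Parse the 512 bytes that start a hive file and report integrity indicators."""
    if len(header) < 512 or header[:4] != b"regf":
        raise ValueError("not a registry hive base block")
    seq1, seq2, filetime = struct.unpack_from("<IIQ", header, 4)
    major, minor = struct.unpack_from("<II", header, 20)
    (stored,) = struct.unpack_from("<I", header, 508)
    # Embedded file name: 64 bytes of UTF-16LE, NUL padded.
    name = header[48:112].decode("utf-16-le", errors="replace").split("\x00")[0]
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC.
    written = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "last_written": written,
        # Differing sequence numbers mean a write was in progress (dirty hive).
        "clean": seq1 == seq2,
        "checksum_ok": stored == hive_checksum(header),
    }

def make_sample_header(name: str, seq1: int, seq2: int) -> bytes:
    """Constructed test input: a minimal base block, not data from a real system."""
    block = bytearray(512)
    block[0:4] = b"regf"
    struct.pack_into("<IIQ", block, 4, seq1, seq2, 127_000_000_000_000_000)
    struct.pack_into("<II", block, 20, 1, 3)
    encoded = name.encode("utf-16-le")
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 508, hive_checksum(bytes(block)))
    return bytes(block)

if __name__ == "__main__":
    sample = make_sample_header("\\SystemRoot\\System32\\Config\\SAM", 42, 42)
    print(inspect_hive_header(sample))
```

For a real export, pass the first 512 bytes of the file to `inspect_hive_header`; a result with `clean` false points to a hive that was mid-write when the disk was imaged.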
I can't see the use of EnCase EDS here. Isn't it useful just for EFS? I don't think you can get a Windows logon password from it.
That is correct, EDS allows you to view files encrypted using EFS within Encase, but does not provide you with the user's password.