Notifications
Clear all

Live volatile data

6 Posts
3 Users
0 Likes
398 Views
zikmik
(@zikmik)
Posts: 28
Eminent Member
Topic starter
 

Hi,
How to collect live volatile data if Computer Locked (The computer is in use and has been locked)
and account is under password?

I don`t thnik that e-fense Live Response cover this situation…

 
Posted : 31/07/2009 10:43 am
(@benclelland)
Posts: 21
Eminent Member
 

Does the computer have firewire that you could use? It's possible to use firewire to make it so that the Windows locked screen doesn't need a password by making a change to the memory.

 
Posted : 03/08/2009 3:19 pm
zikmik
(@zikmik)
Posts: 28
Eminent Member
Topic starter
 

benclelland

Thank you for replying!
Mine question was hypothetical but I am trying to be preper for such situation.
I find a way with RemoteUnlock but trick works only if locked PC is already LAN connected.
It will be nice if you describe your approach with Firewire IEEE 1394 Port
and making change in memory.

 
Posted : 04/08/2009 12:16 pm
(@benclelland)
Posts: 21
Eminent Member
 

We have used it successfully before on machines, as far as I remember it just changes the memory as the firewire has direct access to memory. You can then get in using no password and on system reboot it will need a password again (because it isn't changing the actual password).

The project can be found here with the script that you need.

You basically connect a computer via firewire to the target machine and then run the script to modify the memory and then you will get in. We have tried it on various different Windows machines without a problem.

Here is a link on Youtube showing how easy it actually is when you have things setup - http//www.youtube.com/watch?v=5N-C5s_07Ts&fmt=18

 
Posted : 04/08/2009 1:19 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

http//www.storm.net.nz/projects/16

 
Posted : 04/08/2009 4:14 pm
zikmik
(@zikmik)
Posts: 28
Eminent Member
Topic starter
 

Thank you again!
It will take some time for me to test it roll …

I find Winlockpwn to support Vista and XP SP3
http//forums.remote-exploit.org/tutorials-guides/13922-tutorial-winlockpwn-3.html#post98201

 
Posted : 04/08/2009 4:42 pm
Share: