Password-Protected Windows 10


jaclaz
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Mar 11, 18 17:38

- MDCR
I remember a bootable Linux CD in which I could modify the password at will, even clear it. Forgotten the name of it, worked from XP to Windows 7, never tried it with Win 8 or 10, but I guess it would work.

Yep, and that again is resetting the password, not bypassing it and not cracking it.

A number of recovery/forensic oriented distros may include the Offline NT Password and Registry Editor:
pogostick.net/~pnh/ntpasswd/
or chntpw:
en.wikipedia.org/wiki/Chntpw
which is included (for example) in Kali and SystemRescueCD:
en.wikipedia.org/wiki/...it_is_used

and which you can also get for most "standard" distros:
pkgs.org/download/chntpw


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

benfindlay
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Mar 12, 18 09:52

- jaclaz
@benfindlay
Reset is different from bypass

<SNIP>



Indeed, however the two terms are often used interchangeably as, absent certain situational conditions, they can in fact be equivalent.

It may be, in the case of what mhibert is trying to achieve, that a reset will be sufficient, hence the suggestion.

mhibert, can you provide a little more information please?
_________________
Ben Findlay. BSc (Hons) MSc PgCLTHE FHEA MBCS MCSFS MIScT MInstISP
Course Leader BSc Computer and Digital Forensics
School of Science, Engineering and Design
Teesside University 
 
  

JimC
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Mar 12, 18 12:26

Thank you @Jaclaz for the helpful summary of the different methods.

Methods (1) and (2) both provide a system-level command prompt at the login screen. This can be used to reset an account password. Method (3) bypasses this and permits login with any password. The end result is almost the same, and all 3 methods require file system access to an unencrypted OS volume.

However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.

I would be interested to learn from other practitioners if this scenario has come up or is changing/bypassing the password sufficient in practice despite the limitation?

Jim

www.binarymarkup.com  
 
  

benfindlay
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Mar 12, 18 12:48

- JimC
<SNIP>

However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.

I would be interested to learn from other practitioners if this scenario has come up or is changing/bypassing the password sufficient in practice despite the limitation?


Jim,

Great point. EFS is indeed one of the specific scenarios in which bypass and reset are NOT equivalent. However, the question still remains: what exactly is the end goal of the bypass/reset? If it is simply to gain access to the user account and files NOT protected by Windows' credential manager, then bypass & reset are for all intents and purposes equivalent.

Speaking from my own experience, in six and a half years I never once encountered EFS on a case I examined, nor am I aware of it being present on any cases my colleagues examined during this time period.

I do however recall reading a news article some years ago about a terrorism case in which EFS was enabled and the investigators had to devote significant time and resources in cracking it to gain access (apologies, I can't recall/find the specific article now).

Ben
_________________
Ben Findlay. BSc (Hons) MSc PgCLTHE FHEA MBCS MCSFS MIScT MInstISP
Course Leader BSc Computer and Digital Forensics
School of Science, Engineering and Design
Teesside University 
 
  

jaclaz
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Mar 12, 18 13:08

Yep, the whole point is the different level of "changes" made by this (or that) method and the amount of difficulty/inconvenience.

The #1 either modifies the password (which is then lost forever, no "way back") or needs the creation of a new user (which is OK in most cases BUT that is not exactly "forensically sound"); the very little on-volume activity needed to make a copy of the two .exe's and rename them is minimal but still exists.

The #2 DOES NOT modify the password BUT it creates some files on the volume anyway because of the SYSTEM account, and anyway the access is more limited AFAICR.

The #3 DOES NOT modify the password nor in practice changes anything on the volume different from a "normal" boot with the user credentials; the patched .dll can be binary restored, so it is the least intrusive of all.
KONBOOT AFAIK/AFAICR uses method #3 anyway, possibly even bettered, because the .dll is patched in memory, I believe.

The actual "right" method of dumping the SAM and decrypting/cracking the password (while having the advantage of actually making the original password known) has exactly the same on-volume/filesystem impact as #3, but it is obviously much slower[1], and setting up Ophcrack or similar and creating (or accessing) Rainbow Tables is not exactly easy-peasy.

Evidently this latter approach (again the "right" one in theory) will provide access to EFS.

As I see it (and not so casually I was among the people creating PassPass, from an original idea dating back to Windows NT 4 or 2000 by Damian Bakowski) method #3 - when possible - is fast, easy (besides being IMHO also "elegant") and, since it doesn't modify *anything*, it could be a "first step" not preventing in any way the later adoption - if needed - of the "right" method of decrypting the password.

As another single datapoint, NOT related to forensics, more related to "clueless people that manage to lock themselves out of the system and ask for help in recovery" which is more my field of experience/interest, I never found anyone using EFS.
Lots of senselessly (hidden or non-hidden) encrypted containers like Truecrypt and similar, and a few bitlockered drives, but never EFS.

@JimC
Just in case, yet another possible issue (Syskey) loosely related to EFS:
www.forensicfocus.com/...c/t=11839/


jaclaz

[1] I mean if "admin", "password" and "123456" don't work ;)
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Last edited by jaclaz on Mar 12, 18 13:22; edited 1 time in total
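As an added, defender-side example that is not part of the thread or of any tool named in it: a read-only check over a mounted image's System32 directory for the residue of jaclaz's method #1 above (a copy of cmd.exe renamed over a login-screen helper, which is also what gives JimC's methods (1) and (2) their command prompt). The list of helper names and the sample files are assumptions constructed here, not taken from the posts.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of login-screen accessibility helpers that a "command prompt at
# the login screen" swap typically overwrites with a renamed copy of cmd.exe.
ACCESSIBILITY_HELPERS = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                         "magnify.exe", "displayswitch.exe", "atbroker.exe")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries on a mounted image are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_helpers(system32: Path) -> dict:
    """Return {helper: reason} for helpers that look swapped.
    Read-only, so it is safe to run against a read-only evidence volume."""
    findings = {}
    cmd = system32 / "cmd.exe"
    cmd_hash = sha256_of(cmd) if cmd.is_file() else None
    for name in ACCESSIBILITY_HELPERS:
        helper = system32 / name
        if not helper.is_file():
            continue
        if cmd_hash and sha256_of(helper) == cmd_hash:
            findings[name] = "byte-identical to cmd.exe"
            continue
        # A manual swap usually leaves the original behind under another name
        # (e.g. osk.exe.bak); flag those leftovers too.
        leftovers = sorted(q.name for q in system32.glob(name + ".*"))
        if leftovers:
            findings[name] = "backup copies present: " + ", ".join(leftovers)
    return findings


def demo() -> dict:
    """Build a constructed System32 tree in a temp dir (sample data, not a real
    image) with one swapped helper and one leftover backup, then scan it."""
    root = Path(tempfile.mkdtemp()) / "Windows" / "System32"
    root.mkdir(parents=True)
    (root / "cmd.exe").write_bytes(b"MZ-constructed-cmd")
    (root / "sethc.exe").write_bytes(b"MZ-constructed-cmd")        # swapped copy
    (root / "utilman.exe").write_bytes(b"MZ-constructed-utilman")  # untouched
    (root / "osk.exe").write_bytes(b"MZ-constructed-osk")
    (root / "osk.exe.bak").write_bytes(b"MZ-constructed-osk")      # leftover
    return find_swapped_helpers(root)
```

Against a real image, point `find_swapped_helpers` at the mounted volume's Windows/System32 directory; a hit on the first check is the residue of method #1 that the post says "still exists" on the volume.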
 
  

JimC
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Mar 12, 18 13:22

One other related scenario springs to mind, although I accept it may not be that useful in practice:

There is a difference between a locked workstation and one with no user logged in. If you have access to a system level command prompt or similar, it is relatively easy to unlock a locked workstation without the password. This could be useful if a workstation was seized that was locked or was hibernated whilst locked. In such a case, the workstation could be unlocked and fully accessed without the password.

Based on this, I could argue that if a live image was not possible the next best thing would be to hibernate (rather than shutdown) a live workstation before seizing it. This would preserve the OS state and leave further options for future examination. This would of course overwrite the existing hibernation file which may not be desirable...

Apologies if this is telling old hands how to suck eggs.

Jim

www.binarymarkup.com  
 
  

jaclaz
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Mar 12, 18 15:17

- JimC

Based on this, I could argue that if a live image was not possible the next best thing would be to hibernate (rather than shutdown) a live workstation before seizing it. This would preserve the OS state and leave further options for future examination. This would of course overwrite the existing hibernation file which may not be desirable...


Well, I could argue that IF the system has never been hibernated before, the effects of writing a new hiberfil.sys file may be detrimental to the amount of data that can be carved from allocated, and given how (often) hibernate is mal- or non-functioning, it represents IMHO a risk.

I guess it needs to be decided if the possible trade-offs are worth it depending on the specific case *needs*; I mean, if the scope is knowing whether in the last few minutes/hours a given program has been run, then having a hiberfil.sys is very meaningful; if the scope is finding (say) deleted correspondence, it would be safer to shut down the system.

...decisions, always decisions ... ;)

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 

Page 2 of 4