
Google chrome login

13 Posts
3 Users
0 Likes
1,697 Views
(@driver170)
Posts: 7
Active Member
Topic starter
 

Non-forensic analyst here. Just seeking expert advice, as I was recommended to post my query on this forum.

OK, let's get started.

1. I would just like to know how login details are extracted from the C drive? Is it taken from the internet browser only? Google Chrome is being used in this case.

2. If a report was generated and this came back -

https://www.crewdock.com/pport/web/Login/AGERLU

AGERLU is the username; no dates or passwords are mentioned in the report. It's obvious people would say this website was accessed. The site belongs to Ryanair and is used for pilots.

3. I found that Google Chrome saves wrong usernames and passwords, if entered into this site or if you request to save login details into any other site. So, surely the above report could possibly be showing a wrong login attempt with wrong username and/or password, which has then been saved in Google Chrome and cookies?

4. How accurate / reliable are these software tools that extract internet data if Google Chrome is saving a random username and password?

I hope I have provided enough details for you guys to go off on and I certainly appreciate any help given.

 
Posted : 23/03/2018 10:29 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

1. I would just like to know how login details are extracted from the C drive? Is it taken from the internet browser only? Google Chrome is being used in this case.

No, there are several options to get a password. How and where to find them is a looong story. Jaclaz might write this tale, but I will not 😉

In case of Chrome in Windows 10 you can find them in a SQLite 3 database at
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Login Data

2. If a report was generated and this came back -

Where did it come from? Source?

3. I found that Google Chrome saves wrong usernames and passwords,

No, this is wrong. username_value has a correct entry.

4. How accurate / reliable are these software tools that extract internet data if Google Chrome is saving a random username and password?

They are not wrong or random, passwords are encrypted, username and URL are clear text!

I hope I have provided enough details for you guys to go off on and I certainly appreciate any help given.

What kind of case is this? From what I can see from your questions, you should learn a lot about Digital Forensics before you can do such an investigation on your own. Or you ask an expert. Please stop here before you come to a conclusion with any kind of negative impact on the suspect.

best regards, Robin

 
Posted : 23/03/2018 1:49 pm
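
An added illustration of the reply above (not code from any poster in this thread or from the tools they mention): the `logins` table in Chrome's `Login Data` file keeps `origin_url` and `username_value` in clear text next to an encrypted `password_value`, plus a `date_created` value. The sample database and its rows are constructed, only a subset of the columns is modelled, and `date_created` is assumed to be a WebKit timestamp (microseconds since 1601-01-01 UTC), which should be checked against the Chrome version under examination.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Convert a WebKit timestamp (microseconds since 1601-01-01 UTC) to a datetime."""
    if not value:  # 0 or NULL: no timestamp recorded
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)

def list_saved_logins(conn):
    """Return the clear-text fields of each saved login; the password blob is only sized."""
    rows = conn.execute(
        "SELECT origin_url, username_value, length(password_value), "
        "date_created, times_used FROM logins ORDER BY date_created"
    )
    return [
        {"url": url, "username": user, "password_blob_bytes": blob_len,
         "created_utc": webkit_to_utc(created), "times_used": used}
        for url, user, blob_len, created, used in rows
    ]

def build_sample_db():
    """Constructed stand-in for a copy of 'Login Data' (subset of the real columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "password_value BLOB, date_created INTEGER, times_used INTEGER)"
    )
    # Constructed rows: hypothetical site and usernames, dummy 32-byte blobs.
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?, ?)", [
        ("https://portal.example/login", "jdoe", b"\x01" * 32, 13166188140000000, 4),
        ("https://portal.example/login", "madeup", b"\x01" * 32, 13166274540000000, 0),
    ])
    return conn

if __name__ == "__main__":
    for entry in list_saved_logins(build_sample_db()):
        print(entry)
```

To examine real data, open a working copy of `Login Data` with `sqlite3.connect(path)` and pass that connection to `list_saved_logins`.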
(@driver170)
Posts: 7
Active Member
Topic starter
 

Hi Robin,

This is involving me and another ex-pilot from Ryanair.

The case is a civil matter in court in which I need to defend myself that I never had access to Crewdock and company material.

About Google saving passwords - If I enter a made up username and password this gets saved under Google saved passwords if you wish to save this, even though it's wrong? I used Belkasoft and that even extracted the made up login details.

The report has already been filed and it's only the URL that got found on my laptop without any time / date and passwords. So it seems there is a tenuous link from my computer to that site.

I’m in the UK so whatever software companies use in the UK I don’t know?

 
Posted : 23/03/2018 2:13 pm
hectic_forensics
(@hectic_forensics)
Posts: 40
Eminent Member
 

If it is a civil matter being heard in a UK Court then do you currently have legal counsel? If so have they instructed any digital forensic specialists onto your case? Have they requested access or been provided access to the relevant material?

Sounds like this may be prudent if not… without knowing the ins and outs it is pretty difficult to comment too much.

 
Posted : 23/03/2018 2:36 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

About Google saving passwords - If I enter a made up username and password this gets saved under Google saved passwords if you wish to save this, even though it's wrong?

Sorry, I can't help you with any foreign law, especially in the UK. A lawyer might be helpful here.
Make some tests yourself and you will find out that Google Chrome only offers the possibility to save passwords one second after a successful login! I am using Chrome Version 65.0.3325.181 - the latest one. The password itself can't be changed in the questioning box. So it is very unlikely Chrome stores a wrong password. Another possibility: Chrome stores password 1 on Computer A. Computer B is later used to change the password on the site from 1 to 2. Then Computer A has a wrong (better said old) password if you did not allow Google to synchronize passwords.
If you want to play around with Google Chrome passwords, I can recommend two tools:

- Hindsight from Obsidian Forensics https://github.com/obsidianforensics/hindsight/tree/master/dist
- Chromepass from Nirsoft http://www.nirsoft.net/utils/chromepass.html

Just close Chrome and start Chromepass, it will find the password file and decrypt it for you. But I have some doubts this procedure and your findings will be recognized by any court as evidence.

Good luck and don't forget the lawyer!
Robin

 
Posted : 23/03/2018 4:01 pm
(@driver170)
Posts: 7
Active Member
Topic starter
 

Hi Hectic,

I have a criminal lawyer for my case and I’ve had my laptop examined already. Only finding was that URL. No other evidence like company material on my electronic devices!

Hi Robin,

About Google and saving passwords - what I forgot to mention in my first post is that you can save random passwords by clicking on the small key symbol at the top right of the URL bar. If you click this key symbol it then asks if you would like to save these details. Even though they are randomly generated.

 
Posted : 23/03/2018 6:46 pm
(@driver170)
Posts: 7
Active Member
Topic starter
 

Later tonight I can show you an example with a random login into that site in question and then show it saves into Google saved passwords. I will then run Belkasoft and that will extract those login details.

 
Posted : 23/03/2018 6:53 pm
(@driver170)
Posts: 7
Active Member
Topic starter
 

Below is a link to my Dropbox and within this folder, I have provided three screenshots.

As you can see I have entered random login details and clicked on the small key, which I have highlighted in a thick black border, that then asks you if you would like to save these details.

I also ran Belkasoft and this recovers these random login details.

https://www.dropbox.com/sh/kpiq9w2r5jaz3hz/AADBIYHziJTOXYvXHzgpQ-YTa?dl=0

 
Posted : 24/03/2018 10:26 am
hectic_forensics
(@hectic_forensics)
Posts: 40
Eminent Member
 

Can you clarify what exactly the issue is here? I'm not 100% certain on what it is you are asking or trying to challenge?

By understanding the question or the relied upon 'fact' you are taking issue with, we will be able to answer this better…

 
Posted : 26/03/2018 10:53 am
(@driver170)
Posts: 7
Active Member
Topic starter
 

OK, basically I’m getting accused of entering the Ryanair pilot website and distributing company material.

 
Posted : 26/03/2018 10:57 am