Hello, I was wondering if there is a way to discover if a PC with Windows has the User password or not.
Obviously I mean searching this information through an image file of the hard drive of the PC.
At least for local accounts you need to check the SAM and other Registry files
https://www.forensicfocus.com/Forums/viewtopic/t=5539/
If you are looking for an automated tool
https://
jaclaz
If you are looking for an automated tool
https://github.com/woanware/ForensicUserInfo
I haven't played with Mark's tool but it hasn't been updated in 4 years, so won't deal with the new location for the NTLM hash.
Microsoft moved the location in Win10 anniversary update (wrote about it
You can pull the hashes with some tools, and I think it's reasonable to say that if there's a hash that isn't blank then a password is currently set. Caveats here are I don't know what happens if someone has a password and then removes it, or has a standard account and then changes it to a Microsoft online account (edge cases so haven't tested).
The guaranteed way to check the password settings is to boot a VM/restored copy of the drive. GetData Forensic Explorer, VFC, and Arsenal Image Mounter (current tool of choice) have the capability of booting a VM. That will tell you pretty quickly whether there's a password set or not.
Do not rely on the output of a registry parser that says password not required.
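Added example, not part of any post in this thread and not code from the tools named above: a small Python triage of already-extracted local account hashes that applies the "non-blank hash means a password is set" reasoning from the post above. It assumes the extraction tool wrote pwdump-style lines (`user:RID:LM:NT:::`); the sample lines and the non-blank hash are constructed, and the edge cases the poster left untested (removed passwords, Microsoft online accounts) are outside what it can decide.

```python
import string

# Well-known hashes of an empty password: NT is MD4 of the empty UTF-16LE
# string, LM is the fixed value shown when no LM hash is stored.
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"

def nt_status(nt_field):
    """Return 'blank', 'set' or 'unknown' for the NT-hash column."""
    value = nt_field.strip().lower()
    # Some dumpers print a "NO PASSWORD***" placeholder instead of the blank hash.
    if value == BLANK_NT or value.startswith("no password"):
        return "blank"
    if len(value) == 32 and all(c in string.hexdigits for c in value):
        return "set"
    return "unknown"  # empty, truncated or garbled column: do not guess

def classify(line):
    """Parse one 'user:RID:LM:NT:::' line (assumed format)."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a pwdump-style line: {line!r}")
    user, rid, _lm, nt = parts[:4]
    # Decide on the NT column only: a blank LM hash is normal on modern
    # Windows even when a password is set, because LM hashes are not stored.
    return user, int(rid), nt_status(nt)

def report(lines):
    """Map each account name to its status, skipping empty lines."""
    rows = (classify(l) for l in lines if l.strip())
    return {user: status for user, _rid, status in rows}

# Constructed sample input; the non-blank hash is a made-up value.
SAMPLE = [
    f"Administrator:500:{BLANK_LM}:{BLANK_NT}:::",
    f"alice:1001:{BLANK_LM}:0123456789abcdef0123456789abcdef:::",
    "Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::",
    f"bob:1002:{BLANK_LM}:31d6cfe0:::",  # truncated hash
]

if __name__ == "__main__":
    for user, status in report(SAMPLE).items():
        print(f"{user:15} {status}")
```

A "set" or "blank" result here describes only what the SAM hash column contains; booting a copy of the image, as the post recommends, remains the confirming step.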
Thank you for your info.