winlogon Password

sachin
(@sachin)
Posts: 28
Eminent Member
Topic starter
 

We have received a case (OS: Win XP Prof) involving examination of accounting software (Tally) and email analysis. We have imaged the HD for analysis and restored another copy of it by using EnCase.
When the restored HD was attached to the workstation, it asked for the logon password. The logon password is created by the Ctrl+Alt+Del key sequence.
Any suggestions regarding how to log on?
Where does the logon password created by the Ctrl+Alt+Del key sequence reside?

sachin

 
Posted : 01/11/2006 1:54 pm
(@samirdatt)
Posts: 24
Eminent Member
 

Sachin

Use the NT Access Utility that came with the AccessData UTK you have - alternatively, please contact me off list.

 
Posted : 01/11/2006 5:42 pm
(@stevegut78)
Posts: 44
Eminent Member
 

The ERD Commander disk can change NT passwords as well.

 
Posted : 01/11/2006 7:39 pm
psu89
(@psu89)
Posts: 118
Estimable Member
 

I have successfully used Ophcrack to recover Windows passwords. When it works, I feel it is better than changing an unknown password (as with ERD).

 
Posted : 02/11/2006 12:01 am
skip
(@skip)
Posts: 57
Trusted Member
 

> I have successfully used Ophcrack to recover Windows passwords. When it works, I feel it is better than changing an unknown password (as with ERD).

I could see some nice side effects to cracking the Windows hash.
You may get some insight into the user, potentially the password for many other relevant accounts/usernames.

Example: What could you guess about a user with the following passwords…

sy$t3m.5 (maybe there are more systems 1-4, perhaps).
id4s!teXYZ (maybe the password for site ABC is id4s!teABC)
ciogoufiofae or
naawoaroakau or
guefaasiocooye (these are randomly generated but PRONOUNCEABLE passwords…maybe there is a password file protected by one other password, on a Palm Pilot or on a USB key)
p7ak5as@^gionu (maybe it is written down somewhere)

and so on and so forth….

If you have the time, crack it.

 
Posted : 02/11/2006 12:33 am
Alan
(@alan)
Posts: 53
Trusted Member
 

The Passware Kit from lostpasswords.com has a module for cracking Windows logins. I have used this in the past and it works very well.

Alan

 
Posted : 02/11/2006 2:49 pm
_nik_
(@_nik_)
Posts: 93
Trusted Member
 

The location of the password (or more accurately, its hash) is in the SAM hive. There are many password crackers that just need the SAM and SYSTEM hives.

Or you could run EnCase with the EDS module.

Nik

 
Posted : 02/11/2006 11:07 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

SamInside is a good program for recovering NT and LM passwords. Extract the SAM and SYSTEM files from your image and use it. Better still if you can get hold of some rainbow tables……

 
Posted : 03/11/2006 3:27 am
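
Several replies above rely on the SAM and SYSTEM files extracted from the image, so it is worth confirming that each extracted file is an intact registry hive before handing it to any tool. The following is an added example, not part of any post in this thread: it checks the hive base block (the `regf` signature, the two sequence numbers and the header XOR checksum). The function names and the sample headers are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian dwords in bytes 0..507 of the base block."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    # The format reserves 0 and 0xFFFFFFFF, remapping them as below.
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def check_hive(data: bytes) -> dict:
    """Validate the 512-byte header fields of a registry hive file."""
    if len(data) < 512 or data[:4] != b"regf":
        return {"valid": False, "reason": "no regf base block"}
    seq1, seq2, ftime, major, minor = struct.unpack_from("<IIQII", data, 4)
    (stored,) = struct.unpack_from("<I", data, 508)
    # Offset 48: up to 64 bytes of UTF-16LE holding the tail of the hive path.
    name = data[48:112].decode("utf-16-le", "replace").split("\x00")[0]
    written = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ftime // 10)
    return {
        "valid": stored == regf_checksum(data),
        "clean": seq1 == seq2,   # unequal: hive was mid-write, check transaction logs
        "version": f"{major}.{minor}",
        "name": name,
        "last_written": written.isoformat(),
    }

def make_sample_header(name: str, seq1: int, seq2: int) -> bytes:
    """Constructed test input (not from a real system): a bare base block."""
    hdr = bytearray(512)
    hdr[0:4] = b"regf"
    struct.pack_into("<IIQII", hdr, 4, seq1, seq2, 128_000_000_000_000_000, 1, 3)
    raw = name.encode("utf-16-le")
    hdr[48:48 + len(raw)] = raw
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    for label, blob in [
        ("SAM", make_sample_header(r"\System32\Config\SAM", 7, 7)),
        ("SYSTEM", make_sample_header(r"\System32\Config\SYSTEM", 9, 8)),
    ]:
        print(label, check_hive(blob))
```

For a real extraction, pass the first 512 bytes of each exported file to `check_hive`, working on the exported copy rather than the evidence image.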
iruiper
(@iruiper)
Posts: 145
Estimable Member
 

I can't see the use of EnCase EDS here. Isn't it useful just for EFS? I don't think you can get a Windows logon password from it.

 
Posted : 06/11/2006 2:12 pm
(@echo6)
Posts: 87
Trusted Member
 

> I can't see the use of EnCase EDS here. Isn't it useful just for EFS? I don't think you can get a Windows logon password from it.

That is correct, EDS allows you to view files encrypted using EFS within EnCase, but does not provide you with the user's password.

 
Posted : 06/11/2006 2:28 pm