Password-Protected Windows 10

  

Armando0
Newbie
 

Re: Password-Protected Windows 10

Post Posted: Jun 22, 18 01:03

- JimC
Thank you @Jaclaz for the helpful summary of the different methods.

Methods (1) and (2) both provide a system-level command-prompt at the login screen. This can be used to reset an account password. Method (3) by-passes this and permits login with any password. The end result is almost the same and all 3 methods require file system access to an unencrypted OS volume.

However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.

I would be interested to learn from other practitioners if this scenario has come up or is changing/bypassing the password sufficient in practice despite the limitation?

Jim

www.binarymarkup.com


If you don't want to lose access to EFS encrypted files or stored network/browser passwords, you have no other way but to recover the old password. Besides using Ophcrack to crack the password using rainbow tables, you can also use the following software to recover your password with GPU hardware acceleration:

RainbowCrack - project-rainbowcrack.com/
HashCat - hashcat.net/hashcat/
Password Recovery Bundle - www.top-password.com/g...overy.html
Proactive System Password Recovery - www.elcomsoft.com/pspr.html

A high-end graphics card can boost the cracking speed a lot.  
 
  

Burgesinz
Newbie
 

Re: Password-Protected Windows 10

Post Posted: Jul 17, 18 02:40

- Armando0
- JimC
Thank you @Jaclaz for the helpful summary of the different methods.

Methods (1) and (2) both provide a system-level command-prompt at the login screen. This can be used to reset an account password. Method (3) by-passes this and permits login with any password. The end result is almost the same and all 3 methods require file system access to an unencrypted OS volume.

However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.

I would be interested to learn from other practitioners if this scenario has come up or is changing/bypassing the password sufficient in practice despite the limitation?

Jim

www.binarymarkup.com


If you don't want to lose access to EFS encrypted files or stored network/browser passwords, you have no other way but to recover the old password. Besides using Ophcrack to crack the password using rainbow tables, you can also use the following software to recover your password with GPU hardware acceleration:

RainbowCrack - project-rainbowcrack.com/
HashCat - hashcat.net/hashcat/
Password Recovery Bundle - www.passmoz.com/bypass...sword.html
Proactive System Password Recovery - www.elcomsoft.com/pspr.html

A high-end graphics card can boost the cracking speed a lot.


Elcomsoft is too expensive. There are many free options to reset Windows password. A few good ones are Ophcrack, Offline NT Password & Registry Editor and Ultimate Boot CD.  
 
  

joakims
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Jul 19, 18 15:10

One thing about the hibernation method suggested. I agree that it is of course disastrous for the purpose of finding data in unallocated on disk. But the level of disastrousness may actually be slightly lower than first anticipated. The reason is that even though Windows writes a hiberfil.sys at the size of RAM to disk, the actual hibernation data that overwrites is much less. This is because the data written is only the actively used memory pages that are anyway compressed before being written to disk. For a 16 GB RAM situation, that would likely result in roughly 1 GB actual data. The last 15 GB of (previously unallocated) data is still recoverable, but now from within the slack part of hiberfil.sys. But in the end, lots of data is still overwritten, which may be unacceptable.
_________________
Joakim Schicht

github.com/jschicht 
 
  

jaclaz
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Jul 19, 18 16:26

- joakims
One thing about the hibernation method suggested. I agree that it is of course disastrous for the purpose of finding data in unallocated on disk. But the level of disastrousness may actually be slightly lower than first anticipated. The reason is that even though Windows writes a hiberfil.sys at the size of RAM to disk, the actual hibernation data that overwrites is much less. This is because the data written is only the actively used memory pages that are anyway compressed before being written to disk. For a 16 GB RAM situation, that would likely result in roughly 1 GB actual data. The last 15 GB of (previously unallocated) data is still recoverable, but now from within the slack part of hiberfil.sys. But in the end, lots of data is still overwritten, which may be unacceptable.


I am not sure I understand.

There is in practice no risk of overwriting unallocated space, unless the machine was never hibernated before (which was the "edge" case proposed), but if the machine was previously hibernated, the *whatever* is after the first GB will be pointless/outdated.

Let's say that the SAME machine is used, with 16 GB RAM.
The hiberfil file is created (the first time hibernation is used/triggered) 16 GB in size.
The first (roughly) 1 GB of it is written with "active" pages, compressed.
The last (roughly) remaining 15 GB of it remain 00's (or *whatever* was in the "chunk" of until then unallocated space).
If (at next use of the hibernation feature) what is saved is still roughly 1 GB in size, after n cycles you will still have a 16 GB file where roughly the last 15 GB are still 00's (or the same *whatever* it was before).

So past the first 1 GB we should have a "snapshot" of an area that was once unallocated, but that was allocated by the hiberfil.sys file and that NEVER changed.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

joakims
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Jul 19, 18 20:28

Yes you're right. I forgot to mention that it applies only for the edge case mentioned where system had not been hibernated previously. That said and given what I previously described, it is thus potentially possible to recover larger pieces of data (multiple GB) from the slack parts within hibernation file, which are parts of unallocated dating back to a point in time before hiberfil.sys existed. That point in time on the disk may be just 00 if there has only been 1 installation on the machine, or it could be non-zero data from unallocated originating from a previous installation if the system was upgraded/reinstalled. Anyways, that was a slight deviation from the topic here.
_________________
Joakim Schicht

github.com/jschicht 
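
The slack-space point made in the posts above, as an added example that is not part of the original thread: a Python sketch that scans the part of a hibernation file past the last-written data and reports which regions are still zero and which hold residual bytes. The `slack_start` offset is an assumption supplied by the examiner (the script does not parse the hiberfil.sys header), and the sample image is constructed.

```python
import io

BLOCK = 4096  # scan granularity (one page / common NTFS cluster size)

def nonzero_runs(stream, slack_start, block=BLOCK):
    """Return [(offset, length)] of non-zero regions at or after slack_start.

    slack_start is an ASSUMPTION supplied by the examiner: the offset where
    the most recent hibernation data ends. No header parsing is done here.
    """
    runs, run_start, offset = [], None, slack_start
    stream.seek(slack_start)
    while chunk := stream.read(block):
        if chunk.count(0) != len(chunk):      # block holds non-zero bytes
            if run_start is None:
                run_start = offset
        elif run_start is not None:           # zero block closes a run
            runs.append((run_start, offset - run_start))
            run_start = None
        offset += len(chunk)
    if run_start is not None:                 # run reaches end of file
        runs.append((run_start, offset - run_start))
    return runs

def slack_summary(stream, slack_start, block=BLOCK):
    """Summarise the slack: bytes still zero vs. blocks holding residue."""
    runs = nonzero_runs(stream, slack_start, block)
    slack = max(stream.seek(0, io.SEEK_END) - slack_start, 0)
    residual = sum(length for _, length in runs)   # block granularity
    return {"slack_bytes": slack, "residual_bytes": residual,
            "zero_bytes": slack - residual, "runs": runs}

def build_sample():
    """Constructed 16-block image standing in for a hibernation file."""
    img = bytearray(16 * BLOCK)
    img[0:2 * BLOCK] = b"\xAA" * (2 * BLOCK)       # fake "active" data
    note = b"deleted-report.docx fragment"          # constructed residue
    img[5 * BLOCK + 100:5 * BLOCK + 100 + len(note)] = note
    img[9 * BLOCK:11 * BLOCK] = b"\x42" * (2 * BLOCK)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    summary = slack_summary(build_sample(), slack_start=2 * BLOCK)
    for off, length in summary["runs"]:
        print(f"residual data at offset {off:#x}, {length} bytes")
    print(f"{summary['zero_bytes']} of {summary['slack_bytes']} slack bytes are zero")
```

Run it against a working copy of the file, never the original evidence; residual sizes are rounded up to whole blocks.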
 
  

jaclaz
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Jul 21, 18 11:35

- joakims
Yes you're right. I forgot to mention that it applies only for the edge case mentioned where system had not been hibernated previously. That said and given what I previously described, it is thus potentially possible to recover larger pieces of data (multiple GB) from the slack parts within hibernation file, which are parts of unallocated dating back to a point in time before hiberfil.sys existed. That point in time on the disk may be just 00 if there has only been 1 installation on the machine, or it could be non-zero data from unallocated originating from a previous installation if the system was upgraded/reinstalled. Anyways, that was a slight deviation from the topic here.


As I see it, it is a nice and useful consideration, and potentially very useful in some edge cases.

Hypothetical set of prerequisites:
1) the OS is installed
2) it is used for whatever activity that may later become "interesting"
3) the relative files are deleted (not wiped)
4) the hibernation is invoked (for the first time)
5) by pure chance the hiberfil file is created comprising (partially) the area where files in #3 resided
6) the other "interesting" files are overwritten, possibly after a defrag command or similar by other new files generated by the OS or by the user in "normal" usage

Surely it would be not a "common" case, but if the prerequisites apply the thingy might well be a sort of "time machine capsule", a real treasure trove.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

passcodeunlock
Senior Member
 

Re: Password-Protected Windows 10

Post Posted: Jul 21, 18 15:04

If I got it right, having or not EFS is just a presumption, not a fact. Why not simply create a binary copy to another HDD or SSD, replace the .dll file for password bypass on the clone, boot the clone.

If anything goes wrong, you will always have the original drive in its current state, so there is nothing to lose?!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 

Page 3 of 4