recovering Users Password from Forensic image

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

recovering Users Password from Forensic image

Post Posted: Tue Jul 10, 2018 8:30 am

Good day everyone, my name is George Samuel from Nigeria. I'm a second-year student studying Cyber Security Science at the Federal University of Technology, Akure, Nigeria. I chose Digital Forensics as my area of cyber security and am still a beginner. I'm analyzing a data-leakage case.

I want to recover users' passwords from the data-leakage case. I got the SAM file of the registry hive but am unable to locate the syskey; I checked almost all the directories and folders but couldn't locate it. I only came across syskey.exe. I'm using Autopsy 4.6.0 to analyze the forensic image and AccessData Registry Viewer to analyze the registry files, but it requires that the syskey be loaded with the SAM file when I want to check whether a particular user set a password and also the NT hash, LM hash, old LM hash and old NT hash values... I would be glad if someone could explain how I can extract the syskey for the password recovery. Thanks.

psalmtopzy
Newbie
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Tue Jul 10, 2018 8:58 am

It seems like you are looking for a "Syskey" file (or possibly Registry key).

There isn't any.

"Syskey" is actually a boot key (startup key) generated by Syskey.exe and stored inside the SYSTEM registry backing file, but it is not an actual key as such; it is "scrambled into subkeys of the following registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa".

See:
www.oxid.it/cain.html
www.oxid.it/ca_um/topi...dumper.htm
www.oxid.it/ca_um/topi...ecoder.htm

Here is a step-by-step (under Linux) that should clear the matter to you:
epyxforensics.com/reco...ntu-11-10/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Tue Jul 10, 2018 2:09 pm

Try ophcrack.

Recover the main registry hives to one directory.

After loading the rainbow tables, select "Load-->Encrypted SAM" and select the directory containing the hives.

The usernames and hashes should populate the list.

Then click "Crack" and wait...  

AmNe5iA
Senior Member
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Tue Jul 10, 2018 11:05 pm

@AmNe5iA thanks for answering, but... I didn't see any encrypted SAM except the normal SAM hive.
@jaclaz thanks for your help; I have a SIFT workstation, so I am also working towards the steps you gave me.

psalmtopzy
Newbie
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Wed Jul 11, 2018 3:44 am

- psalmtopzy
@AmNe5iA thanks for answering, but... I didn't see any encrypted SAM except the normal SAM hive.


Don't worry, it is the "normal" SAM file, it is only called "encrypted" in Ophcrack, mainly because the "relevant" part is actually encrypted.

Some tools want you to load (in two steps) the SAM and SYSTEM files, some will work if you point them to a directory where both a SAM and SYSTEM file are present.

But besides, and before, the usage of a specific tool, you should become familiar with the theory behind it.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
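The part of the "theory behind it" that the thread states (first and second replies above): the boot key is not stored as a value, it is scrambled across the class names of four subkeys under Control\Lsa. Added example, not code from the thread or from any of the linked tools; it assumes the four class names have already been read from the SYSTEM hive with a hive parser (python-registry or similar, not shown) after resolving the current control set, and uses the unscrambling permutation that public forensic tools such as creddump and impacket apply.

```python
import re
from typing import Mapping

# The four subkeys of HKLM\SYSTEM\CurrentControlSet\Control\Lsa whose *class names*
# (not their values) together hold the scrambled 16-byte boot key, in read order.
LSA_BOOTKEY_SUBKEYS = ("JD", "Skew1", "GBG", "Data")

# Byte permutation that unscrambles the concatenated class-name bytes
# (the transform used by creddump / impacket; not invented here).
BOOTKEY_PERMUTATION = (8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7)


def validate_class_name(subkey: str, class_name: str) -> bytes:
    """Each class name must be exactly 8 hex digits (4 bytes). Anything else
    usually means the wrong key, a stale control set, or a hive that is not SYSTEM."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", class_name or ""):
        raise ValueError(f"{subkey}: class name {class_name!r} is not 8 hex digits")
    return bytes.fromhex(class_name)


def derive_bootkey(class_names: Mapping[str, str]) -> bytes:
    """Concatenate the JD, Skew1, GBG, Data class names and apply the permutation."""
    scrambled = b"".join(
        validate_class_name(k, class_names[k]) for k in LSA_BOOTKEY_SUBKEYS
    )
    assert len(scrambled) == 16  # 4 subkeys x 4 bytes
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


# Constructed sample class names (not from any real hive) so the script runs offline.
SAMPLE_CLASS_NAMES = {
    "JD": "01020304",
    "Skew1": "05060708",
    "GBG": "090a0b0c",
    "Data": "0d0e0f10",
}

if __name__ == "__main__":
    print(derive_bootkey(SAMPLE_CLASS_NAMES).hex())
```

With a real hive you would feed the four class names read by your parser into derive_bootkey(); a ValueError means you are looking at the wrong key or control set, which is the usual reason a tool reports no syskey.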
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Wed Jul 11, 2018 4:13 am

One alternative is to boot the image as a VM, then break in by creating a separate account (using a copy of the original image, not the original!) or an exploit (i.e. modifying the Windows installation to spawn a command prompt), run Volatility, dump the credentials and then crack them. Everything would be open like a book in memory for the taking.

As I said, do this against a COPY of the disk image, as this is an active measure which will change the evidence on disk.

MDCR
Senior Member
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Wed Jul 11, 2018 4:47 am

- MDCR
One alternative is to boot the image as a VM, ...

Which IMHO is not exactly the easiest thing to do; though P2V tools exist, of course, it remains something complex (as a matter of fact I believe that post-Windows 7 there are a lot of factors, besides the usual issues with mass storage drivers, that make it more complex than before).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
