
recovering Users Password from Forensic image

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
  

Re: recovering Users Password from Forensic image

Post Posted: Wed Jul 11, 2018 4:59 am

Ophcrack, Cain & Abel, and maybe even John the Ripper can be used (per pp 74 & 75 of "Windows Registry Forensics", 2/e).

keydet89
Senior Member
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Wed Jul 11, 2018 9:21 am

- jaclaz
- MDCR
One alternative is to boot the image as a VM, ...

Which IMHO is not exactly the easiest thing to do, though P2V tools exist, of course, it remains something that remains complex (as a matter of fact I believe that post-Windows 7 there are a lot of factors, besides the usual issues with Mass Storage drivers, that make it more complex than before :( ).

jaclaz



Who said forensics should be easy? There is always something new to learn, a new tool pops up every day and if you're lucky it comes with a description of what it actually does, if you are really lucky it comes with a PDF manual.

Gaining access is often a part of the investigations that I have taken part in; it's not just image drive, waity-waity, look - there is the evidence, start Microsoft Word, writey-writey - done.

You learn to circumvent the user, even use exploits if necessary.

(And I'll reiterate - always against a COPY of the disk image)

MDCR
Senior Member
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Wed Jul 11, 2018 10:00 am

- MDCR

Who said forensics should be easy? There is always something new to learn, a new tool pops up every day and if you're lucky it comes with a description of what it actually does, if you are really lucky it comes with a PDF manual.


Sure :) , no one said that, but the OP is a second year student, and he should do at this stage what is more simple and linear (and before that understand the underlying theory), it is surely a good thing to suggest alternative ways, but with the warning that they are not the straightest path possible (unless they actually are).

OT, but not much, it is like when I try to help kids with their math problems, I always need to focus on what they have been taught till then, even if (to me) a much simpler solution would be using some (say) algebra, I cannot use that.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Sat Jul 14, 2018 8:46 am

Hello, thanks for helping. I got the four users' password hashes already... and I was able to decrypt two using an on-line hash-cracker... but I am unable to decrypt two yet... I used Ophcrack, but I couldn't decrypt the passwords; I tried using Cain and Abel, still the same. I was also thinking John the Ripper should be okay... but I have been unable to install John the Ripper on my SIFT workstation. This is the list of commands I ran to install John the Ripper:
$sudo apt-get install john
$sudo aptitude john
$sudo apt-get install john-the-ripper.
After trying these commands I was still unable to download John the Ripper. Though I have Ophcrack on my SIFT, I don't know if I will be able to decrypt the password hash on SIFT, even though I have tried it on Windows Ophcrack; also, if I could get another hash decrypter. Looking forward to your answers. THANKS A LOT

psalmtopzy
Newbie
 
 
  

Re: recovering Users Password from Forensic image

Post Posted: Sat Jul 14, 2018 10:11 am

- psalmtopzy
Hello, thanks for helping. I got the four users' password hashes already... and I was able to decrypt two using an on-line hash-cracker... but I am unable to decrypt two yet... I used Ophcrack, but I couldn't decrypt the passwords; I tried using Cain and Abel, still the same. I was also thinking John the Ripper should be okay... but I have been unable to install John the Ripper on my SIFT workstation. This is the list of commands I ran to install John the Ripper:
$sudo apt-get install john
$sudo aptitude john
$sudo apt-get install john-the-ripper.
After trying these commands I was still unable to download John the Ripper. Though I have Ophcrack on my SIFT, I don't know if I will be able to decrypt the password hash on SIFT, even though I have tried it on Windows Ophcrack; also, if I could get another hash decrypter. Looking forward to your answers. THANKS A LOT


That's OK, as it won't likely do anything.

John the Ripper is essentially a "brute force and dictionary password cracker" (though with some very good features/additions/options), see:
www.win.tue.nl/~aeb/li.../john.html

It will either take forever or find nothing (or find exactly the same that Ophcrack will find) in a "reasonable" time.

The Ophcrack approach is usually faster, but since it failed (partially) in your case, you may want to try Hashcat/oclhashcat:
hashcat.net/wiki/doku....id=hashcat
hashcat.net/wiki/doku....shcat_lite
see also:
www.reddit.com/r/crypt...shcatlite/

or RainbowCrack:
project-rainbowcrack.com/

Of course actual performance will depend on what hardware you have available.

jaclaz

jaclaz
Senior Member
 
 
