Windows 10 Virtualisation & Microsoft user accounts

Brevs11
Member
 

Windows 10 Virtualisation & Microsoft user accounts

Post Posted: Jan 28, 19 11:09

Morning all.

I've been attempting for a while to find a way to login to a Microsoft user account on a Windows 10 computer when that computer has been virtualised (FTK Imager to mount the forensic image, VFC and VMWare to create and run the VM). This has to be completed in as forensically sound a manner as possible.

So the scenario I'm finding more often these days is that the user has either created from new, or migrated an existing local account to a Microsoft based password protected account. I know that when Windows 10 is installed Microsoft tries very hard to force users down the path of creating a Microsoft account rather than using a local account. A Microsoft based account must be protected with a password or PIN.

I have used the following 'hack' which allows you to enable and login to the local Administrator account, assuming that the user has not previously enabled it and added a password.

Enable Hidden Administrator Account in Windows 10 without Login

However, even logging in to the local Administrator account does not allow the changing or removal of another user's Microsoft created account.

All of the tools I'm currently using to examine the SAM incorrectly report Microsoft created accounts as having no password set, likewise running various boot disks to blank the NT password fail because there isn't one.

Depending on how the account was created when attempting to login to the account you will sometimes get "Your device is offline, please enter old password." Some online research for this message shows that there are numerous users who report either that they never set an earlier password or, they enter their old password and it doesn't work. If Windows does store an old password for offline local use, where is it?

Asking the user for the password is not always possible and of course the password could always be reset by logging into the Microsoft account on a different device, again not possible in this scenario.

I wondered if anyone has any success or ideas as to whether what I'm trying to achieve is possible, without the options available in the preceding paragraph.  
 
  

keydet89
Senior Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Post Posted: Jan 28, 19 12:00

"...report Microsoft created accounts as having no password set..."

I'm curious...what tools are you using, and what are they telling you? What I mean is, what is the message, exactly worded, that you're seeing?

That might be helpful.

Thanks.  
 
  

Brevs11
Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Post Posted: Jan 28, 19 12:15

AccessData Registry Viewer, ophcrack, IEF, EnCase v6 & v8 all show the NT hash and password as empty in the SAM.

I did another little bit of research a while back and I stand to be corrected but this has been the case since Windows Version 1607 (Anniversary Update). I discovered it by accident, the tools were reporting no password set on the account but when I virtualised it there was a password, if it was a Microsoft based account.

Thanks  
 
  

mjpetersen
Newbie
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Post Posted: Jan 28, 19 19:04

The reason you are not seeing the account is because the passwords are not stored locally.

Have you tried the VFC Password Bypass? Did that work or did it only allow you to view the local files and not the on-line files?  
 
  

Brevs11
Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Post Posted: Jan 29, 19 08:52

- mjpetersen
The reason you are not seeing the account is because the passwords are not stored locally.

Have you tried the VFC Password Bypass? Did that work or did it only allow you to view the local files and not the on-line files?


VFC reports that there is no password set on the account so the password bypass does not work.

I have a Microsoft account on a PC at home. I know the current and old (local account) passwords so I'll disconnect from the Internet and see if I get the "Your device is offline, please enter old password." message, although I've never been able to get it to work previously. And even if this does work I would imagine that it wouldn't work if the account was created from scratch as a Microsoft account.

If the old password is present, it must be stored somewhere but it doesn't seem to be in the SAM, certainly not where a normal local user account password is stored anyway.  
 
  

randomaccess
Senior Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Post Posted: Jan 29, 19 12:05

Microsoft moved the location of the passwords for local systems last year.
Many tools haven't been updated. Mimikatz works though.

I wrote a post about it here

Unfortunately I haven't figured out the problem you're seeing.
I'm thinking that it stores the password the same way that it would cache it for a domain.
I ran mimikatz over a live-account-enabled test image today and didn't get very far.

I'll have to think through the problem; the password is stored somewhere, just where I don't know yet.  
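A triage check for the point randomaccess raises (parsers that only know the pre-1607 SAM layout reporting "no password" on accounts that do have one). This is an added example, not code from the thread or from any tool named in it; it assumes the V-value layout described in public SAM parsers (NT-hash descriptor at 0xA8/0xAC, data offsets relative to 0xCC, revision 1 vs revision 2 hash headers) and only reports the layout, decrypting nothing.

```python
import struct

# Offsets inside a SAM user "V" value (SAM\Domains\Account\Users\<RID>\V),
# as described in public SAM layout write-ups (assumption: verify against
# the source of the parser you rely on).
NT_DESC_OFF = 0xA8   # DWORD offset + DWORD length of the NT-hash field
DATA_BASE = 0xCC     # descriptor offsets are relative to this point
HASH_LEN = 16

def nt_hash_field(v_blob: bytes) -> bytes:
    """Slice the raw NT-hash field out of a V value."""
    off, length = struct.unpack_from("<II", v_blob, NT_DESC_OFF)
    start = DATA_BASE + off
    return v_blob[start:start + length]

def classify_nt_hash(v_blob: bytes) -> dict:
    """Report the hash-field revision, whether a hash is actually stored,
    and what a parser that only knows the pre-1607 layout would conclude."""
    field = nt_hash_field(v_blob)
    # Pre-1607 logic: a 0x14-byte field (4-byte header + 16-byte hash) means
    # "password set"; any other length is read as "no password".
    legacy_view = len(field) == 4 + HASH_LEN
    if len(field) < 4:
        return {"revision": None, "present": False, "legacy_view": legacy_view}
    _pek_id, revision = struct.unpack_from("<HH", field, 0)
    if revision == 1:                       # wrapped hash directly after header
        present = len(field) >= 4 + HASH_LEN
    elif revision == 2:                     # AES layout: hdr(8) + salt(16) + data
        data_len = struct.unpack_from("<I", field, 4)[0]
        present = data_len >= HASH_LEN and len(field) >= 24 + data_len
    else:
        present = False
    return {"revision": revision, "present": present, "legacy_view": legacy_view}

def make_v(nt_field: bytes) -> bytes:
    """Constructed minimal V value: zeroed header, NT descriptor -> nt_field."""
    hdr = bytearray(DATA_BASE)
    struct.pack_into("<II", hdr, NT_DESC_OFF, 0, len(nt_field))
    return bytes(hdr) + nt_field

# Constructed sample fields (filler bytes only, no real hashes)
OLD_SET   = struct.pack("<HH", 0, 1) + b"\x11" * HASH_LEN
OLD_EMPTY = struct.pack("<HH", 0, 1)
AES_SET   = struct.pack("<HHI", 0, 2, 32) + b"\x22" * 16 + b"\x33" * 32
AES_EMPTY = struct.pack("<HHI", 0, 2, 0) + b"\x22" * 16

if __name__ == "__main__":
    for name, f in [("old/set", OLD_SET), ("old/empty", OLD_EMPTY),
                    ("aes/set", AES_SET), ("aes/empty", AES_EMPTY)]:
        print(name, classify_nt_hash(make_v(f)))
```

When `present` is True but `legacy_view` is False, the account has a stored hash that a pre-1607 parser will misreport as empty, which is the discrepancy the VM login exposed.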
 
  

Brevs11
Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Post Posted: Jan 29, 19 12:57

- randomaccess
I'll have to think through the problem; the password is stored somewhere, just where I don't know yet.


Many thanks for the info.

It makes you wonder how many people are reporting that no password is set on an account based on the 'industry standard' tools when one is actually set. This is why I've been trying to run a VM in every case... to be sure.
 

Page 1 of 3