recovering Users Password from Forensic image

12 Posts
5 Users
0 Likes
10.8 K Views
(@psalmtopzy)
Posts: 5
Active Member
Topic starter
 

Good day everyone, my name is George Samuel from Nigeria. I'm a second year student studying Cyber Security Science at the Federal University of Technology, Akure, Nigeria. I chose Digital Forensics as my preferred branch of cyber security and am still a beginner. I'm analyzing a data-leakage case.

I want to recover users' passwords from the data-leakage case. I got the SAM file of the registry hive but am unable to locate the syskey; I checked almost all the directories and folders but couldn't locate it. I only came across syskey.exe. I'm using Autopsy 4.6.0 to analyze the forensic image and AccessData Registry Viewer to analyze the registry files, but it requires that the syskey be loaded with the SAM file when I want to check whether a particular user set password protection, and also the NT hash, LM hash, old LM hash and old NT hash values… I would be glad if someone could help explain how I can extract the syskey for the password recovery. Thanks.

 
Posted : 10/07/2018 2:30 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It seems like you are looking for a "Syskey" file (or possibly Registry key).

There isn't any.

"Syskey" is actually a Boot Key (Startup Key) generated by Syskey.exe and stored inside the SYSTEM registry backing file, but it is not an actual key; it is actually "scrambled into subkeys of the following registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa".

See
http://www.oxid.it/cain.html
http://www.oxid.it/ca_um/topics/nt_hashes_dumper.htm
http://www.oxid.it/ca_um/topics/syskey_decoder.htm

Here is a step-by-step (under Linux) that should clear the matter up for you:
http://epyxforensics.com/recovering-a-windows-7-password-by-cracking-the-syskey-and-the-sam-hive-using-linux-ubuntu-11-10/

jaclaz

 
Posted : 10/07/2018 2:58 pm
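As an added illustration of the point made in the reply above (this is not code from the thread or from any of the tools linked there): the "syskey" is not a file, it is a 16-byte value that Windows spreads over the class names of the JD, Skew1, GBG and Data subkeys under Control\Lsa in the SYSTEM hive, and then permutes. The snippet below shows that reassembly step on its own, so a student can see what a registry tool is doing when it asks for the SYSTEM hive next to the SAM hive. The four class-name strings are constructed sample values, not from any real system; the 16-entry permutation is the fixed one documented in open-source hive parsers (for example creddump and impacket), which is stated here as a known fact rather than taken from the page.

```python
"""
Added example (not part of the forum thread): reassembling the Windows boot key
("syskey") from the class names of the four Lsa subkeys in an offline SYSTEM hive.
Works on the decoded class-name strings a registry viewer would show you.
"""
import binascii

# Order in which the four subkeys' class names are concatenated.
LSA_SUBKEYS = ("JD", "Skew1", "GBG", "Data")

# Fixed permutation applied to the 16 concatenated bytes
# (the order used by creddump / impacket; assumed correct here).
BOOTKEY_PERMUTATION = (8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7)


def decode_class_name(raw: bytes) -> str:
    """A hive stores a key's class name as UTF-16LE; registry viewers display it
    as text. Each of the four Lsa subkeys carries 8 hex characters (16 raw bytes)."""
    return raw.decode("utf-16-le")


def descramble_bootkey(class_names: dict) -> bytes:
    """Rebuild the 16-byte boot key from the decoded class names of
    JD, Skew1, GBG and Data (in that order)."""
    missing = [k for k in LSA_SUBKEYS if k not in class_names]
    if missing:
        raise KeyError(f"missing Lsa subkey class names: {missing}")
    scrambled_hex = "".join(class_names[k] for k in LSA_SUBKEYS)
    if len(scrambled_hex) != 32:
        raise ValueError(f"expected 32 hex characters, got {len(scrambled_hex)}")
    scrambled = binascii.unhexlify(scrambled_hex)
    # Apply the permutation: output byte i is scrambled byte PERMUTATION[i].
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


# Constructed sample class names (not real values) chosen so the permutation
# is easy to follow: byte n of the concatenation is 0x11 * n.
SAMPLE_CLASS_NAMES = {
    "JD": "00112233",
    "Skew1": "44556677",
    "GBG": "8899aabb",
    "Data": "ccddeeff",
}


def sample_bootkey_hex() -> str:
    """Boot key derived from the constructed sample, as lowercase hex."""
    return descramble_bootkey(SAMPLE_CLASS_NAMES).hex()


if __name__ == "__main__":
    print("concatenated class names:", "".join(SAMPLE_CLASS_NAMES[k] for k in LSA_SUBKEYS))
    print("boot key after permutation:", sample_bootkey_hex())
```

The result is the value that tools such as the ones linked above load alongside the SAM hive; nothing in the SAM file can be interpreted without it, which is why "load SAM, then load SYSTEM" is the two-step sequence most registry tools insist on. Because the class names live in the hive's key records rather than in any value data, a file search of the image will never turn up a "syskey" file, only the hive itself.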
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Try ophcrack.

Recover the main registry hives to one directory.

After loading the rainbow tables, select "Load -> Encrypted SAM" and select the directory containing the hives.

The usernames and hashes should populate the list.

Then click "Crack" and wait…

 
Posted : 10/07/2018 8:09 pm
(@psalmtopzy)
Posts: 5
Active Member
Topic starter
 

@AmNe5ia thanks for answering, but... I didn't see any encrypted SAM except the normal SAM hive.
@Jaclaz thanks for your help; I have the SIFT workstation, so I am also working towards the steps you gave me.

 
Posted : 11/07/2018 5:05 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@AmNe5ia thanks for answering, but... I didn't see any encrypted SAM except the normal SAM hive.

Don't worry, it is the "normal" SAM file, it is only called "encrypted" in Ophcrack, mainly because the "relevant" part is actually encrypted.

Some tools want you to load (in two steps) the SAM and SYSTEM files, some will work if you point them to a directory where both a SAM and SYSTEM file are present.

But besides and before the usage of a specific tool, you should become familiar with the theory behind it.

jaclaz

 
Posted : 11/07/2018 9:44 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

One alternative is to boot the image as a VM, then break in by creating a separate account (using a copy of the original image, not the original!) or an exploit (i.e. modifying the Windows installation to spawn a command prompt), run Volatility, dump the credentials and then crack 'em. Everything would be open as a book in memory for the taking.

As I said, do this against a COPY of the disk image, as this would be an active measure which will change the evidence on disk.

 
Posted : 11/07/2018 10:13 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

One alternative is to boot the image as a VM, …

Which IMHO is not exactly the easiest thing to do; though P2V tools exist, of course, it remains something complex (as a matter of fact I believe that post-Windows 7 there are a lot of factors, besides the usual issues with mass storage drivers, that make it more complex than before).

jaclaz

 
Posted : 11/07/2018 10:47 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Ophcrack, Cain & Abel, and maybe even John the Ripper can be used (per pp. 74 & 75 of "Windows Registry Forensics", 2/e).

 
Posted : 11/07/2018 10:59 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

One alternative is to boot the image as a VM, …

Which IMHO is not exactly the easiest thing to do; though P2V tools exist, of course, it remains something complex (as a matter of fact I believe that post-Windows 7 there are a lot of factors, besides the usual issues with mass storage drivers, that make it more complex than before).

jaclaz

Who said forensics should be easy? There is always something new to learn, a new tool pops up every day and if you're lucky it comes with a description of what it actually does, if you are really lucky it comes with a PDF manual.

Gaining access is often a part of the investigations that I have taken part in; it's not just image drive, waity-waity, look - there is the evidence, start Microsoft Word, writey-writey - done.

You learn to circumvent the user, even use exploits if necessary.

(And I'll reiterate - always against a COPY of the disk image.)

 
Posted : 11/07/2018 3:21 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Who said forensics should be easy? There is always something new to learn, a new tool pops up every day and if you're lucky it comes with a description of what it actually does, if you are really lucky it comes with a PDF manual.

Sure, no one said that, but the OP is a second year student, and he should do at this stage what is more simple and linear (and before that understand the underlying theory). It is surely a good thing to suggest alternative ways, but with the warning that they are not the straightest path possible (unless they actually are).

OT, but not much, it is like when I try to help kids with their math problems, I always need to focus on what they have been taught till then, even if (to me) a much simpler solution would be using some (say) algebra, I cannot use that.

jaclaz

 
Posted : 11/07/2018 4:00 pm