User passwords in the Registry


chrism
Senior Member
 

User passwords in the Registry

Posted: Mar 19, 10 14:10

Hey all,

How do you know if a user had a password on their account?

Seems like a simple question but I've been trying to understand the 'Last Reset' time in the SAM\Domains\Account\Users\

Will this time also change if the user removed their password? As technically it has 'changed' from having a password to not having one.

I just want to know if the user had a password or not, any help or guidance to find where this is stored I'd be very grateful.  
 
  

ssenyl
Member
 

Re: User passwords in the Registry

Posted: Mar 19, 10 15:49

If you look in HKLM\SAM\SAM\Domains\Account\Names you will find a list of all user accounts on the machine. Select the one you are interested in and you will find the key contains a value (e.g. 0x3E8). This is the Relative Identifier (RID).

Using that information go to HKLM\SAM\SAM\Domains\Account\Users which will contain a number of folders named such as 000003E8.

In this example this relates to the user 'Rob' identified in stage 1.

Select that key and you will find it contains a subkey named 'V'. Double click it and scroll down to the location 00AC. If the value is 14 then a password is set.

Another subkey may be UserPasswordHint. Double click it and you will be able to read what the hint is.

Hope this helps?  
 
  

chrism
Senior Member
 

Re: User passwords in the Registry

Posted: Mar 19, 10 16:14

I've found the subkey 'V' but what do you mean by 'location 00AC'?

I've found the value 00 AC in HEX and there are a few 14's scattered around the place, but these 14's are in HEX so I'm not sure - where do you find this location?

I'm using Access Data's Registry Viewer by the way.  
 
  

ssenyl
Member
 

Re: User passwords in the Registry

Posted: Mar 19, 10 17:04

00AC refers to the offset (172 decimal). I can't remember if Access Data Registry Viewer shows offsets in decimal or hex, but either way, if you have the V key open and get to the offset mentioned, the value 14 indicates that a password is present.  
 
  

woany
Member
 

Re: User passwords in the Registry

Posted: Mar 19, 10 23:22

Try my ForensicUserInfo tool, which was written for exactly this purpose:

www.woanware.co.uk/for...cuserinfo/

To use it, you need to extract the SAM, SYSTEM and SOFTWARE hives. When you select the File->Open option, it will prompt three times, once for each hive, and it will tell you the required hive in the title bar of the Open File dialog.

There is a column called "Password Required" which will tell you the current password requirement for each user.

It is not as simple as just looking at the registry values, the stored registry values need to be deobfuscated using a number of algorithms including RC4 and DES, along with the SYSKEY to retrieve the NTLM and LANMAN hashes. Only then can it be determined if a password is required for a user.  
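Added example, not code from any poster or from the ForensicUserInfo tool: a small Python parser for the header of a user's V value that reads the username and the field ssenyl's "location 00AC" refers to (the NT hash length), following the V layout documented by open-source SAM parsers. The V blob it runs on is constructed inline, and the 0x14 length assumes the RC4-era hash format; as woany's reply explains, this only shows whether an obfuscated hash is stored, not whether that hash is the hash of an empty password.

```python
import struct

# Field offsets inside a SAM user "V" value (the RID-named key under SAM\Domains\Account\Users).
# The first 0xCC bytes are (offset, length, flags) DWORD triples; data offsets are relative to
# the end of that header. 0xAC is the NT hash length field behind ssenyl's "location 00AC".
V_HEADER_LEN = 0xCC
NAME_OFFSET, NAME_LENGTH = 0x0C, 0x10
LM_OFFSET, LM_LENGTH = 0x9C, 0xA0
NT_OFFSET, NT_LENGTH = 0xA8, 0xAC
# 4-byte revision header + 16-byte RC4/DES-obfuscated hash; assumed XP..Windows 8 format
# (later Windows 10 builds store a longer AES-wrapped blob here, so 0x14 is version-specific).
RC4_HASH_BLOB_LEN = 0x14

def user_key_name(rid: int) -> str:
    """RID read from SAM\\Domains\\Account\\Names\\<user> -> subkey name under ...\\Users."""
    return f"{rid:08X}"

def _dword(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]

def parse_v(v: bytes) -> dict:
    """Extract the username and the LM/NT hash field lengths from a V value."""
    if len(v) < V_HEADER_LEN:
        raise ValueError("V value shorter than its 0xCC-byte header")
    name_off = _dword(v, NAME_OFFSET) + V_HEADER_LEN
    name_len = _dword(v, NAME_LENGTH)
    return {
        "username": v[name_off:name_off + name_len].decode("utf-16-le"),
        "lm_hash_length": _dword(v, LM_LENGTH),
        "nt_hash_length": _dword(v, NT_LENGTH),
    }

def nt_hash_stored(v: bytes) -> bool:
    """True when offset 0xAC says a full obfuscated NT hash blob is stored. Whether that hash
    is the hash of an empty password needs SYSKEY deobfuscation, which this does not do."""
    return _dword(v, NT_LENGTH) == RC4_HASH_BLOB_LEN

def build_sample_v(username: str, with_nt_hash: bool) -> bytes:
    """Constructed fixture, not a real hive extract: header, UTF-16LE name, LM and NT blobs."""
    header, data = bytearray(V_HEADER_LEN), bytearray()
    name = username.encode("utf-16-le")
    struct.pack_into("<II", header, NAME_OFFSET, len(data), len(name)); data += name
    # LM hash field: revision header only (no LM hash stored, the usual Vista+ case)
    struct.pack_into("<II", header, LM_OFFSET, len(data), 4); data += b"\x01\x00\x01\x00"
    nt_blob = b"\x01\x00\x01\x00" + (b"\xAA" * 16 if with_nt_hash else b"")
    struct.pack_into("<II", header, NT_OFFSET, len(data), len(nt_blob)); data += nt_blob
    return bytes(header + data)
```

Running `parse_v(build_sample_v("Rob", True))` reports an NT hash length of 0x14, the value the thread says to look for at offset 00AC; the `False` fixture reports 4, i.e. a header with no hash behind it.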
 
  

sierraindia
Member
 

Re: User passwords in the Registry

Posted: Mar 21, 10 20:27

If you can get the image to boot in a virtual machine then you can try to logon using each user account and see if you get a password prompt.  
 
  

paulo111
Member
 

Re: User passwords in the Registry

Posted: Mar 23, 10 16:30

Ophcrack would show you accounts without a password. You just export the SAM and import it into Ophcrack outside the case... The free rainbow tables are available, but I am not sure on the charge for the larger tables..  
 
