Hi All,
I have an E.01 disk image. I restored this image and now I have an evidence disk too (Vista OS on the disk).
I want to find all usernames and passwords on the disk (IE, Mozilla, Messenger, etc.).
If you can advise an easy-to-use finder software for all passwords, I will be happy. Thanks.
I am not sure there is an application that will do that. IE will require a combination of Registry analysis and password recovery, Firefox takes Registry and SQL and password recovery, etc. Each application you want to examine will require some combination of attack to discover the key, and some may not be found.
Well, I think the simplest solution is to emulate your restored image in VMware. After you log in, just mount a CD with Helix/Cain and use Nirsoft’s Password Recovery Utilities: MailPassView, MessenPass, NetworkPasswordRecovery, ProtectedStoragePassView…
Asterisk Logger can also be useful for retrieving passwords from unusual applications…
Good luck!
Well, I think the simplest solution is to emulate your restored image in vmware.
I would advise Qemu, as it is usually easier to boot a pre-made image in it (fewer problems with mass-storage drivers), AND it can use RAW images directly.
Under Windows, Qemu Manager
http//
makes using Qemu as easy as any other VM.
It will probably be slowish, though.
jaclaz
Re Michalwrp: I understand. I think only RAW images are emulated in VMware. I am converting the E01 image to RAW now.
Re jaclaz: I think my conversion is enough for your method. I will try it. Thanks.
Not quite,
You don’t have to convert it into raw (VMware doesn’t support raw); just plug in the disk with the restored image (e.g. via USB connection) and create a new machine with your physical disk (this tutorial can help http//
(vmware doesn’t support raw)
Yes it does, as long as you write a .pln (old format) or .vmdk descriptor file for it.
http//
A RAW image is simply a "monolithic-flat" without descriptor.
Just in case, a .pln-making batch is here:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1489&postdays=0&postorder=asc&start=38
jaclaz