recovering Users Password from Forensic image  

psalmtopzy
(@psalmtopzy)
New Member

Good day everyone, my name is George Samuel from Nigeria. I'm a second year student studying Cyber Security Science at the Federal University of Technology, Akure, Nigeria. I chose Digital Forensics as my best choice of cyber security and am still a beginner. I'm analyzing a data-leakage case.

I want to recover users' passwords from the data-leakage case. I got the SAM file of the registry hive but I am unable to locate the syskey; I checked almost all the directories and folders but couldn't locate it. I only came across syskey.exe. I'm using Autopsy 4.6.0 to analyze the forensic image and AccessData Registry Viewer to analyze the registry files, but it requires that the syskey be loaded with the SAM file when I wanted to check if a particular user set a password protection, and also the NT hash, LM hash, old LM hash and old NT hash values. I would be glad if someone could help explain how I can extract the syskey for the password recovery. Thanks.

Quote
Posted : 10/07/2018 3:30 pm
jaclaz
(@jaclaz)
Community Legend

It seems like you are looking for a "Syskey" file (or possibly Registry key).

There isn't any.

"Syskey" is actually a Boot Key (Startup Key) generated by Syskey.exe and stored inside the SYSTEM registry backing file, but it is not an actual key; it is actually "scrambled into subkeys of the following registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa".

See
http://www.oxid.it/cain.html
http://www.oxid.it/ca_um/topics/nt_hashes_dumper.htm
http://www.oxid.it/ca_um/topics/syskey_decoder.htm

Here is a step-by-step (under Linux) that should clear the matter up for you:
http://epyxforensics.com/recovering-a-windows-7-password-by-cracking-the-syskey-and-the-sam-hive-using-linux-ubuntu-11-10/

jaclaz

ReplyQuote
Posted : 10/07/2018 3:58 pm
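To make the "scrambled into subkeys" point above concrete, here is an added example (not from this thread or from any of the linked tools) of how the boot key is reassembled from the four class names. It assumes the class names of the JD, Skew1, GBG and Data subkeys under HKLM\System\CurrentControlSet\Control\Lsa have already been read from an offline SYSTEM hive with a registry parser; the sample values below are constructed for illustration.

```python
from binascii import unhexlify

# Order in which the four Lsa subkeys' class names are concatenated.
LSA_SUBKEYS = ("JD", "Skew1", "GBG", "Data")

# Byte permutation that undoes the scrambling: bootkey[i] = scrambled[PERMUTATION[i]].
PERMUTATION = (0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
               0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7)


def derive_bootkey(class_names: dict) -> bytes:
    """Return the 16-byte boot key from the Lsa subkey class names.

    class_names maps each of JD, Skew1, GBG and Data to its 8-character hex
    class name. The key material lives in the subkeys' class names, not in
    any value data, which is why it is never found as a file or a value.
    """
    scrambled_hex = "".join(class_names[name] for name in LSA_SUBKEYS)
    if len(scrambled_hex) != 32:
        raise ValueError("expected 4 x 8 hex characters, got %d" % len(scrambled_hex))
    scrambled = unhexlify(scrambled_hex)
    return bytes(scrambled[i] for i in PERMUTATION)


# Constructed sample (not from a real hive): scrambled bytes 00..0f,
# so each output byte simply equals the permutation index it was taken from.
SAMPLE_CLASS_NAMES = {
    "JD": "00010203",
    "Skew1": "04050607",
    "GBG": "08090a0b",
    "Data": "0c0d0e0f",
}

if __name__ == "__main__":
    print(derive_bootkey(SAMPLE_CLASS_NAMES).hex())
```

The resulting 16 bytes are what the tools above (and Registry Viewer's "load syskey" step) expect before they can unlock the hashes in the SAM hive.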
AmNe5iA
(@amne5ia)
Active Member

Try ophcrack.

Recover the main registry hives to one directory.

After loading the rainbow tables, select "Load -> Encrypted SAM" and select the directory containing the hives.

The usernames and hashes should populate the list.

Then click "Crack" and wait…

ReplyQuote
Posted : 10/07/2018 9:09 pm
psalmtopzy
(@psalmtopzy)
New Member

@AmNe5ia thanks for answering, but I didn't see any encrypted SAM except the normal SAM hive.
@Jaclaz thanks for your help; I have a SIFT workstation so I am also working towards the steps you gave me.

ReplyQuote
Posted : 11/07/2018 6:05 am
jaclaz
(@jaclaz)
Community Legend

@AmNe5ia thanks for answering, but I didn't see any encrypted SAM except the normal SAM hive.

Don't worry, it is the "normal" SAM file, it is only called "encrypted" in Ophcrack, mainly because the "relevant" part is actually encrypted.

Some tools want you to load (in two steps) the SAM and SYSTEM files, some will work if you point them to a directory where both a SAM and SYSTEM file are present.

But besides and before the usage of a specific tool, you should become familiar with the theory behind it.

jaclaz

ReplyQuote
Posted : 11/07/2018 10:44 am
MDCR
(@mdcr)
Active Member

One alternative is to boot the image as a VM, then break in by creating a separate account (using a copy of the original image, not the original!) or an exploit (i.e. modifying the Windows installation to spawn a command prompt), run Volatility, dump the credentials and then crack 'em. Everything would be open like a book in memory for the taking.

As I said, do this against a COPY of the disk image, as this would be an active measure which will change the evidence on disk.

ReplyQuote
Posted : 11/07/2018 11:13 am
jaclaz
(@jaclaz)
Community Legend

One alternative is to boot the image as a VM, …

Which IMHO is not exactly the easiest thing to do; though P2V tools exist, of course, it remains something complex (as a matter of fact I believe that post-Windows 7 there are a lot of factors, besides the usual issues with mass storage drivers, that make it more complex than before).

jaclaz

ReplyQuote
Posted : 11/07/2018 11:47 am
keydet89
(@keydet89)
Community Legend

Ophcrack, Cain & Abel, and maybe even John the Ripper can be used (per pp. 74 & 75 of "Windows Registry Forensics", 2/e).

ReplyQuote
Posted : 11/07/2018 11:59 am
MDCR
(@mdcr)
Active Member

One alternative is to boot the image as a VM, …

Which IMHO is not exactly the easiest thing to do; though P2V tools exist, of course, it remains something complex (as a matter of fact I believe that post-Windows 7 there are a lot of factors, besides the usual issues with mass storage drivers, that make it more complex than before).

jaclaz

Who said forensics should be easy? There is always something new to learn, a new tool pops up every day and if you're lucky it comes with a description of what it actually does; if you are really lucky it comes with a PDF manual.

Gaining access is often a part of the investigations that I have taken part in; it's not just image drive, waity-waity, look - there is the evidence, start Microsoft Word, writey-writey - done.

You learn to circumvent the user, even use exploits if necessary.

(And I'll reiterate - always against a COPY of the disk image.)

ReplyQuote
Posted : 11/07/2018 4:21 pm
jaclaz
(@jaclaz)
Community Legend

Who said forensics should be easy? There is always something new to learn, a new tool pops up every day and if you're lucky it comes with a description of what it actually does; if you are really lucky it comes with a PDF manual.

Sure, no one said that, but the OP is a second-year student, and he should do at this stage what is more simple and linear (and before that understand the underlying theory). It is surely a good thing to suggest alternative ways, but with the warning that they are not the straightest path possible (unless they actually are).

OT, but not by much: it is like when I try to help kids with their math problems, I always need to focus on what they have been taught till then; even if (to me) a much simpler solution would be using some (say) algebra, I cannot use that.

jaclaz

ReplyQuote
Posted : 11/07/2018 5:00 pm
psalmtopzy
(@psalmtopzy)
New Member

Hello, thanks for helping. I got the four users' password hashes already, and I was able to decrypt two using an on-line hash-cracker, but I am unable to decrypt two yet. I used Ophcrack, but I couldn't decrypt the password; I tried using Cain and Abel, still the same, but I was also thinking John the Ripper should be okay, but I have been unable to install John the Ripper on my SIFT workstation. These are the commands I ran to install john-the-ripper:
$sudo apt-get install john
$sudo aptitude john
$sudo apt-get install john-the-ripper
After trying these commands I was still unable to download John the Ripper. Though I have Ophcrack on my SIFT, I don't know if I will be able to decrypt the password hash on SIFT even though I have tried it on Windows Ophcrack; also if I could get another hash decrypter. Looking forward to your answers. THANKS A LOT

ReplyQuote
Posted : 14/07/2018 3:46 pm
jaclaz
(@jaclaz)
Community Legend

Hello, thanks for helping. I got the four users' password hashes already, and I was able to decrypt two using an on-line hash-cracker, but I am unable to decrypt two yet. I used Ophcrack, but I couldn't decrypt the password; I tried using Cain and Abel, still the same, but I was also thinking John the Ripper should be okay, but I have been unable to install John the Ripper on my SIFT workstation. These are the commands I ran to install john-the-ripper:
$sudo apt-get install john
$sudo aptitude john
$sudo apt-get install john-the-ripper
After trying these commands I was still unable to download John the Ripper. Though I have Ophcrack on my SIFT, I don't know if I will be able to decrypt the password hash on SIFT even though I have tried it on Windows Ophcrack; also if I could get another hash decrypter. Looking forward to your answers. THANKS A LOT

That's OK, as it likely won't do anything.

John the Ripper is essentially a "brute force and dictionary password cracker" (though with some very good features/additions/options), see
https://www.win.tue.nl/~aeb/linux/john/john.html

It will either take forever or find nothing (or find exactly the same that Ophcrack will find) in a "reasonable" time.

The Ophcrack approach is usually faster, but since it failed (partially) in your case, you may want to try Hashcat/oclhashcat
https://hashcat.net/wiki/doku.php?id=hashcat
https://hashcat.net/wiki/doku.php?id=oclhashcat_lite
see also
https://www.reddit.com/r/crypto/comments/yuqyi/john_the_ripper_vs_oclhashcatlite/

or RainbowCrack
http://project-rainbowcrack.com/

Of course actual performance will depend on what hardware you have available.

jaclaz

ReplyQuote
Posted : 14/07/2018 5:11 pm