
Cache Passwords

(@cardrb)
Eminent Member
Joined: 19 years ago
Posts: 17
Topic starter  

I have been looking at a machine; the person is using web-based mail, so they enter their email address and password.

I have checked the cache of Internet Explorer and found the link; however, when I click on the link it takes me to the web page but still requires the password to be put in.

Is the password stored somewhere else?

Could it be in the NTuser.dat file?

Thanks


   
 dcso
(@dcso)
Eminent Member
Joined: 19 years ago
Posts: 31
 

Passwords can sometimes be found in the Protected Storage System Provider in the NTUSER.dat file. This section can be decrypted by using a program like AccessData's Registry Viewer.

However, I would be careful as to logging into someone else's account. This brings up a whole slew of ethical and legal issues.


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

However, I would be careful as to logging into someone else's account. This brings up a whole slew of ethical and legal issues.

Exactly - unless cardrb has legal authorisation to access someone else's account then it is a no-no.


   
(@redcellsecurity)
Eminent Member
Joined: 19 years ago
Posts: 37
 

Passwords can sometimes be found in the Protected Storage System Provider in the NTUSER.dat file. This section can be decrypted by using a program like AccessData's Registry Viewer.

However, I would be careful as to logging into someone else's account. This brings up a whole slew of ethical and legal issues.

Indeed, this is a clear violation of the owner's expectation of privacy. Do it, and he can sue you, own your house, your company, etc… not a wise move. If it is crucial to the case, then get a judge to sign off on it.


   
az_gcfa
(@az_gcfa)
Estimable Member
Joined: 19 years ago
Posts: 116
 

Do not consider this as legal advice. I would consult appropriate legal counsel for proceeding.

I think this subject needs some clarification. Viewing private email (ISP, Yahoo, Google, MSN, etc.) without proper legal authorization is a violation of the Electronic Communications Privacy Act.

However, if the e-mail is a corporate e-mail service (e-mail services owned and operated by the employer and provided to the employee for the purpose of conducting the business of the corporation), the e-mail service shall be considered a corporate asset and is governed by established business standards, a.k.a. corporate policy. This still does not mean you (the investigator) are authorized to access the communications in the account. You should contact and consult legal counsel before you venture down this path. Some gray areas of concern: leased corporate e-mail services such as leased Yahoo, ISP or hosted services, and use of private e-mail from corporate resources.

Personally, I would never log in to anyone's account for any reason. [This could be considered as hacking - unauthorized access on third party resources.] There are too many other ways to legally and ethically obtain the required information. Using a person's userid and password with an on-line system is the quickest way to blow your credibility as a forensic analyst (hacker tactic). Ask for a copy of the latest backups or a dump of the message store.

I shall repeat the warning to stress the importance of this information!

I would always consult legal advisors (corporate) before accessing, viewing or revealing contents of messaging queues and undelivered e-mail traffic (e-mail server mail queue contents) due to ECPA restrictions or review the search warrant or subpoena as appropriate for judicial restrictions or limitations.


   
(@secret_squirrel)
Eminent Member
Joined: 20 years ago
Posts: 38
 

careful )

You don't want to access the account, but maybe the fact that the site is possibly stored in the link or favorite section is enough to support the claim that this user is accessing the site?

Maybe also, the browser is set to save these user names and passwords? If so, shouldn't that be enough to prove that PC has accessed that site?

If the browser is set to store the passwords, then you could install Firefox on that PC and import all IE settings. Then you can simply view the passwords.

BUT, you have been given the best advice already!!!

DO NOT access that web account, as you will surely be breaking some law somewhere.

-SS


   