Hey all,
I have a file that is of importance, and I need to know what user account it belonged to (i.e. who created it). I also want to know if this user account had a password on it.
Any ideas on how I go about this? I've loaded the SAM file into FTK's RV and looked at the keys I think are important in Domains/Account/Users and looked at the F values to see the last logged-in time, etc. Could anyone give me clarification on this?
Any way of knowing if file xxx.jpg was created before or after the password was put on the account?
Compare the create dates. I would assume, if a file is in a user profile… then that file was created in that user profile. Do a scan of when the password was changed last vs. the file create date.
What if the user removed their password? Would the last changed date be updated even if the user didn't technically change their password?
I have a file that is of importance, and I need to know what user account it belonged to (i.e. who created it). I also want to know if this user account had a password on it.
I'd suggest SAMInside or pwdump7 to get the hashes from the SAM and System hive. From there, you can try to crack the password using SAMInside, John the Ripper, L0phtCrack, etc.
Any ideas on how I go about this? I've loaded the SAM file into FTK's RV and looked at the keys I think are important in Domains/Account/Users and looked at the F values to see the last logged-in time, etc. Could anyone give me clarification on this?
RegRipper's samparse plugin will parse the SAM hive and provide you with the Password Reset Date for the user account.
Any way of knowing if file xxx.jpg was created before or after the password was put on the account?
I'm sure that you have the MFT and the MACE times for the file…that's all you need, really.
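As an added example (not code from the thread, and not RegRipper's own code), the script below does in Python what the replies above describe doing by hand: it parses the F value of a SAM Domains\Account\Users\<RID> key at the offsets RegRipper's samparse plugin uses (last logon at 0x08, password last set at 0x18, account expires at 0x20, last failed logon at 0x28, RID at 0x30, ACB flags at 0x38, failed/logon counts at 0x40/0x42), decodes the FILETIME fields, and then compares the password-last-set time against a file's MFT $STANDARD_INFORMATION timestamps. The F value and the file timestamps are constructed fixtures built by make_f_value(), not data from a real hive or image; all function names are my own.

```python
"""Parse a SAM user-key F value and compare its password-last-set time with
a file's MFT timestamps. Added example; the sample data is constructed."""
import struct
from datetime import datetime, timedelta, timezone

# Field offsets inside the F value, as read by RegRipper's samparse plugin.
OFF_LAST_LOGON   = 0x08
OFF_PWD_LAST_SET = 0x18
OFF_ACCT_EXPIRES = 0x20
OFF_LAST_FAILED  = 0x28
OFF_RID          = 0x30
OFF_ACB_FLAGS    = 0x38
OFF_FAILED_COUNT = 0x40
OFF_LOGON_COUNT  = 0x42

# ACB (account control) bits, as samparse names them.
ACB_FLAGS = {
    0x0001: "Account Disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed fixture."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_f_value(f):
    """Decode the fields samparse reports from the raw F value bytes."""
    if len(f) < 0x44:
        raise ValueError("F value too short: %d bytes" % len(f))
    acb = struct.unpack_from("<H", f, OFF_ACB_FLAGS)[0]
    ft = lambda off: filetime_to_datetime(struct.unpack_from("<Q", f, off)[0])
    return {
        "rid": struct.unpack_from("<I", f, OFF_RID)[0],
        "last_logon": ft(OFF_LAST_LOGON),
        "pwd_last_set": ft(OFF_PWD_LAST_SET),
        "acct_expires": ft(OFF_ACCT_EXPIRES),
        "last_failed_logon": ft(OFF_LAST_FAILED),
        "acb_flags": acb,
        "acb_names": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_count": struct.unpack_from("<H", f, OFF_FAILED_COUNT)[0],
        "logon_count": struct.unpack_from("<H", f, OFF_LOGON_COUNT)[0],
    }

def file_vs_password(file_times, account):
    """For each MFT timestamp (UTC-aware datetime, or None) say whether it falls
    before or after the account's password-last-set time. FILETIME and MFT
    times are both UTC, so the comparison needs no timezone shuffling."""
    pwd = account["pwd_last_set"]
    return {name: ("unknown" if pwd is None or ts is None
                   else "before" if ts < pwd else "after")
            for name, ts in file_times.items()}

def make_f_value(rid, last_logon, pwd_last_set, acb, logon_count):
    """Constructed fixture (not from a real hive): an 80-byte F value with the
    given fields at the samparse offsets and zeros everywhere else."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, OFF_LAST_LOGON, datetime_to_filetime(last_logon))
    struct.pack_into("<Q", f, OFF_PWD_LAST_SET, datetime_to_filetime(pwd_last_set))
    struct.pack_into("<I", f, OFF_RID, rid)
    struct.pack_into("<H", f, OFF_ACB_FLAGS, acb)
    struct.pack_into("<H", f, OFF_LOGON_COUNT, logon_count)
    return bytes(f)

UTC = timezone.utc
# Constructed sample: RID 1001, password set 2010-02-01, last logon 2010-03-04.
SAMPLE_F = make_f_value(1001, datetime(2010, 3, 4, 12, 0, tzinfo=UTC),
                        datetime(2010, 2, 1, 9, 30, tzinfo=UTC), 0x0010, 7)
# Constructed $STANDARD_INFORMATION times for the file of interest.
SAMPLE_FILE_TIMES = {
    "created":  datetime(2010, 1, 15, 8, 0, tzinfo=UTC),
    "modified": datetime(2010, 3, 1, 17, 45, tzinfo=UTC),
}

if __name__ == "__main__":
    acct = parse_f_value(SAMPLE_F)
    for k, v in acct.items():
        print("%-18s %s" % (k, v))
    print(file_vs_password(SAMPLE_FILE_TIMES, acct))
```

To run it on real data, export the F value from the user's RID key with your registry tool and pass the bytes to parse_f_value(), and take the created/modified times from the file's MFT record. Note that pwd_last_set only tells you when the last password change was recorded, not what the password became; whether the account actually has a non-empty password is a question for the hash, as the earlier reply about SAMInside/pwdump says.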