Hi,
I have a case where the email password is saved by outlook. Is there a tool or method that allow the investigator to restore the password!
I understand that the email password is stored in the registry. Is that right?
Regards…
Hi there,
Just more information.
I found that the password is stored in the following registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
What is the best tool to decrypt/decode the password there?
regards..
There are many tools for getting passwords, PRTK/DTA, Passware, Advanced Office Password Recovery, etc. There is not a "best" as far as I can tell, there is just the one that happens to work with your current case. I have had all fail on one or another attempts. In those cases you just try another program.
Thanks for replying.
I found that most of the tools work only on live system. When I tried on a forensics image these tools do not allow me to load files from the image and try to read the analysis workstation files.
Do you know a specific tool that read file from system image?
Thanks for replying.
I found that most of the tools work only on live system. When I tried on a forensics image these tools do not allow me to load files from the image and try to read the analysis workstation files.
Do you know a specific tool that read file from system image?
Just export the file from the image and then work on it.
outlook express? or outlook 200X?
Here is a article on Outlook Passwords(include source code)
http//
Passwords are stored using Protected Storage in Windows 2k and XP. This program will reveal -
Outlook Passwords
Deleted Outlook Account passwords
IE Password-Protected sites passwords
MSN Explorer Signup passwords
IE AutoComplete Passwords
IE Auto Complete Fields in 9x it will show the cached dialup passwords
The image that I am working on is windows 7 and the outlook version is 2010.
I tired PRTK with the registry files and it did not decrypt the passwords.
The password registry hives for outlook password is stored in the NTUSER.DAt of the user.
Tools such as OutlookPasswordDecryptor and MailPassView work only on live systems. I tried to load registry files to these tools but there is no option to import files.
I found a code to decrypt the outlook password but it also reads from live system and not from a registry file. I am working to change it to allow me to read files. The code is in this page
http//
Thanks to you all for relying.
The image that I am working on is windows 7 and the outlook version is 2010.
I tired PRTK with the registry files and it did not decrypt the passwords.
The password registry hives for outlook password is stored in the NTUSER.DAt of the user.
Unless there has been an update PRTK does not work with Office 2010.