FTK Registry Viewer

3 Posts
2 Users
0 Reactions
2,047 Views
rjpear
(@rjpear)
Trusted Member
Joined: 20 years ago
Posts: 97
Topic starter [#2616]

Hey Folks.. I am currently examining a Vista Box in which the user was using IE7 as his browser of choice. Poking around the NTUSER registry file for my target I see the entries in the IntelliForms Key (Software\Microsoft\Internet Explorer\IntelliForms) are now encrypted (Nice eh?). I have AD's registry viewer but it doesn't seem to be able to decrypt it. Is there a way using PRTK.. and maybe the SAM file..or something… that will decrypt those entries?? I'm just throwing stuff out there and hoping something will stick.
I know there are utilities that will show the Encrypted entries but the Owner/User must be logged on at the time. So something's tied in with that account I assume…

Thanks for any input..

Rob

(@bithead)
Noble Member
Joined: 21 years ago
Posts: 1206

IntelliForms uses DPAPI.

To recover you need User's Logon password, contents of the Protect folder, and the actual address of the form data, password logon, query or whatever you are trying to view.

The URL in question is part of the encryption.

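Bithead's point that the URL is part of the encryption is the piece an examiner can act on before any DPAPI key material is recovered. The script below is an added example for this thread, not code from the forum posters or from AccessData's tools. It follows the widely documented IE7 layout of the Storage2 subkey under the IntelliForms key rjpear quotes: each value is named by the uppercase hex SHA-1 of the URL in UTF-16LE (terminating NUL included) plus a one-byte checksum, and the same wide URL is the optional entropy passed to DPAPI. Hashing candidate URLs taken from the user's browsing history therefore lets you label the otherwise opaque entries; the URLs and value names used here are constructed samples. The DPAPI decryption itself is not performed: as bithead says, that still needs the user's logon password and the Protect folder contents.

```python
import hashlib

# Registry path quoted in the thread, relative to the user's NTUSER.DAT hive.
INTELLIFORMS_KEY = r"Software\Microsoft\Internet Explorer\IntelliForms"
STORAGE2_KEY = INTELLIFORMS_KEY + r"\Storage2"


def url_to_wide_bytes(url: str) -> bytes:
    """Encode a URL as IE7 does before hashing it and before handing it to
    DPAPI: UTF-16LE with the terminating NUL (two zero bytes) included."""
    return url.encode("utf-16-le") + b"\x00\x00"


def storage2_value_name(url: str) -> str:
    """Derive the Storage2 value name for a URL.

    Layout (IE7, widely documented): 40 uppercase hex chars of SHA-1 over the
    wide URL, then a 2-char checksum which is the sum of the 20 digest bytes
    modulo 256. The URL must match exactly as IE stored it (scheme, host case,
    path, query), which is why browsing history is the usual candidate source.
    """
    digest = hashlib.sha1(url_to_wide_bytes(url)).digest()
    checksum = sum(digest) & 0xFF
    return digest.hex().upper() + f"{checksum:02X}"


def dpapi_entropy(url: str) -> bytes:
    """Optional entropy that DPAPI tooling must supply together with the user's
    master key to unprotect the value: the same wide, NUL-terminated URL."""
    return url_to_wide_bytes(url)


def match_value_names(value_names, candidate_urls):
    """Map encrypted Storage2 value names back to URLs by hashing candidates.

    Returns {value_name: url} for every hit. Names with no matching candidate
    stay unresolved, so the examiner knows which entries still need a URL.
    """
    lookup = {storage2_value_name(u): u for u in candidate_urls}
    return {name: lookup[name] for name in value_names if name in lookup}


def unresolved_value_names(value_names, candidate_urls):
    """Value names that none of the candidate URLs account for."""
    resolved = match_value_names(value_names, candidate_urls)
    return [name for name in value_names if name not in resolved]


if __name__ == "__main__":
    # Constructed sample: URLs an examiner might pull from index.dat / history,
    # and the value names they would appear under in Storage2.
    history = [
        "https://webmail.example.test/login",
        "http://forum.example.test/ucp.php?mode=login",
    ]
    observed = [storage2_value_name(u) for u in history]
    observed.append("0" * 40 + "00")  # constructed entry with no known URL

    for name, url in match_value_names(observed, history).items():
        print(f"{name}  <-  {url}")
        print(f"    DPAPI entropy: {dpapi_entropy(url).hex()}")
    for name in unresolved_value_names(observed, history):
        print(f"{name}  <-  (no candidate URL matched)")
```

Use the resolved URLs to decide which entries are worth the DPAPI effort; each one still has to be unprotected individually with its own entropy, so labelling first saves a round of guesswork.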
rjpear
(@rjpear)
Trusted Member
Joined: 20 years ago
Posts: 97
Topic starter

Lovely.. And the form data is encrypted so I have no idea what I'm really looking at (URL etc..) Nice… I do know there is no password assigned to the account so I guess I could boot it live and poke around a bit..
Maybe after forfeiture..eh?

Thanks
Rob
