Lastpass and LUKS
I am working on a case where the suspect has a Windows 10 PC that is not encrypted, and is using an offline account that is password protected.
He provided us the Windows password when asked for it.
He primarily uses the Firefox web browser and has the lastpass Firefox extension installed.
We found that once the Firefox browser is launched, the lastpass extension automatically logs into his lastpass account because he ticked the "remember password" box however, I know this would not be forensically sound to go looking inside his password vault this way.
What would be the best option at finding out his master password in a forensically sound way in these circumstances?
Suspect also has a laptop protected with LUKS encryption, and we hope his lastpass master password and vault may shed some light on what his LUKS passphrase could be.
Any help would be appreciated.
I am not understanding.
If the suspect is collaborating and already provided the Windows Login password, why not asking him/her the other *needed* passwords?
About LastPass autologin not being "forensic sound", what is the problem?
As I see it the Lastpass account is a "container" and you can access its contents (how you are able to access them doesn't seem to me relevant).
In which way is it different from a plain text file (that requires no password) or from - say - a .zip encrypted file which (in some cases) you can access with a plain text attack, i.e. decrypting it with generated keys without knowing the actual password?