Hi all,
A colleague of mine is looking at a Windows 7 machine and needs to find out whether one of the user accounts has a password or not. The account is showing (according to Encase's Case Processor) as a domain account, with another account as a local user. It's just a normal home laptop and no other computers were found at the address so we're not sure if something was missed or if something else is going on.
There is internet history under the domain user account, which is why we'd like to show a password was in place, but there's nothing in the user folders like Pictures etc.
Does anyone know of a way to determine if there was a password on the domain account? We've tried cloning the drive but we're only presented with the local user account to log on to - there's no Switch User and it doesn't appear in the User Accounts control panel. I've tried looking in the HKLM\Security\Cache registry key, which is apparently where Windows will sometimes cache domain passwords, but there's no such key.
Thanks for any ideas!
Does anyone know of a way to determine if there was a password on the domain account?
At what particular time?
In general, though, the AD is where that information exists. In the absence of a study that demonstrates that some information on the client is sufficiently well correlated with the AD, I doubt that you can say anything.
We've tried cloning the drive but we're only presented with the local user account to log on to …
Did you see any attempts to locate a DC in the specified domain on the net (Wireshark or other net sniffer) as it boots? If it tries but doesn't find one, there seems to be little reason to prompt for a password for a non-reachable domain account. And if it doesn't even look for one … there's something else going on.
You refer to EnCase Case Processor, but that may not mean anything without version and release information.
Cached Credentials.
Image to Liveview, fire it up, try logging in with a blank password. If it works - you have your answer.
Cached credentials are turned on by default.
Is the domain account that EnCase is picking up from the same OS installation?
Could EnCase be showing a previously existing (deleted) account? Check the dates associated with that account and its activity.
Have you got a test machine you can install Win 7 on, join it to a domain and see what changes are made?
When you booted into the cloned install were you able to log in with the local user account? Did you check the management console and see what user accounts were listed there?
Have you checked for this key in the registry?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50
source http//
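As an added example (not from any poster in this thread), the following PowerShell script does the two checks discussed above against the hives of a forensic image rather than the live machine: it reads CachedLogonsCount and the default domain/user names from the Winlogon key of the offline SOFTWARE hive, then looks for populated NL$ slots under SECURITY\Cache, which is where Windows keeps its cached domain logon entries. It assumes the image is mounted read-only at E:\ (a placeholder drive letter), that the shell is elevated, and that it runs as SYSTEM (for example under psexec -s), because the ACL stored in the SECURITY hive does not grant Administrators read access to the Cache key; the ImgSOFTWARE and ImgSECURITY mount names are arbitrary.

```powershell
# Added example, not code from the thread. Inspect cached-domain-logon state in
# an offline Windows 7 image. Assumptions: image mounted read-only at E:\,
# elevated shell, running as SYSTEM so the SECURITY hive's Cache key is readable.

$ImageRoot = 'E:\'                                   # assumption: mounted image root
$Config    = Join-Path $ImageRoot 'Windows\System32\config'

# 1. Offline SOFTWARE hive: Winlogon settings.
#    CachedLogonsCount is REG_SZ, 0-50; when the value is absent Windows uses 10.
#    A value of 0 means domain credentials are never cached on this machine.
reg.exe load 'HKLM\ImgSOFTWARE' (Join-Path $Config 'SOFTWARE') | Out-Null
try {
    $winlogon = Get-ItemProperty -Path 'HKLM:\ImgSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $count = $winlogon.CachedLogonsCount
    if ($null -eq $count) { $count = '10 (value absent, Windows default)' }
    "CachedLogonsCount : $count"
    "DefaultDomainName : $($winlogon.DefaultDomainName)"
    "DefaultUserName   : $($winlogon.DefaultUserName)"
} finally {
    reg.exe unload 'HKLM\ImgSOFTWARE' | Out-Null
}

# 2. Offline SECURITY hive: cached domain logons.
#    Entries live as NL$1..NL$n values under SECURITY\Cache (NL$Control is
#    bookkeeping, not a logon). A missing Cache key, or slots that are all
#    zeros, means no domain account ever logged on interactively with a DC
#    reachable; a populated slot means a domain logon was cached at some point.
reg.exe load 'HKLM\ImgSECURITY' (Join-Path $Config 'SECURITY') | Out-Null
try {
    $cache = 'HKLM:\ImgSECURITY\Cache'
    if (-not (Test-Path $cache)) {
        'SECURITY\Cache key not present: no cached domain logons in this hive'
    } else {
        $names = (Get-Item $cache).Property |
                 Where-Object { $_ -like 'NL$*' -and $_ -ne 'NL$Control' }
        foreach ($name in $names) {
            $bytes = (Get-ItemProperty -Path $cache -Name $name).$name
            # An unused slot is all zero bytes; presence of a non-zero slot is the
            # evidence the thread is after, the contents themselves are not needed.
            $used = @($bytes | Where-Object { $_ -ne 0 }).Count -gt 0
            '{0,-8} populated={1} length={2}' -f $name, $used, $bytes.Length
        }
    }
} finally {
    reg.exe unload 'HKLM\ImgSECURITY' | Out-Null
}
```

Run it from an elevated PowerShell session on an examination workstation with the image mounted, never on the evidence machine itself. If the SECURITY hive shows no Cache key at all (as the original poster reports for the live key), that is consistent with the machine never having completed a domain logon against a reachable DC, which lines up with the suggestion above to watch for DC discovery traffic while the clone boots; the Winlogon DefaultDomainName value then tells you which domain name the machine believes it belongs to.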