Windows user login

(@mtouchet)
Active Member
Joined: 19 years ago
Posts: 11
Topic starter  

Does anyone know a trick to decipher a Windows user login password? Can this be viewed somewhere in the registry?

(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

http://elliottback.com/wp/archives/2006/04/26/cracking-windows-passwords-with-ophcrack-and-rainbow-tables/

There are probably better tutorials, but this is one of the first hits on Google. The short answer is yes, and it is very simple. If you care about getting the actual password you will need to do as the link above shows. If you want to change the password, you can use a boot disc like ERD to reset it.

I don't know whether that works, but I would be slightly dubious of someone whose first post looks like they are asking how to hack someone else's account.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Does anyone know a trick to decipher a Windows user login password?

The encryption on passwords is one-way…you cannot decrypt it. You can, however, perform brute force password guessing. Of course, depending upon your needs and access, there may be other ways to accomplish the same thing.

> Can this be viewed somewhere in the registry?

User passwords for the local system are kept in the SAM file, which is a part of the Registry.

(@chrisprickaerts)
Active Member
Joined: 19 years ago
Posts: 8
 

You can export the Sam data and throw rainbow tables at the export.

A rainbow table is essentially a pre-computed hash table of passwords. Using a rainbow table means you do not need to bruteforce the password, which might be a lengthy process.

(@mtouchet)
Active Member
Joined: 19 years ago
Posts: 11
Topic starter  

Just to set your minds at ease, this is a forensic case, using Live View and VMware to reconstruct a "user's eye view" of a laptop RAID. We are able to see a "z:\" drive throughout the disk view in the form of a .lnk file; however, the logical partition "z:\" does not exist and we do not find any partitions that have been fdisked or formatted. PGP is installed, but to what capacity we do not know. We are hoping to reconstruct a Windows environment to see what possibilities exist in this view.

(@mtouchet)
Active Member
Joined: 19 years ago
Posts: 11
Topic starter  

> The Z drive is probably mapped to a location on another box.

I agree, and what we are hoping to do through the Windows view is determine how that drive is accessed. This is an international case where we believe the mapped drive is located in Canada. Canadian officials are in the process of seizing all digital media from the Canadian location; however, the concern is that this perp is coming to the States to manufacture CP and then bringing it back to Canada where it is distributed. As such, we are determined to find critical evidence while he is in US custody. Our relationship with Canadian officials is good; however, we may not be able to use evidence seized in Canada unless we can identify specific victims in the US.

(@mtouchet)
Active Member
Joined: 19 years ago
Posts: 11
Topic starter  

> The Z drive is probably mapped to a location on another box.
>
> I'm not sure where those mappings are saved in the registry, but I assume you might. In order for drives to map like that to a different location there should (usually) be a VPN involved as well. Have you found anything related to a VPN on the machine?

No, but I have not looked in detail either. Our other thought is that "Z" may be a web server or web storage.

Interesting note, however: using one of the forensic software packages, we see "z" routinely prefaced with "usb". However, several of the border agents are adamant that no devices were connected to the machine at the time of seizure. Any thoughts on this?

dcso
(@dcso)
Eminent Member
Joined: 19 years ago
Posts: 31
 

Just a note - using the security software preinstalled on my Dell laptop, I created an encrypted "vault". It defaulted to z and is shown as a disconnected network drive (in Windows Explorer) when not in use. Lnk files mapped to z are created when I access files within the vault.

Not sure if something similar occurred in your case.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

mtouchet,

> We are able to see a "z:\" drive throughout the disk view in the form of a .lnk file; however, the logical partition "z:\" does not exist and we do not find any partitions that have been fdisked or formatted.

…and…

> Several of the border agents are adamant that no devices were connected to the machine at the time of seizure. Any thoughts on this?

Have you checked the Registry for removable storage devices? If you search this forum or my blog, you'll see that a great deal of info is maintained in the Registry regarding USB removable storage devices…even after they've been disconnected.

Also, do you see the Z\ drive mapped in the MountedDevices key? You should be able to get some info from that entry.

debaser_,

> I'm not sure where those mappings are saved in the registry,…

Depending upon how they were mapped, and by whom, you may find some info in

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

dcso,

> …using the security software preinstalled on my Dell laptop,…

What is the name of that software?

Thanks,

H

(@chrisprickaerts)
Active Member
Joined: 19 years ago
Posts: 8
 

Have a look in the registry. If USB storage devices were attached, the registry should show at least (a) when the device was first connected and (b) extra info on the device, sometimes including brand and serial number, etc.
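The registry locations keydet89 and chrisprickaerts point to can be triaged in one pass. The script below is an added example, not code posted in this thread; it assumes the letter of interest is Z: (as in the case above) and that it is run on a live system or against hives already loaded into the live registry with `reg.exe load`. The `HKCU:\Network` key and the MountedDevices value layouts are documented Windows behaviour, not something taken from the thread.

```powershell
# Added example (not from the thread): triage of drive-letter artifacts for one letter.
param([string]$Letter = 'Z')   # assumption: Z:, the letter discussed in the case

function Decode-MountedDevice {
    param([byte[]]$Data)
    # MBR volumes: 4-byte disk signature followed by an 8-byte partition byte offset.
    if ($Data.Length -eq 12) {
        $sig = [BitConverter]::ToUInt32($Data, 0)
        $off = [BitConverter]::ToUInt64($Data, 4)
        return ('MBR disk signature 0x{0:X8}, partition offset {1}' -f $sig, $off)
    }
    # GPT volumes: ASCII "DMIO:ID:" followed by the 16-byte partition GUID.
    if ($Data.Length -eq 24 -and [Text.Encoding]::ASCII.GetString($Data, 0, 8) -eq 'DMIO:ID:') {
        return 'GPT partition GUID ' + [Guid]::new([byte[]]$Data[8..23])
    }
    # Everything else is a UTF-16LE device path; one starting "_??_USBSTOR#" means the
    # letter was last bound to a USB mass-storage volume, which explains a "usb" prefix
    # in a forensic tool even when nothing was plugged in at seizure time.
    return [Text.Encoding]::Unicode.GetString($Data)
}

# 1. HKLM\SYSTEM\MountedDevices keeps the letter-to-volume binding after removal.
$md   = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices' -ErrorAction SilentlyContinue
$name = "\DosDevices\${Letter}:"
if ($md -and $md.PSObject.Properties[$name]) {
    "MountedDevices $name -> " + (Decode-MountedDevice $md.$name)
} else { "MountedDevices: no entry for $name" }

# 2. Per-user network-drive artifacts (current user's hive only).
$net = Get-ItemProperty -Path "HKCU:\Network\$Letter" -ErrorAction SilentlyContinue
if ($net) { "Persistent mapping ${Letter}: -> $($net.RemotePath)" }
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
Get-ItemProperty -Path "$explorer\Map Network Drive MRU" -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* | Format-List
Get-ChildItem -Path "$explorer\MountPoints2" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '##*' } |           # UNC paths are stored as ##server#share
    ForEach-Object { 'MountPoints2: ' + ($_.PSChildName -replace '#', '\') }

# 3. USB mass-storage history; these entries persist after the device is unplugged.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dev = $_
        Get-ChildItem -Path $dev.PSPath | ForEach-Object {
            [pscustomobject]@{ Device       = $dev.PSChildName
                               Instance     = $_.PSChildName   # serial number or instance id
                               FriendlyName = (Get-ItemProperty -Path $_.PSPath).FriendlyName }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM hives are readable; for an offline image, load the SYSTEM and the user's NTUSER.DAT hives first and adjust the HKLM:/HKCU: paths to the load points.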
