Sorry if I'm off the mark here - I'm not really experienced in this field. But if the drive is remotely accessed, how about looking for traces of related network traffic? Surely there must be some traces of the exchanged traffic between the hosting machine and the client you are investigating? (VPN, Windows fileshare, RD, ssh…) Timestamps and IP location might prove the connection between a location stateside and the machine in Canada?
Also, regarding the USB lead, some MB layouts hook other types of hardware to the USB bus/controller in addition to the actual USB hubs. (Like biometric readers, etc.) Not sure if it's relevant though. Just throwing it out there.
Final thought: there is a webservice called Z Drive offering virtual online storage. I was unable to try it out to see if it's relevant to your investigation, but it might be worth checking out.
Good luck!
chrisprickaerts,
Have a look in the registry. If USB storage devices were attached, the registry should show at least A) when the device was first connected and B) extra info on the device, sometimes including brand and serial number etc.
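An added example (not from anyone in this thread) of pulling the USB mass-storage artifacts mentioned above from a live Windows 7-or-later system, run as Administrator: it walks the USBSTOR key, lists vendor/product/revision, serial and friendly name for every device the system has ever enumerated, and reads each instance key's last-write time through RegQueryInfoKey, since PowerShell's registry provider does not expose it. The key name and value names are standard Windows ones; the P/Invoke wrapper and its class name RegTime are this example's own.

```powershell
# Added example: enumerate USB mass-storage devices recorded under USBSTOR.
# Note: the key last-write time is when Windows last updated that instance key,
# not necessarily the first connection; first-install evidence also lives in
# setupapi.dev.log (Vista and later) or setupapi.log (XP).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class RegTime {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryInfoKey(IntPtr hKey, StringBuilder lpClass, ref uint lpcbClass,
        IntPtr lpReserved, out uint cSubKeys, out uint cbMaxSubKeyLen, out uint cbMaxClassLen,
        out uint cValues, out uint cbMaxValueNameLen, out uint cbMaxValueLen,
        out uint cbSecurityDescriptor, out long ftLastWriteTime);
    // Returns the last-write FILETIME of an open registry key as UTC.
    public static DateTime LastWrite(Microsoft.Win32.RegistryKey key) {
        uint a, b, c, d, e, f, g; uint cbClass = 0; long ft;
        int rc = RegQueryInfoKey(key.Handle.DangerousGetHandle(), null, ref cbClass, IntPtr.Zero,
            out a, out b, out c, out d, out e, out f, out g, out ft);
        if (rc != 0) throw new System.ComponentModel.Win32Exception(rc);
        return DateTime.FromFileTimeUtc(ft);
    }
}
"@

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
Get-ChildItem $usbstor | ForEach-Object {
    # Subkey name encodes the device, e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
    $device = $_.PSChildName
    Get-ChildItem $_.PSPath | ForEach-Object {
        $inst = $_
        [pscustomobject]@{
            Device       = $device
            # Instance id is the device serial, or a generated id ending in '&' + digit
            # when the device reports no serial.
            Serial       = $inst.PSChildName
            FriendlyName = $inst.GetValue('FriendlyName')
            KeyLastWrite = [RegTime]::LastWrite($inst)
        }
    }
} | Sort-Object KeyLastWrite | Format-Table -AutoSize
```

On an offline image, load the SYSTEM hive under HKLM with reg load and change $usbstor to that mount point; the ControlSet number then comes from the hive's Select key rather than CurrentControlSet.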
Cool. Can you specify where in the Registry this info would be found?
Thanks,
H
…using the security software preinstalled on my Dell laptop,…
What is the name of that software?
Wave Systems
As it turns out, the "Z" is a PGP Virtual Volume that has been "unmounted", which would require the PGP password. Anyone ever figure out how to crack one of these?
re getting the windows login password - try the ophcrack live cd
Relating to this subject, I've found in several cases the way to obtain the password for the local users (including the administrator). However, I am currently working on a case in which I would like to get the user/pass for a user that initiates a session with a network profile. I understand that when connected to the local network, the authentication is possible because there is an "Authentication Server". However, when unplugged… where does Windows check the password? I know that I can find the hashes for the local users in SAM and system, but… how can I get those for network users?
how can I get those for network users?
EnCase and other tools will pull those. There is a "cachedump" tool that will do this live.
Please note that the hashes are not NT/LM hashes. They are MD5's of the SID and the MD5 of the password.
They are in the security hive in the "Cache" folder. They are encrypted by a LSA secret. That one is protected by the syskey.
By now this is all public knowledge.
Or you could get those from the AD. There are scripts for that sort of thing.
Note that you can disable cached network credentials.
Also in VISTA some of the algorithms and things have changed - so not all tools will work there.
Uhmmm… seems not that easy! Thanks anyway guys.
Going back to the original question: do you need to know the password itself, or did you want to be able to reset the password?
I'm guessing that you're hoping you'll be able to maybe use it later down the track, either to work out if he has a password method or to use it on something else that may require auth.