The former way to acquire the Windows logon password of user is to get a NTML hash value through the Windows logon session and registry then crack it. Figure 1 shows the well-known ways to get a NTML hash value of user’s windows logon password. All of the obtained information using these methods is NTLM hash and it needs to be cracked with password crack tools. If the password is too long and even hard to crack, it is difficult to acquire the user’s Windows logon password. However, the tool called “Mimikatz” [1] has been announced in 2012 to solve the problem. It uses DLL injection on live status so that it can print out the user’s Windows logon password as a plaintext even though the password is long.
In this article, we’ll apply one of the methods used in “Mimikatz” called “extracting user’s Windows logon password using Wdigest” to memory dump, so we can help out the investigators with memory forensics…