March 6, 2020
Our customers have been sending us great feedback about how valuable Arsenal Image Mounter’s (“AIM’s”) virtual machine launching and Windows password bypassing have been to their cases. Of course we concur, not only because we built AIM but because we leverage its powerful and unique functionality in our ongoing casework – from reverse engineering malware to running unusual applications in their native environments.
While Windows password bypassing (particularly with AIM, which can bypass all types of Windows passwords) provides digital forensics practitioners with great opportunities, there are certain things in Windows, such as EFS-encrypted files and cached login credentials, whose protection is derived from the password itself and which therefore require the password to be cracked rather than bypassed.
So, what are your options if you need to access EFS-encrypted files, you do not have the user’s Windows password, and you may even be dealing with an “IT gone rogue” scenario (i.e. you cannot rely on help from IT – e.g. one or more IT staff may be suspects)? Of course you could compel the user to provide their password or you could crack it… but what about other options? Putting aside some of the more devious options, a great one remains – if the workstation in question was attached to a Windows domain controller, you can use a method refined by Olof Lagerkvist which leverages AIM in interesting ways. The reason it works is that a domain user’s DPAPI master keys, which protect the EFS private key and Credential Manager entries, are also backed up to the domain controller, so a password reset performed by a domain administrator (unlike a reset of a local account) does not leave that material unrecoverable when the user next logs on.
Let’s see Olof’s method in action, using a Windows Server 2016 domain controller and an attached Windows 10 workstation graciously provided by SANS (please note that the following screenshots are based on the latest internal build of AIM):
1. Use AIM to launch a disk image of the domain controller into a virtual machine, with networking isolated between virtual machines only
2. Bypass the domain controller’s administrator password with AIM Virtual Machine Tools
3. Use the domain controller’s “Active Directory Users and Computers” (ADUC) “Microsoft Management Console” (MMC) snap-in to reset the user’s password
4. Use AIM to launch a disk image of the user’s workstation into a virtual machine, with networking isolated between virtual machines only (so the workstation can connect to the domain controller), and log in with the new password you set from the domain controller
5. Access protected content which includes EFS-encrypted files and cached credentials! (Our screenshot here would be more exciting, but someone at SANS seems very wary of caching credentials… and also fond of using password management tools)
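Before committing to the domain-controller route, it helps to confirm what password-dependent material the workstation image actually contains and which user SIDs own it. The following PowerShell is an added example and is not part of the Arsenal article or of AIM; it assumes the workstation image has been mounted read-only (for instance by AIM) so that its Users folder is reachable at a drive letter, with `E:\Users` as an assumed placeholder path, and it inventories per profile the EFS-encrypted files, DPAPI master key files and Credential Manager blobs whose contents depend on the user’s password.

```powershell
# Added example, not code from the Arsenal article or from AIM.
# Inventories password-dependent content per user profile on a workstation image
# that has been mounted read-only (e.g. by AIM) so that its Users folder is visible
# at a drive letter. The default 'E:\Users' is an assumed placeholder path.

function Get-ProtectedContentInventory {
    param(
        [string] $UsersRoot = 'E:\Users'   # assumed mount path; adjust per case
    )

    foreach ($userProfile in Get-ChildItem -Path $UsersRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $root = $userProfile.FullName

        # EFS-encrypted files carry the Encrypted attribute. Their bulk key is wrapped
        # with the user's EFS certificate key, which is itself DPAPI-protected.
        $efsFiles = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }

        # DPAPI master keys sit under AppData\Roaming\Microsoft\Protect\<SID>\<GUID>.
        # Each is encrypted with a key derived from the user's password (and, for domain
        # accounts, additionally with the domain backup key held by the DC).
        $protectDir = Join-Path $root 'AppData\Roaming\Microsoft\Protect'
        $sidDirs = Get-ChildItem -Path $protectDir -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'S-1-5-*' }
        $masterKeys = $sidDirs | ForEach-Object {
            Get-ChildItem -Path $_.FullName -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' }
        }

        # Credential Manager blobs (saved network/web credentials) are DPAPI-protected too.
        $credBlobs = @('AppData\Roaming\Microsoft\Credentials', 'AppData\Local\Microsoft\Credentials') |
            ForEach-Object { Get-ChildItem -Path (Join-Path $root $_) -File -Force -ErrorAction SilentlyContinue }

        [pscustomobject]@{
            Profile         = $userProfile.Name
            UserSids        = (@($sidDirs | ForEach-Object Name) -join ', ')
            EfsFiles        = @($efsFiles).Count
            DpapiMasterKeys = @($masterKeys).Count
            CredentialBlobs = @($credBlobs).Count
            EfsSample       = (@($efsFiles | Select-Object -First 3 | ForEach-Object FullName) -join '; ')
        }
    }
}

# Example run against the mounted image (output goes to the console; the evidence is untouched):
Get-ProtectedContentInventory -UsersRoot 'E:\Users' | Format-Table -AutoSize
```

Run it against the mounted image rather than inside the launched virtual machine so nothing on the evidence changes. A profile that shows EFS files or credential blobs is one where bypassing the password alone will not get you the content; the SID listed under Protect identifies the owning account, and comparing its domain portion (everything before the final RID) with the domain controller’s SID confirms that it is a domain account, which is the case the reset procedure above addresses.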
Remember earlier when we mentioned bypassing the domain controller’s administrator password with AIM Virtual Machine Tools and then running the ADUC MMC after logging in? Well, you can actually make this process even more efficient by simply using AIM Virtual Machine Tools to open an administrative console at the domain controller’s logon screen and running “dsa.msc” to launch the ADUC MMC – no need to actually log in to the domain controller!
On another side note, there are many combinations of Windows versions that this process works with… try it yourself! For example, as a fun exercise you could try using the SANS Windows Server 2008 R2 domain controller and Nick Fury’s Windows 7 workstation that was attached to it.
You can also try this process with the GrrCON 2017 Domain Controller and various workstations that were attached to it. You can watch us do it in this video.
Even if you are already familiar with this concept in a general sense, we hope we have demonstrated something new to you in terms of how AIM can be leveraged in an efficient and powerful way to access protected content in challenging situations.
If you enjoyed this Insights article and would like to be informed when we publish new articles, please join our mailing list here.