March 6, 2020
Our customers have been sending us great feedback about how valuable Arsenal Image Mounter’s (“AIM’s”) virtual machine launching and Windows password bypassing have been to their cases. Of course we concur, not only because we built AIM but because we leverage its powerful and unique functionality in our ongoing casework – from reverse engineering malware to running unusual applications in their native environments.
While Windows password bypassing (particularly with AIM, which can bypass all types of Windows passwords) provides digital forensics practitioners with great opportunities, there are certain things in Windows such as EFS-encrypted files and cached login credentials that require passwords to be cracked rather than bypassed.
So, if you need to access EFS-encrypted files, you do not have the user’s Windows password, and you may even be dealing with an “IT gone rogue” (i.e. you cannot rely on help from IT – e.g. one or more may be suspects!) scenario, what are your options? Of course you could compel the user to provide their password or you could crack their password… but what about other options? Putting aside some of the more devious options, a great one remains – if the workstation in question was attached to a Windows domain controller, you can use a method refined by Olof Lagerkvist which leverages AIM in interesting ways.
Let’s see Olof’s method in action, using a Windows Server 2016 domain controller and an attached Windows 10 workstation graciously provided by SANS (please note that the following screenshots are based on the latest internal build of AIM):
1. Use AIM to launch a disk image of the domain controller into a virtual machine, with networking isolated between virtual machines only
2. Bypass the domain controller’s administrator password with AIM Virtual Machine Tools
3. Use the domain controller’s “Active Directory Users and Computers” (ADUC) “Microsoft Management Console” (MMC) snap-in to reset the user’s password
4. Use AIM to launch a disk image of the user’s workstation into a virtual machine, with networking isolated between virtual machines only (so the workstation can connect to the domain controller), and login with the new password you set from the domain controller
5. Access protected content which includes EFS-encrypted files and cached credentials! (Our screenshot here would be more exciting, but someone at SANS seems very wary of caching credentials… and also fond of using password management tools)
Remember earlier when we mentioned bypassing the domain controller’s administrator password with AIM Virtual Machine Tools and then running the ADUC MMC after logging in? Well, you can actually make this process even more efficient by simply using AIM Virtual Machine Tools to open an administrative console at the domain controller’s logon screen and running “dsa.msc” to launch the ADUC MMC – no need to actually login to the domain controller!
On another side note, there are many combinations of Windows versions that this process works with… try it yourself! For example, as a fun exercise you could try using the SANS Windows Server 2008 R2 domain controller and Nick Fury’s Windows 7 workstation that was attached to it.
You can also try this process with the GrrCON 2017 Domain Controller and various workstations that were attached to it. You can watch us do it in this video.
Even if you are already familiar with this concept in a general sense, we hope we have demonstrated something new to you in terms of how AIM can be leveraged in an efficient and powerful way to access protected content in challenging situations.
If you enjoyed this Insights article and would like to be informed when we publish new articles, please join our mailing list here.
You may find (like Allan did) that immediately after launching disk images from Windows servers and workstations on the same network into virtual machines, they start talking to each other normally… or, much less often in our experience, you may find that they do not.
At Arsenal we know that questions can not only be dumb (we are reformed offenders), but given our experience in litigation, misleading and even weaponized to harm… without answers ever being involved. Lawyers know this, and if you are a digital forensics practitioner, you should too.
We have been working aggressively for the last month on an extension to our Windows authentication bypass that some of our colleagues in digital forensics will find quite shocking. While we continue this work, we have decided to launch another version of AIM with some new features requested by our customers.
Join our mailing list to arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.
or (617) 277-3625
Terms & Conditions