March 6, 2020
Our customers have been sending us great feedback about how valuable Arsenal Image Mounter’s (“AIM’s”) virtual machine launching and Windows password bypassing have been to their cases. Of course we concur, not only because we built AIM but because we leverage its powerful and unique functionality in our ongoing casework – from reverse engineering malware to running unusual applications in their native environments.
While Windows password bypassing (particularly with AIM, which can bypass all types of Windows passwords) provides digital forensics practitioners with great opportunities, there are certain things in Windows such as EFS-encrypted files and cached login credentials that require passwords to be cracked rather than bypassed.
So, if you need to access EFS-encrypted files, you do not have the user’s Windows password, and you may even be dealing with an “IT gone rogue” scenario (i.e. you cannot rely on help from IT because, for example, one or more IT staff may be suspects), what are your options? Of course you could compel the user to provide their password, or you could crack it… but what about other options? Putting aside some of the more devious options, a great one remains – if the workstation in question was attached to a Windows domain controller, you can use a method refined by Olof Lagerkvist which leverages AIM in interesting ways.
Let’s see Olof’s method in action, using a Windows Server 2016 domain controller and an attached Windows 10 workstation graciously provided by SANS (please note that the following screenshots are based on the latest internal build of AIM):
1. Use AIM to launch a disk image of the domain controller into a virtual machine, with networking isolated between virtual machines only
2. Bypass the domain controller’s administrator password with AIM Virtual Machine Tools
3. Use the domain controller’s “Active Directory Users and Computers” (ADUC) “Microsoft Management Console” (MMC) snap-in to reset the user’s password
4. Use AIM to launch a disk image of the user’s workstation into a virtual machine, with networking isolated between virtual machines only (so the workstation can connect to the domain controller), and log in with the new password you set from the domain controller
5. Access protected content, including EFS-encrypted files and cached credentials! (Our screenshot here would be more exciting, but someone at SANS seems very wary of caching credentials… and also fond of using password management tools)
Remember earlier when we mentioned bypassing the domain controller’s administrator password with AIM Virtual Machine Tools and then running the ADUC MMC after logging in? Well, you can actually make this process even more efficient by simply using AIM Virtual Machine Tools to open an administrative console at the domain controller’s logon screen and running “dsa.msc” to launch the ADUC MMC – no need to actually log in to the domain controller!
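As an added example (not Arsenal’s code and not part of the original article), here is a PowerShell equivalent of step 3 (the ADUC password reset, whether run after logging in to the domain controller or from the administrative console at its logon screen described above) and of the check a practitioner wants at step 5 on the workstation. It assumes hypothetical lab values: a domain controller VM named LABDC, a lab domain corp.example, a user jdoe, and a constructed reset password; the guard in Assert-LabDomainController is there so the reset cannot be issued against anything but the isolated VM copy of the domain controller. Why the domain matters: a domain user’s DPAPI master key, which protects the EFS private key, carries a copy recoverable through the domain controller’s DPAPI backup key, so after an administrative reset the workstation recovers it at the next logon as long as it can reach the domain controller (hence the isolated network between the two VMs in step 4); an administrative reset of a local account would leave the EFS key unrecoverable. Note that the reset is recorded as Security event 4724 in the VM’s copy of the domain controller, not in the original image.

```powershell
# Added example: PowerShell form of steps 3 and 5, for use inside the isolated lab VMs only.
# Run with -Phase DC on the domain controller VM, then -Phase Workstation on the
# workstation VM after logging in as the user with the new password.
param(
    [ValidateSet('DC', 'Workstation')]
    [string]$Phase = 'DC'
)

$ExpectedDc     = 'LABDC'           # hypothetical lab DC host name
$ExpectedDomain = 'corp.example'    # hypothetical lab domain
$SamAccountName = 'jdoe'            # hypothetical user whose EFS files are needed
$NewPassword    = 'Lab-Reset-2020!' # constructed value, used only inside the isolated VM

function Assert-LabDomainController {
    # Refuse to run unless this is clearly the isolated lab copy of the DC, so the
    # reset can never be issued against a production domain by mistake.
    $domain = (Get-ADDomain).DNSRoot
    if ($env:COMPUTERNAME -ne $ExpectedDc -or $domain -ne $ExpectedDomain) {
        throw "Not the lab DC (host=$env:COMPUTERNAME domain=$domain); aborting."
    }
}

function Reset-LabUserPassword {
    param([string]$Sam, [string]$Password)
    Assert-LabDomainController
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    # -Reset sets a new password without knowing the old one, which is exactly what
    # the ADUC "Reset Password" dialog does (a domain administrator action).
    Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $secure
    # Make sure the account is usable at the workstation logon screen.
    Unlock-ADAccount -Identity $Sam
    Enable-ADAccount -Identity $Sam
    Set-ADUser -Identity $Sam -ChangePasswordAtLogon $false
    # Verification: PasswordLastSet should now be the current time. The reset is also
    # logged as Security event 4724 on this VM's copy of the DC, not on the original image.
    Get-ADUser -Identity $Sam -Properties PasswordLastSet, Enabled, LockedOut |
        Select-Object SamAccountName, PasswordLastSet, Enabled, LockedOut
}

function Get-EfsFile {
    param([string]$Root)
    # EFS-encrypted files carry the Encrypted file attribute; list them recursively.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

function Test-EfsReadable {
    param([string]$Path)
    # Opening the file makes EFS unwrap the file encryption key with the user's EFS
    # private key; this only succeeds if the DPAPI master key was recovered via the DC
    # after the reset. An unrecoverable key surfaces as "Access is denied".
    try { $fs = [System.IO.File]::OpenRead($Path); $fs.Close(); $true }
    catch { $false }
}

switch ($Phase) {
    'DC' {
        Import-Module ActiveDirectory
        Reset-LabUserPassword -Sam $SamAccountName -Password $NewPassword
    }
    'Workstation' {
        foreach ($f in Get-EfsFile -Root $env:USERPROFILE) {
            $readable = Test-EfsReadable -Path $f.FullName
            [pscustomobject]@{ Readable = $readable; Path = $f.FullName }
            # For files still denied, cipher.exe /c lists which certificates
            # (user keys and data recovery agents) can decrypt them.
            if (-not $readable) { cipher.exe /c $f.FullName }
        }
    }
}
```

The Workstation phase lists every EFS-encrypted file under the profile with a Readable flag; a file reported as not readable after the domain reset usually means the workstation could not reach the domain controller at logon to recover the master key, which is the isolated-network condition of step 4 not being met.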
On another side note, there are many combinations of Windows versions that this process works with… try it yourself! For example, as a fun exercise you could try using the SANS Windows Server 2008 R2 domain controller and Nick Fury’s Windows 7 workstation that was attached to it.
You can also try this process with the GrrCON 2017 Domain Controller and various workstations that were attached to it. You can watch us do it in this video.
Even if you are already familiar with this concept in a general sense, we hope we have demonstrated something new to you in terms of how AIM can be leveraged in an efficient and powerful way to access protected content in challenging situations.
If you enjoyed this Insights article and would like to be informed when we publish new articles, please join our mailing list here.