Programs such as EnCase with the EDS module and Secret Explorer from Lastbit can read from protected storage on a non-live machine, i.e. protected storage imported from another machine (ntuser.dat) into the program. Can anyone explain how this is possible and how they do it?
Thanks in advance.
Sure, see the EnCase white papers on the Guidance Software site. They explain everything.
I am not quite sure what you are asking.
1. "Protected Storage" is a Windows 2000/XP concept and is not "that protected" as it happens.
2. As the file you refer to is on another machine, reading it should be a trivial matter. I would personally consider it to be more "undocumented" than "protected".
It should not be confused with the "protected areas" that HDD manufacturers use or the "hidden partitions" used by OEMs for their recovery software.
It is certainly not along the lines of password protecting a laptop HDD which usually encrypts the data as well.