passwords and RAM

Thread: passwords and RAM

  1. #1
    Junior Member
    Join Date
    Mar 2006
    Posts
    2

    passwords and RAM

    Greetings,
    Throwing this out to the informed masses... What is the best way to recover passwords, logins, etc. from machines where these items are not saved to the computer like the registry - but merely typed in and the person "hits enter"? I am guessing they are in RAM, but things like dd_img do not capture them (using a Windows forensics toolkit approach). Based on the scenario, keyloggers are not an option because the deed is done by the time I find out about it - but I do have access to any machine immediately after the events (corporate environment). Much appreciated...

  2. #2
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I made a batch file that does this for me on Windows 9X.

    copy C:\WINDOWS\*.pwl a:

    I popped that into a batch file on a floppy disk. Works great. This should give you at least a start.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween. The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  3. #3
    Gore... that was the most retarded answer you have ever given.


    SASJohnson, you're not trying to get local logins? You are talking more like websites and whatnot? Something where the hash is not stored locally?

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I second Synja with regard to Gore's comment.... *sigh*

    You may find the passwords or their hashes in the page file. You may also find them in the browser history as part of the url sent after the password has been entered. Hell, they may have even said "remember me" and you _might_ find them stored in cookies...

    My question is though... Why do you need their password... If they went to hotmail to check their personal email and that is against policy then you already have them by the short and curlies... There's no reason to see if they received any new email... Pummel them on the policy breach...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Lol What, it said passwords in RAM... Lol. Damn no one appreciates a good one anymore.

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    "Based on the scenario, keyloggers are not an option because the deed is done by the time I find out about it - but I do have access to any machine immediately after the events (corporate environment)."

    This sentence is not making sense to me. You can't use a keylogger "because the deed is done by the time I find out about it...," but then you go on to say, "but I do have access to any machine immediately after the events...." If you need to stop some illicit deed beforehand, how is any method someone could give you going to help you afterward?
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Sounds like you are maybe trying to get someone's "network" logon password?
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Preacher:

    Policy doesn't allow him to put keyloggers on his boxes but, through whatever means, he may discover activity that requires him to investigate it... Hence the after the fact investigation...

  9. #9
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by Nokia
    Sounds like you are maybe trying to get someone's "network" logon password?
    That's why I toyed with him. But that got ruined by the no sense of humor duo.

  10. #10
    That's why I toyed with him. But that got ruined by the no sense of humor duo.
    I have a sense of humor. I just usually prefer jokes involving flatulence or boobies.
