Today, a major newspaper, VG announced that the progress in the of a missing person case may be set back
because they are lacking the persons social media password (Link to article in Norwegian). In this post I will take a closer look into what techniques may be done on the persons machine in order to try retrieve relevant passwords.
These tips and tricks have already been submitted to the newspaper in a chance to possibly aid the investigation.
6 steps to retrieve relevant information
Some of the steps are specific for Windows OS. Many of the steps will possibly return the users password which can either be the same or a similar password for e.g. a facebook password. Chances are the person is using the same password several places!
The different techniques is recommended doing while mounting the disk in a different OS while in read-only mode. This can be done by either mounting the drive in another computer or booting the machine with a live CD like Backtrack. The file-system can then be easily accessed without restrictions on permissions or other similar restrictions.
1) The SAM file
As I’ve written about before, the SAM file contains account information on Windows OS. This file can trivially be dumped when physical access to the machine is in hand. The hashes, in some cases weak LANMAN, can then be proceeded to be attacked in order to reveal the clear-text password.
Cain & Able also have the possibility to dump passwords from machines local system account, often called LSA secrets.
2) Check cookie and temporary internet files
Cookie information on any kind of site which the person has logged into may be able to provide valuable information. In many cases a session ID may be captured and be used to spoof the person. If for example we are able to impersonate the users email session, we may have an excellent chance to use password retrieval functions on sites to either gain a new password for the user, or be emailed back the actual clear-text password.
This site passwordfail.com contains a list over sites that will actually send back your password in clear-text. Sites which contains session information could be washed against the list and be potentially used to retrieve the users password.
Some sites stores session information in hidden fields which in turn could be discovered in temporary internet files.
Even if you cannot retrieve the password in clear-text there is a chance that you may successfully session hijack the persons older sessions and thus potentially revealing relevant information.
3) Recover deleted files
It is not unlikely that deleted files on the machine may contain potentially relevant information to aid the investigation. Deleted cookies, logs or downloaded files are files that would seem interesting for an investigation.
Recouva is an excellent tool for just such a ting, and on top of it all is free without any bullshit that you can only recover a fixed number of files! Very much recommended.
4) Discover logs from chat clients stored locally
Chat clients may very well contain tons of relevant information in regards to an investigation. Applications like MSN Messenger, Yahoo Messenger or IRC usually stores the chat logs on the local file-system.
5) Discover stored passwords in browser or other applications
Very many applications provide some sort of “remember password” logic to provide easier access to resources that is password protected. Most people will recognize this function in our browsers. They provide an option to store the users password in a database and automatically fill inn these when the user navigates to a login form the browser remember.
There is also other applications than just browsers that offer to store passwords for the user. For example many popular games are known to store the users password, or other software like Filezilla has been known to do the same.
SecurityXploded.com currently has a list over 47 applications and where they store their passwords. To mention a few:
- MSN Messenger
- Windows Live Messenger
- Microsoft Outlook
- Heroes of Newerth
Courtesy to Øyvind in the comments for providing me with this link that I previously requested help in finding!
6) Check information from previous breaches
If the person for example had a LinkedIn account the password may very well already be cracked. The blog Security Nirvana say they have cracked over 90% of all the LinkedIn passwords which was disclosed in the hack. Our persons account may very well be one of these 6.5 million accounts and thus we may already have the password ready available.
I am sure there is more…
While this is only the points I came up on top of my head early this morning, when I sent a mail to the newspaper 15 minutes after publication, I am sure there is also several other methods in order to retrieve the persons password.
Hopefully the police investigating these cases make use of techniques like this in their investigations.
If you have any good ideas on other ways to do this process, please leave a comment below or send me an email!