Decrypting Intelliforms 9-8-08

2012-09-26

ACCESSDATA SUPPLEMENTAL APPENDIX

Steps for Decrypting IntelliForms Data in Windows Vista
This appendix reviews the process required to decrypt the protected
information located in the IntelliForms subkey.

STEP 1—EXPORT THE NTUSER.DAT REGISTRY FILE

Create a folder to hold the necessary objects and export the
NTUSER.DAT of the particular user of interest to this folder. The
NTUSER.DAT in Vista is located at:
C:\Users\

©2008 AccessData Corporation. All Rights Reserved 9-2-08

STEP 2—EXPORT THE ENTIRE PROTECT FOLDER

In Windows Vista, the Protect folder is located at:
C:\Users\\AppData\Roaming\Microsoft\Protect
In Windows XP, this path would be:
C:\Documents and Settings\\Application Data\Microsoft\Protect

STEP 3—EXPORT THE “LOW” HISTORY INDEX.DAT FILE

One of the pieces of entropy for Web login passwords is the actual URL
that the password was entered into. In order to harvest as many URLs as
possible, use that user’s History index.dat. Export the one located in the
Low folder, as this will likely have the most up-to-date URLs. By
exporting this file, then later pointing PRTK to it, PRTK will carve all of
the URLs from the file and use them like a dictionary to attack any
stored passwords.
If this doesn’t work, more URLs should be carved from the system and
placed into a file. PRTK can be pointed to the file to harvest the URLs
for testing.
In Windows Vista, the Low history is located at:
C:\Users\\AppData\Local\Microsoft\Windows\History\Low\History.IE5
In Windows XP, use:
C:\Documents and Settings\\Local Settings\History\History.IE5
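An added example (not AccessData’s or PRTK’s code) of the URL harvest this step relies on: it carves location strings out of History.IE5 index.dat records, strips the “Visited: user@” prefix those records carry, loose-carves anything URL-shaped from damaged or unallocated space, and returns the deduplicated list that would be handed to PRTK as a dictionary. It assumes the IE5+ URL record layout (the “URL ” signature, a block count, and the location-string offset at 0x34) and runs against a constructed stand-in rather than a real index.dat.

```python
import re
import struct

BLOCK = 128              # index.dat allocates records in 128-byte blocks
URL_OFFSET_FIELD = 0x34  # IE5+ URL record: DWORD offset (from record start) of its location string
VISITED = re.compile(r"^Visited: [^@]+@(.+)$")   # History.IE5 locations read "Visited: user@http://..."
LOOSE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

def carve_records(data: bytes) -> list:
    """Walk block-aligned 'URL ' records and return their location strings, History prefix stripped."""
    out = []
    for off in range(0, len(data) - 8, BLOCK):
        if data[off:off + 4] != b"URL ":
            continue
        nblocks = struct.unpack_from("<I", data, off + 4)[0]
        rec = data[off:off + nblocks * BLOCK]
        loc = struct.unpack_from("<I", rec, URL_OFFSET_FIELD)[0] if len(rec) > URL_OFFSET_FIELD + 4 else 0
        if not 0 < loc < len(rec):        # zero, out-of-record or truncated: skip, never raise
            continue
        s = rec[loc:].split(b"\x00", 1)[0].decode("latin-1")   # locations are ASCII; latin-1 never raises
        m = VISITED.match(s)
        out.append(m.group(1) if m else s)
    return out

def carve_loose(data: bytes) -> list:
    """Fallback for a damaged file or unallocated space: anything that merely looks like a URL."""
    return [m.group(0).decode() for m in LOOSE.finditer(data)]

def build_wordlist(data: bytes) -> list:
    """Unique http(s) URLs in first-seen order: structured carve first, loose carve for the leftovers."""
    seen, words = set(), []
    for u in carve_records(data) + carve_loose(data):
        if u.startswith("http") and u not in seen:
            seen.add(u)
            words.append(u)
    return words

# Constructed URL record for the sample below; only the fields the carver reads are filled in.
def make_record(location: bytes) -> bytes:
    size = -(-(0x68 + len(location) + 1) // BLOCK) * BLOCK   # round up to whole blocks
    rec = bytearray(size)
    struct.pack_into("<4sI", rec, 0, b"URL ", size // BLOCK)
    struct.pack_into("<I", rec, URL_OFFSET_FIELD, 0x68)
    rec[0x68:0x68 + len(location)] = location
    return bytes(rec)

SAMPLE = (b"Client UrlCache MMF Ver 5.2".ljust(BLOCK, b"\x00")   # constructed: header block, two records, slack
          + make_record(b"Visited: suspect@http://mail.example.com/login.aspx")
          + make_record(b"Visited: suspect@https://bank.example.net/account/signin")
          + b"\x00" * 40 + b"http://forum.example.org/ucp.php?mode=login" + b"\x00" * 85)
```

Writing the returned list one URL per line gives the text file this step says PRTK can be pointed at when the index.dat alone is not enough.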

STEP 4—EXPORT THE SAM AND SYSTEM REGISTRY FILES

The SAM and SYSTEM registry files will be needed in order to break the
user’s login password prior to breaking the protected data in the
IntelliForms.
The SAM and SYSTEM registry files are in the same location:
C:\Windows\System32\config

STEP 5—BREAK THE USER’S LOGIN PASSWORD

To break the user’s login password:

1. Drag-and-drop the SAM file into PRTK. After PRTK identifies the SAM
file it will display a dialog box requesting further information.

2. Select the user(s) whose password(s) you want to break.

3. Next, below the usernames, browse to the location of the exported
SYSTEM file from the suspect’s system. PRTK needs this file to harvest the
Syskey which protects the SAM file.

4. Click OK.

5. PRTK will next request an attack profile. It is preferable to use the full text
index from the suspect’s system as one of the dictionaries in this attack.
Also include any other pertinent dictionaries, including a biographical
dictionary if available. Create the profile including the dictionaries,
languages, characters, and levels desired and break out the user’s login
password.

STEP 6—CREATE A TEXT FILE TO OUTPUT THE RESULTS TO

Once the three objects are in the folder, create a text file to output the
results to. This file will contain all of the data that is retrievable from the
IntelliForms. The data can be viewed in PRTK, but the text file makes it
easier to collate and place into the final FTK report.
Drop the NTUSER.DAT file into PRTK. PRTK will identify the data in
the file and report whether or not breakable data exists. If there is no data in
the IntelliForms to break, PRTK will return a dialog box indicating that
the file is unidentifiable. If data is available, PRTK will display the
Module Options dialog box. Use this box to point to the required
objects.

STEP 7—SPECIFY THE USER’S MASTER KEY AND SID

The first entry is the Protect folder. Browse to the folder you placed it
into and open the Protect folder. Click the user’s SID, then the
Preferred file. Once this is done, you will have the full path entered into
the text box. Navigate to the end of the path and delete the “Preferred”
from the preferred file. This will leave the full path with the SID intact,
which is what PRTK needs to harvest the key data.

STEP 8—ENTER THE USER’S LOGIN PASSWORD

The next requirement is the user’s login password. Enter it into the
password text box.

STEP 9—BROWSE TO THE USER’S URL HISTORY FILE

Browse to the index.dat harvested from the suspect’s system.

STEP 10—POINT TO THE TEXT FILE FOR RESULT DOCUMENTATION

Browse to the text file that you created to hold the attack’s results.

STEP 11—SELECT AN ATTACK PROFILE

Once you have pointed to the text file, click OK.
PRTK will prompt you for the attack profile.
PRTK uses the objects that you supplied to it to break whatever it can
from the IntelliForms registry subkey. This is a decryption attack, since
the login password has been supplied. Any profile can be used; even a
profile with no dictionaries, characters, or languages can be applied. All
PRTK needs is a single level to initiate itself and break the data.

STEP 12—VIEW THE RESULTS

The results are visible in PRTK; however, it is better to view them in the
text file used to hold the results of the attack.

STEP 13—VIEW THE RESULTS

The text file will show the different passwords, search terms, and form
data that PRTK was able to decrypt. Any other data that was still
encrypted, such as a password that required a URL that wasn’t in the
History index.dat, will also be indicated.
