Chapter 27 – Live Boot
Copyright GetData Forensics Pty Ltd 2010 - 2015, All rights reserved.
LIVE BOOT AND WINDOWS USER PASSWORDS
In many cases when Windows starts in Live Boot, access to the virtual computer will
be blocked by the Windows user account login screen. If passwords for the user
accounts are unknown, there are two options:
Password recovery; or
Described in more detail below.
WINDOWS USER PASSWORD RECOVERY
The advantages of password recovery are:
A known password may be of evidentiary value to a case. For example, a
unique password may tie an individual to a computer.
A known password may assist in other avenues of investigation. For
example, the password may be used in the decryption of user files.
The disadvantages of password recovery are:
Password recovery requires the use of third-party software.
Password recovery can be resource and time intensive.
Strong passwords may not be recovered.
Ophcrack is a free open source program that recovers Windows passwords by
processing LM hashes through rainbow tables (see
http://en.wikipedia.org/wiki/Ophcrack). Ophcrack can be used to recover passwords
from Win XP, Vista, Win7 and Win8 operating systems.
Ophcrack ISO image files are available for download from
http://Ophcrack.sourceforge.net/download.php. These include:
Ophcrack-xp-livecd-3.6.0.iso (for LM hashes of Windows XP and earlier);
Ophcrack-vista-livecd-3.6.0.iso (for NT hashes of Windows Vista and 7).
To recover a password with Ophcrack:
Follow the instructions provided in 0 above to mount the image file and run
In the Boot Options tab, check 'Boot to ISO' and select the relevant
Ophcrack ISO image, as shown in Figure 238 below: