AlicKlaar's Solution described on forensicfocus.com (breaks some Windows features but gets EFS data back):
Re: Syskey password on startup
Posted: Sun Jun 08, 2014 11:35 am
- jaclaz
Care to share some info on this?
jaclaz
I was waiting for Jamie to review this thread. Last time I revealed a workaround for a program, the software company demanded the thread be removed. Lesson learned, etc.
Anyhow, it's not rocket science, just joined up some dots. For EFS it's documented that if the password is changed offline, then access is lost. However, if you can restore the original password then it all works again.
So,
1. obtain user login password by asking in my scenario / cracking with usual tools if required.
2. remove syskey (and blank password)
3. reset user password as per #1
4. reboot & login
5. access EFS / Export keys
I used Passcape's Reset Windows Password tool www.passcape.com/reset...s_password to reset the syskey. The free tool from Petter Hagen pogostick.net/~pnh/ntpasswd/ is next on the list.
Passcape warn that "After you reset the password, you may temporarily lose access to your Web site passwords, file share credentials, Wireless connection passwords, EFS-encrypted files, e-mails encrypted with your private keys, other personal data encrypted with DPAPI".
As Dr. McCoy said, "it's worse than that..."
Some things are definitely broken in the Windows crypto, as highlighted with WiFi security. WiFi can connect to open APs, but Wireshark shows no packets are transmitted when you attempt to join WEP / WPA / WPS networks. Normal LAN works fine, but as this is in a VM or just a test, it doesn't matter if you can get the files. I have tried resetting perms on the Registry and Windows folder. I guess comparing before / after reg is a logical step.
Insecurety Research has a write up on SAMSRV.dll insecurety.net/?p=768
Well, that's it. It works for me. Hopefully it may be of some use for you too.
alice
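As an added illustration (not from the thread, and not Passcape's or Petter Hagen's code), the Python model below shows why the password dependency behind steps 1-5 behaves the way alice describes: the DPAPI master key that protects the EFS certificate is wrapped under a key derived from the logon password and the user's SID, so an offline reset leaves an unreadable wrap, while restoring the exact original password makes it readable again. The SID, passwords and the XOR-plus-HMAC wrapping are constructed simplifications, not the real on-disk DPAPI master-key format.

```python
"""Simplified model of DPAPI's password -> SID-bound key -> master key chain.

Constructed example: the wrapping below (XOR + HMAC) is a stand-in for the
real DPAPI master-key file; only the dependency chain is being demonstrated.
"""
import hashlib
import hmac
import os


def user_prekey(password: str, sid: str) -> bytes:
    """Password-derived secret bound to the user SID (modelled on local-account DPAPI)."""
    pwd_hash = hashlib.sha1(password.encode("utf-16le")).digest()
    return hmac.new(pwd_hash, (sid + "\0").encode("utf-16le"), hashlib.sha1).digest()


def wrap_master_key(master_key: bytes, password: str, sid: str, salt: bytes, rounds: int = 8000) -> dict:
    """Wrap the master key under a PBKDF2 key derived from the password; add an integrity tag."""
    kek = hashlib.pbkdf2_hmac("sha512", user_prekey(password, sid), salt, rounds, len(master_key))
    wrapped = bytes(m ^ k for m, k in zip(master_key, kek))
    tag = hmac.new(kek, wrapped, hashlib.sha512).digest()
    return {"salt": salt, "rounds": rounds, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(blob: dict, password: str, sid: str):
    """Return the master key, or None when password/SID do not match the key it was wrapped under."""
    kek = hashlib.pbkdf2_hmac("sha512", user_prekey(password, sid), blob["salt"], blob["rounds"], len(blob["wrapped"]))
    if not hmac.compare_digest(hmac.new(kek, blob["wrapped"], hashlib.sha512).digest(), blob["tag"]):
        return None  # wrong password: EFS/DPAPI-protected data stays unreadable
    return bytes(w ^ k for w, k in zip(blob["wrapped"], kek))


def offline_reset_scenario() -> dict:
    """Replay the thread's sequence: original password, offline reset (blanked), then restore."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
    original, blanked = "Winter2014!", ""                   # constructed; "" models the blanked password
    master_key = os.urandom(64)
    blob = wrap_master_key(master_key, original, sid, os.urandom(16))  # written at first logon
    return {
        "before_reset": unwrap_master_key(blob, original, sid) == master_key,
        "after_offline_reset": unwrap_master_key(blob, blanked, sid) == master_key,
        "after_restoring_original": unwrap_master_key(blob, original, sid) == master_key,
        "original_password_other_sid": unwrap_master_key(blob, original, sid + "0") == master_key,
    }
```

An online password change through Windows re-wraps the master key under the new password, which is why only the offline path (no re-wrap) loses access.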