WinTeNTLM Issues

 

kitten cat rush lucky cat
Mini Cats! It will make sense later…

It’s not uncommon to be asked whether a user had a login password or to need it to login to a virtualised copy of a suspects computer. In the case of the later, you can usually just clear the password and proceed, but sometimes knowing the password may be important.

I played with a few tools that I had on hand to get a local user’s NTLM hash during Dave and Matt’s DFIR CTF at DEF CON and documented my findings (and finally got around to finishing this up)

Read More »

Playing with the iOS Powerlog

2_Man-Caraves-Arsdgdsgnold-Schwarzenegger-From-Oak.jpg

I have recently started looking at the wealth of data that can be obtained from file system iPhone extractions; a lot of which has already been explored by Sarah Edwards in her iOS of Sauron presentation, and also recently in her post on the KnowledgeC database.

Based on that I decided to take a look at the powerlog PLSQL SQLite databases on a jailbroken iPhone running iOS 10.2. I would have to double check, but I don’t think this file will get exported from a standard backup, and as a result you’ll have to jail break the device to get at this file.Read More »

Zone Identifier == kMDItemWhereFroms?

A couple weeks ago at Techno Security I saw a presentation about examining cloud storage applications such as Dropbox. Whilst the presentation was great, the main thing I noticed was that when the presenter selected a Zone Identifier ADS there was more than the usual ZoneID=3.

Finally decided to do a little bit more digging!

For background on Zone Identifiers, you can see the paper by Paul Sanderson here.

Read More »