Wednesday, January 28, 2009

Using Volatility (1.3_Beta), Volatility Plugin from Moyix, a test RAM Image (xp-laptop-2005-06-25.img) and a Windows Hash/Password Finder (SamInside or Cain and Abel) identify the passwords for the following users: Sarah, phoenix and the Administrator.

1. Run hivescan to get hive offsets

command: python volatility hivescan -f "C:\Dump\xp-laptop-2005-06-25.img"

Offset (decimal) Offset (hex)
42168328 0x2837008
42195808 0x283db60
47592824 0x2d63578
207677272 0xc60e758
207736840 0xc61d008
207759192 0xc622758
207822 ***** Truncated to save some space

2. Run hivelist with the first hivescan offset

command: python volatility hivelist -f "C:\Dump\xp-laptop-2005-06-25.img" -o 0x2837008

Address Name
0xe1ecd008 \Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1eff758 \Documents and Settings\Sarah\NTUSER.DAT
0xe1bf9008 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c26850 \Documents and Settings\LocalService\NTUSER.DAT
0xe1bf1b60 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c2a758 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1982008 \WINDOWS\system32\config\software
0xe197f758 \WINDOWS\system32\config\default
0xe1986008 \WINDOWS\system32\config\SAM
0xe197a758 \WINDOWS\system32\config\SECURITY
0xe1558578 [no name]
0xe1035b60 \WINDOWS\system32\config\system
0xe102e008 [no name]

3. Dump the password hashes with hashdump (-y is the System hive offset, -s is the SAM hive offset) and send the output to a text file.

command: python volatility hashdump -f "C:\Dump\xp-laptop-2005-06-25.img" -y 0xe1035b60 -s 0xe1986008 > Password_Hash.txt


4. Import Password_Hash.txt into a password finder (SamInside, Cain and Abel, ...).

User: Sarah Password: Empty
User: phoenix Password: Neon96
User: Administrator Password: Neon1996
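As an added example (not code from the post), a small Python helper that glues steps 2 to 4 together: it reads hivelist output, picks the SYSTEM and SAM offsets for the hashdump command, and flags blank passwords and stored LM hashes in the resulting file. The hashdump lines below are constructed (the post's real Password_Hash.txt is not shown), and the user:rid:lm:nt::: column layout is assumed to match what Volatility's hashdump writes.

```python
import re
# hivelist output from step 2 of the post, trimmed to the rows that matter.
HIVELIST_OUTPUT = """Address Name
0xe1986008 \\WINDOWS\\system32\\config\\SAM
0xe1558578 [no name]
0xe1035b60 \\WINDOWS\\system32\\config\\system
"""
# Constructed user:rid:lm:nt::: lines; the post's real Password_Hash.txt is not shown.
HASHDUMP_OUTPUT = """Administrator:500:11111111111111111111111111111111:22222222222222222222222222222222:::
Sarah:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
phoenix:1004:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

def parse_hivelist(text):
    """Map each hive path (or '[no name]') to its virtual address."""
    hives = {}
    for line in text.splitlines()[1:]:  # skip the 'Address Name' header
        m = re.match(r"(0x[0-9a-f]+)\s+(.+)$", line.strip(), re.I)
        if m:
            hives[m.group(2)] = int(m.group(1), 16)
    return hives

def find_hive(hives, leaf):
    """Address of \\config\\<leaf>, matched case-insensitively; fail if not unique."""
    hits = [a for p, a in hives.items() if p.lower().endswith("\\config\\" + leaf.lower())]
    if len(hits) != 1:
        raise ValueError("expected one %s hive, found %d" % (leaf, len(hits)))
    return hits[0]

def hashdump_command(image, hivelist_text):
    """Build the step-3 hashdump command (-y SYSTEM, -s SAM) from raw hivelist output."""
    hives = parse_hivelist(hivelist_text)
    return 'python volatility hashdump -f "%s" -y 0x%x -s 0x%x' % (
        image, find_hive(hives, "system"), find_hive(hives, "SAM"))

def audit_hashdump(text):
    """Per user: flag a blank password (empty NT hash) and a stored LM hash."""
    findings = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) < 4 or not f[1].isdigit():
            continue
        lm, nt = f[2].lower(), f[3].lower()
        findings[f[0]] = (["empty password"] if nt == EMPTY_NT else []) + (
            ["LM hash stored"] if lm != EMPTY_LM else [])
    return findings
```

An account whose NT hash equals the empty-string hash has no password at all (Sarah in the post), and any LM hash other than the empty-string value means a weak LM hash is still being stored alongside the NT hash.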


CG said...

awesome post!

Warlock said...

Excellent post !

volfenstein said...

Hello! Very interesting article.
With the test image (xp-laptop-2005-06-25.img) all is fine, but other images give errors:
ERR: Couldn't find subkey Select of SAM or
ERR: Couldn't find subkey ControlSet001 of SAM.
Please help. We are grateful.

Sean said...

In response to volfenstein, I noticed the same failure, but the image was from Windows XP SP3. I'd imagine this has something to do with it.

Anonymous said...

When I execute hib2mem it simply crashes... have no idea why! I get one of those windows where it says "Would you like to send Microsoft a report with all the information about the disaster that just happened?? We care about it... ¬_¬'". Can't get a dd image from hiberfil.sys :'(

ForensicZone said...

Anonymous- Goto to convert a hiberfil.sys to dd style output. It is an 4w3s0m3 program (and I don't use the word awesome very much!!!)

Anonymous said...

Thanks so much for the tip ForensicZone but the same happens with hibrshell. When I execute the command it crashes while "Retrieving Kernel Image base". I tried with 3 different hiberfil.sys files so I guess it's not the file. The bad thing is that I also tried with different pcs and it crashed too, this means that I have no idea of what it can be. Do I need any extra software? Has anyone the same problem?

Jon said...

Any ideas on this error:

C:\Python25>python volatility hashdump -f "C:\Dump\xp-laptop-2005-06-25.img" -y
0xe1035b60 -s 0xe1986008>Password_Hash.txt
Traceback (most recent call last):
File "volatility", line 219, in module
File "volatility", line 215, in main
File "memory_plugins\registry/", line 78, in execute
dump_memory_hashes(addr_space, types, self.opts.syshive, self.opts.samhive,
File "C:\Python25\forensics\win32\", line 302, in dump_memory_hashe
dump_hashes(sysaddr, samaddr, profile)
File "C:\Python25\forensics\win32\", line 290, in dump_hashes
hbootkey = get_hbootkey(samaddr,bootkey,profile)
File "C:\Python25\forensics\win32\", line 155, in get_hbootkey
md5 =
AttributeError: 'module' object has no attribute 'new'


On the line 219 area I had to take out a less-than and greater-than sign around the word module because the blog thought it was unacceptable HTML code.

I've tried this with both python 2.5 and 2.6. I was also using volatility 1.3 beta.

I was following the article step by step even copy and pasting commands.

Thanks in advance.

Kush Wadhwa said...

Why are we taking only the first value, "0x2837008"? We can take the other values as well, since the hex values of the system hive offset and the SAM hive offset come out the same. If there is any other reason, then please let me know, and if it's a stupid question, then I am sorry for that. Looking forward to the answer.
