4 STEPS TO FORENSIC WINDOWS PASSWORD CRACKING

In August 2016, Microsoft released a large Anniversary Update for Windows 10.
In addition to improvements such as a Linux shell, a clean re-installation option,
improved Cortana intelligence, new biometric login options based on Windows Hello,
and other features [1], the update also changed how Windows protects local account
passwords, closing off a trick that scammers had been using as a crude form of
ransomware (see the background section below).
More specifically, Microsoft changed the standard Windows 10 login workflow, as well
as the way the password hash is stored. The hash is still kept in the Security Account
Manager (SAM) hive, but the offset and record format within the key have changed, so
most tools written to pull this data from older Windows versions no longer work.
To counteract the impact on digital forensics examiners, Magnet Forensics developed
a new, free tool. The AXIOM Wordlist Generator offers a repeatable process for
determining and retrieving user passwords based on keywords from a Magnet AXIOM
case file.
Why is doing it this way important? Humans are wired to complete tasks using
minimal effort, and that includes the number of passwords we are willing to
remember [2]. The average individual therefore tends to reuse the same password in
multiple places, and even the more sophisticated, security-minded among us tend to
rely on variations of a single password or on some other easy-to-remember scheme.

Even so, trying to brute-force this password manually could take days or even weeks,
depending on its length and complexity. The AXIOM Wordlist Generator, and the
methodology described in the rest of this white paper, are designed to reduce that
time to less than a day.

[1] Kaelin, Mark, “New security features make Windows 10 Anniversary Update a must,” TechRepublic, July 16, 2016, https://www.techrepublic.com/article/new-security-features-make-windows-10-anniversary-update-a-must/, accessed January 11, 2018.
[2] Help Net Security, “The psychological reasons behind risky password practices,” September 29, 2016, https://www.helpnetsecurity.com/2016/09/29/risky-password-practices/, accessed January 11, 2018.

MAGNET FORENSICS - 4 STEPS TO FORENSIC WINDOWS PASSWORD CRACKING - 1


SOME BACKGROUND ON THE PASSWORD CHANGES
These changes may have been motivated by Microsoft’s desire to discontinue support
for legacy and vulnerable cryptographic algorithms, including the RC4 cipher [3].
Although we know the new location of the encrypted NT LAN Manager (NTLM) hash (a
56-byte record in the user’s “V” value; the hash itself is 16 bytes) and the offset
of the 4-byte pointer to that record (offset 168), the record is still protected by
an encryption key derived from material stored in the SYSTEM hive.
Prior to the 2016 Windows 10 Anniversary Update, System Key (SYSKEY) was the
mechanism that encrypted the hashed password information in the SAM database on
Windows systems. It used a 128-bit key with the RC4 cipher, and that key was stored
in the Windows SYSTEM registry hive by default. SYSKEY could optionally be configured
to require the user to enter the key at boot time as a startup password, or to load
it from removable storage media.
SYSKEY ships with Microsoft Windows and was first introduced with Windows NT 4.0
Service Pack 3 [4]. It was meant to protect against offline password cracking by
preventing the possessor of an unauthorized copy of the SAM from extracting useful
information from it.
However, that optional startup password is now commonly misused by scammers, who set
it on a victim’s computer to lock the victim out and coerce a ransom payment: a crude
form of ransomware.


The hash is still stored in the SAM hive, in the “V” value under the key
HKLM\SAM\SAM\Domains\Account\Users\<RID> (000003E9 in this case), but the offset
and record format within that value have changed.
When you log into a Windows computer, Windows does not compare the password you
typed against a stored password; there is no stored password. Instead, it computes
the NT hash of what you typed (MD4 over the UTF-16LE encoding of the password; this
paper, like most tools, calls it the NTLM hash) and asks the system to decrypt the
encrypted hash held in the SAM hive [5]. Since the Anniversary Update that stored
copy is protected with AES rather than RC4, under a key derived from the boot key
kept in the SYSTEM hive. Windows then compares the two hashes: if they match, you
are allowed access; if they do not, you are not.

[3] Microsoft Support, “RC4 cipher is no longer supported in Internet Explorer 11 or Microsoft Edge,” January 7, 2017, https://support.microsoft.com/en-us/help/3151631/rc4-cipher-is-no-longer-supported-in-internet-explorer-11-or-microsoft, accessed January 11, 2018.
[4] IT Pro Today editorial staff, “How Do I Use the SYSKEY Functionality of Service Pack 3?” IT Pro Today, September 12, 2000, http://www.itprotoday.com/security/how-do-i-use-syskey-functionality-service-pack-3, accessed January 11, 2018.
[5] Hall, Justin, and Liza Poggemeyer, “Preventing Kerberos change password that uses RC4 secret keys,” Microsoft Windows IT Pro Center, November 9, 2016, https://docs.microsoft.com/en-us/windows-server/security/kerberos/preventing-kerberos-change-password-that-uses-rc4-secret-keys, accessed January 11, 2018.


A REPEATABLE PASSWORD CRACKING METHODOLOGY
To recover a usable password for a Windows 10 computer with the 2016 Anniversary
Update (or later) applied, follow these steps:
1. Obtain the SAM and SYSTEM hives from the forensic image.
2. Use a tool that understands the new AES-based record layout to decrypt the
encrypted NTLM hash, using the key material stored in the SYSTEM hive.
3. Use a tool to create a dictionary file of the words contained in the case file
that has been processed.
4. Use a tool to run a dictionary attack against the NTLM hash to recover the
password. (If the password is not in the dictionary, the same tool can run hybrid
and brute-force attacks.)

1. Obtain the SAM and SYSTEM hives from the forensic image
Open the case file within Magnet AXIOM. Using the file system view, browse to the
Windows\System32\Config\ folder and highlight the SAM and SYSTEM registry hives.
Right-click on the highlighted files and choose “Save file/folder to…” to save
copies to the desktop. Working from these copies leaves the evidence image untouched.
Rename the copies to something that shows they are the extracted files; for example,
SYSTEM_e and SAM_e.

Figure 1: Copy out SAM and SYSTEM hives to Desktop


2. Decrypt the encrypted NTLM hash
Decrypting the NTLM hash, now that you have the files it is stored in, involves the
tool mimikatz. Antivirus products flag mimikatz as a hacking tool, not because it is
nefarious by itself but because it can be used for nefarious purposes. Before
extracting mimikatz, then, it is necessary to turn off the antivirus on-access scan,
along with Windows Defender Real-Time Protection. Do this only on an isolated forensic
workstation, prefer an exclusion for the mimikatz folder where the product allows one,
and turn protection back on when the work is finished.
Disabling on-access scanning depends on which antivirus product is installed. To
disable real-time protection, which is likely on by default, open Windows Defender
Security Center and open the Virus & threat protection settings. Look for the
Real-time protection setting and switch it off.

Figure 2: Disabling Windows Defender Real-Time Protection

Once this is done, you can proceed with downloading mimikatz. Find it at
https://github.com/gentilkiwi/mimikatz/releases and download the release archive.
Then extract it to a folder on your desktop. Open an administrator command prompt by
typing CMD in the search box at the bottom left of your desktop, right-clicking the
resulting cmd.exe entry when the search completes, and choosing “Run as administrator.”


Copy the renamed hives extracted from the evidence file into the folder on your
desktop where you extracted mimikatz, next to the mimikatz.exe executable (use the
x64 build on a 64-bit workstation).
In the command prompt, change directories to the mimikatz folder. Then type mimikatz,
which starts the program and provides a shell for further commands.
After you get the “mimikatz #” prompt, type the following command:
lsadump::sam /system:SYSTEM_e /sam:SAM_e
SYSTEM_e and SAM_e are the files copied and renamed in Step 1.
After executing this command, mimikatz presents a list of the decrypted NTLM
password hashes for the local accounts on the system, as seen in Figure 5.

Figure 3: Administrator-level command prompt
Figure 4: mimikatz decrypting the NTLM hash


Figure 5: Decrypted NTLM hashes of accounts stored in the SAM hive

Figure 6: NTLM.txt file containing the decrypted NTLM hash of the user Instruct

Focus on the user named “Instruct” as seen in Figure 5. This user has a RID of
000003e9, the hexadecimal representation of the decimal value 1001.
Right-click in the command prompt, choose “Mark,” and highlight only the NTLM hash
of the Instruct user, “07d46719881c9357cfaf6a909f175717”. Right-clicking the
highlighted text copies it to the clipboard. Open Notepad, paste the hash, and save
the file to your desktop as NTLM.txt. The file should hold just the 32 hexadecimal
characters on a single line, with no username, colon or trailing space, because that
is the form hashcat expects for hash type 1000.


3. Create a dictionary file of the words contained in the processed
case file
Magnet Forensics’ AXIOM Wordlist Generator is the next tool in the Windows
10 password cracking methodology. AXIOM Wordlist Generator extracts all the
words from a Magnet AXIOM case file to prepare a dictionary file for the next
step: cracking the hash to obtain the password.
Download the AXIOM Wordlist Generator from https://www.magnetforensics.com/free-
digital-forensics-software-tools/. When you run the program, you will need to select
both the folder containing the pertinent case file, and the output file for the wordlist.


After you have browsed to the folder containing your case file, choose the option to
browse to the location you want to save your wordlist. Then, save it to the desktop,
naming it “DICTIONARY.txt”. Click Start.

Figure 7: AXIOM Wordlist Generator

Figure 8: AXIOM Wordlist Generator Complete

There is a “words added” indicator next to the start option, which grows incrementally
as words are populated into the DICTIONARY.txt file. When the list-building process
is complete, a pop-up will appear, indicating the wordlist was generated and the total
word count added from the number of cases selected.



4. Run a dictionary attack against the NTLM hash to recover the password
A program called hashcat (https://hashcat.net/hashcat/) uses the dictionary list to
conduct first a dictionary attack and then, if that fails, a hybrid or brute-force
attack against the NTLM hash. hashcat is the tool of choice because it does not only
use the CPU on the motherboard; if the workstation meets the driver requirements
below, it also uses the graphics card GPU, which is far better suited to this kind of
repetitive computation than the CPU.

GPU driver requirements (as listed by hashcat at the time of writing):
• AMD GPUs on Linux require the “RadeonOpenCompute (ROCm)” Software Platform (1.6.180 or later)
• AMD GPUs on Windows require “AMD Radeon Software Crimson Edition” (15.12 or later)
• Intel CPUs require the “OpenCL Runtime for Intel Core and Intel Xeon Processors” (16.1.1 or later)
• Intel GPUs on Linux require the “OpenCL 2.0 GPU Driver Package for Linux” (2.0 or later)
• Intel GPUs on Windows require the “OpenCL Driver for Intel Iris and Intel HD Graphics”
• NVIDIA GPUs require the “NVIDIA Driver” (367.x or later)

After downloading the hashcat utility, unzip it into a folder on your desktop. Copy
the NTLM.txt and DICTIONARY.txt files from your desktop into the hashcat-4.0.1 folder.
Change directories in your command prompt to the hashcat-4.0.1 folder and type the
following command, as seen in Figure 9:

hashcat64.exe -a 0 -m 1000 NTLM.txt DICTIONARY.txt

As Figure 9 shows, hashcat was using the computer’s GPU when the screenshot was taken.

-m 1000 selects the hash type; 1000 is NTLM, the 32-hex-character hash written to
NTLM.txt.
-a 0 selects the attack mode; mode 0 tries every word in the list exactly as it
appears, and is also called “straight” mode.

For a hybrid attack (-a 6, wordlist followed by a mask), the command would look
like this:

hashcat64.exe -a 6 -m 1000 NTLM.txt DICTIONARY.txt ?d?d?d?d

This tries every word in the dictionary with four digits appended (?d is the digit
character set). Examples would be:
• password0000
• password0001
• password0002
• …
• password9999

A pure brute-force run with no wordlist is attack mode 3 (-a 3) with a mask alone;
it is the fallback when neither the straight nor the hybrid attack succeeds.

In Figure 9, a detailed status section indicates whether the password was cracked.
In this case, it was: the Windows password for the user “Instruct” was “8675309NERD”.


Figure 9: hashcat64.exe cracking Windows NTLM hash to discover password

In the hashcat folder is a file named hashcat.potfile. If the password was recovered,
it is recorded there in plain text. Open hashcat.potfile in Notepad to see the
contents. Each line has the form “hash:password”, the decrypted NTLM hash followed by
a colon and the recovered password.
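To make the pieces of Step 4 visible end to end, here is an added example in Python; it is not code from this paper, from Magnet Forensics or from hashcat, and it is a teaching model rather than a substitute for hashcat’s speed. It implements the NT hash that hashcat calls -m 1000 (MD4 over the UTF-16LE password, with a pure-Python MD4 because hashlib’s md4 is disabled on many OpenSSL 3 builds), the straight attack (-a 0), the hybrid word-plus-digits attack (-a 6 with a ?d mask), the straight-then-hybrid order the paper prescribes, and reading and writing hashcat.potfile lines. All function names are this example’s own; `WORDLIST` is a constructed stand-in for DICTIONARY.txt that borrows a few words from the dictionary figure below, and the target hashes are computed here from chosen passwords rather than taken from Figure 5.

```python
"""Added example (not from the Magnet Forensics paper, nor from hashcat):
a pure-Python model of what Step 4 asks hashcat to do.

  nt_hash()          the NT hash hashcat calls -m 1000 (MD4 over UTF-16LE)
  attack_straight()  hashcat -a 0: every word in the list, as-is
  attack_hybrid()    hashcat -a 6 with an all-?d mask: word + N digits
  crack()            straight first, hybrid only if that fails
  potfile helpers    hashcat.potfile lines in "hash:password" form
"""
import struct
from itertools import product

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; returns the 16-byte digest."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl(a + g(b, c, d) + x[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl(a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password, lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def attack_straight(target_hex, wordlist):
    """hashcat -a 0: try each candidate exactly as it appears in the wordlist."""
    target = target_hex.lower()
    for word in wordlist:
        if nt_hash(word) == target:
            return word
    return None


def attack_hybrid(target_hex, wordlist, ndigits=4):
    """hashcat -a 6 with a mask of ndigits '?d': word + every digit string, 0000 first."""
    target = target_hex.lower()
    for word in wordlist:
        for digits in product("0123456789", repeat=ndigits):
            candidate = word + "".join(digits)
            if nt_hash(candidate) == target:
                return candidate
    return None


def crack(target_hex, wordlist, ndigits=4):
    """Step 4 as written: straight attack first, hybrid only if that fails."""
    found = attack_straight(target_hex, wordlist)
    return found if found is not None else attack_hybrid(target_hex, wordlist, ndigits)


def potfile_line(target_hex, password):
    """One hashcat.potfile line: hash, colon, recovered password."""
    return f"{target_hex.lower()}:{password}"


def parse_potfile(text):
    """hashcat.potfile -> {hash: password}; split on the first ':' only,
    because the password itself may contain colons."""
    entries = {}
    for line in text.splitlines():
        if ":" in line:
            h, _, pw = line.partition(":")
            entries[h] = pw
    return entries


# Constructed stand-in for DICTIONARY.txt (a few words from the paper's dictionary
# figure plus filler); targets below are computed here, not taken from Figure 5.
WORDLIST = ["Google", "MS", "CISCO", "CCENT", "CISSP", "8675309NERD", "Nick"]

if __name__ == "__main__":
    target = nt_hash("8675309NERD")
    pw = crack(target, WORDLIST)                     # straight hit
    print(potfile_line(target, pw))
    print(crack(nt_hash("Google2018"), WORDLIST))    # hybrid hit, word + 4 digits
```

The straight pass costs one hash per word; the hybrid pass costs 10,000 per word for a four-digit mask, which is why the paper runs the dictionary attack first and why hashcat’s GPU support matters once the list grows to the size an AXIOM case produces.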

Figure 10: Contents of hashcat.potfile



Also, opening the dictionary file created by the AXIOM Wordlist Generator will show
the password used in the attack (Figure 11).

Figure 11: Contents of DICTIONARY.txt containing the password (excerpt: Google, MS,
8675309NERD, Two, NET, Nick, Day, Net, Signature, CISCO, CCENT, CISSP, CCNA, A,
Certified, Microsoft)

This is not the end. Obtaining a Windows 10 user’s password can aid an investigation
in multiple ways. It can be used to:
• Restore the image to a new hard disk drive, put it in the suspect computer, boot it
and enter Windows with this password. This can be very useful in court to show the
jury what the suspect was seeing, exactly the way he or she saw it.
• Mount the evidence file as a physical disk on the forensic workstation with a
third-party tool such as Mount Image Pro, and then boot the system in a
virtualization tool such as VirtualBox, VMware, or Virtual PC without restoring
the drive.
• Open a TrueCrypt container or other encrypted files that use this same password.
• Understand how the suspect thinks, including what went into creating the passwords.
This can help you guess other passwords for future devices or containers.


COLLECT, ANALYZE, AND PRESENT DIGITAL EVIDENCE WITH
MAGNET AXIOM
Both Magnet AXIOM and Magnet IEF have become among the most widely
used digital forensics tools for the recovery of evidence from hard drives, mobile
devices, and the internet. You can improve the efficiency and effectiveness of your
investigation by using AXIOM to:
• Integrate and analyze images acquired from third-party tools for a more
comprehensive examination. Queue multiple devices and device types for
automated image acquisition.
• Decrypt full disks encrypted with BitLocker, PGP, and TrueCrypt (and more to
follow) within the investigative workflow.
• Recover more artifacts from unstructured data sources such as unallocated
space, pagefile.sys, hibernation files, and volume shadow copies; extract data
from fragmented files and databases that are not sequential, out of order, or
missing entirely
• Automatically connect the artifacts to show the relationships between them,
helping to establish—or disprove—intent.
• Trace app and file artifact evidence back to its source location within storage
media, verifying in one click that it exists as reported.
• Aggregate event, location, source and artifact data from multiple devices and
the cloud into one case file to create a fully interactive, exportable timeline.
• Tell the evidentiary story through searching and filtering, using visualization
techniques such as mapping, rebuilding webpages and chat threads. Layer in
filters for geotag information, dates and times, browsing history, and more.
• Identify possible child luring intent in chat messages with integrated Magnet.AI.
• Import and export pictures between AXIOM and Project VIC and ICSE to process
them against known hash sets; and between AXIOM and Griffeye to integrate
uncategorized-to-categorized data back into AXIOM.
• Share all found or a targeted subset of evidence in a Portable Case to stakeholders
at all technical skill levels – whether they have a license or not. Merge their
comments and tags back in quickly and easily for the best collaboration.
• Take our four-day Magnet AXIOM Examinations (AX200) training course to learn
how to maximize these capabilities for your investigations. Skilled trainers bring
context and value of their extensive practical experience.



Find out how Magnet AXIOM can help
If you’d like to learn more about Magnet AXIOM and how it can help you, visit
magnetaxiom.com. While you’re there, you can learn more about the product,
request an in-depth personal demo from an AXIOM expert, and request a free
30-day trial version.

Learn more at magnetforensics.com

For more information call us at 1-844-638-7884


or email sales@magnetforensics.com

© 2018 Magnet Forensics Inc. All rights reserved. Magnet Forensics®, Internet Evidence Finder®, IEF®, Magnet™, AXIOM™,
Magnet.AI™, ACQUIRE™ and related trademarks, names and logos are the property of Magnet Forensics and are registered and/
or used in the U.S. and countries around the world. All other trademarks cited herein are the property of their respective owners.
