Live Forensics – Extracting Credentials on Windows and Linux Systems

Keywords: DPAPI, LSA, Protected Storage, registry, Chrome, Firefox, Ubuntu, gnome-keyring

Abstract: 'Post-mortem' analysis of a system can be greatly simplified if the correct information is gathered in the live analysis stage. In this paper I describe Windows' data protection APIs available to developers, some simplified versions of the API (LSA Secrets, Protected Storage), the different methods applications use to store their passwords safely, and comparisons between them. As an example, I have built tools to dump passwords saved by browsers (Chrome, IE, Firefox) and an extractor of the login password (if available) from the registry. The basic concepts of how passwords may be stored apply to the majority of applications that run on Windows and store passwords (protected or not), and understanding them also makes the recovery of other credentials possible (messaging software, mail clients, ...). On the Linux side, I have analyzed a general method of storing passwords – keyrings – and the method adopted by the Chrome browser, and built extraction command line tools for both of them, in the form of a Python script and a C++ application.