In forensics, let the evidence speak; never let your own preconceptions decide the case. Avoid painting the target after shooting the arrow, that is, searching only for what you already want to find. The foundation of forensics rests on experience and judgment: the broader your experience across the IT fields, the more readily you spot the clues. Make good use of tools, but do not over-rely on them. A tool can only narrow the range of possibilities; it cannot give you the answer, which still requires a human to analyse and judge.



Usually we use LiveView or VFC to "boot up" the evidence files acquired from the suspect's computer or laptop. What if his/her OS is Win10? Win10 has two account types: one is the Local User Account, and the other is the Live ID Account. For VFC, bypassing a Local User Account password is just a piece of cake (sorry, not including Win10~). Let's see if VFC could bypass the password of a Live ID Account. Unfortunately VFC failed to bypass it, and the error message is as below:



Now I show you another option, "Lazesoft". Let's use it to take care of a Win10 Local User Account first. I use Lazesoft to create a bootable Live CD/ISO so as to take care of the Win10 logon password. Of course, you must first change the boot priority so that the machine boots from the disc without fail.



Let's proceed to reset the Win10 logon password.



Now we'd like to reset the password of a local user account "Rick".


Good job~ It works~


Now the password is "empty" for this local user account "Rick", so we can log in and conduct live forensics.


What about a Live ID account? The Live ID account credential "may" exist on this computer/laptop after the user has logged in.


Unfortunately, neither Lazesoft nor Elcomsoft managed to reset the password of a Live ID account.


What about a domain user account? If this computer/laptop is a member of an Active Directory domain, Lazesoft cannot reset the password of a domain user account. You should use Elcomsoft password recovery to handle a domain user account password.
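Before choosing a reset approach, it helps to know which of the three account kinds described above (local, Live ID / Microsoft account, domain) actually exist on the booted system. The following PowerShell is an added triage example, not code from the original post or from Lazesoft/Elcomsoft. It assumes the Win10 evidence VM has been booted and logged on, that PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module is available, and that `PrincipalSource` is populated; the guidance strings simply restate what the post found to work for each account type.

```powershell
# Added triage example, not part of the original post. Run in an elevated
# PowerShell on the booted Win10 evidence VM after logon (assumes Windows 10,
# PowerShell 5.1+, Microsoft.PowerShell.LocalAccounts module available).
function Get-AccountTriage {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Every account in the local SAM, with where its principal comes from.
    # PrincipalSource distinguishes a plain local account ('Local') from one
    # linked to a Microsoft / Live ID account ('MicrosoftAccount'), which is
    # exactly the split the post describes.
    $locals = Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            PrincipalSource = $_.PrincipalSource
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
        }
    }

    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain   # domain-joined machines need a different approach
        Domain        = $cs.Domain
        LocalAccounts = $locals
    }
}

# Map each account type to the approach the post found to work (assumed mapping).
function Get-ResetGuidance {
    param([Parameter(Mandatory)] $Triage)

    foreach ($acct in $Triage.LocalAccounts) {
        $note = switch ("$($acct.PrincipalSource)") {
            'Local'            { 'Local account: a Lazesoft Live CD reset works (as shown with "Rick").' }
            'MicrosoftAccount' { 'Live ID / Microsoft account: neither Lazesoft nor Elcomsoft reset it in the post.' }
            default            { "Unrecognised PrincipalSource '$($acct.PrincipalSource)'; inspect manually." }
        }
        [pscustomobject]@{ Account = $acct.Name; Guidance = $note }
    }

    if ($Triage.PartOfDomain) {
        [pscustomobject]@{
            Account  = "<domain users of $($Triage.Domain)>"
            Guidance = 'Domain account: Lazesoft cannot reset it; the post uses Elcomsoft password recovery.'
        }
    }
}

$triage = Get-AccountTriage
$triage | Select-Object ComputerName, PartOfDomain, Domain | Format-List
$triage.LocalAccounts | Format-Table -AutoSize
Get-ResetGuidance -Triage $triage | Format-Table -AutoSize
```

Run this only against the working copy you booted, never the original evidence image; the `LastLogon` and `PasswordLastSet` columns also give you a quick sanity check that the account you just reset is the one you expected to touch.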


posted on 2017-08-05 08:50  Pieces0310