Presented at
Black Hat USA 2011,
Aug. 3, 2011, 1:45 p.m.
(75 minutes).
You recovered a bunch of files from a used hard drive and now what ? If you ever wanted to push Windows offline forensic to the next level, come to our talk where we will show you how to use our open source tool OWADE (Offline Windows Analyzer and Data Extractor) to recover many interesting information from a used hard drive including web credentials, instant messaging credentials and user habits information. We will walk you through the entire recovery chain process and demonstrate how to use OWADE to handle Windows various level of encryption (Syskey, DPAPI…) and extract the maximum information from used drives. OWADE is based on our work on DPAPIck our tool to decrypt DPAPI secrets.
We will present various statistics we computed on the data we gathered from the eBay used hard drive we bought to test and develop OWADE. At the end of the talk we will release OWADE so you can play with it.
Presenters:
Links:
Similar Presentations: