How to find hidden passwords (and how to protect them)

While preparing to teach a computer forensic workshop, I discovered a new live Linux distribution entitled C.A.IN.E, (Computer Aided Investigative Environment.) This software is one of a few live Linux distributions that allows a user to boot Linux from a CD or DVD and start a forensic investigation. The distribution includes tools to make forensic and analyze forensic images. Since it is freeware, it is easy to make use of the software as part of the workshop.

In addition to Linux tools, NBCAINE version 2.5 includes WinTaylor, a set of tools that are designed to run on a Windows system.This software can be loaded onto a USB through the “dd” utility. (Once loaded on the USB,  a user can boot the live distro off of the USB and not access the WinTaylor tools or plug the USB into a running Windows system and access the WinTaylor tools.) Included in the WinTaylor section of the software are Windows based tools from NirSoft that allow a user to recover passwords saved in popular web browsers, view recent file activity on the Windows system, view information about USB drives attached to the computer and more.

The NirSoft tools include some noteworthy ones that are designed to uncover passwords stored on Windows systems. For example, when you log into a password protected website, Internet Explorer (and other browsers) give you the option to save the login information so that you don’t need to enter it the next time. A Nirsoft utility, iepv.exe(Internet Explorer Password Viewer), retrieves and displays the userids and passwords. If you use Microsoft Outlook and save your POP3 or IMAP password,  the Nirsoft utility mailpv.exe will retrieve and display the accounts and passwords saved in Outlook. And, WirelessKeyView.exe will display the wireless network names and associated passwords that are stored in your system.

I encourage you to obtain these tools and run them on your system to reveal how many passwords are stored on your system. If you discover sensitive passwords stored on your system and you allow others to use your system, you will want to ensure that you clean out the stored passwords.

While you might not be able to delete all of the saved passwords, at least you will now have a better handle on all of the passwords stored on your system that are recoverable.