Forensics Tips

Any usable information for forensics researchers about methods for obtaining various types of forensics data


Areas of Expertise

We specialize in application forensics, information security and the Windows operating system.

Chrome Credentials

Chrome credentials are stored inside an SQLite3 database

Chrome stores the user’s credentials inside a special folder called “the profile folder”. It contains several files for various purposes, among them the 'Web Data' file, where credentials are stored. In newer versions of Chrome, the file used is 'Login Data', an SQLite3 database with many tables that can be used in conjunction to get an accurate snapshot of the user’s activity since Chrome was installed. Among the forensic details that can be found there are autocomplete entries, logins, search keywords and more. For stored credentials, the ‘logins’ table is examined.

 

Wi-Fi Credentials


When you connect to a Wi-Fi network and choose to save the credentials, they can later be fetched not only by Windows but by anyone who knows where and how to look for them. The location differs between versions of Windows.

The more recent Windows “Native Wifi” provides a better way to access the Wi-Fi credentials, as it is the front end for any API call to the automatic configuration component, which configures, connects to and disconnects from a Wi-Fi network. Further, Windows Native Wifi can store profiles of the networks it interacts with in the form of XML documents.
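As an added illustration, not code from the original page or from the tool it describes, this Python function audits a Native Wifi profile XML document for weak authentication, weak ciphers and key material stored without protection. The element names follow Microsoft's WLAN profile schema; the sample profiles, the `make_profile` helper and the finding labels are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
WEAK_AUTH = {"open", "shared", "WPA", "WPAPSK"}  # no auth, WEP shared key, WPA1
WEAK_CIPHER = {"none", "WEP", "TKIP"}

def audit_profile(xml_text):
    """Summarise one WLAN profile; the key material itself is never returned."""
    if "<!DOCTYPE" in xml_text:  # profiles need no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in profile")
    root = ET.fromstring(xml_text)
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    sec = "w:MSM/w:security/"
    auth = text(sec + "w:authEncryption/w:authentication")
    cipher = text(sec + "w:authEncryption/w:encryption")
    has_key = text(sec + "w:sharedKey/w:keyMaterial") is not None
    protected = text(sec + "w:sharedKey/w:protected")
    findings = []
    if auth in WEAK_AUTH:
        findings.append("weak-authentication")
    if cipher in WEAK_CIPHER:
        findings.append("weak-cipher")
    if has_key and protected != "true":  # passphrase sits in the XML in cleartext
        findings.append("key-stored-unprotected")
    if text("w:connectionMode") == "auto" and cipher == "none":
        findings.append("auto-connect-to-open-network")
    return {"ssid": text("w:SSIDConfig/w:SSID/w:name"), "auth": auth,
            "cipher": cipher, "key_present": has_key, "findings": findings}

# Constructed sample profiles (not taken from a real system).
def make_profile(ssid, auth, cipher, mode, shared_key=""):
    return (f'<WLANProfile xmlns="{NS["w"]}"><name>{ssid}</name>'
            f'<SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>'
            f'<connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>'
            f'<MSM><security><authEncryption><authentication>{auth}</authentication>'
            f'<encryption>{cipher}</encryption></authEncryption>{shared_key}</security></MSM></WLANProfile>')

KEY = ('<sharedKey><keyType>passPhrase</keyType><protected>{}</protected>'
       '<keyMaterial>CONSTRUCTED-PLACEHOLDER</keyMaterial></sharedKey>')
SAMPLES = [
    make_profile("ExampleCorp", "WPA2PSK", "AES", "manual", KEY.format("true")),
    make_profile("ExampleCafe", "open", "none", "auto"),
    make_profile("ExampleLab", "WPA2PSK", "AES", "auto", KEY.format("false")),
]

if __name__ == "__main__":
    print([audit_profile(s) for s in SAMPLES])
```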

 

 

Internet Explorer Credentials

Internet Explorer allows two methods of credential storage: website credentials (for example, your Facebook user name and password) and autocomplete data. Since version 10, instead of using the Registry, a new term was introduced: Windows Vault. Windows Vault is the default storage vault for the Credential Manager information.

Our tool is able to fetch all stored Internet Explorer credentials.

Firefox Credentials

Firefox has become much more secure in recent versions, compared both to previous versions and to other browsers. In the past, it was enough to fetch the signons.txt file located in the Firefox profile directory and find all stored credentials there. From version 3.5, the textual format has been replaced with a combination of an SQLite database and a JSON file (namely ‘logins.json’). In addition, if a “master key” is set, there is no way to decrypt the stored credentials without knowing this key first. When a master key isn't set, you can find the data in logins.json and decrypt the credentials. Both the user name and the password of each credential are encrypted using PKCS#11.

Our tool is able to fetch all stored Firefox credentials if there is no Master Password set, or if there is one set and it is known to the operator running our tool, or if it isn't known and can be found using brute-force and dictionary-attack-based methods.



WHO WE ARE

Secured Globe redefines corporate security by integrating corporate tools with security appliances, placing it ahead of cyber threats. Our mission is to provide endpoint security solutions for each need. As threats are always changing, it is important that we always stay ahead in the game. Our vision and mission are to contain all possible threats, create a safe working and product environment and scale all threats in a manageable way. We believe bridging the latest cyber technology with your organization's everyday needs empowers your business. We are here to offer a state-of-the-art solution with unique Inside and Out™ technology for your organization.
