Showing posts from 2014

Digital Forensics Tools Bookmarks

We want to share with you a list of bookmarks related to hardware and software tools for Digital Forensics acquisition and analysis. The bookmark file is in Mozilla Firefox format, so it can be imported directly into Firefox. You can download the file from If you are interested in adding a tool to our list, please contact me at mattia @

mimikatz offline addendum

I must admit I did not expect so many acknowledgments for writing the volatility mimikatz plugin. I want to say thanks to all the people who tweeted, emailed (and so on) me: it is just a piece of the puzzle, and the big pieces are those from volatility and from mimikatz. First, I want to say thanks to Andrew Case, for the support and for having tweeted about the plugin: probably all those acks are because Andrew is an uber-well-known DFIR expert! Then I want to say thanks to Kristinn Gudjonsson, my favorite plaso "harsh" reviewer, who spotted some "devil" (you wrote it! ;) issues in my code, such as the multiple inheritance I used... lol, I will fix it! Last but not least I want to once again say thanks to Benjamin aka gentilkiwi, who wrote an e-mail to me congratulating me on the plugin. With this post, I want to point out some features of mimikatz that I had not considered in the first instance. mimikatz can work offline In the previous post

et voilà le mimikatz offline

In one of my recent cases, I needed to recover the Windows user password: I had different OSes with various levels of cryptography, mainly at file level. Usually I think it's a good approach to recover as many hints as possible, to derive a scheme and/or to find a way to access the data.

ODI

I like to call it ODI (Offensive Digital Investigations; in Italian "odi" means hear, find out). I remember an old case where I got 500+ strongly encrypted archives... too many without a password catalog. I searched for the weakest protection and I found three zip-crypto (not a strong protection) archives: I cracked them in a few days and then I was able to derive the schema to access all of them. I was lucky. This time I felt that the Windows user password was the... key. Usually the dirty work is done with rainbow tables, but no way: I was unable to crack the Windows 7 user password.

mimikatz

I don't remember exactly why I was playing with mimikatz (hem, c