Digital Forensics, Part 11: Recovering Stored Passwords from the Browser

Digital Forensics

Welcome back, my aspiring cyber warriors!

When conducting a forensic investigation on a suspect’s computer, the first step, of course, is to make a forensically sound image of the storage devices and if the system is running, make a forensically sound image of the RAM, as well.

Sometimes, we may want to gain access to the suspects’s online accounts including their banking, Facebook, email and other accounts. These may help us to determine what the suspect was doing, planning or thinking before or during the commission of the crime. Since many people store their passwords in the browser (remember me?), you may be able to recover the passwords to all these accounts and access these accounts.

Stored Passwords

When you login to Facebook, your bank, your email account or any online account, you may be asked whether you want the site to “remember you”. Although this is not a best practice for keeping your credentials safe, a great many people use it for convenience. When the individual clicks “yes”, the credentials are then stored in the browser.

If we have the suspect’s computer password (see password recovery with mimikatz), we should be able to access ALL of their online accounts passwords that are stored in the browser.

Each of the browsers store the passwords slightly differently, so let’s look at each of the major browser; Chrome, Firefox and IE and Edge.

1. Google Chrome

To access the stored passwords in Google’s Chrome, click on the three stacked dots at the upper right hand corner of the browser. This will open a menu like below.

Click on Settings. This will open a screen of all the accounts, usernames and passwords stored in Chrome. As you can see below, this suspect has their Facebook and bank accounts stored in this browser. To recover the password, simply click on the eye-like icon.

This opens a Window asking for the user’s system password. Remember, you can recover the user’s password from RAM using mimikatz.

Enter the user’s system password and the password to the account will be revealed!

2. Mozilla Firefox

In Mozilla’s Firefox, one doesn’t even need the user’s system password to recover the individual account passwords stored in Mozilla. Click on the three bar icon on the upper right of the browser and the menu below appears.

Click on “Logins and Passwords” and all of the accounts with stored credentials appear with the stored passwords in clear text!

3. Internet Explorer and Edge

Internet Explorer and Edge work slightly differently. Since these browsers are built by Microsoft, recovery of stored account passwords is integrated into the operating system.

First, click on Control Panel.

Then click on User Accounts.

This opens a window like below. Click on “Manage your credentials”.

This opens a window similar to Chrome asking you for the user’s password (remember, mimikatz can recover the password among other applications).

Enter the user’s system password here and a Window will open displaying all the users accounts. Simply click on the down arrow next the account you want the password from.

Now click “Show”.

Here we can see that the browser displays for us the user’s (suspect@cybercrime.com) saved password on their Dropbox account. We can access all their material on DropBox.

Summary

When conducting an investigation of running computer systems, after taking images of the RAM and the storage media, you may be able to recover online account passwords from the browser. This may help to find evidence of the suspect’s activities before the computer system was seized and provide further evidence from their email, social media accounts or bank accounts.