Question

How can I use PRTK/DNA to recover stored passwords and form data from Internet Explorer 10-11 (Windows Vault)?

 

Prerequisites

  • The contents of the user's Microsoft Vault folder (typically at "C:\Users\<username>\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), all stored in a single local folder. This should include a "Policy.vpol", a ".vsch" file, and one or more ".vcrd" files.
  • The user's "Protect" folder, exported with all of its children, retaining folder structure (found in "C:\Users\<username>\AppData\Roaming\Microsoft")
  • The user's Windows password
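
A pre-flight check for the exported material listed above, as an added example that is not part of the original article or of PRTK/DNA: it confirms the Vault and Protect exports contain the expected files before a job is created. The function names, the sample file names and the sample SID are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SID_DIR = re.compile(r"^S-1-5-21-", re.IGNORECASE)  # folder name pattern given on the page

def check_export(vault_dir, protect_dir):
    """Return a list of problems; an empty list means the export looks complete."""
    problems = []
    vault, protect = Path(vault_dir), Path(protect_dir)
    if not vault.is_dir():
        problems.append(f"Vault folder not found: {vault}")
    else:
        # Lower-case the names: they come from a case-insensitive Windows volume.
        names = [p.name.lower() for p in vault.iterdir() if p.is_file()]
        if "policy.vpol" not in names:
            problems.append("Policy.vpol is missing")
        if not any(n.endswith(".vsch") for n in names):
            problems.append("no .vsch file")
        if not any(n.endswith(".vcrd") for n in names):
            problems.append("no .vcrd file")
    if not protect.is_dir():
        problems.append(f"Protect folder not found: {protect}")
    else:
        sid_dirs = [p for p in protect.iterdir() if p.is_dir() and SID_DIR.match(p.name)]
        if not sid_dirs:
            problems.append("no S-1-5-21-... folder inside Protect")
        for d in sid_dirs:
            # Assumption: an export that kept its children has files in this folder.
            if not any(c.is_file() for c in d.iterdir()):
                problems.append(f"{d.name} is empty")
    return problems

def build_sample(root, vault_files, sid_files):
    """Constructed sample export; every name except Policy.vpol is made up."""
    vault = Path(root) / "Vault"
    sid = Path(root) / "Protect" / "S-1-5-21-1111111111-2222222222-3333333333-1001"
    vault.mkdir(parents=True)
    sid.mkdir(parents=True)
    for name in vault_files:
        (vault / name).write_bytes(b"")
    for name in sid_files:
        (sid / name).write_bytes(b"")
    return vault, sid.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        v, p = build_sample(tmp, ["Policy.vpol", "sample.vsch", "sample.vcrd"], ["masterkey"])
        print(check_export(v, p) or "export looks complete")
```
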

 

Procedure

  1. Add the "Policy.vpol" to PRTK/DNA
  2. When prompted, choose which profile to use (this is a decryption attack, so the profile doesn't really matter), and click "Next"
  3. Next to the field that prompts for "The full path to the master key" click "Browse"
  4. Find and open the "Protect" folder, highlight the folder inside (should have a name like "S-1-5-21-... "), and click "Select Directory"
  5. Type the user's Windows password in the appropriate field
  6. Click "Finish"
  7. When the process is complete, the recovered passwords will be listed in the Properties window for the job