Question
How can I use PRTK/DNA to recover stored passwords and form data from Internet Explorer 10-11 (Windows Vault)?
Prerequisites
- The contents of the user's Microsoft Vault folder (typically at "C:\Users\<username>\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), all stored in a single, local folder. This should include a "Policy.vpol", a ".vsch" file, and one or more ".vcrd" files.
- The user's "Protect" folder, exported with all of its children, retaining folder structure (found in "C:\Users\<username>\AppData\Roaming\Microsoft")
- The user's Windows password
Procedure
- Add the "Policy.vpol" to PRTK/DNA
- When prompted, choose which profile to use (this is a decryption attack, so the profile doesn't really matter), and click "Next"
- Next to the field that prompts for "The full path to the master key" click "Browse"
- Find and open the "Protect" folder, highlight the folder inside (should have a name like "S-1-5-21-... "), and click "Select Directory"
- Type the user's Windows password in the appropriate field
- Click "Finish"
- When the process is complete, the recovered passwords will be listed in the Properties window for the job
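Before starting the job, it helps to confirm that the export meets the prerequisites above. The following pre-flight check is an added example, not part of PRTK/DNA or the original article; the function names, the sample SID and the sample file names are constructed, and the GUID naming of master key files inside the SID folder is the standard DPAPI layout rather than something stated on this page.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"^S-1-5-21(-\d+)+$")
# Assumption: DPAPI master key files are named with a GUID inside the SID folder.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def check_vault_export(vault_dir, protect_dir):
    """Return a list of problems; an empty list means the export looks complete."""
    vault, protect = Path(vault_dir), Path(protect_dir)
    if not vault.is_dir():
        return [f"vault folder not found: {vault}"]
    problems = []
    names = [p.name.lower() for p in vault.iterdir() if p.is_file()]
    if "policy.vpol" not in names:
        problems.append("Policy.vpol missing from vault folder")
    if not any(n.endswith(".vsch") for n in names):
        problems.append("no .vsch file in vault folder")
    if not any(n.endswith(".vcrd") for n in names):
        problems.append("no .vcrd files in vault folder")
    if not protect.is_dir():
        return problems + [f"Protect folder not found: {protect}"]
    sid_dirs = [d for d in protect.iterdir() if d.is_dir() and SID_RE.match(d.name)]
    if not sid_dirs:
        problems.append("no S-1-5-21-... folder inside Protect (structure lost?)")
    for d in sid_dirs:
        if not any(f.is_file() and GUID_RE.match(f.name) for f in d.iterdir()):
            problems.append(f"{d.name}: no GUID-named master key file")
    return problems

def build_sample(root, with_vcrd=True, with_masterkey=True):
    """Create a constructed sample export made of empty files (demo only)."""
    vault = Path(root) / "Vault"
    sid = Path(root) / "Protect" / "S-1-5-21-1111111111-2222222222-3333333333-1001"
    vault.mkdir(parents=True)
    sid.mkdir(parents=True)
    (vault / "Policy.vpol").touch()
    (vault / "sample.vsch").touch()
    if with_vcrd:
        (vault / "sample.vcrd").touch()
    if with_masterkey:
        (sid / "01234567-89ab-cdef-0123-456789abcdef").touch()
    return vault, Path(root) / "Protect"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        vault, protect = build_sample(tmp, with_vcrd=False)
        print(check_vault_export(vault, protect) or "export looks complete")
```

The check only looks at file and folder names, so it catches an incomplete or flattened export but does not confirm that the master key matches the vault.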