Question

How can I use PRTK/DNA to recover stored passwords and form data from Internet Explorer 7-9 (Intelliforms)?

 

Prerequisites

  • The user's NTUSER.DAT (found in C:\Users\<username>\ or C:\Documents and Settings\<username>\)
  • The Index.dat you wish to attack (there may be several of these in various locations)
  • The user's "Protect" folder, exported with all of its children, retaining folder structure (found in "C:\Users\<username>\AppData\Roaming\Microsoft" or "C:\Documents and Settings\<username>\Application Data\Microsoft")
  • The user's Windows password
  • An empty text file where the recovered data will be stored

 

Procedure

  1. Add the NTUSER.DAT to PRTK/DNA
  2. When prompted, choose which profile to use (this is a decryption attack, so the profile doesn't really matter), and click "Next"
  3. If prompted, choose to use the "ProtectedRegistryMarshall," and click "OK"
  4. Next to the field that prompts for "The full path to the master key" click "Browse"
  5. Find and open the "Protect" folder, highlight the folder inside (should have a name like "S-1-5-21-... "), and click "Select Directory"
  6. Type the user's Windows password in the appropriate field
  7. In the next field, browse to the index.dat file
  8. In the last field, browse to the empty TXT file you created
  9. Click "Finish"

Note: If the TXT file is still blank after the attack, it usually means that you used the wrong Index.dat.
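
A pre-flight check for the exported prerequisites listed above, as an added example (not part of the original article and not AccessData code). The function names and the sample file names are hypothetical; the checks rely on the "regf" registry hive signature, the "Client UrlCache MMF Ver" index.dat header, and master key files being GUID-named inside the SID folder. It does not validate the Windows password or tell you which Index.dat is the right one.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"^S-1-5-21(-\d+)+$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def has_magic(path, magic):
    """True if the file exists and begins with the given signature bytes."""
    if not path.is_file():
        return False
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic

def check_prerequisites(ntuser, protect_dir, index_dat, out_txt):
    """Return a list of problems; an empty list means the inputs look usable."""
    ntuser, protect_dir = Path(ntuser), Path(protect_dir)
    index_dat, out_txt = Path(index_dat), Path(out_txt)
    problems = []
    if not has_magic(ntuser, b"regf"):  # registry hive signature
        problems.append("NTUSER.DAT missing or not a registry hive")
    # The export must keep Protect\<SID>\<master key GUID> intact.
    children = protect_dir.iterdir() if protect_dir.is_dir() else []
    sids = [d for d in children if d.is_dir() and SID_RE.match(d.name)]
    if not sids:
        problems.append("no S-1-5-21-... folder inside the Protect folder")
    elif not any(GUID_RE.match(f.name) for d in sids for f in d.iterdir()):
        problems.append("SID folder holds no GUID-named master key file")
    if not has_magic(index_dat, b"Client UrlCache MMF Ver"):  # IE index.dat header
        problems.append("index.dat missing or lacks the Client UrlCache header")
    if not out_txt.is_file() or out_txt.stat().st_size != 0:
        problems.append("output TXT file missing or not empty")
    return problems

def build_sample(root, keep_structure=True):
    """Create a constructed (fake) export under root and return the four paths."""
    root = Path(root)
    (root / "NTUSER.DAT").write_bytes(b"regf" + b"\0" * 28)
    (root / "index.dat").write_bytes(b"Client UrlCache MMF Ver 5.2\0")
    (root / "out.txt").write_bytes(b"")
    key_dir = root / "Protect"
    if keep_structure:  # constructed SID, not from any real system
        key_dir = key_dir / "S-1-5-21-1111111111-2222222222-3333333333-1001"
    key_dir.mkdir(parents=True)
    (key_dir / "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0").write_bytes(b"\0" * 16)
    return root / "NTUSER.DAT", root / "Protect", root / "index.dat", root / "out.txt"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_prerequisites(*build_sample(tmp)) or "all prerequisites look usable")
```

Run it against the real export paths before starting the attack; a flattened "Protect" export (master key files without their SID folder) is reported before PRTK/DNA ever sees it.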