Question
How can I use PRTK/DNA to recover stored passwords and form data from Internet Explorer 7-9 (Intelliforms)?
Prerequisites
- The user's NTUSER.DAT (found in C:\Users\ or C:\Documents and Settings\)
- The Index.dat you wish to attack (there may be several of these in various locations)
- The user's "Protect" folder, exported with all of its children, retaining folder structure (found in "C:\Users\<username>\AppData\Roaming\Microsoft" or "C:\Documents and Settings\<username>\Application Data\Microsoft")
- The user's Windows password
- An empty text file where the recovered data will be stored
Procedure
- Add the NTUSER.DAT to PRTK/DNA
- When prompted, choose which profile to use (this is a decryption attack, so the profile doesn't really matter), and click "Next"
- If prompted, choose to use the "ProtectedRegistryMarshall," and click "OK"
- Next to the field that prompts for "The full path to the master key" click "Browse"
- Find and open the "Protect" folder, highlight the folder inside (should have a name like "S-1-5-21-... "), and click "Select Directory"
- Type the user's Windows password in the appropriate field
- In the next field, browse to the index.dat file
- In the last field, browse to the empty TXT file you created
- Click "Finish"
Note: If the TXT file is still blank after the attack, it usually means that you used the wrong Index.dat.
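A pre-flight check for the prerequisites listed above, as an added example that is not part of the original article or of PRTK/DNA: it confirms that the exported files are the right kind before they are loaded into the tool. The function names, the sample SID and the sample master key file name are constructed for illustration; the check relies on the standard "regf" hive signature, the "Client UrlCache MMF" index.dat signature and GUID-named DPAPI master key files.

```python
import re
import tempfile
from pathlib import Path

REGF = b"regf"                     # signature at the start of a registry hive
URLCACHE = b"Client UrlCache MMF"  # signature at the start of an IE index.dat
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def has_magic(path, magic):  # True if path is a file starting with the signature
    if not Path(path).is_file():
        return False
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic


def check_evidence(ntuser, protect, index_dat, out_txt):
    """Return a list of problems; an empty list means the inputs look usable."""
    problems = []
    if not has_magic(ntuser, REGF):
        problems.append("NTUSER.DAT missing or not a registry hive")
    if not has_magic(index_dat, URLCACHE):
        problems.append("index.dat missing or not an IE URL cache file")
    subdirs = Path(protect).iterdir() if Path(protect).is_dir() else []
    sid_dirs = [d for d in subdirs if d.is_dir() and SID_RE.match(d.name)]
    if not sid_dirs:
        problems.append("Protect folder has no S-1-5-21-... subfolder")
    for d in sid_dirs:
        if not any(f.is_file() and GUID_RE.match(f.name) for f in d.iterdir()):
            problems.append(f"{d.name}: no GUID-named master key file")
    if not Path(out_txt).is_file() or Path(out_txt).stat().st_size:
        problems.append("output TXT file missing or not empty")
    return problems


def build_sample(root):
    """Create a constructed (fake) evidence tree, for demonstration only."""
    sid = Path(root, "Protect", "S-1-5-21-1111111111-2222222222-3333333333-1001")
    sid.mkdir(parents=True)
    (sid / "0a1b2c3d-1111-2222-3333-444455556666").write_bytes(b"constructed")
    files = {"NTUSER.DAT": REGF, "index.dat": URLCACHE + b" Ver 5.2", "out.txt": b""}
    for name, data in files.items():
        Path(root, name).write_bytes(data)
    return [Path(root, n) for n in ("NTUSER.DAT", "Protect", "index.dat", "out.txt")]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_evidence(*build_sample(tmp)) or "prerequisites look usable")
```

A clean result only shows that each file is of the expected type and that the "Protect" folder kept its structure; it does not show that the chosen index.dat is the right one for the stored entries.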