Forensic Recovery of Chrome Based Browser Password... https://palmenas.medium.com/forensic-recovery-of-c...
Forensic Recovery of Chrome Based Browser Passwords
Palmenas Diniz
6 min read · Jul 10, 2023

Recently John Hammond released an excellent video [1] showing how threat actors
leverage tools to harvest credentials stored in the Chrome browser. I recommend
checking his video and YouTube channel for other cyber security topics. During an
investigation, the credentials stored in Chrome based browsers (Chrome, Edge, Brave,
etc.) may be a critical piece of information to support and/or solve the case under
analysis. Few tools are able to parse that information and extract such relevant
data for the forensic investigator. Inspired by John's video and the tool created by
Jayden Oh Yicong [2], I challenged myself to adapt the Python script and, in
conjunction with other tools, decrypt sensitive data stored by Chromium browsers.

Disclaimer
All the information shared here should be used carefully. Please be advised that
you should not use this tool or knowledge without the proper authorization. Use at
your own risk.

Requirements
In order to successfully proceed with the password decryption, you will need the
following evidence, preserved during the acquisition phase of the forensic process:

• Memory dump of the machine

• The files Local State and Default\Login Data, collected from the browser's
\User Data\ path. See some references:

• Edge: C:\Users\user\AppData\Local\Microsoft\Edge\User Data

• Chrome: C:\Users\user\AppData\Local\Google\Chrome\User Data

• Brave: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\

Scenario
Imagine that during a digital forensic investigation you have acquired the data
mentioned above; you are lucky. I have created a test environment using Microsoft
Edge and saved a fake credential into the browser settings. The credential is
encrypted with AES and the key is protected with the Windows Data Protection API
(DPAPI). That is the reason why, when I click the 'eye' icon to show the password,
Edge asks for my Windows credentials before displaying the saved password.

Microsoft Edge — Saved Passwords

Process
As previously mentioned, the password is encrypted with a key stored in the JSON
Local State file. In older Chrome versions this key was used directly to decrypt
the passwords in the local SQLite database Login Data. Newer Chrome versions
improved the security: the key is now itself encrypted with DPAPI, using the user's
master key, which adds a new layer of protection. This is how you will see the
password stored in the `Login Data` database file, table logins:

Login Data — Encrypted Saved Passwords


Since we were prepared for this case, we were able to collect the required files,
including the memory dump. We can now mount the memory image with MemProcFS [3]
and extract the minidump of the lsass process.

C:\Cases>c:\Binaries\MemProcFS\MemProcFS.exe -device Evidence\MEM.dmp


Initialized 64-bit Windows 10.0.19041
[PLUGIN] Python initialization failed. Python 3.6 or later not found.
============================== MemProcFS ==============================
- Author: Ulf Frisk - [email protected]
- Info: https://github.com/ufrisk/MemProcFS
- License: GNU Affero General Public License v3.0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MemProcFS is free open source software. If you find it useful please
become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Version: 5.7.0 (Windows)
- Mount Point: M:\
- Tag: 19041_ac62bdf1
- Operating System: Windows 10.0.19041 (X64)
==========================================================================

The memory will be mounted as a network share on drive letter `M:`. Navigate to the
M:\name\lsass.exe-PID\minidump directory. In this path you should see a file named
minidump.dmp; this is the memory dump of the lsass process. I will not go into
details here, but LSASS (Local Security Authority Subsystem Service) is the process
responsible for authentication, auditing and policy enforcement in Windows. This
gives a hint as to why this process's memory is so important to our analysis. Let's
continue.

lsass.exe — Minidump


M:\name\lsass.exe-652\minidump>dir
Volume in drive M is DOKAN
Volume Serial Number is 1983–1116
Directory of M:\name\lsass.exe-652\minidump
07/08/2023 12:10 PM 390 readme.txt
07/08/2023 12:11 PM 49,352,704 minidump.dmp
07/08/2023 12:12 PM <DIR> ..
07/08/2023 12:12 PM <DIR> .
2 File(s) 49,353,094 bytes
2 Dir(s) 536,870,912 bytes free

Once the file is copied, open minidump.dmp with mimikatz [4] and export the master
key of the user being investigated. Save the MasterKey value. This is the first part
of the secret we need to provide to our tool to decrypt the Chrome encryption key.
We will use this information later, as you will see.

mimikatz # sekurlsa::minidump C:\Cases\Exports\minidump.dmp


Switch to MINIDUMP : 'C:\Cases\Exports\minidump.dmp'
mimikatz # sekurlsa::dpapi
Authentication Id : 0 ; 803867 (00000000:000c441b)
Session : Interactive from 1
User Name : jdoe
Domain : DESKTOP
Logon Server : DESKTOP
Logon Time : 7/8/2023 12:46:44 PM
SID : S-1–5–21–1446339068–3897733333–3874546977–1001
[00000000]
* GUID : {35df93df-4eea-430a-89b7-a329d854bfb6}
* Time : 7/8/2023 12:49:33 PM
* MasterKey : 4da03d*****************************************01a3a51
* sha1(key) : 766**********************04c

Now, open the Local State file of your Chromium browser. In this example, since I'm
using Microsoft Edge, the path is C:\Users\jdoe\AppData\Local\Microsoft\Edge\User
Data\Local State. Search (Ctrl+F) for "encrypted" and copy the encrypted_key value.
This value is base64 encoded. Decode it with your preferred tool (I'm using
CyberChef) and save the output to disk in binary format (enckey.dat).


Microsoft Edge — Local State

Base64 decode of encrypted_key

Open the saved file (enckey.dat) with your favorite hex editor, remove the DPAPI
string at the beginning of the file and save it. This is how it should look:

Before


enckey.dat — With DPAPI string

After

enckey.dat — After removing DPAPI string


After saving the modified binary file, we have the encrypted key that protects the
saved Chrome passwords, but there is one more problem: this key is itself encrypted
with the user's DPAPI master key. To proceed with the decryption process, go back to
mimikatz and this time use the dpapi module to decrypt the encrypted blob:

mimikatz # dpapi::blob /in:"C:\Cases\Exports\enckey.dat" /unprotect /masterkey:4da03d*


**BLOB**
dwVersion : 00000001–1
guidProvider : {df9d8cd0–1501–11d1–8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001–1
guidMasterKey : {35df93df-4eea-430a-89b7-a329d854bfb6}
dwFlags : 00000010–16 (audit ; )
dwDescriptionLen : 0000001e - 30
szDescription : Microsoft Edge
algCrypt : 00006610–26128 (CALG_AES_256)
dwAlgCryptLen : 00000100–256
dwSaltLen : 00000020–32
pbSalt : a3f63******************************************1f49503
dwHmacKeyLen : 00000000–0
pbHmackKey :
algHash : 0000800e - 32782 (CALG_SHA_512)
dwAlgHashLen : 00000200–512
dwHmac2KeyLen : 00000020–32
pbHmack2Key : c903***************************************************************50cf
dwDataLen : 00000030–48
pbData : 9a30d***********************************************************************
dwSignLen : 00000040–64
pbSign : b942c***********************************************************************
* using CryptUnprotectData API
* masterkey : 4da03d***********************************01a3a51
description : Microsoft Edge
data: d9 11 1e e3 5b 80 5b 52 c3 6d a2 5b 53 da 42 a6 10 73 d2 c4 ad 59 2a 29 5b ba 7c

Now we have the key used to encrypt the password in Login Data database.

• Key:
d9111ee35b805b52c36da25b53da42a61073d2c4ad592a295bba7c9f58164a20

Decrypt the Passwords

We're almost there, just stay with me. Using all the information collected during
the previous steps and the key we have just decrypted, we can now use the script I
tweaked [7] to decrypt the passwords stored in the browser. Run the Python script
with the key you collected:

$ python3 dcp.py -S 'd9111ee35b805b52c36da25b53da42a61073d2c4ad592a295bba7c9f58164a20'


Sequence: 0
URL: https://gmail.com/
User Name: [email protected]
Password: MySecretPassword_918!!!
**************************************************

Bingo, here is our password:

• MySecretPassword_918!!!
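The dcp.py step above, as an added Python example that is not the article's script: it decrypts logins.password_value from Login Data with the key recovered from the DPAPI blob, using the v10 layout Chromium uses on Windows (prefix b"v10", 12-byte nonce, AES-256-GCM ciphertext, 16-byte tag), and keeps rows it cannot decrypt (wrong key, or a row not in v10 format) with the reason rather than dropping them. The Login Data database is an in-memory stand-in constructed here; the credential row is constructed, the key is the one from the article's output, and the cryptography package is assumed to be installed.

```python
import os, sqlite3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

V10_PREFIX, NONCE_LEN = b"v10", 12   # Chromium (Windows) layout: "v10" | nonce | ct | 16-byte tag

def decrypt_password_value(key, value):
    """Decrypt one logins.password_value with the 32-byte key recovered from the DPAPI blob."""
    if not value.startswith(V10_PREFIX):
        # e.g. a pre-v10 row protected directly by DPAPI: report it, don't guess
        raise ValueError("not a v10 blob")
    nonce = value[len(V10_PREFIX):len(V10_PREFIX) + NONCE_LEN]
    ciphertext_and_tag = value[len(V10_PREFIX) + NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext_and_tag, None).decode("utf-8")

def dump_logins(con, key):
    """Walk the logins table as the article's output does; rows that fail stay in, with the reason."""
    rows = []
    query = "SELECT origin_url, username_value, password_value FROM logins"
    for url, user, blob in con.execute(query):
        try:
            pw = decrypt_password_value(key, blob)
        except Exception as exc:   # InvalidTag = wrong key; ValueError = other format
            pw = f"<undecryptable: {type(exc).__name__}>"
        rows.append((url, user, pw))
    return rows

def build_sample_login_data(key, creds):
    """Constructed in-memory stand-in for Login Data (only the columns we query); passwords are
    stored as genuine v10 blobs so the decrypt path is exercised end to end."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    aes = AESGCM(key)
    for url, user, pw in creds:
        nonce = os.urandom(NONCE_LEN)
        con.execute("INSERT INTO logins VALUES (?, ?, ?)",
                    (url, user, V10_PREFIX + nonce + aes.encrypt(nonce, pw.encode(), None)))
    return con

if __name__ == "__main__":
    # Key from the article's dpapi::blob output; the credential row is constructed.
    KEY = bytes.fromhex("d9111ee35b805b52c36da25b53da42a61073d2c4ad592a295bba7c9f58164a20")
    con = build_sample_login_data(KEY, [("https://gmail.com/", "jdoe", "MySecretPassword_918!!!")])
    for i, (url, user, pw) in enumerate(dump_logins(con, KEY)):
        print(f"Sequence: {i}\nURL: {url}\nUser Name: {user}\nPassword: {pw}\n" + "*" * 50)
```

Against a real case, replace build_sample_login_data with sqlite3.connect on a copy of the collected Login Data file; work on the copy, never on the original evidence.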

Summary
Again, one more interesting scenario where a digital forensic investigator can use
different techniques to extract critical information that may be extremely relevant
to the case under analysis. Of course there are other methods one could use to
acquire the same information, including collecting the master key from disk [5],
but this only works if we have access to the user's password. Another option would
be to upload the script [2], execute it and collect the resulting CSV file. In some
cases, however, you are simply presented with the evidence and have no option to go
back to the scene and run other tools. I hope this article helps the digital
forensic community recover important information that can be relevant to a case.

Final words, when you don’t have the tool you need to do the job, just remember
Bear Grylls:


References
[1] https://www.youtube.com/watch?v=CIOsemj3kl4

[2] https://github.com/ohyicong/decrypt-chrome-passwords

[3] https://github.com/ufrisk/MemProcFS

[4] https://github.com/gentilkiwi/mimikatz/

[5] https://nandynarwhals.org/sieberrsec-ctf-3.0-digginginthedump/

[6] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords

[7] https://github.com/palmenas/dcp
