Channel: Forensic Focus Forums - Recent Topics

General Discussion: Syskey password on startup

I am failing to understand what the problem is (the final goal). Re-accessing data on a system where a third party (maliciously and without the user knowing it) has set up Syskey encryption of the SAM? Re-accessing the actual system (i.e. booting into it)? Re-accessing the system without blanking all users' passwords?

There is a rather straightforward procedure to decrypt a Syskey hash, see here: http://epyxforensics.com/node/34 which I believe works for other versions of the OS besides the 7 on which the article is based. But there are several different tools/methods; another example:
http://www.oxid.it/cain.html
http://www.oxid.it/ca_um/topics/nt_hashes_dumper.htm
http://www.oxid.it/ca_um/topics/syskey_decoder.htm

The point worthy of note IMHO is that if the "added" Syskey encryption (and, I believe, change of password) has been carried out "maliciously" by malware of some kind, the system is compromised, i.e. you have no way to know "what else" the malware may have done. As such, the system should NOT be trusted for *anything* (other than extracting the data that was not backed up prior to the infection/attack) and possibly not even booted at all.

Can you try to explain the scenario/case at hand better?

jaclaz
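As an added illustration of the "straightforward procedure" referred to above (this is example code written for this page, not code from the thread, the linked articles, or the tools mentioned), the first step every Syskey decryptor performs is recovering the 16-byte boot key from the SYSTEM hive: the class names of the four keys JD, Skew1, GBG and Data under ControlSet00X\Control\Lsa are each 8 hex characters, which are decoded, concatenated and then descrambled with a fixed byte permutation. The class-name values below are constructed for the demonstration; in a real case they are read from an offline copy of the SYSTEM hive (the current control set is selected via the Select key), and the resulting boot key is then combined with the SAM hive's F value to decrypt the individual NT hashes, which is the part the cited tools automate.

```python
"""
Derive the Windows SYSKEY boot key from the class names of the four Lsa
subkeys in a SYSTEM hive.

Example code added for this page (not from the thread or the linked tools).
The permutation table is the well-known one used by bkhive, samdump2 and
impacket's secretsdump; the sample class names below are constructed.
"""
import re
from binascii import unhexlify

# Order in which the four class names are concatenated.
LSA_SUBKEYS = ("JD", "Skew1", "GBG", "Data")

# Fixed descrambling permutation: output byte i is input byte PERMUTATION[i].
PERMUTATION = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]


def decode_class_name(raw):
    """Turn one subkey's class name into 4 raw bytes.

    In the on-disk hive the class name is stored as UTF-16LE; tools that
    already decoded it hand over a plain 8-character hex string. Both are
    accepted here. Anything that is not exactly 8 hex digits is rejected,
    which is the usual sign of reading the wrong key or a damaged hive.
    """
    if isinstance(raw, (bytes, bytearray)):
        raw = bytes(raw)
        # Heuristic: UTF-16LE of ASCII text contains NUL bytes, ASCII does not.
        text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("ascii")
    else:
        text = raw
    text = text.strip("\x00")
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", text):
        raise ValueError(f"class name {text!r} is not 8 hex characters")
    return unhexlify(text)


def derive_bootkey(class_names):
    """Return the 16-byte boot key given a mapping {subkey name: class name}."""
    missing = [k for k in LSA_SUBKEYS if k not in class_names]
    if missing:
        raise KeyError(f"missing Lsa subkey class names: {missing}")
    scrambled = b"".join(decode_class_name(class_names[k]) for k in LSA_SUBKEYS)
    if len(scrambled) != 16:
        raise ValueError("concatenated class names must be 16 bytes")
    return bytes(scrambled[i] for i in PERMUTATION)


# Constructed sample input (NOT values from any real machine).
SAMPLE_CLASS_NAMES = {
    "JD": "0123ABCD",
    "Skew1": "4567EF01",
    "GBG": "89AB2345",
    "Data": "CDEF6789",
}

if __name__ == "__main__":
    key = derive_bootkey(SAMPLE_CLASS_NAMES)
    print("boot key:", key.hex())
```

The boot key alone decrypts nothing; the next step (hashing it together with data from the SAM hive's F value and then decrypting each user's hash with a key derived from the RID) differs between the older RC4-based format and the AES-based format introduced with newer Windows builds, so a decryptor has to detect which one the SAM uses.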
