Password Managers in Digital Forensics: Creating a Process to Extract Relevant Artefacts from Bitwarden and KeePass

Article: Password Managers in Digital Forensics

Document: Creating a Process to Extract Relevant Artefacts from Bitwarden and KeePass by Sascha Hähni

Github: GitHub - shaehni/password-manager-forensics: Password Manager Forensics (PMF). Extracting relevant forensic artefacts from Bitwarden and KeePass.

Source: reddit post

The present work addresses this gap and presents a process to extract forensically relevant data from two password manager applications – Bitwarden and KeePass – by extending an existing forensic framework called Vision.

Using design science, a forensic extraction process was developed by thoroughly analysing the inner workings of the mentioned password managers. The artefact was named Password Manager Forensics (PMF) and consists of a four-step extraction process with different Python modules to automate the extraction of relevant data. PMF was tested against three scenarios in a laboratory setting to evaluate its applicability in an investigative context.

The results show that the artefact is able to extract forensically relevant information related to password managers that would otherwise not be readily available to investigators. PMF is capable to identify and extract relevant files, to extract master passwords from a memory dump, to parse configuration files for relevant data, to brute-force master passwords and PIN codes, to decrypt, extract, and validate password manager vault data, and to create summary reports.

PMF is the first comprehensive forensic process to extract relevant data from password managers. This brings new opportunities for digital forensics examiners and a potential to improve the handling of devices that contain password manager data in digital investigations.

The current version of PMF only supports Windows desktop applications of Bitwarden and KeePass


Good reminder to:

  • boot Linux with init_on_alloc=1 init_on_free=1 lockdown=confidentiality
  • use zram over disk backed swap space
  • encrypt your disks
  • set discard (or preferably discard=async) on ssd mounts
  • disable hibernation (lockdown does this anyway)
  • disable coredumps: sysctl -w kernel.core_pattern=|/bin/false
  • disable ptrace: sysctl -w kernel.yama.ptrace_scope=1
  • use a security oriented memory allocator like the GrapheneOS hardened_malloc which zeros on free, I have a package for Arch and Fedora here: GitHub - divestedcg/rpm-hardened_malloc: Unofficial micro-architecture optimized hardened_malloc package
  • enable transparent system memory encryption (TSME) in your UEFI if you’re on a modern AMD system
    • this largely works on non-Pro systems despite what they say
    • true ryzen 6000 systems and 7000+ properly exposes TSME state through the PSP to the host, and in this case sudo fwupdmgr security --force can accurately show the state of it
    • for laptops you may need to enable hidden settings first:
      • on Lenovo with Insyde, from off: hitting F4-4-R-F-V, F5-5-T-G-B, F6-6-Y-H-N, then power and hold F2
      • on MSI with AMI: right shift + right Ctrl + left alt + F2 + (FN)
  • bonus: mesa can zero video ram on alloc on amd cards, helpful if you like to show passwords in clear:
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;

Nice! I think it would be really interesting to have a separate thread for this!

1 Like

I don’t have deep technical knowledge to judge the source, but the first thing I see in the page is that it’s a master thesis. I have masters in a non-computer science field, bur generally it’s hard to find revealing things in a master’s thesis.
Looking at the scenarios, in all cases, your device needs to be seized. Personally, there would be other things than Bitwarden if my device is taken from me.


The author did a good thesis here. :clap: This article is essentially just a reference on what information you’re likely to get from password managers from a physical extraction of a suspect’s PC. It’s nothing that people don’t already know, but it’s a good read nonetheless.

KeePass typically encrypts memory and erases memory, but as seen in the thesis that didn’t appear to work. It may be due to how he performed the memory extraction as he used a VirtualBox VM physical memory dump rather than a Windows OS memory dump artefact, would have liked to see him examined those types of dumps.

Should be worth noting that judging by the literature review and that the latest article he captured was around March of this year, he likely worked on this investigation within that timeframe. That tool is likely to not work anymore now due to some changes in how KeePass manages passwords in memory. KeePass now creates dummy material in memory the same length as the original key.

In May, another researcher disclosed a security vulnerability relating to capturing the KeePass master password in memory.

Thread: KeePass / Discussion / Open Discussion: Security - Dumping Master Password from Memory, Even When Locked

CVE: CVE - CVE-2023-32784

I memory dumped my latest KeePass with the PMF script and my password was apparently ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/.

Likewise mitigations like these are more to protect KeePass databases from malware, not forensics, if your PC is undergoing a forensics extraction you’d probably have a hundred more things to worry about before your password database.

See also: Security - KeePass

Strongly agree. In pretty much all masters digital forensics papers they are done in a consent-based extraction / scenario where a compromise like bruteforcing was successful, since “we were unable to perform extraction” wouldn’t be a good thesis to read.