Password Managers in Digital Forensics: Creating a Process to Extract Relevant Artefacts from Bitwarden and KeePass

Article: Password Managers in Digital Forensics

Document: Creating a Process to Extract Relevant Artefacts from Bitwarden and KeePass by Sascha Hähni

Github: GitHub - shaehni/password-manager-forensics: Password Manager Forensics (PMF). Extracting relevant forensic artefacts from Bitwarden and KeePass.

Source: reddit post

The present work addresses this gap and presents a process to extract forensically relevant data from two password manager applications – Bitwarden and KeePass – by extending an existing forensic framework called Vision.

Using design science, a forensic extraction process was developed by thoroughly analysing the inner workings of the mentioned password managers. The artefact was named Password Manager Forensics (PMF) and consists of a four-step extraction process with different Python modules to automate the extraction of relevant data. PMF was tested against three scenarios in a laboratory setting to evaluate its applicability in an investigative context.

The results show that the artefact is able to extract forensically relevant information related to password managers that would otherwise not be readily available to investigators. PMF is capable of identifying and extracting relevant files, extracting master passwords from a memory dump, parsing configuration files for relevant data, brute-forcing master passwords and PIN codes, decrypting, extracting and validating password manager vault data, and creating summary reports.

PMF is the first comprehensive forensic process to extract relevant data from password managers. This brings new opportunities for digital forensics examiners and a potential to improve the handling of devices that contain password manager data in digital investigations.

The current version of PMF only supports the Windows desktop applications of Bitwarden and KeePass.


Good reminder to:

  • boot Linux with init_on_alloc=1 init_on_free=1 lockdown=confidentiality
  • use zram over disk backed swap space
  • encrypt your disks
  • set discard (or preferably discard=async) on ssd mounts
  • disable hibernation (lockdown does this anyway)
  • disable coredumps: sysctl -w kernel.core_pattern=|/bin/false
  • disable ptrace: sysctl -w kernel.yama.ptrace_scope=1
  • use a security oriented memory allocator like the GrapheneOS hardened_malloc which zeros on free, I have a package for Arch and Fedora here: GitHub - divestedcg/rpm-hardened_malloc: Unofficial micro-architecture optimized hardened_malloc package
  • enable transparent system memory encryption (TSME) in your UEFI if you’re on a modern AMD system
    • this largely works on non-Pro systems despite what they say
    • true Ryzen 6000 systems and 7000+ properly expose the TSME state through the PSP to the host, and in that case sudo fwupdmgr security --force can accurately show its state
    • for laptops you may need to enable hidden settings first:
      • on Lenovo with Insyde, from off: hitting F4-4-R-F-V, F5-5-T-G-B, F6-6-Y-H-N, then power and hold F2
      • on MSI with AMI: right shift + right Ctrl + left alt + F2 + (FN)
  • bonus: mesa can zero video RAM on alloc on AMD cards, helpful if you like to show passwords in the clear:
export R600_DEBUG=zerovram;
export AMD_DEBUG=zerovram;
export RADV_DEBUG=zerovram;
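A practitioner who adopts the checklist above will want a way to verify that a machine actually has those settings in place, since a missing kernel parameter or a forgotten disk-backed swap partition silently undoes the rest. The script below is an added example, not code from the thread or from PMF: it audits the kernel command line, the two sysctls, /proc/swaps, /proc/mounts and /sys/power/state against the list. Every check takes its input as text, so it runs against constructed sample data by default (the SAMPLE_* values are made up for illustration, not captured from a real host) and against the live system with --live. The TSME, hardened_malloc and Mesa items are not checked, because they are not visible from those files.

```sh
#!/bin/sh
# Added example (not from the thread): audit a Linux host against the
# memory-hygiene checklist above. Each check's exit status is its number
# of findings, so the functions compose and can be asserted on.

# has_param PARAM CMDLINE : true if PARAM appears as a whole word in CMDLINE
has_param() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_cmdline CMDLINE : the three kernel parameters from the checklist
check_cmdline() {
    n=0
    for p in init_on_alloc=1 init_on_free=1 lockdown=confidentiality; do
        if ! has_param "$p" "$1"; then
            echo "WARN kernel cmdline lacks $p"
            n=$((n + 1))
        fi
    done
    return $n
}

# check_sysctls DUMP : DUMP is "key = value" lines as printed by `sysctl -a`.
# ptrace_scope=1 is the value the post recommends (attach only to descendants);
# 2 and 3 are stricter.
check_sysctls() {
    n=0
    for want in kernel.yama.ptrace_scope=1 "kernel.core_pattern=|/bin/false"; do
        key=${want%%=*}
        val=${want#*=}
        got=$(printf '%s\n' "$1" | sed -n "s/^$key = //p")
        if [ "$got" != "$val" ]; then
            echo "WARN $key is '$got', want '$val'"
            n=$((n + 1))
        fi
    done
    return $n
}

# check_swaps SWAPS : contents of /proc/swaps; anything that is not zram is
# RAM that can end up on disk
check_swaps() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 !~ /^\/dev\/zram/ { print "WARN disk-backed swap: " $1; n++ }
        END { exit n + 0 }'
}

# check_mounts MOUNTS : contents of /proc/mounts; block-device ext4/xfs/btrfs/f2fs
# mounts without discard or discard=async (discard=async is btrfs only)
check_mounts() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/dev\// && $3 ~ /^(ext4|xfs|btrfs|f2fs)$/ &&
        $4 !~ /(^|,)discard(=async)?(,|$)/ {
            print "WARN no discard on " $2 " (" $1 ")"; n++
        }
        END { exit n + 0 }'
}

# check_hibernation STATE : contents of /sys/power/state; "disk" means
# suspend-to-disk is available, i.e. RAM contents can be written to storage
check_hibernation() {
    case " $1 " in
        *" disk "*) echo "WARN hibernation (suspend-to-disk) is enabled"; return 1 ;;
    esac
    return 0
}

# audit CMDLINE SYSCTL_DUMP SWAPS MOUNTS POWER_STATE : run all checks
audit() {
    total=0
    check_cmdline "$1";     total=$((total + $?))
    check_sysctls "$2";     total=$((total + $?))
    check_swaps "$3";       total=$((total + $?))
    check_mounts "$4";      total=$((total + $?))
    check_hibernation "$5"; total=$((total + $?))
    echo "$total finding(s)"
    return $total
}

# Constructed sample inputs (made up for this example, not from a real host):
# one kernel parameter set, both sysctls at defaults, an NVMe swap partition
# next to zram, /home on btrfs without discard, and hibernation available.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-6.8.0 root=/dev/mapper/cryptroot rw quiet init_on_alloc=1'
SAMPLE_SYSCTL='kernel.core_pattern = core
kernel.yama.ptrace_scope = 0
vm.swappiness = 60'
SAMPLE_SWAPS='Filename        Type        Size      Used  Priority
/dev/zram0      partition   8388604   0     100
/dev/nvme0n1p3  partition   16777212  0     -2'
SAMPLE_MOUNTS='/dev/mapper/cryptroot / ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime 0 0
/dev/mapper/crypthome /home btrfs rw,relatime,ssd,space_cache=v2 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
SAMPLE_POWER_STATE='freeze mem disk'

audit_samples() {
    audit "$SAMPLE_CMDLINE" "$SAMPLE_SYSCTL" "$SAMPLE_SWAPS" "$SAMPLE_MOUNTS" "$SAMPLE_POWER_STATE"
}

audit_live() {
    audit "$(cat /proc/cmdline)" "$(sysctl -a 2>/dev/null)" \
          "$(cat /proc/swaps)" "$(cat /proc/mounts)" "$(cat /sys/power/state)"
}

rc=0
if [ "${1:-}" = "--live" ]; then audit_live || rc=$?; else audit_samples || rc=$?; fi
# rc now holds the number of findings; a wrapper script can `exit "$rc"`.
```

Run it with no arguments to see the seven findings the sample data produces, or with --live as root (sysctl -a needs it for some keys) to audit the current machine. The checks are deliberately pure functions of their input text so they can also be pointed at files copied off another host.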

Nice! I think it would be really interesting to have a separate thread for this!


I don’t have deep technical knowledge to judge the source, but the first thing I see on the page is that it’s a master’s thesis. I have a master’s in a non-computer-science field, but generally it’s hard to find revealing things in a master’s thesis.
Looking at the scenarios, in all cases your device needs to be seized. Personally, there would be other things than Bitwarden to think about if my device were taken from me.
