Extracting Facebook passwords from memory image or hibernation file

Passware Kit 12.3 recovers passwords for Facebook, Gmail, and other websites by analyzing a memory image or a system hibernation file.

Here is how it’s done.

Launch Google Chrome browser on a target machine and open a new Incognito window (Ctrl+Shift+N). In Incognito mode Chrome does not save your passwords, but still they are present in computer memory.

Fill in email and password and click Log In:
Google Chrome in Incognito mode

Close Google Chrome. Now you can put your computer into hibernation or create a memory image.

When a computer hibernates, Windows writes all the physical RAM memory contents to C:\hiberfil.sys file, creating a memory image. As hiberfil.sys file is locked by Windows, you might need to use special tools in order to access the file. You can follow detailed instructions on creating a copy of the hibernation file.

Launch Passware Kit and select “Analyze Memory and Decrypt Hard Disk”, then select “Websites”:
Select Websites

The software scans a hibernation file (or a memory image) for Facebook, Google or websites passwords:
Scan progress

And displays a list of websites and  passwords:
Passwords found:

The same results could be achieved by using using a live memory image acquired while the computer was running, instead of the hibernation file.

Please note that there is no guarantee that passwords will be in memory, but our tests show that passwords reside in memory for extended time.

 

This entry was posted in How To, Passware and tagged , , , , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.