Learn how to use the ADF Quick Saved Credentials Profile to uncover Web credentials in this short video tutorial. Collecting saved credentials quickly gives investigators access to accounts that may have previously been unknown and allows investigators to request preservation orders and search warrants.
ADF's Quick - Saved Credentials profile is a powerful digital forensic triage profile that extracts usernames and passwords from web browsers. It is the only Search Profile that may trigger the antivirus on the machine.
When this happens, depending on the settings of Windows Security, the antivirus could quarantine the file needed to run the search profile, or just block it. If it quarantines the file, be ready with a second Collection Key (CKY). Remember that we can now prepare a CKY for capture selection on scene.
As a digital investigator, you want to be prepared and ready for anything on scene, so in this video, digital forensic specialist and trainer Rich Frawley shows you how to temporarily disable Windows Defender:
- In the task tray, hover over the icons until you see the shield or Windows Security (Defender).
- Click the shield; this opens the security program.
- Select Virus and threat protection.
- Under Virus and threat protection settings, select Manage settings.
- Turn off real-time protection (it will turn back on automatically). Read the warning.
- Now run your scan.
Remember to keep track of the steps you took and add them to your report. Now that you have disabled security, insert the CKY prepared without Search Profiles:
- Select the Web Browsing category and then Saved Credentials
- You will be able to run the profile with no intervention from Windows antivirus.
Also remember to go on scene with multiple collection keys so you can scan multiple computers with one license.
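The reminder above to track your steps for the report can be backed by the machine's own record of the Defender state change. The following PowerShell is an added example, not part of the ADF tutorial or ADF software; it only reads Defender status and events, and the output path and lookback window are assumptions.

```powershell
# Added example: record Windows Defender state for the examiner's report.
# Read-only: it queries status and event logs and changes no settings.
# $ReportPath is a hypothetical location; point it at examiner-controlled media.
param(
    [string]$ReportPath = ".\defender-state-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt",
    [int]$LookbackHours = 4
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Current protection state as reported by the Defender module.
$status = Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                  IsTamperProtected, AntivirusSignatureLastUpdated

# Defender operational events relevant to this procedure:
#   5001 = real-time protection disabled, 5000 = real-time protection enabled,
#   1116 = threat detected, 1117 = action taken (for example, quarantine).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5000, 5001, 1116, 1117
    StartTime = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

$lines = @(
    "Recorded: $((Get-Date).ToString('o'))"
    "Host: $env:COMPUTERNAME   Account: $env:USERNAME"
    ''
    'Defender status:'
    ($status | Format-List | Out-String).Trim()
    ''
    "Defender events since $($since.ToString('o')):"
)
if ($events) {
    $lines += ($events | Format-Table -AutoSize -Wrap | Out-String).Trim()
} else {
    $lines += '(none found in the lookback window)'
}

# Write the record and print its hash so the file can be referenced in the report.
$lines | Set-Content -Path $ReportPath -Encoding UTF8
Get-FileHash -Path $ReportPath -Algorithm SHA256 | Format-List Path, Hash
```

Run it from an elevated PowerShell session after the scan, and note in the report that the script itself was run on the machine.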