Expand description
Roadmap for the step-2 on-disk auditor. Not yet implemented — this module exists to anchor the plan.
Reader/enumeration auditors (each enumerates a DPAPI-protected store on an
acquired filesystem, decrypts it through dpapi_core, and emits graded
forensicnomicon report::Findings):
- Chrome/Edge:
Login Datasaved passwords + theLocal Statecookie key, thenCookiesdecryption viadpapi_core::detect_chrome_cookie_encoding/dpapi_core::decrypt_v10_cookie. - Credential Manager:
%APPDATA%\Microsoft\Credentials\blobs. - Vault:
%APPDATA%\Microsoft\Vault\/%LOCALAPPDATA%\Microsoft\Vault\. - Wi-Fi keys:
Wlansvcprofile blobs.
Key-source layer (the disk counterpart of memf’s LSASS dpapi_keys.rs):
masterkey.rsindpapi-core: parse master-key files at%APPDATA%\Microsoft\Protect\<SID>\<GUID>and derive the key-protection key from the user password (SHA1 -> PBKDF2-HMAC) or the domain backup key (pbkdf2crate). Same consumer as the existing decrypt path, different source of keys.
CLI:
dpapi4n6binary per the fleet*4n6pattern.