How to extract website passwords from hibernation file or memory image


Passware Kit recovers passwords for Facebook, Gmail, and other websites by analyzing a memory image or a system hibernation file. Such memory images can be acquired using third-party tools, such as Belkasoft Live RAM Capturer, ManTech Physical Memory Dump Utility, Perlustro IXImager, Magnet RAM Capture, MacQuisition, osxpmem or win32dd.


Here is how it’s done.

Launch the Google Chrome browser on a target machine and open a new Incognito window (Ctrl+Shift+N). In Incognito mode, Chrome does not save your passwords, but they are still present in the computer's memory.

Fill in the email and password and click 'Log In'.


Close Google Chrome. Now you can put your computer into hibernation or create a memory image.

When a computer hibernates, Windows writes the entire contents of physical RAM to the C:\hiberfil.sys file, creating a memory image. Because hiberfil.sys is locked by Windows, you might need to use special tools to access the file.


Launch Passware Kit and select “Analyze Memory and Decrypt Hard Disk”, then select “Websites”:

[Screenshot: Memory_websites.jpg]

The software scans the hibernation file (or memory image) for Facebook, Google, or other website passwords, as shown below:

[Screenshot: Memory_websites_progress.jpg]

It then displays a list of websites and passwords:

[Screenshot: Memory_websites_results.jpg]

The same results could be achieved by using a live memory image acquired while the computer was running, instead of the hibernation file.

Please note that there is no guarantee that passwords will be in memory, but our tests show that passwords reside in memory for an extended time.