Tools used:
Forensic Toolkit (FTK)
Password Recovery Toolkit (PRTK)

Target Operating System:
Windows XP, Windows Vista and Windows 7

In this guide I assume that you already know the fundamentals of Forensic Toolkit and Password Recovery Toolkit.
You should know how to create a case, add evidence (in this case, a raw image of a hard drive) and navigate yourself through the filesystem structure in FTK. If not, I recommend that you visit AccessDatas YouTube channel for basic video guides.

Before we begin, we have to open FTK and export a word list from the case. This will be our template for the PRTK dictionary attack that will be performed at a later stage. The word list contains all strings of a hard drive or image which is very useful in a dictionary attack. The dictionary attack uses strings as a base for recovering the plain text password from the stored hashes.
You can export the word list from FTK by choosing File -> Export Word List make sure that you select all the NTUSER entries before exporting the word list. Now start the export, remember where you saved the word list.

Now we have to export the two hive files from our evidence to our hard drive using FTK. Navigate yourself to [root]\Windows\System32\config using the “Explorer View” tab. In the config directory you should be able to find registry hive files, we need to export SAM and SYSTEM to our hard drive. Make sure that SAM and SYSTEM are the only files checked and right click on any file and click “Export”. In “Items to include”, make sure that you select the “All checked” option. Choose where to save the hive files and click OK to start the export.


Now its time to open up Password Recovery Toolkit and generate our new dictionary based on the exported word list from the FTK case. In PRTK, select Tools -> Dictionary Utility. Choose your exported word list and click on “Generate” to start building up a new dictionary.
When the dictionary has been successfully generated, click “Manage Profiles” and select the “PRTK” profile and click the button “New from selected”.
Now you should see a new window containing different dictionaries and rules that you can select, it should look something like this:


Give the new profile a fitting name and select ONLY the dictionaries that you have generated from the dictionary menu (myWordList in this case). The rules are ordered and the one that is the highest on the list will run first. There are many different effective combinations, but in this case, we order them by (the rules mentioned below should be the only ones selected):

1. BAS 1-01 One digit search
2. BAS 1-07 Two digit search
3. BAS 1-05 Three digit search
4. BAS 2-17 Dictionary Primary search
OR (BAS-3-10) Uses entries ‘AS-IS’ from selected dictionaries (faster but not as many combinations).

Click “OK” to create the new profile. Now select “Add files”, and choose the SAM hive file which you exported to your hard drive in a previous step. Make sure that you choose the correct profile to work with (the profile you created in the previous step):


Now click “Next” to continue. Look for the row where it asks for the presence of the the SYSKEY. Click the “Browse” button and point out the SYSTEM hive file which you exported to your hard drive in a previous step. Click “OK” to start the password recovery process, the process might take a while.

If the password recovery is unsuccessful, you should edit your profile, add more rules to it and try again.

Two Windows account passwords (NT hashes) recovered for users “Bilbo Baggins” and “Frodo Baggins” below:

NOTE! The same process can be done with the free tool Cain & Abel and others (excluding the word list export from the hard drive image). Use at your own risk!

Happy cracking! 😉