On Thursday of this week I was fortunate enough to work along side a colleague of mine as we were conducting a forensic investigation. We had retrieved a active laptop and wanted to conduct a live memory dump of the system. Unfortunately there was a password on the screen saver and we didn’t want to compromise the data in anyway. His solution to achieve our goals was to utilize a program called winexe on a *nix system.
Winexe allows a person to connect to the IPC$ share of an active host. Now you might say “whats the point”. Take a moment and look at it from a corporate investigative standpoint. If you have a system that you possess a local admin account for (perhaps a standard one utilized by the company help desk) you can utilize this to access that IPC$ share.
