SAM Juicer is one of the tools in the Meterpreter suite.
Part of the Meterpreter Anti-Forensic Investigation Arsenal (MAFIA), SAM Juicer runs over a memory/LSASS channel to dump password hashes on a Windows system. Many people think that you need SYSTEM privileges to access the SAM database; this is not the case. Any account, service or program running with access to the memory and LSASS channels will do. In fact, the majority of accounts are still given the debug privilege to make life easier for developers (and crackers).
Why is this tool a problem for many "traditional" digital forensic practitioners?
It never hits the disk and it never hits the registry. Without leaving a signature on the disk or opening a registry call, many forensic tools just do not have a hope. By using an existing Meterpreter channel, there is no need to start a service, open a network port or leave all that easy-to-find evidence that PWCrack, for instance, creates.
Using direct memory injection techniques, tools like EnCase have no hope. EnCase Enterprise allows the examiner to see current processes, open ports, the file system, and other such volatile system areas.
As Metasploit’s Meterpreter does not leave a track on the disk but rather exploits a running process and creates threads, EnCase is blind to it. (This is where a good old-fashioned dd.exe dump of the memory in Windows still beats the high-end tools.)
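Because the hash-dumping path described above reads lsass memory instead of touching the disk or registry, the evidence a defender can still collect is the handle opened to lsass.exe. The following is an added example, not code from the original article or from the Metasploit project: it parses constructed Sysmon-style Event ID 10 (ProcessAccess) records and flags any process that opens lsass.exe with PROCESS_VM_READ, the right an in-memory dumper needs. Sysmon as the telemetry source and the key=value record layout are assumptions.

```python
"""Flag handles to lsass.exe that carry memory-read rights.

Added example: parses constructed Sysmon-style Event ID 10 records
(fields SourceImage, TargetImage, GrantedAccess follow Sysmon naming;
the log lines themselves are made up for this illustration).
"""
import re

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory

# Constructed sample records, one event per line, as key=value pairs.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\\Users\\dev\\notepad.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff
EventID=10 SourceImage=C:\\Temp\\tool.exe TargetImage=C:\\Windows\\System32\\winlogon.exe GrantedAccess=0x1410
EventID=1 Image=C:\\Temp\\tool.exe CommandLine=tool.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict; GrantedAccess becomes an int mask."""
    ev = dict(FIELD_RE.findall(line))
    if "GrantedAccess" in ev:
        ev["GrantedAccess"] = int(ev["GrantedAccess"], 16)
    return ev


def is_lsass_memory_read(ev, allowlist=()):
    """True when a ProcessAccess event opens lsass.exe with PROCESS_VM_READ
    from a source image that is not on the allowlist of known system readers."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in (a.lower() for a in allowlist):
        return False
    return bool(ev.get("GrantedAccess", 0) & PROCESS_VM_READ)


def find_suspicious_lsass_access(log_text, allowlist=()):
    """Return the SourceImage of every record that reads lsass memory."""
    return [ev["SourceImage"] for ev in map(parse_event, log_text.splitlines())
            if is_lsass_memory_read(ev, allowlist)]


if __name__ == "__main__":
    for src in find_suspicious_lsass_access(SAMPLE_LOG):
        print("lsass memory read by", src)
```

The 0x1000-only handle (PROCESS_QUERY_LIMITED_INFORMATION) is not flagged, since it cannot read memory; the allowlist exists because a few system processes legitimately hold broad handles to lsass.exe and should be baselined per host rather than hard-coded.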
Metasploit Anti-Forensic (AF) Tools
The toolset includes the following AF Tools:
- Transmogrify, and
- SAM Juicer
So what exactly does MAFIA (and similar tools) mess up for the tool-based analyst?
- Temporal locality (through the alteration of time stamps)
- Spatial locality (using the modification of file location)
- Data recovery
- File signatures
- Reverse engineering
- Effectiveness/info overload
- Disk access/hiding in memory