One of the key things to realize is that you can perform your analysis more efficiently and effectively if you know what tools and features are available to you and how to properly leverage them when doing your analysis. To help illustrate why REMnux should be something in your toolkit let’s take a look at how we can use it to analyze a Portable Executable (PE) file and try to determine if it is malicious or benign.

In the field of Incident Response (IR), time is of the essence and a locked system may cause an investigation to become delayed, or even worse, over. For the purpose of this paper, a locked system should be considered either a live or a dead system that requires authentication on the Operating System (OS) level. Over the years there have been a few tricks to get around this type of restraint, however, some methods are not maintained by the community, do not work because of system updates, or the responder is simply not aware of them.

The intent of this article is to inform the IR community of current techniques available to overcome these types of situations while also providing a brief technical overview of what each technique involves. Although this paper includes techniques that will also work on Macintosh and Linux platforms, the primary focus of this paper will be unlocking a Windows system. Windows is still the most dominant platform on the market and is what an incident responder is most likely to encounter.