OK, so deciding that the lord helps those who help themselves, I picked this problem up again last night and had another crack at it.
The shadow file is definitely not on the casper.squashfs root filesystem image when the filesystem is first mounted, and combing through the startup scripts on the filesystem yielded nothing, so I figured the answer had to be on the initramfs miniroot that init uses to bootstrap the system with before it mounts the root filesystem.
People who are unfamiliar with the boot process but who want to follow along can access the contents of the miniroot like so:
Note that this is just for the initramfs for the default boot off the iso image - if you are interested in the boot sequence for forensics mode or for the 800x600 framebuffer mode, then use the appropriate initrd file.
root@bt:~# mount -o loop /mnt/host-shared/bt4-final.iso /media/cdrom
root@bt:~# mkdir initrd && cd initrd
root@bt:~/initrd# gunzip -c /media/cdrom/boot/initrd.gz | cpio -id
bin/ bootsplash conf/ etc/ init* initrd lib/ sbin/ scripts/ var/
root@bt:~/initrd# umount /media/cdrom
Before I made my original post, I had previously given the image a quick (ie. lazy) scan for likely sounding keywords such as "shadow", "passwd", etc. and I hadn't had much luck.
This time around, I tried a different tack: I booted off the live image, noted down the shadow password entry, then searched for that instead and the answer just popped right out:
Now that's looking much more promising.
root@bt:~/initrd# find . -type f | xargs egrep -l U6aMy0wojraho
OK, so that looks like the answer to my question - the script /scripts/casper-bottom/10adduser on the miniroot attempts to chroot to the root filesystem and set the root password using debconf, then it chroots again, this time so that it can run /usr/lib/user-setup/user-setup-apply, which (among other things) enables shadow passwords and sets the encrypted root password to 'U6aMy0wojraho'.
root@bt:~/initrd# egrep -A 7 U6aMy0wojraho ./scripts/casper-bottom/10adduser
# U6aMy0wojraho is just a blank password
chroot /root debconf-communicate -fnoninteractive casper > /dev/null <<EOF
set passwd/root-password-crypted *
set passwd/user-password-crypted U6aMy0wojraho
set passwd/user-fullname $USERFULLNAME
set passwd/username $USERNAME
set passwd/user-uid 999
chroot /root /usr/lib/user-setup/user-setup-apply > /dev/null
It's a pretty easy hack to try out a new password (I used 'test1' as the new password - note the first three characters of the new password hash ), to roll it up into a new initrd.gz, to test it out with qemu, and finally to copy it overtop of the initrd.gz that I use on my custom USB live image and try it out.
It all works great. It's a lot of effort to go to just for the sake of a safer root password (next thing to try - MD5 password hashes instead of the old-school UNIX DES password hashes) but, meh, learning is it's own reward and I now know a hell of a lot more about Linux bootstrapping.
root@bt:~/initrd# sed -i s/U6aMy0wojraho/BT4AauaAzyUyU/ scripts/casper-bottom/10adduser
root@bt:~/initrd# find . | cpio -o -H newc | gzip -c >../newinitrd.gz
root@bt:~/initrd# mount /dev/sdc2 /mnt/usb
root@bt:~/initrd# mv /mnt/usb/boot/initrd.gz /mnt/usb/boot/initrd.gz.old
root@bt:~/initrd# cp ../newinitrd.gz /mnt/usb/boot/initrd.gz
root@bt:~/initrd# cd /mnt/usb
root@bt:/mnt/usb# find . -type f | xargs md5sum >md5sum.txt
root@bt:~# umount /mnt/usb