11/15/2011 - students.cs.uri.edu


Slide 1: Passwords & Encryption
CSC 485/585

Slide 2: Objectives
• Understand the various types of passwords and/or encryption a Computer Forensic examiner must deal with.
• Be able to identify and use the appropriate tool(s) and/or process for obtaining, removing, or changing the various types of passwords.
• Understand the limitations of password cracking.

Slide 3: I need a password….now what?
• In some cases a computer may be protected at startup with a BIOS password and/or an ATA hard drive security password. How do I deal with this?
• Earlier in this course you learned how to find files with various search techniques, but what if they are encrypted or password protected and you can’t open them?
• You restored a seized computer image into a virtual machine and need to boot the VM. How do I log in when it is asking for a username and password?
• Worst of all, my entire forensic image is gibberish because the seized computer was using Full Disk Encryption. What are my options?
• In this module we will address the many aspects of passwords and encryption, along with the related issues and limitations, looking at the above questions one at a time.

Slide 4: The easiest solution is to find or otherwise obtain the password:
• inside a file on their computer called “passwords”
• taped to the bottom of the keyboard
• inside software manuals
• desk blotters
• calendar pads
• yellow sticky notes
• desk drawers
• Interviewing (Always ask for the password!!!)

Slide 5: Interviewing
• Ask if they know of any encryption or password protection software being used (e.g. BitLocker, PGP, TrueCrypt, etc.)
• Always ask for any and all passwords on all systems (logon, file access, email, etc.)
• Ask if there is any file on the system, cell phone or physically printed that contains passwords
• Ask about physical token devices that may be used in place of or in conjunction with passwords (e.g. dongles, smart cards, etc.)
• Have your search teams look for dongles & smart cards.
• If possible, get or ask for biographical data that may be used as passwords (e.g. birthdays, pets, girlfriend or boyfriend, wife or husband, children, etc.)

Slide 6: Covert Password Options???
• There will be encryption that you cannot break without the proper password or passphrase.
• In an investigation where access to the encrypted files is critical you may consider some options:
  • Covert installation of a video/web cam focused on the keyboard.
  • Covert installation of a “keylogger” or other monitoring program on the subject’s computer to capture the typed password or passphrase.
• Discuss legal issues with your ADA, AG, AUSA, CTC, CHIP or other CCIPS attorney!

Slide 7: Bypassing BIOS Passwords
• Check the manuals for access, usually online…
• Motherboard jumper
• Disconnecting CMOS battery
• Manufacturer backdoor/device/diskette
• 3rd party solutions

Slide 8: Motherboard Jumper or Battery

Slide 9: Manufacturer’s Backdoor BIOS Passwords
• Removal of the CMOS battery will reset the RTC (Real-Time Clock) and in most cases clear the password and all other BIOS settings. The battery may be soldered in place.
• A jumper or manual shorting of pins on the MB while power is applied to the MB will reset most passwords (see the user manual or online “hacker” tips.)
• Example: Award BIOS password “AWARD_SW”
• Lists maintained online on many sites. Google “BIOS backdoor password list”

Slide 10: Manufacturer’s Backdoor HD Passwords
• ATA HD passwords are common on laptops
• Dell laptops: Dell will provide a unique unlock key specifically for each laptop with the “Service Tag” and verification of your ownership of the product or proper LE authority.

Slide 11: ATA HD Password 3rd Party Solutions
• http://www.vogon-investigation.com/password-cracker-solution.htm
• http://www.hdd-tools.com/products/rrs/
• And others – Google “ATA HDD password removal”

Slide 12: Programs that remove BIOS passwords
A few minutes of Googling for “BIOS password reset” or similar will result in hits for many free tools that claim to be able to reset or remove BIOS passwords, however:
1. Beware of free “hacking” tools and always test in a safe environment to find out what they really do to your system before using them for anything important.
2. Many of these tools are Windows or Linux tools designed to remove the BIOS password on a computer that is already up and running.
3. Many other tools run from a bootable DOS or Linux boot disk and claim to remove/reset a BIOS password.
4. Items 2 & 3 above are impossible in real life if the BIOS password is preventing you from booting the suspect machine to a boot disk or to the machine’s installed OS without first entering the BIOS password.

Slide 13: Password Protected Files
• Not very common these days. Usually found in database applications.
• File data remains intact.
• The software application (or front end application for a database) that created the file is unable to access the file without the proper password.
• Using a HEX editor or other forensic tools, you can view the unencrypted contents of the raw file data.

Slide 14: Password Protected Files
Some older programs that password protect files:
• DBASE
• RBASE
• Q & A
• Quicken
• AccPac Plus
Most newer versions of these and other programs now “encrypt” the file data.

Slide 15: Password Protected Files
Some options for gaining access to password protected files:
• Swap the password file (or in some cases just replace the password hash in the file) with your own password file/hash of a known password.
• Manufacturer back door or setup disk.
• Compare file differences with a HEX editor (before and after password protection is applied to your own test file) to identify where/how the password is stored within a protected file.
• Memory dump during a password attempt (the password you typed in may be compared against the correct stored password in RAM)

Slide 16: Password Encrypted Files

Slide 17: Password Encrypted Files
• Common
• File data is converted to unreadable data.
• Raw file data can be viewed using a HEX editor or other forensic tool, however the contents of the file are encrypted and meaningless.
• The software application that created the file is unable to access the file without the correct password.

Slide 18: Password Cracking/Decryption
To decrypt a file:
• Password breaking software
• Decryption (various techniques depending on the type of encrypted file)
• Dictionary and Xieve attacks
• Rainbow Tables
• Brute Force (stand-alone or distributed)
• Create an index of all “words” on the seized drive/media and use that index as a dictionary of passwords to try.
• Debugging tools (http://www.ollydbg.de) and memory dumps. *way beyond the scope of this class!

Slide 19: Password Cracking/Decryption
• Elcomsoft
• Passware (LostPassword.com)
• Access Data Password Recovery Toolkit (PRTK), Distributed Network Attack (DNA) & Rainbow Tables
• Many others out there…..Google it when you have a need for a file type not covered by your issued tools!

Slide 20: ElcomSoft Advanced Office Password Recovery

Slide 21: ElcomSoft Advanced Archive Password Recovery

Slide 22: Other Methods of File Encryption
• Individual file encryption can be accomplished through OS features and 3rd party applications, in addition to the native application that created the file.

Slide 23: Windows Encrypted File System (EFS)
• New security feature with Windows 2000 and improved with Windows XP and later.
• Only exists on NTFS partitions.
• EFS is a file/folder attribute that encrypts the files and/or directories on disk.
• Can only be opened by the user that encrypted the file(s) or a designated “recovery agent”.

Slide 24: Windows Encrypted File System (EFS)
• Recovery agent created by default with Win2k, not with WinXP.
• Only need to log on to the system as the user (with the correct password) that encrypted the file(s) to gain access.
• Can “force” a password change in Win2k and log on with the new password.
• “Forced” password changes on XP and later lock you out of EFS encrypted files.

Slide 25: Windows Encrypted File System (EFS)
• Can use ntpasswd by ~pnordahl and several other tools to change or remove Windows logon passwords for local user accounts.
• The Windows Passware Key Enterprise boot disk will also change Active Directory admin user accounts (and is currently the only tool to do so.)
• In XP and later, these forced changes will lock EFS files.
• Elcomsoft and Passware currently offer EFS cracking modules.

Slide 26: Windows Encrypted File System (EFS)

Slide 27: Windows Logon Passwords

Slide 28: Windows Logon Passwords
• Do you need to know the logon password or simply change or remove it?
• If the password is crackable, you may find that the same password is used for other protected files.
• If you only need to log on and don’t need the password (remember the EFS issue), then change the password with a reset boot disk.

Slide 29: Changing Windows Logon Passwords
• Using automated Windows logon password reset tools, you simply replace/remove the stored password hash.

Slide 30: Cracking Windows Logon Passwords
• Password hashes (not the actual password) are stored in the “SAM” file located in the c:\windows\system32\config folder (part of the Windows registry).
• The “System” file (another registry hive) contains the “SYSKEY” hash encryption info.
• Extract the SAM & System files.

Slide 31: Cracking Windows Logon Passwords for Local Accounts
• Cracked by comparing computed hashes against the one stored in the SAM file, until a match is found.
• Load the SAM file (or hashes exported from a SAM file into PWDUMP text format) into your cracking software (e.g. l0phtCrack, SamInside, PRTK, rainbow tables, etc.)

Slide 32: Cracking Windows Logon Passwords for Local Accounts
• Starting with Windows NT 4.0 SP3, then 2K and XP, SYSKEY further encrypted the password hashes stored in the SAM file.
• Must remove SYSKEY to get crackable hashes….using the “SYSTEM” registry file.
• SamInside can export un-SYSKEY’d hashes to load into other cracking tools.
• Can circumvent SYSKEY if grabbing hashes from a “live” system and you have admin privileges.

Slide 33: Cracking Windows Logon Passwords for Local Accounts
• Windows can use either LM or NT passwords. When LM hashes are used (the default for many Windows versions), the hashes are relatively easy to crack:
  • Passwords are converted to all uppercase
  • The password is then truncated at 14 characters
  • The password is broken into two 7-character halves
• So a 10 character mixed-case password (e.g. ThisIsTufF) becomes “THISIST” and “UFF”…not very hard to crack on a fast machine.
• NT passwords do not have the “flaws” above and are much harder to brute force.
• Unfortunately LM passwords are now disabled by default in Windows 7 and later.
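To make the weakness concrete, here is an added Python example (not from the course slides) that reproduces the LM pre-processing just described, derives the DES key each 7-byte half feeds, and compares the brute-force work for the two LM halves with that of a case-preserving NT hash of the same password. The character-set sizes LM_CHARSET and NT_CHARSET are assumptions chosen for the comparison, and the DES encryption of the constant itself is not performed.

```python
# Added example (not from the course slides): the LM pre-processing described
# above, the DES key it yields per half, and the resulting search-space gap.
# LM_CHARSET / NT_CHARSET are assumed sizes used only for the comparison.
LM_CHARSET = 69   # assumed: 26 uppercase + 10 digits + 33 symbols (LM discards case)
NT_CHARSET = 95   # assumed: all printable ASCII (NT hashes keep case)


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Uppercase, truncate to 14 bytes, NUL-pad, split into two 7-byte halves (ASCII only)."""
    padded = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]

def des_key_from_half(half: bytes) -> bytes:
    """Expand a 7-byte half into the 8-byte DES key LM uses to encrypt 'KGS!@#$%'.

    Each key byte holds 7 password bits followed by an odd-parity bit, so a
    half contributes only 56 secret bits, and the two halves are independent
    DES operations that a cracker can attack separately.
    """
    bits = int.from_bytes(half, "big")              # 56 bits, MSB first
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F       # next 7 bits
        parity = 0 if bin(seven).count("1") % 2 else 1
        key.append((seven << 1) | parity)           # odd parity in the low bit
    return bytes(key)

def effective_lengths(password: str) -> tuple[int, int]:
    """Characters a cracker must actually guess in each half (NUL padding is free)."""
    first, second = lm_halves(password)
    return len(first.rstrip(b"\x00")), len(second.rstrip(b"\x00"))

def lm_work(password: str, charset: int = LM_CHARSET) -> int:
    """Brute-force candidates for LM: the halves are cracked independently, so add them."""
    return sum(charset ** n for n in effective_lengths(password))

def nt_work(password: str, charset: int = NT_CHARSET) -> int:
    """Candidates for an NT hash of the same password: no uppercasing, truncation or split."""
    return charset ** len(password)


if __name__ == "__main__":
    pw = "ThisIsTufF"
    print(lm_halves(pw))                            # the slide's THISIST / UFF split
    print(f"LM: {lm_work(pw):.2e} candidates vs NT: {nt_work(pw):.2e}")
```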

Slide 34: Cracking Cached Windows Domain Account Passwords
• Cached domain logon credentials are more difficult to crack.
• Not stored in the SAM file; need the System and Security hives instead.

Slide 35: Linux Logon Passwords
• Password hash stored in the “/etc/passwd” or “/etc/shadow” text files.
• Remove the password hash and you remove the password, or replace the hash with the hash of a known password.
• Using any text editor, remove the password hash for the “root” user, leaving the first line of the “/etc/shadow” text file looking something like:
  root::12499:0:10000::::
  instead of
  root:8X$254dh%a10&%5243AE2f:12499:0:10000::::
• Brute force or rainbow tables: John the Ripper (http://www.openwall.com/john/); FSCrack (front end GUI for JtR): http://www.foundstone.com; L0phtCrack
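An added Python example (not from the course slides) that parses lines in the /etc/shadow format shown above, decodes the fields of the slide's sample line (12499 is days since 1970-01-01), and flags entries whose hash field has been blanked, which is the artifact an examiner reviewing a Linux image for such an edit would look for. The sample lines are constructed and the hash strings are placeholders, not real hashes.

```python
from datetime import date, timedelta

# Added example (not from the course slides). Constructed sample in
# /etc/shadow format; the "hash" values are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root::12499:0:10000::::
alice:$6$placeholdersalt$placeholderhash:12499:0:99999:7:::
daemon:*:12499:0:99999:7:::
bob:!:12499:0:99999:7:::
"""

# The nine colon-separated fields of a shadow entry.
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")
EPOCH = date(1970, 1, 1)


def parse_shadow(text: str) -> list[dict]:
    """Parse shadow-format lines; 'lastchg' (days since the epoch) is decoded to an ISO date."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {raw!r}")
        entry = dict(zip(FIELDS, parts))
        days = entry["lastchg"]
        entry["lastchg_date"] = (EPOCH + timedelta(days=int(days))).isoformat() if days else None
        entries.append(entry)
    return entries

def classify(hash_field: str) -> str:
    """Describe what the second field allows."""
    if hash_field == "":
        return "empty"      # no password required at all: the edit the slide shows
    if hash_field[0] in "!*":
        return "locked"     # password login disabled
    if hash_field.startswith("$"):
        return "hashed"     # $id$salt$hash crypt(3) format
    return "unknown"        # legacy DES or malformed

def empty_password_accounts(text: str) -> list[str]:
    """Accounts whose hash field has been blanked; a review of a Linux image should flag these."""
    return [e["name"] for e in parse_shadow(text) if classify(e["hash"]) == "empty"]


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(e["name"], classify(e["hash"]), e["lastchg_date"])
```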

Slide 36: Disk/Volume Encryption
Full Disk/Volume Encryption (FDE/FVE) exists in many forms:
• Hardware based: Seagate
• Software based: PGP, BestCrypt
• OS based: BitLocker (MS Vista), BitLocker To Go (Win7)

Slide 37: Full Disk/Volume Encryption
• How do I detect whether or not encryption exists and whether we should be concerned about it?
• What can/should I do if we detect encryption on a running computer?
• What can I do if a FDE/FVE encrypted computer is already off when I get there, or I have an image of an FDE/FVE encrypted drive?

Slide 38: BitLocker (Detection & Key Export)

Slide 39: BitLocker (Decryption With Recovery Key)
• Manually check the Control Panel\System & Security\BitLocker Drive Encryption applet for current use of BitLocker.
• If enabled and unlocked, an Admin user can save/print a copy of the recovery key.

Slide 40: BitLocker (Decryption With Recovery Key – cont.)
• Attach any “foreign” BitLocker disk to your forensic Vista or Win7 workstation to decrypt and work with it.

Slide 41: BitLocker (Decryption With Passware)
• Passware Password Recovery Kit – Forensic allows for the decryption of BitLocker encrypted volumes with a RAM dump containing the Encryption Key in memory.

Slide 42: BitLocker (Detection with Forensic Tools)

Slide 43: FDE/FVE – cont.
• There are hundreds of encryption programs out there and they are all different.
• Learning how to deal with them is typically done on a case-by-case basis, and is impossible to cover in this module.
• Always look for FDE indications on running computers (e.g. desktop icons, icons in the task tray, etc.)
• Seek out online resources and the assistance of senior forensic examiners.
• http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Slide 44: Password Cracking Limitations
• Encryption and password/passphrase strength get continuously harder to crack; the cracking effort grows exponentially, faster than the speed of our cracking machines.
• Brute Force requires you to select a “Character Set” to use in the cracking attempt (e.g. ABC…abc…123…!@#...).
• With up to 256 possible character choices for each character in a password, cracking can take days, weeks, or Zillions of years on some file types depending on the password length.
• Faster hardware-based GPU and FPGA cracking technology, plus distributed network cracking grids, greatly improve cracking speed.

Questions ???

…as usual, use the discussion board!