11/15/2011 - students.cs.uri.edu
Transcript of 11/15/2011 - students.cs.uri.edu
11/15/2011
1
Passwords & Encryption
CSC 485/585
Objectives
Understand the various types of passwords and/or encryption a Computer Forensic examiner must deal with.
Be able to identify and use the appropriate tool(s) and/or process for obtaining, removing, or changing the various types of passwords.
Understand the limitations of password cracking.
I need a password….now what?
In some cases a computer may be protected at startup with a BIOS password and/or an ATA hard drive security password. How do I deal with this?
Earlier in this course you learned how to find files with various search techniques, but what if they are encrypted or password protected and you can’t open them?
You restored a seized computer image into a virtual machine and need to boot the VM. How do I log in when it is asking for a username and password?
Worst of all, my entire forensic image is gibberish because the seized computer was using Full Disk Encryption. What are my options?
In this module we will address the many aspects of passwords and encryption, and the related issues and limitations, looking at the above questions one at a time.
Interviewing
The easiest solution is to find or otherwise obtain the password:
inside a file on their computer called “passwords”
taped to the bottom of the keyboard
inside software manuals
desk blotters
calendar pads
yellow sticky notes
desk drawers
(Always ask for the password!!!)
Interviewing
Ask if they know of any encryption or password protection software being used (i.e. BitLocker, PGP, TrueCrypt, etc.)
Always ask for any and all passwords on all systems (logon, file access, email, etc.)
Ask if there is any file on the system or cell phone, or anything physically printed, that contains passwords
Ask about physical token devices that may be used in place of or in conjunction with passwords (i.e. dongles, smart cards, etc.)
Have your search teams looking for dongles & smart cards.
If possible, get or ask for biographical data that may be used as passwords (i.e. birthdays, pets, girlfriend or boyfriend, wife or husband, children, etc.)
Covert Password Options???
There will be encryption that you cannot break without the proper password or passphrase.
In an investigation where access to the encrypted files is critical you may consider some options:
Covert installation of a video/web cam focused on the keyboard.
Covert installation of a “keylogger” or other monitoring program on the subject’s computer to capture the typed password or passphrase.
Discuss legal issues with your ADA, AG, AUSA, CTC, CHIP or other CCIPS attorney!
Bypassing BIOS Passwords
Check the manuals for access, usually online…
Motherboard jumper
Disconnecting CMOS battery
Manufacturer backdoor/device/diskette
3rd party solutions
Motherboard Jumper or Battery
Removal of the CMOS battery will reset the RTC (Real-Time Clock) and in most cases clear the password and all other BIOS settings.
The battery may be soldered in place.
A jumper, or manual shorting of pins on the motherboard while power is applied to it, will reset most passwords (see the user manual or online “hacker” tips).
Manufacturer’s Backdoor BIOS Passwords
Example: Award BIOS password “AWARD_SW”
Lists are maintained online on many sites. Google “BIOS backdoor password list”.
Manufacturer’s Backdoor HD Passwords
ATA HD passwords are common on laptops.
Dell laptops: Dell will provide a unique unlock key specifically for each laptop given the “Service Tag” and verification of your ownership of the product or proper LE authority.
ATA HD Password 3rd Party Solutions
http://www.vogon-investigation.com/password-cracker-solution.htm
http://www.hdd-tools.com/products/rrs/
And others – Google “ATA HDD password removal”
Programs that remove BIOS passwords
A few minutes of Googling for “BIOS password reset” or similar will result in hits for many free tools that claim to be able to reset or remove BIOS passwords, however:
1. Beware of free “hacking” tools and always test in a safe environment to find out what they really do to your system before using them for anything important.
2. Many of these tools are Windows or Linux tools designed to remove the BIOS password on a computer that is already up and running.
3. Many other tools run from a bootable DOS or Linux boot disk and claim to remove/reset a BIOS password.
4. Items 2 & 3 above are impossible in real life if the BIOS password is preventing you from booting the suspect machine to a boot disk or to the machine’s installed OS without first entering the BIOS password.
Password Protected Files
Not very common these days. Usually found in database applications.
File data remains intact.
The software application (or front end application for a database) that created the file is unable to access the file without the proper password.
Using a HEX editor or other forensic tools, you can view the unencrypted contents of the raw file data.
Password Protected Files
Some older programs that password protect files:
• DBASE
• RBASE
• Q & A
• Quicken
• AccPac Plus
Most newer versions of these and other programs now “encrypt” the file data.
Password Protected Files
Some options for gaining access to password protected files:
• Swap the password file (or in some cases just replace the password hash in the file) with your own password file/hash of a known password.
• Manufacturer back door or setup disk.
• Compare file differences with a HEX editor (before and after password protection is applied to your own test file) to identify where/how the password is stored within a protected file.
• Memory dump during a password attempt (the password you typed in may be compared against the correct stored password in RAM).
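The before/after comparison in the third bullet, done programmatically rather than by eye in a hex editor. This is an added example written for this page, not code from the course; BEFORE, AFTER and AFTER2 are constructed byte strings standing in for a small record-style data file produced by a hypothetical application, not any real file format. The second protected copy (made with a different password) is what separates a fixed "this file is protected" flag from the bytes that actually hold the password.

```python
"""Find where a (hypothetical) application stores a password inside a
"password protected" file by diffing a test file before and after protection.
Added illustration of the slide's hex-editor comparison, not course code;
BEFORE/AFTER/AFTER2 are constructed byte strings, not a real file format."""

from typing import List, Tuple

BODY = b"NAME=ALICE;ACCT=1234;\n"          # record data, unchanged by protection

# Constructed "before" image: magic, a one-byte protection flag, a 16-byte
# reserved area, then the record body.
BEFORE = b"DBF1" + b"\x00" + b"\x00" * 16 + BODY

# The same file after the hypothetical application applied the password
# "SECRET": only the flag and the reserved area changed, the data did not.
AFTER = b"DBF1" + b"\x01" + b"SECRET\x00" + b"\x00" * 9 + BODY

# A second protected copy made with a different password, "OTHER", used to
# separate "this file is protected" bytes from "this is the password" bytes.
AFTER2 = b"DBF1" + b"\x01" + b"OTHER\x00" + b"\x00" * 10 + BODY


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, old_bytes, new_bytes) for every run of differing bytes.

    Files are compared up to the shorter length; a length difference is
    reported as one final run so a file that grew or shrank is not missed."""
    runs: List[Tuple[int, bytes, bytes]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        runs.append((start, a[start:i], b[start:i]))
    if len(a) != len(b):
        runs.append((n, a[n:], b[n:]))
    return runs


def password_offsets(protected1: bytes, protected2: bytes) -> List[int]:
    """Offsets that differ between two copies protected with different
    passwords: these depend on the password itself, whereas a flag byte that
    is set identically in both copies does not show up here."""
    n = min(len(protected1), len(protected2))
    return [i for i in range(n) if protected1[i] != protected2[i]]


def hexdump_row(offset: int, old: bytes, new: bytes) -> str:
    """One hex-editor style line per differing run."""
    return f"0x{offset:06x}: {old.hex()} -> {new.hex()}  ({new!r})"


if __name__ == "__main__":
    for off, old, new in diff_ranges(BEFORE, AFTER):
        print(hexdump_row(off, old, new))
    print("password-dependent offsets:", password_offsets(AFTER, AFTER2))
```

Against real files, read the two copies from disk in place of the constructed constants; the first diff shows which region the application touched, and the second diff (two different passwords) shows which of those bytes vary with the password and which are a constant flag.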
Password Encrypted Files
Common.
File data is converted to unreadable data.
Raw file data can be viewed using a HEX editor or other forensic tool, however the contents of the file are encrypted and meaningless.
The software application that created the file is unable to access the file without the correct password.
Password Cracking/Decryption
To Decrypt a File:
Password breaking software
Decryption (various techniques depending on the type of encrypted file)
Dictionary and Xieve attacks
Rainbow Tables
Brute Force (stand-alone or distributed)
Create an index of all “words” on the seized drive/media and use that index as a dictionary of passwords to try.
Debugging tools (http://www.ollydbg.de) and memory dumps. *way beyond the scope of this class!
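The "index of all words on the seized media" idea above, as a small stand-alone wordlist builder. This is an added example for this page, not code from the course or from any named tool; IMAGE is a constructed stand-in for a raw drive image and every string in it is made up. It pulls printable ASCII and UTF-16LE runs (the latter because much Windows-stored text is UTF-16), splits them into tokens, and adds simple case variants so the resulting dictionary also catches a password typed with different capitalisation.

```python
"""Build a candidate dictionary from every "word" found on a seized drive
image, the approach the slide above suggests.  Added example, not part of the
course material; IMAGE is a constructed stand-in for a raw image and the
strings in it are made up."""

import re
from typing import List, Set

# Constructed sample of what unallocated space might hold: an ASCII note, a
# UTF-16LE string (how Windows stores much of its text), binary noise that
# should not yield words, and a config-style line.
IMAGE = (
    b"\x00\xff\x10Dear Bob, the vault code is Tuffy2009 see you at 5\x00\x00"
    + "Fluffy2008".encode("utf-16-le")
    + b"\x7f\x00\x01\x02ab\x03"
    + b"\n\nPASSWORD=ThisIsTufF\r\n"
    + b"\x90" * 8
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII runs
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # printable UTF-16LE runs
TOKEN = re.compile(r"[A-Za-z0-9!@#$%^&*_.\-]+")          # crude word splitter


def extract_strings(data: bytes) -> Set[str]:
    """All printable strings of four or more characters, ASCII and UTF-16LE,
    much like the output of a 'strings'-style pass over the image."""
    found = {m.group().decode("ascii") for m in ASCII_RUN.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)}
    return found


def build_wordlist(data: bytes, min_len: int = 4) -> List[str]:
    """Unique tokens from every string, plus simple case variants, so the
    list also covers a password the user typed with different capitalisation."""
    words: Set[str] = set()
    for s in extract_strings(data):
        for tok in TOKEN.findall(s):
            if len(tok) >= min_len:
                words.update({tok, tok.lower(), tok.upper(), tok.capitalize()})
    return sorted(words)


if __name__ == "__main__":
    for w in build_wordlist(IMAGE):
        print(w)
```

On a real image, read the file in chunks and feed each chunk to build_wordlist, then merge the results; strings that straddle a chunk boundary can be recovered by overlapping the chunks by a few hundred bytes.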
Password Cracking/Decryption
Elcomsoft
Passware (LostPassword.com)
Access Data Password Recovery Toolkit (PRTK), Distributed Network Attack (DNA) & Rainbow Tables
Many others out there… Google it when you have a need for a file type not covered by your issued tools!
ElcomSoft Advanced Office Password Recovery
ElcomSoft Advanced Archive Password Recovery
Other Methods of File Encryption
Individual file encryption can be accomplished through OS features and 3rd party applications, in addition to the native application that created the file.
Windows Encrypted File System (EFS)
New security feature with Windows 2000, improved with Windows XP and later.
Only exists on NTFS partitions.
EFS is a file/folder attribute that encrypts the files and/or directories on disk.
Can only be opened by the user that encrypted the file(s) or a designated “recovery agent”.
Windows Encrypted File System (EFS)
Recovery agent created by default with Win2k, not with WinXP.
Only need to log on to the system as the user (with the correct password) that encrypted the file(s) to gain access.
Can “force” a password change in Win2k and log on with the new password.
“Forced” password changes on XP and later lock you out of EFS encrypted files.
Windows Encrypted File System (EFS)
Can use ntpasswd by ~pnordahl and several other tools to change or remove Windows logon passwords for local user accounts.
The Windows Passware Key Enterprise boot disk will also change Active Directory admin user accounts (and is the only tool to currently do so).
In XP and later, these forced changes will lock EFS files.
Elcomsoft and Passware currently offer EFS cracking modules.
Windows Logon Passwords
Do you need to know the logon password or simply change or remove it?
If the password is crackable, you may find that the same password is used for other protected files.
If you only need to log on and don’t need the password (remember the EFS issue), then change the password with a reset boot disk.
Changing Windows Logon Passwords
Using automated Windows logon password reset tools, you simply replace/remove the stored password hash.
Cracking Windows Logon Passwords
Password hashes (not the actual password) are stored in the “SAM” file located in the c:\windows\system32\config folder (part of the Windows registry).
The “System” file (another registry hive) contains the “SYSKEY” hash encryption info.
Extract the SAM & System files.
Cracking Windows Logon Passwords for Local Accounts
Cracked by comparing computed hashes against the one stored in the SAM file, until a match is found.
Load the SAM file (or hashes exported from a SAM file into PWDUMP text format) into your cracking software (i.e. l0phtCrack, SamInside, PRTK, rainbow tables, etc.)
Cracking Windows Logon Passwords for Local Accounts
Starting with Windows NT 4.0 SP3, then 2K and XP, SYSKEY further encrypted the password hashes stored in the SAM file.
Must remove SYSKEY to get crackable hashes… using the “SYSTEM” registry file.
SamInside can export un-SYSKEY’d hashes to load into other cracking tools.
Can circumvent SYSKEY if grabbing hashes from a “live” system and you have admin privileges.
Cracking Windows Logon Passwords for Local Accounts
Windows can use either LM or NT password hashes. When LM hashes are used (the default for many Windows versions), the hashes are relatively easy to crack:
The password is converted to all uppercase.
The password is then truncated at 14 characters.
The password is split into two 7-character halves.
So a 10 character mixed-case password (i.e. ThisIsTufF) becomes “THISIST” and “UFF”… not very hard to crack on a fast machine.
NT hashes do not have the “flaws” above and are much harder to brute force.
Unfortunately LM hashes are now disabled by default in Windows 7 and later.
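The three LM preprocessing steps above, as code, together with the size of the search space they leave. This is an added example written for this page, not course material: it models only the uppercase/truncate/split steps and deliberately omits the DES step that turns each half into hash bytes, so it produces no hash values. The keyspace functions assume 95 printable ASCII characters before uppercasing and 69 after (the 26 lowercase letters collapse into the uppercase ones); the "case-preserving" figure is the cost of guessing the whole password at once, which is what the slide contrasts LM with.

```python
"""The LM preprocessing the slide describes, as code, with the size of the
search space it leaves an attacker.  Added example, not course material: it
models only the uppercase/truncate/split steps, not the DES step that turns
each 7-character half into 8 hash bytes, so it produces no hash values."""

from typing import Tuple

PRINTABLE_ASCII = 95                        # 0x20..0x7e (an assumed character set)
AFTER_UPPERCASING = PRINTABLE_ASCII - 26    # lowercase letters collapse into uppercase


def lm_halves(password: str) -> Tuple[str, str]:
    """Uppercase, truncate to 14 characters, split into two 7-character halves
    (in the real algorithm each half is NUL-padded to 7 bytes and used as a
    DES key; the halves are processed independently of each other)."""
    p = password.upper()[:14]
    return p[:7], p[7:14]


def lm_half_keyspace(max_len: int = 7, charset: int = AFTER_UPPERCASING) -> int:
    """Candidates that exhaust one half: every string of length 0..max_len
    over the uppercased character set (length 0 covers an empty second half)."""
    return sum(charset ** n for n in range(max_len + 1))


def lm_total_work(password_len: int) -> int:
    """Worst-case candidates to recover a password of the given length via LM:
    each half is attacked on its own, so the cost is the sum, not the product."""
    halves = 2 if password_len > 7 else 1
    return halves * lm_half_keyspace()


def case_preserving_work(password_len: int, charset: int = PRINTABLE_ASCII) -> int:
    """Worst-case candidates if the whole password had to be guessed at once
    with case intact (the situation the slide contrasts LM with)."""
    return charset ** password_len


def second_half_empty(password: str) -> bool:
    """A password of 7 characters or fewer leaves the second half empty; the
    hash of an empty half is a fixed, well-known value, which lets a cracking
    tool skip that half entirely."""
    return lm_halves(password)[1] == ""


if __name__ == "__main__":
    pw = "ThisIsTufF"
    print(lm_halves(pw))                              # ('THISIST', 'UFF')
    print(f"LM worst case: {lm_total_work(len(pw)):.3e} candidates")
    print(f"case-preserving worst case: {case_preserving_work(len(pw)):.3e} candidates")
```

For the slide's 10-character example the LM figure is on the order of 10^13 candidates while the case-preserving figure is on the order of 10^19, which is the quantitative reason behind "not very hard to crack on a fast machine".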
Cracking Cached Windows Domain Account Passwords
Cached domain logon credentials are more difficult to crack.
Not stored in the SAM file; need the System and Security hives instead.
Linux Logon Passwords
Password hashes are stored in the “/etc/passwd” or “/etc/shadow” text files.
Remove the password hash and you remove the password, or replace the hash with the hash of a known password.
Using any text editor, remove the password hash for the “root” user, leaving the first line of the “/etc/shadow” text file looking something like:
root::12499:0:10000::::
instead of
root:8X$254dh%a10&%5243AE2f:12499:0:10000::::
Brute force or rainbow tables:
John the Ripper: http://www.openwall.com/john/
FSCrack (front end GUI for JtR): http://www.foundstone.com
L0phtCrack
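The /etc/shadow edit shown above, handled with a parser instead of a text editor, so the result can be checked field by field. This is an added example for this page, not course code; SHADOW is a constructed file and the hash strings in it are placeholders, not real password hashes. Besides reproducing the slide's edit (an empty second field removes the password), the state property reports what each account's password field currently means, which is the same check an administrator would run to find accounts that have been left password-less.

```python
"""Parse /etc/shadow-format lines and report the state of each account's
password field, the file the slide edits by hand.  Added example, not course
material; SHADOW is constructed and the hash strings in it are placeholders,
not real password hashes."""

from dataclasses import dataclass
from typing import List

# Constructed sample: root with the hash removed (as on the slide), one normal
# account, one locked account (leading '!'), one system account ('*').
SHADOW = """\
root::12499:0:10000::::
alice:$6$saltsalt$PLACEHOLDERSHA512CRYPTHASH:15000:0:99999:7:::
bob:!$1$abcdefgh$PLACEHOLDERMD5CRYPT:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

# Hash identifiers used in the $id$salt$hash form of the password field.
HASH_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    last_change: int      # days since the epoch (third field)

    @property
    def state(self) -> str:
        h = self.hash_field
        if h == "":
            return "EMPTY (account logs in with no password)"
        if h[0] in "!*":
            return "locked"
        if h.startswith("$"):
            ident = h.split("$")[1]
            return "hashed (" + HASH_IDS.get(ident, "unknown id " + ident) + ")"
        return "hashed (traditional crypt)"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """One entry per line; shadow lines always have nine colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(fields[0], fields[1], int(fields[2] or 0)))
    return entries


def passwordless_accounts(text: str) -> List[str]:
    """Accounts whose password field is empty: the result of the edit the slide
    shows, and something to look for when reviewing a system's own shadow file."""
    return [e.user for e in parse_shadow(text) if e.hash_field == ""]


def set_hash_field(text: str, user: str, new_hash: str) -> str:
    """Rewrite one user's password field (the slide's 'replace the hash with the
    hash of a known password'); new_hash == "" removes the password."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 9 and fields[0] == user:
            fields[1] = new_hash
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for e in parse_shadow(SHADOW):
        print(f"{e.user:8s} {e.state}")
```

Note that the slide's example root line (“root:8X$254dh%a10&%5243AE2f:…”) does not begin with a `$id$` prefix, so this parser would report it as a traditional crypt hash; modern distributions write the `$6$` (sha512-crypt) form shown for alice.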
Disk/Volume Encryption
Full Disk/Volume Encryption (FDE/FVE) exists in many forms.
Hardware Based: Seagate
Software Based: PGP, BestCrypt
OS Based: BitLocker (MS Vista), BitLocker To Go (Win7)
Full Disk/Volume Encryption
How do I detect whether or not encryption exists and whether we should be concerned about it?
What can/should I do if we detect encryption on a running computer?
What can I do if an FDE/FVE encrypted computer is already off when I get there, or I have an image of an FDE/FVE encrypted drive?
BitLocker (Detection & Key Export)
Manually check the Control Panel\System & Security\BitLocker Drive Encryption\ applet for current use of BitLocker.
If enabled and unlocked, an Admin user can save/print a copy of the recovery key.
BitLocker (Decryption With Recovery Key)
Attach any “foreign” BitLocker disk to your forensic Vista or Win7 workstation to decrypt and work with it.
BitLocker (Decryption With Recovery Key – cont.)
BitLocker (Decryption With Passware)
Passware Password Recovery Kit – Forensic allows for the decryption of BitLocker encrypted volumes with a RAM dump containing the Encryption Key in memory.
BitLocker (Detection with Forensic Tools)
FDE/FVE – cont.
There are hundreds of encryption programs out there and they are all different.
Learning how to deal with them is typically done on a case-by-case basis, and is impossible to cover in this module.
Always look for FDE indications on running computers (i.e. desktop icons, icons in the task tray, etc.)
Seek out online resources and the assistance of senior forensic examiners.
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
Password Cracking Limitations
Encryption and password/passphrase strength get continuously harder to crack, and the work required grows exponentially faster than the speed of our cracking machines.
Brute Force requires you to select a “Character Set” to use in the cracking attempt (i.e. ABC…abc…123…!@#...).
With up to 256 possible character choices for each character in a password, cracking can take days, weeks, or Zillions of years on some file types depending on the password length.
Faster hardware-based GPU and FPGA cracking technology, plus distributed network cracking grids, greatly improve cracking speed.
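The exponential growth the slide refers to, made concrete: how the number of brute-force candidates depends on the chosen character set and maximum length, and what that means in wall-clock time at a given guess rate. This is an added example for this page, not course material; the character sets are the ones a brute-force run would typically offer (digits, lowercase, alphanumeric, printable ASCII, all 256 byte values) and the two guess rates in the demo are constructed round numbers, not measurements of any tool or file type.

```python
"""Brute-force cost as a function of character set and password length, the
growth the slide above describes.  Added example, not course material; the
guess rates in the demo are constructed round numbers, not measurements of any
tool or file type."""

import string
from typing import Dict

# Character sets an examiner might select for a brute-force run.
CHARSETS: Dict[str, int] = {
    "digits": len(string.digits),                                # 10
    "lowercase": len(string.ascii_lowercase),                    # 26
    "alphanumeric": len(string.ascii_letters + string.digits),   # 62
    "printable ASCII": 0x7f - 0x20,                              # 95
    "all 256 byte values": 256,
}


def candidates(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Passwords of length min_len..max_len over a set of charset_size symbols."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(charset_size: int, max_len: int, guesses_per_sec: float) -> float:
    """Time to exhaust the whole space; on average about half of it is needed."""
    return candidates(charset_size, max_len) / guesses_per_sec


def growth_per_character(charset_size: int, max_len: int) -> float:
    """Factor by which the space grows when the maximum length rises by one:
    close to charset_size, which is the exponential growth the slide means."""
    return candidates(charset_size, max_len + 1) / candidates(charset_size, max_len)


def human_duration(seconds: float) -> str:
    """Seconds rendered in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Constructed rates: a fast hash versus a deliberately slow file format.
    for rate in (1e9, 1e4):
        print(f"--- {rate:.0e} guesses/second ---")
        for name, size in CHARSETS.items():
            for length in (6, 8, 10):
                t = worst_case_seconds(size, length, rate)
                print(f"{name:20s} len<={length:2d}: {human_duration(t)}")
```

Running the demo shows why the character set choice matters as much as the hardware: at the same rate, widening the set from 26 to 95 symbols at length 8 costs more than a factor of 30,000, and each extra character of length multiplies the work by roughly the set size again, which a faster GPU, FPGA or grid only recovers one constant factor of.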
Questions ???
…as usual, use the discussion board!