Handling Encrypted Evidence & Password Recovery: Nataly Koukoushkina June 2010 CCFC 2010, Workshop

The document discusses handling encrypted evidence and password recovery. It describes Passware Kit Forensic software, which can recover passwords for over 180 encrypted file types and decrypt encrypted hard disks. The presentation covers discovering encrypted evidence, techniques for recovering easy and strong passwords, and using hardware acceleration. It also discusses acquiring memory images to extract encryption keys and decrypting encrypted hard disks and volumes.

Uploaded by patopick
License: © Attribution Non-Commercial (BY-NC)
Handling Encrypted Evidence & Password Recovery
Nataly Koukoushkina
June 2010
CCFC 2010, Workshop
• Passware
◦ In business for 12 years
◦ Offices in USA and Russia
◦ Products included in Certified Computer Examiner (CCE) training

• Passware Kit Forensic
◦ Password recovery & decryption for 180 file types and hard disks
◦ Scans computers for encrypted data
◦ Acquires memory images over FireWire
◦ Supports Tableau TACC and GPU to speed up password recovery
◦ Supports Distributed Password Recovery
◦ Includes USB Portable version

www.lostpassword.com
• Part I. Encrypted Evidence Discovery & Decryption.
◦ Overview of encryption types
◦ Discovering encrypted evidence
◦ Recovering easy and strong passwords
◦ Hardware acceleration methods

• Part II. Hard Disk Decryption.
◦ Overview of hard disk encryption
◦ Acquiring memory image
◦ Decrypting hard disk
Part I. Encrypted Evidence Discovery & Decryption.

Overview of encryption types
• Stored passwords
◦ Internet browsers, etc.
• Files
◦ Passwords
• Disks
◦ Full Disk Encryption: software (BitLocker, PGP, TrueCrypt) or hardware
• No more "homegrown" encryption
• Standard and widely accepted encryption algorithms are used
• The password is hashed (e.g. with SHA-1) and the key derived from it is used for encryption (AES)
• "Key strengthening": SHA-1 is iterated 10,000 times
• Office 2010, WinZip, RAR all use SHA-1/AES

This is secure!
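As an added illustration (not code from the presentation or from Passware), the Python below derives an AES key by iterated SHA-1 in the way the slide describes and measures how the iteration count cuts the number of candidates one CPU core can test per second, which is exactly what makes the scheme "secure" against password recovery. The chaining is simplified: the real Office 2010, WinZip and RAR constructions differ in detail, and the salt, the counter mixing and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import time


def strengthen_sha1(password: str, salt: bytes, iterations: int = 10_000) -> bytes:
    """Derive a 128-bit AES key from a password by SHA-1 hashing it and then
    re-hashing the result `iterations` times ("key strengthening").
    Simplified illustration of the scheme on the slide; the real formats
    chain the hashes differently, but the cost model is the same.
    """
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(iterations):
        # Mixing the round counter in keeps the chain from collapsing into a short cycle
        digest = hashlib.sha1(i.to_bytes(4, "little") + digest).digest()
    return digest[:16]


def verify_password(candidate: str, salt: bytes, expected_key: bytes,
                    iterations: int = 10_000) -> bool:
    """Check one candidate the way a password-recovery tool must: one full
    derivation per guess, compared in constant time."""
    derived = strengthen_sha1(candidate, salt, iterations)
    return hmac.compare_digest(derived, expected_key)


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many candidates per second one CPU core can test at a
    given iteration count (constructed candidates, fixed salt)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for n in range(samples):
        strengthen_sha1(f"candidate{n}", salt, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every password in a keyspace at `rate` guesses/s."""
    return keyspace / rate


if __name__ == "__main__":
    salt = b"\x13" * 16                        # constructed salt
    key = strengthen_sha1("Summer2010", salt)  # constructed password
    print("correct password accepted:", verify_password("Summer2010", salt, key))
    print("wrong password rejected:  ", not verify_password("summer2010", salt, key))
    for iters in (1, 10_000):
        rate = guesses_per_second(iters)
        days = seconds_to_exhaust(26 ** 8, rate) / 86400
        print(f"{iters:>6} iterations: {rate:,.0f} guesses/s on one core, "
              f"{days:,.0f} days for all 8-letter lowercase passwords")
```

The ratio between the two measured rates is roughly the iteration count: every guess costs the attacker the full chain, while the legitimate user pays it once per open.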
Discovering encrypted evidence
Passware Encryption Analyzer

• Scans computers and network for password protected files
• Detects over 160 different file types
• Scan speed over 4,000 files per minute
• Detailed reports, lists encryption types and how difficult it might be to decrypt the file
Recovering easy and strong passwords
• Password (or encryption key) attacks
• Surprise seizure of the running computer

As encryption gets more secure, password attacks depend on finding the weakest link:
• The same (or similar) passwords are reused across files
• Find the least secure encryption type first

Finding the weakest link:
• Start with file types that are easy to decrypt
• Build a good dictionary
• Use the wizard if the password pattern is known
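To make two of the points above concrete (an analyzer that flags protected files by type and reports how hard each is, and ordering the work weakest link first), here is an added Python example; it is not the Encryption Analyzer and not Passware code. It recognises a few formats by their structure: the "encrypted" flag bit in ZIP headers (with WinZip's compression method 99 marking AES), the /Encrypt entry in a PDF trailer, and the EncryptionInfo stream inside the OLE container that Office 2007+ uses for password-protected documents, then sorts the hits so the cheapest target comes first. The difficulty ranking and the sample files are constructed for the example; the checks are heuristics, and older binary Office formats and the 160 types the slide mentions are not covered.

```python
import io
import os
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored as UTF-16LE, so search for that encoding
ENCRYPTION_INFO_UTF16 = "EncryptionInfo".encode("utf-16-le")


def classify(data: bytes):
    """Return (kind, encryption, difficulty) for one file's raw bytes.
    encryption is None when no password protection was detected; difficulty
    is a constructed ranking, 1 (weakest) .. 4 (strongest)."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                flagged = [i for i in zf.infolist() if i.flag_bits & 0x1]
        except zipfile.BadZipFile:
            return ("zip", "unreadable", None)
        if not flagged:
            return ("zip", None, None)
        # Method 99 marks WinZip AES; any other method with the flag set is
        # legacy ZipCrypto, which known-plaintext attacks break
        if any(i.compress_type == 99 for i in flagged):
            return ("zip", "zip-aes", 3)
        return ("zip", "zipcrypto", 1)
    if data.startswith(b"%PDF"):
        # An encrypted PDF carries /Encrypt in its trailer dictionary (heuristic)
        if b"/Encrypt" not in data:
            return ("pdf", None, None)
        if b"/AESV2" in data or b"/AESV3" in data:
            return ("pdf", "pdf-aes", 3)
        return ("pdf", "pdf-rc4", 2)
    if data.startswith(OLE_MAGIC):
        # Password-protected Office 2007+ files are OLE containers holding an
        # EncryptionInfo stream (iterated SHA-1 key derivation, AES)
        if ENCRYPTION_INFO_UTF16 in data:
            return ("office", "office-sha1-aes", 4)
        return ("office", None, None)
    return ("unknown", None, None)


def triage(samples: dict) -> list:
    """Classify each {name: bytes} entry and list the protected ones weakest
    first, which is where the 'find the weakest link' strategy starts."""
    rows = []
    for name, data in samples.items():
        kind, enc, difficulty = classify(data)
        if enc:
            rows.append((99 if difficulty is None else difficulty, name, kind, enc))
    rows.sort()
    return [(name, kind, enc) for _, name, kind, enc in rows]


def scan_directory(root: str) -> list:
    """Walk a directory tree and triage every file (whole files are read,
    since ZIP and PDF keep the relevant structures at the end)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                files[path] = f.read()
    return triage(files)


def _sample_zip(encrypted: bool, aes: bool = False) -> bytes:
    """Constructed sample: a real ZIP whose local and central headers are
    patched to set the 'encrypted' flag (bit 0) and, for AES, method 99."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off, method_off in ((b"PK\x03\x04", 6, 8), (b"PK\x01\x02", 8, 10)):
            pos = data.find(sig)
            data[pos + flag_off] |= 0x01
            if aes:
                struct.pack_into("<H", data, pos + method_off, 99)
    return bytes(data)


# Constructed sample set standing in for a scanned directory
SAMPLES = {
    "plain.zip": _sample_zip(False),
    "weak.zip": _sample_zip(True),
    "strong.zip": _sample_zip(True, aes=True),
    "plain.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF",
    "locked.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<</Root 1 0 R /Encrypt 2 0 R>>\n%%EOF",
    "report.docx": OLE_MAGIC + b"\x00" * 64 + ENCRYPTION_INFO_UTF16 + b"\x00" * 64,
}

if __name__ == "__main__":
    for name, kind, enc in triage(SAMPLES):
        print(f"{name:12} {kind:8} {enc}")
```

Run against a real tree with `scan_directory(path)`; the ordering puts ZipCrypto archives and RC4 PDFs ahead of AES archives and Office 2007+ documents, and any password recovered from an early hit is a candidate for the later ones.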
Hardware acceleration methods
• Multiple-core CPUs
• Tableau TACC Hardware Accelerator: x25
• GPU-based attacks (nVidia cards): x20
• Distributed password recovery
[Chart: password recovery speed, CPU vs. CPU+GPU, for MS Office 2007 and RAR 3; vertical axis 0 to 5000]
• Linear performance scalability
• Each computer supports CPUs, GPUs, and TACC accelerators simultaneously
• Uses all types of password recovery attacks
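An added example, not Passware's scheduler: the throughput arithmetic behind the acceleration and scalability slides, taking only the x20 (GPU) and x25 (TACC) factors from the deck, plus a keyspace partitioner that hands each device a contiguous slice proportional to its speed, which is what makes a distributed run scale linearly with the hardware added. The per-CPU base rate, the character set and the password length are assumptions; the same estimate tells a defender how long a given password policy survives the combined rate.

```python
# Speed-up factors quoted on the slides, relative to a single CPU
ACCELERATOR_FACTORS = {"cpu": 1.0, "gpu": 20.0, "tacc": 25.0}


def aggregate_rate(cpu_rate: float, devices: dict) -> float:
    """Total candidates/second for e.g. {"cpu": 2, "gpu": 1}, assuming the
    linear scaling the slides claim (cpu_rate is an assumed per-CPU figure)."""
    return sum(cpu_rate * ACCELERATOR_FACTORS[d] * n for d, n in devices.items())


def keyspace_size(charset: str, length: int) -> int:
    return len(charset) ** length


def index_to_candidate(index: int, charset: str, length: int) -> str:
    """Map a keyspace index to its password (mixed-radix, most significant
    position first), so a contiguous index range fully describes a work unit."""
    chars = []
    for _ in range(length):
        index, r = divmod(index, len(charset))
        chars.append(charset[r])
    return "".join(reversed(chars))


def partition_by_speed(total: int, rates: list) -> list:
    """Split [0, total) into contiguous, non-overlapping slices proportional
    to each worker's rate, so all workers finish at about the same time."""
    total_rate = sum(rates)
    slices, start = [], 0
    for i, rate in enumerate(rates):
        end = total if i == len(rates) - 1 else start + int(total * rate / total_rate)
        slices.append((start, end))
        start = end
    return slices


def seconds_to_exhaust(charset: str, length: int, cpu_rate: float, devices: dict) -> float:
    """Worst-case wall-clock time to try the whole keyspace on the given hardware."""
    return keyspace_size(charset, length) / aggregate_rate(cpu_rate, devices)


if __name__ == "__main__":
    cpu_rate = 1_000.0  # assumed per-CPU rate for some file format, candidates/s
    lower = "abcdefghijklmnopqrstuvwxyz"
    for devices in ({"cpu": 1}, {"cpu": 1, "gpu": 1}, {"cpu": 2, "gpu": 2, "tacc": 1}):
        days = seconds_to_exhaust(lower, 8, cpu_rate, devices) / 86400
        print(f"{devices}: {aggregate_rate(cpu_rate, devices):,.0f}/s, "
              f"{days:,.1f} days for 8 lowercase letters")
    # Work units for one CPU, one GPU and one TACC over the 8-letter keyspace
    names = ("cpu", "gpu", "tacc")
    rates = [cpu_rate * ACCELERATOR_FACTORS[d] for d in names]
    for (start, end), device in zip(partition_by_speed(keyspace_size(lower, 8), rates), names):
        print(f"{device}: {index_to_candidate(start, lower, 8)} .. "
              f"{index_to_candidate(end - 1, lower, 8)}")
```

Because each slice is self-describing (start index, end index), adding a machine only means re-running the partition with one more rate; no worker needs the whole candidate list.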
• Know the enemy: find out what is encrypted and how
• Find the weakest link first; it will help to defeat stronger encryption
• Use the most effective tool, both software and hardware
Questions?

Nataly Koukoushkina
• +1 (650) 472-3716 x 101
• nataly@passware.com
• www.lostpassword.com/kit-forensic.htm
Part II. Hard Disk Decryption.

Overview of hard disk encryption
• BitLocker Drive Encryption is a full disk encryption feature included with Windows 7/Vista Ultimate and Enterprise, and Server 2008. Provides encryption for entire volumes. Also encrypts removable drives (BitLocker To Go).

• TrueCrypt is a free software application used for real-time encryption. Creates a virtual encrypted disk within a file or an encrypted volume on either an individual partition or an entire storage device.
• Encryption keys are located in computer memory while the volume is mounted, even if the computer is locked

• Passware Kit Forensic:
◦ acquires the memory image of the seized "hot" computer;
◦ analyzes the memory image and extracts the encryption keys;
◦ decrypts the TrueCrypt volume
• Preserve the state: do not turn off the computer
• BitLocker and TrueCrypt keep the encryption keys in memory
Acquiring memory image
• Passware Kit Forensic creates a bootable USB flash drive with a portable memory imaging tool (FireWire Memory Imager), which can be used on any computer with a FireWire port
• Passware FireWire Memory Imager acquires a memory image of the target computer over the FireWire port
Decrypting hard disk
• Extract encryption keys from the memory
• Decrypt the disk with the keys
• Original password recovery:
◦ Dictionary attack
◦ Xieve attack
◦ Brute-force attack
◦ Previous Passwords attack
◦ Any combination of the attacks above
• Don't power off the target computer
• HD encryption keys are stored in RAM
• If the computer is shut down, use brute-force password recovery attacks
• Know the enemy: find out what is encrypted and how
• Find the weakest link first; it will help to defeat stronger encryption
• Use the most effective tool, both software and hardware
• Don't power off the target computer
• HD encryption keys are stored in RAM
• If the computer is shut down, use brute-force password recovery attacks