A password recovery program available from AccessData

Building a Secure Organization

John R. Mallery, in Computer and Information Security Handbook (Third Edition), 2013

Use Robust Passwords

With the increased processing power of our computers and password-cracking software such as the Passware products [47] and AccessData's Password Recovery Toolkit [48], cracking passwords is fairly simple and straightforward. For this reason it is extremely important to create robust passwords. Complex passwords are hard for users to remember, though, so it is a challenge to create passwords that can be remembered without writing them down. One solution is to use the first letter of each word in a phrase, such as “I like to eat imported cheese from Holland.” This becomes IlteicfH, which is an eight-character password using upper- and lowercase letters. This can be made even more complex by substituting an exclamation point for the letter I and substituting the number 3 for the letter “e,” so that the password becomes !lt3icfH. This is a fairly robust password that can be remembered easily.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000028

Anti-forensics

John Sammons, in The Basics of Digital Forensics (Second Edition), 2015

Defragmentation as anti-forensic technique

Defragmentation, or defragging as it’s commonly called, is often done to improve computer performance. Defragging is the process of moving clusters as close together as possible to speed up the system. This procedure involves moving data from one location on the drive to another. Data can be overwritten in the process. These overwritten (destroyed) data may have had some evidentiary value.

The defragmentation process can occur in three ways—it can be user-scheduled, manually initiated by the user, or done automatically by the operating system (Casey, 2009).

There are a few different ways you can attempt to determine whether a drive has been recently defragmented. One way is to boot the drive image in Windows and look at the amount of file fragmentation. Drives in regular use normally show a significant amount of file fragmentation. Drives that show otherwise, without a plausible explanation, would be suspect.

Q & A with Nephi Allred, Cryptanalyst with AccessData, the Maker of Password Recovery Toolkit (PRTK)

By now it should be clear that encryption is a major concern to the digital forensics community. That means we must be prepared to deal with encrypted data. Decryption tools are one weapon we can bring to the fight. One of the premier decryption tools on the market is Password Recovery Toolkit (PRTK) from AccessData. PRTK is widely used worldwide by law enforcement, intelligence agencies, and private corporations such as large financial institutions. U.S. users include the FBI, CIA, and Secret Service, just to name a few. In this Q&A, we get a closer look inside PRTK and the encryption it aims to break.

[Q]

About how many passwords per second does PRTK guess on a “standard” machine?

[A]

We get this question a lot. It’s impossible to answer as it stands, because the question itself has an implicit assumption, which is wrong. Namely: All password schemes are not the same. It’s a bit like asking how fast animals can go. Which animal? Every program or application or other system that uses passwords does it differently. The way they do it makes all the difference in the world in how much computation is required to test a password.

For example, a “typical” machine might guess 2 million passwords per second trying to crack an Office 97 file, while the same machine might only guess 500 passwords per second in cracking an Office 2010 file.

And, of course, the answer also depends on what you mean by a “typical” machine (and that changes as time goes on, too).

[Q]

PRTK guesses passwords in a certain order to improve the speed and efficiency. Can you talk a little about how that works and why it’s important?

[A]

Not all passwords are created equal. In the space of all possible passwords, some are more likely to be used by humans than others. (For example, “Br1tn3y” is much more likely to be used than “H(i3}-aV.K = TyG7”). So, if you are trying to guess passwords, you will be faster and more successful on average if you guess the more probable passwords first.

Of course, which passwords are more probable is not always easy to determine, and certainly varies from person to person. PRTK defines a default ordering of passwords that we have tried to make as effective as possible, given what is known about how people tend to choose passwords. But an investigator often has specific knowledge about a suspect and can use that to make a password ordering more tailored to that individual. This is why PRTK gives its users a great deal of password space customization. For example, rather than going with the default, you can specify that a job first try all the passwords in a (possibly customized) dictionary, then all of those words in reverse order, then all of those words with “123,” “4eva,” or “asdf” appended. And lots more.

[Q]

I know that PRTK also relies on identified patterns of passwords (roots and appendages). What are those based on and how does that work?

[A]

Based on various password lists that we’ve obtained over the years (some from clients of ours, others freely available), we’ve tried to make password “rules” that generate passwords that people actually use in real life. At this point, this is still more an art than a science. That is, there is no deep statistical analysis going on (yet)—mostly we eyeball the lists and look for patterns. For example, a lot of passwords seem to end with 1. So one of our password rules is “Dictionary followed by common suffixes” and 1 is one of those common suffixes.

[Q]

Do you know just how effective PRTK is in breaking passwords?

[A]

Again, this varies widely over the kinds of files and suspects. I don’t have any numbers for you, unfortunately. You should probably talk to people who use PRTK (or DNA) on real cases.

It’s worth noting that not all attacks PRTK does are password-guessing attacks. Some crypto systems have flaws that allow their passwords to be recovered instantly, with no “guessing” involved. For example, PRTK can instantly recover the master password on the Whisper32 password manager. This was not uncommon in applications a decade ago, but these days, it’s becoming much more rare as software developers become more crypto-savvy.

[Q]

Is there anything that slows down the decryption process? Can you talk about that and why that is?

[A]

Yes, there is. These days, most developers of password-using applications are aware of tools like PRTK, and they will use measures to slow down password-guessing attacks. As I explained in #1, the speed at which we can guess passwords all depends on how the application uses the password.

An application could deliberately choose a very slow password-to-key methodology. It might hash the password 10,000 times, for example, instead of just once, while transforming the password into a key. (This is a simplification, but you get the idea). This forces the password-guessing tool to also hash the password 10,000 times per password guessed, which leads to many fewer passwords per second.

[Q]

How is encryption changing? What do you see is the “next big thing” in cryptography? What challenges do you see ahead?

[A]

Cryptography is a big subject, and I’m hardly an expert in any of the cutting edges of new research. But in the arena of password-based encryption, things are changing.

It’s not exactly a new insight, but people are becoming more and more aware that passwords as a security device are often inadequate. What we’ll use instead of them (or, more likely, in addition to them) is not yet entirely clear, but encryption providers are trying new things.

For example, several applications, like TrueCrypt, allow users to enhance their password with “key files.” A key file can be any file, and it is used to scramble a password before use. This means that to run a successful password-guessing attack, PRTK needs to have any and all key files used. It may not be easy for the investigator to figure out what key files were used, if any.
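The two levers in Allred's answers, the rule-based guess ordering (dictionary, reversed words, common suffixes) and the deliberately slow password-to-key step with an optional key file, as an added example that is neither the chapter's nor AccessData's code. The mini-dictionary, suffix list, salt and the way the key file is mixed in are assumptions; the iteration measurement shows, from the defender's side, why a policy check and a slow KDF are complementary.

```python
"""Defender's view of the two levers in the Q&A: guess ordering and guess cost."""
import hashlib
import time
from typing import Iterator, Optional, Sequence

# Rules modelled on the PRTK ordering described above: dictionary words,
# then each word reversed, then common suffixes ("1" is the one the Q&A
# names; the others are the ones listed for customised jobs).
COMMON_SUFFIXES = ("1", "123", "4eva", "asdf")


def candidate_order(dictionary: Sequence[str]) -> Iterator[str]:
    """Yield guesses in the order a rule-based cracker would try them."""
    yield from dictionary                                # rule 1: plain words
    yield from (word[::-1] for word in dictionary)       # rule 2: reversed
    for suffix in COMMON_SUFFIXES:                       # rule 3: appendages
        yield from (word + suffix for word in dictionary)


def guess_rank(password: str, dictionary: Sequence[str]) -> Optional[int]:
    """1-based position at which the ordering reaches `password`, or None.

    A password policy can reject anything that has a rank at all: a tool
    following the same rules would reach it within its first few guesses.
    """
    for rank, guess in enumerate(candidate_order(dictionary), start=1):
        if guess == password:
            return rank
    return None


def derive_key(password: str, salt: bytes, iterations: int,
               keyfile: Optional[bytes] = None) -> bytes:
    """Password-to-key step with a deliberately slow iteration count.

    An optional key file is folded in by hashing it and appending the digest
    to the password before derivation. This is an illustrative simplification
    (assumption), not TrueCrypt's real key-file algorithm.
    """
    material = password.encode()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 20) -> float:
    """Average wall-clock cost of one derivation at `iterations` (constructed salt)."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def slowdown_factor(fast: int = 1, slow: int = 10_000) -> float:
    """How many times fewer guesses per second the slow setting permits."""
    return seconds_per_guess(slow) / seconds_per_guess(fast)


if __name__ == "__main__":
    words = ["britney", "password", "holland"]        # constructed mini-dictionary
    print(guess_rank("yentirb", words))                # 4: reversed-word rule
    print(guess_rank("britney4eva", words))            # 13: suffix rule
    print(guess_rank("!lt3icfH", words))               # None: not reachable by these rules
    print(f"10,000 iterations cost about {slowdown_factor():.0f}x more per guess")
```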


URL: https://www.sciencedirect.com/science/article/pii/B9780128016350000061

Forensics Team Requirements Members

Leighton R. Johnson III, in Computer Incident Response and Forensics Team Management, 2014

AccessData Certified Examiner

This is a certification offered industry-wide through AccessData, the developers of forensic software products, including Forensic Toolkit (FTK), to those qualified applicants completing the certification process. To learn more about the AccessData Certified Examiner (ACE) and AccessData, visit their web site at www.accessdata.com.

The ACE certification from AccessData Group, LLC validates an exam candidate’s proficiency with using AccessData’s FTK, Password Recovery Toolkit (PRTK), FTK Imager, and Registry Viewer products. FTK is one of the more recognized tools in computer forensics. AccessData recommends that anyone needing to demonstrate proficiency with FTK acquires the ACE certification.

The ACE exam is a 90-min, multiple choice exam that is free to take either online or at the conclusion of an AccessData training class. The exam contains both written and practical assignments based on a case that is created and processed from an image file provided to the exam candidate. ACE Credential Maintenance requires that a renewal exam be taken every 1 or 2 years.

There are free preparation videos and an exam study guide available on the AccessData web site. AccessData recommends that the certification be taken in conjunction with their AccessData Boot Camp and Windows Forensics courses, but it is not required. You can find out more about the ACE certification process at the AccessData web site.


URL: https://www.sciencedirect.com/science/article/pii/B978159749996500011X

Forensic Analysis

Eoghan Casey, Curtis W. Rose, in Handbook of Digital Forensics and Investigation, 2010

Encryption and Steganography

Encryption can present a significant challenge for digital forensic practitioners, particularly full disk encryption (Casey & Stellatos, 2008). Even when full disk encryption is not used or can be circumvented, additional effort is required to salvage data from password protected or encrypted files (Casey, 2002). When dealing with individually protected files, it is sometimes possible to use a hexadecimal editor like WinHex to simply remove the password within a file. There are also specialized tools that can bypass or recover passwords of various files. Currently, the most powerful and versatile tools for salvaging password protected and encrypted data are PRTK and DNA from AccessData. The Password Recovery Toolkit can recover passwords from many file types and is useful for dealing with encrypted data. Also, it is possible for a DNA network to try every key in less time by combining the power of several computers. Distributed Network Attack (DNA) can brute-force 40-bit encryption of certain file types including Adobe Acrobat and Microsoft Word and Excel. Using a cluster of approximately 100 off-the-shelf desktop computers and the necessary software, it is possible to try every possible 40-bit key in five days. Rainbow tables can be used to accelerate the password guessing process. Some vendors also have hardware decryption platforms based on implementation of field programmable gate arrays that can increase the speed of brute force attacks.

When strong encryption such as BestCrypt, PGP, or the Windows Encrypting File System is used, a brute-force approach to guessing the encryption key is generally infeasible. In such cases, it may be possible to locate unencrypted versions of data in unallocated space, swap files, and other areas of the system. For instance, printer spool files on Windows and UNIX systems can contain data from files that have been deleted or encrypted. Alternatively, it may be possible to obtain an alternate decryption key. For instance, some encryption programs advise users to create a recovery disk in case they forget their password. When EFS is used, Windows automatically assigns an encryption recovery agent that can decrypt messages when the original encryption key is unavailable (Microsoft, 1999). In Windows 2000, the built-in administrator account is the default recovery agent (an organization can override the default by assigning a domain-wide recovery agent, provided the system is part of the organization's Windows 2000 domain).

Notably, prior to Windows XP, EFS private keys were weakly protected and it was possible to gain access to encrypted data by replacing the associated NT logon password with a known value using a tool like ntpasswd and logging into a bootable/virtualized clone of the system with the new password.

When investigating a child exploitation case, it is advisable to be on the lookout for other forms of data concealment such as steganography. Forensic analysts can make educated guesses to identify files containing hidden data—the presence of steganography software and uncharacteristically large files should motivate examiners to treat these as special files that require additional processing. In such cases, it may be possible to salvage the hidden data by opening the files using the steganography software and providing a password that was obtained during the investigation. More sophisticated techniques are available for detecting hidden data. Even if encryption or steganography cannot be bypassed, documenting which files are concealing data can help an investigator, attorney, or trier-of-fact determine the intent of the defendant.


URL: https://www.sciencedirect.com/science/article/pii/B9780123742674000021

Microsoft SkyDrive Cloud Storage Forensic Analysis

Darren Quick, ... Kim-Kwang Raymond Choo, in Cloud Storage Forensics, 2014

Presentation

Analysis findings

In our case study, a variety of data remnants were located when a user used SkyDrive to store or access data. The focus (or scope) was to determine what data remnants were left that would identify whether SkyDrive had been used on a Windows 7 PC. Searching for the term “skydrive” alone proved inconclusive as evidence of use, because the term was present even when SkyDrive had not been accessed, as outlined in the analysis of the control Base-VMs. The SkyDrive username could be discerned from a variety of locations, such as cookie files, memory captures (searching for “&login=”), pagefile.sys, SQLite database files, and IEF output.

Surprisingly, the password for the SkyDrive account could be located unencrypted in the memory captures from the Upload-VMs. Passwords are commonly reused in a variety of locations, and when conducting analysis to determine a password to view encrypted files, one practice is to build an index of data to use with password analysis tools such as AccessData Password Recovery Toolkit, Passware, or Elcomsoft password analysis tools. With the actual password in cleartext, this would vastly speed up the process of password discovery. Hence, memory capture and analysis should be a key consideration when determining the possible sources of data in step 3 of the framework (evidence source identification and preservation—see Figure 2.1) for indexing purposes. However, if the password is not located in memory or if memory capture is not possible, it is still possible to access a SkyDrive account using the forensic image of a hard drive where the SkyDrive client software has been used to access an account. This can be achieved by running the hard drive forensic image as a VM. When the VM starts up, it will automatically synchronize with the SkyDrive cloud service and update files in the local SkyDrive folder. Appropriate legal authority would be required to ensure that the account and information can be accessed and used for analysis.

It is possible to determine the method of access: whether the client software was used, whether a browser was used to upload, access, or download, or a combination of both. When the client software was downloaded, a SkyDriveSetup.exe file was downloaded to the local hard drive. Hash values for the client software can be calculated and searched across forensic image files, memory, and network captures. In addition, registry entries may indicate the use of the setup software or the client software, as will link files. Prefetch files were observed for the client software and also include the number of times run and associated dates and times. The file “CollectLogFiles.bat” appears to have a consistent hash value across SkyDrive client software releases, and the hash value for this file can be used to conduct searches. Also, searching for the term “enabledogfood” may determine whether the client software has been installed on a PC. A folder was observed with the client software version as the folder name in the AppData\local\ folder.

When a browser was used to access SkyDrive, there were many references in the output from IEF, but when access was undertaken with no downloading there were no references to the filenames in the IEF output. When bulk files were downloaded using the web account from the root folder, an uncompressed ZIP file was observed with the name “skydrive” and the date.

Filenames, dates, and times were observed in the “SyncDiagnostics.log” file and the “.dat” file with the OwnerID as the filename. Filenames were also observed in the Registry “RecentDocs” keys, $MFT entries, and Prefetch files such as DLLHost.pf, Wordpad.pf, and Notepad.pf. Link files and the IEF output also listed the filenames. The contents of the files were also recovered from temporary Internet files, thumbcache, memory captures, pagefile.sys, system volume restore points, and unallocated space. Eraser and CCleaner were not effective in removing all data remnants, and information was able to be determined from these VMs relating to the SkyDrive accounts, filenames, dates and times, and file contents (Table 3.14).

Table 3.14. Summary of Analysis Findings

Each entry below gives the data sought and the artifacts found, grouped by VM.

Control (Base-VM)
  Username, Password, Software, URL, Enron sample filenames or files: Nil
  KWS terms: Nil, apart from matches to “skydrive” relating to icon files (Internet Explorer Base-VM)

Client Software (Upload-VM)
  Username: Cookie files “[email protected]”, $MFT, and $LogFile. Memory capture files “&login=”
  OwnerID: OwnerID found in SkyDrive software installation .dat and .ini files
  Password: Located in RAM—search for &login= and &passwd=
  Software: SkyDriveSetup.exe file located when downloaded. SkyDrive software installation under User\AppData\Local\Microsoft. SyncDiagnostics.log file includes OwnerID and file information, dates and times
  URL: When software downloaded, URLs included https://skydrive.live.com and http://www.skydrive.com
  Enron sample filenames: Multiple locations, including Prefetch, Link files, $MFT, Registry. Filenames in Network PCAP files.
  Enron sample files: Located in Sync folder under User\SkyDrive.
  KWS terms: “EnableDogFood” found in SkyDrive client software files

Browser Access (Access-VM)
  Username: FF and GC History; “formhistory.sqlite” and “Web Data.” Memory capture files “&login=”
  OwnerID: Observed in URL https://skydrive.live.com/?cid=XXXXXXXXXXXXXXXX# (FF and GC) + RAM
  Password: Nil
  Software: Nil
  URL: Multiple locations; cookie, history, icons, pagefile.sys, and unallocated
  Enron sample filenames: Sufficient to identify files accessed, with references to the filenames in Registry and Browsing History
  Enron sample files: Full text in RAM and System Volume Information
  KWS terms: Multiple matches to KWS terms

Browser Download (Download-VM)
  Username: FF and GC History; “formhistory.sqlite” and “Web Data.” Memory capture files “&login=”
  OwnerID: Observed in URL https://skydrive.live.com/?cid=XXXXXXXXXXXXXXXX# (FF and GC) + RAM
  Password: Nil
  Software: Nil
  URL: Multiple locations; cookie, history, icons, pagefile.sys, and unallocated
  Enron sample filenames: Sufficient to identify files accessed, with references in $MFT, Link, Registry, and Prefetch files
  Enron sample files: Via uncompressed zip; “skydrive-YYYY-MM-DD.zip” or folder name “Documents.zip”
  KWS terms: Full text in RAM and System Volume Information

Eraser (Eraser-VM)
  Username: FF and GC History; “formhistory.sqlite” and “Web Data.” Memory capture files “&login=”
  OwnerID: Observed in URL https://skydrive.live.com/?cid=XXXXXXXXXXXXXXXX# (FF and GC) + RAM
  Password: Nil
  Software: Nil
  URL: Multiple locations; cookie, history, icons, pagefile.sys, and unallocated
  Enron sample filenames: Sufficient to identify files accessed, with references to the filenames in $MFT, Link, and Prefetch files
  Enron sample files: Full text in RAM and System Volume Information
  KWS terms: Multiple matches to KWS terms

CCleaner (CCleaner-VM)
  Username: FF and GC History; “formhistory.sqlite” and “Web Data.” Memory capture files “&login=”
  OwnerID: Observed in URL https://skydrive.live.com/?cid=XXXXXXXXXXXXXXXX# (FF and GC) + RAM
  Password: Nil
  Software: Nil
  URL: Multiple locations; cookie, history, icons, pagefile.sys, and unallocated
  Enron sample filenames: Sufficient to identify files accessed, with references to the filenames in $MFT, Link, and Prefetch files
  Enron sample files: Full text in RAM and System Volume Information
  KWS terms: Multiple matches to KWS terms

DBAN (DBAN-VM)
  Username, Password, Software, URL, Enron sample filenames, Enron sample files, KWS terms: All data erased, no information located
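The keyword and hash searches that produced the findings above (KWS terms, the “&login=” marker in memory captures, and the constant hash of CollectLogFiles.bat), as an added triage example that is not the chapter's code. The sample image bytes and the stand-in batch file are constructed; the reference hash is a placeholder because the chapter does not print the real value. It goes one step beyond the text by also scanning the two UTF-16LE alignments that Windows in-memory strings can occupy, which an ASCII-only search misses.

```python
"""Keyword and hash triage of a captured image for SkyDrive remnants."""
import hashlib
import re
from urllib.parse import unquote

# Keyword search (KWS) terms from the case study.
KWS_TERMS = ("skydrive", "enabledogfood", "&login=")

# Three views of the raw bytes: an 8-bit view for ASCII strings (logs, HTTP
# bodies) and two UTF-16LE views, because Windows keeps many strings in RAM
# as UTF-16 and such a string may begin at an odd byte offset.
VIEWS = (("latin-1", 0), ("utf-16-le", 0), ("utf-16-le", 1))
LOGIN_RE = re.compile(r"&login=([^&\s\x00]+)", re.IGNORECASE)


def _views(image: bytes):
    """Yield (encoding, byte shift, bytes per char, decoded text) per view."""
    for enc, shift in VIEWS:
        width = 2 if enc.startswith("utf-16") else 1
        yield enc, shift, width, image[shift:].decode(enc, errors="replace")


def find_terms(image: bytes, terms=KWS_TERMS) -> dict:
    """Map each term to its (byte offset, encoding) hits, case-insensitively."""
    hits = {term: [] for term in terms}
    for enc, shift, width, text in _views(image):
        for term in hits:
            for m in re.finditer(re.escape(term), text, re.IGNORECASE):
                hits[term].append((shift + m.start() * width, enc))
    return hits


def login_names(image: bytes) -> set:
    """Account names following '&login=' in any view, URL-decoded (%40 -> @)."""
    names = set()
    for _enc, _shift, _width, text in _views(image):
        names.update(unquote(v) for v in LOGIN_RE.findall(text))
    return names


def match_known_files(files: dict, known_hashes: set) -> list:
    """Names of files whose SHA-256 is in a reference set, as the study did
    with the release-independent hash of CollectLogFiles.bat."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() in known_hashes)


# Constructed sample image, not real capture data: an ASCII login request,
# then a UTF-16LE string at an even offset and another at an odd offset.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"POST /login HTTP/1.1 &login=alice%40example.com&lang=en"
    + b"\x00" * 9
    + "SkyDrive".encode("utf-16-le") + b"\x00\x00"
    + b"\x07"                                  # stray byte breaks alignment
    + "EnableDogFood".encode("utf-16-le") + b"\x00\x00"
)
# Constructed stand-in for CollectLogFiles.bat; its hash is a placeholder
# because the chapter does not print the real reference value.
CONSTRUCTED_BAT = b"@echo off\r\nrem stand-in for CollectLogFiles.bat\r\n"
KNOWN_HASHES = {hashlib.sha256(CONSTRUCTED_BAT).hexdigest()}

if __name__ == "__main__":
    print(find_terms(SAMPLE_IMAGE))
    print(login_names(SAMPLE_IMAGE))
    print(match_known_files({"CollectLogFiles.bat": CONSTRUCTED_BAT}, KNOWN_HASHES))
```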


URL: https://www.sciencedirect.com/science/article/pii/B978012419970500003X

What is AccessData used for?

With our digital forensics expertise, AccessData gives you the tools to help you analyze computers, mobile devices and network communications. When you know more, you can do more.

What is AccessData Forensic Toolkit?

Forensic Toolkit (FTK): AccessData solutions enable mobile data analysis alongside computer data, helping law enforcement complete investigations faster.

Which hashing algorithm is provided by WinHex?

WinHex can calculate several kinds of hash values of any file, disk, partition, or any part of a disk, even 256-bit digests, for the most suspicious ones. In particular, the MD5 message digest algorithm (128-bit) is incorporated, which produces commonly used unique numeric identifiers (hash values).

What is data recovery in cyber forensic?

Forensic data recovery is the extraction of data from damaged, corrupted, or lost evidence sources, such as damaged or formatted hard drives and removable media. The data are recovered in a manner that will make the resulting evidence admissible in a court of law.