Need help with school lab

13 Posts
5 Users
0 Likes
1,016 Views
(@scoperoc)
Posts: 6
Active Member
Topic starter
 

I need help with a forensics lab I am doing, I am not asking for the answer, just a little guidance. If you don't want to help I understand. I have a disk image that I am working with for this lab. I am just going to start with a small part of the lab that I am most confused with, FYI I have access to WinHex, FTK, and EnCase.

Encryption. Several of the Microsoft Office files have been encrypted using a file open password and AES-256 encryption. Two of the passwords that you need are hidden in pieces in the image along with a simple algorithm for reconstructing the passwords. The third password that you need is not found in the image.

The file in question is a PowerPoint file that is password protected, I have PRTK but apparently I am supposed to find the password in a different manner and PRTK would take too long anyway (so the lab info says). I have no clue what exactly I am looking for to find the password.

 
Posted : 04/07/2015 4:16 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Well as this is an educational type scenario, they often hide passwords in various places around the image file, so sometimes something as simple as a search for password might help.
Failing that, try looking for passwords that are saved on the system, for example in Internet browsers. It may be that the same passwords are used for the document you have.
One other suggestion is that you could still attempt to use PRTK but run it from an index file of all the words in the image file. I'm fairly sure you can do this using EnCase, a quick Google should provide enough information, though I'm sure someone on here will have done this process before.

 
Posted : 04/07/2015 11:17 am
(@athulin)
Posts: 1156
Noble Member
 

Well as this is an educational type scenario, they often hide passwords in various places around the image file, so sometimes something as simple as a search for password might help.

In some situations, a lab comes with a back-story: a scenario, with people and computers, in some particular place, at some particular time, sometimes even with email records or photos of the papers found in the wastepaper basket of the suspected person. That story may be a useful source for passwords.

In a presumed corporate setting, the names of the people involved, the projects affected, the company or department name may be part of a password. Or even the host name or names of computers related to the case.

In private settings, names of people, pets, artists, films, places and taken from books etc. may be used as part of a password.

Be systematical and keep records – or you'll find yourself doing the same thing over and over just because you forgot exactly what or how much you did the previous time.

 
Posted : 04/07/2015 1:34 pm
(@scoperoc)
Posts: 6
Active Member
Topic starter
 

Thanks for the replies, I appreciate it. There really is no back story, the image is of a USB drive, there are 2 files that are password protected and I solved one really easy but the other (PowerPoint) is the one that supposedly has "Two of the passwords that you need are hidden in pieces in the image along with a simple algorithm for reconstructing the passwords. The third password that you need is not found in the image." I really don't know what I should be looking for as far as an algorithm though or even how to find it, unfortunately some of the directions are a little unclear and I don't remember reading anything about that. I did look at the file in the Hex portion of FTK but nothing jumped out at me.

Here is the only thing that I think means something but I am not quite sure what I am looking at

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption" xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password"><keyData saltSize="16" blockSize="16" keyBits="128" hashSize="20" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA1" saltValue="6uB4hpFgMDWQZ007+1Ik5g=="/><dataIntegrity encryptedHmacKey="3IVGyHITQJ59pAmNEw/iBOOOl

And this

"ÝÍGQx9OyrbjWyVj14G47s=" encryptedHmacValue="p1NqaCZxitjFdIe5vEU1NnVibuHeTxrg4mML2ZhHZ8A="/><keyEncryptors><keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"><p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="128" hashSize="20" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA1" saltValue="5PUxH9ye1/Qm0EqyMvJn4g==" encryptedVerifierHashInput="VR/A7DBdyAYEK/dP2F873A==" encryptedVerifierHashValue="ZLR9RITDVbWODMp+GVEaoPlY/ypEdPP4nBbYH/RkL+Y=" encryptedKeyValue="MPYsywZ6JP+8lDZGd433MA=="/></keyEncryptor></keyEncryptors></encryption>

 
Posted : 05/07/2015 12:36 am
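For readers wondering what the fragment quoted in the post above contains: it is the XML descriptor that records how an Office document's encryption was set up (cipher, key size in `keyBits`, hash, and the `spinCount` iteration count), not the password. The following is an added example, not part of the thread and not any tool's own code; it reads those parameters from a carved fragment and flags values whose decoded length disagrees with the declared sizes. The sample string and the function names are constructed for illustration.

```python
import base64
import re

def b64_zeros(n):
    """Constructed placeholder value: n zero bytes, base64-encoded."""
    return base64.b64encode(bytes(n)).decode()

# Constructed sample, not the poster's data: same attribute layout, placeholder
# values, with dataIntegrity cut off mid-attribute as in a carved fragment.
SAMPLE = (
    '<keyData saltSize="16" blockSize="16" keyBits="128" hashSize="20" '
    'cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA1" '
    f'saltValue="{b64_zeros(16)}"/><dataIntegrity encryptedHmacKey="AAAA'
    '<keyEncryptors><keyEncryptor uri="..."><p:encryptedKey spinCount="100000" '
    'saltSize="16" blockSize="16" keyBits="128" hashSize="20" cipherAlgorithm="AES" '
    'cipherChaining="ChainingModeCBC" hashAlgorithm="SHA1" '
    f'saltValue="{b64_zeros(16)}" encryptedVerifierHashInput="{b64_zeros(16)}" '
    f'encryptedVerifierHashValue="{b64_zeros(32)}" encryptedKeyValue="{b64_zeros(16)}"/>'
)

def element_attrs(text, name):
    """Attributes of the first complete <name ...> tag (any prefix), else None."""
    m = re.search(r'<(?:\w+:)?' + name + r'\b([^<>]*)>', text)
    return dict(re.findall(r'([\w:]+)="([^"]*)"', m.group(1))) if m else None

def padded(n, block):
    """Length of n bytes after padding up to a whole number of cipher blocks."""
    return -(-n // block) * block

def summarize(fragment):
    """Report the password key encryptor's parameters and any inconsistencies."""
    key = element_attrs(fragment, 'encryptedKey')
    if key is None:
        return {'issues': ['no complete encryptedKey element']}
    block, issues = int(key['blockSize']), []
    expected = {'saltValue': int(key['saltSize']),
                'encryptedKeyValue': padded(int(key['keyBits']) // 8, block),
                'encryptedVerifierHashValue': padded(int(key['hashSize']), block)}
    for attr, size in expected.items():
        if len(base64.b64decode(key.get(attr, ''))) != size:
            issues.append(f'{attr}: expected {size} bytes')
    for name in ('keyData', 'dataIntegrity'):
        if element_attrs(fragment, name) is None:
            issues.append(f'{name} element missing or cut off')
    return {'cipher': key['cipherAlgorithm'], 'key_bits': int(key['keyBits']),
            'hash': key['hashAlgorithm'], 'spin_count': int(key['spinCount']),
            'issues': issues}
```

Calling `summarize(SAMPLE)` returns the cipher, key size, hash and spin count, plus a note that the `dataIntegrity` element is cut off.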
(@bithead)
Posts: 1206
Noble Member
 

Have you created a word list in PRTK and tried that?

 
Posted : 05/07/2015 4:49 am
(@scoperoc)
Posts: 6
Active Member
Topic starter
 

No, I am new to all of this, what will that do for me?

 
Posted : 05/07/2015 4:51 am
(@bithead)
Posts: 1206
Noble Member
 

It may be an avenue to attack the password. Password cracking is as much art as science.

http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/

 
Posted : 07/07/2015 7:24 am
(@scoperoc)
Posts: 6
Active Member
Topic starter
 

Thanks, that is good info for the future but that is not quite how I need to do this.

 
Posted : 07/07/2015 7:26 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Thanks, that is good info for the future but that is not quite how I need to do this.

Maybe, or maybe not.

The sheer moment you believe that you know "how" it should be done you are excluding other possible ways to solve a problem.

On this specific case, it is well possible that you are absolutely right :), but as a "general rule" you shouldn't assume that one given approach (and not another) is the "right" one.

jaclaz

 
Posted : 07/07/2015 3:23 pm
(@scoperoc)
Posts: 6
Active Member
Topic starter
 

The instructions say how it is supposed to be done, that is how I know or else I would try everything else, just trying to do it the way they want it done. It's kind of like math problems in school, sure there are multiple ways to do it but you have to do it a certain way to get full credit and show your work.

 
Posted : 07/07/2015 7:54 pm
Page 1 / 2