Encrypted PDF

What PDF version? This depends entirely on what kind of password is used.

John the Ripper, with jumbo patch 5, supports at least some. Of course, it's a question of time, compute power, dictionaries, etc, as usual. I'd use this one, mainly because the flexibility I have to structures the attack.

There are other, of course, Elcomsoft has its Advanced PDF Password Recovery product, which is somewhat faster, but less flexible.

Passware (http//www.lostpassword.com/) has always worked for me in the past. I haven't had a need to use it for quite a while but have recetly run across the need once again so the newest version is on order. I will let you know how it works once we get it.

It is is pretty inexpensive considering how powerful it is.

Great, thanks for the info, I'll try that.

OSforensics also does it.
Free edition is single threaded. Paid edition is multithreaded & thus faster.
Can also take make an index of all words on the hard drive (from other non encrypted documents) then use that index in a brute force attack on the encrypted files.

I am currently working a case where there are 3 encrypted PDF files that was captured by FTK. I was going to use PRTK but PRTK does not do PDF files. Does anyone have a good program or way to decrypt PDF files?

Why do you think PRTK does not do PDF? I checked and mine does - through Acrobat v9.1

I would recommend some tuning on PRTK and using an exported wordlist as others mentioned.

/M

What version of PRTK are you using. I have 6.5.1 and when I tried loading them into PRTK, the program advised they were unrecognized files. I checked the file list of files (under Help)and Adobe was not on the list, which led me to my conclusion?? Maybe I'm wrong.
Although, I looked through my mound of disk and noticed I received a copy of Passware Kit in one class I took with a license for…….PDF code breaking…….what are the chances. I loaded the files into Passware Kit and within 5 minutes broke the code.

I have 6.5.2

You checked Help > Recovery Modules and did not see it? This opens an HTML file in your browser. Do an CTRL-F and search for Adobe. You should find it above PFX and below PCEncrypt.

Did passware recover the password, or just decrypt w/o password? If password, how many characters and was it a dictionary word?

The last part is just because I am curious due to the 5 minutes/

Thanks

They show as encrypted pdf files. What I did was exported then and tried to dbl click, which brought the prompt asking for a password. That's when I tried with PRTK and received the response I explained. I also checked as you described and no Adobe was found. I will check with accessdata site and d/l the newer version. Maybe they added PDF for the mix with 6.5.2???