how long to wait for password-protected files?  

yunus
(@yunus)
Active Member

Hello,

While examining a digital device, e.g. a hard drive in a criminal case, you come across password-protected files such as doc, xls or rar files, and you have no idea about the password. So you start password cracking and brute-forcing; however, your examination finishes in, say, a week, while the password cracking still continues and will have to continue for an unknown period of time. You will have to just wait, and you will never know whether it will ever be completed in a reasonable amount of time; it will probably take months or years depending on the complexity of the password.

So, you can't finalize your report, as you are still waiting for the password cracking without knowing when it will finish, or whether it ever will. However, you can't keep the completed examination in the lab for months just because you have a password-protected file that may never be cracked.

However, how much time should you wait? How much time would be reasonable to wait for the password cracking to complete?

The law says a forensic examination in general should be delivered within 1 month, which can be extended up to 3 months if extra time is needed, and extended for another 3 months if still more time is needed.

But in password cracking, nobody can give a fixed time period and no one can say "OK, we will crack this in 6 months' time", so you can't ask the prosecutor for a fixed time extension.

And if you keep the case for months just because of password cracking, new cases will pile up.

So my question is: if you have such an examination, which is completed except for waiting on password-protected files, how long should you wait and keep the case open for those files at most? 1 month, 3 months, 9 months, ...?

What do you think?

Posted : 01/08/2016 3:35 pm
passcodeunlock
(@passcodeunlock)
Senior Member

So my question is, if you have such an examination which was already completed, but waiting for password-protected files, how long should you wait and keep the case open for those files at most? 1 month, 3 months, 9 months, ...?

These files have to contain important data, otherwise cracking them wouldn't be important. How can an examination be completed if you are waiting for password-protected files?

In our practice it takes what it takes, the judge might postpone the case until the needed data is all gathered, but the case remains open, so the examination remains also open.

...or just use a bigger hammer for faster results :)

Posted : 01/08/2016 4:32 pm
randomaccess
(@randomaccess)
Active Member

Depends on the algorithm and your setup but if the password is longer than 8 characters or so things get a lot harder. So it's a lot harder to justify holding up a workstation (or more) on a "potential crack" when you may have others in the queue.

I'd say that you should really rely on your wordlists, or building them up based on the users other passwords. Sometimes they write them down, or store them on devices you have access to.

If they've used a 20 character password, then I'd say you'll have more success finding a flaw in the algorithm before your computer can crack it 😉

Posted : 01/08/2016 6:02 pm
jaclaz
(@jaclaz)
Community Legend

Depends on the algorithm and your setup but if the password is longer than 8 characters or so things get a lot harder. So it's a lot harder to justify holding up a workstation (or more) on a "potential crack" when you may have others in the queue.

I'd say that you should really rely on your wordlists, or building them up based on the users other passwords. Sometimes they write them down, or store them on devices you have access to.

If they've used a 20 character password, then I'd say you'll have more success finding a flaw in the algorithm before your computer can crack it 😉

Sure, and how exactly would one know in advance whether the password is 123456 or (say) a 20-character string containing any number of "special characters"?

Maybe you are just one hour away from decrypting a very relevant piece of evidence (or maybe you are 1 or 2 centuries away); there is no way to know, AFAIK.

A strategy might be a policy to brute-force up to 8-character plain 0-9/A-Z/a-z strings, but then soon all criminals would use !#ç°§ in their passwords or make them 10 characters long...

Personally, in an LE situation, I would ask this question of the supervisor or the prosecutor; each case has its own implications, relevance and priorities.

Also, someone in charge may determine the probable relevance of a single document over another and thus create a sort of priority rating or triage.

After you have hooked up a workstation 24/7 to crack a Word document for, say, three months, what if it turns out to contain the Metterling list #4?
http://www.nytimes.com/2007/11/18/books/review/1st-chapter-insanity-defense.html?_r=0

List No. 4

7 prs. shorts
6 handkerchiefs
6 undershirts
7 prs. black socks
No Starch
Special One-Day Service

jaclaz

Posted : 01/08/2016 7:06 pm
yunus
(@yunus)
Active Member

Thanks for the comments passcodeunlock.

However, you can't know whether or not a file contains important data until you crack the password and see the contents.

An examination being completed means it is completed in terms of all other procedures, like keyword searching, data carving, etc., and there is nothing left except the password-protected file that needs to be cracked, which might require an unknown period of time: years, decades, etc.

As for your idea that the "judge might postpone the case until the needed data is all gathered": a judge cannot postpone a case for an unknown period of time. Some passwords might require years to crack, and there are time limits for legal cases to be processed.

Posted : 01/08/2016 7:16 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Some cases are postponed even for decades; those are called the dead files. And if/when some new evidence is found, the case continues... or not, depending on its importance.

Still, I get your question; it is not reasonable to wait for decades for uncertain results. I can't simply say which amount of time would be considered optimal for such cases, but luckily I'm not the prosecutor or the judge who has to decide it :)

Sometimes it is worth waiting. When I got the first TrueCrypt container for forensic analysis, it was said to be impossible to gather the data without knowing the password. That was in 2004; now I smile at it. Mostly it took around 10 years to turn from impossible to possible...

Posted : 03/08/2016 1:19 am
mark_adp
(@mark_adp)
Member

Hey,

The answer appears to be very dependent on the legislation of the country you are in. The law in some countries will allow you to examine, view and analyze devices/data from devices at any point after a case is closed; others have tighter restrictions requiring additional legal permission to re-open a case.

Posted : 03/08/2016 11:53 am
randomaccess
(@randomaccess)
Active Member

A strategy might be a policy to brute-force up to 8-character plain 0-9/A-Z/a-z strings, but then soon all criminals would use !#ç°§ in their passwords or make them 10 characters long...

Yep, that's pretty much it.
I'd say start by loading up a dictionary attack and then brute-force up to 8-10 chars, all characters;
then, whilst that is running, go through all the places where passwords can be stored (i.e. Chrome, or login.keychain, or passwords.txt) concurrently.
I have had success with both approaches.
I have also had success going online and entering NTLM hashes into a couple of the password cracking/lookup websites.

There's no real set rule, but with some passwords I've "broken" recently I would not have been able to do it with a brute-force approach, because they were too long, or out of the usual character set, or the algorithm was just slow in general.

Posted : 03/08/2016 2:28 pm
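The two approaches debated above (a fixed brute-force budget of roughly 8 alphanumeric characters versus mangling passwords recovered from the user's own browser stores and notes) can be sized up before a workstation is committed for weeks. The following is an added worked example, not code posted by anyone in this thread: it computes the keyspace and worst-case exhaustion time for the 0-9/A-Z/a-z policy at 8 and 10 characters, and runs a small hashcat-style rule set over recovered seed passwords against a target hash. The candidate rate, the seed passwords, the rule set and the SHA-256 target are all constructed assumptions; real Office and RAR key derivation is thousands of times slower than a bare hash, so the day counts are optimistic.

```python
"""Added worked example (not from the thread): size up a brute-force policy
and try a seed-word mangling attack before committing workstation time."""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Tuple

# Character-set sizes for the policies discussed in the thread; the
# 0-9/A-Z/a-z policy is the 62-character "alnum" set.
CHARSETS = {"digits": 10, "alnum": 62, "printable": 95}

# ASSUMED candidate rate: 1e9 guesses/s is plausible for a fast unsalted hash
# on a GPU rig; Office/RAR key derivation runs thousands of times slower.
ASSUMED_RATE_PER_SEC = 1_000_000_000


def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Total candidates of every length from min_len through max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def time_to_exhaust_seconds(charset_size: int, max_len: int,
                            rate_per_sec: float = ASSUMED_RATE_PER_SEC) -> float:
    """Worst-case seconds to exhaust the whole keyspace at the given rate."""
    return keyspace(charset_size, max_len) / rate_per_sec


def mangle(word: str) -> Iterator[str]:
    """Yield common variants of one seed password: a simplified rule set in
    the spirit of hashcat/JtR rules (case changes, reversal, leetspeak,
    common suffixes), de-duplicated and in a fixed order."""
    leet = word.translate(str.maketrans("aeios", "4310$"))
    bases = [word, word.lower(), word.capitalize(), word.upper(), word[::-1], leet]
    suffixes = ["", "1", "!", "123", "2016", "!1"]
    seen = set()
    for base, suffix in itertools.product(bases, suffixes):
        candidate = base + suffix
        if candidate not in seen:
            seen.add(candidate)
            yield candidate


def crack(target_hex: str, seeds: Iterable[str],
          algorithm: str = "sha256") -> Tuple[Optional[str], int]:
    """Try mangled variants of each seed against target_hex. Returns
    (recovered password or None, number of candidates tried)."""
    tried = 0
    for seed in seeds:
        for candidate in mangle(seed):
            tried += 1
            if hashlib.new(algorithm, candidate.encode()).hexdigest() == target_hex:
                return candidate, tried
    return None, tried


# CONSTRUCTED sample data: passwords "recovered" from a browser store on the
# same image, and a SHA-256 digest standing in for the protected file's hash.
SEED_PASSWORDS = ["summer", "Bluebird", "qwerty"]
TARGET_HASH = hashlib.sha256(b"bluebird2016").hexdigest()


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 10):
            days = time_to_exhaust_seconds(size, length) / 86400
            print(f"{name:>9} up to {length} chars: {keyspace(size, length):.3e} "
                  f"candidates, ~{days:,.1f} days at the assumed rate")
    found, tried = crack(TARGET_HASH, SEED_PASSWORDS)
    print(f"seed-word attack: {found!r} after {tried} candidates")
```

At the assumed rate the full 8-character alphanumeric space falls in under three days, while adding two characters pushes the worst case past twenty years, which is the jump randomaccess describes; the seed-word run, by contrast, recovers the constructed target in a few dozen guesses, which is why the thread recommends exhausting wordlists and the user's other passwords before paying for a long mask attack.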
jaclaz
(@jaclaz)
Community Legend

Yep, one of the myths about Indians (American Indians or Native Americans, to be PC) is/was about their attitude when deer hunting: the idea being that once you hit a deer with an arrow (rarely is an arrow hit deadly) and it starts running away, you follow it until you can either catch it as it is bleeding to death OR you stop and just hunt another deer (there are/were so many of them).
The underlying philosophy is admirable (and also a good kind of practical advice), but I guess that is something a bit hard to convince a prosecutor or judge about.

jaclaz

Posted : 03/08/2016 6:26 pm
Red1
(@red1)
New Member

I'm going to have to agree with jaclaz.

I can't tell you how many cases I've let go (computer cases or otherwise) because the evidence was not there and we don't have the time to build the perfect case. Sometimes it's more efficient to catch them on the next one. Habitual offender laws help my office in that regard, because sometimes catching the criminal on the big case is just not going to happen.

On the other side of that, if you already have a good case, what benefit (if any) will adding another charge bring? If it's a CP case and you've got 5000 images, what more can you bring? Maybe you might get lucky and crack some serial killer or something, but I don't have experience doing that.

So I guess I'll say for me it's a balancing act. Effort vs reward. (and caseload)

Posted : 05/08/2016 4:59 am
randomaccess
(@randomaccess)
Active Member

On the other side of that, if you already have a good case, what benefit (if any) will adding another charge bring? If it's a CP case and you've got 5000 images, what more can you bring? Maybe you might get lucky and crack some serial killer or something, but I don't have experience doing that.

I'm aware of cases where an encrypted volume was broken into and what was previously just a possession offence was upgraded to a contact or grooming offence. Sometimes you hit a goldmine I suppose.

Overall, it's a difficult line to walk, because on one hand it's just easier to let it go, and on the other, what if you let the person go and they do something?

Posted : 05/08/2016 1:18 pm
Red1
(@red1)
New Member

@randomaccess I totally agree. It's a fine line to walk, and there's no easy answer, especially when you throw supervisors and deadlines into the mix.

Posted : 08/08/2016 8:31 pm
Jmundy
(@jmundy)
New Member

I'm going to have to agree with jaclaz.

I can't tell you how many cases I've let go (computer cases or otherwise) because the evidence was not there and we don't have the time to build the perfect case. Sometimes it's more efficient to catch them on the next one. Habitual offender laws help my office in that regard, because sometimes catching the criminal on the big case is just not going to happen.

On the other side of that, if you already have a good case, what benefit (if any) will adding another charge bring? If it's a CP case and you've got 5000 images, what more can you bring? Maybe you might get lucky and crack some serial killer or something, but I don't have experience doing that.

So I guess I'll say for me it's a balancing act. Effort vs reward. (and caseload)

I agree, Red. If there's enough known evidence to charge, it would seem to be a poor use of resources to keep hammering away at encrypted files. What do the rest of you think?

Posted : 05/02/2020 5:25 pm
Rich2005
(@rich2005)
Active Member

Happens all the time.
If you can't get in, you can't get in.
At the end of the day it's a resource issue, and resources are finite.
The majority of the time you can build a successful case without even getting into the encrypted item.
You can only try (with all the various tricks at your disposal), then flag up that you couldn't get into it, and leave it to/suggest that others go down any legal avenue if applicable (i.e. RIPA Part 3 if warranted).
But hey, if your powers that be want to keep paying for you (in time/money) to keep trying to crack it, that's THEIR choice.
As an examiner, it's not for you to worry about (I think often the newer you are, the more you worry), and you can only do what's possible, or more importantly what's instructed, within the allotted time/funding.

Posted : 05/02/2020 9:33 pm