Is PKCrack an acceptable forensic method for cracking into zip files? Or is it frowned upon and should other methods be used? Would presenting evidence gathered through the use of PKcrack be valid?
What an odd question.
You copy the target file and run your password cracking tool against it, which gives you the password; you then use that password to open a copy of the zip file.
It's all done on copies, you end up with the password and a checksummed copy of the original file… what more could you ask for?
All results obtained by password cracking tools can be acceptable in court if you follow a proper legal forensics methodology. I haven't used PKcrack, but I don't see the difference between that tool and other password crackers. The only difference might be that freeware tools are sometimes discredited by authorities.
When I used PKcrack it didn't supply me with the password; it just produced a decrypted version of the zip file.
There are a few different ways to crack files.
For encrypted files, the password gets converted into an encryption key. But with older 40-bit encryption you can decrypt the files without the password by directly testing all possible keys. Using this method you skip the requirement for a password.
But if you are lucky enough to know some of the plaintext contents of the encrypted zip file then you can do a quicker known-plaintext attack to get the key. This is what PKcrack does. Once the key is found, you can then run "findkey", which is part of the PKcrack package, to generate a working password. But findkey will take a very long time to find long passwords from a key. There is no real need for the password, though, as you can do direct decryption with the key.
You were lucky that PKcrack worked. It will only work on old Zip files.
I would think that most authorities would see having the password as being the same as having the key.
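To make the point in the post above concrete (the password only seeds the cipher's internal key state, and that state alone is enough to decrypt), here is an added example in Python. It is not code from the thread or from Pkcrack: it implements the traditional PKWARE stream cipher ("ZipCrypto") used by legacy zip archives, shows how a password is turned into the three 32-bit key registers, decrypts an entry from the key registers alone (the state a known-plaintext attack recovers), and shows the 12-byte header check that lets password crackers discard most wrong guesses cheaply. The password "hunter2", the entry data, the CRC high byte 0xAB and the fixed header bytes are all constructed for the example; the known-plaintext key recovery itself (the Biham-Kocher step Pkcrack performs) is not implemented here.

```python
"""ZipCrypto (traditional PKWARE zip encryption), written as a stand-alone
illustration. Not Pkcrack's code; all inputs below are constructed."""
import os

# Reflected CRC-32 table (polynomial 0xEDB88320), the same one zip uses.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return (crc >> 8) ^ _CRCTAB[(crc ^ b) & 0xFF]


class ZipCrypto:
    """Three 32-bit registers: this state IS the key. A password only seeds it."""

    def __init__(self, keys=(0x12345678, 0x23456789, 0x34567890)):
        self.k0, self.k1, self.k2 = keys

    @classmethod
    def from_password(cls, password: bytes) -> "ZipCrypto":
        z = cls()
        for b in password:          # password bytes are fed through the same
            z._update(b)            # key update used for plaintext bytes
        return z

    def keys(self):
        return (self.k0, self.k1, self.k2)

    def _update(self, plain_byte: int) -> None:
        self.k0 = _crc32_byte(self.k0, plain_byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            out.append(p ^ self._stream_byte())
            self._update(p)         # state advances on the PLAINTEXT byte
        return bytes(out)

    def decrypt(self, cipher: bytes) -> bytes:
        out = bytearray()
        for c in cipher:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def zip_encrypt_entry(password: bytes, data: bytes, crc_hi: int, rng=os.urandom) -> bytes:
    """Encrypted entry = 12-byte header (11 random bytes + high byte of the
    entry's CRC-32) followed by the data, all under one key stream."""
    header = bytes(rng(11)) + bytes([crc_hi & 0xFF])
    return ZipCrypto.from_password(password).encrypt(header + data)


def key_state_after_header(password: bytes, blob: bytes):
    """The register values just before the file data starts: this is what a
    known-plaintext attack hands you, with no password involved."""
    z = ZipCrypto.from_password(password)
    z.decrypt(blob[:12])
    return z.keys()


def decrypt_with_keys(keys, encrypted_data: bytes) -> bytes:
    """Direct decryption from recovered key registers; no password needed."""
    return ZipCrypto(keys).decrypt(encrypted_data)


def header_check_passes(password: bytes, blob: bytes, crc_hi: int) -> bool:
    """Cheap filter used by crackers: decrypt only the 12-byte header and compare
    its last byte with the CRC high byte. Wrong passwords survive 1 in 256."""
    return ZipCrypto.from_password(password).decrypt(blob[:12])[11] == (crc_hi & 0xFF)


def crack_password(candidates, blob: bytes, crc_hi: int, known_plaintext: bytes = b""):
    """Dictionary attack: header check first, then confirm on known plaintext."""
    for pw in candidates:
        if not header_check_passes(pw, blob, crc_hi):
            continue
        plain = ZipCrypto.from_password(pw).decrypt(blob[:12 + len(known_plaintext)])
        if plain[12:] == known_plaintext:
            return pw
    return None


# Constructed sample: deterministic header so the run is reproducible.
PASSWORD = b"hunter2"
SECRET = b"Invoice Q3: transfer 40000 to account 12-345"
CRC_HI = 0xAB
BLOB = zip_encrypt_entry(PASSWORD, SECRET, CRC_HI, rng=lambda n: bytes(range(n)))

if __name__ == "__main__":
    keys = key_state_after_header(PASSWORD, BLOB)
    print("key registers:", [hex(k) for k in keys])
    print("decrypted from keys only:", decrypt_with_keys(keys, BLOB[12:]))
    print("cracked:", crack_password([b"letmein", b"password", PASSWORD], BLOB, CRC_HI, SECRET[:4]))
```

The design point the example makes: `decrypt_with_keys` never sees a password, only the three registers, which is why "having the key" and "having the password" give you the same decrypted bytes; the password is just one of many seeds that lead to that state. The header check is also why brute force over passwords is fast: a wrong guess is rejected after 12 bytes, and the occasional 1-in-256 survivor is weeded out by the plaintext comparison.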
In that case you might have an issue. If the only way you can repeat the results is by using that (closed source) program, it's possible that the defence might gleefully point out that the evidence could easily be placed there by this program.
And unless you pick it apart you can't show that to be the bullshit we all know it is. To be honest I can only think of a single company who would try that on, and it's pretty quick to rip the allegation in half.
As long as you document and explain the process and what is actually happening, with a test example zip file that you created to verify the soundness of the technique, you'll be fine.
In that case you might have an issue. If the only way you can repeat the results is by using that (closed source) program ….
Actually Pkcrack (NOT PKCrack) is open source and simply implements a published article:
http//
(there is an earlier software named PKCRACK)
http//
@tootypegs
Pkcrack also attempts to recover the password; this may or may not work, but have you tried it?
Example
http//
jaclaz
Brilliant. If you compile the program yourself then you can just provide the source if anyone raises any issues with your methodology. Everyone loves open source.
I hope you sent a post card to the PKcrack author.
Here are the license conditions:
"send me a postcard if you want to use this program. This is not just a polite request, it is a requirement. If you do not fulfil this requirement, you are not allowed to use the program, and I may sue you in court"
Recompiling might sound great until you actually try to do it. The source code hasn't been touched for about 8 years. It was compiled with DJGPP, which also hasn't had a major release in ~15 years (and was really designed back in the Win95 16-bit era) and doesn't list Vista or Win7 as being compatible. It doesn't even come with an IDE, and they suggest using a DOS port of GNU Emacs instead.
So the chances of doing this quickly are low. Sadly this is often the case with open source. Software is rarely well maintained.
You could equally be attacked by someone claiming that this tool was never designed for nor tested on anything after WinXP.
Don't forget the post card ;-)
In that case you might have an issue. If the only way you can repeat the results is by using that (closed source) program, it's possible that the defence might gleefully point out that the evidence could easily be placed there by this program.
There seems to be a habit in this industry of making mountains out of mole hills.
It is very unlikely that you would be challenged for using such a tool, and if you were then getting the other side to point the program at a few known zip files that they had password protected would be sufficient to allay their fears.
While there are sometimes some dodgy defence issues raised by some experts (and dodgy prosecution cases, but that's another thread), in my experience Counsel will rarely (never) run with a no-hoper such as this. Counsel will want to put their strongest case forward and this means keeping the message simple.