Known plaintext attack

(@gorvq7222)
Reputable Member
Joined: 11 years ago
Posts: 236
Topic starter  

When you find a password-protected ZIP/RAR file in the evidence, you may try a dictionary attack, a brute force attack or rainbow tables… Usually those attacks take a very, very long time and end in failure. What will you do then? Allow me to remind you that there is still one thing you can do: the "known plaintext attack".

What is a "known plaintext attack"? Let's say you use a ZIP/RAR archiver to archive some files and set a password to protect this archive file. The files in this archive now have something in common: the "key" generated when archiving.

So we could assume that some of the files in that password-protected ZIP/RAR file are still on the hard drive. What we need is only one of those files, so we could start a known plaintext attack. Maybe some would say "I don't know which file is one of them?". Fine, all you need to do is gather some documents/pictures that have something to do with our suspect. Use the same ZIP/RAR archiver, of course the same version and the same method, to archive those files you gathered from the suspect's hard drive. Remember, do not set a password!!!

We have two files. One is the password-protected ZIP/RAR file, and the other is the ZIP/RAR file that is not password-protected. Now you could understand why the "known plaintext attack" works, because all we have to do is compare these two archive files, and then we can get the key generated in the first place.

You could use Passware Kit or Advanced Archive Password Recovery to perform a known plaintext attack. You will be very surprised that the speed is very fast. It won't take long and you could see the result on the screen. To everybody's surprise, it only takes one minute and forty-two seconds. You guys could take a look at my blog
http://www.cnblogs.com/pieces0310/p/4732725.html

Next time you find any password-protected ZIP/RAR files in the evidence, don't forget "known plaintext attack"!!!

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Last time I checked some .zip files were vulnerable to Plain Text Attack whilst .rar never were.

Do you have any specific info besides using the provision of one or the other commercial tools you mentioned?

jaclaz

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Last time I checked some .zip files were vulnerable to Plain Text Attack whilst .rar never were.

It's the 'Traditional PKWARE Encryption' method that's vulnerable. Unfortunately a lot of people still use it, probably because the support for encrypted zip files in Windows 7 and earlier (haven't tested later versions) doesn't work too well with other methods than 'traditional' encryption. (Or at least not with what in PKZIP is labelled 'Strong Encryption' – guessing AES – just tested that one.)

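The reply above distinguishes the 'Traditional PKWARE Encryption' scheme (ZipCrypto), which is the one exposed to the known plaintext attack, from AES-based and 'Strong Encryption' entries, which are not. A practitioner triaging an archive wants to know which scheme each entry declares before deciding how to proceed. The following script is an added example, not code from the thread or from any tool mentioned in it: it reads the ZIP central directory with `struct` and classifies each entry from the general-purpose flag bits (bit 0 = encrypted, bit 6 = PKWARE strong encryption) and the WinZip AES markers (compression method 99 and the 0x9901 extra field). The sample archive is constructed in memory so the script runs offline; the encrypted entries carry placeholder bytes rather than real ciphertext, since only the headers matter for this audit.

```python
"""Audit which encryption scheme each entry of a ZIP archive declares.

Added example, not part of the forum thread. Reads the central directory
directly so it works even when no archiver is installed.
"""
import struct
import zlib

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
AES_METHOD = 99        # WinZip AE-x stores AES entries with "method 99"
AES_EXTRA_ID = 0x9901  # ...and an extra field with this header ID
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0
FLAG_STRONG = 0x0040     # general-purpose bit 6: PKWARE "Strong Encryption"


def _has_extra(extra, wanted_id):
    """Walk the extra-field list (id, size, data...) looking for wanted_id."""
    pos = 0
    while pos + 4 <= len(extra):
        ext_id, size = struct.unpack_from("<HH", extra, pos)
        if ext_id == wanted_id:
            return True
        pos += 4 + size
    return False


def classify(flags, method, extra):
    """Label the scheme: none, aes, strong, or zipcrypto (traditional PKWARE)."""
    if not flags & FLAG_ENCRYPTED:
        return "none"
    if method == AES_METHOD or _has_extra(extra, AES_EXTRA_ID):
        return "aes"
    if flags & FLAG_STRONG:
        return "strong"
    return "zipcrypto"


def audit_zip(data):
    """Map entry name -> scheme by parsing the central directory of `data`."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd disk, entries on disk, total entries, cd size, cd offset
    total, cd_offset = struct.unpack_from("<H4xI", data, eocd + 10)
    result, pos = {}, cd_offset
    for _ in range(total):
        sig, flags, method, name_len, extra_len, comment_len = struct.unpack_from(
            "<I4xHH16xHHH", data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        result[name] = classify(flags, method, extra)
        pos += 46 + name_len + extra_len + comment_len
    return result


def weak_entries(data):
    """Names of entries using ZipCrypto, the scheme discussed in the thread."""
    return sorted(n for n, s in audit_zip(data).items() if s == "zipcrypto")


def build_zip(entries):
    """Construct a minimal 'stored' ZIP from (name, payload, flags, method, extra)."""
    local = central = b""
    for name, payload, flags, method, extra in entries:
        name_b, crc, offset = name.encode(), zlib.crc32(payload), len(local)
        size = len(payload)
        local += struct.pack("<I", LOCAL_SIG) + struct.pack(
            "<HHHHHIIIHH", 20, flags, method, 0, 0x21, crc, size, size,
            len(name_b), len(extra)) + name_b + extra + payload
        central += struct.pack("<I", CENTRAL_SIG) + struct.pack(
            "<HHHHHHIIIHHHHHII", 20, 20, flags, method, 0, 0x21, crc, size, size,
            len(name_b), len(extra), 0, 0, 0, 0, offset) + name_b + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


# Constructed sample: WinZip AE-x extra field = vendor version 2, "AE", AES-256, stored
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)
SAMPLE = build_zip([
    ("readme.txt", b"hello forensics", 0, 0, b""),
    ("notes.doc", b"\x00" * 12 + b"placeholder", FLAG_ENCRYPTED, 0, b""),
    ("report.pdf", b"\x00" * 10 + b"placeholder", FLAG_ENCRYPTED, AES_METHOD, AES_EXTRA),
    ("ledger.xls", b"placeholder", FLAG_ENCRYPTED | FLAG_STRONG, 0, b""),
])

if __name__ == "__main__":
    for entry, scheme in audit_zip(SAMPLE).items():
        print(f"{entry:12s} {scheme}")
```

To run it against an evidence file, replace `SAMPLE` with `open(path, "rb").read()`; only entries reported as `zipcrypto` use the scheme the thread describes, while `aes` and `strong` entries leave you with dictionary or brute force attacks, as the later replies say for RAR.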
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

It's the 'Traditional PKWARE Encryption' method that's vulnerable.

Yes, but also some WinZip-made archives were vulnerable (if enough files are inside the archive) to another non-dictionary/non-bruteforce attack.

And a similar attack is also possible with some Winzip 9.0 archives
https://homes.cs.washington.edu/~yoshi/papers/WinZip/winzip.pdf

And not *all* .zip archives are vulnerable, only those conforming to certain pre-requisites.

Point was that RAR archives have no such vulnerabilities (that I know of), and the two formats simply cannot be "mixed together".

jaclaz

(@gorvq7222)
Reputable Member
Joined: 11 years ago
Posts: 236
Topic starter  

Sorry, Advanced Archive Password Recovery only works on password-protected ZIP files… it's my mistake... I thought it also works on RAR files. I'm still looking for a solution for password-protected RAR files…

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Sorry, Advanced Archive Password Recovery only works on password-protected ZIP files… it's my mistake... I thought it also works on RAR files. I'm still looking for a solution for password-protected RAR files…

At the cost of seeming more picky than I actually am 😯 (and I am picky 😉), not really-really.

The point is that the .zip encryption has a vulnerability, i.e. the algorithm is subject to the "known plain text" attack.

There are several tools that can take advantage of this vulnerability, not only the one you mentioned/referenced.

As said some Winzip archives may have different kinds of vulnerabilities (that are not connected to the ZIP algorithm but rather to the poor implementation in some versions of Winzip).

As well there is more than one tool that can take advantage of these.

The .rar algorithm AND its implementation have no (known/published) vulnerabilities (again, that I know of) and as such there are NO tools capable of taking a similar "shortcut"; you have only "dictionary" and "brute force" attacks available with those.

Obviously then the difference between one tool and the other is only the speed with which they can operate.

jaclaz
