Likely locations for passwords?

15 Posts
6 Users
0 Reactions
1,700 Views
(@tpeoples)
Active Member
Joined: 12 years ago
Posts: 9
Topic starter  

Hi everyone, I'm a new student in the field and my first forensic assignment is to identify possible passwords for a specific user. There's one file in particular that I need to open, but none of the passwords I've come across seem to work (one was mentioned deliberately in an email, and those others were password hints for other users on the system). So far, there is evidence that the user may have used 7zip or truecrypt and I haven't had any experience with working either of these programs. The software for the course I'm taking is EnCase.

Where do you normally go to find likely passwords that the user may have used/reused? Do 7zip files/truecrypts need to be treated differently? From what I've read, TC is just to encrypt whole volumes, not individual files - is that correct?

Any input would be great... thanks!

Edit: I wanted to mention that when I open the zip and use an incorrect password the file still seems to be extracted, but the avi is corrupted.


donven
(@donven)
Eminent Member
Joined: 17 years ago
Posts: 26
 

I am going to be a little vague since you are a student! You cannot always run to the internet for help when it comes to computer forensics. )

1) Registry
2) Index of the drive
3) Maybe you do not need a forensic tool to find the pw.

Good luck!


(@tpeoples)
Active Member
Joined: 12 years ago
Posts: 9
Topic starter  

Thanks for the input, I know not to run to the internet for answers ) I was just wondering if there may have been any place I may have overlooked that experienced examiners might recommend (that weren't for example listed in my textbook). Thanks!


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@tpeoples

Maybe you need to make a step back and have a look at the thing in perspective.

Sometimes summing up and making explicit a problem in all its details, even the most minute ones, helps in finding the solution.

Examples
The file you have does (or does not) have a .zip extension?
The file you have does (or does not) have the "PK" file signature in header?
Where/how did you get that 7zip was used?
Where/how did you get that Truecrypt was used?

JFYI 7-zip is one of the zillion programs that can make a .zip file, but by default it uses its own (BTW much better than zip) compression format .7z.
It would be peculiar that an "evolved" user (i.e. one using 7-zip) would use the otherwise obsolete/less efficient (and also easier to "crack") PKZIP format.

Truecrypt has a completely different usage paradigm, but nothing prevents someone from making a Truecrypt container and then renaming it to *something*.zip (but you would most probably have an error about corrupted archive).

On the other hand, NO matter if the .zip file was created using 7-zip or another program, try using 7-zip to open it.
Rest assured that if you supply it a wrong password you will get an error:
Data error in encrypted file '<nameofthefileinsidethearchive>'. Wrong password?
and a file named '<nameofthefileinsidethearchive>' will be created (extracted) nonetheless BUT 0 bytes in size.

jaclaz


(@tpeoples)
Active Member
Joined: 12 years ago
Posts: 9
Topic starter  

Hi Jaclaz, thanks so much for your input. Just to clarify your points:

-the file does have a .zip extension

-the file does have a PK signature in its header
50 4B 03 04 33 00 01 00 63
PK–3—

-I cannot confirm if 7zip was used, only that it and truecrypt were present on the example machine

I attempted to use 7zip to open the file, and to your point it opened the avi file with that error message (and a 0 size).

I guess my question is, is truecrypt even a consideration at this point, or is that only for volume encryption (as opposed to individual files)?

Additionally, I've tried reviewing the rest of the user's documents/emails/history etc. to identify any recurring terms or themes, but no luck yet.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I guess my question is, is truecrypt even a consideration at this point, or is that only for volume encryption (as opposed to individual files)?

I would say that it is "out of the question" (at least at the moment): you have a .zip password protected file (maybe the .avi inside it can be a truecrypt container renamed to .avi, but until you find the password or anyway crack the .zip there is no way to know).

The idea of Truecrypt is that it is a "container".
It is not entirely unlike a .zip file.
A .zip file is a file that acts as container for (compressed) files.
A truecrypt container is a file that acts as container for (encrypted) volumes, or more correctly for files representing images of encrypted volumes.
Have a quick look at this
http://www.truecrypt.org/docs/tutorial
and you'll have the intended usage of Truecrypt much clearer.

jaclaz


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

-the file does have a .zip extension

-the file does have a PK signature in its header
50 4B 03 04 33 00 01 00 63
PK–3—

-I cannot confirm if 7zip was used, only that it and truecrypt were present on the example machine

How were you able to determine this? Was this part of an assignment (the instructor told you that the software was on the system?) or was it as a result of your own examination?

If you found this as a result of an examination, are you examining an image taken of a system? I ask, because if that is the case, it's pretty trivial to determine if either application was used… start with
http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html

For TrueCrypt, if the user accessed a Truecrypt volume that was mounted as a volume, you'll find indications of this in the MountedDevices key within the System Registry hive.

Additionally, I've tried reviewing the rest of the user's documents/emails/history etc. to identify any recurring terms or themes, but no luck yet.

Try exporting the pagefile and running strings.

You haven't really shared any information regarding the specifications of what you're looking at…which OS and version, from where the data/image originated, etc…but if you're examining an image of a Windows system taken from a laptop, look for a hibernation file, and try using Volatility to look for passwords.

HTH


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Where do you normally go to find likely passwords that the user may have used/reused?

Other passwords. There's often an MO in selecting passwords. If you can crack some user account or other encrypted file, you may have clues to how other passwords may have been selected. There is an EnCase encryption addon (or perhaps it's a built-in with version 7) that helps you find some of them easily.

In password storage applications / password managers. If you're looking at Windows, say, look for software like PasswordSafe or 1Password or such. Or web-based applications like Clipperz.

After that, it's the usual things where people get their passwords: celebrities, vacation spots, artists, sports, popular media and culture, etc. If the user has screensavers with motorcycles … try motorcycle brands and models. If the user has children, try their names. In general, personal names are not uncommon.

And of course, what one person selects for a password has almost certainly been used by someone else, somewhere. If you're serious about guessing passwords, you need to collect known passwords, and study them, and build your own collection of probable passwords. Look at tools like John The Ripper and others – many come with useful password lists, and may provide pointers to other sources for them.

Often, though, extracting words from whatever user-related files are on the disk, and using them as the basis for password guessing works pretty well for more simple-minded users. (And if you're really lucky, you may find that the user *has* a file with passwords somewhere.) Requires some work to set up, but it is often worth the effort.


(@tpeoples)
Active Member
Joined: 12 years ago
Posts: 9
Topic starter  

Thank you all for your responses. I think I may have found the password, as it was used on a few other .zip files; however, it doesn't seem to be working on this one.

I found one zip file that had its file extension changed to mask it (had a PK in its signature header) and this password worked (it's also hinted at in the assignment). However, I think this file was created with 7-zip and I'm wondering if that may have something to do with why it's not working. Are 7z's a different extension than .zip? Are the passwords in a particular format, or do they require specific criteria?

I feel like I'm getting close to figuring this out!


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

However, I think this file was created with 7-zip and I'm wondering if that may have something to do with why it's not working. Are 7z's a different extension than .zip? Are the passwords in a particular format, or do they require specific criteria?

I feel like I'm getting close to figuring this out!

As said, 7-zip can create BOTH .zip (which will have the PK header) and .7z (its own compression format).
The header for a .7z file is 377ABCAF271C
http://filesignatures.net/index.php?page=search&search=377ABCAF271C&mode=SIG

A valid password will obviously unlock a protected file, no matter the compression/format used, and no there are no "specific" formats or criteria for passwords in any of them.

jaclaz


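The thread turns on two signatures: the "PK" local file header that tpeoples dumped from the suspect file (50 4B 03 04 33 00 01 00 63) and the 377ABCAF271C header jaclaz gives for .7z archives. The following added example (not code from any poster) decodes the first ten bytes of a PKZIP local file header and tells a .zip apart from a .7z or an unrecognised blob. The nine bytes quoted in the thread end in the low byte of the compression method field; the example assumes the missing tenth byte is 0x00, which makes the method 99, the marker PKZIP's APPNOTE reserves for WinZip AES encryption, and bit 0 of the flag field marks the entry as encrypted. The sample 7z and "no signature" inputs are constructed here for illustration; the `identify_archive` name is the example's own.

```python
import struct

# Signatures discussed in the thread.
ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"           # 50 4B 03 04
SEVENZ_SIG = bytes.fromhex("377ABCAF271C")     # '7z' BC AF 27 1C

ZIP_FLAG_ENCRYPTED = 0x0001   # general purpose bit 0: entry is encrypted
ZIP_METHOD_AES = 99           # WinZip AE-x marker in the compression method field
ZIP_METHODS = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma", 99: "AES (WinZip AE-x)"}

# Constructed samples. THREAD_HEADER is the nine bytes from the thread plus an
# assumed 0x00 high byte for the method field; the other two are made up here.
THREAD_HEADER = bytes.fromhex("504B0304330001006300")
SEVENZ_SAMPLE = bytes.fromhex("377ABCAF271C0004")
NO_SIGNATURE_SAMPLE = bytes.fromhex("9F1C44A0E27B3D5C0A91")


def identify_archive(data: bytes) -> dict:
    """Classify the first bytes of a suspected archive by signature.

    PKZIP local file header, fixed part (little-endian):
      offset 0, 4 bytes: signature 'PK\\x03\\x04'
      offset 4, 2 bytes: version needed to extract, in tenths (0x0033 = 51 = 5.1)
      offset 6, 2 bytes: general purpose bit flag (bit 0 = encrypted)
      offset 8, 2 bytes: compression method (99 = WinZip AES marker)
    Only these ten bytes are needed for the verdict.
    """
    if data.startswith(SEVENZ_SIG):
        version = f"{data[6]}.{data[7]}" if len(data) >= 8 else None
        # 7z records per-folder encryption in its packed header further in,
        # which may itself be encrypted, so the signature alone cannot tell.
        return {"format": "7z", "version": version, "encrypted": None,
                "note": "encryption is recorded in the packed header, not the signature"}

    if data.startswith(ZIP_LOCAL_HEADER_SIG):
        if len(data) < 10:
            return {"format": "zip", "encrypted": None,
                    "note": "header truncated before the compression method field"}
        version, flags, method = struct.unpack_from("<HHH", data, 4)
        return {
            "format": "zip",
            "version_needed": f"{version // 10}.{version % 10}",
            "encrypted": bool(flags & ZIP_FLAG_ENCRYPTED),
            "method": ZIP_METHODS.get(method, f"unknown ({method})"),
            "aes": method == ZIP_METHOD_AES,
        }

    # A renamed TrueCrypt container would land here: its volumes are designed to
    # be indistinguishable from random data and carry no magic bytes at all.
    return {"format": "unknown", "encrypted": None,
            "note": "no known signature; consistent with random data or a TrueCrypt-style container"}


if __name__ == "__main__":
    for label, sample in (("thread header", THREAD_HEADER),
                          ("7z sample", SEVENZ_SAMPLE),
                          ("no signature", NO_SIGNATURE_SAMPLE)):
        print(f"{label:14} {sample.hex()}  ->  {identify_archive(sample)}")
```

Run against the thread's bytes, the verdict is a .zip entry flagged encrypted, version 5.1, with the AES marker in the method field; that is the variant 7-Zip opens and reports "Data error in encrypted file ... Wrong password?" on when the supplied password is wrong, which matches the 0-byte extraction described above. The "unknown" branch is the caveat from jaclaz's reply: a container without a signature cannot be confirmed as TrueCrypt from its header, since TrueCrypt volumes carry no magic bytes.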