Need help with school lab

scoperoc
(@scoperoc)
New Member

I need help with a forensics lab I am doing, I am not asking for the answer, just a little guidance. If you don't want to help I understand. I have a disk image that I am working with for this lab. I am just going to start with a small part of the lab that I am most confused with, FYI I have access to WinHex, FTK, and EnCase.

Encryption. Several of the Microsoft Office files have been encrypted using a file open password and AES-256 encryption. Two of the passwords that you need are hidden in pieces in the image along with a simple algorithm for reconstructing the passwords. The third password that you need is not found in the image.

The file in question is a PowerPoint file that is password protected, I have PRTK but apparently I am supposed to find the password in a different manner and PRTK would take too long anyway (so the lab info says). I have no clue what exactly I am looking for to find the password.

Topic starter Posted : 04/07/2015 5:16 am
minime2k9
(@minime2k9)
Active Member

Well, as this is an educational-type scenario, they often hide passwords in various places around the image file, so sometimes something as simple as a search for password might help.
Failing that, try looking for passwords that are saved on the system, for example in Internet browsers. It may be that the same passwords are used for the document you have.
One other suggestion is that you could still attempt to use PRTK but run it from an index file of all the words in the image file. I'm fairly sure you can do this using EnCase, a quick Google should provide enough information, though I'm sure someone on here will have done this process before.

Posted : 04/07/2015 12:17 pm
athulin
(@athulin)
Community Legend

Well, as this is an educational-type scenario, they often hide passwords in various places around the image file, so sometimes something as simple as a search for password might help.

In some situations, a lab comes with a back-story, a scenario, with people and computers, in some particular place, at some particular time, sometimes even with email records or photos of the papers found in the wastepaper basket of the suspected person. That story may be a useful source for passwords.

In a presumed corporate setting, the names of the people involved, the projects affected, the company or department name may be part of a password. Or even the host name or names of computers related to the case.

In private settings, names of people, pets, artists, films, places and taken from books etc. may be used as part of a password.

Be systematic and keep records – or you'll find yourself doing the same thing over and over just because you forgot exactly what or how much you did the previous time.

Posted : 04/07/2015 2:34 pm
scoperoc
(@scoperoc)
New Member

Thanks for the replies, I appreciate it. There really is no back story, the image is of a USB drive, there are 2 files that are password protected and I solved one really easily but the other (PowerPoint) is the one that supposedly has "Two of the passwords that you need are hidden in pieces in the image along with a simple algorithm for reconstructing the passwords. The third password that you need is not found in the image." I really don't know what I should be looking for as far as an algorithm though or even how to find it, unfortunately some of the directions are a little unclear and I don't remember reading anything about that. I did look at the file in the Hex portion of FTK but nothing jumped out at me.

Here is the only thing that I think means something but I am not quite sure what I am looking at

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption" xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password"><keyData saltSize="16" blockSize="16" keyBits="128" hashSize="20" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA1" saltValue="6uB4hpFgMDWQZ007+1Ik5g=="/><dataIntegrity encryptedHmacKey="3IVGyHITQJ59pAmNEw/iBOOOl

And this

"ÝÍGQx9OyrbjWyVj14G47s=" encryptedHmacValue="p1NqaCZxitjFdIe5vEU1NnVibuHeTxrg4mML2ZhHZ8A="/><keyEncryptors><keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"><p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="128" hashSize="20" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA1" saltValue="5PUxH9ye1/Qm0EqyMvJn4g==" encryptedVerifierHashInput="VR/A7DBdyAYEK/dP2F873A==" encryptedVerifierHashValue="ZLR9RITDVbWODMp+GVEaoPlY/ypEdPP4nBbYH/RkL+Y=" encryptedKeyValue="MPYsywZ6JP+8lDZGd433MA=="/></keyEncryptor></keyEncryptors></encryption>

Topic starter Posted : 05/07/2015 1:36 am
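
Added example, not part of the original post and not code from any tool named in the thread: the XML quoted above is the descriptor that agile-encrypted Office documents carry in their EncryptionInfo stream, and this Python parses such a descriptor and reports the cipher, key size, hash and spin count it declares. The sample stream is constructed (its salt is made up, the other attributes mirror the post), and the function and dictionary key names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces of the agile-encryption descriptor (MS-OFFCRYPTO).
NS = {
    "e": "http://schemas.microsoft.com/office/2006/encryption",
    "p": "http://schemas.microsoft.com/office/2006/keyEncryptor/password",
}

def _summarise(elem):
    """Pull the algorithm parameters out of <keyData> or <p:encryptedKey>."""
    salt = base64.b64decode(elem.get("saltValue", ""))
    return {
        "cipher": f'{elem.get("cipherAlgorithm")}-{elem.get("keyBits")}',
        "chaining": elem.get("cipherChaining"),
        "hash": elem.get("hashAlgorithm"),
        # A decoded salt that disagrees with saltSize means damaged carving.
        "salt_ok": len(salt) == int(elem.get("saltSize", "-1")),
    }

def describe_encryption_info(stream: bytes) -> dict:
    """Summarise the XML descriptor inside an EncryptionInfo stream."""
    start = stream.find(b"<?xml")          # skip the 8-byte binary header
    if start < 0:
        start = stream.find(b"<encryption")
    if start < 0:
        raise ValueError("no agile-encryption XML descriptor found")
    root = ET.fromstring(stream[start:])
    key_data = root.find("e:keyData", NS)
    pw_key = root.find("e:keyEncryptors/e:keyEncryptor/p:encryptedKey", NS)
    if key_data is None or pw_key is None:
        raise ValueError("descriptor lacks keyData or a password key encryptor")
    info = {"data": _summarise(key_data), "password": _summarise(pw_key)}
    info["password"]["spin_count"] = int(pw_key.get("spinCount"))
    return info

# Constructed sample: header bytes for version 4.4 plus a minimal descriptor.
_SALT = base64.b64encode(bytes(range(16))).decode()
_ATTRS = ('saltSize="16" blockSize="16" keyBits="128" hashSize="20" '
          'cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" '
          f'hashAlgorithm="SHA1" saltValue="{_SALT}"')
SAMPLE = b"\x04\x00\x04\x00\x40\x00\x00\x00" + (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<encryption xmlns="{NS["e"]}" xmlns:p="{NS["p"]}"><keyData {_ATTRS}/>'
    f'<keyEncryptors><keyEncryptor uri="{NS["p"]}">'
    f'<p:encryptedKey spinCount="100000" {_ATTRS}/>'
    '</keyEncryptor></keyEncryptors></encryption>').encode()

print(describe_encryption_info(SAMPLE))
```

The spinCount value is the number of hash iterations applied to every password guess, so it, together with the declared hash and key size, belongs in the case notes before any recovery attempt is planned.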
BitHead
(@bithead)
Community Legend

Have you created a word list in PRTK and tried that?

Posted : 05/07/2015 5:49 am
scoperoc
(@scoperoc)
New Member

No, I am new to all of this, what will that do for me?

Topic starter Posted : 05/07/2015 5:51 am
BitHead
(@bithead)
Community Legend

It may be an avenue to attack the password. Password cracking is as much art as science.

http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/

Posted : 07/07/2015 8:24 am
scoperoc
(@scoperoc)
New Member

Thanks, that is good info for the future but that is not quite how I need to do this.

Topic starter Posted : 07/07/2015 8:26 am
jaclaz
(@jaclaz)
Community Legend

Thanks, that is good info for the future but that is not quite how I need to do this.

Maybe, or maybe not.

The sheer moment you believe that you know "how" it should be done you are excluding other possible ways to solve a problem.

In this specific case, it is well possible that you are absolutely right :) , but as a "general rule" you shouldn't assume that one given approach (and not another) is the "right" one.

jaclaz

Posted : 07/07/2015 4:23 pm
scoperoc
(@scoperoc)
New Member

The instructions say how it is supposed to be done, that is how I know or else I would try everything else, just trying to do it the way they want it done. It's kind of like math problems in school, sure there are multiple ways to do it but you have to do it a certain way to get full credit and show your work.

Topic starter Posted : 07/07/2015 8:54 pm
jaclaz
(@jaclaz)
Community Legend

The instructions say how it is supposed to be done, that is how I know or else I would try everything else, just trying to do it the way they want it done. It's kind of like math problems in school, sure there are multiple ways to do it but you have to do it a certain way to get full credit and show your work.

Well, it depends. 😯

Gauss solved the problem of the sum of the first 100 integers (which was reportedly given to the class by the professor with the intent to be able to take a nap while they manually added all numbers one by one) and this is still often reported as an example of smart, lateral thinking. :)

http://nrich.maths.org/2478
http://mathcentral.uregina.ca/QQ/database/QQ.02.06/jo1.html

jaclaz

Posted : 07/07/2015 11:00 pm
scoperoc
(@scoperoc)
New Member

If I was smart I would not be looking for help.

Topic starter Posted : 07/07/2015 11:03 pm
jaclaz
(@jaclaz)
Community Legend

If I was smart I would not be looking for help.

Or maybe you are smart EXACTLY because you understood that you can't make it on your own and thus ask for assistance. :)

jaclaz

Posted : 08/07/2015 3:57 pm