I am doing a course and at the moment have a disk to examine with 8 windows partitions, 2 deleted windows partitions and 1 linux partition. The gentleman (and i use the term in the loosest sense) who set the assignment is a specially devious sort of chap and has renamed and hidden a.pgd encrypted drive on one of the windows partitions. I have tried all ways to find the password for it spending hours searching the file slack, swap file and unallocated and everything else to no avail. Have created text files for dictionary in FTK and the password cracker has been running for 9 days using 6 networked machines and still nothing. I am now looking to see if the password may be hidden in an image file using steganography (God i hope it is) and I was wondering if any one knew of any tools that i could use to check image (or any other file) for stegonography. Any ideas would be gratefully appreciated.
? evil x
There is a hash set available for steg software from I believe the NSRL. I used it a few months back in Winhex and was able to match up against some deleted files from a previous installation of s-tool.
Sorry I donâ€™t have the link, googling steganography hash sets should do the trick.
Pretty hard core if the pwd ends up being hidden using the means you suspectâ€¦.sounds extreme. What kind of course if I may ask?
Thanks for the pointer. The course I am doing is the PG Cert in Forensic computing at Cranfield university
Thanks for that but it has been running for 6 days with no luck so far
I'm going on the theory that the lecturer wouldn't expect you to have a Cray supercomputer at home trying to brute force a password for xx years.
I'd think I would have missed something and would go back to basics-
Is it really a pgd file? Is it something else that has been renamed etc to look like a .pgd?
Is there anything in the text of the assignment that gives you a clue as to the password itself? e.g "law enforcement raided Mr Blair's cottage "rosebud" and removed a number of laptops, CD roms and a hard disk labelled 123?" (Use rosebud and 123 as possible passwords)
What have you found so far? These might provide clues.
Was there a hidden encrypted word or excel file (or simple plain word, .jpg, .gif file etc). Use 'strings' on these files.
Is there something embedded in the file that doesn't show up when it is normally displayed on screen e.g. pwd=rosebud etc.
I hope this helps - happy hunting
Brian A Crawford