RAR files - protect...
 
Notifications
Clear all

RAR files - protected

4 Posts
3 Users
0 Likes
986 Views
(@p38cyq)
Posts: 44
Trusted Member
Topic starter
 

Gents,

I've been looking for several hours on this forum (as I am more an OS guy), but to no avail. for a solution.

Recently I was asked to investigate a Win 7 laptop from an embassy-employee; this employee is now on LOA and the management asked to find out any sensitive data on it.

It concerns a Toshiba laptop, protected with a BIOS-password and an admin-login. These hurdles were taken quickly, and then the real work began using PW Kit Forensics. A search on password-protected files showed a series of MS Office files, Acrobat (.pdf) and .rar files.

PW Forensics had no problem whatshowever to find out almost immediately the Office and Acrobat passwords; the .rar archives turned out to be a different story. (They are of the WinRar 3.0 type)

Even using 5 multiple GPU's/ HW acceleration (resulting , depending on the lenght of the password, in speeds exceeding 1.500 pswds/sec), our machines spent some serious overtime. Presently, we foresee another 2 years (approximately) in order to complete.

Using the obtained Office/Acrobat passwords was of no help, apparently the .rar password(s) are not the same and certainly longer in characters/figures/ etc.

My questions to the good people here
- How can .rar protected files be decrypted in the absence of a password?
- When some of you need to present these files as "evidence", I presume these protected files are of no evidence at all? So they cannot be used in any case? I can difficultly go to my customer with this kind of evidence.

Thank you for your replies.

 
Posted : 31/12/2011 9:44 pm
(@athulin)
Posts: 1156
Noble Member
 

… the .rar archives turned out to be a different story. (They are of the WinRar 3.0 type)

That probably means AES-128, and that should be explanation enough.

Using the obtained Office/Acrobat passwords was of no help, apparently the .rar password(s) are not the same and certainly longer in characters/figures/ etc.

But what can you see from the existing passwords? Any particular system used? Many pople tend to stick to a MO, also when creating passwords. If there is such a pattern, or seems to be one, use it to create a password list. Even if it becomes some billions of passwords, it's still better than a brute-force attack.

How can .rar protected files be decrypted in the absence of a password?

With AES it's brute force – don't think there are any known-plaintext attacks. (Or, very, very improbably, by finding a weakness in the crypto. However, that's almost certainly a job for someone who specializes in crypto cracking,)

Your best chance is, I think, to do a good job on the passwords you already have, and from all the password candidates you can dig out of the systems you already have access to. Even if all you find out is that the user likes to place a special character in the first position, it should helps, provided that you use a tool that allows you provide that kind of information.

Added Or use the workplace where the passwords probably were applied book titles, posters, books, CD's, … etc.

Look out for password storage applications. It may be you should be attacking that instead. I think some are available as apps on smartphones.

 
Posted : 31/12/2011 10:13 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

RAR files are among the hardest to crack quickly.

The (relatively short) user password is converted into a key. And the key is used to encrypt the file with AES.

Brute forcing the passwords is very slow due to the complex way RAR converts the user password into a 128bit key. Each password attempted requires the hashing of 5.7MB of data with SHA-1. Which is slow. Some details are here,
http//anrieff.net/ucbench2011/technical_qna.html#sec3

You could instead try and guess the key, but with the key being 128bits, there are too many possibilities.

You also can't do rainbow tables as there is a salt used to make each RAR file unique.

So best remaining solution is A) Massive amounts of hardware or B) Making a dictionary of possible passwords then hoping the password is in the dictionary.

For B) you can build a dictionary from the content of the hard drive, by extracting the text from all documents and unallocated disk space. You then use the dictionary against the RAR file. This is done in the hope that the password (or a variant of it) was used elsewhere. e.g. it might be part of an address, a family member's name, in an E-mail, etc..

 
Posted : 03/01/2012 3:10 am
(@p38cyq)
Posts: 44
Trusted Member
Topic starter
 

Thank you for your answers.

Tried the proposed solutions…. nothing found out so far.

Any more suggestions?

Thanks.

 
Posted : 14/01/2012 1:27 pm
Share: