Tips on finding a password  

StreetForensics
(@streetforensics)
Member

I have a case in which I have several compressed files that are using some password protection, 7z and RAR files in particular. I know my suspect opened the files, since a file named the same as the archive, but as an AVI, appears minutes after the archive is downloaded.

I'm using EnCase for the exam. I've indexed and have searched for the "I don't know what else to search for" term of "password" and filtered to the date of the files being downloaded, but I'm not finding anything that seems like it's of note.

Assuming the password could have been provided in a number of ways (email, SMS, website, etc.), what are some tips/ideas/strategies I can use to try and find them? Maybe he saved them somehow. Maybe they're in unallocated space, but what term should I try searching for?

I am using PRTK to try and crack one of the files with a dictionary attack. If/when that fails, I will see if I can export the index from EnCase and build a dictionary with it for PRTK, but I'm not sure how easy/compatible that will be. (I'm very unfamiliar with PRTK.)

Any suggestions are welcome. Other tools, maybe? Ophcrack?

Posted : 26/03/2018 11:39 pm
Bunnysniper
(@bunnysniper)
Active Member

Any suggestions are welcome. Other tools, maybe? Ophcrack?

bulk_extractor is a nice tool to generate wordlists from strings found on the suspect's computer. Have a look at the pagefile and hiberfil; he or she might have used the clipboard to copy and paste the password. Last but not least, check for password managers like KeePass or LastPass to win the jackpot.

Happy Hunting!

Posted : 27/03/2018 12:27 am
Kenobyte
(@kenobyte)
Junior Member

Since this is an exam, do you know anything about the password at all? Can you explore the compressed folder and see file names at all, and are you just not able to open them using EnCase? I have had success using hashcat on 7zip and RAR files; however, I will tell you we are running a box with 5 GPUs to do it relatively quickly, and I doubt they would require something like this for an exam. I would also try pw or pw= as a search term; if it's a relatively simple exam, it couldn't hurt.

Posted : 27/03/2018 10:08 pm
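Bunnysniper's suggestion of building a wordlist from strings on the suspect's machine, the original poster's idea of turning an index into a dictionary, and Kenobyte's "pw=" search term all come together in a small script. The following is an added example written for this thread; it is not code from any poster and not bulk_extractor itself. It runs over a constructed byte blob (made-up sample data, not case data) that stands in for an exported pagefile.sys or a carved unallocated-space extent, pulls printable ASCII and UTF-16LE strings (Windows keeps clipboard, registry and many in-memory strings in UTF-16LE, so an ASCII-only strings pass misses them), lifts any token that follows a password-style label, and emits a frequency-ordered wordlist with a few cheap mangles that PRTK or hashcat can consume. One caveat on hiberfil.sys: it is stored compressed, so decompress it (Volatility or a hibernation-file converter) before running anything like this over it.

```python
"""Wordlist builder for a password hunt over raw forensic data.

Added example for this thread, not code from any poster and not bulk_extractor.
Feed it the bytes of an exported pagefile.sys, a decompressed hiberfil, or a
carved unallocated-space extent; SAMPLE below is a made-up stand-in."""
import re
from collections import Counter

# Printable ASCII runs, and the same text in UTF-16LE (how Windows stores
# clipboard, registry and many in-memory strings).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,64}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,64}")
# 'pw=', 'Password:', 'pass = ' ... followed by the token we actually want.
LABEL_RE = re.compile(r"(?:password|passwd|pass|pwd|pw)\s*[:=]\s*(\S+)",
                      re.IGNORECASE)
# Separators that usually delimit words in paths, URLs and free text.
SPLIT_RE = re.compile(r"[\\/\s?=:]+")

# Constructed sample data (not from any case): some header bytes and nulls,
# a download path, a UTF-16LE chat fragment, an e-mail fragment, noise,
# a repeated filename and a share link carrying the password in its query.
SAMPLE = (
    b"\x00\x00\x00MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    b"C:\\Users\\suspect\\Downloads\\vacation.7z\x00\x00"
    + "archive pw= H0rse!Stapler see you".encode("utf-16-le")
    + b"\x00\x00\xff\xfe\x00\x00"
    + b"Subject: re: files\r\nPassword: Tr0ub4dor&3\r\n\x00\x00"
    + b"\x01\x02\x03abc\x00\x00"
    + b"vacation.avi\x00\x00" * 3
    + b"http://example.invalid/share?pw=H0rse!Stapler\x00"
)


def extract_strings(data: bytes, min_len: int = 4):
    """Yield printable strings found as plain ASCII or as UTF-16LE."""
    for m in ASCII_RE.finditer(data):
        s = m.group().decode("ascii")
        if len(s) >= min_len:
            yield s
    for m in UTF16_RE.finditer(data):
        s = m.group().decode("utf-16-le")
        if len(s) >= min_len:
            yield s


def find_labelled_passwords(data: bytes):
    """Tokens that directly follow a password-style label, first-seen order."""
    found = []
    for s in extract_strings(data):
        for m in LABEL_RE.finditer(s):
            tok = m.group(1).rstrip(",.;)")
            if tok not in found:
                found.append(tok)
    return found


def build_wordlist(data: bytes, min_len: int = 6, max_len: int = 32):
    """Frequency-ordered candidates (ties alphabetical); anything found next
    to a password label is moved to the front so the dictionary attack tries
    it first."""
    counts = Counter()
    for s in extract_strings(data):
        for tok in SPLIT_RE.split(s):
            if min_len <= len(tok) <= max_len:
                counts[tok] += 1
            # 'vacation.avi' -> also try the bare stem 'vacation'
            stem = tok.rsplit(".", 1)[0]
            if stem != tok and min_len <= len(stem) <= max_len:
                counts[stem] += 1
    ordered = [t for t, _ in sorted(counts.items(),
                                    key=lambda kv: (-kv[1], kv[0]))]
    front = find_labelled_passwords(data)
    return front + [t for t in ordered if t not in front]


def mangle(word: str):
    """A handful of cheap variants; PRTK levels and hashcat -r rules do far more."""
    seen = []
    for v in (word, word.lower(), word.capitalize(), word.upper(),
              word + "1", word + "!", word + "123"):
        if v not in seen:
            seen.append(v)
    return seen


if __name__ == "__main__":
    # Write one candidate per line; this is the format PRTK and hashcat take.
    for w in build_wordlist(SAMPLE):
        for v in mangle(w):
            print(v)
```

Run it against the real exports instead of SAMPLE (`build_wordlist(open("pagefile.sys", "rb").read())`), redirect the output to a file, and hand that file to PRTK as a custom dictionary or to hashcat with the 7z/RAR hash extracted by the usual 7z2john/rar2john helpers. The labelled-token pass is the cheap win: a "pw=" or "Password:" hit with the archive's name nearby is worth trying by hand before any GPU time is spent.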
redcat
(@redcat)
Active Member

I have a case in which I have several compressed files that are using some password protection, 7z and RAR files in particular. I know my suspect opened the files, since a file named the same as the archive, but as an AVI, appears minutes after the archive is downloaded.

Be cautious about that statement unless you have other context about the computer user's actions that you aren't revealing. It might be reaching unless you have strong proof of whose fingers were on the keyboard at the time. Was the RAM captured, or has that horse bolted? Since you have a fairly tight window of a few minutes to look at, have you scanned through all artefacts in a timeline, from a few minutes prior to the archives appearing to just after they were opened, to see what changed across the entire system?

Any idea of where the archives came from? That might give some more avenues to explore: is the password sitting in plaintext with the original archives in a Dropbox, on an FTP server or on a thumb drive? You're absolutely right that the password might have been sent entirely separately; that would be reasonable security practice. Have you got the SoI's other exhibits to work with? Where did the extracted AVI go afterwards? Even if you can't carve a working AVI out, there might be a media player's SQLite DB with a story to tell about what happened next, or a jump list, or whatever. Most people want to do something with their AVI once extracted, like check it plays.

In terms of tools, PRTK's pretty good; Passware's better if you can afford it. Of course, the most trivial and cost-effective solution hasn't been mentioned: have you asked for the password(s) nicely and/or with a legislative stick to beat them with? In UK criminal cases we have RIPA requests if it's proportionate; no idea what your local legislation would be.

Posted : 27/03/2018 10:36 pm
StreetForensics
(@streetforensics)
Member

Thanks for the tips so far. I have some user passwords for this case, profile accounts mostly, but since it appears these files were downloaded already PW protected, I doubt the passwords are related to any my target uses.

No, I cannot open the compressed archives; EnCase actually asks for a PW when attempting this.

I'll give the terms you provided a try though. Thanks.

Posted : 27/03/2018 10:36 pm
redcat
(@redcat)
Active Member

No, I cannot open the compressed archives; EnCase actually asks for a PW when attempting this.

Try opening a copy in 7-zip. It should allow you to see the contents, albeit not extract them.

Posted : 27/03/2018 10:38 pm
StreetForensics
(@streetforensics)
Member

Excellent reply, Redcat! Great advice. Yes, you're right: a 'user' certainly knew the PW in order to open it. My stretch that it's my suspect is just that. I'm going to look around the system for the clues you pointed out as well.

No RAM Captured.

PRTK is churning away. This is more of an exercise in a PW hunt for me; the case is very much in favor of the state (in my opinion). Not getting into these files won't hurt the case at all. It's just a rabbit hole I'm wandering down for the next case I have where this may be important.

Posted : 27/03/2018 10:43 pm
StreetForensics
(@streetforensics)
Member

No, I cannot open the compressed archives; EnCase actually asks for a PW when attempting this.

Try opening a copy in 7-zip. It should allow you to see the contents, albeit not extract them.

/Insert Facepalm/ I should have known this, haha. Thanks, yup, it worked like a charm! Not on the RAR files, but good enough. One more nail in the coffin!

Posted : 28/03/2018 12:43 am