Oxygen Forensic KeyDiver – Keys To The Kingdom: Part 2

The following transcript was generated by AI and may contain inaccuracies.

Keith Lockhart: Okay guys, I’m back for part two of Keys to the Kingdom. That’s a play on words because part one was all about Key Scout. Part two is about Key Diver, and some Key Scout thrown in because what we’re going to do in this part is talk about breaking things open.

If you don’t know what Key Diver is, Key Diver is up on the screen right here and over on the right-hand side I’ve got Detective open. I’m just gonna scroll down to the tools section on the home screen where we have Oxygen Forensic Key Diver.

You will probably remember Passware built into Detective—some OEM Passware Kit Mobile technology where we could throw an iTunes backup in there or an Android backup and work on decrypting those things, or at least getting access to them by dictionary attacks and things like that.

Now, common question: “Hey, do you guys decrypt Word documents or other stuff?” The answer was not really, the focus being on mobile. However, Key Diver has grown up to start hashing all kinds of things. And what I mean by hash is let’s use the simple analogy that I’m gonna create a password, and the algorithm used to protect whatever I’m protecting is going to store a hash of that password somewhere inside the document or the file.

We know how to find that and compare it against things. Here’s a stored hash of the password—don’t know the password, gotta guess against it. Maybe I guess in a key space, I can try to brute force all the available keys in an algorithm. It’s not gonna work most of the time. I’ll show you why here in a second.

So we need good dictionaries to break things open. That’s pretty much the name of the game today. Now here’s where Keys to the Kingdom come together with E01. Let me not leave that out of it because the big focus of this conversation is based on some recent functionality in Detective—we can now export word lists from our extractions.

What that means is, well, let’s think about this. A word list—where could you get a word list? In my past I was all about indexing a hard drive with FTK and AccessData. If you could index all the strings on a hard drive, you had one of the best user-defined dictionaries ever.

Social engineering: I could sit down and take somebody and say, “Hey somebody, you’re in trouble. Actually, you’re under arrest. What’s your social security number?” And, “I don’t have to shoot your dog when it jumps back over the fence and we’re sitting here in your front yard. What’s your pets’ names?” And, “When your kids come home—I want to tell them you’re not gonna go to prison forever. What are their names?”

What am I gathering from you right now, or this person? Things they use for passwords, right? A user-defined dictionary of socially engineered stuff that people use when they sit down at a computer and are told to protect something—whether it’s your autocomplete data in your browser, your bank account login. Because you’re lazy or human, we store everything. So if we can find those lists—rather than taking every random word in the universe and trying them—let’s at least try to focus our effort.

Alright, let me throw back in time here a little bit. I’m gonna open the good old-fashioned key space calculator. I probably took this thing around the world for 20 years. So much fun.

There’s two facets to protecting something: the available key space of the algorithm—so I could have 52 quadrillion keys—and the entropy of your password. Which means, look, you can have the best lock in the world, but if you make a really small number of keys for it, you don’t really have to try a whole lot.

If your password’s two characters long, that’s not good. If your password’s 40 characters long, all random and not one word that’s known from a dictionary, now you’re talking. But let’s talk about key space to illustrate a problem.

If my algorithm is two bits, well, two bits gives you a potential of four keys. And if my computer guesses 250,000 guesses per second, well, guess what? One machine doesn’t even blink—it gets that done.

Let’s take a massive leap in time. We can play the game. What does an eight-bit system look like? You got 256 keys, 250,000 guesses a second, one machine—yeah, anyway, okay.

What about a 16-bit system? Because every time we add a bit, the number of choices doubles. You can go all the way back to FAT16, which could keep track of 65,536 things—zero to 65,535. Hey, one computer can still guess through that at 250,000 guesses a second in no time.

So let’s jump up to 40-bit encryption where we have—oh wow, now we’re talking—now we’ve got 1,099,511,627,776. Well hey, one computer guessing 250,000 guesses a second could do that in about 50 days. Okay, now that’s completely unrealistic today.

Let’s say your machine’s guessing a million guesses per second against the derivation of that key. Technology’s a lot faster—Moore’s Law, whatever you wanna say. Look, we could guess through, if you had the best possible password ever, all the keys that could be generated by that best possible password. We could still get through it in 12.7 days.

Okay, we’re not at 40-bit anymore. Now watch this. There are 2048-bit algorithms out there. I’m gonna throw down a 256-bit algorithm and—wow—okay, we just went off the chart. This number just says, “die, human.” I mean, you’re never gonna—okay, wait, I know what you’re saying. “Well Keith, you only got one machine.”

You’re right. Let’s do 50 machines guessing a million guesses a second. Yeah. And you’re like, “But no, no, technology’s really great.” I agree with you. Let’s add a couple more zeros on there. Let’s say we have all the computers in the country—5 million computers guessing 100 million guesses a second. Not a change. Good luck with that.

Okay, let’s say we’ve got DNA with all the computers around the world and they are supercomputers like crazy from Planet Krypton. So we are not gonna get through that key space. If you see where I’m hovering with that cell, that’s probably more grains of sand than all the beaches in the universe. I don’t know—any good ChatGPT answer will tell you you’re not getting through the number of keys. You can’t brute force all these keys with technology we have today.

So what do we need? The password, right? So let’s think about this: if I take a password and I provide it to whatever I’m protecting, and it says, “Oh great, I’m gonna take that password and do some things to it, hash it up and store the hash somewhere.” So when you come back later and put your password back in the box, I can do what I do to it and make sure it matches what’s stored, and I’ll give you access to that.

So this comes back to: we need good dictionaries. We need good dictionaries to go after things. Again, where do we get those dictionaries?

Let me pop open Detective here real quick. I’ve got one extraction in here and this is a PC, by the way. This is an E01. And I bring that up again—there are tons of E01s laying around out there in storage, not cold storage. Old cases, maybe you’re working on them now and you need another way to generate a word list because maybe you’re trying to break something open.

Okay, accounts and passwords. You all would recognize accounts and passwords from Detective already saying, “Hey, we got a phone extraction or anything we can do—we always go after whatever accounts and passwords and tokens we can display.” That’s from known locations and known applications—not word lists from things like message content or browser search histories or things like that. Hey, five’ll get you ten—things you’re searching for on the internet are things you like and may very well possibly be passwords.

Okay, now here’s the thing. I’m just going to—actually, let’s get rid of this. I will remove this extraction out of here. And in Detective, I’m going to use the option to load a Windows, Mac, or Linux physical image. And you can see E01 is one of those options because when I do that, one of the Keys to the Kingdom comes into play—Key Scout pops up.

You can see I’ve already been here to find this E01 file because it’s gonna load through Key Scout. So let me open that and click Next. And it’s gonna say, “What operating system is this?” just to help me be clear on that. And I’ll pick Windows, and I’m just gonna go ahead and pick application system artifacts, passwords, and tokens by default paths.

But if we were gonna create a profile, here’s where this gets really interesting. Look at all the applications that are supported. Matter of fact, I can sort by Windows since we’re playing a Windows game right now and apply that. And any of the content and any of the cool stuff we can find from these Windows applications might very well give us word list content. So I’ll cancel that.

I’m gonna take the default for everything and I’ll start a search. I’m just gonna let it go against this E01. I can hyper-speed us through the process here, but you can already see—oh look, DuckDuckGo, Google Chrome, Microsoft Edge, Discord, Signal, Phone Link. It’s just going to town, finding all kinds of things.

And then we’re gonna pull this into Detective to recreate what I just deleted a second ago. But this Key to the Kingdom allows us to go grab E01s that we have laid anywhere and pull them in like this. So I’ll get them in Detective, and then we’re gonna see what it looks like to export that word list and give it to Key Diver to use as a dictionary. Find out how that becomes super valuable to us.

Okay, let’s open this thing up. It looks like the one I just got rid of a minute ago. And here, watch this. I can right-click and create a word list from words and numbers. This little algorithmic script-type thing goes through and it says, “Okay, listen, what applications do you wanna export data from?”

And I’m gonna pick all of them just to see what we get here. Do you wanna limit your word length in any particular fashion? Two and 255, that’s fair. So it’s saying, “Find me strings separated by non-word characters like spaces.” Let’s save that and I’m just gonna call it on my desktop—well that’s a long name—how about “Keys to Kingdom Word list,” KTKW.txt. And I’ll save that out to my desktop there.

And I’ll tell you this, I’m gonna cheat and show you something. Here in Chrome, I actually went out and searched for—yes, this is me doing this—I searched for Klingon and Gowron, who’s a Klingon. If you have any Star Trek lore inside of you, or know me and my affinity for science fiction, those are some keywords searched on the internet. And like I said earlier, look, five’ll get you ten—things I searched for, I’m interested in and could very well be a password. Good enough on that.

I’ll minimize Detective out of the way. I’ve already got Key Scout done, so I’ll minimize that. And then I’ve got Key Diver up here waiting on me. Now I’ve also got an encrypted Word document up here.

So let’s look at Key Diver for any of this other Key to the Kingdom. Just a quick rundown, and hey, pay attention in 2026—we’re gonna build some Key Diver “let’s break into things” training dedicated to how to use this and get those great dictionaries and get into things we can’t get into.

So there’s some efficiency settings—temperature thresholds that tell the machine to back off a little bit, queue management for things, recovery rates, dictionary management. Enable CPUs or selections or GPUs and things like that. And this is pretty cool because not only can we do GPU, we can do CPU, and sometimes technologies don’t incorporate both like that. So this is a good thing.

We have a dashboard here of in-progress jobs, in the queue, paused, successful, errors or fails. Create new attacks—I just got some things in here from playing around before. We can also look at different columns we’d like to see in our dashboard here.

I’m just gonna create a new attack. Let’s look at how this works. To create a new attack, upload an attack settings file or select a supported object type from the list. Let’s look at the list: ZIP, NTLM, 1Password, PDF, 7-Zip, Huawei, Telegram, BitLocker, Android, FileVault—all kinds of fun stuff.

As this continues to grow, it’s like watching Cloud Extractor have updates or Detective have new features. I’m always looking for Key Diver to have new things in the list to go attack. So I’m just gonna pick Word.

And it says, “Okay, when creating a document, the user could set a password. The password can be brute forced by extracting the encryption information.” Which means let’s load this encrypted Word document I have sitting on my desktop. And hashcat goes out and finds the stored value it wants to compare against. So I’ll click Next.

And here we go. How are we gonna attack this? Well, I want to select method. I’m not doing a template right now. Do I wanna make a mask? Which allows you to do all kinds of brute force switch-aroos and different variations of combinations and everything to brute force all the potential combinations.

Do I wanna use a dictionary? Or an extraction-based dictionary? And this is just taking the passwords and account list from any of our extractions in Detective. But no, we’re gonna do this one right now—a straight-up dictionary. “This method involves trying passwords from a downloaded dictionary, which can be compiled by the user or found in the relevant resources.”

And “relevant resources” is a super keyword right there, because now that we can pull a word list from an E01—somebody’s hard drive—that is a relevant resource. That’s like sitting down and writing down the social engineer dictionary list, or going out to the internet and getting RockYou, which is like 100,000 or 10,000 of the most common passwords in the universe that are always used or whatever. It’s wherever you can get good dictionaries to guess with—better for you.

So I’m gonna pick dictionary here, and it says “Select dictionary.” My list right now is the 100,000 most popular—comes by default in the tool. All kind of variations of PINs: 4-5, 4-9, 4-4, 4-6, 4-5-6. Just hey, if you’re using a phone and you gotta put in a six-digit PIN, what are all the combinations there? Let’s go through them.

Or previously acquired passwords—call that the Golden Dictionary. In my old life, I’ll call it the Golden Dictionary here too. Hey, if I recover a password, that is a golden nugget of information. You know why? Because people use the same passwords over and over. I work here—I worked at AccessData with Password Recovery Toolkit and Distributed Network Attack technology—and I still use the same passwords. I’m human. We all do it. So if you can recover one, chances are it will break into other things. We’re gonna keep track of those.

But in this case, I’m gonna add a new dictionary because I’m gonna use the one we just made—KTKW. I’ll open that. It’s in there. Terrific. So in my list, let me make sure I pick it. There we go. And I’ll click Next. You can see there’s 14,625 strings in here—things to guess in our list.

Well, I actually want to have some demonstrative showcasing of Key Diver here. So let me go back. I’m actually gonna add in here the most popular 100,000. So now we’re up to 114,625. So I’ve got both of those dictionaries selected and I’ll click Next.

Now, what do I want to do here? There’s a lot of functionality involved in how far you want to take this. I could add suffixes to the word, prefixes to the word, I can change character order around, I can skip characters, I can use upper/lowercase. I mean, you can use all kinds of permutations of these dictionaries to replicate what the human was thinking, right?

So I’m sitting at the keyboard and 25 years ago I was asked, “Hey, gimme a password.” “Ah, well my pet’s name’s R2-D2. Nobody’s ever gonna guess that.” Even though Star Wars was super popular and probably everybody’s pet’s name is R2-D2. Nobody guesses that. So I put it in, and of course somebody guesses that.

So the next time it says, “Hey, I need a password.” Like, “Well I got burned by R2-D2 back in the day, so I’m gonna put the last four digits of my phone number.” And nobody’s gonna guess that because they wouldn’t even think that. Well, of course they do.

So the next time I put R2-D2 and the last four digits of my phone number together, because nobody would ever come up with that. Of course they come up with that. You see what I’m saying?

Here we are trying to replicate what the human’s thinking. So we have all kinds of different parameters we can apply to even the simplest list. Think of that social engineering example I just gave you. What’s your pet’s name? What’s your social security number? What’s your kids’ names? What’s your phone number? What’s your address? Things that are right at the tip of everybody’s tongue when they need a password on the spot. And then we can take those and mix and match them together.

Man, help our tools help us become better breakers of things. I would say, let me help my technology help me—help us both become a better investigative team. This works with this kind of stuff too.

Right now I’m not gonna pick any of this because it would exponentially increase my time to do things. So I’ll click Next.

And here I get to say, “Okay, how do you wanna go about this? You know, throw down as hard as your computer can do it, or just average.” What temperature you gotta start at—60 degrees Celsius is the minimum you can make the threshold. I don’t think we’ll hit that during this, but I’m gonna leave it at 60.

And I’m gonna pick, you know what, I’ll use my Intel GPU, I’ll use my NVIDIA stuff, I’ll use my Intel CPU, and then I think the NVIDIA’s listed twice because of a driver up there. I think I’ll pick it all. I’m just gonna go hog wild and pick every resource I have. Okay, let’s start that and see what happens.

Now I am a crazy addict of watching speed—things go fast. So I’m just gonna come here and watch. Well, I’ll watch right here. Here we go. I’m looking at the Intel graphics card and the attack.

So what Key Diver’s doing in the background is saying, “Okay, out of these 114,000 passwords, you picked a Word document. Okay, I gotta do this to each one to try to match that hash.” Let’s see—figuring out what it’s doing, essentially.

And you’ll watch in a second, it’s gonna take off guessing and formulating all the derivations that it has to formulate to make the guess against what’s stored in that file. Oh, and there we go.

So my attack is in progress. My CPU, GPU is at 53 degrees Celsius. Wow, look at that—this is what I love to see. I mean, don’t waste a cycle type thing. So I’ve got the Intel GPU kicked off right here. The NVIDIA’s not even being touched right now. What’s the CPU doing? Hey, I got a bunch of cores—mid-ranging it. I picked average, so that’s about fair.

But I love watching that right there. That’s crazy. Oh, we’re kicking up to 55. This’ll be interesting. We’re at 3% now. I got some passwords checked here. Oh wow, 44%—got passwords checked, got time elapsed and remaining. Ooh, it’s the waiting game. 56%, 75%, 86,000 passwords checked, 19 seconds remaining.

Oh, look at that—100,000 passwords checked, 10 seconds remaining, and “Klingon” is the password!

Now you might recall that was one of the search terms. I look at everything dropping off back to normal over here. That was one of the search terms in our word list. Let’s just check in there. I will go in here and let’s do a Control-F for “Klingon.” Oh, and there it is. Matter of fact, I think there might be a couple examples—there’s an uppercase K and “3D Klingon.” Yeah, but certainly the “Klingon” I was looking for was right there.

Okay, let’s recap what we just did in a Keys to the Kingdom conversation. I used Key Scout to open an existing E01 to generate a word list through Detective from the parsed apps from Key Scout against the E01. I gave that word list to Key Diver as a dictionary to attack a targeted file.

Because listen, the target of my attack here is a Star Trek fan. Now I don’t know—in this case, look, all the intel I can give the tool, the Key Diver tool, to guess against this encryption, the better. The better dictionary I have, the better chances I have of success, because we’re not gonna exhaust some of those massive key spaces.

Again, you could have the most killer lock in the world with the most voluminous number of keys ever available, but if you have a three-character password, you’re not doing yourself any good. Or if you have a known word—100,000 of the best-known passwords like password123, or Klingon.

What would’ve been better would’ve been percent-upside-down-character Klingon 1-2-9-6-8-4-2-H-J-Q-L-M. I mean, some fractal password from Hades would be the way to do that.

But in this case, we were able to use a couple of Keys to the Kingdom together to get a super killer word list to break something open. There you go. Happy Oxygen Technology.
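The key space calculator Keith walks through above, as an added worked example (not Oxygen's code): it reproduces the page's figures (2^40 keys at 250,000 guesses/s is about 50 days, at 1,000,000 guesses/s about 12.7 days) and shows why the password's entropy, not the cipher's key length, caps the work. The 95-character alphabet and the "planet-scale" machine counts are assumptions for illustration.

```python
from __future__ import annotations

import math

SECONDS_PER_DAY = 86_400.0
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def key_space(bits: int) -> int:
    """Number of distinct keys for a key of the given bit length (2**bits)."""
    return 1 << bits


def exhaustive_search_seconds(bits: int, guesses_per_second: float, machines: int = 1) -> float:
    """Worst-case seconds to try every key at the aggregate guess rate.

    Returns math.inf when the key count exceeds float range (e.g. 2048-bit),
    which is the calculator's off-the-chart "die, human" cell.
    """
    rate = guesses_per_second * machines
    try:
        return key_space(bits) / rate
    except OverflowError:
        return math.inf


def exhaustive_search_days(bits: int, guesses_per_second: float, machines: int = 1) -> float:
    return exhaustive_search_seconds(bits, guesses_per_second, machines) / SECONDS_PER_DAY


def exhaustive_search_years(bits: int, guesses_per_second: float, machines: int = 1) -> float:
    return exhaustive_search_seconds(bits, guesses_per_second, machines) / SECONDS_PER_YEAR


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def effective_search_bits(key_bits: int, alphabet_size: int, length: int) -> float:
    """The attacker only has to guess the password, so the real search space is
    the smaller of the cipher's key space and the password's entropy."""
    return min(float(key_bits), password_entropy_bits(alphabet_size, length))


def describe(bits: int, guesses_per_second: float, machines: int = 1) -> str:
    """One calculator row, e.g. '2^40 keys, 1 machine(s) at 250,000 g/s: 50.9 days'."""
    days = exhaustive_search_days(bits, guesses_per_second, machines)
    if math.isinf(days):
        when = "never (beyond float range)"
    elif days < 1:
        when = f"{days * SECONDS_PER_DAY:.1f} seconds"
    elif days < 3650:
        when = f"{days:.1f} days"
    else:
        when = f"{days / 365.25:.3g} years"
    return f"2^{bits} keys, {machines} machine(s) at {guesses_per_second:,.0f} g/s: {when}"


if __name__ == "__main__":
    for bits, rate, machines in [(2, 250_000, 1), (16, 250_000, 1), (40, 250_000, 1),
                                 (40, 1_000_000, 1), (256, 100_000_000, 5_000_000),
                                 (2048, 100_000_000, 5_000_000)]:
        print(describe(bits, rate, machines))
    # Assumed 95 printable ASCII characters: a 2-char password leaves ~13 bits to search,
    # a 40-char random one exceeds even a 256-bit key, so the key space becomes the limit.
    print(effective_search_bits(256, 95, 2), effective_search_bits(256, 95, 40))
```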

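The "create a word list from words and numbers" step (strings separated by non-word characters, length 2 to 255, merged with a popular-password list) as an added example in Python; this is not Detective's exporter, and the `\w+` tokenizer, the app names and the artifact text are constructed assumptions. It also includes the Control-F check for "Klingon" and a defender-side check of whether a password is derivable from one's own device artifacts.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed stand-ins for the kind of parsed app content Key Scout surfaces
# from a PC image: browser search history, a chat message, an autofill entry.
SAMPLE_ARTIFACTS = {
    "chrome_history": "Klingon | Gowron klingon chancellor | 3D Klingon models",
    "signal_message": "Dinner at 7? Don't forget R2-D2's vet appointment!",
    "chrome_autofill": "keith.lockhart@example.com 555-0142",
}

# Constructed stand-in for the tool's built-in "most popular" dictionary.
MOST_POPULAR = ["123456", "password", "password123", "qwerty"]

# Assumed tokenizer: runs of word characters; anything else is a separator.
WORD_RE = re.compile(r"\w+", re.UNICODE)


def words_from_text(text: str, min_len: int = 2, max_len: int = 255) -> list[str]:
    """Strings between non-word characters, keeping only those within the length limits."""
    return [w for w in WORD_RE.findall(text) if min_len <= len(w) <= max_len]


def build_word_list(artifacts: dict[str, str], apps: Iterable[str] | None = None,
                    min_len: int = 2, max_len: int = 255) -> list[str]:
    """Unique strings, in first-seen order, from the selected apps (all apps by default)."""
    selected = None if apps is None else set(apps)
    seen: dict[str, None] = {}
    for app, text in artifacts.items():
        if selected is not None and app not in selected:
            continue
        for word in words_from_text(text, min_len, max_len):
            seen.setdefault(word, None)
    return list(seen)


def merge_dictionaries(*lists: list[str]) -> list[str]:
    """Combine several dictionaries without duplicates, preserving order."""
    merged: dict[str, None] = {}
    for entries in lists:
        for entry in entries:
            merged.setdefault(entry, None)
    return list(merged)


def hits(word_list: list[str], term: str, case_sensitive: bool = False) -> list[str]:
    """The Control-F step: entries containing the term (case-insensitive by default)."""
    needle = term if case_sensitive else term.lower()
    return [w for w in word_list if needle in (w if case_sensitive else w.lower())]


def password_in_wordlist(password: str, word_list: list[str]) -> bool:
    """Defender check: would this exact password fall out of my own device's artifacts?"""
    return password in word_list


if __name__ == "__main__":
    derived = build_word_list(SAMPLE_ARTIFACTS)
    combined = merge_dictionaries(derived, MOST_POPULAR)
    print(len(derived), "derived strings;", len(combined), "after merging the popular list")
    print("Klingon hits:", hits(combined, "Klingon"))
    print("'Klingon' guessable from artifacts:", password_in_wordlist("Klingon", combined))
```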