Handling Encrypted Evidence &
Password Recovery
Nataly Koukoushkina
June 2010
CCFC 2010, Workshop
Passware
◦ In business for 12 years
◦ Offices in USA and Russia
◦ Products included in Certified Computer Examiner (CCE) training
Passware Kit Forensic
◦ Password recovery & decryption for 180 file types and hard disks
◦ Scans computers for encrypted data
◦ Acquires memory images over FireWire
◦ Supports Tableau TACC and GPU to speed up password recovery
◦ Supports Distributed Password Recovery
◦ Includes USB Portable version
Part I. Encrypted Evidence Discovery & Decryption.
◦ Overview of encryption types
◦ Discovering encrypted evidence
◦ Recovering easy and strong passwords
◦ Hardware acceleration methods
Part II. Hard Disk Decryption.
◦ Overview of hard disk encryption
◦ Acquiring memory image
◦ Decrypting hard disk
Stored passwords
◦ Internet browsers, etc.
Files
◦ Passwords
Disks
◦ Full Disk Encryption
◦ Software: BitLocker, PGP, TrueCrypt
◦ Hardware
No more "homegrown" encryption
Standard, widely accepted encryption algorithms are used
The password is hashed (e.g. with SHA-1) and the result is used as the encryption key (AES)
"Key strengthening": SHA-1 is applied 10,000 times
Office 2010, WinZip and RAR all use SHA-1/AES
This is secure!
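The key-strengthening pattern described above, as an added illustration that is not code from the presentation or from Passware: a salted SHA-1 hash of the password is re-hashed a configurable number of times and the result becomes the AES key, while the file format stores only a hash of that key as a verifier. The counter mixing and the 16-byte truncation are assumptions of this sketch, not the exact key derivation of Office 2010, WinZip or RAR. The main block times how many password guesses per second one core manages at 1, 1,000 and 10,000 iterations, which is the factor that key strengthening costs an attacker and a password-recovery tool alike.

```python
import hashlib
import time

# Added illustration of iterated-hash key strengthening (generic sketch of the
# pattern on the slide, not the exact KDF of any product or file format).


def derive_key(password: str, salt: bytes, iterations: int, key_len: int = 16) -> bytes:
    """Hash salt||password with SHA-1, then re-hash `iterations` times.

    Returns the first `key_len` bytes of the final digest (16 -> an AES-128 key).
    """
    if not 1 <= key_len <= 20:
        raise ValueError("SHA-1 yields at most 20 bytes")
    h = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for i in range(iterations):
        # Mixing a round counter in keeps every round distinct (an assumption of
        # this sketch; real formats differ in how they chain the rounds).
        h = hashlib.sha1(i.to_bytes(4, "little") + h).digest()
    return h[:key_len]


def make_verifier(password: str, salt: bytes, iterations: int) -> bytes:
    """What a format stores on disk: the salt and a hash of the derived key, never the key."""
    return hashlib.sha1(derive_key(password, salt, iterations, key_len=20)).digest()


def check_password(candidate: str, salt: bytes, iterations: int, verifier: bytes) -> bool:
    """Each candidate costs the full iteration count before it can be rejected."""
    return make_verifier(candidate, salt, iterations) == verifier


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure single-core guessing speed at a given iteration count (constructed candidates)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    for n in (1, 1_000, 10_000):
        print(f"{n:>6} iterations: {guesses_per_second(n):12.0f} guesses/s")
```

The ratio between the first and last line of output is the slowdown the 10,000-round strengthening buys; the same ratio applies to a GPU or accelerator, which is why those speed-ups are quoted as multipliers later in the deck.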
Part I. Encrypted Evidence Discovery & Decryption.
◦ Discovering encrypted evidence
Passware Encryption Analyzer
Scans computers and network for password-protected files
Detects over 160 different file types
Scan speed over 4,000 files per minute
Detailed reports: lists encryption types and how difficult it might be to decrypt the file
Part I. Encrypted Evidence Discovery & Decryption.
◦ Recovering easy and strong passwords
Password (or encryption key) attacks
Surprise seizure of the running computer
As encryption becomes more secure, password attacks must start from the weakest link.
The same (or similar) passwords are typically reused
Find the least secure encryption type first
Finding the weakest link:
Start with file types that are easy to decrypt
Build a good dictionary
Use the wizard if the password pattern is known
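Putting the Encryption Analyzer slide and the weakest-link ordering together, here is an added example of a triage scanner; it is not Passware's code and not part of the presentation. It identifies files by on-disk signature, checks each format's own encryption marker (general-purpose flag bit 0 in a ZIP local header, the /Encrypt entry in a PDF trailer, the EncryptionInfo stream of an Office 2007+ compound file) and lists the encrypted files weakest first. The priority numbers are a coarse ordering assumed for illustration, not the Analyzer's ratings, and the sample files are constructed in build_samples().

```python
import os
import re
import struct

# Added example: minimal encrypted-file triage. Signatures are the public
# on-disk formats; the priority ordering is an assumption for illustration.

ZIP_SIG = b"PK\x03\x04"
OLE_SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")  # stream name inside OLE directory


def classify(data: bytes):
    """Return (file_type, encrypted, method, priority); lower priority = try first."""
    if data.startswith(ZIP_SIG) and len(data) >= 30:
        flags, method = struct.unpack_from("<HH", data, 6)  # general-purpose flags, method
        if flags & 0x0001:  # bit 0: entry is encrypted
            if method == 99:  # WinZip marks AES entries with compression method 99
                return ("zip", True, "WinZip AES (SHA-1 key stretching)", 3)
            return ("zip", True, "ZipCrypto (legacy stream cipher)", 0)
        return ("zip", False, "", None)
    if data.startswith(b"%PDF"):
        if b"/Encrypt" not in data:
            return ("pdf", False, "", None)
        m = re.search(rb"/V\s+(\d)", data)  # /V selects the security-handler algorithm
        v = int(m.group(1)) if m else 0
        if v <= 1:
            return ("pdf", True, "RC4 40-bit (V1)", 1)
        if v < 5:
            return ("pdf", True, f"RC4/AES-128 (V{v})", 2)
        return ("pdf", True, "AES-256 (V5)", 3)
    if data.startswith(OLE_SIG):
        # Office 2007+ encrypted documents are wrapped in a compound file that
        # carries an EncryptionInfo stream; 97-2003 binaries flag encryption
        # elsewhere and are not detected here.
        if ENCRYPTION_INFO in data:
            return ("office", True, "Office 2007+ (SHA-1/AES, iterated)", 3)
        return ("office", False, "", None)
    return ("unknown", False, "", None)


def triage(files):
    """files: {name: bytes}. Returns encrypted files as (priority, name, type, method), weakest first."""
    found = []
    for name, data in files.items():
        ftype, encrypted, method, priority = classify(data)
        if encrypted:
            found.append((priority, name, ftype, method))
    return sorted(found)


def scan_directory(root, max_bytes=1 << 20):
    """Read every file under root (first max_bytes only) and triage it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[path] = fh.read(max_bytes)
    return triage(files)


def build_samples():
    """Constructed sample files (not real evidence) exercising each branch."""
    hdr = "<HHHHHIIIHH"  # version, flags, method, time, date, crc, csize, usize, nlen, xlen
    return {
        "notes.zip": ZIP_SIG + struct.pack(hdr, 20, 0, 8, 0, 0, 0, 0, 0, 0, 0),
        "archive_zipcrypto.zip": ZIP_SIG + struct.pack(hdr, 20, 1, 8, 0, 0, 0, 0, 0, 0, 0),
        "winzip_aes.zip": ZIP_SIG + struct.pack(hdr, 51, 1, 99, 0, 0, 0, 0, 0, 0, 0),
        "manual.pdf": b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
        "scan_v1.pdf": b"%PDF-1.3\n5 0 obj\n<< /Filter /Standard /V 1 /R 2 >>\nendobj\n"
                       b"trailer\n<< /Encrypt 5 0 R >>\n%%EOF",
        "contract_v5.pdf": b"%PDF-1.7\n5 0 obj\n<< /Filter /Standard /V 5 /R 6 >>\nendobj\n"
                           b"trailer\n<< /Encrypt 5 0 R >>\n%%EOF",
        "memo.doc": OLE_SIG + b"\x00" * 504 + "WordDocument".encode("utf-16-le"),
        "budget.xlsx": OLE_SIG + b"\x00" * 504 + ENCRYPTION_INFO + b"\x00" * 40,
    }


if __name__ == "__main__":
    for priority, name, ftype, method in triage(build_samples()):
        print(f"{priority}  {name:24} {ftype:8} {method}")
```

Run `scan_directory(path)` against a read-only evidence mount; the output order is the "start with file types that are easy to decrypt" rule made explicit, with legacy ZipCrypto and 40-bit PDF entries ahead of anything that uses iterated SHA-1 with AES.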
Part I. Encrypted Evidence Discovery & Decryption.
◦ Hardware acceleration methods
Multiple-core CPUs
Tableau TACC Hardware Accelerator: x25
GPU-based attacks (nVidia cards): x20
Distributed password recovery
[Chart: password recovery speed, CPU vs. CPU+GPU, for MS Office 2007 and RAR 3; vertical scale 0 to 5000]
Linear performance scalability
Each computer supports CPUs, GPUs, and TACC accelerators simultaneously
Uses all types of password recovery attacks
Know the enemy: find out what is encrypted and how
Find the weakest link first; it will help to defeat stronger encryption
Use the most effective tool, both software and hardware
Questions?
Nataly Koukoushkina
+1 (650) 472-3716 x 101
nataly@[Link]
[Link]/[Link]
Part II. Hard Disk Decryption.
◦ Overview of hard disk encryption
BitLocker Drive Encryption is a full disk encryption feature included with Windows 7/Vista Ultimate and Enterprise, and Server 2008. It encrypts entire volumes and, as BitLocker To Go, removable drives as well.
TrueCrypt is a free software application for real-time (on-the-fly) encryption. It creates a virtual encrypted disk within a file, or encrypts a volume on either an individual partition or an entire storage device.
Encryption keys are located in computer memory while the volume is mounted, even if the computer is locked
Passware Kit Forensic:
◦ acquires the memory image of the seized "hot" computer;
◦ analyzes the memory image and extracts the encryption keys;
◦ decrypts the TrueCrypt volume
Preserve the state: do not turn off the computer
BitLocker and TrueCrypt keep the encryption keys in memory
Part II. Hard Disk Decryption.
◦ Acquiring memory image
Passware Kit Forensic creates a bootable USB flash drive with a portable memory imaging tool (FireWire Memory Imager), which can be used on any computer with a FireWire port
Passware FireWire Memory Imager acquires a memory image of the target computer over the FireWire port
Part II. Hard Disk Decryption.
◦ Decrypting hard disk
Extract encryption keys from the memory
Decrypt the disk with the keys
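The first of the two steps above (and the Part II overview's point that the keys sit in memory while the volume is mounted), as an added example that is neither Passware's code nor part of the presentation: an AES-128 key in use leaves its full 176-byte expanded key schedule in RAM, and that schedule is recognizable because every round key is a fixed function of the one before it (the approach published by Halderman et al. in 2008). The block expands each 16-byte window of a memory image and reports windows whose expansion matches the bytes that follow. The memory image is constructed inline (pseudo-random bytes with one real schedule embedded at a known offset); decrypting the volume with a recovered key is format-specific and not shown.

```python
import random

# Added example: locate AES-128 keys in a memory image by their expanded key
# schedule. Everything below is standard AES (FIPS-197); the sample image is
# constructed here and is not a real capture.


def _build_sbox():
    """Generate the AES S-box: GF(2^8) inverse followed by the affine map."""
    def rotl8(x, s):
        return ((x << s) | (x >> (8 - s))) & 0xFF

    sbox = [0] * 256
    p = q = 1  # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; affine constant only
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x11B) if rcon & 0x80 else (rcon << 1)  # xtime
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return bytes(b for w in words for b in w)


def _first_round_word(key: bytes) -> bytes:
    """Cheap filter: the first word of round key 1, computed without full expansion."""
    w0, w3 = key[0:4], key[12:16]
    t = [SBOX[w3[1]], SBOX[w3[2]], SBOX[w3[3]], SBOX[w3[0]]]
    t[0] ^= 0x01
    return bytes(a ^ b for a, b in zip(w0, t))


def find_aes128_keys(image: bytes):
    """Return [(offset, key)] for every window whose expansion matches the image."""
    hits = []
    for off in range(len(image) - 175):
        candidate = image[off:off + 16]
        # Only one window in 2^32 passes the 4-byte filter by chance, so the
        # full expansion is rarely needed.
        if image[off + 16:off + 20] != _first_round_word(candidate):
            continue
        if expand_key(candidate) == image[off:off + 176]:
            hits.append((off, candidate))
    return hits


def build_sample_image(key: bytes, offset: int, size: int = 64 * 1024, seed: int = 1) -> bytes:
    """Constructed 'memory image': seeded noise with one real key schedule embedded."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key(key)
    return bytes(buf)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test key
    for off, found in find_aes128_keys(build_sample_image(key, 1234)):
        print(f"key schedule at offset {off:#x}: {found.hex()}")
```

The same idea extends to AES-256 (240-byte schedule, with an extra SubWord step on the odd half-rounds) and to the two keys of an XTS volume; a real image also needs the key search run across the whole capture, which is why the slides stress acquiring memory before power is lost.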
Original password recovery:
• Dictionary attack
• Xieve attack
• Brute-force attack
• Previous Passwords attack
• Any combination of attacks above
Don't power off the target computer
HD encryption keys are stored in RAM
If the computer is shut down, use brute-force password recovery attacks
Know the enemy: find out what is encrypted and how
Find the weakest link first; it will help to defeat stronger encryption
Use the most effective tool, both software and hardware
Don't power off the target computer
HD encryption keys are stored in RAM
If the computer is shut down, use brute-force password recovery attacks