Handling Encrypted Evidence & Password Recovery
Nataly Koukoushkina
June 2010
CCFC 2010, Workshop

 Passware
◦ In business for 12 years
◦ Offices in USA and Russia
◦ Products included in Certified Computer Examiner (CCE) training

 Passware Kit Forensic
◦ Password recovery & decryption for 180 file types and hard disks
◦ Scans computers for encrypted data
◦ Acquires memory images over FireWire
◦ Supports Tableau TACC and GPU to speed up password recovery
◦ Supports Distributed Password Recovery
◦ Includes USB Portable version

www.lostpassword.com
 Part I. Encrypted Evidence Discovery & Decryption.
◦ Overview of encryption types
◦ Discovering encrypted evidence
◦ Recovering easy and strong passwords
◦ Hardware acceleration methods

 Part II. Hard Disk Decryption.
◦ Overview of hard disk encryption
◦ Acquiring memory image
◦ Decrypting hard disk

Part I. Encrypted Evidence Discovery & Decryption: Overview of encryption types

 Stored passwords
◦ Internet browsers, etc.
 Files
◦ Passwords
 Disks
◦ Full Disk Encryption
   Software
     BitLocker
     PGP
     TrueCrypt
   Hardware

 No more “homegrown” encryption
 Standard and widely accepted encryption algorithms are used
 The password is hashed (e.g. with SHA1) and the result is used as the encryption key (AES)
 “Key strengthening” – SHA1 is applied 10,000 times
 Office 2010, WinZip, RAR – use SHA1/AES

This is secure!

Part I. Encrypted Evidence Discovery & Decryption: Discovering encrypted evidence

Passware Encryption Analyzer

 Scans computers and network for password protected files
 Detects over 160 different file types
 Scan speed over 4,000 files per minute
 Detailed reports, lists encryption types and how difficult it might be to decrypt the file

Part I. Encrypted Evidence Discovery & Decryption: Recovering easy and strong passwords

 Password (or encryption key) attacks
 Surprise seizure of the running computer

As encryption gets more secure, password attacks must go after the weakest link.
 The same (or similar) passwords are reused
 Find the least secure encryption type first

Finding the weakest link:
 Start with file types that are easy to decrypt
 Build a good dictionary
 Use wizard if password pattern is known

Part I. Encrypted Evidence Discovery & Decryption: Hardware acceleration methods

 Multiple-core CPUs
 Tableau TACC Hardware Accelerator - x25
 GPU-based attacks (nVidia cards) – x20
 Distributed password recovery

[Chart: password recovery speed, CPU vs. CPU+GPU, for MS Office 2007 and RAR 3; vertical axis 0 to 5000]

 Linear performance scalability
 Each computer supports CPUs, GPUs, and TACC accelerators simultaneously
 Uses all types of password recovery attacks

 Know the enemy - find out what is encrypted and how
 Find the weakest link first – it will help to defeat stronger encryption
 Use the most effective tool – both software and hardware

Questions?

Nataly Koukoushkina
 +1 (650) 472-3716 x 101
 nataly@passware.com
 www.lostpassword.com/kit-forensic.htm

Part II. Hard Disk Decryption: Overview of hard disk encryption

 BitLocker Drive Encryption is a full disk encryption feature included with Windows 7/Vista Ultimate and Enterprise, and Server 2008. Provides encryption for entire volumes. Also encrypts removable drives (BitLocker To Go).

 TrueCrypt is a free software application used for real-time encryption. Creates a virtual encrypted disk within a file, or an encrypted volume on either an individual partition or an entire storage device.

 Encryption keys are located in computer memory while the volume is mounted, even if the computer is locked

 Passware Kit Forensic:
◦ acquires the memory image of the seized “hot” computer;
◦ analyzes the memory image and extracts the encryption keys;
◦ decrypts the TrueCrypt volume

 Preserve the state - do not turn off the computer
 BitLocker and TrueCrypt keep the encryption keys in memory

Part II. Hard Disk Decryption: Acquiring memory image

 Passware Kit Forensic creates a bootable USB flash drive with a portable memory imaging tool (FireWire Memory Imager), which can be used on any computer with a FireWire port
 Passware FireWire Memory Imager acquires a memory image of the target computer over the FireWire port

Part II. Hard Disk Decryption: Decrypting hard disk

 Extract encryption keys from the memory
 Decrypt the disk with the keys
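Added example, not Passware's tool, of the key-extraction step named here and on the "hot computer" slide: the standard search for an AES-128 key schedule in a raw memory image, which assumes the volume key is AES-128 and its expanded schedule sits contiguously in RAM (AES-256 has a different schedule and is not handled); the image is a constructed stand-in for an acquisition.

```python
import random

def _build_sbox():
    """AES S-box computed (GF(2^8) inverse + affine map) rather than pasted."""
    sbox, p, q = [0] * 256, 1, 1
    while True:  # p *= 3 and q /= 3 every round, so p * q == 1 throughout
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)  # affine map, rotations unfolded
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse
    return sbox

SBOX = _build_sbox()

def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule of 11 round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)

def find_aes128_schedules(image):
    """Slide a 16-byte window over the image; if expanding it reproduces the
    160 bytes that follow, a live AES-128 key schedule was found there."""
    hits = []
    for off in range(len(image) - 175):
        cand = image[off:off + 16]
        if image[off:off + 176] == expand_key_128(cand):
            hits.append((off, cand))
    return hits

def make_sample_image(key, offset, size=2048):
    """Constructed stand-in for an acquired memory image: pseudo-random filler
    with one expanded key schedule planted at `offset`."""
    buf = bytearray(random.Random(7).getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key_128(key)
    return bytes(buf)
```

The same scan runs unchanged over a real raw image; the returned offsets and keys are what a decryption step would then try against the volume headers.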

 Original password recovery:
• Dictionary attack
• Xieve attack
• Brute-force attack
• Previous Passwords attack
• Any combination of attacks above

 Don’t power off the target computer
 HD encryption keys are stored in RAM
 If the computer is shut down, use brute-force password recovery attacks

 Know the enemy - find out what is encrypted and how
 Find the weakest link first – it will help to defeat stronger encryption
 Use the most effective tool – both software and hardware
 Don’t power off the target computer
 HD encryption keys are stored in RAM
 If the computer is shut down, use brute-force password recovery attacks