Advanced Decryption Techniques
Rob Attoe
DIGITAL INVESTIGATIONS OF ANY KIND
Forensic Analysis • Incident Response • Litigation Support • Information Assurance
Workshop Objectives
• What is encryption
• Challenges of large keyspaces
• AccessData Decryption Methodology
What is Encryption?
• Cryptography: Private Communication
  • Origin Authenticity
  • Destination Authenticity
  • Integrity Authenticity
• Encryption: Transformation of data into an unreadable form
• Decryption: The reverse of encryption
Types of Encryption
• Password Protection
  • “Knock Knock, Who’s There?”
  • Easy to gain access to the data
• Data Encryption
  • Uses a Cryptographic System
  • Difficult but not impossible
Symmetric Key Encryption
Also referred to as Single Key Encryption, Secret Key Encryption, or One Key Algorithms
(Diagram: Plaintext -> SOFTWARE with File Encryption Key -> Cipher Text; Cipher Text -> SOFTWARE with the same File Encryption Key -> Plaintext)
Asymmetric Key Encryption
(Diagram: Max is the Sender, Rob is the Recipient. Max turns Plaintext into Cipher Text with Rob’s PUBLIC Key ‘1234’; Rob turns the Cipher Text back into Plaintext with Rob’s PRIVATE Key ‘98765’.)
Basic Cryptographic System
(Diagram: Password -> FEK -> RC4, shown beside a hex dump of the encrypted output; the dump itself is not reproduced here)
Bit Strength
Classification scale across the table, from smallest to largest key: Easy, Moderate, Difficult, DNA !!, &%@#, !!!

Key bits   Key space (2^n; larger values are rounded as in the original spreadsheet)
20         1,048,576
30         1,073,741,824
32         4,294,967,296
33         8,589,934,592
40         1,099,511,627,776
50         1,125,899,906,842,620
56         72,057,594,037,927,900
60         1,152,921,504,606,850,000
70         1,180,591,620,717,410,000,000
80         1,208,925,819,614,630,000,000,000
90         1,237,940,039,285,380,000,000,000,000
100        1,267,650,600,228,230,000,000,000,000,000
110        1,298,074,214,633,710,000,000,000,000,000,000
120        1,329,227,995,784,920,000,000,000,000,000,000,000
128        340,282,366,920,938,000,000,000,000,000,000,000,000
160        1,461,501,637,330,900,000,000,000,000,000,000,000,000,000,000,000
Brute Force Challenges
Password Search Calculation Spreadsheet

Character domain                   Characters in Domain
Lower Alpha:                       26
Lower and Upper Alpha:             52
Lower and Upper Alpha w/ #'s:      62
Alpha w/ #'s and Punctuation:      96

Worked row: Characters in Domain 26, Length of Password 6, Size of Key Space 308,915,776 (26^6)
Keys Tested Per Second: 256,000
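The password search calculation above, as an added example that is not part of the original slides: it computes the key space, the equivalent bit strength from the Bit Strength table, and the worst-case exhaustive time for each character domain on the slide, taking the slide's 256,000 keys per second as the assumed test rate, and it extends the same table to longer passwords to show how length outruns any fixed test rate.

```python
from math import log2

# Character domains from the slide's spreadsheet (sizes as given there).
DOMAINS = {
    "Lower Alpha": 26,
    "Lower and Upper Alpha": 52,
    "Lower and Upper Alpha w/ #'s": 62,
    "Alpha w/ #'s and Punctuation": 96,
}

# Test rate used on the slide; an assumption about the cracking host.
KEYS_PER_SECOND = 256_000


def key_space(chars_in_domain: int, length: int) -> int:
    """Candidates of exactly `length` characters drawn from the domain."""
    return chars_in_domain ** length


def bit_strength(space: int) -> float:
    """Equivalent key length in bits, i.e. the n in the 2^n table."""
    return log2(space)


def seconds_to_exhaust(space: int, keys_per_second: int = KEYS_PER_SECOND) -> float:
    """Worst case: every candidate tested once at the given rate."""
    return space / keys_per_second


def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that is at least one."""
    units = (("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def search_table(length: int, keys_per_second: int = KEYS_PER_SECOND) -> list:
    """One row per domain: (name, key space, bits, worst-case time)."""
    rows = []
    for name, size in DOMAINS.items():
        space = key_space(size, length)
        rows.append((name, space, round(bit_strength(space), 1),
                     human_time(seconds_to_exhaust(space, keys_per_second))))
    return rows


if __name__ == "__main__":
    for length in (6, 12):            # the slide's 6-character case, then 12
        for row in search_table(length):
            print(length, *row)
```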
Best Practices to Decrypt Data
• AccessData Decryption Methodology
  • Using Wordlists
  • Registry data
  • Suspect Intelligence
  • Rainbow Tables
  • Entropy
Special Ops
(Methodology overview diagram)
• Online Resources
• Wordlists
• Rainbow Tables
• Environment Artifacts
• Passphrase Generator
• Suspect Intel / Web Artifacts
• Password Recovery Toolkit
• Distributed Network Attack / Rainbow Tables
Windows Logon Password Recovery
• Windows stores the user PASSKEY in the SAM file
  • Double encrypted with SYSKEY
• Identifying the password allows you to:
  • Break EFS encrypted files
  • Potentially decrypt IntelliForms data
  • Open other encrypted files
SAM Passkey - Special Ops
Export The Wordlist
Web Artifacts
Registry Data – PSSP – IE6 Decrypted Queries / Account Passwords, etc !!
Protected Storage and IE7 ~ IE9
• IE Version 7 and Vista no longer use the PSSP
• Protected data is now stored in 2 keys in NTUSER.DAT
  - Storage 1 (auto-complete form data)
  - Storage 2 (passwords)
• Encryption scheme modified to comply with Windows DPAPI (Data Protection Application Programming Interface)
• DPAPI
  - Cryptographic system built into Windows since Win2K
  - Function of the user’s login password
Questions?
• What is encryption
• Challenges of large keyspaces
• AccessData Decryption Methodology
LAB Time
Rob Attoe
[email protected]