Forensic specialists may encounter different protection systems for data access. The most common and simple system of protection is compressing archives by a password. At present, ZIP and RAR are two most commonly used archive managers. Russian archive manager (RAR) has a stronger encryption mechanism (AES-128 standard) which implies 128 bits encryption. This archive manger protects not only the access to files, but to other sensitive information like file name, time of creation, etc. Although their purpose is to protect data, these mechanisms sometimes must be removed. In terms of computer forensics, the reason is obvious, as otherwise potential evidence would be inaccessible.
However, there is also a need for password-based access to business information. It often happens that employees under term of notice refuse to give their password to the mother company although all password-based data belong to the employer. In this case figuring out the password is considered as legitimate password cracking.
Passwords are also used for other purposes, like accessing the operating system, network environment, distant disks, distant servers, particular partitions/devices, particular databases, particular applications…
In order to overcome all obstacles that might arise in the course of investigation, examiners need to develop their password cracking skills. Sometimes simply cracking the password won’t work, but you need to make valid identification to the system. Valid system access implies both valid user name and password.
There are three main ways to validate the user’s identity.
The first one is through a valid password.
The second one is through a physical possession of particular object.
There are several different dongle objects, the most commonly used is a smart card or a memory card; however there are many other types of protection keys such as HASP and others. Such keys are based either on time (TIME HASP) or memory (MEMO HASP). The third validation method, at the same time the most sophisticated and most advanced method, refers to usage of biometrical data for user identification (cornea scanning, finger print…).
Password cracking means finding the code in order to make a valid access without making unauthorized entry.
Data Solutions Laboratory offers its services in this area, in all cases which are legal and/or legitimate.
There are several attack methods:
PASSWORDS STORED ON THE SYSTEM
Although far from elegant solution, this approach is very effective, particularly when it comes to inobservance of minimum password length.
In other words, brute force algorithms try combinations of all possible letters, numbers, and special characters. This method tests a set of characters in a given length one after another until right combination is found.
Another option is a dictionary attack that tries all possible combinations of words listed in a dictionary. This option has shown better results in practice, as most of the time passwords are combinations of meaningful words and phrases, hence number of potential combinations and time required for such search is significantly lesser.
PASSWORDS STORED ON THE SYSTEM
This approach is based on weak points of operating systems. If a copy of hard disc is available to investigator, by searching through sectors he can find system files used for saving passwords (pwl files in Windows 98 are least protected, Linux/Unix uses stronger encryption method for /etc/passwd files, Novell Net/Ware NETSBALL/VAL.SYS files or NDS database on more recent versions, WindowsNT/XP use a mechanism similar to Unix, while passwords are stored in SAM base).
Such passwords are protected by HASH mechanism. Hash function is actually used by the system to compare entered and stored values on a disc. In this way, correct password is never read into memory, but there is only a resulting function. Although it seems impeccable, such mechanism turned out to be very weak in practice.
Comparative analysis method may be used to break password protection. Namely, if there is a file with codes, any hash function used by operating system can be applied in order to encrypt possible passwords (generated brute force / dictionary attack) and determine the correct password through simple comparison.
In case of files with weak encryptions, decryption applications actually do not disable the protection, but only skip the instruction. However, more powerful algorithms require brute force with all available characters. As it takes a lot of time for decryption attack, this cannot be done manually. Decryption application is the fastest way to test possible combinations.
Unlike other attack methods, this approach does not require any technological knowledge at all. This concept is best explained in a movie “Hackers” dated 1995. This approach exploits human weaknesses, usage of particular phrases, passwords jotted down on post-it scattered on the computer desk.
Social engineering may be defined as ‘acquiring confidential information through human interaction.
In most cases, this is the easiest method for obtaining valid access to data.