Digital Forensic Science

Attacking Zip File Passwords from the Command Line

There was recently a question on SuperUser linking back to CybercrimeTech’s article about cracking passwords, with an issue about zip files using ZipCrypto, and never finding the password. I left an answer, saying that I guess zip2john does not know how to accurately extract the hash from zip files using that particular algorithm.

<div class="separator" style="clear: both; text-align: center;"></div>In such a case, you can either 1) figure out the data structure, and update zip2john (https://github.com/magnumripper/JohnTheRipper), or use the same approach that we have used before with LUKS to attack the file directly from the command line.

Definitely, attempting to crack the hash is faster, but if you are stuck and don’t have time to reverse engineer a new file type, this would eventually work for you.

See the code below as an example of having John generate the password then passing it to 7zip to try. This should work regardless of chosen encryption, unless you have to specify it when opening the archive. It is not clean, but it should be enough to illustrate.

#!/bin/bash # Using john the ripper to brute-force a zip container startTime=$(date) if [ $(file $1 | grep -c "Zip archive data") ]; then john -i --stdout | while read i; do # this is john generating password to stdout echo -ne "\rtrying \"$i\" "\\r 7z -p$i -so e $1 2>&1> /dev/null # this is your zip command STATUS=$? if [ $STATUS -eq 0 ]; then echo -e "\nPassword is: \"$i\"" break # if successful, print the password and quit fi done echo "Start time $startTime" echo "End time $(date)" else echo "The file does not appear to be a zip file" fi

This approach should work when you are unable to extract the hash, but is much, much slower (not really practical for most applications). See the results below.

... trying "pmc" 7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-1 Processing archive: test.zip Extracting Sample_memo.pdf Data Error in encrypted file. Wrong password? **Sub items Errors: 1** trying "1234" 7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 Processing archive: test.zip Extracting Sample_memo.pdf **Everything is Ok** Size: 60936 Compressed: 51033 Password is: "1234" Start time 2015. 01. 03. (토) 19:02:51 KST End time 2015. 01. 03. (토) 19:02:51 KST

PRNewsWire Quotes CybercrimeTech

PRNewsWire, when writing about Passware’s new LUKS GPU-assisted brute force cracker, referenced our work on L UKS password cracking with John the Ripper.

<div class="separator" style="clear: both; text-align: center;"></div>Just to be clear, prior tests with JoT were with multi-CPU - not GPU - enabled password generation. Also, we basically had only one thread attempting to access the LUKS device. Multi-threading may be able to increase practical guessing to a few a second, but probably still not as many as Passware’s 300 guesses claim.

While their title is not exactly accurate, thanks for mentioning us!

Full article can be found here:

http://www.prnewswire.com/news-releases/passware-first-to-enable-computer-forensics-to-crack-linux-disk-encryption-luks-300004871.html

Korea Linux Forum 2014: Linux and Law Enforcement

On November 11, 2014 Joshua James of CybercrimeTech.com gave a presentation at the Korea Linux Forum on Linux and Law Enforcement: Challenges and Opportunities. Presentation slides can be found at the link.
<div>
A bit about the talk can be found below.

<div class="separator" style="clear: both; text-align: center;"></div>Overall, I thought the Korea Linux Forum 2014 was very interested. I’d never been to that kind of conference before, and I think it was not so usual to have a speaker talking about how criminals and Law Enforcement are using Linux / Open Source. I think most engineers were maybe not so interested, but I seemed to get a bit of interest from the legal side. All-in-all, definitely a conference I will try to attend next year.

</div><div>Linux and Law Enforcement: Challenges and Opportunities</div>
Abstract
Like all technology, Linux can be used for good or evil. Cybercrime and digital forensic investigators must be able to investigate Linux-based systems that have been attacked, or have been used for criminal purposes. While hackers have adopted Linux for its power and flexibility, Law Enforcement have mixed feelings about Linux and open source projects in general. This talk will discuss how both Law Enforcement and criminals are using Linux, current perceptions of Law Enforcement toward the use of Linux and community-developed software, and legal considerations about the use of open source tools in digital investigations.

Audience
All technologies are vulnerable to criminal abuse. This talk will help the community understand what Law Enforcement are doing about current cybercrime cases, and what role Linux (and the community) play in both supporting and preventing digital crime. It is hoped that if developers, administrators and users are more aware of the challenges Law Enforcement face, then not only can the security of the ecosystem be improved, but also justice when the ecosystem is criminally abused.

Experience Level
Any

Benefits to the Ecosystem
All technologies are vulnerable to criminal abuse. This talk will help the community understand what Law Enforcement are doing about current cybercrime cases, and what role Linux (and the community) play in both supporting and preventing digital crime. It is hoped that if developers, administrators and users are more aware of the perspective of Law Enforcement, then not only can the security of the ecosystem be improved, but also justice when the ecosystem is abused.

World Forensic Festival, Digital Forensic Masters and the Korea Linux Forum

A pretty busy day preparing for the World Forensic Festival next week. If you are going, please be sure to catch me on Thursday and Friday for the Digital Forensics talk and singleer sessions. I will be talking about event reconstruction with no-prior information. Just a sort piece of work I touched on in my dissertation.

We also have an open house in SoonChunHyang University tomorrow to introduce potential students
to the Master’s in Digital Forensic Investigation. It is a combination degree with the SCH Graduate
School of Forensic Science. The session on digital forensics is short, but should be interesting. If you are in Asan tomorrow after, please let me know.

Finally, we are also getting ready for the Korea Linux Forum where we will talk about Linux in crime and criminal investigation. I’ve never been to the event before, but it should be interesting to meet developers and users. Hopefully I can give them some insight into how the Law Enforcement community (and criminals) is using their work. There are some interesting parallels between the idea of open source, and requirements by courts. Much of which was talked about by Brian Carrier a while ago in “Open Source Digital Forensic Tools - The Legal Argument”.

All together, a pretty interesting few months ahead.
<div>
</div>

[CFP] DFRWS EU 2015 - Submission Deadline Approaching

Just a reminder that the submission deadline for DFRWS EU 2015 (hosted in Dublin, Ireland) is September 22nd, 2014!

<div class="separator" style="clear: both; text-align: center;"></div>Topics of Interest:

<ul><li>“Big data” approaches to forensics, including data collection, data mining, and large scale visualization</li><li>Addressing forensic challenges of Systems-on-a-chip</li><li>Anti-forensics and anti-anti-forensics</li><li>Case studies and trend reports</li><li>Data hiding and discovery</li><li>Data recovery and reconstruction</li><li>Database forensics</li><li>Digital evidence and the law</li><li>Digital evidence storage and preservation</li><li>Event reconstruction methods and tools</li><li>Incident response and live analysis</li><li>Interpersonal communications and social network analysis</li><li>Malware and targeted attacks: analysis, attribution</li><li>Memory analysis and snapshot acquisition</li><li>Mobile and embedded device forensics</li><li>Multimedia analysis</li><li>Network and distributed system forensics</li><li>Non-traditional forensic scenarios and approaches (e.g. vehicles, control systems, and SCADA)</li><li>Storage forensics, including file system and Flash</li><li>Tool testing and development</li><li>Triage, Prioritization, Automation: Efficiently processing large amounts of data in digital forensics</li><li>Virtualized environment forensics, with specific attention to the cloud and virtual machine introspection</li><li>The above list is only suggestive. We welcome new, original ideas from people in academia, industry, government, and law enforcement who are interested in sharing their results, knowledge, and experience.</li></ul>
Authors are encouraged to demonstrate the applicability of their work to practical issues. Questions about submission topics can be sent via email to: eu-papers dfrws org

[How To] Installing LIBEWF in Ubuntu Trusty

Installing LIBEWF is normally straightforward. Usually the most difficult part is remembering which packages are required for the dependencies. When running configure, I always like to have “support” dependencies filled out. While some of these are not necessary, you may find yourself needing them someday, and having to recompile.

<div class="separator" style="clear: both; text-align: center;"></div>On a almost-brand-new install of Ubuntu Trusty (64bit), these are the required packages:

apt-get install build-essential autoconf automake libfuse-dev uuid-dev libbz2-dev zlib1g-dev

Then you just download LIBEWF, untar, and run ./configure. All dependencies should be filled out.

From there it is just a simple make to start working with forensic file formats.