Data Decryption & Password Recovery How Special Tools Facilitate Investigations


Page 1: Data Decryption & Password Recovery

Data Decryption & Password Recovery

How Special Tools Facilitate Investigations

Introducing

A 2-day Conference on Passwords & PINs

December 7-8, 2010

The Selmer Center, University of Bergen, Norway

We can't really think of anybody we know who doesn't use passwords or PIN codes frequently. Almost every day in fact. Passwords & PINs are everywhere. Many years have passed since better authentication technologies were made available, such as 2-factor authentication and biometrics. Still we have more and more passwords and PINs to remember. Why?

That question probably won't be answered here.

What we will do is to present ongoing research, technologies and techniques that aid in the recovery of passwords. Technologies that can be used for good - and for evil. With technologies such as Graphics Processing Units and Rainbow Tables being utilized to greatly improve recovery speeds of passwords, researchers are now talking about 12-character length passwords as the minimum for being “secure”.

That's a big step from what people are using today. 123456 just won't do anymore as your password.

The usability aspect of passwords and PINs is becoming increasingly important. Many years ago the Internet was a safe place to be. We didn't really do much business or secret stuff there. Nowadays we pay our bills, purchase new gadgets and talk to our family, colleagues and secret lovers - right there on the Internet. Still, security at many sites is almost entirely left in the hands of the end-user - no guarantees attached. Speaking of which: when did you last change your PINs?

We would like to welcome you to Passwords^10.

Covering attacks, defenses and usability of Passwords and PINs.

The conference is sponsored by 0120#34'&

Twitter hashtag: #passwords10

Page 2: Data Decryption & Password Recovery

Who are we?

• Founded in 1990

• In password recovery since 1998

• Privately owned

• HQ and Dev in Moscow, Russia

• Four US patents issued, more to come

Page 3: Data Decryption & Password Recovery

Products Overview

Page 4: Data Decryption & Password Recovery

Stored Passwords

Browsers IMs Mail

Page 5: Data Decryption & Password Recovery

Protected Files

Office PDF Archives

Page 6: Data Decryption & Password Recovery

Protected Files

PGP WordPerfect Accounting

Page 7: Data Decryption & Password Recovery

Distributed Recovery

Many file types

Works over LANs and WANs

Up to 10’000 nodes

Hardware acceleration

Page 8: Data Decryption & Password Recovery

Audit

Windows Domains Wireless Networks

Page 9: Data Decryption & Password Recovery

Technology

Page 10: Data Decryption & Password Recovery

Thunder Tables®

Page 11: Data Decryption & Password Recovery

• Recovers encryption key

• Password remains unknown

• Works only with 40-bit encryption

‣ MS Word 97-2003, Adobe PDF

‣ Word 2007/2010 when saving in .doc

• Can be applied to passwords

Page 12: Data Decryption & Password Recovery

• Based on Rainbow Tables

• TT = RT + Keys not in RT

• Provides guaranteed decryption

(except for MS Excel files)

• Data fits on DVD or 4 Gb USB stick

• Average key search time is 25 seconds
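The "TT = RT + Keys not in RT" idea above, as an added toy example (not Elcomsoft's code): a rainbow table over a 1,024-key space leaves gaps, and storing the list of keys it misses turns probabilistic recovery into guaranteed recovery. The keyspace size, `H`, `R` and all function names are assumptions made for illustration; the practical lesson is that 40-bit document encryption offers no protection against precomputation.

```python
import hashlib

N = 1 << 10   # toy keyspace of 1,024 keys (assumption; the slides' case is 2**40)
T = 16        # chain length
M = 64        # number of chains

def H(key: int) -> bytes:
    """Stand-in for 'key -> value that can be checked against the file'."""
    return hashlib.sha256(key.to_bytes(2, "big")).digest()[:8]

def R(h: bytes, col: int) -> int:
    """Column-dependent reduction: maps a hash back into the keyspace."""
    return (int.from_bytes(h, "big") + col) % N

def build_table() -> dict:
    table = {}
    for start in range(0, N, N // M):
        k = start
        for col in range(T):
            k = R(H(k), col)
        table[k] = start               # only end point -> start point is kept
    return table

def rt_lookup(table: dict, h: bytes):
    """Plain rainbow-table lookup; returns None when h is not covered."""
    for col in range(T - 1, -1, -1):   # assume h sits in column `col`
        k = R(h, col)
        for c in range(col + 1, T):
            k = R(H(k), c)
        if k in table:                 # candidate chain: replay it from its start
            k = table[k]
            for c in range(T):
                if H(k) == h:
                    return k
                k = R(H(k), c)
    return None

def missing_keys(table: dict) -> list:
    """Precomputation step: every key the rainbow table fails to recover."""
    return [k for k in range(N) if rt_lookup(table, H(k)) is None]

def tt_lookup(table: dict, missing: list, h: bytes):
    """RT lookup first, then the stored list of keys not in the RT."""
    k = rt_lookup(table, h)
    if k is None:
        k = next((m for m in missing if H(m) == h), None)
    return k

if __name__ == "__main__":
    table = build_table()
    missing = missing_keys(table)
    print(f"RT alone misses {len(missing)} of {N} keys; RT + list misses none")
```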

Page 13: Data Decryption & Password Recovery

Keys recovered vs. attack duration:

1 sec.: 17.4%
2 sec.: 25.3%
5 sec.: 40.2%
10 sec.: 54.7%
20 sec.: 69.7%
30 sec.: 77.6%
1 min.: 89.4%
2 min.: 95.7%
5 min.: 99.4%
10 min.: 99.9%
15 min.: 100%

This is dual-core CPU with tables on HDD

Quad-core with tables on SSD will be way faster!

Page 14: Data Decryption & Password Recovery

Demo

Page 15: Data Decryption & Password Recovery

GPU Acceleration

Page 16: Data Decryption & Password Recovery

• Order of magnitude faster than CPU

• Competing vendors: NVIDIA and ATI

• Hardware readily available

‣ Consumer- and enterprise-grade solutions

‣ Very competitive hardware pricing

Page 17: Data Decryption & Password Recovery

[Bar chart: Office 2007, Passwords per Second. Bars: Core i7-920, GeForce 295, GeForce 480, Radeon 5970. Axis: 0 to 40,000. Bar values in the order extracted: 39,000; 11,300; 8,200; 1,000.]

Page 18: Data Decryption & Password Recovery

TACC Acceleration

Page 19: Data Decryption & Password Recovery

• Times faster than CPU

• Very easy to use

‣ No drivers

‣ Portable

• Low power consumption (⇒ no overheating)

• Scales easily

Page 20: Data Decryption & Password Recovery

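[Bar chart: Office 2007, Passwords per Second, with hardware price. Bars: Core i7-920, TACC1441, Tesla C1060. Axis: 0 to 5,000. Prices in the order extracted: $1,500; $4,000; $250. Bar values in the order extracted: 5,000; 2,500; 1,000.]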

Page 21: Data Decryption & Password Recovery

Technology lets do more in less time!

Page 22: Data Decryption & Password Recovery

New Products & Features

Page 23: Data Decryption & Password Recovery

Elcomsoft Phone Password Breaker

Page 24: Data Decryption & Password Recovery

Elcomsoft Phone Password Breaker

• Recovers passwords for mobile device backups

• Works offline (device is not needed)

• Decrypts backups (you can use your favorite mobile forensics tools)

• Recovers passwords stored in Keychain

• GPU & TACC acceleration

Page 25: Data Decryption & Password Recovery

iOS 4.x Backup Security

• Password verification is done on the device

‣ PBKDF2-SHA1 with 10’000 iterations

‣ Was 2000 iterations in iPhoneOS 3.x

• No data leaves device unencrypted

‣ AES-256, per-file key and IV

Page 26: Data Decryption & Password Recovery

Backup password

Backup master key

FEK encryption key

Encrypted FEK and IV

Backup keybag

AES-256 key and IV to decrypt file

Page 27: Data Decryption & Password Recovery

iOS 4.x Keychain Security

• Keychain is system-wide storage for secrets

‣ Sort of Protected Storage for iOS

• Encrypted with device-specific key

• Plain backups include keychain “as-is”

• Encrypted backups include keychain re-encrypted on key derived from password

‣ The only reliable way to get stored secrets

Page 28: Data Decryption & Password Recovery

Blackberry Backup Security

• Password verification is done on the PC

‣ PBKDF2-SHA1 with 1 (one) iteration

‣ Generating 256 bytes of key data, using 256 bits

• Data encryption done on PC

‣ AES-256, single file

Still think Blackberry is more secure?
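To make the iteration counts on the iOS and BlackBerry slides comparable, the following added example (not from the original deck) counts the HMAC-SHA1 calls each scheme forces per password guess and checks that generating 256 bytes but using 256 bits adds no cost for a guesser. It assumes a 32-byte derived key for the iOS schemes and that the 256 bits used are the first 32 bytes of output; the dictionary and function names are illustrative.

```python
import hashlib
import math

SHA1_LEN = 20  # bytes produced per PBKDF2-SHA1 output block

# Iteration counts are from the slides. dk_needed = 32 for iOS is an
# assumption (AES-256 key size); the slides do not state it.
SCHEMES = {
    "iPhoneOS 3.x backup": {"iterations": 2000, "dk_made": 32, "dk_needed": 32},
    "iOS 4.x backup": {"iterations": 10000, "dk_made": 32, "dk_needed": 32},
    "BlackBerry backup": {"iterations": 1, "dk_made": 256, "dk_needed": 32},
}

def prf_calls(iterations: int, dk_len: int) -> int:
    """HMAC-SHA1 invocations PBKDF2 needs to produce dk_len bytes."""
    return iterations * math.ceil(dk_len / SHA1_LEN)

def owner_cost(name: str) -> int:
    """PRF calls the legitimate software spends deriving the full output."""
    s = SCHEMES[name]
    return prf_calls(s["iterations"], s["dk_made"])

def guess_cost(name: str) -> int:
    """PRF calls per password guess: only the bytes actually used are derived."""
    s = SCHEMES[name]
    return prf_calls(s["iterations"], s["dk_needed"])

def prefix_holds(password=b"constructed-sample", salt=b"constructed-salt") -> bool:
    """PBKDF2 blocks are independent, so a long output starts with the short one."""
    long_dk = hashlib.pbkdf2_hmac("sha1", password, salt, 1, 256)
    short_dk = hashlib.pbkdf2_hmac("sha1", password, salt, 1, 32)
    return long_dk[:32] == short_dk

def relative_strength(name: str, baseline: str = "BlackBerry backup") -> int:
    """How many times more work one guess costs than under the baseline scheme."""
    return guess_cost(name) // guess_cost(baseline)

if __name__ == "__main__":
    for name in SCHEMES:
        print(f"{name}: owner {owner_cost(name)} PRF calls, "
              f"guess {guess_cost(name)}, x{relative_strength(name)} vs BlackBerry")
    print("long output starts with short output:", prefix_holds())
```

When choosing PBKDF2 parameters, raise the iteration count rather than the output length: extra output blocks slow only the legitimate derivation.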

Page 29: Data Decryption & Password Recovery

Demo

Page 30: Data Decryption & Password Recovery

Questions?

Page 31: Data Decryption & Password Recovery

Thank you
