
Passware Kit User Guide


Academic year: 2021


Overview of the Passware Kit

You can use the Passware Kit to recover lost file, e-mail, and Internet passwords, as well as search for password-protected files.

What do you want to do?

Learn more about the Passware Kit

Quick Start


Quick Start

Recovering a lost password is easy with the Passware Kit. Simply follow these basic steps:

1. Launch the Passware Kit application.

2. Click the link on the Start Page that relates to the type of password you want to recover (file, e-mail and network, or Windows Administrator).

3. Follow the instructions on the screen -- for some types of passwords, such as file passwords, you have to fill out a few fields; for other types, such as Outlook Express account passwords, the password recovery process starts immediately.

4. When the password recovery process is complete, the results are displayed in the window.

5. You can then save and print the results.

NOTE: At any time when using Passware Recovery Kit, you can click the Start Page button at the top of the screen to cancel out of what you are doing and start over.

What do you want to do?

Recover a lost file password

Recover a lost e-mail, Internet, or network password

Reset your Windows Admin password

Search for password-protected files

Recover a lost password for encrypted hard drive

Recover lost passwords for a standalone computer (registry analysis)

Recover passwords from Windows/Unix/Mac hash files

Work with Passware Kit Portable

Use Passware Kit Forensic with EnCase

Test password recovery settings

Getting Around in the Passware Kit Application


Important Buttons

Here are a few of the most commonly used buttons.

Takes you to the Start Page (the page that appears when you launch the application).

Starts the currently selected action, such as a password attack or a search for protected files.

Takes you to the previously displayed page, just as in an Internet browser.

Takes you to the next page in your browsing sequence.


Window Arrangement

The main application window is divided into two main parts. The left pane lists available actions (these vary, depending on what you are doing), and details about the currently viewed action, if there are any.

The wider, right pane is where you select choices, enter values, and view password recovery and protected file search results.

At the bottom of the window is a status bar that may contain hints on how to proceed.


Working with Passware Kit

You can use the Passware Kit to recover lost passwords, wherever they are -- file passwords, e-mail account passwords, Internet passwords, and VPN and network passwords.

What do you want to do?

Recover a lost file password

Recover a lost e-mail, Internet, or network password

Reset your Windows Admin password

Search for password-protected files

Recover a lost password for encrypted hard drive

Recover lost passwords for a standalone computer (registry analysis)

Recover passwords from Windows/Unix/Mac hash files

Work with Passware Kit Portable

Work with Decryptum Portable

Use Passware Kit Forensic with EnCase

Test password recovery settings

Recovering File Passwords

Not being able to open or use a file because you can't remember its password can be frustrating. The Passware Kit can help you recover passwords for many types of files.

The quickest way to start password recovery for a file is to click the Recover button on the Start Page, or press Ctrl+O.

Once the Passware Kit discovers the password for a file, it remembers that password. If you ever forget the same password, you don't have to run all the attacks again - simply select the file, and the Passware Kit displays the password immediately.

If one or more passwords in the original file were reset (changed) or removed (for example, QuickBooks QBW passwords to open or MS Excel Workbook and Worksheet passwords), the Passware Kit creates an unprotected file that is listed in the results of the password recovery process. If the Passware Kit recovers all original passwords, it doesn't create the unprotected file (for example, MS Excel passwords to open and MS Access passwords).

What do you want to do?

Use the Password Recovery Wizard - best for users who know something about their passwords, but are new to password recovery.

Run the default attacks - best for users who know nothing about their passwords.

Use the Attack Editor - best for advanced users who are decrypting strong passwords.


Using the Attack Wizard

The Attack Wizard walks you through setting up your search for a lost file password, step-by-step. The Attack Wizard is best for situations where you know something about the password, but are new to password recovery. When you complete the Wizard, Passware Kit automatically sets up the proper password recovery attacks, based on your answers.


Starting the Attack Wizard

1. Launch the Passware Kit application.

2. Click Recover File Password (or press Ctrl+O). This displays the Open dialog box.

3. Choose the file for which you want to find the password, and click Open. This displays the screen shown below:


Filling Out the Attack Wizard Information

The Attack Wizard consists of several screens, asking you to supply as much information about your password as possible.

NOTE: At any point in the Attack Wizard, you can click the Skip and Start button to simply start recovering your password - but bear in mind that the recovery process may take longer, or be less successful, than if you had completed the wizard.

Specifying the General Password Format

The first Attack Wizard screen, shown below, asks you to supply the general format of the password. For example, does it consist of one dictionary word, or more than one? Choose the best selection and click Next.

NOTE: If you choose I know nothing about my password, there are no "Next" screens - simply click Finish to start the password recovery process with the default settings.

From this point forward, the Attack Wizard screens differ, depending on which general format you choose.

Single Dictionary Word

Multiple Dictionary Words

Symbols

Non-dictionary, but Similar to a Dictionary Word

Other


Running the Default Attacks

If you do not know anything about a missing password, you can simply run the default attacks to find the password.


Starting the Default Attacks

1. Launch the Passware Kit application.

2. Click Recover File Password (or press Ctrl+O). This displays the Open dialog box.

3. Choose the file for which you want to find the password, and click Open. This displays the screen shown below:

4. Click Use Pre-defined Default Attacks (or press Ctrl+D).

The attacks start immediately, and when finished, the results appear in the window.


Which Attacks Are Run

The following list describes the default attacks, in the order in which they are run, and gives examples of the sort of password each attack is best at finding, where appropriate.

1. Previous Passwords Attack (with modifiers Original Password, Normal Casing, Upper Casing, and Lower Casing)

2. Decryptum Attack (if applicable) - free demo preview of decrypted Word or Excel file

3. SureZip Attack (if applicable) - instant decryption of Zip archives up to version 8.0

4. Brute-force Attack (English, 1-4 characters, full symbol set: lowercase letters, uppercase letters, numbers, symbols, space)

Sample password: "Pw5@"

5. Dictionary Attack (English words up to 15 letters, with all possible Casing modifiers)

Sample password: "Specialization"

6. Xieve Attack (passwords similar to English words, from 5 to 9 letters, lowercase, level "Medium" - checks common combinations of letters only)

Sample password: "mycomp"

7. Brute-force Attack (Numbers only, from 5 to 8 characters)

Sample password: "23012009"

8. Join Attacks group:

   1. Dictionary Attack (English words from 1 to 9 letters) +

   2. Append Attacks group:

      1. Brute-force Attack (from 1 to 2 characters, symbols+numbers)

      2. Brute-force Attack (from 3 to 4 characters, numbers only)

Sample password: "open123"

9. Join Attacks group:

   1. Dictionary Attack (English words from 1 to 9 letters) +

   2. Dictionary Attack (English words from 1 to 9 letters)

Sample password: "greenapple"

numbers)

Sample password: "qw3erty"

11. Xieve Attack (passwords similar to English words, from 10 to 11 letters, lowercase, level "Low" - checks almost all combinations of letters)

Sample password: "sweetemily"
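The following is an added example, not part of the Passware guide or product: a password-audit helper that sizes the search space of the fully specified default attacks (list items 4, 7, 8 and 9) and reports which item's described pattern a given password first falls into. It assumes the "full symbol set" is printable ASCII, uses a small constructed wordlist in place of the English dictionary, and leaves out the Xieve attacks and the partly missing item 10 because the guide does not specify them.

```python
import string

# Assumption: the guide's "full symbol set" is taken to be printable ASCII
# (26 lowercase + 26 uppercase + 10 digits + 32 punctuation + space = 95).
DIGITS = set(string.digits)
SYMBOLS_AND_DIGITS = set(string.punctuation) | DIGITS               # 42 characters
FULL_SET = set(string.ascii_letters) | SYMBOLS_AND_DIGITS | {" "}   # 95 characters

# Constructed sample wordlist standing in for the product's English dictionary.
SAMPLE_WORDS = frozenset({"open", "green", "apple", "specialization"})


def brute_force_size(alphabet_size, min_len, max_len):
    """Number of candidates of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def search_space(dictionary_size):
    """Candidate counts for list items 4, 7, 8 and 9, keyed by item number."""
    # Item 8 appends either 1-2 symbols/digits or 3-4 digits to a word.
    suffixes = (brute_force_size(len(SYMBOLS_AND_DIGITS), 1, 2)
                + brute_force_size(len(DIGITS), 3, 4))
    return {
        4: brute_force_size(len(FULL_SET), 1, 4),
        7: brute_force_size(len(DIGITS), 5, 8),
        8: dictionary_size * suffixes,
        9: dictionary_size ** 2,
    }


def _short_word(text, words):
    """True if text is a dictionary word of 1 to 9 letters (exact, lowercase)."""
    return 1 <= len(text) <= 9 and text in words


def first_covering_attack(password, words=SAMPLE_WORDS):
    """Return the list item number of the first default attack whose described
    pattern matches the password, or None if items 4, 5, 7, 8 and 9 all miss."""
    n = len(password)
    chars = set(password)
    if 1 <= n <= 4 and chars <= FULL_SET:
        return 4                      # short brute-force, full symbol set
    if 1 <= n <= 15 and password.lower() in words:
        return 5                      # dictionary word, any casing
    if 5 <= n <= 8 and chars <= DIGITS:
        return 7                      # digits only, 5 to 8 characters
    splits = [(password[:i], password[i:]) for i in range(1, n)]
    for head, tail in splits:
        if not _short_word(head, words):
            continue
        tail_chars = set(tail)
        if len(tail) <= 2 and tail_chars <= SYMBOLS_AND_DIGITS:
            return 8                  # word + 1-2 symbols/digits
        if 3 <= len(tail) <= 4 and tail_chars <= DIGITS:
            return 8                  # word + 3-4 digits
    for head, tail in splits:
        if _short_word(head, words) and _short_word(tail, words):
            return 9                  # word + word
    return None


if __name__ == "__main__":
    # Assumption: a 100,000-word dictionary; the guide does not give its size.
    for item, size in search_space(dictionary_size=100_000).items():
        print(f"item {item}: {size:,} candidates")
    for pw in ["Pw5@", "Specialization", "23012009", "open123", "greenapple",
               "T7#kq9!LmZ2$"]:
        print(f"{pw!r}: first covered by item {first_covering_attack(pw)}")
```

A result of None only means the password is outside the patterns modelled here; the Xieve attacks and any custom attacks are not checked.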


Using the Attack Editor

The Attack Editor allows you great control over the password recovery process. You can choose which attacks you want to use, modify attack settings, and combine attacks. The Attack Editor is best used if you are an experienced IT person who knows a lot about password recovery.


Starting the Attack Editor

1. Launch the Passware Kit application.

2. Click Recover File Password (or press Ctrl+O). This displays the Open dialog box.

3. Choose the file for which you want to find the password, and click Open. This displays the screen shown below:

4. Click Use Attack Editor (or press Ctrl+E).


The Attack Editor window is divided into three parts. On the left, you see available actions and details. In the middle are the attacks which will be run, and on the right is an "attack tree" which lists available attacks and attack modifiers.

Once you have the attacks the way you want them, start the attacks by:

clicking the Start button at the top of the window

clicking the Start Recovery button in the bottom right corner of the Attack Editor window

clicking on the Start Recovery selection in the Actions area of the left pane.

What do you want to do?

Add an attack

Remove an attack

Rearrange Attacks

Use Attack Modifiers

Reset attack settings to their default values

Save or load attacks


Reports and Log Files

The Passware Kit provides several reports and log files that track its activity during a password recovery operation. You can print and save these files for future reference.


Passwords Found Report

Once an attack is complete, the Passware Kit displays the results of the password recovery process in the Passwords Found Report, a sample of which is shown below:

In the report, you'll see any recovered passwords. Click on a "copy" link to copy a password to the Windows Clipboard. For files with instant unprotection, you can click on a filename to open a protected or unprotected file


Attacks Report

The Passware Kit also reports which attacks it used, how long they took, their state (such as started, successful, or unsuccessful), and what passwords were recovered by which attacks. To view this report, click the Attacks tab at the bottom of the window. A sample Attacks Report is shown below:


Log

A third type of information provided by the Passware Kit is a log that tracks each attack's start and stop time, and other useful information. To view the log, click the Log tab at the bottom of the window. A sample Log is shown below:

What do you want to do?

Print a report or log

Save a report or log

Recovering Passwords for Multiple Files

Passware Kit supports batch file processing, recovering passwords for multiple files, one-by-one, in an automated way.


How to Start

Select multiple files for decryption using the Recover File Password option at the Start Page.

You can also initiate password recovery for multiple files from the results of the Search for Protected Files option. Select the files that you want to decrypt from the list of encrypted files displayed by Passware Kit. Then click

Groups and Settings

Once you have selected the files to decrypt, Passware Kit groups them according to the decryption options, i.e., Known Password, Instant, Default. You can add, modify, or delete groups.

For each group (except for Known Password and Instant groups, for which the password is recovered instantly regardless of its settings) you can use the Predefined settings, or customize them in Attack Editor. Click the Save Settings and Return button to save the changes and return to the list of

Recovering the Passwords

Once you have set up the list of files and password recovery attacks, click the Recover button to start the batch password recovery process:

While the password recovery is in progress, you can pause, resume, or stop it, as well as skip attacks, files, or groups.

As a result, Passware Kit displays the passwords recovered, as well as a log file. A sample result is shown below:


You can enable the option to create unprotected files automatically when a password is recovered or reset at Tools | Options | Folders. When batch file processing is complete, unprotected copies of the files will be saved in a single folder. Supported file types: MS Office, Zip, FileMaker, SQL, MYOB, and


Searching for Protected Files

Using an Explorer-like interface and clicking a few checkboxes and buttons, you can find your password-protected files quickly and easily. Encrypted volumes and hard disk images, such as BitLocker, TrueCrypt, PGP, etc., are also detected.

What do you want to do?

Select the files to scan

Monitor scan progress

Work with scan results

Start a new scan

Searching for Protected Files - Quick Start

To find password-protected files on your computer system:

1. Click Search for Protected Files on the Passware Kit start page:

You will see the following screen:

2. Click the Start Scan button in the bottom-right corner of the window. This scans your entire computer system for password-protected files.

Click OK to close this dialog box. After the scan is complete, you can

Save the list

Save the scan log

Recover passwords

Start a new scan

Selecting the Files to Scan

You can scan specific files -- from your entire computer system to one or two selected folders.

You can also select the type of scan you want to use. A full scan includes scanning system folders, slow file types, encrypted containers and disk images, and calculating MD5 values. You can disable these options if you need a less complete, but much faster scan.

What do you want to do?

Choose scan type

Choose what to scan

After you have chosen the type of scan and the folders and/or drives to scan, start the scan by clicking the Start button on the toolbar, which looks like this:

Scan Options

The software offers four scan options. Which one you use depends on what type of password-protected file you are looking for, and how fast you want the scan to run.

Scan Option: Scan system folders
When to Use: System folders and registry files are unlikely to contain any encrypted items. It is appropriate to use this option only if you need the full system scan.

Scan Option: Scan slow file types
When to Use: Some file types, such as MS SQL and ACT! databases, or any unknown types of files, are slow to analyze. Disable this option to make the scan faster, or enable it if you need the complete scan of the file system.

Scan Option: Scan for encrypted containers and disk images
When to Use: Use this option if you assume that your system has TrueCrypt containers and other disk images. There might be false positives with this option.

Scan Option: Calculate MD5
When to Use: Use this option if you need your reports completed with MD5 hash values for each encrypted file detected. Otherwise, disable it as it slows down the scan speed.

Enable or disable these options in the Scan Options area of the window, shown below:

Next, you can choose what to scan.

NOTE: The settings you choose in the Scan Options area are saved when you


Monitoring Scan Progress

You can track the progress of the scan in several ways:

The Scan Progress area at the top of the main window displays a graphical progress bar, and lists time elapsed and time-to-completion. A sample Scan Progress area is shown here:

The Status Bar, visible along the bottom of the window, gives a summary of the number of protected items found and the total number of items scanned.

The Scan Status area summarizes the scan status. A sample is shown here:

NOTE: If you want, you can turn off the Status Bar.

Canceling or Pausing a Scan

You can temporarily pause a scan at any time by clicking the Pause button in the toolbar:

To resume a paused scan, click the Resume button in the toolbar:


Working with the Scan Results

After scanning the selected folders, the application displays both a list of password-protected files (in the right pane of the window) and a summary of the scan results (in the Last Scan area on the left side of the window). A sample scan result is shown below:

NOTE: Clicking on the Items Skipped line in the Last Scan area displays the scan log.

What do you want to do?

Work with selected files from the scan results

Customize the appearance of the scan results

Save the file list

Recovering File Passwords

Once you have found one or more password-protected files, you can recover the password using the Passware Kit.


Start a New Scan

When you click Search for Protected Files on the Start Page, the window defaults to the new scan display.

To start a new scan after another scan has already completed:

1. Click Start a New Scan in the Actions area of the window.

2. A dialog box, shown below, appears, asking if you want to start a new scan.

3. Click Yes to start a new scan.

Another way to start a new Scan is to click the Back button on the toolbar.

CAUTION: The results of the previous scan are cleared from the screen when you click Yes. If you want to save the results for future use, be sure to save the file list before starting a new scan.

Analyzing Memory and Decrypting Hard Disks

You can use the Passware Kit to decrypt hard disks encrypted with BitLocker, TrueCrypt or FileVault 2.

BitLocker is a data protection feature available in Windows systems starting from Vista. TrueCrypt is a software application that creates virtual hard disks with real-time encryption.

FileVault 2 is a system which encrypts files on a Macintosh computer. It can be found in the Mac OS X Lion operating systems.

To get started, display the Passware Kit Start Page, and click Analyze Memory and Decrypt Hard Disk (or press Ctrl+D). This displays the following window:

What do you want to do?

Recover BitLocker encryption keys

Decrypt a TrueCrypt volume

Decrypt a FileVault volume

Recovering BitLocker Encryption Keys

Passware Kit recovers encryption keys for hard drives encrypted with BitLocker. BitLocker is a data protection feature available in Windows Vista and Windows 7.

The software scans the physical memory image file (created while the encrypted disk was mounted) and extracts all the encryption keys for a given volume.

To recover BitLocker encryption keys, two images of the target system are required:

The image file of the encrypted volume.

The physical memory image file or hiberfil.sys file from the target system (with the encrypted volume mounted).

Disk volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be created using Passware FireWire Memory Imager or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd. If the target computer with the BitLocker volume is powered off, encryption keys are not stored in its memory, but they could be possibly recovered from the hiberfil.sys file, which is automatically created when a system hibernates.

NOTE: If the target computer is turned off and the BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.

Once the images are created, follow these steps to recover the password:

1. Click Analyzing Memory and Decrypting Hard Disk (or press Ctrl+D)

2. Click BitLocker (or press Ctrl+B). This displays the screen shown below:

3. Click Browse and locate the image file of the BitLocker encrypted volume or partition.

4. Click Browse and locate the physical memory image (memory.bin) or the hiberfil.sys file from the computer to which your encrypted volume was mounted. If you do not have this memory image and the target computer is still powered on, click Acquire a memory image and follow the on-screen instructions.

NOTE: If the target computer is turned off and the BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to The BitLocker volume is dismounted option, and Passware Kit will assign Brute-force attacks to recover the password for the volume.

5. Click Next.

This procedure initiates the encryption key recovery process. The recovery might take several minutes depending on the size of the memory image file. The results are displayed when the recovery is complete. The figure below shows a sample result.


Decrypting a TrueCrypt Volume

Passware Kit decrypts hard disk volumes encrypted with TrueCrypt. TrueCrypt is a software application that creates virtual hard disks with real-time encryption.

The software scans the physical memory image file (created while the encrypted disk was mounted), extracts all the encryption keys, decrypts the given volume, and saves the image of the decrypted volume.

To decrypt a TrueCrypt volume, the physical memory image file or hiberfil.sys file from the target system (with the encrypted volume mounted) is required. The Passware Kit can work with either a TrueCrypt volume file (encrypted file container), or with its image.

Disk volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be created using Passware FireWire Memory Imager or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd. If the target computer with the TrueCrypt volume is powered off, encryption keys are not stored in its memory, but they could be possibly recovered from the hiberfil.sys file, which is automatically created when a system hibernates.

NOTE: If the target computer is turned off and the TrueCrypt volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.

Once the images are created, follow these steps to recover the password:

1. Click Analyzing Memory and Decrypting Hard Disk (or press Ctrl+D)

2. Click TrueCrypt (or press Ctrl+T). This displays the screen shown below:

3. Click Browse and locate the TrueCrypt volume file or its image file.

4. Click Browse and locate the physical memory image (memory.bin) or the hiberfil.sys file from the computer to which your encrypted volume was mounted. If you do not have this memory image and the target computer is still powered on, click Acquire a memory image and follow the on-screen instructions.

NOTE: If the target computer is turned off and the TrueCrypt volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to The TrueCrypt volume is dismounted option, and Passware Kit will assign Brute-force attacks to recover the password for the volume.

5. Click Browse and select the location and name of the destination file (the image of the decrypted volume).

6. Click Next.

This procedure initiates the decryption process. The decryption might take several minutes depending on the size of the memory image file. The results are displayed when the decryption is complete. The figure below shows a sample result.


Decrypting a PGP WDE Volume

Passware Kit decrypts hard disk volumes encrypted with PGP Whole Disk Encryption.

The software scans the physical memory image file (created while the encrypted disk was mounted), extracts all the encryption keys, decrypts the given volume, and saves the image of the decrypted volume.

To decrypt a PGP volume, the physical memory image file or hiberfil.sys file from the target system (with the encrypted volume mounted) is required. PGP volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be created using Passware FireWire Memory Imager or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd. If the target computer with the PGP volume is powered off, encryption keys are not stored in its memory, but they could be possibly recovered from the hiberfil.sys file, which is automatically created when a system hibernates.

NOTE: If the target computer is turned off and the PGP volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns brute-force attacks to recover the original password for the volume.

Once the images are created, follow these steps to recover the password:

1. Click Analyze Memory and Decrypt Hard Disk (or press Ctrl+D) on the

2. Click PGP WDE (or press Ctrl+P). This displays the screen shown below:

3. Click Browse and locate the encrypted PGP volume image file.

4. Click Browse and locate the physical memory image (memory.bin) or the hiberfil.sys file from the computer to which your encrypted volume was mounted. If you do not have this memory image and the target computer is still powered on, click Acquire a memory image and follow the on-screen instructions.

NOTE: If the target computer is turned off and the PGP volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to The PGP disk is dismounted option, and Passware Kit will assign brute-force attacks to recover the password for the volume.

5. Click Browse and select the location and name of the destination folder (the folder to save decrypted volume to).

6. Click Next.

This procedure initiates the decryption process. The decryption might take several minutes depending on the size of the memory image file. The results are displayed when the decryption is complete. The figure below shows a sample result.


Recovering Mac Passwords

You can use Passware Kit to recover the following passwords for Mac OS: user login passwords and keychain file passwords.

What do you want to do?

Decrypt a FileVault2 volume

Recover login passwords for Mac OS


Decrypting a Mac FileVault2 Volume

Passware Kit recovers encryption keys for hard drives encrypted with FileVault2. FileVault2 is a data protection feature available in Mac OS X starting from v.10.7.

The software scans the physical memory image file (created when the encrypted disk was mounted), extracts all the encryption keys, decrypts the given volume, and saves an image of the decrypted volume.

To recover FileVault2 encryption keys, two images of the target system are required:

the image file of the encrypted volume

the physical memory image file from the target system (with the encrypted volume mounted and at least one user logged in)

Disk-volume images can be created using third-party tools such as Guidance EnCase, Free EASIS Drive Cloning, DD, and Apple Disk Utility. Physical-memory images can be created using Passware FireWire Memory Imager.

NOTE: If the target computer is turned off, the memory image will not contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns brute-force attacks to recover the original password for the volume.

Once the images are created, follow these steps to recover the encryption key:

1. Click Analyze Memory and Decrypt Hard Disk on the Passware Kit

2. Click FileVault. This displays the screen shown below:

3. Click Browse... and locate the image of the FileVault2 encrypted volume or partition.

4. Click Browse... and locate the physical memory image (memory.bin) file from the computer in which your encrypted volume was mounted. If you do not have this memory image and the target computer is still powered on, click Acquire a memory image and follow the on-screen instructions.

NOTE: If the target computer is turned off, the memory image will not contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to the FileVault volume is dismounted option, and Passware Kit will assign regular brute-force attacks to recover the password for the volume.

5. Click Browse... and select the location and name of the destination file (the image of the decrypted volume).

6. Click Next.

This procedure initiates the decryption process. The decryption might take several minutes depending on the size of the memory image file. The results are displayed when the decryption is complete. The figure below shows a sample result.


Recovering a Mac FileVault2 Password

If the instant decryption option through memory analysis is not applicable, e.g., if the target computer is turned off or the memory image does not contain the encryption keys for some reason, Passware Kit can still recover the original password for the FileVault disk.

To recover the password, Passware Kit requires a FileVault Wipekey file. To access and copy this file from the target computer, follow the steps below, depending on whether you have direct access to the target computer or just the hard disk image.

If you have access to the target computer:

1. Boot the target Mac computer with a Setup/Recovery CD;

2. Launch the Terminal tool from the Setup CD;

3. Type command: defaults write com.apple.DiskUtility DUDebugMenuEnabled 1;

4. Open the tool Disk Utility;

5. In the Debug menu, choose Show every partition, then choose Recovery HD and click Mount;

6. Locate the Wipekey file (normally named EncryptedRoot.plist.wipekey) at:

com.apple.boot.R/System/Library/Caches/com.apple.corestorage/

NOTE: The directory name can also be com.apple.boot.S or com.apple.boot.P;

7. Copy the EncryptedRoot.plist.wipekey file to the computer on which you run Passware Kit.

If you have the target disk image:

Mount it with any disk-mounting tool and proceed to step 7. Steps 1 - 6 refer to mounting the disk image using Guidance EnCase.

1. Run Guidance EnCase;

2. Click New Case and choose the name and location of the case file;

3. Click Add Evidence;

4. Click Add Local Device, then click Next;

5. Pick up the device with the label Apple and click Finish;

6. In the Table window, double-click the target disk;

7. In the Evidence tab, locate the Recovery HD partition;

8. Locate the Wipekey file (normally named EncryptedRoot.plist.wipekey) at:

com.apple.boot.R/System/Library/Caches/com.apple.corestorage/

NOTE: The directory name can also be com.apple.boot.S or com.apple.boot.P;

9. Copy the EncryptedRoot.plist.wipekey file to the computer on which you run Passware Kit.

Once you have copied the Wipekey file to your computer, run Passware Kit and follow these steps to recover the password:

1. Click Analyze Memory and Decrypt Hard Disk on the Passware Kit Start Page. This displays the screen shown below:


2. Click FileVault. This displays the screen shown below:

3. Click Browse... and locate the image of the FileVault2 encrypted volume or partition;

4. Click the FileVault volume is dismounted option;

5. Click Browse... and select the location of the Wipekey file as shown below:

This procedure initiates the decryption process. It might be accelerated using NVIDIA and AMD GPU cards, as well as Distributed Password Recovery. The results are displayed when the decryption is complete. The figure below shows a sample result.

Recovering Mac Login Passwords

You can use Passware Kit to recover login passwords for Mac OS users in a matter of minutes, regardless of the password length and the use of FileVault encryption. The following operating systems are supported:

Mac OS X Version 10.5 (Leopard), 10.6 (Snow Leopard), 10.7 (Lion)

The software scans the physical memory image file (acquired while the target system is running and at least one user remains logged in, even if the user is currently logged out or the account is locked) and extracts all the login passwords for a given system.

Physical memory images can be created using Passware FireWire Memory Imager. If the target Mac computer is powered off, login passwords are not stored in its memory, and therefore it is impossible to recover them.

To get started, display the Passware Kit Start Page, and click Analyze Memory and Decrypt Hard Disk | Mac User (or press Ctrl+M). This displays the following window:


If you do not have this memory image, follow these steps to acquire it using Passware Kit:

1. At the Passware Kit Start Page click Analyzing Memory and Decrypting Hard Disk.

2. Click Passware FireWire Memory Imager.

3. Follow the on-screen instructions.

Once the image is created, follow these steps to recover the password:

1. Click Recover Mac Password (or press Ctrl+M) on the Passware Kit Start Page.

2. Locate the physical memory image (memory.bin) from the target computer and click Open.

This procedure initiates the password recovery process, as shown below:

The recovery might take several minutes depending on the size of the memory image file. The results are displayed when the recovery is complete. The figure below shows a sample result.

Recovering Mac Keychain Passwords

You can use Passware Kit to recover passwords for Mac OS keychain files. Files from the following operating systems are supported:

Mac OS X Version 10.5 (Leopard), 10.6 (Snow Leopard), 10.7 (Lion)

Mac keychain files are usually stored at /Users//Library/Keychains and are protected with a password. By default, the keychain password is the same as the corresponding Mac user login password, but it may also be different. By recovering this password, you gain access to the following user information contained in the keychain file: saved passwords (for websites, network shares, wireless networks), private keys, certificates, etc.

NOTE: Passware Kit does not support System.keychain files.

To get started, display the Passware Kit Start Page, then click the Recover button, or press Ctrl+O.

Locate the keychain file (by default this file is named login.keychain) and click Open.

This displays the following window:

Choose one of the following options for password recovery, depending on the available information about the password:

Use the Password Recovery Wizard - best for users who know something about their passwords, but are new to password recovery.

Run the default attacks - best for users who know nothing about their passwords.

Use the Attack Editor - best for advanced users who are decrypting strong passwords.

This procedure initiates the password recovery process. The results are displayed when the recovery is complete. The figure below shows a sample result.

Recovering Windows Login Passwords

You can use Passware Kit to recover login passwords for Windows users in a matter of minutes, regardless of the password length and the use of BitLocker encryption. The solution works on all versions of Windows, including Windows 8.

The software scans the physical memory image file (acquired while the target system is running, even if the user is currently logged out or the account is locked) and extracts all the login passwords for a given system.

Physical memory images can be created using Passware FireWire Memory Imager. If the target computer is powered off, encryption keys are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates. In other cases, it is impossible to recover the user passwords instantly.

To get started, display the Passware Kit Start Page, and click Analyze Memory and Decrypt Hard Disk | Windows User (or press Ctrl+W). This displays the following window:

(hiberfil.sys) of the target Windows computer. If you do not have this memory image, follow these steps to acquire it using Passware Kit:

1. At the Passware Kit Start Page click Analyzing Memory and Decrypting Hard Disk.

2. Click Passware FireWire Memory Imager.

3. Follow the on-screen instructions.

Once the image is created, follow these steps to recover the password:

1. Click Analyze Memory and Decrypt Hard Disk | Windows User (or press Ctrl+W) on the Passware Kit Start Page.

2. Locate the physical memory image (memory.bin) or the hibernation file (hiberfil.sys) from the target computer and click Open.

This procedure initiates the password recovery process, as shown below:

The recovery might take several minutes depending on the size of the memory image file. The results are displayed when the recovery is complete. The figure below shows a sample result.

Recovering Website Passwords from Memory

You can use Passware Kit to recover passwords for Facebook, Google, and other websites in a matter of minutes, regardless of the password length and whether the password was saved in the browser or not.

The software scans the physical memory image file (acquired while the target system is running, even if the user is currently logged out or the account is locked) and extracts all the websites' passwords which the user had typed during the last session.

Physical memory images can be created using Passware FireWire Memory Imager. If the target computer is powered off, the passwords are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates.

To get started, display the Passware Kit Start Page, and click Analyze Memory and Decrypt Hard Disk | Websites (or press Ctrl+S). This displays the following window:

Locate the physical memory image (memory.bin) or the hibernation file

image, follow these steps to acquire it using Passware Kit:

1. At the Passware Kit Start Page click Analyzing Memory and Decrypting Hard Disk.

2. Click Passware FireWire Memory Imager.

3. Follow the on-screen instructions.

Once the image is created, follow these steps to recover the password:

1. Click Analyze Memory and Decrypt Hard Disk | Websites (or press Ctrl+S) on the Passware Kit Start Page.

2. Locate the physical memory image (memory.bin) or the hibernation file (hiberfil.sys) from the target computer and click Open.

This procedure initiates the password recovery process, as shown below:

The recovery might take several minutes depending on the size of the memory image file. The results are displayed when the recovery is complete. The figure below shows a sample result.

Passware FireWire Memory Imager

To recover BitLocker and TrueCrypt encryption keys, Passware Kit requires a physical memory image file of a target computer that was created while the BitLocker or TrueCrypt encrypted disk was mounted.

Passware Kit includes Passware FireWire Memory Imager, which creates a bootable memory-imaging USB drive. This USB drive acquires a memory image of the target computer connected with a FireWire (IEEE 1394) cable. The overall steps on acquiring the memory image with Passware FireWire Memory Imager are:

1. Create a bootable Passware FireWire Memory Imager USB drive

2. Acquire the memory image of the target computer with the USB drive

NOTE:

If the target computer is powered off, encryption keys are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates.

If the target computer is powered off and the TrueCrypt/BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.

Creating Passware FireWire Memory Imager USB Drive

Below are the steps to create a memory-imaging USB drive.

1. On the Start Page click Analyzing Memory and Decrypting Hard Disk (or press Ctrl+D), and then click Passware FireWire Memory Imager. The following screen appears:

1. Insert a USB flash drive and select it in the Select USB drive pull-down menu. The recommended size of the USB flash drive is 8 GB or more.

2. Click Next.

NOTE: All the files on the USB flash drive will be erased. If you are using Windows Vista, you may need to run Passware Kit as the Administrator in order to create a memory-imaging USB drive.

2. The recording process starts. Passware Kit copies the necessary files onto the USB flash drive.

3. The bootable Passware FireWire Memory Imager USB drive is now ready.

NOTE: Passware FireWire Memory Imager files are created on a hidden partition of the USB flash drive, while the open partition of the drive, which can be viewed in Windows Explorer, is blank.

Now that you have created the memory-imaging USB drive, you are ready to acquire the memory image of the target computer.

Acquiring Memory Image with Passware FireWire Memory Imager USB Drive

Once you have created the bootable Passware FireWire Memory Imager USB drive, you are ready to acquire the memory image of the target computer by following the steps below.

Requirements:

The target computer is turned on and the encrypted volume is mounted

Both the target computer and the computer used for acquisition have FireWire (IEEE 1394) ports

A FireWire cable

1. Insert the memory-imaging USB drive and restart your computer.

2. Passware FireWire Memory Imager starts:

3. Make sure the FireWire cable is unplugged and press Next.

4. Connect the target computer with a FireWire cable. If the target computer is not detected after 30 seconds, you may need to unplug and re-connect the FireWire cable.

Press Next.

5. The memory imaging process starts:

The progress screen displays the time of the imaging process and the size of the acquired target memory. Upon completion of the process, press Next.

6. Unplug the FireWire cable, remove the USB flash drive, and press Reboot to restart your PC.

on the USB flash drive:

Once you have created the memory image of the target computer, you are ready to decrypt BitLocker or TrueCrypt volumes using Passware Kit.

Recovering Passwords for Mobile Data

You can use the Passware Kit to acquire iCloud backups, recover passwords for Apple iPhone and iPad backups, Android backups, and Android images.

To get started, display the Passware Kit Start Page and click Mobile Forensics. This displays the following window:

What do you want to do?

Recover a password for Apple iTunes or Android backup file

Recover a password for an Android device image

Recovering Apple iTunes and Android Backup Passwords

Apple stores iPhone and iPad backups in an iTunes backup file (*.PLIST). This file, named Manifest.plist, is normally located in the Apple Computer directory. For example, for Windows 8, the full path is:

C:\Documents and Settings\User\AppData\Roaming\Apple Computer\MobileSync\Backup\BackupID\Manifest.plist

Android backup files are usually created with an ADB tool from Android SDK and normally have an *.AB extension.

Passwords for iTunes and Android backup files are recovered using regular password-recovery attacks. The process can be accelerated with GPU cards and distributed computing.

To start the password-recovery process, click Mobile Forensics on the Start Page, choose either the iPhone Backup or Android Backup option and locate your file. Refer to the Recovering File Passwords section for further

Recovering Passwords for Android Images

Passware Kit recovers passwords for Android physical images acquired from the encrypted devices using third-party tools, such as Oxygen Forensic Passware Analyst.

Passwords for Android image files are recovered using regular password-recovery attacks. The process can be accelerated with GPU cards and distributed computing.

To start the password-recovery process, click Mobile Forensics on the Start Page, choose the Android Image option and locate your file. Refer to the Recovering File Passwords section for further recommendations.

Acquiring iCloud Backups

Passware Kit acquires full iOS backups from iCloud if Apple ID credentials are known. The backups are downloaded in iTunes format (readable by Apple software and Oxygen Forensic Suite Passware Analyst) and plain readable format. All versions of iOS, including the latest 8.1, are supported.

Below are the steps to acquire an iOS backup from iCloud.

1. On the Start Page click Mobile Forensics, then choose the iCloud Backup option

2. Enter your iCloud login. Both Apple ID and password should be entered as shown on the screen below:

4. Choose the backup snapshots you want to download. The latest snapshot is listed first. By selecting other snapshots you will be able to download all previous versions of the backup.

5. Choose where to save the backup (make sure you have enough space on your disk; Passware Kit will display the size of the backup to be downloaded).

6. Choose the format you want to save the backup in. By default, it is the "iTunes default format" readable by Apple iTunes. You can also save the backup in plain readable format, i.e. without iTunes default folders, but as a plain list of files.

7. Click Next.

8. The acquisition process starts. Passware Kit downloads the necessary backup files from iCloud to your local computer.

9. The full iOS backup is now downloaded.

Now that you have acquired the iOS backup from iCloud, you are ready to analyze it with Oxygen Forensic Passware Analyst or open it with Apple iTunes to see the device data.

Recovering Lost Internet and Network Passwords

You can use the Passware Kit to recover your e-mail account, Internet, and Network connection passwords.

To get started, display the Passware Kit Start Page, and click Recover Internet and Network Passwords (or press Ctrl+I). This displays the following window:

What do you want to do?

Recover a lost e-mail password

Recover a lost Internet password

Recover a lost network password

Recovering E-mail Passwords

The Passware Kit can recover e-mail passwords associated with Microsoft Outlook and Outlook Express accounts, data files and identities.

To recover one of these passwords, follow these steps:

1. Display the Passware Kit Start Page.

2. Click Recover Internet and Network Passwords (or press Ctrl+I).

3. Click on the appropriate choice in the Email Passwords area of the window.

The password recovery process begins. The results are displayed when it is finished. The figure below shows a sample result.

Recovering Internet Passwords

The Passware Kit can recover passwords associated with websites in browsers and with Internet Explorer Content Advisor.

To recover one of these passwords, follow these steps:

1. Display the Passware Kit Start Page.

2. Click Recover Internet and Network Passwords (or press Ctrl+I).

3. Click on the appropriate choice in the Internet Passwords area of the window.

The password recovery process begins. The results are displayed when it is finished. The figure below shows a sample result.

Recovering Network Connection Passwords

The Passware Kit can recover passwords associated with VPN and dialup accounts as well as remote desktop accounts.

To recover one of these passwords, follow these steps:

1. Display the Passware Kit Start Page.

2. Click Recover Internet and Network Passwords (or press Ctrl+I).

3. Click on the appropriate choice in the Network Passwords area of the window.

The password recovery process begins. The results are displayed when it is finished. The figure below shows a sample result.

Resetting a Windows Administrator Password

What do you want to do?

Learn how to reset a Windows password with Passware Kit CD / USB disk

Using a Password Reset CD / USB Disk

With Passware Kit, you can reset a password for any local or Active Directory Administrator account.

The overall steps are as follows:

1. Create a password reset CD/USB image and burn it on a disk

2. Reset the password with the CD or USB disk

Creating a Password Reset CD Image / USB Disk

Below are the steps to create an ISO image file for a password reset CD or USB disk.

1. On the Start Page click Reset Windows Administrator Password. The following screen appears.

2. Insert your Windows Setup CD.

NOTE: Both Windows 32-bit and 64-bit Setup CDs are supported.

Browse for either a TXTSETUP.SIF or a BOOT.WIM file. The TXTSETUP.SIF file is usually located in the 'I386' folder of the Windows XP/2003 Setup CD. The BOOT.WIM file is usually located in the 'Sources' folder of the Windows 8/7/Vista/2008 Setup CD.

The Make password reset image from field should contain the location of the TXTSETUP.SIF or BOOT.WIM file;

You can protect the Windows Key password reset media with a password by enabling the Set a password on the Windows Password Reset CD/USB disk check-box and typing your own password in the field;

Check Add drivers for SCSI/RAID hard drives, if you need to reset a Windows password for a SCSI/RAID/IDE hard drive. The field Copy drivers from should contain the location of the additional drivers for your hard drive. These drivers should be listed in the Pick up the drivers for your hard drive field. For example, drivers for Intel hard

3. Click Next.

NOTE: If you do not have a Windows Setup CD, you can request a Windows Key .ISO download.

4. Choose what password reset device to create:

Select CD/DVD if you want to make a password reset CD or DVD disk;

Select USB flash if you want to make a password reset USB flash drive.

5. Specify the CD or USB burning drive from the pull-down list of the CD/DVD or USB flash options.

6. Click Next.

NOTE: To create a Windows password reset CD, a CD-ROM drive capable of burning is required.

7. The burning process starts. Passware Kit copies the necessary files from the Windows Setup CD into the ISO image file.

8. After Passware Kit creates a password reset ISO image, it prompts you to insert a blank CD/DVD disk into the CD-ROM drive so that it can burn the image on this disk. Insert a blank CD/DVD disk into the CD-ROM drive. Click OK.

Now that you have created the Windows Password Reset CD or USB disk, you are ready to reset the password on the locked computer.

Resetting the Password

NOTE: If you used a Windows XP/2003 Setup CD (TXTSETUP.SIF file) to create a Windows Key password reset disk, follow these instructions to reset the password. If you used a Windows 8/7/Vista/2008 Setup CD (BOOT.WIM file) to create a Windows Key password reset disk, follow the steps below to reset the password.

1. Reboot your system with this CD or USB disk.

NOTE: To reboot your PC with a USB Flash Drive you may need to set the following options for the BIOS Setup Utility: after rebooting your PC please press 'Del' or 'F2' to run BIOS Setup Utility, go to the 'Boot' section and press 'F6' to move the 'Hard Drive' device up, then press 'Enter' on the 'Hard Drive' option and press 'F6' to move the 'USB Drive' device up. After all the changes are set, press 'F10' to exit and save the settings.

2. After all the required files are loaded from the CD or USB drive, the Windows Key process starts.

3. Enter the protection password that you set while creating the Windows Password Reset CD\USB disk. Click Next. If you have not set any password, go to the next step.

4. Select the Windows installation to be unlocked. If there are several installations, use additional information from the table to choose the one you need to unlock. Click Next.

5. Select the local Windows account or Active Directory Administrator account for which you want to reset the password. Click Next.

6. Review the list of tasks to complete. Click Next.

7. To reset passwords for other Windows installations or accounts, click Back To Start and repeat the process from Step 4.

9. Remove the Windows Key bootable CD or USB disk to restart your PC.

NOTE: For Microsoft Live ID accounts, passwords are reset to "12345678", as the system does not allow blank passwords to be set.

Versions of Windows Supported

All Passware products support Windows 8/7/2008/Vista/2003/XP/2000/NT systems.

What Version of Windows Setup CD Should You Use?

It is recommended to use a Windows 8, 7, Vista or Server 2008 Setup CD to create a bootable password reset CD/USB disk for all versions of Windows.

It is possible to use a Windows XP SP2 and Server 2003 Setup CD to create a bootable password reset CD/USB disk for Windows XP, 2003, and earlier versions.

Recovering Passwords for a Standalone System

You can use Passware Kit to recover saved passwords for standalone systems from registry files.

The quickest way to start password extraction from registry files is to click the Recover Passwords for a Standalone System option on the Start Page, or press Ctrl+S.

Password extraction from registry files is supported for Windows 7, Vista, Server 2008, Server 2003, and XP. The following system directories are required for the password extraction: Documents and Settings (for Windows XP) or Users (for Windows 7/Vista), and Windows\system32\config.

What do you want to do?

Recover passwords for Windows accounts

Recover passwords for email accounts, websites and network connections

Recovering Windows User Passwords for a Standalone System

You can use Passware Kit to recover Windows user login passwords of standalone systems from a SAM file copied from these systems. The following system directory is required:

- Windows\system32\config\

NOTE: Recovery of cached login passwords requires a Windows\system32\config\SECURITY system file, and might also require SOFTWARE and SYSTEM files.

To get started, display the Passware Kit Start Page, click Recover Passwords for a Standalone System (or press Ctrl+S) and locate the system directory of a standalone computer, as shown below:

Follow these steps to recover passwords for Windows accounts:

1. Click Recover Windows User Passwords for a Standalone System. This displays the following window:

2. Choose one of the following options for password recovery, depending on the available information about the password:

Use the Password Recovery Wizard - best for users who know something about their passwords, but are new to password recovery.

Run the default attacks - best for users who know nothing about their passwords.

Use the Attack Editor - best for advanced users who are decrypting strong passwords.

This procedure initiates the password recovery process. The results are displayed when the recovery is complete. The figure below shows a sample result.

Recovering Internet and Network Passwords for a Standalone System

You can use Passware Kit to recover saved passwords for email accounts, websites, network and remote desktop connections of standalone systems from the user directories copied from these systems.

The following system directory is required:

- Documents and Settings (for Windows XP) or Users (for Windows 7/Vista)

To get started, display the Passware Kit Start Page, click Recover Passwords for a Standalone System (or press Ctrl+S) and locate the system directory, as shown below:

Follow these steps to recover the internet and network passwords for the standalone system:

1. Click Recover Internet and Network Passwords for a Standalone System. This displays the following window:

2. Click Browse... and locate the Windows User directory, which is usually named Documents and Settings.

3. In the Windows Users list select the account you want to recover the internet and network passwords for.

4. If the account you selected is protected with a Windows login password, Passware Kit will ask you to choose one of the two options below. If the account is not password-protected, click Next and continue to step 6.

If you know a Windows login password for this account, switch to the I know the password option. Type the known password in this field.

If you do not know a Windows login password for this account, switch to the I don't know the password option. The recovery process for the Windows login password will be initiated. Once the password is recovered, type it in the I know the password field and continue to the next step.

5. Click Next. This displays the following window:

6. Click on the appropriate choice, depending on what password you would like to recover.

The password recovery process begins. The results are displayed when it is finished. The figure below shows a sample result.

Recovering Windows/Unix/Mac Hash Passwords

With Passware Kit you can recover passwords from Windows/Unix/Mac hashes. The following hashing algorithms are supported:

Raw MD4, MD5, SHA1

Windows NT/LanMan

Unix DES/MD5/SHA256/SHA512

MAC OS X salted SHA1, SHA 512

The following hashing algorithms allow instant password recovery using a Rainbow Tables Attack:

Raw unsalted MD5, SHA1

Windows NT/LanMan

Windows stores local user names and their hashed passwords in a SAM (Security Account Manager) registry file.

To dump Windows NTLM hashes, you need administrative access to the target computer.

Learn how to reset Windows Administrator password

Once you have logged in as an Administrator, you can use third-party tools like PWDUMP and FGDUMP to dump the hash file from the system.

NOTE: To recover Windows hash passwords, you can also use the Recover passwords for a standalone system option. In this case the recovery is instant and does not require dumping the hash file from the system.

Unix-like operating systems use a shadow password database mechanism to increase the security level of passwords by restricting all but the highly privileged users' access to encrypted password data. Typically, that data is kept in hash files owned by, and accessible only by, the super user (i.e., on Unix-like systems, the root user, and on many other systems, the Administrator account).

These hash files are located at:

/etc/shadow (Linux systems)

/etc/master.passwd (BSD systems)

/var/db/shadow/hash (Mac systems)
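The formats above are not equally exposed: the guide states that raw unsalted MD5/SHA1 and Windows NT/LanMan hashes allow instant recovery with a Rainbow Tables Attack. The following added example (not part of the Passware guide or product) is an audit helper that classifies the lines of a dumped hash file and flags the accounts in that instant-recovery class; the pwdump-style and shadow field layouts it assumes, and every sample line, are constructed for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "user scheme rainbow_exposed")

# LanMan hash of an empty password; typically present when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# crypt(3) "$id$" prefixes mapped to the scheme names the guide uses.
CRYPT_IDS = {"1": "Unix MD5", "5": "Unix SHA256", "6": "Unix SHA512"}
# Traditional DES crypt: 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def _is_hex(value, length):
    return len(value) == length and re.fullmatch(r"[0-9a-fA-F]+", value) is not None


def classify(line):
    """Classify one hash-file line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    # Assumed pwdump-style layout: user:rid:lmhash:nthash:::
    if (len(fields) >= 4 and fields[1].isdigit()
            and _is_hex(fields[2], 32) and _is_hex(fields[3], 32)):
        scheme = "Windows NT" if fields[2].lower() == EMPTY_LM else "Windows NT/LanMan"
        return Finding(fields[0], scheme, True)  # unsalted: rainbow-table class
    # Otherwise "user:secret[:...]" (shadow style) or a bare digest on its own line.
    user, secret = (fields[0], fields[1]) if len(fields) >= 2 else ("", fields[0])
    if secret in ("", "*") or secret.startswith("!"):
        return Finding(user, "locked or no hash", False)
    if secret.startswith("$"):
        crypt_id = secret.split("$")[1]
        return Finding(user, CRYPT_IDS.get(crypt_id, "unrecognised crypt id"), False)
    if DES_CRYPT.match(secret):
        return Finding(user, "Unix DES", False)  # salted; not in the guide's instant list
    if _is_hex(secret, 32):
        # MD4 and MD5 digests cannot be told apart by length; flag conservatively.
        return Finding(user, "Raw MD4 or MD5", True)
    if _is_hex(secret, 40):
        return Finding(user, "Raw SHA1", True)
    return Finding(user, "unrecognised", False)


def audit(text):
    """Classify every line of a hash file, skipping blanks and comments."""
    return [f for f in (classify(l) for l in text.splitlines()) if f is not None]


def exposed_users(text):
    """Accounts whose stored hash is in the instant-recovery class."""
    return [f.user or "(no user)" for f in audit(text) if f.rainbow_exposed]


# Constructed sample lines; the digests are placeholders, not real accounts.
SAMPLE = "\n".join([
    "# constructed sample",
    "alice:1001:" + EMPTY_LM + ":" + "0123456789abcdef" * 2 + ":::",
    "bob:1002:00112233445566778899aabbccddeeff:" + "0123456789abcdef" * 2 + ":::",
    "carol:$6$saltsalt$abcdefghijklmnopqrstuv:18000:0:99999:7:::",
    "dave:$1$saltsalt$abcdefghijklmnopqrstuv:18000:0:99999:7:::",
    "erin:!:18000:0:99999:7:::",
    "frank:ab01234567890:18000:0:99999:7:::",
    "0f" * 16,
    "svc:" + "0f" * 20,
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("instant-recovery class:", exposed_users(SAMPLE))
```

Accounts the helper flags are the ones to prioritize for rehashing with a salted scheme or, on Windows, for disabling LanMan hash storage.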

Once you have dumped the hash file, you are ready to recover the user names and passwords that it contains.

To get started, display the Passware Kit Start Page, then click the Recover button, or press Ctrl+O.

Locate the hash file and click Open. This displays the following window:

Choose one of the following options for password recovery, depending on the available information about the password:

Use the Password Recovery Wizard - best for users who know something about their passwords, but are new to password recovery.

Run the default attacks - best for users who know nothing about their passwords.

Use the Attack Editor - best for advanced users who are decrypting strong passwords.

This procedure initiates the password recovery process. The results (i.e., user account names and login passwords) are displayed when the recovery is complete. The figure below shows a sample result.

Working with Passware Kit Portable

You can use the Passware Kit to find encrypted files and recover lost passwords on other computers without installing the software there. The Portable Version can be installed on any removable device, i.e., a USB drive or a CD (USB recommended), and then used directly from this device on a target computer. Passware Kit Portable does not modify settings or files on a target computer (registry records, patched or unprotected files, etc.).

The overall steps are:

1. Prepare a portable version on a CD or USB disk

2. Run a portable version on a target computer

Preparing Passware Kit Portable

To create a portable version of Passware Kit, click Create Portable Version in the File menu:

This displays the screen shown below:

Choose the folder in which to install the portable version. It can be installed directly on a removable USB thumb drive. Click OK.

Passware Kit installs its portable version in the specified folder. Once installed, you can copy this folder onto a CD or USB drive.

Passware Kit Portable is now ready to be used directly from your removable CD or USB drive.

Running Passware Kit Portable

Once you have prepared the portable CD or USB drive, you are ready to use Passware Kit Portable on a target computer by following these steps:

1. Insert the portable CD or USB drive into the target computer.

2. Run the PasswareKitForensic.exe file from the portable CD/USB.

3. Passware Kit starts:

Use Passware Kit Portable like a regular version of the software.

NOTE: Passware Kit Portable does not make any changes to the original file system or registry of the target computer. This means that after encryption scanning, password recovery, or decryption of files on the target computer, all items and original passwords remain unaffected. Passware Kit Portable does not save any log files, reports, or unprotected files on a target computer. All data is saved on a portable USB drive. It is recommended to run Passware Kit Portable from a USB drive instead of a CD; otherwise, the program will be unable to save any data due to writing restrictions on a CD drive.

Using Passware Kit Forensic with EnCase

All Guidance EnCase users can now utilize Passware Kit Forensic to detect encrypted files in a case. Thanks to integration with Passware Kit Forensic, EnCase can detect over 200 encrypted file types and initiate a password recovery process if required.

Requirements:

EnCase 7.x or later (32-bit).

How-To for EnCase v7 and Higher

1. Launch EnCase and open a case file.

2. Click "Process Evidence". The information about encrypted files will be displayed in the "Protected" and "Protection complexity" columns of EnCase.

3. Right-mouse click on the file you would like to open:

4. Choose Open With -> Passware Kit. Passware Kit Forensic will be launched as a File Viewer and the password recovery process will start automatically.

5. After the file is decrypted or the password is recovered, you can open the file directly from Passware Kit Forensic.

How-To for EnCase v6

If you are using EnCase v6, you can still use the encryption detection capabilities of Passware Kit Forensic via EnScript. The sample EnScript bookmarks all the password-protected or encrypted files for further analysis. Passware Kit Forensic 10.3 or later is required in this case.

1. Launch EnCase and open a case file

2. Add C:\Program Files (x86)\Passware\Passware Kit\EnCase\PasswareSample.EnScript

3. Select Entries you would like to scan

4. Run PasswareSample.EnScript

5. All the encrypted or password protected entries are bookmarked and additional information is displayed at the Console. A sample report is shown below:
