Password Recovery Can be Practical

Guidance Software’s Tableau Unit recently released Tableau™ Password Recovery, a hardware + software solution to accelerate password attacks on protected files, disks, and other containers.

It’s always fun to play with new toys, and when the new hotness is a purpose-built, linearly scalable, password-cracking behemoth, how can one not share? I did a bit of digging while running a two-server Tableau Password Recovery setup through its paces in our labs here in Pasadena, California, and while I found many good tools and tutorials for password cracking, I found it difficult to differentiate the theoretically possible from the actually practical. Here are some thoughts from that process.

Digital Forensic Notables and Top-flight Instructors On Tap at CEIC 2015

(This is Part 3 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC 2015.)

The first post in this series talked about how we're expanding on the core competency of the EnCase community who converge on CEIC each year. The second post drilled down into the plethora and diversity of digital artifacts and showcased sessions designed to address these exploding challenges. In this final post, we present the marquee of acclaimed industry experts who will be on hand to teach new technologies and tools and share hard-earned insight from decades of experience in digital investigations.

Ask the Expert: Amber Schroader of Paraben Corporation

Recently, Amber Schroader, the CTO of Paraben Corporation, joined us for a well-attended webinar, Six Keys to Conducting Effective Mobile Forensic Investigations. A number of our attendees had questions that we wanted to capture here along with Amber's answers.

What do you recommend when dealing with the drivers on pay-as-you-go devices?

EnCase 7.09.04: Extracting Passwords from OS X Keychains

Ken Mizota

EnCase 7.09.04 is now available and contains several enhancements to make your investigations more efficient and comprehensive. Today’s digital investigators face a constant struggle to maintain comprehensive investigative skill sets, while continuously improving efficiency in the face of overwhelming growth of evidence and diversity of malfeasance. EnCase 7.09.04 makes reporting more efficient with the Flexible Reporting Template and reduces investigator effort by enabling decryption of McAfee Endpoint Encryption devices with the 64-bit EnCase Examiner. EnCase 7.09.04 expands on the strongest Windows-based investigation capabilities of OS X machines, adding the ability to decrypt and extract passwords from OS X keychains.

To gain access to this release, register your dongle and you’ll receive a MyAccount email with download links.

In this article, I'll walk through the information that can be extracted from keychains and also provide sample EnScript-based techniques to expose this data in EnCase.

Passware Kit Forensic - Now Available for Purchase

Guidance Software

During the v7 roadshow last year, one of the most talked-about new features was our Passware integration. The question I heard over and over was "Can I buy Passware from Guidance Software?" At the time, unfortunately, you could not, but I am glad to say that now you can. Before getting into how you can purchase the product, let's talk a little about our integration and what exactly you can do with Passware Kit Forensic.

With EnCase® Forensic v7 you can perform protected file analysis in the evidence processor. Using Passware's Encryption Analyzer, EnCase will identify encrypted and password-protected files. Once protected file analysis is complete, you will be able to see what files are protected as well as the complexity of the protection. Pretty cool stuff.

To do what I have briefly described, you do not need a license for Passware; this capability is part of v7, no strings attached. However, if you want to take the next step and actually decrypt the files, you do need the Passware Kit Forensic product, which you can now purchase directly from Guidance.

For those of you not familiar with this product, Passware Kit Forensic is a complete encrypted evidence discovery & decryption solution for computer forensics. It recovers or resets passwords for more than 200 different types of files, decrypts hard drives and PGP archives, and unlocks Windows and Mac accounts. Complete with FireWire Memory Imager, Passware Kit Forensic is the first and only commercial software that decrypts BitLocker, TrueCrypt and FileVault hard disks, and instantly recovers or bypasses Mac and Windows login passwords of seized computers.

The latest version of Passware Kit Forensic, v11.3, includes the following capabilities, to name a few:

• Decrypts 200+ file types
• Decrypts FDE: TrueCrypt, BitLocker, FileVault and PGP
• Recovers Mac user passwords
• Acquires and analyzes live memory images
• Distributed and Cloud Computing acceleration
• Hardware acceleration: NVIDIA & ATI GPU, TACC, multi-cores

As Dmitry Sumin, President of Passware, Inc. said, “Encryption is becoming a major obstacle for digital investigations. We are excited to provide EnCase customers with an efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.” By the way, if you don't already follow Passware on Twitter, you should.

Dmitry and his team have been great to work with over this past year, and we look forward to providing further integration in the future.