Monday, August 3, 2015

Password Recovery Can be Practical


Guidance Software’s Tableau Unit recently released Tableau™ Password Recovery, a hardware + software solution to accelerate password attacks on protected files, disks, and other containers.


It’s always fun to play with new toys, and when the new hotness is a purpose-built, linearly scalable, password-cracking behemoth, how can one not share? I did a bit of digging while running a two-server Tableau Password Recovery setup through its paces in our labs here in Pasadena, California, and while I found many good tools and tutorials for password cracking, I found it difficult to differentiate the theoretically possible from the actually practical. Here are some thoughts from that process.


Data protection is ancient
Each step forward in communication technology has been accompanied by a corresponding technology to protect the idea itself. Ancient Greeks used a scytale, a rod wrapped with a strip of parchment, to protect messages on the battlefield. Presumably, cryptanalysts of the day had to be moderately talented at woodwork.



While data protection is ancient, our tools don’t have to be. Modern cryptography and cryptanalysis is not the stuff of whittlers, but rather mathematicians and statisticians. One can’t throw a scytale these days without hitting protected data, increasingly protected by strong cryptography: more math than most computers can deal with effectively. The domain of the problem is massive, making it costly to solve in terms of compute and duration. The good news is we know the math, and there are established techniques we can use.


The problem in practice decomposes into a few pieces:

How to detect protected data?
How to expose protected contents for human review?
How to scale and manage effectively?
Disk and file encryption
Full-disk encryption is commonplace and arguably in in most enterprises is the norm. We know detecting full disk encryption is useful to investigators, because one of the most consistently popular blog posts here is Graham Jenkins’Spotting Full Disk Encryption. Graham points out how EnCase® provides visibility to the encrypted data itself, which can inform the investigator of appropriate next steps. EnCase also determines the encryption provider and prompts for credentials. The screenshot below appears when I attempt to preview my own encrypted OS drive:



Our team works with major disk encryption solutions such as: Check Point Full Disk Encryption, Credant Mobile Guardian and Dell Data Protection, GuardianEdge, McAfee Endpoint Encryption, Microsoft BitLocker, Sophos SafeGuard, Symantec PGP, Symantec Endpoint Encryption, and WinMagic SecureDoc. This is made possible through direct collaboration with the individual encryption vendors, and it's well worth the effort.


What are we dealing with? Detecting protected files
Getting access to the volume itself is just one step. In EnCase, we use file signature analysis to examine the file extensions, headers and footers of files to determine if their appearance in the file system is consistent with the data they truly represent.


Let’s say we have a password-protected Excel 2010 workbook. The workbook is still recognizable by signature analysis as an Excel workbook, but if you tried to open the file, you’d be asked for a password. If you examine the contents of the workbook in Hex or Text views, you’d see seemingly meaningless data.





But is this file actually protected? If so, how is it protected? We can answer this by running Protected File Analysis in the EnCase Processor. EnCase uses the Passware Encryption Analyzer to identify encrypted and password-protected files. Protected file analysis is available in all EnCase editions, including EnCase® eDiscovery, where protected files are automatically identified as exceptions during processing.





After Protected File Analysis, we can see which files are protected, and also what type of password recovery method is required to unlock the contents.





Even just these two pieces of data inform the next steps of our case.


Peering inside: Using Passware and EnCase
Now that we’ve identified the file as protected, and we know specifically how it is protected, all we have to do is to open it! Unfortunately, this is where the “more math than computers can handle efficiently” issue appears. Fortunately, we have a few options within arm’s reach.


We can decrypt the file with Passware Kit Forensic directly. Passware Kit Forensic is one of the most comprehensive, well-maintained, and supported password recovery tools commercially available. If you have Passware Kit Forensic installed on your workstation, you can export the file from EnCase or add Passware as a file viewer for right-click efficiency.





Passware Kit Forensic provides decryption capabilities for over 200 file types and implements a full spectrum of attacks, from instantaneous decryption to brute force. I won’t provide a full treatment of Passware Kit Forensic here, so take a look at the Passware site for more resources.


One approach worth mentioning is the dictionary attack. Dictionary attacks are a relatively intelligent solution to a vast problem: If we’re trying all the potential permutations of a password, where shall we begin? Conveniently, humans think and communicate in words, so words are a reasonable place to start when looking for decryption keys or passwords used by humans. Dictionary attacks use word lists as inputs to determine a decryption key.



If a general set of words are a reasonable place to start, then wouldn’t words found within a specific data set be that much better? Wouldn’t including passwords found within a case, extracted from Windows or from OS X keychains also be a good starting point?


After processing and indexing evidence in a case, EnCase enables export of words discovered in the case for use by Passware Kit Forensic dictionary attacks. It’s always wise to start with a good dictionary whenever possible, and Passware Kit Forensic makes sure the dictionary informs the attack execution plan.




Adding it all up: Efficient, Manageable, Scalable
Of course, the principal problem of password recovery is not determining what you can recover, nor using the right technique. Inevitably, any standing password recovery capability needs to make computationally expensive tasks efficient and manageable.





I have two Tableau Password Recovery servers in the lab. Working together, they accelerate password recovery attacks by orders of magnitude relative to use of a CPU alone. Each server comes outfitted with four Tableau Accelerator Gen2 PCI boards (TACC2). Protected files, like PGP self-decrypting archives can be attacked at rates exceeding 1.5 million passwords/second. Multiple Tableau Password Recovery servers can operate in parallel with linear performance scalability. If you need greater acceleration, simply add another server.


Tableau Password Recovery has been directly integrated into EnCase, making recovering password protected files a few clicks away. Select files to recover, submit them to the Tableau Password Recovery server, and monitor the status.










When password recovery has completed a job, the recovered file can be retrieved and automatically added to the case, including the recovered password and execution log for further review. The decrypted file is automatically linked to the original protected file. It’s a minor thing, but we know it makes for one less thing to track.


Any treatment of practical password recovery would be incomplete without mentioning GPU-based acceleration. GPUs effectively accelerate many password-recovery algorithms. But that performance comes at a cost. Today’sSINGLEcard solutions consume 300W under load, and multi-GPU configurations require power supplies in excess of 1000W. Greater power consumption increases operational costs in the form of cooling and component failure. Reliably sourcing compatible replacement parts can be challenging, creating ongoing maintenance, testing and other hidden costs. GPUs excel at high-end throughput, but top-end speed can’t be the only factor in a practical password recovery.







The table above compares passwords-per-second versus passwords-per-second-per-watt for three different password-recovery solutions. Passwords-per-watt turns out to be a good way to describe not only top-end speed, but also the inherent reliability and manageability of the system. Tableau Password Recovery achieves acceleration on par with multi-GPU solutions, while sipping watts.


Finally, Tableau Password Recovery is a Tableau forensic product to the core. The FPGA-based accelerator technology not only allows the system to run cooler, but also enables future flexibility. As with all Tableau products, Tableau Password Recovery will receive no-cost software updates without requiring hardware changes. These updates will add new algorithms for acceleration as well as improve efficiency of existing accelerators.

0 comments: