Valuable information may reside in password-protected documents or on passworded computers. You may be able to recover those passwords and perform further analysis to establish whether or not you’ve been attacked. Before we get rolling on this topic, however, I have a very, very important warning for you.

Privacy laws are extremely strict about presumption of privacy when the owner of the computer or information has gone to the trouble to password it. Unless your company has an explicit, acknowledged policy to the contrary, don’t perform any password recovery unless the employee has left the company and you need to recover corporate information. In that case, be sure to destroy any information that is not explicitly for company-use only. When in doubt, wipe it out! Don’t expose yourself to a lawsuit over invasion of privacy. If you can get the employee’s written permission, of course, go ahead and do whatever you need to. That’s what this topic is about. There are three basic ways to recover passwords, none of which is guaranteed to work. The first is physical, the second is by cracking them, and the third is through inference. We’ll take each in turn.

Physical Password Recovery

Physical password recovery relates to passwords that are embedded in CMOS and can’t be recovered in any other manner. CMOS passwords are used during the bootup of the PC and, often, can be recovered by using password cracking programs. If the PC is passworded, however, you probably won’t be able to boot it, even from your DOS floppy boot disk.

Different computers have different ways to defeat the boot password. For example, Dell notebooks often have a small sliding door that, once removed, reveals two prongs extending from the circuit board. Shorting those prongs will clear the password. Other PCs may need to have their CMOS cleared. This can be a pretty touchy process because clearing the CMOS also clears such things as the hard drive type recognition. The process is, simply, to open the case and remove the CMOS battery. Leave it out for about five minutes, replace it, and boot the PC from your floppy.

If the PC won’t configure its memory and drive types, go into the setup program — it’s different for most PCs, so try several combinations, such as [F2], [Ctrl][Alt][Esc], etc. On most PCs, you’ll be told what to do as soon as the PC discovers that it’s misconfigured. Watch the screen during bootup and act quickly. You should observe whatever information about the hard drive you can find on the drive’s cover when you open the PC. You’ll need it at this point.

Password Cracking

To crack passwords, you’ll need password cracking programs and, usually, a good cracking dictionary. There are several types of passwords you’ll need to crack. Some are for the PC, some are for documents created by programs, like Word or Excel, and some are for compressed files that have been passworded.

For Windows95 passwords, Glide is indispensable. ZipCrack will crack files encrypted and compressed with PKZip. PCUPC and Cracker Jack are for Unix password files you are cracking on a DOS PC. Decrypt will break WordPerfect documents, as will WPCrack, and WordCrack will do the same for MSWord documents.

For network operating systems, try NetCrack on Novell and L0phtCrack for NT. Both of these require second programs to extract the passwords in a Unix-like password file format and superuser privileges. If you plan to use them to get superuser passwords, you’re probably out of luck. If you need to extract the password from a PC using AMI BIOS, try AMI Decode. The trick, of course, is that you need to be on the PC to use it. That means you will need to catch the PC while it is still turned on. Always run it from the floppy, never the hard drive. I recommend that you add a complete set of password crackers to your tool kit. A skilled intruder will always encrypt and password-protect.

By Inference

Here’s the tough one. You won’t be able to crack files encrypted with strong encryption, such as PGP or DES. You will need to find the password some other way. For this, we’ll take a page from the hackers who use sniffers to capture IDs and passwords. However, we won’t actually use sniffers. We’ll “sniff” the hard disk using our forensic utilities. This doesn’t always work, of course, but I have found passwords stuffed in out-of-the-way places on PCs that work on networks, encrypted files, and all sorts of other computers and systems. In fact, finding a password for a stolen account on a suspect’s PC is a pretty good way to establish that they accessed the victim system containing that account.

If you have a physical image of your PC, try this. Use any word processor that can search for text and have it search for your password(s). You’ll be surprised how many instances of passwords it will find — those you thought you’d never saved. The problem, of course, is that you know your password, so you know what to search for. You haven’t any idea what you’re looking for when you search for someone else’s password. Here’s how I go about it.

First, I get a good image of the computer I’m going to investigate. Next, I need to get a file without any binary “junk” in it, so I use the NTI FILTER_I program. It will give me a file with only ASCII characters in it. I usually start by building a file with probable English words. Most people do not use strong passwords. However, there is a strong possibility that a skilled intruder will know how to make passwords that are very hard to crack. Those will have characters that don’t look like any English word. It’s a good idea to try, though. You might get lucky (surprising how often we depend upon luck to get us through a sticky problem, isn’t it?) and find a password or two.

Next, I just get rid of the binary characters and scan the rest for probable passwords. The scan is, of course, visual. There is nothing that can do that tedious job for you. If we are sharp-eyed, we’ll often find passwords that work this way.

They will usually be in slack space or swap files. We can use the NTI GETSLACK and GETFREE programs to cut down on the possible disk space we have to analyze if we use them on the reconstructed test disk. They won’t help us on the raw, unrestored image file.
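The filter-then-scan procedure above, as an added example that is not part of the original text or of the NTI tools: it pulls the printable-ASCII runs out of a raw image the way FILTER_I does, lets you audit where a password you already know has leaked into slack or swap, and flags runs that sit next to a credential keyword. The image bytes are constructed for the demonstration.

```python
import re

# Constructed sample "image": binary junk with a few ASCII fragments embedded,
# the way credentials end up in slack space or a swap file.
SAMPLE_IMAGE = (
    b"\x00\xff\x10MZ\x90\x00"                    # binary header junk
    + b"login=jsmith\x00password=Tr0ub4dor&3\x00"  # left in clear by an application
    + b"\x01\x02\x03" * 10
    + b"The quick brown fox"                      # ordinary text, not a credential
    + b"\x00\x00PGP pwd: hunter2\x00"
    + b"\xde\xad\xbe\xef" * 5
)

# Keywords that usually sit next to a secret; group 1 is the secret itself.
CRED_KEYWORD = re.compile(
    r"(?:pass(?:word|phrase)?|pwd|login|user(?:name)?)\s*[:=]\s*(\S+)", re.I)


def ascii_runs(image: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """FILTER_I-style pass: (offset, text) for each printable run of >= min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def find_known(image: bytes, known: list[str]) -> dict[str, list[int]]:
    """Self-audit: every offset at which a password you already know appears in clear."""
    hits: dict[str, list[int]] = {}
    for pw in known:
        needle = pw.encode("ascii")
        hits[pw] = []
        start = 0
        while (idx := image.find(needle, start)) != -1:
            hits[pw].append(idx)
            start = idx + 1
    return hits


def candidate_secrets(image: bytes) -> list[tuple[int, str]]:
    """Runs that follow a credential keyword; the offset points at the secret's first byte."""
    found = []
    for offset, text in ascii_runs(image):
        for m in CRED_KEYWORD.finditer(text):
            found.append((offset + m.start(1), m.group(1)))
    return found


if __name__ == "__main__":
    for offset, secret in candidate_secrets(SAMPLE_IMAGE):
        print(f"0x{offset:08x}: {secret}")
    print(find_known(SAMPLE_IMAGE, ["Tr0ub4dor&3"]))
```

Run it against a real image by reading the file as bytes (or in chunks with an overlap of a few hundred bytes so runs spanning a chunk boundary are not cut); the keyword list is a starting point, not an exhaustive one.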

Once we have found a password or two, we should try them everywhere we need to unlock our suspect’s secrets. It is amazing how often people use the same passwords for everything. Finding a password that is used for a Windows screen saver (using the Glide utility, perhaps) could cause a PGP-encrypted file to yield immediately. Always try the obvious first. This means to use your crackers and then see if any passwords found work on other things. Resort to forensics only if all else fails. It is tedious, slow, eye-crossing work to infer passwords out of the millions of characters on a multi-gigabyte disk, even with the help of the NTI utilities.

Where does this fit into our discussion of deciding if you have a crime? Many careful, well-trained computer users do all of the things the bad guys (and girls) do, for different reasons. If the owner of the PC is not available (on vacation, sick, temporarily suspended pending completion of your investigation, no longer with your organization, etc.), you may have to resort to breaking into their PC to complete your investigation. Remember the earlier warning, however: privacy laws are strict and the consequences of breaking them can be severe.