In your previous work with FTK, you may have come across encrypted files but were unclear how to break the encryption. Now, you will work through a number of decryption techniques in an effort to obtain access to encrypted files located on the Mantooth and Washer disk images as well as obtain other passwords that may be recoverable.
Create a new case in FTK named MantoothWasherDecryption. Add both the Mantooth and Washer images to the case and then process the case.
The first thing that needs to be done after processing the case is to identify the encrypted files. This can be done in FTK 6 by navigating to the Overview tab > File Status > Encrypted Files. You should see a list of encrypted files from Washer and Mantooth:
- Mantooth: C money plates.doc, CC nums.xls, John.doc, Secring.skr, Those who owes.xls, Wes.doc
- Washer: Allstate Credit Agency.pdf, Bad day.jpg, How to Steal Credit Cards.doc, jpg, Pee limit.jpg, The Dealz.doc, X marks the spot.doc, SLIST.doc
Export one copy of each of these files to a new directory named Encrypted Files for later reference.
The Windows registry also contains account and password information for various applications and other uses, so the registry files are of interest as well. In FTK 6, navigate to File Category > OS/File System Files > Windows NT Registry. There you will see a list of OS files.
Export a copy of the NTUSER, SAM, SECURITY, and SYSTEM registry files from the Washer image into the newly created Encrypted Files\Washer directory. Export the same registry files from the Mantooth image into the newly created Encrypted Files\Mantooth.
Our next step in the decryption process is to create a wordlist. In FTK 6, from the Explore tab, highlight the Mantooth and Washer HDDs and select File > Export Wordlist. Select all of the Mantooth and Washer files, click Export, and save the wordlist as MantoothWasher_index in a folder named FTK Export Wordlist.
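The wordlist FTK exports is built from strings found in the evidence itself, which is why it is tried before generic dictionaries. The following added example (not FTK or PRTK code) shows the idea in miniature: it pulls ASCII and UTF-16LE tokens out of raw file bytes, as they appear in Office documents and registry hives, and orders them by frequency. The sample bytes are constructed here for illustration.

```python
import re
from collections import Counter
from typing import Iterable, List

# Candidate tokens: 4..40 characters drawn from a conservative character class.
# Windows stores many strings as UTF-16LE, so a second pattern matches
# "letter, NUL" pairs; NUL is not in the ASCII class, so the two never overlap.
ASCII_RE = re.compile(rb"[A-Za-z0-9_@-]{4,40}")
UTF16_RE = re.compile(rb"(?:[A-Za-z0-9_@-]\x00){4,40}")


def extract_tokens(data: bytes) -> List[str]:
    """Return every candidate token found in raw file bytes."""
    tokens = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    tokens += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return tokens


def build_wordlist(files: Iterable[bytes], min_len: int = 4) -> List[str]:
    """De-duplicated wordlist, most frequent token first, case preserved.

    Ties are broken alphabetically so the output is stable between runs.
    """
    counts: Counter = Counter()
    for data in files:
        for tok in extract_tokens(data):
            if len(tok) >= min_len:
                counts[tok] += 1
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


# Constructed sample input standing in for exported evidence files.
SAMPLE_DOC = b"Mantooth owes Wes. Mantooth paid Mantooth's debt 2004-07-14\n"
SAMPLE_UTF16 = "Washer Mantooth password123".encode("utf-16-le")

if __name__ == "__main__":
    for word in build_wordlist([SAMPLE_DOC, SAMPLE_UTF16]):
        print(word)
```

The resulting list is the shape of input the PRTK Dictionary Utility consumes: one candidate per line, most promising first.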
After creating a wordlist, it is time to create a dictionary to be used by PRTK in the attack process. Create a dictionary in PRTK by navigating to Tools > Dictionary Utility. Figure 1 shows the dictionary utility.
Figure 1. Dictionary Utility
Source: PRTK
Create a dictionary for the MantoothWasher_index wordlist. This dictionary is to be used to create an attack profile. To create the attack profile in PRTK, navigate to Edit > Profiles > Highlight “PRTK” > New From Selected. Place a checkmark next to the MantoothWasher dictionary that was created previously. Name the attack profile MantoothWasherProfile.
In the Dictionaries Order tab of the Profile editor, move the MantoothWasher wordlist to the top of the dictionary order (shown in Figure 2) so that it is used first in the attacks.
Figure 2. Profile Editor
Source: PRTK
Now it is time to use PRTK for decryption. In PRTK, navigate to File > New Case and name it MantoothWasher. Help > Recovery Modules provides documentation on the PRTK modules; this will help in tailoring attacks on specific files based on the type of encryption suspected. Modify the attack profile so that MantoothWasherProfile is executed first.
Add two encrypted files (Those who owes.xls and X marks the spot.doc) to the PRTK workspace from the Encrypted Files directory that you previously created. We are only going to process these two files due to time constraints. You can attempt to process other files, but realize that processing each one may take many minutes to many hours. The process to decrypt them is the same, but we are limited in time for this lab. When time is a consideration, single files can be decrypted one at a time, or perhaps files that are anticipated to be easier to crack can be worked on first. If you have more time available it is common to process all encrypted files at once.
When you add encrypted files to PRTK, a series of windows may pop up. Select the default/OK and continue. It may take several minutes for the password space to calculate. A series of pop-up windows similar to Figures 3 and 4 will appear as encrypted files are added to PRTK.
Figure 3. Add Job Wizard
Source: PRTK
Figure 4. Calculating Password Space
Source: PRTK
Once you have added files to PRTK and begun the attacks, the workspace will look similar to Figure 5.
Figure 5. PRTK performing password recovery
Source: PRTK
After working through the two encrypted files (Those who owes.xls and X marks the spot.doc), you could add the NTUSER, SAM, and SYSTEM registry files from the Encrypted Files\Washer and Encrypted Files\Mantooth directories to the PRTK workspace to obtain account information. In the interest of time and lab resources, it may not be possible to process these registry files.
Document each of the passwords that you obtain, as you will need to create a master password list for FTK. The master password list can be created in FTK > Evidence > Additional Analysis > Perform Automatic Decryption.
To use the master password list, navigate to FTK > Evidence > Additional Analysis > Select Automatic Decryption. The results can be found in FTK > Overview tab > File Status > Decrypted Files.
Once you have completed the decryption process, create a report of your findings. Your report should contain a title page, an executive summary, detailed findings that explain what you found and the tools/processes that you employed, and an accurate presentation of your results. You will include this lab report in your Final Decryption Report.