
CHFIv9 Module 05 Defeating Anti-Forensics Techniques

Uploaded by

Quang Vũ
Module 05: Defeating Anti-Forensics Techniques

- Define anti-forensics and list the goals of anti-forensics
- Review anti-forensics techniques
- Extract evidence from deleted files/partitions, password protected files, and stego material
- Identify trail obfuscation, artifact wiping, data/metadata overwriting, and encryption
- Identify encrypted network protocols, program packers, rootkits and detection methods
- Examine different techniques attackers use to avoid detection during investigation
- Interpret anti-forensics countermeasures
- Understand challenges faced by investigators to defeat anti-forensics

- Anti-forensics (also known as counter forensics) is a common term for a set of techniques aimed at hindering or preventing a proper forensics investigation process
- They may reduce the quantity and quality of digital evidence available

Goals of Anti-Forensics
- To interrupt and prevent information collection
- To make the investigator's task of finding evidence difficult
- To hide traces of crime or illegal activity
- To compromise the accuracy of a forensics report or testimony
- To force the forensics tool to reveal its presence
- To use the forensics tool itself for attack purposes
- To delete evidence that an anti-forensics tool has been run

Anti-Forensics Techniques
- Data/File Deletion
- Password Protection
- Steganography
- Data Hiding in File System Structures
- Trail Obfuscation
- Artifact Wiping
- Overwriting Data/Metadata
- Encryption
- Encrypted Network Protocols
- Program Packers
- Rootkits
- Minimizing Footprint
- Exploiting Forensics Tool Bugs
- Detecting Forensics Tool Activities

Anti-Forensics Techniques: Data/File Deletion

Covering tracks of their illegal activity is often a concern for intruders.
As a part of it, intruders will delete files which they believe may be incriminating.
- Investigators can, however, probably get those files back by using various data recovery tools, depending on the operating system the computer is running

What Happens When a File is Deleted in Windows?

FAT File System
- The OS replaces the first letter of a deleted file name with a hex byte code: E5h
- E5h is a special tag that indicates that the file has been deleted
- The corresponding cluster of that file in FAT is marked as unused, although it will continue to contain the information

NTFS File System
- When a user deletes a file, the OS marks the file as deleted in the master file table (MFT)
- The clusters allocated to the deleted file are marked as free in the $BitMap (the $BitMap file is a record of all used and unused clusters)
- The computer now notices those empty clusters and avails that space for storing a new file
- The deleted file can be recovered if the space is not allocated to any other file

Note: On a Windows system, performing a normal Delete operation sends the files to the Recycle Bin, whereas performing the Shift+Delete operation bypasses the Recycle Bin.

- The Recycle Bin is a temporary storage place for deleted files, which is located on the Windows desktop
- Items can be restored to their original positions with the help of the Restore all items option of the Recycle Bin
- The file remains in the Recycle Bin until you empty the Recycle Bin or restore the file

Note: Deleting a file or folder from a network drive or from a USB drive may delete them permanently instead of being stored in the Recycle Bin

Storage Locations of Recycle Bin in FAT and NTFS Systems
- The storage location of the Recycle Bin depends on the type of OS and file system
- On FAT file systems:
  - On Windows 98 and prior, it is located in Drive:\RECYCLED
- On NTFS file systems:
  - On Windows 2000, NT, and XP it is located in Drive:\RECYCLER
  - On Windows Vista and later versions, it is located in Drive:\$Recycle.Bin
- All recycled files on the FAT system are dumped into a single C:\RECYCLED directory, while recycled files on the NTFS system are categorized into directories named C:\RECYCLER\S-.... (prior to Windows Vista) and C:\$Recycle.Bin\S-.... based on the user's Windows Security Identifier (SID)
- There is no size limit for the Recycle Bin in Vista and later versions of Windows, whereas in older versions it was limited to a maximum of 3.99 GB; items larger than the storage capacity of the Recycle Bin cannot be stored in the Recycle Bin

Note: On attaining the maximum storage limit of the Recycle Bin, the system permanently deletes the oldest files to make space

How the Recycle Bin Works
- Each hard disk has a hidden folder named:
  - Recycled (FAT file system - Windows 98 and prior)
  - Recycler (NTFS file system - Windows 2000, NT, and XP)
  - $Recycle.Bin (NTFS file system - Windows Vista and later versions)
- This folder contains files deleted in Windows Explorer or My Computer, or in Windows-based programs
- Each deleted file in the folder is renamed
- When a file is deleted, the complete path of the file and its name is stored in a hidden file called INFO or INFO2 (Windows 98) in the Recycled folder. This information is used to restore the deleted files to their original locations.
- Prior to Windows Vista, a file in the Recycle Bin was stored in its physical location and renamed as Dxy.ext
  - D denotes that a file has been deleted
  - x is the letter of the drive where the file is located
  - y denotes a sequential number starting from 0
  - ext denotes the original file extension, such as .doc or .pdf
- Since the advent of Windows Vista, the metadata of each file is saved as $I<number>.<original extension> and the original file is renamed to $R<number>.<original extension>
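The $I metadata file described for Windows Vista and later can be decoded directly during an examination. The parser below is an added example, not part of the original module: the byte layout it relies on (8-byte version, 8-byte size, 8-byte FILETIME, then a fixed 520-byte path in version 1 or a length-prefixed path in version 2) is the commonly documented $I format rather than something the slides spell out, and the sample records, paths and function names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<qqq")  # version, original size, deletion FILETIME
V1_PATH_BYTES = 520             # 260 UTF-16 characters, NUL padded


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse conversion; used here only to build the constructed samples."""
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Parse the raw bytes of a $I file into its three recorded facts.

    Raises ValueError for an unknown version or a truncated record so that
    a damaged metadata file is reported instead of silently mis-decoded.
    """
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 24-byte $I header")
    version, size, deleted = HEADER.unpack_from(data, 0)
    if version == 1:
        # Vista to 8.1: fixed-size path field directly after the header.
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("truncated version 1 path field")
    elif version == 2:
        # Windows 10 and later: character count (including NUL), then path.
        if len(data) < 28:
            raise ValueError("missing version 2 path length")
        (chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * chars]
        if len(raw) != 2 * chars:
            raise ValueError("truncated version 2 path")
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "size": size,
        "deleted_utc": filetime_to_datetime(deleted),
        "original_path": path,
    }


def r_name_for(i_name):
    """Return the name of the $R content file paired with a $I file."""
    if not i_name.upper().startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample(version, size, when, path):
    """Build a constructed $I record so the example runs without evidence."""
    header = HEADER.pack(version, size, datetime_to_filetime(when))
    if version == 1:
        return header + path.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return header + struct.pack("<I", len(path) + 1) + encoded


if __name__ == "__main__":
    # Constructed sample: values are illustrative, not from a real case.
    when = datetime(2016, 3, 15, 12, 30, tzinfo=timezone.utc)
    sample = build_sample(2, 20480, when, r"E:\work\report.doc")
    record = parse_i_file(sample)
    print(r_name_for("$IAB12CD.doc"), record)
```

On real evidence, read each $I file from a working copy of the image in binary mode and pass its bytes to `parse_i_file`; the matching content is in the file named by `r_name_for`.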
How the Recycle Bin Works (Cont'd)
- Prior to Windows Vista, the deleted file was renamed using the syntax: D<original drive letter of file><#>.<original extension>
  - Example: De7.doc = (File is deleted from E drive, it is the eighth file received by recycle bin, and is a doc file)
- The information about the deleted file is stored in a master database file named INFO2 located at C:\Recycler\<USER SID>\
- INFO2 contains:
  - Original file name
  - Original file size
  - The date and time the file was deleted
  - The file's unique identifying number in the recycle bin
  - The drive number that the file came from
- In Windows Vista and later versions, the deleted file is renamed using the syntax: $R<#>.<original extension>, where <#> represents a set of random letters and numbers
- At the same time, a corresponding metadata file is created which is named as: $I<#>.<original extension>, where <#> represents a set of random letters and numbers the same as used for $R
- The $R and $I files are located at C:\$Recycle.Bin\<USER SID>\
- The $I file contains:
  - Original file name
  - Original file size
  - The date and time the file was deleted

- If the INFO2 file is damaged or deleted, no file appears in the Recycle Bin
- The files in the Recycled folder have been renamed
- If the INFO2 file is deleted, it is re-created when you restart Windows
- The INFO2 file is a hidden file. To delete the INFO2 file, follow these steps:
  1. Open a command prompt window
  2. Type cd C:\RECYCLER\S-.... User SID (change directory to the Recycle Bin folder)
  3. Type attrib -h info2
  4. Type del info2

Damaged Files in the Recycle Bin Folder
- Damaged files in the Recycle Bin folder (C:\RECYCLER, C:\RECYCLER\S-.... or C:\$Recycle.Bin\S-....) do not appear in the Recycle Bin
- To restore the deleted files, follow this process:
  1. Create a copy of the Desktop.ini file in the Recycle Bin folder and save it in another folder
  2. Delete all files in the Recycle Bin
  3. Restore the Desktop.ini file to the Recycle Bin folder
- If the Desktop.ini file is not present or is damaged, you can re-create it by adding the following information to a blank Desktop.ini file:
  [.ShellClassInfo]
  CLSID={645FF040-5081-101B-9F08-00AA002F954E}

- The Recycle Bin folder itself can be damaged
- Files are moved to the folder, and the Recycle Bin appears full, but you cannot view the contents and the "Empty The Recycle Bin" command is unavailable
- Deleting this folder and restarting Windows will re-create this folder and restore functionality:
  In Windows, prior to Vista:
  - Open a command prompt with administrative privileges
  - Type attrib -s -h recycler (the Recycle Bin folder)
  - Type del recycler
  - Restart the computer
  In Windows Vista and later:
  - Open a command prompt with administrative privileges
  - Run the rd /s /q C:\$Recycle.Bin command
  - Restart the computer

File Recovery Tools
- Recover My Files (http://www.recovermyfiles.com): Recovers deleted files emptied from the Windows Recycle Bin, files lost due to the format or reinstall of a hard drive, or files removed by a virus, Trojan infection, unexpected system shutdown or software failure
- EaseUS (http://www.easeus.com): Hard drive data recovery software to recover lost data from PC, laptop or other storage media due to deleting, formatting, partition loss, OS crash, virus attacks, etc.
File Recovery Tools (Cont'd)
- DiskDigger (http://diskdigger.org)
- Handy Recovery (http://www.handyrecovery.com)
- Quick Recovery (http://www.recoveryourdata.com)
- Stellar Phoenix Windows Data Recovery (http://www.stellarinfo.com)
- Total Recall (http://www.totalrecall.com)
- Advanced Disk Recovery (http://www.systweak.com)
- Windows Data Recovery Software (http://www.diskdoctors.net)
- R-Studio (http://www.data-recovery-software.net)
- Orion File Recovery Software (http://www.nchsoftware.com)
- Data Rescue PC (http://www.prosofteng.com)

File Recovery Tools (Cont'd)
- Smart Undeleter
- DDR Professional Recovery Software (http://www.recoverybull.com)
- Data Recovery Pro (http://www.paretologic.com)
- GetDataBack (http://www.runtime.org)
- UndeletePlus (http://undeleteplus.com)
- File Scavenger
- VirtualLab (http://www.binarybiz.com)
- Active@ UNDELETE (http://www.active-undelete.com)
- WinUndelete (http://www.winundelete.com)
- R-Undelete (http://www.r-undelete.com)

File Recovery Tools (Cont'd)
- Seagate File Recovery Software (http://www.seagate.com)
- Recover4all Professional (http://www.recover4all.com)
- Recuva (http://www.piriform.com/recuva)
- Wise Data Recovery (http://www.wisecleaner.com)
- Glary Undelete (http://www.glarysoft.com)
- Active@ File Recovery (http://www.file-recovery.net)
- Pandora Recovery (http://www.pandorarecovery.com)
- Disk Drill (http://www.cleverfiles.com)
- Ontrack EasyRecovery (http://www.krollontrack.com)
- PhotoRec (http://www.cgsecurity.org)

File Recovery in Mac OS X
- Deleting a file in Mac just removes it from the directory of files in the folder
- This de-allocates the space allocated to the file deleted, creating free space to store a new file

Methods to recover deleted files in Mac OS X:
- The deleted files are moved to the "Trash" folder in Mac. To restore, right-click the file and click on the Put Back option
- Time Machine is the built-in backup feature of Mac OS X 10.5 or newer versions.
  The investigator has to check if he/she can restore files from the Time Machine backup
- Another way to restore deleted files is using third-party software (recovers files emptied from the trash bin) such as FILERECOVERY 2016 (http://filerecovery.com), Mac Data Recovery (http://www.kerneldatarecovery.com), Mackeeper Files Recovery (http://www.data-retrieval.net), Boomerang Data Recovery (https://www.boomdrs.com), Data Recovery for Mac (https://www.binarybiz.com), etc.

File Recovery Tools: Mac
- AppleXsoft File Recovery for Mac (http://www.applexsoft.com)
- Disk Doctors Mac Data Recovery (http://www.diskdoctors.net)
- R-Studio for Mac
- Data Rescue 4 (http://www.prosofteng.com)
- Stellar Phoenix Mac Data Recovery (http://www.stellarinfo.com)
- FileSalvage
- 321Soft Data Recovery (http://www.321soft.com)
- Disk Drill (http://www.cleverfiles.com)
- Mac Data Recovery Guru (http://macosxfilerecovery.com)
- Cisdem DataRecovery 3 (http://www.cisdem.com)

File Recovery in Linux
- In Linux, files that are deleted using the command remain on the disk
- If a running process keeps a file open and then removes the file, the file contents are still on the disk, and other programs will not reclaim the space
- The second extended file system (ext2) is designed in such a way that it shows several places where data can be hidden
- It is worthwhile to note that if an executable erases itself, its contents can be retrieved from a memory image. The command creates a copy of a file in
- Third-party tools such as Stellar Phoenix Linux Data Recovery, R-Studio for Linux, TestDisk, PhotoRec, Kernel for Linux Data Recovery, etc. can be used to recover deleted files from Linux

Recovering Deleted Partitions

What Happens When a Partition is Deleted?
- When an intruder deletes a partition on a logical drive,
- When an intruder deletes a partition on a dynamic disk, , thus corrupting the disk
- Deleting a hard drive partition does not mean deleting everything, but just the parameters that mark how the partition is set up
- The deleted partition can be recovered, as it is not originally deleted, by using a software that reestablishes those parameters

Recovering Deleted Partitions (Cont'd)

Method 1
1. Restart the system with a Windows install DVD in the system
2. Hit the keys listed on the screen to go to the BIOS
3. In the BIOS, check the menu for "boot priority" or "boot order" to set the DVD as the first boot device
4. Restart the system and let Windows start the installation process
5. Accept all the choices to let Windows install, but opt for "Repair" rather than "Install"
6. Now when a DOS-like screen appears, type "fixboot" and press "enter"
7. Restart the system and check if the deleted partition is restored

Method 2
- Shut down the system and take the hard drive out
- Install the hard drive as a slave to another drive
- Now attempt to recover the deleted partition on the original system
Note: This method is not the safest way to avoid losing data

Method 3
- Use a third-party partition recovery software to recover the drive
- Run the program and follow the instructions to recover the partition
- Once restored, copy the files of the drive that had the partition recovered onto another drive. This prevents corruption of files

Partition Recovery Tools: Active@ Partition Recovery
- The Active@ Partition Recovery tool allows you to within DOS, Windows, WinPE (recovery boot disk) and Linux (recovery LiveCD) environments

Partition Recovery Tools
- 7-Data Partition Recovery (http://7datarecovery.com)
- Acronis Disk Director Suite (http://www.acronis.com)
- RS Partition Recovery
- Partition Find & Mount (http://findandmount.com)
- Advance Data Recovery Software Tools for NTFS (http://www.recoverdatatools.com)
- Mac Data Recovery (http://macpowerdatarecovery.com)
- Quick Recovery for Linux (http://www.recoveryourdata.com)
- Stellar Phoenix Linux Data Recovery Software (http://www.stellarinfo.com)
- NTFS Data Recovery Toolkit (http://www.ntfs.com)
- TestDisk for Windows (http://www.cgsecurity.org)

Partition Recovery Tools (Cont'd)
- Stellar Phoenix Windows Data Recovery (http://www.stellarinfo.com)
- EaseUS Partition Master (http://www.easeus.com)
- Hetman Partition Recovery (http://hetmanrecovery.com)
- MiniTool Power Data Recovery Free (http://www.powerdatarecovery.com)
- Remo Recover (Mac) - Pro (http://www.remosoftware.com/)
- TestDisk for Mac (http://www.cgsecurity.org)
- Starus Partition Recovery
- Disk Drill (http://www.cleverfiles.com)
- Stellar Phoenix Mac Data Recovery (http://www.stellarinfo.com)
- ZAR Windows Data Recovery

Anti-Forensics Techniques: Password Protection
- Investigators often come across password protected systems or files during the investigation process
- In such cases, they use specialized password cracking tools in order to circumvent the protection
- Time taken to crack passwords depends on their strength
- Weak passwords could be broken in less than a second, while strong passwords would take years to crack

Password Types

Cleartext Passwords
- A cleartext password is sent over the wire (and also over wireless) or stored on some media as it is typed without any alteration
- Ex: Windows Registry houses automatic logon password (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
- Cain and Ettercap can be used to sniff cleartext passwords

Obfuscated Passwords
- Obfuscated passwords are those that are stored or communicated after being more or less transformed
- Transformation is reversible. After applying an algorithm the password becomes unreadable and after applying a reverse algorithm it returns to cleartext.
  This process is called obfuscation

Hashed Passwords
- Hashed passwords are similar to obfuscated passwords, but the latter are reversible
- Passwords are hashed using hash algorithms (MD5, SHA, etc.) that are not reversible

Note: Only hashed passwords need cracking, while the other password types can assist in the cracking phase

Password Cracker and its Working
- A password cracker is a software program that is used to recover passwords of a system, network resource, or an app, when lost or forgotten

How it Works?
- A word list is created with the help of a dictionary generator program or dictionaries
- The list of dictionary words is hashed or encrypted
- The hashed wordlist is compared against the target hashed password, generally one word at a time
- If it matches, that password has been cracked and the password cracker displays the unencrypted version of the password

Note: The target hashed password can be obtained by sniffing it from a wired network, wireless network, directly from the Security Accounts Manager (SAM) database, or shadow password files on the hard drive of a system

Password Cracking Techniques
- Dictionary Attack: A dictionary file is loaded into the cracking application that runs against user accounts
- Brute Forcing Attacks: The program tries every combination of characters until the password is broken
- Rule-based Attack: This attack is used when some information about the password is known

- A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, and routers) that is password protected
- You can use default passwords from the list of words or dictionary that is used to perform password guessing attack
- Online tools to search default passwords:

Using Rainbow Tables to Crack Hashed Passwords
- Rainbow Table: A rainbow table is a precomputed table which contains word lists like dictionary files and brute force lists and their hash values
- Compare the Hashes: Capture the hash of a password and compare it with the precomputed hash table. If a match is found, then the password is cracked
- Easy to Recover: It is easy to recover passwords by comparing captured password hashes to precomputed tables

Tools to Create Rainbow Tables: rtgen and Winrtgen

rtgen (http://project-rainbowcrack.com)
- The rtgen program needs several parameters to generate a rainbow table. The syntax of the command line is:
  rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index

Winrtgen (http://www.oxid.it)
- Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes

Security Accounts Manager (SAM) database
- Windows stores user passwords in SAM, or in the Active Directory database in domains. Passwords are never stored in clear text; passwords are hashed and the results are stored in SAM

NTLM Authentication
- The typology of NTLM authentication protocols:
  1. NTLM authentication protocol
  2. LM authentication protocol
- These protocols store user passwords in the SAM database using different hashing methods

Kerberos Authentication
- Microsoft has upgraded its default authentication protocol to Kerberos, which provides a stronger authentication for client/server applications than NTLM

How Hash Passwords Are Stored in Windows SAM?
- Password hash using LM/NTLM, stored in c:\windows\system32\config\SAM
- Each entry consists of the fields: User name, User ID, LM Hash, NTLM Hash
- "LM hashes have been disabled in Windows Vista and later Windows operating systems; LM will be blank in those systems."

System Software Password Cracking
- System software includes (such as OSs, compilers, utilities that manage system resources, etc.) that interact with the PC at a basic level
- System software password cracking is defined as cracking the and all other that enable a computer to
- Passwords for system software are created to to system files and other secured that is used during a system's boot process
- Ways to access a system by cracking passwords:

- BIOS (Basic Input Output System) is a firmware code run by a system when powered on.
  It is a type of boot loader
- The main function of BIOS is to identify and initialize system component hardware (such as hard disk, floppy drive, and video display card)

Methods to Bypass/Reset BIOS Password
- Using a manufacturer's backdoor password to access the BIOS
- Using password cracking software
- Resetting the CMOS using jumpers or solder beads
- Removing the CMOS battery for at least 10 minutes
- Overloading the keyboard buffer
- Using a professional service

Using Manufacturer's Backdoor Password to Access the BIOS
- BIOS manufacturers provide a backup password that can be used to access the BIOS setup if the password is lost
- The passwords that manufacturers provide are case sensitive. If a particular backdoor password does not work, then various case-sensitive combinations of the password should be tried. The combinations may include alphanumeric characters
- The manufacturers' documentation must be read before trying the backdoor passwords, because BIOS combinations will lock the system completely if the password is typed wrong three times
- A few BIOS manufacturers and their default passwords are listed below:
  - VOBIS & IBM - merlin
  - Dell - Dell
  - Biostar - Biostar
  - Compaq - Compaq
  - Enox - xo11nE
  - Epox - central
  - Freetech - Posterie
  - Iwill - will
  - Jetway - spoon!
  - Packard Bell - bell
  - Qpi - ap!

Using Password Cracking Software
- CmosPwd (http://www.cgsecurity.org): Decrypts password stored in CMOS, which is used to access BIOS SETUP
- DaveGrohl: It is a multithreaded, distributed password cracker. It aims at brute-forcing OS X user passwords.
  (http://davegrohl.org)

Note: If your PC is locked with a BIOS administrator password that does not allow access to the floppy drive, these utilities may not work

Resetting the CMOS using Jumpers or Solder Beads

Resetting the CMOS using Jumpers
- By adjusting the jumpers or dipswitches on a motherboard, all custom settings, including BIOS passwords, will be cleared
- Check the computer or motherboard manufacturer's documentation to locate the jumpers/dip switches
- If the documentation is not available, by default the jumper position is across pins 1 and 2
- Shut down the system and unplug the power cord
- Move the jumper from its default position so that it is across pins 2 and 3; this clears the BIOS/CMOS settings
- Now, turn on the machine to verify that the password has been reset
- Once cleared, turn off the computer and return the jumper to its original position

Resetting the CMOS using Solder Beads
- Connecting or jumping specific solder beads on the chipset is likely to reset the CMOS
- There are too many chipsets to do a breakdown of which points to jump on individual chipsets, and the location of these solder beads can vary according to the manufacturer, so please check the computer and motherboard documentation for details

Overloading the Keyboard Buffer and Using a Professional Service

Overloading the keyboard buffer
- On some older systems, you can force the CMOS to enter its setup screen on boot by overloading the keyboard buffer. This is achieved by hitting the ESC key over 100 times in rapid succession, or by booting with the keyboard or mouse unattached to the systems

Using a professional service
- Professional services can be used if the manufacturer of the laptop or desktop PC would not reset the BIOS password
- Password Crackers, Inc., offers a variety of services for desktop and laptop computers; all you need to provide is legitimate proof of ownership

Tool to Reset Admin Password: Active@ Password Changer
- Active@ Password Changer is designed for resetting local administrators and user passwords on Windows operating system in case an Administrator's password is forgotten or lost
- With Active@ Password Changer, you can log in as an Administrator or a particular user with a blank password

Tool to Reset Admin Password: Windows Password Recovery Bootdisk
- Windows Password Recovery Bootdisk removes the password and, thus, allows login to the account
- The program creates a bootdisk or a bootable USB stick, and writes a special Linux-like OS there
- Booting from such a disk allows one to remove a Windows account password, or recover its hash for further retrieval of lost passwords

Tool to Reset Admin Password: Windows Password Recovery Lastic
- Windows Password Recovery Lastic allows the removing of a password for a specific Windows user, or recovering the hash of a password, thus providing one with the possibility of restoring the original password

Application Password Cracking Tools
- Application software, also known as end-user programs (such as Web design software, word processors, graphics software, etc.), allows a user to perform their everyday tasks on the PC like sending email, editing an image, creating a webpage, etc.
- (http://www.lostpassword.com) Electronic evidence discovery solution that reports all password-
- (http://www.recoverlostpassword.com) Recovers passwords for Windows, Excel, Word, Access, PowerPoint, PST, Outlook, Outlook Express, RAR/WinRAR, ZIP/WinZIP, PDF, IE Browser, SQL, e-mail, online websites, etc.

Application Password Cracking Tools (Cont'd)
- Advanced Office Password Recovery: Recovers, replaces, removes or circumvents instantly passwords protecting or locking documents created with Microsoft Office applications
- Office Password Recovery Toolbox: A comprehensive solution for recovering MS Word, Excel, Outlook, Access, PowerPoint, and VBA passwords

Application Password Cracking Tools (Cont'd)
- Office Multi-document Password Cracker: Recovers lost or forgotten passwords to multiple MS Office documents. It scans the drive for protected documents, and restores or deletes passwords from all Word, Excel, PowerPoint, Access, and Outlook files it finds

Word Password Recovery Tools
- Word Password Recovery Master
- Accent WORD Password Recovery (http://passwordrecoverytools.com)

PowerPoint Password Recovery Tools
- PowerPoint Password
- http://www.recoverlostpassword.com
- http://passwordtools.com

Excel Password Recovery Tools
- PDS Excel Password Recovery
- Accent EXCEL Password Recovery

PDF Password Recovery Tools
- Advanced PDF Password Recovery
- Recover PDF Password

Password Recovery Tool: Advanced Archive Password Recovery
- Advanced Archive Password Recovery recovers protection passwords, and unlocks encrypted ZIP and RAR archives
  (http://www.elcomsoft.com)

Office Password Cracking Software
- Stellar Phoenix Office Password Recovery (http://www.stellarinfo.com)
- Online Password Recovery (http://www.password-find.com)
- Office Password Genius (http://www.isunshare.com)
- Office Password Recovery Lastic (http://www.passwordlastic.com)
- SmartKey Office Password Recovery (http://www.recoverlostpassword.com)

PDF Cracking Software
- PDF Password Recovery (http://www.top-password.com)
- PDF Password Genius (http://www.isunshare.com)
- SmartKey PDF Password Recovery (http://www.recoverlostpassword.com)
- Tenorshare PDF Password Recovery (http://www.tenorshare.com)
- Guaranteed PDF Decrypter (http://www.guapdf.com)

ZIP Password Cracking Software
- Accent ZIP Password Recovery (http://passwordrecoverytools.com)
- ZIP Password Genius (http://www.isunshare.com)
- SmartKey ZIP Password Recovery (http://www.recoverlostpassword.com)
- KRyLack ZIP Password Recovery (http://www.krylack.com)
- Stellar Phoenix Zip Password Recovery (http://www.stellarinfo.com)

RAR Cracking Software
- Accent RAR Password Recovery (http://passwordrecoverytools.com)
- RAR Password Genius (http://www.isunshare.com)
- cRARk 5.1 (http://www.crark.net)
- SmartKey RAR Password Recovery (http://www.recoverlostpassword.com)
- KRyLack RAR Password Recovery (http://www.krylack.com)

Other Password Cracking Tools
- L0phtCrack: L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and networks monitoring and decoding
- Ophcrack: Ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms

Other Password Cracking Tools (Cont'd)
- Cain & Abel (http://www.oxid.it): It allows recovery of various kinds of passwords by sniffing the network, and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks
- RainbowCrack (http://project-rainbowcrack.com): RainbowCrack cracks hashes with rainbow tables. It uses time-memory tradeoff algorithm to crack hashes

Other Password Cracking Tools (Cont'd)
- pwdump7 and fgdump: fgdump works like pwdump but also extracts cached credentials and allows remote network execution
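The "user name : user ID : LM hash : NTLM hash" layout shown earlier for SAM entries is also the line format pwdump-style tools write, so an examiner or auditor can review such a dump without cracking anything. The script below is an added example, not part of the original module: it flags accounts that still store an LM hash, accounts with a blank password, and accounts sharing one NTLM hash (the hashes are unsalted, so equal hashes mean equal passwords). The two EMPTY_* constants are the well-known hashes of an empty password; every account name and other hash in the sample is constructed.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM hash of an empty password
HEX_DIGITS = set("0123456789abcdef")

# Constructed sample in pwdump layout; no value comes from a real system.
SAMPLE_DUMP = """\
Administrator:500:NO PASSWORD*********************:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_backup:1001:NO PASSWORD*********************:0123456789ABCDEF0123456789ABCDEF:::
legacy:1002:FEDCBA9876543210FEDCBA9876543210:89ABCDEF0123456789ABCDEF01234567:::
kiosk:1003:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
analyst:1004:NO PASSWORD*********************:00112233445566778899AABBCCDDEEFF:::
"""


def normalise(field):
    """Return a lower-case 32-digit hash, or None for a NO PASSWORD filler."""
    field = field.strip()
    if field.upper().startswith("NO PASSWORD"):
        return None
    value = field.lower()
    if len(value) != 32 or not set(value) <= HEX_DIGITS:
        raise ValueError("not a 128-bit hex hash: %r" % field)
    return value


def parse_entry(line):
    """Split one dump line into user name, user ID, LM hash and NTLM hash."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected user:id:lm:ntlm, got %r" % line)
    user, rid, lm, nt = parts[:4]
    return {"user": user, "rid": int(rid),
            "lm": normalise(lm), "nt": normalise(nt)}


def audit(lines):
    """Map each account with a weakness to a sorted list of finding tags."""
    findings = defaultdict(list)
    users_by_nt = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        entry = parse_entry(line)
        # A real LM hash means the legacy, weaker hash is still being stored.
        if entry["lm"] not in (None, EMPTY_LM):
            findings[entry["user"]].append("lm-hash-stored")
        # No NTLM hash, or the empty-password hash, means a blank password.
        if entry["nt"] in (None, EMPTY_NT):
            findings[entry["user"]].append("blank-password")
        else:
            users_by_nt[entry["nt"]].append(entry["user"])
    # Identical unsalted hashes reveal password reuse across accounts.
    for users in users_by_nt.values():
        if len(users) > 1:
            for user in users:
                findings[user].append("shared-nt-hash")
    return {user: sorted(tags) for user, tags in findings.items()}


if __name__ == "__main__":
    for user, tags in sorted(audit(SAMPLE_DUMP.splitlines()).items()):
        print(user, ", ".join(tags))
```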
