Passwords

user ID

A string of characters that identifies a user in a computing environment.

Computer users must commonly provide a user ID to log on to, or otherwise access, a system. User IDs identify a specific user and tell the security subsystem what permissions to grant to that user. Unfortunately, some computer users attempt to impersonate other users by fraudulently providing another person’s user ID. By doing so, the impersonator can perform actions that will point back to the stolen user ID owner’s account when audited. As a forensic investigator, you’ll need to determine the difference between actions taken using a valid user ID and actions conducted by an impersonator using a stolen or otherwise compromised user ID.

Who Are You, Really?

Fred is an enterprising university student who enjoys testing the limits of his school’s computer use policy. The policy clearly states that users may only use their own user IDs to access the computer system. If Fred wants to create some mischief on the university’s computer system, he could ignore the policy and use Mary’s user ID to access the system. In effect, he could pretend to be Mary. With no controls in place to stop him, Fred could cause many problems and to the untrained eye, it would appear that Mary was the guilty party. A control is anything that stands between Fred and his unauthorized actions. In this case, there actually is at least one control to deter him—the university’s computer use and access policy. The university’s computer use policy is an administrative control. While administrative controls dictate proper behavior and the penalty of noncompliance, they don’t stop unauthorized actions by those who are determined to ignore such policies (as in Fred’s case).

password

A string of characters that security systems use to authenticate, or verify, a user’s identity. Security systems compare passwords a user provides during login to stored values for the user account. If the value provided (password) matches the stored value, the security subsystem authenticates the user. Most operating systems store passwords when users create login accounts.

There is a simple solution. User IDs provide identification for users. Another piece of information that only the real user should know provides authentication that the user is who he or she claims to be. The most common method of authentication is a password. To authenticate using a password, users provide not only a user ID, but the proper password as well during login. The security system then validates that the password provided matches by comparing it to the stored value for that user ID. If the two match, the security system authenticates and trusts the user and allows access to the computer system.

There are two main reasons for investigators to crack passwords. First, you may need a password to log in to a computer or access a resource. Second, you may need a password or key to access encrypted data that may be vital to the success of the investigation.

During an investigation, forensic investigators commonly need access to one or more computer accounts. When a suspect or other knowledgeable user cooperates with an investigation, obtaining a user ID and password can be as easy as asking for it. Never forget to try the simple approach: When users cooperate, it can save valuable time. Always ask for any needed user IDs and passwords. When passwords aren’t readily available, here are three alternative methods to acquire them:

1. Find passwords

2. Deduce passwords

3. Crack passwords

Forensic investigators not only understand what each of these three techniques is, but know when and how to use each one as well.

Although passwords are the most common user authentication technique, they aren’t always secure. In the next sections, we’ll examine each password recovery technique and show you how quickly and easily some passwords can become available.

Finding Passwords

By far, the easiest way to obtain a password is simply to ask someone who knows the password to provide it to you. If asking nicely doesn’t work, try social engineering. Build trust with a person who knows information you need to further the investigation. This person could be anyone who knows the password. The password or other information sought could be as simple as a phone call away.

For example, you could call and pretend to be a member of the network administrator team. A simple statement like, “Hi, this is Tom from network support. Your computer looks like it is sending out a virus to other computers. I need to log on to stop it. What is the user ID and password you used to log on this morning?” Fortunately for the forensic investigator, far too many people are only too willing (and in fact, often eager) to help and quickly provide the requested information. Mission accomplished! When using social engineering techniques to gather information, experienced forensic investigators will ensure they have permission to conduct these types of activities before proceeding. As long as you abide by any applicable security policies, encouraging a suspect to give you the information you need is perfectly fine. Law enforcement officials are good at doing this. Ask them for help, especially if this is a criminal investigation.

If social engineering isn’t an option, or the person who knows the password won’t cooperate, then there are other simple approaches you can try. There are two basic types of passwords: those that are easy to remember and those that are hard to remember. With more people becoming aware of security issues, passwords now tend to be more secure than in the past. Most people equate password complexity with security. That is, long, hard-to-remember passwords appear to be more secure than simple ones.

Tip

Longer passwords can be less secure than shorter ones. Passwords that expire frequently can be less secure as well. The reason is that when a user must use a password that is too hard to remember, he will often write it down. The hassle of retrieving a lost password often encourages users to keep sticky notes with passwords written on them. When encouraging the use of strong passwords, allow users to create ones they can remember.

Because a password is a string of characters that authenticates a user’s identity, it is important that the user always have access to the password. The more complex a password is, the more likely it is that the user has it written down or otherwise recorded somewhere. Look around the computer for written notes. It’s not uncommon for forensic investigators to find sticky notes with passwords written on them in plain sight, or in some cases, even taped to the computer system itself. You’ll find that this phenomenon occurs in a surprisingly large percentage of the sites you investigate. As a forensic investigator, you’ll become an expert at recognizing common “hiding places” for password notes, such as:

  • On the monitor (front, sides, top, etc.)
  • Under the keyboard
  • In drawers (look under pencil holders and organizers)
  • Attached to the underside of drawers
  • Anywhere that is easily accessible from the seat in front of the computer but not readily visible
  • Personal digital assistants (PDAs) and smartphones
  • Obvious files on the hard disk (such as passwords.txt)

While this approach may seem too simple and obvious, never dismiss this important method for finding passwords. Few people trust their memories for important passwords. There is a good chance some users you’ll be investigating wrote down their passwords and put them somewhere handy.

Deducing Passwords

So, you’ve looked all around the physical hardware and desk but you still can’t find the password you are looking for. What next? Don’t worry—there are still other options available to obtain passwords. In spite of all the common rules for creating “strong” passwords, many users routinely break the rules. If you are trying to guess a password, try the obvious ones. The more the forensic investigator knows about the user, the better the chances of guessing the password. Try some of these ideas:

  • User ID
  • Birth date
  • Social security number
  • Home address
  • Telephone number
  • Spouse/children/friend name
  • Pet name
  • Favorite team name or mascot
  • Common word or name from a hobby

Note

Use this section as a lesson for creating your own passwords. Because so many people ignore password best practices, take it upon yourself to be unique. Take the time to create strong passwords and keep them secure. Passwords can also easily be secured through the use of password vault programs such as RoboForm Pro (www.roboform.com).

Although guessing a password is possible, it isn’t very productive in most cases. Don’t spend a lot of time trying to guess a password. This method is most effective if you have a strong hunch that you will be successful. It may be possible for forensic investigators to solve password puzzles by piecing several pieces of information together. People often hide the real password but leave clues that can help you to guess the password contents. For example, during an investigation, a note was found that read “me 4 her -7.” After trying several combinations, we hit on a password that consisted of the subject’s initials, “ajd,” and his wife’s initials, “rgd.” The password was “ajd4rgd7.” (Just in case you’re wondering, this wasn’t the actual password—the initials were changed to protect the innocent!)

Even though you might get lucky occasionally, really “guessing” a password isn’t very common. It looks good in the movies, but it doesn’t happen that often in the real world. Deduced passwords normally come from piecing several pieces of information together. For instance, when analyzing a subject’s activity, keep track of visited Web sites and locally protected applications. Cookies for recently visited Web sites may be left behind that store an unprotected password. People are creatures of habit and many tend to use the same passwords repeatedly, so if you find an unprotected password for one resource, try it in other areas.

As much as it violates good security practices and common sense, the same password is often used to protect both secured servers and to subscribe to a Web site’s news services. If you find a password, see if the user also uses it elsewhere.

Note

When poking around and guessing passwords, forensic investigators might end up locking the resource they are attempting to access owing to excessive failed logon attempts. Always make sure you have at least two copies of media. If one copy is corrupted, you can always make a new working copy from your second image. You never want to explain to the judge that you had to check out the original media from the evidence locker twice because you messed up the first copy.

Up to now, our password discussion has focused on nonspecific strategies. Finding, guessing, or deducing a password is more of an art than a science. It involves knowing your subject and knowing how people think. It might take a lot of homework, but it is fun and can yield that gold nugget that opens up the evidence you need.

Cracking Passwords

password cracking

Attempting to discover a password by trying multiple options and continuing until you find a successful match.

The last method of obtaining a password is the most technical and complete. When a password can’t be obtained by any other means, forensic investigators try a process known as password cracking. Cracking a password involves trying every possible combination, or every combination in a defined subset, until the right one is found.

Different utilities allow forensic investigators to crack passwords online or offline. These utilities employ several different methods. Because older UNIX systems stored encoded passwords in a single file, the /etc/passwd file, several utilities emerged that tried different combinations of password strings until they found a match for each line in the file. All forensic investigators had to do was copy the /etc/passwd file to their own computer, launch the password cracker, and let it run.

This approach became so popular and dangerous that newer flavors of UNIX, and now Linux, go to great lengths to hide encoded passwords in another file. Most UNIX and Linux systems store passwords in the /etc/shadow file. This file has highly restricted access permissions and requires super user permission to access. If you are investigating a computer system running UNIX or Linux, look at the /etc/passwd file. An x character between two colons indicates that the actual password is stored in the shadow file. For example, here is what a line from the /etc/passwd file looks like if password shadowing is in use (notice the “x” after the user name, msolomon):

msolomon:x:517:644::/home/msolomon:/bin/bash
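The check described above, written out as an added example (not code from the book): it parses lines in /etc/passwd and /etc/shadow format, reports whether each account is shadowed, still carries its hash in the world-readable passwd file, or has an empty password, and names the hash scheme from the `$id$` prefix. All sample lines and hash values are constructed.

```python
# Added example: audit passwd/shadow entries for the "x" shadowing indicator.
# Sample lines are constructed; the hash values are placeholders, not real hashes.
import re

# Constructed /etc/passwd lines: name:pw:uid:gid:gecos:home:shell
PASSWD_SAMPLE = """\
msolomon:x:517:644::/home/msolomon:/bin/bash
legacy:$1$abcdefgh$oldhashstillinpasswd000:518:644::/home/legacy:/bin/sh
guest::519:644:Guest:/home/guest:/bin/bash
"""

# Constructed /etc/shadow lines: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE = """\
msolomon:$6$saltsalt$placeholderhashvalue:19000:0:99999:7:::
"""

# crypt(3)-style scheme identifiers found between the first two '$' signs
HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
            "2b": "bcrypt", "y": "yescrypt"}

def parse_passwd(text):
    """Return {name: fields} for each 7-field passwd line; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, _gecos, home, shell = fields
        entries[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell}
    return entries

def parse_shadow(text):
    """Return {name: hash field} from 9-field shadow lines."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        hashes[fields[0]] = fields[1]
    return hashes

def hash_scheme(value):
    """Name the hashing scheme from a '$id$...' prefix, or 'unknown'."""
    m = re.match(r"^\$([^$]+)\$", value)
    return HASH_IDS.get(m.group(1), "unknown") if m else "unknown"

def classify(passwd_text, shadow_text):
    """Map each account to its password-storage status."""
    shadow = parse_shadow(shadow_text)
    report = {}
    for name, entry in parse_passwd(passwd_text).items():
        pw = entry["pw"]
        if pw == "x":                      # the indicator the text describes
            h = shadow.get(name)
            if h is None:
                report[name] = "shadowed-but-no-shadow-entry"
            elif h.startswith(("!", "*")):  # locked or disabled account
                report[name] = "locked"
            else:
                report[name] = f"shadowed:{hash_scheme(h)}"
        elif pw == "":
            report[name] = "empty-password"
        else:                              # hash exposed in world-readable passwd
            report[name] = f"hash-in-passwd:{hash_scheme(pw)}"
    return report
```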

Tales from the Trenches: The Contract Ends Now!

Several contractors were working at a manufacturing plant in southern California. These contractors filled various functions, including project management and application development. The project goal was to modify a manufacturing software package to meet the client’s specific needs. One morning, the company’s system administrator noticed that his assigned IP address was in use when he booted his computer. After a couple comments under his breath, he rebooted again and found that the IP address was available. He took note of the people who were in the office that morning and started doing a little investigative work on his own to find out if anyone was using his IP address. He found that a particular contractor had installed a common password cracker in his home directory. A further look at the contractor’s history file showed that he had been engaging in attempts to crack the system’s password file.

The system administrator immediately removed the contractor’s access and had him terminated. The company’s policy regarding appropriate use of computing systems forbade any use of password-cracking software and provided grounds for immediate termination.

There are many password-cracking utilities available to forensic investigators. Some common ones include:

  • Cain and Abel (http://www.oxid.it/cain.html)
    • Cain and Abel is a free (donation requested) password recovery utility for Microsoft Windows operating systems that uses several techniques to find passwords.
  • John the Ripper (http://www.openwall.com/john/)
    • John the Ripper is an open source password cracker that reveals weak passwords in most operating systems.
  • Hydra (http://freeworld.thc.org/thc-hydra/)
    • Hydra is a free, fast network authentication cracker. Hydra can attack the most common network protocols.
  • ElcomSoft (http://www.elcomsoft.com/)
    • ElcomSoft produces a variety of commercial software that recovers passwords from operating systems and application software.
  • LastBit (http://lastbit.com/)
    • LastBit produces a variety of commercial software that recovers passwords from operating systems and application software.
  • L0phtCrack (http://www.l0phtcrack.com/)
    • L0phtCrack is a commercial tool that recovers passwords and more from computers running multiple operating systems.
  • RainbowCrack (http://project-rainbowcrack.com/)
    • RainbowCrack is a free tool for cracking Linux and Windows passwords using precomputed hash tables, called rainbow tables.

Anytime passwords are found stored in a file or database, forensic investigators can use offline password-cracking techniques. Online password cracking methods are used if the password repository can’t be found or you don’t have access to it (it might reside on another system). Online password cracking is much slower and may fail more frequently (and for more reasons) than offline cracking. Online password-cracking utilities pass logon credentials to the target system until they find a successful user ID/password pair. The number of attempts needed to find a password is the same as for an offline cracking utility, but passing each set of logon credentials to another process takes substantially more time. If the target computer is remote from the password-cracking utility, network latency further slows the process and adds to the possibility of failure.

Unauthorized Password Cracking is Illegal

Never attempt to crack passwords unless you have specific, and written, authority to do so. The person or organization who owns the computer system can provide the necessary permission. Without written permission, you may be at risk of substantial civil and criminal penalties. Ensure that the permission you receive comes from someone with the authority to give it to you, is in writing, and is specific about what you can (and can’t) do.

The main reason to crack a password is to obtain password-protected evidence. Permission to crack a password is obtained from the computer owner or a court. In cases where the computer’s owner is unwilling to provide permission to crack a password, a court order will suffice.

Regardless of the type of utility used, there are three basic approaches, or “attack types,” that password-cracking utilities commonly employ.

Dictionary Attack

dictionary attack

An attack that tries different passwords defined in a list, or database, of password candidates.

A dictionary attack is the simplest and fastest attack. The cracking utility uses potential passwords from a predefined list of commonly used passwords. The password dictionary stores the list of passwords. The larger the dictionary, the higher the probability the utility will succeed (but the longer it will take to attempt the entire dictionary file). A little research on the Internet will yield several dictionaries of common passwords.

An offline dictionary attack calculates hashed values of passwords from a password dictionary. The utility compares each hashed value with the stored password hashes to find a match. Since the cracking utility spends most of its time calculating hash values, there is an opportunity to speed up the process. If you plan to use a password dictionary for several attempts at password cracking, you can precompute the password hashes from the password dictionary. These precalculated password hashes, or rainbow tables, make offline dictionary attacks much faster. As a forensic investigator you’ll find that, statistically, the correct password turns up about halfway through any given search. For example, if people are asked to choose a password between 1 and 100, 50 percent of them will choose a number below 50 while the other half will choose a number above 50, so a search that starts at 1 reaches the right value, on average, halfway through the range.

The reason this type of attack works so well lies in human nature. People tend to use common, easy-to-remember passwords. Most would be surprised to find their favorite password in a password dictionary. Any passwords found in a password dictionary are too weak and should be changed.
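As an added example (not from the book) of the offline dictionary check just described: a small word list is hashed once into a precomputed lookup table, stored hashes are then matched with a single lookup each, and the same check is repeated against salted hashes to show why a per-user salt forces the whole dictionary to be re-hashed for every account. The SHA-256 scheme, the word list and the stored credentials are all constructed for the demo.

```python
# Added example: offline dictionary audit of stored hashes, with and without salts.
# SHA-256 stands in for whatever hash the target system uses; all data is constructed.
import hashlib

WORDLIST = ["password", "letmein", "dragon", "qwerty", "lord", "summer2024"]

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

def precompute_table(words):
    """Hash every dictionary word once; the table is reused across audits
    (the simple form of what the text calls a rainbow table)."""
    return {unsalted_hash(w): w for w in words}

def audit_unsalted(stored, table):
    """stored maps account -> unsalted hash.  One dictionary lookup per account,
    no hashing at audit time.  Returns {account: dictionary word} for weak ones."""
    return {acct: table[h] for acct, h in stored.items() if h in table}

def audit_salted(stored, words):
    """stored maps account -> (salt, hash).  Every account needs the full word
    list re-hashed with its own salt, so the precomputed table is useless here.
    Returns ({account: word}, number of hash computations performed)."""
    weak, work = {}, 0
    for acct, (salt, h) in stored.items():
        for w in words:
            work += 1
            if salted_hash(salt, w) == h:
                weak[acct] = w
                break
    return weak, work

# Constructed stored credentials: two unsalted accounts, two salted ones that
# share the same weak password but get different hashes because of the salt.
UNSALTED_STORE = {
    "alice": unsalted_hash("dragon"),
    "bob": unsalted_hash("correct horse battery staple"),
}
SALTED_STORE = {
    "carol": ("s1", salted_hash("s1", "dragon")),
    "dave": ("s2", salted_hash("s2", "dragon")),
}
```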

AccessData’s Password Recovery Toolkit offers a great benefit when used with their FTK software. The investigator exports a “dictionary” file from FTK and then uses it as the dictionary file to crack encrypted files found on the suspect hard drives. The dictionary file is made up of every word found on the suspect hard drive. This enables you to crack a password by using a list of every word on the suspect computer, which may include the password itself if it was ever written to disk (for example, cached from memory).

Brute Force Attack

On the other end of the spectrum is the brute force attack. A brute force attack simply attempts every possible password combination until it finds a match. If the utility attempts to use every possible combination, it will eventually succeed. However, the amount of time required depends on the complexity of the password. The longer the password, the more time it will take to crack.

Brute force attacks should never be your primary method for cracking passwords for two reasons. First, brute force attacks are slow. They can take a substantial amount of investigative time. Also, the length of the password may not be known. In this case, the utility will have to try many, many combinations that won’t succeed before finding the right one.

Second, the client, resource server, or authentication credentials (passwords) may be located on different computers. If so, the brute force attack will generate a huge volume of network traffic. Excessive network traffic and multiple failed logon attempts may make a tangible impact on the network. Unless you can set up a copy of the suspect network in your lab, you may not be able to secure permission to launch a brute force attack.

Hybrid Attack

hybrid attack

A modification of the dictionary attack that tries different permutations of each dictionary entry.

The final type of attack, the hybrid attack, combines the dictionary and brute force attack methods. In a hybrid attack, the utility starts with a dictionary entry and tries various alternative combinations. For example, if the dictionary entry were “lord,” the hybrid attack utility would look for these possible alternatives:

  • Lord
  • l0rd
  • 1ord
  • 10rd

And many, many others. As you can see from this list, it is common to obscure passwords derived from dictionary words by replacing the letter “l” with the digit “1,” or replacing the letter “o” with the digit “0.” Don’t do this with your own passwords. Even simple cracking utilities know this trick.
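The mutations listed above, generated by an added example that is not code from the book: `hybrid_variants` produces the case and digit substitutions of a dictionary entry (the four “lord” variants among them), and `is_mutated_dictionary_word` applies the same rules in reverse so a password checker can reject “l0rd” or “10rd” as readily as “lord”. The substitution table, word list and the trailing-digit rule are constructed assumptions, a small subset of the rules real cracking utilities apply.

```python
# Added example: hybrid-attack variants of a dictionary word, and the reverse
# normalisation a password policy can use to reject them.  Rules are constructed.
from itertools import product

# letter -> look-alike substitution, as in lord -> l0rd / 1ord / 10rd
SUBS = {"l": "1", "o": "0", "a": "@", "e": "3", "s": "$"}
REVERSE_SUBS = {v: k for k, v in SUBS.items()}
DIGITS = "0123456789"

def hybrid_variants(word):
    """Yield every variant formed by optionally substituting each letter per
    SUBS, each with and without an upper-case first letter, without duplicates."""
    options = [(ch, SUBS[ch]) if ch in SUBS else (ch,) for ch in word.lower()]
    seen = set()
    for combo in product(*options):
        base = "".join(combo)
        for variant in (base, base[:1].upper() + base[1:]):
            if variant not in seen:
                seen.add(variant)
                yield variant

def normalize(candidate):
    """Undo the substitutions so a mutated word maps back to its dictionary form."""
    return "".join(REVERSE_SUBS.get(ch, ch) for ch in candidate.lower())

def is_mutated_dictionary_word(candidate, dictionary):
    """True when the candidate is a dictionary word under the hybrid rules,
    with or without appended digits (lord99 is rejected along with l0rd)."""
    dictionary = set(dictionary)
    return (normalize(candidate) in dictionary
            or normalize(candidate.rstrip(DIGITS)) in dictionary)

DICTIONARY = ["lord", "password", "hello", "dragon"]   # constructed word list
```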

Regardless of the type of utility used, there are tools that can help you get the passwords you need to access evidence.

The next section addresses one of the methods of protecting data from disclosure—encryption.
