Password Cracking in Digital Forensics

With the rise of technology, digital crime is becoming an increasing issue. Companies are being bombarded with cyber attacks. Passwords still represent the most common form of authentication to access computer systems. Rather than cracking passwords to access sensitive information and commit a crime, this blog post focuses on how several password cracking techniques can be used not only to recover forgotten passwords but also to help solve crimes. These approaches are especially important when conducting a digital forensic investigation. Let’s have a look at them.

Dictionary Attack

This is a technique where you try to access a system by using every word that is available in a dictionary. You systematically work through the wordlist and compare each entry to the user's password. As you can picture, this is not necessarily the most effective technique. However, many businesses insist on having ordinary passwords, which is what makes this technique so popular. Against more complex passwords that are either made up or contain upper and lower case letters in combination with numbers, the dictionary attack will most likely not succeed. Nowadays, cybersecurity attacks are increasing rapidly, which ultimately forces companies and users to raise their security standards. This quickly brings the attack to its limits: since it relies on a predetermined library, you will quickly reach the end of the wordlist. The dictionary attack is a basic approach and shares some similarities with a brute-forcing attack. It uses passwords such as "123", "abcd" or "password123". It is important to mention that these wordlists can vary by region. For example, the words used for cracking passwords in Germany differ from the words used in other areas such as Los Angeles. An attacker adapts the dictionary to a specific group, meaning that for a basketball fan the list might contain the following: "lakers", "clippers123", "lalakers2022".

Brute Forcing Attack

Brute forcing is a technique where all possible password combinations are tried to get access to a computer system. As you can imagine, this can take a large amount of time. All legal characters are used in different sequences until access is granted. A common approach for hackers is to use brute-forcing to access websites or networks, where they then perform malicious activities such as installing malware or shutting down the entire system. Since all possible combinations are tested, the waiting time can range from a second to days or weeks.

There are different types of brute-forcing attacks, including dictionary attacks. Another one is credential stuffing. This happens when the attacker has already been successful and tries to use the same password and user name for other accounts.

Reverse brute-forcing is when the hacker knows the password but not the user name. He will then continue to use the password across the system for various usernames until he gains access. Reverse brute force does not only relate to usernames but also to encrypted files.
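From the defender's side, the two patterns described above leave differently shaped trails of failed logins. The following is an added example, not code from the original post: it labels each source address in an authentication log, and the log format, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data); documentation-range addresses only.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}Z src=203.0.113.5 user=alice result=FAIL"
     for i in range(6)]
    + [f"2024-05-01T10:05:{i:02d}Z src=198.51.100.7 user={u} result=FAIL"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + ["2024-05-01T10:09:00Z src=192.0.2.10 user=bob result=FAIL",
       "2024-05-01T10:09:20Z src=192.0.2.10 user=bob result=OK"]
)

# Assumed line format: <timestamp> src=<ip> user=<name> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def classify_sources(log, min_failures=5, min_users=4, max_per_user=2):
    """Label each source by the shape of its failed logins (thresholds assumed)."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for event in parse(log):
        if event["result"] == "FAIL":
            fails[event["src"]][event["user"]] += 1
    verdicts = {}
    for src, per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= min_users and worst <= max_per_user:
            # Few attempts each against many accounts: one secret, many usernames.
            verdicts[src] = "reverse-brute-force"
        elif worst >= min_failures:
            # Many attempts against a single account: many secrets, one username.
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(src, verdict)
```

Credential stuffing produces the same many-accounts shape as reverse brute-forcing in a log like this, because the log does not record which password was tried.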

Brute forcing has its positive side too. It is used to improve security standards by testing network security. That means that if you use a variety of tools to brute force your own system and this leads you to detect vulnerabilities in it, you will improve your overall security and give hackers a hard time accessing your system.

Common tools:

  • John the Ripper
  • Hashcat
  • Aircrack-ng
  • L0phtCrack

Rainbow Table Attack

Applications do not store passwords in plaintext but as hashes: each password is passed through a hash function and only the resulting hash is stored. A rainbow table is a table that contains the hash values of passwords. The hash values of the plaintext passwords are stored in the table and then compared with the hashes on the server. If the attacker finds the correct match, they can authenticate and log on to the system. To be successful here, the attacker has to get access to the list of password hashes. If they do so, they can quickly crack all passwords.

For hackers to successfully execute this attack, they first have to get access to leaked hashes. These hashes are stored in databases, which means the attacker first has to get access to another secured environment. Many databases were not properly secured, which made this easy for the attacker. Another way is social engineering: pretending to be someone you are not and tricking the responsible person into giving you access is a very common approach (phishing). However, since there have been so many scandals in recent years, it is known that the data of millions of people is available on the dark web, which is another option for getting hold of the needed information.

Once the hash has been acquired, the rainbow attack can be executed and used as a decryption tool.

That sounds pretty simple, right? Fortunately, it is not as easy as it sounds, due to a technique called "salting", which is a very efficient antidote. Salting adds an extra layer of protection to the hash by adding completely random extra values to the input of the hash. This changes the outcome of the hash, and the attacker ends up with a password that is not the real one. This technique is responsible for a huge decrease in rainbow table attacks.
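The effect of salting can be shown side by side with unsalted storage. This is an added example, not code from the original post: a plain precomputed lookup dictionary stands in for a real rainbow table (which compresses the same idea using hash chains), and the wordlist, the choice of SHA-256 and PBKDF2, and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist (assumption), reusing the weak passwords named in this post.
WORDLIST = ["123", "abcd", "password123", "lakers", "clippers123", "lalakers2022"]
ITERATIONS = 100_000  # illustrative PBKDF2 work factor, not a recommendation


def unsalted_hash(password: str) -> str:
    """Legacy storage: bare SHA-256, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; reusable against any unsalted store."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: Optional[bytes] = None):
    """Salted storage: a fresh 16-byte random salt per account, fed to PBKDF2."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def compare_schemes(password: str = "lakers"):
    """Store one password for two accounts under both schemes and test the table."""
    table = build_lookup_table(WORDLIST)
    legacy = [unsalted_hash(password), unsalted_hash(password)]
    salted = [salted_hash(password), salted_hash(password)]
    return {
        "legacy_hashes_identical": legacy[0] == legacy[1],
        "legacy_recovered": table.get(legacy[0]),
        "salted_digests_identical": salted[0][1] == salted[1][1],
        "salted_recovered": table.get(salted[0][1].hex()),
        "login_still_works": verify_salted(password, *salted[0]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The salt is what makes the precomputed table useless, since every account would need its own table; the iteration count separately slows each individual guess.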

As you can see, these methods are used to attack individuals and perform malicious activities, but knowing about these tools will eventually benefit you: once you know how they function, you will be motivated to implement measures that prevent them from harming you. Also, if you need to investigate a crime, you need information. Criminals use passwords and encryption to protect their malicious activities, which can lead to great harm to people. Gaining access to their data is crucial for acquiring evidence so that justice can be done. The seriousness of the proper use of those tools should not be underestimated, since the failure to crack passwords or encryption can result in wrongful convictions or the pursuit of crime.

Challenges for Investigators

Digital forensic investigators face huge challenges. Not only do they have a huge responsibility, but cracking a password can take a large amount of time, and ultimately it is not certain that the password will be found. Although they are working with the newest tools and the latest technology, there is no measure of the probability of finding the right password, since there are countless combinations that can be used. It is not rare that the investigator simply cannot access the system because the cracking is too slow, and the legal case can therefore not be properly resolved. Subsequently, more time has to be allowed for the case to be resolved, which leads to an increase in cost. Money is involved in almost everything, and we know that resources are limited. So not only is this process time-consuming, but it is also very expensive in the long run. Managing time and money for password recovery is one of the biggest challenges in the digital forensics field.