Access to encrypted information can be gained through various methods, including live system analysis (1 and 2), using bootable forensic tools, analysis of sleep/hibernation files, and exploiting TPM vulnerabilities, with password recovery being the last option on the list. Each method has different resource requirements and should be used in order of least resource-intensive to most time-consuming, with password recovery as the last resort. Familiarize yourself with the different encryption recovery strategies and learn about data formats with weak protection or known vulnerabilities.

Why password recovery is your last resort

When presented encrypted evidence, one’s immediate thought is “I need to break a bunch of passwords”. However, decrypting protected information by recovering the original plain-text password is the most straightforward approach, but also the least efficient one. Since most encryption formats are designed to withstand password attacks with hundreds thousands rounds of hashing, the time required to break even a simple password could be days, months, or years. In real life, the chance of successfully breaking encryption by attacking passwords is low. For example, the authors of When Encryption Baffles the Police: A Collection of Cases describe as many as 55 criminal cases that involved data encryption. In 17 cases, encryption was fully or partially broken, which results in an approximately 30% success rate.

You may be able to improve this success rate by employing alternative techniques to decrypt information other than attacking plain-text passwords. If access to encrypted digital evidence takes precedence over retrieving the plain-text password (which is not always the case, e.g. Windows Account Passwords: Why and How to Break NTLM Credentials), a number of more efficient solutions may be available. The recovery methods for accessing protected pose very different resource requirements such as the time spent by the expert to set up the attack, and the time required to carry out the attack. We recommend trying the least resource-intensive methods first and only resorting to more time-consuming methods (such as brute force) when all other options have been exhausted. The following are our preferred recovery methods:

1. Encrypted disks and virtual machines: Live system analysis. This method, if available, enables the retrieval of binary encryption keys and/or imaging of the file system of a mounted disk without the need for lengthy brute-force attacks.
2. Live system analysis: If you have access to an authenticated user session, make the most of it before shutting down the computer. Even if full-disk encryption is not used, some data (such as DPAPI-protected items) will only be accessible when the user signs in with their password. DPAPI-protected items include passwords saved in web browsers (Chrome, Edge, etc.), passwords for network shares, keys, tokens, and certificates.
3. Computer in sleep/hibernation: Analyze page/hibernation files for disk encryption keys (using Elcomsoft Forensic Disk Decryptor). Keep in mind that volatile virtual machine images may also be stored in RAM.
4. Consider using bootable forensic tools (such as Elcomsoft System Recovery) to quickly image built-in storage media and extract encryption metadata.
5. BitLocker disks: Consider using TPM vulnerabilities to unlock the BitLocker boot drive before removing storage media for imaging.
6. Encrypted disks: Analyze hibernation and page files with Elcomsoft Forensic Disk Decryptor (searching for encryption keys). An authenticated user session is not necessary for this analysis.
7. Some data formats have weak protection or known vulnerabilities. Familiarize yourself with these formats (such as Microsoft Office documents saved in legacy formats like .doc/.xls instead of .docx/.xlsx); e.g. Decrypting Password-Protected DOC and XLS Files in Minutes.
8. Use the “low hanging fruit” strategy and prioritize files with weak protection.
9. Password recovery. This should only be used as a last resort, but you may have options such as a smart attack and/or custom dictionaries made up of the user’s other passwords (for example, extracted from the keychain/web browsers).

More information:

• What is Password Recovery and How It Is Different from Password Cracking
• A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption
• How Long Does It Take to Crack Your Password?
• How to Break 70% of Passwords in Minutes