Archive for the ‘Cryptography’ category

Tally ERP 9 is a “new-age business management software for new-age businesses” that is “tailor-made to delight”. With more than two million users, Tally is one of the most popular tools of its kind in India. The product includes the company’s implementation of secure storage named Tally Vault. How secure is Tally Vault, and what does one need to break in? In this article, we’ve provided some insights on how ElcomSoft researchers work when adding support for a new file format.

Support for Tally Vault has been available since Elcomsoft Distributed Password Recovery 4.20.

Breaking Tally Vault

Tally Vault can be protected with a password. The password can be configured at the time one adds a new company; it is also possible to assign a password at a later time.

Once the password is set, ERP 9 creates a new protected vault. The old one (if any) can be deleted. If both encrypted and unencrypted versions of the company profile exist, one can select the right profile.

 

The new versions of Tally ERP 9 store the data in the following folder:

c:\Users\Public\Tally.ERP9\Data\(1nnnn)

If a password is specified for Tally Vault, the product encrypts all files with the .900 extension that are over 512 bytes in size. However, the majority of the data is stored in a single file named Company.900. This file also stores information about the users if the “Use security control” option is enabled.

Unencrypted data is represented in the following way:

Once encrypted, the data looks as follows:

The file is comprised of 512-byte blocks. Each block starts with a 4-byte (32-bit) CRC checksum. When verifying the block, the tool calculates a CRC of the rest of the data (512 bytes less the 4-byte CRC) and compares the result with the checksum.

Now to the encryption. Tally uses an encryption algorithm derived from DES with a 64-bit encryption key. DES was originally introduced in 1977 and used to be an industry standard; in 2001, DES was superseded by AES, which is still used today. The 64-bit encryption key is derived straight from the user’s password (the concept of separate Media Encryption and Key Encryption keys is never heard of). Moreover, a slight modification of the user’s password leads to a similarly slight modification of the encryption key, which suggests a horribly weak implementation of key derivation. Considering that cryptographically strong hash functions (e.g. SHA-512) have existed for a very long time, this result is truly amazing (as in “amazingly bad”). The encryption deals with 8-byte blocks.
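The “slight change in, slight change out” property described above can be measured. The following is an added example, not ElcomSoft’s code and not Tally’s algorithm: `weak_kdf` is a constructed stand-in that merely shares the weakness, and the salt, round count and sample password are assumptions chosen for the demonstration.

```python
import hashlib

def weak_kdf(password: bytes) -> bytes:
    """Constructed weak derivation (not Tally's): XOR-fold the password into 8 bytes."""
    key = bytearray(8)
    for i, byte in enumerate(password):
        key[i % 8] ^= byte
    return bytes(key)

def strong_kdf(password: bytes, salt: bytes = b"constructed-salt", rounds: int = 2000) -> bytes:
    """PBKDF2-HMAC-SHA512 truncated to 64 bits so both keys are the same size.
    The round count is kept low so the demo finishes quickly."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, rounds, dklen=8)

def bit_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length keys differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(kdf, password: bytes) -> float:
    """Mean number of key bits that change when a single password bit is flipped."""
    reference = kdf(password)
    distances = []
    for index in range(len(password)):
        for bit in range(8):
            mutated = bytearray(password)
            mutated[index] ^= 1 << bit
            distances.append(bit_distance(reference, kdf(bytes(mutated))))
    return sum(distances) / len(distances)

if __name__ == "__main__":
    sample = b"Tally123"  # constructed sample password
    print("weak  :", avalanche(weak_kdf, sample), "of 64 key bits change")
    print("strong:", avalanche(strong_kdf, sample), "of 64 key bits change")
```

A sound derivation changes about half of the 64 key bits for every single-bit change in the password; a derivation that changes only a handful leaks how close a candidate password is to the real one.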

Verifying the password is implemented by calculating the encryption key, decrypting the encrypted page and calculating the CRC of the decrypted data. The CRC is then compared with the checksum stored at the beginning of the page. Theoretically, decrypting the page and verifying the password would require decrypting some 64 blocks of 8 bytes each.

Reality is different. Each page includes a few bytes of fixed metadata. For example, immediately following the CRC there are four bytes containing the fixed value of 0x00000001. This is what’s considered a “known plain text”. As a result, the attacker does not have to decrypt the entire 512-byte page or calculate its checksum. Instead, decrypting the 4 bytes and comparing them with a known value of 0x00000001 is enough to try a password. Of course, collisions are unavoidable; for this reason, once the fixed four bytes are successfully decrypted, the attacker must verify the rest of the content by following the original algorithm (e.g. decrypting the entire page and calculating its CRC).

This value is not the only fixed metadata stored in encrypted pages. The offset 12 apparently stores the page number (unless it’s the last page), so even if Tally fixes this issue, other possibilities for fast attacks would remain.
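The page layout described above (a 4-byte CRC over the remaining 508 bytes, followed by the fixed value 0x00000001) is enough to triage whether the pages of a .900 file are stored in the clear. This is an added example, not ElcomSoft’s code: the article does not name the CRC variant or byte order, so zlib’s CRC-32 and little-endian fields are assumptions, and the sample pages are constructed.

```python
import hashlib
import struct
import zlib

PAGE_SIZE = 512
FIXED_MARKER = 0x00000001  # fixed value the article reports right after the CRC

def make_plain_page(payload: bytes) -> bytes:
    """Build a constructed plaintext page: CRC | marker | payload, zero padded."""
    body = (struct.pack("<I", FIXED_MARKER) + payload).ljust(PAGE_SIZE - 4, b"\x00")
    return struct.pack("<I", zlib.crc32(body)) + body

def classify_page(page: bytes) -> str:
    """Classify one page from its raw bytes, without any key material."""
    if len(page) != PAGE_SIZE:
        return "truncated"
    stored_crc, marker = struct.unpack_from("<II", page, 0)
    crc_ok = zlib.crc32(page[4:]) == stored_crc  # CRC covers 512 - 4 bytes
    if crc_ok and marker == FIXED_MARKER:
        return "plaintext"
    if crc_ok:
        return "crc-ok-unknown-marker"
    return "encrypted-or-corrupt"

def classify_file(data: bytes) -> list:
    """Split a buffer into 512-byte pages and classify each one."""
    return [classify_page(data[off:off + PAGE_SIZE])
            for off in range(0, len(data), PAGE_SIZE)]

def sample_file() -> bytes:
    """Constructed input: one clear page, one scrambled page, one short tail."""
    plain = make_plain_page(b"constructed ledger record")
    # Stand-in for an encrypted page: fixed pseudo-random bytes, not Tally data.
    scrambled = hashlib.shake_256(b"constructed").digest(PAGE_SIZE)
    return plain + scrambled + plain[:100]

if __name__ == "__main__":
    for number, state in enumerate(classify_file(sample_file())):
        print(number, state)
```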

So how does the speed of the known plaintext attack compare to the speed of the more straightforward attack that requires decrypting the whole page?

| CPU | Whole page decryption, passwords per second | Known plain text attack as used in EDPR, passwords per second |
|---|---|---|
| Intel Core i7 6700 | 170 000 | 5 400 000 |
| Intel Core i7 9700K | 345 000 | 11 400 000 |

 

Conclusion

The “tailor-made to delight” software for “new-age businesses” delivers the worst implementation of data protection we’ve seen in the last 20 years. It’s so bad we don’t know where to start; there is no single aspect that’s done right. The encryption key is directly derived from the user’s password instead of using separate media encryption and key encryption keys. The homegrown algorithm deriving the encryption key from the user’s password is weak beyond imagination; we couldn’t write as bad a hash function even if we tried. The DES-like encryption algorithm is outdated, while the 64-bit encryption key is way too short considering the outdated encryption algorithm. The known plain text metadata embedded in every encrypted page is the icing on the cake. We just hope that new-age businesses will remain delighted if their encrypted data falls into the wrong hands.

Why waste time recovering passwords instead of just breaking in? Why can we crack some passwords but still have to recover the others? Not all types of protection are equal. There are multiple types of password protection, all having their legitimate use cases. In this article, we’ll explain the differences between the many types of password protection.

The password locks access

In this scenario, the password is the lock. The actual data is either not encrypted at all or is encrypted with some other credentials that do not depend on the password.

  • Data: Unencrypted
  • Password: Unknown
  • Data access: Instant, password can be bypassed, removed or reset

A good example of such protection would be older Android smartphones using the legacy Full Disk Encryption without Secure Startup. For such devices, the device passcode merely locks access to the user interface; by the time the system asks for the password, the data is already decrypted using hardware credentials and the password (please don’t laugh) ‘default_password’. All passwords protecting certain features of a document without encrypting its content (such as the “password to edit” when you can already view, or “password to copy”, or “password to print”) also belong to this category.

A good counter-example would be modern Android smartphones using File-Based Encryption, or all Apple iOS devices. For these devices, the passcode (user input) is an important part of data protection. The actual data encryption key is not stored anywhere on the device. Instead, the key is generated when the user first enters their passcode after the device starts up or reboots.

Users can lock access to certain features in PDF files and Microsoft Office documents, disabling the ability to print or edit the whole document or some parts of the document. Such passwords can be removed easily with Advanced Office Password Recovery (Microsoft Office documents) or Advanced PDF Password Recovery (PDF files).

(more…)

Home users and small offices are served by two major manufacturers of network attached storage devices (NAS): QNAP and Synology, with Western Digital being a distant third. All QNAP and Synology network attached storage models are advertised with support for hardware-accelerated AES encryption. Encrypted NAS devices can be a real roadblock in the way of forensic investigations. In this article, we’ll review the common encryption scenarios used in home and small office models of network attached storage devices made by Synology. (more…)

The first Microsoft Office product was announced back in 1988. During the past thirty years, Microsoft Office has evolved from a simple text editor to a powerful combination of desktop apps and cloud services. With more than 1.2 billion users of the desktop Office suite and over 60 million users of Office 365 cloud service, Microsoft Office files are undoubtedly the most popular tools on the market. With its backward file format compatibility, Microsoft Office has become a de-facto standard for document interchange.

Since Word 2.0 released in 1991, Microsoft has been using encryption to help users protect their content. While certain types of passwords (even in the latest versions of Office) can be broken in an instant, some passwords can be extremely tough to crack. In this article we’ll explain the differences between the many types of protection one can use in the different versions of Microsoft Office tools, and explore what it takes to break such protection.

(more…)

Full-disk encryption presents an immediate challenge to forensic experts. When acquiring computers with encrypted system volumes, the investigation cannot go forward without breaking the encryption first. Traditionally, experts would remove the hard drive(s), make disk images and work from there. We are offering a faster and easier way to access information required to break full-disk system encryption by booting from a flash drive and obtaining encryption metadata required to brute-force the original plain-text passwords to encrypted volumes. For non-system volumes, experts can quickly pull the system’s hibernation file to extract on-the-fly encryption keys later on with Elcomsoft Forensic Disk Decryptor.

What’s It All About?

It’s about an alternative forensic workflow for accessing evidence stored on computers protected with full-disk encryption. Once the system partition is encrypted, there is nothing one can do about it but break the encryption. Elcomsoft System Recovery helps launch password recovery attacks sooner compared to the traditional acquisition workflow, and offers a chance of mounting the encrypted volumes in a matter of minutes by extracting the system’s hibernation file that may contain on-the-fly encryption keys protecting the encrypted volumes.

This new workflow is especially handy when analyzing ultrabooks, laptops and 2-in-1 Windows tablet devices such as the Microsoft Surface range featuring non-removable, soldered storage or non-standard media. With just a few clicks (literally), experts can extract all information required to launch the attack on encrypted volumes.

Elcomsoft System Recovery offers unprecedented safety and compatibility. The use of a licensed Windows PE environment ensures full hardware compatibility and boot support for systems protected with Secure Startup. The tool mounts the user’s disks and storage media in strict read-only mode to ensure forensically sound extraction. (more…)

Health data is among the most important bits of information about a person. Health information is just as sensitive as the person’s passwords – and might be even more sensitive. It is only natural that health information is treated accordingly. Medical facilities are strictly regulated and take every possible security measure to restrict access to your medical records.

For several versions of iOS now, your health information has also been stored in Apple smartphones, Apple cloud and various other devices. In theory, this information is accessible to you only. It’s supposedly stored securely and uses strong encryption. But is that really so? What if Apple uploads this data to the cloud? Is it still secure? If not, can we extract it? Let’s try to find out.

(more…)

We’ve just updated Elcomsoft Distributed Password Recovery with the ability to break master passwords protecting encrypted vaults of the four popular password keepers: 1Password, KeePass, LastPass and Dashlane. In this article, we’ll talk about security of today’s password managers, and provide insight on what exactly we did and how to break into encrypted vaults. (more…)

This article opens a new series dedicated to breaking passwords. It’s no secret that simply getting a good password recovery tool is not enough to successfully break a given password. Brute-force attacks are inefficient for modern formats (e.g. encrypted Office 2013 documents), while using general dictionaries can still be too much for speedy attacks and too little to actually work. In this article, we’ll discuss the first of the two relatively unknown vectors of attack that can potentially break 30 to 70 per cent of real-world passwords in a matter of minutes. The second method will be described in the follow-up article. (more…)

As you may already know, we’ve added Android support to our WhatsApp acquisition tool, Elcomsoft Explorer for WhatsApp. While the updated tool can now extract WhatsApp communication histories directly from Android smartphones with or without root access, how do you actually use it, and how does it work? In this blog post we’ll be looking into the technical detail and learn how to use the tool.

(more…)

In the world of Windows dominance, Apple’s Mac OS X enjoys a healthy market share of 9.5% among desktop operating systems. The adoption of Apple’s desktop OS (macOS seems to be the new name) is steadily growing. This is why we are targeting Mac OS with our tools.

This time, let’s talk about Mac OS X user account passwords. Not only will a user password allow accessing their Mac, but it will also allow decrypting FileVault 2 volumes that are otherwise securely encrypted with virtually unbreakable XTS-AES.

Attacking FileVault 2

FileVault 2 is Apple’s take on whole-disk encryption. Protecting the entire startup partition, FileVault 2 volumes can be unlocked with either of the following:

  • 256-bit XTS-AES key
  • Recovery Key
  • User password from any account with “unlock” privileges

There is also an additional unlock method available called Institutional Recovery Key. These recovery keys are created when system administrators enable FileVault 2 encryption with FileVaultMaster.keychain. This method requires additional steps to activate, and is typically used in organizations with centralized keychain management.

(more…)