Forensic Technology Approaches

Part of the series (2 of 2) cracking password protected MS Office files. Whether it is a forensic investigation or even in private life, we might need to open a password protected file which might contain a personal information or information that can change the direction of investigation. For those files, unlike common belief, depending on the length of password, it is actually possible to crack the file reach the data inside. But in order to that, we must have the correct tools and right approach.  In this article, I am going to show how to crack a password protected MS office file using Hashcat on Linux Ubuntu OS step by step. Extracting password hash from the file In our case, we are going to have example.xlsx file which is protected with password. The first thing to do here is to extract the hash of the password which can be done using John The Ripper. This step is explained in my previous article, which can be found here . Note that we are going to need the text file that is...

Part of the series (1 of 2) cracking password protected MS Office files. When we encrypt a document such as xls, xlsx, docx etc., the password we use for encryption is usually kept (embedded) as a calculated hash inside source code of the file. Hence, the most important thing here is to define the correct approach which will be the most useful for detecting and extracting that hash file.  What is hash? Hash is a product of a information that is calculated using a hashing algorithm. Saying that, each hashing algorithm has different calculation methods, so that aspects and calculating times vary for each of them. I prefer to keep that section short, as we will take a detailed look into it in another post. MS Office hashing algorithm formats For protected office files, usually combined hashing algorithms are preferred. As they vary on the MS office version, a hashing file belonging to MS Office 2013 will usually look like the following format:  MS Office ⇐ 2003 MD5 + RC4, oldoffi...