Posts

Setting up Zip2John to crack password protected zip files on Linux Ubuntu

Zip2john is a useful tool for extracting the hash from a password protected zip file so that it can be cracked. Since it is not included in the default John the Ripper package, installing it can be a little tricky, especially on Ubuntu-like Linux distributions. Downloading Zip2John Here is how the additional zip2john package can be installed on Ubuntu using the mighty terminal; Step 1: Clone the app from the GitHub repository using the following command git clone https://github.com/openwall/john -b bleeding-jumbo john && cd john/src/ && ./configure   If you get an error on the previous step, add --without-openssl after ./configure, then type the following; make -s clean && make -sj4 Extracting the hash of the zip file Step 2: If you have successfully completed the installation, you can extract the hash file using the following steps: Move to the /run directory using cd /home/user/john/run Step 3: Type the following command; ./zip2john ./test.zip > hash.txt  The hash file must be automatically exported i...

Forensic analysis of recently accessed files - LNK (Linklist) analysis

Part of the series (2 of 3) Windows artifact analysis. LNK files, also called link lists in some sources, are created automatically by the Windows operating system when the user interacts with documents, apps and folders. An LNK file can also be described as one of the shortcut entries shown when the user right-clicks the File Explorer icon on the taskbar, as shown below, since these shortcuts are listed based on latest access time and frequency: As we all know, that list is modifiable and limited to a few recently accessed files. So how can LNK files help us from the forensic perspective? Even though the user is able to clear the list shown above, Windows still keeps a trace of those files, and the full list is a lot longer than what appears on the taskbar. The complete list of recently accessed files, docs, apps and folders can be found in "C:\Users\%User%\Recent", or simply press the Windows key, type "run" and enter "recent" in the Run dialog.  La...

Forensic analysis of recently accessed files - jumplist analysis

Part of the series (1 of 3) Windows artifact analysis. When it comes to detecting recently accessed files, Windows offers a wide variety of artifacts that can help enlighten a forensic investigation. Among the many items (so-called artifacts) that exist for that purpose, one that is automatically created by Windows is called the jumplist. Jumplists are system artifacts created to keep track of recently accessed files. While those files can be viewed by typing "recent" in the Run dialog, the list that comes up might be the whole thing. Especially during forensic investigations, it is important to make sure that all the available information is collected completely. For that very reason, all jumplist files must be retrieved from the custodian's computer and inspected thoroughly. Two types of jumplists are created when the user opens a file: the automatic (.automaticDestinations-ms) file and the custom (.customDestinations-ms) file. The main differenc...

Cracking password protected MS Office files using Hashcat

Part of the series (2 of 2) cracking password protected MS Office files. Whether in a forensic investigation or even in private life, we might need to open a password protected file that contains personal information or information that can change the direction of an investigation. For such files, contrary to common belief and depending on the length of the password, it is actually possible to crack the file and reach the data inside. But in order to do that, we must have the correct tools and the right approach.  In this article, I am going to show step by step how to crack a password protected MS Office file using Hashcat on Ubuntu Linux. Extracting the password hash from the file In our case, we have an example.xlsx file that is protected with a password. The first thing to do here is to extract the hash of the password, which can be done using John The Ripper. This step is explained in my previous article, which can be found here. Note that we are going to need the text file that is...

Extracting hash values from MS Office files using John The Ripper on Linux

Part of the series (1 of 2) cracking password protected MS Office files. When we encrypt a document such as xls, xlsx, docx etc., the password we use for encryption is usually kept (embedded) as a calculated hash inside the file's internal structure. Hence, the most important thing here is to choose the right approach for detecting and extracting that hash.  What is a hash? A hash is the product of a piece of information calculated with a hashing algorithm. That said, each hashing algorithm has a different calculation method, so its properties and computation times vary. I prefer to keep that section short, as we will take a detailed look at it in another post. MS Office hashing algorithm formats For protected Office files, combined hashing algorithms are usually preferred. As they vary with the MS Office version, a hash belonging to MS Office 2013 will usually look like the following format:  MS Office ⇐ 2003 MD5 + RC4, oldoffi...