Question

A drive you’re investigating contains several password-protected files and other files with headers that don’t match the extension. Write a report describing the procedures for retrieving the evidence with some of the forensics tools and hexadecimal editors discussed in this chapter(NSRL Hashes and Winhex). Explain how to identify the file headers and determine how their extensions are mismatched. Then discuss what techniques and tools you can use for recovering passwords from the protected files.

Answer 1

While documenting these type of cases we have to follow some basic procedure for recovering the evidence with some of the forensics tools.

• For target drives, utilized recently cleaned media that have been reformatted and investigated for viruses or malware.
• Tally the hardware on the suspect's pc, and note condition of seized pc
• For static acquisitions, eliminate original drive and check the date and time values in system's CMOS
• Document every single step that will help you to obtain information from the suspect drive
• List all folders and files on the image or drive
• Inspect contents of all data files in all folders
• Retriever file contents for all passsword-protected files •
• Identify function of every, executable file that doesn't match hash values
• Maintain control of all proof and discoveries

Approving with Hexadecimal Editors

• Advanced hex editors offer highlights not accessible in computerized legal sciences instruments, for example, Hashing explicit records or areas
• With assistance of hash an incentive close by You can utilize a crime scene investigation device to look for suspicious record that may have its name changed to resemble a harmless document
• WinHex gives MD5 and SHA-1 hashing calculations

Distinguishing the file headers and determine how their extensions are mismatched

• The most common is hide the data by changing file extensions
• Another hiding technique is Selecting the Hidden aspects in a file's Properties dialog box.
• There is another way to check file headers by using advance forensic tools will compare the file mRension to verify that it's correct, If there's a discrepancy the tool flags the file as a possible changed file.

Techniques and tools you can use for recovering passwords from the protected files

1. Brute-force attacks :- Use every possible combinations. This method requirse a lot of time and computing power.
2. To decrypt any encrypted file, user can provide a password
3. We can use key escrow to recover encrypted data,It is used when if user forget their passwords.
4. Dictionary attack :- Uses most common words found in the dictionary and tries them as passwords.
5. Password-cracking tools are available for handling password-protected data. Some are integrated into digital forensics tools like Last Bit, AccessData PRTK, Oph cradle, John the Ripper, Passware etc
6. Salting passwords :- Change hash values and makes cracking passwords more difficult.
7. Rainbow table :-A file containing the hash values for every possible password that can be generated from a computer's keyboard, No conversion necessary, so it is faster than a brute-force or dictionary attack.

For recovering passwords you can use some of the techniques like
• Dictionary attacks
• Rainbows tables
• Brute-force attacks