AccessData – DNA Password Cracking & Amazon EC2

I had a whim to see what I could do with my license of AccessData’s DNA password cracking tool.  It is the Distributed version of their PRTK for the FTK Forensics package.

They have an agent for Windows, Mac, Sony PS3 and Red Hat/Fedora Linux. But could it run under Ubuntu? Perhaps under the WINE windows emulator? I found the answer to be yes. I built a local VMware instance in Fusion on my Mac using Ubuntu 10.10 Desktop. I added Wine, then copied over the DNA Worker.msi installer and ran it. Sure enough it reported into my DNA Manager, which I also had running in a VMware instance, though that one is Windows XP to ensure the license dongle can be attached.

So my next question was how hard it would be to get a DNA worker, or a batch of them, whipped up on the Amazon EC2 cloud and have them report back to my DNA Manager in VMware where my license dongle was attached. The answer was not too bad. And yes, it works. I cracked a zip file with the password “Scooby44” in 19 minutes with a combination of my local VMware Ubuntu instance and a Medium dual CPU instance on Amazon EC2. I also ran the job briefly against a small base level instance on EC2 to see the average passwords per second.

Read more to see the basic stats.  I will soon decide if I make some screen cast tutorials or a written PDF of the whole setup process.  I will put together a tutorial regardless of which medium I choose.



TwitPic – Scraping Exif Data

A couple of days ago Dr. Johannes Ullrich did a really interesting post on scraping GPS data from TwitPic-posted photos from Twitter users. You can read the original post with graphs over at the Internet Storm Center blog. He wrote a couple of perl scripts for use with the exiftags tool.

So I was inspired to do a similar trick without the perl script and using my favorite, Exiftool by Phil Harvey. So here comes yet another one of my automators for OSX. You can download it in the zip below. Just copy the imagecsv.txt to the root of your user home folder. Then run the automator app. You can of course edit the app in Automator to see how it works. It will prompt you for the twitter user name of your target. Then it goes to twitpic, scrapes their RSS feed of all full sized images and runs exiftool on them. It puts all the output in a folder on your desktop named after the twitter user name. You may alter which fields exiftool writes to the exifdump.txt file by editing the imagecsv.txt. It is just a print format file under the rules of exiftool, set up to be tab-delimited.

Just make sure you have exiftool installed or you won't get the tag dump. You will end up just getting all the pictures scraped from the user’s RSS feed.

OSX Automator – TwitPic – ExifScrape


crowbarPGP – Version 1.0.1

I have finally released my crowbarPGP Cocoa application.  Included in the Install DMG you can download below is a folder called Extras.  I put several OSX Automators in it that I have found useful or mentioned in other blog posts.  You can edit them in Automator to see how they work.

I also added a new preference that lets you keep the found password out of the Growl notification while still getting the notification. Soon I will add that to the other crowbar apps. I also finally fixed the code to automatically ignore the carriage return character that comes from dictionary files originating on the Windows OS. This too I will shortly add to the other crowbar apps and release through the auto update mechanism.

crowbarPGP is a dictionary attack tool for cracking PGP (Whole Disk Encryption) and PGD virtual PGP Disk files. It requires OSX 10.5 or 10.6. One key thing: I included the PGD attack feature. However, I found a memory leak in the pgpdisk command last year. I informed PGP of it and provided them the backup material. Unfortunately my contact is no longer with PGP and the memory leak is still there in the recent v10.0 PGP for Mac OSX. So I strongly suggest you do not use that feature until they patch it. When they do I will post a blog update and likely do a small version increment to the program through the automatic updates feature.

Thanks again to Paul Figgiani for his patience in making GUI layout and improvement suggestions.

Thanks as well to the following code and frameworks:

crowbarPGP - Download

Rough Draft OSX Automator – Password Extraction

I have had various discussions with other forensics folks about password dictionaries and their use with my crowbar tools.  So I am doing some experimentation using Automator plus shell script and perl script.  I really think a lot of forensics folks who use Mac OSX forget or underestimate Automator.  In my case I am using it to draft some password extraction tests.

You can download the automator app with a sample text file to run it on. You can get it from here: PasswordExtractor Automator

Of course it is easy for you to edit the automator app in Automator and see/edit my scripts.  Here is a summary of what it does.  And it becomes more clear if you run it on the included text file.

It has you select a file and runs it through strings. It sorts the output and drops duplicate strings. Then it runs that base dictionary file through a perl script several times, each time with a slightly different variant. The script looks for certain flag strings, grabs all the remaining text on the line after the flag text, and turns it into a stack of passwords.

It looks for all case-insensitive occurrences of pw, pwd, pass and password, followed by any of three symbols: =, - or :

It then takes the text following those flag strings, starts at the first letter and writes that to a line as a password, then adds one more letter at a time until it reaches the full length of the remaining text.

So in essence if the password you really need is embedded in say a URL with pass=supersecretpassword then you will actually get a file where ONLY supersecretpassword occurs on a line in a dictionary.  Perfect for your dictionary attack tools.
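As an added illustration, not the post's Automator or perl scripts, here is the same extraction in Python, with the Windows carriage-return stripping mentioned above for the crowbar dictionary loader folded in. The flag words and separators follow the post; the sample strings dump is constructed for this example.

```python
import re

# Flag words and separators from the post: pw, pwd, pass, password followed by
# "=", "-" or ":". Each flag is searched separately, mirroring the several perl
# passes, so a line carrying more than one flag yields a hit for each.
FLAGS = ("password", "pass", "pwd", "pw")
FLAG_RES = [re.compile(rf"{f}\s*[=\-:]\s*(.*)$", re.IGNORECASE) for f in FLAGS]

# Constructed sample of what `strings` might pull from an image (made up for
# this example); the second line carries a Windows CRLF ending, and the first
# line is repeated to show de-duplication.
SAMPLE_DUMP = (
    b"GET /login?user=bob&pass=supersecretpassword HTTP/1.1\n"
    b"PWD: hunter2\r\n"
    b"nothing to see here\n"
    b"GET /login?user=bob&pass=supersecretpassword HTTP/1.1\n"
)


def base_dictionary(raw):
    """Sort and de-duplicate a strings dump, dropping stray carriage returns."""
    lines = raw.decode("utf-8", errors="replace").splitlines()
    return sorted({ln.rstrip("\r") for ln in lines if ln.strip()})


def extract_candidates(lines):
    """Take the text after each flag and emit every prefix of it as a password."""
    seen, out = set(), []
    for line in lines:
        for pat in FLAG_RES:
            for m in pat.finditer(line):
                tail = m.group(1).strip()
                # s, su, sup, ... up to the full remaining text of the line
                for n in range(1, len(tail) + 1):
                    cand = tail[:n]
                    if cand not in seen:
                        seen.add(cand)
                        out.append(cand)
    return out


def run_sample():
    """Run the whole pipeline on the constructed dump and return the wordlist."""
    return extract_candidates(base_dictionary(SAMPLE_DUMP))


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

One of the emitted lines is exactly supersecretpassword, which is what a dictionary attack tool needs.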


Mac Forensics – Automator Love – Make a Dictionary

I really really love Automator on the mac.  It just makes it so easy to setup scripts you can run again later.  More importantly it lets you write a script solution that is point and click for someone else when they need help.

I had an email from a Detective that does forensics work on child exploitation cases.  He wanted a simple way to build a dictionary from a selection of folders and files.  He wanted to use that dictionary with my crowbar tools to go after a filevault from a mac.

Here is what I did.



Mac Shell Script – Crack PGP WDE

While I am working on a crowbar version for PGP whole disk encryption, I took a few minutes to modify the previous script for PGP virtual disk files to hit WDE drives, in case you need something right away. Keep in mind you need to determine the drive number with something like df, diskutil, etc.

When running the script you will see output like

Operation failed! (errno = -12000)
cannot recognize user record at index 1536:
reached end of user record list
ERROR, wrong passphrase.
Operation failed! (errno = -12000)
Password found!

Here is the script. Obviously you will need to change the path to your dictionary and the number after --disk to match the drive you are attacking. If you are clever, the pgpwde command is the same under Windows with PGP installed, so you could build a similar script there.


#!/bin/bash
# Try every word in the dictionary, skipping comment lines that contain "#"
for word in $(grep -v "#" /Volumes/ExternalDrive/Dictionaries/test.txt)
do
    # Authenticate against disk 0 with the candidate passphrase
    echo -n $word | pgpwde --auth-disk --passphrase $word --disk 0

    # pgpwde exits 0 only when the passphrase was accepted
    if [[ $? = 0 ]]
    then
        echo "Password found!"
        echo $word
        exit 0
    fi
done

echo "password not found :("
exit 1


crowbar DMG/KC Alerts on your iPhone

One of the things I built into my crowbar dictionary attack tools for DMG and keychain files from the start was Growl. Growl is a free add-on notification framework for your Mac. MANY popular Mac programs support Growl, so this is not just some odd plug-in. In the crowbar apps I recommend at least having the "password found" and "password not found" notifications pop up on your screen. The "password found" alert is even better when set to sticky, which means it stays on the screen until you click on it.

Now if you have an iPhone you can get the alert notifications right on your iPhone. There is a great iPhone application called Prowl (App Store Link). The developer’s site lets you create a login, which you then set in the Prowl program. You download and install a Growl plugin for Prowl. The Prowl iPhone app is $2.99; the service and plugin are free. Finally, all you do is customize the alert settings for the crowbar apps to send to Prowl, using just the Growl preference pane.

Now when you leave those really large dictionaries running you can leave them minimized and even leave the office or home, knowing you will get the status when the job finishes.

You can find out everything at the Prowl developer’s site: