Here is a great article on why 1Password now uses their own keychain-like file to store its data. They started out using the OSX keychain file format but have since expanded into their own. The application still supports the OSX native format, but they give great reasons why they changed. Read the current blog post explaining the difference HERE.
The main item of interest to a forensic investigator who has not fully read up on the keychain file format? ONLY the password field is encrypted. Nothing else in the file is. So before you set something like my crowbarKC running for hours or days against the keychain, run it through strings first to decide whether there is anything worth the time to recover. Use a command like the one below and flip through the output to decide whether any entries are relevant to your case.
Today I was not up for writing any full program code. On top of that I recorded an upcoming Typical Mac User show with Victor, answering some listener questions about file encryption. One of the things we talked about was PGP for Mac. I got to wondering: what are the odds that they provide a command line option for mounting PGP encrypted discs? Can I do yet another dictionary attack script?
Here is what I have initially found. Note we are talking about a PGP virtual disk file set up for passphrase, NOT key, authentication. You must have the commercial Mac PGP Whole Disk Encryption application installed.
There is a pgpdisk --mount command. So can we toss it in a loop like we did for DMG files? Why of course we can! Note that you need to change the dictionary path and file to the ones you want, and likewise the target .PGD file. On the PGD file: in the example below it is PGPTest, given as the full path minus the extension.
You will notice when you run your attack that you see some text about “Error -11998 – buffer too small”. Normally, if the passphrase you enter is wrong, it will prompt you three more times. Because we are piping the passphrase in with the echo at the front of the line, it errors out instead, skips those extra entry attempts, and keeps going through our dictionary file.
for word in $(cat /Volumes/ExternalDrive/Dictionaries/test.txt | grep -v "#")
I decided to make a quick version of crowbarDMG that works on OSX Keychain files. So here you go. Right now in v1.0 it only works exactly as crowbarDMG does and finds the main unlock password. It is a good deal faster testing keychain files than disc images. Like crowbarDMG it is Leopard only. I am looking for a way to dump the contents of a keychain once it unlocks. If I can come up with a good solution I will release an update via the auto update mechanism.
While I work out an updated copy of crowbarDMG to go after keychains I wanted to give you a quick shell script to achieve the same thing. A long time ago I posted a script for going after DMG files. It takes only a slight edit to make it work for keychain files. You will want to change the test.txt file to your dictionary file and keytest.keychain to your desired file.
It is a common forensics technique to run strings against a disc image. One issue I ran into in testing my crowbarDMG tool was that this often leaves a lot of control characters in the file. So here is a way to remove the non-printable characters from your dictionary file. I also added the “%@” string to the filter since I found that it would crash my program. In a future update I will provide automatic filtering of those problem characters. It uses the tr command instead of sed or awk.
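Here is an added example, my own reconstruction rather than the script from the original post, that does both jobs mentioned above with nothing but tr, grep, sed and awk: pull the printable strings out of a binary file such as a keychain so you can see what is stored in the clear, and scrub a strings-derived dictionary of comment lines, control characters, blanks, duplicates and the “%@” token. The blob and dictionary it builds are constructed for the demo and the /tmp paths are placeholders. (“%@” is the Objective-C format placeholder; that a word containing it crashed the program is what you would expect if the candidate word reached a format-string call, but that is my reading, not something the post states.)

```shell
#!/bin/sh
# Added example, not the blog's own script: strings-style extraction plus
# dictionary scrubbing done with tr/grep/sed/awk only, so it runs on any Unix.

# Print every run of 4 or more printable ASCII characters in a file, one per
# line (what strings(1) does by default). Each non-printable byte becomes a
# line break, then the short runs are dropped.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Scrub a dictionary file: drop comment lines, delete control and non-ASCII
# bytes, remove the "%@" token, drop blank lines, and de-duplicate while
# keeping the first occurrence and the original order.
clean_wordlist() {
    LC_ALL=C grep -v '^#' "$1" \
        | LC_ALL=C tr -d -c '[:print:]\n' \
        | sed 's/%@//g' \
        | grep -v '^$' \
        | awk '!seen[$0]++'
}

# Demo on constructed input (placeholder paths under /tmp).
demo() {
    bin=/tmp/demo-blob.bin
    dict=/tmp/demo-dict.txt
    # a fake binary blob: two readable fields surrounded by NUL and control bytes
    printf 'AB\000login_name\000\001\002xyz\000https://example.invalid/\000' > "$bin"
    # a fake strings-derived dictionary showing the problems the post mentions
    printf 'alpha\n# comment\nbe\001ta\n%%@gamma\nalpha\n\n' > "$dict"
    echo "--- printable strings in $bin"
    extract_strings "$bin"
    echo "--- scrubbed dictionary"
    clean_wordlist "$dict"
    rm -f "$bin" "$dict"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh script.sh demo. Point extract_strings at a keychain file and the account names, service names and URLs come out readable; only the password data itself does not. Note that extract_strings exits non-zero when a file contains no 4-character run at all, because grep found nothing.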
Well here we are. Finally, my very first full Cocoa program. One that does not come from a book.
crowbarDMG is a dictionary attack tool for DMG and sparseimage files on Macs. It does require 10.5 Leopard; it really wasn't worth the trouble to redo things to work on Tiger. It is completely free, so enjoy. Be sure to read the included PDF readme file. It addresses an issue if you use strings to pull a dictionary out of a disc image: some control characters need to be scrubbed, else they will crash crowbarDMG. Give it a shot if you need to recover a password for a dmg or filevault file.
*UPDATE* – Please make sure to run Check for Updates to obtain the latest build. I have released v1.0.1 that implements garbage collection to help prevent memory leaks for long duration projects.
Thanks to Paul Figgiani for his patience in making GUI layout and improvement suggestions.
Thanks to Big Nerd Ranch for the fun bootcamp last October. I would have never had the time to get up to speed on Xcode and ObjectiveC purely on my own.
Thanks as well to the following code and frameworks:
I was working on some exercises for the SANS SEC-508 forensics class. Being the lazy person that I am, rather than manually extract the exif data from the recovered images I made an Automator workflow to do it for me. I had some issues trying to use some code that previously worked under Tiger. So here it is for Leopard. The only downside is that it breaks if the path or filename has a space in it.
I realize it has been a while since I posted on the full blog. I do minor things via Twitter. Toss in the holidays, then lots of stuff to start the year, and the result is laziness on the blog.
I have been writing my first real program on OSX in Cocoa: a disc image (DMG) dictionary attack tool. It is coming along nicely, and once done I will release it to the public as a free tool intended for Mac based forensics examiners. I have posted here before about a shell script to do this. Making the program native in Cocoa means a lot more options, not to mention fun for me to learn.
Filevault is nothing but an encrypted sparseimage disc image file. So in my testing I wanted to see whether my tool could crack my own filevault. To do this I needed a reasonably targeted dictionary file. So, in a pinch, here is a fun way to make a simple attack dictionary.
This command shows disc usage and which discs are mounted. Let's say this iPod is actually my other laptop connected via FireWire Target Disk Mode. Notice below that the root drive is shown and it is disk0s2.
Wait a good long time if the drive is large. You are streaming the drive-level blocks through the strings command to extract all readable ASCII strings into a nice text file.
So I used that file to go after the filevault sparseimage file from my old laptop with my dictionary attack tool. I got lucky: my password was in the strings, but not by itself. It was embedded in some other text, and I had to find it with grep against myDictionary.txt. It had been cached long ago in the unencrypted space on my hard drive by some third party tool. So without some extra work it would not actually have cracked my filevault, but it sure came close. And from an old 40GB PowerBook drive it would have taken only 3 days to run the full myDictionary.txt file against my filevault.
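The lesson in that last paragraph cuts both ways: the same pass over unallocated space tells you whether a passphrase you rely on has been cached in the clear by some other program. Here is an added example, written for this page rather than taken from the post, that checks a raw image for exactly that and also shows why the strings-derived dictionary only came close. It builds a small constructed image instead of reading a real device, the /tmp path and the secret are placeholders, and the "cached preference" line it plants stands in for whatever a hypothetical third-party tool might have written.

```shell
#!/bin/sh
# Added example, not the blog's own commands: check whether a known secret has
# been left in the clear in a raw disk or partition image, and show why a
# strings-derived dictionary can come close without hitting. Everything runs
# on a constructed image; no real device is touched.

# strings(1) equivalent built from tr: runs of 4+ printable ASCII characters.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Number of extracted strings that are exactly the secret, i.e. what a
# dictionary built from the image would actually try as a single word.
exact_hits() {
    printable_strings "$1" | awk -v s="$2" '$0 == s { n++ } END { print n + 0 }'
}

# Number of extracted strings that merely contain the secret: the "embedded
# in some other text" case that only a grep over the strings output finds.
substring_hits() {
    printable_strings "$1" | awk -v s="$2" 'index($0, s) { n++ } END { print n + 0 }'
}

# Build a 64 KiB all-zero image standing in for a partition, then plant a
# "cached" preference line from a hypothetical third-party tool in it.
make_sample_image() {
    img=$1
    secret=$2
    dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
    printf 'prefs: last_pass=%s; ok' "$secret" \
        | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf 'hello world' | dd of="$img" bs=1 seek=20000 conv=notrunc 2>/dev/null
}

demo() {
    img=/tmp/demo-partition.img   # placeholder path, created fresh
    secret='correct horse'        # constructed secret, not a real credential
    make_sample_image "$img" "$secret"
    echo "exact dictionary hits:    $(exact_hits "$img" "$secret")"
    echo "substring (grep -F) hits: $(substring_hits "$img" "$secret")"
    echo "matching strings:"
    printable_strings "$img" | grep -F -- "$secret"
    rm -f "$img"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh script.sh demo. On the constructed image the exact count is 0 and the substring count is 1, which is the situation described above: the secret is on disk in plaintext, but a dictionary of whole strings never tries it as a single word. For a real check, pass a dd image of the drive (or the raw device node) as the first argument; the only difference is how long tr takes to chew through it.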