Forensic Blogs

An aggregator for digital forensics blogs

April 25, 2019 by LCDI

Elcomsoft Tool Evaluation Blog 3

More Evaluations & Final Report!

Recently we’ve focused on evaluating more Elcomsoft applications as well as putting together our final report. We continued to use the same scoring criteria from our previous blog to test these tools. The applications we tested include Advanced PDF Password Recovery, Proactive System Password Recovery, Advanced Archive Password Recovery, Elcomsoft System Recovery, Elcomsoft Cloud eXplorer, Elcomsoft Internet Password Breaker, and Distributed Password Recovery.

Advanced PDF Password Recovery:

Advanced PDF Password Recovery is another helpful program by Elcomsoft and can decrypt any password-protected PDF file. This program is nearly identical to Advanced Archive Password Recovery in the way it looks and operates. The only notable difference between the two tools is that Advanced PDF Password Recovery has a few more attack options: brute force, mask, dictionary, plain-text, WinZip recovery, and password from keys. As with Advanced Archive Password Recovery, the user will have to read through the available manual to understand all the functions and attacks.

(interface of Advanced PDF Password Recovery)

Once the user has loaded the encrypted PDF into the program, it will get to work. Depending on the type of attack and the specifications set, it can take a fair amount of time to finish. The program will find the password and decrypt the document as long as the password fits within the set parameters. We have tested this program with multiple passwords ranging in length and character types, and we have come to a conclusion about the program. We give this tool a score of 5. The program is completely functional and will get the task done; however, in order to be certain which attack to use, as well as what the program is capable of, the user will want to reference the help manual and a few online tutorials to fully understand the tool. Because this application is almost identical to Advanced Archive Password Recovery, it seems appropriate that they receive the same score. They are both well-made tools, but could use improvement in the same areas.

Proactive System Password Recovery:

Using the same scale, we would rate Proactive System Password Recovery a 3. This tool is simple to use and its tasks can be performed with the touch of a button. There are five different sections of information to find and use on the program. The sections include main menu, advanced features, revelation, misc, and Recover PWL. Each section has a unique purpose and finds different information.

We accessed this information easily. The tool does everything on its own, since it simply reads the information from the system. With administrator access, the user can do more with the tool: they can decrypt some of the information found on the system, such as hashes and passwords. All of the captured information is saved to a file for later reference, which shows everything gathered by each section of the tool.

Advanced Archive Password Recovery:

Advanced Archive Password Recovery is a useful program that can obtain the password of encrypted ZIP and RAR files. After spending some time evaluating it, we’ve become familiar with the ins and outs of this tool. The interface of the program reminded us of the Advanced Office Password Recovery program, also distributed by Elcomsoft, but with fewer options for types of attacks. These attack choices include brute force, dictionary, mask, and key search. Since each of these attacks usually takes a significant amount of time, the user has options to narrow down the specifications, such as password length, character range (i.e. lower-case, upper-case, numbers, symbols, etc.), and dictionary types.

(interface of Advanced Archive Password Recovery)

To break the encryption, the user will need to choose the specific ZIP or RAR file and then specify how the attack should approach the file. Once the process has started, the tool will notify the user how long it will take until all the password possibilities have been exhausted. 

After testing this program with multiple password-protected files, we have decided to give the program a 5. The tool will definitely retrieve the password as long as the user inputs the correct specifications and uses it on either a ZIP or RAR file. The program interface and tool options are cluttered, and someone with no experience in the field would most likely not know how to run the program. They would need to browse the manual to understand the process, and it would take a significant amount of time studying the program to understand all the features available in the tool. Overall, however, the tool works well and isn’t so complex that it becomes unusable, given a bit of extra spare time to understand it.

Elcomsoft System Recovery:

Following the same evaluation process, we would rate Elcomsoft System Recovery a 5. This tool requires some work that takes experience. However, the interface is easy to read and understand. In order to collect the system files, the user first has to create a partition on a USB drive for the files to be written to. After that, the user can open the tool, go through the wizard, and create the ESR bootable disk on the USB. The tool then writes a copy of the files to the USB as an image.

Once everything is copied onto the USB, it’s safe to remove it and power down the computer completely. The USB then needs to be plugged back into the computer, which is powered on again. The user needs to quickly access the BIOS screen, which brings up the Elcomsoft version of the BIOS screen from the USB. From there, the user has multiple options for what to do with the system files. Under CMD.EXE, they can change the local user account, dump password hashes, dump domain cached credentials, back up the SAM (where you can change computer passwords to get access to computer systems as though they are yours), restore the SAM (in case something goes wrong), and open the SAM editor.

Elcomsoft Cloud eXplorer:

After testing Elcomsoft Cloud eXplorer, we believe this program is everything anyone could ask for in a tool like this. Upon opening, the user will be greeted with a clean looking program with hardly any options and zero clutter. The user’s only options (besides changing the settings and checking the help manual) are to add a Google snapshot or to download a Google Drive file. Upon selecting either of these choices, the user will be asked to enter the Google account information or a Google Token to gain access to the info. If that’s successful, the program will allow them to choose what they want to download from the account, including the drive, computer, and deleted and shared files.

(interface of Elcomsoft Cloud eXplorer)

The important thing to note about this program is that its job is not to figure out the password to the Google Account. It assumes the user has the password already and simply wants to download the files from the account.

After all of that is done and the download location has been selected, all the files can be viewed. Everything is presented in an organized file structure so the user can find exactly what they are looking for. We’ve used this program on multiple Google accounts and it completes the task at a relatively fast pace every time. Given how simple the program is and how well it functions, we give this tool a score of 1. We feel almost anyone would be able to use it on their first attempt without any assistance, and that there isn’t a better program out there to download Google Drive files and Google Snapshots. This is one of the best Elcomsoft products we’ve tested so far and is worthy of earning a coveted score of 1.

Elcomsoft Internet Password Breaker:

Using the above scale, we would rate Elcomsoft Internet Password Breaker a 3. This tool does everything very simply. The user can open a PST file, Web Browsers, or Mail. The Web Browsers option works for Internet Explorer, Microsoft Edge, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and Yandex Browser. For mail accounts, the tool supports OE News Accounts, OE Mail Accounts, OE Identities, Outlook accounts, Thunderbird, W[L]M Mail Accounts and W[L]M News Accounts.

We accessed this information by using different account information on Microsoft Edge and Google Chrome. While using one of the accounts, we found that a single account can lead to more than one username and password: any username or password saved to a Google account may give access to all of that account’s saved passwords. The passwords are easy to extract. We pressed ‘Web Passwords’, chose which web browser we had used, and got all the information for the accounts, as long as the passwords were saved to the browser.

It is easy to access individual passwords and to export the passwords into a file with the click of a button as well. Recovery of usernames and passwords is easy if the tool has access to the web browser. It is most useful when installed on the computer whose passwords need to be accessed or recovered. This tool is user-friendly and effective with some prior knowledge of its purpose and capabilities.

Distributed Password Recovery:

Distributed Password Recovery is a unique password cracking tool in that it supports many different file formats rather than the files of a single program. Due to its elaborate-looking setup, the user might be intimidated by the program. There are many options available, including tasks, agents, connection, messages, and dictionaries. Most of these tabs won’t be necessary in the password recovery process. If the user wishes to learn all of the functions, they can refer to the manual installed with the program.

(interface of Distributed Password Recovery)

To start the process, the user will import the file they want cracked and have a list of attacks they may want to use: dictionary, mask, or brute force. Once they’ve chosen an attack, the process begins, and it will inform the user how long the tests will take. Then it will let the user know whether it was able to recover the password or not. This is where we faced an issue with the program. From what we can see, there is no way to view the recovered password. We have read through the manual, watched tutorials, read online materials; however, despite all of our best efforts, we can’t figure out how to access the cracked document.

We couldn’t get the program to function properly, and many of its unnecessary features require reading through the manual. As a result, we are giving this tool a score of 13. On the surface, it may not look too bad, but we haven’t found any other program from Elcomsoft as complex and difficult as this one. We will continue to try to figure out more about how to use this program. At this point, however, we’ll stick with this score, given that the password seems unattainable.

Conclusion

Elcomsoft has produced an array of quality tools that continue to impress us as we test them individually. They all prove to be useful in some capacity and, luckily, none of them are too complex. With a little bit of reading and research, we have been able to figure out just about every component. In the upcoming weeks, we will see if there are any other tools we think would be crucial to evaluate. We will also focus on getting our final report to near completion. Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to see other important information pertaining to our project!

The post Elcomsoft Tool Evaluation Blog 3 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized. Tagged With: Blog Post, Champforensics, Champlain College, Digital forensics, Elcomsoft, LCDI, password recovery, Tool Evaluation, tools

March 19, 2019 by LCDI

Elcomsoft Tool Evaluation Blog 2

First evaluations!

Our Elcomsoft Tool Evaluation team started out the next sprint by setting off to evaluate the tools relating to phones, computers, and office products. To catch up on the beginning of our process, read our first blog post here. The new tools we evaluated included Advanced Office Password Recovery, Advanced WordPerfect Office Password Recovery, Elcomsoft Phone Viewer, Elcomsoft eXplorer for WhatsApp, and Elcomsoft Password Digger.

We used the following scoring system to evaluate the tools:

1- Beginner: user can navigate the program without any prior knowledge

3- Novice: user requires basic knowledge of the program and how it works

5- Intermediate: user needs some previous experience working with the program

8- Advanced: user must have a lot of experience working with the program

13- Superior: user must be an expert on the program and capable of teaching others how to use it

Advanced Office Password Recovery

Advanced Office Password Recovery proved to be an extremely useful tool. The program opens with an interface that is simple and easy to understand. This interface includes a log window so the user can see what is processing as they are using the tool. There’s also a help tab with an instruction manual that’s found right inside the program for new users. Another advantage is that it accepts different document file types so the user doesn’t have to worry about any conversions.

The interface of Advanced Office Password Recovery

When the user wants to start an attack, they will have many different options, ranging from a brute-force attack to combination and hybrid attacks (these can all be read about in the manual). This gives the user many choices depending on the type of encryption they are dealing with. When the user selects the type of attack they want, a window will pop up allowing them to enter specifications that can help the tool work faster, e.g. password size and character parameters.

AOPR takes a good amount of time to decipher the password, depending on its size and the type of attack. As the process is running, the tool shows the user the passwords that are being tried and how many passwords are being tried per second. This is useful, because the user can see how efficiently the program is working and make sure they entered the right parameters so the tool can find the right password. In order to test the tool’s capabilities, we tested a range of passwords that varied in complexity: six characters with only English letters, twelve characters that included numbers, and eighteen characters that included numbers and symbols.

Overall, this tool earns a 3 because only limited experience is required in order to operate most of the processes. The part that requires the most knowledge is deciding which attack to use for a specific password. Although the password recovery process might take a long time, it is functional and can recover any password, no matter the complexity.
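The time-remaining figure that Advanced Office Password Recovery and Advanced Archive Password Recovery display follows directly from three numbers: the size of the enabled character classes, the password length range, and the passwords-per-second rate shown while the attack runs. The script below, an added example that is not part of the LCDI post and not Elcomsoft code, computes the keyspace for the three password classes the team tested and the worst-case time to exhaust each one at an assumed rate of one million guesses per second. The character classes, the rate, and the assumption that every position may hold any character of the alphabet are ours; the Elcomsoft tools may enumerate a different symbol set.

```python
"""Brute-force keyspace and time-to-exhaustion estimator (added example).

Assumptions (not from the LCDI post): ASCII character classes only, every
position may hold any character of the chosen alphabet, and the guess rate
is the 'passwords per second' figure the tool displays while running.
"""
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Character classes the range options let a user enable.
CHARSETS = {
    "lower": ascii_lowercase,   # 26 characters
    "upper": ascii_uppercase,   # 26 characters
    "digits": digits,           # 10 characters
    "symbols": punctuation,     # 32 printable ASCII punctuation characters
}


def charset_size(classes):
    """Size of the alphabet formed by the union of the named classes."""
    alphabet = set()
    for name in classes:
        alphabet.update(CHARSETS[name])
    return len(alphabet)


def keyspace(classes, min_len, max_len):
    """Candidates a brute-force run must try when lengths min_len..max_len
    are all enumerated over the given alphabet (sum of n**L for each L)."""
    n = charset_size(classes)
    return sum(n ** length for length in range(min_len, max_len + 1))


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case seconds to try every candidate; the expected time is half."""
    return space / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


# Constructed sample: the three password classes the team tested.
TESTED = (
    ("six lowercase letters", ("lower",), 6),
    ("twelve letters and digits", ("lower", "upper", "digits"), 12),
    ("eighteen letters, digits and symbols",
     ("lower", "upper", "digits", "symbols"), 18),
)


def report(guesses_per_second=1_000_000):
    """Return (label, keyspace, worst-case seconds) for each tested class
    at a hypothetical rate of one million guesses per second."""
    rows = []
    for label, classes, length in TESTED:
        space = keyspace(classes, length, length)
        rows.append((label, space, seconds_to_exhaust(space, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for label, space, secs in report():
        print(f"{label:40} {space:>30,}  {humanize(secs)}")
```

Running it shows why the team saw such different run times: six lowercase letters is about 309 million candidates (minutes at a million guesses per second), while eighteen characters drawn from all four classes is 94^18, far beyond what any brute-force run will exhaust, which is the point at which the mask and dictionary attacks the posts mention become the only practical options.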

Elcomsoft Phone Viewer

After using the Elcomsoft Phone Viewer, we would rate it a score of 3, or novice. The program gives multiple options to access backup information from an iPhone, BlackBerry, and Microsoft account data. The need for basic understanding comes in when trying to figure out which backup works best with the tool. The process we used for the tool is an iTunes backup. We downloaded iTunes onto the desktop and synced the phone to the computer. Once complete, we clicked on iTunes backup and chose the iPhone 8 device. Then we allowed access to all information from the iPhone. After typing in the passcode for the encrypted backup, it took only twenty-seven seconds to load the iTunes backup and get access to the main interface of the tool. The time can vary due to the size of the backup.

The interface of Elcomsoft Phone Viewer

The main interface is very user-friendly. With only some knowledge of these devices, our team had an easy time evaluating this tool. It shows the iPhone user, the type of phone, iOS version, Serial Number, GUID, IMEI, Unique Identifier, and last backup date. The Elcomsoft Phone Viewer gives us access to the applications, calendar, calls, contacts, locations, media, messages, notes, notifications, Wallet, Web and Wi-Fi. Within each category, it goes into depth, with information that can be filtered to narrow the results. For example, in applications, the user can search for a specific app without looking through the list. This allows the tool to be efficient in finding the information the user wants. This tool also has a help option that explains the tool in great detail and is understandable for anyone with limited knowledge.

Advanced WordPerfect Office Password Recovery

Advanced WordPerfect Office Password Recovery is an extremely simple yet useful tool. When first opened, the tool presents an interface with only four options: open file, help contents, about, and quit. For convenience, there is an instruction manual under the help contents section if the user needs it. In order to recover a password, all the user has to do is open a WordPerfect file and the tool will do the rest. Multiple documents were tested with passwords varying in complexity, and the tool was still able to decipher the passwords in a matter of seconds. The complexity of the passwords included six characters with only English letters, twelve characters that included numbers, and eighteen characters that included numbers and symbols.

The interface of Advanced WordPerfect Office Password Recovery

Not only does the tool output the password of the document, but it also shows the equivalent in hexadecimal, which is a nice addition. The status window only shows what is absolutely necessary and doesn’t overwhelm the user with too many statistics. Our only objection to the program is that it only accepts WordPerfect files and doesn’t convert other documents for the user. However, this really isn’t an issue with the tool, as its purpose is only to decipher WordPerfect files.

We would rank this tool a 1. The tool does everything as promised and is extremely simple and user-friendly. It works very fast and efficiently and can be navigated without any knowledge of the tool or password recovery in general.

Elcomsoft eXplorer for WhatsApp

After using the Elcomsoft eXplorer for WhatsApp, we would rank this tool a 3, or novice. The tool gives multiple ways to access the WhatsApp account for Apple and Android users. Depending on the device, the user needs some knowledge of the device and the best way to download the accounts. For the Elcomsoft eXplorer for WhatsApp, we used the iTunes backup. We have found this to be the most useful way to access the information for the tools involving Apple. In the tool, we clicked on the Apple icon and pressed the option to load the iTunes/iCloud backup. We clicked on the iPhone 8 device and entered the password for the encrypted backup. It took about thirty-two seconds to download, but it can vary due to the size of the download.

The interface of Elcomsoft eXplorer for WhatsApp

The main interface is very user-friendly and the main purpose of the tool is easily conveyed. Our team found our way around the tool with the basic knowledge we learned from the videos on Elcomsoft’s website. The built-in viewer gives great information that is easy to follow. It shows the account’s phone number and when the account was created. It also includes information about the device, product type, full user name, client version, and the size of the information used on the account. The tool gives access to WhatsApp calls, contacts, media, and messages and we could easily search for information with the filtering application. If there are questions, there is a help button with clear instructions that are easy to follow.

Advanced Office Password Breaker

We found Advanced Office Password Breaker to be an efficient and useful tool, and we would recommend it to certain users. Upon opening the tool, the user will be greeted with a simple design. This includes a way to select the encrypted file the user wishes to crack, an area allowing the user to choose where the information about the process is saved after it completes, and a box that tells the user the remaining time. In order to understand the entirety of the interface as well as all the features of the application, a user will have to read through the available manual and spend some time getting to know it better.

The interface of Advanced Office Password Breaker

Documents with different passwords were tested in this tool. These passwords ranged in complexity from six lowercase characters all the way to eighteen characters with uppercase characters, numbers, and symbols. The tool was able to break into all the documents regardless of the password. It should be noted that the longer and more complex the password, the longer the tests took. On the upside, the program does notify the user of the estimated time remaining, which is a nice feature.

After this program had been put through its tests, we decided to give it a score of 5. The tool is very useful and by all means delivers all the features it promises in the description. However, it does require a fair amount of experience to use it to its full capability. This can be achieved by reading through the manual or by trial-and-error testing in the program. Whatever the case, this program will need a user who knows what they are doing to operate the tool and understand everything on the interface.

Elcomsoft Password Digger

After using the Elcomsoft Password Digger, we would rate this a 3, or novice. Our team had a basic understanding of the tool and learned more as we used it. In order to extract the passwords from Mac OS X, we had to gain access to the user keychain file of the computer. To test this tool, we had access to a Mac computer and copied the keychain file onto a USB. Along with access to the file, we needed the password to the computer. Next, we extracted the user keychain file. It had twenty user keychains, no decryption results, and processed twenty passcodes. We exported the passwords to an XML file. Our team decided where we would save the document and then pressed new task. The XML file opened in Internet Explorer and we could access the passwords.

Keychain extraction of the encrypted XML file with important information blocked off

The Password Digger’s main interface is very straightforward. The tool meets all the requirements and provides information on how to use it if needed. Elcomsoft Password Digger was able to extract, decrypt, and export the content of the keychains. The file created can be used to build a custom dictionary attack with the user’s real passwords to improve password recovery attacks. The tool was also able to export full keychain data into an encrypted XML file.

Elcomsoft Phone Breaker

One obstacle that our team came across was using the Elcomsoft Phone Breaker. Unfortunately, we could not rate this tool since we could not evaluate its use. The issue we ran into was the iCloud backups had been temporarily disabled. The tool is able to sign in to the iCloud account, but cannot download the information into the tool. Elcomsoft explains that:

“Apple is instantly improving access and download protocols for backups. Our research and development teams do their best to fix this problem as soon as possible. Please ensure that you have the latest version of Elcomsoft Phone Breaker and feel free to contact our support team if you have any questions.”

The interface of Elcomsoft Phone Breaker

With the access that we do have to the tool, the interface is easy to understand. There are two tabs: the Password Recovery Wizard and Tools. The tool is designed to break passwords and decrypt iOS backups, decrypt iCloud Keychain and Messages with media files and documents from iCloud, obtain synchronized data from Apple and Microsoft accounts, and download iCloud backups and synced data with or without Apple ID passwords. Testing the iCloud backup is where our issue occurred. When working properly, this tool is great when used with Elcomsoft’s other password recovery tools.

Conclusion

Our team learned a lot about Elcomsoft’s tools from our evaluation. Each tool has its own unique functions that can help users in many ways. So far, these tools are user-friendly and meet the requirements set forth by Elcomsoft. Our team had a basic understanding of how to use these tools, which made evaluating them much easier. For the future, our team will continue to evaluate the Advanced Archive Password Recovery, Advanced PDF Password Recovery, Distributed Password Recovery, Elcomsoft Cloud eXplorer, Elcomsoft Internet Password Breaker, Proactive System Password Recovery, and Elcomsoft System Recovery. We will continue to produce comprehensive results for the LCDI and Elcomsoft.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our evaluations!

The post Elcomsoft Tool Evaluation Blog 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized. Tagged With: Blog Post, Champforensics, Champlain College, Digital forensics, Elcomsoft, LCDI, password recovery, Tool Evaluation, tools

February 20, 2019 by LCDI

Elcomsoft Tool Evaluation Blog 1

Welcome to Our Blog

Welcome to the blog of the Elcomsoft Tool Evaluation Team! This semester, the LCDI has the honor of exploring and investigating the different tools Elcomsoft has to offer. Established in 1990, Elcomsoft is headquartered in Moscow, Russia and they focus on creating forensic toolkits for law enforcement, businesses, and individual users alike. These tools are vital in retrieving the contents of damaged or misplaced files. Elcomsoft’s tools are always under development so they stay up to date with modern technology.

The tools our team gets to work with are all part of the Password Recovery Bundle. This comes with twenty-eight different tools, which we’ll test over the course of the semester. These tools can recover passwords from programs ranging from Microsoft Office all the way to Facebook and BlackBerrys. In other words, the main focus of the computer security programs is on password and system recovery software. The company offers a range of mobile and computer forensics tools, corporate security solutions, and tools for IT security audits.

Why Evaluate Elcomsoft?

Above all, we at the LCDI pride ourselves on creating credible evaluations and educational resources surrounding digital investigations. Our hope for this project is to provide an accurate and definitive assessment for the Elcomsoft tools we test that anyone can use. In terms of the field of digital forensics, it’s important investigators fully understand the capabilities and limitations of the tools they use. For instance, it can be difficult to look through a bunch of information and not know what’s important to look at. Knowing how effective a tool can be makes it easier for the user to implement said tool for practical use. This project will help to show if the tool can be user friendly depending on the level of knowledge someone may have.

Our Evaluation Process

Office tools we will be looking at: Advanced Lotus Password Recovery, Advanced Office Password Breaker, Advanced Office Password Recovery, Advanced WordPerfect Office Password

Phone tools we will be looking at: Elcomsoft Phone Breaker, Phone Viewer, Password Digger, eXplorer for WhatsApp

So far, our team has spent two weeks researching the different tools we have access to. Each tool has benefits and features that make it unique. Fortunately for us, we were able to find videos on the Elcomsoft website that show how the tools operate. With all this information, our team can start testing and evaluating the tools.

In order to stay organized, we created a spreadsheet with all the tools listed and split them up into categories. This will make it easier for each of us to work on specific tools. Before we start evaluating, there will be a list of what the tool should be able to do. Once testing is completed, we’ll write an evaluation of how well the tool performed the tasks and its user-friendliness. After that, we’ll give scores based on the above criteria on a scale of 1-10 (10 being the most functional/user friendly and 1 being the least functional/user friendly). Readers can see our evaluations and decide for themselves if they should search for other options.

Conclusion

Ultimately, our goal is to examine tools from Elcomsoft, a renowned software company specializing in utility applications for businesses and users as well as Windows productivity. We’ll test the tools and score them based on two criteria: functionality and user-friendliness. We’ll test a couple of tools and report on them in our next blog. This will include our scores and evaluations for the tools we’ve tested as well as any updates. We are eager to get started on this process and produce comprehensive results for the LCDI and Elcomsoft. Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our progress!

The post Elcomsoft Tool Evaluation Blog 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized. Tagged With: Blog Post, Champlain College, Digital forensics, Elcomsoft, LCDI, password recovery, Tool Evaluation, tools
