Friday, March 27, 2009

WinRAR

WinRAR is often used to protect information by compressing and encrypting various files. Since January 2002, WinRAR offers Advanced Encryption Standard [(AES) 128 bits] and it takes a considerable amount of time to decrypt/crack WinRAR files created with WinRAR version 3 and later. Usual techniques are to use Dictionary or Brute force attack utilising tools like AccessData PRTK/DNA or Elcomsoft ARPR (Advanced RAR Password Recovery) or AAPR (Advanced Archive Password Recovery). Even with Tableau Hardware Accelerator it is going to take considerable time to get in. Using FTK imported wordlists may significantly reduce the time of dictionary attack. The wordlist can be used by Elcomsoft password crackers and with PRTK/DNA it is possible to generate a custom dictionary from that list.

I found Elcomsoft ARPR to be much faster performing brute force (approximately 110 pwd/sec compared to PRTK 45 pwd/sec) and only around 21 pwd/sec for dictionary attack (one dual core PC). There is no Elcomsoft DNA (Distributed Network Attack) software available for archive cracking. From my experience, for brute force algorithm to find 4 printable characters passwords with the speed of 110 pwd/sec would take about a week to complete and more than a year for 5 printable characters passwords. PRTK is much slower then Elcomsoft at brute forcing and DNA should be used instead. I found that DNA dictionary attack with around 10 workers (computers) produced a speed of around 500 pwd/sec, which is about three times slower than using the Tableau TACC1441 Hardware Accelerator.

When performing a live analysis, the memory (RAM) dump may produce some valuable information, so it is worth getting the RAM dump even just to get WinRAR passwords stored in memory. I've had some success in getting the passwords from both the RAM dump and hiberfil.sys files by obtaining a word list and using it in the dictionary attack.

There are various tools available to decompress hiberfil.sys file and there are plenty resources discussing the procedure. X-Ways forensics offers the easiest way to decompress hiberfil.sys, and it handles well the fragments. It looks for \x81\x81 xpress chunks and starts decompression from that point. In fact, X-Ways Forensics will have the Edit Convert option greyed out, so the file needs to be opened in an editable mode. Usually I copy hiberfil.sys file somewhere on my desktop and use WinHex that comes with X-Ways Forensics to decompress it.


If no 'Encrypt Filenames' option is used, the filename in the encrypted WinRAR archive can be viewed in clear text. WinRAR also computes and stores CRC-32 values of the archived files and when the files are extracted, WinRAR computes the CRC of the extracted content and compares them with the CRC in the archive.

Where dictionary and brute force attacks failed, CRC can be used to search for uncompressed and unencrypted files on the hard drive that have the same CRC-32 value as encrypted files inside WinRAR archives. X-Ways Forensics is quite suitable for this task. All that is required is to Refine Volume Snapshot and change Computer Hash option to CRC-32.

CRC-32 generates a 32-bit checksum. It's important to note that the purpose of the CRC algorithm is to detect single bit errors during data transmissions and it is not designed to be collision free. Additionally, in theory a bad guy can deliberately generate two files with the same CRC-32 checksum without a problem, but in practise there are far more effective anti-forensic methods.

No comments: