Security

Password Forensic Kit 11.5 – Software Review

Passware Password Kit Forensic 11.5
Publisher: Passware, Inc.
Price: $995
Product Page

This month, I obtained a review copy of Passware’s “Passware Password Kit Forensic 11.5”. For brevity’s sake, I’ll refer to it as “Passware” for the rest of this review. Passware is a password recovery/cracking system which has the ability to work on multiple file types. The Forensic Kit version adds more features, such as cracking of filesystem passwords and resetting Windows user account passwords.

My test system was a 2.33GHz Intel Core2Duo with 4GB of RAM, running Windows 7 Professional (32-bit).

To evaluate the software, I attempted to crack passwords on several files, some of which I knew, others I did not, as I’d forgotten them. What better test could you ask for?

Recover File Passwords
My first test was a Quickbooks 2009 data file for one of my companies. I ran Passware, chose “recovery file password” from the start page, and browsed to my .QBW file. Passware took less than one second to remove the passwords of all of the accounts in the Quickbooks file, and created a copy in the same directory as the original, leaving the original file unmodified. I was successfully able to open the unprotected file normally and, indeed no password was required.

My next test case was to open some password-protected PDF document – my 2009 tax return which I’d obtained from an accounting firm that I no longer want to deal with. However, I need to access the file as part of a loan for which I am applying. What to do? Enter Passware. From the Start Page, I again chose “Recover File Password,” and browsed to the PDF. Passware automatically recognized a PDF document as the target and offered me a choice of running a wizard, using predefined settings, or an “advanced custom settings” option. I chose to use the wizard, which gave me a variety of choices to describe the password, such as “a dictionary word,” “more than one dictionary word,” “one of more dictionary words combined with letters, numbers, symbols,” “non-dictionary but similar to English” words, “other,” and finally, “I know nothing about the password.” To put Passware through its paces, I said I knew nothing about the password and clicked “Finish” to start the process. Passware launched a variety of attacks, including brute force. Passware was able to successfully brute force the relatively simple (all numeric) password in 4 minutes 37 seconds.

Recover Internet and Network Passwords
Next, I decided to try Passware’s ability to crack passwords in RDP (Remote Desktop Protocol) saved profiles. I pointed Passware at a saved .RDP file and, to my horror, my saved password was revealed to me on screen in under one second.

I also used Passware’s ability to recover website passwords. To do this, Passware scanned my Internet Explorer, Firefox, and Chrome passwords and was able to completely crack all of the saved passwords in each of these browsers in about 10 seconds.

When testing Passware’s ability to crack “Network Connections” passwords, for instance, VPN connections to remote networks, Passware failed in my single test case, erroneously reporting that no password was set on a connection when there indeed was one set.

Search for Protected Files

Another feature that would be quite useful for forensics work is the ability to scan a filesystem for protected files. This option digs through the specified drive or folder and, if it finds a file that is protected or encrypted, reveals that fact to you. My scan of my own home directory revealed several protected files, including Microsoft Outlook OST files, protected Microsoft Office documents and Quickbooks data files. Passware also listed many Adobe PDF files, even though they were not protected.

Analyze Memory and Hard Disk
This is advanced forensics stuff that most ordinary users will never even think about, let alone undertake on their own. Still, if you need to do forensics analysis on a Macintosh RAM or disk image, Passware now has this ability, as well as the ability to brute-force TrueCrypt-protected images, and analyze memory dumps for BitLocker keys.

After 42 minutes, Passware was able to successfully pull my Macintosh user password from an 8GB memory dump I pulled from my MacBook Pro.

Passware also has the ability to analyze Windows registry files that you’ve obtained from another system. However, it does not have the ability to analyze raw Windows memory dumps for miscellaneous info and passwords, such as you can do with AccessData’s FTK.

Miscellaneous Features
Passware allows you to launch multiple copies of the software at the same time. This is great, as the main app itself is apparently not written to allow it to work on multiple cracking processes at the same time. I found this useful, for instance, when my machine was busy cracking the PDF file, which took a relatively long time when compared to opening Quickbooks data files, which it could crack almost instantly. What I would do is start on the long processes and let them go in the background while I could then focus on easier cracking processes.

Passware is clever, and remembers previously-seen passwords and prioritizes them when trying subsequent attacks. For example, I was again horrified to see my Windows password, previously extracted from a saved RDP profile, show up as one of the passwords attempted to use to crack my MS Word document. It didn’t work, as I did not recycle the password, but it was still scary.

After I rebooted my computer for maintenance while in the middle of a filesystem crack attempt, Passware resumed normal operations when I re-opened the application. This is a must-have feature, as some brute force attacks can take weeks, months, or longer.

Passware has several other features which I did not have time to test in my evaluation, such as distributed password cracking, which allows multiple computers to work on cracking the same file simultaneously, and even includes an Amazon S3 acceleration feature, which allows you to stand up S3 virtual computers to really speed up the brute force attempts. Also part of Passware’s Swiss Army Knife product is the ability to create a boot disc that can be used to reset a Windows password, similar to a Linux tool I’ve used for this purpose for several years. However, since I did not have access to my Windows boot media while doing this review, I could not create the disc to test this feature. Passware can also crack Microsoft Outlook and Outlook Express passwords, which it did in my tests in a very short time.

Passware Inc.’s Passware Password Kit Forensic 11.5 retails for $995 and is available, along with several other recovery programs, at lostpassword.com.

Comments are closed.