File Decryption & Distributed Password Recovery (Professional Edition Only)

OSForensics supports file decryption and password recovery for Microsoft Office documents (doc, docx, docm, xls, xlsx, xlsb, ppt, pps, pptx, pptm, ppsm), archive files (zip, rar) and PDF files. Starting in V9, the Professional Edition also supports distributed password recovery, with additional clients running on separate computers. A separate application included with the OSForensics installation, Password Recovery Client Manager (PWRecClientMgr.exe), can be started on additional machines to add their processing power to a job. Up to 1000 clients in total can be connected to work on a password protected file.



Setting up Distributed Password Recovery in OSForensics

  1. Within OSForensics, navigate to the Passwords module and select the Decryption & Password Recovery tab.
  2. Under Installed Dictionaries, enable the Random Passwords dictionary. If needed, edit the Random Dictionary to match the required password criteria.
  3. Under Work Queue List, click Add to add items to be decrypted.
  4. In the Add dialog, select a single file or a group of files to be added.
  5. Set any additional options, e.g. Use GPU (if supported) or Use Custom Dictionary Set (if unchecked, the job uses the Global Dictionary selection). Click OK to add the items to the work queue.
  6. To enable remote clients, click Options:
    1. Password decryption is compute intensive and can bog down the system. If the OSForensics computer will also be used for other tasks or for other OSForensics modules, lower the Number of local clients (the default is the number of cores detected on the computer).
    2. Check Allow Remote Clients to enable distributed password cracking and let remote clients connect to this machine. Important: once the cracking process has started, this option cannot be changed without restarting the whole job queue.
    3. (Optional) Change the default port that OSForensics listens on for incoming remote clients.
    4. Note: the Options dialog shows the first LAN IP address detected on the system. Depending on your VPN or other network settings, this may not be the address the remote clients should connect to.

  7. Click Start to begin decryption of the work queue. Once the process has started, remote clients can connect.

Setting up Distributed Password Recovery Clients on Additional Computers

The Password Recovery Client Manager (PWRecClientMgr.exe) is a standalone application that can be run on remote machines. On the OSForensics computer, it and the other required files (listed below) are located in the C:\ProgramData\PassMark\OSForensics\PasswordRecovery directory. Copy all of the required files, into a single directory, onto each computer that will take part in the decryption (e.g. the Desktop or C:\PWRecClientMgr). The Password Recovery Client Manager is then started by double-clicking PWRecClientMgr.exe on that computer.


Required Files/Directories:

  • PWRecClientMgr.exe
  • ext_cpu_client.exe
  • ext_gpu_client.exe
  • pthreadVC2.dll
  • GPUSupport.dll
  • test_dll (Entire directory)
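The following PowerShell script is an added example, not part of OSForensics: it stages the required files listed above on a set of worker computers and then verifies each copy against SHA-256 hashes of the originals, so a worker that silently lost test_dll or a DLL is caught before anyone clicks Connect. It assumes PowerShell Remoting (WinRM) is enabled on the workers, that you are an administrator on them, and that the worker hostnames and destination directory are placeholders to replace.

```powershell
# Added example (not OSForensics code): stage the Password Recovery Client
# files on worker machines and verify the copies against the source.
# Assumptions: WinRM enabled on each worker, you are an administrator there,
# and the hostnames below are placeholders.

$Source  = 'C:\ProgramData\PassMark\OSForensics\PasswordRecovery'
$Dest    = 'C:\PWRecClientMgr'          # any directory; all files must sit together
$Workers = @('worker01', 'worker02')    # hypothetical hostnames

# The file set documented above. test_dll is a directory and is copied whole.
$Required = @(
    'PWRecClientMgr.exe', 'ext_cpu_client.exe', 'ext_gpu_client.exe',
    'pthreadVC2.dll', 'GPUSupport.dll', 'test_dll'
)

# Fail early if the local OSForensics install is missing anything we need to ship.
$Missing = $Required | Where-Object { -not (Test-Path (Join-Path $Source $_)) }
if ($Missing) { throw "Missing in ${Source}: $($Missing -join ', ')" }

# Hash every file under the source tree so the copies can be verified later.
$SourceHashes = Get-ChildItem -Path $Source -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        Rel  = $_.FullName.Substring($Source.Length).TrimStart('\')
        Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

foreach ($Worker in $Workers) {
    $Session = New-PSSession -ComputerName $Worker
    try {
        # Create the destination directory on the worker.
        Invoke-Command -Session $Session -ScriptBlock {
            param($d) New-Item -ItemType Directory -Path $d -Force | Out-Null
        } -ArgumentList $Dest

        # Copy each required file or directory over the remoting session.
        foreach ($Item in $Required) {
            Copy-Item -Path (Join-Path $Source $Item) -Destination $Dest `
                      -ToSession $Session -Recurse -Force
        }

        # Re-hash on the worker and compare with the source hashes.
        $RemoteHashes = Invoke-Command -Session $Session -ScriptBlock {
            param($d)
            Get-ChildItem -Path $d -Recurse -File | ForEach-Object {
                [pscustomobject]@{
                    Rel  = $_.FullName.Substring($d.Length).TrimStart('\')
                    Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        } -ArgumentList $Dest

        $Bad = foreach ($s in $SourceHashes) {
            $r = $RemoteHashes | Where-Object Rel -eq $s.Rel
            if (-not $r -or $r.Hash -ne $s.Hash) { $s.Rel }
        }
        if ($Bad) { Write-Warning "${Worker}: mismatched or missing: $($Bad -join ', ')" }
        else      { Write-Host "${Worker}: $($SourceHashes.Count) files verified OK" }
    }
    finally { Remove-PSSession $Session }
}
```

Run it from the OSForensics computer. If remoting is not available, the same copy can be made over the administrative share (\\worker01\C$\PWRecClientMgr) and the hash comparison run by hand with Get-FileHash on both sides.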


Start the Password Recovery Client Manager by double-clicking PWRecClientMgr.exe, then:

  1. Set the number of clients to start on this machine (the default is the number of cores detected by the program). As noted above, password decryption is compute intensive; lower the number of clients if the computer will also be used for other tasks.
  2. Specify the IP address of the computer running OSForensics. If the computers are on the same network/subnet, the LAN IP can be used; otherwise specify the WAN IP and configure port forwarding on your router. (Optional) Change the port to the one OSForensics is listening on. Refer to your router's instructions or contact your IT department if assistance is required.
  3. Click Connect to start the clients. The clients appear in the list and display their status during the decryption process.

The remote clients will start connecting to OSForensics, and their connection can also be verified in OSForensics.

When a password is found, OSForensics plays a short audio notification and displays the password, as shown below.


Troubleshooting

Server is unable to start
The password recovery module in OSForensics works by starting a server module and several client modules (one for each client specified). TCP/IP connections are used for communication between the modules, so they can be blocked by firewall and internet security products (such as the Windows firewall, Kaspersky and AVG). If the server cannot be started, first try adding an exception for the server executable and its listening port to your antivirus/firewall product; disabling the product altogether while using the password recovery tools will also isolate the problem, but should be treated as a diagnostic step rather than the permanent configuration.


Windows Firewall
The Windows firewall may block the server application and display the alert below; allow ext_run_server.exe to communicate on "Private networks".


Remote clients are not connecting.
If the remote computer running PWRecClientMgr.exe is on a different network from OSForensics, you may need to configure your router to forward the traffic to the OSForensics computer. Log into your router and forward the assigned port to the OSForensics computer's internal IP address and port. Note that a port forward makes the listener reachable from any host on the Internet, not only your workers; where a VPN between the two networks is available, prefer it, and remove the forward once the job is finished.

(Note: your router's configuration page will differ from the one shown.)
On the computer running OSForensics, determine your WAN IP, e.g. using a What's My IP service.

On the remote computer running PWRecClientMgr.exe, set the IP address to the WAN IP obtained in the previous step.
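The PowerShell below is an added example, not part of OSForensics, covering both the Windows Firewall item and the remote-connection item above. Enable-PwRecServerRule runs as Administrator on the OSForensics computer and replaces "disable the firewall" with a single inbound rule scoped to the server executable, the listening port and the workers' subnet, then confirms something is actually listening on that port. Test-PwRecServer runs on a worker and checks TCP reachability of the server before Connect is clicked. The port is not fixed by this page, so it must be taken from the Options dialog; the worker subnet, the server address and the path to ext_run_server.exe are placeholders and must match your installation.

```powershell
# Added example (not OSForensics code). Assumptions: $Port is the port shown in
# the Options dialog, $WorkerSubnet/$Server are placeholders for your network,
# and the ext_run_server.exe path is hypothetical and must match the install.

function Enable-PwRecServerRule {
    # Run as Administrator on the OSForensics computer.
    param(
        [Parameter(Mandatory)] [int]    $Port,          # from the Options dialog
        [Parameter(Mandatory)] [string] $WorkerSubnet,  # e.g. '192.168.10.0/24' (placeholder)
        [string] $ServerExe = 'C:\Program Files\OSForensics\ext_run_server.exe'  # hypothetical
    )
    if ($Port -le 0 -or $Port -gt 65535) { throw "Invalid port $Port" }
    if (-not (Test-Path $ServerExe)) { throw "Server executable not found: $ServerExe" }

    # Remove any rule of the same name from a previous run so this is idempotent.
    Get-NetFirewallRule -DisplayName 'OSForensics Password Recovery' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Allow only this program, on this port, from the worker subnet, on the Private profile.
    New-NetFirewallRule -DisplayName 'OSForensics Password Recovery' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
        -Program $ServerExe -RemoteAddress $WorkerSubnet -Profile Private | Out-Null

    # Confirm the listener exists; it only appears after Start is clicked in OSForensics.
    $Listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $Listener) {
        Write-Warning "Nothing is listening on TCP $Port yet. Click Start in OSForensics first."
        return
    }
    $Proc = Get-Process -Id $Listener[0].OwningProcess
    Write-Host "TCP $Port is owned by $($Proc.ProcessName) (PID $($Proc.Id))"
}

function Test-PwRecServer {
    # Run on a worker before clicking Connect in PWRecClientMgr.exe.
    param(
        [Parameter(Mandatory)] [string] $Server,  # LAN IP, or WAN IP when port-forwarded
        [Parameter(Mandatory)] [int]    $Port
    )
    $Result = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    if ($Result.TcpTestSucceeded) {
        Write-Host "TCP $Port on $Server reachable; Connect should succeed."
    } else {
        Write-Warning ("TCP $Port on $Server unreachable: check that Start was clicked, " +
                       "that the port matches, and the firewall rule / port forward.")
    }
    return $Result.TcpTestSucceeded
}

# Usage (placeholders):
#   Enable-PwRecServerRule -Port <port from Options> -WorkerSubnet '192.168.10.0/24'
#   Test-PwRecServer -Server '192.168.10.5' -Port <port from Options>
```

If Test-PwRecServer fails from a worker on the same subnet, the rule, the port or the missing Start click is the cause; if it only fails from outside the network, the router port forward is what to inspect.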


No observable speed increase with additional clients and/or clients do not appear to be busy
There is a point of diminishing returns: the more powerful the computer running OSForensics, the more additional clients it can keep fed. If there is heavy activity (e.g. CPU, network) on the computer running OSForensics, it may not be able to keep up with the clients' requests. Beyond that point, adding clients will not increase speed and may have a negative effect, increasing the time remaining.


Video card/GPU not being used although the option is enabled.
GPU decryption is not currently supported for 40-bit encrypted files, and only applies when the Random Passwords dictionary is being used. Also note that not all GPUs are currently supported, e.g. older video cards or Intel GPUs.



For a tutorial on Distributed Password Cracking, see the video below.

Distributed Password Cracking: Download (right-click to download, MP4 format, 130MB)