Sunday, September 9, 2007

Locating passwords

I have been thinking about passwords - your passwords. I have your drive image, but cannot break your password with conventional methods.

At Defcon 15, I heard about this attack that is used by your favorite government agencies. The idea is this: you type your passwords in all the time and there is the possibility that they get written to swap, temp files, Dr. Watson logs, or the like. So, why not scan your entire drive to look for "password like" strings to build a dictionary?

It has been done on a smaller scale - it's an old trick to find good stuff in the memory dump logs, but I have also found passwords in logs, such as: Wrong password for user "secretStrongP@ssw0rd".

So, I started writing some Perl and C++ to process strings in images and deal with the encoding. Pretty interesting initial results when looking for passwords with a strong password and basic entropy filters on. I also did some searching and found a current project that has made some progress - Dicop-workerframe.


Good stuff, and definitely food for thought, dude. I'll post some of my work and results shortly.

-Dave

PS - Visit my forensic company, HCP Forensic Services. We are really starting to grow and have been very successful in getting the job right in the minimal amount of time. Are all contracts like that, though?
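
The scan described in this post, as an added example (not the author's Perl/C++ code): it pulls printable ASCII and UTF-16LE runs out of raw image bytes and keeps those that pass a strong-password rule and an entropy floor. The thresholds, function names and sample bytes are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Runs of 6-32 printable, non-space characters stored as 8-bit or UTF-16LE text.
ASCII_RUN = re.compile(rb"[\x21-\x7e]{6,32}")
UTF16_RUN = re.compile(rb"(?:[\x21-\x7e]\x00){6,32}")
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def shannon_entropy(s):
    """Bits per character, from the string's own character frequencies."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def looks_like_password(s, min_len=6, min_classes=3, min_entropy=3.0):
    """Strong-password rule (length, character classes) plus an entropy floor."""
    if len(s) < min_len:
        return False
    classes = sum(bool(re.search(p, s)) for p in CLASSES)
    return classes >= min_classes and shannon_entropy(s) >= min_entropy

def candidate_strings(image):
    """Yield each printable run, raw and with enclosing punctuation stripped."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(image)]
    runs += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(image)]
    for run in runs:
        yield run
        yield run.strip("\"'()[]<>.,;:")  # log lines often quote the value

def build_dictionary(image):
    """De-duplicated, sorted list of password-like strings found in the image."""
    return sorted({s for s in candidate_strings(image) if looks_like_password(s)})

# Constructed sample standing in for a slice of a drive image (not real data).
SAMPLE = (
    b"\x00\x13\xffWrong password for user \"secretStrongP@ssw0rd\".\r\n"
    b"\x90\x90aaaaaaaaaaaa\x00Aa1!Aa1!Aa1!\xff\xfe"
    + "Zx9#mKp2!qLw".encode("utf-16-le") + b"\x00\x00\xfe\x01"
)

if __name__ == "__main__":
    for word in build_dictionary(SAMPLE):
        print(word)
```

The repeated `Aa1!Aa1!Aa1!` run has all four character classes but only 2 bits of entropy per character, so the entropy floor rejects it where the character-class rule alone would not.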
