Computer users must commonly provide a user ID to log on to a system. The user ID identifies the specific user and tells the security subsystem what permissions to grant to the user. Unfortunately, some computer users are disingenuous and will provide another person's user ID. By doing so, the new user can perform actions that will be traced back to the user ID owner's account.
A string of characters that identifies a user in a computing environment.
Fred is an enterprising university student who enjoys testing the limits of his school's computer use policy. The policy clearly states that users can use only their own IDs to access the computer system. If Fred wants to create some mischief on the university's computer system, he could ignore the policy and use Mary's user ID to access the system. In effect, he could pretend to be Mary. With no controls in place to stop him, Fred could be quite mischievous and it would appear that Mary was the guilty party. A control would be anything that stands between Fred and Fred's unauthorized actions. Actually, there is one control to deter him. The university's computer use policy is an administrative control. Such controls dictate proper behavior and the penalty of noncompliance , but they do not stop unauthorized actions in Fred's case.
There is a simple solution. The user ID provides the identification of a user. Another piece of information, one that only the true user should know, provides the authentication that the user is who she says she is. The most common authentication item is the password . A user provides a user ID and the proper password. The security system validates that the password provided matches the user ID. If the two match, the user is authenticated and trusted.
A string of characters used to authenticate a user by comparing the provided value to a value that has previously been stored and is associated with a specific user ID. Passwords are routinely stored when an account is created or the password is changed.
During an investigation, investigators commonly need access to one or more computer accounts. When a suspect or other knowledgeable user is cooperating with the investigation, obtaining a user ID and password can be as easy as asking for it. Never forget to try the simple approach. Always ask for any passwords you need. When passwords are not readily available to you, you have three alternatives for acquiring them. You can:
Understand when and how to use each of these techniques. Although passwords are the most common user authentication technique, they can be quite unsecure. The next sections look at each password recovery technique and show you just how available some passwords can be.
By far the easiest way to obtain a password is to simply ask someone who knows the password to provide it to you. If asking nicely doesn't work, try social engineering. Try an approach that builds trust with a person who knows information you want. The person could be anyone who knows the password. You could call and pretend to be a member of the network administrator team. A simple statement like, 'Hi, this is Tom from network support. Your computer looks like it is sending out a virus to other computers. I need to log on to stop it. What is the user ID and password you used to log on this morning?' Far too many people would provide the requested information. As long as you have permission to conduct social engineering activities, you can proceed. As long as you abide by any applicable security policies, encouraging a suspect to give you the information you need is perfectly fine. Law enforcement officials are good at doing this. Ask them for help, especially if this is a criminal investigation.
If you cannot ask, or the person who knows the password is not cooperating, you can still use a simple approach. There are two basic types of passwords: those that are easy to remember and those that are hard to remember. With more people becoming aware of security issues, passwords tend to be more secure than in times past. Most people equate password complexity with security. That is, long, hard-to-remember passwords appear to be more secure than simple ones.
Longer passwords can be less secure than shorter ones. Passwords that expire frequently are less secure as well. The reason is that when a user must use a password that is too hard to remember, he will often write it down. The hassle of retrieving a lost password often encourages users to keep their own sticky notes with passwords written on them. When trying to create strong passwords, allow users to create ones they can remember.
Because a password is a string of characters that authenticates a user's identity, it is important that the user always have access to the password. The more complex a password is, the more likely it is that the user has it written down or otherwise recorded somewhere. Look around the computer for written notes. You will find sticky notes with passwords written on them in a surprisingly large percentage of the sites you investigate. Here is a list of common 'hiding places' for password notes:
On the monitor (front, sides, top, etc.)
Under the keyboard
In drawers (look under pencil holders and organizers)
Attached to the underside of drawers
Anywhere that is easily accessible from the seat in front of the computer but not readily visible
Personal digital assistants (PDAs)
Obvious files on the hard disk (such as passwords.txt )
Don't dismiss this important method of finding passwords. Few people trust their memories for important passwords. They are probably written down somewhere.
So, you've looked all around the physical hardware and desk but you still cannot find the password you are looking for. You still have other options to obtain passwords. In spite of all the common rules to create 'strong' passwords, the rules are routinely broken. If you are trying to guess a password, try the obvious ones. The more you know about the real user, the better chance you have of guessing the password. Try some of these ideas:
Social security number
Favorite team name or mascot
Common word or name from a hobby
Use this section as a lesson for creating your own passwords. Because so many people ignore password best practices, take it upon yourself to be unique. Take the time to create strong passwords and keep them secure.
Although guessing a password is possible, it is not very productive in most cases. Don't spend a lot of time guessing a password. Only try it if you have a pretty strong hunch that you'll be successful. I solved a password puzzle one time by piecing several pieces of information together. I found a note that read 'me 4 her -7.' I tried several combinations and hit on a password that consisted of the subject's initials, 'ajd,' and his wife's initials, 'rgd.' The password was 'ajd4rgd7. (In case you are wondering, this was not the actual password. The initials were changed to protect the innocent.)
Even though you might get lucky once in a while, really 'guessing' a password is not very common. It looks good in the movies, but it doesn't happen that often in the real world. Deduced passwords normally come from piecing several pieces of information together. For instance, when analyzing a subject's activity, keep track of visited websites and locally protected applications. You might find a cookie for a recently visited website that stores an unprotected password. Many people use the same passwords repeatedly, so if you find an unprotected password for one resource, try it in other areas.
As much as it violates good security practices and common sense, you'll find the same password often used to protect a secured server and to subscribe to a website's news services. If you can find a password, see if it is used elsewhere.
When you're poking around and guessing passwords, you might end up locking the resource you are attempting to access due to excessive failed logon attempts. Always make sure you have at least two copies of media. If you corrupt one copy, you can always make a new working copy from your second image. You never want to explain to the judge that you had to check out the original media from the evidence locker twice because you messed up the first copy.
Up to now, our password discussion has focused on ambiguous strategies. Finding, guessing, or deducing a password is more of an art than a science. It involves knowing your subject and knowing how people think. It might take a lot of homework, but it is fun and can yield that gold nugget that opens up the evidence you need.
The last method of obtaining a password is the most technical and complete. When you cannot find a password by any other means, you can try the process of password cracking . Cracking a password involves trying every possible password combination, or every combination in a defined subset, until you find the right one.
Attempting to discover a password by trying multiple options and continuing until a successful match is found.
Different utilities allow you to crack passwords online or offline. The utilities employ several different methods . Because older Unix systems stored encoded passwords in a single file, the /etc/passwd file, several utilities emerged that would try different combinations of password strings until they found a match for each line in the file. All you had to do was copy the /etc/passwd file to your own computer, launch the password cracker, and let it run.
This approach became so popular and dangerous that newer flavors of Unix go to great lengths to hide encoded passwords in another file, the /etc/shadow file, that has highly restricted access permissions. If you have access to a computer running Unix or Linux, look at the /etc/passwd file. The x character between two colons indicates that the actual password is stored in the shadow file. For example, here is what a line from the /etc/passwd file would look like if you are using password shadowing (notice the 'x' after the user name, msolomon):
Several contractors were working at a manufacturing plant in southern California. We were hired to fill various functions, including project management and application development. The project goal was to modify a manufacturing software package to meet the client's specific needs. One morning the company's system administrator noticed that his assigned IP address was in use when he booted his computer. After a couple comments under his breath , he rebooted again and found that the IP address was available. He took note of the people who were in the office that morning and started doing a little investigative work on his own to find out if anyone was using his IP address. He found that a particular contractor had installed a common password cracker in his home directory. A further look at the contractor's history file showed that he had been engaging in attempts to crack the system's password file.
The system administrator immediately removed the contractor's access and had him terminated that very morning. The company's policy regarding appropriate use of computing systems forbade any use of password-cracking software and provided the grounds for immediate termination.
Take a look at some of these password-cracking utilities for more details on how they work (an Internet search for these utilities can provide up-to-date URLs):
Jack the Ripper
Anytime you find passwords stored in a file or database, you can use offline password-cracking techniques. If you cannot find the password repository or do not have access to it (it might reside on another system), you will need to try online password cracking. Online password cracking is much slower and may fail for more reasons that offline cracking. An online password-cracking utility attempts to pass logon credentials to a target system until it finds a successful user ID/password pair. The number of attempts that are necessary to find a password is the same as an offline cracking utility, but the act of passing the logon credentials to another process requires substantially more time. If the target computer is remote to the client password-cracking utility, network propagation further slows the process and adds to the possibility of failure.
Regardless of the type of utility you decide to use, there are three basic approaches, or 'attack types,' that password-crack utilities employ.
Never attempt to crack passwords unless you have specific, written authority to do so. The person or organization who owns the computer system can provide the necessary permission. Without written permission, you may be at risk of substantial civil and criminal penalties. Ensure that your permission is in writing, has been granted by someone with the authority to do so, and is specific as to what you are allowed to do. The main reason to crack a password is to obtain evidence that is protected by that password. You can obtain permission to crack a password from the computer owner or a court. In cases where the computer owner is unwilling to provide the permission to crack a password, a court order will suffice.
A dictionary attack is the simplest and fastest attack. The cracking utility uses potential passwords from a predefined list of commonly used passwords. The list of passwords is called the password dictionary. The larger the dictionary, the higher the probability the utility will succeed. A little research on the Internet will yield several password dictionaries of common passwords.
An attack that tries different passwords defined in a list, or database, of password candidates.
The reason such an attack works so well lies in human nature. People tend to use common, easy-to-remember passwords. Look through a password dictionary to see if you are using any common passwords. If your password is in a password dictionary, your password is too weak and should be changed.
On the other end of the spectrum is the brute force attack . A brute force attack simply attempts every possible password combination until it finds a match. If the utility attempts to use every possible combination, it will eventually succeed. However, the amount of time required depends on the complexity of the password. The longer the password, the more time it will take to crack.
brute force attack
An attack that tries all possible password combinations until the correct password is found.
Brute force attacks should not be your primary method of cracking passwords for two reasons. First, brute force attacks are slow. They can take a substantial amount of time. If you do not know the length of the password, you will have to try many, many combinations that will not succeed.
Second, the location of the client, resource server, or authentication credentials (passwords) may be on different computers. If so, the brute force attack will generate a huge volume of network traffic. Excessive network traffic and multiple failed logon attempts may have a tangible impact on the network. Unless you can set up a copy of the suspect network in your lab, you may not be allowed to launch a brute force attack.
The final type of attack, the hybrid attack , combines the dictionary and brute force attacks. In a hybrid attack, the utility starts with a dictionary entry and tries various alternative combinations. For example, if the dictionary entry were 'lord,' the hybrid attack utility would look for these possible alternatives:
A modification of the dictionary attack that tries different permutations of each dictionary entry.
And many, many others. As you can see from this list, it is common to obscure passwords from dictionary words by replacing the letter 'l' with the digit '1,' or replacing the letter 'o' with the digit '0.' Don't do this. Even simple cracking utilities know this trick. Regardless of the type of utility you choose, there is a tool that can help you get the passwords you need to access evidence.
The next section addresses one of the methods of protecting data from disclosure-encryption.