Passware Kit Forensic 2021

Quick Start Guide

This guide covers:

• Detecting encrypted files and containers

• Recovering a file password
• Using the Dictionary Manager tool
• Customizing password recovery settings
• Extracting passwords from a memory image
• Decrypting a Keychain
• Decrypting a VeraCrypt container

Last updated: April 2021

© Copyright 1998-2021 Passware Inc.

1
Before You Begin
To get started with this guide, please follow the steps below:

1. Install Passware Kit Forensic 2021

Passware customers can download the software from Passware Account. If you do not own a
Passware Kit license yet, please download Passware Kit Forensic Demo and review the list of
limitations below.

2. Check for updates

Select “Check for Updates…” from the Help menu or download the latest version from Passware
Account.

3. Get sample files

Download files.

Passware Kit Forensic Demo version limitations:

• Recovers either the first 3 letters of passwords or passwords containing no more than 3 characters
• Allows each of the attacks to run for up to 1 minute
• 64 MB limitation for VeraCrypt volume size

Passware Tip: Contact Sales Team to get a fully functional time-limited evaluation version of Passware Kit
Forensic (available to Law Enforcement only).

System Requirements

PC platforms: Microsoft Windows Vista, Server 2003/2008/2012/2016/2019, or Windows 7/8.x/10 (64-bit only).
macOS: Mojave, Catalina, Big Sur.

• 1 GHz processor (2.4 GHz recommended)

• 1 GB of RAM (4 GB recommended)
• 1 GB of free hard disk space (more if you use custom dictionaries). For hardware acceleration on some strong file types, it
is recommended to have 2 x (RAM + GPUs RAM) of free disk space for paging file.

GPU: GPU (Graphics Processing Unit) cards allow users to accelerate password recovery by up to 400 times compared
to CPU-only systems. Passware Kit supports almost all types of NVIDIA (GTX, Tesla) and AMD GPUs.
Follow the link to get more information on hardware system and GPU recommendations.

Passware Tip: Passware Kit for Mac is a beta version. This beta is available for free to all Passware Kit Forensic
customers with an active SMS subscription.

2
Contents
Task 1: Detecting encrypted files and containers 4-5

Task 2: Recovering a file password 6-7

Task 3: Using the Dictionary Manager tool 8-13

Task 4: Customizing password recovery settings 14-19

Task 5: Extracting passwords from a memory image 20-21

Task 6: Decrypting a Keychain 22-23

Task 7: Decrypting a VeraCrypt container 24-26

3
 Task 1: Detecting encrypted files and containers

Task 1
Detecting encrypted files and containers

1. On the Start page, click Find

Encrypted Files:

2. Enable the checkbox Scan

for encrypted containers
and disk images, click
Browse and select the folder
1-DetectingEncryptedFiles to
scan:

Click Scan.

4
 Task 1: Detecting encrypted files and containers

3. Passware Kit lists the

encrypted files along with the
detailed information about
them, such as Recovery
Complexity, Protection Flags,
Date Modified, etc. Click
Recovery Complexity to sort the
files by the encryption strength.

Passware Tip: Do not lose the results of the search. Use the Save Files List option to save the list of found encrypted
items into Passware Job File (*.pwjf). To load the list back, choose JOBS in the right panel on the Start Page. Click
Open Job and browse for the saved Passware Job File.

4. Optionally: Select the

files (use Ctrl-click to select
dedicated files or Shift-click
to select multiple items at
once) that you want to decrypt,
starting from files with Instant
Unprotection complexity
and moving on to files with
stronger encryption, such as
archives or containers. Click
Recover Passwords to proceed
with password recovery and
decryption in batch mode.

Passware Tip: Check out 5 Tips for Discovering and Analyzing Encrypted Electronic Evidence.

5
 Task 2: Recovering a file password

Task 2
Recovering a file password

1. On the Start page, click

Recover File Password:

2. Browse for the file

[Link] from the
2-RecoveringFilePassword
folder and click Open.

3. Choose Use Predefined

Settings:

6
 Task 2: Recovering a file password

4. Passware Kit applies its built-

in English dictionary to the file
and recovers the password:

Passware Tip: Passware Kit provides comprehensive details on the recovery process. Check out all available tabs:
Files, Resources, Performance, Attacks, and Log.

7
 Task 3: Using the Dictionary Manager tool

Task 3
Using the Dictionary Manager tool
Dictionary Manager is a built-in tool for managing dictionaries and wordlists used by the Dictionary attack. The
password for the file [Link] is a capital name. To recover this type of password, use the list of capitals as a
custom dictionary file ([Link] from the 3-UsingDictionaryManager folder).

Such a list could be created manually as a text file or downloaded from wordlist resources. Learn more about
dictionaries from Passware Knowledge Base.

Passware Tip: All Passware Kit Forensic customers have access to a selection of proprietary Passware dictionaries
available at Passware Account on the “Free Dictionaries” tab.

1. On the Start page, click Tools

and select Dictionary Manager:

8
 Task 3: Using the Dictionary Manager tool

2. In the Dictionary Manager

window, click Add Dictionary
and choose Compile from File….
Locate the file [Link] (a
custom list of capitals, which
is supposed to be used as a
dictionary) and click Next.

Click Compile to proceed:

Passware Tip: Use the Keep the original order of words option to import password lists sorted by the frequency of
use and length, not alphabetically.

3. Passware Kit compiles the

text file into a dictionary named
[Link].

Click Done.

9
 Task 3: Using the Dictionary Manager tool

4. On the Start page, click

Recover File Password:

5. Locate the file

[Link] from the
3-UsingDictionaryManager
folder and click Open.

6. Click Customize Settings:

10
 Task 3: Using the Dictionary Manager tool

7. Passware Kit displays

the settings of the default
password recovery attacks.
Click All to clear the list and
start with your own settings:

8. Click +:

11
 Task 3: Using the Dictionary Manager tool

9. In the New Dictionary

Attack settings, choose
[Link] from the
Dictionary pull-down menu:

Click Add Attack.

10. Click Recover to proceed

with the custom settings:

12
 Task 3: Using the Dictionary Manager tool

11. Passware Kit recovers the

password for the file using the
custom dictionary:

13
 Task 4: Customizing password recovery settings

Task 4
Customizing password recovery settings
If a pattern for a password is known, it can be specified in Passware Kit settings. For example, the password for the
file [Link] is a city name followed by a year, i.e. “London2015”, “Amsterdam2000”, etc. To recover this
type of password, use a custom dictionary file from Task 3.

1. On the Start page, click

Recover File Password:

2. Select the
[Link] file from
the 4-CustomizingSettings
folder and click Open.

Click Customize Settings:

14
 Task 4: Customizing password recovery settings

3. Passware Kit displays

the settings of the default
password recovery attacks.
Click All to clear the list and
start with your own settings:

4. Click +:

15
 Task 4: Customizing password recovery settings

5. To specify the pattern city

+ year, click Join Attacks. You
will need to join a Dictionary
(city names) attack and a
Brute-force attack (numbers)
together. Specify the overall
range of password Length,
if known. In this example,
the length is from 5 to 10
characters.

Click Add Attack:

6. Click + and choose a

Dictionary attack:

16
 Task 4: Customizing password recovery settings

7. From the Dictionary pull-

down menu, choose capitals-
[Link], which was
previously compiled in Task 3.

Click Add Attack:

8. Click + and choose a Brute-

force attack:

17
 Task 4: Customizing password recovery settings

9. In the Brute-force Attack

settings, specify the length of
the password part: For a year
number, Length should be set
from 4 to 4 characters. Specify
the Symbol Set: enable the
checkbox Numbers and disable
all other checkboxes. In the
Advanced Settings section,
specify the Pattern of the
password part: If it is a year
of the current century, set the
pattern to 20* (the password
part will look like 2000, 2001, …,
2099).

Click Add Attack:

10. In the Join Attacks settings,

click the Sample passwords link
to see the passwords that are
generated by the attack (a city
name followed by a year):

Click Save Attack.

18
 Task 4: Customizing password recovery settings

11. Click Recover to proceed

with the custom settings:

12. Passware Kit recovers the

password for the file using the
custom settings:

Passware Tip: Follow the link for more information about Passware Kit password recovery settings to configure
password candidates.

19
 Task 5: Extracting passwords from a memory image

Task 5
Extracting passwords from a memory image

1. On the Start page, click

Memory Analysis:

2. Click Browse… and locate the

[Link] file from the
5-ExtractingPasswordsFrom-
MemoryImage folder. Click
Open.

3. Enable checkboxes Mac User

and Websites.

Click Next:

20
 Task 5: Extracting passwords from a memory image

4. Passware Kit extracts

passwords for Mac users,
as well as the list of open
websites along with their login
credentials:

Passware Tip: Check out 3 Steps to Acquire Memory and Bypass Encryption.

21
 Task 6: Decrypting a Keychain

Task 6
Decrypting a Keychain
By default, a Keychain password is the same as a Mac user password. Passware Kit leverages this feature to
recover Keychain passwords with a Previous Passwords attack, which includes previously recovered passwords for
Mac users (in Task 5). The previously recovered passwords are added automatically to the “Previous Passwords”
dictionary to be reused for subsequent files.

1. On the Start page, click

Recover File Password:

22
 Task 6: Decrypting a Keychain

2. Locate the
[Link] file from the
6-DecryptingKeychain folder
and click Open.

3. Click Use Predefined

Settings:

Passware Tip: The [Link] file is located at “~/<User>/Library/Keychains/” by default.

4. Passware Kit runs default

password recovery attacks,
which include a Previous
Passwords attack. The File-
Open password is recovered
in seconds and Passware Kit
extracts all the login credentials
and other data from the
Keychain. It saves the records
to a separate folder:

23
 Task 7: Decrypting a VeraCrypt container

Task 7
Decrypting a VeraCrypt container

1. On the Start page, click Full

Disk Encryption:

2. Choose VeraCrypt.

3. Click the I have a memory

image tab:

24
 Task 7: Decrypting a VeraCrypt container

3. In the Encrypted VeraCrypt

volume image file field, click
Browse…, set All files (*.*) from
the pull-down menu of the File
name field, and locate file [Link]
from the 7-DecryptingVera-
CryptContainer folder:

The decrypted volume image

will be saved in the Destination
folder location.

4. In the Physical memory

image file field, click Browse…
and locate the [Link]
file.

Click Decrypt:

25
 Task 7: Decrypting a VeraCrypt container

5. Passware Kit extracts the

VeraCrypt volume encryption
key and uses it to decrypt the
volume:

It also displays the encryption

algorithm used to protect the
container.

Passware Tip: More related articles Tips for Efficient TrueCrypt/VeraCrypt Decryption and
BitLocker Decryption Explained from our blog.

26
 Congratulations!

You have successfully

completed all the tasks!
Enroll on Passware Certified Examiner (PCE) Training
now to become a certified decryption expert.

Questions?
Contact us for assistance.

27