<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><atom:link rel="hub" href="http://tumblr.superfeedr.com/" xmlns:atom="http://www.w3.org/2005/Atom"/><description>This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API).
Written by: Elie Bursztein, Jean-Michel Picod</description><title>DPAPIck</title><generator>Tumblr (3.0; @dpapick)</generator><link>http://dpapick.com/</link><item><title>Let's talk about roadmap</title><description>&lt;p&gt;I recently discovered that Bitbucket is not duplicating the issue tracker while forking a repository. Thus you don’t have any visibility on what’s going on for DPAPIck and that’s why I’m writing this post.&lt;/p&gt;
&lt;p&gt;So, as far as we are going, this is why we planned to release for version 0.3:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;EFS Certificate recovery&lt;/li&gt;
&lt;li&gt;Inline documentation&lt;/li&gt;
&lt;li&gt;bin tools rewriting to keep only one binary and link it to the probes (usage should be similar to volatility for those who are familiar)&lt;/li&gt;
&lt;li&gt;Okteta support but low priority for this one…&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;Inline documentation is already done, EFS private decryption is done too but we need to add a PKCS#12 export function to keep the certificate with its private key and make it easy to work on EFS from Linux.&lt;/p&gt;
&lt;p&gt;The bin tools rewriting is stale for the moment as I need to focus on another project. But as soon as I have time to go back on DPAPIck, I will finish this part and release a new version. Okteta support may be for a further version.&lt;/p&gt;
&lt;p&gt;If you have any suggestion, any wish-list to add to our roadmap, feel free to leave a comment! This blog is here for that kind of stuff too :-)&lt;/p&gt;</description><link>http://dpapick.com/post/12234875819</link><guid>http://dpapick.com/post/12234875819</guid><pubDate>Wed, 02 Nov 2011 04:28:19 -0400</pubDate></item><item><title>Maybe I just don't know or understand enough about this tool. Where is the MasterKey or Credhist stored in Windows?</title><description>&lt;p&gt;Don’t worry, there is no stupid question :)&lt;/p&gt;
&lt;p&gt;You have a masterkey directory and one CREDHIST file per user account. For each user account, they are both located under Application Data\Microsoft\Protect (for XP) or AppData\Roaming\Microsoft\Protect (Vista &amp; Seven). The SYSTEM account also has masterkeys (but no CREDHIST), located under Windows\System32\Microsoft\Protect.&lt;/p&gt;
&lt;p&gt;Be aware that they are hidden system files, so they are not displayed by default on Windows (this can be configured in Explorer).&lt;/p&gt;</description><link>http://dpapick.com/post/10002407127</link><guid>http://dpapick.com/post/10002407127</guid><pubDate>Fri, 09 Sep 2011 15:17:12 -0400</pubDate></item><item><title>It's out !!!</title><description>&lt;p&gt;As promised, today we are releasing the source code of DPAPIck v0.2!&lt;/p&gt;
&lt;p&gt;The project is hosted at Bitbucket and you can freely check it out to play with it.&lt;/p&gt;
&lt;p&gt;You can also report bugs/issues on the tracker and see part of the roadmap for our tool.&lt;/p&gt;
&lt;p&gt;A wiki will also be put online as soon as we take time to write documentation.&lt;/p&gt;
&lt;p&gt;But no more waiting, here is the URL to have a look at DPAPIck: &lt;a href="http://bitbucket.org/jmichel/dpapick"&gt;http://bitbucket.org/jmichel/dpapick&lt;/a&gt;&lt;/p&gt;</description><link>http://dpapick.com/post/8428274745</link><guid>http://dpapick.com/post/8428274745</guid><pubDate>Wed, 03 Aug 2011 10:32:00 -0400</pubDate><category>BlackHat</category><category>Release</category></item><item><title>D-6 ?</title><description>&lt;p&gt;Next week, DPAPIck will finally become the first open-source tool (GPLv3 licence) able to deal with DPAPI structures, as well as the first tool that can do so from an operating system other than Microsoft’s!&lt;/p&gt;
&lt;p&gt;It has been entirely re-written in Python and only requires OpenSSL for decryption to be fully cross-platform. It comes along with several applicative probes that embed the decryption logic specific to each application that uses DPAPI (e.g. Google Talk, Skype, wireless keys, Internet Explorer, etc.).&lt;/p&gt;
&lt;p&gt;And we are not releasing DPAPIck v0.2 alone! It comes along with other surprises that we will let you discover in August :-)&lt;/p&gt;
&lt;p&gt;Until the public release, you will be able to meet us, for the lucky ones who are attending BlackHat USA 2011 or DefCon 19. And if you are attending BlackHat, do not forget to go and see our presentation of OWADE, our new advanced forensic tool!&lt;/p&gt;</description><link>http://dpapick.com/post/8185721656</link><guid>http://dpapick.com/post/8185721656</guid><pubDate>Thu, 28 Jul 2011 17:21:58 -0400</pubDate><category>DPAPI</category><category>BlackHat</category><category>python</category><category>OWADE</category></item><item><title>No, we're not dead !</title><description>&lt;p&gt;For the French-speaking population interested in DPAPI, we have written an article that will be published in the French magazine &lt;a href="http://www.ed-diamond.com/index_misc.php"&gt;MISC&lt;/a&gt; in its issue 56 (July/August).&lt;/p&gt;
&lt;p&gt;It revisits the analysis of the structures that we published at BlackHat DC 2010, including a few corrections and some of our progress. Python script snippets for decrypting the structures are also provided in the article.&lt;/p&gt;
&lt;p&gt;We are continuing our work on the subject, and DPAPIck has been entirely rewritten in Python to make development and testing easier. This version should soon be made available to the community.&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;For non-French people, the above paragraphs say that we are about to publish an article about DPAPI in a French magazine that includes code snippets in Python to decrypt the structures we talked about at BlackHat DC 2010.&lt;/p&gt;
&lt;p&gt;We are still working on that subject and our tool, DPAPIck, has been entirely rewritten in Python to help us add new features more easily. This new version may soon be made available to the community. Stay tuned!&lt;/p&gt;</description><link>http://dpapick.com/post/5728989841</link><guid>http://dpapick.com/post/5728989841</guid><pubDate>Sun, 22 May 2011 08:00:00 -0400</pubDate><category>publication</category><category>magazine</category><category>python</category><category>DPAPI</category></item><item><title>Presented @BlackHat dc+2010</title><description>&lt;a href="http://www.blackhat.com/html/dc2010/dc2010-home.html"&gt;Presented @BlackHat dc+2010&lt;/a&gt;: &lt;p&gt;Our tool was presented during the &lt;a title="BlackHat dc+2010" target="_blank" href="http://www.blackhat.com/html/dc2010/dc2010-home.html"&gt;BlackHat dc+2010&lt;/a&gt;&lt;/p&gt;</description><link>http://dpapick.com/post/5576502435</link><guid>http://dpapick.com/post/5576502435</guid><pubDate>Tue, 17 May 2011 10:37:00 -0400</pubDate><category>BlackHat</category></item><item><title>What is DPAPIck?</title><description>&lt;p&gt;&lt;span&gt;This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API).&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;
&lt;p&gt;A non-exhaustive list of those recoverable secrets is:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;EFS certificates&lt;/li&gt;
&lt;li&gt;MSN Messenger credentials&lt;/li&gt;
&lt;li&gt;Internet Explorer form passwords&lt;/li&gt;
&lt;li&gt;Outlook passwords&lt;/li&gt;
&lt;li&gt;Google Talk credentials&lt;/li&gt;
&lt;li&gt;Google Chrome form passwords&lt;/li&gt;
&lt;li&gt;Wireless network keys (WEP key and WPA-PMK)&lt;/li&gt;
&lt;li&gt;Skype credentials&lt;/li&gt;
&lt;li&gt;…&lt;/li&gt;
&lt;/ul&gt;&lt;/span&gt;&lt;/p&gt;</description><link>http://dpapick.com/post/5576215468</link><guid>http://dpapick.com/post/5576215468</guid><pubDate>Tue, 17 May 2011 10:19:25 -0400</pubDate><category>Presentation</category></item></channel></rss>

