Well, I have to admit that it’s been a long time since I wrote here.
A lot of people have complained over the past years that DPAPIck only supported Windows XP and Vista, and basically wanted to know whether one day we were going to support newer versions of Microsoft Windows.
Thanks to Francesco Picasso (@dfirfpi), this project now supports Windows versions from XP up to the latest Windows 8.1 (sorry, we haven’t tested it on Windows 10 yet). He did the work and sent me a patch that allowed DPAPIck to run against Windows 7 blobs, but it was also breaking XP support at the same time. So I took some extra time to give it a bit of polish and to improve a few things in how the tool processes data.
As a side note, I wish to say that DPAPIck is an open-source project that currently relies on the amount of spare time I can dedicate to it (and being involved in other projects, this amount will not magically increase). But contributions are more than welcome, just like Francesco’s.
So, let’s talk a bit about the changes/improvements that we made for the v0.3 release:
Well, we are already working with Francesco on DPAPIck v0.4, which is going to include other big changes that we weren’t able to finish for this release.
Here is a rough overview of what to expect for v0.4:
On a bigger picture (i.e. features that I want to be there for DPAPIck v1.0), we are probably going to:
Leveraging that, DPAPIck would be able to act as a migration tool to import data from computer A into computer B, even if they don’t share the same Windows version. Another scenario would be to re-encrypt all the masterkeys with the current password in order to clear the CREDHIST file.
Again, if you want to contribute to this project, I’d be happy to integrate your patches/files in this project.
You can also use the bug tracker to ask for a feature that we have not thought about. If you are requesting additional features, please try to provide some test data for them.
As usual, you can get the tool on Bitbucket, either through Mercurial or through the download section (click on the “Tags” tab).
If I didn’t screw up the installation system, you can also try “pip install dpapick” to get it on your computer and benefit from the upgrade capability that it provides 🙂
Filed under: dpapi, dfir, roadmap, python, release
Next week, DPAPIck will finally become the first open-source tool (GPLv3 licence) able to deal with DPAPI structures, as well as the first tool that can do so from an operating system other than Microsoft’s!
It has been entirely rewritten in Python and only requires OpenSSL for decryption, making it fully cross-platform. It comes along with several application probes that embed the decryption logic specific to each application that uses DPAPI (e.g. Google Talk, Skype, wireless keys, Internet Explorer, etc.).
And we are not releasing DPAPIck v0.2 alone! It comes along with other surprises that we will let you discover in August 🙂
Until the public release, the lucky ones attending BlackHat USA 2011 or DefCon 19 will be able to meet us. And if you are attending BlackHat, do not forget to go and see our presentation of OWADE, our new advanced forensic tool!
Filed under: DPAPI, BlackHat, python, OWADE
For French-speaking readers interested in DPAPI, we have written an article that will be published in the French magazine MISC, issue 56 (July/August).
It revisits the analysis of the structures that we published at BlackHat DC 2010, including a few corrections and some of our progress since then. Pieces of Python scripts that decrypt the structures are also provided in the article.
We are continuing our work on the subject, and DPAPIck has been entirely rewritten in Python to make development and testing easier. This version should soon be made available to the community.
For non-French readers, the paragraphs above say that we are about to publish an article about DPAPI in a French magazine, including Python code snippets to decrypt the structures we talked about at BlackHat DC 2010.
We are still working on that subject, and our tool, DPAPIck, has been entirely rewritten in Python to help us add new features more easily. This new version may soon be made available to the community. Stay tuned!
Filed under: publication, magazine, python, DPAPI
I recently discovered that Bitbucket does not duplicate the issue tracker when forking a repository. Thus you don’t have any visibility on what’s going on with DPAPIck, and that’s why I’m writing this post.
So, here is what we have planned for the version 0.3 release:
Inline documentation is already done, and EFS private key decryption is done too, but we need to add a PKCS#12 export function to keep the certificate together with its private key and make it easy to work on EFS from Linux.
The rewriting of the bin tools is stalled for the moment, as I need to focus on another project. But as soon as I have time to go back to DPAPIck, I will finish this part and release a new version. Okteta support may be for a later version.
If you have any suggestion or wish-list item to add to our roadmap, feel free to leave a comment! This blog is here for that kind of thing too.