A method for offline parsing of DPAPI encrypted data

An offline technology for encrypted data, applied in the field of data encryption and decryption, that solves the problems that data cannot be decrypted, that the read-only nature of evidence is destroyed, and that DPAPI encrypted data cannot be decrypted.

Active Publication Date: 2017-01-04
XIAMEN MEIYA PICO INFORMATION

AI Technical Summary

Problems solved by technology

This method directly depends on the operating system of the target source. If the system is damaged and cannot be started, the data cannot be decrypted, and the data source is easily contaminated during the operation, destroying the read-only nature of the evidence.
[0004] In addition, a domestic patent proposes decrypting DPAPI encrypted data in the user storage area. That method can parse encrypted data at the user account level, but the SID and plaintext password of the user login account must be known in advance; otherwise the data cannot be decrypted. It applies only to encrypted data in the DPAPI user storage area and cannot decrypt DPAPI encrypted data in the system storage area, that is, at the local system level.

Embodiment Construction

[0009] To describe the technical content, structural features, goals and effects of the present invention in detail, a detailed description follows in conjunction with the embodiments and accompanying drawings.

[0010] 1. The abbreviations and key terms used in the present invention are defined and explained as follows:

[0011] DPAPI: Data Protection Application Programming Interface;

[0012] Encryption function CryptProtectData: the encryption interface provided by the Microsoft Windows operating system;

[0013] Decryption function CryptUnprotectData: the decryption interface provided by the Microsoft Windows operating system;

[0014] DPAPI encryption block: data encrypted with the encryption function CryptProtectData;

[0015] Pbkdf2 operation (Password-Based Key Derivation Function 2): an encryption algorithm that relies on iterative complexity to ensure password security. First, a traditional encryption algorithm must be selected, usually a one-way has...


Abstract

The invention discloses a method for offline parsing of DPAPI (Data Protection Application Programming Interface) encrypted data. The method comprises the following steps:

S1: the device data source to be analyzed is loaded, and the disk partition holding its Windows operating system is determined;
S2: the system account master key file, the System file and the Security file are obtained;
S3: the DPAPI encryption block of the file to be decrypted is obtained by scanning for the DPAPI encryption block characteristic value;
S4: the System file and the Security file are parsed to obtain the Pbkdf2 key plaintext;
S5: the key information needed to decrypt the system account master key file is obtained, and the master key plaintext is obtained by decrypting the system account master key file with the Pbkdf2 key;
S6: the data plaintext is obtained by decrypting the DPAPI encryption block with the master key.

The beneficial effects of the method are that it does not rely on the operating system of the target data source, the user name and password of the computer need not be known, encrypted data in the DPAPI system storage area can be decrypted, and the requirements of read-only operation on evidence sources and cross-platform decryption are met.
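Step S3 can be illustrated with a read-only scanner. This is an added example, not code from the patent: it assumes the characteristic value is the publicly documented DPAPI blob header (version 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb) and the commonly described field layout that follows it. All function names and the sample buffer are constructed for illustration.

```python
import mmap
import struct
import uuid

# Assumed characteristic value: dwVersion = 1 + provider GUID (little-endian).
PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
SIGNATURE = struct.pack("<I", 1) + PROVIDER.bytes_le
FIXED_LEN = len(SIGNATURE) + 4 + 16 + 4 + 4  # through the description length


def parse_header(buf, off):
    """Return the header fields of a candidate block, or None if implausible."""
    if len(buf) - off < FIXED_LEN:
        return None  # signature too close to the end of the data
    p = off + len(SIGNATURE)  # p points at the master key version field
    mk_guid = uuid.UUID(bytes_le=bytes(buf[p + 4:p + 20]))
    flags, desc_len = struct.unpack_from("<II", buf, p + 20)
    desc_end = p + 28 + desc_len
    if desc_len % 2 or desc_end > len(buf):
        return None  # description must be whole UTF-16 units inside the data
    desc = bytes(buf[p + 28:desc_end]).decode("utf-16-le", "replace")
    return {"offset": off, "master_key_guid": str(mk_guid), "flags": flags,
            "description": desc.rstrip("\x00")}


def scan(buf):
    """Find every plausible DPAPI block header in a bytes-like object."""
    hits, pos = [], buf.find(SIGNATURE)
    while pos != -1:
        hdr = parse_header(buf, pos)
        if hdr:
            hits.append(hdr)
        pos = buf.find(SIGNATURE, pos + 1)
    return hits


def scan_image(path):
    """Scan an image or extracted file through a read-only memory map."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return scan(m)


def build_sample():
    """Constructed input: padding, one synthetic header, a truncated hit."""
    desc = "demo\x00".encode("utf-16-le")
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made up
    hdr = (SIGNATURE + struct.pack("<I", 1) + guid.bytes_le
           + struct.pack("<II", 0, len(desc)) + desc)
    return b"\x00" * 37 + hdr + b"\xff" * 64 + SIGNATURE + b"\x01"
```

The `master_key_guid` reported for each hit identifies which master key file the block was protected with, which is the file steps S2 and S5 need.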

Description

Technical field

[0001] The invention relates to the field of data encryption and decryption, in particular to a method for offline analysis of DPAPI encrypted data.

Background technique

[0002] The Windows operating system of Microsoft Corporation in the United States is currently the most popular PC operating system, and its data security has always attracted much attention. Starting from Windows 2000, Microsoft has provided a set of easy-to-use system-level data protection interfaces (Data Protection Application Programming Interface, or DPAPI, including the encryption function CryptProtectData and the decryption function CryptUnprotectData), providing data protection services for applications and operating systems. The salient feature of this group of interfaces is that the encryption and decryption operations must be performed on the same computer, and the key generation, storage and use are completed within the operating system, eliminating the management of application...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L9/06
Inventor: 苏再添, 吴少华, 林艺滨
Owner: XIAMEN MEIYA PICO INFORMATION