Reversing DPAPI and Stealing Windows Secrets Offline
The Data Protection API (DPAPI) plays a key role in Windows security:
it is meant to be the standard way on Windows to store encrypted data on disk.
DPAPI is used by many popular applications including Internet Explorer,
Google Talk, Google Chrome, Skype, MSN (6.5-7) to encrypt their passwords.
It is also used by Windows itself to store sensitive information such as EFS certificates
and Wi-Fi (WEP and WPA) keys.
DPAPI uses very opaque structures to store this encrypted data on disk,
and the available documentation is very sparse.
Therefore, prior to our work, it was impossible to extract and analyze these secrets offline
for forensic purposes. This is a particularly serious issue for files encrypted
using EFS because, unless the EFS certificate protected by DPAPI is recovered,
these files can't be decrypted and analyzed.
To address these issues, we reverse-engineered DPAPI, and in this presentation we will provide
a complete walkthrough of DPAPI and its structures.
Armed with this knowledge, anyone interested in Windows forensics will be able
to deal with data stored with DPAPI. We will cover the changes made
by Microsoft from Windows XP up to Windows 7.
Finally, we will demonstrate and release DPAPick (www.dpapick.com), which we believe
is the first tool that allows offline decryption of data encrypted with DPAPI.