Reversing DPAPI and Stealing Windows Secrets Offline

Jean-Michel Picod, Elie Bursztein   @BlackHat DC 2010
The Data Protection API (DPAPI) plays a key role in Windows security: it is meant to be the standard way on Windows to store encrypted data on disk. DPAPI is used by many popular applications, including Internet Explorer, Google Talk, Google Chrome, Skype, and MSN (6.5-7), to encrypt their passwords. It is also used by Windows itself to store sensitive information such as EFS certificates and Wi-Fi (WEP and WPA) keys. DPAPI stores this encrypted data on disk in very opaque structures, and the available documentation is very sparse. Therefore, prior to our work, it was impossible to extract and analyze these secrets offline for forensic purposes. This is a particularly serious issue for files encrypted using EFS, because unless the EFS certificate protected by DPAPI is recovered, these files can't be decrypted and analyzed. To address these issues, we reverse-engineered DPAPI, and in this presentation we will provide a complete walkthrough of DPAPI and its structures. Armed with this knowledge, anyone interested in Windows forensics will be able to deal with data stored with DPAPI. We will cover the changes made by Microsoft from Windows XP up to Windows Seven. Finally, we will demonstrate and release DPAPick, which we believe is the first tool that allows offline decryption of data encrypted with DPAPI.