Passware Kit Forensic is Now Integrated with Oxygen Forensic Suite to Provide a Joint Solution for Mobile Investigations

Passware Kit Forensic recovers passwords for Apple iTunes backup files, both for iPhone and iPad. This technology is now integrated with Oxygen Forensic Suite, mobile forensic software that acquires data from seized cell phones, smartphones and tablets.

Advanced proprietary protocols allow Oxygen Forensic Suite 2013 to extract much more data than logical forensic tools usually extract, especially from smartphones. This includes, but is not limited to, basic phone information and SIM card data, contact lists, caller groups, speed dials, missed/outgoing/incoming calls, deleted SMS messages, calendar events, tasks, text notes, photos, videos, and other data. Thanks to the integration with Passware Kit Forensic, Oxygen Forensic Suite is now capable of extracting data from encrypted iPhone and iPad backup files.

[Image: Oxygen and Passware]

Both Oxygen Forensic Suite and Passware Kit Forensic should be installed to extract data from encrypted mobile backup files. Passware offers a 30% discount on Oxygen Forensic Suite. Contact Sales for more information.

Posted in Announcements, Partnership, Passware

Extracting Facebook passwords from memory image or hibernation file

Passware Kit 12.3 recovers passwords for Facebook, Gmail, and other websites by analyzing a memory image or a system hibernation file.

Here is how it’s done.

Launch the Google Chrome browser on a target machine and open a new Incognito window (Ctrl+Shift+N). In Incognito mode Chrome does not save your passwords, but they are still present in the computer's memory.

Fill in the email and password and click Log In:
[Screenshot: Google Chrome in Incognito mode]

Posted in How To, Passware

Passware Kit 12.3 Extracts Facebook, Google Passwords from Computer Memory; Improves ATI Acceleration and Distributed Password Recovery


  • Extraction of Facebook, Google, and other websites’ passwords from live memory or hibernation files
  • Hardware acceleration: the latest ATI cards (AMD Radeon 7 series) supported
  • Distributed password recovery now with custom dictionaries
  • Portable rainbow tables for instant offline decryption of Word and Excel files up to v.2003 now for sale
  • Control hardware resources used for password recovery to optimize performance

Posted in Announcements, Passware

Passware Kit 12.1 Accelerates Password Recovery for MS Office 2013 and PGP, Supports QuickBooks 2013 and FileMaker 12


  • Hardware accelerated password recovery for MS Office v.2013 files
  • GPU acceleration added for PGP password recovery
  • Instant decryption of QuickBooks v.2013 databases
  • Instant decryption of FileMaker v.12 databases
  • Password recovery for Adobe Acrobat X, XI documents
  • Password recovery for RAR v.4 archives
  • Password recovery for Mac OS 10.8 users
  • Instant recovery of Windows user passwords from UPEK

Posted in Announcements, Passware

Live and online training and certification for Passware Kit Forensic by Sumuri


Passware, in cooperation with Sumuri, is giving a series of live and online training and certification classes.

This three-day training class will give students the knowledge and skills to meet the challenges of digital encryption using Passware Kit. Students will gain an understanding of how encryption and cryptanalysis work to build core forensic analyst skills. Through hands-on practicals, students will learn how to apply Passware Kit in different scenarios, including encrypted files, email passwords, Windows passwords, Apple passwords, encrypted volumes, and more.

Posted in Announcements, Events, Passware

Instant extraction of Windows login passwords from Hibernation file or memory image

Windows stores account passwords for all logged-in users in memory. This holds true for Windows XP through Windows 8. The passwords are encrypted and are not visible in plain text, but there is still a way to identify and decrypt them.

When a computer hibernates, Windows writes the entire contents of physical RAM to the C:\hiberfil.sys file, creating a memory image. This image contains encrypted Windows accounts and passwords.

As the hiberfil.sys file is locked by Windows, you might need to use special tools (like WinHex) or boot the system into Windows Recovery Console in order to access the file.

Posted in How To, Passware, Tips

Passware Kit v.12 Introduces Batch File Processing and Instant Recovery of Windows Login Passwords from Memory



  • Batch file processing
  • Instant recovery of Windows login passwords through memory analysis

Posted in Announcements, Passware

On cracking Mac OS X Lion account passwords

Mac OS X Lion stores salted SHA512 hashes of user account passwords.

NOTE: if a memory image of a target computer is available, Mac OS X login passwords could be recovered instantly.

Password hashes are stored in /private/var/db/dslocal/nodes/Default/users/<username>.plist files.

Posted in How To, Passware, Tips

Passware Kit 11.7 Instantly Decrypts PGP and Office 2010; Features Improved Integration with EnCase



  • Instantly decrypts MS Office 2007-2010 documents through memory analysis
  • Instantly decrypts PGP Whole Disk Encryption volumes through memory analysis
  • Recovers passwords for Apple Disk Images (DMG)
  • Improved integration with Guidance EnCase:
    • One-click password recovery from EnCase
    • Imports dictionaries/wordlists directly from EnCase


Posted in Announcements, Passware

How effective are your password recovery settings?

Improving password recovery success rates

Limited time and resources are usually the two biggest constraints for password recovery. A live memory image could contain encryption keys and passwords, but what are the options if there is no such image available?

There are two important metrics for measuring the effectiveness of password recovery: success rate and time spent. After all, we could do a full brute-force attack for all 16-character alpha-numeric passwords with 100% success rate, but waiting a billion years is not a viable option.

A lot of research has gone into identifying patterns in the passwords people use, and the common view now is that there is no such thing as “the best” list of password recovery attacks. People choose different types of passwords to protect different types of data – corporate files, personal documents, or web accounts.

One of the questions we are often asked is, “How do I measure the efficiency of my set of password recovery attacks?”

That’s exactly why Passware Kit now allows running password recovery attacks against a list of known passwords. For different types of passwords, this is the fastest way to see the success rate and estimate performance in real-life scenarios.

Posted in How To, Passware, Tips