LabEx
Log InJoin Free

John the Ripper for Digital Forensics

Kali LinuxBeginner
Practice Now

Introduction

In digital forensics, recovering passwords from seized evidence is often a critical step. These passwords can unlock encrypted files, access user accounts, or provide crucial insights into a suspect's activities. John the Ripper is a free and open-source password cracking tool that is widely used by security professionals and forensic investigators to test password strength and recover lost or compromised passwords.

This lab will guide you through the practical application of John the Ripper in a digital forensics context. You will learn how to extract password hashes from various sources, use John the Ripper to crack these hashes, and understand the importance of proper documentation and chain of custody in forensic investigations. By the end of this lab, you will have a solid understanding of how to integrate John the Ripper into your digital forensics workflow.

Extract Hashes from Forensic Images

In this step, you will learn how to simulate the extraction of password hashes from a forensic image. In a real-world scenario, these hashes would be extracted from various sources like /etc/shadow files, SAM databases, or encrypted containers. For this lab, we have pre-created a file named hashes.txt containing example MD5 hashes.

First, let's examine the contents of the hashes.txt file to understand the format of the hashes we will be working with.

cat ~/project/hashes.txt

You should see output similar to this, where each line represents a username followed by a colon and its corresponding hash:

user1:5f4dcc3b5aa765d61d8327deb882cf99
user2:21232f297a57a5a743894a0e4a801fc3
user3:d41d8cd98f00b204e9800998ecf8427e
user4:a87ff679a2f3e71d9181a67b7542122c

These are MD5 hashes. John the Ripper can automatically detect many hash types, but understanding the format is crucial for effective cracking.

Use John the Ripper to Recover Passwords from Evidence

In this step, you will use John the Ripper to crack the hashes extracted in the previous step. We will use a simple wordlist attack, which is a common technique in password cracking where John attempts to match hashes against a list of common passwords.

First, let's use John the Ripper with the hashes.txt file and the wordlist.txt file. The --format=Raw-MD5 option explicitly tells John the Ripper to treat the hashes as raw MD5, although it often auto-detects.

john --wordlist=~/project/wordlist.txt ~/project/hashes.txt

After running the command, John the Ripper will attempt to crack the passwords. The output will show the progress and any cracked passwords. It might take a few moments.

Once John finishes, you can view the cracked passwords using the --show option.

john --show ~/project/hashes.txt

You should see output similar to this, showing the cracked passwords for the users:

user1:password (user1)
user2:admin (user2)
user4:test (user4)
3 password hashes cracked, 1 left

Note that user3's password (which is empty, represented by d41d8cd98f00b204e9800998ecf8427e) might not be cracked by this specific wordlist, as empty passwords are often handled differently or require specific rules.

Document Forensic Procedures with John the Ripper

In digital forensics, meticulous documentation is paramount. Every step taken during an investigation, including the use of tools like John the Ripper, must be recorded. This ensures the integrity of the evidence and the credibility of the findings in court.

In this step, you will simulate documenting the cracking process. You should record:

  1. Tool used: John the Ripper
  2. Version: (You can find this by running john --version)
  3. Input file: ~/project/hashes.txt
  4. Wordlist used: ~/project/wordlist.txt
  5. Cracked passwords: The output from john --show
  6. Date and Time: When the cracking was performed.

Let's create a simple text file to document this. Use nano to create and edit a file named forensic_log.txt in your ~/project directory.

nano ~/project/forensic_log.txt

Inside nano, add content similar to the following, replacing the cracked passwords with your actual results:

Forensic Log - Password Cracking

Date: <Current Date and Time>
Investigator: LabEx User

Tool Used: John the Ripper
Version: <Output of john --version>

Input Hash File: ~/project/hashes.txt
Wordlist Used: ~/project/wordlist.txt

Cracking Command:
john --wordlist=~/project/wordlist.txt ~/project/hashes.txt

Cracked Passwords:
user1:password
user2:admin
user4:test

Notes:
Attempted to crack MD5 hashes using a provided wordlist.

Press Ctrl+X, then Y to save, and Enter to confirm the filename.

After saving, you can view the content of your log file:

cat ~/project/forensic_log.txt

This log serves as a crucial part of your forensic report.

Maintain Chain of Custody for Cracked Passwords

Maintaining the chain of custody is vital in digital forensics to ensure that evidence is handled properly and remains admissible in court. This means documenting who had access to the evidence, when, and for what purpose. For cracked passwords, this involves securely storing them and documenting their discovery.

In this step, you will simulate securing the cracked passwords and documenting their handling. While in a real scenario, you might use encrypted containers or secure databases, here we will simply move the cracked passwords to a designated "evidence" directory and update our log.

First, let's create a directory to store the evidence.

mkdir -p ~/project/evidence/cracked_passwords

Now, let's redirect the output of john --show to a file within this new directory. This file will contain only the cracked passwords.

john --show ~/project/hashes.txt > ~/project/evidence/cracked_passwords/cracked_passwords_output.txt

Verify the file has been created and contains the cracked passwords:

cat ~/project/evidence/cracked_passwords/cracked_passwords_output.txt

Finally, update your forensic_log.txt to reflect that the cracked passwords have been secured. Open the log file again:

nano ~/project/forensic_log.txt

Add a new section to the log, similar to this:

Cracked Passwords Secured:
Location: ~/project/evidence/cracked_passwords/cracked_passwords_output.txt
Date Secured: <Current Date and Time>

Save and exit nano (Ctrl+X, Y, Enter).

This process ensures that the cracked passwords are treated as evidence and their handling is documented.

Present Findings in a Forensic Report

The final step in any digital forensics investigation is to present the findings in a clear, concise, and legally sound forensic report. This report summarizes the investigation, the methods used, the evidence found, and the conclusions drawn.

In this step, you will compile the information gathered throughout this lab into a simplified forensic report. This report would typically include:

  • Case Information: Case ID, Investigator, Date.
  • Executive Summary: Brief overview of the findings.
  • Methodology: Tools and techniques used (e.g., John the Ripper, wordlist attack).
  • Findings: Specific cracked passwords and their associated accounts.
  • Conclusion: Summary of what the findings imply.
  • Appendices: Raw logs, hash files, etc. (like forensic_log.txt).

Let's create a new file named forensic_report.txt in your ~/project directory using nano.

nano ~/project/forensic_report.txt

Add content similar to the following, incorporating the details from your forensic_log.txt and the cracked passwords:

Digital Forensic Report

Case ID: LABEX-JTR-001
Investigator: LabEx User
Date of Report: <Current Date and Time>

1. Executive Summary:
This report details the recovery of user account passwords from seized digital evidence using John the Ripper. Three passwords were successfully recovered.

2. Methodology:
Password hashes were extracted from a simulated forensic image (hashes.txt). John the Ripper (version <John version>) was utilized with a custom wordlist (wordlist.txt) to perform a dictionary attack against the extracted MD5 hashes.

3. Findings:
The following user accounts and their corresponding passwords were recovered:
- user1: password
- user2: admin
- user4: test

The raw output of the cracking process and detailed procedural logs are appended in the Forensic Log (forensic_log.txt).

4. Conclusion:
The recovered passwords provide access to the identified user accounts, which may contain further relevant evidence for the ongoing investigation.

5. Appendices:
- Forensic Log: ~/project/forensic_log.txt
- Cracked Passwords Output: ~/project/evidence/cracked_passwords/cracked_passwords_output.txt

Save and exit nano (Ctrl+X, Y, Enter).

Finally, review your complete report:

cat ~/project/forensic_report.txt

This exercise demonstrates the importance of consolidating all findings into a comprehensive report for legal and investigative purposes.

Summary

Congratulations! You have successfully completed the "John the Ripper for Digital Forensics" lab.

In this lab, you gained hands-on experience with John the Ripper, a fundamental tool in digital forensics. You learned how to:

  • Simulate hash extraction from forensic evidence.
  • Utilize John the Ripper to recover passwords using a wordlist attack.
  • Document forensic procedures meticulously, creating a detailed log of your actions.
  • Understand and maintain the chain of custody for discovered evidence, specifically cracked passwords.
  • Compile and present findings in a structured forensic report.

These skills are crucial for any digital forensics investigator, enabling them to effectively analyze evidence, recover critical information, and present their findings in a legally sound manner. Continue exploring other password cracking techniques and advanced features of John the Ripper to further enhance your forensic capabilities.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux