Arsenal’s Bypass Data Protection API (DPAPI)

Arsenal’s Bypass Data Protection API (DPAPI)

  Something new from Arsenal.

Arsenal is an innovative forensic developer because once again, they just released a cool feature for their Arsenal Image Mounter (currently just for military and LE, but will be publicly released in two weeks).  Arsenal Image Mounter’s ByPass DPAPI provides seamless access to DPAPI protected content such as website, network share, application credentials, files and folders protected by encrypting file system, and some more content protected by DPAPI.  The best part is that you don’t need any credentials from the user to do this.

This is what you get with Arsenal Image Mounter’s Bypass DPAPI :

Using the Chrome browser as one example of accessing DPAPI protected content, after launching your evidence virtual machine with Arsenal Image Mounter, you can open a user’s Chrome browser and drill down to manage passwords under settings . When asked to enter the user’s Windows password, you simply hit okay without entering anything and you’ll see the website password.  This is because Arsenal image Mounter’s Windows authentication bypass is working in the background, taking care of the DPAPI business of bypassing data protection.  Figure 1 is an example of this.

Figure 1: Chrome passwords. 

***It's not just passwords from a Chrome browser that you are able to access. It's DPAPI protected content all over. Even decrypting Dropbox databases, WiFi passwords, and more!***

What is the DPAPI?

The Data Protection API or DPAPI is not something new to forensics. The DPAPI and Windows protect your data when you’re saving your passwords in Outlook, Skype, or Internet browsers.  The DPAPI described by Microsoft:

DPAPI is a password-based data protection service. It requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES algorithm, and strong keys, which we'll cover in more detail later. Because DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user's logon password for protection.”  - https://docs.microsoft.com/en-us/previous-versions/ms995355(v%3Dmsdn.10)

There are several tools available to bypass the DPAPI, such as NIRSOFT’s DataProtectionDecryptor that can already decrypt passwords encrypted by the DPAPI on Windows operating systems.  Nirosoft’s app will also work on DPAPI data stored on external hard drives as well.  But rather than to get deep into the weeds of DPAPI and a list of tools, here are some links with more information to describe DPAPI because my purpose is to get straight into this new feature of the Arsenal Image Mounter.

Windows Data Protection

https://docs.microsoft.com/en-us/previous-versions/ms995355(v%3Dmsdn.10)

Data Protection API

https://en.wikipedia.org/wiki/Data_Protection_API

HIP19: DPAPI and DPAPI-NG Decrypting All Users’ Secrets and PFX Passwords - P. Januskiewicz

https://www.youtube.com/watch?v=418ZeP5XsZ4

An easier (and better!) way of bypassing DPAPI-protected evidence

The Chrome password access above was a short version of what this actually means for your forensic analysis with AIM launched virtual machine evidence.  AIM’s Bypass Data Protection API allows access to the last logged on user’s (or Microsoft cloud user) DPAPI protected content in Windows 10 X 64 systems and works best with single-user systems and does not persist across reboots.  I am told that future builds of AIM may have support for applying DPAPI against users, other than the last logged on user.  Figure 2 shows the Bypass Data Protection API option when launching as a virtual machine with AIM. 

Figure 2: AIM Bypass Data Protection API (DPAPI)

Warning!

Just because you can obtain passwords to email accounts, cloud storage accounts, and other types of password-protected content, does not mean you also have legal access to that content.  With that, obtain legal authorization before accessing any computer system, such as a user’s cloud storage account, even when you have the password.

However, being able to collect a user’s passwords from their system is certainly beneficial in creating a password list for encrypted files that may be stored on that system or contained on other devices controlled by the user.

My testing

I was provided an early build of the AIM Bypass Data Protection API and tested it on one of my personal systems simply because I can verify the passwords as being correct and able to log into any account legally.  In short, this works.

I can see a real benefit to military and intelligence use of AIM’s Bypass Data Protection API as well as in law enforcement investigations.  For the private sector, being able to access DPAPI-protected data is the from within a launched virtual machine is a timesaver.  Collecting the user account passwords will certainly be a big benefit to bypassing encryption protection on user files for analysis.

About Arsenal and their tools.

Arsenal’s consulting seems to always get someone very intriguing and complex cases.  When I say complex, I actually mean difficult.  But rather than just work a case, it seems that Arsenal releases a new tool or a new feature to a tool that surely was inspired by one of these really difficult cases.

I listened to Mark Spencer at the conference talk about one of his cases, and I knew that if I was working that case, I wouldn’t be able to do half the job that his team did.  But listen to how this amazing case was worked, the clues and leads that they followed, and the drive to keep digging reminded me that in the face of any case that may be simple, there may be a lot more to the story.  Of course, I know that.  And of course, I need reminders.  Each time that I touch any of Arsenal's tools, I am reminded to dig a little deeper to make sure I don’t miss something important or pivotal in an analysis. That is solely due to listening to one case study from Arsenal. 

Follow-up

Go to Arsenal Recon .  Take a look at their Insights posts.  The how-to descriptions are detailed and insightful (hence “Insights”…).  The newest post from October 20 is another one of those neat things to know about accessing protected content.

Introducing Arsenal Image Mounter v3.3.134 and DPAPI Bypass https://arsenalrecon.com/2020/10/introducing-arsenal-image-mounter-v3-3-134-and-dpapi-bypass/  

I’m glad to have had my hands on this early and look forward to putting it to use.

Written by :Brett Shavers