So, I've got a computer encrypted with DiskCryptor 0.9.x and I'm in a bit of a jam. I used the same password for like a year and a half, but one night I got home, tried to log in, and it just wouldn't take it. I've gone through a bunch of possible combinations because I think I might have mixed up some letters or got the case wrong. I'm pretty confident it's not an issue with the encryption itself. The real problem is that I seem to have a bit of a brain glitch with the password. This machine has several bitcoins and almost a decade of my digital life locked up photos, music, game saves, you name it.
After the incident, I jotted down what I think the password is, but it’s not quite right. I'm thinking John The Ripper would be a solid choice to help here. It can run through different variations of a password and pipe the results into DiskCryptor’s command line. Depending on what DiskCryptor says, it can either keep trying new passwords or tell me when it gets the right one. I'm hoping to automate this with a BAT file.
I'm looking for suggestions and thoughts on this. Is there anything better out there for messing with passwords? I don't have any backups since I went for a super secure setup.
I can't help you with your problem, but (to state the obvious) I can recommend to create a backup first: create a disk image (or more than one). The image will still be encrypted, but at least disk failure won't mean losing the data if you ever recover the password.
Of course I have created disk images and working on them.
A tool that creates wordlist from mangling given passphrase also would be workable. In fact it could be much better since it will be simpler for me to implement in bat file.
I think john the ripper is the right tool also. Have a look at this.
https://countuponsecurity.com/wp-content/uploads/2016/09/jtr-cheat-sheet.pdf
There are many sites you can download rule sets from.
Did you enter your password from memory every day for 1.5 years, that is, 547 times, and then forgot it? Here we can say unequivocally - you REMEMBER your password.
And in order to restore it, you will not need any additional software or a password written down after the incident occurred. You need to work with your memory. For example, completely restore the entire atmosphere of one of those 547 days when you remembered your password well and successfully decrypted your computer.
Remember the exact time when you started working at the computer, the smells from the kitchen, your thoughts and moods at that moment, visual images - that is, everything that can mentally return you to that time....
In neurolinguistic programming these are called "anchors". By activating the anchors, you can quite easily hack your own brain and extract the information you need from it.
As a last resort, you can resort to the help of an appropriate specialist who knows similar techniques.
I probably did not enter it every day, but sometimes it went without entering the password for week, sometimes I entered the password multiple times per day when installing and rebooting. I am pretty confident it was at least 350 times over course of the usage of that computer. That unhappy day I hibernated the computer at morning, went to study, returned home, powered the computer but it refused my password I entered multiple times. That was stressful time in my life - study and exams, relationship issues, and that day I slipped on icy road and slightly hurt my leg (not head!). I entered the password mostly from muscle memory, because it was 28 or more random characters, upper and lower case, numbers and special symbols. As it turns out the brain is unreliable storage medium.
The incident happened 8 years ago. I left the computer as-is and counted the data as unrecoverable. Because I made it to be immune against seizing and decryption attempts by KGB, FBI, CIA and NSA. But now I want to restore the computer as it was because it is in very good physical condition and very great example of that era ( HP Pavilion dv8000) and I have the the disk images to play with and spare hardware to run brute force on.
Since you said you enter it everyday for 1.5 years, i feel it's far more likely the header got corrupted. By header, i refer to section of the partition which store key needed to perform decryption[1]. Anyway, you might also want to ask for help on DiskCryptor GitHub or forum, since it's less popular than BitLocker or LUKS.
[1] https://diskcryptor.org/volume/
You have a very good memory if you can remember 28 or more random characters...
You wrote that you relied on muscle memory, but it was damaged after injury? Perhaps hypnosis will help you?
An experienced hypnotist can mentally transport you back in time and give you a verbal command to enter the correct password. Your muscle memory may be blocked, but it is not gone, so it is possible that you will be able to decrypt your computer. And then the hypnotist will bring you out of the altered state and you will change the password to a new one (which you will write down in a paper notebook).
In general, it seems that crypto enthusiasts very often lose access to their Bitcoin wallets precisely because of their paranoia, due to overly complex passwords that they forget.
Because the story you told is not the only such case.
That's how I enter most of my passwords too: I wouldn't be able to write them down, but I can easily enter them on a keyboard. And that brings me to my next question (small chance): have you tried a different keyboard? Or enter it 100 times in a text document, and see where you make common mistakes?
This is the sort of thing that I'd store in a password manage though. Just saying.
The disk image obviously is not something that should go in a password manager but particularly when you are dealing with random passwords, you are inevitably going to forget them so you need to save them somewhere.
Even passwords made from combinations of words that are otherwise easy to remember can be forgotten if you suddenly get distracted with other things.
I actually did that once (at work!): I stored the password to an encrypted container inside that encrypted container. Luckily I had a backup of the data.
And you'll still have to remember the password to the password manager
OP
Here is an example to bruteforce your password with hashcat or Johntheripper:
1. Lets say the password is "Bitcoinlover184%"
The only part of the password you remember and are sure about is that it contained "bitcoinlover" and maybe you remember the lenght or approx lenght.
You could either use the mask attack like this ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a
This would find your password but you would need an Extreme amount of GPU power.
Rather, like i would do is implement a couple of statistically proven password rules and it would be this:
Dictonary + bruteforce attack
1. put bitcoinlover in wordlist
use masks on the password. For example:
?H?itcoinlover?d?d?d?a
This mask would crack the password very fast but is not realistic as we dont know all the Details of the password. This is just meant to show you how easy it can be to crack passwords.
I also suspected this is the case, but I have no idea how it must happen by accident. Header corrupion usually happens when improperly configured Windows tries to initialize encrypted drive and overwrites header. How it can happen on laptop going to hibernation I do not know. Cosmic rays hit my RAM chip maybe? Also, the computer have 2 hard drives encrypted with same password. Both drives do not accept password, I deduct that it is wrong password, not corrupted volume header at play.BEGIN
10 One of us two are stupid.
20 I am not stupid.
END
I know a lot about computers, forensics, data rescue, repairs, troubleshooting, administration. If WinPE would get to my wallet file, I would use it.One of few good things about me. Increases my nerdyness level at expense of social skills stats.Yes I relied on muscle memory. No, I sligtly bruised my leg, not arm or head. I was only stressed, studying before exam, and very mild infection of common cold. It appears it is enough to lose the muscle memory. Also I live in a place where there is no hypnotists or similar charlatans available. I am also very resistant to suggestion and hypnosis, discovered that after friends invited me to religious sect where the priestess attempted to scare me, hypnotize and other tricks just to later privately admit that I am crazy or psychopath and completely immune to contact. It will not help. Also, the password was lost in February 2016 so pretty much time have been passed since then. There are lot of stories when people forget the encryption password or damage the key material and lose their files. But they are just files. There are also even more stories where people make some dumb opsec mistakes and FBI rummage trough their filesystems and smear them with shit in court. And they lose the files as in first example plus their freedom in addition. And then there are few examples where people encrypt their devices properly AND refuse to give password and eventually they go free. The fact that You or I have paranoia does not mean glowies are not after us.Laptop computer, used as Desktop Replacement. Nothing changed.Really good idea! Will try it.I use KeePass on my computer for all sorts of passwords, but obviously preboot authentification password should be stored somewhere else. I could try to find old keepass database file on my old backups in hope that it contains the password in question but I first need to get the drives recognized and unlocked. They are failing or failed, IBM Deskstars GXP120Thank You, as I read Jack the Rapper documentation it might help. First I envisioned the JTR running under BAT file control, but now I also discovered software that takes wordlists directly and works with TrueCrypt and DiscCryptor under Windows. Now only the question is a good wordlist that contains my password from the password I remember and have written down.
I recall hibernation dump RAM content to the disk and load the dump to RAM once hibernation ends, so i doubt it's cosmic rays hit your RAM. And since you mention 2 drive, header corruption become unlikely. But just in case, have you checked S.M.A.R.T. status of both drives?
Have not checked after the incident, but I checked them at least one a month and they both were in great shape and also worked flawlessly. So the problem is not some sort of hardware failure.
I heard or read somewhere that the folks in the password cracking scene (the white hat password crackers) are a quite helpful bunch.
From reading over your thread, I'd say that likelyhood of encryption header corruption isn't high, when two separate devices can't be unlocked. That said, I know nothing about this DiskCryptor 0.9.x software you used for your setup.
Have you investigated if there's any potential issues with hibernation mode with that software?
Likely this can be dismissed, too, as I assume it wasn't the first and only time you sent your device into hibernation mode with your encrypted disks.
When you are sure about certain chunks/pieces of your encryption password, then I'd seek help in the forums of John the Ripper or Hashcat. There are really knowledgeable people there who can assist you to create a decent password generator and mangling script to execute a sophisticated and feasible crack attack.
As you don't seem to be a computer noob, it should be obvious to only work on forensic copies of your encrypted disks. If you haven't done yet, make forensic copies of your encrypted harddisks, after that you can leave the original mechanical disks at rest.
As your encrypted disks hold a significant value, you should make multiple copies of the forensic copies to ensure you'll never loose any of the forensic copies by any chance.
You do your cracking only on copies of the forensic copies, if that's not clear and obvious already. The above mentioned cracking tools usually only need a certain portion of encrypted key material or encryption header to work on. If DiskCryptor is known to John the Ripper or Hashcat then usually there are tutorials or recipies how to extract such data for further cracking work.
Good luck and I'd appreciate to keep us posted of your unlocking journey! There's always some lesson to learn from this.
What You mean by extracting hash? DiskCryptor uses choice of 3 user selectable hash algorithms together with random plaintext salt to derive header encryption key that unlocks a header containing the real encryption keys. And it is not possible to extract right hash without the proper password so Your post makes little sense to me.