Configure Password Cracking for Reprocessing

Home > selected Project > menu or right-click > Settings > Password Cracking
Project > Settings drop-down > Project Settings > Password Cracking

Requires Project - Password Cracking - View, Add/Edit Permissions

Note: Digital Reef now restricts import and reprocessing of data to Projects using Parsing Library V2. You can no longer import or reprocess data in a Parsing Library V1 Project.

At the Project level, Password Cracking allows you to set up and apply password-cracking criteria for use during reprocessing.

For all document reprocessing, the software will perform its own password cracking and accumulate a list of working passwords, even if you do not explicitly specify other password criteria. Once you select your criteria, enable one or more password-cracking modes, and apply your changes, the software will also use your criteria during document reprocessing.

Note: Password cracking applies to reprocessing scenarios only, as the password-cracking process could take time. Password-cracking criteria does not apply at import.

To indicate that the software performs its own password cracking and gathering of working passwords by default, the following appears above the configurable modes on the screen:

• Found Passwords — This mode is always enabled and is the password cracking always performed by the software during reprocessing. In this mode, the software detects and maintains a list of working passwords (that is, passwords successfully used to process encrypted documents).
• Password count <count>View... — Displays the current number of passwords found and used by the software to process encrypted documents. Click View... to see a list of the Found Passwords.

You can configure any combination of the following password-cracking modes for a Project:

• Email Context — Enable this mode to create a case-sensitive email contextual dictionary for each email attachment that is subject to password cracking. This option applies to either encrypted email attachments of emails extracted from a mail archive (e.g., a PST), or encrypted email attachments from a loose email.When encrypted email attachments are part of a loose email, the software builds the contextual dictionary using the content of unencrypted documents from the family of those attachments. When encrypted email attachments are part of an email from a given mail archive, the software builds the contextual dictionary using the email and email attachment content from that same mail archive within a 24-hour period (that is, within 12 hours before or 12 hours after the sent date of the email with the encrypted attachment). When the Email Context mode is enabled, the software attempts to crack each email attachment subject to password cracking using the email contextual dictionary and then stores the correct password, if one is found. The limit for a given password is 256 characters. Any correct passwords found and stored during the reprocessing of email attachments are used to crack remaining documents, and these passwords are visible in the Found Passwords list. If a term (password) is within quotes or parentheses, the software will capture the term both with the quotes and parentheses and without the quotes and parentheses. Note that the Email Context mode cannot identify leading or trailing spaces in passwords. Keep in mind that the Email Context mode can be intensive if the 24-hour period encompasses a large number of documents with considerable content.
• Known Passwords — Enable this mode if you want to provide a list of known passwords to use for document reprocessing in the Project. Since this mode processes the passwords exactly as they appear in the list, this is the least intensive of the optional password cracking modes.
• Frequently Used Passwords — Enable this mode if you want to provide a list of frequently used passwords to use as a type of password-cracking dictionary during document reprocessing, with criteria that enables the software to look for selected variations of the passwords in the list. This mode is more intensive than the Known Passwords mode. Select parameters for this mode carefully, as some are particularly intensive (for example, capitalizing any letter and making common substitutions).
• Brute Force — Enable this mode if you want the software to try all possible passwords in order to find the correct password during document reprocessing. This is the most intensive password cracking mode and will consume the most processing time.

If you select all of these modes, then the software uses the following order:

1. Passwords already found in the Project (referred to as Found Passwords).
2. Email Context Dictionary (email context only passwords).
3. Known Passwords (known passwords).
4. Frequently Used Passwords (cracking dictionary passwords).
5. Brute Force passwords.

If you select none of the modes, the software will still handle found passwords for documents.

You perform reprocessing from Search results, where you select files or all files and click Process > Reprocess, then select the appropriate reprocess options. To check for password-protected or encrypted entries after import of data into a Project, go to the Warning and Errors section of the Data Set Scan Report. Protected files such as protected PDFs are labeled Protected (that is, their parsing status is 00029 PROTECTED). Encrypted items such as encrypted ZIP files are labeled Encrypted (that is, their parsing status is 00027 ENCRYPTED). For example, you can drill through the Protected entry in the Data Set Scan Report and, from the Search Results, click Process > Reprocess to reprocess the PDF, using the appropriate option Reprocess documents only or Reprocess documents with children. Note that Reprocessing documents with children is required to discover any children of an encrypted/protected file that could not previously be processed. For more information about reprocessing, see How to Perform Document Reprocessing.

Note: The software does not support more than one password for password cracking of RAR file contents. If you have an encrypted RAR file that continues to report 00027 ENCRYPTED after being set up for password cracking and submitted for reprocessing, then the RAR contents may require a second password, and you will need to perform external reprocessing.

You can use password cracking modes to decrypt the following encrypted/protected files during reprocessing:

• Encrypted Microsoft Office documents, supported for Microsoft Office 97 and later.

Note: Password cracking does not apply to Microsoft Excel 95 documents. To address Microsoft Excel 95 documents, perform external reprocessing at an external area and remember to remove the passwords from the documents before loading them back to eDiscovery. See How to Perform External Reprocessing for more information. See Supported File Types for Analysis for a list of the supported file types.

• An encrypted ZIP file. Supported ZIP formats include ZIP, ZIPX, and 7-ZIP.

• An encrypted RAR file.
• Nested ZIP files that are encrypted.
• A single password-protected PDF (RC4 encryption).
• A password-protected PDF within a PDF Portfolio.
• An encrypted PDF Portfolio. Children of the PDF Portfolio will then be extracted and identified using a filename prefix that identifies the parent Portfolio name followed by _pdf_ and then the name of the child document (for example, Portfolio1_pdf_WordDoc1.pdf). Metadata is available for the encrypted PDF Portfolio and the children. For example, the parent Portfolio will indicate that it has children in the metadata, and the children will point to the parent.
• A BitLocker-encrypted disk partition. See How to Manage Container Key Files for information about BitLocker-encrypted partitions, which can be opened using either a Key file or a password. (If you want to supply the password for a BitLocker-encrypted partition as part of password-cracking, the Known Passwords mode is recommended instead of the more intensive modes, and note that for some BitLocker files, you may have to perform a second reprocessing pass.)

Note the following:

• Password cracking does not address a password-protected Lotus Notes NSF file, which you can address by adding a Lotus Notes ID file.
• All decrypted files will report an origparsingstatus and the current parsingstatus, which will indicate success after successful password cracking.

• Password-cracked documents (non-container files) are not rendered on the HTML tab. Although the HTML view is not available after the document is password-cracked, you can still use Text view and show metadata. All container files, password-cracked or not, will identify the files within the container file on the HTML tab.

• Found passwords are stored by the software. The storing of passwords is limited to single-byte characters (that is, there is no support for multi-byte characters such as Chinese, Japanese, and Korean characters).
• The Found password for a given document will appear in the password field for the document in the Export load file (assuming the password field is included in the list of Export Fields). The Organization Administrator can also view the password used to open, parse, and render the document in the Metadata panel of the Document Viewer. (Viewing of the password is restricted to users in the Organization Administrator role by default.)
• If the system has an available OCR node, that node can be used for password cracking (that is, when password criteria has been applied and documents have been submitted for reprocessing).
• If you cancel a password-cracking Job, all documents that had been cracked to that point are updated based on the results of the reprocessing. This ensures that you do not lose the password-cracking work performed prior to the cancellation. You can search for password::<exists> and find all files that were cracked to that point.

Known Passwords

This mode, when enabled, uses the list of Known Passwords in effect during document reprocessing.

The software uses the passwords exactly as they appear in the list, iterating through the list of passwords until an available password enables processing of the file, or until the entire list has been checked.

• Password count <count>View/Edit... — Displays the current number of Known Passwords. Click View/Edit... to manage the list of the Known Passwords.
• Last modified — Indicates when the Known passwords were last modified on the system (for example, Today 11:00 by Admin). This is the last time an Organization User edited the list of Known Passwords by adding, uploading, or deleting them.

Frequently Used Passwords

This mode, when enabled, uses the list of Frequently Used Passwords during document reprocessing, subject to the specified password parameters to match variations of the passwords in the list.

• Password count <count> View/Edit... – Displays the current number of Frequently Used Passwords. Click View/Edit... to manage the list of the Frequently Used Passwords.
• Last modified – Indicates when the Frequently Used Passwords were last modified on the system (for example, Today 11:00 by Admin). This is the last time an Organization User edited the list of Frequently User Passwords by adding or deleting them.

Choose Password Parameters

For the Frequently Used Passwords, specify one or more of the password parameters to provide the desired amount of password cracking (for example, using common substitutions, the appropriate handling of capitalized letters, and word reversal). For the Frequently Used Passwords, it is expected that a password file contains lowercase version of the passwords.

In general, select your parameters carefully, as they will impact the processing time.

Note: Each parameter you select is evaluated. For example, if you select Word Reverse and Capitalize All Letters, and the term password is in the dictionary, the software will try password, PASSWORD, as well as drowssap and DROWSSAP. Note that if you select Capitalize Any Letter, then Capitalize First Letter and Capitalize All Letters will have no effect.

Variations to Attempt:

• Capitalize First Letter – Tries both the lowercase version of the password as well as the initial cap version. For example, if password is in the Cracking dictionary, the software tries both password and Password.
• Capitalize ALL Letters – Tries both the lowercase version of the password as well as the All Cap version. For example, if password is in the Cracking dictionary, the software tries both password and PASSWORD.
• Capitalize Any Letter – This intensive operation tries both the lowercase version of the password as well as all versions in which a letter of the password is capitalized. If the term password is in the dictionary, the software would try 256 passwords (8 characters, both upper and lower), including Password, PASSWORD, pAsSwOrD, and every capitalization possible. If you select Capitalize Any Letter, then Capitalize First Letter and Capitalize All Letters have no effect.
• Word in Reverse – Tries both the word as it appears in the file as well as the word in reverse character order (for example, if the term password is in the Cracking dictionary, the software tries both password and drowssap).
• Common Substitutions– This intensive operation performs a common set of substitutions, replacing letters with symbols. This includes the following substitutions:
  • Replace a with @
  • Replace a with 4
  • Replace b with 8
  • Replace c with (
  • Replace d with 6
  • Replace e with 3
  • Replace g with 9
  • Replace h with #
  • Replace i with 1
  • Replace i with !
  • Replace k with |<
  • Replace l with 1
  • Replace l with |
  • Replace o with 0
  • Replace q with 9
  • Replace s with 5
  • Replace s with $
  • Replace t with 7
  • Replace t with +
  • Replace w with 2u
  • Replace w with uu
  • Replace v with >
  • Replace v with <
  • Replace v with \/ (backslash followed by forward slash, no space)
  • Replace x with %
  • Replace x with >< (greater than followed by less than, no space)
  • Replace z with 2

Brute Force

Brute Force mode, when enabled, causes the software to try all possible passwords in order to find the correct password during document reprocessing. This mode uses the specified password parameters (the password length criteria and the selected types of characters to attempt).

Note: Brute Force is the most intensive password cracking mode, so be aware that the process could take considerable time, depending on the parameters you select. In general, review the parameters for this mode carefully and select only the ones you need. (You should select at least one item under Characters to Attempt in order for Brute Force to be useful.)

Password Length: to characters – Tries passwords in the range of specified characters. The default minimum is 1, and you can specify a value 1 - 12. (This value can be less than or equal to the maximum value.) The default maximum is 7, and you can specify a value 1 - 12. This is a calculated value that takes into account exponential time growth with longer passwords. (This value can be equal to or great than the minimum value.)

Characters to Attempt:

Note: When Brute Force is enabled, the Lowercase, Uppercase, and Digits options are selected by default. In general, select only what you additionally need from the following list, as your selections will impact processing time. For Brute Force to be useful, you must make at least one selection.

• Lowercase (set by default) – Tries lowercase versions of the characters in the passwords: abcdefghijklmnopqrstuvwxyz.
• Uppercase (set by default) – Tries uppercase versions of the characters in the passwords: ABCDEFGHIJKLMNOPQRSTUVWXYZ.
• Digits (set by default) – Tries the digits 0123456789.
• Symbols – Tries the symbols '~!@#$%^&*()_-+={[}]:;" <,>.?/|\
• Spaces – Tries spaces (that is, it adds a space to the list of characters available).
• Custom characters – Tries the characters you specify. These can be any of the above or special characters, such as Spanish characters (but not multi-byte characters).

Password Cracking: Save or Discard Changes

When you specify any password cracking criteria, and/or are ready to enable the appropriate password modes, you must save the changes to put them into effect. If you do not save your changes before navigating away, you will be prompted to either save your changes and continue navigating away, discard your changes and continue navigating away, or cancel your changes and remain in the current location.

• Save – Saves your changes to the Password Cracking modes and associated criteria, putting them into effect for any future reprocessing.
• Discard Changes – Discards your changes to the Password Cracking modes and associated criteria.

Note: You can apply individual parameters and enable the appropriate modes when you are ready.