An individual attended an NHS walk-in centre in order to speak to a physician and they divulged a criminal offence which was reported to the police. Subsequently a large quantity of digital equipment was seized and sent to the digital forensics laboratory for analysis. During the analysis a large number of unique zip files were located which were password protected and the suspect was refusing to cooperate with the investigation. Their contents were therefore of interest to the investigation.
There were 1,017 unique password protected zip files for which the passwords were not known. Compounding this problem was that the user was an interpreter and therefore was conversational in several foreign languages. Some passwords that were retrievable from the systems showed the use of Japanese words written in the Latin alphabet. It would therefore be unlikely that commonly available wordlists would be effective. Whilst some circumstantial evidence had been obtained, gaining access to these containers would prove key.
The large number of zip files had different passwords, therefore the process would need to be automated. The solution to this problem was therefore as follows;
From the 1,017 unique zip files, all but 39 (96%) of them were successfully extracted. Within the zip files was a selection of files which proved the offence beyond a reasonable doubt and the suspect entered a guilty plea.
If you have any questions about this case study, please contact our defensive security team.
