Dictionary File

  • Dictionary File

    Hello -

    I am attempting to crack an iTunes encryption password on an iPhone 6S (A1633) mobile backup using Passware's password cracking software.

    I have a forensic image of the Windows OS laptop belonging to the owner of the iPhone 6S.

    Is it possible to export a "Dictionary" file from OSForensics once I have created an index of the Windows laptop?

    I would like to use the custom Dictionary file to speed up the password cracking of the iPhone mobile backup.

  • #2
    When you use OSForensics to create an index (using the "Create Index" module) then it extracts the words from all the documents found on the hard drive and turns them into an index. One of the files in the index is the dictionary of words found.

    Within OSF you can use this word dictionary to attempt to crack encrypted documents.

    We have never made any attempt to feed the dictionary into a 3rd party tool. But here are some details to get you started.

    The dictionary files are always called, "zoom_dictionary.zdat"

    There is one zoom_dictionary.zdat file per index you create in OSF.

    The index files are found in the Case folder. By default this is,
    C:\Users\<UserName>\Documents\PassMark\OSForensics\Cases\<CaseName>\Index\<IndexName>\zoom_dictionary.zdat

    The content of the zoom_dictionary.zdat file is a text file in UTF8 format.

    Example content is,

    redirect 129312 2
    alreadi 129326 1
    stori 130644 5

    The numbers, 129312, 129326, etc. are internal reference numbers used for fast searching of the full document set. So you don't want these.

    So to make use of the dictionary in an external tool you would need to strip off the numbers. Which is easy enough to do with a regular expression find and replace operation. Take a copy of the file before doing this as regular expressions are easy to mess up.

    Note that there are some limitations with using a search index dictionary as a password cracking dictionary. The main ones are,
    1) The dictionary is a dictionary of individual words. Not a dictionary of phrases. So none of the words will have space characters in them.
    2) Some punctuation characters are stripped from the words, e.g. ( ) { } [ ], etc. So if your password contains these characters you're out of luck with this approach.
    3) There is a max word length of 35 characters. So if your password is 36+ characters you're out of luck with this approach.

    Also I have no idea what Passware's product will accept as input. If it doesn't take a UTF-8 text list, then further manipulation on the text file will be required to get it into an acceptable format.

    Let us know how you go.
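
The number-stripping step described in the reply above, as an added example that is not part of the original thread and is not PassMark's code. It assumes every line has the layout shown in the three sample lines (word, reference number, count, separated by whitespace); the function names and the output file name are hypothetical. It writes a new file and never modifies the original zoom_dictionary.zdat.

```python
import re
import sys

# Assumed layout, inferred from the sample lines in the post:
# <word> <reference number> <count>
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s*$")

def extract_words(lines):
    """Return (words, rejected): unique words in first-seen order, plus
    (line number, text) for every line that does not fit the layout."""
    seen = set()
    words, rejected = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.lstrip("\ufeff").strip()  # tolerate a UTF-8 BOM
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            # Report instead of guessing, so nothing is dropped silently.
            rejected.append((lineno, line))
            continue
        word = match.group(1)
        if word not in seen:
            seen.add(word)
            words.append(word)
    return words, rejected

def convert(src_path, dst_path):
    """Read the index dictionary and write one word per line as UTF-8."""
    with open(src_path, encoding="utf-8-sig") as src:
        words, rejected = extract_words(src)
    with open(dst_path, "w", encoding="utf-8", newline="\n") as dst:
        dst.writelines(word + "\n" for word in words)
    return len(words), rejected

# The three sample lines quoted in the post.
SAMPLE = "redirect 129312 2\nalreadi 129326 1\nstori 130644 5\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python strip_zdat.py zoom_dictionary.zdat wordlist.txt
        count, bad = convert(sys.argv[1], sys.argv[2])
        print(f"{count} words written, {len(bad)} lines rejected")
        for lineno, text in bad:
            print(f"  line {lineno}: {text!r}")
    else:
        print(extract_words(SAMPLE.splitlines()))
```

Check the rejected lines before relying on the output: any line reported there did not match the assumed layout and was left out of the word list.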