Decryption and Password Decryption using a GPU

  • Decryption and Password Decryption using a GPU


    I am a student and I am currently working through an assignment where I need to analyse a given .E01 image file. To gain as much experience using different forensics tools, I am currently using OSForensics to conduct my investigation.

    The image contains some encrypted .docx files and I am trying to use the decryption tool included in OSForensics. Running the feature without using the GPU seems to work fine, but when I try to use my GPU the program doesn't start the decryption. I've made sure that run_server.exe is bypassing the firewall, so does anyone else have some advice for this?


  • #2
    What type of GPU?
    Was there any error message?
    What version of OSF and Windows?

    I kind of doubt you would be given an assignment that could only be completed by students with a high end GPU.


    • #3
      It's a nVidia GTX 1080ti.

      No error message, it just stuck on this screen...
      OSForensics v7.1 Build 1005 and Windows 10 Home

      I haven't been given an assignment which can only be done by students with high end GPUs, like I said I'm just trying to gain some experience with a wide range of forensic software and the features each software package offers.



      • #4
        Can you restart OSForensics in Debug Mode? And then send in client/server logs in C:\ProgramData\PassMark\OSForensics\PasswordRecovery


        • #5
          Sorry about the delay, I have been busy. Here are the logs you requested.


          • #6
            Thanks for the logs. According to the log, the GPU client was started, but there was an issue with OpenCL.
            Maybe the wrong video card drivers are installed for the video card?

            We don't have GTX 1080TI available, but we'll see if we can replicate the issue.

            Sun Feb 9 18:11:58 2020
            GPU client connected, session id=23477


            Sun Feb 9 18:12:07 2020
            Client Error (3): OpenCL GPU not found or not compatible


            • #7
              We believe we have located the issue. Some supporting files were not updated and/or missing that were utilized by the GPU decryption when we switched to VS2017. A fix has been submitted internally and should be included in the next build update released.


              • #8
                Brilliant, thank you.


                • #9
                  I am having a similar issue. I am going through your online training program and brute-forcing the encrypted Word-Docx file in the Sample Files directory provided in your online training program.

                  I selected four dictionaries and GPU for processing the encrypted file. I have an i9-9900K CPU and 64 GB of system RAM with an ASUS Strix GeForce RTX 2080 Ti (11GB RAM) video card using the latest graphics drivers (456.55) from Nvidia and it appears (see screenshot) the GPU was not utilized in the brute force attack.


                  • #10
                    bkberghuis, Are you using OSF V7, or V8 Beta?
                    If V7, then which patch level?

                    Can you email us or post the log files?


                    • #11
                      I apologize, I should have included the requested information. I was running OSF version 7.1.1012. Furthermore, I did successfully decrypt the file using the CPU. I am running Windows version 2004 (OS Build 19041.50.

                      After reading your post and requested information I renamed the version 7 installed directory to OSForenscis_v7 and installed OSF v8 Beta-9. I subsequently ran the passwords module --> Decryption & Password Recovery selected the installed dictionaries and added the My Secrets.docx (online training encrypted file) and a selected GPU.

                      I now received an error message which I didn't get yesterday. The error message, "Password recovery server can't be initialized!"

                      I then uninstalled both versions 7 & 8. I reinstalled v7.1.1012 and ran it in debug mode. I then tried it again and received the same error.

                      I did check my system firewall settings which appear to be correct. See screenshots and logs for more details.


                      Debug files: .


                      • #12
                        The GPU is only used when decrypting using the Random Passwords dictionary. From your first screenshot, it looks to be working through the Common Name dictionary set. Can you disable all other dictionaries and test with just Random Passwords selected to see if the GPU is used?

                        Regarding the second screenshot, the server failed to start; the error could be caused by an existing instance of "run_server.exe" already running. You can verify by bringing up the Task Manager and looking for a zombie run_server.exe instance. Either restart the machine or kill the process and see if the decrypting will start afterwards. Also note that in the Trial/Free edition, you are also limited to 1 decrypting thread.


                        • #13

                          I ran OSF v7.1.1012 (Licensed) after a fresh restart in debug mode. I selected one dictionary (Random Passwords), selected the training Word-docx file for decryption, and received the error server can't be initialized. I verified through Windows Task Manager there were no zombie run_server processes running. I checked the Windows firewall settings and it showed run_server.exe allowed (Private Network). However, I did discover when looking at my NICs that my network status was set to Public. I subsequently changed the status to a Private Network. I then decided to make a second attempt in debugging mode. Unfortunately, it failed again. I did see some differences in Task Manager.

                          I then decided to reboot and make a third attempt at the decryption. Unfortunately, I had the same results.

                          ***Note*** The uploaded zip file contains numerous screenshots, 1st, and 2nd attempts debug files, and a systemInfo.txt.....

                          Disregard... unable to upload screenshots due to forum upload limits.

                          I hope this helps, please advise.


                          • #14
                            I'll check with other members to see if we have an RTX 20XX to see if they run into the same issue. My testing of V7.1.1012 has been with a GTX 1050 Ti on my local machine and has been working.


                            • #15
                              We tested V7.1.1012 on RTX 2060 and it went okay. It was a new install so we had to go into the firewall settings and enable both network types for run_server.exe. It seems the Windows firewall was blocking it (despite the initial popup).

                              Looking at your screenshot, attempt 1 shows that it failed to start the server at all, while in attempt 2 the server is started, but OSForensics timed out while waiting for it to respond that it started. It might be something on your machine blocking the program? Some anti-virus program? The password decryption uses a distributed method. There is a server that acts as the scheduler and then clients (CPU and GPU) connect to it to get jobs.

                              If you would like to continue to debug it, let us know; you can send us an email. We'll likely have to add extra debug logging to the program or, if we can have access to the machine remotely, we can see if we can spot anything.
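
The checks suggested in posts #12, #13 and #15 (stale run_server.exe instance, network category, firewall rule coverage for both network types) can be gathered in one pass. This is an added example, not part of the thread and not PassMark tooling; it assumes the server binary can be matched by its file name, since the thread does not give its install path.

```powershell
# Added example: triage for "Password recovery server can't be initialized".
# Assumption: the binary is matched by file name only (install path not stated in the thread).
$exeName = 'run_server'

# 1. Stale instances left over from an earlier attempt (post #12).
$stale = Get-Process -Name $exeName -ErrorAction SilentlyContinue
if ($stale) {
    $stale | Select-Object Id, StartTime, Path | Format-Table -AutoSize
} else {
    Write-Output "No $exeName.exe process is running."
}

# 2. Network category of each connected interface (post #13: Public vs Private).
$profiles = Get-NetConnectionProfile
$profiles | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize

# 3. Enabled inbound firewall rules for the binary and the profiles they cover (post #15).
$rules = Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like "*\$exeName.exe" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
$rules | Select-Object DisplayName, Action, Profile | Format-Table -AutoSize

# 4. Flag any active network category that no Allow rule covers.
foreach ($p in $profiles) {
    $cat = $p.NetworkCategory.ToString()   # Public, Private or DomainAuthenticated
    if ($cat -eq 'DomainAuthenticated') { $cat = 'Domain' }
    $covered = $rules | Where-Object {
        $_.Action -eq 'Allow' -and
        ($_.Profile.ToString() -eq 'Any' -or $_.Profile.ToString() -match $cat)
    }
    if (-not $covered) {
        Write-Warning "No enabled inbound Allow rule for $exeName.exe on the $cat profile ($($p.InterfaceAlias))."
    }
}
```

A Block rule listed in step 3 for the active profile is consistent with the behaviour described in post #15, where the firewall blocked the server despite the initial popup.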