Hashcat Basics for Mobile Forensic Investigators
What is Hashcat?
Hashcat is a popular password-cracking tool that security professionals, researchers, and digital forensic specialists use to recover lost or forgotten passwords. It works by taking a password hash, a unique alphanumeric representation of a password, and using numerous attacks to guess the password that produced the hash. Hashcat is fast and efficient, making it a powerful tool for password recovery.
According to GitHub, “Hashcat is the world’s fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. Hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.”
Hashcat is unaffiliated with Magnet Forensics and licensed under the MIT license.
How Hashcat Works
Hashcat takes advantage of known vulnerabilities in password hashing algorithms, such as MD5 or SHA-256. These algorithms work to take a password and produce a unique fixed-length string of characters, known as a hash. The hash is typically stored in a database or file, along with other user information, such as usernames or email addresses.
Hashcat uses various techniques to crack passwords, such as brute force attacks, dictionary attacks, and hybrid attacks. Brute force attacks try every possible combination of characters until you find the correct password. Dictionary attacks use a pre-computed list of commonly used passwords to try and match the hash to a password. Hybrid attacks combine these two approaches, using a custom wordlist and adding additional characters or rules to each word.
Once Hashcat has successfully cracked the password, it will display the plain-text version of the password to the user. Digital investigators can use plain text to test their passwords’ strength or recover lost ones.
New (and seasoned) mobile forensic investigators who want to learn more about how they can use Hashcat in an investigation are invited to watch an on-demand webinar from DFS Matt Fullerton and DFS Stephen Coates: *Using the Passcode History File and Hashcat. Passcode history can be beneficial for your investigation but can be challenging to obtain. In this webinar, you’ll learn how you can use data extracted using Magnet GRAYKEY, in combination with Hashcat, to recover passwords for faster case resolution.
*This video is available to vetted law enforcement professionals who have requested and/or obtained login credentials to access the webinar.