John the Ripper and partially known password bruteforce

[MysteryMiner]

I have this DiskCryptor 0.9.x encrypted computer that I only partially remember password. I used this password for every day for like 1,5 years and one not so good evening I came back home, entered the password and it was not accepted. Tried various combinations, maybe I missed some letter or wrong case. Nothing. I am pretty sure that the encryption is not malfunctioning or somehow gotten corrupted. It is the password that got some bit flip in my brain. It got not only several bitcoins stored on that computer, but my digital life for almost decade that is locked away - pictures, music, game saves, everything.

I have the password written down after the incident as I remember it. Obviously, it is not the exact correct password. I think that John The Ripper is best software that can do various permutations on a text string given, then feed the output into command line of diskcryptor and depending of diskcryptor returned status repeat with new password or print out correct password. All could be controlled with BAT file.

I need some ideas and general discussion. Maybe someone have better software that can manipulate a password. I have no backups, the setup was super paranoid and secure.

[LoyceV]

I have no backups

I can't help you with your problem, but (to state the obvious) I can recommend to create a backup first: create a disk image (or more than one). The image will still be encrypted, but at least disk failure won't mean losing the data if you ever recover the password.

[MysteryMiner]

Of course I have created disk images and working on them.

A tool that creates wordlist from mangling given passphrase also would be workable. In fact it could be much better since it will be simpler for me to implement in bat file.

[whanau]

I think john the ripper is the right tool also. Have a look at this.

 https://countuponsecurity.com/wp-content/uploads/2016/09/jtr-cheat-sheet.pdf

There are many sites you can download rule sets from.

[Smartprofit]

I have this DiskCryptor 0.9.x encrypted computer that I only partially remember password. I used this password for every day for like 1,5 years and one not so good evening I came back home, entered the password and it was not accepted. Tried various combinations, maybe I missed some letter or wrong case. Nothing. I am pretty sure that the encryption is not malfunctioning or somehow gotten corrupted. It is the password that got some bit flip in my brain. It got not only several bitcoins stored on that computer, but my digital life for almost decade that is locked away - pictures, music, game saves, everything.

I have the password written down after the incident as I remember it. Obviously, it is not the exact correct password. I think that John The Ripper is best software that can do various permutations on a text string given, then feed the output into command line of diskcryptor and depending of diskcryptor returned status repeat with new password or print out correct password. All could be controlled with BAT file.

I need some ideas and general discussion. Maybe someone have better software that can manipulate a password. I have no backups, the setup was super paranoid and secure.

Did you enter your password from memory every day for 1.5 years, that is, 547 times, and then forgot it?  Here we can say unequivocally - you REMEMBER your password. 
And in order to restore it, you will not need any additional software or a password written down after the “incident” occurred.  You need to work with your memory.  For example, completely restore the entire atmosphere of one of those 547 days when you remembered your password well and successfully decrypted your computer. 
Remember the exact time when you started working at the computer, the smells from the kitchen, your thoughts and moods at that moment, visual images - that is, everything that can mentally return you to that time.... 
In neurolinguistic programming these are called "anchors".  By activating the “anchors”, you can quite easily hack your own brain and extract the information you need from it. 
As a last resort, you can resort to the help of an appropriate specialist who knows similar techniques.

[MysteryMiner]

Did you enter your password from memory every day for 1.5 years, that is, 547 times, and then forgot it?  Here we can say unequivocally - you REMEMBER your password.

I probably did not enter it every day, but sometimes it went without entering the password for week, sometimes I entered the password multiple times per day when installing and rebooting. I am pretty confident it was at least 350 times over course of the usage of that computer. That unhappy day I hibernated the computer at morning, went to study, returned home, powered the computer but it refused my password I entered multiple times. That was stressful time in my life - study and exams, relationship issues, and that day I slipped on icy road and slightly hurt my leg (not head!). I entered the password mostly from muscle memory, because it was 28 or more random characters, upper and lower case, numbers and special symbols. As it turns out the brain is unreliable storage medium.

The incident happened 8 years ago. I left the computer as-is and counted the data as unrecoverable. Because I made it to be immune against seizing and decryption attempts by KGB, FBI, CIA and NSA. But now I want to restore the computer as it was because it is in very good physical condition and very great example of that era ( HP Pavilion dv8000) and I have the the disk images to play with and spare hardware to run brute force on.

[ABCbits]

I have this DiskCryptor 0.9.x encrypted computer that I only partially remember password. I used this password for every day for like 1,5 years and one not so good evening I came back home, entered the password and it was not accepted. Tried various combinations, maybe I missed some letter or wrong case. Nothing. I am pretty sure that the encryption is not malfunctioning or somehow gotten corrupted. It is the password that got some bit flip in my brain. It got not only several bitcoins stored on that computer, but my digital life for almost decade that is locked away - pictures, music, game saves, everything.

I have the password written down after the incident as I remember it. Obviously, it is not the exact correct password. I think that John The Ripper is best software that can do various permutations on a text string given, then feed the output into command line of diskcryptor and depending of diskcryptor returned status repeat with new password or print out correct password. All could be controlled with BAT file.

I need some ideas and general discussion. Maybe someone have better software that can manipulate a password. I have no backups, the setup was super paranoid and secure.

Since you said you enter it everyday for 1.5 years, i feel it's far more likely the header got corrupted. By header, i refer to section of the partition which store key needed to perform decryption[1]. Anyway, you might also want to ask for help on DiskCryptor GitHub or forum, since it's less popular than BitLocker or LUKS.

[1] https://diskcryptor.org/volume/

[dsjgjf]

Have you tried using win pe to get the bitcoin file?

[ABCbits]

Have you tried using win pe to get the bitcoin file?

win pe as in Windows Preinstallation Environment? I don't see how it can help OP perform brute-force in order to decrypt the encrypted disk.

[Smartprofit]

Did you enter your password from memory every day for 1.5 years, that is, 547 times, and then forgot it?  Here we can say unequivocally - you REMEMBER your password.

I probably did not enter it every day, but sometimes it went without entering the password for week, sometimes I entered the password multiple times per day when installing and rebooting. I am pretty confident it was at least 350 times over course of the usage of that computer. That unhappy day I hibernated the computer at morning, went to study, returned home, powered the computer but it refused my password I entered multiple times. That was stressful time in my life - study and exams, relationship issues, and that day I slipped on icy road and slightly hurt my leg (not head!). I entered the password mostly from muscle memory, because it was 28 or more random characters, upper and lower case, numbers and special symbols. As it turns out the brain is unreliable storage medium.

The incident happened 8 years ago. I left the computer as-is and counted the data as unrecoverable. Because I made it to be immune against seizing and decryption attempts by KGB, FBI, CIA and NSA. But now I want to restore the computer as it was because it is in very good physical condition and very great example of that era ( HP Pavilion dv8000) and I have the the disk images to play with and spare hardware to run brute force on.

You have a very good memory if you can remember 28 or more random characters... 
You wrote that you relied on muscle memory, but it was damaged after injury?  Perhaps hypnosis will help you? 
An experienced hypnotist can mentally transport you back in time and “give you a verbal command” to enter the correct password.  Your muscle memory may be blocked, but it is not gone, so it is possible that you will be able to decrypt your computer.  And then the hypnotist will bring you out of the altered state and you will change the password to a new one (which you will write down in a paper notebook). 
In general, it seems that crypto enthusiasts very often lose access to their Bitcoin wallets precisely because of their paranoia, due to overly complex passwords that they forget. 
Because the story you told is not the only such case.

[LoyceV]

I entered the password mostly from muscle memory, because it was 28 or more random characters, upper and lower case, numbers and special symbols. As it turns out the brain is unreliable storage medium.

That's how I enter most of my passwords too: I wouldn't be able to write them down, but I can easily enter them on a keyboard. And that brings me to my next question (small chance): have you tried a different keyboard? Or enter it 100 times in a text document, and see where you make common mistakes?

[NotATether]

This is the sort of thing that I'd store in a password manage though. Just saying.

The disk image obviously is not something that should go in a password manager but particularly when you are dealing with random passwords, you are inevitably going to forget them so you need to save them somewhere.

Even passwords made from combinations of words that are otherwise easy to remember can be forgotten if you suddenly get distracted with other things.

[LoyceV]

The disk image obviously is not something that should go in a password manager

I actually did that once (at work!): I stored the password to an encrypted container inside that encrypted container. Luckily I had a backup of the data.
And you'll still have to remember the password to the password manager

[DecipherBTC]

OP

Here is an example to bruteforce your password with hashcat or Johntheripper:

1. Lets say the password is "Bitcoinlover184%"

The only part of the password you remember and are sure about is that it contained "bitcoinlover" and maybe you remember the lenght or approx lenght.


You could either use the mask attack like this ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a

This would find your password but you would need an Extreme amount of GPU power.

Rather, like i would do is implement a couple of statistically proven password rules and it would be this:


Dictonary + bruteforce attack

1. put bitcoinlover in wordlist

use masks on the password. For example:

?H?itcoinlover?d?d?d?a

This mask would crack the password very fast but is not realistic as we dont know all the Details of the password. This is just meant to show you how easy it can be to crack passwords.

[MysteryMiner]

Since you said you enter it everyday for 1.5 years, i feel it's far more likely the header got corrupted.

I also suspected this is the case, but I have no idea how it must happen by accident. Header corrupion usually happens when improperly configured Windows tries to initialize encrypted drive and overwrites header. How it can happen on laptop going to hibernation I do not know. Cosmic rays hit my RAM chip maybe? Also, the computer have 2 hard drives encrypted with same password. Both drives do not accept password, I deduct that it is wrong password, not corrupted volume header at play.

Have you tried using win pe to get the bitcoin file?

BEGIN
10 One of us two are stupid.
20 I am not stupid.
END

I know a lot about computers, forensics, data rescue, repairs, troubleshooting, administration. If WinPE would get to my wallet file, I would use it.

You have a very good memory if you can remember 28 or more random characters... 

One of few good things about me. Increases my nerdyness level at expense of social skills stats.

You wrote that you relied on muscle memory, but it was damaged after injury?  Perhaps hypnosis will help you?
An experienced hypnotist can mentally transport you back in time and “give you a verbal command” to enter the correct password.  Your muscle memory may be blocked, but it is not gone, so it is possible that you will be able to decrypt your computer.  And then the hypnotist will bring you out of the altered state and you will change the password to a new one (which you will write down in a paper notebook). 

Yes I relied on muscle memory. No, I sligtly bruised my leg, not arm or head. I was only stressed, studying before exam, and very mild infection of common cold. It appears it is enough to lose the muscle memory. Also I live in a place where there is no hypnotists or similar charlatans available. I am also very resistant to suggestion and hypnosis, discovered that after friends invited me to religious sect where the priestess attempted to scare me, hypnotize and other tricks just to later privately admit that I am crazy or psychopath and completely immune to contact. It will not help. Also, the password was lost in February 2016 so pretty much time have been passed since then.

In general, it seems that crypto enthusiasts very often lose access to their Bitcoin wallets precisely because of their paranoia, due to overly complex passwords that they forget.
Because the story you told is not the only such case.

There are lot of stories when people forget the encryption password or damage the key material and lose their files. But they are just files. There are also even more stories where people make some dumb opsec mistakes and FBI rummage trough their filesystems and smear them with shit in court. And they lose the files as in first example plus their freedom in addition. And then there are few examples where people encrypt their devices properly AND refuse to give password and eventually they go free. The fact that You or I have paranoia does not mean glowies are not after us.

And that brings me to my next question (small chance): have you tried a different keyboard?

Laptop computer, used as Desktop Replacement. Nothing changed.

enter it 100 times in a text document, and see where you make common mistakes?

Really good idea! Will try it.

This is the sort of thing that I'd store in a password manage though. Just saying.

I use KeePass on my computer for all sorts of passwords, but obviously preboot authentification password should be stored somewhere else. I could try to find old keepass database file on my old backups in hope that it contains the password in question but I first need to get the drives recognized and unlocked. They are failing or failed, IBM Deskstars GXP120

OP

Here is an example to bruteforce your password with hashcat or Johntheripper:

1. Lets say the password is "Bitcoinlover184%"

The only part of the password you remember and are sure about is that it contained "bitcoinlover" and maybe you remember the lenght or approx lenght.


You could either use the mask attack like this ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a

This would find your password but you would need an Extreme amount of GPU power.

Rather, like i would do is implement a couple of statistically proven password rules and it would be this:


Dictonary + bruteforce attack

1. put bitcoinlover in wordlist

use masks on the password. For example:

?H?itcoinlover?d?d?d?a

This mask would crack the password very fast but is not realistic as we dont know all the Details of the password. This is just meant to show you how easy it can be to crack passwords.

Thank You, as I read Jack the Rapper documentation it might help. First I envisioned the JTR running under BAT file control, but now I also discovered software that takes wordlists directly and works with TrueCrypt and DiscCryptor under Windows. Now only the question is a good wordlist that contains my password from the password I remember and have written down.

[ABCbits]

Since you said you enter it everyday for 1.5 years, i feel it's far more likely the header got corrupted.

I also suspected this is the case, but I have no idea how it must happen by accident. Header corrupion usually happens when improperly configured Windows tries to initialize encrypted drive and overwrites header. How it can happen on laptop going to hibernation I do not know. Cosmic rays hit my RAM chip maybe? Also, the computer have 2 hard drives encrypted with same password. Both drives do not accept password, I deduct that it is wrong password, not corrupted volume header at play.

I recall hibernation dump RAM content to the disk and load the dump to RAM once hibernation ends, so i doubt it's cosmic rays hit your RAM. And since you mention 2 drive, header corruption become unlikely. But just in case, have you checked S.M.A.R.T. status of both drives?

[MysteryMiner]

Since you said you enter it everyday for 1.5 years, i feel it's far more likely the header got corrupted.

I also suspected this is the case, but I have no idea how it must happen by accident. Header corrupion usually happens when improperly configured Windows tries to initialize encrypted drive and overwrites header. How it can happen on laptop going to hibernation I do not know. Cosmic rays hit my RAM chip maybe? Also, the computer have 2 hard drives encrypted with same password. Both drives do not accept password, I deduct that it is wrong password, not corrupted volume header at play.

I recall hibernation dump RAM content to the disk and load the dump to RAM once hibernation ends, so i doubt it's cosmic rays hit your RAM. And since you mention 2 drive, header corruption become unlikely. But just in case, have you checked S.M.A.R.T. status of both drives?

Have not checked after the incident, but I checked them at least one a month and they both were in great shape and also worked flawlessly. So the problem is not some sort of hardware failure.

[Cricktor]

I heard or read somewhere that the folks in the password cracking scene (the white hat password crackers) are a quite helpful bunch.

From reading over your thread, I'd say that likelyhood of encryption header corruption isn't high, when two separate devices can't be unlocked. That said, I know nothing about this DiskCryptor 0.9.x software you used for your setup.

Have you investigated if there's any potential issues with hibernation mode with that software?
Likely this can be dismissed, too, as I assume it wasn't the first and only time you sent your device into hibernation mode with your encrypted disks.

When you are sure about certain chunks/pieces of your encryption password, then I'd seek help in the forums of John the Ripper or Hashcat. There are really knowledgeable people there who can assist you to create a decent password generator and mangling script to execute a sophisticated and feasible crack attack.

As you don't seem to be a computer noob, it should be obvious to only work on forensic copies of your encrypted disks. If you haven't done yet, make forensic copies of your encrypted harddisks, after that you can leave the original mechanical disks at rest.

As your encrypted disks hold a significant value, you should make multiple copies of the forensic copies to ensure you'll never loose any of the forensic copies by any chance.

You do your cracking only on copies of the forensic copies, if that's not clear and obvious already. The above mentioned cracking tools usually only need a certain portion of encrypted key material or encryption header to work on. If DiskCryptor is known to John the Ripper or Hashcat then usually there are tutorials or recipies how to extract such data for further cracking work.

Good luck and I'd appreciate to keep us posted of your unlocking journey! There's always some lesson to learn from this.