When a computer document is suspect but access is password-protected, digital forensics experts must attempt to decrypt it. Once the file format - .jpg, .pdf, etc. - is determined, experts use specialized software that tries possible passwords. Once the password is found, the document can be opened. The computer in this case was seized from Michael Ryan South, who was convicted of crossing state lines to have sex with a child. Investigators believe encrypted files on the computer contain child pornography. The graphic below shows one program, Password Recovery Toolkit, which can run as many as 250,000 possible passwords per second.
Federal agents in Mobile investigating an accused child predator sent a computer to cyber consultant Gus Dimitrelos on Jan. 2 with a request that he open encrypted files that they believed contained child pornography.
Dimitrelos, a retired Secret Service agent who assists the U.S. Attorney's Office, easily discovered the secret password to log on to the computer. The encrypted files proved exponentially more stubborn. One hundred and 80 days later, having tried some 9.5 billion passwords, a forensic software program working around the clock on the seized computer has yet to break the code and reveal the files' secrets. In May, prosecutors convicted the computer's owner, Michael Ryan South, of traveling across state lines to try to have sex with a child.
Still, Dimitrelos' computers never rested in their efforts to probe South's machine. "We're going to decrypt it," Dimitrelos said. "I just have to wait. There's nothing else I can do. ... It could be years. We could be having the same conversation three years from now." Or significantly longer, according to some computer experts. Nine and a half billion "is not a lot when you're talking about trillions or quintillions of possible combinations," said Philip Craiger, an engineering technology professor at the University of Central Florida in Tampa.
Regardless of the outcome, South is going nowhere. With a prior sex offense on his record, he faces an automatic life sentence for his latest conviction.
But Dimitrelos said that it's important to try to open the encrypted files because they might contain evidence about molestation of which investigators are unaware. If investigators find child pornography, Dimitrelos said, they will turn the information over to prosecutors.
Would they bring new charges against a man already serving life? "It depends on what's on there," said Maria Murphy, the acting chief of the criminal division of the U.S. Attorney's Office.
Dimitrelos throws as many as five computers, each with an Intel Core Duo processor, resulting in the equivalent of 10 computers, at the challenge. At times, he redirects some of the computers to other tasks. Dimitrelos uses a "brute force" program known as Password Recovery Toolkit by a company called Access to run through different groups of possible passwords at a rate as fast as 250,000 a second. The first group, for instance, consists of just 10 possible passwords, the numbers 0 through 9, followed by searches of two digits and three digits. The program searches the alphabet, entire dictionary and then various combinations of letters, numbers and other keys. Foreign languages can be employed.
Dimitrelos recently demonstrated for the Press-Register how the process works. He copied the newspaper's logo from its Web site into a Microsoft Word document, encrypted it and assigned it the password "register." The program ran through 15 different searches. On the 16th, a search of the dictionary, the program came upon the correct password. The entire process, on Dimitrelos' small laptop computer, took a minute and 4 seconds. An earlier test of the same information that he ran on a faster computer took just 12 seconds to complete. What makes the task so hard in the South case, Dimitrelos said, is the level of encryption protecting the password and the sophistication of the password that the defendant used. At 256 bits, he said, it is equal to the standard that the government employs to protect top-secret documents. The software installed on South's computer allows for a password that is up to 109 characters long.
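The figures quoted above (a peak of 250,000 guesses per second, 9.5 billion guesses in 180 days, a 256-bit key) can be turned into search-space estimates that show why password length and randomness decide the outcome. This is an added example, not part of the original article; the alphabet sizes are assumptions chosen for illustration.

```python
import math

# Figures quoted in the article.
PEAK_RATE = 250_000             # guesses per second at the tool's fastest
GUESSES_TRIED = 9_500_000_000   # guesses reported so far
DAYS_ELAPSED = 180
KEY_BITS = 256
SECONDS_PER_YEAR = 365.25 * 86_400

# Assumed alphabets (not from the article), for illustration only.
ALPHABETS = {"digits": 10, "lowercase": 26, "letters+digits": 62, "printable ASCII": 95}


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Exact count of passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def years_to_exhaust(candidates: int, rate: float = PEAK_RATE) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return candidates / rate / SECONDS_PER_YEAR


def effective_rate(guesses: int = GUESSES_TRIED, days: int = DAYS_ELAPSED) -> float:
    """Average guesses per second actually achieved over the reported period."""
    return guesses / (days * 86_400)


def longest_length_covered(alphabet_size: int, guesses: int = GUESSES_TRIED) -> int:
    """Longest L for which every password of length 1..L fits in `guesses`."""
    length = 0
    while keyspace(alphabet_size, length + 1) <= guesses:
        length += 1
    return length


def length_matching_key(alphabet_size: int, key_bits: int = KEY_BITS) -> int:
    """Shortest random password whose search space is at least 2**key_bits."""
    return math.ceil(key_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print(f"average rate over {DAYS_ELAPSED} days: {effective_rate():,.0f} guesses/s")
    for name, size in ALPHABETS.items():
        covered = longest_length_covered(size)
        years = years_to_exhaust(keyspace(size, covered + 3))
        print(f"{name:16} fully covered to length {covered}; "
              f"length {covered + 3} needs {years:,.1f} years at peak rate; "
              f"{length_matching_key(size)} random chars match a {KEY_BITS}-bit key")
```

For printable ASCII the break-even length is 39 random characters, well under the 109-character limit the article cites, so a long random password leaves the 256-bit key itself as the smaller search space.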
The Toolkit program will run through all known dictionaries, cookbooks, technical manuals and other documents searching to find the combination of letters that might open the lock. If that fails, Dimitrelos said, it will begin searching custom-made lists derived from South's interests, dates that have meaning to him and other personal data.
As a last resort, the program can start searching through random combinations of letters, numbers and special characters. If that's the case, said Central Florida's Craiger, the password could be virtually impossible to break. "It would take to the end of the universe in time to break it," he said. "Essentially, you might as well give up." The surprising and, to investigators, disconcerting aspect of South's subterfuge is that he is no computer specialist.
The program that he used to encrypt his files is readily available for free on the Internet, Dimitrelos said. "What he's doing is researching the data," Dimitrelos said. "He's not advanced. The tools are advanced."
Craiger predicted that law enforcement agencies increasingly will face complications investigating cyber crimes as encryption software becomes more powerful and dispersed.
"There's tons of software both free and cheap on the Internet," he said. Dimitrelos suggested that the technology will force changes in the way that police investigate cyber crime. The standard practice now is for officers serving a search warrant to shut down the computer and take it to a forensics lab. Dimitrelos said it would be far better for police to keep the computer running, and summon a forensics expert to the scene, where the data can more easily be obtained.
"We're in a position where one day we will be pulling the plug on pulling the plug," Dimitrelos said.