You are on page 1of 262

PasswareKit

UserGuide

www.LostPassword.com

Overview of the Passware Kit


You can use the Passware Kit to recover lost file, e-mail, and Internet
passwords, as well as search for password-protected files.
What do you want to do?
Learn more about the Passware Kit
Quick Start

Quick Start
Recovering a lost password is easy with the Passware Kit. Simply follow these
basic steps:
1. Launch the Passware Kit application.

2. Click the link on the Start Page that relates to the type of password you
want to recover (file, e-mail and network, or Windows Administrator).
3. Follow the instructions on the screen -- for some types of passwords, such
as file passwords, you have to fill out a few fields; for other types, such as
Outlook Express account passwords, the password recovery process starts
immediately.
4. When the password recovery process is complete, the results are displayed
in the window.
5. You can then save and print the results.
NOTE: At any time when using Passware Recovery Kit, you can click the Start
Page button at the top of the screen to cancel out of what you are doing and
start over.

What do you want to do?


Recover a lost file password
Recover a lost e-mail, Internet, or network password
Reset your Windows Admin password

Search for password-protected files


Recover a lost password for encrypted hard drive
Recover lost passwords for a standalone computer (registry analysis)
Recover passwords from Windows/Unix/Mac hash files
Work with Passware Kit Portable
Use Passware Kit Forensic with EnCase
Test password recovery settings

Getting Around in the Passware Kit Application


Navigating in the Passware Kit application is as simple as a few mouse clicks.

Important Buttons
Here are a few of the most commonly used buttons.
Takes you to the Start Page (the page that appears
when you launch the application).
Starts the currently selected action, such as a
password attack or search for protected file.
Takes you to the previously displayed page, just as
in an Internet browser.
Takes you to the next page in your browsing
sequence.
Opens this Help file.

Window Arrangement
The main application window is divided into two main parts. The left pane lists
available actions (these vary, depending on what you are doing), and details
about the currently viewed action, if there are any.
The wider, right pane is where you select choices, enter values, and view
password recovery and protected file search results.
At the bottom of the window is a status bar that may contain hints on how to
proceed.

Working with Passware Kit


You can use the Passware Kit to recover lost passwords, wherever they are -file passwords, e-mail account passwords, Internet passwords, and VPN and
network passwords.
What do you want to do?
Recover a lost file password
Recover a lost e-mail, Internet, or network password
Reset your Windows Admin password
Search for password-protected files
Recover a lost password for encrypted hard drive
Recover lost passwords for a standalone computer (registry analysis)
Recover passwords from Windows/Unix/Mac hash files
Work with Passware Kit Portable
Work with Decryptum Portable
Use Passware Kit Forensic with EnCase
Test password recovery settings

Recovering File Passwords


Not being able to open or use a file because you can't remember its password
can be frustrating. The Passware Kit can help you recover passwords for many
types of files.
The quickest way to start password recovery for a file is to click the Recover
button on the Start Page, or press Ctrl+O.

Once the Passware Kit discovers the password for a file, it remembers that
password. If you ever forget the same password, you don't have to run all the
attacks again - simply select the file, and the Passware Kit displays the
password immediately.
If one or more passwords in the original file were reset (changed) or removed
(for example, QuickBooks QBW passwords to open or MS Excel Workbook and
Worksheet passwords), the Passware Kit creates an unprotected file that is
listed in the results of the password recovery process. If the Passware Kit
recovers all original passwords, it doesnt create the unprotected file (for
example, MS Excel passwords to open and MS Access passwords).
What do you want to do?
Use the Password Recovery Wizard - best for users who know
something about their passwords, but are new to password
recovery.
Run the default attacks - best for users who know nothing about
their passwords.
Use the Attack Editor - best for advanced users and who are
decrypting strong passwords.
Learn about reports and log files

Using the Attack Wizard


The Attack Wizard walks you through setting up your search for a lost file
password, step-by-step. The Attack Wizard is best for situations where you
know something about the password, but are new to password recovery.
When you complete the Wizard, Passware Kit automatically sets up the proper
password recovery attacks, based on your answers.

Starting the Attack Wizard


1. Launch the Passware Kit application.
2. Click Recover File Password (or press Ctrl+O). This displays the Open
dialog box.
3. Choose the file for which you want to find the password, and click Open.
This displays the screen shown below:

4. Click Run Attack Wizard (or press Ctrl+W).

Filling Out the Attack Wizard Information


The Attack Wizard consists of several screens, asking you to supply as much
information about your password as possible.
NOTE: At any point in the Attack Wizard, you can click the Skip and Start
button to simply start recovering your password - but bear in mind that the
recovery process may take longer, or be less successful, than if you had
completed the wizard.
Specifying the General Password Format
The first Attack Wizard screen, shown below, asks you to supply the general
format of the password. For example, does it consist of one dictionary word, or
more than one? Choose the best selection and click Next.

NOTE: If you choose I know nothing about my password, there are no


"Next" screens - simply click Finish to start the password recovery process
with the default settings.
From this point forward, the Attack Wizard screens differ, depending on which
general format you choose.
Single Dictionary Word
Multiple Dictionary Words
One or More Dictionary Words Combined with Letters, Numbers, or

Symbols
Non-dictionary, but Similar to a Dictionary Word
Other

Running the Default Attacks


If you do not know anything about a missing password, you can simply run the
default attacks to find the password.

Starting the Default Attacks


1. Launch the Passware Kit application.
2. Click Recover File Password (or press Ctrl+O). This displays the Open
dialog box.
3. Choose the file for which you want to find the password, and click Open.
This displays the screen shown below:

4. Click Use Pre-defined Default Attacks (or press Ctrl+D).


The attacks start immediately, and when finished, the results appear in the
window.

Which Attacks Are Run


The following list describes the default attacks, in the order in which they are
run, and gives examples of the sort of password each attack is best at finding,
where appropriate.
1. Previous Passwords Attack (with modifiers Original Password, Normal
Casing, Upper Casing, and Lower Casing)
2. Decryptum Attack (if applicable) - free demo preview of decrypted Word or
Excel file
3. SureZip Attack (if applicable) - instant decryption of Zip archives up to
version 8.0
4. Brute-force Attack (English, 1-4 characters, full symbol set: lowercase
letters, uppercase letters, numbers, symbols, space)
Sample password: "Pw5@"
5. Dictionary Attack (English words up to 15 letters, with all possible Casing
modifiers)
Sample password: "Specialization"
6. Xieve Attack (passwords similar to English words, from 5 to 9 letters,
lowercase, level "Medium" - checks common combinations of letters only)
Sample password: "mycomp"
7. Brute-force Attack (Numbers only, from 5 to 8 characters)
Sample password: "23012009"
8. Join Attacks group:
1. Dictionary Attack (English words from 1 to 9 letters)
+
2. Append Attacks group:
1. Brute-force Attack (from 1 to 2 characters, symbols+numbers)
2. Brute-force Attack (from 3 to 4 characters, numbers only)
Sample password: "open123"
9. Join Attacks group:
1. Dictionary Attack (English words from 1 to 9 letters)
+
2. Dictionary Attack (English words from 1 to 9 letters)
Sample password: "greenapple"
10. Brute-force Attack (English, from 5 to 7 characters, lowercase letters +

numbers)
Sample password: "qw3erty"
11. Xieve Attack (passwords similar to English words, from 10 to 11 letters,
lowercase, level "Low" - checks almost all combinations of letters)
Sample password: "sweetemily"

Using the Attack Editor


The Attack Editor allows you great control over the password recovery process.
You can choose which attacks you want to use, modify attack settings, and
combine attacks. The Attack Editor is best used if you are an experienced IT
person who knows a lot about password recovery.

Starting the Attack Editor


1. Launch the Passware Kit application.
2. Click Recover File Password (or press Ctrl+O). This displays the Open
dialog box.
3. Choose the file for which you want to find the password, and click Open.
This displays the screen shown below:

4. Click Use Attack Editor (or press Ctrl+E).


The Attack Editor appears, a sample of which is shown in the following figure.

The Attack Editor window is divided into three parts. On the left, you see
available actions and details. In the middle are the attacks which will be run,
and on the right is an "attack tree" which lists available attacks and attack
modifiers.
Once you have the attacks the way you want them, start the attacks by
clicking the Start button at the top of the window
clicking the Start Recovery button in the bottom right corner of the
Attack Editor window
clicking on the Start Recovery selection in the Actions area of the left
pane.
What do you want to do?
Add an attack
Remove an attack
Rearrange Attacks
Use Attack Modifiers
Reset attack settings to their default values
Save or load attacks
Sort attacks according to duration

Reports and Log Files


The Passware Kit provides several reports and log files that track its activity
during a password recovery operation. You can print and save these files for
future reference.

Passwords Found Report


Once an attack is complete, the Passware Kit displays the results of the
password recovery process in the Passwords Found Report, a sample of which
is shown below:

In the report, you'll see any recovered passwords. Click on a "copy" link to
copy a password to the Windows Clipboard. For files with instant unprotection,
you can click on a filename to open a protected or unprotected file

Attacks Report
The Passware Kit also reports which attacks it used, how long they took, their
state (such as started, successful, or unsuccessful), and what passwords were
recovered by which attacks. To view this report, click the Attacks tab at the
bottom of the window. A sample Attacks Report is shown below:

Log
A third type of information provided by the Passware Kit is a log that tracks
each attack's start and stop time, and other useful information. To view the
log, click the Log tab at the bottom of the window. A sample Log is shown
below:

What do you want to do?


Print a report or log
Save a report or log

Recovering Passwords for Multiple Files


Passware Kit supports batch file processing, recovering passwords for multiple
files, one-by-one, in an automated way.

How to Start
Select multiple files for decryption using the Recover File Password option
at the Start Page.
You can also initiate password recovery for multiple files from the results of
the Search for Protected Files option. Select the files that you want to
decrypt from the list of encrypted files displayed by Passware Kit. Then click
the Recover button as shown below:

Groups and Settings


Once you have selected the files to decrypt, Passware Kit groups them
according to the decryption options, i.e., Known Password, Instant,
Default. You can add, modify, or delete groups.

For each group (except for Known Password and Instant groups, for which
the password is recovered instantly regardless of its settings) you can use the
Predefined settings, or customize them in Attack Editor. Click the Save
Settings and Return button to save the changes and return to the list of
files.

Recovering the Passwords


Once you have set up the list of files and password recovery attacks, click the
Recover button to start the batch password recovery process:

While the password recovery is in progress, you can pause, resume, or stop it,
as well as skip attacks, files, or groups.
As a result, Passware Kit displays the passwords recovered, as well as a log
file. A sample result is shown below:

You can enable the option to create unprotected files automatically when a
password is recovered or reset at Tools | Options | Folders. When batch file
processing is complete, unprotected copies of the files will be saved in a single
folder. Supported file types: MS Office, Zip, FileMaker, SQL, MYOB, and
QuickBooks.

Searching for Protected Files


Using an Explorer-like interface and clicking a few checkboxes and buttons,
you can find your password-protected files quickly and easily. Encrypted
volumes and hard disk images, such as BitLocker, TrueCrypt, PGP, etc., are
also detected.
What do you want to do?
Select the files to scan
Monitor scan progress
Work with scan results
Start a new scan

Searching for Protected Files - Quick Start


To find password-protected files on your computer system:
1. Click Search for Protected Files on the Passware Kit start page:

You will see the following screen:

2. Click the Start Scan button in the bottom-right corner of the window. This
scans your entire computer system for password-protected files.
A dialog box appears to indicate the scan is complete:

Click OK to close this dialog box.


After the scan is complete, you can
Save the list
Save the scan log
Recover passwords
Start a new scan

Selecting the Files to Scan


You can scan specific files -- from your entire computer system to one or two
selected folders.
You can also select the type of scan you want to use. A full scan includes
scanning system folders, slow file types, encrypted containers and disk images,
and calculating MD5 values. You can disable these options if you need a less
complete, but much faster scan.
What do you want to do?
Choose scan type
Choose what to scan
After you have chosen the type of scan and the folders and/or drives to scan,
start the scan by clicking the Start button on the toolbar, which looks like this:

Scan Options
The software offers four options of the scan. Which one you use depends on
what type of password-protected file you are looking for, and how fast you
want the scan to run.
Scan
Option

When to Use

Scan
system
folders

System folders and registry files are unlikely to contain any


encrypted items. It is appropriate to use this option only if you
need the full system scan.

Scan slow
file types

Some file types, such as MS SQL and ACT! databases, or any


unknown types of files, are slow to analyze. Disable this option
to make the scan faster, or enable it if you need the complete
scan of the file system.

Scan for
encrypted
containers
and disk
images

Use this option if you assume that your system has TrueCrypt
containers and other disk images. There might be false
positives with this option.

Calculate
MD5

Use this option if you need your reports completed with MD5
hash values for each encrypted file detected. Otherwise,
disable it as it slows down the scan speed.

Enable or disable these options in the Scan Options area of the window,
shown below:

Next, you can choose what to scan.


NOTE: The settings you choose in the Scan Options area are saved when you
exit the application, and are in effect the next time you launch the program.

Monitoring Scan Progress


You can track the progress of the scan in several ways:
The Scan Progress area at the top of the main window displays a
graphical progress bar, and lists time elapsed and time-to-completion. A
sample Scan Progress area is shown here:

The Status Bar, visible along the bottom of the window, gives a summary
of the number of protected items found and the total number of items
scanned.
The Scan Status area summarized the scan status. A sample is shown
here:

NOTE: If you want, you can turn off the Status Bar.
You can temporarily pause or cancel a scan at any time.

Canceling or Pausing a Scan


You can temporarily pause a scan at any time by clicking the Pause button in
the toolbar:

To resume a paused scan, click the Resume button in the toolbar:

You can cancel a scan at any time by clicking the Stop button in the toolbar:

Working with the Scan Results


After scanning the selected folders, the application displays a both a list of
password-protected files (in the right pane of the window) and a summary of
the scan results (in the Last Scan area on the left side of the window). An
sample scan result is shown below:

NOTE: Clicking on the Items Skipped line in the Last Scan area displays the
scan log.
What do you want to do?
Work with selected files from the scan results
Customize the appearance of the scan results
Save the file list
Save the scan log

Recovering File Passwords


Once you have found one or more password-protected files, you can recover
the password using the Passware Kit.

Start a New Scan


When you click Search for Protected Files on the Start Page, the window
defaults to the new scan display.
To start a new scan after another scan has already completed:
1. Click Start a New Scan in the Actions area of the window.
2. A dialog box, shown below, appears, asking if you want to start a new
scan.

3. Click Yes. to start a new scan.


Another way to start a new Scan is to click the Back button on the toolbar.
CAUTION: The results of the previous scan are cleared from the screen when
you click Yes. If you want to save the results for future use, be sure to save
the file list before starting a new scan.

Analyzing Memory and Decrypting Hard Disks


You can use the Passware Kit to decrypt hard disks encrypted with BitLocker,
TrueCrypt or FileVault 2.
BitLocker is a data protection feature available in Windows systems starting
from Vista. TrueCrypt is a software application that creates virtual hard disks
with real-time encryption.
FileVault 2 is a system which encrypts files on a Macintosh computer. It can be
found in the Mac OS X Lion operating systems.
To get started, display the Passware Kit Start Page, and click Analyze
Memory and Decrypt Hard Disk (or press Ctrl+D). This displays the
following window:

What do you want to do?


Recover BitLocker encryption keys
Decrypt a TrueCrypt volume
Decrypt a FileVault volume

Recovering BitLocker Encryption Keys


Passware Kit recovers encryption keys for hard drives encrypted with
BitLocker. BitLocker is a data protection feature available in Windows Vista
and Windows 7.
The software scans the physical memory image file (created while the
encrypted disk was mounted) and extracts all the encryption keys for a given
volume.
To recover BitLocker encryption keys, two images of the target system are
required:
The image file of the encrypted volume.
The physical memory image file or hiberfil.sys file from the target
system (with the encrypted volume mounted).
Disk volume images can be created using third-party tools, such as Guidance
EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be
created using Passware FireWire Memory Imager or third-party tools, such as
ManTech Physical Memory Dump Utility or win32dd. If the target computer
with the BitLocker volume is powered off, encryption keys are not stored in its
memory, but they could be possibly recovered from the hiberfil.sys file, which
is automatically created when a system hibernates.
NOTE: If the target computer is turned off and the BitLocker volume was
dismounted during the last hibernation, neither the memory image nor the
hiberfil.sys file will contain the encryption keys. Therefore, instant decryption
of the volume is impossible. In this case, Passware Kit assigns Brute-force
attacks to recover the original password for the volume.
Once the images are created, follow these steps to recover the password:
1. Click Analyzing Memory and Decrypting Hard Disk (or press Ctrl+D)
on the Passware Kit Start Page. This displays the screen shown below:

2. Click BitLocker (or press Ctrl+B). This displays the screen shown below:

3. Click Browse and locate the image file of the BitLocker encrypted volume
or partition.
4. Click Browse and locate the physical memory image (memory.bin) or the
hiberfil.sys file from the computer to which your encrypted volume was
mounted. If you do not have this memory image and the target computer
is still powered on, click Acquire a memory image and follow the on-

screen instructions.
NOTE: If the target computer is turned off and the BitLocker volume was
dismounted during the last hibernation, neither the memory image nor the
hiberfil.sys file will contain the encryption keys. Therefore, instant
decryption of the volume is impossible. In this case, switch to The
BitLocker volume is dismounted option, and Passware Kit will assign
Brute-force attacks to recover the password for the volume.
5. Click Next.
This procedure initiates the encryption key recovery process. The recovery
might take several minutes depending on the size of the memory image file.
The results are displayed when the recovery is complete. The figure below
shows a sample result.

Decrypting a TrueCrypt Volume


Passware Kit decrypts hard disk volumes encrypted with TrueCrypt. TrueCrypt
is a software application that creates virtual hard disks with real-time
encryption.
The software scans the physical memory image file (created while the
encrypted disk was mounted), extracts all the encryption keys, decrypts the
given volume, and saves the image of the decrypted volume.
To decrypt a TrueCrypt volume, the physical memory image file or hiberfil.sys
file from the target system (with the encrypted volume mounted) is required.
The Passware Kit can work with either a TrueCrypt volume file (encrypted file
container), or with its image.
Disk volume images can be created using third-party tools, such as Guidance
EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be
created using Passware FireWire Memory Imager or third-party tools, such as
ManTech Physical Memory Dump Utility or win32dd. If the target computer
with the TrueCrypt volume is powered off, encryption keys are not stored in its
memory, but they could be possibly recovered from the hiberfil.sys file, which
is automatically created when a system hibernates.
NOTE: If the target computer is turned off and the TrueCrypt volume was
dismounted during the last hibernation, neither the memory image nor the
hiberfil.sys file will contain the encryption keys. Therefore, instant decryption
of the volume is impossible. In this case, Passware Kit assigns Brute-force
attacks to recover the original password for the volume.
Once the images are created, follow these steps to recover the password:
1. Click Analyzing Memory and Decrypting Hard Disk (or press Ctrl+D)
on the Passware Kit Start Page. This displays the screen shown below:

2. Click TrueCrypt (or press Ctrl+T). This displays the screen shown below:

3. Click Browse and locate the TrueCrypt volume file or its image file.
4. Click Browse and locate the physical memory image (memory.bin) or the
hiberfil.sys file from the computer to which your encrypted volume was
mounted. If you do not have this memory image and the target computer
is still powered on, click Acquire a memory image and follow the onscreen instructions.

NOTE: If the target computer is turned off and the TrueCrypt volume was
dismounted during the last hibernation, neither the memory image nor the
hiberfil.sys file will contain the encryption keys. Therefore, instant
decryption of the volume is impossible. In this case, switch to The
TrueCrypt volume is dismounted option, and Passware Kit will assign
Brute-force attacks to recover the password for the volume.
5. Click Browse and select the location and name of the destination file (the
image of the decrypted volume).
6. Click Next.
This procedure initiates the decryption process. The decryption might take
several minutes depending on the size of the memory image file. The results
are displayed when the decryption is complete. The figure below shows a
sample result.

Decrypting a PGP WDE Volume


Passware Kit decrypts hard disk volumes encrypted with PGP Whole Disk
Encryption.
The software scans the physical memory image file (created while the
encrypted disk was mounted), extracts all the encryption keys, decrypts the
given volume, and saves the image of the decrypted volume.
To decrypt a PGP volume, the physical memory image file or hiberfil.sys file
from the target system (with the encrypted volume mounted) is required. PGP
volume images can be created using third-party tools, such as Guidance
EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be
created using Passware FireWire Memory Imager or third-party tools, such as
ManTech Physical Memory Dump Utility or win32dd. If the target computer
with the PGP volume is powered off, encryption keys are not stored in its
memory, but they could be possibly recovered from the hiberfil.sys file, which
is automatically created when a system hibernates.
NOTE: If the target computer is turned off and the PGP volume was
dismounted during the last hibernation, neither the memory image nor the
hiberfil.sys file will contain the encryption keys. Therefore, instant decryption
of the volume is impossible. In this case, Passware Kit assigns brute-force
attacks to recover the original password for the volume.
Once the images are created, follow these steps to recover the password:
1. Click Analyze Memory and Decrypt Hard Disk (or press Ctrl+D) on the
Passware Kit Start Page. This displays the screen shown below:

2. Click PGP WDE (or press Ctrl+P). This displays the screen shown below:

3. Click Browse and locate the encrypted PGP volume image file.
4. Click Browse and locate the physical memory image (memory.bin) or the
hiberfil.sys file from the computer to which your encrypted volume was

mounted. If you do not have this memory image and the target computer
is still powered on, click Acquire a memory image and follow the onscreen instructions.
NOTE: If the target computer is turned off and the PGP volume was
dismounted during the last hibernation, neither the memory image nor the
hiberfil.sys file will contain the encryption keys. Therefore, instant
decryption of the volume is impossible. In this case, switch to The PGP
disk is dismounted option, and Passware Kit will assign brute-force
attacks to recover the password for the volume.
5. Click Browse and select the location and name of the destination folder
(the folder to save decrypted volume to).
6. Click Next.
This procedure initiates the decryption process. The decryption might take
several minutes depending on the size of the memory image file. The results
are displayed when the decryption is complete. The figure below shows a
sample result.

Recovering Mac Passwords


You can use Passware Kit to recover the following passwords for Mac OS: user
login passwords and keychain file passwords.
What do you want to do?
Decrypt a FileVault2 volume
Recover login passwords for Mac OS
Recover a password for a Mac keychain file

Decrypting a Mac FileVault2 Volume


Passware Kit recovers encryption keys for hard drives encrypted with
FileVault2. FileVault2 is a data protection feature available in MAC OS X
starting from v.10.7.
The software scans the physical memory image file (created when the
encrypted disk was mounted), extracts all the encryption keys, decrypts the
given volume, and saves an image of the decrypted volume.
To recover FileVault2 encryption keys, two images of the target system are
required:
the image file of the encrypted volume
the physical memory image file from the target system (with the encrypted
volume mounted and at least one user logged in)
Disk-volume images can be created using third-party tools such as Guidance
EnCase, Free EASIS Drive Cloning, DD, and Apple Disk Utility. Physicalmemory images can be created using Passware FireWire Memory Imager.
NOTE: If the target computer is turned off, the memory image will not contain
the encryption keys. Therefore, instant decryption of the volume is impossible.
In this case, Passware Kit assigns brute-force attacks to recover the original
password for the volume.
Once the images are created, follow these steps to recover the encryption key:
1. Click Analyze Memory and Decrypt Hard Disk on the Passware Kit
Start Page. This displays the screen shown below:

2. Click FileVault. This displays the screen shown below:

3. Click Browse... and locate the image of the FileVault2 encrypted volume
or partition.
4. Click Browse... and locate the physical memory image (memory.bin) file
from the computer in which your encrypted volume was mounted. If you

do not have this memory image and the target computer is still powered
on, click Acquire a memory image and follow the on-screen instructions.
NOTE: If the target computer is turned off, the memory image will not
contain the encryption keys. Therefore, instant decryption of the volume is
impossible. In this case, switch to the FileVault volume is dismounted
option, and Passware Kit will assign regular brute-force attacks to recover
the password for the volume.
5. Click Browse... and select the location and name of the destination file
(the image of the decrypted volume).
6. Click Next.
This procedure initiates the decryption process. The decryption might take
several minutes depending on the size of the memory image file. The results
are displayed when the decryption is complete. The figure below shows a
sample result.

Recovering a Mac FileVault2 Password


If the instant decryption option through memory analysis is not applicable,
e.g., if the target computer is turned off or the memory image does not
contain the encryption keys for some reason, Passware Kit can still recover the
original password for the FileVault disk.
To recover the password, Passware Kit requires a FileVault Wipekey file. To
access and copy this file from the target computer, follow the steps below,
depending on whether you have direct access to the target computer or just
the hard disk image.

If you have access to the target computer:


1. Boot the target Mac computer with a Setup/Recovery CD;
2. Launch the Terminal tool from the Setup CD;
3. Type command: defaults write com.apple.DiskUtility
DUDebugMenuEnabled 1;
4. Open the tool Disk Utility;
5. In the Debug menu, choose Show every partition, then choose
Recovery HD and click Mount;
6. Locate the Wipekey file (normally named EncryptedRoot.plist.wipekey)
at:
com.apple.boot.R/System/Library/Caches/com.apple.corestorage/
NOTE: The directory name can also be com.apple.boot.S or
com.apple.boot.P;
7. Copy the EncryptedRoot.plist.wipekey file to the computer on which
you run Passware Kit.

If you have the target disk image:


Mount it with any disk-mounting tool and proceed to step 7. Steps 1 - 6 refer
to mounting the disk image using Guidance EnCase.
1. Run Guidance EnCase;
2. Click New Case and choose the name and location of the case file;
3. Click Add Evidence;

4.
5.
6.
7.
8.

Click Add Local Device, then click Next;


Pick up the device with the label Apple and click Finish;
In the Table window, double-click the target disk;
In the Evidence tab, locate the Recovery HD partition;
Locate the Wipekey file (normally named EncryptedRoot.plist.wipekey)
at:
com.apple.boot.R/System/Library/Caches/com.apple.corestorage/

NOTE: The directory name can also be com.apple.boot.S or


com.apple.boot.P;
9. Copy the EncryptedRoot.plist.wipekey file to the computer on which
you run Passware Kit.

Once you have copied the Wipekey file to your computer, run Passware Kit and
follow these steps to recover the password:
1. Click Analyze Memory and Decrypt Hard Disk on the Passware Kit
Start Page. This displays the screen shown below:

2. Click FileVault. This displays the screen shown below:

2. Click FileVault. This displays the screen shown below:

3. Click Browse... and locate the image of the FileVault2 encrypted volume
or partition;
4. Click the FileVault volume is dismounted option;
5. Click Browse... and select the location of the Wipekey file as shown
below:

6. Click Next.

This procedure initiates the decryption process. It might be accelerated using


NVIDIA and AMD GPU cards, as well as Distributed Password Recovery. The
results are displayed when the decryption is complete. The figure below shows
a sample result.

Recovering Mac Login Passwords


You can use Passware Kit to recover login passwords for Mac OS users in a
matter of minutes, regardless of the password length and use of a FileVault
encryption. The following operating systems are supported:
Mac OS X Version 10.5 (Leopard), 10.6 (Snow Leopard), 10.7 (Lion)
The software scans the physical memory image file (acquired while the target
system is running and at least one user remains logged in, even if the user is
currently logged out or the account is locked) and extracts all the login
passwords for a given system.
Physical memory images can be created using Passware FireWire Memory
Imager. If the target Mac computer is powered off, login passwords are not
stored in its memory, and therefore it is impossible to recover them.
To get started, display the Passware Kit Start Page, and click Analyze
Memory and Decrypt Hard Disk | Mac User (or press Ctrl+M). This displays
the following window:

Locate the physical memory image (memory.bin) of the target Mac computer.

If you do not have this memory image, follow these steps to acquire it using
Passware Kit:
1. At the Passware Kit Start Page click Analyzing Memory and Decrypting
Hard Disk.
2. Click Passware FireWire Memory Imager.
3. Follow the on-screen instructions.
Once the image is created, follow these steps to recover the password:
1. Click Recover Mac Password (or press Ctrl+M) on the Passware Kit Start
Page.
2. Locate the physical memory image (memory.bin) from the target computer
and click Open.
This procedure initiates the password recovery process, as shown below:

The recovery might take several minutes depending on the size of the memory
image file. The results are displayed when the recovery is complete. The figure
below shows a sample result.

Recovering Mac Keychain Passwords


You can use Passware Kit to recover passwords for Mac OS keychain files. Files
from the following operating systems are supported:
Mac OS X Version 10.5 (Leopard), 10.6 (Snow Leopard), 10.7 (Lion)
Mac keychain files are usually stored at /Users//Library/Keychains and are
protected with a password. By default, the keychain password is the same as
the corresponding Mac user login password, but it may also be different. By
recovering this password, you gain access to the following user information
contained in the keychain file: saved passwords (for websites, network shares,
wireless networks), private keys, certificates, etc.
NOTE: Passware Kit does not support System.keychain files.
To get started, display the Passware Kit Start Page, then click the Recover
button, or press Ctrl+O.

Locate the keychain file (by default this file is named login.keychain) and click
Open.
This displays the following window:

Choose one of the following options for password recovery, depending on the
available information about the password:

Use the Password Recovery Wizard - best for users who know
something about their passwords, but are new to password
recovery.
Run the default attacks - best for users who know nothing about
their passwords.
Use the Attack Editor - best for advanced users and who are
decrypting strong passwords.
This procedure initiates the password recovery process. The results are
displayed when the recovery is complete. The figure below shows a sample
result.

Recovering Windows Login Passwords


You can use Passware Kit to recover login passwords for Windows users in a
matter of minutes, regardless of the password length and use of a BitLocker
encryption. The solution works on all versions of Windows, including Windows
8.
The software scans the physical memory image file (acquired while the target
system is running, even if the user is currently logged out or the account is
locked) and extracts all the login passwords for a given system.
Physical memory images can be created using Passware FireWire Memory
Imager. If the target computer is powered off, encryption keys are not stored
in its memory, but they could be possibly recovered from the hiberfil.sys file,
which is automatically created when a system hibernates. In other cases, it is
impossible to recover the user passwords instantly.
To get started, display the Passware Kit Start Page, and click Analyze
Memory and Decrypt Hard Disk | Windows User (or press Ctrl+W). This
displays the following window:

Locate the physical memory image (memory.bin) or the hibernation file

(hiberfil.sys) of the target Windows computer. If you do not have this memory
image, follow these steps to acquire it using Passware Kit:
1. At the Passware Kit Start Page click Analyzing Memory and Decrypting
Hard Disk.
2. Click Passware FireWire Memory Imager.
3. Follow the on-screen instructions.
Once the image is created, follow these steps to recover the password:
1. Click Analyze Memory and Decrypt Hard Disk | Windows User (or
press Ctrl+W) on the Passware Kit Start Page.
2. Locate the physical memory image (memory.bin) or the hibernation file
(hiberfil.sys) from the target computer and click Open.
This procedure initiates the password recovery process, as shown below:

The recovery might take several minutes depending on the size of the memory
image file. The results are displayed when the recovery is complete. The figure
below shows a sample result.

Recovering Website Passwords from Memory


You can use Passware Kit to recover passwords for Facebook, Google, and
other websites in a matter of minutes, regardless of the password length and
whether the password was saved in the browser or not.
The software scans the physical memory image file (acquired while the target
system is running, even if the user is currently logged out or the account is
locked) and extracts all the websites' passwords which the user had typed
during the last session.
Physical memory images can be created using Passware FireWire Memory
Imager. If the target computer is powered off, the passwords are not stored in
its memory, but they could be possibly recovered from the hiberfil.sys file,
which is automatically created when a system hibernates.
To get started, display the Passware Kit Start Page, and click Analyze
Memory and Decrypt Hard Disk | Websites (or press Ctrl+S). This displays
the following window:

Locate the physical memory image (memory.bin) or the hibernation file


(hiberfil.sys) of the target Windows computer. If you do not have this memory

image, follow these steps to acquire it using Passware Kit:


1. At the Passware Kit Start Page click Analyzing Memory and Decrypting
Hard Disk.
2. Click Passware FireWire Memory Imager.
3. Follow the on-screen instructions.
Once the image is created, follow these steps to recover the password:
1. Click Analyze Memory and Decrypt Hard Disk | Websites (or press
Ctrl+S) on the Passware Kit Start Page.
2. Locate the physical memory image (memory.bin) or the hibernation file
(hiberfil.sys) from the target computer and click Open.
This procedure initiates the password recovery process, as shown below:

The recovery might take several minutes depending on the size of the memory
image file. The results are displayed when the recovery is complete. The figure
below shows a sample result.

Passware FireWire Memory Imager


To recover BitLocker and TrueCrypt encryption keys, Passware Kit requires a
physical memory image file of a target computer that was created while the
BitLocker or TrueCrypt encrypted disk was mounted.
Passware Kit includes Passware FireWire Memory Imager, which creates a
bootable memory-imaging USB drive. This USB drive acquires a memory
image of the target computer connected with a FireWire (IEEE 1394) cable.
The overall steps on acquiring the memory image with Passware FireWire
Memory Imager are:
1. Create a bootable Passware FireWire Memory Imager USB drive
2. Acquire the memory image of the target computer with the USB drive
NOTE:
If the target computer is powered off, encryption keys are not
stored in its memory, but they could be possibly recovered from the
hiberfil.sys file, which is automatically created when a system
hibernates.
If the target computer is powered off and the TrueCrypt/BitLocker
volume was dismounted during the last hibernation, neither the
memory image nor the hiberfil.sys file will contain the encryption
keys. Therefore, instant decryption of the volume is impossible. In
this case, Passware Kit assigns Brute-force attacks to recover the
original password for the volume.

Creating Passware FireWire Memory Imager USB


Drive
Below are the steps to create a memory-imaging USB drive.
1. On the Start Page click Analyzing Memory and Decrypting Hard Disk
(or press Ctrl+D), and then click Passware FireWire Memory Imager.
The following screen appears:

1. Insert a USB flash drive and select it in the Select USB drive pulldown menu. Recommended size of the USB flash drive is 8GB and
more.
2. Click Next.
NOTE: All the files on the USB flash drive will be erased. If you are using
Windows Vista, you may need to run Passware Kit as the Administrator in
order to create a memory-imaging USB drive.
2. The recording process starts. Passware Kit copies the necessary files on the
USB flash drive.

3. The bootable Passware FireWire Memory Imager USB drive is now ready.

NOTE: Passware FireWire Memory Imager files are created on a hidden


partition of the USB flash drive, while the open partition of the drive,
which can be viewed in Windows Explorer, is blank.
Now that you have created the memory-imaging USB drive, you are ready to
acquire the memory image of the target computer.

Acquiring Memory Image with Passware FireWire


Memory Imager USB Drive
Once you have created the bootable Passware FireWire Memory Imager USB
drive, you are ready to acquire the memory image of the target computer by
following the steps below.
Requirements:
The target computer is turned on and the encrypted volume is mounted
Both the target computer and the computer used for acquisition have
FireWire (IEEE 1394) ports
A FireWire cable
1. Insert the memory-imaging USB drive and restart your computer.
2. Passware FireWire Memory Imager starts:

3. Make sure the FireWire cable is unplugged and press Next.


4. Connect the target computer with a FireWire cable. If the target computer
is not detected after 30 seconds, you may need to unplug and re-connect
the FireWire cable.

Press Next.
5. The memory imaging process starts:

The progress screen displays the time of the imaging process and the size
of the acquired target memory. Upon completion of the process, press
Next.
6. Unplug the FireWire cable, remove the USB flash drive, and press Reboot
to restart your PC.
7. The memory image of the target computer (a memory.bin file) is created

on the USB flash drive:

Once you have created the memory image of the target computer, you are
ready to decrypt BitLocker or TrueCrypt volumes using Passware Kit.

Recovering Passwords for Mobile Data


You can use the Passware Kit to acquire iCloud backups, recover passwords for
Apple iPhone and iPad backups, Android backups, and Android images.
To get started, display the Passware Kit Start Page and click Mobile
Forensics. This displays the following window:

What do you want to do?


Recover a password for Apple iTunes or Android backup file
Recover a password for an Android device image
Acquire an iCloud backup

Recovering Apple iTunes and Android Backup


Passwords
Apple stores iPhone and iPad backups in an iTunes backup file (*.PLIST). This
file, named Manifest.plist, is normally located in the Apple Computer
directory. For example, for Windows 8, the full path is:
C:\Documents and Settings\User\AppData\Roaming\Apple
Computer\MobileSync\Backup\BackupID\Manifest.plist
Android backup files are usually created with an ADB tool from Android SDK
and normally have an *.AB extension.
Passwords for iTunes and Android backup files are recovered using regular
password-recovery attacks. The process can be accelerated with GPU cards and
distributed computing.
To start the password-recovery process, click Mobile Forensics on the Start
Page, choose either the iPhone Backup or Android Backup option and locate
your file. Refer to the Recovering File Passwords section for further
recommendations.

Recovering Passwords for Android Images


Passware Kit recovers passwords for Android physical images acquired from
the encrypted devices using third-party tools, such as Oxygen Forensic
Passware Analyst.
Passwords for Android image files are recovered using regular passwordrecovery attacks. The process can be accelerated with GPU cards and
distributed computing.
To start the password-recovery process, click Mobile Forensics on the Start
Page, choose the Android Image option and locate your file. Refer to the
Recovering File Passwords section for further recommendations.

Acquiring iCloud Backups


Passware Kit acquires full iOS backups from iCloud if Apple ID credentials are
known. The backups are downloaded in iTunes format (readable by Apple
software and Oxygen Forensic Suite Passware Analyst) and plain readable
format. All versions of iOS, including the latest 8.1, are supported.
Below are the steps to acquire an iOS backup from iCloud.
1. On the Start Page click Mobile Forensics, then choose the iCloud
Backup option
2. Enter your iCloud login. Both Apple ID and password should be entered as
shown on the screen below:

3. Click Next. The following screen appears:

4. Choose the backup snapshots you want to download. The latest snapshot is
listed first. By selecting other snapshots you will be able to download all
previous versions of the backup.
5. Choose where to save the backup (make sure you have enough space on
your disk. Passware Kit will display the size of the backup to be
downloaded).
6. Choose the format you want to save the backup in. By default, it is the
"iTunes default format" readable by Apple iTunes. You can also save the
backup in plain readable format, i.e. without iTunes default folders, but as
a plain list of files.
7. Click Next.
8. The acquisition process starts. Passware Kit downloads the necessary
backup files from iCloud to your local computer.

9. The full iOS backup is now downloaded.

Now that you have acquired the iOS backup from iCloud, you are ready to
analyze it with Oxygen Forensic Passware Analyst or open it with Apple iTunes
to see the device data.

Recovering Lost Internet and Network Passwords


You can use the Passware Kit to recover your e-mail account, Internet, and
Network connection passwords.
To get started, display the Passware Kit Start Page, and click Recover
Internet and Network Passwords (or press Ctrl+I). This displays the
following window:

What do you want to do?


Recover a lost e-mail password
Recover a lost Internet password
Recover a lost network password

Recovering E-mail Passwords


The Passware Kit can recover e-mail passwords associated with Microsoft
Outlook and Outlook Express accounts, data files and identies.
To recover one of these passwords, follow these steps:
1. Display the Passware Kit Start Page.
2. Click Recover Internet and Network Passwords (or press Ctrl+I).
3. Click on the appropriate choice in the Email Passwords area of the
window.
The password recovery process begins. The results are displayed when it is
finished. The figure below shows a sample result.

Recovering Internet Passwords


The Passware Kit can recover passwords associated with websites in browsers
and with Internet Explorer Content Advisor.
To recover one of these passwords, follow these steps:
1. Display the Passware Kit Start Page.
2. Click Recover Internet and Network Passwords (or press Ctrl+I).
3. Click on the appropriate choice in the Internet Passwords area of the
window.
The password recovery process begins. The results are displayed when it is
finished. The figure below shows a sample result.

Recovering Network Connection Passwords


The Passware Kit can recover passwords associated with VPN and dialup
accounts as well as remote desktop accounts.
To recover one of these passwords, follow these steps:
1. Display the Passware Kit Start Page.
2. Click Recover Internet and Network Passwords (or press Ctrl+I).
3. Click on the appropriate choice in the Network Passwords area of the
window.
The password recovery process begins. The results are displayed when it is
finished. The figure below shows a sample result.

Resetting a Windows Administrator Password


What do you want to do?
Learn how to reset a Windows password with Passware Kit CD /
USB disk
Find out what versions of Windows are supported

Using a Password Reset CD / USB Disk


With Passware Kit, you can reset a password for any local or Active Directory
Administrator account.
The overall steps are as follows:
1. Create a password reset CD/USB image and burn it on a disk
2. Reset the password with the CD or USB disk

Creating a Password Reset CD Image / USB Disk


Below are the steps to create an ISO image file for a password reset CD or
USB disk.
1. On the Start Page click Reset Windows Administrator Password. The
following screen appears.

2. Insert your Windows Setup CD.


NOTE: Both Windows 32-bit and 64-bit Setup CDs are supported.
Browse for either a TXTSETUP.SIF or a BOOT.WIM file. The TXTSETUP.SIF
file is usually located in the 'I386' folder of the Windows XP/2003 Setup
CD. The BOOT.WIM file is usually located in the 'Sources' folder of the
Windows 8/7/Vista/2008 Setup CD.
The Make password reset image from field should contain the
location of the TXTSETUP.SIF or BOOT.WIM file;
You can protect the Windows Key password reset media with a
password by enabling the Set a password on the Windows
Password Reset CD/USB disk check-box and typing your own
password in the field;
Check Add drivers for SCSI/RAID hard drives, if you need to reset
a Windows password for a SCSI/RAID/IDE hard drive. The field Copy
drivers from should contain the location of the additional drivers for
your hard drive. These drivers should be listed in the Pick up the
drivers for your hard drive field. For example, drivers for Intel hard
drives can be downloaded at the manufacturer's site.

3. Click Next.
NOTE: If you do not have a Windows Setup CD, you can request a
Windows Key .ISO download.
4. Choose what password reset device to create:

Select CD/DVD if you want to make a password reset CD or DVD disk;


Select USB flash if you want to make a password reset USB flash
drive.
5. Specify the CD or USB burning drive from the pull-down list of the CD/DVD
or USB flash options.
6. Click Next.
NOTE: To create a Windows password reset CD, a CD-ROM drive capable
of burning is required.
7. The burning process starts. Passware Kit copies the necessary files from
the Windows Setup CD into the ISO image file.

8. After Passware Kit creates a password reset ISO image, it prompts you to
insert a blank CD/DVD disk into the CD-ROM drive so that it could burn the
image on this disk. Insert a blank CD/DVD disk into the CD-ROM drive.
Click OK.

9. The password reset disk is now ready.

Now that you have created the Windows Password Reset CD or USB disk, you
are ready to reset the password on the locked computer.

Resetting the Password


NOTE: If you used a Windows XP/2003 Setup CD (TXTSETUP.SIF file) to
create a Windows Key password reset disk, follow these instructions to reset
the password. If you used a Windows 8/7/Vista/2008 Setup CD (BOOT.WIM
file) to create a Windows Key password reset disk, follow the steps below to
reset the password.
1. Reboot your system with this CD or USB disk.
NOTE: To reboot your PC with a USB Flash Drive you may need to set the
following options for the BIOS Setup Utility: after rebooting your PC please
press 'Del' or 'F2' to run BIOS Setup Utility, go to the 'Boot' section and
press 'F6' to move the 'Hard Drive' device up, then press 'Enter' on the
'Hard Drive' option and press 'F6' to move the 'USB Drive' device up. After
all the changes are set, press 'F10' to exit and save the settings.
2. After all the required files are loaded from the CD or USB drive, Windows
Key process starts.

3. Enter the protection password that you have set while creating the
Windows Password Reset CD\USB disk. Click Next. If you have not set any
password, go to the next step.
4. Select the Windows installation to be unlocked. If there are several
installations, use additional information from the table to choose the one
you need to unlock. Click Next.

5. Select the local Windows account or Active Directory Administrator


account for which you want to reset the password. Click Next.

6. Review the list of tasks to complete. Click Next.


7. To reset passwords for other Windows installations or accounts, click Back
To Start and repeat the process from Step 4.
8. Click Reboot if you are finished and want to exit.

9. Remove the Windows Key bootable CD or USB disk to restart your PC.

NOTE: For Microsoft Live ID accounts, passwords are reset to "12345678", as


the system does not allow to set blank passwords.
Now you are able to log into your computer as Administrator!

Versions of Windows Supported


All Passware products support Windows 8/7/2008/Vista/2003/XP/2000/NT
systems.

What Version of Windows Setup CD Should You Use?


It is recommended to use a Windows 8, 7, Vista or Server 2008 Setup CD
to create a bootable password reset CD/USB disk for all versions of
Windows.
It is possible to use a Windows XP SP2 and Server 2003 Setup CD to
create a bootable password reset CD/USB disk for Windows XP, 2003, and
earlier versions.

Recovering Passwords for a Standalone System


You can use Passware Kit to recover saved passwords for standalone systems
from registry files.
The quickest way to start password extraction from registry files is to click the
Recover Passwords for a Standalone System option on the Start Page, or
press Ctrl+S.

Password extraction from registry files is supported for Windows 7, Vista,


Server 2008, Server 2003, and XP. The following system directories are
required for the password extraction: Documents and Settings (for Windows
XP) or Users (for Windows 7/Vista), and Windows\system32\config.
What do you want to do?
Recover passwords for Windows accounts
Recover passwords for email accounts, websites and network
connections

Recovering Windows User Passwords for a


Standalone System
You can use Passware Kit to recover Windows user login passwords of
standalone systems from a SAM file copied from these systems.
The following system directory is required:
- Windows\system32\config\
NOTE: Recovery of cached login passwords requires a
Windows\system32\config\SECURITY system file, and might also require
SOFTWARE and SYSTEM files.
To get started, display the Passware Kit Start Page, click Recover Passwords
for a Standalone System (or press Ctrl+S) and locate the system directory
of a standalone computer, as shown below:

Click OK. This displays the following window:

Follow these steps to recover passwords for Windows accounts:


1. Click Recover Windows User Passwords for a Standalone System.
This displays the following window:

2. Choose one of the following options for password recovery, depending on


the available information about the password:
Use the Password Recovery Wizard - best for users who know
something about their passwords, but are new to password
recovery.

Run the default attacks - best for users who know nothing about
their passwords.
Use the Attack Editor - best for advanced users and who are
decrypting strong passwords.
This procedure initiates the password recovery process. The results are
displayed when the recovery is complete. The figure below shows a sample
result.

Recovering Internet and Network Passwords for a


Standalone System
You can use Passware Kit to recover saved passwords for email accounts,
websites, network and remote desktop connections of standalone systems from
the user directories copied from these systems.
The following system directory is required:
- Documents and Settings (for Windows XP) or Users (for Windows 7/Vista)
To get started, display the Passware Kit Start Page, click Recover Passwords
for a Standalone System (or press Ctrl+S) and locate the system directory,
as shown below:

Click OK. This displays the following window:

Follow these steps to recover the internet and network passwords for the
standalone system:
1. Click Recover Internet and Network Passwords for a Standalone
System. This displays the following window:

2. Click Browse... and locate the Windows User directory, which is usually
named as Documents and Settings.
3. In the Windows Users list select the account you want to recover the
internet and network passwords for.
4. If the account you selected is protected with a Windows login password,
Passware Kit will ask you to choose one of the two options below. If the
account is not password-protected, click Next and continue to step 6.

If you know a Windows login password for this account, switch to the I
know the password option. Type the known password in this field.
If you do not know a Windows login password for this account, switch
to the I don't know the password option. The recovery process for
the Windows login password will be initiated. Once the password is
recovered, type it in the I know the password field and continue to
the next step.
5. Click Next. This displays the following window:

6. Click on the appropriate choice, depending on what password you would


like to recover.
The password recovery process begins. The results are displayed when it is
finished. The figure below shows a sample result.

Recovering Windows/Unix/Mac Hash Passwords


With Passware Kit you can recover passwords from Windows/Unix/Mac hashes.
The following hashing algorithms are supported:
Raw MD4, MD5, SHA1
Windows NT/LanMan
Unix DES/MD5/SHA256/SHA512
MAC OS X salted SHA1, SHA 512
The following hashing algorithms allow instant password recovery using a
Rainbow Tables Attack:
Raw unsalted MD5, SHA1
Windows NT/LanMan
Windows stores local user names and their hashed passwords in a SAM
(Security Account Manager) registry file.
To dump Windows NTLM hashes, you need administrative access to the target
computer.
Learn how to reset Windows Administrator password
Once you have logged in as an Administrator, you can use third-party tools
like PWDUMP and FGDUMP to dump the hash file from the system.
NOTE: To recover Windows hash passwords, you can also use the Recover
passwords for a standalone system option. In this case the recovery is
instant and does not require dumping the hash file from the system.
Unix-like operating systems use a shadow password database mechanism to
increase the security level of passwords by restricting all but the highly
privileged users' access to encrypted password data. Typically, that data is kept
in hash files owned by and accessible only by, the super user (i.e., on Unix-like
systems, the root user, and on many other systems, the Administrator
account).
These hash files are located at:
/etc/shadow (Linux systems)
/etc/master.passwd (BSD systems)
/var/db/shadow/hash (Mac systems)

Once you have dumped the hash file, you are ready to recover the user names
and passwords that it contains.
To get started, display the Passware Kit Start Page, then click the Recover
button, or press Ctrl+O.

Locate the hash file and click Open.


This displays the following window:

Choose one of the following options for password recovery, depending on the
available information about the password:
Use the Password Recovery Wizard - best for users who know
something about their passwords, but are new to password
recovery.
Run the default attacks - best for users who know nothing about
their passwords.
Use the Attack Editor - best for advanced users and who are
decrypting strong passwords.
This procedure initiates the password recovery process. The results (i.e., user
account names and login passwords) are displayed when the recovery is
complete. The figure below shows a sample result.

Working with Passware Kit Portable


You can use the Passware Kit to find encrypted files and recover lost passwords
on other computers without installing the software there. The Portable Version
can be installed on any removable device, i.e., a USB drive or a CD (USB
recommended), and then used directly from this device on a target computer.
Passware Kit Portable does not modify settings or files on a target computer
(registry records, patched or unprotected files, etc.).
The overall steps are:
1. Prepare a portable version on a CD or USB disk
2. Run a portable version on a target computer

Preparing Passware Kit Portable


To create a portable version of Passware Kit, click Create Portable Version in
the File menu:

This displays the screen shown below:

Choose the folder in which to install the portable version. It can be installed
directly on a removable USB thumb drive. Click OK.
Passware Kit installs its portable version in the specified folder. Once installed,
you can copy this folder onto a CD or USB drive.

Passware Kit Portable is now ready to be used directly from your


removable CD or USB drive.

Running Passware Kit Portable


Once you have prepared the portable CD or USB drive, you are ready to use
Passware Kit Portable on a target computer by following these steps:
1. Insert the portable CD or USB drive to the target computer.
2. Run PasswareKitForensic.exe file from the portable CD/USB.
3. Passware Kit starts:

Use Passware Kit Portable like a regular version of the software.


NOTE: Passware Kit Portable does not make any changes to the original file
system or registry of the target computer. This means that after encryption
scanning, password recovery, or decryption of files on the target computer, all
items and original passwords remain unaffected. Passware Kit Portable does
not save any log files, reports, or unprotected files on a target computer. All
data is saved on a portable USB drive. It is recommended to run Passware Kit
Portable from a USB drive instead of a CD; otherwise, the program will be
unable to save any data due to writing restrictions on a CD drive.

Using Passware Kit Forensic with EnCase


All Guidance EnCase users can now utilize Passware Kit Forensic to detect
encrypted files in a case. Thanks to integration with Passware Kit Forensic,
EnCase can detect over 200 encrypted file types and initiate a password
recovery process if required.
Requirements:
EnCase 7.x or later (32-bit).
Passware Kit Forensic 11.7 or later ("Install for all users" option selected).

How-To for EnCase v7 and Higher


1. Launch EnCase and open a case file.
2. Click "Process Evidence". The information about encrypted files will be
displayed in the "Protected" and "Protection complexity" columns of
EnCase.
3. Right-mouse click on the file you would like to open:

4. Choose Open With -> Passware Kit. Passware Kit Forensic will be
launched as a File Viewer and the password recovery process will start
automatically.
5. After the file is decrypted or the password is recovered, you can open the
file directly from Passware Kit Forensic.

How-To for EnCase v6


If you are using EnCase v6, you can still use the encryption detection
capabilities of Passware Kit Forensic via EnScript. The sample EnScript
bookmarks all the password-protected or encrypted files for further analysis.
Passware Kit Forensic 10.3 or later is required in this case.
1. Launch EnCase and open a case file
2. Add C:\Program Files (x86)\Passware\Passware
Kit\EnCase\PasswareSample.EnScript
3. Select Entries you would like to scan
4. Run PasswareSample.EnScript
5. All the encrypted or password protected entries are bookmarked and
additional information is displayed at the Console. A sample report is
shown below:

Testing Password Recovery Settings


Before using Passware Kit to recover a password, you can test password
recovery settings against a known passwords list. The list could be Passware's
Frequent Passwords dictionary or your own list of previously used or known
passwords (a TXT file). As a result of the testing, Passware Kit reports the
percentage of passwords recovered with the current settings. To test the
settings against your passwords list, launch Passware Kit and click Tools |
Check Recovery Rate for a Known Passwords List...:

The Select a passwords list window appears. Locate your passwords list file
(TXT) and click Open.
Passware Kit processes your file and reports the result as displayed below:

Now you can see if the current settings are appropriate for your list of
passwords and optimize them if necessary!

Using the Decryptum Portable


Decryptum Portable is a set of rainbow tables that allows instant decryption of
Word and Excel files up to v.2003 with a Rainbow Tables attack. This set of
rainbow tables can be purchased in addition to Passware Kit and is shipped on
a physical USB disk.
With Decryptum Portable, the decryption is performed offline, so there's no
need to connect to Passware's Decryptum server. All types of File-Open
passwords are removed instantly, regardless of their length and strength.
There is no limitation on the number of files decrypted.
Limitations of Decryptum Portable:
The success rate is 99.7% for MS Word files and 95% for MS Excel files.
Decryptum Portable does not support MS Word/Excel files created with MS
Office 2007 or later versions and old files created with MS Office 95 or
prior versions.
Decryptum Portable does not recover the original password; it just
removes it.
Decryptum Portable does not work with Workbook/Worksheet, document
protection, or VBA passwords. It removes only File-Open passwords.
Files protected using additional crypto providers are not supported.
Documents created with restricted permissions using the "Information
Rights Service for Microsoft Office" are not supported.
MS Excel files that contain custom menus are not supported.
NOTE: In all cases above, you can use other regular password recovery
attacks to recover passwords for your files.
The overall steps are:
1. Start the Rainbow Tables attack;
2. Add the Rainbow Tables from the Decryptum Portable USB disk and run
the decryption process .

Starting the Rainbow Tables Attack


To use the Decryptum Portable, you first need to select the file that you
need to decrypt and start the Rainbow Tables attack against it.
1. Launch the Passware Kit application.
2. Click Recover File Password. This displays the Open dialog box.
3. Choose the MS Word or Excel file to decrypt and click Open. This displays
the screen shown below:

4. Click Advanced: Customize Settings. The Attack Editor appears, a


sample of which is shown in the following figure.

5. Remove all current attacks by clicking the Remove | Remove All button
in the toolbar.
6. Pick the Rainbow Tables attack from the list on the right and drag it to
the attack list in the middle pane. This displays the screen shown below:

Once you have started the Rainbow Tables attack, you need to add the
Rainbow Tables to it.

Adding the Rainbow Tables and Running the


Decryption Process
Once you have started the Rainbow Tables attack, you need to add the
Rainbow Tables to it. Make sure your Decryptum Portable USB disk is
connected and that you run Passware Kit as Administrator.
1. At the Attack Editor window click the Settings button to customize the
attack. This displays the screen shown below:

2. Click the Add button and locate the .RT files (rainbow tables) from the
connected Decryptum Portable USB disk. Click Ctrl+A to select all files as
shown below:

Click OK to add the tables selected.


Once you have added the rainbow tables to the attack, start the decryption
process by clicking the Recover >> button in the bottom right corner of the
Attack Editor window. This launches the decryption process:

The decryption process takes less than one minute for each of the files. The
results (i.e., the decrypted files) are displayed when the decryption is

complete. The figure below shows a sample result.

Password Recovery Details


This section describes the details of password recovery.
What do you want to do?
Learn about password recovery complexity levels
Find out what file types are supported by the Passware Kit
Read detailed descriptions of the different kinds of attack
Learn about attack modifiers
Learn about distributed password recovery

Supported File Types


The Passware Kit recognizes a wide variety of file types. Below is a table that
summarizes the supported file types and the password recovery options
(complexity) available for each type.
File-Open
Password
Recovery
Options

Aplication

File
Extension

Acrobat 3.0

PDF

Instant
Recovery /
Brute-force
Recovery - Fast

Acrobat 4.0

PDF

Instant
Recovery /
Brute-force
Recovery - Fast
/ Medium

Acrobat 5.0

PDF

Instant
Recovery /
Brute-force
Recovery Medium

Acrobat 6.0

PDF

Instant
Recovery /
Brute-force
Recovery Medium

Acrobat 7.0

PDF

Instant
Recovery /
Brute-force
Recovery Medium

Acrobat 8.0

PDF

Instant
Recovery /
Brute-force
Recovery -

Hardware
Acceleration

Medium
Acrobat 9.0

PDF

Instant
Recovery /
Brute-force
Recovery - Fast
/ Medium

Acrobat 10.0

PDF

Instant
Recovery /
Brute-force
Recovery Slow

Acrobat 11.0

PDF

Instant
Recovery /
Brute-force
Recovery Slow

Symantec ACT! 2.0

BLB

Instant
Recovery

Symantec ACT! 3.0

BLB

Instant
Recovery

Symantec ACT! 4.0

BLB

Instant
Recovery

Symantec ACT! 2000

BLB

Instant
Recovery

ACT! by Sage 2005

ADF

Instant
Recovery

ACT! by Sage 2006

ADF

Instant
Recovery

ACT! by Sage 2007

ADF

Instant
Recovery

ACT! by Sage 2008

ADF

Instant
Recovery

ACT! by Sage 2009

ADF

Instant
Recovery

Android Backup

AB

Brute-force

Recovery Slow
Brute-force
Recovery Slow

Android Image

BIN

Apple Disk Image

DMG, DD

Brute-force
Recovery Slow

Apple iTunes Backup / iOS


4.x - 7.x

PLIST

Brute-force
Recovery Slow

BestCrypt 6.0

JBC

Brute-force
Recovery Slow

BestCrypt 7.0

JBC

Brute-force
Recovery Slow

BestCrypt 8.0

JBC

Brute-force
Recovery Slow

FileMaker Pro 3.0

FP3

Instant
Recovery

FileMaker Pro 4.0

FP3

Instant
Recovery

FileMaker Pro 5.0

FP5

Instant
Recovery

FileMaker Pro 6.0

FP5

Instant
Removal

FileMaker Pro 7.0

FP7

Instant
Removal

FileMaker Pro 8.x

FP7

Instant
Removal

FileMaker Pro 9.0

FP7

Instant
Removal

FileMaker Pro 10.0

FP7

Instant

Removal
FileMaker Pro 11.0

FP7

Instant
Removal

FileMaker Pro 12.0

FMP12,
USR

Instant
Removal

Google Chrome Website

Instant
Recovery

ICQ 2000-2003

DAT

Instant
Recovery

ICQ 99a

DAT

Instant
Recovery

ICQ Lite

FB

Instant
Recovery

Lotus 1-2-3 1.1+

WK!, WK1,
WK4,
WRC,
WR1,
WR9, 123

Instant
Recovery

Lotus Notes 4.x

ID

Brute-force
Recovery Medium

Lotus Notes 6.x

ID

Brute-force
Recovery Medium

Lotus Notes 7.0

ID

Brute-force
Recovery Medium

Lotus Notes 8.0 (RC2


encryption)

ID

Brute-force
Recovery Medium

Lotus Organizer 1.0

ORG

Instant
Recovery

Lotus Organizer 2.0

OR2

Instant
Recovery

Lotus Organizer 3.0

OR3

Instant

Recovery
Lotus Organizer 4.0

OR4

Instant
Recovery

Lotus Organizer 5.0

OR5

Instant
Recovery

Lotus Organizer 6.0

OR6

Instant
Recovery

Lotus Word Pro 96-99

LWP

Instant
Recovery

Mac OS / FileVault2

DMG, DD,
IMG, BIN,
E01

Instant
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

Brute-force
Recovery Slow

Mac OS X Keychain

Mac OS X User / Hash

PLIST

Instant
Recovery
(Memory
Analysis) /
Brute-force
Recovery - Fast

Mac OS X 10.8 User / Hash

PLIST

Instant
Recovery
(Memory
Analysis) /
Brute-force
Recovery Slow

Mozilla Firefox Website


MS Access 2.0

Instant
Recovery
MDB

Instant
Recovery

MS Access 95

MDB

Instant
Recovery
Instant
Recovery

MS Access 97

MDB

MS Access 2000

MDB

Instant
Recovery

MS Access 2002

MDB

Instant
Recovery

MS Access 2003

MDB

Instant
Recovery

MS Access 2007

ACCDB

Brute-force
Recovery Slow

MS Access 2010

ACCDB

Brute-force
Recovery Slow

MS Access 2013

ACCDB

Brute-force
Recovery Slow

MS Access 2.0 System


Database

MDA

Instant
Recovery

MS Access 97 System
Database

MDW

Instant
Recovery

MS Access 2000 System


Database

MDW

Instant
Recovery

MS Access VBA

MDA

Instant
Recovery or
Reset

MS Backup

QIC

Instant
Recovery

MS Excel 4.0

XLS

Instant
Recovery

MS Excel 5.0

XLS

Instant
Recovery

MS Excel 95

XLS

Instant
Recovery
Instant
Recovery or
Removal /
Brute-force
Recovery - Fast

MS Excel 97

XLS

MS Excel 2000

XLS

Instant
Recovery or
Removal /
Brute-force
Recovery - Fast

MS Excel 2002

XLS

Instant
Recovery or
Removal /
Brute-force
Recovery Medium

MS Excel 2003

XLS

Instant
Recovery or
Removal /
Brute-force
Recovery Medium

MS Excel 2007

XLSX,
XLSM

Instant
Recovery or
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

MS Excel 2010

XLSX,
XLSM

Instant
Recovery or
Removal
(Memory
Analysis) /
Brute-force
Recovery -

Slow
Instant
Recovery or
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

MS Excel 2013

XLSX,
XLSM

MS Pocket Excel

PXL

Instant
Recovery

MS Excel VBA

XLA, XLSM

Instant
Recovery or
Reset

MS Internet Explorer 4.0-9.0


Website

Instant
Recovery

MS Internet Explorer 6.0-9.0


Webform

Instant
Recovery

MS Internet Explorer 6.0-9.0


Content Advisor

Instant
Removal

MS Mail

MMF

Instant
Recovery

MS Money 99 or earlier

MNY

Instant
Recovery

MS Money 2000-2001

MNY

Instant
Recovery

MS Money 2002

MNY

Brute-force
Recovery Medium

MS Money 2003-2004

MNY

Brute-force
Recovery Medium

MS Money 2005-2007

MNY

Brute-force
Recovery Medium

MS OneNote 2003 Section

ONE

MS OneNote 2007 Section

ONE

MS OneNote 2010 Section

ONE

Brute-force
Recovery Slow

MS OneNote 2013 Section

ONE

Brute-force
Recovery Slow

MS Outlook
2000/2003/2007/2010/2013
Email Accounts

Brute-force
Recovery Medium
Brute-force
Recovery Slow

Instant
Recovery

MS Outlook
2000/2003/2007/2010/2013
Form Template

OFT

Instant
Recovery

MS Outlook
2000/2003/2007/2010/2013
Personal Storage

PST

Instant
Recovery

MS Outlook Express
Accounts

Instant
Recovery

MS Outlook Express
Identities

Instant
Recovery

MS PowerPoint 2002

PPT

Instant
Recovery or
Removal /
Brute-force
Recovery Medium

MS PowerPoint 2003

PPT

Instant
Recovery or
Removal /
Brute-force
Recovery Medium

MS PowerPoint 2007

PPTX,
PPTM

Instant
Recovery or
Removal /
Brute-force
Recovery Slow

MS PowerPoint 2010

PPTX,
PPTM

Instant
Recovery or
Removal /
Brute-force
Recovery Slow

MS PowerPoint 2013

PPTX,
PPTM

Instant
Recovery or
Removal /
Brute-force
Recovery Slow

MS PowerPoint VBA

PPT, PPTM

Instant
Recovery or
Reset

MS Project 95

MPP

Instant
Recovery

MS Project 98

MPP

Instant
Recovery

MS Project 2000

MPP

Instant
Recovery

MS Project 2002

MPP

Instant
Recovery

MS Project 2003

MPP

Instant
Recovery

MS SQL 2000

MDF

Instant Reset

MS SQL 2005

MDF

Instant Reset

MS SQL 2008

MDF

Instant Reset

MS Windows NT Users /

Instant

Secure Boot Option

Recovery
(Memory
Analysis) or
Removal

MS Windows 2000 Users /


Secure Boot Option

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows 2000 Server


Users / Secure Boot Option

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows 2000 Server


Active Directory
Administrator

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows XP Users /
Secure Boot Option

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows 2003 Server


Users / Secure Boot Option

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows 2003 Server


Active Directory
Administrator

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows 2003 SBS


Users / Secure Boot Option

Instant
Recovery
(Memory
Analysis) or

Removal
MS Windows 2003 SBS
Active Directory
Administrator

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows Vista Users /


Secure Boot Option

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows Vista / Bitlocker

DD, IMG,
BIN, VHD,
E01

MS Windows 2008 Server


Users / Secure Boot Option

MS Windows 2008 Server /


BitLocker

Instant
Recovery
(Memory
Analysis) or
Removal
DD, IMG,
BIN, VHD,
E01

MS Windows 7 Users /
Secure Boot Option

MS Windows 7 / BitLocker

Instant
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

Instant
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

Instant
Recovery
(Memory
Analysis) or
Removal
DD, IMG,
BIN, VHD,
E01

Instant
Removal
(Memory

Analysis) /
Brute-force
Recovery Slow
Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows 2012 Server


Users / Secure Boot Option

MS Windows 2012 Server


Live ID Accounts
MS Windows 2012 Server /
BitLocker

Instant Reset
DD, IMG,
BIN, VHD,
E01

Instant
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

MS Windows 8 Users /
Secure Boot Option

Instant
Recovery
(Memory
Analysis) or
Removal

MS Windows 8 - 8.1 Live ID


Accounts

Instant Reset

MS Windows 8 - 8.1 /
BitLocker

DD, IMG,
BIN, VHD,
E01

Instant
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

MS Windows NTLM /
LANMAN Hash

Instant
Recovery /
Brute-force
Recovery - Fast

MS Windows Users / UPEK

Instant
Recovery

Network Connections

Instant
Recovery

Remote Desktop Connections

RDP

Instant
Recovery

MS Word 1.0

DOC, DOT

Instant
Recovery

MS Word 2.0

DOC, DOT

Instant
Recovery

MS Word 3.0

DOC, DOT

Instant
Recovery

MS Word 4.0

DOC, DOT

Instant
Recovery

MS Word 5.0

DOC, DOT

Instant
Recovery

MS Word 6.0

DOC, DOT

Instant
Recovery

MS Word 95

DOC, DOT

Instant
Recovery

MS Word 97

DOC, DOT

Instant
Recovery or
Removal /
Brute-force
Recovery - Fast

MS Word 2000

DOC, DOT

Instant
Recovery or
Removal /
Brute-force
Recovery - Fast

MS Word 2002

DOC, DOT

Instant
Recovery or
Removal /
Brute-force
Recovery Medium

MS Word 2003

DOC, DOT

Instant
Recovery or
Removal /
Brute-force
Recovery Medium

MS Word 2007

DOCX,
DOTX,
DOCM

Instant
Recovery or
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

MS Word 2010

DOCX,
DOTX,
DOCM

Instant
Recovery or
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

MS Word 2013

DOCX,
DOTX,
DOCM

Instant
Recovery or
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

MS Word VBA

DOC, DOT,
DOCM,
DOTM

Instant
Recovery or
Reset

MYOB earlier than 2004

PLS, PRM

Instant
Recovery

MYOB 2004

DAT

Instant Reset

MYOB 2005

MYO

Instant Reset

MYOB 2006

MYO

Instant Reset

MYOB 2007

MYO

Instant Reset

MYOB 2008

MYO

Instant Reset

MYOB 2009

MYO

Instant Reset

MYOB 2010

MYO

Instant Reset

Norton Backup

SET

Instant
Recovery

Paradox Database

DB

Instant
Recovery

Peachtree 2002-2006

DAT

Instant
Recovery

Peachtree 2007

DAT

Instant
Recovery

Peachtree 2008

DAT

Instant
Recovery

Peachtree 2010

DAT

Instant
Recovery

Peachtree 2013

DAT

Instant Reset

PGP Desktop 9.x - 10.x Zip

PGP

Brute-force
Recovery Slow

PGP Desktop 9.x - 10.x


Private Keyring

SKR

Brute-force
Recovery Slow / Medium

PGP Desktop 9.x - 10.x


Virtual Disk

PGD

Brute-force
Recovery Slow

PGP Desktop 9.x - 10.x SelfDecrypting Archive

EXE

Brute-force
Recovery Slow

PGP WDE

DD, IMG,
BIN, VHD,
E01

Instant
Removal
(Memory
Analysis) /

Brute-force
Recovery Slow
GnuPG Private Keyring

GPG

Brute-force
Recovery Slow

Quattro Pro 5 - 6

QPW,
WB1,
WB2, WB3

Instant
Recovery

Quattro Pro 7 - 8

QPW,
WB1,
WB2, WB3

Instant
Recovery

Quattro Pro 9 - 12, X3, X4

QPW

Instant
Recovery

QuickBooks 3.x - 4.x

QBW, QBA

Instant
Recovery

QuickBooks 5.x

QBW, QBA

Instant
Recovery

QuickBooks 6.x - 8.x

QBW, QBA

Instant
Recovery

QuickBooks 99

QBW, QBA

Instant
Recovery

QuickBooks 2000

QBW, QBA

Instant
Recovery

QuickBooks 2001

QBW, QBA

Instant
Recovery

QuickBooks 2002

QBW, QBA

Instant
Recovery

QuickBooks 2003

QBW, QBA

Instant
Recovery

QuickBooks 2004

QBW, QBA

Instant
Recovery

QuickBooks 2005

QBW, QBA

Instant
Removal

QuickBooks 2006

QBW, QBA

Instant
Removal
Instant
Removal

QuickBooks 2007

QBW, QBA

QuickBooks 2008

QBW, QBA

Instant
Removal

QuickBooks 2009

QBW, QBA

Instant
Removal

QuickBooks 2010

QBW, QBA

Instant
Removal

QuickBooks 2011

QBW, QBA

Instant
Removal

QuickBooks 2012

QBW, QBA

Instant
Removal

QuickBooks 2013

QBW, QBA

Instant
Removal

QuickBooks 2014

QBW, QBA

Instant
Removal

QuickBooks Backup

QBB

Instant
Removal

Quicken 95/6.0

QDF

Instant
Recovery

Quicken 98

QDF

Instant
Recovery

Quicken 99

QDF

Instant
Recovery

Quicken 2000

QDF

Instant
Recovery

Quicken 2001

QDF

Instant
Recovery

Quicken 2002

QDF

Instant
Recovery

Quicken 2003

QDF

Instant
Removal

Quicken 2004

QDF

Instant
Removal

Quicken 2005

QDF

Instant
Removal

Quicken 2006

QDF

Instant
Removal

Quicken 2007

QDF

Instant
Removal

Quicken 2008

QDF

Brute-force
Recovery Slow

Quicken 2009

QDF

Brute-force
Recovery Slow

Quicken 2010

QDF

Brute-force
Recovery Slow

Quicken 2011

QDF

Brute-force
Recovery Slow

Quicken 2012

QDF

Brute-force
Recovery Slow

Quicken 2013

QDF

Brute-force
Recovery Slow

Quicken 2014

QDF

Brute-force
Recovery Slow

RAR 2.0 Archive

RAR

Brute-force
Recovery Slow

RAR 2.9 - 4.x (AES


Encryption) Archive

RAR

Brute-force
Recovery Slow

RAR 5.x Archive

RAR

Brute-force
Recovery Slow
Instant
Recovery

Schedule+ 1.0

CAL

Instant
Recovery

Schedule+ 7.x

SCD

Instant
Recovery

TrueCrypt Non-System
Partition/Volume

DD, IMG,
BIN, VHD,
TC, E01

Instant
Removal /
Brute-force
Recovery Slow

TrueCrypt System
Partition/Volume

DD, IMG,
BIN, VHD,
TC, E01

Instant
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

TrueCrypt Whole Disk

DD, IMG,
BIN, VHD,
TC, E01

Instant
Removal
(Memory
Analysis) /
Brute-force
Recovery Slow

Safari Websites

Unix OS User Hash

Brute-force
Recovery - Fast
/ Slow

WordPerfect 5.x

WPD

Instant
Recovery

WordPerfect 6.0

WPD

Instant
Recovery

WordPerfect 6.1

WPD

Instant
Recovery

WordPerfect 7 - 12, X3, X4

WPD

Instant
Recovery

WinZip 8.0 or earlier

ZIP

Instant
Removal /
Brute-force
Recovery - Fast

Yandex Browser Website

Instant
Recovery

ZIP Archive

ZIP

Brute-force
Recovery - Fast
/ Slow

7-Zip Archive

7Z

Brute-force
Recovery Slow

Password Recovery Complexity


The Passware Kit supports 180+ file types with the following complexity levels:
Instant Unprotection -- Recovery or Reset of the password is guaranteed
and takes less than 1 minute.
Brute-force (Fast) -- Recovery of the password requires testing all
passwords one by one. Speed is about 1,000,000 passwords per second.
Brute-force (Medium) -- Recovery of the password requires testing all
passwords one by one. Speed is between 100,000 and 1,000,000
passwords per second.
Brute-force (Slow) -- Recovery of the password requires testing all
passwords one by one. Speed is less than 100,000 passwords per second.
Impossible - for some file types, password recovery is not possible.
When using the brute-force method, the Passware Kit tries to recover the
original password by testing all possible combinations. Four attacks are used to
recover the original password: Dictionary, Brute-force, Xieve, and Previous
Passwords. More information about these types of attacks can be found on the
Attack Descriptions page.
The speed of the recovery process performed by Brute-force attack is different
for different types of files. For example, for MS Word and Excel files it is fast,
for RAR archives it is slow.
Click here to learn more about the password recovery options and complexity
level for each supported file type.

Attack Descriptions
Passware Kit uses eight different password recovery attacks.

Dictionary
Dictionary attack tries thousands of words from dictionary files as possible
passwords.

Sample password: "Specialization".

Dictionary attack allows you to customize the following settings:


Password length
The program searches for the password of the specified length.
Dictionary file
Passware Kit offers 9 built-in dictionaries: Arabic, Dutch, English, French,
German, Italian, Portuguese, Russian, and Spanish. The program allows you to
compile your own dictionary file by choosing the "Custom" option.
Pattern
Defines the part of the password.
If any part of the password is known, enter it in the "Pattern" field. Known
parts can be separated with special masking symbols '*' or '?'. For example,
"*p?e*" will match both "apple" and "pie".
All '?' characters in the pattern are replaced by exactly one letter. I.e. pattern
"never?????" will match "neveragain" and won't match "forever", "nevermore".
'*' character is replaced by zero or more letters. I.e. pattern "never*" will
match "never", "neveragain", "nevermore", etc.
If you need to use symbols '?' or '*', type symbol '\' before them to cancel the
masking. For example, "whyme\?" will match only password "whyme?" and
won't match password "whyme\w".
You can also use unprintable control symbols in your password settings, such

as '\n' (linefeed), '\t' (tab), '\r' (carriage return), and others.


Casing
You can add Casing Modifier to the Dictionary attack to change casing of any
or all letters of the password.
Reverse Password
You can add Reverse Password Modifier to the Dictionary attack to check for
reversed words from the dictionary.

Brute-force
Brute-force Attack finds passwords by checking all possible combinations of
characters from the specified Symbol Set. This is the slowest, but most
thorough, method.

Sample passwords: "Pw5@", "23012009", and "qw3erty"

Brute-force attack allows you to customize the following settings:


Password length
The program searches for the password of the specified length.
Language
Passware Kit offers 9 built-in symbol sets for the following languages: Arabic,
Dutch, English, French, German, Italian, Portuguese, Russian, and Spanish.
You can also add special characters to the symbol set in the "Custom
characters" field.
Symbol Set
The Symbol Set can include Uppercase letters, Lowercase letters, Numbers,
Symbols, Spaces, and Custom characters.
Pattern
Defines the part of the password.
If any part of the password is known, enter it in the "Pattern" field. Known
parts can be separated with '*' or '?'. For example, "*p?e*" will match both
"apple" and "pie".
All '?' characters in the pattern are replaced by exactly one of the symbols
from the active Symbol Set. I.e. pattern "never?????" will match "neveragain"

and won't match "forever", "nevermore". '*' character is replaced by zero or


more symbols from the active Symbol Set (this number depends on password
length specified). I.e. pattern "never*" will match "never", "neveragain",
"nevermore", etc.
If you need to use symbols '?' or '*', type symbol '\' before them to cancel the
masking. For example, "whyme\?" will match only password "whyme?" and
won't match password "whyme\w".
You can also use unprintable control symbols in your password settings, such
as '\n' (linefeed), '\t' (tab), '\r' (carriage return), and others.

Xieve
Xieve optimization dramatically boosts Brute-force attack speed by skipping
password checks of nonsensical combinations of characters. It uses a large
built-in table of frequences of different combinations of letters.

Sample passwords: "mycomp" and "sweetemily".

Xieve attack allows you to customize the following settings:


Password length
The program searches for the password of the specified length.
Language
Passware Kit offers 9 built-in symbol sets for the following languages: Arabic,
Dutch, English, French, German, Italian, Portuguese, Russian, and Spanish.
You can also add special characters to the symbol set in the "Custom
characters" field.
Symbol Set
The Symbol Set can include Uppercase letters, Lowercase letters, Numbers,
Symbols, Spaces, and Custom characters.
Pattern
Defines the part of the password.
If any part of the password is known, enter it in the "Pattern" field. Known
parts can be separated with '*' or '?'. For example, "*p?e*" will match both
"apple" and "pie".
All '?' characters in the pattern are replaced by exactly one of the symbols
from the active Symbol Set. I.e. pattern "never?????" will match "neveragain"

and won't match "forever", "nevermore". '*' character is replaced by zero or


more symbols from the active Symbol Set (this number depends on password
length specified). I.e. pattern "never*" will match "never", "neveragain",
"nevermore", etc.
If you need to use symbols '?' or '*', type symbol '\' before them to cancel the
masking. For example, "whyme\?" will match only password "whyme?" and
won't match password "whyme\w".
You can also use unprintable control symbols in your password settings, such
as '\n' (linefeed), '\t' (tab), '\r' (carriage return), and others.
Xieve level
You can define the level of Xieve optimization by choosing between Low,
Medium and High. With the High level the application checks the most common
combinations of letters only, skipping all the combinations that are not typical
for the language selected.

Known Password/Part
Known Password/Part Attack checks a certain password entered in the "Value"
field. There is no need to open a file in order to check whether a certain
password is correct.
You can also use unprintable control symbols in your password settings, such
as '\n' (linefeed), '\t' (tab), '\r' (carriage return), and others.

This attack can be combined with other attacks using the Join Attacks option.
For example, if you know your password is a word followed by "1980", use Join
Attacks to combine Dictionary attack and Known Password/Part attack with the
value set to "1980".

Previous Passwords
Previous Passwords Attack checks passwords that were previously recovered
by other attacks for other files. It automatically saves all passwords found.

Decryptum
Decryptum Attack instantly decrypts MS Word and Excel files up to v.2003 in
online mode. It connects to the www.decryptum.com server to generate a free
preview or to decrypt files.

You are required to purchase a Decryptum PIN to save the decrypted file. The
partial preview of the file is free.
Passware Kit Standard, Professional, Enterprise, and Forensic editions already
include a free Decryptum PIN for one or more files.
Learn more about Decryptum Attack...
Decryptum attack is also available offline as Decryptum Portable. Passware's
portable rainbow tables are used by the Rainbow Tables attack and allow
instant offline decryption of MS Word and Excel files of version up to 2003.
Learn more about Decryptum Portable...

Encryption Keys Extraction


Encryption Keys Extraction Attack instantly decrypts MS Office 2007-2013 files
(Word, Excel, PowerPoint) if there is a memory image of a computer acquired
while the file was open. The attack instantly extracts the encryption keys from
the memory image or the system hibernation file (hiberfil.sys) and decrypts
the file, regardless of the password length.

To acquire the memory image, you can use Passware FireWire Memory
Imager.

Surezip
SureZip attack decrypts Zip archives created with WinZip version 8.0 and
earlier in less than an hour regardless of password used to protect it. At least
5 simultaneously encrypted files are required in order to process the archive.
Archives created with WinZip are supported.

Zip Plaintext
If there is at least one file from a password protected Zip archive available
unencrypted, Zip Plaintext attack instantly decrypts the whole archive,
regardless of the password length. Archives with WinZip standard encryption
are supported. AES-encrypted archives are not supported by Plaintext attack.

Zip Plaintext attack allows you to customize the following settings:


Plaintext archive
Please compress the known file with the same version of Zip and then apply it
to the Zip Plaintext attack as a Plaintext archive.
Plaintext file should be zipped without encryption byte-by-byte equal to the
one you have among others in the encrypted zip archive.

Join Attacks
Join Attacks group applies its attacks to different parts of the password. Set
the whole password length first. Then add attacks to the Join Attacks group for
each part of the password.

Example: for passwords like "green123", set the following Join Attacks group:
Join Attacks
(Password Length: from 8 to 8)
Dictionary Attack: English
(Password Length: from 5 to 5)
+
Brute-force Attack: English
(Password Length: from 3 to 3
Symbol Set: Numbers)

Sample passwords: "admin123" and "black000".

Join Attacks group allows you to customize the following settings:


Password length
The program searches for the password of the total specified length.
Reversed Order
The program also checks passwords from the reversed order of the attacks. For
the previous example, sample passwords are: "123green","123admin",
"000black".

Append Attacks
Append Attacks group runs attacks to check the shortest passwords first, then
runs the same attacks to check increasingly longer passwords.

When Append Attacks group is not enabled, Passware Kit checks all the
passwords of each attack before running the next attack.

Rainbow Tables
Rainbow Tables attack recovers hashed passwords from Windows, MD5,
LANMAN, NTLM, and SHA1 hashes. To calculate a password, it uses a rainbow
table - a precomputed table for reversing cryptographic hash functions.
Rainbow tables are available for download at third-party websites, such as
FreeRainbowTables.com (free) and Rainbow Crack. The attack supports
unpacked non-hybrid .RT tables, .RTI tables converted with rti2rto.exe tool,
and .RTC tables converted with rtc2rt.exe.
The Rainbow Tables attack can also be used to decrypt instantly MS Word and
Excel files up to v.2003. To decrypt the files, the attack requires special
rainbow tables that are available as an additional product by Passware Decryptum Portable.

Attack Modifiers
Attack modifiers enable you to further control the password recovery process
by specifying which casing is used, and whether a reverse password should be
used.
Once you have added a modifier, you should then add an attack to this
modifier.

Change Casing Modifier


This modifier specifies how uppercase and lowercase letters are used in your
password. The default is Original. You can add, remove, or change the settings
for a particular attack as required, using the Attack Editor.
For example, the password "paSsWOrd" can be modified as follows:
Original (no modifications): paSsWOrd
Normal (first letter capital, the rest are lowercase): Password
Toggle (vice-versa to Normal, first letter lowercase, the rest are capital):
pASSWORD
Upper (all letters capital): PASSWORD
Lower (all letters lowercase): password
Reverse (vice-versa to Original): PAsSwoRD
Mixed (randomize lowercase and capital letters): PaSsWord

Reverse Password Modifier


This modifier reverses your password. For example, "password" becomes
"drowssap".

Hardware Acceleration
Passware Kit accelerates password-recovery processes using hardware.

Multiple CPUs
Passware Kit utilizes multi-core computers efficiently. Password-recovery
speed is increased scalable to the number of CPUs on a computer.

NVIDIA and ATI GPU


GPU (Graphics Processing Unit) cards help to accelerate password recovery by
up to 45 times. Passware Kit supports all types of NVIDIA GeForce cards,
TESLA, and other CUDA cards, as well as ATI (AMD Radeon).
Passware Kit automatically detects NVIDIA and ATI cards available for
acceleration on a target computer and uses them to speed up the password
search process. It can use multiple cards simultaneously.
NOTE: The performance of NVIDIA cards depends on the version of the driver
installed. The maximum password recovery speed on NVIDIA cards is achieved
using driver GeForce 327.23. For AMD cards, we recommend using driver
version 13.152 + OpenCL Driver version 10.0.1268.1.

Tableau TACC
Tableau TACC 1441 hardware accelerator helps to speed up the passwordrecovery process by up to 25 times. The device is connected to a computer
through a FireWire port. Passware Kit supports multiple TACC hardware
accelerators connected to a single computer for better performance.

Distributed Password Recovery


Passware Kit uses the computing power of multiple computers to achieve the
highest performance. All hardware acceleration methods listed above can be
used in Distributed Password Recovery.
NOTE: Multiple CPU and TACC acceleration is enabled by default. To enable
GPU acceleration and Distributed Password Recovery, check the Acceleration
Units and Distributed Password Recovery boxes as shown below:

In order for Passware Kit to detect and use your GPU card, the latest driver for
this card model and operating system should be installed. The drivers are
available for download at NVIDIA and AMD websites.
The table below summarizes the accelerated password-recovery speeds for the
most difficult-to-decrypt file types. *

Password
Recovery
Speed on
CPU
(p/s)

Password
Recovery
Speed on
NVIDIA
GPU
(p/s)

Password
Recovery
Speed on
AMD GPU
(p/s)

Password
Recovery
Speed on
TACC
accelerator
(p/s)

File Type

Encryption
/ Hashing

Android
Backup

AES-256 /
SHA-1

1,868

24,654

25,565

7,366

Android
Image

AES-128 /
SHA-1

9,365

120,661

121,296

34,268

Apple
Disk
Image

AES-256 /
SHA-1

16,691

76,542

69,557

24,913

Apple
iTunes
Backup

AES-256 /
SHA-1

1,858

24,488

25,591

6,673

Lotus
Notes ID

AES-256 /
SHA-1

601

83,642

N/A

N/A

Mac
FileVault2

AES-128 /
SHA-256

51

3,703

4,235

N/A

Mac
Keychain

TripleDes /
SHA-1

18,228

181,765

174,655

48,005

Mac OS X
10.8 10.9
Hash

SHA-512

35

635

515

N/A

MS
BitLocker

BitLocker /
SHA-256

168

N/A

N/A

MS Office
2013

AES-256 /
SHA-512

63

1,108

1,230

N/A

MS Office
2010

AES-128 /
SHA-1

699

10,391

10,600

1,922

MS Office
2007

CSP / SHA1

1,412

20,912

20,980

3,804

PGP SDA
Archive

CAST /
SHA-1

10,807

424,275

N/A

56,821

PGP Disk
(PGD)

AES-256 /
SHA-1

1,900

N/A

N/A

15,140

PGP
Private
Keyring
RSA

AES-256 /
SHA-1

666

31,644

N/A

4,699

PGP
Private
Keyring
DSA

AES-256 /
SHA-1

502

23,905

N/A

3,572

PGP WDE

AES-256 /
SHA-1

7,935

301,697

N/A

48,335

PGP Zip
Archive

CAST /
SHA-1

258

13,285

N/A

1,863

RAR 3.x4.x

AES-128 /
SHA-1

579

9,588

9,529

1,751

RAR 5.x

AES-256 /
SHA-256

78

5,619

6,457

N/A

TrueCrypt

System /
RIPEMD160

452

48,411

N/A

N/A

Zip

AES / SHA1

36,092

467,013

451,293

91,288

7-Zip
Archive

AES-256 /
SHA-256

398

4,467

N/A

N/A

*
Settings: Brute-force attack, password length from 5 to 5 characters, English
lowercase letters, English uppercase letters, numbers.
CPU: Intel Core i5-2400 @ 3.10GHz (4 cores)
GPU: NVIDIA GeForce GTX 680 (Kepler)
GPU: AMD Radeon HD 7850 (Pitcairn)
TACC: Tableau TACC1441.

Distributed Password Recovery


Passware Kit accelerates password recovery using the computing power of
multiple computers to achieve the highest performance.

Features of Distributed Password Recovery


Recovers passwords for 40+ file types that require Brute-force attack
Has linear performance scalability
Uses multiple-core CPUs and nVidia GPUs efficiently to speed up the
password recovery process
Uses Tableau TACC hardware accelerators to speed up the password
recovery process by up to 25 times
Each computer running Passware Kit Agent supports multiple CPUs, GPUs,
and TACC accelerators simultaneously
Uses Dictionary, Brute-force, Xieve, Known Password/Part, Previous
Passwords attacks and any combination of them
Uses Amazon Compute Cloud to accelerate MS Office 2007-2010 password
recovery by up to 20 times without your having to buy expensive
hardware (watch the video guide)
Passware Kit Agent is available for both Windows and Linux systems, 32
and 64 bit.

The overall steps in using the distributed password recovery are as follows:
1. Install Passware Kit Agents on multiple computers
2. Run Passware Kit on your computer (Passware Kit Server)
3. Passware Kit Agents detect and connect to Passware Kit automatically, and
password recovery tasks are divided among multiple computers
Add more Passware Kit Agents

Installing Passware Kit Agents


Passware Kit Agent is available for download for both Windows and Linux
systems, 32 and 64 bit.
For instructions on installing and running Passware Kit Agent on Linux, refer
to the README file from the downloaded TAR archive.
Below are the instructions on installing and running Passware Kit Agent for
Windows.
1. Run the passware-kit-agent.msi file to install Passware Kit Agent on
node computers. Use the same installation file to install the Agents on
multiple computers
2. You have the option to configure Passware Kit Agent to connect to a
specific server. Launch Passware Kit Agent. The following screen appears:

At the Settings tab, you can choose between Auto discovery and
Manual connection to Passware Kit:

In the Auto discovery mode, Passware Kit Agent automatically locates a


running installation of Passware Kit over the network. In the Manual
connection mode, you can specify the name of the computer Passware Kit
is running on.

Now that you have installed Passware Kit Agent, you are ready to recover the
password with Passware Kit.

Running Passware Kit and Recovering the


Password
Once you have installed Passware Kit Agent, you are ready to recover the
password by following these steps:
1. Launch Passware Kit on the server computer and select a file to process. At
the following screen, click the Enable distributed password recovery
checkbox:

2. Choose one of the three options to specify password settings. Password


recovery process starts.
3. The Agents tab displays all the Passware Kit Agents detected over the
network. You can see the status of each of the Agents in the Status
column:

Status "Running the current attack" means that this Passware Kit Agent is
connected to Passware Kit and is running the current password recovery
task.
4. When the Passware Kit Agent is connected to Passware Kit, it's Settings
tab displays the IP address and port of the Passware Kit Server, and the
Activity tab displays a graph of resources usage:

During the password recovery process, the status of the Agent is


"Connected and busy..."
5. The detailed activity of the Passware Kit and Passware Kit Agents is
displayed in the Log tab:

6. You can adjust the GPU usage during the password recovery process for
efficient performance of your computer by enabling the Use GPU
acceleration only when the user is not active checkbox from the
Tools | Options menu.
Now your password is being recovered using multiple computers
efficiently!

Adding Passware Kit Agents


1. Launch Passware Kit and click Tools | License Manager:

2. The License Manager window appears. It displays the initial Serial


Number of your Passware Kit license and the total number of Passware Kit
Agents available for this license:

Click Add SN:

3. Enter your new Serial Number and click OK.


4. The License Manager window now displays your new Serial Number and
the increased number of Passware Kit Agents available for your license.
Click OK to save the changes.
Now you can use more computers to recover your password even faster!

Amazon Elastic Compute Cloud


Passware Kit accelerates password recovery using the power of cloud
computing to achieve the highest performance without your having to buy
expensive hardware.

Features of Amazon EC2 Password Recovery


Recovers passwords for MS Office 2007-2010 files that require a Bruteforce attack
Each Amazon EC2 Instance has two NVIDIA Tesla Fermi GPU cards, which
accelerate password recovery by 11 times
Uses Dictionary, Brute-force, Xieve, Known Password/Part, Previous
Passwords attacks and any combination of them
No need to overload computer CPU since the time-consuming password
calculation process is performed remotely
No need to purchase expensive hardware. Pay only for capacity that you
actually use

The overall steps are as follows:


1. Launch Amazon EC2 Instance.
2. Run Passware Kit on your computer (Passware Kit Server).
3. Passware Amazon Agents detect and then connect to Passware Kit, and
password recovery tasks are divided among Amazon instances.

Launching Amazon EC2 Instance


Passware Kit accelerates password recovery using Amazon Elastic Compute
Cloud (EC2) - a highly scalable cloud computing platform.

Working with Passware Amazon Agent


1. Sign in to the AWS Management Console at http://aws.amazon.com/.
If you do not have an Amazon AWS account, you need to sign up first.
2. Click on the EC2 tab. At the Navigation pane, go to NETWORKING &
SECURITY -> Security Groups. Select the default group.

3. Once at the default group, make a new connection rule by clicking on


Inbound, selecting Custom TCP rule from the Create a new rule menu,
and typing 11555 in the Port range field. Click Add Rule, then Apply
Rule Changes.
4. At the Navigation pane, go to IMAGES -> AMIs. Make sure the Region is
set to US East (Virginia). Select image Passware Amazon agent. To
locate this image, type "passware" in the Search field in the Viewing area.

5. Right-click the mouse on the image and select Launch Instance. The
Request Instances Wizard window appears.
6. In the Instance Type field, select Cluster GPU from the pull-down menu.
Click Continue.
7. In the Placement Group field, select Create new placement group...
and type any name for the new group. In the User Data field, type your
own authentication key.
NOTE: By specifying an authentication key, you secure the Instance, so
that no other user can connect to Passware Amazon Agent. Click
Continue.

8. Skip the next window by clicking Continue.


9. At Create Key Pair, select Proceed without a Key Pair. Click Continue.
10. At Configure Firewall, select the default Security Group. Click
Continue.
11. At Review verify all the fields and click Launch.
12. The Amazon EC2 Instance is now launched.

NOTE: After you finish the password recovery process, stop the
Instance in AWS Management Console. Go to the EC2 tab, click on
Instances in the Navigation pane, and select Stop from the right-click menu
of the running Instance. Sign out from the AWS Management Console.

Now that you have launched the Amazon EC2 Instance, you are ready to
recover the password with Passware Kit.

Running Passware Kit and Recovering the


Password
Once you have launched an Amazon EC2 instance, you are ready to recover
the password by following these steps:
1. Launch Passware Kit and click Tools | Options... | Network.
2. Click the Enable Distributed Password Recovery checkbox. The
Amazon Elastic Compute Cloud group appears.
3. Click the Enable Password Recovery on Amazon EC2 checkbox.
4. In the Instance public DNS field paste the value copied from AWS
Management Console. (To see this value in AWS Management Console, go
to the EC2 tab, click on Instances in the Navigation pane, then click on
the running instance. Copy the value of the Public DNS field from the
Instance Description.) The DNS value should look like this: ec2-xxx-xxxxxx-xxx.compute-1.amazonaws.com.
5. In the Instance authentication key field, paste the value copied from
AWS Management Console. (To see this value in AWS Management
Console, go to the EC2 tab, click on Instances in the Navigation pane,
right-mouse click on the running instance, and click on View/Change
User Data. Copy the value of the User Data field, which is used as your
authentication key.)

6. Click OK.

7. Click Recover File Password and select a file to process. At the following
screen, choose one of the three options to specify password settings.

8. The password recovery process starts.


9. The Log tab displays all the Passware Amazon Agents detected over the
network. Status Connected to Passware Amazon Agent means that
this Passware Amazon Agent is connected to Passware Kit and is running
the current password recovery task.

Now your password is being recovered using the power of cloud


computing!

NOTE: After you finish the password recovery process, stop the
Instance in AWS Management Console. Go to the EC2 tab, click on
Instances in the Navigation Pane, and select Stop from the right-click menu
of the running Instance. Sign out from the AWS Management Console.

System Requirements
Microsoft Windows XP, Vista, Server 2003/2008/2012, or Windows 7/8
(32-bit or 64-bit) installed and configured on your system
1 GHz processor (2.4 GHz recommended)
512 MB of RAM (1 GB recommended)
150 MB of free hard disk space (more if you use custom dictionaries)
Passware software supports PC platforms only. However, it can recover
passwords for some files created on Macintosh, such as FileMaker. You can run
Passware products on a Virtual PC or Parallels Desktop to unprotect your files.
For Windows Key, a Windows Setup 32-bit CD is required, as well as a burning
CD-RW drive in order to record a password reset CD instead of the USB disk.
To acquire a physical memory image of the target computer using Passware
FireWire Memory Imager (used to recover BitLocker, TrueCrypt, PGP, MS
Office encryption keys, as well as Windows and Mac user passwords), a
FireWire cable is required. Both the target computer and the computer used
for acquisition should have FireWire (IEEE 1394) ports. A USB flash drive for
Passware FireWire Memory Imager should be 8 GB or more.

System Recommendations
The password calculation process depends to some extent on the processor
speed.
We recommend 1 GB RAM. Larger RAM does not make much difference to the
password calculation process.
Passware Kit supports network distributed password recovery, multi-CPU, and
multi-core systems.
To accelerate a password recovery process, Passware Kit uses both NVIDIA and
ATI GPU cards, as well as Guidance Tableau TACC accelerator.
NOTE: The performance of NVIDIA cards depends on the version of the driver
installed. The maximum password recovery speed on NVIDIA cards is achieved
using driver GeForce 327.23. For AMD cards, we recommend using driver
version 13.152 + OpenCL Driver version 10.0.1268.1.
Cost-efficient hardware: We recommend using Intel Core i5 processor
or similar. The number of cores is more important than its frequency.
To accelerate a password recovery process, use NVIDIA GeForce GTX
(CUDA architecture) and AMD Radeon HD cards. AMD cards are
cheaper than NVIDIA, providing the same or even higher performance.
However, ATI cards are currently supported for password recovery only for
Office 2007-2013 files, RAR and Zip archives, Mac Keychain files, Apple
DMG images, and iTunes backups. Please note that GTX 5XX cards provide
better acceleration than the latest 6XX ones. If you use GPU acceleration,
pay attention to the corresponding cooling system and power supply unit,
depending on the number of GPU cards.
Maximum performance:
Maximum performance can be achieved by using Distributed Password
Recovery. The more Passware Kit Agents you use, the better. We also
recommend using the 64-bit versions of Passware Kit and Passware Kit
Agent.
Recommendations for Passware Kit Server:
Intel Core i7 processor or higher. No GPU. Disable the built-in
Passware Kit Agent.
Recommendations for Passware Kit Agent:
Intel Core i7 processor, with 4 cores or more. Two dual AMD
Radeon HD 7990 cards. Corresponding cooling system.

Corresponding power supply unit.

Passware Kit Frequently Asked Questions


The answers to these commonly asked questions can help you use the
Passware Kit more efficiently. The answers refer to Passware's online
Customer Support center.
1

How long does it take to recover a password?

What is Distributed Password Recovery and how do I use it?

Does your Distributed Password Recovery take advantage of remote


GPUs or TACCs?

Why do I sometimes get random characters instead of the original


password?

How much does it cost to update Passware product to the latest


version?

Why is Passware Kit connecting to the Internet when I run Default


Attacks to recover my password?

How do I reset the Administrator password on a different


computer?

How can I transfer Passware Kit to another PC?

How do I uninstall Passware Kit?

10

Can Passware Kit recover passwords for multiple files


simultaneously?

11

What models of GPU cards do you recommend for hardware


acceleration?

12

I don't have any Windows 8/7, Server 2012/2008/2003, Vista, XP,


or 2000 Setup CD. How do I use Passware Kit to reset a Windows
Administrator password?

13

Passware Kit/Windows Key cannot find any Windows installations


on my hard disk. What is wrong?

14

Does Passware Kit work with Hard Drive encryption?

15

Can the software decrypt a BitLocker or TrueCrypt drive that was


not mounted when the memory dump was created?

16

Does the software support .E01 disk image files?

17

How do I use Passware Kit with Guidance EnCase?

18

Does Passware Kit support Macintosh?

19

How do I use a Portable Version?

20

What are the limitations of the demo version?

21

How difficult is it to recover my password and is hardware


acceleration possible?

22

What are the terms of the end user license agreement for Passware
software?

23

What bearing does Passware Kit have on Windows security?

Contact Passware
Passware is dedicated to providing the best possible customer care.
What do you want to do?
Learn more about Passware and its products
Contact Customer Support

More About Passware


Who We Are
Founded in 1998, Passware, Inc. is the worldwide leading maker of password
recovery and decryption software for corporations, law enforcement and
forensic agencies, help desk personnel, business and home users.
Numerous federal, state, and local government agencies, Fortune 500
companies, and thousands of private users rely on Passware software products
to ensure data availability in the event of lost passwords.
A few of our customers include: Microsoft, Adobe, Apple, Intel, HewlettPackard, Deloitte, Ernst & Young, KPMG, PricewaterhouseCoopers, Department
of Justice, US Senate, NASA, FDA, IRS, and many more.

Contacting Customer Support


You can contact Passware customer support online at:
http://www.LostPassword.com/support.

Non-customer Support Questions


If you have other questions besides customer support, you can contact
Passware by:
Phone

+1 (650) 472-3716

Fax

+1 (650) 403-0718

Mail

Passware Inc.
800 W El Camino Real, Ste 180
Mountain View, CA 94040
USA

Contact Customer Support


To request customer support please follow the steps below:
1. Select Request Customer Support Online item from the Help menu
2. Enter all applicable information in the form
3. Click the 'Submit request' button

Tips
The Online Customer Support is the fastest way to get support. The form is
specifically designed to gather information necessary to handle customer
inquiries most effectively.
You can also contact Passware customer support by:
Email

csupport@lostpassword.com

Fax

+1 (650) 403-0718

Online

http://www.LostPassword.com/support

SOFTWARE LICENSE AGREEMENT FOR PASSWARE


SOFTWARE
This Software License Agreement ("SLA") is a legal agreement between you
(either an individual or a single entity) and Passware for the Passware
software product identified above, which includes computer software and may
include associated media, printed materials, and "online" or electronic
documentation ("SOFTWARE PRODUCT"). By installing, copying, or otherwise
using the SOFTWARE PRODUCT, you agree to be bound by the terms of this
SLA. If you do not agree to the terms of this SLA, do not install or use the
SOFTWARE PRODUCT; you may, however, return it to your place of purchase
for a full refund.

SOFTWARE PRODUCT LICENSE


The SOFTWARE PRODUCT is protected by copyright laws and international
copyright treaties, as well as other intellectual property laws and treaties. The
SOFTWARE PRODUCT is licensed, not sold.

1. GRANT OF LICENSE
This SLA grants you the following rights:
Applications Software. You may install and use one copy of the SOFTWARE
PRODUCT, or any prior version for the same operating system, on a single
computer. The primary user of the computer on which the SOFTWARE
PRODUCT is installed may make a second copy for his or her exclusive use on
a portable computer.
Storage/Network Use. You may also store or install a copy of the SOFTWARE
PRODUCT on a storage device, such as a network server, used only to install
or run the SOFTWARE PRODUCT on your other computers over an internal
network; however, you must acquire and dedicate a license for each separate
computer on which the SOFTWARE PRODUCT is installed or run from the
storage device. A license for the SOFTWARE PRODUCT may not be shared or
used concurrently on different computers.
License Pack. If you have acquired this SLA in a Passware License Pack, you
may make the number of additional copies of the computer software portion of
the SOFTWARE PRODUCT accordingly to the number of licenses acquired
(stated in receipt), and you may use each copy in the manner specified above.
You are also entitled to make a corresponding number of secondary copies for
portable computer use as specified above.
Demo. If you have acquired this SLA with Passware SOFTWARE PRODUCT
labeled as demo version of another Passware SOFTWARE PRODUCT, you are
granted unlimited number of SLA's, and you may use unlimited number of
copies in the manner specified above.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS


Not for Resale Software. Notwithstanding other sections of this SLA, you may
not resell, or otherwise transfer for value, the SOFTWARE PRODUCT.
Limitations on Reverse Engineering, Decompilation, and Disassembly. You may
not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT,
except and only to the extent that such activity is expressly permitted by
applicable law notwithstanding this limitation.
Separation of Components. The SOFTWARE PRODUCT is licensed as a single
product. Its component parts may not be separated for use on more than one
computer.
Rental. You may not rent, lease, or lend the SOFTWARE PRODUCT.
Support Services. Passware may provide you with support services related to
the SOFTWARE PRODUCT ("Support Services"). Use of Support Services is
governed by the Passware policies and programs described in "online"
documentation, and/or in other Passware-provided materials. Any
supplemental software code provided to you as part of the Support Services
shall be considered part of the SOFTWARE PRODUCT and subject to the terms
and conditions of this SLA. With respect to technical information you provide
to Passware as part of the Support Services, Passware may use such
information for its business purposes, including for product support and
development. Passware will not utilize such technical information in a form
that personally identifies you.
Software Transfer. You may permanently transfer all of your rights under this
SLA, provided you retain no copies, you transfer all of the SOFTWARE
PRODUCT (including all component parts, the media and printed materials, any
upgrades, this SLA, and, if applicable, the Certificate of Authenticity), and the
recipient agrees to the terms of this SLA. If the SOFTWARE PRODUCT is an
upgrade, any transfer must include all prior versions of the SOFTWARE
PRODUCT.
Termination. Without prejudice to any other rights, Passware may terminate
this SLA if you fail to comply with the terms and conditions of this SLA. In such
event, you must destroy all copies of the SOFTWARE PRODUCT and all of its
component parts.

3. INDEMNIFICATION
You accept full legal responsibility for all password recovery performed through
your use of the SOFTWARE PRODUCT. Password recovery and decryption of
unauthorized or illegally obtained files or media may constitute theft and may
result in your civil and criminal prosecution. You agree to hold harmless and
indemnify Licensor for any and all demands, claims, legal action and damages,
including all attorney's fees and costs, against Licensor which arise out of your
use of the Program.

4. UPGRADES
If the SOFTWARE PRODUCT is labeled as an upgrade, you must be properly
licensed to use a product identified by Passware as being eligible for the
upgrade in order to use the SOFTWARE PRODUCT. A SOFTWARE PRODUCT
labeled as an upgrade replaces and/or supplements the product that formed
the basis for your eligibility for the upgrade. You may use the resulting
upgraded product only in accordance with the terms of this SLA. If the
SOFTWARE PRODUCT is an upgrade of a component of a package of software
programs that you licensed as a single product, the SOFTWARE PRODUCT may
be used and transferred only as part of that single product package and may
not be separated for use on more than one computer.

5. COPYRIGHT
All title and copyrights in and to the SOFTWARE PRODUCT (including but not
limited to any images, photographs, animations, video, audio, music, text, and
"applets" incorporated into the SOFTWARE PRODUCT), the accompanying
printed materials, and any copies of the SOFTWARE PRODUCT are owned by
Passware or its suppliers. The SOFTWARE PRODUCT is protected by copyright
laws and international treaty provisions. Therefore, you must treat the
SOFTWARE PRODUCT like any other copyrighted material except that you may
install the SOFTWARE PRODUCT on a single computer provided you keep the
original solely for backup or archival purposes. You may not copy the printed
materials accompanying the SOFTWARE PRODUCT.

6. DUAL-MEDIA SOFTWARE
You may receive the SOFTWARE PRODUCT in more than one medium.
Regardless of the type or size of medium you receive, you may use only one
medium that is appropriate for your single computer. You may not use or
install the other medium on another computer. You may not loan, rent, lease,
or otherwise transfer the other medium to another user, except as part of the
permanent transfer (as provided above) of the SOFTWARE PRODUCT.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PASSWARE AND
ITS SUPPLIERS DISCLAIM ALL WARRANTIES AND CONDITIONS, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
TITLE, AND NON- INFRINGEMENT, WITH REGARD TO THE SOFTWARE
PRODUCT, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT
SERVICES.
LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY
APPLICABLE LAW, IN NO EVENT SHALL PASSWARE OR ITS SUPPLIERS BE
LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL
DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR
LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS
INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE
OF OR INABILITY TO USE THE SOFTWARE PRODUCT OR THE PROVISION OF
OR FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF PASSWARE HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE,
PASSWARE'S ENTIRE LIABILITY UNDER ANY PROVISION OF THIS SLA SHALL
BE LIMITED TO THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR
THE SOFTWARE PRODUCT OR U.S.$5.00. BECAUSE SOME STATES AND
JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

More About the Passware Kit


The Passware Kit can reduce the time you spend recovering passwords,
improves password recovery rates, and gives you more control over the
password recovery process. It can recover all kinds of passwords for the
world's most popular office application files, including Excel, Word, WinZip,
Windows 2008/Vista/2003/XP, Internet Explorer, Firefox, Access, Outlook,
Acrobat, QuickBooks, FileMaker, WordPerfect, VBA, Lotus Notes, ACT!, and
more.
The Passware Recovery Kit includes 30+ password recovery modules
integrated in an all-in-one user interface. Advanced acceleration methods are
used to recover difficult passwords. Instant online decryption is supported for
MS Word and Excel files up to version 2007.
The Passware Kit also includes Encryption Analyzer Professional, which can
find password-protected files on your computer system -- either on a PC, or
over the network.

Key Features
All-in-one password recovery for 180+ file types
Integrated Encryption Analyzer Pro scans computers for passwordprotected items
Integrated Search Index Examiner retrieves electronic evidence from a
Windows Desktop Search Database
Resets passwords for Local and Domain Windows Administrators
Instant online decryption of Word/Excel files (up to version 2003)
Multi-core CPUs acceleration
GPU acceleration for MS Office 2007 files
Basic password recovery attacks: Dictionary, Xieve, Brute-force, Known
Password/Part, Previous Passwords
Password modifiers supported (casing, reverse words, etc.)
Combination of attacks for passwords like "strong123password"
Wizard for an easy setup of password recovery attacks
MD5 hash values for forensic reports
What do you want to do?
Quick Start
Recover file password
Recover Internet and network passwords
Create a Windows password reset disk
Search for protected files
Recover hard drive password

Recovering a One-Dictionary-Word Password


Specifying the Dictionary
If you indicated that the password was one dictionary word, such as
"administrator", "apple", "support", and "laptop", the next screen asks you to
specify the language of the dictionary.

Chose the appropriate dictionary and click Next.


Specifying the Dictionary Attack Settings
This screen enables you to fine-tune the attack settings, such as specifying a
password length, any known parts, the casing, and whether it can be reversed.
Complete this screen, and click Finish to display the results of the password
recovery process.

NOTE: If you indicated your password was more than one dictionary word, an
intermediate screen appears, asking how long the entire password is, how
many parts there are, and if you know some settings (such as case or known
parts) for each part. After you enter this information, the Dictionary Attack
Settings screen appears for each part.

Recovering a Multiple-Dictionary-Word Password


Specifying the Dictionary
If you indicated that the password was more than one dictionary word, such as
"bigapple", "securepassword", and "mycomputer", the next screen asks you to
specify the language of the dictionary.

Chose the appropriate dictionary and click Next.


Specifying the Number of Words
The next screen lets you optionally specify a length for the entire password,
and asks you how many words the password contains. You can also indicate
that you know some settings for each part, such as length and casing.
NOTE: If you know the total password length, enable check-box "Set the
password length". Otherwise, the program will set the total password length
based on further information about password parts.

Complete this screen and click Next.


NOTE: If you did not select any of the "I know settings..." checkboxes, there is
no "Next" button - simply click Finish.
Specifying the Dictionary Attack Settings
If you indicated you know settings for any of the parts of the password, this
screen enables you to fine-tune the attack settings (such as specifying a
password length, any known parts, the casing, and whether it can be reversed)
for each part. There is a separate screen for each part for which you know
settings.

Complete this screen, and click Finish to display the results of the password
recovery process.

Recovering a Password that Combines Dictionary


Words and Letters, Numbers, and Symbols
Specifying the Dictionary
If you indicated that the password combined dictionary words with letters,
numbers, and symbols, such as "weird&123", the next screen asks you to
specify the language of the dictionary.

Chose the appropriate dictionary and click Next.


Specifying the Number of Dictionary Words
On this screen, you can inidicate how many dictionary words are in the
password -- one or two.

Select the appropriate choice and click Next.


Specifying the Password Structure
This screen enables you to optionally enter the length for the entire password.
It also asks you to choose the structure of the password, and to indicate
whether you know settings (such as length or casing) of each part.

Complete this screen and click Next.


NOTE: If you did not select any of the "I know settings..." checkboxes, there is
no "Next" button - simply click Finish.

Specifying the Dictionary Attack Settings


If you indicated you know settings for any of the parts of the password, this
screen enables you to fine-tune the attack settings (such as specifying a
password length, any known parts, the casing, and whether it can be reversed)
for each part. There is a separate screen for each part for which you know
settings.

Complete this screen, and click Finish to display the results of the password
recovery process.

Recovering a Non-Dictionary-Word Password


Specifying the Xieve Attack Settings
If you indicated that the password was a non-dictionary word, such as
"softool", "johnyboy", and "oopsy", the next screen asks you to provide more
information, such as length, known parts, symbol set, and Xieve level (high,
medium, or low).

Complete this screen and click Finish to display the results of the password
recovery process.

Recovering a Password with an Unknown Format


Specifying the General Password Settings
If you indicated that the password had an "Other" format, such as "qw3er5ty"
and "03101980", the next screen asks you to specify the length of the
password (optional) and the appropriate dictionary.
NOTE: If you know the total password length, enable check-box "Set the
password length". Otherwise, the program will set the total password length
based on further information about password parts.

Complete this screen and click Next.


Specifying whether Part of the Password Resembles a Dictionary Word
The next screen asks if part of the password looks like an English word, such
as "softool".
If it does, choose Yes.
If not, choose No.

Now click Next. The screen that appears depends on your choice above.
Specifying the Password Structure
If you indicated that part of the password did resemble a dictionary word, the
next screen lets you specify the structure for this part. (If you said no, it did
not resemble an dictionary word, a different screen appears.

You can also indicate that you know some settings for the various parts of the
password, such as length and casing.
Complete this screen and click Next.

NOTE: If you know the total password length, enable check-box "Set the
password length". Otherwise, the program will set the total password length
based on further information about password parts.
NOTE: If you did not select any of the "I know settings..." checkboxes, there is
no "Next" button - simply click Finish.
Specifying the Attack Settings
If you indicated you know settings for any of the parts of the password, this
screen enables you to fine-tune the attack settings (such as specifying a
password length, any known parts, the casing, and whether it can be reversed)
for each part. There is a separate screen for each part for which you know
settings.

Complete this screen, and click Finish to display the results of the password
recovery process.
Specifying the Brute-force Attack Settings
If, earlier, you indicated that no part of the password resembled a dictionary
word, the brute-force attack settings screen appears.

Enter any known parts, and select the appropriate symbol set(s) and casing,
and click Finish to display the results of the password recovery process.

Adding an Attack in the Attack Editor


To add an attack to the attack list, first select the attack after which you want
the new attack to appear. Clicking on an attack selects it. Now use one of the
following methods to add an attack:
Double-click on the attack in the Attack Tree in the right -hand pane.
Select the attack by clicking on it, then click the red left-pointing arrow:
Drag-and-drop an attack into the attack list.
The attack is added to the attack list.
What do you want to do?
Remove an attack
Rearrange Attacks
Use Attack Modifiers
Reset attack settings to their default values
Sort attacks according to duration

Removing an Attack from the Attack List


To remove an attack to the attack list, first select the attack that you want to
remove. Clicking on an attack selects it. Now use one of the following methods
to remove the attack:
Select the attack by clicking on it, then click the Remove button at the top
of the Attack Editor window:
Select the attack by clicking on it, then click the red right-pointing arrow:
Right-click on the attack, then click Remove in the resulting popup menu.
The attack is removed from the attack list.

Removing All Attacks from the Attack List


You can remove all attacks from the attack list by right-clicking anywhere in
the attack list and then clicking Remove All in the resulting popup menu.
Alternatively, click the down-arrow on the Remove button (at the top of the
window), then click Remove All.
What do you want to do?
Add an attack
Rearrange Attacks
Use Attack Modifiers
Reset attack settings to their default values
Sort attacks according to duration

Rearranging Attacks in the Attack Editor


You can move the attacks around in the Attack Editor's attack list. You can also
copy one attack to another location in the list.

Moving Attacks in the Attack List


To move an attack, first select the attack you want to move. Now click either
the Move Up or Move Down buttons at the top of the Attack Editor window.

You can also right-click on the attack, then click either Move Up or Move
Down in the resulting popup menu.
A third way to move attacks is by drag-and-drop. Simply select the attack you
want to move, then drag it to its new location in the attack list.

Copying Attacks in the Attack List


To copy an attack from one place in the attack list to another, follow these
steps:
1. Right-click on the attack you want to copy.
2. Click Copy in the resulting popup menu.
3. Now right-click on the attack after which you want the copied attack to
appear.
4. Click Paste in the resulting popup menu.
NOTE: If you select Cut instead of Copy in the popup menu, the attack is
moved, not copied.
What do you want to do?
Add an attack
Remove an attack
Use Attack Modifiers
Reset attack settings to their default values
Sort attacks according to duration

Using Attack Modifiers


You can use attack modifiers to control the casing and reversal of the password
attack.
To add an attack modifier to the attack list, select the modifier in the list in the
right-hand pane, then click the red left-pointing arrow. (Alternatively, simply
double-click the modifier in the list.) The modifier is added to the attack list
after the currently selected attack.
You can also drag-and-drop an attack modifier onto the attack list.
The following figure shows a modifier that has just been added to the attack
list.

Once you have added the attack modifier to the attack list, you must add a
new attack to go with the modifier.
What do you want to do?
Add an attack
Remove an attack
Rearrange Attacks
Reset attack settings to their default values
Sort attacks according to duration

Resetting the Attack Editor to the Default


Settings
If you want to return the Attack Editor to its default list of attacks, click Reset
to Defaults in the Actions area of the Attack Editor window.
What do you want to do?
Add an attack
Remove an attack
Rearrange Attacks
Use Attack Modifiers
Sort attacks according to duration

Loading and Saving Attacks in the Attack Editor


You can export the password recovery attacks as an XML file, which can be
recognized by other instances of Passware Kit. Click the Save Attacks link at
the Actions pane and choose the directory to save the XML file. The current
list of password recovery attacks and their settings will be saved on your
computer.
You can import the password recovery attacks from an existing XML file,
created by other instances of Passware Kit. Click the Load Attacks link at the
Actions pane and choose the location of the XML file. The saved list of attacks
and their settings will be loaded for the current password recovery process.

Sorting Attacks in the Attack List


Some attacks take longer than others. To run the attacks in order of duration
from shortest to longest, click the Sort by Duration button at the top of the
Attack Editor window.

What do you want to do?


Add an attack
Remove an attack
Rearrange Attacks
Use Attack Modifiers
Reset attack settings to their default values

Printing a Report or Log


To print a report or log, follow these steps:
1. Display the report or log you want to print.
2. Click the Print button at the top of the window.
3. Select the appropriate printer in the resulting Print dialog box.
4. Click Print in the Print dialog box.

Saving a Report or Log


To save a report or log, follow these steps:
1. Display the report or log you want to save.
2. Click the Save Results button at the top of the window.
3. Specify the appropriate filename and location in the resulting Save As
dialog box.
4. Click Save in the Save As dialog box.

Selecting the Files to Scan


You can scan specific files -- from your entire computer system to one or two
selected folders.
You can also select the type of scan you want to use. A full scan includes
scanning system folders, slow file types, encrypted containers and disk images,
and calculating MD5 values. You can disable these options if you need a less
complete, but much faster scan.
What do you want to do?
Choose scan type
Choose what to scan
After you have chosen the type of scan and the folders and/or drives to scan,
start the scan by clicking the Start button on the toolbar, which looks like this:

Monitoring Scan Progress


During a scan, Passware Kit keeps you up-to-date as to the progress of the
scan in several ways:
The Scan Progress area at the top of the main window displays a
graphical progress bar, and lists time elapsed and time-to-completion. A
sample Scan Progress area is shown here:

The Status Bar, visible along the bottom of the window, gives a summary
of the number of protected items found and the total number of items
scanned.
The Scan Status area of the window. A sample is shown here:

NOTE: If you want, you can turn off the Status Bar.
You can temporarily pause or cancel a scan at any time.

Saving the List


You may find it useful to save a list of password-protected files on your
computer. To save the scan results to a file:
1. Click Save List in the Actions area of the window.
Alternatively, click the Save List button in the toolbar.
2. In the resulting Save As dialog box, navigate to the folder in which you
want to save the file, and give it a file name, then click OK.
NOTE: The default format of the list file is a tab-delimited text file, and the
default name is PFOutputFile.txt. You can also save the file as a commadelimited file (.csv) or XML (.xml) file, using the Save as type field of the
Save As dialog box.
CAUTION: If you save more than one scan result, be sure to give each saved
list a unique name.

Accessing and Saving the Scan Log


Passware Kit keeps a detailed log of the files it scans. You can access the log in
two ways:
Click the Scan Log tab at the bottom of the window.
or
Click Skipped Items in the Last Scan area.
In the scan log, you can see which files were skipped, the time they were
scanned and other useful information.
1. Click Save Log in the Last Scan area of the window.
2. In the resulting Save As dialog box, navigate to the folder in which you
want to save the file, and give it a file name, then click OK.
NOTE: The default format of the scan log file is a tab-delimited text file, and
the default name is LogOutputFile.txt. You can also save the file as a commadelimited file (.csv) or XML (.xml) file, using the Save as type field of the
Save As dialog box.
CAUTION: If you save more than one scan log, be sure to give each saved log
a unique name.

Choosing What to Scan


You can limit your scan to a single drive or folder, or to scan your entire
computer system.

Using the Where to Scan Area to Select Files


Select one of the four options in the Where to Scan area:

If you select Selected Drives and Folders, a list of drives and folders
appears, as shown here:

Use the + icons next to the drives and folders to expand them as necessary;
click each drive or folder you want to scan.
NOTE: Selecting a folder in the list automatically selects all subfolders of that
folder; you can deselect individual subfolders if you want.
NOTE: The settings you choose in the Where to Scan area are saved when
you exit the program, and are in effect the next time you launch the program.
NOTE:You can also drag-and-drop folders into the main window for scanning.
For this type of scan, only the Recommended scan type is used.

Starting the Scan


If you have finished selecting the scan type and what to scan, you are ready to
start the scan by clicking the Start button on the toolbar, which looks like this:
(not necessary if you drag-and-dropped files)

Turning the Status Bar On and Off


The Status Bar appears by default at the bottom of the window, displaying
various status messages associated with scan progress. You can turn the
Status Bar off by clicking Status Bar in the View menu.
Clicking Status Bar again toggles the Status Bar back on, and a check mark
appears next to the menu selection to indicate the Status Bar is active.

Working with Selected Files in the Scan Results


Once a scan is complete and the scan results appear, you can choose several
actions for selected files.

Selecting a File in the List


To select a single file, click on it in the file list.
To select several files in the file list at once, use SHIFT-click and
Ctrl+click.
To select all files, click Select All in the View menu.
To invert the selection, click Invert Selection in the View menu.
Details for a single selected file, including file name, type, and size, appear in
the Details area, a sample of which is shown here:

If more than one file is selected, the Details section displays how many items
are selected and how much total disk space they occupy.
Now that you have selected the file(s), what do you want to do?
Open a file
Open the folder containing the file
Copy files to another folder
Move files to another folder
Recover password

Customizing the Scan Results Display


You can adjust the information displayed by the scan results with a few mouse
clicks.
What do you want to do?
Hide selected files
Rearrange files
Turn off the status bar

Resetting the Password


Once you have created the password reset CD or USB disk and burned the
image, you are ready to reset the password by following these steps:
1. Reboot the locked PC with the Password Reset CD or USB disk.
2. The Windows Setup process starts.

3. After all the required files are loaded from the bootable CD/USB, Passware
Kit starts working. It displays your license info.

4. Select the Windows installation to be unlocked.


5. Passware Kit asks: "Undo Passware Kit changes? (Y/N)".
Type N if you want to reset the password.
Type Y if you want to leave the original passwords and cancel the
program changes.

6. Select the account for which you want to reset the password.
7. Passware Kit asks: "Reset 'account_name' password? (Y/N)".
Type Y to reset the password.
Type N to leave the original password.
8. Passware Kit asks: "Reset password for another account? (Y/N)".
Type Y to reset a password for another account.
Type N if you are finished and want to exit Passware Kit.

9. Remove the Passware Kit bootable disk and restart your PC.

Now you are able to log into your computer without a password!

Scanning Files Using Drag-and-Drop


If you prefer, you can drag and drop the files that you want to scan.
1. Resize your application windows so that you can see both Windows
Explorer and Passware Kit on your screen.
2. In Windows Explorer, select the folders you want to scan.
3. Drag them, using the mouse, and release them over the Passware Kit
window.
When you release the files, a dialog box appears, asking if you want to start
the scan for the selected files. Click OK to start the scan, or Cancel.
NOTE: When you drag-and-drop files to scan, the scan type defaults to
Recommended. You cannot run a Fast or Full scan on drag-and-dropped files.

Opening a File
To open a file shown in the scan results file list:
1. Select the file in the list.
2. Click Open in the File menu.
Of course, to open a file, you must know the password that protects the file.
Use the Passware Recover Kit to recover lost passwords.

Opening a Folder from the Scan Results


To open the folder that contains a file selected in the scan results:
1. Select the file in the results list.
2. Click Open Containing Folder in the File menu.
This opens a new instance of Windows Explorer, showing the entire contents of
the folder that contains the selected file.

Copying Files from the Scan Results


To copy one or more files shown in the scan results file list to another location:
1. Select the file(s) in the list.
2. Click Copy to Folder in the Actions area (top-left corner of the window).
3. In the Browse for Folder dialog box, navigate to the appropriate folder,
then click OK.
A sample Browse for Folder dialog box is shown below:

NOTE: You can use the Make New Folder button in the Browse for Folder
dialog box to create a new folder in which to copy the file(s). The new folder is
named New Folder, and is added to the My Documents folder. Subsequent new
folders are named New Folder (2), and so on.

Moving Files from the Scan Results


To move one or more files shown in the scan results file list to another
location:
1. Select the file(s) in the list.
2. Click Move to Folder from the File menu.
3. In the Browse for Folder dialog box, navigate to the appropriate folder,
then click OK.
A sample Browse for Folder dialog box is shown below:

NOTE: You can use the Make New Folder button in the Browse for Folder
dialog box to create a new folder in which to copy the file(s). The new folder is
named New Folder, and is added to the My Documents folder. Subsequent new
folders are named New Folder (2), and so on.

Hiding Selected Files in the Scan Results


After you have selected one or more files in the scan results, you can hide
those files by clicking Hide Selected Files in the File menu. These files no
longer appear in the current file list.
CAUTION: Once you hide files from the file list, you cannot redisplay them.
Use this feature with care.

Rearranging and Sorting Files in the Scan Results


By default, the files in the scan results are arranged in alphabetical order by
the folder in which they were found during the scan. After the scan is
complete, you can rearrange and sort the list.

Rearranging the List


Rearrange the list by clicking Arrange By in the View menu. Several choices
are offered in the submenu:
Name
Protection Level
Folder
Size
Date

Sorting the List


By default, the list is sorted in ascending alphabetical order by folder. You can
change the sort order by clicking on a column name in the scan results, such
as File Name, Folder, Unprotection, File Type, or Document Type.
The sort order, ascending or descending, is indicated by an up or down arrow
in the column heading. Clicking the heading again toggles between ascending
and descending sort order.

Burning a Password Reset CD Image


NOTE: To create a Windows password reset CD, a CD-ROM drive capable of
burning is required
Once you have created the password reset ISO image, follow these steps to
burn it on a CD:
1. Select I have a WindowsKey.ISO image. Burn it on a CD. Make sure
the Pick up the existing password reset WindowsKey.ISO image
field contains the location of your WindowsKey.ISO file.

Click Next.
2. The following screen appears:

Select CD/DVD and specify the CD burning drive from the pull-down list.
Insert a blank CD/DVD disk into the CD-ROM drive. Click Next.
3. The burning process starts.
Passware Password Recovery Kit extracts the ISO image and copies the
necessary files on a CD.

4. The Windows Key password reset CD is now ready.

Now that you have created the Windows password reset CD, you are ready to
reset the password on the locked computer.

You might also like