Passware Kit User Guide www.lostpassword.com
Overview of the Passware Kit
You can use the Passware Kit to recover lost file, e-mail, and Internet passwords, as well as search for password-protected files.
What do you want to do?
- Learn more about the Passware Kit
- Quick Start
Quick Start
Recovering a lost password is easy with the Passware Kit. Simply follow these basic steps:
1. Launch the Passware Kit application.
2. Click the link on the Start Page that relates to the type of password you want to recover (file, e-mail and network, or Windows Administrator).
3. Follow the instructions on the screen -- for some types of passwords, such as file passwords, you have to fill out a few fields; for other types, such as Outlook Express account passwords, the password recovery process starts immediately.
4. When the password recovery process is complete, the results are displayed in the window.
5. You can then save and print the results.
NOTE: At any time when using Passware Recovery Kit, you can click the Start Page button at the top of the screen to cancel out of what you are doing and start over.
What do you want to do?
- Recover a lost file password
- Recover a lost e-mail, Internet, or network password
- Reset your Windows Admin password
- Search for password-protected files
- Recover a lost password for encrypted hard drive
- Recover lost passwords for a standalone computer (registry analysis)
- Recover passwords from Windows/Unix/Mac hash files
- Work with Passware Kit Portable
- Use Passware Kit Forensic with EnCase
- Test password recovery settings
Getting Around in the Passware Kit Application
Navigating in the Passware Kit application is as simple as a few mouse clicks.
Important Buttons
Here are a few of the most commonly used buttons.
- Takes you to the Start Page (the page that appears when you launch the application).
- Starts the currently selected action, such as a password attack or search for protected file.
- Takes you to the previously displayed page, just as in an Internet browser.
- Takes you to the next page in your browsing sequence.
- Opens this Help file.
Window Arrangement
The main application window is divided into two main parts. The left pane lists available actions (these vary, depending on what you are doing), and details about the currently viewed action, if there are any. The wider, right pane is where you select choices, enter values, and view password recovery and protected file search results. At the bottom of the window is a status bar that may contain hints on how to proceed.
Working with Passware Kit
You can use the Passware Kit to recover lost passwords, wherever they are -- file passwords, e-mail account passwords, Internet passwords, and VPN and network passwords.
What do you want to do?
- Recover a lost file password
- Recover a lost e-mail, Internet, or network password
- Reset your Windows Admin password
- Search for password-protected files
- Recover a lost password for encrypted hard drive
- Recover lost passwords for a standalone computer (registry analysis)
- Recover passwords from Windows/Unix/Mac hash files
- Work with Passware Kit Portable
- Work with Decryptum Portable
- Use Passware Kit Forensic with EnCase
- Test password recovery settings
Recovering File Passwords
Not being able to open or use a file because you can't remember its password can be frustrating. The Passware Kit can help you recover passwords for many types of files. The quickest way to start password recovery for a file is to click the Recover button on the Start Page, or press Ctrl+O.
Once the Passware Kit discovers the password for a file, it remembers that password. If you ever forget the same password, you don't have to run all the attacks again - simply select the file, and the Passware Kit displays the password immediately.
If one or more passwords in the original file were reset (changed) or removed (for example, QuickBooks QBW passwords to open or MS Excel Workbook and Worksheet passwords), the Passware Kit creates an unprotected file that is listed in the results of the password recovery process. If the Passware Kit recovers all original passwords, it doesn't create the unprotected file (for example, MS Excel passwords to open and MS Access passwords).
What do you want to do?
- Use the Password Recovery Wizard - best for users who know something about their passwords, but are new to password recovery.
- Run the default attacks - best for users who know nothing about their passwords.
- Use the Attack Editor - best for advanced users who are decrypting strong passwords.
- Learn about reports and log files
Using the Attack Wizard
The Attack Wizard walks you through setting up your search for a lost file password, step-by-step. The Attack Wizard is best for situations where you know something about the password, but are new to password recovery. When you complete the Wizard, Passware Kit automatically sets up the proper password recovery attacks, based on your answers.
Starting the Attack Wizard
1. Launch the Passware Kit application.
2. Click Recover File Password (or press Ctrl+O). This displays the Open dialog box.
3. Choose the file for which you want to find the password, and click Open. This displays the screen shown below:
4. Click Run Attack Wizard (or press Ctrl+W).
Filling Out the Attack Wizard Information
The Attack Wizard consists of several screens, asking you to supply as much information about your password as possible.
NOTE: At any point in the Attack Wizard, you can click the Skip and Start button to simply start recovering your password - but bear in mind that the recovery process may take longer, or be less successful, than if you had completed the wizard.
Specifying the General Password Format
The first Attack Wizard screen, shown below, asks you to supply the general format of the password. For example, does it consist of one dictionary word, or more than one? Choose the best selection and click Next.
NOTE: If you choose I know nothing about my password, there are no "Next" screens - simply click Finish to start the password recovery process with the default settings.
From this point forward, the Attack Wizard screens differ, depending on which general format you choose.
- Single Dictionary Word
- Multiple Dictionary Words
- One or More Dictionary Words Combined with Letters, Numbers, or Symbols
- Non-dictionary, but Similar to a Dictionary Word
- Other
Running the Default Attacks
If you do not know anything about a missing password, you can simply run the default attacks to find the password.
Starting the Default Attacks
1. Launch the Passware Kit application.
2. Click Recover File Password (or press Ctrl+O). This displays the Open dialog box.
3. Choose the file for which you want to find the password, and click Open. This displays the screen shown below:
4. Click Use Pre-defined Default Attacks (or press Ctrl+D).
The attacks start immediately, and when finished, the results appear in the window.
Which Attacks Are Run
The following list describes the default attacks, in the order in which they are run, and gives examples of the sort of password each attack is best at finding, where appropriate.
1. Previous Passwords Attack (with modifiers Original Password, Normal Casing, Upper Casing, and Lower Casing)
2. Decryptum Attack (if applicable) - free demo preview of decrypted Word or Excel file
3. SureZip Attack (if applicable) - instant decryption of Zip archives up to version 8.0
4. Brute-force Attack (English, 1-4 characters, full symbol set: lowercase letters, uppercase letters, numbers, symbols, space)
   Sample password: "Pw5@"
5. Dictionary Attack (English words up to 15 letters, with all possible Casing modifiers)
   Sample password: "Specialization"
6. Xieve Attack (passwords similar to English words, from 5 to 9 letters, lowercase, level "Medium" - checks common combinations of letters only)
   Sample password: "mycomp"
7. Brute-force Attack (Numbers only, from 5 to 8 characters)
   Sample password: "23012009"
8. Join Attacks group:
   1. Dictionary Attack (English words from 1 to 9 letters) +
   2. Append Attacks group:
      1. Brute-force Attack (from 1 to 2 characters, symbols+numbers)
      2. Brute-force Attack (from 3 to 4 characters, numbers only)
   Sample password: "open123"
9. Join Attacks group:
   1. Dictionary Attack (English words from 1 to 9 letters) +
   2. Dictionary Attack (English words from 1 to 9 letters)
   Sample password: "greenapple"
10. Brute-force Attack (English, from 5 to 7 characters, lowercase letters + numbers)
    Sample password: "qw3erty"
11. Xieve Attack (passwords similar to English words, from 10 to 11 letters, lowercase, level "Low" - checks almost all combinations of letters)
    Sample password: "sweetemily"
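The three stand-alone brute-force stages in this list (4, 7 and 10) define fixed search spaces, so a password audit can check whether a given password falls inside one of them and how many candidates that stage contains. The sketch below is an added example, not Passware code; the class and function names are hypothetical, and the 95 printable ASCII characters are an assumption for the "full symbol set", whose exact contents the guide does not list.

```python
"""Keyspace audit for the stand-alone brute-force stages of the default list.

Added example, not Passware code. Only stages 4, 7 and 10 are modelled,
because their character sets and lengths are stated in the guide. Dictionary,
Xieve and Join stages depend on word lists that the guide does not include.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class BruteForceStage:
    number: int           # position in the documented default order
    label: str
    charset: frozenset    # characters the stage draws from
    min_len: int
    max_len: int

    def keyspace(self) -> int:
        """Total candidates: sum of |charset|^k over every allowed length k."""
        n = len(self.charset)
        return sum(n ** k for k in range(self.min_len, self.max_len + 1))

    def covers(self, password: str) -> bool:
        """True if the password lies inside this stage's search space."""
        return (self.min_len <= len(password) <= self.max_len
                and set(password) <= self.charset)


# ASSUMPTION: "full symbol set" = 95 printable ASCII characters
# (52 letters + 10 digits + 32 punctuation marks + space).
FULL_SET = frozenset(string.ascii_letters + string.digits
                     + string.punctuation + " ")

STAGES = (
    BruteForceStage(4, "full symbol set, 1-4 characters", FULL_SET, 1, 4),
    BruteForceStage(7, "numbers only, 5-8 characters",
                    frozenset(string.digits), 5, 8),
    BruteForceStage(10, "lowercase letters + numbers, 5-7 characters",
                    frozenset(string.ascii_lowercase + string.digits), 5, 7),
)


def first_covering_stage(password: str):
    """Return the earliest modelled stage whose space contains the password."""
    for stage in STAGES:
        if stage.covers(password):
            return stage
    return None


def guesses_until_reached(password: str):
    """Upper bound on brute-force candidates generated up to and including
    the covering stage (word-list stages in between are not counted).
    Returns None when no modelled stage covers the password."""
    total = 0
    for stage in STAGES:
        total += stage.keyspace()
        if stage.covers(password):
            return total
    return None


def audit(passwords):
    """Map each password to the covering stage number, or None."""
    result = {}
    for pw in passwords:
        stage = first_covering_stage(pw)
        result[pw] = stage.number if stage else None
    return result


if __name__ == "__main__":
    # The first five are the guide's own sample passwords; the last one is
    # constructed for this example.
    samples = ["Pw5@", "23012009", "qw3erty", "open123",
               "Specialization", "Correct-Horse-7"]
    for stage in STAGES:
        print(f"stage {stage.number:>2}: {stage.keyspace():>14,} candidates "
              f"({stage.label})")
    for pw, number in audit(samples).items():
        verdict = f"inside stage {number}" if number else "outside stages 4/7/10"
        print(f"{pw!r:>18}: {verdict}")
```

A password reported as outside these stages can still fall to the dictionary, Xieve or Join stages, so this check only flags passwords that are certain to be inside the default brute-force coverage.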
Using the Attack Editor
The Attack Editor allows you great control over the password recovery process. You can choose which attacks you want to use, modify attack settings, and combine attacks. The Attack Editor is best used if you are an experienced IT person who knows a lot about password recovery.
Starting the Attack Editor
1. Launch the Passware Kit application.
2. Click Recover File Password (or press Ctrl+O). This displays the Open dialog box.
3. Choose the file for which you want to find the password, and click Open. This displays the screen shown below:
4. Click Use Attack Editor (or press Ctrl+E).
The Attack Editor appears, a sample of which is shown in the following figure.
The Attack Editor window is divided into three parts. On the left, you see available actions and details. In the middle are the attacks which will be run, and on the right is an "attack tree" which lists available attacks and attack modifiers.
Once you have the attacks the way you want them, start the attacks by
- clicking the Start button at the top of the window
- clicking the Start Recovery button in the bottom right corner of the Attack Editor window
- clicking on the Start Recovery selection in the Actions area of the left pane.
What do you want to do?
- Add an attack
- Remove an attack
- Rearrange Attacks
- Use Attack Modifiers
- Reset attack settings to their default values
- Save or load attacks
- Sort attacks according to duration
Reports and Log Files
The Passware Kit provides several reports and log files that track its activity during a password recovery operation. You can print and save these files for future reference.
Passwords Found Report
Once an attack is complete, the Passware Kit displays the results of the password recovery process in the Passwords Found Report, a sample of which is shown below:
In the report, you'll see any recovered passwords. Click on a "copy" link to copy a password to the Windows Clipboard. For files with instant unprotection, you can click on a filename to open a protected or unprotected file.
Attacks Report
The Passware Kit also reports which attacks it used, how long they took, their state (such as started, successful, or unsuccessful), and what passwords were recovered by which attacks. To view this report, click the Attacks tab at the bottom of the window. A sample Attacks Report is shown below:
Log
A third type of information provided by the Passware Kit is a log that tracks each attack's start and stop time, and other useful information. To view the log, click the Log tab at the bottom of the window. A sample Log is shown below:
What do you want to do?
- Print a report or log
- Save a report or log
Recovering Passwords for Multiple Files
Passware Kit supports batch file processing, recovering passwords for multiple files, one-by-one, in an automated way.
How to Start
Select multiple files for decryption using the Recover File Password option at the Start Page. You can also initiate password recovery for multiple files from the results of the Search for Protected Files option. Select the files that you want to decrypt from the list of encrypted files displayed by Passware Kit. Then click the Recover button as shown below:
Groups and Settings
Once you have selected the files to decrypt, Passware Kit groups them according to the decryption options, i.e., Known Password, Instant, Default. You can add, modify, or delete groups. For each group (except for Known Password and Instant groups, for which the password is recovered instantly regardless of its settings) you can use the Predefined settings, or customize them in Attack Editor. Click the Save Settings and Return button to save the changes and return to the list of files.
Recovering the Passwords
Once you have set up the list of files and password recovery attacks, click the Recover button to start the batch password recovery process:
While the password recovery is in progress, you can pause, resume, or stop it, as well as skip attacks, files, or groups. As a result, Passware Kit displays the passwords recovered, as well as a log file. A sample result is shown below:
You can enable the option to create unprotected files automatically when a password is recovered or reset at Tools > Options > Folders. When batch file processing is complete, unprotected copies of the files will be saved in a single folder. Supported file types: MS Office, Zip, FileMaker, SQL, MYOB, and QuickBooks.
Searching for Protected Files
Using an Explorer-like interface and clicking a few checkboxes and buttons, you can find your password-protected files quickly and easily. Encrypted volumes and hard disk images, such as BitLocker, TrueCrypt, PGP, etc., are also detected.
What do you want to do?
- Select the files to scan
- Monitor scan progress
- Work with scan results
- Start a new scan
Searching for Protected Files - Quick Start
To find password-protected files on your computer system:
1. Click Search for Protected Files on the Passware Kit start page: You will see the following screen:
2. Click the Start Scan button in the bottom-right corner of the window. This scans your entire computer system for password-protected files. A dialog box appears to indicate the scan is complete:
Click OK to close this dialog box.
After the scan is complete, you can
- Save the list
- Save the scan log
- Recover passwords
- Start a new scan
Selecting the Files to Scan
You can scan specific files -- from your entire computer system to one or two selected folders. You can also select the type of scan you want to use. A full scan includes scanning system folders, slow file types, encrypted containers and disk images, and calculating MD5 values. You can disable these options if you need a less complete, but much faster scan.
What do you want to do?
- Choose scan type
- Choose what to scan
After you have chosen the type of scan and the folders and/or drives to scan, start the scan by clicking the Start button on the toolbar, which looks like this:
Scan Options
The software offers four scan options. Which one you use depends on what type of password-protected file you are looking for, and how fast you want the scan to run.
Scan Option: When to Use
- Scan system folders: System folders and registry files are unlikely to contain any encrypted items. It is appropriate to use this option only if you need the full system scan.
- Scan slow file types: Some file types, such as MS SQL and ACT! databases, or any unknown types of files, are slow to analyze. Disable this option to make the scan faster, or enable it if you need the complete scan of the file system.
- Scan for encrypted containers and disk images: Use this option if you assume that your system has TrueCrypt containers and other disk images. There might be false positives with this option.
- Calculate MD5: Use this option if you need your reports completed with MD5 hash values for each encrypted file detected. Otherwise, disable it as it slows down the scan speed.
Enable or disable these options in the Scan Options area of the window, shown below:
Next, you can choose what to scan. NOTE: The settings you choose in the Scan Options area are saved when you exit the application, and are in effect the next time you launch the program.
Monitoring Scan Progress
You can track the progress of the scan in several ways:
- The Scan Progress area at the top of the main window displays a graphical progress bar, and lists time elapsed and time-to-completion. A sample Scan Progress area is shown here:
- The Status Bar, visible along the bottom of the window, gives a summary of the number of protected items found and the total number of items scanned.
- The Scan Status area summarizes the scan status. A sample is shown here:
NOTE: If you want, you can turn off the Status Bar.
You can temporarily pause or cancel a scan at any time.
Canceling or Pausing a Scan
You can temporarily pause a scan at any time by clicking the Pause button in the toolbar:
To resume a paused scan, click the Resume button in the toolbar:
You can cancel a scan at any time by clicking the Stop button in the toolbar:
Working with the Scan Results
After scanning the selected folders, the application displays both a list of password-protected files (in the right pane of the window) and a summary of the scan results (in the Last Scan area on the left side of the window). A sample scan result is shown below:
NOTE: Clicking on the Items Skipped line in the Last Scan area displays the scan log.
What do you want to do?
- Work with selected files from the scan results
- Customize the appearance of the scan results
- Save the file list
- Save the scan log
Recovering File Passwords
Once you have found one or more password-protected files, you can recover the password using the Passware Kit.
Start a New Scan
When you click Search for Protected Files on the Start Page, the window defaults to the new scan display. To start a new scan after another scan has already completed:
1. Click Start a New Scan in the Actions area of the window.
2. A dialog box, shown below, appears, asking if you want to start a new scan.
3. Click Yes to start a new scan.
Another way to start a new scan is to click the Back button on the toolbar.
CAUTION: The results of the previous scan are cleared from the screen when you click Yes. If you want to save the results for future use, be sure to save the file list before starting a new scan.
Analyzing Memory and Decrypting Hard Disks
You can use the Passware Kit to decrypt hard disks encrypted with BitLocker, TrueCrypt or FileVault 2. BitLocker is a data protection feature available in Windows systems starting from Vista. TrueCrypt is a software application that creates virtual hard disks with real-time encryption. FileVault 2 is a system which encrypts files on a Macintosh computer. It can be found in the Mac OS X Lion operating systems.
To get started, display the Passware Kit Start Page, and click Analyze Memory and Decrypt Hard Disk (or press Ctrl+D). This displays the following window:
What do you want to do?
- Recover BitLocker encryption keys
- Decrypt a TrueCrypt volume
- Decrypt a FileVault volume
Recovering BitLocker Encryption Keys
Passware Kit recovers encryption keys for hard drives encrypted with BitLocker. BitLocker is a data protection feature available in Windows Vista and Windows 7. The software scans the physical memory image file (created while the encrypted disk was mounted) and extracts all the encryption keys for a given volume.
To recover BitLocker encryption keys, two images of the target system are required:
- The image file of the encrypted volume.
- The physical memory image file or hiberfil.sys file from the target system (with the encrypted volume mounted).
Disk volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be created using Passware FireWire Memory Imager or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.
If the target computer with the BitLocker volume is powered off, encryption keys are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates.
NOTE: If the target computer is turned off and the BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.
Once the images are created, follow these steps to recover the password:
1. Click Analyzing Memory and Decrypting Hard Disk (or press Ctrl+D) on the Passware Kit Start Page. This displays the screen shown below:
2. Click BitLocker (or press Ctrl+B). This displays the screen shown below:
3. Click Browse and locate the image file of the BitLocker encrypted volume or partition.
4. Click Browse and locate the physical memory image (memory.bin) or the hiberfil.sys file from the computer to which your encrypted volume was mounted. If you do not have this memory image and the target computer is still powered on, click Acquire a memory image and follow the on-screen instructions.
   NOTE: If the target computer is turned off and the BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to The BitLocker volume is dismounted option, and Passware Kit will assign Brute-force attacks to recover the password for the volume.
5. Click Next.
This procedure initiates the encryption key recovery process. The recovery might take several minutes depending on the size of the memory image file. The results are displayed when the recovery is complete. The figure below shows a sample result.
Decrypting a TrueCrypt Volume
Passware Kit decrypts hard disk volumes encrypted with TrueCrypt. TrueCrypt is a software application that creates virtual hard disks with real-time encryption. The software scans the physical memory image file (created while the encrypted disk was mounted), extracts all the encryption keys, decrypts the given volume, and saves the image of the decrypted volume.
To decrypt a TrueCrypt volume, the physical memory image file or hiberfil.sys file from the target system (with the encrypted volume mounted) is required. The Passware Kit can work with either a TrueCrypt volume file (encrypted file container), or with its image. Disk volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be created using Passware FireWire Memory Imager or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.
If the target computer with the TrueCrypt volume is powered off, encryption keys are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates.
NOTE: If the target computer is turned off and the TrueCrypt volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.
Once the images are created, follow these steps to recover the password:
1. Click Analyzing Memory and Decrypting Hard Disk (or press Ctrl+D) on the Passware Kit Start Page. This displays the screen shown below:
2. Click TrueCrypt (or press Ctrl+T). This displays the screen shown below:
3. Click Browse and locate the TrueCrypt volume file or its image file.
4. Click Browse and locate the physical memory image (memory.bin) or the hiberfil.sys file from the computer to which your encrypted volume was mounted. If you do not have this memory image and the target computer is still powered on, click Acquire a memory image and follow the onscreen instructions.
   NOTE: If the target computer is turned off and the TrueCrypt volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to The TrueCrypt volume is dismounted option, and Passware Kit will assign Brute-force attacks to recover the password for the volume.
5. Click Browse and select the location and name of the destination file (the image of the decrypted volume).
6. Click Next.
This procedure initiates the decryption process. The decryption might take several minutes depending on the size of the memory image file. The results are displayed when the decryption is complete. The figure below shows a sample result.
Decrypting a PGP WDE Volume
Passware Kit decrypts hard disk volumes encrypted with PGP Whole Disk Encryption. The software scans the physical memory image file (created while the encrypted disk was mounted), extracts all the encryption keys, decrypts the given volume, and saves the image of the decrypted volume.
To decrypt a PGP volume, the physical memory image file or hiberfil.sys file from the target system (with the encrypted volume mounted) is required. PGP volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be created using Passware FireWire Memory Imager or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.
If the target computer with the PGP volume is powered off, encryption keys are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates.
NOTE: If the target computer is turned off and the PGP volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns brute-force attacks to recover the original password for the volume.
Once the images are created, follow these steps to recover the password:
1. Click Analyze Memory and Decrypt Hard Disk (or press Ctrl+D) on the Passware Kit Start Page. This displays the screen shown below:
2. Click PGP WDE (or press Ctrl+P). This displays the screen shown below:
3. Click Browse and locate the encrypted PGP volume image file.
4. Click Browse and locate the physical memory image (memory.bin) or the hiberfil.sys file from the computer to which your encrypted volume was mounted. If you do not have this memory image and the target computer is still powered on, click Acquire a memory image and follow the onscreen instructions.
   NOTE: If the target computer is turned off and the PGP volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to The PGP disk is dismounted option, and Passware Kit will assign brute-force attacks to recover the password for the volume.
5. Click Browse and select the location and name of the destination folder (the folder to save decrypted volume to).
6. Click Next.
This procedure initiates the decryption process. The decryption might take several minutes depending on the size of the memory image file. The results are displayed when the decryption is complete. The figure below shows a sample result.
Recovering Mac Passwords
You can use Passware Kit to recover the following passwords for Mac OS: user login passwords and keychain file passwords.
What do you want to do?
- Decrypt a FileVault2 volume
- Recover login passwords for Mac OS
- Recover a password for a Mac keychain file
Decrypting a Mac FileVault2 Volume
Passware Kit recovers encryption keys for hard drives encrypted with FileVault2. FileVault2 is a data protection feature available in Mac OS X starting from v.10.7. The software scans the physical memory image file (created when the encrypted disk was mounted), extracts all the encryption keys, decrypts the given volume, and saves an image of the decrypted volume.
To recover FileVault2 encryption keys, two images of the target system are required:
- the image file of the encrypted volume
- the physical memory image file from the target system (with the encrypted volume mounted and at least one user logged in)
Disk-volume images can be created using third-party tools such as Guidance EnCase, Free EASIS Drive Cloning, DD, and Apple Disk Utility. Physical memory images can be created using Passware FireWire Memory Imager.
NOTE: If the target computer is turned off, the memory image will not contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns brute-force attacks to recover the original password for the volume.
Once the images are created, follow these steps to recover the encryption key:
1. Click Analyze Memory and Decrypt Hard Disk on the Passware Kit Start Page. This displays the screen shown below:
2. Click FileVault. This displays the screen shown below:
3. Click Browse... and locate the image of the FileVault2 encrypted volume or partition.
4. Click Browse... and locate the physical memory image (memory.bin) file from the computer in which your encrypted volume was mounted. If you do not have this memory image and the target computer is still powered on, click Acquire a memory image and follow the on-screen instructions.
   NOTE: If the target computer is turned off, the memory image will not contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to the FileVault volume is dismounted option, and Passware Kit will assign regular brute-force attacks to recover the password for the volume.
5. Click Browse... and select the location and name of the destination file (the image of the decrypted volume).
6. Click Next.
This procedure initiates the decryption process. The decryption might take several minutes depending on the size of the memory image file. The results are displayed when the decryption is complete. The figure below shows a sample result.
Recovering a Mac FileVault2 Password
If the instant decryption option through memory analysis is not applicable, e.g., if the target computer is turned off or the memory image does not contain the encryption keys for some reason, Passware Kit can still recover the original password for the FileVault disk.
To recover the password, Passware Kit requires a FileVault Wipekey file. To access and copy this file from the target computer, follow the steps below, depending on whether you have direct access to the target computer or just the hard disk image.
If you have access to the target computer:
1. Boot the target Mac computer with a Setup/Recovery CD;
2. Launch the Terminal tool from the Setup CD;
3. Type command: defaults write com.apple.diskutility DUDebugMenuEnabled 1;
4. Open the tool Disk Utility;
5. In the Debug menu, choose Show every partition, then choose Recovery HD and click Mount;
6. Locate the Wipekey file (normally named EncryptedRoot.plist.wipekey) at: com.apple.boot.r/system/library/caches/com.apple.corestorage/
   NOTE: The directory name can also be com.apple.boot.s or com.apple.boot.p;
7. Copy the EncryptedRoot.plist.wipekey file to the computer on which you run Passware Kit.
If you have the target disk image:
Mount it with any disk-mounting tool and proceed to step 7. Steps 1-6 refer to mounting the disk image using Guidance EnCase.
1. Run Guidance EnCase;
2. Click New Case and choose the name and location of the case file;
3. Click Add Evidence;
4. Click Add Local Device, then click Next;
5. Pick up the device with the label Apple and click Finish;
6. In the Table window, double-click the target disk;
7. In the Evidence tab, locate the Recovery HD partition;
8. Locate the Wipekey file (normally named EncryptedRoot.plist.wipekey) at: com.apple.boot.r/system/library/caches/com.apple.corestorage/
   NOTE: The directory name can also be com.apple.boot.s or com.apple.boot.p;
9. Copy the EncryptedRoot.plist.wipekey file to the computer on which you run Passware Kit.
Once you have copied the Wipekey file to your computer, run Passware Kit and follow these steps to recover the password:
1. Click Analyze Memory and Decrypt Hard Disk on the Passware Kit Start Page. This displays the screen shown below:
2. Click FileVault. This displays the screen shown below:
3. Click Browse... and locate the image of the FileVault2 encrypted volume or partition;
4. Click the FileVault volume is dismounted option;
5. Click Browse... and select the location of the Wipekey file as shown below:
6. Click Next.
This procedure initiates the decryption process. It might be accelerated using NVIDIA and AMD GPU cards, as well as Distributed Password Recovery. The results are displayed when the decryption is complete. The figure below shows a sample result.
Recovering Mac Login Passwords

You can use Passware Kit to recover login passwords for Mac OS users in a matter of minutes, regardless of the password length and the use of FileVault encryption. The following operating systems are supported: Mac OS X Version 10.5 (Leopard), 10.6 (Snow Leopard), 10.7 (Lion).

The software scans the physical memory image file (acquired while the target system is running and at least one user remains logged in, even if the user is currently logged out or the account is locked) and extracts all the login passwords for a given system. Physical memory images can be created using Passware FireWire Memory Imager. If the target Mac computer is powered off, login passwords are not stored in its memory, and therefore it is impossible to recover them.

To get started, display the Passware Kit Start Page, and click Analyze Memory and Decrypt Hard Disk -> Mac User (or press Ctrl+M). This displays the following window: Locate the physical memory image (memory.bin) of the target Mac computer.
If you do not have this memory image, follow these steps to acquire it using Passware Kit: 1. At the Passware Kit Start Page click Analyzing Memory and Decrypting Hard Disk. 2. Click Passware FireWire Memory Imager. 3. Follow the on-screen instructions. Once the image is created, follow these steps to recover the password: 1. Click Recover Mac Password (or press Ctrl+M) on the Passware Kit Start Page. 2. Locate the physical memory image (memory.bin) from the target computer and click Open. This procedure initiates the password recovery process, as shown below: The recovery might take several minutes depending on the size of the memory image file. The results are displayed when the recovery is complete. The figure below shows a sample result.
Recovering Mac Keychain Passwords

You can use Passware Kit to recover passwords for Mac OS keychain files. Files from the following operating systems are supported: Mac OS X Version 10.5 (Leopard), 10.6 (Snow Leopard), 10.7 (Lion).

Mac keychain files are usually stored at /Users//Library/Keychains and are protected with a password. By default, the keychain password is the same as the corresponding Mac user login password, but it may also be different. By recovering this password, you gain access to the following user information contained in the keychain file: saved passwords (for websites, network shares, wireless networks), private keys, certificates, etc.

NOTE: Passware Kit does not support System.keychain files.

To get started, display the Passware Kit Start Page, then click the Recover button, or press Ctrl+O. Locate the keychain file (by default this file is named login.keychain) and click Open. This displays the following window:

Choose one of the following options for password recovery, depending on the available information about the password:
Use the Password Recovery Wizard - best for users who know something about their passwords, but are new to password recovery.
Run the default attacks - best for users who know nothing about their passwords.
Use the Attack Editor - best for advanced users who are decrypting strong passwords.

This procedure initiates the password recovery process. The results are displayed when the recovery is complete. The figure below shows a sample result.
Recovering Windows Login Passwords

You can use Passware Kit to recover login passwords for Windows users in a matter of minutes, regardless of the password length and the use of BitLocker encryption. The solution works on all versions of Windows, including Windows 8.

The software scans the physical memory image file (acquired while the target system is running, even if the user is currently logged out or the account is locked) and extracts all the login passwords for a given system. Physical memory images can be created using Passware FireWire Memory Imager. If the target computer is powered off, encryption keys are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates. In other cases, it is impossible to recover the user passwords instantly.

To get started, display the Passware Kit Start Page, and click Analyze Memory and Decrypt Hard Disk -> Windows User (or press Ctrl+W). This displays the following window: Locate the physical memory image (memory.bin) or the hibernation file (hiberfil.sys) of the target Windows computer.

If you do not have this memory image, follow these steps to acquire it using Passware Kit:
1. At the Passware Kit Start Page click Analyzing Memory and Decrypting Hard Disk.
2. Click Passware FireWire Memory Imager.
3. Follow the on-screen instructions.

Once the image is created, follow these steps to recover the password:
1. Click Analyze Memory and Decrypt Hard Disk -> Windows User (or press Ctrl+W) on the Passware Kit Start Page.
2. Locate the physical memory image (memory.bin) or the hibernation file (hiberfil.sys) from the target computer and click Open.

This procedure initiates the password recovery process, as shown below: The recovery might take several minutes depending on the size of the memory image file. The results are displayed when the recovery is complete. The figure below shows a sample result.
Recovering Website Passwords from Memory

You can use Passware Kit to recover passwords for Facebook, Google, and other websites in a matter of minutes, regardless of the password length and whether the password was saved in the browser or not.

The software scans the physical memory image file (acquired while the target system is running, even if the user is currently logged out or the account is locked) and extracts all the website passwords that the user typed during the last session. Physical memory images can be created using Passware FireWire Memory Imager. If the target computer is powered off, the passwords are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates.

To get started, display the Passware Kit Start Page, and click Analyze Memory and Decrypt Hard Disk -> Websites (or press Ctrl+S). This displays the following window: Locate the physical memory image (memory.bin) or the hibernation file (hiberfil.sys) of the target Windows computer.

If you do not have this memory image, follow these steps to acquire it using Passware Kit:
1. At the Passware Kit Start Page click Analyzing Memory and Decrypting Hard Disk.
2. Click Passware FireWire Memory Imager.
3. Follow the on-screen instructions.

Once the image is created, follow these steps to recover the password:
1. Click Analyze Memory and Decrypt Hard Disk -> Websites (or press Ctrl+S) on the Passware Kit Start Page.
2. Locate the physical memory image (memory.bin) or the hibernation file (hiberfil.sys) from the target computer and click Open.

This procedure initiates the password recovery process, as shown below: The recovery might take several minutes depending on the size of the memory image file. The results are displayed when the recovery is complete. The figure below shows a sample result.
Passware FireWire Memory Imager

To recover BitLocker and TrueCrypt encryption keys, Passware Kit requires a physical memory image file of a target computer that was created while the BitLocker or TrueCrypt encrypted disk was mounted. Passware Kit includes Passware FireWire Memory Imager, which creates a bootable memory-imaging USB drive. This USB drive acquires a memory image of the target computer connected with a FireWire (IEEE 1394) cable.

The overall steps for acquiring the memory image with Passware FireWire Memory Imager are:
1. Create a bootable Passware FireWire Memory Imager USB drive
2. Acquire the memory image of the target computer with the USB drive

NOTE: If the target computer is powered off, encryption keys are not stored in its memory, but they could possibly be recovered from the hiberfil.sys file, which is automatically created when a system hibernates. If the target computer is powered off and the TrueCrypt/BitLocker volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns Brute-force attacks to recover the original password for the volume.
Creating Passware FireWire Memory Imager USB Drive

Below are the steps to create a memory-imaging USB drive.
1. On the Start Page click Analyzing Memory and Decrypting Hard Disk (or press Ctrl+D), and then click Passware FireWire Memory Imager. The following screen appears:
   1. Insert a USB flash drive and select it in the Select USB drive pulldown menu. The recommended size of the USB flash drive is 8 GB or more.
   2. Click Next.
   NOTE: All the files on the USB flash drive will be erased. If you are using Windows Vista, you may need to run Passware Kit as the Administrator in order to create a memory-imaging USB drive.
2. The recording process starts. Passware Kit copies the necessary files to the USB flash drive.
3. The bootable Passware FireWire Memory Imager USB drive is now ready.

NOTE: Passware FireWire Memory Imager files are created on a hidden partition of the USB flash drive, while the open partition of the drive, which can be viewed in Windows Explorer, is blank.

Now that you have created the memory-imaging USB drive, you are ready to acquire the memory image of the target computer.
Acquiring Memory Image with Passware FireWire Memory Imager USB Drive Once you have created the bootable Passware FireWire Memory Imager USB drive, you are ready to acquire the memory image of the target computer by following the steps below. Requirements: The target computer is turned on and the encrypted volume is mounted Both the target computer and the computer used for acquisition have FireWire (IEEE 1394) ports A FireWire cable 1. Insert the memory-imaging USB drive and restart your computer. 2. Passware FireWire Memory Imager starts: 3. Make sure the FireWire cable is unplugged and press Next. 4. Connect the target computer with a FireWire cable. If the target computer is not detected after 30 seconds, you may need to unplug and re-connect the FireWire cable.
Press Next. 5. The memory imaging process starts: The progress screen displays the time of the imaging process and the size of the acquired target memory. Upon completion of the process, press Next. 6. Unplug the FireWire cable, remove the USB flash drive, and press Reboot to restart your PC. 7. The memory image of the target computer (a memory.bin file) is created
on the USB flash drive: Once you have created the memory image of the target computer, you are ready to decrypt BitLocker or TrueCrypt volumes using Passware Kit.
Recovering Passwords for Mobile Data

You can use the Passware Kit to acquire iCloud backups and to recover passwords for Apple iPhone and iPad backups, Android backups, and Android images. To get started, display the Passware Kit Start Page and click Mobile Forensics. This displays the following window:

What do you want to do?
Recover a password for Apple iTunes or Android backup file
Recover a password for an Android device image
Acquire an iCloud backup
Recovering Apple iTunes and Android Backup Passwords

Apple stores iPhone and iPad backups in an iTunes backup file (*.PLIST). This file, named Manifest.plist, is normally located in the Apple Computer directory. For example, for Windows 8, the full path is: C:\Documents and Settings\User\AppData\Roaming\Apple Computer\MobileSync\Backup\BackupID\Manifest.plist

Android backup files are usually created with an ADB tool from Android SDK and normally have an *.AB extension.

Passwords for iTunes and Android backup files are recovered using regular password-recovery attacks. The process can be accelerated with GPU cards and distributed computing. To start the password-recovery process, click Mobile Forensics on the Start Page, choose either the iPhone Backup or Android Backup option and locate your file. Refer to the Recovering File Passwords section for further recommendations.
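Before any password attack is relevant, an examiner or auditor needs to know whether a backup file found on a workstation is encrypted at all. The Python sketch below is an added example, not part of Passware Kit or this guide; it reads that flag from both file types named above. The Manifest.plist keys (IsEncrypted, Lockdown/DeviceName) and the .ab header layout (magic line, version, compression flag, encryption name, then key-derivation parameters) are assumptions based on the commonly documented formats, and all sample data is constructed.

```python
"""Report whether an iTunes Manifest.plist or an Android .ab backup is encrypted."""
import io
import plistlib


def inspect_itunes_manifest(data: bytes) -> dict:
    """Read the encryption flag from the bytes of a Manifest.plist."""
    manifest = plistlib.loads(data)  # accepts XML and binary plists
    lockdown = manifest.get("Lockdown", {})  # assumed key holding device info
    return {
        "kind": "itunes",
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "device": lockdown.get("DeviceName"),
    }


def inspect_android_backup(data: bytes) -> dict:
    """Parse the newline-separated text header at the start of an .ab file."""
    stream = io.BytesIO(data)

    def header_line() -> str:
        raw = stream.readline()
        if not raw.endswith(b"\n"):
            raise ValueError("truncated .ab header")
        return raw[:-1].decode("ascii")

    if header_line() != "ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    version = int(header_line())
    compressed = header_line() == "1"
    algorithm = header_line()  # "none" or a cipher name such as "AES-256"
    info = {
        "kind": "android",
        "version": version,
        "compressed": compressed,
        "algorithm": algorithm,
        "encrypted": algorithm != "none",
    }
    if info["encrypted"]:
        user_salt = header_line()          # hex: salt for the user password
        header_line()                      # hex: salt for the key checksum
        info["pbkdf2_rounds"] = int(header_line())
        header_line()                      # hex: IV for the wrapped key
        header_line()                      # hex: wrapped master key blob
        info["salt_bytes"] = len(bytes.fromhex(user_salt))
    info["payload_offset"] = stream.tell()  # where the archive data begins
    return info


def inspect_backup(data: bytes) -> dict:
    """Dispatch on the .ab magic line; anything else is treated as a plist."""
    if data.startswith(b"ANDROID BACKUP\n"):
        return inspect_android_backup(data)
    return inspect_itunes_manifest(data)


# Constructed samples (no real device data).
SAMPLE_MANIFEST = plistlib.dumps(
    {"IsEncrypted": True, "Lockdown": {"DeviceName": "constructed-device"}}
)
SAMPLE_AB_PLAIN = b"ANDROID BACKUP\n5\n1\nnone\n" + b"\x78\x9c"
SAMPLE_AB_ENCRYPTED = b"\n".join(
    [b"ANDROID BACKUP", b"5", b"1", b"AES-256",
     b"AA" * 64, b"BB" * 64, b"10000", b"CC" * 16, b"DD" * 96, b""]
)

if __name__ == "__main__":
    for sample in (SAMPLE_MANIFEST, SAMPLE_AB_PLAIN, SAMPLE_AB_ENCRYPTED):
        print(inspect_backup(sample))
```

A backup reported as unencrypted needs no password recovery at all, which is the finding that matters most when auditing how mobile backups are stored on managed workstations.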
Recovering Passwords for Android Images

Passware Kit recovers passwords for Android physical images acquired from encrypted devices using third-party tools, such as Oxygen Forensic Passware Analyst.

Passwords for Android image files are recovered using regular password-recovery attacks. The process can be accelerated with GPU cards and distributed computing. To start the password-recovery process, click Mobile Forensics on the Start Page, choose the Android Image option and locate your file. Refer to the Recovering File Passwords section for further recommendations.
Acquiring iCloud Backups

Passware Kit acquires full iOS backups from iCloud if Apple ID credentials are known. The backups are downloaded in iTunes format (readable by Apple software and Oxygen Forensic Suite Passware Analyst) and plain readable format. All versions of iOS, including the latest 8.1, are supported.

Below are the steps to acquire an iOS backup from iCloud.
1. On the Start Page click Mobile Forensics, then choose the iCloud Backup option.
2. Enter your iCloud login. Both Apple ID and password should be entered as shown on the screen below:
3. Click Next. The following screen appears:
4. Choose the backup snapshots you want to download. The latest snapshot is listed first. By selecting other snapshots you will be able to download all previous versions of the backup.
5. Choose where to save the backup (make sure you have enough space on your disk; Passware Kit will display the size of the backup to be downloaded).
6. Choose the format you want to save the backup in. By default, it is the "iTunes default format" readable by Apple iTunes. You can also save the backup in plain readable format, i.e. without iTunes default folders, but as a plain list of files.
7. Click Next.
8. The acquisition process starts. Passware Kit downloads the necessary backup files from iCloud to your local computer.
9. The full iOS backup is now downloaded.

Now that you have acquired the iOS backup from iCloud, you are ready to analyze it with Oxygen Forensic Passware Analyst or open it with Apple iTunes to see the device data.
Recovering Lost Internet and Network Passwords You can use the Passware Kit to recover your e-mail account, Internet, and Network connection passwords. To get started, display the Passware Kit Start Page, and click Recover Internet and Network Passwords (or press Ctrl+I). This displays the following window: What do you want to do? Recover a lost e-mail password Recover a lost Internet password Recover a lost network password
Recovering E-mail Passwords

The Passware Kit can recover e-mail passwords associated with Microsoft Outlook and Outlook Express accounts, data files and identities. To recover one of these passwords, follow these steps:
1. Display the Passware Kit Start Page.
2. Click Recover Internet and Network Passwords (or press Ctrl+I).
3. Click on the appropriate choice in the Email Passwords area of the window.

The password recovery process begins. The results are displayed when it is finished. The figure below shows a sample result.
Recovering Internet Passwords The Passware Kit can recover passwords associated with websites in browsers and with Internet Explorer Content Advisor. To recover one of these passwords, follow these steps: 1. Display the Passware Kit Start Page. 2. Click Recover Internet and Network Passwords (or press Ctrl+I). 3. Click on the appropriate choice in the Internet Passwords area of the window. The password recovery process begins. The results are displayed when it is finished. The figure below shows a sample result.
Recovering Network Connection Passwords The Passware Kit can recover passwords associated with VPN and dialup accounts as well as remote desktop accounts. To recover one of these passwords, follow these steps: 1. Display the Passware Kit Start Page. 2. Click Recover Internet and Network Passwords (or press Ctrl+I). 3. Click on the appropriate choice in the Network Passwords area of the window. The password recovery process begins. The results are displayed when it is finished. The figure below shows a sample result.
Resetting a Windows Administrator Password What do you want to do? Learn how to reset a Windows password with Passware Kit CD / USB disk Find out what versions of Windows are supported
Using a Password Reset CD / USB Disk With Passware Kit, you can reset a password for any local or Active Directory Administrator account. The overall steps are as follows: 1. Create a password reset CD/USB image and burn it on a disk 2. Reset the password with the CD or USB disk
Creating a Password Reset CD Image / USB Disk Below are the steps to create an ISO image file for a password reset CD or USB disk. 1. On the Start Page click Reset Windows Administrator Password. The following screen appears. 2. Insert your Windows Setup CD. NOTE: Both Windows 32-bit and 64-bit Setup CDs are supported. Browse for either a TXTSETUP.SIF or a BOOT.WIM file. The TXTSETUP.SIF file is usually located in the 'I386' folder of the Windows XP/2003 Setup CD. The BOOT.WIM file is usually located in the 'Sources' folder of the Windows 8/7/Vista/2008 Setup CD. The Make password reset image from field should contain the location of the TXTSETUP.SIF or BOOT.WIM file; You can protect the Windows Key password reset media with a password by enabling the Set a password on the Windows Password Reset CD/USB disk check-box and typing your own password in the field; Check Add drivers for SCSI/RAID hard drives, if you need to reset a Windows password for a SCSI/RAID/IDE hard drive. The field Copy drivers from should contain the location of the additional drivers for your hard drive. These drivers should be listed in the Pick up the drivers for your hard drive field. For example, drivers for Intel hard drives can be downloaded at the manufacturer's site.
3. Click Next. NOTE: If you do not have a Windows Setup CD, you can request a Windows Key.ISO download. 4. Choose what password reset device to create: Select CD/DVD if you want to make a password reset CD or DVD disk; Select USB flash if you want to make a password reset USB flash drive. 5. Specify the CD or USB burning drive from the pull-down list of the CD/DVD or USB flash options. 6. Click Next. NOTE: To create a Windows password reset CD, a CD-ROM drive capable of burning is required. 7. The burning process starts. Passware Kit copies the necessary files from the Windows Setup CD into the ISO image file.
8. After Passware Kit creates a password reset ISO image, it prompts you to insert a blank CD/DVD disk into the CD-ROM drive so that it could burn the image on this disk. Insert a blank CD/DVD disk into the CD-ROM drive. Click OK. 9. The password reset disk is now ready.
Now that you have created the Windows Password Reset CD or USB disk, you are ready to reset the password on the locked computer.
Resetting the Password

NOTE: If you used a Windows XP/2003 Setup CD (TXTSETUP.SIF file) to create a Windows Key password reset disk, follow these instructions to reset the password.

If you used a Windows 8/7/Vista/2008 Setup CD (BOOT.WIM file) to create a Windows Key password reset disk, follow the steps below to reset the password.
1. Reboot your system with this CD or USB disk.
   NOTE: To reboot your PC with a USB Flash Drive you may need to set the following options for the BIOS Setup Utility: after rebooting your PC please press 'Del' or 'F2' to run BIOS Setup Utility, go to the 'Boot' section and press 'F6' to move the 'Hard Drive' device up, then press 'Enter' on the 'Hard Drive' option and press 'F6' to move the 'USB Drive' device up. After all the changes are set, press 'F10' to exit and save the settings.
2. After all the required files are loaded from the CD or USB drive, the Windows Key process starts.
3. Enter the protection password that you set while creating the Windows Password Reset CD/USB disk. Click Next. If you have not set any password, go to the next step.
4. Select the Windows installation to be unlocked. If there are several installations, use additional information from the table to choose the one you need to unlock. Click Next.
5. Select the local Windows account or Active Directory Administrator account for which you want to reset the password. Click Next.
6. Review the list of tasks to complete. Click Next.
7. To reset passwords for other Windows installations or accounts, click Back To Start and repeat the process from Step 4.
8. Click Reboot if you are finished and want to exit.
9. Remove the Windows Key bootable CD or USB disk to restart your PC.

NOTE: For Microsoft Live ID accounts, passwords are reset to "12345678", as the system does not allow blank passwords to be set.

Now you are able to log into your computer as Administrator!
Versions of Windows Supported All Passware products support Windows 8/7/2008/Vista/2003/XP/2000/NT systems.
What Version of Windows Setup CD Should You Use? It is recommended to use a Windows 8, 7, Vista or Server 2008 Setup CD to create a bootable password reset CD/USB disk for all versions of Windows. It is possible to use a Windows XP SP2 and Server 2003 Setup CD to create a bootable password reset CD/USB disk for Windows XP, 2003, and earlier versions.
Recovering Passwords for a Standalone System You can use Passware Kit to recover saved passwords for standalone systems from registry files. The quickest way to start password extraction from registry files is to click the Recover Passwords for a Standalone System option on the Start Page, or press Ctrl+S. Password extraction from registry files is supported for Windows 7, Vista, Server 2008, Server 2003, and XP. The following system directories are required for the password extraction: Documents and Settings (for Windows XP) or Users (for Windows 7/Vista), and Windows\system32\config. What do you want to do? Recover passwords for Windows accounts Recover passwords for email accounts, websites and network connections
Recovering Windows User Passwords for a Standalone System You can use Passware Kit to recover Windows user login passwords of standalone systems from a SAM file copied from these systems. The following system directory is required: - Windows\system32\config\ NOTE: Recovery of cached login passwords requires a Windows\system32\config\SECURITY system file, and might also require SOFTWARE and SYSTEM files. To get started, display the Passware Kit Start Page, click Recover Passwords for a Standalone System (or press Ctrl+S) and locate the system directory of a standalone computer, as shown below: Click OK. This displays the following window:
Follow these steps to recover passwords for Windows accounts:
1. Click Recover Windows User Passwords for a Standalone System. This displays the following window:
2. Choose one of the following options for password recovery, depending on the available information about the password:
   Use the Password Recovery Wizard - best for users who know something about their passwords, but are new to password recovery.
   Run the default attacks - best for users who know nothing about their passwords.
   Use the Attack Editor - best for advanced users who are decrypting strong passwords.

This procedure initiates the password recovery process. The results are displayed when the recovery is complete. The figure below shows a sample result.
Recovering Internet and Network Passwords for a Standalone System You can use Passware Kit to recover saved passwords for email accounts, websites, network and remote desktop connections of standalone systems from the user directories copied from these systems. The following system directory is required: - Documents and Settings (for Windows XP) or Users (for Windows 7/Vista) To get started, display the Passware Kit Start Page, click Recover Passwords for a Standalone System (or press Ctrl+S) and locate the system directory, as shown below: Click OK. This displays the following window:
Follow these steps to recover the internet and network passwords for the standalone system: 1. Click Recover Internet and Network Passwords for a Standalone System. This displays the following window: 2. Click Browse... and locate the Windows User directory, which is usually named as Documents and Settings. 3. In the Windows Users list select the account you want to recover the internet and network passwords for. 4. If the account you selected is protected with a Windows login password, Passware Kit will ask you to choose one of the two options below. If the account is not password-protected, click Next and continue to step 6.
If you know a Windows login password for this account, switch to the I know the password option. Type the known password in this field. If you do not know a Windows login password for this account, switch to the I don't know the password option. The recovery process for the Windows login password will be initiated. Once the password is recovered, type it in the I know the password field and continue to the next step. 5. Click Next. This displays the following window: 6. Click on the appropriate choice, depending on what password you would like to recover. The password recovery process begins. The results are displayed when it is finished. The figure below shows a sample result.
Recovering Windows/Unix/Mac Hash Passwords

With Passware Kit you can recover passwords from Windows/Unix/Mac hashes.

The following hashing algorithms are supported:
Raw MD4, MD5, SHA1
Windows NT/LanMan
Unix DES/MD5/SHA256/SHA512
MAC OS X salted SHA1, SHA 512

The following hashing algorithms allow instant password recovery using a Rainbow Tables Attack:
Raw unsalted MD5, SHA1
Windows NT/LanMan

Windows stores local user names and their hashed passwords in a SAM (Security Account Manager) registry file. To dump Windows NTLM hashes, you need administrative access to the target computer.

Learn how to reset Windows Administrator password

Once you have logged in as an Administrator, you can use third-party tools like PWDUMP and FGDUMP to dump the hash file from the system.

NOTE: To recover Windows hash passwords, you can also use the Recover passwords for a standalone system option. In this case the recovery is instant and does not require dumping the hash file from the system.

Unix-like operating systems use a shadow password database mechanism to increase the security level of passwords by restricting all but the highly privileged users' access to encrypted password data. Typically, that data is kept in hash files owned by, and accessible only by, the super user (i.e., on Unix-like systems, the root user, and on many other systems, the Administrator account). These hash files are located at:
/etc/shadow (Linux systems)
/etc/master.passwd (BSD systems)
/var/db/shadow/hash (Mac systems)

Once you have dumped the hash file, you are ready to recover the user names and passwords that it contains. To get started, display the Passware Kit Start Page, then click the Recover button, or press Ctrl+O. Locate the hash file and click Open. This displays the following window:

Choose one of the following options for password recovery, depending on the available information about the password:
Use the Password Recovery Wizard - best for users who know something about their passwords, but are new to password recovery.
Run the default attacks - best for users who know nothing about their passwords.
Use the Attack Editor - best for advanced users who are decrypting strong passwords.

This procedure initiates the password recovery process. The results (i.e., user account names and login passwords) are displayed when the recovery is complete. The figure below shows a sample result.
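The Unix schemes listed above (DES, MD5, SHA256, SHA512) differ widely in how well they resist recovery, so an administrator reviewing a shadow file usually wants to know which accounts still carry the older formats. The Python sketch below is an added example, not part of Passware Kit or this guide; it classifies the second field of each /etc/shadow or /etc/master.passwd style line by its crypt(3) prefix. It does not handle the Mac /var/db/shadow/hash format, the "weak"/"ok" ratings are this example's own labels, and every hash string in the sample is a constructed placeholder.

```python
"""Classify the password-hash scheme of each entry in shadow-format text."""
import re

# Traditional DES crypt: exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $id$[rounds=N$]salt$hash
MODULAR_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?")

# Schemes named on this page; the ratings are this example's own labels.
SCHEMES = {
    "1": ("MD5-crypt", "weak"),
    "5": ("SHA256-crypt", "ok"),
    "6": ("SHA512-crypt", "ok"),
}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # used when no rounds= parameter is present


def classify_field(field: str) -> dict:
    """Return scheme, rating, lock state and rounds for one password field."""
    if field == "":
        # No password required to log in.
        return {"scheme": "empty", "rating": "critical",
                "locked": False, "rounds": None}
    locked = field.startswith("!")   # '!' prefix marks a locked password
    body = field.lstrip("!")
    if body == "" or body.startswith("*"):
        # No usable hash: password login is disabled for this account.
        return {"scheme": "no-password-login", "rating": "n/a",
                "locked": True, "rounds": None}
    if DES_RE.match(body):
        return {"scheme": "DES-crypt", "rating": "weak",
                "locked": locked, "rounds": None}
    match = MODULAR_RE.match(body)
    if match:
        scheme_id = match["id"]
        name, rating = SCHEMES.get(scheme_id,
                                   (f"other (${scheme_id}$)", "review"))
        rounds = None
        if scheme_id in ("5", "6"):
            rounds = (int(match["rounds"]) if match["rounds"]
                      else SHA_CRYPT_DEFAULT_ROUNDS)
        return {"scheme": name, "rating": rating,
                "locked": locked, "rounds": rounds}
    return {"scheme": "unrecognised", "rating": "review",
            "locked": locked, "rounds": None}


def audit_shadow(text: str) -> dict:
    """Map each user name to the classification of its password field."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a shadow-format record
        report[parts[0]] = classify_field(parts[1])
    return report


def weak_accounts(text: str) -> list:
    """User names whose stored password is empty or uses DES or MD5 crypt."""
    return sorted(user for user, info in audit_shadow(text).items()
                  if info["rating"] in ("weak", "critical"))


# Constructed sample: user names and hash strings are placeholders.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=656000$constructedsalt$" + "A" * 86 + ":19000:0:99999:7:::",
    "alice:$1$constrct$" + "B" * 22 + ":18000:0:99999:7:::",
    "bob:abCdEfGhIjKlM:15000:0:99999:7:::",
    "carol:$5$constructedsalt$" + "C" * 43 + ":19000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
    "dave:!$1$constrct$" + "D" * 22 + ":18000:0:99999:7:::",
    "eve::19000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, info in audit_shadow(SAMPLE_SHADOW).items():
        print(user, info)
    print("weak:", weak_accounts(SAMPLE_SHADOW))
```

Accounts reported as weak are the ones to migrate first, normally by changing the system's default hashing scheme and forcing a password change so the stored value is regenerated.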
Working with Passware Kit Portable You can use the Passware Kit to find encrypted files and recover lost passwords on other computers without installing the software there. The Portable Version can be installed on any removable device, i.e., a USB drive or a CD (USB recommended), and then used directly from this device on a target computer. Passware Kit Portable does not modify settings or files on a target computer (registry records, patched or unprotected files, etc.). The overall steps are: 1. Prepare a portable version on a CD or USB disk 2. Run a portable version on a target computer
Preparing Passware Kit Portable To create a portable version of Passware Kit, click Create Portable Version in the File menu: This displays the screen shown below: Choose the folder in which to install the portable version. It can be installed directly on a removable USB thumb drive. Click OK. Passware Kit installs its portable version in the specified folder. Once installed, you can copy this folder onto a CD or USB drive.
Passware Kit Portable is now ready to be used directly from your removable CD or USB drive.
Running Passware Kit Portable Once you have prepared the portable CD or USB drive, you are ready to use Passware Kit Portable on a target computer by following these steps: 1. Insert the portable CD or USB drive to the target computer. 2. Run PasswareKitForensic.exe file from the portable CD/USB. 3. Passware Kit starts: Use Passware Kit Portable like a regular version of the software. NOTE: Passware Kit Portable does not make any changes to the original file system or registry of the target computer. This means that after encryption scanning, password recovery, or decryption of files on the target computer, all items and original passwords remain unaffected. Passware Kit Portable does not save any log files, reports, or unprotected files on a target computer. All data is saved on a portable USB drive. It is recommended to run Passware Kit Portable from a USB drive instead of a CD; otherwise, the program will be unable to save any data due to writing restrictions on a CD drive.
Using Passware Kit Forensic with EnCase All Guidance EnCase users can now utilize Passware Kit Forensic to detect encrypted files in a case. Thanks to integration with Passware Kit Forensic, EnCase can detect over 200 encrypted file types and initiate a password recovery process if required. Requirements: EnCase 7.x or later (32-bit). Passware Kit Forensic 11.7 or later ("Install for all users" option selected).
How-To for EnCase v7 and Higher 1. Launch EnCase and open a case file. 2. Click "Process Evidence". The information about encrypted files will be displayed in the "Protected" and "Protection complexity" columns of EnCase. 3. Right-mouse click on the file you would like to open: 4. Choose Open With -> Passware Kit. Passware Kit Forensic will be launched as a File Viewer and the password recovery process will start automatically. 5. After the file is decrypted or the password is recovered, you can open the file directly from Passware Kit Forensic.
How-To for EnCase v6 If you are using EnCase v6, you can still use the encryption detection capabilities of Passware Kit Forensic via EnScript. The sample EnScript bookmarks all the password-protected or encrypted files for further analysis. Passware Kit Forensic 10.3 or later is required in this case. 1. Launch EnCase and open a case file 2. Add C:\Program Files (x86)\passware\passware Kit\EnCase\PasswareSample.EnScript 3. Select Entries you would like to scan 4. Run PasswareSample.EnScript 5. All the encrypted or password protected entries are bookmarked and additional information is displayed at the Console. A sample report is shown below:
Testing Password Recovery Settings
Before using Passware Kit to recover a password, you can test password recovery settings against a list of known passwords. The list could be Passware's Frequent Passwords dictionary or your own list of previously used or known passwords (a TXT file). As a result of the testing, Passware Kit reports the percentage of passwords recovered with the current settings. To test the settings against your passwords list, launch Passware Kit and click Tools > Check Recovery Rate for a Known Passwords List... The Select a passwords list window appears. Locate your passwords list file (TXT) and click Open. Passware Kit processes your file and reports the result as displayed below:
Now you can see if the current settings are appropriate for your list of passwords and optimize them if necessary!
Using the Decryptum Portable Decryptum Portable is a set of rainbow tables that allows instant decryption of Word and Excel files up to v.2003 with a Rainbow Tables attack. This set of rainbow tables can be purchased in addition to Passware Kit and is shipped on a physical USB disk. With Decryptum Portable, the decryption is performed offline, so there's no need to connect to Passware's Decryptum server. All types of File-Open passwords are removed instantly, regardless of their length and strength. There is no limitation on the number of files decrypted. Limitations of Decryptum Portable: The success rate is 99.7% for MS Word files and 95% for MS Excel files. Decryptum Portable does not support MS Word/Excel files created with MS Office 2007 or later versions and old files created with MS Office 95 or prior versions. Decryptum Portable does not recover the original password; it just removes it. Decryptum Portable does not work with Workbook/Worksheet, document protection, or VBA passwords. It removes only File-Open passwords. Files protected using additional crypto providers are not supported. Documents created with restricted permissions using the "Information Rights Service for Microsoft Office" are not supported. MS Excel files that contain custom menus are not supported. NOTE: In all cases above, you can use other regular password recovery attacks to recover passwords for your files. The overall steps are: 1. Start the Rainbow Tables attack; 2. Add the Rainbow Tables from the Decryptum Portable USB disk and run the decryption process.
Starting the Rainbow Tables Attack To use the Decryptum Portable, you first need to select the file that you need to decrypt and start the Rainbow Tables attack against it. 1. Launch the Passware Kit application. 2. Click Recover File Password. This displays the Open dialog box. 3. Choose the MS Word or Excel file to decrypt and click Open. This displays the screen shown below: 4. Click Advanced: Customize Settings. The Attack Editor appears, a sample of which is shown in the following figure.
5. Remove all current attacks by clicking Remove > Remove All in the toolbar.
6. Pick the Rainbow Tables attack from the list on the right and drag it to the attack list in the middle pane. This displays the screen shown below:
Once you have started the Rainbow Tables attack, you need to add the Rainbow Tables to it.
Adding the Rainbow Tables and Running the Decryption Process
Once you have started the Rainbow Tables attack, you need to add the Rainbow Tables to it. Make sure your Decryptum Portable USB disk is connected and that you run Passware Kit as Administrator.
1. In the Attack Editor window, click the Settings button to customize the attack. This displays the screen shown below:
2. Click the Add button and locate the .rt files (rainbow tables) on the connected Decryptum Portable USB disk. Press Ctrl+A to select all files as shown below:
Click OK to add the selected tables. Once you have added the rainbow tables to the attack, start the decryption process by clicking the Recover >> button in the bottom right corner of the Attack Editor window. This launches the decryption process: The decryption process takes less than one minute for each of the files. The results (i.e., the decrypted files) are displayed when the decryption is complete. The figure below shows a sample result.
Password Recovery Details This section describes the details of password recovery. What do you want to do? Learn about password recovery complexity levels Find out what file types are supported by the Passware Kit Read detailed descriptions of the different kinds of attack Learn about attack modifiers Learn about distributed password recovery
Supported File Types The Passware Kit recognizes a wide variety of file types. Below is a table that summarizes the supported file types and the password recovery options (complexity) available for each type. Application File Extension File-Open Password Recovery Options Hardware Acceleration Acrobat 3.0 PDF Instant Recovery / Brute-force Recovery - Fast Acrobat 4.0 PDF Instant Recovery / Brute-force Recovery - Fast / Medium Acrobat 5.0 PDF Instant Recovery / Brute-force Recovery - Medium Acrobat 6.0 PDF Instant Recovery / Brute-force Recovery - Medium Acrobat 7.0 PDF Instant Recovery / Brute-force Recovery - Medium Acrobat 8.0 PDF Instant Recovery / Brute-force Recovery - Medium
Acrobat 9.0 PDF Instant Recovery / Brute-force Recovery - Fast / Medium Acrobat 10.0 PDF Instant Recovery / Brute-force Recovery - Slow Acrobat 11.0 PDF Instant Recovery / Brute-force Recovery - Slow Symantec ACT! 2.0 BLB Instant Recovery Symantec ACT! 3.0 BLB Instant Recovery Symantec ACT! 4.0 BLB Instant Recovery Symantec ACT! 2000 BLB Instant Recovery ACT! by Sage 2005 ADF Instant Recovery ACT! by Sage 2006 ADF Instant Recovery ACT! by Sage 2007 ADF Instant Recovery ACT! by Sage 2008 ADF Instant Recovery ACT! by Sage 2009 ADF Instant Recovery Android Backup AB Brute-force Recovery - Slow X
Android Image BIN Brute-force Recovery - Slow Apple Disk Image DMG, DD Brute-force Recovery - Slow X X Apple iTunes Backup / iOS 4.x - 7.x PLIST Brute-force Recovery - Slow X BestCrypt 6.0 JBC Brute-force Recovery - Slow BestCrypt 7.0 JBC Brute-force Recovery - Slow BestCrypt 8.0 JBC Brute-force Recovery - Slow FileMaker Pro 3.0 FP3 Instant Recovery FileMaker Pro 4.0 FP3 Instant Recovery FileMaker Pro 5.0 FP5 Instant Recovery FileMaker Pro 6.0 FP5 Instant Removal FileMaker Pro 7.0 FP7 Instant Removal FileMaker Pro 8.x FP7 Instant Removal FileMaker Pro 9.0 FP7 Instant Removal FileMaker Pro 10.0 FP7 Instant
Removal FileMaker Pro 11.0 FP7 Instant Removal FileMaker Pro 12.0 Google Chrome Website FMP12, USR Instant Removal Instant Recovery ICQ 2000-2003 DAT Instant Recovery ICQ 99a DAT Instant Recovery ICQ Lite FB Instant Recovery Lotus 1-2-3 1.1+ WK!, WK1, WK4, WRC, WR1, WR9, 123 Instant Recovery Lotus Notes 4.x ID Brute-force Recovery - Medium Lotus Notes 6.x ID Brute-force Recovery - Medium Lotus Notes 7.0 ID Brute-force Recovery - Medium Lotus Notes 8.0 (RC2 encryption) ID Brute-force Recovery - Medium Lotus Organizer 1.0 ORG Instant Recovery Lotus Organizer 2.0 OR2 Instant Recovery Lotus Organizer 3.0 OR3 Instant X
Recovery Lotus Organizer 4.0 OR4 Instant Recovery Lotus Organizer 5.0 OR5 Instant Recovery Lotus Organizer 6.0 OR6 Instant Recovery Lotus Word Pro 96-99 LWP Instant Recovery Mac OS / FileVault2 Mac OS X Keychain DMG, DD, IMG, BIN, E01 Instant Removal (Memory Analysis) / Brute-force Recovery - Slow Brute-force Recovery - Slow Mac OS X User / Hash PLIST Instant Recovery (Memory Analysis) / Brute-force Recovery - Fast Mac OS X 10.8 User / Hash PLIST Instant Recovery (Memory Analysis) / Brute-force Recovery - Slow Mozilla Firefox Website Instant Recovery MS Access 2.0 MDB Instant Recovery X X X
MS Access 95 MDB Instant Recovery MS Access 97 MDB Instant Recovery MS Access 2000 MDB Instant Recovery MS Access 2002 MDB Instant Recovery MS Access 2003 MDB Instant Recovery MS Access 2007 ACCDB Brute-force Recovery - Slow MS Access 2010 ACCDB Brute-force Recovery - Slow MS Access 2013 ACCDB Brute-force Recovery - Slow X X X MS Access 2.0 System Database MS Access 97 System Database MS Access 2000 System Database MDA MDW MDW Instant Recovery Instant Recovery Instant Recovery MS Access VBA MDA Instant Recovery or Reset MS Backup QIC Instant Recovery MS Excel 4.0 XLS Instant Recovery MS Excel 5.0 XLS Instant Recovery
MS Excel 95 XLS Instant Recovery MS Excel 97 XLS Instant Recovery or Removal / Brute-force Recovery - Fast MS Excel 2000 XLS Instant Recovery or Removal / Brute-force Recovery - Fast MS Excel 2002 XLS Instant Recovery or Removal / Brute-force Recovery - Medium MS Excel 2003 XLS Instant Recovery or Removal / Brute-force Recovery - Medium MS Excel 2007 XLSX, XLSM Instant Recovery or Removal (Memory Analysis) / Brute-force Recovery - Slow X MS Excel 2010 XLSX, XLSM Instant Recovery or Removal (Memory Analysis) / Brute-force Recovery - X
Slow MS Excel 2013 XLSX, XLSM Instant Recovery or Removal (Memory Analysis) / Brute-force Recovery - Slow X MS Pocket Excel PXL Instant Recovery MS Excel VBA XLA, XLSM Instant Recovery or Reset MS Internet Explorer 4.0-9.0 Website MS Internet Explorer 6.0-9.0 Webform MS Internet Explorer 6.0-9.0 Content Advisor Instant Recovery Instant Recovery Instant Removal MS Mail MMF Instant Recovery MS Money 99 or earlier MNY Instant Recovery MS Money 2000-2001 MNY Instant Recovery MS Money 2002 MNY Brute-force Recovery - Medium MS Money 2003-2004 MNY Brute-force Recovery - Medium MS Money 2005-2007 MNY Brute-force Recovery - Medium
MS OneNote 2003 Section ONE Brute-force Recovery - Medium MS OneNote 2007 Section ONE Brute-force Recovery - Slow MS OneNote 2010 Section ONE Brute-force Recovery - Slow MS OneNote 2013 Section ONE Brute-force Recovery - Slow X X X MS Outlook 2000/2003/2007/2010/2013 Email Accounts MS Outlook 2000/2003/2007/2010/2013 Form Template MS Outlook 2000/2003/2007/2010/2013 Personal Storage OFT PST Instant Recovery Instant Recovery Instant Recovery MS Outlook Express Accounts MS Outlook Express Identities Instant Recovery Instant Recovery MS PowerPoint 2002 PPT Instant Recovery or Removal / Brute-force Recovery - Medium MS PowerPoint 2003 PPT Instant Recovery or Removal / Brute-force Recovery - Medium
MS PowerPoint 2007 MS PowerPoint 2010 MS PowerPoint 2013 PPTX, PPTM PPTX, PPTM PPTX, PPTM Instant Recovery or Removal / Brute-force Recovery - Slow Instant Recovery or Removal / Brute-force Recovery - Slow Instant Recovery or Removal / Brute-force Recovery - Slow MS PowerPoint VBA PPT, PPTM Instant Recovery or Reset MS Project 95 MPP Instant Recovery MS Project 98 MPP Instant Recovery MS Project 2000 MPP Instant Recovery MS Project 2002 MPP Instant Recovery MS Project 2003 MPP Instant Recovery MS SQL 2000 MDF Instant Reset MS SQL 2005 MDF Instant Reset MS SQL 2008 MDF Instant Reset MS Windows NT Users / Instant X X X
Secure Boot Option MS Windows 2000 Users / Secure Boot Option MS Windows 2000 Server Users / Secure Boot Option MS Windows 2000 Server Active Directory Administrator MS Windows XP Users / Secure Boot Option MS Windows 2003 Server Users / Secure Boot Option MS Windows 2003 Server Active Directory Administrator MS Windows 2003 SBS Users / Secure Boot Option Recovery (Memory Analysis) or Removal Instant Recovery (Memory Analysis) or Removal Instant Recovery (Memory Analysis) or Removal Instant Recovery (Memory Analysis) or Removal Instant Recovery (Memory Analysis) or Removal Instant Recovery (Memory Analysis) or Removal Instant Recovery (Memory Analysis) or Removal Instant Recovery (Memory Analysis) or
Removal MS Windows 2003 SBS Active Directory Administrator Instant Recovery (Memory Analysis) or Removal MS Windows Vista Users / Secure Boot Option Instant Recovery (Memory Analysis) or Removal MS Windows Vista / Bitlocker DD, IMG, BIN, VHD, E01 Instant Removal (Memory Analysis) / Brute-force Recovery - Slow X MS Windows 2008 Server Users / Secure Boot Option Instant Recovery (Memory Analysis) or Removal MS Windows 2008 Server / BitLocker DD, IMG, BIN, VHD, E01 Instant Removal (Memory Analysis) / Brute-force Recovery - Slow X MS Windows 7 Users / Secure Boot Option Instant Recovery (Memory Analysis) or Removal MS Windows 7 / BitLocker DD, IMG, BIN, VHD, E01 Instant Removal (Memory X
MS Windows 2012 Server Users / Secure Boot Option Analysis) / Brute-force Recovery - Slow Instant Recovery (Memory Analysis) or Removal MS Windows 2012 Server Live ID Accounts Instant Reset MS Windows 2012 Server / BitLocker DD, IMG, BIN, VHD, E01 Instant Removal (Memory Analysis) / Brute-force Recovery - Slow X MS Windows 8 Users / Secure Boot Option Instant Recovery (Memory Analysis) or Removal MS Windows 8-8.1 Live ID Accounts Instant Reset MS Windows 8-8.1 / BitLocker DD, IMG, BIN, VHD, E01 Instant Removal (Memory Analysis) / Brute-force Recovery - Slow X MS Windows NTLM / LANMAN Hash Instant Recovery / Brute-force Recovery - Fast MS Windows Users / UPEK Instant Recovery
Network Connections Instant Recovery Remote Desktop Connections RDP Instant Recovery MS Word 1.0 DOC, DOT Instant Recovery MS Word 2.0 DOC, DOT Instant Recovery MS Word 3.0 DOC, DOT Instant Recovery MS Word 4.0 DOC, DOT Instant Recovery MS Word 5.0 DOC, DOT Instant Recovery MS Word 6.0 DOC, DOT Instant Recovery MS Word 95 DOC, DOT Instant Recovery MS Word 97 DOC, DOT Instant Recovery or Removal / Brute-force Recovery - Fast MS Word 2000 DOC, DOT Instant Recovery or Removal / Brute-force Recovery - Fast MS Word 2002 DOC, DOT Instant Recovery or Removal / Brute-force Recovery - Medium
MS Word 2003 DOC, DOT Instant Recovery or Removal / Brute-force Recovery - Medium MS Word 2007 MS Word 2010 MS Word 2013 MS Word VBA DOCX, DOTX, DOCM DOCX, DOTX, DOCM DOCX, DOTX, DOCM DOC, DOT, DOCM, DOTM Instant Recovery or Removal (Memory Analysis) / Brute-force Recovery - Slow Instant Recovery or Removal (Memory Analysis) / Brute-force Recovery - Slow Instant Recovery or Removal (Memory Analysis) / Brute-force Recovery - Slow Instant Recovery or Reset MYOB earlier than 2004 PLS, PRM Instant Recovery MYOB 2004 DAT Instant Reset MYOB 2005 MYO Instant Reset X X X
MYOB 2006 MYO Instant Reset MYOB 2007 MYO Instant Reset MYOB 2008 MYO Instant Reset MYOB 2009 MYO Instant Reset MYOB 2010 MYO Instant Reset Norton Backup SET Instant Recovery Paradox Database DB Instant Recovery Peachtree 2002-2006 DAT Instant Recovery Peachtree 2007 DAT Instant Recovery Peachtree 2008 DAT Instant Recovery Peachtree 2010 DAT Instant Recovery Peachtree 2013 DAT Instant Reset PGP Desktop 9.x - 10.x Zip PGP Brute-force Recovery - Slow PGP Desktop 9.x - 10.x Private Keyring PGP Desktop 9.x - 10.x Virtual Disk PGP Desktop 9.x - 10.x Self- Decrypting Archive PGP WDE SKR PGD EXE DD, IMG, BIN, VHD, E01 Brute-force Recovery - Slow / Medium Brute-force Recovery - Slow Brute-force Recovery - Slow Instant Removal (Memory Analysis) / X X X X X
Brute-force Recovery - Slow GnuPG Private Keyring GPG Brute-force Recovery - Slow X Quattro Pro 5-6 Quattro Pro 7-8 QPW, WB1, WB2, WB3 QPW, WB1, WB2, WB3 Instant Recovery Instant Recovery Quattro Pro 9-12, X3, X4 QPW Instant Recovery QuickBooks 3.x - 4.x QBW, QBA Instant Recovery QuickBooks 5.x QBW, QBA Instant Recovery QuickBooks 6.x - 8.x QBW, QBA Instant Recovery QuickBooks 99 QBW, QBA Instant Recovery QuickBooks 2000 QBW, QBA Instant Recovery QuickBooks 2001 QBW, QBA Instant Recovery QuickBooks 2002 QBW, QBA Instant Recovery QuickBooks 2003 QBW, QBA Instant Recovery QuickBooks 2004 QBW, QBA Instant Recovery QuickBooks 2005 QBW, QBA Instant Removal
QuickBooks 2006 QBW, QBA Instant Removal QuickBooks 2007 QBW, QBA Instant Removal QuickBooks 2008 QBW, QBA Instant Removal QuickBooks 2009 QBW, QBA Instant Removal QuickBooks 2010 QBW, QBA Instant Removal QuickBooks 2011 QBW, QBA Instant Removal QuickBooks 2012 QBW, QBA Instant Removal QuickBooks 2013 QBW, QBA Instant Removal QuickBooks 2014 QBW, QBA Instant Removal QuickBooks Backup QBB Instant Removal Quicken 95/6.0 QDF Instant Recovery Quicken 98 QDF Instant Recovery Quicken 99 QDF Instant Recovery Quicken 2000 QDF Instant Recovery Quicken 2001 QDF Instant Recovery Quicken 2002 QDF Instant Recovery Quicken 2003 QDF Instant Removal
Quicken 2004 QDF Instant Removal Quicken 2005 QDF Instant Removal Quicken 2006 QDF Instant Removal Quicken 2007 QDF Instant Removal Quicken 2008 QDF Brute-force Recovery - Slow Quicken 2009 QDF Brute-force Recovery - Slow Quicken 2010 QDF Brute-force Recovery - Slow Quicken 2011 QDF Brute-force Recovery - Slow Quicken 2012 QDF Brute-force Recovery - Slow Quicken 2013 QDF Brute-force Recovery - Slow Quicken 2014 QDF Brute-force Recovery - Slow RAR 2.0 Archive RAR Brute-force Recovery - Slow RAR 2.9-4.x (AES Encryption) Archive RAR Brute-force Recovery - Slow X
RAR 5.x Archive RAR Brute-force Recovery - Slow Safari Websites Instant Recovery X Schedule+ 1.0 CAL Instant Recovery Schedule+ 7.x SCD Instant Recovery TrueCrypt Non-System Partition/Volume DD, IMG, BIN, VHD, TC, E01 Instant Removal / Brute-force Recovery - Slow X TrueCrypt System Partition/Volume DD, IMG, BIN, VHD, TC, E01 Instant Removal (Memory Analysis) / Brute-force Recovery - Slow X TrueCrypt Whole Disk DD, IMG, BIN, VHD, TC, E01 Instant Removal (Memory Analysis) / Brute-force Recovery - Slow X Unix OS User Hash Brute-force Recovery - Fast / Slow WordPerfect 5.x WPD Instant Recovery WordPerfect 6.0 WPD Instant Recovery WordPerfect 6.1 WPD Instant Recovery
WordPerfect 7-12, X3, X4 WPD Instant Recovery WinZip 8.0 or earlier ZIP Instant Removal / Brute-force Recovery - Fast Yandex Browser Website Instant Recovery ZIP Archive ZIP Brute-force Recovery - Fast / Slow 7-Zip Archive 7Z Brute-force Recovery - Slow X X
Password Recovery Complexity
The Passware Kit supports 180+ file types with the following complexity levels:
Instant Unprotection -- Recovery or Reset of the password is guaranteed and takes less than 1 minute.
Brute-force (Fast) -- Recovery of the password requires testing all passwords one by one. Speed is about 1,000,000 passwords per second.
Brute-force (Medium) -- Recovery of the password requires testing all passwords one by one. Speed is between 100,000 and 1,000,000 passwords per second.
Brute-force (Slow) -- Recovery of the password requires testing all passwords one by one. Speed is less than 100,000 passwords per second.
Impossible -- For some file types, password recovery is not possible.
When using the brute-force method, the Passware Kit tries to recover the original password by testing all possible combinations. Four attacks are used to recover the original password: Dictionary, Brute-force, Xieve, and Previous Passwords. More information about these types of attacks can be found on the Attack Descriptions page. The speed of the recovery process performed by a Brute-force attack differs between file types. For example, it is fast for MS Word and Excel files and slow for RAR archives. See the Supported File Types table to learn more about the password recovery options and complexity level for each supported file type.
Attack Descriptions Passware Kit uses eight different password recovery attacks.
Dictionary
Dictionary attack tries thousands of words from dictionary files as possible passwords. Sample password: "Specialization". Dictionary attack allows you to customize the following settings:
Password length: The program searches for the password of the specified length.
Dictionary file: Passware Kit offers 9 built-in dictionaries: Arabic, Dutch, English, French, German, Italian, Portuguese, Russian, and Spanish. The program allows you to compile your own dictionary file by choosing the "Custom" option.
Pattern: Defines the known part of the password. If any part of the password is known, enter it in the "Pattern" field. Known parts can be separated with the special masking symbols '*' or '?'. For example, "*p?e*" will match both "apple" and "pie". Each '?' character in the pattern is replaced by exactly one letter. For example, the pattern "never?????" will match "neveragain" and won't match "forever" or "nevermore". A '*' character is replaced by zero or more letters. For example, the pattern "never*" will match "never", "neveragain", "nevermore", etc. If you need to use the symbols '?' or '*' literally, type the symbol '\' before them to cancel the masking. For example, "whyme\?" will match only the password "whyme?" and won't match the password "whyme\w". You can also use unprintable control symbols in your password settings, such as '\n' (linefeed), '\t' (tab), '\r' (carriage return), and others.
Casing: You can add the Casing Modifier to the Dictionary attack to change the casing of any or all letters of the password.
Reverse Password: You can add the Reverse Password Modifier to the Dictionary attack to check for reversed words from the dictionary.
Brute-force
Brute-force Attack finds passwords by checking all possible combinations of characters from the specified Symbol Set. This is the slowest, but most thorough, method. Sample passwords: "Pw5@", "23012009", and "qw3erty". Brute-force attack allows you to customize the following settings:
Password length: The program searches for the password of the specified length.
Language: Passware Kit offers 9 built-in symbol sets for the following languages: Arabic, Dutch, English, French, German, Italian, Portuguese, Russian, and Spanish. You can also add special characters to the symbol set in the "Custom characters" field.
Symbol Set: The Symbol Set can include Uppercase letters, Lowercase letters, Numbers, Symbols, Spaces, and Custom characters.
Pattern: Defines the known part of the password. If any part of the password is known, enter it in the "Pattern" field. Known parts can be separated with '*' or '?'. For example, "*p?e*" will match both "apple" and "pie". Each '?' character in the pattern is replaced by exactly one of the symbols from the active Symbol Set. For example, the pattern "never?????" will match "neveragain" and won't match "forever" or "nevermore". A '*' character is replaced by zero or more symbols from the active Symbol Set (this number depends on the password length specified). For example, the pattern "never*" will match "never", "neveragain", "nevermore", etc. If you need to use the symbols '?' or '*' literally, type the symbol '\' before them to cancel the masking. For example, "whyme\?" will match only the password "whyme?" and won't match the password "whyme\w". You can also use unprintable control symbols in your password settings, such as '\n' (linefeed), '\t' (tab), '\r' (carriage return), and others.
Xieve
Xieve optimization dramatically boosts Brute-force attack speed by skipping password checks of nonsensical combinations of characters. It uses a large built-in table of frequencies of different combinations of letters. Sample passwords: "mycomp" and "sweetemily". Xieve attack allows you to customize the following settings:
Password length: The program searches for the password of the specified length.
Language: Passware Kit offers 9 built-in symbol sets for the following languages: Arabic, Dutch, English, French, German, Italian, Portuguese, Russian, and Spanish. You can also add special characters to the symbol set in the "Custom characters" field.
Symbol Set: The Symbol Set can include Uppercase letters, Lowercase letters, Numbers, Symbols, Spaces, and Custom characters.
Pattern: Defines the known part of the password. If any part of the password is known, enter it in the "Pattern" field. Known parts can be separated with '*' or '?'. For example, "*p?e*" will match both "apple" and "pie". Each '?' character in the pattern is replaced by exactly one of the symbols from the active Symbol Set. For example, the pattern "never?????" will match "neveragain" and won't match "forever" or "nevermore". A '*' character is replaced by zero or more symbols from the active Symbol Set (this number depends on the password length specified). For example, the pattern "never*" will match "never", "neveragain", "nevermore", etc. If you need to use the symbols '?' or '*' literally, type the symbol '\' before them to cancel the masking. For example, "whyme\?" will match only the password "whyme?" and won't match the password "whyme\w". You can also use unprintable control symbols in your password settings, such as '\n' (linefeed), '\t' (tab), '\r' (carriage return), and others.
Xieve level: You can define the level of Xieve optimization by choosing between Low, Medium and High. With the High level the application checks the most common combinations of letters only, skipping all the combinations that are not typical for the language selected.
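The Pattern setting described for the Dictionary, Brute-force and Xieve attacks determines how much a known fragment shrinks the search space, which is what matters when judging how long a password would withstand such a search. The Python below is an added example, not Passware code: it implements the '*', '?' and '\' rules as stated above, counts exactly how many distinct candidates a pattern admits, and converts that to worst-case time at a given speed. Treating any backslash escape other than \n, \t and \r as the literal character is an assumption.

```python
import string

LOWER = string.ascii_lowercase
ALNUM = string.ascii_letters + string.digits   # a-z, A-Z, 0-9 (62 symbols)
CONTROL = {"n": "\n", "t": "\t", "r": "\r"}    # control escapes listed in the guide


def tokenize(pattern):
    """Split a pattern into ('lit', ch), ('one', None) and ('many', None) tokens."""
    tokens, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 == len(pattern):
                raise ValueError("pattern ends with a dangling backslash")
            nxt = pattern[i + 1]
            # Assumption: escapes other than \n, \t, \r stand for the character itself.
            tokens.append(("lit", CONTROL.get(nxt, nxt)))
            i += 2
            continue
        tokens.append(("one", None) if ch == "?" else
                      ("many", None) if ch == "*" else ("lit", ch))
        i += 1
    return tokens


def _closure(states, tokens):
    """A '*' may match nothing, so standing in front of it also means standing past it."""
    out, stack = set(states), list(states)
    while stack:
        i = stack.pop()
        if i < len(tokens) and tokens[i][0] == "many" and i + 1 not in out:
            out.add(i + 1)
            stack.append(i + 1)
    return frozenset(out)


def _step(states, tokens, ch, in_symbol_set):
    """Advance every live pattern position over one password character."""
    nxt = set()
    for i in states:
        if i == len(tokens):
            continue
        kind, lit = tokens[i]
        if kind == "lit" and ch == lit:
            nxt.add(i + 1)
        elif kind == "one" and in_symbol_set:
            nxt.add(i + 1)
        elif kind == "many" and in_symbol_set:
            nxt.add(i)
    return _closure(nxt, tokens)


def matches(pattern, password, symbols):
    """True if the password fits the pattern; wildcards only cover chars in `symbols`."""
    tokens = tokenize(pattern)
    states = _closure({0}, tokens)
    for ch in password:
        states = _step(states, tokens, ch, ch in symbols)
    return len(tokens) in states


def keyspace(pattern, min_len, max_len, symbols):
    """Exact number of distinct passwords of length min_len..max_len the pattern admits."""
    tokens, symbols = tokenize(pattern), set(symbols)
    literals = {lit for kind, lit in tokens if kind == "lit"}
    # Each literal character is its own class; all remaining symbols behave identically.
    classes = [(ch, ch in symbols, 1) for ch in literals]
    if symbols - literals:
        classes.append((None, True, len(symbols - literals)))
    counts, total = {_closure({0}, tokens): 1}, 0
    for length in range(max_len + 1):
        if length >= min_len:
            total += sum(n for st, n in counts.items() if len(tokens) in st)
        step = {}
        for st, n in counts.items():
            for ch, in_set, weight in classes:
                new = _step(st, tokens, ch, in_set)
                if new:
                    step[new] = step.get(new, 0) + n * weight
        counts = step
    return total


def seconds_to_exhaust(candidates, passwords_per_second):
    """Worst-case time to test every candidate at a constant speed."""
    return candidates / passwords_per_second


if __name__ == "__main__":
    unknown = keyspace("*", 10, 10, LOWER)            # nothing known, 10 lowercase letters
    partial = keyspace("never?????", 10, 10, LOWER)   # first five letters known
    for label, n in (("no known part", unknown), ("'never' known", partial)):
        print(f"{label}: {n:,} candidates, "
              f"{seconds_to_exhaust(n, 1_000_000):,.0f} s at 1,000,000 p/s")
```

At the "Fast" speed of about 1,000,000 passwords per second, knowing the first five letters cuts the ten-letter lowercase search from years to about twelve seconds.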
Known Password/Part Known Password/Part Attack checks a certain password entered in the "Value" field. There is no need to open a file in order to check whether a certain password is correct. You can also use unprintable control symbols in your password settings, such as '\n' (linefeed), '\t' (tab), '\r' (carriage return), and others. This attack can be combined with other attacks using the Join Attacks option. For example, if you know your password is a word followed by "1980", use Join Attacks to combine Dictionary attack and Known Password/Part attack with the value set to "1980".
Previous Passwords Previous Passwords Attack checks passwords that were previously recovered by other attacks for other files. It automatically saves all passwords found.
Decryptum Decryptum Attack instantly decrypts MS Word and Excel files up to v.2003 in online mode. It connects to the www.decryptum.com server to generate a free preview or to decrypt files. You are required to purchase a Decryptum PIN to save the decrypted file. The partial preview of the file is free. Passware Kit Standard, Professional, Enterprise, and Forensic editions already include a free Decryptum PIN for one or more files. Learn more about Decryptum Attack... Decryptum attack is also available offline as Decryptum Portable. Passware's portable rainbow tables are used by the Rainbow Tables attack and allow instant offline decryption of MS Word and Excel files of version up to 2003. Learn more about Decryptum Portable...
Encryption Keys Extraction Encryption Keys Extraction Attack instantly decrypts MS Office 2007-2013 files (Word, Excel, PowerPoint) if there is a memory image of a computer acquired while the file was open. The attack instantly extracts the encryption keys from the memory image or the system hibernation file (hiberfil.sys) and decrypts the file, regardless of the password length. To acquire the memory image, you can use Passware FireWire Memory Imager.
SureZip SureZip attack decrypts Zip archives created with WinZip version 8.0 and earlier in less than an hour, regardless of the password used to protect them. At least 5 simultaneously encrypted files are required in order to process the archive. Archives created with WinZip are supported.
Zip Plaintext If at least one file from a password-protected Zip archive is available unencrypted, the Zip Plaintext attack instantly decrypts the whole archive, regardless of the password length. Archives with WinZip standard encryption are supported. AES-encrypted archives are not supported by the Plaintext attack. Zip Plaintext attack allows you to customize the following settings: Plaintext archive: Compress the known file with the same version of Zip and then supply it to the Zip Plaintext attack as the Plaintext archive. The plaintext file should be zipped without encryption and must be byte-for-byte equal to its copy inside the encrypted Zip archive.
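Because the Zip Plaintext attack applies to WinZip standard encryption and not to AES-encrypted archives, a useful check on stored archives is to list which entries still use the standard scheme. The Python audit below is an added example, not part of the Passware guide; it reads only header metadata, and the sample archive with its file names is constructed in memory with patched header fields.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001          # general-purpose flag bit 0: entry is encrypted
STRONG_ENCRYPTION = 0x0040  # general-purpose flag bit 6: PKWARE strong encryption
WINZIP_AES = 99             # compression-method value WinZip uses for AES entries


def classify(info):
    """Classify one ZipInfo entry by the encryption scheme its header declares."""
    if not info.flag_bits & ENCRYPTED:
        return "unencrypted"
    if info.compress_type == WINZIP_AES:
        return "aes"
    if info.flag_bits & STRONG_ENCRYPTION:
        return "pkware-strong"
    return "zip-standard"


def audit(zip_bytes):
    """Map every entry name to its declared scheme without decrypting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: classify(info) for info in zf.infolist()}


def exposed_entries(report):
    """Entries using standard Zip encryption, the scheme the plaintext attack covers."""
    return sorted(name for name, kind in report.items() if kind == "zip-standard")


def build_sample():
    """Constructed sample: a real ZIP whose central-directory flags are patched to
    look like one standard-encrypted, one AES and one unencrypted entry.
    The payloads are not actually encrypted; only the audited metadata is realistic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("legacy.doc", "aes.doc", "readme.txt"):  # hypothetical names
            zf.writestr(name, b"constructed sample data")
    data = bytearray(buf.getvalue())
    # End-of-central-directory record is the last 22 bytes (no archive comment);
    # the central-directory offset sits 16 bytes into it.
    cd_offset = struct.unpack_from("<L", data, len(data) - 22 + 16)[0]
    patches = {"legacy.doc": (ENCRYPTED, 0), "aes.doc": (ENCRYPTED, WINZIP_AES)}
    pos = cd_offset
    while data[pos:pos + 4] == b"PK\x01\x02":
        name_len, extra_len, comment_len = struct.unpack_from("<3H", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("ascii")
        if name in patches:
            # Flags live at offset 8 and the compression method at offset 10.
            struct.pack_into("<2H", data, pos + 8, *patches[name])
        pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


if __name__ == "__main__":
    report = audit(build_sample())
    for name, kind in report.items():
        print(f"{name:12} {kind}")
    print("re-encrypt with AES:", exposed_entries(report))
```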
Join Attacks Join Attacks group applies its attacks to different parts of the password. Set the whole password length first. Then add attacks to the Join Attacks group for each part of the password. Example: for passwords like "green123", set the following Join Attacks group: Join Attacks (Password Length: from 8 to 8) Dictionary Attack: English (Password Length: from 5 to 5) + Brute-force Attack: English (Password Length: from 3 to 3 Symbol Set: Numbers) Sample passwords: "admin123" and "black000". Join Attacks group allows you to customize the following settings: Password length The program searches for the password of the total specified length. Reversed Order The program also checks passwords from the reversed order of the attacks. For the previous example, sample passwords are: "123green","123admin", "000black".
Append Attacks Append Attacks group runs attacks to check the shortest passwords first, then runs the same attacks to check increasingly longer passwords. When Append Attacks group is not enabled, Passware Kit checks all the passwords of each attack before running the next attack.
Rainbow Tables Rainbow Tables attack recovers hashed passwords from Windows, MD5, LANMAN, NTLM, and SHA1 hashes. To calculate a password, it uses a rainbow table - a precomputed table for reversing cryptographic hash functions. Rainbow tables are available for download at third-party websites, such as FreeRainbowTables.com (free) and Rainbow Crack. The attack supports unpacked non-hybrid .rt tables, .rti tables converted with the rti2rto.exe tool, and .rtc tables converted with rtc2rt.exe. The Rainbow Tables attack can also be used to instantly decrypt MS Word and Excel files up to v.2003. To decrypt the files, the attack requires special rainbow tables that are available as an additional product by Passware - Decryptum Portable.
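To make "a precomputed table for reversing cryptographic hash functions" concrete, the following Python is an added textbook illustration, not Passware's implementation or table format. It builds a toy rainbow table over 4-digit PINs hashed with unsalted MD5, storing only the start and end of each chain, and shows that the same table is useless once a salt is mixed into the hash. The chain length, reduction function and salt value are assumptions chosen for the demonstration.

```python
import hashlib

PIN_LEN = 4      # toy password space: "0000".."9999"
CHAIN_LEN = 20   # hash/reduce steps per chain (assumed value)


def unsalted_md5(pin):
    return hashlib.md5(pin.encode()).digest()


def salted_md5(salt, pin):
    return hashlib.md5((salt + pin).encode()).digest()


def reduce_to_pin(digest, column):
    """Map a digest back into the PIN space; the column index varies the mapping
    per step, which is what distinguishes a rainbow table from plain hash chains."""
    n = (int.from_bytes(digest[:8], "big") + column) % 10 ** PIN_LEN
    return f"{n:0{PIN_LEN}d}"


def build_table(starts):
    """Precompute chains and keep only endpoint -> [start points]."""
    table = {}
    for start in starts:
        pin = start
        for col in range(CHAIN_LEN):
            pin = reduce_to_pin(unsalted_md5(pin), col)
        table.setdefault(pin, []).append(start)
    return table


def lookup(target, table):
    """Return a PIN whose unsalted MD5 equals target, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Suppose the target hash sits in this column; finish the chain from there.
        pin = reduce_to_pin(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pin = reduce_to_pin(unsalted_md5(pin), c)
        # A matching endpoint may be a false alarm, so replay the chain and verify.
        for start in table.get(pin, ()):
            candidate = start
            for c in range(CHAIN_LEN):
                if unsalted_md5(candidate) == target:
                    return candidate
                candidate = reduce_to_pin(unsalted_md5(candidate), c)
    return None


def stored_chains(table):
    return sum(len(starts) for starts in table.values())


if __name__ == "__main__":
    starts = [f"{n:04d}" for n in range(0, 10 ** PIN_LEN, 25)]   # 400 chains
    table = build_table(starts)
    print("chains stored:", stored_chains(table), "for a space of", 10 ** PIN_LEN)
    print("unsalted hash of 0025 ->", lookup(unsalted_md5("0025"), table))
    # Constructed salt value; the table was built for the unsalted function only.
    print("salted hash of 0025   ->", lookup(salted_md5("s4lt", "0025"), table))
```

The salted lookup returns None because every chain was computed with the unsalted function, which is why per-password salts defeat precomputed tables.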
Attack Modifiers Attack modifiers enable you to further control the password recovery process by specifying which casing is used, and whether a reverse password should be used. Once you have added a modifier, you should then add an attack to this modifier.
Change Casing Modifier This modifier specifies how uppercase and lowercase letters are used in your password. The default is Original. You can add, remove, or change the settings for a particular attack as required, using the Attack Editor. For example, the password "password" can be modified as follows: Original (no modifications): password Normal (first letter capital, the rest are lowercase): Password Toggle (vice-versa to Normal, first letter lowercase, the rest are capital): password Upper (all letters capital): PASSWORD Lower (all letters lowercase): password Reverse (vice-versa to Original): PAsSwoRD Mixed (randomize lowercase and capital letters): PaSsWord
Reverse Password Modifier This modifier reverses your password. For example, "password" becomes "drowssap".
Hardware Acceleration Passware Kit accelerates password-recovery processes using hardware.
Multiple CPUs Passware Kit utilizes multi-core computers efficiently. Password-recovery speed scales with the number of CPUs on a computer.
NVIDIA and ATI GPU GPU (Graphics Processing Unit) cards help to accelerate password recovery by up to 45 times. Passware Kit supports all types of NVIDIA GeForce cards, TESLA, and other CUDA cards, as well as ATI (AMD Radeon). Passware Kit automatically detects NVIDIA and ATI cards available for acceleration on a target computer and uses them to speed up the password search process. It can use multiple cards simultaneously. NOTE: The performance of NVIDIA cards depends on the version of the driver installed. The maximum password recovery speed on NVIDIA cards is achieved using driver GeForce 327.23. For AMD cards, we recommend using driver version 13.152 + OpenCL Driver version 10.0.1268.1.
Tableau TACC Tableau TACC 1441 hardware accelerator helps to speed up the password-recovery process by up to 25 times. The device is connected to a computer through a FireWire port. Passware Kit supports multiple TACC hardware accelerators connected to a single computer for better performance.
Distributed Password Recovery Passware Kit uses the computing power of multiple computers to achieve the highest performance. All hardware acceleration methods listed above can be used in Distributed Password Recovery. NOTE: Multiple CPU and TACC acceleration is enabled by default. To enable GPU acceleration and Distributed Password Recovery, check the Acceleration Units and Distributed Password Recovery boxes as shown below:
In order for Passware Kit to detect and use your GPU card, the latest driver for this card model and operating system should be installed. The drivers are available for download at NVIDIA and AMD websites. The table below summarizes the accelerated password-recovery speeds for the most difficult-to-decrypt file types.*

Password Recovery Speed (p/s) on CPU, NVIDIA GPU, AMD GPU, and TACC accelerator:

File Type                 Encryption / Hashing   CPU       NVIDIA GPU   AMD GPU    TACC
Android Backup            AES-256 / SHA-1        1,868     24,654       25,565     7,366
Android Image             AES-128 / SHA-1        9,365     120,661      121,296    34,268
Apple Disk Image          AES-256 / SHA-1        16,691    76,542       69,557     24,913
Apple iTunes Backup       AES-256 / SHA-1        1,858     24,488       25,591     6,673
Lotus Notes ID            AES-256 / SHA-1        601       83,642       N/A        N/A
Mac FileVault2            AES-128 / SHA-256      51        3,703        4,235      N/A
Mac Keychain              TripleDes / SHA-1      18,228    181,765      174,655    48,005
Mac OS X 10.8-10.9 Hash   SHA-512                35        635          515        N/A
MS BitLocker              BitLocker / SHA-256    5         168          N/A        N/A
MS Office 2013            AES-256 / SHA-512      63        1,108        1,230      N/A
MS Office 2010            AES-128 / SHA-1        699       10,391       10,600     1,922
MS Office 2007            CSP / SHA-1            1,412     20,912       20,980     3,804
PGP SDA Archive           CAST / SHA-1           10,807    424,275      N/A        56,821
PGP Disk (PGD)            AES-256 / SHA-1        1,900     N/A          N/A        15,140
PGP Private Keyring RSA   AES-256 / SHA-1        666       31,644       N/A        4,699
PGP Private Keyring DSA   AES-256 / SHA-1        502       23,905       N/A        3,572
PGP WDE                   AES-256 / SHA-1        7,935     301,697      N/A        48,335
PGP Zip Archive           CAST / SHA-1           258       13,285       N/A        1,863
RAR 3.x-4.x               AES-128 / SHA-1        579       9,588        9,529      1,751
RAR 5.x                   AES-256 / SHA-256      78        5,619        6,457      N/A
TrueCrypt                 System / RIPEMD-160    452       48,411       N/A        N/A
Zip                       AES / SHA-1            36,092    467,013      451,293    91,288
7-Zip Archive             AES-256 / SHA-256      398       4,467        N/A        N/A

* Settings: Brute-force attack, password length from 5 to 5 characters, English lowercase letters, English uppercase letters, numbers.
CPU: Intel Core i5-2400 @ 3.10GHz (4 cores)
GPU: NVIDIA GeForce GTX 680 (Kepler)
GPU: AMD Radeon HD 7850 (Pitcairn)
TACC: Tableau TACC1441.
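The speeds in the table translate directly into how long a password of a given length withstands an exhaustive search. The following is an added example, not part of the Passware guide: it takes a few rows of the table and the footnote's 62-symbol set and computes the worst-case exhaustion time and the shortest length that holds for a target duration. The function names and the `units` multiplier (which assumes perfectly linear scaling across identical accelerators or Agents) are assumptions of the example, and the figures cover pure brute force only; dictionary attacks find guessable passwords far sooner.

```python
"""Worst-case brute-force exhaustion time, using speeds from the benchmark table."""

# Passwords per second, copied from the guide's table for a few file types.
# None marks an "N/A" cell (no speed given for that unit and file type).
SPEEDS = {
    "MS BitLocker":   {"cpu": 5,     "nvidia": 168,    "amd": None,   "tacc": None},
    "MS Office 2013": {"cpu": 63,    "nvidia": 1108,   "amd": 1230,   "tacc": None},
    "MS Office 2007": {"cpu": 1412,  "nvidia": 20912,  "amd": 20980,  "tacc": 3804},
    "RAR 5.x":        {"cpu": 78,    "nvidia": 5619,   "amd": 6457,   "tacc": None},
    "Zip":            {"cpu": 36092, "nvidia": 467013, "amd": 451293, "tacc": 91288},
}

# The footnote's symbol set: English lowercase + uppercase letters + digits.
ALPHABET = 26 + 26 + 10
YEAR = 365 * 24 * 3600  # seconds


def keyspace(alphabet, min_len, max_len):
    """Number of candidate passwords of length min_len..max_len."""
    if not 1 <= min_len <= max_len:
        raise ValueError("need 1 <= min_len <= max_len")
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def exhaust_seconds(file_type, unit, min_len, max_len, units=1, alphabet=ALPHABET):
    """Seconds needed to try every candidate (a hit takes half that on average).

    `units` models several identical accelerators or Agents and assumes
    perfectly linear scaling, which is an idealisation made by this example.
    """
    speed = SPEEDS[file_type][unit]
    if speed is None:
        raise ValueError(f"the table gives no {unit} speed for {file_type}")
    if units < 1:
        raise ValueError("units must be at least 1")
    return keyspace(alphabet, min_len, max_len) / (speed * units)


def min_length_to_resist(file_type, unit, target_seconds, units=1,
                         alphabet=ALPHABET, limit=64):
    """Shortest length L for which exhausting lengths 1..L takes >= target."""
    for length in range(1, limit + 1):
        seconds = exhaust_seconds(file_type, unit, 1, length, units, alphabet)
        if seconds >= target_seconds:
            return length
    raise ValueError("no length up to the limit meets the target")


def human(seconds):
    """Render a duration with a unit a reader can compare at a glance."""
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} s"


def report(unit="nvidia", units=1):
    """One line per file type: time for the footnote's 5-character test and
    the length needed to hold for a year against `units` accelerators."""
    lines = []
    for file_type, speeds in SPEEDS.items():
        if speeds[unit] is None:
            lines.append(f"{file_type:<15} no {unit} speed in the table")
            continue
        five = exhaust_seconds(file_type, unit, 5, 5, units)
        need = min_length_to_resist(file_type, unit, YEAR, units)
        lines.append(f"{file_type:<15} 5 chars: {human(five):>12}   "
                     f"1 year needs length >= {need}")
    return lines


if __name__ == "__main__":
    print("\n".join(report("nvidia", units=1)))
    print()
    print("\n".join(report("nvidia", units=20)))
```

The same five-character password that falls in about half an hour inside a Zip archive takes roughly nine and a half days in an Office 2013 file on the same GPU, which is why the key-derivation cost of the container matters as much as the password itself.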
Distributed Password Recovery Passware Kit accelerates password recovery using the computing power of multiple computers to achieve the highest performance.
Features of Distributed Password Recovery
- Recovers passwords for 40+ file types that require Brute-force attack
- Has linear performance scalability
- Uses multiple-core CPUs and NVIDIA GPUs efficiently to speed up the password recovery process
- Uses Tableau TACC hardware accelerators to speed up the password recovery process by up to 25 times
- Each computer running Passware Kit Agent supports multiple CPUs, GPUs, and TACC accelerators simultaneously
- Uses Dictionary, Brute-force, Xieve, Known Password/Part, Previous Passwords attacks and any combination of them
- Uses Amazon Compute Cloud to accelerate MS Office 2007-2010 password recovery by up to 20 times without your having to buy expensive hardware (watch the video guide)
- Passware Kit Agent is available for both Windows and Linux systems, 32 and 64 bit.
The overall steps in using the distributed password recovery are as follows:
1. Install Passware Kit Agents on multiple computers
2. Run Passware Kit on your computer (Passware Kit Server)
3. Passware Kit Agents detect and connect to Passware Kit automatically, and password recovery tasks are divided among multiple computers
Add more Passware Kit Agents
Installing Passware Kit Agents
Passware Kit Agent is available for download for both Windows and Linux systems, 32 and 64 bit. For instructions on installing and running Passware Kit Agent on Linux, refer to the README file from the downloaded TAR archive. Below are the instructions on installing and running Passware Kit Agent for Windows.
1. Run the passware-kit-agent.msi file to install Passware Kit Agent on node computers. Use the same installation file to install the Agents on multiple computers.
2. You have the option to configure Passware Kit Agent to connect to a specific server. Launch Passware Kit Agent. The following screen appears: At the Settings tab, you can choose between Auto discovery and Manual connection to Passware Kit:
In the Auto discovery mode, Passware Kit Agent automatically locates a running installation of Passware Kit over the network. In the Manual connection mode, you can specify the name of the computer Passware Kit is running on. Now that you have installed Passware Kit Agent, you are ready to recover the password with Passware Kit.
Running Passware Kit and Recovering the Password
Once you have installed Passware Kit Agent, you are ready to recover the password by following these steps:
1. Launch Passware Kit on the server computer and select a file to process. At the following screen, click the Enable distributed password recovery checkbox:
2. Choose one of the three options to specify password settings. The password recovery process starts.
3. The Agents tab displays all the Passware Kit Agents detected over the network. You can see the status of each of the Agents in the Status column: Status "Running the current attack" means that this Passware Kit Agent is connected to Passware Kit and is running the current password recovery task.
4. When the Passware Kit Agent is connected to Passware Kit, its Settings tab displays the IP address and port of the Passware Kit Server, and the Activity tab displays a graph of resource usage: During the password recovery process, the status of the Agent is "Connected and busy..."
5. The detailed activity of the Passware Kit and Passware Kit Agents is displayed in the Log tab:
6. You can adjust the GPU usage during the password recovery process for efficient performance of your computer by enabling the Use GPU acceleration only when the user is not active checkbox from the Tools -> Options menu.
Now your password is being recovered using multiple computers efficiently!
Adding Passware Kit Agents
1. Launch Passware Kit and click Tools -> License Manager:
2. The License Manager window appears. It displays the initial Serial Number of your Passware Kit license and the total number of Passware Kit Agents available for this license: Click Add SN:
3. Enter your new Serial Number and click OK.
4. The License Manager window now displays your new Serial Number and the increased number of Passware Kit Agents available for your license. Click OK to save the changes.
Now you can use more computers to recover your password even faster!
Amazon Elastic Compute Cloud Passware Kit accelerates password recovery using the power of cloud computing to achieve the highest performance without your having to buy expensive hardware.
Features of Amazon EC2 Password Recovery
- Recovers passwords for MS Office 2007-2010 files that require a Brute-force attack
- Each Amazon EC2 Instance has two NVIDIA Tesla Fermi GPU cards, which accelerate password recovery by 11 times
- Uses Dictionary, Brute-force, Xieve, Known Password/Part, Previous Passwords attacks and any combination of them
- No need to overload computer CPU since the time-consuming password calculation process is performed remotely
- No need to purchase expensive hardware. Pay only for capacity that you actually use
The overall steps are as follows:
1. Launch Amazon EC2 Instance.
2. Run Passware Kit on your computer (Passware Kit Server).
3. Passware Amazon Agents detect and then connect to Passware Kit, and password recovery tasks are divided among Amazon instances.
Launching Amazon EC2 Instance Passware Kit accelerates password recovery using Amazon Elastic Compute Cloud (EC2) - a highly scalable cloud computing platform.
Working with Passware Amazon Agent
1. Sign in to the AWS Management Console at http://aws.amazon.com/. If you do not have an Amazon AWS account, you need to sign up first.
2. Click on the EC2 tab. At the Navigation pane, go to NETWORKING & SECURITY -> Security Groups. Select the default group.
3. Once at the default group, make a new connection rule by clicking on Inbound, selecting Custom TCP rule from the Create a new rule menu, and typing 11555 in the Port range field. Click Add Rule, then Apply Rule Changes.
4. At the Navigation pane, go to IMAGES -> AMIs. Make sure the Region is set to US East (Virginia). Select image Passware Amazon agent. To locate this image, type "passware" in the Search field in the Viewing area.
5. Right-click the mouse on the image and select Launch Instance. The Request Instances Wizard window appears.
6. In the Instance Type field, select Cluster GPU from the pull-down menu. Click Continue.
7. In the Placement Group field, select Create new placement group... and type any name for the new group. In the User Data field, type your own authentication key. NOTE: By specifying an authentication key, you secure the Instance, so that no other user can connect to Passware Amazon Agent. Click Continue.
8. Skip the next window by clicking Continue.
9. At Create Key Pair, select Proceed without a Key Pair. Click Continue.
10. At Configure Firewall, select the default Security Group. Click Continue.
11. At Review, verify all the fields and click Launch.
12. The Amazon EC2 Instance is now launched.
NOTE: After you finish the password recovery process, stop the Instance in AWS Management Console. Go to the EC2 tab, click on Instances in the Navigation pane, and select Stop from the right-click menu of the running Instance. Sign out from the AWS Management Console. Now that you have launched the Amazon EC2 Instance, you are ready to recover the password with Passware Kit.
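The inbound rule created in step 3 decides which addresses can reach the agent on port 11555, and the steps do not say which source range to enter. The following is an added example, not part of the Passware guide: it reads security-group data in the JSON shape printed by `aws ec2 describe-security-groups` and reports every rule that exposes the port to addresses other than the computer running Passware Kit. The group IDs, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
"""Report security-group rules that expose the agent port too widely."""
import ipaddress
import json

AGENT_PORT = 11555  # the port opened in step 3 of the guide

# Constructed sample in the shape printed by `aws ec2 describe-security-groups`.
# Group IDs are placeholders; addresses come from documentation ranges.
SAMPLE_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE-default", "GroupName": "default", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 11555, "ToPort": 11555,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
  ]},
  {"GroupId": "sg-EXAMPLE-agents", "GroupName": "passware-agents", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 11555, "ToPort": 11555,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}
  ]},
  {"GroupId": "sg-EXAMPLE-wide", "GroupName": "wide-range", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 11000, "ToPort": 12000,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1",
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]}
]}
"""


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_JSON)


def covers_port(permission, port):
    """True if the rule applies to TCP traffic on `port`."""
    protocol = permission.get("IpProtocol")
    if protocol == "-1":          # "-1" means every protocol and every port
        return True
    if protocol != "tcp":
        return False
    low, high = permission.get("FromPort"), permission.get("ToPort")
    return low is not None and high is not None and low <= port <= high


def describe(permission):
    """Short human-readable label for a rule."""
    if permission.get("IpProtocol") == "-1":
        return "all protocols"
    return f"tcp {permission['FromPort']}-{permission['ToPort']}"


def audit_agent_port(document, allowed_sources, port=AGENT_PORT):
    """Return (group id, source CIDR, rule) for each rule that lets a source
    outside `allowed_sources` reach `port`.

    Rules whose source is another security group (UserIdGroupPairs) are not
    evaluated here; only CIDR sources are checked.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_sources]
    findings = []
    for group in document.get("SecurityGroups", []):
        for permission in group.get("IpPermissions", []):
            if not covers_port(permission, port):
                continue
            cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                source = ipaddress.ip_network(cidr, strict=False)
                permitted = any(source.version == net.version and source.subnet_of(net)
                                for net in allowed)
                if not permitted:
                    findings.append((group["GroupId"], cidr, describe(permission)))
    return findings


if __name__ == "__main__":
    # 203.0.113.10 stands in for the public address of the Passware Kit computer.
    for group_id, cidr, rule in audit_agent_port(load_sample(), ["203.0.113.10/32"]):
        print(f"{group_id}: {rule} reachable from {cidr}")
```

On the sample it flags the world-open rule in the default group and both rules of the wide-range group, and passes the group whose rule is limited to the single allowed address.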
Running Passware Kit and Recovering the Password
Once you have launched an Amazon EC2 instance, you are ready to recover the password by following these steps:
1. Launch Passware Kit and click Tools -> Options... -> Network.
2. Click the Enable Distributed Password Recovery checkbox. The Amazon Elastic Compute Cloud group appears.
3. Click the Enable Password Recovery on Amazon EC2 checkbox.
4. In the Instance public DNS field, paste the value copied from AWS Management Console. (To see this value in AWS Management Console, go to the EC2 tab, click on Instances in the Navigation pane, then click on the running instance. Copy the value of the Public DNS field from the Instance Description.) The DNS value should look like this: ec2-xxx-xxxxxx-xxx.compute-1.amazonaws.com.
5. In the Instance authentication key field, paste the value copied from AWS Management Console. (To see this value in AWS Management Console, go to the EC2 tab, click on Instances in the Navigation pane, right-click on the running instance, and click on View/Change User Data. Copy the value of the User Data field, which is used as your authentication key.)
6. Click OK.
7. Click Recover File Password and select a file to process. At the following screen, choose one of the three options to specify password settings.
8. The password recovery process starts.
9. The Log tab displays all the Passware Amazon Agents detected over the network. Status Connected to Passware Amazon Agent means that this Passware Amazon Agent is connected to Passware Kit and is running the current password recovery task.
Now your password is being recovered using the power of cloud computing!
NOTE: After you finish the password recovery process, stop the Instance in AWS Management Console. Go to the EC2 tab, click on Instances in the Navigation Pane, and select Stop from the right-click menu of the running Instance. Sign out from the AWS Management Console.
System Requirements Microsoft Windows XP, Vista, Server 2003/2008/2012, or Windows 7/8 (32-bit or 64-bit) installed and configured on your system 1 GHz processor (2.4 GHz recommended) 512 MB of RAM (1 GB recommended) 150 MB of free hard disk space (more if you use custom dictionaries) Passware software supports PC platforms only. However, it can recover passwords for some files created on Macintosh, such as FileMaker. You can run Passware products on a Virtual PC or Parallels Desktop to unprotect your files. For Windows Key, a Windows Setup 32-bit CD is required, as well as a burning CD-RW drive in order to record a password reset CD instead of the USB disk. To acquire a physical memory image of the target computer using Passware FireWire Memory Imager (used to recover BitLocker, TrueCrypt, PGP, MS Office encryption keys, as well as Windows and Mac user passwords), a FireWire cable is required. Both the target computer and the computer used for acquisition should have FireWire (IEEE 1394) ports. A USB flash drive for Passware FireWire Memory Imager should be 8 GB or more.
System Recommendations
The password calculation process depends to some extent on the processor speed. We recommend 1 GB RAM. Larger RAM does not make much difference to the password calculation process. Passware Kit supports network distributed password recovery, multi-CPU, and multi-core systems. To accelerate a password recovery process, Passware Kit uses both NVIDIA and ATI GPU cards, as well as Guidance Tableau TACC accelerator.
NOTE: The performance of NVIDIA cards depends on the version of the driver installed. The maximum password recovery speed on NVIDIA cards is achieved using driver GeForce 327.23. For AMD cards, we recommend using driver version 13.152 + OpenCL Driver version 10.0.1268.1.
Cost-efficient hardware: We recommend using Intel Core i5 processor or similar. The number of cores is more important than its frequency. To accelerate a password recovery process, use NVIDIA GeForce GTX (CUDA architecture) and AMD Radeon HD cards. AMD cards are cheaper than NVIDIA, providing the same or even higher performance. However, ATI cards are currently supported for password recovery only for Office 2007-2013 files, RAR and Zip archives, Mac Keychain files, Apple DMG images, and iTunes backups. Please note that GTX 5XX cards provide better acceleration than the latest 6XX ones. If you use GPU acceleration, pay attention to the corresponding cooling system and power supply unit, depending on the number of GPU cards.
Maximum performance: Maximum performance can be achieved by using Distributed Password Recovery. The more Passware Kit Agents you use, the better. We also recommend using the 64-bit versions of Passware Kit and Passware Kit Agent.
Recommendations for Passware Kit Server: Intel Core i7 processor or higher. No GPU. Disable the built-in Passware Kit Agent.
Recommendations for Passware Kit Agent: Intel Core i7 processor, with 4 cores or more. Two dual AMD Radeon HD 7990 cards. Corresponding cooling system. Corresponding power supply unit.
Passware Kit Frequently Asked Questions
The answers to these commonly asked questions can help you use the Passware Kit more efficiently. The answers refer to Passware's online Customer Support center.
1. How long does it take to recover a password?
2. What is Distributed Password Recovery and how do I use it?
3. Does your Distributed Password Recovery take advantage of remote GPUs or TACCs?
4. Why do I sometimes get random characters instead of the original password?
5. How much does it cost to update Passware product to the latest version?
6. Why is Passware Kit connecting to the Internet when I run Default Attacks to recover my password?
7. How do I reset the Administrator password on a different computer?
8. How can I transfer Passware Kit to another PC?
9. How do I uninstall Passware Kit?
10. Can Passware Kit recover passwords for multiple files simultaneously?
11. What models of GPU cards do you recommend for hardware acceleration?
12. I don't have any Windows 8/7, Server 2012/2008/2003, Vista, XP, or 2000 Setup CD. How do I use Passware Kit to reset a Windows Administrator password?
13. Passware Kit/Windows Key cannot find any Windows installations on my hard disk. What is wrong?
14. Does Passware Kit work with Hard Drive encryption?
15. Can the software decrypt a BitLocker or TrueCrypt drive that was not mounted when the memory dump was created?
16. Does the software support .e01 disk image files?
17. How do I use Passware Kit with Guidance EnCase?
18. Does Passware Kit support Macintosh?
19. How do I use a Portable Version?
20. What are the limitations of the demo version?
21. How difficult is it to recover my password and is hardware acceleration possible?
22. What are the terms of the end user license agreement for Passware software?
23. What bearing does Passware Kit have on Windows security?
Contact Passware Passware is dedicated to providing the best possible customer care. What do you want to do? Learn more about Passware and its products Contact Customer Support
More About Passware Who We Are Founded in 1998, Passware, Inc. is the worldwide leading maker of password recovery and decryption software for corporations, law enforcement and forensic agencies, help desk personnel, business and home users. Numerous federal, state, and local government agencies, Fortune 500 companies, and thousands of private users rely on Passware software products to ensure data availability in the event of lost passwords. A few of our customers include: Microsoft, Adobe, Apple, Intel, Hewlett-Packard, Deloitte, Ernst & Young, KPMG, PricewaterhouseCoopers, Department of Justice, US Senate, NASA, FDA, IRS, and many more.
Contacting Customer Support You can contact Passware customer support online at: http://www.lostpassword.com/support.
Non-customer Support Questions If you have other questions besides customer support, you can contact Passware by: Phone +1 (650) 472-3716 Fax +1 (650) 403-0718 Mail Passware Inc. 800 W El Camino Real, Ste 180 Mountain View, CA 94040 USA
Contact Customer Support To request customer support please follow the steps below: 1. Select Request Customer Support Online item from the Help menu 2. Enter all applicable information in the form 3. Click the 'Submit request' button
Tips The Online Customer Support is the fastest way to get support. The form is specifically designed to gather information necessary to handle customer inquiries most effectively. You can also contact Passware customer support by: Email csupport@lostpassword.com Fax +1 (650) 403-0718 Online http://www.lostpassword.com/support
SOFTWARE LICENSE AGREEMENT FOR PASSWARE SOFTWARE This Software License Agreement ("SLA") is a legal agreement between you (either an individual or a single entity) and Passware for the Passware software product identified above, which includes computer software and may include associated media, printed materials, and "online" or electronic documentation ("SOFTWARE PRODUCT"). By installing, copying, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this SLA. If you do not agree to the terms of this SLA, do not install or use the SOFTWARE PRODUCT; you may, however, return it to your place of purchase for a full refund.
SOFTWARE PRODUCT LICENSE The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold.
1. GRANT OF LICENSE This SLA grants you the following rights: Applications Software. You may install and use one copy of the SOFTWARE PRODUCT, or any prior version for the same operating system, on a single computer. The primary user of the computer on which the SOFTWARE PRODUCT is installed may make a second copy for his or her exclusive use on a portable computer. Storage/Network Use. You may also store or install a copy of the SOFTWARE PRODUCT on a storage device, such as a network server, used only to install or run the SOFTWARE PRODUCT on your other computers over an internal network; however, you must acquire and dedicate a license for each separate computer on which the SOFTWARE PRODUCT is installed or run from the storage device. A license for the SOFTWARE PRODUCT may not be shared or used concurrently on different computers. License Pack. If you have acquired this SLA in a Passware License Pack, you may make the number of additional copies of the computer software portion of the SOFTWARE PRODUCT accordingly to the number of licenses acquired (stated in receipt), and you may use each copy in the manner specified above. You are also entitled to make a corresponding number of secondary copies for portable computer use as specified above. Demo. If you have acquired this SLA with Passware SOFTWARE PRODUCT labeled as demo version of another Passware SOFTWARE PRODUCT, you are granted unlimited number of SLA's, and you may use unlimited number of copies in the manner specified above.
2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS Not for Resale Software. Notwithstanding other sections of this SLA, you may not resell, or otherwise transfer for value, the SOFTWARE PRODUCT. Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. Separation of Components. The SOFTWARE PRODUCT is licensed as a single product. Its component parts may not be separated for use on more than one computer. Rental. You may not rent, lease, or lend the SOFTWARE PRODUCT. Support Services. Passware may provide you with support services related to the SOFTWARE PRODUCT ("Support Services"). Use of Support Services is governed by the Passware policies and programs described in "online" documentation, and/or in other Passware-provided materials. Any supplemental software code provided to you as part of the Support Services shall be considered part of the SOFTWARE PRODUCT and subject to the terms and conditions of this SLA. With respect to technical information you provide to Passware as part of the Support Services, Passware may use such information for its business purposes, including for product support and development. Passware will not utilize such technical information in a form that personally identifies you. Software Transfer. You may permanently transfer all of your rights under this SLA, provided you retain no copies, you transfer all of the SOFTWARE PRODUCT (including all component parts, the media and printed materials, any upgrades, this SLA, and, if applicable, the Certificate of Authenticity), and the recipient agrees to the terms of this SLA. If the SOFTWARE PRODUCT is an upgrade, any transfer must include all prior versions of the SOFTWARE PRODUCT. Termination. 
Without prejudice to any other rights, Passware may terminate this SLA if you fail to comply with the terms and conditions of this SLA. In such event, you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.
3. INDEMNIFICATION You accept full legal responsibility for all password recovery performed through your use of the SOFTWARE PRODUCT. Password recovery and decryption of unauthorized or illegally obtained files or media may constitute theft and may result in your civil and criminal prosecution. You agree to hold harmless and indemnify Licensor for any and all demands, claims, legal action and damages, including all attorney's fees and costs, against Licensor which arise out of your use of the Program.
4. UPGRADES If the SOFTWARE PRODUCT is labeled as an upgrade, you must be properly licensed to use a product identified by Passware as being eligible for the upgrade in order to use the SOFTWARE PRODUCT. A SOFTWARE PRODUCT labeled as an upgrade replaces and/or supplements the product that formed the basis for your eligibility for the upgrade. You may use the resulting upgraded product only in accordance with the terms of this SLA. If the SOFTWARE PRODUCT is an upgrade of a component of a package of software programs that you licensed as a single product, the SOFTWARE PRODUCT may be used and transferred only as part of that single product package and may not be separated for use on more than one computer.
5. COPYRIGHT All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and "applets" incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by Passware or its suppliers. The SOFTWARE PRODUCT is protected by copyright laws and international treaty provisions. Therefore, you must treat the SOFTWARE PRODUCT like any other copyrighted material except that you may install the SOFTWARE PRODUCT on a single computer provided you keep the original solely for backup or archival purposes. You may not copy the printed materials accompanying the SOFTWARE PRODUCT.
6. DUAL-MEDIA SOFTWARE You may receive the SOFTWARE PRODUCT in more than one medium. Regardless of the type or size of medium you receive, you may use only one medium that is appropriate for your single computer. You may not use or install the other medium on another computer. You may not loan, rent, lease, or otherwise transfer the other medium to another user, except as part of the permanent transfer (as provided above) of the SOFTWARE PRODUCT. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PASSWARE AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, WITH REGARD TO THE SOFTWARE PRODUCT, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL PASSWARE OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT OR THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF PASSWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, PASSWARE'S ENTIRE LIABILITY UNDER ANY PROVISION OF THIS SLA SHALL BE LIMITED TO THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR THE SOFTWARE PRODUCT OR U.S.$5.00. BECAUSE SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
More About the Passware Kit The Passware Kit can reduce the time you spend recovering passwords, improves password recovery rates, and gives you more control over the password recovery process. It can recover all kinds of passwords for the world's most popular office application files, including Excel, Word, WinZip, Windows 2008/Vista/2003/XP, Internet Explorer, Firefox, Access, Outlook, Acrobat, QuickBooks, FileMaker, WordPerfect, VBA, Lotus Notes, ACT!, and more. The Passware Recovery Kit includes 30+ password recovery modules integrated in an all-in-one user interface. Advanced acceleration methods are used to recover difficult passwords. Instant online decryption is supported for MS Word and Excel files up to version 2007. The Passware Kit also includes Encryption Analyzer Professional, which can find password-protected files on your computer system -- either on a PC, or over the network.
Key Features
- All-in-one password recovery for 180+ file types
- Integrated Encryption Analyzer Pro scans computers for password-protected items
- Integrated Search Index Examiner retrieves electronic evidence from a Windows Desktop Search Database
- Resets passwords for Local and Domain Windows Administrators
- Instant online decryption of Word/Excel files (up to version 2003)
- Multi-core CPUs acceleration
- GPU acceleration for MS Office 2007 files
- Basic password recovery attacks: Dictionary, Xieve, Brute-force, Known Password/Part, Previous Passwords
- Password modifiers supported (casing, reverse words, etc.)
- Combination of attacks for passwords like "strong123password"
- Wizard for an easy setup of password recovery attacks
- MD5 hash values for forensic reports
What do you want to do? Quick Start Recover file password Recover Internet and network passwords Create a Windows password reset disk Search for protected files Recover hard drive password
Recovering a One-Dictionary-Word Password Specifying the Dictionary If you indicated that the password was one dictionary word, such as "administrator", "apple", "support", and "laptop", the next screen asks you to specify the language of the dictionary. Choose the appropriate dictionary and click Next. Specifying the Dictionary Attack Settings This screen enables you to fine-tune the attack settings, such as specifying a password length, any known parts, the casing, and whether it can be reversed. Complete this screen, and click Finish to display the results of the password recovery process.
NOTE: If you indicated your password was more than one dictionary word, an intermediate screen appears, asking how long the entire password is, how many parts there are, and if you know some settings (such as case or known parts) for each part. After you enter this information, the Dictionary Attack Settings screen appears for each part.
Recovering a Multiple-Dictionary-Word Password Specifying the Dictionary If you indicated that the password was more than one dictionary word, such as "bigapple", "securepassword", and "mycomputer", the next screen asks you to specify the language of the dictionary. Choose the appropriate dictionary and click Next. Specifying the Number of Words The next screen lets you optionally specify a length for the entire password, and asks you how many words the password contains. You can also indicate that you know some settings for each part, such as length and casing. NOTE: If you know the total password length, enable check-box "Set the password length". Otherwise, the program will set the total password length based on further information about password parts.
Complete this screen and click Next. NOTE: If you did not select any of the "I know settings..." checkboxes, there is no "Next" button - simply click Finish. Specifying the Dictionary Attack Settings If you indicated you know settings for any of the parts of the password, this screen enables you to fine-tune the attack settings (such as specifying a password length, any known parts, the casing, and whether it can be reversed) for each part. There is a separate screen for each part for which you know settings.
Complete this screen, and click Finish to display the results of the password recovery process.
Recovering a Password that Combines Dictionary Words and Letters, Numbers, and Symbols Specifying the Dictionary If you indicated that the password combined dictionary words with letters, numbers, and symbols, such as "weird&123", the next screen asks you to specify the language of the dictionary. Choose the appropriate dictionary and click Next. Specifying the Number of Dictionary Words On this screen, you can indicate how many dictionary words are in the password -- one or two.
Select the appropriate choice and click Next. Specifying the Password Structure This screen enables you to optionally enter the length for the entire password. It also asks you to choose the structure of the password, and to indicate whether you know settings (such as length or casing) of each part. Complete this screen and click Next. NOTE: If you did not select any of the "I know settings..." checkboxes, there is no "Next" button - simply click Finish.
Specifying the Dictionary Attack Settings If you indicated you know settings for any of the parts of the password, this screen enables you to fine-tune the attack settings (such as specifying a password length, any known parts, the casing, and whether it can be reversed) for each part. There is a separate screen for each part for which you know settings. Complete this screen, and click Finish to display the results of the password recovery process.
Recovering a Non-Dictionary-Word Password Specifying the Xieve Attack Settings If you indicated that the password was a non-dictionary word, such as "softool", "johnyboy", and "oopsy", the next screen asks you to provide more information, such as length, known parts, symbol set, and Xieve level (high, medium, or low). Complete this screen and click Finish to display the results of the password recovery process.
Recovering a Password with an Unknown Format Specifying the General Password Settings If you indicated that the password had an "Other" format, such as "qw3er5ty" and "03101980", the next screen asks you to specify the length of the password (optional) and the appropriate dictionary. NOTE: If you know the total password length, enable check-box "Set the password length". Otherwise, the program will set the total password length based on further information about password parts. Complete this screen and click Next. Specifying whether Part of the Password Resembles a Dictionary Word The next screen asks if part of the password looks like an English word, such as "softool". If it does, choose Yes. If not, choose No.
Now click Next. The screen that appears depends on your choice above. Specifying the Password Structure If you indicated that part of the password did resemble a dictionary word, the next screen lets you specify the structure for this part. (If you said no, it did not resemble a dictionary word, a different screen appears.) You can also indicate that you know some settings for the various parts of the password, such as length and casing. Complete this screen and click Next.
NOTE: If you know the total password length, enable the "Set the password length" check box. Otherwise, the program will set the total password length based on further information about password parts. NOTE: If you did not select any of the "I know settings..." checkboxes, there is no "Next" button - simply click Finish. Specifying the Attack Settings If you indicated you know settings for any of the parts of the password, this screen enables you to fine-tune the attack settings (such as specifying a password length, any known parts, the casing, and whether it can be reversed) for each part. There is a separate screen for each part for which you know settings. Complete this screen, and click Finish to display the results of the password recovery process. Specifying the Brute-force Attack Settings If, earlier, you indicated that no part of the password resembled a dictionary word, the brute-force attack settings screen appears.
Enter any known parts, and select the appropriate symbol set(s) and casing, and click Finish to display the results of the password recovery process.
Adding an Attack in the Attack Editor To add an attack to the attack list, first select the attack after which you want the new attack to appear. Clicking on an attack selects it. Now use one of the following methods to add an attack: Double-click on the attack in the Attack Tree in the right-hand pane. Select the attack by clicking on it, then click the red left-pointing arrow. Drag-and-drop an attack into the attack list. The attack is added to the attack list. What do you want to do? Remove an attack Rearrange Attacks Use Attack Modifiers Reset attack settings to their default values Sort attacks according to duration
Removing an Attack from the Attack List To remove an attack from the attack list, first select the attack that you want to remove. Clicking on an attack selects it. Now use one of the following methods to remove the attack: Select the attack by clicking on it, then click the Remove button at the top of the Attack Editor window. Select the attack by clicking on it, then click the red right-pointing arrow. Right-click on the attack, then click Remove in the resulting popup menu. The attack is removed from the attack list.
Removing All Attacks from the Attack List You can remove all attacks from the attack list by right-clicking anywhere in the attack list and then clicking Remove All in the resulting popup menu. Alternatively, click the down-arrow on the Remove button (at the top of the window), then click Remove All. What do you want to do? Add an attack Rearrange Attacks Use Attack Modifiers Reset attack settings to their default values Sort attacks according to duration
Rearranging Attacks in the Attack Editor You can move the attacks around in the Attack Editor's attack list. You can also copy one attack to another location in the list.
Moving Attacks in the Attack List To move an attack, first select the attack you want to move. Now click either the Move Up or Move Down buttons at the top of the Attack Editor window. You can also right-click on the attack, then click either Move Up or Move Down in the resulting popup menu. A third way to move attacks is by drag-and-drop. Simply select the attack you want to move, then drag it to its new location in the attack list.
Copying Attacks in the Attack List To copy an attack from one place in the attack list to another, follow these steps: 1. Right-click on the attack you want to copy. 2. Click Copy in the resulting popup menu. 3. Now right-click on the attack after which you want the copied attack to appear. 4. Click Paste in the resulting popup menu. NOTE: If you select Cut instead of Copy in the popup menu, the attack is moved, not copied. What do you want to do? Add an attack Remove an attack Use Attack Modifiers Reset attack settings to their default values Sort attacks according to duration
Using Attack Modifiers You can use attack modifiers to control the casing and reversal of the password attack. To add an attack modifier to the attack list, select the modifier in the list in the right-hand pane, then click the red left-pointing arrow. (Alternatively, simply double-click the modifier in the list.) The modifier is added to the attack list after the currently selected attack. You can also drag-and-drop an attack modifier onto the attack list. The following figure shows a modifier that has just been added to the attack list. Once you have added the attack modifier to the attack list, you must add a new attack to go with the modifier. What do you want to do? Add an attack Remove an attack Rearrange Attacks Reset attack settings to their default values Sort attacks according to duration
Resetting the Attack Editor to the Default Settings If you want to return the Attack Editor to its default list of attacks, click Reset to Defaults in the Actions area of the Attack Editor window. What do you want to do? Add an attack Remove an attack Rearrange Attacks Use Attack Modifiers Sort attacks according to duration
Loading and Saving Attacks in the Attack Editor You can export the password recovery attacks as an XML file, which can be recognized by other instances of Passware Kit. Click the Save Attacks link in the Actions pane and choose the directory in which to save the XML file. The current list of password recovery attacks and their settings will be saved on your computer. You can import the password recovery attacks from an existing XML file created by other instances of Passware Kit. Click the Load Attacks link in the Actions pane and choose the location of the XML file. The saved list of attacks and their settings will be loaded for the current password recovery process.
Sorting Attacks in the Attack List Some attacks take longer than others. To run the attacks in order of duration from shortest to longest, click the Sort by Duration button at the top of the Attack Editor window. What do you want to do? Add an attack Remove an attack Rearrange Attacks Use Attack Modifiers Reset attack settings to their default values
Printing a Report or Log To print a report or log, follow these steps: 1. Display the report or log you want to print. 2. Click the Print button at the top of the window. 3. Select the appropriate printer in the resulting Print dialog box. 4. Click Print in the Print dialog box.
Saving a Report or Log To save a report or log, follow these steps: 1. Display the report or log you want to save. 2. Click the Save Results button at the top of the window. 3. Specify the appropriate filename and location in the resulting Save As dialog box. 4. Click Save in the Save As dialog box.
Selecting the Files to Scan You can scan specific files -- from your entire computer system to one or two selected folders. You can also select the type of scan you want to use. A full scan includes scanning system folders, slow file types, encrypted containers and disk images, and calculating MD5 values. You can disable these options if you need a less complete, but much faster scan. What do you want to do? Choose scan type Choose what to scan After you have chosen the type of scan and the folders and/or drives to scan, start the scan by clicking the Start button on the toolbar.
Monitoring Scan Progress During a scan, Passware Kit keeps you up-to-date as to the progress of the scan in several ways: The Scan Progress area at the top of the main window displays a graphical progress bar, and lists time elapsed and time-to-completion. A sample Scan Progress area is shown here: The Status Bar, visible along the bottom of the window, gives a summary of the number of protected items found and the total number of items scanned. The Scan Status area of the window. A sample is shown here: NOTE: If you want, you can turn off the Status Bar. You can temporarily pause or cancel a scan at any time.
Saving the List You may find it useful to save a list of password-protected files on your computer. To save the scan results to a file: 1. Click Save List in the Actions area of the window. Alternatively, click the Save List button in the toolbar. 2. In the resulting Save As dialog box, navigate to the folder in which you want to save the file, and give it a file name, then click OK. NOTE: The default format of the list file is a tab-delimited text file, and the default name is PFOutputFile.txt. You can also save the file as a comma-delimited file (.csv) or XML (.xml) file, using the Save as type field of the Save As dialog box. CAUTION: If you save more than one scan result, be sure to give each saved list a unique name.
Accessing and Saving the Scan Log Passware Kit keeps a detailed log of the files it scans. You can access the log in two ways: Click the Scan Log tab at the bottom of the window, or click Skipped Items in the Last Scan area. In the scan log, you can see which files were skipped, the time they were scanned and other useful information. To save the scan log: 1. Click Save Log in the Last Scan area of the window. 2. In the resulting Save As dialog box, navigate to the folder in which you want to save the file, and give it a file name, then click OK. NOTE: The default format of the scan log file is a tab-delimited text file, and the default name is LogOutputFile.txt. You can also save the file as a comma-delimited file (.csv) or XML (.xml) file, using the Save as type field of the Save As dialog box. CAUTION: If you save more than one scan log, be sure to give each saved log a unique name.
Choosing What to Scan You can limit your scan to a single drive or folder, or scan your entire computer system.
Using the Where to Scan Area to Select Files Select one of the four options in the Where to Scan area. If you select Selected Drives and Folders, a list of drives and folders appears. Use the + icons next to the drives and folders to expand them as necessary; click each drive or folder you want to scan. NOTE: Selecting a folder in the list automatically selects all subfolders of that folder; you can deselect individual subfolders if you want. NOTE: The settings you choose in the Where to Scan area are saved when you exit the program, and are in effect the next time you launch the program. NOTE: You can also drag-and-drop folders into the main window for scanning. For this type of scan, only the Recommended scan type is used.
Starting the Scan If you have finished selecting the scan type and what to scan, you are ready to start the scan by clicking the Start button on the toolbar (not necessary if you drag-and-dropped files).
Turning the Status Bar On and Off The Status Bar appears by default at the bottom of the window, displaying various status messages associated with scan progress. You can turn the Status Bar off by clicking Status Bar in the View menu. Clicking Status Bar again toggles the Status Bar back on, and a check mark appears next to the menu selection to indicate the Status Bar is active.
Working with Selected Files in the Scan Results Once a scan is complete and the scan results appear, you can choose several actions for selected files.
Selecting a File in the List To select a single file, click on it in the file list. To select several files in the file list at once, use SHIFT-click and Ctrl+click. To select all files, click Select All in the View menu. To invert the selection, click Invert Selection in the View menu. Details for a single selected file, including file name, type, and size, appear in the Details area, a sample of which is shown here: If more than one file is selected, the Details section displays how many items are selected and how much total disk space they occupy. Now that you have selected the file(s), what do you want to do? Open a file Open the folder containing the file Copy files to another folder Move files to another folder Recover password
Customizing the Scan Results Display You can adjust the information displayed by the scan results with a few mouse clicks. What do you want to do? Hide selected files Rearrange files Turn off the status bar
Resetting the Password Once you have created the password reset CD or USB disk and burned the image, you are ready to reset the password by following these steps: 1. Reboot the locked PC with the Password Reset CD or USB disk. 2. The Windows Setup process starts. 3. After all the required files are loaded from the bootable CD/USB, Passware Kit starts working. It displays your license info. 4. Select the Windows installation to be unlocked. 5. Passware Kit asks: "Undo Passware Kit changes? (Y/N)". Type N if you want to reset the password. Type Y if you want to leave the original passwords and cancel the program changes.
6. Select the account for which you want to reset the password. 7. Passware Kit asks: "Reset 'account_name' password? (Y/N)". Type Y to reset the password. Type N to leave the original password. 8. Passware Kit asks: "Reset password for another account? (Y/N)". Type Y to reset a password for another account. Type N if you are finished and want to exit Passware Kit. 9. Remove the Passware Kit bootable disk and restart your PC. Now you are able to log into your computer without a password!
Scanning Files Using Drag-and-Drop If you prefer, you can drag and drop the files that you want to scan. 1. Resize your application windows so that you can see both Windows Explorer and Passware Kit on your screen. 2. In Windows Explorer, select the folders you want to scan. 3. Drag them, using the mouse, and release them over the Passware Kit window. When you release the files, a dialog box appears, asking if you want to start the scan for the selected files. Click OK to start the scan, or Cancel. NOTE: When you drag-and-drop files to scan, the scan type defaults to Recommended. You cannot run a Fast or Full scan on drag-and-dropped files.
Opening a File To open a file shown in the scan results file list: 1. Select the file in the list. 2. Click Open in the File menu. Of course, to open a file, you must know the password that protects the file. Use the Passware Recovery Kit to recover lost passwords.
Opening a Folder from the Scan Results To open the folder that contains a file selected in the scan results: 1. Select the file in the results list. 2. Click Open Containing Folder in the File menu. This opens a new instance of Windows Explorer, showing the entire contents of the folder that contains the selected file.
Copying Files from the Scan Results To copy one or more files shown in the scan results file list to another location: 1. Select the file(s) in the list. 2. Click Copy to Folder in the Actions area (top-left corner of the window). 3. In the Browse for Folder dialog box, navigate to the appropriate folder, then click OK. A sample Browse for Folder dialog box is shown below: NOTE: You can use the Make New Folder button in the Browse for Folder dialog box to create a new folder in which to copy the file(s). The new folder is named New Folder, and is added to the My Documents folder. Subsequent new folders are named New Folder (2), and so on.
Moving Files from the Scan Results To move one or more files shown in the scan results file list to another location: 1. Select the file(s) in the list. 2. Click Move to Folder from the File menu. 3. In the Browse for Folder dialog box, navigate to the appropriate folder, then click OK. NOTE: You can use the Make New Folder button in the Browse for Folder dialog box to create a new folder in which to move the file(s). The new folder is named New Folder, and is added to the My Documents folder. Subsequent new folders are named New Folder (2), and so on.
Hiding Selected Files in the Scan Results After you have selected one or more files in the scan results, you can hide those files by clicking Hide Selected Files in the File menu. These files no longer appear in the current file list. CAUTION: Once you hide files from the file list, you cannot redisplay them. Use this feature with care.
Rearranging and Sorting Files in the Scan Results By default, the files in the scan results are arranged in alphabetical order by the folder in which they were found during the scan. After the scan is complete, you can rearrange and sort the list.
Rearranging the List Rearrange the list by clicking Arrange By in the View menu. Several choices are offered in the submenu: Name Protection Level Folder Size Date
Sorting the List By default, the list is sorted in ascending alphabetical order by folder. You can change the sort order by clicking on a column name in the scan results, such as File Name, Folder, Unprotection, File Type, or Document Type. The sort order, ascending or descending, is indicated by an up or down arrow in the column heading. Clicking the heading again toggles between ascending and descending sort order.
Burning a Password Reset CD Image NOTE: To create a Windows password reset CD, a CD-ROM drive capable of burning is required. Once you have created the password reset ISO image, follow these steps to burn it on a CD: 1. Select I have a WindowsKey.ISO image. Burn it on a CD. Make sure the Pick up the existing password reset WindowsKey.ISO image field contains the location of your WindowsKey.ISO file. Click Next. 2. The following screen appears:
Select CD/DVD and specify the CD burning drive from the pull-down list. Insert a blank CD/DVD disk into the CD-ROM drive. Click Next. 3. The burning process starts. Passware Password Recovery Kit extracts the ISO image and copies the necessary files to a CD. 4. The Windows Key password reset CD is now ready.
Now that you have created the Windows password reset CD, you are ready to reset the password on the locked computer.