When you find a password-protected Zip/rar file in the evidence, you may try a dictionary attack, a brute-force attack, or rainbow tables. Usually those attacks take a very, very long time and end in failure. What do you do then? Allow me to remind you that there is still one thing you can do: a "known plaintext attack".
What is a "known plaintext attack"? Let's say you use a Zip/rar archiver to archive some files and set a password to protect the archive. The files in this archive now have something in common: the "key" generated when archiving.
So we can assume that some of the files in that password-protected Zip/rar file are still on the hard drive. All we need is one of those files to start a known plaintext attack. Some might say, "I don't know which file is one of them." Fine: all you need to do is gather some documents/pictures that have something to do with our suspect. Use the same Zip/rar archiver, of course the same version and the same method, to archive the files you gathered from the suspect's hard drive. Remember: do not set a password!!!
We now have both files: the password-protected Zip/rar file, and the other Zip/rar file with no password protection. Now you can understand why the "known plaintext attack" works: all we have to do is compare these two archive files, and then we can get the key that was generated in the first place.
You could use Passware Kit or Advanced Archive Password Recovery to carry out the known plaintext attack. You'll be very surprised at how fast it is. It won't take long before you see the result on the screen. To everybody's surprise, it takes only one minute and forty-two seconds.
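One way to answer the "which file is one of them?" question above, as an added example that is not part of the original post: a ZIP archive stores each entry's CRC-32 and uncompressed size in the clear, so files gathered from the drive can be matched against the protected archive without the password. The function names and sample data are constructed for illustration, and the sketch covers ZIP only, not RAR.

```python
import io
import zipfile
import zlib


def find_known_plaintext(archive, candidates):
    """Match encrypted ZIP entries to candidate files by CRC-32 and size.

    candidates maps a label (e.g. a path on the examined drive) to the
    file's bytes. No password is needed: the ZIP central directory keeps
    each entry's CRC-32 and uncompressed size in the clear.
    """
    index = {}
    for label, data in candidates.items():
        key = (zlib.crc32(data) & 0xFFFFFFFF, len(data))
        index.setdefault(key, []).append(label)
    matches = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:  # bit 0 set = entry is encrypted
                continue
            for label in index.get((info.CRC, info.file_size), []):
                matches.append((info.filename, label))
    return matches


def build_sample(files):
    """Constructed sample: a ZIP whose central directory flags every entry
    as encrypted. The data is not really encrypted; only metadata is read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")  # central directory header signature
    while pos != -1:
        raw[pos + 8] |= 0x01  # general-purpose flag, bit 0
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return io.BytesIO(bytes(raw))


if __name__ == "__main__":
    archived = {"plan.txt": b"meet at dock 7\n" * 40, "notes.txt": b"x" * 64}
    on_disk = {"docs/plan.txt": archived["plan.txt"], "docs/misc.txt": b"n/a\n"}
    for entry, path in find_known_plaintext(build_sample(archived), on_disk):
        print(f"{entry} matches {path}")
```

A match tells you which file to archive without a password, with the same archiver, version and method, before handing both archives to the recovery tool.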
Next time you find password-protected zip/rar files in the evidence, don't forget the "known plaintext attack"!!!