Authors: SU Zaitian, GUO Hong, WANG Xin, WU Shaohua[1], WU Shixiong[1] (Xiamen Meiya Pico Information Co., Ltd., Xiamen 361008, China; Shanghai Forensic Service Platform, Key Laboratory of Forensic Science, Ministry of Justice, Academy of Forensic Science, Shanghai 200063, China)
Affiliations: [1] Xiamen Meiya Pico Information Co., Ltd., Xiamen 361008, Fujian, China; [2] Shanghai Forensic Service Platform, Key Laboratory of Forensic Science, Ministry of Justice, Academy of Forensic Science, Shanghai 200063, China
Source: Chinese Journal of Forensic Sciences (《中国司法鉴定》), 2021, No. 2, pp. 50-56 (7 pages)
Funding: 13th Five-Year National Key Research and Development Program of China (2017YFC0803805); Academy of Forensic Science technical research project (GY2019G-2); Shanghai Forensic Service Platform funded project (19DZ2292700).
Abstract:
Objective: In electronic data forensics, the encryption and decryption of data is often a focus for forensic examiners. The Data Protection API (DPAPI), the data protection interface provided by Windows, is widely used and currently serves mainly to protect encrypted data. Its defining characteristic is that encryption and decryption must be performed on the same computer: key generation, use and management are handled internally by Windows, so DPAPI-encrypted data cannot be decrypted once the computer is replaced. By analysing the DPAPI encryption mechanism, this study aims to decrypt DPAPI-encrypted data held in the Windows system storage area offline.
Methods: Through in-depth study of the DPAPI encryption and decryption workflows on several operating systems, including Windows XP, Windows 7 and Windows 10, it was determined that offline decryption of data in the system storage area depends mainly on the system's registry files and master key files.
Results: Using the reconstructed decryption workflow and algorithms together with the system's registry files and master key files, DPAPI-encrypted data can be decrypted normally.
Conclusion: The method achieves offline decryption of DPAPI-encrypted data in the Windows system storage area.
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]