Adventures in the Underland: The CQForensic Toolkit as a Unique Weapon Against Hackers

Conference: BlackHat USA 2019

The presentation discusses the CQURE forensic toolkit (CQForensic) and the individual tools it provides for forensic work. The toolkit includes tools for decrypting stored data, specifically Data Protection API (DPAPI) secrets. The presentation also emphasizes the importance of sharing knowledge and tools for free.
  • The CQURE forensic toolkit includes various tools for forensics
  • The toolkit includes tools for decrypting data, specifically DPAPI secrets
  • Sharing knowledge and tools for free is important
The presenter shares a story about a social engineering project in Switzerland where she used tailgating to get into a building. She then leveraged her knowledge of DPAPI to decrypt data and gain access to the key path database.


Best practices come out when true experts' experience meets the power of science! Let's face it: hackers' creativity has no end. What is more, people, the most valuable resource, are not always aware of the level of security in their companies, the possible points of entry, how operating systems are attacked, and how to protect the infrastructure from successful attacks which are, in some cases, triggered by configuration mistakes. A secure infrastructure configuration should be the most important line of defense in every organization. Although hackers often win the race, your OS is not defenseless!

This session is based on CQTools; several of them are the result of discoveries made by the CQURE Team! Some took years to complete, and all of them work in a straightforward manner. CQTools is the ultimate toolkit to have when delivering penetration tests: the tools are simple to use, and we use them in practice during our cybersecurity projects. Furthermore, Paula and the CQURE Team made a world-first DPAPI discovery: they reverse-engineered the mechanism and can now tell you exactly how it works and whether it is safe.

During the session, participants could also hear about 2 great discoveries CQURE made. The first is how to decrypt DPAPI-protected data by leveraging the private key stored as an LSA Secret on a domain controller. The second is a way to decrypt SID-protected PFX files without access to the user's password, just by generating the SID and the user's token.

Attendees become familiar with the completely unique CQForensic toolkit, which can build an attack timeline, extract information from the USN journal, recover files (also from the MFT), decrypt users' and the system's stored secrets such as encrypted data, extract information from Prefetch and from the Remote Desktop session cache, and extract information from the configuration of tools used for administration.

Beware: extremely technical and detailed session!