Password recovery in forensics is not the villainous activity of fiction. It is a routine part of getting at data the client already owns, on devices and archives the client already controls, under an instruction that authorises the work.
How it actually works
- Dictionary attacks using human patterns, augmented by information known about the account holder.
- Rule based transformations of likely candidates.
- GPU accelerated brute force against the hash, where the format allows.
- Exploitation of known weaknesses in older container or backup formats.
What clients should understand
Modern strong passwords on modern hardware backed encryption may be unrecoverable within any sensible time. Older encrypted archives, weak passwords, and reused credentials from the client's own history are usually cracked quickly. A five minute conversation with the client at intake often makes the difference.

