Elcomsoft Forensic Disk Decryptor Keygen 59


Olegario Benford

Jul 10, 2024, 1:26:54 PM
to zesanrafest

This new workflow is especially handy when analyzing ultrabooks, laptops and 2-in-1 Windows tablet devices such as the Microsoft Surface range featuring non-removable, soldered storage or non-standard media. With just a few clicks (literally), experts can extract all information required to launch the attack on encrypted volumes.

Crypto-containers are designed to withstand brute-force attacks on their passwords. Moreover, some full-disk encryption methods do not employ a password at all (for example, BitLocker Device Encryption, the most common encryption method for 2-in-1 devices and ultra-thin laptops such as the Microsoft Surface range).




The traditional acquisition approach requires disassembling the computer, removing and imaging all of its storage devices. However, all one really needs to start the attack on the password of an encrypted volume is a few kilobytes worth of encryption metadata. The metadata can be extracted significantly faster without removing the hard drives.

Since TrueCrypt and VeraCrypt containers use similar formats, there is no way for us to tell them apart. Unfortunately, the two tools differ when it comes to breaking encryption, so you must specify the correct tool before you can launch a password attack.

Elcomsoft System Recovery does not allow you to magically break into encrypted disk volumes. Instead, the tool offers a faster alternative workflow that lets you quickly extract information that may allow you to extract on-the-fly encryption keys or launch a password attack sooner than you would by employing the traditional approach.

Elcomsoft Forensic Disk Decryptor offers forensic specialists an easy way to obtain complete real-time access to information stored in popular crypto containers. Supporting desktop and portable versions of BitLocker, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt protection, the tool can decrypt all files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.

Reset passwords to local Windows accounts and Microsoft Account and perform a wide range of administrative tasks. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery, and create forensic disk images. Elcomsoft System Recovery is ready to boot thanks to the licensed Windows PE environment, allowing administrators to access locked computers.

Elcomsoft Forensic Disk Decryptor 2.17 receives an update, adding support for BitLocker-encrypted disks in systems running the latest Windows 10 Feature Update (20H2). The new release provides the ability to create forensic RAM images of computers running the latest version of Windows, search for BitLocker encryption keys and decrypt or mount protected disks without the need for lengthy attacks.

Using memory images dumped by the extraction tool, Elcomsoft Forensic Disk Decryptor can obtain cryptographic keys for decrypting data stored in a wide range of encrypted containers without running a lengthy attack on the original plain-text password.

Instantly access data stored in encrypted BitLocker, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt disks and containers. The tool extracts cryptographic keys from RAM captures, hibernation and page files, or uses the plain-text password or escrow keys, to decrypt files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.

TrueCrypt and VeraCrypt allow users to change the encryption algorithm as well as the hash function used to generate the encryption key from the password. This information is never stored anywhere in the encrypted container. Should the expert specify the wrong algorithm, the attempt to recover the password will fail even if the correct password is tried. In this release, we've added the ability to specify algorithms for brute-forcing passwords when capturing encryption metadata from TrueCrypt/VeraCrypt volumes.

Extracting encryption metadata from the encrypted disk is required if you need access to the original plaintext password to access the data. Forensic Disk Decryptor will instantly extract the encryption metadata from encrypted hard drives, crypto-containers and forensic disk images protected with TrueCrypt, VeraCrypt, BitLocker, FileVault, PGP Disk, LUKS/LUKS2, and Jetico BestCrypt disks and containers. The resulting small file contains everything that's required to launch a GPU-accelerated distributed attack with Elcomsoft Distributed Password Recovery.

With fully automatic detection of encrypted volumes and encryption settings, experts will only need to provide the path to the encrypted container or disk image. Elcomsoft Forensic Disk Decryptor will automatically search for, identify and display encrypted volumes and details of their corresponding encryption settings.

Access is provided by either decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode. Both operations can be done with volumes as attached disks (physical or logical) or raw images; for FileVault 2, PGP Disk and BitLocker, decryption and mounting can be performed using the recovery key (if available).

Elcomsoft Forensic Disk Decryptor can automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to all information stored on encrypted volumes.

If neither the decryption key nor the recovery key is available, Elcomsoft Forensic Disk Decryptor will extract metadata necessary to brute-force the password with Elcomsoft Distributed Password Recovery.

Elcomsoft Distributed Password Recovery can attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be extracted from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:

Multiple Windows, Linux and macOS full-disk encryption tools are supported including TrueCrypt/VeraCrypt, all versions of Microsoft BitLocker, PGP WDE, FileVault2, BestCrypt and LUKS. The tool must be launched with administrative privileges on the live system being analyzed. If an encrypted volume is detected, a further investigation of a live system might be needed to preserve evidence that could be lost if the computer were powered off.

There are at least three different methods for acquiring the decryption keys. The choice of one of the three methods depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.

If the PC being investigated is turned off, the encryption keys may be retrieved from the hibernation file. The encrypted volume must have been mounted before the computer went to sleep. If the volume was dismounted before hibernation, the encryption keys may not be derived from the hibernation file.

If the PC is turned on, a memory dump can be captured with a built-in memory imaging tool if installing such a tool is permitted (e.g. the PC is unlocked and the currently logged-in account has administrative privileges). The encrypted volume must be mounted at the time of acquisition.

Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or the logged-in account lacks administrative privileges), a DMA attack via a FireWire port can be performed in order to obtain a memory dump. This attack requires the use of a free third-party tool (such as Inception), and offers near 100% results due to the implementation of the FireWire protocol that enables direct memory access. Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.

Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of encrypted container or mount the protected disk as another drive letter for real-time access.

Elcomsoft Forensic Disk Decryptor works with encrypted volumes created by current versions of BitLocker, FileVault 2, LUKS/LUKS2, PGP Disk, VeraCrypt and TrueCrypt, including removable and flash storage media encrypted with BitLocker To Go. Supports PGP Disk encrypted containers and full disk encryption, VeraCrypt and TrueCrypt system and hidden disks, and Jetico BestCrypt 9 containers.

Uninstallation procedure: in order to uninstall the product, follow the standard procedure via Control Panel - Programs and features or use the corresponding Uninstall link from the product's folder in the Windows Start menu.

BitLocker is one of the most advanced and most commonly used volume encryption solutions. BitLocker is a well-studied and extensively documented solution with few known vulnerabilities and a limited number of possible vectors of attack. BitLocker volumes may be protected with one or more protectors such as the hardware-bound TPM, user-selectable password, USB key, or a combination thereof. Attacking the password is only possible in one of these cases, while other protectors require a very different set of attacks. Learn how to approach BitLocker volumes depending on the type of protector.

According to Microsoft, raw data is encrypted with the full volume encryption key (FVEK), which is then encrypted with the volume master key (VMK). The volume master key is in turn encrypted by one of several possible methods depending on the chosen authentication type (that is, key protectors or TPM) and recovery scenarios.
