Description
$599
New features
VeraCrypt Encryption
VeraCrypt is the most popular successor to the open-source disk
encryption tool TrueCrypt. Compared to the original, VeraCrypt supports a
wider range of encryption methods and hash algorithms. In this update,
Elcomsoft Forensic Disk Decryptor receives full support for VeraCrypt
volumes: experts can extract the hash data from a VeraCrypt container
and launch brute-force or smart dictionary attacks on it with Elcomsoft
Distributed Password Recovery.
A Fully Integrated Solution for Accessing Encrypted Volumes
Elcomsoft Forensic Disk Decryptor offers all available methods for
gaining access to information stored in encrypted BitLocker, FileVault
2, PGP, TrueCrypt and VeraCrypt disks and volumes. The toolkit allows
using the volume’s plain-text password, escrow or recovery keys, as well
as the binary keys extracted from the computer’s memory image or
hibernation file. FileVault 2 recovery keys can be extracted from iCloud
with Elcomsoft Phone Breaker, while BitLocker recovery keys are
available in Active Directory or in the user’s Microsoft Account.
If neither the encryption key nor the recovery key can be extracted,
EFDD can extract the metadata from the encrypted container that Elcomsoft Distributed Password Recovery needs to attack the password.
Full Decryption, Instant Mount or Attack
With fully automatic detection of encrypted volumes and encryption
settings, experts only need to provide the path to the encrypted
container or disk image. Elcomsoft Forensic Disk Decryptor will
automatically search for, identify and display encrypted volumes and
the details of their corresponding encryption settings.
Access is provided by either decrypting the entire content of an
encrypted volume or by mounting the volume as a drive letter in
unlocked, unencrypted mode. Both operations can be done with volumes as
attached disks (physical or logical) or raw images; for FileVault 2, PGP
and BitLocker, decryption and mounting can be performed using recovery
key (if available).
Full Decryption
Elcomsoft Forensic Disk Decryptor can automatically decrypt the
entire content of the encrypted container, providing investigators with
full, unrestricted access to all information stored on encrypted volumes.
Real-Time Access to Encrypted Information
In the real-time mode, Elcomsoft Forensic Disk Decryptor mounts the
encrypted volume as a new drive letter on the investigator's PC. In this
mode, forensic specialists enjoy fast, real-time access to protected
information: data read from the mounted disks and volumes is
decrypted on the fly.
No Decryption Key and No Recovery Key?
If neither the decryption key nor the recovery key is available,
Elcomsoft Forensic Disk Decryptor will extract metadata necessary to
brute-force the password with Elcomsoft Distributed Password Recovery.
Elcomsoft Distributed Password Recovery can
attack plain-text passwords protecting the encrypted containers with a
range of advanced attacks including dictionary, mask and permutation
attacks in addition to brute-force.
Sources of Encryption Keys
Elcomsoft Forensic Disk Decryptor needs the original encryption keys
in order to access protected information stored in crypto containers.
The encryption keys can be extracted from hibernation files or memory
dump files acquired while the encrypted volume was mounted. There are
three ways to acquire the original encryption keys:
- By analyzing the hibernation file (if the PC being analyzed is turned off);
- By analyzing a memory dump file. A memory dump of a running PC can be captured with the built-in RAM imaging tool;
- By performing a FireWire (DMA) attack (the PC being analyzed must be running
with the encrypted volumes mounted). A free third-party tool launched on the investigator's
PC is required to perform the FireWire attack (e.g. Inception).
FileVault 2, PGP and BitLocker volumes can be decrypted or mounted by using the escrow key (Recovery Key).
All Features and Benefits
ElcomSoft offers investigators a fast,
easy way to access encrypted information stored in crypto containers
created by BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt.
There are three different methods for acquiring the decryption keys.
Which one to use depends on the running state of the PC being analyzed
and on whether or not a forensic tool can be installed on the PC under
investigation.
If the PC being investigated is turned off, the
encryption keys may be retrieved from the hibernation file. The
encrypted volume must have been mounted at the moment the computer
hibernated: if the volume was dismounted before hibernation, its
encryption keys will not be present in the hibernation file.
If the PC is turned on, a memory dump can be
captured with a built-in memory imaging tool if installing such a tool
is permitted (e.g. the PC is unlocked and the currently logged-in
account has administrative privileges). The encrypted volume must be
mounted at the time of acquisition.
Finally, if the PC being investigated is turned on but installing forensic tools is not possible
(e.g. the PC is locked or the logged-in account lacks administrative
privileges), a DMA attack via a FireWire port can be performed in order
to obtain a memory dump. This attack requires a free
third-party tool (such as Inception: https://www.breaknenter.org/projects/inception/)
and is highly effective because the FireWire (IEEE 1394) protocol gives a
connected device direct access to the host's memory; it only works on
systems that do not block DMA over the port. Both the target PC and the
computer used for acquisition must have FireWire (IEEE 1394) ports.
Once the original encryption keys are acquired, Elcomsoft Forensic
Disk Decryptor stores the keys for future access, and offers an option
to either decrypt the entire content of encrypted container or mount the
protected disk as another drive letter for real-time access.
Elcomsoft Forensic Disk Decryptor works
with encrypted volumes created by current versions of BitLocker,
FileVault 2, PGP, VeraCrypt and TrueCrypt, including removable and flash
storage media encrypted with BitLocker To Go. It supports PGP-encrypted
containers and full disk encryption, as well as VeraCrypt and TrueCrypt system and
hidden disks.
System requirements
- Windows 7 (32-bit and 64-bit), Windows 8, Windows 8.1, Windows 10
- Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows Server 2016
- Approximately 8 MB of free space on the hard disk
- Administrator privileges (to create a memory dump)
- Memory image or hibernation file containing disk encryption keys
(created while the encrypted disk was mounted), or an escrow/recovery key
(FileVault 2, BitLocker or PGP), or the password
Trial limitations
The free trial version of EFDD does not save the encryption
keys; in decryption/mount mode it only verifies that the
key(s) are valid, but does not actually decrypt or mount the disks.
Release notes
Elcomsoft Forensic Disk Decryptor v.2.12.787
27 May, 2020
- show the file system (NTFS, FAT32, exFAT, ReFS, HFS+, APFS)
- unload the kernel driver after a memory dump
- added VeraCrypt support for GPT partitions
- improved error handling during memory dumps
- improved UI/UX
- some minor bug fixes
Uninstallation
To uninstall the product, follow the standard
procedure via Control Panel – Programs and Features, or use the
corresponding Uninstall link in the product's folder in the Windows
Start menu.