Elcomsoft Forensic Disk Decryptor

Sale price: €699,00 EUR

Tax excluded. Shipping calculated at checkout


Supported software

Encrypted archives from BitLocker (including TPM configurations), FileVault 2 (including APFS volumes), LUKS, PGP Disk, TrueCrypt and VeraCrypt; full disk encryption; BitLocker To Go; XTS-AES BitLocker encryption; Jetico BestCrypt; RAM dumps; and hibernation and swap files.

Advantages of the Elcomsoft Forensic Disk Decryptor

Fully integrated solution for accessing encrypted volumes

Elcomsoft Forensic Disk Decryptor offers all possible methods to gain access to data in encrypted BitLocker, FileVault 2, LUKS, LUKS2, PGP Disk, TrueCrypt and VeraCrypt disks and Jetico BestCrypt 9 containers. The tool uses plaintext passwords, escrow or recovery keys, as well as the binary keys extracted from the computer's memory dump. FileVault 2 recovery keys can be extracted from iCloud using Elcomsoft Phone Breaker, while BitLocker recovery keys are available in the user's Active Directory or Microsoft account.

If neither the encryption key nor the recovery key can be extracted, EFDD can extract metadata from the encrypted container so that [Elcomsoft Distributed Password Recovery](https://www.elcomsoft.com/edpr.html) can attempt to recover the original password.

Extracting encryption metadata

Extracting encryption metadata from an encrypted disk is necessary when the data can only be accessed by recovering the original plaintext password. Forensic Disk Decryptor instantly extracts encryption metadata from encrypted disks, crypto containers and forensic disk images protected with TrueCrypt, VeraCrypt, BitLocker, FileVault, PGP Disk, LUKS/LUKS2 or Jetico BestCrypt. The resulting small file contains everything needed to launch a GPU-accelerated distributed attack using Elcomsoft Distributed Password Recovery.

Full Decryption, Instant Mount or Attack

Thanks to fully automatic detection of encrypted containers and encryption algorithms, experts only need to specify the path to the encrypted container or disk image. Elcomsoft Forensic Disk Decryptor will automatically detect and display encrypted volumes and details of their encryption algorithms.

Access is provided either by decrypting the entire contents of an encrypted disk or by mounting the disk under a drive letter in unencrypted mode. Both operations can be performed using volumes as attached disks (physical or logical) or RAW images; for FileVault 2, PGP and BitLocker, decryption and mounting can be performed using the recovery key (if available).

Complete decryption

During a full decryption, Elcomsoft Forensic Disk Decryptor will automatically decrypt the entire contents of an encrypted container, providing the investigator with full, unrestricted access to absolutely all information on the encrypted disk.

Real-time access to encrypted information

In real-time mode, Elcomsoft Forensic Disk Decryptor can mount the encrypted disk as a new drive. In this mode, forensic investigators enjoy convenient access to the protected information. The data is decrypted in real time.

No decryption key and no recovery key?

If neither the decryption key nor the recovery key is available, Elcomsoft Forensic Disk Decryptor extracts metadata required to recover the password using Elcomsoft Distributed Password Recovery.

Another program, Elcomsoft Distributed Password Recovery, enables an attack on the plaintext passwords protecting crypto archives using advanced word list attacks, including masks, permutations, and brute force.

Sources of encryption keys

Elcomsoft Forensic Disk Decryptor needs the original keys to access protected data in crypto archives. These keys can be read from hibernation files or memory dumps created while the encrypted disk was mounted. There are three ways to get these keys:

  • By analyzing the hibernation file (when the analyzed PC is turned off).
  • By analyzing a memory dump. A memory dump of a running PC can be captured using the built-in RAM imaging tool.
  • Through a FireWire attack (the encrypted disk must be mounted while the PC is running). A free tool (e.g. Inception) must be running on the investigator's PC so that the FireWire attack can be carried out.

FileVault 2, PGP or BitLocker volumes can be mounted and decrypted using escrow keys (recovery keys).

Access to data in the most popular crypto archives

ElcomSoft provides forensic experts with a quick, easy way to access encrypted data stored on a variety of encrypted disks.

Obtaining the keys

There are at least three different methods for obtaining decryption keys. The choice of one of the three methods depends on the operating status of the computer being analyzed. It is also important whether it is possible to install a forensic tool on the PC being examined.

When the analyzed PC is turned off, the keys should be extracted from the hibernation file. The encrypted disk must be mounted before the computer is hibernated. If the disk was already unmounted before hibernation, the keys cannot be recovered from the hibernation file.

When the PC is turned on, a memory dump can be captured using a built-in memory imaging tool if the installation of such a tool is possible (e.g. if the PC is unlocked and the currently logged-in user account has administrator rights). The encrypted disk must be mounted at the time of access.

Finally, if the PC being examined is switched on, but the installation of a forensic tool is impossible (e.g. if the PC is locked or lacks administrator rights), a DMA attack can be performed through a FireWire port to obtain a memory dump. This attack requires the use of a free third-party tool (such as Inception: http://www.breaknenter.org/projects/inception/) and offers almost guaranteed success by using the FireWire protocol, which allows direct memory access. Both the target PC and the computer used for memory dump capture must have FireWire (IEEE 1394) ports.

After the original keys are acquired, Elcomsoft Forensic Disk Decryptor stores all these keys for future access and provides an opportunity to either decrypt the entire contents of the encrypted archives or mount the protected disk under a different drive letter for real-time access.

Supported encryption tools

Elcomsoft Forensic Disk Decryptor supports FileVault 2, BitLocker, LUKS/LUKS2, PGP disk encryption, VeraCrypt and TrueCrypt, including removable drives and flash storage media encrypted with BitLocker To Go. EFDD supports PGP Disk encrypted archives and full disk encryption, VeraCrypt and TrueCrypt system drives and hidden containers, and Jetico BestCrypt 9 containers.