Elcomsoft Forensic Disk Decryptor

Elcomsoft Forensic Disk Decryptor offers forensic specialists an easy way to obtain complete real-time access to information stored in popular crypto containers. Supporting desktop and portable versions of BitLocker, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt protection, the tool can decrypt all files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.

$599.00

Description

Instantly access data stored in encrypted BitLocker, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt disks and containers. The tool extracts cryptographic keys from RAM captures, hibernation and page files, or uses plain-text passwords or escrow keys, to decrypt files and folders stored in crypto containers or to mount encrypted volumes as new drive letters for instant, real-time access.

  • Decrypt BitLocker, BitLocker To Go, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt volumes and containers
  • Extract cryptographic keys from RAM captures, hibernation and page files, escrow and Recovery keys
  • Fast, zero-footprint operation
  • Instantly mount encrypted containers as drive letters
  • Capture the content of the computer’s volatile memory with a kernel-level tool
  • Extract encryption metadata from TrueCrypt, VeraCrypt, BitLocker, FileVault, PGP Disk, and LUKS/LUKS2 encrypted disks, Jetico BestCrypt disks and containers

Supports: BitLocker (including TPM configurations), FileVault 2 (including APFS volumes), LUKS, PGP Disk, TrueCrypt and VeraCrypt encrypted containers and full disk encryption, BitLocker To Go, XTS-AES BitLocker encryption, Jetico BestCrypt, RAM dumps, hibernation files, page files

 

A Fully Integrated Solution for Accessing Encrypted Volumes

Elcomsoft Forensic Disk Decryptor offers a range of methods for gaining access to information stored in encrypted BitLocker, FileVault 2, LUKS, LUKS2, PGP Disk, TrueCrypt and VeraCrypt disks and volumes, and Jetico BestCrypt 9 containers. The toolkit allows using the volume’s plain-text password, escrow or recovery keys, as well as the binary keys extracted from the computer’s memory image or hibernation file. FileVault 2 recovery keys can be extracted from iCloud with Elcomsoft Phone Breaker, while BitLocker recovery keys are available in Active Directory or in the user’s Microsoft Account.

If neither the encryption key nor the recovery key can be extracted, EFDD can extract metadata from the encrypted container to let Elcomsoft Distributed Password Recovery do its job.

Extract Encryption Metadata

Extracting encryption metadata from the encrypted disk is required if you need to recover the original plain-text password in order to access the data. Forensic Disk Decryptor will instantly extract the encryption metadata from encrypted hard drives, crypto-containers and forensic disk images protected with TrueCrypt, VeraCrypt, BitLocker, FileVault, PGP Disk, LUKS/LUKS2, and Jetico BestCrypt disks and containers. The resulting small file contains everything that’s required to launch a GPU-accelerated distributed attack with Elcomsoft Distributed Password Recovery.

Full Decryption, Instant Mount or Attack

With fully automatic detection of encrypted volumes and encryption settings, experts only need to provide the path to the encrypted container or disk image. Elcomsoft Forensic Disk Decryptor will automatically search for, identify and display encrypted volumes and details of their corresponding encryption settings.

Access is provided either by decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode. Both operations can be done with volumes as attached disks (physical or logical) or raw images; for FileVault 2, PGP Disk and BitLocker, decryption and mounting can be performed using the recovery key (if available).

Full Decryption

Elcomsoft Forensic Disk Decryptor can automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to all information stored on encrypted volumes.

Real-Time Access to Encrypted Information

In the real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted volume as a new drive letter on the investigator’s PC. In this mode, forensic specialists enjoy fast, real-time access to protected information. Information read from mounted disks and volumes is decrypted on-the-fly in real time.

 

No Decryption Key and No Recovery Key?

If neither the decryption key nor the recovery key is available, Elcomsoft Forensic Disk Decryptor will extract metadata necessary to brute-force the password with Elcomsoft Distributed Password Recovery.

Elcomsoft Distributed Password Recovery can attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.

 

Sources of Encryption Keys

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be extracted from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:

  • By analyzing the hibernation file (if the PC being analyzed is turned off);
  • By analyzing a memory dump file. A memory dump of a running PC can be acquired with the built-in memory imaging tool;
  • By performing a FireWire attack (the PC being analyzed must be running with encrypted volumes mounted). A free tool launched on the investigator’s PC is required to perform the FireWire attack (e.g. Inception).

FileVault 2, PGP Disk and BitLocker volumes can be decrypted or mounted by using the escrow key (Recovery Key).

Brand

ElcomSoft

ElcomSoft offers a comprehensive range of tools for unlocking access to many types of data, recovering passwords and decrypting encrypted files and volumes. The company’s range of mobile forensic products enables forensically sound extraction of evidence from a wide range of smartphones and cloud services.

New Features

Specifying Encryption and Hashing Algorithms for TrueCrypt/VeraCrypt

TrueCrypt and VeraCrypt allow users to change the encryption algorithm as well as the hash function used to generate the encryption key from the password. This information is never stored anywhere in the encrypted container. Should the expert specify the wrong algorithm, the attempt to recover the password will fail even if the correct password is tried. In this release, we’ve added the ability to specify algorithms for brute-forcing passwords when capturing encryption metadata from TrueCrypt/VeraCrypt volumes.

 

LUKS2 Encryption

We added support for LUKS2 encryption. The tool can extract LUKS2 metadata from encrypted disks and containers.

System Requirements

Windows

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008-2022
  • Administrator privileges (to create a memory dump)
  • Memory image or hibernation file containing disk encryption keys (created while the encrypted disk was mounted), or escrow/recovery key (FileVault 2, BitLocker or PGP Disk), or a password

Trial Limitations

The free trial version of EFDD does not allow saving the encryption keys; in decryption/mount mode, it only verifies the validity of the key(s), but does not actually decrypt or mount the disks.
