Forensic Access to Encrypted BitLocker, PGP and TrueCrypt Containers
Perform the complete forensic analysis of encrypted disks and volumes protected with desktop and portable versions of BitLocker, PGP, TrueCrypt and its successors. Elcomsoft Forensic Disk Decryptor allows instant access to encrypted data by mounting or decrypting encrypted volumes using decryption keys found in the computer’s RAM, memory dumps or hibernation files.
Two Access Modes
Access is provided either by decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode. Both operations can be performed on volumes presented as attached disks (physical or logical) or as raw images; for PGP and BitLocker, decryption and mounting can also be performed using a recovery key (if available).
Elcomsoft Forensic Disk Decryptor can automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to all information stored on encrypted volumes.
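Before a volume or raw image is handed to a decryption tool, an examiner usually needs to know what kind of container it is. The following is an added triage example, not code from the page or from Elcomsoft: it reads the first 4 KiB of a volume and uses the OEM ID `-FVE-FS-` that BitLocker writes at byte offset 3 of the boot sector to recognise a BitLocker volume, recognises a plaintext NTFS boot sector the same way, and falls back to a Shannon-entropy heuristic for TrueCrypt-style containers, which carry no plaintext signature at all. The entropy threshold and the sample headers are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

# OEM ID found at byte offset 3 of the boot sector of a BitLocker-encrypted NTFS volume.
BITLOCKER_OEM_ID = b"-FVE-FS-"
NTFS_OEM_ID = b"NTFS    "

# Heuristic (assumption): a 4 KiB header whose Shannon entropy is at or above this
# value has no recognisable structure, which is what a TrueCrypt/VeraCrypt-style
# container header looks like (no plaintext signature anywhere in it).
HEADER_BYTES = 4096
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_volume_header(header: bytes) -> str:
    """Triage the first bytes of a volume or raw image.

    Returns one of: "bitlocker", "ntfs-plaintext", "zero-filled",
    "opaque-high-entropy" (candidate encrypted container without a signature),
    or "unknown".
    """
    if len(header) < 512:
        raise ValueError("need at least one 512-byte sector")
    oem_id = header[3:11]
    if oem_id == BITLOCKER_OEM_ID:
        return "bitlocker"
    if oem_id == NTFS_OEM_ID:
        return "ntfs-plaintext"
    if not any(header):
        return "zero-filled"
    if shannon_entropy(header) >= ENTROPY_THRESHOLD:
        return "opaque-high-entropy"
    return "unknown"


def classify_image_file(path: str) -> str:
    """Read the first HEADER_BYTES of a raw image on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_volume_header(fh.read(HEADER_BYTES))


def constructed_samples() -> dict[str, bytes]:
    """Constructed sample headers (not real evidence) exercising each branch."""
    bitlocker = bytearray(HEADER_BYTES)
    bitlocker[0:3] = b"\xEB\x58\x90"        # x86 jump, as in a real BitLocker boot sector
    bitlocker[3:11] = BITLOCKER_OEM_ID
    ntfs = bytearray(HEADER_BYTES)
    ntfs[0:3] = b"\xEB\x52\x90"
    ntfs[3:11] = NTFS_OEM_ID
    rng = random.Random(2024)               # seeded so the sample is reproducible
    opaque = rng.randbytes(HEADER_BYTES)    # stands in for a signature-less container header
    return {
        "bitlocker": bytes(bitlocker),
        "ntfs": bytes(ntfs),
        "opaque": opaque,
        "zeros": bytes(HEADER_BYTES),
    }


if __name__ == "__main__":
    for name, header in constructed_samples().items():
        print(f"{name:10s} -> {classify_volume_header(header):20s} "
              f"(entropy {shannon_entropy(header):.2f} bits/byte)")
```

The signature check is decisive; the entropy check is only a hint that a region deserves a closer look, since compressed or already-wiped data can score just as high.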
Real-Time Access to Encrypted Information
In the real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted volume as a new drive letter on the investigator’s PC. In this mode, forensic specialists enjoy fast, real-time access to protected information. Information read from mounted disks and volumes is decrypted on-the-fly in real time.
Zero Footprint Operation
ElcomSoft offers a forensically sound solution. The tool provides true zero-footprint operation, leaving no traces and making no changes to the contents of encrypted volumes.
Sources of Encryption Keys
Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be extracted from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:
- By analyzing the hibernation file (if the PC being analyzed is turned off);
- By analyzing a memory dump file;
- By performing a FireWire attack (the PC being analyzed must be running with encrypted volumes mounted).
BitLocker volumes can be decrypted or mounted by using the escrow key (Recovery Key).
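The recovery key just mentioned is most often handled in its 48-digit recovery password form (for example when escrowed to Active Directory or printed). That format has built-in structure: eight groups of six decimal digits, every group a multiple of 11, and each group divided by 11 fitting in 16 bits. The validator below is an added example, not code from the page or from Elcomsoft; it rejects a mistyped or truncated key before any decryption attempt is made. The sample key is constructed and is not a real recovery password.

```python
import re

GROUPS = 8
DIGITS_PER_GROUP = 6
MAX_WORD = 0xFFFF


def parse_recovery_password(text: str) -> list[int]:
    """Validate a BitLocker recovery password and return its eight 16-bit words.

    Format rules: 48 decimal digits written as 8 groups of 6 (dashes and
    whitespace between groups are ignored); every group must be a multiple
    of 11, and group // 11 must fit in 16 bits. The multiple-of-11 rule acts
    as a check digit, so a single mistyped digit is caught here.
    Raises ValueError naming the offending group on failure.
    """
    digits = re.sub(r"[\s-]+", "", text)
    if not re.fullmatch(r"\d{48}", digits):
        raise ValueError("expected 48 digits in 8 groups of 6")
    words = []
    for idx in range(GROUPS):
        chunk = digits[idx * DIGITS_PER_GROUP:(idx + 1) * DIGITS_PER_GROUP]
        value = int(chunk)
        if value % 11:
            raise ValueError(f"group {idx + 1} ({chunk}) is not a multiple of 11")
        word = value // 11
        if word > MAX_WORD:
            raise ValueError(f"group {idx + 1} ({chunk}) decodes to more than 16 bits")
        words.append(word)
    return words


def is_well_formed(text: str) -> bool:
    """True if `text` passes every format rule, False otherwise."""
    try:
        parse_recovery_password(text)
    except ValueError:
        return False
    return True


def format_recovery_password(words: list[int]) -> str:
    """Inverse of parse: encode eight 16-bit words as the dashed 48-digit string."""
    if len(words) != GROUPS or any(not 0 <= w <= MAX_WORD for w in words):
        raise ValueError("need exactly 8 values in the range 0..65535")
    return "-".join(f"{w * 11:06d}" for w in words)


# Constructed sample (not a real key): the words 1..7 followed by 65535.
SAMPLE_WORDS = [1, 2, 3, 4, 5, 6, 7, 65535]
SAMPLE_PASSWORD = format_recovery_password(SAMPLE_WORDS)
# -> "000011-000022-000033-000044-000055-000066-000077-720885"

if __name__ == "__main__":
    print(SAMPLE_PASSWORD, parse_recovery_password(SAMPLE_PASSWORD))
    # A single mistyped digit breaks the multiple-of-11 rule:
    print(is_well_formed(SAMPLE_PASSWORD.replace("000022", "000023")))
```

Passing this check only means the string is a syntactically valid recovery password; whether it unlocks a given volume is decided by the volume's own metadata.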
Elcomsoft Distributed Password Recovery is required if you need to attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.
A memory dump of a running PC can be acquired with one of the readily available forensic tools, such as MoonSols Windows Memory Toolkit.
A free tool launched on the investigator's PC is required to perform the FireWire attack (e.g. Inception).