Elcomsoft Forensic Disk Decryptor

Instantly access data stored in encrypted BitLocker, FileVault 2, PGP and TrueCrypt containers. The tool extracts cryptographic keys from RAM captures, hibernation files and page files, or uses a plain-text password or escrow key, to decrypt files and folders stored in crypto containers or to mount encrypted volumes as new drive letters for instant, real-time access.

  • Decrypt BitLocker, BitLocker To Go, FileVault 2, PGP and TrueCrypt volumes
  • Extract cryptographic keys from RAM captures, hibernation and page files, escrow and Recovery keys
  • Extract and store all available encryption keys
  • Instantly mount encrypted containers as drive letters
  • Capture the content of the computer's volatile memory with a kernel-level tool
  • Fast, zero-footprint operation

Supports: BitLocker, FileVault 2, PGP and TrueCrypt encrypted containers and full disk encryption, BitLocker To Go, XTS-AES BitLocker encryption, RAM dumps, hibernation files, page files

Common license $ 599
Buy now

New features

Built-In Memory Imaging Tool

A forensic-grade memory imaging tool is included with Elcomsoft Forensic Disk Decryptor. The tool accesses the computer's volatile memory from kernel mode (ring 0) in order to create the most complete memory image. The supplied RAM imaging tool operates through a custom kernel-level driver. The driver carries a Microsoft digital signature, making it compatible with all 32-bit and 64-bit versions of Windows from Windows 7 up to the latest Windows 10 update.

EnCase .E01 Support and Portable Version

Elcomsoft Forensic Disk Decryptor 2.0 now fully supports EnCase images in the industry-standard .E01 format, as well as encrypted DMG images. In addition, Elcomsoft Forensic Disk Decryptor can be used to create a portable installation on a user-provided USB flash drive. The portable installation can be used to image the computer's volatile memory and/or mount or decrypt encrypted volumes.

A Fully Integrated Solution for Accessing Encrypted Volumes

Elcomsoft Forensic Disk Decryptor offers all available methods for gaining access to information stored in encrypted BitLocker, FileVault 2, PGP and TrueCrypt disks and volumes. The toolkit can use the volume's plain-text password, an escrow or recovery key, or the binary keys extracted from the computer's memory image or hibernation file. FileVault 2 recovery keys can be extracted from iCloud with Elcomsoft Phone Breaker, while BitLocker recovery keys are available in Active Directory or in the user's Microsoft Account.

Two Access Modes[1]

With fully automatic detection of encrypted volumes and encryption settings, experts only need to provide the path to the encrypted container or disk image. Elcomsoft Forensic Disk Decryptor will automatically search for, identify and display encrypted volumes and the details of their corresponding encryption settings.

Access is provided either by decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode. Both operations can be performed on volumes as attached disks (physical or logical) or raw images; for FileVault 2, PGP and BitLocker, decryption and mounting can also be performed using the recovery key (if available).

Full Decryption

Elcomsoft Forensic Disk Decryptor can automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to all information stored on encrypted volumes.

Real-Time Access to Encrypted Information

In the real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted volume as a new drive letter on the investigator’s PC. In this mode, forensic specialists enjoy fast, real-time access to protected information. Information read from mounted disks and volumes is decrypted on-the-fly in real time.

Sources of Encryption Keys

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The keys can be extracted from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are four ways to acquire the original encryption keys:

  • By analyzing the hibernation file (if the PC being analyzed is turned off);
  • By analyzing a memory dump file[2];
  • By performing a FireWire attack[3] (the PC being analyzed must be running with the encrypted volumes mounted);
  • By capturing a memory dump with the built-in RAM imaging tool[4].

FileVault 2, PGP and BitLocker volumes can be decrypted or mounted by using the escrow key (Recovery Key).


  1. Elcomsoft Distributed Password Recovery is required if you need to attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force. 

  2. A memory dump of a running PC can be acquired with one of the readily available forensic tools such as MoonSols Windows Memory Toolkit 

  3. A free tool launched on the investigator's PC is required to perform the FireWire attack (e.g. Inception) 

  4. Portable installation on a USB drive is highly recommended 

All Features and Benefits

Access Information Stored in Popular Crypto Containers

ElcomSoft offers investigators a fast, easy way to access encrypted information stored in crypto containers created by BitLocker, FileVault 2, PGP and TrueCrypt.

Acquiring Encryption Keys

There are three different methods for acquiring the decryption keys. The choice depends on the running state of the PC being analyzed and on whether a forensic tool can be installed on it.

If the PC being investigated is turned off, the encryption keys may be retrieved from the hibernation file. The encrypted volume must have been mounted at the moment the computer hibernated: if the volume was dismounted before hibernation, its keys are not present in the hibernation file and cannot be derived from it.

If the PC is turned on, a memory dump can be captured with any forensic tool, provided that installing such a tool is permitted (e.g. the PC is unlocked and the currently logged-in account has administrative privileges). The encrypted volume must be mounted at the time of acquisition. A good description of this technique, along with a list of free and commercial memory acquisition tools, is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or the logged-in account lacks administrative privileges), a DMA attack via a FireWire port can be performed in order to obtain a memory dump. This attack requires a free third-party tool (such as Inception: http://www.breaknenter.org/projects/inception/) and succeeds in most cases because the IEEE 1394 (FireWire) protocol gives an attached device direct access to the host's physical memory. Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports. On targets where the operating system restricts DMA from newly attached devices (for example through an IOMMU-based DMA protection policy), the attack can fail.

Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores them for future use and offers the option to either decrypt the entire content of the encrypted container or mount the protected disk as another drive letter for real-time access.
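Every acquisition route above (hibernation file, memory dump, FireWire DMA, built-in imager) ends with the same step named under "Sources of Encryption Keys": finding the binary keys inside a memory image. What makes that possible is that a mounted volume's cipher keeps its expanded AES round keys in RAM, and an AES key schedule is self-consistent: each round key is derived from the previous one, so a scanner can recognise a schedule without knowing the key in advance. The script below is an added example of such a scan and is not Elcomsoft's code; it implements FIPS-197 key expansion, walks an image byte by byte and reports every offset at which the bytes form a complete AES-128 or AES-256 schedule. The 4 KiB "memory image", the embedded keys (the FIPS-197 test vectors) and the offsets are constructed for the demo. The image also contains a bare key with no schedule behind it, which the scan correctly ignores: that is the practical reason the volume must have been mounted when memory was captured. The example covers AES only; TrueCrypt volumes using Serpent or Twofish need a different schedule check, and a Windows 8+ hibernation file is compressed and must be decompressed before scanning.

```python
"""Scan a raw memory image for AES key schedules (added example, not Elcomsoft code).

A mounted encrypted volume keeps the expanded AES round keys of its cipher in
RAM; each round key is derived from the previous one, so a schedule can be
recognised without knowing the key. The sample image below is constructed.
"""
import random


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox() -> list:
    """Generate the AES S-box: GF(2^8) multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3 (q *= 0xF6)
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                 # 0 has no inverse; the affine map of 0 is 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion: 176 bytes for a 16-byte key, 240 bytes for a 32-byte key."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # AES-256 only: extra SubWord
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return bytes(b for word in w for b in word)


def _first_derived_word(key: bytes) -> bytes:
    """w[Nk] = w[0] ^ SubWord(RotWord(w[Nk-1])) ^ Rcon[1]; cheap filter before full expansion."""
    t = list(key[-4:])
    t = [SBOX[b] for b in t[1:] + t[:1]]
    t[0] ^= RCON[0]
    return bytes(a ^ b for a, b in zip(key[:4], t))


def find_aes_keys(image: bytes) -> list:
    """Return (offset, key_bits, key_hex) for every AES-128/AES-256 schedule in the image."""
    hits = []
    for key_len in (16, 32):
        sched_len = 16 * (key_len // 4 + 7)        # 176 or 240 bytes
        for off in range(len(image) - sched_len + 1):
            key = image[off:off + key_len]
            if _first_derived_word(key) != image[off + key_len:off + key_len + 4]:
                continue                           # rules out almost every offset cheaply
            if expand_key(key) == image[off:off + sched_len]:
                hits.append((off, key_len * 8, key.hex()))
    return hits


def build_demo_image(seed: int = 1):
    """Constructed 4 KiB 'memory image': pseudo-random filler, two live schedules, one bare key."""
    rng = random.Random(seed)
    image = bytearray(rng.randrange(256) for _ in range(4096))
    key128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")      # FIPS-197 A.1 test key
    key256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                           "1f352c073b6108d72d9810a30914dff4")      # FIPS-197 A.3 test key
    bare = bytes.fromhex("000102030405060708090a0b0c0d0e0f")        # key with no schedule
    image[512:512 + 176] = expand_key(key128)
    image[2048:2048 + 240] = expand_key(key256)
    image[3500:3516] = bare
    return bytes(image), {"aes128": 512, "aes256": 2048, "bare": 3500}


if __name__ == "__main__":
    img, where = build_demo_image()
    for off, bits, key_hex in find_aes_keys(img):
        print(f"AES-{bits} key schedule at offset 0x{off:x}: key {key_hex}")
    # The bare key at offset 3500 is not reported: no schedule follows it.
```

To run it against a real capture, pass the file contents to `find_aes_keys`; on multi-gigabyte dumps the one-word pre-filter is what keeps the scan tractable, since a full expansion at every offset is far too slow in pure Python. A recovered key is only the first half of the job: BitLocker and TrueCrypt use XTS, so two schedules (the data key and the tweak key) will typically appear close together, and mapping them to the volume's key type is up to the decryption tool.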

Supported Disk Encryption Tools

Elcomsoft Forensic Disk Decryptor works with encrypted volumes created by current versions of BitLocker, FileVault 2, PGP and TrueCrypt, including removable and flash storage media encrypted with BitLocker To Go. It also supports PGP encrypted containers and full disk encryption, as well as TrueCrypt system and hidden volumes.


System requirements

  • Windows 7, Windows 8/8.1, Windows 10 (32-bit and 64-bit), Windows Server 2003/2008/2012/2016
  • Approximately 8 MB of free space on the hard disk
  • Administrator privileges (to create a memory dump)
  • Memory image or hibernation file containing disk encryption keys (created while the encrypted disk was mounted), or escrow/recovery key (FileVault 2, BitLocker or PGP), or a password

Trial limitations

The free trial version of EFDD does not allow saving the encryption keys; in decryption/mount mode it only verifies the validity of the key(s), but does not actually decrypt or mount the disks.

Release notes

Elcomsoft Forensic Disk Decryptor v.2.0.520

11 April, 2018

  • bug fixes

Uninstallation procedure: in order to uninstall the product, follow the standard procedure via Control Panel - Programs and Features, or use the corresponding Uninstall link in the product's folder in the Windows Start menu.

