Find encryption keys


EFDD can extract disk encryption keys from a computer's memory. There are two ways to get the memory image (dump):

On a 'live' system: using one of the memory imaging tools (administrative privileges are required). A complete description of this technology and a comprehensive list of tools (free and commercial) is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging; we recommend MoonSols Windows Memory Toolkit as the most advanced tool.

Through a FireWire attack. FireWire devices can directly access the memory of a computer (even if it is locked). There are a few tools that can acquire memory using this technology, e.g. Inception (please note that you would need a separate computer running Linux).

EFDD can also search for encryption keys in the Windows hibernation file. Upon hibernation, the computer saves the contents of its memory to the hard disk; upon resumption, the computer is exactly as it was when it entered hibernation. Windows uses the hiberfil.sys file to store a copy of the system memory; more information on how to disable and re-enable hibernation is available at http://support.microsoft.com/kb/920730.

Please note that the encrypted disk must be mounted on the system when you make the dump (or when the computer is put into the hibernate state); otherwise, the keys are not in memory.
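The two facts above (keys are written to hiberfil.sys on hibernation, and they sit in RAM only while the encrypted volume is mounted) are what an administrator wants to audit on a host before it leaves their control. The following PowerShell script is an added example, not part of EFDD or its documentation: it reports, read-only, whether hibernation is enabled, whether a hibernation file exists, whether a FireWire (1394) controller is present, and which BitLocker volumes are currently unlocked. Assumptions: an elevated PowerShell 5.1 or later session; the BitLocker module may be absent (the volume check then reports "unknown"); the function names are this example's own.

```powershell
# Added example (not EFDD code): read-only audit of the key-exposure paths described above.
# Assumes an elevated PowerShell session. The BitLocker module is optional.

function Get-HibernationState {
    # HibernateEnabled under the Power key is the switch that powercfg /hibernate toggles.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $value = (Get-ItemProperty -Path $key -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $enabled = if ($null -eq $value) { 'unknown' } else { [bool]$value }
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    [pscustomobject]@{
        HibernateEnabled = $enabled
        HiberfilPresent  = [System.IO.File]::Exists($hiberfil)   # sees hidden/system files
        HiberfilPath     = $hiberfil
    }
}

function Get-FireWireControllers {
    # Any 1394 host controller is a DMA path into RAM while the machine is powered on.
    Get-CimInstance -ClassName Win32_1394Controller -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

function Get-UnlockedBitLockerVolumes {
    # A volume's keys are held in RAM only while it is unlocked (mounted).
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return 'unknown' }
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.LockStatus -eq 'Unlocked' } |
        Select-Object -ExpandProperty MountPoint
}

$hib  = Get-HibernationState
$fw   = @(Get-FireWireControllers)
$vols = Get-UnlockedBitLockerVolumes

$findings = @()
if ($hib.HiberfilPresent -or $hib.HibernateEnabled -eq $true) {
    $findings += "Hibernation is enabled or $($hib.HiberfilPath) exists: hibernating while a volume is unlocked writes its keys to disk. Remediation per KB920730: powercfg.exe /hibernate off"
}
if ($fw.Count -gt 0) {
    $findings += "FireWire (1394) controller present: $($fw -join ', '). Disable it in Device Manager or firmware if it is not needed."
}
if ($vols -ne 'unknown' -and @($vols).Count -gt 0) {
    $findings += "Unlocked encrypted volumes: $(@($vols) -join ', '). Their keys are in RAM; lock them before leaving the machine unattended."
}

$hib | Format-List
if ($findings.Count -eq 0) { 'No key-exposure paths found.' } else { $findings }
```

Run it from an elevated prompt; each finding names the condition and the corresponding change (disabling hibernation via the KB article referenced above, removing the 1394 controller, or locking the volume). The script changes nothing on the host.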

Use the Extract keys option at the first step of the EFDD wizard. You will have to select the source (memory dump or hibernation file), as well as the type of encryption keys to search for:

[Screenshot: search]

Please note that searching for keys is a time-consuming process, so it is recommended to limit the search to particular key types (especially for PGP, if you know which algorithm was used). If you are not sure, just select all of them.

Once the keys have been found, the program shows them and allows you to save them to a file (for future use, i.e. mounting or decrypting the disk); you can save multiple keys (even of different types) into a single file:

[Screenshot: key_search]

[Screenshot: key_found]

The wizard then returns to the first step (to search for keys in another dump file, or to decrypt or mount the disk).


 © 2016 ElcomSoft Co.Ltd.