Working with the program


When an encrypted disk is mounted into the system (i.e. once you have entered the password to access it, provided the smart card, or used any other type of authentication), the system keeps the encryption keys because it needs to constantly access the encrypted data. Thus, these keys are kept in system memory regardless of the authentication method used (password, encryption keys on disk, or smart card).

 

The program works the following way: if you are able to get the contents of the system memory (again, while the disk is mounted), or the hibernation file (which is in fact the file that contains the system state, including the memory), then you can use these keys to decrypt the disk, or to mount it (into the same or any other system), without knowing the password or whatever else is normally used to access the disk. So basically, you should perform three steps:

 

dump system memory or grab the hibernation file

find encryption keys

decrypt or mount the disk

 

These steps are described further in the Find encryption keys and Decrypt or mount disk chapters.



 © 2016 ElcomSoft Co.Ltd.