Working with the program
When an encrypted disk is mounted into the system (i.e. once you have entered the password to access it, provided the smart card, or used any other type of authentication), the system keeps the encryption keys because it needs to constantly access the encrypted data. Thus, these keys are kept in system memory (regardless of the authentication method used: password, encryption keys on disk, or smart card).
The program works as follows: if you are able to get the contents of the system memory (again, when the disk is mounted), or the hibernation file (which is in fact the file that contains the system state, including the memory), then you can use these keys to decrypt the disk, or to mount it (into the same or any other system) without knowledge of the password or whatever else is normally used to access the disk. So basically, you should perform three steps:
• dump system memory or grab the hibernation file
• find encryption keys
• decrypt or mount the disk
© 2016 ElcomSoft Co.Ltd.