Elcomsoft System Recovery and Forensic Disk Decryptor updates: macOS encryption and VeraCrypt support

We updated Elcomsoft System Recovery and Elcomsoft Forensic Disk Decryptor. Elcomsoft System Recovery can now create a bootable flash drive allowing experts boot macOS computers and extract data required to launch attacks on full-disk encryption. Elcomsoft Forensic Disk Decryptor receives support for VeraCrypt volumes.

We updated Elcomsoft System Recovery with support for macOS computers. With Elcomsoft System Recovery, experts can now create a flash drive to boot macOS computers. The bootable flash drive allows experts extract hashes from HFS+ and APFS-formatted FileVault 2 volumes to quickly initiate password attacks on encrypted volumes without imaging the whole drive.

We have also updated Elcomsoft Forensic Disk Decryptor with VeraCrypt extraction support. Elcomsoft Forensic Disk Decryptor helps extract hash data from VeraCrypt containers, and pre-configure password attacks by specifying the range of encryption and hashing options.

macOS Encryption

Elcomsoft System Recovery delivers support for HFS+ and APFS encrypted volumes on macOS computers, offering faster access to encrypted evidence compared to the traditional workflow. Once you boot the Mac or MacBook from the ESR flash drive, the tool will automatically detect full-disk encryption, extract and store the data that is required to brute-force passwords to encrypted volumes. Even if the keyboard and mouse are not available, the tool will start a countdown timer to capture the required hashes and store them on the bootable flash drive automatically.

Elcomsoft System Recovery makes it easy to process full-disk encryption by simply booting the macOS computer from a flash drive. The tool extracts and saves information required to brute-force passwords to encrypted HFS+ and APFS volumes.

VeraCrypt Support

VeraCrypt is the most popular successor to open-source disk encryption tool TrueCrypt. Compared to the original, VeraCrypt supposes a wider range of encryption methods and hash algorithms. In this update, Elcomsoft Forensic Disk Decryptor receives full support for VeraCrypt volumes, enabling experts extracting hash data from VeraCrypt containers to launch brute-force or smart dictionary attacks with Distributed Password Recovery.

Elcomsoft System Recovery 7.2 change log:

  • Added macOS support: creates a bootable flash drive for macOS computers, extracts hashes from encrypted HFS+ and APFS volumes
  • macOS computers: if keyboard/mouse cannot be used due to the lack of drivers, password hashes are automatically saved to the flash drive on countdown timer
  • Disk letters for partitions have been added
  • AD cached passwords can now be reset
  • Searching for plaintext SAM and AD passwords has been improved
  • Standard license has been eliminated; all users automatically upgraded to Pro features
  • Bug fixes and compatibility improvements

Elcomsoft Forensic Disk Decryptor 2.11 change log:

  • Added support for APFS partitions with FileVault2
  • Added support for VeraCrypt (extracting hash data for subsequent password attacks)
  • Added support for GUID partitions
  • Improved support for encrypted HFS+ partitions
  • Improved user interface; disk letters are now available
  • Improved PGP WDE support

See also