Elcomsoft breaks VMware, Parallels, and VirtualBox encryption

Elcomsoft Distributed Password Recovery 4.30 helps forensic experts gain access to evidence stored in encrypted virtual machines. The new release breaks VMware, Parallels, and VirtualBox encryption with high-speed attacks. In addition, the update adds support for multi-volume 7Zip archives, and brings advanced rule editing directly to the user interface.

In this release, we’ve added support for three of the most popular virtual machines: VMware, Parallels, and VirtualBox. Elcomsoft Distributed Password Recovery 4.30 gains the ability to attack the encryption passwords, helping investigators to gain access stored in encrypted VMs. We have also added the Rule editor to the user interface, which enables access to scriptable password mutation rules directly from the user interface. In addition, the tool gains the ability to attack multi-volume archives in 7Zip format.

Finally, we have also updated Elcomsoft Forensic Disk Decryptor. The tool now enables the choice of the algorithms when attacking TrueCrypt and VeraCrypt containers.

Breaking VMware, Parallels, and VirtualBox VMs

Virtual machines are one of the tools commonly used in the criminal world. Using an encrypted VM allows keeping all criminal activities under a single umbrella without the need to clean up browsing and communication sessions or risking an accidental data leak.

The most common virtual machines that can encrypt the whole VM image are Parallels, VMware, and VirtualBox. The encryption strength is quite different between these VMs.

Parallels has the weakest protection of the trio. With only two MD5 hash iterations used to derive the encryption key, Parallels is the fastest to attack. Elcomsoft Distributed Password Recovery 4.30 reaches an unprecedented recovery speed of 19 million passwords per second on a single Intel i7 CPU, enabling speedy recovery of reasonably complex passwords even without GPU acceleration.

VMware employs some 10,000 hash rounds while using a stronger PBKDF-SHA1 hash function. A CPU-only attack results in around 10,000 passwords a second, making the supported GPU-assisted recovery strongly recommended. The use of a single NVIDIA GeForce 2070 RTX board boosts the recovery speed to 1,6 million passwords per second.

Finally, Oracle VirtualBox delivers the strongest protection with the most secure encryption. With up to 1.2 million hash iterations and a variable-length encryption key, a non-accelerated, CPU-only attack would yield the recovery speed of only 15 passwords per second. The supported GPU-assisted attack is a significantly faster and strongly recommended option along with a targeted dictionary and reasonable mutation settings, delivering the speed of up to 2700 passwords a second on a single NVIDIA GeForce 2070 RTX board.

By enabling access to encrypted virtual machines, Elcomsoft Distributed Password Recovery 4.30 will help experts gain access to crucial evidence that might be available in those VMs.

Release notes:

  • Support for Parallels, VirtualBox, and VMWare encrypted virtual machines
  • Added support for multi-volume 7ZIP archives
  • Bugfix: fixed the issue when attacking certain types of compressed archives
  • Added ZIP, 7ZIP, RAR support to Elcomsoft Hash Extractor
  • Support AMD and Intel GPUs for 7ZIP archives
  • Silent installer functionality restored
  • TrueCrypt and VeraCrypt: added the ability to specify algorithms for brute-forcing passwords
  • Added Unicode files support to LM/NTLM extension
  • Added new Rules tab for editing hybrid attack rules directly from the user interface

See also