the PC is unlocked and logged-in account has administrative privileges). If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such tool is permitted (e.g. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation. Generally, the choice of one of the three attacks depends on the running state of the PC being analyzed. ** A free tool launched on investigator’s PC is required to perform the FireWire attack (e.g. * A memory dump of a running PC can be acquired with one of the readily available forensic tools such as MoonSols Windows Memory Toolkit There are three ways available to acquire the original encryption keys:īy analyzing the hibernation file (if the PC being analyzed is turned off) īy performing a FireWire attack ** (PC being analyzed must be running with encrypted volumes mounted). The encryption keys can be derived from hibernation files or memory dump files acquired while the encrypted volume was mounted. The tool provides true zero-footprint operation, leaving no traces and making no changes to the contents of encrypted volumes.Įlcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers.
* Another program Elcomsoft Distributed Password Recovery allows attacking plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.ĮlcomSoft offers a forensically sound solution.
Information read from mounted disks and volumes is decrypted on-the-fly in real time. In this mode, forensic specialists enjoy fast, real-time access to protected information. In real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted volume as a new drive letter on the investigator’s PC. Real-Time Access to Encrypted Information In complete decryption mode, Elcomsoft Forensic Disk Decryptor will automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to absolutely all information stored on encrypted volumes.
Supports all 32-bit and 64-bit versions of WindowsĪccess Information Stored in Popular Crypto ContainersĮlcomSoft offers investigators a fast, easy way to access encrypted information stored in crypto containers created by BitLocker, PGP and TrueCrypt.Īccess is provided by either decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode. Recovers and stores original encryption keys Zero-footprint operation leaves no traces and requires no modifications to encrypted volume contents
Supports both encrypted containers and full disk encryptionĪcquires protection keys from RAM dumps, hibernation filesĮxtracts all the keys from a memory dump at once if there is more than one crypto container in the systemįast acquisition (limited only by disk read speeds) Supports removable media encrypted with BitLocker To Go Mounts encrypted BitLocker, PGP and TrueCrypt volumes Access to encrypted information is provided in real-time.ĭecrypts information stored in three most popular crypto containers
Elcomsoft Forensic Disk Decryptor allows decrypting data from encrypted containers or mounting encrypted volumes, providing full forensic access to protected information stored in the three most popular types of crypto containers.
Perform the complete forensic analysis of encrypted disks and volumes protected with desktop and portable versions of BitLocker, PGP and TrueCrypt. Les dejo la descripcion esta en ingles pero el programa es bastante buenoįorensic Access to Encrypted BitLocker, PGP and TrueCrypt Disks and Containers