Elcomsoft Forensic Disk Decryptor receives a major update, gaining the ability to mount or decrypt encrypted containers using their respective passwords, escrow keys, or cryptographic keys extracted from the computer’s volatile memory image. Elcomsoft Forensic Disk Decryptor comes with a built-in memory dumping tool, allowing experts to image a computer’s RAM.
In its first major update, Elcomsoft Forensic Disk Decryptor 2.0 becomes a fully integrated, all-in-one solution for accessing encrypted FileVault 2, BitLocker, PGP and TrueCrypt volumes. The updated toolkit gains the ability to mount or decrypt encrypted volumes using plain-text passwords, escrow keys, or cryptographic keys extracted from the computer’s volatile memory image. In addition, a kernel-level memory dumping tool is now supplied with the toolkit, allowing experts to image a computer’s RAM on Windows computers.
Integrated Solution for Accessing Encrypted Volumes
In previous versions of Forensic Disk Decryptor, the toolkit was limited to mounting or decrypting volumes using the binary cryptographic keys extracted from the computer’s memory image or hibernation file. Elcomsoft Forensic Disk Decryptor 2.0 adds the ability to mount encrypted volumes or to perform full decryption for offline analysis by using plain-text passwords, escrow or recovery keys, as well as the binary keys extracted from the computer’s memory image. FileVault 2 recovery keys can be extracted from iCloud with Elcomsoft Phone Breaker, while BitLocker recovery keys are available in Active Directory or in the user’s Microsoft Account.
Built-In Kernel Level Memory Dumping Tool
Elcomsoft Forensic Disk Decryptor 2.0 comes with a forensic-grade memory imaging tool that uses zero-level access to the computer’s RAM in order to create the most complete memory image. ElcomSoft’s RAM imaging driver works in kernel mode and carries a Microsoft digital signature, making the driver fully compatible with all 32-bit and 64-bit versions of Windows from Windows 7 up to the latest Windows 10 Fall Creators Update.
Using images dumped by the new tool, Elcomsoft Forensic Disk Decryptor can obtain cryptographic keys for decrypting data stored in encrypted containers without running a lengthy attack on the original plain-text password.
Automatic Encryption Detection
Elcomsoft Forensic Disk Decryptor 2.0 offers fully automatic detection of encryption algorithms and parameters, including TrueCrypt. Experts only need to provide the path to the encrypted container or disk image, and Elcomsoft Forensic Disk Decryptor will automatically detect and display encrypted volumes and details of their encryption algorithms.
EnCase .E01 Support and Portable Version
Elcomsoft Forensic Disk Decryptor 2.0 now fully supports EnCase images in the industry-standard .E01 format, as well as encrypted DMG images. In addition, Elcomsoft Forensic Disk Decryptor can be used to create a portable installation on a user-provided USB flash drive. The portable installation can be used to image the computer’s volatile memory and/or mount or decrypt encrypted volumes.