20 October, 2020

Elcomsoft Helps Investigators Access Evidence in Encrypted Virtual Machines, Adds Rule Editor

ElcomSoft Co. Ltd. updates Elcomsoft Distributed Password Recovery with support for an even wider range of encrypted and locked evidence. The update enables forensic access to evidence stored in encrypted VMware, Parallels, and VirtualBox virtual machines. In addition, the new Rule editor has been added to the user interface, allowing users editing rules for hybrid attacks directly in the user interface.

“Virtual machines are very common in the criminal world”, says Andy Malyshev, Elcomsoft s.r.o. CEO. “Using an encrypted VM allows criminals hiding their activities under a virtual umbrella, reducing the risks of an accidental leak of incriminating evidence. We built a tool to help investigators gain access to all of that evidence by breaking the original encryption password.”

Breaking VMware, Parallels, and VirtualBox VMs

Virtual machines use a portable, hardware-independent environment to perform essentially the same role as an actual computer. User activities performed in the virtual machine leave trails mostly in the VM image files and not on the host computer. Virtual machine analysis becomes an important factor when performing digital investigations.

Many types of virtual machines used in the criminal world can be securely encrypted. Evidence stored in such VM images can be only accessed if the investigator can produce the original encryption password. Elcomsoft Distributed Password Recovery provides a solution by allowing experts to run hardware-accelerated distributed attacks on passwords protecting encrypted VM images created by VMware, Parallels, and VirtualBox.

Technology & performance

The most common virtual machines that can encrypt the whole VM image are Parallels, VMware, and VirtualBox. The encryption strength and the resulting password recovery speeds are vastly different between these VMs.

Parallels has the weakest protection of the trio. With only two MD5 hash iterations used to derive the encryption key, Parallels is the fastest to attack. Elcomsoft Distributed Password Recovery 4.30 reaches an unprecedented recovery speed of 19 million passwords per second on a single Intel i7 CPU, enabling speedy recovery of reasonably complex passwords even without GPU acceleration.

VMware employs some 10,000 hash rounds while using a stronger PBKDF-SHA1 hash function. A CPU-only attack results in around 10,000 passwords a second, making the supported GPU-assisted recovery strongly recommended. The use of a single NVIDIA GeForce 2070 RTX board boosts the recovery speed to 1,6 million passwords per second.

Finally, Oracle VirtualBox delivers the strongest protection with the most secure encryption. With up to 1.2 million hash iterations and a variable-length encryption key, a non-accelerated, CPU-only attack would yield the recovery speed of only 15 passwords per second. The supported GPU-assisted attack is a significantly faster and strongly recommended option along with a targeted dictionary and reasonable mutation settings, delivering the speed of up to 2,700 passwords a second on a single NVIDIA GeForce 2070 RTX board.

Rule editor

The newly added Rule editor enables the use of hybrid attacks based on the industry-standard John the Ripper's syntax directly from the user interface. The new Rule editor replaces the previous mode based on manually editing text files.

About Elcomsoft Distributed Password Recovery

Elcomsoft Distributed Password Recovery enables accelerated password recovery for more than 500 formats including Microsoft Office and Adobe PDF documents, encrypted volumes and archives, personal security certificates and exchange keys, MD5 hashes and Oracle passwords, Windows and UNIX login and domain passwords.

Supporting ElcomSoft’s patented GPU acceleration technology and being able to scale to over 10,000 workstations with zero scalability overhead, Elcomsoft Distributed Password Recovery is a high-end password recovery solution offering the speediest recovery with the most sophisticated commercially available technologies.

Pricing and Availability

Elcomsoft Distributed Password Recovery is available immediately. Licensing starts from 599 EUR for 5 clients. A license for 100 clients is available for 4999 EUR. Other tiers are available on request. Customers are welcome to contact ElcomSoft about larger purchases. Local pricing may vary.

Elcomsoft Distributed Password Recovery supports Microsoft Windows 7, 8.x, 10, as well as the corresponding Windows Server editions.

About ElcomSoft Co. Ltd.

Founded in 1990, ElcomSoft Co.Ltd. is a global industry-acknowledged expert in computer and mobile forensics providing tools, training, and consulting services to law enforcement, forensics, financial and intelligence agencies. ElcomSoft pioneered and patented numerous cryptography techniques, setting and exceeding expectations by consistently breaking the industry’s performance records. ElcomSoft is Microsoft Certrified Partner, and Intel Software Premier Elite Partner.

Kontakter

Elcomsoft s.r.o.

Československé armády 371/11,
Praha 6-Bubeneč,
Czech Republic, PSČ 160 00

Klicka här för att kontakta Elcomsoft

As one of the industry leaders, our job involves complex research and constant monitoring of industry news. We love sharing our findings with our followers. Follow us on a social network of your choice, and we’ll deliver quality content straight to your news feed.