Elcomsoft Forensic Disk Decryptor

Forensic Access to Encrypted BitLocker, PGP and TrueCrypt Containers

Perform the complete forensic analysis of encrypted disks and volumes protected with desktop and portable versions of BitLocker, PGP, TrueCrypt and its successors. Elcomsoft Forensic Disk Decryptor allows instant access to encrypted data by mounting or decrypting encrypted volumes using decryption keys found in the computer’s RAM, memory dumps or hibernation files.

Features and Benefits

• Decrypts information stored in three most popular crypto containers
• Mounts encrypted BitLocker, PGP and TrueCrypt volumes
• Supports removable media encrypted with BitLocker To Go
• Supports XTS-AES BitLocker encryption in Windows 10 November Update (build 1511)
• Supports both encrypted containers and full disk encryption
• Works with physical disks, logical partitions and RAW/DD images
• Can decrypt and mount PGP and BitLocker volumes using escrow keys (Recovery Key)
• Acquires decryption keys from RAM dumps, hibernation files
• Extracts all available keys from a memory dump at once if more than one crypto container is present
• Fast acquisition (limited only by disk read speeds)
• Zero-footprint operation leaves no traces and requires no modifications to encrypted volume contents
• Recovers and stores original encryption keys
• Supports all 32-bit and 64-bit versions of Windows from XP to Windows 10

Access Information Stored in Popular Crypto Containers

ElcomSoft offers investigators a fast, easy way to access encrypted information stored in crypto containers created by BitLocker, PGP and TrueCrypt.

Two Access Modes^[1]

Access is provided by either decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode. Both operations can be done with volumes as attached disks (physical or logical) or raw images; for PGP and BitLocker, decryption and mounting can be performed using recovery key (if available).

Full Decryption

Elcomsoft Forensic Disk Decryptor can automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to all information stored on encrypted volumes

Real-Time Access to Encrypted Information

In the real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted volume as a new drive letter on the investigator’s PC. In this mode, forensic specialists enjoy fast, real-time access to protected information. Information read from mounted disks and volumes is decrypted on-the-fly in real time.

Zero Footprint Operation

ElcomSoft offers a forensically sound solution. The tool provides true zero-footprint operation, leaving no traces and making no changes to the contents of encrypted volumes.

Sources of Encryption Keys

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be extracted from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:

• By analyzing the hibernation file (if the PC being analyzed is turned off);
• By analyzing a memory dump file^[2]
• By performing a FireWire attack^[3] (PC being analyzed must be running with encrypted volumes mounted).

BitLocker volumes can be decrypted or mounted by using the escrow key (Recovery Key).

Acquiring Encryption Keys

There are at least three different methods for acquiring the decryption keys. The choice of one of the three methods depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.

If the PC being investigated is turned off, the encryption keys may be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.

If the PC is turned on, a memory dump can be captured with any forensic tool if installing such a tool is permitted (e.g. the PC is unlocked and the currently logged-in account has administrative privileges). The encrypted volume must be mounted at the time of acquisition. Good description of this technology (and a list of free and commercial memory acquisition tools) is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a DMA attack via a FireWire port can be performed in order to obtain a memory dump. This attack requires the use of a free third-party tool (such as Inception: http://www.breaknenter.org/projects/inception/), and offers near 100% results due to the implementation of the FireWire protocol that enables direct memory access. Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.

Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of encrypted container or mount the protected disk as another drive letter for real-time access.

Supported Disk Encryption Tools

Elcomsoft Forensic Disk Decryptor works with encrypted volumes created by current versions of BitLocker, PGP and TrueCrypt, including removable and flash storage media encrypted with BitLocker To Go. Supports PGP encrypted containers and full disk encryption, TrueCrypt system and hidden disks.