Password Recovery, System Security & Forensic Software


Elcomsoft System Recovery

Forensically Sound Extractions, Verifiable Disk Imaging

When accessing a locked system during an in-field investigation, speed is often the most important factor. However, maintaining digital chain of custody is crucial when producing court admissible evidence. Elcomsoft System Recovery contains features to help establish and maintain digital chain of custody throughout the investigation.

In order to preserve digital evidence, the chain of custody begins from the first point of data collection. Elcomsoft System Recovery employs a forensically sound workflow to ensure that digital evidence collected during the investigation remains court admissible. The workflow implements read-only, write-blocking access to the target computer, and saves collected evidence in the form of digitally signed, verifiable disk images, making Elcomsoft System Recovery a viable alternative to hardware-based write blocking disk imaging devices while offering real-time access to crucial evidence.

Write-blocking disk access

Elcomsoft System Recovery helps produce court admissible evidence with its write-blocking mode and read-only disk imaging. The write-blocking mode is engaged by default during the first steps of running Elcomsoft System Recovery, ensuring that no data is modified on the target computer. Experts must explicitly untick the “read-only” box to access system management functionality such as resetting Windows user and administrative passwords.

Verifiable disk imaging

The disks can be imaged into verifiable .E01 images. Together with read-only access, the use of hashing helps establish digital chain of custody, while employing the industry-standard .E01 format makes the images compatible with third-party forensic tools for comprehensive analysis. Whether the disk is imaged into a RAW/DD or the newly supported .E01 format, Elcomsoft System Recovery calculates a hash file and places it alongside the image. The hash values calculated during collection can be used to authenticate evidence at a later stage.
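One way to carry out that later authentication step for a RAW/DD image (a single file or one split into .001/.002 segments) against its sidecar hash file. This is an added example, not Elcomsoft's code; the sidecar line format "algo: hexdigest" and the numbered segment naming are assumptions, since the page does not specify ESR's file layout.

```python
"""Verify a RAW/DD disk image against the hash file recorded at collection.
Added example, not ESR's own code. Assumed sidecar format: one line per
algorithm, e.g. "sha256: <hex>"; split images are assumed to be named
image.001, image.002, ... and are hashed as one contiguous byte stream."""
import hashlib
import hmac
import sys
from pathlib import Path
from typing import Dict, Iterable, List

CHUNK = 4 * 1024 * 1024  # stream the image in 4 MiB pieces, never load it whole


def hash_streams(streams: Iterable[Iterable[bytes]], algos: List[str]) -> Dict[str, str]:
    """Hash the concatenation of all segment streams in a single pass.
    A split image must be hashed across segment boundaries, not per
    segment, or the digest will never match the collection-time value."""
    hashers = {a: hashlib.new(a) for a in algos}
    for stream in streams:
        for chunk in stream:
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def read_chunks(path: Path) -> Iterable[bytes]:
    with path.open("rb") as f:
        while chunk := f.read(CHUNK):
            yield chunk


def image_segments(first: Path) -> List[Path]:
    """image.001 -> [image.001, image.002, ...]; a plain file -> [itself]."""
    if first.suffix[1:].isdigit():
        return sorted(first.parent.glob(first.stem + ".[0-9]*"))
    return [first]


def parse_sidecar(text: str) -> Dict[str, str]:
    """Parse 'algo: hex' lines; names and digests are normalised to lower case."""
    recorded = {}
    for line in text.splitlines():
        algo, sep, digest = line.partition(":")
        if sep:
            recorded[algo.strip().lower()] = digest.strip().lower()
    return recorded


def verify(computed: Dict[str, str], recorded: Dict[str, str]) -> Dict[str, bool]:
    """Every recorded digest must be present and match; compare in constant time."""
    return {a: a in computed and hmac.compare_digest(computed[a], d)
            for a, d in recorded.items()}


def verify_image(first_segment: Path, sidecar: Path) -> Dict[str, bool]:
    recorded = parse_sidecar(sidecar.read_text())
    algos = [a for a in recorded if a in hashlib.algorithms_available]
    computed = hash_streams((read_chunks(p) for p in image_segments(first_segment)), algos)
    return verify(computed, recorded)


if __name__ == "__main__":  # usage: verify_image.py <image or image.001> <hashfile>
    results = verify_image(Path(sys.argv[1]), Path(sys.argv[2]))
    for algo, ok in results.items():
        print(f"{algo}: {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```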

Improved Full-Disk Encryption Workflow

Elcomsoft System Recovery makes it easier to access data stored in encrypted disks and containers. With automatic detection of encrypted volumes, ESR will automatically extract hashes required to launch an attack[1] on the password of the encrypted volume, saving them to the flash drive to offer faster access to encrypted evidence compared to the traditional workflow. In addition, ESR can extract and save hibernation files that may contain the encryption keys to access information stored in encrypted volumes. These keys can be used to instantly mount encrypted volumes or decrypt their content for offline analysis[2].

Encrypted Virtual Machines

In the world of hi-tech crime, encrypted virtual machines have become one of the most widely used cover-up tools. Manually locating such virtual machines can be an involved and time-consuming process. We made your work easier by finding many types of encrypted virtual machines automatically. Better yet, ESR will automatically capture the encryption metadata you’ll need to launch the attack on the VM encryption password in Elcomsoft Distributed Password Recovery.

Reset or Recover Windows Account Passwords

Up to 40% of support calls are related to forgotten passwords and locked logins. Elcomsoft System Recovery helps instantly reset Windows system passwords, enabling system administrators to regain access to locked Windows accounts. Supporting local Windows accounts, network domains and Microsoft Accounts, Elcomsoft System Recovery is a must-have tool for network administrators, IT professionals and security specialists.

Reset or Recover SYSKEY Passwords

SYSKEY passwords were a dubious and controversial way to add an extra layer of security to Windows login. Used in older versions of Windows, SYSKEY passwords were removed from Windows 10 and Windows Server 2016 release 1709. An unknown SYSKEY password blocks Windows startup and prevents the ability to recover or reset the user's account password.

Elcomsoft System Recovery can reset SYSKEY passwords in order to restore the system’s normal boot operation. Before resetting a SYSKEY password, ESR will now check whether this operation is safe for the system.

In addition, Elcomsoft System Recovery can look up cached SYSKEY passwords in various system databases and cache files before resetting.

Instant Reset and Configurable Attacks

Elcomsoft System Recovery can reset account passwords instantly, while supporting pre-configured attacks to recover the original passwords. In addition, users can upload their own custom dictionaries for high-performance dictionary attacks with up to 4 levels of mutations.

Elcomsoft System Recovery unlocks locked and disabled user and administrative accounts in Windows 7, 8, 8.1 and Windows 10, as well as many legacy versions of Windows including Windows Vista, Windows XP, Windows 2000 and Windows NT, and the corresponding Server versions up to and including Windows Server 2019. Both 32-bit and 64-bit systems are supported.

Features and Benefits

  • Ready to boot with licensed Windows PE (Preinstallation Environment)
  • Forensically sound digital triage
  • Verifiable disk images
  • Extracts Wi-Fi passwords
  • Includes two-panel file manager for navigating around the file system, copying and viewing files
  • Supports legacy BIOS and modern UEFI configurations (32-bit and 64-bit environments)
  • Supports Windows tablets with 32-bit and 64-bit UEFI configurations
  • Create bootable media for macOS computers
  • Locate encrypted virtual machines and extract encryption metadata for subsequent password recovery
  • Create forensic disk images
  • Extract encryption metadata from TrueCrypt, VeraCrypt, Bitlocker, PGP Disk, FileVault, LUKS, LUKS2, and HFS+/APFS encrypted volumes
  • Reset passwords to cached AD credentials
  • Customized boot environment with additional drivers for cutting-edge and legacy configurations
  • Instantly resets user and administrative passwords
  • Pre-configured attacks for recovering plain-text passwords
  • An option to dump hashed passwords from SAM/SYSTEM files or Active Directory database for further analysis and off-line password recovery
  • Recovering the original password may provide access to EFS-encrypted files
  • Unlocks disabled user and administrative accounts
  • Assigns administrative privileges to any user account
  • Resets or disables password expiry options
  • Broad hardware compatibility and genuinely native FAT and NTFS support
  • Genuine Windows GUI for convenient operation
  • Supports Windows 7, 8, 8.1, 10, 11
  • Supports legacy versions of Windows including Windows Vista, Windows XP, Windows 2000 and Windows NT
  • Supports Windows Server 2003-2022
  • Supports US and localized versions of Windows and multilingual user names and passwords
  • Detects all Windows installations automatically

Ready to Boot, Immediate Assistance, Easy to Operate

Elcomsoft System Recovery comes with everything to quickly create a bootable DVD or USB flash drive. The image is based on a customized Windows PE environment, and comes pre-configured with a number of drivers to allow seamless experience on most legacy and cutting-edge hardware configurations.

Create a bootable USB drive or DVD disc in a few easy steps for immediate assistance. Elcomsoft System Recovery comes with 32-bit and 64-bit UEFI and legacy BIOS configurations, allowing you to create bootable media for all types of systems.

The genuine Windows PE environment offers complete access to the familiar Windows graphical user interface. No command line scripts and no poor imitations of the Windows GUI!

Broad Compatibility

Elcomsoft System Recovery comes with a customized Windows PE environment. The bootable environment supports the widest range of hardware components including the latest storage controllers and chipsets. Unlike the various emulation environments, Elcomsoft System Recovery is genuinely compatible with the latest revisions of Microsoft file systems, including the latest versions of FAT and NTFS.

macOS Encryption

With Elcomsoft System Recovery, experts can now create a flash drive to boot macOS computers. The bootable flash drive allows experts to extract hashes from TrueCrypt, VeraCrypt, Bitlocker, FileVault (HFS+/APFS), PGP Disk, LUKS and LUKS2 encrypted disks to quickly initiate password attacks on encrypted volumes without imaging the whole drive.

Instant Unlock

If there are no EFS-encrypted files on your Windows account, an instant unlock option is the quickest and easiest way to gain access to user and administrative accounts. Elcomsoft System Recovery resets forgotten passwords with a new password supplied by you, allowing for immediate login without the time-consuming password recovery operations.

Recovers Windows Account and Wi-Fi Passwords

In case you must know the original password to a Windows account, Elcomsoft System Recovery is fully equipped with everything needed to recover the password. Common passwords and a dictionary attack are attempted first, and take only minutes with good chances of retrieving a password.

Elcomsoft System Recovery knows places where system passwords are cached, often allowing for instant password recovery.

Offline password recovery is easily possible by dumping hashed passwords from SAM/SYSTEM files or the Active Directory database for further off-line analysis. ElcomSoft recommends Elcomsoft Distributed Password Recovery for highly scalable, GPU-accelerated recovery of system passwords.

In addition to Windows account passwords, ESR can extract stored Wi-Fi passwords. Together with other types of passwords, the Wi-Fi passwords can be added to a highly targeted custom dictionary that can be used to break strong encryption and attack passwords protecting encrypted documents, disks and accounts.

Extracts Password Hints, Questions and Answers

Elcomsoft System Recovery can extract password hints and security questions and answers aimed at helping users recall their forgotten passwords. Examiners can use password hints and QA to re-create the user’s original passwords and make targeted dictionaries for password attacks.

Supports Microsoft Account Passwords and Windows Hello PINs

In Windows 8, Microsoft added the ability to authenticate Windows accounts via Microsoft Account. Microsoft Account is an online authentication mechanism that is actively used in new versions of Windows including Windows 10. Microsoft Account credentials are authenticated online on Microsoft servers; however, Elcomsoft System Recovery can instantly reset the locally cached copy of the user’s Microsoft Account password and switch authentication mode back to offline. In addition, the tool can quickly brute-force 4-digit through 6-digit Windows Hello PINs on computers without a Trusted Platform Module (TPM).

In addition to instantly resetting the password, Elcomsoft System Recovery comes with the ability to export hashed Microsoft Account passwords, enabling experts to perform an attack to recover original plain-text passwords using Elcomsoft Distributed Password Recovery or compatible tool. By recovering the original password, experts gain access to large amounts of information stored in Microsoft and third-party services authenticated via Microsoft Account. These services include Skype, Hotmail, and OneDrive. In addition, Microsoft Account can unlock access to Windows Phone and Windows 10 Mobile backups, detailed information about the account owner, the complete list of all desktop and mobile devices connected to the account (along with their locations), and in some cases even synced browsing history from all of the user’s devices, favorites and form data including passwords to online services and social networks. Finally, knowing the user’s Microsoft Account password enables access to BitLocker Recovery Key, allowing experts to access volumes encrypted with BitLocker.

Safe Operation

Each step taken by Elcomsoft System Recovery is accompanied by a full backup of all changes, allowing the system to be easily rolled back to its original state.

Case Studies

Elcomsoft System Recovery is an all-in-one security tool for Windows accounts. The tool helps detect and resolve a variety of issues related to user and administrative account passwords.

  • Perform forensically sound data collection
  • Do in-field analysis and disk imaging
  • Collect court admissible evidence during in-field investigations
  • Assign Administrator privileges to any user account
  • Enable and unlock the locked and disabled user accounts
  • Create forensic disk image for subsequent in-lab analysis
  • Change and reset passwords for any local accounts
  • List all local user accounts and highlight Administrator accounts
  • Look up account privileges
  • Detect accounts with empty passwords
  • Instantly recover certain passwords to special/system accounts (e.g. IUSR_, HelpAssistant, etc)
  • Backup and restore SAM/SYSTEM files
  • Optionally restore original SAM/SYSTEM files after successful logon with a new password

Feature List

Windows versions support

  • Supports Windows XP/Vista/7, Windows 8/8.1, Windows 10, Windows 11
  • Supports Windows NT/2000/XP workstations
  • Supports Windows NT/2000/2003-2022 servers
  • Creates bootable media for 32-bit and 64-bit BIOS
  • Creates bootable media for 32-bit and 64-bit UEFI
  • Supports Windows 8/8.1/10 Live! (Microsoft) accounts

General features

  • Based on Windows PE
  • Create bootable CD or USB flash drive
  • Collect crucial evidence and establish digital chain of custody
  • Create verifiable forensic disk images
  • Reset password to user accounts
  • Dump password hashes for local and domain accounts for further recovery

Advanced features

  • In-place recovery of 4 through 6-digit Windows Hello PIN codes on systems without a TPM
  • Locate encrypted virtual machines and extract encryption metadata for subsequent password recovery
  • Extract Wi-Fi passwords
  • Reveals Windows license keys
  • Browse the file system, copy and view files with two-panel file manager
  • Multilingual user interface
  • Supports all RAID/SCSI/SATA devices
  • Automatic mode (list of installed systems)
  • Manual mode (browse for Registry files)
  • Reset local Administrator password
  • Backup/restore SAM
  • Enable/unlock Administrator account
  • Unlock BitLocker volumes (if one of the disk protectors is known or available)
  • Create bootable media for macOS computers
  • Extract hash dumps from TrueCrypt, VeraCrypt, Bitlocker, FileVault (HFS+/APFS), PGP Disk, LUKS and LUKS2 encrypted disks
  • Extract password hints and control questions and answers
  • Reset passwords to cached AD credentials
  • Highlight accounts with Administrator rights
  • Look up account privileges
  • Enable/unlock disabled/locked accounts
  • Give Administrator privileges to any user account
  • Recover passwords for some system accounts
  • Reset Domain Administrator password
  • Dump password hashes for AD accounts
  • Backup/restore NTDS.DIT
  • Show LM/NTLM hashes
  • Show password history hashes
  • Test short and simple passwords
  • SAM database editor
  • Reset SYSKEY security
  • Look up SYSKEY passwords

License, maintenance, delivery

  • Instant download
  • One year of free updates
  • Licensed for business use

Quick Forensic Tools

Quick forensic tools introduce features that make it easier to analyze computer systems on the spot. The tools allow reviewing the list of applications installed in the system, analyzing the users’ timeline, accessing the list of recently accessed files and folders, and much more, enabling forensic experts to collect and extract essential artifacts from the computers they are examining by booting from a designated USB device.

Experts can collect and extract essential artifacts from the computers they are examining by booting from a designated USB device without the need to remove and image the disks. These artifacts include crucial items such as a copy of the user's Windows registry, important DPAPI and encryption keys, system credentials, various system and event logs, as well as page and hibernation files that can be scanned for encryption keys used by BitLocker and third-party disk encryption tools.

These built-in forensic tools enable a strategy known as the “low hanging fruit”, allowing investigators to quickly gather the most critical and easily accessible evidence along with keys to encrypted disks and vaults. Since Elcomsoft System Recovery operates as a bootable disk, the tool allows experts to extract crucial data and make informed decisions on-site. Based on the collected data, investigators can determine whether it is necessary to create a disk image for further in-depth analysis. This streamlined approach saves time and resources, ensuring that investigations can progress swiftly and accurately in both the field and the laboratory.

Elcomsoft System Recovery goes beyond merely extracting a number of easily accessible forensic artifacts. It aims to provide comprehensive insights into user activity, both online and offline. The tool retrieves passwords, critical documents, and even provides visibility into the applications and files accessed by the user. While the exact list of data collected is extensive and continually expanding, rest assured that Elcomsoft System Recovery strives to quickly retrieve the maximum amount of relevant information on the spot.

System Artefacts

  • System Registry
  • Active Directory
  • Amcache
  • Program Compatibility Assistant
  • Energy reports
  • Microsoft Store logs
  • Shimcache
  • SRUM (System Resource Utilization Monitor)
  • Microsoft User Access Logs
  • Scheduled tasks
  • Windows events
  • Windows prefetch
  • setup.api logs
  • Recycle Bin
  • WER (Windows Error Reporting)
  • WiFi network configs and passwords
  • Windows search database
  • System DPAPI
  • System credentials
  • System vault
  • System crypto keys and certificates
  • Windows notifications
  • Defender logs
  • System logs
  • NGC keys
  • Memory dumps

User Artefacts

  • User Registry
  • ActivitiesCache
  • Recycle Bin
  • Notifications
  • RDP cache
  • Crash dumps
  • DPAPI keys
  • PowerShell console history
  • User credentials
  • User vault
  • User crypto keys and certificates
  • Files in Desktop/Documents/Downloads/Videos folders
  • Jumplist (Recent files)
  • Windows Mail/calendar/phone/contacts database
  • Browsers data:
    Chromium: Amigo, Xpom, Kometa, Nichrome, Torch, Blisk, Orbitum, Slimjet, QIP Surf, Kinza, BlackHawk, Superbird, Sidekick, Iridium, Vivaldi, SRWare Iron, GhostBrowser, CentBrowser, Xvast, Chedot, SuperBird, SalamWeb, Elements, Chrome, CocCoc, QQBrowser, 360Browser, 360, Comodo Dragon, Brave, Epic Privacy, AVAST Software, Citrio, Uran, Coowon, 7Star, Chrome Canary, CoolNovo, Sputnik, Microsoft Edge, Atom, AVG, CCleaner, CryptoTab, Maxthon, Netbox, Swing, UR, ViaSat, Yandex, UCBrowser
    Mozilla: Firefox, Slim, Pale Moon, Waterfox, Cyberfox, BlackHawk, IceCat, Thunderbird, PostboxApp, Comodo IceDragon, SeaMonkey, Basilisk, BitTube, Cliqz, K-Meleon, Falkon
    Microsoft Edge

  1. Elcomsoft Distributed Password Recovery is required to recover passwords to encrypted containers.

  2. Elcomsoft Forensic Disk Decryptor is required to search for encryption keys, mount and/or decrypt encrypted volumes.