Elcomsoft Forensic Disk Decryptor

Elcomsoft Forensic Disk Decryptor offers forensic specialists an easy way to obtain complete real-time access to information stored in popular crypto containers. Supporting desktop and portable versions of BitLocker, PGP and TrueCrypt protection, the tool can decrypt all files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant access. Decryption keys can be acquired by analyzing hibernation files or memory dumps produced with any forensic product or obtained via a FireWire attack. With zero-footprint operation and real-time access to encrypted information, Elcomsoft Forensic Disk Decryptor becomes an invaluable tool for investigators, IT security and forensic specialists.

Features and Benefits

  • Decrypts information stored in the three most popular crypto containers
  • Mounts encrypted BitLocker, PGP and TrueCrypt volumes
  • Supports removable media encrypted with BitLocker To Go
  • Supports both encrypted containers and full disk encryption
  • Acquires protection keys from RAM dumps and hibernation files
  • Extracts all the keys from a memory dump at once if there is more than one crypto container in the system
  • Fast acquisition (limited only by disk read speeds)
  • Zero-footprint operation leaves no traces and requires no modifications to encrypted volume contents
  • Recovers and stores original encryption keys
  • Supports all 32-bit and 64-bit versions of Windows

The tool provides near-instant acquisition with two options to access the content of encrypted volumes. With full decryption, the entire content of the protected disk is decrypted, providing investigators with full, unrestricted access to all information stored on encrypted volumes. For fast, real-time access to protected information, the encrypted volume can be mounted as a new drive letter. In this mode, the files will be decrypted on the fly.

Elcomsoft Forensic Disk Decryptor supports three ways to acquire decryption keys used to access the content of encrypted containers. Depending on whether the PC is running or turned off, locked or unlocked, the keys can be obtained by analyzing a memory dump or hibernation file, or by performing an attack via the FireWire protocol in order to obtain a live memory dump. In order to obtain the decryption keys, the encrypted volume must be mounted on the target PC.

Elcomsoft Forensic Disk Decryptor supports flash drives and removable media encrypted with BitLocker To Go, and recognizes PGP encrypted volumes and full disk encryption.