
Hacking prevention. Open password-protected crypt files with Elcomsoft Forensic Disk Decryptor. Why a kernel-level driver is required for an imaging device, a snapshot


ElcomSoft software package for removing password protection with the maximum number of supported data formats, security systems and encryption algorithms. The set includes all the company's products for password recovery.

System requirements:
Windows: 7, 8, 8.1, 10, Server 2012, Server 2016, Server 2019

Torrent Software for guessing passwords - ElcomSoft Password Recovery Bundle Forensic Edition 2019 in detail:
ElcomSoft Password Recovery Bundle 2019 includes:
ElcomSoft Advanced Archive Password Recovery 4.54.110
ElcomSoft Advanced EFS Data Recovery Pro 4.50.51.1795
ElcomSoft Advanced IM Password Recovery 4.90.1805
ElcomSoft Advanced Intuit Password Recovery 2.0
ElcomSoft Advanced Lotus Password Recovery 2.11
ElcomSoft Advanced Mailbox Password Recovery 1.11.476
ElcomSoft Advanced Office Password Breaker Enterprise Edition 3.05.802
ElcomSoft Advanced Office Password Recovery Pro 6.34.1889
ElcomSoft Advanced PDF Password Recovery Enterprise 5.08.145
ElcomSoft Advanced Sage Password Recovery 2.30.383
ElcomSoft Advanced SQL Password Recovery 1.13.1786
ElcomSoft Advanced VBA Password Recovery 1.63
ElcomSoft Advanced WordPerfect Office Password Recovery 1.35
ElcomSoft Cloud eXplorer ECX Forensic 2.11.28407 Full
ElcomSoft Dictionaries 1.0.1110
ElcomSoft Distributed Password Recovery 4.10.1236
ElcomSoft Explorer for WhatsApp Standard 2.60.30943
ElcomSoft Forensic Disk Decryptor Common 2.10.567
ElcomSoft Internet Password Breaker Standard Edition 3.10.4770
ElcomSoft iOS Forensic Toolkit 5.0
ElcomSoft Lightning Hash Cracker 0.60
ElcomSoft Password Digger Standard 1.04.147
ElcomSoft Phone Breaker 8.30
ElcomSoft Phone Breaker 9.05.31064 Forensic Edition Windows
ElcomSoft Phone Password Breaker Professional 3.00.106
ElcomSoft Phone Viewer Forensic 4.40.31234
ElcomSoft Proactive Password Auditor 2.07.61
ElcomSoft Proactive System Password Recovery 6.60.568
ElcomSoft System Recovery 5.60.389 BootISO
ElcomSoft Wireless Security Auditor Pro 7.12.538

Description of package applications:
ElcomSoft Advanced Archive Password Recovery - decryption of protected ZIP and RAR archives and recovery of the original password. Maximum performance when recovering complex passwords. Some types of archives are guaranteed to be decrypted within an hour.
ElcomSoft Advanced EFS Data Recovery Pro - decrypts NTFS-encrypted files using Encrypting File System (EFS).
ElcomSoft Advanced IM Password Recovery - instant password recovery from dozens of instant messaging programs. Support for ICQ, AOL, MSN, Yahoo!, Mail.ru clients, Jabber, Picasa, QIP and many others. The extracted passwords can be used to compose a dictionary, which can significantly speed up the search for passwords for encrypted files.
ElcomSoft Advanced Intuit Password Recovery - recovering access to password-protected Intuit Quicken and QuickBooks documents.
ElcomSoft Advanced Lotus Password Recovery - instant recovery of passwords of any complexity for Lotus SmartSuite documents.
ElcomSoft Advanced Mailbox Password Recovery - guaranteed recovery of passwords for email clients and POP3 and IMAP email accounts. Retrieves the username and password stored on the user's computer. Built-in POP3 / IMAP server emulator to intercept POP3 and IMAP passwords from any mail client, including mobile applications.
ElcomSoft Advanced Office Password Breaker Enterprise Edition - guaranteed recovery of access to encrypted documents in Microsoft Office 97/2000 applications in minutes.
ElcomSoft Advanced Office Password Recovery Pro - guaranteed recovery of access to encrypted documents in Microsoft Office 97/2000 application formats in minutes.
ElcomSoft Advanced PDF Password Recovery Enterprise - guaranteed removal of restrictions on editing, printing and copying PDF files. Recovery of the password for opening a document, with support for hardware acceleration. The patented Thunder Tables technology guarantees 40-bit key recovery within a minute.
ElcomSoft Advanced Sage Password Recovery - guaranteed access to protected ACT! documents. Change and recover passwords for BLB, MUD and ADF / PAD documents created with ACT!. Remote operation does not require ACT! on the computer.
ElcomSoft Advanced SQL Password Recovery - guaranteed recovery of access to password-protected Microsoft SQL Server databases. Instantly reset or change any user or database administrator password in Microsoft SQL Server format.
ElcomSoft Advanced VBA Password Recovery is a tool for recovering, removing and replacing passwords for Microsoft Office, OpenOffice, Apple iWork, and Hangul Office documents, with GPU acceleration support.
ElcomSoft Advanced WordPerfect Office Password Recovery - instant password recovery for Corel WordPerfect Office documents. Extract passwords from WordPerfect, Quattro Pro and Paradox within seconds.
ElcomSoft Cloud eXplorer ECX Forensic - extract and view data from Google accounts. It retrieves passwords and browser history, user location data for the entire lifetime of the account, mail messages and contacts, Google Keep notes, bookmarks, search query history, calendars and more. Authentication with and without a password is supported.
ElcomSoft Distributed Password Recovery is a productive solution for corporate clients of government organizations. Recover passwords for dozens of file, document, key and certificate formats on clusters of computers united in a single distributed computer network.
ElcomSoft Explorer for WhatsApp Standard is a tool for retrieving, viewing and analyzing the communication of WhatsApp users with iOS and Android support.
ElcomSoft Forensic Disk Decryptor Common - instantly decrypt or mount BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt encrypted containers using passwords, escrow keys and encryption keys extracted from a RAM image, paging file or hibernation file.
ElcomSoft Internet Password Breaker - Instantly extract available passwords for websites, accounts and mailboxes from a variety of applications. Support for saved fields and passwords in Internet Explorer, Edge, Chrome, Firefox, Opera, Outlook and Outlook Express, Windows Mail and Windows Live Mail.
ElcomSoft iOS Forensic Toolkit is a specialized tool for extracting data from devices running Apple iOS using physical and logical analysis methods.
ElcomSoft Password Digger Standard - decryption of the contents of system and user protected keychain vaults of macOS (OS X). Saving a list of passwords to a text file that can be used as a dictionary to speed up the search for passwords with appropriate tools.
ElcomSoft Phone Breaker - extract information from devices running iOS, Windows Phone, Windows 10 Mobile and BlackBerry 10; decrypt backups and guess unknown passwords using hardware acceleration.
ElcomSoft Phone Password Breaker - Extract information from devices running iOS, Windows Phone, Windows 10 Mobile and BlackBerry 10, decrypt backups and brute force unknown passwords using hardware acceleration.
ElcomSoft Phone Viewer Forensic is a simple, convenient and compact tool for viewing information extracted from devices running iOS, BlackBerry and mobile Windows. The product supports Elcomsoft Phone Breaker output formats and standard iTunes and BlackBerry Link backup formats.
ElcomSoft Proactive Password Auditor - audit of corporate security policy. The product will allow you to find out the degree of security of the local network by launching full-scale attacks on account passwords. Identifying weak and insecure passwords, the product identifies weaknesses in the protection of the local network.
ElcomSoft Proactive System Password Recovery - recover many types of passwords and view hidden Windows information. Extract Wi-Fi keys (WEP and WPA-PSK), VPN, RAS, dial-up passwords, passwords for network resources, connections and RDP.
ElcomSoft System Recovery BootISO helps restore access to Windows accounts, including local, network and Microsoft Account accounts. Supports reset and recovery of original passwords.
ElcomSoft Wireless Security Auditor - security audit of Wi-Fi wireless networks, checking the congestion of wireless networks and channels. Capturing packets using a dedicated or consumer Wi-Fi adapter and a full-blown WPA / WPA2 password attack.

Treatment procedure:
Each program has instructions and medicine in a folder with installation files. This is usually a key or file replacement.

Elcomsoft Forensic Disk Decryptor is designed to decrypt BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt encrypted containers and perform forensic analysis of data stored in encrypted volumes. Both fixed and portable media are supported, including PGP in full disk encryption mode, and removable disks protected with BitLocker To Go.

With the help of Elcomsoft Forensic Disk Decryptor, you can both completely decrypt the contents of a protected volume, and work in real time with the connection of encrypted volumes and decryption of selected data on the fly.

Product features

  • Decryption of information protected by the three most common cryptocontainers (BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt)
  • Supports BitLocker To Go-protected portable media and memory cards and Hardware TPM-protected BitLocker volumes
  • Support for the BitLocker XTS-AES format added in the November update of Windows 10 (Build 1511)
  • Supports all PGP modes, including full disk encryption
  • Real-time and full decryption access
  • Extracting data decryption keys from hibernation files and image files of the computer's RAM
  • Built-in kernel-mode RAM imaging tool, digitally signed by Microsoft
  • The ability to create a portable installation to run from a USB stick
  • The ability to decrypt volumes using plain text passwords and escrow keys
  • Decrypt BitLocker volumes, including TPM-protected volumes, using escrowed BitLocker Recovery Keys that can be retrieved from a Microsoft Account or Active Directory
  • Decrypt PGP volumes with Recovery Key
  • Decrypt FileVault 2 volumes using keys deposited in iCloud (Elcomsoft Phone Breaker required to retrieve them)
  • Retrieves all keys from the main memory dump at the same time, even if there is more than one cryptocontainer on the system
  • Guarantee of the integrity and invariability of the investigated data
  • Support for both physical media and images in RAW (DD) formats, EnCase .E01, DMG (including encrypted)
  • Supports 32-bit and 64-bit versions of Windows (from Windows XP and later, including Windows 10)

Elcomsoft Forensic Disk Decryptor provides access to information stored in encrypted volumes created by BitLocker, PGP and TrueCrypt crypto containers, allowing you to completely decrypt data or mount encrypted volumes for quick access in real time with on-the-fly file decryption.

Full decryption, mount or attack

Two modes of access to encrypted information are supported: full decryption and real-time access mode.

Full decryption of protected data

In this mode, Elcomsoft Forensic Disk Decryptor automatically decrypts all data stored in the cryptocontainer. This mode gives the fullest access to protected data, decrypting absolutely all files from the encrypted volume.

Connecting crypto-containers and decrypting data "on the fly"

In real-time mode, data access is provided instantly. The cryptocontainer is mounted in the system as a new disk, after which the data can be extracted using the standard Explorer or any other tool for working with files. In this case, the information is decrypted "on the fly", in the process of reading the data.

The speed of reading data in real-time access mode is limited only by the speed of the hard disk.

Brute force passwords

In cases where neither a cryptographic key nor an access recovery key can be extracted, you may need to recover the original password to access the data. The password that protects the encrypted container can be attacked using a range of modern techniques, including dictionary attacks, mask attacks, mutations and brute force attacks. (Except VeraCrypt)

Data integrity and invariability guarantee

Access to data and work with cryptocontainers is provided without changing their content. The authenticity and invariability of the information received is guaranteed.

Retrieving Decryption Keys

Elcomsoft Forensic Disk Decryptor retrieves the keys with which the data was encrypted. With the help of these keys, decryption is carried out in real time - almost instantly.

The product supports several methods for extracting decryption keys.

  • Analysis of the hibernation file (the examined computer is turned off);
  • Analysis of a snapshot of the computer's RAM (can be obtained using the built-in utility)
  • Attack through the FireWire port (the computer must be turned on, and the encrypted volumes must be connected). To carry out an attack through the FireWire port, an additional computer is required with a free product installed (such as Inception).
  • Capturing an image of RAM using the built-in tool (it can be run from a USB drive)

Using passwords and escrow keys

Elcomsoft Forensic Disk Decryptor provides the ability to mount or fully decrypt encrypted containers with a known password or escrow key. FileVault 2 escrow keys can be retrieved from Apple's iCloud service via Elcomsoft Phone Breaker, and BitLocker keys can be obtained from Active Directory or from a Microsoft Account.

Extracting keys to decrypt data

The decryption key is required to gain access to the encrypted data and decrypt the contents of the cryptocontainer. Elcomsoft Forensic Disk Decryptor supports three key extraction methods. The choice of method depends on whether the computer under investigation is turned on or off, and on whether it is possible to run a program for taking an image ("snapshot") of RAM on the computer under investigation.

Computer is off: in this case, the keys are retrieved from the hibernation file. Protected volumes must be mounted before shutting down the computer. If the crypto container was unmounted before the creation of the hibernation file, it will be impossible to extract keys from it.

Computer turned on: if possible, a program for taking a snapshot of RAM is launched on the computer under investigation. The contents of the RAM are saved to a file from which Elcomsoft Forensic Disk Decryptor extracts decryption keys. Encrypted volumes must be online at the time of taking a snapshot; otherwise, the decryption key cannot be retrieved. A detailed description of this technology (and a full list of both commercial and free software) is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

The computer is turned on with limited access: if it is impossible to launch programs on the computer under investigation (there are not enough privileges, there is no password for the user account, etc.), extraction of the keys is possible by carrying out an attack through the FireWire port. The attack is carried out from a separate computer or laptop connected to the computer under investigation via the FireWire interface. The attack uses a free utility installed separately (for example, Inception: http://www.breaknenter.org/projects/inception/). This kind of attack gives a result close to one hundred percent. The encrypted volumes must be mounted at the time of the attack.

After extracting the decryption keys, they are saved in the database, after which Elcomsoft Forensic Disk Decryptor will offer to carry out a complete decryption of the contents of the encrypted container or mount protected volumes in the form of new disks for on-the-fly decryption.

If it is impossible to extract the encryption keys and the recovery keys are unavailable, EFDD will extract the data from the encrypted volume that is necessary to launch a distributed attack using Elcomsoft Distributed Password Recovery.
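
Seen from the side of the machine owner, the three extraction paths above correspond to three conditions that can be checked on a Windows host: a hibernation file exists, an encrypted volume is currently unlocked, or a FireWire controller is present without the SBP-2 driver being blocked. The read-only audit below is an added example, not part of the original page or of any Elcomsoft product; the function name `Get-KeyExposureReport` is chosen here, and the registry paths and the SBP-2 device class GUID are standard Windows details that do not come from the page. It only inspects BitLocker volumes, since the other containers have no built-in cmdlet.

```powershell
# Added example (not from the original page). Read-only audit of the three
# key-exposure conditions described in the text. Run from an elevated prompt.

function Get-KeyExposureReport {
    $report = @()

    # 1. Hibernation file: RAM contents, including keys of volumes that were
    #    mounted when the machine hibernated, are written to hiberfil.sys.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -Name HibernateEnabled -ErrorAction SilentlyContinue
    # -Force is required because hiberfil.sys is a hidden system file.
    $hiber = Get-ChildItem -LiteralPath "$env:SystemDrive\" -Filter 'hiberfil.sys' `
                           -Force -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{
        Path    = 'Hibernation file'
        Exposed = ($power.HibernateEnabled -eq 1) -or [bool]$hiber
        Detail  = "HibernateEnabled=$($power.HibernateEnabled); hiberfil.sys present=$([bool]$hiber)"
    }

    # 2. RAM snapshot: keys are in memory only while a volume is unlocked.
    $unlocked = @()
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $unlocked = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
            Where-Object { $_.ProtectionStatus -eq 'On' -and $_.LockStatus -eq 'Unlocked' })
    }
    $report += [pscustomobject]@{
        Path    = 'RAM snapshot'
        Exposed = $unlocked.Count -gt 0
        Detail  = "Unlocked BitLocker volumes: $(($unlocked | ForEach-Object MountPoint) -join ', ')"
    }

    # 3. FireWire DMA: relevant only if a 1394 controller exists. Windows can
    #    refuse to load the SBP-2 driver through a device installation
    #    restriction policy on the SBP-2 device setup class.
    $sbp2Class = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'
    $denyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses'
    $fwCtrl    = @(Get-CimInstance -ClassName Win32_1394Controller -ErrorAction SilentlyContinue)
    $blocked   = $false
    if (Test-Path -Path $denyKey) {
        $key     = Get-Item -Path $denyKey
        $denied  = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
        $blocked = $denied -contains $sbp2Class      # -contains ignores case
    }
    $report += [pscustomobject]@{
        Path    = 'FireWire port'
        Exposed = ($fwCtrl.Count -gt 0) -and (-not $blocked)
        Detail  = "1394 controllers=$($fwCtrl.Count); SBP-2 class blocked by policy=$blocked"
    }

    return $report
}

Get-KeyExposureReport | Format-Table -AutoSize -Wrap
```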

Tool to take an image of RAM

Elcomsoft Forensic Disk Decryptor includes a tool that allows you to take an image of a computer's RAM. The tool works through a low-level driver that runs in the kernel mode of the system. The driver is available in 32-bit and 64-bit versions that are compatible with Windows 7, 8, 10 and the corresponding server editions. The driver is digitally signed by Microsoft, and is fully compatible with the latest builds of Windows 10 Fall Creators Update that verify the digital signature of the driver.

It is recommended to run the RAM imaging utility from an external USB drive on which the portable version of Elcomsoft Forensic Disk Decryptor is deployed.

Portable installation

Elcomsoft Forensic Disk Decryptor users can deploy a portable version of the toolkit to an external USB storage device. The portable version is essential for technical due diligence and forensic analysis. It runs directly from the installation drive, does not require installation or configuration on the user's computer, and does not modify the system registry or file system.

Compatibility

Elcomsoft Forensic Disk Decryptor supports encrypted volumes, drives and portable media protected with BitLocker, FileVault 2, PGP and TrueCrypt, as well as disk images in RAW (DD) format. Flash card encryption using BitLocker To Go is supported, as well as full drive encryption using PGP.

Elcomsoft Forensic Disk Decryptor 1.0.124

This program is designed to decrypt BitLocker, PGP and TrueCrypt encrypted containers and perform forensic analysis of data stored in encrypted volumes.

Both fixed and portable media are supported, including PGP in full-drive encryption mode, and removable drives protected with BitLocker To Go. With the help of Elcomsoft Forensic Disk Decryptor, you can both completely decrypt the contents of a protected volume, and work in real time with the connection of encrypted volumes and decryption of selected data on the fly.

Key features of Elcomsoft Forensic Disk Decryptor:

  • Decryption of information protected by the three most common cryptocontainers
  • Support for BitLocker protected volumes, PGP and TrueCrypt.
  • Support for portable media and flash cards protected by BitLocker To Go.
  • Supports all modes of PGP operation, including encryption of the entire disk.
  • Access in real time and full decryption.
  • Extracting data decryption keys from hibernation files and image files of the computer's RAM.
  • Retrieves all keys from the main memory dump at the same time, even if there is more than one cryptocontainer on the system.
  • Guarantee of the integrity and invariability of the investigated data.
  • Recovery and preservation of data decryption keys.
  • Supports 32-bit and 64-bit Windows.


System requirements:
Operating system: Windows XP, Vista, 7, 8 (x86, x64)
CPU: 1 GHz
RAM: 512 MB
Hard disk space: 8.8 MB
Interface language: English
Size: 8.3 MB
pharmacy4: included
* archive WITHOUT password


Despite the fact that support was stopped, the program continues to exist and remains reliable protection for personal data. In March 2015, the second audit of TrueCrypt was completed. According to the audit results, there is no backdoor in TrueCrypt 7.1a. The auditors noted only 3 potentially weak points that did not lead to the compromise of any data under normal conditions:

  • 1. Lack of authentication of encrypted data in the volume header
  • 2. The mixing of the key file is not done in a cryptographically secure manner
  • 3. An AES implementation may be vulnerable to timing attacks

However, in 2015, Russian developers created applications for opening TrueCrypt containers.

It is one of the most unusual applications that allows decryption of any type of file-containers, on which data encryption programs were used, in order to conduct forensic analysis of the content. The program is used to extract encryption keys.

The program extracts encryption keys using three methods:

  • 1. From a memory dump. All keys are retrieved at the same time, even if more than one cryptocontainer is present in the system. A RAM dump can be generated using appropriate forensic products such as MoonSols Windows Memory Toolkit. Encrypted volumes must be online at the time of taking a snapshot; otherwise, the decryption key cannot be retrieved.
  • 2. Analysis of the hibernation file (the examined computer is turned off). Protected volumes must be mounted before shutting down the computer. If the crypto container was unmounted before the creation of the hibernation file, it will be impossible to extract keys from it.
  • 3. Attack through the FireWire port if you do not have enough rights to take a memory dump or run programs on the analyzed computer. To carry out an attack through the FireWire port, you need an additional computer with a free product installed (for example, Inception). Such an attack gives almost one hundred percent result, but again, the encrypted volumes must be mounted at the time of analysis.

Fig. 11.

If it was possible to extract the encryption keys, then with their help, the information on the media is decrypted in real time.

In real-time mode, data access is provided instantly. The cryptocontainer is mounted in the system as a new disk, after which you can extract the data using the standard "Explorer" or any other tool for working with files. In this case, the information is decrypted "on the fly", in the process of reading the data. There is a trial version, but it is "incomplete": it cannot extract encryption keys. The program also has a full version, which is distributed exclusively to government agencies.

Program interface: English

Platform: XP / 7 / Vista

Manufacturer: Elcomsoft Co. Ltd.

Website: www.elcomsoft.ru

Elcomsoft Forensic Disk Decryptor is one of the most unusual applications that allows decryption of any type of file-containers on which data encryption programs were used, in order to conduct forensic analysis of the content. It is, as they say, truly a program for cracking information. Although Elcomsoft Forensic Disk Decryptor is quite a serious software product, you can download it for free even from our website. After installing Elcomsoft Forensic Disk Decryptor, you will be simply amazed at the possibilities it offers, even if it is used by a completely unprepared user.

Key features of Elcomsoft Forensic Disk Decryptor

This unique product, presumably, is used by the relevant services dealing with crime. Otherwise, how can one explain the possibilities that are available in the Elcomsoft Forensic Disk Decryptor application. First of all, it is worth paying attention to three options for extracting data decryption keys. Here you can use a snapshot of the RAM, an attack through the FireWire port (with the terminal turned on and encrypted volumes connected), as well as analysis of the hibernation file (even with the computer turned off). So if you are trying to hide information from the access of the relevant organizations, do not rush to rejoice.

As for the decryptor, it supports working with crypto-containers such as BitLocker, PGP and TrueCrypt, as well as removable drives, information on which has been fully protected with BitLocker To Go. As you can see, everything is set on a grand scale.

The most interesting thing is that Elcomsoft Forensic Disk Decryptor supports at least two modes of access to information. In the first case, full decryption is performed, and in the second, real-time access. In principle, an unprepared user may not even know that at this moment access has been made, say, to the RAM of his computer, and that the corresponding keys are no longer his personal secret. In addition, in real time such access from the outside does not even affect the performance of his system. Plus, even with the usual Windows Explorer you can work with a cryptocontainer in this case, just as with an additional virtual disk in the system. Moreover, the information is retrieved in a holistic manner and without any changes on the part of the user.