- Downloaded
- 121.9 GB
- Uploaded
- 2.5 TB
- Ratio
- 20.88
- Seedbonus
- 7,567
- Upload Count
- 6 (8)
Member for 5 years
Elcomsoft Forensic Disk Decryptor v2.11.751
Instantly access data stored in encrypted BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt containers. The tool extracts cryptographic keys from RAM captures, hibernation and page files or uses plain-text password or escrow keys to decrypt files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.
- Decrypt BitLocker, BitLocker To Go, FileVault 2, PGP, TrueCrypt and VeraCrypt volumes
- Extract cryptographic keys from RAM captures, hibernation and page files, escrow and Recovery keys
- Extract and store all available encryption keys
- Instantly mount encrypted containers as drive letters
- Capture the content of computer's volatile memory with kernel-level tool
- Fast, zero-footprint operation
NEW FEATURES
VeraCrypt Encryption
VeraCrypt is the most popular successor to open-source disk encryption tool TrueCrypt. Compared to the original, VeraCrypt supposes a wider range of encryption methods and hash algorithms. In this update, Elcomsoft Forensic Disk Decryptor receives full support for VeraCrypt volumes, enabling experts extracting hash data from VeraCrypt containers to launch brute-force or smart dictionary attacks with Distributed Password Recovery.
A Fully Integrated Solution for Accessing Encrypted Volumes
Elcomsoft Forensic Disk Decryptor offers all available methods for gaining access to information stored in encrypted BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt disks and volumes. The toolkit allows using the volume's plain-text password, escrow or recovery keys, as well as the binary keys extracted from the computer’s memory image or hibernation file. FileVault 2 recovery keys can be extracted from iCloud with Elcomsoft Phone Breaker, while BitLocker recovery keys are available in Active Directory or in the user’s Microsoft Account.
If neither the encryption key nor the recovery key can be extracted, EFDD can extract meta data from the encrypted container to let Elcomsoft Distributed Password Recovery do its job.
Full Decryption, Instant Mount or Attack
With fully automatic detection of encrypted volumes and encryption settings, experts will only need to provide path to the encrypted container or disk image. Elcomsoft Forensic Disk Decryptor will automatically search for, identify and display encrypted volumes and details of their corresponding encryption settings.
Access is provided by either decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode. Both operations can be done with volumes as attached disks (physical or logical) or raw images; for FileVault 2, PGP and BitLocker, decryption and mounting can be performed using recovery key (if available).
Full Decryption Elcomsoft Forensic Disk Decryptor can automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to all information stored on encrypted volumes |
Real-Time Access to Encrypted Information In the real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted volume as a new drive letter on the investigator’s PC. In this mode, forensic specialists enjoy fast, real-time access to protected information. Information read from mounted disks and volumes is decrypted on-the-fly in real time. |
No Decryption Key and No Recovery Key?
|
Sources of Encryption Keys
Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be extracted from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:
- By analyzing the hibernation file (if the PC being analyzed is turned off);
- By analyzing a memory dump file. A memory dump of a running PC can be acquired with the built-in memory imaging tool.
- By performing a FireWire attack (PC being analyzed must be running with encrypted volumes mounted). A free tool launched on investigator’s PC is required to perform the FireWire attack (e.g. Inception).
- By capturing a memory dump with built-in RAM imaging tool
System Requirements
- Windows 7, Windows 8/8.1, Windows 10, Windows Server 2003/2008/2012/2016
- Approximately 8MB of free space on the hard disk
- Administrator privileges (to create a memory dump)
- Memory image or hibernation file containing disk encryption keys (created while the encrypted disk was mounted), or escrow/recovery key (FileVault 2, BitLocker or PGP), or a password
Release notes
Elcomsoft Forensic Disk Decryptor v.2.11.751 31 March, 2020
- added support for APFS partitions with FileVault2
- added support for VeraCrypt (generating files for further password recovery)
- added support for GUID partitions
- improved support for encrypted HFS+ partitions
- improved UI; disk letters are now available
- improved PGP WDE support
DOWNLOAD LINK :
You must be registered for see links
VirusTotal Results
https://www.virustotal.com/gui/file/4dec8ec285e8c8c7c5d862fdacf93d293b5bfa21c4b16b4e6dc71da737e58f62/detection
Last edited: