Russian firm ElcomSoft on Thursday announced the release of Elcomsoft Forensic Disk Decryptor (EFDD), a new forensic tool that can reportedly access information stored in disks and volumes encrypted with desktop and portable versions of BitLocker, PGP, and TrueCrypt. EFDD runs on all 32-bit and 64-bit editions of Windows XP, Windows Vista, and Windows 7, as well as Windows 2003 and Windows Server 2008. The price tag isn’t outrageous, but EFDD will still set you back a solid $299.
EFDD offers access to encrypted information either by completely decrypting everything or by decrypting individual files in real time. You can choose to either decrypt all files and folders stored in the cryptographic container (full, unrestricted forensic access to all stored information) or mount the encrypted volume as a new drive letter for instant access (information is decrypted on-the-fly).
Last but not least, the tool offers zero-footprint operation, with no alterations or modifications to the original content. If you want to get in and out without making a mess, this is particularly crucial, whether you’re an investigator or a spy.
So, how does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You’ll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off.
“The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys,” ElcomSoft CEO Vladimir Katalov said in a statement. “Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”
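The two acquisition paths described above (a hibernation file on a powered-off PC, and a live RAM dump taken over FireWire or with a forensic tool while volumes are mounted) are exactly the settings a defender can audit. The following read-only audit script is an added example written for this page; it is not ElcomSoft's code and makes no changes to the machine. It assumes the Windows 7 / Server 2008 R2-era tooling the article targets: the `HibernateEnabled` value under the `Power` registry key, the `manage-bde.exe` protector listing, and the `1394ohci` service name all come from Microsoft documentation of that period, but the exact protector label strings it matches (`TPM And PIN`) are an assumption and should be checked against your own `manage-bde` output. Run it from an elevated PowerShell prompt.

```powershell
# Added defensive audit example (not ElcomSoft's code). Read-only: reports exposure to the
# hibernation-file and live-memory key acquisition paths, makes no configuration changes.

function Test-HibernationEnabled {
    # When a machine hibernates, the contents of RAM (including keys of mounted volumes)
    # are written to hiberfil.sys, which is the "turned off" acquisition path.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $val = (Get-ItemProperty -Path $key -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    if ($null -eq $val) { return $true }   # assumption: absent value means the default (enabled)
    return [bool]$val
}

function Get-BitLockerProtectorSummary {
    param([string]$Drive = 'C:')
    # manage-bde ships with Windows 7 / Server 2008 R2. Protector names in its output are
    # matched loosely; treat the label strings below as assumptions about that output.
    $out = (& manage-bde.exe -protectors -get $Drive 2>&1) | Out-String
    [pscustomobject]@{
        Drive     = $Drive
        TpmAndPin = [bool]($out -match 'TPM And PIN')
        TpmOnly   = ($out -match 'TPM\s*:') -and -not ($out -match 'TPM And PIN')
        Raw       = $out
    }
}

function Test-FireWireDriverDisabled {
    # Start = 4 (SERVICE_DISABLED) on the 1394 OHCI driver closes the FireWire DMA path
    # used for live RAM acquisition from a locked, running PC.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\1394ohci'
    if (-not (Test-Path $svc)) { return $true }   # driver not present at all
    return ((Get-ItemProperty -Path $svc -Name Start -ErrorAction SilentlyContinue).Start -eq 4)
}

function Invoke-DiskEncryptionExposureAudit {
    param([string]$Drive = 'C:')
    $findings = @()

    if (Test-HibernationEnabled) {
        $findings += 'Hibernation is enabled: volume keys can be recovered from hiberfil.sys. ' +
                     'Mitigation: powercfg -h off (and use full shutdown rather than hibernate).'
    }

    $bl = Get-BitLockerProtectorSummary -Drive $Drive
    if ($bl.TpmOnly) {
        $findings += "BitLocker on $Drive uses TPM-only unlock: the OS boots to a lock screen with keys in RAM. " +
                     'Mitigation: require TPM And PIN (manage-bde -protectors -add <drive> -TPMAndPIN) so the ' +
                     'volume is not mounted until a user authenticates.'
    }

    if (-not (Test-FireWireDriverDisabled)) {
        $findings += 'FireWire (1394) driver is active: DMA access to RAM is possible on a locked machine. ' +
                     'Mitigation: set Start=4 on the 1394ohci service, or remove the controller, if unused.'
    }

    if ($findings.Count -eq 0) { Write-Output 'No exposure found for the audited acquisition paths.' }
    else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
    return $findings
}

Invoke-DiskEncryptionExposureAudit -Drive 'C:'
```

The audit only covers the three paths the article names; a memory dump taken with a standard forensic agent on an unlocked, logged-in session is not something a configuration check can prevent, which is why the BitLocker recommendation focuses on keeping the volume unmounted until a user has authenticated rather than on protecting keys once they are in RAM.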
The full feature list for EFDD is as follows:
- Decrypts information stored in the three most popular crypto containers.
- Mounts encrypted BitLocker, PGP and TrueCrypt volumes.
- Supports removable media encrypted with BitLocker To Go.
- Supports both encrypted containers and full disk encryption.
- Acquires protection keys from RAM dumps and hibernation files.
- Extracts all the keys from a memory dump at once if there is more than one crypto container in the system.
- Fast acquisition (limited only by disk read speeds).
- Zero-footprint operation leaves no traces and requires no modifications to encrypted volume contents.
- Recovers and stores original encryption keys.
- Supports all 32-bit and 64-bit versions of Windows.
Update: The title of this article previously said “cracking” but has been changed to “decrypting” to more accurately describe the tool.
Image credit: doctor-a