Elcomsoft Forensic Disk Decryptor

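Instant access to data stored in encrypted BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt storage. The tool extracts encryption keys from RAM captures, hibernation and page files, or uses plain-text passwords or escrow keys, to decrypt files and folders stored in encrypted containers or to mount encrypted volumes as new drive letters for real-time access.

  • Decrypt BitLocker, BitLocker To Go, FileVault 2, PGP, TrueCrypt and VeraCrypt volumes
  • Extract encryption keys from RAM captures, hibernation and page files, escrow and recovery keys
  • Extract and save all available encryption keys
  • Instantly mount encrypted storage as a disk volume
  • Capture the content of the computer's volatile memory with a kernel-level tool
  • Fast, zero-footprint operation

Supports: BitLocker (including TPM configurations), FileVault 2, PGP, TrueCrypt and VeraCrypt encrypted containers and full disk encryption, BitLocker To Go, XTS-AES BitLocker encryption, RAM dumps, hibernation files, page files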

Common license $ 599

A Fully Integrated Solution for Accessing Encrypted Volumes

Elcomsoft Forensic Disk Decryptor offers all available methods for gaining access to information stored in encrypted BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt disks and volumes. The toolkit allows using the volume's plain-text password, escrow or recovery keys, as well as the binary keys extracted from the computer’s memory image or hibernation file. FileVault 2 recovery keys can be extracted from iCloud with Elcomsoft Phone Breaker, while BitLocker recovery keys are available in Active Directory or in the user’s Microsoft Account.

If neither the encryption key nor the recovery key can be extracted, EFDD can extract metadata from the encrypted container to let Elcomsoft Distributed Password Recovery do its job.

Full Decryption, Instant Mount or Attack

With fully automatic detection of encrypted volumes and encryption settings, experts only need to provide the path to the encrypted container or disk image. Elcomsoft Forensic Disk Decryptor will automatically search for, identify and display encrypted volumes and details of their corresponding encryption settings.

Access is provided by either decrypting the entire content of an encrypted volume or by mounting the volume as a drive letter in unlocked, unencrypted mode. Both operations can be done with volumes as attached disks (physical or logical) or raw images; for FileVault 2, PGP and BitLocker, decryption and mounting can be performed using the recovery key (if available).

Full Decryption

Elcomsoft Forensic Disk Decryptor can automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to all information stored on encrypted volumes.

Real-Time Access to Encrypted Information

In the real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted volume as a new drive letter on the investigator’s PC. In this mode, forensic specialists enjoy fast, real-time access to protected information. Information read from mounted disks and volumes is decrypted on-the-fly in real time.

No Decryption Key and No Recovery Key?

If neither the decryption key nor the recovery key is available, Elcomsoft Forensic Disk Decryptor will extract the metadata necessary to brute-force the password with Elcomsoft Distributed Password Recovery.

Elcomsoft Distributed Password Recovery can attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force. (Note: VeraCrypt is currently not supported.)

Sources of Encryption Keys

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be extracted from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:

  • By analyzing the hibernation file (if the PC being analyzed is turned off);
  • By analyzing a memory dump file. A memory dump of a running PC can be captured with the built-in RAM imaging tool;
  • By performing a FireWire attack (the PC being analyzed must be running with encrypted volumes mounted). A free tool launched on the investigator’s PC is required to perform the FireWire attack (e.g. Inception).

FileVault 2, PGP and BitLocker volumes can be decrypted or mounted by using the escrow key (Recovery Key).

System Requirements

Windows

  • Windows Server 2008
  • Windows 7 (32 bit)
  • Windows 7 (64 bit)
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2012
  • Windows 2016

Product Version Information

Elcomsoft Forensic Disk Decryptor v.2.10.567

  • added support for VeraCrypt
  • added support for BitLocker encryption with TPM

All programs can be removed using standard Microsoft Windows tools, either through the Control Panel or with the "Uninstall" shortcut in the Start menu.
