
Elcomsoft Forensic Disk Decryptor - complete autopsy of encrypted hard drives. Open password-protected crypt files with Elcomsoft Forensic Disk Decryptor Why is a kernel-level driver required for an image processing device?

Despite the fact that support was discontinued, the program continues to exist and remains a reliable means of protecting personal data. In March 2015, the second audit of TrueCrypt was completed. According to the audit results, TrueCrypt 7.1a contains no backdoor. The auditors noted only three potentially problematic areas, none of which leads to the compromise of any data under normal conditions:

  1. Lack of authentication of encrypted data in the volume header
  2. Key-file mixing is not done in a cryptographically secure manner
  3. The AES implementation may be vulnerable to a timing attack

However, in 2015, Russian developers created applications for opening TrueCrypt containers.

Elcomsoft Forensic Disk Decryptor is one of the most unusual applications: it decrypts any type of file container created with data-encryption programs so that the contents can be forensically analyzed. The program is used to retrieve encryption keys.

The program extracts encryption keys using three methods:

  1. From a RAM dump. All keys are retrieved at once, even if there is more than one crypto container in the system. A RAM dump can be created using appropriate forensic products, such as MoonSols Windows Memory Toolkit. Encrypted volumes must be mounted at the time the snapshot is taken; otherwise, the decryption key cannot be retrieved.
  2. Analysis of the hibernation file (the computer under study is turned off). Protected volumes must be mounted before turning off the computer. If the crypto container was unmounted before the hibernation file was created, it will not be possible to extract the keys from it.
  3. Attack through the FireWire port, if you do not have enough rights to take a memory dump or run programs on the computer being analyzed. To carry out an attack via the FireWire port, an additional computer with a free product installed (for example, Inception) is required. Such an attack gives almost one hundred percent results, but again, encrypted volumes must be mounted at the time of analysis.

Figure 11.

If you manage to extract the encryption keys, then with their help the information on the media is decrypted in real time.

In real-time mode, access to data is provided instantly. The crypto container is mounted in the system as a new disk, after which you can extract the data using standard Explorer or any other file-management tool. In this case, the information is decrypted "on the fly" as the data is read. There is a trial version, but it is "incomplete" and cannot extract encryption keys. There is also a full version, which is distributed exclusively to government agencies.

This tool can extract data from an encrypted disk volume (FileVault 2, PGP, BitLocker, or TrueCrypt) using the binary encryption key contained in the computer's RAM.

What's new?

The new release of Elcomsoft Forensic Disk Decryptor extracts keys by analyzing memory dump files or hibernation files and adds everything that was missing in earlier versions: plain-text passwords and recovery keys, a Microsoft-signed kernel-level RAM imaging tool, a long-awaited portable version, and support for the standard EnCase .E01 image format and encrypted DMG images. It automatically detects all encrypted volumes and provides detailed information about the encryption method used for each volume. Let's run the program and look at an example.

Review of Elcomsoft Forensic Disk Decryptor 2.0

Launch Elcomsoft Forensic Disk Decryptor 2.0 and open the encrypted disk or disk image. EFDD scans the drive and identifies all encrypted volumes available on it. The volumes, along with their encryption settings, are displayed in the main window, picture below:

Decryption methods

Previous versions were limited to mounting or decrypting volumes using binary cryptographic keys extracted from a computer memory image or hibernation file. There was no way to use plain-text passwords or escrow keys to access data stored in encrypted containers.

EFDD 2.0 adds new ways to mount or decrypt encrypted volumes. Besides a binary cryptographic key, if you know the password of the original container, you can enter it to mount the volume for full decryption or offline analysis.

Another way to access encrypted data is to use an escrow key, or recovery key as they are sometimes called. Escrow keys serve as a kind of backup, allowing the rightful owner to decrypt data if the password is lost or forgotten.

For BitLocker-encrypted volumes, the recovery key can be retrieved from Active Directory or from the user's Microsoft account at this link:

To decrypt BitLocker volumes, check out the official Elcomsoft blog. You can also find out what changed for BitLocker in the November Update on Microsoft's website.

For FileVault 2, you can extract the recovery key from Apple iCloud; for this you will need a utility.

Kernel-level memory imaging tool: finding the key to open the crypto container

EFDD was originally made to scan volatile computer memory. In the picture below, EFDD searches for the cryptographic keys used to access data stored in encrypted containers. If a cryptographic key is found, decrypting the container is straightforward and there is no need to attack the original plain-text password.

Initially, Elcomsoft Forensic Disk Decryptor relied on memory images captured by third-party tools. Version 2.0 ships with a built-in memory imaging tool that uses ring-0 (kernel-level) access to the computer's RAM. The RAM imaging tool includes a kernel-mode driver digitally signed by Microsoft, fully compatible with 32-bit and 64-bit versions of Windows.

Why does the memory imaging tool require a kernel driver?

Because it needs access to all areas of the computer's memory, including areas that are actively protected by system or third-party anti-dumping and anti-debugging tools. Utilities and data-collection programs that run in user mode are denied access to certain protected areas of the computer's RAM, as I wrote above. ElcomSoft ships a kernel-level driver that runs in the most privileged "ring 0" level of the system, with full and unrestricted access to all areas of the computer's memory. That's cool!

A driver digitally signed by Microsoft allows the utility to be installed (or run) on computers that enforce driver signature verification. In other words, it works without restrictions in every direction and area, I'll put it this way.

Creating a portable version of Elcomsoft Forensic Disk Decryptor 2.0

Like the installed version, the portable version supports EnCase images in the standard .E01 format as well as encrypted DMG images. The program can be run on live systems from a USB drive. To create a portable version, install the utility on your computer and register it with your license key. Next, create the portable version of the utility, picture below:

You can then use the newly created portable version of the program to capture the volatile memory of other computers and to mount and decrypt encrypted volumes.

If you previously purchased the program, you can update to the latest version for free. If you would like to purchase a license for Elcomsoft Forensic Disk Decryptor 2.0, go to the official website and check out the purchase offers. Good software is always paid; that is a fact, with very few exceptions. With this program you get a good assistant that will restore your files in case of infection with ransomware viruses, or, as I wrote above, if you forgot or lost the password to an encrypted disk or container. If you have any questions, I will be happy to answer them in the comments below on this page.

Program interface: English

Platform:XP/7/Vista

Manufacturer: Elcomsoft Co. Ltd.

Website: www.elcomsoft.ru

Elcomsoft Forensic Disk Decryptor is one of the most unusual applications that allows you to decrypt any type of file container on which data encryption programs were used, in order to conduct forensic analysis of the contents. As they say, this is definitely a program for hacking information. Although the Elcomsoft Forensic Disk Decryptor application is a rather serious software product, you can even download it for free from our website. After installing Elcomsoft Forensic Disk Decryptor, you will be simply amazed at the capabilities it offers, even when used by a completely untrained user.

Key features of Elcomsoft Forensic Disk Decryptor

This unique product is presumably used by the relevant services dealing with crime. How else to explain the capabilities available in the Elcomsoft Forensic Disk Decryptor application? First of all, it is worth paying attention to the three options for extracting data decryption keys: a snapshot of RAM, an attack through the FireWire port (with the computer turned on and encrypted volumes mounted), and analysis of the hibernation file (even with the computer turned off). So, if you are trying to hide information from the relevant organizations, do not rush to rejoice.

As for the decryptor, it supports working with crypto containers such as BitLocker, PGP and TrueCrypt, as well as removable drives, the information on which was fully protected using BitLocker To Go. As you can see, everything is set on a grand scale.

The most interesting thing is that the Elcomsoft Forensic Disk Decryptor program supports at least two modes of access to information. In the first case, a full decryption is performed; in the second, real-time access is provided. In principle, an unprepared user may not even know that, say, the RAM of his computer has just been accessed and the corresponding keys are no longer his personal secret. Moreover, in real time, such access from the outside does not even affect the performance or speed of his system. Plus, even with regular Windows Explorer, you can work with the crypto container just like an additional virtual disk in the system. The information is retrieved intact, without any modification on the user's side.

Elcomsoft Forensic Disk Decryptor 1.0.124 is designed to decrypt BitLocker, PGP and TrueCrypt crypto containers and conduct forensic analysis of data stored in encrypted volumes.

Both fixed and portable media are supported, including PGP full-disk encryption, as well as removable drives protected with BitLocker To Go. Using Elcomsoft Forensic Disk Decryptor, you can either completely decrypt the contents of a protected volume or work in real time by connecting encrypted volumes and decrypting selected data on the fly.
You can download the program via a direct link (from the cloud) at the bottom of the page.

Key features of Elcomsoft Forensic Disk Decryptor:

  • Decryption of information protected by the three most common crypto containers.
  • Support for BitLocker, PGP and TrueCrypt protected volumes.
  • Support for portable media and flash cards protected by BitLocker To Go.
  • Supports all PGP operating modes, including full disk encryption mode.
  • Real-time access and full decryption.
  • Extracting data decryption keys from hibernation files or from an image file of the computer's RAM.
  • Retrieves all keys from a RAM dump at once, even if there is more than one crypto container in the system.
  • Guarantee of the integrity and immutability of the studied data.
  • Recovering and saving data decryption keys.
  • Supports 32- and 64-bit versions of Windows.


System requirements:
Operating system: Windows XP,Vista,7,8 (x86,x64)
CPU: 1 GHz
RAM: 512 MB
Hard disk space: 8.8 MB
Interface language: English
Size: 8.3 MB

Today, employees of many companies widely use laptops in their work. At the same time, it is worth recognizing that these devices are also regularly stolen and lost. Thus, according to a study by the Ponemon Institute, in Europe alone, company losses amount to more than 1 billion euros due to stolen laptops. The study involved 275 large organizations from Europe. As a result, it was found that they lost 72,789 laptops over 12 months, an average of 265 laptops per company. Most of them were lost while traveling (32%) or while working outside the office (32%). In 13% of cases, laptop loss occurred in a work environment. In another 13% of cases, respondents were unable to clarify where exactly they lost their laptops... It is noted that only 4.5% of lost laptops were returned to their owners.

Most of the lost devices contained sensitive information and personal data. Thus, the losses due to each loss of a laptop significantly exceed the cost of a new device. The results revealed that the 275 organizations surveyed in Europe lose around €1.29 billion annually due to lost laptops, which equates to around €4.7 million per laptop.

Last year, a similar study was conducted in the United States. Then 329 organizations were surveyed, which lost more than 86 thousand laptops, and the total financial losses amounted to 2.1 billion dollars.

Thus, we can conclude that the problem of security of information stored on mobile devices is becoming alarming. What can be imagined as the last line of physical defense? Encryption. Is encryption a panacea?

Let's consider a new product from Elcomsoft - Elcomsoft Forensic Disk Decryptor, which is designed to decrypt crypto containers using the BitLocker, PGP and TrueCrypt encryption algorithms and analyze data stored in encrypted volumes. Both fixed and portable media are supported, including PGP full-disk encryption, as well as removable drives protected with BitLocker To Go. At the same time, using this product you can either completely decrypt the contents of a protected volume or work in real time with connecting encrypted volumes (media) and decrypting data on the fly.

Let's list the product's capabilities.

  • Decryption of information protected by the three most common crypto containers.
  • Support for BitLocker, PGP and TrueCrypt protected volumes.
  • Support for portable media and flash cards protected by BitLocker To Go.
  • Supports all PGP operating modes, including full disk encryption mode.
  • Real-time access and full decryption.
  • Extracting data decryption keys from hibernation files or from an image file of the computer's RAM.
  • Retrieves all keys from a RAM dump at once, even if there is more than one crypto container on the system.
  • Guarantee of the integrity and immutability of the studied data.
  • Recovering and saving data decryption keys.
  • Supports 32- and 64-bit versions of Windows.

It should be noted that Elcomsoft Forensic Disk Decryptor extracts the keys with which the data was encrypted. With the help of these keys, decryption is carried out in real time - almost instantly. The product supports three methods for retrieving decryption keys:

* analysis of the hibernation file (the computer under study is turned off);

* analysis of a dump of the computer's RAM; the memory dump can be created using appropriate forensic products;

* attack via the FireWire port (the computer must be turned on and the encrypted volumes must be mounted); to carry out an attack over the FireWire port, an additional computer with a free product installed (for example, Inception) is required.

Extracting keys to decrypt data

I used OSForensics software (http://www.osforensics.com) to take a memory dump, see Figure 1.

The decryption key is required to gain access to the encrypted data and decrypt the contents of the crypto container. Elcomsoft Forensic Disk Decryptor supports three methods for extracting keys, the choice depends on whether the computer under test is turned on or off, and also on whether it is possible to run a program on the computer under study to take an image ("snapshot") of RAM. Let's consider all the options.

The computer is turned off. In this case, the keys are retrieved from the hibernation file. Protected volumes must be mounted before turning off the computer. If the crypto container was unmounted before creating the hibernation file, it will not be possible to extract the keys from it.

The computer is turned on. If possible, a program is launched on the computer under study to take a snapshot of the RAM. The contents of RAM are saved to a file from which Elcomsoft Forensic Disk Decryptor extracts decryption keys. Encrypted volumes must be mounted at the time the snapshot is taken; otherwise, the decryption key cannot be retrieved. A detailed description of this technology and a complete list of both commercial and free programs are available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

The computer is turned on in restricted mode. If it is impossible to launch programs on the computer under investigation (there are not enough rights, there is no password for the user account, etc.), it is possible to extract the keys by carrying out an attack through the FireWire port. The attack is carried out from a separate computer or laptop connected to the target computer via a FireWire interface. To carry out the attack, a free utility that is installed separately is used (for example, Inception, at the link http://www.breaknenter.org/projects/inception/). This type of attack gives a result close to one hundred percent. Encrypted volumes must be mounted at the time of the attack.

After extraction, the decryption keys are stored in the database, then Elcomsoft Forensic Disk Decryptor will offer to fully decrypt the contents of the crypto container or connect the protected volumes as new disks for on-the-fly decryption, see Figure 2.

Will searching for keys always be effective? Not really.

Countermeasures

If you use BitLocker and have carefully read Microsoft's recommendations for using BitLocker encryption mode, you should have remembered that:

Have you ever wondered why this is so? The reasons are actually simple.

1. If you are encrypting only the data disk, and also using hibernation, your encryption key can be extracted from the hibernation file, which will be located on the unencrypted system partition.

2. Even if both partitions are encrypted, but you use hibernation, your computer, upon waking up, will not ask for the BitLocker password, but will immediately ask for your user password. Most people prefer a passwordless account, and even one with local administrator rights. Who's stopping you from taking a memory dump? Nobody! And, therefore, an attacker can simply obtain your encryption keys.
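Added example (not from the article or from Elcomsoft): a PowerShell audit that checks a Windows machine for the two exposures just described (hibernation with an unencrypted OS volume, and hibernation combined with password-less local accounts), and additionally whether the OS volume has a pre-boot PIN protector, since a TPM-only configuration shows no BitLocker prompt on resume. It assumes an elevated session on Windows 10 or later with the BitLocker and LocalAccounts modules; the `HibernateEnabled` registry check and the `$findings` variable are choices of this example.

```powershell
# Added example, not part of the original article. Run elevated on Windows 10+.
$findings = @()

# Hibernation state: HibernateEnabled DWORD under the Power key (1 = enabled).
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
$hibernateOn = ($null -ne $power -and $power.HibernateEnabled -eq 1)

# Which volumes BitLocker actually protects (VolumeType: OperatingSystem / Data).
$volumes = Get-BitLockerVolume
$osVolume = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
$osProtected = ($null -ne $osVolume -and $osVolume.ProtectionStatus -eq 'On')
$dataProtected = @($volumes | Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -eq 'On' })

# Article point 1: hiberfil.sys lives on the OS volume, so encrypting only data
# volumes while hibernating leaves the keys on the unencrypted system partition.
if ($hibernateOn -and -not $osProtected -and $dataProtected.Count -gt 0) {
    $findings += 'Data volume(s) encrypted, OS volume not encrypted, hibernation enabled: keys reachable via hiberfil.sys'
}

# Article point 2: after resume only the Windows logon stands between an attacker
# and a live session with the keys in RAM; a password-less enabled account removes even that.
if ($hibernateOn) {
    $noPassword = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
    foreach ($u in $noPassword) {
        $findings += "Hibernation enabled and enabled local account '$($u.Name)' requires no password"
    }
}

# Mitigation check: with a TPM-only protector the resume path shows no BitLocker
# prompt; a TPM+PIN protector forces pre-boot authentication before the OS (and RAM) is restored.
if ($osProtected) {
    $types = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if (($types -contains 'Tpm') -and -not $hasPin) {
        $findings += 'OS volume uses a TPM-only protector: no pre-boot PIN is requested on resume from hibernation'
    }
}

if ($findings.Count -eq 0) { 'No hibernation-related BitLocker exposure found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Disabling hibernation (`powercfg /hibernate off`) or adding a TPM+PIN protector with Add-BitLockerKeyProtector clears the flagged conditions.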

When using PGP, the user can forcibly unmount encrypted drives and crypto containers to prevent such an attack (Figure 4). But does everyone do this?

However, it is necessary to take into account that if the laptop’s battery charge is extremely low and an automatic transition to power saving mode occurs, then the volumes may not be unmounted automatically! Therefore, carefully monitor the battery charge level.
