ElcomSoft has released an interesting forensic tool called Forensic Disk Decryptor that can be successfully used to gain access to information stored on disks encrypted with TrueCrypt, PGP and BitLocker.
Existing solutions, such as the Elcomsoft Distributed Password Recovery, can attempt to crack encrypted disks by trying to break their passwords with brute-force attacks.
However, the new Forensic Disk Decryptor has a novel approach. It analyzes memory dumps and hibernation files from the targeted computer in search for the decryption keys.
The only condition is for the targeted computer to be running with the encrypted volumes mounted, regardless whether the device is locked or unlocked. The decryption keys can be obtained even if the computer is in hibernation.
“The main and only weakness of crypto containers is human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data. No one likes typing their long, complex passwords every time they need to read or write a file,” Vladimir Katalov, ElcomSoft CEO, explained on the company’s blog.
“As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory. Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool.”
The tool comes with two decryption modes: full and real-time. In the “full” mode, the user gains unrestricted access to all the information stored on the targeted drives, including hidden files.
However, this mode is time consuming. Which is why the “real-time” mode allows users to mount the encrypted containers as drive letters and decrypt the information stored on them on-the-fly.
The Elecomsoft Forensic Disk Decryptor is available immediately, being priced at around $300 (233 EUR).
The utility works on most Windows operating systems and it supports TrueCrypt, BitLocker To Go, BitLocker, and PGP Whole Disk Encryption.