ElcomSoft released Elcomsoft Forensic Disk Decryptor, a forensic tool providing access to information stored in disks and volumes encrypted with BitLocker, PGP and TrueCrypt.


The complete decryption mode provides full, unrestricted forensic access to all information stored on encrypted volumes. Alternatively, by mounting encrypted containers as drive letters, investigators gain immediate, real-time access to protected volumes. In real-time mode, information read from encrypted containers is decrypted on-the-fly. The software offers true zero-footprint operation with no alterations or modifications to original content ever.

Elcomsoft Forensic Disk Decryptor acquires all necessary decryption keys by analyzing memory dumps or hibernation files obtained from the target PC. A memory dump can be obtained from a running PC, locked or unlocked, with encrypted volumes mounted. Memory dumps produced with any forensic product or obtained via a FireWire attack are supported.

A FireWire attack requires a free third-party tool, a FireWire (IEEE 1394) cable and another PC to launch the attack from. Decryption keys can also be derived from hibernation files if a target PC is turned off.

“Before Elcomsoft Forensic Disk Decryptor, only Elcomsoft Distributed Password Recovery could handle encrypted disks”, says Yuri Konenkov, ElcomSoft leading crypto analytic. “It used brute force to break passwords. Today, we’re introducing a special tool that uses a completely different approach to decrypting disks protected with PGP, True Crypt, BitLocker and BitLocker To Go. We have also added the ability to brute-force passwords for TrueCrypt and BitLocker To Go containers to Elcomsoft Distributed Password Recovery.”