How to Use Elcomsoft Forensic Disk Decryptor v2.10 Build 567 to Access Encrypted Data
How to Use Elcomsoft Forensic Disk Decryptor v2.10 Build 567 to Access Encrypted Data
If you are a forensic expert or a security professional who needs to access data stored in encrypted BitLocker, FileVault 2, PGP Disk, TrueCrypt, VeraCrypt or Jetico BestCrypt disks and containers, you may find Elcomsoft Forensic Disk Decryptor v2.10 Build 567 a useful tool. This software can help you extract cryptographic keys from RAM captures, hibernation and page files, or use plain-text password or escrow keys to decrypt files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.
Elcomsoft Forensic Disk Decryptor v2.10 Build 567 Hard Disk Decryptor
In this article, we will show you how to use Elcomsoft Forensic Disk Decryptor v2.10 Build 567 to access encrypted data in different scenarios.
Scenario 1: Decrypt or Mount Disk
If you have a memory image of the target system or a live system that you can access, you can use the "Decrypt or Mount Disk" option to unlock the encrypted disk or container. This option supports BitLocker, FileVault 2, LUKS, LUKS2, PGP Disk, TrueCrypt and VeraCrypt encryption methods.
To use this option, follow these steps:
Launch Elcomsoft Forensic Disk Decryptor v2.10 Build 567 and select "Decrypt or Mount Disk".
Select the source of the memory image: a file (such as a memory dump or a hibernation file) or a live system (if you have administrative privileges on the target system).
Select the encrypted disk or container that you want to decrypt or mount. You can also specify the encryption and hashing algorithms for TrueCrypt/VeraCrypt volumes if you know them.
Click "Next" and wait for the software to scan the memory image and find the encryption keys.
If the keys are found, you can choose to decrypt the disk or container to a new location, or mount it as a new drive letter for instant access.
Scenario 2: Extract Keys
If you only need to extract the encryption keys from the memory image and use them later with another tool, you can use the "Extract Keys" option. This option supports BitLocker, FileVault 2, LUKS, LUKS2, PGP Disk, TrueCrypt and VeraCrypt encryption methods.
To use this option, follow these steps:
Launch Elcomsoft Forensic Disk Decryptor v2.10 Build 567 and select "Extract Keys".
Select the source of the memory image: a file (such as a memory dump or a hibernation file) or a live system (if you have administrative privileges on the target system).
Select the encrypted disk or container that you want to extract keys from. You can also specify the encryption and hashing algorithms for TrueCrypt/VeraCrypt volumes if you know them.
Click "Next" and wait for the software to scan the memory image and find the encryption keys.
If the keys are found, you can save them to a file or copy them to the clipboard for later use.
Scenario 3: Use Password or Escrow Keys
If you don't have a memory image of the target system but you know the plain-text password or escrow keys for the encrypted disk or container, you can use them to decrypt or mount it with Elcomsoft Forensic Disk Decryptor v2.10 Build 567. This option supports BitLocker, FileVault 2 and PGP Disk encryption methods.
To use this option, follow these steps:
Launch Elcomsoft Forensic Disk Decryptor v2.10 Build 567 and select "Decrypt or Mount Disk".
Select "Use Password / Recovery Key" as the source of the memory image.
Select the encrypted disk or container that you want to decrypt or mount.
Enter the plain-text password or escrow key for the disk or container. For BitLocker disks, you can use recovery keys that are available in Active Directory or in the user's Microsoft e0e6b7cb5c