ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

ElcomSoft Decrypts BitLocker, PGP and TrueCrypt Containers

December 20th, 2012 by Vladimir Katalov
  • 3

BitLocker, PGP and TrueCrypt set industry standard in the area of whole-disk and partition encryption. All three tools provide strong, reliable protection, and offer a perfect implementation of strong crypto.

Normally, information stored in any of these containers is impossible to retrieve without knowing the original plain-text password protecting the encrypted volume. The very nature of these crypto containers suggests that their target audience is likely to select long, complex passwords that won’t be easy to guess or brute-force. And this is exactly the weakness we’ve targeted in our new product: Elcomsoft Forensic Disk Decryptor.

The Weakness of Crypto Containers

The main and only weakness of crypto containers is human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data. No one likes typing their long, complex passwords every time they need to read or write a file. As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory. Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool. Such as Elcomsoft Forensic Disk Decryptor.

Retrieving Decryption Keys

In order to access the content of encrypted containers, we must retrieve the appropriate decryption keys. Elcomsoft Forensic Disk Decryptor can obtain these keys from memory dumps captured with one of the many forensic tools or acquired during a FireWire attack. If the computer is off, Elcomsoft Forensic Disk Decryptor can retrieve decryption keys from a hibernation file. It’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.

“The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”

It is essential to note that Elcomsoft Forensic Disk Decryptor extracts all the keys from a memory dump at once, so if there is more than one crypto container in the system, there is no need to re-process the memory dump.

Using forensic software for taking snapshots of computers’ memory is nothing new. The FireWire attack method existed for many years, but for some reason it’s not widely known. This method is described in detail in many sources such as http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf or http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation

The FireWire attack method is based on a known security issue that impacts FireWire / i.LINK / IEEE 1394 links. One can take direct control of a PC or laptop operating memory (RAM) by connecting through a FireWire. After that, grabbing a full memory dump takes only a few minutes. What made it possible is a feature of the original FireWide/IEEE 1394 specification allowing unrestricted access to PC’s physical memory for external FireWire devices. Direct Memory Access (DMA) is used to provide that access. As this is DMA, the exploit is going to work regardless of whether the target PC is locked or even logged on. There’s no way to protect a PC against this threat except explicitly disabling FireWire drivers. The vulnerability exists for as long as the system is running. There are many free tools available to carry on this attack, so Elcomsoft Forensic Disk Decryptor does not include a module to perform one.

If the computer is turned off, there are still chances that the decryption keys can be retrieved from the computer’s hibernation file. Elcomsoft Forensic Disk Decryptor comes with a module analyzing hibernation files and retrieving decryption keys to protected volumes.

Complete Decryption and On-the-Fly Access

With decryption keys handy, Elcomsoft Forensic Disk Decryptor can go ahead and unlock the protected disks. There are two different modes available. In complete decryption mode, the product will decrypt everything stored in the container, including any hidden volumes. This mode is useful for collecting the most evidence, time permitting.

In real-time access mode, Elcomsoft Forensic Disk Decryptor mounts encrypted containers as drive letters, enabling quick random access to encrypted data. In this mode files are decrypted on-the-fly at the time they are read from the disk. Real-time access comes handy when investigators are short on time (which is almost always the case).

We are also adding True Crypt and Bitlocker To Go plugins to Elcomsoft Distributed Password Recovery, enabling the product to attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.

Unique Features

The unique feature of Elcomsoft Forensic Disk Decryptor is the ability to mount encrypted disks as a drive letter, using any and all forensic tools to quickly access the data. This may not seem secure, and may not be allowed by some policies, but sometimes the speed and convenience is everything. When you don’t have the time to spend hours decrypting the entire crypto container, simply mount the disk and run your analysis tools for quick results!

More Information

More information about Elcomsoft Forensic Disk Decryptor is available on the official product page at http://www.elcomsoft.com/efdd.html

  • 3

Tags: , , , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

12 Responses to “ElcomSoft Decrypts BitLocker, PGP and TrueCrypt Containers”

  1. Gabriel Yoran (Steganos) says:

    Hello, this is Gabriel Yoran from privacy software maker Steganos.

    The attack described here is in part possible due to a typical vulnerability of whole disk encryption tools. What appears to be maximum security – everything is encrypted all the time – actually is the opposite: Everything is accessible all the time (at least as long as the disk is decrypted, and obviously even in standby mode).

    At Steganos, we do not offer whole disk encryption, but volume encryption, for example in our Steganos Safe or Steganos Privacy Suite products. The technology used there works in a totally different way:

    1st: As Vladimir points out, “[i]t’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.”

    Therefore, the user of Steganos Safe or Privacy Suite only opens and closes the encrypted volume (the “Safe”) when they need it. There is no need to keep it open all the time. In whole disk encryption products (the ones being attacked like PGP WDE),

    2nd: When the computer goes into standby (or sleep/hibernation) the Safe is automatically closed. Therefore there is no way to access its contents.

    It should also be said that, if an attacker does gain access to the user’s computer to run such an attack while an encrypted volume is open, the attacker could simply steal the user’s data, since at this point in time, user data is simply not encrypted.

    Learnings: Whole disk encryption can be a risk, since unencrypted data is available to the user – and an attacker – all the time. Software which does not close encrypted volumes before hibernation is a problem, too (Steganos Safe and Steganos Privacy Suite are not affected by this issue).

    We will post more information on this issue on our blog at http://blog.steganos.com

    Gabriel Yoran
    Steganos Software GmbH

  2. Mark says:

    What about a TPM with Bitlocker? I don’t see anything in the documentation of the product about that, and it wasn’t covered in your post.

  3. Q says:

    In systems like http://www.datadiode.eu and https://wuala.com/freemovequantumexchange storage is physically separated from the encryption/decryption so this attack is not possible on these systems.

  4. iNsuRRecTiON says:

    Hi there,

    how can efdd access and read the hibernation file on whole disk encryption software such as truecrypt, if the hibernation file itself is encrypted on the disk?

    If the computer is turned off, everything including the hibernation file is encrypted on the hdd.

    @Mark, I don’t know whether the encryption/decryption key is stored in the computer main memory or only in the TPM.

    If it is only in the TPM it should not be recoverable.



  5. furiousangel says:


    the hybernation file on whole disk encryption is not encrypted it rest in memory and people have been able to acess it for some time thorough a firewire hack for some time. this file rest in the main memory. Give me physical access to your computer and even with it off but still pluged in and i will be able to bypass bitlocker. I like the fact that someone automated the process. with the ability to mount the logical portion of the drive, you will have all the access needed.

  6. Ella says:

    Interesting article! I scanned through something remarkably similar
    in a science blog post. Seriously worth checking out

    my web page – my website

  7. Paul says:

    This really is quite some claim, and I cant believe this company has the cheek to imply that it can offer something new. The techniques here have been known and used by the forensics community for years. While it is no doubt useful in terms of saving time by automating the process, to imply (as the title on this page clearly does) that it decrypts Truecrypt is entirely inaccurate and they know this. It is simply able to locate the key in memory if the system isn’t powered down. The documentation for Truecrypt clearly states that you should turn of any paging or hibernation, and if this is followed the only way to get the key is if the encrypted volume is mounted, through accessing the RAM.

  8. zgandiro says:


  9. Bruce says:

    I see no mention of a “super-encrypted” object. For example, using Steganos Safe to hold an encrypted volume that was encrypted using a different encryption program. How would it be possible to locate both keys?

  10. Bruce,

    Our software does not work with Steganos Safe at all. Speaking of other encrypted disks we support — as far as I know, there is no way to use two of them together for the same disk partition.

  11. Charlie Troell says:

    Is there work being done to extract the keys for the newest form of Truecrypt, now Veracrypt? I just ran one through my system and Disk Decryptor failed to locate the key.