Elcomsoft System Recovery Simplifies Digital Field Triage and In-Field Investigations

June 17th, 2021 by Oleg Afonin
Category: «General»

Elcomsoft System Recovery is a perfect tool for digital field triage, enabling safer and more secure in-field investigations of live computers by booting from a dedicated USB media instead of using the installed OS. The recent update added a host of features to the already great tool, making it easier to examine the file system and extract passwords from the target computer.

What’s it all about?

Elcomsoft System Recovery is a digital triage tool for examining computers in the field. The tool is particularly useful if the computer being analyzed is locked or is inaccessible due to unknown account passwords and/or full disk encryption. Elcomsoft System Recovery helps overcome the challenger of accessing a locked system, delivering a straightforward workflow for investigating computers in the field. The tool helps access information in encrypted disks and encrypted virtual machines, extract passwords and access encrypted file systems.

Once you get Elcomsoft System Recovery, you first make a portable version of the tool by creating bootable USB media on your computer. The bootable USB media is then used to boot the target computer, the one you will be examining. The ESR bootable media contains a customized version of Microsoft Windows PE with Elcomsoft-developed extras to help you extract passwords, access encrypted disks and examine the file system. The complete step-by-step workflow is available in Elcomsoft System Recovery: a Swiss Army Knife of Desktop Forensics.

The latest update adds a host of powerful features to make file system analysis and password extraction even easier.

Extracting Wi-Fi passwords

Home users frequently re-use passwords. Same or similar passwords built to a limited number of patterns are often used to protect access to online resources, encrypt disks, documents and VMs. Extracting all of the user’s existing passwords offers valuable insight to the way the particular user composes their passwords, drastically reducing the time required to discover the right password and increasing the chance of unlocking secure encryption.

Elcomsoft System Recovery already had the ability to quickly recover simple Windows passwords. Today, we’re adding one more type of passwords to extract: the Wi-Fi passwords. Together with other types of passwords, the Wi-Fi passwords can be added to a highly targeted custom dictionary that can be used to break strong encryption and attack passwords protecting encrypted documents, disks and accounts.

Extracting Windows license keys: why you need them and how to use

One more thing extracted by the latest update of Elcomsoft System Recovery is the ability to reveal Windows product keys. This information is buried deep in the system, and typically is not user-accessible. Elcomsoft System Recovery will instantly reveal the system’s product key, enabling investigators to request Microsoft for information about the owner of the license, which may be a great deal of help when examining a computer from a crime scene.

Password hints and QA

Another important piece of information extractable in the field are password hints, questions and answers. This information is intended to help users recall their forgotten passwords. In many cases, examiners can use password hints and QA to re-create the user’s original passwords. As an example, “questions and answers” may contain a hint that the password contains the user’s place of birth or the name of their spouse or sibling. In that case, the names and places can be added to a custom dictionary for a fast dictionary attack.

FAR Manager

One last thing added to Elcomsoft System Recovery is FAR, one of the most convenient two-panel file managers. The now embedded Far Manager is an open-source tool developed by Eugene Roshal for navigating the file system and managing files and archives. Far Manager works in text mode and provides a simple and intuitive way for performing the most common actions such as viewing files and directories, accessing hidden and system items, copying data and accessing archives.

Conclusion

The already powerful digital triage tool gained additional features. The extraction of Wi-Fi passwords, hints and Q&A for Windows account passwords, as well as the inclusion of the convenient two-panel file manager make Elcomsoft System Recovery the perfect tool for in-field investigations.


REFERENCES:

Elcomsoft System Recovery

Reset passwords to local Windows accounts and Microsoft Account and perform a wide range of administrative tasks. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery, and create forensic disk images. Elcomsoft System Recovery is ready to boot thanks to the licensed Windows PE environment, allowing administrators to access locked computers.

Elcomsoft System Recovery official web page & downloads »