Password Recovery and Data Decryption: Getting Around and About

February 22nd, 2023 by Oleg Afonin
Category: «General», «GPU acceleration», «Tips & Tricks»

Access to encrypted information can be gained through various methods, including live system analysis (1 and 2), bootable forensic tools, analysis of sleep/hibernation files, and exploiting TPM vulnerabilities, with password recovery being the last option on the list. Each method has different resource requirements; try them in order from least resource-intensive to most time-consuming, keeping password recovery as the last resort. Familiarize yourself with the different encryption recovery strategies and learn about data formats with weak protection or known vulnerabilities.

Why password recovery is your last resort

When presented with encrypted evidence, one’s immediate thought is “I need to break a bunch of passwords”. Decrypting protected information by recovering the original plain-text password is the most straightforward approach, but also the least efficient one. Since most encryption formats are designed to withstand password attacks with hundreds of thousands of rounds of hashing, the time required to break even a simple password can be days, months, or years. In real life, the chance of successfully breaking encryption by attacking passwords is low. For example, the authors of When Encryption Baffles the Police: A Collection of Cases describe as many as 55 criminal cases that involved data encryption. In 17 of them, encryption was fully or partially broken, which amounts to an approximately 30% success rate.

You may be able to improve this success rate by employing alternative techniques to decrypt information rather than attacking plain-text passwords. If access to the encrypted digital evidence takes precedence over retrieving the plain-text password (which is not always the case, e.g. Windows Account Passwords: Why and How to Break NTLM Credentials), a number of more efficient solutions may be available. The recovery methods for accessing protected data pose very different resource requirements, such as the time spent by the expert to set up the attack and the time required to carry out the attack. We recommend trying the least resource-intensive methods first and only resorting to more time-consuming methods (such as brute force) when all other options have been exhausted. The following are our preferred recovery methods:

  1. Encrypted disks and virtual machines: Live system analysis. This method, if available, enables the retrieval of binary encryption keys and/or imaging of the file system of a mounted disk without the need for lengthy brute-force attacks.
  2. Live system analysis: If you have access to an authenticated user session, make the most of it before shutting down the computer. Even if full-disk encryption is not used, some data (such as DPAPI-protected items) will only be accessible when the user signs in with their password. DPAPI-protected items include passwords saved in web browsers (Chrome, Edge, etc.), passwords for network shares, keys, tokens, and certificates.
  3. Computer in sleep/hibernation: Analyze page/hibernation files for disk encryption keys (using Elcomsoft Forensic Disk Decryptor). Keep in mind that volatile virtual machine images may also be stored in RAM.
  4. Consider using bootable forensic tools (such as Elcomsoft System Recovery) to quickly image built-in storage media and extract encryption metadata.
  5. BitLocker disks: Consider using TPM vulnerabilities to unlock the BitLocker boot drive before removing storage media for imaging.
  6. Encrypted disks: Analyze hibernation and page files with Elcomsoft Forensic Disk Decryptor (searching for encryption keys). An authenticated user session is not necessary for this analysis.
  7. Some data formats have weak protection or known vulnerabilities. Familiarize yourself with these formats (such as Microsoft Office documents saved in legacy formats like .doc/.xls instead of .docx/.xlsx); e.g. Decrypting Password-Protected DOC and XLS Files in Minutes.
  8. Use the “low hanging fruit” strategy and prioritize files with weak protection.
  9. Password recovery. This should only be used as a last resort, but you may have options such as a smart attack and/or custom dictionaries made up of the user’s other passwords (for example, extracted from the keychain/web browsers).
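A small triage helper for the “low hanging fruit” strategy of steps 7 and 8, added here as an example and not part of the original article: it looks at the container signature of each file and orders the work queue so that legacy .doc/.xls files come before AES-encrypted OOXML documents. File names, byte samples and the priority tiers are constructed assumptions for illustration.

```python
"""Order protected Office files by expected recovery effort ("low hanging fruit" first)."""
from dataclasses import dataclass
from pathlib import PurePath

# OLE compound file signature: used by legacy .doc/.xls and by password-encrypted OOXML files
OLE_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# ZIP local-file header: an OOXML package that is NOT password-encrypted starts this way
ZIP_MAGIC = b"PK\x03\x04"

LEGACY_OFFICE = {".doc", ".xls"}
OOXML = {".docx", ".xlsx"}


@dataclass(frozen=True)
class Triage:
    name: str
    container: str
    priority: int   # 0 = nothing to break, 1 = attack first, 3 = last resort
    note: str


def classify(name: str, head: bytes) -> Triage:
    """Classify one file from its name and its first bytes (at least 8 bytes expected)."""
    ext = PurePath(name).suffix.lower()
    if head.startswith(ZIP_MAGIC) and ext in OOXML:
        return Triage(name, "zip", 0, "plain OOXML package: no password protection, open directly")
    if head.startswith(OLE_CFB_MAGIC):
        if ext in LEGACY_OFFICE:
            return Triage(name, "ole", 1, "legacy binary Office format: weak protection (e.g. 40-bit RC4), attack first")
        if ext in OOXML:
            return Triage(name, "ole", 3, "encrypted OOXML (AES, slow KDF): last resort")
        return Triage(name, "ole", 2, "OLE container with unknown payload: inspect manually")
    return Triage(name, "unknown", 2, "unrecognised container: inspect manually")


def build_queue(files):
    """files: iterable of (name, first_bytes). Returns Triage records ordered for the analyst."""
    return sorted((classify(n, h) for n, h in files), key=lambda t: (t.priority, t.name))


# Constructed sample inputs (signature bytes followed by padding), not real evidence.
SAMPLES = [
    ("memo.docx", OLE_CFB_MAGIC + b"\x00" * 8),       # password-encrypted OOXML
    ("budget.xls", OLE_CFB_MAGIC + b"\x00" * 8),      # legacy Excel 97-2003
    ("report.docx", ZIP_MAGIC + b"\x14\x00\x06\x00"),  # unencrypted OOXML
    ("notes.bin", b"\x00\x01\x02\x03"),                # unknown format
]

if __name__ == "__main__":
    for t in build_queue(SAMPLES):
        print(f"[{t.priority}] {t.name:12s} {t.container:8s} {t.note}")
```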

More information:

Elcomsoft Distributed Password Recovery

Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.

Elcomsoft Distributed Password Recovery official web page & downloads »

Elcomsoft Forensic Disk Decryptor

Elcomsoft Forensic Disk Decryptor offers forensic specialists an easy way to obtain complete real-time access to information stored in popular crypto containers. Supporting desktop and portable versions of BitLocker, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt protection, the tool can decrypt all files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.

Elcomsoft Forensic Disk Decryptor official web page & downloads »

Elcomsoft System Recovery

Reset passwords to local Windows accounts and Microsoft Accounts and perform a wide range of administrative tasks. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery, and create forensic disk images. Elcomsoft System Recovery is ready to boot thanks to the licensed Windows PE environment, allowing administrators to access locked computers.

Elcomsoft System Recovery official web page & downloads »