Accelerating Computer Forensics: Elcomsoft System Recovery and the Low-Hanging Fruit Strategy

July 14th, 2023 by Oleg Afonin
Category: «General»

In the world of digital investigations, the sheer volume of data and the challenge of identifying valuable evidence can be overwhelming. Often, investigators find themselves faced with the need for optimization — the ability to quickly and seamlessly identify what is valuable and requires further examination. We aim to fulfill this need by introducing a new forensic toolkit in Elcomsoft System Recovery, a powerful bootable tool designed to speed up investigations, quickly identify and collect digital evidence right on the spot.

The challenge of overburdened labs

Experts are overwhelmed with analyzing vast amounts of computers and data, which can lead to significant backlogs. Statistics show that numerous computers and disks lie dormant for months, not only leading to wasted time and effort but placing roadblocks on the way of criminal investigations. To address this issue, we have developed a streamlined approach, revolutionizing the way investigations are conducted.

Our approach

To help experts streamline investigations, we created Elcomsoft System Recovery, a portable field analysis tool for computer forensics. Built as a forensically sound computer analysis tool, Elcomsoft System Recovery enables experts to make real-time decisions on the spot. Key benefits of Elcomsoft System Recovery include:

  1. Unparalleled compatibility: By utilizing the licensed Windows PE environment, Elcomsoft System Recovery ensures exceptional compatibility across various systems and hardware configurations. This compatibility enables investigators to access digital evidence on the nearly every Windows device in existence.
  2. User-friendly experience: The tool runs off a ready-to-use bootable disk, simplifying the analysis and making it almost a one-click solution. Investigators can seamlessly navigate the interface, harnessing its power with ease and efficiency.
  3. Breaking through password barriers: Elcomsoft System Recovery’s core functionality revolves around gaining access to crucial data without knowing the user’s Windows account password. This unique feature empowers investigators, enabling them to uncover vital evidence that may have otherwise remained inaccessible.
  4. Quick access to essential data: In a matter of minutes, Elcomsoft System Recovery efficiently retrieves the most critical and valuable information. From passwords to important documents, the tool uncovers a wide array of artifacts, providing investigators with a solid foundation for decision-making.
  5. Identifying potential leads: Upon discovering potentially significant findings, Elcomsoft System Recovery allows investigators to create forensic disk images for further analysis. These images serve as a starting point for deeper exploration, facilitating a thorough examination of potential leads.
  6. Saving time and resources: By speeding up the identification and extraction of essential evidence, Elcomsoft System Recovery significantly reduces the strain on experts. This optimization frees up valuable time and resources, enabling investigators to focus on high-priority cases and complex analyses.

The “low-hanging fruit” strategy

Just like a fruit picker in an orchard, law enforcement professionals conducting digital investigations often encounter a similar concept known as the “low-hanging fruit” principle. Let’s imagine you’re strolling through an orchard, and the fruit within easy reach can be effortlessly picked as you walk by. However, if you want to reach the fruit higher up, you’ll need to drag a ladder, spending additional time and effort.

When it comes to digital investigations, the low-hanging fruit principle suggests that investigators should first target the most accessible and crucial pieces of evidence. These can include items like passwords, readily available documents, encryption keys, or logs of user activity. By swiftly and efficiently obtaining this information, investigators can establish a solid starting point for further analysis.

Applying the low-hanging fruit principle not only saves time but also allows investigators to make significant progress early on, effectively reducing or even eliminating potential backlog. By quickly gathering the most essential evidence, they can assess the situation, identify potential leads, and determine the next steps of the investigation. This strategic approach is particularly valuable when faced with limited resources or time constraints.

We designed Elcomsoft System Recovery around the “low-hanging fruit” strategy, allowing investigators to quickly gather the most critical and easily accessible evidence along with keys to encrypted disks and vaults. Since Elcomsoft System Recovery operates as a bootable disk, investigators can extract crucial data and make informed decisions on further actions on the spot. Based on the collected data, investigators can determine whether it is necessary to create a disk image and transport it to the laboratory for further in-depth analysis. This streamlined approach saves time and resources, ensuring that investigations can progress swiftly and accurately in both the field and the laboratory.

It is important to emphasize that Elcomsoft System Recovery goes beyond merely extracting a number of easily accessible forensic artifacts. It aims to provide comprehensive insights into user activity, both online and offline. The tool retrieves passwords, critical documents, and even provides visibility into the applications and files accessed by the user. While the exact list of data collected is extensive and continually expanding, rest assured that Elcomsoft System Recovery strives to quickly retrieve the maximum amount of relevant information on the spot.

Conclusion

By focusing on the most accessible and critical evidence, investigators can make swift progress and establish a strong foundation for their investigation. It is essential to balance this approach with the willingness to explore deeper, more complex areas when necessary. This strategic combination ensures a thorough and successful investigation.


REFERENCES:

Elcomsoft System Recovery

Reset passwords to local Windows accounts and Microsoft Account and perform a wide range of administrative tasks. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery, and create forensic disk images. Elcomsoft System Recovery is ready to boot thanks to the licensed Windows PE environment, allowing administrators to access locked computers.

Elcomsoft System Recovery official web page & downloads »