What’s New in Elcomsoft System Recovery 8.34: More Data, Faster Imaging, BitLocker Key Extraction

April 29th, 2025 by Oleg Afonin
Category: «General»

We updated Elcomsoft System Recovery to version 8.34. This release focuses on expanding the tool’s data acquisition capabilities, improving disk imaging performance, and adding BitLocker recovery key extraction for systems managed via Active Directory. Here’s a technical breakdown of the changes.

Before discussing the update, a brief note on what the tool actually is. Elcomsoft System Recovery (ESR) is a portable digital forensics tool designed for on-site analysis of Windows-based systems. It enables investigators to examine computers without removing drives or booting into the installed operating system. Built on a Windows PE environment, ESR provides quick access to local storage and is compatible with all major Windows file systems and a wide range of both legacy and modern hardware. It’s especially useful in time-critical scenarios or when physical access to the system is restricted.

Added 800+ File System Artifacts

Version 8.34 introduces support for over 800 file system artifacts in addition to the already supported ones. These include user activity data, system event logs, temporary files, app execution history, and more. The goal is to maximize the volume and diversity of retrievable data, improving the chances of extracting relevant evidence quickly during the initial phase of analysis.

Below are just a few of the newly supported data types:

  • Log files of popular antivirus tools (AVG, ESET NOD32, Avira, MalwareBytes Anti-Malware, Symantec, Avast, TotalAV, F-Secure)
  • Logs, databases and files of various instant messengers (Skype, WhatsApp, Signal, Viber, MS Teams…)
  • Logs and files of VPN clients (OpenVPN, Avira VPN, ProtonVPN)
  • Logs and files of remote access tools (AnyDesk, RAdmin)
  • Logs and files of FTP/SSH tools (Robo-FTP, Free Commander, Total Commander, OpenSSH)

We have also improved support for existing formats. These include full information about all installed Web browsers, including browsing history; application usage history; a detailed list of installed apps, including installation history; and many other essential types of data.

Given the scale of data now collected, ESR introduces filtering and sorting options for artifacts. Users can control which artifact types are displayed and define sorting criteria, improving navigability during analysis.

Additionally, artifacts can now be exported directly to external storage. Two modes are available: a “raw” export that retains original folder and file names, and a simplified mode that assigns friendly file names to extracted data.

Notably, there are no existing viewers for many of these formats. Whether you need to explore all or just some of them depends on the particular circumstances.

Extracting Active Directory BitLocker Recovery Keys

A key new feature for enterprise environments is automated extraction of BitLocker recovery keys from Active Directory. This allows decrypting BitLocker volumes for any domain-joined user, which is critical when access to a system is needed urgently – for example, if a user forgets their password or during incident response involving encrypted drives.

BitLocker recovery keys are generated by the OS when encryption is first enabled. For domain-joined systems, these keys are stored in Active Directory on the domain controller. ESR can be run on a domain controller to parse the ntds.dit database and extract all available BitLocker recovery keys.
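How records pulled from Active Directory map to a specific volume, as an added example (not ESR's code or output): each msFVE-RecoveryInformation object is named with a timestamp followed by the key protector GUID, and the 48-digit recovery password consists of eight six-digit groups, each a multiple of 11 that encodes a 16-bit value. The (name, password) pair layout, the function names and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Object name layout: <ISO 8601 timestamp>{<key protector GUID>}
CN_RE = re.compile(r"^(?P<ts>[^{]+)\{(?P<guid>[0-9A-Fa-f-]{36})\}$")

def password_problems(password):
    """List format violations in a 48-digit BitLocker recovery password."""
    groups = password.strip().split("-")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9]{6}", g) for g in groups):
        return ["expected 8 groups of 6 digits"]
    problems = []
    for n, group in enumerate(groups, 1):
        if int(group) % 11:
            problems.append(f"group {n} is not a multiple of 11")
        elif int(group) // 11 > 0xFFFF:
            problems.append(f"group {n} does not fit in 16 bits")
    return problems

def passwords_for_protector(records, protector_id):
    """Well-formed (timestamp, password) pairs for one protector, newest first."""
    wanted = protector_id.strip("{}").lower()
    found = []
    for cn, password in records:  # (name, password) pairs: assumed export layout
        m = CN_RE.match(cn)
        if not m or m["guid"].lower() != wanted:
            continue
        if password_problems(password):
            continue  # damaged or mistyped entry, keep it out of unlock attempts
        found.append((datetime.fromisoformat(m["ts"]), password))
    return sorted(found, reverse=True)

def make_password(*words):
    """Build a syntactically valid password from eight 16-bit values (sample data)."""
    return "-".join(f"{w * 11:06d}" for w in words)

# Constructed sample records: GUIDs, dates and passwords are made up.
PROTECTOR_A = "{11111111-2222-3333-4444-555555555555}"
GOOD = make_password(4660, 1, 65535, 0, 300, 12345, 54321, 2)
RECORDS = [
    ("2024-06-02T14:30:00+01:00" + PROTECTOR_A, GOOD),
    ("2024-06-03T09:00:00+01:00" + PROTECTOR_A, GOOD[:-1] + "3"),  # typo in last group
    ("2024-06-04T09:00:00+01:00{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}", GOOD),
]

if __name__ == "__main__":
    print(passwords_for_protector(RECORDS, PROTECTOR_A))
```

The protector GUID to look up is the numerical password protector ID reported for the locked volume; a record that fails the format check points to a transcription or export error rather than a usable key.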

Much Faster Disk Imaging

Elcomsoft System Recovery supports forensic imaging of storage devices with data integrity preserved. In this release, the disk imaging engine was reworked and optimized to maximize performance. Our internal benchmark demonstrated nearly double the speed of the previous version when saving a compressed E01 image. The resulting performance now approaches the theoretical I/O limits of the underlying hardware, which is particularly valuable during field investigations or in scenarios with time constraints.

Access to Windows 11 Hidden Volumes

Recent builds of Windows 11 may create system volumes marked as hidden, which cannot be accessed using standard tools. ESR 8.34 adds the ability to expose these volumes for analysis. Note that altering visibility flags may compromise forensic soundness as it requires disabling read-only mode; caution is advised.

View Event Log Files from Custom Locations

Windows event logs are a vital source of forensic evidence. ESR includes a built-in viewer for EVT and EVTX files. Previously, it only supported logs from default Windows directories. The updated version can now open EVT/EVTX files from any location.
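When logs turn up outside the default directories, file names and extensions cannot be trusted, so identification has to rest on the file header. The following added example (not part of ESR) classifies a file as EVTX or legacy EVT using the publicly documented header layouts and reports whether the header is intact and whether the log was closed cleanly; the function names and sample headers are constructed for illustration.

```python
import struct
import zlib

def identify_event_log(head):
    """Classify a file by its leading bytes: EVTX, legacy EVT, or None."""
    if len(head) >= 128 and head[:8] == b"ElfFile\x00":
        # EVTX file header: chunk range, next record id, sizes, version.
        _first, _last, next_rec, _hsize, minor, major, _blk, chunks = \
            struct.unpack_from("<QQQIHHHH", head, 8)
        flags, crc = struct.unpack_from("<II", head, 120)
        return {"format": "EVTX", "version": f"{major}.{minor}",
                "chunks": chunks, "next_record": next_rec,
                # Dirty: not closed cleanly, header counters may be stale.
                "dirty": bool(flags & 0x1),
                # The stored checksum is a CRC32 of the first 120 header bytes.
                "header_ok": crc == zlib.crc32(head[:120])}
    if len(head) >= 48 and head[4:8] == b"LfLe":
        # Legacy EVT header: 0x30 bytes, with the size repeated at the end.
        size, _sig, major, minor, _start, _end, next_rec, _oldest, _max, \
            flags, _retention, end_size = struct.unpack_from("<I4s10I", head)
        return {"format": "EVT", "version": f"{major}.{minor}",
                "next_record": next_rec, "dirty": bool(flags & 0x1),
                "header_ok": size == 0x30 and end_size == 0x30}
    return None

# Constructed sample headers (not taken from a real system).
def sample_evtx(flags=0):
    fixed = b"ElfFile\x00" + struct.pack("<QQQIHHHH", 0, 2, 1234, 128, 1, 3, 4096, 3)
    fixed = fixed.ljust(120, b"\x00")
    return fixed + struct.pack("<II", flags, zlib.crc32(fixed))

def sample_evt(flags=0):
    return struct.pack("<I4s10I", 0x30, b"LfLe", 1, 1, 0x30, 0x30,
                       57, 1, 0x80000, flags, 0, 0x30)

if __name__ == "__main__":
    for name, data in [("renamed.tmp", sample_evtx(flags=1)),
                       ("old.evt", sample_evt()),
                       ("fake.evtx", b"MZ" + bytes(200))]:
        print(name, identify_event_log(data))
```

A dirty flag or a failed header check is worth recording in the examination notes, since record counts taken from such a header may not match the file's actual contents.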

Conclusion

Elcomsoft System Recovery 8.34 introduces numerous enhancements to artifact analysis, disk imaging, and encrypted volume access. This is a significant update in terms of capability and performance. If you are using the tool, we encourage updating to the latest release.

