Clearing Confusion About our Password Recovery Tools

May 27th, 2020 by Oleg Afonin
Category: «General», «Tips & Tricks»

There is a bit of confusion about our software designed to allow breaking into password-protected systems, files, documents, and encrypted containers. We have as many as three products (and five different tools) dealing with the matter: Elcomsoft Forensic Disk Decryptor (with an unnamed memory dumping tool), Elcomsoft System Recovery and Elcomsoft Distributed Password Recovery, which also includes Elcomsoft Hash Extractor as part of the package. Let’s briefly go through all of them. Hopefully it will help you select the right product for your needs and save time in your investigation.

Elcomsoft System Recovery: ignite your investigation

Elcomsoft System Recovery (ESR) consists of a bootable flash drive with a pre-configured Windows PE environment and the System Recovery tool itself. The distribution package you receive includes everything needed to make that flash drive.

What do you use it for? Elcomsoft System Recovery helps you boot a live system from a flash drive and do the following:

  • If the boot drive is not encrypted, you can reset the user’s Windows account password, attempt to quickly recover that password with fast, pre-configured attacks, or extract account metadata to run a full-blown attack on another PC with Elcomsoft Distributed Password Recovery.
  • If the boot drive is encrypted, you can quickly extract encryption metadata and run a password attack on another PC with Elcomsoft Distributed Password Recovery. If the drive is encrypted with a non-password type of protector (e.g. TPM or USB key), ESR will save you time by telling you so right away.

In other words, ESR is for those situations where you have a live system (not a ‘cold’ hard drive or disk image) and don’t have much time. ESR is the perfect tool to help you ignite your investigation.

Elcomsoft Forensic Disk Decryptor: dealing with encrypted drives or disk images

Unlike ESR, Elcomsoft Forensic Disk Decryptor deals with cold hard drives or disk images if those are encrypted (or have encrypted partitions). VeraCrypt, BitLocker, TrueCrypt and other encrypted containers all fall into this category. To make matters more interesting, EFDD comes with an unnamed memory dumping tool which *is* meant to run on live systems and *not* on cold drives or disk images.

Use Elcomsoft Forensic Disk Decryptor for:

  • Attempting to decrypt or instantly mount encrypted volumes with on-the-fly encryption keys extracted from page files and hibernation files.
  • Decrypting or instantly mounting encrypted volumes in a forensically sound way with a known plain-text password.
  • Decrypting or instantly mounting encrypted volumes in a forensically sound way with escrow/recovery keys obtained from Active Directory or cloud accounts.
  • Analyzing memory dumps for on-the-fly encryption keys and using those keys to decrypt or instantly mount encrypted volumes.
  • Extracting encryption metadata (password hash, number of iterations, encryption algorithm, encryption mode etc.) and running a password attack on that metadata on another PC with Elcomsoft Distributed Password Recovery.

Use the unnamed RAM capturing tool for:

  • Dumping the RAM image of the computer being investigated. This RAM image can then be opened in Elcomsoft Forensic Disk Decryptor, which will scan the image for on-the-fly encryption keys to any encrypted volumes mounted on the computer at the time of the capture.

Elcomsoft Distributed Password Recovery: extract and attack!

It may seem simple at first glance: as the name implies, you use Elcomsoft Distributed Password Recovery for running hardware-accelerated brute-force, dictionary or hybrid attacks on the password (and sometimes on the encryption key) for several hundred formats. The “Distributed” part means you can use several thousand computers or cloud instances to perform the attack.

Sounds simple? Not so fast. Elcomsoft Distributed Password Recovery comes with a tool named Elcomsoft Hash Extractor. This tool (for sanity, let’s just call it EHE) can extract hash values and encryption metadata from a handful of file formats including office documents, password manager databases and, in the near future, compressed archives. You can then use the encryption metadata instead of the original file or document to run the attack in EDPR. Why would you want to do that? One word: privacy. Attacking a small, anonymous hash instead of the raw document helps you comply with local data protection laws, especially if you are sub-contracting password recovery or are using remote servers or cloud instances.

Use Elcomsoft Hash Extractor for:

  • Extracting hash values and encryption metadata from a handful of file formats including office documents, password manager databases and, in the near future, compressed archives. These values must be passed to EDPR for password attacks instead of the original file or document.

Think that was a bit complicated? Let me tell you that Elcomsoft Distributed Password Recovery includes a trimmed down version of Elcomsoft Forensic Disk Decryptor, and we’ll call it a day.

Use the included, stripped-down version of Elcomsoft Forensic Disk Decryptor for:

  • Decrypting or instantly mounting encrypted volumes in a forensically sound way with escrow/recovery keys obtained from Active Directory or cloud accounts.
  • Extracting encryption metadata (password hash, number of iterations, encryption algorithm, encryption mode etc.) and running a password attack on that metadata on another PC with Elcomsoft Distributed Password Recovery.

For anything above and beyond, you’ll need the full, unrestricted version of Elcomsoft Forensic Disk Decryptor that is available as a separate purchase or part of Elcomsoft Desktop Forensic Bundle or Elcomsoft Premium Forensic Bundle.

Finally, use Elcomsoft Distributed Password Recovery for:

  • Running a password recovery attack on a file or document (several hundred formats supported).
  • Running a password recovery attack on encryption metadata extracted with Elcomsoft Hash Extractor, Elcomsoft System Recovery, or Elcomsoft Forensic Disk Decryptor.

And this is what you cannot use Elcomsoft Distributed Password Recovery for:

  • NO WAY: Running a password recovery attack directly on an encrypted volume (BitLocker), disk image or container (TrueCrypt, VeraCrypt etc.). Always extract hash metadata first.
  • NO WAY: Running a password recovery attack directly on password managers’ databases. Always extract hash metadata first.

And finally, the iffy part:

  • You can, technically, use Elcomsoft Distributed Password Recovery to attack whole raw documents (e.g. Word documents, Excel spreadsheets etc.). However, if you care about data protection at all, we strongly recommend using EHE to extract encryption metadata beforehand, and then running the attack on the encryption metadata instead of the raw document.

REFERENCES:

Elcomsoft Distributed Password Recovery

Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.

Elcomsoft Distributed Password Recovery official web page & downloads »


Elcomsoft Forensic Disk Decryptor

Elcomsoft Forensic Disk Decryptor offers forensic specialists an easy way to obtain complete real-time access to information stored in popular crypto containers. Supporting desktop and portable versions of BitLocker, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt protection, the tool can decrypt all files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.

Elcomsoft Forensic Disk Decryptor official web page & downloads »


Elcomsoft System Recovery

Reset passwords to local Windows accounts and Microsoft Account and perform a wide range of administrative tasks. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery, and create forensic disk images. Elcomsoft System Recovery is ready to boot thanks to the licensed Windows PE environment, allowing administrators to access locked computers.

Elcomsoft System Recovery official web page & downloads »