When accessing a locked system during an in-field investigation, speed is often the most important factor. However, maintaining digital chain of custody is just as if not more important in order to produce court admissible evidence. We are introducing new features in Elcomsoft System Recovery, our forensic triage tool, to help establish and maintain digital chain of custody throughout the investigation.

iMessage, Hangouts, Skype, Telegram, Signal, WhatsApp are familiar, while PalTalk, Pigin, Psi Jabber client, Gadu-Gadu, Gajim, Trillian, BigAnt or Brosix are relatively little known. The tools from the first group are not only more popular but infinitely more secure compared to the tools from the second group. In this publication we’ll review the authentication methods used by the various instant messengers, and attempt to extract a password to the user’s account.

Elcomsoft System Recovery is a perfect tool for digital field triage, enabling safer and more secure in-field investigations of live computers by booting from a dedicated USB media instead of using the installed OS. The recent update added a host of features to the already great tool, making it easier to examine the file system and extract passwords from the target computer.

Investigating a BitLocker-encrypted hard drive can be challenging, especially if the encryption keys are protected by the computer’s hardware protection, the TPM. In this article, we’ll talk about the protection that TPM chips provide to BitLocker volumes, and discuss vulnerabilities found in today’s TPM modules.

As opposed to live system analysis, experts performing the cold analysis are not dealing with authenticated user sessions. Instead, cold analysis can be viewed as an intermediary measure with live system analysis on the one end and the examination of a forensic disk image on another. Why and when would you use cold system analysis, what can you do and what benefits does it bring compared to the traditional approach? Read along to find out.

Accessing a locked system is always a challenge. Encrypted disks and encrypted virtual machines, encrypted files and passwords are just a few things to mention. In this article we are proposing a straightforward workflow for investigating computers in the field.

LUKS encryption is widely used in various Linux distributions to protect disks and create encrypted containers. Being a platform-independent, open-source specification, LUKS can be viewed as an exemplary implementation of disk encryption. Offering the choice of multiple encryption algorithms, several modes of encryption and several hash functions to choose from, LUKS is one of the tougher disk encryption systems to break. Learn how to deal with LUKS encryption in Windows and how to break in with distributed password attacks.

The wide spread of full-disk encryption makes live system analysis during incident response a challenge, but also an opportunity. A timely detection of full-disk encryption or a mounted crypto container allows experts take extra steps to secure access to encrypted evidence before pulling the plug. What steps are required and how to tell if the system is using full-disk encryption? “We have a tool for that”.

BitLocker is Windows default solution for encrypting disk volumes. A large number of organizations protect startup disks with BitLocker encryption. While adding the necessary layer of security, BitLocker also has the potential of locking administrative access to the encrypted volumes if the original Windows logon password is lost. We are offering a straightforward solution for reinstating access to BitLocker-protected Windows systems with the help of a bootable USB drive.

There is a bit of confusion about our software designed to allow breaking into password-protected systems, files, documents, and encrypted containers. We have as many as three products (and five different tools) dealing with the matter: Elcomsoft Forensic Disk Decryptor (with an unnamed memory dumping tool), Elcomsoft System Recovery and Elcomsoft Distributed Password Recovery, which also includes Elcomsoft Hash Extractor as part of the package. Let’s briefly go through all of them. Hopefully it will help you select the right product for your needs and save time in your investigation.