Elcomsoft System Recovery 6.0 Extracts Hibernation Files and Data to Break Full Disk Encryption Passwords

Elcomsoft System Recovery 6.0 is a major update with enhanced full-disk encryption support. The update makes it easy to process full-disk encryption by simply booting from a flash drive. The tool automatically detects full-disk encryption, extracting and saving information required to brute-force passwords to encrypted volumes. In addition, the tool can save the system’s hibernation file to the flash drive for subsequent extraction of decryption keys for accessing encrypted volumes.

We updated Elcomsoft System Recovery with significantly improved support for encrypted volumes, offering faster access to encrypted evidence compared to the traditional workflow. Once you boot from the ESR flash drive, the tool will automatically detect full-disk encryption, extract and store the data that is required to brute-force passwords to encrypted volumes.

Elcomsoft System Recovery can automatically detect full-disk encryption with BitLocker, PGP, and TrueCrypt/VeraCrypt containers, automatically extracting the bits of data required to attack the volume’s encryption password and saving them to the flash drive you have booted from. The data can be readily imported into Elcomsoft Distributed Password Recovery, allowing you to quickly launch the attack on full-disk encryption. This workflow takes significantly less time than imaging the hard drive and extracting the values from the disk image, allowing you to start the attack at an earlier stage of the investigation.

Full-disk encryption passwords can be difficult to break. A quicker alternative to brute-forcing the password might be available if the computer was hibernated (with either the Hibernate or Hybrid Sleep option) while the encrypted partition was mounted. If this is the case, the decryption key can be stored in the system’s hibernation file. This decryption key can be quickly extracted and used to instantly mount or decrypt the encrypted volume with Elcomsoft Forensic Disk Decryptor without lengthy attacks.

In addition, Elcomsoft System Recovery is updated to support the latest builds of Windows, adding support for Windows 10 October 2018 Update and Windows Server 2019. The update enables users to attack system passwords and dump password hashes from the most recent versions of Windows.

There are numerous other improvements. The full changelog includes:

  • New: automatic detection of full disk encryption
  • New: automatic extraction of the data required for recovering passwords of encrypted containers (BitLocker, PGP, TrueCrypt/VeraCrypt)
  • New: the ability to save hiberfil.sys to the flash drive (allows extracting decryption keys for encrypted volumes)
  • Added support for the latest builds of Windows 10
  • Added support for Windows Server 2019
  • Added support for user-defined dictionaries (wordlists) with mutations
  • Added the ability to search for SYSKEY passwords (in addition to resetting)
