23 December 2012

Comments on Elcomsoft Forensic Disk Decryptor

24 December 2012. A2 sends:

It should work if you have access to the computer with the fresh RAM containing the master keys. Check this paper, and also some source code that they made available.

Date: Sat, 22 Dec 2012 19:38:54 -0800
Subject: CRYPTOME: Elcomsoft Forensic Disk Decryptor
To: cryptome[at]

This tool is aimed at Microsoft Windows OS-based computers that are seized in an "on" state. It cannot be used on a found USB thumb drive with encrypted PGP files on it, for example:

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order to access protected information stored in crypto containers. The encryption keys can be derived from hibernation files or memory dump files acquired while the encrypted volume was mounted. There are three ways available to acquire the original encryption keys:

By analyzing the hibernation file (if the PC being analyzed is turned off);

By analyzing a memory dump file *;

By performing a FireWire attack ** (PC being analyzed must be running with encrypted volumes mounted).

* A memory dump of a running PC can be acquired with one of the readily available forensic tools such as MoonSols Windows Memory Toolkit

** A free tool launched on investigator’s PC is required to perform the FireWire attack (e.g. Inception)

The 'Inception' FireWire memory dump tool requires a PCIe hardware interface:

A FireWire/Thunderbolt/ExpressCard/PC Card interface at both machines. If you don’t have a native FireWire port, you can buy an adapter to hotplug one. The tool works over anything that expands the PCIe bus.

Lifeguard advises using GPG (not Symantec PGP) and Linux for best security.

Subject: Re: Elcomsoft $300 decryption tool.
From: Ian Batten <igb[at]>
Date: Sun, 23 Dec 2012 11:01:49 +0000
To: UK Cryptography Policy Discussion Group <ukcrypto[at]>

On 21 Dec 2012, at 18:02, Ben Laurie <ben[at]> wrote:

On Fri, Dec 21, 2012 at 9:48 AM, Brian L Johnson <brian[at]> wrote:

"This $299 tool is reportedly capable of decrypting BitLocker, PGP, and TrueCrypt disks in real-time"

Somewhat misleadingly labeled product - it is actually a key stealing tool.

And one which makes you ponder if they're still worrying about having to rewind VHS tapes before returning them to the video rental store. People who want to scare the money from the pockets of the gullible with talk of key-stealing attacks immediately invoke the fact that Firewire ports can do DMA all over memory. Firewire ports. On Windows. In 2012. What proportion of machines does that cover? And as for practical purposes no-one is using it, how hard would it be to either disable in the BIOS or fill with Araldite?


[[ Apple, quietly, have addressed this issue with the "destroyfvkeyonstandby" option to pmset --- combined with standby and hibernatemode 3 or 25, you use standbydelay to say "on closing the lid, go to sleep, but after standbydelay seconds turn off the RAM and destroy the Filevault keys". ]]
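As an added example (not part of Ian Batten's message or of the Cryptome page), a POSIX sh audit of the pmset settings he lists, written so it can run offline against constructed `pmset -g` output; the key names are Apple's, while the sample outputs and the function names are assumptions of this example.

```shell
#!/bin/sh
# Audit a Mac's power settings for the "destroy FileVault key on standby"
# mitigation. audit_fv_standby reads `pmset -g` text on stdin, so on a Mac run:
#   pmset -g | audit_fv_standby

# Print one setting's value from pmset -g text on stdin (key match is
# case-insensitive: pmset prints DestroyFVKeyOnStandby but accepts lowercase).
pm_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Return 0 when the settings match the mitigation, 1 otherwise; print findings.
audit_fv_standby() {
    text=$(cat)
    destroy=$(printf '%s\n' "$text" | pm_value destroyfvkeyonstandby)
    standby=$(printf '%s\n' "$text" | pm_value standby)
    hib=$(printf '%s\n' "$text" | pm_value hibernatemode)
    delay=$(printf '%s\n' "$text" | pm_value standbydelay)
    ok=0
    [ "$destroy" = "1" ] || { echo "WEAK: destroyfvkeyonstandby=${destroy:-unset} (keys survive standby)"; ok=1; }
    [ "$standby" = "1" ] || { echo "WEAK: standby=${standby:-unset} (RAM is never powered down)"; ok=1; }
    case "$hib" in
        3|25) ;;
        *) echo "WEAK: hibernatemode=${hib:-unset} (need 3 or 25 so RAM can be written out and powered off)"; ok=1 ;;
    esac
    [ "$ok" -eq 0 ] && echo "OK: FileVault key destroyed ${delay:-?}s after sleep"
    return "$ok"
}

# Apply the settings from the message above (root required; delay in seconds).
apply_fv_standby() {
    sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25 standby 1 standbydelay "${1:-600}"
}

# Constructed sample outputs (not real captures): a default laptop, which
# leaves keys in powered RAM, and a hardened one.
WEAK_PMSET='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 standbydelay         10800'
HARDENED_PMSET='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 standbydelay         600
 DestroyFVKeyOnStandby 1'

if printf '%s\n' "$WEAK_PMSET" | audit_fv_standby; then :; fi
if printf '%s\n' "$HARDENED_PMSET" | audit_fv_standby; then :; fi
```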