Full disk encryption is a serious obstacle for IT professionals. When a computer with an encrypted system volume is seized, the investigation cannot proceed without breaking the encryption. Traditionally, experts first remove the hard disks, image them and work on the images. However, booting the computer from a USB stick can be enough to attack full disk encryption. With the tools produced by Elcomsoft, it is possible to obtain the keys used for encryption, and even to recover those keys from system files for volumes that are not currently mounted.
When the system volume is encrypted, there is nothing to do but break the encryption. Elcomsoft System Recovery tries several methods to recover the startup password, and can obtain the encryption keys that protect encrypted volumes within minutes by using the system's hibernation file.
This method is especially useful for devices with non-removable, soldered or non-standard storage, such as ultrabooks, laptops and Windows tablets. Experts can obtain the information needed for an attack on encrypted volumes with a few clicks.
Elcomsoft System Recovery offers a high level of compatibility and safety for all of these operations. Built on a licensed Windows PE environment, it provides broad hardware compatibility and can boot systems that have Secure Boot enabled. Moreover, it connects to disks and storage devices in read-only mode during operations, so the data obtained is forensically sound.
Creating Bootable USB Stick Using Elcomsoft System Recovery Tool
You only need a small piece of the encrypted volume to obtain the information that will be used to crack the original password. By booting the system from a Windows PE USB stick and using the Elcomsoft System Recovery tool, you can unlock Windows accounts and access encrypted volumes. The tool also makes it easy to create the bootable USB stick.
- First, install the Elcomsoft System Recovery tool.
- Plug a blank USB stick into your computer and run the tool.
- Select the target drive and file system, and make sure you choose the correct partition scheme: FAT32 MBR for older computers running BIOS; FAT32 MBR with UEFIx64 for newer computers with Secure Boot. Some devices ship with 64-bit processors but run in 32-bit mode (such as the Lenovo ThinkPad 8); for those, FAT32 MBR with the UEFIx32 scheme must be selected.
- Click Format. Elcomsoft System Recovery will create a bootable USB stick with Windows PE media and the ESR tool installed and configured.
There are two different methods you can use to access the required information.
First Method: Obtaining the Hibernation File to Access Encryption Keys
Encrypted volumes are designed to withstand attacks on their passwords. However, BitLocker Device Encryption, which is widely used, provides full disk encryption without using a password at all. Because brute-forcing passwords is time consuming, other methods have been developed.
All encrypted volumes also share a weakness. OTFE (on-the-fly encryption) keys are the binary keys the system uses to encrypt and decrypt data during normal operation. While encrypted data is being read and written, these keys are held in the system's RAM. It is also possible to obtain these keys with the Elcomsoft Forensic Disk Decryptor tool.
When the user puts the computer to sleep (rather than shutting it down), Windows enters a so-called hybrid sleep mode. During this sleep, Windows saves the contents of RAM to the computer's hard disk, so that the saved state survives a power failure. At the same time, the RAM chips continue to draw power to hold the data. If power is not lost during sleep, the computer resumes almost instantly. However, if the battery is exhausted or there is a power outage, Windows restores the saved RAM contents from the hard disk. This saved file is the hibernation file, which Windows stores as “hiberfil.sys”. The file is encrypted, but it is possible to break this encryption.
If the computer is put to sleep with an encrypted partition mounted, the OTFE keys may also be stored in the system's hibernation file. The hibernation file can be copied after booting the computer from a USB stick, and the OTFE keys of any encrypted partitions that were mounted when the computer went to sleep can be extracted from it. The Elcomsoft Forensic Disk Decryptor tool lets you extract the OTFE keys and mount or decrypt the encrypted partitions.
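The exposure described in this section (RAM, including OTFE keys of mounted volumes, being written to hiberfil.sys, and BitLocker volumes that unlock with the TPM alone) can be checked from the defender's side. The PowerShell script below is an added example, not part of the original article and not Elcomsoft's code. It reports whether hibernation and hybrid sleep are enabled on a Windows host, whether each BitLocker volume has a protector that requires pre-boot authentication rather than TPM-only unlock, and whether Secure Boot is on. The -Remediate switch name is chosen for this example; when given, it disables hibernation and hybrid sleep with powercfg, which also removes hiberfil.sys. It assumes an elevated prompt and English powercfg output.

```powershell
# Added example (not from the article and not Elcomsoft code): audit a Windows host
# for the conditions the article relies on. Run from an elevated PowerShell prompt.
# -Remediate is a switch name chosen for this example.
[CmdletBinding()]
param([switch]$Remediate)

function Get-HibernationState {
    # HibernateEnabled = 1 means Windows may write the RAM image to hiberfil.sys.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $enabled = (Get-ItemProperty -Path $key -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    # hiberfil.sys is a hidden system file, so -Force is needed to see it.
    $file = Get-Item -LiteralPath "$env:SystemDrive\hiberfil.sys" -Force -ErrorAction SilentlyContinue
    $size = if ($file) { $file.Length } else { 0 }
    # Hybrid sleep setting of the active power scheme (assumes English powercfg output).
    $query = (powercfg /query SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP) -join "`n"
    [pscustomobject]@{
        HibernateEnabled = ($enabled -eq 1)
        HiberfilBytes    = $size
        HybridSleepOnAC  = [bool]($query -match 'AC Power Setting Index:\s*0x0*1\b')
        HybridSleepOnDC  = [bool]($query -match 'DC Power Setting Index:\s*0x0*1\b')
    }
}

function Get-BitLockerPreBootAudit {
    # Protector types that demand something from the user before the OS starts.
    # A volume protected by 'Tpm' alone releases its key with no user interaction,
    # which is the "no password" case the article describes for Device Encryption.
    $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return }
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($types -join ',')
            RequiresPreBoot  = [bool]($types | Where-Object { $preBoot -contains $_ })
        }
    }
}

function Get-SecureBootState {
    # $null on legacy BIOS machines, where the cmdlet is not supported.
    try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }
}

function Invoke-PreBootAudit {
    $hib = Get-HibernationState
    $hib | Format-List | Out-Host
    Get-BitLockerPreBootAudit | Format-Table -AutoSize | Out-Host
    Write-Host ("SecureBoot: {0}" -f (Get-SecureBootState))
    if ($hib.HibernateEnabled -or $hib.HybridSleepOnAC -or $hib.HybridSleepOnDC) {
        Write-Warning 'RAM contents, including OTFE keys of mounted volumes, can be written to hiberfil.sys.'
        if ($Remediate) {
            # Disabling hibernation deletes hiberfil.sys and also turns off fast startup.
            powercfg /hibernate off
            powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
            powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
            Write-Host 'Hibernation and hybrid sleep disabled.'
        }
    }
}

Invoke-PreBootAudit
```

Volumes reported with RequiresPreBoot = False and Protectors = Tpm are the ones whose keys are loaded without any user input; adding a TPM+PIN protector closes that gap, while disabling hibernation (or, for TrueCrypt/VeraCrypt, dismounting volumes on sleep) keeps OTFE keys out of hiberfil.sys.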
To obtain the hibernation file of the system, perform the following steps:
- Install Elcomsoft System Recovery 6.0 or newer on your own computer.
- Create a bootable USB stick using the options described earlier. A stick of at least 32 GB is recommended, since the hibernation file can be large.
- Boot the target computer from the USB stick you created.
- When the boot process completes, the Elcomsoft System Recovery tool will launch. In the window that appears, check the “Disk tools” option.
- Next, select “Copy hiberfil.sys”. The entire hibernation file will be copied to your USB stick, so make sure there is enough free space on it.
- Specify where the file will be stored. By default, ESR suggests the drive you booted from. If there is not enough space on the USB drive, you can choose other media.
- You can then transfer the hibernation file to your own computer. With the Elcomsoft Forensic Disk Decryptor tool, you can extract the OTFE keys and mount or decrypt the encrypted volumes. This can take minutes, especially if the hibernation file is large.
If the encryption keys are not found in the hibernation file (for example because the encrypted volume is set to be dismounted automatically on sleep or hibernation), the encrypted partition's password must be cracked. For this, a few kilobytes of encryption metadata from the encrypted partition are needed.
Method Two: Obtaining Cryptographic Metadata and Brute-Forcing Password
The traditional approach is to disassemble the computer and image its storage devices. However, only a few kilobytes of cryptographic metadata are needed for an attack, and they can be obtained quickly without removing any hard drives.
Elcomsoft System Recovery provides read-only access to the computer's storage devices when booted from a USB stick. The tool automatically detects disk encryption on all internal and removable drives, then extracts the encryption metadata needed to run a brute-force attack on the original password of the encrypted volumes. Since encrypted volumes are designed to make password attacks very slow, running dictionary-based attacks with the Elcomsoft Distributed Password Recovery tool can speed up the work.
Since TrueCrypt and VeraCrypt use similar formats, the two cannot be told apart from the volume itself. Unfortunately, the two tools take quite different routes when it comes to password derivation, so the right tool must be specified before attacking the password.
Additionally, TrueCrypt and VeraCrypt let users choose between several encryption algorithms, and each can optionally be configured with a custom number of iterations. If the user has set a non-standard iteration count, you cannot recover the password without knowing that number, and trying all possible combinations greatly increases the attack time.
To obtain the encryption metadata, follow these steps:
- Create a bootable USB stick by following the steps we mentioned before and boot the target computer with the USB stick you created.
- When the boot process completes, the Elcomsoft System Recovery tool will open. In the window that appears, check the “Disk tools” option.
- Next, check the “Drive encryption keys” option.
- Elcomsoft System Recovery will automatically detect partitions with whole disk encryption.
- Select the unit or units you want to work with.
- Because TrueCrypt and VeraCrypt volumes use the same volume format, they cannot be distinguished automatically. At this stage you need to select the encryption type manually.
- Both TrueCrypt and VeraCrypt allow different encryption and hashing algorithms, and you need to know which were used to decrypt the volume. In this step you specify them.
- If you are unsure which encryption and hash algorithms the user chose, you can leave these values as “Unknown”. This slows the attack, since the tool has to try multiple combinations, but it is still better than choosing the wrong encryption type.
- Once the encryption metadata has been obtained, import the files into the Elcomsoft Distributed Password Recovery tool to recover the original password. Password attacks take a significant amount of time, even with powerful hardware.
If you successfully find the password, you can mount the encrypted partitions or decrypt them for offline analysis using the Elcomsoft Forensic Disk Decryptor tool.
Addendum: Using the RAM Image
If you are analyzing a live system with the user logged in, the OTFE keys can be obtained by capturing a RAM image. To capture the RAM image, run the Elcomsoft Forensic Disk Decryptor tool on the user's live system. A user account must be logged in, and that account must have administrator rights.
However, live system analysis is risky. While Elcomsoft System Recovery operates in a safe, read-only mode, live analysis is the opposite: it runs on, and changes, the target system.
To capture the RAM image, install the Elcomsoft Forensic Disk Decryptor tool on a USB stick, connect the stick to the target system, and check the “Dump physical memory” option.
Then specify the location where the RAM image will be saved and start the transfer process. You can use Elcomsoft Forensic Disk Decryptor tool to obtain OTFE keys.