Passware Kit Business and Passware Kit Forensic decrypt hard disks encrypted with:
Passware Kit scans the physical memory image file (acquired while the encrypted disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume. Such memory images can be acquired using third-party tools, such as Passware Bootable Memory Imager, Belkasoft Live RAM Capturer, ManTech Physical Memory Dump Utility, Magnet RAM Capture, Digital Collector, MAGNET DumpIt, osxpmem or win32dd.
If the target computer with the encrypted volume is powered off, the encryption keys are no longer stored in its memory, but they can possibly be recovered from the hiberfil.sys file, which is created automatically when a system hibernates.
NOTE: If the target computer is turned off and the encrypted volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns brute-force attacks to recover the original password for the volume, which is a time-consuming process.
Overall Disk Decryption Steps with Memory Image:
- Acquire a memory image of the target computer, or take the hiberfil.sys file from it.
- Create an encrypted disk image.
- Run Passware Kit to recover the encryption keys and decrypt the hard disk.
Below are the steps to decrypt a hard disk image.
Decrypting a Hard Disk (VeraCrypt container)
Passware Kit can work with either a VeraCrypt volume file (.HC, encrypted file container) or with its image. For BitLocker/FileVault2/PGP decryption, Passware Kit works with image files of encrypted disks. Disk volume images can be created using third-party tools, such as FTK Imager, X-Ways Forensics, OpenText EnCase Forensic, DD, or tools from other third-party companies.
1. Click Full Disk Encryption on the Passware Kit Start Page. This displays the screen shown below:
2. Click on the corresponding encryption type, e.g. VeraCrypt. This displays the screen shown below:
3. In the Encrypted VeraCrypt volume image file field, click Browse…, select All files (*.*) from the pull-down menu of the File name field, and locate the file vc.hc.
The decrypted volume image will be saved in the Destination file location.
4. In the Physical memory image file field, click Browse… and locate file .bin (or the hiberfil.sys file from the computer to which your encrypted volume was mounted). Click Decrypt:
NOTE: If the target computer is turned off and the encrypted volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to the “I don't have a memory image” option, and Passware Kit will assign brute-force attacks to recover the password for the volume.
Passware Kit Forensic also recovers passwords for TrueCrypt and VeraCrypt containers and volumes protected with keyfiles. In the password recovery setup (on the “I don't have a memory image” tab), Passware Kit allows a user to specify one or more keyfiles to check in combination with the passwords. As a result, Passware Kit displays the recovered password, which can be used to mount the volume using the specified keyfiles.
5. Passware Kit extracts the VeraCrypt volume encryption key and uses it to decrypt the container. The software also displays the VeraCrypt encryption algorithm used to protect the volume:
Comments
Please create a download link for this page.
This page has a link: https://support.passware.com/hc/en-us/articles/115002145727-How-to-decrypt-Full-Disk-Encryption
Do you mean anything else?
Hi, does this software decrypt files that are encrypted with Western Digital's WD Security software?
Meanwhile, I have my hard drive password, but I entered a mistake and unfortunately my hard drive was formatted!
Hello,
We do not yet support Western Digital's WD Security, but you can vote for this feature on our website: https://passware.uservoice.com/forums/172281-passware-kit
It has been the highest voted encryption type feature request for a while, I see. Can you give us an estimate on how long this will take before it is implemented?
Dear Menno,
We will consider adding this file type to the research queue. I cannot provide you with a more specific time frame at the moment.
Dear Yana,
1-) I want to attack my encrypted disk by selecting the McAfee Endpoint Encryption option from the encrypted disk option. But when I show the image to the Passware Kit Forensic 2020.2.3 software, I get the error "this a encrypted container file, please choose a mcafee end point file". What could be the reason for this?
2-) Also, what fixed signature value do I need to read in the hex structure of the disk encrypted with McAfee encryption?
Thank you.
Dear Yavuz,
I will be glad to assist you via our Support system directly.
Thanks for sharing the valuable information.
Does it support password recovery from fully encrypted Android image files?
@xxunlock We support only smartphones with up to Android 4.x versions at the moment.
Is there any way to decrypt a FileVault2 encrypted disk with a known recovery code?
@Yaniv Schiff Yes, you can decrypt FileVault images with a known Recovery Key. I have provided you with more details via direct email.
Hello, what about DiskCryptor?