Hard Disk Decryption

 
     
     
     
   
   
     
     
   
  Today I was able to open a TrueCrypt Volume in a very important case. All the relevant information for the case has been in there. Other products have failed before. Thank you Passware!
Matthias Berg,
Hessisches Landeskriminalamt,
Detective Inspector.

Wow! I have worked with and taught a number of forensic software tools, but Passware Kit Forensic is the top dog. From lost passwords to complete Bitlocker and TrueCrypt Volume recovery. This is an absolute must for security and IT Professionals.
Andy Malone,
Microsoft MVP,
Cybercrime Security Forum & Microsoft TechEd 2010 Speaker.

 
     
     
 

Passware Kit Enterprise and Passware Kit Forensic decrypt hard disks encrypted with BitLocker, TrueCrypt, FileVault2, or PGP.

BitLocker is a data protection feature available in Windows systems starting from Vista. TrueCrypt is a software application that creates virtual hard disks with real-time encryption.

Passware Kit scans the physical memory image file (acquired while the encrypted disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume. Such memory images can be acquired using Passware FireWire Memory Imager (included in Passware Kit Forensic), or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.

If the target computer with the encrypted volume is powered off, the encryption keys are no longer in its memory, but they can possibly be recovered from the hiberfil.sys file, which is created automatically when a system hibernates.

NOTE: If the target computer is turned off and the encrypted volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, Passware Kit assigns brute-force attacks to recover the original password for the volume.
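
The conditions described above (an unlocked encrypted volume, a FireWire port, a hibernation file) can be checked on a host you administer. The PowerShell below is an added example, not Passware code; the function name `Get-MemoryKeyExposure` is hypothetical, and it assumes Windows 8 or later, an elevated session, and reports BitLocker volumes only (TrueCrypt, FileVault2 and PGP mounts are not detected).

```powershell
# Added example: report, for the local host, the conditions this page relies on.
# Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell session.

function Get-MemoryKeyExposure {
    # 1. Hibernation: hiberfil.sys on the system drive can hold a copy of RAM.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -ErrorAction SilentlyContinue
    $hiberPath = Join-Path $env:SystemDrive 'hiberfil.sys'
    # -Force is needed because hiberfil.sys is a hidden system file.
    $hiberFile = Get-Item -LiteralPath $hiberPath -Force -ErrorAction SilentlyContinue
    $hiberSizeMB = 0
    if ($hiberFile) { $hiberSizeMB = [math]::Round($hiberFile.Length / 1MB) }

    # 2. FireWire: IEEE 1394 host controllers that are present (PnP class "1394").
    $fireWire = @(Get-PnpDevice -Class '1394' -PresentOnly -ErrorAction SilentlyContinue)

    # 3. BitLocker volumes that are encrypted and currently unlocked (mounted).
    $unlocked = @()
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $unlocked = @(Get-BitLockerVolume | Where-Object {
            $_.VolumeStatus -ne 'FullyDecrypted' -and $_.LockStatus -eq 'Unlocked'
        })
    }

    [pscustomobject]@{
        HibernateEnabled    = ($power.HibernateEnabled -eq 1)
        HiberfilPresent     = [bool]$hiberFile
        HiberfilSizeMB      = $hiberSizeMB
        FireWireControllers = $fireWire.FriendlyName
        UnlockedVolumes     = $unlocked.MountPoint
    }
}

$report = Get-MemoryKeyExposure
$report | Format-List

# Flag the combination the page describes: a mounted volume plus a way to
# obtain a copy of memory (live over FireWire, or from the hibernation file).
if ($report.UnlockedVolumes -and
    ($report.FireWireControllers -or $report.HiberfilPresent)) {
    Write-Warning 'Unlocked encrypted volume and a memory-capture path are both present.'
}
```

A locked screen does not change the result: as the page notes, the memory image is usable even if the target computer was locked, so only dismounting the volume or powering off without hibernation removes the keys from these sources.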

Overall Disk Decryption Steps

  • Acquire a memory image of the target computer, or take the hiberfil.sys file from it.
  • Create an encrypted disk image (not required for TrueCrypt).
  • Run Passware Kit to recover the encryption keys and decrypt the hard disk.

Below are the steps to decrypt a hard disk image. Please refer to Passware Kit Help for detailed instructions.

Acquiring Memory Image Using Passware FireWire Memory Imager

If the target computer is turned off, but the encrypted volume was mounted during the last hibernation, skip this step. Take the hiberfil.sys file from the target computer or its hard drive image and use this file as a memory image for decryption.

Requirements for Memory Acquisition:

  • The target computer is turned on and the encrypted volume is mounted.
  • Both the target computer and the computer used for acquisition have FireWire (IEEE 1394) ports.
  • A FireWire cable.

1. On the Passware Kit Start Page click Recover Hard Disk Passwords (or press Ctrl+D), and then click Passware FireWire Memory Imager:

[Screenshot: Recover Hard Disk Passwords]

The following screen appears:

[Screenshot: Create FireWire Memory Imager USB]

Insert a blank USB flash drive and click Next.
2. Passware Kit copies the necessary files to the USB flash drive. The Passware FireWire Memory Imager USB drive is ready:

[Screenshot: Memory-imaging USB Drive Ready]

3. Restart your computer.
4. Passware FireWire Memory Imager starts:

[Screenshot: Passware FireWire Memory Imager]

5. Connect the target computer with a FireWire cable. Press Next.

[Screenshot: Passware FireWire Memory Imager]

6. The memory imaging process starts:

[Screenshot: Passware FireWire Memory Imager]

7. Unplug the FireWire cable, remove the USB flash drive, and press Reboot to restart your PC.
8. The memory image of the target computer (a memory.bin file) is created on the USB flash drive.

Decrypting the Hard Disk

Passware Kit can work with either a TrueCrypt volume file (.TC, encrypted file container), or with its image. For BitLocker/FileVault2/PGP decryption, Passware Kit works with image files of encrypted disks. Disk volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD.

1. Click Recover Hard Disk Passwords on the Passware Kit Start Page. This displays the screen shown below:

[Screenshot: Recover Hard Disk Passwords]

2. Click on the corresponding encryption type, e.g. BitLocker. This displays the screen shown below:

[Screenshot: TrueCrypt]

3. Click Browse… and locate the encrypted volume file or its image file.
4. Click Browse… and locate the physical memory image (memory.bin) or the hiberfil.sys file from the computer to which your encrypted volume was mounted.

NOTE: If the target computer is turned off and the encrypted volume was dismounted during the last hibernation, neither the memory image nor the hiberfil.sys file will contain the encryption keys. Therefore, instant decryption of the volume is impossible. In this case, switch to “The volume is dismounted” option, and Passware Kit will assign brute-force attacks to recover the password for the volume.

5. For TrueCrypt, FileVault2 and PGP decryption, click Browse… and select the location and name of the destination file (the image of the decrypted volume).
6. Click Next.

This procedure initiates the decryption process. The decryption might take several minutes depending on the size of the memory image file. The figure below shows a sample result.

[Screenshot: TrueCrypt Volume Decrypted]

Now you can open your hard disk using the recovered encryption key, or extract an image of the decrypted disk.

 
 
 
 
     
   
     
   
     
   
     
Copyright © 1998-2014 Passware