Bitlocker, PGP and TrueCrypt encryption broken (sort-of)

ElcomSoft has released a utility called Forensic Disk Decryptor that can get the data off encrypted hard drives without knowing the password. According to their web site it:

  • Decrypts information stored in three most popular crypto containers
  • Mounts encrypted BitLocker, PGP and TrueCrypt volumes


In complete decryption mode, Elcomsoft Forensic Disk Decryptor will automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to absolutely all information stored on encrypted volumes.


Elcomsoft Disk Decryptor PackageReading the technical details further, it’s not quite so amazing – they haven’t found a back-door to these encryption algorithms. Instead they’re examining the machine’s core (memory/RAM in user-land parlance) and pinching the key when they find it. This does, unfortunately, require that the machine in question is already running and decryption to be taking place ‘cos its user has already entered the password. This isn’t has hopeless as it sounds as there may be a core-dump (hibernation file) kicking around on an unencrypted hard disk, and indeed this is a known technique (one of very few) for getting data off these drives. Other methods are  scaring your suspect with a slap on the wrist if they don’t cough up the password, or running a trojan on the suspect’s PC (questionable legality).

According to ElcomSoft’s CEO, Vladimir Katalov, “Our customers asked us for a tool like this for a long, long time. We’re finally releasing a product that’s able to access encrypted volumes produced by all three popular crypto containers.”

ElcomSoft is a company that certainly knows what it’s doing, and this tool appears to automate a process that’s a PITA to do manually, but Mr. Katalov’s miraculous claims for the product shouldn’t unduly worry the user’s of this technology. It’s probably a good tool but it can’t do anything that wasn’t possible before.