Forensic Disk Decryptor 2.18 extracts VeraCrypt on-the-fly encryption keys

Elcomsoft Forensic Disk Decryptor is updated to support RAM imaging and extraction of on-the-fly encryption keys in recent versions of VeraCrypt, the most popular TrueCrypt successor. The keys are extracted for all encryption configurations.

Elcomsoft Forensic Disk Decryptor 2.18 adds the ability to extract on-the-fly encryption keys from RAM of computers running the latest versions of VeraCrypt.
VeraCrypt is the most popular successor of the open-source disk encryption tool TrueCrypt. Compared to the original, VeraCrypt offers a lot more customization options. In this update, Elcomsoft Forensic Disk Decryptor adds the ability to extract on-the-fly encryption keys from memory dumps in recent versions of VeraCrypt.

On-the-fly encryption keys are the only weakness of VeraCrypt, enabling investigators to access encrypted disks without brute-forcing the original plain-text password. The binary, symmetric encryption key is stored in the computer’s volatile memory at all times while the encrypted disk is mounted. By extracting these keys, examiners can instantly mount or decrypt encrypted disks without running password attacks and bypassing the associated complexity altogether.

Until recently, extracting VeraCrypt OTF encryption keys was straightforward. The latest VeraCrypt updates changed the way the encryption keys are handled in RAM, making the extraction of encryption keys extremely difficult. Elcomsoft Forensic Disk Decryptor 2.18 adds support for encryption keys stored by all versions of VeraCrypt including the current 1.24 Update 7. Note that EFDD 2.18 must be used to both analyze and capture memory dumps. RAM dumps created with third-party tools or older versions of EFDD will not allow discovering the encryption keys stored by recent versions of VeraCrypt.

See also