In recent years, technology has been growing in leaps and bounds, shaking up entire industries and fields. One field that has benefitted greatly from advancements in technology is the field of forensics.
Forensics is a field involved with using science to investigate crimes to find out why and how something happened. The field examines and comes up with evidence that might be presented in a court of law to help solve a crime.
The application of technology in forensics gave rise to a branch of forensics called digital forensics. Digital forensics involves investigating and finding evidence stored in digital devices such as mobile phones and personal computers with the aim of solving computer-related crimes.
To effectively perform their duties, people in digital forensics face one major hurdle, encryption. Encryption is a way of scrambling data into secret code to prevent access to the data by unauthorized parties. With encryption tools such as AxCrypt and NordLocker and operating systems such as Windows and macOS allowing users to encrypt their data, it becomes harder for digital forensics to recover data from digital devices.
The ubiquity of encryption tools creates the need for forensic decryption tools. These are specialized software that transform encrypted data back to their original human-readable form. Such tools are meant to help forensics gather data from encrypted files in digital devices to aid in investigating crimes.
Advantages of using forensic decryption tools
The following are some of the advantages of using forensic decryption tools:
- Speed – Forensic decryption tools allow forensic experts to decrypt large amounts of data, regardless of their complexity, in a much shorter time.
- Easy to use – To decrypt encrypted data, one needs a deep understanding of programming, mathematics, and cryptography. However, with decryption tools, you don’t need to be an expert in any of those, as decryption tools handle all the heavy lifting for you.
- More tools at your disposal – Forensic decryption tools provide you with a large array of tools to perform actions such as analyzing a computer’s registry, password recovery, and recovering deleted files in addition to decrypting files.
- Accuracy – Forensic evidence can be questioned in a court of law; hence its accuracy is very important. Forensic decryption tools undergo immense testing and can work with different algorithms in decryption, allowing you to gather very accurate data.
Factors to consider when selecting a Forensic Decryption Tool
All forensic decryption tools are not made equal. The following are considerations to make when selecting a forensic decryption tool:
- GPU acceleration – This entails making use of a computer’s graphics processing unit(GPU) to speed up the execution of intensive operations. This has the effect of greatly reducing the time needed to perform forensic decryption on large amounts of data.
- FDE Decryption – Full Disk Encryption(FDE) is a security mechanism where all data in a hard drive is encrypted by default using disk-level encryption without the need for users to perform encryption themselves. Since a lot of businesses make use of FDE, it is important to pick a tool that can decrypt full-disk encrypted hard drives.
- Supported file types – Many file types, such as archive files, word documents, pdf, etc., can be encrypted. As such, different forensic decryption tools support forensic decryption on certain file types only. As a result, while picking a forensic decryption tool, find out if it supports the type of files you want to decrypt.
- Detection of encrypted files – While doing forensic description on a large system, at times, it can be hard to search for all encrypted files which may have the needed information. As a result, picking a forensic decryption tool that can detect and show you all the encrypted files in a system will save you tons of time.
- Untraceability – The ideal forensic decryption tool should not leave any traces after decryption. The targeted files should all remain unchanged, and no footprints of a decryption exercise should be left behind. This is because investigations often benefit from being untraceable to avoid raising suspicions and countermeasures to the exercise. As a result, untraceable forensic decryption is ideal.
Currently, there are a lot of decryption tools available to forensic experts interested in digital forensics. However, not all have the same capabilities.
Here are the best forensic decryption tools to aid you in your investigations.
Passware Kit Ultimate
Passware Kit Ultimate is the latest flagship product by Passware, a company that makes password recovery and decryption tools for different users. According to their website, Passware products are used by the world’s top law enforcement agencies to crack cases that require decryption.
This decryption tool has a number of features that make it top this list.
- Password recovery for 340+ file types – Passware Kit Ultimate allows you to recover passwords from a wide range of files, including archived files, bitcoin wallets, word documents, and QuickBooks, among others. It even allows you to recover passwords encrypted by encryption tools such as AxCrypt and VeraCrypt.
- Ability to extract data and recover passwords from over 250 mobile devices ranging from iPhones to popular android brands such as Samsung, Nokia, Huawei, and LG. You can even extract data from encrypted mobile devices.
- Full Disk Decryption – Passware Kit Ultimate can decrypt or recover passwords from drives with full disk encryption.
- Hardware acceleration – Passware Kit Ultimate allows you to leverage NVIDIA and AMD GPUs to accelerate the process of password recovery and decryption, allowing you to work on a large number of files in a much shorter time.
- Decryption of Macs with Apple T2 Security Chip – Passware Kit Ultimate provides an add-on that can be used to decrypt Macs with the Apple T2 Security chip.
Passware Kit Ultimate has no free trial but offers a 30-day money-back guarantee on the product.
Elcomsoft Forensic Disk Decryptor
Elcomsoft Forensic Disk Decryptor is a decryption tool that gives you instant access to data encrypted using BitLocker, FileVault 2, TrueCrypt, Veracrypt, and PGP Disk.
Some unique features of Elcomsoft Forensic Disk Decryptor include:
- Zero-footprint operation – Using Elcomsoft Forensic Disk Decryptor leaves no footprints of the decryption operation. The entire decryption operation is undetectable.
- Provides access to encryption metadata – this feature is useful if you need to access the original plaintext password to access encrypted data.
- Real-Time Access to Encrypted Information – Elcomsoft Forensic Disk Decryptor does decryption on the fly allowing a user to mount an encrypted volume as a drive letter and have real-time access to the encrypted data.
Additionally, it offers full disk decryption and automatically searches, identifies, and displays encrypted volumes and details on the volume’s encryption settings. Elcomsoft offers a free trial version of the forensic decryptor.
Paladin forensics suite is a bootable forensic Linux distribution based on Ubuntu and is available for both 32-bit and 64-bit computers. It is developed by SUMURI, which develops software and hardware related to digital evidence, computer forensics, and eDiscovery.
Once a user boots the Paladin forensics suite, they have access to over 100 pre-compiled open-source forensic tools to perform a wide range of tasks, such as decryption, hardware analysis, messenger forensics, password discovery, and social media analysis, among others.
Some of its unique features include:
- The ability to clone devices. This is useful if you can’t remove a device’s storage media
- It has a disk manager which comes in handy when you want to easily visualize and identify attached drives and their respective partitions.
- It does automatic logging, which can be stored on any device
- Comes with Autopsy Digital Forensics Platform, which is a hard drive investigation technology built by Basis technology.
Various versions of the software are available under a ‘name your price’ offer.
Mobile Verification Toolkit(MVT)
From their GitHub page, Mobile Verification Toolkit(MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices. MVT was built and released by Amnesty International Security Lab in 2021.
This tool was developed specifically for android and ios devices to allow them to detect spyware such as Pegasus Spyware which was developed and sold to governments allowing them to spy on people’s phones.
MVT is very effective in identifying if malicious software such as spyware has been installed in an android or ios device without the user’s knowledge.
Windows Media Forensics
Windows media forensics tool comprises three parts: image analysis, video analysis, and user actions. All of these are used to analyze the photos and videos stored in the Windows Photos application. Since computers can store large amounts of photos and videos, it can be hard to go through all of them, and this is where windows media forensics comes in handy.
The tool can analyze images and videos and identify faces, people, tags, characters, and locations in the images and videos stored. It can also identify when they were captured, the camera model used, and the manufacturer of the camera.
Additionally, it allows the investigator to find out when the user made accessed the photos and videos stored and what changes were made to them. All this information is provided in a human-readable format, and the data captured can be backed up for future analysis.
CredentialsFileView is a tool for the Windows operating system that decrypts and displays the data stored in the operating system’s credential files.
The windows operating system credential files store files such as login passwords for a computer and remote computers on the computer’s LAN. It also stores passwords of windows messenger accounts, mail accounts, and passwords of password-protected websites accessed through internet explorer.
This tool works on Windows versions up to Windows 10 and supports both 32-bit and 64-bit systems.
Hashcat is a popular password-cracking tool that is widely used by penetration testers, system admins, criminals, and spies.
To safely store passwords, passwords are converted into an unintelligible string of numbers and letters by passing them through a hashing algorithm. Hashcat guesses passwords, hashes them and compares them to the stored hash, and repeats the process till the right password is found. Hashcat supports all existing hash formats and is able to use a system’s GPU to accelerate its password cracking.
Hashcat can perform different attacks to crack passwords. These attacks include dictionary attack, combinator attack, mask attack, and its most efficient attack, the rule-based attack.
If you need to crack passwords. This is your go-to tool.
John the Ripper password cracker
John the Ripper password cracker is a free and open-source password security auditing and password recovery tool. It can be used to find and crack weak passwords in a system.
This tool supports hundreds of hashes and cyphers, including hashed used in passwords stored in UNIX-based systems, Windows operating systems, macOS, web apps such as WordPress, database servers such as SQL, and encrypted private keys on cryptocurrency wallets, among others.
However, unlike Hashcat, John the ripper can use GPU Acceleration to speed up password cracking.
Forensic decryption is done using a wide range of tools, each with a unique application. Certain tools are best suited for particular tasks, such as password cracking for penetration testing, in the case of Hashcat.
To determine the right tool to aid in your investigation, it is important that you first determine the nature of your investigation and what you want to be accomplished. From there, you can then make a decision on what tool to use from the ones that have been discussed in this article.