 

ElcomSoft Helps Investigators Access Evidence in Encrypted Virtual Machines, Adds Rule Editor

LONDON, Oct. 23, 2020 /PRNewswire/ -- ElcomSoft Co. Ltd. updates ElcomSoft Distributed Password Recovery with support for an even wider range of encrypted and locked evidence. The update enables forensic access to evidence stored in encrypted VMware, Parallels, and VirtualBox virtual machines. In addition, a new Rule editor has been added, allowing users to edit rules for hybrid attacks directly in the user interface.

"Virtual machines are very common in the criminal world," says Andy Malyshev, ElcomSoft s.r.o. CEO. "Using an encrypted VM allows criminals to hide their activities under a virtual umbrella, reducing the risks of an accidental leak of incriminating evidence. We built a tool to help investigators gain access to all of that evidence by breaking the original encryption password."

Breaking VMware, Parallels, and VirtualBox VMs

Virtual machines use a portable, hardware-independent environment to perform essentially the same role as an actual computer. User activities performed in the virtual machine leave trails mostly in the VM image files and not on the host computer. Virtual machine analysis therefore becomes an important factor when performing digital investigations.

Many types of virtual machines used in the criminal world can be securely encrypted. Evidence stored in such VM images can only be accessed if the investigator can produce the original encryption password. ElcomSoft Distributed Password Recovery provides a solution by allowing experts to run hardware-accelerated distributed attacks on passwords protecting encrypted VM images created by VMware, Parallels, and VirtualBox.

Read more about «Breaking Encrypted Virtual Machines: Recovering VMWare, Parallels, and VirtualBox Passwords» in our blog

Technology & performance

The most common virtual machines that can encrypt the whole VM image are Parallels, VMware, and VirtualBox. The encryption strength and the resulting password recovery speeds are vastly different between these VMs.

Parallels has the weakest protection of the trio. With only two MD5 hash iterations used to derive the encryption key, Parallels is the fastest to attack. ElcomSoft Distributed Password Recovery 4.30 reaches an unprecedented recovery speed of 19 million passwords per second on a single Intel i7 CPU, enabling speedy recovery of reasonably complex passwords even without GPU acceleration.

