ElcomSoft Helps Investigators Access Evidence in Encrypted Virtual Machines, Adds Rule Editor


ElcomSoft Co. Ltd. updates ElcomSoft Distributed Password Recovery with support for an even wider range of encrypted and locked evidence. The update enables forensic access to evidence stored in encrypted VMware, Parallels, and VirtualBox virtual machines. In addition, the new Rule editor has been added to the user interface, allowing users editing rules for hybrid directly in the user interface.

Virtual machines are very common in the criminal world,” says Andy Malyshev, ElcomSoft s.r.o. CEO. “Using an encrypted VM allows criminals hiding their activities under a virtual umbrella, reducing the risks of an accidental leak of incriminating evidence. We built a tool to help investigators gain access to all of that evidence by breaking the original encryption password.

Breaking VMware, Parallels, and VirtualBox VMs

Virtual machines use a portable, hardware-independent environment to perform essentially the same role as an actual computer. User activities performed in the virtual machine remain to leave trails mostly in the VM image files and not on the host computer. Virtual machine analysis becomes an important factor when performing digital investigations.

Many types of virtual machines used in the criminal world can be securely encrypted. Evidence stored in such VM images can be only accessed if the investigator can produce the original encryption password. ElcomSoft Distributed Password Recovery provides a solution by allowing experts to run hardware-accelerated distributed attacks on passwords protecting encrypted VM images created by VMware, Parallels, and VirtualBox.

Technology & performance

The most common virtual machines that can encrypt the whole VM image are Parallels, VMware, and VirtualBox. The encryption strength and the resulting password recovery speeds are vastly different between these VMs.

Read More: IT Security and Privacy Compliance Policies Are Costing Enterprises Big

Parallels has the weakest protection of the trio. With only two MD5 hash iterations used to derive the encryption key, Parallels is the fastest to attack. ElcomSoft Distributed Password Recovery 4.30 reaches an unprecedented recovery speed of 19 million passwords per second on a single Intel i7 CPU, enabling speedy recovery of reasonably complex passwords even without GPU acceleration.

VMware employs some 10,000 hash rounds while using a stronger PBKDF-SHA1 hash function. A CPU-only attack results in around 10,000 passwords a second, making the supported GPU-assisted recovery strongly recommended. The use of a single NVIDIA GeForce 2070 RTX board boosts the recovery speed to 1,6 million passwords per second.

Read More: The Evolving Cyber Risks and Vulnerabilities in the Healthcare Industry

Finally, Oracle VirtualBox delivers the strongest protection with the most secure encryption. With up to 1.2 million hash iterations and a variable-length encryption key, a non-accelerated, CPU-only attack would yield the recovery speed of only 15 passwords per second. The supported GPU-assisted attack is a significantly faster and strongly recommended option along with a targeted dictionary and reasonable mutation settings, delivering the speed of up to 2700 passwords a second on a single NVIDIA GeForce 2070 RTX board.

Rule editor

The newly added Rule editor enables the use of hybrid attacks based on the industry-standard John the Ripper’s syntax directly from the user interface. The new Rule editor replaces the previous mode based on manually editing text files.