Forensics: Keys for virtual machines


Elcomsoft opens encrypted virtual machines to law enforcement forensic experts. The new version 4.30 of the Elcomsoft Distributed Password Recovery product supports access to further encrypted virtual machines. Forensic experts now have access to data stored in encrypted VMware, Parallels and VirtualBox virtual machines.

Additionally, a new rules editor has been added to the UI, allowing users to edit hybrid attack rules there directly.

"Virtual machines are very common in the criminal world," explains Andy Malyshev, CEO of ElcomSoft. "By using an encrypted virtual machine, criminals can hide their activities under a virtual roof, so to speak, reducing the risk of an accidental leak of evidence. We have developed a tool that allows forensic scientists to gain access to all of this evidence by breaking the original encryption password."

Open encrypted VMware, Parallels and VirtualBox VMs for forensic experts

Elcomsoft Distributed Password Recovery decrypts virtual machines used by cybercriminals for government agencies, using high-performance GPUs.

Virtual machines provide a portable, hardware-independent environment that plays essentially the same role as a real computer. User activity performed in the virtual machine leaves traces. However, these are mostly found in the VM image files and not on the host computer. Analyzing virtual machines is therefore becoming an important part of digital forensic investigations, and doing so with the Elcomsoft product does not violate the "hacker paragraph".

Many types of virtual machines used in the criminal world can be securely encrypted. Evidence stored in such VM images can only be accessed if the investigator can provide the original encryption password. Elcomsoft Distributed Password Recovery offers a solution that enables experts to run hardware-accelerated, distributed attacks on the passwords protecting VMware, Parallels and VirtualBox virtual machines.

Technology and performance

The most common virtual machines that can encrypt the entire VM image are Parallels, VMware, and VirtualBox. The encryption strength and the resulting password recovery speeds differ significantly between these three VMs.

Parallels has the weakest protection. With only two MD5 hash iterations used to derive the encryption key, Parallels is the fastest to attack. Elcomsoft Distributed Password Recovery 4.30 achieves a very high recovery speed of 19 million passwords per second on a single Intel i7 CPU and enables the quick recovery of relatively complex passwords even without GPU acceleration.

Fast, GPU-based decryption

VMware uses about 10,000 hash rounds together with a stronger hash function, PBKDF-SHA1. A CPU-only attack achieves around 10,000 passwords per second, so GPU-assisted recovery is highly recommended. Using a single NVIDIA GeForce 2070 RTX card increases the recovery speed to 1.6 million passwords per second.

Finally, Oracle VirtualBox offers the strongest protection with the most secure encryption. With up to 1.2 million hash iterations and a variable-length encryption key, a non-accelerated, CPU-only attack reaches a recovery speed of just 15 passwords per second. The available GPU-assisted attack is a vastly faster and highly recommended option; combined with a targeted dictionary and mutation settings, it enables speeds of up to 2700 passwords per second on a single NVIDIA GeForce 2070 RTX card.
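What these recovery speeds mean when choosing a VM encryption password, as an added example that is not part of the original article or of the Elcomsoft product: it converts the guess rates quoted above into the expected search time and the minimum length of a randomly generated password. The alphabet sizes, the 100-year target and the device count are assumptions chosen for illustration.

```python
import math

# Guess rates in passwords per second, as quoted in the article above.
RATES = {
    "Parallels (CPU, Intel i7)": 19_000_000,
    "VMware (CPU)": 10_000,
    "VMware (GPU)": 1_600_000,
    "VirtualBox (CPU)": 15,
    "VirtualBox (GPU)": 2_700,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def expected_years(rate, alphabet, length, devices=1):
    """Average search time for a uniformly random password (half the keyspace)."""
    return (alphabet ** length / 2) / (rate * devices) / SECONDS_PER_YEAR


def min_length(rate, alphabet, target_years, devices=1):
    """Shortest random password whose expected search time meets the target."""
    # The expected search covers half the keyspace, so the keyspace must hold
    # at least twice the guesses an attacker can make in the target period.
    guesses = 2 * rate * devices * SECONDS_PER_YEAR * target_years
    length = max(1, math.ceil(math.log(guesses, alphabet)))
    # Correct floating-point rounding of the logarithm with exact integers.
    while alphabet ** length < guesses:
        length += 1
    while length > 1 and alphabet ** (length - 1) >= guesses:
        length -= 1
    return length


def report(alphabet=62, target_years=100, devices=1):
    """One row per quoted rate: (setup, minimum random password length)."""
    return [(name, min_length(rate, alphabet, target_years, devices))
            for name, rate in RATES.items()]


if __name__ == "__main__":
    # Assumption: passwords drawn uniformly from [A-Za-z0-9], one device.
    for name, length in report():
        print(f"{name:28s} needs >= {length} random characters")
    # Human-chosen passwords fall much faster to the dictionary and
    # mutation attacks the article mentions; these are upper bounds.
```

A distributed attack scales the rate with the number of devices, so pass `devices=` to see how much length a larger cluster costs the defender.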

New functions and editor

The newly added rule editor enables the use of hybrid attacks based on the industry-standard syntax of John the Ripper directly via the user interface. The rule editor replaces the previous mode based on the manual editing of text files.


About ElcomSoft

The software development company ElcomSoft Co. Ltd. was founded in 1990 by Alexander Katalov and has been owned by him ever since. The Moscow-based company specializes in proactive password security software for businesses and private users and sells its products worldwide. ElcomSoft aims to provide users with easy-to-use password recovery solutions to access their data. The company also provides administrators with security solutions for locating and eliminating insecure identifiers in Windows-based company networks and for recovering EFS-encrypted files.


 
