Accelerating digital forensics: Elcomsoft System Recovery boosts efficiency in forensic analysis

Elcomsoft System Recovery, a bootable forensic analysis tool for Windows, receives an update that introduces several new features designed to enhance efficiency and simplicity during in-field investigations. The updated tool enables the collection, extraction, and analysis of essential artifacts available on the computers being investigated.

The primary focus of this update is to streamline the analysis of digital evidence during in-field investigations by expanding the collection of bootable forensic tools. With the updated version of Elcomsoft System Recovery, investigators can now collect and extract essential artifacts from the computers they are examining by booting from a designated USB device, without the need to remove and image the disks. These artifacts include crucial items such as a copy of the user's Windows registry, important DPAPI and encryption keys, system credentials, various system and event logs, as well as page and hibernation files that can be scanned for encryption keys used by BitLocker and third-party disk encryption tools.

This new tool follows a strategy known as “low-hanging fruit”: investigators quickly gather the most critical and easily accessible evidence, along with keys to encrypted disks and vaults. Importantly, Elcomsoft System Recovery operates as a bootable disk, allowing investigators to extract crucial data and make informed decisions on-site. Based on the collected data, investigators can determine whether it is necessary to create a disk image and transport it to the laboratory for further in-depth analysis. This streamlined approach saves time and resources, ensuring that investigations can progress swiftly and accurately in both the field and the laboratory.

Moreover, it's important to emphasize that Elcomsoft System Recovery goes beyond merely extracting a number of easily accessible forensic artifacts. It aims to provide comprehensive insights into user activity, both online and offline. The tool retrieves passwords, critical documents, and even provides visibility into the applications and files accessed by the user. While the exact list of data collected is extensive and continually expanding, rest assured that Elcomsoft System Recovery strives to quickly retrieve the maximum amount of relevant information on the spot.

Elcomsoft System Recovery is a portable field analysis tool for computer forensics. Built as a forensically sound computer analysis tool, Elcomsoft System Recovery enables experts to make real-time decisions in the field. Thanks to the Windows-based bootable environment, the tool provides quick access to digital evidence while supporting all the Windows native file systems and a wide array of computer hardware.

In terms of deployment, Elcomsoft System Recovery comes pre-configured as a tool built on top of the supplied Windows PE environment. It includes powerful disk imaging and system management tools, along with a user-friendly two-panel file manager that simplifies navigation within the file system.

Elcomsoft System Recovery 8.31 change log:

  • Added “Forensic artifacts” tab for quickly searching, exporting, and analyzing essential digital artifacts