Digital Forensics tools
ElcomSoft forensic products and tools are used for criminal investigations by the law enforcement
Break NTFS encryption and decrypt files protected with the Encrypting File System (EFS) in Windows.
| Break NTFS encryption by attacking Encrypting File System (EFS) |
| Decrypt files from users transferred to another domain, deleted accounts and disks taken offline |
| Recover encrypted files if the system partition was formatted |
| Search for encryption keys with low-level disk scan |
| Helps analyze deleted data |
all consumer and Server versions of Windows since Windows 2000 to Windows 10, NTFS, Encrypted File System (EFS), deleted users
Break into password-protected ZIP and RAR archives! Thorough low-level optimization help finish the job faster. Guaranteed recovery for certain types of archives within one hour.
| Recover passwords protecting encrypted ZIP and RAR archives |
| Known-plaintext attacks and guaranteed one-hour recovery for certain types of archives |
| Thorough optimizations deliver class-leading performance |
| Supports AES encryption found in latest RAR and ZIP formats |
ZIP/PKZip/WinZip, RAR/WinRAR, ARJ/WinARJ, ACE/WinACE (1.x), AES encryption, self-extracting archives, dictionary and brute-force attacks.
Recover many types of Windows passwords and review hidden information such as product keys. Extract Wi-Fi encryption keys (WEP and WPA-PSK), VPN, RAS and dial-up passwords, passwords to network shares and RDP.
| Extract many types of passwords from Windows systems |
| Quickly build a custom dictionary consisting of users’ existing passwords |
| Reveal passwords to network shares, RAS, dial-up and RDP connections |
| Recovers passwords that cannot be instantly extracted |
auto logon passwords, Windows user passwords, Wireless encryption keys (WEP and WPA-PSK), stored user passwords, VPN, RDP, RAS and dial-up passwords
Instantly extract account passwords from various instant messengers. Retrieve authentication credentials from more than 70 popular instant messengers such as AOL, ICQ, MSN, and Yahoo!
| Instantly extract logins and passwords from popular instant messengers |
| Retrieve hashed authentication credentials |
| Export, backup and restore passwords |
| Build password dictionaries to speed up other attacks |
more than 70 instant messengers including ICQ and ICQLite, AOL Instant Messenger, AIM Triton, AIM Pro, Yahoo! Messenger, Excite Messenger, MSN Messenger, Windows Live Messenger, Microsoft Lync 2013, Microsoft Office Communicator 2005, Google Talk, Trillian, Trillian Astra, Odigo, AT&T IM Anywhere, T-Online Messenger, Match Messenger, Jabber IM, Miranda, Tencent QQ, QQ (Africa Version), Picasa Hello, QIP Infium, Gadu-Gadu, Mail.Ru Agent, Microsoft Lync 2013, and many more
Unlocks password-protected Intuit Quicken and Quick Books documents.
| Recover original Quicken passwords with GPU-assisted attacks |
| Instantly unlock QuickBooks files by resetting the password |
| Supports documents and passwords in all languages and encodings |
| Recover passwords for localized and international versions |
Quicken 2006 through 2019, QuickBooks 2006 through 2019, most non-US versions of Quicken and QuickBooks, as well as most international versions; Intuit Quicken .QDF, QuickBooks .QBW
Instantly recover passwords protecting documents created by any product and any version of Lotus SmartSuite.
| Guaranteed instant password recovery for Lotus SmartSuite documents |
| Recover passwords of any length and complexity |
| View passwords to Lotus Organizer, Lotus WordPro, Lotus 1-2-3, Lotus Approach and Freelance Graphics documents |
| Recover FTP and proxy passwords set in Lotus SmartSuite components |
all versions of Lotus SmartSuite; Lotus Organizer, Lotus WordPro, Lotus 1-2-3, Lotus Approach and Freelance Graphics
Instantly recover account passwords from multiple email clients. In addition to local recovery, the tool can intercept network traffic from email clients by emulating POP3/IMAP servers. The built-in POP3/IMAP Server Emulator can recover POP3 and IMAP passwords from any email client ever developed, including those running on remote computers and mobile devices.
| Instantly recover passwords to popular email clients |
| Intercept POP3 and IMAP passwords with built-in POP3/IMAP Server Emulator |
| Access all relevant passwords with fully automatic extraction |
| Advanced recovery options for broken installations and corrupted email databases |
all desktop and mobile email clients via POP3/IMAP Server Emulator; local extraction for Microsoft Internet Mail and News, Eudora, TheBat! and TheBat! Voyager, Netscape Navigator/Communicator Mail, Pegasus mail, Calypso mail, FoxMail, Phoenix Mail, IncrediMail, @nyMail, QuickMail Pro, MailThem, Opera mail, Kaufman Mail Warrior, Becky!, Internet Mail
Remove password protection from documents in Microsoft Word 97/2000 and Excel 97/2000 format (as well as Office XP/2003 with default encryption) in a matter of minutes. The tool attacks 40-bit encryption keys instead of the lengthy passwords, achieving a 97% password recovery rate for Excel spreadsheets and offering unprecedented 100% recovery guarantee for Microsoft Word 97/2000 documents.
| Guaranteed recovery of 40-bit encryption in a matter of minutes |
| Unlock password-protected Microsoft Word and Excel documents in Office 97/2000 format |
| Decrypt documents saved by modern versions of Microsoft Office in Office 97/2000 Compatibility mode and Office XP/2003 with default encryption |
| Patented Thunder Tables® technology to unlock most documents in less than a minute |
Microsoft Word 97/2000 documents, Excel 97/2000 spreadsheets, 40-bit encryption, Thunder Tables®, documents saved in modern Microsoft Office in Office 97/2000 Compatibility mode.
Recover, remove or circumvent passwords protecting documents created with a variety of office suites. Break passwords to Microsoft Office documents and files in OpenOffice, Apple iWork and Hangul Office formats.
| Break passwords to all relevant office documents |
| The fastest office recovery tool on the market thanks to low-level optimization and GPU acceleration |
| Exploits all known backdoors and tricks in the Office family for instant recovery |
| Multiple video cards get the job done up to 200 times faster than CPU alone |
| Combine brute-force, dictionary and advanced attacks into a straightforward workflow |
all versions of Microsoft Office, OpenOffice, Hangul Office, Apple iWork, GPU acceleration with AMD and NVIDIA video cards, heterogeneous computing
Instantly unlock PDF restrictions and enable editing, printing and copying of locked PDF files. Recover original PDF passwords with configurable attacks. Break 40-bit encryption in under a minute with patented Thunder Tables technology.
| Unlock PDF restrictions (editing, printing and copying) |
| Break 40-bit encryption in under a minute with Thunder Tables |
| Recover original plain-text passwords with configurable attacks |
| Decrypt PDF documents encrypted with 40-bit, 128-bit RC4 and 256-bit AES encryption |
Adobe PDF, 40-bit and 128-bit RC4 encryption, 128-bit and 256-bit AES encryption, PDF with printing, copying and editing restrictions.
View user and Admin passwords in Sage PeachTree Accounting and get instant access to password-protected ACT! documents. Recover or replace passwords protecting BLB, MUD and ADF/PAD files created with ACT! software suite locally or remotely.
| Instantly access passwords protecting documents saved by all versions of ACT! |
| View user and administrator passwords in Sage PeachTree Accounting |
| Recover or reset passwords to BLB, MUD and ADF/PAD files |
| Upgrade user accounts from Restrictive to Administrative |
ACT! Premium Version, Sage PeachTree Accounting Pro, Complete, Premium, and Quantum editions; Peachtree 50 Accounting; Sage 50 Accounts, Sage 50 Accounting and Sage 50 Complete Accounting; Sage Instant Accounts, Sage Simply Accounting
Instant access to password-protected SQL Server databases - guaranteed! Change any user or administrative password protecting databases in Microsoft SQL Server format.
| Instantly reset passwords protecting Microsoft SQL Server databases |
| Passwords in any language and encoding |
| Automatic backup of the original database |
| Guaranteed password reset on supported database formats |
all versions of Microsoft SQL Server, master.mdf
Instantly recover passwords protecting Corel WordPerfect Office documents. Extract passwords from WordPerfect, Quattro Pro and Paradox in a matter of seconds.
| Instantly unlock protected documents |
| Guaranteed password recovery for multiple products |
| Recover passwords in any language and encoding |
| Recover Corel WordPerfect Lightning account passwords |
Corel WordPerfect Office, WordPerfect (.wp, .wpd), QuattroPro (.qpw, .wb?, .wq?), Paradox (.db), Corel WordPerfect Lightning account passwords
Analyze legacy BlackBerry OS backups produced with BlackBerry Desktop Software.
| Access information stored in BlackBerry OS backups |
| Decrypts BlackBerry OS backups with a known password |
| View, analyze, print and export information |
| Supports legacy BlackBerry OS backups up to and including BlackBerry 7.1 |
backups produced by BlackBerry Desktop Software for legacy BlackBerry devices; BlackBerry OS 5, 6, 7 and 7.1.
Extract everything from your Google Account. Download users’ location history, files and documents,, Contacts, Hangouts Messages, Google Keep, Chrome browsing history, search history and page transitions, Calendars, images, and a lot more.
| Download the complete set of data from Google Account |
| Extract significantly more information than available via Google Takeout |
| Authenticate without a password and bypass Two-Factor Authentication |
| Search, filter and analyze information with built-in viewer |
| Access user passwords, browsing history, contacts, location history, email and much more |
| Obtain files and documents from Google Drive |
Google Account, over-the-air acquisition, two-factor authentication, built-in viewer, Windows and Mac editions
Break complex passwords, recover strong encryption keys and unlock documents in a production environment.
| Break passwords to more than 300 types of data |
| Heterogeneous GPU acceleration with multiple different video cards per computer |
| Works 20 to 250 times faster with hardware acceleration |
| Linear scalability with low bandwidth requirements and zero overhead on up to 10,000 computers |
| Remote deployment and console management |
all versions of Microsoft Office, OpenOffice, ZIP/7zip/RAR/RAR5, PDF, BitLocker/PGP/TrueCrypt. Over 300 formats supported.
Acquire and analyze WhatsApp communication histories from multiple sources. Extract WhatsApp databases from Android phones with and without root access, download WhatsApp backups from Google Drive and iCloud Drive or extract from local and cloud iOS system backups.
| Includes WhatsApp acquisition and extraction tools for iOS and Android |
| Supports regular WhatsApp on Android and iOS and WhatsApp Business for Android |
| Comes with a built-in viewer |
| Extraction from physical devices, backups, Google and Apple cloud services |
| Automatic decryption, searching and filtering |
| All-in-one tool supplied with all relevant local and cloud acquisition tools |
WhatsApp databases and backups, Android devices with and without root, iOS system backups (local and cloud), stand-alone WhatsApp backups (Google Drive, iCloud Drive)
Instantly access data stored in encrypted BitLocker, FileVault 2, PGP, TrueCrypt and VeraCrypt containers. The tool extracts cryptographic keys from RAM captures, hibernation and page files or uses plain-text password or escrow keys to decrypt files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.
| Decrypt BitLocker, BitLocker To Go, FileVault 2, PGP, TrueCrypt and VeraCrypt volumes |
| Extract cryptographic keys from RAM captures, hibernation and page files, escrow and Recovery keys |
| Extract and store all available encryption keys |
| Instantly mount encrypted containers as drive letters |
| Capture the content of computer's volatile memory with kernel-level tool |
| Fast, zero-footprint operation |
BitLocker (including TPM configurations), FileVault 2, PGP, TrueCrypt and VeraCrypt encrypted containers and full disk encryption, BitLocker To Go, XTS-AES BitLocker encryption, RAM dumps, hibernation files, page files
Instantly extract passwords, stored forms and AutoComplete information from popular Web browsers and email clients. View individual passwords, export all data into a text file or build a perfect custom dictionary to speed up password recovery attacks performed with other tools.
| Extract passwords and autocomplete forms from all popular Web browsers |
| View individual passwords or export everything into a text file |
| Build a custom dictionary and achieve up to 70% success rates when attacking encryption passwords |
| Recover login and password information to various online services |
Microsoft Internet Explorer, Edge, Apple Safari, Google Chrome, Mozilla Firefox, Opera and Yandex Web browsers, POP3, IMAP, SMTP and NNTP passwords, Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail, Thunderbird.
Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.
| Physical acquisition for 64-bit iOS devices via jailbreak |
| Logical acquisition extracts backups, crash logs, media and shared files |
| Unlocks iOS devices with pairing records (lockdown files) |
| Extracts and decrypts protected keychain items |
| Real-time file system acquisition |
| Automatically disables screen lock for smooth, uninterrupted acquisition |
all generations of iPhone, iPad, iPad Pro and iPod Touch with and without jailbreak; Apple Watch and Apple TV 4 and 4K; all versions of iOS from iOS 7 to iOS 12
The complete mobile forensic kit in a single pack. Perform physical, logical and over-the-air acquisition of smartphones and tablets, break mobile backup passwords and decrypt encrypted backups, view and analyze information stored in mobile devices
| Tools for logical, physical and over-the-air acquisition of mobile devices |
| Over-the-air acquisition of iOS devices, Microsoft and Google accounts |
| iCloud acquisition with or without the password |
| Breaks passwords to mobile backups with GPU acceleration |
| Access to deleted evidence and forensically sound extraction |
physical, logical and over-the-air acquisition of all generations of iOS devices (iPhone, iPad and iPod Touch); decrypts BlackBerry OS and BlackBerry 10 backups; over-the-air acquisition of Windows devices and Google accounts; WhatsApp acquisition (iOS, Android). Where available, Windows and Mac editions are included.
Decrypt information stored in macOS (OS X) keychain and build a custom dictionary for password recovery tools in just a few clicks.
| Extract, decrypt and export the content of the system and all user keychains |
| Build custom dictionaries with users’ real passwords to improve password recovery attacks |
| Use extracted Apple ID password to download iCloud backups (with Elcomsoft Phone Breaker) |
| Save time compared to using Apple Keychain Access |
| Export full keychain data into an unencrypted XML file |
all versions of macOS up to and including the latest version; macOS (OS X) keychain, Wi-Fi passwords, Apple ID password, password to iTunes backups, AirPort and TimeCapsule passwords, passwords to Web sites and accounts, VPN, RDP, FTP and SSH passwords, passwords to mail accounts including Gmail and Microsoft Exchange, passwords to network shares, iWork document passwords
All password recovery tools in a single value pack. Unlock documents, decrypt archives, break into encrypted containers with an all-in-one password recovery bundle.
| Breaks passwords to several hundred formats |
| Works 20 to 200 times faster with hardware acceleration using conventional video cards for GPU acceleration+ |
| Distributed attacks with excellent scalability on up to 10,000 computers |
| Includes all relevant password recovery tools in a single discounted package |
all versions of Microsoft Office, OpenOffice, NFS Encrypted File System, Windows and macOS passwords, macOS Keychain, ZIP/RAR/RAR5, PDF, BitLocker/PGP/TrueCrypt and many more. Instantly extracts passwords from instant messengers, email clients, Web browsers and many other products. Several hundred formats supported.
Perform logical and over-the-air acquisition of iOS devices, break into encrypted backups, obtain and analyze backups, synchronized data and passwords from Apple iCloud.
| Break passwords and decrypt iOS backups with GPU acceleration |
| Decrypt iCloud Keychain and Messages with media files and documents from iCloud |
| Obtain synchronized data from Apple and Microsoft accounts |
| Download iCloud backups and synced data with or without Apple ID password |
local iOS backups (iTunes); iCloud and iCloud Drive backups; iCloud synced data (call logs, photos, browsing history etc.) Microsoft Account (with valid authentication credentials); iCloud authentication tokens.
Analyze information extracted with ElcomSoft and third-party acquisition tools with a fast, lightweight viewer. Decrypt and view iOS backups and synced data, browse iOS file system images, analyze iCloud Photo Library and access synchronized data with ease.
| Lightweight forensic viewer requiring no learning curve |
| Analyze data extracted by ElcomSoft acquisition tools |
| Export evidence to continue analysis in third-party tools |
| View information unavailable in other forensic tools |
local iOS backups (iTunes), iCloud backups, iOS synced data (call logs, browsing history and so on).
Reset passwords to local Windows accounts and Microsoft Account in all versions of Windows. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery. Supplied with bootable Windows PE environment.
| Reset passwords to Windows accounts |
| Dump password hashes and extract hibernation files to attack encrypted volumes |
| Recover both local accounts and Microsoft Account passwords |
| Customized Windows PE environment with broad hardware compatibility and genuinely native FAT and NTFS support |
Windows 7, 8, 8.1, Windows 10; Windows Vista, Windows XP, Windows 2000, Windows NT; all relevant Windows Server versions; 32-bit and 64-bit systems; Windows PE with 32-bit and 64-bit UEFI and legacy BIOS configurations; familiar Windows GUI; SAM/SYSTEM and Active Directory
Audit security of your wireless network by running a high-profile timed attack. Use dedicated or generic Wi-Fi adapters to sniff wireless traffic and break WPA/WPA2 passwords.
| GPU-accelerated dictionary attacks on WPA/WPA2 passwords |
| Probe security of your Wi-Fi environment with timed attacks |
| Built-in Wi-Fi sniffer using AirPCap and generic Wi-Fi adapters |
| Intercepts limited Wi-Fi traffic, continues working offline |
WPA and WPA2-PSK passwords, AirPCap and generic Wi-Fi adapters, GPU acceleration with consumer video cards.
Audit security policies, examine network security and recover account passwords by running a timed attack on account passwords.
| Determine how secure your corporate network is by performing a network security audit |
| Test the strength of passwords protecting user accounts |
| Expose weak account passwords |
| Perform attacks with brute force, with a dictionary, or with a mask, from inside or outside of your network |
| Recover up to 95% of passwords in minutes from the inside with Rainbow attack |
network passwords, user account passwords; brute-force, dictionary and pre-computed hash tables attacks; online and offline recovery