Elcomsoft System Recovery
Reset or recover passwords to local Windows accounts and Microsoft Accounts in all versions of Windows. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery. Create forensic disk images. It is supplied with a bootable Windows PE environment.
- Perform forensically sound extractions
- Reset passwords to Windows accounts
- Extract encryption metadata from TrueCrypt, VeraCrypt, Bitlocker, FileVault (HFS+/APFS), PGP Disk, LUKS and LUKS2 encrypted disks
- Create forensic disk images
- Recover passwords to local accounts, Microsoft Accounts and Wi-Fi networks
- Customized Windows PE environment with broad hardware compatibility and genuinely native FAT and NTFS support
Supports: Windows 7, 8, 8.1, Windows 10, Windows 11; Windows Vista, Windows XP, Windows 2000, Windows NT; all relevant Windows Server versions; 32-bit and 64-bit systems; Windows PE with 32-bit and 64-bit UEFI and legacy BIOS configurations; familiar Windows GUI; SAM/SYSTEM and Active Directory
Description
Forensically Sound Extractions, Verifiable Disk Imaging
During an in-field investigation, speed is often the most critical factor when accessing a locked system. However, maintaining a digital chain of custody is crucial when producing court-admissible evidence. Elcomsoft System Recovery contains features to help establish and maintain a digital chain of custody throughout the investigation.
The chain of custody begins from the first point of data collection to preserve digital evidence. Elcomsoft System Recovery employs a forensically sound workflow to ensure that digital evidence collected during the investigation remains court-admissible. The workflow implements read-only, write-blocking access to the target computer and saves collected evidence in the form of digitally signed, verifiable disk images, making Elcomsoft System Recovery a viable alternative to hardware-based write-blocking disk imaging devices while offering real-time access to crucial evidence.
Write-blocking disk access
Elcomsoft System Recovery helps produce court-admissible evidence with write-blocking mode and read-only disk imaging. The write-blocking mode is engaged by default during the first steps of running Elcomsoft System Recovery, ensuring no data is modified on the target computer. Write-blocking disk access is the tool’s default behaviour. Experts must explicitly untick the “read-only” box to access system management functionality such as resetting Windows user and administrative passwords.
Verifiable disk imaging
The disks can be imaged into verifiable E01 images. Together with read-only access, the use of hashing helps establish a digital chain of custody while employing the industry standard. The E01 format makes the images compatible with third-party forensic tools for comprehensive analysis. Whether the disk is imaged into the RAW/DD format or the newly supported E01 format, Elcomsoft System Recovery calculates a hash file and places it alongside the image. The hash values calculated during collection can be used to authenticate evidence at a later stage.
Improved Full-Disk Encryption Workflow
Elcomsoft System Recovery makes accessing data stored in encrypted disks and containers easier. With automatic detection of encrypted volumes, ESR will automatically extract hashes required to launch an attack[1] on the password of the encrypted volume, saving them to the flash drive to offer faster access to encrypted evidence compared to the traditional workflow. In addition, ESR can extract and save hibernation files that may contain encryption keys to access information stored in encrypted volumes. These keys can be used to instantly mount encrypted volumes or decrypt their content for offline analysis[2].
Encrypted Virtual Machines
In the world of hi-tech crime, encrypted virtual machines have become one of the most widely used cover-up tools. Manually locating such virtual machines can be an involved and time-consuming process. We made your work easier by finding many types of encrypted virtual machines automatically. Better yet, ESR will automatically capture the encryption metadata you’ll need to launch the attack on the VM encryption password in Elcomsoft Distributed Password Recovery.
Reset or Recover Windows Account Passwords
Up to 40% of support calls are related to forgotten passwords and locked logins. Elcomsoft System Recovery helps instantly reset Windows system passwords, enabling system administrators to regain access to locked Windows accounts. Supporting local Windows accounts, network domains, and Microsoft Accounts, Elcomsoft System Recovery is a must-have tool for network administrators, IT professionals, and security specialists.
Reset or Recover SYSKEY Passwords
SYSKEY passwords were a dubious and controversial way to add an extra layer of security to Windows login. Used in older versions of Windows, SYSKEY passwords were removed from Windows 10 and Windows Server 2016 release 1709. An unknown SYSKEY password blocks Windows startup and prevents the ability to recover or reset the user’s account password.
Elcomsoft System Recovery can reset SYSKEY passwords to restore the system’s normal boot operation. Before resetting a SYSKEY password, ESR will check whether this operation is safe for the system.
In addition, Elcomsoft System Recovery allows looking up cached SYSKEY passwords in various system databases and cache files before resetting.
Instant Reset and Configurable Attacks
Elcomsoft System Recovery can reset account passwords instantly while supporting pre-configured attacks to recover the original passwords. In addition, users can upload their own custom dictionaries for high-performance dictionary attacks with up to 4 levels of mutations.
Elcomsoft System Recovery unlocks locked and disabled user and administrative accounts in Windows 7, 8, 8.1, and Windows 10, as well as many legacy versions of Windows including Windows Vista, Windows XP, Windows 2000 and Windows NT, along with the corresponding Server versions up to and including Windows Server 2019. Both 32-bit and 64-bit systems are supported.
Ready to Boot, Immediate Assistance, Easy to Operate
Elcomsoft System Recovery comes with everything needed to quickly create a bootable DVD or USB flash drive. The image is based on a customised Windows PE environment and comes pre-configured with several drivers to allow a seamless experience in most legacy and cutting-edge hardware configurations.
Create a bootable USB drive or DVD disc in a few easy steps for immediate assistance. Elcomsoft System Recovery comes with 32-bit and 64-bit UEFI and legacy BIOS configurations, allowing you to create bootable media for all types of systems.
The genuine Windows PE environment offers complete access to the familiar Windows graphical user interface. No command line scripts and no poor imitations of the Windows GUI!
Case Studies
Elcomsoft System Recovery is an all-in-one security tool for Windows accounts. It helps detect and resolve various issues related to user and administrative account passwords.
- Perform forensically sound data collection
- Do in-field analysis and disk imaging
- Collect court-admissible evidence during in-field investigations
- Assign Administrator privileges to any user account
- Enable and unlock locked and disabled user accounts
- Create a forensic disk image for subsequent in-lab analysis
- Change and reset passwords for any local accounts
- List all local user accounts and highlight Administrator accounts
- Look up account privileges
- Detect accounts with empty passwords
- Instantly recover certain passwords to special/system accounts (e.g. IUSR_, HelpAssistant, etc.)
- Backup and restore SAM/SYSTEM files
- Optionally restore original SAM/SYSTEM files after successful logon with a new password
Feature List
Windows versions support
- Supports Windows XP/Vista/7, Windows 8/8.1, Windows 10, Windows 11
- Supports Windows NT/2000/XP workstations
- Supports Windows NT/2000/2003-2022 servers
- Creates bootable media for 32-bit and 64-bit BIOS
- Creates bootable media for 32-bit and 64-bit UEFI
- Supports Windows 8/8.1/10 Live! (Microsoft) accounts
General Features
- Based on Windows PE
- Create a bootable CD or USB flash drive
- Collect crucial evidence and establish a digital chain of custody
- Create verifiable forensic disk images
- Reset password to user accounts
- Dump password hashes for local and domain accounts for further recovery
Advanced features
- In-place recovery of 4 through 6-digit Windows Hello PIN codes on systems without a TPM
- Locate encrypted virtual machines and extract encryption metadata for subsequent password recovery
- Extract Wi-Fi passwords
- Reveal Windows license keys
- Browse the file system, copy and view files with a two-panel file manager
- Multilingual user interface
- Supports all RAID/SCSI/SATA devices
- Automatic mode (list of installed systems)
- Manual mode (browse for Registry files)
- Reset the local Administrator password
- Backup/restore SAM
- Enable/unlock Administrator account
- Unlock BitLocker volumes (if one of the disk protectors is known or available)
- Create bootable media for macOS computers
- Extract hash dumps from TrueCrypt, VeraCrypt, Bitlocker, FileVault (HFS+/APFS), PGP Disk, LUKS and LUKS2 encrypted disks
- Extract password hints and control questions and answers
- Reset passwords to cached AD credentials
- Highlight accounts with Administrator rights
- Look up account privileges
- Enable/unlock disabled/locked accounts
- Give Administrator privileges to any user account
- Recover passwords for some system accounts
- Reset the Domain Administrator password
- Dump password hashes for AD accounts
- Backup/restore NTDS.DIT
- Show LM/NTLM hashes
- Show password history hashes
- Test short and simple passwords
- SAM database editor
- Reset SYSKEY security
- Look up SYSKEY passwords
License, maintenance, delivery
- Instant download
- One year of free updates
- Licensed for business use
System requirements
Windows
- Windows 11/10/8.1/8/7/Vista/XP/2000 (32 bit and 64 bit; all editions)
- Windows Server 2022/2019/2016/2008/2003
Uninstallation procedure: To uninstall the product, follow the standard procedure via Control Panel—Programs and Features or use the Uninstall link from the product’s folder in the Windows Start menu.