How To Decrypt A VeraCrypt Volume Image Using Passware Kit

Passware Kit (Business and Forensic Editions) provide digital forensic investigators with the powerful capability of decrypting hard disks that have been encrypted using VeraCrypt, TrueCrypt, DriveCrypt, LUKS, FileVault2, BitLocker, PGP, and McAfee EPE.

Passware Kit may function with a VeraCrypt volume file or with its image. Note that an .HC file is made by VeraCrypt. It is an encrypted file container and comprises a virtual encrypted disk.

Regarding the decryption of FileVault2/PGP/BitLocker, Passware Kit operates with image files of encrypted disks.

Digital forensic software such as EnCase and FTK Imager allow forensic professionals to create disk volume images.

Passware Kit has many capabilities, including the ability to extract every encryption key/decrypting the provided volume, and scan the physical memory image file. The physical memory image file was obtained during the time the encrypted disk was mounted in spite of the suspect’s computer being locked. Memory images may be obtained using tools such as Magnet RAM Capture and Belkasoft Live RAM Capturer.

Keep in mind that in the event that the suspect’s computer with the encrypted volume is turned off, the encryption keys are not kept in its memory, though they may be potentially recovered from the file hiberfil.sys., which is automatically made once a computer hibernates.

Ideally, you will want to take the hiberfil.sys file from the suspect’s computer or obtain a memory image. This is followed by producing an encrypted disk image and running the Passware Kit software to recover the encryption keys and decrypt the hard disk. Note that producing an encrypted disk image is not necessary for VeraCrypt and TrueCrypt.

In this tutorial, we will illustrate how to decrypt a VeraCrypt volume/hard disk image.

1. Start by going to the Passware Kit Start Page and clicking on “Full Disk Encryption”. We will see the following:

We will want to select the relevant encryption type. In this tutorial, we will be selecting VeraCrypt.

2. Under the “Encrypted VeraCrypt volume image file” section, select “Browse…”, go to the pull-down menu under the File name field and choose “All files (.)” to locate the file “vc.hc.”

We will ultimately see that the decrypted volume image will have been saved in the location specified in the “Destination file” section.

3. Under the “Physical memory image file” section, select “Browse..” and find the .bin file or the hiberfil.sys file out of the computer to which the encrypted volume was mounted. Click on the blue “DECRYPT” button.

Bear in mind that in the event that the suspect’s computer is shut down and the encrypted volume was dismounted within the final hibernation, both the hiberfil.sys file and memory image will not include the encryption keys. Hence, instant decryption of the volume is impracticable. In this instance, pick “I don’t have a memory image” and the software will allocate brute-force attacks to recover the original password for the volume.

4. Passware Kit takes out the VeraCrypt encryption key and saves the decrypted image file. The decryption could take a couple of minutes contingent on the memory image file’s size.