Most people meet these four tools one product page at a time, which makes them look like four separate purchases for four separate problems. On a real desktop case they are closer to four stages of a single job. Each one hands its output to the next: Elcomsoft System Recovery and Elcomsoft Quick Triage pull the raw material off the machine, Forensic Disk Decryptor turns keys into mounted volumes, and Distributed Password Recovery grinds through whatever is left. In this article we will not go through the feature lists (the product pages do that job well enough); instead we will look at when to reach for each tool, and why the order in which you use them is not fixed but decided by the situation in front of you.
If you have read Password Recovery and Data Decryption: Getting Around and About, the logic here will feel familiar. The idea is the same: try the least resource-intensive method first, and leave the brute force for the end. The four tools in the Desktop Forensic Bundle are simply that idea packaged as a pipeline.
When you arrive at a machine, your immediate thought is often “I need to break a bunch of passwords”. In practice that is the last thing you want to do, and whether you have to do it at all depends on two questions you answer at the scene.
The first: is the machine on or off? A running, unlocked system is holding things a powered-off one is not, most importantly the encryption keys sitting in RAM while a volume is mounted. Power it down and much of that is gone. So the state of the machine when you walk up to it decides which tool goes first.
The second: if the system disk is encrypted (assuming BitLocker), do you have a key, or do you need to find one? Can you use a bypass? Every encrypted volume you hit sends you down one of two roads. If a key is within reach (from memory, from a hibernation file, from an escrow or recovery key, or because you already know the password), you decrypt and move on in seconds. If not, your options can be limited as attacking BitLocker system disk encryption is not a simple matter of extracting a piece of metadata and handing it to a GPU cluster.
Keep those two questions in mind and the four tools mostly sort themselves.
Many things depend on what exactly you have before you: an authenticated user session? A locked or hibernated computer? A machine that was abruptly pulled from the power grid? The answer changes everything.
This is the good case, and it is also the one where haste actually pays off. Elcomsoft Quick Triage runs against the live session and collects the high-value artifacts (saved browser and email passwords, history, messenger data, documents, Windows credentials, DPAPI-protected items) into a single open VHDX container. It indexes as it goes, so you can search across everything on the spot and decide whether this box is worth a full acquisition or not. We wrote more about the tool itself in Introducing Elcomsoft Quick Triage.
The part that is genuinely time-sensitive: if encrypted volumes are mounted right now, their keys are in memory. Elcomsoft Quick Triage can capture a memory image, and so can Forensic Disk Decryptor with its own kernel-level RAM imager. Grab that dump before anything is powered off. This is the difference between mounting the container in a few seconds later on and attacking it for weeks, and it is the one window that does not reopen once the machine goes dark. The same reasoning applies to running virtual machines, whose volatile images live in RAM as well. For the background on pulling live keys, see Live System Analysis: Extracting BitLocker Keys.
Not sure whether there are any encrypted volumes to begin with? The free Encrypted Disk Hunter answers that in one pass before you commit to pulling the plug. While we’re at it, check out the other Free forensic tools we have to offer.
No live session means no keys in RAM, so the priority shifts to a clean acquisition. Elcomsoft System Recovery boots the target from your USB stick into a Windows PE environment that comes up read-only by default; nothing touches the original disk unless you deliberately clear the write-blocking option. From there you can:
Elcomsoft System Recovery also runs its own artifact sweep (registry, event logs, credentials, DPAPI keys), so you can make the keep-or-image decision on-site instead of hauling everything back and looking blind. There is more on this in Elcomsoft System Recovery: A Swiss Army Knife of Desktop Forensics.
A word on the overlap: Elcomsoft System Recovery and Elcomsoft Quick Triage both collect artifacts, and that is deliberate, not redundant. Elcomsoft System Recovery works from outside a booted OS (machine off, or no working credentials); Elcomsoft Quick Triage works from inside a live session (machine on and unlocked). You choose based on how you found the machine, not on which of the two you happen to own.
By now you have a disk image, an encrypted container, or a memory dump. Which road you take depends entirely on whether a key is within reach.
Elcomsoft Forensic Disk Decryptor takes any of the following and gives you the data:
Feed it one of those and you either decrypt the whole container or mount it as a drive letter for real-time, read-as-you-go access. It covers BitLocker (including BitLocker To Go and TPM setups), FileVault 2 on HFS+ and APFS, PGP Disk, TrueCrypt, VeraCrypt, LUKS/LUKS2 and Jetico BestCrypt. This is the fast lane: no attack, no waiting.
If there is no key to be found anywhere, Forensic Disk Decryptor (or Elcomsoft System Recovery) extracts the encryption metadata, a tiny file, and that is what goes to the password recovery stage. Worth pointing out for anyone handling sensitive material: only that small piece of metadata leaves the machine, never the encrypted data itself, so you can push it to a remote or cloud cluster without the content going along with it.
Elcomsoft Distributed Password Recovery is the heavy end of the pipeline, and it is where everything the other three collected gets cashed in:
Elcomsoft Distributed Password Recovery scales across GPUs and across machines with effectively linear speed-up, and once it has the metadata it runs offline, which is the whole reason we extract hashes instead of shipping data around.
One habit worth building in at this point is the “low hanging fruit” approach we keep coming back to (see May the [Brute] Force Be with You). Everything Elcomsoft Quick Triage and Elcomsoft System Recovery recovered along the way, the browser passwords, Wi-Fi keys, password hints and security answers, makes excellent material for a custom dictionary. People reuse and mutate their passwords far more than they’d like to admit, so trying what you already know about the subject before launching a blind brute force turns a good number of “weeks” into “minutes”. In effect, the earlier tools build Distributed Password Recovery wordlist for you. When it comes to ordering the attacks themselves, Building a Password Recovery Queue covers how to arrange the queue so the fast attacks run first.
Here’s a brief summary:
| Situation at the scene | Reach for | What you get out |
|---|---|---|
| Machine running, unlocked | Elcomsoft Quick Triage | Live artifacts, passwords, memory image, on-the-fly search |
| Encrypted volume mounted right now | Elcomsoft Quick Triage / Forensic Disk Decryptor (memory capture) | Keys from RAM, the window that closes on shutdown |
| Machine off, or no working login | Elcomsoft System Recovery | Read-only imaging (E01 plus hash), password reset or hashes, encryption metadata |
| Container plus a key in hand | Forensic Disk Decryptor | Instant decrypt or mount |
| Container, no key | Forensic Disk Decryptor / Elcomsoft System Recovery then Distributed Password Recovery | Metadata out, GPU attack on the password |
| Windows, document, VM or archive password needed | Distributed Password Recovery | The plain-text password, offline and accelerated |
Read top to bottom it looks like four stages, acquire, triage, decrypt, recover, but you rarely walk all four in a straight line. You branch on machine state at the top and on key availability in the middle, and quite often you are done by the end of stage two without ever touching a brute-force attack.
The main reason these four tools ship as a bundle is the discount, of course, as the bundle does come out well ahead of buying the tools one at a time on a single, synchronized license period. But it is also that the handoffs are built in. Elcomsoft System Recovery and Forensic Disk Decryptor export encryption metadata in the exact format Distributed Password Recovery expects. The keys Elcomsoft Quick Triage and Forensic Disk Decryptor scrape out of memory are what Forensic Disk Decryptor then mounts with. Own three of the four and sooner or later you hit the case that stalls because the tool that does the next step simply is not on the shelf.
Taken separately, each of these is a capable tool in its own right. Taken together, they are a pipeline, which is how the work actually runs.
Trial versions of Elcomsoft Quick Triage, Forensic Disk Decryptor and Distributed Password Recovery are available on their respective product pages if you would like to walk the workflow before committing.
![]()
A complete suite of ElcomSoft password recovery tools allows corporate and government customers to unprotect disks and systems and decrypt files and documents protected with popular applications. The password recovery suite features the latest and most advanced cryptanalysis algorithms developed by ElcomSoft Research department.
Elcomsoft Desktop Forensic Bundle official web page & downloads »
![]()
Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.
Elcomsoft Distributed Password Recovery official web page & downloads »
![]()
Elcomsoft Forensic Disk Decryptor offers forensic specialists an easy way to obtain complete real-time access to information stored in popular crypto containers. Supporting desktop and portable versions of BitLocker, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt protection, the tool can decrypt all files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.
Elcomsoft Forensic Disk Decryptor official web page & downloads »
![]()
Every tool we make in a deeply discounted value pack. The complete suite of ElcomSoft password recovery tools allows corporate and government customers to extract data from mobile devices, unlock documents, decrypt archives, break into encrypted containers, view and analyze evidence. The password recovery suite features the latest and most advanced cryptanalysis algorithms developed by ElcomSoft Research department, while the mobile forensic tools enable access to critical evidence stored in physical devices, local backups and cloud services.
Elcomsoft Premium Forensic Bundle official web page & downloads »
![]()
Elcomsoft Quick Triage is a tool designed to rapidly extract and analyze the most important evidence from a target computer or disk. It is equally effective during on-site operations and in laboratory environments, helping investigators make informed decisions at the earliest stages of an investigation.
![]()
In order to preserve digital evidence, the chain of custody begins from the first point of data collection. Elcomsoft System Recovery employs a forensically sound workflow to ensure that digital evidence collected during the investigation remains court admissible. The workflow implements read-only, write-blocking access to the target computer, and saves collected evidence in the form of digitally signed, verifiable disk images, making Elcomsoft System Recovery a viable alternative to hardware-based write blocking disk imaging devices while offering real-time access to crucial evidence.