Elcomsoft System Recovery, a digital triage tool, receives an update, gaining the ability to view arbitrary Windows event logs, adding support for more than 800 new file system artefacts, and bringing disk imaging performance close to theoretical speed limit.

Elcomsoft System Recovery 8.34 delivers a series of technical enhancements focused on forensic flexibility and performance.

The update introduces support for over 800 new file system artefacts, expanding the scope of user and system data available during analysis. Users can now sort and filter file system artefacts using multiple parameters, making it easier to navigate large datasets during investigation. Investigators can now export these artefacts directly to external storage media for subsequent analysis. Exporting is available in raw file system format or using friendly names.

A key addition in version 8.34 is the ability to extract BitLocker recovery keys for all users stored in Active Directory. This feature analyzes the ntdis.dat file on the domain controller to enable seamless extraction BitLocker recovery keys for the entire Active Directory.

This release also adds support for hidden volumes in Windows 11. These invisible partitions, which follow unique logic in recent Windows 11 builds, can now be detected and processed.

Improvements extend to the built-in event viewer, which now supports loading EVT and EVTX log files from any location, not just standard system directories.

Finally, disk imaging performance has been significantly improved. Imaging speeds now approach the theoretical throughput limits of the underlying hardware, reducing acquisition time and improving overall efficiency.

Elcomsoft System Recovery 8.34 is available for immediate download.

Elcomsoft System Recovery is a portable field analysis tool for computer forensics. Built as a forensically sound computer analysis tool, Elcomsoft System Recovery enables experts to make real-time decisions in the field. Thanks to the Windows-based bootable environment, the tool provides quick access to digital evidence while supporting all the Windows native file systems and a wide array of computer hardware.

Designed for field deployment, Elcomsoft System Recovery comes as a pre-configured tool built on top of the supplied Windows PE environment. The tool includes powerful disk imaging and system management tools, and comes with a convenient two-panel file manager for easier navigation around the file system. Elcomsoft System is designed to simplify forensic computer triage with rapid data collection and secure disk imaging, making it an easy to use, forensically sound and extremely powerful triage tool.

Elcomsoft System Recovery 8.34 change log:

• Added more than 800 file system artifacts
• Added the ability to export file system artifacts to external storage
• Added support for Windows 11 hidden volumes
• Added the ability to extract BitLocker keys for all Active Directory users
• Event Viewer can now open arbitrary EVT/EVTX files
• Added sorting and filtering for file system artifacts
• Significantly improved disk imaging speed, now approaching theoretical limits