Disk Decryptor Portable: Elcomsoft Forensic
From a forensic perspective, EFDD Portable is sound when used correctly:
When an investigator arrives at a crime scene or a suspect's residence, the suspect's computer is often turned on. This is the "golden window." If the computer is powered down, the volatile memory (RAM) is flushed, and the encryption keys are lost.
But what happens when you encounter a target computer that is still running? Rebooting the machine to install your software will wipe the RAM, destroying the very encryption keys you need. Furthermore, installing third-party software on a suspect's machine could be argued to be tampering with evidence.
Because the tool is portable, you can initiate a decryption job and physically disconnect the USB drive. The decryption process runs independently on the target drive (if you are performing an offline attack or image conversion) or on your workstation. This allows one investigator to service multiple drives simultaneously.
The standard version of EFDD requires installation. It writes to the Windows registry, installs drivers, and leaves artifacts on the host machine. For a dedicated forensic lab, this is acceptable.
: Connect the drive to the target's running system and execute the small, built-in memory imaging tool (requires administrative privileges).