Working with the program
At the main program screen, the following options are available:
Decrypt or mount a disk
See Decrypt or mount disk for details.
Extract keys
Once the disk is mounted into the system (unlocked), the system keeps the encryption keys in the system's volatile memory (RAM), allowing the keys to be extracted or obtained from a memory dump or hibernation file (if the system hibernated with encrypted disks mounted). See Extract keys for more details.
Extract/prepare data
If the password is not known and no recovery keys, memory dump or hibernation file are available, the only option left is to recover the original password using a time-consuming brute-force or dictionary attack. EFDD can extract the data required for further recovery. You can use that data in Distributed Password Recovery for effective password cracking.
First, select the data source:
For the first two options, the program lists all available partitions and detects the encryption, if any. The Container option is for PGP (.pgd) and TrueCrypt/VeraCrypt containers (the latter may have an arbitrary extension).
The data extracted with EFDD can be further used for password recovery with Distributed Password Recovery.
Dump physical memory
Once the disk is mounted into the system (unlocked), the system keeps the encryption keys in the RAM. If you have access to the live system, the keys can be obtained easily. Select the file to dump the memory to, and press Start. This operation requires Administrator privileges.
Create portable version
This option creates a portable version of the program that can run from a removable drive. The portable version differs from the normal version as follows:
• Portable version does not require installation; run 'efdd.exe' to operate
• Portable version does not include an option to create another portable version
• Portable version cannot mount disks (it can just decrypt)