Elcomsoft Quick Triage receives a major update

We are releasing a major update to Elcomsoft Quick Triage (EQT), our forensic triage solution designed for rapid in-field data acquisition. Version 2.1 expands the tool's extraction capabilities, introduces substantial performance optimizations to the core engine, and adds new workflow features to assist investigators on-site.

Advanced credential and browser extraction

A primary focus of this release is expanded access to protected credentials. EQT 2.1 introduces offline decryption support for passwords stored in Chrome and Chromium-based browsers that use App-Bound Encryption (ABE). We have also added support for browsers protected by master passwords, including Yandex Browser and Gecko-based builds such as Firefox. Furthermore, the tool now supports the extraction of Entra ID and Microsoft Account credentials with fast password recovery attacks.

Optimized processing and indexing

To maintain the primary design goal of maximum acquisition speed, we have overhauled the core container format and improved the indexing engine. These changes result in a significantly faster processing workflow, smoother progress reporting and a reduced storage footprint. Search operations have also been optimized to bypass the Windows API, allowing the tool to efficiently skip unsynced "offline" files.

Workflow enhancements and edge cases

Version 2.1 brings several practical additions for field operations. Investigators can now generate a portable version of EQT directly from the interface. For drives where the operating system is unknown or unbootable, a new "data only" source type allows for immediate extraction. We have also implemented a dedicated event viewer for rapid .evtx file analysis and added fast export capabilities to CSV format.

Handling system roadblocks

This update addresses two specific issues specialists might encounter during acquisition. First, we have implemented a workaround to prevent Windows Defender from blocking EQT. However, aggressive Defender updates may still occasionally interfere: if an extraction hangs or is intercepted, the investigator must manually add an OS-level exclusion on the target machine. Second, memory dumps are temporarily disabled when Windows Memory Integrity is enabled on the computer being investigated. We are working on an updated kernel driver that will allow memory capture even when Memory Integrity is enabled.

A full list of changes in Elcomsoft Quick Triage 2.1 is available below.

Release Notes

Extraction and Decryption

  • New: Offline decryption support for passwords stored in Chrome and Chromium-based browsers with ABE protection
  • New: Support for browsers with master passwords (Yandex browser, and all Gecko-based including Firefox)
  • New: Support for Entra ID and Microsoft Accounts
  • Workaround: Implemented a workaround for Windows Defender
  • Workaround: Memory dumps are now temporarily skipped if the Memory Integrity Check is enabled

Processing, Searching, and Indexing

  • Improved: The container format is much faster and now includes new indexing
  • Improved: Data indexing in the Lucene indexing engine (less storage space, faster processing)
  • Improved: Faster search without the Windows API to skip "offline" files that are not actually synced
  • Improved: Global search improvements and fixes, alongside smoother progress on data indexing
  • New: An event viewer for .evtx files with faster search
  • New: A "data only" source type (when the OS is unknown)
  • New: Source data mapping in the container

Workflow, Exporting, and UI Enhancements

  • New: Fast export into CSV format
  • New: Portable version creation
  • New: The ability to select files or folders to be saved to the container
  • New: Calculation of the disk space needed for project storage
  • New: Source type information in smart folders
  • New: All fields now have a type description
  • New: A "Recent projects" menu
  • Fixed: Problems with smart folders (improper field names)
