Perfect Acquisition Part 5: Perfect APFS Acquisition
July 21st, 2025 by Elcomsoft R&D
Welcome to Part 5 of the Perfect Acquisition series! In case you missed the previous parts, please check them out for background information. This section provides a comprehensive guide to performing the Perfect APFS Acquisition procedure.
Issues Affecting Forensic Disk Imaging
July 10th, 2025 by Oleg Afonin
We previously tested disk imaging speeds using high-performance storage devices. But raw speed is only part of the equation. Even under ideal conditions, getting a fully correct and complete image can be tricky. And achieving peak speed consistently is even harder – many factors can slow things down, and sometimes even corrupt the results. In this article, we explore the key reasons why both speed and accuracy can fall short during disk imaging.
AI-Driven Password Recovery: Myth or Reality?
July 8th, 2025 by Oleg Afonin
Artificial intelligence is everywhere – from phones that guess your next move to fridges that shop for you. It’s only natural to ask whether AI can help in a more serious domain: digital forensics, specifically password cracking. The idea sounds promising: use large language models (LLMs) to produce rules and templates for guessing highly probable password variants, prioritizing the most likely ones first. But in practice, things aren’t so straightforward.
Installing and Troubleshooting the Extraction Agent (2025)
July 2nd, 2025 by Oleg Afonin
Over the years, we’ve published numerous guides on installing the iOS Forensic Toolkit extraction agent and troubleshooting issues. As both the tool and its environment evolved, so did our documentation – often leading to outdated or scattered information. This article consolidates and updates everything in one place, detailing the correct installation and troubleshooting procedures.
Extracting and Analyzing Apple sysdiagnose Logs
June 27th, 2025 by Oleg Afonin
Apple’s unified logging system offers a wealth of information for forensic investigators analyzing iOS, iPadOS, watchOS, tvOS, and other devices from Apple ecosystems. Originally designed for debugging and diagnostics, these logs capture a continuous stream of detailed system activity – including app behavior, biometric events, power state changes, and connectivity transitions. In digital forensics, where traditional sources of evidence like backups or app data may be encrypted or inaccessible, the logs provide an alternative and often untapped reservoir of forensic artifacts. This article explores the content, availability, and forensic value of Apple logs collected via sysdiagnose across different device types, focusing on practical methods for extraction and analysis using modern forensic tools.
The 16 Billion Passwords Panic: What Really Happened and Why It Matters (Or Doesn’t)
June 23rd, 2025 by Oleg Afonin
In June 2025, headlines shouted that 16 billion passwords had leaked. Major outlets warned that credentials for Apple, Google, and other platforms were now exposed. As expected, this triggered a wave of public anxiety and standard advice: change your passwords immediately. Upon closer examination, however, technical sources clarified the situation. This was not a new breach, nor did it expose fresh credentials. The dataset was an aggregation of previously leaked databases, malware logs from infostealers, junk records and millions of duplicate entries. Essentially, it was old material, repackaged and redistributed under a sensational label. For digital forensics teams, however, the question remains open: could this kind of dataset be useful in real-world password recovery? In this article, we will explore if massive password leaks have practical value in the lab.
Apple Ecosystem: Overlooked Devices
June 18th, 2025 by Oleg Afonin
When it comes to digital evidence, most investigators naturally focus on smartphones – and occasionally tablets. But the rest of the Apple ecosystem often goes unnoticed: Apple Watch, Apple TV, HomePod, even older iPod Touch models. These supplementary devices might seem irrelevant, but they can contain valuable digital artifacts: activity logs, Wi‑Fi credentials, leftover bits and pieces of information, system logs, and even synced photos.
What TRIM, DRAT, and DZAT Really Mean for SSD Forensics
June 2nd, 2025 by Oleg Afonin
If you’re doing forensic work today, odds are you’re imaging SSDs, not just spinning hard drives. And SSDs don’t behave like HDDs – especially when it comes to deleted files. One key reason: the TRIM command. TRIM makes SSDs behave different to magnetic hard drives when it comes to recovering deleted evidence. This article breaks down what TRIM actually does, how SSDs respond, and what forensic experts need to know when handling modern storage.
iOS Extraction Tip: Why Start with Recovery Mode?
May 30th, 2025 by Oleg Afonin
When performing forensic tasks on Apple devices, the order in which you enter device modes can make a big difference. While DFU mode is necessary for certain extractions, especially using checkm8, going straight into DFU might not be your best option. Starting with Recovery Mode offers several advantages that make it a safer, faster approach. By entering Recovery Mode first, you reduce the risk of unexpected data changes, minimize delays, and ensure the device stays in a stable state. Let’s take a closer look at why starting with Recovery Mode is the better approach for your extraction process.
Why Every Digital Forensics Lab Needs a Good USB Hub
May 23rd, 2025 by Oleg Afonin
In modern digital forensics, a reliable USB hub isn’t just a convenience – it’s a critical piece of lab infrastructure. With today’s laptops (especially MacBooks) offering only one or two USB-C ports – often occupied by power adapters – connecting all the required equipment becomes a real challenge. USB hubs help bridge this gap, solving port limitations, improving device compatibility, and even increasing the stability of the checkm8 exploit used for iPhone data extraction. This article explains why and where to use USB hubs shine in forensic workflows and how to choose the right model for your lab.
