All USB Cables Are Equal, But Some Are More Equal Than Others
October 17th, 2025 by Elcomsoft R&D
As we outlined in the previous article (Effective Disk Imaging: Ports, Hubs, and Power), it’s better to connect external USB-C devices (such as adapters and especially write-blockers) to a USB-C port that complies with at least the USB 3.2 Gen2 specs (10 Gbit/s). But what if your computer only has USB-A ports, or only a USB-A port is free? Obviously, you’ll need a USB-C to USB-A cable – but you’ll need to choose the right one very carefully, and that’s not the only thing that matters.
Effective Disk Imaging: Ports, Hubs, and Power
October 14th, 2025 by Elcomsoft R&D
Some time ago, we tested NVMe disk imaging performance (see When Speed Matters: Imaging Fast NVMe Drives), focusing mainly on software. This time, we turned our attention to hardware connections: which ports deliver the best results, and whether using a USB hub, active or passive, affects imaging speed and reliability.
Extracting Apple Unified Logs
October 13th, 2025 by Elcomsoft R&D
In our previous post, Extracting and Analyzing Apple sysdiagnose Logs, we explained the difference between sysdiagnose logs and Apple Unified Logs. Today we’ll show how the latest build of iOS Forensic Toolkit can pull Unified Logs directly from an iPhone or iPad during advanced logical extraction.
Cheat Sheet: Perfect Acquisition (32-bit)
October 13th, 2025 by Elcomsoft R&D
Perfect Acquisition is the most sophisticated method for extracting data from compatible iOS devices. This method is completely forensically sound; it doesn’t modify a single bit of the filesystem. When supported, this method should always be used over alternatives. This guide outlines the entire process, from acquiring the data dump to decrypting and mounting it for analysis. Note: this guide applies to iOS Forensic Toolkit 8.80 and newer, in which the process has been made easier to use.
Evidence Preservation: Why iPhone Data Can Expire
October 9th, 2025 by Elcomsoft R&D
When an iPhone is seized and later re-examined, forensic teams sometimes find that data present in an earlier extraction are missing from a subsequent backup or filesystem image. Why exactly does that happen, what kinds of data are affected, how long do they usually live, and what can you do to preserve volatile and semi-volatile artifacts? Let’s try to find out.
AI in Digital Forensics: a Tool, not an Oracle
October 3rd, 2025 by Oleg Afonin
“A core selling point of machine learning is discovery without understanding, which is why errors are particularly common in machine-learning-based science.” I could not resist the temptation to start this article with a quote by AI as Normal Technology – it captures the current state of AI-everything perfectly. Should investigators really trust black boxes running a set of non-deterministic algorithms and providing different results on every reroll? And can we still use such black boxes to automate routine operations? Let’s try to find out.
Breaking into Password Managers: from Bitwarden to Zoho Vault
September 30th, 2025 by Oleg Afonin
The latest update to Elcomsoft Distributed Password Recovery added eight additional password management tools to the list of supported data formats. The software can now attack master passwords protecting databases from Bitwarden, Dropbox Passwords, Enpass, Kaspersky, Keeper, Roboform, Sticky Password, and Zoho Vault password managers. Let’s talk about password managers – and how to handle them in a forensic lab.
iPhone 17: the End of PWM Flickering?
September 29th, 2025 by Oleg Afonin
Like the previous generation of iPhones, the iPhone 17 range employs OLED panels that are prone to flickering, which some people are sensitive to. The flickering is caused by PWM (Pulse Width Modulation), a technology used by OLED manufacturers to control display brightness. The screen flickering is particularly visible in low ambient brightness conditions, and may cause eyestrain with sensitive users. Fortunately, in this generation Apple provided a simple solution to get rid of the flickering by finally adding the DC Dimming option.
Apple Face ID: Security Implications and Potential Vulnerabilities
September 23rd, 2025 by Oleg Afonin
Since its introduction with the iPhone X in 2017, Apple’s Face ID has become one of the most widely used biometric authentication systems in the world, often praised for its convenience and technological sophistication. Yet, like any system that relies on human biology, it has its share of limitations: reports of identical twins, close relatives or young children occasionally unlocking a parent’s device have circulated since its debut.
Analyzing the Windows SRUM Database
August 15th, 2025 by Oleg Afonin
When it comes to Windows forensics, some of the most valuable evidence can be stored deep inside system directories the average user never touches. One such source of evidence is the System Resource Usage Monitor (SRUM) database. Introduced in Windows 8 and still shipping today with the latest Windows 11 updates, SRUM collects detailed historical records about application usage and network activity. This database is a perfect source of data for reconstructing the user’s activities during an investigation. In this article, we’ll review the available types of data and demonstrate a way to access the SRUM database by using a bootable tool.
