Why Every Digital Forensics Lab Needs a Good USB Hub
May 23rd, 2025 by Oleg Afonin
In modern digital forensics, a reliable USB hub isn’t just a convenience – it’s a critical piece of lab infrastructure. With today’s laptops (especially MacBooks) offering only one or two USB-C ports – often occupied by power adapters – connecting all the required equipment becomes a real challenge. USB hubs help bridge this gap, solving port limitations, improving device compatibility, and even increasing the stability of the checkm8 exploit used for iPhone data extraction. This article explains why and where to use USB hubs shine in forensic workflows and how to choose the right model for your lab.
Installing iOS Forensic Toolkit on Linux
May 22nd, 2025 by Oleg Afonin
For a long time, the macOS version of iOS Forensic Toolkit remained the most feature-complete. Only macOS supported bootloader-level acquisition using checkm8, installation of the extraction agent with regular Apple IDs, and use of wireless adapters for Apple Watch analysis. All of these capabilities are now available in the Linux build as well, eliminating the need for a Mac in many workflows. This guide explains how to properly install and use EIFT on a Linux system.
The Linux Edition Goes Live
May 20th, 2025 by Oleg Afonin
Acquiring data from iOS devices can be a complex task, particularly when performing bootloader-based extractions leveraging the checkm8 exploit. Traditionally, these extractions required access to a macOS computer. However, the Linux edition of iOS Forensic Toolkit offers a practical and efficient solution for forensic investigators who may not have macOS readily available. With minimal functional differences between the Mac, Windows, and Linux editions, the toolkit’s new, bootable Live Linux version allows for seamless bootloader-level extractions, booting from an external device and utilizing all the necessary tools without the need for a Mac.
Breaking into the Ecosystem: How One Weak Link Can Unlock a Secure Device
May 19th, 2025 by Oleg Afonin
A forensic examiner receives a locked smartphone – a recent-model iPhone, encrypted and secured with an unknown passcode. No tool works, checkm8 long obsolete, USB port locked. Is this a dead end? Not quite. iPhones don’t operate in isolation. They’re part of a digital ecosystem, and ecosystems often have weak points. This article explores how gaining access through a weak link can compromise even the most secure smartphone.
iOS Forensic Toolkit Now Supports All Models of Apple Watch
May 15th, 2025 by Oleg Afonin
We’ve released an important update to iOS Forensic Toolkit: the Toolkit expands logical acquisition to all newer models of Apple Watch starting from Apple Watch Series 6 (with a wired third-party adapter), Apple Watch Series 7 through 10, SE2, Ultra, and Ultra 2 (via a special wireless adapter). With this update, the Toolkit supports the complete range of Apple Watch devices with no gaps or omissions.
Extraction Agent: Offline Extraction with All Developer Accounts
May 15th, 2025 by Oleg Afonin
We are excited to announce an update to Elcomsoft iOS Forensic Toolkit that solves a long-lasting issue connected to the installation and use of the low-level extraction agent. In version 8.70, we introduce a critical improvement: you can now sideload and launch the extraction agent completely offline using any Apple Developer account – regardless of when it was created. What exactly changed, and what does that mean for you? Read along to find out.
Microsoft Goes Passwordless: Forensic Implications of Passwordless Microsoft Accounts
May 14th, 2025 by Oleg Afonin
Microsoft has officially announced that newly created Microsoft Accounts will now be passwordless by default for “simpler, safer sign-ins”. This change extends the direction set by Windows 11, where traditional passwords have been gradually phased out in favor of more secure and user-friendly authentication methods – such as PIN codes, biometrics, and passkeys. In this article, we will evaluate the forensic implications of this move.
Forensic Implications of BitLocker-by-Default in Windows 11 24H2
May 8th, 2025 by Oleg Afonin
The Windows 11 24H2 update introduced a change in Microsoft’s approach to disk encryption, a shift that will have long lasting implications on digital forensics. In this release, BitLocker encryption is automatically enabled on most modern hardware when installing Windows when a Microsoft Account (MSA) is used during setup. Encryption starts seamlessly and silently in the background, covering even Home editions and consumer devices such as desktop computers that historically escaped full-disk encryption defaults.
What’s New in Elcomsoft System Recovery 8.34: More Data, Faster Imaging, BitLocker Key Extraction
April 29th, 2025 by Oleg Afonin
We updated Elcomsoft System Recovery to version 8.34. This release focuses on expanding the tool’s data acquisition capabilities, improving disk imaging performance, and adding BitLocker recovery key extraction for systems managed via Active Directory. Here’s a technical breakdown of the changes.
Forensic Implications of Apple’s “Stolen Device Protection”
March 10th, 2025 by Oleg Afonin
With the release of iOS 17.3, Apple introduced a new security feature called “Stolen Device Protection.” This functionality is designed to prevent unauthorized access to sensitive data in cases where a thief has gained knowledge of an iPhone’s passcode. While this feature significantly enhances security for end users, it simultaneously creates substantial obstacles for digital forensic experts, complicating lawful data extraction.
