June 24th, 2026 by Oleg Afonin
Stated plainly: iOS Forensic Toolkit can now get past Stolen Device Protection. There is a catch, and it belongs up front: this is not a magic unlock, and anyone selling it as one is selling something. What we have built is a way to install the extraction agent without ever pairing the iPhone to the workstation over a USB port. Because the most disruptive thing SDP does to a forensic workflow is place Face ID or Touch ID in front of that pairing step, bypassing the pairing step bypasses the gate. You still need the device passcode, a paid Apple Developer account, and a device you are authorized to examine. With those in hand, SDP is no longer the wall it was a month ago.
June 24th, 2026 by Vladimir Katalov
A new update to iOS Forensic Toolkit is out. The headline feature is an alternative installation method for the extraction agent – that is, deploying it onto an iPhone while bypassing the mandatory pairing requirement. The agent can now be delivered across the network, which removes a number of limitations that came with the usual cable-based installation. One requirement up front: the device must already be unlocked – in other words, the passcode must be known. This method does not work with a fully locked iPhone.
June 19th, 2026 by Oleg Afonin
If you have an Apple device running iOS 18 or iOS 26 and have gone looking for the old Get Verification Code option under Settings → [user name] → Sign-In & Security, you’ve probably noticed it’s no longer there. A quick search turns up forum threads, support comments, and even GitHub issues all reaching the same conclusion: Apple removed it. Some posts go further and call it “deprecated” or “Apple’s middle finger to users of older devices.” That conclusion is wrong. The option still exists in iOS 26. It just doesn’t show up the way it used to.
June 18th, 2026 by Oleg Afonin
Elcomsoft Phone Breaker 11.2 adds the ability to download iCloud backups created on devices running iOS and iPadOS 26 and, by extension, iOS/iPadOS 27 beta. With this release, Elcomsoft Phone Breaker becomes the first and only third-party tool capable of pulling these backups from Apple’s cloud. That might read like a routine compatibility update. It isn’t. In iOS 26, Apple reworked its iCloud backup mechanism from the ground up, breaking every third-party tool that relied on the previous scheme. Restoring access meant rebuilding a large part of our cloud extraction pipeline. Below is what changed, what we did about it, and where the current build still has rough edges.
June 1st, 2026 by Oleg Afonin
If you extract data from iPhones for a living, Stolen Device Protection is the change you can no longer afford to ignore. It does something deceptively simple: it puts Face ID or Touch ID in front of the “Trust This Computer” prompt. The practical result is that an examiner who knows the device passcode still cannot pair an unfamiliar iPhone to a forensic workstation. That is the most disruptive change Apple has made to iPhone pairing behavior in roughly a decade, and as of spring 2026 it is switched on out of the box.
May 26th, 2026 by Oleg Afonin
Pulling a backup out of iCloud is one of the more technically demanding jobs in cloud forensics. An iCloud backup is not a single, ready-to-download file; instead, it is assembled from a large number of separate fragments that have to be collected and stitched back together into a coherent backup. Recent changes to Apple’s communication protocols broke things for everyone except Apple themselves, meaning that we had to rework the underlying extraction logic. This is documented in Elcomsoft Phone Breaker 11 Restores iCloud Access.
May 22nd, 2026 by Oleg Afonin
A few days ago we wrote about YellowKey, the newest entry in what has become a remarkably long list of BitLocker bypasses. That article walked through one specific attack with a practical workflow. This follow-up steps back and surveys the broader landscape: where BitLocker has been broken before, where it is still broken today, and what an investigator should expect to encounter on a seized Windows machine in 2026.
May 18th, 2026 by Oleg Afonin
On May 12, 2026, a researcher operating under the handles Chaotic Eclipse and Nightmare-Eclipse dropped a working proof-of-concept on GitHub for a Windows zero-day called YellowKey. In short, it lets anyone with brief physical access to a BitLocker-protected Windows 11, Windows Server 2022, or Windows Server 2025 machine pop a command prompt with full read access to the encrypted volume. No password. No recovery key. No TPM sniffing rig. A USB stick and a key combination during reboot.
May 11th, 2026 by Oleg Afonin
Over the years, we have published several articles about the extraction agent. However, the underlying technology changes quickly, and incremental changes often have significant cumulative effects. As a result, many of our older posts are no longer relevant and can be misleading if followed to the letter today. While last year’s recap, Installing and Troubleshooting the Extraction Agent (2025), remains a solid foundation for general setup, it does not account for the most recent hardware and software developments. This article serves as the definitive point of reference, providing an up-to-date recap of everything you need to know about the extraction agent as of May 2026.
April 30th, 2026 by Oleg Afonin
Extracting cloud data is becoming increasingly valuable – and increasingly complex at the same time. In scenarios where a target device is physically unavailable, cloud extraction is often the only real way to access evidence. This is particularly relevant when devices are secured by an unknown passcode or locked under Apple’s Stolen Device Protection framework without available biometric authentication, rendering traditional extraction techniques ineffective.