Downloading iPhone and iPad backups from Apple iCloud
May 26th, 2026 by Oleg Afonin
Pulling a backup out of iCloud is one of the more technically demanding jobs in cloud forensics. An iCloud backup is not a single, ready-to-download file; instead, it is assembled from a large number of separate fragments that have to be collected and stitched back together into a coherent backup. Recent changes to Apple’s communication protocols broke things for everyone except Apple themselves, meaning that we had to rework the underlying extraction logic. This is documented in Elcomsoft Phone Breaker 11 Restores iCloud Access.
A Decade of BitLocker Vulnerabilities: What’s Patched, What’s Not, and What Still Works
May 22nd, 2026 by Oleg Afonin
A few days ago we wrote about YellowKey, the newest entry in what has become a remarkably long list of BitLocker bypasses. That article walked through one specific attack with a practical workflow. This follow-up steps back and surveys the broader landscape: where BitLocker has been broken before, where it is still broken today, and what an investigator should expect to encounter on a seized Windows machine in 2026.
YellowKey: An Unexpected Backdoor into BitLocker, and Why You Should Be Paying Attention
May 18th, 2026 by Oleg Afonin
On May 12, 2026, a researcher operating under the handles Chaotic Eclipse and Nightmare-Eclipse dropped a working proof-of-concept on GitHub for a Windows zero-day called YellowKey. In short, it lets anyone with brief physical access to a BitLocker-protected Windows 11, Windows Server 2022, or Windows Server 2025 machine pop a command prompt with full read access to the encrypted volume. No password. No recovery key. No TPM sniffing rig. A USB stick and a key combination during reboot.
Using the Extraction Agent in 2026: Compatibility, Signing, Firewall, and Extraction Tips
May 11th, 2026 by Oleg Afonin
Over the years, we have published several articles about the extraction agent. However, the underlying technology changes quickly, and incremental changes often have significant cumulative effects. As a result, many of our older posts are no longer relevant and can be misleading if followed to the letter today. While last year’s recap, Installing and Troubleshooting the Extraction Agent (2025), remains a solid foundation for general setup, it does not account for the most recent hardware and software developments. This article serves as the definitive point of reference, providing an up-to-date recap of everything you need to know about the extraction agent as of May 2026.
Elcomsoft Phone Breaker 11 Restores iCloud Access
April 30th, 2026 by Oleg Afonin
Extracting cloud data becomes increasingly valuable – and increasingly complex at the same time. In scenarios where a target device is physically unavailable cloud extraction is often the only real way to access evidence. This is particularly relevant when devices are secured by an unknown passcode or locked under Apple’s Stolen Device Protection framework without available biometric authentication, rendering traditional extraction techniques ineffective.
New Security Features and Low-Level Extraction of iOS 26
April 29th, 2026 by Oleg Afonin
We updated iOS Forensic Toolkit, adding low-level extraction support for iOS 26 and 26.0.1 via the extraction agent. This support is available for most iPhones and iPads compatible with the iOS 26 branch with a notable exception of the iPhone 17 range and M5-based iPads. Why exactly are these devices exempt, and what else did Apple do to make iOS 26 tougher and more resistant? Let’s find out.
Digital Triage Masterclass
April 28th, 2026 by Oleg Afonin
For decades, the forensic “gold standard” was straightforward: isolate the machine, pull the plug, and image the drive. In that era, what you saw on the screen was exactly what you would extract, bit by bit, from the magnetic platters. Today, that assumption is outdated, and is actively detrimental to an investigation. The digital forensics landscape is shifting too fast, and traditional “dead-box” methods cannot keep up with modern realities. As investigations face a crisis of scale, with terabytes of data spread across dozens of seized devices, the old “image everything, analyze later” approach has created massive backlogs that let critical leads go cold.
Recovering Windows Credentials with Elcomsoft System Recovery
April 23rd, 2026 by Oleg Afonin
In traditional forensic workflows, gaining access to a Windows system was a straightforward exercise: extract the NT hashes from a local database and run a fast (very fast!) offline attack. Today, Windows authentication is moving away from those essentially insecure NTLM hashes toward more resilient mechanisms. Microsoft is actively steering users away from local Windows accounts, pushing them toward cloud-integrated identities (such as the Microsoft Account) and hardware-backed security models (like Windows Hello).
Low-Level Extraction for M-Series iPads
April 21st, 2026 by Oleg Afonin
With the release of iOS Forensic Toolkit 10.01, we are extending low-level extraction capabilities to Apple tablets running up to iPadOS 18.7.1. This update brings our extraction agent to the latest hardware, supporting not just A-series but also M-series iPads. We have also implemented support for the distinct memory layout found in high-end 1TB and 2TB iPad Pro models equipped with 16GB of RAM, which required a targeted engineering approach to handle the structural differences.
Low-Level Extraction for iOS 17 and 18
April 14th, 2026 by Oleg Afonin
We’ve just updated iOS Forensic Toolkit to version 10.0, significantly expanding its low-level extraction capabilities for both the extraction agent and bootloader-based methods. Previously, agent-based extraction was capped at iOS 16.6.1. This release finally covers the remainder of the iOS 16 branch, and adds support for the entire iOS 17 branch as well as iOS 18 through 18.7.1. We have also expanded checkm8 support to cover all the latest OS updates pushed by Apple on devices susceptible to the exploit. Finally, we improved extended logical acquisition support for iOS/iPadOS 26, now pulling significantly more shared data than before.
