New Security Features and Low-Level Extraction of iOS 26
April 29th, 2026 by Oleg Afonin
We updated iOS Forensic Toolkit, adding low-level extraction support for iOS 26 and 26.0.1 via the extraction agent. This support is available for most iPhones and iPads compatible with the iOS 26 branch with a notable exception of the iPhone 17 range and M5-based iPads. Why exactly are these devices exempt, and what else did Apple do to make iOS 26 tougher and more resistant? Let’s find out.
Digital Triage Masterclass
April 28th, 2026 by Oleg Afonin
For decades, the forensic “gold standard” was straightforward: isolate the machine, pull the plug, and image the drive. In that era, what you saw on the screen was exactly what you would extract, bit by bit, from the magnetic platters. Today, that assumption is outdated, and is actively detrimental to an investigation. The digital forensics landscape is shifting too fast, and traditional “dead-box” methods cannot keep up with modern realities. As investigations face a crisis of scale, with terabytes of data spread across dozens of seized devices, the old “image everything, analyze later” approach has created massive backlogs that let critical leads go cold.
Recovering Windows Credentials with Elcomsoft System Recovery
April 23rd, 2026 by Oleg Afonin
In traditional forensic workflows, gaining access to a Windows system was a straightforward exercise: extract the NT hashes from a local database and run a fast (very fast!) offline attack. Today, Windows authentication is moving away from those essentially insecure NTLM hashes toward more resilient mechanisms. Microsoft is actively steering users away from local Windows accounts, pushing them toward cloud-integrated identities (such as the Microsoft Account) and hardware-backed security models (like Windows Hello).
Low-Level Extraction for M-Series iPads
April 21st, 2026 by Oleg Afonin
With the release of iOS Forensic Toolkit 10.01, we are extending low-level extraction capabilities to Apple tablets running up to iPadOS 18.7.1. This update brings our extraction agent to the latest hardware, supporting not just A-series but also M-series iPads. We have also implemented support for the distinct memory layout found in high-end 1TB and 2TB iPad Pro models equipped with 16GB of RAM, which required a targeted engineering approach to handle the structural differences.
Low-Level Extraction for iOS 17 and 18
April 14th, 2026 by Oleg Afonin
We’ve just updated iOS Forensic Toolkit to version 10.0, significantly expanding its low-level extraction capabilities for both the extraction agent and bootloader-based methods. Previously, agent-based extraction was capped at iOS 16.6.1. This release finally covers the remainder of the iOS 16 branch, and adds support for the entire iOS 17 branch as well as iOS 18 through 18.7.1. We have also expanded checkm8 support to cover all the latest OS updates pushed by Apple on devices susceptible to the exploit. Finally, we improved extended logical acquisition support for iOS/iPadOS 26, now pulling significantly more shared data than before.
Compelled Decryption: The East Asian Region
April 3rd, 2026 by Oleg Afonin
This piece marks the third installment in our ongoing series analyzing compelled decryption laws. As digital evidence continues to play a central role in modern investigations, legal systems worldwide are actively addressing the friction between encrypted devices and law enforcement access. For this chapter, our geographic focus shifts to East Asia. The region provides a highly practical comparative landscape for observing how neighboring jurisdictions weigh the technical demands of modern forensics against individual procedural rights. To map these diverse approaches, the following sections review the current legal mechanisms in mainland China, Hong Kong, Taiwan, Japan, and South Korea.
Digital Rights vs. State Power – The Protectors
April 1st, 2026 by Oleg Afonin
The first part of this series examined jurisdictions that have adopted a coercive approach to cryptographic barriers. Nations such as the United Kingdom, Australia, and France navigate the practical hurdles of end-to-end encryption through statutory workarounds. Rather than attempting to break the encryption itself, these legal systems apply pressure directly to the device owner – even if the owner is the suspect. By treating the refusal to provide decryption keys or passwords as a standalone criminal offense, they effectively bypass the technical roadblock. Under this model, non-compliance triggers its own set of penalties, entirely separate from the underlying investigation.
The Geography of Coercion: a Study of Compelled Decryption Laws
March 31st, 2026 by Oleg Afonin
On March 23, 2026, the Hong Kong government amended the rules of its National Security Law, making it a criminal offense to refuse police passwords or decryption assistance for personal devices. When I read the security alert, my initial plan was simply to compile a list of jurisdictions with similar laws. That catalog quickly outgrew its premise. Tracking these statutes revealed a fractured global approach to digital privacy and state power, resulting in a comparative study too broad for a single article. I decided to split the research into two parts. This first installment examines the countries that criminalize digital silence.
Arrested by AI
March 27th, 2026 by Oleg Afonin
In July 2025, a tactical team of United States Marshals descended on the Tennessee home of Angela Lipps, arresting the fifty-year-old grandmother at gunpoint while she watched her young grandchildren. Her apprehension was not the culmination of traditional detective work, but the result of authorities placing undue confidence in an AI-based facial recognition system. An algorithm had linked a photograph of her face to a counterfeit military identification card used in a sophisticated bank fraud operation over 1,200 miles away in Fargo, North Dakota.
Distributed Password Recovery Goes 64-bit: Ready for RTX 5090
March 26th, 2026 by Oleg Afonin
We have just released a major update to Elcomsoft Distributed Password Recovery. While the release notes might simply say “migrated to 64-bit,” the reality under the hood is far more complex and significant. This is not a cosmetic update or a simple recompile; it is a fundamental architectural shift necessitated by the evolution of GPU hardware. Put simply: if you want to use the latest NVIDIA RTX 50-series Blackwell GPUs for password recovery, you can no longer use 32-bit code.
