Full File System and Keychain Acquisition: What, When, and How

June 28th, 2022 by Vladimir Katalov

We often write about full file system acquisition, yet we rarely explain what it is, when you can do it, and which methods you can use. We decided to clarify low-level extraction of Apple mobile devices (iPhones and iPads, and some other IoT devices such as Apple TVs and Apple Watches).


GPU Acceleration: Attacking Passwords with NVIDIA RTX Series Boards

June 24th, 2022 by Oleg Afonin

Today’s data protection methods utilize many thousands (sometimes millions) of hash iterations to strengthen password protection, slowing attacks down to a crawl. Consumer-grade video cards are commonly used for GPU acceleration. How do these video cards compare, and what about the price-performance ratio? We tested five reasonably priced NVIDIA boards ranging from the lowly GTX 1650 to the RTX 3060 Ti.


Logical Acquisition: Not as Simple as It Sounds

June 23rd, 2022 by Vladimir Katalov

Speaking of mobile devices, especially Apple’s, “logical acquisition” is probably the most misused term. Are you sure you know what it is and how to properly use it, especially if you are working in mobile forensics? Let us shed some light on it.


checkm8 Extraction: the iPads, iPods, and TVs

June 21st, 2022 by Oleg Afonin

The ninth beta of iOS Forensic Toolkit 8.0 for Mac introduces forensically sound, checkm8-based extraction of sixteen iPad, iPod Touch and Apple TV models. The low-level extraction solution is now available for all iPad and all iPod Touch models susceptible to the checkm8 exploit.


Filling the Gaps: iOS 14 Full File System Extracted

June 9th, 2022 by Oleg Afonin

iOS Forensic Toolkit 7.40 brings gapless low-level extraction support for several iOS versions up to and including iOS 15.1 (15.1.1 on some devices), adding compatibility with previously unsupported versions of iOS 14.


Live System Analysis: Extracting BitLocker Keys

May 20th, 2022 by Oleg Afonin

Live system analysis is the easiest and often the only way to access encrypted data stored on BitLocker-protected disks. In this article we’ll discuss the available options for extracting BitLocker keys from authenticated sessions during live system analysis.


Breaking Passwords on Alder Lake CPUs

May 18th, 2022 by Oleg Afonin

In Alder Lake, Intel introduced a hybrid architecture. Large, hyperthreading-enabled Performance cores are complemented with smaller, single-thread Efficiency cores. The host OS is responsible for assigning threads to one core or another. We discovered that the Windows 10 scheduler is not doing a perfect job when it comes to password recovery, which requires a careful approach to thread scheduling.


checkm8: Unlocking and Imaging the iPhone 4s

May 12th, 2022 by Elcomsoft R&D

The seventh beta of iOS Forensic Toolkit 8.0 for Mac introduces passcode unlock and forensically sound checkm8 extraction of the iPhone 4s, iPad 2 and 3. The new solution employs a Raspberry Pi Pico board to apply the exploit. Learn how to configure and use the Pico microcontroller for extracting an iPhone 4s!


Identifying the iPhone Model

May 5th, 2022 by Oleg Afonin

A prerequisite to successful forensic analysis is accurate information about the device being investigated. Knowing the exact model number of the device helps identify the SoC used and the range of available iOS versions, which in turn predetermines the available acquisition methods. Identifying the iPhone model may not be as obvious as it may seem. In this article, we’ll go through several methods for finding the iPhone model.


Agent-Based Low-Level iOS File System Extraction

April 29th, 2022 by Oleg Afonin

While we continue working on the major update to iOS Forensic Toolkit with forensically sound checkm8 extraction, we keep updating the current release branch. iOS Forensic Toolkit 7.30 brings low-level file system extraction support for iOS 15.1, expanding the ability to perform full file system extraction on iOS devices ranging from the iPhone 8 through iPhone 13 Pro Max.
