Investigating Windows Registry

February 13th, 2026 by Oleg Afonin

The Windows Registry remains one of the most information-dense repositories for reconstructing system activity and user behavior. Far more than a configuration database, it serves as a critical historical record of execution, data access, and persistence mechanisms across Windows 10 and 11. While automated forensic tools are essential for extracting and parsing this data, the correct interpretation of the results remains the responsibility of the investigator. This article focuses on the Registry keys that possess distinct forensic significance. We will move beyond the standard enumeration found in legacy guides to establish the specific links between technical artifacts and their value in an investigation, distinguishing between actionable evidence and system noise.

Perfect Acquisition With Passcode Unlock for A8/A8X Devices

February 11th, 2026 by Elcomsoft R&D

Perfect Acquisition is the most reliable method to acquire data from an iOS device. It is completely forensically sound – it doesn’t modify a single bit of the filesystem. When supported, this method should always be used over alternatives. This guide outlines the entire process, from acquiring the data dump to decrypting and mounting it for analysis.

Choosing the Right Strategy: Cold Boot Forensics vs Live System Analysis

February 9th, 2026 by Oleg Afonin

The first steps of an investigation are rarely straightforward. Do you shut down the system and image the storage media, taking the safe but slow traditional path? Do you run a triage tool on the live system to grab passwords and keys, or do you reboot into a clean forensic environment? Traditional wisdom might suggest pulling the plug to preserve the state of the disk, but modern encryption makes this increasingly difficult. During the initial stage of an investigation, the choice usually falls between two primary strategies: deploying a live triage tool on the running system or booting into a clean, external environment.

Live System Analysis: Mitigating Interference from Antivirus Tools

February 6th, 2026 by Oleg Afonin

Windows Defender and forensic triage tools often find themselves at odds. While endpoint protection is designed to lock down a system against unauthorized access, forensic utilities must access everything, including locked system files, to secure evidence. This conflict creates immediate operational risks during live analysis. Modern antivirus engines with aggressive heuristics may flag legitimate forensic binaries as malware, terminating the acquisition process or quarantining the tool itself. Beyond simple blocking, active background scanning introduces significant I/O latency and threatens the integrity of the evidence; the AV might delete or modify a suspicious file, such as a malware payload, moments before it can be preserved.

The History and Evolution of USB Charging Standards

January 26th, 2026 by Oleg Afonin

During the last decade, the evolution of charging standards in consumer electronics has been defined by an attempt to develop a single, unified power delivery interface centered around the USB Type-C connector. Historically, power delivery was characterized by a clear separation between data interfaces and dedicated power connectors. The Universal Serial Bus (USB) was originally introduced in the mid-1990s as a data bus for low-speed peripherals, with power capabilities capped at levels intended to support mice and keyboards rather than charge batteries – never intended to power demanding hardware.

Web Browser Forensics in Digital Triage

January 14th, 2026 by Oleg Afonin

In modern investigations, the web browser is no longer just an application – it is a comprehensive journal of a suspect’s life, intentions, and habits. While end-to-end encrypted clouds and locked smartphones often hit a dead end, the desktop web browser remains one of the most significant grounds for digital evidence, often serving as the silent witness that helps solve a case.

Browser Forensics in 2026: App-Bound Encryption and Live Triage

January 13th, 2026 by Oleg Afonin

Since the introduction of DPAPI in Windows 2000, the forensic workflow for recovering browser credentials was straightforward: isolate the computer, image the drive, and extract the browser profile. In that era, having the user’s Windows password was enough to decrypt everything offline. Today, that assumption is outdated. With the shift to App-Bound Encryption, Google and Microsoft effectively broke the “dead box” workflow for their browsers. While stored passwords remain critical evidence, accessing them now requires investigators to act before they pull the plug.

The Cloud Gap: Forensic Triage vs. Disk Imaging in the Age of On-Demand Sync

January 8th, 2026 by Oleg Afonin

For decades, the forensic “gold standard” was straightforward: isolate the computer, pull the plug, and image the drive. In that era, what you saw on the screen was physically present on the magnetic platters, waiting to be extracted bit by bit. Today, that assumption is not just outdated; it is plain wrong. The rapid adoption of cloud storage services, partial on-demand synchronization, and full-disk encryption has fundamentally broken the traditional dead-box workflow, turning the simple act of powering down a suspect’s computer into a potential destroyer of evidence.

The Shift from Disk Imaging to Digital Triage

January 5th, 2026 by Oleg Afonin

Modern digital forensic labs are facing a crisis of scale. When a search warrant results in the seizure of a dozen laptops, several servers, and a mountain of external drives, the traditional forensic workflow – bit-for-bit imaging followed by exhaustive analysis – becomes a liability rather than an asset. This is precisely where our new tool, Elcomsoft Quick Triage, enters the picture. Designed as a solution for rapid, in-field data acquisition, EQT allows investigators to bypass the “imaging bottleneck” and identify the “smoking gun” in minutes rather than months.

Introducing Elcomsoft Quick Triage

December 30th, 2025 by Oleg Afonin

We’re expanding our product line with a new tool: Elcomsoft Quick Triage. With this release, we are moving into an area we had not previously covered – digital forensic triage. EQT is designed to address a very specific need that arises at the earliest stages of an investigation, when time is limited and quick decisions matter. The new tool is not intended to replace full-featured forensic platforms or in-depth analysis. Instead, it focuses on a different phase of the workflow: fast identification, collection, and review of the most relevant evidence before committing resources to a complete examination.