July 10th, 2026 by Oleg Afonin
Most people meet these four tools one product page at a time, which makes them look like four separate purchases for four separate problems. On a real desktop case they are closer to four stages of a single job. Each one hands its output to the next: Elcomsoft System Recovery and Elcomsoft Quick Triage pull the raw material off the machine, Forensic Disk Decryptor turns keys into mounted volumes, and Distributed Password Recovery grinds through whatever is left. In this article we will not go through the feature lists (the product pages do that job well enough); instead we will look at when to reach for each tool, and why the order in which you use them is not fixed but decided by the situation in front of you.
July 2nd, 2026 by Oleg Afonin
Over at the Atola blog, Vitaliy Mokosiy published How to buy a reliable SSD – and none of it is wrong. That’s the problem. Read it back and it boils down to buy a good drive, don’t buy a bad one, and make backups. Every line is true and every line is the line an AI would hand you from a one-sentence prompt.
June 24th, 2026 by Oleg Afonin
Stated plainly: iOS Forensic Toolkit can now get past Stolen Device Protection. There is a catch, and it belongs up front: this is not a magic unlock, and anyone selling it as one is selling something. What we have built is a way to install the extraction agent without ever pairing the iPhone to the workstation over a USB port. Because the most disruptive thing SDP does to a forensic workflow is place Face ID or Touch ID in front of that pairing step, bypassing the pairing step bypasses the gate. You still need the device passcode, a paid Apple Developer account, and a device you are authorized to examine. With those in hand, SDP is no longer the wall it was a month ago.
June 24th, 2026 by Vladimir Katalov
A new update to iOS Forensic Toolkit is out. The headline feature is an alternative installation method for the extraction agent – that is, deploying it onto an iPhone while bypassing the mandatory pairing requirement. The agent can now be delivered across the network, which removes a number of limitations that came with the usual cable-based installation. One requirement up front: the device must already be unlocked – in other words, the passcode must be known. This method does not work with a fully locked iPhone.
June 19th, 2026 by Oleg Afonin
If you have an Apple device running iOS 18 or iOS 26 and gone looking for the old Get Verification Code option under Settings → [user name] → Sign-In & Security, you’ve probably noticed it’s no longer there. A quick search turns up forum threads, support comments, and even GitHub issues all reaching the same conclusion: Apple removed it. Some posts go further and call it “deprecated” or “Apple’s middle finger to users of older devices.” That conclusion is wrong. The option still exists in iOS 26. It just doesn’t show up the way it used to.
June 18th, 2026 by Oleg Afonin
Elcomsoft Phone Breaker 11.2 adds the ability to download iCloud backups created on devices running iOS and iPadOS 26 and, by extension, iOS/iPadOS 27 beta. With this release, Elcomsoft Phone Breaker becomes the first and only third-party tool capable of pulling these backups from Apple’s cloud. That might read like a routine compatibility update. It isn’t. In iOS 26, Apple reworked its iCloud backup mechanism from the ground up, breaking every third-party tool that relied on the previous scheme. Restoring access meant rebuilding a large part of our cloud extraction pipeline. Below is what changed, what we did about it, and where the current build still has rough edges.
June 1st, 2026 by Oleg Afonin
If you extract data from iPhones for a living, Stolen Device Protection is the change you can no longer afford to ignore. It does something deceptively simple: it puts Face ID or Touch ID in front of the “Trust This Computer” prompt. The practical result is that an examiner who knows the device passcode still cannot pair an unfamiliar iPhone to a forensic workstation. That is the most disruptive change Apple has made to iPhone pairing behavior in roughly a decade, and as of spring 2026 it is switched on out of the box.
May 26th, 2026 by Oleg Afonin
Pulling a backup out of iCloud is one of the more technically demanding jobs in cloud forensics. An iCloud backup is not a single, ready-to-download file; instead, it is assembled from a large number of separate fragments that have to be collected and stitched back together into a coherent backup. Recent changes to Apple’s communication protocols broke things for everyone except Apple themselves, meaning that we had to rework the underlying extraction logic. This is documented in Elcomsoft Phone Breaker 11 Restores iCloud Access.
May 22nd, 2026 by Oleg Afonin
A few days ago we wrote about YellowKey, the newest entry in what has become a remarkably long list of BitLocker bypasses. That article walked through one specific attack with a practical workflow. This follow-up steps back and surveys the broader landscape: where BitLocker has been broken before, where it is still broken today, and what an investigator should expect to encounter on a seized Windows machine in 2026.
May 18th, 2026 by Oleg Afonin
On May 12, 2026, a researcher operating under the handles Chaotic Eclipse and Nightmare-Eclipse dropped a working proof-of-concept on GitHub for a Windows zero-day called YellowKey. In short, it lets anyone with brief physical access to a BitLocker-protected Windows 11, Windows Server 2022, or Windows Server 2025 machine pop a command prompt with full read access to the encrypted volume. No password. No recovery key. No TPM sniffing rig. A USB stick and a key combination during reboot.