In today’s digital age, extracting data from mobile devices is an essential aspect of forensic investigations. However, it must be done carefully and correctly to ensure the highest possible level of accuracy and reliability. To accomplish this, the appropriate extraction methods should be used in the right order, considering all available options for a given device running a specific version of the operating system. So what is the best order of extraction methods when acquiring an iPhone? Read along to find out.

Access to encrypted information can be gained through various methods, including live system analysis (1 and 2), using bootable forensic tools, analysis of sleep/hibernation files, and exploiting TPM vulnerabilities, with password recovery being the last option on the list. Each method has different resource requirements and should be used in order of least resource-intensive to most time-consuming, with password recovery as the last resort. Familiarize yourself with the different encryption recovery strategies and learn about data formats with weak protection or known vulnerabilities.

Discover the benefits of agent-based data extraction from iOS devices. Learn about the purpose and development of the extraction agent, when it can be used, and best practices. Get a comprehensive understanding of the cutting-edge approach for iOS data extraction.

On January 23, 2023, Apple have released a bunch of system updates that target the different device architectures. iOS 16.3 is available for many recent devices, while older models were updated to iOS 12.5.7, iOS 15.7.3 and iPadOS 15.7.3 respectively. While Elcomsoft iOS Forensic Toolkit supported these versions of the system from the get go, today we are rolling out an update that irons out minor inconveniences when imaging such devices.

What does “forensically sound extraction” mean? The classic definition of forensically sound extraction means both repeatable and verifiable results. However, there is more to it. We believe that forensically sound extractions should not only be verifiable and repeatable, but verifiable in a safe, error-proof manner, so we tweaked our product to deliver just that.

Apple is known for a very long time they support their devices. On January 23, 2023, alongside with iOS 16.3 the company rolled out security patches to older devices, releasing iOS 12.5.7, iOS 15.7.3 and iPadOS 15.7.3. iOS 12 was the last major version of iOS supported on Apple A7, A8, and A8X devices, which includes the iPhone 5s and iPhone 6 and 6 Plus generations along with several iPad models. We tested low-level extraction with these security-patched builds, and made several discoveries.

The updated iOS Forensic Toolkit 8.11 brings keychain decryption support to devices running iOS/iPadOS versions up to and including the 15.5 by using the extraction agent. The tool supports recent models that can run iOS 15 , which includes devices based on the Apple A12 through A15 Bionic, as well as Apple Silicon based devices built on the M1 SoC.

There are several methods for recovering the original password ranging from brute force to very complex rule-based attacks. Brute-force attacks are a last resort when all other options are exhausted. What can you reasonably expect of a brute-force attack, what is the chance of success, and how does it depend on the password and the data? Or just “how long will it take you to break it”? Let’s try to find out.

Just before the turn of the year, we’ve made an important update to Elcomsoft iOS Forensic Toolkit, a low-level iOS file system extraction and keychain decryption tool. The update brings checkm8 support to iOS, iPadOS and tvOS 16.2 devices, and enables agent-based low-level extraction of iOS 15.5. We’ve also fixed what’s been long broken: the ability to sideload the extraction agent from Windows PCs, yet the two updates are delivered in different branches. Sounds confusing? We’re here to solve it for you.

Windows account passwords, or NTLM passwords, are among the easiest to recover due to their relatively low cryptographic strength. At the same time, NTLM passwords can be used to unlock DPAPI-protected data such as the user’s passwords stored in Web browsers, encrypted chats, EFS-protected files and folders, and a lot more. In this article we argue about prioritizing the recovery of NTLM hashes over any other types of encrypted data.