Windows account passwords, or NTLM passwords, are among the easiest to recover due to their relatively low cryptographic strength. At the same time, NTLM passwords can be used to unlock DPAPI-protected data such as the user’s passwords stored in Web browsers, encrypted chats, EFS-protected files and folders, and a lot more. In this article we argue about prioritizing the recovery of NTLM hashes over any other types of encrypted data.

Several generations of Apple TV devices have a bootloader vulnerability that can be exploited with checkm8 to extract information from the device. The vulnerability exists in the Apple TV 3 (2012 and 2013), Apple TV HD (formerly Apple TV 4) 2015 and 2021, and Apple TV 4K (2017). Newer generations of Apple TV do not have the vulnerability. This guide lists the tools and steps required to fully extract a compatible Apple TV device.

checkm8 is the only extraction method available for the Apple Watch S3 allowing full access to essential evidence stored in the device. In this guide, we will talk about connecting the Apple Watch S3 to the computer, placing the watch into DFU mode, applying the checkm8 exploit and extracting the file system from the device with iOS Forensic Toolkit 8.0.

The extraction method or methods available for a particular iOS device depend on the device’s hardware platform and the installed version of iOS. While logical acquisition is available for all iOS and iPadOS devices, more advanced extraction methods are available for older platforms and versions of iOS. But what if more than one way to extract the data is available for a given device? In this guide, we’ll discuss the applicable acquisition methods as well as the order in which they should be used.

iOS Forensic Toolkit 8 brings new powerful user experience based on the command line. While this approach offers experts full control over the extraction process, mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to extract the file system and decrypt the keychain of a compatible iPhone or iPad device.

Apple offers by far the most sophisticated solution for backing up, restoring, transferring and synchronizing data across devices belonging to the company’s ecosystem. Apple iCloud can store cloud backups and media files, synchronize essential information between Apple devices, and keep highly sensitive information such as Health and authentication credentials securely synchronized. In this article we’ll explain what kinds of data are stored in iCloud and what you need to access them.

Advanced logical acquisition is the most compatible and least complicated way to access essential evidence stored in Apple devices. In legacy versions of iOS Forensic Toolkit, we offered a 1-2-3 style, menu-driven extraction experience, while the updated release of iOS Forensic Toolkit 8.0 is driven by the command line. In this quick-start guide we will lay out the steps required to extract the most amount of data from Apple devices via the advanced logical process.

In Apple ecosystem, logical acquisition is the most convenient and the most compatible extraction method, with local backups being a major contributor. Password-protected backups contain significantly more information than unencrypted backups, which is why many forensic tools including iOS Forensic Toolkit automatically apply a temporary backup password before creating a backup. If a temporary password is not removed after the extraction, subsequent extraction attempts, especially made with a different tool, will produce encrypted backups protected with an effectively unknown password. In this article we’ll talk about why this happens and how to deal with it.

The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction powered with a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.

The title says it all. In this article we’ll explain the steps required to put the listed Apple TV models into DFU mode. These Apple TV models are based on the A5, A8, and A10X chips that are susceptible to the checkm8 exploit and checkm8-based extraction with iOS Forensic Toolkit 8, and DFU mode is the required initial step of the process.