We updated iOS Forensic Toolkit, adding low-level extraction support for iOS 26 and 26.0.1 via the extraction agent. This support is available for most iPhones and iPads compatible with the iOS 26 branch with a notable exception of the iPhone 17 range and M5-based iPads. Why exactly are these devices exempt, and what else did Apple do to make iOS 26 tougher and more resistant? Let’s find out.

For decades, the forensic “gold standard” was straightforward: isolate the machine, pull the plug, and image the drive. In that era, what you saw on the screen was exactly what you would extract, bit by bit, from the magnetic platters. Today, that assumption is outdated, and is actively detrimental to an investigation. The digital forensics landscape is shifting too fast, and traditional “dead-box” methods cannot keep up with modern realities. As investigations face a crisis of scale, with terabytes of data spread across dozens of seized devices, the old “image everything, analyze later” approach has created massive backlogs that let critical leads go cold.

In traditional forensic workflows, gaining access to a Windows system was a straightforward exercise: extract the NT hashes from a local database and run a fast (very fast!) offline attack. Today, Windows authentication is moving away from those essentially insecure NTLM hashes toward more resilient mechanisms. Microsoft is actively steering users away from local Windows accounts, pushing them toward cloud-integrated identities (such as the Microsoft Account) and hardware-backed security models (like Windows Hello).

With the release of iOS Forensic Toolkit 10.01, we are extending low-level extraction capabilities to Apple tablets running up to iPadOS 18.7.1. This update brings our extraction agent to the latest hardware, supporting not just A-series but also M-series iPads. We have also implemented support for the distinct memory layout found in high-end 1TB and 2TB iPad Pro models equipped with 16GB of RAM, which required a targeted engineering approach to handle the structural differences.

This piece marks the third installment in our ongoing series analyzing compelled decryption laws. As digital evidence continues to play a central role in modern investigations, legal systems worldwide are actively addressing the friction between encrypted devices and law enforcement access. For this chapter, our geographic focus shifts to East Asia. The region provides a highly practical comparative landscape for observing how neighboring jurisdictions weigh the technical demands of modern forensics against individual procedural rights. To map these diverse approaches, the following sections review the current legal mechanisms in mainland China, Hong Kong, Taiwan, Japan, and South Korea.

The first part of this series examined jurisdictions that have adopted a coercive approach to cryptographic barriers. Nations such as the United Kingdom, Australia, and France navigate the practical hurdles of end-to-end encryption through statutory workarounds. Rather than attempting to break the encryption itself, these legal systems apply pressure directly to the device owner – even if the owner is the suspect. By treating the refusal to provide decryption keys or passwords as a standalone criminal offense, they effectively bypass the technical roadblock. Under this model, non-compliance triggers its own set of penalties, entirely separate from the underlying investigation.

On March 23, 2026, the Hong Kong government amended the rules of its National Security Law, making it a criminal offense to refuse police passwords or decryption assistance for personal devices. When I read the security alert, my initial plan was simply to compile a list of jurisdictions with similar laws. That catalog quickly outgrew its premise. Tracking these statutes revealed a fractured global approach to digital privacy and state power, resulting in a comparative study too broad for a single article. I decided to split the research into two parts. This first installment examines the countries that criminalize digital silence.

In July 2025, a tactical team of United States Marshals descended on the Tennessee home of Angela Lipps, arresting the fifty-year-old grandmother at gunpoint while she watched her young grandchildren. Her apprehension was not the culmination of traditional detective work, but the result of authorities placing undue confidence in an AI-based facial recognition system. An algorithm had linked a photograph of her face to a counterfeit military identification card used in a sophisticated bank fraud operation over 1,200 miles away in Fargo, North Dakota.

We have just released a major update to Elcomsoft Distributed Password Recovery. While the release notes might simply say “migrated to 64-bit,” the reality under the hood is far more complex and significant. This is not a cosmetic update or a simple recompile; it is a fundamental architectural shift necessitated by the evolution of GPU hardware. Put simply: if you want to use the latest NVIDIA RTX 50-series Blackwell GPUs for password recovery, you can no longer use 32-bit code.

Many storage devices and adapter boards look alike. When holding a module with a connector that looks suspiciously like the M.2, how do you know exactly what you are dealing with? Is that M.2 board a SATA drive, a fast NVMe device or a Wi-Fi/Bluetooth combo? Will a drive removed from an Apple computer work in a simple mechanical adapter, or will it require the original Apple device to access? A physical connector does not guarantee the underlying technology.