Why Every Digital Forensics Lab Needs a Good USB Hub
May 23rd, 2025 by Oleg Afonin
In modern digital forensics, a reliable USB hub isn’t just a convenience – it’s a critical piece of lab infrastructure. With today’s laptops (especially MacBooks) offering only one or two USB-C ports – often occupied by power adapters – connecting all the required equipment becomes a real challenge. USB hubs help bridge this gap, solving port limitations, improving device compatibility, and even increasing the stability of the checkm8 exploit used for iPhone data extraction. This article explains why and where to use USB hubs shine in forensic workflows and how to choose the right model for your lab.
checkm8 Extraction Cheat Sheet: iPhone and iPad Devices
November 3rd, 2022 by Oleg Afonin
The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction powered with a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.
How to Put Apple TV 3 (2012-2013), Apple TV 4/HD (2015) and Apple TV 4K (2017) into DFU
October 31st, 2022 by Oleg Afonin
The title says it all. In this article we’ll explain the steps required to put the listed Apple TV models into DFU mode. These Apple TV models are based on the A5, A8, and A10X chips that are susceptible to the checkm8 exploit and checkm8-based extraction with iOS Forensic Toolkit 8, and DFU mode is the required initial step of the process.
iOS 16: SEP Hardening, New Security Measures and Their Forensic Implications
September 23rd, 2022 by Vladimir Katalov
iOS 16 brings many changes to mobile forensics. Users receive additional tools to control the sharing and protection of their personal information, while forensic experts will face tighter security measures. In this review, we’ll talk about the things in iOS 16 that are likely to affect the forensic workflow.
iOS Forensic Toolkit 8.0 Now Official: Bootloader-Level Extraction for 76 Devices
September 22nd, 2022 by Oleg Afonin
iOS Forensic Toolkit 8.0 is officially released! Delivering forensically sound checkm8 extraction and a new command-line driven user experience, the new release becomes the most sophisticated mobile forensic tool we’ve released to date.
iOS 16: Extracting the File System and Keychain from A11 Devices
September 22nd, 2022 by Vladimir Katalov
Bootloader-based acquisition is the only 100% forensically sound data extraction method for Apple devices. It is the only way to acquire the full set of data from those devices that run iOS 16, albeit with a huge caveat that makes the whole thing more of a brain exercise than a practical forensic tool. Let’s review the iOS 16 compatibility in iOS Forensic Toolkit and go through the whole process step by step.
Entering DFU: iPhone 8, 8 Plus, and iPhone X
September 13th, 2022 by Oleg Afonin
DFU (Device Firmware Update) is a special service mode available in many Apple devices for recovering corrupted devices by uploading a clean copy of the firmware. Forensic specialists use DFU during checkm8 extractions (Elcomsoft iOS Forensic Toolkit). Unlike Recovery, which serves a similar purpose, DFU operates on a lower level and is undocumented. Surprisingly, there might be more than one DFU mode, one being more reliable than the others when it comes to forensic extractions. The method described in this article works for the iPhone 8, 8 Plus and iPhone X.
Low-Level Extraction of iOS 15.2-15.3.1
August 25th, 2022 by Oleg Afonin
iOS Forensic Toolkit 7.60 brings gapless low-level extraction support for several iOS versions from iOS 15.2 up to and including iOS 15.3.1, adding full file system extraction support for Apple devices based on Apple A11-A15 and M1 chips.
Probing Linux Disk Encryption: LUKS2, Argon 2 and GPU Acceleration
August 16th, 2022 by Oleg Afonin
Disk encryption is widely used desktop and laptop computers. Many non-ZFS Linux distributions rely on LUKS for data protection. LUKS is a classic implementation of disk encryption offering the choice of encryption algorithms, encryption modes and hash functions. LUKS2 further improves the already tough disk encryption. Learn how to deal with LUKS2 encryption in Windows and how to break in with distributed password attacks.
Breaking Windows Passwords: LM, NTLM, DCC and Windows Hello PIN Compared
August 16th, 2022 by Oleg Afonin
Modern versions of Windows have many different types of accounts. Local Windows accounts, Microsoft accounts, and domain accounts feature different types of protection. There is also Windows Hello with PIN codes, which are protected differently from everything else. How secure are these types of passwords, and how can you break them? Read along to find out!
Windows Hello: No TPM No Security
August 4th, 2022 by Oleg Afonin
While Windows 11 requires a Trusted Platform Module (TPM), older versions of Windows can do without while still using PIN-based Windows Hello sign-in. We prove that all-digit PINs are a serious security risk on systems without a TPM, and can be broken in a matter of minutes.
