What TRIM, DRAT, and DZAT Really Mean for SSD Forensics
June 2nd, 2025 by Oleg Afonin
If you’re doing forensic work today, odds are you’re imaging SSDs, not just spinning hard drives. And SSDs don’t behave like HDDs – especially when it comes to deleted files. One key reason: the TRIM command. TRIM makes SSDs behave different to magnetic hard drives when it comes to recovering deleted evidence. This article breaks down what TRIM actually does, how SSDs respond, and what forensic experts need to know when handling modern storage.
Preventing BitLocker Lockout and Recovering Access to Encrypted System Drive
April 19th, 2022 by Oleg Afonin
Encrypting a Windows system drive with BitLocker provides effective protection against unauthorized access, especially when paired with TPM. A hardware upgrade, firmware update or even a change in the computer’s UEFI BIOS may effectively lock you out, making your data inaccessible and the Windows system unbootable. How to prevent being locked out and how to restore access to the data if you are prompted to unlock the drive? Read along to find out.
Decrypting Password-Protected DOC and XLS Files in Minutes
April 13th, 2022 by Oleg Afonin
Accessing the content of password-protected and encrypted documents saved as DOC/XLS files (as opposed to the newer DOCX/XLSX files) is often possible without time-consuming attacks regardless of the length of the password. Advanced Office Password Recovery enables experts quickly breaking the encryption of password-protected DOC and XLS files, which are Microsoft Word and Excel documents saved by modern versions of the app in the “compatibility” format. Organizations are still using the “compatible” Office 97/2000 formats for their document workflow.
Unlock WordPerfect and Lotus Documents with Advanced Office Password Recovery
April 4th, 2022 by Oleg Afonin
We are continuing the consolidation of our product line, now adding WordPerfect and Lotus office apps into Advanced Office Password Recovery. The tool can help experts unlock a host of digital document formats including Microsoft Office, OpenDocument, Hangul/Hancell, and many others without lengthy attacks.
Windows 11 TPM Protection, Passwordless Sign-In and What You Can Do About Them
March 28th, 2022 by Oleg Afonin
Windows 11 introduces increased account protection, passwordless sign-in and hardware-based security. What has been changed compared to Windows 10, how these changes affect forensic extraction and analysis, and to what extent can one overcome the TPM-based protection? Read along to find out!
Simplifying Digital Triage with Bootable Forensic Tools
March 23rd, 2022 by Oleg Afonin
Elcomsoft System Recovery speeds up in-field investigations by providing experts with a forensic tool they can use by booting a PC from a dedicated USB media. The recent update extended the functionality of the tool by adding three new forensic tools.
GPU Acceleration On The Cheap: Using Affordable Video Cards to Break Passwords Faster
February 17th, 2022 by Oleg Afonin
Most password protection methods rely on multiple rounds of hash iterations to slow down brute-force attacks. Even the fastest processors choke when trying to break a reasonably strong password. Video cards can be used to speed up the recovery with GPU acceleration, yet the GPU market is currently overheated, and most high-end video cards are severely overpriced. Today, we’ll test a bunch of low-end video cards and compare their price/performance ratio.
Dude, Where Are My Messages?
February 15th, 2022 by Oleg Afonin
Cloud backups are an invaluable source of information whether you download them from the user’s iCloud account or obtain directly from Apple. But why some iCloud backups miss essential bits and pieces of information such as text messages, particularly iMessages? The answer is “end-to-end encryption”, and there’s more to it than just backups.
Apple Mobile Devices and iOS Acquisition Methods
February 11th, 2022 by Vladimir Katalov
Do you have to know which SoC a certain Apple device is based on? If you are working in mobile forensics, the answer is positive. Along with the version of iOS/watchOS/iPadOS, the SoC is one of the deciding factors that affects the data extraction paths available in each case. Read this article to better understand your options for each generation of Apple platforms.
IoT Forensics: Analyzing Apple Watch 3 File System
February 10th, 2022 by Vladimir Katalov
Over the last several years, the use of smart wearables continued to grow despite slowing sales. Among the many models, the Apple Watch Series 3 occupies a special spot. Introduced back in 2017, this model is still available new, occupying the niche of the most affordable wearable device in the Apple ecosystem. All that makes the Series 3 one of the most common Apple Watch models. The latest update to iOS Forensic Toolkit enables low-level extraction of the Apple Watch 3 using the checkm8 exploit.
checkm8 Extraction of Apple Watch Series 3
February 10th, 2022 by Oleg Afonin
The fifth beta of iOS Forensic Toolkit 8 for Mac introduces forensically sound, checkm8-based extraction of Apple Watch Series 3. How to connect the watch to the computer, what data is available and how to apply the exploit? Check out this comprehensive guide!
