What TRIM, DRAT, and DZAT Really Mean for SSD Forensics
June 2nd, 2025 by Oleg Afonin
If you’re doing forensic work today, odds are you’re imaging SSDs, not just spinning hard drives. And SSDs don’t behave like HDDs – especially when it comes to deleted files. One key reason: the TRIM command. TRIM makes SSDs behave different to magnetic hard drives when it comes to recovering deleted evidence. This article breaks down what TRIM actually does, how SSDs respond, and what forensic experts need to know when handling modern storage.
checkm8 Extraction of iPhone 8, 8 Plus and iPhone X
February 3rd, 2022 by Oleg Afonin
Last month, we released the tool and published the guide on forensically sound extraction of the iPhone 7 generation of devices. Today, we have added support for the iPhone 8, 8 Plus, and iPhone X, making iOS Forensic Toolkit the first and only forensically sound iPhone extraction tool delivering repeatable and verifiable results for all 64-bit iPhone devices that can be exploited with checkm8. While the previous publication talks about the details on acquiring the iPhone 7, there are some things different when it comes to the last generation of checkm8-supported devices.
iPhone X, DFU mode and checkm8
February 3rd, 2022 by Vladimir Katalov
In order to use the checkm8-based acquisition, the device must be placed into DFU (Device Firmware Update) mode first, and this is the trickiest part of the process. There is no software way to enter DFU, so you have to do it manually. This article describes how to do it properly for the iPhone 8, iPhone 8 Plus and iPhone X that are now supported by Elcomsoft iOS Forensic Toolkit.
Agent-based full file system and keychain extraction: now up to iOS 14.8 (incl.)
January 13th, 2022 by Oleg Afonin
iOS Forensic Toolkit 7.10 brings low-level file system extraction support for a bunch of iOS versions. This includes the entire range of iPhone models based on the A11, A12, and A13 Bionic platforms running iOS 14.4 through 14.8.
Targeting Backup Encryption: Acronis, Macrium, and Veeam
January 6th, 2022 by Oleg Afonin
Windows backups are rarely targeted during investigations, yet they can be the only available source of evidence if the suspect’s computer is locked and encrypted. There are multiple third-part backup tools for Windows, and most of them have password protection as an option. We are adding the ability to break password protection of popular backup tools: Acronis True Image, Macrium Reflect, and Veeam.
Season’s Greetings and 2021 in Review
December 30th, 2021 by Olga Koksharova
The new year is just around the corner, and so it’s the right time to review our achievements in 2021. We’ve done plenty of researching, developing and updating, and posted a great deal of content in our blog. Let’s run through the most exciting developments of the year!
Breaking BestCrypt Volume Encryption 5
December 28th, 2021 by Oleg Afonin
BestCrypt, developed by the Finnish company Jetico, is a cross-platform commercial disk encryption tool directly competing with BitLocker, FileVault 2 and VeraCrypt. Volume encryption is available for Windows and macOS. Learn how to break BestCrypt full-disk encryption by recovering the original password!
Digital Evidence in Encrypted Backups
December 27th, 2021 by Vladimir Katalov
Backups are the primary way to preserve data. On smartphones, backups are handled automatically by the OS. Windows lacks a convincing backup app; numerous third-party tools are available, some of which feature strong encryption. Computer backups may contain valuable evidence that can be useful during an investigation – if you can do something about the password.
Checkm8 Based Extraction of iPhone 7 and iPhone 7 Plus
December 22nd, 2021 by Oleg Afonin
Last month we introduced forensically sound low-level extraction for a range of iPhone devices. Based on the renowned checkm8 exploit, our solution supported devices ranging from the iPhone 5s through 6s/6s Plus/SE. Today, we are extending the range of supported devices, adding checkm8 extraction of the iPhone 7 and 7 Plus.
Microsoft Office 40-bit Encryption and Thunder Tables in Advanced Office Password Recovery
December 20th, 2021 by Oleg Afonin
Before the end of this year, we are releasing one last update. Advanced Office Password Recovery can now break 40-bit encryption in Microsoft Office documents, and gains support for Thunder Tables. What are Thunder Tables exactly, and is 40-bit encryption still relevant? Read along to find out.
WhatsApp Explorer: End-to-End Encrypted Backups and Compatibility Improvements
December 16th, 2021 by Oleg Afonin
WhatsApp is the fastest growing instant messenger app. With over 2 billion monthly users, WhatsApp keeps the crown of the most popular instant messaging tool in the Western hemisphere. The recent introduction of end-to-end encrypted backups and the change of Google’s authentication protocol broke things temporarily for EXWA users, but now everything is back to normal. Learn how Elcomsoft Explorer for WhatsApp can download and decrypt encrypted WhatsApp communication histories from Google Drive and Apple iCloud!
