Eighteen Years of GPU Acceleration

November 27th, 2025 by Oleg Afonin

Eighteen years ago, before “GPU acceleration” and “AI data center” became household terms, a small hi-tech company changed the rules of cryptography. In 2007, we unveiled a radical idea – using the untapped power of graphics processors to recover passwords, which coincided with the release of video cards capable of performing fixed-point calculations. What began as an experiment would soon redefine performance computing across nearly every field.

Cheat Sheet: Perfect Acquisition (32-bit)

October 13th, 2025 by Elcomsoft R&D

Perfect Acquisition is the most sophisticated method for extracting data from compatible iOS devices. This method is completely forensically sound; it doesn’t modify a single bit of the filesystem. When supported, this method should always be used over alternatives. This guide outlines the entire process, from acquiring the data dump to decrypting and mounting it for analysis. Note: this guide applies to iOS Forensic Toolkit 8.80 and newer, in which the process has been made easier to use.

Evidence Preservation: Why iPhone Data Can Expire

October 9th, 2025 by Elcomsoft R&D

When an iPhone is seized and later re-examined, forensic teams sometimes find that data present in an earlier extraction are missing from a subsequent backup or filesystem image. Why exactly does that happen, what kinds of data are affected, how long do they usually live, and what can you do to preserve volatile and semi-volatile artifacts? Let’s try to find out.

AI in Digital Forensics: a Tool, not an Oracle

October 3rd, 2025 by Oleg Afonin

“A core selling point of machine learning is discovery without understanding, which is why errors are particularly common in machine-learning-based science.” I could not resist the temptation to start this article with a quote from AI as Normal Technology – it captures the current state of AI-everything perfectly. Should investigators really trust black boxes running a set of non-deterministic algorithms and providing different results on every reroll? And can we still use such black boxes to automate routine operations? Let’s try to find out.

Breaking into Password Managers: from Bitwarden to Zoho Vault

September 30th, 2025 by Oleg Afonin

The latest update to Elcomsoft Distributed Password Recovery added eight additional password management tools to the list of supported data formats. The software can now attack master passwords protecting databases from Bitwarden, Dropbox Passwords, Enpass, Kaspersky, Keeper, Roboform, Sticky Password, and Zoho Vault password managers. Let’s talk about password managers – and how to handle them in a forensic lab.

iPhone 17: the End of PWM Flickering?

September 29th, 2025 by Oleg Afonin

Like the previous generation of iPhones, the iPhone 17 range employs OLED panels that are prone to flickering, which some people are sensitive to. The flickering is caused by PWM (Pulse Width Modulation), a technology used by OLED manufacturers to control display brightness. The screen flickering is particularly visible in low ambient brightness conditions, and may cause eyestrain in sensitive users. Fortunately, in this generation Apple provided a simple solution to get rid of the flickering by finally adding the DC Dimming option.

Apple Face ID: Security Implications and Potential Vulnerabilities

September 23rd, 2025 by Oleg Afonin

Since its introduction with the iPhone X in 2017, Apple’s Face ID has become one of the most widely used biometric authentication systems in the world, often praised for its convenience and technological sophistication. Yet, like any system that relies on human biology, it has its share of limitations: reports of identical twins, close relatives or young children occasionally unlocking a parent’s device have circulated since its debut.

Analyzing the Windows SRUM Database

August 15th, 2025 by Oleg Afonin

When it comes to Windows forensics, some of the most valuable evidence can be stored deep inside system directories the average user never touches. One such source of evidence is the System Resource Usage Monitor (SRUM) database. Introduced in Windows 8 and still shipping today with the latest Windows 11 updates, SRUM collects detailed historical records about application usage and network activity. This database is a perfect source of data for reconstructing the user’s activities during an investigation. In this article, we’ll review the available types of data and demonstrate a way to access the SRUM database by using a bootable tool.

Perfect Acquisition Part 5: Perfect APFS Acquisition

July 21st, 2025 by Elcomsoft R&D

Welcome to Part 5 of the Perfect Acquisition series! In case you missed the previous parts, please check them out for background information. This section provides a comprehensive guide to performing the Perfect APFS Acquisition procedure.

Issues Affecting Forensic Disk Imaging

July 10th, 2025 by Oleg Afonin

We previously tested disk imaging speeds using high-performance storage devices. But raw speed is only part of the equation. Even under ideal conditions, getting a fully correct and complete image can be tricky. And achieving peak speed consistently is even harder – many factors can slow things down, and sometimes even corrupt the results. In this article, we explore the key reasons why both speed and accuracy can fall short during disk imaging.

AI-Driven Password Recovery: Myth or Reality?

July 8th, 2025 by Oleg Afonin

Artificial intelligence is everywhere – from phones that guess your next move to fridges that shop for you. It’s only natural to ask whether AI can help in a more serious domain: digital forensics, specifically password cracking. The idea sounds promising: use large language models (LLMs) to produce rules and templates for guessing highly probable password variants, prioritizing the most likely ones first. But in practice, things aren’t so straightforward.
