Cloud Forensics: the New Reality

September 23rd, 2021 by Oleg Afonin

The majority of mobile devices today are encrypted throughout, making extractions difficult or even impossible for major platforms. Traditional attack vectors are becoming a thing of the past with encryption being moved into dedicated security chips, and encryption keys generated on first unlock based on the user’s screen lock passwords. Cloud forensics is a great alternative, often returning as much or even more data compared to what is stored on the device itself.


How to Remove Restrictions from Adobe PDF Files

July 1st, 2021 by Vladimir Katalov

Have you got an Adobe PDF file that you can open but cannot edit, print or copy selected text to the clipboard? There is an easy solution: with just a couple of clicks, the file can be unprotected. Bad news: you’ll need software. Good news: we’ve built one for you.


Elcomsoft System Recovery Simplifies Digital Field Triage and In-Field Investigations

June 17th, 2021 by Oleg Afonin

Elcomsoft System Recovery is a perfect tool for digital field triage, enabling safer and more secure in-field investigations of live computers by booting from dedicated USB media instead of using the installed OS. The recent update added a host of features to the already great tool, making it easier to examine the file system and extract passwords from the target computer.


Analyzing Microsoft Timeline, OneDrive and Personal Vault Files

June 15th, 2021 by Oleg Afonin

Elcomsoft Phone Breaker is not just about Apple iCloud data. It can also download the data from other cloud services including Microsoft accounts. In this new version, we have added support for even more types of data, including Windows 10 Timeline, Account Activity (logins to the account), OneDrive files, recent OneDrive files history, and files from Microsoft Personal Vault. Learn about these data types and how they can help advance your investigation.


Breaking VeraCrypt: Obtaining and Extracting On-The-Fly Encryption Keys

June 3rd, 2021 by Oleg Afonin

Released back in 2013, VeraCrypt picks up where TrueCrypt left off. Supporting more encryption algorithms, more hash functions and a variable number of hash iterations, VeraCrypt is the default choice for the security conscious. VeraCrypt has no known weaknesses except one: once the encrypted disk is mounted, the symmetric, on-the-fly encryption key must be kept in the computer’s RAM in order to read and write encrypted data. A recent change in VeraCrypt made OTF key extraction harder, while the latest update to Elcomsoft Forensic Disk Decryptor attempts to counter the effect of the change. Who is going to win this round?


Password Crackers’ Gold Mine: Browser Passwords

June 1st, 2021 by Vladimir Katalov

How do you break ‘strong’ passwords? Is there a methodology, a step-by-step approach? Where should you start if your time is limited but you desperately need to decrypt critical evidence? We want to share some tips with you, this time about the passwords saved in Web browsers on the most popular platforms.


Hey Dude, Where Is My iCloud Data?

May 27th, 2021 by Vladimir Katalov

For more than ten years, we’ve been exploring iPhone backups, both local and iCloud, and we know a lot about them. Let’s reveal some secrets about the different types of backups and how they compare to each other.


The Inception of Elcomsoft Phone Breaker

May 26th, 2021 by Vladimir Katalov

It’s been 10 years since we released one of our flagship products, Elcomsoft Phone Breaker. The first version appeared in April 2011, and was named “iPhone Password Breaker”. Since then, we have made tons of improvements. The tool lost the “iPhone” designation, and the “Password” part was dropped from its name because it was no longer limited to iPhones or passwords. Today, the tool can offer unmatched features for mobile forensic specialists.


Forensically Sound checkm8 Based Extraction of iPhone 5s, 6, 6s and SE

May 19th, 2021 by Oleg Afonin

Back in 2019, independent researcher axi0mX developed a ground-breaking exploit. Targeting a vulnerability in the bootloader of several generations of iOS devices, checkm8 made it possible to obtain BootROM code execution and perform forensic analysis on a long list of devices running a wide range of iOS versions. In this article, we’ll talk about the forensic use of checkm8 with iOS Forensic Toolkit.


Guide: Forensically Sound Extraction of iPhone 5s, 6, 6s and SE with checkm8 Exploit

May 19th, 2021 by Vladimir Katalov

The previous publication talks about the basics of using the bootloader-level exploit for extracting iOS devices. In this article, we are posting a comprehensive step-by-step guide to using the new checkm8 capability of iOS Forensic Toolkit for performing forensically sound extractions of a range of Apple devices.


The File System Dirty Bit

May 18th, 2021 by Vladimir Katalov

In older iPhones, the “file system dirty” flag indicates an unclean device shutdown, which affects the ability to perform bootloader-level extractions of Apple devices running legacy versions of iOS (prior to iOS 10.3, released in March 2017). As such, the “file system dirty” flag must be cleared before the extraction. In this article, we discuss the very different forensic implications of this flag if it is set on the Data or System partitions.
