Live System Analysis: Extracting BitLocker Keys

May 20th, 2022 by Oleg Afonin

Live system analysis is the easiest and often the only way to access encrypted data stored on BitLocker-protected disks. In this article we’ll discuss the available options for extracting BitLocker keys from authenticated sessions during live system analysis.

Simplifying Digital Triage with Bootable Forensic Tools

March 23rd, 2022 by Oleg Afonin

Elcomsoft System Recovery speeds up in-field investigations by providing experts with a forensic tool they can use by booting a PC from a dedicated USB media. The recent update extended the functionality of the tool by adding three new forensic tools.

GPU Acceleration On The Cheap: Using Affordable Video Cards to Break Passwords Faster

February 17th, 2022 by Oleg Afonin

Most password protection methods rely on multiple rounds of hash iterations to slow down brute-force attacks. Even the fastest processors choke when trying to break a reasonably strong password. Video cards can be used to speed up the recovery with GPU acceleration, yet the GPU market is currently overheated, and most high-end video cards are severely overpriced. Today, we’ll test a bunch of low-end video cards and compare their price/performance ratio.

Dude, Where Are My Messages?

February 15th, 2022 by Oleg Afonin

Cloud backups are an invaluable source of information, whether you download them from the user’s iCloud account or obtain them directly from Apple. But why do some iCloud backups miss essential bits and pieces of information such as text messages, particularly iMessages? The answer is “end-to-end encryption”, and there’s more to it than just backups.

Apple Mobile Devices and iOS Acquisition Methods

February 11th, 2022 by Vladimir Katalov

Do you have to know which SoC a certain Apple device is based on? If you are working in mobile forensics, the answer is yes. Along with the version of iOS/watchOS/iPadOS, the SoC is one of the deciding factors that determine the data extraction paths available in each case. Read this article to better understand your options for each generation of Apple platforms.

IoT Forensics: Analyzing Apple Watch 3 File System

February 10th, 2022 by Vladimir Katalov

Over the last several years, the use of smart wearables continued to grow despite slowing sales. Among the many models, the Apple Watch Series 3 occupies a special spot. Introduced back in 2017, this model is still available new, occupying the niche of the most affordable wearable device in the Apple ecosystem. All that makes the Series 3 one of the most common Apple Watch models. The latest update to iOS Forensic Toolkit enables low-level extraction of the Apple Watch 3 using the checkm8 exploit.

checkm8 Extraction of Apple Watch Series 3

February 10th, 2022 by Oleg Afonin

The fifth beta of iOS Forensic Toolkit 8 for Mac introduces forensically sound, checkm8-based extraction of Apple Watch Series 3. How to connect the watch to the computer, what data is available and how to apply the exploit? Check out this comprehensive guide!

checkm8 Extraction of iPhone 8, 8 Plus and iPhone X

February 3rd, 2022 by Oleg Afonin

Last month, we released the tool and published the guide on forensically sound extraction of the iPhone 7 generation of devices. Today, we have added support for the iPhone 8, 8 Plus, and iPhone X, making iOS Forensic Toolkit the first and only forensically sound iPhone extraction tool delivering repeatable and verifiable results for all 64-bit iPhone devices that can be exploited with checkm8. While the previous publication covers the details of acquiring the iPhone 7, some things are different when it comes to the last generation of checkm8-supported devices.

iPhone X, DFU mode and checkm8

February 3rd, 2022 by Vladimir Katalov

In order to use the checkm8-based acquisition, the device must be placed into DFU (Device Firmware Update) mode first, and this is the trickiest part of the process. There is no software way to enter DFU, so you have to do it manually. This article describes how to do it properly for the iPhone 8, iPhone 8 Plus and iPhone X that are now supported by Elcomsoft iOS Forensic Toolkit.

Agent-based full file system and keychain extraction: now up to iOS 14.8 (incl.)

January 13th, 2022 by Oleg Afonin

iOS Forensic Toolkit 7.10 brings low-level file system extraction support for a bunch of iOS versions. This includes the entire range of iPhone models based on the A11, A12, and A13 Bionic platforms running iOS 14.4 through 14.8.

Targeting Backup Encryption: Acronis, Macrium, and Veeam

January 6th, 2022 by Oleg Afonin

Windows backups are rarely targeted during investigations, yet they can be the only available source of evidence if the suspect’s computer is locked and encrypted. There are multiple third-party backup tools for Windows, and most of them offer password protection as an option. We are adding the ability to break the password protection of popular backup tools: Acronis True Image, Macrium Reflect, and Veeam.