Cloud Forensics: the New Reality
September 23rd, 2021 by Oleg Afonin
The majority of mobile devices today are encrypted throughout, making extractions difficult or even impossible for major platforms. Traditional attack vectors are becoming a thing of the past with encryption being moved into dedicated security chips, and encryption keys generated on first unlock based on the user’s screen lock passwords. Cloud forensics is a great alternative, often returning as much or even more data compared to what is stored on the device itself.
How to Remove Restrictions from Adobe PDF Files
July 1st, 2021 by Vladimir Katalov
Have you got an Adobe PDF file that you can open but cannot edit, print or copy selected text to the clipboard? There is an easy solution: with just a couple of clicks, the file can be unprotected. Bad news: you’ll need software. Good news: we’ve built one for you.
Elcomsoft System Recovery Simplifies Digital Field Triage and In-Field Investigations
June 17th, 2021 by Oleg Afonin
Elcomsoft System Recovery is a perfect tool for digital field triage, enabling safer and more secure in-field investigations of live computers by booting from a dedicated USB media instead of using the installed OS. The recent update added a host of features to the already great tool, making it easier to examine the file system and extract passwords from the target computer.
Analyzing Microsoft Timeline, OneDrive and Personal Vault Files
June 15th, 2021 by Oleg Afonin
Elcomsoft Phone Breaker is not just about Apple iCloud data. It can also download the data from other cloud services including Microsoft accounts. In this new version, we have added support for even more types of data, including Windows 10 Timeline, Account Activity (logins to the account), OneDrive files, recent OneDrive files history, and files from Microsoft Personal Vault. Learn about these data types and how they can help advance your investigation.
Breaking VeraCrypt: Obtaining and Extracting On-The-Fly Encryption Keys
June 3rd, 2021 by Oleg Afonin
Released back in 2013, VeraCrypt picks up where TrueCrypt left off. Supporting more encryption algorithms, more hash functions and a variable number of hash iterations, VeraCrypt is the default choice for the security conscious. VeraCrypt has no known weaknesses except one: once the encrypted disk is mounted, the symmetric, on-the-fly encryption key must be kept in the computer’s RAM in order to read and write encrypted data. A recent change in VeraCrypt made OTF key extraction harder, while the latest update to Elcomsoft Forensic Disk Decryptor attempts to counter the effect of the change. Who is going to win this round?
Password Crackers’ Gold Mine: Browser Passwords
June 1st, 2021 by Vladimir Katalov
How to break ‘strong’ passwords? Is there a methodology, a step by step approach? What shall you start from if your time is limited but you desperately need to decrypt critical evidence? We want to share some tips with you, this time about the passwords saved in the Web browsers on most popular platforms.
Hey Dude, Where Is My iCloud Data?
May 27th, 2021 by Vladimir Katalov
For more than ten years, we’ve been exploring iPhone backups, both local and iCloud, and we know a lot about them. Let’s reveal some secrets about the different types of backups and how they compare to each other.
The Inception of Elcomsoft Phone Breaker
May 26th, 2021 by Vladimir Katalov
It’s been 10 years since we have released one of our flagship products, Elcomsoft Phone Breaker. The first version appeared in April 2011, and was named “iPhone Password Breaker”. Since then, we made tons of improvements. The tool lost the “iPhone” designation, and the “Password” part was dropped from its name because it was no longer limited to iPhones or passwords. Today, the tool can offer unmatched features for the mobile forensic specialists.
Forensically Sound checkm8 Based Extraction of iPhone 5s, 6, 6s and SE
May 19th, 2021 by Oleg Afonin
Back in 2019, independent researcher axi0mX has developed a ground-breaking exploit. Targeting a vulnerability in the bootloader of several generations of iOS devices, checkm8 made it possible to obtain BootROM code execution and perform forensic analysis on a long list of devices running a wide range of iOS versions. In this article, we’ll talk about the forensic use of checkm8 with iOS Forensic Toolkit.
Guide: Forensically Sound Extraction of iPhone 5s, 6, 6s and SE with checkm8 Exploit
May 19th, 2021 by Vladimir Katalov
The previous publication talks about the basics of using the bootloader-level exploit for extracting iOS devices. In this article, we are posting a comprehensive step-by-step guide of using the new checkm8 capability of iOS Forensic Toolkit for performing forensically sound extractions of a range of Apple devices.
The File System Dirty Bit
May 18th, 2021 by Vladimir Katalov
In older iPhones, the ‘file system dirty’ flag indicates unclean device shutdown, which affects the ability to perform bootloader-level extractions of Apple devices running legacy versions of iOS (prior to iOS 10.3 released in March 2017). As such, the “file system dirty” flag must be cleared before the extraction. In this article we discuss the very different forensic implications of this flag if it is set on the Data or System partitions.
