What’s New in Elcomsoft System Recovery 8.34: More Data, Faster Imaging, BitLocker Key Extraction
April 29th, 2025 by Oleg Afonin
We updated Elcomsoft System Recovery to version 8.34. This release focuses on expanding the tool’s data acquisition capabilities, improving disk imaging performance, and adding BitLocker recovery key extraction for systems managed via Active Directory. Here’s a technical breakdown of the changes.
How To Extract Telegram Secret Chats from the iPhone
April 29th, 2020 by Oleg Afonin
With nearly half a billion users, Telegram is an incredibly popular cross-platform instant messaging app. While Telegram is not considered the most secure instant messaging app (this title belongs to Signal), its conversation histories do not appear in either iTunes or iCloud backups. Moreover, Telegram secure chats are not stored on Telegram servers. As a result, Telegram secret chats can be only extracted from the device of origin. Learn how to extract and analyse Telegram secret chats from the iPhone file system image.
Forensic guide to iMessage, WhatsApp, Telegram, Signal and Skype data acquisition
April 29th, 2020 by Vladimir Katalov
Instant messaging apps have become the de-facto standard of real-time, text-based communications. The acquisition of instant messaging chats and communication histories can be extremely important for an investigation. In this article, we compare the five top instant messaging apps for iOS in the context of their forensic analysis.
iOS acquisition methods compared: logical, full file system and iCloud
April 20th, 2020 by Vladimir Katalov
The iPhone is one of the most popular smartphone devices. Thanks to its huge popularity, the iPhone gets a lot of attention from the forensic community. Multiple acquisition methods exist, allowing forensic users to obtain more or less information with more or less efforts. Some of these acquisition methods are based on undocumented exploits and public jailbreaks, while some other methods utilize published APIs to access information. In this article, we’ll compare the types and amounts of data one can extract from the same 256-GB iPhone 11 Pro Max using three different acquisition methods: advanced logical, full file system and iCloud extraction.
Cloudy Times: Extracting and Analyzing Location Evidence from Cloud Services
April 9th, 2020 by Oleg Afonin
Geolocation data can provide a wealth of evidence to various government agencies. Law enforcement agencies use location data to help place suspects near a crime scene in a given time frame. However, the use of location is not limited to criminal or civil investigations. Emergency response services use geolocation to locate persons, taxi and delivery services use location to improve service. There are many more examples where location evidence is vital. Recently, governments have started using (or are considering using) geolocation data to help identify and isolate infected citizens. Where does the location evidence come from and how one can extract it?
Extracting Passwords from Microsoft Edge Chromium
April 9th, 2020 by Oleg Afonin
Last week, Microsoft Edge has become the second most popular desktop Web browser based on NetMarketShare usage figures. The new, Chromium-powered Edge offers impressive levels of customization and performance, much better compatibility with Web sites. The new browser is available on multiple platforms including older versions of Windows. With Chromium-based Edge quickly gaining momentum, we felt the urge of researching its protected storage.
Breaking LastPass: Instant Unlock of the Password Vault
April 6th, 2020 by Oleg Afonin
Password managers such as LastPass are designed from the ground up to withstand brute-force attacks on the password database. Using encryption and thousands of hash iterations, the protection is made to slow down access to the encrypted vault that contains all of the user’s stored passwords. In this article, we’ll demonstrate how to unlock LastPass password vault instantly without running a length attack.
Accelerating Password Recovery: GPU Acceleration, Distributed and Cloud Attacks
April 3rd, 2020 by Oleg Afonin
Modern encryption tools employ strong encryption with multiple hash iterations, making passwords extremely difficult to break. The November article “What is password recovery and how it is different from password cracking” explains the differences between instantly accessing protected information and attempting to break the original plain-text password. In that article, I briefly mentioned GPU acceleration and distributed attacks as methods to speed up the recovery. In this article, I’ll discuss the two acceleration techniques in more detail.
Password Reuse vs. Master Password: Two Sides of Password Managers
April 2nd, 2020 by Oleg Afonin
Password managers or password reuse? This is the question faced by most consumers. Reusing a password or its minor variations for different accounts has never been a good idea, yet in today’s world of online everything the rate of password reuse reaches astonishing values. Using a password manager helps reduce password reuse, supposedly offering increased security. In this article, we’ll perform forensic analysis of some of the most common password managers.
Using Microsoft Azure to Break Passwords
April 2nd, 2020 by Andrey Malyshev
Modern applications use highly secure and thus deliberately slow algorithms for verifying passwords. For this reason, the password recovery process may take a lot of time and require extreme computational resources. You can build your own powerful cluster to accelerate brute-force attacks, but if you only need to recover a password every once in a while, maintaining your own cluster may not be the best investment. Cloud services can help do a one-off job faster. For a long time, Elcomsoft Distributed Password Recovery had supported Amazon cloud services with automatic deployment on Amazon’s powerful GPU-accelerated servers. The latest update brings support for Microsoft Azure, adding the ability to automatically deploy Password Recovery Agents to virtual machines created in Microsoft Azure. In this article I will describe the deployment steps.
Tally ERP 9 Vault: How to Not Implement Password Protection
April 2nd, 2020 by Oleg Afonin
Tally ERP 9 is a “new-age business management software for new-age businesses” that is “tailor-made to delight”. With more than two million users, Tally is one of the most popular tools of its kind in India. The product includes the company’s implementation of secure storage named Tally Vault. How secure is Tally Vault, and what does one need to break in? In this article, we’ve provided some insights on how ElcomSoft researchers work when adding support for a new file format.
