All USB Cables Are Equal, But Some Are More Equal Than Others
October 17th, 2025 by Elcomsoft R&D
As we outlined in the previous article (Effective Disk Imaging: Ports, Hubs, and Power), it’s better to connect external USB-C devices (such as adapters and especially write-blockers) to a USB-C port that complies with at least the USB 3.2 Gen2 specs (10 Gbit/s). But what if your computer only has USB-A ports, or only a USB-A port is free? Obviously, you’ll need a USB-C to USB-A cable – but you’ll need to choose the right one very carefully, and that’s not the only thing that matters.
Apple vs. Law Enforcement: poker face?
May 14th, 2020 by Vladimir Katalov
“We shouldn’t ask our customers to make a tradeoff between privacy and security. We need to offer them the best of both. Ultimately, protecting someone else’s data protects all of us.” Guess who said that? The answer is at the end of the article. In the meantime, we keep talking of iPhone and iOS security, following up the Apple vs. Law Enforcement – iOS 4 through 13.5 article. This time we are about to discuss some other aspects of iOS security.
Apple vs. Law Enforcement – iOS 4 through 13.5
May 14th, 2020 by Oleg Afonin
Today’s smartphones are a forensic goldmine. Your smartphone learns and knows about your daily life more than everything and everyone else. It tracks your location and counts your footsteps, AI’s your pictures and takes care of your payments. With that much data concentrated in a single device, it is reasonable to expect the highest level of protection. In this article, we’ll review the timeline of Apple’s measures to protect their users’ data and the countermeasures used by the law enforcement. This time no cloud, just pure device forensics.
Working Around the iPhone USB Restricted Mode
May 12th, 2020 by Vladimir Katalov
The USB restricted mode was introduced in iOS 11.4.1, improved in iOS 12 and further strengthened in iOS 13. The USB restrictions are a real headache for iPhone investigators. We’ve discovered a simple yet effective trick to fool it in some cases, but currently it securely protects the iPhones from passcode cracking and BFU (Before First Unlock) extractions. However, there is a trick allowing you to obtain some information from devices with disabled USB interface. Learn how to use this trick with the recently updated iOS Forensic Toolkit.
iOS Acquisition Reloaded
May 12th, 2020 by Vladimir Katalov
The new build of iOS Forensic Toolkit is out. This time around, most of the changes are “internal” and do not add much functionality, but there is a lot going on behind the scenes. In this article, we will describe in details what is new and important, and how it’s going to affect you. We’ll share some tips on how to use the software in the most effective way, making sure that you extract all the data from iOS devices in the most forensically sound possible.
Google Account Access Without a Password
May 7th, 2020 by Oleg Afonin
Cloud acquisition is one of the most common ways to obtain valuable evidence. When it comes to Google, the Google Account analysis may return significantly more data compared to the extraction of a physical Android device. However, there is one feature that is often overlooked: the ability to extract data stored in the user’s Google Account without the login and password. Let’s talk about Google authentication tokens and what they bring for the mobile forensics.
Extracting Google Dashboard Data
May 5th, 2020 by Oleg Afonin
We have updated Elcomsoft Cloud Explorer, our Google Account extraction tool, with Google Dashboard support. The Google Dashboard service is little known among computer forensic specialists since Dashboard data cannot be downloaded from Google or obtained by serving a legal request. Yet, Dashboard aggregates massive amounts of data collected and stored in the user’s Google Account, offering an essential overview of the user’s activities. In this article, we’ll demonstrate how to obtain Dashboard data directly from the user’s Google account.
How to Unlock Windows Systems with a Bootable Flash Drive
April 30th, 2020 by Oleg Afonin
Accessing a locked system is always a challenge. While you might be tempted to pull the plug and image the disk, you could miss a lot of valuable evidence if you do. Full-disk encryption, EFS-encrypted files and folders and everything protected with DPAPI (including the passwords stored in most modern Web browsers) are just a few obstacles to mention. Recovering the original Windows logon is a must to access the full set of data, while resetting the logon password may help unlock working accounts in emergencies.
How To Extract Telegram Secret Chats from the iPhone
April 29th, 2020 by Oleg Afonin
With nearly half a billion users, Telegram is an incredibly popular cross-platform instant messaging app. While Telegram is not considered the most secure instant messaging app (this title belongs to Signal), its conversation histories do not appear in either iTunes or iCloud backups. Moreover, Telegram secure chats are not stored on Telegram servers. As a result, Telegram secret chats can be only extracted from the device of origin. Learn how to extract and analyse Telegram secret chats from the iPhone file system image.
Forensic guide to iMessage, WhatsApp, Telegram, Signal and Skype data acquisition
April 29th, 2020 by Vladimir Katalov
Instant messaging apps have become the de-facto standard of real-time, text-based communications. The acquisition of instant messaging chats and communication histories can be extremely important for an investigation. In this article, we compare the five top instant messaging apps for iOS in the context of their forensic analysis.
iOS acquisition methods compared: logical, full file system and iCloud
April 20th, 2020 by Vladimir Katalov
The iPhone is one of the most popular smartphone devices. Thanks to its huge popularity, the iPhone gets a lot of attention from the forensic community. Multiple acquisition methods exist, allowing forensic users to obtain more or less information with more or less efforts. Some of these acquisition methods are based on undocumented exploits and public jailbreaks, while some other methods utilize published APIs to access information. In this article, we’ll compare the types and amounts of data one can extract from the same 256-GB iPhone 11 Pro Max using three different acquisition methods: advanced logical, full file system and iCloud extraction.
