What’s New in Elcomsoft System Recovery 8.34: More Data, Faster Imaging, BitLocker Key Extraction
April 29th, 2025 by Oleg Afonin
We updated Elcomsoft System Recovery to version 8.34. This release focuses on expanding the tool’s data acquisition capabilities, improving disk imaging performance, and adding BitLocker recovery key extraction for systems managed via Active Directory. Here’s a technical breakdown of the changes.
A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption
April 25th, 2019 by Oleg Afonin
Full-disk encryption presents an immediate challenge to forensic experts. When acquiring computers with encrypted system volumes, the investigation cannot go forward without breaking the encryption first. Traditionally, experts would remove the hard drive(s), make disk images and work from there. We are offering a faster and easier way to access information required to break full-disk system encryption by booting from a flash drive and obtaining encryption metadata required to brute-force the original plain-text passwords to encrypted volumes. For non-system volumes, experts can quickly pull the system’s hibernation file to extract on-the-fly encryption keys later on with Elcomsoft Forensic Disk Decryptor.
iOS 12 Rootless Jailbreak
February 22nd, 2019 by Oleg Afonin
The new generation of jailbreaks has arrived. Available for iOS 11 and iOS 12 (up to and including iOS 12.1.2), rootless jailbreaks offer significantly more forensically sound extraction compared to traditional jailbreaks. Learn how rootless jailbreaks are different to classic jailbreaks, why they are better for forensic extractions and what traces they leave behind.
Technical and Legal Implications of iOS File System Acquisition
February 21st, 2019 by Vladimir Katalov
There has been a lot of noise regarding GrayKey news recently. GrayKey is an excellent appliance for iOS data extraction, and yes, it can help access more evidence. As always, the devil is in the detail.
Physical Extraction and File System Imaging of iOS 12 Devices
February 21st, 2019 by Oleg Afonin
The new generation of jailbreaks has arrived for iPhones and iPads running iOS 12. Rootless jailbreaks offer experts the same low-level access to the file system as classic jailbreaks – but without their drawbacks. We’ve been closely watching the development of rootless jailbreaks, and developed full physical acquisition support (including keychain decryption) for Apple devices running iOS 12.0 through 12.1.2. Learn how to install a rootless jailbreak and how to perform physical extraction with Elcomsoft iOS Forensic Toolkit.
iPhone Physical Acquisition: iOS 11.4 and 11.4.1
February 5th, 2019 by Vladimir Katalov
The two recent jailbreaks, unc0ver and Electra, have finally enabled file system extraction for Apple devices running iOS 11.4 and 11.4.1. At this time, all versions of iOS 11 can be jailbroken regardless of hardware. Let’s talk about forensic consequences of today’s release: keychain and file system extraction.
Identifying SSD Controller and NAND Configuration
January 31st, 2019 by Oleg Afonin
In our previous article Why SSDs Die a Sudden Death (and How to Deal with It) we talked about SSD endurance and how it’s not the only thing affecting real life reliability. In that article, we assumed that manufacturers’ specifications of certain SSD models remain similar for a given SSD model. In fact, this is not the case. Quite a few manufacturers play tricks with consumers, releasing a certain SSD model with top notch specifications only to downgrade them at some point during the production cycle (but certainly after receiving its share of glowing reviews). While some OEMs do note the change at least in the revision number, the rest will just quote the small print allowing them to “change specifications at any time without prior notice”. We’ve seen well known SSD manufacturers switching from reliable MLC NAND to planar TLC trash within the same model (and zero notice to potential buyers). How can you tell which NAND configuration your particular SSD drive employs and whether or not it lives up to your expectations? Read along to find out.
Securing and Extracting Health Data: Apple Health vs. Google Fit
January 30th, 2019 by Oleg Afonin
Today’s smartphones and wearable devices collect overwhelming amounts of data about the user’s health. Health information including the user’s daily activities, workouts, medical conditions, body measurements and many other types of information is undoubtedly one of the most sensitive types of data. Yet, smartphone users are lenient to trust this highly sensitive information to other parties. In this research, we’ll figure out how Apple and Google as two major mobile OS manufacturers collect, store, process and secure health data. We’ll analyze Apple Health and Google Fit, research what information they store in the cloud, learn how to extract the data. We’ll also analyze how both companies secure health information and how much of that data is available to third parties.
Apple iTunes: Standalone vs. Microsoft Store Edition
January 23rd, 2019 by Oleg Afonin
Since April 2018, Apple made iTunes available to Windows 10 users through the Microsoft Store. While the stand-alone download remains available from Apple’s Web site, it is no longer offered by default to Windows 10 users. Instead, visitors are directed to Microsoft Store, which will handle the installation and updates of the iTunes app.
Why SSDs Die a Sudden Death (and How to Deal with It)
January 18th, 2019 by Oleg Afonin
Many thanks to Roman Morozov, ACELab technical support specialist, for sharing his extensive knowledge and expertise and for all the time he spent ditching bugs in this article.
Life after Trim: Using Factory Access Mode for Imaging SSD Drives
January 16th, 2019 by Oleg Afonin
Many thanks to Roman Morozov, ACELab technical support specialist, for sharing his extensive knowledge and expertise and for all the time he spent ditching bugs in this article.
