The Shift from Disk Imaging to Digital Triage
January 5th, 2026 by Oleg Afonin
Modern digital forensic labs are facing a crisis of scale. When a search warrant results in the seizure of a dozen laptops, several servers, and a mountain of external drives, the traditional forensic workflow – bit-for-bit imaging followed by exhaustive analysis – becomes a liability rather than an asset. This is precisely where our new tool, Elcomsoft Quick Triage, enters the picture. Designed as a solution for rapid, in-field data acquisition, EQT allows investigators to bypass the “imaging bottleneck” and identify the “smoking gun” in minutes rather than months.
Apple Watch Forensics 02: Analysis
June 26th, 2019 by Mattia Epifani
Over the last several years, the use of smart wearables has increased significantly. With 141 million smartwatch units sold in 2018, the number of smart wearables sold has nearly doubled compared to the year before. Among the various competitors, the Apple Watch is dominating the field with more than 22.5 million of wearable devices sold in 2018. Year over year, the Apple Watch occupies nearly half of the global market.
Apple TV and Apple Watch Forensics 01: Acquisition
June 19th, 2019 by Vladimir Katalov
While the iPhone is Apple’s bread and butter product, is not the only device produced by the company. We’ve got the Mac (in desktop and laptop variations), the complete range of tablets (the iPad line, which is arguably the best tablet range on the market), the music device (HomePod), the wearable (Apple Watch), and the Apple TV. In today’s article, we are going to cover data extraction from Apple TV and Apple Watch. They do contain tons of valuable data, and are often the only source of evidence.
The Most Unusual Things about iPhone Backups
June 18th, 2019 by Vladimir Katalov
If you are familiar with breaking passwords, you already know that different tools and file formats require a very different amount of efforts to break. Breaking a password protecting a RAR archive can take ten times as long as breaking a password to a ZIP archive with the same content, while breaking a Word document saved in Office 2016 can take ten times as long as breaking an Office 2010 document. With solutions for over 300 file formats and encryption algorithms, we still find iTunes backups amazing, and their passwords to be very different from the rest of the crop in some interesting ways. In this article we tried to gather everything we know about iTunes backup passwords to help you break (or reset) their passwords in the most efficient way.
Forensic Implications of iOS Jailbreaking
June 12th, 2019 by Oleg Afonin
Jailbreaking is used by the forensic community to access the file system of iOS devices, perform physical extraction and decrypt device secrets. Jailbreaking the device is one of the most straightforward ways to gain low-level access to many types of evidence not available with any other extraction methods.
Step by Step Guide to iOS Jailbreaking and Physical Acquisition
May 30th, 2019 by Oleg Afonin
Unless you’re using GrayShift or Cellebrite services for iPhone extraction, jailbreaking is a required pre-requisite for physical acquisition. Physical access offers numerous benefits over other types of extraction; as a result, jailbreaking is in demand among experts and forensic specialists.
You Lost Your Second Authentication Factor. Now What?
April 26th, 2019 by Oleg Afonin
In Apple’s land, losing your Apple Account password is not a big deal. If you’d lost your password, there could be a number of options to reinstate access to your account. If your account is not using Two-Factor Authentication, you could answer security questions to quickly reset your password, or use iForgot to reinstate access to your account. If you switched on Two-Factor Authentication to protect your Apple Account, you (or anyone else who knows your device passcode and has physical access to one of your Apple devices) can easily change the password; literally in a matter of seconds.
A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption
April 25th, 2019 by Oleg Afonin
Full-disk encryption presents an immediate challenge to forensic experts. When acquiring computers with encrypted system volumes, the investigation cannot go forward without breaking the encryption first. Traditionally, experts would remove the hard drive(s), make disk images and work from there. We are offering a faster and easier way to access information required to break full-disk system encryption by booting from a flash drive and obtaining encryption metadata required to brute-force the original plain-text passwords to encrypted volumes. For non-system volumes, experts can quickly pull the system’s hibernation file to extract on-the-fly encryption keys later on with Elcomsoft Forensic Disk Decryptor.
iOS 12 Rootless Jailbreak
February 22nd, 2019 by Oleg Afonin
The new generation of jailbreaks has arrived. Available for iOS 11 and iOS 12 (up to and including iOS 12.1.2), rootless jailbreaks offer significantly more forensically sound extraction compared to traditional jailbreaks. Learn how rootless jailbreaks are different to classic jailbreaks, why they are better for forensic extractions and what traces they leave behind.
Technical and Legal Implications of iOS File System Acquisition
February 21st, 2019 by Vladimir Katalov
There has been a lot of noise regarding GrayKey news recently. GrayKey is an excellent appliance for iOS data extraction, and yes, it can help access more evidence. As always, the devil is in the detail.
Physical Extraction and File System Imaging of iOS 12 Devices
February 21st, 2019 by Oleg Afonin
The new generation of jailbreaks has arrived for iPhones and iPads running iOS 12. Rootless jailbreaks offer experts the same low-level access to the file system as classic jailbreaks – but without their drawbacks. We’ve been closely watching the development of rootless jailbreaks, and developed full physical acquisition support (including keychain decryption) for Apple devices running iOS 12.0 through 12.1.2. Learn how to install a rootless jailbreak and how to perform physical extraction with Elcomsoft iOS Forensic Toolkit.
