What’s New in Elcomsoft System Recovery 8.34: More Data, Faster Imaging, BitLocker Key Extraction
April 29th, 2025 by Oleg Afonin
We updated Elcomsoft System Recovery to version 8.34. This release focuses on expanding the tool’s data acquisition capabilities, improving disk imaging performance, and adding BitLocker recovery key extraction for systems managed via Active Directory. Here’s a technical breakdown of the changes.
Protecting Your Data and Apple Account If They Know Your iPhone Passcode
June 12th, 2018 by Oleg Afonin
This publication is somewhat unusual. ElcomSoft does not need an introduction as a forensic vendor. We routinely publish information on how to break into the phone, gain access to information and extract as much evidence as theoretically possible using hacks (jailbreaks) or little known but legitimate workarounds. We teach and train forensic experts on how to extract and decrypt information, how to download information from iCloud with or without the password, how to bypass two-factor authentication and how their iPhone falls your complete victim if you know its passcode.
The iOS File System: TAR and Aggregated Locations Analysis
June 7th, 2018 by Oleg Afonin
Finally, TAR support is there! Using Elcomsoft iOS Forensic Toolkit to pull TAR images out of jailbroken iOS devices? You’ll no longer be left on your own with the resulting TAR file! Elcomsoft Phone Viewer 3.70 can now open the TAR images obtained with Elcomsoft iOS Forensic Toolkit or GrayKey and help you analyse evidence in that file. In addition, we added an aggregated view for location data extracted from multiple sources – such as the system logs or geotags found in media files.
Apple Probably Knows What You Did Last Summer
June 5th, 2018 by Vladimir Katalov
“Significant Locations” are an important part of the evidence logged on iPhones. Forensic experts doing the acquisition will try accessing Significant Locations. At the same time, many iPhone users are completely unaware of the existence of this feature. What are Significant Locations, where are they stored, and how to extract them, and what value do they serve in investigations?
iOS 11.4.1 Beta: USB Restricted Mode Has Arrived
June 2nd, 2018 by Oleg Afonin
As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time. At the time of publication, our article received a lot of controversial reports. When this mode did not make it into the final build of iOS 11.4, we enjoyed a flow of sarcastic comments from journalists and the makers of passcode cracking toolkits. Well, there we have it: Apple is back on track with iOS 11.4.1 beta including the new, improved and user-configurable USB Restricted Mode.
WhatsApp Business Acquisition Guide
May 29th, 2018 by Oleg Afonin
Starting with version 2.40, Elcomsoft Extractor for WhatsApp supports physical and cloud acquisition of WhatsApp Business. The physical extraction method requires root access, while cloud acquisition requires authenticating into the user’s Google Drive account with proper authentication credential. In addition, a verification code received from WhatsApp as an SMS must be provided to decrypt the backup downloaded from Google Drive. In this guide, we’ll describe all the steps required to perform physical and cloud acquisition of WhatsApp Business.
Demystifying Android Physical Acquisition
May 29th, 2018 by Oleg Afonin
Numerous vendors advertise many types of solutions for extracting evidence from Android devices. The companies claim to support tens of thousands of models, creating the impression that most (if not all) Android devices can be successfully acquired using one method or another.
Accessing Google Account Data without a Password
May 17th, 2018 by Oleg Afonin
Cloud acquisition is arguably the future of mobile forensics. Even today, cloud services by Apple and Google often contain more information than any single device – mostly due to the fact that cloud data is collected from multiple sources.
Apple Strikes Back: the iPhone Cracking Challenge
May 11th, 2018 by Vladimir Katalov
We live in the era of mobile devices with full-disk encryption, dedicated security co-processors and multiple layers of security designed to prevent device exploitation. The recent generations of Apple mobile devices running iOS 10 and 11 are especially secure, effectively resisting experts’ efforts to extract evidence. Yet, several solutions are known to counter Apple’s security measures even in iOS 11 and even for the last-generation devices. It is not surprising that Apple comes up with counter measures to restrict the effectiveness and usability of such methods, particularly by disabling USB data connection in iOS 11.4 after prolonged inactivity periods (well, in fact it is still in question whether this feature will be available in new iOS version or not; it seems it is not ready yet, and may be delayed till iOS 12).
iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics
May 8th, 2018 by Oleg Afonin
UPDATE June 2, 2018: USB Restricted Mode did not make it into iOS 11.4. However, in iOS 11.4.1 Beta USB Restricted Mode Has Arrived
Legal and Technical Implications of Chinese iCloud Operations
April 10th, 2018 by Vladimir Katalov
On February 28, 2018, Apple has officially moved its Chinese iCloud operations and encryption keys to China. The reaction to this move from the media was overwhelmingly negative. The Verge, The Guardian, Reuters, Wired, and CNN among other Western media outlets expressed their concerns about the Chinese government potentially violating the human rights of its citizens. Politics aside, we will review Apple policies governing the Chinese accounts, and look into the technical implementation of Chinese iCloud operations. Let us see if the fears are substantiated.
