Four Tools, One Workflow: Using Elcomsoft Desktop Forensic Tools on the Same Case

July 10th, 2026 by Oleg Afonin

Most people meet these four tools one product page at a time, which makes them look like four separate purchases for four separate problems. On a real desktop case they are closer to four stages of a single job. Each one hands its output to the next: Elcomsoft System Recovery and Elcomsoft Quick Triage pull the raw material off the machine, Forensic Disk Decryptor turns keys into mounted volumes, and Distributed Password Recovery grinds through whatever is left. In this article we will not go through the feature lists (the product pages do that job well enough); instead we will look at when to reach for each tool, and why the order in which you use them is not fixed but decided by the situation in front of you.

Read the rest of this entry »

Apple TV and Apple Watch Forensics 01: Acquisition

June 19th, 2019 by Vladimir Katalov

While the iPhone is Apple’s bread and butter product, is not the only device produced by the company. We’ve got the Mac (in desktop and laptop variations), the complete range of tablets (the iPad line, which is arguably the best tablet range on the market), the music device (HomePod), the wearable (Apple Watch), and the Apple TV. In today’s article, we are going to cover data extraction from Apple TV and Apple Watch. They do contain tons of valuable data, and are often the only source of evidence.

Read the rest of this entry »

The Most Unusual Things about iPhone Backups

June 18th, 2019 by Vladimir Katalov

If you are familiar with breaking passwords, you already know that different tools and file formats require a very different amount of efforts to break. Breaking a password protecting a RAR archive can take ten times as long as breaking a password to a ZIP archive with the same content, while breaking a Word document saved in Office 2016 can take ten times as long as breaking an Office 2010 document. With solutions for over 300 file formats and encryption algorithms, we still find iTunes backups amazing, and their passwords to be very different from the rest of the crop in some interesting ways. In this article we tried to gather everything we know about iTunes backup passwords to help you break (or reset) their passwords in the most efficient way.

Read the rest of this entry »

Forensic Implications of iOS Jailbreaking

June 12th, 2019 by Oleg Afonin

Jailbreaking is used by the forensic community to access the file system of iOS devices, perform physical extraction and decrypt device secrets. Jailbreaking the device is one of the most straightforward ways to gain low-level access to many types of evidence not available with any other extraction methods.

Read the rest of this entry »

Step by Step Guide to iOS Jailbreaking and Physical Acquisition

May 30th, 2019 by Oleg Afonin

Unless you’re using GrayShift or Cellebrite services for iPhone extraction, jailbreaking is a required pre-requisite for physical acquisition. Physical access offers numerous benefits over other types of extraction; as a result, jailbreaking is in demand among experts and forensic specialists.

Read the rest of this entry »

You Lost Your Second Authentication Factor. Now What?

April 26th, 2019 by Oleg Afonin

In Apple’s land, losing your Apple Account password is not a big deal. If you’d lost your password, there could be a number of options to reinstate access to your account. If your account is not using Two-Factor Authentication, you could answer security questions to quickly reset your password, or use iForgot to reinstate access to your account. If you switched on Two-Factor Authentication to protect your Apple Account, you (or anyone else who knows your device passcode and has physical access to one of your Apple devices) can easily change the password; literally in a matter of seconds.

Read the rest of this entry »

A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption

April 25th, 2019 by Oleg Afonin

Full-disk encryption presents an immediate challenge to forensic experts. When acquiring computers with encrypted system volumes, the investigation cannot go forward without breaking the encryption first. Traditionally, experts would remove the hard drive(s), make disk images and work from there. We are offering a faster and easier way to access information required to break full-disk system encryption by booting from a flash drive and obtaining encryption metadata required to brute-force the original plain-text passwords to encrypted volumes. For non-system volumes, experts can quickly pull the system’s hibernation file to extract on-the-fly encryption keys later on with Elcomsoft Forensic Disk Decryptor.

Read the rest of this entry »

iOS 12 Rootless Jailbreak

February 22nd, 2019 by Oleg Afonin

The new generation of jailbreaks has arrived. Available for iOS 11 and iOS 12 (up to and including iOS 12.1.2), rootless jailbreaks offer significantly more forensically sound extraction compared to traditional jailbreaks. Learn how rootless jailbreaks are different to classic jailbreaks, why they are better for forensic extractions and what traces they leave behind.

Read the rest of this entry »

Technical and Legal Implications of iOS File System Acquisition

February 21st, 2019 by Vladimir Katalov

There has been a lot of noise regarding GrayKey news recently. GrayKey is an excellent appliance for iOS data extraction, and yes, it can help access more evidence. As always, the devil is in the detail.

Read the rest of this entry »

Physical Extraction and File System Imaging of iOS 12 Devices

February 21st, 2019 by Oleg Afonin

The new generation of jailbreaks has arrived for iPhones and iPads running iOS 12. Rootless jailbreaks offer experts the same low-level access to the file system as classic jailbreaks – but without their drawbacks. We’ve been closely watching the development of rootless jailbreaks, and developed full physical acquisition support (including keychain decryption) for Apple devices running iOS 12.0 through 12.1.2. Learn how to install a rootless jailbreak and how to perform physical extraction with Elcomsoft iOS Forensic Toolkit.

Read the rest of this entry »

iPhone Physical Acquisition: iOS 11.4 and 11.4.1

February 5th, 2019 by Vladimir Katalov

The two recent jailbreaks, unc0ver and Electra, have finally enabled file system extraction for Apple devices running iOS 11.4 and 11.4.1. At this time, all versions of iOS 11 can be jailbroken regardless of hardware. Let’s talk about forensic consequences of today’s release: keychain and file system extraction.

Read the rest of this entry »