Looks Can Lie: Is That Really an NVMe Drive?
March 17th, 2026 by Oleg Afonin
Many storage devices and adapter boards look alike. When holding a module with a connector that looks suspiciously like the M.2, how do you know exactly what you are dealing with? Is that M.2 board a SATA drive, a fast NVMe device or a Wi-Fi/Bluetooth combo? Will a drive removed from an Apple computer work in a simple mechanical adapter, or will it require the original Apple device to access? A physical connector does not guarantee the underlying technology.
iMessage Security, Encryption and Attachments
November 15th, 2018 by Vladimir Katalov
iMessage is undoubtedly one of the most popular instant messaging platforms for an obvious reason: it’s built in to iOS and ships with every iPhone by default. iMessage does not require complex setup, so the number of iMessage users is closely matching the number of iPhone users. Apple sells about 200 million iPhones every year, and the total number of iPhones sold is more than a billion. Unless you absolutely must chat with someone outside of Apple’s ecosystem (like those poor Android folks), you won’t need Skype, WhatsApp or Telegram. It’s also comforting to know that iMessage works everywhere around the world while most other messengers are oppressed in one or more countries.
Google Enables Manual Google Drive Backups on Android Devices
November 12th, 2018 by Oleg Afonin
An update to Google Play Services enables manual Google Drive backup option on many Android handsets. Since Android 6.0, Android has had an online backup solution, allowing Android users back up and restore their device settings and app data from their Google Drive account. Android backups were running on top of Google Play Services; in other words, they were always part of Google Android as opposed to being part of Android Open Source. Unlike iOS with predictable iCloud backups and the manual “Backup now” option, Google’s backup solution behaved inconsistently at best. In our (extensive) tests, we discovered that the first backup would be only made automatically on the second day, while data for most applications would be backed up days, if not weeks after the initial backup. The ability to manually initiate a backup was sorely missing.
iPhone Xs PWM Demystified: How to Reduce Eyestrain by Disabling iPhone Xs and Xs Max Display Flicker
October 30th, 2018 by Oleg Afonin
The iPhone Xs employs a revised version of the OLED panel we’ve seen in last year’s iPhone X. The iPhone Xs Max uses a larger, higher-resolution version of the panel. Both panels feature higher peak brightness compared to the OLED panel Apple used in the iPhone X. While OLED displays are thinner and more power-efficient compared to their IPS counterparts, most OLED displays (including those installed in the iPhone Xs and Xs max) will flicker at lower brightness levels. The screen flickering is particularly visible in low ambient brightness conditions, and may cause eyestrain with sensitive users. The OLED flickering issue is still mostly unheard of by most consumers. In this article we will demystify OLED display flickering and provide a step by step instruction on how to conveniently disable (and re-enable) PWM flickering on iPhone Xs and Xs Max displays to reduce eyestrain.
Everything about iOS DFU and Recovery Modes
October 29th, 2018 by Oleg Afonin
If you are involved with iOS forensics, you have probably used at least one of these modes. Both DFU and Recovery modes are intended for recovering iPhone and iPad devices from issues if the device becomes unusable, does not boot or has a problem installing an update.
Everything You Wanted to Know about Activation Lock and iCloud Lock
October 4th, 2018 by Oleg Afonin
Working in a mobile forensic company developing tools for iCloud forensics, logical and physical extraction of iPhone devices, we don’t live another day without being asked if (or “how”) we can help remove iCloud lock from a given iPhone. Without throwing a definite “yes” or “no” (or “just buy this tool”), we’ve decided to gather everything we know about bypassing, resetting and disabling iCloud activation lock on recent Apple devices.
iOS Forensics Training in Vienna: 17-19 Oct 2018
October 1st, 2018 by Oleg Afonin
There’s still time to register for the upcoming ElcomSoft training program in Vienna! Held in partnership with T3K-Forensics, this three-day training program will cover everything about iOS forensics. Law enforcement and forensic specialists are welcome to sign up! We’ll cover all the bases from seizing and transporting mobile devices to iOS extraction and analysis. We’ll talk about the acquisition workflow and have participants perform logical, physical and cloud extraction of iOS devices. Expect live demonstrations and fully guided hands-on experience obtaining evidence from iOS devices, pulling data from locked iPhones and accessing iCloud for even more evidence.
iOS 12 Enhances USB Restricted Mode
September 20th, 2018 by Oleg Afonin
The release of iOS 11.4.1 back in July 2018 introduced USB Restricted Mode, a feature designed to defer passcode cracking tools such as those developed by Cellerbrite and Grayshift. As a reminder, iOS 11.4.1 automatically switches off data connectivity of the Lightning port after one hour since the device was last unlocked, or one hour since the device has been disconnected from a USB accessory or computer. In addition, users could manually disable the USB port by following the S.O.S. mode routine.
Cloud Forensics: Why, What and How to Extract Evidence
September 6th, 2018 by Oleg Afonin
Cloud analysis is arguably the future of mobile forensics. Whether or not the device is working or physically accessible, cloud extraction often allows accessing amounts of information far exceeding those available in the device itself.
Analysing Apple Pay Transactions
August 30th, 2018 by Oleg Afonin
With more than 127 million users in multiple countries, Apple Pay is one of the more popular contactless payment systems. Unlike some competing payment technologies, Apple Pay is not only tightly integrated into Apple’s ecosystem but is exclusive to Apple devices.
Using Intel Built-in Graphic Cores to Accelerate Password Recovery
August 14th, 2018 by Oleg Afonin
GPU acceleration is the thing when you need to break a password. Whether you use brute force, a dictionary of common words or a highly customized dictionary comprised of the user’s existed passwords pulled from their Web browser, extracted from their smartphone or downloaded from the cloud, sheer performance is what you need to make the job done in reasonable time.
