Analyzing the Windows SRUM Database
August 15th, 2025 by Oleg Afonin
When it comes to Windows forensics, some of the most valuable evidence can be stored deep inside system directories the average user never touches. One such source of evidence is the System Resource Usage Monitor (SRUM) database. Introduced in Windows 8 and still shipping today with the latest Windows 11 updates, SRUM collects detailed historical records about application usage and network activity. This database is a perfect source of data for reconstructing the user’s activities during an investigation. In this article, we’ll review the available types of data and demonstrate a way to access the SRUM database by using a bootable tool.
What’s Broken in iOS for iPhone X
March 28th, 2018 by Oleg Afonin
Apple’s latest and greatest iPhone, the iPhone X, received mixed reviews and sells slower than expected. While the high price of the new iPhone is a major factor influencing the slow sales, some of the negative points come from the device usability. The combination of design language, hardware and software interactions make using the new iPhone less than intuitive in many situations. In this article, we collected the list of utterly strange design decisions affecting the daily use of the iPhone X.
iPhone X Eye Strain: How to Stop OLED Flickering in Just Three Clicks
March 5th, 2018 by Oleg Afonin
The iPhone X uses a new (for Apple) display technology. For the first time ever, Apple went with an OLED display instead of the IPS panels used in all other iPhones. While OLED displays have numerous benefits such as the true blacks and wide color gamut, the majority of OLED displays (particularly those made by Samsung) tend to flicker. The flickering is particularly visible at low brightness levels, causing eyestrain and headaches to sensitive users. Very few users have the slightest idea of what’s going on, attributing these health issues to oversaturated colors, the oh-so-harmful blue light and anything but OLED flickering.
Breaking into iOS 11
February 20th, 2018 by Oleg Afonin
In the world of mobile forensics, physical acquisition is still the way to go. Providing significantly more information compared to logical extraction, physical acquisition can return sandboxed app data (even for apps that disabled backups), downloaded mail, Web browser cache, chat histories, comprehensive location history, system logs and much more.
Get iOS Shared Files without a Jailbreak
February 20th, 2018 by Vladimir Katalov
iOS is a locked down mobile operating system that does not allow its apps to directly access files in the file system. Unlike every other major mobile OS, iOS does not have a “shared” area in the file system to allow apps keep and share files with other apps. Yet, individual iOS apps are allowed to let the user access their files by using the file sharing mechanism.
Apple iCloud Keeps More Real-Time Data Than You Can Imagine
February 8th, 2018 by Oleg Afonin
Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.
How to Instantly Access BitLocker, TrueCrypt, PGP and FileVault 2 Volumes
January 31st, 2018 by Vladimir Katalov
It’s been a long while since we made an update to one of our most technically advanced tools, Elcomsoft Forensic Disk Decryptor (EFDD). With this tool, one could extract data from an encrypted disk volume (FileVault 2, PGP, BitLocker or TrueCrypt) by utilizing the binary encryption key contained in the computer’s RAM. We could find and extract that key by analyzing the memory dump or hibernation files.
Meet iOS 11.3: Apple to Make It Harder for Law Enforcement to Extract iPhone Data
January 25th, 2018 by Vladimir Katalov
Forget battery issues. Yes, Apple issued an apology for slowing down the iPhone and promised to add better battery management in future versions of iOS, but that’s not the point in iOS 11.3. Neither are ARKit improvements or AirPlay 2 support. There is something much more important, and it is gong to affect everyone.
iOS 11.3 Adds Expiry Date to Lockdown (Pairing) Records
January 25th, 2018 by Oleg Afonin
Lockdown files, otherwise known as pairing records, are well known to the forensic crowd for their usefulness for the purpose of logical extraction. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device – that, without knowing the PIN code or pressing the user’s finger to unlock the device. Lockdown records do carry their fair share of limitations. For example, their use is severely restricted if the device has just rebooted or powered on and was not unlocked with a passcode afterwards.
Extract and Decrypt Android WhatsApp Backups from Google Account
January 24th, 2018 by Oleg Afonin
With over 1.3 billion monthly users, WhatsApp is the most popular instant messaging tool worldwide, and Android is the most popular mobile operating system by far. This makes WhatsApp acquisition from Android devices essential for the law enforcement. Elcomsoft Explorer for WhatsApp 2.30 can now download and decrypt Android user’s encrypted WhatsApp communication histories stored in Google Drive. If you have access to the user’s trusted phone number or their physical SIM card (to receive a verification code from WhatsApp), you can now use Elcomsoft Explorer for WhatsApp to download, decrypt and display WhatsApp communication histories backed up into the user’s Google Account. Surprisingly, a cloud backup may, in certain cases, contain even more information than stored on the device itself. This particularly applies to attachments (photos and videos) sent and received by WhatsApp users and then deleted from the device.
Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile
January 15th, 2018 by Oleg Afonin
Software updates remain a sore point for the 86 per cent of consumers who are using Android-based smartphones. Both Apple and Microsoft have significantly different update policies, mostly allowing the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, subversions and carrier modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.
