What TRIM, DRAT, and DZAT Really Mean for SSD Forensics
June 2nd, 2025 by Oleg Afonin
If you’re doing forensic work today, odds are you’re imaging SSDs, not just spinning hard drives. And SSDs don’t behave like HDDs – especially when it comes to deleted files. One key reason: the TRIM command. TRIM makes SSDs behave different to magnetic hard drives when it comes to recovering deleted evidence. This article breaks down what TRIM actually does, how SSDs respond, and what forensic experts need to know when handling modern storage.
Accessing iOS Saved Wi-Fi Networks and Hotspot Passwords
September 28th, 2017 by Oleg Afonin
In this how-to guide, we’ll cover the steps required to access the list of saved wireless networks along with their passwords.
Android 8.0 Oreo: Your Text Messages Are in the Cloud Now
September 21st, 2017 by Oleg Afonin
In each major Android update, Google improves security on the one hand, and moves a few more things to the cloud on the other. The recently finalized and finally released Android 8.0 Oreo adds one important thing to all devices running the newest build of Google’s OS: the ability to back up SMS text messages into the user’s Google Account.
Elcomsoft Phone Breaker 8, New Apple Devices and iOS 11
September 14th, 2017 by Oleg Afonin
With all attention now being on new iPhone devices, it is easy to forget about the new version of iOS. While new iPhone models were mostly secret until announcement, everyone could test iOS 11 for months before the official release.
iOS 11: jailbreaking, backups, keychain, iCloud – what’s the deal?
September 14th, 2017 by Vladimir Katalov
iOS 11 is finally here. We already covered some of the issues related to iOS 11 forensics, but that was only part of the story.
iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About
September 11th, 2017 by Vladimir Katalov
In the US, Factory Reset Protection (FRP) is a mandatory part of each mobile ecosystem. The use of factory reset protection in mobile devices helped tame smartphone theft by discouraging criminals and dramatically reducing resale value of stolen devices. Compared to other mobile ecosystems, Apple’s implementation of factory reset protection has always been considered exemplary. A combination of a locked bootloader, secure boot chain and obligatory online activation of every iPhone makes iCloud lock one exemplary implementation of factory reset protection.
New Security Measures in iOS 11 and Their Forensic Implications
September 7th, 2017 by Oleg Afonin
Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some measures (such as the new S.O.S. sequence) are widely advertised, some other security improvements went unnoticed by the public. Let us have a look at the changes and any forensic implications they have.
iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak
August 24th, 2017 by Oleg Afonin
If you watch industry news, you are probably aware of the new Phoenix jailbreak… or not. During the last several years, getting news about iOS jailbreaks from reliable sources became increasingly difficult. The sheer number of fake Web sites mimicking the look of well-known resources such as Pangu and TaiG made us extra careful when trying newly published exploits.
How to Extract iCloud Keychain with Elcomsoft Phone Breaker
August 22nd, 2017 by Olga Koksharova
Starting with version 7.0, Elcomsoft Phone Breaker has the ability to access, decrypt and display passwords stored in the user’s iCloud Keychain. The requirements and steps differ across Apple accounts, and depend on factors such as whether or not the user has Two-Factor Authentication, and if not, whether or not the user configured an iCloud Security Code. Let’s review the steps one needs to take in order to successfully acquire iCloud Keychain.
Acquiring Apple’s iCloud Keychain
August 22nd, 2017 by Oleg Afonin
Who needs access to iCloud Keychain, and why? The newly released Elcomsoft Phone Breaker 7.0 adds a single major feature that allows experts extracting, decrypting and viewing information stored in Apple’s protected storage. There are so many ifs and buts such as needing the user’s Apple ID and password, accessing their i-device or knowing a secret security code that one may legitimately wonder: what is it all about? Let’s find out about iCloud Keychain, why it’s so difficult to crack, and why it can be important for the expert.
The Past and Future of iCloud Acquisition
August 21st, 2017 by Vladimir Katalov
In today’s world, everything is stored in the cloud. Your backups can be stored in the cloud. The “big brother” knows where you had lunch yesterday and how long you’ve been there. Your photos can back up to the cloud, as well as your calls and messages. Finally, your passwords are also stored online – at least if you don’t disable iCloud Keychain. Let’s follow the history of Apple iCloud, its most known hacks and our own forensic efforts.
