Analyzing the Windows SRUM Database

August 15th, 2025 by Oleg Afonin

When it comes to Windows forensics, some of the most valuable evidence can be stored deep inside system directories the average user never touches. One such source of evidence is the System Resource Usage Monitor (SRUM) database. Introduced in Windows 8 and still shipping today with the latest Windows 11 updates, SRUM collects detailed historical records about application usage and network activity. This database is a perfect source of data for reconstructing the user’s activities during an investigation. In this article, we’ll review the available types of data and demonstrate a way to access the SRUM database by using a bootable tool.

Elcomsoft Phone Breaker 8, New Apple Devices and iOS 11

September 14th, 2017 by Oleg Afonin

With all attention now being on new iPhone devices, it is easy to forget about the new version of iOS. While new iPhone models were mostly secret until announcement, everyone could test iOS 11 for months before the official release.

iOS 11: jailbreaking, backups, keychain, iCloud – what’s the deal?

September 14th, 2017 by Vladimir Katalov

iOS 11 is finally here. We already covered some of the issues related to iOS 11 forensics, but that was only part of the story.

iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About

September 11th, 2017 by Vladimir Katalov

In the US, Factory Reset Protection (FRP) is a mandatory part of each mobile ecosystem. The use of factory reset protection in mobile devices helped tame smartphone theft by discouraging criminals and dramatically reducing the resale value of stolen devices. Compared to other mobile ecosystems, Apple’s implementation of factory reset protection has always been considered exemplary. A combination of a locked bootloader, secure boot chain and obligatory online activation of every iPhone makes iCloud lock an exemplary implementation of factory reset protection.

New Security Measures in iOS 11 and Their Forensic Implications

September 7th, 2017 by Oleg Afonin

Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some measures (such as the new S.O.S. sequence) are widely advertised, some other security improvements went unnoticed by the public. Let us have a look at the changes and any forensic implications they have.

iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak

August 24th, 2017 by Oleg Afonin

If you watch industry news, you are probably aware of the new Phoenix jailbreak… or not. During the last several years, getting news about iOS jailbreaks from reliable sources became increasingly difficult. The sheer number of fake Web sites mimicking the look of well-known resources such as Pangu and TaiG made us extra careful when trying newly published exploits.

How to Extract iCloud Keychain with Elcomsoft Phone Breaker

August 22nd, 2017 by Olga Koksharova

Starting with version 7.0, Elcomsoft Phone Breaker has the ability to access, decrypt and display passwords stored in the user’s iCloud Keychain. The requirements and steps differ across Apple accounts, and depend on factors such as whether or not the user has Two-Factor Authentication, and if not, whether or not the user configured an iCloud Security Code. Let’s review the steps one needs to take in order to successfully acquire iCloud Keychain.

Acquiring Apple’s iCloud Keychain

August 22nd, 2017 by Oleg Afonin

Who needs access to iCloud Keychain, and why? The newly released Elcomsoft Phone Breaker 7.0 adds a single major feature that allows experts to extract, decrypt and view information stored in Apple’s protected storage. There are so many ifs and buts, such as needing the user’s Apple ID and password, accessing their i-device or knowing a secret security code, that one may legitimately wonder: what is it all about? Let’s find out about iCloud Keychain, why it’s so difficult to crack, and why it can be important for the expert.

The Past and Future of iCloud Acquisition

August 21st, 2017 by Vladimir Katalov

In today’s world, everything is stored in the cloud. Your backups can be stored in the cloud. The “big brother” knows where you had lunch yesterday and how long you were there. Your photos can back up to the cloud, as well as your calls and messages. Finally, your passwords are also stored online – at least if you don’t disable iCloud Keychain. Let’s follow the history of Apple iCloud, its best-known hacks and our own forensic efforts.

Attacking the 1Password Master Password Follow-Up

August 18th, 2017 by Vladimir Katalov

We received some great feedback on the original article about attacking master passwords of several popular password managers. In one discussion, our benchmark numbers for 1Password were questioned. We had no choice but to re-run the benchmarks and publish an updated chart along with some technical details and explanations. We apologize to AgileBits, the developers of 1Password, for letting the wrong number creep into our benchmark. Can we still break into 1Password by attacking the master password? Please bear with us for up-to-date information and detailed technical discussion.

One Password to Rule Them All: Breaking into 1Password, KeePass, LastPass and Dashlane

August 10th, 2017 by Oleg Afonin

We’ve just updated Elcomsoft Distributed Password Recovery with the ability to break master passwords protecting encrypted vaults of the four popular password keepers: 1Password, KeePass, LastPass and Dashlane. In this article, we’ll talk about the security of today’s password managers, and provide insight into what exactly we did and how to break into encrypted vaults.
