Analyzing the Windows SRUM Database
August 15th, 2025 by Oleg Afonin
When it comes to Windows forensics, some of the most valuable evidence can be stored deep inside system directories the average user never touches. One such source of evidence is the System Resource Usage Monitor (SRUM) database. Introduced in Windows 8 and still shipping today with the latest Windows 11 updates, SRUM collects detailed historical records about application usage and network activity. This database is a perfect source of data for reconstructing the user’s activities during an investigation. In this article, we’ll review the available types of data and demonstrate a way to access the SRUM database by using a bootable tool.
We Did It Again: Deleted Notes Extracted from iCloud
May 19th, 2017 by Oleg Afonin
As we already know, Apple syncs many types of data across devices that share the same Apple ID. Calls logs, contacts, Safari tabs and browsing history, favorites and notes can be synced. The syncing mechanism supposedly synchronizes newly created, edited and deleted items. These synchronizations work near instantly with little or no delay.
On Apple iCloud security and ‘deleted’ notes
May 19th, 2017 by Vladimir Katalov
Apple, it’s not funny anymore.
ElcomSoft vs. The Cloud: a Game of Cat and Mouse
May 12th, 2017 by Oleg Afonin
We’ve got a few forensic tools for getting data off the cloud, with Apple iCloud and Google Account being the biggest two. Every once in a while, the cloud owners (Google and Apple) make changes to their protocols or authentication mechanisms, or employ additional security measures to prevent third-party access to user accounts. Every time this happens, we try to push a hotfix as soon as possible, sometimes in just a day or two. In this article, we’ll try to address our customers’ major concerns, give detailed explanations on what’s going on with cloud access, and provide our predictions on what could happen in the future.
Extracting Text Messages from Google Accounts
April 26th, 2017 by Oleg Afonin
Elcomsoft Cloud Explorer 1.30 can now pull SMS (text) messages straight off the cloud, and offers enhanced location processing with support for Routes and Places. In this article, we’ll have a close look at the new features and get detailed instructions on how to use them. The first article will discuss the text messages, while enhanced location data will be covered in the one that follows.
Routes and Places: Obtaining Enhanced Location Data from Google Accounts
April 26th, 2017 by Oleg Afonin
Even before we released Elcomsoft Cloud Explorer, you’ve been able to download users’ location data from Google. What you would get then was a JSON file containing timestamped geolocation coordinates. While this is an industry-standard open data format, it provides little insight on which places the user actually visits. A full JSON journal filled with location data hardly provides anything more than timestamped geographic coordinates. Even if you pin those coordinates to a map, you’ll still have to scrutinize the history to find out which place the user has actually gone to.
How Long Does It Take to Crack Your Password?
April 4th, 2017 by Oleg Afonin
We hear the “how long will it take to break…” question all the time. The answer is always the same: “it depends”. In this article we’ll try to give a detailed explanation and a definite answer for as many possible combinations as possible.
Extracting Unread Notifications from iOS Backups
March 2nd, 2017 by Oleg Afonin
In the world of no jailbreak, acquisition opportunities are limited. Experts are struggling to access more information from those sources that are still available. Every little bit counts. In Elcomsoft Phone Viewer 3.0, we’ve added what might appear like a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read along to discover how extracting notifications from iOS backups can make all the difference in an investigation!
How to Break 70% of Passwords in Minutes
February 14th, 2017 by Oleg Afonin
According to surveys, the average English-speaking consumer maintains around 27 online accounts. Memorizing 27 unique, cryptographically secure passwords is nearly impossible for a person one could reasonably call “average”. As a result, the average person tends to reuse passwords, which means that a single password (or its simple variations) can be used to protect multiple online accounts and services. The same passwords are very likely to be chosen to protect access to offline resources such as encrypted archives and documents. In fact, several independent researches published between 2012 and 2016 suggest that between 59 and 61 per cent of consumers reuse passwords.
ElcomSoft Extracts Deleted Safari Browsing History from iCloud
February 9th, 2017 by Vladimir Katalov
Your browsing history represents your habits. You are what you read, and your browsing history reflects that. Your Google searches, visits to news sites, activities in blogs and forums, shopping, banking, communications in social networks and other Web-based activities can picture your daily activities. It could be that the browsing history is the most intimate part of what they call “online privacy”. You wouldn’t want your browsing history become public, would you?
How to Break 30 Per Cent of Passwords in Seconds
February 6th, 2017 by Oleg Afonin
This article opens a new series dedicated to breaking passwords. It’s no secret that simply getting a good password recovery tool is not enough to successfully break a given password. Brute-force attacks are inefficient for modern formats (e.g. encrypted Office 2013 documents), while using general dictionaries can still be too much for speedy attacks and too little to actually work. In this article, we’ll discuss the first of the two relatively unknown vectors of attack that can potentially break 30 to 70 per cent of real-world passwords in a matter of minutes. The second method will be described in the follow-up article.
