Investigating Windows Registry
February 13th, 2026 by Oleg Afonin
The Windows Registry remains one of the most information-dense repositories for reconstructing system activity and user behavior. Far more than a configuration database, it serves as a critical historical record of execution, data access, and persistence mechanisms across Windows 10 and 11. While automated forensic tools are essential for extracting and parsing this data, the correct interpretation of the results remains the responsibility of the investigator. This article focuses on the Registry keys that possess distinct forensic significance. We will move beyond the standard enumeration found in legacy guides to establish the specific links between technical artifacts and their value in an investigation, distinguishing between actionable evidence and system noise.
Newer iOS Forensic Toolkit Acquires iPhones in 20 Minutes, Including iOS 5
November 1st, 2011 by Olga Koksharova
iOS 5 Support
EPPB: Now Recovering BlackBerry Device Passwords
September 29th, 2011 by Andrey Belenko
Less than a month ago, we updated our Elcomsoft Phone Password Breaker tool with the ability to recover master passwords for BlackBerry Password Keeper and BlackBerry Wallet. I have blogged about that and promised the “next big thing” for BlackBerry forensics to be coming soon. The day arrived.
New version of EPPB: Recovering Master Passwords for BlackBerry Password Keeper and BlackBerry Wallet
August 30th, 2011 by Andrey Belenko
Conferences are good. When attending Mobile Forensics Conference this year (and demoing our iOS Forensic Toolkit), we received a lot of requests for tools aimed at BlackBerry forensics. Sorry guys, we can’t offer the solution for physical acquisition of BlackBerries (yet), but there is something new we can offer right now.
Visiting BlackHat and DefCon 2011
August 22nd, 2011 by Olga Koksharova
Yet again, we are back from a couple of conferences organized specially for heavy computer users like us. We are particularly happy that our company was again warmly welcomed by the overseas hacking community – thank you for accepting and visiting our talk – and that FBI didn’t bother us too much during our stay, though they didn’t miss a chance to scare the crap out of Andrey and Vladimir right before their departure back to Moscow. Apart from that little episode with three-letter guys everything went smoothly.
Elcomsoft iOS Forensic Toolkit highlighted in SANS Information Security Reading Room
August 15th, 2011 by Olga Koksharova
SANS Information Security Reading Room has recently publicized a whitepaper about iOS security where they mentioned our software – Elcomsoft iOS Forensic Toolkit – in a section about encryption. Kiel Thomas, the author of the whitepaper, explained one more time the main principles of iOS 4 encryption, which became stronger in comparison with iOS 3.x and how our toolkit can bypass new strong algorithms.
ElcomSoft at Techno Security Conference and AMD Fusion Developer Summit
June 28th, 2011 by Olga Koksharova
ElcomSoft had a great time overseas in the US, first at Techno Security Conference in Myrtle Beach, SC and later at AMD Fusion Developer Summit in Bellevue, WA. So it happened to be quite a long visit to the US full of preparations, talks, meetings, new acquaintances, parties and positive emotions (sun and ocean did their work).
How to trace criminals on Facebook
June 2nd, 2011 by Olga Koksharova
There has already been much said about enhanced federal activity in social networks “including but not limited to Facebook, MySpace, Twitter, Flickr” etc. in order to gather suspects’ information and use it as evidence in investigation. However, far not everybody can understand (neither do three-letter agencies I suppose) how they can represent such info in courts and to what extent it should be trusted.
Extracting the File System from iPhone/iPad/iPod Touch Devices
May 23rd, 2011 by Andrey Belenko
In our previous blog post we have described how we broke the encryption in iOS devices. One important thing was left out of that article for the sake of readability, and that is how we actually acquire the image of the file system of the device. Indeed, in order to decrypt the file system, we need to extract it from the device first.
ElcomSoft Breaks iPhone Encryption, Offers Forensic Access to File System Dumps
May 23rd, 2011 by Vladimir Katalov
ElcomSoft researchers were able to decrypt iPhone’s encrypted file system images made under iOS 4. While at first this may sound as a minor achievement, ElcomSoft is in fact the world’s first company to do this. It’s also worth noting that we will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies. We have a number of good reasons for doing it this way. But first, let’s have a look at perspective.
