Elcomsoft Phone Breaker 11.1 fixes iCloud backup extraction issues that caused downloads to stall after the first few GB. Fully supports iOS/iPadOS 18 and below, with iOS 26 support coming in a future release.
#DFIR_Radar
New ElcomSoft masterclass series challenges the traditional "dead-box" forensics approach, advocating for live digital triage to extract high-value artifacts like DPAPI-protected tokens and browser data before imaging.
#DFIR_Radar
"Recovering Windows Credentials with Elcomsoft System Recovery"
In traditional forensic workflows, gaining access to a Windows system was a straightforward exercise: extract the NT hashes from a local database and run a fast (very fast!) offline attack.… ift.tt/fDJeAGg
New comprehensive guide reveals Apple Watch as critical forensic source with unique acquisition paths and artifacts that often exceed iPhone capabilities. Legacy models (Series 0-3) allow full filesystem extraction via checkm8 exploit.
Key technical details:
• Series 0-3: checkm8 bootrom exploit enables complete data extraction without passcode using Elcomsoft iOS Forensic Toolkit
• Series 4: Logical extraction only, requires unlocked device and established pairing trust
• Primary data sources: watch device, paired iPhone's Health database (/private/var/mobile/Library/Health/healthdb_secure.sqlite), and iCloud Health container
• Critical artifacts: GPS-precise workout routes, continuous heart rate data, ECG waveforms, sleep tracking, deleted messages retained ~30 days
DFIR opportunities:
• Health database in encrypted iPhone backups contains watch sensor data with device attribution
• Workout route data stored in healthdb_secure.hdf with sub-second GPS coordinates
• watchOS diagnostic logs (.logarchive format) include app launches and Siri interactions
• Wrist detection locks the watch automatically once it is removed from the wrist; enable airplane mode immediately upon seizure
Prioritize encrypted iPhone backup over direct watch extraction for most comprehensive data recovery. Full acquisition methodology and artifact locations detailed in source.
#DFIR_Radar
Recently asked by a young, aspiring DF/IR practitioner: 'What are some of your current favorite tools?'
My toolkit is large, but here's my current top 10:
1. Sumuri RECON (Mac and iOS forensics) – @SUMURIForensics
2. Magnet AXIOM (Windows, iOS, and Android forensics) – @MagnetForensics
3. Cyber Triage (automated DFIR for incident response with artifact scoring) – @cybertriage
4. X-Ways Forensics (Windows forensics) – @XWaysSoftware
5. KAPE (Kroll Artifact Parser and Extractor) – @EricRZimmerman
6. Digital Detective (NetAnalysis for browser artifacts) – @DigitalDetectiv
7. Arsenal Recon (advanced disk mounting, hibernation/registry analysis, and evidence exploitation) – @ArsenalRecon
8. Magnet Verakey (full file system extractions for iOS/Android) – @MagnetForensics
9. FEX (Forensic Explorer for Windows forensics)
10. Elcomsoft Phone Breaker (iCloud acquisitions) – @elcomsoft
These all get heavy daily use in my workflow. What's in your toolkit?
• No forensic tool (Cellebrite, Magnet AXIOM, Oxygen, XRY, Elcomsoft, etc.) can reconstruct the chats without that key.
• That is why, after a factory reset, the probability of recovery from internal memory is 0%.
In Elcomsoft iOS Forensic Toolkit 8.70, we introduce a critical improvement: you can now sideload and launch the extraction agent completely offline using any Apple Developer account – regardless of when it was created. blog.elcomsoft.com/2025/05/e…