Select Page


Home » Digital Forensic Training » Additional DFI Courses » Elcomsoft Password Recovery & Data Decryption

This class is offered in partnership with Elcomsoft, Russia’s leading password recovery, data decryption and mobile forensics service providers.

Course Objective

In this 3-day Password Recovery and Data Decryption for Mobile Forensics Course, students will develop an in-depth knowledge of password protection and data encryption techniques used in mobile forensics. The attendees will further master modern technologies for password recovery, mobile forensics, data extraction and decryption.

In Part 1 of this course students are led through the fundamentals of Mobile Forensics including; an overview of common platforms, operating systems, workflow, logical acquisition, physical acquisition, and cloud based acquisition.

In Part 2 students will be instructed in the fundamentals of Encryption, Data Protection, and Passwords, including; brute force, smart attacks, dictionary attacks, how to avoid lengthy attacks, and much more.

Attendees who successfully pass the class assignments will be given a certificate of completion.

I left with a far better understanding of the linear differences between backup / sync features which I had not previously investigated. I found that it has already paid for itself in our interaction with investigators. Probably one of the better instruction training I have had in a while. I will definitely be recommending Vlad and Oleg for future training with our members. Good job guys.

Who can take this course?

This training course has been designed for digital forensic investigators, law enforcement personnel, e-discovery, and IT security specialists looking to further develop their mobile forensic skill sets to encompass password recovery and data encryption.

What Will I Learn?

1.1. Introduction

  • A brief overview of global mobile platforms:
    • Apple iOS, Google and non-Google Android, Amazon, Microsoft and BlackBerry ecosystems
    • Mobile operating systems:
      • Apple iOS
      • BlackBerry OS and BlackBerry 10
      • Windows Phone 8.x and Windows 10 Mobile
      • Android: Google and non-Google
      • Other systems: Jolla Sailfish, Samsung Tizen
    • Evidence available in mobile devices
    • Encryption and protection
  • Mobile forensic workflow
    • Seizing, shielding and storing the device
    • Steps to preserve evidence
    • An overview of acquisition techniques
      • Logical extraction
      • Over-the-air acquisition
      • Physical extraction
      • Chip-off and JTAG, their limitations and applicability

1.2. iOS Logical Acquisition

  • Logical acquisition as major technique
  • Backup encryption and password protection
  • Forensic implications of password protection
  • Performing logical acquisition
    • Producing a local backup with iOS Forensic Toolkit
    • iTunes backups
    • iTunes backup protection
    • Making use of lockdown records
    • Extracting backup passwords from Windows and OS X
  • Attacking unknown backup passwords with Elcomsoft Phone Breaker
  • Decrypting the backup
  • Decrypting and analysing keychain data
    • Wi-Fi passwords
    • Mail passwords and tokens
    • Apple ID and password
    • DSID and authentication tokens
    • Apple ID token: how to use the token for subsequent cloud acquisition
    • Social network tokens
    • Brower auto-complete data, forms and passwords

1.3. iOS Physical Acquisition

  • Introduction
    • What is physical acquisition
    • Applicability, limitations and forensic implications
    • Advantages of physical acquisition
      • Cached mail
      • Location data
      • Application data
      • Photo library (if iCloud Photos is enabled)
      • Caches, temp files, log
      • WAL data
  • Jailbreak-based Physical Acquisition Techniques
    • 32-bit devices
      • breaking passcode
      • full disk imaging
    • 64-bit devices
      • file system-based acquisition
    • Jailbreaks, hardware generations and versions of iOS
    • Limitations of jailbreaking
    • Forensic implications of Internet connectivity required for jailbreaking
    • Troubleshooting jailbreaks
  • Practicing jailbreaking the iPhone
  • Performing physical acquisition of a jailbroken 64-bit device
  • Working with disk images (DMG) on Windows and OS X

1.4. Over-the-Air Acquisition via iCloud

  • iCloud backups
    • When and where iCloud backups are created
    • iCloud backups storage and encryption
    • Downloading iCloud backups using Apple ID and password
    • Downloading using authentication tokens
    • Extracting authentication token from Windows
    • Extracting authentication token from OS X
    • Extracting DSID and authentication token from other device
    • Two-step verification and two-factor authentication
    • Differences between iTunes and iCloud backups
      • IMEI and some other data
      • Keychain encryption
  • iCloud Drive
    • Documents
    • Third-party application data
    • System data
  • Extracting synchronized data
    • Call logs
    • Notes
    • Photos
    • iCloud Keychain

1.5. Analysing the Data

  • Data categories
    • Contacts
    • Calendars
    • Notes
    • Messages
      • SMS & iMessage
      • Encrypted messages (iOS 9.3)
      • Message attachments
      • Recovery of deleted messages
    • Call log
    • Web (Safari) data
      • Bookmarks
      • History
      • Search history
      • Auto-complete data
    • Media library
      • Albums
      • Location data
      • iCloud Photos
  • Filtering and searching
    • By date/time
    • By data type
  • Export and reporting

1.6. Google Account Acquisition & Analysis

  • Information stored in the Google Account
  • Android and iOS data that syncs with Google accounts
  • Extracting and browsing information from Google
    • User info
    • Contacts
    • Calendars
    • Notes
    • Messages
    • Dashboard
    • Backup data
    • Web data (Chrome) & History
      • Browsing history
      • Search history
      • YouTube data
    • Location data
    • Media files
      • Albums
      • EXIF data
      • Contacts & cycles
  • Handling two-factor authentication
  • Obtaining Google Account password

1.7. A Brief Overview of BlackBerry Acquisition

  • Legacy BlackBerry devices (OS 6/7)
    • Backup password recovery
    • Password Keeper password recovery
    • Wallet password recovery
    • Breaking device passcode
    • SD card decryption
    • Viewing and analysing BlackBerry backups
  • BlackBerry 10
    • BB 10 backup encryption basics
    • BB 10 backup decryption using BB ID
    • Breaking into BlackBerry Keeper

1.8. Microsoft Forensics: Windows Phone & Windows 10 Mobile

  • Windows Phone 8.x and Windows 10 Mobile
  • Available acquisition techniques
  • Cloud forensics
    • Windows Phone/Mobile backups
    • Downloading and analysing synced information
    • Obtaining Microsoft Account credentials

1.9. Acquisition & Analysis of WhatsApp Data

  • Extracting WhatsApp data from iOS devices (iPhone)
    • iOS: local iTunes backups
    • iOS: iCloud backups
    • iOS: proprietary backups in iCloud Drive
  • Extracting WhatsApp data from Android smartphones
    • Android: data in internal memory
    • Android: backups on SD card
    • Android: backups on Google Drive
    • Android: backups encryption

2.1. Encryption, Hashing & Password Protection

  • Do you need that password?
    • 40-bit PDF encryption
    • Legacy Microsoft Office formats, Rainbow Tables and Thunder Tables
    • QuickBooks, Quicken documents, MS SQL Server
    • User account passwords
  • Instant recovery or extraction
    • Obtaining cached passwords and browser forms
    • Obtaining or intercepting POP3 and IMAP passwords
    • Building a custom dictionary
  • If you have to brute force
    • Limiting the number of passwords to try
    • Increasing recovery speed with hardware acceleration
  • Password length and smart attacks
    • Estimating the time to complete the job
    • Estimating resources required to break the password in reasonable timeframe
    • Factors affecting attack speeds:
      • password length
      • password complexity
      • data format
      • hardware
  • Dictionary attacks
    • How to use mutations
  • How to avoid lengthy attacks
    • Extracting user passwords to speed up brute-force attacks
    • Password reuse: gathering the low hanging fruit
    • Using passwords from online leaks
    • The Ten Thousand Passwords list
    • The One Million Passwords list
  • Setting up attack pipeline in Elcomsoft Distributed Password Recovery


All attendees are invited to do a practical exercise on mobile forensics. Using a proper workflow for seizing and storing mobile devices to preserve evidence, and using all available acquisition steps in the right order are essential parts of the training.

Attendees will be using the skills and knowledge acquired during the training to perform acquisition of a given iPhone device. Attendees who successfully pass the assignments will be awarded a certificate.

Students registering for this class will receive a free copy of Mobile Forensics: Advanced Investigative Strategies. 

About the Instructors

Oleg-HD2Oleg Afonin is a researcher and an expert in digital forensics. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, FT-Day, Techno Forensics and others. Oleg co-authored multiple publications on IT security and mobile forensics. With years of experience in digital forensics and security domain, Oleg led forensic training courses for law enforcement departments in multiple countries.

Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co.Ltd. Vladimir manages all technical research and product development in the company. He regularly presents on various events and runs security and computer forensics training both for foreign and inner (Russian) computer investigative committees and other law enforcement organizations.

Laptop Requirements

We prefer students bring their own laptops whenever possible. If this is not possible, Teel Tech Canada will provide one for you. If you are unable to bring your own laptop, please indicate so on the registration page.

For students bringing a laptop to class, please ensure they meet the following minimum requirements:

  • Windows 7
  • Windows 8.x and 10.x using these instructions (turn off driver sig enforcement)
  • macOS with Bootcamp Windows 7
  • macOS with Bootcamp Windows 8.x and Win 10.x using these instructions
  • macOS alone will not work (No Virtual Machines)
  • 8GB RAM (minimum)
  • 100GB storage (minimum)
  • You must have Admin rights or have the admin password for software installation.


Upcoming Courses