ElcomSoft

ElcomSoft is a Russian software company founded in 1990, headquartered in Moscow, specialising in password recovery, mobile forensics, and cloud extraction tooling. The company’s product line includes Phone Breaker (iCloud and BlackBerry extraction), iOS Forensic Toolkit (iOS device acquisition), and Distributed Password Recovery (GPU-accelerated password cracking). ElcomSoft has been an established vendor for law enforcement and corporate investigators globally since the early 2000s, though sanctions and corporate scrutiny following the Russian invasion of Ukraine in 2022 have substantially restricted Western customer access.

What it means in practice

ElcomSoft’s flagship capability is iCloud extraction without the device, using captured authentication tokens or supplied account credentials. The product can extract iMessages, photos, contacts, calendar entries, and backup files from an iCloud account when the investigator has obtained either the account password or an authentication token captured from the device. iOS Forensic Toolkit additionally supports physical and file system acquisition on iPhones, with capability varying by device model and iOS version.

Specific things to know

ElcomSoft’s Moscow base and Russian corporate registration have placed the company outside the practical reach of most US, UK, and EU law enforcement customers since 2022. Western customers who previously relied on ElcomSoft for iCloud extraction have largely transitioned to Cellebrite, Oxygen, or open-source equivalents. The Russian customer base, including FSB and MVD investigators, has remained continuous. The company’s technical research, published through blog posts and conference talks, remains influential in the forensic community even where the product itself is no longer purchasable.

Change today

For anyone whose iCloud account may be of interest to a Russian-aligned investigator, the operational answer is the same as for any cloud account: strong unique password, hardware-key 2FA where supported, regular review of account sessions and devices, and limitation of cloud backup scope to non-sensitive material. The ElcomSoft case illustrates that cloud account compromise can produce the same result as physical device compromise, often through a much lower-cost path.

Related articles

See our coverage of iCloud extraction techniques, Russian forensic vendors post-2022 sanctions, and the operational answer to cloud account compulsion.