Exterro INFORM 2025 started as a simple idea: put real investigators in front of other investigators and let them present on what it takes to work cases in 2025.
INFORM is a full day of webinars, fifteen sessions rolling across time zones, where law enforcement investigators, corporate examiners, and experts from across the world provide insight into what is really happening in cases right now, and what we can do about it.
If you work in digital forensics or incident response, you know the feeling: more cases, more data, more “critical” alerts, and the same 24 hours in a day. INFORM was built on the idea of having experts provide you with tips and tricks for when you are staring at a stack of drives and phones, an anxious stakeholder is asking for answers, and you still have to make sure everything you do will stand up in court, in front of regulators, or both.
Across the sessions this year, three themes kept surfacing:
- Our approach to investigations is fundamentally different from five years ago.
- Forensic fundamentals still decide whether your work survives contact with a courtroom or a regulator.
- Efficiency is the only way to stay on top of your caseloads and demands.
The value of INFORM 2025 was hearing from experts with real experience and cases, and then walking away with practical changes you can make in your own lab.
1. The Approach to Investigations Has Changed
One of the clearest messages from INFORM was that most of us are no longer working “simple” cases where everything lives on a single workstation and a single phone. The environments being described had a few things in common:
- Data scattered across SaaS platforms, on-premises servers, and endpoints.
- Critical data living alongside many other customers in multi-tenant cloud services, with real legal and technical limits on what you can touch.
- Password-protected devices, full-disk encryption, and complex authentication flows that are great for security but a headache for collection if you do not plan.
- Ransomware payments, fraud proceeds, and underground markets increasingly using coins and tokens instead of traditional rails.
- Deepfakes used in social engineering, synthetic identities in fraud, and AI tools helping both attackers and defenders move faster.
For investigators, this changes the starting question. It’s not “Which hard drive do I image first?” It is “Where does this organization actually live digitally, who controls those systems, and what can I legally and technically obtain in a defensible way?”
Several INFORM sessions leaned into that reality. Instead of pretending “the cloud” is a single place, they walked through questions like:
- Which logs exist by default in the platforms you use, and how long are they retained?
- How do you scope remote collections so you get what you need without over-collecting an entire organization?
- Where do identity artifacts live now that authentication is happening through SSO, mobile prompts, and conditional access policies, not just local Windows logons?
- How do you preserve evidence in places like chat platforms, collaboration suites, and mobile apps where users can edit and delete in real time?
Every DFIR practitioner needs at least a working mental model of these systems, or we risk missing the story entirely.
2. The Fundamentals Still Decide Whether Your Work Stands
If the first takeaway was about how things are changing, the second was about what is staying the same.
Tools evolve, threats evolve, but defensibility still lives or dies on the fundamentals of good forensic procedure.
Evidence lifecycle and integrity
From the moment a device is seized, or a cloud export is requested, INFORM speakers emphasized:
- Clear, complete chain of custody, including digital items and remote acquisitions.
- Imaging and export processes that can be repeated and explained, not just “pushed a button.”
- Hashing and verification at each stage so you can prove that the data you analyzed is the same data you collected.
- Preserving original sources in a bit-accurate, read-only state wherever possible.
None of that is shiny or new, but it is foundational. It is what allows you, years later, to walk into a courtroom or a boardroom and say, “This is what happened, and here is how I know.”
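One way to implement the per-stage hashing and custody record described above, as an added example that is not from the INFORM sessions or any vendor tool. The function names, stage names, item ID and sample bytes are all constructed for illustration.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream, so large images fit
            h.update(block)
    return h.hexdigest()

def _digest(entry):
    # Hash every field except the entry's own hash, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_stage(log, item_id, stage, path, examiner):
    """Append a custody entry that commits to the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"item_id": item_id, "stage": stage, "examiner": examiner,
             "utc": datetime.now(timezone.utc).isoformat(),
             "sha256": sha256_file(path), "prev_entry_hash": prev}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """Return problems: edited entries, broken links, or evidence hash drift."""
    problems, prev, baseline = [], "0" * 64, {}
    for i, e in enumerate(log):
        if _digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: log entry altered")
        if e["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if e["sha256"] != baseline.setdefault(e["item_id"], e["sha256"]):
            problems.append(f"entry {i}: {e['item_id']} differs from acquisition at {e['stage']}")
        prev = e["entry_hash"]
    return problems

def demo():
    # Constructed sample: a small file stands in for a forensic image.
    with tempfile.TemporaryDirectory() as d:
        img = Path(d, "item-001.img")
        img.write_bytes(b"constructed sample evidence bytes" * 1000)
        log = []
        record_stage(log, "item-001", "acquisition", img, "examiner-a")
        record_stage(log, "item-001", "pre-analysis", img, "examiner-a")
        clean = verify_log(log)
        img.write_bytes(b"X" + img.read_bytes()[1:])  # simulate an accidental write
        record_stage(log, "item-001", "pre-report", img, "examiner-b")
        return clean, verify_log(log)
```

Calling `demo()` returns the verification result before and after the simulated write, so the second list names the stage at which the working copy stopped matching the acquisition hash.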
Documentation as your future memory
Another recurring point was the value of documentation, with an emphasis on it serving as your future memory.
Most of us have had the experience of returning to a case years after we finished the analysis. By that time, you may be juggling dozens of other cases or matters. Without thorough notes on what you did, why you did it, and what artifacts you examined, you are left trying to reconstruct your own thinking after the fact.
A consistent approach to documentation solves that. It gives you:
- A timeline of your actions that can be compared with tool logs.
- Enough detail that a colleague could pick up the case if you are out or move on.
- A ready reference for testimony, reports, and internal reviews.
Standard operating procedures and repeatable workflows
Several sessions also stressed the role of standard operating procedures. Good SOPs do not turn you into a robot. They give you a baseline. They answer questions like:
- How do we handle a standard smartphone seizure from intake through analysis and reporting?
- How do we process a new murder case, a CSAM case, a fraud case, or an insider threat case from a workflow perspective?
- Which tools are approved for which tasks, how are they validated, and how do we document their use?
When you have that foundation, you are not inventing a process for every case. You can focus on the investigative questions and adapt where needed, while still being able to show that you started from a defensible, documented baseline.
Training and capacity building
Finally, INFORM 2025 made it obvious that tools alone are not enough. Many labs have impressive hardware and software. The bottleneck is capacity and experience.
Sessions highlighted the need for:
- Longer-term training plans, not just one-off classes.
- Mentoring and peer review so examiners learn by seeing how others think.
- Time allocated for practice, research, and validation, not only production work.
You cannot bolt this on after a big incident or after a case blows up in court. It must be part of the way your team is built.
3. Making Big Data Small
The third major theme at INFORM 2025 was efficiency. Three ideas showed up repeatedly.
Narrowing scope with smarter communication
A lot of examiners are drowning in evidence because everything gets treated as equally important. INFORM sessions pushed hard on the value of better communication with investigators, legal, and stakeholders.
Instead of accepting “image everything and find something,” practitioners talked about questions like:
- Which device was in use at the time of the incident?
- Which accounts and time frames matter for the specific allegation?
- Which systems contain data that is genuinely in dispute, versus noise?
Those conversations let you turn a pile of twenty devices into a prioritized list of four that matter, with clear reasoning behind the decision.
Workflow and “Crockpot” forensics
Another theme was how to structure your day so tools are working for you instead of the other way around. Examples included:
- Kicking off long-running tasks like imaging, indexing, or big exports at the end of the day so they run overnight.
- Running a small number of cases in parallel so you can pivot when one process is waiting on a tool, a password, or a stakeholder.
- Using case management systems or even well-designed spreadsheets to track status, deadlines, and next actions, so nothing falls through.
Think of it as “Crockpot forensics” in the best sense: set things up correctly, let the tools run, and come back to something you can immediately work with.
Using AI as an accelerator, not a crutch
AI naturally came up in several sessions.
- AI is already useful for triage, especially large image and video sets or common content like drug photos and weapons.
- It is not a replacement for examiner judgment. Anything AI flags must still be validated, the context must be proved, and an explanation must be given.
- You need to document when and how you use AI, just like any other tool, and be prepared to explain its role.
Used well, AI helps you turn “big data” into “small, focused data” faster. Used poorly, it becomes push-button forensics that is impossible to defend.
Why INFORM 2026 Should Be On Your Calendar
INFORM 2025 was a snapshot of where DFIR really is this year:
- Working inside cloud and hybrid environments that are still catching up on visibility and logging.
- Navigating new privacy and data protection rules that change how we collect, store, and share evidence.
- Dealing with attackers who have access to the same AI and automation that we do.
- Trying to keep labs functional in the face of data growth and staff burnout.
If you felt any of that reading this, INFORM 2026 is worth your time. You can expect the same core strengths:
- Global perspectives from practitioners who see things unfolding in different legal and cultural contexts.
- Case-driven content that starts with, “Here is what happened in a real investigation,” not with a feature list.
- Practical ideas you can bring back to your own environment, whether you sit in a police lab, a corporate SOC, or a service provider.
INFORM is a reminder that you are not the only one struggling with these problems. Other teams are facing the same pressures. Some have found approaches that work. Some have learned the hard way what does not.
Taking time to listen, compare notes, and update your own mental model of DFIR is part of staying sharp and being defensible. The tools will keep changing. The threats will keep changing. Our job is to keep our thinking one step ahead. INFORM is a series to help you do exactly that.
Secure your place today at INFORM 2026, 17th March by registering here!





