A round-up of this week’s digital forensics news and views:
Industry News
CSAM Investigators Face Growing Mental Health Crisis
Officers investigating crimes against children face severe psychological trauma, a burden that is intensifying as AI-generated CSAM floods caseloads while government mental health resources are being cut. Many investigators are parents themselves, adding personal weight to cases involving child exploitation material.
Tools & Software
Cellebrite Launches Agentic AI Investigative Tool
Cellebrite outlines the development and launch of Genesis, its agentic AI product designed to help investigators process digital evidence and surface leads more quickly. The company highlights early-access results from law enforcement agencies while stressing that investigators remain responsible for validating findings and preserving evidential integrity.
Tools & Software
Engram MCP Brings Autonomous AI to Memory Forensics
Engram MCP is an autonomous AI agent built for memory forensics workflows, using the Model Context Protocol to replace raw terminal access with structured APIs that prevent context flooding and hallucination. A baseline test showed an unstructured LLM agent consuming 147,000 tokens before collapse; Engram enforces a six-phase OODA loop architecturally and requires positive evidence before declaring any subsystem clean.
Research & Techniques
Berla Explains Location ID Without GPS Coordinates
Berla Corporation has published a guide on reachability analysis, a technique for identifying vehicle locations when GPS coordinates are unavailable. The method offers examiners an alternative investigative pathway for extracting location intelligence from vehicle infotainment and telematics systems.
Research & Techniques
iCloud Private Relay Challenges Network Forensics Workflows
Apple’s iCloud Private Relay routes Safari traffic and DNS queries through dual-hop proxies using QUIC/TLS 1.3, rendering traditional DNS logs and IP attribution unreliable for investigations involving Apple devices. Egress IPs rotate between sessions and are shared across users, while ODoH eliminates DNS query visibility at the network perimeter. DFIR teams relying on Zeek, Suricata, or pcap analysis will find destination correlation broken, requiring a fundamental shift in network-based detection logic.
Industry News
Belkasoft X Targets SQLite Forensic Recovery
Belkasoft explains why SQLite forensics remains a vital DFIR skill, showing how deleted records, WAL entries, journal files, and unallocated fragments can reveal evidence missed by automated parsing. Practical examples involving Avast Firewall logs, Microsoft Phone Link, Google Drive, and iOS SMS backups demonstrate how targeted SQLite analysis can uncover overlooked investigative leads.
Training & Events
Evidence Locker Centralizes DFIR Test Images
Kevin Pagano has compiled The Evidence Locker, a single repository of forensic test images spanning mobile devices, computers, and memory dumps. It gives DFIR practitioners ready-made datasets for practice, validation, and methodology development without relying solely on commercial tooling.
Tools & Software
SQLiteWalker v1.0.0 Adds GUI and TAR Support
SQLiteWalker v1.0.0 arrives with a new GUI, .TAR archive support, and a unified script that combines command-line and graphical modes into a single file. Updated by contributor Miguel, the tool extracts SQLite databases along with associated WAL and SHM files from folders or archives, reporting any errors encountered during scanning.
Tools & Software
Android Intrusion Log Parser 2.0 Released
Android Intrusion Log Parser 2.0 adds detection of AFU and BFU bad PIN attempts, app installation/run/uninstall tracking, unique IP and DNS query reporting, and full log conversion from JSON lines to CSV. Upcoming development will target flagging suspicious ADB activity and push/pull events.
Industry News
BelkaGPT Transcribes Audio and Video Evidence
Belkasoft demonstrates how BelkaGPT can transcribe audio, voice messages, and video files into indexed, searchable text for faster forensic review. Investigators can search recordings by keyword and jump to the exact moment a term is spoken, reducing the need to manually review hours of material.
Research & Techniques
Linux Forensic Image Creation and Mounting Guide
A new practitioner-focused guide walks through creating and mounting forensically sound disk images in Linux, covering installation of required tools and step-by-step acquisition procedures. It targets examiners already comfortable with Windows forensics who want to extend their skills to Linux environments.
Read more (matthewplascencia.substack.com)
Industry News
Cellebrite AI Transforms Digital Forensics
Cellebrite sets out ten best practices for using AI in digital investigations, urging examiners to start with familiar cases, understand data sources, ask specific questions, and treat AI as an investigative aid rather than a replacement for practitioner judgment. The guidance emphasises that AI can accelerate triage and evidence correlation, but validation, documentation, chain of custody, disclosure, and court presentation remain the responsibility of qualified forensic professionals.





