News

A round-up of this week’s digital forensics news and views:

Digital forensics experts reveal Bryan Kohberger’s preparation for Idaho murders

Digital forensics experts who were set to testify at Bryan Kohberger’s trial reveal evidence showing the convicted killer prepared extensively for the quadruple murders of University of Idaho students. Heather Barnhart and Jared Barnhart from Cellebrite discovered that Kohberger deliberately powered off his phone during the exact window of the November 2022 killings, downloaded detailed reports on serial killers, and used VPN technology to hide his online activity. Analysis of his digital footprint showed obsessive research into murder cases, scrubbed files, and evidence his phone had connected to WiFi at a restaurant where two victims worked.
Read more (the-independent.com)

FBI and NSPCC alarmed at ‘shocking’ rise in online sextortion of children

Tech companies reported more than 9,600 cases of adults grooming children online in the UK during just six months last year, equivalent to about 400 cases per week. Law enforcement agencies including the FBI and UK’s National Crime Agency express growing alarm about sextortion threats targeting teenagers, with victims being blackmailed into sharing explicit images. Snapchat logged approximately 20,000 cases of concerning material in the first half of 2024, more than all other major social media platforms combined. The Guardian reports that some teenage victims have taken their own lives due to this abuse, prompting unprecedented awareness campaigns.
Read more (theguardian.com)

Brian Carrier Launches Course on Automation and AI

Digital forensics has always depended on automation, from early tools like EnCase v1 and FTK v1 that automatically detected and parsed file systems. Brian Carrier explains that automation handles intermediate steps in investigations but still requires skilled investigators to ask the right questions and understand context. He is developing a comprehensive mini-course on automation and AI in forensics through LinkedIn posts, blogs, webinars, and eventually video content.
Read more (linkedin.com)

Hannah Bailey Discusses Mental Health Support for Digital Forensics and Police

Hannah Bailey, founder of Blue Light Wellbeing and former police officer with 15 years of frontline experience, discusses critical mental health challenges facing digital forensics investigators and law enforcement. Hannah, who left policing after experiencing PTSD and cancer, now works as a psychotherapist specializing in trauma therapy for high-risk professions. She emphasizes the need for proactive mental health support rather than reactive approaches, noting that digital forensics investigators face constant trauma exposure with added isolation from working alone with screens. Bailey advocates for regular supervision sessions and culturally-aware therapists who understand the unique stresses of law enforcement work.
Read more (forensicfocus.com)

Unfurl v2025.08 Released with Enhanced TikTok ID Parsing

Version 2025.08 of Unfurl has been released with improved TikTok ID analysis capabilities. Enhanced parser now extracts milliseconds, entity types, sequence numbers, and machine IDs from TikTok identifiers, thanks to research by Benjamin Steel. The update also fixes a bug in Google Search EI timestamp parsing where leading zeros in microseconds caused incorrect conversions.
Read more (dfir.blog)

Researchers Develop Hybrid Framework for Drone Forensics Investigation

Researchers have developed a new forensic framework that combines live, digital, and physical evidence collection to investigate drone-related crimes and accidents. Dongkyu Lee and Wook Kang propose a systematic analysis algorithm specifically designed for unmanned aerial vehicle evidence, addressing the growing need for post-incident investigation capabilities. Current drone security strategies focus primarily on real-time defense measures like detection and neutralization, but this research emphasizes the importance of forensic analysis to identify flight paths, pilot information, and accident causes. The framework aims to enhance the legal admissibility of drone forensic evidence in criminal and civil proceedings.
Read more (sciencedirect.com)

LinkedIn Timestamps Decoded for Open Source Investigations

LinkedIn provides only rough time estimates like “1d” for posts, frustrating investigators who need precise timestamps for fact timelines. Researcher Ollie Boyd discovered that LinkedIn post URLs contain hidden timestamps – the 19-digit number at the end, when reduced to its first 41 bits, reveals the exact Unix timestamp of publication. This technique has been integrated into Bellingcat’s Uniform Timezone Chrome extension to help investigators extract precise publication times from LinkedIn posts and comments.
Read more (maynier.eu)

Mental Health Challenges in Digital Forensics Explored

A new episode of Truth in Data examines the psychological impact on professionals working in digital forensics and incident response (DFIR). Episode 14 focuses on the often overlooked mental health toll that forensic investigators face while dealing with disturbing digital evidence and high-pressure cases. Mental health support and awareness in the cybersecurity field remains a critical but underaddressed concern.
Read more (youtube.com)

A round-up of this week’s digital forensics news and views:

Digital Forensics Expert Offers Guidance on Starting DF Business

Patrick Siewert provides comprehensive advice for aspiring digital forensics entrepreneurs in the first part of a three-part series on starting a digital forensic business. He emphasizes the importance of choosing a clear, professional company name, carefully selecting target clientele, and establishing solid business foundations including mission statements and proper legal structures. Siewert warns against common pitfalls like taking on undesirable clients and reveals that major forensic tool providers make their products deliberately expensive and difficult for private practitioners to access, often due to pressure from their primary law enforcement customers.

Read more (dfirphilosophy.blogspot.com)

Hashcat v7.0.0 Released with Major Performance Improvements

Hashcat releases version 7.0.0 after two years of development, featuring over 900,000 lines of code changes and contributions from 105 developers. Major new features include an Assimilation Bridge for integrating external resources, Python Bridge Plugin for rapid hash-matching implementation, and hash-mode autodetection. Performance improvements include up to 320% speed increases for scrypt and major optimizations for NTLM and NetNTLMv2, while 58 new application-specific hash types have been added including support for Argon2, MetaMask, and LUKS2.

Read more (hashcat.net)

OWASP Releases GenAI Incident Response Guide 1.0

OWASP GenAI Security Project releases its first comprehensive incident response guide for security practitioners dealing with GenAI application incidents. Created by a panel of experts from the project’s CTI Initiative, the guide provides guidelines and best practices without requiring deep GenAI knowledge. It aims to fill a critical gap in helping security teams respond effectively to incidents involving generative AI systems.

Read more (genai.owasp.org)

Building the UFADE Touch V1: A Portable iOS Forensics Device

A forensics professional demonstrates how to build an affordable portable backup system called “UFADE Touch” using a Raspberry Pi 4B, 7-inch touchscreen, and specialized cooling components. Components cost around €175 and include a DSI interface display to preserve USB ports for data sources and drives. Assembly requires minor case modifications and specific configuration changes to Raspbian OS to support the display driver and optimize performance for the 1024×600 resolution screen.

Read more (cp-df.com)

DB Browser Offers Alternative to Spreadsheets for CSV Forensic Analysis

A new video tutorial demonstrates how to use DB Browser for SQLite instead of traditional spreadsheet programs when conducting forensic analysis of CSV files. Sherman Kwok walks viewers through downloading the tool, importing CSV data, and using SQLite commands for sorting, filtering, and formatting data. The tutorial covers basic to intermediate techniques including regular expression filtering for more efficient data analysis.

Read more (youtube.com)

machofile Tool Released for Mach-O Binary Analysis

Security researcher Pasquale Stirparo releases machofile, a new Python module designed for parsing Mach-O binary files with a focus on malware analysis and reverse engineering. The self-contained tool works across macOS, Windows, and Linux without dependencies and offers features including header parsing, entropy calculation, symbol extraction, and code signature analysis. Stirparo developed the initial version after attending Patrick Wardle’s macOS malware class, spending nearly two years refining the tool before its official release.

Read more (github.com)

Cybersecurity Expert Releases Memory Forensics Dataset for Malware Research

Daniel Jeremiah releases a comprehensive memory forensics dataset featuring controlled attack scenarios on Windows 10 systems for cybersecurity research and training. Six distinct scenarios cover process injection, credential dumping, Cobalt Strike beacons, and various remote access trojans including AsyncRAT and MasonRAT. Each scenario includes detailed memory dumps, attack characteristics, and evasion techniques designed for analysts to practice using tools like Volatility and YARA. Cases range from unknown infections to targeted intrusions, providing varied complexity levels for students, analysts, and researchers developing memory analysis workflows.

Read more (daniyyell.com)

A round-up of this week’s digital forensics news and views:

Digital Forensics Experts Analyze ‘Missing’ Epstein Surveillance Video

Two former FBI forensic examiners conducted an independent analysis of Jeffrey Epstein’s jail surveillance footage that appeared to have missing minutes. Their investigation reveals the timing discrepancies likely resulted from routine video processing rather than evidence tampering. The experts found three types of technical artifacts: a system reboot gap, edited content from the file’s beginning, and dropped frames during compression, accounting for all apparent missing time.

Read more (forbes.com)

Digital Forensics And Stress: Understanding Your Body’s Signals

Dr. Zoe Billings and Mark Pannone discuss their innovative approach to managing stress in digital forensics through biological wellbeing education. Adapt & Evolve teaches investigators to recognize early physical warning signs of stress before mental health issues develop. They emphasize that chronic stress manifests physically through symptoms like lower back pain, high blood pressure, and digestive issues, which can be prevented through scientifically proven techniques.

Read more (forensicfocus.com)

Portable Forensics with Toby: A Raspberry Pi Toolkit

A digital forensics expert develops “Toby,” a portable forensic toolkit built around a Raspberry Pi Zero 2 W that fits in a travel organizer and can be operated headlessly from mobile devices. It runs Kali Linux with custom forensic tools including MalChela and a built-in tool finder called “toby-find” that serves as a searchable cheat sheet for available commands. The compact kit includes wireless connectivity, battery power options, and can perform malware analysis, memory forensics, and field acquisition tasks.

Read more (bakerstreetforensics.com)

Simson Garfinkel Receives Inaugural Test of Time Award at DFRWS

Simson Garfinkel receives the first-ever Test of Time Award at the 25th anniversary of DFRWS for his paper “Digital Forensics: The Next Ten Years,” which is the most cited paper in the conference’s history. The award recognizes Garfinkel’s foundational contributions to defining the field of digital forensics.

Read more (linkedin.com)

AI-Driven Open-Source Intelligence Transforms Digital Forensics for Cybercrime Investigation

Researchers explore how artificial intelligence can enhance open-source intelligence gathering in digital forensics to improve cybercrime investigations. The study examines AI’s potential to automate and streamline the collection and analysis of publicly available digital evidence. This approach could significantly accelerate forensic processes and help investigators identify patterns in cyber criminal activities more effectively.

Read more (researchgate.net)

SWGDE Releases Draft Technical Notes on Timing Advance Records

The Scientific Working Group on Digital Evidence has published a draft document titled “Technical Notes on the Use of Timing Advance Records (25-F-002-1.0)” for public review and comment. This draft represents the latest guidance from SWGDE’s forensics committee on the technical aspects and proper use of timing advance records in digital evidence analysis.

Read more (swgde.org)

PDF Security Vulnerabilities Enable Document Tampering

Security researchers have discovered critical vulnerabilities in PDF document handling that allow attackers to tamper with documents without detection. The flaws affect how PDF viewers process and validate document integrity, potentially enabling malicious actors to modify contracts, financial documents, and other sensitive files. These vulnerabilities pose significant risks to organizations that rely on PDF documents for secure communications and record keeping.

Read more (group-ib.com)

Research Validates Foreground Application Data in AMD Usage Events

A new study examines the validity of foreground application data stored in AMD’s SQLite database usage events, with a focus on analyzing the accuracy and reliability of application usage tracking mechanisms. The findings contribute to better understanding of how application usage data is collected and stored in AMD systems.

Read more (researchgate.net)

Researchers Release Comprehensive IoT Forensics Dataset for Cyberattack Detection

Researchers from UNSW Canberra introduce IoT-CAD, a new digital forensics dataset designed to train AI systems for detecting and attributing cyberattacks in Internet of Things environments. The dataset captures traces from Windows and Linux systems across multiple sources including memory, hard drives, processes, and network traffic from various IoT devices. The team validates the dataset using machine learning, digital forensics, and explainable AI techniques, employing both centralized learning for attack detection and federated learning for attack attribution.

Read more (sciencedirect.com)