At the end of last year, First Forensic Forum (F3) brought the digital forensics community together for three packed days of talks, demos, and discussion at Chesford Grange in Warwickshire. Combining technical deep dives, real-world case studies, and lively evening events, the conference offered a valuable opportunity to explore new tools, emerging challenges, and the fast-moving realities of modern investigations.
Day One
Day one opened with a series of vendor-led sessions, giving attendees a chance to see new tools in action and hear directly from the teams behind them. Semantics 21’s Tom Oldroyd introduced S21 VisionX, demonstrating how the platform automates complex aspects of CSAM investigations, including content description, classification, victim and suspect identification, and court-ready reporting. Throughout the session, Tom emphasised the company’s long-standing focus on investigator well-being — something he explored in more depth on the Forensic Focus Podcast. Ailsa Slack followed with a hands-on demonstration of ADF PRO, focusing on its mobile screen-capture capabilities. She later earned a steady stream of visitors at the ADF stand thanks to her generosity with Tunnock’s, whisky and gin.
Later sessions included Tom Cross, appearing in one of his final presentations for Detego Global, who showcased Ballistic Imager and its ability to achieve world record forensic imaging speeds. Kevin Mansell of Control-F closed the vendor sessions with an engaging exploration of emoji forensics, explaining how Unicode storage and platform-specific rendering can complicate evidential interpretation. With everyone staying on site, the day concluded with informal networking in the bar before a well-received curry and quiz night, complete with musical rounds, friendly competition, and chocolate gold medals for the winning team.
Day Two
Day Two began with coffee in the vendor hall, giving attendees time to browse the stalls and catch up with exhibitors before the talks began. In addition to the vendors who led the Day One sessions, the hall featured stands from Amped Software, CCL Solutions Group, Continental, MD5, MSAB, OpenText, Paliscope and VSPL. There was an interesting mix of merchandise, hardware and a few live demos, all of which remained in the hall for the remainder of the conference. Once everyone had settled in, Gareth Davies, the Chairman, welcomed us to the hall and opened the day’s programme.
Enterprise to Everyday: Demystifying BitLocker, TPM and the Vulnerability Landscape — Elliot Glendye (Control-F)
Elliot Glendye from Control-F took a fresh look at BitLocker — a tool that’s been around for years but is now turning up everywhere, especially on consumer devices. He explained how modern deployments lean heavily on TPM and Secure Boot, and how that combination introduces its own set of vulnerabilities and quirks for investigators. One of his key messages was the importance of researching a device properly before deciding on any exploitation method. With Windows 10 reaching end of support and more people shifting to Windows 11 (where UEFI Secure Boot and TPM are mandatory), practitioners are going to encounter these setups even more often. Elliot also noted that many users don’t realise their devices are encrypted at all, which can make examinations more interesting.
Extracting the Unseen: Real-World RAM Acquisition and Analysis from Android Devices — Alex Cooley (MSAB)
MSAB’s Alex Cooley focused on the growing importance of mobile devices in today’s investigations and highlighted how much critical evidence sits in volatile memory — evidence that can be easily missed or wiped when relying solely on traditional extraction methods. He walked us through some common misconceptions about RAM before presenting two case studies that showed just how much high-value data can be recovered from Android devices through proper RAM acquisition and analysis, often revealing artefacts that aren’t accessible through standard logical, file system or even physical examinations. Alex also explained how XRY Pro approaches this, capturing everything on the device — starting with RAM — in a process that only takes a few minutes.
The Challenges of Digital Multimedia Evidence for the Criminal Justice System — Emi Polito (Amped Software)
Emi Polito from Amped Software looked at how photos and videos have become one of the main sources of evidence for law enforcement, driven by the rise of CCTV, smartphones, dash cams, doorbell cameras and body-worn video. Yet, despite their prevalence, this type of material is still not always handled with the rigour it requires. The session covered key principles that help ensure reliable results and fair, transparent trials, while reducing the risk of errors that could lead to miscarriages of justice. There were some fascinating insights into how factors like perspective, colour fidelity and compression artefacts can dramatically alter the way an image or video is interpreted.
Are We Doing Browser Forensics Wrong? — Alex Calvert-Caithness (CCL Forensics Ltd.)
Alex Calvert-Caithness from CCL Solutions Group explored how modern websites and web apps have become so complex and feature-rich that browsers now offer developers far more ways to persist data about a user’s activity. In many cases, the browser behaves less like a simple application and more like an operating system or platform, with each site acting like its own mini-app and leaving behind a distinct trail of artefacts. The session highlighted where and how this data can be stored, along with practical approaches and tools to help investigators make the most of the valuable information browsers can reveal.
AI Ethics in Policing — Giles Herdale (Herdale Digital Consulting)
Giles Herdale explored how public trust in policing has shifted over time and set out the pressures police forces now face, from stretched resources and performance demands to a less experienced workforce and an explosion in digital evidence. He outlined the specific challenges this creates for digital forensics, including rising demand, growing technical complexity and tighter regulation. Against this backdrop, Giles discussed where AI might be able to help, while stressing the importance of explainability and the risks posed by “black box” outputs in a policing context. Accountability, bias, and the responsible use of AI were recurring themes.
The Digital Forensics Career Journey — Karla Poppleton (Mandiant, Google)
Karla Poppleton shared her career story, which has taken her from digital forensics roles in the private sector and frontline policing to leading incident response at the UK’s National Cyber Security Centre, and later into senior consultancy positions with Mandiant and Google. She spoke about the differences between digital forensics and incident response, but also how a forensic mindset — analytical discipline, critical thinking, rigour, accountability and strong communication — can open doors across the wider cybersecurity landscape. Karla discussed the opportunities, challenges and trade-offs she has encountered along the way and emphasised that the ability to think forensically can be a real passport to a varied and rewarding cyber career.
The day concluded with a formal dinner — a relaxed and enjoyable way to unwind after a full programme, with plenty of time to continue conversations and catch up with colleagues.
Day Three
Day Three began with more coffee — especially welcome for those who’d stayed up chatting until the early hours — and a final warm welcome from Gareth.
Email Forensics – Applying an Analytical Approach to Amended Attachments — Dr Tristan Jenkinson (Sky Discovery)
Dr Tristan Jenkinson from Sky Discovery began with a high-level overview of email forensics before diving into a case study that showed just how easily end users can alter or replace email attachments. He walked through how remnants in MAPI data can reveal this kind of activity and highlighted the volatility of MAPI dates and times, which can complicate analysis. Tristan also touched on the growing impact of generative AI, adding yet another layer for investigators to consider when assessing the authenticity of email content and attachments.
Drones Are Not Just for Prison — Alan Roder (West Midlands Police)
Alan Roder from West Midlands Police walked us through a case involving a student who was convicted of preparing acts of terrorism after adapting a fixed-wing drone to deliver an explosive warhead over an 8km distance for ISIS. It offered a fascinating look at drone forensics, showing how the design and build of a device can reveal criminal intent. In this instance, the drone had been modified in a way that made it clear it was intended to be used as a missile — it wasn’t designed to land, but to crash into a target. It also featured far fewer electronics than an off-the-shelf model, a choice that made it harder to fly but ensured it collected no data.
A–Z Forensics of Linux — Si Biles (Forensic Focus)
Si Biles — our own Forensic Focus podcast co-host — delivered a wonderfully creative session, taking us through a literal A to Z of Linux using Dr Seuss–style slides. He opened with a quote from Heraclitus — “there is nothing permanent except change” — to capture the rapid pace at which Linux forensics evolves. Each letter introduced a different concept, tool or artefact, ranging from A for authentication and auth logs all the way through to Z for /dev/zero. It was an entertaining and informative tour through the landscape of Linux forensics, with plenty of useful tools and live demos along the way.
Seize My Bank Account? I Use Bitcoin… Good Luck With That! — Stuart McLaren (zeroShadow.io)
Stuart McLaren, an Investigator at zeroShadow, talked us through a complex investigation into a darknet market vendor who had been working hard to conceal their digital assets. The case combined digital forensics, communications data, OSINT and blockchain analysis to trace transactions linked to illicit online activity. Investigators recovered and decrypted non-custodial cryptocurrency wallets, uncovered the obfuscation techniques being used and ultimately seized around 85 bitcoin under the Proceeds of Crime Act. The session offered valuable lessons in asset tracing, digital evidence handling and the wider challenges involved in tackling cyber-enabled crime.
Cellebrite and Corellium Introduction: Virtualised Mobile Testing for Forensics — Dan Embury (Cellebrite)
Dan Embury introduced the partnership between Cellebrite and Corellium, outlining how the two companies are working together to bring virtualised mobile testing into the digital forensics workflow. He followed this with a live demo of the Viper/Falcon offering, showing how combining forensic expertise with leading mobile virtualisation can help teams identify vulnerabilities earlier and speed up mobile development and security testing. Dan also highlighted how digital forensic units (DFUs) will benefit from these capabilities, for example with new methods for mobile forensics training and advanced solution development.
Forensic Analysis of ChatGPT — Chris Blight (Magnet Forensics)
Chris Blight from Magnet Forensics looked at the growing concern around AI misuse and the importance for law enforcement of being able to identify and interpret digital evidence linked to AI tools, including OpenAI’s ChatGPT mobile app for iOS and Android. He walked through the types of forensic artefacts the app generates — such as JSON, protobuff and log files — and showed how these can help investigators understand user activity. Chris also demonstrated how tools like Magnet AXIOM can support cases involving AI-generated content, an area that is only going to become more important.
Deepfakes — Emi Polito (Amped Software)
Emi Polito returned to explore the growing use of AI in creating and manipulating digital media, explaining how deepfakes are generated and how techniques like image enlargement with trained neural networks work behind the scenes. He also outlined the risks posed by AI-generated content — from how easily inexperienced users can now produce deepfakes to the difficulty of identifying an “original” fake — as well as broader issues such as political propaganda, sextortion, malicious communication and other emerging offences. Emi then moved on to practical ways to authenticate AI-generated material, including examining metadata, assessing shadows and looking for signs of post-processing or repeated JPEG compression.
Final Reflections
F3 2025 brought together a wide range of voices, ideas and tools, offering a clear snapshot of where digital forensics is heading and the challenges practitioners are navigating. From deep technical sessions to creative presentations and late-night conversations, the event highlighted a community that is adapting quickly and supporting one another through increasingly complex work. It was a full and rewarding three days — and a reminder of the value of coming together to learn, share and collaborate. To find out more about F3, visit https://f3.org.uk/
