A round-up of this week’s digital forensics news and views:
Forensic Timeliner – A timeline creation tool built in PowerShell
Forensic Timeliner is a new open-source PowerShell tool designed to streamline timeline creation in digital forensics. Built for investigators working with KAPE, EZTools, and Chainsaw+Sigma outputs, it normalizes data from multiple sources into a unified timeline format. The tool offers interactive or scripted execution, efficient batch processing, and export options to CSV, JSON, and XLSX. Analysts can prefilter MFT and event log data, categorize web history by activity type, and use a built-in macro to color-code artifacts. Forensic Timeliner helps quickly correlate user activity and artifacts, making host-based analysis faster and more structured.
3rd BETA release of SRUM-DUMP v3
The third BETA release of SRUM-DUMP v3 brings enhanced capabilities for forensic analysts and incident responders, offering deep analysis of Windows SRUM (System Resource Usage Monitor) data to uncover application and process activity over the past 30 days. This version introduces a user-friendly wizard, keyword tagging to flag suspicious processes, and output in both Excel and CSV formats. SRUM-DUMP extracts data from the SRUDB.DAT file and optionally enriches findings using the SOFTWARE registry hive. Designed for streamlined triage and reporting, the updated tool empowers analysts to quickly identify anomalous activity across Windows systems.
Cell Site Analysis for Geolocation SFR
The National SFR Board has officially approved the use of the Streamlined Forensic Reporting (SFR) process for cell site analysis in geolocation cases, following agreement by the cell site expert working group in January 2025. This evidential use of the SFR process is intended to support opinions on device geolocation, and is not applicable to non-evidential scenarios such as missing person investigations. To ensure proper implementation, detailed guidance documents, templates, technical notes, and training videos have been made available, alongside a formal adoption plan for practitioners.
Read More (Forensic Capability Network)
DeepFace UI – simplifying facial verification for OSINT investigations
DeepFace UI is a newly developed open-source web application that adds a user-friendly interface to the powerful DeepFace facial recognition library, streamlining OSINT investigations and identity verification. Built to eliminate the hassle of account creation required by many free services, it enables investigators to drag and drop images for instant face detection, extraction, and analysis. DeepFace UI automates key steps in facial verification workflows, making it easier to compare faces and assess attributes directly within the browser.
DFRWS: PaSSw0rdVib3s!: AI-assisted password recognition for digital forensic investigations
New research introduces a machine learning-based approach to help digital forensic investigators identify cleartext passwords within data extracted from unlocked devices—an increasingly vital tactic when facing encrypted devices like secure phones. The study evaluates five models, including PassGPT, DistilBERT, and XGBoost variants, ranking their effectiveness at distinguishing passwords from non-passwords. It finds that PassGPT offers the highest accuracy, while DistilBERT strikes a strong balance between speed and performance. The research emphasizes the importance of diverse training data—combining leaked passwords with real-world text sources like chat logs and web crawls—and demonstrates that modern NLP techniques can significantly enhance forensic password discovery efforts in practical, real-world scenarios.
Decrypting Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat
This detailed forensic walkthrough demonstrates how an investigator decrypted a locked Apple Note on an iOS 16.7.10 device using a combination of open-source tools and methodical database analysis. The process involved extracting key encryption parameters from the NoteStore.sqlite database, cracking the note’s password with Hashcat, deriving cryptographic keys with Python and CyberChef, and ultimately decrypting and decompressing the AES-encrypted protobuf data to recover the note’s plaintext content. The investigation highlights how password hints and structured workflows can unlock critical evidence—while noting that changes introduced in iOS 17 and 18 require new investigative strategies.
Read More (James Eichbaum, LinkedIn)
The Hidden Toll Of Digital Forensics: A Serving Digital Investigator’s Story
Following the publication of an article on the personal toll of digital forensics, a serving investigator came forward to share a deeply personal account of the psychological damage caused by years of exposure to disturbing case materials. Their story highlights the hidden burden carried by digital forensic investigators, who often face graphic content daily with little to no proactive mental health support. The investigator recounts vivid flashbacks, sleep disturbances, and emotional trauma triggered by work-related exposure, exacerbated by outdated mental health tools and stigma within the profession. Their call for systemic change urges leadership to acknowledge the cost of justice on those behind the screens and to take meaningful action before more investigators are lost to burnout and despair.
DFDS ’25: Proceedings of the Digital Forensics Doctoral Symposium
The 2025 Digital Forensics Doctoral Symposium (DFDS ’25), held in Brno, Czech Republic, showcases a diverse range of open-access research advancing the field of digital forensics. Topics include AI-generated code testing frameworks, synthetic data for entity extraction, robustness of similarity digest schemes, forensic communication analysis, ICS side-channel monitoring, SMB fingerprinting, GenAI image tampering detection, automation classification in forensics, knowledge graph frameworks, and timestamp tampering strategies. With contributions from early-career researchers and experts, the symposium reflects cutting-edge innovation in forensic analysis, automation, and adversarial resilience.
Read More (ACM Digital Library)
How AI is ‘saving the Mona Lisa’: A paradigm shift in digital forensics
A groundbreaking project from the German Research Center for Artificial Intelligence (DFKI), Carve-DL, is revolutionizing digital forensics through AI-powered file reconstruction. Leveraging advanced deep learning models like Swin Transformer V2 and ResNet, Carve-DL can recover highly fragmented or deleted files with high precision—something traditional forensic methods struggle to achieve. The system includes models for file classification, fragment verification, clustering, and reordering, achieving up to 95% reconstruction accuracy. While the fictional “Mona Lisa theft” illustrates its use, Carve-DL shows real promise for police work, cybersecurity, industrial data recovery, and digital preservation. The project concludes in October 2025, with researchers optimistic about its impact on forensic science and beyond.
DFRWS: Preserving meaning of evidence from evolving systems
This paper argues that digital forensic science must expand its concept of preservation beyond simply protecting trace data to include the timely collection of reference data, which provides essential context and meaning. In evolving systems—like modern distributed applications and cloud services—reference data may change or become inaccessible, increasing uncertainty in forensic interpretations despite properly preserved evidence. The authors propose an extended definition of preservation, highlight the risks of delayed or missing reference material, and call for structured processes and tools to manage these risks. They recommend research into automated tools, shared artefact repositories, taxonomies for uncertainty assessment, and decision-making frameworks to prioritize reference data gathering in forensic workflows.