A round-up of this week’s digital forensics news and views:
Introducing Semantics 21: The Best Kept Secret In Digital Forensics
Semantics 21 is rapidly gaining global recognition for its investigator-first digital forensics tools, including the AI-powered S21 LASERi-X for CSAM investigations, S21 CCTV for rapid video analysis, and the offline-ready S21 Transcriber. The UK-based company, staffed by engineers, former investigators, and AI experts, supports agencies worldwide with tools that prioritise speed, accuracy, and investigator wellbeing—earning accolades such as the 2024 King’s Award for Enterprise. Trusted by leading law enforcement agencies, including the UK’s NCA and Canada’s RCMP, S21’s tools stand out for being powerful, intuitive, cost-effective, and server-free. With its expanding international presence and complimentary licences available, S21 invites the global DFIR community to discover why it’s called the best-kept secret in digital forensics.
Backup2FS: Simplifying iOS Backup Analysis for Forensics
James Eichbaum unveils Backup2FS, a lightweight tool designed to simplify iOS backup analysis by normalizing backup data into a familiar file system structure. Tailored for digital forensic and mobile analysis professionals, Backup2FS works in tandem with UFADE and iTunes Backup Reader to extract, decrypt, and present iOS artifacts more intuitively. Features include instant access to extracted folders, detailed device info panels, app overviews, flexible hashing options, and process control. Eichbaum aims to streamline forensic workflows by reducing the complexity of navigating raw iOS backups, offering a practical alternative for rapid artifact discovery.
The Echoes We Carry
Professor Sarah Morris offers a powerful, deeply personal exploration of the emotional cost of digital forensic work, shedding light on the mental toll experienced across law enforcement, academia, and independent consultancy. Drawing from her own journey, Morris highlights the trauma, isolation, and burnout that too often remain unspoken in the field, while advocating for better support, understanding, and structural change. With vivid storytelling and quiet urgency, she challenges the industry to prioritise wellbeing, dismantle harmful myths around resilience, and listen more closely to the voices often left out of support conversations. Her reflections, part manifesto and part survival guide, underscore the human cost of justice and the need for a more compassionate forensic culture.
How to use btf2json to generate a kernel profile for Volatility 3
A new guide walks DFIR practitioners through generating a custom Linux kernel profile for Volatility 3 using btf2json—entirely within WSL and without spinning up virtual machines. The process leverages a memory sample from 13Cubed’s recent analysis challenge and shows how to extract and decompress the relevant Ubuntu kernel files, including vmlinux and System.map, before compiling them into a Volatility-compatible symbol table. This method significantly reduces setup time compared to traditional dwarf2json workflows and sidesteps enterprise environment constraints. By detailing every step from kernel banner identification to schema modification and profile testing, the guide positions btf2json as a powerful alternative for scalable Linux memory analysis.
Read More (Digital Forensics & Incident Response)
UFADE 0.9.8 is out now
UFADE 0.9.8 is now available, introducing several user-focused improvements for mobile forensic workflows. The update brings support for Unified Logs in PRFS backups and enables partial device information display when devices are connected in recovery or DFU mode—leveraging libusb for enhanced compatibility. It also resolves a known issue with mounting DeveloperDiskImages on older devices, improves handling of decryption errors, and bundles the latest version of pymobiledevice3, now updated with support for newer models like the iPhone 16e. Additional minor bug fixes round out this release, aimed at increasing reliability and ease of use.
Why Does Teams Activity Appear in SharePoint Logs? And Why Does This Matter to Attackers?
In a detailed breakdown, Adithya Vellal uncovers how Microsoft Teams activity—specifically file sharing in chats—manifests not in Teams logs but in SharePoint logs, due to Teams’ reliance on OneDrive for backend file storage. Through examples of file uploads, deletions, and sharing, Vellal highlights how innocuous Teams actions generate complex SharePoint telemetry. This backend quirk creates blind spots for defenders, as attackers can leverage Teams to share files while obscuring their tracks behind misleading log sources. The post underscores the need for defenders to correlate SharePoint and Teams data to effectively trace behavior and close gaps in Microsoft environment visibility.
Read More (Microsoft Detection Deep Dives)
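As an added illustration of the correlation the post above calls for (example code written for this round-up, not code from Adithya Vellal's write-up or from Microsoft), the script below tags SharePoint/OneDrive audit records that were actually produced by Teams chat file sharing and pairs them with Teams message events from the same user within a short window. It assumes records in the Microsoft 365 Unified Audit Log shape (Workload, Operation, UserId, ObjectId, CreationTime) and assumes that Teams chat attachments are stored under a "Microsoft Teams Chat Files" folder in the sender's OneDrive; the sample records are constructed, not real telemetry.

```python
"""Correlate SharePoint file telemetry with Teams chat activity.

Added example, not part of the original post. Assumptions (not stated on
the page): Unified Audit Log field names, and that Teams chat attachments
land under a "Microsoft Teams Chat Files" folder in the sender's OneDrive.
"""
from datetime import datetime, timedelta

TEAMS_CHAT_FOLDER = "Microsoft Teams Chat Files"      # assumed folder name
FILE_STORAGE_WORKLOADS = {"SharePoint", "OneDrive"}   # where Teams files surface
CORRELATION_WINDOW = timedelta(minutes=5)             # tunable pairing window

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"CreationTime": "2025-05-01T10:00:05", "Workload": "MicrosoftTeams",
     "Operation": "MessageSent", "UserId": "alice@example.com", "ObjectId": ""},
    {"CreationTime": "2025-05-01T10:00:07", "Workload": "SharePoint",
     "Operation": "FileUploaded", "UserId": "alice@example.com",
     "ObjectId": "https://example-my.sharepoint.com/personal/alice_example_com/"
                 "Documents/Microsoft Teams Chat Files/q2-report.xlsx"},
    {"CreationTime": "2025-05-01T10:00:09", "Workload": "SharePoint",
     "Operation": "SharingSet", "UserId": "alice@example.com",
     "ObjectId": "https://example-my.sharepoint.com/personal/alice_example_com/"
                 "Documents/Microsoft Teams Chat Files/q2-report.xlsx"},
    {"CreationTime": "2025-05-01T11:30:00", "Workload": "SharePoint",
     "Operation": "FileUploaded", "UserId": "bob@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/finance/"
                 "Shared Documents/budget.docx"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def is_teams_chat_file_event(rec):
    """True when a SharePoint/OneDrive record points into the Teams chat folder."""
    return (rec["Workload"] in FILE_STORAGE_WORKLOADS
            and TEAMS_CHAT_FOLDER in rec.get("ObjectId", ""))


def correlate(records, window=CORRELATION_WINDOW):
    """Pair each Teams-originated file event with a Teams message event
    from the same user inside the window. Returns (file_rec, teams_rec|None)."""
    teams_msgs = [r for r in records if r["Workload"] == "MicrosoftTeams"]
    results = []
    for rec in records:
        if not is_teams_chat_file_event(rec):
            continue
        when = parse_time(rec["CreationTime"])
        match = None
        for msg in teams_msgs:
            same_user = msg["UserId"] == rec["UserId"]
            close = abs(parse_time(msg["CreationTime"]) - when) <= window
            if same_user and close:
                match = msg
                break
        results.append((rec, match))
    return results


def summarize(records):
    """Compact view: (operation, user, paired_with_teams_message)."""
    return [(r["Operation"], r["UserId"], m is not None)
            for r, m in correlate(records)]


if __name__ == "__main__":
    for op, user, paired in summarize(SAMPLE_RECORDS):
        print(f"{op:<14} {user:<20} teams-correlated={paired}")
```

Bob's ordinary document-library upload is left alone; only Alice's upload and the subsequent SharingSet, which the SharePoint log attributes to a plain OneDrive path, are tagged as Teams-originated and tied back to her MessageSent event. In practice the window and the folder assumption should be validated against your own tenant's logs before relying on the rule.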
Truth in Data: EP1: Evidence Gone: The Perils of Delayed Mobile Acquisition
In the first episode of the new Truth in Data podcast, Jessica Hyde, Debbie Garner, and Kim Bradley explore the high-stakes world of mobile data preservation, emphasizing the need for speed when acquiring digital evidence. Referencing Forensic Magazine’s The Quicker, The Better and SWGDE’s position paper on timely acquisition, the hosts discuss best practices, real-world obstacles, and how delays can compromise both investigations and evidence integrity. The episode highlights why rapid response and evolving workflows are essential for ensuring data is captured before it disappears.
14th Counter Fraud, Cybercrime and Forensic Accounting Conference
Registration is now open for the 2025 Counter Fraud, Cybercrime and Forensic Accounting Conference, set to take place at the University of Portsmouth on June 18–19. This year’s event is the largest to date, featuring over 70 international speakers covering a diverse range of pressing topics—from cyber-enabled terrorism, romance fraud, and misinformation to the challenges of cybersecurity education and the impact of economic crime across regions like Africa. The conference will also explore virtual assets, social media threats, and fraud resilience, with selected sessions available to stream online.
Read More (University of Portsmouth)
Fake Zoom Ends in BlackSuit Ransomware
A fake Zoom installer leads to a sophisticated, multi-stage intrusion culminating in the deployment of BlackSuit ransomware, as detailed in The DFIR Report’s latest case study. The attack begins with a trojanized download that executes d3f@ckloader, which in turn delivers SectopRAT, Brute Ratel, and Cobalt Strike payloads. Over nine days, the threat actor conducts stealthy reconnaissance, credential dumping, and lateral movement using PsExec and RDP—facilitated by QDoor, a malware-based proxy. Data is exfiltrated via WinRAR and the Bublup cloud platform before ransomware is deployed across all Windows systems. The case highlights the growing use of legitimate infrastructure, multi-framework C2 operations, and stealthy staging techniques by threat actors to obscure their actions until impact.
Love, Lies and Larceny
A new empirical study titled Love, Lies and Larceny offers rare insight into cybercrime offenders, focusing on convicted individuals—96% of whom are young, university-educated men from southern Nigeria. Drawing on hard-to-access case files rather than self-reports or fake profile data, the research reveals that 80% of cases involve online romance fraud, with others linked to cryptocurrency scams and hacking. Notably, 96% of the individuals studied acted as primary perpetrators rather than mules. This landmark study, co-authored by Adebayo Soares and Professor Mark Button, fills a critical gap in cybercrime literature by spotlighting the people behind the deception.
Read More (Taylor & Francis Online)