A round-up of this week’s digital forensics news and views:
A New File System, New Forensic Challenges
Microsoft’s Resilient File System (ReFS) challenges digital forensics by replacing NTFS staples like the Master File Table with a modern, B+tree-based structure designed for resilience and scalability. While key artifacts like $MFT and $LogFile are gone or altered, ReFS introduces new ones—redo-only logs, internal checkpoints, and block cloning—that require updated tools and techniques. The forensic tool gap echoes past struggles with emerging file systems like XFS and APFS, demanding rapid adaptation. Investigating ReFS alongside NTFS in mixed environments adds complexity, but also opportunity. As ReFS adoption grows, DFIR professionals must evolve or risk losing critical visibility.
Read More (Mat Cyb3rF0x Fuchs, Medium)
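The mixed-environment point above is where triage usually starts: before any artifact parser runs, an examiner needs to know whether a volume image is NTFS (parse $MFT) or ReFS (no $MFT; hand off to ReFS-aware tooling). The helper below is an added example for this round-up, not code from the article it summarises. It reads only the volume boot record and relies on the documented on-disk signatures: the NTFS OEM ID "NTFS    " at byte 3, and for ReFS the OEM ID "ReFS" at byte 3 plus the "FSRS" File System Recognition Structure identifier at byte 0x10. The two boot sectors it triages are constructed in the block for the demonstration.

```python
"""Triage a raw volume image by its boot sector: NTFS, ReFS or unknown.

Added example, not the article's own code. Assumptions: the image starts
with the volume boot record; signature offsets are the documented ones
(NTFS OEM ID at byte 3, NTFS $MFT cluster at 0x30, ReFS OEM ID at byte 3
and "FSRS" identifier at 0x10). Sample sectors below are constructed.
"""
import struct

SECTOR = 512


def identify_vbr(sector: bytes) -> str:
    """Classify a boot sector as NTFS, ReFS or unknown using only signatures."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    oem = sector[3:11]
    if oem == b"NTFS    ":
        return "NTFS"
    # ReFS: OEM name "ReFS" padded with NULs, then the FSRS identifier at 0x10.
    if oem.startswith(b"ReFS") and sector[0x10:0x14] == b"FSRS":
        return "ReFS"
    return "unknown"


def triage_volume(sector: bytes) -> dict:
    """Return the file system and, for NTFS, where $MFT starts on disk.

    For ReFS there is no $MFT to seek to; the dict records that the volume
    must go to a ReFS-aware parser rather than an NTFS artifact workflow.
    """
    fs = identify_vbr(sector)
    info = {"fs": fs}
    if fs == "NTFS":
        bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
        sectors_per_cluster = sector[0x0D]
        mft_lcn = struct.unpack_from("<Q", sector, 0x30)[0]
        info["cluster_size"] = bytes_per_sector * sectors_per_cluster
        info["mft_byte_offset"] = mft_lcn * info["cluster_size"]
        info["next_step"] = "parse $MFT / $LogFile / $UsnJrnl"
    elif fs == "ReFS":
        info["next_step"] = "no $MFT; use ReFS-aware tooling (B+tree tables, redo log)"
    else:
        info["next_step"] = "unrecognised boot sector; carve or inspect manually"
    return info


def _ntfs_sample() -> bytes:
    # Constructed NTFS boot sector: OEM ID, 512 B sectors, 8 sectors/cluster,
    # $MFT at cluster 786432 (a typical value), and the 0x55AA trailer.
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 0x0B, 512)
    s[0x0D] = 8
    struct.pack_into("<Q", s, 0x30, 786432)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def _refs_sample() -> bytes:
    # Constructed ReFS boot sector: OEM ID "ReFS" and the FSRS identifier only.
    s = bytearray(SECTOR)
    s[3:7] = b"ReFS"
    s[0x10:0x14] = b"FSRS"
    return bytes(s)


if __name__ == "__main__":
    for name, sample in (("ntfs.raw", _ntfs_sample()), ("refs.raw", _refs_sample())):
        print(name, triage_volume(sample))
```

Run against a real image by reading its first 512 bytes (`open(path, "rb").read(512)`) and passing them to `triage_volume`; the NTFS branch gives the byte offset to seek to for $MFT, the ReFS branch tells you an NTFS-only parser will silently find nothing.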
In wake of Horizon scandal, forensics prof says digital evidence is a minefield
As the UK Ministry of Justice reviews rules on computer evidence, digital forensics expert Peter Sommer warns that current practices risk undermining trust in digital evidence. From flawed data extraction tools to manual data handling and outdated standards, the system lacks consistency and oversight. Sommer argues that evidence is not inherently reliable or unreliable, especially when software and human interpretation shape how it’s presented in court. Rather than legislate rigid admissibility rules, he proposes a code of practice backed by judicial enforcement, with transparency about tools and processes used. With outdated guidance and little formal training for judges or certification for expert witnesses, systemic reform is urgently needed to maintain the integrity of digital evidence in UK courts.
SWGDE: Best Practices for the Enhancement of Digital Audio
The Scientific Working Group on Digital Evidence (SWGDE) has released updated best practices for enhancing digital audio, offering forensic examiners structured guidance on improving the intelligibility and quality of recordings. Version 2.0 outlines a recommended workflow—from pre-examination to audio processing—emphasizing documentation, critical listening, and tailored signal processing strategies to address common distortions like noise, clipping, and reverberation. The document stresses that enhancements must be reproducible and used with expert judgment, given the limitations of both the recordings and the software tools involved. It also cautions against cognitive bias, encourages standardized procedures, and reinforces the importance of using original, unprocessed audio whenever possible.
The DFIR Investigative Mindset: Brett Shavers On Thinking Like A Detective
In the latest Forensic Focus Podcast, Brett Shavers draws on his undercover law enforcement experience and digital forensics expertise to spotlight the importance of an investigative mindset in DFIR. Joined by hosts Si and Desi, he explores why digital forensics isn’t an entry-level job, emphasizing the need to understand human behavior behind digital evidence. Brett shares practical insights from his career and books—including DFIR Investigative Mindset and Placing the Suspect Behind the Keyboard—highlighting the balance between technical skill and strategic thinking needed to effectively investigate not just machines, but the people using them.
Potato Chat
A digital forensic analyst dives deep into the little-documented “Potato Chat” messaging app after discovering that existing tools fail to parse its data. Simulating activity across three devices, the researcher reverse-engineers artifacts from the app’s iOS file system, uncovering key forensic details about channels, groups, media files, and cached user interactions. Particularly noteworthy are the distinctions between regular chats and encrypted “secret chats,” the existence of auto-complete artifacts, media cache behaviors, and evidence of user interaction with image galleries and videos. The study highlights unparsed protobufs within the tgdata.db database and calls for community collaboration to decode them. This evolving post aims to become a forensic reference point for Potato Chat investigations.
Lay Witness or Expert Witness? Who Decides and Why Does it Matter?
A recent appellate case from Ohio highlights the critical importance of properly classifying forensic video testimony as either lay or expert evidence. In State v. Harris, a forensic video specialist provided opinion-laden testimony under the guise of lay testimony, leading to an appeal. While the appellate court agreed that the evidence should have been treated as expert testimony, it deemed the error harmless due to the strength of the remaining case. The article warns that miscategorizing forensic evidence—often due to lack of preparation, misunderstanding, or expediency—can jeopardize admissibility. It urges forensic video analysts to work proactively with counsel to clarify which aspects of their testimony are opinion-based, ensuring proper disclosure and maximizing the utility of their evidence at trial.
Read More (Jonathan W. Hak KC PhD)
Logs in a Sysdiagnose – It’s about time…
Christian Peter, an IT forensic analyst with the Thüringer Polizei, explores the forensic value of iOS logarchives by comparing logs generated through sysdiagnose with those extracted via direct collection methods. Using flashlight activity as a case study—relevant to a real investigation—Peter identifies distinct log entries tied to lock screen activation and flashlight intensity. His comparison, based on line-matching and date-specific counts, reveals that sysdiagnose logs may retain events for a far shorter duration—less than 24 hours—compared to the unified logs, which preserved the same data for at least a week. Conducted on an iPhone 11 running iOS 18.4.1, the study underscores the urgency of timely log preservation, especially when access to the device is restricted.
Read More (Christian Peter, LinkedIn)
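The comparison method described above (line-matching the two exports, then counting hits per day to see how far back each source reaches) is easy to reproduce on any pair of log exports. The script below is an added example for this round-up, not the author's script. It assumes both sources were rendered to text in `log show` layout (timestamp, thread, type, activity, pid, ttl, then process and message) and that the same event appears with identical text in both. The log lines are constructed to mimic that layout; the subsystem names and messages are placeholders, not real iOS entries.

```python
"""Line-match a sysdiagnose logarchive export against a full unified-log export
and report, per day, which events only the longer-retention source still holds.

Added example, not the article's own code. Assumes `log show`-style text lines;
sample lines are constructed below with placeholder subsystems and messages.
"""
import re
from collections import Counter
from datetime import datetime

# timestamp  thread  type  activity  pid  ttl  process: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})\s+"
    r"0x[0-9a-f]+\s+\S+\s+0x[0-9a-f]+\s+\d+\s+\d+\s+"
    r"(?P<body>\S.*)$"
)


def parse_export(text: str) -> dict:
    """Map a normalised event key (ISO timestamp + message) to its calendar date."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything not a log record
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
        key = f"{ts.isoformat()} {' '.join(m['body'].split())}"
        events[key] = ts.date()
    return events


def per_day_counts(events: dict, needle: str) -> Counter:
    """Count events whose text contains `needle`, bucketed by date."""
    return Counter(day for key, day in events.items() if needle in key)


def compare_sources(sysdiag_text: str, unified_text: str, needle: str = "flashlight") -> dict:
    """Line-match both exports for `needle` and measure the retention difference."""
    sysdiag = parse_export(sysdiag_text)
    unified = parse_export(unified_text)
    s_hits = {k for k in sysdiag if needle in k}
    u_hits = {k for k in unified if needle in k}
    return {
        "common": len(s_hits & u_hits),
        "only_unified": len(u_hits - s_hits),
        "only_sysdiag": len(s_hits - u_hits),
        "sysdiag_per_day": per_day_counts(sysdiag, needle),
        "unified_per_day": per_day_counts(unified, needle),
        # positive: the unified export reaches this many days further back
        "retention_gap_days": (min(sysdiag.values()) - min(unified.values())).days,
    }


def _line(day: str, hms: str, msg: str) -> str:
    # Constructed record in `log show` layout; thread/pid values are placeholders.
    return f"{day} {hms}.000000+0200 0x1a2b Default 0x0 58 0 SpringBoard: {msg}"


LOCK = "[com.example.sb:lockscreen] Lock screen activated"
FLASH = "[com.example.sb:flashlight] Flashlight level changed to 1.0"

# Constructed: one lock-screen + flashlight pair per day for a week.
UNIFIED_EXPORT = "\n".join(
    _line(f"2025-05-{d:02d}", "07:30:00", LOCK) + "\n" + _line(f"2025-05-{d:02d}", "07:30:02", FLASH)
    for d in range(1, 8)
)
# Constructed: the sysdiagnose archive only holds the most recent day.
SYSDIAG_EXPORT = "\n".join([
    "Timestamp                       Thread     Type        Activity             PID    TTL",
    _line("2025-05-07", "07:30:00", LOCK),
    _line("2025-05-07", "07:30:02", FLASH),
])

if __name__ == "__main__":
    result = compare_sources(SYSDIAG_EXPORT, UNIFIED_EXPORT)
    for day in sorted(result["unified_per_day"]):
        print(day, "unified:", result["unified_per_day"][day], "sysdiag:", result["sysdiag_per_day"][day])
    print("events only in unified export:", result["only_unified"])
    print("unified export reaches back", result["retention_gap_days"], "days further")
```

The per-day table is the artefact to keep: it shows directly which dates a later sysdiagnose can no longer speak to, which is the argument for collecting logs as early as device access allows.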
Bulk Forensic Image Processor
Breakpoint Forensics has released version 5.4 of its Bulk Forensic Image Processor (BFIP), a powerful tool designed to streamline and enhance media extraction and analysis in digital forensics. BFIP 5.4 introduces key upgrades, including deeper APFS support, automated SQLite image extraction, and enhanced integration with Magnet Griffeye—though users must upgrade to Griffeye version 24.3.x or newer for full functionality. The tool’s Breakpoint Processing Engine enables multithreaded parallel carving, intelligent disk analysis, and recovery of deleted data, even from APFS snapshots. With its GUI-driven workflow, “Carve Only” mode, and direct Griffeye case creation, BFIP offers both simplicity and power for examiners handling large-scale image processing.
Read More (Breakpoint Forensics)
C2PA and Authentication Updates
Calls for media authentication tools grow louder amid fears of AI-generated fakes, yet current solutions like C2PA fall short of their promises. A fake passport image on LinkedIn and the BBC’s flawed use of C2PA to ‘verify’ a doctored video highlight the critical weaknesses in relying on signed metadata. The BBC’s quiet post-publication audio edit—still cryptographically “valid” under C2PA—exposes how provenance, attribution, and authenticity remain easily manipulated. Independent verification, not trust-based metadata, is essential. Encouragingly, the University of Maryland’s PASAWG initiative is taking a rigorous, independent look at C2PA and alternatives like SEAL to establish more reliable standards for digital media trust.