A round-up of this week’s digital forensics news and views:
Digital Detectives vs. Android 14: overcoming new forensic challenges
The release of Android 14 requires digital forensics analysts to update their extraction and analysis methods. Analysts must develop new techniques to work around scoped storage restrictions, contend with stronger file-system encryption, and navigate the new permission model for sensitive APIs. Despite these obstacles, Android 14 still offers valuable artifacts such as calendar data, contacts, and app usage information. Forensic professionals are advised to rely on advanced logical extraction, emulate the permissions an app would hold, and use AI-assisted analysis to process the recovered data efficiently.
Maximizing Disk Imaging Speeds
Digital forensics experts must prioritize preserving data integrity when imaging disks, and write blockers are central to that process. Imaging speed is not the most critical factor, but the latest hardware write blockers built on 10 Gbps chipsets with USB 3.2 Gen 2 connectivity can substantially reduce acquisition times, especially for fast solid-state drives. Testing shows that the choice of imaging software and compression settings has a large effect on throughput: OSForensics achieved the highest speeds in uncompressed RAW format, while X-Ways Imager performed best with compressed formats. To maximize disk imaging speed, practitioners should run laptops on mains power, use the fastest available USB ports, use high-quality cables, image to NVMe SSD targets, and minimize background system activity. Following these tips lets examiners get the most out of their imaging hardware without compromising the integrity of the evidence.
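The two points above, that the evidence must be hashed and verified no matter how fast the copy runs and that compression trades CPU time for a smaller image, can be shown in a single read pass. The following is an added example written for this round-up; it is not code from the article, from OSForensics or from X-Ways. It opens the source read-only, streams it to an uncompressed RAW file and optionally to a zlib-compressed file, hashes the bytes as they are read, then verifies both images against that hash and reports throughput. The source is a constructed file standing in for a write-blocked drive, and the file names, chunk size and compression level are assumptions chosen for the demonstration.

```python
"""Added example, not code from the Forensic Focus article or any imaging
product: image a source to a RAW file and to a zlib-compressed file in one
read pass, hash the evidence as it is read, verify both copies against that
hash, and report throughput so the two formats can be compared.
The source is a constructed file standing in for a write-blocked device."""
import hashlib
import os
import tempfile
import time
import zlib

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep a fast SSD and a USB 3.2 link busy


def image_pass(src_path, raw_path, comp_path=None, level=1):
    """Read src_path once, streaming bytes to raw_path and, if comp_path is
    given, to a zlib-compressed copy. Returns the SHA-256 of what was read,
    the byte count, elapsed seconds and MB/s for this pass."""
    sha = hashlib.sha256()
    total = 0
    comp = zlib.compressobj(level) if comp_path else None
    # Open read-only: the software side of "never write to the evidence".
    # A hardware write blocker still belongs between the drive and the host.
    fd = os.open(src_path, os.O_RDONLY)
    start = time.perf_counter()
    with os.fdopen(fd, "rb", buffering=0) as src, open(raw_path, "wb") as raw:
        cf = open(comp_path, "wb") if comp_path else None
        try:
            while True:
                buf = src.read(CHUNK)
                if not buf:
                    break
                sha.update(buf)  # hash the evidence exactly as it was read
                raw.write(buf)
                total += len(buf)
                if cf:
                    cf.write(comp.compress(buf))
            if cf:
                cf.write(comp.flush())
        finally:
            if cf:
                cf.close()
    secs = time.perf_counter() - start
    return {"sha256": sha.hexdigest(), "bytes": total, "seconds": secs,
            "mb_per_s": (total / 1e6) / secs if secs else float("inf")}


def sha256_of(path, decompress=False):
    """Hash a file on disk. With decompress=True the file is a zlib stream and
    the hash covers the decompressed bytes, so a compressed image can be
    verified against the same source hash as the RAW one."""
    sha = hashlib.sha256()
    dec = zlib.decompressobj() if decompress else None
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            sha.update(dec.decompress(buf) if dec else buf)
    if dec:
        sha.update(dec.flush())
    return sha.hexdigest()


def make_sample_source(path, size_mib=16):
    """Constructed stand-in for a drive: alternating 1 MiB blocks of
    compressible text-like data and random bytes (as an encrypted or
    already-compressed region would look to the compressor)."""
    with open(path, "wb") as f:
        for i in range(size_mib):
            f.write(os.urandom(1024 * 1024) if i % 2
                    else (b"EVIDENCE%08d" % i) * 65536)


def run_demo(size_mib=16):
    """Image a constructed source two ways and verify both copies.
    Returns the verification results and per-pass throughput."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        make_sample_source(src, size_mib)
        raw_only = image_pass(src, os.path.join(d, "img.raw"))
        raw_and_comp = image_pass(src, os.path.join(d, "img2.raw"),
                                  os.path.join(d, "img.zlib"), level=6)
        comp_size = os.path.getsize(os.path.join(d, "img.zlib"))
        return {
            "source_sha256": raw_only["sha256"],
            "raw_verified": sha256_of(os.path.join(d, "img.raw")) == raw_only["sha256"],
            "compressed_verified": sha256_of(os.path.join(d, "img.zlib"), decompress=True)
                                   == raw_and_comp["sha256"],
            "raw_mb_per_s": round(raw_only["mb_per_s"], 1),
            "raw_plus_compressed_mb_per_s": round(raw_and_comp["mb_per_s"], 1),
            "compression_ratio": round(raw_and_comp["bytes"] / comp_size, 2),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it on a real device means pointing `image_pass` at the block device node behind a hardware write blocker and at an NVMe-backed target directory; the throughput figures then reflect the cable, port and target the article discusses, and the random half of the sample shows why already-encrypted or compressed data gains nothing from compression while still costing CPU time.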
Is There A Mental Health Crisis In Digital Forensics?
Prof. Sarah Morris joins the Forensic Focus Podcast to discuss the critical topic of mental health within the digital forensics field. The conversation covers the impact of traumatic content on analysts, the gaps in mental health support services, and the challenges faced by the industry due to work-related stress. The episode also explores strategies for coping with mental health issues, the role of AI in mitigating exposure to sensitive content, and the importance of organizational changes to better support professionals in the field.
‘It’s so important to talk to people’: MSAB’s Adam Firman shares his mental health story
Former Suffolk police officer Adam Firman’s journey from the force to becoming a podcast host for a mobile forensics company highlights the mental health challenges police can face. After a decade as a digital forensics analyst, Firman left the police in 2019 due to the toll of processing disturbing digital evidence, especially after the switch from in-person to online counseling. Though he’s found fulfillment in his current role, Firman still grapples with lingering paranoia and an overprotective view of his own child. His story underscores the importance of accessible mental health support for police, as well as the value of open communication among colleagues to address the emotional strain of the job. Firman’s advice to current officers is to avoid compartmentalizing the trauma they encounter and to prioritize looking out for one another.
Read More (Suffolk Police Federation)
Memory Forensics Tools Overview
As cyber threats become more sophisticated, memory forensics is becoming increasingly essential for incident response and threat analysis. Unlike traditional digital forensics, which focuses on disk analysis, memory forensics examines a computer's volatile memory to uncover evidence of malware and other malicious activity that leaves traces in RAM but not on disk. Tools such as the Volatility Framework, Rekall (a now-unmaintained fork of Volatility), and YARA (a pattern-matching engine commonly run across memory dumps rather than a memory analysis framework in its own right) let investigators analyze memory images and identify suspicious processes, network connections, injected code, and other artifacts that may indicate a breach. These tools help analysts understand an attacker's tactics, techniques, and procedures and build better defenses against future attacks. As more intrusions use fileless malware and in-memory injection to evade disk-based detection, memory forensics has become a core capability for modern cybersecurity professionals.
REPORT Act revolutionizes child protection: A deep dive into legislative and digital forensic innovations
In a major win for child protection, the REPORT Act has ushered in new requirements for online platforms to swiftly report and preserve evidence of child sexual exploitation, expediting investigations. Leveraging AI and digital forensics, organizations like Cellebrite and the National Center for Missing and Exploited Children are arming law enforcement with advanced tools to identify victims, track down perpetrators, and remove abusive content from the internet. Digital forensics expert Heather Mahalik emphasizes the critical role of this technology, even as challenges like encryption and jurisdictional hurdles remain. With AI-generated deepfakes posing new risks, Mahalik calls for urgency in passing legislation to keep pace with evolving threats. By empowering open dialogue with children, removing explicit content, and equipping authorities with the latest forensic capabilities, experts aim to combat the growing scourge of online child exploitation.
Reversing DISGOMOJI with Malcat like a BOSS
Malcat, a feature-rich hex editor and disassembler, has become an invaluable tool for cybersecurity professionals in their day-to-day work investigating malware and threats. Malcat’s extensive capabilities, including native Yara support, built-in Python scripting, and integrated threat intelligence lookups, allow analysts to rapidly analyze binary samples like the DISGOMOJI Linux malware used by Pakistani hackers to breach Indian government systems. The platform’s ability to stack data transformation “recipes” similar to CyberChef, along with customizable Yara rule sets and malware corpus searches, make Malcat a versatile and time-saving solution for binary analysis and reverse engineering. As the cybersecurity landscape grows more complex, Malcat’s user-friendly interface and rich feature set are presented as a compelling alternative to traditional disassemblers like IDA or Ghidra.
Read More (Anchored Narratives on Threat Intelligence and Geopolitics)
Up and Running with Siftgrab
Siftgrab, a menu-driven Linux shell script, was developed to help both novice and experienced digital forensics analysts more easily identify and correlate relevant artifacts from Windows systems. Acting as a wrapper around various open-source forensic tools and custom scripts, Siftgrab lets users quickly mount disk images or process data collected by tools like KAPE and CyLR, then extract a wide range of Windows artifacts into categorized outputs. From browser history and PowerShell logs to event logs and Windows Timeline data, Siftgrab simplifies access to key forensic evidence, especially for those new to the field. Modeled after the SANS Windows Forensic Analysis Poster, Siftgrab aims to demystify Windows forensics and let analysts of all skill levels rapidly triage systems during incident response and investigations.
IIMT Collaborates with FCRF to Launch State-of-the-Art CoE for Digital Forensics and Incident Response (DFIR)
IIMT College of Engineering, in partnership with the Future Crime Research Foundation, is inaugurating a new Centre of Excellence in Digital Forensics & Incident Response (CoE-DFIR) on August 22nd. The state-of-the-art center will serve as a global hub for research, training, and innovation in digital forensics, offering both online and offline courses to law enforcement, corporate professionals, and students. Alongside the CoE-DFIR launch, the event will mark the start of the ‘Cyber Safe Uttar Pradesh’ initiative, aimed at building cybersecurity awareness across the state. Guided by the expertise of Chief Mentor Prof. Triveni Singh, ex-IPS officer, the center seeks to address the shortage of skilled digital forensics professionals in India and equip participants with the latest tools and techniques to combat cybercrime. The inauguration will feature a showcase of new cyber forensic technologies and a certificate ceremony for interns who have completed the DFIR training program.