A round-up of this week’s digital forensics news and views:
Robert B. Fried Shares Talk on Electronic Evidence Management
Robert B. Fried is sharing his recent presentation on electronic evidence management from the Global Scientific Guild’s 15th Global Webinar on Forensic Science, offering practitioners a chance to revisit best practices for handling ESI. His session underscores how rigorous documentation and chain-of-custody controls are essential to keeping digital evidence admissible and defensible in court. With taglines like “No documentation, no evidence” and “If it’s not documented, it didn’t happen,” the talk is a reminder that technical skill alone isn’t enough without meticulous evidentiary record-keeping.
Professor Sarah Morris Returns to the House of Lords for Forensic Inquiry
Digital forensics expert Sarah Morris returns to the House of Lords to give oral evidence in the follow-up to the Forensic Science Inquiry, highlighting the pressures on solo practitioners, the demands of accreditation, and the often-overlooked mental health strains in the field. Representing the University of Southampton, she stresses the value of research-intensive institutions that stay close to real cases. She describes the session as a strong start and expresses optimism for the future of forensic science.
Meta to Mine AI Chats for Ads, Raising New Privacy Risks
Meta’s plan to start using AI chats, searches, and private messages from Facebook, Instagram, and Threads for ad personalisation from 16 December 2025 pushes already-blurry privacy lines into new territory. Tate Jarrow highlights that once conversational data is fair game for targeting, it becomes more accessible not just to Meta but potentially to insiders, attackers, and law enforcement wielding legal process. For digital forensics and OSINT practitioners, this shift both expands the pool of potentially discoverable data and heightens the operational security stakes for anyone relying on Meta platforms.
Read more (onlinesafety.substack.com)
Hands-On with Alias by SockPuppet for OSINT CTFs
DFIR Diva recounts using Alias by SockPuppet during a recent TraceLabs OSINT CTF, highlighting how browser-based, pre-aged sock accounts solved the usual suspension headaches. Beyond disposable personas, the service supplies a managed virtual desktop and phone with SMS/email verification, screen recording, file sharing and multi-location support, making it easier to operationalize OSINT workflows. For forensic practitioners, early testing with Magnet AXIOM Cyber shows promise for social media acquisitions from these accounts, though reliability outside SockPuppet’s environment still needs refinement and the roughly $500-per-month entry price targets serious individual or team users.
How LLMs Are Rewiring Incident Response in the SOC
Andrea Fortuna explores how large language models are being woven into Security Operations Centers to cut through alert fatigue, automatically correlate multi-source telemetry, and generate plain-language narratives that speed triage and investigation. Drawing on insights from Francesco Iezzi, the piece emphasizes Retrieval-Augmented Generation, sandboxed deployments, and strict source verification to curb hallucinations while keeping humans in control of critical actions. It also maps the fast-moving regulatory terrain in Europe—GDPR, NIS2, DORA, the AI Act, and Cyber Resilience Act—and outlines the cross-functional roles, from CISOs to legal, required to deploy AI safely. A pragmatic roadmap shows how to pilot AI on high-friction tasks, instrument SOC metrics, and evolve toward a “human-AI teamwork” model for Incident Response 2.0.
Lost Apples: AI-Built Tool for Deep-Dive iOS FindMy Artifacts
Binary Hick introduces Lost Apples, a Python-based GUI built with help from Claude Code to automate parsing of Apple FindMy artifacts that previously required tedious manual work. Rather than letting AI interpret evidence, the tool uses it strictly for code generation, handling decryption of Observations.db and .record bplists, ingesting GrayKey and Premium/Inseyets extractions directly, and exporting results to CSV, KML, text, and decrypted datasets. This cautious approach underscores an insistence on human-led interpretation, audit logging, and independent validation, signaling a pragmatic middle ground for using AI in high-stakes mobile forensics.
Read more (thebinaryhick.blog)
Mining Evidence from Windows Hibernation Files
Windows’ hiberfil.sys is presented as a near-complete, compressed snapshot of physical memory taken at the moment of hibernation or Fast Startup, often preserving volatile data that never touches disk in cleartext. Beyond process lists, it can expose decrypted credentials, open documents, network sessions, in-memory-only malware, and user activity, turning a “powered-off” system into a time capsule of what was happening just before shutdown. To collect and reconstruct the image safely, however, examiners must navigate locked files, changing file formats, compression, and full-disk encryption, which makes dead-box acquisition of hiberfil.sys a strategic choice when live RAM capture isn’t possible. Two detailed case scenarios (a homicide investigation and an insider exfiltration) underscore how a properly acquired and parsed hibernation file can flip a case from “no evidence” to decisive leads.
Read more (magnetforensics.com)
Hidden iPhone Metadata Exposes Rich Forensic Footprints
A routine iPhone extraction by researcher Elorm Daniel turns into a stark reminder of how much metadata a non‑jailbroken device quietly preserves, from WhatsApp-logged GPS coordinates on messages to exhaustive password histories and long-forgotten group memberships. Rather than exploiting vulnerabilities, his work shows how standard forensic tools used by law enforcement can reconstruct years of movements, relationships, and app activity from what users assume is deleted or invisible. This persistent, OS-level logging highlights a widening gap between user-facing privacy settings and the evidence actually available on-disk, raising fresh questions about consent, legal access, and how far mobile forensics should go.
SYTECH’s Daren Greener: How AI and Policy Are Reshaping Forensics
SYTECH Managing Director Daren Greener tells Forensic Focus that digital forensics is at a pivotal moment, with national debates over examination thresholds, the influence of sentencing guidance, and AI’s expanding role reshaping how examiners work. He outlines SYTECH’s quality-led, independent approach across high-volume and complex cases, and explains why the company is driving discussion on safeguarding, efficiency, and reducing analysts’ psychological burden. Greener says AI offers both relief through automated filtering and risk through synthetic imagery, underscoring the need for updated legislation and stronger collaboration across law enforcement, industry, and policymakers.





