A round-up of this week’s digital forensics news and views:
Maintaining Our Edge: How “Capture the Flag” Digital Trainings Help Local Law Enforcement Stay a Step Ahead
Law enforcement agencies are leveraging Capture the Flag (CTF) digital forensics exercises to stay ahead of evolving criminal tactics and rapidly advancing technology. These scenario-based competitions, inspired by cybersecurity and military training, challenge participants to locate hidden artifacts in digital data, enhancing investigative skills and resourcefulness. Cellebrite’s recent CTF event allowed teams from around the globe to analyze complex datasets from mobile devices, solve real-world investigative problems, and explore cutting-edge tools like the Cellebrite Inseyets Suite. Such events help practitioners refine their expertise, foster collaboration, and bring advanced methodologies back to their agencies to better serve their communities.
Who Knows What Happened to My Logs? Tracking Event Log Deletion
Krzysztof Gajewski clarifies misconceptions about Windows event log deletion, highlighting that while Security.evtx records its own clearing internally with Event ID 1102, the clearing of other logs such as Application.evtx and Setup.evtx is recorded in System.evtx with Event ID 104. He demonstrates how threat actors can obscure their tracks by clearing System.evtx last, leaving only one deletion record. Investigators can use the modification times of the emptied logs, together with filesystem artifacts such as $MFT and $UsnJrnl, to reconstruct timelines and uncover log deletions, emphasizing the importance of thorough artifact analysis and timeline building.
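As an added illustration of the cross-check described above (example code written for this round-up, not from the article), the script below maps each log to the record its clearing should leave, then compares surviving records against the on-disk state of the .evtx files: logs at the freshly-cleared size with no matching record are flagged as inferred clears, timestamped from the file's modification time. The sample events and file metadata are constructed, and the cleared-file size of 69,632 bytes (4 KiB header plus one 64 KiB chunk) is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Where a "log cleared" record lives, per the article: Security.evtx records its
# own clearing as Event ID 1102; every other log's clearing lands in System.evtx as 104.
def expected_record(target):
    return ("Security", 1102) if target == "Security" else ("System", 104)

@dataclass(frozen=True)
class Event:
    log: str            # log that holds the record
    event_id: int
    time: datetime
    target: str         # log that was cleared

@dataclass(frozen=True)
class LogFile:
    name: str           # log name without the .evtx extension
    size: int           # bytes on disk
    mtime: datetime     # last-modified time from $MFT / the filesystem

def reconstruct(events, files, cleared_size=69632):
    """Timeline of clears: entries are (time, log, note). A file at or below
    cleared_size (assumed: header + one chunk) is treated as cleared; clears
    with no surviving record are marked INFERRED and dated from the mtime."""
    recorded = {e.target: e for e in events
                if (e.log, e.event_id) == expected_record(e.target)}
    timeline = []
    for f in files:
        if f.size > cleared_size:
            continue                      # still holds data: not cleared
        rec = recorded.get(f.name)
        if rec:
            timeline.append((rec.time, f.name, f"RECORDED {rec.log} {rec.event_id}"))
        else:
            timeline.append((f.mtime, f.name, "INFERRED (no record; check $UsnJrnl)"))
    return sorted(timeline)

def inferred_clears(timeline):
    return [name for _, name, note in timeline if note.startswith("INFERRED")]

# Constructed sample: Application and Setup cleared first (their 104s were in
# System.evtx), Security cleared (1102 survives), System cleared last (only its
# own 104 survives). PowerShell log untouched. A 7036 service event is noise.
T = lambda h, m: datetime(2024, 12, 1, h, m, tzinfo=timezone.utc)
SAMPLE_EVENTS = [Event("System", 104, T(10, 5), "System"),
                 Event("Security", 1102, T(10, 3), "Security"),
                 Event("System", 7036, T(10, 6), "Application")]
SAMPLE_FILES = [LogFile("Application", 69632, T(10, 0)), LogFile("Setup", 69632, T(10, 1)),
                LogFile("Security", 69632, T(10, 3)), LogFile("System", 69632, T(10, 5)),
                LogFile("Microsoft-Windows-PowerShell", 2_000_000, T(9, 0))]
```

Running `reconstruct(SAMPLE_EVENTS, SAMPLE_FILES)` yields four entries in time order, with Application and Setup flagged as inferred clears that only the file timestamps reveal.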
Decrypting Full Disk Encryption with Dissect
Fox-IT’s incident response framework, Dissect, now supports decryption for encrypted disks, including BitLocker and LUKS, with the release of version 3.17. Originally open-sourced in 2022, Dissect enables artifact extraction and analysis from various formats, making it a vital tool for large-scale incident response. This update allows analysts to decrypt and analyze encrypted disks using passphrases, recovery keys, or BitLocker files. Demonstrated on both Windows and Linux environments, Dissect’s capabilities include browsing decrypted filesystems and exporting decrypted disk images. With continued community contributions, Dissect remains a key resource for digital forensics professionals.
Detecting AI Fakes: Forensic Image Analysis With Cellebrite
Heather and Jared Barnhart, forensic experts from Cellebrite, discuss their work on detecting AI-generated and manipulated images, emphasizing the challenges of trust in digital media. They highlight advancements in forensic tools, such as Cellebrite’s Media Origin feature, and the importance of analyzing metadata and file paths to identify manipulated content. The couple also reflects on the societal implications of AI-generated media, its potential misuse, and the necessity of human oversight in investigations. They stress the importance of improving mental health support for forensic professionals and share insights into their ongoing research to address these pressing issues.
Citizen jurors to help shape future of digital crime fighting in Scotland
The University of Dundee is recruiting volunteer jurors from across Scotland to help shape the future of digital crime fighting through the pan-European Clarus project. This initiative examines the impartiality and reliability of digital forensic evidence and how it is utilized by law enforcement. Citizen jurors will provide input on current practices, terminology, and communication methods in digital investigations, aiming to ensure justice is pursued effectively and without bias. The study, launched in 2023, seeks to align forensic procedures with the increasing reliance on digital technology, while maintaining transparency and accountability.
Scientific Working Group on Digital Evidence (SWGDE)
The Scientific Working Group on Digital Evidence (SWGDE) has released ten new draft documents for public review and comment, covering areas like forensic audio analysis, historical cell site analysis, remote digital evidence collection, and data destruction. These drafts, available on their website, aim to improve best practices and standards in digital and multimedia forensics. Stakeholders are encouraged to submit feedback during the 60-day public review period, ensuring the guidelines reflect the needs of the forensic community and maintain quality and consistency in evidence handling and analysis.
Digital Evidence, LE Training and Partnerships are Key to Combating Human Trafficking
Matt Parker, Co-founder of The Exodus Road, highlights the critical role of partnerships, law enforcement training, and digital evidence in combating human trafficking. Through initiatives like Operation Find Them All, involving Cellebrite, Raven, and NCMEC, significant strides have been made in rescuing victims and prosecuting traffickers. In 2024 alone, The Exodus Road supported the rescue of 128 survivors and trained 4,600 officers globally, equipping them to handle digital evidence and disrupt trafficking networks. Collaborative efforts between non-profits, law enforcement, and technology providers continue to drive impactful change in dismantling this $236 billion criminal industry.
Mac Artifact Viewer
Mac Artifact Viewer is a new tool designed to simplify the analysis of macOS artifacts, addressing a gap in forensic tools, which are often focused on Windows. Users can navigate five pages covering system, user, and internet artifacts, as well as a Spotlight-V100 search tool that queries the index of files and metadata built by macOS's file search feature. After selecting the root directory of a mounted macOS disk image, the tool parses the selected artifacts, saving results or displaying them instantly. Features include parsing login data, bash history, recent items, and a robust Spotlight-V100 search function. The tool, currently in its early stages, is open-source and available for download on GitHub.
Apple Notes in iOS 18
iOS 18 introduces subtle but useful enhancements to Apple Notes, including live transcription for audio recordings, interactive math, collapsible headings, and text highlighting in five colors. From a forensic standpoint, the update adds seven new columns to the ZICCLOUDSYNCINGOBJECT table, which now totals 209 columns. Notable changes include transcriptions stored in ZADDITIONALINDEXABLETEXT for audio, math objects using inline attachments, and collapsible header states recorded in ZOUTLINESTATEDATA via a protobuf. While these features enhance usability, they do not present major forensic challenges compared to the structural shifts seen in previous iOS releases.