Digital Forensics Round-Up, February 11 2026

A round-up of this week’s digital forensics news and views:

New Open-Source macOS Triage Tool Aims To Consolidate Key Artifacts

A SANS FOR518 student built triagectl to simplify macOS triage by gathering scattered forensic artifacts in one place. It exports results to SQLite and generates an interactive HTML report. It also produces a Timesketch-compatible timeline for faster investigation workflows.

Read more (github.com)
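The consolidate-then-export step described above is simple enough to sketch end to end. The following is an added example, not triagectl's own code: it stores a few constructed macOS-style artifact rows (sources and paths are illustrative) in SQLite and renders them as a CSV that Timesketch can import, which requires at minimum the columns `message`, `datetime` (ISO 8601) and `timestamp_desc`; any further columns become searchable attributes.

```python
import csv
import io
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows of the kind a macOS triage collector might emit:
# (source, unix_timestamp_utc, description, origin_path). Illustrative only.
SAMPLE_ARTIFACTS = [
    ("LSQuarantine", 1738281600,
     "Download recorded: installer.dmg from https://example.test/installer.dmg",
     "/Users/alice/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"),
    ("LaunchAgents", 1738281900,
     "Plist created: com.example.updater.plist",
     "/Users/alice/Library/LaunchAgents/com.example.updater.plist"),
    ("unified_log", 1738281660,
     "Process spawned: /bin/bash",
     "unified log"),
]


def build_triage_db(artifacts, path=":memory:"):
    """Consolidation step: every artifact lands in one SQLite table."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE artifacts ("
        "id INTEGER PRIMARY KEY, source TEXT, ts INTEGER, "
        "description TEXT, origin TEXT)"
    )
    conn.executemany(
        "INSERT INTO artifacts (source, ts, description, origin) VALUES (?, ?, ?, ?)",
        artifacts,
    )
    conn.commit()
    return conn


def export_timesketch_csv(conn):
    """Render the artifacts table as a Timesketch-importable CSV string.

    message, datetime and timestamp_desc are the mandatory Timesketch columns;
    source and origin ride along as extra attributes.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["message", "datetime", "timestamp_desc", "source", "origin"])
    rows = conn.execute(
        "SELECT source, ts, description, origin FROM artifacts ORDER BY ts"
    ).fetchall()
    for source, ts, description, origin in rows:
        dt = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        writer.writerow([description, dt, f"{source} event time", source, origin])
    return buf.getvalue()


def timeline_rows(conn):
    """Parse the exported CSV back into dicts (handy for checks and tests)."""
    return list(csv.DictReader(io.StringIO(export_timesketch_csv(conn))))


if __name__ == "__main__":
    db = build_triage_db(SAMPLE_ARTIFACTS)
    print(export_timesketch_csv(db), end="")
```

Sorting by `ts` in the query means the CSV is already a timeline; keeping the per-source origin path in its own column is what lets an analyst pivot from a suspicious event back to the file it was carved from.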


Occupational Trauma In Digital Forensics: A Child’s Experience Raises Alarms

A Sky News report on an 18-year-old who developed complex PTSD after viewing a brief suicide video spotlights the hidden toll on digital forensic investigators. Repeated exposure to CSAM, violence, and death can fuel intrusive symptoms and burnout. Forensic Focus and Northumbria University are seeking participants for an international well-being survey.

Read more (forensicfocus.com)




CSAM Case Volume Fuels DFIR Workload And Burnout

Google Alerts show a steady stream of CSAM and ICAC case updates, highlighting rising workloads. Law enforcement teams face massive data volumes, growing CyberTipline reports, and limited resources. Digital forensic examiners feel the strain as they triage devices and preserve evidence.

Read more (linkedin.com)


FBI iPhone Lockdown Mode Case Raises USB Restricted Mode Questions

Court filings suggest the FBI could not extract data from a seized iPhone that had iOS Lockdown Mode enabled. A technical hypothesis argues that Lockdown Mode may engage USB Restricted Mode immediately, removing the usual one-hour window during which USB data connections are still accepted after the device was last unlocked. If confirmed, that would close the cable-based extraction path unless the device can be unlocked.

Read more (linkedin.com)


Hindsight v2026.01 Adds Chrome Sync Data Parsing And Output Updates

Hindsight v2026.01 adds partial parsing of Chrome Sync Data stored in local LevelDB files, expanding device attribution for synced URL visits. A refreshed CLI uses the rich library while keeping the same syntax. The release also adds new Chrome artifact parsing and improves XLSX, JSONL, and SQLite outputs for easier analysis and Timesketch workflows.

Read more (dfir.blog)


Script Update Chunks RAM Dumps To Recover BitLocker Keys

A BitLocker key recovery script now processes memory dumps in 100MB chunks to bound its own memory footprint and avoid crashes on large images. Analysts can handle large RAM captures more safely during incident response. The update also enables scanning full disk images for recoverable VMKs.

Read more (github.com)
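Chunked scanning has one classic failure mode: a match that straddles a chunk boundary is invisible to a scanner that looks at each chunk in isolation. The script below is an added illustration of the technique, not the script described above. It carries the tail of the previous chunk forward as an overlap and deduplicates hits by absolute file offset. The four-byte tag and 32-byte payload are a constructed stand-in signature, not a real BitLocker in-memory structure; the 100MB default mirrors the chunk size mentioned in the item, and the demo uses a 1KB chunk so the boundary case actually occurs.

```python
import os
import re
import tempfile

CHUNK_SIZE = 100 * 1024 * 1024  # 100 MB, the chunk size the script update uses

# Constructed stand-in signature: NOT a real BitLocker/VMK structure.
DEMO_TAG = b"\x56\x4d\x4b\x00"  # "VMK\0", followed by 32 payload bytes
KEY_LEN = 32


def scan_chunked(path, tag=DEMO_TAG, key_len=KEY_LEN, chunk_size=CHUNK_SIZE):
    """Return [(file_offset, payload_bytes), ...] for every tag hit in the file.

    At most chunk_size + (record_len - 1) bytes are held in memory at once. The
    overlap guarantees that a record starting in the last record_len-1 bytes of
    one chunk is seen whole in the next one.
    """
    rec_len = len(tag) + key_len
    overlap = rec_len - 1
    found, seen = [], set()
    with open(path, "rb") as f:
        base = 0        # absolute file offset of buf[0]
        tail = b""      # bytes carried over from the previous chunk
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf = tail + data
            for m in re.finditer(re.escape(tag), buf):
                off = base + m.start()
                if off in seen:
                    continue  # already reported from the previous overlap
                rec = buf[m.start():m.start() + rec_len]
                if len(rec) < rec_len:
                    continue  # truncated here; completes via the overlap next round
                seen.add(off)
                found.append((off, rec[len(tag):]))
            keep = min(overlap, len(buf))
            tail = buf[-keep:]
            base += len(buf) - keep
    return found


def write_demo_image(path, chunk_size):
    """Constructed 3-chunk zero-filled image with one record inside chunk 0,
    one straddling the chunk 0/1 boundary and one in chunk 2."""
    rec_len = len(DEMO_TAG) + KEY_LEN
    planted = {
        100: bytes(range(0, 32)),
        chunk_size - 10: bytes(range(32, 64)),   # crosses the first boundary
        2 * chunk_size + 7: bytes(range(64, 96)),
    }
    img = bytearray(3 * chunk_size)
    for off, key in planted.items():
        img[off:off + rec_len] = DEMO_TAG + key
    with open(path, "wb") as f:
        f.write(img)
    return planted


def demo(chunk_size=1024):
    """Build the demo image in a temp dir and scan it; returns (planted, hits)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "mem.raw")
        planted = write_demo_image(p, chunk_size)
        hits = scan_chunked(p, chunk_size=chunk_size)
    return planted, hits


if __name__ == "__main__":
    planted, hits = demo()
    for off, key in hits:
        print(f"hit at 0x{off:08x}: {key.hex()}")
    print("all planted records recovered:", dict(hits) == planted)
```

Setting `chunk_size` to something tiny while testing is the easiest way to prove the overlap logic before trusting it on a 64GB capture; without the overlap the record at `chunk_size - 10` is silently lost.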


DFRWS EU 2026 Announces Hands-On Workshops In Linköping

DFRWS EU 2026 opens workshop registration for a hybrid event in Linköping. Sessions span network traffic analysis, memory forensics, Tor, medical devices, and bootloader exploitation, plus LLM prompt engineering. Workshops run 23–24 March 2026 and are included with registration.

Read more (dfrws.org)


iOS Forensics Without Jailbreak: Practical Acquisition For iOS 18 And iOS 26

A practical guide outlines non-jailbreak iOS forensics for iOS 18 and iOS 26, describing what evidence can be pulled from native apps, connectivity, and pattern-of-life artifacts. It covers logical backups, AFC media extraction, and sysdiagnose/crash-log collection with libimobiledevice, UFADE, iLEAPP, and MEAT. Key limitations are noted.

Read more (andreafortuna.org)


Velociraptor Artifact Targets Notepad++ Supply-Chain IOCs

A new Velociraptor artifact is available to help scope IOCs tied to a publicly disclosed Notepad++ supply-chain attack. It aims to identify impacted Notepad++ versions, suspicious files seen in public reporting, and reported network URLs in running processes, plus Warbird clipc.dll loader strings.

Read more (docs.velociraptor.app)


James Eichbaum On Making SQLite Analysis Understandable

Elusive Data founder James Eichbaum says SQLite expertise is essential when tools miss or misread app data. He highlights rising complexity from large schemas, write-ahead logs, and BLOBs that can hold plists, protobufs, or fragmented JSON. Eichbaum argues visualization and SQLite-aware hex views help validate findings and explain them in court.

Read more (forensicfocus.com)
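The BLOB problem Eichbaum describes is concrete: a tool that renders a column as opaque bytes hides a plist or JSON document the examiner needs. The following added example (not from Elusive Data or the interview) builds a constructed app-style table in memory, then classifies each BLOB by its leading bytes and decodes the formats Python can handle natively. JSON that fails to parse (the "fragmented JSON" case) and unrecognised bytes fall through to a hex rendering rather than being silently dropped. The table and column names imitate Core Data conventions but are invented.

```python
import json
import plistlib
import sqlite3


def make_sample_db():
    """Constructed example database: a Core Data-style table whose BLOB column
    holds a binary plist, a JSON document and opaque bytes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, ZPAYLOAD BLOB)")
    bplist = plistlib.dumps({"sender": "+15555550100", "read": True},
                            fmt=plistlib.FMT_BINARY)
    doc = json.dumps({"attachments": [{"name": "photo.heic", "size": 2048}]}).encode()
    # Opaque bytes shaped like a protobuf varint/length-delimited field (constructed).
    raw = b"\x08\x96\x01\x12\x05hello"
    conn.executemany("INSERT INTO ZMESSAGE (ZPAYLOAD) VALUES (?)",
                     [(bplist,), (doc,), (raw,)])
    conn.commit()
    return conn


def decode_blob(blob):
    """Classify a BLOB by its magic bytes and decode what we can.

    Returns (kind, value). Unknown or undecodable content comes back as hex so
    the examiner still sees it and can hand it to a protobuf or carving tool.
    """
    if blob.startswith(b"bplist00"):
        return "bplist", plistlib.loads(blob)
    stripped = blob.lstrip()
    if stripped.startswith((b"<?xml", b"<plist")):
        return "xml_plist", plistlib.loads(blob)
    if stripped[:1] in (b"{", b"["):
        try:
            return "json", json.loads(blob)
        except ValueError:
            pass  # truncated or fragmented JSON: fall through to hex
    return "binary", blob.hex()


def decode_table(conn, table="ZMESSAGE", col="ZPAYLOAD"):
    """Decode every BLOB in a table, keyed by primary key."""
    return {pk: decode_blob(blob)
            for pk, blob in conn.execute(f"SELECT Z_PK, {col} FROM {table} ORDER BY Z_PK")}


if __name__ == "__main__":
    for pk, (kind, value) in decode_table(make_sample_db()).items():
        print(pk, kind, value)
```

When the database comes from an evidence container rather than memory, open it through a read-only URI and keep the `-wal` and `-shm` files beside it; SQLite will then merge committed WAL frames into what you see, while opening with `immutable=1` reads only the main file and drops those frames entirely, which is exactly the kind of divergence between tool output and ground truth the article warns about.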


Streamline Malware Hash Search With FOSSOR

FOSSOR aims to speed up malware triage by searching multiple repositories for hashes found in CISA or Microsoft reports. It is aimed at analysts who otherwise paste the same indicators into one site after another when the first returns no match. Tooling like this can streamline sample collection and the reverse engineering that follows.

Read more (bakerstreetforensics.com)
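The first half of that workflow, pulling hashes out of a report and normalising them, is easy to get slightly wrong (mixed case, duplicates, a 64-character hash partially matched as a 32-character one). The example below is added here and is not FOSSOR's code: it extracts MD5, SHA-1 and SHA-256 values from report text, deduplicates them in order of first appearance, and builds lookup URLs for the VirusTotal and MalwareBazaar web interfaces. The report text is constructed; the hash values are the well-known digests of empty input, not indicators from any advisory.

```python
import re

# Longest alternative first so a SHA-256 is never consumed as a shorter hash;
# the \b anchors stop a partial match inside a longer hex run.
HASH_RE = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
KINDS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed report excerpt (not from any real CISA/Microsoft publication).
REPORT = """\
Indicators of compromise:
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
Observed again on host 2: d41d8cd98f00b204e9800998ecf8427e
Not hashes: deadbeef, 0x1234, 192.168.1.10
"""


def extract_hashes(text):
    """Return {"md5": [...], "sha1": [...], "sha256": [...]} of unique,
    lowercased hashes in order of first appearance."""
    out = {"md5": [], "sha1": [], "sha256": []}
    seen = set()
    for h in HASH_RE.findall(text):
        h = h.lower()
        if h in seen:
            continue
        seen.add(h)
        out[KINDS[len(h)]].append(h)
    return out


def lookup_urls(hashes):
    """Web UI lookup URLs for each hash. SHA-256 is the native key for
    MalwareBazaar; VirusTotal accepts any of the three."""
    urls = []
    for kind, values in hashes.items():
        for h in values:
            urls.append(("virustotal", f"https://www.virustotal.com/gui/file/{h}"))
            if kind == "sha256":
                urls.append(("malwarebazaar", f"https://bazaar.abuse.ch/sample/{h}/"))
    return urls


if __name__ == "__main__":
    found = extract_hashes(REPORT)
    for kind, values in found.items():
        print(kind, values)
    for site, url in lookup_urls(found):
        print(site, url)
```

A 32-digit purely decimal number (a large file size, say) satisfies the MD5 pattern too, so treat `md5` hits with no letters in them with suspicion before pasting them anywhere.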
