A round-up of this week’s digital forensics news and views:
Robert B. Fried Announces the Release of the Latest Edition of ‘Forensic Data Collections 2.0’
The third edition of Forensic Data Collections 2.0 explores best practices in digital forensics, focusing on preserving electronic evidence, thorough documentation, and legal compliance. Robert B. Fried examines the human and legal factors shaping investigations and underscores the importance of collaboration. The book serves as a cross-disciplinary resource for forensic practitioners, legal professionals, and investigative teams navigating evolving digital landscapes.
Ridin’ With Apple CarPlay 2
New research revisits Apple CarPlay forensic artifacts, highlighting changes since its initial examination. Key updates include a dedicated “recently used” file, Siri invocation tracking in knowledgeC, and CarPlay connection records migrating to biomes. Unified Logs now provide crucial insights, distinguishing actions performed via CarPlay versus directly on the phone—an essential factor in distracted driving investigations. While biomes and knowledgeC remain valuable, forensic examiners must analyze multiple data sources to confirm user activity accurately.
Protecting Investigators: Dr. Michael Bourke On Building A Healthier DFIR Community
Dr. Michael Bourke discusses the psychological impact of digital forensics work, particularly for those investigating internet crimes against children. He highlights the stigma around seeking mental health support, the need for proactive resilience training, and the financial and operational costs of burnout. Bourke also introduces the FORWARD Center, a nonprofit offering culturally competent mental health services for first responders. He emphasizes the importance of structured well-being initiatives and previews the next National Wellbeing Survey to assess investigator support needs globally.
Meet the Cyber Forensics Champions: Winners of the India’s Biggest Digital Hackathon
The Future Crime Research Foundation (FCRF) and Bhumi Itech hosted what was billed as the world’s largest digital forensics hackathon, drawing over 600 participants to tackle real-world cybercrime challenges. Contestants demonstrated expertise in memory forensics, malware analysis, and cryptographic investigations, with top winners including high school student Pratik G K and researchers from leading cybersecurity institutions. The competition showcased the growing importance of digital forensics, emphasizing innovation, endurance, and collaboration in tackling evolving cyber threats.
WMI Malware: The Complete Forensics Guide
WMI malware is a powerful tool for attackers, enabling execution, persistence, lateral movement, and evasion without dropping additional software. Threat actors use WMI for process creation, system discovery, firewall tampering, and stealthy persistence through permanent event subscriptions (filter, consumer, and binding). Real-world cases, including ShrinkLocker ransomware and Metador, illustrate its impact. Detection techniques include monitoring for unusual child processes of scrcons.exe (the host for ActiveScriptEventConsumer scripts) and wmiprvse.exe (the WMI provider host, which also spawns processes created through Win32_Process), identifying anomalous WMI consumer activity, and reviewing process history for suspicious WMI commands. Automated forensic tools, such as Cyber Triage, help investigators detect and analyze WMI-based threats more efficiently.
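As an added example of the detection logic described above (this is not code from the article or from Cyber Triage), the script below triages process-creation records for the two patterns the guide calls out: interpreters or other executables spawned by wmiprvse.exe or scrcons.exe, and command lines that create WMI event subscriptions, compile MOF files, or launch processes through Win32_Process. The event records are constructed to resemble Sysmon Event ID 1 fields; every path, command line, and timestamp in them is invented for illustration.

```python
"""Triage process-creation telemetry for WMI abuse (added example; the
EVENTS list is constructed to resemble Sysmon Event ID 1 fields and is not
real telemetry)."""
import re
from pathlib import PureWindowsPath

# wmiprvse.exe runs WMI providers (and hosts Win32_Process.Create, the usual
# remote-execution path); scrcons.exe hosts ActiveScriptEventConsumer scripts.
# Anything either of them spawns deserves a look.
WMI_HOSTS = {"wmiprvse.exe", "scrcons.exe"}

# Interpreters and LOLBins that a WMI host should rarely launch directly.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Command-line fragments seen when permanent subscriptions are created, MOF files
# are compiled, or WMI is used to start a process (wmic / PowerShell).
WMI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"__EventFilter", r"CommandLineEventConsumer", r"ActiveScriptEventConsumer",
    r"__FilterToConsumerBinding", r"root\\subscription", r"\bmofcomp(\.exe)?\b",
    r"process\s+call\s+create", r"Win32_Process\b.*\bCreate\b",
)]

# Constructed sample events (Sysmon-style field names; contents are invented).
EVENTS = [
    {"ts": "2025-03-10T09:14:02Z", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c powershell -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="},
    {"ts": "2025-03-10T09:14:05Z", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wbem\scrcons.exe",
     "CommandLine": r"wscript.exe //B C:\Users\Public\sync.vbs"},
    {"ts": "2025-03-10T09:20:41Z", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command Set-WmiInstance -Namespace root\subscription '
                    r'-Class __EventFilter -Arguments @{Name="Updater"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60"}'},
    {"ts": "2025-03-10T09:21:03Z", "Image": r"C:\Windows\System32\wbem\mofcomp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mofcomp.exe C:\Users\Public\up.mof"},
    {"ts": "2025-03-10T09:30:00Z", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"ts": "2025-03-10T09:31:12Z", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\agent.msi /qn"},
    {"ts": "2025-03-10T09:35:27Z", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe Invoke-WmiMethod -ComputerName FS01 -Class Win32_Process -Name Create -ArgumentList "calc.exe"'},
]


def _name(path):
    """Lower-cased file name of a Windows path (case-insensitive matching)."""
    return PureWindowsPath(path).name.lower()


def flag_event(ev):
    """Return the reasons this event looks like WMI abuse (empty list if none)."""
    reasons = []
    parent, child = _name(ev.get("ParentImage", "")), _name(ev.get("Image", ""))
    if parent in WMI_HOSTS:
        if child in INTERPRETERS:
            reasons.append(f"high: {parent} spawned interpreter {child}")
        else:
            reasons.append(f"medium: {parent} spawned {child}; identify the consumer or caller that triggered it")
    cmdline = ev.get("CommandLine", "")
    for pat in WMI_PATTERNS:
        if pat.search(cmdline):
            reasons.append(f"command line matches WMI indicator /{pat.pattern}/")
    return reasons


def triage(events):
    """Return only the flagged events, each with its image name and reasons."""
    return [{"ts": ev["ts"], "image": _name(ev["Image"]), "reasons": r}
            for ev in events if (r := flag_event(ev))]


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["ts"], hit["image"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Feed it real Sysmon or EDR process records with the same field names and the benign wmiprvse.exe launch from svchost.exe passes through untouched, while the interpreter children, the subscription creation, the MOF compile, and the remote Win32_Process.Create call are all surfaced with the reason attached. The pattern list is a starting point, not a complete signature set; legitimate management tooling also creates subscriptions, so treat the medium-severity hits as leads to corroborate against the WMI-Activity event log and the persisted consumers in root\subscription.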
Apple Intelligence Photo Forensics
A forensic analysis of Apple’s Photo Clean Up feature reveals how metadata changes when an image is edited with generative AI. The tool removes location, device details, and extended attributes while adding metadata fields (Credit and Digital Source Type) indicating AI modification. Apple’s Photos.app and Preview.app detect these fields automatically and display a “Modified with Clean Up” tag. However, the researchers demonstrate that altering just those two fields removes the tag, highlighting how fragile such provenance markers are when detecting AI-generated image modifications.
macOS Extended Attributes: Case Study
Extended attributes (EAs) in macOS store metadata beyond the standard file attributes and play a crucial role in security and forensic investigations. Using commands such as xattr (xattr -l to list, xattr -p to print one value) and ls -l@, analysts can inspect attributes such as com.apple.metadata:kMDItemWhereFroms (recording the URL a file was downloaded from, and usually the referring page) and com.apple.quarantine (marking files that arrived from the internet, with a flags field, a download timestamp, and the name of the downloading application). These attributes live with the file itself; quarantine events are also logged in the per-user LaunchServices quarantine database (com.apple.LaunchServices.QuarantineEventsV2), so the two sources can corroborate each other when incident responders trace a potential infection source. While the quarantine flag triggers Gatekeeper checks that can block unverified applications, it can be removed with a single command (xattr -d com.apple.quarantine), which demonstrates both the security value and the forensic fragility of this evidence on macOS.
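As an added example (not code from the case study), the script below decodes the two attributes named above into the facts an examiner actually wants: when the file was downloaded, by which application, and from which URL. The parsing functions operate on raw attribute bytes and run offline against the constructed sample values included in the block; only read_xattr(), which shells out to macOS’s xattr(1), needs a Mac. The sample quarantine string, UUID, and URLs are invented.

```python
"""Decode com.apple.quarantine and com.apple.metadata:kMDItemWhereFroms.

Added example, not from the case study.  SAMPLE_* values are constructed;
read_xattr() is the only part that requires macOS.
"""
import plistlib
import subprocess
from datetime import datetime, timezone


def read_xattr(path, name):
    """Return the raw bytes of one extended attribute via `xattr -px` (macOS only).
    xattr exits non-zero when the attribute is absent, which raises CalledProcessError."""
    hexdump = subprocess.run(["xattr", "-px", name, path], check=True,
                             capture_output=True, text=True).stdout
    return bytes.fromhex("".join(hexdump.split()))


def parse_quarantine(value):
    """Split com.apple.quarantine: 'flags;hex epoch seconds;agent name;event UUID'.
    The flags are a hex bitfield; only the raw integer is returned here."""
    fields = value.decode("utf-8", "replace").split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(fields[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        "agent": fields[2],
        "event_uuid": fields[3] if len(fields) > 3 else None,
    }


def parse_where_froms(value):
    """kMDItemWhereFroms is a binary plist array of strings (download URL, then referrer)."""
    urls = plistlib.loads(value)
    if not isinstance(urls, list):
        raise ValueError("kMDItemWhereFroms is not a plist array")
    return [str(u) for u in urls]


# Constructed sample values in their on-disk encodings (invented data).
SAMPLE_QUARANTINE = b"0083;5f7a3d12;Safari;C3D5ADCE-8A7D-4D0B-9FD1-3F9B2C0A1E2B"
SAMPLE_WHERE_FROMS = plistlib.dumps(
    ["https://downloads.example.com/installer.dmg", "https://www.example.com/get"],
    fmt=plistlib.FMT_BINARY)


def describe(quarantine, where_froms):
    """Combine both attributes into one provenance summary."""
    q = parse_quarantine(quarantine)
    urls = parse_where_froms(where_froms)
    return {
        "downloaded_at": q["downloaded_at"].isoformat(),
        "agent": q["agent"],
        "flags": f"0x{q['flags']:04x}",
        "source_url": urls[0] if urls else None,
        "referrer": urls[1] if len(urls) > 1 else None,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # live file on macOS
        path = sys.argv[1]
        print(describe(read_xattr(path, "com.apple.quarantine"),
                       read_xattr(path, "com.apple.metadata:kMDItemWhereFroms")))
    else:                   # offline demonstration on the constructed samples
        print(describe(SAMPLE_QUARANTINE, SAMPLE_WHERE_FROMS))
```

Run it with a path to a downloaded file on a Mac, or with no arguments to see the decoded samples. Note that a file whose quarantine attribute has been stripped with xattr -d will make read_xattr() raise; that absence is itself a finding, and the LaunchServices quarantine events database is the place to look for the download record the attribute no longer carries.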
CapabilityAccessManager.db Deep Dive, Part 3
This deep dive into CapabilityAccessManager.db on Windows 11 examines its reliance on AmCache for FileIDs and reveals inconsistencies when executables are modified. FileIDs in CapabilityAccessManager.db are copied from AmCache at the time the data is transferred, so an earlier access event can end up recorded against the FileID of a newer version of the executable if the binary changed between the event and the transfer. Testing confirmed that modifying AmCache alters the FileID recorded in CapabilityAccessManager.db. Investigators must account for this lag and cross-reference earlier entries to ensure the access events are attributed to the correct binary.