Digital Forensics Round-Up, January 08 2025

A round-up of this week’s digital forensics news and views:


Shamsud-Din Jabbar: OSINT Profiling and Uncovering Hidden Threads of the New Orleans Terror Attack

Open-Source Intelligence (OSINT) profiling is revolutionizing investigative practices by leveraging publicly available data to create detailed profiles, analyze networks, and uncover hidden connections. A recent structured guide illustrates how tools like IRBIS and Maltego facilitate efficient data integration, enabling investigators to track subjects such as Shamsud-Din Jabbar, whose digital footprint and connections revealed ties to extremist ideologies. The process includes steps like data collection, network analysis, and behavioral profiling, uncovering actionable insights and highlighting emerging risks, such as the growing use of cryptocurrency in extremist networks. This method demonstrates the power of OSINT to address immediate threats and prevent future risks.

Read more (Reddit)


DFIR in a Land Down Under

The 4th DFRWS APAC conference in Brisbane, Australia, showcased cutting-edge developments in digital forensics and incident response (DFIR) from October 22-24, 2024. Highlights included Jessica Hyde’s workshop on third-party app analysis, keynotes by Michael Cohen on the evolving challenges in digital forensics and Darren Hopkins on ransomware trends, and diverse presentations on topics like deepfake detection and forensic readiness. A panel discussed the UN Cybercrime Convention’s implications, and social events fostered networking. Despite positive feedback, organizers aim to improve outreach for next year.

Read More (Hexordia)



Inside the team fighting crime on the digital frontier

West Midlands Police’s Digital Forensics Unit (DFU) plays a pivotal role in solving crimes by unlocking and analyzing digital evidence from devices like phones and computers. Over the past year, the 80-person team examined nearly 3,000 phones and 1,000 computers, aiding convictions for serious offenses such as murder and gun trafficking. To bolster its capacity, the DFU welcomed seven new apprentices, aged 18 to 40, who support live investigations while gaining practical experience and training. This initiative ensures a skilled future workforce as digital evidence becomes increasingly central to modern policing.

Read More (West Midlands Police)


The Challenge of Tracking SSH Connections Without System Logs

A recent exploration into macOS Unified Logs reveals an effective method for tracking SSH logins and logoffs without relying on the traditional system.log file, which attackers might delete. Researchers utilized precise filters and timestamps to extract SSH connection details, including IP addresses and ports, directly from Unified Logs across multiple macOS versions, including High Sierra, Big Sur, and Sonoma. This approach, tested collaboratively, circumvents potential log deletion while minimizing noise, providing a robust alternative for auditing SSH activity and enhancing forensic investigations on macOS systems.

Read More (HackMD)
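The session reconstruction the write-up describes, as an added example (not code from the HackMD post): sshd login and logoff records are paired by client IP and port to rebuild SSH sessions and list failed attempts. The sample lines are constructed in a simplified `log show`-like layout (timestamp, process, message); real Unified Log output carries more columns and varies by macOS version, so only the sshd message text is relied on for the extraction itself.

```python
import re
from datetime import datetime

# Constructed sample lines in a simplified `log show`-like layout for sshd.
# These are made-up records for illustration, not data from the article.
SAMPLE_LOG = """\
2024-10-23 09:12:01.482913+1000 sshd: Accepted publickey for alice from 192.0.2.10 port 52144 ssh2
2024-10-23 09:12:01.501020+1000 sshd: pam_unix(sshd:session): session opened for user alice
2024-10-23 09:30:44.118200+1000 sshd: Received disconnect from 192.0.2.10 port 52144:11: disconnected by user
2024-10-23 09:30:44.118900+1000 sshd: Disconnected from user alice 192.0.2.10 port 52144
2024-10-23 10:02:15.000001+1000 sshd: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
2024-10-23 10:05:00.000000+1000 sshd: Accepted password for bob from 203.0.113.5 port 61000 ssh2
"""

# Line layout of the constructed sample; the sshd message patterns are OpenSSH's own.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) sshd: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
DISCONNECT_RE = re.compile(r"Disconnected from user (\S+) (\S+) port (\d+)")
FAILED_RE = re.compile(r"Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"

def parse_ssh_sessions(log_text):
    """Pair login and logoff lines by (client IP, client port); return (sessions, failures).
    Sessions still open when the log ends keep end=None."""
    open_sessions, sessions, failures = {}, [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], TS_FMT), m["msg"]
        if a := ACCEPT_RE.search(msg):
            method, user, ip, port = a.groups()
            open_sessions[(ip, port)] = {"user": user, "ip": ip, "port": int(port),
                                         "method": method, "start": ts, "end": None}
        elif d := DISCONNECT_RE.search(msg):
            user, ip, port = d.groups()
            s = open_sessions.pop((ip, port), None)
            if s:  # logoff matched to an earlier login on the same client socket
                s["end"] = ts
                sessions.append(s)
        elif f := FAILED_RE.search(msg):
            method, user, ip, port = f.groups()
            failures.append({"user": user, "ip": ip, "port": int(port), "ts": ts})
    sessions.extend(open_sessions.values())  # logins with no logoff seen
    return sessions, failures

def duration_seconds(session):
    """Session length in seconds, or None if no logoff was recorded."""
    return None if session["end"] is None else (session["end"] - session["start"]).total_seconds()
```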


Crypto Crime – No Such Thing?

In the latest Forensic Focus podcast, host Si Biles speaks with Nick Furneaux, renowned forensic investigator and author, about the evolving landscape of digital forensics, particularly in cryptocurrency investigations. Furneaux discusses the challenges of identifying cryptocurrency use in crimes, the importance of integrating crypto specialists into broader investigative teams, and the ethical and technical complexities of tackling scams like “pig butchering.” Reflecting on his career, Furneaux emphasizes the need for innovative tools to discover crypto-related evidence and explores the societal impacts of modern scams. His new book, There’s No Such Thing as Crypto Crime, aims to broaden understanding of cryptocurrency in investigations.

Read More (Forensic Focus)


File Carving: Encrypted Virtual Hard Disks

Ransomware encryption of virtual hard disks presents significant challenges for forensic investigations, but partial data recovery is possible due to the efficiency-focused encryption methods used by attackers. Using techniques like file carving, investigators can extract critical artifacts, even from partially encrypted disks. This article explores various tools and methods, including Grep, Bulk Extractor, PhotoRec, Scalpel, EVTXtract, and custom scripts, to recover files, event logs, and evidence from encrypted virtual hard disks. While success rates vary, these methods offer valuable insights into threat actor activities and can bridge forensic gaps, emphasizing the need for iterative and adaptable investigative strategies.

Read More (The DFIR Journal)
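An added example (not the DFIR Journal's code) of the chunk-level carving the article relies on for event logs: a Windows EVTX file is a 4 KiB `ElfFile` header followed by 64 KiB chunks, each with its own `ElfChnk` header and header CRC32, so chunks beyond an encrypted prefix can be validated and recovered even when the file header is gone. The disk image, chunk contents and the overwritten region are all constructed here; the header field offsets and CRC coverage (bytes 0-120 and 128-512) follow the public EVTX format description.

```python
import random
import struct
import zlib

ELF_CHNK = b"ElfChnk\x00"    # magic at the start of every 64 KiB EVTX chunk
CHUNK_SIZE = 64 * 1024

def make_chunk(first_rec, last_rec, rnd):
    """Synthetic EVTX chunk: random body plus a header that passes the format's own
    consistency checks (header size 128, CRC32 over bytes 0-120 and 128-512)."""
    body = bytearray(rnd.randbytes(CHUNK_SIZE))
    struct.pack_into("<8sQQQQII", body, 0, ELF_CHNK, first_rec, last_rec,
                     first_rec, last_rec, 128, 0)
    struct.pack_into("<I", body, 124, zlib.crc32(bytes(body[:120]) + bytes(body[128:512])))
    return bytes(body)

def build_sample_image(seed=7):
    """Constructed image: filler, a 3-chunk EVTX, filler; then a 'ransomware' pass
    overwrites the first 64 KiB of the EVTX (file header and most of chunk 1)."""
    rnd = random.Random(seed)
    filler = b"\x00" * 4096
    evtx = b"ElfFile\x00" + b"\x00" * 4088
    evtx += b"".join(make_chunk(1 + 100 * i, 100 + 100 * i, rnd) for i in range(3))
    image = bytearray(filler + evtx + filler)
    start = len(filler)
    image[start:start + CHUNK_SIZE] = rnd.randbytes(CHUNK_SIZE)  # partial encryption
    return bytes(image)

def carve_evtx_chunks(image):
    """Return (offset, first_record, last_record) for each chunk with an intact header."""
    hits = []
    pos = image.find(ELF_CHNK)
    while pos != -1:
        hdr = image[pos:pos + 512]
        if len(hdr) == 512:
            first, last = struct.unpack_from("<QQ", hdr, 8)
            size, = struct.unpack_from("<I", hdr, 40)
            crc, = struct.unpack_from("<I", hdr, 124)
            # Reject stray magic in random data: size, record order and CRC must all agree.
            if size == 128 and first <= last and crc == zlib.crc32(hdr[:120] + hdr[128:512]):
                hits.append((pos, first, last))
        pos = image.find(ELF_CHNK, pos + 1)
    return hits
```

Offsets 73728 and 139264 in the sample image are the two chunks past the overwritten prefix; chunk 1 survives only as a headerless tail and is correctly rejected.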


More than 140 Kenya Facebook moderators diagnosed with severe PTSD

More than 140 Facebook content moderators in Kenya have been diagnosed with severe post-traumatic stress disorder (PTSD), anxiety, and depression due to prolonged exposure to graphic content, including murders, suicides, and child sexual abuse. These moderators, employed by Samasource Kenya under contract with Facebook’s parent company, Meta, endured harsh working conditions for significantly lower pay than their U.S. counterparts. A lawsuit brought by nearly 190 former moderators alleges mental harm, unfair practices, and modern slavery. Despite Meta’s claims of providing support and safety measures, advocates argue the trauma inflicted on moderators highlights the human cost of social media moderation.

Read More (The Guardian)


watchOS Unified Logs – Introduction and Calls

Unified logs from Apple Watches and paired iPhones provide valuable data for digital investigations, particularly in cases involving calls initiated from the watch. Logs from watchOS differ significantly from those on iOS, with key processes such as “Carousel” replacing “SpringBoard” on the watch. Investigators can trace call activity through processes like “callservicesd” and identify timestamps, device interactions, and contact identifiers. However, while the watch captures essential details, it cannot independently reveal the full context of calls, such as dialed phone numbers, which are often available only on the paired iPhone. Cross-referencing logs from both devices offers a more comprehensive view of user activity.

Read More (iOS Unified Logs)