Digital Forensics Round-Up, January 15 2025

A round-up of this week’s digital forensics news and views:


DATAPILOT 2025 Digital Forensics Grant Program is now open for law enforcement agency submissions

The 2025 DATAPILOT Digital Forensics Grant Program offers law enforcement agencies access to vital mobile forensics software, addressing challenges in handling increasing cases involving cell phone data. This initiative helps agencies acquire discounted licenses and training through donations of unused licenses, reducing reliance on external services and potential data loss. With the addition of the DPX forensic acquisition device, agencies can now conduct faster in-field evidence collection and enhance lab-based tools with field triage capabilities. The program supports both agencies with existing software looking to upgrade and those new to digital forensics, promoting community safety through improved investigative resources.

Read More (WHO13)


Lateral Movement Analysis: Using Chainsaw, Hayabusa, and LogParser for Cybersecurity Investigations

Lateral movement analysis remains a challenge even for seasoned cybersecurity professionals, prompting the author to simplify the process using three tools: Chainsaw, Hayabusa, and Log Parser. Chainsaw streamlines log analysis by quickly identifying suspicious events like RDP activities, while Hayabusa filters thousands of log entries into manageable categories, enabling efficient detection of potential lateral movement. Log Parser provides a customizable approach with SQL-like queries for precise detection of activities like RDP logins and SMB access. The article emphasizes combining these automated tools with foundational manual skills to enhance investigative accuracy and efficiency, offering detailed guidance and additional resources for practitioners.

Read More (Medium)
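The summary above describes the kind of filter a Log Parser query would express (4624 logons with LogonType 10 for RDP, 5140 for share access) and then correlating hits to surface movement between hosts. The following is an added example, not code from the article or from Chainsaw, Hayabusa or Log Parser: it runs that detection logic over a handful of constructed Windows Security event records (field names mirror the event XML: EventID, LogonType, IpAddress, TargetUserName, ShareName) and groups hits by source address, so a single source touching several hosts stands out for follow-up.

```python
"""Added example: RDP / admin-share hunting over constructed Security events.
Equivalent Log Parser idea (assumed query shape, not from the article):
  SELECT ... FROM Security.evtx WHERE EventID=4624 AND LogonType=10
"""
from collections import defaultdict

RDP_LOGON_TYPE = 10  # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample events (not real telemetry); "time" is ISO 8601 so it sorts as text.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T08:01:12", "host": "WS01", "EventID": 4624,
     "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
    {"time": "2025-01-10T09:15:30", "host": "SRV-FILE", "EventID": 4624,
     "LogonType": RDP_LOGON_TYPE, "TargetUserName": "alice", "IpAddress": "10.0.0.15"},
    {"time": "2025-01-10T09:16:02", "host": "SRV-FILE", "EventID": 5140,
     "TargetUserName": "alice", "IpAddress": "10.0.0.15", "ShareName": "\\\\*\\ADMIN$"},
    {"time": "2025-01-10T09:17:45", "host": "SRV-DB", "EventID": 4624,
     "LogonType": RDP_LOGON_TYPE, "TargetUserName": "alice", "IpAddress": "10.0.0.15"},
    {"time": "2025-01-10T10:00:00", "host": "SRV-DB", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.7"},
]


def rdp_logons(events):
    """Successful RDP logons: EventID 4624 with LogonType 10."""
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == RDP_LOGON_TYPE]


def admin_share_access(events):
    """EventID 5140 where the share name ends in '$' (ADMIN$, C$, IPC$ ...)."""
    return [e for e in events
            if e["EventID"] == 5140 and e.get("ShareName", "").endswith("$")]


def movement_chains(events, min_hosts=2):
    """Group RDP logons and admin-share hits by source IP, in time order.

    Returns {source_ip: [host, host, ...]} for sources that reached at
    least `min_hosts` distinct hosts; one source hopping across several
    machines is the pattern worth triaging first.
    """
    hits = sorted(rdp_logons(events) + admin_share_access(events),
                  key=lambda e: e["time"])
    by_source = defaultdict(list)
    for e in hits:
        by_source[e["IpAddress"]].append(e)

    chains = {}
    for src, evs in by_source.items():
        hosts = []
        for e in evs:
            if e["host"] not in hosts:        # keep first-seen order, no duplicates
                hosts.append(e["host"])
        if len(hosts) >= min_hosts:
            chains[src] = hosts
    return chains


if __name__ == "__main__":
    for src, hosts in movement_chains(SAMPLE_EVENTS).items():
        print(f"{src} -> {' -> '.join(hosts)}")
```

The grouping key is deliberately the source address rather than the account, because a stolen account used from one foothold shows the hop pattern more clearly than per-user counts; on real data you would feed it parsed EVTX output and raise `min_hosts` to fit the environment's normal admin activity.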





Why Dubai Police is a global leader in combating cybercrimes

The Dubai Police Digital Forensics Department has grown from a modest unit to a global leader in cybercrime investigation, employing advanced technologies such as AI, biometric analysis, and emotion detection to tackle crimes like deepfake impersonation, online fraud, and document counterfeiting. Led by Lieutenant Colonel Hamd Juma Khamis, the department handles 80-100 cases monthly, leveraging international collaborations and tools like gait analysis and deepwater device recovery. Recent high-profile cases include tracking a disguised thief who stole Dh50 million and combating scams exploiting AI and social media. Accredited by ISO 17025 and ILAC, the department plans to expand digital forensic units to more police stations while addressing cross-border cybercrime challenges.

Read More (Gulf News)


The Fast and The Hackable: Digital License Plates Edition

Drivers have developed creative methods to evade tolls, but a new concern has emerged with jailbroken digital license plates. Security researcher Josep Rodriguez demonstrated how Reviver’s digital plates, marketed as tamper-proof and innovative, can be hacked in minutes to display any image or text, enabling toll evasion and avoidance of cameras. Reviver’s plates, supported by a 2022 California law, offer features like vehicle registration renewal and theft reporting but have hardware-level vulnerabilities requiring chip replacements to fix. This issue arises as New York City implements a controversial congestion pricing plan and grapples with significant toll evasion losses, making jailbroken plates a potential tool for those avoiding new fees.

Read More (The Legal Aid Society)


A BITS of a Problem – Investigating BITS Jobs

Microsoft’s Background Intelligent Transfer Service (BITS), a built-in Windows feature for downloading and uploading files, is frequently abused by threat actors leveraging its capabilities for malicious activities such as downloading payloads, establishing persistence, or executing commands in the background. BITS jobs, designed for legitimate purposes like Windows Updates, can persist after reboots, run without alerting antivirus tools, and are easily configured through PowerShell or BitsAdmin. Investigating BITS abuse requires thorough visibility into execution artifacts like event logs, registry keys, and database files, as well as robust logging and monitoring of processes and command lines. By leveraging tools like Sysmon, KAPE, and forensic suites, practitioners can correlate artifacts and timeline activities to identify and mitigate BITS-based attacks effectively.

Read More (The DFIR Spot)


Interview: Andrew Tyshchenko, Head of Hardware, Atola Technology

Andrew Tyshchenko, Head of Hardware at Atola Technology, shares insights into the development of the TaskForce 2 forensic imager, a robust evolution of its predecessor designed for high-demand forensic labs. Launched in 2023, TaskForce 2 features significant advancements, including the ability to image 26 drives in parallel, a rack-mountable design, dual LED indicators for task monitoring, and compatibility with Atola’s existing extensions. With innovative hardware components like a Supermicro motherboard, Xeon processor, and IcyDock NVMe docks, it offers enhanced performance, cooling, and user-friendly design. Tyshchenko also highlights Atola’s forward-looking plans for a standalone imager with market-unique features aimed at further streamlining forensic workflows.

Read More (Forensic Focus)


Tracing Reused $MFT Entries Paths: Recovering Deleted File Paths Forensically with CyberCX UsnJrnl Rewind

The $MFT and $UsnJrnl logs serve complementary roles in forensic investigations, with $MFT providing a file system snapshot and $UsnJrnl tracking detailed file system changes over time. However, challenges arise when $MFT entries are reused, complicating the recovery of deleted file paths. CyberCX’s UsnJrnl Rewind tool addresses this issue by correlating data from $MFT and $UsnJrnl to reconstruct paths of deleted files, even for overwritten entries. By parsing these logs, the tool traces the lifecycle of files, helping investigators recover critical evidence in cases involving sophisticated file manipulation or deletion.

Read More (Medium)
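The core of the problem the summary describes is that an $MFT entry number alone is ambiguous once the entry has been reused: the current $MFT snapshot shows only the newest occupant, so a deleted file's path has to be rebuilt from the $UsnJrnl. The following added example is not CyberCX's code and does not reproduce UsnJrnl Rewind; it shows one way to do the correlation by keying every file on (entry number, sequence number), which NTFS increments on each reuse, and walking parent references until the root (record 5). Records are constructed; the field names loosely mirror USN_RECORD_V2 (FileReferenceNumber, ParentFileReferenceNumber, FileName, Reason).

```python
"""Added example: rebuild deleted-file paths from a constructed $UsnJrnl
when the $MFT entry was later reused (not CyberCX's implementation)."""

ROOT = (5, 5)  # NTFS root directory lives in $MFT record 5 (constructed sequence)

# Constructed $MFT snapshot of *current* directories: ref -> (name, parent_ref).
# Entry 1234 is now a directory called Temp; its earlier occupant is gone.
MFT_DIRS = {
    ROOT: ("", None),
    (70, 1): ("Users", ROOT),
    (81, 3): ("bob", (70, 1)),
    (1234, 6): ("Temp", ROOT),
}

# Constructed $UsnJrnl records in USN order. Reasons are the USN_REASON_* names.
USN_RECORDS = [
    {"usn": 100, "ref": (95, 2),   "parent": (81, 3), "name": "Documents",
     "reason": {"FILE_CREATE", "CLOSE"}},
    {"usn": 110, "ref": (1234, 5), "parent": (95, 2), "name": "report.docx",
     "reason": {"FILE_CREATE", "CLOSE"}},
    {"usn": 120, "ref": (1234, 5), "parent": (95, 2), "name": "report.docx",
     "reason": {"RENAME_OLD_NAME"}},
    {"usn": 121, "ref": (1234, 5), "parent": (95, 2), "name": "report-final.docx",
     "reason": {"RENAME_NEW_NAME", "CLOSE"}},
    {"usn": 130, "ref": (1234, 5), "parent": (95, 2), "name": "report-final.docx",
     "reason": {"FILE_DELETE", "CLOSE"}},
    {"usn": 140, "ref": (95, 2),   "parent": (81, 3), "name": "Documents",
     "reason": {"FILE_DELETE", "CLOSE"}},   # parent directory deleted too
    {"usn": 150, "ref": (1234, 6), "parent": ROOT,    "name": "Temp",
     "reason": {"FILE_CREATE", "CLOSE"}},   # entry 1234 reused, sequence bumped
]


def build_table(mft_dirs, usn_records):
    """Start from the live $MFT, then replay the journal so every (entry, seq)
    ever seen carries the last name and parent the journal recorded for it."""
    table = dict(mft_dirs)
    for rec in sorted(usn_records, key=lambda r: r["usn"]):
        table[rec["ref"]] = (rec["name"], rec["parent"])
    return table


def resolve_path(ref, table):
    """Walk parent references to the root; None if the chain is broken or cyclic."""
    parts, seen = [], set()
    while ref != ROOT:
        if ref in seen or ref not in table:
            return None
        seen.add(ref)
        name, ref = table[ref]
        parts.append(name)
    return "\\" + "\\".join(reversed(parts))


def entry_only_view(table):
    """What keying on the entry number alone yields: the highest sequence wins,
    so the deleted occupant of a reused entry is invisible."""
    view = {}
    for (entry, seq), (name, _parent) in sorted(table.items(), key=lambda kv: kv[0]):
        view[entry] = name
    return view


def deleted_file_paths(mft_dirs, usn_records):
    """(usn, ref, full_path) for every FILE_DELETE record, in journal order."""
    table = build_table(mft_dirs, usn_records)
    return [(r["usn"], r["ref"], resolve_path(r["ref"], table))
            for r in sorted(usn_records, key=lambda r: r["usn"])
            if "FILE_DELETE" in r["reason"]]


if __name__ == "__main__":
    for usn, ref, path in deleted_file_paths(MFT_DIRS, USN_RECORDS):
        print(f"USN {usn}: entry {ref[0]} seq {ref[1]} -> {path}")
```

Two details carry the example: the deleted file's parent directory has itself been deleted, so its name comes from the journal rather than the $MFT, and the rename is applied in USN order so the delete resolves to the final name. A real journal is partial (it is a circular log), so a `None` path means the chain fell outside the retained window, not that the file never existed.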


45 Million Phones Tracked Without Consent, Says Lawsuit

Texas Attorney General Ken Paxton has filed a lawsuit against Allstate and its subsidiary Arity, accusing them of unlawfully collecting and selling sensitive location data from over 45 million Americans without consent, violating the Texas Data Privacy and Security Act. The suit claims Arity embedded tracking software in popular apps like GasBuddy and Life360, harvesting trillions of miles of driving data and selling it to insurers, including Allstate. This comes amid increasing concerns over the misuse of location data, which can reveal private aspects of individuals’ lives, such as health conditions and political affiliations, posing significant privacy and cybersecurity risks. Digital forensics experts often leverage such data for lifestyle analysis, demonstrating both its power and the dangers of its unauthorized exploitation.

Read More (Forbes)
