Digital Forensics Round-Up, January 23 2025

A round-up of this week’s digital forensics news and views:


Use of computer evidence in court to be interrogated

The UK Ministry of Justice launches a groundbreaking review of how computer evidence is treated in court, challenging the long-standing presumption that digital systems operate correctly by default. The 12-week call for evidence, announced by Justice Minister Sarah Sackman KC, comes in direct response to the Post Office Horizon scandal, where faulty accounting software led to hundreds of wrongful convictions. The review seeks expert input on defining and potentially reforming the legal treatment of digital evidence, particularly distinguishing between general digital artifacts like text messages and software-generated evidence. This initiative represents a significant shift in digital forensics policy, as authorities grapple with balancing the need for thorough scrutiny of digital evidence against maintaining efficient court proceedings in an increasingly digitized justice system.

Read More (Gov UK)


Amnesty International Digital Forensics Fellowship

Amnesty International’s Security Lab launches its third Digital Forensics Fellowship program, offering a unique opportunity for human rights defenders, journalists, and technologists to develop advanced digital investigation skills in the fight against state-sponsored surveillance. The part-time fellowship, running from April to July 2025, will select 5-7 participants globally to receive specialized training in spyware detection and incident response, including a week-long in-person convening in June. Fellows, who will receive a £500 monthly stipend, must possess foundational knowledge of Linux systems, command-line tools, and internet infrastructure, while demonstrating commitment to protecting civil society from digital threats. The program represents Amnesty Tech’s continued efforts to build a decentralized network of skilled investigators capable of responding to the evolving landscape of mercenary spyware targeting activists worldwide.

Read More (Amnesty International)





When The Job Comes Home: The Personal Toll Of Digital Forensics

A powerful firsthand account from former Digital Forensic Investigator Paul Gullon-Scott and his wife Fiona reveals the devastating psychological toll that investigating child abuse cases takes not only on investigators but their families. After 14 years of exposure to traumatic material at Northumbria Police, Gullon-Scott’s struggle with PTSD manifested in destructive behaviors that nearly destroyed his family life, including alcoholism, emotional withdrawal, and suicidal ideation. Through specialist trauma therapy and family support, he eventually recovered and now works as a Higher Assistant Psychologist, developing mental health frameworks for digital forensics professionals and advocating for better support systems that extend beyond the traditional yearly occupational health checks to encompass both investigators and their families.

Read More (Forensic Focus)


Effective Advanced Communication in DF/IR

Patrick Siewert, a veteran law enforcement officer turned digital forensics expert and educator, emphasizes the critical importance of advanced communication skills in digital forensics and incident response (DFIR). Drawing from his experience as an Adjunct Professor at Virginia Commonwealth University and observations of expert testimony, Siewert argues that technical expertise alone is insufficient without the ability to effectively communicate complex findings to various stakeholders. He highlights how poor communication skills, particularly in courtroom testimony and report writing, can undermine even the most thorough forensic analysis, and advocates for continuous development of these skills through active listening, thoughtful articulation, and practical experience beyond the “pump and dump” approach common in law enforcement digital forensics.

Read More (DFIR Philosophy)


Windows Recycle Bin – The known and the unknown

A detailed technical investigation into Windows Recycle Bin behavior reveals several previously undocumented characteristics that could prove crucial for digital forensic analysts. The research demonstrates that $I metadata files persist even after file restoration, allowing investigators to trace deletion history even when files have been restored; multiple deletions of the same restored file create distinct $I files with different timestamps; command-line deletions bypass the Recycle Bin entirely; and FAT32 systems, unlike NTFS, store Recycle Bin contents without user SID folders, limiting user attribution capabilities. These findings, tested on Windows 10 and validated using Eric Zimmerman’s RBCmd tool, provide forensic examiners with new insights into artifact interpretation and highlight the importance of correlating multiple artifacts for comprehensive analysis.

Read More (Be-binary 4n6)
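The $I files the post describes carry the original path, size and deletion time of each recycled item, so a parser for them is the natural companion to the findings above. The following is an added example, not code from the post or from RBCmd: it parses the Windows 10 (version 2) $I layout, which is an 8-byte version field, 8-byte original size, 8-byte FILETIME deletion timestamp, a 4-byte name length in UTF-16 code units, then the UTF-16LE path (the older version 1 layout has a fixed 520-byte name area instead of the length field), and it builds a deletion history from several records, which is the case the post highlights where one file is deleted, restored and deleted again. The sample records are constructed in the block; the paths and timestamps in them are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer arithmetic only: a float of ~1e17 ticks would lose precision.
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Decode one $I record (version 1: Vista-8.1, version 2: Windows 10+)."""
    if len(data) < 24:
        raise ValueError("too short to be an $I file")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_name = data[24:24 + 520]               # fixed-size name area
    elif version == 2:
        (name_len,) = struct.unpack_from("<I", data, 24)
        raw_name = data[28:28 + name_len * 2]      # length includes the NUL
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(filetime), "path": path}


def paired_r_name(i_name):
    """$IXXXXXX.ext holds metadata for the content file $RXXXXXX.ext."""
    if not i_name.startswith("$I"):
        raise ValueError("not an $I file name")
    return "$R" + i_name[2:]


def deletion_history(i_files):
    """i_files: {"$I....": bytes}. Returns deletions oldest first, one entry
    per $I record, so a file deleted twice shows up twice with its own time."""
    entries = []
    for name, data in i_files.items():
        rec = parse_i_file(data)
        entries.append({"i_file": name, "r_file": paired_r_name(name),
                        "path": rec["path"], "size": rec["size"],
                        "deleted": rec["deleted"]})
    return sorted(entries, key=lambda e: e["deleted"])


def build_i_file(path, size, deleted):
    """Constructed sample: assemble a version-2 $I record for offline testing."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted), len(path) + 1) + encoded


if __name__ == "__main__":
    # Constructed scenario: the same document deleted, restored, and deleted again.
    doc = r"C:\Users\alice\Documents\report.docx"
    sample = {
        "$IAB12CD.docx": build_i_file(doc, 12345, datetime(2025, 1, 20, 10, 30, tzinfo=timezone.utc)),
        "$IEF34GH.docx": build_i_file(doc, 12345, datetime(2025, 1, 21, 9, 5, tzinfo=timezone.utc)),
    }
    for e in deletion_history(sample):
        print(e["deleted"].isoformat(), e["i_file"], "->", e["r_file"], e["path"])
```

Two records with the same path and different timestamps are exactly the trace the post says survives a restore, which is why the history keeps every $I record rather than collapsing them by path.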


SRUMday Funday!

A detailed validation study of Windows System Resource Usage Monitor (SRUM) metrics on Windows 11 24H2 reveals both reliability and limitations in tracking system activities. Testing conducted using a 750MB test file shows that SRUM accurately records Explorer.exe file write operations but fails to track corresponding read operations during cross-volume transfers. Network upload tracking proved reliable, with both Chrome and OneDrive uploads accurately reflected in NetworkUsages BytesSent metrics. However, file wiping activities showed inconsistent tracking: while SDelete operations appeared in AppTimelineProvider, they were absent from AppResourceUsageInfo, and Eraser’s activity metrics failed to reflect actual data wiping operations. The research, analyzed using Azure Data Explorer and Eric Zimmerman’s tools, highlights the importance of corroborating SRUM data with other artifacts for comprehensive forensic analysis.

Read More (Think DFIR)


Handling Incident Response: A Guide with Velociraptor and KAPE

A comprehensive guide details an efficient incident response workflow combining Velociraptor and KAPE for investigating phishing attacks across large enterprise environments. The article outlines a structured approach using Velociraptor’s automated labeling and hunting capabilities to identify compromised endpoints, track lateral movement through RDP authentication logs and user access data, analyze suspicious processes with automated VirusTotal integration, and investigate persistence mechanisms through scheduled tasks and autoruns. The methodology emphasizes efficient data filtering through custom queries, strategic use of labels for organizing affected endpoints, and integration with KAPE for forensic triage, culminating in a systematic process for containment and recovery that balances thorough investigation with practical time constraints in real-world incident response scenarios.

Read More (Dean, Medium)


Authenticating Screenshots from Netflix’s Carry-On Movie

Digital forensics expert Ryan Benson demonstrates how URL analysis can authenticate screenshots using a Google Search URL spotted in Netflix’s “Carry-On” movie. By parsing the URL’s query parameters using the Unfurl tool, Benson extracts multiple data points including search timestamps, browser information, and user behavior patterns. The analysis reveals several inconsistencies between the URL data and the movie scene, including mismatched search terms (“nova shock” in URL versus “Nov Chuck” on screen) and temporal discrepancies (May 2023 timestamp versus December setting), effectively proving the screenshot was manipulated. Beyond this entertaining exercise, the article highlights how URL forensics can be leveraged to verify screenshot authenticity in real-world investigations, particularly when examining social media content and digital evidence.

Read More (DFIR Blog)
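The check Benson performs is a comparison between what a URL encodes and what a screenshot claims to show. The block below is an added example, not the post's code and not Unfurl: it parses a Google Search URL's query string, recovers the search terms from `q`, and decodes the `ei` parameter, assuming the layout Unfurl's author has documented for it (URL-safe base64 without padding, first four decoded bytes a little-endian Unix timestamp). It then reports the inconsistencies an examiner would flag. The URL and the `ei` value in it are constructed here, so the timestamp is invented and only illustrates the May-versus-December style of mismatch the post describes.

```python
import base64
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse


def decode_ei_timestamp(ei):
    """ei is URL-safe base64 with padding stripped; the first 4 bytes are
    a little-endian Unix timestamp (assumed layout, see lead-in)."""
    raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))
    if len(raw) < 4:
        raise ValueError("ei too short to hold a timestamp")
    (ts,) = struct.unpack_from("<I", raw, 0)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def analyze_search_url(url):
    """Pull the examiner-relevant fields out of a Google Search URL."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    findings = {"host": parsed.netloc, "query": q.get("q", [None])[0]}
    if "ei" in q:
        findings["timestamp"] = decode_ei_timestamp(q["ei"][0])
    return findings


def check_consistency(findings, shown_query, shown_year_month):
    """Compare URL-derived values with what the screenshot visibly shows.
    shown_year_month is a (year, month) tuple; returns a list of mismatches."""
    issues = []
    if findings.get("query") != shown_query:
        issues.append(f"search term mismatch: URL {findings.get('query')!r} vs screen {shown_query!r}")
    ts = findings.get("timestamp")
    if ts is not None and (ts.year, ts.month) != shown_year_month:
        issues.append(f"timestamp mismatch: URL {ts:%Y-%m} vs screen {shown_year_month[0]}-{shown_year_month[1]:02d}")
    return issues


def build_ei(unix_ts, trailer=b"\x00" * 12):
    """Constructed sample: encode a timestamp the way the assumed ei layout works."""
    raw = struct.pack("<I", unix_ts) + trailer
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


if __name__ == "__main__":
    # Constructed URL: search for "nova shock", ei carrying 2023-05-13T17:46:40Z.
    url = f"https://www.google.com/search?q=nova+shock&ei={build_ei(1684000000)}"
    found = analyze_search_url(url)
    print(found)
    # The screenshot supposedly shows "Nov Chuck" in a December scene.
    for issue in check_consistency(found, "Nov Chuck", (2023, 12)):
        print("-", issue)
```

The same `check_consistency` call with matching arguments returns an empty list, which is the result an authentic capture should produce; anything else is a lead, not proof, until the other parameters Unfurl decodes are also examined.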


Introducing SQBite (Alpha) – Python Tool for Extracting Records from SQLite Databases

Digital forensics expert Damien Attoe announces the alpha release of SQBite, a new Python tool designed to extract records from SQLite databases at a physical level, offering enhanced capabilities beyond traditional SQLite library access. The tool, released on Spyder Forensics’ Github, focuses on parsing allocated records from both main database files and Write-Ahead Logs (WAL), with the ability to identify multiple versions of records and trace transaction sequences. Unlike conventional tools that only access allocated records through SQLite libraries, SQBite physically traverses database files to extract data, making it particularly valuable for forensic validation and educational purposes. While currently in alpha with support for basic record extraction and WAL parsing, the upcoming beta version planned for March 2025 promises to add recovery functionality for freeblocks, freelist pages, and unallocated space.

Read More (Digital Forensics with Damien)
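SQBite's distinguishing feature is that it reads the database file itself rather than asking the SQLite library for rows. The block below is an added example, not SQBite's code: it walks a leaf table b-tree page by hand (page header, cell pointer array, per-cell payload length and rowid varints, then the record header's serial types) and decodes the allocated records on page 1, which is the `sqlite_master` catalogue. It deliberately stops short of what the post says the beta will add (freeblocks, freelist pages, unallocated space) and does not follow overflow pages, so it only serves payloads that fit in one page. The sample database is created locally with Python's `sqlite3` module purely as constructed test input.

```python
import os
import sqlite3
import struct
import tempfile


def read_varint(buf, pos):
    """SQLite varint: big-endian, 7 bits per byte for up to 8 bytes,
    with a 9th byte contributing all 8 bits. Returns (value, next_pos)."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9


def serial_type_len(st):
    """Byte length of a record field given its serial type."""
    if st <= 4:
        return (0, 1, 2, 3, 4)[st]
    if st == 5:
        return 6
    if st in (6, 7):
        return 8
    if st in (8, 9):
        return 0                  # constants 0 and 1 occupy no body bytes
    if st >= 12:
        return (st - 12) // 2     # even = blob, odd = text; same arithmetic
    raise ValueError(f"reserved serial type {st}")


def decode_value(st, raw):
    if st == 0:
        return None
    if 1 <= st <= 6:
        return int.from_bytes(raw, "big", signed=True)
    if st == 7:
        return struct.unpack(">d", raw)[0]
    if st in (8, 9):
        return st - 8
    return raw if st % 2 == 0 else raw.decode("utf-8")  # assumes UTF-8 database encoding


def parse_record(payload):
    """Decode one record payload: header varint, serial types, then the body."""
    hdr_len, pos = read_varint(payload, 0)
    types = []
    while pos < hdr_len:
        st, pos = read_varint(payload, pos)
        types.append(st)
    values, pos = [], hdr_len
    for st in types:
        n = serial_type_len(st)
        values.append(decode_value(st, payload[pos:pos + n]))
        pos += n
    return values


def parse_leaf_table_page(db, page_no, page_size):
    """Return [(rowid, [fields...]), ...] for a leaf table b-tree page (type 0x0D)."""
    base = (page_no - 1) * page_size
    hdr = base + (100 if page_no == 1 else 0)   # page 1 starts with the 100-byte file header
    if db[hdr] != 0x0D:
        raise ValueError(f"page {page_no} is not a leaf table page (type 0x{db[hdr]:02x})")
    n_cells = struct.unpack_from(">H", db, hdr + 3)[0]
    ptr_array = hdr + 8                          # leaf pages have an 8-byte header
    rows = []
    for i in range(n_cells):
        cell_off = struct.unpack_from(">H", db, ptr_array + 2 * i)[0]
        pos = base + cell_off                    # cell offsets are page-relative
        payload_len, pos = read_varint(db, pos)
        rowid, pos = read_varint(db, pos)
        rows.append((rowid, parse_record(db[pos:pos + payload_len])))
    return rows


def dump_sqlite_master(path):
    """Physically read page 1 and decode the sqlite_master records on it."""
    with open(path, "rb") as f:
        db = f.read()
    if db[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack_from(">H", db, 16)[0]
    if page_size == 1:
        page_size = 65536                        # header encodes 65536 as 1
    return parse_leaf_table_page(db, 1, page_size)


def make_sample_db():
    """Constructed sample database; nothing here comes from the post."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO notes(body) VALUES ('first draft')")
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for rowid, rec in dump_sqlite_master(make_sample_db()):
        print(rowid, rec)   # type, name, tbl_name, rootpage, sql
```

Comparing this output with `SELECT * FROM sqlite_master` through the library is the validation step the post has in mind: the two should agree on allocated records, and any divergence is worth understanding before trusting either tool on evidence.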


OSINT Investigation: A Case Study on Emmanuel Edokpolor, a suspect wanted by Nigeria

A comprehensive OSINT case study details how investigators leveraged the IRBIS OSINT Center to profile Emmanuel Edokpolor, a suspect wanted by Nigeria’s Independent Corrupt Practices Commission (ICPC), demonstrating advanced digital investigation techniques. The investigation combined multiple methodologies including name profiling, face biometrics analysis, social media investigation, phone lookup, AI psychology analysis, and network mapping to build a comprehensive suspect profile. The study highlights how modern OSINT tools can enhance criminal investigations by integrating digital forensics, behavioral analysis, and data mining to uncover connections and establish evidence trails. Of particular interest is the implementation of AI-driven psychology analysis for behavioral pattern recognition and the use of advanced network mapping techniques to visualize suspect associations, showcasing the evolution of digital investigation methodologies in contemporary law enforcement.

Read More (Efim Lerner, LinkedIn)
