A round-up of this week’s digital forensics news and views:
Industry News
DFIR Well-Being Study Results Reveal Need for Urgent Change
Phil Anderson and Paul Gullon-Scott break down the Forensic Focus International Well-Being Study, spotlighting findings on burnout, PTSD symptoms, and exposure to AI-generated CSAM among digital forensics professionals. The study points to urgent gaps in support structures across the DFIR field.
Research & Techniques
LEAPPs.org Launches Unified Artifact Browser
LEAPPs.org has shipped a major update adding an Artifact Browser that lets practitioners search and filter every artifact supported across iLEAPP, ALEAPP, RLEAPP, and VLEAPP in one place, eliminating the need to dig through individual GitHub repositories. Examiners can filter by tool, category, or file path pattern and jump directly to source files — a practical time-saver when planning extraction workflows.
Read more (abrignoni.blogspot.com)
Research & Techniques
Agentic AI Creates New Forensic Blind Spots
A 2026 Unit 42 engagement documented an insider weaponizing an enterprise AI assistant to exfiltrate data the user lacked direct permission to access — exploiting the agent's broader credential footprint. MCP-connected agents now operate across most enterprise environments, with research finding 43% of MCP server implementations contain command injection flaws. Forensic investigators face a novel challenge: reconstructing autonomous, multi-step agent actions across fragmented logs with no clear human actor trail.
Tools & Software
ADF Tools Version 6.3.0 Features Explored
Digital forensic specialist Rich Frawley reviews the latest features in ADF Tools MDI and ADF Pro version 6.3.0. The update is presented as a significant advance for field triage and forensic acquisition workflows.
Research & Techniques
Amped Explains Forensically Sound Deepfake Image Analysis Workflow
Analyzing suspected deepfakes demands more than a single AI detector — a defensible forensic workflow combines AI triage, metadata inspection, JPEG compression analysis, and geometric consistency checks. JPEG inconsistency analysis, for example, can expose localized AI inpainting edits that AI-based detectors miss entirely. Each step must be documented for reproducibility and courtroom defensibility.
Read more (blog.ampedsoftware.com)
Industry News
Vehicle Forensics Uncovers Digital Evidence in Cars
Modern vehicle infotainment systems store a wealth of forensic data that can answer critical investigative questions. Artifacts from these systems are increasingly relevant to DFIR practitioners working crash, crime, and civil cases.
Read more (policechiefmagazine.org)
Research & Techniques
Disk Forensics Techniques Help Identify Exfiltrated Data
Recovering exfiltrated file details from a disk image requires examining free space via file carving, slack space remnants, and orphaned MFT entries—all of which can survive deletion if acquisition is timely. NTFS artifacts including the $MFT, $LogFile, and USN Journal provide file names, timestamps, and operation records critical to reconstructing staging and exfiltration activity. SSD and NVMe adoption makes rapid image acquisition increasingly urgent, as TRIM operations accelerate unallocated data loss.
Industry News
Apple Stolen Device Protection Disrupts iPhone Acquisition
Apple's Stolen Device Protection, now enabled by default from iOS 26.4, blocks examiners from pairing an iPhone to a forensic workstation even when the passcode is known — the most disruptive change to iPhone pairing behaviour in roughly a decade. The feature enforces biometric-only authentication for the Trust This Computer prompt, with no passcode fallback, and activates whenever a device is away from a familiar location. Elcomsoft outlines version-specific triage rules and notes an upcoming solution to allow extraction agent sideloading with protection engaged.
Read more (blog.elcomsoft.com)
Research & Techniques
PersistenceSniper Detects 117 Malware Persistence Techniques
PersistenceSniper is an open-source tool that detects 117 malware persistence techniques across Windows, Linux, and macOS systems. Covering a broad cross-platform scope, it gives DFIR examiners a unified method to identify attacker footholds during investigations.