A round-up of this week’s digital forensics news and views:
Tools & Software
Amped Software Discusses CCTV Chain of Custody
Amped Software’s Lucy Carey-Shields and Blake Sawyer discuss CCTV evidence challenges and maintaining chain of custody from scene to courtroom. Drawing on their own time in UK and US law enforcement, Lucy and Blake walk through how easily digital video evidence can be mishandled, and why intangible data deserves the same rigour as a weapon or a knife in an evidence bag.
Case Studies
OSINT Training Identifies Nine CSAM Suspects Live
Law enforcement officers from across Malaysia completed an AFP-hosted workshop covering OPSEC, facial recognition, Google dorking, GEOINT, and SOCMINT techniques. Applying those methods to live NCMEC reports, participants identified nine child abuse suspects during the session itself. A full training log documenting the methodology is publicly available.
Research & Techniques
UEFI Bootkit Detection Workflows for DFIR
UEFI bootkits such as BlackLotus and CosmicStrand persist below the reach of standard forensic tools, requiring specialist utilities like CHIPSEC and UEFITool alongside pre-incident TPM PCR baselines to detect. A practical roundup covers known implants, forensic workflows, and why Secure Boot alone fails as a defence.
Tools & Software
Open-Source Tool Parses Android Intrusion Logs
A new open-source Python tool converts Android’s Advanced Protection Intrusion Logs from raw JSON into human-readable CSV, making telemetry more accessible for mobile forensic analysis. The project is in early stages, with the developer seeking collaborators to extend it toward automated IoC detection and anomalous behaviour flagging.
Industry News
Mobile Movement Patterns Aid Investigative Timelines
Location evidence from mobile devices extends beyond simple coordinates to reveal behavioural patterns and movement timelines. Analysing these patterns can help investigators reconstruct events and corroborate or challenge witness accounts.
Tools & Software
Free EDR Timeline Visualiser Tool Released
A beta EDR timeline visualiser built for vehicle forensic casework is now publicly available, developed from prior Tesla SEI decoding research. The free tool is designed to help examiners review and interpret event data recorder outputs during investigations.
Read more (edrvisualiser-beta.netlify.app)
Tools & Software
LAVA Brings New Reporting to LEAPP Tools
The LEAPPs project has introduced LAVA, a new artifact viewer designed to replace aging HTML reporting across iLEAPP, ALEAPP, RLEAPP, and VLEAPP. LAVA adds artifact search filtering, per-column filtering, conversation views for chat parsers, timestamp conversion, and multiple export options including TSV and CSV. Mobile forensic examiners can access LAVA now and contribute via the project’s Discord server.
Research & Techniques
New macOS Tahoe 26 Biome Artifact Tracks Menu Selections
A newly identified macOS Tahoe 26 Biome stream, App.MenuItem, logs every menu selection a user makes across the OS, capturing timestamps and exact menu text. Located at ~/Library/Biome/streams/restricted/App.MenuItem/local, it can be parsed using the open-source ccl-segb tool since most commercial forensic platforms don’t yet support it. Correlated with file system logs, it can reconstruct deliberate user actions such as compressing and deleting files.
Read more (unit42.paloaltonetworks.com)
Tools & Software
Evanole VM Update Adds Environment Version Manager
Evanole VM v20260603 introduces EVM, a command-line environment version manager built on uv and Git that lets examiners update and switch Python-based forensic tools without downloading a new OVA. New additions include crush-forensics for data structure analysis, LAVA auto-install on first launch, and a free Lumyx Path Builder web app for forensic timelining. Wireshark has also been optimised for nRF Bluetooth dongles.
Research & Techniques
Artifact Causation and the Daubert Standard
Forensic artifacts weren’t designed for examiners — they’re traces of system activity, and assuming causation without testing undermines court admissibility. Applying the scientific method means identifying and testing alternate explanations for every artifact before it appears in a report. Hexordia offers a free bite-sized class on mobile forensics testing.