Digital Forensics Round-Up, March 04 2026

A round-up of this week’s digital forensics news and views:

Top Talks From Magnet Forensics Virtual Summit 2026

Highlights from the Magnet Forensics Virtual Summit 2026 spotlight iOS Biome artifacts, preservation pitfalls, and PiKVM driver forensics on Windows. Speakers also demonstrate Magnet Axiom’s location correlation capabilities and approaches to acquiring and analysing Signal Messenger data. The full session catalogue is available online.

Read more (magnetforensics.com)


Building Windows USB Timelines For DFIR Investigations

USB devices remain a common route for data theft and malware delivery, making accurate connection timelines essential. Investigators often need to link a specific USB device to local file access, rather than simply proving it was connected. Elcomsoft highlights how Windows records different USB hardware classes and where gaps can appear.

Read more (blog.elcomsoft.com)


Amped Replay Adds Assisted Redaction Option For Shaky Video Evidence

Amped Software has added Assisted Redaction to Amped Replay to speed up masking for court and privacy requirements. Users can install builds with or without machine learning, depending on organisational policy. The tool detects people, faces, vehicles, and licence plates, but requires human review before MP4 export and PDF reporting.

Read more (forensicfocus.com)


New York Court Split Highlights Rising Bar For Video Authentication

New York’s highest court has split over whether a child abuse video was properly authenticated for trial. The majority found that prosecutors failed to establish a sufficient foundation linking the footage to the defendant. The decision signals increasing scrutiny of digital media as deepfakes and AI-edited content threaten evidentiary trust.

Read more (amny.com)


Deepfake Tests Show AI Detectors Fail, Raising Evidence Risks

Tests by major outlets show that AI detection tools struggle to reliably identify deepfakes, highlighting the limits of automated screening. As a result, DFIR teams may need to rely on provenance checks, metadata validation, and strong chain-of-custody controls to defend digital evidence. Stronger verification workflows can help ensure images and video withstand courtroom scrutiny.

Read more (forbes.com)


Malwoverview 7.0 Adds NIST Vulnerability Records

Malwoverview 7.0 expands its rapid-response malware intelligence lookups and now pulls vulnerability records from NIST. The tool already aggregates results from sources including VirusTotal, Hybrid Analysis, URLHaus, and MalwareBazaar, and also includes checks for Android vulnerabilities. Installation is available via pip using python -m pip install -U malwoverview.

Read more (github.com)


MalChela Meets AI: Three Paths To Smarter Malware Analysis

MalChela is being tested in AI-assisted malware analysis workflows, building on earlier experiments integrating it with OpenCode on REMnux. The focus is now on making these integrations more robust, reproducible, and persistent across environments, with three approaches explored to support different use cases.

Read more (bakerstreetforensics.com)


Apache ActiveMQ Exploit Leads To LockBit Ransomware

An attacker exploited CVE-2023-46604 on an exposed Apache ActiveMQ server on two occasions. After the attacker was evicted, access resumed 18 days later, with Metasploit activity including privilege escalation and LSASS dumping. Stolen credentials were then used to deploy LockBit over RDP; the ransomware was likely built using the leaked builder and configured to use Session for contact.

Read more (thedfirreport.com)


Ten Problems Volatility 2 Analysts Hit When Migrating To Volatility 3

Migrating from Volatility 2 to Volatility 3 can disrupt established workflows in memory forensics. Key pain points include symbol table handling across Windows, Linux, Android, and macOS, offline cache preparation, and kernel base detection failures. Andrea Fortuna also highlights plugin slowdowns, missing plugins, the availability of standalone binaries, and dependency pitfalls, along with practical workarounds.

Read more (andreafortuna.org)


FACT Framework Aims To Cut Report Bloat And Strengthen DFIR Attribution

Brett Shavers outlines the FACT Attribution Framework, which front-loads decision questions, competing hypotheses, and defensible inference chains. The framework separates technical identification, investigative attribution, and legal attribution to reduce risks during cross-examination. The guidance also covers stop rules to limit scope creep and explains how to disclose and validate AI-assisted work.

Read more (brettshavers.com)


Gabon Tightens Rules On Digital Evidence In Criminal Courts

On February 26, Gabon approved a draft ordinance amending the Criminal Procedure Code to govern the use of digital evidence in court. Digital data must demonstrate reliability, authenticity, and traceability, and be verified by public entities—raising the bar for DFIR workflows. A Cellebrite survey also finds that 60% of investigators consider digital evidence more decisive than DNA.

Read more (wearetech.africa)
