Digital Forensics Round-Up, March 12 2025

A round-up of this week’s digital forensics news and views:


Best Practices for Mobile Devices Evidence Collection & Preservation Handling and Acquisition

The Scientific Working Group on Digital Evidence (SWGDE) has released a draft document, “Best Practices for Mobile Devices Evidence Collection & Preservation Handling and Acquisition” (Version 2.0, dated 2/28/2025), for a 60-day public comment period. The guidelines set out procedures for digital forensics practitioners dealing with the particular challenges of mobile device evidence. Key considerations include anti-forensic features, specialized cables, data retention periods, encryption, network isolation, and the dynamic nature of mobile device data. The document emphasizes that qualified personnel must maintain evidence integrity throughout collection, preservation, and acquisition, while acknowledging the complications posed by diverse device types and proprietary operating systems.

Read More (SWGDE)


DF/IR is not dying. It’s just harder than ever.

Digital forensics and incident response (DF/IR) professionals now confront a transformed industry landscape marked by increasing automation, according to cybersecurity expert Brett Shavers. In his recent article, Shavers argues that while DF/IR is not dying, it faces significant challenges as companies increasingly favor “button-pushers” over skilled investigators. The cybersecurity job market has become a “meat grinder,” with entry-level positions attracting hundreds of applicants competing for low-paying SOC/NOC roles that offer little advancement into true forensic work. Meanwhile, artificial intelligence threatens to outpace human analysis speed, college programs flood the market with inadequately prepared graduates, and security clearance requirements create additional barriers for newcomers.

Read More (Brett’s Ramblings)





Learn About Oxygen Analytic Center With Matt Finnegan

Digital forensics practitioners gain a new tool with Oxygen Forensics’ Analytic Center (OAC), according to Matt Finnegan in a recent webinar. The client-server application lets teams upload digital forensic data to a central server that is accessible from any web browser, streamlining collaboration among investigation teams. Deployable both on-premises and in cloud environments, OAC addresses the growing challenge of sharing forensic data with non-technical reviewers across an organization. The system features granular user permission controls, allowing administrators to grant access at the departmental, case, or device level while customizing each user’s view according to their role and technical expertise.

Read More (Forensic Focus)


Sunday Funday – Searching for searching

Recent testing reveals a significant limitation in Microsoft 365’s Unified Audit Log (UAL): standard mailbox and OneDrive searches, whether performed by regular users or administrators, generate no audit entries, even when the searcher reaches another user’s resources through delegated permissions. Only eDiscovery content searches run through the Purview portal produce comprehensive logs. Outside eDiscovery, search history remains stored locally within the client applications rather than being centrally logged, unless administrators enable specific configurations that are disabled by default. This leaves a blind spot for digital forensics practitioners trying to establish what an account searched for.

Read More (ThinkDFIR)


Google Chrome Forensics: Analyzing History and cache

Google Chrome stores extensive user browsing data in SQLite databases and cache files, providing digital forensics practitioners with detailed evidence of online activities. The browser’s history database tracks URLs, timestamps, visit durations, and page transition types that reveal how users accessed websites, while the cache stores actual webpage content allowing investigators to reconstruct what users viewed. These well-structured artifacts, primarily located in the user’s profile directory, create comprehensive timelines of browsing behavior when properly analyzed with specialized tools, though cache data remains volatile as older items are automatically purged.
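The history database described above is plain SQLite, so the core of the analysis can be shown in a few dozen lines. The following is an added example, not code from the Medium article: it builds a constructed in-memory stand-in for Chrome’s History file using the `urls` and `visits` tables, converts Chrome’s WebKit timestamps (microseconds since 1601-01-01 UTC) to UTC datetimes, decodes the `transition` column into its core type (low 8 bits) and qualifier flags (high bits, following Chromium’s page transition layout), and joins visits to URLs into an ordered timeline. The sample rows, URLs and timestamps are constructed for illustration.

```python
"""Parse a Chrome History database into a browsing timeline.

Added example (not from the original article). Uses only the subset of
Chrome's History schema needed here; sample rows are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core transition type lives in the low 8 bits of visits.transition.
CORE_TRANSITIONS = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
# Qualifier flags OR'd into the high bits (Chromium page_transition_types.h).
QUALIFIERS = {
    0x00800000: "BLOCKED", 0x01000000: "FORWARD_BACK",
    0x02000000: "FROM_ADDRESS_BAR", 0x04000000: "HOME_PAGE",
    0x08000000: "FROM_API", 0x10000000: "CHAIN_START",
    0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT",
    0x80000000: "SERVER_REDIRECT",
}


def webkit_to_utc(ts):
    """Convert a WebKit microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def decode_transition(value):
    """Split visits.transition into (core type name, [qualifier names])."""
    core = CORE_TRANSITIONS.get(value & 0xFF, f"UNKNOWN({value & 0xFF})")
    flags = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, flags


def load_history(path):
    """Open a *copy* of the History file read-only; Chrome locks the live one."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_timeline(conn):
    """Join visits to urls and return visits in chronological order."""
    rows = conn.execute(
        "SELECT v.id, u.url, u.title, v.visit_time, v.visit_duration, "
        "v.transition, v.from_visit "
        "FROM visits v JOIN urls u ON v.url = u.id ORDER BY v.visit_time"
    )
    timeline = []
    for vid, url, title, vt, dur, trans, from_visit in rows:
        core, flags = decode_transition(trans)
        timeline.append({
            "visit_id": vid, "url": url, "title": title,
            "time_utc": webkit_to_utc(vt).isoformat(),
            "duration_s": dur / 1_000_000,   # visit_duration is in microseconds
            "transition": core, "qualifiers": flags,
            "from_visit": from_visit,        # 0 means no referring visit
        })
    return timeline


def make_sample_db():
    """Constructed stand-in for a real History file (schema subset only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER,
            last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
            visit_time INTEGER, from_visit INTEGER, transition INTEGER,
            segment_id INTEGER, visit_duration INTEGER);
    """)
    # 13386211200000000 == 2025-03-12T00:00:00Z in WebKit time.
    t0 = 13386211200000000
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.org/", "Example", 1, 1, t0, 0),
        (2, "https://example.org/login", "Login", 1, 0, t0 + 60_000_000, 0),
        (3, "https://example.org/account", "Account", 1, 0, t0 + 120_000_000, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
        # TYPED | FROM_ADDRESS_BAR | CHAIN_START | CHAIN_END, 45 s on page
        (1, 1, t0, 0, 0x32000001, 0, 45_000_000),
        # LINK | CHAIN_START | CHAIN_END, reached from visit 1
        (2, 2, t0 + 60_000_000, 1, 0x30000000, 0, 60_000_000),
        # FORM_SUBMIT | CHAIN_START | CHAIN_END, reached from visit 2
        (3, 3, t0 + 120_000_000, 2, 0x30000007, 0, 0),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for entry in build_timeline(make_sample_db()):
        print(entry)
```

To run this against real evidence, copy the profile’s `History` file out of the image first and call `load_history(copy_path)` instead of `make_sample_db()`; the `immutable=1` URI flag stops SQLite from trying to write a journal next to the copy. The `from_visit` chain is what lets you reconstruct click paths rather than just a flat list of URLs.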

Read More (Dean, Medium)


Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions

Apple’s Rosetta 2 translation layer, which lets x86-64 binaries run on Apple Silicon systems, leaves forensic artifacts that outlive the binaries themselves. When x86-64 code executes on an ARM64 Mac, the system writes Ahead-Of-Time (AOT) translated files into a protected cache directory (under /var/db/oah/), and those files remain after an attacker deletes the original malicious binary. Mandiant researchers have observed sophisticated threat actors, including North Korean APT groups, deliberately shipping x86-64 malware because macOS enforces code signing more strictly on native ARM64 binaries than on x86-64 binaries run through Rosetta 2. By analyzing the AOT cache in combination with FSEvents and Unified Logs, investigators can reconstruct malicious activity, establish first-execution timestamps, and potentially recover developer information from malware that would otherwise be unrecoverable.

Read More (Joshua Goddard, Google Cloud)


Deep Dive: Forensic Analysis of eM Client

Digital forensics practitioners investigating Business Email Compromise (BEC) incidents now regularly encounter the legitimate email client “eM Client” being exploited by threat actors for persistent mailbox access. This application, while not malicious itself, leaves distinct forensic traces that investigators can use to identify unauthorized activity. Threat actors prefer eM Client for its ability to store local email copies, maintain access after credential resets, manage multiple compromised accounts, and utilize built-in mass mailing features. When installed, the application creates identifiable artifacts in Entra ID audit logs, sign-in logs, and Unified Audit Logs, including specific operations such as service principal creation, application consent, and role assignments—all tied to eM Client’s unique application ID (e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd).
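Because the article ties every artifact back to a single application ID, the detection reduces to matching that ID across the three log sources. The following is an added example, not code from the Invictus IR article: it takes the eM Client application ID from the article, scans constructed Entra ID sign-in records (matching on `appId`) and constructed Entra ID audit records (matching the named setup operations whose target resources reference the app ID), and builds a per-user summary of first sign-in, source IPs and setup events. The record shapes are a simplified subset of the real sign-in and audit log fields, the user names, IPs, dates and the benign comparison app ID are constructed, and the `modifiedProperties` layout used to carry the app ID is an assumption for the sample only.

```python
"""Flag eM Client use in Entra ID sign-in and audit logs by application ID.

Added example (not from the original article). Log records are constructed
and use a simplified subset of the real Entra ID field names.
"""
import json
from collections import defaultdict

EM_CLIENT_APP_ID = "e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd"   # from the article
OTHER_APP_ID = "11111111-2222-3333-4444-555555555555"       # constructed, benign client

# Audit operations the article associates with eM Client's first use in a tenant.
SETUP_ACTIVITIES = {
    "Add service principal",
    "Consent to application",
    "Add app role assignment to service principal",
}

SAMPLE_SIGNINS = [  # constructed sign-in log entries
    {"createdDateTime": "2025-03-03T08:12:44Z", "userPrincipalName": "alice@contoso.example",
     "appId": EM_CLIENT_APP_ID, "appDisplayName": "eM Client", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-03-03T09:01:02Z", "userPrincipalName": "bob@contoso.example",
     "appId": OTHER_APP_ID, "appDisplayName": "Other Mail Client", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2025-03-05T22:40:19Z", "userPrincipalName": "alice@contoso.example",
     "appId": EM_CLIENT_APP_ID, "appDisplayName": "eM Client", "ipAddress": "198.51.100.23"},
]

SAMPLE_AUDITS = [  # constructed audit log entries; modifiedProperties layout is assumed
    {"activityDateTime": "2025-03-03T08:12:40Z", "activityDisplayName": "Add service principal",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "eM Client", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "AppId",
                                                  "newValue": EM_CLIENT_APP_ID}]}]},
    {"activityDateTime": "2025-03-03T08:12:41Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "eM Client", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "AppId",
                                                  "newValue": EM_CLIENT_APP_ID}]}]},
    {"activityDateTime": "2025-03-04T10:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "bob@contoso.example", "type": "User"}]},
]


def mentions_app(record, app_id):
    """True if the app ID appears anywhere in the record, wherever the export put it."""
    return app_id.lower() in json.dumps(record).lower()


def em_client_signins(signins, app_id=EM_CLIENT_APP_ID):
    """Sign-ins whose client application is eM Client."""
    return [r for r in signins if (r.get("appId") or "").lower() == app_id.lower()]


def em_client_setup_events(audits, app_id=EM_CLIENT_APP_ID):
    """Service principal / consent / role assignment events that reference eM Client."""
    return [r for r in audits
            if r.get("activityDisplayName") in SETUP_ACTIVITIES and mentions_app(r, app_id)]


def summarize(signins, audits, app_id=EM_CLIENT_APP_ID):
    """Per-user view: first eM Client sign-in, sign-in count, source IPs, setup events."""
    report = defaultdict(lambda: {"first_seen": None, "signin_count": 0,
                                  "ips": set(), "setup_events": []})
    for r in sorted(em_client_signins(signins, app_id), key=lambda r: r["createdDateTime"]):
        entry = report[r["userPrincipalName"]]
        entry["first_seen"] = entry["first_seen"] or r["createdDateTime"]
        entry["signin_count"] += 1
        entry["ips"].add(r["ipAddress"])
    for r in em_client_setup_events(audits, app_id):
        upn = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        report[upn]["setup_events"].append((r["activityDateTime"], r["activityDisplayName"]))
    # Sort IPs so the result is deterministic and JSON-serializable.
    return {upn: {**e, "ips": sorted(e["ips"])} for upn, e in report.items()}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SIGNINS, SAMPLE_AUDITS), indent=2))
```

On real data, feed the functions the JSON exports from the Entra ID sign-in and audit blades (or the parsed `AuditData` of Unified Audit Log records) rather than the samples; the consent event timestamp landing seconds before the first eM Client sign-in is the pattern to look for, and a first-seen date after a known phishing event or before a credential reset tells you whether the access persisted past remediation.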

Read More (Invictus IR)


Honoring Women in Cyberspace 2025: Future Crime Research Foundation Celebrates Women Pioneers in Cybersecurity and Digital Forensics

The Future Crime Research Foundation (FCRF) celebrates exceptional women in cybersecurity, digital forensics, and law enforcement through its “Honoring Women in Cyberspace 2025” initiative. The honorees represent diverse expertise across government, law enforcement, legal practice, academia, and corporate sectors. These professionals have made significant contributions through specialized work in areas including digital forensics, cryptocurrency investigation, cybercrime prevention, and quantum secure communications. Many recipients hold leadership positions in organizations such as police cyber crime units, forensic science laboratories, government ministries, and global corporations, where they develop innovative solutions for emerging threats while training the next generation of cybersecurity professionals.

Read More (The 420)
