A round-up of this week’s digital forensics news and views:
Autopsy 4.22.0: BitLocker Support, Cyber Triage Sidecar, Library Updates
The latest release of Autopsy introduces BitLocker support, allowing users to decrypt encrypted drives using recovery keys, and the ability to run alongside Cyber Triage without conflicts. Investigators can now seamlessly transition from Cyber Triage’s initial triage analysis to Autopsy’s deeper forensic capabilities without shutting down either tool. Cyber Triage, developed by the same engineers as Autopsy, focuses on intrusion analysis and remote access investigations, offering automated analysis to streamline forensic workflows. Additionally, a webinar hosted by Brian Carrier and Markus Schober on March 27 will cover attacker tactics that evade EDR detection, helping analysts identify pre-alert activity.
Read More (Autopsy Digital Forensics)
The Duck Hunters Guide – Blog #4 – DuckDuckGo Closed Tab Information (Android)
Closed tabs in the DuckDuckGo Android browser leave behind residual forensic artifacts despite deletion mechanisms. While the app.db database removes tab records upon closure, traces can persist in freeblocks and unallocated space unless securely overwritten. The cache directory retains tab previews and favicons, providing timestamps and visual evidence of closed tabs. By analyzing these cached files alongside browsing history, investigators can reconstruct user activity, linking search queries and website visits to specific timestamps. However, using the browser’s fire button erases all related data, leaving no forensic trail.
Read More (Digital Forensics with Damien)
Interview: Jessica Hyde, Founder, Hexordia
In this Forensic Focus interview, Jessica Hyde discusses her work leading Hexordia, expanding forensic training, and contributing to the DFIR community. As 1st VP of HTCIA and Chair of DFIR Review, she fosters networking and peer-reviewed research. Hexordia provides forensic casework, government services, and training on topics like mobile forensics and IoT. Hyde stresses the need for ongoing education, highlighting Capture the Flag (CTF) challenges as vital learning tools. She sees AI, cloud infrastructure, IoT, and evolving legislation as major challenges for forensic practitioners. Passionate about knowledge-sharing, she encourages blogging to strengthen the field. Outside of DFIR, she enjoys camping and board games to disconnect from technology.
SharePoint Sync: Productivity Turned Data Exfiltration
SharePoint’s native sync features, designed for productivity, can be exploited by threat actors to exfiltrate data, particularly if they gain access to a Microsoft 365 account. By leveraging the SharePoint Sync button or adding shortcuts to OneDrive, an attacker can obtain a full local copy of site contents. Investigations rely on Unified Audit Logs to track sync activity, identifying synchronized files, data volume, and IP addresses involved. Organizations can mitigate risks by restricting sync permissions, enforcing domain-based restrictions, blocking downloads, and controlling access from unmanaged devices. Strengthening security measures and monitoring sync-related logs are crucial to preventing unauthorized SharePoint data exfiltration.
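One way to work the Unified Audit Log angle described above: an added example (not the original post's code) that groups sync-download events by user and client IP and flags bursts above a threshold. The record field names follow the Office 365 audit schema and `FileSyncDownloadedFull` is the operation written when the sync client pulls a file; the records themselves are constructed, and the threshold is an assumption to tune per tenant.

```python
"""Summarise OneDrive/SharePoint sync downloads from a Unified Audit Log export."""
from collections import defaultdict

# Constructed sample UAL records (not real tenant data). Field names follow the
# Office 365 Management Activity schema; FileSyncDownloadedFull is the operation
# written when the sync client pulls a file to a device.
SAMPLE_UAL = [
    {"CreationTime": "2025-03-10T09:01:12", "Operation": "FileSyncDownloadedFull",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ObjectId": "https://example.sharepoint.com/sites/finance/Shared Documents/q1.xlsx"},
    {"CreationTime": "2025-03-10T09:01:13", "Operation": "FileSyncDownloadedFull",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ObjectId": "https://example.sharepoint.com/sites/finance/Shared Documents/q2.xlsx"},
    {"CreationTime": "2025-03-10T09:01:14", "Operation": "FileSyncDownloadedFull",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ObjectId": "https://example.sharepoint.com/sites/finance/Shared Documents/budget.docx"},
    {"CreationTime": "2025-03-10T09:01:15", "Operation": "FileSyncDownloadedFull",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ObjectId": "https://example.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx"},
    {"CreationTime": "2025-03-10T09:05:00", "Operation": "FileAccessed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ObjectId": "https://example.sharepoint.com/sites/hr/Shared Documents/handbook.pdf"},
    {"CreationTime": "2025-03-10T11:30:00", "Operation": "FileSyncDownloadedFull",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.5",
     "ObjectId": "https://example.sharepoint.com/sites/finance/Shared Documents/q1.xlsx"},
]

def site_of(object_id):
    """Extract the site name from a SharePoint URL, or 'root' when not under /sites/."""
    return object_id.split("/sites/", 1)[1].split("/", 1)[0] if "/sites/" in object_id else "root"

def summarize_sync_downloads(records, threshold=3):
    """Group sync downloads by (user, client IP); return pairs at or above threshold,
    with distinct file count, sites touched and the first/last timestamps (the
    burst window is what distinguishes a bulk sync from normal day-to-day use)."""
    files, first, last = defaultdict(set), {}, {}
    for rec in records:
        if rec.get("Operation") != "FileSyncDownloadedFull":
            continue  # other operations (FileAccessed etc.) are not sync pulls
        key, ts = (rec["UserId"], rec["ClientIP"]), rec["CreationTime"]
        files[key].add(rec["ObjectId"])
        first[key] = min(first.get(key, ts), ts)
        last[key] = max(last.get(key, ts), ts)
    flagged = [{"user": u, "ip": ip, "files": len(objs),
                "sites": sorted({site_of(o) for o in objs}),
                "first": first[(u, ip)], "last": last[(u, ip)]}
               for (u, ip), objs in files.items() if len(objs) >= threshold]
    return sorted(flagged, key=lambda f: -f["files"])
```

Feed it the JSON records from an audit-log export (one dict per event) and review the flagged pairs against the IPs and devices you expect for that user.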
Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts
The Japanese National Police Agency (NPA) and NISC have issued a security advisory on an APT campaign by MirrorFace, which exploits Windows Sandbox to execute malware undetected. Using the open-source LilimRAT, attackers enable and configure Windows Sandbox to evade security tools, execute malicious scripts, and establish C2 communication. With recent Windows updates allowing background execution and command-line configuration, detecting these attacks has become more challenging. Forensic investigations focus on tracking Windows Sandbox processes, Unified Audit Logs, and VHDX artifacts. To mitigate risks, organizations should monitor activation events, apply AppLocker policies, and restrict administrative privileges to prevent abuse.
Read More (Itochu Cyber & Intelligence Inc.)
The Basics of Digital Forensics – Request For Input
John Sammons is looking for digital forensics practitioners of all experience levels to contribute to the third edition of his book, The Basics of Digital Forensics. The upcoming edition will include interviews with professionals in the field, offering diverse perspectives on forensic practices. Those interested in participating or seeking more information are encouraged to reach out to him directly.
Read More (John Sammons, LinkedIn)
AnyDesk – Investigating Threat Actors' Favorite Tool
Threat actors frequently abuse AnyDesk, a legitimate remote monitoring and management (RMM) tool, to establish persistence and evade detection in compromised environments. Because endpoint security solutions often allow its use, attackers leverage AnyDesk for remote access, lateral movement, and data exfiltration. Investigating AnyDesk-related incidents involves analyzing logs such as connection_trace.txt, ad.trace, and file_transfer_trace.txt, as well as Windows artifacts like event logs, prefetch files, SRUM, registry entries, and network traffic. Identifying service creation events, firewall rule modifications, and execution traces in system artifacts can help detect unauthorized AnyDesk use and potential exfiltration attempts.
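To turn the connection_trace.txt artifact mentioned above into something reviewable, here is an added example (not from the original article) that parses the file and flags incoming sessions that used stored password or token authentication outside business hours. The tab-separated line layout, the field meanings and the sample lines are assumptions labelled in the code; confirm the layout against a trace file from your own AnyDesk version.

```python
"""Parse AnyDesk connection_trace.txt and flag unattended incoming sessions."""
import re
from datetime import datetime

# Constructed sample lines, not from a real host. The tab-separated layout
# (direction, "YYYY-MM-DD, HH:MM", auth method User/Token/Passwd, remote AnyDesk
# ID, alias) is assumed from public DFIR write-ups; check it against your own
# connection_trace.txt before relying on the regex.
SAMPLE_TRACE = """\
Incoming\t2025-03-10, 09:01\tUser\t123456789\tuser
Incoming\t2025-03-10, 23:47\tPasswd\t987654321\tuser
Incoming\t2025-03-11, 02:15\tToken\t987654321\tuser
Outgoing\t2025-03-11, 10:00\tUser\t555555555\tuser
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(Incoming|Outgoing)\t(\d{4}-\d{2}-\d{2}, \d{2}:\d{2})\t(\w+)\t(\d+)\t(.*)$")

def parse_connection_trace(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, ts, auth, remote_id, alias = m.groups()
        records.append({"direction": direction,
                        "time": datetime.strptime(ts, "%Y-%m-%d, %H:%M"),
                        "auth": auth, "remote_id": remote_id, "alias": alias})
    return records

def unattended_incoming(records, start_hour=22, end_hour=6):
    """Incoming sessions authenticated with a stored password or token (no local
    user clicked Accept) that started outside business hours. Treat this as a
    lead to pivot on, not a verdict: helpdesk staff also use unattended access."""
    hits = []
    for r in records:
        if r["direction"] != "Incoming" or r["auth"] == "User":
            continue
        hour = r["time"].hour
        if hour >= start_hour or hour < end_hour:
            hits.append(r)
    return hits

def remote_ids(records):
    """Distinct remote AnyDesk IDs, the pivot for cross-host correlation."""
    return sorted({r["remote_id"] for r in records})
```

The remote IDs are the value to carry across hosts and into the ad.trace and event-log review, since one attacker ID will typically show up on every machine they touched.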
Investigator’s Favorite Little Windows: WinFE
WinFE (Windows Forensic Environment) is a modified version of Windows Preinstallation Environment (WinPE) designed for forensic investigations, offering a read-only mode to prevent data modification. It supports familiar forensic tools like FTK Imager and EnCase, making it a versatile acquisition tool. However, WinFE has limitations, including potential drive signature alterations, inability to decrypt BitLocker-encrypted drives, and restricted visibility in multi-boot systems. Proper testing is essential to ensure forensic soundness, including checking for unintended modifications. While WinFE can be a valuable tool, investigators must understand its constraints and validate its integrity before use in real cases.
Read More (Forensics With Matt)
mStrings: A Practical Approach to Malware String Analysis
mStrings is a Rust-based malware analysis tool designed to streamline string extraction and enhance threat investigation. Unlike simple string dumpers, it integrates regex-based detection, structured JSON output, and MITRE ATT&CK mapping to provide meaningful context for malware artifacts. Analysts can cross-reference findings in hex editors, quickly review results in VS Code, and customize detection rules using Sigma. Optimized for efficiency, mStrings is part of the MalChela suite and continues to evolve with new features for improved investigative workflows.
Read More (Baker Street Forensics)
Sign Here
PDF signatures, whether scanned images, drawn signatures, or cryptographic signatures, provide the appearance of authenticity but lack inherent security. Simple forgeries, such as copying a signature image or manipulating a cryptographic signature by appending content, demonstrate how easily PDF signatures can be altered. Cryptographic signatures, introduced in PDF 1.3, rely on validation by specific viewers like Adobe Acrobat, LibreOffice, and Okular, while most common PDF readers do not verify them. Attackers can exploit weaknesses by impersonating a signer, stripping or modifying signatures, and appending unauthorized content while maintaining a valid signature. Ultimately, trust in a PDF signature depends not on the technical mechanism but on the credibility of the person presenting the document.
Read More (The Hacker Factor Blog)
Triage Collector
Forensic analysts in need of a quick DFIR triage solution can now use triage.zip, a prebuilt Velociraptor collector designed for rapid forensic data collection. While creating a custom offline collector is ideal, this ready-to-go tool ensures that responders always have access to essential triage capabilities when unexpected incidents occur. Simply download and run it for immediate forensic analysis.