A round-up of this week’s digital forensics news and views:
Data Preservation on Mobile Devices: The Quicker, The Better
Modern mobile phone features are making traditional digital evidence preservation methods increasingly ineffective, prompting the Scientific Working Group on Digital Evidence (SWGDE) to advocate for immediate onsite acquisition in a newly published position paper. Data degradation begins the moment a phone is seized, with factors like location-based security protocols, auto-reboots, USB restrictions, ephemeral artifacts, and anti-forensics apps all reducing or destroying valuable evidence. While technical solutions exist to capture data quickly, legal and policy frameworks often lag behind, relying on outdated assumptions about network isolation being sufficient. SWGDE urges forensic practitioners and tool vendors to prioritize preservation at the point of seizure to ensure comprehensive and legally defensible data collection in today’s volatile mobile landscape.
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK
A new paper introduces SOLVE-IT, a proposed digital forensic knowledge base inspired by MITRE ATT&CK, aiming to systematically catalog forensic techniques, their associated weaknesses, and potential mitigations. The resource currently indexes 104 techniques under 17 investigative objectives, with detailed entries for 33 of them, and is designed to support tool testing, quality assurance, AI integration, and practitioner training. Hosted on GitHub to encourage community contributions, SOLVE-IT enables structured reviews of forensic investigations and processes by linking techniques to known errors, CASE Ontology classes, and mitigation strategies. Demonstrations include using the knowledge base to highlight gaps in tool performance, AI applicability across forensic methods, and unresolved issues needing further research—paving the way for greater transparency, consistency, and reliability in digital forensics.
The Need for a National Review of Digital Forensics Thresholds in CSAM Cases
SYTECH highlights urgent concerns around inconsistent CPS prosecution thresholds and CSAM grading practices across UK regions, which result in unequal sentencing and place excessive strain on digital forensic analysts. The current system varies widely in image-count thresholds and evidentiary standards, complicating law enforcement efforts and exacerbating analyst exposure to traumatic material. SYTECH calls for a national review to standardise thresholds, expand the use of automation, protect analyst welfare, and improve operational efficiency. A unified, trauma-informed approach is essential to ensure fairer prosecutions, better resource allocation, and sustained support for professionals handling CSAM investigations.
Read More (Jessica Clewlow, LinkedIn)
Don’t Trust the Clock: Timestamp Discrepancies in iOS Unified Logs
In this investigative write-up, Lionel Notari explores a crucial discrepancy in iOS Unified Logs: the same log entry can display different timestamps depending on whether it’s viewed live through macOS Console or extracted for forensic analysis. When users manually alter the system time, live logs reflect the new, fake date, while forensic .logarchive files correctly preserve the actual moment the change occurred. This distinction is vital for investigators, as it confirms that forensic exports are more trustworthy. Notari also demonstrates how variables like TMCurrentTime in the logs can reveal the manually set date, reinforcing that the altered time can still be recovered and interpreted accurately.
Read More (iOS – Unified Logs)
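The check described above, written out as an added example (this is not code from Notari's write-up). It assumes text lines in the layout `log show` prints, where the leading timestamp is the one a forensic .logarchive export preserves, and a hypothetical `TMCurrentTime=<epoch seconds>` field inside the message carrying the user-set wall clock; the real field layout may differ. It flags two things an examiner looks for: an entry whose TMCurrentTime is far from its preserved timestamp (the manually set date, recovered), and a timestamp that runs backwards, which is the symptom a live Console listing shows after the clock is set back.

```python
"""Spot manually altered clocks in iOS unified log output (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample lines (not real device output); they exercise both checks.
SAMPLE_LOG = """\
2025-03-10 14:02:11.000000+0000 0x1f2 Default 0x0 88 0 timed: (TimeSync) periodic sync ok
2025-03-10 14:02:40.000000+0000 0x1f2 Default 0x0 88 0 timed: (TimeSync) TMCurrentTime=1893456000.0 source=manual
2025-03-10 14:03:05.000000+0000 0x1f2 Default 0x0 88 0 timed: (TimeSync) periodic sync ok
2025-03-10 13:59:00.000000+0000 0x2a0 Default 0x0 91 0 SpringBoard: (UIKit) lock screen shown
"""

# Leading timestamp as printed by `log show`, then the rest of the entry.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})\s+(?P<rest>.*)$"
)
# Hypothetical field layout: TMCurrentTime=<epoch seconds>.
TMCT_RE = re.compile(r"TMCurrentTime=(?P<epoch>\d+(?:\.\d+)?)")


def parse_ts(ts: str) -> datetime:
    """Parse the entry timestamp, keeping its UTC offset."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")


def find_clock_anomalies(text: str, max_skew_s: float = 60.0):
    """Return (line_no, kind, seconds) findings.

    'tmcurrenttime_skew': the user-set clock in TMCurrentTime differs from the
        entry's preserved timestamp by more than max_skew_s; the value is
        fake minus real, i.e. how far the clock was moved.
    'backwards_jump': the entry timestamp is earlier than the previous entry;
        the value is how far back it went.
    """
    findings = []
    prev = None
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or non-entry noise
        ts = parse_ts(m.group("ts"))
        if prev is not None and ts < prev:
            findings.append((n, "backwards_jump", (prev - ts).total_seconds()))
        prev = ts
        t = TMCT_RE.search(m.group("rest"))
        if t:
            fake = datetime.fromtimestamp(float(t.group("epoch")), tz=timezone.utc)
            skew = (fake - ts).total_seconds()
            if abs(skew) > max_skew_s:
                findings.append((n, "tmcurrenttime_skew", skew))
    return findings


if __name__ == "__main__":
    for line_no, kind, seconds in find_clock_anomalies(SAMPLE_LOG):
        print(f"line {line_no}: {kind} ({seconds:.0f} s)")
```

On the constructed input, line 2 reports a skew of roughly 4.8 years (the clock was set to 1 January 2030) and line 4 reports a 245-second backwards jump. Run against a real export, the skew finding gives the recovered user-set date directly; the backwards-jump check is only expected to fire on live-view output, since the archive keeps the true timeline.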
You Don’t Belong in DF/IR
Digital Forensics and Incident Response (DF/IR) is a highly demanding field that requires practitioners to be technically competent, self-sufficient, and capable of handling sensitive and complex cases without relying on constant guidance or training. Entry into the field is not based on academic credentials alone but on demonstrated ability to solve problems under pressure, interpret data accurately, and contribute to investigations where outcomes may involve criminal charges or courtroom scrutiny. Analysts must also be prepared to encounter disturbing content, including material related to child exploitation, abuse, and other severe crimes. Tools can assist, but the responsibility for analysis and interpretation rests with the examiner. The field calls for individuals who are committed to continuous learning and high standards, and those already in the profession are expected to help maintain these standards by supporting capable newcomers while filtering out those not suited to the work.
What’s Happening At Techno Security Wilmington, June 03 – 05 2025
The 2025 Techno Security and Digital Forensics Conference will take place in Wilmington, NC from June 3–5, offering over 100 sessions across cybersecurity, digital forensics, eDiscovery, and investigations. Highlights include a keynote on transnational financial scams, hands-on labs covering open-source forensics, sysdiagnose logs, and encryption, and presentations on AI-driven fraud, metadata in child exploitation cases, anti-forensics, blockchain in mobile apps, and dark web investigations. The event also features a live cyber incident response CTF, T-Warz, and sessions from major sponsors including Cellebrite and Magnet Forensics. Forensic Focus members can claim a 10% discount using code FOR25.
Shellbags Forensic Analysis 2025
Shellbags are Windows registry artifacts that track user folder interaction preferences and are valuable in digital forensic investigations for identifying accessed or deleted folders. Stored across various registry keys depending on OS version and folder type, Shellbags record folder paths, user-specific data, and timestamps tied to folder interaction. They are populated via Windows Explorer and Open/Save dialogs, though not all entries confirm content access. Analysts must interpret BagMRU and Bags keys to reconstruct user activity. Anti-forensic techniques include modifying registry permissions or using alternate browsing methods like PowerShell or web browsers. Due to their complexity, tools like Shellbag Explorer and SBECMD are used to analyze this data, though limitations include OS behavior differences, lack of file-level tracking, and dependency on specific user actions.
Google Location History Takeout Parser Version 1.3.0.0
Metadata Perspective has released a forensic tool for parsing Google Takeout Location History and Google Semantic Location History warrant return data. The parser extracts and organizes location data, including PlaceVisit durations and ActivitySegments, into CSV files for easier analysis. New features include TimeSpan and description fields, as well as LineString support for objects containing multiple points, such as waypoints and raw paths. Users can download and run the Windows application—Google Location History Data Parser—with additional steps required to bypass standard security prompts. The tool outputs structured data and original files for validation.
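To show what such a parser actually does with the data, here is an added example (not Metadata Perspective's tool) that flattens Semantic Location History JSON into CSV rows with a TimeSpan column and a WKT LineString for multi-point objects. The field names follow the Semantic Location History export layout as I know it (timelineObjects, placeVisit, activitySegment, latitudeE7/longitudeE7, waypointPath.waypoints with latE7/lngE7) and are an assumption to verify against a real export; the sample export is constructed.

```python
"""Flatten Google Takeout Semantic Location History JSON into CSV (added example)."""
import csv
import io
import json
from datetime import datetime

# Constructed sample export (not real Takeout data); field names are assumed.
SAMPLE_JSON = json.dumps({"timelineObjects": [
    {"placeVisit": {
        "location": {"latitudeE7": 515074000, "longitudeE7": -1278000,
                     "name": "Constructed Cafe", "address": "1 Example St"},
        "duration": {"startTimestamp": "2025-03-10T09:00:00Z",
                     "endTimestamp": "2025-03-10T09:45:00Z"}}},
    {"activitySegment": {
        "startLocation": {"latitudeE7": 515074000, "longitudeE7": -1278000},
        "endLocation": {"latitudeE7": 515200000, "longitudeE7": -1300000},
        "duration": {"startTimestamp": "2025-03-10T09:45:00Z",
                     "endTimestamp": "2025-03-10T10:10:00Z"},
        "activityType": "WALKING",
        "waypointPath": {"waypoints": [
            {"latE7": 515074000, "lngE7": -1278000},
            {"latE7": 515130000, "lngE7": -1290000},
            {"latE7": 515200000, "lngE7": -1300000}]}}},
]})

FIELDS = ["type", "start", "end", "time_span_s", "lat", "lng",
          "end_lat", "end_lng", "description", "linestring"]


def e7(value) -> str:
    """Convert an E7 integer coordinate to a fixed 7-decimal string ('' if absent)."""
    return "" if value is None else f"{value / 1e7:.7f}"


def parse_iso(ts: str) -> datetime:
    # Takeout uses a trailing 'Z'; fromisoformat on older Pythons needs +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def time_span(duration: dict) -> int:
    """Whole seconds between startTimestamp and endTimestamp."""
    delta = parse_iso(duration["endTimestamp"]) - parse_iso(duration["startTimestamp"])
    return int(delta.total_seconds())


def linestring(points, lat_key, lng_key) -> str:
    """WKT LINESTRING (x=longitude, y=latitude) for a multi-point object."""
    if not points:
        return ""
    coords = ", ".join(f"{e7(p[lng_key])} {e7(p[lat_key])}" for p in points)
    return f"LINESTRING({coords})"


def parse_timeline(text: str):
    """Turn a Semantic Location History document into flat row dicts."""
    rows = []
    for obj in json.loads(text).get("timelineObjects", []):
        if "placeVisit" in obj:
            pv = obj["placeVisit"]
            loc = pv.get("location", {})
            rows.append({
                "type": "PlaceVisit",
                "start": pv["duration"]["startTimestamp"],
                "end": pv["duration"]["endTimestamp"],
                "time_span_s": time_span(pv["duration"]),
                "lat": e7(loc.get("latitudeE7")), "lng": e7(loc.get("longitudeE7")),
                "end_lat": "", "end_lng": "",
                "description": loc.get("name", ""),
                "linestring": "",
            })
        elif "activitySegment" in obj:
            seg = obj["activitySegment"]
            s, e = seg.get("startLocation", {}), seg.get("endLocation", {})
            rows.append({
                "type": "ActivitySegment",
                "start": seg["duration"]["startTimestamp"],
                "end": seg["duration"]["endTimestamp"],
                "time_span_s": time_span(seg["duration"]),
                "lat": e7(s.get("latitudeE7")), "lng": e7(s.get("longitudeE7")),
                "end_lat": e7(e.get("latitudeE7")), "end_lng": e7(e.get("longitudeE7")),
                "description": seg.get("activityType", ""),
                "linestring": linestring(
                    seg.get("waypointPath", {}).get("waypoints", []), "latE7", "lngE7"),
            })
    return rows


def to_csv(rows) -> str:
    """Serialise rows as CSV text with a fixed header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_timeline(SAMPLE_JSON)))
```

Coordinates are emitted as fixed-precision strings rather than floats so that the CSV round-trips without rounding surprises, and the WKT order is longitude then latitude, which is what GIS tools expect when you load the LineString column. Keep the original JSON alongside the CSV, as the page notes, so the derived rows can be validated against it.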
Unix-like Artifacts Collector v3.1.0
UAC (Unix-like Artifacts Collector) v3.1.0 has been released, bringing new features and expanded artifact collection for Linux and BSD systems. Highlights include the ability to detect hidden /etc/ld.so.preload files via debugfs and xfs_db, collection of immutable files, and improved coverage of recently accessed files. A new offline_ir_triage profile has also been introduced for offline incident response triage scenarios.
Don’t lose your logbook
Testing indicates that using Cellebrite UFED Premium to perform a full file system extraction on an iPhone 11 (iOS 18.3.1) significantly reduces the size and content of the unified logs, effectively deleting earlier log entries. Comparison of logarchives before and after extraction revealed a drastic drop in file size and a reset of the “OldestTimeRef” value to a time just after the Cellebrite-induced device reboot. Additionally, the /private/var/db/diagnostics directory was missing from the extracted file system. These findings suggest that unified logs should be collected prior to connecting the device to UFED Premium, particularly when using the Premium Adapter in unlocked flow.