A round-up of this week’s digital forensics news and views:
Podcast: Cellebrite’s 2025 DFIR Industry Survey – Key Insights
Cellebrite’s Heather Barnhart and Paul Lorenz join the Forensic Focus Podcast to unpack insights from Cellebrite’s 2025 DFIR Industry Survey. They discuss challenges like encrypted devices, case backlogs, and the cautious rise of AI and cloud in forensics. The conversation touches on global trends, training preferences, cognitive bias, and the critical need for human oversight in digital investigations.
iPhone Backup Forensics 101
iPhone backups offer a fast, accessible forensic source, especially when physical access to a device isn’t possible. Key backup files include Info.plist (device details, app list), Manifest.plist (app bundles, OS info), Status.plist (backup status, timestamps), and Manifest.db (an SQLite database indexing files like SMS, Notes, and WhatsApp data). Understanding these files helps examiners extract critical evidence from local, unencrypted backups.
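As an added example that is not part of the article summarised above, the Python below builds a constructed in-memory copy of the Manifest.db `Files` table and shows how an examiner maps a domain and relativePath to the hashed file name an unencrypted iOS backup uses on disk (SHA-1 of "domain-relativePath", stored under a folder named by its first two hex characters); the sample rows are constructed, and the `flags` value is a placeholder.

```python
import hashlib
import sqlite3

# Constructed sample rows in the shape of Manifest.db's Files table:
# (domain, relativePath). sms.db and notes.sqlite live in HomeDomain.
SAMPLE_FILES = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/Notes/notes.sqlite"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
]


def backup_file_id(domain: str, relative_path: str) -> str:
    """fileID iOS derives for a backed-up file: SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def build_sample_manifest() -> sqlite3.Connection:
    """Create an in-memory Files table (constructed data) mirroring Manifest.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    rows = [(backup_file_id(d, p), d, p, 1, None) for d, p in SAMPLE_FILES]
    # One deliberately inconsistent row: its fileID does not match the hash of
    # its domain/relativePath, as a corrupt or hand-edited manifest would show.
    rows.append(("00" * 20, "HomeDomain", "Library/Tampered/example.db", 1, None))
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def locate_artifacts(conn: sqlite3.Connection, pattern: str) -> list:
    """For every Files row whose relativePath matches the SQL LIKE pattern,
    return the on-disk backup path (<first two hex>/<fileID>) and whether the
    recorded fileID agrees with the recomputed SHA-1 (a quick integrity check)."""
    query = "SELECT fileID, domain, relativePath FROM Files WHERE relativePath LIKE ?"
    results = []
    for file_id, domain, rel in conn.execute(query, (pattern,)):
        results.append({
            "domain": domain,
            "relativePath": rel,
            "path": f"{file_id[:2]}/{file_id}",
            "hash_ok": file_id == backup_file_id(domain, rel),
        })
    return results


if __name__ == "__main__":
    db = build_sample_manifest()
    for hit in locate_artifacts(db, "%"):
        print(hit)
```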
HashBro: A New File Hashing Tool for Digital Evidence Verification
HashBro is a newly developed file hashing tool designed for digital evidence verification, offering batch processing and robust reporting features. It generates professional reports in PDF, CSV, and JSON formats to track file integrity, identify matches, and document the chain of evidence. Available on GitHub, HashBro aims to support digital forensics professionals and invites community feedback on future enhancements.
New Study Evaluates Precision of Timing Advance Cellular Geolocation
Timing Advance, widely used in North American cellular geolocation evidence, has long sparked debate between prosecutors and defense over its precision. To address the lack of empirical data, Joe Hoy, Martin Griffiths, and U.S. law enforcement colleagues conducted tests to assess its reliability. Their newly published report finds that Timing Advance is dependable within a defined margin of error.
Too Much Noise in DF/IR
Digital forensics and incident response (DF/IR) is overwhelmed by fragmented content, unclear roles, and misaligned training, creating confusion across the field. To address this, practitioners should focus on role-specific skills, vet their learning sources, and prioritize practice over theory. Educators and vendors are called to align training with real-world needs, while academia is urged to embed active practitioners and prioritize performance. The field’s future depends on building clarity, competence, and professionalism together.
Linux Forensics is Harder than Windows (Here’s Why)
Linux forensics presents unique challenges compared to Windows, from diverse distributions, custom scripts, and varied file systems to the absence of a central registry and standardized logs. Investigators must navigate scattered configurations, tamper-prone logs, and ephemeral environments like containers, often under time pressure. A structured triage approach—identifying the system, collecting volatile data, examining key artifacts, and documenting thoroughly—helps cut through the chaos. Though demanding, Linux forensics rewards those who adapt, offering the satisfaction of solving complex, high-stakes puzzles.
Source: Mat Cyb3rF0xFuchs, Medium
The Good, the Bad, and the Ugly of Microsoft Edge’s Autofill Databases
Microsoft Edge’s autofill database quietly accumulates highly sensitive data—ranging from credit card numbers and passwords to HR forms and ChatGPT entries—often beyond users’ or organisations’ awareness. While these SQLite stores offer valuable forensic insights by preserving timelines and user behavior, they also create major security and compliance risks, providing rich targets for attackers. Poor form design and missing HTML safeguards exacerbate the problem, leaving organisations with hidden caches of unregulated data scattered across endpoints. Addressing this risk demands coordinated efforts in browser management, user training, form design, and regular auditing.
Heavy USB Forensics
USB forensics relies on analyzing system artifacts like the registry, event logs, jumplists, and setup logs to uncover critical details about connected devices. Investigators can determine drive letters, device make and serial numbers, copied file names, user activity, volume GUIDs, removal times, partitions, file system types, and volume serial numbers. Key techniques include correlating registry entries, extracting partition data, and decoding volume boot records to reconstruct USB usage and potential insider threats.