A round-up of this week’s digital forensics news and views:
Tools & Software
New Open-Source Forensic Browser Released
BlindSite is a new open-source forensic browser and encrypted evidence vault designed for high-risk digital investigations, including dark web and CSAM-adjacent workflows. It captures dynamic web pages, blocks harmful media from investigator view while preserving it encrypted, and exports sealed evidence packages with hashes and audit records. Tor support, chain-of-custody logging, and an authorized-reviewer decryption workflow round out the feature set.
Tools & Software
MalChela v4.1 Adds Mac Malware Analysis
MalChela v4.1 introduces dedicated macOS malware analysis tools covering Mach-O binary parsing, code signature verification, and plist static analysis, with indicators mapped to MITRE ATT&CK techniques. Twelve new Mac-specific detection rules target persistence, keychain access, dylib injection, and sandbox evasion. FileMiner gains session persistence and automatic Mach-O code-sign suggestions, and the release is freely available on GitHub.
Read more (bakerstreetforensics.com)
Interviews
Aid4Mail CEO on Email Forensics Challenges
Fookes Software founder Eric Fookes outlines how email investigations have shifted from local PST and mbox files to cloud-based collection via Microsoft 365 and Google Workspace APIs. Key practitioner insights cover mbox corruption risks, over-collection pitfalls under GDPR data-minimisation rules, and the limits of keyword-only search. Cloud-hosted attachments that no longer exist at their original URLs are flagged as a growing evidence recovery problem.
Tools & Software
LEAPPs Artifact Viewer LAVA Hits Beta
The LEAPPs Artifact Viewer Application (LAVA) has launched in beta, offering DFIR examiners a dedicated interface for large artifact datasets that exceed LEAPPs’ HTML reporting limits. Built by key community contributors including Kevin Pagano and James Habben, it adds on-the-fly timezone switching and dark mode. Binaries are available for Windows, Windows ARM, Apple Silicon, MacIntel, and Ubuntu.
Tools & Software
Android Adds Intrusion Logging for Spyware Investigations
Google is rolling out Intrusion Logging, an opt-in feature in Android’s Advanced Protection Mode aimed at security researchers and forensic analysts investigating spyware. Previously, Android investigations were hampered by system logs that overwrote quickly and lacked persistence for deep forensic reconstruction. The new capability offers meaningful improvements for mobile forensic examinations of high-risk targets such as journalists and activists.
Legal & Policy
Countering AI-Generated CSAM Defenses in Court
Defense attorneys are increasingly claiming CSAM is AI-generated, complicating authentication and jury deliberations in ICAC prosecutions. The episode covers why metadata alone is insufficient, how Rule 901 authentication applies, and when expert testimony is essential to rebut speculative deepfake defenses.
Read more (magnetforensics.com)
Research & Techniques
TRUTH Methodology Tackles Unsupported App Artifacts
A presentation from Simply Cyber walks DFIR practitioners through the five-step TRUTH methodology for parsing unsupported third-party apps and commonly overlooked file system artifacts. Jessica H. covers Track Down, Recreate, Unearth, Translate, and Help Others as a structured approach to mobile forensic analysis gaps.
Research & Techniques
AI Decodes Tesla Dashcam SEI Telemetry Data
A forensic practitioner used Claude AI to decode and explain SEI telemetry data embedded in Tesla MP4 dashcam footage, completing the analysis in under 90 minutes. The research targets collision investigators and digital forensic examiners who may need to present this evidence in court, covering both methodology and source verification.
Read more (teslasei.netlify.app)
Research & Techniques
WhatsApp Forensic Recovery: SQLite and WAL Artifacts
WhatsApp stores messages in SQLite databases that retain deleted records in freelists and WAL files until overwritten, giving investigators a time-sensitive recovery window. Android devices offer higher recovery potential through freelist persistence and encrypted backup decryption, while iOS applies aggressive vacuuming and sandboxing that narrows that window. Techniques including chip-off, ISP, and checkm8-based full file system extraction extend options for damaged or locked devices.
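The recovery window described above can be reproduced on a constructed SQLite file. This is an added example, not code from the article or from WhatsApp: the one-table schema, file names and message text are assumptions, chosen only to show where a deleted row's bytes linger (WAL, then freed cell space) and how VACUUM closes the window.

```python
import os
import sqlite3
import tempfile

# Constructed message body; the one-table schema below is a stand-in, not
# WhatsApp's real msgstore layout.
NEEDLE = b"constructed-secret-message"


def deleted_text_survives(text: bytes = NEEDLE) -> dict:
    """Insert one message, delete it, and report where its bytes still
    linger on disk: the WAL file before checkpoint, the main database
    file after checkpoint (freed cell space), and the main file after
    VACUUM, which rewrites every page from live rows only."""
    tmp = tempfile.mkdtemp()
    db = os.path.join(tmp, "msgstore.db")
    wal = db + "-wal"
    con = sqlite3.connect(db, isolation_level=None)  # autocommit mode

    def run(sql, params=()):
        # fetchall() so no statement stays open holding a read lock
        return con.execute(sql, params).fetchall()

    run("PRAGMA journal_mode=WAL")
    run("PRAGMA secure_delete=OFF")  # the default in most SQLite builds
    run("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    run("INSERT INTO messages(body) VALUES(?)", (text.decode(),))
    run("DELETE FROM messages WHERE id = 1")

    def raw(path):
        with open(path, "rb") as f:
            return f.read()

    result = {}
    # The WAL still holds the pre-delete frame of the page that carried the row.
    result["in_wal_before_checkpoint"] = text in raw(wal)
    run("PRAGMA wal_checkpoint(TRUNCATE)")
    # The checkpointed page keeps the dead cell; only its header bytes were touched.
    result["in_db_after_checkpoint"] = text in raw(db)
    run("VACUUM")
    run("PRAGMA wal_checkpoint(TRUNCATE)")
    # VACUUM rebuilt the file from live rows only: the window has closed.
    result["in_db_after_vacuum"] = text in raw(db)
    con.close()
    return result


if __name__ == "__main__":
    print(deleted_text_survives())
```

On a real handset the same three states are what separate a recoverable chat from a lost one, which is why imaging before the app or OS gets a chance to checkpoint or vacuum matters.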
Training & Events
AI DFIR Competition Seeks Expert Judges
A competition challenging nearly 3,000 participants to build AI agents capable of detecting malicious activity in real DFIR data is now recruiting judges with forensic and AI expertise. Judging runs June 19–July 3 across six criteria including IR accuracy, audit trail quality, and hallucination detection, with $22,000 in prizes at stake.
Research & Techniques
C2PA Content Credentials: What Examiners Must Know
C2PA Content Credentials establish media provenance, not authenticity — a critical distinction for investigators and attorneys. Brandon Epstein explains how credentials can be stripped, why their absence proves nothing, and what practitioners need to understand as adoption grows.