Digital Forensics Round-Up, May 20 2026

A round-up of this week’s digital forensics news and views:


Tools & Software

ADF Solutions Highlights Importance Of On-Scene Digital Forensics

Stuart Hutchinson, VP of Sales at ADF Solutions, joins the Forensic Focus Podcast to talk about on-scene digital forensics and empowering first responders during the golden hour. Stuart shares his journey from 23 years with the Met Police — including a chance encounter in a New Scotland Yard lift that led him into Mac forensics and the vendor space at BlackBag, Cellebrite, Oxygen, and now ADF. With 99.9% of investigations involving a digital element, he argues that mishandling digital evidence at the scene is as damaging as trampling through traditional forensic evidence.

Read more (forensicfocus.com)


Tools & Software


YellowKey Exploit Automates BitLocker Bypass

A security researcher has published an automation script on GitHub that streamlines use of the YellowKey exploit for bypassing BitLocker on TPM-locked Windows 11 devices — reporting 75% success across lab cases. The script, built with ChatGPT assistance, automates USB build and rebuild steps forked from the original YellowKey repository, complementing existing methods like bitpixie and DMA attacks.

Read more (github.com)


Research & Techniques

Berla Explores How To Find Previous Locations Without Geolocation Data

Timestamped odometer data can help investigators identify where a vehicle has been, even without GPS records. By combining journey timings, distances and reachability analysis, they can narrow unknown stops to specific areas of interest and uncover valuable investigative leads.

Read more (forensicfocus.com)


Research & Techniques

Volatility Plugin Decrypts IPsec Traffic from Memory

A new Volatility 3 plugin extracts IPsec session keys directly from Linux memory dumps, enabling analysts to feed those keys into Wireshark and decrypt previously opaque network captures. Bridging memory forensics and network analysis, the technique turns encrypted packet captures into readable cleartext without requiring access to private keys or certificates.

Read more (andreafortuna.org)


Well-Being

Podcast Explores How Distressing Material Shapes Investigator Well-Being

Dr. Fazeelat Duran, Assistant Professor in Psychology at the University of Birmingham, joins the Forensic Focus Podcast to talk about the psychological impact of working with distressing material in law enforcement roles. Drawing on her recent longitudinal study — the first of its kind to follow newly recruited secondary investigators and analysts from day one through 18 months in role — Dr. Duran explains how repeated, indirect exposure to traumatic material shapes mental health over time. She walks through the trajectory her team observed at six, 12, and 18 months, the concept of “dosage of exposure,” and why early warning signs often go hidden in the first six months when the novelty effect masks the emotional toll to come.

Read more (forensicfocus.com)


Research & Techniques

Pagefile.sys Yields Critical Memory Forensic Evidence

When live RAM acquisition isn’t possible, pagefile.sys becomes a primary source for recovering volatile evidence that would otherwise be lost. Chad Gish details how examiners can extract decrypted chat fragments, plaintext credentials, memory-only malware artifacts, and user activity preserved across reboots from this hidden Windows system file.

Read more (magnetforensics.com)


Tools & Software

Emi Polito Demonstrates Assisted Redaction In Amped Replay

Emi Polito, Forensic Analyst at Amped Software, provides a live demo of Assisted Redaction in Amped Replay — a new tool that automatically detects people, vehicles, and license plates to streamline complex redaction tasks. He sets the scene by covering the wider context of AI in policing: the College of Policing’s principles, the EU AI Act, the forensic risks of generative tools that hallucinate detail, and why Amped’s Assisted Redaction runs entirely offline.

Read more (forensicfocus.com)


Tools & Software

crush-forensics Adds LevelDB and SEGB Parsers

crush-forensics, an open-source desktop tool for digital forensic analysis, has released refined parsers for LevelDB and Apple SEGB/Biome formats, with supporting deep-dive write-ups explaining investigative significance. LevelDB support includes MANIFEST metadata, compaction levels, and per-record state filtering; SEGB support covers v1 and v2 with automatic protobuf decoding, Cocoa timestamps, CRC verification, and backing SQLite access via json_extract.

Read more (github.com)


Tools & Software

Tesla Dashcam Telemetry Decoder Tool Launches

A new interactive learning tool lets forensic examiners decode SEI telemetry data embedded in Tesla dashcam MP4 files, stepping through hex conversion for each of 2,174 data fields per 60 seconds of footage. Built to support collision investigators who rely on this data as EDR-equivalent evidence, it includes explainers, a glossary, and knowledge checks. A standalone decoder validated against Tesla’s published tool is planned as the next development phase.

Read more (teslasei.netlify.app)


Tools & Software

Plaso Releases Version 20260512

A new version of Plaso, the widely used log2timeline supertimeline framework, has been released on GitHub. Practitioners relying on Plaso for timeline analysis should check the release for updates and compatibility changes.

Read more (github.com)


Training & Events

DFIR Community Launches GenAI Investigation Challenge

Brian Carrier is organizing a four-week community challenge inviting DFIR practitioners to submit sanitized screenshots showing where GenAI helped or failed during real investigations, CTFs, or realistic datasets. A panel of judges — including names from SANS, LEAPPS, and Sleuth Kit Labs — will select finalists, with public voting determining winners. Submissions close May 25, 2026.

Read more (tally.so)


Legal & Policy

Post Office Scandal Shapes Digital Evidence Trust

A digital forensics practitioner who grew up affected by the Post Office Capture scandal has published a blog post drawing on evidence submitted to the Ministry of Justice’s 2025 call for evidence on digital evidence reliability in criminal proceedings. The piece connects the scandal’s lessons to current AI adoption risks, arguing that unchecked computer output can destroy individuals and families. It makes a case for why rigorous verification of digital evidence matters more than the profession often acknowledges.

Read more (blog.sarahmorris.prof)
