Digital Forensics Round-Up, May 27 2026

A round-up of this week’s digital forensics news and views:


Industry News

Ex-DFIR Investigator Discusses Impact on Family Life

An ex-DFIR investigator shares a candid account of how exposure to disturbing investigative material spills beyond the workplace into family life. Paul Gullon-Scott’s personal narrative highlights a rarely discussed dimension of DFIR work — the toll on investigators and those closest to them. The piece makes a clear case for better structured support for examiners and their loved ones.

Read more (forensicfocus.com)


Tools & Software


LEAPPs Launches Viewer App and Central Release Hub

The LEAPPs project has released LAVA (LEAPPs Artifact Viewer App) alongside updates to all LEAPPs tools, plus a new webpage centralising all releases to eliminate the need to hunt across multiple GitHub repositories. A mailing list is now available for practitioners wanting early notice of future releases.

Read more (leapps.org)


Research & Techniques

Telegram Forensic Artifacts: A Field Guide

Telegram’s 2024 policy shift made it more cooperative with law enforcement, but message content remains largely off-limits via legal process — placing the device at the centre of any content-focused investigation. This guide covers Android cache4.db table structures, iOS db_sqlite binary serialisation, and acquisition sequencing within a narrow first-60-minute window, including WAL and freelist remnant recovery. Specific SQLite queries, TL constructor IDs, and tool references make the methodology immediately reproducible in the lab.

Read more (andreafortuna.org)


Industry News

Aid4Mail Targets Cloud Attachment Collection

Cloud-hosted “modern attachments” in email can create preservation and context gaps for forensic and eDiscovery teams, because standard exports often capture only the URL rather than the linked file. Aid4Mail’s cloud-attachment collection workflow retrieves linked files, preserves metadata and version information, logs exceptions, and feeds the results into downstream review, filtering, and AI-assisted classification.

Read more (forensicfocus.com)


Tools & Software

Free Vehicle Forensics Tools Launch for Investigators

The Vehicle Network Labs has launched two free browser-based tools for vehicle data investigators: a Tesla Dashcam SEI Decoder that parses binary structure, GPS encoding, and SEI data streams inside Tesla MP4 files, and an EDR Timeline Visualiser for plotting pre-crash event data. Both tools target the gap between raw vehicle data and actionable forensic interpretation, with CAN Bus and airbag visualisers in development.

Read more (tvnlabs.co.uk)


Research & Techniques

BitLocker Bypass Landscape for DFIR Investigators

A follow-up survey maps the full history and current state of BitLocker bypasses, including the newly documented YellowKey attack, giving investigators a practical reference for what to expect when examining seized Windows machines in 2026. Known weaknesses and still-exploitable gaps are covered alongside a practical acquisition workflow.

Read more (blog.elcomsoft.com)


Training & Events

Free Intro to DFIR Course by Brian Carrier

Brian Carrier, creator of the Autopsy forensic platform, offers a free introductory DFIR course covering systematic approaches to intrusion investigations across 33 lessons and 2.5 hours of content. Over 27,000 students have already enrolled, making it one of the more widely adopted free resources in the field.

Read more (training.sleuthkitlabs.com)


Tools & Software

Cellebrite Announces Spring 2026 Release

Cellebrite’s Spring 2026 release focuses on improving access, speed, confidence, and collaboration across digital investigations. Updates include expanded device and OS support, Safeguard mode, drone forensic capabilities, AI-powered tools such as Guardian Investigate and Genesis, enhanced Pathfinder reporting, and tighter integration across the Cellebrite ecosystem.

Read more (forensicfocus.com)


Research & Techniques

GKE Forensics: Logging Gaps and IR Tactics

Kubernetes incident response on Google Kubernetes Engine requires adjusting your approach based on cluster mode — Autopilot removes node-level access entirely, forcing IR teams to rely solely on control-plane logs. Data Access logs covering secret enumeration and unauthorized exec sessions are disabled by default, meaning evidence is permanently lost if not enabled pre-incident. NetworkPolicies can quarantine compromised pods without alerting attackers or destroying volatile memory.

Read more (invictus-ir.com)


Industry News

AI Risk Framework Maps to NIST, SWGDE for DFIR

A new framework mapping AI integration risks to NIST and SWGDE forensic workflows was previewed at RSAC Conference, developed with input from prominent DFIR practitioners including Ovie Carroll, Taz Wake, and Rob Lee. It positions AI as a “junior analyst” requiring human validation, with risk levels assigned to each workflow phase to flag where automation is safe versus dangerous. Phased documentation releases and real-case usage examples from field experts are planned.

Read more (linkedin.com)


Training & Events

IACIS Opens 2026 EMEA Forensics Scholarship Applications

IACIS is accepting applications for its 2026 EMEA Scholarship, covering full tuition for the BCFE course (valued at €4,800), entry into the CFCE certification programme, forensic equipment, and an Arsenal Recon tool subscription. Law enforcement, NGOs, and paralegal organisations across Europe, the Middle East, and Africa are eligible to apply between May 15 and July 15, 2026, for training in Budapest that October.

Read more (iacis.com)
