A round-up of this week’s digital forensics news and views:
UK Call for a National DFI Mental Health Working Group
UK policing faces a reckoning over digital forensic investigator (DFI) welfare as research finds 68.8% of investigators show PTSD symptoms, while support remains inconsistent, reactive, and designed without their lived input. A national working group bringing DFIs together with trauma clinicians, occupational health, researchers, and Home Office stakeholders is proposed to co-design evidence-based, practical interventions that go beyond six-session caps and patchy local schemes. The Child Abuse Image Database (CAID) and emerging AI can reduce duplicate exposure, but first-generation CSAM still lands on analysts’ desks, making standardized screening, trauma-informed supervision, and funded peer networks critical for retention, accuracy, and child-protection outcomes.
Organised Crime Online: How Europol Disrupts Cybercrime
Europol lays out how it targets organised cybercrime, emphasizing cross‑border intelligence sharing, coordinated infrastructure takedowns, cryptocurrency tracing, and tight public‑private collaboration. For DFIR teams, it signals growing reliance on rapid data preservation, lawful cross‑jurisdiction evidence exchange, and platform cooperation that can reshape timelines and toolsets. In a notable shift, disruption aims to fracture criminal ecosystems as much as to land arrests, pushing investigators to map dependencies and anticipate cascading effects.
Inside Proton Drive Android: Artifacts, Metadata, and PGP Roadblocks
Damien Attoe peels back Proton Drive’s Android vault, pinpointing the db-drive SQLite store—spanning 110 tables laced with PGP artifacts—as the keystone for account and storage evidence. User and session details surface in UserEntity and AccountEntity, while linkEntity yields hierarchy, timestamps, share indicators, MIME types, sizes, and access counts, yet filenames reside in PGP-encrypted blobs whose key IDs can be seen but private keys aren’t on-device. For examiners, that translates to solid activity reconstruction without plaintext filenames or contents, with ready-made SQL queries to speed collection and triage.
Read more (digital4n6withdamien.blogspot.com)
Original Photos vs. Screenshots: Metadata That Makes or Breaks Evidence
Courts increasingly see images as evidence, but not all pixels carry equal weight. Dante Fazio explains how camera‑original photos preserve verifiable EXIF and device-level artifacts that can be validated via forensic extraction and hashing, whereas screenshots overwrite or strip timestamps, GPS, and edit traces, severing source linkage and inviting spoofing. In a practical twist, he highlights iOS Photos.sqlite fields that expose edits and origins even when on-screen details look legitimate, yet screenshots effectively neutralize those signals. The takeaway for investigators and attorneys is to demand originals or strong corroboration from device logs and servers, because screenshot-only submissions risk exclusion and can undermine a case.
Read more (metadataperspective.com)
Samsung-Only Android Artifacts Need New Forensic Parsers
Mattia Epifani spotlights a trove of Samsung‑only SQLite databases that most forensic suites skip, urging the community to build parsers. From app‑use predictors and Wi‑Fi geofences to Secure Wi‑Fi event logs, Continuity activity/sleep signals and a richer Privacy Dashboard, these artifacts can expose launches, movement, boot/time tweaks, locations and notification states—yet many persist only briefly (battery 1–2 days, network 5–7, permissions ~7, CPU ~30). Unique to Samsung and largely unmined, they could sharpen timelines and behavior analysis if researchers validate and operationalize them before the evidence rolls off.
Read more (blog.digital-forensics.it)
Cellebrite Charts Three-Stage AI Plan to Accelerate Digital Investigations
Cellebrite charts a three-stage AI push to tackle digital evidence backlogs, pairing automation with investigator oversight to speed review and surface hidden links. New and planned features span image and video classification, chat summarization, speech-to-text, entity resolution, and forthcoming agentic assistants with conversational querying and deepfake detection. Early casework ranges from triaging 35TB in a Connecticut CSAM probe to asset-focused cartel takedowns and faster IP theft response, signaling a shift in DFIR workloads from sifting to validating.
Jad Saliba Donates $500K to TMU Anti-Exploitation Programs
Magnet Forensics co-founder Jad Saliba is channeling $500,000 through his Badge of Hope foundation to expand Toronto Metropolitan University’s survivor-informed work against child sex trafficking and online child sexual exploitation. It backs a new executive certificate and a forthcoming Master of Health Sciences, building transdisciplinary training and research capacity over the next decade. For digital forensics practitioners, the gift funds bursaries for police and survivor-leaders and reinforces an academic pipeline and research centre poised to sharpen tools, practice and global coordination in OCSE cases.
Prompt Injection Upends Digital Forensics Norms
Prompt injection attacks are upending digital forensics as AI agents spread across enterprise workflows, with half of successful abuses triggering no alert and nearly 70% of cases resisting reconstruction, Dorian Granosa says. Because the breach lives inside a model’s stochastic reasoning, conventional request/response logs and healthy dashboards can mask unsafe actions that propagate between agents, as Donghyun Lee’s prompt infection research shows. Forensic readiness now demands smarter telemetry—an AI “flight recorder” of prompts, parameters, tools and timing—plus cross-agent correlation and explicit visibility agreements with vendors to preserve auditability and incident response.
Read more (bankinfosecurity.com)
Council of Europe Launches CyberSEE to Boost Digital Forensics Capacity
Council of Europe’s new CyberSEE initiative targets a persistent gap: scalable skills and procedures for handling digital forensics and electronic evidence across South‑East Europe. Working with regional justice and law enforcement bodies, the program promises hands‑on training, harmonised SOPs, and stronger cross‑border cooperation to make digital evidence both usable and rights‑compliant. For investigators and prosecutors, that means better triage, faster mutual legal assistance, and fewer courtroom challenges over chain of custody and admissibility.
Digital Forensics Workshop at ITASEC26 Announces CFP and Practical Focus
A Digital Forensics Workshop co-located with ITASEC26 puts a practical, courtroom-minded lens on investigations and opens its call for papers. Organizers Silvia Lucia Sanna, Sebastiano Battiato, and Luca Cadonici aim to probe limits in mobile, memory and computer acquisition, IoT, and open-source tooling, while confronting deepfakes and AI-assisted analysis with an eye to admissibility. Key dates move fast: submissions due 5 December 2025, decisions by 20 December, camera-ready 10 January, and the workshop on 9 February 2026.





