A round-up of this week’s digital forensics news and views:
A new iOS 18 security feature makes it harder for police to unlock iPhones
Apple’s new iOS 18 security feature, introduced in iOS 18.1, adds an inactivity timer that reboots locked iPhones after four days, activating a “Before First Unlock” (BFU) state that enhances device security. This move, aimed at maintaining data protection, makes it harder for law enforcement to access data on locked iPhones. The BFU state requires a passcode for access, restricting forensic extraction methods, and further aligns Apple’s stance against compromising device encryption, despite recurring law enforcement pressures.
Open-Source Solutions For Digital Forensic Investigators
Open-source tools are proving invaluable for DFIR practitioners, offering accessible and powerful solutions for digital investigations without the high costs of commercial software. This article highlights five notable tools: TRACE, for disk image analysis; UFADE, for iOS data extraction; ParseUSBs, for USB artifact parsing; xeuledoc, for OSINT on Google documents; and EventLogExpert, for .evtx file analysis. Each tool addresses specific investigative needs, from registry analysis to real-time event monitoring, ensuring practitioners are equipped to handle complex digital forensic challenges.
Samsung Secure Health Data Parser — A Forensic Tool for Parsing & Analyzing Samsung Secure Health Databases
The Samsung Secure Health Data Parser is a new forensic tool for extracting and analyzing data from Samsung Health databases, critical for investigations involving health, movement, and exercise data. Developed to automate parsing of data such as step counts, heart rates, and exercise sessions, this tool provides a user-friendly interface and command-line mode for flexible use. It generates reports in Excel and HTML formats, offering valuable insights for investigators, health researchers, and insurance analysts. By bridging gaps in existing tools, it simplifies accessing otherwise complex health data stored in encrypted Samsung Health databases.
Read More (BreakPoint Forensics)
‘I was moderating hundreds of horrific and traumatising videos’
The BBC’s exploration into the challenging world of content moderation unveils the emotional toll faced by global moderators tasked with filtering disturbing and illegal content. Often outsourced, these moderators work for platforms like TikTok, Meta, and Instagram, sifting through graphic materials such as violent acts and abuse. Despite the traumatic impact of this work, which has spurred unionization efforts and legal claims, moderators express pride in protecting the public from online harm. While AI tools like those from OpenAI are advancing to assist moderation, experts argue that human judgment remains vital for nuanced content review, even as tech companies emphasize support for moderators’ wellbeing.
Beyond Connection Logs: Understanding File Transfer Artifacts in AnyDesk Forensics
In his analysis of AnyDesk forensics, Raj Upadhyay reveals the importance of the file_transfer_trace.txt artifact in uncovering details about file transfers beyond traditional connection logs. Working with the standalone version of AnyDesk, he explains how file_transfer_trace.txt records specific details on transfer mode, timestamps, file direction, and size, enabling forensic investigators to verify file movement between devices. This artifact aids in building detailed timelines and confirms whether files were downloaded or uploaded, supporting more comprehensive investigations into user activity on AnyDesk.
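As an added example (not Raj Upadhyay's code or anything shipped with AnyDesk), the parser below turns a `file_transfer_trace.txt` into a transfer timeline of the kind the summary describes. The column layout it expects (transfer mode, timestamp, start/end marker, send/recv direction, quoted file name with size) and the reading of `send` as an upload from the examined host and `recv` as a download onto it are assumptions for this example, and every sample line is constructed; validate both against a trace from a known-good AnyDesk install before relying on the output.

```python
import re
from datetime import datetime

# Constructed sample of a file_transfer_trace.txt. The tab-separated layout
# (mode, timestamp, start/end, direction, 'name' (size)) is assumed, and every
# value is invented. The last two lines exercise failure modes: a transfer that
# never reports an end, and a line the parser cannot interpret.
SAMPLE_TRACE = (
    "Clipboard\t2024-11-04, 09:12\tstart\tsend\t'quarterly_report.xlsx' (2.3 MiB)\n"
    "Clipboard\t2024-11-04, 09:12\tend\tsend\t'quarterly_report.xlsx' (2.3 MiB)\n"
    "File Manager\t2024-11-04, 09:15\tstart\trecv\t'update.exe' (14.8 MiB)\n"
    "File Manager\t2024-11-04, 09:16\tend\trecv\t'update.exe' (14.8 MiB)\n"
    "File Manager\t2024-11-04, 09:20\tstart\trecv\t'notes.txt' (512 B)\n"
    "some unrelated line that does not match the expected layout\n"
)

LINE_RE = re.compile(
    r"^(?P<mode>[^\t]+)\t(?P<ts>\d{4}-\d{2}-\d{2}, \d{2}:\d{2})\t"
    r"(?P<event>start|end)\t(?P<direction>send|recv)\t"
    r"'(?P<name>[^']*)' \((?P<size>[0-9.]+ (?:B|KiB|MiB|GiB))\)$"
)
UNITS = {"B": 1, "KiB": 1 << 10, "MiB": 1 << 20, "GiB": 1 << 30}


def size_to_bytes(text):
    """Convert a human-readable size such as '2.3 MiB' to an integer byte count."""
    value, unit = text.split()
    return round(float(value) * UNITS[unit])


def parse_trace(text):
    """Return (events, unparsed): one dict per recognised line, in file order,
    plus the raw lines that did not match so they can be reviewed by hand."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        events.append({
            "mode": m["mode"],
            "time": datetime.strptime(m["ts"], "%Y-%m-%d, %H:%M"),
            "event": m["event"],
            # Assumed meaning: 'send' left this host for the remote peer (upload),
            # 'recv' arrived on this host from the remote peer (download).
            "direction": "upload" if m["direction"] == "send" else "download",
            "name": m["name"],
            "size_bytes": size_to_bytes(m["size"]),
        })
    return events, unparsed


def _record(start, ended, status):
    return {"name": start["name"], "direction": start["direction"],
            "mode": start["mode"], "size_bytes": start["size_bytes"],
            "started": start["time"], "ended": ended, "status": status}


def build_timeline(events):
    """Pair start/end events per (name, direction) into a chronological list of
    transfers; a start with no matching end is kept and flagged 'incomplete'."""
    open_transfers, transfers = {}, []
    for e in events:
        key = (e["name"], e["direction"])
        if e["event"] == "start":
            open_transfers[key] = e
        elif key in open_transfers:
            transfers.append(_record(open_transfers.pop(key), e["time"], "complete"))
    for s in open_transfers.values():
        transfers.append(_record(s, None, "incomplete"))
    transfers.sort(key=lambda t: t["started"])
    return transfers


if __name__ == "__main__":
    evts, bad = parse_trace(SAMPLE_TRACE)
    for t in build_timeline(evts):
        print(f"{t['started']:%Y-%m-%d %H:%M}  {t['direction']:8} {t['status']:10} "
              f"{t['name']} ({t['size_bytes']} bytes, via {t['mode']})")
    print(f"{len(bad)} line(s) not parsed")
```

Keeping the unparsed lines rather than silently dropping them matters in practice: a single unexpected line is often the one that documents the transfer under investigation, and a count of zero unparsed lines is the check that the assumed layout actually matches the AnyDesk version on the examined host.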
Unransomware: From Zero to Full Recovery in a Blink
DCSO’s Incident Response Team (DIRT) outlines a method for recovering data from Akira ransomware-encrypted virtual disks using open-source tools and a patched version of vmfs-tools. Because Akira encrypts only part of each virtual disk, NTFS partitions whose on-disk structures survive can still be identified and mounted, so essential business data is retrieved without ever undoing the encryption itself. Working in a Linux environment with custom scripts, they locate the surviving NTFS file system structures and recover the data needed to resume operations. This approach offers a viable solution for organizations affected by similar ransomware attacks on hypervisor systems.
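The step the summary calls "locating NTFS file system structures" can be shown on a small scale with a scanner for NTFS boot sectors. The example below is added here and is not DIRT's script or part of vmfs-tools: it builds a constructed disk image containing one NTFS volume whose primary boot sector has been overwritten (standing in for partial encryption of the disk head), then scans every sector boundary for the `NTFS    ` OEM ID and the `55 AA` signature, validates the BIOS parameter block, and resolves the surviving backup boot sector, which NTFS keeps in the last sector of the volume, back to the volume's start and the byte offset of `$MFT`. The image layout and all field values are constructed; the boot sector offsets used are the documented NTFS ones.

```python
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "


def build_ntfs_boot_sector(bytes_per_sector, sectors_per_cluster, total_sectors,
                           mft_cluster, mftmirr_cluster):
    """Assemble a minimal NTFS boot sector containing only the fields parsed below."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                           # jump instruction
    bs[3:11] = NTFS_OEM                                 # OEM ID
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    bs[0x15] = 0xF8                                     # media descriptor: fixed disk
    struct.pack_into("<Q", bs, 0x28, total_sectors)     # excludes the backup boot sector
    struct.pack_into("<Q", bs, 0x30, mft_cluster)       # $MFT start cluster
    struct.pack_into("<Q", bs, 0x38, mftmirr_cluster)   # $MFTMirr start cluster
    bs[0x40] = 0xF6                                     # clusters per MFT record: -10 -> 1024 bytes
    bs[510:512] = b"\x55\xAA"                           # boot sector signature
    return bytes(bs)


def build_constructed_image(volume_start=1024 * 1024, total_sectors=20480,
                            wipe_head_bytes=4096):
    """Constructed image: one NTFS volume at volume_start whose first
    wipe_head_bytes (boot sector included) are overwritten with junk, standing
    in for a ransomware run that encrypted only the head of the virtual disk."""
    volume_bytes = (total_sectors + 1) * SECTOR         # +1 for the backup boot sector
    image = bytearray(volume_start + volume_bytes)
    boot = build_ntfs_boot_sector(SECTOR, 8, total_sectors, mft_cluster=4, mftmirr_cluster=2)
    image[volume_start:volume_start + SECTOR] = boot
    backup_off = volume_start + total_sectors * SECTOR  # last sector of the volume
    image[backup_off:backup_off + SECTOR] = boot
    image[volume_start:volume_start + wipe_head_bytes] = b"\xAB" * wipe_head_bytes
    return bytes(image)


def parse_boot_sector(image, off):
    """Return the BPB fields at off if the sector is a plausible NTFS boot sector, else None."""
    if image[off + 3:off + 11] != NTFS_OEM or image[off + 510:off + 512] != b"\x55\xAA":
        return None
    bps, = struct.unpack_from("<H", image, off + 0x0B)
    spc, media = image[off + 0x0D], image[off + 0x15]
    total, mft, mftmirr = struct.unpack_from("<QQQ", image, off + 0x28)
    # Plausibility checks so that random or encrypted bytes do not pass as a volume.
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1) or media != 0xF8:
        return None
    if total == 0 or mft == 0:
        return None
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_cluster": mft, "mftmirr_cluster": mftmirr}


def find_ntfs_volumes(image, step=SECTOR):
    """Scan sector boundaries for NTFS boot sectors and resolve each hit to a volume start.
    A hit whose twin sits total_sectors further on is a primary boot sector; a hit with no
    twin ahead but room for a volume behind it is treated as a backup boot sector whose
    primary was destroyed (a heuristic: a primary whose backup lies past the end of a
    truncated image would be reported the same way, so confirm against the MFT)."""
    volumes = {}
    for off in range(0, len(image) - SECTOR + 1, step):
        bpb = parse_boot_sector(image, off)
        if bpb is None:
            continue
        volume_len = bpb["total_sectors"] * bpb["bytes_per_sector"]
        ahead, behind = off + volume_len, off - volume_len
        if ahead + SECTOR <= len(image) and parse_boot_sector(image, ahead) == bpb:
            start, source = off, "primary"
        elif behind >= 0 and parse_boot_sector(image, behind) == bpb:
            continue                                    # backup of a volume already recorded
        elif behind >= 0:
            start, source = behind, "backup"
        else:
            start, source = off, "primary (backup not found)"
        cluster = bpb["bytes_per_sector"] * bpb["sectors_per_cluster"]
        volumes.setdefault(start, {
            "volume_start": start, "source": source, "cluster_size": cluster,
            "volume_length": volume_len,
            "mft_offset": start + bpb["mft_cluster"] * cluster,
            "mftmirr_offset": start + bpb["mftmirr_cluster"] * cluster,
        })
    return [volumes[k] for k in sorted(volumes)]


if __name__ == "__main__":
    for v in find_ntfs_volumes(build_constructed_image()):
        print(f"NTFS volume at byte {v['volume_start']} ({v['source']}), "
              f"cluster {v['cluster_size']} bytes, $MFT at byte {v['mft_offset']}")
```

On a real virtual disk the same scan runs over the flat or extracted VMDK/VMFS file, and the recovered volume start is what a loop device offset or an NTFS driver needs to mount the partition; the `$MFT` offset is the next thing to verify, because an MFT that was itself inside the encrypted region means the directory tree has to be rebuilt from `$MFTMirr` or by carving file records.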
New tool recovers compromised deep-learning models so researchers can understand what went wrong
Georgia Tech’s new tool, AI Psychiatry (AiP), enables cybersecurity investigators to recover compromised deep-learning models, allowing for a postmortem analysis of cyberattacks on neural networks in systems like self-driving cars. This forensic AI tool reconstructs the model’s structure from memory images, capturing essential data such as weights, biases, and layers, even without specific knowledge of the model’s framework. By rehosting recovered models, AiP helps researchers test and identify vulnerabilities caused by attacks, advancing forensic capabilities to understand and mitigate AI-based cyber threats.
CCI seeks to empanel digital forensic service providers
The Competition Commission of India (CCI) has issued a tender inviting digital forensic service providers to apply for empanelment, seeking expertise in data acquisition, extraction, analysis, and dealing with encrypted files. Empanelled providers, eligible to serve as expert witnesses, must ensure compliance with legal standards and avoid conflicts of interest. Service providers will perform both onsite and remote operations, adhering to specific software and hardware guidelines, with submissions due by 18 November 2024.