Digital Forensics Round-Up, November 20, 2024

A round-up of this week’s digital forensics news and views:


Can Screenshots Of Text Messages Be Used As Digital Evidence In Court?

Screenshots of text messages are often unreliable in court due to the ease of manipulation through editing software, fake message generators, and altered device settings. Digital forensics experts play a crucial role in authenticating such evidence through methods like forensic acquisitions, which extract comprehensive data including metadata and timestamps, ensuring its integrity and admissibility. While manual examinations can serve as an alternative when forensic acquisitions aren’t feasible, they require meticulous documentation and secure handling to maintain credibility. Ultimately, forensic methods ensure authenticity, protecting legal cases and preventing wrongful accusations.

Read More (Forbes)


New FOR518: Mac and iOS Forensic Analysis Poster Update

The updated Digital Forensics and Incident Response Poster, available from SANS, enhances forensic analysis for macOS 15 and iOS 18 with new “Evidence of…” categories. Created by SANS experts Kat Hedley and Sarah Edwards, it maps key macOS and iOS artifacts to their Windows counterparts in the Windows Forensic Analysis poster. Updates include Biomes for user activity tracking, CarPlay interaction logs, Spotlight metadata, AirDrop transfers, TCC app permissions, and APFS snapshot mounting, providing investigators with powerful tools to uncover critical evidence in Apple’s evolving ecosystem.

Read More (SANS)





Understanding Digital Forensics Mental Health Stressors: Traumatic Content And Workload Pressure

Digital forensic investigators face significant mental health challenges due to exposure to traumatic content, such as CSAM, and high workloads exacerbated by tight deadlines. These stressors can lead to PTSD, burnout, and diminished productivity, impacting decision-making and increasing investigative inaccuracies. Protective measures, such as the UK Crown Prosecution Service’s proportional approach and the use of automated tools like CAID, help mitigate these impacts by reducing exposure to traumatic material and improving case efficiency. As the demand for digital forensics grows, a supportive organizational culture and advanced forensic technologies are essential for preserving investigator well-being and sustaining productivity.

Read More (Forensic Focus)


Linux DFIR: Essential Tools, Techniques, and Case Scenarios for Effective Digital Forensics and Incident Response

Shawn Belcourt explores Linux Digital Forensics and Incident Response (DFIR), detailing tools, techniques, and scenarios for investigating and mitigating security incidents. The article covers key areas like file system analysis, memory forensics, disk imaging, log visualization, and malware detection while showcasing tools such as SIFT Workstation, Velociraptor, and the ELK Stack. With real-world workflows for live response and deadbox analysis, it equips DFIR professionals to efficiently handle threats and preserve evidence integrity in Linux environments.

Read More (Shawn Belcourt, LinkedIn)


ETW Forensics – Why use Event Tracing for Windows over EventLog?

Shusei Tomonaga of JPCERT/CC discusses the forensic benefits of Event Tracing for Windows (ETW) compared to traditional EventLogs for incident investigations. Unlike EventLogs, ETW can capture detailed behaviors like process injections, file operations, and DNS activity through its extensive provider system. The article explores ETW’s structure, including its architecture and event formats, and introduces a Volatility3 plugin developed by JPCERT/CC to recover ETW events from memory images. Highlighting real-world use cases, it shows how ETW can aid in uncovering malware activity and system behaviors critical for incident response.

Read More (JPCERT)


Comprehensive Guide to Windows DFIR-Digital Forensics and Incident Response Tools

Windows Digital Forensics and Incident Response (DFIR) is pivotal in cybersecurity, offering tools and methodologies to analyze breaches, uncover evidence, and respond to threats within Microsoft Windows environments. As attackers evolve with tactics like fileless malware, registry-based persistence, and lateral movement across Active Directory, investigators must adapt with advanced tools such as Velociraptor, Volatility, and YARA. Covering core aspects like disk imaging, memory forensics, timeline reconstruction, and reporting, this comprehensive resource equips practitioners to investigate incidents effectively, from recovering NTFS artifacts to analyzing cloud-based attacks, ensuring robust incident response and system integrity.

Read More (Shawn Belcourt, LinkedIn)


RunMRU is not the only one forensic artifact left by the “Run” Prompt

Krzysztof Gajewski explores artifacts left by the Windows Run prompt beyond the well-known RunMRU registry key, introducing the Activity Cache as a complementary source of forensic evidence. While RunMRU tracks recent commands with limitations such as overwriting repeated entries, the Activity Cache, introduced in Windows 10 (version 1803), logs detailed timestamps of interactions with the Run prompt. By combining registry analysis with tools like WxTCmd for Activity Cache data, forensic investigators can construct comprehensive timelines to trace user actions and identify malicious behavior effectively.

Read More (CYBERDEFNERD)


Chrome Visited Links

The “visited_links” table in Chrome’s History database provides insights into how users navigate to specific sites, including frame and top-level URLs. Despite standard history deletion, records in this table may persist if “All Time” is not selected for clearing history, with lingering data surviving browser updates. Testing confirmed the table’s existence in Chrome versions 126 and above, while improper deletion behaviors were patched as of July 2024. Investigators can leverage SQL queries to correlate this table with the “urls” table for more comprehensive browser activity analysis.

Read More (AskClees)


Burned and locked devices: Experts break down digital evidence in Brad Simpson case

Digital forensic experts are analyzing burned and locked devices in the Brad Simpson case, where the disappearance of Suzanne Simpson has drawn significant attention. Investigators uncovered three phones and a laptop from a burn pit, along with vehicle location data and security footage. Experts explain that while recovering data from burned devices is complex, it’s often possible, especially if the memory modules are intact. Simpson’s phone, set to “lockdown mode,” added challenges but remains potentially accessible through advanced tools. The case highlights how phones, vehicles, and cloud backups provide vital digital evidence even when devices are physically destroyed or encrypted.

Read More (News4SA)
