Digital Forensics Round-Up, November 27 2024

A round-up of this week’s digital forensics news and views:


iOS Inactivity Reboot

Apple’s new “Inactivity Reboot” feature for iOS devices, introduced in version 18.0 and adjusted in 18.1, automatically reboots a device that has gone 72 hours without being unlocked. The reboot does not add any encryption of its own; it returns the device to the “before first unlock” (BFU) state, in which the file-protection class keys derived from the user’s passcode are no longer held in memory, so much of the user data partition is unreadable until the passcode is entered again and the attack surface available to an exploit is correspondingly smaller. Inspired by GrapheneOS, the feature counters forensic acquisition techniques that depend on the “after first unlock” (AFU) state, and it creates a hard deadline for law enforcement and digital forensic analysts: an AFU device that is seized but not extracted within the 72-hour window drops to BFU on its own. The measure underscores the growing conflict between user privacy and forensic accessibility, and it requires new strategies for evidence preservation and device exploitation.

Read More (Hexordia)


Goodbye Activity History: Windows 10’s Timeline Feature Removed in Windows 11

Windows 11 significantly reduces the forensic value of the Activity History artifact, the ActivitiesCache.db SQLite database (under %LocalAppData%\ConnectedDevicesPlatform\<profile>\) that backed the Timeline feature in Windows 10 and recorded which applications and documents a user opened, and when. In Windows 11 that functionality is deprecated: the database still exists but holds only a handful of entries, mostly system activity such as Wi-Fi, and it no longer records application interactions. Research indicates Microsoft began phasing the feature out in later Windows 10 releases before discontinuing it in Windows 11. The reasoning is not stated, but references to a potential replacement, “Recall AI Timeline,” suggest new forensic opportunities may arise. Analysts should check what a given ActivitiesCache.db actually contains rather than assume Windows 10 behaviour, especially when working with clients who still run older Windows systems.
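A quick way to apply that check is to count what kinds of activity a given ActivitiesCache.db still records. The script below is an added example written for this round-up, not code from the CYBERDEFNERD post; it builds a constructed in-memory copy of the Activity table (a subset of the real columns, with the real names and Unix-epoch timestamps) so it runs offline, and the Windows 11 sample row is a placeholder rather than an observed record. The AppId JSON layout and ActivityType values 5 (execution) and 6 (in focus) are the documented ones; the function and variable names are mine.

```python
"""Triage ActivitiesCache.db (the Windows Timeline database) to see whether it
still records application activity.

Added example for this round-up; not code from the CYBERDEFNERD post. It uses a
constructed in-memory copy of the Activity table so it runs offline. To run it
on evidence, point summarize() at a read-only copy of
%LocalAppData%\\ConnectedDevicesPlatform\\<profile>\\ActivitiesCache.db.
"""
import json
import sqlite3
from collections import Counter
from datetime import datetime, timezone

# ActivityType values that record user interaction with an application.
APP_ACTIVITY_TYPES = {
    5: "ExecutionActivity (app/document opened)",
    6: "UserEngaged (app in focus)",
}

# Constructed sample AppId values. AppId is a JSON list of {application, platform}
# entries; Program Files is referenced by its known-folder GUID in real records.
FIREFOX_APPID = (
    '[{"application":"{6D809377-6AF0-444B-8957-A3773F02200E}\\\\Mozilla Firefox\\\\firefox.exe",'
    '"platform":"x_exe_path"},{"application":"","platform":"packageId"}]'
)
EXPLORER_APPID = '[{"application":"Microsoft.Windows.Explorer","platform":"windows_win32"}]'
# Placeholder for a sparse Windows 11 system entry; not an observed record.
WIN11_PLACEHOLDER_APPID = '[{"application":"Windows.System.Placeholder","platform":"windows_universal"}]'

# Constructed rows: (AppId, ActivityType, StartTime, EndTime), epoch seconds UTC.
SAMPLE_ROWS = {
    "win10": [
        (FIREFOX_APPID, 5, 1700000000, 1700000005),
        (FIREFOX_APPID, 6, 1700000005, 1700001800),
        (EXPLORER_APPID, 5, 1700003600, 1700003601),
    ],
    "win11": [
        (WIN11_PLACEHOLDER_APPID, 2, 1700003600, 1700003600),
    ],
}


def build_sample_db(kind: str) -> sqlite3.Connection:
    """Create an in-memory Activity table holding the constructed rows for `kind`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Activity (Id BLOB, AppId TEXT, ActivityType INT, "
        "StartTime INT, EndTime INT, LastModifiedTime INT)"
    )
    conn.executemany(
        "INSERT INTO Activity (Id, AppId, ActivityType, StartTime, EndTime, LastModifiedTime) "
        "VALUES (randomblob(16), ?, ?, ?, ?, ?)",
        [(app, atype, start, end, end) for app, atype, start, end in SAMPLE_ROWS[kind]],
    )
    return conn


def app_name(app_id_json) -> str:
    """Return the first non-empty 'application' value from an AppId JSON list."""
    try:
        entries = json.loads(app_id_json)
    except (TypeError, ValueError):
        return str(app_id_json)
    for entry in entries:
        if isinstance(entry, dict) and entry.get("application"):
            return entry["application"]
    return "<unknown>"


def to_utc(epoch) -> str:
    """Render an epoch-seconds value as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat() if epoch else ""


def summarize(conn: sqlite3.Connection) -> dict:
    """Count rows per (application, ActivityType) and report the covered time range."""
    rows = conn.execute(
        "SELECT AppId, ActivityType, StartTime, EndTime FROM Activity ORDER BY StartTime"
    ).fetchall()
    per_app = Counter()
    app_rows = 0
    for app_id, atype, start, end in rows:
        label = APP_ACTIVITY_TYPES.get(atype, f"ActivityType {atype}")
        per_app[(app_name(app_id), label)] += 1
        if atype in APP_ACTIVITY_TYPES:
            app_rows += 1
    return {
        "total_rows": len(rows),
        "app_activity_rows": app_rows,
        "first_activity": to_utc(rows[0][2]) if rows else "",
        "last_activity": to_utc(rows[-1][3] or rows[-1][2]) if rows else "",
        "per_app_type": dict(per_app),
    }


def records_app_activity(conn: sqlite3.Connection) -> bool:
    """True when the database still holds app open/focus rows (Windows 10 behaviour)."""
    return summarize(conn)["app_activity_rows"] > 0


if __name__ == "__main__":
    for kind in ("win10", "win11"):
        report = summarize(build_sample_db(kind))
        print(kind, "records app activity:", report["app_activity_rows"] > 0)
        for (app, label), n in sorted(report["per_app_type"].items()):
            print(f"  {n:3d}  {label:40s} {app}")
```

Run it against a copy of the evidence file opened with `sqlite3.connect("file:ActivitiesCache.db?mode=ro", uri=True)`; a database whose `app_activity_rows` is zero while `total_rows` is not is the Windows 11 pattern the post describes, and the time range tells you how far back the surviving entries reach.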

Read More (CYBERDEFNERD)


Commentary:- Can I use that tool?

Digital forensic practitioners face complex decisions when determining whether a tool is suitable for investigative use, decisions that go beyond its technical capabilities. This work identifies five questions practitioners must answer before relying on a tool: what it does, how to operate it correctly, how it works underneath, how reliable it is, and what ethical or legal implications its use carries. Each question is paired with the risks of getting it wrong, such as vague documentation, misinterpretation of output, or unauthorised use. Addressing these questions systematically lets practitioners defend their tool choices, bolstering confidence in forensic processes and judicial outcomes.

Read More (Graeme Horsman, ScienceDirect)


The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

Volexity describes a sophisticated attack by the Russian APT it tracks as GruesomeLarch (publicly known as APT28 / Fancy Bear), dubbed the “Nearest Neighbor Attack,” in which the attacker reached a high-value target, Organization A, from thousands of miles away by first compromising organizations in neighbouring buildings and then using their dual-homed systems (wired plus Wi-Fi) to join Organization A’s enterprise Wi-Fi from within radio range. The credentials used had been obtained through password spraying against Organization A’s public-facing services; MFA blocked them there, but the Wi-Fi network required only a username and password, so the same credentials worked once a nearby radio was under the attacker’s control. Inside the network the attacker relied on living-off-the-land techniques. The case shows that corporate Wi-Fi must be treated as a remote access service and protected with the same controls, including MFA, and Volexity’s investigation provides actionable detection and mitigation recommendations.

Read More (Volexity)


iCloud Shared Photo Library: Forensic Artifacts Explained

This blog explores the digital forensic artifacts associated with iCloud Shared Photo Library (SPL), introduced in iOS 16.1, and walks through the key database structures, property lists, and artifact storage paths. It identifies indicators of SPL activation, participant contributions, and shared media attribution, and supplies SQLite queries and iLEAPP parsers to support analysis. Commercial forensic tools may not yet parse much of this data, so the research highlights what can be recovered manually from SPL for determining ownership and contribution, and for spotting anti-forensic use of the feature. Further study is recommended for iOS 18 and beyond to uncover new forensic details.

Read More (The Forensic Scooter)


SSD Forensic Acquisition: The Inconvenient Truth

Albert Hui highlights the difficulty of guaranteeing data integrity during forensic acquisition of solid-state drives (SSDs). Unlike an HDD, an SSD’s controller keeps working on the flash as soon as the drive is powered: TRIM, garbage collection and wear levelling relocate and erase blocks independently of host writes, so a hardware write blocker does not stop the drive’s contents from changing, and two acquisitions of the same drive can yield different hash values, which complicates legal proceedings. The practical consequence is to hash and verify the acquired image rather than expect the physical device to re-hash identically, and to document when the drive was powered and for how long. Hui cites Dr. Manish Kumar’s research confirming these effects and suggests chip-off forensics, which reads the NAND directly and bypasses the controller, as a more reliable though resource-intensive alternative; note that a raw NAND dump still has to be reassembled through the drive’s flash translation layer and is unreadable where the controller encrypts data at rest.

Read More (Albert Hui, LinkedIn)


Oxygen Forensics Tech Takedown: A Remote Journey

The Oxygen Forensics webinar, “A Remote Journey,” highlights the functionality and benefits of Oxygen Remote Explorer (ORE), a tool designed for remote digital forensic data collection from devices like workstations and mobile phones. VP Keith Lockhart explains how ORE enables targeted and scalable remote investigations, eliminating the need for physical access. Key features include profile customization for data collection, task scheduling, agent deployment, and support for Windows, Mac, Linux, Android, and iOS. The webinar also addresses challenges like network connectivity, licensing, and future updates, with plans to expand targeted app collections for Telegram and Signal.

Read More (Forensic Focus)


Lateral Movement – Remote Desktop Protocol (RDP) Artifacts

This blog explores the artifacts that can reveal lateral movement over Remote Desktop Protocol (RDP) during forensic investigations. It stresses collecting from both sides of a connection. On the source (initiating) host: the Terminal Server Client registry keys in the user’s NTUSER.DAT (Default\MRU* for recently connected hosts, Servers\<host>\UsernameHint for the account used), the RDP Bitmap Cache, and execution evidence for mstsc.exe in UserAssist, RecentApps, JumpLists, Prefetch, Shimcache, Amcache and BAM/DAM. On the target (receiving) host: execution evidence for the session-side binaries rdpclip.exe and tstheme.exe, which are spawned for an interactive RDP session. Together these establish execution attempts, the connecting IP addresses and accounts, and session timing. Investigators are encouraged to pair them with the Windows event logs (Security 4624 with logon type 10, and the TerminalServices LocalSessionManager and RemoteConnectionManager operational logs on the target) and other evidence to build a reliable timeline and to spot tampering by threat actors who clear artifacts on one side of the connection but not the other.
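Pairing the two sides is where the value is: a 4624 type-10 logon on the target is far harder to explain away when the source user’s Terminal Server Client key names that target. The script below is an added example written for this round-up, not code from The DFIR Spot post. The record shapes are my own: TARGET_EVENTS mimics events exported from the target’s Security and TerminalServices logs, and SOURCE_TSCLIENT mirrors the HKCU\Software\Microsoft\Terminal Server Client key from the source user’s NTUSER.DAT. The event IDs (1149, 4624 with logon type 10, 21, 24, 25) are the standard Windows ones; hosts, IPs, account names and times are constructed sample data.

```python
"""Pair target-side RDP event log entries with source-side Terminal Server Client
registry entries to build a lateral-movement timeline.

Added example for this round-up; not code from The DFIR Spot post. Record shapes,
host names, IPs, users and times are constructed; the event IDs are standard.
"""
from datetime import datetime, timezone

LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

# Target-side events that evidence an incoming RDP session.
RDP_EVENTS = {
    (RCM, 1149): "user authentication succeeded (pre-logon)",
    ("Security", 4624): "logon, type 10 (RemoteInteractive)",
    (LSM, 21): "session logon succeeded",
    (LSM, 24): "session disconnected",
    (LSM, 25): "session reconnected",
}

# Constructed sample: what the target's logs might show for one RDP session.
# The logon_type 3 row is a network logon at the same time and must be ignored.
TARGET_EVENTS = [
    {"time": "2024-11-20T03:14:02Z", "log": RCM, "id": 1149, "user": "CORP\\svc_backup", "src_ip": "10.10.5.23"},
    {"time": "2024-11-20T03:14:05Z", "log": "Security", "id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.10.5.23"},
    {"time": "2024-11-20T03:14:05Z", "log": "Security", "id": 4624, "logon_type": 3, "user": "CORP\\svc_backup", "src_ip": "10.10.5.23"},
    {"time": "2024-11-20T03:14:06Z", "log": LSM, "id": 21, "user": "CORP\\svc_backup", "src_ip": "10.10.5.23"},
    {"time": "2024-11-20T03:51:40Z", "log": LSM, "id": 24, "user": "CORP\\svc_backup", "src_ip": "10.10.5.23"},
]

# Constructed sample: Terminal Server Client key from the source user's NTUSER.DAT.
SOURCE_TSCLIENT = {
    "Default": {"MRU0": "FS01.corp.local", "MRU1": "10.10.7.4"},
    "Servers": {"FS01.corp.local": {"UsernameHint": "CORP\\svc_backup"}},
}

# Names under which the target host may appear on the source (hostname and IPs).
TARGET_NAMES = {"FS01.corp.local", "10.10.7.4"}


def rdp_sessions(events):
    """Keep only target-side events that evidence an incoming RDP session, in time order."""
    keep = []
    for ev in events:
        key = (ev["log"], ev["id"])
        if key not in RDP_EVENTS:
            continue
        if ev["id"] == 4624 and ev.get("logon_type") != 10:
            continue  # 4624 is RDP evidence only with LogonType 10
        keep.append({
            "time": datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "id": ev["id"],
            "event": RDP_EVENTS[key],
            "user": ev["user"],
            "src_ip": ev["src_ip"],
        })
    return sorted(keep, key=lambda e: (e["time"], e["id"]))


def source_corroboration(tsclient, target_names, user):
    """List source-side Terminal Server Client entries that name the target host."""
    hits = []
    for value, host in tsclient.get("Default", {}).items():
        if host in target_names:
            hits.append(f"Default\\{value} = {host}")
    for host, values in tsclient.get("Servers", {}).items():
        if host in target_names:
            hint = values.get("UsernameHint", "")
            match = "matches" if hint.lower() == user.lower() else "differs from"
            hits.append(f"Servers\\{host}\\UsernameHint = {hint} ({match} the target logon user)")
    return hits


def build_timeline(events, tsclient, target_names):
    """Merge target events with the source artifacts that corroborate each of them."""
    return [
        {**s, "source_artifacts": source_corroboration(tsclient, target_names, s["user"])}
        for s in rdp_sessions(events)
    ]


if __name__ == "__main__":
    for row in build_timeline(TARGET_EVENTS, SOURCE_TSCLIENT, TARGET_NAMES):
        print(f"{row['time'].isoformat()}  {row['id']:5d}  {row['event']:42s} {row['user']} from {row['src_ip']}")
        for artifact in row["source_artifacts"]:
            print(f"{'':20s}  source: {artifact}")
```

A session whose target-side events have no corroborating source entries is the case to dig into: either the source host has not been identified yet, or someone cleaned the Terminal Server Client key and Bitmap Cache on the source, which is itself a finding.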

Read More (The DFIR Spot)
