A round-up of this week’s digital forensics news and views:
Exploring UFADE to Extract Data From iOS Devices
Derek Eiri reviews UFADE (Universal Forensic Apple Device Extractor) as a versatile tool for extracting data from iOS devices, emphasizing its ability to handle supervised and pair-locked devices, create logical and full backups, and enable advanced developer options. He highlights UFADE’s ease of use, recent improvements, and cross-platform compatibility, positioning it as a valuable open-source resource for digital forensic professionals and corporate environments.
Evidence of Execution – Windows Prefetch
Windows Prefetch is a system feature designed to speed up application loading, but it holds significant forensic value by storing data about program execution. Prefetch files contain information like the last execution time, execution count, and associated files. Starting with Windows 8, these files store up to eight execution timestamps, and in Windows 10, they are compressed. Forensic investigators use Prefetch to create execution timelines, verify the use of specific programs, and detect potential malicious activity, despite challenges like file overwriting and manual deletion.
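As an added example (not part of the original round-up or the article it summarises), the following Python parses the executable name, prefetch hash, up to eight last-run FILETIMEs and the run count from an uncompressed Windows 8.x (format version 26) Prefetch file and folds several records into an execution timeline. The sample file bytes are constructed in the code; Windows 10 files are compressed and would need to be decompressed before being fed to this parser.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch_v26(data):
    """Parse the header and file-information block of an uncompressed
    version-26 (Windows 8.x) Prefetch file. Offsets follow the publicly
    documented layout: eight FILETIMEs at 0x80, run count at 0xD0."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version != 26:
        raise ValueError(f"unsupported prefetch version {version} / {signature!r}")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (prefetch_hash,) = struct.unpack_from("<I", data, 0x4C)
    raw_times = struct.unpack_from("<8Q", data, 0x80)  # newest first, unused slots are 0
    (run_count,) = struct.unpack_from("<I", data, 0xD0)
    return {
        "exe": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "run_times": [filetime_to_datetime(t) for t in raw_times if t],
        "run_count": run_count,
    }


def build_timeline(records):
    """Flatten parsed records into (timestamp, exe) pairs, oldest first."""
    return sorted((t, r["exe"]) for r in records for t in r["run_times"])


def make_sample(exe, prefetch_hash, run_times, run_count):
    """Construct a minimal version-26 file for demonstration (not a real capture)."""
    buf = bytearray(0x134)  # header (0x54 bytes) + version-26 file information (224 bytes)
    struct.pack_into("<I4s", buf, 0, 26, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    struct.pack_into("<8Q", buf, 0x80, *(run_times + [0] * (8 - len(run_times))))
    struct.pack_into("<I", buf, 0xD0, run_count)
    return bytes(buf)


# Constructed sample: CALC.EXE run at 2024-01-01 00:00 UTC and 2023-12-31 12:00 UTC, 5 runs total.
SAMPLE = make_sample("CALC.EXE", 0x12345678, [133485408000000000, 133484976000000000], 5)
```

Because only the eight most recent timestamps survive, the run count will exceed the number of timeline entries for frequently executed programs; treat that gap as expected rather than as evidence of deletion.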
Amped Authenticate – Overcoming Multimedia Forensics Challenges With Expert Witness Testimony
Amped Authenticate is a multimedia forensics tool highly valued by expert witness Gernot Schmied for analyzing the authenticity of digital images and videos. It helps uncover tampering, manipulation, and deepfake content through a scientific approach, supporting expert testimony in court. The tool’s capabilities, including batch processing, smart reporting, and camera ballistics, assist in verifying the integrity of evidence while addressing growing concerns over synthetic content and deepfakes. Amped Authenticate has become an essential resource for digital forensics, particularly in courtroom scenarios.
Trust me. I’m an Expert.
Brett Shavers highlights that while experts are essential in fields like DFIR, overconfidence, bias, and groupthink can lead them astray. Expertise does not guarantee infallibility, and mistakes happen, as seen in cases like Y2K and thalidomide. Shavers emphasizes the importance of critical thinking, healthy skepticism, and the need to verify facts. Experts should recognize their influence and use their authority responsibly, fostering open-mindedness and continuous learning in their field.
Linux Artifacts: Timestamps of Last SUDO Command Execution
In Linux forensics, the timestamp files under /var/run/sudo/ts record when each user last ran a sudo command, providing valuable traces of privilege escalation. These timestamps are useful when system logs are unavailable, allowing investigators to track sudo usage. Cross-referencing these files with other artifacts, such as bash history, strengthens an investigation by revealing when elevated permissions were used.
Not All Androids Who Wonder Are Lost. Exploring Android’s Find My Device System
Since Apple introduced AirTag in 2021, privacy concerns have arisen, particularly for Android users. Over time, Android users gained the ability to detect rogue AirTags and other Bluetooth trackers via Google’s Find My Device network, which now supports third-party trackers. Key forensic artifacts are left behind when Android phones encounter these trackers, and tracker data may also reside with Google, accessible through Takeout or legal process.
Read More (SANS Digital Forensics and Incident Response, YouTube)
OpenDream Claims to be an AI Art Platform. But Its Users Generated Child Sexual Abuse Material
OpenDream, an AI art platform, allowed users to generate and publicly share child sexual abuse material (CSAM) and non-consensual deepfakes for months without moderation. The site monetized explicit content through subscriptions and ads, despite prohibitions from services like Google and Stripe. After Bellingcat’s investigation, which linked the platform to individuals in Singapore and Vietnam, the explicit content was removed, though OpenDream continues to offer NSFW features. The case highlights ongoing legal challenges in combating AI-generated CSAM globally.
Capability Access Manager Forensics in Windows 11
In Windows 11, the Capability Access Manager now stores access history for up to 30 days in a SQLite 3 database, replacing the older method of overwriting registry keys. This database logs details about application access to user capabilities like the camera, microphone, or location. The database organizes entries by user ID, application type (Packaged or NonPackaged), and access times. Preliminary testing suggests this information is retained longer than in previous versions, making it a valuable forensic artifact. Future research will explore whether this artifact appears in all Windows 11 versions and how it interacts with AmCache and registry entries.
Read More (Cyber Sundae DFIR, Medium)
A day in the life of a digital forensic examiner
Gayle Warren, a former journalist turned forensic scientist, handles Arizona’s first electronic detection K-9, Zona. After starting her career with the Tucson Police Department, Warren’s expertise now extends to digital forensics, where she tackles high-profile cases and child exploitation investigations. Zona, trained to detect hidden electronic devices by scent, has been crucial in uncovering critical evidence, assisting in over 80 search warrants. Warren’s unique skill set and Zona’s detection abilities have made a significant impact on Arizona’s most complex cases, from ICAC to hidden electronics searches.