A round-up of this week’s digital forensics news and views:
Extortion and Ransomware Drive Over Half of Cyberattacks
Microsoft’s latest Digital Defense Report reveals that over half of cyberattacks with known motives are driven by extortion or ransomware, with 80% of investigated incidents involving data theft primarily for financial gain rather than espionage. Amy Hogan-Burney reports that Microsoft processes over 100 trillion security signals daily, blocking 4.5 million malware attempts and analyzing 38 million identity risk detections. Nation-state actors from China, Iran, Russia, and North Korea are expanding their operations, while cybercriminals increasingly use AI to enhance phishing and ransomware attacks. More than 97% of identity attacks involve password-based attacks, but phishing-resistant multifactor authentication can block over 99% of these attempts.
Read more (blogs.microsoft.com)
AI-Enhanced Cybercrime Detection and Digital Forensics Research
In a new academic paper, researchers from Italy explore how artificial intelligence can improve cybercrime detection and digital forensics investigations. Silvia Lucia Sanna and colleagues highlight both the potential benefits and risks of AI in cybersecurity, noting that while AI can enhance automated network analysis and malware detection, cybercriminals may also exploit these tools. Their case study demonstrates how popular chatbots like Gemini, Copilot, and ChatGPT can be used to develop steganographic techniques for hiding data in images, illustrating the double-edged nature of AI in cybersecurity applications.
Oxygen Forensics Training – Extraction in a Box (XiB) Review
Si Biles reviews Oxygen Forensics’ three-day Extraction in a Box training course, which teaches advanced mobile phone acquisition techniques through hands-on experience with real devices. Participants receive a kit containing eight phones, tools, and course materials to practice various extraction methods, including hardware-level access using test points and conductive tweezers. Biles praises the comprehensive coverage of Android and iOS exploitation techniques, the quality of instruction, and Oxygen’s honest approach to their product capabilities, noting that the course successfully bridges the gap between simple extractions and complex forensic acquisition methods.
Digital Forensics Technology Helps Crack Ireland’s Largest Cocaine Smuggling Case
Cellebrite’s digital investigation tools played a crucial role in exposing a major drug trafficking network that attempted to smuggle 2.2 tons of cocaine into Ireland via cargo ship. John Lucey from Cellebrite describes how the technology analyzed mobile phone data to connect criminal coordination across multiple apps, leading to prison sentences for gang members. Modern smartphones can carry up to two terabytes of data, making AI-powered tools essential for investigators to process vast amounts of digital evidence efficiently.
Digital Forensics Community Leader Discusses F3 Organization’s Mission
Gareth Davies, chairman of the First Forensic Forum (F3), discusses the UK-based not-for-profit organization that provides training and knowledge sharing for digital forensics professionals. F3 runs vendor-neutral conferences and workshops at costs significantly below commercial alternatives, with its annual three-day event priced at £650 including accommodation and meals. Davies explains how F3 has operated for 30 years, building community connections and offering practical training from experts across law enforcement, academia, and industry vendors.
Brett Shavers Raises Concerns About Using “Deleted” in Reports
Digital forensics expert Brett Shavers warns that using the word “deleted” carelessly in forensic reports can destroy credibility and cases in court. Shavers argues the term implies intentional action when examiners can only prove a file’s state, not the cause of its removal. He recommends more precise language like “previously existing” or qualifying deletion with specific mechanisms such as “user-deleted” or “system-deleted” to maintain accuracy and avoid implying intent where none can be proven.
A Primer on Windows Digital Forensics Artifacts
Matthew Plascencia introduces the key artifacts that digital forensic investigators examine when analyzing Windows systems. His overview covers major evidence sources including registry hives (SECURITY, SYSTEM, SOFTWARE, and NTUSER.DAT), prefetch files that track program execution, jump lists that record recently accessed documents, and LNK shortcut files containing rich metadata. Plascencia explains how these artifacts work together to provide investigators with comprehensive insights into user activity, system configuration, and application usage patterns on Windows machines.
Read more (matthewplascencia.substack.com)
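As an added illustration of the LNK metadata mentioned in the primer (this is example code written for this round-up, not code from the article or from Plascencia), the script below parses the fixed 76-byte ShellLinkHeader that opens every Windows shortcut file, following the public MS-SHLLINK layout: link flags, target file attributes, the three FILETIME stamps, and the target size. The sample shortcut bytes it builds are constructed for the example, not taken from any real system.

```python
"""Parse the 76-byte ShellLinkHeader at the start of a Windows .LNK shortcut.

Added example; not code from the article or from Matthew Plascencia's primer.
Field layout follows the public MS-SHLLINK specification. The sample shortcut
bytes built below are constructed for this example, not taken from a real machine.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (mixed-endian GUID)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList",
    0x02: "HasLinkInfo",
    0x04: "HasName",
    0x08: "HasRelativePath",
    0x10: "HasWorkingDir",
    0x20: "HasArguments",
    0x40: "HasIconLocation",
    0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {
    0x01: "READONLY",
    0x02: "HIDDEN",
    0x04: "SYSTEM",
    0x10: "DIRECTORY",
    0x20: "ARCHIVE",
}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC
    datetime. A zero FILETIME means 'not set' and is returned as None."""
    if ft == 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (integer arithmetic, no float rounding);
    used here only to build the constructed sample."""
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_lnk_header(data):
    """Return the ShellLinkHeader fields as a dict. HeaderSize and LinkCLSID are
    validated first so that a file merely named *.lnk is rejected early."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short to hold a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     icon_index, show_cmd, hotkey, _r1, _r2, _r3) = struct.unpack(
        "<I16sIIQQQIIIHHII", data[:HEADER_SIZE])
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Windows shell link (bad HeaderSize or LinkCLSID)")
    return {
        "link_flags": _flag_names(flags, LINK_FLAGS),
        "file_attributes": _flag_names(attrs, FILE_ATTRIBUTES),
        "creation_time": filetime_to_datetime(ctime),   # target's timestamps
        "access_time": filetime_to_datetime(atime),     # at link creation time
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,  # low 32 bits of the target's size when the link was made
        "icon_index": icon_index,
        "show_command": show_cmd,
        "hotkey": hotkey,
    }


def build_sample_lnk_header():
    """Constructed sample (invented values): a shortcut whose 4 KiB archive-flagged
    target was created 2024-01-15 12:00 UTC and last accessed a day later."""
    created = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    flags = 0x01 | 0x02 | 0x80  # HasLinkTargetIDList | HasLinkInfo | IsUnicode
    return struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LINK_CLSID, flags, 0x20,
        datetime_to_filetime(created),
        datetime_to_filetime(created + timedelta(days=1)),
        datetime_to_filetime(created),
        4096, 0, 1, 0, 0, 0, 0)


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk_header()).items():
        print(f"{key:16} {value}")
```

The header timestamps describe the shortcut's target as it was when the link was created, which is why LNK files remain useful even after the target has been removed; to read a real shortcut, pass the first 76 bytes of the file to `parse_lnk_header`. The optional structures that follow the header (LinkTargetIDList, LinkInfo with volume serial and path, and the string data selected by the flags) are not decoded here.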
Kyrgyzstan Receives Equipment for Digital Forensics, Infrastructure Protection
Kyrgyzstan’s Forensic Service and Anti-Terrorism Center have received new equipment to enhance digital forensics capabilities and protect critical infrastructure. EU and UN funding provided the technical assistance through the EU-UN Global Terrorism Threats Facility. Almazbek Zarylbek uulu says the upgrades will modernize computer-technical and phonoscopic examinations, improving investigation effectiveness and accuracy of forensic conclusions.