A round-up of this week’s digital forensics news and views:
Man who used AI to create child abuse images jailed for 18 years
In a landmark UK case, Hugh Nelson, 27, was sentenced to 18 years for using AI to transform ordinary photographs of children into abusive images. In the first prosecution of its kind, Nelson used the AI-equipped Daz 3D software to create and distribute explicit content, including for paying clients in online chatrooms. Greater Manchester Police (GMP), working with the CPS and the National Crime Agency, prosecuted Nelson for creating and sharing indecent images and for inciting and encouraging others to commit abuse. GMP says the case reflects the growing challenge AI poses to law enforcement, with AI-facilitated abuse becoming an urgent issue across the UK.
Understanding Digital Forensics Mental Health Stressors: Introduction
In a new series on Forensic Focus, Paul Gullon-Scott explores the mental health challenges digital forensic investigators (DFIs) face due to high workloads, exposure to disturbing content, and insufficient organizational support. With research dating back to 2008, the series highlights how vicarious trauma, anxiety, depression, and burnout affect DFIs, emphasizing the crucial need for comprehensive mental health resources. The articles will delve into each mental health challenge in detail, aiming to promote understanding and encourage accessible support systems to address the unique psychological demands within digital forensics.
Windows Artifacts: Analyzing the USN Journal on a Live System
Krzysztof Gajewski explores techniques for working with the USN Journal during live forensic investigations without accessing or parsing the $UsnJrnl:$J file directly. He details using the built-in Windows command-line tool FSUTIL to query, read, and enumerate USN data, which provides file-activity insight while leaving a minimal footprint on the evidence. The commands fsutil usn queryjournal, fsutil usn readdata, fsutil usn readjournal, and fsutil usn enumdata let investigators observe changes in near real time, which is particularly helpful in urgent cases where immediate action is needed. Practical examples include tracking a specific file reference number, reading deletion records, and capturing recent updates, equipping DFIR professionals with flexible live-data handling capabilities.
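As an added illustration of the fsutil-driven workflow described above (example code written for this round-up, not code from Krzysztof Gajewski's article), the following Python script builds the fsutil command lines, records the journal's Next Usn as a baseline so a later read returns only new activity, parses the blank-line-separated "Label : Value" records fsutil prints, and decodes the reason bitmask using the USN_REASON_* flags from the Windows SDK. The sample outputs embedded in the script are constructed to mimic fsutil's layout; the exact labels, and the decimal form in which the startusn= and enumdata arguments are passed, are assumptions to verify against a real host. On Windows the script runs fsutil itself (from an elevated prompt); elsewhere it exercises the parser on the samples.

```python
"""Live USN Journal triage around fsutil (added example, not from the article).
Assumptions not taken from the article: the sample outputs are CONSTRUCTED to mimic
fsutil's "Label : Value" layout, label names may differ between Windows versions,
and startusn=/enumdata arguments are passed in decimal as in Microsoft's examples.
"""
import re
import subprocess
import sys

# USN_REASON_* bit flags as defined in the Windows SDK (winioctl.h).
USN_REASONS = {
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
    0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
    0x200000: "STREAM_CHANGE", 0x400000: "TRANSACTED_CHANGE", 0x800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}
HEX_RE = re.compile(r"0x[0-9A-Fa-f]+")


def decode_reason(mask):
    """Expand a USN reason bitmask into the flag names it contains, low bit first."""
    return [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]


def fsutil_commands(volume="C:", start_usn=None, file_path=None, file_ref=None, usn_range=None):
    """argv lists for the four fsutil verbs the article covers."""
    cmds = {"queryjournal": ["fsutil", "usn", "queryjournal", volume],
            "readjournal": ["fsutil", "usn", "readjournal", volume]}
    if start_usn is not None:  # resume after a USN captured earlier: only new activity comes back
        cmds["readjournal"].append(f"startusn={start_usn}")
    if file_path is not None:  # the current USN record of one file
        cmds["readdata"] = ["fsutil", "usn", "readdata", file_path]
    if file_ref is not None and usn_range is not None:  # all records for one file reference number
        lo, hi = usn_range
        cmds["enumdata"] = ["fsutil", "usn", "enumdata", str(file_ref), str(lo), str(hi), volume]
    return cmds


def parse_records(text):
    """Split fsutil's blank-line-separated 'Label : Value' blocks into dicts (keys lower-cased)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                rec[key.strip().lower()] = value.strip()
        if rec:
            records.append(rec)
    return records


def reason_mask(rec):
    m = HEX_RE.search(rec.get("reason", ""))
    return int(m.group(0), 16) if m else 0


def next_usn(queryjournal_text):
    """'Next Usn' from queryjournal output: the baseline for the next incremental read."""
    for rec in parse_records(queryjournal_text):
        if "next usn" in rec:
            return int(rec["next usn"], 16)
    return None


def file_history(records, name):
    """Every journal record for one file name, oldest first, with the reason mask decoded."""
    return [{"usn": int(r["usn"], 16), "time": r.get("time stamp"), "file_id": r.get("file id"),
             "reasons": decode_reason(reason_mask(r))}
            for r in records if r.get("file name", "").lower() == name.lower()]


def deleted_files(records):
    """Names carrying FILE_DELETE, usually the first thing a live responder wants."""
    return sorted({r["file name"] for r in records if reason_mask(r) & 0x200})


# CONSTRUCTED samples in fsutil's layout; not captured from a real host.
SAMPLE_QUERYJOURNAL = "Usn Journal ID   : 0x01db2f3c9a1b4c00\nNext Usn         : 0x00000000000af300\n"
SAMPLE_READJOURNAL = """\
Usn               : 0x00000000000af100
File name         : payload.ps1
Reason            : 0x80000100: File create | Close
Time stamp        : 10/25/2024 10:01:17
File ID           : 000000000000000000030000000001a2

Usn               : 0x00000000000af1a0
File name         : payload.ps1
Reason            : 0x80000002: Data extend | Close
Time stamp        : 10/25/2024 10:01:18
File ID           : 000000000000000000030000000001a2

Usn               : 0x00000000000af220
File name         : payload.ps1
Reason            : 0x80000200: File delete | Close
Time stamp        : 10/25/2024 10:04:02
File ID           : 000000000000000000030000000001a2
"""

if __name__ == "__main__":
    if sys.platform == "win32":  # live host: run fsutil itself (elevated prompt required)
        cmds = fsutil_commands("C:")
        run = lambda argv: subprocess.run(argv, capture_output=True, text=True, check=True).stdout
        query, journal = run(cmds["queryjournal"]), run(cmds["readjournal"])
    else:  # elsewhere: exercise the parser on the constructed samples
        query, journal = SAMPLE_QUERYJOURNAL, SAMPLE_READJOURNAL
    records = parse_records(journal)
    print("baseline for next incremental read: startusn =", next_usn(query))
    print("deleted:", deleted_files(records))
    for ev in file_history(records, "payload.ps1"):
        print(hex(ev["usn"]), ev["time"], ev["reasons"])
```

Capturing Next Usn first and passing it back as startusn= on the following pass is what makes repeated live checks practical: each run returns only the records written since the previous one instead of walking the whole journal again.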
13Cubed XINTRA Lab Windows memory forensics challenge walkthrough
In this 13Cubed episode, viewers get an in-depth walkthrough of a Windows memory forensics challenge from the 13Cubed XINTRA lab, covering practical application of memory analysis and investigative skills. Using tools such as MemProcFS, the episode works through a series of questions on both a workstation and a server image, explaining each problem-solving step along the way.
Brett Shavers: Reproducibility of results is required in science. But AI results are not reproducible…what now, DFIR?
As AI increasingly integrates into Digital Forensics and Incident Response (DFIR), it presents both advancements and risks. While AI can accelerate analysis and uncover patterns, its inconsistent outputs challenge the repeatability crucial to forensic science, and hallucinations (false AI-generated information) can compromise legal credibility. These risks underscore the need for human validation of AI’s findings, as well as for clear standards on AI use in investigations. Offline tools, like Belkasoft’s BelkaGPT, mitigate risks by restricting answers in uncertain cases, exemplifying privacy-centered approaches. With rigorous oversight, AI can enhance DFIR, provided its role is supplementary, not standalone.
Thiago Lahr announces UAC (Unix-like Artifacts Collector) v3.0.0 has been released
UAC 3.0.0, released on October 22, 2024, introduces major improvements in artifact collection, output options, and command-line flexibility. Key features include a new --enable-modifiers option for artifact modification, expanded output formats such as direct and password-protected zip, and custom paths for external profiles and artifacts. New command-line options allow verbose logging, transfer of the collection to remote cloud storage, and hashing of collected files. The release also adds new artifact collections across operating systems, with streamlined syntax for artifact conditions and updated profile settings. Notably, Android support is deprecated, with instructions provided for Linux compatibility.
DEFCON 32 – Defeating EDR Evading Malware with Memory Forensics
With EDR software in an "arms race" against malware developers who evade detection through increasingly sophisticated methods, the researchers present new memory forensics techniques to counter these EDR bypasses. By abusing low-level mechanisms such as call stacks, exception handlers, and debug registers, attackers have been able to elude EDRs, contributing to numerous high-profile intrusions. In response, the research introduces plugins for the Volatility 3 memory analysis framework designed to detect advanced bypass techniques, including direct and indirect system calls and module overwriting.
Read More (DEFCON Conference, YouTube)
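To make the detection idea concrete, the following Python script is an added, deliberately simplified heuristic written for this round-up; it is not the Volatility 3 plugin from the talk, and the memory regions it scans are constructed rather than taken from an image. It looks for the x64 syscall-stub prologue (mov r10, rcx; mov eax, SSN) in executable memory that is not backed by ntdll.dll or win32u.dll, the only modules that legitimately contain syscall instructions, and classifies a hit as a direct syscall when a syscall instruction follows within a few bytes, or as an indirect syscall when a register or RIP-relative jmp follows instead. Module overwriting (ntdll's own stubs patched in memory) is not covered here; detecting it requires comparing the mapped image against the on-disk copy.

```python
"""Heuristic scan for direct and indirect syscall stubs outside ntdll (added example).
Illustrative reduction of the detection class described in the talk; NOT the
Volatility 3 plugin from the research. Region descriptors and bytes are CONSTRUCTED;
in practice they come from VAD/module enumeration of a memory image.
"""
import re

# On x64 Windows only these modules legitimately contain syscall instructions.
NATIVE_MODULES = {"ntdll.dll", "win32u.dll"}

# mov r10, rcx ; mov eax, <SSN> ; (up to 16 bytes, e.g. the Win10 test/jne) ; syscall
DIRECT = re.compile(rb"\x4c\x8b\xd1\xb8(.{4}).{0,16}?\x0f\x05", re.DOTALL)
# mov r10, rcx ; mov eax, <SSN> ; ... ; jmp reg (FF E0..E7) or jmp [rip+disp32] (FF 25)
INDIRECT = re.compile(rb"\x4c\x8b\xd1\xb8(.{4}).{0,16}?\xff(?:[\xe0-\xe7]|\x25)", re.DOTALL)


def scan_regions(regions):
    """Flag syscall-shaped prologues in executable memory not backed by ntdll/win32u."""
    findings = []
    for reg in regions:
        if not reg["executable"]:
            continue  # bytes in non-executable memory are data, not a usable stub
        if (reg.get("module") or "").lower() in NATIVE_MODULES:
            continue  # expected home of stubs; overwrite detection needs a disk compare instead
        seen = set()
        for kind, pattern in (("direct", DIRECT), ("indirect", INDIRECT)):
            for m in pattern.finditer(reg["data"]):
                if m.start() in seen:
                    continue
                seen.add(m.start())
                findings.append({"kind": kind, "va": reg["base"] + m.start(),
                                 "ssn": int.from_bytes(m.group(1), "little"),
                                 "module": reg.get("module")})  # None => private/unbacked
    return sorted(findings, key=lambda f: f["va"])


def _hex(s):
    return bytes.fromhex(s)


# CONSTRUCTED regions: base address, protection, backing module, bytes.
SAMPLE_REGIONS = [
    {"base": 0x7FF8_0000_0000, "executable": True, "module": "ntdll.dll",
     # genuine Win10-style stub: mov r10,rcx; mov eax,0x18; test ...; jne; syscall; ret
     "data": _hex("4c8bd1 b818000000 f604250803fe7f01 7503 0f05 c3 cd2e c3")},
    {"base": 0x1E0000, "executable": True, "module": None,
     # private RWX memory with a copied stub: nop; nop; mov r10,rcx; mov eax,0x18; syscall; ret
     "data": _hex("9090 4c8bd1 b818000000 0f05 c3")},
    {"base": 0x2A0000, "executable": True, "module": None,
     # mov r10,rcx; mov eax,0x36; mov r11,<address of a syscall in ntdll>; jmp r11
     "data": _hex("4c8bd1 b836000000 49bb10000000f87f0000 41ffe3")},
    {"base": 0x3C0000, "executable": False, "module": None,
     "data": _hex("4c8bd1 b818000000 0f05 c3")},  # same bytes, but not executable
]

if __name__ == "__main__":
    for f in scan_regions(SAMPLE_REGIONS):
        print(f"{f['kind']:8} va=0x{f['va']:x} ssn=0x{f['ssn']:x} module={f['module']}")
```

The SSN values are deliberately meaningless here; in a real scan the number in mov eax identifies which native call the attacker is reaching for once mapped against the ntdll build on the image.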
Version 1.1 of iCatch (iOS Cache Analysis for Tracking Coordinates History) released
A new update has been released for iCatch, a tool designed to analyze GPS data from the iOS Cache.sqlite database for forensic purposes. iCatch allows investigators to process the Cache.sqlite file, generating a KML timeline map compatible with Google Earth and outputting data in CSV and KMZ formats with logs for further analysis. It enables customization, including radius and date/time filters to manage data size and precision, producing results in Coordinated Universal Time (UTC). With Python as its primary runtime, iCatch supports both script and executable formats, providing flexibility for various investigative needs.
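The filtering and export steps iCatch performs can be shown in a few dozen lines of Python. The script below is an added example written for this round-up, not iCatch's own code: it reads location fixes from an in-memory SQLite database constructed to resemble Cache.sqlite (the ZRTCLLOCATIONMO table and the ZLATITUDE, ZLONGITUDE, ZHORIZONTALACCURACY and ZTIMESTAMP columns are assumed from the commonly documented layout and should be verified against your own extraction), converts the Cocoa timestamps (seconds since 2001-01-01) to UTC, applies a radius filter and a date/time window, and writes a KML document with a TimeStamp per placemark so Google Earth's time slider can replay the route.

```python
"""iCatch-style processing of iOS Cache.sqlite location rows (added example, not
iCatch's code). Assumptions: table/column names follow the commonly documented
layout and ZTIMESTAMP is Cocoa time (seconds since 2001-01-01 UTC); verify both
against a real extraction. The database built here is CONSTRUCTED.
"""
import math
import sqlite3
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    """Cocoa/Core Data timestamp -> timezone-aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (spherical Earth, R = 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def load_points(con):
    """Read every cached fix, oldest first, with the timestamp converted to UTC."""
    rows = con.execute(
        "SELECT ZLATITUDE, ZLONGITUDE, ZHORIZONTALACCURACY, ZTIMESTAMP "
        "FROM ZRTCLLOCATIONMO ORDER BY ZTIMESTAMP").fetchall()
    return [{"lat": la, "lon": lo, "acc_m": acc, "utc": cocoa_to_utc(ts)} for la, lo, acc, ts in rows]


def filter_points(points, center=None, radius_m=None, start=None, end=None):
    """Keep fixes within radius_m of center (lat, lon) and/or inside the [start, end] UTC window."""
    keep = []
    for p in points:
        if center is not None and radius_m is not None and haversine_m(p["lat"], p["lon"], *center) > radius_m:
            continue
        if start is not None and p["utc"] < start:
            continue
        if end is not None and p["utc"] > end:
            continue
        keep.append(p)
    return keep


def to_kml(points, name="Cache.sqlite timeline"):
    """Minimal KML with a TimeStamp per placemark so Google Earth's time slider works."""
    marks = "".join(
        f"<Placemark><name>{escape(p['utc'].isoformat())}</name>"
        f"<TimeStamp><when>{p['utc'].strftime('%Y-%m-%dT%H:%M:%SZ')}</when></TimeStamp>"
        f"<Point><coordinates>{p['lon']},{p['lat']},0</coordinates></Point></Placemark>"
        for p in points)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            f"<name>{escape(name)}</name>{marks}</Document></kml>")


def build_sample_db():
    """CONSTRUCTED in-memory stand-in for Cache.sqlite (four fixes, Cocoa timestamps)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ZRTCLLOCATIONMO (Z_PK INTEGER PRIMARY KEY, ZLATITUDE REAL, "
                "ZLONGITUDE REAL, ZHORIZONTALACCURACY REAL, ZTIMESTAMP REAL)")
    con.executemany("INSERT INTO ZRTCLLOCATIONMO VALUES (NULL, ?, ?, ?, ?)", [
        (51.5007, -0.1246, 10.0, 751000000.0),  # Westminster, 2024-10-19 03:06:40Z
        (51.5014, -0.1419, 15.0, 751003600.0),  # about 1.2 km west, one hour later
        (51.5194, -0.1270, 8.0, 751010000.0),   # about 2.1 km north
        (48.8566, 2.3522, 30.0, 751100000.0),   # Paris, the following day
    ])
    return con


if __name__ == "__main__":
    pts = load_points(build_sample_db())
    start, end = cocoa_to_utc(751003000), cocoa_to_utc(751050000)
    hits = filter_points(pts, center=(51.5007, -0.1246), radius_m=1500, start=start, end=end)
    for p in hits:
        print(p["utc"].isoformat(), p["lat"], p["lon"], f"+/-{p['acc_m']} m")
    print(to_kml(hits))
```

Keeping every timestamp timezone-aware in UTC, as iCatch does, avoids the classic mistake of interpreting Cocoa seconds as Unix time (a 31-year offset) or rendering them in the examiner's local zone.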