A round-up of this week’s digital forensics news and views:
Using Covert Research Accounts in OSINT Investigations
Raymond James Todd explores the strategic use of covert research accounts in OSINT, highlighting their role in intelligence gathering, while addressing the significant ethical and legal challenges they pose. These fictitious online identities enable discreet observation and interaction within specific groups, but their deceptive nature raises concerns, especially in terms of privacy, legal compliance, and the potential harm to vulnerable populations. Raymond emphasizes the importance of careful management, adherence to ethical guidelines, and the need for clear legal frameworks to navigate the complexities surrounding their use in investigations.
Read More (UK OSINT Community)
macOS Sequoia and DFIR: what investigators need to know
With the release of macOS Sequoia on September 16th, Apple is set to reshape the landscape of Digital Forensics and Incident Response (DFIR). This new iteration introduces a suite of AI-driven features, including Apple Intelligence, AI-powered writing and image tools, and integrated ChatGPT, which pose both novel opportunities and complex challenges for forensic investigators. Key updates such as enhanced Siri capabilities, iPhone Mirroring, and new data sources like AI interaction logs and improved Maps demand that DFIR professionals swiftly adapt their tools and techniques. Investigators will need to handle AI-generated content, cross-device data flows, and advanced data encryption so that digital forensics keeps pace with Apple’s rapidly evolving technology ecosystem.
Shimcache Execution Is Back – What You Need to Know!
Mike Peterson from nullsec.us appears on the 13 Cubed podcast to discuss important new research on Shimcache/AppCompatCache. He explains how this artifact can potentially be used to prove program execution in Windows 10 and later—a capability that was previously thought impossible. Peterson’s insights shed light on the evolving understanding of this artifact and its implications for digital forensics on modern Windows systems.
Kathryn Hedley’s parseusbs script updated to include EID 1006 events from the Windows-Partition-Diagnostic log
Kathryn Hedley, a Digital Forensic Specialist and SANS Certified Instructor/Author, announces an update to her script for parsing USB connection artifacts from mounted Windows volumes. The latest version now includes EID 1006 events from the Windows-Partition-Diagnostic log, enabling users to capture connect and disconnect times, volume serial numbers (VSNs), and filesystem types.
A Word on DFIR Credentials
Brett Shavers emphasizes the critical importance of competence in Digital Forensics and Incident Response (DFIR), arguing that credentials alone are not enough if one cannot perform the work competently. He calls for a clear definition and standardization of competence in the field to avoid hiring mismatches and frustration on both sides. Shavers highlights that true competence is proven through real-world experience, beyond formal education and certifications. He also points out that anyone sharing knowledge in DFIR—whether through teaching, blogging, or speaking—plays a role in influencing the field, urging professionals to embrace their impact and continue guiding others toward competence.
Bitlocker Key Finder v3.3
The Bitlocker Key Finder tool receives a major update, featuring a new user interface, speed improvements, and expanded file format support for CSV, DOCX, XLSX, and RTF files, along with enhanced reporting functions. Designed for scenarios where multiple powered-down devices, including Bitlocked external drives, need imaging and key retrieval, the tool now offers refined search capabilities. It scans directories and file systems for Bitlocker keys stored as plaintext files, cloud-synced text files, or hidden BEK files. Users can choose between simple file name searches or exhaustive content searches, with results delivered in a CSV report. The tool can also triage live systems when run as an administrator, providing detailed recovery key data summaries and text reports, simplifying the process of key recovery from a mounted image or live system. The output directory defaults to the executable’s location, making it ideal for use from a triage drive.
Read More (North Loop Consulting)
Journal of Forensic Sciences: Artifacts in Digital & Multimedia Forensics
The Digital & Multimedia Sciences (DMS) Section of the American Academy of Forensic Sciences (AAFS), established in 2008 as the first new section added since the 1970s, focuses on the forensic analysis of computers, mobile devices, networks, and multimedia. Initially formed from members of the General & Engineering Sections, the DMS Section now encompasses a diverse group of practitioners, academics, and researchers. As digital technologies evolve, the section tackles emerging challenges, from the forensic implications of the Internet of Things (IoT) and vehicle infotainment systems to the growing threat of synthetic media and deepfakes in legal proceedings. This special virtual issue of the Journal of Forensic Sciences highlights articles addressing the discovery and identification of digital artifacts, underscoring the journal’s role in sharing cutting-edge forensic research and methodologies.
Read More (Wiley Online Library)
Xeuledoc – a free tool which fetches information about any public Google document
A new tool called Xeuledoc is gaining attention for its ability to reveal the full registered name and email address of the creator behind a Google Docs URL, a feature that can be particularly useful in investigations. During a probe into crypto-investment scams, Xeuledoc helped uncover the identity of a document’s author who had used their private Gmail account, demonstrating poor operational security. The tool outputs key information, including the registrant’s name and email, the creation and last edit dates, and the GAIA ID associated with the email account. While GAIA IDs cannot be directly linked back to email addresses, they can provide valuable connections during broader research efforts. Xeuledoc can be installed from its repository, and users can run it through the terminal with a simple command. The tool was recently highlighted on Michael Bazzell’s blog, which offers further insights and tips on using search engine dorks to find Google Docs of interest.