We celebrate our two-year podcast anniversary and discuss the importance of thorough case preparation for CSAM cases, courtroom experience, and extracting evidence from iOS devices.
• SANS Difference Maker Awards open for nominations through September 15th across multiple categories
• AI debate webinar with Magnet Forensics scheduled for September 17th
• Binary Hick's blogs reveal insights on iOS search party and Samsung's Rubin and Digital Wellbeing databases
• Discussion on properly preparing CSAM cases for trial with understanding of statutes and evidence requirements
• Brett Shavers' article highlights importance of attending trials to understand courtroom proceedings
• iOS File Provider Storage in BFU extractions can reveal user-created images with metadata
• Updates to LEAPPS tool including CashApp parser improvements and Snapchat returns parser
• New Lava viewer coming soon for the LEAPPS project
Notes:
SANS Difference Makers Awards-
https://docs.google.com/forms/d/e/1FAIpQLSeLNMZm3r4c9WSKdNW8XaPh6KRXoS3C1WI51UtnEANe2osCpQ/viewform
AI Unpacked #5: The great AI debate with Digital Forensics Now-
https://www.magnetforensics.com/resources/ai-unpacked-5-the-great-ai-debate-with-digital-forensics-now/
The Binary Hick New Blogs-
https://thebinaryhick.blog/2025/08/19/further-observations-more-on-ios-search-party/
https://thebinaryhick.blog/2025/08/06/not-strange-bedfellows-samsungs-rubin-digital-wellbeing/
Monolith Notes-
https://www.monolithforensics.com/free-tools
Brett Shavers- Courtroom Trials Are the Final Exam for Your Work. Why Haven’t You Attended One?-
linkedin.com/in/brettshavers/recent-activity/all/
Digital Forensics Now Podcast
Friday, August 29, 2025
Thursday, July 31, 2025
From Cryptic Apps to Clickable Maps: Making Sense of Digital Evidence
We're back! After a short break we are back to discuss the growing crossover between real-world events and digital evidence in court cases, highlighting how device data can make or break timelines in high-stakes investigations.
This episode covers:
• Ian Whiffin’s latest forensic work, including iOS power log timestamps, Apple Health data reliability, iPhone battery temperature readings, and IR Doppler functionality – with examples of how these artifacts were used in a recent homicide trial to validate timelines and environmental conditions.
• Kevin Pagano’s App Store Package Search tool, which translates obscure bundle IDs into recognizable app information for easier analysis.
• Concerns over the growing reliance on AI in digital forensics, emphasizing the need for human expertise and proper validation in every step of the process.
• A demonstration of LUMYX, a mapping tool that converts extracted location data into customizable visual timelines for courtroom presentations.
• Updates on LAVA (LEAPPS Artifact Viewer App) and guidance on writing LAVA-compliant artifacts to improve reporting workflows.
Notes:
Ian's FOUR Newest Blogs
https://www.doubleblak.com/blogPost.php?k=powerlog
https://www.doubleblak.com/blogPost.php?k=healthaccuracy
https://www.doubleblak.com/blogPost.php?k=temperature
https://www.doubleblak.com/blogPost.php?k=doppler
Ian Whiffin Testimony
https://www.youtube.com/watch?v=kahgl-mIUFE
Kevin Pagano Stark4n6 app store package search
https://www.stark4n6.com/2025/07/introducing-asp-app-store-package-search.html
https://github.com/stark4n6
Elcomsoft Article- AI driven Password Recovery Myth or Reality?
https://blog.elcomsoft.com/2025/07/ai-driven-password-recovery-myth-or-reality/
Beyond the Badge AI's role in Modern Investigations
https://www.magnetforensics.com/blog/beyond-the-badge-ais-role-in-modern-investigations/
LUMYX
https://lumyx.com/
LEAPPs
leapps.org
How to make LAVA Compliant LEAPP Artifacts
https://www.linkedin.com/video/live/urn:li:ugcPost:7356497708628520962/
UFADE
https://cp-df.com/en/blog/ufade_touch.html
Thursday, June 26, 2025
Techno, Timeline, and Training Truths
We kick off this episode with highlights from the Techno Security Conference, our 80s-themed outfits, packed LEAPP labs, AI panel discussions, and great conversations with friends and colleagues across the field.
We discuss Brett Shavers’ recent series on DFIR entry-level work, and share our thoughts on the need for better forensic training and clearer distinctions between forensics, cybersecurity, and incident response.
We also talk about recent tool changes in the industry: Cellebrite’s acquisition of Corellium, which could make mobile app testing more accessible, and Magnet’s purchase of Dark Circuit Labs.
We cover Harper Shaw’s Vehicle Network App, a valuable source of vehicle-related data. Alongside that, we highlight a recent blog on cached screenshots in Windows 11.
Be sure to check out the excellent “Parsing the Truth” podcast.
Heather walks through her Easter road trip to test Android's Timeline feature (formerly Google Location History). The location data was impressively accurate, but also showed how easily some points can mislead without the right context.
Catch us at IACIS Reno in January and check out some of the resources we mentioned.
Notes:
Parsing the Truth: One Byte at a Time
https://parsingthetruth.com/
Cached Screenshots on Windows 11
https://thinkdfir.com/2025/06/13/cached-screenshots-on-windows-11/
The Vehicle Network App from Harper Shaw
https://harpershaw.co.uk/the-vehicle-network-app-1
Belkasoft CTF
https://belkasoft.com/belkactf7/
Brett Shavers 6 part series
https://www.linkedin.com/pulse/dfir-really-entry-level-brett-shavers-ewsvc/
https://www.dfir.training/new-to-dfir/dfir-career
Artifact of the Week/Android Location History
https://thebinaryhick.blog/2024/06/28/the-green-look-back-androids-on-device-location-history/
Thursday, May 15, 2025
Every Breath You Take, Every Swipe You Make—Your iPhone’s Logging It
Apple devices are constantly recording user activity, yet few forensic examiners are making use of the vast amount of data these systems quietly generate. Apple's Unified Logs and Spotlight databases track nearly everything that happens on an iOS device, often without the user realizing it.
Would you believe an iPhone can generate around 1.5 million log entries in just 15 minutes of regular use? These records include highly specific actions—such as the exact moment Face ID is used to unlock a device, when the phone is flipped face-up, or whether a user interacted with Siri or used the device manually. Despite their detail and reliability, these sources are often overlooked in mobile investigations.
In this session, we’ll show how forensic practitioners can process and search these massive log sets using open-source tools. We’ll walk through examples of log entries that record actions like toggling airplane mode, launching specific apps like Facebook, or even detecting changes in device orientation. For investigators, this means direct, time-stamped evidence of how a device was used.
One of the most valuable aspects of this data is its ability to help distinguish between user actions and automatic background processes. Was an app opened by the user, or was it a system event? These logs provide that level of clarity. We’ll demonstrate how to isolate specific events from millions of entries and construct accurate timelines that reflect exactly what happened—and when.
As part of our ongoing work, we’re also focused on improving the accessibility and usability of these artifacts by incorporating them into the LEAPPs. If you work with iOS devices, this is a session you won’t want to miss.
Notes:
2026 IACIS in Reno NV-
https://www.iacis.com/training/reno-info/
Spotlight-
https://github.com/ydkhatri/mac_apt
Unified Logs-
https://www.ios-unifiedlogs.com/
https://github.com/abrignoni/iLEAPP
Thursday, May 1, 2025
Stomping Grounds: Digital Forensics at IACIS 2025
The Digital Forensics Now podcast brings together the core LEAPPs developer team for a candid, unscripted conversation about mobile forensics, legal challenges, and the future of their tools during the IACIS conference in Orlando.
• First time bringing together most of the LEAPPs development team in person
• Florida's new requirement for 10-day search warrant renewals creates significant challenges for long-running forensic processes
• Timestamp parameters in warrants can limit investigators' ability to discover relevant evidence
• Paladin now includes the LEAPPs integration, making powerful open-source forensic tools more accessible
• Real-world success stories of the LEAPPs helping solve cases when commercial tools failed
• Introduction of "The DFIR Investigative Mindset" book with technical editor Lee Harris
• Multiple specialized forensic training courses available at IACIS including incident response, drone, MAC and RAM forensics
Join us in two weeks for a more technical episode exploring new forensic artifacts and techniques.
Thursday, April 10, 2025
The "Bear" Essentials of Digital Forensics 🐻
The digital forensics world isn’t slowing down — and neither are we. In this episode, we celebrate Heather’s well-deserved recognition as Cellebrite’s Mentor of the Year 2025. Naturally, there were a few speech mishaps and, somehow, a bear raiding Heather’s bird feeder (yes, actual wildlife). But between the chaos, we get serious about the fast-changing landscape of digital evidence collection.
We dig into Amazon’s decision to remove the "do not send voice recordings" setting from Echo devices — meaning all voice requests now head straight to the cloud for AI training. It’s part of a growing industry trend, raising huge privacy red flags. We also unpack a study showing AI search engines misattribute sources at rates over 60%, and discuss how leaning too hard on generative AI risks dulling the critical thinking that digital forensics demands.
On the technical front, Christian Peter reveals that some forensic tools alter or delete unified logs during extraction — a serious concern for evidence integrity that can compromise investigations before they even begin. We also walk through a deep dive into Snapchat artifacts, showing how to connect media files to user actions and locations by following database breadcrumbs that automated tools tend to overlook.
Through it all, one theme stays clear: while technology keeps racing ahead, the responsibility for getting it right stays firmly with the examiner. As one guest bluntly put it, "We might be the last generation of cognitive thinkers."
Tune in for a sharp, insightful, and slightly unpredictable conversation at the intersection of bears, bytes, and the future of digital evidence.
Notes:
Mobile Forensics Are you nerd enough?
https://www.msab.com/events-webinars/webinar-are-you-nerd-enough/
New Podcasts!
https://osintcocktail.com/
https://www.youtube.com/@hexordia
Amazon "Do Not Send Voice Recordings" Privacy Feature
https://www.usatoday.com/story/tech/2025/03/17/amazon-echo-alexa-reporting-privacy/82503576007/
https://www.thesun.co.uk/tech/33907850/amazon-alexa-echo-do-not-send-voice-recordings
AI search engines cite incorrect news sources at an alarming 60% rate, study says
https://arstechnica.com/ai/2025/03/ai-search-engines-give-incorrect-answers-at-an-alarming-60-rate-study-says/
The Slow Collapse of Critical Thinking in OSINT due to AI
https://www.dutchosintguy.com/post/the-slow-collapse-of-critical-thinking-in-osint-due-to-ai
NIST
https://www.nist.gov/news-events/news/2025/01/updated-guidelines-managing-misuse-risk-dual-use-foundation-models
Don't lose your logbook
https://www.linkedin.com/pulse/dont-lose-your-logbook-christian-peter-ebcje
Not All Encryption is created equal
https://www.s-rminform.com/latest-thinking/cracking-the-vault-exposing-the-weaknesses-of-encrypted-apps
Thursday, March 6, 2025
The Iceberg of Digital Evidence: What AI Can't See
The boundary between tool-dependent analysis and true forensic expertise grows increasingly blurred as AI enters the digital forensics landscape. Alexis Brignoni and Heather Charpentier reunite after a month-long hiatus to sound the alarm on a concerning trend: the integration of generative AI into forensic tools without adequate safeguards for verification and validation.
Drawing from Stacey Eldridge's firsthand experience, they reveal how AI outputs can be dangerously inconsistent, potentially creating false positives (or missing critical evidence) while providing no reduction in examination time if proper verification procedures are followed. This presents investigators with a troubling choice: trust AI results and save time but risk severe legal and professional consequences, or verify everything and negate the promised efficiency benefits. The hosts warn that as AI becomes ubiquitous in forensic tools, it dramatically expands the attack surface for challenging evidence in court—especially when there's no traceability of AI prompts, responses, or error rates.
Beyond the AI discussion, the episode delivers practical insights for investigators, including an in-depth look at the Android gallery trash functionality. When users delete photos, these files remain in a dedicated trash directory for 30 days with their original paths and deletion timestamps fully preserved in the local DB database—a forensic goldmine for cases where suspects attempt to eliminate evidence shortly before investigators arrive. Other highlights include recent updates to the Unfurl tool for URL analysis, Parse SMS for recovering edited and unsent iOS messages, and Josh Hickman's research on Apple CarPlay forensics.
Whether you're investigating distracted driving cases, analyzing group calls on iOS, or simply trying to navigate the increasingly complex digital evidence landscape, this episode offers both cautionary wisdom and practical techniques to enhance your forensic capabilities. Join the conversation as we explore what it truly means to be a digital forensic expert in an age of increasing automation.
Ready to strengthen your digital investigation skills? Subscribe now for more insights from the front lines of digital forensics.
Notes:
Magnet Virtual Summit Presentations
https://www.magnetforensics.com/magnet-virtual-summit-2025-replays/
https://www.stark4n6.com/2025/03/magnet-virtual-summit-2025-ctf-android.html
parse_smsdb
https://www.linkedin.com/posts/alberthui_ios-16-allows-for-imessagesmsmmsrcs-message-activity-7279586088988413952-xHWl
https://github.com/h4x0r/parse_sms.db/tree/main
Are you a DF/IR Expert Witness or Just a Useful Pawn?
https://www.linkedin.com/posts/dfir-training_a-pawn-moves-where-its-told-a-dfir-expert-activity-7292981112463572992-c3wd/
Unfurl
https://dfir.blog/unfurl-parses-obfuscated-ip-addresses/
https://github.com/obsidianforensics/unfurl
AI to Summarize Chat Logs and Audio from Seized Mobile Phones
https://www.404media.co/cellebrite-is-using-ai-to-summarize-chat-logs-and-audio-from-seized-mobile-phones/
Ridin' With Apple CarPlay 2
https://thebinaryhick.blog/2025/02/19/ridin-with-apple-carplay-2/
Hello Who is on the Line?
https://metadataperspective.com/2025/02/05/hello-who-is-on-the-line/