Thursday, March 6, 2025

The Iceberg of Digital Evidence: What AI Can't See

The boundary between tool-dependent analysis and true forensic expertise grows increasingly blurred as AI enters the digital forensics landscape. Alexis Brignoni and Heather Charpentier reunite after a month-long hiatus to sound the alarm on a concerning trend: the integration of generative AI into forensic tools without adequate safeguards for verification and validation.

Drawing from Stacey Eldridge's firsthand experience, they reveal how AI outputs can be dangerously inconsistent, potentially creating false positives (or missing critical evidence) while providing no reduction in examination time if proper verification procedures are followed. This presents investigators with a troubling choice: trust AI results and save time but risk severe legal and professional consequences, or verify everything and negate the promised efficiency benefits. The hosts warn that as AI becomes ubiquitous in forensic tools, it dramatically expands the attack surface for challenging evidence in court—especially when there's no traceability of AI prompts, responses, or error rates.

Beyond the AI discussion, the episode delivers practical insights for investigators, including an in-depth look at the Android gallery trash functionality. When users delete photos, these files remain in a dedicated trash directory for 30 days with their original paths and deletion timestamps fully preserved in the local DB database—a forensic goldmine for cases where suspects attempt to eliminate evidence shortly before investigators arrive. Other highlights include recent updates to the Unfurl tool for URL analysis, Parse SMS for recovering edited and unsent iOS messages, and Josh Hickman's research on Apple CarPlay forensics.

Whether you're investigating distracted driving cases, analyzing group calls on iOS, or simply trying to navigate the increasingly complex digital evidence landscape, this episode offers both cautionary wisdom and practical techniques to enhance your forensic capabilities. Join the conversation as we explore what it truly means to be a digital forensic expert in an age of increasing automation.

Ready to strengthen your digital investigation skills? Subscribe now for more insights from the front lines of digital forensics.

Notes:

Magnet Virtual Summit Presentations
https://www.magnetforensics.com/magnet-virtual-summit-2025-replays/
https://www.stark4n6.com/2025/03/magnet-virtual-summit-2025-ctf-android.html

parse_smsdb
https://www.linkedin.com/posts/alberthui_ios-16-allows-for-imessagesmsmmsrcs-message-activity-7279586088988413952-xHWl
https://github.com/h4x0r/parse_sms.db/tree/main

Are you a DF/IR Expert Witness or Just a Useful Pawn?
https://www.linkedin.com/posts/dfir-training_a-pawn-moves-where-its-told-a-dfir-expert-activity-7292981112463572992-c3wd/

Unfurl
https://dfir.blog/unfurl-parses-obfuscated-ip-addresses/
https://github.com/obsidianforensics/unfurl

AI to Summarize Chat Logs and Audio from Seized Mobile Phones
https://www.404media.co/cellebrite-is-using-ai-to-summarize-chat-logs-and-audio-from-seized-mobile-phones/

Ridin' With Apple CarPlay 2
https://thebinaryhick.blog/2025/02/19/ridin-with-apple-carplay-2/

Hello Who is on the Line?
https://metadataperspective.com/2025/02/05/hello-who-is-on-the-line/

Thursday, January 23, 2025

Mind Matters: Navigating DFIR with Balance

Get ready for a hands-on look at digital forensics and the challenges professionals tackle every day. We share a story about forensic guessing that highlights the importance of testing assumptions and following the evidence to avoid errors. The discussion emphasizes how staying grounded in facts can prevent investigations from going off track.

We also highlight advancements in forensic tools and training. Learn about tools like Belkasoft, the UFADE tool for iOS device extraction, and SQBite for SQLite database analysis. These tools are improving efficiency and accessibility in the field.

But it’s not all about the tech. We address the important topic of mental health in digital forensics. We discuss the pressures of the job, strategies for managing stress, and the importance of supporting one another. Personal experiences and practical tips highlight the need to prioritize mental well-being in this demanding field.

This episode provides valuable information on tools, investigative approaches, and mental health strategies for forensic professionals.

Notes:

Belkasoft Windows Forensics Course
https://belkasoft.com/windows-forensics-training

Updates to UFADE
https://github.com/prosch88/UFADE/releases

The Duck Hunter's Blog
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-1.html
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-2.html
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-3.html

SQBite
https://digital4n6withdamien.blogspot.com/2025/01/introducing-sqbite-alpha-python-tool.html
https://github.com/SpyderForensics/SQLite_Forensics/tree/main/SQBite

Mental Health in DFIR
https://thebinaryhick.blog/2019/06/21/mental-health-in-dfir-its-kind-of-a-big-deal/
https://www.forensicfocus.com/podcast/the-impact-of-traumatic-material-on-dfir-well-being/
https://www.forensicfocus.com/news/dfir-and-mental-health-are-we-doing-enough-to-protect-investigators/
https://www.sciencedirect.com/science/article/pii/S2666281721000251
https://belkasoft.com/preventing-burnout-in-digital-forensics
https://www.magnetforensics.com/resources/taking-care-of-mental-health-during-digital-forensics-investigations/
https://www.harmlessthepodcast.com/
https://www.shiftwellness.org/about-us
https://www.nyleap.org/

What's New with the LEAPPS
https://github.com/abrignoni

Thursday, January 2, 2025

New Year, New Discoveries: Diving into Digital Forensics!

Kick off your new year with some forensic fun as we recount our holiday escapades and dive into the latest in digital forensics! Ever wondered how RAM dumps from Android devices can reveal crucial data? We spotlight MSAB's innovative RAMalyzer tool and their new blog series covering RAM from mobile devices.

Discover how the digital forensics community is collaborating to propel the field forward, as we share insights from the DF Pulse 2024 Digital Forensic Practitioner Survey and the delicate dance between competition and cooperation. Standardization is the name of the game, and we're exploring how the field of digital forensics can benefit from it.

Updates to Magnet Axiom's date range capabilities showcase the ceaseless evolution of digital forensics tools. Journey with us as we tackle the intricacies of Bluetooth tracker detection, all while considering the dual nature of technology and the significance of using it responsibly.

From exploring Richard Davis's work with 13 Cubed to discussing Yogesh Khatri's contribution to analyzing the USN Journal, we shine a light on the vital role of principles in our field.

With warm wishes for the new year, we invite you to stay tuned for more episodes brimming with insights and camaraderie.

Notes:

MSAB RAMalyzer series!
https://msab.com/resources/blog/

Paraben Forensic Innovation Conference
https://link.reachpenguin.com/widget/form/99kVMTgaA0mbpZvYLTjG

Tip Tuesday: Troubleshooting in PA
https://www.youtube.com/watch?v=eSNovfdwucw&list=PLwmKlEiYNUYte-pnlbw45YKpPB7K8xCgC&index=1

DFPulse: The 2024 digital forensic practitioner survey
https://www.sciencedirect.com/science/article/pii/S2666281724001719

Magnet Axiom Cyber 8.7: Acquire iCloud backups from ADP-enabled accounts, and more!
https://www.magnetforensics.com/blog/magnet-axiom-cyber-8-7-icloud-adp-and-more/

Android Will Let You Find Unknown Bluetooth Trackers Instead of Just Warning You About Them
https://www.engadget.com/mobile/smartphones/android-will-let-you-find-unknown-bluetooth-trackers-instead-of-just-warning-you-about-them-204707655.html

Be Kind, Rewind... The USN Journal
https://youtu.be/GDc8TbWiQio?feature=shared

Apple Photos phones home on iOS 18 and macOS 15
https://lapcatsoftware.com/articles/2024/12/3.html

SWGDE Considerations for Required Minimization of Digital Evidence Seizure
swgde.org/16-f-002/

Thursday, December 12, 2024

The Gift of Expertise: Why Forensics Matter in the Courtroom

Join us for a holiday-themed episode of Digital Forensics Now, where we blend expert insights with personal stories from the field of digital forensics.

This episode delves into cutting-edge tools and techniques for digital forensics. Explore insights from Arsenal on advanced methods for analyzing swap space and memory files. We also share experiences with the Samsung Secure Health Data Parser, highlighting the challenges of decrypting health databases and the critical role of UFED in overcoming them. Don’t miss an in-depth look at the remarkable features of ArtEX, showcasing its value to examiners. Additionally, we introduce the LEAPPS Artifact Viewer App (LAVA), a groundbreaking tool unveiled at the Cyber Social Hub conference.

We discuss the vital role of forensic experts in legal proceedings, from the importance of meticulous validation to the risks of mishandling evidence. Real-world cases and controversial court rulings highlight why expert testimony remains essential in interpreting digital artifacts.

We close with gratitude to our listeners and warm holiday wishes. Stay tuned on social media for updates on our next live session after the holidays.

Notes:

Working with 010 Hex-Editor
https://www.youtube.com/playlist?list=PLCS2zI95IiNwheFCTaUEytA1GT0mNOOdn

Arsenal Releases a New Tool!
https://arsenalrecon.com/additional-products

Samsung Secure Health Data Parser - A Forensic Tool for Parsing & Analyzing Samsung Secure Health Databases
https://github.com/breakpointforensics/Samsung-Secure-Health-Data-Parser-/tree/main

ArtEx Artifact Examiner
https://www.doubleblak.com/app.php?id=ArtEx2

Why the Manual Preview/Screenshots May Not Hold Up in Court
https://www.forbes.com/sites/larsdaniel/2024/11/13/think-that-screenshot-is-proof-heres-why-it-might-not-hold-up-in-court/
https://www.forbes.com/sites/larsdaniel/2024/12/06/smartphone-forensics-and-fake-texts-how-are-courts-responding/

What's New with the LEAPPS!?
Google Keep Notes
https://charpy4n6.blogspot.com/2024/12/google-keep-notes.html
Sign up for Updates!
leapps.org

Thursday, November 21, 2024

BFU Data, Forensic Tools, and the Future of Digital Investigations

The latest episode of Digital Forensics Now kicks off with lighthearted banter about Heather's newfound fame in commercials, bringing a fun and relatable start to a tech-heavy discussion. Following the laughs, the conversation shifts to an invigorating recap of Alexis' recent experience at SANS DFIRCON, featuring interactions with digital forensics luminaries like Brian Maloney and Ian Whiffin. Ian's ArtEx tool, which cleverly maps locations for forensic investigations, also takes center stage as a highlight of the conference. The episode weaves in personal reflections, including a scenic family train ride from Orlando to Miami and the implementation of a Python artifact exercise during a teaching session.

The journey continues with a vibrant detour to the Tanganyika Wildlife Park in Kansas, where the usual birthday horseback riding tradition was replaced with unforgettable encounters like swimming with penguins, feeding giraffes, and snapping selfies with lemurs. These charming moments with nature set a refreshing tone before diving back into the tech world.

In the realm of digital forensics, the episode explores reverse engineering iOS 18, discusses the brief availability of BitLocker support in FTK Imager, and examines the evolving landscape of BFU (Before First Unlock) data extraction in law enforcement. The hosts delve deep into the complexities of digital forensics tools, translating technical data structures into accessible insights while emphasizing the importance of a strong digital evidence strategy. Topics include advancements in the LEAPP Parsers, the innovative Lava Viewer, and the latest developments in Blue Sky data structures, offering a comprehensive look at the tools shaping the field.

The episode wraps up with an open invitation for listeners to connect on social platforms, share their thoughts, and showcase innovative projects within the community, fostering a collaborative and forward-thinking space for digital forensics enthusiasts.

Notes:

iOS Devices Rebooting Continued
https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html

Samsung Secure Health Data Parser
https://breakpointforensics.com/2024/11/06/samsung-secure-health-data-parser-a-forensic-tool-for-parsing-analyzing-samsung-secure-health-databases/
https://github.com/breakpointforensics/Samsung-Secure-Health-Data-Parser-/tree/main

Mobile Forensics Data Structures: Extracting and Analyzing Data with Free Tools
https://www.hexordia.com/blog/mobile-forensics-data-structures

GAMEPLANS: A template for robust digital evidence strategy development
https://onlinelibrary.wiley.com/doi/10.1111/1556-4029.15655

Enhancing public safety using digital investigative technologies
https://majorcitieschiefs.com/wp-content/uploads/2024/10/MCCA-Digital-Evidence-White-Paper-_-Oct-2024.pdf

Importance of BFU Partial Filesystem Extractions!
https://www.linkedin.com/posts/1carl-lawrence_dfir-polcing-digitalforensics-activity-7264179600631468034-FHGh

Sumuri Gives Back 2024
https://sumuri.com/sumuri-gives-back-2024/

Thursday, November 14, 2024

iOS 18’s Inactivity Reboots Explained: AFU to BFU Transitions with Chris Vance from Magnet Forensics

Join us on the Digital Forensics Now podcast as we explore the details of the iOS 18 inactivity reboot issue with mobile forensics expert Christopher Vance from Magnet Forensics. Chris traces the origins of this challenge back to iOS 17 and explains how unified logs play a key role in diagnosing these system memory resets. This episode is packed with valuable insights for anyone interested in the inner workings of iOS devices and the unique considerations they present in digital forensics.

We also discuss device security and data preservation, focusing on iOS devices. Examining the balance between law enforcement’s need for data access and Apple’s privacy measures, we highlight the importance of extracting the data from devices quickly to prevent data loss. Our conversation covers the legal complexities, jurisdictional nuances, and the demand for data preservation tools to address these challenges effectively.

We explore recent developments in mobile technology, specifically Android 15's "Private Space" feature and how it will affect the digital forensic community's workflow.

With insights from industry experts, this episode is full of essential updates tailored for digital forensics professionals looking to stay current.

Notes:

iOS Devices Rebooting
https://www.magnetforensics.com/blog/understanding-the-security-impacts-of-ios-18s-inactivity-reboot/

5 iOS forensics evidence sources to capture before they expire
https://www.magnetforensics.com/blog/ios-forensics-evidence-sources-to-capture-before-they-expire

Mac and iOS Forensic Analysis and Incident Response Poster
https://www.sans.org/posters/macos-ios-forensic-analysis/

Thursday, October 17, 2024

AI in Court: Testimony or Tech-tastrophe?

Could AI in forensic analysis be more of a liability than an asset? Join us as we explore this pressing concern.

We kick off this episode with an important update for those dealing with Android extractions. Recent changes to the Android OS and Google Play Store might be causing the Keystore (secrets.json) file to either miss data or not be extracted at all. This brings attention to the vital role decryption keys play in accessing data from mobile devices.

Next, we dive into advancements in forensic tools like MSAB’s new RAM analyzer for XRY Pro users.

For iOS investigators, if you’re working with Cache.sqlite data, you’ll want to check out iCatch, a tool designed to map the data efficiently and streamline your workflow.

Shifting to the role of AI, we examine a recent legal case that highlights the dangers of relying on AI-generated results without proper verification. Accuracy and repeatability are key, and our discussion focuses on the ethical implications of using AI in forensic investigations. We emphasize the importance of thoroughly validating AI tools to maintain trust in the legal process.

Notes:

Updated Telegram Policy
https://www.linkedin.com/posts/luca-cadonici-41299b4b_policy-telegram-cybersecurity-activity-7244258209979334656-AxPl
https://telegram.org/privacy#8-3-law-enforcement-authorities

MSAB RAMalyzer
https://www.youtube.com/watch?v=1SEgSYSF03A

Expert witness used Copilot to make up fake damages, irking judge
https://arstechnica.com/tech-policy/2024/10/judge-confronts-expert-witness-who-used-copilot-to-fake-expertise/
https://law.justia.com/cases/new-york/other-courts/2024/2024-ny-slip-op-24258.html

iCATCH
https://github.com/AXYS-Cyber/iCATCH