ciso brief

All news with #digital forensics tag

8 articles

Android adds Intrusion Logging for forensic analysis

🔐 Intrusion Logging is an opt-in feature in Android's Advanced Protection Mode that records daily device and network activity to support forensic investigations. Developed with Amnesty International and Reporters Without Borders, it captures app launches, installs, network connections, USB file transfers, certificate changes, and lock/unlock events. Logs are end-to-end encrypted on the device, stored on Google servers for 12 months, and cannot be deleted early; users may download decrypted logs for external review but remain responsible for their security.
read more →

FBI Recovers Deleted Signal Messages from iPhone DB

🔐 The FBI reportedly extracted copies of incoming Signal messages from an iPhone’s internal push notification database after the app was deleted. The extraction occurred during a criminal case in which physical access allowed forensic tools to retrieve the notification previews iOS had stored; deleting the app did not purge them. The case underscores the privacy risk of leaving message previews enabled and the importance of disabling notification previews in Signal's own settings or in iOS notification settings, since content shown in a preview is copied outside the app's storage.
read more →

Citizen Lab: Cellebrite Used on Kenyan Activist's Phone

🔍 Citizen Lab identified indicators that Kenyan authorities used Cellebrite forensic extraction tools on the personal Samsung phone of pro-democracy activist Boniface Mwangi while it was held in police custody in July 2025. The researchers assessed with high confidence that the extraction occurred on or around July 20–21; the device was returned in September and was no longer password-protected. Such access could have enabled full extraction of messages, files, passwords and other sensitive data. The finding compounds other recent reports of commercial spyware and extraction-tool misuse against civil society.
read more →

The First 90 Seconds: Early Choices That Shape Investigations

🕒 The opening moments after detection, often called the first 90 seconds, determine whether an incident stays manageable or spirals out of control. Responders must quickly decide what to preserve, what to examine first, and whether a single affected host reflects broader compromise. Prioritize evidence of execution and preserve the historical telemetry needed to trace the intrusion backward before restoring services, since restoration often destroys it. Consistent discipline, environment knowledge, and repeatable procedures are what let teams scale investigations with confidence.
read more →

Focus Investigations: Move Beyond Detection and Response

🔍 Organizations often overemphasize detection and response at the expense of thorough investigation. While IDS, firewalls, and response teams are essential to stop immediate damage, investigation provides the root-cause insights—examining exploited vulnerabilities, attacker entry paths, and post-compromise activity—that prevent recurrence. Investing in deep packet inspection and forensic analysis turns incidents into learning opportunities and strengthens long-term resilience.
read more →

Hidden Forensic Evidence in Windows ETL: Diagtrack File

🔍 FortiGuard IR analysts discovered that an obscure ETL file, AutoLogger-Diagtrack-Listener.etl, can retain historical process execution data useful for post-incident forensics. Parsing ETW payloads exposed ProcessStarted events including ImageName, ProcessID, ParentProcessID and sometimes CommandLine entries that revealed deleted tools. Controlled testing showed creating the autologger and setting AllowTelemetry=3 often produced an empty file, indicating the DiagTrack service may populate the file only under undocumented conditions. Further research is needed to understand when and how this telemetry is written.
read more →
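As an added example (not FortiGuard's tooling), the following PowerShell triages a forensic copy of the ETL for process-start records. The default path is the usual DiagTrack autologger location and is an assumption; so are the payload field names ImageName, ProcessID, ParentProcessID and CommandLine, taken from the summary above.

```powershell
# Added example, not FortiGuard's code. Lists process-start records found in a
# DiagTrack autologger ETL. Run it against an acquired copy: the live file is
# held open by the DiagTrack service and the evidence host should not be touched.
param(
    # Assumed default autologger location; point this at your acquired copy.
    [string]$EtlPath = 'C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl'
)

# -Oldest is mandatory for .etl input; events come back in write order.
$events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop

$rows = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    # Flatten <Data Name="...">value</Data> entries into a hashtable.
    $d = @{}
    foreach ($n in @($x.Event.EventData.Data)) {
        if ($n -is [System.Xml.XmlElement]) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    }
    # Field names are assumed from the write-up; events without ImageName are skipped.
    if ($d.ContainsKey('ImageName')) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Provider  = $e.ProviderName
            EventId   = $e.Id
            Image     = $d['ImageName']
            ProcessId = $d['ProcessID']
            ParentId  = $d['ParentProcessID']
            Command   = $d['CommandLine']   # often absent; $null when not logged
        }
    }
}

# Oldest first: a tool that later disappeared from disk still shows up here.
$rows | Sort-Object Time | Format-Table Time, Image, ProcessId, ParentId, Command -AutoSize

# Preserve the parsed set next to the evidence copy for the case file.
$rows | Export-Csv -NoTypeInformation -Path (Join-Path (Split-Path $EtlPath) 'diagtrack-process-starts.csv')
```

Decode the file on a Windows build matching the source host where possible: Get-WinEvent renders ETW payloads through the provider manifests registered on the analysis machine, and an unregistered provider leaves the Data elements unnamed, in which case `tracerpt <file>.etl -o out.xml -of XML` gives a raw dump to parse by hand. As the write-up notes, an empty or near-empty file is a common outcome, so treat this source as a bonus rather than a substitute for Prefetch, Amcache or EDR telemetry.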

Volvo Third-Party Breach Highlights Forensic Readiness Gaps

🔒 In August 2025 Volvo Group North America disclosed a breach that originated in its third‑party HR provider, Miljödata, and a slow timeline of detection and notification has raised questions about forensic readiness. Reported exposed records included Social Security numbers and sensitive employee identifiers, and Volvo offered 18 months of identity‑protection services. The author provides five practical recommendations to preserve evidentiary integrity: embed forensics from day zero, align IR and forensic priorities, automate collection and triage, contractually manage vendor response, and coordinate legal messaging to reduce litigation and regulatory risk.
read more →

12 Digital Forensics Certifications to Advance Your Career

🔎 Digital forensics professionals investigate breaches to determine access methods, affected systems, and attacker actions, with the goal of preventing future incidents. This article reviews a curated list of a dozen certifications that span vendor-neutral and vendor-specific tracks, including mobile, cloud, network, memory, and Windows forensics. Each entry summarizes scope, target audience, exam format, validity period, renewal or CPE requirements, and typical training and exam fees to help practitioners choose the most appropriate credential.
read more →