As I look back at 2024, there were a lot of shifts in the digital forensic space and the overall digital information arena. It is always hard to stay on top of things that change as often as these areas do, so I really appreciate all the valuable contributions from guest bloggers this last year. I am looking forward to even more in 2025!
Computer Data Review
Even though we don’t always see major changes with computer data, some good artifacts that got the spotlight in 2024 should still be noted.
Analyzing app installation times on Windows can provide valuable data. Examiners can better understand a user’s online activity by analyzing when they installed applications like Discord, Facebook Messenger, Teams, Telegram, etc. on their desktop.
Another shift that happened in 2024 was the data split with more mobile apps also having corresponding desktop app versions. Some of the popular apps that made this transition include:
- Signal
- Telegram
- Line
- Pushbullet
- Viber
- And More!
Make sure you look at them in your Windows images and check that they match what you might have discovered in your smartphone image. Not all apps cloud-sync their data between sources, and often people use two different accounts based on where they are running the app. Data apps like Pushbullet share all the mobile notifications to the desktop and can be a valuable resource when linking your evidence.
Cloud Data Review
Cloud data has become increasingly important as we see more and more data migrate from smart devices to cloud storage. There has not been a huge shift in case law, but the workflow has changed for many examiners by adding consent collections as part of their regular procedures.
One unique cloud barrier that has occurred is related to how Google has shifted its cloud access. Many tools had to make major adjustments to their collection methods by integrating Google-authorized cloud tools. Paraben responded to this shift with the release of Paraben’s E3 Google Authenticator utility.
Another cloud change that happened is with the collection of iCloud data. Instead of solely relying on backups, many tools now look at iCloud data from the sync perspective, which allows for the acquisition of more recent data.
Finally, an additional cloud area of focus was expanding support of gaming data. Paraben added support for Steam in 2024. This popular platform contains a lot of data that provides valuable insights into user behavior and adds a more human element into your data collection through the collection of artifacts such as:
- Account info
- Contacts list
- Direct messages
- Group chat list
- Group chats
- Login history
- User avatars
Smartphone Data
As with much of the world, the digital investigation realm still focuses a lot of time on smartphone-related data. There has been an industry push for more imaging options for Apple devices, which has produced mixed results with the different tool vendors. Device imaging will always be in a tug-of-war battle with privacy, so expect constant updates happening from all providers.
Despite the shifts with Apple, we have been blessed with the ability to still recover deleted data from logical images of Apple devices.
Even as Apple and Android added new app-hiding options with locks, the forensic market was able to adapt with methods to capture the data.
Additional work will continue for most tool providers to address some of the Android shifts with their latest firmware release, but rest assured, root access is still available, and data is still recoverable.
The other significant development is the big rise in Rich Communication Services (RCS) messaging, which aims to improve communication functionality between the two primary smartphone platforms. RCS offers enhanced messaging capabilities for both platforms beyond traditional SMS and MMS, such as Wi-Fi and cellular network support.
The final big note is the increased push from device manufacturers for more user privacy with things like the default automated device reboot for iOS devices that are idle for 72 hours. Similar privacy functionality is also available with some Android devices. The 72-hour reboot has been a hot topic in many online forums and blogs. These new reset options mean it is even more critical for devices to be processed promptly with FIFO (First In, First Out), to prevent data loss or alteration. I have seen some examiners who believe that Faraday protection no longer matters. This is a misstep that could lead to more data loss. The use of Faraday technology can still protect devices from data changes and data loss/wipe commands. Protection of the data has always been a basic principle in the seizure of a device and that has not changed. The added default reset commands do not decrease the need to protect devices before processing.
A general trend that has been seen throughout the digital investigations industry has been the increasing popularity of OSINT data and DFIR data being used together to get a larger 360-degree perspective of an investigation. This shift has happened through a combination of different tools adding OSINT capabilities, like Paraben’s E3 has done, along with open-source tools creating compatible inputs that can be used with forensic tools.
Additionally, the open-source DFIR community surged last year with tools offering parsing of unique artifacts, and overall having more participation in the industry. As with all tools, the valuable step of verification of the data produced should always come into play. This step becomes even more critical when using open-source tools that may not go through the same rigorous testing as commercially developed software. Give yourself extra time for verification of your tools so you can have a solid mix between commercial and open-source.
Conclusion
The digital investigation community saw a surge in virtual events due to the pandemic in 2020, and this trend will continue in 2025, with even more conferences adding virtual options and more training courses moving to virtual.
Remember that these online events offer valuable opportunities for professional development. Not only do they enhance your knowledge and skills, but they also provide a platform for networking with DFIR practitioners from around the globe.
The last note is for all those looking to get into the field of digital forensics or digital investigations in general. It is a long road to get into an active position and the more experience the better. Many times, that is a cart-before-the-horse scenario. Put yourself out there to volunteer for different organizations that might not have a full cyber team to gain valuable experience. If you have a tight budget (or none at all), don’t be afraid to ask the commercial tool providers for trades. Offer to provide a write-up or do testing for them in exchange for a longer-term temporary software license. Use the rich open-source community and its tools to get your foot in the door. Participation and kindness go hand in hand, so ask nicely and many times you might get what you ask for.