Send a text

Tool output can look authoritative while still being dangerously easy to misread, and we’ve both seen how fast that goes sideways when a case hits court. Live from the MSAB Digital Summit 2026, we walk through a simple principle that saves careers: an artifact is a clue, not a conclusion. We talk about how “artifact worship” happens, how to build real corroboration, and why multiple records on the same phone are not automatically multiple lines of evidence.

We also get honest about forensic reporting and peer review. Assuming “legal will catch it” is a trap, because attorneys and supervisors may not be able to validate the technical meaning of a timestamp, a parser decision, or an attribution statement. We share practical ways to write clearer digital forensics reports, verify tool parsing, and test your assumptions so you’re not learning hard lessons under oath. If you work mobile device forensics, this section is for you.

From there we shift into training and deep technical skills that are quickly becoming baseline: Android RAM acquisition and analysis, what kinds of artifacts can show up in memory, and why RAM can hold evidence you may never find in a file system extraction. We also unpack protocol buffers (protobuf) and the uncertainty that comes with app data when the .proto schema is missing, plus why that matters when AI and automation start “helping” with interpretation. We wrap with an ALEAPP update, a reminder that a portable tool report isn’t analysis, and a quick look at how standards like Daubert and Frye raise the bar for methodology.

Notes:

Brett Shavers Blogs:

It’s Not Artifact Worship When One Artifact Actually Changes the Case https://www.linkedin.com/pulse/its-artifact-worship-when-one-actually-changes-case-brett-shavers-nwi6c/

I Thought Legal Would Catch It. They didn’t. https://www.brettshavers.com/brett-s-blog/entry/i-thought-legal-would-catch-it-they-didnt

IACIS https://www.iacis.com/events/in-person/2026-orlando-training-conference/

Send us a text

A blue jay, a busted feeder, and a brand-new camera set the tone, but only briefly.

We kick off the new year with updates from the Florida ICAC conference, including firsthand courtroom experience watching frame rate and frame count testimony in action. The episode centers on Frame Counts Galore, an open-source script for extracting and hashing every video frame, calculating true variable frame rates, and producing transparent, courtroom-ready logs and reports.

We cover upcoming DFIR conferences, introduce a lightweight AI Provenance Scanner for fast C2PA and metadata checks, and reflect on standout moments from the digital forensics year—especially the impact of open-source tools and honest conversations about the realities of the work.

The episode closes with a 2026 wish list focused on stronger education, fair workloads, and customizable forensic reporting that analysts can actually defend in court.

Happy New Year to the DFIR community.

Notes:

Frame Counts Galore-

https://github.com/abrignoni/frame-counts-galore

Upcoming Conferences-

https://www.iacis.com/

https://www.msab.com/digital-summit-2026/

https://magnetvirtualsummit.com/

https://www.technosecurity.us/

https://ofta.cellebrite.com/event/cellebrite-c2c-user-summit-2026/

AI Provenance Scanner-

https://github.com/abrignoni/AI_Provenance_Scanner

Brett Shavers Blogs-

https://www.brettshavers.com/

UFADE & ALEX-

https://github.com/prosch88

Send us a text

This episode digs into the habits that actually hold up: learning from CTF wins and post-event reviews, exploring scholarships and Reno trainings that build technical muscle, and walking through expert-witness prep that turns courtroom stress into structured, confident testimony.

We’ll unpack Brett Shavers’ reminder that truth alone doesn’t win cases—procedure, documentation, and bias-aware methods do. Clear writing matters too; vague language can undermine solid work.

On the tools side, RabbitHole v3 now recovers deleted SQLite records and rebuilds them into query-ready databases—speeding validation and reporting without losing traceability. We’ll also demo the new Android Logical Extractor: pull device info, logs, and scoped chat data with hashes and ready-to-file PDFs. It’s ideal when consent is limited or full file systems aren’t on the table, and integrates cleanly with downstream workflows.

Throughout, we emphasize one idea: tools are abstractions. If you can’t explain how a result was produced or reproduce it, you don’t own the finding. That’s especially true with AI. Generative models are nondeterministic—useful when documented, risky when their prompts or scope stay hidden. We’ll cover prompt disclosure, reproducibility, and how to write about “deleted” data with precision: previously existing, marked deleted, not referenced—describe state, not intent.

If you’re serious about improving testimony, validating results, and adopting new tools without losing forensic footing, join us. Then share your take on AI prompts and language precision—what will you change in your next report?

Notes:

IACIS Scholarships
https://www.iacis.com/awards-and-scholarships/will-docken-scholarship/
https://www.iacis.com/awards-and-scholarships/womens-scholarship/

Training Opportunities!
IACIS Reno
https://www.iacis.com/events/in-person/reno-nv/


Free DFIR Test Images + Industry Tools to Analyze Them
https://www.dfir.training/downloads/test-images

New Blogs from Brett Shavers!
https://www.linkedin.com/pulse/theres-lot-more-trial-than-you-may-know-even-have-100-brett-shavers-br4sc/
https://www.linkedin.com/pulse/case-almost-made-me-quit-dfir-shouldve-news-brett-shavers-pie1c/
https://www.linkedin.com/pulse/i-when-digital-forensics-lost-its-soul-brett-shavers-otkec/
https://www.linkedin.com/pulse/end-dfir-again-dfir-training-ab5jc/
https://www.linkedin.com/pulse/how-wreck-your-report-affidavit-testimony-one-word-brett-shavers-qkyvc/
Free Webinar
https://www.suspectbehindthekeyboard.com/fighting-city-hall-dfir-lessons-from-a-pro-se-plaintiff

Rabbithole Update
https://www.linkedin.com/posts/rabbithole-dataviewer-sqllite-ugcPost-7384144022065274880-0d0D
https://www.cclsolutionsgroup.com/forensic-products/rabbithole

ALEX Release
https://github.com/prosch88/ALEX
https://github.com/RealityNet/android_triage