Digital Forensics Now

By: Heather Charpentier & Alexis "Brigs" Brignoni

About this listen

A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.

© 2025 Digital Forensics Now Podcast
Episodes
  • Techno, Timeline, and Training Truths
    Jun 27 2025

    We kick off this episode with highlights from the Techno Security Conference, our 80s-themed outfits, packed LEAPP labs, AI panel discussions, and great conversations with friends and colleagues across the field.

    We discuss Brett Shavers’ recent series on DFIR entry-level work, and share our thoughts on the need for better forensic training and clearer distinctions between forensics, cybersecurity, and incident response.

    We also talk about recent tool changes in the industry: Cellebrite’s acquisition of Corellium, which could make mobile app testing more accessible, and Magnet’s purchase of Dark Circuit Labs.

    We cover Harper Shaw’s Vehicle Network App, a valuable source of vehicle-related data. Alongside that, we highlight a recent blog on cached screenshots in Windows 11.

    Be sure to check out the excellent “Parsing the Truth” podcast.

    Heather walks through her Easter road trip to test Android's Timeline feature (formerly Google Location History). The location data was impressively accurate, but also showed how easily some points can mislead without the right context.

    Catch us at IACIS Reno in January and check out some of the resources we mentioned.

    Notes:

    Parsing the Truth: One Byte at a Time
    https://parsingthetruth.com/

    Cached Screenshots on Windows 11
    https://thinkdfir.com/2025/06/13/cached-screenshots-on-windows-11/

    The Vehicle Network App from Harper Shaw
    https://harpershaw.co.uk/the-vehicle-network-app-1

    Belkasoft CTF
    https://belkasoft.com/belkactf7/

    Brett Shavers 6 part series
    https://www.linkedin.com/pulse/dfir-really-entry-level-brett-shavers-ewsvc/
    https://www.dfir.training/new-to-dfir/dfir-career

    Artifact of the Week/Android Location History
    https://thebinaryhick.blog/2024/06/28/the-green-look-back-androids-on-device-location-history/


    1 hr 6 min
  • Every Breath You Take, Every Swipe You Make—Your iPhone’s Logging It
    May 16 2025

    Apple devices are constantly recording user activity, yet few forensic examiners are making use of the vast amount of data these systems quietly generate. Apple's Unified Logs and Spotlight databases track nearly everything that happens on an iOS device, often without the user realizing it.

    Would you believe an iPhone can generate around 1.5 million log entries in just 15 minutes of regular use? These records include highly specific actions—such as the exact moment Face ID is used to unlock a device, when the phone is flipped face-up, or whether a user interacted with Siri or used the device manually. Despite their detail and reliability, these sources are often overlooked in mobile investigations.

    In this session, we’ll show how forensic practitioners can process and search these massive log sets using open-source tools. We’ll walk through examples of log entries that record actions like toggling airplane mode, launching specific apps like Facebook, or even detecting changes in device orientation. For investigators, this means direct, time-stamped evidence of how a device was used.

    One of the most valuable aspects of this data is its ability to help distinguish between user actions and automatic background processes. Was an app opened by the user, or was it a system event? These logs provide that level of clarity. We’ll demonstrate how to isolate specific events from millions of entries and construct accurate timelines that reflect exactly what happened—and when.

    As part of our ongoing work, we’re also focused on improving the accessibility and usability of these artifacts by incorporating them into the LEAPPs. If you work with iOS devices, this is a session you won’t want to miss.


    Notes:

    2026 IACIS in Reno NV-

    https://www.iacis.com/training/reno-info/

    Spotlight-

    https://github.com/ydkhatri/mac_apt

    Unified Logs-

    https://www.ios-unifiedlogs.com/

    https://github.com/abrignoni/iLEAPP

    1 hr 15 min
  • Stomping Grounds: Digital Forensics at IACIS 2025
    May 1 2025

    The Digital Forensics Now podcast brings together the core LEAPPs developer team for a candid, unscripted conversation about mobile forensics, legal challenges, and the future of their tools during the IACIS conference in Orlando.

    • First time bringing together most of the LEAPPs development team in person
    • Florida's new requirement for 10-day search warrant renewals creates significant challenges for long-running forensic processes
    • Timestamp parameters in warrants can limit investigators' ability to discover relevant evidence
    • Paladin now includes the LEAPPs integration, making powerful open-source forensic tools more accessible
    • Real-world success stories of the LEAPPs helping solve cases when commercial tools failed
    • Introduction of "The DFIR Investigative Mindset" book with technical editor Lee Harris
    • Multiple specialized forensic training courses available at IACIS including incident response, drone, MAC and RAM forensics

    Join us in two weeks for a more technical episode exploring new forensic artifacts and techniques.


    33 min