Kaspersky experts share insights into how AmCache may prove useful during incident investigation, and provide a command line tool to extract data from this artifact.| Securelist
Apple’s release of macOS 26 Tahoe introduced a new disk image format and updated an older one, both of which are drawing attention from system testers and forensic examiners. Apple Sparse Image Format (ASIF) The Apple Sparse Image Format (ASIF) is a single-file sparse disk image. Although it can be assigned a large nominal capacity, it only consumes space on the host volume as data is written. ASIF containers can be formatted with the file …| Help Net Security
Mobile devices are frequently the most important source of truth in legal proceedings, regulatory investigations, and internal audits. They include the context, metadata, and communications that can make or break a case. To gather mobile data, however, many legal and compliance teams continue to use conventional, face-to-face techniques, such as shipping devices, sending examiners, and […]| ModeOne
A California court in Mendones v. Cushman and Wakefield found that key video and image exhibits were GenAI deepfakes. Metadata and platform inconsistencies, plus an implausible claim that an iPhone 6 on iOS 12.5.5 used Apple Intelligence, led the court to impose terminating sanctions and dismiss the action with prejudice.| EDRM
Intellectual property and trade secrets in the modern era are predominantly stored as electronic records, or electronically stored information (ESI), which in turn increases the potential for misappropriation, exfiltration, or theft of these sensitive documents to unauthorized parties or entities outside the company domain. Historically, these electronic records have been saved to hard drives, file […]| Ocean Tomo
On the latest EDRM Illumination Zone, HaystackID's Todd Tabor shared strategies for detecting deepfakes and global case insights.| HaystackID
Explore key insights from the Summer 2025 eDiscovery Pricing Survey on forensic services — including hourly and per-device pricing for collections, examinations, and expert witness testimony — revealing market trends, standardization, and strategic value.| ComplexDiscovery
Overland Park, Kansas, August 25, 2025 – ModeOne Technologies (“ModeOne”), the pioneer in remote, same-day, targeted mobile data collections, today announced a joint initiative with Kuro Group (“Kuro”), an end-to-end eDiscovery service provider known for combining cutting-edge technology with highly personalized client service. Through this initiative, ModeOne and Kuro will align their core strengths—ModeOne’s patented […]| ModeOne
ModeOne was highlighted in a recent Troutman Pepper Locke case study involving a complex insurance litigation matter with multiple custodians and a looming discovery deadline. Instead of performing complete forensic acquisitions—which can be disruptive, costly, and overbroad—the eMerge team deployed ModeOne’s remote mobile collection technology to efficiently target only the relevant categories of data, including […]| ModeOne
Cyber, legal, and forensics experts gathered at CTRL ALT Defend to rethink tools, tactics, and teamwork in today’s threat landscape.| HaystackID
In this FAQ, learn why ModeOne was built for secure, same-day, remote mobile data collection—and how we’re continuing to lead the way.| ModeOne
I'm happy to announce there is a new Hindsight release available! 2021.04.26 has many small improvements and fixes, including adding support for Chrome 88 - 90, but the main new features are an Unfurl plugin and parsing of the Site Characteristics Database! Unfurl Plugin I'm excited that this new| dfir.blog
I take saved keystrokes from Chrome's Omnibox and graph them in a Sankey flow diagram.| dfir.blog
A look back at a year of tweeting every day about DFIR topics - including a recap of the most popular tweets, coverage trends, and what's next in 2021.| dfir.blog
There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!| dfir.blog
I tinker with TikTok - and find a timestamp embedded in video URLs!| dfir.blog
As I’m sure I’ve mentioned before, event logs are a great source of evidence when performing incident response. In particular, lateral movement can be one of the hardest things to ident…| Salt Forensics
Overview I recently attended the awesome SANS DFIR, Mac and iOS Forensics and Incident Response course with Sarah Edwards. This has obviously given me lots of great inspiration on how to negotiate …| Salt Forensics
Overview For those of us who don’t have access to those GrayKey boxes or Cellebrite services to acquire physical images of devices, we are generally reliant upon logical extractions of iOS due to l…| Salt Forensics