Photograph via snooOG

Dedicated to the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. This field involves the application of several information security principles and aims to provide for attribution and event reconstruction following forth from audit processes. This subreddit is not limited to just personal computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.).

Computer Forensics

A community dedicated towards the branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The field is the application of several information security principles and aims to provide for attribution and event reconstruction following forth from audit processes. This subreddit is not limited to just the computers and encompasses all media that may also fall under digital forensics (e.g., cellphones, video, etc.). Topics include digital forensics, incident response, malware analysis, and more.

Vote based on the quality of the content. Irrelvant submissions will be pruned in an effort towards tidiness.

Read the FAQ before posting.

Related Subreddits:

/r/antiforensics - anti forensics

/r/crypto - cryptography

/r/forensics - forensics

/r/cyberlaws - cyberlaws

/r/malware - malware

/r/memoryforensics - memory forensics

/r/netsec - netsec

/r/reverseengineering - binary reversing

/r/UIC - reversing/malware research

Related Technical Subreddits

/r/filesystems - filesystems

/r/kernel - kernel development

/r/lowlevel - low level programming


65,247 Subscribers


Google account sign out for "suspicious activity"

I got a notification on my phone that I've signed out on my MacBook from my Google account for "suspicious activity". I've tried looking through my account, on the notification and online but I can't see any actual reason. The closest was possibly a program on my device interacting with my account for some reason that was considered malicious. I can't think of any reason for this. Maybe on my desktop or phone but definitely not on my Mac. Im also signed into 2 other Google accounts on that device which didn't have kind at security problems.

I have no idea what triggered this, downloaded malware bytes and found nothing. Can't find any weird programs or browser extensions installed. Changed my password.

Around a month ago I did change all my passwords and move to bitwarden.

I have no idea what triggered this or where else to ask. Does anyone have any advice?

09:59 UTC


File System Tunneling

A new 13Cubed episode is up! This is a rather obscure topic, but something I've been meaning to create a video about for a while.

In this episode, we'll explore File System Tunneling, a lesser-known legacy feature of Windows. We'll uncover the fascinating behind-the-scenes functionality and discuss the potential implications for forensic examinations of compromised systems.


More at youtube.com/13cubed.

11:33 UTC


What is the most trusted tool for law enforcement to use to obtain deleted Snapchat photos/messages?

I’ve heard mixed things on Cellebrite, and even their videos on recovering Snapchat conversations/photos seem unclear because they say that it’ll recover “what was available on the server at the time of acquisition”. Does it actually give you more than what a data download thru the Snapchat application will give you? Does it help retrieve stuff that was “deleted”? If not Cellebrite, is there a different more trusted law enforcement tool? I’ve been going down a rabbit hole lately learning about digital crime and I’m curious if Snapchat at least leaves acquirable traces that could help keep its users safe.

09:00 UTC


Any Agent-based acquisition for IOS 17?


noob here

https://belkasoft.com/agent_based_ios_acquisition - according to this, Agent-Based iOS Acquisition is supported up to IOS 16.5. I used checkm8 back when i had my iP...

Are you familiar with something newer? if so please point me in the right direction

Anyways, what is the best way to pull data from iPhones 12+ (running iOS 17+) ? Does encrypted iTunes backup come with databases?

Thank you

12:02 UTC


Automate dynamic analysis for forensic investigation

Hi, first post here, for the context, I'm working on a tool to help me automate dynamic analysis of malware and giving me report about it, and I wanted to know if someone know some open-source tools that can help me doing so or if there is already some tools that can do that. Or if you have ideas on how I can achieve it. Thank you for if you take time to read my post ☺️

07:55 UTC


Voiltaile memory dump on M1?

Hello everyone,

I get straight to the point, am I right in my assumption that there is no way to pull a memdump on apple silicon chips? Right now I consider ediscovery/log2timeline the best way to do forensics on recent apple plattforms Thank you for your answers

18:26 UTC


Firewall Log Parser/IOC

Looking for a possible github repo/opensource code that can parse through any type of FW logs. (not sure if something like this exist, but I figured I would ask)

Also, looking for a script or IOC rule set that can be used against FW logs to access suspicious activity.

16:39 UTC


Yara Rule Set

Looking for a good Yara rule set via github that looks for a wide range of different indicators of compromises. Amy recommendations?

16:30 UTC


Automation in Forensics

How and which DevOps & automation tools are used today to simplify or automate processes in IT forensics?

05:49 UTC


Resource for creating expert witness CV?

Hi all! I find myself in the position of the prosecutor and defense wanting me to submit a CV to be able to testify as an expert witness. I have a homicide trial coming up where I was the primary and will be testifying about a phone extraction, iCloud and social media warrants etc. The data found is pretty simple, so I'm not worried about that part but haven't written a resume or CV in forever. I thought I recently saw a Webinar or something similar regarding writing a CV, but can't find wherever it was now. Anyone know of any good resources? I'm trying to figure out little stuff like whether I should add the class description, whether I'm expected to add copies of certificates etc. Anyone know where I can find some examples? The Google hasn't been super helpful. Maybe I'll see what Chatgpt has to say lol.

1 Comment
03:04 UTC


Digital Forensics training, reading material, ETC

I have recently been assigned an investigator role with my department, mainly for CP and sex crimes in general. My knowledge is rather inadequate when it comes to digital forensics. We are looking at giving the roll to another officer as well here in the near future and he is in the same boat I am.

This sub is a good source of knowledge from what I have seen. I am wondering if any of you have recommendations for trainings or reading material for beginner or intermediate level?

Thank you in advance.

00:36 UTC


Artifact that proves webhistory has been deleted (mobile)

What should I look for in (for example) Cellebrite to prove that the browsing history has been deleted? I now only see favicon references for the website I know must have been visited.

22:35 UTC


com.apple.Mobilesms.plist on IOS 17

I currently have an image of an iPhone running IOS 17.1.2 and am looking for message retention settings as we would like to know why we do not have messages after a particular date. When looking at com.apple.mobilesms.plist, the KeepMessagesForDays is set to 365 which would make sense as to why we do not have messages however there is no KeepMessages version to indicate any change and the phone settings showed that keep messages was set to forever. There are two fields I have not noticed before SSKeepMesssages and SSKeepAttachments. Does anyone know if IOS 17 changed the KeepMessagesForDays field to SSKeepMessages instead and an update from IOS 16 or lower to IOS 17 reset the message retention to keep forever?

I do not currently have an iPhone capable of running IOS 17 for testing this. Thanks in advance if anyone has any details about this.

14:54 UTC


Part time/Contract/Remote gigs

I'm eligible to retire in 7 years from my law enforcement position and am looking at options for work in retirement. My ultimate goal is to find part time work I can do from anywhere in the world. I currently teach college classes on line which meets this requirement but the income isn't great.

I'm curious if any of you have found forensics related work that is part-time, flexible, and totally remote? Working from anywhere in the world is probably not going to be possible but if it's flexible enough to allow for extended travel, it might work.

I'm aware of jobs with some of the major vendors that might work (teaching, etc) but I'd love to know if there's something I'm not thinking of. Are any of you working gigs that might fit the bill?

It's impossible to predict what digital forensics will be like in 7 years but it's at least worth looking at option.


23:03 UTC


general purpose livecd for forensics

Hello, could you advice me a general purpose live cd for forensic (if it has volatility it's better) ?

Or better help me to make a list, I try to begin:

NameversiondateDownload urlweb site
Caine13.0Mar 2023Downloadcaine-live
Kali2024.1Jan 2024Downloadkali
FHC Live2029.02Jun 2019Downloadfhclive
Tsurugi2023.02Feb 2023Downloadtsuragi-linux
CSI Linux2023.02Feb 2023Downloadcsilinux
Forlex3.0.0Nov 2019DownloadForlex
WinFEOct 2020DownloadWinFE
BlackArch2023.04.01Apr 2023DownloadBlackArch
HirensBootCD1.0.8Mar 2024DownloadHBCD
Parrot Security6.0Jan 2024DownloadParrotSec
BackBox8.1Nov 2023DownloadBackBox

I see that some are italian, I don't know if it's a coincidence or because google prefer italian web site because my chrome locale is italian.


21:35 UTC


iPhone message

I’m s there anyway to extract the messages from my iPhone to be used in court? So that it shows the date and can be used as proof? I imagine a screen shot wouldn’t help I need it more official I guess

21:28 UTC


Where can I download a .dd disk image.

Hi, I'm new to forensics and looking for a .dd image to use with tsk_recover. I've been unable to find an image. Any help would be appreciated.

15:23 UTC


Transition from private sector back to LE

Hi all,

I graduated with a bachelors in Digital Forensics and by the end of 2020 I was working for a prosecutors office as a DF analyst in an ICAC related capacity although that’s not all that I did.

I transitioned out due to an issue with a power tripping boss who was actively ignoring NCMEC cyber tips due to his issues with being fired from a specific police department among other issues. I ended up in a cyber security engineer role now making 6 figures.

I like the company I work for but cyber security is… for lack of a better term, boring and significantly less fulfilling than the work I was doing at the prosecutors office.

My question here is, what are my best options for transitioning back to LE without taking a massive pay cut? For reference, I was making $67k/yr at the prosecutors office and now make a flat $100k/yr.

I am also open to options in private sector with more investigative responsibilities as that’s really what I’m missing about LE. You don’t do much of that as an engineer.

Thanks in advance :)

03:11 UTC


Job Training

I am looking into this field of study as a post-high school career. Are there any ways I could learn and get a job without going to college?

02:43 UTC


FAT32 Thumb Drive - Deleted file date

Hey all,

I’m working on a case where I received a thumb drive (formatted FAT32). I imaged the device and processed it with Encase. After processing, I was able to show a bunch of files that were deleted.

To my knowledge, there isn’t a way to determine when these files were deleted, or am I wrong on that? It’s not as though I can parse a Windows artifact like the Info2 file on a Windows machine to get that information.

Thanks in advance.

22:27 UTC


Call for BETA testers!

Hello fellow forensicators!

I've been working on BIRT Incident Response & Triage for over 2 years now and I'd love to hear what the community thinks.

What can BIRT do?

  • Ingest endpoint artifact files ($MFT, Registry, EVTX, PCAP + more) and produce searchable, indexed timelines
  • Reconstruct the endpoint and apply MITRE ATT&CK based rules
  • Produce interactive investigations from endpoint evidence
  • Integrate with remote or local LLM's like chatGPT or LLAMA for contextual lookups and automated report building

Please check it out and let me know what you think, thanks!

The BIRT Project

16:36 UTC


Failed GCFA examination

Hi Folks,

After 7 months of hardwork, sacrifice. I have finally failed my GCFA exam. I believe i have given my best shot in labs. I am not sure on why solutions are incorrect.

I have scored 87% in practise exam.

Where as the real exam is above 100% tougher then the practise tests.

I have sent an email to SANS requesting to reevaluate my score.

Are there any tips for me?

20:57 UTC


Common Questions of Certificates and Learning

So I know this question gets asked a lot and the answer usually is "SANS". SANS provides the best for forensics. Sadly I haven't won the lottery yet, so I turn to other certs/learning. From some searching, I've found a few certs and want to know how people feel about them and how practical/useful they are.

There is EC-Council's Computer Hacking Forensics Investigator (CHFI). Which from my experience of EC-Council it would be very overview and not very practical.

Mosse Institute's MDFIR - https://www.mosse-institute.com/certifications/mdfir-certified-dfir-specialist.html. which according to this roadmap (https://pauljerimy.com/security-certification-roadmap/) might be good.

There is the CyberDefender's CCD which is more SOC orientated but has lots of forensics builtin - https://cyberdefenders.org/blue-team-training/courses/certified-cyberdefender-certification/

There are also two Windows specific courses that may give good training for practical learning:

TCM's Practical Windows Forensics - https://academy.tcm-sec.com/p/practical-windows-forensics

13Cubed Bundle - https://training.13cubed.com/

I'm sure there are lots of others but from this list (IACIS CFCE), you can get an idea of the certs that I may want to do, and are any of these actually worth the money? I swear every man and his dog are creating certs these days.

05:32 UTC


Autopsy - FTK Raw Format

Anyone ever use Autopsy for forensics using a a RAW formatted image? I’m having trouble choosing the source image as there are many files generated from FTK (001,002,003,etc…) am I supposed to choose one at a time for Autopsy to analyze?

14:51 UTC


Samsung smartthings on Android and cellebrite

I have done a full extraction of my phone and am looking for any info i can find in cellebrite about my smartthings app. Particularly regarding my smart Tags and where they have been but I am drawing a blank.

Any pointers?

13:28 UTC


network splitter ?

Hello, anyone know if can I use a network splitter like this for network forensics (aka packets capture) ?
Some guys say that a "network splitter" is a hub, other say that is a switch, other say neither.

13:08 UTC


What's the best practice for determining if removing a storage device will make getting decrypted access a lot harder?

So, I was trained to image computer storage devices in (what I think is) the most traditional way: remove it from the computer, attach to a write blocker, image.

I recently had an experience, thankfully not actual evidence, where I removed a hard drive and saw that it was BitLocker encrypted. I have the owner's consent, and I have Windows logon password, but the owner doesn't remember activating BitLocker at all or any associated credentials. So, I can't do any analysis on an image of it.

I'm not asking how I could potentially find (GREP) the recovery key in another storage device, or alternative means of finding the credentials.

I'm wondering, how do I have this not happen during a real case? I'm guessing BitLocker was enabled by default and the drive locked itself down when it was removed from the motherboard (due to TPM?), please correct me if that's wrong! I'm thinking, if I knew this to be the case, I could have booted the computer and/or performed a live image after logging in with the Windows credentials.

Do I use a USB bootable tool and/or perform a live image if I have any suspicion that encryption is enabled? Am I overthinking this, shouldn't this be taught in basic digital forensics?

Please feel free to correct me on anything, I like to be technically accurate. Thanks for your time.

21:08 UTC


(Interview preparation)How axiom is used for investigating child pornogrpahy?

Hi, I have an upcoming job interview for career progression in relating to investigating csam. I currently deal with mobile devices extraction and i m aware of axiom is used to decode the data but not too familiar with how axiom could be used for investigating csam.

Could someone be able to give me a brief idea so I could answer the questions in the interview if I get asked please? Thank you.

18:34 UTC

Back To Top