Briefings

WhatsApp is rolling out passkey-encrypted cloud backups on iOS and Android. This replaces backup passwords and 64‑digit keys with device‑...

WhatsApp moves cloud chat backups to passkeys. Here’s what changes for DFIR.

4n6 Beat
5 min read

WhatsApp is rolling out passkey-encrypted chat backups for iOS and Android, letting users protect backup restores with Face ID/Touch ID, Android biometrics, or the device screen lock instead of a password or 64-digit key (BleepingComputer; The Verge). End-to-end encrypted (E2EE) backups themselves aren’t new: WhatsApp shipped them in October 2021 with a password or 64-digit key option and an HSM-backed Backup Key Vault design (Meta Engineering). What changes is the gate to restore, which is now a platform passkey rather than something you type. The enable path remains: Settings → Chats → Chat backup → End-to-end encrypted backup (BleepingComputer).


DJI Fly App Forensics: Extracting and Analyzing Flight Logs on Android, iOS, and DJI RC

4n6 Beat
8 min read

You often investigate incidents where a DJI aircraft is involved: flyaways, near-misses, restricted-area incursions, or simply reconstructing pilot actions. The DJI Fly app (dji.go.v5) is the default ground-control app for most recent DJI consumer drones, and it quietly records rich telemetry you can extract, preserve, and analyze for DFIR.

This guide shows you how it works, where to find the artifacts, and how to process them with current tools on Android, iOS, and DJI RC-class smart controllers. You’ll also learn the common traps (Android scoped storage, missing DAT files, cropped logs, and cloud policy changes in the U.S.) and practical workflows to avoid data loss.

Check Point’s Oct 27 intel highlights a fast‑moving LockBit 5.0 wave and live exploitation of Magento’s SessionReaper (CVE‑2025‑54236). H...

LockBit 5.0 and Magento “SessionReaper”: DFIR notes on two active intrusion patterns

4n6 Beat
5 min read

Check Point’s October 27, 2025 weekly report flags two things we should treat as priority hunts: a fresh LockBit 5.0 build with cross-platform encryptors and faster runtime, and active abuse of Magento’s SessionReaper (CVE-2025-54236) to hijack sessions and drop PHP webshells via the REST API. Their write-up aligns with Trend Micro’s technical analysis of the LockBit 5.0 binaries and Adobe/Sansec guidance on SessionReaper exploitation in the wild. (Check Point report; Check Point blog on the comeback; Trend Micro analysis; Adobe APSB25-88; Sansec). (research.checkpoint.com)

A deep, practical guide for DFIR analysts on locating, interpreting, and correlating local artifacts from end‑to‑end encrypted Signal and...

Deconstructing Encrypted Communication Protocol Artifacts (Signal/WhatsApp)

4n6 Beat
11 min read

End-to-end encryption (E2EE) protects message content in transit, but mobile devices still maintain local state to function. On a physical or full file-system acquisition, you can frequently recover accounts, device identifiers, contact and group identifiers, message timing, call history, media references, and even local key material or key handles. Your goal in DFIR is to turn these device-resident artifacts into defensible timelines of who communicated with whom, when, and how often.

A deep, hands‑on DFIR guide to correlating scattered fragments of deleted NTFS files, mapping their physical disk locations, and building...

File System Fragmentation Mapping and Time-Lining

4n6 Beat
10 min read

You often can’t trust a standard “MAC times” timeline when an adversary timestomps $STANDARD_INFORMATION, renames files, or deletes entire directories. This guide teaches you how to map the physical fragments of a file across the disk and reconstruct a resilient chronology from NTFS internals and low-level journals, so you can explain what really happened even when typical metadata is gone.

At a high level, you will:

Why this works: NTFS separates “what data sits where” (runlists mapping VCNs to LCNs) from file names and times. It also appends low-level summaries of changes to the USN Journal ($Extend\$UsnJrnl) and records transaction details in $LogFile. Even when $MFT timestamps are forged, those other structures often retain independent evidence of creation, writes, renames, and deletes (see Microsoft’s documentation on USN Change Journal records and on NTFS attribute types, including $STANDARD_INFORMATION and $FILE_NAME). (learn.microsoft.com)

Shufflecake hides multiple encrypted filesystems inside apparent free space on Linux. Here’s how it works, what deadbox can’t tell you, a...

Shufflecake on Linux: what deniable, multi-layer volumes mean for DFIR

4n6 Beat
6 min read

Shufflecake implements plausible deniability on Linux by scattering several independently-keyed volumes across what looks like random free space, making both the existence and the number of volumes hard to prove in deadbox exams. The design ships as a device-mapper target (kernel module) plus a userland CLI, with volumes exposed as virtual block devices under /dev/mapper when opened (Shufflecake project site). The project originated at Kudelski Security and EPFL in November 2022 (Kudelski Security blog), and the research was later peer-reviewed at ACM CCS 2023 (Shufflecake ePrint).

Two DELMIA Apriso vulnerabilities, CVE-2025-6205 (missing authorization) and CVE-2025-6204 (code injection), are now in CISA’s Known Exploi...

CISA adds two more DELMIA Apriso flaws to KEV: what to hunt and how to fix fast

4n6 Beat
5 min read

CISA confirmed active exploitation of two more DELMIA Apriso vulnerabilities and added them to the Known Exploited Vulnerabilities (KEV) catalog on October 28, 2025: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Federal agencies have three weeks under BOD 22-01; the remediation due date cited is November 18, 2025. (BleepingComputer). (bleepingcomputer.com)

DELMIA Apriso is a manufacturing operations/MES platform commonly deployed on Windows with IIS and a backend database. Vendor advisories state both CVEs affect releases 2020 through 2025, with the missing authorization bug enabling privileged access and the code injection bug enabling arbitrary code execution under specific conditions. (Dassault Systèmes CVE-2025-6205, CVE-2025-6204; NVD 6205, NVD 6204). (3ds.com)

Attackers are splitting RFC 2047 encoded Subject headers and peppering them with soft hyphens (U+00AD) to sneak past filters. Here’s the...

Phishing subjects with invisible characters: RFC 2047 + soft hyphen evasion, and how to hunt it

4n6 Beat
6 min read

SANS ISC documented a phishing message whose Subject was split into multiple RFC 2047 “encoded-words,” with soft hyphen characters (U+00AD) inserted between letters to break keyword matches. Outlook renders these as normal-looking text, so users never see the obfuscation, but filters that don’t normalize Unicode or decode RFC 2047 first can miss it (SANS ISC). Soft hyphen is a format character that’s typically invisible except at line breaks (Unicode UAX #14; see “Use of Soft Hyphen”), and Microsoft has previously called out invisible Unicode (including U+00AD and U+2060) as a phish-evasion tactic in both bodies and subject lines (Microsoft Threat Intelligence, 2021).

GenAI discovery at Techno West 2025: DFIR collection, artifacts, and authenticity workflows

4n6 Beat
7 min read

Techno Security & Digital Forensics Conference West 2025 kicks off in San Diego on October 27-29 at the Town & Country Resort, with a strong emphasis on Generative/Agentic AI discovery and legal impacts (event announcement, program highlights). Legal-oriented sessions are explicitly tackling discovery for GenAI and agentic AI, including JAMS’ panel “Artificial Intelligence and Generative AI: Causes of Action and Defenses and Discovery” scheduled for Monday, October 27 at 3:15 p.m. (JAMS session page). Regional partners also underline the AI-heavy tracks (Cybersecurity, eDiscovery, Forensics, Investigations) running October 27-29 (CCOE event listing).

MSAB Q3 2025: What BruteStorm Surge and Suite Upgrades Mean for Your DFIR Playbook

4n6 Beat
8 min read

MSAB’s Q3 2025 release introduces BruteStorm Surge, a GPU-accelerated brute-force add-on for XRY Pro that targets long/complex passcodes, alongside major suite updates: XAMN 8.3 adds cross-app conversation threading and support for Cash App warrant returns; UNIFY 25.9 can ingest Cellebrite UFDR and GrayKey extractions; and XEC 7.15 brings role-based access control (RBAC). These capabilities are confirmed in MSAB’s official update and the initial news brief. See MSAB’s release post and feature breakdown (MSAB Q3 2025; Forensic Focus news).