Android

North Korea-linked operators in the KONNI/APT37 orbit used stolen Google credentials to log into Google’s Find Hub and remotely trigger factory resets on victims’ Android phones and tablets, timing the wipes after checking GPS location to isolate targets and delay response (BleepingComputer, Nov 10, 2025; Genians Security Center report). Find Hub is Google’s rebranded “Find My Device” service that supports locating, locking, and erasing devices (Google Find Hub about; Android Authority rebrand coverage).

You often investigate incidents where a DJI aircraft is involved-flyaways, near-misses, restricted-area incursions, or simply reconstructing pilot actions. The DJI Fly app (dji.go.v5) is the default ground-control app for most recent DJI consumer drones, and it quietly records rich telemetry you can extract, preserve, and analyze for DFIR.

This guide shows you how it works, where to find the artifacts, and how to process them with current tools-on Android, iOS, and DJI RC-class smart controllers. You’ll also learn the common traps (Android scoped storage, missing DAT files, cropped logs, and cloud policy changes in the U.S.) and practical workflows to avoid data loss.

SANS Internet Storm Center’s Oct 24, 2025 Stormcast flags four items that should immediately shape triage and detection content across enterprise environments: an Android infostealer abusing Termux, active exploitation of Adobe Commerce/Magento “SessionReaper,” new cache-poisoning fixes for BIND and Unbound resolvers, and a released exploit for a critical WSUS deserialization RCE. Reference the minimal Stormcast entry and the full podcast summary for context (ISC diary 32418, podcast detail).

Below is a forensics-first breakdown: what to collect, where to hunt, and how to contain.