Digital-Forensics

How to standardize, audit, and automate detection-tuning requests in Elastic using Kibana Cases, custom fields, runtime/ES|QL queries, an...

Defensible detection-tuning with Kibana Cases: a DFIR how-to

4n6 Beat
6 min read

Elastic Security Labs published a workflow on December 5, 2025 that shows how to automate detection-tuning requests with Kibana Cases, using custom fields, a detection to watch for toggled requests, and a webhook to create tickets and add links back to the case (Elastic Security Labs, 2025-12-05).

Overview

Kibana Cases lets you open, track, and enrich investigations with alerts, comments, files, visualizations, and external tickets via connectors such as ServiceNow, Jira, Slack, and webhooks (Cases overview, connector catalog). Custom fields for Cases (text/toggle) were added in Elastic 8.15, enabling standardized “tuning requested?” switches captured directly in the case form (custom fields in settings, Security app settings). You can attach alerts to cases from the Alerts UI or create a case from an alert, ensuring the detection context travels with the request (create/manage cases and attach alerts).

Hands-on guidance for DFIR labs to fold Oxygen Forensic Detective v18.1 and Atola TaskForce 2025.11 into Android and storage acquisition...

Tune Your Lab SOPs: Oxygen Detective v18.1 chain flows and Atola TaskForce 2025.11 ZFS/LDAP streamline acquisition

4n6 Beat
5 min read

Forensic Focus’ December 3 round-up flagged two updates worth immediate lab attention: Oxygen Forensic Detective v18.1 and Atola TaskForce 2025.11. Both change how we plan Android collections and triage storage with fewer clicks and less context switching (round-up).

Overview

  • Oxygen Forensic Detective v18.1 adds Android “chain extractions” so you can sequence multiple methods (e.g., Physical → Full File System → Android Agent → ADB Backup) in one flow with automatic fallback handling, plus new iOS Agent screenshot capture and desktop artifacts (v18.1 notes).
  • Earlier in the v18 series, Oxygen introduced “multi-source extraction via Android Agent,” letting you combine multiple logical categories and third-party apps into a single Agent run for one consolidated output (v18 highlights).
  • Atola TaskForce firmware 2025.11 brings system-wide ZFS support (diagnostics, imaging, partition browsing) and LDAP integration for centralized authentication; it also adds QOL items like pinned folders and report/network tweaks (Atola blog, Forensic Focus coverage).

Acquisition and Extraction (platform-specific)

Android with Oxygen Detective v18.1

  1. Plan a chained Android run
  • In Device Extractor, set the chain order so time-heavier but richer methods run first, with automatic fallback to lighter ones (e.g., Physical → FFS → Android Agent → ADB Backup) (v18.1 notes).
  • Document the chosen order in the case record before you start (keeps later variance explainable).
  2. Leverage Agent multi-source in the chain
  • When the run reaches Android Agent, pre-select logical categories (calls, contacts, calendars, etc.) and multiple third-party apps to produce one combined extraction folder/file, minimizing repetitive passes over the handset (v18 highlights).
  3. Respect method prerequisites
  • Full File System (FFS) extraction in current Detective builds supports many Android 9-14 devices with an SPL prior to July 2024 via a general Android vulnerability; verify the device’s SPL before triggering FFS to avoid dead ends (FFS method notes).
  • Android Agent is intended for unlocked devices and focuses on logical/manual collection; it does not access internal memory apps/files the way FFS does. Set expectations accordingly and use Agent where appropriate (Android Agent guide).
  4. Optional iOS screenshot capture
  • If your scene includes iOS, v18.1 can record screenshots during extraction (iOS 12+) to quickly preserve on-screen context with proper logging (v18.1 notes).

Storage imaging with Atola TaskForce 2025.11

  1. Image ZFS cleanly
  • TaskForce now recognizes and works end-to-end with ZFS: diagnostics (File systems stage), partition browsing, and imaging. This is useful for the servers, NAS units, and Linux estates common in enterprise cases (Atola blog).
  • RAID autodetection now attempts reassembly when ZFS partitions are present; this shortens triage when metadata is missing or the layout is unknown (Atola blog).
  2. Centralize user auth
  • Enable the new LDAP option to authenticate users against AD/LDAP; TaskForce stores no passwords locally when LDAP is in use. Keep local accounts available as a contingency (Atola blog).
  3. Quality-of-life tweaks
  • Pin frequently used network targets/folders in the UI to speed repetitive imaging destinations (Atola blog).
  • Expect improved parallel imaging performance estimates and faster report loading, which helps during busy lab days (Forensic Focus coverage).

Artifact Locations and Paths

  • Android Agent exports typical logical sets (calls, messages, contacts, calendars, Wi-Fi APs, Bluetooth pairs, basic file structure, and select third-party apps) into one consolidated extraction when you use the multi-source option. Treat this as a targeted logical capture, not an internal-app dump (Android Agent guide, v18 highlights).
  • On storage, ZFS volumes will enumerate in TaskForce’s File systems stage alongside NTFS, ext*, XFS, Btrfs, APFS/HFS+, and FAT; validate the enumerated topology before committing to a full image or a logical carve (Atola blog).

Analysis and Correlation

  • Merge sources in Oxygen: after collection, merge FFS, physical, cloud, SIM, and OxyAgent/Android-Agent extractions into a single dataset to keep timelines/social graphs coherent (merge feature).
  • Automate post-processing: Oxygen’s CLI can batch-import extractions, analyze images, and export reports, which is helpful for overnight queues after long scene days (CLI automation).
  • For ZFS/RAID jobs, snapshot your Atola case state and export reports immediately after autodetection; re-attempts can change arrays as members drop in/out. Atola’s 2025.11 improves report handling and error logs for share connections, which helps with later reproduction (Atola blog).

Validation and Pitfalls

  • Don’t over-promise Agent scope: Android Agent logical/manual extraction won’t touch internal app data; if you need app sandboxes or keychains, prioritize FFS/physical where legally and technically possible (Android Agent guide).
  • Check SPL early: if the SPL is July 2024 or later, your FFS path may be blocked; adjust the chain to avoid wasting time (e.g., pivot sooner to Agent or ADB backup) (FFS method notes).
  • LDAP is great, but test lockout behavior: validate how TaskForce handles directory outages, password expiry, and group changes before you flip the switch lab-wide (Atola blog).
  • As always, keep the paperwork tight. Evidence management talks regularly remind us that documentation is what makes the data admissible; “no documentation, no evidence” still applies (round-up reference to talk).
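The SPL check the list above calls for, as an added shell example that is not from the round-up, from Oxygen, or from Atola: it parses the security patch level out of `getprop` output, compares it against a 2024-07-01 cut-off (my reading of the page's "SPL prior to July 2024"), and prints the chain order to record in the case notes before starting. The property name ro.build.version.security_patch is the standard Android build property; the sample getprop output is constructed for an offline dry run.

```shell
#!/bin/sh
# Added example (not from the round-up, Oxygen, or Atola): a pre-flight SPL
# check for the chained Android run. The page states that the FFS method
# covers Android 9-14 devices with an SPL prior to July 2024; the cut-off
# below (2024-07-01) is my reading of that statement, and the property name
# ro.build.version.security_patch is the standard Android build property
# that "adb shell getprop" prints.

FFS_SPL_CUTOFF="2024-07-01"   # assumption derived from the page's "prior to July 2024"

# spl_from_getprop: read "getprop" output on stdin, print the SPL value only.
# Lines look like "[ro.build.version.security_patch]: [2024-06-05]".
spl_from_getprop() {
    sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\(.*\)\]$/\1/p'
}

# spl_allows_ffs SPL: exit 0 when SPL (YYYY-MM-DD) is before the cut-off,
# 1 when it is on or after it, 2 when the value is not a date at all.
spl_allows_ffs() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unrecognized SPL format: '$1'" >&2; return 2 ;;
    esac
    # Drop the dashes so the dates compare as plain integers (20240605 < 20240701).
    spl_num=$(printf '%s' "$1" | sed 's/-//g')
    cutoff_num=$(printf '%s' "$FFS_SPL_CUTOFF" | sed 's/-//g')
    [ "$spl_num" -lt "$cutoff_num" ]
}

# plan_android_chain SPL: print the chain order to document in the case record.
# Keeps the page's Physical -> FFS -> Agent -> ADB Backup order when FFS is
# viable, otherwise pivots straight to Agent/ADB backup as the page advises.
plan_android_chain() {
    if spl_allows_ffs "$1"; then
        echo "Physical -> Full File System -> Android Agent -> ADB Backup"
    else
        echo "Physical -> Android Agent -> ADB Backup"
    fi
}

# Constructed sample of getprop output for an offline dry run; on a real
# handset you would pipe "adb shell getprop" into spl_from_getprop instead.
SAMPLE_GETPROP='[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2024-06-05]
[ro.build.version.sdk]: [33]'

spl=$(printf '%s\n' "$SAMPLE_GETPROP" | spl_from_getprop)
echo "Device SPL: $spl"
echo "Chain order: $(plan_android_chain "$spl")"
```

Run it once against the constructed sample to see the two branches, then replace the sample with `adb shell getprop | spl_from_getprop` at the bench; a malformed or missing SPL deliberately returns a distinct exit code so a wrapper script can flag the device for manual review rather than silently skipping FFS.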

Reporting Notes (chain of custody, reproducibility)

  • Oxygen: record the exact chain order, method outcomes, version/build, and any Agent multi-source selections in the notes; v18.1 also tweaks evidence tagging/notes, which can clarify your audit trail (v18.1 notes).
  • Atola: export diagnostics and imaging reports immediately after ZFS enumeration/reassembly; the 2025.11 update improved report loading and logging, making it easier to reconcile target paths and share errors later (Atola blog).

Tools

  • Oxygen Forensic Detective v18.1: chain extractions, iOS Agent screenshots, additional artifacts (v18.1 notes). Multi-source Android Agent from v18 still applies for consolidated logicals (v18 highlights). Core method references: FFS coverage window (FFS method notes), Android Agent scope (Android Agent guide).
  • Atola TaskForce/TaskForce 2 2025.11: ZFS, LDAP, pinned folders, and assorted fixes/perf gains (Atola blog, Forensic Focus coverage). Hardware/platform overview and automation options are on the product page if you’re integrating at scale (TaskForce 2 page).

Takeaways

  • Update your SOPs this week to: (1) use Oxygen’s chained Android flows with Agent multi-source to cut repeats, and (2) enable Atola ZFS handling + LDAP in the lab for smoother storage triage and access control. Test on known-good devices/images before first live use (v18.1 notes, Atola blog).

Hands-on guidance to operationalize FTK Imager Pro’s new BitLocker decryption during imaging and iOS logical/advanced logical collection,...

FTK Imager Pro adds BitLocker‑decrypted imaging and iOS advanced logical: a DFIR how‑to

4n6 Beat
7 min read

Exterro has introduced FTK Imager Pro as a paid add-on to the longstanding free FTK Imager, bringing BitLocker decryption during imaging and iOS logical/advanced logical collection while keeping the free edition available; the Pro and Free editions share the same download with license-gated features, and the Pro subscription is currently listed at $499 USD. Android acquisition is “on the roadmap,” according to Exterro’s public remarks in a recorded interview (Forensic Focus transcript, Nov 24, 2025; Exterro FTK Imager Pro store page).

Hands-on guide for DFIR teams to safely adopt YARA-X 1.10.0’s new automatic warning fixer, with installation notes, usage patterns, valid...

YARA-X 1.10.0: Using “yr fix warnings” to auto-correct brittle rules

4n6 Beat
4 min read

YARA-X 1.10.0 adds a new subcommand that can automatically apply suggested fixes for certain compiler warnings. The command is invoked as yr fix warnings, and one common transformation replaces ambiguous 0 of (...) conditions with explicit none of (...). The tool edits your rule files in place, so use version control or work on copies first. (github.com)

Overview

YARA-X is a Rust rewrite of YARA with a modern CLI named yr. It targets high compatibility with existing rules while improving performance, safety, and developer ergonomics. (github.com)

Hands-on guidance for DFIR teams to capture, parse, and correlate logs when Cloudflare-style anonymous credentials and Privacy Pass token...

Anonymous credentials in the wild: how to collect and analyze Privacy Pass, ARC/ACT, and OHTTP evidence

4n6 Beat
7 min read

Cloudflare proposed using anonymous credentials to rate-limit bots and AI agents while preserving user privacy on October 31, 2025, outlining issuance, presentation, and verification flows and comparing bandwidth/CPU trade-offs with existing Privacy Pass deployments (Cloudflare). The building blocks sit on standardized components: the Privacy Pass architecture and issuance protocols, and the HTTP “PrivateToken” authentication/challenge scheme (RFC 9576, RFC 9578, IETF draft: Auth Scheme). Expect to see more Authorization: PrivateToken headers, unlinkable single-use tokens or multi-show anonymous credentials (ARC/ACT), and, in some deployments, traffic tunneled via Oblivious HTTP (OHTTP), which intentionally splits client IP from request content (RFC 9458).

Microsoft’s 26220.7051 (Dev/Beta) Insider build introduces an opt‑in Ask Copilot entry on the taskbar. Here’s how that UX change surfaces...

Windows 11 Insider Build 26220.7051 adds “Ask Copilot” to the taskbar — what to baseline for DFIR

4n6 Beat
6 min read

Microsoft shipped Windows 11 Insider Preview build 26220.7051 (KB5067115) to Dev and Beta on October 31, 2025, introducing an opt-in “Ask Copilot” experience on the taskbar. You enable it at Settings > Personalization > Taskbar > Ask Copilot and can also toggle whether the Copilot app auto-starts at sign-in. Microsoft states Ask Copilot uses existing Windows APIs to return apps, files, and settings like Windows Search, and it does not grant Copilot access to personal content. (blogs.windows.com)

WhatsApp is rolling out passkey-encrypted cloud backups on iOS and Android. This replaces backup passwords and 64‑digit keys with device‑...

WhatsApp moves cloud chat backups to passkeys. Here’s what changes for DFIR.

4n6 Beat
5 min read

WhatsApp is rolling out passkey-encrypted chat backups for iOS and Android, letting users protect backup restores with Face ID/Touch ID, Android biometrics, or the device screen lock instead of a password or 64-digit key (BleepingComputer; The Verge). End-to-end encrypted (E2EE) backups themselves aren’t new: WhatsApp shipped them in October 2021 with a password or 64-digit key option and an HSM-backed Backup Key Vault design (Meta Engineering). What changes is that the gate to restore is now a platform passkey instead of something you type. The enable path remains: Settings → Chats → Chat backup → End-to-end encrypted backup (BleepingComputer).


DJI Fly App Forensics: Extracting and Analyzing Flight Logs on Android, iOS, and DJI RC

4n6 Beat
8 min read

You often investigate incidents where a DJI aircraft is involved: flyaways, near-misses, restricted-area incursions, or simply reconstructing pilot actions. The DJI Fly app (dji.go.v5) is the default ground-control app for most recent DJI consumer drones, and it quietly records rich telemetry you can extract, preserve, and analyze for DFIR.

This guide shows you how it works, where to find the artifacts, and how to process them with current tools on Android, iOS, and DJI RC-class smart controllers. You’ll also learn the common traps (Android scoped storage, missing DAT files, cropped logs, and cloud policy changes in the U.S.) and practical workflows to avoid data loss.

Shufflecake hides multiple encrypted filesystems inside apparent free space on Linux. Here’s how it works, what deadbox can’t tell you, a...

Shufflecake on Linux: what deniable, multi-layer volumes mean for DFIR

4n6 Beat
6 min read

Shufflecake implements plausible deniability on Linux by scattering several independently-keyed volumes across what looks like random free space, making both the existence and the number of volumes hard to prove in deadbox exams. The design ships as a device-mapper target (kernel module) plus a userland CLI, with volumes exposed as virtual block devices under /dev/mapper when opened (Shufflecake project site). The project originated at Kudelski Security and EPFL in November 2022 (Kudelski Security blog), and the research was later peer-reviewed at ACM CCS 2023 (Shufflecake ePrint).