Posts

Exploring Apple Intelligence Artifacts in iOS

In 2024, Apple introduced Apple Intelligence during Apple Worldwide Developers Conference 2024, describing it as a new AI system integrated into iOS, iPadOS, and macOS. This represented a progression beyond the capabilities previously associated with Siri, expanding the system’s ability to use contextual information from the device. Apple states on its Apple Intelligence page that the system is “aware of your personal information without collecting your personal information.” With this in mind, I wanted to review artifacts in an iOS filesystem extraction to determine how Apple Intelligence data might be useful in an iOS forensic investigation. I did not have a suitable dataset for testing until Magnet CTF 2026. I would like to thank Magnet Forensics for hosting the event and providing the data used in this research. I would also like to thank Jessica Hyde and her team for the tremendous work they put into creating the dataset and challenges. As part of the CTF, an iPhone 15 full file...

Clonezilla as a Forensic Imaging Tool

I understand that there are many imaging tools available, both free and commercial, but I wanted to share my testing results using Clonezilla as a digital forensic imaging tool. It may be useful for someone looking to add another reliable option to their forensic toolkit. If you have never heard of or used Clonezilla before, it is a free and open-source tool that can be used to preserve the state of a computer system at a specific point in time. As a digital forensic examiner, I wanted to evaluate it from a forensic acquisition perspective and determine whether it can be trusted for use in our field. Clonezilla Live can be used to create a bootable drive, which allows the examiner to boot directly into the Clonezilla environment without relying on the host operating system. This is important because it minimizes the risk of modifying the target system during acquisition. Once booted, Clonezilla presents several boot options. Each option controls the startup environment, such as nor...

UpScrolled Forensic Artifacts on iOS

Introduction UpScrolled is an emerging social media platform that continues to gain rapid adoption. As with any social media application, it presents potential evidentiary value in digital forensic investigations. This research documents the identification and structure of UpScrolled chat artifacts recovered from an iOS device using an iTunes-style logical backup extraction. Application Data Application artifacts were successfully recovered via a standard iTunes backup extraction. A preliminary review of the extracted data revealed that UpScrolled application data can be found in the following path within the iOS filesystem: /private/var/mobile/Containers/Data/Application/{UUID} Within this location, user-generated content and application data were stored in the Documents directory: /private/var/mobile/Containers/Data/Application/{UUID}/Documents Chat Database UpScrolled stores chat data in a SQLite database named using the format: db_{UserID}.sqlite This naming convention i...

Forensic Analysis of Windows Subsystem for Android (WSA)

Forensic Analysis of Windows Subsystem for Android (WSA) Overview Microsoft released Windows 11 with a new feature, Windows Subsystem for Android (WSA). This feature enabled users to run Android applications in Windows 11 without involving third-party virtualization software. I believe that digital forensic examiners need to understand this feature as it can be used as a new source of digital evidence in Windows 11 systems. This blog post focuses on some of the critical WSA artifacts and how to extract data from the WSA environment. Analysis of the WSA Environment Like any newly implemented feature, there is limited documentation and research regarding WSA. Figure 1 shows two primary layers to be considered during a digital forensic examination of WSA. Windows 11 is the first layer and the overall environment containing all the data, including execution, logging, and registry artifacts. The second layer is the Android environment, which contains user data and the inst...