Julian Derry

@CyberSamuraiDev

Digital Forensics | Cybersecurity | Manchester United

SHA-256 | Joined April 2015
764 Following | 2.2K Followers
Pinned Tweet
Julian Derry @CyberSamuraiDev
A Deep Dive into Mobile Forensics

I recently completed a full mobile forensic analysis on an iPhone 13 Pro and it was a powerful reminder of how much a device actually remembers. This was an advanced logical extraction with verified image integrity. Even without diving into content, the metadata alone told a story.

From location artifacts, I reconstructed where the device had been, the routes it traveled and the exact timestamps tied to those movements. But more importantly, I could see how those locations were generated. Some coordinates were tied to ride activity such as Uber and Bolt. Others came from navigation searches. Some were linked to shared live locations inside messaging apps.

Each source leaves a different footprint. A searched address tells a different story than an active trip. A shared live location suggests intentional disclosure. The coordinates are only part of it, the behavior behind them is the real evidence.

The “most visited locations” view made patterns obvious. Certain coordinates appeared repeatedly, building a clear picture of routine and frequency over time.

On the communication side, interaction volume alone highlighted the primary contacts. Without even reading conversations, it was immediately clear who the highest frequency messaging relationships were. Volume builds pattern. Pattern builds context.

Call analysis went just as deep. Even when call entries were deleted, I could still determine whether interactions were audio or video, which platform they occurred on, how long they lasted, and whether they were answered, missed or rejected. Deleting a visible log doesn’t erase the underlying artifacts.

I was also able to recover delivered media, expired content, deleted messages and metadata tying everything to specific timestamps and user actions.

Here’s what stands out. Phones don’t just store content. They store behavior. They store routine. They store intent. Files can be deleted. Logs can be cleared. But the artifacts remain.
#digitalforensics #DFI #mobileforensics #cybersecurity
Julian Derry @CyberSamuraiDev
@visegrad24 if it’s true, whoever took that shot is one hell of a shooter.
Visegrád 24 @visegrad24
BREAKING: CNN reports that a U.S. F-35 fighter jet made an emergency landing in the Middle East after being hit by suspected Iranian fire over Iran. If true, it would be the first time an F-35 has been hit ever.
Julian Derry @CyberSamuraiDev
Two choices.
First choice - wild, unpredictable, full of surprises, where you learn as you go.
Second choice - safe, comfortable, everything planned but everyone follows the same path.
Which do you pick? Adventure or comfort?
sysxplore @sysxplore

IT Guy @T3chFalcon
Adding crack.exe to the exclusions lmao.
Julian Derry @CyberSamuraiDev
- KeePass database recovered from memory.
- Suspicious NEW_TMP variable across processes.
- Base64 data hidden inside environment variables.
Julian Derry @CyberSamuraiDev
A high-profile environmental activist lost access to his system. His company needed critical data recovered, browser files, password manager credentials… everything.

No disk access. Just memory.

I loaded the memory dump into Volatility 3. Chrome and KeePass immediately stood out among active processes. From there, I carved out browser artifacts directly from memory and began recovering traces of stored data.

Here’s what people underestimate. Even when files aren’t saved to disk, user activity still lives in RAM.

Memory forensics isn’t just a backup plan. Sometimes, it’s the only place the truth still exists.
Julian Derry @CyberSamuraiDev
I disagree. High complexity work isn’t next on the list for automation, it’s where automation starts to fall apart without human judgment.

In digital forensics, you’re not just parsing data, you’re building a narrative that has to survive court. Automation speeds up the how, not the why.

Rely on tools blindly and things break. An algorithm can’t testify. If you can’t defend your process, your evidence gets torn apart. Scripts miss edge cases. Tiny details, timestamps, partial overwrites, can flip a case. Tools flag signatures. Analysts prove intent by correlating logs, user activity and memory.

Memory forensics says it all. You can script a process list, but spotting injection, hollowing, or weird parent-child chains takes actual expertise.

Automation helps. It doesn’t replace accountability.
Tyson.nie 📸 @tysonphotoo

If you think your job is safe because it's 'too complex,' you're just next on the list. No one is safe from the automation wave.

Julian Derry retweeted
Nana Sei Anyemedu @RedHatPentester
Studying is a privilege, but working in the field you studied so hard in is another privilege.
Julian Derry retweeted
Elorm Daniel @elormkdaniel
He sold thousands of customer records for crypto… and nearly got away with it. But one late-night alert triggered a forensic chain that exposed it all. USB activity, encrypted files, even recruiter emails. This real insider threat case proves why forensic readiness matters. 👇👇