Julian Derry
@CyberSamuraiDev
4.6K posts

Digital Forensics | Cybersecurity | Manchester United

SHA-256 · Joined April 2015
765 Following · 2.2K Followers

Pinned tweet
Julian Derry @CyberSamuraiDev
A Deep Dive into Mobile Forensics

I recently completed a full mobile forensic analysis on an iPhone 13 Pro and it was a powerful reminder of how much a device actually remembers. This was an advanced logical extraction with verified image integrity. Even without diving into content, the metadata alone told a story.

From location artifacts, I reconstructed where the device had been, the routes it traveled and the exact timestamps tied to those movements. But more importantly, I could see how those locations were generated. Some coordinates were tied to ride activity such as Uber and Bolt. Others came from navigation searches. Some were linked to shared live locations inside messaging apps. Each source leaves a different footprint. A searched address tells a different story than an active trip. A shared live location suggests intentional disclosure. The coordinates are only part of it; the behavior behind them is the real evidence.

The “most visited locations” view made patterns obvious. Certain coordinates appeared repeatedly, building a clear picture of routine and frequency over time.

On the communication side, interaction volume alone highlighted the primary contacts. Without even reading conversations, it was immediately clear who the highest-frequency messaging relationships were. Volume builds pattern. Pattern builds context.

Call analysis went just as deep. Even when call entries were deleted, I could still determine whether interactions were audio or video, which platform they occurred on, how long they lasted, and whether they were answered, missed or rejected. Deleting a visible log doesn’t erase the underlying artifacts.

I was also able to recover delivered media, expired content, deleted messages and metadata tying everything to specific timestamps and user actions.

Here’s what stands out. Phones don’t just store content. They store behavior. They store routine. They store intent. Files can be deleted. Logs can be cleared. But the artifacts remain.
#digitalforensics #DFI #mobileforensics #cybersecurity
Mr Phil Ghana 🇬🇭
Mr Phil Ghana 🇬🇭@mrphilghana·
Oh yeah, and it goes even deeper than most people realise. Even after an app is removed, the device can still retain cached files, notification records, background service logs, account identifiers and network traces showing how the app communicated with external servers. In some cases, tokens, temporary files or configuration remnants may remain in protected storage areas long after the user believes everything is gone. From an investigative standpoint, these residual artifacts help reconstruct user behaviour and timelines. They can show patterns of usage, correlate activity with other apps, and sometimes reveal whether data was shared, transferred or accessed before deletion. Modern operating systems prioritise performance and usability, not forensic sanitisation, which means cleanup is rarely complete. In digital forensics, deletion is usually just a change in visibility, not an immediate removal of evidence. What disappears from the screen can still exist in logs, backups, memory snapshots or unallocated storage waiting to be analysed.
(Replying to @CyberSamuraiDev’s “Think deleting an app wipes it off your phone?” post.)
Julian Derry
Julian Derry@CyberSamuraiDev·
Think deleting an app wipes it off your phone? Think again. Mobile forensics can still recover traces like:
- when the app was installed
- when it was first used
- when it was removed
Database journaling, system artifacts and data carving often leave behind fragments the OS doesn’t fully clean up. Delete doesn’t equal disappear.
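The post above says database journaling and incomplete cleanup leave fragments behind. Here is an added example (not code from the original post) that makes the SQLite half of that concrete: an app-token table is created, one row is deleted the way an uninstall would delete it, and the raw file is then searched for the deleted value. The table, the token string and the file are all constructed for the demonstration; the only real behaviour shown is SQLite's own, with `PRAGMA secure_delete` toggled to show when the bytes are actually overwritten.

```python
"""Added example: a deleted SQLite row is still present in the database
file until the page space is reused or secure_delete is enabled.
Mobile apps keep most of their state in SQLite, which is one reason
'deleted' data remains carvable. All data here is constructed."""
import os
import sqlite3
import tempfile

# Constructed secret that the 'removed' app had stored in its database.
MARKER = "token-of-removed-app-7f3a"


def build_db(path, secure_delete):
    """Create an app-token table with three rows, then delete one of them."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=DELETE")          # classic rollback journal
    con.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE app_tokens(app TEXT, token TEXT)")
    con.executemany(
        "INSERT INTO app_tokens VALUES (?, ?)",
        [("mail", "token-of-mail-app-1111"),
         ("ride", MARKER),
         ("chat", "token-of-chat-app-2222")],
    )
    con.commit()
    # The user uninstalls the ride app: its row is deleted through the API.
    con.execute("DELETE FROM app_tokens WHERE app = 'ride'")
    con.commit()
    con.close()


def rows_sqlite_sees(path):
    """What a normal query reports: the deleted row is gone."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT count(*) FROM app_tokens").fetchone()[0]
    finally:
        con.close()


def carve(path, needle):
    """Count raw occurrences of needle in the file, ignoring SQLite's view."""
    with open(path, "rb") as fh:
        return fh.read().count(needle.encode())


def demo(secure_delete):
    """Return (rows the API reports, raw hits of the deleted token)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        build_db(path, secure_delete)
        return rows_sqlite_sees(path), carve(path, MARKER)


if __name__ == "__main__":
    print("secure_delete=OFF:", demo(False))   # (2, 1): row gone, bytes remain
    print("secure_delete=ON: ", demo(True))    # (2, 0): freed cell zeroed
```

With `secure_delete` off (the common default), SQLite only rewrites the first few bytes of the freed cell as a free-block header, so the token survives a plain `strings`-style scan of the file. The same logic applies to the rollback journal and WAL files the post alludes to: they are unlinked, not wiped, so their sectors stay recoverable from unallocated space.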
Damilola Ashiedu | Pretty Cyber Girl 💻💡
What does CSRF trick a user into doing?
A) Downloading malware
B) Revealing passwords
C) Executing unwanted actions on a website they're authenticated to
D) Changing their IP address
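To make the quiz above concrete, here is an added example (not part of the original post) of the mechanism behind CSRF: a request forged from another site still carries the victim's session cookie, so a handler that trusts the cookie alone performs the action. The same handler with a per-session synchronizer token rejects the forged request. The "server", session store and request dictionaries are toy constructs for illustration; no network is involved.

```python
"""Added example: CSRF rides the victim's existing session, and a
session-bound synchronizer token defeats it. Toy handler, no network.
All identifiers (session ids, hosts, amounts) are constructed."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)            # per-deployment secret (constructed)
SESSIONS = {"sess-victim": {"user": "victim"}}  # session id -> session data


def csrf_token(session_id):
    """Token bound to one session; another site cannot compute or read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(req, require_token):
    """Toy 'POST /transfer' handler.

    req = {'cookie': session id the browser attached,
           'origin': site whose page sent the request (informational here),
           'form':   POST body controlled by whoever wrote the page}
    """
    sess = SESSIONS.get(req.get("cookie"))
    if not sess:
        return 401, "no session"
    if require_token:
        sent = req["form"].get("csrf", "")
        if not hmac.compare_digest(sent, csrf_token(req["cookie"])):
            return 403, "csrf token missing or wrong"
    form = req["form"]
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"


def forged_request():
    """Form auto-submitted from attacker.example while the victim is logged in.
    The browser attaches the victim's cookie; the attacker chose the body."""
    return {"cookie": "sess-victim", "origin": "https://attacker.example",
            "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request():
    """Same action from the real page, which embedded the token in its form."""
    return {"cookie": "sess-victim", "origin": "https://bank.example",
            "form": {"to": "landlord", "amount": "50",
                     "csrf": csrf_token("sess-victim")}}


if __name__ == "__main__":
    print("no token check, forged:  ", handle_transfer(forged_request(), False))
    print("token check, forged:     ", handle_transfer(forged_request(), True))
    print("token check, legitimate: ", handle_transfer(legitimate_request(), True))
```

The attacker never learns the password or the cookie value; the browser supplies the cookie automatically, which is why option C is the behaviour CSRF exploits. In production the token check is usually paired with `SameSite` cookie attributes and an `Origin`/`Referer` check as defence in depth.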
Julian Derry
Julian Derry@CyberSamuraiDev·
I get your point, but this still pushes people toward reusing the same password, which is where the real risk is.
1. Compromised passwords don’t only come from breaches. People reuse them on random sites, fall for phishing, or even expose them themselves (sticky notes, saved files, etc.).
2. Saying a password is “safe to use for all” because it’s complex is misleading. Once that password is exposed anywhere, attackers don’t need to guess it, they just try it across multiple platforms. At that point, every account using it is at risk.
So the issue isn’t how complex the password is. It’s reuse. Even a strong password becomes a single point of failure if it’s used everywhere.
Cisco Engr@ciscoengr

Using the same password for multiple accounts has its own advantage and disadvantage. The advantage there is that it will be easy for you to access all your accounts, cuz they all have the same password... in that case there will be nothing like "I forgot my password". But the disadvantage there is like this: if one of the accounts you use the password on gets breached, then all your other accounts are automatically gone and you just wrote yourself a death wish letter. But here is the catch: if your password is full of alphanumeric and special symbols... in other words, it's not even a word... I can say it's safe to use for all, but also beware of the disadvantage. Example of an alphanumeric strong password: 9e|°£tyW&$π. Let's see what @h4ruk7 has to say to this one.

Julian Derry
Julian Derry@CyberSamuraiDev·
@JustWantToQ1 Yes, it’s possible if the key was passed in plaintext and was captured while it was still in memory.
Voidwalker
Voidwalker@JustWantToQ1·
@CyberSamuraiDev Is iv/key for ransomware recovery possible in this context if it's passed insecurely at some point in memory?
Julian Derry
Julian Derry@CyberSamuraiDev·
A high-profile environmental activist lost access to his system. His company needed critical data recovered, browser files, password manager credentials… everything. No disk access. Just memory. I loaded the memory dump into Volatility 3. Chrome and KeePass immediately stood out among active processes. From there, I carved out browser artifacts directly from memory and began recovering traces of stored data. Here’s what people underestimate. Even when files aren’t saved to disk, user activity still lives in RAM. Memory forensics isn’t just a backup plan. Sometimes, it’s the only place the truth still exists.
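The post above describes carving browser artifacts straight out of a memory dump, and a later post on this page mentions a KeePass database recovered from memory. Here is an added example (not the author's code or Volatility's) of the two carving steps a practitioner would start with: URL-shaped strings in both ASCII and UTF-16LE (Windows processes hold most user-facing strings as wide characters, so an ASCII-only pass misses them), and the fixed KDBX file signature that identifies a KeePass 2.x database header. The "memory image" is a constructed byte string, not a real dump.

```python
"""Added example: carve browser URLs (ASCII and UTF-16LE) and KeePass
KDBX headers out of raw memory. DUMP is a constructed byte string
standing in for a memory image; offsets are only meaningful for it."""
import re

URL_CHARS = rb"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]"
ASCII_URL = re.compile(rb"https?://" + URL_CHARS + rb"{4,}")
# Same pattern with a NUL after every byte: UTF-16LE as Windows keeps it.
WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_CHARS + rb"\x00){4,}"
)
# KeePass 2.x database signature (first 8 bytes of a .kdbx file).
KDBX_MAGIC = b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5"


def carve_urls(dump):
    """Return sorted (offset, url, encoding) for every URL-shaped string."""
    hits = []
    for m in ASCII_URL.finditer(dump):
        hits.append((m.start(), m.group().decode("ascii"), "ascii"))
    for m in WIDE_URL.finditer(dump):
        hits.append((m.start(), m.group().decode("utf-16-le"), "utf-16le"))
    return sorted(hits)


def find_kdbx(dump):
    """Return every offset where a KDBX header signature begins."""
    offsets, pos = [], 0
    while (pos := dump.find(KDBX_MAGIC, pos)) != -1:
        offsets.append(pos)
        pos += len(KDBX_MAGIC)
    return offsets


# Constructed 'memory': padding, a process name, an ASCII URL, a BOM,
# a UTF-16LE URL, then a KDBX header followed by a made-up version field.
DUMP = (
    b"\x00" * 16
    + b"chrome.exe\x00\x00"
    + b"https://mail.example.org/inbox?id=42"
    + b"\x00\x00\xff\xfe"
    + "https://drive.example.org/file/abc".encode("utf-16-le")
    + b"\x00\x00"
    + KDBX_MAGIC + b"\x00\x00\x04\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for off, url, enc in carve_urls(DUMP):
        print(f"{off:#08x} {enc:8} {url}")
    print("kdbx headers at:", [hex(o) for o in find_kdbx(DUMP)])
```

On a real image the URL list is the raw material for the browser-history reconstruction the post describes, and a KDBX hit tells you which process to dump in full so the database can be exported and opened with the recovered master key material.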
Julian Derry
Julian Derry@CyberSamuraiDev·
This is where tools like GrayKey Fastrak, Axiom Express, and Cellebrite make a real difference. Fast, reliable data extraction is critical for forensic investigations. And with cybercrime at an all time high, the demand for skilled digital forensics analysts and investigators is only growing.
Jacob in Cambodia 🇺🇸 🇰🇭
8,000 phones, $580 million frozen, and the FBI is rotating agents to Thailand FBI's Bangkok office set up a joint task force with Royal Thai Police last August to go after scam compounds in the region. Royal Thai Police have since seized over 8,000 phones and 1,300 hard drives from suspected compounds. FBI Deputy Assistant Director Scott Schelble says they're no longer just targeting individual scammers but dismantling the networks financing and sustaining the compounds, tracing crypto across blockchains and freezing accounts. DOJ's Scam Center Strike Force has frozen or seized over $580 million in crypto so far. The FBI is also rotating special agents to Thailand on six-month deployments to work alongside Thai authorities. Meanwhile, Meta just took down 150,000+ accounts tied to scam center networks as part of a joint effort with Thai police, leading to 21 arrests.
Julian Derry
Julian Derry@CyberSamuraiDev·
Two choices. First choice: wild, unpredictable, full of surprises, where you learn as you go. Second choice: safe, comfortable, everything planned, but everyone follows the same path. Which do you pick? Adventure or comfort?
Julian Derry reposted
Nana Sei Anyemedu
Nana Sei Anyemedu@RedHatPentester·
There are times in memory forensics where investigators encounter credential artifacts extracted from volatile memory, including NTLM hashes in pwdump format. Proper parsing and validation are critical before attempting recovery. In this case, multiple accounts reveal different security states: blank passwords, weak user credentials, and potentially stronger service or system-generated secrets. Tools like John the Ripper and Hashcat enable efficient offline analysis, but success depends on wordlist quality, rules, and context-driven targeting. You may need these credentials or one of these to access a particular file or folder. Beyond cracking, these artifacts support lateral movement analysis, credential reuse detection, and overall posture assessment, highlighting gaps in password policy enforcement and privileged account security.
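The reposted note above stresses parsing and validating pwdump-format credentials before any cracking, and sorting accounts into blank, weak and stronger states. Here is an added example (not the author's code) that does exactly that triage: it validates each `user:RID:LM:NT:::` line, flags malformed records instead of dropping them silently, classifies every account by comparing against the well-known empty-password LM and NT hash constants, and emits the deduplicated NT hashes a practitioner would hand to hashcat mode 1000. The sample dump is constructed; the non-empty hashes are widely published test vectors for the string "password" plus placeholder hex, not credentials from any real system.

```python
"""Added example: parse, validate and classify NTLM hashes in pwdump
format before attempting recovery. Sample lines are constructed."""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed pwdump output. Line 5 is deliberately malformed.
# 8846f7... is the published NT test vector for "password";
# e52cac... is the published LM test vector for the same string.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
broken:1003:notahash:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """Return (valid records, [(line number, reason)] for rejected lines)."""
    good, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 4:
            bad.append((n, "too few fields"))
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
            bad.append((n, f"{user}: RID or hash field not well-formed"))
            continue
        good.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return good, bad


def classify(rec):
    """blank: empty password.  lm-present: legacy LM hash stored, so the
    password is at most 14 chars and case-insensitive for LM cracking.
    nt-only: only the NT hash is available."""
    if rec["nt"] == EMPTY_NT:
        return "blank"
    if rec["lm"] != EMPTY_LM:
        return "lm-present"
    return "nt-only"


def hashcat_targets(records):
    """Deduplicated NT hashes for `hashcat -m 1000`, skipping blank accounts."""
    return sorted({r["nt"] for r in records if classify(r) != "blank"})


if __name__ == "__main__":
    good, bad = parse_pwdump(SAMPLE_PWDUMP)
    for r in good:
        print(f"{r['user']:14} rid={r['rid']:<5} {classify(r)}")
    for n, why in bad:
        print(f"line {n}: rejected ({why})")
    print("NT hashes to crack:", hashcat_targets(good))
```

The classification matters for targeting: accounts in the `lm-present` state are the cheapest to recover (crack the LM half first, then use it to fix the case of the NT password), blank accounts need no cracking at all, and the `nt-only` set is where wordlist quality and rules decide the outcome.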
Julian Derry
Julian Derry@CyberSamuraiDev·
@IGN That reload change is absolutely necessary
IGN
IGN@IGN·
Valve is changing how to reload and manage ammo reserves in Counter-Strike 2 via a significant update. bit.ly/3PO3aJF
Dave
Dave@acmultiple·
@CyberSamuraiDev "full of surprises where you Learn as you go"...... So true😭😭😭........ But it's still worth it.... So definitely Linux.
Julian Derry
Julian Derry@CyberSamuraiDev·
What’s the purpose of working so hard, to earn so much, if your child has to work just as much and as hard as you did? I get that wanting him to earn for himself is instilling in him the discipline of not depending on anyone, but if he can’t inherit what you’ve acquired later on while other people can, that’s not tough love, it’s just wickedness.
Julian Derry reposted
Mr Phil Ghana 🇬🇭
Mr Phil Ghana 🇬🇭@mrphilghana·
This is why incident response teams rush to capture memory first. RAM holds the live story of what really happened on a system, from running processes and decrypted browser sessions to fragments of chats, credentials and unsaved work. Attackers know this too, which is why many modern threats try to stay fileless and avoid leaving evidence on disk. In investigations, memory analysis can expose lateral movement, injected malware, command history and active network connections that would never appear in traditional disk forensics. It turns volatile data into actionable intelligence. Digital evidence does not only live in files. Sometimes the strongest evidence is what was never written to storage. Well done my brother ❤️ #MemoryForensics #DFIR #IncidentResponse #Volatility #CyberSecurity #DigitalForensics
(Quoting @CyberSamuraiDev’s memory forensics post above.)
Julian Derry
Julian Derry@CyberSamuraiDev·
@visegrad24 If it’s true, whoever took that shot is one hell of a shooter.
Visegrád 24
Visegrád 24@visegrad24·
BREAKING: CNN reports that a U.S. F-35 fighter jet made an emergency landing in the Middle East after being hit by suspected Iranian fire over Iran. If true, it would be the first time an F-35 has been hit ever.
IT Guy
IT Guy@T3chFalcon·
Adding crack.exe to the exclusions lmao.
Julian Derry
Julian Derry@CyberSamuraiDev·
- KeePass database recovered from memory.
- Suspicious NEW_TMP variable across processes.
- Base64 data hidden inside environment variables.
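The last two bullets above, a variable name that recurs across unrelated processes and Base64 hidden in its value, are exactly what a small triage script over environment-variable output can surface. Here is an added example (not the author's code and not a Volatility plugin) that does so. The input is modelled on the PID / Process / Block / Variable / Value columns that Volatility 3's `windows.envars` plugin prints; that column layout is an assumption here, and the sample lines, process names, `NEW_TMP` value and the decoded URL (a TEST-NET address) are all constructed.

```python
"""Added example: triage environment variables recovered from a memory
image. Flags values that decode as Base64 to printable text and reports
which processes share the same variable name. Sample input constructed;
column layout assumed to follow Volatility 3 windows.envars output."""
import base64
import binascii
import re
from collections import defaultdict

# Long enough to avoid matching ordinary words; optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed envars listing (header line plus one row per variable).
SAMPLE = """\
PID	Process	Block	Variable	Value
1024	explorer.exe	0x8a1f00	PATH	C:\\Windows\\system32;C:\\Windows
1024	explorer.exe	0x8a1f00	NEW_TMP	aHR0cDovLzIwMy4wLjExMy4xMC9zdGFnZQ==
2200	notepad.exe	0x5c2000	TEMP	C:\\Users\\a\\AppData\\Local\\Temp
2200	notepad.exe	0x5c2000	NEW_TMP	aHR0cDovLzIwMy4wLjExMy4xMC9zdGFnZQ==
3056	svchost.exe	0x1b0000	NEW_TMP	aHR0cDovLzIwMy4wLjExMy4xMC9zdGFnZQ==
4100	chrome.exe	0x7de000	HOMEPATH	\\Users\\a
"""


def parse_envars(text):
    """Split whitespace-aligned rows into dicts; Value may itself contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 4)
        if len(parts) == 5:
            pid, proc, _block, var, val = parts
            rows.append({"pid": int(pid), "process": proc, "var": var, "value": val})
    return rows


def try_b64(value):
    """Return decoded text if value is strict Base64 of printable UTF-8, else None."""
    if not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def triage(text):
    """Return one finding per Base64-looking variable, with the processes
    that carry the same variable name (cross-process reuse is the tell)."""
    rows = parse_envars(text)
    by_var = defaultdict(set)
    for r in rows:
        by_var[r["var"]].add(r["process"])
    findings = []
    for r in rows:
        decoded = try_b64(r["value"])
        if decoded is not None:
            findings.append({**r, "decoded": decoded,
                             "shared_by": sorted(by_var[r["var"]])})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"pid {f['pid']:<5} {f['process']:13} {f['var']} -> {f['decoded']!r}"
              f"  (also in: {', '.join(f['shared_by'])})")
```

A legitimate variable such as `PATH` or `TEMP` never survives the strict decode, while an injected `NEW_TMP` present in three unrelated processes with an identical Base64 value is a strong lead to pivot on: check process parentage and creation times for those PIDs next.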