Julian Derry

4.6K posts

@CyberSamuraiDev

Digital Forensics | Cybersecurity | Manchester United

SHA-256 Joined April 2015
765 Following · 2.2K Followers
Pinned Tweet
Julian Derry@CyberSamuraiDev·
A Deep Dive into Mobile Forensics

I recently completed a full mobile forensic analysis on an iPhone 13 Pro and it was a powerful reminder of how much a device actually remembers. This was an advanced logical extraction with verified image integrity. Even without diving into content, the metadata alone told a story.

From location artifacts, I reconstructed where the device had been, the routes it traveled and the exact timestamps tied to those movements. But more importantly, I could see how those locations were generated. Some coordinates were tied to ride activity such as Uber and Bolt. Others came from navigation searches. Some were linked to shared live locations inside messaging apps. Each source leaves a different footprint. A searched address tells a different story than an active trip. A shared live location suggests intentional disclosure. The coordinates are only part of it, the behavior behind them is the real evidence.

The “most visited locations” view made patterns obvious. Certain coordinates appeared repeatedly, building a clear picture of routine and frequency over time.

On the communication side, interaction volume alone highlighted the primary contacts. Without even reading conversations, it was immediately clear who the highest frequency messaging relationships were. Volume builds pattern. Pattern builds context.

Call analysis went just as deep. Even when call entries were deleted, I could still determine whether interactions were audio or video, which platform they occurred on, how long they lasted, and whether they were answered, missed or rejected. Deleting a visible log doesn’t erase the underlying artifacts. I was also able to recover delivered media, expired content, deleted messages and metadata tying everything to specific timestamps and user actions.

Here’s what stands out. Phones don’t just store content. They store behavior. They store routine. They store intent. Files can be deleted. Logs can be cleared. But the artifacts remain.
#digitalforensics #DFI #mobileforensics #cybersecurity
Julian Derry@CyberSamuraiDev·
Two choices. First choice - wild, unpredictable, full of surprises, where you learn as you go. Second choice - safe, comfortable, everything planned but everyone follows the same path. Which do you pick? Adventure or comfort?
sysxplore@sysxplore

Julian Derry retweeted
Nana Sei Anyemedu@RedHatPentester·
There are times in memory forensics where investigators encounter credential artifacts extracted from volatile memory, including NTLM hashes in pwdump format. Proper parsing and validation are critical before attempting recovery. In this case, multiple accounts reveal different security states: blank passwords, weak user credentials, and potentially stronger service or system-generated secrets. Tools like John the Ripper and Hashcat enable efficient offline analysis, but success depends on wordlist quality, rules, and context-driven targeting. You may need these credentials or one of these to access a particular file or folder. Beyond cracking, these artifacts support lateral movement analysis, credential reuse detection, and overall posture assessment, highlighting gaps in password policy enforcement and privileged account security.
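An added example (not from the post above or its author) of the parsing and validation step it describes: the code checks pwdump-format lines, then flags blank passwords, stored LM hashes and NT hashes shared between accounts. The sample lines and function names are constructed for illustration; only the two empty-string hash constants are real, well-known values.

```python
import re
from collections import defaultdict

# Well-known LM and NT hashes of the empty string (public constants, not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample: accounts and the non-empty hash values are made up.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jdoe:1106:11112222333344445555666677778888:fedcba9876543210fedcba9876543210:::
broken:1107:aad3b435b51404ee:zzzz:::
"""

def parse_pwdump(text):
    """Return (records, rejected) for user:rid:lm:nt::: lines (7 colon fields)."""
    records, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(":")
        if len(parts) != 7 or not parts[1].isdigit():
            rejected.append((lineno, "bad field layout"))
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if not (HEX32.fullmatch(lm) and HEX32.fullmatch(nt)):
            rejected.append((lineno, "hash is not 32 hex characters"))
            continue
        records.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return records, rejected

def assess(records):
    """Map each user to a list of password-posture findings."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    findings = {}
    for r in records:
        notes = []
        if r["nt"] == EMPTY_NT:
            notes.append("blank password")
        elif len(by_nt[r["nt"]]) > 1:
            others = [u for u in by_nt[r["nt"]] if u != r["user"]]
            notes.append("NT hash shared with " + ", ".join(others))
        if r["lm"] != EMPTY_LM:
            notes.append("LM hash stored")
        findings[r["user"]] = notes
    return findings
```

Rejected lines are reported with their line number so a truncated or corrupted extraction is noticed before any further analysis relies on it.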
Julian Derry@CyberSamuraiDev·
@IGN That reload change is absolutely necessary
IGN@IGN·
Valve is changing how to reload and manage ammo reserves in Counter-Strike 2 via a significant update. bit.ly/3PO3aJF
Dave@acmultiple·
@CyberSamuraiDev "full of surprises where you Learn as you go"...... So true😭😭😭........ But it's still worth it.... So definitely Linux.
Julian Derry@CyberSamuraiDev·
What’s the purpose of working so hard, to earn so much, if your child has to work just as much and as hard as you did? I get that wanting him to earn for himself is instilling the discipline of not depending on anyone in him, but if he can’t inherit what you’ve acquired later on but other people can. That’s not tough love, it’s just wickedness.
Julian Derry retweeted
Mr Phil Ghana 🇬🇭@mrphilghana·
This is why incident response teams rush to capture memory first. RAM holds the live story of what really happened on a system, from running processes and decrypted browser sessions to fragments of chats, credentials and unsaved work. Attackers know this too, which is why many modern threats try to stay fileless and avoid leaving evidence on disk. In investigations, memory analysis can expose lateral movement, injected malware, command history and active network connections that would never appear in traditional disk forensics. It turns volatile data into actionable intelligence. Digital evidence does not only live in files. Sometimes the strongest evidence is what was never written to storage. Well done my brother ❤️ #MemoryForensics #DFIR #IncidentResponse #Volatility #CyberSecurity #DigitalForensics
Julian Derry@CyberSamuraiDev

A high-profile environmental activist lost access to his system. His company needed critical data recovered, browser files, password manager credentials… everything. No disk access. Just memory. I loaded the memory dump into Volatility 3. Chrome and KeePass immediately stood out among active processes. From there, I carved out browser artifacts directly from memory and began recovering traces of stored data. Here’s what people underestimate. Even when files aren’t saved to disk, user activity still lives in RAM. Memory forensics isn’t just a backup plan. Sometimes, it’s the only place the truth still exists.

Julian Derry@CyberSamuraiDev·
@visegrad24 If it’s true, whoever took that shot is one hell of a shooter.
Visegrád 24@visegrad24·
BREAKING: CNN reports that a U.S. F-35 fighter jet made an emergency landing in the Middle East after being hit by suspected Iranian fire over Iran. If true, it would be the first time an F-35 has been hit ever.
IT Guy@T3chFalcon·
Adding crack.exe to the exclusions lmao.
Julian Derry@CyberSamuraiDev·
- KeePass database recovered from memory.
- Suspicious NEW_TMP variable across processes.
- Base64 data hidden inside environment variables.
Julian Derry@CyberSamuraiDev·
A high-profile environmental activist lost access to his system. His company needed critical data recovered, browser files, password manager credentials… everything. No disk access. Just memory. I loaded the memory dump into Volatility 3. Chrome and KeePass immediately stood out among active processes. From there, I carved out browser artifacts directly from memory and began recovering traces of stored data. Here’s what people underestimate. Even when files aren’t saved to disk, user activity still lives in RAM. Memory forensics isn’t just a backup plan. Sometimes, it’s the only place the truth still exists.
Julian Derry@CyberSamuraiDev·
I disagree. High complexity work isn’t next on the list for automation, it’s where automation starts to fall apart without human judgment. In digital forensics, you’re not just parsing data, you’re building a narrative that has to survive court. Automation speeds up the how, not the why. Rely on tools blindly and things break. An algorithm can’t testify. If you can’t defend your process, your evidence gets torn apart. Scripts miss edge cases. Tiny details, timestamps, partial overwrites, can flip a case. Tools flag signatures. Analysts prove intent by correlating logs, user activity and memory. Memory forensics says it all. You can script a process list, but spotting injection, hollowing, or weird parent-child chains takes actual expertise. Automation helps. It doesn’t replace accountability.
Tyson.nie 📸@tysonphotoo

If you think your job is safe because it's 'too complex,' you're just next on the list. No one is safe from the automation wave.

Julian Derry retweeted