Posts

Exploring Data Extraction from iOS Devices: What Data You Can Access and How

Following the previous post dedicated to Android devices, this article outlines the data available on iOS devices, depending on the different forensic acquisitions that can be made. The objective is not to propose dedicated guidelines, but to provide a comparison between the data present within different acquisitions that can be obtained from an iOS device, analyzing the specificities of Apple's operating system and related forensic implications. iOS Data Protection: The Core of Apple Security The two main elements that determine data extraction possibilities from an iOS smartphone are the device state (AFU or BFU) and the availability/knowledge of the access code/password. In the iOS ecosystem, the main reference is Apple's Platform Security document, available on Apple's official website. The concept of Data Protection is particularly relevant - Apple's proprietary technology used to protect data stored on devices with Apple SoC. Data Protection Overview Apple use...

Exploring Data Extraction from Android Devices: What Data You Can Access and How

When I first started working in Digital Forensics, one of the fundamental principles was to always create a bit‑by‑bit copy of the storage device. Back then, we typically dealt with hard drives (internal and external), memory cards, and optical media. The choices to be made—then as now—revolved around how to access the device, giving rise to the concept of order of volatility. Simply put, this means collecting the data that is most likely to disappear first. Traditionally, the main decision was whether to perform live forensics or to “pull the plug” and create a disk image. In practice, the challenge was always finding the most effective method—hardware, software, or a combination—to access stored data without modifying it. In the pre-smartphone era, mobile devices followed a similar logic, but the need for live acquisition—acquiring data while the device was powered on—was already evident. Today, both the world and digital forensics have changed significantly. Several factors...

A first look at iOS 18 forensics

This has been a tough year for me: my mom passed away in June, and I'm still slowly recovering from the hard blow. It's time to start again doing what I love: researching and sharing! It's early September and like every year, that moment is approaching when everyone who deals with mobile forensics starts to tremble at the thought of the arrival of a new version of iOS! First the good news: the basic and traditional techniques for logical acquisition (or Advanced Logical, if you want to call it that) still work on iOS 18! A new cross-platform open-source tool has recently become available that enables this type of extraction from various types of Apple devices (iPhone, iPad, Apple TV, Apple Watch). The UFADE tool (https://github.com/prosch88/UFADE), developed and maintained by Christian Peter, fully supports iOS 18 and was used to perform the tests described in this article. The tests were performed on an iPhone 12 with iOS 18 beta operating system, which was reinstalled ...

Dissecting the Android WiFiConfigStore.xml for forensic analysis

A smartphone is often connected to a Wi-Fi network: think of how much time we spend at home, in our office, or even in a public place while studying or exercising. As soon as we can reach a (hopefully trusted) Wi-Fi network, we connect to it! On Android devices, the Wi-Fi connection is managed by the Wi-Fi service. This service must store information about the previously connected Wi-Fi networks so that the phone can reconnect as soon as it's in the vicinity. The file that stores this information is WiFiConfigStore.xml, a simple XML file stored in the Userdata partition under /data/misc/apexdata/com.android.wifi/. The source code describing the contents of this file is available on the Android source code website. This file is parsed by most commercial and open-source tools. I wanted to go a little more in-depth to take a look at the different Wi-Fi settings. The main XML tag is <WifiConfigStoreData>. This tag contains the Version sub-tag, which contains...