r/digitalforensics

A few weeks ago I exposed an online pedophile ecosystem. France opened an investigation in 24 hours, the US has done nothing.

Hey guys! I appreciate the feedback from my other article and here's part 2! I found more damning evidence of an organized network and replied to some pedophile talking points!

Any comments/tips/concerns are very welcome!

gpatricksec.com
u/L0opyy — 4 days ago

BlindSite High Risk Investigations Platform and Forensic Browser

Free and open source. Anyone who contributes to the code is awarded cryptocurrency on our site. Currently our site is down for maintenance, but it will be back up in a few days. Let’s work together and change the world.

github.com
u/Fun_Telephone_8050 — 3 days ago

Is there a way to find out who is running this account?

This dude keeps commenting this on tons of women’s posts, and if you go to his profile he’s also a pedo and not hiding it. I know it’s a “troll” account to get a reaction, but it’s disgusting and I’m just wondering if there’s any way to find out who it is?

Edit to add: this has been an ongoing problem and reporting the account seems to do nothing, unfortunately. Hopefully that will change.

u/Gullible_Awareness12 — 21 hours ago

Why is detecting AI-generated images so hard on real-world scenarios? And what seems to work with good generalization between models?

I've been working on creating an AI-generated image detector and everything so-called "state-of-the-art" in academic studies failed when I tried it in real-world scenarios. State-of-the-art detectors suffer from bad generalization (the artifacts produced by newer generators differ from those on which the detectors were trained); in-the-wild disturbances such as hard JPEG compression and the automatic image post-processing some smartphones have tend to attenuate AI-generated artifacts; and there are overlapping distributions on almost all image statistics between fake and real datasets, considering the features used in digital forensics.

I'm really struggling to make anything reliable. For those who are currently developing AI-generated image detectors, what is working for you?

u/Training_Muffin_5329 — 4 days ago

Videos of a man seeking help to fight cancer, but I came across scam profiles using the same videos. Need help in finding his real profile to support him.

Hey guys, I have come across this profile https://www.instagram.com/illandyinnovation?igsh=dm02cmtqMmdsamV2 of a man who is having a very difficult fight with cancer. I really wish to support him; however, I have noticed several other profiles of this same man begging for help and donations, and I'm really scared that there are people using this man's posts to get people to give them money, money that was meant to help this man's recovery. Is there any way to confirm if this is his real profile, or maybe someone might know the real profile in case it's not?

I feel like it's important and I've been checking on him regularly. It sickens me knowing that there's some people who want to scam people out of their money by stealing this man's content.

u/crisiscore-ruinedme — 1 day ago

I've been building a Windows event log analysis tool called EventHawk and just shipped v1.2. Sharing here for feedback from people who work in IR/forensics.

What it is:

A GUI + CLI tool for parsing and analyzing .evtx files. Built around a Rust-backed parallel parser with a resource monitor that throttles workers automatically so your machine stays usable mid-parse. Supports EVTX from Windows Vista through Server 2022. Parses and filters 6M rows of event logs in just 50-60 secs.

Two parsing modes:

  1. Normal Mode loads matched events into memory — fast and straightforward for most investigations.

  2. Juggernaut Mode is for large captures: raw event XML goes to Parquet on disk, only metadata columns live in memory, full event detail lazy-loads on row click. Scroll 10M+ events with zero disk I/O.

v1.2 rewrote Juggernaut Mode from scratch — replaced the old multi-DuckDB connection model (OOM crashes, file lock conflicts) with a single Arrow in-memory table and filter thread. Filtering now runs as vectorized DuckDB SQL, 20-120ms at 6M rows.

Key features:

  1. 20 built-in DFIR profiles — filter at parse time. Logon/Logoff, Process Creation, Lateral Movement, PowerShell, RDP, Defender Alerts, and 13 more.

  2. 273+ event ID descriptions in plain English on click. No more looking up what 4688 or 7045 means mid-investigation.

  3. ATT&CK tab — every parse maps events to MITRE techniques with ID, tactic, confidence, and source. Click any technique to filter the table to events that triggered it.

  4. IOC tab — auto-extracts IPs, domains, file paths, hashes, URLs, registry keys, and suspicious command lines. Click any IOC to pivot the entire event table to events containing that indicator.

  5. Chains tab — correlates events into multi-step attack chains shown as an expandable tree. Click any node to jump to that event.

  6. Case tab — annotate events with analyst notes, export as a formal PDF investigation report.

  7. Hayabusa integration — ~3,000 community Sigma rules evaluated and merged into the ATT&CK tab.

  8. Sentinel anomaly engine — build a behavioral baseline from clean logs, then score a suspect capture. Each process-create event scored across five dimensions and classified into four tiers. Tier 3/4 findings include plain-English justifications. Built for novel malware, LOLBin abuse, and anything that slips past signatures.

  9. Export in 8 formats — JSON, CSV, XML, HTML, PDF report, STIX 2.1, OpenIOC, YARA.

  10. Full CLI and TUI for headless and automated use.

If the tool looks useful, a star on GitHub goes a long way ⭐⭐ — it helps the project get visibility and keeps me motivated to keep building. Would genuinely love feedback from anyone, especially on what's missing or annoying in the existing ecosystem.

u/kakkaarot — 4 days ago

Would I be able to establish this through digital forensics?

There is a longstanding legal dispute and I am planning to seek a technology forensic expert. But I am concerned if any such data can be recovered / established at all.

Let’s say there is a large platform which operates a forum. It migrates the forum to new software in January 2023. All historically banned users from the old forum are migrated to the new forum with a clean slate. Just 1 user is covertly and manually rebanned. The platform is denying this, despite the fact that the one rebanned user can clearly see that every historically banned user is now active. At the same time, every single person who used to be permanently suspended confirmed that they logged into a fully active account with a clean slate.

Would a forensic expert be able to establish after three years whether any technical arrangements were made to carry over historical bans from the old software to the new software, and also how and when the ban was applied to the specific user, if this happened in 2023?

Platform insists that all bans were automatically carried over to the new software.

I am seriously worried the platform deliberately deleted and destroyed all logs and data. Would a forensics expert be able to still establish this?

If you were giving instructions or questions to a forensic expert, where would you expect them to look, within the platform infrastructure, to search for answers?

Would it be possible that after 3 years every trace of that evidence can be gone?

u/Seller-1978 — 4 days ago

Announcing Crow-Eye v0.10.0: The AI forensics assistance

I am proud to announce the release of Crow-Eye v0.10.0. This milestone marks the official launch of The Eye, a robust intelligence layer designed to integrate your own AI agents directly into Crow-Eye. This isn't just a regular update; it’s a massive milestone for us. My goal from day one has been to build an ecosystem that doesn't just chase known signatures, but actually gives investigators the power to hunt zero-days.

But as we celebrate this release and introduce our new AI layer, we need to talk about the elephant in the room.

The Problem with AI in Forensics

There’s a huge rush right now to slap AI onto cybersecurity tools, and honestly, a lot of it is dangerous. We are seeing "black box" solutions where investigators feed raw data into an LLM and just trust the answers it spits out.

In DFIR, an AI hallucination can ruin a case. An answer without mathematical, binary proof is worthless. If an AI agent cannot anchor its reasoning to exact offsets, hashes, and unmanipulated timestamps, we cannot trust it. To fix this, I realized we had to architect a system where the AI is bound by the exact same strict evidentiary rules as a human analyst.

The Starting Line: Automated Triage

Before the AI even wakes up, Crow-Eye does the heavy lifting. When you launch The Eye, the platform immediately runs a high-speed Automated Triage phase.

It queries the underlying SQLite databases to map out the ground truth: active users, execution histories, accessed files, USB devices, and Auto Run configs. This builds a comprehensive Initial Report. This report isn't the final investigation; it’s the baseline. It’s the verified starting line before we let the AI touch the data.

The Brain of "The Eye"

I believe you should have total control over your data and your analytical "brain." That’s why The Eye is completely modular. You can plug in whatever intelligence fits your environment:

  • Cloud AI Models: Hook up your public API keys for high-performance reasoning.
  • Offline Servers & Local Inference: For air-gapped labs where privacy is non-negotiable.
    • Dev Note: A lot of my testing and development for The Eye was actually done using LM Studio and Google’s open-weights models (like the Gemma family). If you're a solo investigator, running Gemma locally on your own machine is incredibly powerful. Just a tip: push your context window as high as possible to handle the dense forensic payloads!
  • CLI Agents: If you are a developer or researcher, you can hook up your own custom-built local agents, or seamlessly pipe in tools like Claude Code and the Gemini CLI.


Keeping the AI Honest: The Ghassan Elsman Protocol (GEP)

Triage gives us the data, but the Ghassan Elsman Protocol (GEP) ensures the AI doesn't mess it up. The GEP is a strict set of rules hardcoded into the workflow to maintain a perfect chain of custody:

  1. Case Awareness: The Initial Report is injected directly into the prompt to ground the AI in reality.
  2. Pre-Flight Ping: Validates backend connectivity to stop silent failures.
  3. Evidence Anchoring: Automatically tags and preserves raw hashes, IPs, and timestamps in the chat history.
  4. Chain of Custody: Every truncation or data preservation event is meticulously logged.
  5. Non-Repudiation: Messages are assigned deterministic, hash-linked IDs so records can't be altered.
  6. Context Pinning: Critical evidence is locked and excluded from automated AI summarization.
  7. Tool Traceability: Every tool the AI uses (like querying LOLBAS) is logged with exact execution counts.
  8. Machine-Readable Synthesis: You get a clean JSON audit trail at the end to prove compliance.

What's Next: Bridging Analysis and Anatomy

While The Eye handles the high-speed analysis, our educational hub is Eye Describe. In upcoming updates, we are going to start building a bridge between these two tools. The goal is to gradually integrate visual references alongside the AI's findings. We want to reach a point where the AI doesn't just give you an answer, but helps point you toward the structural anatomy of the artifact it analyzed. It’s an iterative, ongoing project, but we believe it is an important step toward total forensic transparency.

This is the very first release of The Eye. You might hit a few bumps connecting to certain local backends or managing specific CLI tools, but we are actively squashing bugs and refining the experience over the next few weeks. Please submit any issues you find!

The latest source code and release are available right now on our GitHub. For those waiting for the compiled .exe version, it will be dropping very soon on our official website.

GitHub : https://github.com/Ghassan-elsman/Crow-Eye

Good hunting.

u/Ghassan_- — 3 days ago

Need advice on getting a quick FFS extraction to recover deleted messages (passcode known)

Hi everyone,

I am trying to run some quick forensics on one of my own devices to recover some deleted messages. I already pulled a standard unencrypted backup, but the specific messages I need are not visible there at all.

Because I have the passcode, BFU and AFU states are not relevant for this. I really just need to grab a Full File System (FFS) extraction so I can dig deeper into the databases and see what is left behind.

Does anyone have recommendations on the quickest way to obtain the FFS and run the analysis? I would appreciate any advice on tools or workflows that are reliable and do not take a massive amount of time to get going.

Thanks in advance for any help!

u/Real_Independence843 — 2 days ago

‘Best’ jobs in private sector?

Have been doing some research and am curious to hear people’s opinions or experience on what the most sought after roles in the private sector would be?

It seems like ‘in house’ positions at companies like Apple/Google/Banks (maybe) would be the pinnacle in terms of ‘interesting’ work and less of a consulting/services type role. I could absolutely be wrong, but from a lot of the private sector job postings I’ve seen, they appear to be more ediscovery / lit support type positions (Big 4 and similar firms, law firms, ediscovery vendors etc.).

I don’t think there is anything particularly bad about those roles (except maybe work life balance, but for me idrc ab that for now / my near future), but as someone who just wants to get stuck into forensics, and who just wants to ‘investigate’ artifacts all day, are there positions like that in the private sector or is LE the way to go?

Appreciate there is a lot to pick apart from what I have stated, but just curious to hear everyone’s opinions. Thanks!

u/DryImagination3432 — 24 hours ago

Hello, I plan to take the BCFE training course next year because, from my understanding, they only hold one session a year. I am a beginner who has a master's degree in software engineering and a bachelor's in criminal justice. I would like some advice on some stuff I could be doing to help me prepare and gain knowledge before I go into the BCFE course.

u/Apprehensive-Base-86 — 7 days ago

Hey all, I've been presented with a sensitive situation and I'm hoping to get some insight.

So, my wife's cousin's son died unexpectedly a few months ago. Younger guy, in college, was found in dorm room. He had been in regular contact with his mother, most recently like 4 or 5 days prior to his death. The assumption is overdose. I say assumption because apparently it wasn't immediately evident and they needed a toxicology, which they say should have results by next month. I don't know all the details, but the mother is unsatisfied with basically no information having been provided to her.

Now, his mother has collected his things, including his phone and laptop. Phone is iPhone and they don't know his passcode or password to icloud. They've reached out to Apple for support and need the proper death certificate, which they won't get until the coroner's report comes back? I think? Laptop is Windows.

However, somehow she was able to access his laptop (Windows, 11 I think. At least 10)... I'm unsure whether she knew his password or if it didn't have one, but I know she has access to it because she has a picture taken from her phone of his file explorer. In the Pictures shortcut folder, there's a subfolder called Photos that has a date modified date 2 days after his death. This doesn't sit well with her, so she's reached out to me to see if I can figure out what was modified in that folder and if anything else out of the ordinary comes up.

I've worked in cyber security for 7ish years, including as a pen tester and in DLP support, so I feel confident in my ability to at least be careful in not fucking with it further until I have a plan.

My question to the community is this: should I first and foremost just image the whole drive? I've used FTK Imager on an engagement for a USB, but not an entire OS before. Does it grab all drives or just C?

Then use a tool to look at that image? From cursory research, I see Autopsy and Digital Forensics Framework might be good open source options, but I'm confident I can get a hold of proprietary tools if needed.

I appreciate any insight into this. Once I have a good foundation for what tools to use and how to image and save the drive(s), I plan on looking into tutorials for next steps or just playing around with them on my devices first.

u/A_Meager_Beaver — 8 days ago

I hear how competitive the cybersecurity and IT market has become the past 2 years. Apparently even candidates with experience, a degree, and some advanced certs are struggling.

How is the DF world?

u/Glittering_Fig4548 — 6 days ago

Working through some chain-of-custody questions and curious how others approach this in practice.

For traditional disk imaging, the workflow is well-established — hash on acquisition, hash on verification, document the tool/version, sign it off. But for ephemeral evidence (memory captures, live network sessions, volatile artifacts), I keep running into the same issue: the moment you capture it, the source state is already gone, so you can't re-verify against the original.

A few specific things I'm wondering:

I've seen some discussion around using cryptographic timestamping services for acquisition timestamps, but curious whether that's actually showing up in casework or if it's still mostly theoretical.

Not looking for product pitches, just want to understand current practice.

u/DistinctTradition200 — 8 days ago
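The hash-linked record that the Crow-Eye post's "Non-Repudiation" and "Chain of Custody" items describe, and the ephemeral-evidence problem in the post above, both reduce to the same mechanism: hash the capture the instant it exists, then append every custody event to a log whose entry IDs each commit to the previous entry, so a later edit, deletion or reordering is detectable. This is an added example, not Crow-Eye's own code or anything from the post; the field names, the case identifiers and the byte string standing in for a memory capture are all constructed here, and anchoring the chain head with an external timestamp authority (the service the post asks about) is not shown.

```python
import hashlib
import json
import time
from typing import Optional, Tuple

def _entry_id(entry: dict) -> str:
    """Deterministic ID: SHA-256 over canonical JSON of every field except 'id'."""
    body = {k: v for k, v in entry.items() if k != "id"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class CustodyLog:
    """Append-only, hash-linked acquisition log (assumed structure, not Crow-Eye's)."""
    def __init__(self, case_id: str, examiner: str):
        self.case_id, self.examiner = case_id, examiner
        self.entries = []

    def record(self, event: str, artifact: Optional[bytes] = None,
               ts: Optional[float] = None) -> dict:
        prev = self.entries[-1]["id"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "case_id": self.case_id,
            "examiner": self.examiner,
            "timestamp_utc": ts if ts is not None else time.time(),
            "event": event,
            # Hash of the artifact as it existed at this moment (the only re-verifiable fact
            # for volatile evidence once the source state is gone).
            "artifact_sha256": hashlib.sha256(artifact).hexdigest() if artifact is not None else None,
            "prev_id": prev,
        }
        entry["id"] = _entry_id(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every ID and link; return (ok, seq of the first bad entry or None)."""
        expected_prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_id"] != expected_prev or _entry_id(e) != e["id"]:
                return False, i
            expected_prev = e["id"]
        return True, None

    def export(self) -> str:
        """Machine-readable audit trail, e.g. for the case file or a report appendix."""
        return json.dumps(self.entries, indent=2, sort_keys=True)

def demo() -> Tuple[bool, bool, Optional[int]]:
    # Constructed stand-in for a memory capture; a real one would be the raw dump bytes.
    capture = b"CONSTRUCTED-MEMDUMP:" + bytes(range(256)) * 4
    log = CustodyLog("CASE-0001", "examiner-A")          # constructed identifiers
    log.record("memory capture started", ts=1700000000.0)
    log.record("memory capture completed; hash computed", artifact=capture, ts=1700000030.0)
    log.record("capture copied to evidence share; hash re-verified", artifact=capture, ts=1700000090.0)
    ok_before, _ = log.verify()
    # Simulate an after-the-fact edit to the acquisition timestamp of entry 1.
    log.entries[1]["timestamp_utc"] = 1700000060.0
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq
```

`export()` gives the JSON trail; the chain head (`entries[-1]["id"]`) is the single value you would submit to a timestamping service to fix the whole log in time.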

I wrote this exam project proposal, but apparently the "lone wolf", "owl" and "jean" scenarios are overused and should be avoided. Any other similar forensic scenarios I could use at about the same level?

u/SavageSubscriber — 7 days ago

Hello,

I have noticed a difference in PDF reports with chat bubble format generated by Cellebrite Physical Analyzer 10.0 regarding the labeling of incoming messages.

In some reports, the message header displays only “From: [sender’s number],” while in others it includes both “From: [sender’s number]” and “To: [owner’s number].”

Could you please clarify the reason for this difference? Additionally, is there a configuration setting or reporting option that controls how these fields are displayed?

Thank you for your assistance.

Best regards,
Justin

u/Time_Ground_2477 — 7 days ago

I am currently working in a DevOps position and graduated with a bachelor's degree in computer networking in 2020. I have recently become interested in digital forensics and I was wondering what the path to getting into the field is like.

u/Aggravating-Fix-7691 — 9 days ago