r/computerforensics

Looking for employment, resources to keep my skills sharpe.

Good morning, everyone. I am an prior US veteran who recently gotten my Master's Degree in Digital Forensic. However, it has been a struggle to find employment. Let me explain my background.

  1. I have been in the IT industry for 20 years. I have done system administration, IT project management and etc. However, digital forensics is a different level for me. I love learning more and more about it. However, I can't find employment for myself. I can find IT jobs, but not in digital forensic.

  2. I am aware of certification, but it is not easy to find school for my program to help me with any of certification for me. I am looking for resources to help with anything that will keep my skills sharpe in my field. Any help would be greatly appreciated in the field

reddit.com
u/TheKillingJoke2022 — 1 day ago

Does the DF in DFIR exist anymore?

Mainly wanted to discuss something I've noticed in the field.

I was recently laid off and have been navigating the job market. I was at my last job for a long time so part of my job hunt experience has been learning how divided the field can be. Many of the 'DFIR' style jobs don't care about forensics. I've interviewed at a few places - some DFIR consulting boutiques, some SOC IR teams and both freely tell me they 'dont do forensics here'. A lot of it seems to be because they have so many cases to manage (3+ a week!) they don't have time for host forensics, they are just getting the basics solved so they can move on to the next case.

Anyone else notice this? My last job I worked for a small MSSP so we took whatever case we could get. I loved it because I worked a bit of everything. But it seems to be a disadvantage in this market where most jobs would rather find someone who can do IR with a bit of DF knowledge or a place where they want someone who's only done digital forensics for litigation / LEO and don't want someone who's spent time in cyber.

reddit.com
u/internal_l0gging — 3 days ago
▲ 24 r/computerforensics+2 crossposts

My write up for a Memory Forensics/DFIR chall for Macos

https://mooofin.github.io/portfolio/blog/s4nct1m0ny.html

tuts for ISF from kernel DWARF. for vol as well . loginwindow plaintext credential extraction, Chainbreaker 3DES keychain decryption, and full RE of a Swift dropper using machine Hardware UUID as decryption key , ive tried to make it very less jargon and reader friendly

u/mewwwfinnn — 2 days ago
▲ 103 r/computerforensics+3 crossposts

VMware vTPM-encrypted vmem/vmsn decryption ready for volatility3

Recently I ran into a problem: I needed to analyze a VMware snapshot of a Windows 11 25H2 VM, but the VM had a vTPM, which makes VMware silently encrypt the .vmem/.vmsn/.vmss/.nvram. Volatility just couldn't find the kernel, and I couldn't find any existing tool to decrypt these files for offline analysis.

So I reverse-engineered the format with the help of Claude and wrote one. It's called vmem-decrypt (pure Python):

- Recovers the data-file key from the VM password (PBKDF2 → AES-256-CBC key chain VMware labels everything "XTS-AES-256" but it's actually CBC, which trips up most people).

- Decrypts .vmem/.vmsn/.vmss/.nvram.

- Flattens the decrypted .vmem into a flat, Volatility-ready image. (VMware compresses then encrypts, so it's still in a proprietary checkpoint LZ77 layout)

Workflow: pull the password hash from the .vmx (VM-Password-Extractor) → crack with hashcat (mode 27400) → feed the password to the tool → run Volatility. Full steps + format notes in the README.

Tested on VMware Workstation Pro 26H1 / Win11 25H2 (build 26100), Volatility 3. Feedback welcome, especially snapshots from other VMware versions to test the format against.

Repo: https://github.com/heeeyaaaa/vmem-decrypt

(Yes, I used AI to help build this. It's tested and it works, that's what matters. Happy to walk through any part of how it works.)

u/h_e_e_y_a_a_a — 6 days ago

Microsoft Copilot Forensics

Hey everyone,

With Microsoft 365 and Windows Copilot fully deployed in enterprise environments, I’m thinking a lot about the post-compromise lifecycle. Instead of manually hunting through SharePoint, a Threat Actor (TA) with a compromised identity can just ask Copilot: “Find our network architecture diagrams and financial spreadsheets.” Has anyone actually worked an incident where a TA abused an active Copilot license for internal recon or data aggregation?

For those who have been in the trenches on this:

  1. Have you caught a TA using Copilot for rapid data exfiltration or recon yet?
  2. Were you able to recover the actual prompts, or did you rely strictly on file-access anomalies?
reddit.com
u/CyberAkatsuki — 4 days ago

Can a worm replicate from a mounted image?

Hello fellow nerds,
I’m a DFIR analyst and I need to perform a forensic analysis of a Windows SSD. The host is confirmed to be infected with malware, and based on my observations during the incident response, I suspect it may be a worm.

I’ll be working from an E01 image created during acquisition. My usual workflow is to mount the image inside a Windows Sandbox and perform triage with KAPE.

I’ll also need to reverse engineer the malware, but I’ve never analyzed a worm before. Is there any realistic risk that it could replicate itself within the sandbox when the image will be mounted ? I’d rather not have to rebuild my analysis environment.

reddit.com
u/Arkas404 — 6 days ago

Audio Manipulation Detection

Hi everyone!

I am looking for a software, platform, or automated solution to analyze a large batch of exported WhatsApp voice messages (.opus files) to determine how they were recorded.

Specifically, I want to categorize them into three types:

  • Natural: Recorded in one continuous go.
  • Studio-quality: Professionally produced/edited.
  • Highly edited: The user frequently used the WhatsApp pause/break button to piece the message together perfectly.

The Challenge: I ran some files through basic AI tools like Cleanvoice, but they often misinterpret the edits as normal breathing or simple pauses. However, when I look at the Audacity Spectrogram, I can clearly see hard cuts, phase shifts, and abrupt changes in the room tone (noise floor) right where the pause button was pressed.

Since I have hundreds of files, checking the spectrogram manually for each one is not feasible.

Is there any audio-forensics tool, python library (like librosa), or platform that can batch-analyze noise floor continuity or phase breaks to automatically flag these cuts?

Thanks in advance!

reddit.com
u/Infamous_System9873 — 5 days ago

The Vibe coded projects uptick

There been an huge uptick of people posting Vibe Codded AI projects here any then saying "Hey I made this cool tool try it" can we get a sticky thread for all these projects so this doesn't become a sub reddit of people spamming vibe codded project from free credits. Or just straight out ban them from being posted here?

reddit.com
u/MDCDF — 10 days ago
▲ 13 r/computerforensics+1 crossposts

If you ever wanted to carve out a piece of MFT/Journal - a timeframe, path or file extensions... here's your chance

I worked in forensics for many years and one of the most annoying things in MFT/Journal analysis, is that initial work of prepping the files until they are readable by humans (size, format, timeframe). I used to export to csv, open in emeditor, then carve out the time periods I did not care about, but that took time and was not reliable.

Now, with the emergence of AI, I was finally able to create the app that does it.

It basically allows you to select a timeframe, extensions you do or do not care about, folders you wish to exclude, and go on your merry way of exporting the valid but carved out MFT for use in other tools or a CSV for use in your favorite tools, too.

As this could be a collaborative project... and I will NEVER sell it, it will remain free (and maybe even open source) - what else would you like to see in such an app? Mods, am I allowed to add a link to a free tool here?

https://preview.redd.it/smc3u9vl679h1.png?width=2470&format=png&auto=webp&s=8435e8ed9428b9d46396d069816eefe7fe631af1

I am almost certain there is no free or paid software out there that allows this kind of laser-focused carving of MFT files for speed of analysis. If the mods allow it, I'll post a link to the download. It's Freeware.

reddit.com
u/xorredd — 12 days ago

Seeking feedback: Searchable index of EXIF/IPTC/XMP metadata from 720M+ public images — potentially useful for digital forensics investigations

I've been building a tool called Image-Meta and would love feedback from people who actually do forensics work, since that's one of the primary use cases I'm trying to serve well.

**What it does:**

Crawls and indexes the embedded metadata from publicly accessible images using ExifTool. Currently ~720 million images indexed with full EXIF/IPTC/XMP extraction.

**Forensics-relevant capabilities:**

**Device attribution**

- Search by camera serial number — link multiple images across different domains or accounts back to the same physical device

- Make/model filtering to narrow device type before drilling into serial

**Identity traces**

- Author, copyright, rights, and description fields often contain real names, emails, and organizational affiliations that subjects didn't know were there

- Software fields can expose Photoshop/Lightroom license strings, machine names, or internal workflow metadata

**Timeline reconstruction**

- foundDT = date we first indexed the image (earliest known appearance online)

- createDT / modifyDT = timestamps embedded in the file itself

- Useful for establishing when an image was created vs. when it first appeared publicly

**GPS / geospatial** (Not available to public without subscription)

- Coordinate + radius search for images taken near a location

- Reverse-geocoded address search

- Many images still carry precise GPS even when uploaded to platforms that claim to strip metadata

**What I'm looking for feedback on:**

- Are there metadata fields or query types that would make this more useful in an actual investigation workflow?

- Is the API structure (REST, Bearer token, field-level boolean search) something that integrates well with existing tooling?

- What's missing that you'd expect from a tool like this?

Not trying to sell anything here — genuinely want to understand what the forensics community needs before I build more features.

https://image-meta.com

API docs: https://image-meta.com/api-docs

image-meta.com
u/cstadler — 10 days ago