Digital Forensics Round-Up, June 24 2026

A round-up of this week’s digital forensics news and views:     INDUSTRY NEWS CSAM Investigators Face Growing Mental Health Crisis Officers investigating crimes against children face severe psychological trauma, a burden that is intensifying as AI-generated CSAM floods caseloads while government mental health resources are being cut. Many investigators are parents themselves, adding personal weight to cases involving child exploitation material. Read more (bloomberg.com)     TOOLS & SOFTWARE Get The Latest DFIR News Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month. Unsubscribe any time. We respect your privacy - read our privacy policy. Cellebrite Launches Agentic AI Investigative Tool Cellebrite outlines the development and launch of Genesis, its agentic AI product designed to help investigators process digital evidence and surface leads more quickly. Early-access results from law enforcement agencies are highlighted, while stressing that investigators remain responsible for validating findings and preserving evidential integrity. Read more (forensicfocus.com)     TOOLS & SOFTWARE Engram MCP Brings Autonomous AI to Memory Forensics Engram MCP is an autonomous AI agent built for memory forensics workflows, using the Model Context Protocol to replace raw terminal access with structured APIs that prevent context flooding and hallucination. A baseline test showed an unstructured LLM agent consuming 147,000 tokens before collapse; Engram enforces a six-phase OODA loop architecturally and requires positive evidence before declaring any subsystem clean. Read more (github.com)     RESEARCH & TECHNIQUES Berla Explains Location ID Without GPS Coordinates Berla Corporation has published a guide on reachability analysis, a technique for identifying vehicle locations when GPS coordinates are unavailable. The method offers examiners an alternative investigative pathway for extracting location intelligence from vehicle infotainment and telematics systems. Read more (forensicfocus.com)     RESEARCH & TECHNIQUES iCloud Private Relay Challenges Network Forensics Workflows Apple’s iCloud Private Relay routes Safari traffic and DNS queries through dual-hop proxies using QUIC/TLS 1.3, rendering traditional DNS logs and IP attribution unreliable for investigations involving Apple devices. Egress IPs rotate between sessions and are shared across users, while ODoH eliminates DNS query visibility at the network perimeter. DFIR teams relying on Zeek, Suricata, or pcap analysis will find destination correlation broken, requiring a fundamental shift in network-based detection logic. Read more (andreafortuna.org)     INDUSTRY NEWS Belkasoft X Targets SQLite Forensic Recovery Belkasoft explains why SQLite forensics remains a vital DFIR skill, showing how deleted records, WAL entries, journal files, and unallocated fragments can reveal evidence missed by automated parsing. Practical examples involving Avast Firewall logs, Microsoft Phone Link, Google Drive, and iOS SMS backups demonstrate how targeted SQLite analysis can uncover overlooked investigative leads. Read more (forensicfocus.com)     TRAINING & EVENTS Evidence Locker Centralizes DFIR Test Images Kevin Pagano has compiled The Evidence Locker, a single repository of forensic test images spanning mobile devices, computers, and memory dumps. It gives DFIR practitioners ready-made datasets for practice, validation, and methodology development without relying solely on commercial tooling. Read more (stark4n6.com)     TOOLS & SOFTWARE SQLiteWalker v1.0.0 Adds GUI and TAR Support SQLiteWalker v1.0.0 arrives with a new GUI, .TAR archive support, and a unified script that combines command-line and graphical modes into a single file. Updated by contributor Miguel, the tool extracts SQLite databases along with associated WAL and SHM files from folders or archives, reporting any errors encountered during scanning. Read more (stark4n6.com)     TOOLS & SOFTWARE Android Intrusion Log Parser 2.0 Released Android Intrusion Log Parser 2.0 adds detection of AFU and BFU bad PIN attempts, app installation/run/uninstall tracking, unique IP and DNS query reporting, and full log conversion from JSON lines to CSV. Upcoming development will target flagging suspicious ADB activity and push/pull events. Read more (github.com)     INDUSTRY NEWS BelkaGPT Transcribes Audio and Video Evidence Belkasoft demonstrates how BelkaGPT can transcribe audio, voice messages, and video files into indexed, searchable text for faster forensic review. Investigators can search recordings by keyword and jump to the exact moment a term is spoken, reducing the need to manually review hours of material. Read more (forensicfocus.com)     RESEARCH & TECHNIQUES Linux Forensic Image Creation and Mounting Guide A new practitioner-focused guide walks through creating and mounting forensically sound disk images in Linux, covering installation of required tools and step-by-step acquisition procedures. It targets examiners already comfortable with Windows forensics who want to extend their skills to Linux environments. Read more (matthewplascencia.substack.com)     INDUSTRY NEWS Cellebrite AI Transforms Digital Forensics Cellebrite sets out ten best practices for using AI in digital investigations, urging examiners to start with familiar cases, understand data sources, ask specific questions, and treat AI as an investigative aid rather than a replacement for practitioner judgment. The guidance emphasises that AI can accelerate triage and evidence correlation, but validation, documentation, chain of custody, disclosure, and court presentation remain the responsibility of qualified forensic professionals. Read more (forensicfocus.com)