1 · SANS ISC Diary
SANS ISC tracks the seventh update on the TeamPCP campaign, now confirmed to have exfiltrated Cisco source code through a Trivy-related compromise.
Lead the issue with this: the supply-chain story is the strongest news this week, and the SBOM/dependency-hygiene angle resonates with both LE and corporate IR readers.
2 · GitHub DFIR Trending
New CLI tool that ingests Microsoft 365 audit logs and produces a normalized investigator-ready timeline. Relevant for BEC and tenant-takeover cases.
Pair with last quarter's Magnet Spring update on M365; a head-to-head comparison post covering both tools would land well.
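To make the "normalized investigator-ready timeline" concrete for the BEC angle, here is an added example (written for this digest, not code from the tool or from Microsoft) that flattens Unified Audit Log AuditData records into a sorted timeline and flags the mailbox-rule operations that dominate BEC cases. The three records are constructed for the example; the field names (CreationTime, Operation, UserId, ClientIP, Workload, Parameters) are the ones the UAL export carries, and the BEC_OPERATIONS list is an assumption you should extend from your own casework.

```python
import json
from datetime import datetime, timezone

# Constructed sample records shaped like the AuditData JSON that
# Search-UnifiedAuditLog exports. Made up for this example; not real tenant data.
# Note the third record is out of order on purpose to show the sort.
SAMPLE_AUDIT_DATA = [
    '{"CreationTime":"2026-03-02T08:04:11","Id":"c1","Operation":"UserLoggedIn",'
    '"Workload":"AzureActiveDirectory","UserId":"alice@contoso.example",'
    '"ClientIP":"198.51.100.23","ResultStatus":"Success","ObjectId":"OfficeHome"}',
    '{"CreationTime":"2026-03-02T08:07:45","Id":"c2","Operation":"New-InboxRule",'
    '"Workload":"Exchange","UserId":"alice@contoso.example","ClientIP":"198.51.100.23",'
    '"ResultStatus":"True","ObjectId":"alice@contoso.example/Inbox/.",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"DeleteMessage","Value":"True"},'
    '{"Name":"SubjectContainsWords","Value":"invoice;payment"}]}',
    '{"CreationTime":"2026-03-02T07:58:02","Id":"c3","Operation":"UserLoggedIn",'
    '"Workload":"AzureActiveDirectory","UserId":"alice@contoso.example",'
    '"ClientIP":"203.0.113.7","ResultStatus":"Success","ObjectId":"OfficeHome"}',
]

# Assumption: operations worth flagging in a BEC / tenant-takeover case. Extend as needed.
BEC_OPERATIONS = {
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
    "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox",
}


def parse_time(value):
    """UAL CreationTime is ISO 8601 with no zone designator and is always UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def normalize(record):
    """Map one AuditData object to the flat row an investigator wants in a timeline."""
    params = {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}
    return {
        "ts": parse_time(record["CreationTime"]).isoformat(),
        "workload": record.get("Workload", ""),
        "operation": record.get("Operation", ""),
        "user": record.get("UserId", ""),
        "client_ip": record.get("ClientIP", ""),
        "result": record.get("ResultStatus", ""),
        "object": record.get("ObjectId", ""),
        "params": params,
        "id": record.get("Id", ""),
    }


def build_timeline(audit_json_lines):
    """Parse each AuditData string and return rows ordered by time (ties broken by Id)."""
    rows = [normalize(json.loads(line)) for line in audit_json_lines]
    rows.sort(key=lambda r: (r["ts"], r["id"]))
    return rows


def bec_indicators(timeline):
    """One line per mailbox-rule or permission change, with the rule parameters spelled out."""
    findings = []
    for row in timeline:
        if row["operation"] in BEC_OPERATIONS:
            detail = ", ".join(f"{k}={v}" for k, v in sorted(row["params"].items()))
            findings.append(
                f"{row['ts']} {row['user']} {row['operation']} from {row['client_ip']} ({detail})"
            )
    return findings


def ips_per_user(timeline):
    """Distinct successful sign-in source IPs per user; several in a short window merit a look."""
    seen = {}
    for row in timeline:
        if row["operation"] == "UserLoggedIn" and row["result"] == "Success":
            seen.setdefault(row["user"], set()).add(row["client_ip"])
    return seen


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_AUDIT_DATA)
    for row in tl:
        print(row["ts"], row["workload"], row["operation"], row["user"], row["client_ip"], row["object"])
    for finding in bec_indicators(tl):
        print("BEC indicator:", finding)
    print("sign-in IPs per user:", ips_per_user(tl))
```

Feed it the AuditData column of a Search-UnifiedAuditLog CSV export (one JSON document per row) and the output is the same shape the tool in this item promises; the point of the example is that the normalization step is small and the value is in the per-operation enrichment.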
3 · GitHub DFIR Trending
Open-source Rust DFIR utility focused on performance plus a graph view for entity relationships across artifacts.
Worth a hands-on look — Rust DFIR is still rare. Consider a follow-up tooling deep-dive.
4 · GitHub DFIR Trending
Framework that enables remote wireless ADB-style access for Android forensic acquisition without a physical USB connection.
Important for field acquisition scenarios. Call out the chain-of-custody implications: wireless capture changes the integrity story, so the write-up should say to hash on the device before transfer, hash again on receipt, and record the transport path in the acquisition notes.
5 · GitHub DFIR Trending
Drop-in replacement for hashdeep with BLAKE3 as the default algorithm, written for performance on large evidence sets.
Note that BLAKE3 is not on NIST's approved hash list the way SHA-2 is, and not every court or opposing expert will accept it on its own; flag the verification angle when recommending, i.e. keep a second, widely accepted hash (SHA-256) in the manifest alongside BLAKE3.
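The "keep a second hash" caveat in practice, as an added example written for this digest (it is not code from the hashdeep replacement in this item, nor from hashdeep itself): a hashdeep-style manifest writer and auditor that always records MD5 and SHA-256 and adds BLAKE3 when the third-party `blake3` package is installed. The header layout mimics hashdeep's `%%%%` lines and puts the filename last so commas in names survive; treating it as fully hashdeep-compatible is an assumption, not a guarantee.

```python
import hashlib
import sys
from pathlib import Path

try:
    import blake3  # third-party (pip install blake3); assumption: present when BLAKE3 rows are wanted
except ImportError:
    blake3 = None

# Column order of the manifest. SHA-256 (and MD5 for legacy tooling) are always present so the
# manifest verifies with any standard tool even if BLAKE3 is challenged or unavailable.
COLUMNS = ["size", "md5", "sha256"] + (["blake3"] if blake3 else [])


def new_digests():
    """One digest object per hash column; BLAKE3 only when the package is available."""
    d = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    if blake3:
        d["blake3"] = blake3.blake3()
    return d


def hash_bytes(data):
    d = new_digests()
    for h in d.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in d.items()}


def hash_file(path, chunk_size=1 << 20):
    """Stream the file once and feed every digest from the same chunks (large evidence sets)."""
    d = new_digests()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            size += len(chunk)
            for h in d.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in d.items()}


def write_manifest(root, out_path):
    """hashdeep-style manifest: '%%%%' header lines, then one CSV row per file, filename last.
    Write the manifest outside `root`, or it will be hashed into itself on the next run."""
    root = Path(root)
    lines = ["%%%% HASHDEEP-1.0", "%%%% " + ",".join(COLUMNS + ["filename"])]
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        size, digests = hash_file(path)
        rel = path.relative_to(root).as_posix()
        lines.append(",".join([str(size)] + [digests[c] for c in COLUMNS[1:]] + [rel]))
    Path(out_path).write_text("\n".join(lines) + "\n")
    return len(lines) - 2  # number of files recorded


def read_manifest(manifest_path):
    rows, columns = {}, None
    for line in Path(manifest_path).read_text().splitlines():
        if line.startswith("%%%% HASHDEEP"):
            continue
        if line.startswith("%%%% "):
            columns = line[5:].split(",")
            continue
        if line.startswith("##") or not line.strip():
            continue
        fields = line.split(",", len(columns) - 1)  # filename is last and may contain commas
        rec = dict(zip(columns, fields))
        rows[rec["filename"]] = rec
    return rows


def audit(root, manifest_path):
    """Recompute every hash and report ok / mismatch / missing / new (like hashdeep -a -k)."""
    root = Path(root)
    expected = read_manifest(manifest_path)
    result = {"ok": [], "mismatch": [], "missing": [], "new": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in expected:
            result["new"].append(rel)
            continue
        size, digests = hash_file(path)
        rec = expected[rel]
        # Compare only the algorithms present in both the manifest and this environment.
        same = rec["size"] == str(size) and all(
            rec[c] == digests[c] for c in ("md5", "sha256", "blake3") if c in rec and c in digests
        )
        result["ok" if same else "mismatch"].append(rel)
    result["missing"] = sorted(set(expected) - seen)
    return result


if __name__ == "__main__":
    # usage: python dualhash.py <evidence_dir> <manifest> [audit]
    if len(sys.argv) < 3:
        sys.exit("usage: dualhash.py <evidence_dir> <manifest> [audit]")
    if len(sys.argv) > 3 and sys.argv[3] == "audit":
        print(audit(sys.argv[1], sys.argv[2]))
    else:
        print("hashed", write_manifest(sys.argv[1], sys.argv[2]), "files")
```

Because every algorithm is fed from the same read, adding BLAKE3 costs almost nothing on large sets; the SHA-256 column is what you hand over when someone will not accept the newer hash.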
6 · GitHub DFIR Trending
CLI utility for analyzing offline AD databases (NTDS.dit) and Windows evidence without reattaching to a live domain.
Useful angle for IR teams handling DC compromise cases; pair with an NTDS.dit walkthrough post.
7 · GitHub DFIR Trending
Threat-hunting framework using lightweight agents to execute hunt queries across endpoints with centralized aggregation.
Worth noting this is automation-heavy — interesting positioning for AI-assisted hunting workflows.
8 · GitHub DFIR Trending
Targeted utility for matching environment artifacts against known IOCs of the Chrysalis botnet family.
Confirm the Chrysalis attribution against your usual TI sources — repo author is new and the family name is not yet widely catalogued.
9 · GitHub DFIR Trending
Curated KQL query repository for Defender XDR covering common threat-hunting scenarios.
Solid resource — quick win to feature in the Tools section every few months as the queries get refreshed.
10 · SANS ISC Diary
ISC honeypot data shows targeted scanning for the EncystPHP webshell, suggesting an active campaign or post-exploitation reconnaissance wave.
Group with the obfuscated-JS and web-shells items into a webshell trend mini-section.
11 · SANS ISC Diary
ISC analyzes which web shells attackers most frequently scan for, providing a prioritized hunting list for defenders.
Pair with the EncystPHP item — these together justify a 'web-shells in 2026' explainer post.
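For the web-shell mini-section, the defender's side of both ISC items (the scanning wave and the prioritized hunting list) in working form, as an added example written for this digest rather than code from ISC: a parser for Apache combined-format logs that separates scanners (one IP probing several known shell paths inside a short window) from the far more urgent case of a shell path that actually answers 2xx. The log lines are constructed, and the WEBSHELL_PATHS list is an assumed stand-in for whatever ranking the ISC diary publishes, not a reproduction of it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: file names commonly probed for web shells. Replace with the diary's list.
WEBSHELL_PATHS = {
    "/shell.php", "/cmd.php", "/c99.php", "/r57.php", "/wso.php", "/alfa.php",
    "/upload.php", "/uploads/shell.php", "/wp-content/uploads/shell.php",
    "/admin/shell.php", "/backup.php", "/x.php",
}

# Apache/nginx combined format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [02/Mar/2026:10:00:01 +0000] "GET /shell.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:00:02 +0000] "GET /cmd.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:00:02 +0000] "GET /c99.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:00:03 +0000] "GET /wso.php?cmd=id HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:00:03 +0000] "GET /alfa.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Mar/2026:10:05:40 +0000] "POST /uploads/shell.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
192.0.2.10 - - [02/Mar/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Mar/2026:11:30:00 +0000] "GET /shell.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0].lower(),  # drop query string, normalize case
        "status": int(m["status"]),
    }


def analyze(log_text, window=timedelta(minutes=10), threshold=3):
    """Return (scanners, live_shells).

    scanners:    {ip: max distinct shell paths probed inside `window`} for IPs at/over threshold.
    live_shells: [(ip, path, status)] where a shell path answered 2xx, i.e. the file exists.
    A 404 storm is reconnaissance; a single 200 on one of these paths is an incident.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    per_ip, live = defaultdict(list), []
    for e in events:
        if e["path"] in WEBSHELL_PATHS:
            per_ip[e["ip"]].append(e)
            if 200 <= e["status"] < 300:
                live.append((e["ip"], e["path"], e["status"]))
    scanners = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # distinct shell paths this IP touched in the window ending at the current event
            recent = {x["path"] for x in evs[: i + 1] if cur["ts"] - x["ts"] <= window}
            if len(recent) >= threshold:
                scanners[ip] = max(scanners.get(ip, 0), len(recent))
    return scanners, live


if __name__ == "__main__":
    scanners, live = analyze(SAMPLE_LOG)
    for ip, n in sorted(scanners.items()):
        print(f"scanner {ip}: {n} distinct web-shell paths probed")
    for ip, path, status in live:
        print(f"POSSIBLE LIVE SHELL: {path} answered {status} to {ip}")
```

The window-and-threshold logic is what keeps a single stray 404 (the 192.0.2.10 line) out of the scanner list; tune both from your own baseline before running it across a fleet.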
12 · SANS ISC Diary
ISC reports that observed payload deliveries this period are either heavily obfuscated JavaScript or nothing detectable, indicating a methodology shift.
Good lead-in to a deobfuscation tooling sidebar; link Didier Stevens's analysis scripts and a JavaScript deobfuscator rather than memory-forensics tooling such as Volatility, which does not address this.
13 · SANS ISC Diary
Continued evidence of attackers fingerprinting honeypots before engaging, raising the bar for defensive deception infrastructure.
If we already have a honeypot reader segment, this is a natural follow-on item.
14 · SANS ISC Diary
Follow-up analysis on how users place numbers within passwords, with implications for cracking-rule prioritization in IR.
Useful when investigators need to justify rule choices in hashcat — short tip-style mention.
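To back the "justify rule choices" tip with numbers, here is an added example written for this digest (not ISC's analysis code, and not the diary's data): it classifies where the digit run sits in each recovered plaintext relative to the letters, tallies digit-suffix lengths, and ranks hashcat masks by frequency so the most common shapes are cracked first. The password list is constructed; the mapping of every non-alphanumeric character to `?s` is a simplification of hashcat's charset.

```python
from collections import Counter

# Constructed sample plaintexts for the example (not from any real breach or case).
SAMPLE_PASSWORDS = [
    "Summer2024!", "Winter2024!", "Spring2024!", "hunter2",
    "P@ssw0rd", "2024pass", "letmein", "123456", "pass1word2",
]


def digit_runs(pw):
    """[(start, end), ...] half-open index ranges of each contiguous digit run."""
    runs, start = [], None
    for i, ch in enumerate(pw + " "):  # sentinel closes a trailing run
        if ch.isdigit() and start is None:
            start = i
        elif not ch.isdigit() and start is not None:
            runs.append((start, i))
            start = None
    return runs


def placement(pw):
    """Where the digits sit relative to the letters.

    suffix     one digit run after the last letter (trailing symbols allowed, e.g. Summer2024!)
    prefix     one run before the first letter
    middle     one run between letters (P@ssw0rd), or digits among symbols only
    split      more than one digit run
    all_digits / none as named
    """
    runs = digit_runs(pw)
    if not runs:
        return "none"
    if all(c.isdigit() for c in pw):
        return "all_digits"
    if len(runs) > 1:
        return "split"
    letters = [i for i, c in enumerate(pw) if c.isalpha()]
    if not letters:
        return "middle"
    start, end = runs[0]
    if start > letters[-1]:
        return "suffix"
    if end <= letters[0]:
        return "prefix"
    return "middle"


def mask(pw):
    """hashcat mask for a plaintext: ?l lower, ?u upper, ?d digit, ?s everything else."""
    out = []
    for c in pw:
        if c.isdigit():
            out.append("?d")
        elif c.islower():
            out.append("?l")
        elif c.isupper():
            out.append("?u")
        else:
            out.append("?s")
    return "".join(out)


def placement_counts(passwords):
    return Counter(placement(p) for p in passwords)


def suffix_digit_lengths(passwords):
    """How many digits suffix-style passwords append; argues which append rules to run first."""
    lengths = Counter()
    for p in passwords:
        if placement(p) == "suffix":
            start, end = digit_runs(p)[0]
            lengths[end - start] += 1
    return lengths


def rank_masks(passwords):
    """Masks by frequency, i.e. the order to list them in a .hcmask file for hashcat -a 3."""
    counts = Counter(mask(p) for p in passwords)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("placement:", dict(placement_counts(SAMPLE_PASSWORDS)))
    print("suffix digit lengths:", dict(suffix_digit_lengths(SAMPLE_PASSWORDS)))
    for m, n in rank_masks(SAMPLE_PASSWORDS):
        print(f"{n:3d}  {m}")
```

Run it over the plaintexts already recovered in a case and the output is the justification: if most hits are letters plus a four-digit suffix, a `.hcmask` ordered this way and digit-append rules ahead of everything else is the defensible choice.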
15 · Forensic Focus
Forensic Focus explores how unmanaged case backlogs and burnout silently erode investigation quality across DFIR teams.
Anchor for a community section — your readers are this audience. Consider an opinion sidebar from your own caseload experience.
16 · Forensic Focus
Forensic Focus podcast on the under-discussed mental health and retention crisis affecting digital forensics units in policing.
Strong companion to the burnout article — frame the cluster as 'the human cost of DFIR'.
17 · Forensic Focus
Webinar arguing that triage-first workflows reduce backlog and let analysts focus on high-value evidence.
This connects naturally to the burnout cluster — triage is the operational answer to backlog-induced fatigue.
18 · Cellebrite Blog
Cellebrite announces Spring 2026 release covering expanded mobile device access and multi-cloud evidence collection.
Vendor news, but materially important for LE workflows; keep the tone neutral and name the specific device categories the release covers.
19 · Cellebrite Blog
Cellebrite webinar surveying detection techniques for AI-generated images, video, and audio in evidence pipelines.
Hot topic — pair with our own AI-forensics positioning for a stronger editorial angle.
20 · Hexordia
Hexordia maps how varying degrees of Google service integration on Android devices affect what forensic data is recoverable.
Jessica Hyde's team — high credibility. Worth highlighting in a mobile-focused issue.
21 · Forensic Focus
Forensic Focus's own weekly aggregation of DFIR industry items — useful cross-reference for our own digest.
Brief mention — point readers to it as 'further reading' rather than re-summarizing.
22 · AboutDFIR
AboutDFIR's curated daily DFIR/InfoSec news roundup, with overlap on TeamPCP supply-chain coverage.
Mention only the latest of the four News Nuggets — repetitive otherwise.
23 · SANS ISC Diary
Daily Stormcast podcast continues to summarize active threats and CVEs; this week emphasizes web-shell scanning trends.
Link the most recent episode only — repeating four daily entries adds no value.
24 · Cellebrite Blog
Region-specific Cellebrite webinar on device unlock capabilities, useful as evidence of EU LE engagement patterns.
Consider a brief segment on EU LE procurement patterns — relevant to our own EU positioning work.