There are lots of carving tools out there, but surprisingly there's no open-source one for carving JSON objects. Reporters United, a network of investigative reporters in Greece, wrote json-carver as part of our investigation into the Telemessage leaks. json-carver is a FOSS tool written in Rust that can recover JSON objects from any binary stream, even partially-corrupted ones.
We'll discuss the role of this tool in our investigation, compare its accuracy and speed against strings(1), and show how to use this tool in any of your future investigations.
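To make the carving problem concrete, here is a small JSON carver written for this page in Python. It is an added illustration, not json-carver's own code or its algorithm: it scans a byte blob for `{`/`[`, walks forward with JSON string and escape awareness to find the matching closer, validates the candidate with the standard parser, and when the object is cut off (end of data, a raw control byte inside a string value, or a mismatched closer) tries to repair it by closing the open containers, or by cutting back to the last member boundary and closing there. The sample blob, the `ascii_strings` stand-in for the default output of strings(1), and all function names are constructed for the example.

```python
import json

# Opening bracket -> matching closer, as byte values.
OPEN = {0x7B: 0x7D, 0x5B: 0x5D}


def _walk(data: bytes, start: int, max_len: int = 1 << 20):
    """Walk forward from the opening bracket at data[start], tracking JSON string
    state so brackets and commas inside strings are ignored.

    Returns (end, stack, in_str, last_comma): `end` is the index just past the
    matching closer, or the index where the walk gave up (end of data, a byte
    that cannot occur in JSON at that position, or a mismatched closer);
    `stack` holds the closers still owed at `end` (empty means complete);
    `last_comma` is the offset of the last ',' seen outside a string."""
    stack = [OPEN[data[start]]]
    in_str = escaped = False
    last_comma = None
    i, limit = start + 1, min(len(data), start + max_len)
    while i < limit and stack:
        c = data[i]
        if in_str:
            if escaped:
                escaped = False
            elif c == 0x5C:          # backslash starts an escape
                escaped = True
            elif c == 0x22:          # closing quote
                in_str = False
            elif c < 0x20:           # raw control byte inside a string: corruption
                break
        elif c == 0x22:
            in_str = True
        elif c in OPEN:
            stack.append(OPEN[c])
        elif c == stack[-1]:
            stack.pop()
        elif c in (0x7D, 0x5D):      # closer of the wrong kind: corruption
            break
        elif c == 0x2C:
            last_comma = i
        elif c >= 0x80 or (c < 0x20 and c not in (0x09, 0x0A, 0x0D)):
            break                    # not valid between JSON tokens
        i += 1
    return i, stack, in_str, last_comma


def _load(candidate: bytes):
    """Parse a candidate; accept only non-empty objects/arrays."""
    try:
        obj = json.loads(candidate.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, (dict, list)) and obj else None


def _repair(data: bytes, start: int, end: int, last_comma):
    """Complete an incomplete candidate: first close every open container at the
    point where the walk stopped; failing that, cut back to the last comma seen
    outside a string (the last member boundary) and close there."""
    for cut in (end, last_comma):
        if cut is None or cut <= start + 1:
            continue
        stop, stack, in_str, _ = _walk(data[:cut], start)
        if in_str:                   # cut lands inside a string: no clean close
            continue
        obj = _load(data[start:stop] + bytes(reversed(stack)))
        if obj is not None:
            return obj
    return None


def carve_json(data: bytes):
    """Return [(offset, status, obj)] for every JSON object or array carved from
    `data`; status is "intact" or "repaired" (repaired results need review)."""
    found, i = [], 0
    while i < len(data):
        if data[i] not in OPEN:
            i += 1
            continue
        end, stack, _, last_comma = _walk(data, i)
        obj = _load(data[i:end]) if not stack else _repair(data, i, end, last_comma)
        if obj is None:
            i += 1                   # not JSON here; nested starts get their own try
        else:
            found.append((i, "intact" if not stack else "repaired", obj))
            i = end                  # skip what this object already covers
    return found


def ascii_strings(data: bytes, min_len: int = 4):
    """Stand-in for the default behaviour of strings(1): runs of >= min_len
    printable 7-bit characters. Used only to contrast with the carver."""
    runs, cur = [], bytearray()
    for c in data + b"\x00":         # sentinel flushes the final run
        if 0x20 <= c < 0x7F:
            cur.append(c)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


# Constructed sample blob (not real leak data): binary junk, one intact object
# with a non-ASCII string, one object corrupted inside a string value, and a
# fragment with a mismatched closer.
SAMPLE = (
    b"\x00\x01junk\xff"
    b'{"msg": "hello", "city": "\xce\x91\xce\xb8\xce\xae\xce\xbd\xce\xb1", "n": 2}'
    b"\x00\x00"
    b'{"id": 7, "tags": ["a", "b"], "body": "tru\x00ncated'
    b"\x00garbage[1, 2}"
)

if __name__ == "__main__":
    for off, status, obj in carve_json(SAMPLE):
        print(f"{off:6d} {status:9s} {obj}")
    print("strings(1)-style runs:", ascii_strings(SAMPLE))
```

On the sample, the carver returns the first object whole, the second one minus the member it was corrupted in, and `[1, 2]` from the mismatched-closer fragment, each tagged so that repaired results can be reviewed separately. The strings(1) stand-in splits the first object in two at the non-ASCII city name, which is the kind of accuracy gap the talk measures; a production carver would also bound the scan window per candidate, which `max_len` only sketches.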
Bugbane is an open-source Android application that simplifies consensual forensics by building on Amnesty TechLab's Mobile Verification Toolkit (MVT). Bugbane makes MVT's capabilities accessible to everyone through a user-friendly interface, allowing users to self-test in just a few minutes without needing a second device. It also enables periodic data acquisitions, supporting the analysis of past acquisitions with updated IoCs in an "acquire-now, detect-later" workflow. Bugbane reliably extracts and decodes key artifacts like installed apps, backups, and system logs, and allows users to export AndroidQF-compatible age-encrypted archives.
The goal is to expand access and usage, helping users and supporting organizations work more efficiently, and reaching a broader audience, including less-technical individuals and communities currently outside civil-society support. In the longer term, Bugbane aims to strengthen the collection of open threat intelligence that can be shared with researchers, analysts, and civil-society organizations.
In this talk, we will introduce PUMA (Programmable Utility for Mobile Automation), an open-source Python tool developed by the Netherlands Forensic Institute. PUMA streamlines mobile app automation by allowing users to define high-level actions, like sending messages or searching in apps, without manual UI scripting. PUMA is designed for ease of use and reproducibility, making it ideal for testing, research, and workflow automation. We'll explore PUMA's architecture, key features, and practical applications, from forensic purposes like generating reference datasets, to educational purposes like validating your application, to personal use cases like automating repetitive tasks. Whether you're a developer, tester, or automation enthusiast, discover how PUMA can save time, reduce errors, and unlock new possibilities in mobile automation.
Fox-IT's Dissect has a huge collection of features and parsers, but what does it take to maintain those and, more importantly, make them easily usable and accessible to analysts? Wondered how we made recursive hypervisor analysis a hell of a lot easier? Or why it's so ridiculously easy to build custom tools on top of Dissect? Join us as we take you on a tour of some of the features of Dissect, as well as the challenges that come with maintaining it.
Activists and whistleblowers often handle sensitive documents that can incriminate both the exposed parties and themselves for acquiring or distributing the material. To move forward with their revelations, they must ensure they leave no identifiable trail. Enter Dangerzone, an open-source tool that sanitizes suspicious documents and removes incriminating metadata in the process.
This talk covers metadata removal: concrete examples of how metadata has been used to de-anonymize authors and distributors, the limitations of current tools, and the challenges posed by adversaries who can apply advanced watermarking and tracing techniques to documents.
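One of the limitations the talk alludes to can be shown in a few dozen lines. The following is an added example written for this page, not Dangerzone's code: it builds a minimal PDF with an Info dictionary, "removes" the metadata the way an in-place editor does (an incremental update, ISO 32000 section 7.5.6, that redefines the Info object as empty), and then compares what a conforming viewer reports with what a byte-level scan still finds. Everything here, the sample document, the author name and the function names, is constructed for the example.

```python
import re

# Info-dictionary keys that routinely identify a person or a machine.
INFO_KEYS = (b"Author", b"Creator", b"Producer", b"Title", b"Subject",
             b"Keywords", b"CreationDate", b"ModDate")
_ENTRY = re.compile(rb"/(" + b"|".join(INFO_KEYS) + rb")\s*\(([^)]*)\)")


def build_pdf(info):
    """Build a minimal well-formed one-page PDF (constructed sample). `info` maps
    Info-dictionary keys to string values, or None for no Info dictionary."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    if info is not None:   # object 4 becomes the Info dictionary
        objs.append(b"<< " + b" ".join(b"/%s (%s)" % (k.encode(), v.encode())
                                     for k, v in info.items()) + b" >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    trailer = b"<< /Size %d /Root 1 0 R" % (len(objs) + 1)
    if info is not None:
        trailer += b" /Info 4 0 R"
    out += b"trailer\n" + trailer + b" >>\nstartxref\n%d\n%%%%EOF\n" % xref
    return bytes(out)


def blank_info_incrementally(pdf):
    """Append an incremental update that redefines object 4 (the Info dictionary)
    as an empty dictionary. A viewer now shows no metadata, yet not one byte of
    the original file has been removed."""
    prev = int(re.findall(rb"startxref\s+(\d+)", pdf)[-1])
    out = bytearray(pdf)
    off = len(out)
    out += b"4 0 obj\n<< >>\nendobj\n"
    xref = len(out)
    out += b"xref\n4 1\n%010d 00000 n \n" % off
    out += b"trailer\n<< /Size 5 /Root 1 0 R /Info 4 0 R /Prev %d >>\n" % prev
    out += b"startxref\n%d\n%%%%EOF\n" % xref
    return bytes(out)


def _entries(body):
    return {k.decode(): v.decode("latin-1") for k, v in _ENTRY.findall(body)}


def live_info(pdf):
    """What a conforming reader reports: resolve /Info from the most recent
    trailer to the most recent definition of that object."""
    trailers = re.findall(rb"trailer\s*<<(.*?)>>", pdf, re.S)
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", trailers[-1])
    if not ref:
        return {}
    defs = re.findall(rb"^" + ref.group(1) + rb" 0 obj\s*<<(.*?)>>\s*endobj",
                      pdf, re.S | re.M)
    return _entries(defs[-1]) if defs else {}


def scan_all(pdf):
    """Forensic view: every Info entry anywhere in the byte stream, superseded
    objects included."""
    return [(k.decode(), v.decode("latin-1")) for k, v in _ENTRY.findall(pdf)]


if __name__ == "__main__":
    dirty = build_pdf({"Author": "Jane Doe", "Producer": "WordProc 1.0"})
    patched = blank_info_incrementally(dirty)
    print("viewer sees:", live_info(patched))
    print("byte scan sees:", scan_all(patched))
    print("rebuilt from scratch:", scan_all(build_pdf(None)))
```

The point is the gap between `live_info`, which is what the person checking their own document sees, and `scan_all`, which is what a recipient with a hex editor sees. Only output that is rebuilt from scratch, rather than patched, can be free of such residue; re-rendering pages to pixels and producing a new PDF from them, as Dangerzone does, goes one step further by also discarding embedded objects and fonts that a metadata stripper would leave in place.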
The absence of forensics data can be just as dangerous as the presence of malicious activity. While traditional digital forensics focuses on artefacts located on storage devices, containerized environments like Kubernetes introduce new challenges for the collection of digital evidence from compromised applications, where malware now routinely leaves no traces. In this talk, we are going to explore how to collect, preserve, and analyse forensic snapshots with transparent checkpointing methods while maintaining a chain of custody to investigate security incidents. We will also discuss techniques for automation in real-world scenarios and best practices for capturing and analysing malicious activity in compromised containers.
Someone on the internet told me I was wrong. Or, well, that my code was wrong. And a totally normal response to that is to spend over a month reverse engineering proprietary kernels and kernel modules.
How did we get here? Well, once upon a time I was fed up with all the bugs in vmfs-tools and vmfs6-tools, so I wrote my own VMFS implementation. Except that I took a lot of shortcuts, and in doing so I inherited some of the same bugs! Fast forward to 2025, and those bugs are finally catching up to me.
Join me as I go over the excruciating process of gathering decade-old ESX(i) installation media, hunting for debug symbols, and trying to piece together how VMFS actually works. Oh, and fix that bug, of course.
Software reverse engineering is a very useful tool in digital forensics. Not only can it tell us a lot about the inner workings of the software of interest, it can also lead us to quirks and even vulnerabilities not even available in the source (e.g. compiler quirks). With enough effort it even turns proprietary implementations into open-source, what's not to like?
Of course, with a technique this powerful, there will always be downsides. Reverse engineering large binaries can be a monumental task. Where a few kB of storage seem tiny, a few kB of code can be huge if you have to reverse it all. A secondary problem is that all this work is quite hard to reuse in the future. Binary code can differ, even with the same source, purely based on compiler options. SRE tools change, making your scripts obsolete. Decompilers change, making your signatures obsolete and so on.
We present an open-source machine learning model, server and Ghidra plugin for creating function signatures from aarch64 assembly. These function signatures can be stored and compared to a database of known functions to easily reuse all the blood, sweat and tears you put into reversing that library that has since been updated twice.
All code is of course open source and available at https://github.com/NetherlandsForensicInstitute/asmtransformers
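The signature-database workflow described above, as an added example for this page and not asmtransformers' own code: it is a deliberately simple stand-in that replaces the learned model with hand-written masks (registers, immediates and branch targets become `REG`, `#IMM` and `ADDR`) and compares functions by the Jaccard similarity of their normalised instructions and instruction pairs. The listings are constructed, not taken from a real binary; `FUNC_A2` is `FUNC_A` after a hypothetical recompilation with a larger stack frame, a different scratch register and one extra move, which is exactly the variation the text says defeats exact matching. The database layout, threshold and function names are assumptions of the example.

```python
import hashlib
import re

# Masks applied to each instruction line, in this order (immediates first, so
# "#0x10" is consumed by the immediate rule and not by the address rule).
_MASKS = [
    (re.compile(r"#-?(?:0x[0-9a-f]+|\d+)"), "#IMM"),        # immediate operands
    (re.compile(r"\b0x[0-9a-f]+\b"), "ADDR"),               # branch/call targets
    (re.compile(r"\b(?:[xw]\d{1,2}|[xw]zr)\b"), "REG"),     # general-purpose regs
]
# Optional listing address in front of an instruction, e.g. "400500: " or
# "0x400500 ". Six hex digits minimum so no mnemonic is mistaken for one.
_PREFIX = re.compile(r"^(?:0x)?[0-9a-f]{6,}:?\s+")


def normalize_listing(asm: str):
    """Turn a textual aarch64 listing into canonical instruction lines: lowercase,
    listing addresses dropped, registers/immediates/targets masked, whitespace
    collapsed. Two compilations that differ only in register allocation or
    stack layout normalize to the same lines."""
    lines = []
    for raw in asm.lower().splitlines():
        line = _PREFIX.sub("", raw.strip())
        if not line or line.startswith(("//", ";")):
            continue
        for pat, repl in _MASKS:
            line = pat.sub(repl, line)
        lines.append(" ".join(line.split()))
    return lines


def signature(asm: str):
    """Signature = set of normalized instructions plus adjacent pairs: order-aware,
    but tolerant of a few inserted or removed instructions."""
    lines = normalize_listing(asm)
    return set(lines) | set(zip(lines, lines[1:]))


def similarity(sig_a, sig_b):
    """Jaccard similarity in [0, 1]."""
    if not sig_a and not sig_b:
        return 0.0
    return len(sig_a & sig_b) / len(sig_a | sig_b)


def lookup(db, asm: str, threshold: float = 0.5):
    """Best match in `db` ({name: signature}) for an unknown function, or
    (None, score) when nothing clears the threshold."""
    sig = signature(asm)
    name, score = max(((n, similarity(sig, s)) for n, s in db.items()),
                      key=lambda t: t[1], default=(None, 0.0))
    return (name, score) if score >= threshold else (None, score)


def raw_hash(asm: str):
    """Exact match on the literal listing: what breaks after any recompilation."""
    return hashlib.sha256(asm.encode()).hexdigest()


# Constructed listings (not from a real binary).
FUNC_A = """
400500: stp x29, x30, [sp, #-32]!
400504: mov x29, sp
400508: str w0, [sp, #28]
40050c: ldr w0, [sp, #28]
400510: add w0, w0, #5
400514: lsl w0, w0, #1
400518: ldp x29, x30, [sp], #32
40051c: ret
"""
FUNC_A2 = """
stp x29, x30, [sp, #-48]!
mov x29, sp
str w0, [sp, #44]
ldr w1, [sp, #44]
add w1, w1, #5
lsl w1, w1, #1
mov w0, w1
ldp x29, x30, [sp], #48
ret
"""
FUNC_B = """
ldr w1, [x0]
cbz w1, 0x400560
mov w0, #0
ret
"""
DB = {"compute_tag": signature(FUNC_A), "is_zero": signature(FUNC_B)}

if __name__ == "__main__":
    print("exact hash still matches:", raw_hash(FUNC_A) == raw_hash(FUNC_A2))
    print("signature lookup:", lookup(DB, FUNC_A2))
    print("unrelated function:", lookup(DB, FUNC_B.replace("w1", "w3")))
```

Hand-written masks are where such a scheme stops scaling: they know nothing about instruction selection, scheduling or inlining, and every new compiler quirk needs a new rule. That gap is what a learned embedding of the assembly is meant to close, while the surrounding pieces (a signature per function, a store to compare against, a plugin that queries it from the disassembler) stay the same.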