2026-03-16 Updated weakness: Recovered (non-allocated) file content has been overwritten by the content of a newer, but also non-allocated file (which has residual file system information) but this is not detected (DFW-1134) 137c6d1
2026-03-16 Added technique: Writing bitstream data to a raw image format (DFT-1177) d7ca645
2026-03-16 Updated technique: Writing bitstream data to a forensic image format (DFT-1025) d7ca645
2026-03-16 Updated technique: Use software write blockers to provide read only access to storage media (DFT-1013) bbeae8c
2026-03-16 Updated technique: Disk imaging (DFT-1002) bbeae8c
2026-03-16 Updated mitigation: Analyse file system to find any duplicate references to blocks that are referenced by the non-allocated file (DFM-1082) 07ef04e
2026-03-16 Updated mitigation: Check if recovered content matches with size in metadata e.g. file footer at expected location. (DFM-1081) 137c6d1
2026-03-16 Updated mitigation: Analyse file content to detect incompatibility between the content and the recovered file system metadata (DFM-1079) 07ef04e
2026-03-11 Deleted weakness: Data copied does not include all sectors from LBA0 to LBA max due to the data copying process skipping some sectors or bytes (W1278) 8f41da0
2026-03-11 Added weakness: Data copied does not include all sectors from LBA0 to LBA max due to the data copying process skipping some sectors or bytes (DFW-1278) 477e4c0
2026-03-11 Deleted weakness: Failure to decrypt internal disk using a bootable environment (DFW-1181) 8f41da0
2026-03-11 Deleted weakness: Failure to decrypt internal disk using a bootable environment (DFW-1181) 477e4c0
2026-03-10 Updated technique: Direct data read from a block device (T1164) 895d744
2026-03-09 Added weakness: Data copied does not include all sectors from LBA0 to LBA max due to the data copying process skipping some sectors or bytes (W1278) dd5630a
2026-03-09 Updated weakness: Data is not read from remapped sectors e.g. G-Lists during the acquisition process (W1143) e47bb0a
2026-03-09 Updated weakness: Data cannot be read from a device due to the device having failed physically (W1136) e47bb0a
2026-03-09 Updated weakness: Disk image has been replaced with tampered version along with updated stored hash (W1128) e47bb0a
2026-03-09 Updated weakness: Failure to validate disk image metadata (W1127) e47bb0a
2026-03-09 Updated weakness: Failure to validate hash properly during disk image verification (W1125) e47bb0a
2026-03-09 Updated weakness: Failure to compute hash of source device correctly during disk image verification (W1124) e47bb0a
2026-03-09 Updated weakness: Data copied from sectors on source device are not transferred correctly for storage (W1016) e47bb0a
2026-03-09 Updated weakness: Accessing the drive to copy data changes original data (W1014) e47bb0a
2026-03-09 Updated weakness: During acquisition the data copying process results in extra bytes (W1013) e47bb0a
2026-03-09 Updated weakness: Acquisition tool does not copy data from DCO (W1007) e47bb0a
2026-03-09 Updated weakness: Acquisition tool does not copy data from HPA (W1006) e47bb0a
2026-03-09 Updated weakness: Data copied does not include all sectors from LBA0 to LBA max due to the data copying process stopping prematurely (W1004) dd5630a
2026-03-09 Updated technique: Hash verification of source device against stored data (T1042) e47bb0a
2026-03-09 Updated technique: Disk imaging (T1002) dd5630a
2026-03-06 Deleted weakness: Failure to decrypt internal disk using a bootable environment (W1181) 2c47756
2026-03-02 Updated weakness: Relevant data is overwritten by deploying an agent to a mobile device (W1276) 80a2c34
2026-03-02 Updated weakness: Failure to store data due to size limitations of archive format used (W1275) 80a2c34
2026-03-02 Updated weakness: Inability to enable required service due to locked device (W1274) 80a2c34
2026-03-02 Updated weakness: Failure to preserve full resolution of all relevant timestamps of files obtained using exposed services on a device (W1273) 80a2c34
2026-03-02 Updated weakness: Failure to preserve all relevant timestamps of files obtained using exposed services on a device (W1272) 80a2c34
2026-03-02 Updated weakness: Inability to access required service as it is not enabled (W1271) 80a2c34
2026-03-02 Updated weakness: Inability to create a device backup due to locked device (W1270) 80a2c34
2026-03-02 Updated weakness: Failure to detect internal disk from bootable environment (W1179) 80a2c34
2026-03-02 Updated weakness: Inability to load the forensic bootable environment due to system configuration (W1178) 80a2c34
2026-03-02 Updated weakness: Relevant reference data missed as its necessity was not known at time of preservation (W1172) 80a2c34
2026-03-02 Added technique: Access file system via live operating system (T1171) fa68cf0
2026-03-02 Updated technique: Automated screenshot-based capture of a mobile device (T1163) 80a2c34
2026-03-02 Updated technique: Use time anchors to estimate clock offset (T1134) 80a2c34
2026-03-02 Updated technique: Recording system clock offset (T1111) 80a2c34
2026-03-02 Updated technique: Access data from a desoldered eMMC via a chip reader (T1029) 80a2c34
2026-03-02 Updated technique: Writing data to a forensic image format (T1025) 80a2c34
2026-02-12 Updated weakness: Inability to enable required service due to locked device (W1274) 5918cef
2026-02-12 Updated weakness: Inability to enable required service due to locked device (W1274) 2ba965d
2026-02-12 Added mitigation: Obtain possible passwords/PIN codes from other devices with limited security (M1239) 2ba965d
2026-02-12 Added mitigation: Configure device to enable required service (M1238) 2ba965d
2026-02-03 Added technique: Automated screenshot-based capture of a mobile device (T1163) 15fe713
2026-02-03 Added technique: Read data from a device via In-System Programming (ISP) (T1162) e853d0b
2026-02-03 Updated technique: Read data from a device via In-System Programming (ISP) (T1162) 13c1af4
2026-02-03 Added technique: Collect data with ‘cloud backup restore’ approach (T1160) 6327f74
2026-02-03 Updated technique: Cloud data collection via submission of request to service provider (T1024) afcbb8f
2026-02-03 Updated technique: Cloud data collection to access data via a live web page using credentials (T1023) afcbb8f
January 2026
2026-01-18 Added weakness: Relevant data is overwritten by deploying an agent to a mobile device (W1276) abc94cd
2026-01-18 Added technique: Extract mobile data via deployed agent (T1159) abc94cd
2026-01-15 Added weakness: Failure to store data due to size limitations of archive format used (W1275) bca6e1b
2026-01-15 Updated technique: Writing data to standard archive format (T1026) bca6e1b
2026-01-15 Added mitigation: Ensure that archive format used can handle sufficiently large files (M1237) bca6e1b
2026-01-13 Added weakness: Inability to enable required service due to locked device (W1274) 5c6cef8
2026-01-13 Added weakness: Failure to preserve full resolution of all relevant timestamps of files obtained using exposed services on a device (W1273) 5c6cef8
2026-01-13 Added weakness: Failure to preserve all relevant timestamps of files obtained using exposed services on a device (W1272) 5c6cef8
2026-01-13 Added weakness: Inability to access required service as it is not enabled (W1271) 5c6cef8
2026-01-13 Added weakness: Inability to create a device backup due to locked device (W1270) 5c6cef8
2026-01-13 Updated weakness: System locks after X failed brute force attempts (W1142) 5c6cef8
2026-01-13 Updated weakness: Failing to determine password via brute force in the time available (W1141) 5c6cef8
2026-01-13 Updated weakness: Failing to determine password as it is not in the search space (W1140) 5c6cef8
2026-01-13 Updated weakness: System locks after X failed dictionary attempts (W1139) 5c6cef8
2026-01-13 Updated weakness: Failing to identify password in the time available (W1138) 5c6cef8
2026-01-13 Updated weakness: Failing to determine password as it is not in the dictionary used (W1137) 5c6cef8
2026-01-13 Updated weakness: Not considering SD Card acquisition in addition to other extractions performed (W1040) 5c6cef8
2026-01-13 Added technique: Configure device to enable a service needed for data extraction (T1158) 5c6cef8
2026-01-13 Added technique: Extract device data using exposed service (T1157) 5c6cef8
2026-01-13 Updated technique: Obtain password from the device owner (T1037) 5c6cef8
2026-01-13 Updated technique: Extraction of credential from an accessible device (T1033) 5c6cef8
2026-01-13 Updated technique: Mobile backup extraction (T1019) 5c6cef8
2026-01-13 Added mitigation: Attempt to obtain password/pincode with dictionary attacks (M1236) 5c6cef8
2026-01-13 Added mitigation: Attempt to obtain password/pincode with brute force attacks (M1235) 5c6cef8
2025-12-06 Updated mitigation: Ensure that tools used present the uncertainty associated with automated interpretation of data (M1209) 18786e3
2025-12-06 Updated mitigation: Ensure that tools used present the uncertainty associated with automated interpretation of data (M1209) dc1346b
2025-12-06 Updated mitigation: Review critical findings from tools to ensure they are facts, or if they are an automated interpretation, ensure that any uncertainty is considered (M1208) c165bda
2025-12-06 Updated mitigation: Ensure training is in place for tool operators to separate fact from interpretation within the tool used (M1207) 6457659
2025-12-01 Updated weakness: Failure to consider timestamp inaccuracy at time of inferred event (W1149) 68b4621
2025-11-26 Added weakness: Failure to apply time offset to a timeline entry (W1269) 4a31363
2025-11-26 Added weakness: Offset applied to timestamp is incorrect due to incorrect daylight savings configuration used (W1268) 4a31363
2025-11-26 Added weakness: Offset applied to timestamp is incorrect due to variations in clock offset over the history of data source (W1267) 4a31363
2025-11-26 Added weakness: Timestamp used is an inaccurate representation of the real world time due to timezone and/or daylight savings (W1266) 4a31363
2025-11-26 Updated weakness: Failure to determine clock accuracy at time of inferred event (W1149) 4a31363
2025-11-26 Updated weakness: Timestamp used is an inaccurate representation of the real world time due to inaccurate system clock (W1148) 4a31363
2025-11-26 Updated technique: Apply offset to a timestamp (T1153) 4a31363
2025-11-25 Updated mitigation: Estimate clock offset at a specific point in time using time anchoring (M1225) df4e764
2025-11-25 Updated mitigation: Periodically keep records of time offsets of significant external servers (M1220) df4e764
2025-11-25 Updated mitigation: Ensure that tools and processes take into account all current knowledge on sources of local/external timestamp pairs (time anchors) (M1218) df4e764
2025-11-24 Added weakness: Offset applied to timestamp is incorrect due to variations in time zone over the history of data source (W1265) 37b44c2
2025-11-24 Added weakness: Offset applied to timestamp is incorrect due to failure to distinguish UTC stored timestamp from local timestamp (W1264) 37b44c2
2025-11-24 Added weakness: Estimated clock offset is incorrect resulting from misinterpretation of locally stored timestamps when performing Time Anchoring (W1263) 5ef9b9e
2025-11-24 Added weakness: Estimated clock offset is incorrect resulting from correlating two timestamps that were not written at the same time (W1262) 5ef9b9e
2025-11-24 Added weakness: Estimated clock offset is incorrect resulting from an inaccurate external time source when performing Time Anchoring (W1261) 5ef9b9e
2025-11-24 Added weakness: Failure to derive clock offset due to inability to locate a suitable time anchor (W1260) 5ef9b9e
2025-11-24 Updated weakness: Offset applied to timestamp is incorrect due to variations in clock offset over the history of data source (W1149) 37b44c2
2025-11-24 Added technique: Apply offset to a timestamp (T1153) 37b44c2
2025-11-24 Added technique: Estimate system clock offset at a point in time (T1134) 5ef9b9e
2025-11-24 Added mitigation: Testing to determine whether a timestamp is in UTC or local time (M1226) 37b44c2
2025-11-24 Added mitigation: Estimate clock offset at a specific point in time using time anchoring (M1225) 37b44c2
2025-11-24 Added mitigation: Check for location artifacts to infer the time zone at a specific moment (M1224) 37b44c2
2025-11-24 Added mitigation: Apply time zone based offsets only to UTC stored timestamps (M1223) 37b44c2
2025-11-24 Added mitigation: Testing to ensure that tooling is able to extract local/external timestamp pairs (time anchors) (M1222) 5ef9b9e
2025-11-24 Added mitigation: Testing of timestamp decoding within a time anchor (M1221) 5ef9b9e
2025-11-24 Added mitigation: Periodically keep records of time offsets of significant external servers (M1220) 5ef9b9e
2025-11-24 Added mitigation: Manual verification of timestamp decoding within a time anchor (M1219) 5ef9b9e
2025-11-24 Added mitigation: Ensure that tools and processes take into account all current knowledge on sources of local/external timestamp pairs (time anchors) (M1218) 5ef9b9e
2025-11-24 Added mitigation: Consider multiple time anchors and check if timestamps from multiple external time sources agree (M1217) 5ef9b9e
2025-11-24 Added mitigation: Check that the assumption is valid that the specific local/external timestamp pair should be correlated (M1216) 5ef9b9e
2025-11-23 Updated weakness: Missing deleted but recoverable partitions from unpartitioned space (W1066) 87253de
2025-11-23 Updated weakness: Incorrectly parsing the partitions table(s) (W1063) 87253de
2025-10-29 Added mitigation: Ensure that tools used present the uncertainty associated with automated interpretation of data (M1209) f529604
2025-10-29 Added mitigation: Review critical findings from tools to ensure they are facts, or if they are an automated interpretation, ensure that any uncertainty is considered (M1208) f529604
2025-10-29 Added mitigation: Ensure training is in place for tool operators to separate fact from interpretation within the tool used (M1207) f529604
2025-10-29 Added mitigation: Ensure that tools used clearly separate fact from interpretation (M1206) f529604
2025-10-29 Added mitigation: Use wordlist generator with case data (M1205) 1d36eec
2025-10-27 Added weakness: Missing content that is relevant to a keyword search but it has not been extracted as ‘artifacts’ (W1257) e35928e
2025-10-27 Updated technique: Digital sniffer dogs (T1006) abb04fe
2025-10-27 Updated technique: Crime scene searching (T1005) b353a9b
2025-10-27 Updated technique: Crime scene searching (T1005) daa7834
2025-10-27 Added mitigation: Use live keyword search over broader content of the data source (M1204) e35928e
2025-10-27 Added mitigation: Use indexed keyword search over broader content of the data source (M1203) e35928e
2025-10-10 Updated weakness: Incorrect time offset applied to a timeline entry (W1148) 4170ea2
2025-10-10 Updated technique: Disk imaging (T1002) 9b16197
2025-10-07 Added weakness: Incorrect attribution of metadata to file content that was the result of ‘file tunnelling’ (W1256) f9c833c
2025-10-07 Added weakness: Recovered file content is incorrect due to incorrect parsing of file size information that records allocated but unwritten sectors (e.g. Valid Data Length (VDL)) (W1255) f9c833c
2025-10-07 Added weakness: Recovered (non-allocated) file content is incorrect due to an incorrect assumption that the file was contiguous e.g. some residual file metadata exists, but not the full reassembly information (W1254) f9c833c
2025-10-07 Added weakness: Recovered (non-allocated) file content has been overwritten by the content of a newer, but also non-allocated file which does not have any residual file system information (W1253) f9c833c
2025-10-07 Updated weakness: Recovered (non-allocated) file content has been overwritten by the content of a newer live file but this is not detected (W1135) f7d42d5
2025-10-07 Updated weakness: Recovered (non-allocated) file content has been overwritten by the content of a newer, but also non-allocated file (which has residual file system information) but this is not detected (W1134) f7d42d5
2025-10-07 Updated weakness: Recovered (non-allocated) file content has been overwritten by the content of a newer, but also non-allocated file (which has residual file system information) but this is not detected (W1134) f9c833c
2025-10-07 Added technique: Recover non-allocated files using residual file metadata in the file system (T1150) 2bdca36
2025-10-07 Updated technique: Recover non-allocated files using residual file metadata in the file system (T1150) 22c3072
2025-10-07 Updated technique: Enumerate allocated files and folders (T1060) 2bdca36
2025-10-07 Added mitigation: Ensure that inconsistencies between allocated data size and data written size are clearly flagged. (M1200) f9c833c
2025-10-07 Added mitigation: Check all relevant file size metadata values when recovering file content (M1199) f9c833c
2025-10-07 Added mitigation: Check if file system and operating system make use of an ‘allocated but unwritten’ value e.g. VDL. (M1198) f9c833c
2025-10-07 Added mitigation: Check if file being recovered is resident (applicable on some file systems) (M1197) f9c833c
2025-10-07 Added mitigation: Check if file being recovered is smaller than a block (M1196) f9c833c
2025-10-01 Updated weakness: Attribution of incorrect details (e.g. page title) to a browser web visit due to join queries used in underlying database (W1246) 81ab306
2025-10-01 Added mitigation: Also examine browser cache to confirm details about an older web visit when details are recovered using SQL join queries. (M1195) 81ab306
2025-10-01 Added mitigation: Consider carefully page titles and other details associated with older web history visits when details are recovered using SQL join queries. (M1194) 81ab306
2025-09-29 Added weakness: Assuming that data stored in the cache was viewed by the user (W1252) 8d4122f
2025-09-29 Added weakness: Incomplete browser activity extraction due to failure to consider multiple profiles (W1251) 8d4122f
2025-09-29 Added weakness: Incomplete browser activity extraction due to not considering the browser cache artifacts (W1250) 8d4122f
2025-09-29 Added weakness: Missing a web browser profile as it was stored outside of the usual browser profile folders (W1249) d620c94
2025-09-29 Updated weakness: Missing a web browser profile as it was stored outside of the usual browser profile folders (W1249) 8d4122f
2025-09-29 Added weakness: Missing browser downloads as the files were saved to a non-standard location (W1248) d620c94
2025-09-29 Added weakness: Attributing saved browser bookmarks to a user but they were bundled with the browser installation (W1247) d620c94
2025-09-29 Added weakness: Attribution of incorrect details (e.g. page title) to a browser web visit due to join queries used in underlying database (W1246) d620c94
2025-09-29 Added weakness: Relying on times stored in browser history that are not representative of exact web page visit time (W1245) d620c94
2025-09-29 Added weakness: Missing browser history data as it was cleared by user (W1244) d620c94
2025-09-29 Updated weakness: Missing browser history data as it was cleared by user (W1244) 8d4122f
2025-09-29 Added weakness: Missing browser history data as it was conducted outside of configured retention period (W1243) d620c94
2025-09-29 Updated weakness: Missing browser history data as it was conducted outside of configured retention period (W1243) 8d4122f
2025-09-29 Updated weakness: Misinterpretation of a URL located on disk/memory as a web visit (W1113) 8d4122f
2025-09-29 Added technique: Browser web storage examination (T1148) 6fa542c
2025-09-29 Added mitigation: Obtain older versions of browser history files from backups or from file system versioning features (M1193) 8d4122f
2025-09-29 Added mitigation: Examine browser configuration to determine history retention settings (M1192) 8d4122f
2025-09-29 Added mitigation: Ensure that profile configuration is examined rather than just folders within the standard profile folder (M1191) 8d4122f
2025-09-29 Added mitigation: Ensure that the context of recovered URLs is considered during event reconstruction (M1190) 8d4122f
2025-09-29 Added mitigation: Conduct experiments to determine if content from the page in question is cached only when viewed in the browser (M1189) 8d4122f
2025-09-29 Added mitigation: Ensure all profiles of the web browser are considered (M1188) 8d4122f
2025-09-29 Added mitigation: Ensure browser cache data is also considered (M1187) 8d4122f
2025-09-19 Updated weakness: Overwriting relevant data with changes caused by running the live tools (W1036) 3992f49
2025-09-19 Updated weakness: Collecting incorrect information from live system due to compromised machine (e.g. rootkit) (W1035) 3992f49
2025-09-19 Updated technique: Live data collection (T1016) 3992f49
2025-09-19 Updated mitigation: Analyze web browser memory for web browsing activity (M1067) c61ddd2
2025-09-19 Updated mitigation: Attempt to reconstruct browser activity from other areas of disk (M1066) c61ddd2
2025-09-14 Updated weakness: Incorrectly interpreting a log entry type based on a different version of the generating software or operating system (W1236) 94baa35
2025-09-14 Updated weakness: Failure to extract log entry type (W1235) 94baa35
2025-09-14 Updated weakness: Event time presented incorrectly due to incorrect timezone handling (W1234) 94baa35
2025-09-14 Updated weakness: Failure to communicate imprecision in log entry timestamp (W1233) 94baa35
2025-09-14 Updated mitigation: If timestamp is local time, ensure that the system timezone was applicable at time of log entry generation (M1179) 94baa35
2025-09-14 Updated mitigation: Ensure timezone handling method for logfile timestamps is understood (M1178) 94baa35
2025-09-14 Updated mitigation: Ensure resolution or limitations of logfile timestamps are understood (M1177) 94baa35
2025-09-14 Updated mitigation: Ensure log entry type interpretation applies for the software version being examined (M1176) 94baa35
2025-09-14 Updated mitigation: Ensure any available archive logs are also examined (M1175) 94baa35
2025-09-14 Updated mitigation: Check logging settings so the bounds of logging are known (M1173) 94baa35
2025-09-14 Updated mitigation: Also examine any older versions of the logs from backups (M1172) 94baa35
2025-09-02 Added weakness: Incorrectly interpreting a log entry type based on a different version of the generating software or operating system (W1209) 67cf820
2025-09-02 Added weakness: Failure to extract log entry type (W1208) 67cf820
2025-09-02 Added weakness: Event time presented incorrectly due to incorrect timezone handling (W1207) 67cf820
2025-09-02 Added weakness: Failure to communicate imprecision in log entry timestamp (W1206) 67cf820
2025-09-02 Added mitigation: If timestamp is local time, ensure that the system timezone was applicable at time of log entry generation (M1161) 67cf820
2025-09-02 Added mitigation: Ensure timezone handling method for logfile timestamps is understood (M1160) 67cf820
2025-09-02 Added mitigation: Ensure resolution or limitations of logfile timestamps are understood (M1159) 67cf820
2025-09-02 Added mitigation: Ensure log entry type interpretation applies for the software version being examined (M1158) 67cf820
2025-09-02 Added mitigation: Ensure any available archive logs are also examined (M1157) 67cf820
2025-08-19 Added weakness (TRWM): Presenting a deleted account as live, or vice versa (W1224) f8eef39
2025-08-19 Added weakness (TRWM): Live access to the device (for extraction) updates last access times for an account (W1223) f8eef39
2025-08-19 Added weakness (TRWM): Presenting account details that did not exist (W1222) f8eef39
2025-08-19 Added weakness (TRWM): Failure to recover account details from the AI app data (W1221) f8eef39
2025-08-19 Added weakness (TRWM): Presenting an incorrect timestamp associated with an interaction with the AI companion app (W1220) f8eef39
2025-08-19 Added weakness (TRWM): Failure to recover metadata associated with an interaction with the AI companion app (W1219) f8eef39
2025-08-19 Added weakness (TRWM): Presenting a call to the AI companion app as from the AI companion app, or vice versa (W1218) f8eef39
2025-08-19 Added weakness (TRWM): Presenting a deleted call to the AI companion app as a live one, or vice versa (W1217) f8eef39
2025-08-19 Added weakness (TRWM): Presenting a call to or from the AI companion app that did not exist (W1216) f8eef39
2025-08-19 Added weakness (TRWM): Failure to recover deleted but recoverable records of calls to or from the AI companion app (W1215) f8eef39
2025-08-19 Added weakness (TRWM): Failure to recover live records of calls to or from the AI companion app (W1214) f8eef39
2025-08-19 Added weakness (TRWM): Failure to display an image to or from the AI companion app in the context of other messages (W1213) f8eef39
2025-08-19 Added weakness (TRWM): Presenting an image sent to the AI chat app as from the AI companion app, or vice versa (W1212) f8eef39
2025-08-19 Added weakness (TRWM): Presenting a deleted image sent to the AI companion app as a live one, or vice versa (W1211) f8eef39
2025-08-19 Added weakness (TRWM): Presenting an image sent from the user or AI companion app that did not exist (W1210) f8eef39
2025-08-19 Added weakness (TRWM): Failure to recover deleted but recoverable images sent to or from the AI companion app (W1209) f8eef39
2025-08-19 Added weakness (TRWM): Failure to recover live images sent to or from the AI companion app (W1208) f8eef39
2025-08-19 Added weakness (TRWM): Failure to display a message to or from the AI companion app in the context of other messages (W1207) f8eef39
2025-08-19 Added weakness (TRWM): Merging the contents of two deleted messages together and presenting them as a single one sent to the AI companion app (W1206) f8eef39
2025-08-19 Added weakness (TRWM): Presenting a message to the AI chat app as from the AI companion app, or vice versa (W1205) f8eef39
2025-08-19 Added weakness (TRWM): Presenting a deleted message to the AI companion app as a live one, or vice versa (W1204) f8eef39
2025-08-19 Added weakness (TRWM): Presenting a message from the user or AI companion app that did not exist (W1203) f8eef39
2025-08-19 Added weakness (TRWM): Failure to recover deleted but recoverable messages to or from the AI companion app (W1202) f8eef39
2025-08-19 Added weakness (TRWM): Failure to recover live messages to or from the AI companion app (W1201) f8eef39
2025-08-19 Added technique (TRWM): AI companion app examination (T1128) f8eef39
2025-08-19 Added mitigation (TRWM): Testing of the recovery of companion AI bot settings (M1171) f8eef39
2025-08-19 Added mitigation (TRWM): Experiments with test device to view possible settings of forensic value (M1170) f8eef39
2025-08-19 Added mitigation (TRWM): Testing of app settings recovery from AI companion app (M1169) f8eef39
2025-08-19 Added mitigation (TRWM): Request logs of access times from service provider (M1168) f8eef39
2025-08-19 Added mitigation (TRWM): Check time of account access is prior to device seizure time (M1167) f8eef39
2025-08-19 Added mitigation (TRWM): Remove all network connectivity from device (M1166) f8eef39
2025-08-19 Added mitigation (TRWM): Ensure data collection prior to any interaction with app (M1165) f8eef39
2025-08-19 Added mitigation (TRWM): Testing of account details recovery from AI companion app (M1164) f8eef39
2025-08-19 Added mitigation (TRWM): Testing that call record caller and recipient extraction are correct (M1163) f8eef39
2025-08-19 Added mitigation (TRWM): Testing of deleted call record recovery from AI companion app (M1162) f8eef39
2025-08-19 Added mitigation (TRWM): Testing of live call record recovery from AI companion app (M1161) f8eef39
2025-08-19 Added mitigation (TRWM): Testing that picture message sender and recipient extraction are correct (M1160) f8eef39
2025-08-19 Added mitigation (TRWM): Testing for deleted picture message recovery from AI companion app (M1159) f8eef39
2025-08-19 Added mitigation (TRWM): Testing for live picture message recovery from AI companion app (M1158) f8eef39
2025-08-19 Added mitigation (TRWM): Ensure messages are viewed in the context of the message thread (M1157) f8eef39
2025-08-19 Added mitigation (TRWM): Testing that message sender and recipient extraction are correct (M1156) f8eef39
2025-08-19 Added mitigation (TRWM): Testing for deleted message recovery from AI companion app (M1155) f8eef39
2025-08-19 Added mitigation (TRWM): Testing for live message recovery from AI companion app (M1154) f8eef39
2025-08-19 Updated mitigation (TRWM): Correlation of data extracted with data from service provider (M1055) f8eef39
2025-08-15 Updated weakness: Failure to determine clock accuracy at time of inferred event (W1149) a2769c7
2025-08-15 Added technique: Search for indicators of artifact wiping (T1132) e4c1f30
2025-08-15 Added technique: Search for indicators of trail obfuscation (T1131) e4c1f30
2025-08-15 Added technique: Search for indicators of encrypted data (T1130) e4c1f30
2025-08-15 Added technique: Search for indicators of clock tampering (T1129) e4c1f30
2025-08-15 Added technique: Search for indicators of malware (T1128) e4c1f30
2025-08-15 Updated technique: Manual content review for relevant material (T1054) 09778b0
2025-08-08 Added weakness: Failure to conduct iterative keyword searching due to excessive time taken per search (W1200) 60bf068
2025-08-08 Added weakness: Excessive keyword results returned from case-specific wordlists such that careful review of all results is impractical (W1199) 60bf068
2025-08-08 Updated weakness: Keyword results from a tool are associated with a file, but the result was within slack space and therefore it may not have been part of that file (W1195) 60bf068
2025-08-08 Updated weakness: Relevant results not captured by the case-specific keywords used (W1192) 60bf068
2025-08-08 Updated weakness: Excessive keyword results returned from case-type wordlists such that careful review of all results is impractical (W1059) 60bf068
2025-08-08 Updated weakness: Relevant keyword results not captured by the case-type keyword list used (W1057) 60bf068
2025-08-08 Added mitigation: Index data in the case and perform iterative keyword searching using the index (M1153) 60bf068
2025-08-08 Added mitigation: Peer review of case-specific keyword list created (M1152) 60bf068
2025-08-08 Updated mitigation: Check keyword results are part of allocated file, or if not perform detailed analysis to determine if the association between keyword results and file is valid (M1151) 60bf068
2025-08-08 Updated mitigation: Review of case-specific keyword list by case officer (M1142) 60bf068
2025-08-08 Updated mitigation: Comparison of index results with live search results (M1034) 60bf068
2025-08-08 Updated mitigation: Prioritization of search results based on context (M1033) 60bf068
2025-08-08 Updated mitigation: Evaluation of the effectiveness of wordlist used for case-type searching (M1032) 60bf068
2025-08-02 Added weakness: Data not indexed for keyword searching due to file or content encoding (W1198) a5e6e27
2025-08-02 Added weakness: Data not indexed for keyword searching due to compression (W1197) a5e6e27
2025-08-02 Added weakness: One or more files with relevant keyword results are missed since they are not stored as text, e.g. within an image (W1196) a5e6e27
2025-08-02 Added weakness: One or more keyword results are associated with a file by a tool but were within slack space and therefore may not have been part of that file (W1195) a5e6e27
2025-08-02 Added weakness: Keyword results missed since relevant keyword is inside compressed or encoded data (W1194) a5e6e27
2025-08-02 Added weakness: Keyword results missed since relevant keyword is split over a sector or cluster boundary (W1193) a5e6e27
2025-08-02 Updated weakness: Relevant results not captured by the case-specific keywords used (W1192) a5e6e27
2025-08-02 Updated weakness: Data not indexed for keyword searching due to case sensitivity problem (W1056) a5e6e27
2025-08-02 Updated weakness: Data not indexed for keyword searching due to missing substring feature (W1055) a5e6e27
2025-08-02 Updated weakness: Data not indexed for keyword searching due to text encoding (W1054) a5e6e27
2025-08-02 Added mitigation: Check keyword results are part of allocated file, or if not perform detailed analysis to determine if association is valid (M1151) a5e6e27
2025-08-02 Added mitigation: Ensure keyword indexing settings mean that file formats will be decoded as required during indexing (M1150) a5e6e27
2025-08-02 Added mitigation: Ensure keyword indexing settings mean that decompression will be applied as required during indexing (M1149) a5e6e27
2025-08-02 Added mitigation: Ensure keyword indexing settings configure case sensitivity for indexing as required (M1148) a5e6e27
2025-08-02 Added mitigation: Ensure keyword indexing settings configure text substring handling as required during indexing (M1147) a5e6e27
2025-08-02 Added mitigation: Ensure keyword indexing settings capture text encodings required during indexing (M1146) a5e6e27
2025-08-02 Added mitigation: Apply OCR to files and search or index resulting text (M1145) a5e6e27
2025-08-02 Added mitigation: Use indexed keyword search (M1144) a5e6e27
2025-08-02 Added mitigation: Use live logical keyword search (M1143) a5e6e27
2025-08-02 Added mitigation: Review of case-specific keyword list by case officer via peer review (M1142) a5e6e27
2025-08-02 Added mitigation: Careful review of case brief for case-specific keyword list generation (M1141) a5e6e27
2025-08-02 Updated mitigation: Comparison of index results with live search results (M1034) a5e6e27
July 2025
2025-07-31 Added weakness: Relevant results not captured by the case-specific keywords used (W1192) f3f3141
2025-07-31 Updated weakness: Interpretation of app data is incorrect due to app version changes (W1190) 80c4461
2025-07-31 Updated weakness: Excessive results returned such that careful review of all results is impractical (W1059) 0eaca6d
2025-07-31 Updated weakness: Relevant results not captured by the case-type keyword list used (W1057) f3f3141
2025-07-31 Updated weakness: Incorrect parsing of a supplied regular expression used for keyword searching (W1053) f3f3141
2025-07-31 Updated weakness: Incorrect retrieval of results from an index (W1052) f3f3141
2025-05-18 Added mitigation: Acquire the encrypted contents of the internal disk and decrypt the copy within a virtualized environment (M1133) fbf22a9
2025-05-18 Added mitigation: Use a Trusted Bootable Environment that supports decryption of the internal disk (M1132) 01fb1bf
2025-05-18 Added mitigation: Use a Trusted Bootable Environment that supports accessing the internal disk (M1131) 15270fa
2025-05-18 Added mitigation: Disable Secure Boot in BIOS to permit bootable environment to load (risks wiping FDE key, requiring ADK) (M1130) c8a6f44
2025-05-18 Added mitigation: Use USB flash drive version if a CD version is not permitted to boot (M1129) bc125a1
2025-05-18 Added mitigation: Use a Trusted Bootable Environment that is permitted to boot (M1128) 021eb55
2025-05-18 Added mitigation: Use a similar system to test steps required to interrupt the normal boot process and boot from Trusted Bootable Environment (M1127) c64a485
2025-05-18 Added mitigation: Use manufacturer documentation to determine the process for interrupting the normal boot process and boot from the Trusted Bootable Environment (M1126) 3344c5f
2025-05-08 Added weakness: Bootable environment overwrites relevant data on the target device (W1182) 13b0b00
2025-05-08 Added weakness: Failure to decrypt internal disk using a bootable environment (W1181) 13b0b00
2025-05-08 Added weakness: Failure to identify encryption on the internal drive from bootable environment (W1180) 13b0b00
2025-05-08 Added weakness: Failure to detect internal disk from bootable environment (W1179) 13b0b00
2025-05-08 Added weakness: Inability to load the forensic bootable environment due to system configuration (W1178) 13b0b00
2025-05-08 Added weakness: Failing to boot from intended forensic bootable environment, causing the normal system boot process to commence (W1177) 13b0b00
2025-05-08 Updated weakness: Unable to physically remove/detach internal storage media (W1176) b40e6b0
2025-02-20 Updated weakness: Data copied from sectors on source are stored incorrectly (W1016) a01baeb
2025-02-20 Updated weakness: Acquisition does not include all sectors from LBA0 to LBA max (W1004) a01baeb
2025-02-20 Deleted mitigation: Apply additional resources to brute force attack (M1101) a01baeb
2025-02-18 Added weakness: Failure to recover data stored in database journal files (W1171) 9fab613
2025-02-18 Added weakness: Failure to recover data stored in Write Ahead Log (WAL) files (W1170) 9fab613
2025-02-18 Added weakness: Reliance on a field for historical reconstruction that is subject to updates and preserves only a single value (W1169) 9fab613
2025-02-18 Added weakness: Data extracted from a table is assigned an incorrect interpretation (W1168) 9fab613
2025-02-18 Added weakness: Combining data from multiple tables that should not be joined (W1167) 9fab613
2025-02-18 Added weakness: Consideration of live database content only (W1166) 9fab613
2025-02-07 Updated technique: Writing data in standard archive format (T1026) 542c2a1
2025-02-07 Deleted technique: Mobile storage imaging (T1021) c884d96
2025-02-05 Added weakness: Files are still encrypted using file-based encryption so inaccessible (W1164) f253f1c
2025-02-05 Updated technique: Mobile file system extraction (T1020) f253f1c
2025-02-05 Added mitigation: Attempt to obtain user PIN from user (M1117) f253f1c
2025-02-05 Added mitigation: Attempt to dictionary attack user PIN (potentially on device) (M1116) f253f1c
2025-02-05 Added mitigation: Attempt to brute force user PIN (potentially on device) (M1115) f253f1c
2025-02-01 Updated technique: Mobile file system extraction (T1020) e7e1c22
2025-02-01 Updated technique: Mobile file system extraction (T1020) 2c0ff28
January 2025
2025-01-28 Added weakness: Changing relevant file metadata during file system acquisition (W1163) deda971
2025-01-28 Added weakness: Changing relevant files during file system acquisition (W1162) deda971
2025-01-28 Added weakness: Lack of privileges for file system acquisition (W1161) deda971
2025-01-28 Added weakness: Failure to copy relevant files from the mobile device (W1160) deda971
2025-01-28 Added weakness: Presenting a mobile file system acquisition as a bitwise copy of the device (W1159) deda971
2025-01-28 Updated technique: Mobile device screenshot based capture (T1022) deda971
2025-01-28 Updated technique: Mobile file system extraction (T1020) deda971
2025-01-28 Added mitigation: Clear use of language around mobile file system extractions, making the limitations clear and differentiating from a full disk image (M1114) deda971
2025-01-28 Added mitigation: Use mobile exploit to gain privileged access (M1113) deda971
2025-01-24 Added weakness: Use of mobile exploit renders device unusable or ‘bricked’ (W1158) a423a0d
2025-01-24 Added weakness: Use of mobile exploit changes/overwrites data that was relevant to the investigation (W1157) a423a0d
2025-01-24 Updated technique: Use mobile device exploit (T1040) a423a0d
2025-01-24 Updated technique: Use mobile device exploit (T1040) 1df7cd3