"The master was furious. "That's a terrible way to live! It's criminal to live cautiously like that! If you knew I was after the best, why did you do less than the least?
[msb] Matt.25.26
HERMES: A Universal Timeline for Digital Communications Forensics
Investigators cannot just magically read WhatsApp messages from the internet because WhatsApp chats are end-to-end encrypted, meaning WhatsApp says nobody outside the chat, not even WhatsApp, can read the messages in transit.
But once messages are already stored on the phone, they may exist inside WhatsApp database files. So, if an investigator legally gets the phone or a forensic extraction and also gets the readable database or the database plus the needed key, they can analyze the messages.
A phone extraction rarely arrives as one tidy dataset. It's usually a folder of separate SQLite databases: WhatsApp, iMessage, Android SMS, maybe a Cellebrite export, each with its own schema, its own timestamp format, and its own way of marking a message sent or received.
Traditionally, an investigator has to know each format, write custom queries, and manually reconcile timestamps that might be Unix seconds in one file and Apple epoch in another. HERMES removes that preparation layer entirely.
Drop any messaging .db file into HERMES, and it detects the app that created it.
It supports WhatsApp, iMessage, and SMS, then merges all messages into one clear timeline showing sender, receiver, direction, time, and message body.
HERMES also converts different timestamp formats like Unix, Apple epoch, and Windows FILETIME into readable dates while keeping the raw value for verification.
For direction, HERMES only uses the real flag inside the database. It does not guess. If no direction flag exists, it marks the message as unresolved.
BITLOCKER FORENSICS
There is a reason why a lot of us don't like BitLocker or investigating drives that have BitLocker.
The forensic image contains a GPT disk with an EFI partition, a Windows partition, and a Recovery partition. You correctly identified the Windows partition at sector 32802 and attempted to examine it using fsstat and fls.
However, the Windows partition is encrypted with BitLocker, so normal Sleuth Kit commands cannot read the NTFS file system until the volume is decrypted.
1. fsstat -o 32802
File system details of Windows partition
BitLocker detected
2. fls -o 32802
Active files and folders
BitLocker detected
3. fls -rd -o 32802
Deleted files and folders
BitLocker detected
To continue the investigation, you would need the BitLocker recovery key, password, TPM-related key material, or memory artifacts that can help unlock the volume.
RAVEN outputs a timestamped JSON report with SHA-256 hash, all recovered artefacts, and their exact offsets.
For investigators who can't afford €1,000+ commercial tools, this is what accessible forensics looks like.
@RedHatPentester ⚡️
🧵 BitLocker encryption is one of the most common walls DFIR analysts hit during investigations. I ran a tool called RAVEN dev. by @RedHatPentester against a suspect USB image and it changed how I think about encrypted drive forensics. [1/5]
The Module 4 hit different.
The formal metadata parser missed the key protectors. But the raw byte sweep still found a valid 48-digit recovery key buried in the image at offset 0xf000b0.
That's the difference between a dead end and a lead. [4/5]
Just as I was about to shut down all @calendly appointments for a while (for health reasons), I got this email. The founder agreed that I should share it, as he was already going to do a post on it.
I love the part where his client gave him a furnished office. No better PMF.
Vehicle Forensics - The Petroleum Tanker Theft Case.
Systematic Fuel Diversion / Fleet Telematics Fraud.
This repository houses the digital, telematics, and mechanical forensic reconstruction of a highly organized, multi-week fuel siphoning and diversion operation. Operating along Ghana's strategic N1 highway corridor, a driver entrusted with commercial fuel distribution systematically drained thousands of litres of diesel per run into unlicensed roadside black-market stations before delivering short-loaded cargo to authorized corporate depots.
The illegal pipeline was compromised and dismantled during its eleventh run on 15 November 2024, when an enforcement operation by the Ghana National Petroleum Authority (GNPA) intercepted the asset at a highway weighbridge following heavy structural weight discrepancies.
The Core Assignment:
Prove that the fuel diversion was deliberate, pre-planned, and systematic using only data recovered from the vehicle's internal Infotainment and Telematics Unit (IVI): the GPS tracks, Power Take-Off (PTO) event logs, fuel sensor records, keyfob cargo door logs, odometer discrepancy tables, and integrated Bluetooth pairing history.
Link: https://t.co/m8rQtiZv29
On 14 November 2024 at 14:31 UTC, the Security Operations Centre (SOC) at Meridian Technology Solutions Ltd. received an IDS alert identifying anomalous encrypted traffic from WORKSTATION-04. The activity involved unusual outbound TCP connections and suspicious DNS queries inconsistent with normal corporate behavior.
A 26-minute network capture containing 158 packets was preserved, covering the full session lifecycle from initial activity to suspected darknet marketplace access and session termination between 14:23:00 and 14:50:12 UTC.
Your Goal? The Core Investigative Goal
"Prove that Marcus K. Webb, IT contractor on WORKSTATION-04, deliberately accessed a darknet marketplace from the corporate network, had an authenticated account, and attempted a transaction ; using only network traffic evidence."
Link: https://t.co/SupX7R8szg
Operational Forensic Report: Project Cross-Border Heavy
Target Classification: Illicit Inbound Smuggling / Cargo Discrepancy
Primary Subject: Kwame Boateng Asare
This repository contains the digital and mechanical forensic reconstruction of an organized smuggling operation operating between Warehouse B4 in the Tema Industrial Area and the Aflao border. Over a ten-week period, the network utilized a legitimate textile transportation front to mask a high-volume inbound contraband pipeline.
The operation was compromised and dismantled during its eleventh run on 13 December 2024 when the Narcotics Control Commission (NACOC) intercepted the convoy following an anomaly detection profile regarding vehicle return weights.
Reconstruct the complete eleven-run operation from the vehicle’s internal data (GPS tracks, Bluetooth logs, cargo-door records, EDR, suspension logs, deleted messages, media files, and raw NMEA data) to map the supply chain, timeline, and co-conspirators.
The ONLY EVIDENCE YOU HAVE ARE THE DBS FROM THE CAR.
Link: https://t.co/y30CVa8g2t