Dear Readers,
We live in an era where digital evidence surrounds us completely, and artificial intelligence is fundamentally redefining not only the modern threat landscape but the very fabric of how we conduct investigations. In this latest issue of eForensics, we bring you a highly curated collection of articles that cut straight through the ongoing AI hype to deliver practical insights from the front lines of digital forensics and incident response (DFIR).
Inside this comprehensive issue, you will discover:
- macOS Tahoe Binary Analysis via LLMs: Israel Torres walks through an exact, step-by-step methodology to coax ChatGPT into analyzing untrusted binaries and generating production-ready YARA rules, skillfully bypassing vendor-imposed platform guardrails along the way.
- Behavioral Identification of Chat-Based Abuse: Andreas Antonsen from STNDRDS AB shares a unique, multi-layered linguistic framework capable of identifying patterns of coercion, control, and psychological manipulation where traditional keyword-based filtering completely fails.
- AI Assistants as Targets and Weapons: Igor Korkin, Yuriy Tumanov, and Oksana Dokuchaeva dissect the rapidly expanding attack surfaces of Large Language Models, detailing the mechanics of context poisoning and corporate data exfiltration via active user browser sessions.
- The Boundaries of SOC Autonomy: Mayur Agnihotri staves off systemic risks by proposing an operational framework where an AI agent's level of permission is governed strictly by the reversibility of its actions, rather than subjective risk assessments.
- Post-Quantum Cryptography & Drone Warfare: Explore the field deployment of quantum-resistant ML-KEM-512 algorithms on resource-constrained ESP32 IoT microcontrollers, alongside a fascinating investigation into how Adversarial Machine Learning (AML) introduces a "forensic fog" during drone swarm crash analysis.
Wishing you an inspiring and insightful read,
Ewa & Paulo & the eForensics Team
Vet, Trust, and Use the Foundation for Bringing AI into Investigations by Amber Schroader
These days, you can’t even perform a simple web search without an AI chiming in. This shift has triggered a massive push for investigators to pack their toolkits with AI‑powered gadgets from automated triage and image matching to cleaning up audio and extracting data in real‑time. AI is often sold as a “magic wand” for digital forensics, and many examiners are skeptical. There is a real fear that these tools are either too good to be true or worse, designed to replace humans entirely. Those concerns are valid. We need to treat AI with the same scientific scrutiny we apply to any other forensic tool, even though it is not a forensic tool in the traditional sense.
Detecting Coercive Control Patterns in Forensic Chat Analysis: A Behavioural Approach by Andreas Antonsen — STNDRDS AB
Swedish examples are shown alongside English translations for clarity; detection runs in the original language.
Coercive control leaves few clean traces. Unlike physical assault, the evidence accumulates across hundreds of communication acts that look ordinary in isolation. A message saying "I'm the only one who really understands you" reads as genuine affection. The same line repeated across weeks, combined with systematic isolation from friends, memory-questioning of shared events, and gradual assumption of financial control, is something else entirely. The signal is in the pattern, not the phrase.
Weaponizing Intelligence: AI in the Hacker's Arsenal by Igor Korkin, Yuriy Tumanov, and Oksana Dokuchaeva
Generative AI is changing the economics of cybercrime. It can help attackers scale social engineering, produce synthetic media, accelerate code experimentation, and prepare attack logic that appears only at runtime. At the same time, AI-enabled applications introduce a fresh attack surface: prompt injection, poisoned retrieval data, sensitive information disclosure, improper output handling, excessive agency, and a newer risk: abuse of a trusted AI assistant through a compromised user endpoint or authenticated session. This article translates those risks into a practical, defensive workflow for security engineers, pentesters, AppSec teams, blue teams, and researchers. The focus is authorized testing, evidence collection, and engineering fixes — not exploit or attack recipes.
eForensics - Forensically Analyzing Binary Files using OpenAI's ChatGPT by Israel Torres
OpenAI's ChatGPT has grown to be one of my favorite daily tools for doing meta-work. For example digital forensics that I would run a first pass before moving to specialized tooling. Before ChatGPT I would run a first pass with tools in my tool bin, usually with a few automation scripts that I've written over time, or even just my own scripts and executables that I've built to crack the armor on what I am triaging. This would help me get a quick report on my next steps to make better decisions and not waste time. These same tools are what I would use for challenges and CTFs, and the like.
Action-Class Authority When AI Agents Do the Triage by Mayur Agnihotri
(Head of Threat Research-SecSphere · Information Security Specialist-StraightArc · OWASP AISVS Contributor · CSA IAM Working Group Reviewer · CoSAI WS4 Member)
Most workflows I've seen gate forensic AI actions on something like "is this risky" or "is this high-impact." Those questions sound useful and they fail under load. When the SOC queue spikes and the agent is being pushed hard, the judgment drifts. Whatever felt like a "high-impact" call last Tuesday gets reclassified by Friday afternoon. That's not a model problem, it's a definition problem. A cleaner axis: classify each action by whether it can be undone, and if so, by what mechanism.
Hybrid Post-Quantum Cryptography Implementation on Resource-Constrained Edge Devices / X25519 + ML-KEM-512 Hybrid Key Exchange with AES-256-GCM Authenticated Encryption on ESP32 by Muhammad Sohaim Muqtada
The rapid advancement of quantum computing poses an existential threat to classical public-key cryptography, particularly RSA and elliptic-curve Diffie-Hellman (ECDH) schemes that underpin modern IoT infrastructure. This paper presents the design, implementation, and empirical evaluation of a hybrid post-quantum cryptographic (PQC) protocol deployed on a resource-constrained ESP32 microcontroller — a representative class of the billions of edge devices that remain unprotected against quantum-capable adversaries. The hybrid scheme combines X25519 classical ECDH (RFC 7748) with ML-KEM-512 (NIST FIPS 203, formerly Kyber), deriving a session key via HKDF-SHA256 over the concatenated shared secrets. This defense-in-depth approach guarantees that the resulting session key is compromised only if both classical and post-quantum algorithms are simultaneously broken — an astronomically unlikely scenario under current cryptanalytic knowledge. We conduct a three-way empirical benchmark across pure classical, pure PQC, and hybrid modes, measuring CPU cycle consumption, peak heap usage, stack depth, and round-trip handshake latency on the ESP32 Xtensa LX6 architecture. Experimental results demonstrate that the hybrid handshake completes in approximately 20.5 ms and requires only 14.1 KB of peak RAM — well within the ESP32's 520 KB envelope — while fully satisfying the NSA CNSA 2.0 transition requirements. These findings confirm that production-grade, quantum-resistant security is practically deployable today on low-cost, low-power edge devices where the IoT attack surface is most exposed.
The AI-Malware Debate by Paulo Pereira, PhD
This article explores the debate on AI-Malware within the context of its current state. Two opposing views (referred to here as opinion groups, merely for explanatory purposes) are discussed and reframed within the scope of forensic analysis. These two perspectives have emerged in the cybersecurity landscape, each with its own view on how AI-Malware can be devastating in attacking organizational infrastructure (Group I) and how current defense systems can detect this type of malware (Group II). This is merely an initial classification, aimed at organizing the arguments to better understand the reality of AI-Malware.
The Threat of Adversarial Machine Learning To UAV Swarm Investigations by Rhonda Johnson
Syed et al. (2026) define UAV swarms as groups of UAVs connected via networking technologies and coordinated through control methods that enable communication and data sharing. These swarms can carry out complex military missions efficiently, even if several UAVs fail. However, attackers are increasingly using adversarial machine learning to obstruct operations, disrupt coordination, or seize control of UAV swarms. As a result, drone forensics are shifting from primarily reviewing flight logs and telemetry to analyzing and deconstructing adversarial machine-learning models.
Beyond the Hype: Practical Considerations for AI-Assisted Malware Investigation by Scott A. Macri, Founder & CEO, BITSnBYTES.io, LLC
Readers will learn how to evaluate AI-assisted malware investigation in practical operational terms. The article explains where AI can help analysts today, where it can mislead, why evidence and human review remain essential, how to protect sensitive investigation data, and how security teams can measure whether AI is improving investigation quality rather than simply producing faster or more polished output.
In Today’s Rapidly Evolving AI Landscape, Can Organizations Rely on AI Bots? by Tharaka Singharage
As AI transforms the industry, businesses are keen to embed AI capabilities into their offerings to minimise human involvement, cut down on costs, and massively enhance process efficiency. AI is good at repetitive tasks that are defined by rules and can provide customer support, data processing and automation around the clock and at scale. Yet, when there is an increasing reliance, one might wonder whether AI bots can be trusted to function solely within a set scope? If AI is not used properly, it can also be misused, or “weaponized,” against the platforms it serves, creating risks of data breaches, reputational issues, or harm to the platforms themselves.
Data Carving Biochip using Proxmark3 by Viviane Cruz
The evolution of NFC (Near Field Communication) and RFID (Radio Frequency Identification) technologies is reshaping everyday interactions with technology. This phenomenon is especially noticable when these devices are integrated into a human body using biochips or wearable devices. At the same time, it introduces new challenges and opportunities in the field of digital forensics.
This article demonstrates, in practice, how to perform data reading, extraction, and analysis from an implanted biochip using the Proxmark3 tool.





Reviews
There are no reviews yet.