Intelligence Feed

Dispatches from the lab

The Sherlock Forensics Intelligence Feed provides expert analysis of AI code security, vibe coding vulnerabilities, CVE advisories and digital forensics methodologies from certified examiners with over 20 years of field experience in Vancouver, BC.

Compare all forensic tool pricing Fact checks on security misconceptions
Buyer Education

Can Forensic Investigators Tell If a Photo Was Edited Before or After It Was Sent?

Forensic investigators routinely determine whether a photo was edited before sending plus distinguish edits made by the sender from edits made by social media platforms post-upload. EXIF Software field residue, DateTimeOriginal versus ModifyDate timestamps plus XMP edit history together establish the photo edit timeline. Sherlock Forensics walks through the analysis.

Security Research

Windows ShimCache and AmCache: Forensic Process Execution Attribution When Other Logs Have Rolled Off

Windows ShimCache plus AmCache preserve process execution traces that survive when Security event logs plus Application event logs have rolled off. For investigators reconstructing process execution timelines on Windows the two artifacts together provide one of the most durable execution attribution sources. Sherlock Forensics walks through the artifacts plus the parsing toolchain.

Security Research

Forensic Analysis of Microsoft Teams Local Cache Data in 2026 Corporate Investigations

Microsoft Teams desktop client cache holds message history, file transfer records plus meeting metadata that frequently outlasts cloud retention configuration. For corporate investigations the Teams local cache is a high-value forensic artifact. Sherlock Forensics walks through the cache structure, the parsing toolchain plus what investigators recover.

Industry Briefing

Why Canadian Family Court Browser History Reconstruction Demand Doubled in 2026

Browser history reconstruction demand in Canadian family court matters rose materially through 2026. Drivers include hidden financial accounts surfacing via browser history, dating app activity reconstruction, custody-related contact patterns plus hybrid-work device blur. Sherlock Forensics walks through the trend plus the operational implications.

Incident Breakdown

When the Photo Metadata Said One Camera But the Photo Said Another: A Sherlock Insurance Claim Fraud Reconstruction

An auto insurance carrier received vehicle damage claim photos that appeared to show recent collision damage. EXIF metadata analysis with Sherlock Metadata Inspector revealed the photos were taken on a camera model that did not match the claimant device plus the photos showed image-manipulation software residue. Sherlock Forensics walks through the case end-to-end.

Buyer Education

What Is a PDF Object Stream and Why Forensic Examiners Care About It

PDF object streams are the data structure inside a PDF file that hold the document content. For forensic examiners the object stream is where tampering, redaction failures plus hidden content show up. Sherlock Forensics walks through what object streams are plus what investigators find in them.

Buyer Education

How Long Does Windows Preserve USB Device Connection Records?

Windows preserves USB device connection records in the registry plus setupapi.dev.log plus event log entries. For forensic examiners these records identify which devices were connected, when they were first connected plus which user account was logged in. Sherlock Forensics walks through the retention windows plus what investigators recover.

Security Research

Email Header Forensics in 2026: How Investigators Read SPF, DKIM and DMARC

Email authentication headers (SPF, DKIM, DMARC) carry the forensic record of whether a message claim about its sender stands up. For investigators handling phishing, business email compromise plus vendor-impersonation cases, header analysis is the load-bearing technical step. Sherlock Forensics walks through what each header records plus how investigators read them in 2026.

CVE Analysis

CVE-2026-8858: IBM WebSphere Application Server Plug-in Code Injection Surface Forensic Investigators Should Plan For

CVE-2026-8858: IBM WebSphere Application Server plus WebSphere Liberty are vulnerable to remote code execution plus denial of service in the WebSphere Web Server Plug-in component. CVSS 7.5 HIGH. Forensic investigators handling enterprise Java compromise should plan acquisition workflow around plug-in logs plus reverse-proxy chain audit.

Compliance Deep Dive

Alberta PIPA Section 34 in 2026: What Alberta Organizations Holding Personal Information Must Know

Alberta PIPA Section 34 sets the breach notification framework for organizations holding personal information in Alberta. Distinct from PIPEDA plus Quebec Law 25. The Office of the Information and Privacy Commissioner of Alberta is the regulator. Sherlock Forensics walks through the framework, the threshold plus the documentation discipline.

Buyer Education

What Does the NTFS $LogFile Tell a Forensic Examiner About File Deletions?

NTFS $LogFile records every filesystem transaction before it commits to disk. For forensic examiners this is a high-fidelity record of file creates, renames plus deletions that often survives long after the deleted file is gone. Sherlock Forensics walks through what the $LogFile shows plus what it does not.

Buyer Education

Can OST Files Be Recovered After the Mailbox Is Deleted From Exchange?

OST is the offline cache Outlook keeps on the client. When an Exchange mailbox is deleted the OST on the client survives the server-side delete plus contains the last-synced mailbox contents. Sherlock Forensics walks through OST recovery after server-side deletion plus the legal considerations.

Compliance Deep Dive

EoP Auditing for SOC 2 Type 2 Evidence

How Sherlock EoP Auditor produces evidence aligned with SOC 2 Type 2 control objectives covering Windows endpoint privileged access plus configuration management.

Buyer Education

PAM as Compensating Control vs EoP Auditing

Practitioner positioning of Privileged Access Management versus EoP Auditing on Windows endpoints. They are different controls plus they serve different defense in depth roles.

Security Research

EoP Auditor vs ManageEngine VM Plus 2026

Sherlock EoP Auditor vs ManageEngine Vulnerability Manager Plus 2026 compared honestly. Privilege-escalation specialist depth vs broad vuln management. When each wins for SMBs and MSPs.

Security Research

From Hunting Zero-Days to Building the Hunter

A first-person story from Ryan Purita CISSP about why he stopped hunting Windows privilege escalation bugs by hand and built the Sherlock EoP Auditor. The tool's first run found a brand new zero-day.

Industry Briefing

Privilege Escalation Hides in Plain Sight

Local Windows privilege escalation is the attack surface almost no defender audits. Third-party software ships SYSTEM services and standard AV misses them. Three recurring classes Sherlock Forensics sees in the wild.

CVE Analysis

CVE-2026-42916: Integer underflow

Integer underflow (wrap or privilege escalation (CVE-2026-42916) scores CVSS 7.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-42974: Integer underflow

Integer underflow (wrap or vulnerability (CVE-2026-42974) scores CVSS 8.1 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-42980: Integer underflow

Integer underflow (wrap or privilege escalation (CVE-2026-42980) scores CVSS 7.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-42981: Integer underflow

Integer underflow (wrap or vulnerability (CVE-2026-42981) scores CVSS 8.1 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-44817: Integer underflow

Integer underflow (wrap or vulnerability (CVE-2026-44817) scores CVSS 7.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-44818: Integer underflow

Integer underflow (wrap or vulnerability (CVE-2026-44818) scores CVSS 7.0 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-44820: Integer underflow

Integer underflow (wrap or vulnerability (CVE-2026-44820) scores CVSS 7.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-44823: Integer underflow

Integer underflow (wrap or vulnerability (CVE-2026-44823) scores CVSS 7.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-45469: Integer underflow

Integer underflow (wrap or vulnerability (CVE-2026-45469) scores CVSS 7.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-46746: SINEC INS

SINEC INS (All versions remote code execution (CVE-2026-46746) scores CVSS 8.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-46748: SINEC INS

SINEC INS (All versions privilege escalation (CVE-2026-46748) scores CVSS 8.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-46749: SINEC INS

SINEC INS (All versions vulnerability (CVE-2026-46749) scores CVSS 7.5 HIGH. Analysis of affected systems and remediation steps.

Research

Is Your Stack Vulnerable to SQL

10 new SQL Injection CVEs this week including CVE-2024-58348 (CVSS 9.8). What Startup Security teams need to know.

Research

Bates-Stamped MSG Exhibit Examination in Litigation

MSG files arrive routinely as Bates-stamped exhibits in litigation productions. A practical guide to forensic examination workflows for individual-message exhibits with chain of custody.

Research

Forensic Examination of MSG Files in E-Discovery

MSG files arrive routinely in e-discovery productions as individual Outlook exhibits. A practical guide to forensic-grade MSG examination with chain of custody for litigation.

Research

Ransomware Investigation in Windows Event Logs

A practical guide to using Windows event logs to reconstruct a ransomware attack: initial access, lateral movement, encryption detonation and what the logs reveal after the fact.

Research

Windows Event Log Forensics for Incident Response

Windows event logs are the first stop in incident response and the last place to find evidence. A practical guide to .evtx forensics for SOC analysts, IR responders and compliance teams.

Research

Is Your Stack Vulnerable to SQL

2 new SQL Injection CVEs this week including CVE-2026-7097 (CVSS 8.8). What Compliance teams need to know.

Research

Enterprise Security Checklist After

2 new Server-Side Request Forgery (SSRF) CVEs this week including CVE-2026-6581 (CVSS 8.8). What Enterprise Security teams need to know.

Research

Browser Forensic Viewer for $29

Sherlock Forensics Browser Viewer: extract history, bookmarks, downloads from 8 browsers. Free to view, $29 for CSV export. Forensic-grade.

Research

Free Forensic Disk Imager That Resumes

Free forensic disk imager with E01, raw dd, three-pass SHA-256 verification and resumable imaging. FTK Imager alternative. 4.4 MB.

Research

Android Forensics Tools Compared 2026

Android forensics tools compared for 2026: Cellebrite ($15K+) vs Sherlock ($399) vs MSAB XRY vs Oxygen. Side-by-side pricing, logical vs physical extraction and court-ready reporting.

Research

[Post Title Goes Here]

[50-160 char description optimized for CTR. Include primary keyword and value proposition.]

Tool Guide

How I Built the First Pure-Rust PST Writer

A first-person engineering story behind PST Viewer v1.3.0. Why I built it, what was hard and why the scanpst.exe verdict matters in court. The first pure-Rust PST writer we are aware of, with output that passes Microsoft's own validator at the same level as files Outlook itself creates.

CVE Analysis

CVE-2026-5411: WP Captcha PRO

WP Captcha PRO (the remote code execution (CVE-2026-5411) scores CVSS 8.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-5415: WP Captcha PRO

WP Captcha PRO (the authentication bypass (CVE-2026-5415) scores CVSS 8.8 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-22924: SIMATICN 4100

SIMATIC CN 4100 (All vulnerability (CVE-2026-22924) scores CVSS 9.1 CRITICAL. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-41551: ROS#

ROS# (All versions < directory traversal (CVE-2026-41551) scores CVSS 9.1 CRITICAL. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-34260: SAP S/4HANA

SAP S/4HANA (SAP Enterprise SQL injection (CVE-2026-34260) scores CVSS 9.6 CRITICAL. Analysis of affected systems and remediation steps.

Tool Guide

OSINT Recon Guide for Beginners

How to run external reconnaissance on your own organization. Domain enumeration, DNS analysis, port discovery and credential leak checks.

Industry Briefing

Healthcare Cybersecurity 2026

Healthcare breaches cost $10.93M average. HIPAA Security Rule requirements, ransomware targeting hospitals and what your security program needs.

CVE Analysis

CVE-2026-6596: CVSS 7.3 HIGH

A security flaw has vulnerability (CVE-2026-6596) scores CVSS 7.3 HIGH. Analysis of affected systems and remediation steps.

CVE Analysis

CVE-2026-6605: CVSS 7.3 HIGH

A security flaw has vulnerability (CVE-2026-6605) scores CVSS 7.3 HIGH. Analysis of affected systems and remediation steps.

Digital Forensics

How to Open a PST File Forensically

Step-by-step guide to opening PST email archives with chain of custody preservation. Hash verification, read-only analysis and evidence integrity.

Penetration Testing

Zero Trust Is Not Zero Risk

Zscaler, Cloudflare Zero Trust and BeyondTrust have limitations. Insider threats and misconfigurations bypass the architecture.

Penetration Testing

The Device Your Network Cannot See

ShadowTap Ghost Mode: physically on your network, generating zero outbound traffic. All C2 through cellular. Your IDS cannot see what is not there.

AI Security

Can AI Be Hacked?

A forensic examination of AI attack surfaces. Model extraction, data poisoning, adversarial inputs and the security gaps most teams overlook.

CVE Intelligence

Latest CVE Alerts

High and critical vulnerabilities relevant to cloud, web and AI infrastructure. Updated daily from the National Vulnerability Database.

CVE Severity CVSS Affected Product Vulnerability
CVE-2026-23696 CRITICAL 9.9 Windmill CE/EE SQL injection in folder ownership management
CVE-2021-4473 CRITICAL 9.8 Tianxin Management System Command injection in Reporter component
CVE-2026-22679 CRITICAL 9.8 Weaver E-cology 10.0 Unauthenticated RCE via debug endpoint
CVE-2026-3296 CRITICAL 9.8 Everest Forms (WordPress) PHP Object Injection via deserialization
CVE-2026-4631 CRITICAL 9.8 Cockpit (Linux) SSH command injection via login endpoint
CVE-2026-1346 CRITICAL 9.3 IBM Verify Identity Access Privilege escalation for local users
CVE-2026-22683 HIGH 8.8 Windmill Missing authorization bypasses operator restrictions
CVE-2026-3357 HIGH 8.8 IBM Langflow Desktop Insecure FAISS deserialization enables code execution
CVE-2026-1342 HIGH 8.5 IBM Verify Identity Access Local users can execute malicious scripts
CVE-2026-4788 HIGH 8.4 IBM Tivoli Netcool Impact Sensitive data exposure in log files
CVE-2026-4740 HIGH 8.2 Red Hat ACM / Open Cluster Mgmt Certificate forgery via improper validation
CVE-2026-5736 HIGH 7.3 PowerJob detailPlus endpoint manipulation
CVE-2026-5739 HIGH 7.3 PowerJob Code injection via OpenAPI workflow endpoint
CVE-2026-5741 HIGH 7.3 docker-mcp-server OS command injection via HTTP interface
CVE-2026-1343 HIGH 7.2 IBM Verify Identity Access SSRF exposes internal auth endpoints
CVE-2026-22682 HIGH 7.1 OpenHarness Improper access control exposes local files
View Weekly Roundup (Jun 1 - Jun 14)