OPEN-SOURCE DIGITAL FORENSICS

Assume Adversarial

Chameleon Forensics is an open-source initiative focused on advancing digital forensics through an “assume adversarial” mindset, with a considered focus on mobile.

Hostile acquisition environments
Devices may resist or manipulate forensic workflows.
Anti-forensic awareness
Detect stealthy interference during logical extraction.
Platform-level realism
Account for OS controls and evolving security behavior.
Resilient investigator tooling
Support dependable workflows under adversarial conditions.

$ initiative --status

Open source

$ priority --target

Evidence collection - Mobile for now :)

$ mode --operating

Assume adversarial

$ output --audience

Investigators, researchers, DFIR teams

Challenge default assumptions in mobile forensics.

Traditional extraction workflows often assume the target device behaves honestly after access has been achieved. Chameleon Forensics focuses on the opposite premise: that collection environments may be hostile, deceptive, or intentionally resistant to analysis.

That mindset shapes the design of our tools, test methods, and research outputs.

Two complementary open-source toolstreams.

Logical extraction tooling
Designed for adversarial mobile acquisition environments.
Anti-forensic instrumentation frameworks
Built to test extraction reliability under controlled conditions.

Researching extraction reliability under pressure.

The project sits at the intersection of anti-forensics, extraction reliability, and open-source tooling for realistic testing in modern mobile environments.

Adversarial forensic environments

Model devices, operating systems, or surrounding conditions as active participants rather than passive sources of evidence.

Anti-forensic mechanism testing

Evaluate how logical extraction tools react when stealthy or disruptive conditions are intentionally introduced, with the aim of resilience improvement.

Open-source workflows

Lower the barrier to experimentation and reproducible validation for researchers and practitioners.

Practitioner resilience

Help investigators build collection methods that remain dependable even when the environment is deceptive.

Latest Public Activity

This timeline explains the history of how Chameleon Forensics Open-Source Projects came to be. The original idea of "assume adversarial" mobile forensics arose from a university project with multiple student contributors and a professor as mentor. It was then moulded and further realised by many other individual contributors, each in their own expert capacities.

April 2026

Tool Release: ChameleonAF: Anti-Forensic APK Instrumentation Framework at DEF CON SG 1 Demo Labs

Released the first tool in the Chameleon Forensics suite of open-source research utilities. ChameleonAF enables investigators and researchers to evaluate how Android logical extraction tools behave when anti-forensic mechanisms are active, supporting controlled experimentation on extraction reliability under adversarial conditions. It also aims to act as a repository of anti-forensic mechanisms for researchers to reference.

Speaker / Contributor: Joseph Lim

October 2025

Talk: Countering Forensics Software by Baiting Them at GovWare 2025

Further shared the honey-token–based detection approach with a regional practitioner audience, extending the discussion beyond research settings to operational digital forensics workflows. The session focused on how acquisition transparency assumptions can be challenged in real investigative environments, and how deterministic filesystem indicators can be leveraged to surface extraction activity earlier in the collection process.

Speaker(s): Dr. Weihan Goh, Joseph Lim

Additional Contributor(s): Wilson Lim, Isaac Soon, Zhen Yu Kwok, Aloysus Koh

August 2025

Talk: Countering Forensics Software by Baiting Them at DEF CON 33 Creator Stage (Adversary Village)

Challenged the assumption that logical extraction proceeds transparently once device access is achieved, and introduced a novel approach using strategically placed honey tokens within the Android filesystem to detect acquisition activity. The talk demonstrated that these indicators can provide deterministic signals prior to extraction completion, enabling just-in-time countermeasure deployment against forensic tooling.

SweetDeceit was released after the talk, implementing the novel honey token approach alongside other known anti-forensic mechanisms, in the form of an Android 12 custom AOSP image, to show in practice how the novel approach could interrupt logical acquisition workflows.

Speaker(s): Dr. Weihan Goh, Joseph Lim, Isaac Soon

Additional Contributor(s): Wilson Lim, Zhen Yu Kwok, Aloysus Koh

Backed by the Community

Chameleon Forensics has been supported by certain key individuals and teams whom we would like to highlight and thank. These individuals and teams have provided advice, monetary support and/or in-kind support for the mission of Chameleon Forensics.

Brandon Cheong