Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:12):
Welcome to the Digital
Forensics Now podcast.
Today is Thursday, May 16th, 2024.
My name is Alexis Brignoni, aka Briggs, and I'm accompanied by
my co-host, the one that puts the tech in Techno, the patience
generator, the gluten-free pita that's healthy for you, the one
(00:36):
and only Heather Charpentier.
The music is Higher Up by Shane Ivers and can be found at
silvermansound.com.
Speaker 2 (00:48):
The gluten-free pita.
Speaker 1 (00:50):
Yeah, you know you're
healthy.
You know all that working out that we're doing.
All of a sudden, oh my gosh, I like the patient generator more,
and you know why I say that.
Speaker 2 (01:01):
I do, I do, I
definitely do.
Speaker 1 (01:14):
Hello everybody.
I'm happy that we're happy that you're all here.
People are starting to roll into the chat and whatnot.
Speaker 2 (01:19):
What's going on,
Heather?
Since IACIS, what have you been up to?
Nothing.
We're back from.
IACIS 2024 is over for IACIS.
Speaker 1 (01:28):
Now we got to
start working on 2025.
Speaker 2 (01:29):
Let's take a couple
weeks off first. Yeah, let's take
almost one year off, okay, all right.
All right, we'll start thinking about it, though.
But being away for two weeks, um, came right back to a trial
that had already started and had a message on my phone: hey, I'm
going to need you to testify.
So that's what I did this week, testified in a trial, fun times.
Speaker 1 (01:49):
You know I always
freak out before I go testify,
but then when I'm there I'm like into it.
Speaker 2 (01:54):
Yeah, so I was
freaking out for this.
I haven't testified in a little while.
It's been a little bit, and I was freaking out for this one
like I was for the very first time I ever testified.
I'm like what is going on?
And you're right.
As soon as I got in that seat, I was absolutely fine.
Speaker 1 (02:10):
Yeah, I mean, that's
the good thing about the type of
work that we do, because we're there for the facts, so there's
nothing I need to be afraid of.
It is what it is and that's what's going to happen.
It's what's going to come out.
Still, that panic factor happens every time.
Oh yeah, yeah, and I take that as a symbol that we take it
seriously, and that's a good thing.
Speaker 2 (02:29):
It's definitely the
unknown of what's going to be
asked by the other side.
Speaker 1 (02:34):
And sometimes by your
side too.
Speaker 2 (02:36):
That's true, oh,
that's really true, especially
when it's last minute, right.
Speaker 1 (02:42):
I don't know where
you're going with these
questions, but here we go.
Speaker 2 (02:47):
Don't ask that.
Speaker 1 (02:47):
Please don't ask that.
So yeah, so well, yeah, we, there's some conference coming
up, right.
Speaker 2 (02:56):
Yeah, I'm going to
Techno in a couple of weeks.
So I've been asking to go to the Techno conference for like
nine years since I started working at the state police
forensic lab and at the time we weren't allowed to go because it
was in Myrtle Beach and Myrtle Beach is too fun, apparently.
So now that it's in Wilmington, North Carolina, I get to go
this year for the first time, so super excited, looking forward
to that.
Speaker 1 (03:16):
No fun allowed I know
I'm surprised.
Speaker 2 (03:22):
I was allowed to go
to Orlando for IACIS, but
actually we weren't allowed to for years.
Speaker 1 (03:26):
So no, I, I, that's
actually not only your agency.
Speaker 2 (03:28):
Yeah.
Speaker 1 (03:28):
Even, even you know
federal agencies at some level
they put some constraints because you know we don't want
to give the impression that we're there for the party, which
again we're not.
We're there to learn, obviously, obviously.
Speaker 2 (03:38):
I have a feeling
Vegas would be a problem.
Speaker 1 (03:41):
Well, I just want to
say that I'm not jealous or
envious at all that you're going to Techno.
Speaker 2 (03:45):
I wish you were going.
Speaker 1 (03:48):
Me too.
Yeah, we'll see.
We'll see.
I mean, again, it's hard to, like you said, just get the
approvals and the funding.
It's not always easy, but there's a will, there's a way.
We'll find a way. What's been going on with you?
So uh, so, talking about places and to be and things to do,
I'll be uh teaching next week at Department of the Interior
(04:12):
campus over at West Virginia, so I'm really excited about that
and then after that I'm going to Argentina, um so don't cry for
me. No, I'm jealous.
I kind of want to go on that trip going to beautiful Buenos
Aires, one of the most beautiful cities, one of my favorite
cities in the whole world. You must need an assistant.
No, all right and look, I mean, if I could, I would.
(04:32):
But yeah, I'll be teaching there, you know, and working
with some of the um local agencies from the region, and
then I'm gonna be the second week.
I'll be working with the festaengineeringTA Engineering
University.
I get some community programs and talking about Python, the
LEAPPs, utah Forensics, and also working with the local
(04:53):
prosecutors.
There I cannot be, I won't be, I will be remiss if I don't
mention that Kevin, the man with the master plan, the man with
the repo powers, the one that approves and can also cancel you,
is in the chat.
So, Kevin, glad to have you here. Hi, Kevin. For those that don't
know Kevin, he's one of the main repository maintainers for
(05:17):
the LEAPP program.
He's been keeping the fort up and handling all things.
So again, I couldn't thank you enough for the work that you do,
Kevin.
So thank you.
So, yeah, so that's what's happening.
I tell the folks that are listening and watching we might
skip a show because again we'll be traveling, Heather will be in
(05:37):
Techno, I'll be overseas, so we might have to skip a show here
and there.
But just keep your eyes on our LinkedIn page, Digital
Forensics Now podcast, and then we'll make announcements if
we're missing a show, or when we'll miss it and when we're
gonna make the show live again.
So all right.
Speaker 2 (05:54):
Any other news that
we're missing, like short stuff?
We're good, I think that's good, except for I just wanted you to
know that you're making Kevin blush. Well, well, good, because
he, because he deserves all the blushes, he's awesome.
Speaker 1 (06:09):
So we got a lot of
stuff.
So tell us, tell us what's on.
Speaker 2 (06:11):
So the first topic I
wanted to talk about is iOS
Unified Logs.
So we've talked a few times about Lionel Notari's work with
the Unified Logs.
He's doing a ton of testing and also has a tool that has the
capability of pulling the unified logs.
I demoed it on a previous episode of the podcast.
(06:32):
So for his new blog, he's actually outlining driving and
motion states.
It's really some cool research.
I'm going to pop up some slides that go along with it.
So he is, he's conducting research and he outlines in his
(06:54):
blog that it could be really useful research when it
comes to distracted driver cases and, after reading all of his
research, it really will be useful in distracted driver
cases.
I've worked a few of them and knowing that these logs are here
and being able to utilize them and match them up with other
artifacts inside of the device can really help bolster the case.
(07:18):
So he has artifacts such as the driving motion states.
So the first motion states are stationary to walking, you can
see them here in the slides, but stationary to walking and then
stationary to running and it's capturing these transitions
(07:39):
between the motion states.
And when it comes to the vehicles, there are vehicle
start times and vehicle stop times and transitions from
stationary into vehicle motion states.
So here's just an outline of the start time and what that
entry would look like in the unified logs.
Speaker 1 (08:01):
Yeah, and can you go
one slide back?
I want to make a quick comment.
So for the folks that are just listening, you can't see what
we're showing on the screen.
You got to remember a couple of things.
This unified logs.
It requires you to do certain things, either to the phone or
have some software to pull those out.
They just don't sit there for you to get.
So if you're just taking an extraction from the phone,
you're not going to see them.
(08:22):
Right, you need to do these extra steps, and we discussed
this maybe a few episodes back, I don't remember specifically
which one.
Speaker 2 (08:29):
Yeah.
Speaker 1 (08:29):
We talk about
software to include, you know,
some software that the NL also does to pull this out, and what
you see on the screen, folks, is a timestamp for that event, and
then the particular service or system within the device, be it
locationd or the Wi-Fi service or whatever service
it is, telling you something about what's happening on the
(08:52):
phone, like Heather is saying, like the vehicular start time
and what happens, right, or the motions. Is it state driving, is
it stationary?
So it's really impressive this, this amount of data, and you
need to be aware that when you're done with your extraction,
be it file, full file system or whatever it is, start looking
(09:13):
into this iOS unified logs for this type of stuff. Yeah,
definitely.
Speaker 2 (09:18):
um, there's the same
type of data when it comes to
driving stopped.
So the transition will be the motion state will transition to
driving stopped.
And then he also did some research on the out of my pocket.
He called it get the phone out of my pocket.
So there's different states that show if the, if the phone is
(09:41):
out of the pocket, if it's in your pocket, if it's face down
or if it's face down on a table.
I want to also just point out that he mentions numerous times
in his research, and I'm really, really glad he does this, that
there needs to be secondary sources to validate this data.
(10:02):
He's found that some of them can be imprecise and some were
pretty precise, but throughout the article he continues to just
let the user or the reader know that there needs to be
verification, validation for the accuracy of the data stored in
these logs.
Speaker 1 (10:21):
Yeah, and that's key,
because these are sensors and
that's the part that people really don't think about.
You have what's recorded, but that recording in your device,
be it a car, a phone, whatever it is, it's a reading from a
sensor.
Now, how of the phone would be registered as something that
might not be it.
So that's why you've got to be really careful and look, from my
(10:51):
perspective, and you can tell me if you think I'm wrong or not.
Don't look at the one thing, right? You've got to look at a
series of events across a particular time frame to then be
able to extrapolate.
Not extrapolate, but kind of determine yeah, the movement was
this or no, there was no movement.
Because if you focus only on the, oh, this event at minute
(11:11):
number one, second three, you could be wrong, really, really
wrong.
You need to look at a few of them across a large enough time
frame to be able to make proper conclusions.
Speaker 2 (11:24):
Right and when he was
doing the research he actually
outlines that the pocket states are what he found to be very
imprecise, so minor movements were, were making some of those
changes.
But also that comes along with do your own testing on it as
well.
Find out what, what is precise, what is imprecise, what things you can
use and I think, kind of going along with what you just said,
(11:45):
these could fit really nice into a timeline with other artifacts
where they match right up and they're showing the progression
of what's going on with the device.
Speaker 1 (11:54):
Oh yeah, and I think
digital forensics is moving into
that. Again,
we like the whole ones and zeros, yes or no, but we're
going to start thinking of data as a continuum of our degree of
this.
Sensor recordings, right, and those recordings are a
reflection of events that happen in the real world and they need
(12:15):
to be taken with that, we talk about this in other episodes,
taken with that degree of uncertainty, because there is
some uncertainty there and we need to consider that as we make
our analysis.
Speaker 2 (12:26):
Yeah, I see the
comments.
You had no idea that the logs had all that stuff.
I didn't either.
When I read this I was like you have to be kidding me.
I've never seen this before.
Speaker 1 (12:35):
Oh yeah, I mean.
So you look at logs, right, and it's so much of it and you're
like, well, there's tons of stuff here.
I don't see nothing, right.
But what Lionel is doing, he's taking the time to really dig
into them and say, oh, there's a nugget here, there's a nugget
there.
And folks like him bring so much to the community because
now it makes our work easier because he's done the hard
(12:56):
finding part, right.
So, Lionel, we appreciate your work, we appreciate you and
we're looking forward to all your new blog posts on the
different things that you find and my plan is hopefully, down
the road, be able to support some of these in our tooling.
Yeah, I'm definitely stalking his
Speaker 2 (13:16):
LinkedIn page for all
of the new blog posts.
Kevin says there's an orientation and screen wake
artifact in there that could be correlated with these two, so
definitely pair it up with those other artifacts.
Speaker 1 (13:27):
Yeah, I'm going to
share a comment here from
Christian Peter.
He's working on a master thesis for that and that's fantastic,
because research at that level, master level thesis, that goes to
a peer review process and all that.
Christian, whenever you get your stuff out and you're able
to publish it, let us know and we'll share it with the
community.
We're really looking forward to that as well.
Speaker 2 (13:47):
Yeah, definitely, let
me remove this here.
Hold on one second, there we go, so.
Speaker 1 (13:58):
Yeah, we have some
movement in the digital forensic
space and it's been a pretty heavy year so far and we're
about to hit the midpoint.
So Thoma Bravo announces a cash offer to acquire cybersecurity
leader Darktrace, and this is why they obviously advertised
that acquisition.
(14:18):
So let me put folks on, set the table on what's going on.
So, Thoma Bravo, is this investment?
I don't want to say investment firm, I don't know how come I'm
worded.
Let's call it investment firm for our purposes here.
So they acquire businesses and they build them up and obviously
to enhance stockholder share value, right.
(14:38):
So they acquire Magnet Forensics.
There's a lot of synergy, obviously with GrayKey,
something that was happening way before Thoma Bravo showed up.
Right, that Magnet GrayKey synergy was there.
They added uh with that um Griffeye.
They added uh for the name of the company, but a company that
deals with dealing with DVRs and extracting video from devices,
(15:02):
which again, another field with a lot of growth there.
And what I'm seeing is, oh, they added also some analysis on
video analysis as well.
Not only extraction, but video analysis, support for that
acquiring companies.
They even recently acquired an exploit firm, and what that
means is that they're looking for really smart folks that are
able to provide us access to devices to be able to lawfully
(15:25):
obtain evidence.
Okay, so what I'm seeing is they're actually becoming, kind
of building this big behemoth in regards to their forensic
offering, and this latest one, with Darktrace, is really
interesting because it goes beyond the purely forensic side
of the business, right.
So what Darktrace does is they have some AI solutions for
(15:48):
incident response and incident response prevention and what
that does, and I think it's one of the few, from my perspective,
one of the few clear AI reasons to exist that actually makes
sense to me.
All right, and I say that because what the AI does, based
on my understanding of their business, is that the AI can
baseline the network, can baseline your endpoints in your
(16:10):
enterprise, and, after that baseline is set, the AI is able
to determine any deviations from this baseline, which could mean
either an attack is ongoing or some evilness is spreading to
the network, and that knowledge eventually then leads to other
AI responses in regards to containment, in regards to
(16:31):
alerting the folks that need to know about it, and in regards to
also prevention, right. Prevention, containment and
resolution.
So having them acquire that and putting it together with all
the other Magnet Forensics GrayKey
tooling capabilities, I think
it's going to really, they're turning into a really big player
at a speed that I don't think, from my perspective, other
(16:53):
companies in the space are doing right now.
Speaker 2 (16:57):
Yeah, I mean
definitely.
I read an article that went along with this particular topic,
and they were saying that their goal is to automate all of
these functions and streamline it and really work on that
backlog of case data that everybody has.
(17:17):
I don't know how I feel about the automation, though.
Speaker 1 (17:22):
They have a solution
that actually we'll talk about
it in a second, then we'll gointo the automation though.
Yeah, and they have a solutionthat actually we'll talk about
it in a second I want to point,then we'll go into that, onto
the automation piece.
This is a hard analysis to predict what could happen,
because I see the value in having all these tools and
expanding into the incident response field and obviously I'm
pretty sure they're gonna expand also even more, they do
(17:42):
already, but even more into the e-discovery area and it comes
with the benefit of, hey, you have all these baskets now that
you can put eggs in.
But also the question is will they lose focus on their main
core capabilities?
And that's always that I've seen happen in this industry.
When a company that's focused on uter forensics expands to
(18:02):
other markets, they lose that focus on their primary mission
and then they have to eventually come back to it.
So is that what's going to happen?
I don't know.
I do know a few, you know, I know mostly folks from Magnet
and I know they're really capable folks.
I don't know anything about the other companies.
So it'll be interesting to see, and also interesting to see how
other players in the market react?
(18:24):
I just hope they don't lose that customer service that we
(18:50):
get from the tools that we mentioned that they're picking
up.
Yeah right, I mean again, maybe I'm overgeneralizing, but they
become really big and then you know customer support sucks or
they outsource it to some company that does not really
their thing.
Right, and it's bad.
Speaker 2 (19:05):
Yeah, I don't want to
start getting the answer turn
it off and turn it back on again.
Speaker 1 (19:08):
Did you try that?
Yes, yeah.
Speaker 2 (19:10):
Definitely,
definitely.
Speaker 1 (19:13):
No, but to your point
of automation, right.
So actually let me show folks quickly here what Magnet
Forensics, I guess, from the public's perspective, kind of
the big umbrella under which capabilities seem to be living,
they came out with the concept of the Magnet One and what
(19:35):
Magnet One is, and let me share here.
Speaker 2 (19:41):
What am I?
Speaker 1 (19:41):
sharing here Slide.
Oh, sorry, sorry, folks, I'm looking for.
I forgot how to share stuff on my screen.
Now, all right, here we go.
Magnet One.
Boom, all right.
So what you see on the screen is you got, on the left,
different sources of evidence.
You got a phone, a computer, cloud, legal returns, cars,
(20:05):
drones, video, Wi-Fi or a house with Wi-Fi signals coming out of
it.
I guess maybe that means like IoT stuff, I would assume.
And then Magnet is saying okay, we're going to handle your
storage of the evidence in the cloud, which we have thoughts
about that.
Speaker 2 (20:23):
A lot of thoughts.
Speaker 1 (20:30):
We're going to, you
know, connect all these products,
automate that case management, let you know when things are
happening, have folks be able to collaborate, all in one case
remotely.
And obviously the machine learning is another kind of
older way of saying AI, right, and they're going to do that
acquisition, that's how they advertise it. Do that workflow
optimization, automate it, do some kind of automated analysis
(20:54):
and then share it, right.
And then the idea of them is you know, eliminate backlogs
faster to what you get and we get it.
And honestly, let's be real here, all companies in the space
are proclaiming that their automation solutions do this,
like literally. The question is for us is okay, well, who's
(21:15):
doing it better at the price point that actually makes sense,
and it's going to be.
Again, I like competition.
I'm hoping that this continues because, at you know, at some
point, hopefully economies of scale prevail and prices come
back to a reasonable amount, because, from my perspective,
prices are getting really out of hand lately.
Speaker 2 (21:36):
Yeah, definitely, the
bills definitely keep going up.
So, with the automation though, good thing or bad thing.
Speaker 1 (21:44):
Oh, so gee, so look,
automation is good, but it could
be such a crutch, right.
So, okay, automation on pulling stuff, the data, out of things.
Sure, I mean that's pretty much it.
Yeah, agree, right, like a brain dead process.
Speaker 2 (22:03):
Yeah, please yeah,
bring it all up front for me.
Yes, I like that.
Speaker 1 (22:07):
Yeah, I'm okay with
that, but when you automate the
analysis, and maybe I'm going to jump ahead a little bit.
So forgive me, Heather, but that's okay.
You know, the tool might decide to show you something or not
show you something, right? Based on many factors, but we don't,
usually don't, get to know those factors and actually I'm not
going to say it.
We're going to talk about it a little bit later.
(22:28):
So what do we do?
Right, and most folks, I'll be straight here, most folks just
hit the button and whatever the tool spit out, that's it.
They don't have the incentive and I believe, as a field, and
Heather, I know you agree with me. We've been really hammering
this drum and we'll continue to hammer it till the drum breaks.
Speaker 2 (22:48):
Yes, yes, that we
take ownership of our analysis.
Speaker 1 (22:52):
Yeah, and that just
gets whatever tool spits out,
you know.
Speaker 2 (22:55):
So Caesar puts in a
comment that is so 100% true,
1000% true.
Management wants automation.
They want automation.
They want everything done as quick as possible.
But they don't understand that the quicker we go and the more
automation there is, the more of a chance that something is
wrong or the less of a chance that something is verified or
(23:16):
validated.
So I love that comment.
Speaker 1 (23:18):
So true, and again,
we're talking about management
in general terms.
So the folks that we work for, we're not talking about you,
okay, at all, right.
So, that being said, they know.
Exactly, of course they do.
So, that being said, this is the thing.
Right.
They want automation, they want the results, they want the
outcomes.
But what happens if something goes wrong?
(23:39):
Right, right. Management immediately wants accountability,
right. Oh yeah. So where's the accountability going to lie?
Well, the tool messed up.
They're not going to take that for an answer.
Speaker 2 (23:50):
Oh no, definitely not.
Speaker 1 (23:54):
Yeah, and
accountability is important.
I mean don't get me wrong, and it's something that Brett
Shavers also bangs the drum a lot: the tool doesn't do the
analysis.
You, the examiner, you're the one that does the analysis and
the accountability is going to fall on you. Just because the
tool did it or because you didn't know, it's not an excuse,
right, like the law.
Just because you have an absence of knowledge of the law doesn't
(24:15):
excuse you or absolve you from breaking it, right, and
accountability works the same way.
I didn't know, I didn't mean it, well, yeah, but you're still
responsible and people need to understand.
We need to understand that.
I need to understand that on a daily basis, remind myself of it.
Speaker 2 (24:30):
The automation,
though, for that quick upfront
look at what you need.
I love it.
I mean, it's great to have things right there parsed in
your face when you first open up an extraction, so there's
definitely a place for it.
But it just, it worries me that we'll put too much emphasis on
the automation and not enough on the actual forensics.
Speaker 1 (24:55):
No, I agree with you.
And again, you know we're using the whole Magnet automation
plan as a segue to talking to a topic.
Obviously, we're not referring to Magnet specifically.
Right, this is a general term for all the industry.
Right, and again, and we'll see this, I think this is a theme
lately, Heather, I think it is.
They give you a knife and you can butter bread or you can stab
somebody with it or stab yourself.
In this case, if you depend too much on the tool and you're not
(25:18):
careful, you're going to stab yourself with it and they'll be
like oh, what happened?
And that's a theme lately, and actually it's going to come up
again with some of the different new tooling that's coming up.
Automation is great and AI is going to continue to infiltrate
the space, but it will not substitute the need for trained
examiners, because the automation, the AI, has no
(25:42):
accountability on its own, right.
The only people that are accountable.
Speaker 2 (25:48):
Are that people?
I agree, definitely.
So you have a little thing to show here for BelkaGPT, correct?
Speaker 1 (25:56):
Yeah, and this
definitely goes with the topic
we just introduced, or we just discussed, right, in regards to
that accountability and tooling, and I want to show you how
Belkasoft, and it's actually, it was a pretty impressive
presentation.
So, to give you guys some background, Belkasoft had an
event called Belka Day, so two days of conferences.
I was honored to be invited to participate and I talked about
(26:19):
SEGBs and some considerations in regards to pattern of life
analysis in iOS and macOS devices.
But before my talk, Yuri, which is, you know, the president,
founder, CEO and owner of the company, Belkasoft's a great
product, he talked about some enhancement they're adding to
the latest Belkasoft Evidence Center X software suite and he
(26:43):
called it BelkaGPT, right?
I don't know if there's any relationship with GPT proper, I
have no idea, but that's how they called it, although we've
seen, you know, other companies in the space also use words like
Copilot, which you know kind of is used by multiple companies
in the space.
Right, that makes sense, all right.
So what I'm showing here on the screen, folks, is you see the
(27:08):
dashboard and you can go to data sources and you can enable the
BelkaGPT capability.
So the big thing that Yuri was kind of explaining was that this
functionality or this large language model that they use,
it's all offline.
Well, let me rephrase that, it's all within your device, right?
You don't have to connect to an external service to be able to
(27:30):
have this AI work with you.
Your case and, of course, from a technical standpoint, there's
some benefits and drawbacks.
Right, there's some benefits in regards to data is kept locally.
There's some drawbacks in regards to the capability for
you to do some AI analysis will be limited by the hardware and
software that you have.
But the way he explained it is that the AI will work on
(27:54):
computers without any GPU cards, only running on CPU power.
Of course, if there's a GPU available, it will use it to
expedite the process, but you don't need to have a
supercomputer to run this.
At least that's how Yuri explained it, right?
So, after you enable the software, for example, he went
and opened a chat from WhatsApp and he saw some content there
(28:18):
showing the audience.
Well, there's some conversation about Bitcoins, right?
So we know it's there for the sake of the, of the demonstration.
And then he goes to the, uh, BelkaGPT interface there and
says any mention of cryptocurrencies and, you know,
a few seconds later, the software responds in natural
language.
Yes, there are mentions of cryptocurrencies in the text
(28:39):
data, for instance, and explains a little bit of summary what the
chat is and then provides first message and the information and
then you can right click on it and actually navigates you to
that chat where the AI is making that reference. Okay, and there
is the Bitcoin message, okay.
(28:59):
Another example he gave is does the case contain images of both
faces and guns?
And that's an interesting example, because it's not one or
the other, it's both.
And the AI responds yes, the case contains images with both
faces and guns and then shows, you know, the links, I say links,
but shows the name, file names of those and then you can click
on them and go to them.
(29:19):
And he did that.
And then you show here a picture of a man holding what
seems to be like some sort of rifle or shotgun and it
highlights the face and there it is, right, and folks that are
watching, they can see that.
And you know, this is a quick side note here.
It's interesting because it's actually moving a lot of that
(29:40):
finding work to the first line user.
What I mean by first line user is the reviewers.
For example, your non-forensically trained individual
will be able to.
You know if this is implemented in a portable case or you know
type of system.
If they allow regular users to ask questions to the AI, it will
(30:03):
help, I believe, folks be able to get to stuff faster using
natural language.
They don't need to know a lot about technical stuff to say, I
want to know about Bitcoin, where is it?
Well, it's in all these places.
They don't need to know what those places are because the AI
will find it for them.
So that's a good thing.
That's not a bad thing.
Of course, we need to discuss this a little bit more.
(30:26):
So the last one is the one that I found really interesting.
Do you recall this?
You can ask the AI stupid questions.
Right?
A stupid question that he gave it was any crime or illegal
activity, and I understand what he meant by that.
Right, it's like is that a stupid question?
What do you think, Heather?
Is that a stupid question?
It's pretty vague.
(30:49):
Well, and it is vague and I like that.
He described it as stupid.
I found it funny because guess what?
Speaker 2 (30:56):
People are going to
ask it.
Yeah, everybody, where is the evidence of the crime?
That's the question.
Find the evidence?
Yeah, you're right.
Speaker 1 (31:06):
There's not a button
for find the evidence, they're
just going to tell it to find the evidence and actually the
tool did a fairly decent job.
It said you know there's no evidence of any crime or legal
activity discussed in the text data and the reasons it gave.
It even gave an argument saying, well, it's going to, could be,
but we require more.
It says it is impossible to conclude that this request is
related to any wrongdoing and give you the stuff.
(31:27):
And that's the part where now the AI is starting to bug me.
Speaker 2 (31:34):
Yeah.
Speaker 1 (31:36):
What do you think,
Heather?
What do you think about that?
I don't know about that.
Speaker 2 (31:40):
I don't know about
that.
I mean, I would love to know the rate of false positives on
that, but um yeah the questions are gonna be crazy. No, and I
think you hit the nail on the head.
Speaker 1 (31:53):
Yeah, um, with the
rate of false positives or
hallucinations, and I'm notsaying his tool does that.
I'm not saying that.
Obviously, I'm just seeing thedemo and that's it.
But the AIs are known for that.
Now, the good thing is thatwhenever the AI responds,
underneath there's somereference to what it's talking
about, so you can confirm it.
But the question is, like yousaid, what will the error rate
(32:17):
be?
And we can determine that if wehave a large data set, which
means people using this live Isay live, but usually in their
daily work?
Yes, and it's tough because thetesting is happening not in a
testing environment.
It's happening live because youcan test in a testing
environment, but that's notenough data or use cases to make
(32:37):
a determination about the tools.
Does that even make sense, Heather, to you? Right?
Speaker 2 (32:41):
It's a lot different
using test data that's set up
for that specific um function.
Right, you know what you're looking for as you set up the
and it contains that and it's a small data set.
Usually when you set up the test data, um, I would say like
an example on like evidence items.
An example is there's an AI function in one of the tools
that looks for grooming and um, I mean, I was looking through, I
(33:05):
ran a couple of times.
I'm looking through data and grooming.
Is mom telling son I love you honey, see you later.
So I mean the false positives are like.
Do I really want to sift through all the false positives
when it's such a big data set, because there are a lot when it
comes to the AI features.
Speaker 1 (33:21):
Oh, I love that
example.
That's a good example, and at some point the returns are going
to overpower the.
You know the benefit.
I mean, I'm sorry, the works are going to overpower the
returns.
Yeah, because at that point I'd rather just read the messages
straight up, right, oh, definitely. Go one by one, it'll
be quicker.
Right, right, one by one, it'll be quicker, right.
Speaker 2 (33:40):
Right, sometimes with
the AI features, with the
images too right.
You're looking, for example, that what you just said with the
Belkasoft you're looking for the faces with guns.
You may have a few faces with guns up front, but if you have a
really large data set, there's a ton of images in there.
I'm not saying with Belkasoft, but I've never tested it, but
with other images in there that are not even close to being a
(34:03):
gun or a face.
Speaker 1 (34:04):
Yeah, and that level
of uncertainty, of percentage of
false positive or hallucinations.
We cannot determine that on ourselves using one or two cases.
A lot of cases are needed because this thing is
deterministic and it's also probabilistic at the same time,
how these AIs work, how those internal decision trees happen,
(34:27):
based on training, and that we cannot really quantify ourselves.
They're so large, right, it doesn't fit in my mind how this
thing works.
So that's I guess and let me know if you agree with this or
not I think this is a good tool that could be used, just to
start.
Speaker 2 (34:46):
Yes.
Speaker 1 (34:46):
Just to kind of frame
your investigation.
But I mean, I'm afraid that people will take that output,
screenshot it and say, look,here's the crime.
Speaker 2 (34:58):
Yeah.
Speaker 1 (34:59):
You know, I mean, I
don't know.
Speaker 2 (35:01):
That's my fear with
the automation.
Like you use the automation features, check all that shows
up in the automation and then call it a day.
Speaker 1 (35:11):
So yeah, no, like
Kevin's saying, maybe the AI
says look, there's too much crime here.
I quit. The AI is taking a vacation today.
This device is too guilty.
That's good, yeah.
I think that speaks also to one last point in regards to the
training data.
Could I foresee an AI that's really trained in the federal
(35:37):
code of law or your state law system and rules of evidence and
all that type of stuff and go through a device and make even
some prosecutorial determinations?
I foresee a company maybe doing that right and again, that
knife.
You know it's good to kind of frame your mindset, but you
(35:59):
cannot outsource that to the AI, no matter how big that training
data set is.
Speaker 2 (36:04):
Yeah, I'm sure that
it's going to continue to get
more sophisticated and we'll see some of that type of stuff
where it gets better at some things.
Speaker 1 (36:14):
Yeah, no, no,
absolutely, and I think again.
I said the last point.
I have one last point.
Speaker 2 (36:19):
This is the real last
point.
Speaker 1 (36:21):
It also speaks to us
being able to be able to
communicate with a freaking machine now, right.
Speaker 2 (36:27):
Yeah.
Speaker 1 (36:28):
It's not only talking
to people, it's talking to the
computer, because whatever you ask, the computer response will
be as good as the question you're asking it.
And folks have used ChatGPT, not this AI in forensics, but plain
ChatGPT.
If you're trying to code or do something, you ask it a question,
you give it a response and you have to do another question to
kind of narrow that response and kind of lead the AI to help it
(36:51):
go to where you really want to know, right.
So it'll be interesting how we have to develop certain
community-built phrases or ways of asking things to these AIs to
be, to be effective.
Speaker 2 (37:07):
Definitely. All right.
Enough with the AI.
Speaker 1 (37:13):
Yep.
So, actually not.
Not that much, but by next week somebody will come with some
other thing and we will have to talk about it.
Speaker 2 (37:20):
I thought you had
another point on it?
Speaker 1 (37:21):
Oh, no, no, no, I
already gave you two last points.
Speaker 2 (37:24):
Okay, all right.
So I wanted to talk also about, so another tool that we showed
in a previous episode called Ufade, which has the capability
of pulling some of those iOS logs as well.
I'm going to throw some slides up, because I have some
screenshots that I stole from the creator of Ufade, Christian
(37:47):
Peter, and he has a few, a few new updates, so the tool is now
able to perform full file system extractions on already
jailbroken devices.
You can see on the screen is the interface for Ufade, and
option four gives you that file system backup for jailbroken
(38:08):
devices.
And then there's another screenshot he had on his
LinkedIn where it's actuallyperforming the file system
backup.
Speaker 1 (38:18):
And this is again,
like Heather said, full file
system.
If it's jailbroken, you have that access.
You can pull everything down, which is pretty neat.
Speaker 2 (38:26):
Yeah, and free tool,
so you don't have to spend
thousands and thousands of dollars to get a full file
system.
Speaker 1 (38:32):
And it's kind of
interesting because there are
companies out there, well-known companies, whose capability is
this.
It's true. I'm not going to call them out, call them out, but
everybody knows who they or who these are. Yeah, and, and I'm like
really, that's, that's the offering? Okay, but yeah, so you
(38:52):
can do it free here with Ufade.
Speaker 2 (38:55):
Another update to
Ufade is that it's able to
capture live network traffic from your iOS device as a PCAP
file.
So again, the interface is up on the screen and option three
is sniff device traffic.
And then I'm just going to show a quick screenshot that I took
from Christian's LinkedIn that he posted of it in action.
Speaker 1 (39:18):
Yeah, and it's really
interesting, if possible, for
malware analysis maybe, or if you're trying to intercept some
malicious traffic.
There's a lot of utility to be able to do that on a mobile
device.
Speaker 2 (39:35):
And then, finally,
another update that was
announced recently is unlocking the developer mode options on
devices with iOS 17 and up.
I didn't initially know what this one was doing, so I
actually messaged Christian tonight and asked him.
So it takes screenshots from the device screen with that
(39:56):
developer options enabled.
And to further clarify, he told me you can take single
screenshots or loop chats, and then it's highlighting every
message and then it starts scrolling and when it reaches
the end you'll have a screenshot per message in the chats on the
device.
I had asked him is this similar to what Cellebrite's chat
(40:20):
capture is?
And it sounds similar to whatthat chat capture is.
Speaker 1 (40:25):
Yeah, no again.
That's an awesome capability.
Speaker 2 (40:29):
And again the cost of
nothing is unbelievable.
Yeah, very, very cool new features in the tool that we
previously outlined, how to use it to pull the logs too, so you
can see that on previous episodes, yep, yeah.
Speaker 1 (40:43):
And again, Christian,
thank you for that work that you're
putting out.
I used it a couple of times and the software works really solid.
I do appreciate it.
Speaker 2 (40:53):
Yeah, so Android had.
Android had an update this week too, so they have theft
protection features that are meant to keep your data safe, so
they're announcing a bunch of new theft protection features.
Speaker 1 (41:10):
Yeah, and we're going
to mention them in a second.
But I understand where they're coming from and sometimes we
think, well, they're just there, are you know some folks.
Well, they're against us being able to do lawful access.
Let me tell you, I've gone a lot of travel overseas and in
some countries the secondhand market for stolen devices is
huge.
It's a big black market, millions, maybe billions of
(41:33):
dollars worth.
Where you know you're walking down the street and somebody
snatches your phone, they go off with it.
They, you know they clear it out and they resell it.
Or they because some companies I say companies, but some
companies in some of these countries what they do is they
take the IMEI and the phone stolen, they blacklist that IMEI.
So for folks that don't know what it is, an IMEI is the
(41:56):
individual identifier for the device.
Okay, if they see that stolen IMEI hitting their networks,
they cut off that phone.
Well, these criminals are really how can I say this?
Creative and what they do is well, easy let's just ship this
phone to the next country over and sell it over there.
It might not work here, but it might work, or will work, two
(42:17):
countries over and they go sell it somewhere else, right?
So some of these features are, for example, if somebody
snatches the phone from your hand I guess it's some sort of
type of machine learning or some way, some sensor activity that
combined together tells the device, hey, you're being
snatched, and immediately what the phone does is it blocks
itself, locks itself up, and then you know you're able to
(42:42):
then remotely find it or even wipe it and delete it.
And that's actually.
I'm going to jump straight to the deletion part, because I
just mentioned it.
I haven't seen many phones being deleted after seizure
lawful seizure because folks don't know how to do it, right.
They have to go to a website, they have to log in, they might
need dual fact-check authentication.
(43:03):
If the dual fact-check authentication is the phone
itself and they don't have the phone, they can't do anything.
Well, one of the features that Google is putting up is you can
go and take any phone from your body next to you, take it and as
long as you know your own phone number and you know a specific
passcode that you set up, you can access those capabilities
immediately.
(43:23):
And to me that means that folks need to.
I mean, we all should start getting, me included, a Faraday
box and those little Faraday bags.
We have them, but do we really, really use them?
Or we use them and then we open them and we get to the lab, or
(43:44):
then you lost the whole plot.
Speaker 2 (43:46):
You have to get a
Faraday room.
We have a Faraday room.
Speaker 1 (43:50):
Oh, but you're fancy.
Speaker 2 (43:51):
You all in New York
are fancy.
Speaker 1 (43:55):
I don't, I don't, I
don't got a room at all.
I barely have a room for myself.
But no, I mean a Faraday room, obviously, like you all do up
there.
It's the best scenario, but at least a little Faraday bag, and
I guess our standard procedure moving forward has to be that
not to only high, high risk phones but to all phones. Oh yes,
I agree, absolutely so.
Speaker 2 (44:18):
We will get them.
Sometimes they're in a Faraday bag.
But when we get them in the Faraday bag we don't even open
the bag until we go into the room.
And if, if you had the box, you could open the bag in the box.
But definitely they all should be equipped and in with a
Faraday bag upon seizure.
Speaker 1 (44:34):
Oh, absolutely.
We say it in our courses but people haven't seen that push
for it.
I think we're getting to the point where it's going to become
a thing you have to do with all these advancements.
Some of the other thing it does is if the thief tries to
(44:55):
disconnect your phone from the network for a long time.
Let's say I'm like I have the phone. Easy, I'll just stick it
on airplane mode. Done, and I take it and it's unlocked.
If some time it's gonna lock itself up, no matter what the
settings are, and you're like well, you know what, I'm gonna
change the settings.
Well, now, settings you could change in, change them only by
having the passcode.
Well, now, if you it's as enabled, you can put the pin
(45:19):
code, the phone unlocks.
You want to change those settings.
Guess what?
What it's going to ask for biometrics, right and now that
you have to have both.
Whereas before having the pin code overrode any biometrics
because the pin code was the thing, now it will ask for both,
right and again.
I see that as a good thing for consumers in regards to being
(45:40):
able to protect and stolen devices and dissuade these
criminals from stealing them, because why would they go to the
effort of stealing a phone.
They cannot wipe because it will not allow it to be factory
reset by a thief.
That's another capability. Thieves.
People stole the phones.
They factory reset them for selling them and they will not
(46:02):
be able to set them up again because the device will ask you
for the credentials of the Google account so and so you
know it's.
There's benefits to that, but also some drawbacks.
Uh, for us, obvious drawbacks, drawbacks, yeah, definitely,
definitely.
Speaker 2 (46:17):
There's another
feature that has also um a
private space that hides your sensitive apps.
So, like your banking apps or anything that's like personal,
you or could potentially hold private data that would allow
thieves to get into your accounts.
That private space feature lets you create a separate area in
your phone that you can hide and lock with a separate PIN code.
Speaker 1 (46:42):
And usually there's
apps that do that and usually
some yeah, suspects do it andthose ads.
You know, we have ways ofcircumventing it.
We can go and reverse some of that code, do some things, brute
force them.
But now this capability is built in the operating system
and how is that going to look for us?
I, we don't.
I don't know yet.
Oh, and this update you'll be like well, this is going to
(47:03):
happen with the latest phones.
No, any phone from Android 10 upwards, right, which is pretty
much any.
Any phone will benefit from the from these updates, and they're
saying the time frame is by the end of the year.
Um, so we just started thinking about how are we gonna address
some of these issues and train our first responders for this,
the people doing the seizures on these capabilities, because
(47:24):
they will need to be even more aware on how to properly seize
these devices and being able to do the work that we need to do
on a timely basis.
Speaker 2 (47:33):
Yeah, this is the
perfect topic too for somebody
who's looking for a research project.
Get some test data, test it out, extract it and see how this is
stored and how it's going to affect us in the forensic
community.
Speaker 1 (47:48):
Yeah, and I'm going
to jump ahead a tiny bit, but I
think one way they're going to be doing this is by leveraging
that multi-user function of the device, where you have more than
one account in a phone, which that's a thing that all phones,
modern phones do.
I can log into your phone and use it and then I can log off
and you can log in and you use it like a computer.
Right, and I think that's how they're going to do some of that.
(48:10):
I think because they've been giving hints in some of the
releases, the alphas from the latest Android.
It's going to be coming out. Some of that code you can see.
Speaker 2 (48:27):
See it there that
they're looking or doing that.
But that's all that's what I'm going to say now, because the
next section you're going to talk about a little bit more.
Well, the next section is a little bit different than that.
So, um, Samsung dual app is something I didn't really know
anything about.
Um, we have a new computer, newer, she's been there in the office
for a little while, but a newer computer forensic analyst named
Deanna in our office and she does extractions for, like her
(48:50):
main job duty in our office, and she came across a user account
95 in a Samsung phone.
Um, so what is it?
We, we didn't know.
And she took it upon herself to take one of my test phones and
go do some research and try and figure out how that user 95
account is created.
(49:12):
So, um, you could see that it was related to something called
dual messenger.
So she started out by researching what dual messenger
even is, um for Samsung phones, and she found that it's a
setting that can enable, can be enabled on specific Samsung
models that'll allow you to use two separate accounts for the
same application.
(49:33):
So, a little bit different.
It's for an app, not for the device.
I'm going to just pull up some pictures that she has from my
test device.
Speaker 1 (49:42):
But think about it.
Think about it.
It might be the same thing, because you can say, well, it's
for the app, yeah, but if the app is sitting in a separate
user space like another user?
to use like oh, it's another app, it's a different app.
No, it's a whole different user.
Yes, and a private space, like Samsung does on their secure
folder.
What do they call it? Secure folder?
(50:04):
Yep, yeah, secure folder.
We know already it's another user, that's all they do, that
they encrypt that other user.
So again, we don't know.
We haven't looked at it, but I have an inkling that that's
what's happening here as well.
Speaker 2 (50:14):
But we'll see, I have
a screenshot for you to show
some of that.
So she went into the settings, found the dual messenger
settings and under the dual messenger you'll find any of the
available apps, so the apps that are capable of having a
dual account installed.
She enabled Snapchat and installed the second copy of
(50:37):
Snapchat.
When she installed that the little icon you can see it in
the picture if you're listening, so I'll explain it there's a
little Snapchat icon and at the bottom right corner it's an
orange circle with two white circles inside of it.
Once she installed it in the settings, out on the home screen
(50:59):
of the device you have the user's
original Snapchat icon and then that Snapchat icon that has the
orange circle with the two little white circles inside.
So when she extracted the data the user account she had zero,
so that your main user account she had 95, which houses the
(51:21):
dual app capable applications, the 150, which is the secure
folder, and then 1000.
Actually, Josh Hickman told me what 1000 was the other day.
I didn't know that either.
It's the secure browser for Samsung.
Speaker 1 (51:35):
Josh is in the chat,
so Josh tell us again.
Write it in the chat.
Speaker 2 (51:39):
What's the 1000?
Yeah, tell us.
Tell us, please, the secure browser.
Oh, he told us already, already, yeah, he told me the other day.
Speaker 1 (51:46):
So it's a secure
browser.
Speaker 2 (51:47):
Okay, you remembered
okay yeah, so under the users
you have the separate user accounts and 95 holds that
Snapchat um dual application.
So I asked Deanna in my office.
I said well, what if you enable another application and you
have two?
Does it create like 96 or do they both go into 95?
Well, she tested that as well and they're both in the 95 user
(52:10):
account.
Speaker 1 (52:13):
So she's just Explain
that to me again.
So the user, user zero, I guess that would be her account has
these apps in the system and it just keeps dumping them in that
95, quote-unquote other userright.
Speaker 2 (52:27):
Yes.
Speaker 1 (52:28):
As opposed to making
a new user for each app.
Speaker 2 (52:30):
Correct, we installed
two.
She installed two and they both were under user account 95.
Speaker 1 (52:38):
That's interesting,
that's pretty interesting.
Speaker 2 (52:40):
I thought it was
going to hop to maybe 96, but it
didn't.
And she's doing all this testing.
She's going to write a nice blog on it.
She's got it started.
It's coming along nice.
But she's got a little more testing she wants to do with it.
Speaker 1 (52:53):
Yeah, and actually
Kevin's making a great point,
maybe for her testing.
He says multiple user data could be mixed.
So it'd be interesting to have another user account, not zero,
but another main user account, and then see we will dump it on
the quote unquote 95, or would it make its own 90, something
else?
So now, Kevin, you're making my brain move around.
(53:16):
And then how can we determine those relationships?
Right, how can we determine that zero is linked to that 95?
And again, it's hard for folks that you're not looking if
you're listening, but what Heather put on the screen is
those user account directories.
And what we're discussing is how can we discover those
relationships by looking straight at a file system.
That's now.
(53:37):
I'm excited.
Speaker 2 (53:39):
Deanna, if you're
listening or you may be watching
the recording tomorrow, but if you're listening, you have more
work to do.
I think she's having fun with it, so that's good.
Speaker 1 (53:49):
Yeah, and I'm going
to share some comments here
because we got a lot of luminaries in the chat.
Speaker 2 (53:54):
I see that.
Speaker 1 (53:56):
So Josh is saying
their profile is somewhat
similar to Windows accounts.
So Josh has been looking at some of the code that's coming
out.
As you know, Android is open source, so he's commenting that
they're considered profiles somewhat similar to Windows
accounts.
We have system local user and guest.
That makes sense to me.
Yeah, so 95, he has a dual app, you know.
(54:18):
And then he makes another list, a few more.
So 1,000 is the S browser, 1,001 is the private browsing in
the S browser.
The S browser is the Samsung browser and I want to make a
point with that.
Samsung is really known for saying, okay, Android from
Google is going to come with this functionality and for them
to be able to use or update their software to that version,
(54:42):
they have to have the same capabilities.
To say they're Android 15, right.
They can't say they're Android 15 and then not have that
capability.
Android forces you to have those capabilities, but Android
doesn't force you on how you implement it.
So Samsung implements things differently.
Samsung puts the digital wellbeing data in a database in
a whole different place right, for example.
Right, and this might be and again, give me your thoughts on
(55:06):
that, this might be kind of like an inkling.
This is how Samsung is going to implement that capability.
But it very well could be that Android is going to have the
same thing.
It's just maybe in a different place or in a different way, but
the same type of concept.
Speaker 2 (55:21):
Yeah, no, absolutely.
I think we're probably going to see this more in all of the
devices.
Speaker 1 (55:29):
Were you able to use
a tool from what we have now and
parse it and get I mean, what type of results you'll get?
Speaker 2 (55:37):
Yeah, so it's
supported.
The major extraction tools actually alert you that there is
a dual app account and it'll ask you if you want to brute
force it.
The tools will also pull the data and the major tools are
also parsing it as well.
Speaker 1 (55:58):
All right, but I
really wonder if you have more
than one user account.
Although that's kind of like an edge case. Most people don't
share their phones, right, but we need to look at everything,
right.
So I was wondering if you have more than one user with dual
apps enabled on each user, how would you know who generated
that data?
Speaker 2 (56:16):
Well, Deanna is going
to be testing that when I tell
her tomorrow, unless she's listening and you can get
started now, Deanna.
Speaker 1 (56:25):
Wow, you drive a hard
bargain here.
Speaker 2 (56:28):
Well, she's having
fun with it.
I'm not making her do it.
Speaker 1 (56:31):
I know, I know You're
kind and nice, we all know that
she's awesome.
Yeah, again, I got to show you know what we're going to bring
Josh one day just to chat here with us and be on the show.
Speaker 2 (56:46):
Yeah.
Speaker 1 (56:47):
Yeah, so multi-user
on iOS.
So that makes absolute sense to me that that will be definitely
coming.
He's also telling us that you have to have that collaboration
with other artifacts to help tie the profiles, and that makes
sense to me.
Yeah, it does.
Yeah, if there's no one direct thing that you could tell, at
least for now, you will have to do that.
But my inkling, and hopefully the research that you're all
doing starts leading us in that direction there has to be some
(57:08):
sort of internal indication of what is connected to what you
know.
Speaker 2 (57:13):
Right.
Speaker 1 (57:14):
But even at the end
of the day, that corroboration
with other artifacts is still necessary for that validation
and to actually paint a picture when you're trying to present it.
So that makes absolute sense.
Speaker 2 (57:22):
Well, we're going to
find that corroboration, because
I won't give up till I do, and Deanna is exactly the same way.
Speaker 1 (57:30):
Well, she has
somebody to guide her through
that process that knows a lot about you. Check this out.
So the folks at Hexordia and Jessica Hyde, they are SWGDE,
SWGDE.
My pronunciation is so Hispanic.
It sounded fine.
It sounded fine.
It's hard for me to pronounce a word that only has one vowel at
the end in English, but they are I mean again really
(57:56):
important organization in regards to establishing
different testing and validation procedures in our field, and
they're watching in the lobby.
So, hi everybody, we love the work that you do. In LinkedIn,
I follow all the happenings when you all get together and
come out with your different products and documents.
So we appreciate you and we appreciate you watching.
Speaker 2 (58:16):
Yeah, definitely.
All right, let me remove this.
So we will continue working on the dual app stuff and have a
paper eventually.
Speaker 1 (58:29):
Yeah, we'll announce
it on our social media and keep
an eye out for that.
I'm really excited about it now that you discussed it, so I'm
looking forward to it.
Speaker 2 (58:38):
Yeah.
So another quick update here.
We have some collaboration with John Hyla.
If you don't know who John Hyla is, he actually went and taught
with us at IASIS the last two weeks prior.
He has an electronics canine named Hannah, who we love.
I showed a picture last week.
(58:58):
But he has been collaborating with CCL Solutions on updates to
their SegB script, so he actually is improving the
usability of the library for parsing iOS and macOS SegB files.
He was able to shorten the amount of code needed for the
(59:19):
iLEAPP, specifically for the iLEAPP artifacts, and it now internally
handles checking if it's a SegB1 or a SegB2, and processes
automatically and returns you the data.
Speaker 1 (59:37):
And John is the
granddaddy, or the father of our
SegB knowledge in the field.
He was the first one that actually said you know what?
What is this?
Is this important?
So he's the first one that put something out in public and I
mean the whole field benefited from it.
It's kind of funny because at the beginning that article came
out and nobody really thought much of it until they figured
out holy crap, this is super important.
(01:00:00):
So I was honored, we were honored, to teach with him over
at IASIS and we're going to have him back next year.
Hopefully his agency continues to send it with us.
Speaker 2 (01:00:09):
Anyways, I digress.
Speaker 1 (01:00:19):
The point I'm making
is that he made some good.
One of the things that he changed that I'm really happy
that he did is that the code as it was and it was correct, right?
The segb file tells you hey, these are the amount of bytes
you need to read to get to the protobuf payload, because the
data within the segb file is in a protobuf formatted payload,
most of it and it said read from this byte to this byte.
And when you did that, the first eight bytes were not
actually part of the protobuf.
So I had to in my code and we learned about that yesterday.
(01:00:41):
Right, Heather, we had to, in the code, clean those
first eight bytes out to then actually get to the protobuf.
But that's been taken care of.
So now you don't have to worry about those eight bytes in your
code.
The library will account for them automatically, which makes
my life so much easier and Heather's life so much easier,
which I know she will appreciate.
Speaker 2 (01:01:01):
Yeah, I'm not good at
figuring out how to remove the
bytes.
Speaker 1 (01:01:05):
No, she's good.
She's just going through that learning process and everybody's
bad until you learn how to do it.
Speaker 2 (01:01:12):
So don't be hard on
yourself, girl.
The computer was about to go out the window last night, so I
had some choice words for it.
Speaker 1 (01:01:19):
Fantastic, beautiful.
I love your computer.
Oh, that was definitely it.
So check that out.
And again, I motivate folks.
Look, the field is moving fast and you need to keep up, and one
way is start learning some scripting.
Learning some scripting.
I've been having again tangent, sorry, little tiny soul back
(01:01:39):
moment.
I got folks in the last two weeks ask me hey, I got this
JSON inside a database or these type of data stores.
What do I do?
What tool do I use?
And the thing is that the tool will format it for you to look
at, maybe indent it for you so it looks nicer, but that data
source might have so much gunk in it that you don't care about,
(01:02:00):
right that.
What you need to do as part of what we do in our IASIS class,
is give you some tools, say, look, you need to learn a little
bit of scripting to be able to pull the relevant items of that
thing to actually come to proper conclusions.
And sitting down and waiting for the tools to do that, it
might not come anytime soon for your intents and purposes, right.
(01:02:21):
So we need to start thinking of coding not as a good thing to
have in an examiner, but as a necessary thing to have if
you're coming into the field.
That's my perspective.
Speaker 2 (01:02:34):
Yeah, no, I agree, oh
well, and you can see it.
You can view it in a lot of the major tools, but how are you
reporting it?
There's no add this to my report function in a lot of
those data viewers.
Speaker 1 (01:02:46):
Look, heather, don't
feel bad.
Speaker 2 (01:02:47):
I see it, somebody of
the stature as the forensic
scooter is also learning with you.
Speaker 1 (01:02:53):
So if he's telling
you that he's learning and he's
putting hard work.
You're in excellent company.
Speaker 2 (01:03:00):
Listen.
Most of the time, Scott.
You are teaching me because I am constantly referencing your
blogs.
Speaker 1 (01:03:08):
You and me both.
Speaker 2 (01:03:09):
Uh-huh, Rereading and
rereading.
What does he mean here?
Wait what.
Speaker 1 (01:03:15):
Yeah, and not because
it's not clear.
It's because there's so much good stuff that we're like I
cannot hold it all in my brain at the same time.
Speaker 2 (01:03:21):
It's all good,
there's just so much.
Speaker 1 (01:03:27):
Actually, Scott, I'm
going to talk about you more in
a little bit.
Speaker 2 (01:03:29):
Shortly here.
So more research.
I'm on a kick of pointing out people's good research.
So today, actually on LinkedIn, there was a post from Brian
Hempstead and he did some work with the Session application.
If you don't know what the Session application is, it's a
(01:03:51):
privacy-based chat app.
So Cellebrite was the tool he used.
He was able to decrypt and parse the data.
But he takes it a step further and he validates the data.
Right, he goes in, he looks at the database and he's validating
what he's seeing in the parse data and the research blog.
I'm going to put his oh, this will be in the show notes, but
(01:04:11):
I'll put it up anyway.
Um, the research blog actually outlines, um, how he's able to
identify which chat thread a particular image attached image
um originated from, which is really important when you have
these chat applications.
Sometimes the images are well, most of the time the images are
stored separately and being able to relate them back to exactly
which chat the images go with can be really difficult.
So definitely a good research paper to read.
Speaker 1 (01:04:35):
Oh, absolutely.
And again, even if and we say this a lot even if the tool does
it for you, coming out with a research paper, you know testing
and validating, testing, you know validating that data and
testing the tool, it's so important.
I mean it's another way of doing kind of like a peer review
type of work that you can then say look, this is not me making
(01:04:56):
this up, it's just a tool hallucinating things.
There's backing to this.
So we appreciate folks like Brian that make the time to kind
of guide us through their analysis and we all learn from
it.
Speaker 2 (01:05:08):
Yeah, definitely.
Another announcement.
I'll let you take this one.
Speaker 1 (01:05:13):
Yeah, talking about
learning.
If you all don't know Phil Hagen, you should.
Phil Hagen has been around for a long time.
He's really well known for doing forensics in networks and
I've been one of his students one of the classes.
I really enjoyed that class.
I actually want to take it again.
Obviously there have been advancements and not only does
he teach the SANS network forensics class, he spearheads
(01:05:38):
Linux distribution used for network forensics that you can
download and benefit from, and he's come out with a YouTube
channel and I'm really excited.
I want to after my trips these trips that are coming up.
When I'm done with that, I'm going to start going to his
videos where he goes about all the network forensics knowledge
that he's teaching.
He has them as a series of videos.
(01:05:59):
So I really recommend folks to go and subscribe to the YouTube
channel.
It's really easy.
You have the link there.
It's youtube.com
slash at Phil with one L Hagen, H-A-G-E-N, and again, he's a
fantastic instructor.
A master instructor knows his stuff back and forward and you
(01:06:20):
will learn a lot from him.
So I'm really happy that he's putting that content out to the
community.
Speaker 2 (01:06:25):
Yeah.
In his post about his YouTube channel too, he specifically
says that anyone starting out in network investigations and
analysis this playlist will be very helpful for you.
So if you're looking to just get into network analysis or
investigations, this may be a good place to start.
Speaker 1 (01:06:44):
And let me tell you,
for folks that are data
forensics and law enforcement and you do phones and computers
all day long when you go out to the private sector if you start
getting ready for this type of work, you'll benefit by
expanding your skills.
Definitely, because you see well, network forensics for what?
When there's intrusions in an enterprise, the nuggets of the
intrusion, when it's happened and how guess where they're
going to be? In your network logs, in the devices in between the
(01:07:09):
routers or in devices that are gateways to your network, that
keep logs, that keep information about that.
Has there been any exfiltration from that network?
Because we want to know if it has and be able to remediate and
take into account those.
How do you do that?
Well, I don't know.
It's not on the computer.
Well, it will not be on the computer.
(01:07:29):
It will be based on network forensics.
If you have a network where you're doing packet captures, if
it's a sensitive network, how do I go about dealing with PCAP
files?
Maybe it's not data sensitive, but you're getting NetFlow data
and again, but you're getting NetFlow data and again.
If you're like a cop like ourselves and you never heard
about the term, about NetFlow or the term PCAP, well, maybe you
should. Right.
So a good way is going to the channel.
(01:07:51):
Start learning about those things.
It can only make you better.
Speaker 2 (01:07:55):
Yeah, I would say
that this is one of my weaker
areas and I'm looking forward to going and starting from the
beginning of the playlist and watching all the way through.
Absolutely.
Speaker 1 (01:08:03):
Absolutely.
Speaker 2 (01:08:04):
Absolutely so.
Another update from this week: VMware Fusion Pro.
If you use VMware, it's now available free for personal use,
the pro version.
So you could use VMware Player before as a free version, but
now the pro and Workstation Pro have different license models,
(01:08:26):
one free for personal use and then one paid for commercial use.
Speaker 1 (01:08:31):
And when I heard that,
I felt the heavens open, the
angels singing hallelujah oh boy.
Yeah, actually, do I have any reaction for that?
Speaker 2 (01:08:44):
Let me see, you don't
have any fireworks or anything.
Speaker 1 (01:08:47):
Oh yeah, look, look,
yes.
Speaker 2 (01:08:48):
There you go, there
you go, I have fireworks.
Speaker 1 (01:08:50):
Folks that are
listening.
I have fireworks behind me.
I'm going to put some of the confetti coming down.
I'm really happy because, you know, VMware was bought by a
company I forgot what the company was and they've been
making some moves there in regards to their pricing and I
think this is a really welcome way of getting into the good
graces of the user base and I agree with it.
Speaker 2 (01:09:11):
Yeah.
Speaker 1 (01:09:12):
Of course you know,
if you're a corporate user, you
might have some comments about the non-free model.
But I don't care.
I don't care about you, Sorry.
Speaker 2 (01:09:23):
That's nice.
Speaker 1 (01:09:25):
Good, but I don't
care I don't care about you.
Speaker 2 (01:09:28):
Sorry, that's nice.
Good luck with that.
They also in the article that I've outlined I'll have in the
show notes.
They also have a link to a podcast that's available that
discusses all of the changes.
So if anybody's interested in that as well, they have a whole
podcast explaining the changes and part of it is called Did I
Hear Free?
So if you heard free and you want to hear more about it, tune
into their podcast.
Speaker 1 (01:09:49):
Exactly.
It's not like fat free where you don't have fat.
It's like free as in you can use it.
Speaker 2 (01:09:54):
Yes.
Speaker 1 (01:09:56):
Here we go.
Cesar told us it's Broadcom about VMware.
Speaker 2 (01:09:59):
Okay, perfect, I was
looking at that today.
Speaker 1 (01:10:04):
I couldn't remember
it.
It was a tip of my tongue.
I was about to stick it out to see if I could read it.
Thanks for reminding me of that, yeah.
Speaker 2 (01:10:12):
All right.
So what's new with the Leap All?
Speaker 1 (01:10:14):
right.
So I said a second ago that we're going to talk more about
Scott and the forensic scooter.
So he's really well known as the.
Now he's the granddaddy of Photos.sqlite analysis and, for
folks that are not in the know, in iOS, Photos.sqlite keeps track
of the images from that deviceand it has a ton of information.
(01:10:36):
One of the things I like about that database is that it helps
me it's a data point to determine where a picture came
from.
So he added support for one of the queries that he has within
the queries that he shares and also within my own tooling,
iLEAPP in the LEAPPs, to be able to get embedded plists out of
(01:10:56):
that and also get embedded preview images, which is pretty
good because if it's sitting there, I can look at that image.
In case you know, the garbage collection hasn't gone around
yet, right?
So another way of getting at the data and we say this in
other episodes data is like money it likes to replicate,
replicate, replicate, replicate.
So you got to know where that stuff is.
Speaker 2 (01:11:17):
Right.
Speaker 1 (01:11:19):
The only drawback is
that it's a pretty involved,
intense script and it will take some time to run.
So the decision that we made and by we I mean Johan, which
again Johan, we love you he said you know, maybe we should make
this optional.
What that means is that when you run iLEAPP, it's not going to
(01:11:39):
be checked by default, going to be checked by default.
So that gives you the power to say look, do I really want to
spend five, six extra minutes on looking for something?
Then you can do that and you might tell me five minutes is
not a long time.
The LEAPPs are designed to be quick and to me, five minutes is
a lot.
Speaker 2 (01:11:56):
Yeah, that is a lot
for the LEAPPs definitely.
Speaker 1 (01:11:59):
Yeah, for other tools,
five minutes is just them.
Speaker 2 (01:12:01):
Starting to process,
see if we can even find the
database.
Speaker 1 (01:12:12):
Exactly, it's a
computer on.
It's just eating up your memory.
Those five minutes used to eat your memory up, so that's a long
time in our benchmarking for that.
But it's not Scott's fault, it's just that there's so much
data to be got to get.
Then that's how it is right.
So it's optional.
So what I tell folks is look, run it without the optional
stuff on, first to get your quick hits, and then, if you
need to go deep dive, then only check the Photos.sqlite or
(01:12:35):
check some of the other ones that take a long time, and then
do that with more time.
You can do those while you're looking at your first parsing
for quick wins.
Yeah, so another update.
It's K-9 Mail support by Kalinko.
So we appreciate you.
Kevin has made the report in the LEAPPs a little bit more
(01:12:57):
pretty, so it's actually highlighting some of the header
sections on the left side of the interface.
So I appreciate that.
He showed me.
I'm like dude, of course it looks great, do it, do it.
So he made those changes and we are working on by we I mean
mostly Heather.
Speaker 2 (01:13:14):
Oh, yeah, right.
Speaker 1 (01:13:16):
So what are we
working on?
Speaker 2 (01:13:18):
We're updating the
current one, actually because
there already was one, but the browser state database.
So previously on a prior episode, we talked about Ian
Whiffen's research on the browser state database and how
the last visited timestamp doesn't necessarily mean last
visited.
So I was just going to go inand change that field so it
(01:13:41):
didn't say last visited timestamp anymore.
But there's another table inthat database that includes tab
sessions data.
So I thought we'll just add that tab session data in to
match up with the tabs that are open.
And it didn't end up being as easy as I thought it was going
to be.
I am struggling.
(01:14:02):
But I'm getting help from a pro.
Speaker 1 (01:14:05):
You're being too hard
on yourself.
Speaker 2 (01:14:06):
Oh, my God.
Speaker 1 (01:14:07):
You're doing good.
You're doing good.
Speaker 2 (01:14:09):
So it'll be coming,
but it's not available quite yet.
Speaker 1 (01:14:14):
Well, you know, I
mean, see, the thing is that you
know I'm going to kind of, I'm going to point you, but I'm not
going to do it for you, as you know.
Speaker 2 (01:14:19):
So no, I appreciate
that I'm going to push, do it
for you, as you know.
So, no, I appreciate that I'm gonna push you along.
I thought I would do it without asking Alex for help.
I'm like ah, let me just try it myself.
Speaker 1 (01:14:30):
I don't, don't, don't
help me, yeah right, yeah right
no, look, I mean, and as I was telling you yesterday, I mean I
would appreciate something like yogeshka 3, which again really
up my understanding and and I had to leave some of that ego to
the side and say you know what I need help, I need to actually
learn the process.
So we're going through it and it's you know, you're doing
(01:14:50):
great, so don't feel bad.
Speaker 2 (01:14:51):
I finally caved and
asked for the help that's
actually the harder thing.
Speaker 1 (01:14:56):
It's not the coding.
It's actually getting to that point, so well done.
Speaker 2 (01:14:59):
Yeah, I get to a spot,
though I'll get to a spot
where I'm like I don't know what you're talking about, and then
Alex is like let's start from the beginning, and I'm like, no,
I know.
So that was why the computer almost went out the window last
night.
Speaker 1 (01:15:12):
Well, and for folks
that are like what are you
talking about so you can understand, say well, I know
this is the output I want, but do you really know how you got
there?
Speaker 2 (01:15:21):
I didn't.
Speaker 1 (01:15:22):
Yeah, and actually
getting there is more important
than the output.
That's kind of the lesson we were talking about yesterday.
Just because you got the right answer doesn't mean that it's
right. Right.
Speaker 2 (01:15:32):
And also I'm not
going to be able to replicate it
unless I understand it.
Speaker 1 (01:15:35):
Yeah, or troubleshoot
it when it goes wrong, because
you don't know what happened.
You just know that it's there,right?
Speaker 2 (01:15:41):
Yeah.
Speaker 1 (01:15:41):
Absolutely happened.
You just know that it's there, right?
Yeah, no, absolutely, and, and I mean it's again, we have a lot
of fun doing that.
Um, so, and and folks, again we motivate you to look into ways
of expanding you're not expanding yourselves and and and
being better.
Um, I want to say something real quick about that database,
the browser state database.
Uh, I didn't see it a lot.
Now I see it everywhere.
(01:16:02):
In a lot of cases, yeah, it's like when you buy a car, it's
like, oh look, I bought let's say, I bought a new I don't know
a BMW, whatever, and you have it.
And now when you drive, you seeit everywhere.
That's me now.
I see that browser, that DB, everywhere and it's important
because a lot of I've seen cases coming to wrong conclusions and
(01:16:24):
we discussed this a few episodes ago.
Check out Ian Whiffen's blog on the BrowserState.db.
In regards to how those timestamps are populated.
People are coming to wrong conclusions, both on the
prosecution side and the defense side on what those timestamps
mean and that's a big problem.
How can I say this side and the defense side on what those
(01:16:44):
timestamps mean?
And that's a big problem.
How can I say this?
Some tooling might decide not to even show it because it's
complex and there's no certain way of determining where the
timestamp comes from, under what circumstances, and that's a
decision that tooling makers can make and others can decide to
(01:17:05):
still show it and hopefully put a lot of flags around the same.
You know timestamp of, you knowindeterminate origin.
Speaker 2 (01:17:12):
I don't know how to
describe that field.
I'm still debating what to callit.
Speaker 1 (01:17:17):
It's tough because
we're talking about it I know
we're off the hour, folks just three more minutes and we're
done.
Like, do we want to show that to users if we cannot determine
certain things with certainty, or do we want to hide it to
avoid confusion?
Or do we want to show it just for completion?
And I mean, you have an opinion on that, Heather.
Speaker 2 (01:17:35):
Yeah, I mean I want
to see it when I'm working on
the case.
I want to see it.
I have like a general understanding of what different
circumstances can make that change the timestamp, so I still
want to see it.
I still know it's associated with those tabs.
I just never would go in and testify that this is the date
and time that that specific website that's tied to that tab
(01:17:59):
was visited, because it's been found in research, in Ian's
research, that that's not true.
But I still want to see it.
Speaker 1 (01:18:07):
Yeah, and I'm like
you.
I also want to see it Again.
It talks about what we talked about at the beginning.
If you have multiple data points, maybe you cannot point
to that one, but you can build this pattern across multiple
data points to come to a conclusion.
So we need that.
But at the same time, a lot of examiners don't have the
expertise to look at it that way.
(01:18:27):
And is it a fault of the tooling or is it our fault, or
is it a way to we can bridge that gap.
We're going to try with our artifact and see how that comes
out.
Speaker 2 (01:18:37):
Yeah, you just have
to be very careful in how you
name that timestamp field.
Speaker 1 (01:18:41):
Yeah, yeah,
absolutely that header, for that
could make or break a case.
So again, folks, if you're not in the loop again, do Google EN
within W-I-F-F-I-N.
Double black is his blog and look for the BrowserState.db
entry.
It's a really in-depth research on this database and and I
(01:19:04):
recommend you do that - yeah, I do as well.
Speaker 2 (01:19:08):
So we've made it to
the end.
We're at the meme of the week, the most important part.
Let me see if I can share it here.
Speaker 1 (01:19:16):
No, it's truly the
most important part.
So let's give some fireworks, let's get some balloons going
there.
All right, describe it for us.
What are we seeing here, Heather?
Speaker 2 (01:19:29):
Okay, so we have
finished a conference, speaking,
teaching event, and now you'reback right Back in your office
Pending work stuff.
And then we have a nice little expletive to outline that
pending work stuff that you came back to.
I picked this one this week because we were just gone for
two weeks and I mentioned at the beginning of the show I got
(01:19:51):
back to a trial that had already started and had to go testify.
So the little expletive may have been my first response or
something similar to it, but also all the work that piles up
right, all of the things that still need to get done even
though you're gone for two weeks.
Speaker 1 (01:20:07):
See, I watch.
I know you haven't watched it,but I watched Fallout on Amazon
not too long ago.
So, now all my cursing is okie dokie.
Speaker 2 (01:20:16):
Okay, you may have to
replace that on this meme then,
but it will not be as impactful.
Oh, no, no, no, no.
Speaker 1 (01:20:26):
The meme stays as is
right.
Okay, good, I know Kevin will watch the show so he knows I
like the meme a lot because it's from the Office.
What's this guy's name in the Office?
I forgot his name.
Speaker 2 (01:20:34):
I've never seen the
Office.
Speaker 1 (01:20:36):
Oh my God, Okay, get
out of here.
Speaker 2 (01:20:38):
I know I get picked
on at work constantly for got
you, got 10 seconds to leave, to leave the the uh the stream.
Speaker 1 (01:20:48):
Okay, no, I know even
I seen it right, so anyways.
So he's really happy they're standing like having a good time.
I just finished my conference and then the pending work stuff
kind of creeps up on him yeah, and then kind of shows up on the.
He's like, oh, yep, f you, you know what right.
So I like that.
That's how I felt also when I got Dwight there we go, Caesar,
saving the day.
(01:21:08):
Yeah, Dwight Schrute.
Schrute is that I see my pronunciation is so bad, but
yeah.
So I think it's a funny meme, because that's how I felt after
I came for IASIS and how will I feel again when I come from
Argentina.
Speaker 2 (01:21:20):
I was going to say we
may have to reuse it in a
couple of weeks, but you'll have to make a new one that has the
similar theme for for the next podcast, that's true, I gotta, I
gotta think of something that's topical for the region.
Speaker 1 (01:21:33):
We'll see All right.
Well, so I think we're at theother.
I know the podcast.
Speaker 2 (01:21:38):
Thank you for staying
with us.
Speaker 1 (01:21:41):
Yeah, thanks for the
folks that watch live and also
thank you for the folks that are watching and listening later.
We appreciate you.
Please send us your comments, your ideas, constructive
criticism.
We love that and, again, we're going to be out for a couple of
weeks due to travel, so please go to our LinkedIn Detail
Forensics Now podcast to get notice on where we're coming
(01:22:05):
with a new episode as well.
Yes, and I think that's it.
I mean anything else for the good of the order, Heather.
Speaker 2 (01:22:10):
That's it.
I see a question about the LEAPPs in the chat from Mr Maka
and I'm going to get with you offline and answer your
questions.
Speaker 1 (01:22:18):
Well, you're awesome.
Speaker 2 (01:22:19):
Heather.
Speaker 1 (01:22:20):
We appreciate it.
All right, folks, then we'll see each other soon-ish.
Just keep an eye out. Peace.
Speaker 2 (01:22:28):
See you Bye.
Thank you.