Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:05):
Welcome to the Digital Forensics Now podcast.
Today is Thursday, October 3rd, 2024.
My name is Alexis Brignoni, aka Briggs, and I'm accompanied by my co-host, the best co-host anyone would ever dream of having.
The one that makes sure things work as advertised, the premier
(00:30):
Geek Squad agent of the digital forensics world, the one and only Heather Charpentier.
The music is Hired Up by Shane Ivers and can be found at silvermansound.com.
Everybody see us, see your beautiful smile.
Did you like the intro?
(00:51):
Did you like the intro, Heather?
Speaker 2 (00:53):
I knew you would not let me get away without the Geek Squad comment. Of course not.
Speaker 1 (00:59):
Oh my gosh.
Speaker 2 (01:01):
Well, let me tell the quick story behind the Geek Squad comment.
Yeah, please do share. I was testifying in a trial, which is now completely over with, um, and I, uh, was being questioned by defense and they pretty much equated my job to being a member of the Geek Squad at Best Buy.
(01:21):
Yeah, right up on the stand. I was like, what? Promptly corrected them and told them no, that I work at the New York State Police Computer Forensic Laboratory.
Speaker 1 (01:37):
Which, with the Geek Squad, but not from Best Buy, just for the state police.
Okay, let's make it clear.
Speaker 2 (01:44):
Forensics is a little different between Best Buy and a state police agency, I would think. Oh, my goodness, that's hilarious, the Geek Squad.
They didn't give you like a cup for that? Oh yeah, one of my co-workers bought me a mug. I said the Geek Squad, he thought it was funny.
It is funny, it is funny. It is not that you look like a geek,
(02:05):
but maybe you do.
I don't know, you need some glasses to reinforce it.
Careful with the geek.
Speaker 1 (02:11):
Look, I am a geek and a nerd, so don't feel bad about it.
Speaker 2 (02:14):
All right, yeah, I guess me too.
Speaker 1 (02:16):
Embrace it, embrace it. All right, all right, so yeah, so everybody, again, we're here.
We had to jump or skip an episode because life gets in the way, but we're back.
I just want to say a quick hi to Johan, and we're going to a good friend from, he's in France, and we're going to be talking
(02:36):
about some of the work that he and some of the other folks are doing at the Leaps by the end of the show.
But before we do that, Heather, what else is going on other than being called a geek, uh, by a court?
What else is going on?
I know?
Speaker 2 (02:49):
Um, we, uh, have some new employees that just started in our office, so, uh, I have been with my, my other co-workers, uh, starting with them with the intro, kind of here's the intro to your job and what you're going to be doing.
We started a whole new program to kind of not just throw them into digital forensics, like to prepare them to work in digital
(03:11):
forensics.
So it's been going pretty smoothly.
Speaker 1 (03:15):
How about you, instead of just giving the firehose approach, you tell them, hey, look, here's the firehose, are you ready?
Okay, now here we go.
Speaker 2 (03:22):
That was kind of the method we had before, and now we're kind of structuring it a little better now.
Speaker 1 (03:29):
That's awesome.
That's awesome, I mean, and we need to do that.
Speaker 2 (03:33):
Yeah, definitely, definitely.
Speaker 1 (03:35):
Well, on my end.
So I participated at the InfoConf conference.
Well, Infoconference, but InfoConf 2024.
That's in Argentina.
Sadly I was not there in person.
Yeah, I know, it was in La Matanza University.
That's right there next to Buenos Aires, and it was awesome.
(03:59):
I spoke about push-button forensics versus examiner.
What's the word I'm looking for in terms of translating from Spanish?
Be an expert, right?
So an expert versus a push-button forensics, right?
So what's the difference there and why should we strive to do more and actually, you know, up our level of expertise?
So I talked about that a little bit.
(04:20):
On mobile forensics, a little course.
So it was pretty fun.
And yeah, and next week I'm going to land at Seattle, at SeaTac, and I'll be, I think, in Redmond for the Northwest ICAC conference, one of the bigger ones in the country.
I'm super stoked and excited. Yeah, that's awesome. Oh, I, yeah, I've been to the ones back in the day.
(04:41):
I was, when I used to do exploitation, to the ones back in the day, we, when I used to do, uh, uh, exploitation cases, online exploitation cases, like full-time, that.
I went to the one in Dallas a lot, so that was a lot of fun.
I've heard that one's awesome.
Speaker 2 (04:51):
I've never been to the one in Dallas.
I've been to the one in Orlando, but not Dallas. Yeah, yeah, the Orlando ones are gonna show up.
Speaker 1 (04:58):
But kind of funny, by the way.
Yeah, it was good.
Yeah, so this is my first time going there.
It's pretty cool.
I'm going to be at a panel with a whole bunch of people that, it's like, how did I get in this panel?
So you know, Heather Barnhart is going to be there in the panel, Jessica Hyde and a few other folks where I admire.
(05:18):
So I'm pretty honored to be there and I'm going to give two courses on the Leap tools and Python and stuff like that.
So that's fun.
Speaker 2 (05:25):
Oh, very cool.
Speaker 1 (05:26):
Yeah, oh, Kevin is in the chat.
Hi, Kevin.
Speaker 2 (05:28):
You belong on the panel.
Don't be modest.
Speaker 1 (05:31):
You're kind, you're kind. Yeah, so that's what's going on, what's going to happen.
Awesome, pretty cool stuff.
Speaker 2 (05:37):
Yeah, very good.
Well, let's talk about some of the things that have been going on the last three weeks.
I'm not sure if everybody saw, but Josh Hickman from the Binary Hick, who also works at Cellebrite, released some new test images for everybody to use. iOS 16, iOS 17, and Android 14
(05:58):
test images are now available.
They are all Cellebrite extractions this time around.
The iOS 17 image, he says, picks up right where the iOS 16 left off.
He upgraded the iOS 16 to iOS 17 and just continued generating the test data, and he has these all on a site hosted by Digital
(06:20):
Corpora, and I'll put the link up here for his blog about the release of those new images.
Speaker 1 (06:28):
Yeah, and I love these.
Every time they come out, we run into the Leaps, you know the tools, the community tools that we work with, but also running through your other tooling, tooling sets, and try them out, and he adds, like, for example, iOS.
He usually adds sysdiagnose logs and some other extra things.
Yeah, so you get a really good picture of what that phone was
(06:49):
doing, and for research it's just invaluable.
So highly, highly recommend, especially, you know, 17 and 18 and all that, with all the SegB files.
You can play with those and some other artifacts that are coming out on the newer version.
So we really, really, really appreciate Josh's work and hopefully he keeps doing that.
Speaker 2 (07:08):
Well, and now that he has 16, 17, and 14 out, iOS 18 and Android 15 will be coming out, so they'll just keep him busy.
Speaker 1 (07:17):
I don't think he ever sleeps.
Yeah, well, you know, I'll buy him the coffee.
It's okay, it's all good, there we go, to keep him awake.
There's iOS 18.
And you know, I think they, I don't know if I mentioned it last episode, but the whole hiding apps thing. Yeah.
I really want to have some test data to do some more.
I know some people are working on it, but I would like to look at it myself.
Speaker 2 (07:42):
Yeah.
Speaker 1 (07:42):
Well, that's a great, great segue, right.
Speaker 2 (07:44):
Yes, perfect.
There's a couple of blogs related to iOS 18 that I saw.
I'm sure there's more, but one is out by Chris Vance from Magnet Forensics, and another one, Mattia, I'm going to butcher his last name every time.
Speaker 1 (07:58):
I'm sure. Epifani, you said you were going to say Epifani, I think I would have had it right.
Speaker 2 (08:02):
Yes, Epifani, I think I would have had it right.
Yes, of course you would.
So he has a new blog with iOS 18 too.
So the Magnet article takes a look at iOS 18 with a full file system extraction.
Just a couple of the things that Chris outlines are app protections, so a user can hide and password protect apps and/or
(08:24):
just password protect apps.
The article provides the plist that holds the data to track which applications have been hidden or hidden and password protected, and then hidden apps will actually be marked ignored in the IconState plist.
But he has a whole section on that in his blog to check out.
He outlines the new RCS messaging feature in iOS 18.
(08:48):
So, if my iOS friends have noticed, they now can see when I'm typing to them because I'm an Android user, but they can see when I'm typing to them.
But he outlines how that'll look in the SMS database and that it will indicate if a message was an RCS message.
The date read and date delivered will now have a date
(09:09):
and time in the SMS DB for those RCS messages.
Speaker 1 (09:13):
Look, I was hoping iOS users would discriminate less about, you know, less, you know, in regards to Android users being in their chat, but no, I don't think so.
They'll still feel superior.
That's iOS users.
What can I tell you?
Speaker 2 (09:24):
A couple of my friends don't like it.
Speaker 1 (09:27):
See, I told you, I told you. I was kidding, but not so much.
Speaker 2 (09:31):
Like, why can I see that you're typing now?
Don't you still have Android?
They thought I switched over to iPhone.
I'm like, no, never, never.
Speaker 1 (09:39):
Hey, we love iOS too, yeah.
Speaker 2 (09:44):
In iOS 18, users can now also schedule their iMessages with a send later feature.
So when the messages are scheduled, they're immediately written to the database.
So that'll change maybe some of the way you do forensics and interpreting that message data, and the date will reflect when the message is actually scheduled.
Speaker 1 (10:05):
Oh, interesting.
Speaker 2 (10:06):
Yeah, I thought so too.
Speaker 1 (10:08):
Yeah, I wonder if there's any other contextual clues somewhere else in regards to when this was actually written, because, let's say, the message is trying to make an alibi.
You know, yeah, I'm over there.
You wrote it before the event, right? Before you, whatever, making the subline.
You killed the suspect, I mean killed the victim.
(10:28):
Then, okay, I would like to know that you wrote this before, right, yeah?
Speaker 2 (10:31):
Definitely, definitely.
Speaker 1 (10:33):
A lot of research to be done, yeah.
Speaker 2 (10:35):
Yeah, a ton. I'm just, I'm just highlighting a few of the key features.
There's a whole bunch more in the article that Chris wrote as well.
He also noted in his article that there's still data in the KnowledgeC.
No major changes were noted, and that the SegB version 2 files are still in iOS 18.
No new versions, so you don't have to change all of the
(10:57):
artifacts for iLEAPP.
Speaker 1 (10:59):
Yeah, I know, I mean, this whole changing versions, but that's good, I'm happy.
Speaker 2 (11:05):
Yeah, so that's Chris Vance's article.
I'm going to throw the link to it here, but as always, it'll be in the show notes at the end of the show when we put that up.
And then Mattia, his blog addresses some of the changes found in an extraction that he created with Ufade.
We've talked about Christian Peter's Ufade tool quite a bit
(11:28):
on the podcast, and it's awesome, and that's what Mattia used to extract the data from his device.
Speaker 1 (11:34):
Yeah, no, and let me tell you real quick, Ufade is awesome.
Just a quick reminder for folks.
It's free, you can use it, you don't have to pay nothing, and you get extractions from iOS devices and they look like advanced logical extractions, you know, and it pulls, it does a whole bunch of features, and again, it's free.
(11:54):
So I've been recommending it a lot.
I was recommending it to the students in Argentina when I was talking to them last week.
Um, and Ufade, there we go, um, Christian, go.
Christian is on the chat.
Speaker 2 (12:06):
He says this feels like a knightly accolade.
Speaker 1 (12:13):
There you go, Sir Peter of the iOS Ufade. I need one of those big broadswords and go shoulder to shoulder, right.
No, it's good stuff.
Thanks, Christian, for hanging out and for putting that tool out there.
We appreciate it.
Speaker 2 (12:24):
So Mattia's blog details a list of files present in the previous versions of iOS and available in an iTunes backup with iOS 18.
So they're still available.
He provides locations in the file system for all of the files that he mentions.
He also includes locations of files that should be analyzed from the sysdiagnose logs, and it's a great blog. Definitely a
(12:49):
great blog.
While we all wait for support to have that full file system for iOS 18 too, I think, I'm not sure, one of the tools has it for consent, I think.
Speaker 1 (13:00):
I do not know, I think so.
Speaker 2 (13:03):
But again, how many suspects have unlocked iOS devices there?
Speaker 1 (13:08):
No, I mean, and the thing is you still need to be.
This type of stuff is good because you still need to be aware of what the functionality is, because the moment, even you get access to the phone because you've got a full file system extraction, and for the folks that might be the first time listening to us, what that means is that now you can get to all the files and folders on the phone, not just what you
(13:29):
will get from an iTunes backup, which is really limited, right?
Um, that you need to be aware what you're looking for, what you should be looking for.
You need to understand the phone features per the operating system.
If you're not aware that apps can be hidden, then you're not going to look for it.
If you're not aware some of the stuff we're going to talk about in the next section, you're not going to be aware of what you
(13:52):
need to take into account, like the RCS messages, right? When Android folks type, how does that look in the database?
Is there any changes in the database that identifies it as Android users versus not Android?
There's a lot of things you need to take into consideration, and just knowing the info is important.
When you get access, then you apply that information.
Speaker 2 (14:09):
Right, Kevin just chimed in.
VeriKey gets the iOS 18 consent.
So GrayKey or VeriKey, whichever one you're using, is how you can get the full file system for now.
Speaker 1 (14:23):
Yeah, I love how the main players in access, which, you know, everybody knows who they are, is GrayKey and Cellebrite, right?
Mm-hmm, we were talking about it before the show.
How they? What's the word you used?
Speaker 2 (14:34):
Oh, like the cat and mouse.
Speaker 1 (14:36):
Yeah, kind of multiple things.
Speaker 2 (14:36):
Yeah, they're trying to one-up each other.
Speaker 1 (14:38):
That's great.
I, I've been lately on a big wish list.
I hope more vendors will get into the extraction space, like more options.
So it's not only to get high. Say high level, I shouldn't say that.
I say deeper level extraction.
You know what I mean.
Right, right, and I know XRY does a few bunch.
I don't want to dismiss the other folks.
Speaker 2 (15:00):
Oh yeah, they do.
Speaker 1 (15:02):
They do great work as well, but usually, at least in the United States, those are the two bigger ones, but I would like to see five, six, seven, eight companies providing access.
Speaker 2 (15:09):
You know what I mean.
Definitely, Mattia's blog link is there on the screen as well, but that'll also be in the show notes at the end.
Yes, and since we're talking about Christian's Ufade tool, Mr. Erie's blog, it's Derek Erie.
He actually just added to his blog.
(15:29):
He has a whole bunch of topics on his blog, but he just added to his blog exploring Ufade to extract data from iOS devices, and he talks about the installation, navigating the GUI interface, some advanced options and how to use Ufade with MDM devices.
So he's got a whole nice outline on how to use Ufade,
(15:51):
with pictures and everything, so screenshots.
So check it out.
If you haven't used Ufade yet, that's the perfect blog to go get started.
It really lays it out nicely.
Speaker 1 (16:01):
Yeah, I see a good community being built around the tool, and that's what we want to see.
We want to see, oh, and I haven't mentioned that Christian was nominated, the tooling, the Ufade, for a Difference Maker Award.
Speaker 2 (16:16):
Yes.
Speaker 1 (16:17):
So we don't have the link here, but go Google SANS Difference Maker Awards.
And the first link is going to be the voting link most likely, and make sure that you vote for Ufade as the tool of the year type of award, because he's totally deserving of it.
Oh definitely, 100% support from the podcast.
(16:37):
Well, I mean 50% support.
How about you?
Speaker 2 (16:39):
Heather, do you agree?
Oh yeah, he has support.
Definitely, it's awesome.
Speaker 1 (16:43):
Then 100% support from the podcast that he should.
I know you were going to say that too, but I don't want to speak for you.
Speaker 2 (16:50):
You don't want to speak for me.
Yeah, thanks, I definitely was going to say it. 100% support.
Speaker 1 (16:55):
So go for Christian and the tool.
Speaker 2 (16:59):
So also kind of going along with iOS updates.
A LinkedIn post from Brian Krebs was on recently, and his
(17:21):
post talked about a new feature in iOS that a user can request or give remote control through a FaceTime call on an iPhone.
So a participant can request to remotely control your screen if they're using an iPhone or iPad with iOS 18 or later, and then when you receive a remote control request notification in the FaceTime app on your iPhone, you can tap allow.
A countdown from three to one appears, then the remote control session starts, which is crazy.
Speaker 1 (17:43):
I mean, what could go wrong.
I know, come on.
I mean, yo, that's great.
I mean, I cannot think of any situation this might be a problem.
Speaker 2 (17:51):
Yeah, there's a warning on that.
So there's a warning about it.
The person remotely controlling the screen can perform tasks on your iPhone such as opening and closing apps, changing settings, deleting items or sending messages.
The person remotely controlling the screen may be restricted from tasks such as changing your Apple account or Face ID
(18:12):
settings, making payments or erasing your device.
Well, thank you, yeah.
At least, and it also says your Face ID and Touch ID will be disabled during a remote control session.
You can still tap, swipe or type while the screen is remotely controlled, and your actions will take priority over the remote actions.
(18:32):
Oh my goodness.
Speaker 1 (18:34):
Yeah.
Speaker 2 (18:36):
So many things to go wrong with that.
Speaker 1 (18:39):
I appreciate them trying to put some sort of risk mitigation features there for the parents, you know.
But still, yeah, I mean, especially when you have, you know, grandma or granddad, and you know, we get scammed to the computer, oh, you got a virus, you need to contact. Give me remote.
(18:59):
Can you imagine now that on the phone, so this kind of scams, this is my perception, that are pretty prevalent in older folks or more experienced folks, it might be migrated to the phone.
So, yeah, let's go to your bank account, you know.
Speaker 2 (19:15):
Yeah, I think we're going to have some more cases of unlawful intrusion into people's devices.
Definitely. Whoa, no, and that speaks again.
Speaker 1 (19:25):
that speaks to the whole artifact.
How is that recorded on the phone when you have a live session?
Where does that go?
Yeah, it has to go, I would assume, somewhere.
Speaker 2 (19:33):
I'm definitely going to have to test that one, yeah.
Speaker 1 (19:35):
Oh, for sure.
Well, artifacts are generated through the interaction, right?
So no, that'll be good.
Oh, but a quick note, Lori's in the chat, so hi, Lori.
Speaker 2 (19:44):
Hi Lori.
Speaker 1 (19:45):
Um, we were here, we're here, you, you, you made it, we're still.
Uh, it's not, it's not over yet.
Speaker 2 (19:51):
You just missed Alex calling me a geek in the beginning.
Lori, it's okay.
Speaker 1 (19:56):
She knew that already.
Speaker 2 (19:57):
Yeah.
She probably did.
Speaker 1 (20:04):
She's part probably the geek club too, the geek squad club. Yeah, so no, there's a lot of features coming up, and I don't think, again.
I think we need to be aware of those features and then, kind of as a community, start recognizing what stuff is where.
I don't like to wait for the vendors to tell me, hey, look, we support this, and like, oh, first time I hear.
No, I want to know it beforehand because I might need
(20:25):
it before, yeah, before they get support.
Speaker 2 (20:27):
So that's a big deal, definitely. Um, going along with the same theme.
Uh, there was an article from Sumuri, Mac, uh, macOS 15, What Forensic Examiners Need to Know, and Sumuri released the article, and some of the updates are the same as iOS, but there's some
(20:47):
others as well.
So there's Passwords as an app, the scheduled messages that I already said for iOS.
Downloaded maps, so users can download selected areas for offline map using, or offline map use, sorry, including custom hiking trails, and the feature opens up more possibilities for tracking offline movements.
(21:08):
So investigators, definitely that'll be a good artifact for investigators when it comes to location data and downloaded maps.
Absolutely. Home, go ahead, sorry, no, no, no, go. HomeKit guest access, so users, uh, can grant guests temporary access to their home security systems.
(21:30):
Another one that, uh, sounds like dangerous, um, turn alarm off, let's go steal. Yeah, so it includes, like, garage doors, um, alarms during specific times, so that definitely can be a key detail in investigations if you're sharing that data with other people.
Speaker 1 (21:50):
Well, I mean, you could be tricked into doing that, or who knows, if any malware, I mean, we don't know, we're just speculating, but what type of malware could then do that without you noticing?
And this is not far-fetched.
It might sound far-fetched, but it's not.
Let me quick segue here.
You see banking Trojans that hit different mobile devices.
They use accessibility services to click for you.
(22:11):
You don't have to click, they click for you, and they do all these sort of things.
Why wouldn't they be able to get into your HomeKits?
And again, I'm not trying to be paranoid, although we kind of are because we're in this business, uh, but, but the main point is, yeah, this is a feature that, you know, the computer has, or the phone has, or whatever has.
Um, yeah, let's figure out how's that, um, um, memorialized
(22:33):
on the device and see if there's any forensic value.
Uh, you know, to it and get to it. Yeah, definitely.
Speaker 2 (22:40):
Uh, just a couple more from theirs.
Uh, Safari highlights.
They have a, have picture in picture, reminders in the calendar and then, of course, for iOS and macOS, the Apple AI and what it means for the investigations.
So go and check that out.
On Sumuri's blog.
Speaker 1 (22:58):
Yeah, let me get a quick comment.
Lori says you are more likely to be victimized by people you know, and she's absolutely right, especially if we're talking about home security systems.
You know, I don't think a hacker from some country is going to worry about that because they're far away, or maybe, who knows.
But yeah, she's absolutely on it.
But the thing with, agreeing with her, the thing with cybercrime, for lack of a better term, is that, yeah, it could be
(23:21):
somebody close, it could be somebody far away, and our task is to make sure we understand how is that recorded and how is that then extracted and presented at court?
And we need to be aware of the features.
I think the big theme of today's show is be aware of what's coming.
So then you can go find it, especially on a device that's new and we don't have an extraction yet.
Be aware of the features.
(23:42):
If you don't like to be aware of the latest phones and what they do or don't do, then you're going to be lagging behind the rest of the pack.
Speaker 2 (23:51):
Definitely so.
25th anniversary of Paraben.
I saw this on LinkedIn.
Actually, they're celebrating their 25th anniversary, and to mark that anniversary, they're offering a complimentary 30-day license for Paraben's E3 Universal software, and they're
(24:13):
also offering access to all three of their operator level certifications until October 31st.
So they said right on the post, the offer is their way of expressing gratitude for the industry's continued support.
Speaker 1 (24:28):
Yeah, and Amber, she's amazing.
I don't want to misspeak, but don't quote me on this, but I think I do know that she and her team many years ago, I think they made the first Faraday bag or a patent for a Faraday bag back in the day, right, 25 years ago, and I think it's the first one, yeah, and they've been doing great work since then
(24:50):
until today.
So I really hope that folks take advantage of this.
Like Heather said, it's 30 days, it's free, and you get to get extra certifications.
If you're new in this business and, uh, especially if you're really Windows based in your work and you want to kind of expand your digital forensics knowledge, this is one way to start.
If you're new, go to these courses.
(25:11):
You got all the operator levels, all the tool work, where artifacts are on different phones, and take advantage, and there's images to be, you can work and parse through that are free, like, and available, like Josh's.
There's no reason why you can't grow in this field.
The tools are there.
Speaker 2 (25:29):
That, and if you've never used Paraben, this is the perfect opportunity to try it for free for 30 days.
You may end up adding that tool to your tools in your lab.
Speaker 1 (25:41):
And they're one of the folks, them and others, but that also support Haptham integration with the Leaps as well.
So you can also use the Leaps through Paraben tooling and you can have another view of the data from a community standpoint through the tool.
Speaker 2 (25:57):
So Oxygen, another great tool, but Oxygen's 2024 International User Summit is coming up.
It is October 15th through the 18th in Alexandria, Virginia.
They're going to have speakers and presentations the first two days, and it's no cost to attend the first two days, and then the
(26:17):
17th and 18th are training days.
The attendees will choose a track, and that'll either be an extraction refresher track or an Oxygen Forensic Detective update and analytics track.
Both tracks include a capture the flag event on the second day, and the trainings are only $500 per student.
Speaker 1 (26:39):
That's a great price for all the things, for my opinion, and, like always, we don't.
Speaker 2 (26:45):
Our opinions reflect our employers. Yeah, two days of training for five hundred dollars, that's, that's a really good deal, definitely. Yeah, it's good stuff.
Speaking of training, Hexordia, uh, previously on the Cyber 5W website, has moved over to a new website. Let me put that up, and
(27:07):
it is Learn with Hexordia.
So they just launched the Learn with Hexordia platform.
They have free micro content, virtual live classes, hands-on labs and a community for support and learning on their new website.
So, if you haven't registered, Jessica Hyde is the head of Hexordia and she is awesome and the trainings are awesome.
(27:29):
I've done quite a few of them.
Speaker 1 (27:31):
Yeah, and I love some of the courses specifically because, you know, even though, I mean, we're friends, you know, us with Jess, but it's kind of interesting how we come to some conclusions that converge, and we come to them separately.
Right, we started moving towards really focusing on data structures as a way of getting deeper knowledge of our
(27:51):
investigations, and Jess, kind of on her own, also was going that route.
So she has a great course on data structures, and by that we mean understanding Protobuf, understanding SQLite, which is kind of the classical one, but expanding to JSON, SegBs, like all the different data structures in mobile devices, and they go one by one, explaining what they are, what
(28:11):
they consist of and how to pull them out and what value can you get from them.
And that's amazing how we kind of come to the same. You know, kind of we converse that way. Great, great, great, great course, great topic, so worth checking it out.
Speaker 2 (28:25):
Yeah, definitely.
I think she's expanded upon that class too.
Don't quote me 100%, but I think it's a two-day class.
Now, it was a one-day, yeah, so I think she's expanded upon it.
Plus, there's a whole bunch of other great courses in mobile forensics.
She has a Mac class that I haven't had a chance to take yet, but I've heard great things about it.
Speaker 1 (28:42):
I would hope that vendors start adding to their courses a data structures course, because if you're showing how to use a tool, there's nothing wrong with that, but after the tool runs, then what?
At least a data structures course, and don't take away the basics.
We talked about it, I think, two episodes ago, and some basics, right, at least you have a more rounded individual.
(29:03):
But you know, I don't want to tread on ground that we already ran on.
Speaker 2 (29:08):
Oh, you can say it again. We need to keep the fundamentals in the training.
Speaker 1 (29:15):
I might say that like a hundred more times, and there might not be fun, but they're elemental.
Speaker 2 (29:19):
Right, you have to know it.
You have to know it.
Another LinkedIn post that I saw, and I think you've shared several times, but Noel Lowdon has some mini video series, bite
(29:42):
secondary considerations related to effective vehicle system forensics, triage and planning to extract that data from the vehicle system, systems, and he outlines really well the steps to take for an examination.
I think these little mini series are great.
Plus, they're free on, on LinkedIn, his LinkedIn.
(30:02):
So definitely take, take the time to check out Noel's LinkedIn page.
He's got a ton of content.
Speaker 1 (30:09):
I believe his content is worth its weight in gold.
Right, yeah, and you'd be surprised how many agencies, both in the US and also outside, they don't consider vehicle forensics that much, right, and that needs to change.
Yes.
He was talking about how the infotainment systems, you access them and that's where the data is kept, like track logs, where
(30:30):
the vehicle has been, what sensors are being activated, does the door open, the trunk open, whatever.
And he's saying, look, even between, let's say, I think it's BMWs or Mercedes, I don't remember which, some German cars, cars the same brand, the infotainments change a lot, and there's still a lot of R&D work in how to deal, get the data out, but the data can be
(30:52):
pulled out.
That's one of the few devices you can still do chip, chips, chip-offs out of and get stuff.
You need to take that into account, your investigations.
You get the, the suspect's car.
You have to do this type of work.
And again, talking about awareness, watching his videos, looking at his series, you have that awareness in regards to what can you get and how do you get it.
(31:14):
That's the first step.
(31:14):
That's the first step.
Speaker 2 (31:15):
Yeah, you know.
Speaking of chip-off too, I mean, he's out of the UK, but I'm going to put his actual website up because he has training in chip-off forensics as well.
I noticed that on his website when I was checking it out.
So if you're over in the UK, or maybe he'll come to you, I'm not sure.
I don't want to promise that, not knowing.
But there's a, there's a course there on it.
Speaker 1 (31:35):
I'm pretty sure the
price is right.
I'd rather somebody send me there, though.
Speaker 2 (31:41):
Yeah, me too, I want
to go.
Speaker 1 (31:46):
Definitely I'll start
drinking the tea with my pinky
up or something. Good stuff.
Yeah, volcano site is a great resource.
Do follow his LinkedIn and do watch those videos.
You're going to learn a lot.
Speaker 2 (31:56):
Yeah, you know, with
the vehicle forensics too, I
think there's not a lot of documentation on the how, the
why.
I mean it's like this tool is used for vehicle forensics, plug
it in, pull the data and just send out a report, and he goes a
little more into that.
So I think that's needed in the vehicle forensics for sure.
Speaker 1 (32:15):
Oh, absolutely that
provenance of that data, how it
was acquired, the processes and all that is so important as it
gets more scrutinized, because you might, you're the other side,
be it civil or criminal cases, the other side might not be that
aware, but as it gets used more, there'll be more awareness,
which is a good thing.
That means that you need to up your level, make sure you
(32:37):
understand what you're doing and present it properly.
Speaker 2 (32:41):
Yeah, another good
blog article out by Alex
Caithness from CCL Solutions.
The title of it is When is an app, not an app?
Investigating web APKs on Android, and this one outlines a
progressive web app is an application which is built using
(33:02):
web technologies and it's designed to give the look and
feel of a native application.
His blog addresses how to identify that the app you're
looking at is a web APK from the user's perspective, but also
from the file system and where that data is stored.
Speaker 1 (33:19):
related to the web
APK and my big takeaway from
that is because the big takeaway is the difference between, for
me, an Electron app and a progressive web app.
Right, I dealt with a lot of Electron apps and I have a lot
of talks about them and a little bit of a summary.
When you talk about Electron apps you're talking about you
(33:43):
download the app and it looks like an app, it walks like an
app, it ducks like an app.
Guess what?
It's not an app, it's a browser.
Yeah, exactly, it's a browser.
It's most likely a Chromium browser with some code that
behaves like an app.
All right, but it's actually Chromium.
(34:06):
Now, a progressive app is also run from a browser, but not like
a standalone browser like that.
It's run from the browser on your system and that's kind of
the big difference there.
When you look at Chromium apps, you're looking at a whole new
browser in there.
That browser with some code might generate its own little
web server internally to access and show you things, whereas a
progressive app, if you need to show you something, it won't be
(34:29):
able to show it to you.
It has to go out to the Internet and show it to you.
There's a pretty lot of this linkage to the browser that's
installed to the outside world, whereas an Electron app might
also do that, but it's not needed.
The progressive app within itself should be able to provide
you some of that stuff locally.
And that being said, right, an app that's running, or a browser
(34:51):
running locally in that sense, might have and some extra code
might have more access to your device than something running
from a browser that's actually accessing the internet, because
at that point sandboxing and some security measures are
involved and a browser that's reaching out in that way won't
have that access that an Electron app has.
(35:13):
But again, it's kind of funny because we didn't plan it this
way.
But the topic of the day is awareness, right, if you're not
aware that a progressive app, what it is, you have no idea how
to parse it.
I would say a lot of progressive apps.
I don't know if vendors have support for them, like so.
Yeah, I don't think so, yeah, I mean, it's true that it's using
(35:35):
the browser and it will be as a browser artifact, but we talked
about in the past how context is important.
If you can tell me, look, all this web history, these
particular items belong, for example I'm just making this up
for some examples belong to a progressive web application,
right?
Or these structures, again making this up, let's say, some
(35:56):
LevelDB databases are involved with this particular website or
domain, which is representative of a progressive web app.
That changes my perception of what's going on.
Right, it wasn't just the user browsing to pages.
There's another level of abstraction and app.
That and that involves different other additional
things for me to present and consider, and that awareness is
(36:18):
needed.
If you don't know that exists, you won't know how to look for it,
and if the tools don't parse it, then who's going to do it?
Speaker 2 (36:23):
Right.
Speaker 1 (36:24):
Well, actually, let
me point at you, Heather, you're
going to do it.
Speaker 2 (36:26):
Yeah, I'll do it, but
we have a little bit of help
now, though, because Alex's tool that we've talked about on a
previous episode, Mr Skinny Legs, actually does some of that too.
Speaker 1 (36:38):
I love that name.
Yeah, me too, even though I had no idea what he was talking
about at first, but I got it now.
Yeah, people that are.
You know we were explaining it last time, but look the skinny
legs.
You need to do more leg day.
That's it.
Don't skip leg day.
Speaker 2 (36:52):
Oh, so you don't have
skinny legs.
Speaker 1 (36:54):
Heather never skips
leg day.
Speaker 2 (36:57):
Yeah, nope Never.
Speaker 1 (36:59):
Never.
Speaker 2 (37:00):
Never yeah.
Speaker 1 (37:06):
That's never, never
never, yeah, no worst day. Oh my
goodness, you know what I did today? No leg day, did you?
Speaker 2 (37:11):
yeah, oh no, I'm fine
now, I'm not gonna be fine
tomorrow no no, when it hurts definitely definitely, or if you
work out with you, my legs seem to hurt a little bit more.
Speaker 1 (37:23):
I don't ever want to
do that again see, I try to work
out without myself, but that's, that's not happening.
I got no choice.
Uh, no, no, all kidding aside, it's, it's again the, it's the
work that CCL Solutions, uh, you know they do.
And through, obviously, to Alex Caithness, another great uh
article.
They're always, uh, through him, on the cutting edge of what do
(37:45):
we need to know that we don't know, or that we don't know that
we don't know.
Like Roosevelt once said, I'm going back to the 90s yeah, we
don't know the things that we don't know.
So, highly recommend it, go check it out and be educated.
Speaker 2 (38:01):
Back on the training
subject.
So Hal Pomeranz has a webinar.
Um, it's Not Scary Binary, and
um it's going to be October 22nd
at 1 pm Eastern time and it's only going to be 25, which is
super affordable.
Um, the course topics for his webinar are going to be why do
(38:24):
computers use binary?
It's going to talk about decimal versus binary, binary to
decimal conversions, decimal to binary conversions, um
hexadecimal, converting binary to hex and back again, uh, bytes,
words, DWORDs, QWORDs, little endian and big endian.
It's just all of that fundamental stuff that I keep
saying vendors need to not get rid of.
(38:47):
Hal Pomeranz is going to have that in a webinar for 25 bucks.
Speaker 1 (38:52):
And if you don't know
who Hal is, let me give you a
little bit of a little bit of little detail.
His background, right.
He for many years used to teach at SANS right, and we know SANS
is world-class level training, okay In regards to incident
response for for Linux right.
(39:12):
So this guy, it's like down there I know him.
Um, he's a really cool dude in person as well and I highly
recommend that.
Let me put it this way when he speaks you need to listen, so
you got a chance to train with him at $24, as opposed to SANS
prices.
You know why not?
We should all not walk, run.
Speaker 2 (39:32):
Definitely.
Speaker 1 (39:33):
And take that course.
Especially again, the topics here go from really basic I say
basic like why do computers use binary, right In a sense, to
packed bytes?
Packed bytes and masking and shifting, like I'm going to put
it in my calendar, I haven't I got so many things going.
I don't know what I'm doing in 20 seconds.
(39:54):
But if I can fit it I will.
I myself will do it because it really covers so many important
things.
I do like Not Scary Binary in October.
You know, get it, I like that.
Speaker 2 (40:07):
Yeah, definitely I
highly recommend it.
Yeah, I'm super bummed.
I'm going to be traveling that day, so hopefully I can pay the
$25 and do it at a later date.
If not, you better take notes for me.
I need to, I need my.
Speaker 1 (40:19):
I need my refresher
on all of that oh no, I'll say
good, no, so don't worry okay,uh.
Speaker 2 (40:27):
So another topic, uh,
that also I saw on LinkedIn
because you shared it, um, but Amazon Web Services, so I'll
throw up a picture if you want to start talking about this yeah,
so so I I essentially this was interesting to me because um
Cellebrite, and again, it's a company that does a lot of good
stuff and we love them.
Speaker 1 (40:47):
We also, when needed,
we give them constructive
criticism, and there's nothing wrong with that.
The CEO, Carmil, he was saying that what they're doing is so
we're dealing with a lot of evidence, right, and we all know
this.
We got so much stuff coming in and instead of saying, well,
we're going to keep it in our local network area storage or
(41:08):
whatever it is that we're using right now, Cellebrite is proposing
that you leverage their service, which uses Amazon Web Services,
AWS, for storage.
So now you don't need a physical server on location.
What you do is you take your evidence and you push it up to
the cloud, to the AWS cloud, and they explain that they maintain
(41:31):
security and preserve the resources and expedite data
analysis, and that works hand-in-hand with their
Pathfinder tooling, and I'm not really familiar with the tooling.
I'm only more familiar with the extraction capabilities they
use and the parsing capabilities.
You know Premium or I guess, Insights now, Insights Premium
(41:51):
and Insights PA.
So I took a screenshot of how the Pathfinder tool looks.
I don't know if we have it.
Speaker 2 (41:59):
I do, let me just get
it open.
Speaker 1 (42:01):
And the reason I'm
going to show it is because I
wanted to see okay, so this data, your case data, is going up to
the cloud, so you're going to process it and work from it.
From the cloud, how's it going to look on the user from the
user standpoint?
And it's pretty nice, right?
You've got a little dashboard and you see all the different
things the tool is kind of doing in regards to analytics.
(42:21):
It makes linkages and you get more from.
That's all great.
But there's a point there, or an entry for images, and I
don't know, it's kind of small the picture, but you can look it
up, it's there.
So then I thought, okay, so normally I might, if I put all
my evidence on the cloud, right, and my evidence is contraband,
(42:45):
I mean, and see, I'm kind of lost at words. Like there's a lot
of things that come to mind.
Right, how in regards to access, right, how is this being
managed?
What's being proposed?
And maybe I'm mistaken, right, I'm open to being corrected on
this.
So this is my thoughts.
A little bit of ignorance there.
I accept it up front.
But my thought process is we're going from having control,
(43:07):
absolute control over the evidence, over a standalone air
gap network.
And now we're saying we're going to trust this vendor to
put this data on another vendor thing and then hope that that's
secure and the contraband is going to live outside where I'm
(43:29):
at, outside my office and it's going to be secure.
And there's a lot of risk.
And, again, I'm ignorant in regards to what the mitigations
are.
But that's the questions we need to be asking.
I don't think we should go say, oh, this is great, how much is
it?
Can we afford it?
Take it.
Where are the discussions about risk and risk mitigation?
And I'm pretty sure that some of those discussions, the sales
rep will have them with you and that's great.
But I believe that some of these discussions should be up
(43:50):
in the open for the community to discuss, because this is no
dis to Cellebrite, no dis to Cellebrite, this is for the
industry.
A sales rep has a purpose.
What's the purpose of the sales rep, Heather?
Speaker 2 (44:03):
Sell the product.
Speaker 1 (44:06):
To sell it to you.
They're not there to you know, I'm going to show you
transparently how secure or unsecure this is.
And bye, I have a nice day.
I'm going to try to make the sale and I mean that's just
normal incentives, right, when the discussion happens within
the community, in the open, there's no incentives to sell
anybody.
Anything we discuss, hopefully we can discuss what the risks
(44:31):
are and what the mitigations are.
Is this a good idea?
Do we want to really put some of our evidence?
What happens?
And I'm going to jump on this, Heather, I guess it's like my
mini soapbox moment.
Go for it.
I was reading an article last week and one today about AWS
(44:52):
itself.
Right in AWS, AWS, right, any service, they have mitigations
for, you know, hacking and all that type of good stuff.
But it happens.
We've seen uh, bad actors being able to get credentials.
Um, be advised, uh by uh.
Um, I lost the word.
When you trick a person, a human, what's the word?
When you trick a person to give you something without them
(45:14):
knowing that they gave it to you?
It's not human engineering,what's that called?
Speaker 2 (45:19):
You know what I'm
trying to say.
Right, I do.
I'm drawing a complete blank,though that makes sense.
Speaker 1 (45:23):
Chat, give me a help.
I'm going to keep talking, but the chat, give me a help when I
trick somebody to do something.
That, uh, the social engineering.
I got it myself.
Social engineering.
Okay, so they use.
You're like, yeah, that's not it, but yeah, that's what it is.
Well, I'm gonna say social engineering, the social
engineering, somebody to give you the access.
And now, what right?
All that mitigation that you had goes out of the window
(45:44):
because the data is accessible.
It's out in the universe.
What holds it is that access.
Social engineering, see Ian thanks, he's got it.
He's jumping right in with you and the fact that a person like
Ian of his caliber said it's social engineering.
That means I'm right and you're wrong.
Yeah, okay, thank you.
Thank you, Ian, for settling that dispute.
I was not gonna guess that yeah, and another Ian is there in
(46:08):
case.
You see he got here Again.
This is not a dis Cellebrite right I'm talking about.
Yeah, I'm talking about, because this is not only Cellebrite
right.
We see this move toward cloud and Magnet as well.
They have some of the case management that is on the cloud,
it's not on premise, and Magnet is another great company,
kind of same space,
and how much oh, and reviews as well.
(46:29):
You can do case reviews to process it and you put it on the
cloud.
So it's not only Cellebrite.
I don't know if Magnet uses AWS or not, but what system you use
doesn't matter.
The risks are still there.
And then are those being discussed in the open as a
community and those mitigations as well.
One more I thought it was interesting, not directly
(46:49):
related to this topic, but I was reading Brian Krebs' blog post
today and he was talking about how these bad actors go and sell
credentials to some AWS-hosted LLMs so large-language models,
pretty much AIs, AI engines and they take some credentials that
(47:10):
somebody mistakenly put in GitHub, for example, or some
other places and they log in and what they do is, when they have
access to the AI, they have on their end
a website that offers sex chatbots.
Ok, so you want to have, like, some conversation of that topic?
You don't have to talk to an actual person.
(47:31):
The AI will provide you with that conversation, which is kind
of disturbing in the sense that some of those conversations can
uh deal with really, uh like abuse conversations, if you
folks I don't want to go into more details, but folks
understand what I mean by that. Conversations regarding victims
that are disturbing, and they do that by kind of jailbreaking
(47:55):
the LLMs, and by jailbreaking means that they make or ask
questions to the LLM in a way that breaks that security and
the LLM converses in a way that's not designed to.
I'm saying all of this just to make the point that the access
if they get the access, they get the data.
If they get the access these bad actors they get the service.
(48:17):
And maybe I'm too old school, coming from the school, of
saying, hey, all the evidence should be housed in-house,
should be handled by the agency and it should be an air gap.
Maybe I'm a Luddite in that sense, old school, I don't know.
I mean, do you think it's a good idea?
What are your thoughts, Heather, in regards to this move to put
(48:38):
evidence in the cloud as a way of expanding storage.
Speaker 2 (48:42):
So I think it depends.
I mean, so I was actually you brought this topic up.
So I'm like I'm going to research this a little bit.
But with AWS they do a shared responsibility model where the
customer is responsible for securing their own data.
So with with tools like Pathfinder or a Magnet's review,
my question would be is the customer me that is securing my
(49:05):
own data, or is it, is it Cellebrite, or is it Magnet or
whoever else is providing the service, right?
So the customer would have to tailor it to their security and
compliance control to meet their agency requirements.
Um, and I don't know, do I feel like that would have to be
different for every agency on a case-by-case basis, and I wonder
(49:27):
who takes that responsibilityon?
Speaker 1 (49:31):
wow, yeah, especially
since I don't.
I mean there is no universal, to my knowledge, standard or how
you're going to keep this stuff no I mean there's there's.
No, there's some mandate or some law that tells you you need
to keep it this way.
You know?
I mean right, right, so it could be different from agency
to agency.
Speaker 2 (49:46):
So who's
controlling that?
And I mean I don't even know if it was our agency, who would
control that in our agency.
I'm not even sure at all.
So I mean putting that factor into it.
I think it could be it could make it more dangerous when it
comes to vulnerabilities in storing the data could make it
(50:10):
more dangerous.
Speaker 1 (50:10):
Well, I mean, and look, I understand that.
But let me put it this way. Would I say that me having my
email server at my house is more secure than having my email
managed by Google?
Well, Google will do a better job of securing the email server
than me.
That's just a fact.
So I understand where we're coming from.
(50:30):
Right, does a big company at AWS, right, has this security
team will secure it.
Well, of course, but the premise is we're going to agree
to put this evidence in the cloud and then the question is
how to best secure it.
But my contention is maybe we shouldn't.
Maybe we should still keep it in-house, in a sense, because
(50:54):
and again, we're kind of brainstorming we're kind of just
discussing some thoughts here for the folks that are listening
and for everybody that's listening, with us participating.
I believe it.
Correct me if I'm wrong, Heather.
We don't have really super strong opinions on it.
I want to be educated.
Yeah, I want to know more about this.
Speaker 2 (51:09):
Yeah, me too.
I definitely do, and I think it could be secure if it's done
correctly.
I just I would like to understand a little bit more in
depth of how it's done.
Speaker 1 (51:20):
Because this is how I
think about it.
Let's say, you secure it, it's on the cloud and you made a
mistake or you didn't press a button, or somebody social
engineered you and now you're exposed.
Whereas what the worst could happen if I had the evidence in
a standalone air gap network in my office?
What's the worst that could happen in regards to security?
Maybe I forgot my password or something.
(51:41):
I need to reset it.
Nobody's going to come from the outside.
Now, I'm not saying that air gap networks are intrusion proof.
I'm not saying that right.
I'm not saying that somebody could come in and pull the data
out physically and then put it out.
So I'm coming from the context of risk mitigations that are
needed from a standalone air gap network compared to hey, let's
(52:03):
put everything in a third party cloud service.
I'm going through another third-party to kind of make that
access either to Magnet and again, I'm mentioning Magnet now
a lot because I want to make sure folks understand.
We're not dissing any particular company.
We're talking about the state of the industry as it's being
moved, because this move is coming from vendors.
Vendors from a technological standpoint it makes sense.
(52:25):
They say look, this might be a better solution than you having
to buy all these drives and all this hardware.
Maybe you can save the cost on hardware because now you can
spend it on software.
Ta-da, I mean the profit motive, and I got nothing against
profit motive, right, that's how things get better.
You know, in a society that works like ours operates, right,
you want to incentivize these technological companies to
(52:49):
create solutions.
But is this a good idea or not?
I'm still on the fence, but kind of tending still to the old
school method.
We'll see how the market and folks react.
Or if hopefully not if a big hack happens of a law
enforcement agency, can you imagine?
Speaker 2 (53:08):
Yeah, that will not
be good.
Speaker 1 (53:10):
Yeah, I mean, would
that change the approach?
I don't know.
I mean, again, I'm ignorant on this, so I'm really I would hope
that folks will leave comments in in our LinkedIn page or yeah,
about what they think about this and maybe we can discuss it
as we learn further in a future podcast.
Speaker 2 (53:26):
I think there's a few
other things to consider too.
So when it comes to migrating to a service like this, what
type of logs from that service now become part of discovery in
court?
Speaker 1 (53:38):
Oh, my goodness, yes.
Speaker 2 (53:39):
Yeah, and chain of
custody Like, how are we
explaining chain of custody?
I'm sure there is a perfect explanation on chain of custody
when it's stored up in the cloud, but are all of the users in
your agency ready and prepared to explain the process in court?
Do they understand the process?
Do they understand what happens when it's uploaded?
How to ensure that the integrity of the data that's
(54:03):
stored in the cloud remains?
Speaker 1 (54:05):
I just think there's
a lot to think about when moving
to a service like this yeah,
and I mean, I mean again, I, I'm
ignorant, but it makes me think of when you get stuff from a
provider, a cloud provider, somebody from their end has to
testify or send some documentation saying, yeah, this
was housed here and it was accurate and this is what it was.
Um, if it's and we can say what's a VIP?
(54:27):
It's a virtual private network.
Right From the topology standpoint, for sure it feels
like a computer.
That's on your network, it feels, but it's not right.
Will the courts want to validate that?
Would they need somebody from the other end?
Right, well, it's going to be encrypted at rest, right, is
that?
Will that?
Will that suffice?
(54:47):
Like, yeah, like.
Those are pretty valid questions and thank you for
bringing that.
That did not cross my mind, so thank you for bringing that up.
That needs to be discussed with, with our, I say, prosecutors
or lawyers or whoever you're working with, to make sure we
keep that, that chain of custody, as it should.
That's a.
That's a pretty good, good point.
Speaker 2 (55:04):
Yeah, I think it
would have to be a standard
explanation for everybody in your agency too.
We should all be testifying or repeating that process in the
same manner.
So I think it would be some training involved for sure.
Speaker 1 (55:18):
Yeah, laurie's saying
what it will cost you to get
the data back, because these folks might charge by the
megabytes going up and down.
Speaker 2 (55:28):
Yeah, that's true.
Speaker 1 (55:29):
Yeah, we run out of
the budget for this month, so no
cases are going to be solved until we get the next data block
allocation.
I don't know how it works, it'll be good to know.
Speaker 2 (55:47):
Yeah, on this topic,
though as a whole, please feel
free to leave comments, because I would love to hear what other
people think about this.
I mean, if people could kind of like phone in and talk about it
right now, I would want to allow you to, because I just
want to hear what other people's thoughts are and if anybody
knows additional details on how it all works.
Speaker 1 (56:03):
Yeah, if you go to
our, if you're listening to our
podcast, if you go to our podcast page and it's going to
be there in the description of the show the BuzzFeed or Buzz I
missed it Buzzsprout page If you go there, also, in the podcast
directories there's a little link where you can send us a
(56:25):
message as well.
So if you want to communicate that way, you can go to your
podcast, the podcast page in your podcast feed.
Go, leave a message for us and we'll read it in the next show
and discuss it.
Folks on LinkedIn, leave us comments what you think about
putting stuff on the cloud as evidence, risk and mitigations
and also the benefits.
Right, and let's maybe get a discussion going.
Speaker 2 (56:46):
Yeah, definitely All
right.
What's new with the Leaps?
I have one that I saw on, I think Kevin posted it, I'm
pretty sure.
So Marco Newman added the Withings Health Mate on iOS that
parses account information between users devices connected.
(57:08):
The account measurements um so steps, heart rate, location,
SpO2, temperature, uh tracking and activities, and then um
specific activities tracked manually or detected
automatically, like cycling, swimming or running, and there's
actually a blog post that goes along with that from Marco, if
(57:30):
anybody wants to check that out, a blog post about the new Leap
artifact.
Speaker 1 (57:34):
I wish that more
folks do what Marco's doing.
All those things are pattern of life artifacts and, you know,
usually vendors focus on the ones that come with the device
or device brand, like the iWatch or the Google and Fitbit,
(57:57):
because the Fitbits are pretty popular but some that are not as
popular might fall through the cracks.
So the more support we have for these pattern of life artifacts
from many device vendors Withings or the other Fitbits of
the world that would be good.
So I wish I could do more of those, but I don't have the
budget to buy all the devices to generate data.
But hey, if you have some of these devices, then yeah, try to
(58:20):
make some parsers for that.
It's super useful.
So many cases are solved with this type of pattern of life
data.
And pattern of life data if you're not familiar with the
concept, long story short is artifact that tells us something
about the state of the world in regards to the person that's
using the device or using the phone, and not only what they
(58:40):
were doing at a particular point in time.
You can maybe be able to predict what they will do or detect
moments where they were not doing what you were expecting
them to do, and a simple example of that is if that person you
see a pattern of being asleep at night and then you see a
pattern or a day that the person's awake, well, that's a
(59:01):
point you need to check out,right.
An obvious one if you see a pattern of the heart beating and
then the heart stops, that's a big clue that something bad
happens, especially if the person is deceased or
disappeared, and we can think about many scenarios where this
data could be useful.
So the more support we have, the better.
And talking about support, I want to give a big shout out to
(59:23):
James, Johan, John, Hyla and Kevin and the folks that I did
not mention.
The last names we know they're friends from the podcast, and
John, soon enough, will be mentioned, just as John.
We know the last name there's a lot of Johns, though we have to
just call him Hyla.
Hila yeah, actually that'spretty good.
I like that.
I like that.
(59:45):
It's cooler as well.
Speaker 2 (59:46):
Yeah, so like that I
like that it sounds.
Speaker 1 (59:47):
It's cooler as well.
Yeah, so so they've been working on a project um, you
know we've all been working, but they're being the heart and
soul of the project.
It's a way of I cannot give a lot of details because it's not
finalized yet but it's a way of looking at extracted data with
the Leap tools.
That's way faster, way more efficient.
It handles more data.
It allows you to do a whole bunch of different capabilities.
(01:00:07):
It's a project that we're working on.
I just recruited a great examiner that works from the
great state of New York to help us with updating some of the
artifacts.
I don't know if you know her.
She's awesome.
I'm going to try, let's see if I can handle this oh you will,
and the point of that is, we hope, hopefully in the nearish
(01:00:29):
future we could make some announcements.
But I don't want to say to James, Johan, John and Kevin you,
you guys are, are rocking it.
Um, after this conference that I got next week, I hope them to
then also.
You know, put my hands, you know, roll up my sleeves, well,
my short sleeves, roll them up even more and actually put
behind more hands on with some of the stuff, uh, that that
we're developing really, uh, look, keep your eye on the space,
(01:00:52):
the Leap space.
There there's a lot of good stuff uh, coming, coming up yeah,
definitely looking forward to it.
Speaker 2 (01:01:01):
Uh, everybody's
favorite time, the meme of the
week.
Let me share it here.
Yeah, I was going to say where's your fireworks.
Speaker 1 (01:01:10):
See, I'm on a lame
dose or I'm sorry, windows, so I
don't have that anymore.
Speaker 2 (01:01:18):
So the meme of the
week says are you two friends?
Incident response, digital forensics. Incident response says
no, digital forensics says yes, and you're going to further
explain this one for me yeah, so because I just killed it with
the characters.
Speaker 1 (01:01:34):
I think you have to
explain yeah, so it's a Star
Trek episode.
So you got these two Star Trek
folks and you know one is like
no and the other one's yes,
right, um, the thing is.
So there was this.
This meme came in response to a post that Defer oh, my
goodness, I blanked out on his name, hold on.
(01:01:57):
And a post that Brett Shavers.
Now, it came to mind that Brett Shavers did explain and kind of
talking about the differences between digital forensics and
incident response, because they're lumped together D-F-I-R.
So what's the difference between DF and IR?
He's making the point that digital forensics has the court element
in it, right, so the fact that I say court but you know, legal
(01:02:18):
element, the fact that legal element is involved, means that
our processes within digital forensics are gonna can be
really really different for incident response.
And the point I make with this is like that's true, but it's
also some cultural differences, right, and the incident response
community, from my perspective, it's a lot of really like
hacker culture, kind of cool dudes with gray, you know, green
(01:02:40):
hair, right, you know doing hacks, you know, and again, not
hacks in the sense of negatives, in a negative way, I'm talking
about as a researcher and doing pen testing and when an incident
happens they go in there and make sure they understand what
happened, how to mitigate it.
It's important work, but they're more like a cooler crowd, in a
sense right, whereas digital forensics is usually a bunch of
(01:03:02):
cops.
Digital forensics in the plain sense of the word, right and
yeah, it's like are we friends?
Of course we are Not that much right.
It's just a cultural difference.
The fact is that a lot of the incident response world is now
benefiting from the experience that sometimes retired law
(01:03:23):
enforcement folks that work in these forensics that they make
the move over to to incident response, which is a valid thing
and a great thing to do.
But there's some cultural differences and I was making
kind of that point in a little bit of a funny way, to me at
least it's good yeah, look, look, digital forensics, look, we're
gonna.
We're gonna be wearing 511s, 5.11s boots, a polo shirt, okay,
(01:03:50):
and a tactical belt, of course, with our pockets and what else.
Speaker 2 (01:03:56):
It's almost time for
you to share that meme with the
Halloween costume.
Speaker 1 (01:04:00):
Oh, that's coming
soon.
That's coming next week.
It's that time of the year, yep.
Speaker 2 (01:04:05):
Definitely.
Speaker 1 (01:04:08):
Peter's in the chat.
Peter's a good friend from California, so yeah, it's a good
meme.
I appreciate that.
You appreciate it, my friend.
Speaker 2 (01:04:18):
All right, that's all
I've got.
Speaker 1 (01:04:22):
You're awesome as
always.
Thank you for pretty much driving us home today, so I
appreciate it tons thank you we're going to be out of action
in regards to here in my area of responsibility for the
conference, but we should be able to have the next episode at
(01:04:42):
the scheduled time we should alright awesome alright, folks,
then I have nothing else for the good of the order this time I
have nothing else either.
Speaker 2 (01:04:53):
Thank you very much
everybody for listening thank
you so much.
Speaker 1 (01:04:57):
We'll be seeing each
other in a couple of weeks and,
uh, take care and be cool, be a geek, be part of the Geek Squad,
have a good night.
Yeah, good night, there we go.
Geek Squad, definitely have a good night, there we go.