Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:10):
Welcome to the Digital Forensics Now podcast.
Today is Thursday, September 12th, 2024.
My name is Alexis Brignoni, aka Briggs, and I'm accompanied by my co-host, the return of the different Jedi from NCFI, the job fair fairy, the one with the best concepts of a plan, the
(00:34):
one and only Heather Charpentier.
The music is Higher Up by Shane Ivers and can be found at silvermansound.com.
Oh, Heather, I just kind of like a drop of the music.
Speaker 2 (00:49):
Nice abrupt ending to the music.
Speaker 1 (00:52):
Sorry, go ahead.
Go ahead.
Speaker 2 (00:54):
The intro is over.
Speaker 1 (00:56):
Yeah, right, if we're done.
I didn't. I didn't put the fader in and out, so my bad.
Speaker 2 (01:03):
The cyber fair fairy.
Yeah, yeah, you gotta tell everybody about that.
Yeah, I will, I will. Thank you, oh my goodness.
Speaker 1 (01:12):
And thank you everybody that's, uh, rolling into the chats.
I see there's some, uh, comments.
Jeremy saying hi. Hey, Jeremy, good to have you.
So, yeah, no, I'm, yeah, Heather.
So, uh, interesting, interesting.
You have done a lot of things the last couple of weeks.
What's going on?
Speaker 2 (01:26):
I've been busy.
So I mean last podcast I aired from Hoover, Alabama, and was at NCFI for a class down there.
It was great.
I'm back now, happy to be back though. Two weeks is a long time to be away, but I came back to immediately being just as busy, so yeah.
So I found out that I'm going to be possibly testifying in a
(01:50):
trial.
So immediately prepping for a trial, that is not in a few weeks, it's just like next week.
And then today, myself and a couple of coworkers actually went over to the University at Albany cyber job fair.
Um, they have a nice little job fair set up over there where they, uh, they take, uh, different companies, uh, that have digital
(02:12):
forensics jobs and they have you give like a 10 minute pitch on why you want to, why you want to work here.
So, um, my coworker Corey, who is a sworn investigator in our office, he did the pitch for why to become a trooper and then maybe work your way to the digital forensic lab.
And then myself and Deanna, who are both computer forensic analysts, gave the pitch on becoming a civilian computer
(02:35):
forensic analyst in the lab.
So it was really good and after the 10 minute speech, we set up at a table and just answered questions for the rest of the day, and there were a lot of questions.
I think I might have talked all day long and now we'll just continue it with the podcast.
Speaker 1 (02:55):
So by the time we're done, you have no voice.
You'll be like, yeah.
Speaker 2 (02:58):
I'm not going to talk at all tomorrow.
You're welcome, coworkers.
Speaker 1 (03:04):
Look folks, Heather is so, so good.
She went and she said, you know what? There's so many people here, so I'm gonna stand on top of this table or a chair, I didn't know what was it.
You call everybody in and you give them this meal, all at the same time, because that's what we do in this field.
Speaker 2 (03:17):
We're efficient. I'm gonna, actually I'm gonna. I'm gonna roast my co-worker right here.
Uh, this is Deanna at the Cyber Job Fair, and we had our table all set up with the State Trooper swag and then some of the digital forensic items from our lab.
Speaker 1 (03:36):
I like that you said a table.
It's an actual table, yeah.
Speaker 2 (03:38):
Yeah, oh, you literally just set the table up, yeah.
Speaker 1 (03:41):
It's not like, you know, the conference table.
So you say it's a table, but it's not like a conference for that purpose.
No, that's a table that you sit and drink coffee.
That's cool.
Speaker 2 (03:47):
Yes.
Yeah, definitely. Anyway, co-workers, their thumbs, the folks that cannot see, thumbs up, the whole situation, that's awesome. Yeah, she's excellent in our office, but into a bunch of the prospective job candidates, and one of them actually recognized me from the podcast because he watched our podcast
(04:08):
as part of an assignment for one of his classes.
So thank you to you, Albany.
Speaker 1 (04:13):
So Heather is now Heather Hollywood.
Speaker 2 (04:16):
Oh yeah.
Speaker 1 (04:19):
So you get to sign autographs at any time, please.
Yeah, no, not quite that Hollywood.
The paparazzi are following you.
Speaker 2 (04:27):
But it was nice being over there and then hearing one of them actually looked for a digital forensics podcast and found ours.
Speaker 1 (04:34):
Oh no, look, I'm giving you a hard time, but when you told me, I was super excited as well.
So it's pretty cool having a little bit of a voice and folks kind of, you know, stumbling into the podcast and finding something of value.
So that's awesome, that's awesome.
Speaker 2 (04:48):
Oh yeah, Abraham says in the comments, I fangirled when I met Heather at school event.
I did a presentation over there and he came for it, so thank you, Abraham.
Speaker 1 (04:58):
Hey look, I fangirled too at IACIS, and we do it daily.
Speaker 2 (05:01):
Oh my God, stop it.
Speaker 1 (05:04):
I understand.
Oh look, look, Kevin is saying I'm back in the broom closet.
I'm going to correct you.
This is actually a coat closet,okay.
Speaker 2 (05:14):
I think it's also now his permanent spot, so it's not like he's just moonlighting there, it's a permanent spot.
Speaker 1 (05:20):
Yeah, it's true.
Like you know, I, this is how I say this.
Speaker 2 (05:29):
This is my house, that my life, my life, my wife lets me live in, so the kids give you a little bit of space of your own, and there it is.
Speaker 1 (05:33):
Yeah, that's all I get.
You know, I can't even stretch out my arms, like legit, stretch out my arms. It's all fun, it's all fun.
So what have you been up to?
So, yeah, a lot of casework that I can't really speak about.
But what else have I done?
Oh, I got a couple of conferences coming up.
I got InfoConf, and that's an Argentinian conference, but
(05:56):
sadly I'm not going to Argentina, so I'm going to present a couple of topics.
Well, one presentation, like a speech online. Everything's online, but one speech and the next day like a workshop on mobile forensics, and it's focused on data structures.
Lately, and you and me, I think we've both been really focused on spreading the understanding of data structures.
Speaker 2 (06:17):
Yeah.
Speaker 1 (06:19):
Yeah, not just using a tool to get to them, but what do you do to get to them in the most direct way possible?
So we're going to be teaching some of that, protobufs and LevelDBs and even SQL, like stuff like that.
So, so I'm prepping for that.
And then the ICAC, um, conference, the one in Redmond in Washington State. Oh yeah, Pacific Northwest, right, I think
(06:40):
that's the name of it.
That's one of the bigger ones in the country, it's, it, a lot of people there, a lot of good investigators, all the vendors are going to be there.
So I'll be doing a panel and two workshops on how to reuse the LEAPPs, which I'm also excited about.
Speaker 2 (06:56):
So you're going to be busy, jeez.
Speaker 1 (06:58):
Yeah, I'll be flying.
I'll be there for the week and I appreciate all the ICAC there for having me there, and hopefully I can bring some value to the conference.
Speaker 2 (07:07):
Nice, good stuff, very good.
So let's get into our topics for the week then.
So we talked on a previous podcast about the SANS Difference Maker Awards.
We just kind of wanted to hit on it one more time, because the deadline for nominating people for the SANS Difference Maker Awards is tomorrow at 5 o'clock.
Speaker 1 (07:31):
Like, for example, there's a category.
I'm going to mention one, I'm going to mention more, but it's a category.
For example, just an example.
Just imagine.
Imagine there's one for podcast of the year.
Okay, and if you're interested, they say you can maybe nominate your favorite digital forensics podcast.
I'm not gonna say which one, but I think you can imagine which one.
Which one could that be?
Speaker 2 (07:50):
So yeah, nominate. I think the listeners have an idea of what you might be talking about. Yeah, yeah, just use your imagination, there you go. But the, um, the nominations are open until tomorrow at 5 pm Eastern Standard Time, and I'll just run through the categories real quick: Article or Book of the Year, People's Champion of the
(08:11):
Year, Diversity Champion of the Year, Innovation of the Year, so open source or product pool, Podcast, Live Stream, Video Series of the Year, Rising Star, Team of the Year, Practitioner of the Year, CISO of the Year, Cybersecurity Company of the Year and Lifetime Achievement Award.
Speaker 1 (08:28):
Well, at least I can tell you which cybersecurity company of the year is not going to get it this year.
I can tell you which one, the one that got me stranded in San Francisco, is not going to get it.
Speaker 2 (08:40):
Yeah, probably not.
Speaker 1 (08:41):
I'm going to make
that a safe bet.
They're not going to get it.
Speaker 2 (08:45):
You're probably right.
So another award that's closing soon that we've mentioned in past shows, but we'll bring it up again, is the Cellebrite Summit Digital Justice Awards, and I actually have an image to share for that as well.
Let me put it up here, and those are going to be closing on
(09:09):
September 24th.
I didn't take down a time for that, so when you go onto the website, just take note of the time on that day.
But it's September 24th and their categories are Digital Bridge Builder Award, Voice of the Voiceless Award, Mentor of the Year and Diversity and Inclusion Champion.
Speaker 1 (09:30):
Yeah, I mean, I think they had more categories before, they did.
Speaker 2 (09:34):
Yeah, that's all I saw on the site for now, but I think they did when they originally opened it up.
Not sure what changed there.
Speaker 1 (09:42):
Yeah, that conference is going to be in, in, in Washington, Washington DC, yeah, um.
So there'll be great, great talks there, um. So I, we're not attending, sadly, but, uh, it promises to be pretty good.
So nominate, nominate, uh, you know, nominate all the folks.
Recognition, recognition is important, and I say that because, you know, everybody wants to be recognized.
We would love to be recognized, at least me.
(10:02):
Heather is so humble that she don't care for that. Yeah, I'm all right. She has a fan club already.
She needs no more recognition.
But the thing recognition is, oh, it makes you feel good, but it also, uh, opens, uh, the audience up, right? When you're recognized and people that might have never heard of your thing or your program, your show, your product or your research now
(10:23):
they'll be aware of it.
More people will be aware and then that knowledge spreads.
Speaker 2 (10:26):
So I believe in that, just for the fact that we want folks to be informed and the good stuff that comes out of the community be more broadly known by others. So, yeah, I especially like the rising star category, because that's somebody who may have just started doing blogs or started doing research or started doing something, and to get a rising
(10:46):
star award, I would, if it were me anyway, who was the rising star, it would give me the push, the momentum to keep going and, and, um, keep improving.
Speaker 1 (10:53):
So, oh, okay, no, and imagine that this, this young researcher, and it's sometimes, I'll tell you, sometimes it's like you feel like you're screaming into the void.
Right, you put content out.
Is it hitting? Is people getting it?
At some level you do that for yourself, but it's also nice to kind of share and some other folks benefit.
So if you get that little push that you're saying, that's great.
(11:15):
I mean it would definitely motivate folks to continue to do what they're doing.
And yeah, please, please do, please do motivate and nominate all the folks for the categories.
Speaker 2 (11:30):
Uh, another that is actually, registration has just opened.
Not awards, but training classes.
So registration for IACIS 2025 is open.
I have a screenshot to share here too. My IACIS shirt. Ah, you do.
I should have worn mine, maybe next time I.
Speaker 1 (11:44):
I wore it like three days out of the week.
So when you teach they give you a few polo shirts for teaching, so I use them all the time now.
Speaker 2 (11:52):
So registration's open and the classes will run April 28th through May 9th.
Some of the classes are the full two weeks and then most of the classes are actually one week of the class.
You can choose to go the first week or the second week, but it's a two-week training event held once a year.
IACIS is, I think it's an awesome organization made up of
(12:14):
all volunteers, and some of the available classes: the Advanced Mobile Device Forensics, Windows Forensic Examiner, Cyber Incident Forensic Response, Mobile Device Forensics, Preparing for Lab Accreditation, Applied Scripting Forensic Techniques, the Basic Computer Forensic Examiner course, Computer
(12:36):
Forensics Real World, Managing a Digital Forensics Lab and Open Source Investigations and RAM Capture and Analysis are the classes that are open and available right now. And go ahead.
Speaker 1 (12:49):
And I highly recommend the mobile device, the advanced mobile device course.
Yes, the chair for that class is an awesome, awesome instructor that we all know and love.
Like I said, she needs no recognition, like I mentioned previously.
Oh my gosh.
Speaker 2 (13:04):
So she's my boss, but she does great.
Speaker 1 (13:05):
I love her.
Speaker 2 (13:07):
I'm not your boss.
Oh my gosh.
Speaker 1 (13:09):
She's my boss.
She runs the class. I teach at her pleasure, so that's how it works.
Speaker 2 (13:16):
But so for the advanced mobile class, if anybody's looking to get into the advanced mobile class, we were shocked to see the "come sign up for the class" notification dropped on the IACIS LinkedIn page.
So I went to look at the open seats and the second week is already almost sold out.
There's only two seats left in the advanced mobile class.
Speaker 1 (13:35):
I'm still not. Is that a glitch?
No, I reached out and I'm like, is this real?
Speaker 2 (13:40):
And I was told it's real, there's only two seats left in the second week.
The first week still has like four, I think 14 seats, but yeah.
Speaker 1 (13:51):
But Bill, Bill.
So Bill's in the chat.
He says sign up now, and you should.
Bill is one of the other instructors on the class.
He is, look, I will go. Just, I will go to the classes because Bill is there, all right.
So, honestly, Heather knows I'm being legit on this.
He's such a great instructor and has a great touch with all the topics that he teaches, so please go.
Speaker 2 (14:10):
Yeah, that instructor, that when you listen to them they like captivate you and you want to hear more.
That is totally Bill.
Speaker 1 (14:18):
Kevin says the mobile course is good.
Well, you know, of course it is.
Speaker 2 (14:23):
We think so, we think so.
Speaker 1 (14:25):
We do.
But okay, in a sense.
So at least we can speak about all courses.
We've taken a whole bunch of them, or most of them.
You have the BCFE still, or not yet, right?
Speaker 2 (14:36):
I don't, because I was going to go.
But then I started helping teach the mobile class and then teaching the advanced mobile class with you.
It's the same two weeks and I really want to take the class to get the certification.
But if I do that I'm going to have to step back from the mobile class for one year.
But we'll see.
Maybe I'll just do the certification without the class.
Speaker 1 (14:56):
Yes, I mean yes, and you do breeze through it.
I know how much you know and it'll be fine.
But the point I'm making is we're taking a lot of the courses.
I know you have a couple more courses you've taken.
The point is this. At least for the advanced one that we created, we made the point, and obviously Heather leading the effort in regards to where we're heading, to make the class not
(15:17):
just to, hey, look, press here and you get this stuff.
We try to go as root level as we can, in a way that makes it workable for the examiner, right?
You're not going to, we'll talk about that in a second, in the next section.
We want to make sure you understand the data structures and what to do with them, because at some point, using viewers and tools is not going to get you to where you need to go, all right, or to pull the thread all the way through, right.
(15:39):
And that's what we do in that class.
And, folks, I'll tell you straight up, it's a little bit of a challenge, but by the Friday everybody has learned something from it or a lot from it.
So I'm really proud of all the instructors and I'm proud of the course that Heather sets for us in the class, so I highly recommend the class.
Speaker 2 (15:58):
Yeah, we get a lot of questions.
I've had a lot of questions anyway about the class, like why, why would I ever need to do this?
And, um, that is one big thing we stress in the class, and we teach you and talk to you about the why with, like, real case, um, case examples, like why I needed a LevelDB file for a case, uh, when none of the tools supported it, or something similar to that.
(16:18):
But the why is definitely one of the biggest, one of the biggest things to explain in that class.
Speaker 1 (16:25):
Oh yeah, yeah, I see, I'm gonna say a little bit of the why, because now I've been, yeah, no, go for it.
You can do things one way all the time and that's fine, but that cannot be a little bit not doing your due diligence.
And then one time, when that's, there's gonna be one case that's gonna be in the news, it's gonna have scrutiny from the national press, and if you're on the prosecution side, for
(16:46):
example, the defense is going to be really high-powered lawyers and they will have, for example, they will have Heather after she retires and goes to the private sector and she will be the examiner for the defense, right.
And then you're sitting there looking at Heather and her qualifications and you're like, what did I do on this case?
Did I cross all my I's and dot it on my T's?
And you know, I mean, of course, the example.
(17:06):
I mean it's true, it's a true example.
But the underlying, the real thing of the, how to say this, the real thought behind the example, is not so much if you get a national case, you don't want to be embarrassed.
Okay, of course we don't want to, but that's not.
The important thing is that you want to treat every single of your cases, in a sense, as a national case, for you to have the knowledge to be able to quickly and efficiently treat
(17:28):
all your cases with the utmost care that each case deserves.
There's no case should be bigger than the other.
No person deserves more justice than the other person, right?
A famous person doesn't deserve more attention or more justice than a person that's not famous, right? And that's, I think, a big why, is we want equal justice.
That means we need to give equal and proper attention to
(17:50):
the details of each case.
With, how do we do that?
We don't have all the time in the world, then you do it by knowing what you're doing, being efficient, being, you know, conscious to what you're looking for and doing a good job.
That's how you do it, and to me, that's one of my big whys.
Speaker 2 (18:06):
I don't know if that makes sense. It absolutely makes sense, absolutely so.
Sign up for IACIS classes now, before they sell out, was our whole, uh, spiel on that.
Speaker 1 (18:16):
We, we just almost done, so you better hurry up for week one. Yeah, I can't, still can't believe that.
Speaker 2 (18:21):
It's insane.
Yeah, yeah.
So this week, an article came out from Belkasoft about iOS Telegram acquisition and database analysis.
I love this one.
It discusses some of the desired artifacts that you want to look
(18:42):
at from that acquired data, such as secret chats, private channels, deleted messages, previous versions of edited messages and other key artifacts.
But this article actually goes into how to read the iOS Telegram database, which, if anybody listening has ever
(19:03):
looked at the Telegram database, it is a nightmare.
It's just a nightmare.
I mean, you have experience with that too, right?
Speaker 1 (19:10):
Well, yeah, and you know it's, it's so we, we, we learn about little endian and big endian in our classes and nobody cares.
So maybe pay attention. If you don't understand the concept, you need it just to parse this, right.
They, they use the endianness in different places, different ways.
And, and a good thing about this article, and I'll tell folks, Yuri, you know, the CEO, president of the company, we interact on
(19:32):
LinkedIn a lot.
I give him crap every now and then, he gives me crap.
I mean he's a, he's a good guy. I was gonna say you give it to each other, yeah, yeah. No, but it's all, it's in good, good jokes, good jest.
But I will say this, say this: I give companies crap, but I also give them kudos when required.
I've seen a lot of this type of article from other companies that say, hey, let's talk about Telegram acquisition.
They say, well, what you do is you connect your phone to my
(19:54):
tool, you're going to press the button and these are the things the tool gets.
Okay, that's not helpful at all.
Yep, nope.
So what Belkasoft did is actually tell you, look, this is how the database looks, this is how the fields look, and where are you going to switch that endianness in order to understand what the message is?
And true, you could go, because Telegram source code is open
(20:16):
source.
I believe the code is out there, you can read it, but not everybody will be able to read it and understand it because they don't know code.
But articles like Belkasoft's bridge that gap between what the source code says and what the applicability is for the examiner, and I would hope these articles, like these, motivate examiners to learn a little bit of code, to go that next step.
(20:38):
You see how the Belkasoft engineers went and understood how to do this.
Then you can do it too.
You can go that step further and kind of validate that work.
So I give him a lot of credit for the article.
I wish more articles were put out. That's why I said on LinkedIn, put out by the vendors: don't hide the ball or just tell me the tool does it and then hide
(21:00):
the ball on how it did it.
Speaker 2 (21:01):
Yeah, I definitely want the how, how you did it, especially when you need to validate artifacts, specifically from Telegram.
This article will come in handy when you go to validate artifacts.
It lays out how the database is laid out.
So if you're looking to see if something that was parsed from the Telegram database actually is what it says it is in the
(21:22):
parsed data, you can go use that article in conjunction with the database and verify.
Speaker 1 (21:28):
Look, and I believe that the parsing shouldn't be a black box, right?
I understand why it is, and by black box what I mean is like a process that you put data in and data comes out and you don't know what happens inside that box.
I don't like that for parsing.
That's why even the tooling that I have put out there with the community is open source, so it's transparent, and, and the
(21:49):
parsing at least, I don't think it needs to be dark like that or hidden.
I understand trying to hide how you get the data, how you, you know, kind of, get, gain access, lawful access to devices.
I understand that, but after the data's out, how you go about it, parsing it, shouldn't be a secret or a mystery.
Um, we need to validate that.
So why, why are we hiding this?
(22:10):
So Belkasoft has done a good job with their article and I encourage everybody to go read it and get familiar with it. Yeah, definitely.
Speaker 2 (22:19):
Um, so Catherine Headley has a script called Parse USBs, and I'm actually going to share my screen for this one.
But let me tell you a little about it first.
It automates USB artifact parsing from the registry and event logs.
It's been updated recently for event logs, specifically event ID 1006 in the event logs, but it will pull all of the USB
(22:45):
artifacts out of SYSTEM, SOFTWARE, NTUSER, and I saw her post on it and I'm like, all right, I'm going to go try this and see how easy it is.
And it is super easy to quickly triage for USB artifacts.
So let me just pull up the window.
There we go. So install the dependencies, it's all right in
(23:15):
her blog or on her GitHub page, and then it is a simple script to just push it out to a CSV.
It runs in seconds.
So if you're looking to, I see, I see. I see Python there on the screen, right? Python, yes, yep. Yeah, simple Python script to run, and let me share the output.
(23:35):
Literally takes seconds.
I love this as a triage tool if you're, if you're, um, parsing the data or parsing the E01 and you're waiting and waiting and waiting. Open this up quickly.
Take a look at the USB, and I have a little sample here.
There it is, so you'll get a nice spreadsheet.
(23:57):
I have the device friendly name, the serial number, first connected, last connected, last removed and last drive letter if it's there, volume name and all of that data in a matter of seconds.
Speaker 1 (24:13):
Yeah, and it's pretty neat.
I mean, it's not so much that, look, that data has been known for years and years and years.
It's not just there.
But the fact that you're able to quickly, in a command line, really easy, pull all that out so quickly, and it can save you hours of work just by pulling that script out.
And it's free, you don't have to have an expensive tool to get
(24:34):
to it.
So that's pretty neat.
Speaker 2 (24:35):
Right, and she updated it to add the event logs there for the USB artifacts.
Speaker 1 (24:39):
So that's awesome.
That's awesome.
Speaker 2 (24:43):
Um, I put the blog up.
We'll have that in the show notes too.
But there's also, um, she has the GitHub where you can go get the script, uh, read about it, install it and.
Speaker 1 (24:53):
No, good deal.
Good on Catherine for putting that out.
Speaker 2 (24:58):
All right. Another article: Cracking OneDrive's Personal Vault.
I'm going to let you talk about this one.
Speaker 1 (25:09):
Yeah.
So Brian Maloney, he's made his thing, his thing is understanding OneDrives and how they interact with your computers and different systems, and he has done such a great job.
He has some scripts to actually pull out relevant forensic data, forensic value, from OneDrive.
So he's trying to think, okay, so there is a personal vault that comes with OneDrive.
And he's trying to think, well, this personal vault, where is it?
(25:32):
What's the structure behind it?
So in the article, I'm going to paraphrase it so folks will read it to get the full story, he figures out that the vault is nothing more than a VHDX, right, VHDX?
Yep, it's a virtual hard drive for Windows that is BitLocker
(25:53):
encrypted and it sits at a particular location.
So what he did was he tried, okay, let's mount it, give it a letter and use the command line management, I forgot what the command is for dealing with BitLocker drives, and see what we can get.
So he did that and he tried to collect the keys at that point, but he couldn't.
So he went to another process in order to be able to collect
(26:14):
those keys and he did.
It's pretty neat because then he closed the vault and with the keys he was able to open it again.
So there's a couple of things here that are useful for everybody.
If, at least the way I, this is the way or my takeaway from this article is, if you go to a computer that has OneDrive, right, and it's on, don't just turn it off, because if you turn it off
(26:40):
that one, that drive is open, it's going to close and you're done.
You're not going to get in, you're not going to. Just, I mean, you can try brute force that BitLocker thing, but good, good luck, okay.
So if it's open and it's on, then use the process that, that Brian describes and get those keys out.
Okay, you have to have administrator access to the system as well, and the drive has to be open.
If it is, you can pull those keys out, put in your back pocket,
(27:02):
seize the device, and then at the lab you can, at your leisure, easily open it and do whatever you need to do, okay.
Okay, if you have enough time to be able to do some extraction on site, then go.
You know, that's an examiner. You should make those calls, but he has a, a, a GitHub doc. You know, his GitHub has all the explanation how to do that, how to get that BEK, that, that, that, that key for the drive,
(27:25):
and you're off to the races.
It's pretty neat.
Speaker 2 (27:27):
Yeah, that's awesome.
So another article that came out in the last couple of weeks.
I hope everybody had the chance to read this.
If you didn't, you have to.
So Brett Shavers put out another article.
Love all of his articles, plus, of course, his books, but this one is called
(27:48):
Today I Rant.
There is so much to talk about in this article.
So many topics are covered.
We're just going to kind of go over a few of them.
But the first sentence in this article is so true.
It's, um, DFIR standards are a mess, confusing, convoluted and chaotic disaster that's doing more harm than good.
Um, do you need certifications?
(28:09):
Do you need a degree?
Do you need classes?
What do you need?
Um, and I would have to agree with this. Like, what do you need?
There's so many different trainings, so many different classes, so many different degrees, so many different acronyms after people's names.
How do you know? How do you know what you need?
Speaker 1 (28:26):
Yeah, and it's so hard because, so, you know, during voir dire or whatever, you are in court, you know, you're asked a series of questions and the judge will decide if you were able to speak on that topic.
And my experience is that at that level you don't need a lot, a lot, right, as long as you have a few things.
And then these experts, quote unquote, get thrown to the jury
(28:50):
and then the jury has to decide whether they're being credible or not, truthful or not, and that's tough.
That lack of standardization, um, makes the determinations to be, uh, to be really subjective.
I mean, again, we'll say this, we have to say it: neither Heather nor myself speak for our agencies.
All we're saying, uh, is personal, it's an opinion as examiners, has nothing to do with the people that we work,
(29:13):
work with, and we do not represent them with our policies.
Okay, thank you.
So, uh, so, uh, so you've got that down.
Speaker 2 (29:19):
Oh yeah, no, I'm going to say it every single show.
Speaker 1 (29:22):
So, uh, so yeah.
So I was saying, oh yeah.
So I was saying it's, it's hard, right, there's, there's no standardization, and then it's really subjective and, in my opinion, a lot of people that are claimed to be experts, they're anything but experts.
There's like some of them are just guns for hire, and it's
(29:42):
quite hard.
And then the education system behind it.
Speaker 2 (29:43):
How do you get there is also a mess, right? Yeah, yeah.
So I mean, in the very first paragraph of the paper, Brett talks about universities and the headline that he has for that section is stop promising a rose garden.
So I mean, I love that. Students leave college. They don't possess the skills to work in DFIR, in my, in the digital forensics realm, and in my opinion, they need the real world experience.
(30:04):
And I mean I sometimes feel like universities sell it as come, get our degree and then you're gonna walk right into your job and be proficient at doing a job in digital forensics, and that's just, it's not the case.
Speaker 1 (30:17):
Yeah, it's a bed of roses. Without the roses you only get the thorns.
Speaker 2 (30:22):
Yeah, absolutely, and honestly, I speak from personal experience on this one, because my master's degree, like, I learned a ton. I'm never going to say I didn't learn a ton, but it did not prepare me for what the job was going to be at the state police. Not even a little bit. And I know you, you get those skills from various different sources, it's not just the university.
(30:43):
But I thought when I went to college that I'm going to get this degree and I'm going to go in and know what I'm doing.
Speaker 1 (30:48):
And no, not at all, and I heard from universities that, so they have a course in forensics, for whatever it is. And then it's the, like, the math teacher teaching it. Like, what does this person
Speaker 2 (31:00):
know about forensics?
Speaker 1 (31:01):
Yes, like nothing. You just teach math and they put you there because they didn't have anybody else, and it's, it's, it's ridiculous.
Speaker 2 (31:08):
You know the students are not being served. Yes, in my notes I put: teachers providing the instruction lack the real world experience to be teaching in an effective manner. And that is so true. And maybe somebody who studied it, studied it but never put, put it to practice, right, and you can't effectively teach that way.
Speaker 1 (31:27):
I think the real world experience is invaluable, so, and if you're listening to this and you're in a degree, right, you don't know what you don't know. So how do I know I'm teaching all that I need to teach? Well, you need to do something. You need to, I believe, reach out to, to, you know, examiners in your area, and I, you know, folks that reach out to me all the time, and of course I do it as time permits and, you know, try
(31:48):
to advise them and kind of give them some guidance in regards to what they're, what classes they're taking, what content they're receiving and if it's good or not. And then you can maybe work on that, either by reaching out to the university or yourself doing your own research. But we can't just blindly depend on the certification or blindly depend on the degree and assume that we know what we need to know.
Speaker 2 (32:08):
Yeah, and definitely, if I had to give a piece of advice to a university, when it comes to digital forensics degrees, the curriculum has to be up to date. You have to have, you have to change the curriculum as things change in this field, and I feel like that doesn't get done quickly enough at some, some of the universities.
Speaker 1 (32:28):
Well, yeah, I mean, if you think about it, most universities, how can I say this? So certain sciences are pretty, pretty standard, established, right. And you say, well, let's say Windows forensics, it changes, yeah, I mean not at light speed, but certain areas of forensics, like mobile forensics, they change month to month, right? Yes, sometimes weekly, and the curriculums are not keeping up
(32:50):
for many reasons. So, yeah, you're absolutely correct.
Speaker 2 (32:54):
Yeah, the next section of his article actually talks about vendors. Uh, the headline for this is something we talk about often on the, on the show, but "quit with the magic button." I think that this is one of the best headlines for the paragraph, but please, please, please stop selling the magic button. Uh, the training from the vendors needs to include the
(33:16):
fundamentals. We talked about this last week a little bit. But the why behind what we're doing, why the tools are doing what they're doing, what the tools are doing, it has to be on par with what we're doing for work, or we're never going to be able to testify to these artifacts if we don't know the why. I think the training is becoming too watered down.
(33:36):
I think I said that last week too.
Speaker 1 (33:38):
Yeah, yeah, but this is a point, I don't know if we made it last week, but if we did, we'll make it again. That type of mentality where the vendor is pushing, and vendors have, most vendors have some powerful PR behind it, right, they put a lot of effort in marketing because they're selling a product. They have to do that. So the marketing is pushing to the examiner body in the whole planet that, hey, look, if you use my tool, you easily are
(34:04):
going to find these things and you're going to quickly be able to master and do certain things, right. And that mentality is coming down to the examiners, and examiners consciously or subconsciously eat it up when they come and believe, well, these tools are broadly accepted now at courts. Right, I just need to run it and it goes. I don't even have to explain it, why. Why do I have to explain how a tool works? The court knows how it works. They've seen it a lot before.
(34:25):
And I just use it and I'm being an expert, I'm doing what I'm actually expected to be doing, and that mentality comes from that product as a service that vendors sometimes give, and that's not how it should be, and it's a big, it's a big problem because sometimes the tool, um, will be wrong, the tool will not show you everything, like.
(34:45):
At that point, we said last week, yeah, so instead of developing this, oh, by the way, folks that buy into this thought process, they resist, actually resist being able to do more work outside of that tool. They're like, well, why do I have to do that? I mean, I don't have time for it. I got so many cases. I mean, come on, this whole push the button and you get all
(35:07):
you need is a fallacy, and it's going to bite you at some point and it's going to affect your cases at some point. And we're not saying don't use tools. Use the tools. Automation is important. You won't be able to do work without it, right, but you need to validate what's important, your smoking gun, even if you use that tool a million times. I had some cases, and I'm not going to mention from where or who, but one of the tools shows some chats and another tool
(35:32):
showed more chats, and by hand we found even more chats. So, so the two tools show us.
Speaker 2 (35:43):
Each one showed us more, but both didn't show everything, right? Right.
Speaker 1 (35:45):
So, so my, my examiner friend, which we know from IACIS, and, and Heather knows, I haven't, I'll mention who the person is later, but, um, the person was telling me, look, I had to, I found more, even going by hand, because the two tools that I was using were getting me partials, right, even if they were not, uh, you know, they were distinct from each other, didn't have everything. So, so no, that, that mentality I, I push back. I want to push back on the vendors.
(36:05):
Um, vendor, tool centric, "we will give you what you need," it's, it's all, I'm going to push on it, and we, as a community, we should push on it. Don't come at me telling me that your 12 day or seven day or whatever, two week certification is all I need to be an expert. No, you're not an expert. You took a forensic class for two weeks. That's what you did, and you learned a lot, but you're not an expert. That's by no stretch of the imagination, just because you
(36:27):
got a company's logo in a piece of paper with a signature from some person. That, who knows who that person is? Right, and I feel really strongly about it.
Speaker 2 (36:37):
I think even scarier than examiners believing that there's a magic button or they only need two days of training and they're proficient, is the command staff believing that because they're seeing the latest poster out from the vendors that says we can get this all done. Clear your backlog? And I mean people who don't work in digital forensics but maybe up the chain, they just, they believe it.
Speaker 1 (37:01):
Well, and that mentality that the vendors push infects the mind of the examiner, but it more easily infects the mind of the management staff, because they're not examiners. Now the question is, and Jeremy's hitting the nail on the head, should the fundamentals, then, be the responsibility of the vendors? Well, depends, right, because if you're telling me you're going to make me an expert in a week, then you need to teach me
(37:21):
the fundamentals, because there's no. What's an expert? An expert is not magic. It's a person that knows all the fundamentals, all the basic stuff, knows it enough and knows it so well. And knowing all the basic stuff, that's what makes you an expert. There's no magic to an expert, it's just you knowing all the fundamentals like the back of your hand. So how can you be an expert and not have the fundamentals?
(37:43):
That's what makes you an expert, if that makes sense.
Speaker 2 (37:47):
I think I get a little bit of what Jeremy might be saying too, though. Like, so okay, I went in with a master's degree in computer forensics. I should know the fundamentals already. But if we apply it to a law enforcement agency, they're taking a road officer off the road and saying, here, you're doing digital forensics now. So they need to be able to get their fundamentals from
(38:07):
somewhere. If it's not going to be the vendors, the vendors just need to make that clear so we can make alternate arrangements to make sure that those officers are adequately trained to be able to do digital forensics.
Speaker 1 (38:19):
Well, and that speaks, I agree, and that speaks to the point Brett is saying. What a mess it is. There's no standardization, right. Every agency is out there for itself. Some decide to have vendor courses only. As long as you can fulfill these 10 vendor courses, there you go, go and testify on it. And we've seen in many disciplines, to include Utah Forensics, where a big case comes up and they put that expert there and it's an embarrassment, and the person did what they
(38:42):
were told to do. They pressed the right buttons. Under cross: well, why did you press that button? Why didn't you press this other button? Wouldn't, in the circumstances, this other approach be correct? The person doesn't know because they were never, they never. How can you know if you were never taught that or at least researched it yourself, right? So again, it speaks to Brett's point of why lack of standardization nationally,
(39:02):
it kind of hurts. The best we could do, I guess, and you tell me what you think about this, is kind of recommend to, you know, folks, take a, a hybrid approach. Make sure you get somebody to lead your lab, your sergeant or the lab, or the director, to actually have a really broad experience in the field, and then make maybe a hybrid curriculum where you have some vendor courses, which are needed.
(39:22):
I'm not against vendor courses. If I want to use a tool and I'm certified by the tool, that's a good thing, right, because I'm coming from the source how the tool works. But then also in-house, or organizations that are really good at it, again, like IACIS, they're really good at certain fundamentals, then integrate those with vendor courses or internal courses that you develop to then holistically
(39:43):
create a well-rounded examiner. Because the days of explaining the tools, they're not over just because they're used a lot in courts. They, they're just starting. And we've seen cases this year where the main point of contention of the case is how we interpret the report, the tool report. What does the tool report mean? And they even bring the tool report vendor to speak at trial,
(40:06):
and so what? That still becomes a contention point. So just because you use a tool doesn't mean that you won't have to explain what's happening behind the scenes on that.
Speaker 2 (40:15):
Yeah, definitely. There's a bunch of other headlines in his article. You have to go read it, but I'm just going to hit a few more. So, training and education: he talks about how there's over 400 college degree programs, over 500 continuing education programs, over 50 large private training vendors and over 400 smaller niche training vendors in the USA alone.
(40:37):
How do you pick what you actually need? So, honestly, without real world knowledge of the job that you're doing, if you're just starting out, you'll never know what you actually need, because everybody's training program is going to be the best. This is the best training program, you have to take this training program, and by the time you're done with it, you've taken so many training programs I wouldn't even know what was
(40:59):
going on, because the vendors and colleges, they're looking to sell you anything. So, whether it's in your best interest or not sometimes, and it leads to great qualifications on paper but not so great qualifications to do the job, in my opinion.
Speaker 1 (41:14):
Yeah, and mentorship needs to, I mean, mentorship fills those voids most of the time. And again, if you're a person coming into the field, don't be discouraged. Right, as you go into the field, your lab, your place of work, look for mentors, look for the folks that are being efficient, that are being serious about their job, and you can pick them, you can tell them apart. It's really easy. And try to, you know, go under the wing to then get that, get
(41:39):
that knowledge, get mentors. Mentors, like apprenticeships. Back in the day, you know, say in the Middle Ages, for example, you know, or before that, because there were universities then. But before universities existed, how did knowledge get passed on? What's an apprentice? I have apprentices, right. The person that knew how to deal with wood had, you know, the carpenter had apprentices. The guy that dealt with masonry, right, and they have
(42:01):
associations for masonry, right, and kind of develop that knowledge. Just because we have degrees doesn't mean that that human way of transmitting knowledge is old and outdated. We call it mentorship now instead of an apprenticeship, but it's the same thing. Be mentored, be an apprentice, learn from the experience of those that come before you, and I'm telling you that will be way
(42:24):
more educational and important than maybe your four year college degree thing.
Speaker 2 (42:28):
Yes, I agree, that's just a fact, you know, I agree, definitely. Um, Brett in the article says certifications and he, uh, he calls them a pyramid scheme. Um, it's, I, I find that one to fit quite well. Uh, he says they're just expensive pieces of paper. Um, so certifications have their place. Obviously, you, they have to have certifications and some
(42:49):
stuff. You have to show that you know how to do certain things, use certain tools. There's some certifications that really hold a lot of weight, but I'll tell you, there's people that I know, um, in this field actually, um, I know them very well. They don't have all the fancy certifications, they didn't go to all the expensive trainings, and they're some of the brightest people that I know. They're self-starters and they take the time to learn and
(43:10):
absorb as much source material, open source material, as they can. They test things, they do online free trainings, they know how to use Google, and they prove that the number of trainings and certifications that you have, it maybe doesn't matter as much as you think it does.
Speaker 1 (43:26):
Oh, absolutely. And again, you know, a person that reads about it and a person that does it. But they both learned.
Speaker 2 (43:32):
But the one that does it definitely learns more.
Speaker 1 (43:35):
That's just how it is. And that doesn't change in this realm. Do I believe it will get more standardized? I think so, at some point, as the field becomes more and more mature, there will be some sort of, I think, normal push for it. An example I discussed with some other examiners is if you want to become a doctor, right, you, you know you're not just a
(43:56):
doctor, but you could, you're certified in being a doctor. You have to go to the board exams, right. Yeah, there's a body that, that nationally makes sure that you're actually a doctor. Or you're actually an engineer, right, an engineer that makes bridges or buildings, because we want to make sure that that building doesn't fall on the top of our heads after this dump. You know, I mean so, you know, there will be some certification
(44:16):
bodies, I think, and this is me opining, that will be built as the field matures. But between here and there, we gave you some ideas on how to do that. Right, get your studies, get your certs, but get your apprenticeships, get mentoring, do your research, be a self-starter, test things out yourself. This field allows for that and actually recognizes that.
Speaker 2 (44:38):
Brett has in his article that CTFs are time killers. I agree with this one. Some of them, depending on what the content is, if it's not completely relevant for you, could be a time killer. He says that winning a CTF is cool, but is it strong on the CV? And I think a CTF can be a great learning experience. So they teach you about the unparsed data. You have to go find the answers.
(45:00):
They're not going to be parsed and right there for you, um. They teach you what you're missing, um, by just hitting the button and, although they might not do too much for your CV, I still strongly recommend participating if you have the time, because they, they are time consuming.
Speaker 1 (45:14):
I, I see CTFs as fun and bragging rights. That's it. Yeah, yeah, that's it, um.
Speaker 2 (45:21):
I mean, oh, could you learn things? The CTF king here: "This makes me sad." Well, why?
Speaker 1 (45:29):
Why, why is he sad? If there's a person that can brag a lot about winning CTFs, it's him. No, I mean, so why? Why would we brag about it? Well, you have to know certain things, true, yeah, you need to. You need to know about where things are and, and to a certain point, at a certain point, what they mean. The thing that I, I say more bragging than education is
(45:49):
because a lot of the questions, how they're made, you know, know, they're so, like, convoluted, you know what I mean. Like, you're trying to get you to the answer without giving you a legit question, and then the jump from knowledge, I'm sorry, from the answer to the actual knowledge, it gets lost, right? People that play CTFs will understand when you read the question, like, what's the answer for this question?
Speaker 2 (46:11):
The question is sometimes a little bit opaque, so at some point it becomes, uh, you know, like a blind hunt. I feel like, at the end, though, when people do those write-ups on what the answers were and how they got to the answer, that, that's invaluable training for anybody. So Bill says CTF is additional on-the-job training. I agree, while you're doing the CTF you're learning things, but it, it's when you have that write-up to see how people came to
(46:32):
the answers. I don't think you ever forget those artifacts, because you're like, I can't believe I missed that, and it was so easy to find with this detailed explanation.
Speaker 1 (46:42):
Well, and true, I agree 100 percent. But so I'm okay with reading those without doing it, so I can learn without putting the hours. But that's the whole point, right? Do we have the time? I mean, most examiners, they have a lot of casework, and I'm lucky I don't have an insane amount of casework because I'm not a local agency. So I see less devices. Now, the devices that I see, they're usually more complex, but this is the point.
(47:03):
You don't have the time. Folks don't have the time to do with that. If you're in the field, right, right, but folks are able to put that time in because that's their hobby or their fun time. Hey, look, put some write-ups, like Heather's saying, share with the community, and then me, I will read them and learn and benefit from it. So I appreciate you all.
Speaker 2 (47:20):
You'll find those artifacts forever because of the wonderful person that wrote it up.
Speaker 1 (47:24):
Oh, many times that Kevin has come out. I find, like, oh, I think Kevin or somebody, and then I Google it, but it put the bug in my head that such a thing exists.
Speaker 2 (47:33):
Right, right.
Speaker 1 (47:35):
And then I use it to a good benefit in a case.
Speaker 2 (47:37):
Yeah. So a few other topics that are in the paper. I'm not going to, we're not going to go into detail on all these. Read the paper, though. It's great. So, tools: the never-ending parade of buttons. Skills needed: a checklist from hell. Cost of entry: stop whining and start fighting. And then the problems: a broken system that we allowed to happen. And the solution: time to burn it down and start over.
(48:01):
So, honestly, how do you know what you need? Which schooling, which training, which certifications? Which acronyms do you need to have after your name? Which tools do you need to get the job done? The list is never ending. Your guess is as good as mine. But I recently heard that the Scientific Working Group on Digital Evidence is actually working on a project to address
(48:21):
some of the issues that are outlined in this paper, to come up with guidelines to make these decisions on what is needed. So if anybody has ever thought of contributing to the SWGDE scientific working group, give them your thoughts. I think, as a community as a whole, we all need to contribute to something as big as a topic like that.
Speaker 1 (48:43):
Oh, and that organization is legit. I know some of the folks that, you know, participate, you know, in the organization, and the products, the documents that come out of it, I highly recommend them to integrate into your workflow process. So, yeah, be part of the solution. I mean, I know we kind of whine a lot about the problems here in this podcast, but we can also give you ways of becoming the
(49:06):
solution. Be part of SWGDE, become an apprentice and become a mentor as well, both sides, and help start to develop, put some order into this field, some logical, scientifically based order in the type of work that we do. Yeah, good stuff. All right. Yeah, definitely read the article. Read the article. It's really long, it's really good, yeah, so, yeah.
Speaker 2 (49:29):
So last week, or the last podcast a couple of weeks ago, we talked about Lionel Notari's Logs of the Week. He's doing the Logs of the Week, and the Log of the Week this week is the iOS Unified Log of the Week. Yes, that's what he does all of his research on, so the iOS Unified Logs. But he's picked a log for each week, and this week he wrote up,
(49:51):
did a little write-up about touch events. So the iOS unified logs save your touches on the screen, and the blog indicates the logs that you should investigate and the identifiers to look for that relate to the touch artifacts. Two of them that he mentions in his write-up are touch events and attention awareness. And then he also addresses timestamps found in these logs.
(50:16):
The timestamps are actually seconds since last boot, and they're reset when the device reboots. So check out his Logs of the Week. Very cool stuff.
Speaker 1 (50:26):
Yeah, I think. I think, if I read it correctly, that the log keeps track of, like, where in the screen was a touch happening, I think like a coordinate type of thing, and that to me is pretty wild.
Speaker 2 (50:35):
Talk about user attribution. Yeah, I mean, I can't.
Speaker 1 (50:39):
I would never even imagine that was there. Yeah, I don't need to, they touched the little right corner, or, you know, two inches from the top and four from the left. It's crazy, and I appreciate his series, um, because going to those unified logs and pulling value out of them, it's amazing, and that can then be automated in a tool to find them easier.
Speaker 2 (50:59):
You know, faster, but the actual blog post helps you with understanding and then be able to validate some of that, some of that product. Yeah, so we are at What's New with the LEAPPs, so there's some new artifacts that have been added to the LEAPPs in the last couple of weeks.
Speaker 1 (51:16):
Yeah, there's been an expert developer lately who wants to work in artifacts, and it's a she. She is amazing and doing all sorts of things lately. Do you tell us who that person is, Heather?
Speaker 2 (51:28):
I'm doing more of it. It's so much fun.
Speaker 1 (51:31):
Right, see, look everybody, it's what, September 12th, 6:51. Heather said that doing artifacts in Python is so much fun.
Speaker 2 (51:40):
It is, and it's frustrating, but it's so much fun. So, yeah, so I was working on a case with a coworker this week. We found some artifacts that were going to be important and they aren't parsed by the tool. So what do you do? Just take a picture of it? I mean, no, we have to figure out how to pull that data out and pull it out in a manner that it's going to look presentable
(52:03):
for court presentation.
What I worked on with him this week was Life360 driver behavior reports, which I didn't even know were in there, but I kind of knew that Life360 had that feature where it would kind of monitor your driver behavior. So this was in an Android device and the artifact is
(52:26):
located in the Life360 driver behavior and trips directory, and it's stored in a JSON format. Inside of the JSON format, I'm going to actually share a little picture of the.
Speaker 1 (52:43):
This guy JSON, he's everywhere.
Speaker 2 (52:45):
He's a little bit of a pain.
Speaker 1 (52:49):
All right. No, JSON is good. I wish everything was in JSON.
Speaker 2 (52:55):
So I had fun doing it, but let's just take that off there, all right.
So inside of the JSON is trip events, and with the trip events there's a trip ID, timestamps and then event data. So for the event data you have a trip start and a trip end, and
(53:17):
in between the trip start and the trip end for each trip there are events such as distracted, hard braking, rapid acceleration and speeding events. There may be more. That's all I was finding in the data that I had to look at. But each trip has the trip start and the trip end, and it also has a trip ID that ties all of the artifacts for one trip together.
(53:37):
The time, the latitude, the longitude and the speed at the time of the event are also recorded. So if you look up on the screen, and I'll explain it for people who are listening, the ALEAPP artifact is going to parse the trip events and the trip waypoints. So for the trip events, you'll see on the screen there's a
(53:57):
timestamp, the event type, latitude, longitude, speed in meters per second, and then I created, because I wanted it for my data, I converted the meters per second to a column for miles per hour. Then there's top speed, average speed, distance, which is in meters, and then the trip ID. So each event is logged by the trip ID, and then there's a
(54:20):
section at the bottom of the JSON for each trip that has waypoints. The waypoints don't have a date and time, so you don't have the exact moment they hit the waypoint, but there's a latitude, a longitude, an accuracy in meters, and then it has that trip ID to tie the waypoints to the trip events. So if you plot all of this out on a map, you can actually see
(54:44):
in Google Earth, you can see the trip events with the dates and times, and then the waypoints just fall where you would expect them to fall in the trips.
Speaker 1 (54:52):
Well, and I would say it would be a little bit of more later on, a little bit more math, right, because if we know when we start, when we end and we know the speed, right, then we should be able to calculate, you know, pretty much where each point's falling, at what time, with a little bit of more math, which we can do at least down the road. But that's amazing that this type of data is not being parsed
(55:13):
by the commercial tools. It's just mind-boggling, because the importance of this data goes without saying.
Speaker 2 (55:19):
Yeah, definitely, especially if you have no location data. I mean, this is the feature that you turn on in Life360 when you set up the app, and you may not even realize you turned it on. And then if the suspect turns their locations off in the future, you may not have any of those good locations, but this is still logged in the driver behavior every time one of those
(55:41):
events takes place.
Speaker 1 (55:44):
Yeah, that's amazing.
Speaker 2 (55:45):
Yeah, and then for this, so specifically for my case, I wanted the latitude, longitudes for the trip events and the waypoints all to be each in their own CSV for each trip ID. So that's the way the script is written for ALEAPP, is it combines, uh, based off of trip event for the events and then the waypoints for each trip. That's awesome,
(56:08):
and did you make it to create a KML for each? I didn't do the KML. You're going to have to help me with that.
Speaker 1 (56:14):
Oh, that's easy. That's so easy. It's one line of code, literally.
Speaker 2 (56:18):
Oh, perfect. Well, you help me and tell me how to do that, or push me in the right direction, and I'll do it. And I will do that, because I actually was bringing the CSVs in and then creating my own KMZs from Google Earth.
Speaker 1 (56:30):
Boo, we can do that with ALEAPP automatically.
Speaker 2 (56:33):
Oh, perfect. It worked for me when I needed it, though.
Speaker 1 (56:36):
Oh, no, no, no, well, but this is the thing I'm saying. Boo, just because I'm giving you a hard time. Oh yeah, I know. If you're able to get, like, look what Heather just did, which is take data. That's easy peasy, my friend.
Speaker 2 (56:52):
Yeah, easy peasy. In the words of Alexis, easy peasy. He says that to me and then I look at the data and I'm like, there is nothing easy about this. What are you talking about?
Speaker 1 (57:03):
Look, at least I got to say it was fun. So we're getting there. It was, and.
Speaker 2 (57:07):
I may have gotten picked on a little bit, because it's what I did all day Saturday.
Speaker 1 (57:16):
Hey, look, you want to see a Friday night, an exciting Friday night at my house. It's your.
Speaker 2 (57:20):
Saturday, but a Friday night, but I really had fun doing it. I haven't put it in ALEAPP, but I'm going to put it up tomorrow for Kevin or Alex to check over, make sure I didn't miss anything. So it should be in ALEAPP by tomorrow sometime, hopefully, maybe the weekend, whenever they get a chance to look at it.
Speaker 1 (57:36):
Oh, absolutely.
Speaker 2 (57:38):
Shannon and Caleb are just saying, and we're investigating this now, but it would be interesting to find out what requirements are for each trigger, and I agree, we're actually working on the research for that now, trying to figure out exactly. I have Life360 on my test phones and we're about to drive around and figure it out, so maybe on a future podcast.
Speaker 1 (57:58):
I hope it's time, you know, like every two minutes or something. That's my hope, so that makes it easy.
Speaker 2 (58:03):
It doesn't seem like that, based off of the data, but we can still hope for that. We can still hope for that.
Speaker 1 (58:08):
Hopefully it's not something too complicated. But yeah, that's that, I mean, and for the folks that are listening, like, that's the point. Right, you have the data and if you're able to kind of determine how does, how does, how they even, how does the device record it and why, that also gives you a whole nother set of understanding of what happened in the past and you can recreate that in the present. So that's research that needs to be done, so that's awesome,
(58:28):
yeah, um, iLEAPP.
Speaker 2 (58:30):
There's some additions to iLEAPP too, so the oops chat parser in iLEAPP. The oops chat was needed for a case in my office. Again, we find messages that we need for court, and how do you get them out? Write some scripts, because I'm learning how to do it, and it works wonderfully. It's all set. The report is ready and it's now available in iLEAPP for
(58:51):
anybody who comes across the oops chat, which, that was a first for me.
Speaker 1 (58:56):
I've never heard of it, and everybody, I mean, nobody, no examiner will have heard of it if they only run the tools that they have, because it's not supported, right? So that's a good thing about these community tools, is that we'll put stuff in that. That chat is important until you see that as important. That being said, right, the thing we recommend is, you know, don't just depend on your main tool and the LEAPPs to then do
(59:18):
your work, right? Um, part of the things that we teach in our class is, and I take two seconds for this, have a process. I run this stuff through my tools, and part of my process, for Android, is manual. I say manually, manually, but visually. See the data/data folder for bundle IDs that are unknown, and for iOS, iLEAPP throws a list of all the bundle IDs that I have for
(59:39):
that device, and I go through them, you know, in five, ten minutes visually, to make sure there's one that I haven't recognized, because the moment I do that, then I know I need to go deep, dig deeper in this case or this device. So have a process to make sure that you don't miss stuff.
Speaker 2 (59:56):
Right, so another iLEAPP addition. Heather Barnhart did a blog about support for iOS 17 plus message retention settings, and that is now supported in iLEAPP. So it was the week of the Heathers for the What's New with the LEAPPs.
Speaker 1 (01:00:16):
Yeah, and I don't know if we talked about it last week. Maybe we have, but retention has changed from iOS 16 to iOS 17. And especially on 17, you will still have the old retention plist, but it's going to be wrong. You cannot listen to that plist. I mean, you can't really listen to it. But the entry in the plist that worked for iOS 16 will still
(01:00:38):
be there, but you have to ignore it. You have to look for the key that's applicable to iOS 17, and the LEAPPs now do that. Um, it was Kevin that did it, so you know, it's good stuff. All right, we're on to everybody's favorite time, the meme of the week.
Speaker 2 (01:00:53):
Let me pull that up.
Speaker 1 (01:00:54):
And before we pull that up, so Brett just showed up to the chat. I know he's late. We talked about your article. Sorry, so you will have to catch it on YouTube or on the podcast and listen to the part. So, yeah, sorry about that.
Speaker 2 (01:01:09):
We talked about it a lot too, so all right, meme of the week.
Speaker 1 (01:01:13):
What do we have?
Speaker 2 (01:01:14):
Got it, got it. All right. So we have Bart Simpson with his goggles on and his cane, he's blind, finding the issues in the report that I wrote. And then Bart Simpson again with a telescope, finding issues in the report someone else wrote.
Speaker 1 (01:01:36):
I got inspired. I got inspired by that because I'm teaching my kids, well, I mean my nine-year-old, but my six-year-old is kind of hanging out, how to play chess, okay? And the thing about that is that when you're playing chess, right, you're there and you're like, okay, what should I do? And people behind you, they're like, oh, pick that. Like, in their minds they can see the whole game and what you should pick. But when you're in the game itself, you might not make the
(01:01:59):
best decisions, and when you move it, they say, why did you do that? You should have done something else. Of course, right. If we switch roles, the same thing's going to happen. The person that's giving me the advice is going to sit down and not see the things that somebody else on the outside sees. Definitely, yes, that's with chess. So then I said, you know what? That's also true with our peer reviews, and not only of our cases, but documents, important emails, important
(01:02:23):
speeches. Um, when you write something, look, that's so true, that I wrote things. I read them, it's perfect. I get to the next person and they find 20 typos, like obvious typos. But yes, they were like, how come I wrote it and I missed the typos? It's crazy, right?
Speaker 2 (01:02:40):
I love when that happens, when I wrote it and then I sat down and, like, thoroughly read through it, and they're still like, I'm not quite sure how I missed it. I do a lot of reviews of other people's work at my job, and I'm finding, you know, things that they didn't see or things maybe they missed. Or, like you're saying, finding issues in the report they wrote is hard, and I can't find any of the issues in my own report
(01:03:01):
ever.
Speaker 1 (01:03:04):
And that speaks to a certain cognitive bias that we have. We have it. And again, I think I'm a lone voice in the desert saying this. When people say, well, we have to be unbiased, that's impossible. They will always have biases. You have them, even when you write your report. Your bias is that you know what you wrote and what's coming next, to the point that you glaze over spelling mistakes or even logical errors or even how you put things together.
(01:03:25):
So we have biases. The question then is how do we keep those biases out of our work, and that's the scientific process, right, in forensics or, in this case, have somebody else come and peer review it for you to make sure you can put those down.
Speaker 2 (01:03:40):
Yeah, that peer review process is super important. If you're not doing peer reviews in your agency, you have to be doing peer reviews. If you have nobody to do your peer reviews, reach out to another agency. Find somebody in the same field as you to do your peer reviews. Super important.
Speaker 1 (01:03:56):
Yeah, take the time to do that, and you know, the more you do it, the more proficient you are at picking things out, and then we help each other and we can grow together. So highly, highly recommend that you do that. So that's the purpose of the meme.
Speaker 2 (01:04:10):
And doing the peer reviews too. I mean, I learn new artifacts and learn new things I didn't know from doing peer reviews for other people on a daily basis.
Speaker 1 (01:04:17):
So, oh, yeah, yeah, yeah. Oh, actually, I forgot about what I'm saying right now. Um, Evangelos Dragonas, from Greece, you know, great researcher, he did some parsers for, for example, for ChatGPT, right, in Android, and I'm not sure if iOS, and those are parsed by the LEAPPs, not by any other tool.
(01:04:38):
And I want to bring that up because leverage that peer review, leverage community knowledge, right, reach out to folks when you find things, and I had some cases that, you know. ChatGPT is becoming like a search engine now. People see it as a search engine in a sense. Yes, and you might not find. Oh, you know, they're not Googling anything. You know why? Because they're asking the AI about it now.
(01:05:00):
And if you're not aware, where is the questions that the person's asking to the AI? Where's that on the phone? You're not going to find it, and the tools right now, they don't show it to you, period, they just don't. So, again, you have due diligence. We talked about that last show. What is due diligence and what does it mean? Check out season two, episode zero, and you can delve more
(01:05:22):
into that.
Speaker 2 (01:05:25):
That's it.
We've come to the end.
Speaker 1 (01:05:28):
That is amazing. I appreciate all the folks that persevered with us this week, all these interesting things that we talked about. Again, sorry, Brad, you came in late, but catch the replay.
Speaker 2 (01:05:40):
Yeah, definitely.
Speaker 1 (01:05:42):
Anything else you have there, Heather, for the good of the order?
Speaker 2 (01:05:44):
I have nothing else.
Thank you very much everyone.
Speaker 1 (01:05:47):
No, absolutely, and we'll be back in a couple of weeks with another episode of the Digital Forensics Now podcast. So thank you everybody and have a good night. Thank you. See ya. Outro.
Speaker 2 (01:06:18):
Music.