Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:11):
Welcome to the Digital Forensics Now podcast. Today is Thursday, November 21st 2024. My name is Alexis Brignoni, aka Briggs, and I'm accompanied by my co-host, the one that puts the wild in wildlife, the tester supreme, the one now better known as HC Hollywood, the one
(00:33):
and only Heather Charpentier. The music is Hired Up by Shane Ivers and can be found at silvermansound.com.
Speaker 2 (00:52):
Yes, my outro was worse than last time. Yes, the what the HC, what HC, Hollywood Heather, oh my God.
Speaker 1 (00:54):
No, no, if people don't know why I'm saying that, I'm gonna show you right now. Oh my gosh, that she is now the star of all sorts of commercials.
Speaker 2 (01:04):
Oh, my God.
Speaker 1 (01:05):
Get out of here.
Speaker 2 (01:06):
What is wrong with you?
Speaker 1 (01:08):
No, look, look at that: Computer Forensic Analyst for Excellence. She's on all the TV shows. Now I expect her to be like, what's that show that's going to go? It's called, it's like an investigative show.
Speaker 2 (01:22):
Oh my God, there's some people joining us.
Speaker 1 (01:24):
It's great that you joined us as we're looking at Heather doing her Hollywood debut on social media.
Speaker 2 (01:30):
It's a lovely shot you grabbed, thank you.
Speaker 1 (01:33):
It's fantastic. So if you all want to see her, go to the Minded Forensics social media and look for the video where she talks. It's a great mini documentary of New York State Police and some of the work they do, which is outstanding work, and obviously they show their header, having a few words about the work that she does.
Speaker 2 (01:50):
Oh my gosh, Holly and Jeremy say Law and Order.
Speaker 1 (01:54):
Law and Order. Thank you, that's the show.
Speaker 2 (01:55):
Yeah.
Speaker 1 (01:56):
See, I knew that Tuntun would for people to give us the answer there, yeah, so surprise, surprise.
Speaker 2 (02:04):
Sneaky, sneaky, sneaky. I didn't know you were gonna do that.
Speaker 1 (02:08):
Um, thank you for picking such a fabulous shot. I mean, you know, I, I can only do my best. Oh my gosh.
Speaker 2 (02:17):
So what have you been up to? We just did a podcast last week, but what's new?
Speaker 1 (02:22):
Well, um, yeah, I've been doing a whole bunch of things, so, let me, talking about sharing pictures, I'm gonna share pictures too, but of myself. So let me, um, let me share it. So what I'm gonna show you is, so, this, uh, this weekend, I was, uh, I spoke at SANS DFIRCON. You can see there, uh, folks that are not, they are listening
(02:43):
, won't see it right, but you see stickers from SANS and DFIRCON, and what I did there was talk about the LEAPs. Right, I was accompanied by my beautiful family. It's a picture of us behind the Brightline train. So we took the train from Orlando to Miami so the boys could experience it. Their face looks like emojis.
(03:03):
That's their face.
Speaker 2 (03:04):
I was going, their faces. Wife and kids look just like you, yeah, yeah, yeah.
Speaker 1 (03:10):
So their emoji faces are their real faces, so it's not a mask, that's their faces. So I kid you, I kid, I kid, right, so, so you can see a little video there of me going on the train. Uh, let me tell you, Central Florida is pretty beautiful and on, you know, as you're going by the train, you see the rivers and bridges and all the good stuff. I really enjoyed the Brightline experience. I would definitely do it again.
Speaker 2 (03:30):
So it was nice.
Speaker 1 (03:32):
And then we had that night. We got there on Friday night so I had a dinner with some of the speakers. You see Brian Maloney there on the right, Ian Whiffin and Christian on the bottom on the back part, and so these people, all this brainpower in that table. It was pretty amazing. I was hoping that we could maybe see the future if we put our heads together, but that did not happen.
Speaker 2 (03:53):
You must have come close.
Speaker 1 (03:54):
Well, I mean, I was the one not putting enough output there, brainpower output, so I blame myself. All right, and then I ate a salad because, because I gotta eat healthy for health reasons, but I'm not gonna bore you all with that. But where's the burger that you had after that salad? I already ate all the burgers I needed to eat in the past. I guess, all right.
(04:15):
And then, uh, I started my day, um, and I started setting the family up and all that, uh, by listening to Ian Whiffin. Ian Whiffin explain his ArtEx, uh, tool, and if you're not familiar with it, we say it a lot of times but I'm going to say it again, it's a must-have tool for your examinations. It's absolutely free, it's really, I love it for the location. So he maps it and gives you different ways of showing the
(04:37):
map locations for your exhibits. It's fantastic. So ArtEx, A-R-T-E-X, and at doubleblak.com, with a K instead of CK, you can get it there. So just Google Ian Whiffin ArtEx and you're going to find it. All right, very cool.
So, and the next thing is, it's me teaching. So I've been of a double mind in this trip because I gave my
(05:02):
spiel about the LEAPs and I think I was asking Heather, but not our Heather here. I was asking Heather Barnhart from SANS, which we all know and love. She thought I was overreaching. Overreaching because I tried to have the class do an artifact with me and, you know, I think some people knew Python, some didn't, and it was kind of a bit of a situation where some folks
(05:24):
were totally lost and some folks were like, oh, this is great, it's easy, right. So I was a little bit about two miles about it, but then I came to a conclusion, right, and my conclusion is that I believe, and a little bit of a soapbox here, we've got to start moving as a community to, I didn't close my door properly, we need to move as a community to start acquiring these skills.
(05:46):
Look, if the only thing you do is connect the device and press a button and hit print, you're going to be automated out of a job in a matter of years, maybe less. So we got to start thinking about, if things are made using code, we need to understand code, or at least not be... I'm not going to make the next iPhone, but at least know enough to be able to determine what is relevant and how to parse it
(06:09):
out. Okay, right, you need to understand how these devices work at a deeper level. So, so I was of two minds, but you know what, that's gonna be my spiel moving forward. Yeah, definitely. I like this picture because it shows, it's a random picture here. I was at the hotel and, you know, hotels, you know, multi-level hotels. They usually have like a fire cabinet and there will be a hose
(06:31):
there, right, but they took the hose out and just put an extinguisher and I'm like, that's not like the same thing. That's not enough. You know, a little thing, and it wasn't even a big extinguisher. It's like a little extinguisher, fire extinguisher, instead of having like the actual hose that you could turn on the valve and douse the fire. So I know there's a lesson there, but I will leave it for
(06:52):
later for this question.
Speaker 2 (06:54):
Thankfully there was no fire.
Speaker 1 (06:56):
Exactly, I'd rather have the fire hose than have the little fire extinguisher. So make sure you have fire hoses, intellectual fire hoses, in your brain. Start developing those. All right. Brian Maloney gave me a nice coin. Uh, he does the OneDrive, uh, Explorer, it's a forensic tool to deal with OneDrives, and if you have investigations that require that, you need to use
(07:18):
that tool. It's also free. It's super well documented. He did a great, a great job at it. I couldn't stay for his spiel because I had to catch the train, but he gave me a nice coin and we discussed a little bit about his tool. So that was, I was pretty, pretty satisfying, and actually I got to meet him, meet him in person, so I loved it. Very nice. And then they gave me a little interview. They're asking me about what I was talking.
(07:40):
There were my really bright, uh, yellow shoes, as you can see down.
Speaker 2 (07:43):
Oh, I didn't know. You got interviewed while you were down there.
Speaker 1 (07:47):
You know, I got interviewed. I'm famous, and also everybody else was interviewed, so it wasn't anything special that it was me, just to make it clear. It was me and everybody else. So I spoke a little bit about the tool and all that. So that's fine and that's it.
Speaker 2 (08:02):
Very cool. I think we're going to have to do a demo of Ian's ArtEx on an upcoming podcast.
Speaker 1 (08:09):
Hey, that's not an idea, that's not reality. We're going to do that. Yeah, definitely.
Speaker 2 (08:14):
It's a great tool. I've used it. I don't use it as much as I should actually, but it's a great tool and, yeah, let's show it on the next one. I'll get something put together.
Speaker 1 (08:23):
No, we're definitely going to do that, and by doing that I mean you.
Speaker 2 (08:26):
Yeah, yeah, I'll put it together.
Speaker 1 (08:30):
Heather is so good at the whole testing thing, you know.
Speaker 2 (08:33):
I'm going to put this comment up. Everybody's going to get it later. Mr Terry Tibbs is in here and says: Evening DFN podcast. Talk to me.
Speaker 1 (08:46):
And one of our topics later is going to pull that together. Oh okay, fantastic, fantastic, we're waiting for that. Yeah, a quick shout out to Kevin, who is in the chat. Adam is in the chat. Um, my sister Holly is in there. Hey, there we go. Yeah, but she's the one with the cultural reference, Law and Order.
Speaker 2 (09:00):
Thank you, Holly. Yes, so what?
Speaker 1 (09:05):
What? So now that I spoke for half an hour about what I did, I want to know what, what you did. So what's going on?
Speaker 2 (09:13):
So I went on vacation since not last podcast, but the podcast before, and I have some pictures from my vacation. So my sister turned 25 again on October 23rd, yeah, so we did a little birthday trip, and I think you've mentioned it
(09:34):
probably 15, 20 times how much of an animal lover I am on the podcast. Well, my sister is so much more of an animal lover than I am. So we chose to go to Tanganyika Wildlife Park in Kansas.
Speaker 1 (09:50):
I would have never guessed that by that name that it was in Kansas.
Speaker 2 (09:52):
You know, I think it was in Africa, or something, you know. So she loves penguins. So I Googled where can you swim with the penguins, and this is the only place in the United States that comes up as a place that you can swim with the penguins. In Kansas, yeah, in Kansas. So we went to Kansas. It's very, it's very flat there. It's very flat, yeah.
(10:14):
Um. So we went and we saw all of the animals. We did a three-day all-inclusive at this park where you get to feed with the animals and interact with the animals. Um, so these are the lorikeets we were feeding, and there actually was a lorikeet named, um, Noodle, that if he sat on your shoulder, if you asked him to dance, he would dance.
(10:35):
He would like bob his head up and down. It was really cute. Um, we saw the capybaras, which are adorable. These are babies. They actually get really big. Um, but these were little babies we got to feed. Feed them. Like how big? Like I think a couple hundred pounds. They're big, it, big. Oh geez, yeah, and these are just little guys. Um, so it was so much fun.
(10:56):
Those, I think the capybaras, were one of like close to my favorite animal at the zoo. Um, yeah, they're awesome, Kevin. We got to go hang out with the owl monkey and the cavies in this picture and then we got to swim with the penguins. So they gave you a wetsuit and you actually get in with the penguins and they have little cat toys.
(11:18):
The penguins like to swim after the cat toys. So just some pictures of us swimming with the penguins, got to feed the giraffes and had the little giraffe interaction. Oh, Holly said up to 100 pounds, so I said a couple or 150 pounds for the capybaras.
Speaker 1 (11:34):
So like a decent, decent amount of weight. Yeah, a big animal.
Speaker 2 (11:39):
We interacted with the otters and the sloths, and actually the sloths, what they do with them is the sloths will hold a paintbrush, so I have the pictures here, and the zookeeper holds the little canvas up and the sloth paints you a picture.
Speaker 1 (11:54):
But he's not telling you that picture took three hours.
Speaker 2 (11:56):
Yeah, oh yeah, pretty much. Yeah, it was not a fast process, but I didn't care because I liked being in there with the sloths. And then this animal right here, the okapi, is the weirdest looking thing I've ever seen. I'd never heard of it until I went to Tanganyika. It is. It just looks like a mix of a whole bunch of different animals
(12:18):
. You can see like its butt is a zebra and its face looks more like a horse and deer combination. So it was a really cool animal, and the monkeys and the rhinos, we got to feed the rhinos and hang out with the rhinos, and the pygmy hippo was the most adorable thing ever.
Speaker 1 (12:34):
Um, they have. That's not the one like Deng, the Moo Deng, is that? Yes, it's just like him.
Speaker 2 (12:39):
Oh, it's not. No, this one's name is Locky, but it's just like, just like Moo Deng, um, and they painted pictures too. So it was a non-toxic paint they put on the nose, and it comes over for treats and paints on your canvas.
Speaker 1 (12:52):
Oh, look at that.
Speaker 2 (12:53):
And then my very favorite animal at the entire place was the lemur. You got to go in with them and they sat on your lap and you got to feed them out of your hands.
Speaker 1 (13:04):
I bet people made the whole "I like to move it, move it" joke, right? Yeah, yeah, of course.
Speaker 2 (13:09):
And then we got this nice selfie with a lemur there on the one of the last days.
Speaker 1 (13:13):
So it was, it was, he's sticking his tongue out, for the folks that can't see it.
Speaker 2 (13:17):
So I guess he's like, it's just sticking the tongue out. It was awesome, um, one of the best trips I've ever been on. We usually go horseback riding for her birthday every year, um, but this was like a once in a lifetime type of, uh, trip to a wildlife park in Kansas of all places. I heard that, I heard they're looking for some missing capybara.
Speaker 1 (13:36):
So, oh yeah, it's a pure coincidence that they got... They weren't missing after you went there. They're both at my sister's house.
Speaker 2 (13:43):
She would be the one to steal them. Don't tell anybody, don't tell the police. So the time off was well spent. Uh, it was a great vacation. Well, that's, that's awesome.
Speaker 1 (13:56):
Thank you for sharing all your, your pictures. Yeah, adorkable. They're great, um, adorkable, adorable.
Speaker 2 (14:05):
So now that we have vacations out of the way, hop into some forensics.
Speaker 1 (14:10):
Let's do it.
Let's do it.
Speaker 2 (14:12):
All right. So last week we had Chris Vance on. We talked about the iOS devices that were rebooting due to inactivity. Just wanted to quickly throw up another resource to learn a little more about that. There's a blog called Reverse Engineering iOS 18 Inactivity. It is similar to Chris's blog.
(14:34):
It has some detail, talks about where you can find those artifacts that show whether the device was rebooted, and a whole bunch of other stuff about the iOS 18 too.
Speaker 1 (14:46):
Yeah, and something I like about the article is that it actually goes into the detail of how the author went and had to reverse engineer the processes, right, because one thing is looking at logs and what the logs show, and another one is trying to look at, for example, if you want to understand some undocumented feature on whatever software. The first thing he did was he
(15:06):
took the IPA, whatever the executable is, and you look for strings, and hopefully the developers left some strings there that you can read like notes to give you an idea of what's going on. A lot of these variable names, there are things you can actually read, like that makes sense. So he put together some of those. Do some testing. He had to. Some of the hiccups with it is, how do you get into the software
(15:31):
when the encryption keys are removed by Apple, right? So he went around all this rigmarole to be able to get to that data and give a detailed sense of what's going on within the device, and when it was added and how it is executed within the device. So I recommend everybody to read that and get familiar with
(15:53):
it, and if this is something you find attractive, then definitely reverse engineering is for you, and I believe we need more of that within the mobile forensics sphere, beyond just intrusion, intrusion detection, intrusion response. In the DF field we definitely need more reverse engineers. So, good example there.
Speaker 2 (16:14):
Okay, so FTK Imager, BitLocker. We had it for a minute. I'm going to show it.
Speaker 1 (16:22):
Look, look, look. The thing is, for background here, uh, Exterro, which are the makers of FTK and FTK Imager, uh, really, FTK Imager is everybody's toolbox. It's one of the most well-renowned tools. They came out with a release, FTK 7.3 point something, and it had BitLocker support, and it was up for a day or so.
(16:43):
So a whole bunch of us, well, not me, but somebody else, downloaded it and it's like, oh, this is great, let's test it out. And a few people made blog posts and then it disappeared. You couldn't download it. So I started complaining. Not complaining, that's not true. I started pointing out the fact that it disappeared. I'm like, what happened to it? Was there an issue with the software that we should know about?
(17:03):
Was it not working properly? It just took it out, but not tell us. But eventually, is that the explanation was, and Harsh Behl, that, I think, is the main product manager for FTK tooling within Exterro, explained that the reason is that it was, uh, it was, they were not supposed to release it yet, right? Yeah, um, so there was about an accident. So they released version 7.0, I guess, or 0.1, and not this
(17:26):
version which is ahead. But guess what? It's already out, so we're going to use it and we're going to show it.
Speaker 2 (17:33):
So let me take that off the screen. All right, so I just have a BitLockered thumb drive and I am going to add it. Oh, hold on. Oh, I have to have it out. Sorry, I'm gonna add the physical drive. I have it plugged into my laptop and it is this, and just
(17:56):
hit finish. When I add it, it pops up, and here, let me zoom in on that.
Speaker 1 (18:00):
Yes, yes please.
Speaker 2 (18:01):
Pops up a screen asking for your BitLocker encryption credentials. We can do a recovery key or we can do the password to the BitLockered USB.
Speaker 1 (18:11):
Or the boot key file too.
Speaker 2 (18:12):
Yes, or the boot key file? Yes, I have, let's see if I still... Yeah, so I have the recovery key to this because I BitLockered it, and as soon as I put it in, we have access to the files on the USB drive.
Speaker 1 (18:38):
So you can see here my top secret documents folder we now have access to, and something that's pretty cool about the tooling. So this is a traditional scenario where you have this drive, you're going to write block, and it's BitLocker, you have the key, let's look what's inside of it. So my case, my testing case, was I took and I imaged the BitLocker, uh, drive. I imaged it as an E01 straight up. So I have now the encrypted E01 with BitLocker, and again same
(19:01):
thing. I put it there, I went in a little bit and again that screen popped up and I was able to get in, which, which is pretty neat because, yeah, as long as you have the key, you can do the E01 straight up and then later on, uh, do the whole, uh, decryption of it, also with the tool, and after that you can make AD1s, as always, and for those not familiar, those are logical extractions from, from the image that you're working out of.
(19:24):
So you can take, say, a file, some folders, build an extraction, a logical extraction, and pull that out, or do the traditional things you would do with FTK Imager, and if you're in digital forensics, you have to know this tool. This is just one of those things that you did. One of the first tools they give you when you're walking through the door.
Speaker 2 (19:41):
Yeah, oh, definitely the first tool you use in college too, right? Oh, absolutely.
Speaker 1 (19:47):
It's like it's all reliable. I call it in one of my old, my... Now the thing is that the question is, are they gonna, I mean, why? Why take it back, right? Is it because they're gonna charge for it or, you know? Well, I hope not. I hope they can release it as is, as they did, free, with that functionality. But who knows. Do other tools do this? Absolutely.
(20:08):
But it's a benefit, because we're so used to using this tool. I've been using it for over 15 years or whatever it is. So just adding this capability makes the tool so much more useful and it broadens the user base, because we know how to use it, we teach it, and now it has more capability.
Speaker 2 (20:29):
So I hope they release it for free again in the not too distant future. So please, Exterro, don't make us wait too much. Yeah, and super easy to use. So I mean, we definitely want access to this.
Speaker 1 (20:35):
So if you don't have access to it, I'm sorry, and don't ask me for it, because I am not an Exterro tool distributor and I don't want to get in trouble. I just got a copy for me and for testing and that's it. So if you didn't get it, sorry.
Speaker 2 (20:48):
Yeah, I know.
Speaker 1 (20:50):
Don't come asking me for it.
Speaker 2 (20:51):
He's not lying. He won't even give me a copy. I had to get it elsewhere. No, I'm just kidding. Yeah, yeah, yeah, I didn't give him the copy, period.
Speaker 1 (21:01):
That's my story. I'm sticking to it, yeah. Oh, Ryan Benson. Ryan Benson is in the chat. I got a shout out to Ryan. Ryan does great tools, like Hindsight. He does Unfurl. Unfurl just recently, good thing I saw his name, Unfurl just updated. So now it recognizes Bluesky timestamps and more different
(21:22):
data and better parsing for some protobufs and other things. If you're not familiar with Unfurl, what that does is it takes the URL from a, from a website, from a cloud service, a chatting application. You take that URL, you put it on Unfurl and it breaks down the URL in its component parts. You see the domain, and those component parts might have
(21:43):
timestamps in it, might have protobuf or something else, other data types within the URL, base64, which is traditionally a URL thing. It will explode that for you and show you all the component parts, and it's a great tool. If you carved out some URLs and you want to know when the URL, the activity, happened,
(22:04):
some of these URLs have timestamps of a search that was done within that URL, and just put it on Unfurl and it tells you what the timestamp is. So great, great tool. Same with Hindsight. You're doing browser forensics. Check it out. Also, quick shout out to Brett Shavers in the chat. What is he saying, Heather?
Speaker 2 (22:20):
FTK Imager is the pair of pliers in the DFIR toolbox. Definitely.
Speaker 1 (22:25):
FTK Imager is the pair of pliers in the DFIR toolbox. Absolutely. Of all the tools. Pliers is a good analogy. I like that.
Speaker 2 (22:31):
Yeah, that's really good. So there's another release of a tool, the Samsung Secure Health Data Parser. It was released, or created and released by, um... Oh, where did I put that? I'm trying to remember the, trying to remember the blog name
(22:53):
. I have it down. Oh, Breakpoint, Breakpoint Forensics. Um, what this does is it will, um, it'll parse out your Samsung Health data, right. So the features of the tool are step count parsing. It does exercise sessions, it does live data decompression. It creates comprehensive reports.
(23:13):
The GUI is super easy to use. I'm going to just throw that up on the screen here. So this is what the GUI looks like for the Samsung Health Database Parser. What you do need, though, is this database, by default, is encrypted, so you have to get a decrypted copy of the database.
(23:33):
The database is SecureHealthData.db. Tools like Cellebrite actually automatically were decrypting the Samsung Health database. I tried to extract my Samsung device to have some test data for the podcast tonight so I could show you how this tool actually works, but I think, because of that keystore issue,
(23:55):
where the keystore is not being pulled from Android devices, I'm not getting the decryption keys necessary to generate that decrypted version of the health parser. I do have some like older versions, but it's work stuff, so I wasn't able to bring it on and show everybody how this tool works. So if you have that decrypted version of the database, try it
(24:19):
out. It looks super easy to use. You're just going to choose that database, pick your output folder. It'll create a report in CSV or in HTML, and there's also a blog about it which I have up on the screen. And then the Breakpoint Forensics GitHub page is where
(24:40):
you can go to download the tool.
Speaker 1 (24:43):
Yeah, go to the repository and get it, and I think one of the big takeaways of this type of discussion, it's not only the tool, which we need, and that's great. And also, it's not only the fact that we need the vendors that deal with extractions. That's the part that we as a community are kind of forced to outsource to them, to get support for those encryption keys or decryption keys. A good teaching point is that when you think about Android,
(25:05):
Android is not just Android, right. You got Android Samsung, you got Android LG, you got Android Moto, you got Android Google ones, right, and all of them will, for example, deal with health data. But each vendor might decide to do their own implementation, which means if you're doing Android forensics, if you know about a health database in a Google Pixel, you gotta think
(25:26):
about, is my tool showing me the implementation from Moto or Motorola or from LG or from whatever other vendors out there, right? If they're Android 14, 15, whatever it is, compliant, they will have it, but they might not be located where you expect it in traditional vanilla from Google Android. So, again, the big takeaway is make sure that, as you're
(25:50):
working with different Android types, that you're looking for those implementations. Your tools will not parse all of those, and I'm telling you because this happened in my cases time and time again, where, oh, there's no health data. I bet it might be there, it's just in Motorola. It might be somewhere else, or it might have a little bit of changes in how the data is decoded and their meaning.
(26:12):
I'm trying to think of an example. Look for the one in Samsung. Rubin, Rubin, Rubin is another example, by the way.
Speaker 2 (26:23):
You're right, that's not the one I, the other one.
Speaker 1 (26:25):
Rubin is another example, by the way. Yeah, you're right, you're right. Yeah, that's not the one I was thinking of, but that's a good example too. Right, you have to decode that as well. There's one for activities. It's not user stats, it's the other one. I just forgot the name right now. In Samsung it's a number and in Google it's a different number, even though they track the same activity.
(26:47):
So that's part of that research that you have to do. So, anyways, I'm going too long on this, but again, I want to emphasize those differences.
Speaker 2 (26:56):
Specifically, though, Rubin is a good example of what I think the issue is here. I can't decrypt the Rubin database right now because there's issues with the pulling the keystore from the devices, so I think that's probably just what happened here. I, I did find an older database and, and used it.
Speaker 1 (27:13):
It works beautifully. So, yeah, no, we, we need to, we need to work with vendors, and again, I, I believe that us as examiners, the analysis is on us and the extraction is going to be on vendors, and I don't think we should outsource also the analysis to the vendors. But that's a discussion that we can have later.
Speaker 2 (27:33):
You're just generating topics for the future podcast. Thank you. I wanted to point out a blog article. So the name of the blog is Mobile Forensic Data Structures, which data structures are super important, I'm going to tell you why here in a second, Extracting and Analyzing Data with Free Tools.
(27:53):
So it's a blog written by Cesar Caseta from Hexordia, and he outlines how to extract and analyze data structures using SQLite Browser, Plist Editor Pro and Notepad++, which are all free tools. He takes the one of the cache DB files. So there's a whole bunch of different cache DB files in the
(28:14):
in extractions, and they commonly have different types of data structures stored within the cells as blob data. In Cesar's example, there's bplist and base64 stored inside of the SQLite database, and he shows you, walks you through how to open the data, how to export it and view it with the free
(28:35):
tools. Why is it important? I mean, the tools do it for you, right? So why do we need to know how to do that? Do the tools always do it for you?
Speaker 1 (28:46):
Not always going to work, yeah, and what is a data type, you know. You said that your tool doesn't recognize. You have to pull it out and use another tool to be able to look at it, right?
Speaker 2 (28:56):
Exactly, exactly.
Speaker 1 (29:00):
Although I will say, I will say something real quick. That's why this part, this information that Cesar is giving out, is super important. It gives you a way to do some of that. But I want to push everybody to take it to the next level, because if your cache file has 10,000 rows, are you going to be
(29:20):
pulling all those one by one and then opening it with a viewer, one by one? You're going to be there for a week, right? Or you can code a few lines to do a query on the database, pull out the thing, it automatically identifies what it is and then it shows it to you in a nice report, right. Again, I'm kind of also self-serving, because that's something you could do with the LEAPs.
(29:41):
Yeah, you know how to code a little bit, right, and they use the LEAPs to show it to you. But this knowledge is important for you to know what's the deal, what's inside of it. We need to get to it, and then the next step, I believe, for the community, is to start automating some of the stuff and sharing that knowledge among the rest of the members of the community.
Speaker 2 (29:59):
Right, and so definitely being able to code and look at all of the cells in the SQLite database, all the tables, all the rows, is important, but if you just need to go in and validate or verify the results of one, the skills that you can learn just by reading this blog can be super helpful.
Speaker 1 (30:18):
Oh, absolutely. And again, you might not need to do 10,000. Maybe you do, but still, even if you don't know how to code, at least know that you can get to the data and look at it. It's better than not, right.
Speaker 2 (30:28):
Oh yeah, definitely.
Speaker 1 (30:30):
I mean there's 100% absolute great value on all this, and then we can take that and automate it as another goal we can set for ourselves.
Speaker 2 (30:41):
Right With this data
structures.
There's other courses to takeor there are courses to take too
.
So if CESAR works at Hexordia,there's a data structures course
at Hexordia, and if anybody'sinterested in learning more
about the different datastructures, it's an excellent
course and I believe it's got adiscount right now, through
December 2nd, I think for BlackFriday, so definitely maybe take
(31:03):
advantage of that discount andthen you could always come down
to Orlando also for the bigIASIS event in April and May.
The instructors who areteaching the advanced mobile
class are super awesome.
Yes, people listening can't seeAlex like dancing around and
pointing to himself and pointingto me.
(31:25):
But yeah, we teach that class at IACIS and there are still seats available for week one, so check it out.
Speaker 1 (31:34):
And everybody that's hitting me on LinkedIn and social media, I said, don't worry, we will have answers for all your questions. Heather will be in charge of it, of answering the questions, so I know that she's waiting for those with bated breath to actually answer all your questions.
Speaker 2 (31:49):
Yeah, I accidentally saw your comment too. I forget who your comment even was to, but it was like, oh, Heather will be there, she'll answer all of the questions for you. I expect to have some help with that.
Speaker 1 (32:02):
I'll make sure the rest of the team does. I'm just there to pet the electronic detection dogs.
Speaker 2 (32:12):
We're going to have a couple in class this year too. So if you don't want to come learn about data structures with us and you want to just come pet the dogs, no, you have to learn about the data structures too.
Speaker 1 (32:22):
And pet the dogs in the process.
Speaker 2 (32:24):
Yeah, the dogs will be there. I hear we're going to at least have two.
Speaker 1 (32:28):
Let me, before we move to the next topic, let me just highlight a few other comments in the chat.
Speaker 2 (32:32):
Sure.
Speaker 1 (32:33):
Yeah, the folks were talking about how hard it is to get some of that Tableau software to update some of that firmware. They're saying that, well, we just run the firmware to 2010. We never update it, and actually that's so true. You can ask some people, when was the last time you updated your write blockers? And people are like, you can update your write blockers?
(32:54):
Yes, you can, and please do it as soon as you can. Yes, make sure you update that type of stuff. And Damien, which again, a shout out to Damien, he also teaches with Spyder Forensics, so he gives that class also during IACIS, but within Spyder Forensics, on data structures and SQLite. He's talking about how he had a lot of work to do with a SQLite
(33:16):
database, but with a few lines of code he was able to automate the process and get to those results. So a lot of value in learning those skills.
Speaker 2 (33:24):
Definitely skills, definitely. So, an article that actually Alexis shared with me, called Game Plans: A Template for Robust Digital Evidence Strategy and Development. We thought it was a good read and that we would share it with everybody. So it kind of addresses the need to have digital
(33:46):
evidence strategies to effectively identify, collect, examine and evaluate digital devices and data. It lays out nine fundamental components of the game plan. So let me share that screenshot with everybody so you can see the nine components.
(34:09):
One day I'm going to be able to do this quickly, sharing the screenshots. I swear I'm going to come up with some kind of quicker way. There we go. So for GAME PLANS, it's grounds for investigation, authorization, method of investigation, evaluation of the meaning of any findings, proportionality, logic, agreement,
(34:31):
necessity and scrutiny. So that lays out the steps of the game plan. Having a game plan in place will support investigators and their teams and ensure that important elements are not overlooked or missed. It may take time to implement and plan out, but it's necessary to make sure that tasks are carried out properly in not only
It may take time to implementand plan out, but it's necessary
to make sure that tasks arecarried out properly in not only
(34:52):
digital forensics, but I think this kind of applies everywhere. I can think of ways it could apply in your own personal life to have a game plan.
So what do you?
Speaker 1 (35:03):
think? I like the format. Again, each letter of the word GAME PLANS speaks to an aspect of what we need to do. When I read it, as I was reading it, I'm like, this is good stuff, but it's a lot, right? It's a little bit, a lot of work to do to develop them, and at the end of the article the author also says, yes, it's a little bit burdensome.
(35:24):
So the author also agrees with me on that, but there's value in trying to detail the investigative work based on this pattern or these steps. Will folks sit down and do this at that detail? Maybe not, but I do believe that discussing each of these, we're not going to do it here today, we'll discuss a few, but discussing these and then having them as part of your process,
(35:47):
it's essential, right, even if you don't use this methodology to the T, right, at that level, right? Can I highlight a few, Heather?
Speaker 2 (35:57):
Yeah, absolutely.
Speaker 1 (35:59):
So one that I found interesting is proportionality. I'm like, what does proportionality even mean? And the article speaks about how the technique that you're using is proportional to the need, right? For example, and this is an example that I came up with, I thought about if some of the evidence involves victims, right, we need to be proportional to that.
(36:19):
Is it necessary to disclose the victims or move this data related to victims around? Is that necessary? Is it what we need? Is it proportional to the need of the case? Well, it might not be, so we don't need to do that. We have to make sure that the evidence that we're acquiring is proportional to the need of the case and not go beyond that.
(36:42):
Right, it's logical to do that, right? I like also the one about logic. You have one for logic, right, and to me, this is something that I've seen in many places: is it logical to look for X or Y? Sometimes we want to look for X or Y because we have a hunch, because we think, and it becomes a fishing expedition. And no, there's a constraint of why we do things and why we do
(37:06):
it, and I don't care if it's on consent. This is my perspective, again, like always, and we're going to say this, we say it every show: we speak as our own personal opinions and our opinions do not reflect our employers or their policies in any kind. We speak for ourselves and only for ourselves. So I don't care if you have a device on consent. Well, I have consent to look at everything.
(37:27):
Well, should you? Is it logical to do these things, right? Is it logical, let's say, to look at something that's going to take six months to be able to analyze? Maybe not. Maybe the case has to be done in three months, in two months. So wasting resources on something that's going to take six months or more might not be logical, right?
(37:50):
Maybe you're looking for a crime and you found evidence of a different crime. Is it logical to go down that path? Maybe, maybe not, because maybe the crime, the sentencing, might be concurrent. So do we really need to spend time delving into this different crime that's not going to add to the possible sentencing or rehabilitation of the suspect? That doesn't mean we're not going to use it.
(38:12):
Maybe the plan is, the logical thing is to take that conduct, not charge it, but use it later at sentencing, as conduct, as a pattern of conduct, which also the law provides, at least in the United States, for some enhancement of penalty based on pattern of conduct, right? So again, this article made me think of all the different aspects of our work and how can we constrain it or
(38:36):
expand it in a way that, and that's really important on the scrutiny part at the end, in a way that's justifiable, and that S at the end, the scrutiny, is so important. We need to consider scrutiny, not because the defense is going to come after us and then we get mad at them. No, no, no. The first level of scrutiny is yourself. Is your property as an examiner right? Am I expanding or limiting my search in a way that's
(38:59):
justifiable? When I look at that phone live, do I really need to do that? Do I really need to go around the screen and click it around? Can I justify that or can I not? So those, for me, is it necessary and the scrutiny, are really, really important within this aspect. So please go to the link, we're going to have it in the show notes, and check the article out. I think it's a great read and really gave me a lot to think
(39:21):
about.
Speaker 2 (39:22):
Yeah, definitely. I was applying it more to, like, the lab setting because I work in a lab, and I think it definitely, overall, if you have a structured approach and you have a game plan, it can improve your investigative process, ensure that you have a thorough analysis and then help to maintain the highest standards
(39:43):
in the lab. I also think the game plan could kind of just follow along the same lines as your SOPs. If you have good SOPs, you have a good game plan. If you have no SOPs or no guidelines in your office at all, there is no game plan, and I just can see how that could lead to chaos. So I really liked this read on the game plans, and it made me
(40:04):
think of the lab setting mostly and having a good set of SOPs.
Speaker 1 (40:09):
And I want to say something real quick. Will SOPs or game plans cover every single circumstance you're going to find in your career? The answer is no. There will come some time when they might not apply exactly. But guess what? You need to know your SOPs, you need to have your game plans, because the only way you can go, move beyond them when needed, is by having a thorough understanding of them. Right, it's like in martial arts.
(40:30):
Right, when you get your black belt and you're a high level practitioner, that's when you start, you can actually go out of that system and apply it in ways that you wouldn't do before because you didn't have that knowledge. I guess that's a lot of words to say that you need to know your SOPs, you need to have your game plans, you need to know your procedures, and then, if something changes, based on
(40:51):
those, you'll be able to justify whatever changes are needed. And evolution moving forward, because technology evolves, right, and then you can take that SOP, take that knowledge and then evolve that SOP, that game plan, with it, you know, yeah.
Speaker 2 (41:05):
Definitely worth the read.
Speaker 1 (41:09):
Absolutely.
Speaker 2 (41:10):
Absolutely. So another article, this is actually a paper, a paper put out by the Major Cities Chiefs Association Digital Evidence Working Group. So this paper explores the increasing importance and challenges of managing digital evidence in modern law enforcement. It highlights how digital evidence plays a role in solving
(41:33):
cases, often surpassing traditional forms like DNA evidence, they say, with six out of 10 professionals identifying it as their most critical investigative tool. So digital forensics, I mean digital devices, are in every type of case, and this report talks about that. It talks about the role that digital devices have in modern
(41:58):
day law enforcement. It was put up on LinkedIn by Robert Pike. If you don't know Robert Pike, he works in North Carolina, great guy, and I think he contributed to this paper. But it's a whole bunch of examiners that contributed to this paper, and another great read.
Speaker 1 (42:17):
It has a lot of reference materials because it's more high level, so they don't go into, this is how you extract a phone, these are the things you're going to find on a computer. It's more about, these are the things you need to consider, these are the standards, and then links to those and a lot of high level policy guides, which I think is going to be extremely useful for managers and, you know, kind of folks that
(42:40):
might be a couple levels removed from the actual evidence, at least to start educating them on some of those aspects. So, also, a really good read.
Speaker 2 (42:48):
Yeah, it touches on AI in digital forensics too. I know that's a hot topic with everybody. We have talked about it numerous times and I see articles for it everywhere. But they talk about the potential for enhancing digital investigations, but they also address the ethical considerations and potential biases in AI.
Speaker 1 (43:08):
So another resource to learn about AI and digital forensics. Yeah, let's not, let's not, let's not get into AI right now. No, I don't want to talk about that tonight. I'm going to lose it again. Which, by the way, I'm going to be talking at a small interview for the DFIR Days of Christmas,
(43:29):
or DFIRmas. Okay, yeah, for the company that makes Atria, Atria, I forgot its name right now. ArcPoint, ArcPoint Forensics, yeah, and there'll be a lot of talk about validation and AI. So you want to hear me rant.
Speaker 2 (43:45):
Be aware, be ready for that. I'm going to have to tune in for that one, definitely. All right. So this one got me going this week. I saw a post by Carl Lawrence of MSAB about the importance of BFU partial file system extractions.
(44:05):
His post, I'm just going to read his post to you. So he wrote: this really shocked me, but should it have? I recently heard that some organizations are shelving BFU devices, so Before First Unlock devices, they're labeling them as too difficult or not worth it. He says this blew my mind.
(44:26):
He wanted to hear from the DFIR community about what they think on BFU extractions and should they be attempted. Why wouldn't you attempt them? Why wouldn't you attempt them? So yeah, go ahead. Yeah, I was gonna.
Speaker 1 (44:43):
It's for folks that are not familiar with that. BFU is a phone that is turned on and nobody has put the code in yet, right? No PIN code has been entered, which means the amount of data that's accessible to you is pretty limited. If somebody calls you, for example, you might get the phone call, but the screen's not going to tell you who it is, right, because that information is still safeguarded
(45:05):
within the phone. Now, if you put your PIN code in once and then the phone locks again, either because you locked it or a timer, when you get that phone call again it will show you on the screen, hey, so-and-so is calling you, right, because now that data is accessible because the phone was unlocked at least once. So that's called AFU. So being able to get an extraction in AFU state is
(45:29):
better. You get more; BFU, you get less. And then I guess the article speaks of people assuming that since it's less than AFU, therefore it's useless. That's the question, right? Is it useless or not?
Speaker 2 (45:43):
So I hear that from people all the time. It's just a BFU, it's just system information. I'm not going to look at it. Why would you not look at it? Or why would you skip the extraction, even? So for mobile devices that come in and there's no support for brute force, no support for a full file system, and they're in that BFU state, you can get the BFU extraction,
(46:05):
which is limited data and mostly system artifacts. When I say mostly, it's definitely just mostly. There are user artifacts in there. So some of the user artifacts that I've seen in a BFU, I've seen KTX files in the form of system generated snapshots. So what the snapshot is, is the user has an application up on
(46:27):
their screen and it was sent to the background for some reason. The user maybe just closed the window and the system takes a snapshot of what that app looked like at that time that it was sent to the background. If your device user has text messages up there, you potentially have a snapshot of the text messages. Is that going to be available in every extraction, every BFU
(46:51):
extraction? I don't know, but I've seen it in them before. You have access to the Apple ID. You have access to the cloud information. When was the last time the device was synced to the cloud? So potentially you have the date that it was synced to the cloud yesterday, and then you have the Apple ID that you can
(47:11):
send off to Apple with legal process to gather the data that's stored in the cloud. I've seen some location artifacts in the BFUs. They were specifically on images that had EXIF data. So there's an area of the phone called File Provider Storage
(47:33):
artifacts. They can include user images that have the EXIF data, including the location. One of my test data BFU extractions, Kevin that I work with and I were down in New York City creating all this test data. We were taking pictures all over New York City, came back, extracted the device, the BFU, and there were the pictures we
(47:55):
were taking in the city in that File Provider Storage, which relates to synchronization across devices. But I had the locations, and it was right where we were when we took the pictures. Other things you can find in a BFU: log entries, Wi-Fi connections and Snapchat. There is a ton of Snapchat.
(48:16):
If your device user is using Snapchat, you're potentially going to have their messages in the Snapchat arroyo database. All of their messages come out in a BFU partial file system extraction. I don't want to miss that. What if Snapchat is the platform that they were using to plan the crime or commit the crime?
(48:37):
We have all of that. I'm going to, you're going to read.
Speaker 1 (48:43):
Yeah. So to add to that, so different than folks in the chat telling us that testifying in a case, and the BFU helped convict the suspect of 10 counts, because later it says five years, but later he corrects, oh sorry, it's 10 counts, because there was a ton of data in that BFU. So not only the stuff that Heather is telling you, the BFU
(49:04):
has been used successfully, you know, to prosecute and complete investigations. Jeremy is telling us that he has gotten, like confirming what you're saying, Heather, that there are Snapchat conversations on the BFU and people should not sleep on those. Look, and let me mini rant, right, go ahead. Even if you think that that phone has nothing on it, on that
(49:27):
BFU, and you have the authority and you have a crime to solve, you still need to do it, even if, just because you have a thing called, what, due diligence? You need to do your due diligence, and that's a word that I believe we're not using enough, a concept we're not stressing to folks coming to the field enough. Due diligence. It means that you do the work the best you can, how you can,
(49:51):
have your game plan, do all of that, but because it's expected of you to do a complete investigation, right, you cannot dismiss. It's like an example that's not forensics, right? You got a suspect and you got to interview the suspect and you're like, well, they know I'm coming, I'm not going to ask for their phone or they will never talk to me, because they
(50:11):
know I'm coming. What? You're not going to go? You still have to go and you ask, hey, can we do this? And they might say yes, and a lot of times they do. Right, you have to do your due diligence, and it really irks me that folks are looking for all sorts of excuses to not do their due diligence, and managers need to make sure, from my
(50:34):
perspective, that themselves and their reports are exercising due diligence in their investigations and their casework. If you're not doing that, then what are you there for, Mr. Manager? Just to keep a spreadsheet of how much the tools cost and which ones are we going to cut because we don't have funding? That's, I mean, anybody can do that. But exercising due diligence. Are we doing the cases and
(50:57):
following up as we should? And that means sometimes doing a BFU, and guess what, you might get good stuff out of it.
Speaker 2 (51:05):
Definitely. I'm going to share a couple pictures that Carl had up too. There's all your BFU devices on shelves waiting for extraction, waiting for support, right, because we're waiting for support to brute force the device and get a full file system. But these shelves and shelves and shelves of devices that are here in this screenshot all have the capability of performing a
(51:27):
BFU partial file system extraction and potentially gathering that data that we're talking about.
Speaker 1 (51:33):
I want to believe that picture is AI because, if folks are listening, it's like shelves and shelves full to the brim of phones, and I'm like, I hope this is not real, because if these phones are for real and nobody has looked at them, I'll lose my mind. It's like an insane amount of phones, like all on top of each other, which I would say is not properly categorized.
(51:54):
But let's be real here. A lot of our labs kind of look like this. Put a sticker on it and just put it there. You know, yeah. Oh geez. Due diligence.
Speaker 2 (52:06):
Also how you handle your evidence. Please, due diligence. Yeah, so I want to actually talk about a couple more artifacts that I found. So there was an iPhone 14 that I had looked at in the past. It was running, like, iOS 16, so we're a little past that. Is this artifact still there? I don't know, it might not be anymore, but there were calls and chats, regular phone calls and native text messages. In the BFU, the call database is CallHistory.storedata
(52:32):
and the SMS database is sms.db. Well, there was a copy of the CallHistory.storedata with an underscore temp, and same with the SMS, an underscore temp, and inside of those temp files were two phone calls and three text messages. My guess is they were probably the last three messages or the
(52:53):
last two phone calls on the device. I didn't have anything to compare to that, but there's potential to get that data. But you're never going to know unless you open it up and take a look.
Speaker 1 (53:03):
Exactly, exactly. And, as a quick note, it's been confirmed that that picture was actually AI. Oof. What a relief. I was going to lose it.
Speaker 2 (53:13):
You feel better, huh? Yeah.
Speaker 1 (53:14):
Kevin's saying that there's no way that's been properly inventoried.
Speaker 2 (53:18):
No.
Speaker 1 (53:19):
Yeah, so okay, it's AI. Oof. Okay, there was no game plan for those phones. None at all, absolutely no. No SOPs there. So which, again, let's not get into AI, it's just a scary definition. Yeah, let's skip that.
Speaker 2 (53:34):
Let's skip that. I have one more meme to show. So this was the meme that was up with Carl's post, and I have no idea, so I had to be schooled today, before the show, on who this is in the screenshot. It's Terry Tibbs. So if anybody is in the chat right now on YouTube, you might see Mr. Terry Tibbs as a user. I'm going to guess that's Carl in there, but it's Terry Tibbs
(53:57):
from a UK TV show called Fonejacker, so I'm hoping that anybody from the UK may recognize what I'm talking about. But I had no idea who it was until I said, Carl, help me, what's a Fonejacker?
Speaker 1 (54:11):
They just run and take the phone from you. They jack it away, yeah.
Speaker 2 (54:18):
So he explained it as, I'm going to butcher this, by the way, he explained it as Terry Tibbs would make, it would be a personality on prank phone calls. Oh, okay, so they call you to prank you on the phone, I guess, so I've never seen it. I may have to see if I can find a version online and check this out. But one of the, what's up, one of the catchphrases of Terry Tibbs is, talk to me. Oh, there you go. Yeah, that's me, with
(54:43):
every agent that walks throughthe door.
Speaker 1 (54:44):
Can you please tell me what this case is about? Let's just don't drop the stuff here. Please talk to me. Yeah, my UK cultural references are lacking, sadly, but I will look into it. Mine were too.
Speaker 2 (54:55):
So I cheated and I phoned a friend before the show, yeah, and I probably just butchered half of what I was saying. But Carl was telling me that he and Adam Firman, who we love from MSAB too, were joking about this show recently, and that's how the meme made it to his post about BFUs.
Speaker 1 (55:14):
Talk to me. Talk to me. That's the new catchphrase for the month. Talk to me.
Speaker 2 (55:17):
I'm adding it back up, trying to take it down. Okay, last thing on the BFUs. So I do have one case example. Oh, he says I got it spot on with the Terry Tibbs. Good, I didn't screw it up too much.
Speaker 1 (55:30):
Well, there was a wink there.
Speaker 2 (55:31):
So I don't know. I'll get rid of the wink side. I'm sorry. A home invasion case that involved a BFU extraction. The guy dropped his phone, the person who was at the
(55:52):
house didn't know who it was that invaded the home. And the guy dropped his phone, got the partial file system, the BFU, and in it were enough details to just prove whose phone it was and who broke into the home and assaulted a woman. He got like 25 years in prison, I think. If I had just said, let's not do the BFU, there's nothing
(56:13):
in it anyway, it's not worth it, you may not have ever even identified who the suspect was. So do not skip your BFU.
Speaker 1 (56:21):
Oh, I mean, wow, I got that. That's so amazing. I got nothing to add, it's just amazing.
Speaker 2 (56:26):
It was the Snapchat data, right, because I mean I had the username and the Snapchat data and the iCloud, the Apple account. Saved the day.
Speaker 1 (56:34):
Oh, that's good stuff.
Speaker 2 (56:38):
Love it. All right, we can move on from that, I swear. No, I mean no, it was an important discussion. Yeah, that one, I truly believe that one drives me nuts, so let's move on to a happier note here. So SUMURI Gives Back. I don't know if anybody saw this on LinkedIn, or any other social media, but SUMURI has
(56:58):
SUMURI Gives Back 2024, where you can submit a nomination for a law enforcement agency with limited resources, a high caseload and a focus on serious crimes. The nominations need to be submitted by November 29th. The submissions are limited to 500 words. A community of law enforcement examiners will review all
(57:20):
nominations and select the top five agencies, and then the top five agencies will be notified, asked for permission to participate. Once they're approved, they'll be featured online for public voting from December 12th to December 18th. And let me show you what they have the potential of winning. If it's, if it's SUMURI, I'm expecting a legit box.
Speaker 1 (57:46):
There it is.
Speaker 2 (57:47):
Boom. So they will be giving, the title of the picture is the Green Talino, Green Beast. So it is a Talino, and all of the specs can be found on their website at the SUMURI Gives Back 2024 link that I have up on the screen.
Speaker 1 (58:06):
I will call it the green mean mystery machine, that's how I would name it, you know, like green mean mystery machine. Love it.
Speaker 2 (58:12):
Yeah, it's a pretty nice looking machine. I have a Talino. I loved my Talino. I need another Talino. I'm not going to win it, but maybe I can talk the boss into buying me another Talino. Yeah, how about you talk to the boss, also send me one. Yeah, maybe, you know, we'll share the love.
Speaker 1 (58:32):
We can give them out for Christmas. Holidays are coming soon. Anybody else in the chat want one?
Speaker 2 (58:34):
I'll work on it. Yeah, you're not gonna get it. But no, you're not. But if you know an agency that's deserving of that SUMURI Gives Back nomination, write up the essay and definitely nominate them.
Speaker 1 (58:47):
Yeah, those are pretty powerful boxes, and folks that are not familiar, SUMURI is a company that provides computing resources, computers, laptops, for digital forensic purposes. They have write blockers built in, proper video cards for cracking passwords and encryption. So pretty good equipment, and good on them.
(59:08):
For, you know, it's advertisement and that's fine, but this is the type of advertisement that I like, because it recognizes the good work people do and then enables them to do even more good work, right.
Speaker 2 (59:20):
So what's new with the LEAPPs?
Speaker 1 (59:24):
So we got a lot of stuff going on. So the first thing, actually, I'm going to go first and I'll let you go after me. Sure. So last episode I was trying to show the changes within the reporting structure that we're building, and again, I always give a quick explanation of what the LEAPPs are. These are Logs, Events, And Properties or Plist Parsers.
(59:46):
It's a Python-based framework that I developed and then the community has embraced and developed further, that allows folks in an open source, totally free, Python-based way to look at extractions from iOS, Android, returns from providers, vehicle extractions, all sorts of data types, and it creates a nice HTML report and some other
(01:00:08):
reporting features in KMLs or SQLite databases for your cases. And we try to specialize in the tool being quick, tools, it's more than one, obviously, being quick, and we try to parse things that nobody else does as quickly as we can. For example, which is something that Heather is going to talk about, a lot of us have been opening accounts in Bluesky.
(01:00:29):
Bluesky, and that's like a Twitter-like application, like competition with Twitter and Threads, and it's great stuff. So Heather made some test data for Android and I made a parser for it within the LEAPP. So if you have a case where they're chatting within Bluesky, the only tool that will do it as of now is ALEAPP.
(01:00:51):
Right, good folks, I think Adam, hopefully he can do that, he's trying to get us some iOS test data to then build one, or at least get us the data, and then I'll use it to build something for iOS, for iLEAPP. So we're working on that. So that's what the platform does. That's the purpose, and folks have embraced it, which I'm pretty grateful for. And I got a good group of developers, Kevin is in the chat,
(01:01:13):
one of them, and I always mention their names. I'll mention them again in a second. Now that explanation. So what happened with the LEAPPs recently? Well, we're moving to a new viewer called LAVA, and somebody's saying Blue Ski. I hate you all. It's your, it's your, it's your fault, Heather, first calling it, like, Blue Ski, like a brewski. No, it's Bluesky.
Speaker 2 (01:01:33):
Okay, I will always oppose it. DFIR Dan and I are gonna have brewskis while we chat with people on Blue Ski later. Oh my God, I'm cringing.
Speaker 1 (01:01:41):
I'm cringing for you so hard on the inside. I'm crying in my insides about it.
Speaker 2 (01:01:48):
I know. That's why I keep saying it.
Speaker 1 (01:01:50):
Yeah, I know, folks, she's not on the show. She texts me the Blue Ski when she texts with me just to annoy me. All right, when she's messaging me for stuff, anyways. So what we've done is we're trying to build a viewer, a newer viewer, so that it allows you to look at more data in a more efficient way and have more parsing, not parsing, I'm sorry,
(01:02:11):
sorting capabilities and that good stuff. So I'm going to show you now how the directory has changed, and it's actually way cleaner. Now I want to give a shout out to the team, like I said I would, as I'm presenting the data: James Habben, Johann Polewczyk,
(01:02:34):
Kevin Pagano, the one that's right here next to me, Heather, although she's slacking a little bit, I am, I know, you need to catch up on some things, as you know, anyways, I digress, and Bruno Constanzo, a great, great friend as well, that he does a lot of library parsing work.
Speaker 2 (01:02:57):
Oh, and John.
Speaker 1 (01:02:58):
Hyla. I cannot forget about John. He's the king of the refactoring, so I love you all, guys. So I'm actually going to have some challenge I'm going to be sending you shortly, all right. So what do we see here? So this, the folder structure, is way better now. Before, you would have all the reports were HTML and they're, like, kind of thrown in the root directory, which is kind of
(01:03:18):
ugly.
Now you hit index and it will open your report, HTML report, and then all the other little reports, I say other little, but all the other reports about it are gonna be in the HTML directory. So it's way cleaner, and the timeline is still there. It's a SQLite database of all things that have timestamps in your parsing, and that's an underused capability.
(01:03:40):
People don't know about it.
Take dbBrowser for SQLite, openit up and then you can look at
all the artifacts, kind of linedup by timestamp, and see the
relationships between them,right, so it's really useful.
There's the tsvs, so tabseparated values.
You can import it into yourkind of spreadsheet program if
you need to.
Now the big thing I want to show is these two structures.
(01:04:02):
One is a database, SQLite database, called lava artifacts, another one called lavadata JSON.
The viewer that we're hoping to release soonish, because we're still working on it, will take that JSON and then be able to reference the database, and all the information that's in the HTMLs is now in this database,
(01:04:23):
and this is really useful because now it allows us to use Lava as an Electron application to look at the data and not choke on it.
If it's too much data, HTMLs won't work.
So I want to show folks, let me take this off the screen, I want to show folks how it looks and again, I'm really excited about it, so that's why I'm talking about it at length.
So thank you for humoring me, folks, the folks that are still
(01:04:45):
here, that were with us.
So let me open my DB Browser for SQLite and I want to show you folks how it looks.
I'm opening it now, and now I'm going to share the actual program.
It's a little bit too big.
There we go, so let me share it.
Share screen and, as you will see here, this is the right one.
(01:05:11):
Yes, you'll see here the artifacts that we have been able to refactor to make it compatible.
We have a whole bunch here. Each artifact is a table.
You got the biomes, we got Burner artifacts, we got notification artifacts, Telegram, website visits, all sorts of things, and we're refactoring this code.
That means that we're updating it to be compatible with this,
(01:05:33):
and you can see here all the data within the different databases, or I'd say tables in the database, and this allows us also, with the viewer, to be able to sort, not sort, the time zone, change the time zone on the fly, so you can move it to any time zone that you need and it will deal with those.
(01:05:54):
I'm showing this because in the future, if you have data, as long as it's in this type of format, you could use Lava to view other sorts of data.
So it's designed for our stuff.
But if you understand a little bit of SQLite, how this is ordered, you can create your own SQLite databases and use Lava to view them.
So it will be another way of looking at different sorts of data, if there are SQLite databases in this type of
(01:06:16):
structure.
But that's a discussion for another day.
So I'm excited for it.
The whole team is excited about it.
It'll be like a monumental change in how we deal with the LEAPPs, and it will enable folks to be able to look at all sorts of data, independent of how much data there is.
I guess we're going to be getting closer to more like a
(01:06:38):
corporate type of solution, but still being open source and available to the community.
Speaker 2 (01:06:44):
So we're excited.
Very cool, very cool.
It's going to be awesome, definitely.
I know I've had iOS cases where I just have so many artifacts and if you load them all onto the page, the page just crashes.
So the fact that this is going to fix that is awesome.
I think a lot of people will agree that use the LEAPPs.
Speaker 1 (01:07:03):
Oh yeah, and it's way faster to look at the stuff.
Oh, quick, quick thing.
Speaker 2 (01:07:06):
I was just going to put that up, yeah.
Speaker 1 (01:07:07):
Holly's saying that it's Bluesky.
Okay, sorry, Heather. So your sister is obviously the better one of the sisters.
Speaker 2 (01:07:14):
So I'm just going to say that she's just not joining Dan and I for brewskis anymore.
Speaker 1 (01:07:26):
So no, she... Us too.
We're going to go and actually look at the Bluesky, you know.
Okay, you guys have fun.
Oh, and Rebecca showed up, so hey, don't worry, Rebecca, if you're late, you can watch the first half later in the recording.
Speaker 2 (01:07:38):
So with the LEAPPs, since we're talking about Bluesky, blue ski, we did some test data and Alex wrote some parsers for the Bluesky data, so let me share my screen here.
Oh, and you're sharing the screen. Johan is in the chat again.
Speaker 1 (01:07:53):
You always stay late for the show.
We love you, man.
He's saying that it's able to manage more than 1 million records, and that's a lot, right?
There's no HTML reporting that will allow you to do that.
So he's doing some of that testing and some of that implementation and it's pretty awesome, so we're super excited about it.
Sorry, go ahead.
Speaker 2 (01:08:12):
No, you're fine.
So we now have, let me click over here and zoom in, we have parsers for Bluesky Actors, Bluesky Feed Posts, Bluesky Messages, Bluesky Posts and Bluesky Searches.
So just to take a look at that, the actors are your contacts,
(01:08:34):
or people that were messaged with, correct? Not necessarily contacts. So it's.
Speaker 1 (01:08:42):
So.
People ask me why actors, not users?
Well, the word that Bluesky uses within the data structure is literally the word actors.
So I try, when I do artifacts, to keep it as close to the verbiage they use.
So actors is anybody, and everybody is an actor.
Somebody put a post, they're an actor.
You put a post or responded, you're an actor. Everybody is an
(01:09:03):
actor.
And it's not necessarily your contacts, because I can have actors there that are not my friends.
They're just a post that came by, and that post has that actor, quote unquote, actor information.
So, since the data, and I, oh, how much time do we have?
Oh, we've been running short on time, so I'm not going into the
(01:09:28):
details. You're sure?
Yeah, it's from an HTTP cache type of structure, which makes me think, I need to test this more, but it makes me think that the app mostly works as a browser.
It's an app, but it's really a browser, so it's pulling stuff in, putting it there, and as you're moving around the app, different things will be coming in and being shown to you on the interface, kind of like a browser.
So I'm able to capture this data from this kind of HTTP cache functionality, and it's mostly JSON.
(01:09:51):
So I try to just be as accurate as I can while trying to give you something that you can actually interpret, right?
These JSON files where this is coming from, there's more data in them.
I didn't find it to be horribly relevant, so I did not show that, and let me tell you, this is not something weird that I do.
Oh, look at you hiding stuff from me.
Let me tell you, your tool vendors do that all the time.
(01:10:13):
Yeah, if your tool vendors were to show every single row or every single table, you will not be able to do things, right?
So that speaks.
Another side note: your tools will point you to where things might be.
If the smoking gun is the list of actors in my Bluesky list, I will still go and look at those files by hand.
I say by hand, quote unquote, right? I will look at them
(01:10:35):
myself and make sure that whatever data points I didn't put in, make sure they're not relevant to my case.
Or if they are, then make sure to include them, right?
So that's what an actor is, and folks, always think about it that way.
The tool will not... Even if we show you something, that does not mean we're showing you everything, I have to say.
I have an example of one of these chat applications.
(01:10:55):
I forgot right now which one it was, but there was an entry in the database that tells you if the user was an administrator of that group or not, and the tools didn't show you that.
The tools show you who the person was, what was said and all that, and the media attached to that conversation or that particular entry in the chat, but it wouldn't tell you this detail that's part of the database.
Well, guess what?
(01:11:16):
In some jurisdictions there are statutes that explicitly put penalties on folks that are running illicit websites or illicit group chats for, let's say, the trading of contraband.
Well, that charge, those folks wouldn't be penalized as they should for being the leaders of the organization if I didn't
(01:11:38):
look at the database to figure out, hey, look, the database tells me who the administrators are or who the main user is, right?
So always, folks, always take your data, your smoking gun data, look at the source directly with your own eyes and make sure that you're not missing anything.
Oof, sorry for the rant.
Speaker 2 (01:11:54):
No, you're fine.
So we have the Bluesky feed posts here that you can see.
My test here, let me zoom in a little.
My test data is Amy Farrah Fowler, so you can see the display name, Amy Farrah Fowler, and she posted "checking out this awesome new app."
It's her only post.
If anybody saw Amy Farrah Fowler stalking their Bluesky
(01:12:19):
page recently, I was just trying to get test data.
Speaker 1 (01:12:23):
Yeah, and you might see a few entries repeated.
And again, that's a decision that I made.
Some of these files, different files, these caches, will have the same data in a few of them.
So I decided as of now to just show them all, but at some point I might deduplicate them.
But that's some of the decisions that you make as a developer and you will make as an examiner, right? How much of
(01:12:47):
this data might be useful?
Maybe the context indicates that this thing being there three times means something and we just don't know yet.
It might mean there was access more than once.
What does it mean?
So we have to take that into account when we see data and try to figure out, what does it mean?
Speaker 2 (01:12:59):
So we have the messages.
Alexis became friends with Amy Farrah Fowler and had a little conversation, and then posts.
This was Amy Farrah Fowler's only post here, and then the searches.
So she searched for best memes, Howard Wolowitz, Leonard Hofstadter, Penny Hofstadter and Sheldon Cooper.
(01:13:20):
So that is all stored within the Bluesky, blue ski, data and now you have a tool that supports it.
Yeah, I know.
Speaker 1 (01:13:30):
And it's good stuff.
Johan is saying that he's actually staying early, so it's so, so late.
Speaker 2 (01:13:36):
That's already the
next day, so he's already like.
Speaker 1 (01:13:39):
I'm up.
I'm staying up, whatever.
Speaker 2 (01:13:40):
I just want to watch
the show.
Speaker 1 (01:13:42):
No, I'm just teasing you, Johan.
Thank you for all you do, man.
I hope we can meet in...
Speaker 2 (01:13:46):
We can meet in person sooner rather than later. Yeah, I'm coming too, if we're going to visit him. Actually, you're going.
I'll be in your luggage. So tons of great new updates to the LEAPPs, but we are now at everybody's favorite part, the meme of the week.
That's, yeah, let me share it.
How could we not?
(01:14:11):
So this week was the Mike Tyson fight, and the two women that fought were definitely the better fight, in my opinion.
So we have the digital forensic examiner who is all beat up, and then one of the announcer girls, I don't even know what the title is, I guess the ones that carry the little
(01:14:33):
round.
Yeah, as the case agent.
So the case agent is looking all happy and the digital forensic examiner has just been beaten, beaten, beaten.
Speaker 1 (01:14:44):
Well, and the little note I had at the post was when they asked you for updates, right?
Speaker 2 (01:14:50):
Yeah, hey, investigative team, give us an update, and everybody's like, here's the examiner.
Speaker 1 (01:14:54):
Go ahead, and you're like, oh my gosh, this has been a hard week, and the case agent is all fresh, looking good.
You know, I mean, that's not always the case.
I know case agents that work really hard and we both work in teams.
It's just a bit of teasing to the agents, because I believe that my work is the most important work in the world.
But you know, they believe the same thing.
I'll be honest with you.
(01:15:14):
I did not watch the fight because I thought it was going to be like a wrestling, not real wrestling, but like WWE.
Speaker 2 (01:15:23):
Staged.
Speaker 1 (01:15:24):
A staged thing.
And I'm like WWF, staged, a staged thing, and I'm like, this is staged.
Speaker 2 (01:15:29):
This is ridiculous, and based on what I've been told, I think it was staged. I think the Tyson one was, but these women really, like, went. Oh, no, no, no. Yeah, they were.
Speaker 1 (01:15:34):
That was a good one.
No, no, no, no, no.
This, this girl is beat up, like, for real. Yeah, oh yeah.
Yeah, no, no, the cards before the main thing, they were pretty legit, right? But yeah, but the main one, come on, that's all preordained acting stuff.
Speaker 2 (01:15:49):
I fell asleep.
That's my opinion.
Definitely, but we had to useit as the meme of the week since
it's so fresh.
Speaker 1 (01:15:57):
Yeah, I thought for me it was funny.
Hopefully other people appreciated the humor in it.
Speaker 2 (01:16:03):
Yeah, I did.
That's why I picked it.
Speaker 1 (01:16:06):
Awesome, awesome, yeah.
Speaker 2 (01:16:08):
Well, that's it.
That's all we got.
Speaker 1 (01:16:10):
Well, thank you, everybody.
Just a quick couple of notes from the chat.
You know, sometimes those agents bring us donuts, so I guess that's not a bad thing, or sometimes they don't, and then, you know, sometimes you got a comment here that you complete the report, submit it, and then you can add more artifacts
(01:16:32):
related to the case, because an examination is never done, and honestly it's never done, it's only done when you answer the questions.
But it could go on forever on the device.
All right. Talking about going on forever, which is apparently what I always do.
Heather, Heather, do you have anything else for the good of the order?
Speaker 2 (01:16:48):
I have nothing else.
Thank you so much.
Speaker 1 (01:16:50):
Thank you.
All the folks watching, we appreciate it.
We love you.
Hit us up on Bluesky, hit us up on LinkedIn or our accounts in those platforms and others, and let us know what you think, let us know what you want us to speak about.
If you do something cool, also let us know and we'll try to highlight it here and everywhere else.
So good night, Heather, good night, everybody.
(01:17:11):
And thank you, good night, bye everybody, thank you, bye.