Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:08):
All right, welcome to the Digital Forensics Now podcast, episode 21. And if you're not a programmer, episode 22. Today is Thursday, August 8th, 2024. Almost, almost a year of the show. We're reaching it, almost there. My name is Alexis Brignoni, aka Briggs, and
(00:31):
I'm accompanied by my co-host, New York's Snow White, the one that Temus until she cannot Temu anymore. The lean and mean, but mostly mean. Mean, but only when she's hungry. Oh, and when they talk lita, francis, crap, the one and only
(00:53):
Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. Yay, and I mentioned, I think, most of it. It was intelligible, hopefully. Hello, Heather.
Speaker 2 (01:09):
I can understand the whole thing. That was an interesting intro.
Speaker 1 (01:14):
Yeah, don't worry, folks, if you're listening, tuning in. We're going to explain the intro little by little as we go along, which, by the way, I think we can notice a difference here in my setup here.
Speaker 2 (01:27):
Yeah, Alex has been banished to the closet. I do, I do.
Speaker 1 (01:32):
I like it, though. It's funny because, you know, if any Harry Potter fans in the chat here, I see, um, oh, they're just like hey, Adam, Adam is on the chat. Hi Adam, so good to see you staying up late all the way from the UK. Um, so yeah, so we'll make that joke in a second.
(01:54):
So, um, you see, Harry Potter fans, you know that Harry Potter lived in the cupboard under the stairs. This is literally under the stairs in my house. I'm a little bit of a Harry Potter setup here.
Speaker 2 (02:09):
It looks good.
It looks good.
Speaker 1 (02:10):
What's that?
What's that I'm saying?
What's that I'm saying?
Can you read it, Heather?
Speaker 2 (02:15):
Still watching HBO thanks to Heather, and waiting for Briggs to wear the shirt. If you know, you know.
Speaker 1 (02:21):
Yeah, yeah, that's true, I had the shirt.
Speaker 2 (02:27):
I need to wear it, and if you watch a previous version, you know why he's watching my HBO, yeah, previous episode.
Speaker 1 (02:31):
So if you don't know what the, uh, what the, uh, what they put things on the movie, that Easter egg, if you don't understand that Easter egg, you need to watch a previous episode to get it. Yes, yeah, reference, uh, anyway, so yeah, so this is my, my, this is my cupboard under the stairs office.
Speaker 2 (02:46):
It's good, but you don't have as many wall signs, and I don't know, my wall signs are kind of starting to show yours up.
Speaker 1 (02:51):
Yeah, well, I mean, I don't have many walls to begin with.
Speaker 2 (02:55):
Or door signs, sorry.
Speaker 1 (02:58):
Yeah, like this thing, like I cannot extend my arms to my right, I won't fit here. Kevin is in the chat. Hello, Kevin, it's always good to have all the main folks under the LEAPP repo and main mastermind of all good things. So yeah, so everybody can see my new office.
(03:19):
So I mean the office is new for everybody. Hopefully it's good. How about you? What have you been up to? What's up with you lately?
Speaker 2 (03:25):
Oh, I mean not a ton. I am a new bird lady. I thought I would share that with everybody. My parents got me the Bird Buddy, the camera for outdoors to capture video and images of birds, and I'm obsessed with it. So yeah, I'm gathering.
(03:46):
I call it like my old lady habit. I'm gathering my, my old lady hobbies, I guess. So here's my birds.
Speaker 1 (03:54):
I have the hummingbird attachment and, and let me tell you, you said so, she, so. So, folks, she sent me the picture of the hummingbirds coming in, right, also the squirrels and all the birds, and I'm like, how many animals. So I say she's Snow White, right, like they all congregate now in front of her feeding camera and it's uncanny, it's amazing.
Speaker 2 (04:14):
Yeah, the squirrels have figured out how to climb the pole. Well, I'm sure they knew how to do that, but they climb the pole, get in there and eat all the bird seed. So that's kind of what I've been up to, watching my bird cam.
Speaker 1 (04:25):
I mean look, look. I mean the next thing is knitting and you'll be set.
Speaker 2 (04:29):
I know, that's funny you say that, because I made a post that says I'm a cat lady. Now I'm a bird lady. I'm going to be sitting on my couch knitting a damn Afghan soon.
Speaker 1 (04:38):
So I'm not doing that. Can you make a beanie for me at least? Sure. I have this hat, as you can see my hat, right, I did not put gel on my hair, and so then, okay, I'll confess, I'm trying to be the next Justin Tolman.
Speaker 2 (05:00):
But unaffiliated. See, there's no company name here.
Speaker 1 (05:03):
Oh, if you don't know who Justin Tolman is, he works for Exterro and I don't think I've ever seen him without a hat on, ever. I think, I think he showers with it on. No, okay, look, Justin is doing a great podcast, FTK Over the Air, if I'm not mistaken. Yeah, their last episode they had, uh, the guy from Medex. He's a great guy. What's his name? Um? Uh, Brandon Epstein. Yeah, oh, Brandon Epstein, Epstein, oh, what an awesome interview.
(05:24):
So if you, and about AI and how that works with LLMs used to identify things in data, and how that relates to the concept of black box, and should that be introduced at court on the Daubert standards, all those, um, you should, you should go and watch that podcast, video podcast, um, stream. Stream is
(05:48):
fantastic. So, but again, a lot of love for Justin. Yes, yes, you know, I know he was born with that hat, so you might as well keep it. Keep it on him at all times. It's all good, I'm trying to look, I'm trying to be like you, man. You're not quite there yet, you're getting there. Oh, definitely not. I don't think I'll ever get there. He's just one of them. I'm a cheap imitation, anyways.
Speaker 2 (06:08):
So what have you been up to? I already know quite a story that you have.
Speaker 1 (06:13):
And I will, after I make one last point. Okay, sign on the side of you. That's a new sign. I love it.
Speaker 2 (06:18):
It is, it is. So it's from Etsy. I love Etsy. It's not from Temu, even though you decided that you should pick on me about Temu in the intro. But it says Digital Forensics Now and I've got the little twinkle lights behind it, and it came out pretty good.
Speaker 1 (06:33):
So I made it. Yeah, oh, looks great. I mean you couldn't ask for it on Temu, because it's not going to be here yet. It's going to take like eight months at least from some China sweatshop somewhere, I don't know.
Speaker 2 (06:42):
Anyways, I love my Temu.
Speaker 1 (06:45):
Before I go into what I've done, Lori's saying no, no, knitting, crochet. Okay, get your old lady things in gear.
Speaker 2 (06:52):
Lori, that still adds to my old lady list, but I'm going to embrace it. I'm going to embrace it.
Speaker 1 (06:59):
I think you should, and we've been asked if we, if we'd be liking the Olympics. We have, we have, we haven't, yeah, about it. Yeah, definitely, definitely, it'll stay all the way to the end. So, yeah, so, um, since you ask, I'm gonna have a whole presentation about what I've been up to lately, since we have the show, so let's, let's bring it up, let's bring up the
(07:19):
slides, okay. So, uh, everybody, this is our show, you have to put up with me. So we had, had, for the first time, IACIS, and you can see my shirt here. It says IACIS. We had, or, this side, we were asked to teach the mobile device forensics course in New Zealand. What a beautiful place.
Speaker 2 (07:40):
I'm not jealous at all that I didn't get to go, not even a little bit.
Speaker 1 (07:44):
No, no, I mean of course not. Like the Friends episode. I'm not jealous, I'm not envious at all. So yeah, so you know, the trip started here in Orlando, so that's where I live, so I was pretty happy, and let's get it going. So yeah, so I was in Orlando, happily going, for I'm really happy, and you know I started my trip. I went from Orlando to San Francisco because, you know, you
(08:06):
get to fly across the country, across the Pacific, but then we get to San Francisco. Guess what? Right, my flight was delayed for some little technical problem, don't worry guys, it's just delayed. And Andrea is up in the chat. Hey Andrea, so good to see you always. She's killing it, by the way, she works not with me in my office, but in my organization, and she's killing it, so.
Speaker 2 (08:26):
I know, I was going to try and get her to come work for us.
Speaker 1 (08:33):
And then I saw that she came and started working for that. Too bad, too bad, sorry for you. All right, so good for us. So, yeah, so a little problem. And that little problem turned out to be something else. So I'm running to make my flight to New Zealand and I'm telling Heather, you know, I got to get there, Heather's like you got to run, right. And as I'm running I see the screens turning a weird, weird
(08:55):
but known shade of blue. Yeah, so, literally, I sent Heather a picture here. It's blurry because I'm running to the plane. I said look at this, Heather, that's a screen. Folks that are not listening, it's a screen from an advertisement in the airport and it has a blue screen of death. And I'm like, that's kind of weird that an advertisement screen has a blue screen of death. Right, because I didn't know what was happening. Well, as you all know, the CrowdStrike-mageddon had hit the
(09:17):
airports. And, for those that haven't heard, um, this EDR company, you know, kind of cyber security company, they put clients on the endpoints in your network and they, you know, make sure that they keep the endpoints safe from malware and ransomware, stuff like that. Well, they sent an update. The update just started blue screening all the computers, like literally all the computers in the airport.
(09:39):
So let's see the next slide. I mean it was so bad that all the screens about, you know, departures or where your luggage is, all blue screen all across the airport, the terminals, all across the airport. So we're stuck and I'm like, what are we going to do? Right, no hotels, because there's no vouchers, there's nothing. So I had to sleep on the floor. I was lucky enough to finagle and open, you can see me there.
(10:04):
And open a port to charge my stuff, because I'm spending the night on the, on that. I spent most of the night in that spot on the floor of the airport, um, all hundreds and hundreds of us, because we were kind of fighting over the, not fighting, that's not true, but kind of looking for ports to charge, so anyhow. So I slept there a little bit and, uh, yeah, I'm lucky, I had all my luggage with me.
(10:24):
I had it all carry-on, because I packed really tight and I had to put nothing under the plane. So at least I kept it with me. Some folks couldn't even get their luggage, and the lines were ridiculous, I think it's the next one. The lines were ridiculous to get that. So, yeah, look at the lines, and time to rebook. So I was originally slated to fly straight to Auckland in New
(10:46):
Zealand and nope, the next one. They flew me down to Melbourne in Australia first. So before I left, I was so stinky I had to take a shower, and I discovered that you can take a shower at SFO, San Francisco, the airport, if you pay 30 bucks for 30 minutes. It's the most expensive shower I've taken, but it was totally
(11:07):
worth every single dollar. Yeah, so I got a ticket. There we go. So I went to Melbourne first. So I started that flight across the Pacific and I got lucky because, thankfully, I think I was the only person on that plane that had a whole row for myself, which is the universe
(11:30):
giving me a break, because I was about to break down emotionally over the whole thing.
Speaker 2 (11:36):
I would have.
Speaker 1 (11:38):
Yeah, poor Heather had to hear my cries. So I was able to actually lay down, put your seatbelt, and I literally put my seatbelt as I'm laying down, I'm like, I'm not sitting up. And then, you know, that's a little bit, I guess, the sunrise over the Pacific. Really nice. Yeah, no, it was tough.
(12:00):
So we got there to Melbourne and they had to fly kind of backwards again to the other side, to New Zealand there, and that's another three and a half hours. While I waited in Melbourne they had Hungry Jack's. I'm like, what is Hungry Jack's? Well then I figured out that's just Burger King, like literally Burger King. It's just called Hungry Jack's there. Oh really, yeah, oh, the same thing. Although they have a burger, it's, they took a Whopper, like
(12:26):
Whopper meat, and put it in a Big Mac. It was kind of, it was kind of weird, like a Big Mac made out of Whoppers they have. I don't know what the name of that was, but it was actually pretty good. I guess they don't get sued for doing that over there, as opposed to the US, anyways, I don't know. There you can see me flying back and flying to Auckland, and there, right now. When I got there, what a fantastic place. I stayed at a hotel next to the Spark Arena. It was pretty nice. Adam told me that McDonald's over there is called Mackey's or
(12:49):
Macy's. I don't know how to pronounce it. Adam, Mackey's, Macy's, I don't know. I guess Mackey's sounds better. I don't know.
Speaker 2 (12:57):
McDonald's, Mackey's, yeah.
Speaker 1 (12:59):
Mickey D's, I guess, it's over here also. One of the things that I found interesting is that they drive on the wrong side of the road, and again, I'll go right, wrong, get it, get it. But which it was funny, because, is there Vegemite over there? I do not know if they had it in New Zealand, I know they have it in Australia. Anyway, that's Matthew asking.
(13:20):
So I have to be careful because I'm used to looking certain ways across the street. And here it's the opposite. Right, you expect cars coming from one direction. They're coming from the other one. So, yeah, on the right side of the road, I don't know about that. Oh, there we go. See, now I just pissed off other people.
Speaker 2 (13:40):
I got to share that one, the correct, civilized side of the road.
Speaker 1 (13:47):
You mean, see, now I got everybody mad. Look, there's the right and there's the other side. Sorry, no, I kid, I kid, I kid, actually. Oh, and that's another thing. So Brent Whale is going to pick us up and I'm going to start, you know, walking to get into the car and he's like, it's on
(14:08):
the other side. Oh geez, I'm not driving, obviously. So I need to sit on the other side. You know what I mean. Anyway, sorry I'm taking too long on this story, but let me hurry up. So here I am. So it was a great event. It was hosted by Customs, New Zealand Customs Office. What a great group of people. They have a tremendous lab with amazing examiners there. There were also some other folks from other agencies that
(14:28):
I'm not going to disclose here, and it was, it was a great event. I was teaching with a couple of folks. I was teaching, I think, the next slide. Yep, I was teaching with John Sun, right there, he's, he's there from, from New Zealand. I went, Mario Marendon. He's a great examiner. He's the class lead for the Mobile Devices, for Enses course, and the same way that Heather is the lead for the advanced
(14:51):
course, for the course I teach with her, so I know the two leads. So it's fantastic for me. I got to teach with Mario and there we are, so we gave the class, and that's me teaching SQLite, because, I mean, well, SQL within SQLite, right, and we taught a whole bunch of data structures. Something I found interesting about New Zealand is that the
(15:13):
plugs are different. I can expect that, but I love the little, to turn the lights on and off, what's that called, the switches? Yeah, because they're tiny and kind of like little coins. It's not like in the US, where it's sticking out like a stick, like that. Right, I found they were cute, I like those. So I learned the joys of drinking L&P.
(15:35):
So also really fantastic. I know it has some lemons in it, what else is there, I don't know, but it was fantastic. So I drank quite a few of those. It's a local software. I mean software, soft drink. My brain was thinking about things. Right, see, Adam is saying. See, he has the opposite reaction when he goes in the US,
(16:03):
wants to get in the car, he wants to get in the driver's seat because he's confused. Right, yeah, so good, yeah. One thing that I noticed about Auckland, what a beautiful city it is, so clean, Heather. I, I was, I was trying to go out of my way to find trash, either on a sidewalk, on the curb, I even, I'm so crazy like that, I saw a little alleyway between two buildings and I went down that alleyway looking for trash, that was clean, clean too.
(16:23):
All alleyways have no, yeah, no, no trash. Like, like how did, how did they do this? That picture that you see there looks all clean and like washed and clean. That's the whole freaking city. It's like that. That's crazy.
Speaker 2 (16:33):
That's crazy.
Speaker 1 (16:34):
It is crazy. We're good on them, you know.
Speaker 2 (16:36):
Yeah, definitely.
Speaker 1 (16:37):
Yeah, so there's a couple of that, of the city. You know, it's there, right there, next to the, next to the bay. Beautiful places, beautiful buildings. I went in the winter, but it's not a really bad winter, it's pretty like a, at least when I was there it was kind of mild, it wasn't too bad, so I liked it. And, uh, see, Adam is saying that talk is kind of the same way,
(16:57):
the people don't, don't put trash out, um, so yeah, all the streets were super nice. Something I found interesting, I think it's the next one, it's, uh, they have this little, uh, oh, that's, oh yeah, so Young took us to this rooftop bar. What a great view from the roof. That looks nice. Yeah, so I never drank. But you know, since Mario and Young were kind of peer pressuring me, I took a little bit of a drink. Yeah, I try and get him to
(17:19):
have a drink with me. No go, he gets over there with Jung and Mario and it's game on. Yeah, I'm gonna say game on, like that's far away from what I actually did. Oh yeah, I don't drink yet, but it's okay. So that was. I was gonna talk about that. So you said, you see those, those kind of bumps there, and folks that cannot. Sorry you're not seeing this, but it's like little bumps, like
(17:40):
They're kind of, kind of waist high and they're kind of nice, like in the road, so road. So on top of them there's this glass and when you look into them, which is the next one, what you see down there is the actual train station. It's like a ceiling. What's that called, ceiling light?
Speaker 2 (17:53):
No, roof light, I don't know how to pronounce that. Sunlight, like a sunlight thing, but it goes straight down to where the station is.
Speaker 1 (18:04):
It's fantastic. And I was there like looking at people walking up and down like I'm an idiot, but it was great, I loved it. I loved it, and then I had, I was lucky enough. Oh, that's the train station, how beautiful it is, that's nice. And we went in just to check it out, beautiful building, everything so organized and people there to help you, hey, what you need, where you want to go, all that type of stuff, right. So I was lucky enough to go to the Serious Fraud Office. I think that's the next one, hopefully.
(18:25):
Oh no, before I do that, before we did that. Okay, folks, folks that are listening, you cannot see this. I was walking, we're walking through the city and we found a business called the Ding Dong Lounge, right, literally with, uh, in, in neon lights, and he says my mind is not that of a 10-year-old, like what's a Ding Dong Lounge?
(18:47):
Like, like that's when you put him to rest, when you're not, you're not busy, like I put my ding dongs in this lounge, just whatever that means. I don't know, the Ding Dong Lounge. Maybe that means something in New Zealand, I don't know what that means. So, yeah, so moving on, moving right along after the Ding Dong Lounge. What you see here is a picture of the Sky Tower. It reminds me of this one in, the one in San Antonio, what's
(19:08):
that called, San Antonio? It's like a big tower. They have a, a restaurant that kind of goes in circles, like that goes around slowly so you can see the city, 360 view. Oh, it was fantastic. I have a picture. The next one's a couple of pictures from up there. Yeah, oh, it's a beautiful city, Matthew. Yeah, I agree, it's a beautiful. See us from a distance. And then we went up there. Uh, Brent, uh, Brent Whale, he's one of the, in the board of
(19:32):
IACIS. The guy's a legend. If you've been associated with IACIS, you know who Brent is. And not only is he a legend technically speaking, because his expertise is deep and really knowledgeable. He's such a great human being, he's like the best host. What a great guy. So he took us there. You can see the city there, like in the afternoon, really pretty, also at night.
(19:53):
I took a picture at night from, while we're having dinner, going around the city. You can see the bridge there in the back, crossing the bay. Oh, what a fantastic experience.
Speaker 2 (20:02):
It's beautiful.
Speaker 1 (20:04):
Sorry, you missed it, Heather.
Speaker 2 (20:05):
I was just going to say again, not jealous at all that I couldn't go on that trip.
Speaker 1 (20:10):
And then I do want to talk about, that's at night. So I want to talk about the Serious Fraud Office. That's the next one. So they work all sorts of different types of crimes, corruption cases, super fantastic. Their building, that's the next one. It's literally right there at the bay, and let me show you how it, how that's that picture I took there, like in a glass and
(20:33):
a window, the bay behind me, that's their lunch room and I'm like, really, this is the lunchroom, Jesus, like wow, what a great view. You hear the seagulls and the boats and all the birds, whatever it is, right, great picture. Um, I love the name Serious Fraud Office. I'm making, making Jung a joke, like as opposed to the funny fraud office, I guess. I mean he's, he's so polite he cannot chuckle at it because
(20:55):
he's polite. It's a really bad joke, um, so yeah, it was.
Speaker 2 (20:59):
It was a great place. Adam's telling me that I got to go to Wilmington to Techno and that is the same as you going to New Zealand, and I'm going to say no, that it might not be exactly the same.
Speaker 1 (21:13):
It's a few tiny differences. It's closer, though.
Speaker 2 (21:18):
Yeah, and I didn't have to take that horrible flight.
Speaker 1 (21:21):
Oh, my God, what a pain in the behind. All right, so what else, we got to wrap this up? It's just, I love this trip so much. I have, you all have to endure with me. So I, um, this picture on my right, I guess in the middle, that's Brent, Marius. On the other side you see Jung and some of the other students in the class from the different agencies. They have art everywhere. That's the lobby of the building, kind of this hanging
(21:42):
art, all the colors. The native culture there is so respected and it really permeates throughout the city and the people there, and it's so fantastic. I learned about the Maori culture and even rugby, and I went to different places to eat, and it was a fantastic trip. Of course, all good things come to an end, so I had to fly back.
(22:02):
Thankfully it wasn't as bad as the first. The going out was better than the coming in. Back to San Francisco and then back to Orlando. I think that's it. Yep, go back to Orlando and, uh, and, and, uh, here, but I hope to return one day. So there we go. Thank you everybody for putting up with a 10-minute story and these pictures, because I had to share them, because that's where
(22:23):
it had to be shared.
Speaker 2 (22:24):
It looks so awesome. I, I hope to be able to go in the future, and if anybody is thinking of joining as a volunteer for IACIS, do it. Look, Alex joined and he got the chance to go to New Zealand and teach. Those opportunities come up when you volunteer for the organization as a, an instructor or a row coach or any other capacity that they may have available.
(22:45):
So definitely, definitely think about it. It's a great organization.
Speaker 1 (22:49):
And you volunteer, right. So it's not paid, we don't get a single cent, but we get the experience sometimes of traveling. But even if you don't travel, the experience will be able to develop that future generation, I say future, but kind of current generation, like examiners, being able to really make a difference, not only through your own casework but through the casework of others.
(23:09):
It's this overlapping, always growing circle of good when you put yourself at the service of humanity, which is what IACIS, I believe, does, so highly recommend it.
Speaker 2 (23:20):
Agreed, so let's talk about some topics this week, then.
Speaker 1 (23:24):
Yeah, let's do it.
Speaker 2 (23:27):
So the newest version of Magnet. I don't know if there's anybody listening or anybody who listens after we're not live anymore. If you haven't heard, on the groups or the listservs there is a little issue with Magnet, but there's a fix. So if you updated to the latest version of Magnet Axiom, you might notice that it's running slow, and the word is that tech
(23:47):
support is aware and it's an issue with the NVIDIA CUDA driver version. There's a write-up in their support portal on Magnet's website that addresses the system requirements that you need to have for Magnet Axiom and Magnet Axiom Cyber, and one of those requirements is that the appropriate runtime version
(24:09):
of CUDA must be between 11.2 and 12.3. So on those listservs and groups where people were talking back and forth about the issue, that was the fix. They were saying they rolled back CUDA and didn't have the problem anymore. So kind of like a little public service announcement here. If it's running slow, there is a fix.
Speaker 1 (24:30):
Yeah, and I'm going to make, I mean, I guess not opinion, but it's an observation. So you know, um, software development is, that's how it is, right, you had the CrowdStrike that I mentioned with the crashed computers. Sometimes some updates get sent and maybe some of that, uh, chicken fall, drivers kind of fall through the cracks, right, or, uh, some features are missing, uh, to the point that, like
(24:53):
having with Cellebrite, they sent an email out stopping development of the Insights product till some of those issues were resolved. Right. And I'm saying that because, again, we tend to put our faith in the tools, and you should. But at the same time, I say faith, faith is not a good word, we trust that they will work as they should, but sometimes they don't, right, and you need to be aware of that.
(25:17):
And hopefully vendors see, I don't want to talk out of line, because the amount of work as a developer that goes into these products is immense, the amount of testing that they do is immense, the amount of people, but sometimes it happens, right. And I know at the same time, I know, I don't know this for these companies I mentioned. But in general there's also pressures, right, that come from
(25:37):
being a publicly traded company that has financial targeting goals, and product needs to be released at certain times to hit certain financial goals. And the question is, how much would that influence the speed of development? I don't know. But I guess my take is the hope that these companies, the heads of these companies, understand that companies are here to make
(25:57):
profits, for sure, but these companies, they're more than that, right. The type of software that we depend on is not any type of software. It's not like some game, like an app for a game, right, big decisions are taken based on some of the works of these tools. So hopefully, my hope is that development cycles are not
(26:21):
shortened because of that financial pressure. Again, I'm not speaking out of any particular knowledge, I'm just opining in a general sense, knowing how the software business works. So just a thought, you know.
Speaker 2 (26:31):
So just, just a thought, you know. You have something coming up, so the deeper con, want to talk about that? Yes, that's, I'm really, I'm really happy, it was an honor, the SANS.
Speaker 1 (26:43):
So the thing is, this SANS has a, uh, community day, um, and the thing with the, I don't, I don't know if they call it community day. You have, you have a picture of that, many sense, yeah.
Speaker 2 (26:52):
It's community day, yep.
Speaker 1 (26:54):
Community day.
Speaker 2 (26:54):
I don't have the picture, but yeah.
Speaker 1 (26:56):
I have the picture. That's why you don't have it. I have it, so let me show. Let me show folks a picture, me and a few other folks, for the Community Learning Day, that's the full name, and it's going to take place in Miami on November 17th. I don't know if they're going to be live.
(27:17):
Well, that's not live, but you know, like kind of streamed or something. I'm not sure, I need to figure that out. Lately, SANS has been putting stuff out for folks to watch for free, if not live, maybe later on, a few months later, a few weeks later. So what I'm going to be doing there is I'm going to be talking about, again, the LEAPP platforms. There is Python. It's multi-platform. Also, we develop, all the folks like Kevin and all the folks,
(27:42):
Johan. We develop for Android, iOS, parsers for those. So how can we run them? What can we get from them? And also highlight some interesting parsers that you cannot see anywhere else, and a little bit of a lab setting where people can run the tool. So that's going to take place from 10 am to 12. So I got maybe like almost two hours there.
(28:03):
That will do a little bit of a lab environment. So I'm going to highlight some of those, so I'm pretty stoked about it.
Speaker 2 (28:08):
Yeah, and I'll put in the show notes afterwards. There's an agenda for that whole event, and there's a whole bunch of other presentations going on as well.
Speaker 1 (28:17):
Yeah, and I'm saying, you know, it's a, yes, that's fine, I mean I'll do it up. So I'm saying amazing place sharing amazing knowledge, win-win for everyone. And that's something that I want to see. I like seeing from vendors or education providers like SANS more community events like that.
Speaker 2 (28:36):
We need some of those. So recently I was talking with Alex Caithness from CCL Solutions Group, and he has a new plugin parser and I'm going to show everybody. That is called Mr Skinny Legs, and I had no idea what the reference was to.
(28:57):
I'm sure if there's any parents in the chat they will probably know what Mr Skinny Legs is.
Speaker 1 (29:04):
I have a six-year-old and, about to be in a couple weeks, a nine-year-old, and I, I immediately knew what it was about. Um, I had absolutely no idea and I had to ask.
Speaker 2 (29:12):
But apparently it is a spider from Peppa Pig. So I Googled Peppa Pig. That is a strange children's show. That pig is weird looking.
Speaker 1 (29:22):
Oh no, no, Peppa Pig is the best, and I love Miss Rabbit. She's like, Miss Rabbit does everything. So that's how I feel at work. I'm the Miss Rabbit of my office sometimes.
Speaker 2 (29:32):
Okay.
Speaker 1 (29:32):
Parents understand.
Speaker 2 (29:36):
If you say so. If you say so, so yeah, so I had no idea what that was, but the whole program, the plugin that Alex created, it provides a command line interface to run plugins against Chrome or Chromium profile folders, so let me just flip. It currently has available for plugins.
(30:00):
It includes Discord chat messages, Dropbox session storage, user activity, Dropbox file system, Dropbox thumbnails, Google Drive files and folders, Google Drive thumbnails, Google Drive usage, Google searches, Office 365, SharePoint, recent files and user activity history, downloads, local storage and
(30:21):
session storage.
So I installed and tried it outand tried it out.
The tool requires that youinstall have installed Python
3.12 or above.
It's not a suggestion.
I learned the lengthier, harderway that you have to read the
(30:42):
readme and do what it says.
Speaker 1 (30:45):
So I want to say a quick comment there.
Yeah, I bet it's the duck typing errors and all that, because it had to be with some of the Alex code.
By the way, folks that don't know Alex, he's like, I would say, he's like the third co-host, I think.
Speaker 2 (30:58):
Even though he's
never been on the show.
Speaker 1 (30:59):
Because we mentioned
him like every other show.
Speaker 2 (31:01):
We do, we do, yeah,
definitely.
Speaker 1 (31:04):
Alex is great and something I want to highlight there: all the places that Heather talked about, what it gets data off from, it's places that I believe some tools kind of neglect a lot, 100% yeah, but has important information, which Heather is going to show us.
So I'm really happy that Alex and CCL, through Alex, is
(31:26):
actually putting this content out.
But yeah, so you're installing Python 12, right?
Speaker 2 (31:31):
Yes, 3.12.
Make sure you have 3.12.
I'm actually going to share Adam Firman's comment.
We all have to add to Skinny Legs.
So Alex and I were actually talking about that prior to the show, agreed.
There's so much that can be added to Skinny Legs and I am sure he will take all suggestions, research, assistance on doing that 100%.
(31:51):
So the tool requires that you install dependencies and that you use a virtual environment.
The readme that goes along with this script is excellent.
It's really detailed, walks you through the process.
Sometimes when I go to GitHub and I'm trying to run some of those program scripts or whatever it may be, I can't
(32:13):
figure out what I'm doing because the readme is a little scarce.
This one is very detailed and nobody should have a problem.
I didn't have.
I had a couple problems but I figured them out pretty easily.
So it even addresses some issues that you could encounter and how to overcome them right in the readme.
So once it's all set up, the command.
(32:33):
Once it's all set up.
So here I have the three simple commands to set it up.
You create the virtual environment, activate it and then use the pip install requirements to install the requirements needed for it to run. Just a screenshot of it installing the requirements, and then there's a simple script or
(32:55):
a simple command that runs the Mr Skinny Legs Python script on the user's Google profile folder.
So it's a little hard to see there, but the user's Google profile folder is located at your Users and then your username, AppData, Local, Google, Chrome, User Data, and then it's
(33:16):
the profile folder, and maybe Profile 1, 2, 3.
Mine was up to eight.
I noticed a while ago that my profile folder was getting rather large and I deleted it.
So I'm now up to eight, but the script will then output to an output folder in the Mr Skinny Legs directory.
This is my error.
(33:39):
So when you go to run the script on that Google profile folder, the browser can't be open, and it again took me a very long time to figure out that.
I just needed to close the browser and then rerun it.
Speaker 1 (33:56):
Remember what I told you?
Always look at the last line.
Yeah.
OperationalError: database is locked.
Speaker 2 (34:01):
Yeah, you have to read the last part. I know, Alex actually ended up telling me, he's like, did you close your browser?
I said, well, no, I didn't close my browser.
I've run this.
I've run the script like three or four more times and had the same error three or four more times because I for some reason can't get it through my head that the browser needs to be closed.
So if anybody's listening, close the browser.
Speaker 1 (34:22):
SQLite is a single
user database, so you can't be
trying to make it multi-user.
Speaker 2 (34:28):
Yeah, I tried.
It didn't work.
Once it kicks off, the process will start.
This is what the screen will look like.
It has the Mr Skinny Legs at the top.
It tells you what plugins are loaded and what's going to be running, and then I'm going to share with you the actual output folder.
Speaker 1 (34:49):
I always love the ASCII things.
You put the name of the tool in ASCII on the top, like the little symbols there.
I always dig those.
Speaker 2 (35:00):
All right, let me share here.
There we go.
So it goes right into the Mr Skinny Legs directory in an output folder and let me see if I can zoom in here.
I mean I think it's fine.
Okay, it's readable, yeah.
(35:21):
So there's folders: datadump, Discord, Google, Google Drive, Office 365, SharePoint I had in here.
So Discord was actually one of the more interesting ones.
I launched Discord from the browser, Alex's recommendation to check this out, and from the browser.
My messages are now parsed with the Mr Skinny Legs plugin, the
(35:42):
parser for Discord.
It kicks it out in both a CSV version and JSON on most of the artifacts, and let me pull up the CSV here so I can show you. If I have one complaint about this platform that we use to show, it's: I need to have an easier path to sharing.
(36:04):
So there we go.
I have my Discord messages.
I think I'm asking Alex about Peppa Pig in these.
I'm not going to leave it up for long so you don't read all of mine and Alex's messages.
However, I am asking him about the Peppa Pig and what it means, and then going on to ask about the errors that I'm having.
(36:28):
So the JSON file, I'm going to share that as well, because I brought that one up in Rabbit Hole.
Rabbit Hole is a tool that we've talked about on the podcast quite a few times and Rabbit Hole will also parse that data from the JSON file.
So I brought it in under JSON and it has everything laid out
(36:51):
in the key value pairs there.
So I have the channel ID, the message ID, the author ID, the message type, the content and a whole bunch of other data that comes in, along with those Discord messages that are parsed out.
And I think this is a message with me and Alex and I'm saying, yay, the new release of Rabbit Hole is out.
So it pulled all of those messages.
Speaker 1 (37:13):
Yeah, why can't I
find a place to download it?
Because you need to find theright link.
Speaker 2 (37:18):
I didn't have the right link.
Yeah, that's why.
Yeah, I'm full of errors, but so this is really, really cool.
I thought this plugin was awesome.
Speaker 1 (37:31):
Let me tell you something: an expert is nothing else than a person that has gone through all the wrong ways of doing something till they get to the right thing.
So that's what actually.
You should be proud of finding the errors, because that one makes you an expert.
That's a fact.
Speaker 2 (37:46):
Do I have to take the longest path every time though?
I don't know, I don't know, I don't know.
Speaker 1 (37:51):
You took all paths.
There you go.
That's why we were all here.
Speaker 2 (37:56):
So Alex and I were talking before the show too and he was telling me how he researches these artifacts.
So I'm just going to pop up another screen here.
You can, in your Google browser, just perform a Google search.
So I'm going to search just my own name and then if you hit F12, we get a nice little pane over here on the right-hand side,
(38:22):
and if I go to session storage and the google.com, I have that search, that search I just made for Heather Charpentier with the timestamp.
The timestamp can be decoded and other information all in this pane and it can be used for research purposes, maybe to add to this tool in the future.
Speaker 1 (38:42):
Yeah, so that screen, for the folks that are listening, that's the developer options from the browser.
And it's pretty cool because when you open the developer options, you're seeing the different structures and APIs that the browser uses to display things to you.
And, Heather there is showing the session storage, those APIs.
And for those who don't know what an API is, imagine that you're in a restaurant and you want some food and you want to
(39:04):
order.
So you can't just be like, hey, bring me a salad.
Maybe they don't have salads, right, maybe it's a burger joint.
Well, you have to look at the menu, right, you pick from the menu and it goes to the kitchen and they can give you your food based on the menu.
That API is the menu, right, it's the things that you can do and how you're going to do them.
Right, you can order.
(39:25):
Now, in this case, the kitchen where the stuff is kind of kept and made, in this case, will be LevelDB databases, okay, and you can see their key value pairs.
This is one way, as you're browsing and looking, doing different pages, to look at what's inside those LevelDB stores through the API and then, with that knowledge that Heather's saying, then we can figure out.
(39:46):
Okay, there's important information about this particular session storage of a particular page.
Maybe we can pull those out with Mr Skinny Legs and have it in this format that we can look at and read.
And I love, I look at some of the code Alex was showing me.
I love how it's kind of in spirit, kind of compatible spiritually with the LEAPP platform and we're discussing
(40:09):
and at some point maybe we can even make some integration.
So I'm really excited to see, yeah, seeing all this development, community development around parsing and addressing areas of digital forensics that I believe, and I think of us, we believe, that haven't been addressed by third-party tools.
So we're trying to fill that gap community-wise.
(40:31):
So I'm really happy about it.
Speaker 2 (40:36):
I am looking forward to helping with that.
I'm going to figure out how my skills will fit in to help add additional plugins to that.
Speaker 1 (40:45):
Oh, absolutely.
I want to make a couple of more points.
Alex is saying the ASCII logo is the most important part, that's the part you need to take the most time to figure out how it's going to be all lined up and make it legit.
So I agree, I agree with him, right.
And Kevin is saying, you know, maybe it's going to become automated with KAPE and that will be.
(41:05):
KAPE is a tool done by Eric Zimmerman and he's such a great... he used to work at my organization.
Now he's in the private sector, great tool.
So that's another option that will be good to kind of look into more integrations because, like Adam says, it's all about community.
Right, we push the field forward, not from the vendors, and we have that misconception that, you know, the MSABs or the
(41:27):
Cellebrites or the FTKs or whatever, you mentioned the company.
They know.
No, we as a community, we push them right and we have to make them aware of the needs that we're trying to accomplish so the field can move forward.
So, yeah, it's all about community.
So, Adam, you know, again, totally in sync.
Speaker 2 (41:46):
So outsourcing your responsibilities to tool automation.
I know you have a lot to say about this one.
Speaker 1 (41:53):
Yeah, so, so, yeah, how much time we got.
I gotta get my eye on the clock, so we're going to make it quick, so let me, let me show.
I think I have it here.
So, yeah, I was reading some posts, I think in Threads or somewhere else, and the posts were talking about some automation, specifically not automation, but AI.
(42:13):
So I'm going to share with folks, I'm going to read for you, a little bit of the posts that piqued my interest.
The thing was saying that, the person was saying, this article from a newspaper saying writing is hard because the process of getting something onto the page helps us figure out what we think, what we think about a topic, a problem or an idea.
If we turn AI to do the writing, we're not going to be doing
(42:37):
the thinking either, or either.
And that really resonated with me, right, in two ways.
The first one is yeah, absolutely, if you are literally, let me just take this out of the screen, if you are literally just pushing.
And again, AI tooling is becoming now part of our digital forensics software.
They're there now in a couple of third-party tools.
(43:05):
You got to be careful, right, when you look at a tool result and you try to make sense of it.
There's a process of thinking, of connecting what this means with other parts of the case and other artifacts, some of the things that you need to follow up on, because the tool doesn't show you when you put an LLM, right, this large data model or whatever, on it, and you ask it questions and you take that result.
My fear is that the examiners of the near future are going to
(43:28):
be happy with making a question to the thing and then copy pasting that result into our report and sending it out, right, and there's no thinking there.
And the problem is that this type of work requires deep thinking, really understanding, and I just thought of a crazy example.
Right, let's say you asked the tool, is there any?
(43:50):
I think we discussed this before.
Is there any?
I think it actually came from you.
Correct me if I'm wrong, I'm going to say it.
You tell me.
Let's imagine you asked the LLM, in cases of child abuse, is there any grooming prevalent on this device, right?
And then it says, yeah, look at there and you read it.
But when you read it in context, it's a mother telling her son how much she loves him.
(44:10):
Yeah, well, that's not grooming.
You know what I mean?
No, I think that's your example, right.
Speaker 2 (44:16):
It is.
I have a filter in a couple of tools that have done that and the filter is great.
It will pull the grooming stuff out.
But you have to go read it afterwards because it is.
There have been conversations with the mother and son and mom's just saying, I love you, honey, and that's not grooming.
Speaker 1 (44:32):
Imagine, imagine somebody copy pasting that thing there.
Are you kidding me?
Yeah?
And?
And push, push... folks at chat are also talking.
Push button forensics, at least today, used to be okay.
I just print out the report and that's it, right, and maybe I have no interpretation knowledge.
I just put that out, which is bad.
The problem is that now push button forensics is going to be not
(44:54):
only just putting the report out, but a possible interpretation of that data based on the tool itself, and that's going to compound the problem more.
So I have a, I have a lot of issues with that, because we're doing like Jurassic Park, right, just because we can do it doesn't mean that maybe we should, or at least we should slow it down a little bit.
Speaker 2 (45:15):
Well, it all sounds
good to be faster, faster,
faster.
Speaker 1 (45:20):
But well, yeah, careful, yeah, it's just.
I guess that leads to the next point that I really wanted to bring, which I make in my post, is that that thought process of the tool is going to.
I'm going to outsource my responsibility of parsing, of understanding.
If the tool doesn't show it to me, I'm going to assume it
(45:40):
doesn't exist.
That type of thought process is now migrating to how we are trained, value on the tool output.
It makes logical sense that how I learn to use the tool must be the most fundamental and important data-first knowledge I could obtain, and I push on that.
(46:00):
I push on it hard, at least from my perspective.
The idea that I am only allowed to speak intelligently about using a tool because I got certified on that particular tool, it's bonkers.
To me, it's just bonkers, 100%.
I don't need to be certified in tool X to be able to talk about it. Now, is it good to have a certification on it?
(46:22):
Sure, it's good, but the level of knowledge and the level of expertise that I expect from examiners, from every practitioner in the field, has to be more than, or more deeper than, what the tool just provides to you in that type of abstraction.
Right, you have to know enough knowledge to understand that
(46:43):
this output, what it means behind the scenes, and that's where we need to move towards. Anything less, as things get more abstracted.
First it was abstracted by the tool, now it's abstracted by the AI, then it's going to be abstracted by the AI asking the questions for you and putting you the report, or us letting it be that way and then having courts believe that if
(47:04):
you don't have the certification from the company, you can't speak intelligently about using the tool, is ridiculous.
Speaker 2 (47:10):
That's the worst part.
That's the worst part, like I don't understand where this whole, you have to be, you have to be certified in the tool and know how to filter and how to maybe sort the columns.
And if you have the fundamental knowledge of digital forensics, you should be able to apply that to any tool.
Speaker 1 (47:38):
Well, and that's the discussion that window is drifting away from.
And again, I speak highly of IACIS.
I'm part of it and I'm proud of being part of it. IACIS is founded on: we're going to learn about the hex, we're going to learn about the data structures.
We're going to talk about how are things stored, even a little bit of writing code, because if all, and this is something I took from Alex Caithness, he's in the chat, if all the things we're looking at comes from software, we need to know how software
(48:00):
works.
We need to understand some code, because the results come from code.
Right, and we're moving away from that and people strongly believe that.
Well, if I know how to have the certification from the tool and tool, I hope nobody gets mad.
But it's true, and we were talking about this before the show.
If tool makers are starting to even take away those things,
(48:21):
those like the hex, why would nobody want to talk about hex?
Let's take it out of our class.
They are.
Speaker 2 (48:26):
They're starting to take it away.
It's insane.
The classes, the classes that I took when I first started in 2015, all incorporated a lot of the fundamentals in the beginning classes, the starter classes, and then they worked that into how the tool works. Getting rid of that fundamental
(48:51):
training and just teaching, this is how the tool works and here's your output and you're good to go.
Now you're certified in using the tool.
I was always under the assumption, since I started work in this field, that I had to be certified in the tool to be able to testify to the results, and that is not true. I mean you could, you could be certified how to use a tool, but I do not understand what the tool is providing to.
Speaker 1 (49:11):
You have no real understanding of what it means.
Definitely, and again, people that make courses for these vendors will be like, well, no, we talk about artifacts and OK, that's fine, but then again, if the artifact again comes from a data storage, it's put in some particular way, it has some nuance.
There's some things there that if we don't discuss them and we
(49:32):
just discuss the artifact in the context of, look at it as it's parsed by us, that's a problem.
I think we're taking or leaving that control that we have of our field.
And at some point I discussed it with Josh Hickman, some other friends, the state might mandate us, right.
Yeah, definitely, and I don't know if that maybe it's a good
(49:55):
thing, it's a bad thing, it's a discussion for another day, but the state might require some certain, like doctors, like a board exam of some sort, right, or engineers, right, and maybe that's where we're heading if we keep kind of outsourcing that to the vendors, outsourcing that to the LLM, outsourcing that to the tool.
Like Adam was saying, I had this comment here up on the
(50:15):
screen.
You still need to understand how the tool came to its conclusion, and you need to understand it because the tool sometimes will come to the wrong conclusion or a conclusion that could be misinterpreted.
The tool is not wrong, but what you see on screen can be easily taken by another examiner who doesn't have the knowledge or has some motivation to not understand it and misinterpret
(50:36):
it.
And if you don't have the knowledge of how to kind of fix that wrong or right that wrong, then what?
And you know a couple of folks in that post were saying, well, but you don't understand.
It's the prompt.
If you have a, it's from prompt engineers.
They really think about it.
What happens when the AI itself generates its own prompts?
(50:56):
You know, right.
So, so what, right?
Your job is to make sure that those details are correct, and the only way you do that is by having a deep knowledge of fundamentals.
Being an expert at something is not magic, it's just knowing a lot about the basics.
If you know a lot about the basics, guess what?
You're an expert.
Speaker 2 (51:16):
Yeah, I mean, I find knowing a lot about the basics to be way more important.
I have all the tool certifications.
I do, I have them all, and then when it comes time to recertify them, sometimes there's a little test, but sometimes you don't have to do anything to recertify except say I went to training.
So you're telling me on December 31st I'm good to use
(51:38):
the tool and then on January 1st if I haven't recertified, I'm no longer good to use the tool.
I just, I don't get it.
I don't get it.
Speaker 1 (51:45):
It's like Men in Black, that date, it'll be like phew.
Speaker 2 (51:50):
I know, right.
I forget everything I ever learned.
Speaker 1 (51:51):
What tool?
What happened?
I totally forgot about how to run this tool or what it means.
No, and again, I'm giving kind of vendors a hard time.
But really the hard time is not the vendors, right, it's us.
Right, it's our organizations.
If you're the head of a lab and you have to make a choice
(52:11):
between, well, I'm going to form a curriculum, right, it's OK to have vendor courses.
But as the lead of that lab, you got to make sure that that curriculum also, you hit the things that you need to hit, right.
Not only say, well, if I have the five classes from X company,
(52:33):
I'm good, they're experts, go ahead.
No, we can make sure that they hit that, those fundamentals are there.
I'm a big proponent of in-house training and in-house certification, especially in your law enforcement, that there is no reason why, I don't know, the police department of City X couldn't work with other agencies locally and develop a certification that's suited for them, the type of work that they do for their region.
Right, and kind of band together to make some good, good
(52:55):
, good curriculums for the region, if that makes sense.
Speaker 2 (52:58):
I think that that could be coupled with webinars and workshops and the free online trainings, actual research, like get your new people or your new examiners to actually do research and development and kind of be a self-taught training.
I don't know.
I put a lot of weight into that. Again, Adam makes a good point.
Speaker 1 (53:20):
So the ISO requires to have tool training, right, and we're not saying we shouldn't have tool training, right, and I know Adam, I think I know Adam agrees with me at this point, what we're saying is that tool training, you should have it, but tool training does not substitute, does not make you.
Tool training is not the digital forensics really in large, right, it's part of the digital forensics, it's good to have.
(53:42):
But the fact of the matter is there are so, so, so, so, so many tools, even the ones you create yourself, that it's not realistic to be certified in every single tool, right?
So it should be part of it, and it's required for sure.
That's a good thing, having, even if you're certified in it or not, because you can have tool training and not have certification on it, right?
(54:03):
But to think that our, our curriculums are going to be tool training with certification and have enough of those, I'm a forensics expert.
I don't believe that's the case.
In my organization we have a process in-house that hits those fundamentals, which I agree with.
IACIS is one organization that their courses, they hit the
(54:23):
fundamentals from the ground level, which I agree with, and I think even vendors should start kind of not forgetting about those as they develop their curriculums.
Just, you cannot be an expert in a two week class, even if they advertise it as that, right?
Oh, you don't have time.
You want to be an expert really quick, it's easy.
Take our $10,000 course.
I'm sorry, PR people, that's not a thing.
Speaker 2 (54:45):
Yeah, not at all.
Speaker 1 (54:47):
Yeah, marketing people, get out of here.
That's not a thing, but anyways.
Speaker 2 (54:50):
Not at all. Two, yeah, two weeks is definitely, definitely not long enough, but you know, back to the, back to the certifications and the tools, though, too, like you have to have the certification to create a report out of this tool and testify to this.
But what about the person's digital forensics degree, degree that they have hundreds of hours of training in?
I think that should have a little more weight, as well, than
(55:12):
the tool trainings.
Speaker 1 (55:14):
Oh, I agree, because this field came out, at least the practitioners, didn't come from universities.
They were like me.
When I started, there was no degree ever.
It didn't exist.
The data for this degree, what was that?
It didn't exist, you had to get certified only.
But I do make a good point, as we're moving towards more of a systematic college level education for this field.
It should be complementary and also, again, there's different
(55:39):
training programs.
Some degrees are from a university and not be as good as the others.
We get that.
But I mean a person that took a two-course week on how to run a tool, I'm sorry.
I'm going to give more weight to the person that has four years and had to take a binary class.
Like what's binary, what's hex?
I will really put a lot of weight on that, me personally.
(56:02):
Again, one big point for everybody: neither Heather nor myself speaks for our organizations.
Okay, these are our opinions.
We don't reflect our employers.
Our opinions are ours and they're subject to change at any moment.
So we don't speak for our employers.
It's just us as practitioners, sharing what we think, so just keep that in mind, yeah, definitely so.
Speaker 2 (56:21):
Yeah, so this topic with the tool trainings, though, I mean we started to kind of talk about that last episode on the meme of the week and I just thought we should maybe continue it because a lot of people were interested in talking about it.
But I don't know.
A message out to the vendors, for me, not my organization: put the fundamentals training back into the basic tool trainings,
(56:43):
please.
If you've removed it, not everybody has. I agree, 100%, 100%.
Speaker 1 (56:50):
And talking about, about tool development, right, I think there's been some changes in how we look at some data, I think in iOS, right, am I right?
Speaker 2 (57:01):
Oh yeah, yep, so
other Mahalik Barnhart actually
just put a new blog out.
So Apple Apple has changed theway message retention is tracked
in the comapple mobile SMSplist.
The plist value for messageretention used to be keep
(57:21):
messages for days and then afterthat keep messages for days
field.
You would have a value of zerofor forever, 365 for a year or
30 for 30 days.
In iOS 17, you'll need to relyon the value that's found with
SS keep messages for the latestmessage retention setting.
(57:41):
So Heather has a nice littleblog that she just published on
Smarter Forensics, which is herblog.
I'll put it up in the shownotes after, so nobody has to
write it down.
But keep in mind, if you're inthat iOS 17, your message
(58:01):
retention will be found under adifferent value.
Speaker 1 (58:03):
Oh, absolutely, and actually I think Kevin is already working on how to adapt our parsers to this new iOS 17 knowledge, because you're used to looking at a place for one thing and now it's different, and not only different.
The old thing is still there, but if it's iOS 17, it doesn't count.
Just because it's there doesn't mean anything.
(58:24):
And again, that talks about a tool reporting a value there.
Yeah, it might report the value from the original setting, but in iOS 17, it doesn't apply anymore.
So again, you got to be careful.
You got to make sure you keep up to speed with the things that are happening.
And right now, if you were to parse an iOS 17 on many tools,
(58:45):
they will tell you the retention level for these messages.
It's going to be wrong if they haven't looked at this new field within the file, which again, is exactly what we're talking about.
That's not going to work.
We cannot outsource.
We need to be in the know, be part of the community, to keep ourselves up to date.
Speaker 2 (59:03):
Kevin says more testing, but it's coming.
And of course Adam writes, do you sleep, Kevin?
Speaker 1 (59:11):
I don't think he does.
Speaker 2 (59:11):
No, he definitely
does not.
Speaker 1 (59:13):
He doesn't, he's got
a baby too.
Yeah, exactly.
Speaker 2 (59:16):
Yeah, there's no
chance he's sleeping ever.
Speaker 1 (59:19):
Look, I empathize with him.
I went through it twice.
He's going through his first beautiful child, so he doesn't sleep.
So I feel you, man.
Speaker 2 (59:31):
Another blog that's out that is definitely worth checking out, the Identity Lookup Service.
So it's a blog by, and I hope I don't kill his name, but Django, Django.
I'm not even going to try.
I'm not going to try the last one.
No, try, try.
Speaker 1 (59:45):
Just the D sign.
Try it that way, Django Faiola, Faiola.
Speaker 2 (59:49):
Okay, got it.
So his blog talks about the identity services ID status cache plist, and how it caches records of the Apple user ID authentication data.
Even if the data has been deleted from the phone's directory, the authentication file remains intact, containing
(01:00:11):
contact and communication records that you can parse.
So it's important to note that this data only confirms that an authentication occurred, but does not mean that a conversation happened or that a message was actually sent.
And actually I had that misconception when I first started looking at these records.
I saw the authentication and I assumed that I was going to find, if it wasn't deleted, I was going to find a message to go along with an SMS
(01:00:33):
authentication.
But be careful of that.
You don't want to use that artifact and say, oh yeah, they messaged this person, because it's not necessarily true.
Speaker 1 (01:00:42):
And, and every, every time I hear somebody explain this interaction and see they, it's like, well, moving right along, like, like, yeah, it's so badly, we talk about that a lot, but it's so badly explained when in some, in some circles.
So I appreciate him kind of bringing that up and giving us a chance to really, and you, to underline the significance and
(01:01:03):
then the caveats. Yeah, so, along with this blog, he, there's also support.
Speaker 2 (01:01:09):
Support now that was submitted to iLEAPP and has been added to iLEAPP for the Identity Lookup Service.
I have some screenshots of that, actually.
Speaker 1 (01:01:17):
I'll pull those up, yeah, bring them up, and I like it a lot because the interactions have this kind of unique ID, right, that, even if it happened or not, at least you can tell what the interaction was with, what it was, a message, was it FaceTime, whatever it was.
So what he did, I was looking at the code before I merged it and
(01:01:40):
it's pretty neat because you can see how you can at least figure out what that interaction was intended towards, which kind of gives you some knowledge in what the intention of the user was, if that makes sense.
Speaker 2 (01:01:53):
It does, yeah. So that's what it'll look like when you run this now on iLEAPP, which I'm excited about, this one, to see a different view.
I mean, I've used Cellebrite and it's parsed right in Cellebrite, but this is nice to have a second tool there verifying the authentication.
Speaker 1 (01:02:12):
Yeah, you can see there, Axiom too. Yeah, Axiom too.
Yeah, absolutely. Yeah, and you can see, I'm sure, several others. Yeah, under service type you see email, you see telephone, you can see message.
Yeah, then what the, uh, what that search was done for, the Identity Lookup Service was related to. So, and then.
So I think that's pretty neat.
I again, like you're saying, I love to have open source things because we can. Then it's not a black box, you can look at how it's actually
(01:02:34):
parsed and have a good sense, a confidence, on what that output is.
So whenever we can do that ourselves as a community, it's a big add.
You don't have, I tell people that are listening, you don't have to create this new thing for it to have value.
If you can create something that's already being done, but do it in a manner that's transparent and available and reachable for the community, you are doing an incredible
(01:03:02):
contribution to the general knowledge in the field.
Okay, if you can take something out of that black box and let us understand how it works, it's going to be extremely useful and well-received.
So don't get discouraged.
Don't look for the unicorn artifact that nobody's seen.
You know what I mean.
The things that we know, help us understand them better.
Speaker 2 (01:03:19):
So also with the LEAPPs.
Let me pull up.
Gabe Birchfield wrote a LinkedIn post recently.
I'm going to share that with everybody.
There we go, so I'm going to just read it.
Forensic examiners, practitioners, never hesitate to
(01:03:42):
reach out when you need assistance or a second opinion.
I was recently conducting an examination on a Samsung Galaxy on an ICAC investigation.
All of the easy evidence had been deleted by the user.
However, I know not everything is gone.
The images and videos associated with the cyber tip had been deleted.
The internet browser history and downloads had been deleted.
(01:04:02):
That's it, right?
Wrong. LDBs to the rescue.
So the LevelDBs, a shared protobuf associated with the Samsung browser, had the data I wanted, but it wasn't easy to display it to a non-forensic person. Keys, values, timestamps, compression, not easy to convey to a jury.
I got a hold of Alexis Brignone and said, can you help me make
(01:04:23):
this look nice?
More or less. Within a short period of time, he added it to his ALEAPP tool as a parsed artifact, Samsung browser shared protobuf.
Thanks for the assistance, and now everyone has access to this artifact with his tool.
I also want to thank Ian Whiffen for creating Mushy, a free tool that allowed me to see the LevelDB values easier to begin with.
Never give up when you think there is no evidence.
(01:04:45):
Don't depend on one tool to find everything you need.
Do some forensic digging and make every case count.
Speaker 1 (01:04:53):
I mean, honestly.
After that, I could be like, well, thank you for being here.
We're going to close the show.
Speaker 2 (01:04:59):
I love this post because we talk about the LevelDBs a lot and how, um, they're commonly, like, they're skipped over, they're not looked at.
Um, some people don't even know what they are.
Um, and I think having these cases where they aided in maybe, um, generating an arrest or a conviction, um, the
(01:05:19):
more you share this, I think, the more people will begin to start taking the LevelDB seriously.
Speaker 1 (01:05:26):
There's a lot of data in there.
Oh, and all sorts of formats.
In this case, the LevelDB had protobuf in it, so you had to do an extra level of, not abstraction, but file formatting there, and it was good.
Actually, I was in New Zealand when he sent me the request and I started looking at it, and during the, so I wasn't teaching
(01:05:47):
the whole time, right, I had two other instructors, so when they were teaching I was able to kind of start doing some of that code, and before I left New Zealand we had it done, because, as community members, you know, the community is really helpful, and I know he needed this for a case.
So I was really happy and excited to be able to help them push the case forward and bring justice to the victims.
And it was amazing, the amount of data that was there. Amazing.
(01:06:11):
And I'm glad that now everybody can benefit from it.
If you have a case with a Samsung device, do run ALEAPP, because you're going to get some good stuff that you might not expect.
And again, thanks to Gabe for doing the research.
I couldn't do my part if he hadn't done the digging, so we worked together and we got that output, so I'm really pleased with it. Awesome.
Speaker 2 (01:06:30):
One more.
What's new with the LEAPPs?
So Metadata Forensics actually added a watch sleep data report.
So it is sleep data.
The artifacts provide a glance review to sleep periods when the Apple Watch is worn.
Uh, the data is broken into sleep states following Apple's use of them and breaks down the data to mirror the Health
(01:06:52):
application's review of sleep.
I have a couple of screenshots of this too.
So, whoops, hold on one second. There we go.
So, um, there's the health sleep. All watch sleep data report has
(01:07:13):
sleep start time, sleep state, sleep end time and, um, the sleep state hours, minutes and seconds.
Speaker 1 (01:07:19):
Yeah, and the guy that does the coding for them, for these artifacts, his name slips my mind.
What a great guy.
Speaker 2 (01:07:27):
James McGee.
Speaker 1 (01:07:29):
James McGee.
What a gentleman.
He's a good guy.
I'm really happy that, again, him and, through Metadata Forensics, who he works for, they made this available to the public.
I cannot thank him and the company he works for for, again, helping the community have access to this data.
Speaker 2 (01:07:48):
Just a second screenshot too.
So we have some more. Sleep period report now with the sleep start time and the time in bed, time of sleep, awake duration, REM duration, core duration, deep duration.
So it's got the percentages of when you're awake and when you're in those other states of sleep.
Speaker 1 (01:08:06):
Oh yeah, and it goes without saying how important this might be on all sorts of cases, right, especially events that happen in the middle of the night and you're like, what happened here?
That's definitely helpful.
Speaker 2 (01:08:17):
Definitely.
Let's see.
I think now we are to everybody's favorite part, the meme of the week.
Yeah, and the meme of the week brings that in a little bit.
(01:08:41):
So we have a meme with AI, third party tool, parsers, analytics, automation, and it is a shooter from the Olympics with all the gear on, the special glasses. Turkey, who walked in like he just rolled out of bed, pointed the gun and won the silver.
I think he's my new hero.
Speaker 1 (01:09:10):
He has his little glasses on and just, oh my God.
His hand in his pocket.
He's like, you know what?
I'm just here to win some medals, OK.
Speaker 2 (01:09:21):
Some of the comments that have been going around on his pictures are just amazing.
Somebody said that his wife sent him out to the store to get milk and he stopped off at the Olympics and won the silver.
Um, there's just some really good comments on it, and he looks badass. Well, he looks badass because of the simplicity, right?
Speaker 1 (01:09:40):
Yes, yes. Like, and that kind of speaks to when you have fundamental knowledge, right, a hex editor, and you just look at the hex, and so what?
But when you know what you're looking at, right, you can be pretty dangerous in a good way, right?
So the simplicity, being able to get the job done in a simple, direct way, gives you that badass attitude, but you get to
(01:10:02):
your results in a way that's unshakable, right.
Somebody might try to come at you and say things, but no, you know what's going on.
When you have those fundamentals, you will get that silver or gold without so many go-arounds.
Speaker 2 (01:10:17):
Yeah, exactly.
Speaker 1 (01:10:20):
Actually, one more thing.
Alex is saying that about that file that we're talking about, that we're working on.
He may have some more info on it and some extra code, which again, oh good, I'm all for making things better.
So I'm so happy that, again, even the show, we can even grow. We did something, we can even make it better.
So, uh, that's what's important.
(01:10:40):
You're here, and let other people know, uh, you know, there's some community resources that we can interact and exchange information.
Speaker 2 (01:10:49):
It's good stuff.
Speaker 1 (01:10:49):
Yeah, definitely. All right.
So we have come to the end of the show.
We took a little bit longer, but at this point I'm not going to say that anymore, because the show is now like an hour and 10 every single time.
So we finished just in time.
Speaker 2 (01:11:00):
Yeah, I didn't think we had enough topics this week.
Apparently we did.
Speaker 1 (01:11:03):
Well, I mean, I took half of it just talking about New Zealand.
That's true. Well, Heather, anything else, with the good of the order?
No, I think I'm good.
Thank you very much.
No, thank you, and thank you all the folks that are in the chat.
We love you, we appreciate your thoughts, we learn from you, and we'll be, hopefully, in the next couple of weeks, although you'll be traveling, I think, right?
Speaker 2 (01:11:24):
I'm here for the next one.
We're good.
We're good for the next one in two weeks.
Speaker 1 (01:11:28):
Yeah, you got to travel out, but always keep track of our LinkedIn, like personal ones, also the Digital Forensics Now podcast LinkedIn and the social media, so you can know where's the show.
Um, uh, there's a, see.
We're not gonna hit it now because we're closing the show, but somebody has a question?
Yeah, open it up if you can. We, I just say we both hit at the same time. Yeah, about a .mob
(01:11:51):
file in the file provider storage photo picker.
What I suggest, Mark, you should do is go to the DFIR Discord and ask your question in the decoding section, and maybe some folks there might be able to help.
You know, you don't have to wait for us or for folks in this chat.
Speaker 2 (01:12:12):
Yeah, you know what?
Just looking at it quickly though, Google "file provider storage" and just put the word forensics after. There's a blog.
There's a blog on that, I know there is.
Speaker 1 (01:12:22):
And it should come
right up.
Speaker 2 (01:12:23):
It should come right up.
The key is, to anything you're searching that's forensic related, put the word forensics at the end of your search, and I think you'll find a good blog on that.
Speaker 1 (01:12:32):
Fantastic, and again, also the DFIR Discord, a great resource.
We probably have some questions interacting, and it's open 24/7, so do that.
Thank you everybody for being here, and thank you for appreciating the memes, and we'll be seeing each other, hopefully, if all goes well, the next weeks.
Yes, so take care and talk to everybody soon.
Speaker 2 (01:12:53):
Thank you, bye, bye, bye, thank you.