
October 30, 2025 74 mins


This episode digs into the habits that actually hold up: learning from CTF wins and post-event reviews, exploring scholarships and Reno trainings that build technical muscle, and walking through expert-witness prep that turns courtroom stress into structured, confident testimony.

We’ll unpack Brett Shavers’ reminder that truth alone doesn’t win cases—procedure, documentation, and bias-aware methods do. Clear writing matters too; vague language can undermine solid work.

On the tools side, RabbitHole v3 now recovers deleted SQLite records and rebuilds them into query-ready databases—speeding validation and reporting without losing traceability. We’ll also demo the new Android Logical Extractor: pull device info, logs, and scoped chat data with hashes and ready-to-file PDFs. It’s ideal when consent is limited or full file systems aren’t on the table, and integrates cleanly with downstream workflows.

Throughout, we emphasize one idea: tools are abstractions. If you can’t explain how a result was produced or reproduce it, you don’t own the finding. That’s especially true with AI. Generative models are nondeterministic—useful when documented, risky when their prompts or scope stay hidden. We’ll cover prompt disclosure, reproducibility, and how to write about “deleted” data with precision: previously existing, marked deleted, not referenced—describe state, not intent.

If you’re serious about improving testimony, validating results, and adopting new tools without losing forensic footing, join us. Then share your take on AI prompts and language precision—what will you change in your next report?

Notes: 

IACIS Scholarships
https://www.iacis.com/awards-and-scholarships/will-docken-scholarship/
https://www.iacis.com/awards-and-scholarships/womens-scholarship/

Training Opportunities!
IACIS Reno
https://www.iacis.com/events/in-person/reno-nv/


Free DFIR Test Images + Industry Tools to Analyze Them
https://www.dfir.training/downloads/test-images

New Blogs from Brett Shavers!
https://www.linkedin.com/pulse/theres-lot-more-trial-than-you-may-know-even-have-100-brett-shavers-br4sc/
https://www.linkedin.com/pulse/case-almost-made-me-quit-dfir-shouldve-news-brett-shavers-pie1c/
https://www.linkedin.com/pulse/i-when-digital-forensics-lost-its-soul-brett-shavers-otkec/
https://www.linkedin.com/pulse/end-dfir-again-dfir-training-ab5jc/
https://www.linkedin.com/pulse/how-wreck-your-report-affidavit-testimony-one-word-brett-shavers-qkyvc/
Free Webinar
https://www.suspectbehindthekeyboard.com/fighting-city-hall-dfir-lessons-from-a-pro-se-plaintiff

Rabbithole Update
https://www.linkedin.com/posts/rabbithole-dataviewer-sqllite-ugcPost-7384144022065274880-0d0D
https://www.cclsolutionsgroup.com/forensic-products/rabbithole

ALEX Release
https://github.com/prosch88/ALEX
https://github.com/RealityNet/android_triage



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_03 (00:16):
Welcome to the Digital Forensics Now podcast. Today is Thursday, spooky October thirtieth, twenty twenty five. My name is Alexis the Scream Briggs Brignoni. And I'm accompanied by my co-host, The Ghost to my haunt,

(00:37):
The Vampire to my Bat, The Frankenstein to my monster, the scary, spooky, and always spooky Heather Charpentier. The music is Hell Up by Shane Ivers and can be found at silvermansound.com. Yeah.

SPEAKER_00 (00:56):
Oh my god.

SPEAKER_05 (00:58):
I don't know if that even made it.
The audio made it.

SPEAKER_01 (01:01):
You're awfully spooky.
You sounded really muffled.

SPEAKER_05 (01:04):
I know, I know. I'm gonna I'm gonna look so the folks that are listening. I had a uh scream mask on because it's Halloween, you know, tomorrow. Wait, let me put my hat on. So so let me let me let me say the intro because with that mask, I bet nobody heard it. I I said, you know, I'm accompanied by the co-host, my co-host, the ghost to my haunt, the vampire to my bat, the

(01:25):
Frankenstein to my monster, the scary, spooky, and always kooky, Heather Charpentier. There we go.

SPEAKER_01 (01:31):
And he came up with that like 10 seconds ago.

SPEAKER_05 (01:35):
Yeah, it's a little burst of creativity after I had a dose of Oreo cookies to get some sugar in my system. Now I'm hyper.

SPEAKER_01 (01:43):
Oh my gosh. I did not dress up for Halloween, but I do have an orange shirt on, so I'm just going as a pumpkin.

SPEAKER_05 (01:51):
The great pumpkin, like the Peanuts. Yes. See, I I like my my my scream mask because uh has it says it's like rhinestones, it's like like you know, fancy and whatnot.

SPEAKER_01 (02:02):
Are you wearing that out trick-or-treating tomorrow?

SPEAKER_05 (02:05):
No, actually, I'm gonna be dressed out as uh as uh Bruno from the Encanto movie.

SPEAKER_00 (02:10):
Oh, okay.

SPEAKER_05 (02:11):
So we we don't talk about me, you know?
Get it?

SPEAKER_00 (02:14):
Nope, I've never seen it.

SPEAKER_05 (02:16):
Oh well, I I'm not surprised. I uh people might be surprised that you don't you're not cultured like that watching Disney movies, but you know, I'm not surprised.

SPEAKER_01 (02:24):
I watched the old Disney movies, like the 1970s, 80s, 90s ones.

SPEAKER_05 (02:29):
Yeah, when yeah, when you were in your 20s, I get it. But either way, um it's a great movie, Encanto's a great movie. So I think I'll be trying to Bruno. So I'll have the picture for the next the next episode. So we can you can all laugh on my wig. It'll be great.

SPEAKER_01 (02:44):
So what's been going on?

SPEAKER_05 (02:46):
Um, so my end uh a lot of stuff, a lot of work, but uh something cool that happened. Let me put this up on the screen. Uh, what I have there is me sitting at this little stage with the awesome Scott uh Tucker, uh really uh uh uh an expert. He works mostly civil cases. Fantastic. We had a little debate at the Oxygen Forensics, and I have

(03:09):
here a little wolf, you know, for the Oxygen folks. Yeah, they were they were in town uh not too long ago, and uh they had their um conference, um uh legacy, what was it? Um Legacy and Logic conference for 2025, and they had us debate a little bit on on the on AI. Obviously, I was on the um AI not so good side.

(03:31):
Uh you were not. I just told people that uh AI is an insult to uh life, but uh other than that, it was I was pretty civil.

SPEAKER_01 (03:41):
Oh my gosh. I think you're quoted saying that on several different platforms, so I saw it.

SPEAKER_05 (03:47):
An insult to life itself. It's not even my I didn't come up with it. It was Hayao my uh um Miyazaki, the guy from from the cartoons, the anime cartoons. Anyways, the point is that it was a great debate, and and again, really, really nice, but a good good exchange of ideas on what the limits of AI are and and some of the benefits as well, and some of the procedural things we need to possibly be

(04:08):
aware, and and some might also disagree in many regards to the use, uh, misuse, and and all those functions. So that was pretty good. That's pretty neat. How about you? What's what what do you do since last time we were here?

SPEAKER_01 (04:20):
Honestly, not much. I think I'm still sulking because I'm not on vacation anymore. I think that's what I've been doing since the last podcast. I showed all my cute animals I got to go see the last podcast, and I literally have just been upset about not being there.

SPEAKER_04 (04:38):
Yeah, no, I I I I hear you.
I hear you.

SPEAKER_01 (04:40):
Yeah, but nothing major, you know, just hanging around and going to work, coming home, getting ready for winter. Oh, yeah. Oh, it's freezing here. It was like 26 degrees when I went to work the other morning, so it it's cold already.

SPEAKER_05 (04:55):
Well, it's getting cold down here in Florida as well. It's a it's a like a uh uh oh, I mean, not not horrible freezing temperatures like you, but it's still it's getting colder here as well.

SPEAKER_01 (05:04):
So you it made it down to like 75.

SPEAKER_05 (05:07):
Uh actually it was 50 this morning, and I'm like, I'm like, this is ridiculous.

SPEAKER_01 (05:11):
Did you have your parka on?

SPEAKER_05 (05:14):
Uh I have my uh Eskimo suit on.

SPEAKER_00 (05:16):
Ah, there you go.
There you go.

SPEAKER_05 (05:18):
Even my Ug the Ugg boots.

SPEAKER_00 (05:20):
Oh my gosh.

SPEAKER_05 (05:21):
I uh but uh wait wait. Just to make it clear, I do not own any Ugg boots, okay? Just saying.

SPEAKER_00 (05:27):
We all just visualized it though.
So in our minds, you do.

SPEAKER_05 (05:32):
So so before we start, I'm gonna say a few hi's to Christian is hanging out here, so I'm happy uh he's here. We're gonna talk about uh a great addition to open source software. So we're gonna talk about that. Kevin is there. I know he liked my mask. Um, you know, forensics with Matt is there, Natswami from Twitter, so good to have you here.

(05:52):
Yeah, and uh yeah. Let's uh let's start the show. What's what's what do we have?

SPEAKER_01 (05:58):
Let's do it. So um wanted to mention uh that the Cellebrite CTF was just the last week or so, and um I did not play this time, however, I was watching all of the great comments in the Discord on the CTF challenge, some really funny good questions. Um but I wanted to just put up the winning team.

(06:21):
I stole this from Cellebrite's uh LinkedIn page. The winning teams are there, so congratulations to all the winning teams. And then just kind of wanted to do like a little PSA for everybody who missed out on the CTF or maybe just wants access to the images afterwards. Watch for all of the great bloggers because they'll be writing blogs about how they came to the correct answers for

(06:44):
the questions on the CTF. And you always have the chance to take the or to do the CTF after it's done at your own pace as well.

SPEAKER_05 (06:53):
Oh, I I love how uh the teams from uh from the Pacific, right, did so well. Thailand and Singapore, even the win the individuals and winning teams, um, they did they did awesome. We got Romania up there on their individual number one. So that was uh that was that's pretty cool. And then uh representative from the US as well. So that's that's pretty cool.

SPEAKER_01 (07:14):
Yeah, definitely. Let me take that down. All right. Um, wanted to mention a couple of scholarships that are available if anybody's looking to go to training but maybe doesn't have the budget for the training. The IACIS scholarships are up and active um again this year. There's two the Will Docken Scholarship and the Women in Law

(07:37):
Enforcement Scholarship. For the Will Docken, um the scholarship will cover the course tuition, and um the recipient will be furnished with all the course materials, equipment, hotel accommodations, everything at no cost. To qualify for the scholarship, um, the applicant must be employed by a city, county, or state law enforcement agency to

(07:59):
conduct digital forensic examinations. And the agency cannot have more than two personnel, including full-time, part-time, temporary, or flexible, assigned to conduct digital forensic examinations. So the application period is open now and it's listed uh through November 30th. And then the women in law enforcement scholarship is it

(08:23):
covers the registration fee for IACIS, and then there that that is funded by Edith Santos. And then there are additional donors that are gonna support um up to $3,000 for travel expenses, so your flight, your accommodations, your per diem, and then access to digital forensic software packages for the recipient of that scholarship.

(08:43):
Applicant must be female, working in a law enforcement agency, sworn or civilian. So you don't have to be sworn, sworn, or civilian for that one. Um, and then that is also open through November 30th.

SPEAKER_04 (08:55):
Oh, that's awesome.

SPEAKER_05 (08:56):
Uh, you know, apply for that. Hopefully you get it. Uh and you know, we as full disclosure, we're volunteers as well for IACIS and we teach the advanced mobile device forensics course. And uh we believe in the IACIS mission and the content. Uh we know that that's really good, so it'll be a great benefit. Um, and if you have uh uh you know a way of going there without needing a scholarship, then take advantage of that.

(09:18):
Uh it's a great it's a great opportunity to learn and also a great time to network, and you end up meeting awesome people like like Heather here.

SPEAKER_01 (09:25):
Oh, yeah. And awesome people like Alexis here.

SPEAKER_05 (09:30):
Oh, yeah, I don't know if I fit in the definition,
but it's okay.
You'll you'll meet me as well.

SPEAKER_01 (09:36):
Um uh kind of along the same lines, some training opportunities. So uh Alexis was just talking about IACIS. Those two scholarships that I mentioned are for the event in April in Orlando, but there is also an event this year in January in Reno. And just wanted to give a reminder that specialized classes, so not the BCFE class, all of the specialized classes

(09:59):
are going to be running an event um for a week in January in Reno. So if anybody is looking to register, the registration is still open and another chance to meet us. You can come hang out. Let's work forensics together.

SPEAKER_05 (10:13):
No, yeah. I mean, uh, you'll you'll hear me, you'll hear me rant about data structures, which is always fun. So come on, come on over.

SPEAKER_01 (10:19):
I'll try and keep his AI rants to a minimum, I promise, for whoever wants to sign up.

SPEAKER_05 (10:26):
We'll do those in the breaks and maybe at lunch or
or after hours.

SPEAKER_01 (10:30):
Well, there's always at least the one student that is like AI can do this for me, right? So you can go a debate with Alexis at lunchtime.

SPEAKER_05 (10:38):
You'll see me, you'll see the smoke from my
ears coming out in the back.

SPEAKER_01 (10:42):
Um, another training opportunity I want to mention, but first, full disclosure, I do currently work for Hexordia as a contract trainer. I have been um doing my co-teaches so that I can be a uh part-time teacher for Hexordia, but I did want to mention one of the classes that Hexordia is providing.

(11:03):
So I recently had the um privilege to attend the very first Hexordia expert witness testimony class. We did it online. Um, it is taught by an instructor, uh, two instructors, and one is an attorney. So we have law enforcement and attorney uh both teaching the expert witness testimony class.

(11:25):
It was a great class, in my opinion. We went through like all of the different types of hearings and court attire and court etiquette and everything you can think of, court types of things that you might run into as a digital forensic analyst, um, up on up on the stand. And then at the very end, we did a uh moot court or mock trial.

(11:46):
Um, I just really think that is very beneficial for people in the digital forensics field, especially if you're new to this and you've never testified. Um, it really gives you an idea of what types of questions you might be asked and kind of how to conduct yourself at a trial.

SPEAKER_05 (12:05):
There is such a need for this type of um expert witness courses and with a moot court components. Yes. Um we we we have I say we in the context of the full community, we train folks and then we expect them to be good at trial, at presenting. And you know, you're like, well, I took 20 hours of this, 30

(12:26):
hours of that, and and and how to use this tool, how to use that tool. Well, do you have you ever experienced a court room? No, have you ever been inside of one? Do you know where you go and sit? Do you know where you testify? Well, I saw it on TV. Uh, I don't think that cuts it, right?

SPEAKER_00 (12:40):
It is not the same.

SPEAKER_05 (12:43):
So so having courses that do that, uh, that kind of expose you to that um environment and what are the best practices in order to present. Because again, when we discussed uh the show, you can have the best arguments, all the the factual items on your side. And if you're not able to convey it, convey it clearly and in a credible manner so that the jury can not only understand it but

(13:06):
believe you, then uh you you're gonna you're gonna fail at at the mission. So uh highly recommended to look for those classes. It could be Hexordia's or any others. Um if you hear of any others, let us know, and we'll be happy to also uh make them uh known to the community.

SPEAKER_01 (13:20):
Yeah, I have actually seen one on NW3C's website, but I haven't seen any dates for it up there yet. So hopefully they'll run theirs again as well. Um just one more thing on that. So when I very first started in forensics in uh 2015, uh Lieutenant calls me in and is like, okay, what type of training do you want? And my my number one was I want some kind of training in how to

(13:42):
testify. He's like, Oh yeah, we'll find you something. Yeah, uh, there was nothing that I know of, and I don't know if they actually looked for anything for me, but I didn't get the training and I went for one of my very first trials, a homicide trial, and I got there and I had no idea what I was doing. And the prosecutor was an old man and he was so nice, but he

(14:03):
handed me um a page of questions he wanted to ask me from a Wikipedia page that was not meant for a mobile device examination whatsoever. And I immediately panicked and had to sit down and write my own questions. So um training in that would have been helpful before I sat down and wrote my own questions.

SPEAKER_05 (14:23):
Well, I mean, the fact that you have to write your own questions, people will be like, what? That's actually not that uncommon.

SPEAKER_00 (14:29):
No, it's not.

SPEAKER_05 (14:31):
I mean, you're the technical expert, right? So you you cannot tell your stakeholders, your investigators, and say your your prosecutors, whatever, or your client if you're in this on the private sector. This is the detailed stuff, and this is what it means. And the best possible way to convey that knowledge might be this way. Of course, the the person doing the presentation, the lawyer,

(14:52):
will always approach it from the way they need to approach it based on the law. Right. But you can give them that heads up. So that's that's something that's it's see look, it's hard, it's hard being. This is my first testifying on a murder trial with no training. Yes, and I I didn't even know how to make questions here. You know what I mean?

SPEAKER_01 (15:09):
Yes. I will give the prosecutor props though. So I was so scared of how it was gonna go. He went in there and asked those questions as if he'd been doing digital forensics for two decades. He was amazing. I was like, where did you come from? A minute ago, you handed me a Wikipedia page, it was it was great.

SPEAKER_05 (15:28):
So welcome. Look, uh, what is they say uh uh preachers, uh politicians, and lawyers, which actually is a lot of overlap between all three lately. Um there is a lot of uh uh control of the stage and being able to act in a way and present themselves in a certain way, so it makes absolute sense to me.

SPEAKER_01 (15:48):
He did great, so but a little nerve-wracking, just a little.

SPEAKER_05 (15:53):
Yeah, no kidding.

SPEAKER_01 (15:56):
All right, so the next few topics for the podcast all have to do with Brett Shavers because he has been on a roll with his blogs and sharing of information uh to the community. Um I'm gonna start with a page that he put up on LinkedIn recently that has free uh DFIR test images and industry tools

(16:20):
to analyze them. He stresses that real learning comes from analyzing, comparing tools, and documenting your findings, not just collecting the data. And his key message was practice, validate, and understand how tools work, uh, whichever ones you use. So there is a page, and I'll put it in the show notes so everybody can go to it, but on Brett's uh DFIR Training page,

(16:44):
there's a section for downloads with test images.

SPEAKER_05 (16:49):
Yeah, and test images are so important. Uh like like Brett wrote, you have this output from your tool, and it says this is a chat. If you have no understanding of where it came from, you're gonna have some problems, right? And a good way of of actually interacting with your tools is you take a tool set that's known data and look at it through your

(17:12):
tool, see if it's missing something, see where it got it from, where the tool got it from. Um, I I just we discussed this in previous episodes where a tool will give you, let's say, the chats, the images, the timestamp, who's talking to who, but it will not give you um other fields, like for example, is this the administrator of that chat group? And that might be important.

(17:33):
But when you have a test image, you can see that, see what the tool shows, but then go to the source from the test image. It's data that's been already pre-populated for you, which saves a lot of time, and then see what else you might be missing from your tool, right? So experiment with those. I I use what we use, uh the folks that develop the LEAPPs, open source tooling for digital forensics for the community,

(17:54):
mostly mobile devices, Android and iOS, among others. We use these all the time. And I would hope, you know, every every time it's a new iOS, I'm hoping that that Josh Hickman, you know, throws you know, makes a new iOS image or when the new Android comes out because they're invaluable. So many artifacts that we created to the tool based on that test data that folks like Josh Hickman put out.

(18:17):
So uh uh I I wish I was a millionaire because I would pay them just to make test data for the community.

SPEAKER_01 (18:22):
Yeah, so his documentation is out of this world. Um, I I do test data too. Uh I don't have it up public, but I do test data and my documentation, like sometimes I just forget to write down if I sent a message or placed a call or deleted something. His is spot on. It is like everything he does with the phone, including

(18:42):
turning the volume up, powering it off. Like he's very, very detailed um in his documentation.

SPEAKER_05 (18:49):
So before I say something else about Josh, because he wants his articles to help me this week. So I take the advantages, uh, the opportunity to say that before that, Kevin is saying that he has that's why he has an archive of CTF images. Same thing, it's data that's been populated for the CTFs, and sometimes it's apps that might not be that um like that common because it's it's good to um put some throw some curveballs in

(19:10):
some of the CTFs, but you learn from it and also you support that at whatever app that is. Uh, I remember an app that was obscure. I was I think I mentioned it in a previous episode on a kidnapping, and uh nobody knew nothing about it, and I made parsers for it, and it ended up being Discord, which I think is

(19:30):
a pretty popular app now. Yeah, but back in the day, nobody knew what Discord was. Maybe it was kind of starting to be uh common for some from gamers, some specific games, but nobody knew about Discord, and now Discord is everywhere, so you never know, right? So it's it's good to have those. I was gonna say quickly um Josh had an article on how to look at uh some Signal clones in a sense, um encrypted chatting

(19:54):
applications, and how you can go about getting the IDs or the initialization vectors and the different uh hashes, how to decrypt things to get the passwords that you need or passphrases that you need to open those databases. And I was reading his article, I was able to get some of the values from the key store in Android using tooling, and I was able to decrypt the Signal database um you know, quasi.

(20:14):
I gotta say quasi manually because I still depended on the key store. Yeah, but at least able to decrypt it that way. The the point with that being it it helped me in a case because in this case, for whatever reason, none of my tooling was giving me it was not parsing the extraction. The expassed extraction was good. I don't know why, because I ran it on ALEAPP and it ran. You know, I just want to throw that out there.

(20:36):
So ALEAPP, ALEAPP got all the stuff that I needed, but I was able to tell through ALEAPP that I was missing Signal. So I went through the process and and Josh's article and test data and all that helped me quite a lot. So I I guess the long story short, try to be connected to the community, read blogs like Brett's that will keep you up to date on what's going on on Josh and the like, and use your

(20:57):
forensic images that are free, you know, test images, and try to strive to learn. Whoever tells you, I don't need training, I don't need to learn new things, the computer will do it for me. I will press a button, AI will come and do my job. Well, maybe AI might come and do your job and then you know leave you with no job. Yeah, if all you do is that, right? So you gotta you gotta grow yourself. Um, Brun is here, uh uh Bruno.

(21:20):
That's not the Bruno I was I was thinking of. But hi.

SPEAKER_01 (21:25):
Um besides just the test images and um and tools on the site, if you just go to the DFIR Training site, there's also access to the blogs that Brett writes, um, and access to other articles. Uh, there's also uh upcoming trainings, uh big list of upcoming trainings from all the vendors and any any trainings

(21:45):
that you can find.

SPEAKER_04 (21:47):
Oh, absolutely.
Absolutely.

SPEAKER_01 (21:50):
All right, we're gonna continue on with Brett because he has written like 15 blogs this week. I'm over exaggerating, but a lot of blogs since the last um podcast. So there's a couple that kind of go together. Um, there's one titled There's a Lot More to a Trial Than You May Know, even if you have testified a hundred times.

(22:12):
And another one called This Case Almost Made Me Quit DFIR. It should have made the news. And Brett is recounting um a corrupt case where evidence vanished. This is according to his blog. Evidence vanished, officials lied, and judges ignored the proof, yet they still won. So his takeaway in these blogs, or what I what I narrowed it

(22:34):
down to as his takeaway, is in digital forensics, truth alone doesn't win, airtight documentation and procedure do. He urges professionals to make their work defensible under pressure and invites them to his webinar on how to survive legal and institutional challenges through solid reporting and evidence handling. I'll let you go.

(22:54):
I'll give the details of that webinar here at the end.

SPEAKER_05 (22:58):
Uh, that's it's it's really uh it's really tough uh emotionally for me because I I don't want to believe that and again I cannot talk from the government side in a sense, us being uh a representative in that sense. It's hard for me to accept that that folks in in positions of authority tasked with prosecuting crimes will let

(23:21):
their biases run rampant, right? And again, I don't know the details of this case, so I'm not I'm not speaking to this case, okay? I have no even Brett himself doesn't really tell us what the case is.

SPEAKER_01 (23:31):
I know I have a hundred questions when he does the webinar. I'm hoping it's some kind of live thing.

SPEAKER_05 (23:36):
Yeah, so so the article doesn't tell you what case is. So I want to make that clear. I'm not talking about anything specific, okay? No case specific. I'm not pointing my finger at nobody. I'm talking about in generalities, right? Um, that so it's hard for me to see that we let our biases, and that's tough because we we want to say, well, I have no biases. I come against no biases are there, right? And if you don't start recognizing that you have

(23:56):
biases, that you're biased in a certain way, you will not be able to fix that bias to neutralize it. And how do you neutralize it? Power that is what Brett's saying is by following proper procedure, following and keeping the evidence based on the scientific way of doing things. The scientific method takes away that bias.

(24:18):
Okay, and even if you're talking about your understanding of what something means, you need to then, like science does, peer review that. If I'm if I'm gonna go to the case agent, hey, what do you think about this? And the case agent is already married to the idea that a particular person is guilty. Well, what do you what do you expect to hear?

(24:39):
Do you expect to hear any you know third unbiased opinions? Like, of course not, right? And okay, I'm not saying go and make your case public. I guess what I'm trying to say is have a support system within your labs or in your organizations when you can actually present things and expect constructive criticism and criticism that will take you to task when when something just

(24:59):
doesn't feel right. Okay. Um I will say more. So again, we as examiner, we don't control the whole case. I don't control the behavior of the prosecutor, I don't control the behavior of the investigator, I don't control the behavior of the lawyers, I can only control my sphere. I want to make sure that my evidence and my procedure and my ethical manner is correct.

(25:21):
And we and this is the thing for me from last year, right? Attention to detail, right? Um, make sure you have your probity, your moral uh character, and your due diligence. Those are the three main things, right? I say that because somebody might do something in your case that's not appropriate, but you have the truth on your side, right? You have what the facts are, and sometimes those errors or those

(25:44):
misguided uh actions might be taken care of by the judge in a certain way, okay? And that doesn't mean that the case will flounder. Make sense? But if if we have problems on one side and then problems of the other side, and then you are also a problem, well, the case the case will totally fail, right? And and the idea is to make sure that the truth gets out there so

(26:08):
the truth can actually set people free, right? Either set free the victims, right? Or set free uh a person that's guilty. When I say set free the victim, it's by giving the proper punishment to those that are guilty. That sets the victim free in a sense, if that makes sense, right? So there's freedom in truth, either way. Yes, that's I love that. So but you gotta make sure that you want to say that you're

(26:29):
really focused on your peace. If you see something that's not right, again, your probity requires you to call that out, right? And make sure you interface with truth at all times. And uh don't go on the assumption that everybody will have those three qualities that you're striving to. Um, because they might not. And it don't matter if it's in law enforcement, civil. Um, we are our brothers' keeper in a sense for borrowing

(26:53):
borrowing a uh uh religious analogy here um to make sure that the job gets done.

SPEAKER_01 (26:58):
Oh yeah, by reading this, it sounded like a civil case anyway, uh, too. So I mean, but may have started differently. I want more details. I need to talk to Brett about this because I read both articles and I I just really want to read the entire case. Well, no, I don't know if it's available, but I would love to.

SPEAKER_05 (27:15):
Um, I mean, uh I would assume, right? If it's in court, it has to be open. But right again, again, we'll see what the webinar says because I need to sign up. But um uh I was gonna say that um um oh see now I lost my final thought. Okay. Okay, I remember now. It don't matter, right, if if you're in civil court or if

(27:37):
you're in in uh in criminal court, the system is adversarial, right? The system, the idea is to really put the two competing ideas and fight against each other to determine where reality lies, right? With that really uh deep and and and sometimes hard, harsh uh contrast and and clash, right, between the two points, right?

(27:59):
Don't worry about that. So sometimes we worry about well, I want to win. No, you don't I don't care about winning. I don't care about that. I don't uh the only thing I care about is to for the facts. This is what happened. I follow the process, my biases are only for the truth. And when that clash happens, you don't have to be worried about it. You don't have to care. You're right if you if you have the right on the correctness on

(28:21):
your side and you're presenting it in the best way possible, then things will fall where they fall, right? Um, but that's important. If we don't do that, we don't strive to do that, our biases will creep in and we won't even realize it. It it gets so bad that in some cases that I've seen in the news, either side, whatever side it's arguing for something, even when presented with facts, they still cannot accept it.

(28:46):
Right? It becomes so personalized when we have opinions about things, right? And we feel uh attacked by truth when we have an opinion. Well, do you don't need to have opinions, right? Yeah, and don't have an opinion about it. Go for the facts, go for what is and let it be.

SPEAKER_01 (29:02):
Yeah, definitely.
So the free webinar uh coming up is called Fighting City Hall: DFIR Lessons from a Pro Se Plaintiff.
It is Wednesday, November 12th from 11:30 to 12:30 mountain time.
Um, you can register for it on the site that I have up on the

(29:23):
screen, or it'll be in the show notes if you want to go get it from there.
It is free.
Uh free registration for this webinar.
So check it out.

SPEAKER_05 (29:32):
I I want to say something, and again, I'm I'm really it it to me it's totally um clear.
So it's been said that anyone that has himself or herself for a lawyer has a client, has a fool for a client.
Have you heard that?

SPEAKER_02 (29:46):
Yes.

SPEAKER_05 (29:47):
Well, actually, I love it because Brett totally is the exception to that rule.

SPEAKER_02 (29:51):
Yeah, that's true.

SPEAKER_05 (29:53):
And it and if you don't know Brett, you'll be like, he's nuts, but I know Brett, and I and that makes sense to me.
He he literally, you know, kind of represented himself.
To the process and and won.
So that tells you the type of character this guy is.
So I'm really looking forward for this uh this uh webinar about um you know and uh what but the content that he's gonna bring.

SPEAKER_01 (30:12):
Yeah, me too.
I hope I can make it while it's going on and ask questions.
But if not, there's also a note on the site that it'll be still up and available to watch if you miss it at that time for 48 hours.

SPEAKER_05 (30:22):
So there you go.
Go go watch it, do it.

SPEAKER_01 (30:25):
Yeah, definitely.
All right.
So again, Brett was on a roll, so uh, we have more blogs.
So um I Was There When Digital Forensics Lost Its Soul is one of the blogs that Brett wrote recently.
He's arguing that um DFIR has drifted from its investigative roots into a credential-driven, tool-focused industry.

(30:48):
Early forensics was built by investigators seeking truth, now schools mass-produce technologists who can parse data but not interpret behavior or defend conclusions.
So he's blaming profit-driven education for replacing judgment with checklists and confidence with credentials.
Um, I definitely have lots of opinions on this one.

(31:09):
You go first.

SPEAKER_05 (31:12):
Uh see, the the thing with automation, no matter what what type of automation is, it don't care if it's LLMs or not, they will skip the skill you.
The skill.
And and that makes sense, right?
Um, you know, we don't use horses anymore, so we use cars.
So don't ask me to change a uh a shoe for a horse.
You know, that's not that's not happening, right?

(31:32):
And I'm being kind of facetious about it, but the point is, yeah, tools are good, right?
But at a certain level, we need to keep actually make time to keep our foundational skills.
Because the part that the vendors and the schools and the colleges and the degrees, the part that they don't tell you, or at least they don't they don't do it as much as they should, is that when the abstraction, because these tools

(31:54):
are abstractions, here's the data on one side, and here's the results on the other one, and you're not looking at the data directly.
The tools in abstract in the middle, right?
Those abstractions will fail you.
Imagine yourself, you have your data, and then you have a tool and you have AI on it, and you ask AI, and then you have a result.
We have four or five levels of abstraction from the actual

(32:17):
data.
And if you don't have the ability to remove as many abstractions as you can, you won't be able to come to conclusions about the data that are proper, either to verify or verify, verify, or validate the tool, or again, verify the actual data you're talking about.
Of course, I cannot remove every abstraction.
I can't be like, well, let me look at the zeros and ones

(32:39):
directly, you know, or the electrical charges on the hard disk.
Like, and I can't, I can't do that.
There'll be some abstractions I cannot do manually, but remove as much as you can.
And we're not doing that, we're not teaching that.
Actually, actively I see folks in different labs and organizations arguing against foundational training, and I can

(33:00):
take it, it drives me nuts.
If you don't want to learn foundational things, what what do you want?
Just just where do I hit go and where do I hit print?
I need you when the print or the go is not enough.
When I tell you as an investigator, I have the X, Y, and Z app, you can't come to me and say, Well, the tool didn't

(33:21):
show me anything.
No, I need you to go in and go get it.
You need that foundational training.

SPEAKER_01 (33:26):
Well, the find evidence button isn't good enough.
Come on.
That's all I do.

SPEAKER_05 (33:32):
Oh okay, I'm gonna okay, so I'm gonna kick you from the show right now, and you're not allowed to come back until you renounce that heresy.
You're a heretic.

SPEAKER_00 (33:40):
I take it back.

SPEAKER_01 (33:44):
Yeah, no, I couldn't agree with you more.
The foundational, uh, the foundational stuff has to be there.
And I think in the blog, one of the one of the points Brett makes, the that I just absolutely agree with, and I always agree with this, and I think I've said it a hundred times, probably already a hundred times on the on the podcast, is the education, um, the colleges, if you're going

(34:06):
for a degree, those foundational uh teachings should be in your digital forensics degree.
It shouldn't be stuff that is 800 years old that doesn't apply anymore, and you know, we just haven't updated the curriculum.
I just feel like we're lacking in the education department.

SPEAKER_05 (34:25):
Well, as students also need, I mean prospective students need to be uh good consumers, and that applies that applies to everything, right?
Especially now.
Um, oh, it's a degree from whatever university.
Oh, I got it.
Where's my job?
No, you got to be a good consumer.
Look at the syllabus, go to talk to folks in the field.
Hey, does this look good?
Is this something that maps to the skills that I will need to

(34:46):
do the job that that you're doing?
Um, and you know, do your research, real research, before you jump into a particular certification or course because they will take your money, but that doesn't mean that what they teach you is gonna be you know comparable, equitable to the money that you put in, right?

SPEAKER_01 (35:02):
Yes, my student loan payment proves what you just said.

SPEAKER_05 (35:06):
Oh well, again, good thing that you're uh uh uh a self-driven person.
So you you're way beyond that degree or any other degree.

SPEAKER_02 (35:14):
Oh well, thank you.

SPEAKER_05 (35:16):
And I wanna I want to add something else also.
Um in terms of the abstractions.
I think it's a concept that that folks never heard or don't think about.
I think we should think about it more.
Uh the more we think about the reality of the world, which is what we're trying to discover through digital means, the more tooling, the more things we put between us and that recording or

(35:36):
that witness evidence data, the harder it will be for us to say something that's not filtered by that abstraction.
Okay?
And and philosophically, we need to start thinking this way because that will make us not independent of the tools, we'll be the we'll depend on them for sure, but you will be able to

(35:57):
then look at the data in a different way.
You'll be able to find avenues of investigation that the tool won't show you because the tool only abstracts in the way that it's programmed.
If you like Brett's saying in his article in the previous one, right, if you don't understand where the stuff's coming from, how is it stored, how the computer goes about to getting things, right?

(36:17):
You will not know what you don't know or you don't need.
For example, we were we've been telling um some vendors in the space that we need LevelDB viewers, and nobody cared for many years because vendors apparently thought that the only viewer they they that we needed was SQLite.
Yeah.
And we're like, no, we need LevelDB, and we're you know moaning and asking and asking.
And now I can see some vendors, I've seen vendors recently

(36:38):
adding some LevelDBs.
What does that mean?
It means that if you're here listening to me and you don't know what a LevelDB is, that means that you're losing a lot in your investigations, right?
The abstraction of the tool that only puts out at least now they have a viewer.
Before how many cases you have LevelDB stuff that might be useful?
Well, you don't know because you didn't know what you didn't know.
So I again think of tools of abstractions, which means you

(37:02):
will always miss something if you solely depend on the abstraction.
Try to get as close to the source of the reality as you can for the things that matter.
Because I can already hear people saying, Oh, breaks things I have all the time in the world.
Like I have I'm sitting at my house at work just doing nothing.
You know, I have 50 computers to go through.
I get it, and 20 phones, I get it.

(37:22):
I'm I'm I'm on the field with you, man, and gal.
I I I'm I'm in I'm my hands are dirty.
I I did so many computers this week on phones, anyways.
But what does that mean?
It means that if you think that the tool gave you something that's really important for your case, you need to go and go beyond the abstraction.
If the investigator tells you, you know, a lead of, hey, look,

(37:43):
these apps were involved, or these conversations had this content, then you have to get a step out of the abstraction and go for those.
That's communication is important.
If you have particular tasking from your stakeholder, be it your lawyers, the board of the company, or a prosecutor, again, you gotta go outside of the abstraction to be able to accomplish that tasking.
So at least my takeaway for this episode think of tools of

(38:06):
abstractions and how you need to, at a certain level, go closer and deeper to the source data to get the results that we need.

SPEAKER_01 (38:15):
Definitely.

SPEAKER_05 (38:16):
Sorry, I'm out of my box now.

SPEAKER_01 (38:17):
No, you're fine.
No, I have more blogs from Brett anyway.
Two more.
I only have two more.
Um, so the next one is The End of DFIR again.
So Brett says every few years people claim digital forensics is is dead.
First encryption, BitLocker, cloud, now AI.
None of these killed the field, each forced it to adapt and

(38:39):
evolve.
Um AI, however, is different.
It can create that fake evidence, deep fakes, uh, false, all kinds of false fake evidence.
Um but Brett insists that forensics will survive through its usual cycle of fear, adaptation, expansion, noting that AI won't kill forensics, just expose laziness.

SPEAKER_04 (39:03):
Yeah, I I that last part is key.

SPEAKER_05 (39:05):
It's it's so key because the future, the AI, and so again, when we say AI, we talk about generative tooling, right?
LLMs, things that are um indeterministic, okay?
Um, that's gonna be a lot of change that we don't really know how it's gonna play out.
Um, and I say that because the only thing that generative AI can guarantee is inconsistency.

(39:27):
That's that's just fact.
And you if you like LLMs and you're like me uh saying that, I'm gonna say it again.
You can only guarantee inconsistencies.

SPEAKER_01 (39:35):
You're gonna get some hate mail.

SPEAKER_05 (39:37):
More.
So that's where the laziness comes in, right?
It will generate an inconsistency and the lazy person won't catch it.
And and then what, right?
Uh you you're gonna be you're gonna be called out or let go or whatever.
And and again, that's assuming that that you're using uh your LLMs in your investigative process or actual accessing evidence.
I don't believe that we should uh have LLMs go through data.

(40:02):
It's a philosophical um how can I say this procedural standpoint.
I know of tools, and I'm not criticizing tools that actually do that, right?
Because I don't want to be misconstrued, right?
Um for example, I'm gonna say this real quick Yuri from uh Belkasoft, we had a great uh conversation in LinkedIn debating the pros and cons.
It was so good, I think it made it to some present really

(40:22):
presentation, some yeah, yeah, some presentations and some screenshots you put it out there, like our debate, right?
And look, I don't I'm not we had a great, you know, it's a friendly, it's a debate.
We heated but friendly, because you know, I like the guy and we like each other and we're colleagues.
But I'm not putting hate on him or vendors that put the thing on the LLM on the tool to access the sort the uh the evidence.

(40:43):
They're they're allowed to do that, right?
Now the question is what are you gonna do about it?
Do you have the procedures to do about it?
And if you do, then again, you will have to account for yourself, right?
My opinion is that I don't think the LLM technologies are at the point where I want them accessing directly my evidence and giving me inferences, because that's what it does, inferences from my evidence.

(41:04):
That's my position, right?
I'm not saying that I'm right and Yuri is wrong, or vice versa.
I'm not saying that.
This is something that everybody needs to be knowledgeable to come to their own conclusions until the point comes where either the community or your own organization will set some rules, right?
Why will what I would like to see?
I would like to see organizations say, if you're using generative AI, it needs to be disclosed, either on the

(41:25):
report, well, not either, on the report and through discovery methods, right?
And I want to see your prompts.
The prompts will be part of discovery in the same way that if I have a list of search terms should also be part of discovery.
Because taking into account that this indeterministic procedure is influenced by the prompt or the question that you're making

(41:47):
to it, right?
So, what does that say about me as the investigator?
That should be describable, that's my opinion.
And somebody may have a different opinion.
And if the industry agrees with my opinion, then this is something that will be imposed upon you, then you have to do it no matter what.
But we're not there yet.
So I I would encourage people to think about these things.
If you're gonna use these LLMs, be really careful about it.

(42:08):
Because if you're not, like Brett says, is it's gonna out you out in a really bad way.
And if it affects your case, uh I I cannot even imagine repercussions, not only to you, like like Heather said, but to justice itself.
And we don't want that to happen.

SPEAKER_01 (42:23):
Well, and those prompts, uh, what if they're outside of the scope of the warrant?

SPEAKER_05 (42:27):
Yeah.
Oh my goodness.

SPEAKER_01 (42:29):
Should definitely be discoverable.
We should not be asking AI things that are outside of the scope of a warrant ever.

SPEAKER_05 (42:34):
Well, and I heard people saying, Well, but it might be, it was, but I was gonna find it anyway, like it was unavoidable.
And I forgot what the the term the legal term for that is.
And and you know, I I get that, but do we really want this all-knowing eye?
I say all-knowing, but this thing that will eat up all this evidence and can lead you either astray or in a direction that's not allowed, and say, well, it's an unavoidable discovery.

(42:57):
Um, that's that's a really shady, for my opinion, backdoor to the privacy rights and the controls that the judges have upon what are you allowed to look now.
Don't get me wrong, and actually let me say something about this real quick with abstractions again.
My day think today's abstractions.
Sometimes our our stakeholders will take our abstractions and

(43:20):
misinterpret them and then give us certain limits, right?
For example, lately I've been seeing a lot of stakeholders telling me, Well, here's your extraction.
I only want you to get stuff from this date to this date.
Okay, so how many so we got modified dates, creation dates, access dates?
So what what if what if four of the four, three are outside of

(43:42):
the time range, but one is?

SPEAKER_01 (43:44):
They usually are.

SPEAKER_05 (43:46):
So which one am I is the create it?
But okay, what about if it's a file that has uh all those timestamps, but inside of the file, say a database, there's like a million entries with a different million timestamps, right?
So how do I go about that, right?

SPEAKER_01 (44:00):
Um or the files that have no timestamp.
Oh, it's there, you just have to go find it.

SPEAKER_05 (44:06):
And it might be evidentiary, but no timestamps, that means I'm not gonna even address them.
Like they like they're not there.
They're invisible to me.
And that's tough because the abstraction has kind of wrongly uh taught our stakeholders that oh, everything has a timestamp and it's one, and you can filter through it and get an accurate thing, accurate in my mind of what I want, right?

(44:28):
So it's it's it's tough, right?
We need to make sure that that we take those nuances up to our stakeholders so they can actually give us the proper parameters to do the search and still respect the constitution, still respect the privacy rights of of whoever or whatever it is that we're working on, right?
Um, and and don't look for excuses to to not follow the the

(44:50):
the get directions you've been giving, right?
Um we need to think about those things, it's part of of why we're here.
Definitely, and why the LLM will never take your place if you're doing the right thing.
There.
There you go.

SPEAKER_01 (45:04):
All right, last Brett Shavers' uh blog, and this one is my favorite.
So uh a couple of weeks ago, Alexis put up a um a post about deleted artifacts marked as deleted and why it's a loaded word.
And Brett uh got involved in the conversation in the comments.
There was there were quite a few comments on the post and uh

(45:27):
wrote a blog about it.
So this one is uh entitled How to Wreck Your Report, Affidavit and Testimony with One Word.
So he was expanding on Alexis's post that deleted is a loaded word.
He explains that using deleted carelessly in digital forensics, reports, or testimony can imply intent instead of simply describing a state which can destroy credibility in court.

(45:51):
Um, in technical tools, deleted may mean different things.
It could mean system cleanup, cache removal, um, many different things, and not necessarily that the suspect intentionally deleted something.
So uh Brett in his blog was urging examiners to use precise, defensible language like previously existing or marked

(46:11):
deleted um to define what deleted data means.
And the takeaway was be exact with terminology.
One vague word can shift a case's perception and damage an expert's reputation.
Precision in language is a vital is as vital as precision in analysis.

SPEAKER_05 (46:31):
Digital forensics is the realm that has the most overloaded terms ever.
Okay.
And I picked on on deleted, and I'm so happy that Brett also decided to expound on my comment because Brett is such a great communicator, right?
It's uh 10 times the communicator I will ever hope to be.
So I do appreciate his input.

(46:52):
Um, look, let's say they tell you, accusing you of deleting purposely some important piece of item of evidence from your mobile device, and until you deleted that information and you're like, I didn't delete anything, right?
Well, what what happens if the information was contained in the record of a tab of a browser, right?

(47:15):
Can you delete a tab in the same way you delete the history of your browser?

SPEAKER_02 (47:20):
No.

SPEAKER_05 (47:21):
No, I mean you don't delete tabs.
What do you do with tabs?
You what?

SPEAKER_00 (47:24):
Close them.

SPEAKER_05 (47:24):
You close them, right?
Now the database will record that entry as deleted, right?
But then that's the overloadness of the word.
When you go to court and people are not technical, and they want to use the word deleted, meaning intentional user, you know, attribution to that as a malicious thing that you're doing to obscure some activity.

(47:47):
And the technical term actually means when data is not referenced anymore, let's say by a pointer or referenced by a uh a file system or within the database itself, right?
It's one word for the two things.
Now what?
We we need to be aware.
You can't just assume I use the word deleted without that context.
That's why Brett encourages us to say more to make it clear

(48:11):
what the word means and how the meaning might change as the context changes.
Because that switcheroo is something that lawyers and people like that are really skilled on.
So if you have to understand your terminology and know what it means in one context and what it means in another.
And it's not the only one.
We talk about unallocated.
Well, what's what unallocated mean, right?

(48:32):
Depends on that, on that context, right?
Even when you speak about unallocated, and does it have timestamps?
Well, it depends, right?
If it's unallocated from the file system perspective, no, but a file might have a timestamp within it, even if it's from unallocated space that I was able to carve it out.
I mean, there's a lot of nuance there, and that's why, and in

(48:53):
some training that I've gone through, we have they have a portion called tech terms, which I love that they had the examiner learn a whole bunch of terms, um, you know, what's unallocated, what's deleted, what's uh parsing, what's whatever it is, a lot of terms.
And then you have to present and and and present those to a panel.
And the panel will ask you questions about that term, and I

(49:14):
love that because it really forces you to understand the term at a deeper level and with analogies to make that clear.
And me as a questionnaire, I've been part of those panels, I try to break break them down a little bit.
I mean, not in a mean way, but kind of push them a little bit in regards to changing the context of their how they're defining something.
And so I could see how they can instruct me on, oh well, this is

(49:37):
true, but in this context, it has this other additional meaning, which does not apply to the discussion we're having now.
Make sense?
So that's something that maybe you can think of your training scenarios, add a list of 50, 100 tech terms so people can start learning to how to manipulate, not manipulate, but uh explain better in those terms, independent of that context.

unknown (49:55):
Yeah.

SPEAKER_01 (49:56):
Uh Mark from Arsenal put a comment up.
I'm gonna put it up.
Um, I was in back-to-back depositions with expert witnesses claiming the EnCase Recover Folders function recovered files and folders deleted by the user.
They were both eventually bounced from the cases.

SPEAKER_03 (50:11):
Yikes.

SPEAKER_01 (50:13):
I mean, as they should be, and just luckily it, you know, it wasn't one of us.
You know, um, but they should be.
I mean, understanding that, I mean, I I would I would consider that one of the like foundational things that we need to learn when we very first start in the digital forensics field, and understanding that and being able to explain it,

(50:34):
then we don't run the risk of being bounced from the case like like these two.

SPEAKER_05 (50:38):
Well, and and Mark's comment really adds what Brett said at the beginning with this, right?
When he was saying you need to know your tools and actually understand when they use recover folders to describe something the tool pulled out, you need to know what that actually is, right?

SPEAKER_02 (50:51):
Yeah.

SPEAKER_05 (50:52):
In order for you to be able to intelligently speak about it.
Yeah, so that's the first thing.
And if if that the word recover and folders has a lot of meaning, the word folders has a lot of meaning within file systems, and it could be represented itself differently from file system to file system.
If somebody tells you, yeah, I know what file system is because one time I did FAT16, I know everything about file systems from now on, no matter what, you but you're nuts, right?

(51:13):
No, every file system is different, and what it means is different.
How you recover it is different.
So you need to understand what that means to your tool if you're using that tool.
If not, you bounce from the case.
That's that's a really like you said harsh, but a fair, fair punishment.

SPEAKER_01 (51:30):
It is.
I mean, that's the difference of somebody um potentially going away to prison for something the crime they didn't commit.

SPEAKER_05 (51:39):
I mean, I'm okay.
Well, you you're saying that this particular artifact, this tool, is user is user-attributable when file system and the and the operating system, say property, the operating system itself moves these folders around willy-nilly all the time, right?
Especially on phones.
Uh for example, in iOS, if you take an app and you you just

(52:00):
updated it, and always updated, it's fine.
It takes the data folder, so where the stuff that you did was, it takes the app folder where it is, it takes uh a couple more folders, which are right now.
I top of my head and remember what they do, and it takes the data, nukes those folders, creates new GUID name folders, and then puts the stuff in there.

(52:21):
Yeah, totally brand new.
All those other folders that you had or the structure you had, they're gone.
When you update it or when you uninstall it and reinstall it, though all those GUID changes, right?
I did I meant to do that.
Did I know that the my operating system is gonna delete all those directories and make new ones to put different things in there?
And uh of course I don't know that as a as the user, but me as

(52:46):
the examiner, I need to know that because now I can go to mobile installation logs and look at a history of those folders being created, not created, and it tells me about user activity when the app was installed, when the app was deleted, when the app was uh updated, and how that looks, right?
You need to have that understanding.
You can't just press a button and then like like you like Heather says, forensically guess what's the meaning of recovered

(53:10):
folders on your tool.
Oh no, that's that's really bad news.

SPEAKER_01 (53:14):
I am not a fan of forensic guessing.
You could do it in your office with your door closed, make that guess, and then figure it out.
Don't don't publicly announce your guesses.

SPEAKER_05 (53:27):
For sure.

SPEAKER_01 (53:28):
Uh so yeah, so um, I mean, Brett, amazing writer, and we just had to cover all of the wonderful content he's been putting out lately.

SPEAKER_05 (53:38):
Yeah, it's all it's all it's all love for Brett at all times.

SPEAKER_01 (53:42):
Oh, you made it do it on the screen.

SPEAKER_05 (53:45):
Yeah, for those of that didn't see it.
I also had hearts, really hearts coming out of my of my person here for Brett.

SPEAKER_01 (53:52):
Um, all right, let's shift gears and let's look at some tools.
Uh, we have a tool update and a tool release that we're gonna cover quick before the end of the show.
So the very first um is the update.
Rabbit Hole had a recent update.
Last um last podcast, I mentioned that Rabbit Hole had

(54:12):
an announcement to make, but nobody knew what the announcement was.
Um during our little break here before the this podcast, the announcement came out, and Alex Caithness recently reported the release of Rabbit Hole version three.
The standout new feature of version three is its ability to recover deleted data from SQLite databases.

(54:33):
Recovered records are rebuilt into a database so you can rapidly and effortlessly explore, query and report on them just as if they were live.
So I'm sharing my screen here and I have Rabbit Hole up, and I'm gonna open up um a little database that I created earlier today.
Let's see.

(54:56):
Let me find it.
Oh, there it is.
Password.
Rabbit Hole recognizes that it's a SQLite database.
I'm gonna choose it.
And now we have, let me do a little zoom here.

(55:19):
There we go.
There we go.
Now we have the database with passwords.
I have five passwords in my database.
And if you take a look at the underscore ID, uh I have one, three, six, seven, and ten.

(55:41):
So that is because I deleted some of the passwords in my password database.
Alex actually has a video that he did showing other features, but I'm gonna show the data recovery portion.
So let me back out here.
So this is the data recovery portion.

(56:01):
Um, my database is already loaded in.
So all I need to do is hit analyze database right up here.
When I hit analyze database, I can pick which table I want to analyze.
I only have one table in this database.
I made it really simple so uh it wouldn't take too long during the podcast.
So I'm gonna pick the passwords table.

(56:22):
And you can see down here we have the passwords table, we have the different columns, and we have the types.
So what I'm gonna do next is just leave the settings by default.
You can change things to um have it not recover fields that have a null entry.
You can use um there's a regex setting here for the text where

(56:43):
you can set a regex on like specific data if you know what you're looking for.
Um, but I'm just gonna go for perform recovery.
Um I'm gonna do no to this.
It um it's telling me that's too general and could lead to a disproportionate number of false positives.
I'm just gonna go for the false positives.
That's where you would narrow your search a little.

(57:03):
So now if we open up into there we go.
The data now has these um additional tables here.
And if we look in this epilogue, because that's what that's what Rabbit Hole named it, composite table.
Let me zoom out here so you can see.
We have recovered entries.

(57:25):
Um, we have this is my other password, password one, two, three.
Give me your password now or else.
Give me your password now.
Not sharing my HBO password on this episode of DFN.
It's an important one.

SPEAKER_05 (57:41):
Well, first of all, um what a what aggressive passwords tease.
But yeah, you're not revealing.
Yeah, no, no, no, no hex passwords on the screen.

SPEAKER_01 (57:52):
So um, let's see.
So there are some invalid looking results from where the structure of some data in the database um file matched the signatures generated, but they're not quite right.
You can add validation to the signatures to reduce um the number of false positives, and that's back on the previous screen.
I'm just gonna show you what we get without adding those uh

(58:12):
those filters.
So I had deleted five passwords, and and here are the five passwords that I had deleted, and they came right along with the timestamps, and I did all the timestamps the same.
So um there's another table here that contains um metadata about how the records were recovered and where in the physical files

(58:34):
they can be found.
So we have here in this metadata column you can see the data sources, the database image, success, and it's found at offset 3975, page number one.
So we'll have these records here as well that help um determine where they're being recovered from.

SPEAKER_05 (58:55):
Alex is such an elegant coder.
Oh my goodness.
Uh yeah, he's good.
I love I love that he calls it epilogue.
I bet there's some story behind it.

SPEAKER_02 (59:03):
Oh, I'm sure.

SPEAKER_05 (59:04):
Yeah, but the whole being like, you know, after all this processing, look at all the things we have in this epilogue.
I just love the concept.
Um, I just want to say that you didn't salt or encrypt your password, so I'm highly disappointed in you.

SPEAKER_01 (59:16):
Listen, this was a nice little easy database to
just give a quick demonstration.
I was gonna pull in a database from an extraction, then I'm
like, ah, who knows if anything was even deleted.
So I just made my own.

SPEAKER_05 (59:29):
Oh, I I I just I'm just teasing.
Yeah, no, that's I know, I know.
This is a great example because you know, everybody you could
see or hear um how the tooling really streamlines this part of
the recovery process.
And there's oh we always get that question, was there
something else in the SQLite?
Well, tools like this one are are such a great uh way of
really doing that analysis.

(59:50):
And this is something that uh uh Rabbit Hole really needed.
And the amount of granularity that Alex has added to the tool,
I just love.
Love it.
You can really filter down and really focus on the things you
need with all the different uh knobs and turns that he puts on
the tool.
So I'm really excited for it.
Um, so and I'm I'm ready to use it and ready to use it.

SPEAKER_01 (01:00:13):
Uh yes, I've been testing it out.
So very excited to have that.
All right.
So next, oh, I want to say too about the Rabbit Hole.
If you've never tried it, um, go on their website.
I'll put the link in the in the show notes, but go on the
website, you can get a 30-day free trial.
Um, you're gonna want it afterwards, probably, but try it
for 30 days for free first.

SPEAKER_05 (01:00:35):
Um, see, see, let Mark's saying we want real
passwords, Heather.
Come on, you know, I'm so so so we can get your HBO again so we
can watch all the TV shows, please.

SPEAKER_01 (01:00:45):
No way.
Although I'm really playing with fire with this next demo because
I have my I have my personal phone hooked up to it to show
you how this next one works.
Because I left my Android test phone at work.

SPEAKER_05 (01:01:00):
So oh, this is gonna be good.
Look, if if you're if if you're listening if you're kind of
newest to the show and you don't know the inside joke, you gotta
look for the HBO episode, and so you can follow, follow along,
follow with the inside joke.
But yeah, go ahead.

SPEAKER_01 (01:01:11):
You can see how they're doing stupid things.
Um all right, Alex is released.
That is the Android Logical Extractor.
I think it needs a new name, um, but that's besides the point.
It's a go ahead.

SPEAKER_05 (01:01:25):
I think it's a beautiful, beautiful, totally uh
utility plus name, Alex.
Android, what was it?
What does it mean again?

SPEAKER_01 (01:01:33):
It is Android Logical Extractor.

SPEAKER_05 (01:01:36):
There you go.
Obviously, name in my honor.
Thank you.
Thank you so much.

SPEAKER_01 (01:01:40):
So this is uh created by Christian Peter and
it's available for testing.
Uh he he put a little note in it, so I'm gonna read his little
note.
He's been considering for some time whether now is the right
moment to make the repository public.
There's still some things he would like to integrate.
And if he waited for everything to be complete, it would likely
take months.
So there's no binary release yet.
Everything's still in the early stages.

(01:02:03):
So he expects that there will be bugs, and he's hoping that
people that are testing it out will provide feedback.
So if you test out Alex and find bugs, please report um and give
feedback to Christian on his GitHub page.
And the GitHub page will be in the show notes.
He also I want to make a quick note he also um recognizes

(01:02:23):
Mattia.
So many of the artifact our Android features are based on
Mattia's Android Triage, and I'll put the link to Android Triage
in the show notes as well.

SPEAKER_05 (01:02:34):
Uh real quick, Android Triage, I've used it
quite a few times, is the best ADB uh-based tooling that you
will find.
It will pull everything and anything an ADB can pull for
you.
Okay, so so keep that there.
The fact that now there is this um interface that's been built
through Alex makes it even better.

(01:02:56):
So uh do do check both out.

SPEAKER_01 (01:02:59):
So um really simple to run.
I'm just gonna do a command prompt here from the directory
where Alex is, and I'm gonna do python alex.py.
We'll give it an enter.
Just takes a sec to open.
Um prior to this, I installed the requirements that were
listed in the requirements.txt and also um platform tools.

(01:03:21):
But how to do that is right in the readme of the tool.
So it takes away any guesswork if you're not like super
familiar with using command line to install requirements.
So we see here that I have I already have my phone.
Um, USB debugging is on.
I've already trusted my device, I have it plugged into the
computer, and immediately upon launching Alex, I have

(01:03:49):
information about the device.
Uh Heather's Pixel 10, and then now you have all my MAC
addresses and how much space I use and all that good stuff.

SPEAKER_04 (01:03:58):
I love I love the little bar there, you know, kind
of showing how much space.
I love I love those details.

SPEAKER_01 (01:04:05):
I lost the magnifier.
There it is.
Okay.
So then here you can choose your output directory.
I have a little folder for Alex testing.
We'll hit okay and the options.
So the ops this looks a lot like UFade, right?
It looks just like UFade, but we have different options for the
Android.
So we have save device info, we have create a PDF report of the

(01:04:25):
that device info, and I'll show you those because I already
created them.
Um, the acquisition options, we have pull just the content of SD
card as a folder.
We have perform an ADB backup, we have a logical plus, which is
an advanced logical backup as a zip file with the UFD file ready
for Physical Analyzer and Cellebrite.

(01:04:46):
And then we have a partially restored file system backup
under logging options.
We have logcat dump, dumpsys, and bug report.
And then advanced options, which I love this option.
I'm gonna show it, are the take screenshots and the chat capture
and the query content provider.
So I'm gonna do I'm gonna do the chat capture.

(01:05:08):
I'm just gonna fancy.

SPEAKER_04 (01:05:10):
That's really fancy.

SPEAKER_01 (01:05:11):
WhatsApp.
I'm gonna do a WhatsApp.
Um, and we'll just Orlando.
I have a chat in WhatsApp that doesn't have any messages in it.
So it's my personal phone.
I don't want to be sharing all my messages.
People will see what I say about them.

SPEAKER_04 (01:05:27):
Yeah, don't don't put our our chat messages there
because you know there'll be people be mad at us.

SPEAKER_01 (01:05:33):
And now you can see.
And what it's doing is it's looping through.
The screen is actually moving on my phone.
I can see it moving, and it's just moving through an old
Orlando chat that we actually removed all the members from
because we're not using it anymore from IACIS, right?
But so literally you can see it moving on your screen, but I can
also see it moving here on my phone.

(01:05:53):
And as it's doing that, it's capturing screenshots and text
files, and I believe PDFs too, but we'll check it out because
it's gonna be in my folder.

SPEAKER_05 (01:06:01):
That's that's so is that I get so I guess it works
with some apps, it doesn't work with it.
Do you know?
I mean, I'm just curious because this functionality is so useful.

SPEAKER_01 (01:06:10):
I've only tried WhatsApp and um I might have
tried signal as well.
I've only tried WhatsApp, we'll go with because I don't remember
if I tried Signal or not.
Um so I canceled it so we could go back and I'll show you what
that looks like in the folder here.
Uh let's see.
So I put my Alex testing here on this drive.

(01:06:33):
And we can see here, I did I did all everything the tool would do
earlier.
I did with one of them.
So we have the backup ADB, the dump state, we have the um
here's I'm just gonna actually open up one of the reports.
Let me move it over.
But this is one of those reports, and you're gonna see
all the apps I have.
We'll go through them fast.

(01:06:54):
So we've got the Alex device report, Heather's test phone,
all my information, and then all the apps I have on my phone.
Right with the versions.
So if we need to create some test data, we know the version
of those applications.

SPEAKER_05 (01:07:08):
Look, Christian says it should work for every chat
app.

SPEAKER_01 (01:07:11):
Oh, beautiful, beautiful.

SPEAKER_05 (01:07:12):
That's um, I mean, can you imagine?
So let's say you have a phone, you're able to get the the
pinko, right?
But your tool is not supporting a full file system.
And what you want is a particular chat or series of
chats, just go and get it.
This is this is so useful.
I just I just love this.
Or or maybe it's it could be on consent, and you were told the

(01:07:32):
only thing you need is this, right?
Based on the judge order or whatever.
You just go there and and pull that out based on those
instructions, right?
Um, this is this is amazing.
I I this is a great functionality.
I love it.

SPEAKER_01 (01:07:44):
So here's where the screenshots came into a folder
called screenshots.
WhatsApp is what I named it.
So it came into the WhatsApp folder.
Uh Orlando was the name of the actual chat that I named it.
And then inside of here, let me back out.
We have a PDF, a PNG, and a text version of each of those
screenshots.
So let's take a look at the PDF.

(01:08:06):
So here we go.
Oops.
I've got all the stuff open on the sides here.
Let's get rid of that.
An AI assistant on my Adobe.
I never asked for that.

unknown (01:08:18):
Alright.

SPEAKER_05 (01:08:20):
Look, you don't you don't need to ask for AI to be
thrown into everything.

SPEAKER_01 (01:08:25):
It's infiltrating everything.

SPEAKER_05 (01:08:27):
You're totally will have AI soon enough.
Don't worry about it.

SPEAKER_01 (01:08:30):
Oh my gosh.
So we have the device, and there's some basic information
about the device.
The screenshot came from, the name of the screenshot, hash
value, and um the app and chat as named by me.
So that's the PDF version.
Then you've got the PNG.

SPEAKER_05 (01:08:49):
Well, I love the PDF because it's like this
screenshot has what I need.
That's just it's ready for it's ready for my report straight up.

SPEAKER_01 (01:08:56):
Yeah, the PDF has the additional information.
You know, I haven't even opened a text yet.
I'm not 100% sure what the text is, but Christian's in the
notes.
Maybe he'll tell me.

SPEAKER_05 (01:09:05):
Is that a hash, Christian?

SPEAKER_01 (01:09:07):
Oh, maybe.

SPEAKER_05 (01:09:08):
Because it looks like some sort of hash.
But again, I'm missing.
Well, you know what?
I'm just guessing.

SPEAKER_01 (01:09:13):
Let's compare it.
It is, it's the hash.
I compared it to the PDF.
Perfect.

SPEAKER_05 (01:09:17):
Okay, look at that.

SPEAKER_01 (01:09:18):
You're a good guesser.

SPEAKER_05 (01:09:20):
Well, it's informed by experience.
So I'm just gonna say that.

SPEAKER_01 (01:09:23):
So we have all I did each and every one of the
options here.
Um, we'll open one more here.
Let's look at the I don't want to open in that.
Uh that's alright.
Hold on, I'm gonna crash my my uh notepad.
Let's open it in notepad.
So this one is the dumpsys, and we've got it all here.
We've got currently running services on the device, and just

(01:09:48):
an entire log of the dumpsys.
Pretty neat.
Pretty neat.
Yeah, I love it.
My let's see if we can find so yeah.
So I know what my um my wifi is here, so we can see there on the
screen.
I just did a search for my anydancer Wi-Fi, and there it is.

SPEAKER_04 (01:10:08):
Oh, look at that.
Look at that.
Very nice.

SPEAKER_01 (01:10:11):
So awesome, awesome tool.
I suggest that everybody go out and try it.
It's it's a wonderful price right now, too.
You can get it really cheap.

unknown (01:10:22):
It's free.

SPEAKER_05 (01:10:23):
Yeah, I was gonna say if you don't like it, uh,
you know, Christian will give you your money back.

SPEAKER_01 (01:10:27):
So he will, he will, but no, all seriousness,
seriousness, though.
If you're gonna go try it out, please report any issues that
you see because we make this the best tool for the community.

SPEAKER_04 (01:10:37):
Absolutely.

SPEAKER_01 (01:10:39):
All right, let me close that.
And that brings us to the end of the show.
So we have to do the meme of the week.

SPEAKER_05 (01:10:50):
Yay, my death favorite part.

SPEAKER_01 (01:10:52):
Let me take this off of the screen.
Here is our meme of the week.
We have a Snickers candy bar, and the caption says, Check your
kids' Halloween candy carefully.
Vendors tried to hide, and inside the candy bar you can see
a little box that says ChatGPT on it.

SPEAKER_05 (01:11:12):
I uh I yeah, this is a meme I made some time ago, but
uh, you know, it's it's so top uh topical for the Halloween
section.
It is there's ChatGPT, I say ChatGPT, but LLMs everywhere,
even where there don't need to be one.
I don't need a chat box in my browser.
Why would I want one?

(01:11:32):
It has to the point that OpenAI has made a straight-up browser,
straight up browser, which I think is pretty hilarious
because this is my this is my personal opinion.
I don't speak for my job, I know, but either way, none of
the things we said today represent our employers are
opinions and opinions only.
Um look, if if you're trying to muscle into Google's ad revenue
by making a browser, um your use case of your technology is

(01:11:56):
obviously not as clear as you want to make us believe.
Yeah.
Uh but that's me being the AI critic.
But yeah, no, um, this is true.
You see LLMs being put everywhere, and and folks,
companies and vendors think, well, I am my strategy is to
have LLMs.
That's not a strategy.
Like a strategy is I have a problem and I'm gonna solve it

(01:12:17):
in a certain way.
Just throwing LLM into things is not a strategy, it's just you
throwing stuff into things, right?
Um, so a proper use of technology and and actual useful
use cases for it is more important than just having it,
right?
It reminds me of Jurassic Park.
Just because you know you can'tdo it doesn't mean that you
should.

(01:12:38):
But yeah, it's ChatGPT is everywhere.
That's how it is, folks.
Be careful when you buy yourcandy.

SPEAKER_01 (01:12:44):
Oh well, that's it.
That's all we've got for the week.

SPEAKER_05 (01:12:49):
Yeah, no, again, thank you everybody for being
here.
Um, all the folks, some folks just join in when we're leaving,
so sorry about that.

SPEAKER_00 (01:12:58):
Watch it on YouTube.

SPEAKER_05 (01:12:59):
Yes, just subscribe and then you'll know when we're
going live and you can hang out, hang out with us.
Again, thank you for Christian, thank you for Brett and Kevin
and Mary that I saw her there, and for Mark, and uh all the
folks uh who else am I missing, and Bruno and and Forensic with
Matt, all the folks that uh chat with us today.

(01:13:19):
Your input is so valuable.
We love you, and uh we don't know when the next episode will
be.
We hope soon.

SPEAKER_01 (01:13:25):
Yeah, oh definitely.
Let's shoot for two weeks.

SPEAKER_05 (01:13:27):
All right, well we'll we'll try that out and
we'll see you there.
Anything else for the good of the order, Heather?

SPEAKER_01 (01:13:32):
That's it, thank you so much.

SPEAKER_05 (01:13:33):
All right, folks, we're gonna finish up with the
song if I can find it, and uh, we'll see you again next time.
Take care.