DFN: 2nd Anniversary

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:15):
Welcome to the Digital Friendship Now podcast.
Today is Friday, August 29,2025.
My name is Alexis Brignone,here inside my car, aka Briggs,
and I'm accompanied by myco-host, the work-from-home
examiner, the management masterof disaster, the tester-in-chief

(00:36):
, the one and only HeatherFrontier.
The music is hired up by ShaneIvers and can be found at
silvermansoundcom Heather.

Speaker 2 (00:48):
Hello, work from home .
I went, yeah, I mean.

Speaker 1 (00:54):
I'm not doing any work from home today.
I'm being kind, you're just athome doing nothing.

Speaker 2 (01:01):
Pretty much.

Speaker 1 (01:08):
Look, look.
I started having a room for theshow, then I had a closet and
now in my, in my car, I'm justit's going backwards I was gonna
say have you been?

Speaker 2 (01:14):
have you been banished from the under the
stairs cupboard?

Speaker 1 (01:19):
yeah, no, I mean, I'm gonna do the show under a
bridge next time that I'm goingto touch bottom right there.

Speaker 2 (01:26):
It looks good.
I like the new office.
It's got a lot of windows.

Speaker 1 (01:33):
Yeah, not the computer kind, just playing
actual car windows For the folksthat are listening.
Yeah, I'm doing it from the car.
Today is an odd time for us tobe doing the show at 1 o'clock,
but schedule has been crazy andthe evening is crazy and the
evening last night was crazy, sowe're doing it today Now.
For example, christian Petersin the chat, you know he's very

(01:54):
excited.
He's, I think, well, it's wayearlier.

Speaker 2 (01:57):
It's not bedtime.
Yes, it's not bedtime, exactly.

Speaker 1 (02:04):
Hi Christian, at least the folks from other
places that want to be live.
They got a better chance ofdoing it at a more reasonable
time.

Speaker 2 (02:12):
Yeah, definitely, definitely.

Speaker 1 (02:15):
So, Heather, what's going on?
What's going on with you?
Tell me.

Speaker 2 (02:18):
So last podcast we did the what's Been Going On and
I didn't even mention that I'mnow working for Hexordia as a
trainer.
I can't believe I forgot tomention it.
So I'm working with thewonderful Jessica Hyde and her
great, her great crew and we'llbe training for some of her

(02:38):
classes.

Speaker 1 (02:40):
Well, that's, that's fantastic.
I, you know, we, we, we talkedtogether for what?
Two, three years now.
So I like the cut of your jib,so it's pretty good.
Folks are going to like theclass because the content I
haven't used any structure, sothey're extraordinarily lucky to
have you, so I'm really happyfor that.

Speaker 2 (02:56):
Oh, I'm so excited, can't wait to start, not next
week, the week after I start.

Speaker 1 (03:03):
So can't wait.
Yeah, no for sure.
And hopefully you can come insome of that referral money.
Yeah, I'll just send it down toyou.
What's been going on with you.
You don't need no referrals,You're worldwide known.

Speaker 2 (03:18):
Thanks.

Speaker 1 (03:20):
What's been going on with you?
The?

Speaker 2 (03:21):
last few weeks.

Speaker 1 (03:23):
Not much Before I tell you Forensic Wizard, my
good friend, is in the chat Also.
Kevin, our right-hand man withthe Leaps and Johan is also at a
more earlier time than usual,so good to see you here as well.

Speaker 2 (03:38):
He doesn't have to set his alarm and wake up in the
middle of the night.

Speaker 1 (03:43):
Or just watch it in the morning when he wakes up,
we're actually live.
No, johan's a good sport.
He shows up even though it'sreally late over where he's at,
so we appreciate it.
Yeah so, yeah, so, um, a lot ofwork, uh, really busy, um cases
coming in.
So, honestly, there's there'snothing really new new.
No trips, no nothing, just justwork, trying to survive, um,

(04:06):
adjusting to the changes andlooking forward to the future.

Speaker 2 (04:10):
Nice, very nice.

Speaker 1 (04:12):
Yeah.

Speaker 2 (04:13):
So we'll get right into our topics then for the day
.
So I can go back to workingfrom home.

Speaker 1 (04:22):
Appearance of working .
Yeah, let me tell you the factthat we have now a few folks in
the chat.
I'm surprised at this time, soI'm happy.
Thanks everybody.
Yeah, me too.
Like it's one o'clock, I don'tknow everybody, nobody will show
up, but um, I appreciate it,folks in their lunch hour just
showing up.
So thank you, yes thank you.

Speaker 2 (04:39):
So, uh, a few announcements.
So first, uh, I don't know ifeverybody saw or if you saw uh,
theans Difference Maker Awardsis now open.
So nominations are open nowthrough Monday, september 15th,
and there's quite a fewcategories for the SANS
Difference Maker Awardspractitioner of the year, for

(05:01):
three different categories, fourdifferent categories actually.
They have a community championof the year, rising star of the
year, media creator of the year,which can include podcast live
stream or book innovation of theyear, company of the year, ciso
of the year and lifetimeachievement award.
So if you know anybody who youwant to nominate for any of

(05:26):
those categories, that is opennow and you can google it or
we'll have.
I'm not going to keep that up.
Um, we'll.
We'll have the link in the shownotes for that are those all
the other categories now?

Speaker 1 (05:38):
is that?
Yeah, yep yeah, because a fewyears back, uh, we won the open
source tool of the year for theleaps, but I don't think that's
a category anymore, I guess it'smore directed at individuals as
opposed to toolingorganizations, I guess.

Speaker 2 (05:55):
Well, there's a company of the year.
An innovation of the year.
Maybe that would fit.

Speaker 1 (06:00):
Yeah, no, it's a good event.
I don't know if they did itwhen I went.
They did it in DC.
I don't know if they did itwhen I went.
They did it in DC.
I don't know if it's stillthere and they have a nice
dinner there and then they talkabout the awards and they stream
it.
So it's a good eventrecognizing folks that put the
work in.
So, like you said, if you knowsomebody that would be

(06:22):
encouraged by that recognition,then put them in.
Yeah absolutely.
Let's see what happens.

Speaker 2 (06:27):
Yes, absolutely so.
Another little announcementMagnet Forensics is going to
have a webinar airing onSeptember 17th.
It's going to be entitled AIUnpacked, number 5, the Great AI
Debate with with digitalforensics now.
So Alexis and I are going tojoin Brandon Epstein from Magnet

(06:50):
Forensics and we're going tohave an AI debate.
I know, last podcast I promisedthat there would be no AI this
week or this next episode, butwe do have to like just give a
quick announcement that that'llbe coming out on September 17th.

Speaker 1 (07:06):
I think I've become the official uh ai, curmudgeon.
Is that the word?
Curmudgeon?
Is that the word?
Yeah?
I was a hater, but yeah youknow, hater is a strong word.
It might still apply, it'sstill a strong word.

Speaker 2 (07:19):
So, uh, you know I thought I hated it and you have
completely surpassed my hatredfor AI.
No, no, no, no, no.

Speaker 1 (07:27):
Look, look, not hate, let's call it skepticism.
I'm the AI skeptic.
Okay, it's a little bit better.
Hey, look, I'm more than happyto be proven wrong.
So so I hope I'm wrong.
I don't think I am, but I don'tthink so either.
Well, this is the thing.
You see, since I'm themoderator, I'm already, you know
, buying her in so she can be onmy side in this debate.

(07:49):
No, I'm kidding.
The fact is that I believeskepticism is warranted for new
technologies.
I think we should all be askeptic of new and old
technologies in general, but no,I think it's important to also
have two sides to the story.
Right, we got the side thatspeaks to how good things are,
how beneficial they are, but wegot to also talk about, I
believe, the risks that thesetooling, new tools come with and

(08:13):
the proper methods andprocedures to effectuate the use
of it, if it's wanted.
So we have a debate on that.
I don't think we're going to bethat far off on this debate.
I think we come from how can Isay this?
An understanding that newtooling is a good thing.
So I think we both agree onthat, but we'll see how things
shake out.
Yeah, hopefully we're planningand we'll see what, how we can

(08:36):
plan this with Brandon to alsomaybe do a revisit in a longer
time format.
So we can go into more depthbecause this type of episodes
with magnet tend to be a littlebit more shorter based on the
format.
So stay tuned, you might have asecond go around with a bit
more time to go into moredetails.

Speaker 2 (08:55):
Yeah, and everybody can register for that now on the
magnet website too.
So just go sign up, and thewebinar again will be September
17th, and there you just gotyour little bit of ai in.
That's it.
I will find a way to put.

Speaker 1 (09:09):
I will find a way to complain and be more skeptical
about ai somewhere in the show.
I don't know where I'll find away oh, I know you will.

Speaker 2 (09:18):
Um, let's see.
So blogs there's a couple ofnew blogs out by the binary Hick
, josh Hickman fairly newentries that he has.
So the first one is calledFurther Observations more on iOS
search party and Josh takes alook into how iOS was keeping

(09:39):
tabs on what Find my compatibledevices it was seeing in the
wild Find my Compatible Devicesit Was Seeing in the Wild.
He investigates and performstesting in that blog on files
found in thecomappleicloudsearchpartyd
location and specifically hetalks about his testing related

(09:59):
to the observations database.
The research reveals thatretention time for that data is
likely around 24 hours, so morereason to get your extraction
ASAP.
But it confirms that iOSdevices are keeping track of all
of the Find my compatibledevices that they see, a lot

(10:19):
like the way Android does it,and it gives examiners another
source of location data on iOS.
Who doesn't love someadditional sources of location
data?

Speaker 1 (10:31):
Yeah, and a good thing about the article is that
he goes into the process of howthey were able to get.
He was able to get to it.
There's encryption involved andhe kind of briefly explains you
know where the IV is, or theinitialization vectors or the
salts that you need for thepasswords or the passcodes, and
then the keychain gets involved.

(10:51):
That's where the actual key isright and then what type of
encryption this database uses.
I don't think there is anautomated way of doing it right
now.
That's something that you know.
I know Kevin is in the chat.
We need to converse a littlebit about how can we implement
that.
In theory shouldn't be that bad, since already josh gave us all
the pieces that we need rightto do it.

(11:12):
It's just sitting down anddoing it.
It's just.
You know we're always lack oftime.
I'm talking about kevin.
Uh, he made a comment.
See, I'm gonna bring it againyou gotta do it talking about.
I guess, referring back to theprevious topic about the debate,
it's going to be like Geminiversus ChatGPT versus Claude and
I'm like, no, I think it'sgoing to be more of an AI in our

(11:33):
field, versus me being askeptic about AI in our field.
It's going to be, I guess, moreof a broader discussion.
But yeah, this whole Gemini wasa chat gbt versus claude.
That's a whole nother story foranother episode yeah, um.

Speaker 2 (11:52):
so josh hickman binary hick had another blog
recently too, um, and it'stitled not strange fed fellow
samsung rubin and digitalwell-being.
So this one is kind of like apublic service announcement for
all examiners that have reliedin the past on data from
Samsung's Rubin and DigitalWellbeing.

(12:12):
If you don't know what thosedatabases are, they're the
device pattern of life databasesfor a Samsung device, so kind
of just the pattern of how thedevice user is using that device
.
It covers some strange behaviorthat people have seen related
to those databases.
I know I've seen a little bitof strange behavior related to

(12:34):
those databases and other peoplehave called into Josh asking if
he knew about it.
So he went and examined it,tried to figure out why the
strange behavior was happening.
So if you encounter a phoneusing both Rubin and the digital
well-being, the two items needto be examined together in order
to get the full picture ofwhat's happening on the device.

(12:56):
He specifically talks in theblog about device unlocks and
odd behavior related to boots ofthe device.
So check that, check out thatblog and make sure you're
looking at those two databasestogether so you're not missing
important data related to yourcase.

Speaker 1 (13:15):
And these blogs are great.
I would have assumed that ifyou have a Samsung phone, it
will be only Ruben right?
You know, I had no idea thatyou could actually use both and
I think there was like aparticular entries I think it's
device locked or unlocked, Idon't remember which Then I'm
going to show up in one of thedata stores but not on the other

(13:36):
one, yep, which, again beingthe device unlocked, being part
of your case, of course.
So you definitely have to lookinto those and I appreciate
folks like Josh that put thisresearch out, because some of
these things I would have neverthought if you hadn't done that
testing.
So that's pretty awesome.

Speaker 2 (13:53):
Absolutely yeah, it is the unlocks that you're
talking about.
So in the Samsung, yeah, it'straditionally in the digital
well-being and in the Samsungit's pushed over to Rubin, the
device unlocks.

Speaker 1 (14:08):
Yeah, I think Rubin is also encrypted, but tooling
nowadays is able to encrypt thatand make it accessible to you.

Speaker 2 (14:13):
Yes, I love the Samsung Rubin stuff because it
also has some really goodlocation data in it, and when
the key store wasn't beingpulled for a very short period
of time by tools and I couldn'tget that data, needed it, and
this is another reason why weneed to have all of that data,
absolutely, yeah.
So a little tool that I sawrecently people were posting

(14:40):
about on LinkedIn from Monolith.
So Monolith Notes is a freetool that Monolith has right on
their website.
You just have to put your emailaddress in and they'll email
you an executable for their freenote-taking tool.
I'm just going to pop it up onthe screen here let's see.
If you don't know what Monolithis, they have, like, case

(15:03):
management software.
I have not gotten a chance touse their case management
software.
Have you?
Have you, alex?

Speaker 1 (15:11):
I have not.
I have not.

Speaker 2 (15:13):
Yeah.
So I hear really really goodthings about their case
management software.
So if anybody gets a chance ona demo or sees them at a
conference, definitely checkthat out.
But they do have this reallysimple, neat little note-taking
tool that is for free.
So it opens there and you canhit new case, put in all of your

(15:33):
case information.
I'm just going to put somestuff in here.
Let's see, see if I can.
There we go and then once youopen your case you can click on
new note, title your note, sowe'll call it case notes.
And once you have a title foryour note, there's this free

(15:56):
form text box here where you canjust start taking your notes,
taking notes, taking your notestaking notes.
Once you do that, there's anoption to export the current
note and it'll export that noteas a PDF and let me just pull it

(16:25):
.
Yeah, I'm just going to pull up.
I created a PDF from a littletest note here that I created,
so let me let me pop it up tothe screen here, if I can.
Of course, I am terrible withthe sharing of the screens.

Speaker 1 (16:33):
There we go.
It's only been two years on theshow.
I can't.
I can't do it.

Speaker 2 (16:41):
I can't.
I know it's terrible.
So there it is.
It just literally creates alittle PDF with I had titled my
note, names and numbers, andthen I have the wizard of Oz
people here with their phonenumbers, and if you put in a new
note in the same case, it'lljust have another note page.

(17:01):
So check that out.
It's really cool, really easyto use, simple, especially if
you're a smaller department andmaybe you don't have note-taking
capabilities or note-takingsoftware in your office.
I know that I am queen of thesticky notes.
This may be an option to useinstead of the sticky notes.

Speaker 1 (17:22):
Yeah, yeah, I think that's.
Yeah, here's for discovery.
You have a page with three bythe sticky notes.
Yeah, yeah, I think that's.
Yeah, here's for discovery.
I have a page, you know, withthree by three sticky notes.

Speaker 2 (17:30):
So I do.
I scan them all in.
I've tried to get away fromthat, though, oh my gosh.

Speaker 1 (17:37):
I would have put that in the intro.

Speaker 2 (17:41):
Yeah, no, seriously, it's like a joke in the office,
because you come into my office,there are sticky notes
everywhere, so this little notetaking app is very helpful.

Speaker 1 (17:53):
Somebody will start using it now.

Speaker 2 (17:55):
Yeah, oh, I've been, yes, I've been trying it out,
definitely.

Speaker 1 (17:59):
I do my notes by hand also, but I have like a form
with little boxes that I writestuff in.
But, um, definitely tappingthem up is so much better.
Also, to again export them outand and and be able to give them
out looks way more professional, so maybe I should be able to
and try to type them out,instead of just having a form
that I scribble my notes in youwell, now you have a little tool

(18:19):
you can try out for that I justlike the price, you know oh, I
like the price too.

Speaker 2 (18:24):
It's a good price, yeah, um.
So what else do we have?
Uh, some recent chatter onLinkedIn I wanted to bring up.
So, uh, patrick Seward.
Uh, he is on LinkedIn and herecently had a post, uh, about
CSAM cases and he asked a wholebunch of really good questions

(18:45):
When's the last time you took aCSAM case to trial?
And he said in his experiencethey don't go to trial very
often, and in his very recentexperience with the CSAM trial
in Virginia, it suggested thatthe investigation and
preparation for the trial wereseriously lacking.
He, in his post, attributesthat to the fact that you know,

(19:07):
the CCM case doesn't usually goto trial.
So do we need to fullyinvestigate?
Do we need to fully prepare?
The answer is always yes tothose questions, but he's saying
he's seeing CCM cases weeklythat should not be prosecuted
due to lack of concrete provableevidence.
And my thoughts on that are theconcrete provable evidence is

(19:29):
probably there, but did we do agood enough job creating a
presentable report for court toshow that concrete provable
evidence?
I think of conversations I'vehad with people in the past
where they're like oh well, Ijust need those 10 images, I
don't need anything else, I justneed the 10 images and you

(19:50):
can't fully prosecute a CSAMcase just based off of 10 images
with no context to those imagesand no further artifacts that
show how they got there, wherethey went, who interacted with
them.
What do you think?

Speaker 1 (20:06):
Well, look, I mean, like always and we always.
This is to be a given, butwe're going to say it again the
opinions expressed here are oursand only ours, don't reflect
our employers or workplaces orany organizations we're
affiliated with.
Now, that being said, right.
Now, that being said, right, Idon't believe that the

(20:28):
prosecutors and theinvestigators go to trial
thinking they don't have whatthey need.
That doesn't mean they have it.
But I cannot attribute maliceor just say well, since this
case is always pleading, thenext one's going to plead.
Therefore, I'm not going toprepare.
I don't think that's what'sreally happening.

(20:55):
My take, or my perception, isthat a lot of people are working
these cases and, since theyhaven't gone to trial as much,
they haven't been put to thetest in regards to what's how
they are running these cases andthe knowledge they have about
the violations of law thatthey're working.
For example and I'll make oneup, it just came into my head
let's say the investigator islooking at somebody that had
CSAM in a mobile device.

(21:16):
If you have it, you possess it,and you're like well, it's your
phone, you have the code andyou had it.
Therefore, you possessed it.
Go to jail and don't go to jailand and you know, and don't go
to jail, don't what's inmonopoly.
You don't collect 20 and go tojail, something like that.
All right, yeah, all right donot pass go and do not pass go,
okay, all right.

(21:38):
Well, if you look at the againagain, this is an example I'm
making up.
But imagine your differentjurisdictions.
In some jurisdictions, thepossession violation or charge
might have the statute mightrequire for the person to be
able to say that he possessed it.
He had to be knowinglypossessed.
Well, what does knowingly meanright?

(21:58):
During the investigation, werethere statements that the person
knew that was there, because itmight've been by accident, it
might've been other situations,right?
And do we, as investigators,have the knowledge?
You say, well, that's on theprosecutor.
Well, is it, though?
Right?
And remember, the prosecutorssometimes work off of what we
tell them as investigators,right?
So I need, as an investigator,to have a clear understanding

(22:19):
what the statutes are and howthey're applicable as I'm doing
my investigation.
And if I don't have that,because I came into the unit and
the senior agent or seniordetective is just telling me oh,
this is how we do it and you doit how they do it, and that gap
expands, that knowledge gapexpands and I don't think people
are thinking to do anythingwrong.

Speaker 2 (22:39):
Oh, I don't either.

Speaker 1 (22:41):
Yeah, I think again, patrick's post still has a good
point, right?
Yes, we need to be betterprepared, we need to actually
know our statutes, we need toknow the technology behind it.
Just because you found thepictures using UFDR, a portable
case, well, that's not enough,right?
Because you can say, well, thepictures were not taken with the
phone Because, let's say, it'sa picture from CSUN that I know

(23:04):
from a previous series, thatexists, right, so therefore they
were received.
That's a charge.
Well, are you aware thatreceipt requires you to actually
show from where they werereceived?
Yes, right.

Speaker 2 (23:17):
Right, exactly.

Speaker 1 (23:18):
Just because their phone didn't take them, because
you've seen them somewhere else,doesn't mean that you can now
just by that fact sounds logicalin your head.
But that's not what the statuterequires.
You need to actually show thedistinct way this got from point
A to point B.
Are you looking that into yourcase or are you just hoping that
the person pleads out?
Right, but again, not withmalice.

(23:40):
I don't think the investigatorssometimes don't understand at
that level of detail what thestatute requires versus what the
forensics might show.
Which speaks and I'm getting inmy salt box here which speaks
to if you're working these casesactually if you work in any
source of cases and you got anelement that does use a
forensics in your unit or inyour organization, you need to

(24:02):
talk to them.
You need to brief them on yourcase, explain what your theory
of the investigation, yourtheory of the case, is right.
I am not going to get that bylooking at your case file.
Case file is full of facts.
It's just facts.
What we found, that's it.
But facts by themselves don'ttell me the story.
You need to explain to me whatthe theory of the case is theory

(24:22):
of the case and I can tell you,then, how forensics either
support or doesn't support thattheory of the case, because the
theory of the case could bewrong.
Maybe you're thinking thisperson is guilty and it's not.
Or maybe you're thinking it'sinnocent and it happens to be
guilty, right.
We might think this person isthe actual victim which has
happened in cases that I'veworked and then we figure out
the person was not a victim.

(24:43):
It was actually involved intothe you know for lack of a
better word conspiracy of thecrime, right?
So we have to have a reallyopen mind in regards to that.
Leave all those presuppositionsto the wayside.
Be biased in favor of truth wesaid this before but know your
violations, know your statutes,make sure you interface with
your examiner, make sure you'rewith your prosecutor and we give

(25:07):
him or her all the informationthat we have to make those very
decisions.
And and you know it, it's a lotof personal issues there, right
?
You can have an you know crustyold prosecutor that thinks he
knows everything and he's notaware how technology has changed
in the last 15 years, andthat's a challenge.
Or you have the brand newprosecutor.

(25:27):
That's brand spanking new, outof law degree college, just
passed the bar and has no ideaof the intricacies of working on
C-SAN cases and the multipleviolations and the expertise.
So you, as an investigator,have to bridge those gaps, those
personal issues, personalityissues, technological issues,
law issues and I don't know, andI don't know, I don't know.

(25:49):
That's something that I guessour training programs should
really start dialing in a littlebit more of that.
Hey, you're working this typeof violations as a detective.
This is what you need to know.
I don't know if that makessense.

Speaker 2 (26:03):
No, I absolutely agree.
So I mean the post where itsaid I said preparation for
trial is seriously lacking.
I'm not also not saying that itis done intentionally or with
malice, obviously.
I think sometimes neweranalysts or newer investigators
that are working in digitalforensics also may not be aware

(26:26):
yet of what they need toactually go to trial.
Maybe they haven't gone to atrial at all.
This will be their first trialand they just don't know what
they need to adequately testify.
But you're right, the only waythat we can all be on the same
page with that would be throughtraining and knowledge.

Speaker 1 (26:42):
100% A hundred percent, yeah.
And trials I've gone to a few.
Well gone.
I testified in quite a fewtrials and I think that the next
topic is going to speak alittle bit more about that, so I
don't want to get into it, butyou gotta let me put it this way
.
Of course, we got to preparefor trials, right, and like,

(27:03):
like Brett Shaver says in thenext point, next section, that's
a test for you, but imaginethere's no trials.
Imagine that didn.
And like Brett Shaver says inthe next point, next section,
that's a test for you, butimagine there's no trials.
Imagine that didn't exist.
It don't matter.
We have to have this convictionthat we are doing the best job
that could possibly any humanbeing do.
Right, that we're looking forthe evidence and the truth and

(27:26):
an understanding of what we'retrying to prove or disprove,
because we forget aboutdisproving.
The act of proving is just theother side of the coin of
disproof.
Right, it's one coin that hastwo sides, right, and we need to
be aware of that and act andthink in that way.
If I'm finding that there's agap in my knowledge where I am
not being able to effectivelycome to a certain conclusion,

(27:46):
that there's a gap in myknowledge where I am not being
able to effectively come to acertain conclusion.
That means I need to up my game.
That means I need to reach outto folks that have been doing it
longer, have some peer reviewin my reports or talk to
investigators that have beendoing this longer.
If you have in some offices, atthese federal offices, for
example, there's prosecutorsthat have a lot of experience
working in CSAM cases thatthey're managing some of those

(28:09):
safe Project, south Project,safe Childhood projects, there
we go.
Project Safe Childhood, therewe go.
I said it right now that managethat program.
It's a DOJ program, right, thatis focused on protecting
children.
Reach out to your point ofcontact there and hey, look,
this is the facts of my case andthere are resources that you
can use both at the state,federal and local level to make

(28:31):
sure you have the strongest casepossible because of if there's
we said it before on the showthere's no other violations, at
least from our perspective andI'm going to speak for both of
us.
I know you will agree that aremore important than protecting
women and children.
That's, that's just how it isright.
The most vulnerable elements ofsociety.
Um, we should be on this, on itand take it with the

(28:51):
seriousness and the importancethat it has.
There's no other biggerpriority than protecting those
that are vulnerable, and that'sour mission, and that's what we
do, and we need to do it right.

Speaker 2 (29:01):
Definitely agree.
So you kind of already startedtalking about Brett Shaver's
most recent article.
So it is courtroom trials arethe final exam for your work.
Why haven't you attended one?
His article talks about digitalforensics and evidence

(29:24):
professionals often lackingexposure to courtroom settings,
even though trials are the truetest, you know, and presentation
of your work.
So observing courtroomproceedings helps us understand
how evidence is challenged,admitted or excluded and shows
the importance of cleardocumentation, chain of custody
and communication.
So the overall theme of Brett'sarticle is he's encouraging
people to attend trials orhearings, not just when required

(29:47):
, but to build that confidenceto improve your practice.
And he says even a single dayin court can transform how
someone prepares and presentstheir evidence, making their
work more reliable anddefensible.
So I could not agree with thismore.
When I first started working inthis field my very first trial

(30:10):
it wasn't my first time in acourtroom because I was a
probation officer prior to doingdigital forensics, but it was
my very first time testifying tothe work that I was about to
present and I went without everhaving witnessed anybody else
testify in that manner and Ithink I did OK.
Could I have done better?

(30:30):
Certainly it was my very firsttrial.
But had I had that opportunityto go and watch some of the
people in the office who'd beentestifying for quite some time,
I think I would have done thingsquite a bit differently and I
would have known what was comingnext.
Because that was probably theworst part of it for me is I had
no idea where we were goingnext.
What was going to be the nextquestion?

(30:52):
Um, there was actually my veryfirst trial, uh, an objection to
something I said, uh, wherethey wanted to get, uh, my
entire phone tossed out.
Um, and I had no idea what Iwas supposed to do during that
part of the trial.
Do I sit there and listen?
Am I supposed to speak?
So getting that courtroomexposure is so, so, super

(31:14):
important.
New employees that come into myoffice I take to conferences,
to hearings, to trials.
We watch some of the moreseasoned examiners.
We watch some of the newerexaminers maybe it's their first
time testifying and thenafterwards, the following day or
if we have time that day, we'llhave like an after action

(31:34):
meeting where we talk about whatthey think they did good, what
they think they could improveupon, and it helps those new
people understand, but it alsoprovides that constructive
criticism for the person who wasjust on the stand.
I think that that is sobeneficial to somebody new and I
wish that had been availablewhen I first started.

Speaker 1 (31:57):
Well, and and and new people and people are not so
new.
For example, there might befolks that they come to work and
they are working a violation.
That's not one where you takepeople to jail too often, right?
Let's say you're working someintelligence cases.
Well, you're not going to beplacing a lot of people in jail
and do that for many years, andthen you move to a unit that's

(32:21):
working safe streets, which iswhat that means is we're working
cases with the locals trying tobust drug rings.
You know out on the street, getdrugs off the street.
Well, you're going to be doinga lot of arrests, most likely,
right?
So now what?
So what that means is that youneed to, as an investigator, no
matter what you're doing, havethat as part of your process in
your mind.

(32:42):
Something as simple as goingwith some other agents that are
testifying to the localcourthouse from your district or
your division, wherever you'reat, only just sitting in the
room helps, because the momentyou sit in that room yourself,
you are familiar with the placewhere people sit.
The defense goes here, theprosecution goes there.

(33:02):
That's the testimony box.
This is where the transcriberperson goes, the judge sits over
here, the jury goes over thereand you get a feel for the room
and that keeps your nerves downbecause you're not walking into
this unknown space.
I'm familiar with the space, Iknow the protocols and
procedures for that courthouse.
When the judge comes out we allstand up and then we all sit

(33:23):
down.
We're told to be set to sitdown.
You get familiar with that andthat helps keep those nerves
down because you're nervousbecause it's an unknown
environment.
Then make it known and part ofthe process isn't only going to
the courthouse Some things thatI do.
I read a lot of books aboutdebating, not because I'm going
to debate at court.
You don't want to do that.
You're not to debate, you're totestify.

(33:48):
But the act of understandinghow to present ideas clearly
will help you.
When you testify you can havethe best examination in the
world and if you cannot conveythe conclusions in a way that's
understandable to the jury andcredible that the jury will
believe that you know whatyou're talking about, you can
lose the case.
And we talked about this,heather and myself, in the past,

(34:09):
where great cases that webelieve should have gone one way
for a lack of presentation goanother way, and only a lack of
presentation, a lack of clarityon your credentials.
Don't put stuff in yourdocumentation about your resumes
that that will make you lookgood if you cannot back it up.

(34:29):
Does that make sense?
Yeah, oh, definitely.
Going to court is not only howyou prepare your documentation
and how you show your evidence.
It's also about how you presentyourself.
And you know people take theirresumes and you know at some
point we embellish them a littlebit because we want to get
hired for a job or whatever.
Courthouse.
There's no embellishment.
You're not there to get a job.

(34:50):
All right, your resume has toaccurately reflect what you did.
Your experience has to actuallyreflect things you have done.
All right, the certificationshave to actually reflect things
that you have acquired andmaintained.
If you maintain them and if youdon't, you don't make that
clear.
Does that make sense?

(35:11):
So it involves a whole bunch ofthings that also translate to
other parts of your job, becauseif you make an effort to know
your environment, you make aneffort to understand how to
present things clearly.
You read books about debating,read books about public speaking
.
Right, that will filter out therest of your life.
It's not only in the courthouse.
You'll be better when you talkto your manager, so your squad
when you're presenting things,or you'll be better when you do
a presentation to the community.

(35:32):
You'll be better whenever youlike.
In my case, I hope to retire atsome point and go and work for
a private sector make my owncompany, I don't know but you
will have some skills that youbuild out to your career that
will help you and it will helpyou overall.
So I guess I can't explain that.
Expand the concept thatwhatever things that you do in
preparation for court, they'realso preparation for life and

(35:54):
and we forget about those we'retoo busy looking at instagram in
the afternoon to actually spenda few minutes.
Why are you laughing?

Speaker 2 (36:01):
yeah, I am, I am, I'm addicted.

Speaker 1 (36:07):
TikTok.
Yeah, we spent.
Some people spend time onTikTok.
They could have spent onsomething else, learning how to
present things in a better way.
Look, I'm saying that becausethat person is me.

Speaker 2 (36:19):
There's like cute little animals dressed in jeans
and outfits and stuff.
Stop.

Speaker 1 (36:25):
Yeah, there's AI babies that need to tell you
something.
No, but breast point is greatand and please, go, go, even if
you're not testifying, go andwatch other people testify,
watch trials on on youtube andthen see how they went what's
good, what's bad.
Take what's good and whatnoteven watch other sections,
sections.

Speaker 2 (36:45):
So I took a group of of newer examiners one time to
go watch one of our analyststestify and she didn't end up
getting on that day.
But you know who else testifiedDNA, firearms and a couple of
the me and they got to sitthrough that.
They'd never seen anything likethat or that type of testimony
either.
So if you can't get in to seeone of your examiners, just go

(37:07):
watch a trial any trial.

Speaker 1 (37:10):
The rigor, the rigor that the folks that do DNA, they
do ballistics, they do all theother fields, that rigor is so
impressive.
That's the rigor of work thatwe need to have as well in our
field.
That we should emulate Like yousaid, just because they're not
doing forensics in computersdoesn't mean there's nothing for
you to learn from them.

Speaker 2 (37:29):
There's a lot you can learn from them.

Speaker 1 (37:31):
So that's a great point, how they do their
presentation and the detail andthe rigor in which they do their
presentation worthwhilewatching, even if it's not about
computers or phones.

Speaker 2 (37:42):
Definitely, definitely.
So we have a question.
So have you ever gone through adauber and do you think a
dauber is the same for criminaldefense expert and prosecution
expert?
I've actually never sat for adauber hearing.
I don't know if you have, but Ihave not.
I've watched them.
So specifically there weredauber hearings in that Karen
Reed trial that was all the buzznot too long ago.

(38:04):
I think they questioned thecriminal defense experts just as
they did the prosecutionexperts in that.
But that's kind of my only realexperience is just what I've
seen.
I haven't actually gone throughthat process.

Speaker 1 (38:20):
Yeah, I've gone through it a couple of times but
it was for me.
It was fairly easy.
It was just it was more of myqualifications and there was no
contesting the qualifications.
The award gets complicated whenthe sides are contesting
something specific about theperson or the process, the

(38:41):
procedure that the examiner orthe scientist used for something
.
That's where it gets dicey,because I think again, these are
my opinions Look, it's an oldcommercial that said you know,
I'm not a doctor, but I stayedat Holiday Inn last night.
It's a really old commercial.
People that are old as me willknow the reference.
So yeah, I stayed at HolidayInn last night.

(39:01):
I'm no lawyer.
But what you see is thatthere's an issue with the
process, because dauber is notonly about the qualification of
the expert, it's also about themethodology, how the work is
being done right, and you canlook that up.
In the rules of, you know,federal criminal procedure they
state clearly that is thisprocess accepted in the field.

(39:23):
It was the error rate.
It's a repl, replicable.
It could be done again.
Those get somewhat dicey but,like Heather says, it could
apply to both sides right, bothdefense and prosecution.
Absolutely, there's somethingthat needs to be questioned.
For me it's being, like I said,pretty easy.
It was more of myqualifications Just presented.
The judge agreed that I was anexpert, same with the expert of

(39:53):
the defense and, at the end ofthe day, judges, my opinion is
that they defer a lot to thejudgment of the jury.
So if, if something might be,it's not super clear cut that
it's not scientific or whateverit is, then the jury will make
the decision what's true or not.
That is my opinion, of course,my opinion for what it's worth.
All right, I'm not talking inthe name of anybody else.
That's what I've seen, that thejudges will listen.
If they don't see anythingglaringly obviously wrong, then

(40:15):
they'll let the jury decide whatthe truth is.
Sometimes for me, some of thosedecisions I might have as a
citizen and knowledge in myfield, I might gone on one side
of the opinion or the other sideof the opinion.
But the judges have the legalknowledge to determine when it's
appropriate to put something infront of the jury and when

(40:37):
something is not worthy ofputting in front of the jury.
And that's the judge'sdiscretion, based on their
training, their legal experienceand their authority, and that's
respected and we go by what thejudges and the jurors say and
that's the final.

Speaker 2 (40:50):
And we go by what the judges and the jurors say, and
that's the final word Absolutely.
So, before we end that, just goto a courtroom and sit for a
trial, sit for some of thehearings, sit for whatever you
can.
It will greatly help you in thefuture.
Absolutely.

Speaker 1 (41:08):
There's one follow up question and then we'll move to
the topic.
Absolutely, there's onefollow-up question and then
we'll move to the topic.
Sure, josh is also asking well,what if they ask you about
error rates, for example, andmetadata?
What do you say?
Well, again, that speaks to howwell do you know your field?
Right, if I'm going to use amethod right, that's a black box

(41:30):
that I cannot explain how theoutputs, or I couldn't verify
the outputs I'm going to be introuble, right?
And imagine, imagine that youtake some AI, ask it a question,
you take the answer and give itto the court.
Well, what about the error rateof the AI?
I don't know, I just had the AItell me the answer.
Oh, you're going to be introuble, right?

(41:50):
So I guess what I'm saying withthat is whatever your procedure
is that you're going to use,you got to understand how good
or how bad it is With metadata.
It's a process that's sowell-known, right, that's been
verified a lot.

Speaker 2 (42:04):
I don't know if I do I have you still, heather?
Yes, I think I'm losing myinternet here.

Speaker 1 (42:11):
Oh no, I got you.
I can still hear you.
Okay, perfect.
And so, again, you really haveto understand what process are
you using, right and what aretrying to tell you with that
right?
And again, a process where it'shard to calculate error rates.
Well, you need to think aboutthat.
Maybe you want to use anotherprocess to get to your answer, a

(42:33):
process that has a better trackrecord, that's more in use with
the field and that you, theexaminer, understand, all right,
and you go with that.
So your preparation, how yourun your cases just taking
shortcuts might get you therefaster, but then it's going to
bring you back to the beginningif you don't understand what you
just did.
Does that sound good to you,heather?

(42:55):
What do you think?

Speaker 2 (42:56):
It does, and I'm going to call out Josh in our
comments for helping you getmore AI into this episode, when
it was supposed to be AI-free.

Speaker 1 (43:06):
I told you I was going to try.
I was going to try.

Speaker 2 (43:08):
I know You're being quite successful at it.
I have to put one other commentup.
Yeah, so this is my coworker.
Kevin Selhoff says that's why Ilike to get arrested regularly,
so I can get courtroomexperience.

Speaker 1 (43:24):
That's great.
That's great, kevin, yeah, yeah.
Of all the places I could sitat court, the defendant's table
is the one I don't want to besitting at.

Speaker 2 (43:33):
Yeah, me either.
I try to avoid that.
Kevin tries to avoid it as well.
Yeah, no, oh boy, he's at workwatching this, I bet.
So yeah, I just want to throw alittle dig into Kevin.
I'm not at work.
Ha, ha, ha.

Speaker 1 (43:54):
Well, he's working and listening, so we appreciate
you man.
Thanks for the joke.
I'm going to assume it's a joke, okay.

Speaker 2 (44:01):
Oh, it better be.
It better be right.
So, artifact of the Week.
Been doing the Artifact of theweek.
So my question to everybody isare you getting those bfu
extractions?
Um, if your phone is in abefore first unlock status, is
it worth getting that beforefirst unlock?

(44:23):
Partial file system extraction,extraction.
I say yes.
The reason I say yes couldthere actually be illicit images
and videos in a BFU that relateto the device user?
I used to say probably not,because the BFU really didn't
have the capability of gettingthrough the security mechanisms

(44:46):
to reach, like it doesn't havethe capability to reach the DCIM
folder or the third-party appfolders.
But there's some otherlocations in these devices that
a BFU is able to interact withand pull images and videos that
may be related to the deviceuser.

(45:07):
So I'm going to just throw aquick little PowerPoint up here
because it's easier than metrying to work with these
sharing screens.
But have you ever heard of fileprovider storage?
So I hadn't, until I did a BFUon one of my test phones and I
saw images and videos that I hadactually taken with my test

(45:29):
device in.
And I saw images and videosthat I had actually taken with
my test device in this file path.
So file provider storage isanother source of user data in a
BFU extraction, and the wayApple explains it is iOS.
File provider storage is afeature introduced in iOS 11
that allows third-party apps tointeract with files stored on
the device or in cloud-basedstorage devices.

(45:51):
The feature enables apps topresent a unified view of files
from multiple sources, such asiCloud Drive, dropbox, google
Drive and OneDrive, and allowsusers to manage and interact
with those files directly withinthe app.
So why is this good for the BFU?
This is good for the BFUbecause that file provider

(46:12):
storage will show you theseimages and videos with the
metadata.
So all of the images and videosfrom my test data were showing
that they were taken with theiPhone 7.
And that's the test phone Iused.
And that file path actuallyalso contains a trash folder.

(46:34):
So I haven't quite figured outwhat the trash folder means to
potential to get user images andvideos and potential to maybe,
in your CSAM cases, have thoseillicit images and videos access

(46:55):
to them.

Speaker 1 (46:58):
And depending on the again, this is a section of the
iOS workings that we do moreresearch on, as Heather said.
But I've seen in other caseswhere the file provider, there's
a little field called metadataand if you go and look into it
you will find additionalinformation about that file.

(47:19):
In one of those I found a URLand that URL we visited, you
know, on an online un-attributeddevice law enforcement computer
and we found a copy of thatCSAM, that image, which stands
to reason.
That's the possible origin.
Then later we were able to lookat some other artifacts because

(47:42):
we had a full file system atthat point.
But we were able to then lookat some other artifacts and
correlate them with that image.
It's coming from the link onthe website.
But the main point is thatthere might be some good
evidence and we're thinking well, bfus, there's nothing there,
it's trash.
No, there might be someevidence there that might be
useful for your CSAM cases andwe want to make you aware that

(48:03):
this is one of those locations.
Same thing with I was talkingwith Heather the photo picker
functionality of an iOS device.
Whenever you go into any appand you're going to select that
picture, let me give you abackground for the folks.
Back in the day, when you wentto share a picture with an app,
the app would have access to allyour pictures, like the whole
album, right?

(48:24):
Well, the photo pickerfunctionality now segregates
that.
The photo picker will only sendthe pictures you want to the
app and nothing more.
Apps don't have full access toyour albums and your pictures
anymore.
That's why it's calledPhotoSpeaker.
But the moment you selectPhotoPicker, certain copies of
those images get placed in thesedifferent directories within

(48:44):
PhotoPicker itself and some ofthem might remain, some of them
might be shown in differentextractions.
So start opening your mind andstart understanding.
Well, what's the photo pickerfunctionality for?
What's that file storage thatwe're talking about
functionality for?
Where have I seen it?
And do more testing and this issomething that as a community,
we should all be involved in,not just wait for Heather to do

(49:04):
it and then say, well, heathersaid no, get some test phones,
try it yourself, do some BFUextractions and see what you can
get, what you don't get, andhelp us kind of figure out.
And verification of that dataand then validation of the
process that Apple uses, so wecan take that and make proper
conclusions from those.

Speaker 2 (49:23):
Yeah, I actually bring this up because it just
came up One of my co-workers.
It just came up One of myco-workers, one of the analysts
in my office, saw stuff in afile provider storage and was
like how is this in a BFU and soand potentially may never get
the full file system extraction.
Had he not gotten the BFUextraction because, ah, there's

(50:01):
nothing in those, or had he noteven reviewed the BFU extraction
, he may never know that thatevidence lies right there in
that partial file system.

Speaker 1 (50:09):
That's amazing.

Speaker 2 (50:10):
Yeah, uh, there's another.
Another thing too recently wesaw uh in a BFU.
So I don't know if everybody'saware of Scott Koenig, the
forensic scooter, and hiswonderful work on the iOS
photossqlite.
So recently I've seen in someof the tests uh test, bfu
extractions, some of the sharedwith you syndication photo

(50:31):
library related images andvideos.
That's also gonna be actualuser images and videos.
The only downside to thosebeing in the BFU is you don't
have access to the photossqlitedatabase in the BFU, so it's
kind of hard to trace theorigination of the photos or
know which apps they came from.

(50:52):
But it's still good evidence ifthe images and videos are there
.
I mean, what if you have thevideo of the homicide?
Do we really at that point needto know which app it came from?
In the Photossqlite We've gotthe act being committed.
So I mean, just don't discountthose BFU extractions Absolutely

(51:12):
.

Speaker 1 (51:13):
No, I don't know.
That's yep and this feels likecyclical right.
We have access.
Then they cut off the accessthe vendors, and then we're back
to logical BFUs, but then weget the access.
So we need to be reallyproficient in trying to squeeze
as much data out of whateverexpression that we want or that
we have.

(51:34):
So, yeah, don't disregard it.
Always do your again, your duediligence, Be a property, Make
sure that you do a good job.
And attention to detail.
So three most important things.

Speaker 2 (51:48):
So what's new with the leaps we have this week?
So I'm going to call I'm goingto call myself out first and you
can talk about the new, the newparsers, but I'm going to call
myself out because I've beensaying that I was going to
record and put up an instructinstructional video related to

(52:08):
lava and its functionality.
Lava is going to be the newviewer for the leaps and I'm
going to make that promise todaythat I will get it by the end
of the week.
And if I tell everybody on here, then I have to do it.
I keep putting it off, I gettoo busy or something comes up.
So look forward to thatinstructional video so you guys
can get a look at lava and howit's going to work with the

(52:32):
leaps in the future, becauseit's going to be probably coming
out pretty soon.

Speaker 1 (52:38):
So and I also have a video already of how to make
artifacts Lava compliant andthen Heather's going to really
showcase the viewer and all thedifferent things that we're
putting into it.
Well, we is a lot of people.
There's a lot Johan and Kevinand James, but not me.

(52:58):
I'm not touching the Lava Code.

Speaker 2 (53:02):
Johan says, we will remind you.
Thank you, johan, thank you.
That's what I need.

Speaker 1 (53:14):
Other new things with the leaps.
What do you got?
Yeah, so.
So somebody had a catch up, asituation where the applications
were not showing us the stuffand and we I let me step back we
had a person in the leaps andwe I, so let me step back.
We had a parser in the leaps,but the parser needed updating.
And looking at the parser, theway it was extracting the data,

(53:38):
there was a better way of doingit.
So I took the opportunity forthe request and then remade it,
refactor it, and it's workingreally good now.
So it is interesting.
It's interesting because it's aSQL database, right?
Correct me if I'm wrong,heather, it is, and inside the
database it has Protobuf in it,right?

Speaker 2 (53:54):
It does.
And inside the.

Speaker 1 (53:56):
Protobuf there's JSON .

Speaker 2 (53:57):
Yes, yes, yep, so I can see it and I'm like, okay, I
need the data that is insidethe database, inside the
Protobuf, inside the JSON, and Iknow I can get it out of the
SQLite database.
But I called in reinforcementsfor the additional nested data.
It wasn't too hard.

Speaker 1 (54:17):
It's just that the previous Say what.

Speaker 2 (54:20):
No, no, you're good.

Speaker 1 (54:22):
Oh yeah, so it wasn't that hard to get out, as long
as you understand whatPortableFace, what JSON is, what
SQLite is.
And our previous parser wasdoing some casting that I didn't
like, so we just fixed it.
It's working really good, soI'm happy that that it does.
Everybody can benefit, benefitfrom that.
So so that's the cash app verynice.
And then, um, I did one for ourleap for the returns.

(54:44):
Um, snapchat changed the formatof their returns so, um, I did
one for for the conversationwith Snapchat.
I also make it Lava compliant,which is pretty convenient
Usually on this and correct meif I'm wrong, tell me about your
experience, but for me, themain two ones are the
conversations and the memorieswhen they get those returns.

(55:05):
I don't have a sample data ofthe memory, so I'm waiting for
someone to tell me hey, I gotsome data I can share with you
and then, with that, when Iprovide some examples, then I
can actually update it.
But for now I can only updateconversations, as the data said
that I had on hand for thelatest return.
So that's done.
So that's pretty good, nice.
And then there's a couple ofmore things that have been

(55:25):
merged about application stateDB and showing some metadata
about application usage in iOS.
I haven't had time to run itand test it, but I know it's
been merged because Kevin andsome of the folks on the team
also are able to do testing andmerge as needed.
So it doesn't have to be onlyme, thank goodness.

(55:46):
So we've got capable peoplechecking those out.
So I've got to test it myselfand see what other new data
points that needed.
So it doesn't have to be onlyme, thank goodness.
Um, so we got capable peoplechecking those out, so I'm gonna
I gotta test it myself and seewhat other new data points that
artifact has.
But it's for the applicationstatedb.
Really useful is the main wayof understanding what
applications are installed onthe device.
It maps the bundle id or thename of the application with the

(56:08):
uh folder directory where theapplication lives.
It also tells you what the appis and what the sandbox is, but
this parser adds additionalinformation from that database
that we don't have right now.
So that's pretty cool.

Speaker 2 (56:22):
Nice, I have to test that out too.

Speaker 1 (56:23):
And Lava is still going yeah, yeah, no, I had to
run it.
I had to run a couple of thingsto be up to date with all the
things that are changing.

Speaker 2 (56:33):
Nice, so look for the videos on how to use Lava
coming up shortly.

Speaker 1 (56:38):
No, it's going to be awesome.
I think folks are going to digit.

Speaker 2 (56:40):
Yeah, so we had an exciting day a couple of days
ago, right August 25th was thetwo-year anniversary of the
Digital Forensics Now podcast,so we've been doing this for two
years now, which is insane.
August 25th was the two yearanniversary of the digital
forensics now podcast, so we'vebeen doing this for two years
now, which is insane.
Yeah, with no fireworks in thecar huh, oh, what, what?

Speaker 1 (56:59):
No fireworks, how could that be?
Let's see.

Speaker 2 (57:01):
I don't know, I didn't see any fireworks.

Speaker 1 (57:03):
Well, look, look, I'm going to give you some, uh, I'm
going to give you some lasers.

Speaker 2 (57:07):
Oh, there we go, there we go.

Speaker 1 (57:09):
Warm it up and then, yeah, you go two years.

Speaker 2 (57:14):
Perfect.

Speaker 1 (57:16):
Two years yeah.
You can have one with cake orsomething, but you only have
balloons.
Now, if you're listening, I'mjust putting reactions on the
screen and there's balloons andfireworks going off.
So me being silly yeah.

Speaker 2 (57:29):
So yeah, two years, two years insane.
Um, I can't believe it's beentwo years.

Speaker 1 (57:32):
I'm a lot less nervous now you sure, you sure,
and and you, you.
Let's leave it there.
I'm just gonna make some jokes,but it's okay, so good oh, you
can, it won't hurt my feelingsno, no, yeah.
When we started, heatherwouldn't say a word.
She was really quiet, and now Ihave to fight her to just tell

(57:56):
me to shut up no, I I talk toomuch as this, so it's good.
It's a good thing that you'remore targeted now I'm just
trying to compete with you nowwell, that's a good thing.
that's a good thing.
I want that People are superbored of me right away.
So I appreciate you growinginto the co-host position and
you're awesome and I'm gladyou're happy.
So thank you.

Speaker 2 (58:17):
So for the two years of Digital Forensics Now podcast
, we're going to do a littlegiveaway for two people.
So I'm going to put up ourlovely little wheel here.
Let me share my screen.
Lovely little wheel here, letme share my screen.

Speaker 1 (58:30):
Thank you, johan, for the happy two years.
It's, it's, it's amazing.
We never thought we'd be doingthis for this long, or that.

Speaker 2 (58:36):
Oh my God, I know.

Speaker 1 (58:37):
Yeah, we really get, you know, value out of it, so
we're happy that that's the case.
All right, do it, heather, doit.

Speaker 2 (58:44):
Anybody, anybody who liked and shared the post I put
up earlier in the week will geta chance to win something that
I'm going to surprise you with.
So I'm going to spin the wheelfor our first winner.
And our first winner is Roberto.
Oh no, that's not what itlanded on.

(59:05):
Okay, my screen looks different.

Speaker 1 (59:08):
I think that's our winner.
Our winner is Roberto.
It landed on.
Okay, my screen looks different, I think.
Yeah, no, it's roberto, but thething that's our winner?
Yep, our winner is robertoorzocco oh, I can't see, I'm all
I can't see.

Speaker 2 (59:23):
All right, let me let me spin it for the next one,
yeah.
I think it's not landing on theright one.
Yeah, and Ashley.
Ashley is our second one.
Wow, wanted her to win it, didit, did I?

Speaker 1 (59:43):
know, ashley, I know.

Speaker 2 (59:44):
Okay.

Speaker 1 (59:45):
She's awesome, she's great.
I was going to feel sorry, likegirl, you, you, your name came
up, but then you didn't.
But then she actually won.

Speaker 2 (59:51):
really, yeah, I'm going with the two that the
pointer actually pointed to andthen I don't know what's up with
the Wheel of Names website butthe two that it actually pointed
to, roberto and Ashley I'llreach out to you on LinkedIn and
just ask you for your addressat some point so I can send you
some digital forensics.
Now.

Speaker 1 (01:00:08):
podcast swag oh I'm I'm so happy that actually
actually won all the merits inthe second run.
Definitely.
I don't know what's up with mywheel.
Bad for her.
Me too, I don't know what's upwith the wheel the wheel is
broken.

Speaker 2 (01:00:25):
Yes, um, so I'll reach out to both of you, the
wheel of misfortune.
Yeah, and now we're to ourfavorite part of the show, the
meme of the week.
So let me share the meme of theweek and I think everybody is

(01:00:48):
going to agree with us on thisone.
Let's see here.
Let's see it.
Here we go.
So we have, um, the groceriesall knocked off of the shelves
in the grocery store into themiddle of the aisle.
It is an absolute disaster.
And the meme reads also I needyou to finish this case that the
other examiner started.
I don't know how things havebeen going, and and this doesn't

(01:01:08):
just apply to work Like this iseverything in my life right now
, so I don't know how thingshave been going for you, but
this summed it up for me, whichis why I chose it.

Speaker 1 (01:01:19):
And then they have to take my case and all my notes
are done.
The notes of the exam are inpost-its and I'm like what is
this?
How are they supposed to go, Isthis?

Speaker 2 (01:01:28):
how this goes.
These are post-its.

Speaker 1 (01:01:30):
What the heck is this ?
I'm supposed to finish thiscase now, and then you know your
ears are ringing becausethey're thinking of you.

Speaker 2 (01:01:38):
It's just the.
Also, I need you to finish thispart, and it's in every aspect
at the moment.
So, the to-do list is insane.

Speaker 1 (01:01:50):
Yeah, the also word there really brings it home for
you.

Speaker 2 (01:01:53):
Yeah, it totally, totally, totally does.
I think you've kind of had thesame thing going on lately.

Speaker 1 (01:02:00):
Yeah, at a certain level, the work that we do,
we're kind of the cleanup guysin a sense, because you know,
something happened right andthere's some theories of what
happened.
But it's up to us, the folks onthe back end, to actually put
some of those pieces together ina really structured and
approvable way.

(01:02:20):
So we end up having to do thattype of work and clean up all
the time, all the time.
But it's good, it's all good,we do it with a good attitude,
hopefully.
Of course, always right, ofcourse, we don't curse or get
mad at other people.
I don't.

Speaker 2 (01:02:39):
So that's it.
That's all I've got Two years,two years done.

Speaker 1 (01:02:45):
Yeah, this baby is now what it's going to eat?
Solids now.
It's eating solids now, so it'swalking possibly, who knows?

Speaker 2 (01:02:53):
Terrible twos are over.

Speaker 1 (01:02:55):
Well, actually they're starting, so let's hope
they're not that terrible yeah.

Speaker 2 (01:03:02):
All right.

Speaker 1 (01:03:03):
Well, thank you for the show, heather.
Thank you, thank you for beingwith me and my crappy connection
from my car for the showHeather.
Thank you, be patient with meand my crappy connection from my
car.
We will plan for hopefully notanother month to go by, because
it's just slightly crazy, butwe're trying to do what we're
supposed to be and we'll let youkeep you all posted.
Follow us on the DetailForensics Now podcast.

(01:03:26):
Linkedin page for updates,heather's page, my page and
anything else for the otherHeather.

Speaker 2 (01:03:33):
That's it.
Thank you so much, everybodyfor tuning in.
Today at the strange hour wehave the podcast.

Speaker 1 (01:03:39):
Strange hour, strange day it's all good.
Thank you, take care, folks,see you soon.
Bye, there we go.
A different song for you rightthere yeah, we'll see you next

(01:04:20):
time.

All Episodes

Episode Transcript

Popular Podcasts

Stuff You Should Know

Dateline NBC

The Breakfast Club

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}DFN: 2nd Anniversary

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Stuff You Should Know

Dateline NBC

The Breakfast Club

All Episodes

DFN: 2nd Anniversary

Stuff You Should Know