July 31, 2025 76 mins

We're back! After a short break we are back to discuss the growing crossover between real-world events and digital evidence in court cases, highlighting how device data can make or break timelines in high-stakes investigations.

This episode covers:

  • Ian Whiffin’s latest forensic work, including iOS power log timestamps, Apple Health data reliability, iPhone battery temperature readings, and IR Doppler functionality – with examples of how these artifacts were used in a recent homicide trial to validate timelines and environmental conditions.
  • Kevin Pagano’s App Store Package Search tool, which translates obscure bundle IDs into recognizable app information for easier analysis.
  • Concerns over the growing reliance on AI in digital forensics, emphasizing the need for human expertise and proper validation in every step of the process.
  • A demonstration of LUMYX, a mapping tool that converts extracted location data into customizable visual timelines for courtroom presentations.
  • Updates on LAVA (LEAPPS Artifact Viewer App) and guidance on writing LAVA-compliant artifacts to improve reporting workflows.


Notes:

Ian's FOUR Newest Blogs
https://www.doubleblak.com/blogPost.php?k=powerlog
https://www.doubleblak.com/blogPost.php?k=healthaccuracy
https://www.doubleblak.com/blogPost.php?k=temperature
https://www.doubleblak.com/blogPost.php?k=doppler

Ian Whiffin Testimony
https://www.youtube.com/watch?v=kahgl-mIUFE

Kevin Pagano Stark4n6 app store package search
https://www.stark4n6.com/2025/07/introducing-asp-app-store-package-search.html
https://github.com/stark4n6

Elcomsoft Article - AI-driven Password Recovery: Myth or Reality?
https://blog.elcomsoft.com/2025/07/ai-driven-password-recovery-myth-or-reality/

Beyond the Badge: AI's Role in Modern Investigations
https://www.magnetforensics.com/blog/beyond-the-badge-ais-role-in-modern-investigations/

LUMYX
https://lumyx.com/

LEAPPs
leapps.org

How to make LAVA Compliant LEAPP Artifacts
https://www.linkedin.com/video/live/urn:li:ugcPost:7356497708628520962/

UFADE 
https://cp-df.com/en/blog/ufade_touch.html


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:17):
Welcome to the Digital Forensics Now podcast.
Today is Thursday, July 31st, 2025.
And my name is Alexis Brignoni, aka Briggs, and I'm accompanied
by my co-host, the educator-in-chief, the visionary
of the North and one of the Cassandras, like myself, of the

(00:38):
digital forensics world.
I'll tell you what that means later, the one and only Heather
Charpentier.
The music is Hired Up by Shane Ivers and can be found at
silvermansound.com.
Alrighty and look, I had a nice intro and outro.
I didn't cut it off like that.

Speaker 2 (00:58):
Yes, that was very good.

Speaker 1 (01:00):
What's up, Heather?
What's going on?

Speaker 2 (01:02):
Nothing, nothing. Long time no podcast.
Yeah, we've been busy, but everybody's busy, right? I know,
I think last time it was my fault, the time before it was
your fault and we just, yeah, finally, we have made time to
have another episode, so however this episode comes out, it's
gonna be both of our faults.
So that's okay, that's okay, it's gonna be good. Yeah, so so,

(01:26):
let me explain real quick.

Speaker 1 (01:27):
So so, Cassandra, yeah, it's a mythological figure and
she was really pretty, and Apollo was thought that she was
really pretty.
So he, he gave her the gift of prophecy, but she didn't like
him in return, right, so so his, her, her punishment.
You know, the gods are so fickle and I guess anti-woman

(01:48):
gave her a curse, and the curse is that she will be able to know
the future, but nobody will believe her.

Speaker 2 (01:54):
Oh.

Speaker 1 (01:56):
So, yeah, we suffer from some of that syndrome
sometimes, but it's okay, it's okay, we keep going on, we keep
marching on.

Speaker 2 (02:04):
Definitely, definitely.
So it's been a while.
What have you been up to?

Speaker 1 (02:09):
So let me think so.
I've been doing regular work stuff, which is fine.
I got invited to speak on my local ISC2 chapter.
ISC2 is an organization that, hey, look at that, that's me.
They're in charge of multiple industry-wide certifications.
The most well-known is the CISSP.
So that's pretty neat.

(02:29):
And I was talking there about log archives and it was
interesting because we started with log archives and we ended
up talking about a million different topics that had
nothing to do with log archives.
But eventually I brought it back in and then I gave
everybody a quick show of LAVA, which we'll talk about a little
bit later.
And don't worry, it's not lava from a volcano.
Speaker 2 (02:48):
We'll explain that later on in the show. It looks
like it, though. It looks like it, yeah, a little bit.

Speaker 1 (02:54):
It's hot, no, but it was good, it was a good.
Uh, it was a good day.
Um, as I said real quick that Johan is in the chat and Johan
is like the man, so we love him.
He's one of the main developers for the LEAPPs and LAVA from the
LEAPP site, so we love him.
Gio is the chat as well, Damien, so a lot of respect for Damien,
glad to see him there, and I hope Christian Peter is there as

(03:19):
well, so that's exciting and Matthew was in there before we
even started saying hi.
So yeah, so hi to everybody that's rolling in, so we
appreciate having you here. Nice.

Speaker 2 (03:32):
So I actually I did a conference since the last
podcast too.
I was asked to speak at the HTCIA conference about the LEAPPs,
and I think originally they're like oh, do you and Alex want
to do it?
But you're a little far away from Massachusetts so I went
solo. Hopefully I did it justice but got to go give a

(03:53):
presentation on the LEAPPs, how they work, what types of
artifacts they parse, how people can contribute to the project.
And then I did a little demo at the end of LAVA as well, to
show what the new format is going to look like and kind of
how it's going to work.

Speaker 1 (04:09):
Oh, that's fun.
Yeah, that's fantastic.
We're really looking forward to all that.

Speaker 2 (04:13):
Yeah, it was a.
It was a good time.

Speaker 1 (04:16):
Yeah, and you look so fancy in that picture.
Fancy, fancy, fancy pants, literally.

Speaker 2 (04:21):
I can dress up sometimes, yeah.

Speaker 1 (04:23):
Fancy smarty pants.
You got them both.

Speaker 2 (04:27):
Well, thank you.

Speaker 1 (04:28):
Real quick before I forget.
So you know, I saw Christian in the chat and Christian is kind
of working on like a little.
Everybody don't know Christian, great guy, genius guy he's
doing.
He made UFADE, which is a tooling to deal with iOS devices
and you can pull all sorts of data extractions and log
archives and sysdiagnose all sorts of things right.
So he's making a little like UFADE, quote, unquote, touch

(04:51):
where you can, you know, run the system and use a touchscreen
and do everything in an integrated thing.
So I'm really looking forward to looking at the build.
I think he has a blog post on it.

Speaker 2 (05:03):
He does.
I was trying to find the picture because it's so cool, so
I'm looking for it while you're talking here.

Speaker 1 (05:08):
Yeah hold on, I'm gonna, I'm gonna send the link
because here it is.

Speaker 2 (05:11):
I got it.
You found it okay, oh yeah my desktop is a mess right now let
me do a little share here.
Uh, share screen.

Speaker 1 (05:20):
Oh, you're sending it to me too yeah, just just just
a blog link, but I'll put that in the show notes.

Speaker 2 (05:26):
But there's the little.
He's got it all set up outdoors with the UFADE Touch.
I think that's hilarious yeah.

Speaker 1 (05:31):
I don't know what I mean In quotes.
We don't want to get well not we but we don't want him to get
sued by any other companies.
So, UFADE, what do we call it?

Speaker 2 (05:45):
UFADE, you know, screen, touchscreen or something
like that.
I added some more to make a difference.
Well, he has.
He has on his post.
I'm proud to introduce the UFADE Field Operator Connection
and Acquisition Kit.

Speaker 1 (05:54):
FOCA.
Is that it?

Speaker 2 (05:56):
Field.

Speaker 1 (05:56):
Operator Connection Acquisition Kit FOCA.
I don't know, it's funny because FOCA in Spanish is seal,
like a seal.
Oh, Anyway, we're digressing way off topic here, but no, so
it's pretty neat.
So I like that and I'm actually looking forward to doing my own
build and go for there.
So I have here Cacique is saying, if possible, it would be

(06:17):
nice Actually.
I could put this on the screen right.
It would be nice to see an example using a UFADE extraction
to create an iLEAPP report.
So thankfully we have a tester-in-chief in this show.

Speaker 2 (06:28):
I'm on it, that's not me, so that would be awesome.

Speaker 1 (06:32):
So thanks for the idea.

Speaker 2 (06:33):
Yeah, definitely Love doing the live demos so I can
screw up live on air.
It's fun.

Speaker 1 (06:39):
Yeah, it is.
It has been a really good time, but you have to watch all
episodes for that.

Speaker 2 (06:43):
Yeah, definitely.

Speaker 1 (06:46):
So let's get back on track.
So what are we doing first here?

Speaker 2 (06:50):
So some new blogs and actually they're a few weeks
old now because we haven't been live but Ian Whiffin has some
new blogs, four new blogs to be exact.
He hadn't had a newer blog in quite some time,
but um, anybody who's been
following the trial of Karen Read out of Boston uh saw Ian

(07:10):
testify to some artifacts and these blogs correlate with his
testimony in that case.
So the first um was about the current power log and monotonic
clock and the article focused on power log databases used in iOS
devices, uh, and that they use a monotonic clock timestamp format
different from the standard timestamp methods used across

(07:33):
iOS.
So the timestamps show elapsed time since boot, not wall clock
time.
And he goes on to explain how these timestamps work, how they
impact your forensic analysis and what you should keep in mind
when you're interpreting the power log data.

Speaker 1 (07:52):
Yeah, and I'm going to give my take on how I
understood it from a layman's perspective and the way I see it
is, you got your monotonic clock.
It kind of goes.
Imagine that you have your old school wristwatches that have
little quartz in it and it goes right as it goes.
Uh, with time, those, the time will drift right and your watch
will get out of sync with real time.

(08:14):
And we could discuss about what real time means.
Right, how do we measure time and how precise it is and how we
measure it in the past.
Now we have atomic clocks and time itself is relative to the
speed that you're moving.
But we're not going to go into any of that.
But the point we're trying to say is that, as your clock, for
many factors we're not going to discuss today, loses that

(08:37):
relation with what we consider to be the time to be at this
moment, we have to make adjustments to it.
Right, and that's something that happens in all sorts of
endeavors human endeavors that uses watches.
So the way the phone does is for those monotonic times.
It takes, uh, takes a note of the network time that comes to
your phone, right, and then it says okay, so this is the
monotonic time, the time that's kind of constant, independent of

(08:59):
the clock or the system clock, and then it's going to measure
when them, it's going to keep where that time was taken and
then the offset between the two times the quote unquote real
time and the time that the phone is kind of going off of
monotonic, and then that's kept in the database.
So what Ian shows is how to do that calculation.

(09:20):
He says okay, this is the monotonic time, go to this part
of the database, look for the proper offsetting time and then
do the calculation.
Of course I'm simplifying this.
You have to read his blog post and then you know what the time
is, so you can't just grab that time and say, hey, it happened
here, because it doesn't.
He does the example of turning on the flashlight on his phone,

(09:43):
which is not really the.
It's kind of the flashlight, but it's more like the flash
from the pictures.
And if you take the time as is, it's going to be off by days
and days, right, but after you do the calculations it has a
difference of five seconds, consistent five seconds, which
is how that artifact behaves.
Why does it do that?
Because that's how Apple made it, whereas other artifacts
don't have that five second delation.

(10:04):
But that's the point right, you have to test, make sure you
understand what do timestamps mean?
And he gives an example of the Magnet Forensics Axiom tool
which has that monotonic time, the real time, and then the
different calculated times.
As you go making those analyses, the base times and all that.
I read that article.

(10:25):
I think it's important If you're going to use the power
log for you know, to show activity, you need to understand
how to calculate those times.
Don't take the times as is, because you'll be wrong.
You need to do some math to figure that out.

Speaker 2 (10:38):
And definitely I mean it's showcased in the trial
that he was testifying about this and where, if you do just
put it in a report and send the report to court, it potentially
is going to be questioned by somebody who maybe doesn't
understand it that much.
So if you understand it, you can get out ahead of that for a
trial or court hearing.

Speaker 1 (10:59):
Well, and it speaks to something that we said a
whole bunch of times, right,heather, that if you say I say
smoking gold, quote, unquote,but things you're going to
present at court, you need toreally understand why you pick
them and what they mean, becausethere will be another, an
expert, that might know morethan you, and there's nothing
wrong right to question you.
There's nothing wrong to bequestioned by somebody that
knows more than you.
It will be nothing wrong if youactually know what you're

(11:23):
talking about, because in thatcase the person that knows more
than you at the end you're goingto end up what Agreeing, right?
If you're correct and theperson that knows more also
knows, then that person knows.
So we both agree, then right.
So don't be afraid of somebodythat might know more than you in
different things, as long asyou do understand the precise
things you need to talk about.

Speaker 2 (11:43):
Because if you have control over that all the rest,
who cares?

Speaker 1 (11:46):
At least you know, conceptually speaking.

Speaker 2 (11:49):
Exactly so.
Another artifact that was showcased in that trial and
there's a new blog on is the Apple Health Accuracy and
Reliability.
So this article, everybody take a look at it, because there's a
ton of testing and comparisons in this article.
But it evaluates how accurately Apple Health tracks steps,

(12:11):
distance, floors climbed and, like I said, it has the real
world testing that Ian performed and comparisons with academic
studies to assess that reliability.
And then I want everybody to read it.
But the conclusions at the end are that the number of steps
recorded is reasonably reliable.

(12:31):
Indicator of steps taken when walking the distance is not as
reliable.
So really take a look at those studies and do some testing
yourselves to kind of gauge that reliability in your own cases.

Speaker 1 (12:45):
Well, and it's kind of tough.
Right, because I can see, you can see steps being measured
based on the way the body moves.
Right, because you can measure steps in a treadmill when you're
not going anywhere.
Right, right, there's no movement on a treadmill, you're
standing in the same spot.
But the steps are counted right, so those steps are not in

(13:05):
relation to movement forward or backwards or to the side, so no
spatial movement.
So it calculates it based on certain determinations of the
sensors on the device.
Right.
But think about then, like the article goes on explaining in
different ways right, I am taller than you, a little bit
more taller than you, right?

(13:26):
So my, when I walk, I, my steps are gonna go farther than yours.
So well, my step might be one and a half of your steps right,
yeah, exactly and it's counted as one step for you and one step
for me.
So, but I'll get there faster than you, so what does that mean?
So it's in and that's the thing in.
In digital forensics we've been at least the old school folks
like us.
There was this vibe back in the day where it has to be binary,

(13:49):
one or zero, true or false, either this or that, and there's
a lot of gray areas.
Right, are those steps accurate?
Well, they are accurate.
Is this accurate?
Well, it depends.
What's the gait, the person, right.

Speaker 2 (14:00):
Yeah, exactly.

Speaker 1 (14:06):
How tall they are, how long are their steps.
So you know it's, it's uh.
There's some, some elements that we can't control.
We can only give uh reasonable approximations, and that's
something that we need to start opening our minds as examiners,
that not everything is a uh, true or false binary.
There's a lot of uh, of gray areas, and we need to account
for that in our analysis.

Speaker 2 (14:22):
It's funny you say the gait and the steps, because
we actually had a case where we needed to do some testing and
the analysts in our office, who was going to perform the
testing with Apple Health, was going around desk to desk to
find out who in the office was like five foot nine.
And she picked the person who was closest to the suspects to
the suspect's height to do her testing, and that was a really
(14:42):
smart move.

Speaker 1 (14:43):
Yeah, no, I liked suspect's height to do her
testing and that was a really smart move.
Speaker 2 (14:48):
Yeah, I like that.
I didn't know that story.
I like that story, oh yeah.
So one last thing, though, in the Apple Health reliability.
So there's a part in the article that talks about how
it's possible to record both steps and flights climbed while
you're driving in a vehicle and the device is being held.
So that's another thing to keep in mind.
Are you sure that the person was taking steps or going up a
(15:12):
flight of stairs?
Maybe, not necessarily.

Speaker 1 (15:15):
Maybe they were inside.
You know they were in London inside a double-decker bus as
they're going to the second floor of the bus, I don't know.
Geraldine's in the chat and she says that she also did that.
For a case, I'm assuming she had to get somebody with a
particular body type to do some testing.
So there you go.
Genius minds.
That's amazing.

Speaker 2 (15:36):
I'll have to have you compare your analysis with
Giovanna in my office, because she's the one that did that for
a case, so she would love to talk to you about it, oh you met,
Giovanna you met.
Giovanna, yeah, she's the one that was going desk to desk.
Are you five foot nine?
Are you five foot nine?

Speaker 1 (15:52):
I am not surprised that it was her.

Speaker 2 (15:55):
You can picture it.
Yeah, I totally can.
So Ian's next blog so we have four here so is the iPhone
internal battery temperature.
So in this blog, Apple iPhones include an internal thermometer
that monitors the battery temperature to manage safety and
device performance.
His post on this explores how closely the internal readings

(16:17):
reflect external conditions and he does controlled experiments
that test this, not reliability,
but test this functionality of the iOS.

Speaker 1 (16:28):
Well, I would say it's a new applicability, right?
Because obviously the phone and for folks that don't know, why
would the phone want to keep track of its own temperature,
Like for what purposes?
Actually, it's kind of funny because the phone needs to know

(16:52):
if it has a fever yeah.

Speaker 2 (16:53):
if it's overheated, yeah, if the phone has a fever
it's too high, yeah, the phone will, as you know, Heather, will
do what?

Speaker 1 (16:55):
yeah, it'll die or blow up or catch on fire?
Yeah, if you leave it, but the phone doesn't want to do that.
So the phone automatically does what?
Because it sells off right and I have phones that where I have
like in a dash and I'm talking to the dash and it gives you an
alert this one is too hot, I'm gonna shut myself down, and it
goes.
Yeah, it shuts itself down.
If it doesn't, like Heather said, it's gonna burn or
whatever, right, right so.
But notice how how smart uh this applicability issue, right.

(17:20):
So Ian thought, okay, it's, it's, if it's measuring
temperature, its own temperature, it.
It rests to reason that if I take that phone and put it on
the dash, it's going to get too hot, right.
If I put it in a freezer, it's going to get really cold, right?
So external temperatures have to affect in some way those
measurements beyond whatever the baseline temperature of the
electronics of the device are, and that's genius.

(17:43):
I was like, oh my God.
So you look at a phone functionality and you can be
creative and do your testing, like he did, and see what that
tells you about the real world around it.
What's happening in the 3D or 4D, with time world that it was.
And again, the example that we would be using, based on this

(18:06):
post, is the current retrial,where the phone was outside I
say outside, like in the snow,for a certain amount of time.
So would the logs pick up thatcoldness, right?
So that's amazing.
You can tell a lot of where thephone was based on the
temperature, right?
If it was hot in the snow, thenmost likely it wasn't in the

(18:29):
snow, or vice versa, was it coldinside a warm place, then it
wasn't inside a warm place.
I thought it was an amazinganalysis and a really creative
use of finding new applicabilityto an artifact that most of us
may have overlooked as notimportant.

Speaker 2 (18:43):
Yeah, I don't think I would have thought of it
because I mean, this trial was a homicide trial.
Why?
Why do I care what temperature the battery is?
Um, but it, if you get a chance of anybody listening, gets a
chance to just go watch that part of the testimony.
If you don't want to watch the whole trial, you can find it on
the Court TV YouTube.
But the the internal battery temperature testimony was one of

(19:05):
my favorite parts of his testimony in this trial.

Speaker 1 (19:08):
Oh, absolutely, and we're going to put.
Folks are asking.
I tried to put the links on the chat and it came out really bad,
so I'll have it in the show notes at the end too, yeah.
Yeah, they'll be there, but I'll be helpful.
I'm putting there for the folks that are live right now and it
just it came out really bad.
So, like Heather said, there'll be at the end of the show.

(19:29):
You can grab it from there. All the links.

Speaker 2 (19:30):
Yeah, definitely.
Um, and so the last one, the last new. His post is exploring
the front IR Doppler function of an iPhone.
It's a motion detection process that triggers when iOS suspects
the user is attempting to unlock their device.

Speaker 1 (19:54):
I completely had a misunderstanding of what the
pocket state meant previously,but it's literally looking to
see if they're attempting to unlock their device in different
manners and like and what, what, what, what manners?
Can you give us a quick?

Speaker 2 (20:09):
I can, so I'm just going to take this right from
Ian's blog, but definitely go read it, cause it's awesome.
So it can.
It's triggered by the device screen being touched, the side
button being pressed, raising to wake or receiving a call, among
a few other things that he has listed here, but the one that I
kind of hone in on is the side button being pressed, because

(20:31):
that is the artifact that was presented in that same case that
we're talking about, the Karen Read case, and this artifact was
used to show that the side button had been pressed. Right.
Speaker 1 (20:44):
That's insane.
I really picked up on the factthat when you take the phone and
you look at it, you'reattempting to open it and it has
Face ID, it will open.
But I always find itinteresting because you know, if
you see infrared cameras, whenthe infrared functionality is
enabled and you're recording aspace, somebody works with the
phone and that phone isconstantly, like you know,

(21:06):
flashing infrared to your faceand you can see it.
Phone is constantly, like youknow, flashing infrared to your
face and you can see it and it's.
It's so some a little bitunnerving in a sense, because
you're there in somebody sittingin the dark looking at their
phone and that thing is justflashing your face with infrared
all the time.
Yeah, um, so how, how, how doesthat that interaction between
that light I say light, but waveemitting source, right, and how

(21:27):
does that reflect in regards tothe intent of the user or when
they hit the button?
It's interesting stuff.
You need to read this, folks,and kind of have an awareness.
You might not need it today butyou will definitely need it
tomorrow.
The convergence between digitaldata and events in the real
world.
They're coupled, they'recoupling even more and more and
more in court cases, and we saythat because, again, as they

(21:50):
should we have experts both onprosecution and the defense side
, and the level of expertise isrising.
The tools right now are givingyou more to think and analyze,
so you need to up that knowledgeand you have to really be aware
of stuff like that.
That's on the cutting edge.

Speaker 2 (22:06):
Yeah, and I didn't say this for the iPhone Pocket
State, but that is actually out of the unified logs.
So we previously spoke about the unified logs and the
importance of analyzing the unified logs and the fact that
it's not so easy to analyze those logs, but we gave some
indications on how to make that process a little bit easier.
So if anybody's looking to um looking to read more about that

(22:30):
too, Alexis has a blog on how to process those and and put them
into an easier format to view using the LEAPPs, so go right out
to his blog for that.
I'll put that in the show notes too.

Speaker 1 (22:42):
Yeah, and a quick note there DoubleBlak, um,
that's Ian's blog.
Um, even Geraldine, another great expert here from Central
Florida, she says that Ian is on fire even helping validate some
stuff in her case, and he's such a great guy, great resource
to the community, so I appreciate all the work that he
does. Yeah, I agree, Geraldine.

Speaker 2 (23:02):
I've had his help like three or four times in the
last two weeks and I don't know how he finds the time to answer
all of these questions.
Sometimes I almost I'm like, almost feel bad.
Am I harassing him?
Because I know like 40,000 other people are harassing him
right now too. Well, it's, it's, so it's harassment all the way
down, because you have a same, and then people harass you and

(23:22):
another person harasses the person that harasses you.

Speaker 1 (23:24):
We're all.
We're all.
I mean harassing not in a in a in a bad way, right yeah, in a
good way absolutely if there is.
We're just asking questions to each other.
Let's not use the word harassment.

Speaker 2 (23:35):
It has it has another meaning in the world I feel
like I'm harassing is why I use that word.

Speaker 1 (23:40):
So no, let's just say you're bothering him, it's much
better okay all right, yeah, um, but so, yeah.

Speaker 2 (23:47):
So the the blogs are excellent.
You have to go check them out, um, and I'll put the links all
in the show notes, because these are some really great artifacts
that hopefully, um, as long as people know about them, they can
be used in other criminal cases or whatever type of case you're
working on. No, and their reference materials.

Speaker 1 (24:05):
Um, I I go to his blog all the time because I know
he did some work on some hc stuff or whatever it was that I
need and it's a great reference.
Uh, yeah, source, so go check it out. Yeah, definitely.

Speaker 2 (24:16):
Um, let's see what we have here.
Kevin Pagano, Stark4n6, has a new tool called App Store
Package Search.
So the App Store Package Search.
I I'm going to actually showthis one.
Let me find it here.
Yeah, go ahead.

Speaker 1 (24:34):
Just a quick question, Kevin again.
Kevin is a friend of the show, obviously, and he also worked
with us in the LEAPPs, so you have heard about him throughout
all our episodes, so he always keeps coming up with new stuff.

Speaker 2 (24:46):
Yeah.
So it's a Python-based GUI tool built by Kevin and it allows
users to query the Apple App Store bundle ID or Adam ID,
supporting both single entries and batch lists, and then it
outputs into a few different types that we have.
It'll output directly to the console, to a text file, to a

(25:08):
SQLite database or to both a text file and a SQLite database.
So I grabbed a couple of bundle IDs just to kind of show you
how it works.
I'm just going to copy one here, if I can get it to go in.
There we go dot com dot.

(25:32):
toyopagroup.picaboo.
If you don't know what that is, it is Snapchat, which there's
not really an indicator in that bundle ID what it is.
But this tool, if I do the run lookup, will show you
information that one didn't work for some reason.
Oh, I'm not on bundle ID.
Make sure you choose bundle ID and then hit run lookup and
it'll show you information about the application.
So current version, release date when it was initially

(25:54):
released, the track name is Snapchat, so we now know that
that's the Snapchat application, along with the URL and then
like just a general idea of what the app is used for right there
on the screen in this tool. Super quick, super easy.
You can take that information right out of your extraction,
throw it in this tool and have all of those details at your

(26:14):
fingertips.
fingertips.

Speaker 1 (26:15):
Yeah, and for folks that are not familiar with
bundle IDs, that's the internal name of the apps, like Heather
was saying, the Peekaboo ICU bundle ID.
It's actually Snapchat, right.

Speaker 2 (26:26):
Mm-hmm.

Speaker 1 (26:27):
And same thing with Discord.
Discord is musically something, something right, yeah, musically,
yep, yeah, so.
And again, you'll see this bundles ID that show up in
different databases and you might question yourself what is
this app?
I have no idea.
And they start like a URL in reverse, like
com.whatever.whatever, as opposed to a URL that ends in com.
This is the opposite.

(26:49):
It starts with com, so COM, so yeah, you can put it there.
It will answer those questions and, like Heather said, a whole
bunch of more information that you can use in order to
understand the use of the app on the device.

Speaker 2 (27:02):
Yeah, and you know, helpful, definitely in the
investigations.
But I always use the example, like the application
usage artifacts.
Usually the application usage artifacts show that um bundle ID
and that is what was being used.
Is your prosecutor, or whoever your report is going out to,
going to know what com.toyopagroup.picaboo is?

(27:24):
They're not.
So we can use this to then give a little bit of context for our
reports for people who may not have that knowledge on what what
these mean.

Speaker 1 (27:34):
Absolutely, and there's a whole bunch of.
I think I know this one, but I'm not sure.
Put it in yeah, get the, get the right name and carry on.
Definitely.

Speaker 2 (27:41):
All right, Let me, I'm going to just pop up real
quick there.
Pop up real quick.
There's a blog on it too.
So on stark4n6.com there's Introducing ASP: App Store
Package Search.
So if you want to learn more about it other than what I just
said, go read the blog, and then the application itself is
available on Kevin's Stark4n6 GitHub page.

Speaker 1 (28:05):
Yeah, Kristen is saying that there's also a,
sorry, that's so good, I'll pull it up.
It's also the, uh, recommendation.
V9 parser has only atom IDs, which is fine.
It's a good thing.
My both checking out, but I think, uh, Kevin's also.
You can also search by atom ID if you can.

Speaker 2 (28:24):
You can, yep, you absolutely can. So, so you got,
you got.

Speaker 1 (28:27):
You got those both ways of doing that.

Speaker 2 (28:30):
Right, all right.
So let's see here: AI. Would it be a Digital Forensics Now
podcast if we didn't talk about AI?

Speaker 1 (28:43):
Would it be Thursday or any of the other week?
Would it be?
There's no AI involved, of course not.

Speaker 2 (28:48):
So we were talking before the show and we have a
couple of topics right now on AI, and I said I'm going to
promise anybody who's listening or viewing tonight that the next
podcast will be completely AI free.
I'm not going to utter the word one time, and Alexis says that
he can't abide by that same rule, so I'll make the promise for

(29:08):
myself that the next podcast is going to be AI free.

Speaker 1 (29:13):
Look, look.
I am that voice in the desert preaching constraint, preaching
slowness in regards to these technologies.
I'm the one that says just because they exist doesn't mean
that we have to, you know, buy into all the hype.
We've got to really assess it and take our time doing things.

Speaker 2 (29:32):
But but it seems like it's.

Speaker 1 (29:34):
It's the only thing people talk about anymore. Yeah,
no, I mean, there's a lot of marketing, right? I saw, kind of
off topic, but there's this lady and she's recording,
yes, somebody's driving, she's in the passenger seat.
She's recording all the billboards on the street and
she's like, all the billboards are about AI.
Gemini and ChatGPT, and even your hospitals are now using AI,

(29:57):
for whatever reasons, and there's a big marketing push for
these technologies, because I think, me opining,
when you go into something, you're going to try to make an
ROI, a return on investment, on it.
So this AI thing that we did, we jumped in more.
We've got to get something out of it, right, so let's advertise
it, but that's neither here nor there.

(30:17):
Yes, there'll be some AI here and I don't think we'll be able
to avoid it, but maybe we can.

Speaker 2 (30:22):
For next episode, we're going to try, we're going
to really try. I'm going to write out the topics and not let
you contribute to the topics next week. So what if it's a
good rant?
If you send me an AI topic.

Speaker 1 (30:37):
I'm going to veto it. All right.

Speaker 2 (30:39):
But we'll see if it's really good.
Maybe I'll change my mind.
So first AI topic.
Elcomsoft had an article recently.
"AI-driven Password Recovery: Myth or Reality?" was the title,
and the post explored whether AI can meaningfully enhance
password recovery within digital forensics.

(31:00):
Talks about the LLMs, can they suggest password formats or
rules which might help guide wordlist generation?
But then it also takes into account that they don't actually
crack passwords.
They lack the real-world user context and the guesses are
often too generic.
So what are your thoughts on that?

Speaker 1 (31:22):
AI in general has no context.
I don't know if you, maybe you have, I'm going to tell you, to
tell me if you're not.
I'm talking to the ChatGPT thing or the whatever generative
AI. Because, again, make the point, we're talking about
generative.

Speaker 2 (31:33):
AI.

Speaker 1 (31:33):
AI is really encompassing and not everything
uses LLMs.
Like, LLM and AI are not synonymous.
So, anyways, I digress, and I'm talking to it, asking some
questions and say, and change this, change this, change that
from whatever you said.
Change.
And at a certain point the LLM loses track of what the topic is
and it comes up with some crazy thing.

(31:55):
I don't know where. I'm like,
I have to constantly remind the thing, give it context. Based on
the exercise where we did this, this and that,
therefore this, this and that, right, to kind of keep it on
track.
Yes, my assumption is that there's so many tokens that the
system can hold in order to operate with the request that
you're giving it.

(32:16):
And if you go beyond that threshold, as time goes by,
whatever's way back in, quote unquote, memory is lost, yes, so
even when you're talking to it, it loses context, right.
So again, that speaks to this whole,
I'm going to go into a little mini rant, this whole concept of
I'm going to just ask questions and the thing will know what

(32:36):
I'm talking about and will give me the results I want, and if
the results are not there, that means that they don't exist.
That's a fallacy.
You got to be really careful, because as you're interacting
with the systems, the system itself will lose track of
context, because context is not a thing. The AI doesn't
understand, doesn't think, there's no formal reasoning.
You might be able to open its working space to more tokens and

(32:59):
that's fine, but that doesn't mean there's an understanding of
context.
Right, look, if there's anything contextual within the LLM
training data,
it might not be what you expect, right?
That's why we see LLMs,
when women ask for information, for example, how much should I

(33:20):
ask, salary-wise, for a position, right, versus a man:
how much should I ask, salary-wise, for a position, both being
the same position, the LLM lowballs the female and
highballs (that's a word? I don't know), but tells the male to ask for
more but tells the female to ask for less.
Okay, it's like, where'd that context come from?

(33:41):
Right, from society.
The LLM is within it, right? Right, so there's context in
between what the tap is happening now and the context of
how the thing has been trained, and it's just, from my
perspective, autocomplete on steroids.
It will autocomplete that request based on that context
that has been, quote unquote, training.
So I guess, long story short, I'm not surprised by Elcomsoft

(34:04):
accurately noticed and noting that the system lacks context to
give you meaningful iterations of passwords, something that a
human can do.
And Geraldine, she's on the show.
She is amazing at that.
I don't know, I think she does magic or something. She's like,
"I know this about my suspect, the password might be this one."
Boom.
And it happens to be. Like, how do you do it, girl?

Speaker 2 (34:26):
Oh, I love that. We have one of those in our office
too.
That I, I just can't believe it.
They'll, they'll guess the damn password.
I didn't know Geraldine did that, so that's awesome.

Speaker 1 (34:36):
A couple of cases. That's awesome. That's, that's no,
that's no LLM, that's a human, human power going there.
So, right, and again,
I don't want people to think, yeah, I'm always, you know,
urinating on conflicts, the AI conflicts. Yeah, I do.
But I do recognize,
I think I can say this for both, you correct me if I'm wrong, but

(34:56):
there is a place for generative AI.
There's some things that can help, right, definitely.
But if you believe the hype, you're going to depend on the
generative AI way more than you should and you're going to start
then making wrong assumptions and committing
mistakes.
Mistakes will be easily avoidable and then you'll be, in
the best case scenario, embarrassed.

(35:17):
In worst case scenario, you'll be in really big trouble.
Yeah.
Like kicked right out of court.
Yes, yeah, and even worse.

Speaker 2 (35:28):
Potentially, permanently.
Yeah, yeah.

Speaker 1 (35:31):
No, I mean, and I was saying in his articles, yeah,
that the consequence, the personal consequences, are
immense, right, but the consequences to society of a
person that's innocent being convicted or a convicted person
going free, right, right, right, beyond, and you're correct, but
also beyond the effects of the person committing, not committing
but doing the analysis with an LLM tool, right.

(35:53):
So a lot at stake here, and that's why we need to think and
not just outsource.
We've got to go through a really thoughtful process on how
we integrate this technology into our workflows and if we do
that, and which I'll have more crap to talk about in the next
segment. Yeah, just a minute, right? Just a minute.

Speaker 2 (36:13):
You know I use it.
I use it for things, but I definitely try and minimize it.
I don't want to use it in casework.
I just, I don't want to. Do I utilize it and look and see what
the results are?
Yeah, right now I'm actually doing a comparison on how, like,
media categorization works in the tools we use and it's taking
me some time, but it's,
it's also like I'm not.

(36:35):
It's not there in my opinion, but we'll see.
I'm not done testing, so I don't want to like crap all over
it.
You know what I mean.
But, but I'm just,
it's just not something that I want to use.
I feel like I have a better handle on the way I want to
categorize my media myself, versus letting something else do
it for me.

Speaker 1 (36:55):
Yeah, and again that's a whole conversation
about false positives, false negatives and error rates, which
we can do a show on that later.
But you have to be really careful. I like,
so I did a blog post and I got, I did my blog post, I did it on
my own, I organized it how I think, but they have to do a
slide deck on it and I'm like,
so what I did was, I have Prezi, has a little AI on it.

(37:19):
I fed it my blog and then it made me a nice, you know, kind of
placeholders with the topics.
And again I have to go through it and do things, but it was
easy in the sense that, oh yeah, this actually flows with
my blog post, but it's my blog post, right, right.
So I find value on that.
So that way I can do my slides way faster than me trying to do

(37:41):
the organization.
How many slides do I need?
Because the AI takes my own content and then kind of
categorizes it in a way that's fit for a presentation.
So I do think there's value there, don't get me wrong, and
that's why I did my presentation for ISC2 and I think it came out
pretty good.
Um, but what I, what I want to do, I don't want to do, is have
the AI tell me my presentation, um, for example, uh, yeah, for

(38:04):
You don't want it to write the content?
Yeah, yeah, I mean, and again, it's, the temptation of doing
that is strong. At some point,
I'm going to run a little off topic here.
Have you heard about the dead internet theory?
You know what that means.
So imagine an internet where all this content is created by
machines, right?
Yep, the blog posts and, as you know, a lot of machines go into

(38:27):
the comments and comment on those blog posts, right?
So at some point the internet is going to be machines putting
content and other machines responding to that content.
Oh, geez, right, and actually that's kind of happening, right,
yeah, I see a lot of bots answering on different things
and with generative AI, I see, at some point people will get

(38:47):
tired of all the fakeness, because, like, uh, X has, uh, now,
like, uh, you know, generative AI thing, it's called Grok or
something, and you can make, like, a fake girlfriend or
some sort of female companionship.

Speaker 2 (39:02):
You seen that in the news? I think I've seen a couple
headlines on it, but I immediately passed those
articles over.

Speaker 1 (39:11):
We both grew up when there was no internet, so maybe
we're inoculated because of that.
We had to live most of our lives without internet.
But the point I'm making with that is, at some point, all this
AI interaction among AI, people will leave the internet and that
will put a premium.
From how I see, the conclusion of this argument, which I think
there's some truth to it, is that there will be a premium on

(39:33):
human interactions because we'll be surrounded in a sea awash in
fake AI posts and comments and articles and blog posts and
presentations that people will not know what to trust and they
want the guarantee that a human, a person made this, or talk to
this artisanal content made by humans, right, which to me means

(39:56):
look, if you're in this field, really work on your people
skills, work on doing the best content that you do that shows
your experience and your humanity, because there will be
a premium for that.
No artificial, quote-unquote, intelligence is a substitute for
that human interaction and the human experience.
No matter how much the AI tries to replicate it, it will not be
able to.

(40:17):
Um, because that's another philosophical point, I'm gonna
leave it there. So, so, yeah, so I mean, I even, I kind of halfway
remember why I brought this up, but, um, again, that speaks
to, in this career, make sure that your humanity, your
humanity shines through when you, when you do your presentations
and your case studies, or you present a court to your
prosecutors and on the like.

(40:37):
Bring your humanity with you, your perspective.
Don't, don't think that packaging AI content is gonna
take you somewhere, because at some point everybody will be
doing the same.
And, and what are you bringing to the table?

Speaker 2 (40:47):
You know, nothing, exactly. More dead internet
AI, no, thank you.

Speaker 1 (40:50):
To keep going with the AI topic.

Speaker 2 (40:57):
So recently, Magnet actually did a blog, Trey Amick
and I don't remember who else it was, but they did a blog on
"Beyond the Badge: AI's Role in Modern Investigations".
So they kind of hit on how AI is now a core aid in policing.
It's handling massive, uh, complex data sets, um.

(41:19):
It's looking for patterns and links faster than a manual
review, uh.
And then it talks about automating transcripts, keyword
scans, cross-evidence association, triaging and
prioritizing items so investigators focus on the
higher value tasks.
Talks about media integrity and Magnet's, actually, their tools

(41:39):
that integrate the media, how to detect manipulated images and
videos and identify likely generators.
Um, talks about text analysis.
They hit on the bias, um, in AI and they hit on, um, crime
analysis.
So combining crime, uh, crime stats, social data and other

(41:59):
factors. Um, that's a lot.
That's a lot in one article.
But I'm just going to hop back real quick to the, um, to the
very first thing I said, where it's becoming a core aid in
policing, handling massive complex digital evidence and
surfacing patterns and links faster than manual review.

(42:20):
I'm not sold on that sentence.
I'm not sold on the fact that it's faster than manual review.
And the reason I say that is just some of the testing I've
done on some of the different functionalities, and I'm not
speaking of Magnet specifically either, it just happens that they
did the blog on this, but across the board some of the
(42:42):
functionality, I'm finding that my manual review is actually
faster, not always, um.
It definitely is a good tool to use as an aid, um, but
sometimes it's, I guess, going back.
You're gonna have to go back and do that manual review anyway
in some circumstances, and what time is it really saving me?

Speaker 1 (43:05):
So that's my take on that. No, and I agree, and I like
how you put it because you said, I like what you said:
so I have to go back, right? And what we're doing is we're
taking the tasks we used to do upfront, right, with the
analysis, the checking, make sure it's correct, to get to
conclusions.
Now we're asking the system to give me the conclusions and

(43:26):
we're putting all that to the end.
Right, are we saving time?
No, I mean, we're just putting, moving it from
here to there.
Now, that being said, that's the assumption that the person
running this thing will care to now put it on the end
and doing it at least in the old way of doing things, quote
unquote old way of doing this.

(43:48):
To get to the conclusions, you need to do some upfront work,
but when you get to the conclusion because the magic box
told me so and you go to the verification, and I use
verification purposely, not validation, verification
purposely, you go to the verification stage at the end,
what I foresee, and tell me if you agree or not, is a lot of
people are just going to skip it altogether.

(44:08):
They will feel happy and dandy with the answer and never care
to check if the answer is actually supported fully based
on what's there.

Speaker 2 (44:17):
Looks good to me.

Speaker 1 (44:19):
It makes sense.
Next, go make the arrest, right?
What next?

Speaker 2 (44:25):
Yeah, no, I absolutely agree.

Speaker 1 (44:26):
Yeah, you will save time if you decide to ignore the
later part of the process.
Right, and that tells me, in regards to higher value tasks,
what's a higher value task?
So let me see, I'm going to ask you, I don't know how that works
in your organization, but, for example, making the analysis.
So let's say there's some chats and see how they're really
correlated to the crime.
Is that something the examiner does or the investigator does?

Speaker 2 (44:45):
So it depends.
There are times where it'll be like a collaboration, so they
may have the reader and they may be looking at something while
I'm looking at something, but I would say most of the time it's
the examiner.
We're doing, we're reading the chats.

Speaker 1 (45:04):
Well, with AI, I think, I believe it's going to
change, right?
The examiner won't be, so think about this.
Right, in order for the generative AI LLM to give you
answers, you have to ask it questions.
Who's the person that knows most about the case?
Is it you or the case agent?
Right?
A case agent in my situation?
The case agent, right?
Yeah, absolutely, this person will do the questions, right, and

(45:26):
they will upfront that with that interaction.
It's not going to be with you, the examiner, it's going to be
with the artificial intelligence, and they will get the results.
They will get excited and they will dump it, hopefully, if they
do that, because they might go with it on you to make sure that
things are happening how they should.
And that's a big shift I see in how we are solving these cases.
First, because if the person getting the answers from the AI

(45:51):
is the investigator, is a case agent,
that person has no idea how LLMs work, how to go about
asking it, how about maintaining context, which you mentioned a
second ago, with the LLM, so it could get a proper response if
there is one to be done.
This person doesn't know how to verify if there's some
responses that have not been considered, not considered, but

(46:14):
included in the LLM's data set.
In a sense, there is a whole bunch of things, and when we're
going to present this at court:
How was this obtained?
Well, the investigator asked the LLM some questions.
Well, can the investigator explain to us how the LLM works?
Well, I just put questions.
That gives me magical answers.
There will be a realignment on how our work processes are done

(46:35):
if generative AI becomes that abstraction, because it's an
abstraction that we're adding to it, because it plays a central
role in our workflow.
We're moving verification from the start to the end.
We're moving the interactions away from the examiner and
dumping them, making prompts, to the investigator, and then the

(46:57):
examiner comes on the back end trying to make sure that that
thing is accurate.
And that's the saving time there.
The more I hear about how these processes are imagined, how
they could change, I don't see a lot of time savings there.

Speaker 2 (47:17):
I just see opportunities for folks to cut a
lot of corners and hoping that things go well.
I 100% agree with that.
100%, the cutting the corners comment, 100%.

Speaker 1 (47:25):
And look, again,
people might tell me, well, this is here to stay.
And that might be the case.
No matter what we say, it's like,
well, you know what, since the folks at DFN, the DFN now, said
that this is not a good idea, then we're going to shut it down.

Speaker 2 (47:40):
Yeah, that's not going to happen, that's not
happening right.

Speaker 1 (47:43):
So, yeah, it might be here to stay, that's fine, but
then we need to be really conscious in how do we train
people, what are the protocols, the best practices
that we adhere to, because if we don't, the courts are
going to impose it upon us and it might not be the most
scientific way of doing things if we don't get our act together.

Speaker 2 (48:04):
Agreed, are we done with our AI piece?

Speaker 1 (48:09):
I got more ranting in me, but I think that's been
enough.

Speaker 2 (48:12):
I think we've hit it.
We've hit it yeah.

Speaker 1 (48:15):
I have enough for next episode. Ah, no.

Speaker 2 (48:21):
So, all right, let's totally shift gears away from AI.
I don't know who out there has heard of LUMYX.
Who hasn't heard of LUMYX?
But if you haven't, you're going to want to check it out.
I first heard of it and I think you did too, right, ed.
I did. Oh, you've got a little present from them.

Speaker 1 (48:41):
Yeah, they were handing out to the attendees.
It's a little, like, 3D printed.
It's like dragons with a snake, you know, kind of a dragon.
It's just basically the wings.
But it said here at the bottom, made by LUMYX.

Speaker 2 (48:53):
Oh, I didn't even realize that was on the bottom.

Speaker 1 (48:56):
Yeah, yeah, attention to details, girl.
What am I telling you?

Speaker 2 (48:58):
I didn't get one.
I'll have to go back.

Speaker 1 (49:02):
Yeah, tell them to make, you know, for the next
conference.
Go grab one.

Speaker 2 (49:06):
There we go, there we go, there we go, so LUMYX.
So Alec Hurst and Phil Thrasher both previously worked at
Grayshift and Magnet and now they've co-founded together the
company LUMYX.
I'm going to give a walkthrough of what that is right now.
Let me get my screen up here, all right?

(49:27):
So this is the website for LUMYX and just a brief
background.
I talked to Alec today.
They describe themselves as nerdy builders.
Their goal is to build a truly valuable tool to accommodate
everyone.
They believe there are still so many things to be built in this
industry and they're working with law enforcement to

(49:48):
understand what it is law enforcement needs, which I
absolutely love.
So, LUMYX, I'm going to pull it up.
You go to the LUMYX website and create a login.
Let me just log myself in here real quick.

Speaker 1 (50:04):
No, I'm not going to share my password, as opposed to
all the times that you have.

Speaker 2 (50:09):
Yeah, I know.
So once you create an account on LUMYX, you can sign in, and
this actually brought me up to their sample.
So what LUMYX is, is you can feed this site data to map.
All you do is go to the top and click create case.
So we'll just create a test case. Test case, I think I'm on

(50:31):
like test case six or five or something. We'll do.
Five or six worked.

Speaker 1 (50:36):
New folder 10.

Speaker 2 (50:37):
Yeah, new folder 10, exactly.
And then you do save and open.
When you do the save and open, over here on the right-hand side,
it tells you what types of files you can upload.
So what they currently support are UFDR files.
So, the Cellebrite Reader, you can drag the entire UFDR right

(50:59):
onto the click to upload part, or drag and drop part, and it
will process your UFDR.
It'll also support KMLs, so it'll support KMLs exported from
your tools like Cellebrite, Magnet, Berla files.
It'll support all of those KMLs and then any other KML that you
(51:19):
might have that you want to drop into this software.

Speaker 1 (51:23):
It just needs to include the latitude, longitude
and timestamp for this tool to process. And a quick point here
for folks that are listening and not watching the podcast, but
listening to it.
The tool, I like.
It is like a mapping application.
It's kind of dark mode-ish, which I love, the dark mode-ish
thing, right, and you see a map of the United States and an option

(51:45):
to upload the different data formats that Heather has just
been explaining.
So really, really, really slick. Nice.
I can see that, you know, being used in many, having many use
cases. Definitely.

Speaker 2 (51:57):
So earlier today I dragged a UFDR, a reader file,
from my test phone into the tool.
I did it ahead of time because I thought it was going to take
too long to demo on the podcast.
However, it processed my UFDR in about two minutes.
It was an entire UFDR file too.

(52:18):
So one of the things I asked Alec about today is, will there
be an offline version?
And he said eventually, but not for now.
And he made it a point to tell me that dragging the UFDR into
the engine works in the browser and it's only taking the
location data from that UFDR.
It's not touching any of the other data that may be present

(52:39):
in your UFDR.
Does that mean it's okay to take your files and upload them
to the site?
I can't answer that for anybody listening.
You have to go by your department's policies and your
SOPs.
Yeah, go ahead.
No, no, you go ahead.
I interrupted you.
I'll just say I use my test data for the purposes of this

(53:00):
presentation.

Speaker 1 (53:00):
I mean, I can see, I mean it shouldn't be too much of
a hassle for them to come, you know, for a law enforcement
version that's on-prem or some sort of cloud that's
controlled by the agency and not by them.
So I'm pretty sure that, I mean, I'm talking out of turn here,
but I'm pretty sure that should be no problem down the road.

Speaker 2 (53:19):
Right, and it sounded like that was already on their
radar, so that should happen.
I do want to say, before I start showing you the mapping
tool, that the price is right right now.
It is free currently, so they're allowing all of the
functionality to be free for individual accounts.

(53:40):
It's completely unrestricted, and the idea that they have
behind that is to make a great product that people can't live
without, is what Alec said today.
They're looking for feedback, they're looking for input.
They're very receptive to feedback.
I've already sent an email, and so have other people in my
office.
There's a feedback tab right on the screen.
You can see it up toward the top.

(54:01):
That goes right to Alec, and they get back to you immediately
and want to talk about not just issues you're having with the
tool, but maybe things you want to see in the tool or things
that you like or dislike about the tool.
They're very open to that criticism, constructive criticism.
So this is from my UFDR.

(54:24):
If anybody tuned into the last podcast, I talked about my
Easter trip to my parents.
I'm using the same data, the same data set.
So just a few of the different things you can do with the tool.
If you come down on the bottom, there's a filter, timeframe and

(54:45):
sources.
So let me just get this to come up here.
Ah, there we go.
Good, the sources appeared.
So you can change the name of your project here.
You can set a timeframe.
I have it set for April 19th because I knew I had a good
location set there.
You could set it for the date and time of your incident.
But another really cool feature, if you bring the UFDR in, is it
will list out the data sources for locations.

(55:06):
So we've got Apple Photos, we've got the AirTag locations,
Find My, Journal, Life360, the native locations.
So you can take that and weed out the locations that you know
are maybe not so reliable and just use the locations that
you're interested in showing here on the map.
So I chose native locations because that's coming from those

(55:27):
cache SQLite in the iOS, which we know have a very good
reliability.
Once I chose my timeframe and the locations, I can, on the
bottom here, move around to the different times.
So if you can see my cursor moving around as I do that, the

(55:48):
date and time is changing.
That's where you would go down and maybe hop to a specific
event time that you're looking for, right down here in the
bottom.

Speaker 1 (55:58):
Yeah, and it's like a little bit of a histogram of
activity.
I say activity in the sense of data points, right, the more
data points, you see that little curvature kind of go higher or
lower, depending on how many data points you have during that
time frame.

Speaker 2 (56:14):
Yeah, so this whole middle section is when I stayed
at my parents' house for the day, and then the higher sections
you'll see are when my travel to my parents' house in the
morning and my travel home from my parents' house at the end of
the day.

Speaker 1 (56:26):
Something that I love about those type of graphs is
that, based on the highs and the lows, you can make broad
interpretation of the data without looking at the detail.
And I always found that to be so intellectually stimulating
because you can quickly see and say, okay, I want to focus on
this peak here because there was a lot of movement, a lot of X
or whatever Y and C, right, so I found that to be pretty nice.

(56:47):
I like those.

Speaker 2 (56:48):
Yeah, very cool.
So you can see numbers down here on the bottom.
So prior to the show tonight, I set this up to show
some events, because this is one of my favorite features in this
tool, so you can click on any date and time and add in events.
So if you look at this number one over here on the right hand

(57:09):
side, I added an event that I had a picture out of the, out of
the extraction, that highlighted that you could

(57:37):
upload the actual picture of the event you're showing.

Speaker 1 (57:40):
So, so you're putting like information attached to
whatever event, correct?

Speaker 2 (57:45):
Yeah, yep.
So I mean, this was my Starbucks stop.
So I literally clicked on that minute that I got to Starbucks
and I titled it Starbucks.
It has the date and time of the event that I was highlighting.
You can put a description.
If you have a description. I didn't have one, I mean, I just
went to Starbucks, and then the location data, so the latitude
and longitude, is next.

(58:06):
It tells you which source it's coming from, so the native
locations, and then the media that I chose to include is there
on the event.

Speaker 1 (58:15):
Very nice.

Speaker 2 (58:16):
Yeah, so they have this follow mode on the bottom.
So the follow mode, actually, the cursor follows the map, and I'm
going to actually turn that on for this purpose.
You can set the speed here.
So the speed that you want this to play, I'm gonna slow it down
a little bit but still kind of keep it fast enough that we're

(58:38):
not sitting here watching the map all night.
Um, and then down here you can set it to loop or you can set it
to pause on those events.
So if you're presenting this in a courtroom and those events are
important, to stop at that point in time on the video and
speak to the jury about the events, this function here will

(58:58):
actually cause the playback to stop anywhere you've placed an
event in your timeline.
So once that is on, I'm going to just hit play and let's see.
Let me get rid of my Starbucks event quick.
Just hit a play, we'll see if I've got it going too fast or
not.
I might.
It's going throughout my morning and then it stops

(59:22):
because it hit my number one event, which has me at home.
I just pick back up and hit the play again.
Now it's got me at home.
I'm at home for a little while here. It's going to come up on my
Starbucks trip and hit the number two event here in a
second.
Nothing's moving because I haven't left my house yet. Okay,
I was gonna say maybe you.

Speaker 1 (59:41):
I thought you were too far away in this area, but
nope.

Speaker 2 (59:44):
So I just started to move.
I am gonna scroll in a little bit, though, because it is too
far away.
So I left my house, went to the Starbucks event and the map
stopped on the Starbucks event.
So I'm now going to hit play so I can go get my energy drink
here, so I just go right next door to Unstoppable Nutrition,
and that's the logo I put in in the picture.
So it stopped on my third event and now I'm going to hit play

(01:00:07):
because it's a little bit of a trip to get to my fourth event.
I'm going to cruise up to my parents' house here, so it's in
follow mode.
So the map is following my route and I'm headed up.
I'm almost to my parents' house here and I put the fourth event
just before I arrive at my parents' house and I titled it

(01:00:30):
Approaching Parents and I put like a little bird's eye view of
my, my dad's house as the media.
There I can hit play, um, and then I, I'm going to let it run.
I stay there.
I talked about this in the last podcast, but I stay there for
the day and actually those few points that I talked about in
the last podcast, that were just inaccurate data points.
You can see them over here.
It looks like I went into the woods, buried the body and I'm

(01:00:55):
just going to.
I'm going to speed this up through this section because I
stay at my parents for quite a few hours and then I'm going to
start my trip home again here.
So I leave my parents' house and I'm headed back down and then
I'm going to set those events once I'm headed home that I
talked about in the last podcast, where it was raining so hard

(01:01:16):
that I had to get off of the main highway.
So here's number five and I have the media event for Dunkin'
Donuts.
If we scroll in, you can see that I pulled off the exit and
I'm actually going to just switch it real quick to the
satellite view.
You can also switch it to the satellite view.
I know you liked the dark mode, but I'm going to switch it to

(01:01:39):
the satellite view for the rest of this trip, just to kind of
show that.
Let me zoom back out real quick.
So I'm, what's up?
You can't hear me.

Speaker 1 (01:01:57):
Mine.

Speaker 2 (01:01:58):
Oh, yours. Okay.
So then I got off the exit again to Stewart's, which is a
gas station up here, and then you can watch the rest of the
trip where I am headed home.

Speaker 1 (01:02:11):
I'm actually gonna back out. All right, can you hear
me now?

Speaker 2 (01:02:15):
I can hear you now. Yeah, I'm not using my main
microphone because it dies, so I'm using... Oh no. But I'm here,
I'm here. Okay, so then I take the trip and I'm home now and the
rest of the trip, uh, my location stay at home.
So I, I love this.
I love that you can add the events.
There's some suggestions.
I'm going to give them for my personal preference on the tool,

(01:02:38):
but I think this has great potential to be like perfect for
courtroom presentation.

Speaker 1 (01:02:47):
Oh yeah, I like how the, how the line of it moves,
the, the, the leading part of the line is white and as it goes
it turns like orangey. At least a trail across the map that you
can follow.
It's really visually appealing, like you said.
So definitely for exhibits or just to show, you know, whatever
data you want to show.

(01:03:07):
Um, it's, it's, it's, it's super nice, it's a great,
definitely station tool.
I, I think we're really, and we just, we discussed this before
in the podcast and in other places, uh, some of the digital
forensics tooling is really short
on the presentation aspects, right? The report htm are not
really good looking.
The mapping applications, they're, they're grabbing,

(01:03:28):
I'm gonna make not mix it up, but let's say, let's say bang or
whatever, I don't know, some, some other mapping application,
third party, that's not really suited for purposes.
So, you know, I can see these guys kind of like, like doing
this.
Of course, and I mean to say this obviously, this is a free
tool that we're trial, that we're trying to share with you.

(01:03:49):
We receive no, uh, financial anything from any of this, right?
Yeah, we don't speak for our workplaces or anybody else, we
just speak for ourselves as members of the community and we
appreciate the guys from LUMYX just saying hey, you know, maybe
you want to try this out and see if you like it and show
folks and that's our decision.
But again, there's no quid pro quo anywhere.

(01:04:12):
We do things because we think they're cool and we'll continue
to do so.

Speaker 2 (01:04:17):
Yeah, so obviously.
So, based on certain cases that I might be working, there are
things I would change.
There are a little bit of the playback.
It's a little like hippie to me, but I'm going to try putting
multiple cases in here, testing it out and then provide the
feedback.
Leave the feedback on things that need to be fixed or things

(01:04:40):
that you want as features.
So when I first went and tried this, I imported my KML in and
it didn't work.
It was a KML that I had created and it's something just didn't
work right.
I put the note in for the feedback that it wasn't working
with my KML and it was fixed by the next day.
So now, the way I created my KML, it should work for
everybody and literally I was just adding the timestamps,

(01:05:02):
latitude and longitude.
So if something's not working, report it.
If you want to see new features, get it on their list.
If you just don't like something, they're very, very,
very open.

Speaker 1 (01:05:18):
Yeah, I wonder if this supports, or they should
support, like cell tower analysis.
You know, from call detail records logs, right? Oh yeah,
yeah. So I think that's something they should also look
into.
Right, let's say, hey look, we have this information from the
providers of the cell towers.
These are the records from the calls and even, you know,
correlate those to the map.
So I think that if they don't do that, I think they should.
Yeah, well, you to put that right in that feedback.

(01:05:41):
Absolutely. Yeah, definitely, so definitely a cool new tool,
completely free right now.

Speaker 2 (01:05:47):
Go try it out.
Whether it be your test data or, if your agency permits, you
could put, um, actual case data up there.
Also, if you don't have any test data or you don't have a
case that you can put in, they have samples in here.
So when you do the create new case, there's try a sample case
down here on the bottom.
If you click on that, all of their sample cases will pop up

(01:06:10):
over on the left side.
They have LPR hit.
They have surveillance video.
They have incident location.
They have victim location. There's a burla one in here
somewhere.
So check out their sample case data
if you don't have any data of yourself to try, of your own to
try.

Speaker 1 (01:06:27):
Awesome.

Speaker 2 (01:06:28):
Yeah, all right, I'm gonna take that down and I'll
put the site up.
Well, it's lumyx.com, but I'll put the site up on, on the show
notes.
Sweet. Yeah, so we're at the, we're at the
"What's new with the LEAPPs?"
What do you got?

Speaker 1 (01:06:45):
So I got a parser, and I'm not going to show it here
because of time constraints, we're already past the hour.
But I made a parser for ChatGPT from test data that was
provided by a community member and, pretty neat, it's one of
the first artifacts, full artifacts that I made LAVA
compliant and that's something that I want to discuss because

(01:07:10):
LAVA will be out soon.
And if you wonder, and I'm looking to the side here because
I'm looking for my thing, there we go.
So LAVA stands for LEAPPS Artifact Viewer App and what
that allows you to do is you can go and take a report from the
LEAPPs, use LAVA to view it and LAVA will not choke on the 2 gig

(01:07:32):
HTML file that right now the LEAPPs provides.
Right, I did this what, five, six, seven years ago, and main
reporting for the LEAPPs was just pure HTML and some other things.
Well, now we're using LAVA to look at the data and not
depending on those HTMLs which, with our viewer, it can ingest
and let you look and export a whole bunch of stuff.

(01:07:54):
So the first thing I want everybody to do is to go to
leapps.org and sign there for our newsletter or mail, not
newsletter, for our mailing list.
I don't have a newsletter.
I have a mailing list and the idea is that the moment LAVA is
released, which will be sooner rather than later, you will have

(01:08:15):
I think you were putting that up, you will have a notice that you
can go and download it.
I'm going to give you a super short sneak peek because a
really good communicator instructor in the community will
provide soon a video of all the features that, you know who this

(01:08:35):
person is, Heather. Who's doing that?
I don't know, some person. I, I really like her except when I
don't.
So I'm not gonna steal her thunder for her video.
But you see kind of the format, artifacts on the left.
You can see some of the entries here on the right.
I like the fact that I can open those media and kind of blow
some up real nicely.
Um, it has a video, it plays the video, they're automatic.

(01:08:59):
It leaves in LAVA, you know, leaping love, okay, so, uh, so I
think it's pretty good.
It's a work, great work done by James on the LAVA side and by
Johan, I think, if he's not asleep yet.

Speaker 2 (01:09:14):
He could be sleeping by now.

Speaker 1 (01:09:18):
He did a lot of work on the LEAPP side and James on
the LAVA side, and then Kevin, myself and others just trying to
work on updating the older artifacts and then also adding
new ones, like the one that I did for ChatGPT.
This one is just a fake one that I used for my presentation
the other day.
I used to show folks how that works.

(01:09:39):
I think Kevin is in the chat.
He was eating lobster.
Yes. If that's the case, you're excused.
You don't have to be here on time if you're eating lobster.
That's a good reason to be here late.

Speaker 2 (01:09:49):
You could have invited us, though. I'm a little
hurt.

Speaker 1 (01:09:53):
Yeah, I'm hungry as well, apparently. Yeah, exactly.
But yeah, so please do sign up for the mailing list so you can
notice when LAVA comes out.
There's a lot of ideas we have that we'll keep adding to it as
the time passes, so it'll be awesome.
Look, if you're still hungry, you can look at the pictures.

Speaker 2 (01:10:17):
Thanks, thanks, I appreciate it.

Speaker 1 (01:10:20):
Open a can of sardines and imagine it's just
the seafood taste, or smell at least.

Speaker 2 (01:10:26):
No, no, no, no. Good stuff.
But speaking of LAVA, Alexis just did a video and it's posted
to his LinkedIn right now, uh, there's a link to it, on how to
make LAVA compliant LEAPP artifacts.
So if you are a contributor or you are looking to become a
contributor to the artifacts and writing your own artifacts to

(01:10:49):
put into the LEAPPs, watch that video.
It's very clear on how to create the artifacts that will
work with the new LAVA viewer and I think Alexis has been
trying to tell me for how long how to create artifacts, and this
video, I actually wrote to him last night and I'm like, my God,
I finally understand what files found means in the script, or

(01:11:12):
there were like 10 things that I finally learned for the very
first time last night.
So it, it helped clear up a lot of things that I was wondering
about how to write the LAVA compliance scripts.
So I think it's a great video for, um, anybody to watch, whether
you're already writing the, um, artifacts or whether you want to
get into writing the artifacts.

Speaker 1 (01:11:30):
And again, all credit to James and Johan, the way they
work together to make those implementation changes.
Doing artifacts now is way easier than how it used to be.
It's less lines of code from the LEAPP end and it produces all
the good stuff that LAVA will show to you and that's behind

(01:11:51):
the scenes.
You don't have to worry about it.
The code, the platform, takes care of that.
So again, lots of kudos, and I appreciate their partnership for
being members of the community and doing this for the love of
the community.
So we're really excited about the project and continue to
develop it.

Speaker 2 (01:12:08):
Definitely. All right.
We are to the end, the meme of the week.
Let me get my screen and share here.
I think this is one of my favorites, so, uh, it is.
Once I became a digital forensic examiner, I finally
understood the scene where Yoda gets so tired of answering

(01:12:30):
Luke's questions he just dies.

Speaker 1 (01:12:35):
And obviously that comes from Star Wars, right, when,
yeah.
What's the, what's the plan, the Dagobah, the Goldblatter I
was saying in English and you know, I know you don't know it
because you don't watch the movies.

Speaker 2 (01:12:45):
But I don't.

Speaker 1 (01:12:47):
Yoda's been training right Luke Skywalker and
becoming a Jedi.

Speaker 2 (01:12:57):
And he has all these questions and he's like, I'm just
gonna lay down here, man, and just, I just died.
I feel like it's been that kind of week, right.
So there's so many questions that it's like, oh my god, maybe
if I just play dead the questions will stop coming in.
Yeah, because... Go ahead, go ahead. No, I was just gonna say, all
kidding aside, though, I love answering the questions.
I'm not trying to sound like I don't, but yeah, this meme just
hits this week with the number of questions rolling in.

Speaker 1 (01:13:19):
I have no issue helping people out. Me either. If
I'm telling you or answering that question for the 10th time.

Speaker 2 (01:13:25):
Exactly.

Speaker 1 (01:13:27):
Yeah, I'm going to go lay down here and I'll leave my
body and come back in a few hours.

Speaker 2 (01:13:32):
Yeah, exactly.

Speaker 1 (01:13:33):
Because closing the door to my office is not going
to cut it.
It doesn't.
No, they will knock.
They will just throw it down.
They will come in, they will bring the door down with a
battering ram.
It'll be like boom and they're going to come in. In our
workplaces they're pretty proficient with battering rams
and they will come
into the office to ask the question.

Speaker 2 (01:13:52):
It's not only at the door.
It's at the door, it's in the email, it's creeping into the
LinkedIn questions.
It's the text messages.

Speaker 1 (01:14:00):
It's from one side of the bathroom to the next.

Speaker 2 (01:14:03):
Oh, yeah. Oh, I haven't had that happen yet. Oh
yeah, I'm coming to the bathroom.
Hey, hi, hi, hey bathroom, hey, hi, hi, hey.
And we're there, hey.

Speaker 1 (01:14:09):
Hey, you know I've been looking at the internet
about this electronic thing.
What do you know about?
Like dude, can I?
Can I use the bathroom at peace?

Speaker 2 (01:14:17):
Well, I'll have a first with that eventually, I'm
sure, but not yet. So, well, it hasn't been straight.

Speaker 1 (01:14:23):
You talk for us the questions but, as you know, if
you're the DF person, you are tech support?

Speaker 2 (01:14:27):
Oh yeah, in their mind.

Speaker 1 (01:14:28):
You're your tech support.
You know about Windows, you know about anything.
You know computers, right.

Speaker 2 (01:14:33):
Oh yes.

Speaker 1 (01:14:33):
You must know this obscure thing that I saw on
Instagram.
I'm like dude.
I had no idea what you're talking about.
I do not.

Speaker 2 (01:14:39):
I can find the artifacts and figure out what
the artifacts mean, no problem.
But ask me to set up some kind of workstation, forget it.
Everybody thinks I can do it.

Speaker 1 (01:14:54):
I don't, I don't, I don't know what printer is
better.
I haven't in years, that I could figure myself, in years I
haven't. Sorry. Oh, man, yeah.

Speaker 2 (01:15:01):
So it's been one of those kinds of weeks, so
everybody gets to see the lovely Yoda dying scene. I hope
everybody enjoyed this, one of my favorite memes. Yeah, so that's
the end.
That's all we got, like the Looney Tunes.

Speaker 1 (01:15:15):
That's all, folks. We appreciate, obviously.
And Kermit, if I'm wrong, do you have anything good or to say
for the good of the order here?

Speaker 2 (01:15:24):
I'm good.
Thank you so much for everybody who joined tonight and
everybody who listens tomorrow. Absolutely so.

Speaker 1 (01:15:31):
We're going to call it a night, we're going to play
the music and we'll see you all, hopefully in a couple of weeks,
if not whenever we say we're going to have one of these again.

Speaker 2 (01:15:39):
Right, exactly.

Speaker 1 (01:15:41):
Take care.
Have a good night.

Speaker 2 (01:15:43):
Bye, bye, thank you.