April 11, 2024 84 mins

Navigating the complexities of digital forensics can be daunting, but this week we've got your back with the exploration of Magnet Forensics' Axiom version 8, and its transformative Mobile View feature. As your hosts we're not just sharing tech updates; we're discussing the impact these tools have on our work and how they shape the narratives we construct. 

When it comes to the integrity of an investigation, the devil is in the details—and in the documentation. We delve into the craft of forensic reporting, dissecting why an analyst's narrative is just as critical as the raw data pulled from tools. From the subtleties of crafting a timeline to the nuances of articulating the relevance of each artifact, we've got the insights that will assist you on your report writing journey. 

Finally, join us for a celebration of the community spirit that fuels this field, illustrated by new blogs and newly supported artifacts in the LEAPPS. We also look at the growing significance of vehicle forensics in investigations. And because we all need a good chuckle, don't miss our 'meme of the week' segment. It's an episode brimming with expertise, but not without its moments of laughter because finding joy in our work is paramount. Come for the knowledge, stay for the camaraderie, and enhance your forensic acumen with us.

Notes-
Job Alert- Upcoming Openings at the New York State Police
https://troopers.ny.gov/civilian-employment

Capture the Flags
Hexordia
https://www.hexordia.com/spring2024-weekly-ctf-challenge
Oxygen
https://oxygenforensics.com/en/training/events/ctf-apr-19-2024/
Belkasoft
https://belkasoft.com/belkactf6/info

Mobile View and Copilot in Magnet Axiom
https://www.magnetforensics.com/blog/bring-your-mobile-evidence-to-life-with-the-new-mobile-view-in-magnet-axiom/
https://www.magnetforensics.com/blog/identify-deepfakes-and-quickly-surface-evidence-with-new-ai-tools-in-magnet-axiom/

DeRR.p. Investigating Power Events on Samsung Devices
https://thebinaryhick.blog/2024/04/07/__trashed/

Peer Review Checklist
https://www.hexordia.com/blog-1-1/gc0vnvj80ogwx724ovu7avzwvjl742

What's the Buz: Forensic Analysis of Buz for iOS
https://laurora4n6.wixsite.com/aurora4n6/post/what-s-the-buz

What's New with the LEAPPS?
https://www.stark4n6.com/2024/04/splitwise-on-ios.html


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:10):
Welcome to the Digital Forensics Now Podcast.
Today is Thursday, April 11th, 2024.
My name is Alexis Brignoni, aka Briggs, and I'm accompanied by
my co-host, the Uber decoder, the fax compiler, the knowledge
distributor, the one and only Heather Charpentier.

(00:34):
The music is Hire Up by Shane Ivers and can be found at
silvermansound.com.
Hello, Heather.

Speaker 2 (00:46):
Hello.
Thank you for the great introduction, as always.

Speaker 1 (00:50):
The Uber decoder, I know you dig that.

Speaker 2 (00:53):
We'll talk about that later.
Folks, I do like it.

Speaker 1 (00:58):
Welcome everybody, happy to have you here.
I see already folks starting to roll in.
Lori, good to see you and I'll see you a little bit more later.
I'll be talking to her class after the show, so I'm really
excited about that.
Happy Thursday to Jess in the chat and Jeremy. Tell me,

(01:19):
Heather, what's been going on since last time we were here.

Speaker 2 (01:22):
I've been working and I actually had to deal with
jury duty this week, so I got summoned for jury duty and had
to sit at the courthouse all day waiting to see if I was going
to be selected for a jury and I was not, thankfully. So that's a
constitutional responsibility, lady, come on, you should be sad.
I testify enough.

(01:43):
I don't need to go sit on another jury or on a jury, yeah.

Speaker 1 (01:48):
Like I've been on all these chairs.
I don't need more chairs, yeah.

Speaker 2 (01:52):
No, I don't want to sit there.
Plus, I've done it before.
One time in your life is enough.

Speaker 1 (01:58):
No, it's, I mean, we joke about it.

Speaker 2 (02:10):
But obviously an important thing to do as a
citizen, be part of a jury.

Speaker 1 (02:12):
But um, if somebody else can do that, that's fine
too, and we can keep working.
They picked eight great people for the jury, I'm sure.
Absolutely. Well, folks, folks might remember that the eclipse
happened what two days ago or something like that.
Yes, yeah, yeah, so so that was exciting.
Um, I think you saw less of the sun than me during the eclipse,
right?

Speaker 2 (02:25):
Yeah, ours wasn't super impressive.
I saw everybody's pictures online and I was like I want to
be there.
Ours was really cloudy and just not as good as all the other
locations.

Speaker 1 (02:36):
Gotcha, gotcha, yeah, no, we had here in Florida at
least where I was maybe like 50%, almost 60% of the sun, so I
thought it was still worthwhilechecking it out.
So I want to share with folks apicture here of some stargazers
at my house.
As you can see, we made surethat we spared no expense to

(03:01):
make sure that my kids didn't get any, any sunlight, the direct
sunlight in their eyes.
So for the folks that are listening, you know you have the
eclipse glasses, right?
Well, we took a paper plate, like you know, for food and, and
we cut it in a way that it covered the top and the side so
they could only see through the eclipse lenses, right? That's

(03:22):
perfect.
Um, and I mean especially little one super excited for all of
three minutes.
They're like okay, bye.
Oh, Kevin says that his eyes still hurt, man. I see that. Yeah,
get, get that checked out.
That could be a problem. Keep your glasses on. Yeah, I need you
with eyes.

(03:42):
You're the one that's running the, the, the repositories,
right now.
For folks who don't know what a repository is, it sounds like
something else, but no, it's a place we put our code for our
projects.
Okay, don't get confused.

Speaker 2 (03:54):
Yeah, he cannot go blind.

Speaker 1 (03:56):
Exactly, oh no, but it was a great experience.
So I mean, let me take this out, and the kids enjoyed it.
I personally enjoyed it.
I'm hoping that at some point I'll be able to travel somewhere
in the world to see a full eclipse, because the next one is
going to be coming through the US.

(04:16):
That's going to be kind of full-blown in Florida where I
could see it.
It's going to be in 20 years.

Speaker 2 (04:21):
Oh really.

Speaker 1 (04:22):
So, yeah, I'll be in my what 60-something.

Speaker 2 (04:26):
So I'm like you know what I might want to do that
before getting to almost 70.
I'm sure you'll go see it still anyway.

Speaker 1 (04:33):
Yeah, I'll do both.
Hopefully, if everything goes well and the universe wants me
alive, I'll enjoy it as well.

Speaker 2 (04:39):
Yeah, Jessica says how many attorneys would want a
digital forensic person on the jury.
Jessica, it was a civil trial.

Speaker 1 (04:48):
I was really worried they were going to pick me. Most
likely both sides, right, yeah, on the civil side, of course,
yeah, yeah, but no, so that's what happened.
I did some parsers.
We're going to talk about that.
Thanks to your work, Heather, we did some parsers for a pretty
neat app, yeah, and presentations and regular work.

(05:10):
So that's what happened these two weeks.

Speaker 2 (05:12):
Nice.
Well, let's get into it then.
So I'm going to announce a job alert that's coming up soon, if
anybody wants to move to the beautiful Albany, New York, and
come work with me.
We're going to be posting our civilian positions within the
next, probably like week or two.

(05:33):
I would guess probably next week, but I'd say a week or two.
We're going to have several spots open, and it starts from
like an entry level, and then there's additional job titles
for people with a little more experience.
So it would be based upon your experience.
It's not a remote job.
You would have to come and live in Albany, but the title is

(05:55):
Computer Forensic Analyst.
And let me put up the website.
It'll be on the page afterwards too, but this will be the
website that you'll want to check and look for that posting
in the future, near future.

Speaker 1 (06:10):
Yeah, and that's something that folks ask me, well,
how do I get into this field?
And one of the things I tell them is you know, obviously you
get your degrees or your certifications, all that good
stuff but one way is by looking for posting like this one where,
um, you go into a law enforcement capacity and you
learn that aspect of the digital forensics process and you can do

(06:30):
that for, for your whole career.
This is excellent work.
I mean, I'm one of those, right, or, or you eventually can
transition to the private sector, right, but that's a really
good way, obviously.
Uh, the New York State Police, you know, really, you know a big
agency, well-known, good work's being done there.

Speaker 2 (06:49):
Oh yeah, I should have said New York State Police.
I'm just assuming people know where I work.
But yes, New York State Police is where the job is.

Speaker 1 (06:57):
Exactly so, and you know, a really, really good
agency with a lot of impact in regards to the things that are
happening in the state.
I personally think it would be a great opportunity for anybody
and everybody if they get picked.
Be on the lookout for that posting.

Speaker 2 (07:13):
And you get to work with me.
I mean, what more could you want?

Speaker 1 (07:19):
Everything was going up and now we're crashing.

Speaker 2 (07:23):
I'm scaring people away. Damn. I kid, I kid, I kid. Um,
so some other things going on right now in the community are
capture the flags.
I don't know, um, I didn't know there were so many capture the
flags going on.
So one of the capture the flags is Hexordia has a weekly

(07:46):
capture the flag.
It began April 1st and it's every Monday at 11.
There's a new weekly challenge unlocked so for participants.
Each challenge lasts a week and then there's additional ways to
earn points by writing blogs and there's bonus questions
throughout the weeks, and those are announced on Twitter or X

(08:07):
and LinkedIn.
The way to find those additional bonus questions is to
follow Hexordia and Jessica Hyde and Kevin Pagano and
Geraldine Bly and Cesar Casera, because they'll be posting those
challenge questions on the social media platforms.
It's a great way to get involved in the community and a

(08:28):
great way to get your start in blogging, especially since
there's those additional points.
If you're writing up the blogs and I read online too there's a
chance to win prizes, including seats in some of the Hexordia
classes.

Speaker 1 (08:43):
Oh, and folks that I mean both of us, me and Heather
and myself we've been at some of those courses and they're
fantastic.
Jess and her team have made courses with really relevant,
timely content to the work that you do.
Some of these courses you take somewhere else.
You talk about conceptually, about how things are, and you

(09:04):
actually do them.
And I was, uh, chatting with, uh, Jess the other day and I
think you also get points by.
If you code, you can make some parsers.
And if you make a parser in one of the LEAPPS, the, the, the
project that the community we use for, uh, parsing devices, you
get extra points for that too.
So it's a great way the blogging, the coding to put your

(09:29):
name out there, to learn and start building your brand.
And if this is the first time you hear us speak here or you
missed last episode, I really invite you to hear the last
episode.
We have a big section on how to build your brand in the digital
forensics space and this is one of the things we discuss and
here's a real way of actually making it happen, so take

(09:51):
advantage of it.

Speaker 2 (09:54):
Another capture the flag that's going on is with
Oxygen Forensics.
It hasn't started yet.
It's open for registration.
Right now, though April 8th through the 18th is registration,
and then the challenge details will be released on April 19th.
I think that you need to have access to an Oxygen license to
participate.
Don't 100% quote me on that.

(10:15):
Reach out to Oxygen and findout if they'll do the trial
license.
But another great opportunityto do those capture the flags
and learn more about forensicsopportunity to do those, capture
the flags and learn more aboutforensics.

Speaker 1 (10:27):
Yeah, I'm pretty sure they'll, they'll be able to
give us, I mean give the folks, the community, uh, trial license.
It's a great product.
It's a great product as well.

Speaker 2 (10:32):
I like Oxygen a lot too, so yeah, and then the last
one, actually this capture the flag
just ended, the Belkasoft, but the images are available.
So if anybody's looking for test data, or really if you just
want to go do the capture the flag even though it's not still
actively a challenge, like it's not up as, as an active capture

(10:55):
the flag, go get those images and check it out.
There's also blogs and write-ups that are starting to
come out on that capture the flag and the details of how
people were able to answer the questions.
It's a great way to learn and learn how other people were able
to solve them.
It might not be the way that you would have gone about it and
you may learn a new technique or two.

Speaker 1 (11:17):
Oh, absolutely, and I believe the images are just as
valuable as the exercises themselves, right, as the CTF
itself.
Actually, I used that image to test out some of the parsers
that we were working on this week, Heather and myself,
because he had to say some of those apps in there.
So, again, get the image and practice with them.

(11:38):
And that's the whole thing with this field.
If you're just reading and not practicing, you're not getting
the full benefit or the full growth that you could get
otherwise.
So, open those images and work with them.

Speaker 2 (11:49):
Right, definitely.
I think that's all the Capture the Flags going on right now.
Hopefully I didn't miss any.

Speaker 1 (11:56):
Oh no, it's Capture the Flag season.
Yeah, and I wish, sadly for both of us we don't have enough
time.
Well, actually, let me say this, we're actually ramping up to
start IACIS.
What in nine?

Speaker 2 (12:11):
days, I want to say Nine days.

Speaker 1 (12:13):
Yeah right, is that right?
Yeah, so that's why we haven't been able to play in any of
these.

Speaker 2 (12:18):
Yeah.

Speaker 1 (12:19):
Because we'll be instructing the Advanced Mobile
Device Forensics course for IACIS.
I think there's still some spots that are filling out, so
do you want to hang out with us for a week and nerd out?
Yeah, come on.
It'll be Heather, myself, John, Hila and Bill.
What's his name?
Bill?
I forgot his last name.

Speaker 2 (12:42):
Bill's going to be with us.

Speaker 1 (12:43):
Yes, we'll look it up, but, uh, it's a pretty, a pretty
good, good, good group of people. Yeah, definitely, definitely.

Speaker 2 (12:51):
Um, want to highlight too.
This week, um, Magnet came out with some new stuff for Axiom, um,
so they released, uh, version 8 and in version 8, the first
thing I'll tell you guys about is mobile view.
So it gives a representation of iOS and Android devices that
are being examined, presented in Axiom with the ability to

(13:13):
select the icons for supported apps that are loaded on the
phone.
So I'm going to show a little preview of that.

Speaker 1 (13:21):
Let me yeah, and, as Sarah's bringing that up, I
think this way of looking at the data it's how can I say this
it's really useful because we're so used to looking at the data
the same way in all applications, in third-party applications.
What I mean by that is the companies that sell us tools.
They're different, but they're still the same, like the movie,

(13:41):
right, I know you didn't get that reference, but it's
different, but still the same.
I'll tell you about the movie later, okay, but this way it's
really intuitive and I don't see anybody doing it this way, and
I think it's the next evolution of how you can have folks with
minimal amount of computer knowledge be able to at least

(14:03):
pick out some of the artifacts, like low-hanging fruit artifacts,
and make our lives easier.
So you're going to show us how that works, right.

Speaker 2 (14:10):
Yeah, I am, and I definitely love this.
I'm super picky about new features in the tools, if you
haven't heard, and I really like this one.
So I processed one of my test images just the normal way.
Nothing changed with the way you go about processing it, but
over on the left-hand pane, under evidence sources, you can

(14:30):
choose a device and when you click on the device, this image
of an iPhone comes up and it's got the icons to the
applications that are installed on my test device.
They're not exactly in the same location as they are on my test
device, so I wouldn't depend on it for that.
But the cool thing about this is you can get a quick look at

(14:54):
the applications that are installed and then you can click
on any of the applications and it will bring you to the
artifacts that relate to the application.
So I clicked on the Apple Notes and it brought me to the three
notes that I have saved in this test data.

Speaker 1 (15:14):
Yeah, and folks need to be aware.
You're looking at the kind of like an image of the iPhone, in
this case with all the apps.
This is not a virtualization, so don't get confused.
Okay, you're not virtualizing the phone or interacting with
the image being virtualized.
No, this is just a representation and the apps show
up on this screen as they were in the order they were processed,

(15:37):
right.
There's nothing special about it, right?

Speaker 2 (15:38):
Right.

Speaker 1 (15:39):
But I Go ahead, no, no, go ahead, no, and the bottom
row will always look the same.
I think I heard Chris Vance explaining that in the video
that introduces the product.
So the bottom row stays the same, but the apps will change
as you process new phones.
It's just the order.

Speaker 2 (15:55):
Right, and Jessica's pointing out in the chat that it
also will show you unsupported apps.
So there's a little toggle above the phone and you can
switch which.
Let me go back to the.
Let me go back.
Oh, and it crashed.
Okay, well, it crashed, so I'm not going to open it back up

(16:16):
right now.

Speaker 1 (16:17):
The demo gods always, at some point, catch up to us.
The demo gods will catch up to us.

Speaker 2 (16:28):
So I'm just going to tell you about that feature.
Above the phone there's a little toggle where you can
switch over to unsupported apps and it will bring up icons for
unsupported apps on the image of the iPhone for my test data.
I really like that because they're not always right there
up front and in your face for you to see the unsupported apps,
right.
And when we go to our forensic, forensic tools, we see the
supported apps because that's what the tool supports and
that's what it's parsed.

Speaker 1 (16:49):
But this gives you the opportunity to go look for
those unsupported apps and further investigate them. And, and
describe me verbally like, uh, so it shows like a placeholder
or it actually shows the icon.
How was the visualization of those supported?

Speaker 2 (17:03):
Yeah, so.
So when I looked at them before, they weren't like an icon with
the app image, but they were just little icons on the screen
and they had the package name underneath, so it would tell you
which application it was.

Speaker 1 (17:16):
Yeah, and that makes sense.
That tells me that obviously they have a data internally, I
would assume, linking the ones that are unknown.
But the ones that are unknown have the package, the package
name.
For folks that don't know what that is, it will be like it
looks like a URL, but in reverse, right, like the name of
musicallycommusicallywhatever.

Speaker 2 (17:36):
And then you know what app that is by looking it
up, and then Magnet Forensics put out a blog about it too,
about the mobile view.
That explains all of it in further detail, but it's really,
really a neat feature in my opinion.

Speaker 1 (17:52):
Yeah, and I was saying a second ago that this
really helps with people are not super into the weeds like us
examiners are listening here, or folks in this field.
The view is also portable, so when you make a portable case,
your reviewers, non-technical reviewers, will be able to tag

(18:14):
the items through that view, which
I think is extremely useful.
I foresee my users defaulting to that view from the get-go.

Speaker 2 (18:24):
Oh yeah, it'll be super helpful for non-technical
people definitely.

Speaker 1 (18:31):
And I find it interesting because companies
may spend a lot of money in adding a lot of features and
actually let me well, I'm going to jump the gun here, Heather,
so forgive me, right, go ahead. Even Magnet itself.
Something that we're going to talk about in a second is that
they added some AI stuff to Axiom 8, right, and in my mind

(18:52):
it's a lot of investment, time and investment.
But I find it interesting that just how you view the data might
provide more direct and transcendent impact that maybe
adding something as complex as AI. Not that AI is bad, right.
AI is a good thing. We'll talk about it in a second and it has
its pros and cons.

(19:18):
But just imagining, how can we take the usual way of doing
things and tweaking it and thinking of our users or the
different types of users, how can we make that more data
accessible?
It can make changes that might be larger or more impactful than
what it seems at the beginning.
I'm really, really excited about the mobile view.
I'm really excited of seeing how my stakeholders react to it

(19:40):
and I will report back what folks are thinking of the new
visualization feature.

Speaker 2 (19:46):
Yeah, besides my little crash right there, I've
been messing around with it and I really like it and it hasn't
crashed until now, of course.

Speaker 1 (19:53):
Look, the demo gods will do that.
They figure out.
Oh, you need to show this.
We're going to crash it just to spite you. Yep, definitely.
You didn't give them an offering before you started.

Speaker 2 (20:03):
That's the problem.

Speaker 1 (20:03):
It must be it Definitely.
You didn't give him an offering before you started.

Speaker 2 (20:04):
That's the problem.
It must be it.
So the AI, the new AI feature in Axiom 8 is called Copilot and
there's another blog here that Magnet Forensics put out and
that link will be on our page after.
But this one is part of the Magnet Idea Lab right now, so I
don't think we can discuss a ton of details.

(20:27):
But it identifies deep fakes and, um, is able to quickly
surface evidence with the AI tools in Magnet Axiom.
So it's able to analyze images and videos to determine if
they're synthetic or generated, um.
And then it's also you're able to do searches in the case data.
So, like in the chat threads of the web searches and the images,
you're able to use that AI feature to do searches about the

(20:52):
data in your case.

Speaker 1 (20:55):
Yeah, I think they shouldn't keep it in the
download.
I don't want Microsoft to hear that their AI is called Copilot,
just like Microsoft's.

Speaker 2 (21:04):
Oh yeah.

Speaker 1 (21:06):
You know what?
Maybe if you can write the word insights with E-Y-E, they can
write Copilot with a K or a Q.
Solved, problem solved, there we go.
Copilot with a K, there we go, and insights with E-Y-E.
Yeah, some folks are lost about that joke.
I'm sorry you had to have to listen to previous episodes to

(21:26):
get the joke.

Speaker 2 (21:30):
It's too long of an explanation. Yeah, I started to
mess with the AI thing.
I haven't really gotten into it yet and, um, I'm not so sure
that I'll be able to use that though in my agency.
Uh, there's some details about it that might just not fit with
our policies, but the, it sounds cool and I started to mess

(21:50):
around with it.

Speaker 1 (21:51):
Everybody should sign up. Yeah, and actually, actually,
I want to get into that a little bit, right, because, um,
it reminds me of Jurassic Park and I'm like, look, let me, let
me, let me, let, let me set the table first.
Right, I'm not against the concept or the tooling.
Right now I'm doing my devil's advocate portion of the show,
right?
So don't take me now as taking a position necessarily.

(22:13):
I just want to express some viewpoints, right.
So now, here I go.
Table's been set, it's like in Jurassic Park, right, it's like.
You know, just because we have the power to do it doesn't mean
that we maybe should have to do it, right, and that's the point,
right.
So obviously, for us that are examiners and we know how this
works, right, AI is a functionality that uses a lot of

(22:36):
CPU cycles, specifically GPU-CPU cycles, right, and for
those who are not familiar with that, the way that works is they
have a big rig with a whole bunch of video, kind of video
card, looking things with that video memory and processors and
stuff to do the heavy lifting of an AI.
You got to remember that AI is a process that will take data,

(22:56):
will learn from it and will respond and give you answers
based on natural language interactions.
What that means is that you will ask the AI a question, you
know, AI, were there any chats about X and Y during the last
year?
And the AI will say yes or no, or here they are, or whatever it
is, okay.
So that requires a lot of processing power.

(23:17):
That processing power is not your forensic machine from 2003.
Right, yeah, no. Running Windows 10, and you're trying to
hopefully maybe update that to 11, and hiding the Windows 7
ones that you have around, okay.
So what that means is that you have to send that data out, and

(23:37):
that's where the complications might happen.
Right, there's a lot of policies in a lot of labs that
the computers need to be segmented from the outside world
for obvious reasons.
That protects in a chain of custody sense.
It protects the evidence from possible taint in regards to
data being exfiltrated or somebody coming in and putting

(23:58):
stuff where they shouldn't be and messing up that case.
Right, messing up that case, right.
So when you want to take that data and work with an AI with
the processing power, that's not in your site, it's remote.
That means that data needs to leave your site and that's a
host of complications.
The first complication is where is this data placed, right?

(24:20):
I mean, where is it?
Where does it go?
How is it secured?
What happens when it's intruded?
And again, I'm not saying anything about Magnet or Axiom.
Okay, what I'm talking about is, in general sense, if you're in
the computer security information space, you have to
assume that things will be intruded.
That's how this business works.
It's not if we're going to get hacked, it's when we're going to

(24:41):
get hacked, right.
And based on that concept, we need to understand if we're
having things on the cloud or being shuttled off somewhere
else, how is that being secure?
Just telling me, don't worry, I got it, it's not going to cut
it, right.
The type of data, let's say.
I was thinking about this yesterday.
I do my best thinking when I'm showering.
I was thinking what happens when you get grand jury data

(25:05):
right?
And when you get grand jury data, for folks who are not
familiar with that, it's provided for really specific
purposes.
It's secret, it's for investigations and the folks
that have access to it have to be in a particular list to get
grand jury data, right. For the investigations based on that
probable cause and all that good stuff, right.
It's a really serious thing, extremely serious.

(25:28):
The control of this data is serious business.
Am I putting an outside entity in my access list from my grand
jury data? Like, is that what's required now?
Well, the AI is.
Oh, I think I'm losing my video here.
Can you hear me?

Speaker 2 (25:42):
Mm-hmm, I can hear you.

Speaker 1 (25:44):
All right, my video is kind of coming in now.
All right, so you can tell me, well, the machine is a machine,
it doesn't know, right, so you cannot put a machine in this
type of list.
But again, the data now is not under my full control, right?
So we have to start thinking about how our and our field in
general.
Is this something that we want to do?

(26:04):
And if we're going to do it, how can we do this in a way
that's proper, right, that actually follows the forensic
process?
I'm not criticizing it for putting this feature out in the
way they did.
I believe that the way you open new ground is by walking
actually through it, right, moving in the woods and the

(26:27):
overgrown plants, making that road, if that makes sense.
But again, it needs us to work with these providers to tweak
those features in ways that follow our policies, procedures
and the digital forensic process.
I think Magnet has done that by the fact that they've done it.
First of all, they've done it.

(26:48):
You have to register, you have to opt in into it, and they put
some warnings, right? Before you start using it, right?
Yes, so I believe Magnet has done the due diligence to let
the users understand that, hey, we're making this available, but
it's on you, right?
It's like, again, we're giving you a knife, you can butter your

(27:10):
bread or you can stab somebody, but don't come at me, because I
gave you the knife, right?
So there's a host of, I believe, issues there in just the
process of getting the data in and coming back to you, and how
are you going to use it, and that's different from how we're
interacting with the AI itself, right?
What do you think about that?

Speaker 2 (27:26):
Yeah, no, definitely.
I mean I want to use it, of course, but definitely have to
watch out for things that could potentially compromise the
evidence, I guess.

Speaker 1 (27:40):
Yeah, and I think, if I were to put my prediction
ahead, I think at some point it's going to become a little
bit kind of unavoidable to start moving data outside of fully
controlled, like physically controlled environments, because
it's going to be blurred.
Those lines are being blurred more and more, right, when you

(28:01):
think about data in your networks, especially agencies
that are across states, right.
Let's say an example, a big state like Texas. I'm making this
up, but imagine Texas and you have this law enforcement agency
that operates in different offices.
Well, those offices exchange data within themselves, right,
the data is within their networks, but physically, that
data is being shuttled across miles and miles and miles, right,

(28:23):
right.
So we have to start thinking about how we're going to start,
how the data forensics concept of labs, air gap labs, will fit
into this new space where the demarcation is not so much
physical, it's virtual.
And how is that going to happen?
I don't have the answers, but we'll see them.
We'll get that growth going, moving forward.

Speaker 2 (28:45):
Find out eventually right.

Speaker 1 (28:50):
I'll be processing a case from Mars.
That's what's gonna happen um.

Speaker 2 (28:55):
So, moving on out of that topic there, um, there's a
few, um, a few good blogs that have come out in the last couple
weeks too.
So, um, I hope everybody follows Josh Hickman, the Binary
Hick.
If you don't, you need to.
Um, his blogs are awesome, but the one that came out this past
week is about investigating power events on Samsung devices.

(29:17):
Um, it shows the powering event, shows the why.
So why did the user power down or why did the device power down?
I'm sorry, the file that he's referencing in his blog is
called E.
It's like E, r, r, dot, p and it.

(29:38):
You need a full file system toobtain this file, but it
indicates things such as if theshutdown was user requested or
if the file may represent a nopower situation, values that
appear when the phone was on acharger, reboot events with user
requested indicators, and itshows phone crashes.

(29:58):
And the blog also goes on todiscuss other files related to
powering events, such as thepower off reset reason dottxt,
and the power off reset reasonbackuptxt.
And the last line of the blogis sometimes investigations can
come down to the smallestdetails, so having context

(30:19):
around events is always valuable.
I couldn't agree with that more.
So I saw this powering eventsblog and I thought immediately
of a case I had where you don'trealize that the small details
are going to be really importantto maybe your investigator or
your district attorney.
But I had a case where thepowering events were what was

(30:40):
important.
It was an iOS, but it wasreally important when that
device was powered off.
It was really important when itpowered back on and one of the
questions I was asked about thecase is how do you know the
battery didn't just die?
How do you know the userpowered it off?
So blogs like this justimmediately made me think of a
specific case that I had.

Speaker 1 (31:02):
Oh look, every artifact that's tied or ties or
lets me know about user actions is a potential smoking gun
artifact.
That's just how it is.
Again, I repeat again, every user interaction artifact could
be the key to your case, definitely, and you might not

(31:24):
imagine.
And again, like your case is so great.
Actually, Kevin is saying we need to make some parses.
I think we have some, I think the ER, we have it, but we have
to revisit those and maybe add some of the detail from Josh's
new blog post.
I don't know if we're capturing I'm not sure we're capturing
all the details that Josh explained in his blog post.

(31:45):
So, Kevin and myself, we need to give it a look.
But yeah, and keep that in mind, folks, when you look at
artifacts, they're not sterile things numbers and letters,
right, they tell us about what the user did with the phone and
when the user did it.
Turning the phone off I don't know when I go to sleep,
although nobody does that, but when you go to sleep might not

(32:06):
be that important, but turning the phone off before you walked
in I'm making this up to rob a bank, right?
That's a big deal, yeah, yeah, I mean, let me turn this off.
I don't want to be tracked moving forward, right, and
that's just a silly example, but those are important and you
have to think about, especially within the pattern of life

(32:26):
analysis, when things happen.
When you hit a button to turn the screen on, power it off,
like you're saying in your example, um, actually, I read I
mean that reminds me of a news article that I read about a case
where this person was saying that he, I think it was a murder
case like that, and the person said, well, um, uh, within the

(32:48):
time of the murders, I lost power on my phone.
Right, I lost power, so that's why my phone was off.
And that was not true.
You could see that the phone had power, like whatever
percentage, and the after the murders, then the percentage you
know started increased because it got it got plugged in, right,
things like that.
So, uh, really, really, really exciting blog post when some

(33:08):
stuff like that comes out.

Speaker 2 (33:09):
So yeah, in my case, specifically, that question was
presented.
How do you know?
The battery didn't just die and, using those pattern of life
events, I was able to see that the phone had been plugged in
and charging for like the prior three hours, so there's no way
it would have died.
I mean, we're probably at 100%.
Yeah.

Speaker 1 (33:31):
I love those kind of Columbo moments.
One more thing.

Speaker 2 (33:37):
But it was definitely something I didn't even think
to look for because I at the time just didn't see why it
would be important.
But once you have all of the details of the case, those
little things become important I mean, there's nothing more to
add.

Speaker 1 (33:51):
You're absolutely correct so my favorite so, but
before you start, I'm gonna now I I'm gonna take the soapbox
that I had last week, and now I'm gonna put it on your side of
the screen, and now it's your turn to give us the meat of this
episode.
I'm really excited about this topic.

Speaker 2 (34:13):
So I'm always talking about reporting and how I hate
the reports, but as the examiner, it's our job to be able to
create an impactful forensic analysis report right.
So even if you don't like the way maybe certain tools kick out
reports, create your own reports.
So I just kind of wanted to go over like some of the things I

(34:36):
find are important and hopefully you'll join me here with us.
But there's some of the things I think are important with
reporting.
So one of the very first things is know the details of the case
prior to starting the analysis and reporting.
There's nothing worse than going down a rabbit hole and
chasing what you think is evidence, just to find out that

(34:57):
it has absolutely nothing to do with your case and I am speaking
from experience on that one.
It may look like oh my God, this is the artifact, that's
going to be it, and if you don't have all the details of
your case, it can end up just being a giant waste of time yep,
no, uh, look, uh, the the reporting I I named when I put

(35:21):
the episode together.

Speaker 1 (35:22):
Like to put it out for everybody, I put reporting
for this section from from possible disaster to attainment
right, and I did that on purpose and Heather's going to go
through those reasons.
Right, the reporting how do you portray the information?
Right?
First of all, either you use your time wisely or not, but
also you can make and break your case right.
Right, and I didn't say we're going to go from reporting, from

(35:44):
disaster to success, or from disaster to I don't know, to
achievement.
Right, because this field we're not here to win.
Hopefully that makes sense for folks.
I'm not here, I'm not winning anything, right?
I guess the win is to be able to portray the facts in the most
clear manner, portray reality, or portray what's on these

(36:08):
devices in a way that's consistent with how they were
actually used in the real world at a particular point in time.
That's our attainment right.
This is not a me.
I'm going to win the case.
I'm going to make sure the person is innocent or guilty.
As examiners, we don't see the world this way.
Right, and reporting is the last piece that could make or
break this whole thing.

Speaker 2 (36:30):
Right.
So with reporting, in my opinion, pumping out reports
created by tools is not enough.
So it's not enough when it comes to reporting, forensic
analysis of any digital evidence.
Dumping all the parsed data into a reader or a portable case
is not a forensic analysis.
A non-existent or poorly written report can put the

(36:53):
outcome of an entire case at risk and also put your integrity
and the risk of the integrity of your entire agency.
If there's not a detailed report to go along with those
tool reports, I'd say if you're going to take the time and say that
you're performing an analysis, the report is going to be that
crucial part that is able to portray the data that you've

(37:16):
seen.
You see the entire story to your case.
Now put it down on paper so somebody else sees the same
thing that you see.
That make sense.

Speaker 1 (37:25):
No, absolutely.
And when you make the point of just pumping out the report,
it's not enough.
One of the reasons that you're saying it's not enough is that a
lot of times, you have something on your screen okay, I
want this right.
I hit the report.
It doesn't look as it looked in my processing screen.
What happened here?
Either something is extra I did not want this.

(37:47):
Why is this here?
This loses focus of what I want or where's the stuff that I
actually wanted?
Right, exactly, exactly.
So the report can, either you got to make sure that
something's not missing, make sure that nothing is being added
and, like you're saying, most likely you're going to have to
redo a lot of it.

Speaker 2 (38:06):
Right, absolutely.
I definitely agree with that.
I think another example of that, too, is the artifacts that a
non-technical person doesn't necessarily understand, right?
So you and I had a conversation, I think last week about about
TikTok, and the application package name doesn't have the
word TikTok in it anywhere.

(38:26):
It says musically, which is what TikTok used to be.
But a non-technical person that you're submitting your report
to, if TikTok is important and they're looking for that
application usage, they're not going to see it because they're
not looking for musically.
And if you're not adequately explaining that in your report,
like, hey, TikTok is your main application for this case and

(38:47):
this is what it's called, and here's where I'm showing you
that it was being utilized on this device they're never going
to see it.

Speaker 1 (38:55):
That's a great example and I appreciate it.
I'm going to steal it from you from now on, just so you know.

Speaker 2 (38:59):
I thought I stole it from you.

Speaker 1 (39:00):
kind of Well, you made it better and I love it,
because just the fact that a difference in name, in one
little name how we refer to it as a user and how the system
internally refers to it, can can make it makes a big difference.
So I, I love that how you, how you, uh, how you put it together

(39:21):
.

Speaker 2 (39:21):
I, I'm gonna steal it from you, thanks I use that
little trick when I used to teach at a college too, so I
would do practicals and that would be it Like.
Look at the application usage and tell me if these
applications were being used on the phone.
And I'd always throw in TikTok, because it doesn't have the
name Gmail also doesn't have the word Gmail in it, it's GM.
So if you're just doing a search in the search bar, you'll

(39:44):
miss that, and they almost always got it wrong.

Speaker 1 (39:48):
So tricky question.
That's what we call in this business, a teaching moment
lesson Absolutely.

Speaker 2 (39:55):
Yeah.
So I think, though, the tool reports are necessary.
You have to have the tool reports to show the artifacts
that you're seeing, whether it be a reader or a PDF or an HTML
or whatever.
They need to be included, but there needs to be that write-up
from you explaining the evidence that you're putting out in that

(40:16):
tool report.
Believe it or not, not everything in the phone comes
out in the PDF, HTML reader or whatever format you're choosing,
so you may see things while you're analyzing data that end
up being key items to your case, and you have to figure out how
to create your own report on that.
I just reach out to Alexis and have him add it to the LEAPPs for

(40:40):
me, and then I have my report, but you can't always do that
right, so you have to figure out how to create your own report
and how to make sure you're accurately displaying and
explaining those artifacts.

Speaker 1 (40:52):
Yeah, and I think people don't.
I call those well.
You explain two things.
You explain first you explain well the stuff that you write
about the report, the tool report, and then the tool report
and how sometimes the tool report is not up to spec and you
have to create kind of your own.
So I get that.
Now I want to talk about the first part, the part, that one
that you write.
I call that a narrative, your narrative of your work.

(41:14):
Right, and I believe this is an opinion.
I believe some people are afraid of writing narratives in
detail.
And why would that be Well?
Because when you write a narrative and you bring that to
court, guess what's going to happen with that narrative.

Speaker 2 (41:26):
It's going to be what You're going to get questioned.

Speaker 1 (41:27):
It's going to be like bingo you're going to get
questioned, right, and people don't want to be questioned,
right, and my take on that is well, that's why you're here to
be able to look if you're working on something and you're
not sure.
Reach out to other colleagues.
Colleagues, make sure you understand what's going on.
Make your narrative, because we depend on you to explain these

(41:50):
to the stakeholders, to the, to the board, to the boss, to the
juries, to the prosecutors, to the defense attorney.
That is depending on you to to help in.
You know, defend properly this accused person, right?
You?
You have to write your narratives and not be afraid of
them, because you know your stuff and if you don't know it,

(42:10):
then you can learn it that's.
That's what we're here for right, and so that's why people are
afraid of that.
They don't want to, they don't want to be questioned too hard,
so they think the solution is well, I'm not going to say that
much.
And actually actually the flip side of that is when, when you
don't say a lot I mean you're not really specific on certain
things you end up having more questions than what you would

(42:31):
have otherwise if you had made a good narrative.

Speaker 2 (42:34):
Or no questions at all, because it's not understood
and whoever receives the evidence is just not even going
to use it, because they don't understand.

Speaker 1 (42:42):
Oh my goodness, yeah, and it could be a oh yeah, yeah
, and it could be a oh yeah.
I mean it could be a disaster in the sense of, in the criminal
sense, a miscarriage of justice or something not coming across
as it should and make a big difference in a case

(43:11):
and you know that it's going to be highlighted at
a trial.

Speaker 2 (43:14):
you have to validate what your assumption is.
It's fine to sit in your office and be like, oh, I think this
is what this means, or I'm pretty sure this is what this
means.
But even if you're 99% sure of what an artifact means and if
it's going to be a key artifact in your case, it needs to be
verified.
You need to know.
You're correct in that narrative, in that write-up.

(43:37):
So testing, verifying every artifact in a case Is anybody
going to do that?
Yeah, not a chance.

Speaker 1 (43:45):
Absolutely.

Speaker 2 (43:46):
But the items that are important have to be.

Speaker 1 (43:49):
Oh, absolutely, and I want to comment because you're
hitting great points.
I just want to quickly, before I hit on those, share some of
the comments from the chat.
Jessica's saying that you know she has a strong opinion on this
and I agree with her.
The narrative is what explains the truth of the data, and that
is our job.
Like that's the part that's the value that you bring where
you're explaining that data.

(44:10):
I also have a comment here how you know it shows prosecutors or
stakeholders what the value of that information is.
If we're not doing that, then you know what are we doing,
right.

Speaker 2 (44:23):
Exactly.

Speaker 1 (44:24):
Yeah, and I just had a point you had to make a second
ago and I lost it for showing the comments.
Give me a quick synopsis of the last thing you said and I'll
pick up from that.

Speaker 2 (44:35):
So I was just saying the forensic guessing Never
guess, you can guess in your office.
Thank you, thank you, thank you.
Yeah, so I was not getting into that.

Speaker 1 (44:41):
So there's just a thing I want folks to understand,
right, and I agree with you no forensic guessing.
And this speaks to how, as examiners, we need to keep a
constant growth mindset.
I say that because, true, some things will come down to a
validation and a verification, but some things will come down
to your expert opinion, and an expert opinion is not the same

(45:04):
as a forensic guessing.
It's really different.
It's not the same thing, right?
You build on your knowledge,
your training and your experience to explain what's the
highly likely probability of something coming out the way it
did.
And that's your expert opinion.
That's something that, if you consult other experts, hopefully

(45:25):
nine out of 10 dentists will agree with you.
Right?
I say dentist because of the toothpaste, remember oh no, I
know the commercial.

Speaker 2 (45:35):
First time I knew what you were talking about.

Speaker 1 (45:37):
Ok, good, good, good.
So I really and again, that your research, your validation,
your testing will build upon you the experience, the knowledge,
the training, the experience enough to be able to say well, in my expert opinion,
based on my training and experience, this is what's
happening here, this is how this behavior on the phone relates

(45:57):
to the behavior of the user, and it's not guessing.
If you think an expert opinion is me, well, I think it might be
this.
That's my opinion.
You're not understanding what you're actually conveying.

Speaker 2 (46:15):
Right.
So expert opinion, forensic guessing, they're not at all the
same thing.
So some of the components of a good report in my opinion notes
you have to have a detailed account of what you did with the
device, the second it comes into your custody.
So how you received the item, was it powered on, powered off,
damaged, locked?
Did you have to manipulate the device to obtain the extraction?
Are there identifying markings?

(46:36):
How did you extract the data from the device?
What tools, including the versions, and why include the
versions?
If you have to go back and do another extraction, or maybe
there was a bug in the tool in a certain version, documenting
those versions is going to be really, really important.
Um, so you know if any of that occurred in in that certain case.

(46:56):
And then, um, what type of extraction also is super
important to make sure it's documented oh yeah, there's.

Speaker 1 (47:03):
There's been cases where how a tool describes a
field might change the interpretation of what actually
happened and the tool wasn't wrong.
The tool is showing you the data that's there, but the
toolmaker put, let's say, timestamp on a field and
creation timestamp, and it may not have been a creation
timestamp, it might be a timestamp for something else,

(47:24):
right and just the word creation.
It might not be wrong, maybe it's creation in a different
sense, but it changes the meaning.
So when you I agree with you when you have down those
versions right as things move along to the case, then we can
refer to those and explain why things show the way they were
shown, because we did it at that time with this version and now,

(47:45):
as the case has progressed, we have been able to refine that
understanding based on new tooling, new versioning, or
testing and validation.

Speaker 2 (47:53):
Right.
If all of this is not documented too, how is the
examiner supposed to remember what they did?
I know I have.
I don't even know how many cases I have, and sometimes it's
years before you have to testify on a case or have to go
back and look at that case again and what you've done and how
many cases have you done since that case.

(48:14):
So I would forget what I did on a particular case if I didn't
have good detailed notes outlining every step I took.

Speaker 1 (48:24):
Oh, absolutely.
And that goes to what Laurie is saying in the chat.
Right, it must be repeatable, because that one makes it
forensic right, being able to say, okay, examiner, unknown
examiner, here's the process, and do it.
But to your point, to me and I agree with you we work so many
cases, right.
Even in one case, you might have like five phones and 10

(48:46):
computers, right.
So what happened with computer A Dude?
I need to refresh my recollection, definitely.
And that's how it is.
I've been in court where I know what happened, but it's so much
of it that I need my recollection to be refreshed.
And what do I get?
I get the report.

(49:07):
If I wrote a crappy report, there's going to be problems.
Actually, I got a story for that, but no, I cannot.
Okay, well, anyways, the point is this Make sure you make sure
no, no, no make sure we write good reports, and when you need
them, they'll be, they'll come to your aid and you will
remember oh, of course, this is what happened Boom, boom, boom,
boom, boom, boom.
But if you don't take those notes, you might find yourself.

(49:33):
What's the saying in English?
Up a creek without a paddle.
Did I get that right?

Speaker 2 (49:35):
Yeah, I think so Awesome, I got it Good.
Also, though without those detailed notes, suppose someone
else has to testify for you.
For some reason you're not available or you're not around
anymore.
You're not available.
They need to have a document of all of the actions you took in
your case so that they're able to, one, reanalyze it and make
sure they agree with your findings.
But, two, I couldn't testify.

(49:57):
I couldn't testify to a case if I didn't know all the steps
that were taken in those beginning stages of the process.

Speaker 1 (50:04):
Oh yeah, and I want to share a comment here from Sam.
I can tell from the report if the analyst understands the case,
which is true, and I want to frame that in the context of
peer review.
All right, before you put stuff out, have another analyst,
another examiner, go through your stuff and they might tell

(50:24):
you I think you're not interpreting this or
understanding it correctly.
Right, or maybe what
you have is correct, but maybe we present it in this other
manner.
It's actually more to the point of what you're trying to make.
So thanks for that comment.
Your reporting has to go to some sort of peer review and I
understand some of us are in not me anymore but some folks might

(50:47):
be in single examiner labs.
When you're the person that does the labs and fixes the
computers and deals with the internet and installs things, I
get it right.
But when we spoke about it last time, make sure you start
making a circle of colleagues that you can reach out for
mentoring, for guidance, for peer reviews and start building

(51:10):
community, even if you're in a one-person lab.

Speaker 2 (51:13):
Agree.
So Sam works in my office and he does all of my reviews and
all of most of the examiners in our office reviews, so I
definitely get that comment he just made.
You can you can tell?
You can tell if the person doing the work has any idea what
the artifacts mean just by the report.

Speaker 1 (51:29):
Absolutely.

Speaker 2 (51:32):
So I would say when it gets time to actually start
crafting or start doing the analysis, as I'm analyzing
extracted data from a device, I'm always crafting the report
in my head as I go.
By the time I'm ready to write the report, I already know
exactly how I want it to look.
Now I just have to get the tool reports to fit what I have in

(51:52):
my head and then my written report to fit that.
But keep in mind of your end product as you're working on the
analysis and all the way through the analysis.

Speaker 1 (52:03):
And that comes with experience.
You might be a new person and think, oh, how do I do that?
And don't worry, it comes with experience.
It comes with you understanding when you start working the case.
You know how the phone works.
You have this background of information that, as you see
artifacts coming to your purview, you're able to start creating,
like Heather says, in your image, a picture of what's

(52:25):
happening in the real world at that time and how those things
go together.
And you don't write those immediately, right?
You start creating that in your mind and then you put it in a
good, really way of doing it.
One comment here.
I want to share a comment here.
Jessica Hyde says that check out the peer review checklist
for mobile forensics.
She has Hexordia has done, and I think it's Hexordia was I can't

(52:49):
remember if it was another on the DFRWS, so Jessica will
correct me in the chat if it's the FDFRWS or it was Hexordia.
But either way, they put together a great peer review
checklist for mobile forensics that you can check out, and
checklists for me are really good starting points to make a
solid peer review process.
The checklist is not the endpoint.
It's a solid starting point to make sure that your endpoint,

(53:11):
your finished product, is of quality.
So we're going to look at that.
I don't have the link here, but we're going to look it up and
put it in the show notes so folks can benefit from it.

Speaker 2 (53:23):
So with the artifacts.
If it's important to your case, explain it.
Explain what it is, explain how it relates to the other
artifacts in your report, explain how it relates to your
case.
Explain how it got on the device.
Explain if it was shared, if it was deleted.
Explain the location you found it and what that location means.

(53:44):
And if you do not explain it there, there's a high likelihood
that no one will ever understand why you included it
or how it relates to your case.

Speaker 1 (53:54):
Oh, absolutely, and I think again, especially, I
would say to you folks, but this applies for everybody.
You've got to take note of the things Heather is sharing with
you.
You will see your users react to those changes positively.
Your prosecutors will be delving into your report and
getting the information that's actionable, that they need to

(54:15):
make their case.

Speaker 2 (54:16):
Yeah, and they want to know that.
Like the prosecutors in my area, they want to know what all
this stuff means and they remember it a lot of times the
next time I go to court on a different case.
So being able to explain that is super important.

Speaker 1 (54:30):
Yeah, it's part of building that brand.
People know what to expect from you as an examiner and what to
think that you're teaching them right.
You're actually teaching them.
You're not giving them just a fish.
You're teaching them, in a sense, to fish right, because
they can now look at those reports and really have a sense
of that mental picture that you're trying to portray to them.

Speaker 2 (54:48):
Right and they're better able, able to better
prosecute the case when they know what something means and
they know what questions to ask.

Speaker 1 (54:56):
Absolutely.

Speaker 2 (54:58):
So another thing if you're using language that's not
known to others whether it be others outside of your agency or
others outside of the DFIR community define what you're
talking about.
So I use CSAM as an example, because not everybody knows what
CSAM means.
We do, a lot of us do.
The jury is going to have no idea what you're talking about

(55:19):
if you say CSAM in your report.
So spelling it out as child sex abuse material and defining
those terms in your report and in your testimony is super,
super important.

Speaker 1 (55:31):
I had a case where I was going to I had to explain
how the user I was accessing certain files, and it's the LNK
files, or link files.
You have to explain what that is.
Well, these files are created in this manner, they have this
information, they keep the status tense from here to here
and then, after you set that table, set that groundwork, then

(55:53):
you can say therefore, the user was accessing these things at
this time.
Right, you have to make those.
I had another case where I had to do a little bit of
virtualization.
So I took one of those share programs, I took some of those
data lists that indicate what the person was sharing and I put
it in a virtual machine and I opened it and I showed look,

(56:14):
this is how the user saw it.
This is not the user computer, but this is the information that
was in this, and then you explain what it is, and then
that makes some sense.
If you don't explain those terms, you cannot assume that
your users know what you're talking about.
You have to write your reports like they don't know, because
they don't know.

Speaker 2 (56:34):
Yeah, exactly.

Speaker 1 (56:36):
And in my agency we spend a lot of time training our
examiners on how to properly define technical terms we call
them tech terms and we spend a lot of effort, conscious effort,
in our training program to do that.
I don't want people to be kind of like forensic, guessing what
that means right now you have, we have a way of saying it and

(56:57):
we try to impress that upon our trainees in their growth process.

Speaker 2 (57:03):
And then the last thing I wanted to touch on for
reporting, which I think is really important, is timelining.
So the way that tools report artifacts often groups the
artifacts and the way that they're grouped in whether it be
category like these are all web history or these are all calls

(57:25):
doesn't always get that timeline of events across in your report
right, so the timeline's lost.
We see calls over in this section, we see messages over in
this section and even though they relate to each other and
they're important, if you don't have a good way of timelining
that for a report, it may not be depicted in the way that you

(57:45):
want it to be depicted to present your case.
So whoever is going to create me the perfect timelining tool
out there, I'm ready for it.

Speaker 1 (57:56):
The whole forensic process.
It's the base.
The foundation is timestamps, timelining when things happen.

Speaker 2 (58:05):
Yes.

Speaker 1 (58:08):
And if you look at a lot of our look, want to say I'm
not a lawyer, right, and I did not stay at a Holiday Inn last
night.
That's a really old reference.
Actually, I don't blame you if you don't get it.
Okay, get it on.
Yeah, I don't blame you, it's really old, but the charges
right.
The legal, you know.
The statutes right.
They require when did this happen?
Right, because if it happened too too long ago, then what

(58:30):
happens with that charge?
It gets dropped, but what's the one I'm looking for?
It gets.
Oh my goodness, when a charge is too old and you cannot charge
anymore, I forgot the word now.

Speaker 2 (58:39):
Like beyond the statute of limitations.

Speaker 1 (58:41):
That's the word.
Thank you, yeah, it might be that it's beyond the statute of
limitations, right?
So it needs to have a timestamp.
A timestamp and a lot of charges.
When did it happen?
Do we have jurisdiction?
Right so the combination of?
But even when it happened, when did it happen?
And I think we agree on this, I know we agree on this.
Our tools do a poor job at timelining.

(59:03):
How they represent that, and sometimes how they represent it
in the tool looks great and then when you put it in the report,
it looks like crap.

Speaker 2 (59:11):
Yes, or it's missing half of the data that you see in
the tool.

Speaker 1 (59:14):
So we've been making this point for a couple of years
now.
Hopefully reporting really gets the attention or at least a
quarter of the attention that some of the AI tooling is
getting.

Speaker 2 (59:29):
Yeah, I wish it would come first.
I'd love a nice report before we add all of the fancy bells
and whistles.

Speaker 1 (59:35):
Yeah, and again, it's a general comment, right?
Nobody thinks I'm talking about any particular company.
No, or anything like that, it's all, oh yeah, again, we're not
shills and we're not haters, we're just commenting.

Speaker 2 (59:56):
So I mean, those are the elements that I find to be
super important for my forensic reports.

Speaker 1 (59:59):
I don't know if anybody in the comments had
anything to add, let me share,because I want to show quickly,
because Jessica gave me the linkfor the checklist, so I want to
show people how that looks, ifI could actually let me pull
this out here.
There we go.
So let me see if I can share it, because I don't want to share
a screen that I shouldn't besharing.

(01:00:20):
Which one is screen two?
Let's open screen two.
Yeah, screen two Perfect, allright, so let me make this big.
So what you see here is fromthe Exordia page and again,

(01:00:49):
we'll put the link.
It'll be long but we'll put the link in the show notes.
You can see here peer review for mobile forensics and then
you can press the button to download the PDF.
I'm going to scroll down and, for folks that are listening,
you can see here, for example, a section for scope. Do you have
scope and all the items you need for scope, the acquisition
tools?
Um, do we have all the aspects needed in regards to
verification, in regards to if the how you got is a forensic
tool, not forensic tool, and the list goes on and on right, and
it's a really, really, really detailed.
It gives you forms so how you uh document your tooling and
your reporting, so please check that out.

(01:01:10):
It has, like I said, peer review for mobile checklist and
the tool reporting document, so we're going to put that link on
the show notes.

Speaker 2 (01:01:21):
Okay, that's all I have for reporting, but
definitely a topic that I am super interested in.

Speaker 1 (01:01:31):
We'll keep being that voice in the desert and making
sure that the companies at some point up their game in the
reporting section.

Speaker 2 (01:01:39):
Yeah, so I want to talk about another blog that
came out and this is by Lori, who is in our chat tonight, and
she did research related to the use of walkie-talkie style
applications.
She specifically chose the application Buzz.

(01:02:02):
It's B-U-Z and Buzz advertises that the app allows you to
effortlessly connect with family and friends, stay connected
through voice even when your phone is locked.
So she and her blog definitely go check it out.
I'll put the link up in a second.
But she creates a mock story to go along with her research,
which I absolutely love, and she details the process of

(01:02:25):
generating the test data really thoroughly.
She investigates the storage locations and the databases
related to the application and then at the end she says her
next project is to write a Python parser for iLEAPP.
So I'm super excited to see your parser for iLEAPP, Lori.

Speaker 1 (01:02:43):
Oh, absolutely, and that's definitely a happy moment
oh yeah, you're going to have the fireworks.
I put some fireworks there celebrating. I'm going to be
communicating with Lori and kind of helping her a little bit,
kind of kickstart that process on automating her research.
And I like the story a lot.
Like you know, when they were trying to steal some things how

(01:03:05):
they're communicating, that was pretty neat.
It was a pretty engaging read.

Speaker 2 (01:03:09):
Yeah, I loved that.
I don't think I've ever seen the mock story in another blog,
not that I've read.
Anyway, I thought it was a great idea.

Speaker 1 (01:03:16):
Oh, I agree, and that's a good example for again,
folks, if you're new in the field, you do what Lori did and
we all benefit.
Right, we're going to create an artifact.
If you going to create an artifact, if you see that,
coming across your data sets, you're going to be picked up
automatically and do the same thing.
Look for different apps that you think have value, do a study,

(01:03:36):
make a, make a mock case out of it and let us know.
And and if you want to learn how to automate some of that, I
have a full free class on YouTube on how to use Python to
make those.
You want to do that?
Or use one of the third-party tools or custom artifacts from
tooling to make it and start sharing that information.
So again, Lori, thank you for that blog post.
I really enjoyed it.

Speaker 2 (01:03:58):
I did too.
So what's new with the LEAPPs these last two weeks?

Speaker 1 (01:04:04):
Yeah, so oh yeah, no, I got a great contribution from
an expert that lives in New York, that works for the New
York State Police.
Why don't you tell us about her work, Heather?
What does she do?

Speaker 2 (01:04:20):
Oh yeah, I don't think I know her.
I think you do thing you do, so um, I'm not my myself and
another analyst in in my office actually found some data related
to the Uber app and, um, it's LevelDBs in an iOS, which I
think this is the first time that I've actually seen LevelDBs

(01:04:43):
in an iOS.
That I that I needed to get the data right.

Speaker 1 (01:04:48):
Oh my god, Sam is saying that she wouldn't stop
talking about it.

Speaker 2 (01:04:53):
This morning at work, I was very excited, so I may
have gone around saying that I created my second um artifact,
for iLEAPP this yesterday.
So yes, I'm excited about it.

Speaker 1 (01:05:07):
Leave me alone, Sam and you should be excited.

Speaker 2 (01:05:10):
Yes, yeah, so I didn't create the the parser for
the LevelDB stuff.
Alexis did um, but I created one for a database related to
the Uber Uber places, so it um was places that were visited
with the Uber app.

Speaker 1 (01:05:24):
Um, and go ahead, tell about your LevelDBs yeah,
so before we go into LevelDBs, uh, I'm not gonna let her
downplay.
Downplay her effort okay it's a SQLite database that has JSON
in it.
Right, and she went and she was able to use JSON extract
functionalities.
Understand what the keys and the values are.
Is there a list or dictionaries within them?

(01:05:46):
Um, that's key other key value pairs and she parsed them like a
boss.

Speaker 2 (01:05:51):
I complained a little, because I don't understand why
there's like lists inside dictionaries, inside other
things, like just put it there for me, but um, they don't.
And I did figure it out though oh my goodness.

Speaker 1 (01:06:04):
Okay, we're gonna continue to have this ongoing
discussion no, no, you will get it okay.
No, I mean, I I wish it was simpler, but no, it is what it
is and actually you did a great job, so I want folks know that.
Uh, I'm really proud of that work and and that's pretty
awesome right I actually like the challenge.

Speaker 2 (01:06:23):
Anyway, I'm just complaining to complain that
that makes it fun too.

Speaker 1 (01:06:28):
Yeah, well, and the thing, folks, the thing with
this type of stuff is that is Uber an important part of your
cases?
It is, even if your case is not about Uber itself, right,
something that happened with Uber.
Uber and I'm going to go into it right now has location data.
Okay, because if you're a driver or if you're a rider, it
(01:06:50):
stays within the app.
And the interesting thing that that Heather and her office
they're a co-worker and some analysts they're found was that
they're being, they're using LevelDBs, and we are so used at
seeing LevelDBs in the context of of the browsers, or maybe
fcMs in Androids and again, we talk about this in other
episodes, so I don't want to relabor the point for folks that
(01:07:13):
are regular listeners.
If you're not a regular listener, go a few episodes back.
Okay, we're used to seeing them there.
But this is the first time that me or Hilda and myself have
seen it as being the main data structure for an app, which I
found it to be super interesting.
What it has on the inside is has the typical LevelDB, you
know, formatting key values, but the binary large object in it
(01:07:37):
is JSON.
It says here the parser sounds uber helpful.

Speaker 2 (01:07:41):
It sure does.

Speaker 1 (01:07:43):
Well, that's why I started the show saying that
Heather was the Uber decoder.
Wink, wink, nod, nod.
Get it now.
Right, the Uber decoder, so?
But yeah, no, it has JSON data within it and when you look at
it, it tells you the timestamp, it tells you the lat and the
longs, the speed movement of the vehicle, it tells you a little

(01:08:06):
bit of what the app was doing.
Right, are you searching for a rider?
Right, because you're a driver.
Are you at the home screen?
What screen are you?
Right?
There's a bunch of data inside those LevelDBs.
I believe that most examiners in our space are not aware that
they even exist.

(01:08:26):
Okay, and that's troubling because we're seeing it more and
more.
By the way, we're going to be discussing LevelDBs in
excruciating detail in nine days in the IASIS class.
You'll be bored.
No, I'm just kidding.
You're going to know a lot about them, but yeah, it's

(01:08:47):
important.
Look, I got folks saying that there's been capital in the chat,
capital on murder convictions based on Uber data right, and
some of that data you can get, obviously through legal process,
right.
But when there's data on the device that you can get that
immediately that might be actionable for your case, you
cannot put a price on it.

(01:09:07):
I don't want to wait weeks to get something when I have it
right in my hand right now and I could give it to my detectives
or my agents and go out and continue the case immediately.
As time passes and we talked about this in other episodes as
time passes, evidence degrades.
Digital evidence degrades.

(01:09:27):
Real-world evidence degrades.
Recollections of witnesses degrade with time.
We need to move fast and one way is being aware of this data
store so we can get to the data as quickly as possible.

Speaker 2 (01:09:43):
So also with the LEAPPs, a new vehicle artifact, right?

Speaker 1 (01:09:47):
Yes, yes, thank you for bringing that up, because,
yeah, so yeah, and really thank you because, and I mentioned in
the last episode, we're really going to be focused on working
vehicle extractions after IASIS July to the end of the year, and
hopefully we can get a lot of support for vehicles, because
vehicles again, I'm going to repeat it, I believe will be one
of our main data sources moving forward.

(01:10:09):
For as long as they're available, most of them are not
in an encrypted state, so we can get to them.
And even if they started encrypting all cars today, right,
you're going to have cars that are not in that state, that
came out in previous years, on the road for decades, right,
right, so there will be always a good data source.
So you gave me some data, some test data, and I made a parser

(01:10:33):
for a RAM 1,500 or 1,600?

Speaker 2 (01:10:36):
I forgot what the number was 1,500.

Speaker 1 (01:10:38):
Yeah, 1,500 RAM and I was surprised how much data was
there.
We got geolocations, and the interesting thing for me as a
developer was that these logs are text files, right, you can
read them with your eyes, right, but they were compressed as
star GC files, a compressedformat, and if you don't

(01:10:59):
decompress it and then go into it, you're not going to get to
it.
Right, and sometimes our tools, if you don't set them correctly,
they might not decompress those files, which means they
will not get those files in the clear text, which means they
will not be indexed, which means that if you look for lat and
long, you will not get hits on those files, even though they

(01:11:20):
are full of lat and longs, like lat and longitudes, right?
Does that make sense, Heather?
Yeah, absolutely.
So you got to look at your sources and make sure that
you're taking the steps to make sure that data is there.
Christopher Vance is saying and again, I cannot respect Chris
Vance more.
He works any more than I do right now.
He works for Magnet, one of the lead researchers there.

(01:11:43):
He agrees 10 out of 10, agree on vehicles.
It's a chance to keep our chip-off skills relevant and
absolutely Heather, I mean explain to the folks why he's
saying that about chip offs.

Speaker 2 (01:11:55):
Like all the vehicles we're doing chip offs on, if
they're not supported by one of the only tools Berla, right? Then
we're taking the memory chip off and reading that data and
either parsing it ourselves or hoping that maybe Berla will
parse some of the data from the chip off, or going to VLEAPP or
other tools that might handle vehicles.

(01:12:16):
But chip off is super relevant in vehicle forensics right now.

Speaker 1 (01:12:21):
Yeah, I mean, for a long time we used to do it for
phones, but phones became file-based encryption and it's
useless.
I mean I guess you could get cheaper from a phone a bunch of
encrypted data.
Good luck, you're not going to get into it.
But cars are not like you're saying.
They're not like that so far.
So we get some data.
Like Jessica's saying in the chat, people update phones more

(01:12:42):
frequently than cars.
Some cars get updated like never.
So there are good data sources and obviously I'm going to have
people understand.
Some people sometimes don't understand where we're coming
from.
We're talking about in every conversation we have about this
type of topics in this podcast.
It's about lawful access.

(01:13:04):
What that means is that we go and we make sure that we either
there's a person, a victim, that consents to get this data, or
we go to the legal process with probable cause, prosecutors and
judges to agree for us to do this.
There is no circumstance where we would do any of this analysis

(01:13:24):
just because, because we're curious, because I have the
ability and I have the tools.
That's not a thing.
And if that happens, because it has happened, the person
responsible will be prosecuted to the full extent of the law
and I want to make that clear for folks that are not in our
field.
We talk about this because it's our field, right?
But it goes on the assumption that all this data is extracted
and accessed with lawful extraction, for lawful purposes.

(01:13:48):
So let's make that crystal clear.

Speaker 2 (01:13:53):
Also new with the LEAPPs.
We have a new blog by Stark Forensics, Kevin, about the
Splitwise app.

Speaker 1 (01:14:01):
And that was an interesting app because it's an
app for money and if there's one thing that will help you in
your case, it's following the money.
And that app has information about groups of accounts where
you pay things, where you receive money, send money, where
do you send it to?
And this is a good example of why doing CTFs is important.
So Kevin was looking at the Belkasoft CTF image and he found

(01:14:30):
out that Splitwise app was installed there and he made his
analysis and if he found tons of good information for that app,
he immediately made a blog post, immediately made an artifact
for the LEAPPs for it.
And again, if you make those artifacts, you automate them.
When you run your next extraction they're going to come
and kind of be apparent, which they wouldn't be otherwise.

(01:14:54):
And if you're not looking for it, at least the tool will look
for you.
And I'm going to make one quick point on that.
My habit in my cases is I run my tools, I look at the things
that I know I have there and I do a sanity check.
That means if it's an Android device, I look at the data data
folder and look at the bundle IDs, glance them to make sure

(01:15:14):
there's not one that you know kind of sticks out that I
haven't seen before.
So I look, right? If I'm doing an iOS.
You cannot do that with iOS, but what you can do is I have a
list with my own tooling based on different data sources in iOS
devices.
That tells me all the apps that are installed with their names,

(01:15:34):
and I go quickly and do a sanity check, make sure that I'm
not missing something.
Let me rephrase that. Making sure that the tools are missing
something that needs to be looked at.
Does that make sense, Heather?

Speaker 2 (01:15:45):
Yeah, absolutely.
I do the same thing, I mean a lot of times.
I'll bring it into one of the commercial tools and I
immediately go right to the installed applications.
Because, it's not going to just show you the installed
applications that the tool supports.
It'll show you all of the applications, so take a look
through and find the ones you're right that you don't recognize
or that the tool is saying they don't support.

Speaker 1 (01:16:06):
Well, let me give folks a little bit of an
advanced suggestion.
Right and again, this is fine.
What you're doing is fine, it's not wrong, and I do it too, but
I really like doing.
How can I say this?
Let me step back. In iOS
there's two easy main ways of figuring out if applications are
installed.
The applicationState.db, that's what everybody uses.

(01:16:34):
It's a database that has those there.
But there's also and Jessica is agreeing with me, right, the
app state DB.
But there's also each, every application folder has a dot, a
file that starts with a dot.
When a file in a Unix, Linux, macOS system starts with a dot,
it's invisible to the user.
Okay, starts with a dot.
That plist that starts with a dot has information about the
app that resides in that directory.
Does that make sense, Heather?
Yes. All right, my tooling, I say my tooling, but the LEAPP

(01:16:54):
tooling, the community tooling, takes those dot files and
extracts that information for them.
Why is that important?
Sometimes and I've seen it more than once when you delete an
application on an iOS device, it will leave the App State
database, but that folder of the app it hasn't been garbage
collected yet.
When you make the image and you find a folder, it's empty.

(01:17:17):
It has stuff, but it has that file there and you can say, look,
this phone doesn't seem like this application is here, but
that folder is there and it belonged to this application.
An example that might be real or not the Dropbox application
was deleted before the officers got to the phone right, and it

(01:17:37):
doesn't show in the AppState DB.
But the folder wasn't garbage collected and the file, the
plist inside of it, told me that that GUID folder was for the
Dropbox application, which is the reason we were at that door
that day.
Does that make sense, Heather?

Speaker 2 (01:17:53):
Yeah, absolutely makes sense.

Speaker 1 (01:17:54):
So I'm just going to give the folks an extra step to
possibly take when they're dealing with this. Always think
of have a sanity check to make sure you're not missing
something.
That's the big takeaway.

Speaker 2 (01:18:05):
Agree, agree, 100%.
So that brings us to everybody's favorite, the meme
of the week.
Woo-hoo, where's your fireworks?
Right yeah?

Speaker 1 (01:18:18):
Yeah, well, actually, they're right here.
Actually, since I used the fireworks already, I think I'm
going to go with some lasers.
There we go, ah, perfect perfect, there we go.

Speaker 2 (01:18:32):
Some confetti just for good measure, all right, so
I am pretty sure this is my new favorite.
Um, I absolutely love this meme.
I can't scroll in.
Okay, so we have nine different scenarios of monitors for a
digital forensic analyst right, the one monitor computer for the
new examiner.
The very large screen monitor for an examiner, two monitors

(01:18:56):
for the reviewer, a monitor and a longer monitor for the
examiner.

Speaker 1 (01:19:01):
Which, by the way, the reviewer has two monitors,
but there's two small monitors.

Speaker 2 (01:19:05):
Small, yeah, small monitors.

Speaker 1 (01:19:07):
I'm sorry reviewer, I'm not going to give you my
curve OLED.
You're going to get two little monitors and be happy with that.

Speaker 2 (01:19:15):
And then it goes on with nine different versions.
My very favorite is number six, though.
We have six monitors, three stacked on three, and that is
the supervisor that does not do forensics, and I think that's
why I love this meme.
That's why I love this meme the best.

Speaker 1 (01:19:33):
I think this meme had a whole bunch of hundreds of
reactions and a whole bunch of 40 something comments, and I
think it's because everybody knows that supervisor that has
the best equipment, even though they do none of the technical
work.
Yes, let me see, Sam.
Sam, we're not, look, look.
This is a general comment.
We're not talking about your office, okay, or about any

(01:19:54):
specific office not even my office, it's other people's
office.

Speaker 2 (01:19:57):
I actually made that joke because one of our, our um,
our bosses, our supervisors, has that that setup.
But he does do.
He does do a lot of forensics still too so so I can't really
pick on him about it, but I did show him the meme and he looks
at his setup and he's like oh, oh no.

Speaker 1 (01:20:16):
And even if he didn't, you better say that he did
okay, oh, yeah, yeah, no, the setups and I think the setups
again, I come up with these because it's a reflection of
what we do day to day and we see ourselves in it and we laugh
about it.
But it's true.
Right? At the end of the day, we deal with what we have, and

(01:20:37):
what we have will reflect who we are and my monitors.
I had the eight, which is two big vertical monitors and one
horizontal, but I changed it.
Now I have a big, big, big, big big, you know kind of curve
monitor.
It took me years to be able to procure that. Government

(01:20:58):
procurement.
You know how it is.
And then I have some smaller ones, but again that that
changes.
Oh, before we close the show, I want to.
Chris actually looked up.
I mean he knows it by memory.
The file that we're talking about, the plist file, is the
.com.apple.mobile_container_manager.metadata.plist and I

(01:21:20):
leave those, like Chris is saying in the chat, in mass.
I make a list and what application is relevant to that
particular plist, and so check that out.
You will get a real good sense of what's been installed on that
device.
But going back to the memes, I think we should not only portray

(01:21:46):
the truth of our cases and our work but also share with each
other what makes the job funny, what makes the job fun, what
makes the job us right, and start building that community
also through that.
A lot of our job is serious, traumatic, in some ways right,
but we can also take joy and let that happiness, happiness also

(01:22:10):
go as far as as as we can.
And I mean this is one way we can do it.

Speaker 2 (01:22:15):
And we can use it to pick on the supervisors that
don't do forensics.
So I mean it's a win, win.

Speaker 1 (01:22:24):
There's a.
There's a meme that is like you know pick the Uno cards. Like
one card.
Oh yeah, stop picking on your bosses.
Or take 25 Uno cards and I have 50 Uno cards now I won't make
fun of that.
I'm kidding.
Actually, I have a really good boss, by the way, and I'm not
kidding about that.
So a commenter on LinkedIn is saying keep the memes coming,

(01:22:49):
don't you worry.
My field of memes has been planted and the memes are
growing, so you don't have to worry about that.
Well, Heather, I think we've reached the end of the show.

Speaker 2 (01:23:04):
We have.

Speaker 1 (01:23:05):
Thank you everybody.
At this point we're not looking at the clock anymore, we just
go yeah.

Speaker 2 (01:23:11):
This is our show.

Speaker 1 (01:23:13):
This is our show and we'll stop whenever we feel like
it, Exactly.
Oh no, I hope you enjoyed it.
I sure did.

Speaker 2 (01:23:20):
Yes, absolutely.

Speaker 1 (01:23:21):
And I hope the folks listening and watching enjoyed
it as well.

Speaker 2 (01:23:24):
Yeah, thank you.

Speaker 1 (01:23:25):
Please reach out to us on our LinkedIn Digital
Forensics Now podcast.
Send us your ideas for topics, send us your questions, send us
your comments.
Make it constructive, please.
I'm sensitive.

Speaker 2 (01:23:39):
I'll deal with those other comments.
All right, all right.

Speaker 1 (01:23:43):
Thank you, everybody.
And any last word for the group of the order.

Speaker 2 (01:23:48):
Heather.
No, that's it.
Thank you very much, everybody.

Speaker 1 (01:23:50):
All right, we'll be seeing each other at IASIS.
We don't know what we're going to do.
I'm hoping to do something, butwe'll see.

Speaker 2 (01:23:57):
Yeah.

Speaker 1 (01:23:57):
Something fun during the IASIS week, so we'll see
what we can come up with, but our next podcast will be through
the training in IASIS, so be on the lookout for that.

Speaker 2 (01:24:06):
Yeah.

Speaker 1 (01:24:07):
And with that everybody have a good night.
See you soon.
Good night, Bye.
Outro Music.