
Join us on the Digital Forensics Now podcast as we explore the details of the iOS 18 inactivity reboot issue with mobile forensics expert Christopher Vance from Magnet Forensics. Chris traces the origins of this challenge back to iOS 17 and explains how unified logs play a key role in diagnosing these system memory resets. This episode is packed with valuable insights for anyone interested in the inner workings of iOS devices and the unique considerations they present in digital forensics.

We also discuss device security and data preservation, focusing on iOS devices. Examining the balance between law enforcement’s need for data access and Apple’s privacy measures, we highlight the importance of extracting the data from devices quickly to prevent data loss. Our conversation covers the legal complexities, jurisdictional nuances, and the demand for data preservation tools to address these challenges effectively.

We explore recent developments in mobile technology, specifically Android 15's "Private Space" feature and how it will affect the digital forensic community's workflow.

With insights from industry experts, this episode is full of essential updates tailored for digital forensics professionals looking to stay current.

Notes:
iOS Devices Rebooting
https://www.magnetforensics.com/blog/understanding-the-security-impacts-of-ios-18s-inactivity-reboot/

5 iOS forensics evidence sources to capture before they expire
https://www.magnetforensics.com/blog/ios-forensics-evidence-sources-to-capture-before-they-expire

Mac and iOS Forensic Analysis and Incident Response Poster
https://www.sans.org/posters/macos-ios-forensic-analysis/


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:12):
Welcome to the Digital Forensics Now podcast. Today is Thursday, November 14, 2024. My name is Alexis Brignoni, aka Briggs. I'm accompanied by my co-host, and before I tell you my co-host, I want to take the overlay so I can see your face, my co-host. The justified tool grumbler, the organizer queen, the hardest

(00:37):
working squirrel east of the Mississippi, the one and only Heather Charpentier.

Speaker 2 (00:43):
Oh, my God, the one and only Heather Charpentier.

Speaker 1 (00:46):
Oh my God. The music is hired up by Shane Ivers and can be found at silvermansound.com. Heather, Heather, Heather, hello, see this. Abrupt endings. I hate it. Obviously you know why. I had all these little monikers for you this week.

Speaker 2 (01:01):
I do. A few other people do too, but I definitely understand the organizer queen especially. Thank you. Thank you for that wonderful introduction.

Speaker 1 (01:12):
Well, today is a really special day and I'm glad I'm seeing some folks already coming in from YouTube, and so if you can leave some comments, say hi. We got a special show today, so we're going to really get to it. Actually, you know what? Yeah, I think we should get to it.

Speaker 2 (01:27):
Um, let's do it.

Speaker 1 (01:28):
Yeah, let's do it. So we have a special guest today. It is the one and only Christopher Vance, and I'll give an intro before I bring him in. I've known Chris for many years actually. We presented some years ago at the D4 Summit, one of the D4 Summits in Austin, I would say maybe five, six years ago, and he

(01:49):
is really well known in the community, an expert that I respect a lot as a person and, again, as an expert in what he does. Specialized in iOS when I met him, but now he specializes in also some mobile forensics. He works at Magnet Forensics, one of their resident experts there, and we brought him in to discuss the iOS 18 rebooting

(02:09):
issue. That has been the talk of the news and talk of the town, so let me bring Chris in. Hello, Chris. Hey everybody.

Speaker 2 (02:20):
Hi Chris.

Speaker 1 (02:21):
So we got some folks in the chat. Hi everyone. So again, Chris, I gave you an introduction, but we all know you really well. Everybody knows you, so tell us. So iOS devices are rebooting. People are losing their minds. Why is that? What's happening?

Speaker 3 (02:39):
Yeah, and so this is an issue that we've been tracking for kind of a while now. This has been something that I've been seeing and trying to get my head around probably for at least the last six months, maybe nine, and it wasn't really contained just to iOS 18. This is something that's been going on. There was a big delay in some of the access that we had in 17.

(03:04):
It was just, you know, 17 was difficult. So a lot of folks were asking me, hey, we got it to this phone. We saw that it was rebooted. What happened? What's going wrong? We keep seeing this and digging into it. We started looking at different things and trying to figure out what's going on.

(03:29):
After a while, I started to notice a trend, and that's one of the big things that I do in my job right now, is I look at the trends in the industry. I look at, you know, I look at what's happening with a lot of the different devices that are out there and I try to stay ahead of them as much as I possibly can, just trying to get like, hey, what's the next thing that the community is going to want to know about? So I can rip that apart first. The big one has been like, okay, so why is this happening?

(03:50):
So I started to notice after a while a certain pattern, and anytime anybody would ask me I'd like pull out my best, you know, good old fashioned, like Johnny Carson impersonation, like hold an envelope to my head, let me guess: iPhone 15s, probably something, it's like iOS 17.4 or higher, and they're like,

(04:12):
how'd you do it?

Speaker 2 (04:14):
You said that to me recently.

Speaker 3 (04:15):
Yeah, it's nothing special. It's just that's what I happened to notice, what we typically found. Now, I obviously don't have access to all of these magic devices out there. Like, it's not like I can go out there and get evidence items, but what I found from looking into anything that did reboot, it was usually a memory maintenance issue.

(04:36):
And this is just like any computer, right? When you run too much in the process memory for too long, you are opening yourself up to potential crashes. And so what iOS does is it says, hey, you know what, process memory's been running too high for too long, we're just gonna

(04:57):
do a nice little soft reboot. Because, if you think about it, what's really gonna happen to the end user if I reboot my device? Right, not much, right? Maybe all of a sudden my contacts aren't showing up number-wise to name-wise and I just got to unlock my device. So it's kind of like a nice little safety mechanism for them.

(05:18):
They don't have to worry about, you know, a device going into a kernel panic. They don't have to worry about anything, know, major crashes kind of happening, and anyone that I got a hold of, even ones that I may have purposefully tried to break myself, um, you know, Magnet knows me. Uh, folks that know me kind of outside of Magnet. My internal title at Magnet literally is the breaker of

(05:40):
things. So I take my job very seriously. Um, but when you know, even when I was trying to do this myself, I always, you know, got the same call in the unified logs: system memory reset, one word, system memory reset, and we put that on the blog that we put out yesterday, because that's typically what we saw when it was a memory maintenance issue

(06:01):
is that's why the device rebooted. Yep. Now cut forward to iOS 18 and it was a little bit different. Um, you know we were already, you know we've been looking at iOS 18 a lot. I personally have. Um, you know we do, uh, we do Mobile Unpacked over at Magnet, which is my web show I get to do once a month, basically just some like, hey,

(06:23):
free stuff for the community. I try to make it no product but like, here's something that we found. 18 was my big thing recently. Digging into the artifacts, didn't see much of this one. When all the big hoopla kind of started, we dug in deeper, um, digging in really deep, trying to find what we could find, and

(06:43):
I started doing my own testing and, sure enough, almost to the second, 72 hours, there it went like clockwork. So we did a bunch of testing internally. Our guys are some of the best of the best, of the best and brightest that it comes to with our internal dev team, and I

(07:05):
could not be more proud and privileged to work with those folks. But I mean, I'm just the artifact monkey, as I call myself. I like to keep stuff apart and they tell me what it actually means. But honestly, we were able to find that. You know, confirm what a lot of folks were saying. It was added in 18.0.

(07:26):
It was originally a seven day timer in 18.0. They shortened it to three days, 72 hours, 18.1. And uh, the only thing that is going to make this timer go away is unlocking the device. Um, it's not tied to the airplane mode or the network settings. It's not tied to the charging state.

(07:48):
You can't put a mouse jiggler on this, right? I read that one a lot. Yeah, let's go back to the mouse jiggler days.

Speaker 1 (07:57):
I wish. Right, it's not a Windows box, yeah.

Speaker 3 (08:01):
It's not like we're waiting for it to go to sleep mode or anything, right. It's 100% tied to the lock state. So even trying something like a failed password attempt, which I never recommend because you never know what you're going to do with that, there's a lot of things that could go wrong there,

(08:22):
especially when you don't know how many times other people have tried a password before they've given it to you. You know, it's just one of those things that's not going to work. The only thing that's going to reset that without using some sort of tool is going to be an actual unlocking of that device. That is why, fundamentally, it's just going to change how we

(08:48):
have to deal with iPhones. We have to treat every single iOS device now as a volatile piece of evidence, and I think that's just the way we have to look at it. I don't really think it's going to... You know, it's not great, but as long as we start treating this as just another volatile piece of evidence, then we can handle

(09:10):
that. We got three days that we know we have a timer, just like any other piece of evidence, physical or non-physical, that we have to work with. We know. You know, and not to date myself of how long I've been doing digital forensics, but when I first got into digital forensics we still had call detail records that had content.

(09:32):
We could get text messages, like the content of them.

Speaker 2 (09:37):
Oh, but we had to act fast, right.

Speaker 3 (09:41):
It was like we had 24 hours at max to get that preservation order, and we knew we didn't get it, we weren't getting it. So it's kind of like that again. We know we have to move quick on these things, we have to move forward, we have to preserve that data. I think there's going to be a lot of back and forth kind of

(10:02):
arguments on legal-wise with this. I think it's going to bring up some good debates over what is seizure, what is search. I've got my own opinions about this. Some might say I'm wrong, I frequently am, but you know I've

(10:24):
got my own opinions about, hey, imaging the device. Is imaging the device... I would, you know, kind of put this the same way as I am seizing a physical device to keep somebody from tampering with it, I'm seizing an image to keep the device from tampering with it. You know, I'm not searching it. Jurisdictions aren't always going to see it that way.

(10:46):
So I'm in good old Fourth Circuit. It's going to be very different from Ninth Circuit, going to be very different from the federal system, going to be very different from, you know, international courts.

Speaker 1 (10:59):
So you know I can't speak for all of that and I'm sure it's going to bring some awesome debates as we go along with this. And let me ask you this, Chris, because I mean part of that is the whole access to content, right? Because you're saying I'm preserving, therefore I'm accessing content, and most tools when they preserve, that's not preserved. Let me say that. When you start, even when you unlock it with a tool, right, even if you don't do the extraction, it's going to

(11:22):
tell you what the IMEI is, who the possible account is. I mean, do you think vendors will have to say, look, let's give users like a preservation mode where not even that is shown, right? Because I could see some jurisdictions saying, well, you got the IMEI, you got identifiers for the account,

(11:43):
numbers, search. So I think, maybe, what do you think? Maybe vendors should maybe think about providing, like, this preservation piece that doesn't show you absolutely anything, maybe an ID indicator of preservation that's not tied to anything on the device. I don't know if that makes sense to you.

Speaker 3 (11:56):
Yeah, no, I think there's... I think there's a couple of different ways to look at it. We've had some very lively internal discussions already since this has kicked off, and I can't really say too much here. But we have a plan moving forward on how we're going to deal with it and how we're going to handle it.

(12:18):
But I think vendors will probably approach this differently. Some might opt for a system where they do a collection with absolutely zero display to the user and just say, hey, it's here, but you know, the moment that you touch it we're going to log that you touched it, kind of thing.

(12:39):
Like with an audit trail, which I'm not opposed to because I love logs. I spend all day in logs, that's what I do. But at the same time, you know, some have talked about, well, what if the tool were to encrypt this file and, you know, the

(12:59):
decryption key would have to be used, and then that makes a record of the fact that the decryption key was generated? You know, I think there's a lot of different ways the vendors can tackle it. I think that we will have to understand as a community, and I'm going to say this as someone who works for a vendor, that's

(13:20):
not going to happen overnight. Backlogs are a thing, and I did not learn this. I used to be... You know, I went from being an analyst to being a trainer for Magnet and some other vendors, to then suddenly working in product management and internal development stuff, and boy did I

(13:41):
not realize how big backlog was a thing for them too. I mean, backlog is a dirty word everywhere. Um, but like we can't just go and like say, hey, forget everything that we've been talking about doing and now we got to do this. Um, I think vendors are going to have to do some different

(14:02):
things. Vendors might have to change things and laws are going to change the way we do things. But it's going to take a little time and I think that... I think we're just kind of in a bit of a wait and see moment with that and just kind of see how the community reacts.

Speaker 1 (14:20):
Yeah, go ahead.

Speaker 2 (14:22):
For now, though, so we don't always have access immediately to these devices that are potentially going to be rebooting within 72 hours. Can you share anything about what the plans are to help that to stop happening? No, okay, but there are plans in the works.

Speaker 3 (14:41):
I hear all over the place, so I guess watch for it. I can say is, you know, we always have best intentions and plans, um, to provide the best access day one. But you know it's a cat and mouse game and it always will be.

(15:01):
But the best I can say is, the moment that you get, anybody can get their hands on one of these devices, you've got to move forward with preservation or capturing it or whatever that's going to end up looking like. For whatever tool you're using, if you're in a space where you

(15:24):
have the passcode, you have consent, you know you're not going to be in that situation. This is going to be for devices where, and that's a big thing, we've had a lot of people wondering, like, how is it going to impact in the corporate system or how's it going to... It's really only going to impact where you have a non-compliant device, someone who's unable to give up the

(15:46):
passcode or unwilling to give up the passcode, and you have to gain lawful access to that device without the consenting keys. And that's really where it's going to be an issue, and I think that's just the one thing that we're just going to have to kind of see where it goes. It's going to be a cat and mouse game for sure, but that's

(16:10):
what keeps us on our toes.

Speaker 1 (16:16):
No, go ahead. No, go ahead, just real quick. I mean, yeah, just real quick. You mentioned how, and I do appreciate the background, because you're mentioning how memory gets filled, and for the vendor, I say vendor in the sense of providers like Apple, right, it's good for them to invite the device to restart, let's say when the person's sleeping or not using it, because then the user doesn't see the product not working correctly, the

(16:41):
degradation of the product, right. And I appreciate you saying that, and tell me what you think about the next thing I'm going to say. I've seen some folks, especially in my law enforcement circle, saying, well, Apple did this just to mess with us. And my first take is, well, they owe it to their clients, and I think what you said kind of feeds into that.

(17:03):
This might be more of a feature for better, for kind of cleaning that memory out, for the system works better, more than just trying to thwart anything as a security measure, I would say. I mean, I guess we can't read Apple's mind, but what are your thoughts on that?

Speaker 3 (17:18):
Yeah, and we can't read Apple's mind. I mean, like, if you, and you'll appreciate this, this is one of my green bubble friends, but if we take a look at the Android ecosystem, I mean some of the Android devices have been doing this for a while. Yeah, sure, Graphene has been doing this for a long time. Obviously, Graphene is security focused, but at the same time,

(17:41):
you know, we have, in iOS, never really had that issue before, but we've never had all of the things running on the iPhone that we've quite had at this level before. It has been very interesting for me to watch all of the

(18:03):
things that are running on a locked iPhone throughout this process. And a lot of folks say, you know, like there can't be that much going on, right? There can't be that much happening on a device that's just locked, in airplane mode, and you know there's a lot going on. Like you hook one of these things up and you watch stream,

(18:26):
and I'm not talking about high level, you know, hooking into the device, just streaming the unified logs. It's insane how many processes are running, how many things are happening in the background. There's a lot more than you think, and Apple does have a responsibility to their customers, especially as their

(18:50):
customers, more and more, are in different sectors. They're in the governments all over the world being used. They're in private industry all over the world. They're in the militaries all over the world and, being in that space, they want to make sure their devices are well protected. They want to make sure their devices are well protected

(19:12):
against different kinds of attacks, and one of the best ways to clear out, you know, bad stuff is to reboot your device. You know, and so I think Apple doing this, do I think it was a security measure? Potentially. Apple hasn't updated the security document,

(19:33):
guide yet, as I said in the blog that I wrote that went out. You know, it's been a couple of months but still haven't put it out yet. So, you know, probably around January, February we might get one, but I think, in my personal opinion, it was probably a security measure. Was it specifically to mess with the digital forensics

(19:56):
industry? No, this is a service to the overall end user, to protect the overall end user's privacy, to protect the overall end user's general experience, because the more that an end user's device just has problems, they're not going to like it.

(20:17):
It's an inactivity timer, so it's not like it's just going to happen overnight to the same point. So it also does make me... Maybe I'm just projecting, but I feel a little hurt by it. Apple, come on. But at the end of it, it probably was a security measure

(20:41):
for the general user. I mean, Apple has said for years they're the privacy phone and that's been their position for a long time.

Speaker 1 (20:52):
No, that makes absolute sense.
Go ahead, heather, you had aquestion.

Speaker 2 (20:56):
No, actually you already talked about it.

Speaker 1 (20:58):
Oh, okay, perfect. No, so I guess the last point I would like to make is, so you mentioned about treating devices, right, as volatile. Right, and we kind of knew this because, like KnowledgeC, you know every day you miss, you miss data, or the biomes now, but like we never... Like we say it, but people leave it there for a few days and they don't

(21:18):
mind about it, but now they lose the access, right. So any best practices you can share right now in regards to that, or are we just stuck with having to hopefully unlock it and go from there? I mean, what's your state of play right now?

Speaker 3 (21:32):
Honestly, my best practices haven't changed at all. I've said the same thing. So since I was back in training and I helped to develop some of the original mobile classes for Magnet, you know, same thing I've been preaching for years is, as soon as that device comes into your possession, image it.

(21:54):
I don't care if you have 1,700 cases in the backlog ahead of it, that's fine. Image it today, not six months from now, not six weeks from now, not six days from now. Today. Get it imaged as soon as you possibly can once it comes in

(22:16):
the lab. And a lot of folks ask me why. A few years ago, and I haven't updated in a long time, and shame on me, been a little busy, but I wrote a bit of a guide on the volatility of iOS data, and I looked at data across the iOS file system and I measured how volatile is this data?

(22:37):
Some of the artifacts that we know and love, 24 hours, like some of the records and some of the databases, you're only getting in the last 24 hours' worth of, right? PowerLog, one of my personal favorites, you know. I mean, as Alexis said, we did a SANS presentation years ago.

(22:58):
He could not get me to shut up about the PowerLog database back then. Right, and that thing, 14 days. You know, that's half of what we get in KnowledgeC or the, you know, SEGBs, because we probably should call them SEGBs and not biomes.

Speaker 1 (23:16):
Thank you.
Thank you, Chris.

Speaker 2 (23:18):
You just made his night.

Speaker 3 (23:20):
I take full, my own part of that responsibility for all the blogs that I wrote on them, because we as a community are not the most imaginative bunch when it comes to naming. Hey, what do we call it? It's in a folder called biomes. That's a good idea. But we got 28 to 30 days, whatever you want to say there. PowerLogs were 14.

(23:41):
Some of those records are 24 hours. We've got cache locations are seven days. Yeah, why wait? What's the harm in imaging now, if you have legal jurisdiction, if you have the authority to search that device? Why wait? You are not gaining any new data by waiting and you only are

(24:07):
opening yourself up to the potential for less data. Yep, the data is not like that, that image. If I take that image today, it's not going to change. In six months, when I finally get around to analyzing the case, that image is still going to be the same. And I know it's still going to be the same because I'm going to have all the right hash values, versus if I just take the phone.

(24:29):
Well, now I don't really know what I could have missed. So my opinion is unchanged from... I mean, like to me, yeah, this is a thing we have to deal with, but I don't see it as a doom and gloom. I see it as just proving my point: get the device, get it imaged.

(24:49):
Get it imaged, yes, definitely.

Speaker 1 (24:56):
Definitely. I mean, Chris, we appreciate you taking the time to speak with us and speak to the community about this issue. That's been like a really, really hot button relevant thing. So we appreciate you for coming on and we're going to bring you next time for other things, if you let us. Exactly. Definitely. All right, I appreciate it, man.

(25:18):
Again, thank you for the SEGB thing. I'm going to mention more about that later.

Speaker 2 (25:21):
Yeah, and anybody listening, we'll share that blog post that Chris wrote. We'll share that in the show notes. Thank you so much, Chris.

Speaker 1 (25:32):
All right, awesome.

Speaker 2 (25:33):
So that was, yeah, you heard it from the source, what we should be doing with these phones. We should stop freaking out, because everybody's freaking out.

Speaker 1 (25:41):
I was freaking out.

Speaker 2 (25:42):
Yes, and just do what we all say we should do, and do it faster.

Speaker 1 (25:48):
Yeah, I mean, and it goes with that due diligence, right? Look, if, actually I think we should get into the topic, right? Chris was mentioning really clearly about, well, data preservation, right, what's the deal with that? And it depends, he said, on the state, literally where you live or where you are working, right, and the jurisdiction that you're working, right. So I mean, what do we have on that?

(26:11):
I mean, what are the different practices that you come around?

Speaker 2 (26:14):
I mean. So the question is, should we be able to extract the data? A lot of people actually have been mentioning it on LinkedIn. Should we be able to extract the data before legal authority to search the data is signed, is approved by a court, by a judge? And I think Jessica Hyde actually has a post on her LinkedIn right now where there's a back and forth between a lot

(26:35):
of people in the community talking about the pros, the cons, what they think is going to happen in the future with this, but there's some comments on there that I thought were worth sharing. Let me grab those. Absolutely so, Chris.

(26:57):
I grabbed one of Chris Vance's. He equates it to taking the physical device so it can't be tampered with. We're simply taking the data so it can't be tampered with. He said that on Jessica's post and he just said it in his, uh, his, uh, talk a minute ago. Um, there's also talk about how most judges don't understand data. Superior courts generate a decision without comprehending

(27:18):
what they're deciding on. This then trickles to the lower courts, who generate decisions without comprehending what the other judges who didn't comprehend generated decisions on, and we look like deer in the headlights while these decisions are made because of how inaccurate those decisions are. Tom, uh, Tom Lilienthal wrote that.

Speaker 1 (27:36):
I thought that was an excellent fact about the knowledge. I think that speaks to the fact that we're depending a lot on case law, right. At least from my perspective, the ideal scenario is to have whatever lawmakers from that jurisdiction say you're allowed to do these things, you're not allowed to do these things, and have proper codification of what that is.

(27:57):
But we don't, right. So we depend on the case law. Like he was saying, a judge case on back case law, and then other judges depend on that case law and then it gets propagated, and, like you were saying, I think that speaks to the technical expertise of the judges but also the person explaining it to them. Let me bring Brett, because Brett is in the chat.

(28:18):
Brett is great. He says, well, how about exigent circumstances? Right, and that's a tough one, right, because you could say, well, if I don't preserve this, I'm going to lose it. That's an exigent circumstance. But in that jurisdiction, what does exigent circumstance mean? In some jurisdiction it might mean, like, the loss of data is not an exigent circumstance. In a jurisdiction, maybe it's just the loss of life or

(28:42):
something of the sort, right, or maybe some... If we don't get this data, you know there's a time bomb, right, some sticking, or we got a kidnapped person, right, and again, that's a good point, it's not going to be wrong. Can we maybe build some case law around considering the loss of data as an extreme circumstance? That's a good point, I mean. I think it's a good argument as well. Also, there's counter arguments on how do we do that.

(29:03):
I'm going to give my opinion real quick, because that's what I do here. Go for it. Yeah, I think one way of threading that needle between case law and preserving and seizing, because now we're making this distinction in the digital realm, like Jess was saying in the chat, that preservation is not search, right, that seizure... Actually, we can even separate it further.

(29:25):
You got seizure, I got the thing, the physical thing, then the concepts, I preserve, and then I have to look, I look into them, right. So there's different aspects there and sometimes I believe the law is not really clear on what the interplay is on that. So one way of turning the needle, I think, and I mentioned with Chris, is maybe the tools need to give us some way of preserving, blindly preserving data, right.

(29:47):
Put that blindfold in front of us and saying we got the data and, yes, we got it. I don't know what it is. I have no way of knowing what it is, because I don't think courts want to just trust blindly. They'd rather have us be blind than they trust blind, which I guess kind of makes some sense in a certain way, right? Yeah, and if toolmakers, I believe, and this is an opinion, again, I

(30:08):
don't... Oh, we haven't said it, we have to say it. Any opinions expressed by Heather or myself, they're only talking about ourselves as examiners in the community and do not represent the opinions, beliefs or practices of our employers. They have nothing to do with them, okay. So back to the comment. If vendors go about doing that, then I think that pre-results a lot, because we, as examiners, we can deal with the looking at

(30:30):
the data, but the extraction of the data, that's a thing that we can outsource to vendors for many reasons that are obvious, right, in regards to being able to preserve the access and other things and the research that goes into it and so forth. So I don't know, maybe vendors should start thinking of, hey, let's create some like a preservation mode, maybe, right, not just extraction and parsing, maybe preservation under

(30:52):
extraction and then regular extraction and then your parsing as part of the workflow that needs to happen in order to kind of create good case law, I think.

Speaker 2 (31:02):
Right, yeah, it all has to start with the case law. So I'm going to cite a case, actually Riley v. California. This just shows how kind of out of touch people are about digital evidence. But they held in Riley v. California, and it's not the entirety of this case, but they held that police officers have the ability to preserve evidence while awaiting a search warrant

(31:24):
by disconnecting the phone from the network and placing it in a Faraday bag. So that just doesn't work anymore with mobile devices. That's not preserving anything, and I think that's probably still the understanding of a lot of people who are making the decisions, who just aren't aware of how digital evidence works.

Speaker 1 (31:45):
Well, I mean, I think it speaks to the threat scenario of somebody remoting into the phone, right, and deleting things. Oh, that for sure, yeah, that's the mentality behind it, which, again, it's a mentality that's valid, but it's also really dated, right, because now we know, especially with the newer, say newer phones, right, that the destruction process, not so much somebody coming in, which could happen, it's the phone

(32:09):
itself, like Chris was saying, the normal operations of the phone. There's so many things going on, right. So now we have to take into account a non-malicious actor here, which is the phone itself, right. And how do we update that across all the stakeholders? That's a tall order. So I think tooling that does some of that for us can help, but that doesn't substitute, again, us being able as a

(32:32):
community to explain to the stakeholders what the deal is, how this actually operates, and giving the proper arguments for being able to allow what we now believe we should push, which is that seizure, that preservation and that search. And I appreciate that Jess kindly put it in the chat as a good summary. Yeah, perfect, yeah, so that's a good thing.

Speaker 2 (32:53):
I think she definitely started a big
conversation on LinkedIn.
So if people have different opinions or are seeing different
things in their jurisdictions, join that conversation in the
comments on her LinkedIn post, on Jessica Hyatt's LinkedIn
post, because there's already some great ideas and kind of
like back and forth in the comments.

Speaker 1 (33:12):
Oh yeah, the best thing about the show is if
you're listening in the podcast later, watching the video later.
Well, watching the video, you'll see the comments, but if
you're listening only, you're going to miss the experts we
have in the chat, we have the most.
Oh yeah, I think this is the most expert-packed hour you will
ever come across on digital forensics, and I'm not kidding,

(33:33):
I'm not exaggerating here.
Like right now in the chat, you got Brett giving some other
scenarios, like legal scenarios.
Let's imagine a suspect that goes into a house, searching a
suspect without a warrant, right?
So and that's the whole point about case law, right, there's a
lot of quote unquote exceptions or circumstances.
Now, how do those relate to our digital realm?
And we're living in the moment that those are being made, so

(33:59):
always take time to think, reach out to folks that have
been around longer, like a Jess, like a Brett, like a Heather,
right here?
Right, and because you want to make sure that
whenever you talk to your prosecutors or your stakeholders,
you're giving your best explanation, your best argument,
because we depend on you to actually push forward good case
law, right, that your judges and your jury, not juries, but your
judges and the people responsible give you good
procedures, good case law that

(34:19):
makes everybody's work more efficient, better, faster and
brings justice, you know, with speed, if that makes sense.

Speaker 2 (34:26):
Yeah, and let's face it, nobody wants their name on
the bad case law.
So make sure you're researching and have those good
explanations on why it's necessary.
I think there's plenty of explanation on why it's
necessary to preserve that data.
It just needs to be paid to the people that make the decisions
in a competent manner so that we can get this moving.

Speaker 1 (34:50):
Absolutely and again, from all aspects.
One last thing I want to say here is that SWGDE is coming
out with some protocols and best practices on the preservation
feature of digital mobile items, and if you're not familiar with
this group, we're talking about experts that come together and
meet multiple times a year to be at the forefront of
technology and how that will impact law and our work that we

(35:13):
do.
So I highly recommend folks to follow their products
and their meetings.
I wish one day I will go to a meeting. I gotta go too.
As soon as it's back over on the East Coast, I'm going, yeah,
look, I might, I might pay my own way because that's, that's,
that's, yeah.
So it's really good to follow, so it's highly, highly
recommended.
So you got any other thoughts on the topic?

Speaker 2 (35:33):
Oh, go ahead. Yeah, no, just, Jessica said there's
some thoughts that oppose the idea of
preserving the evidence without having the proper legal
authority in place, and I was reading some of those today.
Definitely go check them out.
There's some really good points on opposition to it and really
good points on support for it.
So definitely, definitely check those out.

Speaker 1 (35:55):
Yeah, absolutely. Absolutely so.
And again, developments, I mean we talk about pretty much the
first half hour developments in iOS, right?
But I think we should take some time to talk a little bit about
some developments in Android 15, which came out, at least I got
the update maybe a few days ago, right, so it's pretty recent.
So what do we got on Android?
So you know, we don't feel left out in the show. Yeah, let's add

(36:17):
some Android.

Speaker 2 (36:18):
So I specifically was taking a look at an Android
15 update called Private Space.
So if you haven't heard of Private Space yet, it's in
the Android, I'm gonna actually pull up.
I did a little PowerPoint to show how it works, so let me,
let me find that real quick.

Speaker 1 (36:39):
That update is rolling out for everybody pretty
soon, if you don't have it already.

Speaker 2 (36:42):
So yeah, so immediately had to go test it
and check it out.
But now in the Android, under Settings, Security and
Privacy, there's a new area under Privacy called Private
Space.
It says it'll keep private apps locked and hidden.
To set that up, you just click on the Private Space and go
through the steps to set it up.

(37:02):
It tells you all about what that is, how it hides and locks
your private apps in a separate space, and it has its own
dedicated Google account for extra security.
So you can set it to your Google account you already
have, but you can also set it to a brand new Google account
when you do the setup.
So I set the Private Space up on my test phone and created a

(37:27):
new Gmail account for the Google account, set it
up, created a password and then
it creates the new Private Space.
Once you create the new Private Space, it asks you how you want
to lock your Private Space.
The options are pattern with fingerprint, PIN with

(37:48):
fingerprint or password with fingerprint, and one thing I
thought it was going to do is just grab the fingerprint that I
use on my device already, and it didn't.
It had me re-set up an entirely new fingerprint so that Private
Space could be locked with the fingerprint of a different user,
if you wanted to do that. It doesn't draw from your original
user account.

(38:08):
I set mine up with a pattern and the fingerprint, okay, and it
says all set.
When you're done, then to locate your Private Space, you
go to the app screen and scroll all the way to the bottom of all
of the installed apps that are on your Android device.
At the bottom there's just a little spot that says Private

(38:30):
with a lock.
You touch that lock and the fingerprint unlock will pop up.
You can also choose to use the pattern lock if you want to, and
then you have your own Private Space.
It comes pre-installed with Camera, Chrome, Contacts, Files,

(38:52):
Photos, Pixel Buds because mine's a Pixel, and the Play
Store.
I installed Snapchat on this particular device, but then I
also put it on another device and installed a few more apps
just to check it out.
In the settings of the Private Space, you also have some
options to change that lock.
You can change the options on how it locks, so I have mine set
to, every time my device locks that Private Space locks, but you can

(39:14):
set it to other options
where it doesn't lock, it remains open
when your device is open. There's the option to hide the
Private Space.
I didn't try that because I didn't want to see if it
disappeared on me.
I didn't want to have to try and figure out how to find it
and then be scrambling for my explanation here.
But I will try it. And then you can delete the Private Space.

(39:34):
I extracted my phone afterwards.
I have not had a ton of time to mess around with the artifacts
that are stored there.
But it comes in as a whole separate user account under data
user and then whatever number it assigns the user account in

(39:55):
my book. Go ahead.

Speaker 1 (39:57):
No, no, I was going to say, and folks that are not
listening, this is a great image that Heather puts up because
you can see those user directories, both user and
user_de, and you can see the two accounts, and if you're familiar
with Android forensics, the zero tends to be that main user,
right, and then you see that, you see 10.
And this kind of makes sense because Heather said a second
ago, you set a new, you can set up a new Google account.

(40:19):
You have to set new fingerprints.
You have a whole set of apps, a copy, but another set of apps
in the space.
So it's, this is literally creating another user for this,
enable this ability.
Right, and this is something that was predicted.
Some folks figured it out, maybe a year, more than a year ago, by
looking at some of the code base that's being pulled out,

(40:40):
pushed out by Google in Android, right, how they're
using that second, like an extra user for these purposes.
But this is not the first time we've seen this, right.
I think we saw it on Samsung's first, I think, right, the Secure
Folder, yeah, so if you're familiar with Secure Folder,
what, 150, I think, right.

Speaker 2 (40:58):
Yeah, 150.

Speaker 1 (40:59):
Yeah, user 150, your Samsung device.
That's a Secure Folder.
The moment you see that there, you know a Secure Folder
is sitting there from that phone.
So I think it's more like an implementation, like Google's
implementation of, maybe, stuff that Samsung has been doing for
a while now.

Speaker 2 (41:15):
Yeah, oh, definitely.
So this set up on one of my devices,
it set it up as user account 10.
And then the other one, it set it up as user account 11.
I'm not quite sure what the difference was there, like if I
had something else installed on one of the phones, but I have a
10 and 11 on each phone.
And then in, like, parsing the data with some of the tools that

(41:39):
we all love and use, some of this stuff is parsed. If you
have access, obviously, when you do the extraction, if you have
access to that Private Space, a tool that will pull the data
and bypass that lock.
Some of it's parsed.
Installed applications are parsed for the Private Space account.
I found some of my chat messages, so I had TextMe

(42:04):
installed on one of my devices and when I pulled it, the TextMe
messages were there and you can differentiate where that app
was residing just based on the path.
That 10 or 11 user account will be in the path versus the
original path for the zero user.
I did notice that some stuff wasn't parsed exactly perfect

(42:26):
with the installed applications.
On some tools I was getting just the installed applications
from the new Private Space account and I wasn't seeing the
data surrounding the installed applications for the original
user account.
And then on some tools I saw more data than others, just
parsing, which is to be expected in between tools.

(42:48):
But, good news, there were updates made to ALEAPP by
someone I know to account for the additional user account and
the installed applications that reside in the Private Space.

Speaker 1 (43:00):
Yeah, whoever that was, I don't like him, I think
he's yeah, I don't either.
He's full of himself.

Speaker 2 (43:05):
He's sketchy, but it's a really cool app to check
out, or account to check out, on your test phones.
Try that out, see if it'll even extract.
I mean you have to have access, so you'd have to have access to
unlock the device and unlock the Private Space to be able to
pull that data for now, until we have brute force options for

(43:29):
Android 15.
But definitely a lot of cool stuff to check out and see how
that works and contribute back to the community with your
findings.

Speaker 1 (43:41):
Yeah, and please, I mean, if you're dealing with a
Samsung, I'm sorry, an Android 15 device, no matter what it is,
right, and you have multiple extraction tools, try them all,
right, because in our experience, a particular workflow might
give you some of that personal space data and another workflow,
even within the same tools, might not, and I cannot pinpoint

(44:02):
why.
That is because you got to remember that some of these
extraction methods, they're abstractions to us.
They tell you press here to get this and that's it.
We don't see the inner workings of it.
So my recommendation is try different workflows between
tools and different workflows within the one tool that you're
using.
All right, because you might get more data from the personal

(44:24):
space in one workflow than you will get from another one.

Speaker 2 (44:27):
Right.
Right, there's a question: Do you have to unlock the Private
Space using the passcode or fingerprint prior to acquisition?
I have found that yes, for now, but, like I said, when there's
those brute force options added to tools, whatever your tool of
choice is, it should be able to additionally brute force that
Private Space, is my understanding.

(44:49):
Hopefully I'm correct about that.
We'll see in the future when there's brute force support for
the Android 15s.

Speaker 1 (44:57):
Yeah, and again that speaks to also what process will
we use for this, right?
And there's a lot of variability there.
Maybe we can get to the phone and it's fingerprint.
Can we get a court order to compel the fingerprint from a
suspect?
Like again, it all builds up.
It's like another level more than now we have to go through,
and the first thing we need to do to go through these levels is

(45:18):
know that they're there.
That's why we're putting this out in the community, so you're
all aware of what different issues might come.
If you're finding Android 15s and you're expecting something
to be on the phone and it's not there, well, think about it.
It might be inside a Private Space.
How do we go about it?
How do we go unlocking that?
Maybe in our interview procedures, add that as an
investigator. Say, hey, yeah, what's your PIN code, right?

(45:39):
What's the Private Space?
What do you mean about?
Well, you know what I'm talking about, and also kind of elicit
that information in our interviews or interrogation
techniques.
I mean the knowledge needs to be out there.
So then investigators, detectives and examiners and
even prosecutors can adjust, and civil world as well, for
discovery procedures and civil litigation can adjust to this
new technology that's coming out.

Speaker 2 (45:59):
Right, definitely.
Well, that's what I have on Android 15 so far.
I'm looking forward to looking for other things to test and
present, but so far that's what I've started with.

Speaker 1 (46:10):
Oh no, and it's good stuff, this whole having
multiple users that are tied to the one user.
That speaks also to provenance.
Right, we have multiple user accounts here.
Are they tied to a Private Space?
Are they tied to a Secure Folder?
Are they tied to an actual other user?
Right, we need to make sure that our tools differentiate
between those and give us the proper information.
I don't want only the history of installed apps for my main user.

(46:35):
What about user 10?
What about user 11?
Right, our tools need to respond to that, and right now,
some of them don't.
And even the community tooling like iLEAPP, we had to scramble,
right.
Yeah, Jessica, Heather, I'm reading Jessica now.
Heather told me about it and we jumped on it just to make sure
that we can provide that support.

Speaker 2 (46:55):
So that's something to be on the lookout. Well, and
have it done before we presented this tonight.

Speaker 1 (46:59):
Definitely. Of course, make it all look sensible and
look good.

Speaker 2 (47:04):
Yeah, definitely, definitely, but yeah, so if
anybody has additional things they're seeing in Android 15,
write to me.
I would love to hear about it and I'll do some testing.
I love testing stuff, so I'll do some testing for you, if you
don't have the devices or don't have the time or capability at
the moment to do it.

Speaker 1 (47:22):
And if you're wondering how do I get rid of
these, get a hold of these nice people that are talking to me
here on this podcast, there's two main ways.
Right, you can go and look for our LinkedIn presence, Digital
Forensics Now Podcast, and search us there.
Or you can go to Bluesky. Heather, Bluesky, no, it's like,
it's a kind of a Twitter-like social media site.

(47:44):
Now go to Bluesky and also look for Digital Forensics Now
Podcast there.
Before Heather jumps on my whole Bluesky comment, I want
to say that we are trying to get examiners into Bluesky because
I believe it's a good method of kind of short, quick
communication, established conversations that other
platforms are kind of cumbersome or are full of junk.
In a sense, I'm hoping we can create the Twitter experience of

(48:06):
seven, eight years ago within Bluesky.
So I see a lot of good people moving in.
It has a lot of momentum.
The moderation tools in Bluesky are fantastic, so at least we
can keep some of that vitriol and other social media out of it.
So I highly recommend folks that are listening to get a Bluesky
account so they can participate, be part of the

(48:27):
conversation.
I have a call, a starter pack.
Look for abrignoni dot bluesky dot social, bsky dot social,
and hit my starter pack.
If you hit the starter pack you can follow,
I think, maybe 15, 20 of the best Bluesky accounts so far
and I'll keep adding more.

(48:47):
So you can kind of start with a group, a good group of
people to follow from the get-go, again, in Bluesky. Heather, Bluesky.
So he keeps enunciating Bluesky like that, because I
think it sounds better as blue ski.
No, look, I mean another.
You're embarrassing yourself in front of a thousand people.
That's not like brewski, like you're drinking some beer.

(49:09):
It doesn't sound like a Bluesky, like brewski.

Speaker 2 (49:12):
You can meet up with your friends, have a brewski
while you're on blue ski.
Oh, my goodness, I don't know.
I'm just saying, in the brewski.

Speaker 1 (49:24):
I know that Kevin Pagano agrees with me to have a
brewski on the blue ski, right, I know he's in there.
You better not make a sticker about brewski and blue ski,
because I think we're gonna have to have one.
I will disown you both. See, there you go now.

Speaker 2 (49:32):
Kevin showed up, see, brewski and blue ski, oh, my
goodness.

Speaker 1 (49:40):
Anyways, Bluesky, that's.
That's what is happening right now.
So everybody go over, get my starter pack in my account and
let's, let's, let's keep conversing, okay. I agree, I do
like the app though, it's good.
It's good.
Yeah, it's kind of glitchy lately because a lot of people
jumping in, millions of people at the same time, but let's stick
with it, I think.
I think it's the future of the social space, short, short

(50:03):
form social space, because it's not really a site, it's more
of a protocol.
But that's a discussion for another day.
How much time we have, Heather?
What should we cover?
Should we start winding now?
Should cover one more thing, I mean, we're gonna show the.

Speaker 2 (50:14):
We're gonna show the SANS poster, because those
SANS posters are just so helpful to everyone.
But this will only take me a minute, so let me throw.

Speaker 1 (50:22):
What you look at.
I'm going to give people a preview for next show.
I want to tell you straight up, I wanted to show how the FTK
Imager version that they pulled out, I mean pushed and then
pulled back, how it worked with BitLocker.
So I want to show that, but I think it's going to be an anchor
for next episode.
For next episode, if you're wondering how FTK Imager is
going to be working with BitLocker, we're going to kind

(50:43):
of show you that as a preview of their future releases that they
hopefully don't pull back later.
Yeah, all right, let's talk about this poster.
What do we have here?

Speaker 2 (50:52):
So we have a Mac and iOS forensic analysis and
incident response poster created by Kathryn Hedley and Sarah
Edwards.
It includes location of artifacts and explanations for
artifacts in iOS and Mac.
Let me just give a quick rundown of what we're seeing on
the poster: native applications, network information, file and

(51:14):
folder sharing, program execution, application usage,
connected and paired devices and backups, application data,
deleted files and file knowledge, file folder opening, account
usage, system and user information, acquiring and
mounted images, volumes and external device and USB usage

(51:35):
and log files, and much more.
So if you have not made an account on SANS, make your
account and go into, I think it's the resources tab, but it's
something like that, the resources tab, and find the SANS
posters.
There are tons of these, not just for Mac and iOS, for all
different kinds of things, forensics, and go grab these

(51:55):
posters because they're awesome.

Speaker 1 (51:58):
Yeah, and I appreciate that Chris was saying
that the biome directory that contains SEGB files, it should
not be called biome, it should be called SEGB, and I agree with
him.
And for post-op, what is this guy talking about?
So some time ago, when KnowledgeC in iOS devices

(52:21):
started the data disappearing, it popped up in this biome
directory in some files that we've never seen before and,
based on research done by John Hyla, by Geraldine Bly and some
others in the community, and me kind of attached to them, we
figured out how it's parsed and they have this header called

(52:42):
SEGB, S-E-G-B, right, and I believe they should be called
SEGB, right, because there's SEGB files outside of the biome, right.
And the example I was giving Heather is, like you know, share
folders. When you look at an Android app, right, those always have XMLs.
We don't call them share folder files, we call them XML files
because that's the file type and biome is not a file type.
But you know, it's okay to agree to disagree with how they're

(53:06):
named, but I like the fact that Chris is on my side that maybe
we should name them something else, especially since it's his
fault.

Speaker 2 (53:13):
He's the one that at the beginning made a whole bunch
of, yeah, articles about it.
It was so easy to do because that's the first place we saw
them and we didn't know they were everywhere else.
But yeah, you're right, we should adapt with the changing
times, now that we see them all over the devices. Exactly, so I
want to make that point again.

Speaker 1 (53:31):
The poster is fine.
It says biome, but everybody says biome.
But little by little, I'm gonna try to have people call
it SEGBs instead of biomes.

Speaker 2 (53:40):
Yeah, what do you think?
Do you have time to briefly speak about the new release for
the LEAPPs?

Speaker 1 (53:46):
No, no, I don't have time, and the reason for that is
that my zip file with it got corrupted and it's not opening,
so the universe gave me a hard stop.
So let me just quickly verbalize something we're making
for the LEAPPs, and if you use it, the first time you heard about
them.
There is a Python framework that's used to parse different

(54:06):
extractions from iOS, ALEAPP, different things, and we have a
good group of people.
Johan is in the chat.
One of those group, Kevin, is in the chat as well.
We got James also.
We got John Hyla as well, myself, Heather, a few others.
We're working really hard to make sure that when you use
this type of framework and your tooling, we're moving to a new

(54:28):
type of reporting system so you don't have to depend on HTML
reports that could crash your browser if it's too big.
We're now using what's called Lava to make that reporting.
Today I got word that Johan, which is in the chat, and I
couldn't.
First of all, Johan is all the way in Europe, so I
appreciate that he's listening at this time, whatever hour.
It is an ungodly hour where he's at, but he tested today with a

(54:51):
million records, health records, the viewer that we're
creating, and it handled it no problem, which you cannot do as
an HTML report.
And that will open the door for me at least.
I'm the big kind of, pretty much the sole maintainer of
RLEAPP for returns from providers, and if you get a return from
Facebook or Meta, it's going to be HTML, right, and it will crash

(55:12):
your browser.
No doubt it will crash your browser.
So now I will have a tool to be able to make the reports Lava
format and it will not be crashed, no matter how big it is,
which I'm really excited about.
What I'm going to do next week, not next week, the next show,
the week after, although we have to look at the schedule, I
don't know if it's
Thanksgiving, so we'll have to think about that.

Speaker 2 (55:34):
Figure it out.

Speaker 1 (55:34):
Yeah, for the next show.
We're going to show you how that looks within the report
directory from iLEAPP 2.0, which is out already.
And then keep your lookout for the Cyber Social Hub conference.
It's coming up in December, where James, he's going
to be showing Lava, like unveiling it to the world, like
what we have so far.
I mean, it's not ready for release yet, but we're gonna

(55:56):
show people how it looks.
So that's where we are with the LEAPPs and we'll give you more
info on the next episode. Very good.
I think we can be at the meme of the week then. Yeah,
that's the best part of the show. Let me share my screen here.
Johan says it's 1 am where he's at. Oh geez, that's dedication,

(56:19):
thank you. He wakes up.

Speaker 2 (56:22):
Either he goes to bed really late or wakes up really
early. So I scoured your LinkedIn to find one of the famous
Alexis Brignoni memes.

Speaker 1 (56:32):
I'll let you explain it. So there's this movie that
Nicolas Cage kind of plays himself, right, and the guy
from the Mandalorian, he's super famous.
What's his name?
He's Chilean.
I just, I just missed his name.
He's a great dude.
So the other actor, he's playing like this drug lord and
he really admires Nicolas Cage.
Right, he's Nicolas Cage kind of playing himself in the movie

(56:53):
and he's looking at Nicolas Cage, looking at this guy like
what the heck?
Right, and the other guy is really smiling at him.
So Nicolas Cage says examiner waiting days for a tool to parse,
you know, this kind of tired-looking face.
And the other guy is really happy and it says me already
finding the main items by hand.
And I did that to kind of illustrate the point that sure,

(57:15):
we have automation to help us, but it all depends, depends,
like we say in this business, right?
If you need something specific, sometimes the
automation is not the first thing you should do, right, or
maybe, okay, do the automation, but if you need something now,
there's, go back to your basis, basics.
Make sure you're keeping, you know, sharp as a good sharp knife
so you can cut and get to that meat quickly.

(57:37):
Right, I was talking with my, not trainee anymore, my
ex-trainee, because she got certified and she's now a
full-blown examiner.

Speaker 2 (57:45):
Congratulations.

Speaker 1 (57:46):
Yeah, I'm not going to say her name because I didn't,
you know, I didn't get her permission, I didn't ask her to
be in the show, right?
So, in process of full-blown examiner, and we're reviewing,
for example, how to go straight, how to find in iOS devices a
particular app that's not on, that's unparsed.
How can I go find the straight up?
I don't have to wait for the tool.
Pedro Pascal, thank you, Christopher.

(58:06):
Pedro Pascal, I love, I love him.
I'm totally in love with that guy.
I, he, he can sit down and read the phone book and I will,
I will watch it.
He's done, Pedro is fantastic. Anyways,
back to my story.
We were discussing, or kind of reviewing, how do we get to
particular apps that are unparsed straight up without having
to wait for the tools to tell me anything, and there's a

(58:28):
couple of two-step procedure using to make it.
I cheat a little bit.
I use iLEAPP for that, but most of the work is done by hand,
right, and I was actually parsing which,
I just finished this today.
I think it's TextFree or Free Text, one of those texting apps,
right?
That's not supported by any tool.
Right now, it's by hand.
That's how you do it.
So, yeah, let's be more Pedro Pascal and less Nick Cage in

(58:52):
this context.
Right, let's just keep our knives, our tools, sharp and
getting the job done.

Speaker 2 (59:01):
This meme works great too with the updates.
So Android 15 updated.
We now have Private Space.
Is everything parsed in Private Space?
No, you're going to be finding the main items by hand, possibly
on anything that's newly released and not yet supported
by your tools, so it actually fit right into our topics for
the night.

Speaker 1 (59:18):
Oh, absolutely, and I think it's too close.
I want to share what Heather is saying.
Right, there's some methodology.
I said Jess, I said Heather, Jess.
Now it's the opposite.
I was looking at her and now looking at you and reading her,
so I get it more confused.
You know what happens with my kids.
I call one the other name all the time.
Anyways, I digress.
There's a methodology for parsing unsupported apps and we

(59:39):
need to identify them cases.
Absolutely.
One of the big things that I like to do when I'm brought in
to speak in regards to parsing digital data is talking about
that methodology.
There are steps and there are things you, as an examiner, need
to do with your skill set you've been trained to, to be
able to get to these data structures and successfully get

(01:00:00):
the data out for our stakeholders.
So let's not keep track of that, let's not keep that out of our
minds and let's keep it there.
Let's do it.

Speaker 2 (01:00:07):
Agreed.

Speaker 1 (01:00:09):
Awesome.

Speaker 2 (01:00:10):
All right.

Speaker 1 (01:00:10):
Anything else for the Grow the Order header?

Speaker 2 (01:00:12):
I have nothing else, no.

Speaker 1 (01:00:15):
Well, I want to thank.
First of all, I want to thank Chris for being in the show with
us.
I appreciate also Magnet Forensics for letting him,
allowing him to talk to us in regards to what the work they've
been doing on this feature, and we're more than happy to, you
know, different vendors, you know, reach out to us and
collaborate in things that help the community.
We're happy to do that.

(01:00:35):
I also want to thank all the folks in the chat, all the big
group of experts there, all the community that we're building.
Let's go to BlueSky or BlueSky.

Speaker 2 (01:00:46):
You said it right.

Speaker 1 (01:00:47):
Yeah.

Speaker 2 (01:00:49):
Humoring me, I'm just indulging you.
There we go.

Speaker 1 (01:00:52):
Humoring is better.
I'm humoring you, and thanks for all the folks in the chat and
all the folks that are going to be listening.
Later you can reach out to us on our social media, and in our
Buzzsprout page there's a little send us a message section that
you can use and let us know your thoughts.

Speaker 2 (01:01:08):
So with that, yeah, I definitely want to just mirror
your thanks to Chris.
That was great.
We could have explained the things in his blog, but nothing
better than having the source of the blog come on and explain
the artifacts and how he came to his conclusion.
So thank you so much for that.

Speaker 1 (01:01:26):
Oh, absolutely, and he's.
He's such a great speaker I.
He's really funny but butreally depth.
You know really deep in what hespeaks about, so I appreciate
having him here.
All right, well, we don't have a date for the next show, but
we'll keep on social media.
How is our comments?
So we'll figure it out and we'll let you know, we'll figure
it out.
All right, Take care.
Have a good night everybody.

Speaker 2 (01:01:46):
Thank you.
Outro Music
