
March 14, 2024 66 mins


Unlock the secrets of advanced forensic analysis with us! We reveal essential training classes that every digital sleuth needs to stay ahead in an ever-changing tech landscape. Sign on to be enlightened by experts in the captivating world of data structures through Hexordia's class and IACIS's comprehensive course. But it's not all about the classes; we're also sending a must-read book your way to sharpen that detective wit you pride yourself on.

Get ready to explore the controversial yet fascinating realm of facial recognition with our introduction of Exponent Faces, an X-Ways Forensics X-Tension. Whether it's identifying suspects or navigating the ethical minefields of biometric data, we're weighing in with all the expertise you could hope for.

Finally, journey with us as we dissect the pivotal role of soft skills and community support for forensic examiners. You'll find this episode is not just about the tech—it's about the people behind the screens who make justice possible. Join us, where knowledge is power and staying updated is as crucial as the evidence itself.

Notes:
IACIS Advanced Mobile Device Forensics
https://www.iacis.com/training/amdf-advanced-mobile-device-forensics/

DFIR Investigative Mindset - Brett Shavers
Book release March 22, 2024 - 1/2 price for one week!

Facial Recognition in DFIR
https://www.apiforensics.com/blogs/announcing-exponent-faces.asp
https://abcnews.go.com/Business/controversy-illuminates-rise-facial-recognition-private-sector/story?id=96116545

Google Chrome Platform Notification Analysis
https://www.sans.org/blog/google-chrome-platform-notification-analysis/

The Digital Forensic Practitioner Survey (DFPulse2024)
https://bit.ly/dfpulse

What's New with the LEAPPs?
https://github.com/abrignoni












Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:18):
Welcome everybody to the Digital Forensics Now podcast. Today is Thursday, March 14, 2024. My name is Alexis Brignoni, aka Briggs, and I'm accompanied by my co-host, the one that puts the power in power user, the digital forensics tool entomologist,

(00:40):
the one-person quality assurance program, yes, the one and only Heather Charpentier. The music is Hired Up by Shane Ivers and can be found at silvermansound.com. Hello everybody.

Speaker 2 (00:57):
Hello. Thank you for the great introduction, as always.

Speaker 1 (01:03):
You like that entomologist?

Speaker 2 (01:04):
I like it.

Speaker 1 (01:05):
It was really good, yeah. Yeah, there's always some little inner jokes and some of those inside jokes, as you say. All right. So again, I see a few folks already coming in the chat. Jessica is in the chat. Hi, DFIR Diva is in the chat. Obviously, Kevin, the main man, the man with the plan, is in

(01:25):
the chat, so happy to see you all there. And Brett is in, so got to see you, my man. All right, Heather, so I know you got stuff to tell me because you had a full last couple of weeks, so what's going on with you lately?

Speaker 2 (01:41):
I have the same response I always give: busy. But I actually yesterday attended Hexordia's data structure class and I wanted to tell everybody you have to attend this class. It was awesome. Jessica taught, she goes into data structures found in mobile devices in depth, how to handle them, how to look at them with

(02:06):
the commercial tooling, but also without commercial tooling, with open source tools, and it was a really great day yesterday in her class and actually Kevin was in the class with me, so it was really good, yeah.

Speaker 1 (02:19):
Well, three luminaries between you, Kevin and Jessica. And folks, in case you're not familiar with data structures, that's the basis of where the data from your cases comes from. How are they organized, how are they stored, how do I get them out, how do I properly interpret them? And I've taken the class as well, obviously highly

(02:42):
recommended, and I'm really happy to see, you know, a provider like Hexordia going way beyond that, the formulaic tooling, like we teach to the tool. No, we're, they're teaching to the deeper, you know, how the data is being stored, and it's really, really important that we start looking into those and understanding it.

Speaker 2 (03:03):
So help you move away. Help you move away from the push-button forensics, that's for sure.

Speaker 1 (03:09):
Oh, absolutely, and even if you have to push a few buttons, at least you know, you know what you're doing.

Speaker 2 (03:14):
Yes, exactly.

Speaker 1 (03:16):
So, like Kevin said, you know, never, never stop learning, right? Yeah, and in this field you definitely cannot, cannot stop learning.

Speaker 2 (03:22):
So so yeah, no.

Speaker 1 (03:23):
Well, what else is that? Yeah, that class, anything else going on?

Speaker 2 (03:26):
Yeah, no, I mean same old stuff. Go to work. Come home, go to work, prepare for the podcast, start working on IACIS material that we're going to do together.

Speaker 1 (03:36):
Oh yeah, we got to discuss that in a second. At least from my end, from my end. Yeah, from my end. Yeah, I've. So I'm in Florida and the oak pollen season is upon us. Everything is covered with yellow muck from the trees and it sucks. I'm highly allergic, so I've been taking all sorts of

(03:57):
antihistamines. So sorry if I look like death.

Speaker 2 (04:00):
You don't look like death.

Speaker 1 (04:02):
Yeah, right, yeah, sure, I believe you. Yeah, but other than that, you know just doing regular work and you know just trying to get the class, the class going.

Speaker 2 (04:13):
Yeah.

Speaker 1 (04:14):
Yeah, which, which is a good segue to that same topic, right?

Speaker 2 (04:18):
It is, it is, it is.

Speaker 1 (04:20):
So so IACIS, the International Association of Computer Investigative Specialists, so really renowned. It's an organization that's volunteer driven, and myself and Heather were volunteers there and we'll be teaching the Advanced Mobile Device Forensics course. This is a brand new course and what we're going to talk about

(04:42):
Android and iOS, so so you know it's going to be a great class we are going to. The class is going to take it's not happen from April 22nd to 26th. That's the first, the first session of that class, and then we teach it again, right, for a different group of students from April 29th to May 3rd. Right, so we still have spots there.

Speaker 2 (05:06):
Yeah, there's, there's still spots in both weeks. So sign up, come and come and learn from us in Orlando. So there's a selling point right there too. No, in Orlando in April and May.

Speaker 1 (05:19):
Yeah, who else is us and who else is teaching with us?

Speaker 2 (05:22):
So we have another instructor this year, John Hyla. He's going to join us and some of you may know him from his research on the SEGB Biome app intents data in iOS. I think he was the first person to write a blog on it and it's on his page, Blue Crew Forensics, if anybody's still interested in reading that and checking out his tools.

(05:43):
So he has an app intents parser on that website. But he's going to be teaching with us in April and May.

Speaker 1 (05:52):
Yeah, and I think it's a great catch that we had, well, Heather did, in getting him to instruct with us. A really sharp guy and really forward leaning with all the new stuff that's coming out, so I'm really happy that he's with us. Yeah, if you come to class, the class will you get a laptop so to work through the exercises with us, through the to the

(06:13):
course, which you can then take with yourself, you know, take home with you and do your work on that laptop. So that's always a good to have to be referenced materials and some other things that we're going to give in that class. And the location is in, like, say, New Orlando, Florida. It's a great, nice place. It's a little pool and everything. So in the afternoon you can chill out a little bit and talk

(06:35):
forensics with us. There are different events and activities that IACIS has at night for examiners, so it's good stuff.

Speaker 2 (06:44):
Yes, it is. Sign up.

Speaker 1 (06:46):
Yeah, the link. The link is at the bottom of the screen and, for those that are listening, we're going to put in the notes so you can check it out and come hang out with us in person at IACIS this summer.

Speaker 2 (06:58):
All right. So I wanted to talk about a new book that's going to be coming out and it is written by Brett Shavers, who is in our chat or is watching live today. So, hi, Brett. It is titled DFIR Investigative Mindset. It's not released yet, he's still working on it, but I've had

(07:19):
a chance to check it out and I literally feel like, as I was reading it, that this book was hitting every thought that was in my head. He talks about how to learn to be a better investigator. One of the first sentences in the book is the DFIR mindset is the missing piece in DFIR, and I couldn't agree more.

(07:42):
To be able to do this type of work, you have to have that mindset, the investigative mindset. He hits on how to strengthen your skills, how to be a better examiner, the differences between mindset of law enforcement and civilian. Do you need both? What the difference is. If you take a position in a DFIR job,

(08:06):
do you want to do it or are you just taking that position to move up? And you have to want to do it, and this book really talks about that and discusses ways to improve your investigative mindset. I highly, highly recommend the book when it comes out, and from March 22nd the book is going to be on sale for a week, so

(08:29):
everybody should check it out and purchase it when you have a nice sale, that first week of release. Sorry, go ahead.

Speaker 1 (08:38):
No, no, no, I was going to say absolutely. And this is the thing. Right, I need to say this in every show. We say it. We're not sponsored by anybody. Brett didn't give us a kickback to talk about his book, right? We're not haters. We're also not shills, right? We just tell your honest opinion of things that we like or we don't like.

(08:59):
And now, that being said, right, we do a lot about technical stuff, about how to work a tool, how to work a data structure, how to create a report, but this book is filling this, I'm going to use that word, this void in regards to what are the building blocks, mentally, that you need to have in order to do a

(09:20):
complete examination. Right, because anybody can press buttons, but for you, you can actually connect the dots in the way that need to be connected. Right, and his book fills that void. Right, if you're in the private sector, you can learn a lot from his experience from being in law enforcement.

(09:41):
Vice versa, you're in law enforcement like we are. You can learn a lot from his experiences when he leaves law enforcement and goes to the private sector, right? So how do you take those? Again, I don't want to tell you what the book you have to read. It's a quick note in regards to what are, what's your mindset in regards to your property, your attitude?

(10:01):
How do you approach the evidence? How do you let the evidence speak for itself? Right, there's a whole bunch of little details there that you'll be really, really well imbued with that knowledge if you read that book. Okay, it's not, it's a density read, but it's a profound read. I found myself and I haven't finished it yet, but I found

(10:22):
myself rereading certain sections a couple of times because that section had a lot to think about. Does that make sense, Heather?

Speaker 2 (10:32):
Yeah, no same thing. I reread a couple sections on my lunch break yesterday, so definitely. Jessica says the part about curiosity. I wouldn't agree more with you on that, Jessica. So curious people, I believe, make good investigators a lot of times. If you're really nosy, that's such a good trait to have for

(10:52):
the investigative mindset, in my opinion. I love that comment.

Speaker 1 (10:59):
Yeah, and Brett is saying that I could have transcribed this podcast and wrote the same book. Well, we appreciate that and, and you know, we, we, I guess you know we have examiners that have some time we, we, we can converge right in in certain views or certain opinions, certain ways of dealing with the data, because this is a science, right, and, and that art is to be able to present that science

(11:21):
effectively. And and Brett's book is a good way of getting a leg up. I would recommend, especially for people who are new into the field, they say you're coming as a new examiner, saying long for me into a lab, get that book and make it part of your, your growing process, that growing mindset. Immediately, get that book and check it out.

Speaker 2 (11:42):
Definitely. Hardest part to teach. You're right too. It's hard to teach somebody to be an investigator. It really is. I always say for my office it's half sworn and half non-sworn members and the sworn members come off the road with that investigative mindset already and it's really really hard to teach the non-sworn members the investigative part.

(12:05):
But the book really lays out how, how you can do that and how they can do that for themselves.

Speaker 1 (12:12):
Yeah, and a broader point for the industry, right. I would hope that more books start addressing that right and I say addressing that. There's other aspects, right, even some of the legal aspects of of the job and do it in a, in a way that's accessible, like, like, because Brett's way of writing is really accessible, which is the way I like. It's not encumbered by these words, it's actually pretty

(12:34):
clear, and we see more books in different topics that make that accessible to examiners.

Speaker 2 (12:40):
Brett says, because DFIR is fun. It is almost like playing a video game. We tend to forget we are working to solve a mystery. I definitely agree. It is fun most of the time until you get one of those cases that just isn't so fun. But you know some, some are boring. But definitely agree with that.

Speaker 1 (13:02):
Yeah, I mean, there's always a routine area cases, but in a way that that mindset applies to make sure that you're doing the best job, that that can be done. Now, that you can do the best job that can be done, yeah, and that's what we're striving for. So good stuff.

Speaker 2 (13:14):
Yeah, so definitely check it out. March 22nd, I believe it's going to come out.

Speaker 1 (13:19):
Yeah.

Speaker 2 (13:22):
So there was an announcement on LinkedIn. I saw it and it was regarding facial recognition in DFIR. So API Forensics announced the release of Exponent Faces, which is an add-on extension for X-Ways Forensics. So if you're an X-Ways user, this can be used in conjunction

(13:45):
with X-Ways. It detects matches, extracts faces from photographs and video files and accurately identifies victims, missing persons, persons of interest within volumes of collective media. They say the effective outcomes of the use of facial

(14:07):
recognition technology are determined by a number of factors, and those factors include the image itself, the resolution of the image, the angle, the position, whether there's obstructions to the person's face, the vertical and horizontal rotation of the person's head and then, for videos, the speed of the footage measured in frames per second.

(14:32):
I have not tried this out yet. I just saw the post for it this week and I didn't have time to grab the X-Ways dongle and try it out, but I will be trying it out in the future, so hopefully other people will try it out. I want to bring it back to the podcast after I try it and give a little bit of a review and hopefully people can weigh in

(14:54):
and try it out as well. If you currently have an X-Ways license, you can submit a request for a 30-day trial. You just have to provide your X-Ways license number when you go and request that 30-day trial. So hopefully other people will test it with me and we can all collaborate here on the podcast and discuss it in the future.

Speaker 1 (15:17):
No, absolutely, and I can see a lot of views, so I got a couple of thoughts on that. Imagine you're working a, let me put it this way, let's say a mass shooting scenario where you get surveillance from multiple cameras and let's say you got an identified, possibly identified suspect. Can I determine if that suspect was in the crowd?

(15:41):
Right, that's pretty tough, right? Maybe another example that I just came to mind, it's a real example I had to. Long time ago, I had to find somebody that was taking a Greyhound bus out of the city. We need to locate that person and the time frame of when that person might have left was pretty wide. So I had to sit down and look at hours and hours and hours and

(16:04):
hours of footage trying to see if I could find that person. Imagine if you have a tooling where you can say okay, well, I have these templates or data pictures of the person I'm looking for. Have the tooling go and quickly scrub that data set for that face and tell me yo, I have a hit on Tuesday at 2 o'clock.

(16:27):
That would save a lot of time. So I can see a lot of good uses for that. Now, correct me if I'm wrong, Heather, but the way I read the announcement, it seems that this tool is open also to the general. I say general, pop, I mean not say that. To the private sector as well. Do you got that vibe too?

Speaker 2 (16:45):
Yeah, I didn't see anything on the website that said otherwise. It looked like you can just go in and put your agency name and sign up for that 30-day license, as long as you have an X-Ways license to provide.

Speaker 1 (16:57):
Alright. So now the second part which came to mind is, let me restart. A knife. Right, you can butter your bread, or you can stab somebody, right? A little bit of extreme examples, right, any and every technology can be dual-use, right?

(17:18):
It depends on the user, right? So I use that as an introduction to kind of say every technology has its challenges and its limitations, right? And I've been thinking about a little bit about what happens if we give that technology outside the confines of law enforcement. Don't get me wrong, people in law enforcement can have and have and will in the future use this technology wrongly.

(17:40):
We're not exempt from that, right. So I'm not saying that. Oh yeah, law enforcement really knows how to deal with it at a whole 100% of the time. I'm being honest here, right, obviously we strive not to make mistakes. And what makes mistakes could that be? Well, some of this technology, remember, is matching, like a pattern matching. It takes whatever analysis does of that face and tries to match it upon other data sets.

(18:02):
That's a probabilistic nature, and we were talking to me and Heather, we were talking a little bit about probabilistic things earlier the other day. It's probabilistic, right, you know, whatever. 70%, 40%, 30%, 50%, right? At what point are we happy with that percentage? And after we get it, what do we do with it? Oh, the computer said it's this person.

(18:23):
That's the person. Go grab the person. We could grab the wrong person, right. Like, just because the tool told me this is a highly probable match, does that mean that's a match? I mean, what do we need to do? Well, it's a word that starts with I, investigation. Yes, and again, I'll be honest with everybody here.

(18:46):
Sometimes in our agencies or organizations we start and finish everything with what the tool says and we talk about push-button forensics. This is really prone for that, right, and we gotta be careful with that. The investigation doesn't stop because the computer said here's X.

(19:07):
Actually, that's when it starts the investigation. We have to validate that. Is this person actually with a match? Right, and yeah, tell us what Brett is saying in the chat, Heather.

Speaker 2 (19:20):
Tools give clues, not answers.

Speaker 1 (19:23):
There you go, and it's really easy, really easy to get confused, because a lot of times, the clue that the tool gives us happens to also be the answer a lot of times. So that happens too, but you need to make sure that that actually is the actual answer. Right, that is correct. I gotta highlight this comment. Derek is telling us every tool

(19:45):
is a weapon if you hold it right. That's said by Ani DiFranco. So what a great quote, right? Historically, and this is some research that I did for the show today, historically, face recognition tools tend to have some issues recognizing folks that are minority color, and all

(20:05):
of that, a lot of false positives. Now, that being said, I'm not talking about the tools specifically that Heather is presenting, so don't get confused. Yeah, I don't want to everybody to think that I'm talking about them or I'm talking about general in general. This thing now. Now, this technology could definitely get to a higher probability level, absolutely, absolutely. But it should not be made to make a like the base for your

(20:29):
arrest. That should not be the base for it, I believe. Oh, yeah, the computer said so. Therefore, I got my probable cause for my arrest. No, that's the beginning. Like, like, like. But it's saying. Another thing I want to say now in regards to the private sector applications of this. Um, privacy issues. The first issue that I have or think about is well, let's say,

(20:52):
private sectors are recording your faces as you go to the, to their businesses and all that, and they had, they record those faces. Let's say, a client becomes rowdy in store and they kick him out. In the future, that person comes to another store, the system flags their face and says, hey, you're not allowed to be here, you have issues here and we told you not to come back.

(21:13):
Right, and you would think, well, that's, that's not a bad thing. Right, it's limiting access to undesirable people on a private business. Right, you don't have to allow people to go into your business you don't want to. I get that, but think about this: to be able to make that template is grabbing everybody's faces. Right, it's just not grabbing this person's face, he grabs everybody's. And what happens with that data? Is there,

(21:34):
are there any guarantees that this business is not going to sell my face to other businesses? Right, because maybe this person is undesirable in this store and maybe another store they're going to maybe share, like undesirable face lists, right, or just plain share of the faces. I just see Minority Report head. Or the pretty old, old, old, oldish movie. I have not so it's a Tom Cruise movie saying the future and the

(21:57):
future. As you go to stores, the stores kind of scan. We go even without noticing, scan your eyes and know who you are and give you ads. Like on the story customizes your ad and in the movie he has to change his eyes. They put some other person's eyes. It's a pretty good movie. You should see it. He goes and obviously the ads are for another person because

(22:20):
he has the other person's eyes, right? The point I'm making with that story is do I want to get ads, like when I go into a store because my face is being recognized? We're going to come out of, commoditize our biometric likeness, right, and that's. The questions are really hard questions. Is there, is there any legal framework for that, right?

(22:40):
What, what if that's hacked? Right, I can change a password. Like, oh yeah, it's coming, they change my passwords and that's it. Can I change my face, right? I mean, how do we do that? At least, at least, at least the law enforcement labs, for the most part, tend to be air gap, right, because we're going

(23:02):
to make sure that we keep the, the evidence in, intact, right, so we have air gap networks, but I don't, I don't see private sector companies using this technology in general in any air gap manner. So I can see databases with millions of faces being hacked and being sold, right. So that's, that's something to be to be considered.

(23:22):
How are they secured? So you know, there's, there's a lot that this technology is going to bring. I'm looking forward for you testing it and yeah, me too. Yeah, some of the community testing it see how, how you know different applicabilities that we have, but I think it's an emerging technology. We'll see a lot of that being litigated legally in the courts

(23:45):
and in Congress, so we'll have to keep an eye on that.

Speaker 2 (23:48):
So with the tool, though, from API Forensics that works with X-Ways, that tool matches against only the faces that you provided it. So I just don't want to, I don't want to confuse it with like scanning crowds, right? So it's not doing that. It's working with only the, the pictures that you provide it to look, look through in your investigation.

Speaker 1 (24:09):
Oh yeah, and folks need to understand, right, I'm providing like both sides of the argument, right? Yeah no, I believe there is a space for this type of analogy. I'm happy that companies like this, this one, are actually taking the lead and providing that service. So I'm not against it personally. But, like I said, a knife could butter and a knife could kill. So it's just to put it, putting that that those both sides out

(24:31):
there.

Speaker 2 (24:31):
So yeah, definitely. So, um, SANS had a blog out recently and it was related to the Google Chrome platform notification analysis, which has to do with LevelDB files. So if you haven't seen LevelDB files in your investigation,

(24:54):
start looking for them, because they are absolutely important to your investigation. I'm going to show a little picture here of what you're looking for. So this is from from the blog itself. I took the picture from the blog and this is what your LevelDB

(25:16):
structure like, what your structure will look like for your notifications. So um. So in Chrome they're everywhere, they're on computers, they're in mobile devices, and the LEAPPs support parsing the LevelDBs. So does Arsenal.

(25:36):
Arsenal's LevelDB tool is awesome for that. Rabbit Hole, that we've talked about prior, also supports parsing the LevelDBs, and the data that's in them can be so helpful for an investigation. I actually have a case example that I can talk about. I had a case where a teacher was having a relationship with a

(25:57):
student and she had deleted all of the contact that she had had with the student from her phone and she didn't know about the LevelDBs. Obviously it's not something that the user has access to, but this is specific to the FCM LevelDBs, which is the Firebase Cloud Messaging. The pair were primarily contacting each other on

(26:20):
Snapchat and, although all of the Snapchat data was gone and the application had been uninstalled, data related to their communications was still present in those LevelDB files. I didn't get the actual messages, but it was enough to show that they were communicating and it was enough to result in a plea deal. They can be really important to your investigations.

Speaker 1 (26:45):
I'm telling you it's really powerful. The example you give is a really powerful example. I like that example a lot because it corroborates the presence of the communications, corroborates all the other things in the case. I'll tell folks some of these FCMs, I say FCM, but LevelDBs, data storage or data structures will have messages, will have

(27:07):
all sorts of information in them and we're really not looking for them, like Jessica was saying. They're there and you don't know they're there. We'll cover that in the IACIS Mobile Forensics course. We also will cover it in more detail in the Advanced course. But it's important. If you have any browser that's worth anything,

(27:28):
we'll have tons of data in the LevelDBs. I did some research some years ago on Firefox Privacy Browser for Android, which deletes all history. Guess what? I was able to find a lot of the pages that were visited within some of the LevelDB stores from the Privacy Focus Browser. If you look for it, you will find. This is a great blog that

(27:53):
folks should read. In regards to that analysis, it explains, I think you mentioned it, some of the tooling that could be used. You mentioned some of the tooling that could be used.

Speaker 2 (28:01):
I did. Yep, Arsenal LevelDB was one I mentioned. Rabbit Hole, that we've talked about on the podcast previously, and Arsenal, we've talked on the podcast about previously too, and ALEAPP supports it too. I'm sure there's other tools. If you've never come across one, do a global search across your

(28:21):
entire image for keywords that are important to your case. I guarantee in an Android device they're going to hit in one of those LevelDBs and then follow that trail. Follow that trail. Use some of these tools that I mentioned to look through the LevelDBs, because you're going to be surprised what's in there. And Jessica actually mentioned too, open source, there's a CCL script from CCL Solutions.

Speaker 1 (28:43):
Yeah, Alex Caithness was the one that really pointed in my attention towards LevelDBs. So you Google CCL Solutions, LevelDB and the name Alex Caithness or a combination of the raw, you will get some of those scripts and some really good detailed articles on how they work and at a detailed level, right, how they're offsets

(29:05):
and how they're organized. So you'll be as an examiner. You'll be well served by looking into that. That's why we're talking and remember all sorts of other examples. One more example, yeah, we had a case. Again, in general it is an old case, but where the suspect had written like a manifesto, right, and it was using the Google Word thing.

(29:29):
What's that called, the Google Cloud Word thing? Oh, you know, they have like their own version of PowerPoint or version of Word or version of Excel, but it's the Google one and you access it through the browser, right? If somebody in the chat knows, then let me know.

Speaker 2 (29:42):
I'm looking for it.

Speaker 1 (29:45):
So those type of Google Docs. Thank you, Jessica. So the manifesto was done in Google Docs. Well, guess what? If you're offline and you're writing, there's no save button for that, but the start is saved and you'll be like, well, where is it saved? Right, it's saved in a LevelDB, and we were able to find that

(30:07):
manifesto in that LevelDB from that Google document. Ok, so thanks for Kevin also putting the name out, the Google Docs. So they are stored automatically in LevelDB. They are stored, of course, when you get online, then that gets pushed to the cloud and all that good stuff, but the remnants, or the full document that's being written, is going

(30:30):
to be in there, right? So it's really worthwhile that we get familiar with these data structures, just as we are familiar with SQLite or just as we are familiar with XML, and you might be like, what do you need to do that, honestly? So let's start looking into those.

Speaker 2 (30:51):
All right.

Speaker 1 (30:56):
Yeah, so this is the best part of the show they always like, right? Is what grinds our gears section, specifically, what grinds Heather's gear section. Support system not meeting the needs of the customers and I named the episode is support and live support. And the reason we're discussing this?

(31:17):
For many reasons. I'll tell you my reason. I go into the DFIR Discord channel and I'm more of a lurker just to see what's going on and I see a lot of folks saying, hey, there's somebody from company X available? Is there somebody from company Y available? And it makes me think why are we asking for support from these companies in a community chat?

Speaker 2 (31:39):
Right.

Speaker 1 (31:40):
What's happening with the support systems in, you know, established by the providers, that folks are not gravitating to those first. Where are they gravitating to kind of like side channels, when, where they know, there'll be folks from these companies who are not even reading or listening to be able to get some support? And that made us think that there is an issue in how

(32:04):
examiners or tools for examiners are supported in this space. Right, and we're not talking about any particular vendor, I believe. We believe, and if I'm wrong, Heather, we believe that it's more endemic in regards to maybe software development in general. I don't know, right, but in our field we see it a lot and you see folks doing all those requests in all those places, right?

Speaker 2 (32:26):
I would say on Discord, in the Google groups,
on the IACIS listserv, there are tons of support requests and
they are they're actually tagging the company saying can
you help me with this?
And I think, well, I have a personal opinion on what some of
the reasons are, I guess.
So when I go into support on any tool no tools in specific I

(32:50):
go into the support portal, whether it be a chat or I have
to open a ticket.
The first, one of the first things that I always get from
support is can you send me your data extraction?
Well, the answer is no, I work for a law enforcement agency and
that is evidence.
I am not sending you my data extraction and I cannot send you
my data extraction.

(33:10):
So I think the second question I'll be asked well, can we set
up a meeting where I can remote into your, into your machine?
No, it's on a sandbox network.
I can't have people remoting into our sandbox network.
I work for a law enforcement agency, so it's just we can't.

(33:31):
We can't do that.
I think another reason is that sometimes you get wrong
information.
So I had one of the really new people in my office reach out to
a support and they were requesting assistance on a phone,
asked what their options were for this phone and the answer

(33:52):
was chip off.
But that phone had, like Android 11 on it and if you chip
that off, you're done.
He, luckily he came to me and is like, is this right?
And I'm like, oh my God, no, thank God, he wasn't trained in
chip off.
It'd be chipping off a phone that couldn't be chipped off.

(34:13):
We would never let that happen.

Speaker 1 (34:14):
And even if it was chipped off, you're going to get
what an encrypted blob right.
So you're getting nothing out of it.

Speaker 2 (34:20):
Yeah.
So of course I hopped back in the chat and I'm like, who told
my new person to chip this phone off?
Please correct this mistake before somebody does it.
But also, I mean I've had numerous different places just
unanswered support tickets, like we can't replicate your problem,
sorry, and it's frustrating.

(34:43):
And it's not only frustrating but it takes up a lot of time
for whoever the examiner is asking for the support help.
I know me personally if I'm asked to do all of these things
and then send screenshots and then can you try this or can you
try that?
I've actually been asked to uninstall the version I have and

(35:07):
reinstall a new version that they want me to try.
And no, I can't.
The extractions I have open.
Some of them take like over eight hours to open if it's in
certain tools or maybe I have like 10 things going on.
I can't just shut my machine down at that time and just to
troubleshoot an issue, so it can end up taking up your whole day.

(35:29):
I think that these things are what deter people from
submitting support tickets.
The problem with that is it leads to the company being
surprised when you tell them of your issues.
Right, no one else is reporting this.
You're the only one reporting this, and I'm not the only one
reporting it, or whoever's reporting is not the only one

(35:49):
reporting it.
It's just they don't want to go through the painful process of
submitting a support ticket.
What do you think?

Speaker 1 (35:58):
Look, I mean, no, I agree with you and this is so.
Maybe folks that are in the space will say well, you're
complaining.
What's the solution?
And it's not easy, like.
I think the main thing is this type of support system.
It was being used to support everything and anything in any
company, software or non-software, right, this type
of help desk method, and I get it, it's needed, but I believe

(36:23):
and again, you can jump in and tell me I'm wrong or not the
factors, especially with law enforcement and digital
forensics, it should be a little bit different.
I want my help desk to be power users, right, and the first
level of solution from my perspective is I have this
problem right.

(36:43):
Tell me, within the tool, how can I go around it as we're
dealing with the underlying problem.
Does that make sense?
And I think folks go to the Discord because the folks that
are there for the companies tend to be examiners as them right,
yes 100%, and then those examiners can tell you oh well,

(37:05):
maybe you can try this and this and that, but you're not going
to get that straight up from your help desk.
There's kind of that knowledge gap from I mean I might be wrong,
but that's my experience, between the folks that are maybe
you're interacting in the IACIS listserv versus the folks you
interact within the help desk structure, right.
So I believe that needs to change a little bit, and so

(37:27):
that's one thing.
Another thing is the whole give me your logs type of thing,
right, and I understand you need your logs.
So I got a couple of critiques.
Some of these logs either they're in code, when they tell
you, well, the error was error xx3935.
I'm as a user doesn't serve me anything, or the logs are

(37:50):
encrypted.
I cannot see them.
So, whatever the issue is, the ball is hitting from me, it's
provided to the company and then you might sit forever and
nothing happens, right?
I would like for more transparency as you can see here
in my marquee for the week that that's the word of the week
more transparency in regards to what the limitation of the tool
is.
Look the tool crapped out on x.

(38:12):
I want to know that because even if you'd have the solution,
and again, that's OK.
At least I can go and do something else, either manually,
or be able to fix what the possible issue is on the back
end, as, again, we're looking for the long term solutions.
So I would like to see more transparency, and it shouldn't

(38:32):
be, from my perspective.
You just give me the logs and sometimes you give them the logs
and they're like I don't see nothing in those logs, right, at
least they tell you that I don't know, I cannot confirm it,
I cannot read your logs, I cannot encrypt them, or it's all
in code.
It's codes that I don't understand what they mean.
The meaning of that code is because it allows you right.
And they might tell me well, there's some proprietary
information there.

(38:53):
Look again, more transparency on the limitations will be
helpful, and I understand no company wants to tell you well,
my tool sucks at x.
They don't want to tell you that.
They want to tell you we're good at everything, or at least
we're good at x, y and z, right?
So there has to be a balance in regards to what the tool is not
doing or where it's bugging out and how can we go about it.

(39:15):
And I believe, again, examiners for the companies are really
good at interacting, but the help that's kind of failing on
that.
So you have two parallel support systems and, like Kevin
is saying, and yeah.
I think you're putting it up.
Yeah, can you read it, Heather?

Speaker 2 (39:34):
It's infuriating to be brushed off by support just
so they can close the ticket and sometimes it seems like that is
the goal.
Let's just get this closed as quickly as possible, whether
there's a resolution or not. Absolutely.

Speaker 1 (39:51):
You have a ticket sitting there for months and
then all of a sudden it disappears.
What happened?
So I guess the solution, at least from my perspective, is
the knowledge gap between the people in the help desk and the
examiners that work for the company, either doing forensics
or being front facing for the enterprise.
With the examiners there has to be some parity there so there

(40:13):
could be really productive conversations.
I send you an email, you send me an email.
I send you an email for days on days for dumb stuff, stuff,
that's like.
Why are you telling me this?
Can you get somebody on the line that knows what they're
doing?

Speaker 2 (40:32):
This is my coworker writing in here.
Your ticket has been escalated to our Black Hole Division for
additional analysis.
Pretty spot on.

Speaker 1 (40:44):
The Black Hole looks like a trash can.

Speaker 2 (40:47):
Exactly, it's the bottom of a trash can.

Speaker 1 (40:51):
And again, I've seen this with support tickets and
editing in any other enterprises.
But I think that's something that these, the companies in the
space, could grow from and say, look, we're going to change
that, we're going to put some numbers in regards to issues
that are accumulating and if the company decides to have a dual

(41:11):
track of reports let's say the folks that talk at the listserv
plus the tickets then keep track of that in a way that the
company actually the information filters through.
And we're not reinventing the wheel, because I'm pretty sure
that some person says, hey, can somebody at company X send me a
DM for an issue?
And I bet those poor folks get that issue 10 times or 20 times

(41:36):
from 20 different people.
So how is that being aggregated and making part of the
knowledge base so that it could either be addressed or that
workaround solution be pushed out, and again presenting it in
a way, I guess, for management so they don't feel like, oh,
we're seeing our tools crap.
No, that's not what we're saying.
We're saying the tool will do these things.

(41:57):
And as we work to present this in this manner, there's another
solution for you.
You're in the solution providing business and the
solution providing business cannot be constrained only by
the interfacing with the tool, especially when your tool is
either bugging out or failing at something.
Right?
Am I?

(42:18):
Am I based on that, Heather?

Speaker 2 (42:19):
No, you absolutely, absolutely hit it.
One thing I will add, though I have it not all support
personnel or help is bad.
I've had great interactions with support as well.
I just want to make that clear.
I want to make that clear and I will say that on the Discord,
Google groups and actually just people who have personally

(42:41):
helped me from some of the companies, the help has been
excellent, so I don't want to make it all sound bad.
If I had to say one thing that I would suggest to people in the
community, it would be you need to be reporting all of your
support issues to the company so they realize that, hey, this is
actually an issue, as painful as it is sometimes to do those

(43:06):
support tickets.
If we don't do them, they're not going to know, or they're
not going to know, how much of a problem it is for how many
people.

Speaker 1 (43:14):
Oh, thank you for saying that, because you hit an
L on the head right. At the other day.
We got to play the game that's in front of us, all right, and
if this game requires us to do tickets, do the ticket.
Look, even if you find an alternate solution and you're
like, well, I find a solution, who cares?
No, no, still put the ticket in, even if you don't expect an

(43:34):
answer because you solved it in some other way.
Ok, do it, because you're helping yourself and you're
helping others down the road.
So we got to play the game as it's played right now.
And thank you for saying that, Heather.
That's totally on point.

Speaker 2 (43:51):
All right, so we can move away from that.
I guess it's my soapbox week.
I stole it from you.

Speaker 1 (43:56):
Oh no, I said it was what grinds Heather's ears and
it's being finely grounded.

Speaker 2 (44:03):
Well thanks, Well done, well done.

Speaker 1 (44:09):
All right, so yeah, go ahead.
Yes so we have the changing gears again.
We're going to talk about something that I believe is
really important, and it's service.
I know most people like to do service, but I'm going to ask
from the community all the Digital Forensics Now community to do me
a personal favor.

(44:29):
Ok, as a personal favor, I want you to go to the survey. We'll
provide the link in a second and it's the Digital Forensic
Practitioner Survey, all right, or the DFPulse 2024.
This is done by Professor Mark Scanlon and the School of
Computer Science from the University College of Dublin in

(44:51):
Ireland.
All right, and it's also an association with a couple of
professors from the University of Lausanne in Switzerland and
professors from the University of Oxford in the United Kingdom
right, as well as the University of Nottingham in the United
Kingdom.
So I mentioned that because this is academics and academics
from world renowned organizations that are asking us

(45:14):
right in regards to what's happening in our field.
They're asking because they want to know what's the
interface between academia and us as practitioners.
How can academia inform us and how do we inform them?
Does that make sense, Heather?
Yes, and I believe this is important.
Last episode we had a.

(45:35):
We discussed briefly an academic article in regards to
error.
Error, it's not projection like error.
I'm having a brain, a brain.

Speaker 2 (45:48):
I don't know what word you're looking for.

Speaker 1 (45:50):
Well, some errors within our analysis.
What causes of errors in our analysis, in our work?
I guess that's the best way of saying it.
And to me it's really eye-opening, and I mentioned
last episode that this academic understanding made me aware of
these possible pitfalls, so I could mitigate them before I get
them, and seeing it in that sort of structure, an academic

(46:12):
structure, helped me a lot, right?
So it's important for us to also be informing the academics
that systemize all that knowledge and then they
providing it to us.
So please, please, please, please, please, please, pretty
please.
Look, we don't ask you for anything.
We don't ask you for money.
We don't ask you for nothing in this podcast.
This community doesn't ask you for anything, only that we ask.

(46:33):
At least this time I'm going to ask you to go to this link it's
going to be bitly, bitly, slash dfpulse and do that survey.
It's going to be around 30 minutes, a bit longer survey.
I'm going to do it tonight.

Speaker 2 (46:47):
Yeah.

Speaker 1 (46:48):
So we're going to set the example.

Speaker 2 (46:50):
So I'm going to do it tonight, I'll do mine too.

Speaker 1 (46:55):
And go there and please participate in this
survey from the universities.
It's going to help everybody and help yourself.

Speaker 2 (47:06):
So we are now to what's new with the LEAPPs, and
there's a bunch of new stuff with the LEAPPs, so I'll let you
start that off.

Speaker 1 (47:14):
All right.
So this is a lot of stuff happening, so we have a couple
of artifacts that weren't added and we changed the graphical
user interface a little bit, so let's get with that.
First, we have the Burner app.
It's now supported in iOS and that was done by Django Faiola

(47:36):
and I think we have a screenshot of that.
I don't have a screenshot of that.

Speaker 2 (47:40):
There was just the burner icon was up.

Speaker 1 (47:43):
But we do have the link to the article.
I think it's in Portuguese or it's in French.
I think it's Portuguese, right?
Either way, don't worry about it.
I couldn't read it.

Speaker 2 (47:54):
That's all I know.

Speaker 1 (47:56):
Yeah, but Google Translate does a great job.
So if you have Google Chrome, it immediately adds.
You want to translate it to English?
You say yes.
And you can read it there.
It's really good.
So the burner app is supported and we have that in iLEAPP. For
the folks that are new.
That's an open source tooling that the community created and

(48:17):
supported and it will take a full file system extraction
from an iOS device and get stuff, parse it out for you and get
you stuff.
That's just useful.
So that's the burner.
Kevin Pagano, one of the main developers for those projects
with me, my right hand man, he did an artifact on keyboard
usage stats, which is pretty neat.

(48:38):
So you got there, how many words were typed, how many words
auto corrected, the suggestion bar, and that's important
because it will tell you a lot about the user and that goes to
that pattern of life.
Those are investigators.
No, and I'm not going to say them here, but there are certain
words that might be important for your investigation that

(49:01):
indicate activities, behaviors, likings of the suspect that you
will not find anywhere else.
So they're not part of any dictionary in the planet, but if
you see them as part of that usage stats, in regards to the
words that are corrected or typed, that will give you an
inkling on what that person is doing or not doing, what their

(49:25):
interests are.
So you can see a little report there of the lexicon from that
device and let's look at the other user stats and there we go.
That's the kind of statistics how many were typed, how many
were auto corrected and from the suggestion bar.

(49:46):
So this type of artifact and there's tons of that that the
LEAPPs support and your forensic tool support will let you know
about information about that user there might be of
importance.
Another one that I'm really happy about and it was done by
Evangelos Dragonas and Panos Nakoti and they're great
examiners and they have developed.

(50:07):
Especially Evangelos.
This has done a lot of artifacts.
This one is for ChatGPT and that's pretty neat and I think
they did it for both iOS, Android and for RLEAPP.
RLEAPP is a tool that does returns, so as you pull data
from the services, you can parse it and get value out of it, and
it's pretty neat.
You can see the conversation that you have with ChatGPT.

(50:27):
You can see the metadata about that conversation.
If you uploaded any media, the preferences, you can see there
the creation time, the modification time of that
conversation was the title.
So it's pretty interesting.
Lately and I'm telling you, ChatGPT is becoming like a
really world-use tool.
I don't think any other tool supports ChatGPT parsing.

(50:50):
That I know of, you know of any other?

Speaker 2 (50:52):
I haven't seen any.
I haven't seen any at all yet.

Speaker 1 (50:55):
Yeah, so iLEAPP and ALEAPP from Android, iOS do
support it, and if you're looking for it, you're not going
to right, and that's kind of the rule with these type of
things, right?
But at least this open-source tooling will give you a head
stop and it's filling that gap until the big players in the
space, the third-party providers, are able to catch up, right?

(51:16):
What was the chat saying?

Speaker 2 (51:18):
It may have been handy on the recent CTF, and
Kevin says the same thing that also may have been handy on the
recent CTF.

Speaker 1 (51:27):
And that's a good point I have.
When there's CTFs, capture the flag.
That's the competition where either our organization puts out
an image for folks to go through it and answer questions
about that image.
The person that answers the most questions or answers them
all, wins the competition.
Well, guess what?
That gives you ideas of how to get to data and if they're not

(51:49):
supported, then you can go into tooling like this one that's
open-source and provide some support.
So CTFs are a really good way of learning and learning,
obviously, new things that lead to applicable, repeatable
tooling for everybody.
So that's pretty neat and I love that.
ChatGPT.

(52:09):
The big one that I left for me is the big one that I left at
the end is the graphical user interface change.
Right, let's bring up.
So this is the change.
I'll show you a couple of pictures, literally two.
The first one we're going to show you.
Do you have it?
I sent it to you, yeah.
So the first one is how is going to the interface, is going
to be looking?
And this is soon.
We're going to merge this into the project soon.

(52:30):
So before you had on the left all the artifacts and on the
right a little section for the logs to go through telling you
what's the tool doing as it's parsing your data.
So now you have a really big, nice screen that it will have
all your artifacts for you to pick, pretty readable.

Speaker 2 (52:48):
What did I just do?

Speaker 1 (52:52):
Hey, look at that, we're sideways.
Let me change it.
There we go, and then what we need to do is this. Boom.

Speaker 2 (53:01):
Okay, perfect, sorry about that I got you.

Speaker 1 (53:05):
So the folks that are listening we have the screen
kind of went haywire on us a little bit, but we got it fixed.
All right.
So now when you hit process, it's going to then take, it's
going to show you only the log screen there.
So let's show them that whenever you can, and I like
that a lot.
I try to leave what I preach and I was talking a second about

(53:27):
transparency, about how tooling sometimes hide the ball from us
in regards to what the limitations are, or when a
problem happens is hitting some log that you cannot understand
or decrypt.
My perception or philosophy about it is that the error
should be upfront and Johan did this change.

(53:48):
I want to say 20 things at the same time.
Let me go step by step.
I'll talk about why the change, but I like it because, even
without me telling him, he really picked up on what the
idea, the philosophy behind the project is.
Now you can see those logs as he's going through.
If something breaks or there's an issue, you're going to have
it really highlighted, really bold in your face as you're

(54:12):
going through it.
Now you might say, well, what if it passes?
I didn't see it, it's okay.
Those same readable logs are available in your report.
So then you can go back and figure out where the tool failed
or where something happened.
So then you can backtrack and figure out if you're missing
data.
I believe strongly in that.
I believe that the limitations should be put upfront and we

(54:35):
shouldn't be ashamed of them, because that's how we get things
to be better.
Maybe my philosophy is like that because I don't have a
product to sell.

Speaker 2 (54:45):
Maybe I don't know.

Speaker 1 (54:47):
But I would hope the industry moves in that way.
Do those errors upfront.
Okay, now what I want to say the reason we did that big
change is because the libraries we were using to generate the
graphical user interface, they were freely available and
overnight they decided to charge for them.
And again, I'm not criticizing that, right, folks do some work

(55:11):
and they decided well, I think we want to get paid for it.
That's okay, and folks that value that and have the money
can do it.
Now, since this is a tool that we provide fully to the whole
community, I want to make sure that it's free and I don't
charge for it, and I don't believe that folks should pay
for libraries, extra libraries there.
So what Johan did, and again, so, look, I'm so grateful for the

(55:34):
work he did.
He took the graphical interface and did it natively within
Python.
I say natively in the sense of using libraries that come with
Python already with the interpreter that they're free to
use.
They come with it.
That library is tkinter and he did an incredible job.
It's a lot of code to generate a graphical user interface the

(55:58):
way he did it and I'm grateful for it.
And I know the community will also be grateful when they
interact with it and we have plans again long term for more
changes to the tooling.
And you know it really gratifies me, like when Heather said that
one of her cases some of the data that came out through the
tool solved and made somebody that was guilty plea, and you

(56:20):
know that makes me really happy.
That's why we do it.
We do it because it's the right thing to do and that's our
payment and I know Johan agrees and all the photo developers
behind the project.
We do it because of that.
If you have any good stories about using the tool, let us
know.
Let us know some success stories.
I mean you don't have to tell the details of your case because

(56:41):
we know some of that stuff is, you know is confidential, but if
you need to, you can tell us like main plots.
That really really powers us and gives us energy to continue
doing what we're doing.
So again, thank you for Johan, thank you for Kevin, thank you
for all the other folks that I mentioned that keep putting
stuff into the project.
It's a project by and for the community.

(57:01):
So again, thank you so much.

Speaker 2 (57:03):
Yeah, definitely a big week for the LEAPPs.

Speaker 1 (57:05):
Absolutely.

Speaker 2 (57:08):
So that brings us to everybody's favorite, the meme
of the week.
Let me share.

Speaker 1 (57:16):
Let's see here I always, I always like the meme
of the week.

Speaker 2 (57:21):
So this was my pick for the week out of the memes
that came up on Alexis's LinkedIn, and it reads are
carved items and items in the trash bin, deleted files.
Well, yes, well, actually no.
So I mean, I love this one because I think it was Jessica

(57:43):
in the class and I'm not going to give away the details of your
class, Jessica, but yesterday she was saying just because a
tool says something is deleted doesn't mean it was deleted.
There can be numerous other reasons that it's showing as
deleted in your tools, and they're just there are.
It could be in the trash bin.
There's just tons of reasons it could actually be showing

(58:04):
deleted and this meme just hit at the perfect time for me, so I
chose it.

Speaker 1 (58:09):
Sorry, yeah, this is one of my favorite memes.
Yeah, and all the stories that could be told about that meme,
right?

Speaker 2 (58:17):
Yeah.

Speaker 1 (58:18):
All of my favorite.

Speaker 2 (58:25):
Oh, I can't hear you.

Speaker 1 (58:27):
You can think of different examples of the meme,
how that applies.
So, for example, you think about when you carve an item out
of an allocated space and when you look at stuff from the trash
bin and your prosecutor asks you so are those files deleted?
Well, if you use the term deleted, right?
Well, the answer is yes, but that's like what is said in the

(58:48):
chat it's an imprecise answer to an imprecise question.
Right, is it deleted?
Well, what do you mean by deleted?
Because deleted can have different meanings.
Right, and I see a movement, and actually Jessica is the one
that cannot put me in that direction.
Don't talk about files that were deleted.
Let's talk about recovered items.
That's a little bit more precise.

(59:09):
Of course there's some context where you need to use the word
deleted.
That means that we need to be more precise when we use it, and
I found myself telling my prosecutor well, yes, it deleted,
but no really. Right, because something in a trash bin is
still allocated right, and it has all the metadata.
It has everything.

(59:29):
It's just kind of quote, unquote, moved from one place to
another right. To the deletion.
It's not really deleted.
Now, allocated is deleted but different, right, there's no
metadata.
You might have a file that's half of the file, a quarter of
the file, not complete, right, just the header, a little bit
more.
So it depends, right.
What was the chat saying?

Speaker 2 (59:51):
So allocated?
Accessible, inaccessible.
Oh, the joys of explaining that in court.
That's Paul Lorenz.

Speaker 1 (59:59):
Oh my, that's yeah, absolutely.
What is what is saying?
What's Brett saying?

Speaker 2 (01:00:04):
Brett says two separate things deletion,
intention and how, and recovery partially, fully, none.

Speaker 1 (01:00:10):
Yep.
So even when you use the word deletion and recovery, there's
also new ones within it, and what Paul and Brett are saying
speaks to a concept that I was taught to be presented as a tech
terms.
These technological terms right, we need to dominate them, and
we have this bad habit of trying to use shorthand words to mean

(01:00:31):
things.
This is a scientific endeavor.
There's precise words for precise things and we need to
start using them.
If you're an examiner and you have trainees, you have to ding
them a little bit and say whoa, that's like a database, right?
No, no, no, it's not a database, it's this, it's a JSON file,
right?
A database.
You can mean different things by it.

(01:00:53):
It could be relational, it could be NoSQL, it could be
different things, right?
Precise terms, as best as we can for precise items or precise
procedures, and even if you have to spend some time
explaining it, I rather do that and take my time and explain it
than have people confuse and I know my prosecutors don't like
it because they want me to go get over with my part fast.

(01:01:15):
But I'm like nope, sorry, you got to stick with me, you got to
bear with me, you got to thank me at the end, okay.
So, bear with me.

Speaker 2 (01:01:27):
Jessica says deleted means something to the user, trier
of fact.
We need to be careful 100%.

Speaker 1 (01:01:33):
Yeah, the term can be loaded right.
When you say something is deleted, intentionality could be
part of that.
Right.
The trier of fact.
What she means by that is the jury, for example, the ones that
decide what actually happened or not.
They could think what's deleted the person did an overt action
on purpose to.
And you got to be careful because some things are

(01:01:54):
quote-unquote deleted that don't require my user interaction.
There's no intentionality there to obfuscate or obstruct any
justice, right?
So we got to be really and that's a great point we got to
be really careful and really precise in how we say things,
because maybe what you said is not false, but the impression

(01:02:17):
that it might cause on the hearer might be, and that's just
a big of a problem as saying something wrongly or make a
mistake or just say something.
That's totally off the wall, right.

Speaker 2 (01:02:29):
Yeah, Brett says, bad testimony equals bad case law,
and we do not want that as a community, for sure.

Speaker 1 (01:02:36):
Oh, absolutely.
And if you got bad case law, eventually it's not going to
bite you today, it's going to bite you and everybody else
tomorrow, exactly.
And for the folks that are not familiar with this law
enforcement field, that means that the consequences of you
being careless could affect you and everybody else down the road.
So do this for you, but also think of doing this rightly for

(01:03:00):
me, when it's my turn, and for others.

Speaker 2 (01:03:04):
Yeah, we've got a cough recover folders.
Cough hack, pass out comment.

Speaker 1 (01:03:12):
Oh my goodness, especially with the mobile.
And oh my goodness, yeah, there's a lot, and I appreciate
you brought this meme as just a selection because it really
talks about, then again, our fundamentals, and our
fundamentals are important how we refer to things, what are the
meaning of things in the proper context, the intentionality

(01:03:34):
that a word might bring or not bring, and those are things that
need to be constantly reminded, especially with new
technologies.
When ChatGPT comes in and stuff comes with ChatGPT,
what's the interplay between what I asked and what I received
right?
How can we ascribe that to the person, not to the computer, or
vice versa?
We need to continuously make sure that we evolve those

(01:03:58):
technical terms and define them properly and explain them
properly, and we talk about that in a few shows back how those
soft skills as examiners are going to be important, more
important as time goes by.

Speaker 2 (01:04:13):
I'm going to go back and just post one comment that I
missed earlier because I thought it was kind of funny.
But Arsenal is demanding that Brett give the people a
publication date, and I thought it was funny and I missed
putting it up earlier.
So, Brett, if you have a publication date for the book, a
solid, definite date, it looks like you're being called out by
Arsenal here.

Speaker 1 (01:04:34):
Well, and Brett response right.
What's the date?

Speaker 2 (01:04:38):
So it's definitely the March 22nd that I mentioned.
That week it'll be on sale, so yeah, no, let's all get it.

Speaker 1 (01:04:48):
What else is Brett saying?

Speaker 2 (01:04:49):
Half price for one week starting March 22nd.

Speaker 1 (01:04:53):
All right.
So everybody, you heard it here first, we got that scoop.
Go check it out.
Half price March 22nd, go get it.
Oh well, first of all, Heather, thank you, it was a fun, fun
episode.
I really liked it yeah thank you.
Me too, and thank you everybody in the chat and the folks that

(01:05:16):
are watching and listening live.
I've been keeping an eye on the folks also in Instagram and the
folks in LinkedIn, and if you don't see me commenting in
LinkedIn because I can only have so many hands, know that we see
you and we appreciate you.
Yeah, send us comments, topics you would like us to speak about.

(01:05:38):
You can send it to our Digital Forensics Now podcast page in
LinkedIn.
Just search us and you'll find us.
Or hit Heather, hit myself up.
Send us a friend request and we should be good.
Anything else for the good of the order, Heather.

Speaker 2 (01:05:53):
No, that's it.
Thank you so much, everyone.

Speaker 1 (01:05:56):
Thank you, and with that we'll see each other in a
couple of weeks yeah.
All right everybody.
Thank you for being here and we'll see you, take care.
Thanks, Bye.

Speaker 2 (01:06:06):
Bye, bye.