May 2, 2024 • 57 mins

Live from the International Association of Computer Investigative Specialists (IACIS) with special guest Bill "the phone wizard" Aycock!!


Notes:
Three New SANS Posters
https://www.sans.org/posters/ios-third-party-apps-forensics-reference-guide-poster/
https://www.sans.org/posters/android-third-party-apps-forensics/
https://www.sans.org/posters/dfir-advanced-smartphone-forensics/

New Release of Mushy
https://doubleblak.com/app.php?id=Mushy

Blue Crew Forensics
https://bluecrewforensics.com/2022/03/07/ios-app-intents/

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:09):
Welcome to the Digital Forensics Now podcast.
Today's Thursday, May 2nd, 2024.
My name is Alexis Brignoni and I'm accompanied today live in person, not on any computers, with the one and only phone wizard, the one that puts verified in verified labs, our

(00:30):
good friend and IACIS phone instructor Layton.
And as always, I have with me the Kahoot master, the advanced mobile device presence class boat captain, the one and only Heather Charpentier.
The music is hired up by Shane Ivers and can be found at rumensoundcom.
Hello everybody at home and hello to Bill and Heather.

Speaker 3 (00:56):
Hello, hello hey what's up?

Speaker 1 (00:57):
Everybody, super happy to be here.
I see folks coming into the chat.
Johan is around.
A salute to Johan.
And we'll talk a little bit about what he's been up to with the LEAPPs and helping out, you know, maintaining the project.
I appreciate your help.
My friend Andrea is online too, so hi to my co-Florida examiner

(01:21):
, happy to be here.
So, as you can tell everybody, we're live, we're all here with our nice IACIS.
Where is it?

Speaker 3 (01:29):
Oh yeah, hold on, I got it.

Speaker 1 (01:30):
I can muffle a little, there you go, IACIS shirts, and we're in our nice classroom here at the Caribe Royale in nice, sunny Orlando, from where I live, right? So Bill is teaching with us, and Bill, you're from law enforcement, right? Retired?

Speaker 2 (01:47):
Yes, yes, retired in 2013.
So you know, I started policing when I was 19 years old.
So you know, my entire adult life I've been a policeman.
So when I retired after 20 years, I was 40 years old.
So why stop now?
Precisely. Right, I mean.

(02:07):
So, start something else, and so that's exactly what I did.

Speaker 1 (02:09):
So now you have your own lab doing forensics Yep.

Speaker 2 (02:11):
Doing.
So I just do cell phones. Right.
So when you have your own shop, you can do whatever you want.
If you want to make, you know, clown balloons, you know you can do that, but uh, so I just do cell phones, cause you know that's my jam, right, I love cell phones, and so that's all I do is cell phones.

Speaker 1 (02:29):
See, when I grow up, I want to be like you.

Speaker 3 (02:32):
Me too.
I'm ready right now.

Speaker 1 (02:34):
No, I'm really happy to have Bill.
Bill has been covering some of the topics with us and hopefully, he's a busy man, hopefully you can come with us every year.

Speaker 2 (02:40):
Yeah, so great benefits here, great benefits, you know, and to give back, part of giving back to the community, and this is it, this is the community, right?
So everyone is in this community and to give back is just huge.

Speaker 3 (03:05):
Absolutely, absolutely, which leads us to being here at IACIS since the beginning of last week.
We did a class in advanced mobile forensics last week and then our second class is this week.
We're going to end that tomorrow.
We're all at the biggest IACIS event ever so far.
They said there's over 700 students, over 150 staff members and 23 courses in total.

Speaker 1 (03:22):
Yeah, it's been nice.
I will say I don't know why I'm kind of far away from the center of the action.
So, like next time, if some IACIS board member is hearing, let's put the advanced mobile device class closer.

Speaker 3 (03:32):
Yeah, we're away from everybody, like the redheaded stepchildren.

Speaker 2 (03:36):
I have literally put in 15,000 steps a day.
I guess there's a pro benefit there. Yeah, definitely, yeah.

Speaker 3 (03:44):
So there's a whole bunch of classes available down here in Florida once a year: mobile forensics, advanced mobile forensics, computer forensics, SQLite and many others, and I think the best part of being down here is definitely the networking.
I would not have met Bill if I wasn't down here, or Alexis, or Alexis last year actually, so the networking is definitely top

(04:08):
notch.

Speaker 2 (04:09):
Definitely. Part of, you know, part of the big thing about IACIS is not only are you networking here locally, like New York and Texas, I mean that's, that's far away.
But no, we're, we're networking with people from New Zealand and England and Australia, and you know, the more brains that we put into this group, the more problems we're going to solve.

Speaker 3 (04:29):
Yeah, couldn't agree more with that.

Speaker 1 (04:31):
They're saying the mobile students are way cooler, though, so I have to agree 100 percent.
That's from the chat.
I have to agree that we are.

Speaker 3 (04:40):
Oh, definitely.

Speaker 1 (04:41):
Or at least semi-cool nerds.

Speaker 3 (04:42):
They can't take our coolness.
That's why we're over here, hidden, that's right.

Speaker 2 (04:47):
They don't want to show their non-coolness, so they put us down here.

Speaker 3 (04:52):
So not only networking with other colleagues, other friends, but networking with the vendors.
There's a ton of vendors here at this event, and getting to interact with those vendors and ask questions about the products is definitely a really important part of the conference.

Speaker 1 (05:08):
Yeah, and you know it's really nice because sometimes they go around.
They do, not sometimes, but they do this at night.
They have the vendor nights so folks can go there, learn about the tools.
They do giveaways, so it's a good time, and I'm really impressed, since forever, I mean, I've been an IACIS member, certified for the last decade, actually 11 years this year, and this event is run totally by volunteers.

(05:29):
All of us were volunteers, the people that run it are volunteers, and it's an event that's amazing that's done that way, people giving their time for free to make this happen.

Speaker 2 (05:38):
Yeah, and you know, about the vendors too.
It's not they're here for us, right, but we're also here for them too.
I mean, as we come to these events, we bring issues or we bring new things to them, and they're very open to suggestions.
Or hey, could your tool do this?

(05:59):
And they write it down and they take it back to R and D and they see what they can do with that.
So not only are they here for the students, right, about their new products or whatever, but we actually add to their existence as well by making suggestions and comments about their products.

Speaker 1 (06:16):
And I would say, if you come to this event or other events, totally like Bill's saying, reach out and say look, this is the problem that I have, this is a solution that I found, and see how can that be filtered into the tooling so everybody can benefit.
So that's absolutely a good point to come to these events.

Speaker 3 (06:30):
So I definitely have to share our class instructor picture here.
So this is the group that's teaching the advanced mobile device forensics class.
We have John Hyla, Alexis, myself and Bill and, of course, our class mascot, Hannah.

Speaker 2 (06:49):
And what a handsome group I might have.

Speaker 3 (06:53):
Definitely.
And let me throw up, I have one more, one more picture of our lovely class mascot, Hannah.
She was helping us teach the other day, understanding your role, and she was understanding her role in the classroom.

Speaker 1 (07:09):
The best girl?
Yeah, really good girl.

Speaker 2 (07:11):
And it tells you, you can also tell the really advanced classes have their own therapy dog.

Speaker 1 (07:16):
Yes, Because Heather really drives a hard class.

Speaker 2 (07:21):
I'm good in my class, my blocks are nice and gentle. When it starts getting a little thick, you reach your hand down and a therapy dog comes up beside you and you can kind of calm down a little bit.

Speaker 1 (07:35):
Yeah, no, Hannah is an electronics detection dog and John is the handler, and what she does is she goes and there's, for example, a search warrant and they're looking for secreted or hidden electronics.
She can detect through her smell and finds them for the folks.
So it's a pretty highly trained dog, but also the nicest dog ever.

Speaker 3 (07:56):
So I think we're going to talk a little bit about the training that's available at IACIS and some other things surrounding training.

Speaker 1 (08:03):
Yeah, so here at IACIS there's vendor courses that the vendors come in here and provide, like Cellebrite, Spider Forensics and others, but we also have the IACIS courses.
We are not vendor specific, right, and I think we were talking with Bill the other day and he was discussing with us that difference between the need for vendor training and also this methodology of how you do your stuff.

(08:25):
You know.

Speaker 2 (08:26):
Yeah, I think it's so important.
So you know, here, and you know it's everywhere.
But I think a, I think a, an expert in our field.
That's what we are.
We're experts.
So we need to take that seriously, that, that, that banner of expert, we need to take it seriously.
And so, as an expert, I, I think that, as, as my training and as

(08:55):
my certification comes in, I think that first of all, I do need a very focused expertise and training on a tool.
So if I'm using a tool, I should be able to operate that tool at expert level, know how to troubleshoot it, know how to explain how it works in court.
So I want to be trained by the tool maker exactly how that tool works, and they train me on that tool.
So not only do I have a laser focused training on the tool,

(09:16):
but then also, to round out my training, to round out my expertise, I also want methodology training.
So here at IACIS, that's what we teach.
We teach methodology training.
So it's not specific on the tool, it's more the methodology that encompasses the tool.
So when I go into court and I testify, or when I'm working on

(09:37):
something, not only am I applying the specific tool methodology that I've learned, but I'm also applying the overall methodology.
And you know, sometimes, when, and we all know that maybe one tool doesn't get this artifact, maybe one tool doesn't do such a great job on this, my methodology training will

(09:57):
compensate for that, and so, because I know, I know the methodology behind it, and so that's what we're teaching here.
So I definitely recommend that, if you're working as an expert, not only do you have specific training on the tools that you're using, but also the overall methodology training, I think, is so important in what we do. No, and if I had to, we don't have to choose.

Speaker 1 (10:15):
But if I had to choose, I would put that: why are the things done the way they're done?
How are they structured, even before the tool training?
Because at the end of the day, and this happened to all of us, right, like Bill was saying, you get your tool to run, it's either, it might miss something or something that might not be interpreted properly, because nothing is perfect, right?
So at the end of the day, I validate that tool, and in some

(10:37):
jurisdictions the question is, well, you're an expert if you've been trained by the toolmaker, and I'm not minimizing that.
That's important.
But the tool can commit mistakes, right?
So it's up to us to have that training, and some of our blocks, what we do is we go, well, this is how you get, for example, to a SEGB file format.
This is how it's done.
And we look at the hex, we look at the offsets.

(10:57):
We do it by hand and then I give you an automated tool to do it.
And that goes to speak to what Bill's saying.
You got that methodology.
This is how you do this by hand and this is how you automate it and you can validate it.
And I think, and we talked about this some episodes back, Heather and myself, right, about being an operator.
We need to go back to those basics of our field, the scientific basis of our field.

Speaker 2 (11:17):
Yeah, I agree, if you get stuck, if you focus too much on the tool and not on the methodology, the overall methodology, you might get stuck on something.
You might, you'll go as far as the tool can take you and then you're stuck.
But when you have methodology training you can work around that roadblock and then bring in another tool or re-implement your tool in a different way.
So methodology training, the overall methodology training, is

(11:41):
, I think, a must.
It should be in your CV, if it's not.

Speaker 3 (11:44):
Absolutely, I think you will get stuck.
I don't think there's, yeah, there's no question about it.
Eventually you will get stuck and the end product suffers from that.

Speaker 1 (11:54):
Yeah, and there's this, some students, not every student, some students have this idea of okay, I take the class and the class will tell me or teach me everything I need to know about the topic.
And I mean, you can correct me or tell me your thoughts about this, but the class, I'm here to teach you more how to think as opposed to how to do the things.
And I say that because there's no way in a class, in a week or

(12:15):
two weeks or a month or a year, that I could teach you every single circumstance you might find or every problem you might come across in your work.

Speaker 2 (12:23):
That's right.
You know.
So I have to teach you how to think about the problem.
So when an unknown problem surfaces, you can handle it.
And as we were in class, I mean this was so, I mean this is so great, as we're in class and as we're talking about the topics we're talking about.
So we're talking about, in this class specifically, we really focused on the artifacts, on how to find the artifacts that

(12:48):
some of our tools are missing, right.
So you have a case where you have a brand new chat program come out.
No one's parsing that chat program, but yet this is important to your case.
You've got a car.
You've got to pull these messages out.
How do you do that if your tool is not doing it?
And so in this class, we're teaching you the method.

(13:10):
We're teaching you how to recognize what format it's in, how to dig that stuff out and how to put it out, how to bring it out of that container into a format that makes sense that you can give to your prosecutor.
And so you know, in this, this is how we teach the why of why we're doing this, because at some point you're going to have to employ this methodology away from the tools. Yeah, oh, you're definitely going to have to at some point.

Speaker 3 (13:30):
Um, I've had to numerous times.
I didn't think I could ever do it, but learning those, those, I guess how to, how to do it yourself, so super important. Yeah, yeah, like the, like the, like the Uber app we talked about last time.

Speaker 1 (13:43):
It's a LevelDB database and if you're not familiar with LevelDB, we teach it here as well.
But you can get smart on that and you apply that method.
You say, okay, I don't know this.
I have a structure of how do I get to know things, and you apply that.
And then obviously you reach out to the community, reach out to friends.
Like we said last episode, and I got to emphasize it again, have a tribe, right, and Bill, now that I know Bill really well,

(14:05):
spending for him two weeks, he's done.

Speaker 3 (14:08):
I'm going to be pestering him all the time.

Speaker 2 (14:10):
Oh, me too.
Me too, definitely.
Wasn't it cool that, as we were in class, we're teaching how to dig these new artifacts out that aren't supported, and as we're in class, we're getting emails on the listserv, on the IACIS listserv, which is a list of, it's a, it's an email service from all the IACIS members.
We're seeing, sometimes, the very application that we're

(14:33):
we're examples in class that we're giving.
People are asking questions.
Hey, I came up with this new app.
It's not being parsed.
Does anybody know how to get, get application data out of it?
And it just happens to be the program that we were teaching today, so it was, as we were doing it.
That's literally what happened.

Speaker 1 (14:48):
It is, as we were doing it, I mean literally, we were talking about that file that day.
The JSON inside a SQL database, and Bill told me that, I told the class, hey, if we had, if the person, I think, in this class were to have that method to be able to address it, that was great.

Speaker 3 (15:04):
Yeah, that was awesome.
Actually, we got to put the email, the listserv email, right up on the screen and say this is the exact reason why you need to learn the artifacts we're teaching in this class.

Speaker 1 (15:14):
Yeah, Stephanie is saying from LinkedIn.
She's saying it's not just learning how to use the tools, it's knowing what they're actually doing, right.
Yep, that's it.

Speaker 2 (15:22):
That's huge.
And you know when, when you go testify on this, when you and I, man, I do a ton of testimony stuff and I do a ton of expert witness on the stand and in deposition, and you have to know, you don't have to know the specifics of how the tool is working, but you do have to know the basics.
You have to know, hey, the tool is injecting a client and the

(15:42):
program's running on a client.
You have to know these things.
And she's exactly right.
You don't have to know, like, the dynamic details of it, but you do need to know how it's doing what it's doing.

Speaker 3 (15:52):
Yeah, definitely.

Speaker 1 (15:53):
Absolutely, and there will be questions that you will depend on that knowledge to be able to answer correctly, right, especially in regards to the background of where something came from, or is this an artifact that indicates attribution or indicates intent?
And again, you don't have to be the coder of the program, but you do need to have that background.

(16:13):
So that's what we try to do here.

Speaker 2 (16:15):
Yeah, agreed.
And when you're testifying, I mean you need to say that stuff with some confidence, right, and you're going to get a lot of questions about your methodology too. Sir, you know, Mr. Aycock, what is your methodology?
When you approach this, you've got to be able to explain your methodology.

Speaker 1 (16:30):
I just, I just press a button here, right?
Yeah, I made out something.

Speaker 3 (16:34):
There are people who say that there are.
Shame on you.

Speaker 1 (16:40):
No, we uh, no, and again, it's also a good time.
Um, there's the event.
We go really nerdy during the day, then we go out at night and we have a good time.
Really good people in this event.
So, uh, I'm hoping that they'll keep me and keep us around for a long time. Yeah, if we didn't break anything. Not yet, we have one more day.

Speaker 3 (17:02):
So, um, specifically related to this class, there's a student in the class.
He's from Beverly Hills, his name is Eugene Kim, and he decided that he wanted to write a testimonial about this class and the class he did last week.
He did the MDF, the mobile device forensics class, last week, so I'm going to read it to everyone who's listening.

(17:22):
He wrote: Hi guys, I am a subscriber to the podcast and a recent attendee of MDF and the new AMDF course.
In fact, I am in day four of AMDF now.
I'm sure there are other listeners out there wondering if the course is difficult.
I started last week with a novice level of experience.
I am happy to say the instructors are truly awesome

(17:44):
and very committed to student success.
I've been surrounded by extremely knowledgeable examiners and instructors who are always very willing to help out.
I never felt left behind or lost.
I learned so many techniques that far exceed any of the push button methods we used before.
I'm so much better now after the last two weeks of learning as a manager of a digital forensics task force.

(18:05):
I highly recommend everyone go through MDF and AMDF.
If you're listening to this podcast, you should be here.

Speaker 1 (18:12):
Oh, that's nice.
Yeah, it's very nice.

Speaker 3 (18:14):
I had to share.
It was very nice.
It's much appreciated, Eugene, if you're listening.

Speaker 1 (18:19):
Check's in the mail.
Yeah, he is actually a really cool guy.

Speaker 2 (18:26):
They have got a really cool setup.
I'm gonna, next time I'm in the valley doing some work, I'm gonna go, I'm gonna go see him. Yeah, and uh.

Speaker 1 (18:30):
Actually, if you're in the valley, bring some stickers from the, uh, their PD, so you can give it to Heather.
I just noticed, looking at, uh, looking at the feed here, that you're kind of like a sticker lacking. I'm a little light on the stickers.

Speaker 3 (18:43):
Yeah, yeah, if anybody wants to send me stickers.

Speaker 1 (18:46):
It has to be.
It has to be forensics related. It can be just any stickers.
Okay, so I just want to note that, you know.

Speaker 3 (18:52):
Yes, they have to be forensics related, no problem.

Speaker 1 (18:55):
No, we appreciate his comments and, again, you know, we try to make the class better and students will do reviews at the end and we'll evolve the class.

Speaker 3 (19:02):
Yeah, I like hearing too, like, so people who are just doing the push button forensics and then they come to a class and they're like, I'm not doing that anymore, or, or, this is going to change the way I work in my lab or how I instruct people to work in my lab.

Speaker 1 (19:15):
That does, I mean, that we get paid with, with those type of comments, with the changes people make in their labs, make their workflow better, to bring justice faster and more efficiently.
That's our payment and, you know, there's, there's, there's no money could compensate for that.

Speaker 2 (19:30):
And I think, I think at one point we all started like that.
Right, we all started in a very simple, simple mindset.
But I think our, you know, especially for me, my sense of duty, my sense of I've got to find the truth no matter what, I can't stop until I find it, that kind of attitude in a forensicator is what drives us, it's a must.

(19:53):
And if you have that, you have that driving mentality, good for you.
Don't, don't suppress it, keep it going, because that's what's driving this community to, to expert levels and to the truth.

Speaker 1 (20:08):
I mean, I don't know if this goes in the podcast, but I started my little lab with literally a little NAS, network attached storage, and a computer and a set of little write blockers.
That was it.

Speaker 2 (20:18):
Yeah, I started with very little.
I had like a room in my garage, right, so I mean it was humble beginnings.
For sure, humble beginnings, yeah.

Speaker 1 (20:30):
I know Bill's killing it, by the way. Yeah, definitely.

Speaker 2 (20:33):
I'm so glad you're here, Bill. So, and I'll tell you, I was talking to some peers and I'm like, man, I'm here with the smartest people.
I don't know what I'm doing here.
I'm here with some big brains and you guys are phenomenal to watch.
To sit here and watch Brignoni talk about protobufs and LevelDB

(21:00):
databases, and he's giggling.
I mean, he's literally, he's like, he's giggling.

Speaker 1 (21:09):
I think about protobufs.
Yeah, I think about Porobus.

Speaker 2 (21:13):
Yeah, it's an inside joke, it is an inside joke. To see you both up here instructing.
I mean, it drives me to want to know more.

Speaker 3 (21:23):
Don't sell yourself short.
I heard you instruct as well, and you killed it.

Speaker 2 (21:27):
I don't know about that.
I'll tell you, to come to these classes and to see you guys and to see everybody, right, it just drives me to want to know more, drives me once. Yeah, um, John is making fun of my.

Speaker 3 (21:46):
I thought John was at Top Golf. John must be listening to us from the staff dinner at Top. They all went to the party, but we stay here.

Speaker 2 (21:51):
They probably got us on a screen.
We're only saying good things about IACIS, okay, don't fire us.

Speaker 1 (21:57):
And Boolean Grotto.

Speaker 2 (22:01):
Boof and Boolean.

Speaker 3 (22:06):
Oh, we've got Kachup and Cool Whip in there too.

Speaker 1 (22:09):
Yeah, somebody was in class.
I'm going to make that story.
So you know, obviously I'm from Puerto Rico and I have an eight-year-old, and sometimes I just speak, you know, with my accent.
I say, hey, you know, you want some ketchup in your hot dog, and he goes, Papito.
That's that in Spanish, Papito.
It's not ketchup, it's ketchup.
And I'm like, really, man, are you going to call me out like that?
So now everybody's calling me out in class.

(22:30):
It's fun, I love it, it's a good night, it's a nice group of people, the students.

Speaker 2 (22:35):
And I tell you what, John, to hear him talk about, you know, SEGB files, right.
So, he's like the guy about SEGB files.
Right, to hear him talk about how he found it.
I don't know if I would have.
I may have stopped.
I mean literally, I may have just gone, you know, I'm going to get us to Brignoni.
Forget it, right, I may have stopped, but John didn't.

(22:56):
Good job, no.

Speaker 1 (22:58):
And based on.
So I don't get tired of saying the story, I will say it again.
John figured out there's this file format in iOS devices that has a bunch of important pattern of life information and nobody knew about it, at least nobody within the community, and he at it.
He kept at it and he came out with it, and I put it in a, in a blog post and it exploded, and myself and some of the examiners

(23:19):
built on that to create parsers for it, and I wouldn't, we wouldn't have gone there as fast as we did without him laying that groundwork.
So we have him in class teaching with us and he explains it's important to know the SEGB format, but that's great.
But what I really like about his blog is he explains the thought process.
Like, I found this unknown thing, how do I look for patterns in the data?
How do I apply the sweeping of the offsets and hex, of those

(23:44):
bytes in hex?
Because we take those classes and we think, oh yeah, I know how to count from binary, how to make it in hex, and when am I going to use this?
Well, when you find a file like a file like that, like he did, that's what you're gonna use it, you know, and that's the importance, the.

Speaker 2 (23:59):
The importance is, is giving them, you know, arming them with the information, but then showing them how to deploy it, showing, showing them the why of, you, why you need to know this, and John was right on, I mean, he was.

Speaker 1 (24:12):
Hey, I found this file, didn't know what it was, and I started looking at patterns and I started, started finding, started doing testing, and I found out what it was and that was a huge find. Well, and, and even some of those, even when he presents, because I, I feel that I know those files well, but I, I got something out of every presenter and every, even from the students. He was, he was talking about how he looks at the patterns and he can

(24:34):
look at the pattern of the hex and he sees some variations.
At the end he knows that's a timestamp.
And when I look at it and say, you know what, that makes absolute sense.
I mean, we're going to replicate here in the show, that we don't have the data here.
But if you look at the hex a certain way you can tell that some fields are timestamps based on the configuration of the hexes.
Now it's like, when you see it, you cannot unsee it.

(24:56):
So now I'm looking at this, like, you know what, that's a timestamp, and I'm pretty sure if I swipe it and then convert it, it is going to be so.
Even myself, that I'm an instructor, I'm learning from the other instructors, I'm learning from the students.
It's such a great experience.
It's one of the two best weeks of the year for me to nerd out in a good way.

Speaker 3 (25:14):
Yeah, this has definitely been great.
Lori is asking in the chat, do you have the link to that blog post?
And we do, so.
His site is Blue Crew Forensics, but when we end the podcast tonight I'll put it in our podcast notes and you can go read that blog post, because it's excellent.

Speaker 1 (25:30):
Absolutely, and we teach that in class.
We teach about the SEGB files, both version one and version two, and he covers those blocks.
I'm really happy that he's part of the instructor crew here.

Speaker 2 (25:40):
Excellent crew.
I mean not only in this class, but the MDF class too.
I mean, gosh, man, these are the instructors here.
I've never been disappointed.
They've always been industry leaders.
And who better to learn from?
And you know, for us too, like you said, who better for me to learn from than all of you guys?

(26:02):
Excellent.

Speaker 3 (26:04):
Oh, I've definitely learned a whole bunch of stuff that I did not know these last two weeks just from sitting in the class and listening to the other instructors.

Speaker 1 (26:12):
If you're at home having FOMO, like fear of missing out.
Yes, you did miss out.
So tomorrow, pretty much, we're ending tomorrow, the event.
So next year come from the beginning and hang out with us and let's have a good time.
Yeah, definitely.

Speaker 2 (26:24):
It's definitely something that should be on your list.
I mean, there's so many good events to go to, but this should be on your to-do list.
I think that IACIS, not only is it an international association, that says a lot, but the training is legit.
There's other trainings out there too.

(26:46):
I'm not putting down anything else.
SANS classes, absolutely.
I would go to all those classes, absolutely.

Speaker 1 (26:53):
If you're new in the field and you're like, well, how can I do that?
You know, it's a process, right?
You can, as you go through your process, you go learning, make sure you're able to have, you explain to your bosses, your stakeholders, hey look, this is a good developing event, and make sure you'll be able to make it here.
Or use some program like SANS has, a study program, that you

(27:14):
can go there and the prices are reduced.
So some of the stuff that we have to do just to get that knowledge.
So it's really worthwhile.

Speaker 3 (27:21):
There's scholarship programs for IACIS as well.
So, look for those every year.

Speaker 1 (27:25):
So Trey from Magnet is saying that the stickers are in the mail for you.
Oh, thank you.
A big Magnet sticker that, you know, the two jeans.

Speaker 3 (27:35):
Oh yeah, it's a pair of jeans.
Actually, I want one of those, I like so.
I'm just being, I'm being kind of, we're picking, and now he's not going to send me any stickers.
Yeah right, it's all your fault, it's my fault.

Speaker 1 (27:48):
Yeah, the new logo.
They look like two pair of jeans together, to pump the M.
You know what I mean?
It's just joking, I kid, I kid. Stickers in the mail.

Speaker 3 (27:55):
Thanks.

Speaker 1 (27:55):
Trey, we appreciate it.

Speaker 3 (27:56):
Yeah, so actually there's a couple of questions.
So what is the general makeup of students?
Private sector, law enforcement, novice, super experienced? I would say everyone.
It's not just law enforcement.
There's private sector, there's beginners, there's really experienced students and, with the instructors as well, really experienced instructors.

Speaker 1 (28:18):
All my background is criminal background, right, but I met Bill, we took a class together a few years back, but now I really met him real well.
He works now in the private sector.
We have a student that sits over there that also works in the private sector, and I've gotten a lot of understanding in regards to how they go about doing their work, how they will testify in the civil arena, and some of the things that we

(28:39):
discussed I know I can incorporate into my own presentation in the criminal side.
So we have students here from all sides.
There's this concept of the criminals and the criminal investigators versus defense.
That doesn't exist here.
We're here for the science and we're all colleagues, no matter what type of work that you do. Hey, I think that's a really

(29:00):
good question, yeah, so do I.

Speaker 3 (29:01):
So Stephanie asks, what would you suggest be the first cert to attain for a novice to get into digital forensics? I'm starting from the bottom and working my way up.

Speaker 1 (29:12):
So, thoughts?

Speaker 3 (29:13):
Bill's our guest.

Speaker 1 (29:14):
That's how. Bill's at the top of the year.

Speaker 2 (29:20):
So you know, in my experience, I was tool certified first, so I went with, it was a Cellebrite training, because that was the tool that was out there that we bought. So I did tool-specific training first and I became efficient with that tool. Now, once I got that training, I wasn't done.

(29:40):
I started using the tool. I started utilizing my training. I got some time under my belt, right, I got some experience using the tool. Then I went to my next certification and that was more methodology certification. So I would recommend starting out small with a tool, learn that tool, get some experience with it, get some mileage with it,

(30:04):
get good with it, and then, once you're there, then you're ready for the next step, which would be methodology training or maybe another tool. But I do not recommend taking one course and going certification and then two weeks later or a week later go to another course, and then a week later go to another course. I recommend getting the training, putting it into

(30:26):
practice, becoming a practitioner of that, and then moving to the next step, because it becomes applicable. That your next training, the methodology, you're thinking, okay, so I could apply it here, because I've done that before. So I think, tool training first, get one tool and then get some experience and then move on. What do you think?

Speaker 3 (30:48):
I think so. If the question was specific to IACIS, I would start with the BCFE and then the CFCE certification. I agree with the vendor-specific, because you're going to have to be using those tools, so you need to have some training in the tools you're going to be using first. But if it's IACIS-specific, I would start with the BCFE. Get your fundamentals out of the way right away.

Speaker 1 (31:09):
I'm going to be the odd man out. So the BCFE is a hard class, right? Yeah? And from my perspective, and I mean I agree with you, it should be the first one if you're here. But that being said, a groundwork has to be done first. From my perspective it's a hard class. And when she says that, well, I'm a novice, well, it depends

(31:30):
how you define that, right. If you're saying I'm a novice, but I know how networking works, I know how computers work, I know all the parts of the computer, I understand what a file system is, and that's not limited to digital forensics, computer knowledge. If you have that, well, you are a novice only to the digital forensics application. But there are folks that come in that don't even have that. For example, you're from the road because you like computers

(31:52):
and you come to the lab. I cannot send you to BCFE straight up, because you're going to fail. You don't know the parts. You don't know how networking, you might think, well, who cares about networking? You know what, how the data moves from one computer to another, from one phone to another, will be part of your investigations. And that's not forensic knowledge, that's general computer knowledge. So I guess it's a long way of saying I would recommend, if

(32:13):
you're a real, real novice, go and get your Network+, and that's from CompTIA. It teaches you how networking works, what are protocols, what are packets, how they move across the networking stack. Get A+, also from CompTIA. And just some examples on certifications: how do the CPUs work?

(32:37):
What's CPU? What's memory? What's the swap space? Right, when a computer goes to sleep, the memory gets dumped to the drive, and that concept later gets applied when you say, okay, does that memory dump when the computer goes to sleep? Is there any forensic significance? That's when the BCFE stuff comes in, right? Yeah.

Speaker 2 (32:51):
What do you guys think about the, so this is something relatively new, the bachelor's of digital forensics, right, the master's of digital forensics. What do you think of those programs, Heather?

Speaker 3 (33:05):
So, yeah, I have a master's degree in computer forensics and I feel like I learned most of what I know in forensics once I started my job, and I mean I got fundamentals from school. I'm not saying I didn't get anything from school, but I graduated and came into a job at a police agency and had no idea

(33:28):
how to apply what I learned at school, and the courses that they've sent me to is how I am where I am today. I wouldn't attribute a very high percentage of that to my schooling.

Speaker 2 (33:40):
I know, and I've had the same experience. I don't have a bachelor's in digital forensics, but I've heard the same experience, and that question comes up a lot to me, especially with young examiners. They feel like they want to go to college or have a need to go to college to get a digital forensics degree. And you know, maybe that helps you understand the fundamentals,

(34:01):
like Briggs was saying about, you know, how the computer works, how it's built, what's the working knowledge of the computer and how information goes through it. That would probably be a useful part of that degree program. But your on-the-job training, that's where you're really going to get the application part of it. So you know, maybe an associate in some type of computer IT

(34:27):
something to get that basic stuff right, and then delve into the forensics.

Speaker 1 (34:33):
I mean, we're not that far apart in age. When we came about, there were no degrees, that did not exist. There was no forensic degree, that didn't exist. So people got certified and as you got into the field, I think that with enough time, as we codify this knowledge more strictly, I think people will need to get degrees at some point.

(34:54):
Not yet, right, but at some point. I think that's going to be something that future generations have to think: when I get into this field, you've got to have a degree, because you're going to become really specialized. Now we're not there yet, and Stephanie is saying, in Stephanie's case, she says I took A+, Network+ and a Sec+ boot camp,

(35:16):
and from my perspective, if you have that baseline and you have understanding, that is what Heather and Bill are saying: get your good tool trainings, you have like your hammers and your nails and your tools, and then take the BCFE, so then you can learn how to hammer and how to measure and learn how to build that house.

Speaker 2 (35:26):
Yeah, and it's like, so, like you said, the hammer and the nail, right. So you got to learn how to use the hammer first, and then, you know, then you learn where to hammer, right.

Speaker 1 (35:35):
Learn the hammer first, then learn where to hammer. Don't hammer your finger, please, and we've all done that at some point, right?

Speaker 2 (35:41):
I'm stretching this analogy to the max. Expect nothing less, of course, of course. No, it's good stuff, and man, you guys got a great crew here. Look at that. It's just all kinds of chat. Oh yeah, yeah, yeah. So you know what.

Speaker 3 (35:59):
Back to what you just said a minute ago, though, with the associate's, with having that computer knowledge. I didn't have to have that to get the master's degree in computer forensics, so I went into the computer forensics master's degree with no computer knowledge. So definitely you want that associate's, or, you know, undergrad in something that gives you the basics.

Speaker 2 (36:20):
You know. But at the same time I want to encourage that if college is not your thing, you don't have to go to college to get into our field. You don't, you don't, you know? I think the most useful thing that a person can have is up here, right. I think it's the drive to be better, right, the drive to

(36:41):
dig down to the deepest parts of the well, for the truth. That drive gets you far.

Speaker 1 (36:48):
Yeah, I want to try to look like, find it quickly here, but I was reading, I don't have it in front of me, but I was reading that even the White House recently is promoting, trying to push a policy where, to be able to do certain jobs in computers, you don't have to have necessarily a degree, if you can show you have that aptitude, you have the knowledge, and we had a discussion a few weeks back.

(37:09):
Like somebody like Bill Gates, he just dropped out of college and made Microsoft. You cannot say, there's medicine, no computers, because you don't have a degree, right? Just one example. So yeah, absolutely, especially in infosec circles, the best practitioners are not the best practitioners because they got a doctorate in information security, right. They got it because they did the work.

(37:31):
They actually are curious, have the aptitude, have a note, they're not quitters, and that's how they got developed, right. Yeah.

Speaker 2 (37:40):
And just jump in, right, just get in. If you think you want to do this, get in. It's going to take, you've got some work, legwork to do. It's not going to be an immediate understanding and knowing all, but so get, get started.

Speaker 1 (37:55):
Oh yeah, and be flexible. I got folks and, again, it depends on what stage you are in life, but you might need to move somewhere where that opportunity presents, right, and the opportunity might not be in your town, and I'm not from Orlando, I'm from Puerto Rico, but I moved over there. Can you tell? Can you tell, in my kitchen, my proto box, above the beach? But this is my experience, I had to, you know, look for

(38:18):
that opportunity, and I'm so happy that I did. I wouldn't change anything. Yeah, yeah, well.

Speaker 2 (38:26):
Oh. So she says, well, I'm jumping. Okay, good. What have I been saying? Jump off the cliff, yeah.

Speaker 1 (38:31):
Jump off the cliff.

Speaker 2 (38:31):
Yeah, right, jump off the cliff. Just know what you're jumping off the cliff with.

Speaker 1 (38:36):
Yeah, exactly, I love this. Bill is telling me that you jump off the cliff and you have the parts you need to make that parachute.

Speaker 2 (38:44):
So I would say you can either jump off the cliff with a parachute or you can jump off the cliff with the stuff to make a parachute, right, and it's up to you how fast you make the parachute. Hopefully you make it in time.

Speaker 3 (38:58):
I don't know where you're from, Stephanie, but if you listened to the podcast last time we were on, we're hiring at the New York State Police. Maybe you can jump right in and work over with me.

Speaker 1 (39:09):
There you go, the opportunity presents. It might not be your time, but if you have the flexibility, take it, yeah, and you won't regret it. All right. So I mean, we're having so much fun, I don't think we need to. Well, actually, let's cover a few things.

Speaker 3 (39:23):
Yeah, we'll talk about a few things that have happened.

Speaker 1 (39:26):
Yeah, let's talk about the, because we're about to hit the top of the hour. Let's talk about the stuff that's happening in the LEAPPs and some of the SANS stuff.

Speaker 3 (39:34):
Yeah, that sounds good.

Speaker 1 (39:35):
Hey, I'm going to step out. All right, I got work to do. Ah, come on.

Speaker 2 (39:42):
Just 10 more minutes. I actually work for a living, so I'm going to let you guys have it.

Speaker 1 (39:46):
I agree.

Speaker 2 (39:47):
I mean, I just can't say how great it was to be with you guys this week, these last two weeks, and just, you know, wow, what an honor to be with you guys.

Speaker 3 (39:56):
Listen, we feel the exact same way about you.
This was awesome.

Speaker 2 (39:59):
Well, I had a great time. Thank you to the audience for allowing me to be on your show, and thank you guys for allowing me to jump in on this, but I had a great time. We're going to repeat it. We're going to repeat it next year, for sure?

Speaker 3 (40:19):
Oh, definitely. Oh yeah, we'll get Don in here with us and Hannah. I think there are four of us. But thank you guys, see you guys later, thanks, thank you Bill. So yeah. So to hop over to another topic, SANS put out some new posters and I kind of just wanted to put up the links for those new posters. If you haven't ever utilized the SANS posters, get them. They are like cheat sheets to whatever you're... third-party app

(40:41):
forensics reference guide and then the DFIR Advanced Smartphone Forensics reference guide. It must have been updated, because I have a copy of that. So in my office we take those cheat sheets and we blow

(41:03):
them up into like big poster size and get them laminated, and they're hanging in our lab. They're an excellent resource.

Speaker 1 (41:09):
I'm gonna just throw them up here real quick, yeah, as you put them up. Mattia Epifani, he's an excellent examiner. We discussed some of his work before on the podcast. SANS commissioned those posters, so he could do it, and he's such a great mobile forensic examiner, world-class expert, and I'm really, now I'm going to flex a little bit, I'm really happy to see that the LEAPPs project is

(41:34):
mentioned in some of the posters, and some of my research into some of the apps is mentioned also in the posters, so that's a point of pride for me to have there, so I'm so grateful for the community to support it.

Speaker 3 (41:46):
Yeah, that's awesome. So the posters are free. You can just go download them on the website, but you have to make an account. But you want an account with SANS anyway, so make your account, and I'm just going to scroll them across the screen here quick. But this is what the posters will look like.

Speaker 1 (42:02):
And.

Speaker 3 (42:02):
I suggest blowing them up, yeah.

Speaker 1 (42:04):
So the folks, it might be a little bit little, but if you're watching, as opposed to folks listening from their car or whatever, what you're going to see is the little icon for the app, and it's divided by types, like the business apps, utilities, health and fitness. And I like it because you have the app there and then all the locations where pertinent data will reside for that app. And I use this a lot, because I'm like, okay, I need to

(42:27):
validate LinkedIn. Do I know off the top of my head where that thing is? I go quickly to the poster. I see, here's the data, and I go get it and I validate or do whatever research that I need to do. So the posters are super helpful.

Speaker 3 (42:39):
Right, I find myself forgetting all of the time where you go find the artifacts to show that a phone was wiped and the date that it was wiped. And they're on these posters, and this is a quick reference guide you can hop over to and find those answers quickly.

Speaker 1 (42:54):
Yeah, show the green one. So I was talking today about identifying malware based on heuristics and how it behaves. I was teaching that class based on work done by Josh Hickman, a personal friend that we mentioned a whole bunch of times before, and so I was talking about that. The poster has a section in regards to malware identification and some malware analysis, so it goes beyond just

(43:16):
the apps. It talks about other topics that are related that you might not be aware that you need until you need them. Right, so you're going to go to the poster and get some reference points there, so pretty good stuff.

Speaker 3 (43:26):
Really great resources.
Let me take it down here, yeah.

Speaker 1 (43:31):
So with the new posters we also have something new with the LEAPPs, right?

Speaker 3 (43:35):
Yeah.

Speaker 1 (43:36):
And I know Johan, again, Johan stays late because he's all the way in Europe, so I appreciate it. Johan's still around. If he wants to sleep, I will forgive him. I guess, this time, this time. So Johan was kind enough to generate a new release for the LEAPPs, for ALEAPP and iLEAPP, and the releases that he's putting out, they're really nice, because not only do you have an

(43:57):
executable for Windows, now you have also binaries for Mac, to include the newest architecture, the M1s, M2s, what's the architecture? I forgot. Right now I'm the worst. ARM. Thank you, ARM. Okay, so the ARM architecture.

Speaker 3 (44:12):
Okay, I got to think.

Speaker 1 (44:15):
ARM architecture. Yeah, so if you have a Mac and you need to do some forensics, and I was discussing, we were discussing with class, that I'd rather do, like if I'm doing iOS forensics, I want to have a Mac computer close by. I want to do, like, environments in a like environment. So in analysis you have to do it like that. And the reason, you know, we got some time here, so the reason we

(44:36):
want to do that, we were discussing with class, is if you move a file out of an APFS container, which is the Apple file system, and you dump it in a Windows file system like NTFS, you're going to lose data, the metadata that comes with the files. The moment you dump it in a foreign file system, foreign for the file system, it is going to get lost.

(44:57):
And we don't realize that. We're really, as examiners, we're really kind of trained in Windows environments and to work all things there. Well, no, you might need a Mac computer to take that file out of that container, drop it on an APFS file system and then analyze the metadata points, right, with proper, you know, Apple, iOS, macOS tools. So highly, highly recommend that you take those binaries,

(45:22):
have them available for your Mac and do some examination on your Mac. Get smart on that. It's going to help you out.

Speaker 3 (45:27):
Yeah, Johan's in the comments saying that VLEAPP and RLEAPP have also just been released. I don't know where you find the time. Well, apparently it's late at night. Yeah, definitely. Now that we're going to be done with the IACIS class, I plan on helping with some things.

Speaker 1 (45:46):
No, we say it a lot of the time, but we really hope to do a big push for VLEAPP. For the folks that are not aware, it's a Python platform that we have and it's going to be focused on processing extractions from vehicles, cars, trucks, whatever, and we got some nice people from the community that have donated test images for us to figure out what artifacts can we find, and that will serve for the

(46:07):
community as another validation point

Speaker 3 (46:09):
for vehicle forensics. Those are hard to come by, because I mean, it's going to be your case data, or is somebody renting cars to pull the modules, right?

Speaker 1 (46:19):
I mean, copying a phone, there's many ways of copying a phone, but getting data from a car is one way, and it's really physically intensive. Yeah, not as easy. Not everybody has the equipment to do that, so we got some images. We're happy that we got those, and we're going to hopefully try to support them.

Speaker 3 (46:35):
Yeah, definitely. Other artifacts from the LEAPPs. Looks like there were some other artifacts added, so iLEAPP added, I don't even know how to say that. Is it Zangie chats?

Speaker 1 (46:48):
I'm going to dictate. It's going to be Zangie, yes, Zangie chats.

Speaker 3 (46:54):
Yes, all right. So if you're seeing that application in your iPhones, there's a parser now written for that by Matt Beers, and Scott Koenig, from The Forensic Scooter, he has done some major, major updates to the Photos.sqlite parsers. So definitely check those out, because I mean there's a lot that he added. I don't even know how he does that either, where

(47:14):
he finds the time to write the parsers for that.

Speaker 1 (47:18):
It's a SQLite database that we've done before, and he has like 100 queries for it for different purposes, and some of these queries involve so many tables, good information, but the query itself could be like 100 lines of query, and I'm like, wow, yeah, I'm like, dude, I don't know how you do it. My eyes gloss over. It's like the Matrix, looking at that query.

Speaker 3 (47:39):
I'm happy with my little five-line ones. I'm starting with, I'm going to stick there for a little while. But also there's some additions to ALEAPP, so additional support for Wire Messenger and support for the Health Mate app, which includes accounts, tracking, location messages, contacts, measurements and devices. Yeah, no, that's a really good, you know, kind of

(48:01):
type of data to have available.

Speaker 1 (48:03):
Actually, I have, I just got this email a few hours ago. There's some other, you know, community developers or, you know, forensic examiners that want to contribute. We should be getting one for the Likey application, and it has a whole bunch of data in that application, like location, demographic data, message data, and it's kind of like an app.

(48:29):
This is kind of like a side note about when a popular app either closes by force or by mandate, users are going to migrate somewhere else. So where are they migrating? Right, and we do that because we want to make sure we have some visibility into where criminals can also move to, right. And TikTok recently, by law, either has to be sold or it has

(48:51):
to be closed here in the United States, so the millions of people that are there, they're going to move to what applications? We need to have visibility on that, and folks are already thinking, Lord, the next big thing is going to be X. We need to know how to parse it, so if something happens, we're able to provide that service to the community. So I'm happy that folks are thinking ahead that way.

Speaker 3 (49:07):
Yeah, so I'm gonna pop back. We're gonna do the update to Mushy too, so important, yeah. So, if you're not using Ian Whiffin's tool, Mushy, you should be. It's awesome, and he just released a new version. It's 2.7. I'm gonna actually share it on the screen. Hold on one second. Yeah, but there's some major updates, and what is?

Speaker 1 (49:30):
What's the concept of Mushy? What's the tool?

Speaker 3 (49:32):
So it's showing data structures, right. So we've talked about, like, Rabbit Hole before. It's got similar capabilities to that.

Speaker 1 (49:40):
It's an excellent file viewer. If you have some file formats and you don't have a viewer to kind of visualize them, Mushy is going to do that for you, so it's pretty neat.

Speaker 3 (49:49):
So did I put that up? I did put that up, okay, good. So yeah, this is a look. I brought a SEGB file in. It's a SEGB one, but one of the updates to Mushy is it now supports SEGB version two, and I don't think there's a ton of tools supporting SEGB version two.

Speaker 1 (50:09):
No, no, it's mostly outside of the forensic suites, yeah. It's gonna be mostly scripts or, you know, custom stuff. Yeah, so he updated the SEGB viewer.

Speaker 3 (50:22):
It's showing seconds and date filters, and then obviously the SEGB version 2 support. New splash screen, new icon. The interface has changed a little. The searching, in his description it says searching that actually works now, so I like that.

Speaker 1 (50:38):
It worked before; it works better.

Speaker 3 (50:41):
Yeah, it works better, exactly, exactly. And this must have been a feature request, but hold Shift and hover over protobuf values to see their original bytes. And it now supports ABX files.

Speaker 1 (50:53):
So a bunch of major, major updates to Mushy, and if you're doing Android forensics, you will come across ABX files, like guaranteed. So, yeah, and the tool is great, because what's the cost of the tool?

Speaker 3 (51:05):
The tool is free, which you can't beat.

Speaker 1 (51:09):
That, yeah, exactly. You can't go wrong if it's good and free, right, right.

Speaker 3 (51:11):
So yeah, I would definitely recommend downloading that new version and checking it out. I use it on the SEGB files, for the ones that aren't supported by, like, the commercial tools. I'll export them and get my quick look at them in Mushy.

Speaker 1 (51:26):
Oh, absolutely, I like the view. Absolutely. Imagine you're trying to use, there's nothing wrong with that one, I'm gonna say, but you have a big commercial tool and you want to see them, but the process might take hours, because you can't really limit it to the thing. Right, and you have to run the whole thing, whereas you can quickly go into the extraction, pull the files, use a viewer and determine, is this something that's worth me spending all

(51:47):
these hours of tool time? Exactly. And if not, then I can move to other priority items and then go back to this another time, right? So there's a really important purpose in being able to triage extractions or data sets with these file viewers.

Speaker 3 (52:01):
Yeah, definitely. So I think that can bring us to the meme of the week.

Speaker 1 (52:06):
Yes, wait, wait, wait, wait, wait, wait, wait, wait. You know what, you know what I'm doing, right? You know what we're doing. What are we doing?

Speaker 3 (52:15):
We're celebrating the middle of the week.
Oh, my gosh, oh you know what?

Speaker 1 (52:17):
I don't have the fireworks on this box, oh.

Speaker 3 (52:21):
We're streaming from my crappy

Speaker 1 (52:23):
Windows Boo Boo. Next time we're doing the Mac. Okay, I don't have fireworks, okay, sorry.

Speaker 3 (52:28):
I don't have fireworks. Okay, he's got fireworks over on his computer, so nobody can see them but me. Sorry, that's so sad.

Speaker 1 (52:34):
Okay. Well, we celebrated the meme of the week over here, okay. So what do we have?

Speaker 3 (52:37):
Let me go grab it.
Hold on one second.

Speaker 1 (52:41):
Maybe we should go with two.

Speaker 3 (52:42):
We'll go with two.
All right, all right.

Speaker 1 (52:45):
You're getting a bonus.

Speaker 3 (52:46):
We're going to do memes of the week, so let's, okay, hold on one second. I'm having technical difficulties, which happens almost every time I use the computer. There we go. So here is meme of the week, number one.

Speaker 1 (53:07):
Okay, so I'll do this when you do the next one.

Speaker 3 (53:08):
Okay, sounds good. Can you zoom it?

Speaker 1 (53:09):
All right. So this would be that, yeah, I got it. Yeah, so this is the BCFE experience, so the IACIS experience, right? It has been the hardest week of training of my life, and it's the hardest week of training so far, because IACIS is two weeks. So if the first week was hard, don't worry.

(53:30):
The second is coming, right, and it's tongue in cheek. It's hard, but hard in a good way, like, yeah, I'm tired, but my brain has grown a couple sizes, so it's a good time.

Speaker 3 (53:46):
Well, and related to the BCFE, we've also been here for two weeks doing the training, so we could use this meme for those purposes as well.

Speaker 1 (53:48):
That is true, we're also a little bit beat up too.

Speaker 3 (53:51):
Yeah, I might be ready for my own bed. Let me do our second meme of the week here. Let's see.

Speaker 1 (54:03):
After we see the meme, we have to address this question.

Speaker 3 (54:05):
Okay, yeah, definitely.

Speaker 1 (54:06):
Jason is saying that week one was definitely harder. I bet the BCFE team were doing the data runs.

Speaker 3 (54:11):
Oh yeah, definitely.

Speaker 1 (54:14):
Jason, confirm that. If you were doing the data runs on week one, that's the case, and that's true.

Speaker 3 (54:18):
That's the hardest week. All right.

Speaker 1 (54:20):
The second one.

Speaker 3 (54:21):
So, when it's 2 am and you are still working the case: I don't need sleep, I need answers. I'm pretty sure everybody can relate to that. I don't want to go to sleep, I want the answers.

Speaker 1 (54:33):
Well, the thing is that, you know, everybody's focused on the answer, right, and when I get the answers I talk. In the morning I go open the door to the investigative team. I got the answers. Guess what?

Speaker 3 (54:42):
They're all sleeping.

Speaker 1 (54:43):
Everybody went home.

Speaker 3 (54:44):
Yeah, they're all sleeping.

Speaker 1 (54:46):
I'm the only one there, so, but you know what it is, all right. Yeah, before we close, we have a comment there from a LinkedIn user: with the addition of VLEAPP to the LEAPPs, can we also expect a LEAPP for social media forensics? Oh well, let me give you an information that, so we have also, RLEAPP is for returns. Now, let's say it's a quick brief of it.

(55:09):
If you are able to do, like, a Google Takeout of your account, that means that you log in and you tell Google, Google, give me all my data, and you pull that out and you run it through the tool, RLEAPP, you'll get some results. On the other hand, if you're a law enforcement officer and have a search warrant and tell the provider, hey, give me that data, RLEAPP also parses a whole bunch of those.

(55:30):
We parse Kik, we parse Snapchat, we parse, not the full iCloud return, but it's a lot of it, a part of it, a big chunk of Google stuff, and we give you another view of the data that some tools either don't give you or, pretty much, the parser doesn't exist, like for Kik. I don't know of any return parser that exists, only

(55:52):
RLEAPP, right, so we got.

Speaker 3 (55:54):
We got that as well, so you can check that out. Well, and if you're specifically looking for social media forensics, there's social media related artifacts included in iLEAPP and ALEAPP for Androids and iPhones, and also, if you find a specific social media artifact that you want included in one of those, you can send it to anybody that's working on

(56:15):
the LEAPP projects, or try and figure out how it's all stored yourself and learn how to write a parser to include with those suites.

Speaker 1 (56:23):
Yeah, we have a class for that, but yeah, time has run out.

Speaker 3 (56:27):
What's up? Time has gone on. I guess time has run out, yeah, yeah.

Speaker 1 (56:30):
Well, thank you, everybody at home, people that were watching live, the folks that are listening as they're driving or doing about in their home. We appreciate you. Make sure you hit us up on LinkedIn, or the LinkedIn page, Digital Forensics Now podcast. Tell us about ideas for the show, tell us about questions, problems that you face in your examinations, and we'll try to

(56:51):
either answer it ourselves or bring somebody to talk about those concerns and make a community.

Speaker 3 (56:59):
Definitely All right, thank you.

Speaker 1 (57:00):
Thank you, everybody. Let me get the music on for saying goodbye, and we'll see each other in two weeks, yeah. All right, bye, bye. Outro music.