Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:18):
Hello and welcome to the Digital Forensics Now podcast. Here we go. Today is Thursday, June 13, 2024. My name is Alexis Brignoni and I'm accompanied by my co-host, the one that puts tech in Techno, the Digital
(00:38):
Forensics Tool Quality Assurance Doctor. The one and only Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. Hello, Heather.
Speaker 2 (00:56):
Hello.
Speaker 1 (00:58):
It's been quite a long time since we had a show.
Speaker 2 (01:01):
It has been. We've missed two in a row.
Speaker 1 (01:07):
We've been busy. We've been doing so many things. Uh, I want to thank the folks that are already, uh, showing up. Andrea, hi, I always see you in the communicator as well. I work, we were co-workers, but at a distance. Uh, Laurie is here and Jess is here. I know Bruno is going to be listening all the way from Argentina, so I appreciate you, man.
(01:27):
So tell me, tell me what's going on with you since last time you went to Techno.
Speaker 2 (01:33):
I did. First time at Techno. I was super impressed, so it was a great time. I met so many new people, saw a whole bunch of people that I haven't seen in a long time, or just communicate with online, right, you think you, you think you know all these people and then meet them in person, um, but the, the conference itself
(01:54):
was awesome. I went to every single presentation that I possibly could. Super bummed that I missed some of them, because you can't be in two places at once, right?
Speaker 1 (02:04):
You can't do that, are you sure?
Speaker 2 (02:06):
Yeah, I can't. Maybe you can.
Speaker 1 (02:09):
I worked the expectors to, apparently, but that's another story.
Speaker 2 (02:12):
I had to pick and choose which ones to go to, but it was really good. The vendors that put on presentations, they didn't gear the presentation to their tool. It was non-specific. A lot of the vendors did, um, artifacts and talked about topics that didn't solely rely on using their tools. Um, and then they talked about their tools at the end, so it
(02:35):
wasn't a sales pitch, which was so refreshing. You know that's, that's, that's good, because, yeah, I don't need.
Speaker 1 (02:41):
I don't need sales pitches, like we got those constantly already.
Speaker 2 (02:44):
Exactly. Some of the presentations were just outstanding and it was a great chance to ask all of your questions to the vendors without having to do a support ticket. That was like my favorite. But, they were like, okay, somebody else than Heather, please.
Speaker 1 (03:01):
They could actually ask a question, that's not her.
Speaker 2 (03:06):
But it was really, was really really good. I'm just gonna throw up some pictures from my, uh, my trip. Oh, look at that. I got to hang out with Jessica, who's in the chat, and Josh Hickman. And, um, there's my group up in the right hand corner from the New York State Police, and of course, the Phone Wizard hopped in our picture there.
Speaker 1 (03:23):
My man.
Speaker 2 (03:25):
Went and had a little gym session with Amy Moles from Arc Point. We got the photo op.
Speaker 1 (03:31):
Oh, that's awesome.
Speaker 2 (03:32):
Yeah, and Cesar, Cesar from.
Speaker 1 (03:34):
Hexordia as well, yeah.
Speaker 2 (03:36):
And then a couple of my coworkers there and then continued just meeting people that I had never met in person. Ronen from Cellebrite, I'd met him before, got to, got to catch up and, um, Adam from MSAB, met the, met the Forensic Scooter that does all your photos, the SQLite, the myth, the man, the legend right there. He's real, he's just as smart in person as
(04:00):
he is online, and Debbie Garner of course, and then, um, of course, was the voice of the IACIS podcast, um, and then I did a Python class while I was there, so documented that, I hope you made me proud, and then the last day we had a really late flight, so my co-workers and I got some beach time in, um, but
(04:23):
overall it was really awesome. Like so awesome that I've already booked one of the houseboats that Jessica Hyde was on this year. I booked one for next year, so it was that good. It was good. It was good. I'm going to hide, I'm going to hide.
Speaker 1 (04:38):
I'm going to hide in your suitcase.
Speaker 2 (04:39):
You're going to find a way and you're going, definitely.
Speaker 1 (04:42):
I've got to start saving now.
Speaker 2 (04:47):
Start saving because you're going. It was a really great time, yeah.
Speaker 1 (04:51):
That's awesome, man, and I think that's become one of the premier, correct me if I'm wrong, premier like digital forensic-specific kind of conferences, because, you know, sometimes they can mingle the whole incident response, but this seems to be really focused for examiners, right?
Speaker 2 (05:07):
Would you say that? Yeah, I would say so. Everything I went to was, um, I picked up all kinds of great, uh, information that I'm going to use at work every day, so I would say it was definitely geared toward examiners. Look, Kevin is saying that, that he needs to make it there next year.
Speaker 1 (05:19):
So it's yes, he does. Then I'm gonna make the extra effort, since I know Kevin's, so I can go too. So I'll start saving my pennies, like right away.
Speaker 2 (05:27):
You both have to, so yeah.
Speaker 1 (05:30):
That's awesome. Well, I'm going to tell you about what I did these last two, three weeks. Has it been four weeks? I don't even know.
Speaker 2 (05:36):
Let's count.
Speaker 1 (05:37):
Yeah, we missed two podcasts. All right, so that's about four weeks, so look, about four weeks.
Speaker 2 (05:46):
So look, Forensic, which is saying where is this and when? Yeah, tell us, where's Techno at? Yeah, I didn't even give the details of it. So this year was the, was the 25th anniversary and it's in Wilmington, North Carolina, and it's the first week of June, so it'll be the first week of June, uh, 2025 for next year, all right.
Speaker 1 (05:58):
Yeah, it's a good point. People need to know at least, at least where it is. Thanks for the secret. We sort of appreciate it. So I went to, and look. Since you have such a nice picture spread, I got to have mine too. So I went to beautiful Buenos Aires, actually first to Argentina, and then part of my trip was going to Buenos Aires
(06:24):
and for folks that, you know, everybody knows Buenos Aires, beautiful city, the capital of the country of Argentina, you see, here's the Obelisk, it's like the, like the main thoroughfare in the middle of the city. And when they won the, the soccer, you know, the world, the world championship, right, everybody went there and celebrated. It's a beautiful place. Here's how it looked during the day. It was cloudy that day, but from the hotel I was staying, and
(06:45):
I was there, too, with the embassy to teach folks from a couple of, you know, surrounding countries and Argentinians on digital forensics and some investigative techniques. So it was, it was such a great time. I was here teaching, doing some exercises. Shout out to Jess that helped me out with some logistics of the class, and Jessica Hyde, she's like awesome.
(07:05):
So her input was key for this class. Everybody loved it. So that's pretty good for the first week. I had also my trainee came with me, so she taught some blocks. I got some felicitaciones, which means congratulations. Thanks, my man. It was great and, you know, know, you would think, well, that's great, it couldn't get better.
(07:26):
Well, it actually got better because I was able to eat like a world-renowned pizza, Güerrín pizza. I mean it's like ridiculously delicious. This place has been founded in 1932, so if you go to Buenos Aires you gotta stop at this place multiple times. Like everything is like freshly made, it's fantastic.
(07:46):
So I enjoyed that. I know you're jealous.
Speaker 2 (07:48):
Yeah, very jealous. I had pizza in North Carolina, a piece of pizza. It wasn't quite the same as that, I bet.
Speaker 1 (07:55):
It wasn't. No, it wasn't, it was like ridiculously good, so I would say top one, like the best pizza I had, period. So yeah, and they said, you know, the churrasco in Argentina is crazy good. So I had some ojo de bife, which is like a real big, thick steak, and because if you're there, you got to have some of the Argentinian, you know, meats there.
(08:16):
So I also enjoyed that. It was fantastic. Now I'm on a diet. It's time to catch up. All right, I'm taking too long here. So then it got even. I'm sorry, Lori, but I love deep dish pizza specifically. You know Lou Malnati's is legit in Chicago. I'm a big Chicago fan, but this one, this one's a pretty good
(08:38):
hard competition, just saying. So, yes, I went to Mar del Plata, so that's on the coast, on the Atlantic coast, around four hour drive from Buenos Aires. So when my logo is there on the map I drove, I say I drove, I didn't, they drove me all the way down to the little red circles there in Mar del Plata, and I never, obviously never been
(08:59):
there, and it was ridiculously gorgeous. It's like a medium-sized city, beaches, the coast, such a laid-back atmosphere. You can see here a little statue that somebody put, we know who it was, an artist put it during the pandemic. People were like in a closed-in lockdown and he did it in the
(09:23):
middle of the night and nobody knew where it came from. So it was something that really brought, you know, joy to the city and figure out who it was. The city is rich in history. It's rich in architectural, you know, different arts and buildings and the rocks they use. They're really well known for the type of rocks they use to make the buildings. It's just honestly, I wanted to take the whole city and bring it with me.
Speaker 2 (09:44):
It looks nice.
Speaker 1 (09:46):
I learned how to drink mate, which, again, I haven't tried before, and now, I didn't put the picture here, but I was having some today. I actually, they gave me a mate cup with a bombilla, which is the straw-looking thing that you kind of use, and I was having some of that this morning. It's a big cultural thing. You know. Sharing mate with friends, close friends, it's, I don't know
(10:07):
how to explain it. It really brings people together in a way that is hard to explain and if you're not there, partaking of the tradition, right. So I was so, so lucky to do that. I was brought there to help out, not to help out, to collaborate and exchange with the FASTA University. It's a really well-known Catholic university in the
(10:28):
country but also in the city. The picture there, some of the folks that were nice to spend some time with me there. The gentleman on the far right is Bruno Constanzo. He is the InfoLab director and also one of the professors at the university. He collaborated with us in the LEAPPs programs, doing some testing for us, speeding the programs up.
(10:50):
He's done all sorts of things. Super smart guy. I hope that I'm like him when I grow up. So I appreciate him facilitating us being there with the local prosecutor's office and the embassy and all that, so a really nice guy. And then here I am. I'm there teaching a class and then talking to the criminal
(11:15):
justice students there, which was a nice surprise. I was expecting a few people, but then the whole room was full. It's awesome.
Speaker 2 (11:25):
Very cool, yeah.
Speaker 1 (11:29):
Bruno's saying that he hopes to be like me when I grow up. I don't know about that, man, and then, so yeah, so that was. It was great. It was such an experience of a lifetime for me and people were so warm and so happy to receive the information and also to share with me how they do things, and hopefully we can, you know, hopefully we will take some of that knowledge with the tooling
(11:51):
and, and different things that we do around the world, so that was super awesome. That's awesome.
Speaker 2 (11:56):
Those pictures are great.
Speaker 1 (11:57):
The beaches look beautiful. I need to come back at some point. We wish you should go back.
Speaker 2 (12:02):
It's great anyways. I'll go with you if you need somebody to help you teach something, or, or be your secretary, I really don't care. Yeah, yeah, you, you want to do, want to stay too.
Speaker 1 (12:12):
I was eating this pastry. It's like a croissant, it's not like. It's like they have a croissant, it's just that this croissant, the two edges kind of meet and they call it half moons, and I'm addicted to the stuff. I need to, to be away from it. They fill them with cream, they fill them with chocolate and all sorts of stuff, and they were feeding me that like every five, every five minutes, and I'm like no, no, no, no, no, no, no, no, no, no, no, no, no, no, no.
Speaker 2 (12:39):
So we wanted to mention too. This weekend is Father's Day, so happy Father's Day to all the fathers that are listening or out there.
Speaker 1 (12:49):
Thank you, I appreciate it. I'm one of those. No, and as you mentioned Father's Day, you know kids, they start making some art at school or daycare, whatever they are, and here's the one my kid did for me, my oldest. I'm like, what's that on my chin? He says, that's your beard. I'm like, I don't have a beard, but I found it funny because
(13:11):
kids are so perceptive. He says, here's his favorite thing to eat, and he puts a picture of me sitting with a little table. And I show you that picture. Right, right, Heather? Yes. Doesn't my table look like that little table?
Speaker 2 (13:25):
Yes, it's one of those little folding tables, folding tables to your recliner. He drew it perfectly well, he drew it exactly right, and yeah, one part.
Speaker 1 (13:34):
You know it's kind of sad, but it is what it is, right. He says when he comes to work, when he comes home from work, he likes to work on his computer. Yeah, so like when I come from work I keep working, and I'm a bit guilty of that, but in my defense, uh, weekends are, are for, for the kids, to play with them and take them out and do different things. I just found the, he is so good at riding
(13:54):
bikes, intriguing. So you're really good at riding bikes, huh? Oh, I mean he's impressed that I don't fall, I guess. Oh my, that's so cute. He always says I love you and I do. And if you're a parent and you say, you should say it more, that's, at the end of the day, that's what kids will remember. We won't remember all the expensive gifts.
(14:15):
They won't remember the trips. We will. We'll all been sons and we'll all been daughters, so we'll remember the love our parents gave us. So I'm trying to do as much as my mom and my dad did for me.
Speaker 2 (14:29):
So this week we have so much to talk about that it's going to spill into a couple weeks' worth of chats. But so there's some updates to Rabbit Hole. We've talked about Rabbit Hole on the show before. That is CCL Solutions Group's tool app by Alex Caithness. There's added SegB, so you can parse the SegBs in Rabbit Hole
(14:54):
now. He added hex viewer enhancements. And then the big new feature for Rabbit Hole is called runs. So the runs are a way to define a sequence of operations that you performed and set filters, and it'll automate it for future purposes. Instead of having to redo what you've done over and over again
(15:15):
or writing a line of code, Rabbit Hole will take care of that for you in a saved run feature.
Speaker 1 (15:21):
So, like you, point it towards the data set and it does whatever it does and pulls everything out. I guess, right?
Speaker 2 (15:27):
Well, you do your process the first time, but you use the runs feature to kind of like, I guess, for lack of better terms, save it or preset what those filters are going to be to pull that data out of the same type of data store in the future.
Speaker 1 (15:41):
Gotcha, gotcha.
Speaker 2 (15:42):
So it automates your process.
Speaker 1 (15:44):
That's awesome. And if you're a new listener, you're like, what's SegB? Those are in Mac devices, I mean Apple devices, iOS, iPads, and they have a whole bunch of pattern of life information there, and I think we talked about it in the past in other episodes, and this is what you're describing is so powerful because then, instead of having to go kind of by hand every
(16:04):
single time, if you have, like you said, that run set, you can point it at whatever you need and boom, it's out. It saves you so much time for that validation, so that's awesome.
Speaker 2 (16:16):
If you want to see it like, I guess, a demo of what I'm talking about, if you go to their web page, Alex has done a demo of those new features, so I'll put the link in the show notes so everybody can get to that video. But also with CCL Solutions there's a new cheat sheet, a new blog and cheat sheet. It's about SQLite files and the journal and WAL files.
(16:40):
You can find that on their website and then I'm just going to throw the cheat sheet up here real quick. Here we go, let me take that down. So this is the cheat sheet that's available on their website and it just talks to you about the SQLite database and how the journal files and the write-ahead logs work with
(17:00):
SQLite databases. Great, little resource.
Speaker 1 (17:04):
Yeah, and it's always good to have that on hand. I've been teaching SQLite, I mean, for years now, and it's a skill set that's always, always needed. You got new people coming in and even though SQLite, I've been predicting it's going to be on the outs, it still hangs on and it still shows everywhere. So it's worthwhile to understand the differences
(17:24):
between the WAL files, the journal files and how can you recover stuff from it and all that.
Speaker 2 (17:30):
Yeah, and how they operate. Because I mean when I first started looking at SQLite databases, I didn't understand that, and having a cheat sheet like this is just so helpful, especially if you're newer and a beginner with SQLite databases.
Speaker 1 (17:43):
Absolutely, or instructors, you can hand those out.
Speaker 2 (17:45):
Yeah, definitely. Well, I've already put it in our resources material for next year's IACIS. So it's there.
Speaker 1 (17:53):
Christian from LinkedIn is saying, I thought you said cheeky instead of cheat. No, no, no, cheat sheet, not cheeky. It could be a cheeky cheat sheet, but no. Cheeky cheat sheet.
Speaker 2 (18:02):
It's just a cheat sheet, my man, so yeah. So check that out. Um, the links will be in the show notes at the end of, of tonight's awesomeness. Good stuff. So Copilot and Recall. And then the applications, the, the forensic applications of
(18:23):
Microsoft Recall. I'll let you start talking about that one.
Speaker 1 (18:26):
Yeah, so it's interesting because I linked it and I put a link to an article written by Kevin Beaumont, I don't know how to pronounce it. He's a really well-known researcher. I think he's from the UK, but super well-known. He actually worked at Microsoft a little bit. He does all sorts of intrusion, response research, right, and
(18:50):
he came and he did an article analyzing this Recall function. And, for those who haven't heard, what Microsoft was planning, or kind of planned and did, was create this functionality in Windows that it takes screenshots of everything you're doing, OCRs on the screen, keeps the screenshot, and that OCR data dumps it in a SQLite database. The idea behind it is to be like, well, what was I doing an
(19:12):
hour ago or a second ago, or three days ago, a year ago? The Nadella, is it Satya Nadella? I think it's his name. There's a CEO for Microsoft. He's saying that, describe it as a photographic memory of your computer, which, I'll be honest, I don't know about you, but I'm thinking that's something anybody asked for. Yeah, that's right. Do I need a photographic memory on my computer?
Speaker 2 (19:35):
I mean, I'm always deleting stuff. Yeah, exactly.
Speaker 1 (19:39):
I mean, you know, I understand having backups of certain things, but do I want it to remember every single thing that it does? And the point that the researcher was making in the article is that computers in general, and also in specific Microsoft, they're known to be intruded with some frequency. So imagine some bad actor getting into the computer and
(20:01):
then pulling that database out, which at that point happened to be not encrypted, in the clear, that you could just see everything there, right. So it became a little privacy nightmare and I put that link in a little comments. I commented on my LinkedIn that I predict Microsoft's going to backtrack, either eliminate it or change it quickly.
(20:23):
And it was true. It's been the most viewed LinkedIn post that I had ever, because people are really interested in this stuff, how that Recall thing works or is supposed to work, right.
Speaker 2 (20:36):
So you have to opt into it now, correct?
Speaker 1 (20:38):
So, yeah, so some of the things they did to kind of alleviate those concerns, because people were going crazy, yeah, crazy. I'm being kind in the description of how people are about it. They're saying they're going to encrypt the database. You have to opt in, like, yeah, I want this feature to be enabled. Before it was enabled by default. So no, you have to be opting into it, it's encrypted.
(20:59):
So people are saying, I'm going to go, this is going to be, this year is going to be the Linux of, well, the year of Linux because of this. They're like, no, I won't. But yeah, Kevin is saying, yeah, they're encrypting the database too. That's right. And again, that brings an interesting point of where the market is heading, right.
(21:20):
They put this feature that has all this data that's kept there and people didn't want it, and the big issue wasn't so much that it was remembering, it was that it was not encrypted. No attention into privacy. You know what I mean. So, yeah, I don't know. I mean, what do you think about that?
Speaker 2 (21:41):
So yeah, I would never opt in for that. I'll be curious to see if people do opt into it, if it ever shows up in one of our forensic investigations. I mean, I'm sure somebody out there is going to. I would not. And I wonder if, like in the future, um, if they're gonna kind of change it so you save only the data you want to save,
(22:01):
kind of like backing up to the cloud, like you choose which, which data you want to back up.
Speaker 1 (22:05):
I don't know, yeah, yeah, again, I think the, I mean, this is my, I mean I don't know. I don't know nothing about Microsoft or any other companies, but my thought process is some of that stuff they're saying, yeah, it's going to recall for you, but I see it from my perspective as another data source for them to feed their AIs. You, you know what I mean. And even if it's a local hosted AI, it needs a lot of data to
(22:28):
kind of predict what you're going to do and interact with you. And I'm pretty, I say pretty sure, I don't know anything, but I think that that might be one of the reasons where you have these big data sets that they can feed off to build the product. I mean, is it going to be sent to Microsoft home in some anonymized fashion? I don't know.
(22:48):
And again, people, don't take this as gospel. I'm just saying what I think might be the underlying reason. I have no evidence for it, I didn't read it anywhere, and I'm just saying that because I'm seeing a lot of companies kind of like thinking, where are we going to get our data to feed our AIs? Because now everything has an AI. I made a meme of a guy.
(23:08):
It was Tom Cruise, not Tom Cruise, it was the guy from Titanic, Leonardo DiCaprio. Leonardo DiCaprio saying, sell me this pen. And the guy takes the pen and says it has AI and deepfake, deepfake, yeah, recognizing software or whatever. Right, that's where the market is heading and they need those
(23:33):
data sources. That being said, I believe that people are also moving in the opposite direction in regards to how they're providing that information right now. The Wolf of Wall Street, yeah, that's where the clip is from. Thanks, Kevin, that's the clip from the Wolf of Wall Street. Sell me this pen. It has AI and deepfake recognition. Yeah, people are moving away from that.
(23:53):
People really put a lot of resistance for non-encrypted always-on recording program, whatever, and they're not the only ones. For example, we talk about sometime about Google locations or, well, not locations, Google Maps, how it kept your locations, and now it's changing completely.
Speaker 2 (24:13):
Yeah, we kind of mentioned this on a previous episode, but now it's implemented, correct?
Speaker 1 (24:19):
Yeah, yeah, I think. Yeah. I don't know if you've seen on your phone, or at least on mine. It gave me an alert about the changes and I took some screenshots that I shared in LinkedIn.
Speaker 2 (24:28):
Which are right here.
Speaker 1 (24:30):
Yeah, they look at you, always prepared.
Speaker 2 (24:32):
I went and stole them off your LinkedIn, so it kind of just shows you the different settings, the timeline settings for the Google Maps inside of the account and what types of changes are going to be made. I think, right, so the data is saved locally.
Speaker 1 (24:48):
Yes, yes.
Speaker 2 (24:49):
And if the data is backed up, it'll be encrypted, and then for Google to see the data the user has to opt in.
Speaker 1 (24:57):
Yes, yeah, and even if you opt in, there's some timeframes. You have to do an extra opt-in to be like, yeah, I want it to be forever, or, you know, deleted in X amount of hours or X amount of days, right. It's in, you know now, you know, this just being real here with everybody. I mean, our audience is mostly folks that do this in the
(25:17):
private sector, invest, investigation in private sector, or playing, you know, public servants doing this for criminal investigations. And this is going to be a problem for lawful extraction or obtain data lawfully, right, definitely, because now that's the point I was making, these companies are moving.
(25:38):
The companies are moving this way because that's what the users want. They want their data to be invisible, even to the people holding it. So the companies are saying, yeah, I have the data, police officer. Here you go, it's encrypted blob and we don't have the password. Good luck, right, yeah, and that's going to be a hindrance in that sense, which to me means that we should start thinking
(26:02):
of going back to basics, those traditional investigative techniques, bringing them back to life again, and then also try to be creative in regards to how we do stuff. I heard folks saying, well, we need legislation about it. Is that going to be a thing? I don't see. I mean, I'm opining right as another citizen. I got no inside information of anything, but I don't see any
(26:23):
appetite in Congress to tell companies to, to not do these things, and that's what the public wants and that's where we, that's what we're moving towards, period.
Speaker 2 (26:32):
Yeah.
Speaker 1 (26:33):
I mean, I think, I think you're right.
Speaker 2 (26:36):
I definitely think you're right. I think all kinds of providers are going to start storing the data this way, and you're right. The search warrant is not, no longer going to be as helpful to the service provider.
Speaker 1 (26:47):
Yeah, yeah, they will have to be. How can I say this? A lot of it's easy, and I'll be straight with everybody. It's easy to go and tell me, hey, examiner, just get this stuff from the phone, tell me when you're done. Another thing is that agent or that person to actually do the groundwork. What's the word I'm looking for? I heard an expression of like when your sole of your foot or
(27:11):
your shoe gets all kind of like used. You walk so much. I don't know the expression, but I'll find it later.
Speaker 2 (27:19):
Yeah, that's fine. Somebody will throw it into the comments, somebody will throw it.
Speaker 1 (27:22):
You have to go out and really do that. Walk and burn out that sole of your foot, doing some investigative work that requires you to be out and about. You know what I mean. Just telling me, here's the phone and good luck, it's not going to help the victims or bring justice. We have to do more, and that goes back to those. Wear the soles of your shoes.
(27:42):
Thanks, yeah, we have to do that work even more. So we have this sometimes unhealthy dependence on technological sources of data. You know, computers, cell phones, stuff like that, and that's not enough. We've been watching, and we're not going to comment on this trial that we're watching.
(28:03):
I was watching this trial on Court TV, and detailed data has meaning on its own, but even more powerful when there's some corroborating surrounding pieces of evidence. Just because you have a video recording, the video recording has to give you all angles. So that means you need to go further and get eyewitness
(28:24):
testimony and get some physical measurements of things that happen to be able to build or corroborate some of that stuff. So there's just a lot of work to be done and we need to think that way, I think.
Speaker 2 (28:36):
Yeah, definitely.
Speaker 1 (28:37):
Look here, Christian is saying Rob Abrams told him to firm it up. Right, yeah, you've got to firm some of that stuff up, and sometimes, if it's not accessible via, you know, digital means, you have to then think about how you're going to get to it some other way. Yeah, definitely.
Speaker 2 (28:57):
Um, so before we went away for a couple of weeks, I posted, uh, a post asking what topics listeners want to discuss or want to hear about, and we're going to just take one of our listener requested topics and talk a little bit about that. So, Jeremy McBroom, who is awesome, I got to meet him at Techno.
(29:17):
He's a student and he's going to be a rising star in the digital forensics world. I'm 100% sure of it. His question was past casework that changed your perception of looking at digital evidence or impacted how you conduct your examinations. So he wanted to know, wanted us to discuss that as a topic.
(29:38):
I thought about this question and I have to say, so, when I first started my job at the lab, I was immediately overwhelmed by the knowledge that I did not have. I had no idea what people were talking about. When I would stand in a group of coworkers, I would have to go Google the different terms they were using, and I actually
(29:59):
called my mother, I think the first or second week of starting my job, and said, I have to quit this. This is not for me. So glad I stayed.
Speaker 1 (30:11):
I believe you, but knowing you, it's so hard to believe, you know, so it's just so proficient, so proficient in what you do, that it's really hard to believe, honestly.
Speaker 2 (30:22):
Oh, it was bad, I wanted out. I'm like, I have no idea what I'm doing, like I'm a fish out of water here. I have no idea what I'm doing. So, with all of that said, I think there are some cases that changed my perception on not just looking at the digital evidence but making me want to stay at the job at the time. One of my very first cases, it was a really horrible CSAM, so a child sexual abuse material case, and it resulted in a 360
(30:48):
year sentence for the defendant. So to know that I was part of that definitely made me value the weight of the digital evidence and my part in that, how I was able to help.
Speaker 1 (31:00):
Absolutely.
Speaker 2 (31:02):
And then my perception of looking at digital evidence.
There's several cases over the course of my time at the lab that have changed my perception of how I look at digital evidence.
I would always just look for the evidence to begin with, because I really didn't know what I was doing at first, right, so an example of that is a CSAM case.
(31:23):
I might just be looking for pictures and videos, but you have to look for the supportive evidence that goes along with those pictures and videos.
And I think conferences with prosecutors and testifying really helped change my perception, because I would provide them with what I thought was the evidence and then they'd ask me a question about that evidence that I couldn't
(31:45):
answer.
The answer was most likely in the data that I had extracted, but I hadn't thought of that, I guess for lack of better terms there.
One specific case is a homicide case I was working on.
I had an artifact that showed the defendant had turned the
(32:05):
phone off and I showed that, that they turned the phone off during the time of this homicide and the question was, well, how do you know that the battery didn't just die?
And I think I've given this example on the podcast before, but sitting there, when I was asked that question, I didn't know that the battery didn't just die.
I had evidence that pointed toward it being turned off.
But the evidence in that data showing that the battery didn't
(32:27):
just die and that the device owner had been charging it for a couple of hours prior to it being turned off, it was there.
So I think going into these cases and having conversations with people who are involved has really changed my perception of looking at digital evidence and how I conduct the examinations.
Speaker 1 (32:50):
Oh, don't you.
I mean that's, that's, that's some point.
And I love when you tell that story about, about the dead battery, because it's just not, it's just not.
The artifact is what is the meaning in context, in the real world, of the artifact and, and sometimes we're, we're kind of used to being, you know, oh, these artifacts, five things were bookmarked or tagged from the case.
And here you go, here's a one-pager report.
(33:10):
How does that connect with the theory of the case? And I know we do a lot of cases, like we examiners in general, but we can be divorced from the main articles or artifacts of the case and how that provides light into that theory of the case.
So I agree 100% with you and for me I'm going to come from
(33:32):
another angle.
Actually, yesterday was the eighth year anniversary, I believe, of the Pulse shooting in Orlando, which was a pretty traumatic day for the office, significant day personally.
I was woken up at, what was it, 4 o'clock in the morning and telling me to suit up, that they needed me right away, and I was half asleep trying to figure
(33:54):
out what was happening.
I started racing to respond to the shooting and the thing that changed my perspective from that experience. I'm not going to give any details on the experience, but it's the importance of you, examiner, that are listening to convey to your stakeholders what's important at a particular
(34:16):
time, especially if it's urgent.
Everybody has things to do, everybody has things they need to accomplish, but when we talk about digital evidence being volatile, it is, and it's even more so in challenging environments.
I'm trying to say a lot without saying much.
Hopefully, you folks can get the vibe of what I'm trying to
(34:38):
get at and you might find yourself like I was, and you know I'm at the bottom of the totem pole.
I'm just another dude that works, right.
I'm not a supervisor, I'm not a nobody.
And sometimes you have to be, look, knock on that door and talk to the person running the thing and say look, sir, sorry to bother you, or, ma'am, I need some important information for
(34:59):
you.
This is what I do and this is the things that need to happen for these particular things that you need, and we need to act on it now, and it takes a little bit of bravery from, or just plain, um, zeal for the work that we do to do that, and it changed my perspective.
Um, sometimes you have to speak out and you have to.
You have to do what you have to do.
(35:19):
Um, not, they won't always listen to you.
Thankfully, at least from my perspective, I was listened to and, and we move forward.
But even if they don't, you have to speak out.
It's not on you to take the decision, but it's on you to tell the people that will make the decision, give them the proper information they need to make the decisions, whatever that decision is.
For that, that changed my perspective a lot in how I
(35:42):
communicate and things at particular moments.
So hopefully that makes sense.
Speaker 2 (35:49):
It does.
Christian says the examiner's mind is even more volatile, or the first responders for that matter.
I couldn't agree more.
I think everyone's capabilities and perception evolve the more training and experience that they gain.
You're going to change and improve with each case you work on.
Speaker 1 (36:06):
Absolutely. Talking about improvement.
I now have to show this.
So you know you improve so much and Scott is absolutely right.
He says that now you're famous and you are.
People were lining up at Techno to meet you and you know it's true.
Oh, my God, you know it's true.
Speaker 2 (36:24):
Everybody was saying the same thing to Scott, the forensic scooter.
You know, it's true.
Speaker 1 (36:35):
Oh my God, it's the forensic scooter, so he can say that, but he, uh, he was getting just as many comments.
Um, look, folks are listening.
This community, and everybody that's listening knows it's pretty small, it's smallish and, uh, we're all colleagues and we rub, you know.
Oh, you're famous.
The community is so small that everybody's famous because we all know each other.
Yes, yeah, so yeah, I mean, you know, it's a great place to be.
(36:56):
I couldn't be any more lucky to do what we do, so. Definitely so.
Speaker 2 (37:01):
Speaking of Jeremy McBroom, who I saw is in the chats, we wanted to talk a little bit.
He has a blog now, so it is called Yeah I Have a Question and it's at yeah I have a question dot com, and he says on his page that he entered the forensics world and found that he had a lot of questions.
So there's so much to learn and even though he will never learn
(37:24):
it all, he wanted to share what he does learn, so he has a beginner-friendly blog.
Last time I looked there were like 10 entries, with a whole bunch of them being about Windows forensic examinations, and he just recently did a write-up on his time at Techno.
So check it out because it's awesome and I can't wait to see
(37:44):
his research evolve.
Speaker 1 (37:47):
I love the Socratic name of the blog.
I have a question.
I love the name and look, Kevin's going to put it on his blog roll on his Start Me page.
Speaker 2 (37:59):
Very good.
Speaker 1 (38:00):
And we talked about Kevin's Start Me page before, so we should put it back on the notes so people can have it.
It's a great resource.
Speaker 2 (38:09):
Definitely.
If you don't know what we're talking about, it's the Forensics Start Me page and it has literally everything you can think of, links to everything you can think of.
Speaker 1 (38:18):
All the resources are there.
Speaker 2 (38:20):
Mm-hmm.
All right, so the next topic, analysis of browser artifacts from file sharing services.
The blog that we're going to highlight is probably about six months old, but it has some really, really good artifacts in it, especially if you're working CSAM cases, because it's file
(38:41):
sharing services and they share their files.
So I'm going to throw up, share my screen here.
There we go, I might be getting better, a little better at sharing my screen.
Speaker 1 (38:56):
Oh, you're being flawless this whole episode.
Knock on wood, keep it up.
Speaker 2 (39:00):
No, now I'm bound to screw something up.
Speaker 1 (39:02):
Yeah, it's going to freeze or something.
Speaker 2 (39:05):
I'll put the link in the show notes, but this is a paper focused on web browser artifacts created from file sharing services like Google Drive, Dropbox, Mega and then the cloud.mail.ru, which is a Russian mail site.
It has where the artifacts are located, how they can be interpreted forensically and how they can be used in your
(39:27):
investigation.
It's a really great resource.
Speaker 1 (39:31):
Yeah, it reminds me of Mattia Epifani from SANS.
He has something similar, but for Android and iOS.
It's kind of a similar format where you have the app and the different things the app has and where they're located, which I use constantly, and this one is also, I'm adding it to my collection of use-all-the-time sheets.
Speaker 2 (39:54):
Yeah, definitely, and announced today by Alex Caithness of CCL Solutions.
There are some parsers for these artifacts built upon the open source project Chromium, and he has some parsers on the CCL Solutions GitHub and they were recently updated.
He posted like five hours ago or something, that these scripts
(40:16):
were recently updated.
So if you are looking at these artifacts, go check out the scripts and parsers.
Speaker 1 (40:23):
Yeah, and let me give folks a little bit of a technical background on that.
If you're not familiar with LevelDB databases in Chrome, or not only Chrome, any type of browser, you have to really check those out.
By the way, Alex is on the chat.
Yeah, I see him.
Let's see what he's saying.
Can you put it on screen?
Speaker 2 (40:41):
Oh yeah, so that browser artifact paper was based on CCL research.
I believe there's a more detailed paper if you know who to ask.
Speaker 1 (40:50):
Ah, we don't want to ask.
Speaker 2 (40:52):
I think we do, and then we have a little, a little hint, yeah.
Speaker 1 (40:58):
You know, we have almost the same name, so hopefully that, that will give us an in into that paper.
Speaker 2 (41:03):
Yeah, I think so.
Speaker 1 (41:05):
No, but, like Alex was saying, there's some LevelDBs in these browsers that contain a lot of information that you're not going to get otherwise, and there's a lot of different structures within browsers that regular third-party tools scratch the surface on.
So you need to really dig in, and this research paper and the tooling, the Python scripts that go with it, invaluable resource.
(41:27):
So check them out. Yeah, definitely so.
Speaker 2 (41:31):
I have not talked about a paid tool in quite some time, but I recently had a chance to demo and try out VFC from the company MD5.
So they're a company that is out of the UK and they provide digital forensic and e-discovery services, but they also have
(41:53):
this tool called VFC.
So VFC Mount, which is able to mount images for you, is a free tool.
And then they have VFC Lab.
So the VFC Lab has a whole bunch of features.
I'm probably not even going to hit half of them, but they have a password bypass tool.
They have a standalone VM.
(42:14):
You can launch your mounted image into a virtual machine.
They have the capability to inject files, so it allows you to inject third-party analysis software into the VM.
While VFC is generating the VM, there's triage tools inside that will pull out recently accessed files, recent apps,
(42:37):
recent URLs, installed applications, documents, Windows history and more, and I was able to try out the virtual machine, so I have some slides here just to show you what the tool looks like and its capabilities.
So this here is the VFC Mount, which is the free tool that you
(43:01):
can use to mount images.
Speaker 1 (43:04):
And images like E01 type of images, stuff like that, right?
Yes, exactly.
Speaker 2 (43:10):
So I mounted an image and then was able to go in and choose the partition, right.
So I'll choose the partition where the user data is and the tool will analyze that and, once it does, you have the option to launch the E01 into a virtual machine.
So there's our little buttons, launch later, launch now, and it
(43:34):
launches right into a virtual machine.
But the cool thing about this was that it bypassed the passcode.
For me, it was able to utilize the software to bypass the password and then, when I relaunched, I was into the actual user's desktop.
I don't know what the password was to this, but it enabled me
(44:01):
the capability to just put in any password and launch into the user's computer.
Speaker 1 (44:08):
Yeah, I mean the technique is not new, right?
You just go to the registry and you blank it out or name it what you want.
So it's a super old technique.
But I like the automation and we've seen other tools.
Like Christian was saying in the chat, I was reading that EnCase used to do that.
I think also some folks in the chat, Arsenal Image Mounter does
(44:29):
it as well.
So this is another tool kind of within that space.
So I'm really glad to see the space, you know, kind of competing, different companies competing in the space to make sure that we get the best product for our cases.
Mounting images this way to visualize the environment as the users had it, incredible tool when you're preparing exhibits
(44:53):
for trial or whatever it is.
Speaker 2 (44:56):
Yeah, we previously, so I'm showing this tool today.
We previously did do a demo of Arsenal as well, which has similar capabilities.
So check that out as well and then go out and try them.
Ask for a demo, see which tool you like better, um, see if your agency will buy it for you.
Speaker 1 (45:12):
But this, this tool was great. No, absolutely great point, um, and folks are continuing to evolve these tools and, and we'll, we're the beneficiaries, so that's, that's awesomeness. Um, one other thing that I will mention too, is they, uh, a portable version of the VFC, so you can take it out in the field with you.
Speaker 2 (45:33):
If you're out in the field trying to examine, there's a portable.
Speaker 1 (45:38):
Like you run it without installing, like kind of portable like that.
Speaker 2 (45:42):
Yeah, on scene.
So it's the same functionality as the VFC Lab, but it has added features to make you be able to use it in the field.
Speaker 1 (45:53):
Okay, it'll be interesting to research what those are.
Yeah, absolutely.
Speaker 2 (45:55):
Yeah, that I didn't demo, so maybe a future demo.
Speaker 1 (45:58):
No, no, no, absolutely, absolutely.
Oh, good stuff, I like it, I like it.
Speaker 2 (46:03):
Yeah, definitely, yeah, definitely.
Another person that I not met, because I've met him before, but got to see at Techno, is Damien Attoe.
So he's the director of professional services at Spyder Forensics and he has just started a SQLite free list page
(46:25):
checker that he's hosting on the Spyder Forensics GitHub.
So there's some Python scripts and it will iterate through the free list trunk pages and identify all of the free list leaf pages in a SQLite database.
So I'm going to show you actually how that works.
Speaker 1 (46:43):
And those who don't know, Damien, he teaches courses at IACIS as well on databases and different data storage structures, so he has a really good class.
I think he does it under, obviously, the company Spyder Forensics, but they are offered at IACIS and that's where I met him.
He had me speak at his class quickly about a few short topics, so really nice guy.
Speaker 2 (47:05):
Nice.
So let me share my screen here.
Okay, so his scripts use Python, so Python and then, um, I'm going to just show first the SQLite header parser.
So if you're not familiar with the SQLite header, there's a ton of data inside of the SQLite header that gives you
(47:26):
information about the SQLite database.
It'll give you the page size.
It'll give you whether vacuuming is turned on or off.
It tells you if it's utilizing a journal file or a WAL file, and he has automated the process of pulling this data out of the database.
(47:47):
So this is what it will look like.
You can also output it to a CSV, which would be great for your investigations or reports.
But if you look here on my screen, we can see that the page size is 4096, that it's utilizing, this is the address
(48:07):
book SQLite from an iOS.
It's utilizing the write ahead log in this particular database, I believe.
So auto vacuum is not on.
But he also has, in this script over on the right-hand side, an
(48:33):
examiner tip.
So it'll tell you information about these different, I guess, different things that are stored inside of the SQLite header.
So like this one, auto vacuum.
So it tells you, if auto vacuum is enabled, there will be no, no free pages.
So it just gives you little clues as to what you're looking at, and I am going to run the next one here.
(48:59):
This is the free list pages script.
Oops, I forgot something, so you had to go say I wasn't going to screw anything up.
Speaker 1 (49:11):
You're just missing one argument.
You have an equal before the argument.
Take it out.
Yeah, just a little argument, that's it.
Speaker 2 (49:16):
There we go.
So in this particular database there are five free list pages and it gives you the page number, the file offset that you can find those free list pages, the page type, the allocated cells, and it tells you, it does an unallocated check.
So it'll tell you if that page has non-zero values located
(49:39):
within the page, unallocated space.
Speaker 1 (49:42):
I like that.
I mean hopefully, yeah, hopefully, he builds, he goes to the next step and then says and we pulled out the content of that note or whatever it is, you know.
Speaker 2 (49:53):
I think he's planning on expanding these scripts.
According to him, when we were at Techno, he's planning on expanding his work on these.
Speaker 1 (50:02):
No, that's super useful.
I like the detail because a lot of the recovery tools, even open source ones, they just pull the stuff out and the traceback is hard.
This type of traceback is easy and, the folks that are just listening, we have on the screen a nice little table with every little column explaining what it is.
So if you pair that with the actual data being pulled out,
(50:23):
gold, gold.
Speaker 2 (50:24):
Yeah, and then there's a third.
It's the page info, so let me just hit that one.
Just scroll back up here.
Speaker 1 (50:42):
It will give you the page number, file offset, page flag and page type for the pages.
Yeah, some of that stuff is good informational stuff.
Obviously, you know, if things are where they need to be, then you, then you'll see it in a database, right, when you run a query.
But I'm really interested in the recovery aspect of, of these databases.
Um, so any tool that gives that detail and then actually does some recovery, it's stuff that I'm always happy to, to have.
(51:04):
So good job, good job on Damien to start putting that content out, that tool out.
Speaker 2 (51:08):
Thank you.
I'll put the link to his GitHub page in the show notes.
Speaker 1 (51:15):
Heck yeah Good stuff.
Speaker 2 (51:16):
Yeah, so we are at What's New with the Leaps.
Speaker 1 (51:22):
There's always something new.
Folks.
Folks come to me. While I was out in Mar del Plata in Argentina.
My God, some data, that about an Audi app in your phone, in the iOS device, and it's pretty neat because it has some JSON data about the trips the vehicle has done, which is amazing.
(51:43):
You don't think. You don't think about maybe the phone, I'm sorry, the vehicle putting data in your phone.
We actually think about, well, we connect our phone to the car and then it sucks in my data into the car infotainment system that then later can be recovered.
But this is the opposite, right, the phone is sucking in information from the vehicle and it has the trip, how the trip,
(52:08):
how long, how many miles, the speed, a bunch of stuff.
So it's all JSON data, so it's not hard to parse.
So I did a couple of parsers for that.
So that's in there, in iLEAP.
Now, if you have an Audi, you know, app for your career car, pretty cool.
And then Forensic Scooter, again he's up.
But in, during those times he added some of those, more of the Photos.sqlite queries, and we're working on optimizing some of those, I mean some of these.
It's kind of tough because some of these queries are humongous and the question is, well, do I put them in memory?
It's not a discussion I was having with, or not a discussion, a conversation I was having with Bruno, the engineer up in Argentina.
How do we optimize that?
Well, the first option is put it all in memory.
(52:49):
But some of these queries are huge, like huge.
So if you want to put a query that's supposed to be a couple of gigs, then what, right?
If you don't have enough memory or using a computer that's not the best, because let's be real here, we don't all have Talinos in our labs, and we wish, or a BitMind's computer.
(53:11):
I don't want to be, I'm open to any of those.
So then what?
So we're discussing how to make that fast.
So some of these queries are going to not be enabled by default in the tooling.
So folks need to look at Forensic Scooter's blog where he explains each query, what it does.
(53:32):
And then my suggestion is, if you need to do some deep analysis on the Photos.sqlite database for your cases, go look at his blog and you can pick out which queries are more suited for your investigation and you can run those.
Now, if you have all the time in the world, then you know, just run them all and just wait.
If you have enough time in the world, who cares, wait.
(53:52):
So it all depends.
A quick note, Laurie is saying has anyone researched and tested the MyChevrolet app?
I haven't, but if you have a Chevy and you can put the app on it and create some test data and send it my way, I'll be happy to give it a look and, if not, use somebody.
Yeah, Bruno's saying get more computers and more RAM.
(54:12):
So that would be the ideal issue.
He's joking.
Obviously it's not always possible, but yeah, so we're going to try to work on finding ways of speeding that process in tooling.
And for the coders out there, when I started coding almost 20
(54:32):
years ago or more, we were taught to be efficient with our code.
Nowadays, systems are so powerful that code is sloppy because we're going to compensate on the back end with a fast processor and a lot of memory, and that's not always.
That shouldn't be, that's not the way.
So we're working on that.
(54:53):
Anyways, I digress, we also worked on putting the.
So we have in the Leaps, all of them, they produce a SQLite database with a timeline.
So any artifact that?
Oh, I had to stop here.
Speaker 2 (55:07):
Scott says yes, sorry they're so long.
At least you're the one doing it.
Speaker 1 (55:15):
Yeah, no, I mean, Scott, we need those to be that long.
I'd rather have more than less.
Speaker 2 (55:19):
Definitely.
Speaker 1 (55:21):
So it's all good.
Yeah, so we have a SQL database that keeps every artifact that has a timestamp, is going to be dumped in this database, and before I did some quick crappy job of the data, I kinda put in some kinda delimited crappy field.
Now it's actual JSON.
So if you wanna pull stuff out from the SQL database, the fields are JSON, so you can actually kind of automate some
(55:44):
of that work from that database.
If you want to use it as a source to make a secondary report, right, most people are not going to, but the option's there.
So we added that.
I added today, before I head over here for the show, a whole bunch of updated Snapchat parsers for search warrant returns.
(56:04):
Okay, they changed the format.
Format.
What they're doing now is, and I hate it, it's kind of confusing.
They put like a header and then the different rows of what the data is.
Well, let me.
I missed it by.
That's not true.
They start first with an explanation of what the thing that's coming and then what each field means, and then after that they put the data and then, after that data block is done,
(56:27):
they have another title, another explanation for the next thing, and then that data is all commingled there.
So it's no.
There's no clear path.
Well, there's a pattern, but it's hard to work with.
So what I had to do was figure out where are the blocks that do the explanations, and ignore those because I don't need them, and then focus only on the data to be able to create reports.
(56:47):
So right now it does chats within Snapchat, subscriber information, friend list, your location info, IPs info, some settings, some of the memories, story data.
There's a whole bunch of stuff. Christian asking, business records, like Facebook.
So Facebook also changed their returns and their user data dumps.
What that means is that you go to the Facebook portal under
(57:09):
your own account and you can pull out your own data, and all apps do that thanks to the, you know, European government, governments, right, the regulation requires these providers to provide that, give that to the users, and they changed.
They changed the HTML.
I haven't.
I have a sample set.
I haven't had the time to look at it, so I'm hoping to start
(57:30):
working on it soon.
It's just so much, but at least the Snapchats are done.
So if you're an examiner that works these cases and Snapchat is involved, at least you have another way of viewing that data so you can, you can link the conversation with the image that goes with it, because doing that by hand is next to impossible.
Does that make sense, Heather?
Speaker 2 (57:49):
That makes sense.
It's funny you're talking about the Snapchat returns too.
I'm just thinking there was a message asking for help with that on the listserv yesterday.
Speaker 1 (57:58):
Oh, really Yesterday.
Speaker 2 (58:00):
Yeah, we have to go tell them it's updated.
Speaker 1 (58:01):
I'll respond, yeah, tell them it's fixed.
You just need to point the tooling to the zip file.
You know, that the zip file returned and, if there's multiple accounts, it will pull them all in one report and you're good to go.
Speaker 2 (58:14):
Very good Awesome.
Speaker 1 (58:16):
Yeah, oh, and last one, Samsung Honeyboard text and screenshots.
They're all also provided in ALEAP for Android devices, so you can check those out.
Speaker 2 (58:24):
Nice, very cool.
I have to get contributing more.
Speaker 1 (58:30):
Yes, you should, yes, you should.
I know.
Speaker 2 (58:32):
I know, I have one I have to finish still.
Speaker 1 (58:34):
Look, you took a whole day Python class at Techno.
So come on, I did, I did.
You got to put that knowledge to work.
Speaker 2 (58:41):
I may still need you even after the whole day Python class.
Speaker 1 (58:47):
It's okay, we'll both ask ChatGPT together.
How about that? Perfect.
Speaker 2 (58:53):
Yes, yes, awesome.
So everybody's favorite time, meme of the week.
Let me share my screen here, share my window.
Speaker 1 (59:07):
I loved this one, one, tell us.
Speaker 2 (59:09):
Tell us what it is. So when you're going through all of the images in a case and it is a GIF, GIF, however you want to say it, of a finger just clicking away on the mouse, um, it is so relatable.
I loved, and there was like a huge, there was like a huge following of comments under it on your
(59:30):
LinkedIn and I'm not sure everybody in there was getting what my frustration with the going through the images in a case from your post.
But I definitely understood the post completely.
Speaker 1 (59:43):
Well, see.
So folks that have done this type of cases like we have, I mean, it's tons of images, right, and you're clicking, clicking, clicking, clicking, clicking.
I clicked.
I had a case where I was doing, I was IDing 200.
I got, this is back in the day when they expected you to look at all of them, so I ended up tagging like 250,000.
(01:00:05):
And I told my prosecutor I'm done, I can't, I'm not, I'm not going to be going through more.
This is more than enough.
Now, the thing is that the point I was making, the comment that went with the GIF, is it's not so much that I need some way of looking at images faster.
That was not the point, although it is true that it takes some time if you're going through all of them.
The point I was making, and some people misunderstood.
(01:00:28):
They were saying whoa, that's why we have AI, that it can categorize the images.
And you were talking crap about AI the other day, which, you know, I really wasn't.
I was just making the point of providers trying to differentiate themselves with AI.
It's not a differentiator anymore.
Everybody has AI, so who cares?
You know what I mean.
At the end of the day, the AI needed to do the examination,
(01:00:52):
the examiner does the examination and again, nothing against AI, useful capability, hopefully, as it develops.
But the point I was making was not that.
The point I was making is that there are some images, right, and it's not.
I don't care so much about the content.
Okay, because the AI could be, tell me all the pictures that have, let's say, a gun in them or money in them, the classic examples.
But that's not what I'm talking about.
(01:01:13):
I was talking about images that have some meaning contextually, not metadata.
I'm not talking about timestamps or EXIF.
No, I'm talking about these images were placed in a particular app in a particular place.
What does that mean and how does that affect my case?
And if it has some meaning, I want an artifact that tells me that, because if you put that image in between all the other
(01:01:35):
images, I'm going to miss that contextual meaning.
The example I gave in the post was the image cache, one of the image caches in Androids, and some of these image caches, and the one that I, I forgot the name right now, but I described in the link in a video that I made.
It's an image cache.
That's done, Glide, the Glide, thank you.
The Glide cache.
Apps that use Glide, they will render the images from within
(01:01:59):
the app, there in this location, right, and some apps that are used to hide images, they will hide the image, but the Glide cache keeps them, okay, and that's important because it tells me a couple of things.
It tells me that the app was open, that a user had to render it for it to be shown, and it tells me what's being hidden.
(01:02:19):
And if I don't have, for example, a Glide artifact that tells me that, it's just gonna be one in a million pictures and it won't tell me anything, it won't really have any meaning to me as an examiner, as I'm going through a million pictures like that mouse, click, click, click, click, click, click, click, click, click, click, click.
It's not going to help, right?
So I think, you know, folks.
(01:02:41):
I say folks, but I say vendors, so people that do coding, like I, like we do, think about the contextual meaning and then make artifacts based on that.
Sometimes it's not just the content, it's where the thing was, under what circumstances. Does that make sense?
Speaker 2 (01:02:56):
It does.
So I think of the, have you seen, in, I'm sure you have, in your investigations, the images that have in their file name FB Downloader.
So Facebook Downloader.
Putting the contextual meaning to those is really important, because it does not mean that they were downloaded from Facebook.
They're literally cached.
I could go visit your Facebook page today and your picture is
(01:03:19):
in my phone with a file name of FB Downloader.
So I love the idea of putting the contextual meaning of images in the tools, if possible.
Speaker 1 (01:03:32):
Oh, I mean, and we should, and, you know, I'm trying to, you know, walk the talk, right?
I have an image Glide cache artifact in ALEAP because of that.
So when I go to the artifacts, I know that there's some use, the user had to do something for these images to be generated, and I know where they came from and why, and that's important.
(01:03:52):
And, and just dumping the images in, in this media category, we have to do it.
But we should go, try to go out steps further and start looking at, at this type of stuff.
I've got to make some comments here.
Brett is here, so we're always happy to see him around.
He came for the DFIR but stayed for the meme of the week.
Well, Brett is up in his meme game too.
(01:04:18):
Actually, we're going to talk about it next episode.
It's at the hour right now, but Brett has been putting out a couple of really good articles lately, so we're going to be talking about it next episode.
So don't stay for the memes, stay for the Brett Shavers commentary here.
Speaker 2 (01:04:36):
Absolutely.
I've had a chance to read those.
We have to get those in next week.
Speaker 1 (01:04:40):
Yeah, no, they're pretty good.
I always read them and we're going to talk about them next
week.
And again, this applies to any type of artifact, right?
What's the contextual meaning?
What does the thing tell you beyond the content of the image
or whatever it is?
So that's why I made that post.
Hopefully folks, well, not everybody got it, but hopefully
most people did get the point.
Speaker 2 (01:04:59):
And I just love the
meme.
Speaker 1 (01:05:00):
So no, I mean, it's true, we're sitting there and
you have to scroll, and that's what you do.
You go click, click, click, click, click, click.
I'm just not saying click anyways, anyways.
So I think, I think we came to the end, right, for this week?
Speaker 2 (01:05:16):
we did.
Speaker 1 (01:05:17):
Yeah, that's it for this week. Yeah, we're both happy
to be back after all the different things and, yeah, to
be back after all the different things, and, uh, yeah, we'll,
we'll, uh, we'll have another show in, uh, in a couple of
weeks.
Yes, I want to thank everybody in the chat.
The chat was super active, Christian was sharing a lot of
thoughts and I didn't put them all up, but I read them all
(01:05:39):
, we read them all. Um, yeah, same thing to all the folks here.
I love that we're building a community of, by examiners,
for examiners, right, um, in regards to the
things that we want to talk about, um, like we did
this episode. Send us, um, your ideas and topics and then we'll
(01:05:59):
bring them up in the show. I'm gonna post about any topics that
you want us to research or talk about.
Speaker 2 (01:06:08):
Add them to that post and we'll pick one and try and
include them weekly if we get enough people contributing.
Speaker 1 (01:06:15):
Absolutely yeah.
Please come on up. Our LinkedIn, look for Digital Forensics Now
podcast, or any of our social media, mine or Heather's, and
we'll definitely try to hit podcasts.
Or, you know, any of our social media, mine or Heather's, and
we'll definitely try to hit those up.
Yeah, all right.
Anything else for the other header?
Speaker 2 (01:06:31):
That's it.
Thank you so much, everyone.
Speaker 1 (01:06:33):
All right, folks, see you in a couple of weeks.
Thank you, bye, bye, bye, bye, bye, thank you.