
January 23, 2025 63 mins


Get ready for a hands-on look at digital forensics and the challenges professionals tackle every day. We share a story about forensic guessing that highlights the importance of testing assumptions and following the evidence to avoid errors. The discussion emphasizes how staying grounded in facts can prevent investigations from going off track.

We also highlight advancements in forensic tools and training. Learn about tools like Belkasoft, the UFADE tool for iOS device extraction, and SQBite for SQLite database analysis. These tools are improving efficiency and accessibility in the field.

But it’s not all about the tech. We address the important topic of mental health in digital forensics. We discuss the pressures of the job, strategies for managing stress, and the importance of supporting one another. Personal experiences and practical tips highlight the need to prioritize mental well-being in this demanding field.

This episode provides valuable information on tools, investigative approaches, and mental health strategies for forensic professionals.

 

Notes:

Belkasoft Windows Forensics Course
https://belkasoft.com/windows-forensics-training

Updates to UFADE
https://github.com/prosch88/UFADE/releases

The Duck Hunter's Blog
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-1.html
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-2.html
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-3.html

SQBite
https://digital4n6withdamien.blogspot.com/2025/01/introducing-sqbite-alpha-python-tool.html
https://github.com/SpyderForensics/SQLite_Forensics/tree/main/SQBite

Mental Health in DFIR
https://thebinaryhick.blog/2019/06/21/mental-health-in-dfir-its-kind-of-a-big-deal/
https://www.forensicfocus.com/podcast/the-impact-of-traumatic-material-on-dfir-well-being/
https://www.forensicfocus.com/news/dfir-and-mental-health-are-we-doing-enough-to-protect-investigators/
https://www.sciencedirect.com/science/article/pii/S2666281721000251
https://belkasoft.com/preventing-burnout-in-digital-forensics
https://www.magnetforensics.com/resources/taking-care-of-mental-health-during-digital-forensics-investigations/
https://www.harmlessthepodcast.com/
https://www.shiftwellness.org/about-us
https://www.nyleap.org/

What's New with the LEAPPS
https://github.com/abrignoni


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:18):
Welcome to Digital Forensics Now podcast.
Today is Thursday, January 23rd, 2025.
My name is Alexis Brignoni and I'm
accompanied by my co-host, the Queen of the North and the

(00:39):
support ticket undisputed world champion, Heather Charpentier. Oh my God, oh my God.
By Shane Ivers and can be found at silvermansound.com.
Heather, are we ready to rumble?

Speaker 2 (00:53):
Oh yeah, we're ready to rumble. Oh my gosh, support tickets.
I'm the speedy world champion, baby. It's my favorite thing to do, really, apparently.

Speaker 1 (01:08):
Hi everybody, thank you for joining us.
Again, we have all these inside jokes here, but anyways. Some people will get it.
People receiving the support tickets will get it.
Oh yeah, no, we're happy to be here for the folks that are watching live.
We love you.
We see Jessica.
Hi, this is in the house.

(01:30):
Hi, Jess, great to see you, and the folks that are listening later through different podcast services, Spotify and iTunes and all the like.
Thank you for listening and being here and supporting the show.
Heather, what's been going on in your neck of the woods lately?

Speaker 2 (01:49):
I'm freezing to death.
That's what's going on.
I don't want to go outside and I need an electric heater next to my recliner.

Speaker 1 (01:56):
Well, you live in New York, so what do you expect?
Look, look, look.
I live in Florida and I'm freezing in Florida.
At least I got a little bit of a plane.

Speaker 2 (02:05):
It has been cold in Florida.
Oh my God, I can't even imagine, you must've been bundled right up.

Speaker 1 (02:10):
No, and I'm lucky I'm not in Pensacola.
Pensacola there was actual snow like whatever, like a foot of snow or something ridiculous like that.

Speaker 2 (02:15):
A foot of snow.

Speaker 1 (02:17):
Something like that.

Speaker 2 (02:18):
In Florida.

Speaker 1 (02:19):
In Florida.
Obviously, the northern part of Florida was still.
What the heck?

Speaker 2 (02:23):
Oh my God, I have to pay attention to the weather
down there.
I guess I didn't even see that.

Speaker 1 (02:28):
Yeah, so I'm cold.
You know, I try to have my beard warm my face.
Justin Tolman, look again withthe hat.

Speaker 2 (02:36):
Maybe I'll grow mine out and warm up a little bit.

Speaker 1 (02:40):
You'll side gig as the bearded lady you know.

Speaker 2 (02:42):
Yes, I can just imagine the introduction if I
come on to the show with a beard.

Speaker 1 (02:49):
I want to say hi to Puppet from Melbourne, good to
see you.
My friend. Hi, and the great scooter man, the one and only Scott Conning.
I mean he's running to an airport, but I'm glad he's listening.
So, Scott, listen as long as you can, but be careful with the people on the plane.
They'll tell you to shut down your phone before you take off.
You might miss some part of it.

(03:11):
And Kevin, obviously the man with the plan.
Christian's in there too, and Caitlin.
Oh, awesome, Christian, we're going to talk about your stuff today, so stick around, all right.
So talking about stuff for today.
What do we have, Heather? Let's get into it.

Speaker 2 (03:31):
Let's do it.
So I actually, I think it was last week, I was working on a case and so forensic guessing, that's like one of my biggest pet peeves, is when people see an artifact, immediately decide what they think it is and then just go with it.
And I kind of started to do that myself last week with an

(03:53):
artifact.
So I was working on a case that was a child sexual abuse material case and I opened the extraction up and did a keyword search across the entire image for some keyword terms that relate to that type of investigation.
When I did it I got hit on this file that was related to Siri.

(04:15):
So I opened the file.
The extension on it was dot T-R-I-E.
I'd never even seen that before.
And I open up the file and I'm looking at these what looked to me like to be prompts.
It looks like it's Siri, it's the user asking Siri questions and the questions were about child sexual abuse material

(04:37):
terms.
So I'm like, oh my God, I just found all this.
Guys, I just found all of the searches.
Yeah, no, it's not.
It's not.
So I went with it.
I didn't go outside of the office with it, so my forensic guessing was just right at my desk, but grabbed a test phone, enabled Siri, asked a couple of things.
Expected to see my searches in the same file in my test data.

(05:00):
When I opened the file in my test data, it had all of the same searches as my evidence phones and it looks like it's just some kind of pre-populated thing related to Siri.
And then somebody was actually standing at my desk and said to me maybe it's a block list.

Speaker 1 (05:19):
I mean and that's another, the block list is also forensic guessing, oh yeah, but it's also, I mean, we need some forensic guessing in the sense of creating some hypotheses and then, like you did, you go and you test those hypotheses and see if they pan out. Because, like, why would they pre-populate CSAM terms?
Right, like, thank you Siri.

Speaker 2 (05:39):
Yeah, the way I saw it too.
I mean, they were so detailed that I was like, oh my God, I can't believe this is here, like it's awesome.
I want to figure out how to parse it so we can let everybody look at it.

Speaker 1 (05:53):
No, don't, don't bother.
Yeah, Jessica says that forensic guess is when you don't test.
Right, you made up and you test and she's absolutely correct.
Right, you have to do that.
Your experience reminds me of something that happened, geez, like four or five years ago on Google.
Google also.
I found like I don't have the details, it was so many years

(06:13):
ago but like a list of words.
They also had CSAM words.
I'm like, okay, this must be some search thing and I kept looking and I figured out no, it's kind of like a pre-populated thing and I was finding this on multiple different devices that had nothing to do with CSAM cases and I'm like, okay, so that you know, like you said, this is not oh, I, I, oh, and I didn't have any evidence of those lists being populated by user action either, you know, right.

(06:36):
So I had to discard that, that idea.

Speaker 2 (06:39):
Yeah, I didn't I didn't either, because you know
how sometimes in the audio files there's you can hear the person's voice, and it's some of their Siri searches.
I didn't have any of them and I'm like, what is this?
And it ended up being exactly the opposite of what I thought it was, but I didn't send it out and say it was that.
So that's the good part.

(07:00):
That's the good part. Always test, test, test.

Speaker 1 (07:05):
Well, and I've got an example from a from a recent scenario.
Obviously I'm going to keep it really light, so it's not related to any to the actual case, but right, um, we had a, a tip, um, from from, from NCMEC with information and those.
Those reports have a standard format or different section.
There's a section for the suspect and there were a whole bunch of identifiers there and, and the thing is, you got to be

(07:26):
careful.
So you got to be careful not only when you're looking at something that's unknown to you, but also things that are known to you, because you can make wrong assumptions.
The wrong assumptions we were having in this case is that those identifiers included the person that was paying for the service, which makes sense, and then below it had other monikers, usernames and different things.
So if you look at it and you look at the header that says

(07:48):
suspect and will always say suspect, because how the report comes in from the tip, the cyber tip people, it's easy to assume that that subscriber information from the tip is related or, you know, it's tied to the usernames.
Kind of makes sense.
They don't tell you that it's not, they just put them all lumped together and most of the cyber tips, the subscriber

(08:11):
information, is for the user and the identifiers are for the user.
They match and you're done.
In this particular case they didn't and we could have made a wrong assumption in assuming that these usernames were tied to the subscriber and they were not.
The reason those usernames were there is that there was some information that was provided that had those usernames in it.
So it was incumbent upon us to not make an assumption there and

(08:34):
try to understand.
What does this mean?
I know the cyber tip told me it's the suspect, but okay, that's fine.
But what does that mean?
By looking at the evidence, we can't take the report and assume or take its own conclusions as the correct conclusion.
We could be wrong.
I can't call the provider and have somebody from the company

(08:56):
by the phone tell me well, this means X.
Well, that's fine that you're telling me that, but what does the evidence show, right?
Right, because this guy's phone call is worthless unless I can actually show how his conclusion is supported.
Just because he's from the provider doesn't mean that he is correct.
And that's the whole appeal to authority type of stuff, right?

(09:17):
As investigators I cannot just use an appeal to the authority.
I have to understand how they got to it and we take shortcuts.
Well, the provider said X and you go with that.
What if that guy that picked up the phone was wrong, right?
Right, yeah.
So, and we avoided making the wrong assumptions in that case because we had a peer review for it, right, and then we avoided

(09:38):
that problem.
So forensic guessing is not only on the technical side, it could also be on the investigative side.
And you have to be well, I'm going to make another story, quick story.
See, now I'm going to roll.
No, go ahead.

Speaker 2 (09:50):
That's why I picked this topic.

Speaker 1 (09:54):
We have to be aware of our biases and then establish our love for truth, right, our principles, our values, right, not our beliefs.
Values, that's my topic from last year, but I'm going to bring it again.
We go by values, not beliefs, right?
So I have cases where the suspect will say things to try to cover, and, you know, try to.

(10:15):
For example, look, I'm at this illegal content, I don't like it, you know, as they're downloading it, right.
So if it's found, they said well, I said I didn't like it.
So they're kind of trying to cover themselves.
Right and well, just because somebody did that at some point in one of your cases doesn't mean everybody is like that.

(10:36):
And I say that because in one particular case, somebody would have told me well, that thing that looks exculpatory, well, that's what a guilty person would say.
And my response to that, okay, then what would an innocent person say?
The exact same thing, right?
So that type of comment doesn't help.
What do you do then?
Well, you look to the evidence.

(10:56):
You figure out well, is this statement consistent with the evidence?
If the person is not liking this contraband, they don't want it.
Well, did they delete it?
Did they report it?
I mean, did they follow the actions to show that?
And if that's the case, that statement is supported.
And is that not the case?
The statement is not supported.
What I can do is just, well, that's what a guilty person would say.
I mean, come on, man, and we do that all the time.

(11:16):
And look, I mean I'm not saying that to ding on the folks that I had the conversation with is, people are really good people, but that's normal.
I've been there.
I've been there.
I've been the one that makes those assumptions, because our training and experience leads us to kind of go that way.
But sometimes we have to step back and I say that for myself, step back and make sure that, whatever the statement is and my assumption of the statement, they need to be backed up by the

(11:38):
evidence and if they don't, I should be happy with discarding them, because I don't care about being right.
I I mean not being right about my beliefs being right.
I care about the evidence and my interpretation being right, and if my beliefs are wrong, I'm more than happy to drop my beliefs and develop new ones.

Speaker 2 (11:53):
Hopefully that makes sense, I really wanted this to
be the user Siri questions, though.

Speaker 1 (11:59):
Well, I mean, it would do for great artifact
research right.

Speaker 2 (12:07):
I know I was so excited because I'm like, oh, we can support it in the LEAPPs and no, we're not going to do that, because it's not what you think it is.

Speaker 1 (12:10):
Yeah, Mary's is also there.
Hi Mary, that's a good friend, and who else is here?

Speaker 2 (12:19):
Derek and Damien.

Speaker 1 (12:21):
Derek, Damien, we got some of your stuff coming up too.
Derek did some awesome logos.
So if you subscribe to our newsletter for the LEAPPs, go to, if you haven't, go to LEAPPS, L-E-A-P-P-S dot org, and you can subscribe there and whenever we have a new version of the product or when we're ready to this to release LAVA, not yet,

(12:47):
we're still working on it, um, would you be advised.
Well, I send out the first newsletter email out, uh for the uh, um, announcing the latest iLEAPP version, and it has some awesome logos done by Derek. It does, it does, they look pretty cool.
It's a little apple with all the different connectors.
You gotta see it, it's pretty nice. I also put it on social media.

Speaker 2 (12:58):
Yeah, I was gonna say we should have put a picture up, but it's right on your LinkedIn and everybody can go to your LinkedIn and see it.

Speaker 1 (13:04):
Yeah, so.
So there it is.
So, thank you, Derek.
So so, yeah, so, yeah, I mean just to close with this topic, we need to make sure that our property, that's for this year, that's one of my words for this year. Property, property meaning your character, quality, that you have to go and follow things through the whole way and make sure that.
Attention to detail, and then the third one is probably

(13:27):
attention to detail and due diligence.
Those are the three concepts for the year, for me, for 2025.
So we need to refocus on those.

Speaker 2 (13:36):
Keep the guessing at your desk.

Speaker 1 (13:39):
I mean, create hypotheses, like Jessica, create hypotheses.
That's what forensic guessing is, nothing else.
If you're putting a forensic guess on your report, you gonna be in trouble.
Oh yeah, definitely, yeah, let me.
Let me just uh hear a little shout out to Derek from Kevin.
Kevin's also been working.
Uh, so Kevin and Kevin and Derek, they're working on some of the branding for the LEAPPs and the web pages and how we do
(13:59):
logos and stuff, and uh, they're doing an amazing job and everybody pitched in ideas and Derek's been so kind of giving us of his time to create those logos.
There's more coming up.
I don't want to show them all at once and and they're pretty fun and roll them out slowly, of course, of course.
So thanks to Derek and Kevin to try this great uh group work

(14:20):
there.
Yeah good, um, let's see what else we have, oh, Belkasoft.

Speaker 2 (14:27):
If you haven't seen Belkasoft's announcements, um, they're giving another free course, which I think is so awesome, but it's a Windows forensic course this time.
Um, free online access to the course materials, and this will be any time between January 15th and February 14th, so there's still time.
Um, I believe they had so many people sign up, but they're kind of like staggering releasing the materials to people anyway.

(14:49):
So get signed up so that you can get in on that.
It includes a free 30 day trial license for Belkasoft training materials, video tutorials, pre-recorded webinars, articles, what else does it have?
Practical tasks, certificate of completion and achievement.
And the basis of the course, like what you're going to learn,
(15:10):
is how to review common Windows file systems, which file system features might be useful in your investigations.
How to examine Windows applications like chats, browsers, mail clients.
How to inspect media files, documents and utilize media-specific analysis options like text recognition and keyframe extraction.

(15:31):
How to identify and analyze forensically important Windows system files like registry files, event logs, files like that, and then how to get more evidence from Windows data source by using carving, embedded data analysis and other advanced forensic techniques.
So I'm going to put the link up on the screen now, but it'll also be in the show notes for anybody who's looking to go
(15:53):
register for that course.

Speaker 1 (15:55):
Yeah, and the Belkasoft people are putting great content out.
If you're not following Yuri, you know the owner, CEO of the company.
Yeah, he's putting out a good forensic forensic content like a series in LinkedIn.
Like you know, every day he puts like a, a snippet of a topic.
That's all related and they're pretty good.
So I suggest folks to do that.
We think that to be good examiners, we need to have
(16:17):
thousands and thousands of dollars of training available, like a training budget, which I mean if you have it it's great, but you don't really have to.
There's so much good content out there for free and available.
You just need to go and spend the time you know looking for it.
So, uh, going to the LinkedIn, to the blogs and free courses at Belkasoft, uh, that's one way of of getting that.

Speaker 2 (16:37):
Yeah, and it gives you access to the Belkasoft um software.
And I mean you're going to love the Belkasoft software.
Get it, get that tool for your toolbox.

Speaker 1 (16:46):
Absolutely, absolutely.
And talking about tools,there's paid tools, yeah,
there's tools that are there, are, you know, available to the public, even at no cost.
So what do we?
What do we have on that front, Heather?

Speaker 2 (16:57):
Christian, who's in the chat tonight, to his UFADE tool.
We've showed the UFADE tool on the podcast a few times now, but he has recently made a few updates and I have some screenshots to go along with that. Before, just give a 20 second rundown of what the tool does for the folks that never hear about it.
Oh, yeah, yeah, so you can do extractions from iOS devices.

(17:20):
There's advanced logical file systems.
There's Cellebrite UFED format, where it comes out with the actual UFD file.
You can extract the sysdiagnose logs.
I know I'm forgetting things.
There's a ton of functionality to it, so check it out.
Oh, the unified logs.

Speaker 1 (17:36):
It'll pull those, so yeah check it out and the cost is the best part, you know I mean it's like, only like, $50,000, I think right, but there's a discount.
It's a $50,000 discount with it, and so being $0.

Speaker 2 (17:52):
Yeah, so it's free.
But with the most recent update he added a new type of advanced logical backup and he put in his blog that he's calling it a partially restored file system.
And he explained in his post that it creates an encrypted iTunes backup, decrypts the backup to the original file structure, pulls files via AFC that are not included in the

(18:14):
backup, pulls shared app document folders and including missing files, pulls crash logs if you've triggered a sysdiagnose and pulls iTunes metadata for apps.
All of that creates a tar archive that can be loaded directly into iLEAPP, if you'd want to choose iLEAPP or whatever tool you'd like to use.
And the other new feature is a PDF report is now also included

(18:40):
for screenshots that you take, so the tool actually has the capability of doing screenshots as well, and those screenshots will contain file name, hash and information about the chat.
And he threw a thank you out to Miguel Angel Alfredo Traverso.

Speaker 1 (18:58):
That's pretty good.

Speaker 2 (19:03):
I didn't do too bad, right, Miguel Angel?
I know you're going to say it better.

Speaker 1 (19:07):
Actually, I know him in person.

Speaker 2 (19:09):
Okay, oh yeah.

Speaker 1 (19:10):
No, he's an Argentinian.
He's an Argentinian from Mar del Plata and we're taking a couple of he's taking a couple of my classes over there, and what a nice guy.

Speaker 2 (19:19):
Oh nice, tremendous examiner, really sharp guy, and um really nice guy, so I actually know him in person as a matter of fact.
Oh good, so you can fix my, my horrible butchering of everybody's name that I come in contact with. Um.
I stole Christian's screenshots that he put up too. Um, so the first screenshot that I have up on the screen shows you the
(19:41):
option for that new partially restored file system backup.
And then he had a screenshot of what the screenshot reports will look like.
Speaker 1 (19:51):
They look pretty nice.
I love the logo on the top they do, and the details, the headers. Not headers, but yeah, I guess the column thing and the explanation, they're pretty nice.

Speaker 2 (20:01):
Yeah, definitely.
And then he also had the data loaded into iLEAPP in one of his screenshots, so I have to show off the iLEAPP.
Speaker 1 (20:09):
Even more nice.

Speaker 2 (20:10):
Yes, it's beautiful and just wait till LAVA comes out.

Speaker 1 (20:12):
It's just that it's such a complicated piece of software that, and again, our budget allows us to go slow.
But it's pretty good stuff.
Pretty good stuff.

Speaker 2 (20:21):
And since Christian's listening, I I'm gonna tell him it's in the light mode, it's not in the dark mode and I almost got in trouble for that. Yeah, my retinas are burning right now.

Speaker 1 (20:30):
I'm looking away from the screen.
I don't want my retinas to burn, you know. I said, I didn't do the screenshots.

Speaker 2 (20:35):
I stole them from Christian, so I blamed you. More dark, more Christian, please.
The vampires like me need it, so go check, check out the updates, give it a try, hook your iOS device up and try all the different options.
There's a ton of different options in there.

Speaker 1 (20:53):
And again, it's free, and I love this type of software because you know it really gives you a sense of what the tool's doing behind the scenes.
So please, please, go get it and practice, practice, practice, practice, practice and then you sit on your cases as needed. Definitely.

Speaker 2 (21:08):
Um.
So some research, some new research that's out there by Damien Attoe.
Uh, he has a new blog and it's the Duck Hunter's blog.
It's on his blog site.
Um, there's three out. I have, I only had two to talk about tonight and then he went and released one last minute on me here.

Speaker 1 (21:27):
So, um, there's actually even better, even better. Yeah, definitely, um.

Speaker 2 (21:33):
So the first one is research, uh, focused on analyzing the DuckDuckGo, uh, privacy browser across iOS, Android and Windows platforms.
Um, his objectives included identifying stored session data, understanding data persistence post-application closure, assessing the impact of the fire button, which I didn't even
(21:55):
know what the fire button was.
So the fire button is the DuckDuckGo privacy browser.
It's a feature designed to instantly clear your browsing data, including tabs, cookies and cache files.
It provides users with a quick and efficient way to maintain privacy by erasing traces of their online activity on the device.

Speaker 1 (22:13):
Yeah, I grabbed that.
It's the wife is coming button, yeah.

Speaker 2 (22:17):
Yeah, so his first blog talks about that and does a lot of testing with that.
His second blog expands upon that with the DuckDuckGo privacy
(22:37):
browser and examines the actual history DB, the SQLite database related to it, in Android no-transcript browser.
Oh God.

Speaker 1 (22:53):
I was going to ask.
I think he did some research onsome of the recoverability of
data from that SQLite database,right?

Speaker 2 (22:59):
He did, yes, yep, so yeah, the browser's fire button and the automatic clearing features can erase the browsing history, and he was looking into the potential methods for recovering deleted browsing history, including the write-ahead log.
So check that out.
And then the third one, which I just learned about today, is
(23:19):
hold on one second, that's going to have to do with the tabs.

Speaker 1 (23:23):
Yeah, kevin is saying that we need gov parses in
iLeap, and I agree with that.
Actually, heather, maybe weshould by me.
I mean, you get some test dataand then I can help out with the
coding part.
So that's actually a good idea.
I like that.

Speaker 2 (23:37):
Or we'll throw Damien in on this with us.

Speaker 1 (23:40):
Well, I mean, he knows how to code really good.
Yeah, I know, Damien, you want to make an artifact for iLEAPP.

Speaker 2 (23:46):
I'm just throwing you in.

Speaker 1 (23:48):
It's Python, Damien.
You got that down like on your sleep.
Man, there we go, boom. Ah, awesome, ah, perfect.
He's saying that he can write them.
Okay. Now you made a commitment in public to you know.

Speaker 2 (24:04):
Uh-oh, it's up there on the screen.

Speaker 1 (24:06):
Yeah, a whole bunch of people.
So we're going to hold you up to it and we'll see you soon in IACIS.

Speaker 2 (24:12):
Yes, I'm just saying a night of coding IACIS.

Speaker 1 (24:17):
I hope he hasn't done before that.
But if not.

Speaker 2 (24:19):
That works too.

Speaker 1 (24:20):
Come on, Heather, come on.

Speaker 2 (24:22):
I know, ooh, I just gave a longer timeframe.

Speaker 1 (24:25):
Yeah, that's a fail on your end.
Oh sorry.

Speaker 2 (24:28):
Um, the third blog.
He talks about, uh, DuckDuckGo's open tab information.
So he looks into the specifics of how DuckDuckGo browser on Android devices manages and stores information related to the open tabs.
It talks about the stored information, including URLs of open tabs, identification of currently active tab,

(24:51):
screenshots of the current web pages and open tabs and favicons associated with the current web pages in the open tabs.
So I have links to all three of those but they're not going to fit up on the screen here.
They'll be in the show notes for everybody to look at when we're done.

Speaker 1 (25:07):
And I really recommend people to look at his research in recoverability.
How much you can pull stuff out from that SQLite database, I'm not going to go into it now, but it has some pretty unique characteristics that you might not be applicable to other SQLite databases.
So look into that.
In that vein, I did a research long ago on the Firefox privacy browser in Android some years ago and I found out that the

(25:29):
LevelDB data stores for that browser were not cleared, even though the SQLite history database was cleared.
So I guess if you're doing browser forensics and you care about deleted stuff, read Damien's blog for DuckDuckGo, do some of the techniques he uses with the SQLite and me.
I'm providing you another avenue, get smart with LevelDBs and
(25:52):
pull those out, because you will find good stuff inside LevelDBs and some of these browsers don't really care to flush those out, and then you can get.
I in my research I got actual websites at the that I visited um that were not in the cleared out database.
So don't sleep on LevelDBs.
We talked about LevelDBs in the past other episodes and but

(26:14):
so we have time for that now,but just research some of that
really good, good data sources.

Speaker 2 (26:18):
Yeah, we need to revisit those again because everybody needs to be going to the LevelDBs. We'll have to put that in one of the one of the next, we'll just keep revisiting that one.

Speaker 1 (26:27):
And on our IACIS course we we cover those LevelDBs really good.
In the advanced mobile device forensics course we cover that as well.

Speaker 2 (26:38):
So just a heads up.
Oh, speaking of Damien, another post from Damien recently was his tool, the SQBite.
Let me throw that up there.
There we go.
So SQBite, according to his post, is a tool that has a combination of Python scripts.
He wrote it over the past six months to do various things with

(27:06):
SQLite databases all combined into a single tool, and he stated that currently it extracts records from tables in the main database file, extracts records from B-tree leaf frames in the write-ahead log, associates records in the write-ahead log to the table they belong to, outputs all records into a single CSV with file offsets for validation.
He indicated in his post that it's very useful for a
(27:28):
validation tool.
I 100% agree.
I would use it as a validation to what I'm seeing in my major tools, but also as a triage quick to get some really quick information from a database that I'm interested in.

Speaker 1 (27:41):
Well, and I think you mentioned the recovery from free blocks and unallocated space, right, you mentioned that's upcoming.

Speaker 2 (27:49):
So he has future additions are going to be parsing free list pages, parsing overflow pages, parsing index B-trees, parsing pointer map pages, recovery of records from free blocks and page unallocated space, recreating the database and output the records into a SQLite database that can be queried.

(28:09):
And I think he said two.

Speaker 1 (28:12):
I like that feature a lot.
I really like the fact that you can take those records and put
it in this other also database format that you can actually go
through.
That's a pretty smart way of doing that.
I like it.

Speaker 2 (28:23):
Yeah, he said too that he has a beta version of
that already that he plans to release in March 2025.
That will have the basic record recovery functionality for free
blocks, free list pages and unallocated space.

Speaker 1 (28:37):
And, based on his description, it seems to be a
pretty comprehensive recovery tool, because I tried different
recovery tools for SQL databases and some pull some things, some
pull others, but then that's fine.
But I like the detail and all the different avenues of
recovery that he's working on.
So I really applaud his work on this and I look

(28:59):
forward to the March release of the latest version with those
capabilities. Yeah, me too.

Speaker 2 (29:03):
Um, I really really appreciate his README too.
Sometimes the README is when I'm going to do these scripts
I'm like, hmm, I really don't know what I'm doing.
But if you're gonna go try out this tool, the README is super
detailed and I have it up on the screen now.
So I'm going to just run it real quick on a call history
database that I grabbed from Josh Hickman's extractions, so

(29:26):
Python, the SQBite.py, and then you have the dash I, which is a
pointer to the call history store data.
That's the database that I'm going to parse.
The dash W you can either include it or omit it, but it'll
then take into account the WAL file.
So then point to the WAL file and then the dash O for the

(29:48):
output which I did as call history dot CSV, and I'm just
going to hit it.
It goes really fast.
And then let me share.
We have this nice CSV of the call history data from Josh
Hickman's extraction.

(30:08):
You can see that his name's all over it and this is deeper.
Oh, do you want me to zoom in?

Speaker 1 (30:14):
Yeah, it's bright and really far away.

Speaker 2 (30:16):
Oh, I know the brightness.

Speaker 1 (30:17):
I didn't fix the brightness, I'm sorry. You know
you can have dark mode on on those, these type of programs
too, right?
Ah, yeah, I know. Actually you can see the shine of the screen
in my face. Oh, I just zoomed.

Speaker 2 (30:30):
Okay, I just lost you for a minute.

Speaker 1 (30:31):
I just I just messing with you, although it's true.

Speaker 2 (30:33):
No, I know you're messing with me.
All right, let me just, here we go.

Speaker 1 (30:38):
It's like the sun.
I'm staring at the sun.

Speaker 2 (30:41):
There we go.
Is that better?

Speaker 1 (30:42):
Well, yeah, yeah, that was better.
At least I can read it now.

Speaker 2 (30:45):
Yes, thank you, so we in a CSV that was the output
from this really simple script that goes along with.

Speaker 1 (30:59):
SQBite and I can't wait for the recovery features.
Yeah, absolutely.
I think I saw a traceback there at the end of this run,
but you know Damien is already on it.
He says you know, if you can send him a, send, send over the
traceback, he will work on it.
I love that.

Speaker 2 (31:11):
Yeah, I did see the error too when I ran it earlier
and I'm like I don't have enough time to write to you, Damien,
but we'll fix it tonight and I have my data here too.

Speaker 1 (31:20):
No, and that's useful.
Actually, I was troubleshooting with Jess and we haven't
finished that yet, but a little bit of some errors we had on
iLEAPP on her data set, and that's something that I hope to work
on soonish.
So that's how it is, that's normal.

Speaker 2 (31:35):
Nice yeah, so try it out.

Speaker 1 (31:39):
Yeah, talking about being bright stuff, Chris has
said Lava will default to dark mode.
Well, I don't know if we, I'm going to push for it to be
defaulted, but either way, for a fact it does have dark mode.
I'm just going to say because there's no way we are gonna
release that without dark mode.
Heck, even, even Kevin goes for a farther and says we may have
some themes.

Speaker 2 (31:59):
So you know, boom. Oh, I'm gonna go for a theme.
I never put anything in dark mode.
I don't know why my eyes are gonna be burned out of my head.
You're gonna put the Hello Kitty theme on Lava.
That's what you're doing. Yeah, definitely, definitely.

Speaker 1 (32:11):
You're not a Hello Kitty person.

Speaker 2 (32:13):
Come on, not even a little bit, like never have been,
never will be.

Speaker 1 (32:19):
I know you well enough not to For that not to be
the case.

Speaker 2 (32:25):
All right, I will put the link up.
There's a blog about the SQBite tool and there's also the
link to Damien's GitHub, uh, at Spyder Forensics GitHub where
you can download the tool and test it out.

Speaker 1 (32:39):
They'll be in the show notes.

Speaker 2 (32:41):
Please do. Absolutely. All right, our next topic.
So we haven't covered this one before.
Uh, but mental health in the digital forensic incident
response world.
Um, it's a big thing and I don't know.
I'm going to just talk about some of the stuff that goes on
with mental health issues in the digital forensic world.

(33:04):
So I mean, everybody knows you all work in the digital
forensics world.
It's really a fast-paced industry, demands a lot of
technical expertise, precision, resilience. By fast pace,
you know you have that district attorney or boss that's like I
need this, I need this, I need this yesterday.

(33:25):
Where's my, where's my extractions?
Where's my analysis?
I need this done and it can be, become kind of overwhelming at
times.

Speaker 1 (33:36):
Um, so we're just going to kind of talk about some
of like the stressors that are in digital forensics, some of
the common signs of burnout in digital forensics, um, analysis
and then what to do if you need help and some good resources
that are out there. Yeah, and, and before I go into that, I want
to get a quick comment here. With your mental health in DFIR,

(33:57):
most of the time we default to you're being exposed to CSAM,
right, and that will give you some stress, and that's
absolutely true, right, and there's a lot of good resources.
I think I'm going to mention if you're working in CSAM cases in
regards to mental health.
But mental health is not only if you're being exposed to CSAM
material.
You can maybe not be exposed to it and still suffer from the

(34:19):
different things, the stressors that Heather mentioned, burnout,
and actually you might need some help and at least in the
law enforcement community, getting help,
it's hard, not because there's no resources, but there is these,
the unmentioned culture of toughness.
If you're in law enforcement, and you're in law enforcement,
you're a tough gal, a tough guy, and I can handle, I can deal

(34:42):
with it and I don't want to be seen as weak and that's not
something we do consciously, it's unconsciously, right, the,
the, the image you want to project, that's law enforcement
officers.
So it's really good to talk about these topics and just
because you're not exposed to CSAM does not mean that we don't
need to be aware of our mental health in this field.

Speaker 2 (35:01):
Right, yeah, no, definitely the stigma that comes
around with it.
Definitely it's a tough it out, tough it out mentality, but I
mean with a supportive environment where individuals
can feel comfortable addressing what their challenges might be
and an area where they can prioritize their self-care,
it'll, everything can be overcome.

(35:29):
Demands, unpredictable hours, exposure to that sensitive and
or disturbing content that Alex was just talking about, which
could include CSAM, but really it could include a lot of
different things depending on what types of cases you work.
Actually, I'll just say here, one of the worst cases that I

(35:49):
ever had to work on was actually a suicide.
I mean, the CSAM cases are horrible, definitely, but a
suicide case where I had to actually watch the entire
suicide.
It was by hanging.
I had to watch the entire video of it because they were unsure
if somebody had assisted in that suicide.
So not only watch it but also listen to it.

(36:11):
And I think that's one of the cases that sticks out in my mind
as like the most disturbing since I started with the state
police in 10 years ago almost.

Speaker 1 (36:21):
Yeah.
I mean, and you know, to CSAM and other visual depictions of
violence definitely can affect you, and some of the effects are
not immediate, right, that might come out later.
And that speaks to us being aware that that could happen and
then be ready to receive help.
That's the big thing, right, and, and try to be aware that

(36:43):
it's normal for us to maybe have a delayed reaction.
The reaction could be delayed for years.
Um, oh yeah, I, I was the examiner on, at least for the
federal agency that responded to the Pulse shooting here in
Orlando, right, and part of my job was getting the digital
evidence out to include the surveillance recordings, because

(37:06):
we needed at that point to quickly identify any other
possible attackers, right, is it a one person thing?
Is it two people?
And at that time there was a lot of confusion in regards to one
attacker or two attackers, and I went into the crime scene.
I had to.
The crime scene was pretty much not processed yet because we

(37:27):
had an urgency to prevent attacks, right, so I went into
the crime scene and you know, really impactful thing, I'm good
so far, but what will happen in the future.
I don't know.
I need to be ready for that and thankfully my agency has a lot
of resources in regards to that.
But even if your agency doesn't have as much mental health
resources, there's resources that are available to you, that

(37:49):
are free and out there for the community, and I think we'll
talk about some of those.
And then that video.
I had to process that video and look at all the camera angles,
making sure that it was the one attacker that ended up being
right, and try to figure out if there was any intelligence we
could grab from that.
Right.
And now you're listening, you're watching, you might be

(38:11):
well, I'm not exposed to that type of level of impactful
material thankfully, right.
But even if you're not, for example, if the volume of work
is really high, if the pressure of getting work done is high, if
your boss tells you, deal with the priority cases first, and
the next sentence is all cases are priority, right, yeah.
You can experience a level of, you know, especially your boss,

(38:34):
but whatever management you have, it's not responsive to your
needs as a person.
That will create some certain uncomfortableness and issues
with you in due time.
So just because you're not exposed to really horrendous
visual material, you don't minimize the stresses that you
might be in and it might require to have some conversation with

(38:57):
management.
Sometimes it might require you to just leave that organization
because you need to prioritize your mental health.
We are in a technical field and you know jobs are hard to come
by.
But losing your mental health, that cannot be recovered later
after a point.
Right, don't, yeah, don't minimize the stress that you're
in.
Look for help and try to put them in context and if you need

(39:18):
to leave and get out of that environment, maybe that's just
an environment that's not healthy for you and there's no
shaming in accepting that and trying to be better.
Right, we need to take care of ourselves.
See, now I'm on another roll.
It's like, it's like you're in the right and you're helping
people.
Help you.
You want to help people because the plane is coming down and
the mask come down and they tell you put the mask on the

(39:40):
children first.
I mean, I'm sorry, on you first and then on the children, right?
Because you cannot help anybody if you don't help yourself.
What good are you?
If you pass out, then you pass out and then the child also
passes out, right?
Put it, just put your mask on first and then you can put the
mask on the children or whoever needs you, right?
So you got to take care of yourself.
It's not a selfish thing, it's a smart thing.

(40:00):
When you do that, then you're able to take care of yourself
and of others. Definitely, definitely. So.

Speaker 2 (40:08):
Some of the stressors and like some of the common
signs to look for in yourself and maybe in others.
If you happen to see somebody out struggling so exhaustion,
low energy, detachment, any type of anxiety or depression, you
may experience headaches or digestive issues, muscle tension,
the person may be irritable or have just unannounced mood

(40:31):
swings.
Compassion fatigue is definitely a big thing, uh,
especially in law enforcement.
Um, you know you want to help everybody in all of these cases
that you're working on, and it can,
it can just get tiring to try and be help, help everybody.
Um, and then difficulty separating work life from

(40:51):
personal life.
That one's huge.
I, I definitely do that.
Um, and then, um, also like desensitization to the things
that you're looking at, like it's no longer bothering you as
much as it used to.

Speaker 1 (41:08):
Um, yeah, go ahead. Yeah, yeah and um, I understand
this is my, as a personal, a personal opinion.
So take it everybody for what it's worth and if you don't
agree with it, that's fine.
But we take to be.
Well, I'm going to use a lot of dark humor to kind of cope with
it in the work environment, right, and I take that to be as
an indicator that we need to look for more consistent

(41:31):
professional help, right?
I don't believe that dark humor really helps that much.
It's more of a mask that we put in front of ourselves to try to
say that we're okay when we're not.
If, if the material is not good, if the pressure is high, just
underlining it constantly as a joke, it's not going to help you
feel better about it, even if you think you do, right, and then

(41:52):
that's,
that's my personal opinion and I try to avoid taking that, that
tack, because it's just me reminding myself of how bad the
thing is.
I rather just try to do something different and in how I
deal with it and also people that are exposed to your dark
humor about those topics.
Maybe they don't want to be exposed to that type of humor,
right?
Maybe that just makes it harder, even harder for them because

(42:15):
they're going through the same experience and now you're making
jokes about it.
Right, trying to make yourself feel better and actually makes
them feel worse.
So that's why I think having a good conversation with your
management and what resources you have, if you're under really
stress due to your workload or the materials you're exposed to,
it's important to have and do it periodically.

(42:36):
Even if you feel fine, there's nothing wrong with having that
discussion periodically and make sure that everybody is doing
okay.

Speaker 2 (42:43):
Yeah, to identify someone who might be in need of
help.
Some things you might be able to identify: a decline in their
work performance or an increase in errors in their work.
If somebody was like a really high producer in your office and
all of a sudden they're just not anymore, that could
definitely be an indicator.
Withdrawal from coworkers or social activities and excessive

(43:08):
sick days or absences, these are all some ways to help identify
if somebody might be struggling.
Absolutely, law enforcement agencies used to lack, but I

(43:36):
think they're really like starting to embrace the
supportive workplace and more of the mental health, um, types of
trainings and, uh, resources.
I think now, um, they're often, let's see.
Oh, set boundaries.
So, um, you must have a life besides just work.
Find, find the balance.
You can still be amazing at your job and make time for

(43:59):
yourself.
Take the breaks, take your lunch break.
Um, get up from your desk once in a while, uh, just to go for a
walk.
Uh, whatever.
Whatever it is that helps, um, take away some of that stress,
find an outlet.
Uh, for some people it's exercise.
Where Alex it's exercise, not for me.
I hate the exercise.
I'm just being forced against my will to exercise.

Speaker 1 (44:20):
But it's good for you, so I don't care.
I'll keep dragging you to the gym every day.
But go on, carry on.

Speaker 2 (44:27):
So with finding an outlet.
It might be therapy, it might be hobbies, just something
outside of the work that you're doing, to take your mind off of
those stressors and look for community support.
The digital forensics community is an amazing group of people.
There's a lot of people out there that come to my mind when

(44:48):
I think about mental health, and I'm going to mention a few of
them in just a minute, but there's resources right inside
the digital forensic community that can be helpful.

Speaker 1 (44:57):
Absolutely.
And just a quick comment here and give yourself grace and time,
right, as you're dealing with those issues.
For example, here we had in the chat I changed jobs and it took
a year to recover from the burnout.
Right, you got to be,
give yourself some time as you're addressing those issues.
And that's okay, that's normal and it's expected.

(45:17):
We're not made out of wood or metal.
We're human beings and we need to be aware of those.

Speaker 2 (45:25):
So what resources are out there?
Therapists and counselors, there's a lot of them that are
geared specifically toward law enforcement too.
So if you are in law enforcement in the digital
forensics field, they have like a unique ability to connect with
the law enforcement employees, so you can always look for a
therapist or counselor that has that. Employee assistance programs at

(45:45):
work.
Any of the digital forensic groups, conference sessions.
A lot of times the conferences that are available will have
actual sessions on mental health in digital forensics.
Different podcasts and blogs there's available that relate to
mental health, self-care, whatever you choose.
It could be reading, journaling or, like I said before,

(46:07):
exercising, whatever it is that will help you with your own
self-care, connecting with peers, networking or just talking to
somebody that you might feel safe with and not judged by.
Absolutely, absolutely.
So.

(46:29):
A few of those resources right in our field that come to mind,
one is in my state and it's NYLEAP.
It stands for New York State Law Enforcement Assistance
Program, so they're a nonprofit organization that provides
support specifically to law enforcement professionals and
their families.
They address mental health and wellness needs of officers,
particularly ones that have experienced trauma, stress or
critical incidents, and it's all.

(46:50):
It's all put on by Jim Banish.
I had to think of his name there.
He had a brother who was a New York State police officer and he
committed suicide while on the job and he started this whole
organization after the death of his brother.

Speaker 1 (47:10):
Yes, it's a really tough motivation there, but
making the best out of a tragedy, that's amazing.

Speaker 2 (47:16):
Yeah, yep, he does a really good job with it.

Speaker 1 (47:20):
That's great.

Speaker 2 (47:23):
And then another one that comes to mind.
I don't know if anybody has ever heard of Eric Oldenburg, but he
used to work for Griffeye and he's awesome.
Yeah, so he was a trainer at Griffeye, but he is really
focused on mental health and digital forensics.
He's not with Griffeye or Magnet anymore, but he has a
podcast.
It's called Harmless the podcast and it focuses on the

(47:44):
harsh realities of online child sexual exploitation.
So it does have that child exploitation theme to it, has a
really good way of, I think, kind of like just explaining the
things that happened to him throughout his career and how

(48:04):
they might happen to you and the types of things that really can,
that you can do to kind of deescalate those feelings inside
of yourself.
So if you get a chance to check out his podcast, and then
another one that comes to mind is Debbie Garner, so she's
actually an instructor for the Innocent Justice Foundation
Shift Wellness Program. If you've ever heard of Shift Wellness,

(48:27):
they focus on mental health in the digital forensics world as
well, go check them out for you or for your team, and
if you're a manager, you need to also be not only taking care of
the cases and the hardware and the licensing and the
environment that you're in.

Speaker 1 (48:46):
If you have desks, chairs, that's fine, but the
most important thing to take care of is your people, right?
It's the folks that actually work with you and, as a manager,
that should be your number one, number two, number three
priority, and this is one way of showing that you care for your
folks.
So look into that.

Speaker 2 (49:05):
Yeah, definitely. In the show notes too.
I have a whole bunch of blogs that actually focus on mental
health.
Binary Hick has one, Forensic Focus, there's a ScienceDirect
paper, Belkasoft has one, Magnet has one.

Speaker 1 (49:17):
So I'll put all of those blogs in the show notes.
Awesomeness, awesomeness. Yeah, right, so, so yeah, so we're good
with the mental health and, again, I really like the fact
that we cover more, more than CSAM, so that's important.
So now let's get some lighter topics.
So what do we have next?

Speaker 2 (49:33):
Yeah, what's new with the LEAPPs?

Speaker 1 (49:36):
Yeah, so I think Scott's still around, if he
hasn't left on his plane.

Speaker 2 (49:41):
He might be on the plane.
Yeah, he might be flying.

Speaker 1 (49:44):
So, Scott, his claim to well-deserved digital
forensics fame is the Photos.sqlite queries that he does for iOS
devices and if you're not familiar with it, the Photos.sqlite
database has a ton of information about all the images,
media, that reside in these iOS devices.

(50:05):
Okay, some of, some of the most useful features of looking at
this type of photo, not type, but this database, it's, for example,
determining the provenance of media, provenance, meaning where
it came from.
And I love it because you could see there, like the media, and

(50:27):
you can see the bundle ID that would generate it, some metadata
about it.
Um, if that media has been altered in different ways or if
it has been, been placed with another name at other locations,
right, because if you're not aware, aware of it, iOS devices
will show you, um, I don't want to say thumbnails, but
renderings of images, and it will save it with different
names in different places.
Now, Photos.sqlite allows you to correlate all those file
names and files to the original photo that those are rendered or

(50:52):
derived from.
I mean, there's a ton of information, it's a ton of
queries.
Some of these queries have thousands upon thousands of
thousands of rows of pertinent information.
So, oh, and another thing, these queries are different, can
be different from one iOS version to another.
So the query that work in iOS, whatever, 17 might not work in

(51:15):
iOS, whatever, 18, whatever the number is.
So Scott has gone and done all that research for you.
So, instead of you having to run each query by hand, and by
hand I mean okay, what iOS device do I have?
Oh, iOS, whatever.
Okay, take that database out.
Look for the query.
Open a SQLite browser tool, run the query.

(51:36):
Look at the.
To avoid that, he coded that all in the LEAPPs, in iLEAPP, and
it's an,
it's a ton of work.
And not only did he code that, and obviously with the LEAPPs, he
takes into account the iOS version that you're having your
extraction.
So you don't have, you don't have to do that, just run it and
you're good to go.
He also made it Lava compliant and that means that whenever we

(51:56):
release, as soon as we release, the Lava viewing, you know,
program that we're working on, um, you will be able to look at all
the Photos.sqlite within Lava, and which is way faster than the
HTML reports.
And if you have a lot of data that crashes your browser, it's
not going to crash Lava.

(52:16):
Lava is made to be able to process large amounts of data,
so I'm really looking forward to that amazing work that Scott is
doing.

Speaker 2 (52:22):
It's gonna be awesome, definitely, and if you ever get
a chance, just open and look at a few of those scripts that are,
uh, Photos.sqlite.
Oh my god, I don't know how he did all that.

Speaker 1 (52:33):
That is a ton of work. It is and, and look, he's, he's
that, that's, that's his baby, that type of research and so
useful for the community.
And he was in, you know, in contact with the me and other
developers, like Kevin, like Johan and all the folks that
work on the LEAPPs and, uh, you know, I gave him a, uh, like a
not even beta, like an alpha version of Lava, um, so he could

(52:56):
kind of test some of those, because it's not really, it's a
lot of work, it's a lot scripts, and I love the fact that he
shares that because you can also do your own validation.
You find something important that's relevant running the tool,
you can go at the precise script and really narrow down
where the stuff is based on that open research that he has done.
So he's doing invaluable work, definitely, in a sense that we

(53:19):
cannot quantify it, that's how much work he's doing with that.
Um, also, not only has he been adding new stuff, there's an, uh,
some developer there.
She still needs to do some work on her script, but she put out
some script on some research lately.
I don't know.
You know who that is, Heather? I don't.

Speaker 2 (53:35):
What are you talking about?

Speaker 1 (53:37):
Yeah, yeah, the last commit that I approved the other
day.
Who was it?
Oh yeah, it was you?
What did you do?
Tell us what you do.

Speaker 2 (53:46):
Well, I found a database in a case that is
called Calculator, and then it has a little hashtag at the end
of it.
The application does and it stores data about videos that
are in the calculator app.
It's like it's just a calculator application, one of
the many variations of it, and I wrote a script, but it's not

(54:09):
Lava compliant yet.
I have to fix it.

Speaker 1 (54:12):
I know, I know.

Speaker 2 (54:14):
That parses data from the database called FolderLock
Advanced and it relates the information in the SQLite
database to the videos that are stored and it links the videos
in.

Speaker 1 (54:28):
And that's what's fantastic.
By the way, I love how you said it's calculator and the hashtag.
I'm like, come on.

Speaker 2 (54:34):
You're old enough, I'm sure you think phone sign
yeah you're old enough.

Speaker 1 (54:37):
Don't be playing like the TikTok person here.

Speaker 2 (54:40):
I want to seem younger than I actually am.
Don't give away my age.

Speaker 1 (54:45):
Apparently.
You definitely are trying to do that, but you're not getting
away with it, sorry.

Speaker 2 (54:48):
I am only 25.

Speaker 1 (54:51):
On each leg.
So look, there's a ton of those apps.
And that's the interesting thing about the type of tooling
that is community-driven, right?
I'm pretty sure, and correct me if I'm wrong, that this type of
artifact is not, for this app,
it's not recognized by commercial tools, right?

Speaker 2 (55:09):
No, it's not.
I mean commercial tools will show you the images and videos
there, which will then lead you to the database that has all of
the additional information about the videos.

Speaker 1 (55:19):
Yeah, but let's be honest here. Most examiners, they
will maybe mark the picture and not follow through on that, right.
Right, and the fact that we can create an artifact that
actually puts a lot together for you, that's better.
Right?
It really helps with drilling down to the information
immediately, as opposed to, well, what happened with this picture
and then try to figure that out.

(55:39):
If you figure it out like you did and you share with the
community through the LEAPPs, then that's an added value to
everybody else when they run it.
There's many of those.
There's one that I constantly get folks either thanking us or
asking about it and it's one of those kind of decryption apps
and the LEAPPs support it and they pull out.

(56:01):
You know, the evidence, and the commercial tools don't support
it yet.
So there's always value in running your commercial tools
and also there's value in running open source or community
driven tools, even if they're not open source.
At the end of the day, if there's something relevant, then
you can drill down on it and after your process is done, you
do your due diligence and then you check for anything that the

(56:23):
tools, no matter what type of tool, has missed.
That's the most important part.
So commercial tools will get you stuff, open source tool will
get you stuff, and then you have to go and make sure that
nothing was missing by all those tools, because sometimes it's
missed by every tool, that's just how it is. Definitely. So the
only tool that's going to get it is you, because you are

(56:45):
definitely.

Speaker 2 (56:45):
I recently.
I recently had something that had changed.
So the database, uh, had updated, the application had updated,
the commercial tools didn't get it and neither did the LEAPPs,
but it's fixed now. Yeah, as long as you're the tool and not a tool,
then you're doing good. Um, I got my dad jokes, right, yeah,
yeah, that's good.

(57:06):
Is there anything else new with the LEAPPs this week or these
last three weeks?

Speaker 1 (57:12):
Johan is doing a lot of stuff behind the scenes and I
try to pull out, pull.
I don't know why I cannot get it, but, but the pull requests
are open for the LEAPPs and I don't know, I'm getting like a
404 page or something, I don't know, but it don't matter.
The thing is that again, I want to always give props to the
folks that are working behind the scenes, all the developers

(57:33):
for the LEAPPs.
Johan has been such a right hand.
He just about a couple of days ago made the latest iLEAPP
release that has a lot of cool new features in it and fixing
some bugs.
He does an amazing job.
And he's working also on the media portion of Lava, which is
the last piece for us to kind of release a workable product to

(57:54):
the community.
But it's a hard, big piece of code because you have to do
changes in the LEAPP code and also have correspondent changes
on the Lava code.
And him and all the other folks way, way smarter, bigger brain
than me.

Speaker 2 (58:12):
Way bigger than me.

Speaker 1 (58:14):
So I accept their assistance and I'm learning
through them and they're making the community better.
So thanks to Johan, thanks to James also that do that type of
work, and then also, last but not least, Kevin Derek and all
the other folks that are working on the, the public facing side
of branding, website, newslettering, communications

(58:36):
and, and all the stuff that makes people aware of the tool, that's
so important.
If, if, if a tree falls in the forest and there's nobody to
hear it, doesn't make a sound, Heather, right? Well, I want to
make sure that the LEAPP tree makes a lot of sound and people
are aware and they can contribute and the community can
grow and we can do good things together.
So, and look, and, and Kevin says, I promise to be back to

(59:02):
making some parsers soon.
Thank you, Kevin.
I have been really lacking on that.
I have so many speaking engagements lately that I've
been lacking on making parsers or at least updating the ones to
Lava compliance.
So I also for this year, I promise publicly that I'll be
going back to writing some more code after I'm done with my two

(59:24):
trips for, uh, to Europe that I'm doing for some speaking
engagements. I'll make that promise too.

Speaker 2 (59:28):
But as soon as the white paper for our class for
IACIS is done, then I'm good. Oh, then that's gonna be on 2026.
No, no, no, it's almost there.
It's almost there.
We're going through corrections now, all right.

Speaker 1 (59:41):
We're going through corrections now.
All right?

Speaker 2 (59:42):
No, that's awesome, that's awesome.

Speaker 1 (59:43):
Yeah, all right.
So, uh, that's always what we have to finish the show.

Speaker 2 (59:47):
Meme of the week.
All right, since we did the mental health portion, I have
this meme of the week.
Oh, this meme of the week.
Oh, I did the whole screen, that's all right.

Speaker 1 (59:58):
There we go.

Speaker 2 (59:59):
All right, so go ahead, you explain it.

Speaker 1 (01:00:02):
So it says lots of new cases coming in and panic.
Right, we have a little head there that's panicking.
Then management says to focus only on priority cases.
Oof, then I'm calm.
But then they say management says all cases are priority
cases.
Management says all cases are priority cases, and then they
panic again and it's a graphical I I kind of said it beforehand,

(01:00:23):
not not remembering what the meme of the week was, but it's a
graphical way of saying look, um, if you're a manager, right,
just because, uh, like, just just flogging the horse won't
make it go faster, like the horse can only go at a top speed,
right.
If you slug it anymore, it's actually going to go slower,
right?
So let's make sure that, as managers, we prioritize properly,

(01:00:48):
and prioritization doesn't mean make everything a priority.
When you make everything a priority, nothing is a priority,
okay.
So we need to understand that if we have 10 balls in the air
and that's how much we can handle, you throw an 11 in.
One of those is going to fall off.
That's just a fact.
The question is, which one are we going to consciously drop?

(01:01:11):
And if you cannot drop them, then what's the solution?
Then you need more ball jugglers, right?
You?
hands definitely like like, at some point you can't have your
cake.
You need to make some decisions, and, uh, we want to advocate
um, for the examiners, and and that management is make sure to

(01:01:31):
give us our resources that we need, and and only as much work
as we can handle.
That goes back to the topic, right, that our mental health is
not impacted in the process, because if our mental health is
impacted in that process, then all balls are going to be on the
floor and nothing's going to be done.
So let's keep that.
I think that's a good takeaway from the meme of the week.

Speaker 2 (01:01:52):
Definitely, and that's all I've got.

Speaker 1 (01:01:56):
That's awesome.
Well, Heather, thank you for being the driving force of the
episode.
Like every other episode, I'll keep us organized.

Speaker 2 (01:02:06):
Oh you go.

Speaker 1 (01:02:08):
Look, folks, I talk a lot, but this show is actually
Heather's show.
Oh stop, it's not, it is so.
Thank you for your work, as always.
Anything last words for the good of the order, Heather.

Speaker 2 (01:02:19):
No, thank you so much for everybody who tuned in.

Speaker 1 (01:02:23):
All right, folks.
Thank you again.
Hopefully we'll be back in two weeks or three.
We're going to lose a little bit with the schedule there.
See what's going on.
Yeah, we're responsible, but thank you, it's been so much fun,
folks, and take care and see you next time.
Bye, thank you, we'll see you next time.