Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:16):
Welcome to the Digital Fore of the year 2025.
The first podcast of the year, brand new, spanking year.
Let's hope it turns out better than 2024.
My name is Alexis Brignoni, aka Briggs, and I'm accompanied by
(00:42):
my co-host, the holiday enjoyer, the tool popularizer, the eternal white paper composer, the one and only, the indescribable, unbeatable, fantastically amazing Heather Charpentier.
The music is hired up by Shane Ivers and can be found at
(01:06):
shaneivers.com.
Heather, oh, she didn't fade out.
Hello.
Pray for the abrupt ending to the music.
Speaker 2 (01:17):
You're good at the abrupt endings there, yeah.
Speaker 1 (01:19):
Yeah, well, you know there's jokes to be had, but we're not going to make them.
So what's going on?
It's a brand new year.
Speaker 2 (01:27):
Happy New Year.
Where's your?
You need your firework.
How do you?
Speaker 1 (01:32):
activate those.
I'm on the Mac computer, I'm on the Mac, I'm on the Windows computer.
Speaker 2 (01:37):
Oh jeez, so you don't have to have the Mac computer.
No fireworks today.
Speaker 1 (01:41):
Since I moved into this little cupboard under the stairs, Harry Potter-like office, I don't have my Mac in here.
Speaker 2 (01:49):
Oh geez.
Speaker 1 (01:51):
So tell me, happy New Year.
What's going on, what's happening.
Look, since that joke, I haven't seen you since last year.
Speaker 2 (02:02):
Oh, ha ha ha, nothing.
I had a wonderful holiday.
Christmas I sat in the recliner and did nothing.
It was great.
And then New Year's Eve, I did the exact same thing and was fast asleep by 8:30.
Speaker 1 (02:17):
It was fantastic, I bet all the folks are coming in and listening.
They're definitely and have to go out.
They're jealous and envious of your holiday enjoyment, which is resting in your nice comfortable recliner.
Oh my goodness.
Speaker 2 (02:34):
It was great.
It was great.
Speaker 1 (02:36):
I don't doubt it.
Speaker 2 (02:38):
How was yours?
A little more activity than mine.
Speaker 1 (02:43):
Yeah, yeah, you know you had small kids.
For Christmas we went to my mom's and my dad's house, the whole family, the kids were happy to see grandma and grandpa and see uncle and all the other folks over there.
That was nice.
Then for the New Year's we're dancing with the wife.
That's always fun.
I saw the year pass while we were there and then, you know, I
(03:09):
mean, the party continued, but at noon.
You know, it's kind of really way late for me.
So we head back and I always get amazed how the streets are full of.
You know the smoke from the fireworks as you're driving.
That's how many fireworks are set off here in.
Speaker 2 (03:24):
Florida in Orlando.
Speaker 1 (03:26):
The roads.
It's like a fog, but it's not a real fog, it's firework fog, if that makes sense.
Speaker 2 (03:32):
There were no fireworks here.
If there were, I didn't see them.
I was fast asleep.
Speaker 1 (03:37):
Yeah, I don't think the squirrels set off fireworks there in the woods of upstate New York.
Speaker 2 (03:42):
You never know, they probably have their own little party.
Oh that could be.
Speaker 1 (03:46):
Could be.
I love the countryside so I'm not hating.
Nice.
Christian is, Peter is in the chat, so happy new year, my friend.
Speaker 2 (03:55):
Happy new year.
Speaker 1 (03:57):
Great, awesome toolmaker.
Speaker 2 (03:58):
Kevin and Ronan are in there too.
Happy new year.
Speaker 1 (04:02):
Always good to see you.
So yeah, so obviously, obviously the year just started, so there's not a lot of stuff that happened this year, right, but we have some of the things that happened on the end part of last year, of 2024, so end of 24, yeah, yeah, let's talk a little about those.
So, what do we have for?
Speaker 2 (04:20):
uh, for you know, to start with, so one thing that has been on LinkedIn and in the DFIR news lately is MSAB's RAMalyzer tool.
We've talked about RAM dumps on prior podcasts and the capabilities that MSAB has, and they're now putting out a blog
(04:42):
series about it.
So they have four entries, four blog posts about RAM and their RAMalyzer tool.
One is So you have a RAM dump, now what? What is RAMalyzer?
And it talks about what the RAMalyzer tool is and its capabilities, What's in a task, so tasks and processes that you
(05:03):
can find inside of a RAM dump.
And then, um, the last blog that they just put out was, uh, What was the web search?
So it kind of walks you through how to, um, look for web searches in the RAM dump. Yeah, and I like that one a lot, because now they're getting further in, like what's what?
Speaker 1 (05:22):
the tool is, right, um, as you see them in memory, kind of make an analogy to Windows.
But now where's web searches?
Now you're looking for user-generated stuff and that's what I think a lot of the value in this RAM analyzing within Androids is where it's at, and folks are not really aware that that's a capability and I'm hoping that this becomes a thing.
(05:44):
I know MSAB is working on really giving that capability, but I would hope both open source folks and other tool vendors also try to get in the space, because if you're able to access RAM from an Android device, we're talking about possible gigs of evidence that you might want as well.
So it's good stuff.
Speaker 2 (06:03):
Yeah, the Samsung that I dumped in the past had 12 gigabytes of RAM, so 12 gigabytes of data to go through, and we previously showed kind of a walkthrough on the tool, the RAMalyzer, in a really early episode of the podcast.
But just throwing up on the screen here again, it's a command line tool that handles the memory dumps that XRY is
(06:25):
able to extract and then just some of the available commands and flags that go along with that RAMalyzer tool.
I keep wanting to call it RAM analyzer tool, but it's RAMalyzer. Oh yeah, that's right. So yeah, um, and also I was.
I was reading one of their most recent blogs.
(06:46):
There's a link to their customer forum.
They actually have a customer forum specifically set up for, um, for the RAM, RAM dumps and RAMalyzer.
So if you're a customer of XRY, you can log in and join that discussion forum. Yeah, no, absolutely, it's.
Speaker 1 (07:04):
It's just, I was just, I just, I'm an idiot, I'm just thinking because, you know, they had this, this SNL skit about Jeopardy, and they had, uh, uh, like an actor doing, uh, the guy that used to use James, James Bond, uh, Connery was his first name, I don't know, well, it's the first James, James Bond, and he would, you know, in Jeopardy, you have to read the column
(07:29):
right and then you ask for the dollar for the questions.
And the question is, you know, and he would always, you know, like you know, he would say therapist, and it's the therapist.
Speaker 2 (07:41):
Oh, jeez, you know what I mean.
Speaker 1 (07:42):
Oh my gosh, so it's a joke like that.
And then the guy that used to play James Bond, again this is an actor making that.
He would laugh at Trebek.
Trebek is Colin Farrell.
You know, that guy is hilarious and they would go back and forth.
He's making fun of Trebek in that sense.
So you know, I just thought RAM analyzer, RAM analyzer.
I can see this being an SNL skit there.
Speaker 2 (08:05):
At least I know why you're laughing at me.
Now I'm looking over, like why are you laughing at me?
Speaker 1 (08:10):
I'm a nut.
Anyways, all jokes aside, this is a good capability and we talked about in a previous episode how the memory in Windows, when you turn the computer off, the memory goes away.
It's volatile.
But in Android devices that memory somehow, I don't know the details, to be honest with you, but it kind of still gets some
(08:33):
energy from the battery, I guess, and it persists through reboots, to the phone being off, to all those type of stuff, so you might have data there that's persistent for a long time if you care to pull it out.
So that's pretty neat.
Speaker 2 (08:48):
Very cool.
What else do we have?
Let's see here.
Paraben just announced that they have their call for papers for the Paraben Forensic Innovation Conference for 2025.
If you have a tip that can help fellow investigators, they're looking for you to sign up and present at the conference.
(09:09):
The call for papers is open now and there is a summer session in August, August 20th and 21st, and a winter session in November, November 12th and 13th, and the call for papers closes April 30th.
Um, 2025.
Yeah.
Speaker 1 (09:27):
Yeah, and Amber, uh, you know now she has these, these events, uh, you know, at different sessions throughout the year.
So that's pretty neat and definitely go on and, and put in, put in for a couple of papers and, uh, be part of the community.
That's one way of doing it.
That's one way of doing it. If you have a good topic or things that you're interested about, put in for these type of events.
You're helping others by sharing your content, but you
(09:49):
also help yourself in regards of building a brand for yourself and putting your name out there as the person that's active in the field.
So it can only help you and help others.
Speaker 2 (10:01):
So highly encouraged.
So anybody who's familiar with Cellebrite products has heard of Tip Tuesday.
The most recent Tip Tuesday that was put out, it was by Josh Hickman, and he walks through how to access the trace window in Physical Analyzer.
(10:21):
If you're using Physical Analyzer and don't know about the trace window, you have to go watch this Tip Tuesday.
It, um, it is how you troubleshoot, how you look for errors, um, in the trace window.
If something doesn't parse correctly or if something doesn't decrypt correctly, you'll see that all in the trace window.
It's actually how I realized that there was something wrong
(10:43):
with keystore in one of my cases, because the Samsung Rubin data failed to decrypt and there was an indicator of that right in the trace window.
It may not be that the data you're looking for is not there.
It could just be there was an error and that's how you trace that error and find it.
Speaker 1 (11:03):
I don't.
Every time I use PA I have my trace window open.
That's just like.
And if I open the program and if the trace window is not open, I open it every single time.
I'm a big believer of seeing errors up front and even in the toolings that we make, ILEAP and ALEAP and RLEAP and all the LEAPs, we try to make sure that any possible errors or the login
(11:25):
flies in front of you as it's going and actually eats up most of the screen, because we make the assumption that, like you said, well, it's just not there.
No, it's there, but the tool might not be able to digest it for whatever reason.
It could be as simple as a SQLite database, that the query changed, that's it.
(11:45):
So you can go get it, pull the database out and you can make the query.
It might take you a few extra minutes, but now you have something versus nothing.
And obviously the idea is that you can tell that to the community, tell that to the vendors, so it could get supported as quickly as possible.
But the trace window logs, those are important.
It takes some time to at least glance through them.
(12:06):
I'm sorry, unparsed data methodology is how
(12:30):
do you make sure that the tool is not missing something, and if it's missing it, how do you go about getting that data?
Access to that data.
Speaker 2 (12:37):
Yeah, definitely.
I love these little Tip Tuesdays.
They're short, it's only like a couple of minutes long and it just gives you the tips for PA, maybe things you didn't know, different things in the settings, different, what different artifacts mean.
So if you have a chance, go over to their YouTube channel and check out the Tip Tuesdays, especially if you're short on
(12:57):
time, you can watch a couple of those in a matter of minutes.
Speaker 1 (13:01):
Oh, absolutely.
And this, this, this one for the first window was Josh Hickman, so I always, I mean, I recognize his voice, you know.
Speaker 2 (13:08):
So you have to go watch Josh.
Who doesn't?
Speaker 1 (13:10):
want to go listen to Josh in the Tip Tuesday? Everybody does. No, no, no, uh, no hate to Heather Barnhart, that also does some of those, but oh, exactly, yeah, I, I always, I was happy to hear Josh explain things.
Speaker 2 (13:23):
So, um, another thing, we actually were going to talk about this like a podcast or two ago and we ran short of time, but the DF Pulse 2024 Digital Forensic Practitioner Survey was released.
But this paper reports on the largest survey of digital
(13:44):
forensic practitioners, conducted from March to May in 2024, and resulted in 122 responses.
It collected information about practitioners' operating environments, the technology they encounter, investigative
(14:04):
techniques, challenges they face, academic research, among other things.
Some of the highlights in that survey include the need for greater collaboration between practitioners and academics.
I think we've talked about this on quite a few podcasts.
Couldn't agree more.
There is a need for collaboration between practitioners and academics.
Would be great if academics were teaching what we need to be
(14:25):
taught for future employees.
Speaker 1 (14:28):
Yeah, and I mean there's been some.
So one of the big problems is that an academic does some research and the research has to go to this peer review process.
It needs to be published and when it's published, those publications might not be freely accessible to everybody, right?
So you're looking for some particular piece of information.
It might be in this publication and you have to pay an
(14:51):
extraordinary amount of money or be part of a university studio or something, okay.
So there's been kind of meet us in halfway points, like the DFIR Review peer review organization website, where the idea is to have some peer review.
(15:11):
That's fast, right, and you send your blog article or your research over to the DFIR peer review site and then reviewers go at it and it's fairly quickly published.
But the collaboration, I think, is important in order to make those wait times less and to make the information more easily
(15:33):
accessible to the community, and you know when it's behind this college or university walls.
And again, we don't want to.
We don't want to minimize the importance of proper peer review and the time it takes to make it right.
So we're all for that.
But if we can collaborate more, that will be faster.
So I'm happy that there's some hard numbers on sentiment and
(15:56):
how that it should be done.
The question is, how do we go about it?
Speaker 2 (16:01):
Right, definitely.
They also reviewed open source efforts and work, highlighting the benefits of open source, um, commercial tool collaboration with tool vendors in academia too.
Speaker 1 (16:13):
um, I love seeing the tool vendors working with academia, um, having that knowledge already of the tools, I mean it's, I mean it's hard, right, yeah, because the profit motive, right, if I come up with something or the university comes up with something, then you know we lose any competitive advantage to doing it that way and it all depends, right.
(16:34):
Let's say all is fair in love and war, right?
You got company A that develops that access method and company B doesn't have it.
But they know researchers or the community has something like that.
Then they develop with the community, make it open source, and then not only do they catch up to company A, but they kind
(16:56):
of kneecap their market benefit in a sense, because they paired it and made it fully available to the community.
So you see that, um, competition is good, um, so, but you can see both ways, just kind of collaborating and also undercutting each other in order to get some parity.
But, uh, as an observer of the market, that is a good thing.
Speaker 2 (17:18):
So let's hope more of that happens. So Brass says the DFIR Review has one academic and one practitioner for the peer review.
Speaker 1 (17:27):
That's great.
There we go.
That's exactly what I was talking about.
Obviously, Brad is involved with that effort and he gives us the deals behind it.
I had, I think, three or four, if I'm not mistaken, and not only myself, also with other collaborators like Kevin Pagano and some other folks.
We collaborated on some of those articles and it's really good when you have to testify at a court and you can say, yeah, I've been peer reviewed, right, and I've done some research and
(17:51):
here it is, right.
It always gives some more credibility, which is what you're trying to establish through that process.
So do submit your research, your articles, and also be part of the effort, right, be a practitioner that also peer reviews.
That's a good thing.
Speaker 2 (18:06):
Definitely, we have a nice little comment in here.
Loads of love and appreciation from Ghana.
I've learned a lot from this podcast.
Wishing you all the best in 2025.
Speaker 1 (18:15):
Wishing you the best too, thank you, thank you, that's awesome.
Speaker 2 (18:18):
It's a little ways away.
Yeah yeah, yeah, no.
Speaker 1 (18:22):
I appreciate that Addie is in the chat.
I don't know what time it is over there but it's late.
But we appreciate it.
Lots of love.
Speaker 2 (18:32):
With that survey.
Also, it's worth noting that ALEAP and ILEAP got mentioned.
Speaker 1 (18:38):
That's awesome, yes, as a really well-documented project, which is kind of funny.
It is well-documented, you have the source code, but the documentation is not where I want it to be yet, so we're still working on it.
I will say, because I'm vain like that, that we also got mentioned.
Oh, yes.
(19:00):
Over here.
We both got mentioned because, when the survey came out, the issue with surveys is getting people to participate.
So the podcast or social media and all that, we pushed out word for folks to participate.
So the organizers were really grateful and again, you know, part of being a member of the community is to also collaborate
(19:21):
with the other folks' efforts, so we try to do that as much as we can.
So we appreciate their mention.
There, also lots of love for the researchers for the DF Pulse 2024, which, I'm going to say something.
So after this came out, which is good, my thoughts were there's so many things we can ask practitioners about, right, so I
(19:43):
made a comment in LinkedIn about I want to know, for example, if you're a practitioner, how many portable cases do you give out in a year?
Is that the only thing you do?
And if you do more, what is it?
How many of your cases require an in-depth report, versus just a portable case that you give to the investigators and then you
(20:05):
forget about?
Like?
I really would like to know what's the different processes that, that happen, what?
What's the?
Are you using AI for?
What are you using for?
Do you have any protocols like?
There's a whole bunch of questions of how do we do our work that I think would be worthwhile for the community to start kind of collating those statistics.
That's something that Brett says a lot and if you don't know who
(20:26):
Brett Shavers is, you need to know quick.
You know, long-time practitioner, well-known in the community, and he has a series of blog posts explaining how the digital forensics sciences, in particular digital forensics, you know the DF part of DFIR, we lack a standardized model of certification, of practitioner validation or licensing of some
(20:51):
sort.
We lack that, right, which means that a lot of labs, a lot of practitioners do whatever they do based on whatever their training was, but the training is not standardized, which means there's many different ways of doing whatever thing that you're doing.
So I think it's worthwhile to start collating those statistics to get a feel of what are the best practices and what are the
(21:12):
habits and customs of examiners across the broader field.
So I was happy when I did that post that a few folks from SWGDE also chimed in and said, hey, maybe we can get together in 2025 and kind of create a problem, because I can make a lot of questions, now making them properly formatted for a poll.
I got no idea.
(21:32):
I know nothing about statistics, only that I suck at them, right.
Speaker 2 (21:38):
I was just going to ask you, did you put this up as a poll?
I must have missed this post.
Speaker 1 (21:42):
Oh, no, no, no.
I put a whole bunch of questions or things that I wanted to know, and then other folks chime in with some other questions and then folks came in and said let's get together and maybe put some of those in a big pile, and obviously the folks that know how to do a poll will make them better.
So, so yeah, and I guess the point, long story short, is, uh,
(22:02):
when you see a, like this, statistics like this, inform yourself and then think what else should we know to make the thing better?
And just having the information for having it does us no good.
How can I then put it to use?
How can I reach out to a practitioner in this case, right, if you are a practitioner and, for example, in my area, it's a
(22:25):
to-do for me.
I have a UCF, University of Central Florida, a really grown-up degree for digital forensics.
They have masters and everything.
I know a few of the professors, but I should know more.
I should actually reach out to them and talk about what things we're seeing and what are they teaching, right, and that's on me.
(22:46):
I should go out to them and reach out to them.
Right?
If I want more collaboration, what am I doing about it?
Just saying that I want it, it's not going to solve anything.
So what am I?
After reading this, I came to the conclusion that I'm going to reach out to the folks that I know and then see how can I interact more with the folks from the university and other.
I mean, that's the only program that I know locally.
There might be more, but again, that's on me.
(23:07):
I should know these things and actually put that into practice.
So hopefully that makes sense.
Speaker 2 (23:13):
Before you know it, they're going to have you over there as an adjunct.
Speaker 1 (23:16):
Oh my God, teaching some classes.
You know what, I like teaching, so who knows?
Speaker 2 (23:20):
Yeah, I did it at the college over here.
I did it at University at Albany for a little while.
I'm not right now, but I taught mobile forensics over there, so it was good.
Speaker 1 (23:31):
Oh yeah, I don't think I have the time right now because my kids are small, but maybe after I retire.
There you go.
Brett is making a really big distinction, an important distinction that I didn't make, so it's good for you.
Can you read it?
Speaker 2 (23:41):
Yes, we have, yes, we have plenty of structured processes and procedures for every granular level of DFIR work.
What we don't have is enforcement of standards, education and training.
Speaker 1 (23:53):
Yeah, and I appreciate Brett saying that, because I was getting to that, but I did not express it in that way and some folks might have come with the wrong conclusion from my words.
So, yeah, I mean, it's not like we're doing forensics, like whatever.
I'm making this up in a fly on the seat of my pants, of course not. Like when you go image something, there's a process to image something.
When you go parse something, there's a process for that.
Sure, that is true.
Speaker 2 (24:14):
You have operating procedures?
Speaker 1 (24:16):
Oh, absolutely yeah.
So I made it sound horribly random.
That's not the case.
No, like what Brett's saying.
The enforcement of the standards.
Education, what do you need to structure, a way of teaching it and getting certified or trained on it?
Something I criticize a lot is vendors telling you, well, my certification program will take you from zero to hero, from know
(24:38):
nothing to expert, in a seven-day boot camp if you pay me $10,000.
Wait, hold on.
Yeah, you will know how to use the tool, and that's a good thing.
You want to know how to use the tool.
You're going to be, if possible, certified in all the ins and outs of the tool, but that does not make you an expert, and much less in a boot camp, in seven days or five days, right, right.
So thanks for Brett for making the important distinction that I
(25:02):
didn't make.
Speaker 2 (25:06):
So what else do we have?
I am going to bring up an update to Magnet Axiom, but there has now been another update since this one because we didn't have the podcast last week.
But I want to go back to the update for Magnet Axiom Cyber 8.7, even though 8.8 is
(25:32):
out. Um, they have acquire iCloud backups from ADP enabled accounts and more, and it's actually the "and more" that was really exciting for me in this post.
So in their new update they have, um, part of the blog is about setting a date range in their tool, the time filters that are commonly used to focus on the relevant data.
But the important part for me was that you can now filter your
(25:54):
data and have the option to include artifacts without timestamps in your cases.
So for me at my job, I get date range search warrants quite often and when you take a tool and you narrow it down to just the date range that you're looking for, as set forth by the
(26:15):
warrant, it doesn't usually include anything that doesn't have a timestamp.
So just because an artifact doesn't have a timestamp doesn't mean that it necessarily didn't happen during that timeframe.
A little more work needs to be done on those artifacts that are there that don't have timestamps, to figure out what the timestamps actually are.
So the fact that Axiom is actually including that in there,
(26:38):
or giving you the option to include it in your date range filter, I just love that.
I'm actually going to put a picture up.
Speaker 1 (26:45):
Yeah, and I agree, and I mean I agree that that functionality needs to be there, but I have thoughts.
But let's look at the image and then I'll have the thoughts after that.
Speaker 2 (26:56):
So just kind of a little, I stole it from their blog, a little picture of their time frame filter and the date time options.
It's not stolen.
Speaker 1 (27:06):
It's on loan, okay, oh, it's stolen.
Speaker 2 (27:08):
I like to.
I steal things, it's okay, okay, her, her, right.
Speaker 1 (27:12):
I don't steal anything, right?
I loan, okay, and I give it back.
Speaker 2 (27:17):
The date time options are still there, the normal way you set your date range, set your time range, but now there's a little checkbox that includes hits without dates and timestamps.
Speaker 1 (27:27):
A simple checkbox, pretty neat.
But here's my thoughts, right?
So, as a general rule, I don't like those type of restraints because we're losing data that might be within the constraint timeframe.
And let me give you an example.
So let's say, okay, I only want the timestamps for files
(27:47):
created within this two times, time rate, this range, right, these two timestamps.
Well, let's say that your piece of evidence is a computer.
That computer had a database that was recovered from a backup.
Okay, so the database lands on the computer today, the modified time is from today, later in the afternoon, but your search
(28:10):
warrant range is set to include only items that happened last week.
Well, that would be out of play, is it?
Remember, this comes from a backup and you cannot tell that by looking at the creation date, if it was going to copy it over or whatever.
Right, you have to look at the insides of the database and figure out that the entries of that database each have their own timestamp on when they happened, and they may have
(28:32):
happened, most of them, the week before, which is within the time scope frame or the timeframe or the scope.
So what does that mean?
Right, at some point I think we need to educate our courts and our prosecutors and our defense attorneys that we do understand why we want to limit some time frames for privacy considerations, especially in civil procedures as well as
(28:54):
criminal.
I get it, but there has to be consideration that data might not be constrained by the timestamps of the container that might be in, because data doesn't just fast enough.
The evidence is just, it's not just a one file on the file system, it could be a whole bunch of stuff inside a container, like a database, right?
(29:15):
And?
And, uh, Jess is saying, and let's read that real quick, um, check out the SWGDE documentation on minimization.
Speaker 2 (29:25):
Great, gives great examples to educate on this.
I don't think I've even looked at that one, so I'm glad you just pointed it out, Jessica, because I have to go find it now.
Speaker 1 (29:33):
Yep, absolutely, and I had a conversation.
I don't remember the examiner's name right now, but he reached out to me and got a peer review, a document that he was making to provide to his local courthouse to explain to the judges, hey, this is why we believe that these constraints are fine.
Of course you do what you want, you're the judge, but hey, look at what we're missing, things that, like you said, Heather,
(29:56):
things that don't have a timestamp.
Are we just going to ignore them?
Because sometimes, things that don't have a timestamp, we can put them within the context of that timeframe when we do our full analysis.
Right, and we can talk a little bit about data that's deleted.
For example, data that's deleted, that's maybe carved out, doesn't have a timestamp because it's a file that has no
(30:16):
metadata.
But the content of the file might give me an indication.
A stupid example is you have a picture of you holding a newspaper.
Right, it's deleted, you recovered it, but if you look at the picture, the newspaper is there with the time, right.
Is that what?
Speaker 2 (30:31):
it says? Yeah, well, there's another good example with pictures.
If an image is embedded inside of, like, a cache file, some of the tools pull that embedded image out with no timestamp.
But if you go back to that cache file, the timestamp is right there in the cache file.
You just have to make the connection.
Speaker 1 (30:48):
Yep.
So how do we teach our stakeholders to, to, when they make an order, right, to accommodate for that nuance?
Um, because then we might be missing stuff.
And you know, if you're missing stuff, that's an example, right, that, that your client, and it's something that's not good for the client, you're okay with missing it, I guess, right.
But what if it's something that's good for the client?
Speaker 2 (31:10):
You know what I mean with that, though, right?
No, definitely not.
Speaker 1 (31:13):
So the best policy is to try to give the examiner the flexibility to be able to look at some of these things within context and like in containers.
Now that Jess made mention of the SWGDE documentation example, which has documentation on minimization, I haven't seen it either, Heather, so I'm going to also go out and reach out for it and check it out.
Speaker 2 (31:34):
You know what?
For everybody else, we'll link it in the show notes.
If you want to check that out, we'll put it in the show notes at the end.
Speaker 1 (31:41):
Yeah, we're seeing more and more of that and, again, I don't disagree with why it's done. So the big reason I heard it, like I said, is they're going to minimize some of that data for privacy reasons or because somebody doesn't have the authority to look at something that happened before or after something. So I get it, but, yeah, there has to be some... My three main things for the year are examiner probity,
(32:06):
attention to detail and due diligence. Right, and probity means that at some point we will be tasked with some of this stuff and we will have to make the differentiation of, hey, you're not allowed to look at some dates, and in your process, if they come about, you have to not look at them. Like, the tool will not be able to blind you to everything at all times, right. So your probity, your moral standing, making sure that you
(32:28):
do the job the right way when nobody's looking, that's something that I think we need to push more and more as part of our due diligence and making sure we pay that attention to detail.
Speaker 2 (32:41):
Yeah, all right. Well, Android, some Android news, Android and the blue. Are you good, yeah?
Speaker 1 (32:48):
I want some quick comments. Oh yeah, go for it. Yeah, so Bruno is an awesome examiner from Argentina, a good friend, and also collaborated with us. He said that some of the JPEGs have internal metadata with creation times. Right, yeah, if that metadata is contained within the picture,
(33:09):
right, and absolutely correct. Sometimes, if you got a... you're carving a file and the carving is a partial file, right, you don't get the whole thing because the sectors... the files spread throughout sectors. So what a tool does is it starts at the header or the magic number and goes an arbitrary amount of bytes, maybe a megabyte to megabytes, whatever it is. And sometimes it goes within that space.
(33:29):
Half of it is garbage. Something else, right? Then you might not get that. But again, as examiners we have to make sure that we also do that part, and just saying don't look at it because it doesn't have a timestamp, that's a problem. We have to look at it. We have to, like, run and see if there's some, some EXIF...
Speaker 2 (33:51):
Still, there's some in those JPEGs. You know, can we carve some metadata out of it, right? So, uh, that's part of our job. So, yeah, definitely. Jessica says she sent the link to the paper for us, so it'll definitely be in the show notes after I read it, of course. Uh, yep, I have...
Speaker 1 (34:01):
I have the link right here.
Speaker 2 (34:03):
Oh, okay, all right. So Android. We've talked about the Bluetooth trackers before and how there's the warning on Androids and Apple devices about tracker alerts. If an unknown Bluetooth tracker is nearby, the phone will alert
(34:23):
you, but they now have, instead of just warning you, where you can actually locate the tracker. I have a little picture to throw up here.
Speaker 1 (34:35):
Yeah, trackers are good, but also bad, yeah. So I'm happy they're coming up with this type of countermeasures when somebody's trying to spy on you or follow you around with this technology.
Speaker 2 (34:45):
Definitely so. Google has added a temporarily pause location feature. It allows users to enable, when they first receive the unknown tracker notification, and what that'll do is block your phone from updating its location with trackers for 24 hours. They also added the feature Find Nearby. It will help the user pinpoint where the tracker is if they
(35:09):
can't easily hear it or see it. It'll connect your phone to the tracker over Bluetooth and display a shape that fills in the closer you get to the tracker.
Speaker 1 (35:20):
Like hot and cold.
Speaker 2 (35:22):
Yeah, so I have the picture up on the screen, but if you're listening, it is... It's like a circle and you play the sound, and as you walk closer it starts to fill in the circle, and when the circle's filled you found your Bluetooth tracker. I have not tested this. I would like to test it. Except I had an Apple AirTag from one of the very earliest podcasts that I used to test things and I accidentally threw
(35:43):
it in the garbage.
Speaker 1 (35:46):
But track it.
Speaker 2 (35:47):
No, it's gone gone.
Speaker 1 (35:48):
It's in the dump.
Speaker 2 (35:50):
I think it's gone, gone, yeah, I can't even track it anymore. I cleaned my car and that's where it was, and now it's gone. So I have to get a new one.
Speaker 1 (35:59):
Yeah, the trash compactor in the garbage truck has crushed it, I mean crunched it into smithereens.
Speaker 2 (36:05):
It's gone, so I'll have to get a new one and test this out.
Speaker 1 (36:08):
Yeah, absolutely. Looking forward to it.
Speaker 2 (36:13):
Well, there's a nice little article on it from Engadget that I'll put in the show notes as well.
Speaker 1 (36:16):
Yeah, I mean some of the solutions to some of this. Again, technology is like a knife: you can butter your bread with it or you can stab somebody with it, right, and the protection, it's knowledge, right. If you are a user of tags, a responsible user, that's a good thing. But let's say you're a person that's vulnerable for whatever reason, right, and you might believe that somebody might try
(36:36):
to track you for whatever reason. They need to be aware of what the countermeasures are, and this is one way of doing that. Right, definitely. I think we could do a class on technology that has, like that, dual use and countermeasure. That sounds like a good presentation, I think.
Speaker 2 (36:52):
Yeah.
Speaker 1 (36:53):
I don't know, I just thought about it.
Speaker 2 (36:55):
One of those call for papers, right.
Speaker 1 (36:57):
Yeah, like technology. You know, Dr Jekyll and Mr Hyde of technology.
Speaker 2 (37:03):
There we go. So another thing that has happened recently on the groups, uh, I forget what group it was, if it was one of the Google groups or the IACIS listserv, but it doesn't matter. Um, was a whole bunch of chatter about iOS 18.2, about their stolen device protection. Um, they're in the post.
(37:23):
Long story short about the post. Somebody was trying to connect their device to one of the forensic tools and when they connected the device for extraction, this was an unlocked device. Uh, the trust verification came up on the phone. They hit trust and normally what comes up? Your passcode screen. And they had the passcode and you'd put the passcode in and
(37:43):
move on with your extraction. Except that's not what came up. A Face ID screen came up. So hit Face ID and it doesn't find it. Try again. Usually then your passcode will come up as, like, a default backup, but it doesn't anymore with this new stolen device protection that is on by default in 18.2.
(38:05):
So I have some screenshots here of it. I had to, after reading this post, go check it out with my iPhone. So I updated my iPhone to 18.2, navigated to the privacy and security and went and found that the stolen device protection is there and it's on by default, and also by default it goes to...
(38:30):
There's what's called a security delay and it requires a security delay if the phone is away from familiar locations. That's by default, or the user can change it to always require the security delay. So what is the security delay? It's for actions like changing your Apple account password or
(38:53):
changing numerous different things in settings. If you go to reset all settings or do anything in settings, that security delay comes up if you're away from a familiar location. Another thing I found I couldn't do without the one hour security delay is turn the stolen device protection off on my phone. I tried to turn it off.
(39:14):
It's my phone, I have the passcode. I needed to wait the hour security delay because I was away from a familiar location, which I was at work. So I'm not quite sure how they don't consider that a familiar location, because I'm there more than home.
Speaker 1 (39:27):
But that's besides the point. I think the phone detects some hostility there from your point. I don't know, we kid, we kid, we love our workplaces. Okay, that's a we-hate-work joke. Okay, but it's not reality, just saying.
Speaker 2 (39:41):
So my assumption was, though, that, like, the familiar locations is based on the significant locations or, and or, saved locations in the device. It didn't recognize my work as a familiar location, and I'm not 100 percent sure why, but if you're seizing devices and you have consent for the device and this stolen device protection is on, it would probably be a good thing, while you're at the
(40:03):
person's home, to turn the stolen device protection off before you leave that familiar location, because when you get back to your lab or your office, you're going to need the person's face, or the face, yes, to be able to turn that stolen device protection off. So here's kind of what the security delay looks like.
(40:26):
It comes up as "security delay is required to change stolen device protection," and then it starts its one hour timer. During the one hour timer you can use the phone as normal. Uh, you just can't do any of those setting options that you want to do. Um, I moved on a little further and decided to try out some of the forensic tools and see what the deal is with this trust and
(40:49):
then the Face ID and not being able to trust the computer. So, just like the user in the group said, the trust computer comes up, then the Face ID, the Face ID option comes up and it says their stolen device protection is turned on. So when that's turned on I need the face. It didn't recognize my face because I didn't give it my face,
(41:11):
and it just defaulted to turning that right off and the trust did not happen between the workstation and my phone. I found with some of the forensic tools that they can bypass it. It just goes on some of them, and some of them, you just have to keep moving further in the process and
(41:32):
eventually it will get past this. So I mean, test out your forensic tools on a test phone, see which tools you have in your lab that do support just bypassing this and which tools don't, because you'll definitely have to keep in mind to turn that stolen device protection off if you don't have the appropriate tools to be able to
(41:53):
bypass this.
Speaker 1 (41:55):
Yeah, yeah, yeah. Talk to your tool vendors, and yeah. And there's some solutions out there. A question that makes a point here, and I think I saw the same thing in the IACIS list there: what, what is he... What was his experience, Heather?
Speaker 2 (42:07):
I was able to pair my device at home without biometrics. At work, it wasn't working.
Speaker 1 (42:13):
Yeah, and I think, if I remember correctly, one investigator was at the office, couldn't get in, and they had to drive all the way back to the suspect's house. You read that one, I think. Mm-hmm. And then they were able to get in. But then on your testing, that didn't happen. On your testing, you do require the biometrics, right?
Speaker 2 (42:30):
I didn't drive to... I thought it would know that work is a familiar place for me. You were still at work. Yeah, I didn't drive to a familiar place and actually test that out, so I'm unsure if it would have worked with my phone.
Speaker 1 (42:41):
I'm sure it would have if I'd gone home, but yeah. Well, I mean, imagine if a national agency like the one I work for, you know, you're doing a lead and seizing a phone in California but you're sending it over to New York, right? Oh, I did not take this out. You have to fly all the way back, right? So let's, we have to be aware of this capability, and some
(43:06):
folks were really, really mad about it, examiners, and I get why. Right, it makes the job harder. It reminds me of the, you know, Hitchhiker's Guide to the Galaxy, right: in the beginning the universe was created, and it has made a lot of people very angry and has been widely regarded as a bad move. I know folks might think of that, of this capability, as a bad move, but we got to think of where this comes from. Right, and I've seen this firsthand here in the States,
(43:29):
but also overseas. Stolen iPhones or mobile devices are big business, right? Folks go on motorcycles and they see somebody with a cell phone. They snatch it or, at gunpoint, they go and take their phones out, and what they do is they wipe them and they resell them. So imagine if this device protection is enabled and they cannot get in to wipe it.
(43:50):
The phone has no use. You cannot sell a phone that you cannot actually make calls with because it's locked or whatever it is. So that hopefully limits, and again it's a multi, I would say billion dollar market, stolen devices, specifically iPhones. I've seen in some countries where they go and say, okay, the solution is, if somebody steals a device, you
(44:11):
report it and nationally we're going to blacklist your IMEI. And for folks that don't know, an IMEI is a unique identifier for that hardware device, so you blocklist it from the network so that nobody can communicate. Well, you know what they do. Well, they take those phones and they ship it to a third country where there's no blacklisting, and they have one that's different from theirs and they sell it somewhere else.
(44:33):
And now it becomes a transnational crime organization dealing with these stolen devices. So I see a lot of value in companies like Apple making the device unusable when they're not in the location they should be, or the users have the biometrics that are required. So I see the value in that. But again, thankfully our hair was on fire for a few days, but
(44:59):
there's some solutions already in the market to help you with that. And again, if you're in the location, again, I know this only anecdotally, I haven't done it myself yet, but, like Christian was saying, if you're at the location, then you might be able to get in without the biometrics at the location. So something for us to know about and consider.
Speaker 2 (45:16):
Right, yeah, I definitely freaked out when I read the post. I'm like, ah, here we go. We're... for a while, and I thought, you know, it was going to be a really bad thing. But it seems like it's not as bad as we all thought, and on some of the tools, like, seriously, it's going to look like it won't work; just keep going in their workflow. And it does.
Speaker 1 (45:35):
So, yeah, I don't... let me make a point. I mean, for our audience that's an unknown, but I still want to say it for folks that might come in and not, or not be in our field. Whenever we talk about coming and going to devices to extract data, we're talking about lawful access. Okay, we don't just take phones because I'm curious to see what's in it. No, we, yeah, we have to have a court order, a proof from the
(45:57):
judge that we can do these things, and then we execute those lawfully based on the tools that we have at our disposal. But there is no such thing as any law enforcement agent doing something without a court order, and if it is, that person goes, as rightfully they should, to jail.
Speaker 2 (46:12):
It's a good way to get fired quickly. Or, you're right, or go to jail.
Speaker 1 (46:15):
Oh, yeah, I mean the firing goes without saying. Yeah, the being in prison and jail, that's, yeah. That really underscores how important it is for folks in authority to preserve the constitutional rights of citizens and to their privacy and security of their places, belongings and all those things. So it's good stuff.
Speaker 2 (46:37):
Definitely so. Oh, we have a computer topic. You're going to go with this one. Yes, Be Kind, Rewind the USN Journal, a video put out by 13Cubed.
Speaker 1 (46:49):
Absolutely. All yours, absolutely. So real quick comment, because I know there's some lag between what we're talking about. But Brett says don't become worse than the criminal you are after, and that's so true, like I made the point, but I'm going to say it again, it's part of my probity for the 2025, that concept: if you believe somebody is guilty, I don't care.
(47:13):
You shouldn't care, right? You don't operate based on beliefs. You operate based on principles, on values, and you value truth, right, and truth, it's independent of the belief. Hopefully, you have beliefs because they're true. Sometimes you don't. Sometimes you have beliefs because you want to believe them. Right, some might call it faith or whatever it is, and that's fine. But you do that outside of work.
(47:35):
You do that on your own time. When you have probity, when you work, you operate based on values, on truth, and truth requires evidence, and evidence that's properly acquired, because when you don't acquire properly, it's not truth anymore. We can consider it lies as a fruit of a poisonous tree, right, and we cannot consume that. Right.
(47:56):
We made it a lie. We are operating as the criminal now. Right. So again, probity in all we do is so important. And again, if you have a strong belief that somebody is guilty, that means that you need to step back even more to make sure that you get help, and I don't mean mental help, I mean help in making sure that we're applying the values and have your work
(48:17):
double and triple checked, because our beliefs don't matter, period. We will have biases, but they don't matter. What matters is important work guided by principles, with that main principle being truth. So that's a big thing for me this year. Okay, now Be Kind, Rewind the USN Journal. So I've been a long time supporter of 13Cubed.
Speaker 2 (48:42):
Oh, you wore the shirt.
Speaker 1 (48:44):
And it's funny because it was totally by accident. I didn't put it on because I was going to talk about this topic. I just wore it for work today. And when I say supporter, again, I'm not talking about our workplace. Again, that's what we say every show. All we talk about here is our personal opinions. They don't have nothing to do with our workplaces. Our opinions are our own and do not represent our employers.
(49:04):
So I have this shirt because I'm a big supporter, personally, of 13Cubed. 13Cubed is an educational organization that's led by Richard Davis, and he's the nicest guy you ever meet, and he's one of the best explainers, teachers, professors of this
(49:24):
craft, and he knows a lot about everything, but specifically in Windows forensics. He recently came out with some certifications that 13Cubed provides that were really great. Now, that being said, he also does tool reviews. One time he reviewed one of the Leapps a long time ago, and I've been a supporter since day one from his podcast, so I'm proud
(49:45):
to say that. Now he made a video where he was reviewing a tool made by CyberCX, and CyberCX, if I'm not mistaken, is a cyber intrusion technology DFIR company in Australia, and the tool... and this is a pretty quick story, so I saw the video, I'm
(50:06):
subscribed to his Patreon so I get the videos first before everybody else, and I love the video, and as I'm listening to it I said, wow, this type of work, I kid you not. I said this is something that Yogesh might have fun doing. I literally thought that, and again I forgot what company he worked for. Well, like almost at the end of the video, Richard says, yeah,
(50:29):
you know, CyberCX and coded by Yogesh Khatri. Like, ah, I knew it. I knew it. When you know somebody well enough that you've seen their code and what interests them, I kid you not, I knew it was him without knowing it was him. Oh my goodness. Yeah. So Yogesh is a great friend.
(50:49):
You know, he's really busy with a lot of work now in Australia, but when he used to be in the United States, he is an equal co, from my perspective, an equal co-founder, developer of the LEAPP tools. I started with the Leapps and when he came in, I learned, my mentor. I learned so much from him. He made the code base so much better and the work that we're
(51:09):
doing now is built upon his contributions as well. So I love Yogesh. He's awesome. So I need to say that now. So what does the tool do? So what the tool does is, first of all, you're going to be aware of what the USN Journal is, and it was a timely video because I was working with, I had a call from the embassy in Panama with some folks in the Southern Hemisphere that needed
(51:33):
help with a case, with a file that was deleted, and they want to figure out, and it was, I kid you not again, I saw the video and then the call came in or the email came in like two days later. They were trying to figure out... They know what the file name was that was deleted, but they wanted to figure out where that file was because it was deleted. So where was it in the computer, right? Can it be recovered?
(51:54):
If not recovered, what they really wanted is some of the timestamps of what things happened. So it was really useful because from my previous training I knew that the USN Journal, what that does, is part of that metadata of the file system, and the USN Journal keeps track of all the activities or events that take place within the
(52:15):
computer. If you create a file, there's a USN Journal entry for that file. When you move it, when you delete it, there's an entry there for that, and the entry will have that file name and it will have the MFT entry and the MFT sequence number. The MFT is the master file table that keeps tracking in the NTFS file systems of the file paths, the metadata of each file and
(52:39):
directory that's created within the file system. Because for a computer, a file or a directory is just another entry in the MFT table, okay, and that's... Then it goes out to the, to the drive, to get the data. If it's, if it's resident, that data might be within the MFT
(53:00):
table. Now, this is... This is not an MFT class, but I'm explaining this because it's the cool part. So what happens? Let's say the file got deleted and you know what the file name is. So you go to the file, you go to the USN Journal and you can find that file. You say, oh look, this file was deleted on such and such date.
(53:21):
Where is it? Well, the way you do that is you go and you look at the USN Journal, you look at the MFT entry and you go back to the MFT table to figure out where that file was. But remember, it's deleted. And one thing that, the way MFT works is entries are reused, and reused first. Okay, so if you have, let's say your MFT table has 10 entries
(53:42):
and it will create new entries. But let's say entry number one is deleted, instead of creating an entry 11, no, the file system will take one and reuse it, and when it reuses it, it will change that sequence number. So one, the entry one, is now going to be another sequence number that increments, you know, one by one.
(54:02):
Okay. So now it reuses it. And let's say you delete that file again, there's no entry number 11, right, it goes back to one and then reuses it and the sequence number jumps a number up. Does that make sense? So let's say you go to this entry, I delete the file, I go to the MFT entry and I see it, and I see that the sequence number compared to the one in the USN Journal is three numbers
(54:24):
ahead. That means that that file, that record in the MFT table, was reused how many times? Three times. So that doesn't work, right. Whatever path I have in there is not going to match what I have on the USN Journal. So I don't know where that file was sitting in the file system. Now this is the magic of what Yogesh did, right. What it does is the tooling will take the MFT table, right,
(54:49):
and you have to process it a little bit, you have to create a CSV of it. And then it takes the USN Journal. Also, you have to process it a little bit and create a CSV of it. The video that Richard from 13Cubed had explains how to do that as well and what tools to use. So you have those two CSVs and you ingest it into the tool, and the tool goes and says, okay, here is the entry for that
(55:10):
record and here's the sequence numbers. Remember, sequence numbers grow incrementally, so it goes back and it starts counting down and getting all the different files and directories (remember, directories are files too, or treated as files) from the USN Journal and it rewinds them. Okay, so the output of the tool is a nice CSV, like a spreadsheet type of thing, and now you have that file that was
(55:33):
deleted with the proper path, because it goes back looking for the sequence numbers to find the proper pathing for that file, right. Does that make sense? My explanation, it does. Now my explanation is really conceptual. Richard goes into the video and shows it. He literally goes and says, OK, let me show you by hand. You made the connection between the USN Journal and the MFT
(55:55):
entry. Look at it when it's reused. Look at the sequence number being incremented. Now look at the tool, how it goes and rewinds all those sequence numbers to recreate that path and provides you that. I gave that to the authorities of a third country that I'm not gonna disclose and they hadn't heard about it. They had no idea that they could do that, so they were extremely excited.
(56:15):
I haven't heard back, and that happens a lot. Right, it reminds me... I mean, I grew up in the church, so you know, Jesus would heal the lepers, ten of them, and they will go out and only one will come back and say thank you. That's the story of the Bible. So, so it's kind of like that, right, you help people out and some never come back and let you know what happens. So I hope they let me know what happens because I think they're
(56:37):
going to, they're going to be successful, they're going to be able to do this USN Journal rewind, recreate the path. They have already some timestamps from the investigation. They will be able to reinforce that with timestamps within the USN Journal and possibly within the MFT table for other things that happen around the event they're investigating, and they were really excited about the information. And again, if you want to check that out, check 13Cubed's latest
(57:02):
video on the USN Journal, and I agree with Malik. He's saying that this is a clean way to get deleted file location, and in some instances I think it might be the only way, and that might be... Again, I cannot disclose the case, but it was super important for the case for them to get that path and this is the way to
(57:25):
do it. So I love this video. We don't talk about Windows enough.
Speaker 2 (57:29):
No.
Speaker 1 (57:32):
I think we did plenty today. My co-worker will be very happy.
Speaker 2 (57:36):
I have a co-worker and he loves working on computers in the lab, like, that's his thing, and mobile's my thing. I'm not, I'm not big into the doing the computers. I'll do computers and I have the capability, but he's, like, you guys never talk about computers. So, so this is for you, Kevin, if you're listening.
Speaker 1 (57:51):
There you go, Kevin. 90% of our stuff is still phones because that's what the work brings in. But we love computers, we love our Windows, and again, the fact that I know some of this stuff off the top of my head, I owe it... I mean, I take a lot of courses within my organization. They're great. But what really drove it home was taking the BCFE with IACIS,
(58:13):
for me at least. And if folks are trying to become examiners, you are not going to go wrong with the BCFE. And, by the way, the BCFE doesn't give you any commissions, but we teach for them and we get paid zero dollars for teaching. It's all mom's work. So we're not saying this because there's any benefit or nothing, right. We don't put things out to get any personal benefit out of it. We put it out because we think it's useful. And the BCFE really drilled down on me all these details about the USN Journal and how files are
(58:36):
created, how they're spread out on the disk, the resident or non-resident. All that good stuff came from a good training, and IACIS is a good way of doing that. So from my experience it's really good. Highly recommend it.
Speaker 2 (58:49):
I have to do that training still. I still have not done that.
Speaker 1 (58:52):
Well, I think you should.
Speaker 2 (58:54):
But then I can't come teach the class with you and it's all on you.
Speaker 1 (58:58):
I think you should do it whenever I'm not teaching anymore. Then you can do it, because then it won't be my problem. All right, I'll wait till then. I'll wait till then. Malik is asking, is it possible to make a GUI from the journal to support the flow for the examiner? Yeah, of course.
Speaker 2 (59:14):
Yeah, there is.
Speaker 1 (59:15):
So the way Richard does it, he uses some of Eric Zimmerman's tools to ingest the CSVs, to be able to look at them and search through them, Timeline viewer. Don't correct me if I'm wrong, but whatever Eric Zimmerman's timeline viewer application is called, he uses that, he uses
(59:36):
other tools. So there's some kind of GUI already for that in a sense. But yeah, if folks are up to it and kind of automate, because the tool that Richard showed is all command line and then creates a CSV, so if somebody wants to create, like, a front end for that, I think it would be a good thing. So absolutely go, go, go check that out.
(59:57):
CyberCX and for that tool, and it's the, the to rewind the USN Journal, so go look that up, 13cubed.com.
Speaker 2 (01:00:07):
Nice. So a LinkedIn post from Daniel A... avia, I want to say Avia, how do you want to pronounce it?
Speaker 1 (01:00:16):
So it could be, so, so that Daniel, or Daniel, he's from, from, from Brazil, so it could be Avila, or it could be Avija, at least in Spanish. I'm not sure, but I'm gonna say Avila, I'm gonna go with... okay, all right.
Speaker 2 (01:00:28):
Well, he had a LinkedIn post about downgrading APKs on Android 15 that he posted, I think, just a couple of days ago. So he was talking about forensic research that was done in their lab on performing the technique of downgrading APKs on
(01:00:48):
Android 15 for forensics and data acquisition purposes. He mentioned that the method is allowing the collection of sensitive data from applications such as databases and cryptographic keys, expanding our investigative possibilities. He said the APK downgrade may become the only viable
(01:01:09):
alternative for success in gathering critical information in your investigative cases. So the APK downgrade? I don't do that. Do you do the APK downgrades?
Speaker 1 (01:01:22):
So last time I heard about my own policies was that we're not allowed to do APK downgrades.
Speaker 2 (01:01:30):
It could come in very handy if you can't get data from a specific application because something has changed in the application, or even, I don't know, just more advanced techniques. It can be downgraded to be able to pull data from different applications that you may not have access to any other way. But you just have to make sure you have the authority to be
(01:01:55):
able to do that.
Speaker 1 (01:01:56):
Oh, lawful authority.
Always, we teach that the firstthing that comes is lawful
authority.
I don't care if you knowcomputers or not, you need to do
lawful authority and put yourhands on it.
Now let me be clear here.
Yeah, we're not allowed to doit, but there's always at least
within my organization there's aprocedure where you can ask for
permission to do certain things.
Right, let's say, you have atool that you need that's not
(01:02:18):
part of the approved tool list.
There's a process you follow tobe able to use it and put some
safeguards.
So don't get me wrong we can doanything we want, right, if we
have the proper authority, wefollow the proper channels and
the proper validations andtesting and verifications and
the like.
Right now, that being said, um,why do I think?
(01:02:39):
Uh, first of all, before I saythat, um, downgrade apk is not
nothing new downgrade,downgrading an apk is old.
What that does is, like he,heather was saying you have a
version of that app that youcannot get the data out of it
because it's a recent app.
You put an older app in andthen that data is now shown
(01:02:59):
through the older app, which youdo have access or a way to
download that data, and whatAvila has done is being able to
do that in Android 15, which isa great capability, but the
concept is not new.
The application on Android 15,it is new.
Now, what are the drawbacks ofwhy we don't do that as a matter
of course?
Well, because there's a reasonwhy there's a new app.
(01:03:20):
Something has changed, right.
The reason we have to... the word downgrade means going back a level, literally down.
You're going down a level.
So when you're going down a level, it means that you're having less, and you might be missing stuff.
Maybe the new app has six tables in the database and the downgraded version might have only four, those two extra ones
(01:03:43):
being added with the new APK or program for that application.
APK is just the program, okay, in Android. What if the data you need is in those two tables, right, and you went for it and you didn't get it?
You have no way of going back.
It's not reversible.
When something goes away, you cannot... Well, I'm going to upgrade, you know.
(01:04:03):
Upgrade the app.
Well, yeah, you're going to upgrade it, but you're going to miss that data.
So you've got to be judicious, right, and do your due diligence.
If you're dealing with a ticking time bomb scenario, then get your proper authorizations and do that downgrade APK ASAP, right, and I'm pretty sure the folks in authority will allow you to do that, okay.
Again, it's all about proper legal and organizational
(01:04:25):
authority to be able to get things accomplished.
But, as a matter of course, maybe you're better off waiting a few weeks, or maybe a few months, for your tool vendor to support it, or for somebody, or yourself even, to come up with a process to be able to get that APK data out from that program that you couldn't do before.
You have to make those decisions in conjunction with
(01:04:46):
your higher-ups.
When is a downgrade APK needed? When is it not needed, right?
If you know that what you're getting, for example, if it's particular conversations and you know that hasn't changed from one version to the next, then go ahead.
Go ahead and do that, right.
So, again, it's all about you making sure that you make an informed decision or not.
(01:05:07):
Let me step back.
Make sure you inform the people that make the decision, give them the right information so they can make the right decision on how you're going to proceed.
Speaker 2 (01:05:16):
I think too, if given the time and the test device... the test devices. Test it on your own test device first, see what the difference is between the two different applications, see if you're going to lose a bunch of data.
Speaker 1 (01:05:30):
I like that, I like that, I like that, and that's actually... you hit the nail on the head.
That's the way.
The Mandalorian, this is the way.
Do I need a downgrade APK?
Well, let's try it out. Do I or do I?
What do I miss?
What do I not?
So this is the way.
Speaker 2 (01:05:47):
So I was driving into work this morning and on, like, a regular station that I listen to music on, they were talking about Apple Photos and new settings.
I have no idea why it was even on this random, random radio station, but it was talking about a blog and the name of it
(01:06:10):
is Apple Photos... Okay, hold on, I've got to say it slow, I'm going to get it wrong.
Apple Photos phones home on iOS 18 and macOS 15.
And what they're talking about is, uh, this guy's blog.
He's from Lapcat Software and he's talking about how, enabled by default on iOS 18 and macOS 15, is something called Enhanced
(01:06:35):
Visual Search.
So as soon as I heard this, I went out to the website to see what the hell they were talking about on the radio station on the way in, and read the blog.
But I have a couple of pictures here to share.
Speaker 1 (01:06:47):
If we put the pictures.
Speaker 2 (01:06:49):
Yeah.
Speaker 1 (01:06:49):
I named this Apple phones for photos, phones home on iOS 18 phones and iOS 18 devices, 15 devices, to make... You need to make more phones in that.
Speaker 2 (01:07:01):
In that sense, yeah, just, just to help me say it a little more horribly.
Um, so on his blog he has a screenshot, and he had actually turned it off on his phone.
So the button is off in my screenshot.
But under Photos, under Apps and Photos, is an Enhanced Visual Search, and apparently this setting is new to Photos
(01:07:22):
and macOS.
It's enabled by default and it allows you to search for photos using landmarks or points of interest.
Um, your device privately matches places in your photos to a global index Apple maintains on their servers.
Um, you know, there's been features like this in the past, um, with Apple devices, but apparently it's now on by
(01:07:43):
default.
And kind of the point of his blog was that he felt it should be up to the individual user to decide their own tolerance for the risk of privacy violations with this.
He also said by enabling the feature without asking, Apple's disrespecting users and their preferences.
(01:08:03):
And his final sentence is, I never wanted my iPhone to phone home to Apple. So, new feature to know about.
Speaker 1 (01:08:13):
My phone is not ET.
Speaker 2 (01:08:14):
Yeah, right.
Speaker 1 (01:08:17):
So, no phone home.
Anybody that's not a Gen X will possibly not get this.
You're really into 80s movies, but yeah, it's not ET.
Look, I hate opt-outs.
But this is not even a proper opt-out, because at least when you tell people to opt out of this, you have to tell them what you're going to opt out of and then you can click it off.
(01:08:37):
I don't like... I don't want to have to click it off, right, but they didn't even do that.
They just opted you in without you opting in, and I don't agree, I don't agree. I, I, I, in that sense, personally, my personal opinion, I agree that if you're going to add something that's going to receive information from me, especially, specifically, information in regards to locations, right,
(01:09:03):
because the picture has a landmark and that landmark now leads to a location, because the Eiffel Tower is not going to be in Orlando, right, I'm sorry. So, if I took a picture there and I'm not sharing anything, but I'm sharing to Apple that, that Eiffel Tower, I was there at that time, okay. Um, look, I love the convenience.
I thought a lot of folks love it too, but they need to do that knowingly, and that's something that, uh, I hope in the future,
(01:09:25):
yeah, legislators get on and say, look, you want to add some features, basically, that involve sensitive information, like locations?
People have to opt in.
You've got to put it in and people have to willfully add that in.
That's an opinion again, personal opinion.
I don't speak for anybody else but myself, but that's the state of the market right now.
Speaker 2 (01:09:46):
Well, if they think it's this great feature too, like, advertise it, right? I mean, if it is this great feature, people will opt in.
Speaker 1 (01:09:54):
Oh yeah, look, and, and, and the, the author of the blog post, you know, kind of, uh, uh, burned, uh, burned, uh, Apple. Apple had this big billboard in Vegas saying whatever happens in an iPhone stays in an iPhone. Yes, yes. What happens in Vegas stays in Vegas, and the guy's like, that's bullcrap.
Yeah, yeah, it's not staying on my phone, it's actually going to the mothership and then getting
(01:10:15):
identified there, you know.
So, uh, so he, you know, he was giving me a hard time in that sense, and you know, conceptually he's not, he's not wrong, yeah.
Speaker 2 (01:10:33):
Part of it does talk about too, like, the, um, the security that they have built into that whole process too, with, like, um, encryption and privacy that hides your IP address when, when you do perform these, I guess I don't even know what I'm trying to say here, but like, uh, like the search from the servers, um, but then he goes on to talk about how he just doesn't trust that too.
Speaker 1 (01:10:47):
So I mean there's, there's, uh, there's a history, and I'm not talking about Apple specifically, but in general.
Um, for example, there was a company that was saying, oh, the videos from your, your doorbell camera, your security systems, are safe with us.
And then the folks that worked there, they were spying on, on the users, right?
Weren't they supposed to be safe? So, and again, uninformed
(01:11:10):
consumers... it should be the norm and not the exception.
Yeah, definitely, and providers need to inform us.
So again, a personal opinion.
Speaker 2 (01:11:20):
So what's new with the LEAPPs?
Speaker 1 (01:11:24):
Well, new that I can inform is that our good, good friend, Matt Cervezas, and I say Cervezas because in Spanish, cervezas, I mean, in English cervezas means beers.
So Matt Beers, a good friend of ours, also teaches with us at IACIS.
He made a cool and really nice little artifact for MeetMe
(01:11:45):
chats.
So if you have an application that uses MeetMe chats for communications, your proprietary tools will be blind to it.
But the LEAPP, thanks to Matt, now has that capability, and again, it's work for the community, from the community.
So we're really grateful to Matt for adding that in.
Johan Polacek, as always, love him to pieces, he's the best.
(01:12:09):
He's doing, you know, behind the scenes, enhancements for the tooling in regards to media management, for the new LAVA output that we're working on, and, uh, he's awesome.
I, I, I can't thank him enough, um, I hope, I hope life gives me an opportunity to repay him, and, and hopefully, um, monetarily, but if not, in some, if not in some way. Um, same with all the
(01:12:32):
collaborators, like, like Kevin and like John and like, um, James and everybody else, and yourself is included as well if, if you're able to get your scripts to work. Yeah, I'm working on it.
I don't know what's going on with this one, I can't figure it out. Yeah, I, I don't know. Change computers.
I think that computer is cursed.
Speaker 2 (01:12:52):
I'm going to try it.
It's cursed.
I'm going to try it.
Speaker 1 (01:12:56):
New year, new operating system.
Just nuke it from orbit, reinstall it, and you're good to go.
Speaker 2 (01:13:01):
All right, I'll work on it tomorrow.
I'm going to make it work.
Well, that brings us to everybody's favorite part of the show, the meme of the week.
Let me see if I can get it shared here and I can explain it.
So we have a turtle that is just looking completely chill
(01:13:24):
and it reads, when you get to work and everyone is out on holiday. Finally, inner peace.
I love this one.
My office has been a ghost town these two weeks and it has been beautiful.
I've gotten more work done in these two weeks than I've gotten done in the last two months.
Speaker 1 (01:13:45):
Examiners. That's the best week for examiners, because you're able to catch up without people asking you 20 questions that were already answered in the report that they did not want to read, right?
So this is a good time of year, and I was reading another examiner, I forgot her name, but she was saying on LinkedIn that if
(01:14:05):
an examiner goes on holiday in the holidays, right, they have to work really hard before they leave, right?
So that way they can kind of try to catch up with all that work, and then they can put it in the stakeholders' lap, and then they can leave, right.
Speaker 2 (01:14:17):
Yeah, there you go.
Speaker 1 (01:14:18):
Your stuff is there.
Have fun.
I'll be back in a week or whatever it is.
But some of us that do come into work on some of these days, I think we all can relate to: the office is quiet, not even a mouse stirring, and you can get so much work done.
I think it's my favorite two weeks of the year.
Hey, you know what's the song?
(01:14:39):
It's our most favorite time of the year, for the holidays, right, yeah?
Speaker 2 (01:14:43):
Not because of the jingle bells.
Speaker 1 (01:14:44):
To go to work.
Yeah, we need a life, we need a life, oh, big time.
Speaker 2 (01:14:49):
I'm here telling you how I went to bed at 8:30 on New Year's Eve.
Now I want to go to work during the holidays.
I do.
I need a hobby, a different one.
Speaker 1 (01:14:57):
Yeah, our hobbies can't be doing forensics.
Speaker 2 (01:15:00):
No.
Speaker 1 (01:15:04):
Well, folks, we got to the end of the show, the first show of the year.
I appreciate everybody here, everybody in the chat. Um, like, it's saying, get more work done on a day off in the office than a day on in the office. Yeah, like, I like to play on words with on and off. So true. Um, so yeah, no, so we're gonna be here, hopefully in, in two weeks, um, yes, you know, time and, and news permitting, and that's all
(01:15:29):
I got.
Anything else you have for the good of the order, Heather?
Speaker 2 (01:15:32):
That's all I have.
Happy New Year.
Speaker 1 (01:15:34):
Happy New Year to everybody.
Don't do anything we wouldn't do, and if you're going to do it, make sure to invite me.
Yeah, me too. All right everybody, have a good night and we'll see you soon.
Speaker 2 (01:15:45):
Bye, thank you, bye, thank you.