Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:20):
Welcome to the
Digital Forensics Now podcast.
Today is Thursday, June 26, 2025.
My name is Alexis Brignoni, aka Briggs, and I'm accompanied by my
co-host, the Data Queen, the Master Instructor and the better
half of the Digital Forensics podcast, the one and only
(00:41):
Heather Charpentier.
Of the Utah Friendship Podcast, the one and only Heather
Chapman.
Here, the music is hired up by Shane Ivers and can be found at
silvermansound.com.
Yeah, what's up, Heather?
Speaker 2 (00:57):
Oh, nothing, nothing.
It's been a long time since we had a podcast.
Speaker 1 (01:01):
Yeah, yeah, you've
been slacking.
I don't know what's going on with you. Me, it's my fault.
Speaker 2 (01:11):
It's my fault, my
fault.
Oh, it's both of us.
Speaker 1 (01:12):
We've had a lot of
stuff going on, so uh, yeah it's
been a few, few weeks, it might have even been a month, yeah, I
think.
Yeah, like a month.
I was gonna say three weeks from Techno, but I don't I don't
even remember.
Speaker 2 (01:18):
It feels like it was
ages ago. We didn't end up doing
a podcast from Techno, though we were going to, but I don't even
know what happened.
Speaker 1 (01:25):
I guess we were.
We were partying at the was busy at the vendor.
Speaker 2 (01:29):
Oh sorry, we're
working hard. Yes, working hard,
exactly, don't say party. No, we did have the vendor parties were
pretty good.
Speaker 1 (01:36):
We hit them all
because, of course, free food
and and you know, and chit-chatting, so it's all good
stuff, definitely, yeah. Um, well, I mean, speaking of Techno.
Speaker 2 (01:46):
Let's show some
pictures from Techno.
It was a great time.
I had such a good time there. Oh, absolutely, yeah.
Speaker 1 (01:53):
Kevin said he had too
many churros.
See now, now that he said that, you know what, I'm gonna get the
churro picture, but start talking about that while I get
the churro picture, okay.
Speaker 2 (02:02):
So while we were at
Techno, um, a, Alex and I actually
did a couple of presentations.
We did a presentation about the LEAPPs, what they do, how people
can use them, and then we did some hands-on labs.
Kevin Pagano was also in the room and very helpful for the
LEAPPs presentation.
(02:24):
Oh, he was the third instructor there, yes, 100 30 instructors,
so it was fantastic to have to happen. He just needed to get up
and come up front with us, and it would have been perfect. Yeah,
no, no kidding, but uh, so yeah, so we did.
We had a packed room for the LEAPPs hand hands-on lab, um, and
then the very first night, Cellebrite had an 80s party, so
(02:47):
we got to dress up in our 80s outfits here.
Speaker 1 (02:51):
Getting jiggy with it
80s style so yeah.
So there's me in my lovely 80s outfit and then Alex in his
lovely 80s attire. Well, it's not really 80s, it's just zooming
in there so people can bask in the awesomeness of my polo shirt.
Oh, yeah, yeah, let me zoom right in.
Yeah, give me an extreme zoom, look at that, really manly
(03:12):
unicorns with ice cream and, uh, rainbows and um cup approved
donuts because oh yeah, oh yeah, and you have to notice the
watch matches, the donuts.
Oh, yeah, absolutely.
Speaker 2 (03:26):
But he even went a
step further and the shoes match
as well.
Speaker 1 (03:30):
Yeah, it doesn't go
with anything else, but whatever.
Speaker 2 (03:35):
So the first night
when we went out to dinner, you
know I'm a little angel.
Speaker 1 (03:41):
What can I tell you?
Speaker 2 (03:42):
Yeah, there was no
devil background, otherwise we
would have had you, we would have you in it.
Speaker 1 (03:46):
Okay, got it.
Next picture please.
Next picture please.
Speaker 2 (03:51):
We got to hang out
with some really cool people
from MSAB, Adam Firman, and you can see Bill Aycock in the back
there too.
He's not with MSAB, but he's hanging out.
Yeah, we're drinking our awesome coffees.
And then, of course, Jessica Hyde from Hexordia.
Speaker 1 (04:11):
We went and had
breakfast with we were obviously
the conversation that any normal person would be sitting
next to be like what are these guys talking about?
Speaker 2 (04:19):
They must be insane.
But yeah, I think somebody
commented on that picture, something like that. Yeah, there
was a lot of talk about SQLite databases going on at that table
or something, among many other ones, I mean, oh yeah, data stores.
Speaker 1 (04:32):
That was just.
We were scratching the surface with the SQLite one. Um, Anna.
Speaker 2 (04:38):
She teaches with us
at IACIS, so we got a picture
with Anna, yeah, she is she's awesome.
Speaker 1 (04:43):
She's a teacher for
Spyder Forensics as well. Yes,
and then we did.
Speaker 2 (04:48):
Let me zoom in on
this one. We did an AI talk, an AI
talk with Adam Firman, so we sat on sort of like just a panel
discussion about AI.
It was a class at 8:30 in the morning, right, I think 8 or
8:30, it might have, right at eight.
Speaker 1 (05:04):
And it was a packed
room.
Speaker 2 (05:05):
I was so shocked.
I thought we were not going to have anybody show up because you
know parties the night before.
But it was a packed room.
Speaker 1 (05:15):
And I think, I think
people expected me to take a
dump on AI and they want to hear that, and I did not disappoint,
of course.
Speaker 2 (05:22):
So you did not.
Yeah, so it.
So the talk was kind of about is AI useful or useless?
So we went back and forth about that.
Speaker 1 (05:32):
Yes, it was like
useful what.
Speaker 2 (05:38):
And it was useful
something.
And then useless abstraction, useless distraction, yeah,
useless distraction, yeah, useful, yeah, something like
that.
But it was pretty good.
Speaker 1 (05:43):
Adam is a great kind
of moderator, slash commentator,
so it was pretty good.
Yeah, something like that, but it was pretty good.
Speaker 2 (05:46):
Adam is a great kind
of moderator slash commentator.
So it was pretty good.
Oh yeah, definitely.
And then we have a picture of Alexis here at the houseboat.
So we stayed on the houseboat, which I was so excited about,
because last year when I went I saw everybody on the houseboats
but I was in an Airbnb up the road.
Speaker 1 (06:03):
So I got the
houseboat for this show and they
were like totally awesome.
Like you see, there's like a little pier that I'm standing on
and then you will walk in this pier and then the little
houseboat.
You can see a little ramp that you walk in and oh, they're
fancy, fantastic.
They had like a balcony in the back and it was great.
Speaker 2 (06:19):
Yeah, definitely.
Do you know what I just realized as we're flipping
through these pictures?
I don't have any pictures of us with Kevin.
Speaker 1 (06:26):
Oh well, that can be
easily solved.
Okay good, you just give me literally get to the next one.
Speaker 2 (06:31):
Oh well, I got you
right there.
Speaker 1 (06:34):
You're going to want
to talk about this one.
Oh wait, I have to say I was going to look for Kevin's
picture.
Oh, of course, look at that it.
Some Cellebrite folks.
I I forgot her name.
She's gonna kill.
Well, sorry, I forgot your name right now, but she works for
Cellebrite there in the back, yeah, and uh, yeah, she beat me at at
pool but it's okay.
Speaker 2 (06:49):
It's okay.
You don't have to look like.
You look a little bit like a pro, but I was in that look?
Speaker 1 (06:54):
I just look like it
that's it.
This is just for a show, but you didn't have to call me out.
You know, on the internet, you know you can't just like leave
it there, you know. I might know somebody named Alexis that calls
me out on the internet every podcast.
As an introduction, I look, I only I look, look I said nice
things, I said nice things about you.
Speaker 2 (07:14):
You know what next
episode get ready. Oh, Damien
says golf pro and pool pro. Oh, that is true, people.
Speaker 1 (07:20):
The golf one I
totally won, not.
Not, not that the difficulty was kid level, but whatever, I
have one with Kevin and me, so I'll show you that. I just flew
through these.
Speaker 2 (07:31):
Anyway, there we go.
So the next one, Alexis went and got a nice selfie with my
co-worker.
So you see everybody in that picture works for the state
police, the New York State Police.
Speaker 1 (07:42):
Yeah, I was like how
can you deal with Heather every
day?
And they're like we don't know, it's just we have to.
You know, I kid, I kid. Ah, here we go.
Speaker 2 (07:53):
Robert Pike.
If you don't know Robert Pike, he's from North Carolina, he's a
uh contract instructor for Cellebrite and he also teaches at
NCFI and he works for North Carolina.
Speaker 1 (08:08):
That's a one picture.
Well, I mean the serious people that we are, of course, the
picture really capture how serious we are about things.
Speaker 2 (08:17):
Yeah, definitely.
And then did I miss one again.
Speaker 1 (08:22):
No I did not.
And then we have you and I getting ready to teach our
hands-on lab outside with our sign. Yeah, it's a point of
humble pride to be in the technical science, so I'm happy
about that.
It's something that I wanted to do. Go ahead.
Speaker 2 (08:41):
You're sharing a
bunch of other pictures with me
in the background, aren't you?
Speaker 1 (08:44):
Yeah, yeah, because
the Churro picture and the Kevin
picture, I got them all.
Speaker 2 (08:48):
Alright, I'm going to
remove it for a minute and go
find them then.
Speaker 1 (08:52):
Ronan is in the chat.
Good to read you, man.
We had a great time with him and him changing the DJ.
Not the DJ, but the music that was playing at the bar the the
DJ me, not the DJ, but the, the music on that was playing at the
bar.
He was just oh yeah with with the, with the thing, oh, the
flipper.
See, yeah, so that was, that was fun.
And then they're like why isn't that changing?
(09:12):
Well, because it's a real person singing.
Now it's not, it's not, it's not the uh the thing anymore. All
right, I have our additional.
Speaker 2 (09:23):
Let me get those up
here.
Speaker 1 (09:25):
Yeah, look everybody.
I don't have that many topics today, but I want to see all the
pictures.
Speaker 2 (09:31):
I'm getting there.
I'm getting there.
All right, let's go back to us at our sign.
And then we have the churros, the little churro cart.
Speaker 1 (09:40):
They said they're
going to bring out the churro
cart.
So I'm thinking somebody's come with a car and give me a churro.
No, no, they had a cart that they actually put on the table
with churros in it, so well, that's a literal churro cart. It
was very cute little cart. Yeah, no, it had like the chocolate
dip and the caramel and the other one I didn't know what it
was, but uh, they were good.
The only bad thing about them is that they needed to have some
(10:00):
more.
There were too few.
Speaker 2 (10:05):
Ah, there we have a
picture, Kevin right out on the
deck of the houseboat.
Speaker 1 (10:10):
Oh yeah, it was great
to hang out there and the
weather the first couple of days was really good in regards to
it wasn't hot or nothing.
Right. Then at the end it got rainy, but it was pretty good
the first couple of days so we could hang out there.
Speaker 2 (10:23):
I don't even know
when this picture was taken.
I think this is the first time I've seen this one.
Speaker 1 (10:27):
Well, you're posing.
Speaker 2 (10:29):
Well, you just sent
it to me.
Speaker 1 (10:31):
Yeah, no, we were.
We were walking from the.
I think it was the Suburi party, right.
Speaker 2 (10:36):
I think the Suburi
party Yep.
Speaker 1 (10:37):
Yeah, and then we're
going we're going?
Speaker 2 (10:50):
going to whose back
this party party hop in the
whole week, so, yeah, so Techno was a great time.
If, uh, if anybody listening has never been there, I would
definitely, uh, definitely, go to Techno.
It's going to be back in Myrtle Beach next year instead of
Wilmington, North Carolina, so yeah, looking forward to that.
Speaker 1 (11:02):
We need to figure out
what are we gonna submit a?
Speaker 2 (11:05):
talk on.
So we can, definitely, definitely.
So let's get into our topics.
Um, so I brought this up before but I wanted to bring it up
again because um registration is open for the IACIS Reno event.
So I'm sure everybody knows about the IACIS event that
that's held in Orlando every year, but this will be the first
(11:26):
year that there's going to be an additional event and it's
being held in Reno, Nevada, in January, the week of January
11th.
So that whole week and it's all.
It's a lot of the specialized classes.
The BCFE will not be an option for the first Reno event, but
the specialized classes will be there and you can sign up to
(11:47):
come take the advanced mobile class with Alexis and I and the
other great instructors.
Speaker 1 (11:51):
Yeah, so not only can
you, I expect you to sign up.
Speaker 2 (11:57):
It's a good class, so
we see you all in the chat
there.
We're waiting for your names to pop into the registration.
No, come on over.
I mean we're going to pop into the registration.
Speaker 1 (12:04):
No, come on over.
I mean, we're going to, we're going to have a great time with
we, we, we deal with a lot of neat data structures and
artifacts and and things that you're not going to find
anywhere else, and, uh, we get to hang out in the afternoon.
Speaker 2 (12:15):
So, come, come, come
show, so we'll see. Yeah,
definitely, but you gotta sign up first, so let's do it. Yeah,
um, wanted to highlight a new podcast that's out.
So the new podcast is called Parsing the Truth: One Byte at a
Time, and the hosts of this podcast are former FBI senior
(12:37):
forensic examiners Becky Passmore and Stacy Eldridge, who
I got to meet, and I know you know both of them.
Speaker 1 (12:44):
Oh yeah, I know them
from before they retire or left
right, and I can personally vouch for them.
They're legit and the show's been fantastic.
I haven't been, I heard I'm kind of catching up to the
episodes, but then I saw one that I wanted to hear, so I
jumped on that one.
I'm halfway on the expert witness.
One, oh nice, wanted to hear, so I jumped on that one.
(13:08):
So now I'm I'm halfway on the expert witness.
One, um yeah.
And then I heard before that I heard the um how to get into
data forensics podcast, great, great hour of information,
especially if you're new and the uh, the one about the expert
witness.
They explained really well the difference between expert
witness, fact witness and some things to really consider when
you're doing the type of role.
And and both of them they have testified extensively throughout
their careers when they were in the bureau and obviously at
(13:30):
least Stacy is still involved in courts and court work, so she
obviously continues to testify and Becky is now an excellent
instructor in Arkansas.
I think, and they're fantastic and they're really they're great
personalities.
So please, I highly recommend you take the time and listen to
their or watch.
Speaker 2 (13:49):
I like watching
because they have also a video.
Speaker 1 (13:52):
So watch, or and or
listen to their podcast is going
to be a lot of benefit to to yourself, as you know, to kind
of grow in the understanding of your career.
So go, go, check it out.
And if you're new you definitely need to uh, get it
and listen to it.
(14:12):
I have them on my list for this weekend.
I have not watched an episode yet, but I have it ready to go.
Well, and they're mixing some of like like knowledge podcasts
with like case studies, for example they had.
The first one I listened was the BTK killer and and how, how
they got them based on a floppy disk and it's pretty.
Now they came out with another.
They're coming out with other episodes.
I love it.
I love that they're so consistent in throwing stuff out
or making great content.
They won like another case study about some criminal in a
(14:34):
bike.
Oh, so I really really like that's the next one that I want
to.
I'm going to listen.
I'm going to jump the ones that I have listened to yet to get
to that one.
Speaker 2 (14:44):
So it's a good
balance.
Sorry, they're doing weekly, right.
Speaker 1 (14:49):
I assume because
there's so many from my
perspective, but that's awesome because the content is so good.
Like I mean, I cannot do that.
We cannot do a weekly show, we're not that good.
Speaker 2 (15:00):
I don't know if I
have time to do a weekly show
either.
Speaker 1 (15:03):
No, but that's the
thing I mean.
They're doing their show based on their own cases or other
cases they know about, plus kind of knowledge of the rest of the
field, so it's a great, great show to listen to.
So they're on top of my podcast listening to listen to-do list.
So everybody should do as well.
Speaker 2 (15:19):
Definitely. Up next
for me.
So a couple of company acquisitions that have happened
since we last had a show.
Cellebrite acquired Corellium, and if you don't know what
Corellium is, it's a tool that lets you create virtual iPhones,
Androids and other smart devices, so kind of like having
(15:40):
a fake phone right on your computer.
Um, acts just like your real device, but you won't need to
buy one or plug it in.
So what you can do with that, testing apps, look for bugs,
explore how the devices work or even create real life scenarios.
So I'm really curious to see what Cellebrite does with the
purchase of that company, because all of those things are
(16:03):
great.
Speaker 1 (16:08):
I mean, the first
thing I want to say, that is
that obviously they spent a pretty penny, I don't know how
much, but I can assure you it wasn't like it wasn't a million
dollars, it was way, way more than that to get to get
Corellium, and Corellium has been the news.
It wasn't the news, you know, maybe a year or two ago, because
Apple had sued them for kind of virtualizing the iOS operating
system and they were not allowed to do that and the court said
(16:29):
yes, they are allowed, which is a great win in the sense of
being able to use these technologies for security
research.
I think, from my understanding of the company throughout the
years, is that their main core product or I said not product.
I should maybe rephrase, yeah, the competency they have, right,
(16:50):
is for researchers, security researchers.
You want to make sure that the apps are working properly, that
you pen test them properly, that they're safe, et cetera.
Right?
Speaker 2 (17:00):
Right.
Speaker 1 (17:01):
And that's a big
question in regards to what is
Cellebrite going to do with it in regards to data forensics,
because at least the only use case scenario I see for data
forensics straight up is saying, okay, I want to analyze an app,
right, and the app now.
I don't have to spend time doing dumps and have another
tool to do the dump, because in the Corellium environment I can
(17:22):
pull the data out.
It's like a virtual machine type of setup, right, and I
could really go deep.
I even wonder if you could take data from one device, right, and
maybe put it inside the Corellium virtualization and
maybe see how it behaves.
I don't know how it's going to look, but I think that's their
main thing.
What else will they be able to do with it?
(17:43):
I had no idea.
Now, my big thing is this, the reason, my opinion, and again,
everything we say here has nothing to do with work or
employers.
It's all us talking as members of the community, more than
experts, members of the community.
Corellium is not widely used in digital forensics because of
the price, right.
(18:04):
It's extremely expensive and labs don't have that money.
Now, will Cellebrite integrate some of that into their insights,
insights tooling, to kind of allow for that.
I, I don't know, um, I would like for the product to be more
accessible, um, in regards to cost, um, for those benefits, and
(18:25):
maybe they could have a tier system where if you're doing pen
testing and different things, it's a price.
If you're doing only like data forensic work in regards to app
analysis, it's another price or an addition.
I don't know how they're going to do it, but I really hope it's
way more accessible, the technology price wise, than it
is currently, because we even looked at it to make some
(18:47):
content for the courses for IACIS, yeah, and I was.
I was like wow, that's a lot of money.
Speaker 2 (18:53):
Yeah, I wasn't sure
IACIS was going to purchase that
for us, I'm thinking no. Yeah, the nonprofit, yeah, that's not
happening, not going to happen.
Speaker 1 (19:02):
So it'll be
interesting to see.
I mean, it was a big win.
So that came out when we were at Techno, right, and it was like
the talk of the floor there.
It was. For a day, in regards to first they spent a lot of money
on it.
And second, what are they going to do with it in regards to be
able to recover, get that ROI, right?
So we'll see.
We'll see hopefully not too far into the future how they're
going to use it and hopefully again really come up with useful
(19:25):
use cases for data forensics.
In regards to iOS virtualization technology.
Speaker 2 (19:29):
Yeah, so the other
company acquisition that has
recently been in the news is Magnet's acquisition of Dark
Circuit Labs.
I don't know a ton about Dark Circuit Labs, but I was looking
at it prior to coming on the show tonight, and their site
says that they provide services such as reverse engineering,
vulnerability research and software development.
(19:50):
So what more do you know about them?
Speaker 1 (19:54):
Well, I mean, I want to more than them.
I want to comment about and I said this before, I still think
it's relevant, the big differentiator between companies
in the digital forensic space, specifically dealing with mobile
forensics.
Uh, it's not so much the parsing.
Parsing is important.
I want to make sure the tools give me as much as I need.
It's not the translation, although I want the tools to
translate stuff for me in a sense, at least give me a sense
(20:17):
of what they're saying, but we don't get to any of that if we
don't have access to the data.
So, yeah, we need access to the data.
We need to make sure that we're able to get the full file
system extractions that we need, because if we have that, if I
had to do the analysis by hand, then I do it by hand.
But without no data, there's no analysis, no matter what tool
you have, right, and I still strongly believe that the
(20:39):
company or companies that have a really strong exploit
development chain are the ones that are going to be continue to
be successful in the market and command the prices that they
put out, and this has to be a really strong supply chain for
(20:59):
lack of a better word, because things get patched all the time,
right, there's updates, and they have to be constantly looking
ahead.
So acquisitions of outfits that really know how to get to the
data are going to be extremely important.
And, uh, um, parsing is going to be secondary to extraction
(21:21):
and to access, access and extraction, right.
And and that's and that's not even adding to the fact that we
need to circumvent, obviously lawfully, because we're talking
about here in the in the law enforcement realm or civil realm,
where it's by basic consent, all this access has to be lawful,
right.
So lawful access of data when access has, you know, there's a
password, a pin code that's unknown or does not want to be
(21:46):
disclosed.
So how do we go about that?
And that's whatever companies are on it and developing.
Those are going to be the leading ones in this field.
The parsing piece will just follow after that.
Speaker 2 (21:56):
Right, so looking
forward to see what happens with
both of those tools being incorporated into tools we
already use.
Speaker 1 (22:05):
Yeah, and really hear
the chat on the screen real
quick, you know, I mean, long story short, yeah, the tools are
expensive and yeah, there's a lot of, you know, R&D that goes
into them. Absolutely, and all that has to be balanced with how
much the market was able to actually pay for things.
Right, I believe that there will always be a market for, I
(22:29):
say market not because of money, but of users, for open source
tools.
Maybe not so much in the accessing part because, like I
mentioned previously, if an access method is disclosed, it
will be immediately patched and it will go away.
But in other functions, like in the parsing function, right, if
we have the data, then we can really balance out some of that
(22:52):
cost with open source tooling or scripting, and that's why we,
I'm going to add you in this, we push for folks to learn some
code, right, you will be able to be more productive and validate
and verify, validate processes and verify data if you do so.
But yeah, it's expensive.
It is what it is.
Is it justified?
And sometimes I feel that it's not.
(23:13):
Sometimes I feel that it is.
Is it justified and sometimes I feel that it's not sometimes.
Speaker 2 (23:15):
I feel that it is
yeah.
A lot of work goes into it, so I mean it's gotta you have to
pay the workers that are putting the work into it.
Speaker 1 (23:22):
But yeah, the only
thing I'm going to say is if, if,
the functionality is the same as last year and the only thing
that changed is how, how you call it.
I and the only thing that changes is how you call it.
I'm not going to be happy, so I expect more than a price raise
just because a name changed.
No, we need sustenance behind that, and vendors are trying to
(23:43):
provide that, so that's a good thing.
Speaker 2 (23:45):
Yeah, so a recent
article that came out from
thinkdfir.com.
So it's about cached screenshots on Windows 11.
And it's talking about where the screenshots are saved by
default.
So screenshots taken with the Win+Shift+S key or the snipping
(24:06):
tool itself, which is a tool incorporated right into Windows,
are saved in the user's Pictures\Screenshots folder
by default. Saved screenshots have file names that are year,
month, day, hours, minutes, second, png.
And if the autosave is disabled in Snipping Tool, screenshots
(24:28):
are instead stored in a temporary cache location under
the user's local app data folder.
So this article was really meaning to let forensic
investigators know where we might find these screenshots
that are being autosaved and potentially could be evidence to
your case.
Speaker 1 (24:49):
And it's really
important to know this because I
remember back in the day for intrusion cases or incident
response, well, let's image the whole computer and go through it
and figure out what happened.
Well, that's not the thing anymore.
Like there is no, we're going to image the whole computer
anymore.
On incident response, we have tooling that targets different
(25:11):
artifacts that we care about for whatever purposes.
So it's incumbent upon you, as the incident responder, to make
sure that, for example, this new location, is this something
that's going to be needed in my investigation?
And most likely it might, it should.
So now you have to make sure that your tools are not
responsive to collate, not collate, but you know, get that data.
(25:35):
Again.
Why are we not doing full copies of the whole thing?
Well, there's so many reasons for that in regards to what the
job entails and what we're trying to prove with it.
But again, it's up on you, incidental responder, to make
sure that you know what things you're going to pull from the
box.
That will be helpful in the investigation, and your
awareness is key.
Speaker 2 (25:55):
So that's why this
article is so good. Yeah, the one
of the good things about it too, about this actual feature, um,
is those cached screenshots that go to the temporary file.
They may exist, they're going to exist, even if the user never
manually saved them.
So the user may think I never saved that.
That evidence is gone and there it is, right there in the
temporary folder for you.
Speaker 1 (26:16):
That's insane.
Speaker 2 (26:17):
Yeah, always check
the screenshot default folder,
but don't forget about that snipping temporary folder.
Speaker 1 (26:23):
Yeah, and that
applies to folks that are not
doing a response. Us, that we are more in the data forensic side.
Yeah, do I want screenshots of the activity of my suspect?
Speaker 2 (26:33):
Yes, definitely yes,
please.
Thank you so much.
Speaker 1 (26:35):
I would have it.
Oh, look, here's the screenshot of the suspect looking for the
murder weapon.
I'm just kind of making something up.
Speaker 2 (26:41):
Yeah.
Speaker 1 (26:41):
Well, that might be
useful.
Speaker 2 (26:43):
Yeah, definitely, but
check out that article on
thinkdfir.com because it was a really good read and you it was
a really good read and you'll use it as a reference in the
future while you're checking those locations.
Absolutely, absolutely.
So recently I was chatting with Noel Loudon from the UK.
He has was telling me about a new app, the vehicle network app
(27:07):
from Harper Shaw, which is the company he works for.
So this app is designed as a secure, private platform to
support professionals in vehicle system forensics and collision
collision um investigation and related fields.
So fields related to the vehicle forensics, um, the app
has a ton of different things that might be helpful in your
(27:29):
investigations there.
There's continuing education, I guess like little videos.
He does a weekly Friday feature, so it's a video briefing on
practical analysis and the emerging trends in these
different categories.
There's case studies, there's open source resources, there's a
whole training hub and there's also a peer-to-peer community
(27:52):
channel.
The good thing about this one, too, is
it's only $25 a year, which I thought was great.
Um, it's uh, there's additional training that you can get
through that company that is not included in that $25 a year,
but the $25 a year it will get you in for these resources on
the vehicle network app.
Speaker 1 (28:14):
That's.
That's ridiculously cheap.
That's like like dirt, dirt cheap. Oh yeah, yeah, I mean I
don't do.
I mean I took the Berla courses and all that, but my
main thing is not doing cars.
Um, but if it were, I would be, I would.
I would get those 25 out in in a heartbeat and, heck, I would
pay for the other seminars in my.
You get a, you get a vehicle network app.
(28:35):
You get one and you get one.
Speaker 2 (28:37):
I agree.
I agree. Everybody should sign up for this app, definitely.
I have also done the Berla course, but I don't really go
out and do vehicle forensics much either.
But what I find useful in this type of platform is I'm doing
reviews of other people's work and I'm doing reviews of other
people's work and I'm doing reviews of people who have
investigated the vehicle forensics with the Berla, and if
(28:58):
I'm not keeping up to date, I shouldn't be doing their peer
reviews.
Speaker 1 (29:01):
So this will be
helpful.
Speaker 2 (29:03):
Yeah, this will be
very helpful in that, so check
it out.
I put the website up on the screen, but it'll also be in the
show notes at the end.
To go check out that app.
Speaker 1 (29:18):
Yeah, and if you have
no, on your LinkedIn Adam,
because he puts a lot of great content in regards to vehicle
forensics all the time, so you gotta, you gotta, follow him on
LinkedIn, definitely.
Speaker 2 (29:25):
Other news: Belkasoft
is having their capture the flag,
so registration is open for their capture the flag now and
it begins on July 25th.
Speaker 1 (29:39):
And Belkasoft capture
the flags are really fun.
In regards to the topics, you know the type of case you should
be looking at when you do this the the catch of the flags and
catch the flags as a general sense.
It's always good exercises to to be involved with um, just to
make sure that your your skills are sharp and that you know what
artifacts mean.
So, yeah, yeah, please go there and sign up.
(29:59):
They're pretty fun. Yeah, absolutely.
Speaker 2 (30:02):
Uh.
Let me just grab our next one here.
So if you're connected with Brett Shavers on LinkedIn,
you've seen that he's doing a series of new posts, so he's
doing a six part series.
There's the breakdown of the myth that digital forensics and
incident response roles are truly entry level.
He's emphasizing real world experience, incorporating how
(30:25):
valuable or well, how valuable education and training are in
the digital forensics and incident response world.
Speaker 1 (30:34):
Yeah, and I want to,
I want to comment real quick on something he wrote about that
because he had,
he had a post on the educational gap, and he makes a
point that we talk about DFIR
like it's one thing, and he even goes to the history.
Uh, Harlan Carvey, he came out with the whole DF slash IR to
(30:58):
say, look, there's huge forensics slash, like separated,
incident response, they're related fields.
But it was, they're not the thing, right?
But then, um, I think Rob from SANS, I just blanked out his name.
Well, Rob, Rob Lee, Rob Lee, I was just gonna say, I just was
watching him on TikTok or something, I couldn't remember it.
(31:20):
Yeah, on Twitter he started using the hashtag DFIR.
It kind of makes sense, you cannot put a slash in a hashtag,
just to kind of popularize the field, and that really took off.
Still to this day I use that hashtag.
But the thing is that it's not Rob's fault, but the thing is
that in the consciousness of the field they're the same thing.
And one point that Brett makes is that, for example,
(31:42):
universities, colleges, they say, well, we have a DFIR program
and DFIR is cybersecurity.
The three things are different.
DFIR and cybersecurity are two different things.
Now, cybersecurity can incorporate some of those and
vice versa, but they're different things.
So what we're seeing is a lot of folks go get some degrees in
cybersecurity and then they want to put, let's say, apply for at
(32:05):
a RCFL lab, I'm making this up, right? A forensics lab, and they
don't have the skills.
They were not taught the DF side, sometimes at all.
They give them a lot of IR or a lot of not technical.
The episode of technical would be, you know, kind of like
procedural cybersecurity.
You know, you know, frameworks, and that's great, that's needed,
(32:27):
but that doesn't qualify you to go and extract data from a
phone and do an analysis and, like he said in the article, if you don't
know what a hash is, what do you spend your money on in four
years of college, right?
So I really recommend that.
It's really percolating in my conscience and you start
separating the DF from the IR more.
I knew it already, but separate it more when I speak to folks
(32:52):
and make sure I'm more specific, because if we're more specific
in our language, then that would translate more specificity in
other fields, like at court or degrees that are being generated.
There's a lot of good folks, like Jason Jordaan.
He's from South Africa and he's doing his doctoral work just on
this problem in regards to how can we solve this educational
(33:14):
issue, how can we identify the proper things to be taught at
this level for DF and IR and how different they are.
So that's pretty important.
And all the articles in the series, they're great.
I haven't read them all, but they're fantastic and I highly
recommend everybody to go through them.
Speaker 2 (33:32):
Yeah, they are
excellent.
I agree with so many of Brett's points, but it just makes me
think about when I went to college too for computer
forensics.
My degree was cybersecurity, but it was concentration in
computer forensics, and I went to get my master's and got into
the master's program with zero computer knowledge whatsoever,
(33:54):
like I was the type of person where I turned the computer on
how.
So making sure the student is ready for that type of program
is another thing that I would just add to some of Brett's
articles because I was not ready for that.
I took the steps that I needed to take to catch myself up and I
(34:15):
I mean I was doing this stuff all outside of school.
And then, when I got to the, when I got to the state police and started getting those
trainings, I really, like, jumped in and learned everything that I
know now, but it was really hard to do a degree when I had
no background in computers whatsoever.
Speaker 1 (34:31):
Well, and even you
coming into your workplace,
having to catch up to the other examiners because what you were
expecting to have coming out of college was not one-to-one
what's needed, right.
Speaker 2 (34:42):
No way.
Speaker 1 (34:43):
Actually, Brett gives
good advice for people.
Sometimes it might be better, and I agree with his advice, get
a computer science degree and then get a minor or a specialty
in justice, like in, excuse me, in classes that relate to the
criminal justice system, like criminal justice minor.
(35:04):
Even a minor or some course is gonna.
So you understand what the, the interplay between the computer
science with the computers, the digital stuff and the law and
the course occur, right, and have that, and that might be even
better than getting a cybersecurity degree itself.
And I really took to that advice because my degree is in
computer science, okay.
(35:24):
So, so I'm a, I'm a, and again, I'm a living product of that
advice.
But not because I didn't want to take a cybersecurity degree.
It's because they didn't exist 20 years ago when I started
doing this job.
But it might still be worthwhile to get that computer
science degree and maybe make it stronger with some law stuff,
right.
Speaker 2 (35:45):
That's what I was
missing.
So my bachelor's was in criminal justice, so I did the
criminal justice part and then I went from that right into a
master's for cybersecurity and computer forensics.
So I, I was missing that computer science component,
definitely.
Speaker 1 (35:59):
And that's, that's,
that's tough.
I, I did my master's is in information management,
information systems, and that's a, that's a management,
like an MBA degree, right, business administration.
Speaker 2 (36:14):
Yep.
Speaker 1 (36:14):
And the folks that
come in just from straight
business administration with no computers
were struggling in that sense, right.
So having that baseline is so important, and really be a good
consumer.
If you're a person that's coming into the field, you've
got to be a good consumer.
You have to make your research.
You can't just, if the provider, be it a university, a college, a
(36:35):
certification vendor, whoever it is, look at curriculums, look
at what they're teaching, make sure that it maps knowledge base
with what you're trying to get, at what your destination is.
If you want to work at a lab for law enforcement, you got to
make sure that you understand what the work that's being done
and if this degree speaks to that.
Speaker 2 (36:56):
Yes.
Speaker 1 (36:56):
Just blindly going.
You might come out four years later with debt and then not be
ready for the job.
Debt. Yep, because it's not cheap to get out.
Speaker 2 (37:06):
No, it's not cheap.
No, not at all.
There's some comments in the comments.
So one comment is saying that the classes, a lot of classes,
are out of date too.
Yeah, I agree 100%.
So the college classes, I think a lot of them are behind.
Just some, I guess, some experience with it.
(37:27):
When I was taking classes it was, the material wasn't up to
date.
I didn't even have a mobile forensics class at all.
We didn't ever even talk about cell phones.
And then I got to my job and it was like 90% mobile forensics.
So, um, I definitely wasn't prepared for that.
And then one of the other, uh, comments, same person, says, uh,
they still have us learning with things like Autopsy and
(37:49):
EnCase.
Um, yeah, it's not with the most up-to-date tools and it's
not with the tools that you are particularly going to use at
that job that you go get, and, and look, and I'll look.
Speaker 1 (38:04):
If you give me
Autopsy and EnCase, yeah, I'm okay
with it.
If the person teaching the class, you know what I mean, yes,
delivers on the goods, right, because at the end of the day, I
want to go to a degree and not to learn so much about tools,
but to learn about the underlying things that the tools
are getting at, yes, and what I've seen, this is, I mean, for
(38:25):
folks that have told me, is that the professor that's going to
teach that forensic course has never done an E01 in their life.
Never, they've never done.
If I give them an SDK image, they don't even know where to go
to make one.
They haven't even made an extraction in their lives.
But, you know, they're part of the staff and you have to teach
this class.
Read something and go at it.
(38:45):
And again, we have to be better consumers.
There are some great programs that have a great reputation.
You have to really look into those and lean into those if you
want to get a degree on, for digital forensics.
Speaker 2 (38:58):
So, so Jessica's
chiming in too, she teaches at one
of the colleges, and not all are behind.
Some of us update regularly, and that is right, and that really
plays into what Alexis just said.
You need to be checking out the curriculum and seeing who those
teachers are.
Research the teachers for sure.
All right.
Make sure you're going somewhere that has people who
have real life experience and make sure it's a curriculum
(39:21):
that's going to fit with what you want to do.
Speaker 1 (39:24):
Absolutely. A hundred
percent.
If you're going to spend $40,000, $60,000, $100,000 on a
degree, you got to do some due diligence,
my friend. And I know you might be 19, 20 years old, but it's
your future at stake here. Switching careers, and you're a
middle-aged man like myself,
(39:50):
you need to do that research.
You can't just jump blindly.
You have to make sure you're getting the information that you
need to make right choices.
Speaker 2 (39:57):
Yes, definitely,
let's see here.
So that brings us to, ah, we're going to do an artifact of the
week.
You got a comment.
Speaker 1 (40:07):
Yeah, I got a comment.
So Shane's mentioning that some organizations want feedback on
their programs, right, from practitioners.
One thing they could do, and is, uh, have advisory boards, like
that's, that's like, that's a thing, right, and sometimes
advisory boards in some of these institutions, it's just to
say they have one.
But a good advisory board, and that applies not only to
(40:28):
colleges or organizations. Bring people from different fields
that you're interested in and really query them on what's
needed, what does the market require of our students in order
for us to provide it.
And being part of an advisory board, make sure you make that
approach and make it an illustrious position, right.
(40:49):
Make sure that the folks that are part of that board are
recognized.
So you have to have motivation for people that are of
importance in the field really give you the information that
you need for your students.
So make sure you, I'm telling you, it makes sense, Heather, like
it has to be something that's recognizable, that the person
being part of it feels honored to be part of this advisory
board, but also that whatever advice the advisory board gives,
the institution follows up on to provide that service to their
(41:12):
students.
So advisory boards are so important and a lot of
institutions,
I don't see any or too little of that.
Speaker 2 (41:18):
So I definitely agree
with that, and that would be so,
that would just could fix so many problems.
Speaker 1 (41:24):
Absolutely.
Speaker 2 (41:27):
So artifact of the
week, so I'm having fun showing
like different research I've done or different artifacts that
have been located.
This isn't a new artifact.
I actually think we may have talked about it on a previous
podcast, because Josh Hickman actually wrote a blog about it
about a year ago now and I'll put the link to that in the show
(41:49):
notes.
But in December of 2023, Google rebranded their Location
History as Timeline and moved all of the data storage on
device rather than to their, on their servers.
So the default retention was reduced from 18 months to three
months and the timeline data resides under data/data/
(42:10):
com.google.android.gms, not inside the Google Maps directory.
There's locations and I actually have a slide to put up
here.
So there we go.
There are locations found in LevelDB files, so it stores GPS
(42:32):
like latitude, longitude, timestamps, the horizontal
accuracy, and it's all stored in these LevelDB files.
I have a little screenshot on the screen here and if you're
listening and not watching, they're under app semantic
location, raw signal DB and it's a whole bunch of LevelDB files.
Speaker 1 (42:53):
And let me say
something quickly about LevelDBs.
Yeah, those are the thing lately, right, I was reading an
article by a CCL group about LevelDBs.
Because apps now, they look like apps, they behave like apps in
both computers and phones, but actually browsers, they're just
skin browsers that look like apps.
And the quote unquote permanent storage.
(43:17):
I say quote unquote because all that stuff just then migrates
to the cloud.
But, while it's sitting on your device, it's going to be sitting
on a LevelDB.
If it's a browser, it's most likely going to be sitting on a
LevelDB for some of these, these, uh, apps that behave like
apps but they're actually skin browsers.
So if you're not up to speed on what LevelDB is, and I said
(43:37):
that, we said it, both of us said in other episodes, we need
to get on it.
Like Heather is showing here, all this stuff is in LevelDBs.
You need to understand how the format works.
By the way, if you come up with us to Reno, to the class in
January, we'll teach you all about LevelDBs, to the point
that LevelDBs are going to be popping out of your ears.
But you need to get up to speed on this.
(43:57):
This is a data store that some folks don't even know exists and
they think SQLite, SQLite.
SQLite is great, there's a lot of it, but LevelDBs,
you'll be surprised how, of the level of importance this humble
key value pair database has in all sorts of cases.
Speaker 2 (44:15):
Absolutely.
And I'll say too, the tools haven't really caught up with
parsing the LevelDBs, they're starting to.
This artifact that I'm going to talk about now,
I used Cellebrite for and they parsed this location history.
But where they're starting to improve is those LevelDB
viewers so you can go in and validate it yourself.
(44:36):
The parsed data is great, but I need to see it, and just going
into a LevelDB file, it's not super easy to figure everything
out that you need for your testing.
So hopefully all of the tools will follow suit and start
supporting these LevelDBs and provide a great viewer for them.
Speaker 1 (44:55):
I mean, what about
the LevelDB that's not parsed, right?
Yeah, absolutely.
If you don't have a good viewer, it's like it's not even there,
right?
So I agree with you that support needs to really better.
Speaker 2 (45:09):
Support for LevelDBs
is needed across almost all
tools. Oh yeah, definitely, and Jessica said she likes Mushy as
a LevelDB viewer, me too.
Um, it's great, and I also really like RabbitHole for a
LevelDB viewer and also, um, Arsenal's LevelDB tool. Yeah, so
Mushy is done by Ian Whiffin, a great friend of the podcast, a
(45:30):
personal friend.
Speaker 1 (45:31):
We had a great time,
he's a Techno and we had a great
time too.
It's free.
You can get that for free. RabbitHole,
you have to pay, but it's a decent price and does a lot of
things, not only LevelDB but does a whole bunch of stuff, and
Arsenal also, part of their suite that you can buy.
But Arsenal also is really well known for their tooling, and
actually we teach all those tools in our class as well.
(45:52):
Yes, yep, highly recommend it.
Yes, but yeah, but those last two that need to be paid.
Mushy is free to use.
Speaker 2 (45:59):
Right.
So Cellebrite is parsing these for me.
I found them in one of my cases.
This is not my case data on the screen, but I found them in one
of my cases and I decided I want to check out how accurate
these are, right, because locations, that's always the
problem.
Are they accurate?
Was the device really there?
What's the, what's the deal with these locations?
Josh wrote an amazing article where he tests it on multiple
(46:22):
different Android devices, but with all artifacts,
you should test it yourself too, if you have a chance.
So, to verify the accuracy of these locations, I went and took
a trip. Um, let me share my screen with you.
So I took a trip on Easter from my house to my parents' house
(46:44):
and I parsed my extraction after I got back and took a look at
these locations in Cellebrite.
Once I took a look at them in Cellebrite, I decided, all right,
I want to export all of the relevant data, which the
relevant data to me was the date and time, the latitude,
longitude, that horizontal accuracy.
So I exported all of that out into a CV, a CSV, CSV, sorry, and
(47:11):
brought it into Google Earth so I could take a look at it.
Um, so if you look at it from pretty far away,
here it is, looks like the exact path that I take from my house
up to my parents' house on Easter day.
Um, let me just, so, if we go, this was like I was sleeping at
(47:34):
this time, this was like 12 a.m. It'll bring you right to my
house. All of these locations.
Um, for the wee early mornings here.
Speaker 1 (47:44):
I just I love, I love
the swimming effect and it
never gets old.
Speaker 2 (47:47):
I love the swimming
effect.
It never gets old Work at myhouse.
So about 8:30 a.m. I'm still home, but I decide to leave the
house a few minutes later or a little while later, I think,
like an hour later, and at 9:48 I arrive at Starbucks.
So let me get to 9:48 here to get my coffee for the ride up to
(48:10):
my parents' house. That's like the most American thing anybody
can do. We'll take a little trip over here and I'm gonna zoom in
for everybody, but the Starbucks building is right there and the
points that these locations drop are actually me coming
around the building, going through the drive-thru.
So you can see there's a few points here, there's a point
(48:33):
here and a point here.
This one right here that I'm on is actually right in the
drive-thru.
I'm probably grabbing my coffee at that moment. After, actually,
sorry, I didn't, I got a lemon loaf because I went and got an
energy drink next door for my drink.
So at 9:52, I go over next door here, sort of next door, up the
(48:58):
road a little bit, to Unstoppable Nutrition, and I get one of
those energizing teas because they have way more caffeine than
the Starbucks coffee.
Speaker 1 (49:07):
You need the lettuce
stuff.
Speaker 2 (49:09):
Well, I was going to
my parents' house for Easter, so
if you can see this screenshot, I'm going to zoom way in.
Let's see here.
So if you look right here, there's like a little bush right
here.
Right next to that bush is where I walk in to grab my
energizing tea, and you can see the points where the GPS has my
(49:31):
device are right here.
That literally is the parking spot that I was parked in, the
parking spot right here in front of this bush.
So that's how accurate these locations were at this time for
my device.
I then leave, head up to my parents.
I'm gonna just scroll up to when I'm about to my parents'
(49:52):
house.
It's a pretty long trip, like an hour and 45 minutes, so we're
not. Right, right before you rob the bank?
Yeah, right before.
Oh shush, don't be telling my secret, no, but you're an
awesome decision.
Speaker 1 (50:03):
A case like that.
Yeah, here's the, here's the getaway vehicle after when they
rob the bank.
Speaker 2 (50:08):
Oh, yeah, yeah,
definitely, definitely.
So now we're going to take a little zooming trip and we're
going to cruise up the Northway.
Uh, and at this point, right here, I am almost to my parents'
house, and when I put all of the data from the Cellebrite or
Cellebrite extraction into like a timeline, when I'm right here
at this point, I actually text my sister that I'm there.
(50:31):
I'm not actually there yet, but I want to make sure she's there
too when I get there.
So at 11:27, there's actually a text message right at that same
time, and I'm just down the road from my parents.
Speaker 1 (50:43):
It's like, are you heading this
way?
Yeah, yeah, yeah, I'll be there in a minute.
And you're still in the shower.
Yeah, exactly, I'm on my way.
Speaker 2 (50:55):
It's still getting
dressed.
About a minute later I'm at my parents' house.
I'm going to zoom in on my parents' house here,
(51:18):
no-transcript, where I start traveling away from my parents'
house and I'm headed back home. At 7:21, I'm quite a ways into
my trip there.
Let me find my 7:21 for you.
Speaker 1 (51:36):
So we'll be in for
years here of your life?
Yeah, definitely, that's amazing.
Speaker 2 (51:41):
Well, the accuracy
thing's coming up, so I have
to do my trip home. So at 7:21,
you see me pull off of exit 11.
So this is where I'm pulling off of exit 11.
Right over here is where I pull off, and I actually pull into a
Dunkin' Donuts because it is raining so hard that I can't
even see to drive.
Speaker 1 (52:04):
It was not to eat a
donut, though by any means it
was not.
I didn't even go in.
It was raining.
Speaker 2 (52:10):
I didn't even go in.
Speaker 1 (52:11):
I don't know that
location that is really close to
the store.
I don't know, no, so that's where this is awesome.
Speaker 2 (52:21):
That's where these
locations are awesome.
I pulled in and I parked way out front of the store and just
sat there.
This is literally the exact spot I was parked when I pulled
in and I only stayed for a few minutes and decided I'm going to
try and drive, it'll, it'll be okay.
So I stay for a couple minutes and at 7:35.
10, let's see here, I get back onto the Northway, but then it
(52:46):
is pouring so hard I have to get back off of the Northway.
I get off exit 8, pull into a Stewart's shop.
So these are,
these ones are awesome. What shop again?
Speaker 1 (52:59):
what?
What shop is this?
Speaker 2 (53:00):
Stewart's.
It's a local gas station.
You don't have Stewart's, doyou?
Speaker 1 (53:05):
No, we have Wawa's.
Speaker 2 (53:07):
Okay, so I have a
Stewart's, do you?
Speaker 1 (53:09):
have Wawa's.
No, you're missing out, go ahead.
Speaker 2 (53:12):
So this is the
Stewart's shop right here and
you can see all of these points.
I sat there for quite a while.
It was downpouring for a while, there was thunder, lightning,
everything else.
But the best part of this is, let me scroll in a little bit,
there were so many cars pulled off this exit because of the
rain that none of these parking spots were open.
So I parked right here where it wasn't a parking spot.
(53:34):
So I was parked right there after the last parking spot and
that's where the device logged me the entire time that I was
sitting there.
Speaker 1 (53:42):
Okay, okay, You're
parking on illegally parking.
Speaker 2 (53:48):
I was.
I was illegally parking.
I eventually get back out onto the road, I think at like 8:02.
I sat there for a while, so let me grab 8:02.
I went the wrong way, I'm not going to bore you with that.
And I get back on the Northway and I arrive back home at about
(54:09):
8:32, I think, yeah, 8:32.
So let me go there.
We'll go to 8:34 because I should be home then, so all the
way back to my house.
So these are very accurate locations, right, super, super
accurate.
Are they always accurate, is the question.
(54:31):
So, as I'm looking through these, I looked through all of
these.
There were tons.
I'm looking through them.
So I'm looking at the horizontal accuracy and there
are some locations that have a very large horizontal accuracy.
So what does that mean?
They're not as accurate as the other locations.
So I actually pulled those out of my location so I can just
(54:54):
show these.
So during the day, I said, I was at my parents' house all the
entire day for Easter.
I never left the house, but while I was at my parents' house,
this test device was, it was out in the driveway in
my car, and while I was at the house there were locations
logging me in the village of Whitehall, that's where I'm from,
but they're logging me in the
(55:16):
village of Whitehall out in the woods, and then they're logging
me in the village of Whitehall over here in the woods at the
Water Tower, and then in various other places in the village of
Whitehall.
Speaker 1 (55:33):
I think you're saying
like, oh, you know that body
that was found there in the Water Tower.
It had nothing to do with me.
I was out there by time.
I'm a mom's house.
It isn't always accurate, I don't know.
I think it's accurate.
Right, I think you were hiding the body there.
Speaker 2 (55:47):
So these are pretty
high horizontal accuracies.
So I definitely never left my parents' house.
I swear, I'm not lying.
But if you were looking at this in a case and maybe you didn't
look right at the horizontal accuracy, the suspect left the
house and went and buried the body in the woods. Immediately.
That's what I think.
I mean,
I'd test it and find out that I'm greatly wrong.
But it looks like I left my parents' house during the day
(56:10):
and I was potentially hanging out in the woods for some reason.
Right, yeah.
Speaker 1 (56:15):
I don't know, but you
made the point because if the
horizontal accuracy is so large, right, instead of maybe using
so many resources, we need to scan the woods with dogs. Maybe
we need to, but if it's really an outlier, maybe we can slow
down and understand the limitation of the data source,
(56:36):
which is what you're showing us, which is so important.
It's accurate, except what it isn't, and at least we have now
an indicator, right, and the big key here is look at horizontal
accuracy and then make the determinations considering all
the data points around it.
Correct me if I'm wrong, because it's like an outlier.
You don't see any points going from there to there, right?
Speaker 2 (56:55):
No, so there were 29
of them in, I don't know,
thousands and thousands and thousands for this period of
time.
There were twenty-nine of them that just didn't make sense and
had that huge horizontal accuracy.
All twenty-nine of them were, were, were while the phone was
sitting in my car in my parents' driveway throughout the day.
And actually Jessica asked a great question, so how accurate
(57:18):
is the horizontal accuracy numbers?
I tested a couple of them.
Some of them appeared to be around two miles from where I
was at and the actual location where I was at was a little bit
over two miles.
A couple of them, so a couple of them were just slightly
outside of the horizontal accuracy, but several of them
were right in.
Most of them were right inside the horizontal accuracy, but I
(57:42):
definitely didn't leave my house.
Speaker 1 (57:44):
Well, and again that
speaks to you have to look at
data not as just a point, but what the collection of points
tells you, and use your brain, right.
You got to make sure you understand that if I have these
points and I don't have any points in between, plus your
horizontal accuracy is high, then this might be outliers that
don't really mean anything to my investigation.
And you know we might need to verify that and that's
(58:06):
appropriate, but then we don't set everybody's hair on fire
when we should be maybe devoting resources to actual things that
could be leads that could be followed up on.
Speaker 2 (58:17):
Well, I think you
were making the point a minute
ago too.
Um, so these, I'll give in context, the, the, the path that
you saw me take up to my parents' house.
Those horizontal accuracies were like four meters, three
meters, five meters, six meters.
These 29 points have more like 2200 meters, or 30, 3500 meters.
Big.
(58:37):
Yeah, and the good thing about these 29 points, I have other
points right almost at the exact same time that have me at my
parents' house, so you can use that horizontal accuracy to
determine.
Okay, this one is within four meters and this one's within
2,200 meters.
Where was I actually at?
Speaker 1 (58:57):
Yeah, and that's
knowing the artifact, because
the bias sometimes comes in.
I want, I want that person to bury that.
I want to find the body somewhere.
And we can't let the bias influence us.
We need to actually look at the data source and let the data
source speak to us what the truth is.
We, we, we can't just interject it.
(59:17):
It's because I want to find the body and I have data points in
the woods.
Therefore, right, we got to be really careful with that.
Speaker 2 (59:23):
You watch.
Somebody is going to find the evidence at the water tower in
Whitehall and they're going tohave seen the podcast and come
and arrest me now.
So, in other words, I'mincriminating myself.
Speaker 1 (59:32):
No, no, you're
creating your alibi.
You're so sorry.
Speaker 2 (59:42):
Publicly.
I said it wasn't me and I, yeah, exactly, it was you.
I know it was you, oh my goodness.
So these, uh, these locations are great. Um, we're always
talking about the iOS cache locations that are so amazing on
the iOS and I think there really wasn't a great, um, I
guess, equivalent on the Android devices until I saw these. I
think, I think these are just as good as those iOS
locations.
As you know, the iOS locations once in a while will also have
(01:00:06):
the outliers with the large horizontal accuracy, so I would
compare these in Android to those iOS cache locations on, I
guess, reliability and usefulness in your cases.
Speaker 1 (01:00:18):
That's great.
That's great that we can findthose data sources.
So no, thank you for explaining it.
I enjoyed following you around. Check out.
Speaker 2 (01:00:27):
Josh's blog too,
because he did it with numerous
devices. He used a Pixel, he used a Samsung, and shows the
differences.
But he also breaks down some of the LevelDB data in,
I think he was using Mushy in his blog, so he breaks down the
data where he's finding it, how you can actually go into these
files and validate the data that you're seeing yourself as well.
Speaker 1 (01:00:47):
Go check it out, my
good friends.
It's good stuff.
Speaker 2 (01:00:50):
Definitely All right.
So we are, I believe, at the meme of the week, we are at the
end of the show.
Speaker 1 (01:00:59):
So let me pop that up
here. Yeah, I love the meme of
the week.
Go ahead. Oh no, go ahead. No, I said I love the meme of the week.
It's, uh, it's always, it's always fun. Definitely.
Speaker 2 (01:01:13):
Um, oh, I have to
stop sharing the other screen is
what it's telling me I.
Speaker 1 (01:01:16):
I will never figure
out this screen sharing stuff
and whenever we start figuring it out, they change it. Yeah, oh,
they did.
Speaker 2 (01:01:23):
They changed it.
I think my stuff was missing, right, the one showing all these
screenshots, the one podcast and everybody's in the comments
saying, oh, we can't see your screen.
Um so, meme of the week.
Go ahead.
This one's all you. So, so we have.
Speaker 1 (01:01:39):
I forgot the name of
the of the actor, but he's he's.
He's a great actress, a lot ofmovies.
Uh, lately he's always been inthe mandalorian.
He's a muff gideon.
That's the character, but Iforgot his real name.
Well, the thing is that thisgreat actor, really serious
actor, has a suit on kind ofplaying with his tie, making it
tight, and it says you use toolsto see what they can find.
I use tools to see what theycan find.
(01:02:01):
I use tools to see what theycan't find.
We are not the same, and thepoint of the meme is that the
template speaks about a contrastbetween things that sound
really alike, but a littledetail makes an extreme
difference, and the point is notto say that this person is
better because of that.
The point is to make theillustration that tool
(01:02:23):
limitations are just asimportant as tool capabilities,
because if you go by what a toolcan find, that's great, but if
you're not aware of what ismissing, what it's not designed
to do, then you'll be doing adisservice to your stakeholders.
To your case, right, and asimple example if you run your
AI on your tool to give you thechats, that's great.
(01:02:45):
Is the AI aware of this other app that's not parsed by the
tool to give you the contents of those chats?
Well, if you're not aware that the AI cannot get into
unstructured data, I say unstructured in the sense of,
let me not say unstructured, the AI cannot get into unparsed data
by the tool, then you assume that this is all there is, right?
(01:03:05):
So you got to be really aware of what the tool, what the AI,
whatever it is that you're going to use.
And again, everybody knows what we think about AI right now, at
least at this stage.
I'd rather not use it at all, but you gotta be aware of
those limitations, right? And so I,
I think we should change our mindset.
Instead of being, well, I'll learn the tools you can find, no,
(01:03:26):
let's this.
We, we know the tool will find stuff.
Our job really, as examiners, starts to figure out the stuff
that the tool doesn't show, because I will give to my
investigator what the tool shows and they will go through it.
They don't need to have a degree of no sorts to just read
chats or do whatever, but to get to what the tool doesn't show.
(01:03:52):
That's the gap between the knowledge and the data that we
need to fill, right? And I think we should be really conscious of
our role within that context.
Speaker 2 (01:03:57):
Yeah, absolutely. All
right.
Well, that brings us to the end.
Speaker 1 (01:04:04):
Yeah, no, it was good,
it was.
I thought it was going to be a short show, but it never is.
No, it never is.
Speaker 2 (01:04:09):
So, yeah, we were
talking about that before the
show.
I'm like, I don't have that many topics, we can make it short,
maybe a half an hour.
We've said that like five or six podcasts, and I think a
couple of them have gone to like an hour and 20 minutes.
So it's never.
Speaker 1 (01:04:21):
We always have enough
to talk about. Well, it's always
fun to, you know, talk about things with you, so I appreciate
you always being around. And same to you, all your insights,
so listen.
Speaker 2 (01:04:31):
I couldn't think of a
better podcast partner. Oh, look
at that, look at all the love, all the good vibes in the show.
Speaker 1 (01:04:37):
All right, and also,
I couldn't think of a better
community that's built around the podcast and around the work
that we do for the community.
So I thank everyone that's been on the podcast, have been
chatting.
Everybody can be seeing their messages on the screen.
It was great always having you.
We leave a smart group of people: Josh, Ronan, Bruno,
Matthew, Kevin, everybody, so thank you for being around.
(01:04:58):
So anything else before we head out? That's it. Until next time.
All right, my good folks, we'll let you know when the next show
is.
When we know when the next show is. Yeah, definitely. All right,
everybody, take care. Thank you. And with the music we say
goodbye. Bye, thank you.