
December 12, 2024 79 mins


Join us for a holiday-themed episode of Digital Forensics Now, where we blend expert insights with personal stories from the field of digital forensics.

This episode delves into cutting-edge tools and techniques for digital forensics. Explore insights from Arsenal on advanced methods for analyzing swap space and memory files. We also share experiences with the Samsung Secure Health Data Parser, highlighting the challenges of decrypting health databases and the critical role of UFED in overcoming them. Don’t miss an in-depth look at the remarkable features of ArtEX, showcasing its value to examiners. Additionally, we introduce the LEAPPS Artifact Viewer App (LAVA), a groundbreaking tool unveiled at the Cyber Social Hub conference. 

We discuss the vital role of forensic experts in legal proceedings, from the importance of meticulous validation to the risks of mishandling evidence. Real-world cases and controversial court rulings highlight why expert testimony remains essential in interpreting digital artifacts.

We close with gratitude to our listeners and warm holiday wishes. Stay tuned on social media for updates on our next live session after the holidays.



Notes:
Working with 010 Hex-Editor 
https://www.youtube.com/playlist?list=PLCS2zI95IiNwheFCTaUEytA1GT0mNOOdn 

Arsenal Releases a New Tool! 
https://arsenalrecon.com/additional-products 

Samsung Secure Health Data Parser - A Forensic Tool for Parsing & Analyzing Samsung Secure Health Databases https://github.com/breakpointforensics/Samsung-Secure-Health-Data-Parser-/tree/main 

ArtEx Artifact Examiner
https://www.doubleblak.com/app.php?id=ArtEx2 

Why the Manual Preview/Screenshots May Not Hold Up in Court
https://www.forbes.com/sites/larsdaniel/2024/11/13/think-that-screenshot-is-proof-heres-why-it-might-not-hold-up-in-court/
https://www.forbes.com/sites/larsdaniel/2024/12/06/smartphone-forensics-and-fake-texts-how-are-courts-responding/ 

What's New with the LEAPPS!? 
Google Keep Notes
https://charpy4n6.blogspot.com/2024/12/google-keep-notes.html 
Sign up for updates: leapps.org


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
door and the music.
Here it goes.
Welcome to the Digital Forensics Now podcast.

(00:24):
Today is Thursday, December 12, 2024.
My name is Alexis Brignoni and you saw me just closing the door to my little recording office, and I'm accompanied by my co-host, the Google Keep Understanderer, the Avid or Avid

(00:44):
avid, avid.

Speaker 2 (00:46):
AI user.

Speaker 1 (00:47):
Yeah, but only in some things, not on all things.
The world deserved victory.
Lapper, the one and only Heather Charpentier.
The music is hired up by Shane Ivers and can be found at silvermansound.com.
And there we go.

Speaker 2 (01:05):
Hello Heather.
Hi, thank you for the introduction, as always.

Speaker 1 (01:12):
Oh no, I mean to me that's the part I do the most research for the show.
I'm going to introduce you.
I'm talking about introducing you.
For folks that are not watching us live or are recording on YouTube, you can see that Heather is super festive.
I am.
From the top of her head with her deer ears and horns to

(01:34):
her awesome sweater shirt.
No, it's a plain sweater.
Right, it's not a shirt.
What is it? A

Speaker 2 (01:38):
sweater. Yeah, oh, yeah, yeah.

Speaker 1 (01:41):
And she can definitely say that she has the balls.

Speaker 2 (01:45):
I can, I absolutely can say that this week.

Speaker 1 (01:48):
You have multiple balls there.

Speaker 2 (01:50):
Yes, lots of them.

Speaker 1 (01:52):
Well, since I'm not going to be, well, actually.
Well, I was going to say I'm not going to be left behind, but I did, because your outfit is way better than mine.
But I have a nice Hawaiian shirt that has like a beach and you can see, where is it.
I'm on the wrong side of the shirt.
There we go.
You can see Santa here with a surfboard, just ready to go.
He's doing his last surfing bits in Hawaii before he has to

(02:15):
go and deliver all the presents for all the good boys and girls.

Speaker 2 (02:21):
I think you're super festive.
You just needed some antlers or maybe some balls to hang from somewhere.

Speaker 1 (02:30):
You know I'm not putting my balls on the shirt, I'm just going to have the shirt and you can put yours on your shirt and that's all good.
So, yeah, Christmas spirit.
I mean it's not the day of Christmas or the week of Christmas, but we're close enough so we can do this.
We're not gonna have a show, obviously, during the holiday, so we're celebrating a little bit early, so you can see also

(02:51):
our background, the entire Forensics Now with a nice little tree there.
So it's all good. Yes, yes.

Speaker 2 (02:56):
What have you been up to?

Speaker 1 (02:57):
Well, doing good.
Before I say that, there's some folks already coming into chat.
So hi, Matthew, and obviously Kevin is around.
Kevin is the man with the plan.
Always good to see him.
So I've been doing a lot of stuff.
So what was it?
It was on Monday.
Yeah, on Monday, ArcPoint Forensics has a series called

(03:18):
the 12 Days of Deferment, which is kind of a smart take. Hello, Jake.
And on those series, for the next 12 days, she will be interviewing some folks in the field, experts and the like, on different topics.
So I was the first to open that series, so I'm really honored about that.
And I spoke about validation and verification and that came

(03:38):
into AI.
It came into a whole bunch of stuff, because when I start talking I don't shut up.

Speaker 2 (03:44):
It was a good episode.
I watched the whole thing, very, very good. Oh, check the mail. I appreciate it. Everybody should check it out. And what else?

Speaker 1 (03:53):
So, all of that has something I'll have to say.
We did it with the show, we did the, what was it?

Speaker 2 (04:01):
Oh, the Cyber Social, right.

Speaker 1 (04:03):
Thank you, so.
So everybody's seeing, for some news.
So we unveiled for the first time the LAVA.
So that's the LEAPPS Artifact Viewer App.
We made it public, at least to show it.
We have not released it yet because it's still in like an alpha phase.
It's really rudimentary, but we got stuff that works.

(04:26):
So we were excited to demo that during the Cyber Social Hub conference 2024 yesterday, and today we talk a little bit more about it, also during the conference.
So I'm going to try to show it to you all here as well, at least the larger contours of the app and how that is different.
If you're a LEAPP user, and again, the first time you hear about

(04:46):
the LEAPPS, these are an open source platform that we use, that we develop, Heather, myself and another group of developers, free open source to the community to parse items of interest from iOS extractions, Androids, returns from providers, ISPs, vehicles and the like, and now we have a viewer.
That's an evolution of the tooling, so I'm going to be

(05:09):
happy to show that today.
Now, enough about me.
How about you, Heather? What's

Speaker 2 (05:14):
going on.
I can't wait. I'm just on the same topic of the LAVA for the LEAPPS.
Can't wait till that's released, because you guys are going to all love it.
It's awesome, awesome updates coming.
But for me, the last few weeks have just been super busy.
We should have had a podcast last week, but I was busy, so we're having it this week, but I guess I've just been doing.

(05:37):
I've been doing a lot more testing on phone data and I recently, for the first time, extracted my own phone.
It's finally supported and it's insane.
What is in your own phone that you don't even realize is stored, from your daily movements?
I can't believe it. Like your personal phone? My own personal

(05:58):
phone.
Yeah, I'm going through and realizing that a lot of things, I thought I knew what they meant, after looking at my own data I just was a little bit wrong, so I'm changing my views on some of the data.

Speaker 1 (06:13):
The good thing for everybody that's listening is that Heather is going to show us all the content of her phone during the show.
Oh, definitely.
And we will, ever we were able to see.

Speaker 2 (06:21):
I mean, I've already given out my passwords, why not give out the rest?

Speaker 1 (06:25):
That's a good inside joke for the people that watch the show.
So if you don't get the joke, you got to watch some episodes back to get it.

Speaker 2 (06:33):
Yeah, definitely.

Speaker 1 (06:34):
No, but that's cool.
So you're figuring out that your perception of what something means expands as you're looking at your own data, right.

Speaker 2 (06:41):
Yeah, definitely, especially with anything that's cached.
Like, I'm looking through my cache files on my phone and I don't even have a recollection of ever visiting some of these pages that the files are caching from.
So trying to figure out where that comes from and realizing that when I'm testing something on one of my test phones it's very specific what I'm looking for, but there are so many more

(07:03):
functions of the different applications that it's really easy to overlook.

Speaker 1 (07:08):
Like how something may have gotten there. Oh, and I guess it could be wrong, but as you're going through it, you're not making more connections like, yeah, looking for this, but since I knew I did these other things, oh, look how they come, circle around and hit up. Oh, big time, big time, big time.

Speaker 2 (07:24):
So yeah, it's actually, I encourage anybody who has the capability to extract your own phone, see what you have in there.
I definitely don't recall some of the stuff that's in my phone.

Speaker 1 (07:37):
I don't recall that drunkenness.

Speaker 2 (07:38):
Yeah, I don't, I don't recall.

Speaker 1 (07:42):
Andrea is in the chat.
I haven't seen her in a little bit, so it's so, so happy to see you around.
She's the best.
Yeah, so, yeah, so let's, since you brought that up, let's go more into detail, right?
I mean, so you look at your phone and what's going on?

Speaker 2 (08:00):
Yeah, I mean no, seriously.
I am just starting to look through it and I just really am realizing how much is in there and the connections I need to make.
I think, as I continue to go through it and we continue to have podcasts, I'll probably have some new things to show everybody.

Speaker 1 (08:16):
Yeah, and folks, of course you got to be careful, right, check your own data.
But if you find something interesting, go and take a test phone and try to replicate some of that in a way that you can share or do research on, because there's something that we definitely need is research and what happens with our tooling.

(08:36):
At least some folks make a good artifact, but the test data that they have, they might not be able to provide it, and sometimes I make some command decisions.
If the person is sending a pull request that I trust and it's a respected person, I will merge it because I trust them, but if I don't know you, I need some test data, right, in order to merge. And I guess my point is, one way of giving back

(09:01):
to the community is by generating test data sets.
Now, you don't have to be an eminence, an awesome, incredible out there person like Josh Hickman that does test data of a whole device, and that's crazy hard in regards to the time investment he does on that, so you don't have to be him.
He's high level.
But nothing prohibits you from, hey, let's do one app or two

(09:24):
apps that you found something interesting, and share your analysis and share the data, because other folks can build tooling on top of that, like us.

Speaker 2 (09:32):
I can share some of my data.
You're not getting my text messages or my pictures, but I'll share some of the other stuff.

Speaker 1 (09:37):
So I'm not going to know what really you think of me.

Speaker 2 (09:40):
No, never.
Oh, my God, I see how you work.

Speaker 1 (09:44):
I will never share that with you. You know what, I think it's better that I ignore all that.

Speaker 2 (09:49):
I'm okay with that. Yeah, I'll believe what I want to believe.
So, some things to talk about this week.
I don't know if anybody saw, but Ali Hadi released or posted about some YouTube videos he actually did quite a few years ago, I believe, like three years ago, on working with the 010 hex editor.

(10:12):
I had never used this hex editor.
Have you used that hex editor?

Speaker 1 (10:17):
Well, I used it when I saw his post.

Speaker 2 (10:19):
Okay, all right, so, yeah, so I had never used that hex editor, but Ali has an entire YouTube video series of kind of the functionality of the hex editor, and it outlines the different view options, how to view Unicode files, how to work with and locate specific offsets, how to find things using hex,

(10:42):
and it might be basic for some examiners.
But if you're new and you're not sure where to get started with the hex, these videos can be great to start off with.
And also, even if you aren't new, the seasoned examiners always need a refresher on this kind of stuff.
So, encourage people to check out his YouTube page.
I'll throw the.

(11:03):
I'll throw the banner up now, but I'll throw the YouTube page in the show notes at the end of the podcast, which actually, I was chatting with Kevin Pagano and he didn't even realize that we have a blog for the podcast and the show notes are there.
They're also on the Buzzsprout page where you can connect

(11:23):
with all of the audio sites for the podcast, so we put them in both places.

Speaker 1 (11:29):
You know what, after we're done here, we do some post-production.
I need to go and add that stuff to our social media and to other places.
So I need to do that as well, so people can get to it.

Speaker 2 (11:38):
He shared it out too for us.

Speaker 1 (11:39):
So you know this whole thing about hex editors and being experienced or not.
It reminds me of this meme of, you know, there's two pieces of paper and they ask the person, what's the difference between these two?
Right, and one says, you know, learning regex and

(12:01):
having to learn regex.
And then every time I actually, I butchered the meme because I forgot what was learn regex.
Another one where you have to use regex, and the person says there's no difference, the same thing, because if you learn regex, every time you use it you have to relearn it every single time, right?

Speaker 2 (12:17):
Yeah, true.

Speaker 1 (12:18):
So with hex, some of the hex things, if you don't do it daily, even if you know, understand hex and have a feel, you always have to review, you always have to be, okay, I'm going to dig into hex, let me refresh myself of how to do this.
And if you're looking for a tool with some guidance, then this, definitely.

Speaker 2 (12:41):
Kevin says he facepalmed so hard when he found the show notes.

Speaker 1 (12:44):
Finally, I facepalmed worse by butchering the joke of the meme, but it's okay, yeah.

Speaker 2 (12:51):
We all understood what you meant.

Speaker 1 (12:53):
Well, thank you, you're so kind.
Derek is around.
Derek is awesome.
He's an awesome examiner.
He was also interviewed in Amy's ArcPoint series in regards to forensics in the healthcare arena.
So check that out.
I have to check it out.
And Christian, the master extractor of all things iOS, is also in the chat.

(13:14):
So good to see you, man.

Speaker 2 (13:15):
Hey Christian.
What else do we have this week? Arsenal released a new tool.
I don't know if anybody saw, but Arsenal released a tool called Swap Recon.
This tool performs brute force decompression of Windows 10 and 11 swaps.
So the page file and swap file, what are they?

(13:37):
System files on the hard drive that act as temporary storage for data when your computer's physical RAM becomes full.
So potentially, with this new tool, there's a potential to find many different artifacts in these files, and I actually have a, I'll share a screenshot here of what the tool looks like.

(13:58):
So this is what Swap Recon looks like.
Looks a lot like their other tooling, but you browse out to the file that you're looking to process, choose your output and then it will process that swap file.

Speaker 1 (14:15):
And this is interesting because, as you were saying, the swap file, it's encrypted, right, and it might contain remnants of activity from the system.
So, if you're doing incident response, for example, a lot of good data is there.
And well, you might ask yourself, well, some other tools already do this.
What's so special about it?
I was having a conversation with Mark Spencer, the CEO, owner

(14:37):
, lead person up at Arsenal, and he was explaining to me how there's some heuristics added to the tool that allow you to really identify items of interest, some strings of interest that other tools might not represent in a way that you can capture as you're doing the review.
I'm not going to give you all the details, because that's

(14:58):
something.
You should go to their website and kind of check out all the explanations and all the different differences.
But he portrayed to me how this tool does this swap analysis plus, right?
So yeah, if you're looking for cases in incident response, when you might, for example, I'm thinking of examples when this might be useful, if you're trying to figure out

(15:20):
lateral activity or things that a user, but not a legit user, an actor, is doing on the systems, looking at swap space, looking at page files, looking at hiberfils.
Okay, that type of copy of memory space down to the file system is going to be a gold mine for your investigations, and it's definitely that.

(15:41):
Does that for you.

Speaker 2 (15:44):
All right, let me remove that.
So last podcast I talked about the Samsung Secure Health Data Parser.
It's by David Haddad, and I shared a blog he wrote about it and we shared the GitHub page where you can get the parser itself, but at the time I didn't have the

(16:09):
capability to decrypt the database that goes along with that.
So the database, the Secure Health database, needs to be decrypted to run on that tool, and currently there's an issue with extracting in Premium and pulling down the key store, so I wasn't able to pull the key store for my Samsung phone.
However, I extracted my Samsung phone with UFED and it pulled

(16:35):
the decrypted version of the Secure Health database.
So I'm going to show this tool again to kind of give it justice and actually show what it does.
Speaker 1 (16:45):
As you're bringing that up.
So, yeah, what's your theory of what happened? Like, did UFED actually deal with the key store, or what?
What's your theory of the case here?

Speaker 2 (16:54):
I don't know, but I got, I mean, it parsed the decrypted.
It had the keys obviously to decrypt it, and I didn't have it in my other extraction, and it decrypted and I have the Samsung Health decrypted copy with UFED.

Speaker 1 (17:18):
So if you're missing the key store and your device is supported by UFED, try it.
Yeah, I mean, it's interesting that you mentioned that, because it really goes with something I mentioned to Amy in her podcast about how some versions lose support or gain support or whatever it is, and sometimes you have to revert back to a previous version, and how it would be useful for vendors to do that, to let us know that.
So actually, I think it's Rebecca, her name, if I'm not

(17:38):
mistaken.
We were having a conversation in the comments on LinkedIn about it, or how she keeps all the executables from all her tools, all the versions.
She keeps a library of those because she never knows when she'll need to revert back to version X to get something right, and that's good practice on her.
I think it's a good practice that we should start as well,

(18:01):
but my contention is that it shouldn't be that way.
She shouldn't have to keep track of all those old binaries, right?
Why do vendors not allow those binaries, and not only binaries, binaries and release notes, to be easily indexed and searched?
I want to look for all the different support of all

(18:21):
different devices across all versions, all release notes.
I don't understand why.
I mean, maybe there's the space constraints, I mean, I don't know, but I believe that should be available.

Speaker 2 (18:32):
I don't know what you think, but, well, I have them all, so if you ever need one. I do the same thing.

Speaker 1 (18:38):
I definitely keep every version that's ever been created, so I mean, would you like to keep doing that, or you rather the vendor do it for you?

Speaker 2 (18:45):
Well, yes, I'd rather have a vendor do it for me, but it takes up some space on the server.

Speaker 1 (18:51):
So free the space please.

Speaker 2 (18:52):
Yes, let's free.
Yes, definitely, give us the old versions, have them available.

Speaker 1 (18:56):
Oh, let me say this. Some vendors do, it's not all vendors.
I don't want to judge all vendors, vendors, you know, the same token.
But if you're not doing this, vendor, then do it.
Give us release notes and give us versions.

Speaker 2 (19:08):
I'm sure they have copies somewhere for us, right, correct.

Speaker 1 (19:11):
You know what, they'll ask you for copies.

Speaker 2 (19:13):
Yeah, okay, I can back them up.
So I was able to obtain the Secure Health database in a decrypted format from my test phone.
There's not a ton of health data on it but, as I said last podcast, you just select that SQLite database file, the decrypted version, and then give it an output location and then

(19:37):
just click generate report.
Once generate report is done, let me just share here, it will create reports in both a CSV and an HTML format.
So this report here doesn't have a ton of data, but it is an

(20:03):
exercise session report.
So exercise start time and end time, the duration of the exercise, what type of exercise?
I have walking, and I have a treadmill combination, walking and jogging, in this report here.

Speaker 1 (20:15):
Looks pretty nice. Yeah, it definitely does.

Speaker 2 (20:18):
And then this one's got a little more data.
But this is the Samsung Health step count report, which has a last modified date and time, start date and time and end date and time.
It'll have, if I scroll over here, the step count duration in seconds and the actual step count and.

(20:40):
This is not my personal phone, Alex, so don't think I have not been working out.
This is a test phone.
Okay.

Speaker 1 (20:47):
I was about to bring the hammer down.
What's happening with our routine? Come on.

Speaker 2 (20:51):
I swear I'm still going to the gym, just not with this phone.
Sure, sure.
But this is a nice way to kick a report out from that decrypted Samsung Health database.
That's excellent.

Speaker 1 (21:04):
That's excellent.
That's again another view, another thing to try out and make sure it works.
I mentioned Rebecca, I think it's Graciela that does that, okay, so, yeah, so, make sure I get the proper attribution.
But no, no, I mean I'm all for tools, it's the same as I am for validation and verification of those tools.
So that's good stuff.

Speaker 2 (21:23):
Yeah. All right, let me take this.
So another tool.
This tool's been around for a little while, but I've never really dived into it.
I've used it for certain things, very specific things, but I think, after talking to you, Alex, I decided to go look at it

(21:45):
more today, and it has a ton of functionality that I'm going to show you.
But recently, ArtEx by Ian Whiffen.
So if you go to DoubleBlak, his blog, there's an app section where you can go download ArtEx.
You recently sat in a class on it, right?

Speaker 1 (22:02):
Yeah, I went down to Miami to present on the LEAPPS and some other things, and I had the pleasure of getting an ArtEx class from the author and master of all things 4n6, Ian Whiffen, and, I mean, I used it a whole bunch of times, don't get me wrong, but when the person that does the tool teaches you certain things, you're like, oh, wow.
And well, I'm not gonna steal your thunder, Heather, but some

(22:23):
things that, Heather, you need to try these and demo them.
So, I'm going to let you handle that.

Speaker 2 (22:28):
All right, so I'm going to pull the tool up.
So what ArtEx is, is it's a free iOS research and validation tool created by Ian Whiffen, allows the examination of extracted data and jailbroken devices.
So the tool has a ton of different features.
So I just kind of want to show some of the features.
I know I'm not going to hit them all.

(22:55):
There's a couple here I didn't even know it had, so I already pre-processed an iOS extraction.
It's a full file system from one of my test phones.
Information, exactly what you expect to be there: the Apple iCloud account, any numbers associated with the device, whether it be IMEI, serial number, unique device ID.
It has important dates.
So this actually has one of the important dates.

(23:17):
In an iPhone is the .obliterated and, if you didn't know what that was, it's the last time this phone was reset.
It's got settings.
So what time zone is my device in, different types of settings, message retention.
It has Wi-Fi, the MAC address, it has other network-related MAC addresses, and then it has information

(23:43):
about iCloud.
So one thing I wanted to show is, if you go to settings, you can actually go in the settings and view the installed parsers.
This will give you a listing of all the parsers available for our app.
I'm not going to read them all.
There's a ton, but check it out.
Installed applications, camera use, there's passcode changes, all

(24:08):
the different artifacts that ArtEx supports.

Speaker 1 (24:12):
And I love how Ian took the time to make a little icon for each artifact.
Like that's a lot of work.

Speaker 2 (24:19):
Yeah, definitely For each artifact that it supports.

Speaker 1 (24:22):
I'm like that's pretty neat, so I like that.

Speaker 2 (24:25):
So back out of the settings here and let me just cancel.
So under apps, there's a listing of the applications installed on this device, and it gives you the capability to extract the bundle or the sandbox application data for this device or for each application. Like you connect the

(24:46):
phone and it has to be, what, rooted?

Speaker 1 (24:49):
I mean not rooted, it's not an Android, jailbroken to get that, or no.

Speaker 2 (24:54):
I process my extraction.
Yeah, so now it'll extract straight up. Okay. Yep, so it'll extract that bundle from the extraction.

Speaker 1 (25:01):
Yep. I'm, because it also does some stuff live as well.

Speaker 2 (25:06):
Yeah, I haven't even tested it live yet.
I can't wait to keep testing things.

Speaker 1 (25:09):
Yeah, no, it's really really a lot of features, Yep.

Speaker 2 (25:13):
Then under the keychain tab is all the information that's pulled from the keychain.
So I have, I mean, here in the middle is my old Wi-Fi account, it was called Any Dancer. The Apple iCloud information is in here.
Anything you would find in your keychain you'll locate in this tab.
And then there's a contacts tab, so the contacts of my test

(25:37):
phone here, and it tells you where the contacts are coming from, address book.
And then I have three contacts that are being pulled from Discord.
But the timeline feature is awesome, so I pre-processed this.

(25:57):
But over on the left-hand side you can see all of the different artifacts and you can choose which ones to process.
Choose one and hit run up here on the left-hand side and it'll process that artifact.
I pre-processed all of them so it would be ready.
And then anything that you have checked will show up here in this timeline view.
So I'm just going to deselect them all.

Speaker 1 (26:21):
Yeah, and ArtEx is really timeline-focused, right, so it's really the key item is time across the different artifacts, so it's really good at timelining things and mapping things.
So if you're looking for mapping and timelining functionalities in your iOS analysis, these are great to use for that. I made the mistake of hitting deselect.

Speaker 2 (26:42):
All live on a podcast, though, and I now have the not responding, so I'm just going to continue.
Actually, I'm going to show a report from it while we wait for it to come back.
Yes, so let's see here, I have some reports that I created, and

(27:07):
I absolutely love this one.
So I created. It has the device details.
At the time of creating the report, I had the contacts checked, but this is the part I love the best.
So I'm always complaining that I hate reporting from every tool, and I always am complaining that I want a really good timeline and I want to be able to put the artifacts that I want into the boxes that I want them to be.

(27:28):
This is the closest I've ever seen to what I want for reports, so I'm going to just scroll down to September 23rd, because I know what data is in there.

Speaker 1 (27:41):
Hold on one second, so, and what we're seeing is pretty much a list of the dates, right, and there at the end.
What does it say at the end?

Speaker 2 (27:55):
So it says show.
So I'm going to grab Saturday, September 23rd, and hit show, and you have the artifacts that I chose to put into my report in a timeline format for the 23rd.
So I have health data here.
I have some Wi-Fi data.
I'm going to expand September 24th.

(28:15):
Got some more health data.
Have some Discord messages.

Speaker 1 (28:21):
The collapsing of the day is genius.

Speaker 2 (28:24):
Oh my God, I love it.

Speaker 1 (28:26):
I had no idea it did this. It's genius because then you can open whatever days you need and, you know, most timelines show you everything at all times.
Yes, navigating a little cursor through the timeline, you end up six months before, six months after where you want to be.
Right, right, right, and this is a really good way of controlling

(28:46):
that movement. Updates, so I have some Wi-Fi data here and I'm just gonna scroll down a little more.

Speaker 2 (28:52):
I have some images that have location data, and it has a little map with a camera and an arrow to where that image was taken. Oh, perfect, perfect, love it.
Images come right up in the, which I love, because there's a lot of tools that don't have the actual images in the timeline.

Speaker 1 (29:14):
I mean, if the media is not there, then what?

Speaker 2 (29:16):
I know, what's the timeline for the name of the picture? Oh, that's so helpful.
Data usage.
We've got some SMS that are received and then some phone calls on this date, so I absolutely love this timeline feature.
Let me see if ArtEx came back after I angered it.
Ah, wonderful.

(29:37):
I was afraid it would crash and it didn't. So.

Speaker 1 (29:41):
You just need a faster computer.
That's all you need.

Speaker 2 (29:42):
Right, right.
So I deselected everything.
So you saw a clear screen here.
When I deselected everything, I just rechecked the battery level.
Now I only see the battery level in my timeline, so I could potentially uncheck here the ones that I don't want and only choose.
Say, I only wanted one day of the battery level, just check

(30:02):
the day that I want.
So I love the timeline feature.
Was there anything else in the timeline feature that you learned in class besides what I've showed?

Speaker 1 (30:11):
Oh, no, no, no, I mean, you showed it well, that's fantastic.

Speaker 2 (30:15):
Yep, the chat view.
I love the chat view too, so all of the conversations are here on the left-hand side.
So I'm going to just flip to a Discord message.
You can flip to a regular SMS message and it all comes up in the chat view with the bubbles, which everybody's looking for for courtroom presentation.

(30:36):
This is beautiful for a courtroom presentation.

Speaker 1 (30:39):
Everybody's looking for them.
We had to put bubbles in our tooling as well.

Speaker 2 (30:43):
Yes, that's what people want. They do.
It just presents so much better if you have to go to court on a case. Then there's a Gallery tab.
All of my images are gathered here in the Gallery tab, and the Locations tab, so this one has some really cool features.

Speaker 1 (31:04):
That's my favorite tab.

Speaker 2 (31:06):
Oh my God, I didn't even know about some of the features in here today.
Ian just told me about it, so I have to show them.
But you can choose over here toward the left, on the top there's a button that says Sources, and you can choose which
sources you want your location data to come from, what you want to show.
We all know that, working in forensics, some of the

(31:28):
location data is super reliable and some of the location data is just not as reliable as others.
So if you wanted to just come in and pick your iOS cache locations, which we know from the cache SQLite are very reliable,
you can choose that and hit Update.
Once you hit Update, all of your cache locations are here.
The little maps on the side show where I was. This is.

(31:53):
You can see down in the right-hand corner it says Building 22.
That is the building that I work in, so I was most likely parked in the parking lot that day.

Speaker 1 (32:02):
Well, and I did like the triple view there, but you have, like, a real overview of, kind of, the cities around it, and a closer overview
of the roads, and then really zoomed in. All three, all three there.

Speaker 2 (32:14):
So that's, that's pretty, pretty awesome. Very, um, and then what I learned about today, uh, is he has a feature called Flip.
This is where you grab the locations that you want.
Say you want these 10, or whatever I just grabbed, highlight them, and then up on the top, toward the left-hand
pane, is a little book-looking icon and it says Create Flipbook.

(32:37):
If you click Create Flipbook it will turn them into, I'm going to show you right now, this nice view here, and let me
just, and then you can hit Play and it will literally flip through the locations that you have chosen to present.

Speaker 1 (32:58):
Oh, that's fantastic, because I mean, I think these are pretty static.
But if you have a data source that records locations with a short window period, it's like a little movie, right? It's awesome.
Yeah, moving around the road, parking, doing whatever, right, and it looks like a little movie going across as it moves.

(33:19):
So it's pretty neat.

Speaker 2 (33:21):
I'm going to flip to the other one, because this one will actually show some movement down the road here.
So this one, you can actually see the device moving on the Adirondack Northway, which is in New York near me.

Speaker 1 (33:32):
That's exactly what I was talking about.
Yeah, perfect.

Speaker 2 (33:34):
Yeah, there's the option for this flipbook to save it out as an HTML or to save it out as a video.
I cannot think of a better courtroom presentation for locations than this.
I don't think that I know of another tool that does it like this.
And I was just so excited today because Ian sent me an email:

(33:56):
try the flipbook.
I'm like, what is the flipbook?
Can you tell me what to do?
And he showed me what to do and I got this done right before the podcast for the presentation.

Speaker 1 (34:05):
So, and the folks who are listening, either watch it or download it and try it yourselves. Oh yeah, we're looking
at, obviously, a vehicle, you know, going down the map with little arrows indicating directionality.

Speaker 2 (34:16):
Uh, it's, it's great, I love it. And then, of course, uh, the very last tab. Here you have your directory, so you can navigate
through the file system.

Speaker 1 (34:29):
But the tooling, and this is what Heather showed from an extraction, but the tooling has features where, if you connect a device
that's been jailbroken, you can do your research pretty much live.
You can look at, interact with the phone and immediately look at ArtEx and see the contents of whatever databases you're
working on and see those changes live.
So instead of having to download the phone every single

(34:51):
time you want to see a change, you can make the change and immediately look at it through the tool and continue your research.
It's such a time saver.
So if you're interested in doing iOS research, get a phone that you're able to jailbreak and you can use ArtEx to do that
work. Yeah, definitely.
I don't even want to take it off the screen because I'm so excited about this location. We should put it as like a moving

(35:14):
background to all the episodes, of the maps going around, the arrows moving.
It's pretty neat. It's really cool.

Speaker 2 (35:21):
I can't wait to actually go use that feature in one of my cases.
I have not yet.
So very awesome work by Ian Whiffin.

Speaker 1 (35:30):
Absolutely, absolutely.

Speaker 2 (35:33):
All right, and I'll have the link to download that in the show notes too, that everybody can find now.

Speaker 1 (35:39):
And the best is the price, right? Oh yeah.

Speaker 2 (35:42):
Yeah, the price is awesome.

Speaker 1 (35:45):
So just get that.
You won't regret it.
It's good stuff.

Speaker 2 (35:50):
So recently I came across a couple of articles in Forbes magazine and they are referencing the use of manual previews of phones,
so like video recordings or photographs of phone data or screenshots, and whether or not they have the capability to hold up in court.

(36:12):
The Forbes articles were both written by Lars Daniel, and if you don't follow him on LinkedIn, he's got some really good stuff.
But the question is, can screenshots of text messages be used as digital evidence in court?
Is simply taking a screenshot of a text message, is it enough

(36:34):
to use, and is it reliable enough?
I would say my opinion on this is no.
They're really easy to fake.
It's hard to authenticate.
There are editing softwares out there, there are fake message generators out there, and it's really easy to manipulate device
settings, which these articles, the two Forbes articles, actually

(36:54):
outline very well.
What are your thoughts?

Speaker 1 (36:58):
It's tough, right, because we don't always have access to devices in order to pull the data out.
And what I mean by that is you can have the password, right, but the device, let's say a latest-version mobile device, you
can see it on the screen, but the tooling hasn't caught up to it enough to pull it out.
And what do you do?

(37:18):
Well, there was no crime, because I can't take a screenshot?
And so let me make a different, at least from my perspective, there's a differentiation between taking a screenshot with
the device and taking a screenshot with a third device.
Right, and I say that because my process is, if I find myself there, I will take a camera, and I don't take pictures of the screen.
I take videos of the screen.

(37:42):
I mean, could my video of the screen as I scroll through be, um, you know, altered?
Well, sure, that's always possible, but I think that, showing my process as I thumb through the phone, you can see
my finger going through it step by step, step by step, um, it's, it's a little bit more credible than taking screenshots with
the device, which again will be altering the device to begin with and then trying to go through certain processes to get

(38:06):
it in my video.
I think it's a little bit better.
I start my video as I would start a recording, a voice recording: my name is so-and-so, today is the day, this is the time,
you can see the time on the phone, we're going to preview the certain, or look at data within the application through the
device itself, and I start doing my work. Again,

(38:26):
that shouldn't be your normal practice, at least from my perspective.
Like Heather is saying, if you have a tool that does the extraction, then do that.
Do that. Always.
Go do that.

Speaker 2 (38:35):
Oh, 100%. Always.
If you have that capability, always, yes.

Speaker 1 (38:41):
You're going to solve so many problems before they even start.
Okay. In regard, but sometimes we've got no choice, so we have to do the best we can, and my perspective is taking a video
camera and recording from the screen itself, not to take screenshots of it per se, if that makes sense.

Speaker 2 (38:58):
Right. My worry too.
I mean, if it's all you can get, it's all you can get, there's nothing more you can do about that.
But just taking screenshots of the text messages, what are we missing?
Are we, we're missing possible exculpatory messages that were deleted, because we don't have access to deleted through a
manual preview that way, um, or possibly just being able to

(39:23):
connect the dots and seeing the entire picture.
I don't think I could ever do that through a video of the evidence versus having the full extraction.

Speaker 1 (39:28):
Well, I mean, so somebody takes some screenshots, right, and you're the expert on the opposing side, and they go,
please validate the screenshots.
How am I, how am I supposed to validate these screenshots?
What you're asking me is to square a circle, right? Like, you know, give me, give me a square without any angles.
Well, you can't do that.
I cannot validate that, right?
I know you're laughing, you know, I know, you know, I am so,

(39:51):
so, uh, so you can't do that, okay. And, um, you know, I had a meme some time ago, and I'm not gonna butcher the joke on this
one, all right. Uh, there's a, there's a scene in Spider-Man where, uh, you know, Osborn, you know, the Green Goblin,
before he turns Green Goblin, uh, he has a conversation with Peter Parker and he tells him, I'm somewhat of a scientist

(40:12):
myself, and explains why, right? Well, the joke is that an IT person sees some chats that are important, goes and screenshots
the chats, deletes the evidence, because I have the screenshots, and says, I am somewhat of a digital forensics examiner myself.
Let me show you why.
Look at my screenshots, right, and that's kind of the punchline of the joke.

(40:32):
Well, no, right? We need traceability, we need the verification of that data, and with just plain screenshots
you're not going to get it. If you find yourself in a position to only have to do screenshots,
you got to think of ways: how do I, am I able to verify or validate my work, by verification of this data, of these screenshots?

(40:54):
What's my best evidence?
Right, and I think that's something that the, I'm going to jump ahead because I love the concept of best evidence. A
little bit of a soapbox moment. The courts, from my experience, I'm not your, I'm not a lawyer, even though I
stayed at a Holiday Inn last night, um, old joke, people that watched TV back in the day, um, best evidence is important.

(41:14):
What is best evidence?
The conversation that we're having right now, that we're listening to.
Let's say you were here in person.
What you heard is the best evidence.
You heard my voice, but now we have a recording, now pulled out to the world.
Well, my voice, after it leaves my mouth, it dissipates in the, in the air.
Right, then what's my best evidence?
Or your recollection, and what's even better, a recording.

(41:36):
And then now the recording is your best evidence.
But what happens if, if Google burns down and this is lost?
Well, guess what?
We have another recording, an audio recording in Buzzsprout in the podcast.
Well, now that's my best evidence.
So the courts will look at your piece of evidence and will ask you, why didn't you get the best evidence?
Why did you get your best evidence?

(41:58):
Why are you taking some screenshots when you could have done an extraction?
You could have done this.
You could have done an extraction, you could have done this.
You could have done that, right? And I think the courts will lean towards not accepting those because they are not your best
evidence.

Speaker 2 (42:11):
Right, yeah, I agree.
So there are some court cases that were referenced in these articles.
I'm just going to read one.
So, United States v. Vayner.
So in this case, a screenshot of a social media profile was introduced as evidence.
However, the court ruled that the screenshot lacked sufficient authentication, pointing out how easily digital content can

(42:33):
be fabricated or altered.
The ruling underscored the need for proper forensic verification of digital evidence to ensure its reliability, and
it goes along the same lines as what you're saying.

Speaker 1 (42:43):
Well, and the comment you put up from Brett, and again, I always love Brett when he's in the chat, he always brings so
much good input into the conversation. He's saying that best evidence is dependent upon the totality of the
circumstances, and that's absolutely correct.
That's why I was mentioning, if I find myself in a position where I cannot do the extraction and I have to look at the thing,
the circumstances,

(43:05):
I explain them, note them, take a video of the screen, try to put some validation of me talking through the process and
seeing my hand, just to show the whole concept.
But at the end of the day, the circumstances are important and the courts will judge that, which means you need to make
sure you record those circumstances accurately and detailed in your notes, contemporaneous notes, properly

(43:29):
initialed and dated for that to be able to be considered.

Speaker 2 (43:33):
Besides just us doing manual previews for screenshots too, the articles also outline when a victim gives a screenshot.
Right.
So Lars actually outlines a real-world example in a case that he worked on, where a defendant was sent to jail for
violating a restraining order between them and the defendant,

(43:54):
and the messages contained threats, including threats of bodily harm.
The writer and team questioned the reliability of the text messages and ultimately proved that the victim had faked them,
so, after spending six months in jail, the charges against the defendant were dropped and he was released from jail based on

(44:16):
this evidence.

Speaker 1 (44:18):
That's amazing.
That's amazing.
Look at what could happen if we don't take the proper steps.

Speaker 2 (44:25):
Yeah, definitely, we'd get the best evidence. Yes, I, I go for the full extraction anytime you possibly can. Yeah,
and if you're not able, document, document, document.

Speaker 1 (44:37):
And if you think you have enough documentation already, document some more.

Speaker 2 (44:41):
Just, yeah, yeah, document everything. All right, let me, so, um, digital experts are no longer needed in court.
Did everybody know that we don't need them anymore?
We've all lost our jobs.

Speaker 1 (44:56):
So, so this, go ahead. I got, I got triggered when I, when I came across this, this thing, but then I, then I calmed
down as I'm reading through it.

Speaker 2 (45:07):
But yeah, go into it, go into it. So this week, um, if you weren't part of the, I think over 100 comments now,
uh, there was a social media post on LinkedIn, uh, by Andy Garrett.
Andy Garrett is a digital forensic expert in the Orlando area and I'm just going to read his post.
So his post says: anyone paying attention to what the courts

(45:27):
have been sold lately? Prosecutors are saying that digital forensic experts aren't needed anymore, that Cellebrite
reports can be understood by a jury and no expert testimony is needed.
The courts agreed.

Speaker 1 (45:42):
Yeah, and I got immediately triggered by that, but you and me both, but I had to, I had to step back, especially
after reading some of Brett's comments, and think, okay, well, before I get too triggered, like, what case is this?
Right, I need to know the details, because that's, and again, I mean, I mean maybe, maybe, uh, Garrett couldn't, maybe, talk
about the case.
Maybe it's an ongoing case or something, so maybe he did not

(46:02):
give details, right, but my thought process, and reading Brett's comments, you know, the context is important, right.
Why did the court determine that an expert was not needed in a particular scenario?
That's important, and it might not be as bad as it seems now.

(46:25):
That being said, right, why I'm still a little bit triggered is because I, I see in, in, and tell me if you agree with
me or not, I see across prosecutors, defense attorneys, even, even folks that work in this field, this, this concept of,
hey look, I just get the tool output and if it is there, that's all that I need.
Right, do I really even need to testify to it?
The tool did everything that is needed.

(46:48):
And as long as I put tool output in the hands of the juries or the judges or the stakeholders, I should be good
to go, and kind of minimizing the role of the expert in interpreting and analyzing the data.
And that's still true, even if that particular case doesn't show that, if that makes sense.

Speaker 2 (47:07):
Right, yeah, I don't know.
Experts are needed.
Experts are definitely needed.
I know we were talking earlier about, like, the non-expert that does the extraction.
Right, they repeat the process over and over again and they have, I think you said, their SOP, and maybe they don't
have to be the type of expert

(47:32):
like we are, right, like everybody in the chat is, how they're able to understand and explain the analysis and what
all of the artifacts mean. Um, but when, where does that end?
So, um, I don't know.

Speaker 1 (47:51):
I think I'd rather have experts working the case from start to finish.
In my opinion, I mean, I mean, in, in, in an ideal world, I think that would be the best-case scenario, right? Yeah, um,
but how many?
How many experts do we have to handle that?
Right, versus how much work needs to be done, right? That's the problem.

Speaker 2 (48:06):
Yeah, that is the problem.

Speaker 1 (48:08):
Most labs are backlogged, and I know you do a lot of work, so, even without you telling me, I would assume there's some
backlog in your lab.

Speaker 2 (48:15):
Oh yes.

Speaker 1 (48:17):
I mean, labs that do work will have backlogs.
That's just how it is, because there's always more demand for the service than the folks that are available to provide it.
So what's the solution?
What's the middle ground here?
I have an opinion on that.

Speaker 2 (48:30):
I said I don't know. I just don't.
I mean, there is, there's a backlog.
There has to be a happy medium somewhere in the middle where the data is getting out quickly so that maybe somebody who isn't
fully trained in forensics can read the text messages or go through the call log.
But it just worries me on how much of that responsibility we

(48:52):
put on somebody who's not technically trained.

Speaker 1 (48:55):
Oh, I mean, and I agree with you a hundred percent.
So this is my solution.
It doesn't mean it's the solution or the best solution, just something to consider.
I think that we could define a technician role, where the technician will make sure that they extract things, and they
handle the tooling that does the extractions, and make sure that they follow a standardized procedure for how to do the

(49:18):
extractions from all types of devices.
And as devices change, those standard operating procedures will change with it, and they will have knowledge kind of
constrained to the extraction process.
Anything above that regarding parsing and analysis will go to a qualified expert, and that doesn't mean the expert has to
do expert analysis in every single case.
Of course.

(49:38):
I've done a whole bunch of cases where the only thing that's needed is a chat and everything is there.
There's nothing else for me to do.
All that's needed is in the chats.
I don't need to look for 20 more dots because that's all we need, and that's not expert testimony.
But this is the thing, and Brett was making a great point in regards to the context of the case.

(49:58):
Somebody provided some case example where this happened, and in that case the court determined that an expert was
not needed to just operate the tool and show that output, in light of it being extra evidence.
Like, the case was already proven 20 ways over before it

(50:21):
got to that, right.
So, you know, I guess a concept of inevitable discovery, in the sense that we have so much evidence that this little thing
is not going to make a difference, right, and that's the context that maybe Brett and others point out, that there's
different contexts for these.
Now my point is, what happens when we think, oh, this is just
Now my point is what happenswhen we think, oh, this is just

(50:42):
item number 20 of all the evidence we have.
That's plenty, right? And at court it shows that that piece of evidence has a more profound meaning, right, during trial.
Right, and it became something irrelevant to something really important, right?
I think we'll be in a better position if an expert is available or has touched that evidence in order to go into it.

(51:04):
Okay, because people can only speak about the work they've done, and that work they've done is informed by their experiences
and by their training, and I want the expert, if things go sideways at trial, to be the one in the seat, in the hot seat,
and the courtroom is the coldest place in the world.

(51:25):
It's not the North Pole, it's not Antarctica, it's the courtroom.
It's the coldest place in the world.
Is it true or not, Heather?

Speaker 2 (51:32):
Yeah, oh, yeah, definitely.

Speaker 1 (51:35):
I don't care what courtroom you go to, it's always going to be cold, yes, but that witness seat is going to be hot,
and I want my expert to be sitting there if things go sideways, right.
So I think there's a lot of words to say, yeah, some roles can be a technician role and some roles can be an expert role,
even if every expert role does not lead to expert testimony,

(51:59):
and I think that's kind of the solution that I think we need to try out and see how that works.

Speaker 2 (52:05):
Yeah, I think to kind of differentiate between when you need a technician and when you need an expert, we need to
be educating our prosecutors about digital forensics more.
If they have a better understanding of what we do, how we do it, why we do it, what things mean, then they'll know
when they need that expert for their case.

(52:26):
I know it's extra work none of us want to do, but if they don't understand it, then we run that risk of possibly having the
non-technical person testifying to something an expert should be testifying to.

Speaker 1 (52:39):
Well, and the drawbacks that come from that?
Because that person that doesn't have the experience and the training will not be able to convey to the jury or the
stakeholder what they need to know about it.
Right, good point here by Brett.
You want to read that?

Speaker 2 (52:53):
So, digital forensic evidence should be, at a minimum, reviewed by the organization's expert before it's submitted as
evidence.
Peer review, 100%.

Speaker 1 (53:04):
Yeah, and that's something that, for example, we do in some organizations, where your trainees and all that, they
can do the work, but it's not going out the door.
We have the expert signing off on that work on top of it, yeah, to make sure that it's properly done.
So that's that.
That comes to a kind of, like, a peer review concept as well, um, but also kind of that seal of approval from somebody that has

(53:24):
the actual expertise to speak about those things.
So that's a good point.

Speaker 2 (53:28):
Definitely.
I think part of the problem too is we're all being sold, being told about the quick, the easy, the faster data that we're able
to get from the tools, and that's kind of, it's kind of downplaying the actual forensics behind what we do.

Speaker 1 (53:46):
The word sold was correct, you didn't need to change it.
We are being sold, literally.
We're being sold, yeah.

Speaker 2 (53:53):
And it's just not.
It's not.
Sometimes it can't be quick, it can't be just easy.
In my lab things go wrong constantly, obviously, I mean in all forensics labs.
But my favorite thing to say to the newer people is, welcome to forensics.
Nothing's quick, nothing's easy.
Things go wrong and you need experts to be able to handle that.
And I don't know, I don't.

(54:14):
I don't like the advertising of everything's just here.
Push this button, quick and easy, and we're all set.

Speaker 1 (54:20):
Or go to the bootcamp for a week and you're an expert.

Speaker 2 (54:22):
Yeah, exactly, exactly.

Speaker 1 (54:26):
I made two comments, but something real quick, 2025 for me.
I got three concepts I want to really kind of build on, as I do my social media outreach and all that, and one of those is
probity, so the quality of being a moral agent as you are an investigator and a forensic examiner, your morality and your
values, that you do your work.

(54:46):
Another one is attention to detail.
Attention to detail is making sure that you're not missing anything and you're, you know, looking for the things, the
small things that could make the large difference.
That takes time, speaking, going back to the point that we're making, right, and, and the third one is, probity, attention to
detail, and due diligence.

(55:07):
Due diligence. We can't just go with the superficial.
Oh, I got two or three things.
Well, we are required to look at five, six and seven as well.
And even if you know that you're not going to find anything, you still have to do it. You do your due diligence.

(55:28):
Those are the three main things I want to focus on in 2025.
And I say that for myself first, but also towards others, and all those things take time.
You cannot rush through them, right.
There's backlogs, it's true, and folks, don't think we hate toolmakers or hate tools.
We love tools, we need tools.
Heather just spent 20 minutes loving a tool.
I do, praising a tool, right, but the tools are only as good as

(55:50):
the person driving them and doing the work behind it, for that verification of data or validation of the tool, the
process as needed, and that cannot be overlooked.
Tool vendors, and I understand it's a business, are not going to be upfront with the flaws or the limitations of the tool
because they're trying to sell you something.
So they're going to want to be upfront with their best foot

(56:11):
forward.
I get it, I get it, but we have to look at the marketing and be skeptical and conscious consumers of that marketing.
We're going to use the tool, we're going to buy it, but be realistic and look for where are the gaps, because our job is
filling those gaps to make sure we have a good product and good

(56:34):
outcomes.

Speaker 2 (56:36):
I'm going to read Brett's comment.
The medical field has CNAs, LPNs, RNs, APRNs, CNLs, PAs, and then the doctors, the experts.
DFIR will probably end up the same way because of backlogs.

Speaker 1 (56:53):
You know, and it's true. What I like is the answer from a person that we love.
She's saying that, well, actually the medical laboratory scientists are the real medical field experts, and I'm laughing
because I've seen sometimes the nurse telling the doctor, hey, you shouldn't put that medication on the other.

Speaker 2 (57:11):
You might kill the patient.

Speaker 1 (57:12):
And the doctor is like, oh yeah, that's right.

Speaker 2 (57:16):
So that would be my sister.
She's a medical laboratory scientist, just in case you didn't get that from her comments.

Speaker 1 (57:24):
No, good stuff.

Speaker 2 (57:31):
We love you, Holly. So I'm going to skip down a little bit because we're getting close to our hour and we're
going to save some of our topics for next podcast.

Speaker 1 (57:44):
But let's hop down to what's new with the LEAPPs.

Speaker 2 (57:45):
Oh, there's a lot. There is a lot.
So that's why we're going to hop right down to it, by somebody that's awesome and incredible.

Speaker 1 (57:51):
A cool programmer, developer, that's just, at first, it was kind of getting off the nest, a little bird.
But now it's flying.
Can you tell us who that is, Heather?

Speaker 2 (58:02):
Well, yeah, Johan's students created a parser this week.

Speaker 1 (58:06):
Yes, that's true, but that's not the bird I'm talking about.

Speaker 2 (58:12):
The other bird.
So actually, so I created a new parser for ALEAPP and it is the Google Keep Notes.
There already was a parser for the Google Keep Notes, but Google Keep Notes changed, and I found that out in one of my
cases when I parsed it with all of the tools I have available to me, and the only thing in the notes that was being parsed

(58:33):
were the timestamps and the title of the notes.
I was missing the entire body of the notes and attachments of the notes.
So I needed that, went into the database, found the note, it was actually very pertinent to my case, and had to figure out how
to report on that.
So I, with the help of somebody else who's pretty awesome and

(58:59):
might be a co-host in this podcast, just saying, um, was able to get the data that I needed for my report, and that case went
out.
Uh, so, and it's up on ALEAPP now. I'm just waiting for somebody to approve it.

Speaker 1 (59:16):
Kevin, get on it.

Speaker 2 (59:18):
Kevin's looking at it for me, and I actually took the time to write a blog on it, so I'll post that in the show notes.
I don't have it right here with me to put up on the screen, but so the way Google Keep Notes works, though, I parsed, or am
able to parse, the section where the notes are stored.
But you also can, um, share notes in Google Keep, so there'll be

(59:40):
a creator of the note and you can add collaborators to notes.
That part, that part I don't have, um, completely figured out yet, but I'm working on it, and I've put in the blog the
sections that I have figured out so far. And a quick comment there.

Speaker 1 (59:59):
I love that.
You know, the process, the thought process.
Heather goes to the tools.
What's her assumption?
Oh, there's no notes here, because the tool didn't give me any notes.
No, she went in and made sure she was not missing something there, and she immediately discovered that the tools now
had a gap.
They didn't have it before, now they have it again.
They had to be careful. Those assumptions, just because it did it in the past, doesn't

(01:00:22):
mean it's gonna do it in the future.
Yeah, and now she filled that gap, and now we all benefit.
Now I benefit, now I run the tooling and I can find those notes that the tooling, other tooling, doesn't found, doesn't
find, true, sorry.
So thank you, Heather, for sharing that with everybody.

Speaker 2 (01:00:35):
I've got to throw the ALEAPP report up too, even though it's not there yet.
So now we have the time created, the last updated time, the last time the user edited the note.
This one is a note with more than one image, which I got help with, and let me tell you, the help with.

Speaker 1 (01:00:55):
It wasn't that much help. I, I gotta, I gotta give her so much credit because I used, I used, I saw the parser, right, so the
background, and I saw the one picture per row of her record and I'm like, Heather, what is? There is two pictures.
She's like, oh yeah, they might have more pictures.
And look at some sample code that I directed her to, and she figured it out.
So really proud of you.
That's well done.

Speaker 2 (01:01:18):
Well, thank you.
Also with the LEAPPs, though, Johan, who we talk about all the time, that is a major player in the LEAPPs.
He had his students create a parser for the app PayByPhone.
It's an app that he says is widely used in Europe.
I've actually never heard of it, so I looked it up to see

(01:01:40):
exactly what it does.
It's a quick and easy way to pay for your parking, and the app actually has the functionality to pin the location of a
vehicle once it's parked, so that the user can easily find the vehicle when they're trying to return to it, which, we all
know, based off of that, we'll have some beautiful location data.

Speaker 1 (01:02:01):
Oh yeah, and the fact that now folks from overseas to us, from the US, they're adding to the tooling, to the LEAPP tooling, that's something that makes me, you

(01:02:29):
know, emotional in a positive way, because it's not just folks in the US, it's folks in Europe, folks in Africa, folks in, you know, Australia, New Zealand and Japan, that now we're kind of building that worldwide community. One of our key developers right now, and he volunteers his time across the sea now to benefit everybody around the world. So I do appreciate that and I would want to make an invitation to listeners that if you're involved in the educational sector, as an instructor, professor of forensics or computer science, look for projects like ours that are

(01:02:51):
open-sourced and you can mix in within your lessons the applicability of your lessons through the development of these tools. In his case, his students learn how to look at unparsed apps, how to identify items of interest and then automate those results in reports that are easily digestible to lay users. And they decided to use the LEAPPs for that purpose, and

(01:03:14):
Johan told me that the students loved the project. They really felt that it was a worthwhile endeavor and that their knowledge, their academic knowledge, had an actual real world application and that they can point to. And not only point to as a self-fulfilling aspect of their studies, but also when you go out into the real world and work, you can point to those projects that had an impact that

(01:03:37):
you were part of. So educators will be happy to have you, and not only to code. If your students do technical writing, we'll be happy to have them help us with some of the documentation for the tools or do some graphical work. We'll be happy also to receive collaborations on those. So please reach out to myself, to the podcast social

(01:03:57):
media aspects, and we'll be happy to get in touch and maybe work together on expanding the tooling and expanding your coursework. Nice.

Speaker 2 (01:04:06):
I think you have some stuff to talk about with LAVA, correct?

Speaker 1 (01:04:10):
Yes, it's hot, it's molten rock hot. So I think I mentioned at the beginning that we got the LEAPPs Artifact Viewer App, called LAVA, and on Monday, like I said, myself and James, we gave a demonstration of the tool. So that's what I'm going to do today.

(01:04:30):
Let me just share my screen so we can do that. Share my screen here. I'm going to share the screen that doesn't have all the junk. That's actually clean. So, entire screen. Here we go, boom, all right. So we got a clean screen here and the first thing I'm going to

(01:04:52):
show you is how the LEAPPs. When you run the LEAPPs, specifically right now, iLEAPP. We changed a few things. Can we see that, Heather? Yes, the LEAPPs folder. Right. So you run the LEAPP tools and if you're not familiar with the LEAPPs, I explained that at the beginning. But you can go to github.com/abrignoni and you'll see

(01:05:17):
all the repositories for the LEAPPs. You can download them and play with them. When you take an extraction from an iOS device and run it through the tool, you're gonna get a report like the one here on the top of my screen. It's named iLEAPP reports and the timestamp for the day the report was run. Now, the way the reports are organized, you will see it's just really clean. You will see an HTML folder with all the HTML reports

(01:05:37):
for the artifacts that were discovered by, or to say discovered, I should say parsed by, the tool. Before, it didn't used to be this way. I would have, it's my fault, I would have HTML reports all over this directory. It was kind of a mess. So Johan and Kevin and John and James kind of helped me clean

(01:06:01):
this up quite a bit. Now the important things here are these two files, _lava_artifacts.db and _lava_data.json. These are now, as we update the LEAPPs, they will be producing this in your report. That's what the new viewer will necessitate in order to show

(01:06:23):
you the data in a different way. Okay, so let's keep that in mind. I'm going to show you here a super alpha installation of LAVA. That's why it has an extra A at the end. So this is not production quality yet, but I want to demonstrate that for the folks here in the show. So I'm gonna run it, and what we're gonna see here, right

(01:06:45):
now on the screen, is an Electron app that has React running in the background to do this type of work. It says LAVA 1.0, part of the LEAPPs family, and there's a display settings, and I start there with the display settings, under theme settings. You can go to light, like that. If you want to burn your eyes, you're free to do that. Like Heather, I guess she might use shades when she's sitting

(01:07:08):
at her computer.

Speaker 2 (01:07:09):
I set the LEAPP report that I showed tonight to dark.

Speaker 1 (01:07:14):
Well, thank you, you're welcome. All the vampires, we'll use it as dark, right, and then you can open a project. So what you do is you have your LEAPP report that's compatible or compliant with the LAVA viewer. You're going to hit open project, go to your LEAPPs report, oops, there we go, and then select that _lava_data.json and hit open. The

(01:07:39):
project will open that data, look at the database and populate the fields. This is a limited data set. It's quite small, but you will see here on the left all the artifacts. In this case it's user activity. It's gonna be three artifacts with 163 records on those. So if I open it, you'll see how it's broken down by artifact and

(01:08:00):
how many records each artifact has. The more artifacts are parsed, the more you'll see here on the left pane. I want to make a quick note here. In the demonstration we did on Monday, James made a synthetic data set, so it's not real data, but it looks like real data to

(01:08:20):
run on LAVA. The thing was that he used over 2 million records for that piece of data and LAVA is able to display it in a blink of an eye.

Speaker 2 (01:08:32):
That's insane.

Speaker 1 (01:08:33):
It's insane fast. I couldn't believe it. The issue we were having, that's why we're moving to LAVA, is that originally the LEAPPs did reporting, HTML reporting, and HTML's, if it's a really large HTML, your browser will crash, and you will tell me, that's really stupid, why do you select HTML? Well, you know, I can only do what I could do when I could do it with the knowledge I had at the time, but this is not that

(01:08:57):
weird if anybody has processed lately, or looked at a return from Meta, Instagram or Facebook. What are you receiving, Heather? Do you know what you're receiving?

Speaker 2 (01:09:08):
I don't get a lot of returns, but I have heard that it's just tons and tons and tons and tons of data in HTML.

Speaker 1 (01:09:16):
Yeah, it's one HTML with five gigs of data. Yes, I mean, you can't see it. There's no browser in the world that can open it. Right, it's ridiculous, right? So you know, even Meta still does this, right. So I don't feel that bad. But we have to think of a solution, and I'm so grateful for

(01:09:38):
James and Johan and all the crew that we came up with this, right. And again, that's a plus to James. He's kind of spearheading this part of the project where now we can look at all these really large amounts of data pretty quickly. For example, I hit here the keyword application usage and let me put this in and it loads there. You can see there all the different data that you can see,

(01:09:59):
again these are really simple artifacts. They're not large ones, but the ones that James showed were millions and millions of records. If you hover here over the dates, you get a cool view of different time formats in ISO, UTC, Unix epoch, and from how

(01:10:21):
far away that timestamp was generated, for example, a year ago, two years ago, three months ago, which I really like a lot. And if it's DST, leap year, it's fantastic. And the tool also allows you to change the offset. If you go to display settings, you can go with date and time settings and then you can select, and I know this is something that Heather will appreciate, you can select any time zone that

(01:10:45):
you care about, because Heather's a heretic and she does not believe in UTC.

Speaker 2 (01:10:51):
I don't, I want it in my time zone.

Speaker 1 (01:10:55):
Yeah, I don't know.
You're an infidel.
You need to do things in UTC.

Speaker 2 (01:10:59):
It's the daylight savings time. I don't want to have to try and figure out what date it changed up on the stand and get it wrong. I just would rather have it account for it for me.

Speaker 1 (01:11:08):
Well, until you understand, and you have one timestamp that's DST and another isn't, and they're both from two different time zones and you're trying to testify to those. Good luck.

Speaker 2 (01:11:18):
I know, I know. I still want my time zones.

Speaker 1 (01:11:22):
No, I'm also kind of being, I'm kidding. We need the time zones. I mean, we need the time zones. We need to make this understandable to our users and they're not going to deal with UTCs. So I'm just trying to be quasi-funny. So, yeah, it's right here, you can change it and you can change the date format. I believe only in ISO date times. But hey, you want to also be a heretic and change the date format. You can also be wrong and change it here.

Speaker 2 (01:11:46):
That's not wrong.
I like Brett's.
Brett's suggestion is right.
The world needs to be on UTC,one time zone for everybody.

Speaker 1 (01:11:58):
I mean, the world is, it's just that we don't want to accept it. I mean, UTC itself is not a time zone, right, it's just a time. Yeah, that's true, a time zone is an offset of UTC.

Speaker 2 (01:12:09):
See, now I'm getting pedantic, very picky, very picky.

Speaker 1 (01:12:14):
Yeah, but yeah, so these are the settings. Yeah, I get distracted easily, squirrel. So in this type of view, we're going to add a whole bunch of stuff to it. We're going to add some, the media viewer, which we're working on, we're going to add, hopefully, you know, in the future be able to generate sub reports, kind of tags and bookmarks, and then generate sub reports of that, export formats.

(01:12:34):
And now we're taking the work that was done at the parsing stage and kind of segmenting it. So the parsing is the parsing. All these display enhancements or conversions will happen apart from the parsing. And this is a good separation of responsibilities on the tool, which gives us a lot of flexibility moving forward.

(01:12:56):
I want everybody to, if you could, go to leapps.org, L-E-A-P-P-S dot org. Thank you so much, and please sign up for notifications. If you sign up, we'll let you know when the latest LEAPPs, be it iLEAPP, ALEAPP or whatever, have been updated and there's new binaries for you. And we'll also let you know when LAVA will, when it's ready

(01:13:19):
to be released. We'll announce it through that list, that notification, that LAVA has been released. So please sign up for that. The page right now is just a sign up form, but in the near future we're going to make a full feature website that talks about the tools. We'll have documentation. We'll talk about LAVA and point you to the right places to get the right things. So we're going to hopefully build on this website moving

(01:13:42):
forward.

Speaker 2 (01:13:44):
Very cool. I can't wait until it's released. Very excited.

Speaker 1 (01:13:49):
Again, the speed and all the things that we're building. Again, I've been blessed to have such great folks around me, including you, of course, experts, colleagues and friends, so it's a good big, in the holiday spirit, it's a big work of love.

Speaker 2 (01:14:11):
A big work of love. Okay.

Speaker 1 (01:14:13):
Oh, come on, come on, I love it. Just vibe with me, please.

Speaker 2 (01:14:16):
It's perfect, it's perfect.

Speaker 1 (01:14:20):
Thank you, Heather, thank you.

Speaker 2 (01:14:23):
All right, so everybody's favorite time, Meme of the Week. Yeah, let me share, let me share. Ah, there we go. So the meme of the week this week is a tree, and the tree

(01:14:44):
says the apple doesn't fall far from the tree. And then you see a little apple on the tree and it says, if it is not on the automated tool produced report, it doesn't matter. And then you see the tree throw the apple, and I think it's perfect. Perfect example of not everything is in your automated tool report.

Speaker 1 (01:15:04):
It's an express example of what Heather will do to you in her lab. Yes, she will open the window and throw you out the window really far away, like the tree threw that apple really far away.

Speaker 2 (01:15:14):
People actually say this to me in the lab just to irritate me. I haven't thrown anybody out the window yet, though. Yes, coming.

Speaker 1 (01:15:25):
I made this joke because I hear that too often and it, yes, kills me. So, yeah, you're gonna be falling really far away from me. Because, no, I made a point, and I was interviewed for the Forensic Focus website a couple of days ago, so that should be

(01:15:46):
coming out soon. And I made the point that the real job of a digital forensic examiner is not to show what the tool finds, all right. The job, the real job description, is to find the things that the tool doesn't, right, and that's a big difference. Right, we're finding things, but the things that the tool

(01:16:07):
doesn't. That's, I think, the really important piece of my job. Not the only thing, even the thing the tool finds I need to verify and all that, sure, but the core value that I bring is finding what the tool cannot find, and that's job security until the end of time. Until the end of time, yes, you will always have job security,

(01:16:28):
because there will always be things that are missed or misinterpreted or that were shown before and then disappeared later, a new version, and our job is to find those, fill those gaps and make sure we have a complete picture of the events under our care.

Speaker 2 (01:16:47):
Couldn't agree more, 100%. I love this meme and it illustrates that beautifully.

Speaker 1 (01:16:52):
Print it, put it on the meme wall.

Speaker 2 (01:16:53):
Oh, it's going on the meme wall. Definitely. I need to refresh the meme wall anyway.

Speaker 1 (01:16:58):
Take some down, put some new ones up, yeah. Oh heck, yeah, you know there's plenty, plenty to choose from, so look, as things happen in this field, there will always be memes right behind them. So, and if folks have ideas for memes, then send me some. I cannot reveal who gave me some ideas, because you know I don't want to get in trouble, but some of the best memes come

(01:17:19):
from folks saying, hey, I had this experience, and I'm like, that's right, me too, let's make a meme about it. You know.

Speaker 2 (01:17:26):
Definitely. That's all I have. That's all we have for the week. Yay.

Speaker 1 (01:17:36):
Thank you for all the folks that, you know, took with us a little bit over time today. I think it was a great episode. Thank you, Heather, for all the work that you do, both for the community and for the podcast. You're the best.

Speaker 2 (01:17:43):
Thank you for all the work you do.

Speaker 1 (01:17:46):
And I hope that your holidays are awesome, that you get all the toys that you want, all the electronics that you want from Santa Claus and or from the Three Kings, if you're Hispanic like me.

Speaker 2 (01:17:59):
The Three Kings, you know, on Three Kings Day, so, I hope that happens for you. I hope you have a wonderful Christmas as well, and, yes, you'll be getting Legos, I'm sure. Are you Santa?

Speaker 1 (01:18:12):
You, do you read? Do you read the list I sent to Santa? I think it's a GDPR violation there.

Speaker 2 (01:18:18):
I don't know.

Speaker 1 (01:18:20):
Some privacy violation. Well, and for everyone listening and watching at home. Again, we hope you had the merriest of holidays, close to the people that you love and getting ready for the new year, and we can only wish for you good things to come. Yes, we'll see you after the holidays. Keep track of us on social media and so you know when we're

(01:18:42):
going to live again, and have a good night and again, happy holidays.

Speaker 2 (01:18:45):
Have a good night, bye, thank you.