Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
Digital Forensics Now
Leveling Up in Digital Forensics: Strategies, Tools, and the CSAM Debate
Looking to level up your expertise in digital forensics? We promise this episode will arm you with actionable insights, strategies, and tools to sharpen your skills. Our conversation covers a wide spectrum of topics from the importance of conferences to the rising debate surrounding Apple's proposed scanning for CSAM material. We peel back the layers on forensic labs, discussing how to measure effectiveness, the role of leap artifacts in investigations, and the critical need for continual learning and collaboration.
In this episode, we navigate the various pathways to proficiency in digital forensics – whether that's through formal education like criminal justice degrees, on-the-job training, or the value of certifications. We explore the growing need for standardization in the field and the relevance of experience and research in establishing credibility. And let's not forget about Ryan Benson's Unfurl tool – we discuss its capabilities in breaking down URLs, a vital tool for digital forensics cases.
Lastly, we delve into the contentious subject of Apple's decision not to scan for CSAM material. We analyze the potential implications of such a move and the concerns raised by the Heat Initiative in their recent letter. Apple's reported cyber tip line reports are also put under the spotlight as we compare it to Google's numbers. From seasoned professionals to those just starting out, this episode promises to challenge your thinking, ignite debates, and bring you valuable tips and insights to help you stay ahead in the digital forensics field. Tune in for an enlightening and inspiring session!
Notes:
https://github.com/abrignoni/iLEAPP
https://dfir.blog/unfurl/
https://www.documentcloud.org/documents/23933180-apple-letter-to-heat-initiative
Welcome to the Dutard Forensics now podcast for Thursday, september 7, 2023. My name is Alexis Brignoni, aka Briggs, and I'm here with my co-host, the Dutard Forensics examiner, educator, researcher and all-around superstar, heather Charpentier. The music is higher up by Shane Ivers and can be found at SilvermanSoundcom. As always, our opinions are only ours, they are subject to change and do not reflect our employers or anyone else for that matter. And with that let's start the show. Good, good, good afternoon, heather there we go Good afternoon.
Speaker 1:I want to. Before we start, I want to thank the folks that are coming in, that are live and just give a shout out. You're awesome. I'm really looking forward to comments and people chit chatting with us. I'm happy to show your comments on screen and sharing with the folks. I also want to thank all the listeners to the podcast. The support has been amazing. We're like glued looking at the numbers.
Speaker 2:Yes, we are.
Speaker 1:It's really nice to you know, we think that there's a need for this type of content and, you know, build the community up. You know, do this together. So we're really happy that you're listening in and today we're going to talk about a few things. We're going to talk about a couple of conferences that are upcoming. We're going to talk about a little bit about the lab metrics. In your forensics lab, how do we measure effectiveness? Right, and it's pretty interesting. So we'll discuss about that. A couple of leap artifacts. You know, familiar with the leaps is community open source tooling to parse or, you know, analyze Android and iOS devices. We'll talk about that. We'll talk about degree sensitifications in the ether forensics. We are really opinionated, so we have opinions on that right. Heather's going to demo a tool. What's the name of the tool, heather?
Speaker 2:Unfurl.
Speaker 1:Unfurl. That's awesome, and then Ram Benson's right.
Speaker 2:Ram Benson yes.
Speaker 1:And then we're going to bring up the heat a little bit. It's a letter sent to Apple in regards to CSAM topics, so that's going to be at the end. Anybody know we're not going to be graphic about it, of course, but just be aware we have talk about CSAM a little bit and the process and how we deal with some of that stuff, and at the end, the meme of the week. Right? Did I miss anything, heather?
Speaker 2:I don't think so. I think you got it all.
Speaker 1:We got it. So before we get on on it, what's going on in New York? How hot is the cold? What's happening?
Speaker 2:It's hot. Take your weather back. I hate it. We have Florida weather in New York this week. It's 90s, it's not Florida. I want my New York weather back.
Speaker 1:At least you don't have the humidity I have here in the middle of the swamp in Orlando.
Speaker 2:I don't know. It's awfully hot and humid this week.
Speaker 1:It's not good. We had a storm go by a couple of weeks. Thankfully it wasn't as bad as it could have been, so that's good news. There's another one brewing, but it seems to stay offshore, so happy about that. Yeah Well, I'm talking about things that are brewing. So there was a meeting for the ACCA chapter in Tampa this week. It happened yesterday, right, yeah, yesterday and it was really nice. So it was a great meeting. I spoke at it, a couple of folks spoke at it. Actually, I'm going to show you, I'm going to share with the folks that are here live. I'm going to share a picture from the event. Right, and I like this picture a lot, a lot, because it shows the speakers of the event. Right, and there's Geraldine Bly next to me, awesome examiner from Semmel County Sheriff's Office, with her dog Siri, and she's an electronics detection canine. It's like the most awesome dog you ever met. No offense to other dog lovers.
Speaker 2:She's pretty awesome.
Speaker 1:She's awesome, right? Yes, obviously, that dude in the middle is me. And then you got Jessica Hyde laughing a lot and Amy Moles from art.4n6. We're going to talk a little bit about her stuff a little bit later. So I want you to show this picture because and I don't know if Jessica's in the chat or not, exactly See exactly we were making a joke because we're taking the picture all serious and Siri just licks Jessica's hand and she starts laughing, which obviously anybody would, right and we're wondering is she made of electronics too? And if Jessica's made of electronics, that would be totally in character, it wouldn't surprise any of us. So it was a fun event and the folks in trying to build up that chapter for the Florida chapter, for HCCI, so it was pretty neat. And with that said, there's an HCCI the big meeting coming up in the conference in September 19th to 21st in Phoenix. So a lot of good stuff going on there, right? Yeah, wishing.
Speaker 2:I could make that one. I was looking at the itinerary for that and there's a section on unsupported devices for vehicle system forensics and I really wish I could catch that, because we're getting a lot of vehicles in the lab that are unsupported devices by Berla and really wish we could catch that presentation.
Speaker 1:No, and that's super important and for folks that I mean, we got folks that might be listening, from big labs, smaller labs and we got a lot of local car cars and just because your tooling is not quote unquote supported, I'm not going to give you a pass. You got to find some abilities, grow those abilities. Going to these conference helps or always reach out to the community. I always again, I mentioned Geraldine. You saw the picture. I really lean on her. She's an expert on that. I'm going to put it on the spot. And we're going to put it on the spot. Invite her when they talk about vehicle forensics, so that'll be fun.
Speaker 2:We've got other things going on at that conference too that people are commenting in Celebrates, doing a capture the flag if anybody's interested in joining, and there's some keynote speakers. If anybody is attending that they can catch Heather Mahalek, david Cohen, devon Ackerman and there's a live moot court. That's another thing that I read on their itinerary that I really wish I could have caught. Gone to catch the live moot court. I bet is going to be amazing at that conference.
Speaker 1:I mean, and first of all, the folks are big keynoting. Oh my goodness, they're like my idols. Devon Devon now he knows what works at Crawl. He used to be you know the agency I used to work with. What a smart guy. I mean David Cohen, what can I say? Right. And Heather Mahalek, right. So, and the moot courts if you're an examiner or you're we'll talk about it in a second we have a lab with examiners having some sort of moot court, you know, like a fake trial, where they can have some pressure on presenting the evidence in a safe environment. It's a must.
Speaker 2:Yeah, and we'll talk about that a little bit more later.
Speaker 1:So also we have techno coming up also September 11, 2013 in Pasadena, California. So that's really coming up.
Speaker 2:That really had some good, some good presentation set up for it too. I don't know if anybody has ever heard of Jessica Jones, but she has a company actually right here in New York that does repair for iPhone logic boards. If anybody has ever heard of her company, I hear she's amazing. I'd love to get out there for a training. I know Jessica talks about her trainings on repair and it really would be an excellent training for people to attend.
Speaker 1:And you will find that I mean you need it. I mean some suspects know, if you know you're coming, they're going to try to break that phone and you'll be surprised that pretty resilient. But you got to have the knowledge right. You got to be able to either move the different parts to another board or whatever it is right Techniques you need to use substitute parts, replace them, solder them super important.
Speaker 2:Right.
Speaker 1:So I hope I can get that training at some point. Yeah, so those are some of the conference that are going on, and if you have a conference coming up and you would like us to talk about it or just put it out there, feel free to email us. For now, the email we're using is abrignoneycom, so I'll put it at the end so you can email us. Eventually we'll get a proper podcast email in the near future, so don't worry. So let's go into the first topic. So, efficiency metrics in a forensics lab. Right, and this topic came about because you know, heather, right, we were talking about how good our labs are being measured internally. Right? I want to say clearly anybody listening Any similarities of what we're going to say to true life is purely coincidental. It's not on purpose. Maybe I don't know. I don't know, and I say that because a lot of times I think. Let me ask you, heather, what do you think is the most common measure of if you're doing a good job at labs, ladies, that you've seen, the most common one.
Speaker 2:That doesn't mean that it's a good one, but I think that I hear two common measures of whether you're doing good in a lab, and it would be number of cases closed or number of gigabytes analyzed.
Speaker 1:Oh, my God.
Speaker 2:Right, I think right. Those are your measures.
Speaker 1:Oh yes, you read my mind. It drives me up the wall.
Speaker 2:Yeah, those are the two common ones you hear from numerous different agencies. I'm not trying to speak for my agency by any means, but that's what you hear from everybody. It's like how many cases can you get closed this month or this year? And that's how you're measured for efficiency.
Speaker 1:And we're discussing before the show is this whole of. Well, it's easy to measure quantities In a business. You say, well, how many widgets do we sold? 10, 200, 300. We need to sell more. Or how fast do we accomplish something? And there's awards that are given for the person that has the most terabytes image and I'm like what was that proof?
Speaker 2:Right, exactly.
Speaker 1:So actually I didn't be thinking a lot about. I mean, we both are, but I put my thoughts in memes. So one of the memes that I had on the topics and I show them. You know the folks that are, you know they say on the podcast they're going to read it for you. There's this person in this cave and it says I finally found it after 15 years. He pulls out of the little chest this scroll of truth and we opens the scroll. It says amount of gigabytes devices. Image is not a good measure of expertise or effectiveness. And the person goes ah and throws the scroll out and then the caption says management right, and I don't want to hate on you managers, but as practitioners we need to start changing that. You know that difference between qualitative and quantitative right, about how much versus how good something is Right, that's not a good measure, I think.
Speaker 2:That's absolutely not a good measure.
Speaker 1:Yeah, and you know there's other things that are. I guess we gravitate to that because it's easy to count and, like Kevin says, yeah, how many? And that's actually true. I've seen folks when they feel their people, oh yeah, they're six terabytes, and it's like dude, of those six terabytes, 500 gigs we're the only things that you actually have to look at.
Speaker 1:So the whole six terabyte thing is such a red herring, right, there's stuff that's unquantifiable, for example, like the amount of time you're trying to explain to an agent how to go about something or how the artifact relates to the case, right, the amount of hours you're going to have one hard drive that's 250 gigabytes and be working on it for two weeks, digging down, filing the traces, putting together the artifacts to show what happened, or you can have six terabytes. That doesn't work with you and some of the comments coming in from Jessica Hyde, and it's actually so true, speed isn't the right measure, and you know, and we get it. I mean, we have backlogs, right, but speed shouldn't be the measure of how effective you are, right.
Speaker 2:And number of cases closed. If it's by number of cases closed, not number of items, right Number of cases closed. One case could have 20 items, where somebody else's case could have one item. So number of cases closed is also another way. That's not a good, I guess a good measure of efficiency. Oh, absolutely.
Speaker 1:I mean that goes to how we allocate cases. Right. That's part of the manager's role. Some places allocate cases. You know well, you have this week and whatever comes this week is yours and the next person has the next week. What happens when I get 20 cases on my week and the other person gets five cases? Right. It's a little bit of an imbalance there, right.
Speaker 2:Right.
Speaker 1:Or even if we try to assign them. You know it's not a good measurement. So I want to share with everybody at least what I think could remediate some of that, because I don't want to just tell you what the problem is and just leave it there. Can I have a solution? Well, I mean, I don't know if that's a solution, but what I think might help. Right, and one of the things that helps is, you know, start looking at the own quantifiable and do give them some weight and kind of semi-quantified, like I mentioned a second ago, the amount of folks helped, the amount of cases that you actually go to trial.
Speaker 1:Going to trial takes a lot of prep, like every ridiculous amount of prep, and you can now measure that by drives, image, or if you close the case in a week, or how many pleas you got right. And again, for the folks that are not in the criminal realm, like us, you're in the private sector, civil work, you also have to think about this. My assumption is that how much money maybe is being brought in by the analysis, I don't know, don't burn me on the stake, I don't know. But yeah, like Paul says, quality is really hard to measure, right, so I would say I've been measured of the own quantifiable right, the help that you give when you go to trial, when I have a list of a couple things here when you deal with the defense or the other side of the table right, Working with them in the discovery process.
Speaker 1:How do you serve those stakeholders that you also have some value, and even something like teaching, for example. You can say, well, why won't I send my examiners to teach? You want your examiners to be good at trial, at discovery, at presenting evidence. Have them teach.
Speaker 2:Yeah.
Speaker 1:I mean, I think that's the best way of learning by teaching period. What else? What else could we think that might help that? Any ideas?
Speaker 2:I mean really just rewarding the employees for the good work they do. If somebody's working really hard on a case and you can see that it's good work it's taking them a little bit longer, but it's good work it's. The evidence is there, the case is well put together, it's going to lead to in a criminal case, it's going to lead to a conviction, or it's the evidence that you need to actually solve the case or at least assist in, I guess, supporting the other evidence that's available in the case. Reward that work. They may not be the person who completed the most cases for that year, but give a little bit of, I guess, positive reinforcement that they did a good job.
Speaker 1:I agree, and one of the ways that reminds me of make that visible because you as a manager might be aware of it and the team might not. And one way I think it works is I'm stealing this from my developer days and system administrator days when you do a meeting, have everybody talk about their cases, what they have going on and where do they see that case going Like. For those of you who are developing a little scrum meeting where you can say, look, this is where I'm at, this is what I've done, this is where I think I should be going and open it to the team, to everybody, to a panel hey, maybe you can try this. Look at this artifact, look at this other thing With the manager and the team members. I think that would be a really productive meeting because it also creates some cohesiveness with the examiners. That's a great point that Jessica's bringing up.
Speaker 1:There's different ways for different measurable things, including impact to other cases, especially if you're working like I've done, like the cases. I cannot really go into details, but an event might lead to multiple prosecutions, for example, of multiple individuals, and one thing will impact the other. The methods of communication might impact the examination of another device belonging to a different individual. So all that intelligence and knowledge should also be waited for for how effective that examiner is. So great point we have. The smartest folks live with us, absolutely. That's just a fact, all right, so let's change gears for a little bit and talk a little bit about some artifacts. So what do you have?
Speaker 2:So there's some new ILEAP artifacts. This weekend I was sitting home and got to witness the greatness of a new Discord group I've been added to with some really smart people, and I just sat back and watched them go back and forth while they added new artifacts to ILEAP. I have not figured out how to contribute myself yet to these ILEAP or ALEAP artifacts, so instead I'm going to present what they created this weekend to you guys today. Let's see here, let me share my screen. There we go. So the first artifact is going to be for ILEAP. Google Chat has been added.
Speaker 1:And we have on the screen, of course, that are listening, the ILEAP program. The Graphical User Interface has been brought up, and now Heather is selecting the artifact that she's going to demonstrate.
Speaker 2:Okay, so ILEAP is brought up on the screen. I'm going to select an iPhone full file system extraction that I have from one of my test phones when they added support for the when Alexis and Josh Hickman added support for the Google Chat application, over the weekend I went and took my test phone and generated some Google Chat data and extracted the device this week. So I'm adding the extraction to the tool and I'm going to choose the Google Chat artifact only for time purposes here and I will choose a location and hit process and in hopefully no time.
Speaker 2:So 13 seconds, which is way faster than your other tools. Let's see here. Let me share that when to go. I have lost it. There we go. Just need to share the screen here.
Speaker 1:Yeah, there was a really good artifact. There we go.
Speaker 2:So now we have the Google Chat artifacts.
Speaker 1:Yeah, and for the folks again, they're listening. So we have a grid that has a timestamp, the group type it says I want to one message. If it's a conversation name for the person, it's not. If I was really fun to make, because Josh did have a lifting here based on a need from an examiner and he has some assistance with it and he did all the research. He guided me on the protobuf. So it's a SQL database that has protobuf in it.
Speaker 1:We have to go there and the meme of the week is related to the artifacts which I don't want to show it now but I'll explain later how we'll go about doing some of the things there. But I think at the end of the day the point is how can we be effective? How can we help each other? Heather just said about this discourse pretty much a group of friends, and that's important. Try to make your own tribe, and I say that in the sense of at my middle age I am developing friends, really good friends, and folks that we share a common interest in injustice, in forensics, and go to conferences. Look for people that have the same mindset and band together and make a difference. It's so rewarding, it's just, I cannot even describe it.
Speaker 2:Yeah, definitely. I can't agree more with that. Get out network, meet everybody you can. This has been that the ILEAP and the ALEAP have been so helpful and I can't even describe how many cases so far when artifacts aren't supported in other tools if they're not already supported in ILEAP or ALEAP. If you reach out and just talk with Alexis or talk with anybody else who contributes to these tools, they can become supported with just a little bit of information about what you're looking to get supported. So definitely not work with Alexis.
Speaker 1:And we all help each other when I put on the show notes githubcom, slash, abrignone, slash, ILEAP, to get the tooling and we'll have it on the notes because my last name just hearing it and writing it, it's a little bit of a challenge.
Speaker 2:So there's another artifact that was also supported this weekend, and it relates to locations. Someone actually messaged in our group for IASIS asking about locations that are stored in some of the biome data. It was in the core duet location directory and they were requesting information about, or they wanted it supported, so they could put it in a CSV to be able to bring into another tool. Some of the major tools were supporting it, but not all of the fields that are supported are available. So the timestamp, the latitude and the longitude were being parsed by some of the major tools, but there's other fields that are available, such as speed, altitude, and so Alexis worked on that this weekend as well and now supports the locations that are stored in that directory, in ILEAP. So I'm going to do a little demo of that as well. So let me pull ILEAP back up. Let me just share the screen here.
Speaker 1:And just for folks, the biome is a directory in iOS devices that has data that has migrated from what used to be Knowledge C over to this file structure. Right, and you have information in regards to the locations. If the apps were in the foreground, the background, it's a mine of data. Now, this particular artifact well, before I talk about that, the biome directory has within it files in what's called a SEGB format okay, segb, and within those files you have data in additional data stores like BP, lisp, protobuf, and we parse those to get the information that we need. Now, this particular artifact is a SEGB file within the duet core, duet expert directory and there's your locations there. So we did a parser for it and now Heather is bringing up the graphical user interface and running the tool to see how that looks.
Speaker 2:So I'm doing the same thing, adding the same iPhone full file system and then choosing an output folder to put the results, and then selecting the artifact for those duet locations it's under geo location in the ILEAP tool and then just choosing the process.
Speaker 1:There it goes. The nice is running. It should be fairly quick.
Speaker 2:And 13 seconds this time. Let's see if I can open it up here. Let's see I will share the screen.
Speaker 1:Yeah, if you're not familiar with SEGB files, you have to. You have to look at those. There's so much important information, so here's a report. Acml report open after the tool ran.
Speaker 2:So we have columns for the timestamp, latitude, longitude, horizontal accuracy, altitude and the speed for those locations that are found in the duet expert center location.
Speaker 1:And research here is important because I just put the field there, because I saw it there and here's the one that gave me an explanation. It means it's going in reverse. How can you have a speed of minus one?
Speaker 2:So the device actually, when you see the minus one, it wasn't able to calculate a speed at that time. And I've found when the minus one is there on a lot of the locations for my device in the testing, when I see the minus one I'm actually home, not moving. So a lot of times it's just not able to calculate the speed because there is no speed. And then sometimes I've seen the minus one when I am actually moving and it's just not able to calculate the speed.
Speaker 1:But when you're testing, when there is a speed, is it accurate or accurate, or what have you found?
Speaker 2:I have found in my testing that it is fairly accurate to my speedometer just off by a few miles per hour. And there's actually some research by Forensic Scooter, who did a bunch of testing on several different iPhones and he used some vehicle forensics as well to compare to the speeds found in the iPhone locations as well as vehicles, and it's a really good read. So if you Google just if you Google Forensic Scooter and do iPhone speeds, it'll come right up in your Google search. But it's a really good article.
Speaker 1:Oh no, he does such incredible work. His blog is a must read. He talks about I think that's the same article about horizontal accuracy and how he met and what are good accuracy or tolerances, which is that word that I like tolerances we think of JTAR Forensics as ones, and zeros. You'll be surprised. There's a lot of things that require interpretation. That the measurement yes, scott, scott was it not coning, yeah, so he's awesome.
Speaker 1:And our phones have sensors. Those sensors have tolerances and they might not be a one, a zero or this recorded. So that's where the testing comes in. That's why Heather illuminated me in literally saying, hey, this is what's happening. So you always have to test, always have to test. I don't know if you, I don't know for, for, for saving time, the tooling that the I live or I live when it runs it creates a KML with all the geolocation points, so they're going to show up on a map and also SQL database, so you can pull them out for a period of time and then ingested into whatever mapping tool. If you have 20,000 geolocation points, google maps is not going to digest it, so you might want to narrow it down. So we have that option, though. Yes, I think it's pretty, pretty useful stuff.
Speaker 2:Actually I have a question here too. Yeah, Some are related here. I'll be heading to a Barilla class next week. Do you have any advice for an examiner starting in vehicle forensics?
Speaker 1:Well, I took the class. You take the class. If they offer you the silly glasses that have magnifying lenses on, wear them, Don't be ashamed. Some people will not put them on. Put them on, it's going to help you out. I guarantee you. Put your your lenses so you can do this.
Speaker 1:But the small detail work. It'll be easier if you can actually see what you're doing. But I mean, I'm kidding, but not really kidding. That's actually true. But the real answer to that question from my perspective obviously I led you Heather chime in as well. So, like any guitar forensics field, you got to be really patient and have a lot of attention to detail. Right, Especially with cars. Don't destroy the car unless you have to and you have the backing of doing that. Right. If a cooperating witness brings their car, don't destroy it. Right, Be nice, Take your time, Pay attention to detail, Take notes of your process. Vehicle of vehicle forensics as computer forensics with wheels. That's just what it is. It's the same thing. So if you're really good at what you do, now apply that to vehicle forensics and you will also be good at it as well.
Speaker 2:Yeah, I haven't. I haven't taken the Barla class since 2016. I don't go out in the field and do like the tear downs and take the modules out of the vehicles anymore. I did when when I very first went to the training. I did it a few times. But when the guys bring the modules back to the office, I do a lot of the chip offs for them. So currently, skills in chip off are needed on a lot of the vehicles. We're doing a lot of chip offs on the vehicles. I think that's going to change soon. It sounds like they're going to be encrypted. So, moving forward, I'm not not 100% sure what's going to be the method of obtaining that data, whether Berla is going to move forward and support it or or what the method is going to be. So I mean moving forward. I'm not 100% sure, but having chip off skills now on a lot of those vehicles and it'll be a lot of the vehicles from the past could be could be something that you might want to look into if you're just starting in vehicle forensics.
Speaker 1:Oh what, what a great point. Yeah, because since, since cell phones moved to a file based encryption, the chip offs disappeared.
Speaker 2:Like you, have your chip off equipment just gathering dust and the vehicle forensics has come alive again, that's yeah, we're doing a ton of them on vehicles.
Speaker 1:All right, so yeah, so again, the tooling is there new artifacts? We try to put some new stuff in. So just keep your eye out on social media, for you know, for the folks that work it, like myself, Kevin Pagan, which in the chat, Josh Shigman and I'll put all those links there for the folks that don't don't know, don't know us or don't know the folks that I'm mentioning. So you have it there as a reference point, All right. So let's move on to the next topic, the degrees and use of forensics, and it's a pretty controversial topic and we got to be careful because you can spend the, the later half of the show you're talking about that. Are degrees necessary for it? Theatral forensics? Is certification is enough? Is can you do it? Just on the job training? I mean, that's a good questions and I don't know. I mean, let's discuss it. So what do you think about that degree certifications on the job training? What's your, what's your take on that, Heather?
Speaker 2:Oh boy, so I all right, I'm going to speak for my situation personally. So I started out with a criminal justice degree and became interested in digital forensics and decided to go get a master's degree in digital forensics so that I would have a way in to a job in digital forensics. They let I was let into a master's degree program with no computer knowledge whatsoever. That's not a good idea. I was lost in in college at like. When people were talking, I had to Google everything they were talking about, and I did. But I had to Google everything they were talking about because I had no background. So it was really hard for me to do a master's program with no background. But I got the piece, the piece of paper from my master's degree and it got me my job.
Speaker 2:I started my job and I continued my Googling everything everybody said, because I had no idea what people at work were talking about. And then I started all of the trainings and certifications at work and I would say that my trainings and certifications that I attended and obtained at the New York State Police are how I learned most of what I know in digital forensics. And then that's coupled with things that I learned on my own and that's just kind of my path. I don't know if it's the same for everyone, but school for me was not it? So it's just kind of my path. I found that school just didn't teach me what I needed to know as much as as much as worked it.
Speaker 2:I'm not saying I learned nothing, but but as much as the on the job trainings did.
Speaker 1:And we talk about this. You know, in other settings, you know amongst ourselves, there's degree programs and there's degree programs and it's and we have to be smart customers in that sense. Now, especially at the beginning, those degrees were not really too solid when they started coming out, and that happens, I believe, with any new field. When I started, there were no degrees period Like that was not a thing. And if you want to become an examiner and I don't know, this is the best example.
Speaker 1:But the way I saw it is, for example, folks that went to the military and and they teach them to fly planes and they come out and then they fly planes for you know, delta, whatever, right. Well, back in the day you became a police officer, you take some certification with IACS and some other certifying bodies. They teach you that and you became an examiner and you did that. And then, after you left your law enforcement career, you became an examiner in the private sector, right, and you got kind of degrees, degrees for that, and that was usually true for pretty much sworn, and I get my experience at the beginning. All the examiners that I knew were sworn, right. You know sworn means you know gun carrying law enforcement officers right, and that's not the case now. Right, and like yourself, you're a civilian examiner, right.
Speaker 2:Yes.
Speaker 1:And do they require again maybe I don't want to maybe bring your agency into it, but maybe other agencies that you've seen for for civilian they do require certificate, certifications or degrees, right?
Speaker 2:Yes.
Speaker 1:There you go. So I think the degrees became a way of kind of standardizing the field and opening the door to non-sworn folks. But yeah, the degrees depend it really depends on where you're going and at the end of the day I don't think you're going to get like you're saying everything that you need to learn because you can take your degree today and then tomorrow's biome and sec b-files come and you'll be like oh, then nobody taught me that. Oh yeah, well, whose responsibility is it to learn that?
Speaker 2:Yeah.
Speaker 1:It's not the school. The school teaches you how to think and how to get to things not necessarily all the things Right Now. If they're not teaching you even that, then that's a problem.
Speaker 2:Right, right, and I just I think in my personal situation, I think some kind of like, I guess like proficiency tests before I was entered into a master's program in something I knew nothing about would have maybe been a good idea. But I mean, I am where I am today. I figured it out, I went to all the trainings, I've done research on my own, I've made it. You know, I've made it to where I am. I've learned what I needed to know and the degree helped me get there and I definitely did learn things at school.
Speaker 1:Let me share a few of the comments here because they're really good. For example, jessica is saying that departments opens you, you know, to more opportunities. I say possible, to more opportunities. Right, it becomes like a thing that to put your foot in the door. So that's absolutely correct. And if you testify as a comment that was said before, here it goes.
Speaker 1:It kind of asks your credibility to your testimony right Now. I want to make a comment on that. And this is so true. When you start, I mean throughout your career, your certifications are important, right, and keep them. But at some point you're going to transcend those. And I say that in that the credibility is not going to come because you have certification. It comes from your experience through 10, 12, 15 years of doing the work, doing the research and coming up with new understanding of what your work is. And then, well, I'm not going to go into that. So I got another comment here that Kevin Pagano is saying he wouldn't have found the Determinus field if it weren't for his bachelor's degree. So there's value, there's different paths. I believe that that path of being certified and just being an examiner that way, little by little, is going to fade away and actual bachelor's, master's degrees are going to be the rule as the field gets more standardized. I think that's where we're going right now.
Speaker 2:I think this is a very long comment, but I'm going to put it up because I think so. I felt the same way in my undergrad. We got little hands-on experience with the tool sets, but mostly lectures. The hands-on of trading with certificates helped me and put what I learned in the lectures with my degree to connect all the details together. I think that that most accurately represents what I'm trying to say. The hands-on experience is very important in this field, in my opinion. This is a little bit on me for the degree program I picked as well. Mine was completely online. I did two different weekend visits to the school where we did a little bit of hands-on experience and that was it. The hands-on experience was very minimal in my degree. This comment really encompasses what I'm trying to say.
Speaker 1:I agree as well. Kevin is saying that on his degree program. You're good, I'm going to put Kevin's coming up. His degree had mock cases, testimony, a whole bunch of good stuff and you have to research those programs, Make sure those programs have those ability if you're ever going to benefit from it.
Speaker 2:Yeah, I would have loved that.
Speaker 1:Folks that are coming in into the field listening to us. I believe you'll be well-served by doing that research, getting those certifications. But at the end of the day, like Heather's saying, amy which is what we just read previously, what she said you've got to put things in context by being hands-on. If you have projects that you worked on, research that you've done, blog posts, social media about it, it will help you a long way with your development. Jessica is saying oh, my goodness, what a great question. Do we even think we have a national standard? I think it's the comment here and what do you think about that? Do you think that would be the case?
Speaker 2:National standard for digital forensics. Wow, I mean it could happen. I don't think it's a bad idea.
Speaker 1:Ah God, let me look. So I think it's going to happen just because there's so many, there's people that mess it up for everybody else. Well yeah.
Speaker 1:Not that I'm against the standard, but at the same time, when you have a standard it's a good thing, but will the standard keep up what the needs of the field are Right? And right now we have this flexibility to be able, as experts, to do certain things and justify them because we're experts and we have the knowledge. I believe having a standard. Now you're kind of narrowing my options there and I'm not really sure how I feel about that. But the more folks that are examiners come out with subpar work and work that cannot be properly validated. Yeah, that might be something imposed to us. I don't know if at the state level, federal level, maybe a little bit of both Get some sort of what's it called Like when you get a license like license, maybe like a licensing test, and you're not an examiner unless you pass the state bar digital forensic exam. I don't know, I'm making it up.
Speaker 2:But we might be heading that way.
Speaker 1:Yeah, exactly, I bet your agency and your and your certificate that we take have those right. But if the work is being subpar and not really illuminating, being as scientific as it should be, that might be the case. So that's something that's dangling out there.
Speaker 2:Yeah.
Speaker 1:Do you have any other questions there? Right, all right. So I think the big takeaway is, if you can get them all, get them all. Get your good degrees, get your certificates. I don't have a degree specifically in digital forensics. I have a whole bunch of notifications and a lot of hands on experience and years of doing that. But if you can get them all, get them all. And if you cannot get them all, then try to either get into roles within, as, for example, law enforcement or private sector. That will expose you to the digital forensics and hopefully make a jump or a transition to those areas.
Speaker 2:So yeah, I'm not trying to knock anybody either. A combination of all of it is excellent.
Speaker 1:Yep, no, like I said, I don't have the degree and here I am. So there's different paths and try to up your chances by doing as much as you can. All right. So we got one more demo that I'm really excited about the unfurl demo. So what can you tell us about that, Heather?
Speaker 2:Okay, I am going to share the screen and present it, so this is Ryan Benson's unfurl website, and let me put the website here on the bottom and I'm going to show everybody an example of what this tool can do. I grabbed a shortened URL and this tool here. We can put URLs here into the tool. I'm just going to do a little demo here and my example that I grabbed is a shortened URL and what the tool will do is take the URL that you've found, possibly in your case, and it will break out all of the components of the URL.
Speaker 2:With the shortened URL, the really cool part about it is it will show you the components of the URL in the expanded version. So this particular URL that I went and found when expanded by this tool comes back to the Magnet Forensics website and it is the shortened URL for their new scholarship program that they announced today. It'll show you the path of the URL, which expands out to the entire URL for the MagnetForensicscom scholarship program. It breaks it down to the host and the domain and then it'll further break down. If there's timestamps included in the URL, it'll include the timestamps. So if you're using this for one of your cases, you may be able to find the timestamp that a specific URL you've carved out of your evidence and you may be able to find the timestamp that that URL was visited. So this actually breaks down all of those URLs you find in your cases. So this can be really, really beneficial in any of your cases. Yeah, and this, this tooling is.
Speaker 1:there's different ways of doing it. This is command line. The one that Heather's showing is web. I say web base. It is web base. It's a web page and you put your URL there. In this case it's a Hootsuite. I know that because it's OWWly, the URL shortener for Hootsuite, which tells me that Magna uses that product. The point is that it breaks it down graphically, so nice like a little flow chart looking graphic, and you can really drill down. And, like Heather said, I cannot understate how important this is. If you carved out a URL, let's say, for example, do you have a Google example Coming up or not? Really, if you don't, then I'll say it. I didn't pull a Google no, ok, perfect.
Speaker 1:Then I can talk about it. Sure, google URLs say Googlecom, and then slash whatever it is, question mark, equals, and then the variables and the search. It looks like gobbly-goog, right. And this tooling by Ryan Benson takes that gobbly-goog and spreads it out with meaning Timestamps. If it's a Google search, what was being searched, the search terms, the actual term that the person wrote. For example, if I wrote super M and the search returns super man, you'll see both. You see super M and super man within that URL. I used this in a case where a prosecutor was asking well, what does this mean in this URL? All this stuff to the right side of the dot com? What is it? Is it relevant to my case? Is there something I should know about it? And you see an unfurl. I was able to kind of spread it out and explain what it meant and we were able to clear those doubts. Super useful tool, super useful.
Speaker 2:So I'm going to do. I do have one other. I'm going to do a TikTok because there's a really cool timestamp conversion in the TikTok URLs and I actually grabbed. I'm going to share a screen here. So this is my sister's TikTok page. This is her cat, kevin, and this is her TikTok. That was visited 7.2 million times. And this is her TikTok. That was visited 7.2 million times. And I'm shocked it was visited 7.2 million times. He is cute, but that's a lot of visit.
Speaker 1:Well, the cat types better than me.
Speaker 2:The cat does the types better than me too, but with this particular TikTok I'm going to grab the URL for that TikTok.
Speaker 1:By the way, for the folks listening, it was a cat typing a message a funny message there. That's why.
Speaker 2:And then I'm going to go back over to Ryan's site, kevin and Kevin, and we'll put Holly's URL in and it breaks the TikTok URL down.
Speaker 1:Nice.
Speaker 2:And when it breaks the TikTok URL down, it breaks it down with the TikTok username. So the username who posted the TikTok is Holly and Kevin and Charlie, and it shows that it's a video. But it also has this ID, and the ID for the TikTok video is time based and the time based pulls out a timestamp that the TikTok is posted. So it has here that that TikTok was posted on January 19, 2022. I'm going to share a different screen with you and show you how that TikTok timestamp is actually broken down. I found it on Ryan Benson's website and it's actually pretty cool.
Speaker 1:So and we're going to put that put. We're going to put all that in the notes for folks to follow up later.
Speaker 2:Let's me find my and find my screenshot here of it. There it is.
Speaker 1:Oh nice.
Speaker 2:So if you take a look at the URL, that time-based ID is converted to binary. So you'll see the binary and the leftmost 32 bits which are there in the orange color. Those are converted to decimal and then in the blue color, the decimal is what's converted to the actual timestamp, which is the timestamp that you actually saw on Ryan Benson's website in the Unfurl tool. I just put it in Eastern Standard Time because we're here in New York and that's the timestamp that my sister posted that TikTok video of her cat, kevin, typing.
Speaker 1:That's amazing. Yeah, that's so many, so many, so many timestamps that you can pull from a URL that you will have no idea it's in there unless you do this analysis.
Speaker 2:That's pretty cool so that conversion can be used by anyone to go and validate the actual timestamps of TikTok videos.
Speaker 1:Yeah, or like we're saying, or if it's pulled from somewhere you have no context right, it's carved out or whatever, or it's just shared with you some way and you want to know when it happened and you can do that at scale. You can have many TikTok links. In that case, you can, at scale, do it all those. So it's pretty neat. So we're running short on time, so I don't think we're going to make justice. The last topic, but we need to talk about it. So since actually I'm going to let you introduce the topic and then we'll discuss it with the time that we have.
Speaker 2:Okay. So the very last topic let's see here let me stop my screen, there we go Is the heat is on Apple and I don't know if anybody has seen on LinkedIn. I think over the last week or so there has been some talk of this new child safety group called the Heat Initiative. They are gaining some momentum with their campaign and they're putting some pressure on Apple to go back to their original plan that they had in 2021, which was to scan and report CSAM material, so child sexual abuse material that users of Apple products are storing in their iCloud. So quick, little background.
Speaker 2:In 2021, apple had announced that they were going to start scanning and reporting any users that were storing CSAM material in their iCloud. They had planned on using hashing technology from NecMAC and, if a match was found, they were going to use human reviewers. They were going to assess the materials and then they were going to report to law enforcement, much like some of the other internet service providers do. Experts were worried that it could be used by governments to spy on citizens. It could be used to scan for prohibited content, be used to scan for political speech or be used to compromise privacy and security of all of the iCloud users. So in 2022, apple quietly killed it.
Speaker 2:Last week it came back up again because the CEO of the Heat Initiative authored a letter to Apple and they were asking them to revisit and honor their original intention to scan and remove the CSAM material from the iCloud accounts.
Speaker 2:Apple responded. I have here the link to the letter if anybody wants to read it. It's actually quite a long letter, but the response basically was that they've taken steps to disrupt the grooming of children, as well as implement sensitive content warnings on children's devices or on their devices. As it relates to the scanning, they have chosen a very different route and they're prioritizing the security and privacy of their users. They go on to talk about the possible implications that scanning could have, which is like opening the door for possibly scanning other messaging systems or bulk surveillance, and a possible impact on freedom of speech, and they also point out that scanning systems could affect innocent parties that may fall victim to persecution when they've actually done nothing wrong. So that's kind of the short version of what that letter entails. What are your thoughts? Would you like me to give my thoughts first?
Speaker 1:Oh, go first, Go first oh okay.
Speaker 2:So I did a little research on some statistics and, according to NACMAC, which is the National Center for Missing and Exploited Children, in 2022 Apple had 234 cyber tip line reports, which is, reports of CSAM material to NACMAC's tip line, and Google had 2,174,548. So the difference in the number of cyber tip lines between those two companies to me is alarming. And then Google I went on the Google website and did a little bit of research how they actually scan for the CSAM material and they use hash matching and artificial intelligence and they say they have a team of highly specialized, trained content reviewers and that they use subject matter experts and they have highly accurate results. And my thoughts on it are if Google can do it, I want Apple to do it too.
Speaker 1:Well and no, and I totally let me pervade when I say next, I think what we're going to try to do here is offer what the argument is right and some things that we should think about as examiners and technologists and the folks that really actually deal with this stuff. When the rubberbees derail, right, we're the ones that actually have to deal with it and apply the law to the folks that are doing this type of activity. Right, and from that point of view, me personally, I think both of us. We do not represent our agencies, we don't represent anybody, right, we just talk about, as technologists, what's happening. Okay, and our agencies have their positions, and private sector companies like Apple and Google have their positions, and civil society groups, privacy and encryption experts have their positions. Okay, with that being said, right, this is a hard. I think it's a hard topic because both sites made valid points.
Speaker 1:I want to really focus at least my point of view, focus on a detail that's kind of overlooking the discussion. Right, scanning for CSAM in these platforms it's nothing new, right? This hash matching has been going on for who knows how long, right, but Apple says that it's going to be and this award in that letter, client server-based right. It's a big difference there, right? One thing, scanning with the stuff that you put in their servers that they're housing, another thing is scanning stuff on the phone on my end that I have in my pocket, right? No, they can scan my phone. There'll be none of that, right?
Speaker 1:But it becomes a little bit dicey from a privacy perspective, because you can say well, if Google is searching and now I'm going to be a little bit of a contrarian if Google is searching for CSAM, right, and that's a bad thing, we don't want that, right. Would you be okay if they search for evidence of terrorist activities or maybe pictures of something that's going to blow up or some plans? Is that something that we want to do? Is that a yes or no, right? And if we're willing to do that, how about drugs? Right? Do we want systems to be scanning for drugs in all millions and millions of iPhones around the world, or the United States? I don't know.
Speaker 1:And if that's okay, how about misinformation? Right? You know misinformation is bad for the democracy, right? Maybe we want to make sure that people hold on to the correct ideas. And again, I'm not taking that position either way. The point I'm making is it gets really, really dicey when you're talking about client-side checking as opposed to all the server side, when you make a decision to push stuff up, Because clarity and transparency is important and these companies sometimes are not as transparent as we would like them to be. Are you a Chrome user, heather? Any chance?
Speaker 2:What.
Speaker 1:A Chrome user. Chrome browser user.
Speaker 2:Yeah.
Speaker 1:Recently have you seen, like an announcement that came out in your browser about some privacy settings. Have you seen that? By any chance, not yet.
Speaker 2:I don't think so. No, not yet For a one-way extension.
Speaker 1:Okay, update your browser. You need to update it Security purposes. No, I'm saying that because it came out with a popup saying hey look, we have some privacy features. And if you don't read it, what it actually says is that they're going to take your web history and process it to make sure they give you proper ads. And if you don't want that, you got to go into settings and mark yourself off, so they put you in the program by default. If you don't read it, you're in, and I think it's a little bit like how about telling me it's there and if I want it, have me approve it, don't approve me beforehand.
Speaker 1:So Google, the Office of the World, have done some of that. And do we want client-side scanning with that level of transparency that they have us accustomed to? I don't know. I mean, at the end of the day it's tough because also the crime really demands our attention and that we act upon it right. I think, at the end of the day, congress might be the best way of addressing that, in the sense of the companies can go there, the civil society can go there, the companies, law enforcement can go there, everybody can express their viewpoints in a hearing or a via within Congress and maybe some legislation can help us push forward what the proper way is, and then the courts will also weigh into that as laws come out and they determine if it's constitutional or not. But at least for me the whole scanning on the device is a little bit creepy, you know yeah.
Speaker 2:I mean the 234 cyber-tip lines to the 2 million, though I mean do something Right. I mean because you know there's more than 200 on the Apple devices. So I mean, if it doesn't have to be on the device, there's got to be something that we can do.
Speaker 1:Oh no, no, I mean, and they're saying they were doing both. Right, they were doing the whole iCloud thing and the whole on the device thing. I think that the part of the device was the thing that really made people take them back. Now, that being said, it's again. I believe legislation has, and again, my personal opinion, not my agency or anybody else.
Speaker 1:It's so important because there has to be to address this problem. Let me put it this way Not long ago, apple said we're going to encrypt everything in iCloud and the encryption is going to be handled by the user. So we're not going to have it right. And what's the upside for Apple? Well, if you can't, if I go to them and say, hey, I need information on a case, it'll be like well, it's encrypted, there's nothing.
Speaker 2:I can do about it.
Speaker 1:Here's this encrypted blob of things that you can never get into and they can wash your hands off the whole problem doing it that way, right. But on the flip side, let's say we force them and say, no, you cannot encrypt that data, right? Well, what could happen? Well, the users that are smart, they're going to put encrypted stuff within the iCloud and they'll be like here it is. There's some files here. They appear to be encrypted and the encryption goes from the platform to the user, right, and we've seen that, that we see folks that deal with CSAM that they're congregating in a platform when that platform is investigating and taking it down.
Speaker 1:Whether they do they stop their activity. Oh, no, they move to another thing, which is they're trying to be more discreet and safer about it, which is horrible, and we will continue to pursue them to the ends of the earth, obviously, but that's where it goes. So, for folks that are law enforcement, there is no magic pill. Your traditional investigative techniques will continue to apply and again, this is not the forum for that and technology is just an aid, but it's not the thing. Right? You, as an investigator, those traditional investigative techniques should come into play. I mean, what do you think, am I too off? No, you don't agree with your agree. What do you think?
Speaker 2:No, I see both sides, but at the end of the day, I am going to always be on the side that protects the children.
Speaker 1:Yeah.
Speaker 2:So yeah.
Speaker 1:No, and I think every person of Google in the planet will agree to that. And we're gonna make sure that we do that quickly, efficiently and also within the bounds of the Constitution and all that good stuff. But the days of companies doing this willingly might be coming to an end and they will try to wash their hands off using encryption and some other things in a sense. And how's that gonna play out? Honestly, I have no idea. Yeah well, hopefully we don't get too much trouble by bringing the topic up.
Speaker 2:They're shutting us down.
Speaker 1:Yeah, so again, we're five minutes past the hour, so we're gonna start closing it out. So let me just show you the meme of the week, right? Yes, so what is the meme of the week? So, when I was dealing with the working with Josh on the Google Chat artifact in iOS the folks that are, if you're not familiar with iOS, ios keeps the data user-generated data within the apps within a particular set of directories. These directories are not named Google Chat directory. That would be too easy, right, and Apple being Apple, it's not gonna make it easy. So those are GWIDS and the apps are named. I'm sorry, those directories that have the app data. They're GWID named and that GWID name could change for many reasons, right, Because you can just reinstall the application.
Speaker 1:They're different from phone to phone, okay, so it's easy for me to find the database because it's called dynamitedb. It's pretty distinct, but I can find the database. But the pictures that the database references, they're in a directory that's the most common name directory in the world, like temp or something like that, right? So if I pull all the temp directories in an iPhone, I'm gonna have so much data just to. It's gonna be too much for me to then try to figure out what I want, right? So what I had to do is, based on where the database is, determine what the GWID of the application is. So then I can only search for that directory, for the picture, for that particular GWID, for that particular application. Woo, I need a cup of water, but hopefully that makes sense to folks here.
Speaker 1:Right, and the only way for me to get that GWID out of that location is by regging X in and out. Right, and I'm telling you, what I'm gonna show you now is literally me every single time. So what you see on the screen now is a person with two signs, a piece of paper saying corporate needs you to find the differences between this picture and this picture. And the first picture says times I have used reggics and the next picture says times I've had had to learn reggics. And then the lady says they're the same picture. What a hard way of doing pattern matching, but it works. So I literally had to try to teach myself again how to do reggics to get that out. I Google a lot, so that helps Google's the best.
Speaker 1:But don't feel frustrated. I mean, there'll be some things that you can not commit to memory if you don't do them all the time, but if you need them, just research it and try to get it done and the artifact works well. So I'm happy that it all panned out. They're the same picture right.
Speaker 1:So thank you everybody for staying with us a little bit. The extra time for the topics we appreciate it. Yeah, absolutely. I hope the topics will help. If you want us to talk about anything of interest to you or if things interesting for the community, let us know. We'll put the abrignonycom if it talks like a dog and it walks like a dog right. The UCK We'll put on the notes. Send us an email. Things you wanna talk about, questions that you have and people that you would like us to interview in the podcast that you think are interesting. We'll reach out, so let us know.
Speaker 2:Yes, thank you.
Speaker 1:Yeah, anything else I'm missing, Heather. Before we sign up.
Speaker 2:I don't think so. I think we covered everything.
Speaker 1:Well, again, thank you everybody. I think we're gonna be doing what this like in two weeks again, you think.
Speaker 2:Yeah, two weeks.
Speaker 1:Yeah, so in two weeks we'll have another show, see what happens in the field and if it's happening, we'll bring it to you. So with that, have a good night and thank you for being here.
Speaker 2:Bye, bye, thank you, airing tonight you.
