Digital Forensics Now

Navigating the Digital Forensics Maze: Insightful Discussions and Valuable Resources

September 21, 2023 Heather Charpentier & Alexis "Brigs" Brignoni Season 1 Episode 2


Stay tuned as we navigate the mesmerizing maze of digital forensics, sharing insights that you wouldn't want to miss! We kick-start this thrilling journey with a sneak-peek into the Regional Computer Forensics Lab in Boston. The fun doesn't stop here as we also delve into the exhilarating Cellebrite Capture the Flag challenge and touch upon the awe-inspiring Difference Makers Awards. 

We then turn to the indispensable resources for those wishing to take on the digital forensics world. From the empowering IACIS Women in Law Enforcement Scholarship to the unique Magnet Forensics Scholarship, we've got you covered. Don't miss our take on the complimentary Belkasoft iOS Forensics Course and DFIR Artifact Museum. Plus, we'll guide you through using the intriguing Eric Zimmerman's SQLECmd and Timeline Explorer.

Finally, we discuss the invaluable act of giving back to the digital forensics community. We share the secrets of adjusting to corporate culture, continuing education, and the pivotal role of mentoring. We even touch upon the remarkable Digital Forensics Intern Program by Notre Dame. So, tune in as we unravel the complex world of digital forensics. What's more? We've got some valuable advice for newbies waiting at the end. Get ready to embark on this digital journey with us!

Notes:

Difference Makers Awards 2023: 
https://www.sans.org/about/awards/difference-makers/
IACIS Scholarship: 
https://www.iacis.com/will-docken-scholarship/
IACIS Women's Scholarship: 
https://www.iacis.com/womens-scholarship/

Magnet Scholarship: 
https://www.magnetforensics.com/blog/2023-magnet-forensics-scholarship-program-apply-today

Belkasoft iOS Free Training: 
https://belkasoft.com/ios-forensics-training

Eric Zimmerman's SQLECmd: 
https://ericzimmerman.github.io/#!index.md
DFIR Artifact Museum: 
https://github.com/AndrewRathbun/DFIRArtifactMuseum

J & L Forensics Blog: 
https://jnl4n6.com/2023/09/13/new-to-cyber-preston-mcnair/


Speaker 1:

Today is Thursday, September 21st, 2023. My name is Alexis "Brigs" Brignoni and, as always, I have the great company of my awesome co-host, the digital forensic examiner, sensei, the master of things forensic, the one that keeps pushing me to be better, the one and only Heather Charpentier. The music is "Higher Up" by Shane Ivers and can be found at SilvermanSound.com, and with that we start the show. Hello, hello. There we go. Now people can see us. Hello.

Speaker 2:

Heather, what's going on, how you?

Speaker 1:

doing.

Speaker 2:

Good, how are you?

Speaker 1:

Good, good, just still getting my feet on the ground. Came back from a trip to Boston. It was really fun, so I liked it a lot.

Speaker 2:

Oh nice.

Speaker 1:

Yeah, I was there at the RCFL. The RCFL, so folks know, is the Regional Computer Forensics Lab. In this case it is the New England Regional Computer Forensics Lab in Boston. Actually, I got pictures for the folks that might be watching, so let me get you a picture. So I was there. I was invited to the RCFL to talk about mobile forensics and all that good stuff. Beautiful, beautiful building, as the folks can see. There it's housed. The lab is housed in the FBI's, Federal Bureau of Investigation, field office in Boston. So I was privileged to be able to teach there and speak with the examiners from the area. So it was really fun and, yeah, it's pretty good.

Speaker 1:

Actually talking about nice things. You can see here on my side, here right.

Speaker 2:

Very nice.

Speaker 1:

Heather knows I was really excited about this little neon sign that says on air Like I'm in a little studio here, which is actually.

Speaker 2:

Your studio is getting so fancy that I had to get myself some lights as well.

Speaker 1:

You will not be left behind, by any means.

Speaker 2:

I was looking a little plain over here. No, you're fantastic.

Speaker 1:

So yeah, so I put the "on air" there to make me feel better. So folks that are listening, I have a small neon "on air" sign like I'm an actual, what's it called? Like, not a DJ, but if people speak on the radio, you know, anyways. So yeah, so what's going on, Heather? What's going on?

Speaker 2:

Oh well, this week, or this week started, the Cellebrite Capture the Flag challenge. So you know, because you're on my team, we are working through that.

Speaker 1:

And by we as you and Kevin, because I suck.

Speaker 2:

I don't know I'm struggling. I think Kevin's kind of taking it.

Speaker 1:

Last time we were like 12 for a little bit, but now we we're ranking down again.

Speaker 2:

Yeah, we're definitely falling down the scoreboard quite a bit, and for anybody who doesn't know, the Cellebrite Capture the Flag is going on right now. There are four images: two iOS images, two Android images. It's running from September 20th through the 27th and, last I looked, there's 350 teams, which are teams as well as individuals, registered to compete in the challenge of answering all of the digital forensic questions that Cellebrite has come up with. The top score receives a free Cellebrite class, I think that's my understanding, and then all the other winners receive challenge points. So if you haven't signed up yet, I don't believe it's too late to sign up and download the extractions and get started. It is definitely challenging.

Speaker 1:

Yeah, and even if you don't want to compete for whatever reason, I recommend that you do. But just getting the images is worth a lot because then you have some test data that you can play along and do research on or just try to figure out how things work. So just having test data it's awesome. And the folks that build the questions Heather and Jared and all those fun or did the test data really nice people. I will say I will pick a bone with them later on some of the questions because it's a little bit too vaguely worded for my taste.

Speaker 2:

But overall, though, it's really fun and it really challenges you and you'll learn a lot about the iOS and Android files that some sets for sure. I know that I now need to go take some additional classes in Android after this.

Speaker 1:

Oh no, I hear you. I hear you when you're an instructor like us and you're like, uh-huh, but you know what, I feel like we need to do this. We need to constantly be growing. Look, there's folks here loving the sign. So I appreciate some of the comments here and I appreciate that Kevin is also around, even though he's been carrying us in this competition. Yeah, so I got a quick question: are the events in Boston open? So events at the RCFL are usually for the examiners and law enforcement for the area, but there's also a lot of digital forensics events happening, especially in Boston. Like big cities like that, there's always events happening. So that's something that we hope to kind of bring, like more announcements of events that are happening in different locations. So we're looking into putting that out as well. Oh, before we forget, look, is it this side? What side? Can you see? This other? Yeah, yes.

Speaker 1:

Of course I say, you see this? I have a shirt that has our logo. It says Digital Forensics Now and it was a kind gift from Heather, because she's awesome, and she got us, she got me, a shirt with the Digital Forensics Now logo, a little microphone with the bits and bytes coming out. So, thank you, I'm eternally grateful. You're welcome. I should take it off someday.

Speaker 2:

You've been wearing it since I sent it.

Speaker 1:

Well, let's go to the next section.

Speaker 2:

Yeah, and the next session.

Speaker 1:

The next session is up to me, right, it's up to me actually, yeah, so some of the things that are happening and we wanted to bring this up because the SANS talking about organizations that put up events.

Speaker 1:

They support an event called the, I'm sorry, the Difference Makers Awards, and the Difference Makers Awards are where people get nominated and they are selected as a person, group or a tool that has made a difference. For this year, I was honored to be nominated and selected, and I say me, but me in representation of all the developers that work on the LEAPP tools, which are the open source tools we put out for digital forensics examiners, and we were nominated as open source tool of the year and we won. So, and the folks here can see a little trophy in the shape of a nice key. So it's really nice and I would like to promote this because there's a lot of people doing great work that should be recognized. So what you need to do is go to the, I think we have the address here, if you can put it up, if we have it.

Speaker 2:

Go Hi.

Speaker 1:

Yeah, if we don't have it, it's fine.

Speaker 2:

No, no, no, no, I'll put it up on the site.

Speaker 1:

Okay, so go to SANS and look for Difference Makers Award. It's a simple Google search. You'll find it and then vote, and these are the categories that are up there, right? So let me show them. So they are article or book of the year, diversity champion of the year, community champion or influencer of the year, innovator of the year, mentor of the year, open source tool of the year, which is the one that we won last year, podcast, live stream, video series of the year. You know, I'm just saying for the future, you know, I don't know, just putting it out there in the universe. Rising star, team or practitioner of the year, team leader of the year and lifetime achievement award, which last year was Lesley Carhart. She's awesome. So, yeah, please, please, please, go there, nominate folks that are doing good work and make sure that other people hear about it by them being nominated and hopefully winning this award.

Speaker 2:

So there's some other training and scholarship opportunities that have come up lately that we're going to share with everybody too. IACIS has a couple of scholarships that are going to be opening up soon. The Will Docken Scholarship is for city, county, state law enforcement agencies that conduct digital forensic examinations. The agencies cannot have more than two personnel that are assigned to conduct digital exams in their agency to be able to qualify for the scholarship, and the scholarship is for their Basic Computer Forensic Examiner class. It will give them the opportunity to go take the class and it's all expenses paid for the class and lodging and expenses for meals and per diem.

Speaker 2:

Another scholarship from IACIS that's also opening up, they're both opening up in October, is the Women in Law Enforcement Scholarship. This one is for females in law enforcement. They can be sworn or civilian, and what you have to do for that scholarship is provide your CV and write an essay of no more than 500 words, and that will be based on your career goals. And it's also a scholarship for the Basic Computer Forensic Examiner course through IACIS. And then Magnet also has a scholarship. Right now they actually have two different categories: one is for an examiner new to forensics and the other category is for somebody advanced in forensics. They're providing a license for Magnet AXIOM for one year and a training pass for all of their courses, and also that provides you with the opportunity to take their certification exam. So that one's actually open now through December 1st. So just some opportunities there for training and scholarships.

Speaker 1:

And I mean the Magnet courses, I took them there, the online ones, and I think it's also important, but online and they're really, really good.

Speaker 2:

So I really recommend taking some of those two, they are excellent.

Speaker 1:

Yeah. So some other opportunities for training are coming from Belkasoft, and I'll tell you that it's a great training opportunity because, for the time being, it is free. So let me put it up on screen, and don't worry, if you're listening, we're going to have these URLs in the description of the podcast or the video so you can grab them from there. So from September 15 to October 15, you can get the iOS forensics course with Belkasoft. They provide you a temporary license to do the course, and after that, if you don't take advantage of it, then it's going to be a paid course. So if you want to take it for free, do it now. I will tell you, I like some of the tools they come out with, especially Belkasoft. The way they deal with WAL files, I really like it. So go check it out. For now it's free, so don't walk, run.

Speaker 2:

Yeah, I just did the course. It was excellent. I don't actually have the Belkasoft tools, and it was really good to learn how to use a tool that I don't have in the lab. I would actually consider purchasing Belkasoft after using it. Some of the capabilities are really good and the training was really good. It wasn't just based on the Belkasoft tool. It also gave you a better understanding of some of the artifacts that you find in an iOS file system. So I would recommend the training, even if you don't have the tools, and I think after you take the training, you would consider purchasing the tools.

Speaker 1:

Yeah, absolutely. Some other comments here it also comes and thanks for the reminder you get six CPE credits for taking the course, so if you have certifications and you need credit hours to be able to maintain those certifications, this is one way of getting six of those credits and learning a lot of cool stuff about iOS. So check it out, Alrighty.

Speaker 2:

So last week we put up a post asking if anybody had recommendations for things they wanted to see on the podcast, and we had a recommendation to talk about SQLECmd and the DFIR Artifact Museum, and I had never heard of either. So I went out and did a little bit of research and messed around with both of these, the websites and the tools. I'm going to do a little demo for everyone so you can see how they work.

Speaker 1:

This is my favorite part of the show.

Speaker 2:

Let me share my screen. Let's see here what?

Speaker 1:

which one are we doing first?

Speaker 2:

We're going to do SQLECmd.

Speaker 1:

Awesomeness and yeah, it's coming up so.

Speaker 2:

I went out to Eric Zimmerman's website and downloaded his SQLECmd and I am going to run it for you and show you how it works.

Speaker 1:

Yeah, let me give you a quick background. Eric Zimmerman, he used to be an FBI agent. I think he works for Kroll now. What an incredible, incredible guy. He does all sorts of tools, free to use. One of his tools is kind of an industry standard at this point, KAPE, and some other tooling. So this is one of the tools that he provides to the community as well.

Speaker 2:

So let me give a little bit of an explanation before I actually run it. The way it works is the tool has what's called map files, and the map files are SQLite queries, and if there's a map file available for a specific database in your extractions, whether it be an Android, an iOS, a Windows or whatever type of extracted data you have, if there's a map file available to run through this tool, then the tool will hunt for that particular database and you can run the map file. It'll find the database and it'll parse it out and you can dump the parsed data into a CSV file. So I'm going to use the command to hunt for, I'm going to do iOS, and I'm going to use artifacts that are located in the DFIR Artifact Museum, which is the other website that I'm talking about in this section.

Speaker 2:

That is a repository of a whole bunch of artifacts. A lot of them are the Josh Hickman artifacts and they're all there for everybody's use, for testing and validation, available for anybody to go download and use. I'm going to use the iOS extraction and I'm going to point SQLECmd at the iOS extraction and have it hunt for databases and see what we come up with here. So let me open it up here.

Speaker 1:

Yeah, it's a command line program for Windows. So what we're seeing here is a command line prompt and about to run the command.

Speaker 2:

I'm going to just grab the command I already saved to save us time, and so I'm running the SQLECmd command to hunt and I'm pointing it at where I downloaded the DFIR Artifact Museum. I'm pointing it at the iOS folder and then I'm having it dump the CSV out to a temp folder on my C drive, and it's hunting for those databases. So we'll run it and hope it all goes well.

Speaker 1:

And it said, like, maps loaded 72, and it's going through and kind of finding all sorts of, it's going pretty quick, but like different databases. Are the maps based on the names of the databases, or how is that?

Speaker 2:

The maps are based on the names of the databases. Gotcha. So now I'm going to, I have them all dumped to a temp folder on my C drive. Let me share that with you.

Speaker 1:

Yeah, it's interesting. If you kind of know that you're going to be pulling out certain databases, I guess a good way of kind of automating that process. Oh, there we go. Look at those.

Speaker 2:

There were maps in the maps folder, which came with the SQLECmd tool, for calls, iOS Health, Photos and the SMS DB, and it parsed that data out into the CSV files. And if I were going to look at this data, I'm not a huge fan of spreadsheets, I would bring this all into, probably, Zimmerman's Timeline Explorer, not a huge fan of just opening up spreadsheets. So I think we will do that. Open up Timeline Explorer and I will share my screen with that in just a moment once I have it open.

Speaker 1:

Yeah, I see a good use of that, triaging like, oh, I got these, or maybe I have these 10 databases that I need for specific things. You can easily kind of pull them out and look at those contents without having to do queries or nothing, just by looking at those tables. I kind of figure that will be a scenario for this. Timeline Explorer is open, so now you're pulling in all the CSVs.

Speaker 2:

Yes.

Speaker 1:

Nice, and for those that are not familiar, Timeline Explorer is a tool that Eric also does. It's graphical and you can take CSV-like text files, like this, and if they have a timestamp then you can, you know, do it chronologically. Set all the content in chronological order.

Speaker 2:

So I like Timeline Explorer because I like the filtering, and I just, I'm a fan of looking at the data in Timeline Explorer. The way it lays it out is better than the way spreadsheets do, and the way it handles the columns is better than spreadsheets do. But it's a nice little tool to be able to filter on the columns. Absolutely. That is, in a nutshell, how the SQLECmd tool works, and the DFIR Artifact Museum is awesome. I would use that all the time for testing and validation purposes as well, not just for this tool, for all kinds of purposes.

Speaker 1:

So it's like folks put data in that museum, or how does that work?

Speaker 2:

Yeah, there's a bunch of contributors for that museum. There's a lot of the Josh Hickman data in there. There's Windows artifacts in there. Let me pop up the folder, I'll do a little view of the different artifacts that I pulled down from the DFIR Artifact Museum. So there's Android, iOS, Linux, macOS, Windows, Windows Phone. That was all pulled down from the repository, and inside of these folders are, by indigenous people, different directories and different databases within each of the folders. The TCC database, which is part of the Hickman iOS application permissions. You get the call log databases. It's got all the databases in there that you would need to run with the SQLECmd tool.

Speaker 1:

Yeah, and folks, anybody can contribute, that's my assumption.

Speaker 2:

Yes, anybody can contribute to that. The more people that can contribute to the map as well, the more this tool can do. If you can get in there and contribute to writing the SQLite queries and putting more maps into the tool, the more databases they can support.

Speaker 1:

Yeah, folks can contribute with maps for the tooling, but also with databases and data for the museum as well, I think. But is that the case? Can I contribute to the museum as well, not only with the maps for the tool, but for the museum? Can we contribute to that? Yeah, okay, awesome. Very cool, having test data, because I think, at the end of the day, the purpose is having that data for you to test, to be able to see how artifacts evolve through time. We need everybody to band together, because if I have a case and I might need to see how this data behaves in a version of the database that I don't have, it might be in the museum if somebody was kind enough to leave it there for me. So, yeah, let's be better together, let's contribute.

Speaker 2:

Definitely.

Speaker 1:

Talking about being better together. Obviously, I'm going to take the moment to highlight some of the contributions our tooling does. Again, another shout out to Kevin Pagano. Not only does he do CTFs and carry us, he also codes, and he did a pretty good set of parsers for Fitbit data. Fitbit data is important. I'm going to just give an example of why Fitbit data is important, for those that are not familiar with Fitbit. Fitbit is a hardware and software manufacturer. What they do is they do watches or different devices that keep track of, let's say, your steps during the day, your heartbeat and all sorts of things. That data is extremely important.

Speaker 1:

The example I'm going to give you is from a case that happened some years ago. This dude, an older gentleman, 91 years old. He was accused of killing his 67-year-old stepdaughter. The way basically the reporting what the investigating agencies believe happened, was that he went to the place, killed her and then obviously left. When the police were to interview him, he said well, yeah, I saw her in the morning, left her some food and some things. Then I saw her later on that day with another gentleman in a car waving me goodbye as she drove by. The question is well, he's the one that saw her alive last and he's saying that he was at a house at a certain time and that he had seen her alive later on that day. Well, in the scene we found the victim was stabbed to death and she had a Fitbit on her wrist.

Speaker 1:

The investigators went to that data, pulled it out and they were able to determine, based on the Fitbit, the time of death, because the moment your heartbeat, or the system is detecting your heartbeat, all of a sudden there's a spike at a certain point in time and then it flatlines.

Speaker 1:

At that point it's reasonable to believe that it's time of death, considering that they found her with the Fitbit on her. Well, with that time of death, possible time of death, they went and looked at where was the individual and he happened to be at the house. He said he was there and the surveillance system from across I want to say across the street, I don't remember, but some other neighbors had his vehicle parked in her driveway at the time where the heartbeat flatlined on the Fitbit. So it's a little bit of a hard example. The person was accused against an older person. He died before going to being prosecuted fully, but the point I'm making with that is that type of data. It's extremely important and Kevin did some parsers for Fitbit data that might be of interest for you in your cases.

Speaker 2:

So, with the Fitbit data, I actually have some Fitbit data that I pulled down from my Google Takeout, so I'm going to show you how the Fitbit parser works in RLEAPP.

Speaker 1:

Yeah, and for those that don't know, what's Google Takeout?

Speaker 2:

So Google Takeout is where the Fitbit data is stored in my Google account, and I pulled it down. It's stored on the server side of Google, so I logged into my Google account and requested pretty much like a backup of my data.

Speaker 1:

Yeah, the amount of stuff in Google Takeout is amazing. If you have a phone, it's going to Google, it's going to be sending that stuff to the Google servers, and you can request it yourself with the Google Takeout system.

Speaker 2:

So the Google Takeout comes when you request it. Google will send it to your email. It came to my email in a zip file, so RLEAPP supports the zip file and it's here. It's the Takeout file. So I'm browsing out to the Takeout file and I'll just pick an output area and I'm going to deselect all the artifacts in RLEAPP and just choose the Google Takeout artifacts that are specific to Fitbit. There's three: there's Fitbit, Fitbit Temperature and Fitbit SpO2. And then I'll just hit process and it is done in seconds.

Speaker 1:

And it's done in seconds.

Speaker 2:

And then I just have to find where it just went.

Speaker 1:

Yeah, so your desktop here.

Speaker 2:

Yeah, hold on one second. Let me just stop my share and I will get it.

Speaker 1:

And Google Takeout data for the investigators: let's say you have a cooperating witness or a victim, right, and you need to get access to possibly data that's housed in Google. You can, with consent, get that data and start to get some benefit from it as legal process goes through as well. So just always keep that user-generated data in mind for your investigation. Super, super important.

Speaker 2:

And I'm sharing the wrong thing. There we go. I'll get this share thing down eventually, I swear.

Speaker 1:

No, it's. It takes One of these days.

Speaker 2:

There we go.

Speaker 1:

There we can see it.

Speaker 2:

There we go.

Speaker 1:

Awesome.

Speaker 2:

So you can see in the report there's the Fitbit account profile, which shows my account data. It has my full name, my display name, email address, date of birth and other account data, my activity goals. It shows temperatures that were logged with my Fitbit. It shows the Fitbit oxygen saturation, the SpO2, that was logged with the Fitbit. The sleep profile, Fitbit sleep profile data is here, Fitbit sleep scores that are stored in the Fitbit data, the Fitbit stress scores. I'll have to take a look at those.

Speaker 1:

I think both of ours are pretty high.

Speaker 2:

And then the Fitbit tracker. So it has the data about the Fitbit tracker that I was wearing. I have the Versa 3. So it has the information about the Fitbit that I was wearing. And there's all their data stored in the Fitbit too, and I'm sure they're going to continue to add to RLEAPP for the Fitbit parser. So you may see additional categories popping up here.

Speaker 1:

Yeah, and same thing. If you have some test data you don't mind sharing, we'll be happy to create some support for it on the tooling, if you share with us. So, which is our way of contributing as well. So, please do, please contribute.

Speaker 2:

Yes, please.

Speaker 1:

And talking about contributions right, we mentioned sharing, but what else can we do to contribute? What is there?

Speaker 2:

So many things you can do to contribute to the digital forensics community, right? So I mean, the LEAPPs are one of the big things I think of. I mean, when you think of contributing to a LEAPP project, I think, oh my god, I have to write scripts. But I don't have to write scripts, right? I can't do that. There's so many people who can't do that. But just providing artifacts that you find, or providing data if you can, I know a lot of people can't share their data, but providing locations of where the data is stored, how it's stored. Just think, hey, I found this new artifact, can you help me to record it?

Speaker 1:

Or even if something breaks, right. So I had one last week, or this week, all the dates are mixing together now, where they told me, hey, look, there's some Discord, and Discord I want to say Android, and the tools are not parsing it. What's happening? So I don't know. So we looked at it and it was a change. It changed in how it's stored, so now it's kept in a SQL database that has JSON and, for those that don't know, that's JavaScript Object Notation, that's key-value pairs, and we can talk about that later. And it changed, and just somebody put the word out, hey, look, this is not working. That helps. You don't have to code, but just be part of the community. It makes us better. Now we have a parser for it, and while the main tools or third-party tools catch up, you have some support already with open source tools. So that's just thanks to the community.

Speaker 2:

Right. I mean, even if you're finding new artifacts, write a blog about it, share it on the listservs, the Google Groups, the Discord server. I would say nobody knows everything in this field. There's not one person that knows every single thing in this field, and if you are learning something new or you're wondering something, somebody else is also wondering that same thing, so share it. I can't count the number of times that I'm wondering something about a certain artifact, or I'm asking a question about an artifact, and my phone will buzz and it's somebody asking the same question or answering that question on one of the groups, like 10 minutes later. It happens all of the time. So sharing what you're learning is super important, I mean.

Speaker 1:

Yeah, and that sharing could be, like you're saying, make a blog post or make some content, right, make a video, or a podcast. And if you can do something that I can't do, which is make a TikTok, because I cannot still get the hang of it, so I just quit, I'm not doing TikToks, but if you can do one. We're going to make a TikTok? Oh no, oh yeah. And by we you mean you.

Speaker 2:

No, and I said this this year, so be ready, in April we're going to make a TikTok.

Speaker 1:

Let's hope there's no, like, detergent-eating fad at that time. I don't want to do that. Well, if you can do a TikTok, or you'll be made to do a TikTok, then do it. As long as it's digital forensics related, the community will appreciate it. If nothing else, I will appreciate it, so please do.

Speaker 2:

I would say to definitely make the videos. I'm trying to think of other ways to contribute. There's so many ways to contribute. Mentor somebody. There's so many new people that are starting from the bottom that just don't know how to get started. Pick somebody and just get them started, start teaching them. Remember that they are starting from the beginning and be patient. Yeah, I mean, that would be a great way to contribute.

Speaker 1:

Yeah, and getting in that mindset, and I'll confess here, it's hard for me in the sense that I get somebody that's new and I know you don't know these things and then I just give them like a ton of stuff in five minutes. So we have to take it slow, be kind to the new folks and build them up, because ourselves, right, like myself, I've been in the law enforcement field for 16 years now, a decade in digital forensics, over 20-something years in technology, and I started like everybody else, not knowing absolutely anything. Where do I turn this on? And we grow and we grow together.

Speaker 1:

So I don't remember who said it and I feel so bad, but I heard one of the members of the community saying, look, when you get to the top of that building, right, you're in that penthouse. Please, please, please, make sure to send that elevator down, right, so others can come up and join you. And I love that image of what it means. And I'm so sad I cannot remember. I have his face in my brain but not his name, and I think it's really true. Bring that elevator down. Whatever you're doing and the success you might be enjoying, bring others along for it. Because you were not built on your own. People came across your path and helped you to be where you are and to become who you are.

Speaker 1:

So that's so true, so true. And talking about people becoming who they are, I think there's a great series, right, of folks being interviewed in regards to what their experiences are, them kind of coming into the field, right?

Speaker 2:

There is. So there's a new blog by Julia Gaitley and Lexi Vanden Heuvel and they are interviewing new people, new to the cyber career, new to digital forensics, right out of college, just new to the career. And they recently did an interview with Preston McNair, who went up through college and now works for Magnet Forensics as a forensic trainer, and they interviewed him about being new to the digital forensics atmosphere. The blog is really good. It outlines his whole journey through digital forensics, through school and through becoming a trainer, and it talks about his path to get there. It talks really about his passion for digital forensics, and there's a couple of things that the blog really outlines that I wanted to read because I think they're very important. So he says: DFIR space is for individuals who love a challenge and are not afraid to ask questions. Just remember to Google first. I love that.

Speaker 1:

I love that.

Speaker 2:

It's-.

Speaker 1:

It's absolutely true.

Speaker 2:

So true. And then another good piece of advice that he gives is: being nimble and able to learn new skills and techniques was important. The digital landscape is constantly evolving, with new social media platforms, services, hardware, et cetera. The learning doesn't stop once you get a degree or leave a training environment. Your head must be on a constant swivel in the digital forensics landscape to know what's on the horizon and how you can take the knowledge and apply it to your work.

Speaker 2:

So I think those are some really good quotes coming out of that blog and I would ask that everybody go read it. It's really a good story of how, when you're new, really new to forensics, you have to really have a passion for it and you have to really want to do it, and the types of skills that it takes to move forward and work your way up.

Speaker 1:

Oh, absolutely, and I just wanna, I mean, just a heads-up, there's a question later in the chat that I wanna read and address at the end. So, folks asking some of the questions in the chat, if we're not addressing it right now, we'll make some space at the end, so stick around, we're gonna talk about those. So back to the topic. See, the thing is, like Preston. Preston is like the nicest guy you ever met, right, and I don't know if you know him personally.

Speaker 2:

I don't.

Speaker 1:

You don't. I'm telling you, he's one of the nicest guys you will meet. Actually, in the blog post I was reading and I was surprised to see myself in the picture, him and myself at a Magnet conference a few years back, and Josh Hickman, another of the nicest people you'll ever meet in this field. So I'm like, what am I doing here? I'm just blessed by being surrounded by them. And I say that because, you know, your personality as a human being as you come into this field will dictate a lot of how much you will learn, how much success you'll have. And I say that because lately we're having conversations, I mean not only you and me, Heather, but also other folks in the field, more seasoned folks, about how we're seeing, or might be seeing, right, so I gotta be careful here, we might be seeing newer folks coming into the field and some of them might tell me, well, these new folks are coming in, they have the attention span of a mosquito or a gnat, right, and they're blaming the generation. They're saying these young people. And you know, at some point you have to be careful with making generalizations and saying, well, all the people from this age group behave certain ways. Because, well, that's not necessarily true, right, it only takes one to disprove that. But behind a generalization you can have a little bit of exaggeration, or a lot of it, but also a little bit of truth. So we have to kind of pick some of those things, and I wanted to take the opportunity now to mention, at least talking to the young folks that might come across this podcast or are listening in, coming into the field, some of the things that I believe will be helpful in regards to how you portray yourself in the field.

Speaker 1:

Right, and okay, I mean, I know I'm gonna sound like the old guy telling the new people, but it's because it's true, I am the old guy and you are the new people, and you know. I mean, first of all, I think folks coming to the field need to understand that you might come with a degree, and that's a good thing. You might come with certifications, right, but neither the certifications nor the schools are gonna give you what you need to succeed. And you might ask yourself, then why the heck did I spend so much money on getting these? Well, because when I say that it doesn't tell you what you need to succeed, it gives you the method for you to succeed, right. So it's not so much what you need to know as things to be done, like: I need this artifact and this is how I dealt with the phone, this is how I dealt with a computer, because those change, right, Heather. I mean, we're up to iOS what, 16 or 17 now?

Speaker 2:

Almost 17, right.

Speaker 1:

And I remember iOS 13 being the thing and all these things we were finding. And then, you know, we're at 17 now, so we need to, you know, constantly update ourselves, right? So schooling gives you the way to figure out what you need to know when you need to know it. So it might not give you the details of things that haven't come in yet. So you take that base knowledge and you build on it. You build that knowledge, so don't come in thinking that you know everything because you have a degree. You're done with... I'm done with school. Let me tell you, in this field you're starting school all over again.

Speaker 2:

You are. You are going to be in school for the rest of your career. You are not stopping.

Speaker 1:

You go to a CTF, like me, and you'll get beat up by it and then you'll be like, you know what, I need to really keep on growing. I just need to, I need to. It's the other way. It's like a shark, you don't swim, you die. And some of the stuff, I mean, even some stuff that's kind of, I'd say, elemental when you have experience, but it might not be when you're new, like soft skills.

Speaker 1:

If you come to your squad, or where I work at, or your team, and everybody is joking and you're the new person, that doesn't mean that you can joke too. It means that you need to listen, you need to make sure you understand what the corporate or institutional culture of the place is. Just because they don't tell you there's a dress code doesn't mean there's no dress code. You're not going to come in jeans and a t-shirt when everybody has, at least at a minimum, a polo and 5.11s or something else, or slacks and maybe a suit because you've got to go to court. When you go to Rome, you have to do as the Romans do, and, again, for the folks that have been experienced in this field, it's like, well, that's obvious. Well, it's not. We've got a new generation of folks where I believe, and tell me if I'm wrong, but I think us, like the adults and the folks that have been developing them, we're failing them in a lot of ways. They have so many challenges that we didn't have, even in daily life, the devices, phones, computers. Like, I remember a time when mobile phones were not a thing. Right, yeah. So that means that I have to be aware to tell young folks, hey, look, and it might sound silly, but it's not, you'd be surprised: if you're in the middle of a squad meeting, it's not the time to be looking at the phone. If the sergeant is talking to the group, well, you better look back at the sergeant. And we shouldn't fail them, and also don't fail yourself, and this is something I've got to get really serious about now, and for the young folks, all this stuff you can ignore, I'm an old guy, so you can ignore that, but don't ignore this, please. This is really important. Take care of yourself, and what that means is, when you come new to a place and you're not established yet, obviously, if you have a zeal for this field, you want to become established, be able to produce and grow, and there will be people, I'm sad to say this, that will take advantage of you.
And also this goes to the older folks: conferences, squads, working areas are not dating areas, and as a society, I believe, this is my opinion, it might not be for anybody else, I believe that the bar is being set too low. If it's not criminal, that means I'm OK, and that's not it. That's definitely not it.

Speaker 1:

Ethics still mean something, and not only ethics as a profession, as the work itself, but ethics as individuals. And I'm not preaching, although I kind of am a little bit, right. But look, I don't care what you do in your life, in your personal life, right, but what I do care about is, don't come to these young people and, since you're established, use that power dynamic that you have over them just because you're experienced. They might believe that they won't succeed in this career if they don't, quote unquote, consent. It's not consent if they're coerced to do what you want them to do. Right, and it could be anything from something simple to something extremely bad. I say bad in regards to taking advantage of them emotionally or even physically. And as an organization, gravitate to organizations that are crystal clear on what their policies are in regards to sexual harassment and those types of interactions.

Speaker 1:

Okay, I love IACIS, I'm a big proponent, all-volunteer corps of instructors, and they make it clear, and Heather, as is my witness, has been there with me in those meetings. They tell you, we're here at this event and these are the rules, and if you don't abide by this code of conduct, you are out, and even if it's not criminal, you are out, and if it's criminal, we will arrest you. There's plenty of cops there, you know. So you protect yourself. Don't feel pressured into anything. Talk to other folks that are also in the field, are more experienced, or organizations that are of trust. If you see something like that, you're being pressured to do something you don't want to do as you come into this field, you shouldn't be put up to that. Don't stand for it, and folks in the field, other folks in the field, will support you.

Speaker 2:

I think, with... I'm gonna go back to the beginning, I think, with some of your comments on new people coming into the field and maybe not being so much ready, or not being where they need to be at coming into the field new, maybe internships or some real-life experience, some kind of real-world experience prior to starting the real-world job wouldn't be a bad idea. I know we've had people come through our office that have done internships and they seem to come in and they acclimate into the work life pretty well, in my opinion. You know, they've done an internship in a digital forensic lab. They know what the work is gonna be like. They have worked a real case. And it makes me think of the Notre Dame program.

Speaker 1:

Right, oh my, what a great program.

Speaker 2:

Yes, you know, for people who don't know about the Notre Dame internship program, they have a digital forensic lab in the school run by a police agency and the prosecutor's office, and they take interns starting, I believe, at sophomore level, and they'll take interns and they go through a whole background process, interview process with the county prosecutor, and they're picked for the internship and they're actually sworn in as officers and they have, like, full police powers and full police duties, and they work actual digital forensic criminal cases through their internships, and I can't think of a better real-world experience prior to getting your job out of college than that.

Speaker 2:

I think it's a great program that would just set somebody so far ahead for their job after college. I would encourage people to look into that type of program, if this is the career that you want to go into, or programs like that; it doesn't necessarily have to be that exact program, but it just seems so cool. I actually had never heard of it until you mentioned it to me and it's really cool.

Speaker 1:

Well, and emulate it, right, for managers that are running labs, both private and public, publicly, government, emulate that, right. And if you cannot... because we fail, we failed our young people when we were thinking of, well, I need to fill these five seats and I'm gonna grab five bodies, and there you go. Right, and there's no support system. Right, and maybe, well, I'm gonna assign you a mentor, this older or more experienced, seasoned examiner, and that examiner has their own workload and now they have to try to mentor a young person with no support from management. Right, there's no program, no nothing.

Speaker 1:

So, as managers, that program from Notre Dame is, I believe, the gold standard as they're coming in. But if you hire them and they have a probationary period, use that to good effect. Right, make sure that your mentors have, that you allow them to have, the time to mentor and that you empower them. Right. Of course you don't want to empower them for them to abuse the mentee, right. So, you know, make sure the power dynamic is balanced. There's policies, but that probationary period for that new person that's coming in, that's when you're gonna level them up to where you actually need them to be.

Speaker 1:

And mentorship, a mentorship program in an institution, without making sure you understand how to empower the mentors and what the roles of the mentee are, it's not gonna succeed. And sometimes those mentor programs are there in name only: oh yeah, I will assign you a mentor, and then nobody came to my help for the first year, and then you pass that probationary period and you're so used to trying to figure things out. So now we need to do a better job. That's a great example of how not to. Notre Dame does it, and we can definitely do better. Yeah, so before I move to the next thing, I want to answer some of the questions from the... Sure... from the chat, and so I'm bringing up some of the comments. So if you don't mind, Heather, I'm gonna drive for a second, the chat for a second.

Speaker 1:

So I'm not gonna put up the person in the chat, so I'm just gonna mention what it is. So we have a question about, well, an agency, some of the investigators handle officer-involved shootings or vehicle collision reconstructions, and they bring phones into the lab but they never bring returns from Google, iCloud. And the person says, I think that's because they don't know what's available, any advice to get them to start looking into those? So I'm gonna let you, Heather, kind of answer that and then I'll try to chime in. Tell them immediately.

Speaker 2:

You know, just tell them, call them, say get it. So when we get in the phones, once our phones are extracted, that's what we do first. So I have these user accounts. These are the accounts tied to the phone. These are where you can possibly obtain additional data. Get your legal process out to the service providers, have your field investigators or your case investigators or whoever's handling that serve those service providers with legal process immediately.

Speaker 1:

Oh yeah, preservation, and immediately. Well, and I mean you need to make, I mean, make a dummy account in Google and Apple, right, and fill it with some data, location data, chat messages, like juicy stuff.

Speaker 1:

When I say juicy, I mean stuff that would be of interest in an investigation, right, and then download it and parse it with a third-party tool or RLEAPP, it's a free one that we mentioned previously, and show the investigators: look, you have this type of case, look at all the different types of data you can get from these cloud services, or backups or whatever it is, to create...

Speaker 1:

To create that, right. Sometimes, and sometimes it might require more, it might require reaching out to whatever the unit's management is and making a training or talking to the sergeant, I don't know, but somebody that has the awareness that this needs to be followed up on.

Speaker 1:

It's incredible, from my perspective, professional malpractice to have, you know, the authority to access data to solve a case, be it to prosecute or to, you know, liberate a person who has been wrongly accused, and leave that evidence on the table, just because either we didn't know or, sadly, because sometimes we don't want to spend the time on writing the search warrant, on writing the legal request or whatever it is, or because we received it and we don't know what to do with it. If I don't know what to do with it, then I just leave it there. I don't know what it is. No, we have a responsibility to our citizens and to the folks that are going through the legal process to follow up, to do our due diligence, and that, I mean, again. So I got on the soapbox, but I really, I feel strongly about it.

Speaker 2:

No, I agree with you 100%.

Speaker 1:

Yeah, and it's super, super important that that data is in... Well, and I was listening, that reminds me of, I was listening to the podcast for MSAB, Adam Firman, and they were talking in their latest Forensic Fix about how, moving forward, some of the things they're thinking about how it will look is data might not even reside on phones anymore. Phones and computers would be like dummy clients. It's just a screen with a keyboard, and internet speeds are gonna be so fast that there's no point in having a hard drive in a phone because the data could communicate through these wireless, uninterrupted connections instantaneously, right? So where's the data gonna be? Not on the device anymore, it's gonna be all housed in a service, right? So realizing how that might change that way, I don't know, it might go that way. We don't know the future. But it really underscores the importance of being aware of all the data sources within the device and outside of the device. Right? So we have.

Speaker 1:

We have some more questions here. It says here, if you could answer, yeah. So it says, I'd like to know if it's possible to use iLEAPP, that's the tool, that open source tool that we make to parse iOS extractions, to see if you can use iLEAPP with an iOS capture that was from an encrypted backup from iTunes. So the question is yes or no? It is no. If it's encrypted, no. But if you decrypt it, yes, and there's open source tools for that. As long as you know the password of the encrypted backup, of course. If you know the password, you can decrypt it and then feed that unencrypted iTunes backup to iLEAPP.

Speaker 1:

The thing with iLEAPP and backups like that is that I don't provide a lot of support for iTunes backups just because there's not a lot of data that's relevant to my cases. I gravitate to full file system extractions and, for those who don't know, that is the most data you can pull out of a mobile device, be it Android or iOS. Specifically Android full file system extractions, and those are the ones I support the most. I don't really go digging for iTunes backup artifacts, but if somebody has one and wants to reach out to me, something they want supported, and they can provide some test data, I'll be happy to try and support it. But again, give me some test data and we can go from there. Let me see what else is here. Yeah, so I got good folks here in the chat.

Speaker 1:

So you know, I want to read this. I think it's pretty interesting. To have a successful career in digital forensics, you need to be passionate, curious, driven and embrace continuous learning. That's pretty much what we said, in a nice concise sentence, right? Yeah. The day you stop being curious and stop learning is the day you will have an expiry date in this field, and no matter if you're new to the field or you have been doing it for 20 years, everybody, but everybody, can contribute to the field. You'll have unique experiences and areas of forensics that you're passionate about, that you can tap into and share with your peers and learn too. We should just stop the show there, right? Yeah, but we're not going to. We need to show one more thing. All right, so let's see here, and we see the one last comment here that I have. All right, awesome, yeah.

Speaker 1:

So just to kind of close up the show, obviously we have the meme of the week, and this is inspired, I think, a little bit by the CTF, or well, not the CTF only. I don't want to call out Cellebrite, because that's not... that would be unfair and untrue. Cellebrite does... it's great tooling, great people, and they're awesome, but it's more of a comment for all the field vendors and tooling that we have. So, again, it's not Cellebrite, it's anybody and everybody, including myself, because I make tools.

Speaker 1:

So you have here this, it's like the Flex Tape commercial, and you have this big, humongous bucket of water and there's a big hole in the bucket and then the water is coming out. So in the commercial, if you've seen it on TV, the guy has Flex Tape. He goes and slaps the Flex Tape on the thing and stops the leak, right. So the meme, again I'm describing it for those folks that are listening, the big bucket is the need for parsers for LevelDB artifacts, and we'll talk about LevelDB in a future episode, or, you know, any type of artifact. And then the guy with the Flex Tape is the vendors, right, they're gonna solve this issue. And then they put the Flex Tape to close that hole and it says clunky file viewer. And yeah, I know, I mean, I don't know what your experiences are with the viewers, Heather, but mine are not always the best.

Speaker 2:

No, especially when you're trying to find answers to a capture the flag or a test.

Speaker 1:

Poor Cellebrite, we...

Speaker 2:

It's all of them. It's all of the file viewers in every one.

Speaker 1:

Like I said, we're gonna undercover drag them. No, it's all in love, and I say that because, I mean, that's the case, right, and I might be wrong. File viewers are important, right? Sometimes you might need to look at one specific piece of data and look at more than what the parser shows you, right, because, let's say, you have a plist or a bplist and it has a hundred fields. You know, your parser, your tool, will show you maybe five or six that are important, and that's good, because if they show you a hundred of them, they're gonna overwhelm you, right? So I get that, right, and you might need to look at three more of those fields, or see if there's any others that you might want that are not shown in the tooling as part of an artifact. So, yeah, we need viewers, don't get me wrong. We need them, but let's make them more user-friendly.

Speaker 1:

And if anybody wants to get opinions, I think me and Heather, we're more than happy. We're full of opinions. All right. Well, I think we've come to the end of the show. Thank you, Heather, for putting up with me.

Speaker 2:

It's been a week for us.

Speaker 1:

It's been a rough week, but we survived, and it's not even Friday. Oh no. Why do you have to tell me that? And also thanks to the folks that show up for the chat. I love reading your comments, interacting with you. You're the ones that... we learn from you, so thanks for coming. We're gonna be here again in two weeks. Again, we love you all. Thank you for being here and with that, we'll see you. We'll see you soon. Bye, bye.

Discussion on Events, Awards, and Scholarships
Scholarships, Training Opportunities, and DFIR Tools
Contributing to Digital Forensics Community
Advice for Newcomers in the Field
Notre Dame Internship Program