Digital Forensics Now

FTK Mobile, Cellphone Forensics Tool Comparisons, and New Open Source Artifacts. Competition is Heating Up in the Mobile Forensics Space.

Heather Charpentier & Alexis "Brigs" Brignoni Season 1 Episode 3


Ready for the breakdown of the newest player in the mobile forensics field, FTK 8?  This latest release includes a facelift, enhanced mobile support, and a plethora of supportive features for mobile devices. From app-specific mobile artifacts like Discord, Facebook, Kik, Snapchat, WhatsApp, to calls, conversations, contacts, MMS, and SMS, FTK 8 is geared up. Plus, its Smart View tab provides new mini and super timeline features as well as enhancements to their multimedia view. 

 

Our chat extends beyond the merits of FTK 8 to the realm of portable cases and the case review aspect of all digital forensic tools. Uncover how the right network setup can boost review speed and why understanding the limitations of portable cases is crucial for examiners and stakeholders alike. We also discuss how focusing on artifact-based reviews can enhance efficiency. But that's not it! We also delve into the importance of data validation and why a user-friendly interface is key for people reviewing and examining cases.

 

Interested in hearing about comparative analysis? Tune in for an in-depth discussion about comparing the capabilities of one forensic tool to another and the possible outcomes of such a competitive assessment. 

 

New in iLEAPP? We've got you covered! Together, we unearth new artifacts like the last car connection and voicemail artifacts, even recently deleted (trashed) voicemail: critical elements that will revolutionize your review process. Understanding the significance of analyzing torrent data encoded in Bencode, which links media on a device to the files used to acquire that media, is another key takeaway from our conversation. To wrap things up, we express our heartfelt gratitude to you, our listeners, and thank you for joining us on this fascinating journey into the world of digital forensics.
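The torrent artifact mentioned above is worth seeing at the byte level. What follows is an added example written for this page, not code from iLEAPP, the podcast, or any vendor tool: a small Bencode decoder and encoder, the infohash computed over the raw info bytes as BitTorrent defines it, and a summary of the file names and sizes an examiner would link back to media on the device. The metainfo blob it builds is constructed for the demo, not a real torrent, and the code goes slightly beyond the show notes by showing why the hash must be taken over the stored bytes rather than a re-encoding (a non-canonical .torrent re-encodes to different bytes and therefore a different hash).

```python
"""Bencode decode/encode plus torrent triage. Added example, not iLEAPP or podcast code.
Bencode types: i<digits>e (int), <len>:<bytes> (string), l...e (list), d...e (dict)."""
import hashlib

def decode(data: bytes):
    """Decode one complete bencoded value; reject trailing bytes."""
    value, end = _decode_at(data, 0)
    if end != len(data):
        raise ValueError(f"trailing data after offset {end}")
    return value

def _decode_at(data: bytes, i: int):
    """Decode the value at offset i; return (value, offset just past it)."""
    if i >= len(data):
        raise ValueError("unexpected end of data")
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        num = data[i + 1:end]
        # The spec forbids leading zeros and -0; int() would accept them silently.
        if num in (b"", b"-") or num.startswith(b"-0") or (num != b"0" and num.startswith(b"0")):
            raise ValueError(f"malformed integer at offset {i}")
        return int(num), end + 1
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode_at(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode_at(data, i)
            if not isinstance(key, bytes):
                raise ValueError(f"non-string dict key at offset {i}")
            result[key], i = _decode_at(data, i)
        return result, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        start, length = colon + 1, int(data[i:colon])
        if start + length > len(data):
            raise ValueError(f"string at offset {i} runs past end of data")
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode byte {c!r} at offset {i}")

def encode(value) -> bytes:
    """Canonical bencode: str becomes UTF-8 bytes, dict keys are sorted."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(encode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = {(k.encode("utf-8") if isinstance(k, str) else k): v for k, v in value.items()}
        return b"d" + b"".join(encode(k) + encode(v) for k, v in sorted(items.items())) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")

def info_hash(torrent: bytes) -> str:
    """SHA-1 over the raw bytes of the top-level 'info' dict (the BitTorrent infohash).
    Hashing bytes as stored, not a re-encoding, keeps a non-canonical file's real hash."""
    if torrent[:1] != b"d":
        raise ValueError("torrent metainfo must be a dict")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = _decode_at(torrent, i)
        start = i
        _, i = _decode_at(torrent, i)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no 'info' dict in metainfo")

def canonical_info_hash(torrent: bytes) -> str:  # equals info_hash() only for canonical files
    return hashlib.sha1(encode(decode(torrent)[b"info"])).hexdigest()

def summarize(torrent: bytes) -> dict:
    """The fields an examiner links back to files on disk: names, sizes, infohash."""
    meta = decode(torrent)
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" in info:  # multi-file torrent: path components and length per file
        files = [("/".join(p.decode("utf-8", "replace") for p in f[b"path"]), f[b"length"])
                 for f in info[b"files"]]
    else:  # single-file torrent: 'name' is the file name
        files = [(name, info[b"length"])]
    return {"name": name, "files": files, "total_bytes": sum(n for _, n in files),
            "announce": meta.get(b"announce", b"").decode("utf-8", "replace"),
            "info_hash": info_hash(torrent)}

# Constructed sample metainfo for the demo (not a real torrent; 'pieces' is a placeholder).
SAMPLE_TORRENT = encode({"announce": "http://tracker.example.invalid/announce", "info": {
    "name": "evidence_set", "piece length": 16384, "pieces": b"\x00" * 20,
    "files": [{"length": 1200, "path": ["docs", "readme.txt"]},
              {"length": 3400, "path": ["img", "photo.jpg"]}]}})

if __name__ == "__main__":
    print(summarize(SAMPLE_TORRENT))
```

Run it on a .torrent recovered from a device and the files list gives the on-disk names and sizes to match against media found elsewhere on the extraction; the infohash is what a tracker or DHT record would carry, so it is the value to pivot on across sources. The decoder rejects malformed input (leading zeros, truncated strings, trailing bytes, non-string keys) rather than guessing, which is what you want when the bytes come from carving.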

Notes:

FTK 8
https://www.exterro.com/ftk-8-0

iOS 15 Image Forensics Analysis and Tools Comparison Project
https://blog.digital-forensics.it/2023/09/ios-15-image-forensics-analysis-and.html

LEAPPs
https://github.com/abrignoni

Speaker 1:

Today is Thursday, October 5th, 2023. My name is Alexis Brigs Brignoni, aka, again I get said, Brigs, and I'm accompanied by my co-host, the test data guru, the secret uncoverer and the definition of a digital forensic analyst, the one and only Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. Hello, hello everybody, and hello, hello Heather. There you are, what's happening?

Speaker 2:

Oh nothing. How are you?

Speaker 1:

Good, good, I'm here trying to... there we go, get this show started. There we go. So welcome to everybody, the ones that are listening live and the folks that will be watching and/or listening later on. Digital Forensics Now is a podcast where we talk about all things digital forensics and things of interest to digital forensics examiners. So there you go. So, Heather, tell me about you. What's been going on the last two weeks since last we talked?

Speaker 2:

Oh, just been busy. Glad that the celebrite capture the flag is over.

Speaker 1:

We'll have PTSD, like one of the folks said.

Speaker 2:

It's done. It was fun and I learned a lot, but glad it's over, so that busyness is done. Just been busy at work and planning for the next podcast with you.

Speaker 1:

Absolutely.

Speaker 2:

What's been going on with you?

Speaker 1:

Yeah, just working a lot, you know, working cases, doing a little bit of coding, and we'll discuss a little bit later on in the show. The community does great work and pushes us and vendors to be better, so I'm happy about that. I will discuss it. What is this guy talking about? Hang on, we'll talk about that in a second. But no, it's been, again, it's been busy. Family, kids, you know, the works, but happy to be here, talk about things that we care about, and I know a whole bunch of people that are listening care about as well.

Speaker 2:

Yeah, absolutely. So I want to hit on a topic that we talked about last podcast real quick, because I want to add a little correction slash addition to a previous statement I made about one of the tools we talked about, the SQLECmd tool that I showed last podcast. I talked about the maps, and those are the SQL statements that run in that tool that are used to go and hunt for the databases and are used to parse out the information inside of the databases. And I had said that they hunt for the database based on the name, and I just wanted to put in a little correction before we get started that the name can be used, but it'll also find the database based on the identify query. So if someone renames things or you carve, it'll still find those databases. So just wanted everybody to know that before we get started tonight.

Speaker 1:

Yeah, and that's a tool that we talked about, right, last episode, from Eric Zimmerman.

Speaker 2:

It is.

Speaker 1:

Yeah, to kind of work those databases. So you know that's a good correction.

Speaker 2:

It is, and I want to also encourage everybody to try that tool out. I've been using it as a triage tool on my extractions while I'm waiting for them to open up in some of the other tools, and it'll pull those databases and you can get started with your analysis on some of those databases that are supported with the tool while you're waiting for the rest of the extraction to parse. So really good tool, and I encourage everybody to give it a try.

Speaker 1:

Oh yeah, the days of just sitting and waiting eight hours. I mean, if you can wait eight hours for your examination to be done, hey, good for you. You got plenty of time, right. But triage is now the name of the game, being able to get to actionable data as soon as possible. So you got another tool in your arsenal for that. So that's pretty cool. Yeah, definitely.

Speaker 2:

So one topic that we are going to talk about tonight is the new FTK 8. I think everybody has probably seen on all of the social media that FTK 8 has come out with some new mobile support and kind of a whole new look. So I have some slides actually to share about that. I'm gonna attempt here to share. Ah, much smoother than the last podcast was sharing the screen. But FTK has some new mobile device artifacts I wanted to share with everybody.

Speaker 2:

You can still use FTK 8 and have the same look as you're used to seeing, the mobile data artifacts that they're supporting. They have a lot of app-specific support. So in my test data I'm seeing support for Discord, Facebook, the iOS native, Kik, Snapchat, WhatsApp, and there's a lot more of the application-specific mobile artifacts that I saw supported in my iOS test device when I ran it through the new FTK 8. They're supporting calls, conversations, messages, contacts, MMS and SMS. And then new to FTK, in the System Summary tab, which is not where I expected to see mobile data. So be on the lookout if you're gonna try out the FTK 8 mobile data options.

Speaker 2:

There are a whole bunch of mobile artifacts. So they're doing Biome artifacts, which is really cool. They're doing Bluetooth, browser data, email, Health, KnowledgeC, location, media and a whole bunch of other mobile artifacts. I tested it out and it's comparable with a lot of the other commercial tools that you see that have supported mobile artifacts for quite some time, and then they also have a whole brand new look. I'm gonna go back a couple of slides, actually just one slide. If you guys can see in this slide here, there's a little tab up on this tab called Smart View. So from the original look that FTK has, you can click the Smart View button and it will pop your artifacts that you have bookmarked, or your mobile artifacts or any of your artifacts, out into this new look.

Speaker 1:

Yeah, and for folks that are listening to the podcast, right? If you're familiar with FTK, the core interface which they had for, what, the last 20 years, of course, when it gets you in there, it's gonna be on the top right and you cannot miss it. It says Smart View. Why is it, was that called as that? Had it orange or something, right?

Speaker 2:

Yeah, they're all pop-back.

Speaker 1:

Yeah, and the background of the core product is kind of like white. It's pretty, like you know, eye-burning, and now that everybody's moving to a dark mode. But when you hit Smart View, right, the type of view that you get is a more modern and also kind of dark mode, right?

Speaker 2:

Right, right, yeah, so now you have that dark mode option. You can, in the new Smart View, change it back to like the white mode. I don't know why you would, but they have the dark mode now. There's a whole bunch of new features, and they're all outlined in their user guide, but I just picked out a few that I really liked in the new Smart View. So one of the new features that I really liked is their new multimedia view.

Speaker 2:

So in the multimedia view they have the capability where they're stacking duplicates, and it's not just based off of hash, it's also the visual. So the visual and the binary copies. But they also have a hover feature, so you can hover. Unfortunately I don't have a copy of it here, but you can actually hover over the thumbnail and the image will pop out into a larger view of the image. So it'll pop up for you, so you can get a better view of the image. I really liked that. I do hope that there will be the feature where you can turn that off in cases like CSAM, though, because when you hover over it, the image just automatically pops up in a larger view on the screen, and I don't want that to happen in CSAM cases, at least not for me. And then they've added a whole bunch of the mental health or wellness features as well, where you can blur and hide the images in the multimedia view.

Speaker 2:

Another new feature that I really liked in FTK 8, in the Smart View, is the mini timeline view. So I don't have the full view of the Smart View on the screen, but this is a section where I was looking at SMS messages, and there are dates related to the SMS message here, and what you can do here is pick a date from the SMS message and click on it, and then you click on the mini timeline view and it'll pop out over on the right the mini timeline, and it shows you what's going on on that device around that date when the message is taking place. So in my view I was just chatting, so all of my timeline is showing chat messages, but if the person was Google searching or sending things or doing other functions on the device, you would see a little mini timeline of everything that was taking place on the device around the time of that message. I really think that's a cool feature in the new FTK 8.

Speaker 1:

Yeah, and I mean, some of us are really... and I think Kevin DeLong was saying, let me see if I can find it here. Again, I'm happy to have him here. He was saying that he's used to that classic tab mode from the core view, but again, we've been using it for 20 years, in my case 16. But some of the things that they could definitely, and I'm pretty sure they'll work on, is how to make that transition seamless. Let's say I'm in classic or the core view. I want to take it to this new type of view, then be able to do it from that interface without having to go and click on the button and then have to backtrack where I'm at. So that's something that definitely I think they'll be working on in the near future.

Speaker 2:

Yeah, definitely. And then the other new feature that I really liked in FTK that I felt like I needed to point out is their super timeline view. So they have another toggle switch that you can click and it brings you out into a timeline of all of your artifacts. It is really heavy on filtering and my one critique is it can get a little bit busy in the timeline view. So the first day I tried it I was like, oh, I don't know about this. But I've been using it for a few days now and I think I'm starting to get used to the look of it and starting to get used to how it works.

Speaker 2:

I think timeline is one of the major features that's missing from a lot of tools, like a really decent timeline feature. So I'm really excited to see how this develops and see how, in the future, improvements are made to the timeline feature in this. I like the start and I really hope it just continues to get better. One of the things I really hope for the timeline feature as well is a way to create a decent report out of it. I think that's a really important feature to have for any timeline view and for any tool, for that matter. So those are the main artifacts that I really liked about the new version.

Speaker 1:

And I want to make something clear for everybody, because I wish I'd have said this at the beginning. When we talk about tooling, be it free or from vendors, we have received from them, as we know, for talking about their tool in the show, we receive a grand total, I'm full disclosure, a grand total amount of $0 and zero cents, and we receive zero copies, zero free anything. So I'll be straight with everybody: we're not shills for anybody. We're not haters of anyone either. We try to see things that, as they're coming out, are fair opinions, constructive criticisms, but yeah, we don't receive any type of kickback for any of this. Just to make sure everybody understands that.

Speaker 1:

And yeah, there's a lot of good things. It reminds me, from the first show I was saying, well, FTK is now kind of like an e-discovery platform, right, and a few weeks passed and they're like, actually we're catching up on mobile too. So I'm like, oh, take that, Brigs, for talking out of line. So no, I appreciate the effort that the company's put in to catch up in the mobile space because, again, we're not shills but we're not haters. But the fact is that FTK/AD Lab needed to catch up in regards to the mobile space, and Heather, correct me if I'm wrong, 80, 90% plus of our cases are mobile cases. It's mobile devices and mobile artifacts.

Speaker 2:

Yeah, I would lean toward that for me, toward the 90. Definitely toward the 90.

Speaker 1:

Yeah, so tooling needs to make that integration between desktop, I say desktop but traditional computer forensics, with mobile, and mobile becoming a point of continuous development, because development in the Windows world, which is the main one, is pretty stable, right. Event logs and event logs and event logs for years and years and years, and there was a change between the old version and the new one, but that happened how many years ago. But mobile, you get stuff coming out constantly and artifacts constantly, right. So it's a change of mentality from vendors in regards to what they are supporting and the speed at which they do it as well.

Speaker 2:

Right, yeah, no, I really hope that they keep up with adding all of the new mobile artifacts and catch up with some of the mobile artifacts that maybe they haven't integrated into the tool yet. And I've talked about some of the things that I do like I have some dislikes as well. The reporting is not there yet. I'm waiting for a great report to come out of the new mobile features, so hopefully, moving forward, there'll be a really good reporting feature. That's really, really important to me. I think it probably is to most people, but that's the most important thing to me. If I'm going to go into this brand new fancy tool and see this great new interface and see all of these new mobile artifacts and then I can't create a report out of it that is presentable for court.

Speaker 1:

And not only that, it's all tool vendors. Look, if you put a visualization that's nice on your product, how can I now make a report out of it? Why do I have to screenshot things? And this is for all vendors. I'm not saying this to Exterro only.

Speaker 1:

All vendors, and you all know it. If you have visualizations, let me export it, let me pick a piece of it or whatever I have on the screen and let me put that out. I want to talk about being not shills nor haters. I like this comment from Kevin saying that this week's podcast is sponsored by the LEAPP project, which, with a 100% money back guarantee, just because it's absolutely free. So thanks, Kevin, for making sure you mentioned the sponsor of the show.

Speaker 2:

They do have a portable case too, so I got a chance to look at the portable case for a few minutes. I think you got a chance to look at the portable case a little bit more than I did, yeah.

Speaker 1:

And the portable case. I think it's still a work in progress. No, I'm really opinionated on that, and of course that's why I'm here. And this is the thing, right: people use portable cases, and there's nothing wrong with them, but I believe they're suboptimal. I believe that, to Exterro's credit, they have a platform from the beginning that's designed to be multi-user. Let's say you're within that local network, you can set up an FTK installation with clients and, as long as you have enough licenses, you can have two, three, four, five reviewers hitting the same data set at the same time. And if you're looking for speed, and it's something I was going to mention a little bit later, but I think it's good now, speed on working cases doesn't come only from having fast computers, although that's important. It doesn't come only from having an efficient tool set, even though that's important. It comes from two extra things: the people that are reviewing it, the more the better, and the people that are overseeing that effort and putting in the depth, which is the people that are in the call, but in the... We're here on the show and they're listening on the other side, the examiners themselves, which is what the show is targeted towards. So you are the one that picks up the speed.

Speaker 1:

Now, portable cases, you kind of lose control. Right, you want to put multiple people to review. You hand out these five, six portable cases. You're hoping that they come back, or maybe they don't. So then you have to be after people: hey, are you done with your review, we're waiting on it. Oh, you lost the hard drive. So, yeah, not that that's ever happened, of course. But there's a loss of control and more overhead when you do that. And I understand that if you're in a lab where you're the one-person band and you have the one computer and you don't have a network set up, or no forensic network set up, then sure, you use portable cases all day long, and there's nothing wrong with them and that's fine.

Speaker 1:

And during the pandemic, portable cases were pretty popular because people weren't able to maybe come into the office and collaborate as they were used to, right. But in efficiency terms I believe network reviews are way better. Exterro has it, and I think other vendors should follow that lead. And follow that lead not by selling me this overpriced thing. It should be a part of the core product. Hey, within the same network you should be able to collaborate and have multiple people hit that data, no issue, do that review in conjunction. But, yeah, the portable case is a work in progress. I was privileged enough to see some of the builds that they're developing, but I think we'll comment more when the full thing is out.

Speaker 2:

One of my thoughts on the portable cases and reader type of exports is a lot of times they're pushed out and portrayed as "this is everything, so go through everything." And it's not everything. It's whatever you've put into that case or whatever is selected, right. So I'm not blaming any vendors for saying it's everything, and they don't say it's everything. But sometimes it's portrayed as this magic product that will make everybody's lives easier, but it really isn't. I don't know. It kind of paints a picture that it's everything: here's everything in your case, take a look at everything in your case. And it's just, it's not. So I'm just kind of wary with the portable cases and the readers sometimes. Just make sure that who you're giving it to, whether it's another investigator or it's your prosecutor, that they have an understanding that this is what we're pushing out to you. That may be just parsed data or may be selected parsed data. It's not everything in your case.

Speaker 1:

Yeah, and it's human nature, so you have to be aware of it.

Speaker 1:

We're really keen on talking about the benefits the tools give you, but we've barely ever talked about the, not negatives, but the limitations, that's the more accurate word, the limitations of the tool. And if we as examiners don't do that, well, vendors are definitely not going to do that. They're trying to avoid it, right, because they're selling a product, and that makes absolute sense. But as examiners, we need to know those limitations, and I believe you're absolutely correct, Heather. And whatever the tool parses is usually what falls in the portable case. So if you need to do more digging, then you're not going to do it.

Speaker 1:

Looking at that portable case, and not only the examiners need to know this, the courts need to know this. If your stakeholder is, say, you're working e-discovery for a lawyer, be it on the defense side or just civil, they need to understand the limitations of portable cases, no matter what the vendor is. And that is a report, right. The data is the data, right. That's not the data, that's a report of the data. And with those limitations in mind, then we can actually work the cases, supplement them in the way they should be.

Speaker 2:

Yeah.

Speaker 1:

I agree with you 100%. A couple more thoughts before we move out of this, and it's not really FTK, but just things that come to my mind. And when I think about tooling, yeah, the artifact-based review is kind of like the norm. Now FTK, way back, started with more of a timeline review, not timeline, I'm sorry, filter-based review. What does that mean for folks that are not familiar? Well, you use sort of filters to get to the data that you need, as opposed to the tool giving you filtered artifacts for the first go. Now, I'm not saying FTK doesn't do that, of course it does it, but you can see the transformation, them going to that type of artifact-based examination, and to me that makes sense. You want to make sure that the reviewers, when they see a little icon for chats, they get chats, web history, whatever it is, and they can go through that.

Speaker 1:

Reviewers in a lot of labs tend to be, like you were saying, the investigators, the detectives, the folks that are working the case. Then us, the examiners, we can go into the deep dives or dig. When they tell us, hey, we expect something and we don't see it, then it's our job to do that. Right, that means that the UI and the user interface for these people has to be self-explanatory. And look, if you tell me well, I know, and this is for everybody, including myself this thing that you put in, if we tell people how to do it, they'll get a benefit from it. If I had to tell you how to do it, there's a problem. Nobody gives you an instruction book to know how to use an app on a phone. You just click around and you figure it out. Through UIs. You'll be figureable out.

Speaker 2:

I just invented a word.

Speaker 1:

Yes, I just invented a word. Yeah, so that's important. Don't make me read a 30-page manual as a reviewer. Now, if you're an examiner, you read the manual. I expect you to read the manual and I expect you to find problems with the manual and then tell them enough to fix them.

Speaker 2:

Right, yeah, you shouldn't have to take a class to figure out the report.

Speaker 1:

Yeah, from a reviewer perspective. Like I said previously, speeding up work is not so much a function of tooling, which it is, but it's a function of your process, how you're reviewing and how you're studying your things, right. You'll have to share those thoughts before we move to the next topic.

Speaker 2:

We can move on to the next topic, which is Mattia has a new blog where he is doing some testing, and he's testing the iOS 15 Image Forensics Analysis and Tools Comparison Project. I don't know if everybody has seen this. If you haven't, go check it out. Let me put up the blog here. So this is a project that he's doing with Josh Hickman's test data, the public images. It's the iOS 15 image, and it is a comparison of different tools in different categories of artifacts. So the project is going to be broken up into four different categories, and the first category has already been completed, which was general device information.

Speaker 2:

So he's taken the iOS public image and compared parsing capabilities from AXIOM, Physical Analyzer, Oxygen, XAMN, Belkasoft, ArtEx and iLEAPP. And the general information section included hardware information, iOS and SIM card information, iOS wipe and setup, iOS basic settings, Apple accounts and installed applications. He ran all of those tools on the image to see who parses what, pretty much, and then he wrote a blog and created these charts, and if the tool parsed the artifact, you got a green yes box, and if the tool didn't parse the artifact, you got a red no box. And this should be making the companies all go crazy to try and change their red no boxes to green yes boxes, and I watched Alexis, the second it hit the blog, go crazy and change all of his red no boxes to green yes boxes within days. I think there's one left, right?

Speaker 1:

Yeah, yeah, well, two, but one. One's going to be just done shortly, when somebody finds the data that I need. I'm not going to say who, heather.

Speaker 2:

Oh, so as soon as I find the data that he needs, there will be no red, no boxes left, hopefully. But it did a comparison of these tools and I think this is awesome. This should, I guess, light a fire under everybody to make sure that their tools are supporting these artifacts, and a lot of the artifacts are. I mean, they're common artifacts that you would see supported in most of these tools, right?

Speaker 1:

Yeah.

Speaker 2:

Yeah.

Speaker 1:

I mean, that comparative analysis, like you're saying, is such a great idea, and I wish we had more. And not so much because we want to put vendors fighting against each other, but I believe that vendors are supposed to support as many artifacts as they can, right, and there might be a difference in regards to how it's presented, and that's a good thing, right, and I have more thoughts about those differences in a minute. But no, what a great idea. And he goes and says, look, these are the things, this is how the tools are reacting to this particular set of artifacts. And then he puts the path and the file name of the artifact, right, so you got no excuse.

Speaker 1:

If you're a tool developer like myself or a vendor, hey, look, here it is, you can go find it. Look, I found it, Mattia Epifani says, I found it for you. And for those who don't know Mattia, he's an incredible examiner from Italy. He's a SANS instructor, highly respected, I have all the respect in the world for him, and he comes up with this great content, and you should be well served by looking him up on LinkedIn and Twitter and the SANS pages, anywhere that he's at. Yeah.

Speaker 2:

I mean look him up, Just look up his blogs and use his information for analysis. Definitely he's awesome. Oh, absolutely.

Speaker 1:

And you know, going through this process, it made me think about, okay, so what happens, right? Just say Mattia does a whole bunch of these blogs, and all the vendors, me included, whatever, we all start supporting the same artifacts, right? So where's the difference, right? I mean, if all the tools show the same thing, then what does that mean for us as examiners, right? Not so much for us, I mean, it's good for us, but for the vendors, right? Where will there be some competition? What will the competitive advantage be, right? If you're a tool maker and there's competition in the field, where would it be?

Speaker 1:

So I'm going to again give some opinions on that. I believe it will be in a few fields. I believe it will be in presentation, which I mentioned, you know, a second ago. Part of presentation is also the reporting of that data. The UI, I also alluded to it shortly, how easy it is to use, and intelligent artifact correlation, right. And now it's going to be, like they say in Congress, a privileged motion time for me. I'm going to take my soapbox and start talking. So thanks for that, for allowing me.

Speaker 2:

What's that?

Speaker 1:

Thank you for allowing me to bring out my soap box now and start talking about this.

Speaker 1:

So presentation right. We're dealing with a lot of big data sets, so we got to start leveraging technology to make those UIs responsive. And I get it. It's a lot of data, a lot of stuff to see, but our back end seems to be strong. Our UI seems to be strong. We should be able to support multiple users reviewing and our time to support needs to speed up.

Speaker 1:

And I understand legacy code is a hard thing to manage, especially if the code base you're dealing with in this vendor is 10, 15, 20 years old or whatever. But the developments are going way, way fast, and the community is leading, and hopefully vendors, and there's a couple ways of doing that. You can either basically streamline or re-code your project, or you start integrating community projects within your tooling, and that's something that I think vendors should consider. Those user scripts or user-generated queries, give more support to those, so your tool becomes a platform for investigations, not just a tool for people to just plainly get what you give them. Hopefully that makes sense, and this is where some of that AI stuff I think will be important.

Speaker 1:

If I select some, I tag a whole bunch of stuff, right. I would hope that there's some AI somewhere in there that we could put some context, not context, but like a small narrative, like, look, I'm picking up these logs, I'm picking up these files, I'm picking up these things, so it can create a little framework that says, you know, these items were picked, and from this, isn't that? And the locations and all that, kind of be pre-written for me when I start doing my narrative report. And I don't think that's a big lift nowadays with AI technology, because then the reporting of the tool goes beyond just the tags, but at least that type of drudgery work of putting paths, putting certain metadata points, the tooling could do like a narrative framework for you. So that's gonna be a competitive advantage in the future, if the narrative report can be part of it, be derived just from the picking of the artifacts. Does that make sense, Heather?

Speaker 2:

Yeah, it definitely makes sense. I hope that reporting ends up being where the competition between the vendors goes next.

Speaker 1:

Oh, absolutely.

Speaker 2:

That's what I want to see. Is the the good report?

Speaker 1:

That's what I'm waiting for, and reporting is like a never-ending field for development, because different fields will need different reports, and even different companies will need different reports, and even units within those companies will have different reporting needs, and starting to get into that, or integrating some well-matured, developed reporting tools, will be helpful. Now, the biggest... Now, this is the part that I really, really am interested in talking about, everybody. The biggest competitive advantage, I believe, should be, right, what I like to call artifact correlation intelligence, right. That's a term that I just made up and I like it. So what does that mean? It means that there's these artifacts on your evidence, like things that tell you about events that happened in the past, right, where the phone was, the message that was sent, and the idea is that you can take bits of information from each artifact and use that to either filter the data or determine how important something is based on that aggregation. In other words, it's, I kind of hate this word, it's overused, but I'm gonna use it anyways, synergy, right. Like the sum of these artifacts together is more than each one individually, right. The value of the parts together is more than each part individually, right. And I have a couple of examples. The first example, and I'll describe it verbally, it's a good job by Magnet Forensics when they came out with their Correlations platform, right.

Speaker 1:

Correlations, for those who are not familiar, is if you're putting in Axiom in your case you put five computers, three phones, five thumb drives all in there and they're related to each other. In other words they're from the same house or the same case, same owner. Whatever it is, the tooling will go out and look for, for example, a piece of media and it will try to correlate that piece of media and see if it's in other pieces of evidence there, another piece of media, I'm sorry, another, yeah, other evidence within your case, and if it's there, it would sort of correlate it by its metadata so you could tell graphically. That's the cool thing, like little lines connecting the image was first seen in this computer, then it was seen in a thumb drive, then that thumb drive, then it was seen on the laptop right, and you can see different timestamps as they move this. This image then was put in an email that was sent out to this location, for example.

Speaker 1:

It was also. This picture was also moved or copied over to this other thing that's like a vault for pictures. Does that make sense? So it could. You could. Then, instead of looking for the pictures and figuring out where they are, the tooling will kind of track for you. And now if you have a piece of interest, in that case, you can see that correlation among all your pieces of evidence and I've used that successfully in cases to determine, you know, culpability of a suspect and such.

Speaker 2:

It's a really good feature.

Speaker 1:

Absolutely. And another one that I'm really, really in love with and I'm gonna show this to the, to everybody. It's from Cellebrite now and let me present it real quick. So, what they've been doing, and again, a lot of credit to Ian Whiffin and his team. They came out recently with the Media Origin feature in Cellebrite Physical Analyzer, and what they do is, and if you're, everybody has worked CSAM cases, for example, knows that. And again, I use those type of examples because they're really, sadly, really prevalent.

Speaker 1:

But we will need sometimes we need to know where this picture came from. Was this picture taken with the device? Was this picture downloaded? Was this picture received in some way? And by what app? Right, so you can do that manually and we did it manually for years. How do I do it manually? Well, I look at the picture, I figure out the timestamps and I compare those timestamps for example the picture's file system timestamps with the EXIF timestamps, and if they're the same, well, that kind of gives me a better feeling of hey look, that's pretty consistent with something that was taken with the phone. But that's not. That's not completely right. You cannot make a determination just on timestamps. You need more data.

Speaker 1:

The next step is okay, let's look at the path. Is it? If it's iOS, is it in the DCIM folder? Well, if that's the case, that makes me more confident that possibly this was taken on the phone, because stuff in the DCIM is there because the user put it there right. So that's even that's getting closer. I look at the EXIF data again. Is the device model or the camera or all that, whatever it is on device information consistent with the phone that I have in my hand? Right, if the EXIF data says Samsung but the phone is an iPhone? Well, of course not right. So is it consistent? And you get a better level of confidence?

Speaker 1:

And you can go to photos.sqlite. Great, great job, Donna. We mentioned him before in by the Francis scooter on. I always forget his name. I say Francis scooter, I forget his real name. Studying photos.sqlite.

Speaker 1:

And within that database in iOS devices, there's a field for the pictures, right. That tells you what application generated it. If it comes from Snapchat, if it comes from, if it comes from the camera itself, then that entry will be blank. Right now you put all of those together and then you can say, okay, I'm pretty confident this picture came from the, as it came, but it was generated by the phone or not. That's that's. You're doing one picture, that's great. If you're gonna do 20, 30, 40, 50, you're not gonna do it by hand.

Speaker 1:

So what they've done here, you can see on the screen the folks that are watching. You can see the Media Origin filter there. And after the tooling does its magic you can filter on device captured. That means it was taken with the phone. If it's external, it was, you know, put in, downloaded or whatever it is. It was something that's a camera associated with the device, like from a sync event. Right, and the cool thing about this is that you can then say, okay, I got this case. I think there's production of illegal contraband. I'm gonna go to kind of speed up my work and I go to device captured and filter all my pictures from device captured and I get a leg up on possible production by looking for pictures that were.

Speaker 1:

The tooling is pretty confident. Pretty confident, not a hundred percent, but pretty confident. That could have been done by the device and it's an amazing functionality. But notice there's nothing inherent in the picture that tells you that; the tooling took all these data points, made an analysis, right, and, like I mentioned a second ago, it correlated artifacts and brought out some intelligence, actionable intelligence, for you as the examiner. We should do this more and more.

Speaker 1:

I give you an example again those CSAM cases, right, what if the tool could tell me yeah, this picture is consistent with a possession charge. Now what if the tool also tells me well, examiner, we also found that this picture was also received through this torrent application. Well, that's also consistent with a receipt charge. Right, what if the tool tells me well, this picture was made with the device and it's not a, you know, it's not part of your assets. It's possible that this is a production image that you can charge production. This picture was not only received and maintained and kept, but also distributed through Kik, for example. This will be a possible distribution charge. So the tool could make or unite different data points through whatever parameters you need.

Speaker 1:

In my case, I give up. That's, that's what we both work. We work in the criminal law enforcement sector and give those parameters based on the law, on what violations are. But you can think, we can think of an infinite amount of correlations we could do for civil cases, for all sorts of investigative endeavors, making more or getting to better, better conclusions out of the different pieces that the device has. I believe that's a competitive advantage of the future and vendors should look into that kind of progression in regards to how tools operate and feature. Yeah, yeah, that's my soapbox. Go ahead, what's? What's the caution? One word of caution the report will say device captured.

Speaker 2:

Just, I worry a little bit that kind of maybe someone who just is brand new to forensics will go testify that it was 100% captured with the device. So just make sure that you have. I just want to make sure everybody has an understanding that it's not a hundred percent, but the idea of taking all of those different factors and bringing them together to have that understanding of where an image may have come from and how it got there and all of the different factors surrounding it, is awesome.

Speaker 1:

Oh, absolutely. And this is another big, important point in digital forensics. And again, if you're gonna testify that something was in a particular way, right, you're gonna make sure that's the case. You cannot point to the tool and say that's what the tool told me, right. Right, and if you're gonna give an opinion, right, all this is consistent with this picture being there, you gotta make sure you are able to sustain that opinion, right, just saying the tool had a little field that said device captured. That's not gonna cut it and you're gonna get in a lot of trouble if your examination kind of has that kind of crutch. And yeah, Chris is totally on point. He's saying that's where training is key, right, to understand what the tool is actually telling you and not assume anything about it right and 100%.

Speaker 1:

Right, so, um, yeah, so that's all, that's all done with the future development. So let's pivot now, keep talking about tooling, but talk about open source tooling. Heather, what do we got?

Speaker 2:

All right, so we have some new iLEAPP artifacts. Um, I am going to share some new iLEAPP artifacts that came out since the last podcast and I'm going to try and share my screen here in a second. Let me just pull up the tool here.

Speaker 1:

Like Josh Hickman is saying in the chat verify, verify, verify.

Speaker 2:

Oh, definitely.

Speaker 1:

And verify the verification absolutely.

Speaker 2:

All right, let me share my screen here. Resents.

Speaker 1:

Yeah, I got. I got folks in the chat saying you know a lot of people that that say the tool gave me the result and we shouldn't rely on that. So absolutely.

Speaker 2:

Yeah, I've heard people say I know because the tool presented it to me and yeah, that's just a scary answer. So the first artifact, new artifact that I'm going to show is um is going to be the last car connection. Let me deselect all; we're going to use iLEAPP for this. And there's a new artifact for a last car connection that was discovered since the last.

Speaker 1:

Podcast and if you're the first you never heard about iLEAPP. If it's your first podcast, you know from what you're listening, it's an open source tool that myself and maybe like a couple of dozen people from the community develop. It's open source, it's free, MIT license, and we try to parse Android, iOS, and other devices, so Heather is showing some of the new stuff that's coming into that tool.

Speaker 2:

So I'm gonna add a full file system extraction from my iOS test device to iLEAPP and choose an output location. I'm just gonna throw it on the desktop and I'm going to choose the. I think it's under identifiers.

Speaker 1:

Yes, I can find it. Keep going down. See, that's why I need to use the Load Profile option, just saying.

Speaker 2:

I should. You know I have the profile. I'm just going to load the profile but it's under Identifier, so let me load the profile and then I can show that artifact. I do have the profile right on my drive here.

Speaker 1:

The tooling on the interface says Load Profile. What that does is, if you save that profile previously, you can select any series of artifacts on the tool, like from 1 to 20 to all. That way you can just load that profile. It checks the box and whatever artifacts you care about, and then it goes.

Speaker 2:

All right, loaded the profile. I already have them pre-processed.

Speaker 1:

Yeah, but I didn't see you load the profile though.

Speaker 2:

Oh, I did it, is that okay?

Speaker 1:

Okay.

Speaker 2:

All right, let me share my screen for the R here.

Speaker 1:

Oh, awesome, look at that.

Speaker 2:

There we go. The last car connection is from my car on Sunday. It's my Hyundai Tucson. On Sunday I connected my test phone and it comes up in the locationd cache plist that has recently been added to iLEAPP.

Speaker 1:

It's pretty funny because I was there looking for someone, Mati, I was saying, hey, there's this data there that you should use. I think it was some of the calibration UID or something. As I'm going and finding that piece of data, I'm like, wait, what's this? It says last vehicle connection. Again, we're using Josh Hickman. He's on the chat. His image is a public test image. I said, look, I got these timestamps. Is this accurate? He's like I put it on the PDF. Let's look. He has a PDF that he explains on the PDF all the actions he took when he created the image. Amazing, it was exactly to the minute, the connections and this connection. In the test data you can see the brand of the car, the Nissan, and something else. In Heather's case that's a MAC address.

Speaker 2:

Yeah, mine came out with the MAC address. I was looking for the Hyundai Tucson, but mine actually provided the MAC address to my car.

Speaker 1:

I was telling Heather before the show. I think that's better than the name, because MAC addresses are pretty unique. That's what makes them a MAC, one of the big things. If I have any question that this phone was connected exactly to this vehicle, you got a MAC address to go off way better than a name, although a name is good as well. That was an accidental discovery of that artifact. I was looking for a different one.

Speaker 2:

Another artifact that was added to iLEAPP since the last podcast is voicemails, but not just voicemails, voicemails that have been trashed, voicemails that are recently deleted. I'm just going to pop that up again and share my screen and I will show you. So I'm going to browse out to the same extraction, which is a full file system from an iPhone, and we'll throw that on the desktop as well. The extraction and the voicemails are under call history. Wrong version. Voicemails were under call history, all right. Just going to pop up the report, all right.

Speaker 1:

So it's coming up, yep.

Speaker 2:

There we go, and so the first voicemail it brings up I have two voicemails on this device, so the first voicemail is just under voicemail and it shows the data about the voicemail, the date and time, the sender, receiver, the ICCID and the duration, and then there's a link to play the voicemail. And then just under that there is the deleted voicemail and it shows the date and time, the sender, receiver, and this one has the trash date, so the date that it was trashed, sent to the recently deleted. The cool thing about iLEAPP with these voicemails and the trashed voicemails is I ran this extraction in a couple of other tools and the other tools that I ran it in get these two voicemails, but neither of the tools I tested it in indicate that that voicemail was trashed. So if you go into the database in the other two tools you can find the column that indicates it's trashed in the database, but you don't see it in the parsed data. It just provides you that voicemail as if it's a regular voicemail and it was not deleted by the user.

Speaker 1:

Oh, my goodness. And what a great example of the need for validation and making sure that the tool is showing you what you need, because the tool will not show you everything. And it makes sense, right? Let's say this voicemail data has 40 fields and you only need five or six, but you know what? The tool maker might add only four to the report. So then what if this is your biggest piece of evidence?

Speaker 1:

Yeah, these voicemails here. You need to know everything about those voicemails within your data set, so the tool will point you to them, but it's incumbent upon you, as the examiner, to go in and see if there's any other data points that the tool is not showing you. And, as I was saying, this shows you if it's trashed, and some of the tools are not making that differentiation. This was an addition from Johann Polewczyk, if I say it correctly, and sorry if I mispronounced your name, I did my best effort there and again it's the community folks coming in saying look, I discovered this, this is available to everybody now and hopefully the vendors can follow the lead of the community.

Speaker 2:

Yeah, definitely an important column to add to the tools. So if the tools know who they are, the vendors know who they are. Please add that column, because it's definitely important to know if the voicemail was deleted.

Speaker 1:

To say the least, absolutely yeah, so we have all those. We have all the ones from. Oh, we have one more right, the.

Speaker 2:

Yes, so the torrent data.

Speaker 1:

Yep, yep.

Speaker 2:

And you were gonna talk a little bit about the torrent data.

Speaker 1:

Yeah, so I don't have a visual to give everybody, because the data sets that I used to create the artifact are from cases and obviously we cannot reveal those. But again, torrent data and for those who are not familiar, torrent is a way of distributing multimedia over the internet, leveraging the power of other people that are in a peer-to-peer network and again, for some cases it's used a lot. So it's a great artifact because torrent data is encoded in a format called Bencode and if you're an examiner and you're not familiar with Bencode, you need to get familiar with it since yesterday. Bencoded data is important in torrent cases because in order to receive or download from the peer network whatever media the person is interested in, a torrent file needs to be obtained, and just if we're sort of obtaining it in magnet links beyond the scope, the point is that if I find those on the device and I'm able to see what's encoded within them, I can make a correlation between the media on the device and the files used to acquire that media or to share it out as well, and the tooling does that for you.

Speaker 1:

It will take Bencoded torrent files and show you all the parts inside that torrent and not the files themselves. The files are not in the torrent file right, but the file names and the metadata of the data that's to be downloaded through the peer network onto the computer. And that's super important because now I can say look, I have this image of contraband. It's in a directory that's consistent with downloading files and now I have this torrent whose content, file structure, file size, everything equals this media that I have here. It's a great strong indicator. Look at the timestamps. If the torrent file predates the media itself, it's another good indicator that this was downloaded through the torrent peer-to-peer network and I don't think we have enough analytical tools for torrents in this way. So that artifact is a way for us, the community, to show that there's usefulness in this type of analysis.

Speaker 2:

Yeah, we have the Discord as well.

Speaker 1:

Yeah, and that's a really good one and I tried to have a visual but I wasn't able to get it in time and it's one of those and it will feed into the meme of the week which I'm gonna be doing in the next two minutes. You go to Discord and Discord depending on what platform, it has changed a lot. How is the data stored? I think Discord was the first series of blog posts that made people aware of the type of work that I do for the community, because it was new when I started doing that analysis. So I've seen that progression since Discord came out all the way to today.

Speaker 1:

And in Android they used to have the messages in these single files, kind of text files, and they had a pretty unique to them encoding and that's. You can find that in my blog, abrignoni.com. Search for Discord. Now what they've done now is they have a SQLite database and that's fine, and they have JSON in it within that database, which, again, there's nothing wrong with it. I'm laughing because my supervisor he just retired and I know he's in the chat just because of the comment that he made you want me to put that?

Speaker 1:

up there. No, no, that's fine. Okay, all right, it's good to read you, man, all right. So what they did was they put this JSON inside the database, which is fine. But they put a wrinkle on it, right, they put this kind of hex values in front of the JSON. So if you tend to use the JSON extract functionality in SQLite, what that does is you can tell in your query, say, okay, database, give me this field, this column. I know there's JSON in it, so give me from that JSON, give me this key and this key, and this key, obviously, and the values that go with it. But that little hex value in front of the JSON breaks it because the database gets confused, says, hey, this is not JSON, right, and it's true, it's not. It's actually the coding for backspace. I don't know why. I figured that out and what I did was I took out that value and the JSON became legit JSON and you could take the data out and yeah, put that seed comment there. Yeah, I have to. Yeah, so it's data inside data, right, you got the SQLite database and you got JSON in it and I will JSON with some backspace value in front of it. Take it out and you can get it.

Speaker 1:

And during the, that's an inside joke for folks in the, there's an inside joke for folks that played the Cellebrite CTF, the SID, everybody in the Cellebrite. But it was a question saying what's the SID of whatever? And nobody knew what an SID was. Now that the solved questions are coming out, we all then a lot of us discovered that it was a piece, an SID, an information piece within nested data. I forgot. I think it's a protobuf inside base64, or base64 inside protobuf, something like that. It was nested and you will be seeing that more and more and more and more. This is just one example of JSON inside SQLite and that's coming, that'll be there.

Speaker 1:

So you need to be able to examine those data stores when they break. And how did I figure this out? What was the need? Well, the agent was telling me hey, my suspects were talking on Discord and I, you know you parsed it as they say parsed. But you say you gave me this report from Cellebrite or from Magnet, whatever, it was FTK, and I don't see no Discord here. You know, like there's no Discord.

Speaker 1:

Well, sometimes the first reaction is well, because there's none. But if the investigator or the stakeholder has intelligence about something being there and it's not there. It's, that's what we get paid for. We need to go and look is that the case or not? And it was there, it's just that it was broken, the tooling, and I think it's still broken right now. The tooling did not recognize it because it changed format. It went from a text file, or not text file, but like a flat file, over to a database with JSON and a weird character in front of it. And, as good examiners, we're trying to make sure that the vendors are aware so they can update those that tooling and everybody can benefit from it.

Speaker 1:

Yes, so, since I mentioned the, because we're literally running out of time, so, yeah, a great segue to show the meme of the week. Right, and the meme of the week. I'm gonna present it right now and, for the folks that are listening to the podcast, I will describe it verbally. We have that big, humongous airplane, right, the cargo airplane. They're so big that the nose of the airplane opens, and some people are laughing because they already read it. The nose of the airplane opens and cargo comes out, and in this case, what comes out is another airplane, so it's an airplane inside of an airplane and the caption is storing JSON in a SQL database, right, and if I show this to a friend, it'll be like a friend not in the field, in our field. It'll be like what are you talking about? Yeah, but you think about it. They're both data stores, right the SQLite and the JSON. They're both planes, right, but putting JSON inside of it, that's pretty much a graphical representation of it.

Speaker 2:

That you see there on the screen.

Speaker 1:

So yeah, Chris is saying an Antonov, it's a plane. I think that they had something in Ukraine, but that's a story for another day. Pretty nice. We have one last thing we have to do, though, what we have to do.

Speaker 2:

The podcast giveaway.

Speaker 1:

Oh, yes, yes, yes, yes, yes, awesome.

Speaker 2:

Saturday was International Podcast Day and I put up a post on the podcast page asking people to follow, like and repost a picture of Alexis and I, with a bunch of funny faces from the podcast. A few people did it and I have a giveaway which I'm not gonna say what it is. I'm just gonna mail it to the lucky winner and they can post it if they want to or just keep it a secret. But I am going to do the little wheel and present the winner today, so let me see if maybe I can share my screen. I'm not very good at that.

Speaker 1:

No.

Speaker 2:

I like that.

Speaker 1:

I like that, so they can't say that anybody got any. What's it called under the table deal right?

Speaker 2:

Yeah, right it's all live here.

Speaker 1:

You can see it.

Speaker 2:

I even my few co-workers that followed and reshared the post. I'm like you can't win, you're not going on the wheel, so they're not on the wheel. But I put the names in, I'm gonna shuffle them a couple times and then hit the spin and we'll see who wins.

Speaker 1:

Yay, look at that.

Speaker 2:

Andrea Martinez. So if Andrea is not on tonight, that's okay. I'm gonna send you a LinkedIn message and get your address and send you a special gift for following, reposting and liking our post on International Podcast Day. That's awesome and actually I'm feeling a little generous tonight, so let's do two people. Oh yeah, let's spin it again. Let me see if I can spin it again. Look at that. And Jessica Hyde. All right, Andrea and Jessica, I'm gonna message both of you. You're winning a special gift.

Speaker 1:

Yeah, and thank you, Andrea, for being here live, so I'm so happy that you were able to see yourself win. So that's awesome. That's awesome, Well, Heather again thank you so much.

Speaker 1:

Oh, I want to add a little detail, in case you're wondering. It says be a fringe examiner, here on my little sign over my shoulder. Be one. What does that mean? There's a little backstory to that, we'll tell it some other day. We're out of time but be the examiner that goes above and beyond. Right, that tries to explore the fringes of the field, the things that are far out, and let's bring everybody to that edge, right, to the most advanced, useful, dedicated that we can be. Let's all be fringe examiners and expand those horizons. So it's a phrase that I like a lot, that I take to heart and I'm sharing with everybody today. So be a fringe examiner, yeah.

Speaker 2:

I couldn't agree more. Thank you, Heather.

Speaker 1:

As always, you're awesome and kind. I appreciate all the work that you do for the podcast and the community and we'll be back. What, another two weeks? Two weeks.

Speaker 2:

Alrighty.

Speaker 1:

Well, with that, everybody, thank everybody that's been live. We appreciate you. Troy, is there? Good to see you and hear you and read you. We'll see each other next time.

Speaker 2:

All right. Take care Thanks you too, I think.
