Ever wondered how to make the most of data analysis tools like the iOS Spotlight store.db and Realm databases? We're here to share our experiences, tips, and favorite resources to help you elevate your data extraction skills. Join us as we discuss the amazing work of Yogesh Khatri, the creator of a game-changing parser, and as we guide you through the vast world of data extraction and analysis techniques.
We begin our journey with the iOS Spotlight store.db, revealing the treasures hidden within and how to use Yogesh's parser to uncover its secrets. We then navigate through Realm databases, sharing our encounters with data stores and tools for parsing extracted data. We also share our personal workflow process, granting you a peek into our data analysis strategies. But we're not done yet. Our adventure takes a detour towards Google Maps geolocation artifacts, where we highlight the amazing work of The Binary Hick and his research into the audio files and geolocation points related to navigation.
Finally, we explore the nuanced art of analyzing timestamps and locations in images, revealing a fascinating intersection of data and intent. We share how we use Python scripts, manual offsets, and more to make data time-zone aware. Wrapping up our discussion, we emphasize the vital role of research in data analysis and the role of code in automation. So, buckle up for a thrilling ride into the mesmerizing world of data extraction and analysis. You'll come out the other side armed with fresh insights and new tools at your disposal.
Notes:
iOS Spotlight store.db:
https://github.com/ydkhatri/spotlight_parser
Realm Databases:
https://www.mongodb.com/docs/realm/studio/
The Binary Hick-Finding Phones with Google Maps:
https://thebinaryhick.blog/2023/10/17/finding-phones-with-google-maps-part-1-android/
iOS Media Adjustments:
https://www.doubleblak.com/blogPosts.php?id=23
Speaker 1: Hello, hello, hello. Today is October, October, what? October 18th, 2023. My name is Alexis Brignoni and I'm here again, as always, with my awesome co-host, the most interesting person in New York forensics, Heather Charpentier. The music is Hired Up by Shane Ivers and it can be downloaded at silvermansound.com. And here we go. Good, good, good, good afternoon, Heather, what's going on? Let me take off the scene here. Yeah, here we go. What's going on?
Speaker 2: Hello, how are you? Good, good, well, good, but I'm tired. We wake up, we have a podcast to do. What? Say what? Yeah, you know, for the folks that are, you know, everybody that is watching and listening.
Speaker 1: We're on this discussion and there's this meme, because I'm, you know, I'm a meme person, that I really like and we were talking about it, and it says there's this guy and he says, "What a week, huh." And the next person says, "Captain, it's Wednesday." That's pretty much... you have me in a shell. In a shell, yeah, it definitely feels like that kind of week. But you know, in my scenario I still have some way to go. You know you're done, so I don't want to hear you.
Speaker 2:I am done for the week.
Speaker 1: Vacation starts tomorrow. Well, well, well, extremely served. So, uh, so tell us what's been going on this week, and then I'll do the same after. What's going on with you? It's been a busy three days, but my vacation starts tomorrow.
Speaker 2: I am not thinking about anything work starting as soon as this podcast is over, so very excited about that. Um, but yeah, it's been...
Speaker 1: It's been a crazy busy week, so I'm sure it has with you as well. Oh, yeah, I mean, I can't count the time, like you're one hour from vacation, but no, no, I was good. Uh, there's a lot of development in some of the projects that I'm doing and for the LEAPPs, which I'm pretty happy about, also a lot of work. Um, James Habben, if I pronounce his name correctly, um, he's doing a whole bunch of good stuff, like behind-the-scenes code. Kevin Pagano, as always doing the Lord's work, is my right-hand person helping with the project, for some people that contribute, and then looking at new stuff that's coming in, uh, fulfilling some wishlist requests from somebody that's here and not me, which we'll discuss shortly. But, yeah, other than that, it's been good, and checking out, like always, new tools, new scripts, stuff that will help, uh, our lives, uh, you know, be a little bit easier, as we do.
Speaker 2: These are friends at work. Yeah, all kinds of new stuff. So, well, let's talk about some things that would help us in our jobs, I guess. Then, absolutely.
Speaker 2: I'll start it off. Um, I don't know if anybody has explored the iOS Spotlight store.db, but I recently have been looking at that and I'm going to share some slides I created regarding the iOS Spotlight. So, um, if you're not familiar with iOS Spotlight, it is a system-wide search feature for Apple, for macOS and iOS, and it essentially creates an index of all the files for the file system, um, iOS specifically, because I'm a mobile forensics person. Even though I do computer forensics as well, mobile forensics is kind of my passion.
Speaker 2: Um, for iOS specifically, these are the locations where, um, the databases related to the iOS Spotlight store.dbs are located. Um, they're located in /private/var/mobile/Library/Spotlight, specifically in CoreSpotlight, and they are NSFileProtectionComplete, NSFileProtectionCompleteUnlessOpen and NSFileProtectionCompleteUntilFirstUserAuthentication.
Speaker 2: The path that you're looking for specifically is index.spotlightV2 and that is where you'll find those store.db files that contain a ton of data about all of the files in your file system for iOS. So some of the information you'll find in these databases related to the files are important dates like created dates, modified dates, added dates, um, a bunch of other dates related to the files, the types of files, um, unique IDs, file sizes, um. I specifically was looking at Notes. You can tell if a note is locked, if it's been shared, you can tell authors of certain files, and then third-party, um, applications will also store metadata about files inside of the store.db. You'll find that in the Spotlight data. So the parser that I recently was introduced to is created by Yogesh Khatri, and he wrote a parser that extracts data from the Spotlight databases present in both macOS and iOS.
Speaker 1: I'm gonna just share here the... and I want to say, uh, Yogesh Khatri, he is such a great examiner, he really helped. He was not the key person, it's pretty much me, him and me, we started the LEAPP project, so whatever tooling he generates, I use, so highly, highly recommended. Yeah, this parser is awesome.
Speaker 2: So, um, it's available at the, um, GitHub site that I just posted at the bottom and the script is simple. I have it up on the screen. The script is also available at the GitHub site that is posted on the bottom of the screen and it's really simple. All you do is take that index.spotlightV2 directory, place it wherever you want. I just went along with his example script and placed it on the C drive in a folder called spot. Place that folder right inside and then create an output folder. And I went along with his script and just created an output folder in the same directory. Run the script and it goes against the store.db file and it will populate. Let me share with you the file that it populates.
Speaker 1:Super, super useful scripts.
Speaker 2: I pulled some of the data out, so this is just a portion of the... It's a really long file because it indexes all of the files in the iOS file system, so I just pulled some portions out. This is a portion of a Notes entry from the data that is populated from that script and it's actually not... This is one note that it is referencing and I didn't even include all of the fields related to this one note because they wouldn't fit on the screen, but some of the data included here is the last update to the note. There is a display name, which actually is the title of the note. It tells you here that the note is locked, that it wasn't shared, that it's part of Apple Mobile Notes. There's creation dates and times. There's a last launch date and a launch count related to the note. There's modification dates and times. It just has a ton of information about files that you may otherwise not see in the parsed data in your forensic tools.
Speaker 1: Do we know if some of the stuff remains even after the file from which the index is created, right, goes away? Do we know that that's the case? It stays behind?
Speaker 2: After the file is deleted? Yeah. So I actually... the next slide.
Speaker 1:Of course, if I had some patience, I could wait for the next slide.
Speaker 2: That's okay. So the next slide is actually an SMS entry. I deleted this and it still remained. I don't know how long it will remain, but I extracted the phone fairly shortly after I deleted the SMS entry and it was still in the Spotlight store.db. I don't know how long it will remain. I have not tested it again, since it was very quick that I did the extraction after I deleted the entry. If anybody knows how long it stays, I would love that information. I'm going to continue to test it and hopefully be able to come up with a time frame on that. I wasn't able to find it researching how long that might remain, but this is an SMS entry that I deleted. Again, it gives you all of that same type of information. It gives you the last updated date. You'll get the snippet of the message here at the bottom. "Maybe some pizza" was the message.
Speaker 1:I love that message, my favorite message.
Speaker 2: Want some pizza? What? No? I want to... Yes, the answer is yes.
Speaker 2: Always yes, but you'll see also the author address, and it's the phone number of who sent the text message, that it's an iMessage, the creation date, who the message... the recipient address. So there's a ton of information inside of this store.db and, as far as I know, I don't believe the commercial tools are parsing the data out of the store.db. I know they're not getting all of these extended attributes, all of these additional fields. That's definite, and it's definitely a file that you don't want to miss.
Speaker 1: I wonder, this is for future research, I wonder if, like AirDrop files, because when you AirDrop files there's some metadata added to those extended attributes in APFS that tells you about who the sender was and some other details, I wonder if that remains, and maybe Spotlight... it's something we need to put in our list. Like this one here, we're looking at the screen for the SMS. It's super important because if the SMS is deleted, you want to have multiple, if possible, avenues or multiple artifacts to support or to reconstruct what was deleted. We'll talk about it later, like biome stuff or another SEGB. You have an older iPhone and now there's another piece of evidence you can add to your cases with Spotlight that can help you recreate some of the possibly lost data. We want to make everybody aware that this is out there and that you should check it out.
Speaker 2: Yeah, and this script works beautifully. It pops it all right out into a text file and it's really easy to read, really easy to work with. I did test as well. I moved a text message just to the recently deleted. I didn't fully delete it and the message was no longer there, but I did still have some of the dates and times and I still had the inode number that you see at the top of the screen. That was still there, but I didn't have the snippet. I couldn't find the actual message when I just moved it to the recently deleted folder, which I would have thought would have been the opposite. I would have thought I would still see the snippet for a message moved to the recently deleted folder versus permanently deleted, but it was the opposite.
Speaker 1: Not sure why. Well, it makes me think, I mean, I'm just spitballing here, it makes me think that moving it to another place that's allocated, it will want to index it in the new allocated space, whereas when you delete it and it's gone gone, there's nowhere else to index it to. But again, I'm really just kind of... I'm assuming here, and obviously we don't assume in this business, but... But no, you don't assume, but you can do some, like, tentative hypotheses and then you test them out, right, and you make sure that's the case or not, right?
Speaker 2: Yeah, I'm definitely going to continue to do further testing on this. I want to learn more about it. I have done so in the commercial tools. I'll take the entire image and do a keyword search across the entire image and I'll see hits in this store.db, and then I'll go to the database and I won't be able to find them, it won't be parsed or I won't be able to see it. And I didn't know about this script until recently, and now that I know about it, I'm going to be able to use those searches that I do across the entire image and go find what I was looking for. So I'm really excited about this.
Speaker 1: Yeah, and that's a good point, because a lot of this data that we care about, a lot of times you can just say, well, I'm going to just search, like, a string, you know, ASCII or Unicode, search through the whole piece of evidence and see what I find. But when they're contained, like in this case with this database, or they're contained in other types of formats, you're not going to get hits. So at some level you have to understand what are the data types and how are they contained, you know, in these, again, I'm kind of repeating myself, but in these containers like databases and the like, which I think we have another example of coming up.
Speaker 2: Yeah, we do. Let me get rid of this, all right. So the next example is the Realm databases. So I also recently learned about Realm databases. This is new to me. It was not new to some other people that I did the Capture the Flag with, which was lucky for me, because they got the questions right and I had no idea what they were talking about. But so the Realm databases, there's a ton of Realm databases in the extractions. If you don't know what the Realm databases are, it's a new format of databases, not SQLite databases, I believe. Cellebrite supports, yeah, Cellebrite supports the Realm databases, but there is a tool called Realm Studio that you also can export the Realm databases with and view the data.
Speaker 1: And let me give a little background to the folks. So Realm is this NoSQL database, so it's a non-relational database, so the way the update is different. You don't have queries like that and there's no WAL files and most of the data, and we'll show how it's kind of structured, and they got bought by MongoDB, the company.
Speaker 1: Some years ago I was having this conversation with Phil Cobley and Adam Firman, and Phil Cobley specifically, he spent a lot of time doing great work on describing these types of databases, because at that point, and me included, I thought Realm is going to be the future of mobile devices, how they store app data, and a whole bunch of apps are using Realm databases. But then after they got bought up by MongoDB, that's my impression, it kind of died out. I don't know if it's because now it became a proprietary format. There's no, for example, if I want to reach out to a Realm database and pull data out with Python, I can't do it. There's no API for it, right? And you have to do a little bit more laborious process and use kind of another third-party tool to look at some of that, which obviously Heather's going to show us now.
Speaker 2: Yeah, so let me just pop up one second. I will share my screen. I actually grabbed... Me, if I can find it, of course. This is the worst part, is finding the...
Speaker 1: Yeah, no, and if you're looking for that, it's great to share.
Speaker 2: You're going to be careful.
Speaker 1: Like Heather, Jessica was saying in the chat, there's LevelDBs, there's Realm DBs, there's SQLite DBs. So you got to make sure you keep your DBs straight, because they're all different.
Speaker 2: All right, here's the one I meant to share. I opened up Dust. If you've never heard of Dust, it's a messaging app where your messages disappear after 24 hours. There are no conversations in this Realm database. I sent messages this morning hoping to populate some conversations in the Realm database, but they didn't. There are no conversations in my Realm database. However, the account for the Dust application is in here. It's Sheldon Cooper's phone, so Sheldon Cooper is the username and there's some information in the Realm database about his user account. But what's stored in this Realm database are his contacts. So Amy, Leonard and Penny are his contacts in the Realm database and it has created and update dates, and it also has Amy, Leonard and Penny's phone numbers. So inside of this Realm database you will find the contacts for the Dust messaging application, and then there's profile picture information. I was hoping the conversations would store in there as well, but they didn't. But there's other... Go ahead, sorry.
Speaker 1: Yeah, and actually the only time I had to use this on a case, it was on a dating app which I will not mention, and the issue was that we were finding part of the stuff in regular databases, regular data stores, and then the conversations that we knew were there, we couldn't find them, and they were in the Realm database. So I've seen at least one time in a case, I've seen this combination of data stored in Realm for one thing, data stored somewhere else for another thing. So maybe that's the case. It could be the case with this app as well.
Speaker 2: Yeah. So I've been now looking for the Realm databases to try and figure out what apps have it, and I was just looking in iOS devices the other day. Royal Caribbean. So if you're out sailing, extract your phone when you come back from your cruise, because Royal Caribbean has the Realm database. A navigation app, what3words, that we learned in the Capture the Flag, has a Realm database. Dust. Life360 has a Realm database, and the Life360 app has a lot of your navigation stuff come in just regular log files, but the Life360 app has some of your saved places in the Realm database. And then Planet Fitness has a Realm database that is encrypted with a 128-character hex-encoded encryption key. So if somebody can find the encryption key for me, I'd like to see what's inside of the Planet Fitness Realm database, please.
Speaker 1:So you can see all the workouts that I have missed this year. Got it, yeah, yeah.
Speaker 2: So I was looking for that. I have not located that yet, but now I'm interested in knowing what's inside of there. But yeah, so just another source of data that we need to figure out.
Speaker 1: Yeah, and one way you can approach it. So you've got Realm and Realm lets you view it. But maybe you want to report on it. What I do is I take the data and I export it as JSON. And for those who are familiar with JSON, JSON is a human-readable format and it's key-value pair based. So again, if you have, for example, the key is house, you can have a value for small or large or medium house, or you could have multiple keys within it.
Speaker 1: Right, if the key again is house, you could have another subkey called garage and the value would be two garages, or a subkey called windows and it'll be 10 windows. Hopefully that makes sense. So you can take that out and then kind of manipulate it with other third-party processing tools to then fill that gap, since I don't think we have a clear, direct way of interacting with them. Again, Cellebrite, not Reader, what's it called, the viewer? The Cellebrite viewer, or the viewer that's included within Physical Analyzer, manages those. So I got some advice for Cellebrite about their viewer, but that will be for another day.
Speaker 2:All right, speaking of that, speaking of those types of files digging deeper in the data.
Speaker 1: Yeah, and that's something that I get my soapbox for. I kind of carry it with me in my back pocket. It fits, believe it or not. And because we have a workflow, right, we make sure that we come in, we image the phone, we follow that process, we do our tools, we give it to the folks to look at, and then call me if you need me, and that's fine. But there will be cases, and we've discussed this in previous episodes, where you just can do that and just say, well, my excuse is, I don't have time, I just hand out Readers and portable cases, and I guess I got no time.
Speaker 1: I think you were the one that told me that artifacts can be parsed. Artifacts are parsed, but cases have to be built. And if you think you're building cases just by handing out portable cases, you're sadly mistaken. You've got to build those cases, and part of that is making sure that you understand your data stores. And in the different episodes, something that I like that we do here is we show you, hey, look, there's this Realm thing.
Speaker 1: If you haven't heard about it, here's a tool to look at it, and now you can go find them. Hey, you haven't heard about indexing in iOS? Well, we're going to tell you why that is important and a tool to get it out, OK, and it doesn't have to be a paid tool, right? So you have to start doing that mindset, I think, of looking for things. And in order to look for things, you know, to know that they exist, right, and make sure that you understand where that knowledge is. And I don't know, Heather, like, how do you keep yourself updated with any stuff? How do you do that? Because we have to do it. How do you do it?
Speaker 2:Yeah, so I mean reading the blogs, I mean speaking with other people, really research yourself, do the test data. I think mostly collaborating with other people in the field helps me the most. Doing this with you like coming and doing the podcast. Honestly, I have learned so much in the past few weeks just by coming and doing this with you and planning out these topics. I mean, I think that the thing that helps me the most is definitely collaborating with other people. So when you're away and you're at trainings or you're at conferences, you have to meet people and you have to make sure that you're in the mix and make sure you stay in contact with people and follow their blogs. Follow people on LinkedIn, twitter, wherever you're following people. Keep up to date with all of the most recent research, because stuff changes so quickly.
Speaker 1: Yeah, I mean, I think it was yesterday, the day before, and hopefully I'm not jumping to another topic, but I wanna say it now anyways. Cellebrite came out saying, look at SEGB files in iOS, and it seems to be like an iOS episode today. We'll switch it up in a minute. Came out with the new version of SEGB files for iOS 17. And SEGB files are the heirs of KnowledgeC. KnowledgeC is a really well-known SQLite database that keeps track of a million things in iOS, and on the move from iOS 14 and 15 all the way to 16, but mostly 15 and 16, KnowledgeC, although it's still there, it's pretty much empty, right. It's like abandoned.
Speaker 1: It's like you see those movies, the westerns, that little thing that goes in the first act, like on the floor, that goes in circles, the tumbleweeds, that's the word. As a native Spanish speaker, the word tumbleweed doesn't really roll off my tongue. So KnowledgeC is all a bunch of tumbleweeds. So where are they, right? And that part of that collaboration, being in the community, that's how we found those files. So we're doing these files, and we used to call them biomes because they were found in the biome directory within iOS, and now we're moving away from calling them biomes, which makes sense, because now they're found outside of the biome directory and the header for these files is SEGB, and everybody's moving to say SEGB, correctly, because that's the magic or the header for those files. So they have a new format and now we have to adapt, we have to understand how the data and what the difference is between them, because I wanna make sure I know what I'm talking about when I get on the stand, in our case, right, and that collaboration is key.
Speaker 2:Yeah, if you're not keeping up with that, if you think you're just gonna learn it and then be done, then you're gonna fall behind.
Speaker 1: So, and don't feel discouraged. It doesn't take that much time. To be honest, that article from Cellebrite took me a few minutes to read, and then you can go, for example, to the DFIR Discord and kind of discuss it, talk with folks over there, and if you get in a good rapport with some people there, then create your own little subgroups where you can chit-chat about these things and ask for advice and also help others, and that's how we really build a really functioning, positive, help-each-other community.
Speaker 2:I have to say, everybody in this community too, is so helpful. I've never had anybody be like I'll figure it out yourself, right? So there's always collaboration and everybody is always so helpful.
Speaker 1: Yeah, and in all things. Again, we talk mostly mobile in this podcast, because that's what we both like. Maybe we should make the effort, or somebody suggest some regular computer forensics topics, because we work them too. Don't be deceived, right, even though we like mobile.
Speaker 2: I have a co-worker who wants computer topics.
Speaker 1: I told him to get us some, so... Okay, perfect, yeah, some happenings in that area, and I think you and me, and correct me if I'm wrong, I don't think I am, but we really like this area because it's fast moving, right. Kind of Windows forensics and Linux, or kind of desktop forensics, for us it's pretty... it's not static, I'm gonna be wrong, but it's not as fast moving, I should say, as mobile, and I think that's what attracts us to that. Hopefully I'm not wrong.
Speaker 2:Yeah, no, definitely.
Speaker 1: Well, and talking about mobile, we talked about a lot of iOS in the first half hour. How about we move to some non-iOS things?
Speaker 2: Go with the Android.
Speaker 1:Yeah.
Speaker 2: And Google Maps. So hopefully everybody got a chance to check out The Binary Hick blog post on finding phones with Google Maps, because it is an excellent blog post about Google Maps, and Google Maps can be a complete headache to look at, especially in Android. I'm going back to Android only, yeah. Yeah, Kevin is saying he's going back to Android only. I don't blame him, because actually... I had to interrupt.
Speaker 1: I'm sorry, but yeah, go ahead. Talking about SEGB files, right, I feel with Kevin. So the SEGB file format, if you read the article from the Cellebrite blog: so now you have a header, right, and the header tells you, OK, there's this amount of records and all that information. If you want information about those records that you're going to look at, you have to go to the bottom of the file and read it from the bottom up and grab the metadata of those records, right, and then, after you got that metadata, you have to go all the way back to the top again, remember to avoid the header that you already read, to figure out how many records, how many metadata, you're going to pull, and then start using the metadata from the bottom of the file to figure out what records you need to pull out from the SEGB file.
Speaker 1: After you pull a record out, make sure you take out the first 8 bytes of the record header, because it's trash. I mean, I bet it has some function, but we don't care. And then after that, that's data in protobuf. So take that protobuf and deserialize it, and who knows what's in there. So, yeah, it's a lot of moving parts, but I mean, and I describe it a little bit, maybe a little bit too... how can I say this? Maybe making it a bit harder than it seems, or than it is in practice, but it just requires you to be on it. So lately iOS always keeps giving us a lot of headaches in that sense. So I feel with Kevin and his sentiment of going back to Android only. Like Jessica's saying in the chat, right, of course it's protobufs, right, and you will see protobufs everywhere, and we should do a show about those in the future, kind of discuss them in detail, because this is really worthwhile.
Speaker 2:Nothing can be easy.
Speaker 1:Hey, you know I mean. To me that just means job security, so I'm OK with that.
Speaker 2:That's my line at work. Anytime somebody is like why can't this be easy, I always say welcome to Forensics.
Speaker 1:Exactly.
Speaker 2: All right. So Google Maps. If you didn't get a chance to read The Binary Hick's new blog post, you have to go read it. I'm just going to go over a few of the points in it. But definitely go check it out, because Josh Hickman outlines quite a few artifacts related to Google Maps and does really detailed documentation of it, really breaks down all of these files.
Speaker 2: I'm not going to do that here, obviously, but some of the sources of data that he outlines aren't new related to Google Maps, but there are a few that are at least new to me. Some of the sources are the AppTTSCache and AppTTSTemp, which are the folders that contain the audio files related to the turn-by-turn directions. So you can go listen to the audio files related to the turn-by-turn directions in Google during navigation. He outlines where to find the stored information about saved locations, about locations that have been favorited. The databases related to that are the gmm_myplaces or the gmm_sync database, so that contains related labeled locations as well, and then the gmm_storage database contains a whole bunch of blob data that has a ton of repeated data, and it is just a giant pain to look through. I don't know about you, Alexis, but have you ever tried to go through that?
Speaker 1: Yeah, honestly, I don't do it the best way. I have an artifact for it, so I pull some URLs that have some geolocation data. There's way more stuff there. It's just a combination of things that I understand and things that I don't. Right, right.
Speaker 1: So I mean, I wish I had more time to work more on it. So I pulled those things, kind of like the easy fruit, that's the low-hanging fruit, that's the word, the low-hanging fruit. But again, as time permits, we're still researching. I know Josh, which is Josh Hickman, the author of The Binary Hick blog, and this blog post that you need... you need to go and read.
Speaker 2:Yes.
Speaker 1:Author, and it's worth your while, because, like Heather's saying, right, you've got your geolocation points, and sometimes there are some files we're going to discuss in a second that have some geolocation points that you had no idea were there, right, and that opens a whole bunch of avenues, investigative avenues, for you to benefit from, right.
Speaker 2:Right. So I've done a little bit of research on the GMM storage, and I did a PowerPoint on it for ISIS actually, and I did some test data and was able to find some of my navigated trips and pull some timestamps out and find my directions, and even find some of the trips that I navigated to that had "you've arrived at your destination." So I was able to make some sense out of it. But actually pulling the data out of those blobs is just a giant pain.
Speaker 2:Oh yeah, I have to pull it out, and to clean it up and make it into a readable format is just, it's a mess. At least I think it's a mess. But Josh, in his blog, outlines a couple of files that I was not aware of until recently. The two that I'm really excited about, because they're actually helping me out in a recent case that I was working on, are called new recent history cache search and new recent history cache navigated. So these are two files, and they are pretty much what they say. So the new recent history cache search is a file that has the searches performed in Google Maps. So it's got the addresses or just the names of searches that you performed in Google Maps. And here we have an example of that, because, of course, as soon as it was mentioned, Alexis went and supported it in ALEAPP.
Speaker 1:Oh yeah, no, and he was kind enough to share his research with us. And, like you're saying, you can see here on the left side, Google Maps searches, right, and you see the timestamp there. There we go. You see the place I searched and the longitude and latitude of where that place is, right. It doesn't mean the person necessarily went there, but it's a good indication of, at a minimum, interest in a particular location at a particular point in time, right. And honestly, more times than not, that could lead to a navigation to those places. I want to make a point here. Notice how the report says, on the left side, where you see the artifacts in ALEAPP, and again, for folks that are maybe listening for the first time, ALEAPP is a Python-based digital forensics tool to parse Android extractions. It was made by myself and the community, and it's freely available, no cost. You can use it on your cases, all right. So it has Map Searches 1 and 2, and I put it that way because this type of .cs file, you can find them, if you look at the top here, where this is the source.
Speaker 1:It could be in the data/data folder, where the apps are. You can find that file there within the app folder, or if you go to Map Searches 2, and I'm going to try to zoom here a little bit, you can see the location is going to be at data/user, in this case user 0, the main user of the phone, and then the application, and then the file. So you can have multiple instances of this file with data. And I like to separate them, to actually know what you're looking at. This becomes really useful, let's say again, with a multi-user phone, and the folks at the Cellebrite CTF used that to great effect.
Speaker 1:In the CTF they had a phone that multiple people logged in to. I say multiple people, but it had multiple accounts. So you want to make sure you separate those things, right. You don't want to commingle data sources, because you can come to really, really wrong conclusions if you commingle stuff like that. So that's why I, I was aware of that thanks to Josh, and I kind of separated them to give you a good view of what's going on.
Speaker 2:So the other file, the new recent history cache navigated, is the last navigated route with Google Maps. But the research has shown that Android Auto has to have been utilized for that data to populate in the navigated file, and that's also supported in ALEAPP.
Speaker 1:Yeah, and I called it Google-initiated navigation, because it means that you said, okay, I'm going to go to this place, right, and that's all it means. You don't know if you got there or not. So this particular one, the Google-initiated, just tells you that you went or started towards it, and that's pretty much it.
Speaker 2:And then just one other one that I was going to point out from the blog, and the rest, you guys go check it out, because it's an awesome blog. It's the saved directions. So the location the phone last navigated to can be found in the saved directions file.
Speaker 1:Oh, and I'm so sad I don't have one that I could share, because some of the data I used to build it is, you know, personal, private data. I'm not going to show people, I mean everybody, the public, you know, people are going, real privacy here, right. But it's amazing, right. It shows, okay, yeah, I'm going to go to a place, and usually, not usually, pretty much always, it says, where's your starting point, and it says your location, right, because you want to go from here to there. Well, your location is there. I can pull that out, and I can pull the location points when you said, I'm going to search for this place and go there. Okay, so you have that. Then you have, within the file, I don't pull that, but you have all the moves, turn by turn.
Speaker 1:Now, at the end of the file, again, read Josh's blog post, this is really well explained. At the end you have when the trip ended and where you were when it ended. So even if, say, you got to the destination, then great, those geolocation points are going to match the search location, where you wanted to navigate to. But if you stop halfway, you still get those geolocation points at the end, and with the coding that we did over the last few days, you can have access to that. I haven't seen that in any tool yet. I don't know if you have either. I haven't.
Speaker 2:I haven't no.
Speaker 1:So now you have, okay, this is where you started your navigation, this is where you ended, and I think that may be important for a lot of cases, certainly. So keep your eye out for that, use the tooling, and you have to read the blog post. There's no point in just going by what I said. Read the research and then do some testing on your own.
Speaker 2:Yeah, definitely.
Speaker 1:I want to make a quick note here. Like Michael Noonan, he's watching from LinkedIn. I don't have a way to respond to him in the chat, but he's saying that, you know, some of Josh's work is so important, and again, I agree with him, and make sure you make this type of tooling part of your, put it in your toolbox.
Speaker 2:Yeah, yeah, really.
Speaker 1:Right, so, talking about... See, we talk about Android, but now we're done with Android. It's so unfair.
Speaker 2:That was quick.
Speaker 1:That was quick. We're going back to iOS. Sorry, people. I care, in Android, I feel sometimes discriminated against by iOS folks, but it is what it is. We have to go back to iOS, right? So this came about, well, let me give you a backstory on it. So I think it's, and correct me if I'm wrong, Heather, I think it's iOS 15 that it came out in, but I might be wrong. The point is, it's a functionality that allows you to take photos that you took with your phone and change the location of where they were taken and change the date, right. And when that happened, there was a lot of stress about that. Is it iOS 15, you remember?
Speaker 2:I can't remember which iOS it was. Now that you say that.
Speaker 1:Well, I want to say 15. Let's go with 15 for now.
Speaker 2:We're going to find out.
Speaker 1:All right, and at first, at first blush, everybody, you know, braced up, you know, because, well, what happens when we get the phone and all these images are edited? How do I contract that out and all that type of stuff, right? So there is this great blog post that Ian Whiffin wrote, and we have it down on screen. As always, it will be part of the notes, both in the video notes and also in the podcast notes, for those that are just listening. And this blog post, Ian, he's the main guy there doing some research at Cellebrite. He explained that, as I summarized, this is my summary, the images, if you change the time and the location, right, those new location data points, they will show on your phone as changed. So you will look at your phone and say, well, this picture that I took at place A now shows in place B, and it's true, you see it on your phone. But that data, which is specifically the metadata of the picture, because the location data is kept within the metadata portion of the file, specifically the EXIF type of data sources, right, that does not change until the picture goes out of your phone. Does that make sense? So, as long as it's on the phone, your phone is going to show you the edited location and times, but the picture itself will still keep the original location and times. So the question is, where's the edited data, right? Where's that located? Because it's showing me the edited data, but the picture was not edited. Where is it? So that happens to live in the Photos.sqlite database. So, keeping that in mind, right, that the picture is not changed until it leaves the phone, and the differences in times reside outside of the picture.
Speaker 1:A few, what, a week or a couple of weeks ago, a young son, right, yeah, a good friend of ours that teaches with us. He's from New Zealand, with his years in a law office there, great examiner, good friend. He's like, hey, why don't you do something about flagging possible images that have been changed in this manner? And I said, you know what, that's a good idea. I appreciate him pointing us to the problems. We're trying to find solutions here, right?
Speaker 1:So I thought about it. Well, it should be fairly, quote unquote, easy. I get the EXIF data and look at what the original locations and times are, and I'm going to compare it with what Photos.sqlite shows me and see if there's any difference. If there's any difference, it's a flag that there has been some change, and that's what I did. So, as you can see here on the screen, you have some of the pictures here, and I have a couple of columns here, one called "same timestamp?", with a question mark, and "same coordinates?", with a question mark. The same timestamps, if it's true, that means that the time in the database and the time in the EXIF or file data is the same, so no editing has happened. Same thing with coordinates: have the coordinates changed from, you know, the database to the file? And I'm looking, I'm kind of eyeballing the chat here. Sorry.
Speaker 2:Now she's going to put the same one up.
Speaker 1:Perfect. The Photos.sqlite database has a whole bunch of stuff in it: facial recognition, tagging, like Kevin is saying. So that's stuff that you definitely want to look at. So I'm going back to this comparison. So what I'm going to do now here, I run the report and I'm going to look for the false, for "false", the term "false" within my report, and a couple of pictures here come up. So the first one here, you see here, obviously we know where this is, a picture of the World Trade Center, the One tower there, right, and the timestamp says true, but the coordinates say false, right. And here's where what I was telling you about. I'm going to move the report here to the right, and you will see here the latitude and longitude based on the database and the name of the file. And then, if you move here, you see the EXIF latitude and longitude at the end of the report. Notice the big difference there in the locations, right. So that's a big flag.
Speaker 1:Now, forensic tools like Cellebrite, Axiom and MSAB's, FTK, Belkasoft, Oxygen, hopefully I didn't miss anyone in the world, they're not going to get fooled by this, because everybody looks at the EXIF data, so they don't depend on Photos.sqlite to determine how the file is either located or generated in regards to the timestamps. So this is important, though, I believe, because if I can flag someone attempting to change timestamps or locations of images that are going to be evidentiary, that talks about intent, okay, and it might give me clues of what they're trying to do or where they were trying to head next in regards to whatever criminal activity they were in that's related to the pictures, okay. So I think it's still worthwhile, to show that, even if it's trying to destroy something, trying to hide something, who knows, or fool us in some way. So I believe this type of thing is important. This is kind of like an outcrop, and I'm going on, I'm on a tear now. So, sorry, I'm on a tear now. Tears, crying. Sorry, I'm on a tear.
Speaker 1:It's what I was preaching, kind of like last episode, right, where it's okay to show me stuff that's on the phone, but how can we take disparate pieces and gather some artifact intelligence from it? Like Cellebrite is doing: they take multiple data points and they tell you, well, we believe, with a level of confidence, that this picture was created by the phone, or no, we believe this picture came from the internet, from an app, or we just don't know where this picture came from, right. They're grabbing this data and making some determinations, not final determinations, but it gives you like a heads-up on things you need to focus on.
Speaker 1:This is, I think, another, more simple example where we're taking one data point, which is the latitude in the EXIF, another data point, which is the database, and we make some comparisons to get some intelligence out of it and make some possible determinations. I put on the top of the report that, again, this is tentative. You need to actually validate everything. There's another picture down there that I identified, and I think it's another, again, another tool set, and I wish vendors, I wish developers and us examiners would start looking at aggregating artifacts and data points and then taking it to the next level. What can we deduce or learn from these to then push our investigations forward?
Speaker 2:Yeah, definitely. This artifact, correct me if I'm wrong, is unchecked by default.
Speaker 1:I don't remember, but it should be. And the reason it should be is because if you have a lot of pictures, it's going to take a while to go through it. Yeah.
Speaker 2:I just want to point that out, yeah.
Speaker 1:Yeah, thanks for doing that, because I don't remember, and if I haven't, I will.
Speaker 2:I'm pretty sure it is yeah.
Speaker 1:It does the same thing with the media, I think media origin and some of the, they call it enrichments. You have to select those for processing, and it makes sense. If you hit all by default and you don't really need it, the extraction is going to take a sweet time to parse, right, and you might not have that time, so maybe you want to do it later. So just keep that in mind, and I will make that, I will check on that. So thanks for the reminder.
Speaker 2:I did select all for one of my larger extractions with this, and it took a long, it took a long time, so just keep that in mind. If you're going to run this, you may want to do it separately.
Speaker 1:Nope, no, absolutely. There are always limitations. I mean, a computer can only go as fast as it can go, depending on the data set. Like a phone that's 15 gigs, sure, easy. If you have like a terabyte phone, then good luck.
Speaker 2:Whatever you're trying to do. Awesome artifact, though.
Speaker 1:Oh no, thank you. Thank you for helping and actually providing some test data there to make it happen.
Speaker 2:Yeah, the World Trade Center is not actually... I think I changed it to Georgia, or no, I changed it to Disney. I had the picture.
Speaker 1:I'm a dummy. I should have shown it, but I don't know where it is right now. I took a screenshot of where you put it, and you put it in Epcot actually.
Speaker 2:Yeah, in Epcot Center, yep. So another new feature coming to the LEAPPs, to all of the LEAPPs, so we're not just discriminating here on iLEAPP, it's not just iOS, it's going to be my new favorite: the time zone offset.
Speaker 1:I'm laughing. I'm laughing a lot.
Speaker 2:Because I whined enough and got my way. Oh, my goodness.
Speaker 1:It was this fight for a year where she's like, we should put, you put time zones, and I'm like, UTC or GTFO, right. You can subtract four hours or five off the top of your head. That's super easy, right? Let me explain to you, like she doesn't know, of course she knows. Let me explain to you the values, the virtuous values of UTC, in my moral crusade to make sure UTC is a standard for everybody.
Speaker 2:So when I get up on the stand and have to testify to things, I want things converted to my local time, and I want my daylight saving time, right.
Speaker 1:And look, I came around to Heather's point, and it's good to have, especially with some of those calculations, and you're like, well, is it four? Is it four? Is it five? What day did we change? Yeah, what is, the phone that I got was in France, and they landed and now it's on my lap, right. I want to make sure I put that activity in, I guess France, you said a country, but in European time, to make sense of that data. Oh, they were sleeping, right, and I don't want to do those calculations. So I relented. I put up the white flag of surrender.
Speaker 2:So anybody who wanted to be able to choose their time zone offset in any of the LEAPPs is going to get their wish. But it's a work in progress, though. So I didn't realize that Alexis can't just push a button and give that to us, and that it's going to take some time. But he started it, and it's going to be quite the project. But I'm going to show everybody kind of how it's going to look in the LEAPPs, so let me grab and bring that up. I want to thank again Kevin.
Speaker 1:Kevin has been so kind and is also starting to help me out refactoring all those, because I have to go back to all that old code and make sure that we make it time zone aware. So it'll take some time, but we're working on it.
Speaker 2:So I brought up iLEAPP, and you can see here we have this new dropdown, time zone offset, and it has the option to go pick your time zone.
Speaker 1:And I put all the time zones that Python recognizes. Am I here? Yep.
Speaker 2:I'm in New York, so I'm picking New York, and then you can just run it against whatever extraction you have. I actually have one already run, so I will just share that instead of running it.
Speaker 1:Hey, Heather, just for the folks. You know, you might use a time zone a lot, and it's really easy to go into the code and just put your favorite time zone at the top of the list, so that way you don't have to hunt it down, open up the list. So that's something that's really easy to do. So I might do a little LinkedIn or blog post about how to do that. Super easy, oh yeah, yeah, put your favorite time zones at the top so you don't have to kind of scroll up and down to find whatever you want to find.
Speaker 2:Yeah, I definitely need to do that. So in the report I just ran, I knew that Alexis had already refactored the time zones for the biomes. So I ran it on the biomes, and if you go to the processed files list, you can actually see here that the time zone selected will show, and it's the America/New_York time zone. And then I ran a bunch of the artifacts that I knew already were adjusted for the time zone, and let me choose one, and you can see here, now I have the minus four at the end for my America/New_York, with the Eastern Standard Time minus four accounting for the daylight saving.
Speaker 1:Which I got super excited about when, in one data set, I moved away from daylight saving time and it gave me the right offset, like, yeah, this works great. So I was actually happy to see it in action, and super useful to have that ability. You want to make sure that in the LEAPPs, if you don't see a minus or plus, or if you don't see the offset at the end of the timestamp, assume it's naive UTC. So it's UTC and plain, right, and that's how it's set up right now. As we add that support to all the older artifacts and the newer ones, you will see that offset at the end of the timestamp, either minus or plus, depending on what offsets you are using.
Speaker 2:And there is still that "all dates and times are in UTC unless otherwise noted" too, on your report.
Speaker 1:Yeah, the noted part is that minus or plus at the end. That's your notice that there's been some offset and it's not pure UTC. So we have a question.
Speaker 2:What's more productive, the software or Python scripts?
Speaker 1:I guess that's for me.
Speaker 2:Yeah, I guess.
Speaker 1:It depends what you mean by productive, right, because software, I mean, a script is software, and software might not be a script, but it's based on coding, right. So it depends on what you're trying to achieve with the software or with the Python. So, long story short, I have software, like third-party software, in my toolbox. I have scripts in my toolbox. I have a piece of pen and paper to do offsets by hand in my toolbox. That we have to do sometimes, and it's all part of being effective at our jobs. And again, for those that, not those, everybody, just bring justice to whatever doings you're into, no matter if you're civil, no matter if you're corporate, like Jessica is saying, you have to use it all, use your stuff or use your scripts.
Speaker 1:At the end of the day, the tools are tools, right, and you are the examiner, right. You are the one that has to validate and make sure that that output has the correct meaning, that the output of the tool or of your analysis is an accurate representation of things that happened at a particular point in time in the past. Okay, this is not about just what the tool says. Is this interpretation correct? Is this an actual reflection of what happened? And that's a long conversation, because you can do a whole bunch of artifacts, and the way you present those artifacts, you could make it mean the total opposite of what it should mean. Hopefully that makes sense, Heather.
Speaker 2:Yeah, it makes sense definitely.
Speaker 1:Yeah, it's like a conversation. You can take a conversation and, depending on, like, I could say, I'm really sorry for you, sadly, right, or I could say, I'm sorry for you, being sarcastic. They're both the same sentence. That's why you shouldn't argue over text message, because you don't know what the tone or the attitude of the person you're texting is, right? Some conversations you have to have in person to see what the person actually means by their facial expressions and their voice tones, right. Same with evidence. Evidence is like that, right. You could give it that face tone, I mean facial expression, with that voice tone that might make it seem what it's not. And that is something we have to be really, really careful about. Our propriety as examiners is key.
Speaker 2:Yeah, I had to put this comment up. I love it. "Thank you, Heather, for complaining. Thank you, Alexis and Kevin, for this work with time zones."
Speaker 1:Look, Laurie, don't encourage her. You know what? Don't find me problems, find me solutions.
Speaker 2:Like my marquee says here on my shoulder, okay, Laurie, what else would you like me to complain about? I'm ready. Well, you know what?
Speaker 1:I think it's a great point in this show to start with the meme of the week, so we can close it out before I get more work.
Speaker 1:All right, let me show the meme of the week. So obviously we're in October, and we had to make this a little bit seasonal. So I have here an old debug goodie meme that I share around this time of the year, and it's like a Spirit costume, and those here in the US, every October, you have big box stores that are empty, and they get filled with Halloween costumes, and then they go away till next year.
Speaker 1:And this one is for law enforcement digital forensic examiner. And you see this guy with a polo shirt type of deal, some tactical pants, 5.11 pants, and some boots, which is kind of funny, because when I posted this stereotypical examiner in law enforcement, I did it wearing the exact pants, the exact same shirt and the exact same boots. And this costume for law enforcement digital forensic examiner comes with 5.11 pants and boots for office or lab work, of course, two pants with no ink, which, I don't know what's happening with these government-provided pants, and the write blocker kit with firmware last updated in 2015, which I think strikes too close to home for a lot of people. Yeah, make sure you update your write blocker.
Speaker 2:Check the firmware.
Speaker 1:Exactly. So that's the meme of the week. It's a little bit of a crack at ourselves.
Speaker 2:That's good.
Speaker 1:But I like it. I think it's accurate.
Speaker 2:Yeah, very.
Speaker 1:The only thing that was missing in this meme is having, like, some sort of a branded shirt from a conference. Yeah, when they give them out for free, we always grab a couple and then we wear them for the rest of the year. That's the only part that could be more accurate, right.
Speaker 2:Definitely.
Speaker 1:Anyway, all right. So that's what we have for this episode. Anything else for the order that we might be missing, Heather?
Speaker 2:You know, we have one last question here I'm going to throw up, because we kind of skipped it, so I'm going to let you answer it, and then we can call it a night.
Speaker 1:All right, you want to read it.
Speaker 2:What percent of your scripts are self-written, and how many are just things that you've found that others have made that just work?
Speaker 1:Oh, wow. On percentages, that's tough, because I found another meme that I presented a few episodes back where, you know, pretty much they say, well, all that you do at work is Google things, and, like, yo, you offended my whole profession. But yes, that's true, most of the stuff we do is Google. No, but I mean, kidding aside, I mean, there's some stuff that's native, I say native, but kind of created by me straight up. But most of it is built on stuff that some other people have done, and not necessarily, not even code.
Speaker 1:I'll be straight with you: the code is not important, and I'm going to make this point again and again and again. The code is not important. The code is just a way to automate the process, to make it easier for you to do it repeatedly. So the code is not important. You know what's important? The research, the Josh Hickmans of the world, that go and look at the data, get the offsets, tell you what it means and make you aware of it. Those are the important folks, right? The automation part, at some point ChatGPT is going to do it for you, it'll do the code for you.
Speaker 1:But defining the relevance, why is this important and what's the meaning, that human aspect and that sweat and tears and blood of the research, I believe, is the main thing. So I depend on folks like, and even like Heather, that does the test data, right. She has to go and be careful and accurate in making that test data, and she has to have the right timestamps, because I'm not going to compare her notes to what the phone has, and if she didn't do good work there, then everybody's in trouble, right, and she's not doing code, but the work is as, or, I believe, even more important than the code that I do. So we have to, I think, and this is not on the person that asks the question, it is more on all of us, to move our mindset away from just, well, what does the tool do, what does the software do, how many tools do you have, and move it towards what's the research behind it, and my understanding of what the tool is telling me, and how can I make it better based on that understanding.
Speaker 1:Right. Now, percentages, I don't know. I use a little bit of everything, a lot of it. I mean, all my LEAPPs are a product of that desire to give and make people's lives better, starting with mine. But again, we need to really focus on the root of it, on what's the underlying truth under what the output of these tools tells or gives us. Do you think that answers the question, Heather? Hopefully, no?
Speaker 2:Yeah, that definitely answered the question.
Speaker 1:Okay, thanks for bailing me out here.
Speaker 2:I kind of threw you the question last minute. Sorry about that. We skipped it, though. We had to answer it. No, no, you're up for it. You had to answer it, I didn't.
Speaker 1:Okay, everybody, next week all the questions are to be for Heather, okay, all right. Well, again, Heather, thank you so much for being awesome, for being here with me. I enjoy these so much. Thank you to the folks that are live, that give us your comments, you give us life, and thanks to the folks that listen and watch the show later. Send us your questions. Look Heather and me up on LinkedIn. Also look up Digital Forensics Now Podcast on LinkedIn. Leave us questions there, comments, concerns. If you leave complaints, make sure you leave solutions with them as well.
Speaker 1:Yeah, please, and we'll see you next time. Anything else, Heather?
Speaker 2:That's it.
Speaker 1:All right, everybody, so we'll see you in two weeks.
Speaker 2:Two weeks.
Speaker 1:All right, everybody take care and have a good night.
Speaker 2:Have a good night.