Curious about how digital forensics can unlock the secrets held by your tech devices? Join us as we shine a light on RabbitHole, an ingenious tool devised by Alex Caithness of CCL Solutions Group. This episode is sure to be a revelation, as we delve into this unique amalgamation of data format viewers. The plot thickens as we act as your guides to dissect the complexities of RabbitHole's reparse feature, the free-form report builder, and its remarkable ability to extract data from various sources.
We step away from the tech talk for a moment to underline the crucial role of Moot Court in nurturing digital forensics examiners. We debate the need for a supportive environment that allows mistakes, honing professionals in the field. We discuss the highlights of what qualities are needed to shape a great witness and throw light on two free cybersecurity courses related to expert witness testimony.
Don't miss our discussion on the new additions to iLEAPP: media events from the knowledgeC database and connecting Discord attachments to message threads.
Finally, we discuss changes to Shellbag artifacts that were implemented in Windows 11 updates, as outlined by 13Cubed, and the meme of the week!
So, are you ready to tumble down this fascinating digital RabbitHole with us?
Notes:
CCL Solutions - RabbitHole:
https://www.cclsolutionsgroup.com/forensic-products/rabbithole
Courtroom Testimony Trainings:
CYBRARY.IT:
https://cybrary.it/course/dfir-investigations-and-witness-testimony
NW3C - DF501 Expert Witness Testimony - Digital Forensic Examiners: https://www.nw3c.org/UI/CourseCatalog.html
Connecting Discord Attachments to Message Threads:
https://bluecrewforensics.com/2023/10/30/connecting-discord-attachments-threads-sdwebimage-library/
13Cubed: An Important Change to ShellBags - Windows 11 2023 Update!
https://www.youtube.com/watch?v=M1nyMIu1Y18&t=4s
Shellbags Explorer by Eric Zimmerman:
https://ericzimmerman.github.io/#!index.md
Speaker 1:Hello, hello, hello. Today is Thursday, November 2nd, 2023. My name is Alexis Briggs Brignoni and I'm accompanied by my co-host, the horse whisperer, the report corrector, the master of peer review disaster, the one and only Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. And here we go. Here we start. Hello, hello, Heather.
Speaker 2:Hello.
Speaker 1:Thank you for putting up with me and my colorful introductions of your awesomeness. There we go.
Speaker 2:I'm sure what it's going to be.
Speaker 1:Yeah. So, as people may have noticed from the intro there, I mentioned you're the horse whisperers, because I'm dying for you to tell us what you did over your well-deserved vacation.
Speaker 2:Well, in case you didn't figure it out, I went away and went horseback riding. I went away for a week to an all-inclusive horseback riding ranch and it was in Georgia and I'm going to share a little something from my trip. So I went away and relaxed for a week and horseback rode twice a day. It was wonderful. I did not want to come back. I am back. I plan on visiting again.
Speaker 1:Why does your you know why the long face? What does?
Speaker 2:he have a long face.
Speaker 1:For those who are listening, it's a horse, so why the long face I'm laying like that? I was told, living by Keraly, by Keraly, through you. She sent me a few pictures during your trip. I wish I was there.
Speaker 2:This was my riding companion for the week, Grace. She was my horse for the week.
Speaker 1:Beautiful, beautiful horse. Yes, yeah, heather was like oh, I'm like, hey, you're coming tomorrow, you're coming back. She's like most crying that she didn't want to come back.
Speaker 2:Yeah, no, I did not want to come back, and I left and did not bring a computer with me at all. Felt a little naked for the week, but I did not bring a computer at all. I did have my test phones with me, though.
Speaker 1:So you had a little bit of a little bit of a little bit of a drug still with you there.
Speaker 2:Yeah, A little bit a little bit.
Speaker 1:That's awesome. I'm really happy that you surfaced and I'm really happy that you have fun.
Speaker 2:Thank you, thank you so what were you up to?
Speaker 1:Well, obviously, there's no way I'm going to outdo you, of course not, of course not. But so Halloween was what? Yesterday, you know, the day before, yeah, yeah. So I'm just going to share a picture of my elaborate costume, which is absolutely the opposite of elaborate. And again, for those of you folks that are not seeing because they're hearing, it's just me with Jason, you know, the serial killer mask, and very, very creative, extremely creative. My kids loved it. One was dressed as the Mandalorian, my little one was dressed as a signaligator, which is the most Florida costume you can get, as an alligator, right, I mean.
Speaker 2:Florida, that's very good.
Speaker 1:So no, it was a good time. I mean, the kids loved it, and Halloween is for the kids.
Speaker 2:So the alligator was the youngest.
Speaker 1:Yeah, yeah.
Speaker 2:Oh, that's cute.
Speaker 1:He had a tail, so that was. That was the best part. Oh, my goodness, that's cute, yeah, but no, I mean so, yeah, so again. Good, good week. Two weeks away, some vacation. We did Halloween.
Speaker 1:Now we're getting into the holiday season and we want to start the discussion talking about some tools and, yeah, you know, not to get serious now, and this tool is from CCL Solutions Group and it's called Rabbit Hole. So CCL Solutions, it's a digital forensics company over in the UK, across the pond, and the tooling was made by Alex Caithness. And, as always, full disclosure: we don't get paid or anything like that for showing these tools. We just show them because we think, you know, they're neat and might be useful, and we also critique them if we need to, right. And the second part is also for full disclosure.
Speaker 1:Alex is a good, a good friend, a good friend of mine, a good friend of the stream. He has helped, and through, you know, through CCL, in putting out a lot of open source libraries that folks use for digital forensics, me included. So I'm definitely appreciative of his voluntary work for the community, and also we're grateful to CCL Solutions Group for allowing him to do so. And, that being said, I definitely want Heather to show us how Rabbit Hole works and why we think it's a pretty cool tool.
Speaker 2:So yeah, definitely. I'm going to give a brief overview of Rabbit Hole, not all of its functionality, but brief, brief, just a brief overview of a few of its functions. Rabbit Hole combines data format viewers into a single user interface.
Speaker 1:So let me share my screen so you can see what Rabbit Hole looks like here and you mentioned viewers, and folks that have listened to the other episodes know that you know viewers, you know they're your friends, but you cannot really depend on them. This viewer has actually made me change my mind in a lot of those assumptions Like this is a really, really good. I believe viewers should be what you're going to see now. So just just just get ready as as there we go, so here's going to tell us.
Speaker 2:Yeah, as you. As you can see, super, super simple interface. Not much to see when you first open it, but go right for file and you can open the file you're looking for. It asks you if you want to start a new dig project. So the projects in this tool are called a dig and you can create a dig. I'm just going to, I'm just going to call it test for the purposes of the podcast here.
Speaker 1:Yeah, you have one called test already. Want to call it test one, just in case.
Speaker 2:Oh yeah, good idea. Sorry, thank you, I was testing it earlier.
Speaker 1:It's a test of a test.
Speaker 2:We will test again, for my second test, had to make sure it was going to work here, and then you can just browse out. So the tool supports numerous different data formats. You guys can't see my screen right here, but I'm just going to read some of them off to you. So this is ABX, the Android Binary XML format, Bencode binary format, Chromium LevelDB, IndexedDB, Local Storage. There's hex view, there's image view, there's JSON, LevelDB, protobuf, SQLite, numerous different data storage formats, and you can find all of that listed right on their website, and I'm going to put that up on the bottom of the screen.
Speaker 2:Now I am not sure why we can't see my screen where I am, so I'm going to just try and reshare here. There we go. So this is where I was reading from. So there's all kinds of different formats that the tool supports. I'm going to browse out and for the first test here, I am going to grab just the packages XML in an Android, in an Android phone. The tool will suggest a couple of formats that you can open the file as. This file itself is suggesting that it be opened in the ABX, Android Binary XML format, or hex view. I'm going to go with the Android binary format and open that up. Oops, I have to choose it first and hit okay, and then everybody can see it on the screen. And for those listening, I encourage you to go out and get the 30-day trial of the tool, Rabbit Hole. For the 30-day trial, you go out to their website and sign up. This tool is amazing.
Speaker 1:And something, as Heather is kind of navigating the interface, something that's really, really good about this tool is we're used to looking at a viewer, right, and the viewer is saying, well, it's protobuf. You see the protobuf, right, but what happens when there's, let's say, a plist inside that protobuf? Well, you either have to take that protobuf out and open it separately or get another tool to open it. Right, right. This is great because, as she will show in a second, you can go and say, okay, this is inside this format. Oh, I found another nested, different format. It recognizes it and you can go keep digging, hence the dig, right. You keep digging down those to get to what data you need, and it supports so many formats. It's super awesome.
Speaker 2:I actually have an example of that coming up. For this particular file, the packages XML, I'm going to show you how you can create a report. So with this XML you can go choose which data you want to add to a report, and it has a free-form report builder built right into the tool. You can go choose a certain section of the XML file, and what you do is you right-click and go to their report building section and choose Build Record Query. If you don't remember what I'm showing you at some point, there are also videos on the website that show you how to do this. And then, once you've chosen where you want to build the record query, you choose which portions of that record you want to put into your report and you pick Build Field Query. That will add the portions to your report.
Speaker 2:You can see over here on the right-hand side. I'm just going to add a couple. I'll just add a couple to the report and I'll show you how to create a report here. And then, up under Export, there's Export Results Grid. There's an HTML, a TSV and an XML format. You can choose whichever you like and go out and create a report. I'm just going to call it report, and we'll save it right to the desktop, and I actually already have one created, so let me just share that screen with you.
Speaker 2:And this is one I created earlier. Awesome.
Speaker 1:Awesome and folks that are listening. The process of doing this is so easy and you have a chance later to watch the stream, the recording later. The visual one is so good. It's so easy. Just picking out the record and from those records the fields that you need is a breeze.
Speaker 2:So this is a report that I actually created earlier out of that packages XML. Added a bunch of data and I'll zoom in here for you. I added the name field, code path field, native library path field and then an installer field, and you can add whatever records and fields you want to add to the report. I may have said column. I see the records and fields down there. I'm trying to break my habit of saying tables and columns and rows and columns. I'm getting there.
Speaker 1:Let me make an underlying point. We're so used to seeing data. This is a conversation we had with Alex and he made me a convert. I'm trying.
Speaker 2:I'm still trying, so that's how the report works. I'm going to show a couple of more, because Alexis actually talked about the different data formats that are stored within others, and I think it's important to show some of those. So let me get it back open, yeah.
Speaker 1:And let me make a quick point. We like at least we're trying to move to records and fields, because not all data comes in like a SQL database in columns and rows. It could be hierarchical, like a JSON file or that XML that is best represented as a tree going down, so there's no columns like that, it's going down. So records and fields. It can describe both data that's in columns and rows, but it can also describe data as hierarchical or a tree structure format. It makes total sense to me that the word records and fields should be the more appropriate term for at least for our field.
Speaker 2:It makes sense to me too. I'm just having a hard time breaking old habits.
Speaker 1:No, and for the longest right, for instance in regards to mobile, a lot of it was just pure SQLite. So of course, rows and columns right.
Speaker 2:Right.
Speaker 1:And we kind of trained with that way. But now we're having to move everybody to more different data structures, not only SQLite, and we have to also make that mental switch in how we present things.
Speaker 2:Right. So I just brought in one of the LevelDB files and I'm going to just scroll down here to, it was, let's see here, this one here. So here's an example. This is a LevelDB. I believe this one is related to Snapchat, but you see here that the format, I mean, I don't want to look at it like this. I'm going to come down here and right-click and choose Reparse As, and the tool will give you a few options on how you may want to reparse the data. I know that this is stored as protobuf. I'm going to choose protobuf, but you can try the different options if you're not quite sure how to reparse the data, and you'll be able to figure out how to reparse the data.
Speaker 1:Yeah, and a quick note there for folks that are not watching. The column is, I mean, I have to make the habit, the field is there but it's not readable. It looks like gobbledygook, and what Heather is showing is she's going and reparsing, and the tooling gives you some guesses of what would be the best one, but it doesn't tell you what's the best one. You can make, like Heather is saying, make those choices. Maybe the one the tool picked is the one that you need, but maybe not, and you can switch that. You have that ability as well.
Speaker 2:Right, so I'm going to reparse it and take a look at the data, and then you have here, we can see actually this one was TikTok, so we have a TikTok. There's a Google sender ID. You'll find some more information about the actual IDs in this same LevelDB, in one of those other fields. There's also some Snapchat, and there were parts of some messages back in that LevelDB, so you can use this. All records as a meme. Yeah, yeah, definitely.
Speaker 1:We're putting some message there that Alex is in the chat. It's all records. Always was a meme and if you're not familiar with that meme template, I'll work on it after the show. So don't worry, It'll be out before the day is over.
Speaker 2:Yeah, so you can use that reparse feature to then take the protobuf data, make it into a readable format with this tool, and then use the free-form report builder to turn that into a readable format, or a readable report, for your cases or for your presentations to court or your presentations or whichever, whatever you need them for. I'm just going to show, I'm going to show one more of those because I kind of like this feature. I love that you can't really read what's going on here.
Speaker 2:So then the reparse feature, and we'll come down for the protobuf and see what's in there, and see if this one has maybe a little bit more. Yeah, same type of thing. So we have the Google sender ID in this one and a little bit more information than the last one. Some of these actually have full text messages in them, depending on which LevelDB you choose and which application it relates to.
Speaker 1:Yeah, and you can keep reparsing. If you know what the format is that's next, you can keep reparsing, going down the line. So it's pretty neat.
Speaker 2:So a lot of times I'll use this. I'll be maybe in Cellebrite or Axiom or something and I'll do a search across the entire extraction and I'll find hits for keywords, and they'll hit in these LevelDBs. I'll figure out which LevelDB it is and then export the LevelDB and go looking in that LevelDB file for where I'm seeing the hits, and I would use this tool for that. I would definitely export the LevelDB where I'm seeing the hits and bring it into this tool and create the free-form report right here in this tool. These reports are great, and I haven't found, I mean, I think ALEAPP is excellent with the reports, but this is great too. Another alternative for the reports.
Speaker 1:And two points on that. The first is we're really, like, mobile forensics centric in this stream, this podcast, but this works with any data source. Don't assume that because we're talking about it, it has to be about phones. No, it works with stuff from any computer, desktop, whatever, right. You got a data source, you can use this as a viewer.
Speaker 1:And the second point is, we, and I think Jessica mentioned it in the chat, in the projects that we leverage within ALEAPP and iLEAPP, those are community projects to parse data sets for mobile devices. It's open source, anybody can contribute. We leverage some of those libraries that CCL and Alex have created for LevelDBs, for looking at Firebase Cloud Messaging, to look at protobufs. So it's really awesome. And again, I want to just repeat again for the folks that might have come into the stream a little bit late, it's called Rabbit Hole. If you look at the bottom of the screen you will have the link of where to get it. We will add the link in the show notes for the folks that are just listening, and you can go to the show notes and try it out. And, like Heather said, there's a 30-day, right, 30-day.
Speaker 1:Yeah, 30 days, 30 days. Try it out, which is plenty of time for you to fall in love with the tool and give it a shot. And again, we got paid $0 for this. We went to show it because we think it's pretty neat. I believe Rabbit Hole is the way. If you're going to use a viewer, it has to do this. If it doesn't do this, you're going to be doing a lot of manual labor to get to where you need to get. This tool, you can tell, is done by an examiner, for examiners, like everybody here, right.
Speaker 2:Definitely.
Speaker 1:It's not a programmer that came from nowhere. It's somebody that does the work that we do and knows how we need to show the things that we need to show.
Speaker 2:Right, I didn't need the 30 days. I've already requested my job buy it for me. I think it's great. I do want to show the SQLite viewer too, so I just brought it in. I didn't do a demo of it. The SQLite viewer, I think, is pretty good too. Here I brought in just a SQLite database, an accounts SQLite database. You can see here the accounts. There are two for the dates and times. If you right-click on the dates you can reparse epoch time and it'll pop into another view and give you the option to calculate the date and time. The result will be right here for the date and time, as you can see here, all of the account information, even out of the SQLite view. Here you can do the reparse on the blob data. Here, let me, let me come down. I lost my cursor here. Where did it go? It went onto the other page, but you can reparse completely. It went onto the other page, but you can reparse the data from the blobs stored inside these SQLite databases as well.
Speaker 1:What a useful capability.
Speaker 2:There we go.
Speaker 1:Sorry, it went behind the tool.
Speaker 2:I think that has something to do with sharing the screen, but you can come right inside the blob data from, that's a plist, right? Yes, yep. Binary plist.
Speaker 1:Yeah, for folks again, those that are not watching, this is the whole records and fields thing coming in. We just made this. This data is hierarchical, so it's going down. Now you can pick those records, go to the fields and reparse, reparse as you need. How awesome is it? You don't have to, you were saying, Heather, right, usually if you have a blob inside a SQL database, well, let's pull the blobs out and then you have to do something with them. And then there's something in it, let's do something else. You do all that process for one, and then you have to repeat it for the second one and the third one. Yeah, insanity. So this really automates that creation process.
Speaker 2:Yeah, you don't have to worry about that anymore. I've heard that there are some new features coming to the tool, maybe after the first of the year, that are going to be pretty awesome, so stay tuned for that. I can't give any secrets out, but it's going to be really, really good for people who maybe aren't the best at coding, who aren't Alexis Brignoni, who maybe are a little bit more like me and can't do all of that coding themselves. So stay tuned for maybe some types of automation secrets that will be added to the tool.
Speaker 1:We're sworn to secrecy, so we cannot tell yet.
Speaker 2:Yeah, I can't tell.
Speaker 1:Yeah, pricing. Obviously we don't talk about pricing. We're not going to tell you what to buy or not to buy, or how much it costs, but go to the link, you can check that out and everything is over there, and then you can reach out to CCL and they'll hook you up with pricing or whatever it is.
Speaker 2:Yeah, and I just showed you a few of the functions. There's a lot more functionality with this tool than what I just showed, so definitely get the trial and check it out. Definitely worth checking out.
Speaker 1:Yeah, abraham is saying, yes, booted coding, and I think I'm going to kick you out from the chat now.
Speaker 2:So Abraham, I'm with you right now. I need to learn, so I do know I need to learn, but anything that is going to help me while I learn is awesome.
Speaker 1:so Absolutely, absolutely. So you know it's a great tool. Go check it out. I believe it's the viewer of the president of the future and hopefully other vendors realize that they need to step up their game.
Speaker 2:Yeah, definitely. Well, so, moving on, there's been a lot of chatter on your LinkedIn page from a post you put up about Moot Court. You put a picture up, and your agency was holding Moot Court, and our agency actually has been holding some mock trials as well, and so there were a few requests that maybe we talk about that a little bit, and so we're going to talk about that a little bit. I'll let you get started.
Speaker 1:Oh yeah, and I was surprised. I was helping out, and I wasn't helping out fully this go-around. We do it a couple of times a year, and because of conflicts I had something that was planned. It got canceled. So I showed up and said, hey, I want to help. So I got a chance to help a little bit, as opposed to being fully in the event from the beginning to the end. So they were kind enough to let me help, and it was great. I mean, I put a picture of myself. Maybe you can find it, you can show people there.
Speaker 2:Oh yeah, I'll look for it while you're talking.
Speaker 1:And I made a comment of what's Moot Court. You're familiar with it. We're going to explain that in a second. What benefits can your agency and your examiners, especially the new examiners, get from it? And it got a lot of comments and feedback on it, and I think one of the things I came across is that, and I think, look at, somebody just read my mind in the chat, right, one of the things I took from the comments is that it's not done enough.
Speaker 1:In some organizations it's not done at all, and in some others, reading the chats and LinkedIn, some other countries, they've never been to a Moot Court. Their first experience at trial is an actual trial, right, and that's a hard thing, right? We don't expect people to have done their first forensic examination for a case. No, we train them. We give them test data sets or fake cases to work on so they can practice. And if you're going to commit a mistake, you want to make sure you commit those mistakes on test data, on a fake case, not on a real one, right? But why do we have the expectation that people are just going to do their examinations and sit on the stand and testify and talk about it without ever going through that experience, right? And that's me helping out. I have my suit on.
Speaker 1:All fancy, yeah. No, and that's something I mentioned, I believe that I mentioned in the LinkedIn post, is that when you go into this experience of recreating Moot Court, what Moot Court is is you recreate the court experience. You have a judge, of course a fake judge, but the judge, and you have the defense and the prosecution. They could be actual lawyers that want to help you out with the process, or they could be other examiners or maybe law enforcement agents that have a lot of experience and they can pretend to be lawyers, right. I prefer to have actual lawyers. It makes it even better. And then you have the person that did the examination, and that person has to present, direct, and then have a cross from the defense, right, and it's a lot of fun for me watching. It's not a lot of fun for the person going through the experience, but it's okay because you learn a lot and grow from that, right? So, yeah, so the point of the picture is I have a suit on. So one of the things I think is important is, if you're doing this kind of a fake court, try to make it as real as possible, right. Make the fake court as real as possible, even though it's fake. You want to have a nice table with a mantle and with the judges.
Speaker 1:Give them a little hammer to hammer things, like, what's it called? What's that? It's not a hammer. What's it called? A gavel? Yeah, gavel, a hammer. Oh my god, a gavel. A hammer works, I guess.
Speaker 1:If I were to be the judge I wouldn't want that. Looks like the one Thor uses in the movies.
Speaker 2:Anyway, there you go.
Speaker 1:Give them, give them a gavel, right. Make sure everybody wears a suit, that they're all dressed as they would dress for court, and make it as real as possible. If you want to take it to the next level, and I recommend that as well, have a jury, and the jury is not going to make a decision about the fake case. They will listen. Make sure they're other examiners, so they can give feedback, useful feedback, for the person that's testifying, not just burn the person down. We wouldn't want to do that. Right. We want to make sure that they get positive critiques, right.
Speaker 2:Yeah, definitely positive critiques. I think so. When we do the mock trials, everybody is so nervous, and I actually have had people come to me like, I'm so nervous, how should I prepare, is this going to be terrible? And some of the things I say to them are, yes, you're going to be nervous, it's not going to be fun, don't expect it to be fun. It's definitely not going to be, but it's necessary. You're going to learn. It's going to be uncomfortable, it's supposed to be uncomfortable, but you want to do it here. You want to make your mistakes here. We can provide you with the constructive criticism. Afterwards we can correct your mistakes. And if you're going to make the mistakes and be nervous and make the big mistakes, make them here. You definitely don't want to do that in court, where a defense attorney is going to eat you alive, or you're going to create bad case law for everybody in the forensic field.
Speaker 1:Yeah, and that's a good point. And for those who are not familiar with the criminal side of things, if something about how you approach your cases creates bad law, you're not affecting only your case, you're affecting people that are coming after you. And we say bad law, not that the law is bad, but that interpretation could have been presented in a way that's more accurate than what you did, and because you didn't do that part, you could affect some other cases coming down the line. Right, right. I think, and let me, I want to share this comment here from Troy. He's saying that the attorney will learn as much as you, and that's a good point. Right, if you have an attorney there, you have to, you know, you as the person being tested work with that attorney to, you know, to talk about how you're going to do your direct. And then the other attorney, the one that's going to cross you, also has to look at your product and kind of cross you on it.
Speaker 1:And one of the recommendations I want to tell people is make sure that you assign that attorney another examiner from your unit, an experienced one, that will help that attorney. Hey, look, this is the document the person that's going to testify has made. These are some of the weak points that we, technically speaking, can point out, because you cannot expect your attorney to know as much as you do about forensics, right, the experienced examiner. So that examiner will help that attorney get some of the weaker points, to test the trainee in the Moot Court environment and again, not to burn the person down, to build them up, build that confidence and put a little bit of pressure on them.
Speaker 2:Definitely, yeah, they have to be uncomfortable, but you're right. At the end, when you go around the room and everybody gives you your positive feedback and the things that you can do better, it should all be like a good experience at the end. It's all meant to make you be a better examiner and be better in court.
Speaker 1:Yeah, and at one point, I just, I mean, we discussed, but I just remembered having conversations with Heather about this. Tell the attorney that is going to do the cross, right, make sure that you understand what the purpose of the event is, because if they're going to start crossing them about, you know, whatever they like for 30 minutes, about what the previous work experience is or how they wrote a report, if they made grammatical mistakes, which, first of all, we don't want to have those. But it shouldn't be about that. It shouldn't be about that, right. It should be about the technical aspects, right, and it could be something as simple as, well, you mentioned this is a binary plist. What is a binary plist?
Speaker 1:Examiner so and so, and have them talk about, try to explain to the fake jury those technical aspects of the work, right, so it's not only grill them under inconsistencies if there's any right, or maybe they wrote something in a way that could be misinterpreted, so we're going to drill them there. But have the trainee go over the technical aspects, because we want to have all the trainees and all the examiners, no matter what your experience level is, be able to communicate clearly these technical aspects. In my outfit we call them technical terms, and we have a list of technical terms that, at a minimum, we expect an examiner to be able to convey clearly to those task holders. You could be the jury, the court attorneys, everybody there that's present. But it goes beyond that, right, it's not only those technical terms, a lot of lists that we give them. We have to continuously grow and think about how can we present things in a way that's clear, and I'm sorry, heather, but I'm on my soul box now.
Speaker 2: You're good, you're good. I'm gonna add to that, though, because I think, presenting them in a way that's clear and technical, but also presenting them in a way that somebody on the jury that might be like 65, 70, 75, can understand what you're talking about. Maybe give an analogy or just present it in a way that your grandmother is going to understand what you're talking about as well, and go back to your show.
Speaker 1: No, no, no, and actually it's perfect because you were reading, you were like a mind meld. We're reading my mind and I was gonna say what Heather said and that's perfect to lead to this point. Doing that explanation and analogy. It's not dumbing it down and I hate that term. You're not there to dumb it down, right, because the juries are not dumb, right? They're folks from all walks of life, they're your peers and they will understand if you explain it. So don't dumb it down. Explain it in a way that's digestible for a person that's not technical, and that's a skill that takes practice. You have to think about the analogies that you might use and maybe get a friend that's not technical and say, hey, what do you think about this? I'm talking about what's an IP, and explain what an IP is, with some examples, some analogies, like Heather said, but not dumbing it down. I hate that term and I don't like it.
Speaker 1: The juries are not stupid, which, by the way, again on my soapbox, this exercise, because the facts are what they are, right, and your examination is what it is, right. The important part of this process is you'll be able to present that and be credible. Right, and not because we're trying to make somebody believe a lie. We're trying to have people understand what happened, what we found in our examinations, right, and credibility is important, and I have a list here. How do you build credibility, right? Well, you build it by a couple of things.
Speaker 1: First of all, explaining clearly, right, have a calm demeanor and, depending on what your districts are, some districts, I work in the federal system, it's pretty calm, serious, right, but some other districts the lawyers may be really animated and will try to get you mad on the stand, for example, right, and you have to keep your composure. You have to treat your side, be it the defense or the prosecution, though I don't care which side you are in, which, if you're an examiner, you can be an examiner for either side, right, and you get to treat one side, which is the same difference and understanding, than the other side. It don't matter, even though we're in an adversarial legal system. The facts have no sides, right. The facts are what they are and I'm more than happy to answer questions from the defense. I'm happy to answer questions from the prosecution, I'm happy to answer questions from the judge if the judge decides to ask me a question, right, and that builds that credibility, keeping that calm demeanor, right. You have a few others you wanna share about building credibility, Heather?
Speaker 2: Yeah. So I mean, I feel like if you are asked a question and you truly do not know the answer to it, do not try and guess. Answering a question "I don't know" in this field is okay. You're not gonna know everything always. Excuse me, you should not be answering every question you're asked "I don't know." You are the expert testifying, so you need to be able to answer most of the questions with a good answer, a good technical answer, and know what you're talking about. But if there comes a question where you absolutely don't know the answer, answer it accordingly, don't try and answer.
Speaker 1: Absolutely, absolutely, so important.
Speaker 2: Yeah, I think that's really important.
Speaker 1: No, and you know, Heather, you're saying, you know, and maybe you can't recall at that point, right, and if that's the case, make sure that you have those reports and you can tell them that I cannot recall, and the attorney might tell you, well, Examiner, Agent Brignoni, is there something that might refresh your recollection? And you can tell them, well, my report will help me, and it might be provided to you. And then you read your report again, the sections that are of importance. You refresh your recollection and you speak about it, which leads to another point: your reports. You will live and die by your reports, right, and your notes. That's why they have to be detailed. They have to answer the things at the level necessary to be able to do those, because nobody expects you to remember every single bit and byte from a four terabyte hard drive, like nobody will expect that. But your report should address things that are relevant to the case and that give the facts or things that happened in the past as you're presenting them in the present, right. So, and that's again, make sure your reports are good. You will live and die by them, right, and again, that's another part of credibility.
Speaker 1: Like Heather's saying, if you don't know, you don't recall, then you say that. Never hazard a guess at situations. I'm not gonna talk about specific cases, but what I've been understanding, and I literally didn't recall, but I have a notion of what it was. So how to make a decision in my mind: do I go with my notion or really accept that I cannot recall the details? And that was the best course of action, right? If you don't remember the details, don't try to guess. Well, I always do it that way. Don't do that because you're gonna get in problems. Remember, you're under oath and that means a lot and that's credibility, right? I have a couple more.
Speaker 2: I think you need to be prepared for the unexpected too, right? So a lot of times you'll go to court and be overprepared. So you're overprepared for all these crazy questions the defense is gonna ask you and not be asked any of them. But then the next time you go to court you could be underprepared because they don't ever ask you anything. But always be prepared for the unexpected. Be prepared for the defense attorney that knows forensics, that knows what they're going to ask you and that knows what you're talking about, because you never know who they're going to have talked to. You never know what they know. Sometimes I will go testify and I am literally not asked anything. And then sometimes I'm asked questions and I'm like, how did you know to ask me that? So just be prepared for the unexpected. Be prepared for the hard questions and then, if you're not asked the hard questions, so what, you were prepared, and I think that's really important, just to be prepared with all of the details of your case.
Speaker 1: Oh, absolutely. And that also speaks to the importance that we don't think of our development as, well, I took a class and I'm done. Or if my agency doesn't send me to five classes this year, then too bad, right. There's gotta be a level, from my perspective, and I think you will agree with me, of that self-responsibility to your own self-growth, because when you have this body of knowledge that you're constantly aggregating, it helps you. You might not be ready for something, but you have the knowledge of how something works, right. And one time I was asked, so because this phone has a pin code, it's encrypted, correct? And usually the answer is yes. But is that the case? Well, is a pin code the only factor that determines if something is encrypted? Well, no, right, and that's that.
Speaker 1: So you have to really that. You have to go back into that well of knowledge that you're developing constantly, as you're growing daily, and go into that. I wanna make a quick comment, and it is that make sure you deal with your attorney, be it on, it don't matter what side. Work with your attorney and make sure that you're on the same page. What I mean by that is you gotta trust your attorney and sometimes we get combative at court, moot court or real court, when the opposing side is crossing us or asking us questions and we want to set them straight, and that might never be the best time to do that. You gotta trust that your attorney will come later and clarify some points because, at a level, the way I approach it is, I don't see the other side, no matter what, Simon, I don't see the other side as being evil, trying to contradict me.
Speaker 1: The way I see it is, they have an interpretation of the facts, right, and I have a different interpretation, right, and my job is to show why my interpretation is the one that's best, that's credible, that the actual facts support it, right, and the other side is trying to do the same and the fact finder, which is not me, neither the other side. The fact finders will take care of that, right, so it's not my responsibility. It is, that makes sense either, like I want to. Just, this is what the facts show. This is what I, based on my training, my experience. The other side has a different idea? Then this is what it is and the fact finders will take care of that. So it takes pressure off of me, like it's not on me to have anybody believe anything. This is what it is. It's what my investigation shows.
Speaker 2: Yeah, I agree completely.
Speaker 1: And again, if anybody in the chat, you know, wants to throw a tomato at me and tell me I'm wrong, I'm, we're more than happy to hear that. Actually, it's a good point of me, it's a good moment for me to, for us to say that the expressions here are only ours.
Speaker 2: They do not reflect our agencies.
Speaker 1: Right, right, oh yeah, absolutely. Just our opinions based on our experiences. Troy, oh yeah, maybe we do real quick and I'll let you go on, yeah.
Speaker 1: Troy saying, yes, trust the attorney to come back and allow you to clarify. It's not your job to fight with the attorney asking questions. And thank you, Troy, because that's what I was trying to say in a lot of words and you made it really succinct, really clear, and I love it. It's not your job to fight with your attorney asking questions, love it. I'm gonna, man, I'm gonna steal that from you. Moving forward, oh.
Speaker 2: But wait, yeah, I was just gonna do that.
Speaker 1: You gotta have the tomatoes too. Kevin is throwing me tomatoes in the chat. Thanks, Kevin, I'll make some salsa and some chips.
Speaker 2: So I think that there needs to be more training courses available for courtroom testimony. I know that a lot of employers are doing moot courts and mock trials. Ours recently started doing it and I wish that that had been available to me almost nine years ago when I first started. I actually was asked what kind of training do you want when I first started my job and that was what I asked for. There was nothing available at the time for that. I think I read some papers and some books on it, but we are doing that now at my agency and I know a lot of other agencies are doing it.
Speaker 2: I've heard from some of our newer hires that it's being incorporated into a lot of the colleges. I saw a comment earlier from Jessica, I'll throw it up here, that a lot of the universities are adding the moot court as part of the curriculum, which I think is awesome. That needs to be done at universities, especially for anybody that's going into this field. I know it's being done at a lot of the conferences and at some of the trainings. I know NCFI, and if anybody's familiar with NCFI, they've started doing some of the mock trial stuff. I'm sure, are you aware of any others that are doing the moot court or mock trials?
Speaker 1: And NCFI is only for law enforcement, correct?
Speaker 2: Only law enforcement only. Yes, yes, yes.
Speaker 1: Just made that clear, and I think we need, I say we as a community, as the field, right, like you're saying, more training, and I see that, like, law enforcement has a lot of those, and I'm ignorant if the private sector or folks that work for the defense have that same experience or those settings, I don't know. I definitely would like maybe organizations that, no, that support both law enforcement and the private sector, civil sector, like IACIS, maybe come up with a course, and then we do something. We might have to ping some of the IACIS folks and say, hey, can we develop or put up a court? I'd be more than happy to help with that.
Speaker 2: Oh, I would be. I would be too. We'll have to start harassing somebody.
Speaker 1: Yeah, we'll talk. A few people on the board say, hey, you know, sorry to bother you, hey, maybe it's something you should consider and maybe do some of those. I know that, I think you mentioned it, Hcci has done a few kind of demos on those.
Speaker 1: Oh, yep, I see you here in the comments, Jessica saying, he's a yeah, and kind of like a demonstration in front of a group. I think that's how it went. Yes, I can, correct me if I'm wrong, but I do believe it'll be really good to have, like you're saying, like a class, right, where you can say, look, we have some attorneys, we have like a mock case, like a fake case with fake data, and during the week you're gonna prepare that case. The first couple of days we're gonna give you some presentation techniques and then you're gonna apply it at the end of the course with a moot court, we're the judge, and it might take a couple of days, but everybody in the class should have a chance to go through the process, right.
Speaker 2: Yeah.
Speaker 1: I think it would be a good idea. I said IACIS because, you know, we teach with them and they're... If anybody has any other ideas or knows about organizations that do this type of training, let us know. We'll be happy to write it up.
Speaker 2: I'm actually gonna throw a couple up.
Speaker 2: I was trying to research this before we, but before we came on today. So Cybrary has, I think it's a, it's a four or no. This one's a two hour. So a two hour free course on Cybrary.it. This is not law enforcement only. This is a quick little course on witness testimony. I have not taken the course, so I'd be interested to know what people think. But that is a free course if you just create an account on Cybrary.it's website. And then the other one I was able to locate was on NW3C, which is law enforcement only, and they have an expert witness testimony for digital forensic examiners course. So if you are law enforcement you can create an account with NW3C. It's also free and it's a four-day course, free for law enforcement. So if anybody's interested, those will be linked on our site at the end of the podcast.
Speaker 1: So, and on the notes for the audio. Yes, that's, that's awesome. Thank you for sharing that. I wasn't aware of the Cybrary one, so that's open for everybody. Anybody can come watch those, right? Yes, yes, awesome, awesome, all right. So I think we could speak about moot court like for the whole, there's so much to talk about now and how do you present yourself with that credibility, but I think maybe we can do a second part in the future in regards to testimony and stuff like that.
Speaker 2: Yeah, we definitely could. Maybe we'll have the defense side on some time and we can talk about the defense side. I think that would be interesting.
Speaker 1: No, I agree, maybe, might be. I mean, we're not doing interviews yet, but maybe it could be one of our first interviews, right? Bring anybody in that. That's awesome. It's a great idea. Yeah, I gotta put it on the notes.
Speaker 2: We'll keep it on the back burner for when we decide to actually figure out how to add somebody else in, exactly. So, um, yeah, so there's a few new things with the LEAPPs that we kind of wanted to show. Did you want to introduce them, or have me just go right in?
Speaker 1: Again, like I said before, for folks that are not familiar, Python scripts to parse, you know, analyze extractions from phones, both iOS, Android and cars and some others, and it's free, so, and we'll have the notes on where you can get them as well.
Speaker 2: Okay, so I'm just gonna show two new artifacts that we have with iLEAPP, and here we go.
Speaker 1: Which are artifacts that I did not make, and people really associate the tooling with me because I started it, but at this point it's not my tool, it's the community's tool. Folks from all around, I think Johan is in the chat, that helped out with a whole bunch of new ones that were coming up. So, you know, lots of appreciation for your work and I'll let you speak to who's contributing. But it's a community.
Speaker 2: We'll go Johan first. Johan has media events from the knowledgeC. I'm going to add Josh Hickman's full file system extraction from iOS 15 to show Johan's artifact. He has it here. It is the knowledgeC. So if you just scroll down in iLEAPP and find the knowledgeC media playing artifact, I'm just going to throw it on the desktop here and we'll just kick that off in iLEAPP.
Speaker 1: And we're looking at the interface, the graphical user interface of the tool. There's also a terminal or command line version of it and it runs pretty quick.
Speaker 2: I'm just going to stop my share and share the report with you. Let me pop that up.
Speaker 1: The report is, the basic form is going to be HTML, which, there is a lot of good stuff coming up soon on that report that we'll talk about in the future.
Speaker 2: So the new artifact is the knowledgeC media playing and you can see here we have the media that was playing in the knowledgeC. We have start and end time, we have the playing state, the playing duration, the app bundle ID, the artist, the album, the title, the genre, media duration, AirPlay video output device and the time added are all part of the report. We can see that Josh really likes Naughty by Nature, or this is DFIR. Right, this is DFIR. Really likes Naughty by Nature.
Speaker 1: Yeah, quote, unquote, air quotes DFIR. Yes, DFIR really loves that.
Speaker 2: Yeah, we have a new one showing here, Apple Music, and it shows all of the media playing.
Speaker 1: We got a LinkedIn saying GUI for the show, CLI for the pro. Don't hate on the GUIs, but CLI, the command line interface...
Speaker 1: It has a lot of benefits and you might ask yourself, why is that important? What was he listening to? Look, when you use something, you leave a trace. Was it Locard? I want to say Picard, like Star Trek, but it's not Picard, it's Locard. Right, yeah, a principle, right. And that helps with attribution. If you see how the person is using the browser, the media players, videos, you can really tell what that person is about, right, and sometimes what they're playing is something that they shouldn't be playing.
Speaker 2: Right, right.
Speaker 1: Yeah, so don't dismiss these types of artifacts. They're really important. But you're creating a pattern of life analysis and I think we mentioned that briefly in previous episodes and we might have to go into that in the future. But pattern of life builds a profile of the suspect based on different parts of activity so that you can make determinations in regards to what you're trying to investigate. So super important stuff. And again, Johan, thank you so much for helping out everybody and keep them coming as you're able to. I appreciate it and we love it.
Speaker 2: And then the other artifact in iLEAPP that I'm going to share is Connecting Discord Attachments to Message Threads. This one was shared by John Hyla, Blue Crew Forensics is his blog, and he actually wrote up an entire blog on how he figured this out and created the artifact, so I'm going to share that there on the bottom of the screen. It's probably going to pop away here for a minute, but it'll be back when I'm done sharing the screen.
Speaker 1: And Hyla, I want to give him a lot of mad props because the first person that I came across that was dealing with the biome slash SEGB files was him, and I don't know of anybody else on the planet that was dealing with those before him, and Geraldine Blay and myself, we built on his research to do the SEGB version one SEGB parsers, which we'll talk about more maybe next episode. We built a lot of it on his work and before anybody else, not even the big players, came out with support, he was already dealing with those. So props to him and for putting it out for the community.
Speaker 2: Yeah, so he's a fellow New Yorker, so I know him from New York. And when he was looking at those files he called me. He's like, what is this? I said, I have no idea. I kind of brushed him off and then he figured it all out, which was amazing. But yeah, he's a fellow New Yorker right here, so he created this. It's Discord JSON, is the artifact you'll choose for his, and we'll hit process here.
Speaker 1: And John Johnson's in the house.
Speaker 2: So happy to see you there, and we'll let that run and I'm just going to stop the screen again for a minute and share that report. One second.
Speaker 1: Absolutely. I'm here as you're going, you know, chatting with people in the chat, you know, a lot of folks come in and you're chatting with people in the chat. And we got a Mark, first time watching, man, we're happy that you're here and hope to see you again.
Speaker 2: So here it is. I was looking for these attachments in my extraction the other night and he found them for me, the lemons from Price Chopper. So we were up late the other night trying to find the lemons from Price Chopper and he got them all attached in the iLEAPP report for me.
Speaker 1: If life gives you lemons, make sure you make a report in iLEAPP about it.
Speaker 2: Yes, so these are part of my Discord attachments, and then we have also, in the Sheldon Cooper and Amy Farrah Fowler extraction, the string theory attachments.
Speaker 1: Yeah, and people will say, well, those are just pictures. Let me tell you, there's sometimes the way they present it, right. It will depend how you'll be able to pull them out and present them, and a lot of factors in regards to resolution and all types of stuff. But he did a lot of work behind the scenes to be able to present those and add them to the report, so it's pretty awesome.
Speaker 2: Right, so yeah, so I'm just explaining how. I'm just showing the artifact in iLEAPP. Go read the blog. The amount of work that went into it is insane. I have to read it again to actually fully understand what he did to go figure this out because, as I said before, I'm not a coder, but it's really good. So go check out the blog, definitely.
Speaker 1: Absolutely. Right. So we're running short on time. We got something more to show on the iLEAPP? That was it, right?
Speaker 2: That was it for iLEAPP. Yeah, yeah.
Speaker 1: All right, perfect. So I want to move quickly because I just noticed the time. Again, time flies when you're having fun, right, and we love talking about all things forensic. So I want to highlight something really quick, important. 13Cubed, and actually I have a shirt, 13Cubed, and you can see here on my shirt it's 13, a little cube there. It's by Richard Davis and he's well-known in the community. He does really well-made, like visually appealing videos on digital forensics and incident response, with a lot of emphasis on the incident response part, and he came out with a video recently talking about some changes made to the shell bags in Windows 11. I think I wrote it here, the 22H2 2023 update, right, and super important that we need to discuss it before we close the show out, and I think, well, first, before we explain what the changes are, let's explain what a shell bag is, right, and I think, Heather, you have a pretty good quote from the video about shell bags, right.
Speaker 2: Oh yeah, so I've watched the video like three times so I could be prepared for tonight. But actually Richard quotes Eric Zimmerman, a comment Eric Zimmerman makes about the artifacts, and he says it's like GPS for the file system, right. So I think that's a great quote, because shell bags are showing where the user is traveling in the file system, right. They're showing their access to these folders, they're showing where they've traveled, which folders they've accessed. And I think that's a great quote to kind of explain, not fully explain, but to kind of explain what shell bags are.
Speaker 1: Well, and that speaks for what you said before, moot court, it's an analogy, right? Say, look, you want to know where the suspect or the person or the user, let's use the folder, the user was, what directory the user was accessing? When was the first time that it was accessed? Right, and when that directory was created? Shell bags are there for you, okay, it's like that GPS, right. And somebody will tell you, I know nothing about that, that directory was there, I had no idea. And you go to shell bags and say, well, you interacted with it on this date and it was created on this date, and the content of that folder is problematic, ma'am or sir, right, so it's super important.
Speaker 1: And for the longest time, shell bags only contained... And shell bags, well, I'd be remiss if I don't say this. They're contained in the UsrClass.dat registry and NTUSER, right? NTUSER.dat, yeah, NTUSER.dat, oh. Another thing I will be remiss if I don't say this: this is Windows forensics for everybody. It's not an iPhone or a phone, it's not a phone, it's an actual computer artifact. So I don't want to hear any complaints about you...
Speaker 1: Only talk about phones.
Speaker 2: And then my coworker, Kevin, is going to be very happy.
Speaker 1: Well, Kevin, you better be happy. Okay, so, yeah, so Windows machines, those registries will keep those shell bags information, right. And it kept track, that we mentioned, of first interaction with a directory or a folder and creation, you know, modified access, last access times, all that. Okay. So it was limited to those folders and ZIP files because, as you are familiar, you can open a ZIP file using Windows Explorer. Now, with the update, this new version in Windows 11, now there's native Windows Explorer support for TAR files. Let me get a list here, yeah, for RAR files, tar.gz files and some other more, right. So now you don't need to have a third-party tool to open these archives, you can do it through Windows Explorer and that means that now the operating system considers those part of the quote-unquote file system. Therefore, you'll see those entries within shell bags as well. Okay, and I did not want to show you this on screen here, because Richard has this awesome video we shared there with you. There on the screen, we put it on the notes, where he goes and shows the different formats, the new formats, he interacts with them and then he looks at shell bags to see if they're actually there and they are. One of the tools, or the tool that he uses, is a well-known tool and if you haven't used it for Windows forensics, you have to.
Speaker 1: It's by Eric Zimmerman and it's called ShellBags Explorer. Okay, and Troy is mentioning 7-Zip is also part of those files that are now part of the shell bags in Windows 11 updates. So, thank you, Troy, that's absolutely correct. 7-Zip, which is pretty common, RARs, tar.gz, it's a whole bunch. Eric Zimmerman, we used to be colleagues. Now he works at, I think, Kroll and he's saving the world from that position that he has, and he has literally, and he has a whole bunch of tools, KAPE. I mean a whole bunch of tools. Again, if you're into Windows forensics or you're a new examiner and haven't heard about them, look for Eric Zimmerman EZ Tools and get them. One of them is ShellBags Explorer and you can see that these new archives, they're not new, but the support is new. They're also viewable, registered within ShellBags. So check the video out and check out Eric Zimmerman tools. Did I miss anything on that, Heather?
Speaker 2: I don't think so. I think that was good.
Speaker 1: Okay, awesome, awesome. Yeah, we're going to try, I think we mentioned it, we're going to try to bring more Windows topics in. I say Windows, but forensics, computer forensics, Linux, Windows, not all these cell phones. And if folks want to hear about some topics on incident response, let us know and we'll be happy to bring those. And from our lens, examiners and law enforcement, I'm more than happy to do that.
Speaker 2: Oh yeah, please suggest away.
Speaker 1: Yep, yeah, absolutely. I know folks are in the week for some topics, but we're not going to share them now. We're going to develop them and then we'll talk about them. All right. So now we're going to go to what, Heather? What are we doing now?
Speaker 2: The meme of the week. We got to do it.
Speaker 1: Yes.
Speaker 2: We can't skip the meme of the week, and this is sad.
Speaker 1:Okay, heather, I think, is many and many of us have heard his name. Today we're doing what's it called a world first. How can I say this like it's never been show before? It's a meme that we're inaugurating for the first time, right?
Speaker 2:Yes, it hasn't been up on LinkedIn or any of the other social media platforms.
Speaker 1:Exactly so new. So this is the first time everybody's gonna see it, and then I'll post later in LinkedIn or whatever. Right? So here we go. So the meme of the week, and for those unknown familiar with this tradition, we end the show always. Those is that we take a meme template and we try to make some fun of ourselves or Just kind of express some relatable experiences as examiners working digital forensics and this one we have here.
Speaker 1:It's kind of a breaking bad meme. And what's the guy's? The guy's name Walter White is thing or Walter, something, right, and. And the other here he's right hand man and they're talking and the guy says the right hand man says I've got a thing. Somebody in the chat will tell me the names. Yeah, we're all premier. Thank you, troy. That's the world was looking for is a world premiere, thank you, so it goes. It says well, I found what they are found where the suspect was based on geolocation data from the phone. And then the other person says already, where he says in Florida, with emphasis, but also in Canada and China at the same time, on the same day. And the other guy says what the heck Are you talking about? Right, and that's a riff from an episode which is kind of follows the same and it's up saying that what the heck are you talking about? And what do you think? Heather, you've seen this before. Do you relate to this Completely?
Speaker 2:Relatable with locations in phones. I know we're going from the computers back to phones, but completely relatable with locations in phones. So I don't know how many times I've seen Locations in phones where the date and time they are in like five locations at the exact same time. That's just completely not possible, right? I see in the. I see in the chat validation, validation, validation. Thank you.
Speaker 2:Or validate validation even better. Thank you, do not check all Locations and send out a report. You will be sorry because your suspect will be in Florida, canada and China at the exact same time.
Speaker 1:No, and there's some artifacts that might look good, but like encrypted cache DB, right, and you're like, oh whoa, this is, it's in the location. And yes, the way those are recorded, they're not recorded at the proper time. They might not record what you think they record. It might not even be the phone that was there at that point. It's something else, right? So, yeah, you gotta be sure that you know what you're doing. Like, it's like I was saying, if you crowdsource a location based on a router location and they move the router, now what? Yeah, right.
Speaker 1:And you can get in trouble. So, and I see some of those reports as well where folks, even if it doesn't hurt the case, quote unquote, hurt, because you can put them all right, and you can say, well, no, that's a location, but that location is not where the phone was, and you have to explain yourself. If you have to explain those, why, right? Let's not put it in there. If you know that the location is not relevant, because it comes from cache encrypted DB, for example, or because it's a location for a picture, EXIF data of a picture that was received but not generated from the phone, so therefore that location was not where the phone was, for example, then why put it on the report? Why highlight it? Why waste time having to explain that away? Just put it there to begin with, yeah, and make my life easier as a peer reviewer. Right, don't have me go out... Don't have me tell you, what the heck are you talking about?
Speaker 2:Right, right, your report. You know, I mean, well, and popping back to our testimony talk, right. You don't want to realize that your suspect was in Florida, Canada and China, all at the exact same date and time, for the first time when you're sitting up on the stand, right? Yeah, you're gonna be a deer in the headlights sitting up there in that chair when the defense attorney says to you, how is this possible? Because you're not gonna have time to do the validate, validate, validation when you're sitting there on the stand.
Speaker 1:So, oh my goodness, I have nothing to add. That's beautiful. Well, thank you, everybody. I think it's, yeah, a really fun episode. Heather, you're the best. Thank you for again being here with me. Thank you for all the folks in the chat. Yeah, if we didn't highlight your comment, rest assured that we read them.
Speaker 2:Yes, absolutely, read them, yeah.
Speaker 1:Yeah, and reach out to us on LinkedIn. And I'm gonna say, like my kid, because my kid's been watching a lot of YouTube, like educational YouTubes, and he goes and makes his own little videos with his little tablet and he says, please like and subscribe. So I'm gonna have him come in and say, hey, please like and subscribe, right? Be proud of the conversation.
Speaker 1:Yeah, reach out to us on LinkedIn, on YouTube and our emails, and again, we'll see you in the next episode. Again, thank you, everybody, for being here.
Speaker 2:Thank you.
Speaker 1:And with that we say goodbye.
Speaker 2:I could.