Digital Forensics Now

Christmas Miracle: Android Memory Forensics. Doing what we didn't know was possible.

December 14, 2023 Heather Charpentier & Alexis "Brigs" Brignoni Season 1 Episode 8


Ever thought about the thin line between privacy and morality? Well, join us as we deep-dive into the ethical complexities surrounding this issue in today's digital age. We bring you exciting updates from a recent workshop in Panama, where enlightening exchanges with digital forensics experts from all over the world were had.

Our exploration takes us through the workings of XRY and XRY Pro, as well as RAM Decoder, a game-changer for analyzing memory dumps from Android devices. We'll show you how to navigate this tool, offering a glimpse into the future with upcoming updates that promise to revolutionize device profiling. Intriguing, isn't it? Get ready as we take on mobile device forensics, focusing on the Samsung Galaxy S21 Ultra and the treasure trove of data within its RAM. Learn from our experiences, including how we recovered from missing a crucial step in the extraction process. Oops, user error strikes again!

As we wrap up, we'll discuss phishing attacks and the crucial role organizations play in preventing them. We believe in the power of research and validation, especially in the digital forensics field. We’ll also share insights from Jessica Hyde of Hexordia, underscoring the importance of peer-reviewed research in our field. Get a good laugh as we humorously compare Apple to Darth Vader, highlighting the challenges they present for forensic examiners. SEGB for the WIN! This is an episode that you will not want to miss!

Notes:

Chat encryption: A moral responsibility or a moral abdication?
https://arstechnica.com/tech-policy/2023/12/meta-defies-fbi-opposition-to-encryption-brings-e2ee-to-facebook-messenger/

What makes epoch timestamps tick?
https://www.cclsolutionsgroup.com/post/what-makes-epoch-timestamps-tick
CheatSheet: https://assets-global.website-files.com/5f02f2c93eab87a6ea84e2f3/656da27da36e0c5cd1715d8a_EpochCheatsheet.pdf

MSAB XRY:
https://www.msab.com/

BrowserState.db last_visited_time?
https://doubleblak.com/beta/browserstate

SEGB Parsers!
https://github.com/cclgroupltd/ccl-segb



Speaker 1:

Good day. Today is Thursday, December 14, 2023. Welcome to the Digital Forensics Now podcast. My name is Alexis "Brigs" Brignoni and I'm accompanied by my co-host: the call for naughty folks, delivering faster than the gingerbread man, the Rudolph of our Digital Forensics sleigh leading the way, the merry Heather Charpentier. The music is hired up by Shane Ivers and it can be found at silvermansound.com. Hello, hello, hello, Heather. What's going on? I know, I know you love this introduction.

Speaker 2:

Hello, thank you for the wonderful introduction. Very good, I think it might be your best one yet.

Speaker 1:

Very seasonal, as people can, the further I watch. You can see.

Speaker 2:

Oh my gosh, it's definitely the best one yet.

Speaker 1:

Well, I appreciate that you think so. Thank you everybody for being here with us. The folks are coming in live. We always appreciate you having you here. Some comments coming in and, as the folks that are watching can see, I have a really Christmasy shirt. I have a Hello Kitty Christmasy shirt, on the topic for the day, and we have a nice little Christmas theme intro and message behind us. It's great.

Speaker 2:

Yes, thank you for the Christmas introduction. You've got a little comment here: "You're too funny." I don't know, Geraldine, I don't know.

Speaker 1:

I was crafting that intro, as you know, and I was laughing to myself about it, so I really enjoyed it. Delivering it was even better. Thank you. I want to say hello to Andrea, a good friend, and to Johan, my man. I'm happy that you're all here.

Speaker 2:

Yes, thank you for joining.

Speaker 1:

All right. So what's going on, Heather? What happened between last time we met and now?

Speaker 2:

Nothing. Been busy doing work and watching podcasts. I see it's your second one of the day.

Speaker 1:

Oh yeah, that's right. That's right. I was lucky enough to be with Amy Moles from Arcpoint4n6 talking about, you know, DFIRmas, the 12 Days of DFIRmas. It was great.

Speaker 2:

I will be joining her next week for one of the DFIRmas podcasts, so looking forward to that.

Speaker 1:

Yeah, me too. I wanted to drag you on mine, but you were like, no, I know you have yours and I'll have mine. I'll let you have your own. Plus, we'll have one together. We're together enough here, right? I'm tired of you, Brigs. Please give me some space.

Speaker 2:

Who knows what kind of introduction I would have gotten.

Speaker 1:

That's right. So well, as you know, I've been busy. I was in Panama last week, so I want to share with folks a little bit of what I was doing over there, and it's always a good time to go out and interact with folks from the community, from around the world. So I was lucky enough to be at an event, if I could open the picture here, an event for a regional Deferns6 event in Panama. So let me show you here. And now can I show you? Great, Alex, you're a genius. Yeah, well, I guess I'll show you later, but yeah, so we're there, folks from Costa Rica, Dominican Republic, from Panama. There we go. I found it at last. So that's the banner of the event. Well, before, let me finish my sentence, so Panama, Costa Rica, Dominican Republic and Peru, and obviously the United States, and we're doing a regional workshop on Deutoth Deferns6, medium to advanced level forensics. That was a ton of fun and I was teaching there, so it was pretty good, very nice.

Speaker 2:

Yeah, there's what else did you get to do while you're there Anything exciting.

Speaker 1:

I ate a lot.

Speaker 2:

I ate a lot.

Speaker 1:

I wish you that.

Speaker 2:

I think I'm pretty sure I may have seen some pictures of that.

Speaker 1:

Oh my goodness, oh, here we go I don't know, Maybe I think you did right.

Speaker 1:

Yes, I think it's... The folks are, the folks are, and I can't see. I'll tell you what it is. It's a dessert that they have there in Panama. I'm a traditional people for Robert's dessert. I know I'm gonna bungle the name. I want to say it's Panache, but I'm not really sure I'm pronouncing it right, but it's delicious. It's just delicious, like all sorts of, like two different types of milk and like a cake on the bottom and some... It's just delicious. It's a mixture of different kinds of cultural things. For those people that don't know, Panama is a place where a lot of different cultures mix. I would say the whole world mixes there, because, you know, the Panama Canal, a great monument to human ingenuity and Panamanian skill, right? So it was a great time being there with the brothers and sisters from Panama, so it's really, really good.

Speaker 2:

Since I don't do the lovely introductions for you, I'll call you out on your, your eating habits while you're away, then.

Speaker 1:

Oh my goodness. Yeah, they could be better, but we're working on it.

Speaker 2:

It looked delicious.

Speaker 1:

It was. It was. I ate it all in one sitting, which is kind of like, oh my goodness, I need to walk it out. Well, no, but that's it was good. So there's a lot of. I mean, this episode is going to be packed with a whole bunch of interesting things, so I'm glad that everybody, everybody's here Geraldine agrees with me that Siri, her electronics K9, detects electronics beautiful dog. That she agrees that eating is exciting. So, yes, yes, it is exciting.

Speaker 2:

I've seen her in action. She does love to eat.

Speaker 1:

If you keep it on your back, you will find it, right? So I was saying there were a lot of good topics for today, so we're going to revisit a topic, a little bit of a contentious topic, but I think it's worthwhile discussing again. It's the whole big thing about chat encryption, right, and let me show you here what the deal is, what the news has been saying lately about this. So why is it back in the news? It's back in the news because recently Meta, which is the parent company for Facebook and some others, came out with encrypting chats. So the chats were not encrypted and now they're going to be encrypted, right, and I'm showing here an image of the Guardian, a newspaper, I think it's in the UK, and it says "Will Meta encryption plans be a devastating blow to child safety online?" Right, and for folks who are not familiar with this discussion, Heather, what's the deal with this whole child safety? How would that be impacted by this lack of encryption, or actually the putting in of encryption?

Speaker 2:

So Meta, or Facebook, as most people know it, has been detecting and removing images and videos of children who've been sexually exploited for more than a decade. Last year, in 2022, there were over 20 million reported incidents of children being sexually exploited and those images and videos being shared on the platform, and with encryption it's likely that the number of reported incidents is going to greatly decrease. I guess my question related to this topic is why make this move, knowing that there are so many images being shared yearly, and why not continue to combat such a horrendous problem?

Speaker 1:

Well, and that's a great point you made. That's why, as we were discussing the topic, we named it "Chat encryption: a moral responsibility or a moral abdication?", right? Just an aspect of what is the right thing to do here. Right, and what I'm going to do here is, both of us, right, we're going to opine on both sides of the argument, and I want people to understand that we're not representative of our workplaces in this discussion. We're not representative even of ourselves in this discussion. We just try to show different counterpoints so people can be aware of them. And what's the right significance for us? Right, since we're tasked with getting some of that data? Right, so I'm going to take the devil's advocate role here. Assuming that the proposition is that, yeah, it's a moral responsibility to protect kids in general and online, right, I'm going to take the position of the devil's advocate: no, it's a moral abdication, which sounds kind of counterintuitive, but bear with me. So, like Heather was saying, this has been done for a long time, so why change it now? Right, and let me show folks here where the market seems to be, right, based on this argument.

Speaker 1:

So users are asking for encryption, for platforms to encrypt their stuff. It's a business requirement nowadays. Why is that? Is it because people are all of a sudden smart about forensics or encryption? No, it's because I have a news article here saying that Ring security cameras gave every employee full access to customer videos for years. So that seems problematic, to say the least. Not only that, so I have another one here. I have another news article here from the FTC where Twitter has to pay a $150 million penalty for breaking some promises. Their promises were that Twitter told users that they could control access to their tweets and their private messages, that they could only be viewed by their recipients, which was not true.

Speaker 1:

Folks, users are requiring that because they don't trust platforms to keep their information private. Which leads to the point of what do we value? We value child protection, for sure, and the question is, do we also value privacy? It's become this issue and it's not a new issue. This part I haven't discussed with you, Heather, but I don't know. It's a really hard one. For example, the classical ticking time bomb: if you have a terrorist and there's a bomb going to go off and we need that information, do we go and torture the terrorist to get that information? Are we justified in torturing the person to get to the greater good of saving people's lives? That's a tough one. Technology puts us in that position, constantly having to choose between two values. I don't know. What do you think? What would the argument be?

Speaker 2:

I've always been, for this entire conversation, I've always been on the side of the children first. I understand the privacy concerns, but there needs to be something in place to monitor and find these images that are being shared, or these people that are searching out children or grooming children online or sending messages in groups that are looking for children. I stand by that. I think that finding these people is important. I don't know. If it saves one child, if one child is saved from being abused by someone, I find it to be more important. That may not be the popular opinion. I know a lot of people value their privacy. I value my privacy as well, I really do, but I just feel like if one child is saved by a little bit of, I don't want to say invasion of privacy, but a little bit of, maybe, oversight on these platforms, then I feel better about it.

Speaker 1:

Yeah, I guess the question is what do we value? Not that we don't value kids or that we don't value privacy. But we can extend the argument from the other side as well. We can extend that to other crime problems. Why don't we have some monitoring at home? You'll be like, well, it's my property, and that's Facebook's property, so they have responsibility. Well, what if you live in an apartment? It's not your apartment, you're just renting it. Well, maybe we should have some surveillance to make sure that you're not abusing kids. And true, it becomes a slippery slope. A slippery slope could be an argument or a fallacy, I guess, depending on which side of the argument you're on. And it's tough. How does the end justify the means? And I think that's the underlying point: what do we value?

Speaker 1:

And I remember, and some of the folks that are old timers like me remember, the time where you could go and, let's say, you did an arrest, and incident to the arrest you had to seize some items and you had to inventory them. That's a common procedure. Well, part of the inventory was getting into the phone, no search warrant, no court order, and just inventorying those contents, which means I'm getting into your phone and no court order was required. That was a common practice. And the Supreme Court said no, there is a privacy interest in the individual that needs to be weighed against the government need. Same thing with GPS trackers. I remember the days where you could slap a GPS tracker on a car and just keep it there. And again, no court order. Again the law, the law. I say law, but courts decided that that was not the way to go in regards to privacy, right? So the question is, well, why would companies, since they're not being mandated by Congress to either take the encryption off or make it illegal, why would they carry that liability? They'd rather just give what the customers want, value privacy over another particular value, and go from there.

Speaker 1:

And it's tough because some folks are saying, well, if it saves a kid, I don't care about anything else, right. And some folks might say, well, that type of reasoning, where would it lead? Right? What type of monitoring, bulk monitoring, are we allowed to, will we allow government to have? And we say government, it's Facebook doing it, but come on, we know who consumes that output. It's law enforcement, right. And again, I'm saying this as a devil's advocate, and again, I don't go about giving policy prescriptions to anybody, right, but that's the research that I've done on what the argument on that side is, and some find it persuasive, some don't.

Speaker 1:

I think from the forensic perspective, not the policy perspective, because the policy perspective, I believe, should fall to Congress. I say Congress because Congress is the reflection of the will of our society through our elected officials, so Congress needs to get involved, in my opinion. That's my personal opinion, but beyond that, from a forensic perspective, will that make it hard, in a sense? Well, I mean, yeah, some leads might go away, but I believe that as investigators we need to go back to those roots, right, go back to the roots of finding these perpetrators, infiltrating those groups, taking over accounts, getting sources, making sure we understand how this platform works, what we can get from that data to follow up on it.

Speaker 1:

Whatever is not encrypted might help us, lead us to other information. Like, really do the hard work. I mean, not that we're not doing it, but really focusing on not forgetting about those fundamentals, because just pressing a button or waiting for Facebook to send me a lead so I can just go and nab the person, that's... Technologically speaking, even if they don't do it, even if Facebook doesn't implement that encryption themselves, at some point criminals will get smart enough to do it themselves.

Speaker 2:

So I definitely think the hard work needs to be put in, encryption or not, right? I mean, sitting and waiting for the forensics to be done? You should be doing all of that back work as the forensics is being done anyway. But yeah, I mean, you're right about that part. There's additional work that can be done if the encryption does go through and is put in place.

Speaker 1:

Yeah, yeah, and look, the really bad perpetrators, not only in this type of crime but any type of crime that uses communications, they will have some sort of encryption, even third party or from some other sources; they don't have to. If they're a smart criminal, am I going to do my crimes in Meta or some platform like that? Well, of course not. They will use some other methods, but even if they do, they will have encryption. So we have to be really smart about how we do it. And as examiners, how can we recover it? How can we go about different techniques to be able to do our constitutionally mandated work? And, again, at the end, a little bit later in the conversation in the show, we have some of that that I think people will be really interested in. So don't leave, it's gonna get better and better. Yeah. So anything else to add, Heather? You think we're good on that?

Speaker 2:

Yeah, I think we're good on that.

Speaker 1:

All right, so don't be spying on me now, okay.

Speaker 2:

All right, so.

Speaker 1:

Yeah, so Alex Caithness, again a good friend of ours and of the podcast, the show. He made an awesome video about how timestamps, let me repeat that again, timestamps work. There we go, how they tick. You know, it's a clock, get it. So it's pretty neat. I love his voice, obviously from being from the UK, so he has the perfect podcast, blog,

Speaker 2:

whatever voice Perfect.

Speaker 1:

Whatever he said sounds way better than me.

Speaker 2:

It sounds way better than everybody.

Speaker 1:

I think it's worthwhile to go watch it. And you'll be surprised, in the sense that as examiners we have this habit of just pressing the button and getting the answer, and we criticize that to no end. But at some level we really need to understand how these things look natively, right. I was talking to a group not too long ago and I said, well, you see this series of characters, and what is this? And these are forensic folks and they're blank stares. And I said, well, okay, so tell me what encoding uses the letters A to Z, the numbers 0 to 9, the plus, the minus, the kind of slash symbol like that, and the equal sign in their encoding, the equal sign being like the tell-off or the clue, big clue about it. And nobody knew how to tell me base64, like nobody had an idea. And we should have an idea, right, because we're gonna see it, I come across it, and we need to visually identify it so we know what to do next.

Speaker 1:

I did the same thing to the same group, looking at a Unix epoch timestamp, which is what the video that Alex just made is about, and everybody had blank stares and I said, no, look, that is a timestamp, you're looking for a timestamp.

Speaker 1:

That is how it looks. It's 1.6, which, now, started with 1.6, now they're gonna be starting with, or started with, 1.7, we made that switch, and explain, explain to folks, and not only to them, but you need to know this to explain it to the jury and say, look, why is this timestamp like that? Well, because we decided that in 1970, in December, whatever, 31st or whatever, at this time, we're gonna count how many seconds happened from here to there. In the same way we count how many years happened from year zero to 2023. So we decided to make this calculation in time and that's how we get a date, right, and we need to know those things. So, even if you say I know what it is, watch those videos, understand the basic concepts behind it so you could be better understood and also be better at identifying things in your forensic work.

Speaker 2:

So, yeah, in his blog he also, he talks about Rabbit Hole to decode the timestamps, which is his tool at CCL Solutions, but he also talks about DCode and other options that are free utilities, and he also provides Python scripts to decode timestamps. So if you don't do Python or you have no idea, he provides them right there in the video, and there is also a cheat sheet. I'm gonna put the link to the cheat sheet and I'll actually put it up on the screen too, so you guys can take a look at the cheat sheet, because it's awesome.

Speaker 1:

Yeah, and we're gonna have, as always, we're gonna put all those links in the notes for the folks that are listening and not watching, so don't worry about it. You have the links there in the show description so you can get it.

Speaker 2:

Yeah, so he's got a whole cheat sheet that goes with the epoch timestamps that you can go download right from the website, and I'll just do a quick scroll. But everybody can go download it, and those Python scripts that I was talking about are right in the cheat sheet, so super helpful for anybody who wants to use it to decode timestamps.

Speaker 1:

Oh, this is. I love cheat sheets, so high-drag them.

Speaker 2:

Yeah, it's awesome.

Speaker 1:

Go check it out, and I will have some more to say about some other stuff that Alex and CCL have been bringing out, as always. Just to make sure people understand, we make reference to tooling, to people, to companies. We're not, what do I say always, we're not shills, but we're also not haters. We get zero payment for anything we mention here, so we just mention it as part of what we believe might benefit you. So just making that clear.

Speaker 2:

Yeah, and he's gonna be doing some additional blog posts too, with additional cheat sheets in the future, I've heard. So keep an eye out for that, because the cheat sheets are great to have right at your desk.

Speaker 1:

Oh my goodness, no kidding, it's awesome. And this type of tooling, cheat sheets, a lot of good stuff coming out the last couple of months, so we have one that's coming up. What do we have, Heather? Oh no, we don't have that yet. Oh yeah, what do we have? Not yet? So, there we go, there we have it.

Speaker 2:

Yeah, so recently, the last couple of weeks, I have been playing around with, and so has Alex, we've been playing around with memory dumps from phones with XRY and using the RAM Decoder. I don't know if anybody has ever heard of the RAM Decoder, and we have, yes, the Memory for Christmas banner back there. But RAM Decoder is a tool that XRY has that I had no idea about until Adam from XRY told me about it. Tried it out. Of course, I tried it out on my own, without being told how to use it, and I did the whole user error thing. But I spoke with Adam, learned how to use it, and it's awesome. So I'm gonna show you guys and talk about a little bit of the RAM.

Speaker 1:

Let me get my... I was blown away as we were doing this testing. I wasn't aware that you could even get memory like that. I mean, conceptually, yeah, but I didn't know of a process to get it, right. I believe that most folks don't know this, so this is really important for you all to be aware that for these devices, and it's Android devices, you can get some memory from them. There's a lot of good stuff there that you will not even believe.

Speaker 2:

So this is going to be a little small to see on the screen at first while I type in the commands, because I'm going to run a couple of them. But XRY, MSAB, provided a RAM dump from a device to run their RAM Decoder program on, and I'm going to just run one of the processes live. Hopefully it goes well. Sometimes live demos are not a good idea, but I'm going to try it.

Speaker 1:

Before you hit enter. So to get the dump you obviously use XRY, and there's a process using XRY to get that memory, correct?

Speaker 2:

Yes, so I'm going to talk about that in one second here. Let me just zoom in on this so you can see it. So this is running a process to, let me go back up so you can see. I just put in a command to run a process to show the tasks in the memory dump that MSAB provided. So the tasks that are in the memory are provided here on the screen. But let me back up for a minute.

Speaker 2:

So XRY will do consent RAM dumps on Samsung devices, and XRY Pro supports a variety more, in a variety of different states, including locked states. So if you're an XRY user already, you can do RAM dumps on Samsung devices that are unlocked. You already have that capability. If you are an XRY Pro user, you have a lot more capabilities. If you're not an XRY Pro user, you may want to look into it.

Speaker 2:

I'm going, I want to look into it and possibly get a demo of it, but I don't have XRY Pro. But I want to look into it and see what the capabilities are. What RAM Decoder is, is a command line tool where one or more binary files can be analyzed. So I have a binary file from a Samsung device here, and the command that I just put in shows the tasks that are running in the memory. So I'm going to just zoom out real quick and we're going to focus on one particular task, which is the ID 8991, which is Samsung Honeyboard. So Samsung Honeyboard is the keyboard for the Samsung device. And come back down here.

Speaker 1:

Yeah, and this reminds me a lot of forensics on computers, right, where you can look at the processes that are using that memory space. You can look at different connections and data. So this tool really gives me this kind of Volatility vibe, but in Android, I guess, which is pretty neat. Can only probably they can add.

Speaker 2:

Now I'm just going to run the show task for that specific ID.

Speaker 1:

So you took, so you identified the ID and you took what, the process ID, right, to put it there? Took the process ID and now I'm just showing the tasks for that process ID. So again, it's like this kind of Volatility vibe, in a sense. That's what would be my, my take.

Speaker 2:

So we have the tasks for that particular process ID and you can see all the different pages that have the tasks for that process ID. Actually, I think I'll leave it zoomed in because you guys can see it right there.

Speaker 1:

Yeah, looks pretty good.

Speaker 2:

I'm just going to pop over to the other page here, that live demo. I have to come out or I can't get off that screen, sorry.

Speaker 1:

Not now, we know.

Speaker 2:

And let me pop back. So now I'm just going to grab the very first page. I'm not going to scroll back up and show you what. I'm going to grab the very first page and just, let me, put it out to a text file so we can take a look at the strings that are related to the keyboard application itself.

Speaker 1:

Yeah, so there's a command there, show strings, right, and then the process ID and the page number. Process ID 8991, and then the page number, and I'm just putting it out to honeyboard, you're piping it out to a text file. Perfect, yes, and this is kind of, you know, command line, kind of basic command line navigation, and that's something that we all should work on, of course.

Speaker 2:

And then I already have one ready. So before I show you what's in here with the memory, the Samsung RAM, I was surprised to know the amount of data that's in a memory dump, right. So I'm thinking you power the phone down and that's gone, right, like a traditional computer. It's not gone, it's there. After I show you the keyboard data here, I'm going to show you a memory dump, actually from one of my old phones, and there is data in there from years ago, and I'm just shocked at the amount of data that's actually in RAM for mobile devices. When you shut the device down, that memory, that RAM, it's not gone.

Speaker 1:

Look, if you're a forensic examiner, a digital forensic examiner, listening to this and you're not surprised or mind blown, please rewind a few seconds, six seconds back, and listen to Heather again, what she just said. Okay, this, to me, this is just too much of a thing to handle. Right, so you can't be found wrong. But you're saying messages, text messages from years ago are sitting in memory, and I would like to hear, like an engineer explain to me, because I'm not an engineer, I'm a software guy, but how does memory work in these Android devices that, even if you turn it off, quote unquote off, it retains, like there's some sort of, like, you know, some energy still going through it? Or what happens if I lose battery power fully? Like, I'm really interested in how this memory that is volatile doesn't seem to behave with volatility in these devices. That stuff, that's to me immensely interesting.

Speaker 2:

Yes, so the device of mine, it's a Samsung Galaxy S21 Ultra, and I had recently gotten the Pixel, so that device has been, I mean, that device has been powered off for a while, a few weeks now, since I got the Pixel. And I powered it on, got the RAM capture, 12 gigabytes worth of RAM, and there is stuff in there I couldn't believe, which I'm going to show you some of in just a minute.

Speaker 1:

That's, that's, that's wild.

Speaker 2:

Yeah, so with this data that came from MSAB, though, with the Samsung keyboard you can see here we have some date and timestamps in the keyboard data, and then if you scroll over, there's input text and you can actually see some of the keystrokes from the keyboard. You can see where the user was putting in text, where they were starting to type RAM dumps at Proton Mail, and then you have the dot com, and then there's some other text here and it goes on. There's a whole bunch of this in this show strings text document.

Speaker 1:

Yeah, and let me paint the picture for some folks who are not able to see. It is literally as you type. You're typing like one character at a time, right? So you can see the characters being built, every line of that's recorded. This timestamp, at this second, you see the N being added, and the N being added, and the A being added, one by one, line by line, which is, again, it's pretty wild.

Speaker 2:

So just think of the types of things you could use this for right if you're seeing keystrokes.

Speaker 1:

By user, I mean potential passwords, potential anything. Oh yeah, I mean, if you're looking at an email address or username type of data, well, what's gonna come next after that? Most likely a password of some sort, or some code, right? Yes, looks awesome. And this is one process, right, the keyboard process. Who knows what data resides in other processes?

Speaker 2:

So that's just one process. I ran a whole bunch there. I ran a whole bunch on the process IDs from the data that MSAB gave me: calendar, camera, the clipboard. There's contacts, geofence, Gmail, the keychain. There's the UI. There's Wi-Fi; the Wi-Fi actually had some of the BSSIDs in it. The setup wizard had the different applications as the device was being set up, like the pre-installed applications were all there. Trying to think what else here. The keychain def had some of the information related that you would normally find in the keychain. But then they told me, if you have an old Samsung device, capture the RAM of your device and check it out, because you're not going to believe it. So my device unfortunately isn't supported by the RAM decoder yet, but it's going to be, and the RAM decoder is going to be awesome. They're going to continue to build profiles for devices, but mine's not supported yet.

Speaker 1:

And if you also don't know what profiles are, I'm going to make an analogy, like with Volatility. Right, you have a RAM dump from your Windows computer and you run Volatility, and Volatility, at least version 2, will tell you what's the profile. Is that a Windows 10 version? Whatever, is it 11? You have to provide that, and obviously a profile has to exist to be able to understand that RAM data capture properly, right, I think. Volatility 3 now does it automatically, like applies the profile by itself, if I'm not mistaken. But this is kind of the same process, right, you need to build profiles to identify those particular RAM dumps for those particular devices.

Speaker 2:

Right, actually, before I share this, I'm actually gonna show you the process of the RAM extraction in XRY. So just get started the normal way that you would go do an extraction with XRY: start your new case manually, find the device or app, and then, up on the top part, you will type in upload. So Samsung upload mode RAM extraction is what you'll be looking for in your XRY. Now I made this additional information section bigger on this slide because it took me an extraordinarily long time to get this part right due to user error, which I do a lot. So you need to enable upload mode on the Samsung device, and you can enable it by entering star pound 9 9 0 0 pound (*#9900#) in the call section.

Speaker 2:

The problem is I didn't see the star. I have made an eye appointment, I am going to get my eyes checked. So I hit the pound 9 9 0 0 pound without the star, and I thought, okay, so it must have done its upload mode and I just don't see it, and I'm trying to continue doing the extraction and nothing is happening. So I reached out to Adam at MSAB and, thank God, he steered me in the right direction. I missed the star.

Speaker 1:

In your defense, the star is really tiny, okay, so I'll give you a pass.

Speaker 2:

It's very tiny. It is very tiny, so it's not a blank screen. It doesn't just go into upload mode on its own. It actually pops up options and I'll show you the options here. So when you do that, this is part of it. Once you hit the last pound sign on the phone, this menu comes up on the device.

Speaker 1:

Yeah, and the menu says what system right.

Speaker 2:

Yeah, so the system menu comes up, and there's two options that you have to change in that system menu. You have to choose the debug level, you have to set it to mid, and then you have to enable upload mode. Once you enable upload mode, the device will shut down and then power back on.

Speaker 1:

And the folks that are listening. If you're interested in this process, we're showing here on screen every step with images, pictures, so you know you can go back and watch the video after it's uploaded, so you can then actually visually see what's going on.

Speaker 2:

Yeah, then you choose the physical option in XRY, fill out your case data, put whatever your case number is, and then the process is to hold the volume down and the power button for eight seconds. As soon as you hit eight seconds, let go. Once you let go, the device will come up with this screen here, which is the upload mode screen, I guess. But that's the screen that you will see, and your RAM extraction will start. Your RAM dump will start. It took less than six minutes, I think it was like five minutes and 20 seconds or something, to extract the 12 gigabytes of RAM.

Speaker 1:

That's not bad at all. That's not bad at all.

Speaker 2:

No, and then it'll tell you extraction finished, and you can open the case up in XRY's XAMN. I did a lot of the work in XAMN, but you can also save the binary file out of XAMN and do searches in any tool you want. So let's get out of here. I have some of the things that I found. So I found it really easy to go look for things in my data because I know what I've looked for. Not so sure it would have been as easy just to go hunting in somebody else's phone.

Speaker 1:

But you know, you made a good point. You can find your stuff. You can definitely look at some keywords around it. If you're doing it by hand like this and then kind of extrapolate to somebody else's, yeah.

Speaker 2:

So one of the artifacts that I picked out to show tonight is, I found in my data my Galaxy earbuds, so they're named Heather's Buds 2 Pro, but they also have, if you look down here toward the bottom, the latitude and the longitude for the earbuds, and there's a timestamp here. It's 11/16/2023. And there's also a horizontal uncertainty. I'd imagine it's probably in meters. That's usually what the horizontal accuracy is in, meters, but obviously I've never tested it in the RAM, so don't take my word for it. But the latitude and longitude comes up to this point on the map here, which is my house, is right here. So I am certain that that is correct, because that is my house. So it is very accurate latitude and longitude, and that was for my earbuds.

Speaker 1:

Which is amazing because those earbuds get those through the phone obviously, so you can make those really good conclusions of where you were at. At least your phone and your earbuds were at a particular point in time.

Speaker 2:

Yeah, and I was definitely home that day. Let's see what else I have in here. Oh, this is a good one too. So this one I found: on November 26, 2023 at 12:06, I was at my sister's house, and I was actually just getting ready to leave my sister's house and head home, and in the RAM dump there's a last updated time with a timestamp, which is that 11/26. And it is a connection to my sister, Holly. So Holly MLS is her Wi-Fi. So the last updated time of my connection to her Wi-Fi is the very last time that I have been at her house.

Speaker 1:

Shout out to Holly for helping us without knowing.

Speaker 2:

Yeah, thanks, Holly, for the endeavors. Thank you, yeah, so it actually has the last updated time, and it is the last time I was at her house.

Speaker 1:

That's wild. Yeah.

Speaker 2:

There was data in the RAM dump related to the build.prop. Oops, sorry, I skipped it there. The build.prop file, if you don't know what that is, let's see if I can keep it on the screen. It contains data about the device, so there's the model number, or the model name, I'm sorry, and the system build date. I can't keep it on the screen. There we go, system build date and the build fingerprint. Also there's the operating system. So I don't have a screenshot of that, but just below the build fingerprint is the fact that this device had Android 13 running, which can be super important if you're looking to do anything with a device and you need to know the operating system.

Speaker 1:

Absolutely.

Speaker 2:

And then this one. I might get people yelling at me for this one.

Speaker 2:

But more people yelling at you. I already yelled at you, so Alexis has yelled at me a little bit about it. So everybody be nice in the comments. But I wanted to see if the password to my phone was anywhere in the RAM dump. So I did a search for the password of the phone, and I didn't find it in the way I wanted to find it. I found it in a way that makes me sound very insecure in my password habits. So my HBO Max password was set to the same password as my mobile device, and I texted my sister, I believe, the HBO Max password, and that text message was in the RAM capture. So if you had seized my phone and gone through and looked for passwords and found my HBO Max password, you would have been able to get into my device from the RAM capture because of my password stupidity.

Speaker 1:

Which, let's be real here, that's a common occurrence, I mean.

Speaker 2:

My new phone doesn't have the same password. I did black it out because the HBO Max password is still the same. But yeah, so I mean you could have gotten into my device and people are creatures of habit, so you would have had, I'm sure, a lot of people's password you could get that way. They're sharing video streaming passwords and it's the same password to get into their device. I'm sure I'm not the only one that did it.

Speaker 1:

Oh, no, no. No, it's a common thing that password is insecure. But it's insecure because we behave that way, and attackers, actors, know that right. So, and we know it too. So, hey, we're gonna use it for good. So.

Speaker 2:

Right. So I was really surprised to see there are messages in there from years ago. It wasn't just like a couple of messages from recently. There were messages from 2020, 2021. I was just shocked to see the messages. I was looking for third party messages, and I found traces of third party apps being utilized, but I didn't find my messages in the third party apps. I would love to look at other devices besides just this one and see if that's a capability. I'm unsure; there weren't any in mine, but just speaking with other people who have done RAM dumps, I've heard there's possible cloud tokens, chat messages with delete-on-read settings, and then occasionally, when you can't get a full file system, if you can get the RAM, if all of that stuff is in the RAM of my device, how valuable is that gonna be if you can't get the full file system?

Speaker 1:

No, yeah.

Speaker 2:

So valuable.

Speaker 1:

I'm gonna well, I'm gonna say it right now Heather, do you wanna go home and change your HBO password? You're gonna change it. You know why. You know why Geraldine just noticed that you did not black out the hex.

Speaker 2:

What? Oh, oh. See, see, you should fire me.

Speaker 1:

I should fire myself too. I didn't think about it. Thank you, Geraldine, for having an eagle eye and being such a smart, awesome person that you are.

Speaker 2:

Oh, she's right, I didn't even pay attention. You know what. Anybody wants to watch a movie, go for it.

Speaker 1:

You got maybe one time, is it? You got another 15 minutes if Heather changes the password.

Speaker 2:

That's awesome. Geraldine, you're the best.

Speaker 1:

Let's move along now. Oh, that's good, that's hilarious. I love it.

Speaker 2:

That is good Yep.

Speaker 1:

Oh, I'm gonna cry. Okay, oh, that's awesome. Well, again, it's just the HBO password. You don't use it for anything else. So all your accounts, first of all, accounts are secure, so you're good.

Speaker 2:

Yeah, oh, definitely.

Speaker 1:

Yeah, and no, I want to underline that point, especially even text messages. We look at Android devices, well, where can I find some remnants like FCM or some other formats for messages? And now we've got 16 gigabytes with a window of possible evidence that's retained. It can be recovered for years. I mean, that's what I put in my sign behind me. I want memory for Christmas, right, and I appreciate that MSAB is kind of leading the way on that. I would hope other vendors and open source developers will start looking into memory forensics in Android and really developing that area of the field, because I think it's an open, wide field for great development.

Speaker 2:

So one thing about the RAM decoder, though, I don't think I said it, and if I didn't, I'm gonna say it now: it's law enforcement only. So if you're looking to get RAM decoder, you can reach out to them, but it is currently law enforcement only. So if you are law enforcement, reach out, get it, test it out, try it. I think it's awesome. I can't wait to get more RAM captures, RAM dumps, and keep looking to see what's in there. It's amazing to me. I had no idea that there was so much data in Android RAM. No idea.

Speaker 1:

Yeah, I'm gonna keep preaching this development, because I think it could change a lot of cases, going from "well, I got nothing in this case" to "well, you know what, this case is solved." It's because there was some good stuff in that RAM, right?

Speaker 2:

So good stuff.

Speaker 1:

Just skipping an eagle eye to adopt it. Eagle eye, yes, all right. Talking about eagle eye, right, there's this kind of meme or announcement going up in LinkedIn. I think we have it. I put it up for you. What's going on with this Making the rounds in LinkedIn? What are we looking at here?

Speaker 2:

So, Cyrillic alphabet. So both addresses look similar, but they are not the same. Can you tell the difference? That's kind of what the LinkedIn meme or image was asking. I don't know if anybody's seen this. Can you tell the difference?

Speaker 1:

Well, and for the folks that are listening, it says mybank2u.com is not the same as mybank2u.com, and then you have to really look into it. To be honest, it took me a while to figure out what the difference was.

Speaker 2:

Me too. I don't know that I would ever notice the difference unless it was on an image like this asking you to look for the difference.

Speaker 1:

Yeah, and the difference is that the one on the top is like a normal A with a little belly on the front, and the other one is, what, it's like an A that doesn't have a belly. So I mean, look, the folks that posted, I appreciate being security conscious, like hey, maybe you need to be aware of this, but I mean, I don't know about that. Like you said, Heather, I would, in a million years, never, ever think of seeing this, right.

Speaker 2:

No way.

Speaker 1:

Yeah, and the point I think we want to bring this over is look, this is fine. It's interesting that that A is like a Cyrillic A versus or A looking character. I don't know Cyrillic so I'm not going to call it an A, but it looks like an A.

Speaker 1:

And look, a normal user will not catch that, right. I mean, this is not really helpful from my perspective, because really we're going to put that onus on the user. There have to be technical solutions, right, and this is more of an infosec, information security type of topic. But if you're listening to this and you're part of an information security group for your company or your business or your organization, well, think about what are the technical solutions to prevent phishing that go beyond putting the onus on the user, because the user wants to just go to the bank, right. The user is not there to figure out if that A is Cyrillic or not, right? So, you know, telling them the email says, well, be careful, for every mail requiring you to click on a link. Well, sure, be careful. But I mean, am I going to look for Cyrillic characters in every link in an email?

Speaker 2:

I will never work you know, no, nobody's going to think of that. No, of course Most users aren't going to think of that.

Speaker 1:

We do this for a living and we don't think of that. So I guess a lot of the point is, you know your user base, or the folks that you provide services to. How can we provide some technical solutions to take the onus off of them? Because the technical solution is predictable, it acts, hopefully, as we expect it to behave, and we can update it as needed. And, you know, the user shouldn't be responsible for that. We should be responsible for that. Absolutely.

Speaker 2:

So we also, oops. I don't know if anybody has seen the BrowserState blog from Ian Whiffin, but if you have not, you have to go check it out, because it is the exact blog that you need to validate the kind of conversation that we always have about validate your data, or make sure you're testing the data to know what the data means. So, the BrowserState database, the last visited time, and I actually think it is the last verified time. Let me just double check that. Hold on one second.

Speaker 1:

No, it's a great article, and, like Heather was saying, Ian is one of the lead folks for analysis and, you know, tooling for Cellebrite, and he did a lot of testing on how the... Last viewed time. Sorry, last viewed time.

Speaker 2:

So the last viewed time in the BrowserState, it doesn't necessarily mean that it was the last viewed time of the URL that is in that database, that's in that table. And it's actually been tested by Ian, and it's most likely, most times, not the last viewed time.

Speaker 1:

And that's crazy, right? You're like well, it's a browser database, it's a.

Speaker 2:

URL.

Speaker 1:

That's the last viewed timestamp. Therefore, it's the last time this page was opened by the user and viewed. And all those things are wrong. Like, you're wrong, like, wrong, absolutely wrong, in all senses wrong. Like you couldn't be any wronger if you wanted to.

Speaker 2:

I would see that and I would immediately think last visited time, last viewed time. Why wouldn't you think that?

Speaker 1:

Yep.

Speaker 2:

And I wonder too if any of the tools are parsing it as such.

Speaker 1:

Well, I mean, look, you make a great point, right, as a tool developer. If I just put "this is the name of that field," that record and that field there, because that's what's there, I'm going to mislead my users, right? So at some point you have to balance the whole "well, this is the name of it, but what does it mean?" And that's a tough one, right, making those decisions, because we want to be accurate. That's what the actual database is called, the table, the field, right, but that's not actually what it means.

Speaker 2:

Yeah, and someone recently asked me, so how do I validate this stuff? How do I know for sure? Right, and I said, get a test phone and go test it yourself. And the response was, well, I can't. What if I can't afford that? What if my agency can't afford to pay for that? And right here, the work that Ian does, that's how you do it. Go find the person that is doing it and use their work. I mean, he's done the work for you on this particular issue.

Speaker 1:

Obviously it's not going to be your first option, right, because you should test things yourself. But we also have limitations, right, we don't have an infinite budget. So, you know, it also pays to kind of depend on the research in the field, and if the research is validated, either by, you know, somebody that's a known expert or organization, that is also even better. I'll make a segue. I know we're running out of time, but I'll make a segue.

Speaker 1:

Jessica Hyde from Hexordia. She's making good points in different interviews that she's been on lately on how all this stuff that we're talking about has got to be acceptable at court. Right, just saying "the tool gave me this output, well, that's what it says there," it's not enough. Where's the research that supports this as the proper conclusion? If it's yours, it's good, it's better, because you can testify to what you did, right. But if you can't do that, then it's a person that's an expert in the field, it's peer-reviewed research, right, and introduce that.

Speaker 1:

If you're saying to me, I don't have time or we don't want to invest in it, then you've got to be ready to have some of that evidence not be accepted and thrown out, right? Is that something that, are we, I guess risk is a good word, is that a risk we're willing to take, right, and kind of eat up that risk, you know? So it's a great article. I recommend everybody to see it. I'll make a quick, this is a great comment. I'm going to bring it in. So, Mark Spencer. He's saying Corellium can be very helpful with iOS testing.

Speaker 2:

Oh yeah.

Speaker 1:

And that's a great point. Virtualization is way more accessible than maybe buying the hardware, depending on what you're trying to do, right, and how much of it you need to do. So think about that. Corellium is known for iOS virtualization. Android virtualization is a little bit more accessible, I believe, in regards to pricing and all that. You can do some Android virtualization for the price of nothing. So also look into that. What a great comment there. So we appreciate it. Yeah.

Speaker 1:

So talking about tooling, yep, so I want to make mention to people of James Habben and Johann Polewczyk, who have been really contributing to the projects that I spearhead, which are the LEAPPs. Right, again, I'm so grateful for people wanting to be part of the project and adding some stuff, and I want to show some of the things that Johann has been adding, and how he's extending the project in different ways. So the first thing I'm going to show you is something that's pretty neat, let me see, is the load case. So when you have one of the LEAPP programs, and you can see there on the screen, you have an option to load case data, and now that option is not just having a JSON file that you have to make. Now the LEAPP itself has a window where you can add that case data. You can add your case number, your agency name, the name of the examiner, and you can save that case data file for later use, and it will show in your report. So that's something pretty neat. And he added the option of referencing that load case data option within the command line. So that means that if you have, you know, five extractions you need to parse with the LEAPPs, you can automate that with command line instructions and say, hey, here's the profile, the load case data for it. Another thing he added, and this is even more important if you do development for the tools, for the LEAPPs: for the longest time I only implemented the option of selecting artifacts for processing in the GUI.

Speaker 1:

Let's say I have supported 200 artifacts, I only need two. Well, through the graphical user interface you can go and select those two and deselect all the others, and you have a report only of those two artifacts. But you couldn't do that on the command line. If you run the command line you have to get all the artifacts, no way of saying only one, two or three.

Speaker 1:

So Johann came in and changed the code, refactored it, and he added the option of feeding that profile JSON file through the command line, which is great, because now when I'm doing my testing and I'm developing artifacts for the tool, I don't have to be clicking in the user interface, "I want to run this one and not the other ones," or loading it manually. I can just have a command line with all my instructions and my profiles and hit enter and, boom, done. It will create my report for the particular artifacts I specified. So I highly recommend folks to check those enhancements. Another thing that he's been doing, and I'm incredibly grateful for, he teaches at a really renowned university in Lausanne, if I'm saying it correctly, in Switzerland, and I'm like, I wish I could go teach with him.

Speaker 2:

I'm all for going here.

Speaker 1:

Take me with you, please.

Speaker 2:

The students are doing great things there.

Speaker 1:

Exactly, they need me there. So his students recently made some parsers as part of the schoolwork, and look at all the artifacts that they're supporting. I will be merging them into the project soon: Bigo Live, Booking for Android, CFF, Garmin, Locket, Revolut, Ricardo, Strava, Tinder. And this is interesting, because some of those apps I've never seen before. My assumption is that they're really famous or useful in that region. So this is great, because now you have the platform. You have this ability to really open the parsing to the world, right, if people know the code, right. And look, Johann is on the chat, so I'm going to have you here, man. It says you're welcome to visit us. Heather, we might need to.

Speaker 2:

I just wrote we're on our way. It wrote for both of us.

Speaker 1:

That's awesome. We love it. So yeah, all these parsers are coming in, and that speaks to the point of, as examiners are developing in university, I'm really happy to see them adding those coding skills and then bringing it into their forensic work.

Speaker 1:

I think it's going to make everybody better. So again, thank you, Johann, for the work you're doing for the community and for your students, kind of teaching them, look, there's this conceptual stuff that I'm teaching you, but it's also practical, and you can make the world better by the things that you know and by the things that you share. So, you know, again, thank you, from the community, for all the work that you do, man. Appreciate it. And talking about work that's being done, I'm going to go and talk about one more thing. It's not implemented in the LEAPPs yet, but it will be. I'm going to go back to, again, our best friend of the podcast, Alex Caithness, and we were having some discussions about SEGB.

Speaker 1:

Right, we met him some time ago, and Cellebrite came out with an article explaining that SEGB, there were some changes in it. And for those who don't know what SEGB is, let me give a quick primer. For a long time, iOS devices and macOS devices used a database called KnowledgeC, a SQLite database, to keep track of a plethora of forensic evidence, from the app intents. We can recover messages from it and all sorts of communications and activities on the phone. It kept the locations, kept a whole bunch of stuff. So in the move from iOS 15 and moving forward from it, that database kind of emptied itself. If it's there, it's going to be pretty much empty. So we're wondering where the data went, and it went to these files in a format called SEGB. It became SEGB because that's the header that the file has, and they're usually contained in a Biome folder within these devices, iOS and macOS devices.

Speaker 1:

Okay, so Cellebrite came up with an article saying, look, that format has changed to a different format. So I was talking with Alex about how could we develop a Python parser for it, and he was so kind that he did, and definitely helped me with my crappy code, and actually he really fixed it, because I couldn't really get it. And that actually made a meme come into my head. Right, there's a scene from Star Wars where Darth Vader is telling, you know, Boba Fett and Lando Calrissian, "I'm altering the deal. Pray that I don't alter it further." So I changed it to Darth Vader being Apple and them being forensic examiners, and he's saying, "I'm altering the SEGB. Pray that I don't alter it further," because Apple is doing that to us, right? You cannot change that format constantly. So what was the parser that Alex did? So let me show you a little bit of that, just to kind of close out. So Alex did, let me see where I have it here, some good code on it, and I think there it goes.

Speaker 1:

I have the code now. So let me close this out so I can show it again. The code is super accessible. Even if you don't know Python, you can run it. It's super easy. So I'm going to, again, folks, if you don't know code, don't sweat it. I have the YouTube channel, and on this YouTube channel there is a video on how to run Python scripts. You can watch that, but it's really easy.

Speaker 1:

So what you do is you run the script and put the file name and the location of your SEGB file, and if you run it like you see here, it's going to show you all those contents. What we see here is me downloading Firefox, and let me see if I can highlight some of that. It doesn't want to let me highlight it. But downloading Firefox, you see Safari to download it, and then you can see here me getting the DMG, the container, to install it, and that's just by looking at the app in focus. Actually, what I'm going to do is I'm going to go over the time, so people bear with us, I'm going to actually demo it. I think that's even better. Let's do that, I'm going to demo it.

Speaker 1:

So let me hide all the pictures that I had here that I've been showing, all the memes. Hide all the memes. Let me share the screen. So let me share screen number two, hopefully the right one. Yep, this is the one, all right? So I'm going to bring up a command line, and this is my Mac. So I'm going to bring up a command line, and let me see if I can make this a little bit larger here. All right, I think it's more visible now, right? Yep, and I'm going to go into the folder where I have my stuff. So let's see, I should have been smarter about it. Let me be smarter about it. Let me open the tab where I need to be, and I don't have to navigate it. So there we are.

Speaker 1:

So I'm at my folder, my directory, where I have my stuff, and I have a couple of files here. I'm going to open the media now playing one. So let me actually move it out of the folder that it is in. And I'm going to call the SEGB2 script. So I'm going to call Python and I'm going to say I want to do the ccl_segb2.py, and I want to feed it that file. I want to feed it the 7241 file. There we go. So for folks that are not able to see, that are listening, we call the interpreter in my command line, python3, put the name of the script that will parse it for me, and then the next argument is going to be the input file. Okay, I'm going to hit enter, and let me see if I can change this. This looks a little bit better. There we go. So this is the output, straight output.

Speaker 1:

If you just run the tool or the script as is, and it's super nice, you can see here, and this one is the things that are being played. So I'm in my browser, using Mozilla Firefox, right, and you can see here that I was opening StreamYard. StreamYard is a page that we use, we use it to record this podcast, but I was playing a video from it, and it's recorded here that I'm playing that video from StreamYard in my Firefox browser. Okay, if I go down, you can see me here. Instagram is open and I'm watching videos on Instagram, right. If I go farther down, you can see not only that I'm watching the videos on Instagram. Let me kind of scroll down quickly so we can get to what I want to show you. You can see here, for example, our point forensics, second day or day two of the 12 days of different mess with Heather Mahalek Barnhart, of course, and I'm in Firefox, so you could see that I'm using Firefox to watch; if you Google that, it's a YouTube video. Right, and this, to me, this is kind of my employee, because some of this data, if you go and delete your browser history, well, how would you know? I was watching this page and this video, but it's recorded here within the SEGB files and it's kept there for quite a while, right, I think twenty-something days to 30 days. And if I go scrolling down, you can see, you know, all the different things I'm watching here, even though, what is this, I was clicking on some of Paul Medicare policies. Okay, sure, I know what happened is the video ended and another video started about Medicare for all things. Yeah, so that's what happened. Anyway, so that's an example of it.

Speaker 1:

If you run the script, let me see if I have it here. I don't have it here, but I'm going to show you a picture of it. If you look at the repository, and we provide those links in the show notes. Let me show you two things. First of all, I'm going to show you how the Biome folder looks. Let me zoom into that. You can see here, oops, sorry, you can see here the different, like, app intents, and then the big number there is the SEGB file. Let me show you the one that is media now playing, the one I was doing right now, it's in the media now playing folder, local directory, and then boom, that's your SEGB file. You can take those and do it with the parser. Okay, now what I was going to show you, the repository.

Speaker 1:

If you go to the link we will provide in the show notes to get this code, Alex gives us a little bit of how to execute those commands, right. So if you use this way of doing it, it's really good because you won't get that hex data view, but you will get the data in what's called, in Python, a list, which allows you to manipulate it better. You can take that and make a report from it and do certain things if you know some basic Python. If you don't know basic Python, I have a class for that. You can watch it on my YouTube channel. So, you know, like everybody says, comment, like and subscribe.

Speaker 1:

Again, I believe this is really good stuff. Tools are promising to support SEGB files, which is great, but I'll tell you, just because it supports it doesn't mean that it will report on all of them. We have, again, Darth Vader could alter the SEGB set anytime, not only the content but say, look, we're going to add a new one and add a new folder there with some new SEGB recording of something that the vendor hasn't seen before. So are we going to do nothing? No, you will go to that folder, get that SEGB out, use the script, parse it and see what's in it and see if it is relevant to your case, because that's what we're here to do, right?

Speaker 2:

So thank you, Alex, and CCL Solutions. Even if, yeah, even if the tools parse the SEGB file, they may not parse every part of it, so keep that in mind too. There may be data still in there that's important to you, that they may or may not see as important. Go in and check out the ones that are parsed anyway.

Speaker 1:

Absolutely. I couldn't agree more, and with that, I know we're way over the hour, but you're going to close out with something that we have to always do and we cannot get away from doing, which is what? The meme of the week. The meme of the week. Yeah, I asked you this one while you're drinking water. I'm such a genius.

Speaker 2:

All right, so the meme of the week.

Speaker 1:

Yeah, let's get it. So for the meme of the week, I love this one and I'm going to describe it verbally, as always. So there's a picture of, you know, two girls and they're labeled as examiners in the lab, Friday at 4pm, right, and they say, hey, what you got there? And then the focus changes and there's this dude walking towards us with an ostrich, and the ostrich is labeled as five phones, three laptops and 10 data drives, and the dude is labeled as detective, and in his right hand or left hand, depending on what side you're on, he has a drink, and when they ask him, hey, what you got there, he says, a smoothie. Right, that's how it is.

Speaker 2:

They show up. 100% how it is.

Speaker 1:

These agents, or detectives, show up at the last minute with a whole bunch of stuff and you're like, what you got? Oh, you know, we're just having dinner. Okay, sure, but what's that box behind you? All those evidence bags with evidence tape everywhere, seems to be a lot.

Speaker 2:

By the way, all five phones are AFU, so they need to be done right now, four o'clock on Friday.

Speaker 1:

Oh, my goodness, oh, you're killing me.

Speaker 2:

True story. True story.

Speaker 1:

And that's how it is, right. But it is what it is. You know, we have to deal with that ostrich? Then we'll deal with the ostrich, right. Look, if you're doing a search, don't do it on the afternoon of a Friday, right? Unless it's absolutely necessary. Or you'll be on my, not on my, naughty list. Let me use the seasonal terms.

Speaker 2:

Oh my goodness, staying right with the Christmas theme.

Speaker 1:

Yeah, I wasn't going to describe the list another way, but I'm not going to do that.

Speaker 2:

Stick with naughty.

Speaker 1:

Naughty list. Yeah, anyway, Heather, thank you for the work you did on the memory stuff. I think folks will be appreciative. I'm appreciative and, you know, it's good. What is Yaldeen saying, Heather?

Speaker 2:

And the agent goes home and says call me when it's done.

Speaker 1:

You know what? You know what? You're going to go out and get me dinner, right. You pay for my dinner and bring it over, right, and give me company while I eat it, if I like you. No, but yeah, no portfolio, I mean. Thank you so much for that work. Thank you to the folks that contribute. We've got a great community going and, yeah, thank you for everything.

Speaker 2:

Yeah, thank you everybody for joining.

Speaker 1:

And do we know what we're doing for the next episode, in the sense of, are we taking vacation or what? What's going on? Do we know?

Speaker 2:

It's up to you.

Speaker 1:

Well, let's do this for everybody that's listening. Keep track of our LinkedIn. We're going to make an announcement of what's happening, because it's the holidays.

Speaker 2:

Yeah, we'll decide.

Speaker 1:

Yeah, make sure you know what's going on, so we'll let you know when the next episode is, if it's in the next two weeks or when it's going to be, so we'll let you know soonish. All right, everybody. But again, thank you so much for being here and we'll talk to you next time. Keep an eye out for that announcement. Thank you so much.

Speaker 2:

Thank you.

Chat Encryption and Child Safety
Privacy vs. Child Protection
Exploring RAM Memory in Android Devices
Extracting and Analyzing RAM from Samsung Galaxy S21
RAM Extraction and Data Analysis
Information Security Solutions and Tool Development
Enhancements to Artifact Selection and Parsing
Alex from CCL Solutions Group SEGB Parser Demo