Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
New Year, New Tools, New Ways of Thinking!
Ever found yourself piecing together a complex jigsaw puzzle of digital evidence? That's precisely the journey we invite you to embark on in our latest episode packed with tools, tales, and tech. We're not just talking shop; we're handing you the magnifying glass to examine the intricacies of JSON files with JSON Crack, and introducing a Python tool to automate investigations involving Google Drive File Stream artifacts, DriveFS-Sleuth.
This episode is a testament to the craft of digital forensics, featuring a blog from Mattia at Zena Forensics that aids in answering the question, "Has the user ever used the XYZ application?". As we unpack the nuances of reverse engineering and celebrate the updates to Hexordia's Evanole, we're reminded that the heart of digital forensics beats to the rhythm of relentless inquiry and meticulous method.
We delve into the advanced research and exploitation methodologies with Magnet GrayKey Labs and converse about the importance of these capabilities as well as validation. This is coupled with a live demonstration involving SEGB files and the data that can be overlooked without research and the validation of multiple tools.
Raise your glasses—here's to the exuberant spirit of learning and the relentless pursuit of truth that defines our community. So, are you ready to elevate your understanding of the digital landscape and smash those New Year's resolutions? Join us, and let's make 2024 a year of 4K clarity—in forensics and beyond!
Notes:
JSON Crack
https://jsoncrack.com/
DriveFS Sleuth — Your Ultimate Google Drive File Stream Investigator!
https://amgedwageh.medium.com/drivefs-sleuth-investigating-google-drive-file-streams-disk-artifacts-0b5ea637c980
https://github.com/AmgdGocha/DriveFS-Sleuth
Advanced Research and Exploitation Methodologies With Magnet GRAYKEY Labs
https://www.magnetforensics.com/blog/advanced-research-and-exploitation-methodologies-with-magnet-graykey-labs/
Has the user ever used the XYZ application?
https://blog.digital-forensics.it/2023/12/has-user-ever-used-xyz-application-aka.html
Evanole New Year Reveal!
https://www.hexordia.com/evanolece
Speaker 1:Hello and welcome to the Digital Forensics Now podcast. Today is Thursday, January 4th, first episode of 2024. Woo, my name is Alex Brignoni and, as always, aka Briggs, I'm accompanied by my co-host, the digital forensics examiner of the new year, the person to see when you said let's go back on this task after the holidays, the one you wait in line for, the one and only, Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. Heather, let's show our faces here. Thank you to everybody that's live and all the folks that are listening later.
Speaker 2:Yeah, your introductions never disappoint. I'm going to have a good one for you one day, and we're going to switch roles.
Speaker 1:We'll see about that. Oh my goodness, first episode of the year, Heather. Awesome.
Speaker 2:Yeah, crazy. Three weeks off.
Speaker 1:Yeah, holidays are over and we're back at work. Yay, not really.
Speaker 2:Not really. Yeah right, if anybody is on from work. I didn't just say that.
Speaker 1:Exactly so. Talking about holidays, how was your holiday? What happened? What did you do?
Speaker 2:It was good. I had a good time with family, relaxed, took a week off of work. It was pretty good. How about you?
Speaker 1:So, you know, went with the kids to my parents' house, so that's always fun, and we came back with a million toys, as one does. Even I got toys. The folks that are watching can see my little sign behind me says Feliz New Year, because, you know, we got to mix it up. So happy new year, with some Spanish. And then we have a little stormtrooper built of Lego. Right, and actually talking about Lego, see, I'm going to take that opportunity to show folks a little bit of the Lego that I have in my office. At some point somebody's going to be like, you can't be bringing Lego into the office, what do you think this is? Right? So I have a little Lego. Let me allow it. Yeah, all right. Can we see it? Oh, yeah, yeah.
Speaker 1:So look, so I have my police collection here, obviously, as one has. On the... oops, sorry about that. On the back here I got like a little truck with a little doggy park where they train the canine. So I know Geraldine is going to appreciate that. Geraldine is a good friend of ours.
Speaker 1:She's with a local agency. Folks that know her know she has an electronic detection canine, Siri, beautiful dog. And then we have here some unicorns, because, you know, some of the stuff that people ask me at work is as feasible as getting a unicorn, and some motorcycles. And you know inclusivity and all that good stuff. So, yeah, it was a good holiday. So no complaints. Yeah, Geraldine is there, yay.
Speaker 2:I got my first Legos for Christmas. They're not quite as cool as yours, but they're the flower sets, so I can have Lego flowers around my house.
Speaker 1:Oh, those are awesome. Of course, I don't have as much Lego as Kevin because, you know, I see all his marble stuff and all the stuff that he gets. So one day when I grow up, I'll have as much Lego as he has. Awesomeness. So, yeah, so pretty neat. Now we're starting in full.
Speaker 1:So this episode, we have a whole bunch of tools. So I'm pretty happy, excited about it. A whole bunch of demos that we're going to give you and hopefully, time permitting, I'm going to give kind of a deep dive on working on a data structure. That's the word I'm looking for, a data structure, and I want to talk about that because we told people, oh, this is a hex editor and this is the hex, and this is this and this is that, but we never talk about what's the thought process behind it, or that you should have in your mind, when you are about to do it. So I want to hopefully guide folks through it and maybe get some value from it. So, talking about tools, what's the first tool that we have on deck, Heather?
Speaker 2:So the first tool we're going to show you is actually a webpage. It's called JSON Crack and it is a tool to visualize, analyze and manipulate data, so you can bring JSON files in, and it actually has a few different views. I'm going to put it up on the screen here so everybody can see. So you can import JSON files into this website and you just click import and click to upload your JSON file. I have one from an iOS full file system pulled out and click import and it'll bring that data into this very nice tree graph here or, I'm sorry, yeah, nice graph. This one is actually the Apple cache data from the past files in an iOS device and you can switch between the graph and the tree views.
Speaker 1:Oh, that's awesome.
Speaker 2:Yeah, and it looks very nice, and you can also take the graph view and use a download function and it will save out as an image file. I have one here.
Speaker 1:And as you're looking for that, for folks that are listening, you have a little grid, like a little predicated paper, if I pronounce that correctly, and you have a little box. It looks like the old school visual flow chart type of thing and that really spreads out all those keys and values, if they're nested, and makes such a big difference in how you can visualize how the data is organized.
Speaker 2:Yeah, and then here's just what it looks like when you save out the image of the graph view of a JSON file. So I don't know, I could see this having a really nice visual effect for reports.
Speaker 1:Oh, absolutely. The other type, not the graph one, but the one that's kind of like drop down type of stuff, reminds me a little bit of PA, of Cellebrite's type of format. The tree one, yeah, which again, there's nothing wrong with it. I don't like it, but I mean there's nothing wrong with it. I mean the good thing is that, in a sense, using the tree view, you can kind of open and close the different ones, so that way you can kind of make it easier to print from top down. So it has its purposes. It's just that visually I like the other one way better, yeah.
Speaker 2:The graph is much prettier for sure.
Speaker 1:Yeah, I don't know about you, but I'm seeing JSON like everywhere, you know, yeah. Yeah, I mean I would say JSON and protobufs, I don't know what. Do you agree or do you think?
Speaker 2:Oh, definitely agree. There's tons of JSON in the last couple of cases that I've worked on, I think this would give it a really nice visual representation.
Speaker 1:Oh, absolutely, and either JSON inside SQLite or JSON inside who knows what. So, folks, this is one option. I mean, this is not the only one. This is one that I thought you know. We thought that was kind of neat to show, but this is that the stuff that you need to think about when you're trying to present data to people that are not in our field. How can I make this in a way that's easy for them to appreciate and get some value out of it? But, yeah, JSON everywhere at all times, Like the meme JSON, JSON everywhere.
Speaker 2:And here's the website too. So it's jsoncrack.com and you can just go import your JSON files right in.
Speaker 1:I'm assuming it's because it's addictive. Maybe, I don't know why they call it that, yeah.
Speaker 2:A little bit of a strange name, yeah, right.
Speaker 1:No, and, as always, people should know that obviously we get no type of financial benefit from any of this. It's just stuff that we think is cool, and we show it, and we're not haters, but we're also not shills, so we don't push nothing on nobody. Check it out if you want, and if you don't, then that's fine. That's cool too, yeah. So it's a pretty neat tool. There's a paid version, I guess it allows you to do more stuff, like paid options, which I didn't look into, but I like the concept. Now there's some other tooling. This one is not paid, but it's a great, great functionality, and it is in regards to investigating Google Drive capabilities on your computers, and this is good. People hate on us because we only talk about cell phones, because we're all cell phone centric, which is true.
Speaker 2:Mobile device centric.
Speaker 1:But this is Google Drive and it's a Python script which I always love, we all love. I know Heather loves it not.
Speaker 2:I'm getting there. I'll have a love for it one of these days.
Speaker 1:Far far away.
Speaker 1:In the distant, distant future, in a galaxy far away. And it's a good tool because, as folks know, the way Google Drive is designed to work is that you don't really download everything on the computer. Let's say you download the application, you link it with your Google Drive account or Google account, and let's say you have a terabyte of stuff. That stuff is not replicated immediately to your computer, it's just going to bog it down. So what it does is it kind of streams the files as you need them, as you're looking for them. It streams them and you get them. So there's a bunch of artifacts that are generated through it.
Speaker 2:Yeah, so there's actually an article and it has really a great breakdown of the types of things that happen when you install the Google Drive Windows application. It will show registry modifications that occur, file system artifacts, what happens when you launch the application and what happens when you log in, and the article really, really does a great job of outlining all of those different things that you might look for when you're investigating a computer, when you have a computer in a case.
Speaker 2:I actually downloaded the application on my computer and ran it against my own Google Drive. Ran the script against my own Google Drive so I could see what their report looks like and how it all works, and I'm going to share that.
Speaker 1:Yeah, and when you install something on your computer, especially on Windows machines, well, I mean, this is still on all computers, but on Windows machines we work with them a lot, and it impacts so many different things on that computer. You're going to find registry entries for that stuff. You're going to find databases that are generated that keep track of a whole bunch of different things. You're going to find those accounts that are linked to that Google Drive, not even counting all the link files or the run time artifacts when you're looking for it, when you run it for the first time, and then how many times you ran it. What's that called? You know what I'm thinking about.
Speaker 1:Somebody's going to pop in yeah, somebody in the chat threw it at me, somebody's going to pop it in the chat. Yeah, you run the program once, creates it, and then it keeps counting how many times the program was ran. I just forgot what the name of the artifact is of the thing. Anyways, Heather is now showing how the report looks. Please describe it for us.
Speaker 2:Yeah, I ran the script against my own Google Drive on the application and it creates this really nice report. You can choose HTML. Thank you, Geraldine. There it is.
Speaker 1:Yeah, Prefetch, that was the one. No question mark. She said Prefetch with a question mark. It's actually that one. Put Prefetch with an exclamation mark. That was the one, thank you.
Speaker 2:So it creates this really nice report. You can do HTML or a CSV. The HTML report is way prettier, but it pulled in all of the information about my Google Drive. It has my account number, my display name, it has the picture of me that I have on my Google account, information about the connected devices, and then I'm just going to zoom in here. Hold on one second.
Speaker 1:Yeah, in typical examiner fashion it's a lot of rows and columns, which we all love kind of having that detail of all the artifacts.
Speaker 2:So it has the synced file tree. So this is everything that I have in my drive, and each of these will show what's in the folder and they can be dropped down. So it's a complete listing of all the files I have in my Google Drive.
Speaker 1:That's true even if they're not downloaded to your computer, correct? Correct, yes, well I mean and think about it, you have a full visibility of what's over there, like a total listing of it, just by running this program.
Speaker 2:Yes, so that's a listing. There is a spot for shared with me files and deleted items and I do have a few of those, but they didn't pop up under the categories for those. I'm not 100 percent sure why, but it does say in their description that it will show some deleted and some shared with me files. So there must be something about the ones I have in there and just it didn't pull them.
Speaker 1:But is that pulling from a SQL database, right?
Speaker 2:Yes, yes.
Speaker 1:Yeah, it might be something. Maybe it's not committed fully, or so I mean I'm guessing, I don't know. Yeah, but then it has.
Speaker 2:Besides the item list, there's the item details, so it'll give the type, the URL ID, the title. You get the file size, a modified date, a viewed by me date, whether or not the file is trashed, and the TreePath, the MD5 of each of the files. And it actually goes on for quite a while because I have a lot of stuff in this Google Drive.
Speaker 1:Well, amy, can you imagine how useful that is? This is doing a corporate investigation and you're possibly worried about stuff being exfiltrated in some way or fashion. Now you have a full listing of all the files, down to the hash number, hash value, I should say the hash value of the stuff. So even if you don't have the thing on the device but you're worried about this exfiltration, obviously you may have the original copy. Just hash it and make those comparisons and you can really get that investigation moving forward. Again, this is just one made-up scenario, but there's many of investigative scenarios that come up that this could be extremely useful for.
Speaker 2:Yeah, absolutely, and I did go through all of the data before putting it up on the screen to make sure no passwords were available. So my password is not on the screen today like last time.
Speaker 1:So no free HBO, Netflix or streaming service. So yeah, no.
Speaker 2:You now have my email address, but I don't really care about that.
Speaker 1:We're not starting the year with free stuff, all right. I'm sad now For folks that are not into the joke. Go check the last episode or the episode before that and you'll get the joke.
Speaker 2:So there's going to be a link at the bottom of our podcast page when we close out. That has the article that lists out all of those great artifacts and places that you can go. Look for remnants of this being installed, as well as the script from GitHub.
Speaker 1:Yeah, absolutely. And Kevin is saying that he's done some investigative work as his day job in corporate investigations and he found it to be extremely useful. So I'm happy that I got some legit validation of my imaginary scenario. It's not that imaginary, right?
Speaker 2:No, absolutely not, that's awesome.
Speaker 1:So yeah, so folks, check that out. Again, it's a community tool and, again, really, really useful and makes accessing the data visually really, really nice, which leads to the next point, a great segue there, accessing that data, right. And lately I'm pretty happy that Magnet, specifically after they merged with GrayKey, they're actually putting a lot of content out that we could assume, but now it's becoming public domain, so I'm pretty happy that I can speak about this. Magnet GrayKey Labs came out with an article explaining how the process works, how they come up with the access that we need to make those tools, and this is good, because the best type of access that we can get from a mobile device, Android or iOS, is a full file system extraction and those are not obtained easily. Like, the phone doesn't want to give it to you, there's no option for that.
Speaker 1:So yeah, so in the blog, and it'll be part of the notes, you can see on the screen, folks that are watching, it explains how they actually leverage exploits, right, and what that means is that they look for a vulnerability in the software and they're able to piggyback on it and get administrator, root access on the device, which then allows us to do that full file system extraction, and this is a good thing, and I have some thoughts on that, right. This was pretty much limited to law enforcement for many years, I don't wanna say many, but for quite a few years, but now we're seeing products coming out targeted to the private sector, right, where you can get full file system extractions without having to be law enforcement, and I believe this is a great thing. It's a good thing. The more access, the better, of course, with some safeguards for that, and I thought it was pretty good and I know you read the article, obviously, Heather, so what do you think about it?
Speaker 2:So yeah, definitely the research and exploitation stuff that they're doing is insane, and at the bottom of the article there's a little link that you can go work doing that as well. So I mean what a great job that would be to just go do research and exploitation. I mean it just sounds awesome.
Speaker 1:I mean well, true, you have to be like extremely knowledgeable on that stuff.
Speaker 2:Oh yeah, I know.
Speaker 1:So that's definitely not me. I'm working on the Python.
Speaker 2:But yeah, no, the article is excellent. Everybody should read it. They're doing some really amazing stuff in the Magnet GrayKey Labs.
Speaker 1:Yeah, and one of the things I really wanted to, as I read it, I thought about is, look, now the access is being kind of broadly obtained, private sector, law enforcement, government, law enforcement, and it really underscores to me a big point that verification and validation, the tooling needs to be, the exploits need to be safeguarded. And obviously the reason for that is we don't want the vendors of the products, the Apples and the Googles of the world, to then patch those exploits and then we don't have the access to be able to solve the cases or find the missing child or be able to convict the murderer or whatever it is, or to exonerate an innocent person. So the question is, well, isn't the exploit needed as part of transparency during the legal process? And I believe, and that's the big point I want to make, it's up to you, the examiner, to kind of make sure your stakeholders understand that what gets transparency is not knowing the exploit, because if I put the exploit in your lab you will not understand it, I won't understand it myself, but it's the data, verification of that data and the validation of the process, and we've talked about that in the past. Is the source code for Office or Word or Windows open source?
Speaker 1:Of course not. It's a product. But still, do we need the source code to actually confirm that my Word document is correctly typed as I did type it? Do I need the source code of Windows to make sure that it didn't change something in my forensic process? Well, of course not. And why? Because we tested it, we verified it, we validated it.
Speaker 1:And the concept of that black box testing needs to be really underscored, and a lot of us just say, well, this is good because the tool did it, and we're going to have somebody from Cellebrite or from Magnet come in and testify that this is good. You should test, you should take known data, extract it from those devices, make sure that performance, like Josh is saying, validate that performance. Yeah, what I put in one end in my phone is also in the extraction after it goes through the tooling. And this is important because just saying the tool did it will not cut it. And I think this also gives an opportunity for open source tooling to grow, because now having the access to the full file system is not just law enforcement. Now anybody can get some of those and then build.
Speaker 1:I say that in a self-serving manner, because I have an open source tool just for that. And I say me, but the community. We work on it. So if you're so inclined to do the analytical portion, there's open source tooling that will definitely need your help on doing that. I know you had any other thoughts on the article? Because it has so many things. I don't want to just dominate the whole conversation.
Speaker 2:Yeah, no, I would just put up Jessica's comment here. It's the examiner's responsibility to verify the results, but we also need to know how else could data get there and remove bias from scenarios. So, excellent.
Speaker 1:Yeah, and that's hard. It's also true because just because it's there doesn't mean it got there how you think it got there. You have to actually figure that out, especially if it's your key piece of data. You have to do that. If the case hangs on it, you have to do that. An example that I was tasked with recently of looking at the provenance of some media. Provenance, what that means is, was this stuff, this picture, this image, whatever it was, was it generated with the phone, which is different from receiving it from somebody else? And there could be really strong implications if it's made with the phone versus not.
Speaker 1:And one of the artifacts that I like a lot, one of my tooling that I use often, the many I use, is Physical Analyzer. The latest version, Ultra 8, or whatever it is. It has a media origin capability which tells you, hey, based on a collection of factors, and we talked about this in previous episodes, we believe that this is actually generated by the device. Well, this is the thing, right. You can't just say, well, that's true, because it's there, right, because those factors are a conglomerate of factors. You can make a decision, but some of those factors, you have to verify them. Because the tool might believe that, hey, yeah, I hit all the points, but when you do it manually, you might believe that, no, I disagree with this assessment. Because it's not black and white, and as forensic examiners we're not used to that. We're used to true or false, binary situations where me as the examiner, I'm like, it's there or it's not there, but that's not how it works and again, I'm going to do one of my custom... not rant. Well, what's the word I'm looking for, Heather.
Speaker 2:You can go with rant, rant, rant, rant.
Speaker 1:In any other endeavor of knowledge, there's tolerances, right. If you're an engineer and you're dealing with a building, well, in these circumstances, the tolerances for this building for something to happen is, and there's a range, right. If you're doing a car crash investigation, well, the speed is, in this sense, there's some sort of a range of, well, we believe it was about this speed, around, right. It's not zero or one, and let me tell you, that's how life is. So computers, that determination of, is this image created by the phone? There's many factors and you might have them all or not. So then you have to make a determination, what's my tolerance level on this and how can I explain that? And hopefully that's making sense to the folks that are listening.
Speaker 1:What I did was I took my trainee and we took the key piece of evidence that we needed to validate and we went one by one and we looked at the metadata, we verified. Is the metadata the same as the phone? Are the timestamps consistent with something that's created on the device? Do we have Photos.sqlite data about that image? Do we have a thumbnail created when we expect it to be created, when it's generated by the phone, and is there more than one copy of it? And if there's more than one copy, why is there more than one copy? Is it in the SMS type of structure? Is it because we're send, receive? And after we make all that determination...
Speaker 1:For a few of them, we determined that they were not generated by the device. Some others were, and we validated the tool. We have no discrepancy with the tool at that point and that's a good thing, okay. But the answer to the question, is this image created by the device? The answer cannot be yes because the tool told me so. That's not the answer, right. It's gotta be yes because of what I just told you, we checked this, A, B, C, D and E, right, and that's something that now that we have full file system access kind of more broadly for everybody, we should start thinking in those terms. Just, I'm gonna call somebody from the company to come and say something about it, that's not gonna cut it.
Speaker 2:Yeah, well, with the full file system access, there's so many more artifacts that you should be able to take whatever your key artifact is and tell the story of everything you just said where it came from, make sure everything is valid, and there's so many more artifacts in the full file system that support you being able to do that, so oh, absolutely, and we have to look at it and I totally believe this.
Speaker 1:Like in science, right, you can say well, we have a data point and we have three or four more data points that kind of converge, right, then I feel better. The more data points I have, the more my confidence is. My level of confidence is higher. That tolerance level increases because I have more. Now I might have less, and you have to be able to convey that. Look, we're pretty sure, or this is what we have right, or it could be as simple as I don't know, or you know, and that's what it is right. We're there to state facts, not to impose our opinion.
Speaker 2:Right, saying I don't know is okay.
Speaker 1:Yeah, no, and Jess again makes a good point, right. You can look at the timeline, look at what things happen around that important thing and how this operating system is being impacted as something is happening, and that will definitely be one of those converging lines of evidence to be able to paint that picture, as you're saying, Heather.
Speaker 2:Right.
Speaker 1:Yeah.
Speaker 2:So out of the tooling a little bit. We kind of wanted to talk about an article that came out. I love this article by Mattia and it is "Has the user ever used the application?" So he has an entire blog post that asks that question and tells you how to answer that question, whether a user has ever used or installed an application. He shows how you might check to see if an application has been installed on a device, whether it be Android or iOS, relevant files, databases to analyze and to determine if it was installed. I think that that step is so important.
Speaker 2:I know that I actually had this misconception when I first started doing forensics. It's in PA, it's under the installed applications, it's installed on the device, and that is not true. Anything that is in your Cellebrite report or any tooling report, it doesn't have to be Cellebrite, that's under the Installed Applications section, it does not necessarily mean that it is currently installed on the device. It may have been previously installed and uninstalled. But the blog goes on to discuss relevant files about iOS and Android in that aspect and discusses how to go check and see if the application was ever installed and then talks about testing and validating this. There's a whole step-by-step guide in the blog that talks about how to test and validate all of these factors. I'm going to put up the link, but this will be on the bottom of the podcast site as well, the link to the blog, if you haven't had a chance to read it yet. Read it. Excellent blog. What are your thoughts on that?
Speaker 1:Yeah, at some point you might think, well, why doesn't the tool vendor in the header tell me all that explanation? Well, this is the thing, right, it's up to you. The tooling will have different sections and the tooling provides you the source of it. Certain databases will have, like in Android, yeah, installed and it will have all the apps that were installed, like you said at one point in time. It might not be installed currently, but you need to know that. You need to know that that database behaves in that manner. It keeps track of possibly everything that was there at some point.
Speaker 1:I say there, but let me rephrase that. That was installed using that account, because it might not have been installed on that phone, it might have been installed on another phone and it's part of the installed apps that your account has dealt with at some point in the past, right? I don't know if folks have done this, I've done it all the time. When you go install something from the Google Play Store from the computer and you have multiple devices on your account, you can select to which device you want to install it, from your one account, right, and then that gets wirelessly sent, the instructions, and your phone gets it, gets the app. Well, guess what? That's part of that database now, and on your other devices. Does that make sense?
Speaker 1:So that knowledge, the tooling, will not have a full explanation for you on that. You need to know that as you come in to use it. Right? Imagine you're a mechanic and you know I'm a mechanic and I want every car part labeled from the manufacturer so I can do my job. Well, no, you're the mechanic. You got to know what wrench to use. You got to know what a transmission is. We're not going to label it for you. You need to know what. That is right.
Speaker 2:Yeah, definitely.
Speaker 1:Yeah, let me. Let me share something real quick that Josh said again. I love his comments. He says context is key, not only with other data points within the digital evidence, but also within the physical evidence interviews, surveillance footage, the crime scene and we get, so you know, some like blinded At first I cannot see me, but I'm putting my hands next to my eyes, you know, like what's that called when you put on horses so they cannot look to the sides. What's that called? You know what that's called.
Speaker 2:Blinders.
Speaker 1:Blinders, okay, blinders. In Spanish it's different. Yeah, blinders. We work as if we have these blinders on the forensic stuff, on the computer stuff. No, the context of what's happening with the investigation in general will inform you how your forensic work is, you know, effectuated, you know, yeah. But go check out Mattia, Mattia Epifani. He's an incredible examiner from Italy. We talked about him in the podcast before. He teaches for SANS as well and he's a great luminary on these types of stuff, so go check that out.
Speaker 2:Yeah, he also in the testing and validation part of it is using more than one tool, which I love because so many people, I think, don't use more than one tool. But it's so necessary to use more than one tool when you're trying to validate your results Even, obviously, yourself, your knowledge it will be key to that.
Speaker 1:Yeah, and even some of that. How do you say this, when you're trying to figure something out? And hopefully, with time permitting, we've got to speed it up a little bit. I'll give an example that you need to look at a data set in different views, right, for you to build a clear picture, and people are like, oh, that's not true. Well, I'll give you a real example at the end, more close to the end. Awesome, awesome, so, yeah.
Speaker 1:So, with that being said, let's step back a little bit off of tooling and that type of technical stuff and let's talk a little bit more about the human aspect, especially in the new year, right? What are your digital forensics goals for the year? So, that's not to be a topic, and I was telling Heather, me trying to be funny, but not really, I was telling her, well, my resolution for the new year, I want to go from 1080p to full 4K, you know, HD, and I took that joke out where, like, the what, the resolution, what, and like, resolution, minors, you know, they're like, okay, never mind, I'll put myself out. So, yeah, I'm going from 1080p to 4K. But no, but in reality, like, what do we foresee or plan for ourselves for the next year? And I'm going to start with myself. I'm going to share some of mine. So my hope for this forensic new year, right, and maybe for the year in general, independent of forensics, I want to do a couple of things.
Speaker 1:The first I want to do is I want to hopefully do two artifacts a month, minimum, for the LEAPPs, and for those who aren't familiar, that's the tool set that I contribute to for forensics on mobile devices. So make two a month. So at least I covered that for January, so I'm good, I did the two for January, excuse me, so that's one. Then I want to do six mobile forensic, I'm sorry, mobile forensic explainer videos this year. That's on top of the podcast that we do all the time, and what those videos are is me, I take an artifact and I try to explain some interesting facts about it and then it could be like a reference material for anybody. So hopefully do six of those a year, because they're hard to put together, make all that data and the screenshots and demos. It takes time. So hopefully I can do six a year. I want to read more coding and data forensics books, which is funny because I have a data forensics book, I'm not done with it and I'm already kind of buying the next one without finishing the other one, and then listen to some stuff, and, you know, I want to continue to exercise consistently. And you'll be like, well, that's not digital forensics, let me.
Speaker 1:Let me tell you how your mind works is really tied to how your body operates and how your emotional state is. It's a connection between those three things. Right, it's like if you, as a person, that you're the stool and those three legs are going to be your physicality, your emotionality slash spirituality and what else did I say? And your mental, that mental state, physical and I forgot and emotional, right, you need to work on those. And if you want to do good work, intellectual work, your body needs to support that. Right, you got to eat. Right, you got to exercise. So, believe it or not, it has a lot to do with it. And you'll be, you'll feel better and be more effective in what you think If you're aware of how you move and eat and how. How do you feel emotionally? And a weird one is I want to relearn cursive, or whatever reason. Last time I wrote in cursive.
Speaker 2:How did you forget it?
Speaker 1:Well, my handwriting is so horrible in, like, block type, block type of writing, and I said, you know what? I haven't written in cursive since third grade. So I might, you know, teach myself cursive really nicely, I remember it, and then make that my standard hand script. So we'll see if that works.
Speaker 2:All right, so nobody's going to be able to read whatever you write anymore.
Speaker 1:Well, nobody that has been born in the nineties is going to understand me, but people that have been born before that surely, surely do. Yeah, I need to get a fountain pen to work on that. Actually, Geraldine has a good point. We work on VLEAPP. VLEAPP is, again, another tooling that we make for vehicle extractions, and I'm counting on you, Geraldine, to help me with that. If you push me, we'll do it together. So now I'm putting you, you know, throwing you here in the middle, throwing that out for you.
Speaker 2:Geraldine now knows her 2024 goal. You've assigned it to her.
Speaker 1:Exactly. Help me with the thing, please.
Speaker 2:No, she's so kind, at least she's agreeing.
Speaker 1:Yeah, now we got some images that we're trying to. I mean, we got so much to do in so few hours in a day, but she's, I mean, I'm kind of joking about it, but she has some images that she'd be able to procure and hopefully, throughout the year, we can give support to some of that. So, yeah, so those are my goals. How about you, Ooseller? What do you have?
Speaker 2:So I would like to learn Python in a way that I can actually do it and help contribute to things like the LEAPPs, or put it to work in my own cases. I am struggling with it, but I know somebody who might help me, who I think I see right there. But yeah, so I'm kind of struggling with it, but I want to, by the end of the year, be able to do it on my own without saying, hey, can you help me? I have no idea what I'm doing, constantly. I actually am also starting the exercise stuff for the 2024 goal. I have somebody that's pushing me, telling me, are you walking? Have you gone to the gym today? So yeah, and actually, you know what, that's a great goal because you're right, I feel better and it makes me more productive throughout the day. So I see your fireworks.
Speaker 1:Do you know what the funny part is? So for folks that don't know, I'm thumbing them up and some fireworks came out behind me. The funny thing is that I had no idea how that happened.
Speaker 2:Oh really.
Speaker 1:Yeah, I need to figure out. It must be something in the system that we use for streaming that does that. It's actually great timing. It came out great. I had no idea how it happened.
Speaker 2:It worked out. Oh, that's hilarious. I also want to start, so I'll go through my cases and find artifacts and we go, oh, this is how that connects and this relates to that, and I'll go through an entire artifact for my case, but I never write it down, right. So I want to write more things down and share them with people, so that's a goal for 2024.
Speaker 1:Oh, and that's a great goal, especially the sharing. I mean all of them, but the sharing part. We know something and learn something and then it dies with us, and like, no, no, let everybody else know it. And you're like, well, people already might know it already. Even if they do, they don't know how you do it and how you present it and what you bring to the table. So no, please, please do, like everybody.
Speaker 2:I'll mention it to my coworker, Kevin. I'll be like, Kevin, get over here, you have to see this, and we'll go through it all. And then I never. I just need to get past just my office and share more things throughout the year.
Speaker 1:Yeah, absolutely. Alex is saying I wonder if triggering the fireworks graphic left an artifact I need. I need to look into that because I had no idea how that happened.
Speaker 2:That was good timing.
Speaker 1:Yeah, it was great. If I do it like that, it's not going to actually happen, yeah. So I want to quickly discuss, like, you know, some thoughts on goals that you might say, you know, because you might be listening and saying, well, yeah, I have those goals too, but, you know, I might not have the expertise to do certain things. I don't think I'm ready to write an article about a deep dive on something, right, because I might only be six months into this job or I'm still studying, you know, in school, university, college, whatever it is, or certifying, right. So we have a list of different things that you might think about for the new year and for, you know, life in general. So I'm going to mention, for new examiners, so I'm going to start with that and maybe Heather can grab intermediate and we go from there. So the first thing for the year is, look, if you're new into this field, if you haven't finished your courses, then finish your courses, right, that's kind of an obvious goal. Right, finish your classes, finish your certifications, you know, all the mentoring, and if you don't finish it, that's fine. Just keep working on it consistently. Perfection is not the goal, consistency is the goal. And it's like, again, as you do things consistently, it's like compound interest, right, it's going to accrue and when you look back you'll be like, wow, look, all this money I have now. Well, you have to work consistently towards it. Right, don't overshoot it, just do the best you can and that will work, right. Again, be part of the different communities, the digital forensics and incident response community. It doesn't mean that you have to be, like, you know, the person that brings the new things into the community. But you can read, you can listen, you can look a little bit, ask questions and participate. Right, your questions are needed. Right, your curiosity is needed.
So, if you're new, you still can contribute with the right questions and the right you know, you know, and answers you can also provide.
Speaker 1:Okay, something that I recommend a lot is watch court testimony from others. It doesn't matter if it's good or bad. Watch all that with a critical eye. Whatever you do in life, have a critical eye. And I say critical eye not to just beat on people, you suck. No. It's like, what can I learn from this? What things work or might not work. And there's some videos of forensic folks that have testified. Geraldine had a big, high-profile case she had to testify in, and she'd be like, no, don't tell people to watch it. Well, I'm going to tell them to watch it, so we'll share that link later. And because you learn a lot, if somebody in your team is going to go testify, go sit at the trial and get a feel for the environment and for the testimony, for the questions that come from the defense, from the prosecution or whatever it is, right. You learn a lot just by listening and understanding that.
Speaker 1:Read presentations about, I'm sorry, read books about presenting or presentations, right, soft skills like that. It's soft skills, but not really soft. It's an important skill. How do I talk to an audience? How do I write something in a way that's clear and concise and precise? Right, can my workplace pay for Toastmasters for me so I can not be afraid to speak in public? A lot of your effectiveness, sorry, is going to hang on how well you can communicate that, and we need to work on it. Myself, I try to work on it all the time. Obviously, I have an accent and I tend to eat some words, and I try to work on my pronunciation and enunciation as best as I can. Right, how do I present things? Heck, having this podcast is a way for me to practice and try to get better. So that's something that you could do even as a beginner, right, and there's a lot of stuff that, as you progress, you can do as an intermediate, right.
Speaker 2:Yeah. So once you get a handle on some of the basics as a beginner, you could work on verification and validation of data. You could learn how does the tool do what it's doing, instead of just pushing the button seeing all of those parsed artifacts. Learn what the tool is doing. Learn where that data is stored. Dive a little deeper. Go to some of the advanced classes that are available. Learn some kind of scripting or learn about data structure. If you want to learn about data structures, you can listen to Alexis or go take Jessica's data structure class. But go a little further than just that initial beginner stage and beginner courses.
Speaker 1:Yeah, and actually, it comes to mind, recently on the Providence request that I had, I had one also for dates for searches, and the searches, some of them came from some databases that had no timestamp for that entry of that search. I'm not going to delve into the details, right? All right, okay. When you look at a search from Google, you have the search like google.com slash, and then a whole bunch of parameters that you can actually read, and you can read, oh, look, he was searching or she was searching for something. And then after that a whole bunch of parameters. Parameters means things that are gonna go through the search. It seems like gobbledygook, right? Well, it's not, right. Some of those are actual timestamps and there's tools like Unfurl, there's a tool made by Ian Whiffin to decode some of those and you get a timestamp, right. That means that as an intermediate examiner, you just don't stop because the tool had no timestamp. Oh, whoa, look, there's a search, no timestamp. Well, that URL has meaning. Put it in Unfurl, get Ian Whiffin's DoubleBlak, I think it's the website, the blog or site, doubleblak.com, and grab the tooling and get those timestamps, right, and then you can say, look, here's what this search was and when it happened. Because you're on an intermediate level, you should be able to go beyond that. You should be able to understand what's the difference between a binary XML and a regular XML and how to deal with it, right, which leads to a higher level, which is, what goals can you set as an advanced examiner if you know these things? Well, don't keep it to yourself. Take some of that knowledge and get it presented to your team or some others. Jessica has mentioned also Google Serpent from Fillmore, and it's a good tool from my perspective. Unfurl has kind of superseded, in my opinion, any tool to deal with breaking down URLs.
I believe Unfurl is the superior, like, the best, right, and this is no dig to any other tooling out there, but Ryan Benson has done an incredible job in parsing data from all sorts of URLs that you might come across, so I really recommend Unfurl. I think it is the best. That being said, so give that information out, put it out there with your teams, with the public, right. If you know, at this level, you learned some scripting, then make that script public, share it with the community.
Speaker 1:Start thinking about reverse engineering apps, and I say that because we mentioned previously how getting full file system access is more broad, because we have law enforcement and the private sector having access to full file systems. Well, guess what? When that happens, I believe app developers, instead of leaning on the operating system to make or keep their data obfuscated or private, now they're actually depending on their own. Let me give you an example. Instead of depending on the keychain to maintain encryption, they may move away from that and the app itself keeps its own internal encryption, independent of the keychain, independent of whatever systems Apple or iOS has to secure data. They may wanna handle it themselves, if that makes sense. Okay, and that happens.
Speaker 1:So then what? What are we gonna do? Well, as examiners, advanced examiners set that goal to learn a little bit of reverse engineering. How can I go about? And looking at the code and figuring out, how can we solve this problem? Okay, and a big one is take time to invest to understand management science Management science of things, of people and time right, and it doesn't matter if you're not supervising anybody, if you don't have any reports when you're an advanced examiner, I believe you just get those skills, and just because you've been doing it for 20 years doesn't mean that you know how to manage it.
Speaker 1:I'm gonna go out on a limb and say you're gonna suck at managing that stuff because you've been immersed in the technical work and you know nothing about management. You might think you do. You don't. Right. It's a different skill set, requires training, requires education, reading, and all that, depending on mentors, the same thing. So if you're experienced, think about that: how can I manage these things better? And you never know what role you can grow into when you do that. You dominate the technical side and then you start dominating the non-technical aspects of the job, I believe. Yeah, absolutely.
Speaker 1:Yeah, there's tons of stuff. Oh, last one, get peer reviewed if you can.
Speaker 2:Yeah.
Speaker 1:Yeah, I mean, you're an expert, go get peer reviewed, share that in a really formalized manner so we can take it into court. So just a quick note there. So, yeah, let's go into some tooling, because the show's gonna go a little long, but I think it's worth it for two reasons. We're gonna cover an update on a great tooling by Hexordia, a great company led by Jessica Hyde, so Heather's gonna show us some of the updates to their tooling, super awesome, and then we're gonna talk about really technical nerd stuff to close the show. So let's get on it.
Speaker 2:Yeah, so there was a new year reveal from Hexordia. We previously talked about the tool available on Hexordia called Input Output Syslog. Well, it has changed names and is now Evanole. The capabilities have also changed. There's some updates, so I'm gonna actually show everybody some of the updates. Let me share my screen here. So it has a whole new look, which is really cool. Let me, I'm gonna plug in my iPhone, and it's totally graphical user interface.
Speaker 1:It's beautiful, nice colors and everything.
Speaker 2:So when I plug in my iPhone, I have an iPhone XS. I plug it in, I get all of the general features and device data and identifiers related to my phone, and the whole interface is now new. There's some new key features besides the UI changes. It's faster. There's the option, if you go to settings, to pair or unpair your device. You can supply your own pairing record and it will also pair your device, and it will also handle multiple devices now. So if I plugged in an additional device, I can use this dropdown here to toggle back and forth between multiple devices that are hooked up to my system. And I'm going to hit monitor and run it for a moment here.
Speaker 1:Yeah, so what are we seeing there?
Speaker 2:So we are seeing all of the system information flying across the screen. It's live monitoring and analysis of the logs from the iOS device.
Speaker 1:That's as it's running live. That's beautiful. By the way, I had to make a quick comment. Folks that are watching can see this. There's a little, like, you know, like a little lizard there, right, the logo for it, and it has, like, a USB connector at the end. I think it's the cutest logo ever.
Speaker 2:It is very cute, yes, so, a little lizard there with a USB tail.
Speaker 2:And then you can pop over to the analyze tab and all of the analyzed data here is starting to pop up. There's new artifacts, so there's default wallpaper, airplane mode, volume artifacts, ringer artifacts, the flashlight, added lock state, camera and application state artifacts. So you can choose over here on the right-hand side the artifacts that you want to include. Just gonna pop back for one second. But one of the really big features that was announced for the new year is there's now a new iLEAPP report option. I'm just gonna click that and you can. So the iLEAPP report function, you click it and then save it out, and I am going to stop sharing with you for one moment and pull the report up.
Speaker 1:Yeah, I'm really happy it's obviously it's based off of the community project that I lead, so I'm really honored and proud that it's been adapted and used in this tool, so I'm really happy about that.
Speaker 2:Yeah, so this may look familiar to anybody who uses iLEAPP and ALEAPP. We now have the iLEAPP report. It has some of the same categories, well, all of the same categories here, where you can look at the details, the device details about my iPhone, the scripts that are run, talks about the scripts that are run and the processed files list, and then along the left-hand side are all of the artifacts. This phone I don't use that much, so there's not a ton of artifacts on my phone. It's one of my test phones, but we have application launch, so I launched MobileSMS, the App Store and MobileNotes previously in the day and those come up in the application launch section. There's battery percentages, and yes, it was at 1%. I let it die, I know.
Speaker 1:I'm shaking my head in disappointment. Like, if you send me a screenshot of your phone, the first thing I'm gonna look at is how much battery you have, and I will judge you, just, you know.
Speaker 2:This is a test phone, though. Mine always has at least 50%. Talks about the different Bluetooth devices that are scanned, the device orientation, so we have portrait and face up, landscape, and the volume button. I hit the volume button up once a little earlier today, so I have an artifact for the volume button.
Speaker 1:Yeah, and people might think, well, who cares if you hit the volume up button? Well, I care, because it shows that the phone was physically being manipulated in some way, in some, you know, actually not some way: hitting the volume up button at a specific point in time, to some extent, and if that specific point in time is indicative of something important in my case, I can say, yeah, this device was in the hand of somebody, and looking at the contents on the phone, I can tell you who that somebody was. That makes sense. So, folks, you should not sleep on this. You might think, well, how much battery? Well, who cares? Well, I do care a lot. If the battery levels are going up or going down, it indicates something about the real world. If it's going up, that thing is plugged in, right. And if I can find what it was, what's it? Ah, I'm sorry. If I can find that it was plugged into a car, right, does that make sense? So there's a lot of value in all this type of stuff that we're seeing here.
Speaker 2:Yeah, there absolutely is. Continues to show the device state, the general details about my phone. I have mobile identifiers, so my phone number, the IMEI, ICCID, which carrier I have it hooked up to. And then I have scanned networks, and actually this network is my home network. It was picking up all of the options of my home network, and a report I ran yesterday actually picked up the neighbors as well. Again, some of the artifacts.
Speaker 1:Oh yeah, and we cannot, I mean, underplay how important those are. That's just good stuff.
Speaker 2:I did skip one thing back in the UI. There's new sorting options and you can select certain features in the UI. Previously there wasn't that capability.
Speaker 1:Yeah, the graphical user interface is such an improvement and it makes it, it makes it, I even told Jess, this is just so smooth. It installs really smoothly and the usage is pretty much flawless. So I'm pretty happy with it. It's a community edition, obviously, so that, obviously, as it assumes that there'll be a non-community edition. So this tooling is growing, so just keep your eye on it.
Speaker 2:So here's the website for anybody who wants to go check it out. One thing I noticed when I was using it, so I used the original version as well, and now the updated version. It is much faster than the original version. I definitely noticed that.
Speaker 1:Yeah, and and is it something that I like? It seems to be faster, absolutely.
Speaker 2:Yeah, definitely.
Speaker 1:Yeah, so again, thanks, Jess and all the developers and the team that she put together. You're awesome, so we appreciate that. Another tool for the community to, you know, make things better, so thank you so much.
Speaker 2:So one of our last topics here, what's new with the LEAPPs? And I believe you're gonna show us some of the new artifacts that you have with the LEAPPs and some of the updates you've made.
Speaker 1:Yeah, you're correct. And before I get in, just saying that the new tooling is two times as fast, so that obviously is noticeable.
Speaker 2:So yeah, I really noticed that. That was one of the things. Definitely, right away I was like whoa.
Speaker 1:So that's awesome and I bet it'll keep growing. So, so what's new with the LEAPPs? So this is gonna be the most technical part, and I appreciate the folks that are gonna stick with us beyond the hour. I would like to hear some feedback, if you think this type of section will be good for the future.
Speaker 1:What I'm gonna do is talk about what's new, but then show a little bit behind the scenes, in more technical detail, what it entails to do a simple, quote-unquote, simple report, because I believe, as examiners, we need to start developing the mindset. We have the tools, we have technical know-how, but what's the mindset to apply it? So, so please let us know, hit us up on that. And you can put the comment straight up on LinkedIn. And we won't get offended, we won't get mad, right. If it doesn't work, let us know. If it works, let us know. But please do let us know why, either way, right. All right. So this is what we got.
Speaker 1:Let's start with what's new with tooling. First of all, again, a big shout out again to Johann Polewczyk, good friend from Switzerland, that I wish I would, Professor, at which I was there with him in Switzerland, beautiful country, and he's adding a whole bunch of stuff. I don't have the time to do it today. This is behind the scenes, or not behind the scenes, like under the hood, that's the better description. Under the hood improvement in regards to how the tooling manages certain things and how it uses updated GUI libraries. Updated, it takes old libraries that were not efficient and replaces them with libraries that are better. So again, a big shout out to you, Johann. We appreciate it.
Speaker 1:We got the team, we're building the team up to work on the reporting for this year. So I'm really excited about that. I say that like we had, we have these conversations like maybe 15, not 15, but an hour ago before we started the show, so we were working on it. So what do we have? Well, first of all, I'm gonna show some of the updates. I'll start with SEGB. So, as we discussed in the last episode, iOS devices, including Macs, are moving from SEGB files to another version of them, so we call them version one and version two. Okay, and let me show you our report. Right, so this is our report, and I cleaned it up even more after I took the screenshot, but you can see here the Wi-Fi report is done from a SEGB file format and you see a timestamp of when this Wi-Fi connection happened to a device, right, and I believe this is a router, correct, Heather, the "any dancer" device?
Speaker 2:Yeah, oh yeah, that's my home Wi-Fi, yes.
Speaker 1:Yeah, I mean, Heather provided me with some of the test data, so I appreciate it. Thank you, Heather. All right, so this is pretty useful, and I'm showing now another one, the airplane mode, right. When was the device put in airplane mode? Super important. You might need that for your case, and it all is kept within these Biome files, a file directory, sorry, which contains SEGB file formats within it, right, which contain within it protobuf files, which contain within it. You need. It's really nested, right. Now, there's more.
Speaker 1:I'm updating more. One of the things that I found interesting was, at least on Heather's test data, I believe what's happening is, if you update from iOS 16 to iOS 17, you will see SEGB files version 1 and then SEGB files version 2, right. So I think what's happening is, as it updates, it leaves the old ones there, but then starts working on SEGB v2 files moving forward. So when you do your examinations, you got to keep an eye on both. So now let's do a little bit of the technical stuff that I described previously. All right, I'm gonna share with you. I'm gonna open one of these SEGB files because I want folks to kind of understand a little bit of what the thought process behind doing this type of work is. Let me open it up. So I have a SEGB file for the Wi-Fi, and the first thing you might want to do is you want to look at stuff from different angles. Okay, and at this point I'm actually gonna share my full screen and I'll describe the best way I can for folks that are not watching, they're just listening. So let me see, how can I share screen one? Is this the one? Yes, this is the one. All right, so hopefully folks can see that. So I opened this SEGB file and I opened it with a hex viewer.
Speaker 1:All right, the first thing you notice is, on the, let me move this away, on the top right you see that the file starts with an X and then it has some values, and then on the kind of third line, you know, 40 bytes plus, you see there's SEGB in the file, right. This makes it a SEGB version one file. SEGB version twos have that SEGB indicator, or, you know, a magic number, at the front here at the beginning, the first four bytes of that file. All right, not back here, you know, 30 something bytes into the file. Actually, I can tell you exactly how many bytes. Right there, there we go, 52 bytes into the file. So, no, it's on the top.
Speaker 1:Now, as you scroll through it, you see some stuff that looks like gobbledygook. But you see some stuff that you can read, right. You can see here, I'm gonna spread it out so it looks better and then hopefully folks can see that on the screen. You see here, for example, "Wi-Fi connection". You're like, oh, this might indicate a Wi-Fi connection, right. Then you see here an obvious grid, right, and then you see the value, like "any dancer", and some other values, right? So I can read those. So that's how the hex editor shows it to me.
Speaker 1:Now, based on our understanding of SEGB files, we know how to get to the data portion of that SEGB file, and we know that that data portion is in protobuf, right? So how is this useful, what I'm showing you? Imagine you're working on a device, you run your tooling and you get all your SEGB artifacts from the protobuf, and when you did your verification and validation, you go to the Biome folder and you find a SEGB file that nobody has seen before. Your tool has never come across it. Therefore, it's not on your report, and it's something. The file, the name of the folders, the script is something important.
Speaker 1:Well, the first thing I'm gonna do is I'm gonna do this. I'm gonna open my hex editor and give it a quick look to figure out what could it possibly be. What can I read from this thing? All right, and say, okay, I've never seen this before. This is interesting. Again, this is kind of like an example. I'm gonna now go and look at that with the knowledge I have on how to work with these types of files. So what I'm showing now, everybody, is that script in Python on how to manipulate some of these. So the first thing I do is I import a library done by Alex Caithness of CCL Solutions Group to deal with SEGB v1 files, version ones.
Speaker 1:As I showed you, right, and I know I need a library to deal with protobuf. And this is the thing, folks, I don't expect you to know how to code, and you don't need to know how to code. I need you to, at least I would like you to, understand the thought process behind it, of how you need to do this. And from my perspective, right, you don't have to agree, from my perspective. So I import those libraries. I have a little function here. Function means a set of commands or routines to do something repetitively, right. That's gonna convert timestamps, right. You don't have to understand it, just how it works in Python, just the concept.
Speaker 1:I'm gonna get my file, as you can see here, line 13. I'm gonna get the data out. That happens in the highlighted part, and if you cannot see this, if you're listening, it's fine. That's not the point. And then I figure out if there's data in a record. And if there's data in a record, now, this is the important part, I'm gonna take the data portion of that SEGB file, which is in protobuf, and I'm gonna take that protobuf out and put it in a format that I can actually do something with. So I'm gonna run the script to show you. Right, like I mentioned, it's gonna take that file, it's gonna look for records that have data, and if a record has data, it's gonna pull that protobuf out and it's gonna show it to you in a format that's easier to understand.
Speaker 1:All right, so, as you can see here, you see sections. You see this, I'm gonna highlight a section. That is one record. There's a space there, or a new line, and there's another record, and there's a space here and there's another record. So now I'm looking at the same data in two different ways. I'm looking at the protobuf as the protobuf's being kind of converted, or kind of manipulated in a way, and now I'm also looking at how it looks straight from a hex view perspective, and the two tools.
Speaker 1:I'm using two tools right now. I'm using the script in Python and I'm using a hex viewer, or hex editor, and notice this. If you look at, I'm gonna pick the last record on the screen, this last record here, you can see in the bottom really easily to pick out what is this other, the GUID? Exactly, boom, right. So just by looking at it, like, hmm, have I seen that before in the hex viewer? Yeah, I've seen that GUID right there, and before that GUID in some of the records I see any dancer, right, that's a possible router name. Well, right, do I see it on my view in the script?
Speaker 1:I don't know, I do not see it. So if you think looking at data from two different tools is not important, it's extremely important, right. I'm using the hex viewer to be able to kind of look at that view and get some insight about it. And as I'm trying to manipulate the file to get that data out in a format that's digestible for my stakeholders, I'm noticing differences, right. It's not that the data is not there, it's there, it's just encoded differently. And having the two tools viewing it is aiding me in perceiving that.
Speaker 1:Imagine if I just started straight up with my script working on that SEGB file. I would have missed that whole any dancer value, I would have missed it, right. And let me give folks a background on this. The way protobuf works, is designed to work, is you take that data, you serialize it into a protobuf, and hopefully it comes accompanied by a .proto file. This .proto file defines all the records and values within that protobuf file, so then you can convert them properly. What happens in real life? That .proto file, that description of it, never comes with your protobuf file. Never comes with it. And you might ask yourself why, if we need it? Well, because this data is designed to be ingested by an app or by an operating system, and the app and the operating system, or whatever it is that's digesting it, they know how to interpret that. That proto knowledge is part of the app, but we don't have it, right, somewhere in there that we might not be able to pull it out, right. So what does that mean? It means that I need to then look at this and make those assumptions myself.
Speaker 1:If you look at this record that I'm showing you, this is what the library assumes that to be, and it's a guess. And it goes back to what I said previously, and thanks to Josh, he said soapbox, not rant, soapbox, on my soapbox a second ago. Right, there's tolerances. It's not zero or one, in a sense, right, although they are. The tool is making an interpretation. In this sense, it decided to interpret that any dancer ASCII value as a big, long kind of integer number. That's how we decided to do it. And is it wrong? It's not wrong. It's a different way of presenting it, but it's not the preferred way of presenting it, right? Does that make sense, Heather?
Speaker 2:Yeah, it absolutely makes sense, and I think a lot of people, including myself at one time, would have just scrolled right by it and not even realize it was anything.
Speaker 1:Oh, thank you. Yeah, and that's exactly, thank you for that, that's exactly the point I'm trying to make. Look at that same data, two different ways of looking at it, because each will give you some insight. And so we're looking at data in this example that's not parsed by the tool. So you cannot lean on the tool, just the one tool, to do it for you, right. You have to lean on yourself and on your knowledge of how this works, right? So the next step is, and now this is a part, and this is the, I'm sorry, I'm kind of talking over myself, I get really excited with this topic. This is the main point I want to show you, right. Use multiple tools, especially when you're looking at data you haven't seen before, so you can get insights into what's happening within it. Now I'm going to go a step further and show you, if you know how, you can take scripting knowledge to take it to the next level, right? So let's do that.
Speaker 1:So I know specifically that before the GUID, there is a value that some records, a lot of them, should say any dancer, and I know that because I looked at the hex. Okay, so if I look at my record, you'll see the records, the way that the Python library has presented to me, presents this to me in keys and values. Okay, kind of like a JSON file format. In Python it's actually called a dictionary. Okay, so you got key one and within that key there's other values, and you can have other keys within that one. So the first one is going to be a key one, and then another key one, and then a value with this Wi-Fi connection that has a little b on the front. That means binary. So the tool is interpreting that as binary. So the question is, well, how do I know? How is the tool interpreting each of them individually? Well, what I'm going to do is I'm going to go back to the code, and when I take my data, that protobuf data, and I decode it, right, deserialize it into a dictionary.
Speaker 1:My library that I use, by the way, it's done by Jogeshka3. He kind of built it on the blackboxprotobuf library. It's going to provide to me my protobuf data here under proto stuff. That's how I called it. So, like, I use another variable called types. What I'm going to do now is I'm going to only show you types. That will be the interpretation the library is making for you, so hopefully you folks can see that on the screen. You see there that for the first key, the type is going to be a message, and that message, moved to the right, is going to be bytes. Does that make sense? Notice that the Wi-Fi connection had a little b in front of it. Well, it has bytes in front of it. That's why it's making that interpretation, right. If you go down, and if you remember from the previous image, our GUID was on key five and also had a little b in front of it, which is also bytes. Right, you're with me with that one, Heather, does that make sense? So far, yeah, yeah.
Speaker 1:All right. So we mentioned that before the GUID, that's where the device name was, right. If we look at the key before it, key number three is type message and then type is fixed64. Okay, that's a type of data. I'm not going to bore everybody with the details, but in protobuf there's six wire types, and each wire type can represent multiple data types, and that's why tooling is not perfect. It makes assumptions and we need to realize that. Tools make assumptions. We need to validate them and change them as appropriate.
Speaker 1:So what I'm going to do now, I'm going to go and, you know what, I want to see that as bytes. I want to let my operating system interpret that as bytes and see what it has. So what I'm going to do now is I'm going to take all this interpretation, I'm going to copy it, and then I'm not going to put it in my code. Let's put it up here. It's not the best way of putting it, but for the example it's going to work. I'm going to call this, I'm going to call it new types. Not really new, I should have called it like altered types or something, but that should work, right. Let me hide the documentation view that came up. Okay, perfect.
Speaker 1:And now I'm going to change a couple of things. The first thing I'm going to change is, I'm going to go and this type, instead of message, I'm going to name it bytes, okay. And then I'm going to take that definition, I'm going to apply it to my data, okay. And I know, folks, that you cannot see what I'm doing because you're listening. What I'm doing is I'm taking that little change that I made and I'm now passing, giving that change to my library, so then it can apply it. So let me see if I applied it correctly. If not, then I'll mess with it and we'll get it done. We're almost done here, all right. So I'm going to apply it, and look, immediately after I apply that change, you see that. You see that the third key we're talking about. What do you see there?
Speaker 2:Heather Any dancer. My Wi-Fi network.
Speaker 1:Now we can actually read it. Was the script or the library wrong? It was not wrong. It was making an interpretation because it had to. I am the examiner, I made the examination, I go in and, based on my understanding, I can present this properly. All right, another good one.
Speaker 1:Folks that are watching, you'll see key number two has a big, long integer. Key number three, another really long integer. It's interesting because the first, whatever, 10 or 12, let me see, one, two, three, yeah, 10 or 12 values from left to right on this integer, they're the same, right, on both. To me, that's significant. That usually means that this could be a timestamp, right? Possibly, right. So I'm going to save everybody the details. I'm going to go and look for key two and three and I'm going to change them. And the two, instead of fixed64, I'm going to change them to doubles. That's another data type, and if you've never heard about them, that's motivation for you to start working this year on figuring out what that means. I'm going to execute it. And now that long integer becomes a decimal, I say decimal but a fractional number, right, because I have a little dot there, and if you're familiar with WebKit timestamps in iOS, just by looking at it, you know it is a timestamp. Okay, and again, if you're not familiar with timestamps, how they look before they're converted to a human readable timestamp, that's also something you can work on through the year.
Speaker 1:So, to make a long story short, what I'm going to do now is the timestamps. Just to show you the example, I'm going to take one of the timestamp fields. I'm going to use my function to convert timestamps that I defined at the beginning of my script, and I'm going to just apply it. I'm only going to show the timestamps this time, and there you go. This is one of the timestamps for each record, right? If I want to show the other timestamp, I'm going to go and do that conversion on each of the timestamps, right. There we go.
Speaker 1:So now this is the part that becomes even more interesting. You might be, what do these timestamps mean? It means that you have to take your test phone, generate some data, connect to some Wi-Fi devices, keep track of when you connect and disconnect and all that, take that data out, run, do this analysis and then try to make sense of it. And these are connection and disconnection times. Some of them are pretty, like, kind of like concurrent to each other, right? So even though they're split in little pieces, they're pretty much back to back to back to back, which to me would indicate some sort of continuous connection. Okay, but that only comes from you actually testing that data and making sense of it, all right. So, takeaway from this portion.
Speaker 1:Use more than one tool when looking at data, and I'm not talking about only, well, use Axiom and Belkasoft, or FTK and Physical Analyzer. I'm talking about when you get a data set you haven't seen before. Look at your hex view. Use your libraries. Then use the corporate tools, use open source tools to get knowledge, a broad knowledge of it. Then pick what's your more, the way you dominate or you are more skillful in dealing with these things, and start aggregating that knowledge so your stakeholders can have the best view of the data that you can provide to them. I like to use Python. It doesn't have to be Python, it could be something else. The point is, apply that process. Don't just scroll through things without thinking about them. Apply that process and you will get really, really good results.
Speaker 2:Yeah, you're definitely, well, and, like I said before, anything that looked like that I normally, when I first started my career, would have scrolled right past. So learning what all of these data stores are like, how they work, what tools work best for them, is really, really important.
Speaker 1:Absolutely, and let me know, I'll be straight. You'll be like, Alex, that was Briggs, that was too long, it was too high level or too low level, and don't do it again. Then we won't do it again, but let us know if there's value in that, and if not, then maybe give us some ideas of how we can provide value to the community on this type of deep level topics. So we would appreciate that.
Speaker 2:Yeah, very good. So we are at the end and we have the meme of the week. Yes, you cannot skip the meme of the week. Let me share it.
Speaker 1:That's my favorite part of every episode.
Speaker 2:Describe it. I think this was your first meme of 2024, and we have the investigative team standing around the digital forensic examiner, who appears to be the only one doing any work.
Speaker 1:Yeah, there's this poor guy, like in a hole, right, doing some work in the hole. Maybe they're looking for a pipe or something, who knows. And everybody's looking at this poor guy in the hole trying to make the work. Yeah, that's us, it's us. And you might say, like, oh, whatever, you're exaggerating. I was talking with some other examiners and I've seen it. It's like they do. I don't know your agency, but my agency does file reviews, right, and what that means is, at certain periods, management wants to know where the case is at. I mean, what progress have you made on this case, right? Are you working on it, do you need help? Whatever. And I've seen in some instances, I'm not going to say what agency, but the update for the case is "we're waiting on forensics." No, you're not. I mean, you can subpoena stuff. You can go and get some material from the cloud and do some other things. You don't need to just sit and say, well, I'm waiting for the forensics.
Speaker 2:Write your reports Always waiting on the forensics.
Speaker 1:Yeah, that's like an excuse, man. Go do your job, I'll do mine, don't worry about it.
Speaker 2:I think it's a really, really good top contender already for meme of the year for 2024. But I had to pick what I thought was the meme of the year for 2023. There we go. I will show you my favorite one from the entire year of 2023. This is the winner. The winner is, the winner is the digital forensics, I don't even know what those things are.
Speaker 1:Three-headed dragon.
Speaker 2:Yeah, okay, so the acquisition, the parsing, and then you get to the analysis and reporting, which, by the look of the face, will be the area that the report is lacking. It's lacking, but the investigation is lacking. Yeah, that was my favorite of the year. I'm sure somebody, or several in the comments, or comments later, are going to disagree and think that you have a better meme of the year, but this one was my favorite.
Speaker 1:Yeah, no, and I think it was the favorite of most folks that come by my LinkedIn, because it had the most likes, and it's absolutely true, the three-headed dragon, which is our field. If we divide industry parts, we need to work on analysis and reporting, and then not only from the level of the tools themselves, but us, because at the end of the day, even if the reporting on the tooling sucks, you're the one putting the stuff together. So it's kind of introspective. So I'm criticizing, but I'm also pointing myself out in the process. So, pretty good. I like how Kevin calls. You know the door. You know why. This is Heather. No, no, you got to watch more Godzilla movies. Bye. Yeah, you need to watch Godzilla movies. See, I was giving Heather a hard time because she loses a lot of movie references, so I'll keep giving you a hard time till the end of time.
Speaker 2:I laugh at the movie references, but most of the time I'm not getting them, so sorry.
Speaker 1:Now it's pretty neat, and before I leave, because I know I'm looking at the chat, I couldn't look at it, I was talking. Josh Hickman makes a good few points. Some of this protobuf stuff in SEGBs, timestamps tend to be in doubles. And he's making a point that GPS coordinates also tend to be in doubles. And it makes sense, because GPS coordinates tend to be, you know, kind of fractional, right. You got 85 dot whatever, right, so it's represented in that type of fractional format. So again, if you're listening, there's a lot of benefit to being in the chat, so I would recommend everybody to come join us live and be part of the chat. There's a lot of knowledge going on there that we cannot get to. Good people in the chat. So we appreciate you and we love you. Thanks for being here.
Speaker 2:Yes, thank you.
Speaker 1:And with that we came to, I think, the longest show ever. It is. Again, thank you everybody, and we'll do it again in a week, or in between.
Speaker 2:Thank you very much.
Speaker 1:Thank you everybody, and to that, we'll see you soon. Bye, bye, bye.