Digital Forensics Now

Don't Strive to be Mediocre!

Heather Charpentier & Alexis "Brigs" Brignoni Season 1 Episode 13


Embark on a journey through both history and the cutting-edge world of digital forensics with us as we pay homage to the brilliant Dr. Gladys West, whose work underpins the GPS technology we take for granted today. In celebration of Black History Month, we draw inspiration from Dr. Martin Luther King Jr., discussing how we can all contribute to the fight against enduring societal challenges. Our conversation is a testament to the power of empathy and action in fostering societal change, spotlighting the often overlooked breadth of achievements by historical figures like Dr. West and Dr. King.

Unravel the complexities of iOS location and Unified Log analysis through our educational talk on the recent breakthroughs highlighted by experts like Ian Whiffin and Lionel Notari. Discover Magnet Axiom's new Animated Map Routes feature, which provides an additional facet for courtroom presentation.

We wrap up with a deep appreciation for the significance of training and expertise in digital forensics, engaging with the thoughts presented by Shafik Punja in his 'Bullshit Hunting: Digital Forensics Edition' article. The discussion traverses the critical role of proper forensic training and tools, the ethical responsibilities that accompany our work, and the profound impact that our industry has on legal outcomes and lives. 


Notes-

The Cyber Social Hub- Daily Digital Investigator Episodes
https://podcast.cybersocialhub.com/

Belkasoft's Free Android Forensics Class
https://belkasoft.com/android-forensics-training

Apple Maps - Visited Location?
https://www.doubleblak.com/blogPost.php?k=mapssync

iOS Unified Logs - WiFi and AirPlane Mode
https://www.ios-unifiedlogs.com/post/ios-unified-logs-wifi-and-airplane-mode

Animated Map Routes in Magnet Axiom
https://www.youtube.com/watch?v=fyPrJKLhD9k

8 Log Files You Can Collect from iOS and Android Devices
https://www.magnetforensics.com/blog/8-log-files-you-can-collect-from-ios-and-android-devices/

Candidate Examiner's and Training Programs
https://www.bullshithunting.com/p/bullshit-hunting-digital-forensics

Sources of Error in Digital Forensics
https://www.sciencedirect.com/science/article/pii/S2666281724000027

Speaker 1:

Welcome everybody. It's Thursday, February 29th 2024. My name is Alexis Briggs-Brignoni and I'm accompanied by my co-host, the one woman digital forensics training program, the one that's down with the SOPs yeah, you know me, I mean her. The one that's unique like a viable bit hash Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. And we start the show once again. Hello, Heather. Hi how do you like that intro?

Speaker 2:

Down with the SOPs.

Speaker 1:

Yeah, you know me, at least I got the reference. For a change.

Speaker 2:

Yeah right, oh my gosh Well thank you everybody.

Speaker 1:

I see people joining in from Instagram and people joining in from YouTube and from all places. So again, we're really, we're really happy to see you. I got Michael Tana's happy leap year February 29th to all, so, I agree, happy leap year for everybody as well. And what's going on, Heather? What happened this last couple of weeks?

Speaker 2:

Well, I guess I'm training and I'm down with the SOPs the last couple of weeks. You have to be yeah definitely Doing a lot of work, and you know same stuff. I'm not writing any scripts this week, though.

Speaker 1:

I'm disappointed and sad you need to pick it up.

Speaker 2:

Yeah, I know right.

Speaker 1:

Yeah, it's like any skill if you don't use it, you lose it.

Speaker 2:

How about you? What's new?

Speaker 1:

I have a little DFN light there on top of my head, so the folks who are listening, it's neon lights, so DFN obviously, Digital Forensics Now, right, we're on air. Another neon sign underneath and you know maximum effort, so that'll be a topic, a part of the topics that we'll discuss today, so we have a good show for everybody. Obviously, we're still the last day of February, so we're gonna again share with you a couple of thoughts for Black History Month, and Heather's gonna bring us the first person that we're gonna be celebrating with.

Speaker 2:

Okay, so I chose to present Dr. Gladys West as the notable contributor to the field. She is an American mathematician known for her work contributing to the development of the global positioning system, so GPS. She was valedictorian of her high school graduating class, received a full scholarship to Virginia State College, and she earned her degree in mathematics there and later earned a master's degree in mathematics at the same school. She was hired as a mathematician by the US Naval Proving Ground, a weapons laboratory in Virginia, and she was their fourth Black employee. In 2018, West was formally recognized for her contribution to the development of GPS by the Virginia General Assembly, and that same year she was inducted into the Air Force Space and Missile Pioneers Hall of Fame and named one of the British Broadcasting Corporation's 100 Women of 2018.

Speaker 1:

Nice.

Speaker 2:

Yeah, so really inspiring, inspirational woman who contributed to the field.

Speaker 1:

Yeah, if we went for her, we would be all lost. Yeah, definitely, some of us are lost, even with GPS but that's another story. I would definitely be lost without GPS, that is for sure. And it's amazing, like something to take for granted technology, but there's real people, human beings, that had to come through a lot of adversity to contribute and do things. So it's good to remember them. So that's pretty cool.

Speaker 2:

Actually too, before we switch. I had, of course, I forgot to open it while I was talking, but I'm going to throw her picture up on the screen here.

Speaker 1:

Yeah, yeah, let's see her.

Speaker 2:

So this is Dr. Gladys West, who contributed to the GPS.

Speaker 1:

Awesomeness, awesomeness. That's pretty cool, so I want to. We went to follow up with, for Black History Month, one of the folks saying I can, maybe you can put that picture up here for the section. In LinkedIn, obviously we're all celebrating and some examiners were celebrating and one of the examiners put a picture and Heather's going to bring it out. Stacey Eldridge, really capable, awesome examiner, and she put a little note.

Speaker 1:

So different things that Dr. Martin Luther King we should know and some people don't know about, and she made a list of some of those really important ones. And we have this discussion and we were agreeing that sometimes our history classes are a little bit faulty in certain parts, right. So that's why we have this type of celebration, so we can be more educated and what I wanted, and we're going to leave that on the screen. But I just wanted to mention a couple of things. We talk about inspirational people for Black History Month or for whatever celebration it is, but I think it's also worthwhile to remember the reasons we're celebrating these individuals, specifically somebody like Dr. Martin Luther King, right, and I would also make a couple of points in regards to his life, philosophy and his message and how he talked about the importance of the individual to address three what he calls systemic evils, right. Poverty, racism and militarism. And what he meant by that and kind of apply to the, you know, to today, in 2024, you know poverty, homelessness, hunger, malnutrition, illiteracy right. Racism we can talk about that as prejudice. Antisemitism, sexism, homophobia, ageism right. Militarism we can talk about domestic violence, rape, terrorism right.

Speaker 1:

We all remember Dr King's I have a dream speech, really inspiring, but most of us don't really know anything more than that.

Speaker 1:

Right. And we also have to realize and, you know, look back at his writings and his speeches and recognize that for an ideal to actually become reality, it requires action. Right, it requires individual introspection and action. It requires us to demand and ask for elected leaders to address these ills, right, and to really speak to our better angels. Right. It requires us to do little acts of kindness every day, to put ourselves in the shoes or the mindset of others. Think how would somebody with a different background for me would see this thing and appreciate the diversity of experience, of thought, of colors, of mentality and value them, because there's value in integrating those and recognizing that my viewpoint doesn't necessarily have to be the best one at all times right. Hopefully that makes sense and if we remember those things then we can put a little grain of sand in taking this experience, this world, and leaving it better than how we found it. And that's the parting thought for this week on that.

Speaker 2:

Very good.

Speaker 1:

Actually, before we continue, I want to highlight, you know, they said it's a leap year. So, Kevin, being the smart Kevin that he is, he's like more, like LEAPP.

Speaker 2:

Oh yeah, there you go, yeah, yeah.

Speaker 1:

So LEAPP as in Logs, Events, And Properties Parser, some of the scripts that we manage, so more like LEAPP year, am I right? So I liked it, I liked it. I know it's like a dad joke, but I like it. All right.

Speaker 2:

That's good.

Speaker 1:

Yeah, so, yeah. So we celebrated that. So what we got next?

Speaker 2:

So I wanted to mention a new daily investigator episode, Daily Digital Investigator episode, that's put on by the Cyber Social Hub, which is Kevin DeLong, and he is doing daily. He's picking out daily articles that show up in his feed or something that's interesting in the field and he's highlighting it and it's a really short listen. Once a day, just a few minutes, about an article or another podcast or some kind of research in the field. So if anybody, everybody gets a chance to head on over to his podcast, take a listen. There's some really good, really good things he's talking about on those daily podcasts.

Speaker 1:

Yeah, and on my drive to work I like to do that I put a couple of podcasts Like in a row, like a little semi playlist before I leave so you can listen to him and then listen to us or listen to something else and you know, you get like a little bit of an education as you're driving. Usually, as we're driving, we're not really, you know, just driving right, so you can take advantage of that time, you know.

Speaker 2:

Those are perfect for my ride to work, because my ride to work is only 15 minutes, so I can listen to one a day on my way in there you go, boom yeah, you're done with the podcast too, apparently.

Speaker 2:

Another thing going on is Belkasoft's free Android class opened up a few days ago on the 26th. They've made a couple changes to the way they're handling it, though. They had such a large number of registrants that they're rolling out access to the course gradually. So if you signed up and registered for that free Android class with Belkasoft and you haven't gotten your entry key yet, it'll be here. They said that everybody should have their entry key, I believe, within two weeks of the date of registration. So if you get a chance to take that, I know their iOS class was really good and I'm looking forward to taking the Android class, and that'll be open for free for a month.

Speaker 1:

So yeah, no, that's awesome and I don't know if Yuri, Yuri's, you know, the founder of the company, you know that you made an announcement yet or not, but they're gonna have like some conference coming in, like you know, virtual conference and all that. So let's keep an eye out on that and hopefully I'll be able to present. So I'll put in for that and fingers crossed. So we'll see yeah, nice.

Speaker 2:

Um, there was a blog that came out today too. Ian Whiffin put a new location blog, which I, he's kind of like the locations king. He has so many blogs on locations and what they mean or what they actually don't mean. I'm gonna just share my screen here for a second, let's see. So he did a blog on the map sync. So in iOS, the Apple Maps, the map sync database, and he had some really interesting research in here, some things that came out exactly the way he thought it would. The data in the database was actually what you'd expect, and then some that he didn't expect, some timestamps that he didn't expect. So everybody gets a chance to head on over and check out that blog. It's really good data and he actually details all of his testing, as you can see here in the database, and really lays it all out for you to see yeah, and I think, if I'm not mistaken, that database has some protobuf in it and some other things.

Speaker 1:

So I'm gonna sit down with it and update some of my parsers to make them, you know, based on this information, making it even better. And you, you have to be aware you can't just say, well, I'm just gonna wait for the tool to support it and then we'll see what it is. Sometimes, you know, a lot of times, even when the tool supports it, if you don't take the time to understand the artifacts, whatever the tool is showing you, you'll be clueless. Let's, let's be real here. So you need to understand the background of the output. So, whatever output the tool gives you, you can interpret, interpret it correctly for whoever needs it.

Speaker 2:

So right, and also these blogs about locations have saved me quite a few times. Locations don't always mean what you think they mean you. Your first glance you're like, oh okay, so they, the device was in this location. And that is not always the case. So if Locations are parsed by a tool and you do that, check all locations and send it out, it's gonna be super confusing to whoever your end user is, and Ian really helps make sense of which are the more trusted locations that you can find in an iOS device.

Speaker 1:

Yeah again, and we talked about that last time and we talk about tolerances last episode. Well, same with data sources in mobile devices or any device. Some are more accurate than others. They're not. They don't all have a hundred percent accuracy and I think people just assume that, right, yeah, and if that's not the case, I even have memes about it which you could share another time. But you need to understand and how accurate your data source is, to put it in context, and if you don't do that, you you'll be making some mistakes or not, given the service that it is expected. So if I follow, follow and follow Ian and go to his blog and and benefit one of my main resources, so we'll check it out. Oh, and, as always, we'll put those links in the show description, so you don't have to worry about writing that down now definitely.

Speaker 1:

And so another blog post that was pretty neat came out this week. It's on iOS unified logs, and it's a blog by. What's his name?

Speaker 1:

No, no, Notari, right, I forgot his name, Lionel Notari, if I'm not mistaken, I'm pretty sure right yeah, and it's pretty good because what he does is he talks about unified logs and he shows some of the messages that could be of relevance in regards to Wi-Fi and Airplane Mode. Like Wi-Fi, there's a connection with Wi-Fi. It shows what it connected to, the BSSID that was connected, was Airplane Mode on or off. It also shows if you activated it by using the Control Center by swiping, you know, the screen or by hitting the back part. So it shows how that shows in the log as he's doing this testing. He's looking at how the log records those activities as he's doing them. Okay, so for folks that are not aware of what the iOS unified logs are, I'm gonna give a quick description.

Speaker 1:

This log format is utilized across all Apple devices. Okay, you will find it in Macs. You'll find it in iPad. You'll find it in iOS. Okay, this log format. It's binary format, so you can't just open it and look at it. I mean, you can and you can read a few things, but it will make no sense, so you need to use Apple, a Mac computer, to be able to go through it. There's some parsers out there and it's hit or miss because there's a couple different versions of these logs and it's a bit, over here, hit or miss to parse them outside of an Apple machine, but for sure it can be done. I use a Mac computer, which I'll show you in a minute. These logs have an extension of .tracev3, as in Victor, and there's a whole bunch of them and it keeps track of that. So I, again, we've used this for a long time and if you take that individual log, .tracev3 file, and try to open it, it's gonna give you some problems. It's not gonna really work because there's other considerations. The log needs time sync information to make sure the time offsets are correct and it needs other information. So the best way that I think, from iOS devices at least, that I think should be done is by generating first a sysdiagnose log. Okay, when you generate that, one of the outputs will be a compilation of all these logs in a really nice format that's really easy to open with a Mac computer.

Speaker 1:

I know this sounds a little bit esoteric but I'm gonna show you right now. So I'm a good friend of the podcast and personal friend as well. Geraldine Balai, she has a great article in her blog, where she talks about, let me show you here, you can see on the screen. The article is about how to look at these logs and look for AirDrop artifacts. The point I want to show you this is because, as part of showing those AirDrop artifacts, she gives a great explanation on how to go about getting those logs and, as you can see there, has the pictures like step by step: go to Settings, go to General, Privacy, and it tells you what to hit to then generate the logs and then she tells you how to pull them out of the device. Okay, so that's so. Go check that out and we'll put her blog post on the notes for the show.

Speaker 1:

Okay, all right, so we got that. Now what do we receive? So I'm gonna now move over and open, share my actual desktops. You, we can look at that real quick. Let's share my screen here, screen number two. Yep, there we go.

Speaker 1:

So what you see here is a little bit small, but don't worry, what I want you to see is gonna be large in a second. You see that after you do your extraction of the iOS sysdiagnose logs from the device, you can look in there and get the system_logs.logarchive, right, it looks like a file, right. It's not really a file and let me, let me show that to you. It's really, let's open it with a new terminal. There, it's actually like a type of directory and I don't, it's a bit small, but maybe let's make it larger so we can at least see that part. And it's just, this will take literally a second, so it's. So I'm gonna show you what's inside of it, much better. So let's do an ls and make it -l so we can see all the metadata for those files.

Speaker 1:

What you see here is how this sysdiagnose process collected all the logs. These are all these logs here. You can see them there, kind of like hex-named. And then you see other directories like Persist, Signpost and Special. Let's go into, let's go into one of those, because I mentioned that these logs end in .tracev3, right, so let's, let's try the Persist ones. Let's do the same, an ls, so look at what's inside that directory and look at that metadata, and this looks a little bit ugly.

Speaker 1:

Let's open the screen. There we go. So you see there the .tracev3 logs for that, for the Persist directory. Previous log versions were not split in the end directories like that, they were like, they were called, I think, log, persist, archive and then .tracev3 at the end. So there's been changes throughout the years on how all these logs are accumulated or, you know, presented or recorded, I should say. Okay, cool, so we have them now. What do we do with them? Let's now share the full screen again so folks can see that. And what you do is it's really easy. Just go toward that directory where your stuff is and just double click on it and you, and this only works on a Mac computer, macOS. Double click on it and it will open the Console. Right, we're just going to click on it, so right, which obviously opens as a different screen. So let me go to that screen.

Speaker 2:

And the console that I paint on the screen changing.

Speaker 1:

Oh yeah no, I'm jumping and jumping back and forth on on things. Now Where's my console? There we go, all right. So I know it's a little bit small, but so it's pretty neat. It has you on the left, top left. It's kind of blocked by a little bit by the our logo, but you can put their stuff to look for and then on the left under showing here on the left bottom left, you can select last day, last hour, 30 minutes, five minutes, select all messages first, so that way it kind of presents them all, loads them. It takes a little bit of time.

Speaker 1:

This is not the fastest way of looking at things, for this, for a single reason, that there's a lot of data. This only has data for two days and it's about almost five million lines of log for two days in the data set that I have. So you, these logs could look to be more, a couple of weeks, right, or more, so you can imagine how big that is. So load all your messages and then you can go up here and look for things. So in this case I selected the Wi-Fi state change message and you can see here in the center of the screen and if I go down you can see. Look, Wi-Fi state change is not connected but connecting to Dean Frankel. That's the name of a router.

Speaker 1:

Okay, just just one example. You can and I recommend folks go through it, see what you can find. See if you've like, like, like the blog post that we're talking about it. See if you find certain indicators or processes that talk about Artifacts that you might not see anywhere else. Right, it might be a log of something that's ephemeral, that in your full fast system extraction from your device it might not be recorded anywhere else. It might only be recorded in these type of log files.

Speaker 1:

So pull them out and do some testing and if you find something that you think is of value, do share with the community, make a blog post. You don't have a blog post. You can, you know, contact me, contact Heather and we'll. We'll find a way to make that Public for everybody. We'll talk about it on the show, whatever it takes, so we can all all grow with that so great resource. There's a whole bunch of things in these logs I wish we had. We could do a whole episode on it. So, yeah, so just just for the everybody listening, just check, check that out.

Speaker 2:

Very cool. So today, I think like 15 or 16 hours ago, Axiom, Magnet Axiom started supporting animated map routes. I was scrambling today to find some test data so I could show you guys what it looks like. Breaking, breaking news.

Speaker 1:

Breaking news you go, you heard. You heard it here first.

Speaker 2:

Um, and I got, I got some data processed, so I'm gonna just share it up on the screen and then they have a YouTube video showing this as well. You just pop it up here, all right? So when you process your case in Magnet Axiom, I have it filtered to just the cache locations. There's a new option over here where you have the column view called route view. If you switch your view to route view, it will bring you to this world map and you can use these route settings over here to choose what you want to show. It has support for Apple Maps searches, Apple Maps trips, cache locations, any locations that are found in your iOS or Android extractions.

Speaker 2:

I chose the cache locations here and then you narrow it to a date and time. I chose a date and time and then you calculate routes and the tool, the tool will find whatever routes you have in that specified date and time. I had three for the date and time that I chose and I'm just gonna show one. So it's a really short route that I found, but it has this animated map and that's, it's traveling right now at the one time speed, 10 times speed and then there's a hundred times speed, which is crazy fast. But it also has a record feature to record those in an animated map routes. I thought this was a pretty cool addition to Axiom. Cool.

Speaker 1:

Oh yeah, I mean you see the little Little pin ten a semi Google like the Google map looking pin moving around the road or I guess whatever the geolocation points are right and it kind of moves back and forth through that route, which is pretty neat. I mean, again, it speaks to being able to illustrate this at a court or whatever stakeholder needs it and you have that visual representation Of how that moves. I guess I mean, does that need? Does that need internet to work, or how's that?

Speaker 2:

Oh, yes, so you have to be able to connect to the, the world maps that the. If you have an internet connected computer, it'll work right away for you. If you want to use it on a sandbox machine, you have to set up an offline map. It's a server, so you download I forget the name of it now but you download a file and set up an offline map server and you're able to use it offline as well. I have not. I've not tested that feature out yet, because I heard about it just today. So I will, I will and I'll report back.

Speaker 1:

No, absolutely, and that's important because I, some of our labs, by policy, we can't have internet connection in our forensic networks, right, right, but there's that alternative. Get that map server, set it up and you're good to go. So it's another, a great option. I like this, not only for the visual, but like the broader, the broader field perspective, how tool makers are now competing also on features. Right, look, we have, we'll have the same data. But look, I present it in one way, another presents it a different way, or we make some conclusions based on this data that another vendor doesn't have. So it's good, it's good to know and be aware what those capabilities are, because a particular case might require an animated map feature and Axiom, as of now, is the one that has it, right, an excellent addition for courtroom testimony purposes, right, an exhibit so.

Speaker 1:

Super awesome.

Speaker 2:

Stop sharing my screen here. Speaking of log files too, Chris Vance, actually, from Magnet, he presented at the 2024 Magnet Virtual Summit and in a Mobile Unpacked episode, which you can find right online, recently about locations that examiners can find types of logging data. So the Mobile Unpacked episode is 14 if you're looking for it, and it's titled Logging La Vida Loca. Crafty little name.

Speaker 2:

Oh, that's, that's, that's so, that's so Chris, that's all him. On the website you'll find a cheat sheet, so a quick reference guide, and that is a quick reference to where you'll find all the log files. He outlines five log files from iOS devices and three from Android and it'll tell you the locations of the log files, and different ways to collect them are included on that cheat sheet, and we'll have the link to that after the show. But here it is for now.

Speaker 1:

Yeah, no, it's. I mean, I love Chris. I remember we, some years ago we gave a joint presentation or talk at a SANS DFIR Summit and we were talking about deleted sources of data. If you delete certain sources of data, how can you get that data from somewhere else? And we went up there. He decided to make it sound like we're in a funeral, like we're here to remember the departed sources of data.

Speaker 1:

You know and that the kind of that type of spiel. So, and he came with that out on the fly before we went up on the stage.

Speaker 2:

It came up pretty good.

Speaker 1:

No, it came up pretty good and, and you know, I mean so many years ago, quite a few years ago, and that's been part of some of the stuff that we now, that I feel focused on moving forward, I did with him, is looking for those data sources and where they're deleted. But if you don't know the data sources to begin with, you cannot find them if they're deleted or not, or they exist. So folks do check out Chris, Chris's blog on those topics and, again, really legit guy. So go check it out, you'll benefit. All right, is it, is it my soapbox time yet, or not yet?

Speaker 1:

Yes, all right, everybody so.

Speaker 2:

I've been.

Speaker 1:

I've been waiting for the last 28 minutes for this part of the show, all right. Oh, Geraldine says that she still references that presentation from the deleted artifacts, so I'm happy that still serves a purpose, all right. So my soapbox moment, it's a new, what, what did I call it, a segment?

Speaker 1:

Our new segment here, we don't do it every show, where I'm gonna tell people what grinds my gears, right. And this week it was, I, we read, and Heather really pointed that article to me, a great article by Shafik Punja. Shafik, again I, really well-known Canadian examiner. I, before you know, like old-school examiner, the good ones, I know him, not personally, but interacted with him online for many years now, and he did an excellent article where he talks about, and I will say this, it's called the, the blog, I'm sorry, not the blog, but the, yeah, the blog where it's published, it's called Bullshit Hunting, right, and he talks about how he was brought in by, I think, the prosecutors to examine the testimony that was given in the case by a detective in regards to the forensics done in that particular case, right, and what he does is the beginning of the article, he goes and explains well, this is digital forensics, this is what we do, the Locard principle about, you know, every exchange leaves a trace or something like that, and, yes, you know that by memory, right, and explains what digital forensics is, right.

Speaker 1:

And then he says that, even though you know, he starts drilling down the testimony and he describes how this detective went into it and first of all, he did not do the extraction, right, that extraction of that device. It was a mobile device. He did not generate it but he received it, he was to process it and when asked, he highlighted in his article that the detective mentioned that he had an eight hour, eight hour law enforcement class on Facebook, phones and stuff like that. And if your testimony is, and stuff like that and whatnot, that that is a problem, right, yeah, I don't think stuff like that, I mean I guess it covers a lot but at the same time it's not covering anything. Yeah, stuff like that is not a thing. And you know he was saying that Cellebrite was used and that he plugged the phone and he downloaded things from the memory of the phone. Right, and he goes into great detail explaining. Well, if you're an examiner, you know that words have meaning. Right, it sounds silly but it does. You don't extract the memory of the phone, because what are you doing? Why are you talking about memory? Is it RAM memory, like there's, maybe what? Obviously, what he was referring to was the storage he downloaded. You know, whatever's in the storage of the device, right? So the point, and this is the part that, again, at the end of the article he goes through all the detective's testimony, some parts of it, making some critiques on that, to make a bigger point, which is the point that I agree with him and I'm gonna now do my soapbox moment on.

Speaker 1:

This is happening too much lately. I've seen it in many, many places where we got folks that come in, they take, you know, a class and they put them up to testify and, you know, they muddle through it, right, and that's a problem, that that is a problem. Um, the folks that are, you know, the prosecutors, the juries, the victims of these crimes, expect more from us, right, and I think there's a problem, and the first one I'm gonna make with that is that how do these people get in that position? Right, how do you get a person that's only taking an eight hour, eight hour course or a week course, and all of a sudden they're dumping phones and presenting the extraction and the analysis at court with a week long class? How do they get there? Right, they didn't get there by themselves, right?

Speaker 1:

There is a problem with the process in our agencies on how we are staffing these positions, right, and just because you have a backlog, just because you have some empty chairs and you need to put butts in the chairs, does not justify not really doing it in a way that preserves the evidence, the digital evidence, which, as I said before in many ways, I believe is the most important part of the case. The most important part is the witness that cannot, you know, make a mistake if properly interpreted. All right.

Speaker 1:

So there's a problem with how we're staffing those positions, and when we staff positions, we have two options, right? We either hire people that have degrees, right, that's one way we staff any position in any corporation, company, structured, you know, place, right? You get a person, and why do we do that? Because we expect those people to know certain things, because they have a degree. Okay, a baseline of knowledge, cool. Or we take somebody from internally and we train them, sorry, we give them some training to the level of what you would expect from a properly educated graduate, something in that sense, right? Yeah, and the thing is that if you don't expect that level of expertise from the people that you bring in, you're gonna have a problem.

Speaker 1:

If you do not make sure that they have a training program that's more than eight hours or a week to be able to do this job, you're gonna have problems. All right, I'm taking a course and you're good to go. That's the thing, I guess, the mentality is. And now I'm getting, I'm getting warmed up. Let's say I'm a manager and I'm working in, say, white collar crimes or another unit, and I say, you know what I need? Bodies. Major crimes, another unit, has plenty of bodies. And I talk to the lieutenant or I talk to the captain and we're like, you know what? We're gonna assign some people from that unit to this unit because it's more needed. And what did they do? They move, and that's fine. You can have somebody that has investigative experience move to my unit or to my squad or whatever, and we train them for a few weeks, we pair them with a mentor and they're good to go, right?

Speaker 1:

That model, which is the model we've used to move people around for years and ages and decades and from forever, does not work for digital forensics. You can't take somebody from the road or from whatever other unit and simply sit them in the lab and say, take a week long class and pair up with somebody here and you're gonna do forensics. You cannot transmit that. The knowledge that you come with from being on the road or from being on another investigative unit is valuable knowledge, don't get me wrong. Are you gonna use it in your forensics? Absolutely, but it's not digital forensics. It's not transferable, that's the word I was looking for. It's not transferable directly to the scientific portion of the job. Right, and we have this mentality of how we move people around that doesn't apply to the lab, to the forensic process. I mean, am I wrong on this, Heather?

Speaker 2:

No, you're absolutely right. I think so. The testifying part is the part that's crazy to me, right? When people testify to digital forensics, they need to know the process inside and out. They need to know the technical terms and the concepts behind them, and the statement that I've heard so many times, it drives me nuts every single time, is "I'm not an expert, I'm just the operator for the tools like PA or Magnet Axiom, right? I don't know what all this means. I'm just the operator. I hit the button. I don't determine what all this means." Yes, you do, so you are the expert. If you are working in the digital forensics lab in law enforcement, you're often the only and the last person that will be analyzing that item of evidence. You hit the button and it goes off to a prosecutor's office and they need you to be able to interpret that data. You're all the prosecutor has, and the victims in the case, they're depending on you, and if you are just the operator and not the expert, who's the expert?

Speaker 1:

Well, I mean, the term operator is a term that doesn't exist. I mean, maybe if you're in SWAT, right, in a SWAT team, you're an operator, I guess, right, but I mean, I don't know where the people are getting this idea. There's no such thing as an operator in digital forensics. Either you're trained to deal with the evidence in a certain way or you're not, right? Yes, and I do understand that you have different levels of training, because maybe you can train somebody to make copies, and that's okay, right, but when we start talking about what the data means, there is no in between here, right? Either you're qualified or not, and when you go to court, they're going to qualify you or not. If you're not qualified, you're not qualified, you will not be able to give opinions. Right, and, "Well, I'm an operator," and it will be like, "You're a what?" Right? You're a doctor, you operate, you cut people open. I mean, come on.

Speaker 1:

And look, and now I'm going to really go out on a limb here, but it really bothers me, because I think it speaks to the point of folks not wanting to be responsible and be accountable for the work they do. All right, "Well, I'm just an operator," it's like, "I'm here to do the minimum necessary," right? Is that the attitude we want in our labs? Is that the attitude we want dealing with the evidence that could set somebody that's accused free, right? Or make a victim whole in that sense, right, give them the justice they deserve, right? "Well, I'm here to do the least I could do. I'm the minimum common denominator here and that's what's expected of me," and they're proud of it.

Speaker 1:

And I want to, you know, philosophically smack him in the face, of course, because we don't condone violence here. We're non-aggression, like MLK, right, in this podcast. At least, you know, you think you're being smart and being all wise. If you tell me this, you just told me you're mediocre and that you're proud of being mediocre, right? And if you're a new examiner coming into the field, and the folks around you, not everybody, but you have folks around you with that attitude, don't copy that attitude, right? They're not the best role models, right? We're here to do the best work that we can do, right? And, you know, we got folks in the chat even saying we have the same attitude in corporate companies, right, and interns that come in, and we can talk about, we talked in other episodes about generational gaps and all that, but I think it speaks to the fact that people, folks, you know, some folks don't want to do the work. They want to get paid and not put their best or their maximum effort, as I have here behind me in the lighted marquee, right, and obviously a phrase that I like, from that book, is another story. Put that maximum effort. If you are, if you're like, "Well, you know what, I was on the road, I'd rather be in the lab, I'm tired of being on the road."

Speaker 1:

Don't come to the lab just because you don't want to be on the road. Right, come to the lab because you want to actually do the job, you actually want to learn, you want to grow, you want to give justice to the victims. If not, then what are you doing, right? Thanks to all the folks in the chat, and I suppose, yeah.

Speaker 1:

No, and we got folks saying, you know, about that. Training is also, you know, giving the expert testimony part. Like I mentioned before, the tool, you can press the buttons, the tool will give you an output. But if you don't understand what's behind that output, if you didn't go and look at Ian's blog and understand what MapSync, what MapSync is actually recording, whatever you're seeing on the map, you're going to say something that's totally wrong. Okay, if you take some of your location points and are not aware of the accuracy level of that data, you're going to say something that's totally wrong. Or like Shafik is saying in this article, and this is the point, and I think I didn't give you that part to show on the screen, but I'm going to read it. He said at the end of the article: Therefore, it is critical and incumbent upon law enforcement agencies to ensure their members that are involved in any manner of digital forensics be trained to an appropriate standard of practical knowledge so they can act as proficient witnesses when required to testify.

Speaker 1:

Equally, prosecutors too must be aware of the level of knowledge, skill and limitations of the police witnesses. And I think that really encompasses it. He did a great article on that, because that's been bothering me for a few months now. I see it too often, and I'm not saying that I'm perfect, that's not the point, right, because we all have our growth, we all grow, right, and different levels of growth, and we move forward with this growth mindset that, you know, me and Heather, we've been talking about that concept for some time now. But we expect more from you. The public expects more from you. The citizens expect more from you. You should expect more from yourself, if you're listening to this, right? And then let's do it. Put that maximum effort, come on.

Speaker 2:

It's funny you say mediocre, because that makes me think of an old criminal justice professor that I had when I was doing my associate's degree. I was in for police science and he said, in that class, "If you're getting C's, you're a mediocre student, and mediocre students will become mediocre, mediocre cops. We don't need any mediocre cops, so you should change your major now," and I couldn't agree more.

Speaker 1:

No, and that's how it is. And obviously, just having a degree, and make sure people understand this, just because you have a degree doesn't mean that you know everything or that you're qualified. It doesn't mean that, because some people passed through college, but college didn't pass through them.

Speaker 2:

Yeah, or college wasn't exactly the university that's doing enough to prepare the students for the digital forensic job they're about to take.

Speaker 1:

Absolutely.

Speaker 2:

I think there's a lot of that.

Speaker 1:

Oh yeah, I mean, it becomes... I mean, some of them are diploma mills, or they're just there to make money, not to really educate you, so that's, you know, that's another topic, but still really relevant. Now, that again, that speaks to management. How are we putting those butts in those chairs, right? Even if they're coming from a degree and we expect some baseline, we need to make sure that we're able to guide them to a kind of a certification process, either internal or external. What I mean by that is, you can say, well, some agencies say, well, we're going to send our folks to IACIS, right, and they're going to take the BCFE in IACIS and they have to pass it. And IACIS is no joke, right, it's no joke. Again, it's not everything you need to know, but it's a big thing to get right. So those agencies decide on that external entity based on the standards, which are pretty high standards, I mean, Heather and ourselves, we're both certified by IACIS. We teach for IACIS, right, so we believe in their mission as a nonprofit and they have good content. Okay, they get certified and they can go to court and say, well, yes, I am certified as a computer forensic examiner by IACIS and you have that backing, right?

Speaker 1:

But that means accountability. If your employee is sent and just decides to spend those two weeks chilling out at the pool and not learning, you know, I mean, and coming back and telling you, well, I just press buttons on the computer, there needs to be some response to that, some accountability, some consequences. That's the word I'm looking for. Some consequences, right? Guess what? Well, you're going back to the road or you're going back to wherever you came from, because there are some requirements. All right, and you'll be surprised at the people that go to these courses and it's like a vacation. They don't go there to learn anything, which, again, really grinds my gears, right? So there's different ways of how we go about, as managers, putting those butts in those chairs. And, again, accountability has to be part of this process, right, those consequences, you know, we got.

Speaker 1:

If you do a good job, you get trained, you'll have a fulfilling job, you'll be able to really put an input in the cases that are coming through your AOR, or area of responsibility, right, and you'll make a difference in the lives of people. That's what motivates us, right, and we get paid, right, because that's our job. Right, but if you don't have that, then you don't need to be here. Right, training, dear friends, training is freaking expensive, okay. And if you're law enforcement, like ourselves, our resources come from hard working citizens, okay. And if you go through it to not do anything good with it, you're stealing from our pockets, in a sense, right? I'm not telling you literally, directly, but you know what I mean, right, because we're not making good use of those resources. All right.

Speaker 1:

So I think we need to start creating that culture, or cultural approach, as examiners across the board, right, that when we, as examiners, think, what is an examiner? That every one of us here, that are listening, in our labs, that we are clear in what that means and we expect that from other examiners. Does that make sense, Heather? The, I'm looking for a word and I cannot find it right now, but that, like, I guess, like the corporate culture of the field, of the digital forensics field, right, that we have expectations. The citizens have expectations. Management has an expectation. You should have an expectation of yourself, and the folks that work with you, your colleagues, we have an expectation of you as well, and we should help each other to that high standard. Hopefully, that is more clear now.

Speaker 2:

It is very clear. I couldn't agree more. I mean, just one other point on what you were talking about with the training. The training needs to start at the fundamentals too.

Speaker 1:

So I know.

Speaker 2:

I know there's all of the tool trainings, and learning the tool is excellent, but the fundamentals of forensics should be the very first class, in my opinion. Go learn about the ones and zeros and then come back and be paired with somebody for some on-the-job training and go to those tool specific trainings, but the fundamentals have to be learned first. If you don't have that, the tool training is not gonna make as much sense.

Speaker 1:

Well, and how do you know the tool is right? Because the tool could be wrong, right?

Speaker 1:

Yeah, if you don't have the fundamentals, the tool might spit out some nonsense and you'll be like, hey, great, here you go, and you're just gonna let it go right on. The fundamentals teach you to... the validation process needs those fundamentals, right? Oh, I gotta read this. Thanks for bringing it up. Michael is saying, is operator part of the Daubert standard for the FI's testifying at court? And if you're not in this business as a person that testifies and knows what being qualified as an expert means, you might not get the joke. But I do get the joke and I like it, and obviously, obviously, it's not. Yeah, but, um, yeah.

Speaker 1:

So the fundamentals are important, and especially, not only because the tool could be wrong, there could be things the tool does not pick up, right? And if you don't understand the basics, the fundamentals, and there's something that Geraldine, again, I know she's listening, and we worked together on a whole bunch of cases when Protobuf came out, we didn't know how to really understand it. And she has the fundamentals, she knows how to look at hex, she knows how to byte sweep and she knows how to identify timestamps and convert them. And she started building that Protobuf data and we were able to get what we needed, right? Fundamentals are important. If you don't think they're important, again, you might not be at the right place. You might not be cut out for this job, and there's no shame in that, right? I'm not cut out to be a lawyer or a medical doctor, and that's nothing against me. Do you want me to be your medical doctor? I hope not. Yeah, absolutely not. I...

Speaker 1:

...might be your gym trainer. I can do that, right? Not a doctor or your lawyer. You're gonna go to jail if you have me as a lawyer. But there's no shame in saying, you know what, I don't have a passion for this field. I don't really feel like learning these things. I don't belong here, and that's okay. You find where you belong and we'll support you on that, and that's okay.

Speaker 2:

Actually, too, I mean, coming in, whether you've just graduated college and you're coming in as a digital forensic examiner or coming in as a sworn member, you're going to be learning for the rest of your career. So if you thought school was over, no, school has just begun, and it will be class after class and self-learning, and you're never going to stop with the education if you come into this field.

Speaker 1:

Oh, absolutely. And you have to be honest with yourself, right? If you're not honest with yourself in regards to what the job requires, you're not gonna be honest with the cases. What I mean by that is, you might come to a new piece of information from Ian's blog or from somebody that's really, you know, high-speed, because that's all they do in their daily job, like really knowledgeable people, and you might have to go back and look at an old case, or a case that's ongoing, and say, you know what, this new knowledge applies to my case. I need to apply it. I can't just sit down and say, well, I'll let it slide. You know, I don't want to rock the boat. No, you do.

Speaker 1:

This job requires dedication, requires propriety and honesty. I mean, I guess all, or some, jobs require that, true, but forensics is pretty clear cut on that, clear cut, right? As the information comes in, you might have to revisit all cases, and that's a good thing. You might have to go and make sure your conclusions are correct at all times, and that's an always ongoing process. Like Heather's saying, it's never gonna end. So when any of you retire, the younger folks will pick up that mantle, will pick up the torch and we'll keep moving forward. Right, it never ends. Oh, my goodness, thank you for letting me get that off my chest. I feel like a weight is being lifted.

Speaker 2:

I was waiting to see if you had anything else there for a second. I mean, look, if you push me a little bit, I bet I do.

Speaker 1:

Let's save it for the next episode, I guess.

Speaker 2:

So another topic that we had for this week is sources of error in digital forensics. There was an article on ScienceDirect that talks about the sources of error in digital forensics. So it kind of says, like, the occurrence of errors in forensic practice is inevitable, which, of course, it is, and we may not feel uncomfortable with that idea. But it's a truth that there will be errors throughout the process. But in digital forensics, in the field of digital forensics in particular, those errors can have great repercussions, right? So yeah.

Speaker 1:

I'll let you go and I'll chime in. So, oh yeah, no, yeah, you know, I call it biting on the bit. Is that what it is? Yeah, jumping at the bit.

Speaker 2:

Thank you. So look, again.

Speaker 1:

I'm, you know, I'm from Puerto Rico, so I'm still, even though I've been here for so many years, I'm still learning all these phrases, right? Chomping at the bit. Yeah, look. So the article is by Dr. Horsman. He's well known in the field, right? He's been around forever. Academic, you know, with a capital A, all right. So read this, right. I like it because it's a taxonomy of what could be problems within your process.

Speaker 1:

And this type of academic exercise is super important because, if you're not aware of the categories of problems or errors, and he has the whole list, I wish I could, you know, go on and read them all. But he defines what's an error. Why is it important? How do you attribute it? The causal factors: is the problem in the source? Is it the interpretation? The forms of error: a random error, systematic error, a negligent error, right? And then...

Speaker 1:

You map those errors, how they apply to your forensic process. How do I then identify it, how do you manage it, how to mitigate it, how do you prepare for it, because committing errors or mistakes, based on that taxonomy that he explains, is unavoidable. Your brain is gonna grow, right, and grow in the sense that you will be able, now that you have that knowledge, to identify them and mitigate them before they happen. Or, if they happen, you're able to solve them in a way that does not impact your case.

Speaker 1:

Does that make sense? So this type of academic article, you may be like, also, a bit of a dry reading, which actually his article is not. It's not dry reading at all, it's a really accessible article. But you might come across some other academic articles that are a little bit dry. Go through them anyways, right? Be on the lookout for those, be part of the community, because that will give you a special, I guess that's the word, awareness around you of what you're doing, right, and then you are aware of what those problems are. If you don't take the time to figure out the type of errors that could come up, when they happen, you won't recognize them, you won't be able to pinpoint them, and I don't want the defense attorney to pinpoint it to me, you understand, because that's gonna suck.

Speaker 2:

Right.

Speaker 1:

And I got that stuck in me as an expert for the prosecution, right. But if you're an expert not in the law enforcement field but in corporate or whatever, right, you don't want to be, you know, confronted with an error that you could have taken care of if you would have been aware of it, right? So it's a great article and I think it's worthwhile to take time to study that.

Speaker 2:

Yeah, and I mean, just some of the points that are in the article. So the "people make errors" point is great, but on the law enforcement side of things it could mean a wrongful conviction or a suspect that walks free. So knowing how to handle those errors is super important. And then he has a part where the tools make errors. It's our job to ensure that these errors are caught and that we can rectify them. We validate the data. And then the misinterpretation of data, that comes back into what we were just talking about. So proper training and testing is mandatory when it comes to misinterpretation of data in digital forensics. So yeah, it's a great article.

Speaker 1:

No, the one that scares me a lot is errors in the source itself, right? Yeah, because you can go and extract some logs from a location and the timestamps might be wrong. Did I take time to validate that? The clocks on these companies, as an example, right, that the clocks on these systems that I'm extracting from are correct? Right, is it properly timed? Right, because if I just don't do that and take it at face value, I will have a problem, because the problem is on the actual recording level from the beginning, right? So, again, that taxonomy of possible errors, how to mitigate them, worth your time to check out.

Speaker 2:

Yeah, and I don't think that the article talks about this. But when it comes to the misinterpretation of data specifically, watch for overconfidence, right? You see an artifact and it's like, I know what that means just by looking at it. You don't necessarily know what it means just by looking at it. You just have to go look at Ian Whiffin's new blog, right?

Speaker 2:

I mean, he found some things that he thought were one way and they're not. So watch that overconfidence, that can definitely get you in trouble if you're on the stand with too much confidence in something that may be misinterpreted.

Speaker 1:

Well, I mean, and you can be used to an artifact that behaves a certain way at all times, and then a new update comes out and it changes. And again, Brett, another good friend of the podcast and a personal friend as well, he says refusal to accept, admit and correct errors or mistakes makes for a short career, and he couldn't be any more correct. And this is the thing. Our egos get in the way and that's the problem. Right, we need to really check ourselves, because sometimes we resist being corrected, and that's a normal human, you know, issue that we have, right? We don't want to be called out, we don't want to be incorrect, but, you know, we need to be humble as well, be open to criticism, and I say criticism in a constructive way.

Speaker 1:

That's why in the forensic process we have quality assurance methodologies, right, we have peer reviews, and you have to be open to that. You have to be naked, not literally, right, but emotionally naked, like, look, I'm here, this is what I did. I will be criticized, I'm not gonna take it personally. I'm here to learn from those criticisms and grow, right. And if there's a mistake, you need to learn, correct and grow, like Brett is saying. So I think in our field all this is codified. We need to make sure we apply it and, you know, live and walk our talk, another expression I learned not too long ago.

Speaker 2:

So, everybody's favorite time. It is the meme of the week, yeah.

Speaker 1:

That's, that's my favorite time.

Speaker 2:

Let me share my screen here. Ah, there we go. So the meme of the week this week says, "I think I forgot something." The third-party tool says, "If you forgot that, it wasn't important." And he says, "Yeah, you're right." And then there's a picture of a kid with a soccer ball out in the rain. His parents forgot to pick him up, it looks like. And that's the evidence in unsupported apps.

Speaker 1:

It's a tough one to describe verbally, so props to you for trying. That was pretty good, and I love this because, you know, it speaks to the classic, you know, I also have kids, like, yeah, it's fine, the kid is waiting for you to pick him up and it's a night at the soccer game. Poor kid is wet. That poor kid is your evidence, your main evidence, your smoking gun. You're like, oh well, if the tool doesn't show it to me, it doesn't exist. Right, right, and again.

Speaker 1:

That really, I think it's, and you know, Heather's in charge of picking the meme of the week, right, and I think she picked a really good one, because it really kind of takes us back full circle, right, to what we're discussing, right, or all that we discussed today in regards to how we come into the field, how we manage that, how we make sure people are trained, what our attitude should be and how we work with our tools, dealing with errors, and all that. It all comes full circle in us being aware that we need to always go that step, extra step that's needed, because an extra step will always be needed in your analysis, in your view of the data and how you present it and even how you speak about it. Right, we need to take that extra step. We don't want to leave our evidence or our victims out in the rain, right, waiting for us and we're not picking them up, right? So, you know, good pick for meme of the week. So I appreciate that.

Speaker 1:

All right. So again, I mean, thank you everybody for being with us here. I appreciate all the folks that rolled in for the discussion, for the comments. We love your comments. Again, it's a community and we boost each other with them. Michael is saying thanks for the posts that we're putting out, and thanks to him and everybody that also is part of the community in LinkedIn. And again, reach out to us. Hit us up on the Digital Forensics Now podcast LinkedIn page with suggestions, with questions, topics that you might want to hear us discuss, and we'll try to bring those to you.

Speaker 2:

Yeah.

Speaker 1:

Thank you. Anything else for the good of the order, heather.

Speaker 2:

That's it. Thank you very much, everybody.

Speaker 1:

All right. Well, we'll see each other in a couple of weeks.

Speaker 2:

Yep, see you in two weeks.

Speaker 1:

Take care everybody. Bye bye.
