Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
Is Support on Life Support?
Unlock the secrets of advanced forensic analysis with us! We reveal essential training classes that every digital sleuth needs to stay ahead in an ever-changing tech landscape. Sign on to be enlightened by experts in the captivating world of data structures through Hexordia's class and IACIS's comprehensive course. But it's not all about the classes; we're also sending a must-read book your way to sharpen that detective wit you pride yourself on.
Get ready to explore the controversial yet fascinating realm of facial recognition with our introduction of Exponent Faces, an X-Ways Forensics X-Tension. Whether it's identifying suspects or navigating the ethical minefields of biometric data, we're weighing in with all the expertise you could hope for.
Finally, journey with us as we dissect the pivotal role of soft skills and community support for forensic examiners. You'll find this episode is not just about the tech—it's about the people behind the screens who make justice possible. Join us, where knowledge is power and staying updated is as crucial as the evidence itself.
Notes:
IACIS Advanced Mobile Device Forensics
https://www.iacis.com/training/amdf-advanced-mobile-device-forensics/
DFIR Investigative Mindset - Brett Shavers
Book release March 22, 2024 - 1/2 price for one week!
Facial Recognition in DFIR
https://www.apiforensics.com/blogs/announcing-exponent-faces.asp
https://abcnews.go.com/Business/controversy-illuminates-rise-facial-recognition-private-sector/story?id=96116545
Google Chrome Platform Notification Analysis
https://www.sans.org/blog/google-chrome-platform-notification-analysis/
The Digital Forensic Practitioner Survey (DFPulse2024)
https://bit.ly/dfpulse
What's New with the LEAPPs?
https://github.com/abrignoni
Speaker 1: Welcome everybody to the Digital Forensics Now podcast. Today is Thursday, March 14, 2024. My name is Alexis Brignoni, aka Briggs, and I'm accompanied by my co-host, the one that puts the power in power user, the digital forensics tool entomologist, the one-person quality assurance program, yes, the one and only Heather Charpentier. The music is hired up by Shane Ivers and can be found at silvermansound.com. Hello everybody.
Speaker 2: Hello. Thank you for the great introduction, as always.
Speaker 1: You like that entomologist?
Speaker 2: I like it.
Speaker 1: It was really good, yeah, yeah. There's always some little inner jokes and some of those inside jokes, as you say.
Speaker 1: All right. So again, I see a few folks already coming in the chat. Jessica is in the chat. Hi, Deferredeva is in the chat. Obviously, Kevin, the main man, the man with the plan, is in the chat, so happy to see you all there. And Brett is in, so good to see you, my man. All right, Heather, so I know you got stuff to tell me because you had a full last couple of weeks, so what's going on with you lately?
Speaker 2: I have the same response I always give: busy. But I actually yesterday attended Hexordia's data structure class and I wanted to tell everybody, you have to attend this class. It was awesome. Jessica taught. She goes into data structures found in mobile devices in depth: how to handle them, how to look at them with the commercial tooling, but also without commercial tooling, with open source tools, and it was a really great day yesterday in her class, and actually Kevin was in the class with me, so it was really good, yeah.
Speaker 1: Well, three luminaries between you, Kevin and Jessica. And folks, in case you're not familiar with data structures, that's the basis of where the data from your cases comes from. How are they organized, how are they stored, how do I get them out, how do I properly interpret them? And I've taken the class as well, obviously highly recommended, and I'm really happy to see, you know, a provider like Hexordia going way beyond the formulaic tooling, like we teach to the tool. No, they're teaching to the deeper, you know, how the data is being stored, and it's really, really important that we start looking into those and understanding it.
Speaker 2: So it helps you move away. Helps you move away from the push-button forensics, that's for sure.
Speaker 1: Oh, absolutely, and even if you have to push a few buttons, at least you know, you know what you're doing.
Speaker 2: Yes, exactly.
Speaker 1: So, like Kevin said, you know, never, never stop learning, right? Yeah, and in this field you definitely cannot, cannot stop learning.
Speaker 2: So, so yeah, no.
Speaker 1: Well, what else is that? Yeah, that class. Anything else going on?
Speaker 2: Yeah, no, I mean same old stuff. Go to work, come home, go to work, prepare for the podcast, start working on IACIS material that we're going to do together.
Speaker 1: Oh yeah, we got to discuss that in a second. At least from my end, from my end. Yeah, from my end. Yeah, I've... So I'm in Florida and the oak pollen season is upon us. Everything is covered with yellow muck from the trees and it sucks. I'm highly allergic, so I've been taking all sorts of antihistamines. So sorry if I look like death.
Speaker 2: You don't look like death.
Speaker 1: Yeah, right, yeah, sure, I believe you. Yeah, but other than that, you know, just doing regular work and, you know, just trying to get the class, the class going.
Speaker 2: Yeah.
Speaker 1: Yeah, which, which is a good segue to that same topic, right?
Speaker 2: It is, it is, it is.
Speaker 1: So, so IACIS, the International Association of Computer Investigative Specialists, so really renowned. It's an organization that's volunteer driven, and myself and Heather are volunteers there and we'll be teaching the Advanced Mobile Device Forensics course. This is a brand new course and we're going to talk about Android and iOS, so, so, you know, it's going to be a great class. We are going to... The class is going to take, it's going to happen from April 22nd to 26th. That's the first, the first session of that class, and then we teach it again, right, for a different group of students from
Speaker 1: April 29th to May 3rd. Right, so we still have spots there.
Speaker 2: Yeah, there's, there's still spots in both weeks. So sign up, come and come and learn from us in Orlando. So there's a selling point right there too. No, in Orlando in April and May.
Speaker 1: Yeah, who else is, who else is teaching with us?
Speaker 2: So we have another instructor this year, John Hyla. He's going to join us, and some of you may know him from his research on the SEGB Biome app intents data in iOS. I think he was the first person to write a blog on it and it's on his page, Blue Crew Forensics, if anybody's still interested in reading that and checking out his tools. So he has an app intents parser on that website. But he's going to be teaching with us in April and May.
Speaker 1: Yeah, and I think it's a great catch that we had, well, Heather did, in getting him to instruct with us. A really sharp guy and really forward leaning with all the new stuff that's coming out, so I'm really happy that he's with us. Yeah, if you come to class, the class, you get a laptop to work through the exercises with us through the course, which you can then take with yourself, you know, take home with you and do your work on that laptop. So that's always good to have, to be reference materials and some other things that we're going to give in that class. And the location is in, like I say, Orlando, Florida. It's a great, nice place. It's a little pool and everything.
Speaker 1: So in the afternoon you can chill out a little bit and talk forensics with us. There are different events and activities that IACIS has at night for examiners, so it's good stuff.
Speaker 2: Yes, it is. Sign up.
Speaker 1: Yeah, the link. The link is at the bottom of the screen and, for those that are listening, we're going to put it in the notes so you can check it out and come hang out with us in person at IACIS this summer.
Speaker 2: All right. So I wanted to talk about a new book that's going to be coming out and it is written by Brett Shavers, who is in our chat or is watching live today. So, hi, Brett. It is titled DFIR Investigative Mindset. It's not released yet, he's still working on it, but I've had a chance to check it out and I literally felt like, as I was reading it, that this book was hitting every thought that was in my head.
Speaker 2: He talks about how to learn to be a better investigator. One of the first sentences in the book is "the DFIR Mindset is the missing piece in DFIR", and I couldn't agree more. To be able to do this type of work, you have to have that mindset, the investigative mindset. He hits on how to strengthen your skills, how to be a better examiner, the differences between the mindset of law enforcement and civilian. Do you need both? What the difference is. If you take a position in a DFIR job, do you want to do it or are you just taking that position to move up? And you have to want to do it, and this book really talks about that and discusses ways to improve your investigative mindset. I highly, highly recommend the book when it comes out, and from March 22nd the book is going to be on sale for a week, so everybody should check it out and purchase it when you have a nice sale, that first week of release. Sorry, go ahead.
Speaker 1: No, no, no, I was going to say absolutely. And this is the thing, right, I need to say this in every show. We say it: we're not sponsored by anybody.
Speaker 1: Brett didn't give us a kickback to talk about his book, right? We're not haters. We're also not shills, right? We just tell you our honest opinion of things that we like or we don't like.
Speaker 1: And now, that being said, right, we do a lot about technical stuff, about how to work a tool, how to work a data structure, how to create a report, but this book is filling this, I'm going to use that word, this void in regards to what are the building blocks, mentally, that you need to have in order to do a complete examination. Right, because anybody can press buttons, but for you, you can actually connect the dots in the way that they need to be connected. Right, and his book fills that void. Right, if you're in the private sector, you can learn a lot from his experience from being in law enforcement. Vice versa, you're in law enforcement like we are, you can learn a lot from his experiences when he leaves law enforcement and goes to the private sector, right? So how do you take those?
Speaker 1: Again, I don't want to tell you what the book is, you have to read it. It's a quick note in regards to what are, what's your mindset in regards to your property, your attitude? How do you approach the evidence? How do you let the evidence speak for itself? Right, there's a whole bunch of little details there that you'll be really, really well imbued with that knowledge if you read that book. Okay, it's not, it's a dense read, but it's a profound read. I found myself, and I haven't finished it yet, but I found myself rereading certain sections a couple of times because that section had a lot to think about. Does that make sense, Heather?
Speaker 2: Yeah, no, same thing. I reread a couple of sections on my lunch break yesterday, so definitely. Jessica says the part about curiosity. I couldn't agree more with you on that, Jessica. So curious people, I believe, make good investigators a lot of times. If you're really nosy, that's such a good trait to have for the investigative mindset, in my opinion. I love that comment.
Discussion on Facial Recognition Technology
Speaker 1: Yeah, and Brett is saying that I could have transcribed this podcast and wrote the same book. Well, we appreciate that and, and, you know, we, we, I guess, you know, we have examiners that have some time, we, we, we can converge, right, in, in certain views or certain opinions, certain ways of dealing with the data, because this is a science, right, and, and the art is to be able to present that science effectively. And, and Brett's book is a good way of getting a leg up. I would recommend, especially for people who are new into the field, they say you're coming as a new examiner, saying long for me into a lab, get that book and make it part of your, your growing process, that growing mindset. Immediately, get that book and check it out.
Speaker 2: Definitely. Hardest part to teach, you're right too. It's hard to teach somebody to be an investigator. It really is. I always say, for my office, it's half sworn and half non-sworn members, and the sworn members come off the road with that investigative mindset already, and it's really, really hard to teach the non-sworn members the investigative part. But the book really lays out how, how you can do that and how they can do that for themselves.
Speaker 1: Yeah, and a broader point for the industry, right. I would hope that more books start addressing that, right, and I say addressing that, there's other aspects, right, even some of the legal aspects of, of the job, and do it in a, in a way that's accessible, like, like, because Brett's way of writing is really accessible, which is the way I like. It's not encumbered by these words, it's actually pretty clear, and we see more books in different topics that make that accessible to examiners.
Speaker 2: Brett says, because DFIR is fun, it is almost like playing a video game, we tend to forget we are working to solve a mystery. I definitely agree. It is fun most of the time, until you get one of those cases that just isn't so fun. But, you know, some, some are boring. But definitely agree with that.
Speaker 1: Yeah, I mean, there's always routine area cases, but in a way, that, that mindset applies to make sure that you're doing the best job that, that can be done. Now, that you can do the best job that can be done, yeah, and that's what we're striving for. So good stuff.
Speaker 2: Yeah, so definitely check it out. March 22nd, I believe it's going to come out.
Speaker 1: Yeah.
Speaker 2: So there was an announcement on LinkedIn. I saw it and it was regarding facial recognition in DFIR. So API Forensics announced the release of Exponent Faces, which is an add-on extension for X-Ways Forensics. So if you're an X-Ways user, this can be used in conjunction with X-Ways. It detects matches, extracts faces from photographs and video files and accurately identifies victims, missing persons, persons of interest within volumes of collected media. They say the effective outcomes of the use of facial recognition technology are determined by a number of factors, and those factors include the image itself, the resolution of the image, the angle, the position, whether there's obstructions to the person's face, the vertical and horizontal rotation of the person's head and then, for videos, the speed of the footage measured in frames per second.
Speaker 2: I have not tried this out yet. I just saw the post for it this week and I didn't have time to grab the X-Ways dongle and try it out, but I will be trying it out in the future, so hopefully other people will try it out. I want to bring it back to the podcast after I try it and give a little bit of a review, and hopefully people can weigh in and try it out as well. If you currently have an X-Ways license, you can submit a request for a 30-day trial. You just have to provide your X-Ways license number when you go and request that 30-day trial. So hopefully other people will test it with me and we can all collaborate here on the podcast and discuss it in the future.
Speaker 1: No, absolutely, and I can see a lot of uses, so I got a couple of thoughts on that. Imagine you're working a, let me put it this way, let's say a mass shooting scenario where you get surveillance from multiple cameras and let's say you got an identified, possibly identified suspect. Can I determine if that suspect was in the crowd? Right, that's pretty tough, right? Maybe. Another example that just came to mind, it's a real example I had, a long time ago.
Speaker 1: I had to find somebody that was taking a Greyhound bus out of the city. We needed to locate that person and the time frame of when that person might have left was pretty wide. So I had to sit down and look at hours and hours and hours and hours of footage, trying to see if I could find that person. Imagine if you have a tooling where you can say, okay, well, I have these templates or data pictures of the person I'm looking for. Have the tooling go and quickly scrub that data set for that face and tell me, yo, I have a hit on Tuesday at 2 o'clock. That would save a lot of time. So I can see a lot of good uses for that. Now, correct me if I'm wrong, Heather, but the way I read the announcement, it seems that this tool is open also to the general, I say general pop, I mean, not to say that, to the private sector as well. Do you get that vibe too?
Speaker 2: Yeah, I didn't see anything on the website that said otherwise. It looked like you can just go in and put your agency name and sign up for that 30-day license, as long as you have an X-Ways license to provide.
Speaker 1: All right. So now the second part which came to mind is, let me restart. A knife, right, you can butter your bread, or you can stab somebody, right?
Speaker 1: A little bit of extreme examples, right. Any and every technology can be dual-use, right? It depends on the user, right? So I use that as an introduction to kind of say every technology has its challenges and its limitations, right? And I've been thinking a little bit about what happens if we give that technology outside the confines of law enforcement. Don't get me wrong, people in law enforcement can have and have and will in the future use this technology wrongly. We're not exempt from that, right. So I'm not saying that, oh yeah, law enforcement really knows how to deal with it at a whole 100% of the time. I'm being honest here, right. Obviously we strive not to make mistakes. And what makes mistakes? Could that be?
Speaker 1: Well, some of this technology, remember, is matching, like a pattern matching. It takes whatever analysis it does of that face and tries to match it upon other data sets. That's a probabilistic nature, and we were talking, me and Heather, we were talking a little bit about probabilistic things earlier the other day. It's probabilistic, right, you know, whatever, 70%, 40%, 30%, 50%, right? At what point are we happy with that percentage? And after we get it, what do we do with it? Oh, the computer said it's this person. That's the person. Go grab the person. We could grab the wrong person, right.
Speaker 1: Like, just because the tool told me this is a highly probable match, does that mean that's a match? I mean, what do we need to do? Well, it's a word that starts with I: investigation. Yes, and again, I'll be honest with everybody here. Sometimes in our agencies or organizations we start and finish everything with what the tool says, and we talk about push-button forensics. This is really prone for that, right, and we gotta be careful with that. The investigation doesn't stop because the computer said, here's X. Actually, that's when it starts, the investigation. We have to validate that. Is this person actually a match? Right, and yeah, tell us what Brett is saying in the chat, Heather.
Speaker 2: Tools give clues, not answers.
Speaker 1: There you go, and it's really easy, really easy to get confused, because a lot of times the clue that the tool gives us happens to also be the answer, a lot of times. So that happens too, but you need to make sure that that actually is the actual answer. Right, that is correct. I gotta highlight this comment. Derek is telling us, every tool is a weapon if you hold it right. That's said by Ani DiFranco. So what a great quote, right? Historically, and this is some research that I did for the show today, historically, face recognition tools tend to have some issues recognizing folks that are minority color, and all of that, a lot of false positives. Now, that being said, I'm not talking about the tools specifically that Heather is presenting, so don't get confused. Yeah, I don't want everybody to think that I'm talking about them, I'm talking about in general, in general, this thing. Now, now, this technology could definitely get to a higher probability level, absolutely, absolutely. But it should not be made to make a, like, the base for your arrest. That should not be the base for it, I believe. Oh, yeah, the computer said so, therefore, I got probable cause for my arrest. No, that's the beginning. Like, like, like. But that's what I'm saying.
Speaker 1: Another thing I want to say now in regards to the private sector applications of this, um, privacy issues. The first issue that I have or think about is, well, let's say, private sectors are recording your faces as you go to the, to their businesses and all that, and they had, they record those faces. Let's say, a client becomes rowdy in a store and they kick him out. In the future, that person comes to another store, the system flags their face and says, hey, you're not allowed to be here, you had issues here and we told you not to come back. Right, and you would think, well, that's, that's not a bad thing. Right, it's limiting access to undesirable people on a private business. Right, you don't have to allow people to go into your business you don't want to.
LevelDB Analysis
Speaker 1: I get that, but think about this: to be able to make that template, it's grabbing everybody's faces. Right, it's just not grabbing this person's face, it grabs everybody's. And what happens with that data? Is there, are there any guarantees that this business is not going to sell my face to other businesses? Right, because maybe this person is undesirable in this store and maybe another store, they're going to maybe share, like, undesirable face lists, right, or just plain share the faces. I just see Minority Report ahead. Or the pretty old, old, old, oldish movie.
Speaker 1: I have not, so it's a Tom Cruise movie set in the future, and in the future, as you go to stores, the stores kind of scan, we go even without noticing, scan your eyes and know who you are and give you ads, like on the spot, customizes your ad, and in the movie he has to change his eyes. They put some other person's eyes. It's a pretty good movie.
Speaker 1: You should see it. He goes and obviously the ads are for another person because he has the other person's eyes, right? The point I'm making with that story is, do I want to get ads, like, when I go into a store because my face is being recognized? We're going to come out of, commoditize our biometric likeness, right, and that's... The questions are really hard questions. Is there?
Speaker 1: Is there any legal framework for that, right? What, what if that's hacked? Right, I can change a password. Like, oh yeah, it's coming, they change my passwords and that's it. Can I change my face, right? I mean, how do we do that? At least, at least, at least the law enforcement labs, for the most part, tend to be air-gapped, right, because we're going to make sure that we keep the, the evidence in, intact, right, so we have air-gapped networks, but I don't, I don't see private sector companies using this technology in general in any air-gapped manner. So I can see databases with millions of faces being hacked and being sold, right. So that's, that's something to be, to be considered. How are they secured? So, you know, there's, there's a lot that this technology is going to bring. I'm looking forward for you testing it, and yeah, me too.
Speaker 1: Yeah, some of the community testing it, see how, how, you know, different applicabilities that we have, but I think it's an emerging technology. We'll see a lot of that being litigated legally in the courts and in Congress, so we'll have to keep an eye on that.
Speaker 2: So with the tool, though, from API Forensics that works with X-Ways, that tool matches against only the faces that you provided it. So I just don't want to, I don't want to confuse it with, like, scanning crowds, right? So it's not doing that. It's working with only the, the pictures that you provide it to look, look through in your investigation.
Speaker 1: Oh yeah, and folks need to understand, right, I'm providing, like, both sides of the argument, right? Yeah, no, I believe there is a space for this type of technology. I'm happy that companies like this, this one, are actually taking the lead and providing that service. So I'm not against it personally. But, like I said, a knife could butter and it could kill. So it's just to put it, putting that, those both sides out there.
Speaker 2: So yeah, definitely. So, um, SANS had a blog out recently and it was related to the Google Chrome platform notification analysis, which has to do with LevelDB files. So if you haven't seen LevelDB files in your investigation, start looking for them, because they are absolutely important to your investigation. I'm going to show a little picture here of what you're looking for. So this is from, from the blog itself. I took the picture from the blog and this is what your LevelDB structure, like, what your structure will look like for your notifications. So, um, so in Chrome they're everywhere, they're on computers, they're in mobile devices, and the LEAPPs support parsing the LevelDBs. So does Arsenal. Arsenal's LevelDB tool is awesome for that. Rabbit Hole, that we've talked about prior, also supports parsing the LevelDBs, and the data that's in them can be so helpful for an investigation.
Speaker 2: I actually have a case example that I can talk about. I had a case where a teacher was having a relationship with a student and she had deleted all of the contact that she had had with the student from her phone, and she didn't know about the LevelDBs. Obviously it's not something that the user has access to, but this is specific to the FCM LevelDBs, which is the Firebase Cloud Messaging. The pair were primarily contacting each other on Snapchat and, although all of the Snapchat data was gone and the application had been uninstalled, data related to their communications was still present in those LevelDB files. I didn't get the actual messages, but it was enough to show that they were communicating and it was enough to result in a plea deal. They can be really important to your investigations.
Speaker 1: I'm telling you, it's really powerful. The example you give is a really powerful example. I like that example a lot because it corroborates the presence of the communications, corroborates all the other things in the case. I'll tell folks, some of these FCMs, I say FCM, but LevelDBs, data storage or data structures, will have messages, will have all sorts of information in them and we're really not looking for them, like Jessica was saying. They're there and you don't know they're there. We'll cover that in the IACIS Mobile Forensics course. We also will cover it in more detail in the Advanced course. But it's important. If you have any browser that's worth anything, we'll have tons of data in the LevelDBs.
Speaker 1: I did some research some years ago on Firefox Privacy Browser for Android, which deletes all history. Guess what? I was able to find a lot of the pages that were visited within some of the LevelDB stores from the privacy focused browser. If you look for it, you will find it. This is a great blog that folks should read in regards to that analysis. It explains, I think you mentioned it, some of the tooling that could be used. You mentioned some of the tooling that could be used.
Speaker 2: I did. Yep, Arsenal LevelDB was one I mentioned. Rabbit Hole, that we've talked about on the podcast previously, and Arsenal, we've talked on the podcast about previously too, and the LEAPPs support it too. I'm sure there's other tools. If you've never come across one, do a global search across your entire image for keywords that are important to your case. I guarantee in an Android device they're going to hit in one of those LevelDBs, and then follow that trail. Follow that trail. Use some of these tools that I mentioned to look through the LevelDBs, because you're going to be surprised what's in there. And Jessica actually mentioned, too, open source. There's a CCL script from CCL Solutions.
Issues With Digital Forensics Support
Speaker 1Yeah, Alex Caithness was the one that really pointed in my attention towards level DBs. So you Google CCL Solutions, level DB and the name Alex Caithness or a combination of the raw, you will get some of those scripts and some really good detailed articles on how they work and at a detailed level right, how they're offsets and how they're organized. So you'll be as an examiner. You'll be well served by looking into that. That's why we're talking and remember all sorts of other examples.
Speaker 1One more example yeah, we had a case Again, in general it is an old case, but where the suspect had written like a manifesto, right, and it was using the Google Word thing. What's that called the Google Cloud Word thing? Oh, you know, they have like their own version of PowerPoint or version of Word or version of Excel, but it's the Google one and you access it through the browser, right? If somebody in the chat knows, then let me know.
Speaker 2I'm looking for it.
Speaker 1So those type of Google Docs. Thank you, jessica. So the manifesto was done in Google Docs. Well, guess what? If you're offline and you're writing, there's no save button for that, but the start is saved and you'll be like, well, where is it saved? Right, it's saved in a level DB, and we were able to find that manifesto in that level DB from that Google document. Ok, so thanks for Kevin also putting the name out the Google Docs. So they are stored automatically in level DB. They are stored, of course, when you get online, then that gets pushed to the cloud and all that good stuff, but the remnants, or the full document that's being written, is going to be in there, right? So it's really worthwhile that we get familiar with these data structures, just as we are familiar with SQLite or just as we are familiar with XML, and you might be like, what do you need to do that, honestly? So let's start looking into those.
Speaker 2All right.
Speaker 1Yeah, so this is the best part of the show they always like, right Is what grinds our gears section, specifically, what grinds Heather's gear section Support system not meeting the needs of the customers and I named the episode is support and live support. And the reason we're discussing this? For many reasons. I'll tell you my reason. I go into the D4 Discord channel and I'm more of a lurker just to see what's going on and I see a lot of folks saying, hey, there's somebody from company X available, Is there somebody from company Y available? And it makes me think why are we asking for support from these companies in a community chat?
Speaker 2Right.
Speaker 1What's happening with the support systems in, you know, established by the providers, that folks are not gravitating to those first. Where are they gravitating to kind of like side channels, when, where they know, there'll be folks from these companies who are not even reading or listening to be able to get some support? And that made us think that there is an issue in how examiners or tools for examiners are supported in this space. Right, and we're not talking about any particular vendor, I believe. We believe, and if I'm wrong, heather, we believe that it's more endemic in regards to baby software development in general. I don't know, right, but in our field we see it a lot and you see folks doing all those requests in all those places, right?
Speaker 2: I would say on Discord, in the Google groups, on the IACIS listserv, there are tons of support requests and they're actually tagging the company saying, can you help me with this? And I think, well, I have a personal opinion on what some of the reasons are, I guess. So when I go into support on any tool, no tools in specific, I go into the support portal, whether it be a chat or I have to open a ticket. One of the first things that I always get from support is, can you send me your data extraction? Well, the answer is no, I work for a law enforcement agency and that is evidence. I am not sending you my data extraction and I cannot send you my data extraction. So I think the second question I'll be asked is, well, can we set up a meeting where I can remote into your machine? No, it's on a sandbox network. I can't have people remoting into our sandbox network. I work for a law enforcement agency, so it's just, we can't. We can't do that.
Speaker 2: I think another reason is that sometimes you get wrong information. So I had one of the really new people in my office reach out to support, and they were requesting assistance on a phone, asked what their options were for this phone, and the answer was chip off. But that phone had, like, Android 11 on it and if you chip that off, you're done. Luckily he came to me and is like, is this right? And I'm like, oh my God, no. Thank God he wasn't trained in chip off. It'd be chipping off a phone that couldn't be chipped off.
Speaker 2: We would never let that happen.
Speaker 1: And even if it was chipped off, you're going to get what, an encrypted blob, right? So you're getting nothing out of it.
Speaker 2: Yeah. So of course I hopped back in the chat and I'm like, who told my new person to chip this phone off? Please correct this mistake before somebody does it. But also, I mean, I've had numerous different places just unanswer support tickets, like, we can't replicate your problem, sorry, and it's frustrating. And it's not only frustrating but it takes up a lot of time for whoever the examiner is asking for the support help.
Speaker 2: I know me personally, if I'm asked to do all of these things and then send screenshots and then, can you try this or can you try that? I've actually been asked to uninstall the version I have and reinstall a new version that they want me to try. And no, I can't. The extractions I have open, some of them take like over eight hours to open if it's in certain tools, or maybe I have like 10 things going on. I can't just shut my machine down at that time just to troubleshoot an issue, so it can end up taking up your whole day. I think that these things are what deter people from submitting support tickets. The problem with that is it leads to the company being surprised when you tell them of your issues. Right, no one else is reporting this. You're the only one reporting this. And I'm not the only one reporting it, or whoever's reporting it is not the only one reporting it. It's just they don't want to go through the painful process of submitting a support ticket. What do you think?
Speaker 1: Look, I mean, no, I agree with you. And this is, so maybe folks that are in the space will say, well, you're complaining. What's the solution? And it's not easy, like, I think the main thing is this type of support system. It was being used to support everything and anything in any company, software or non-software, right, this type of help desk method, and I get it, it's needed, but I believe, and again, you can jump in and tell me I'm wrong or not, the factors, especially with law enforcement and digital forensics, it should be a little bit different. I want my help desk to be power users, right, and the first level of solution from my perspective is, I have this problem, right. Tell me, within the tool, how can I go around it as we're dealing with the underlying problem. Does that make sense?
Speaker 1: And I think folks go to the Discord because the folks that are there for the companies tend to be examiners like them, right? Yes, 100%. And then those examiners can tell you, oh well, maybe you can try this and this and that, but you're not going to get that straight up from your help desk. There's kind of that knowledge gap, from, I mean, I might be wrong, but that's my experience, between the folks that maybe you're interacting with in the IACIS listserv versus the folks you interact with in the help desk structure, right. So I believe that needs to change a little bit, and so that's one thing. Another thing is the whole give-me-your-logs type of thing, right, and I understand you need your logs. So I got a couple of critiques. Some of these logs, either they're in code, when they tell you, well, the error was error xx3935. As a user, that doesn't serve me anything. Or the logs are encrypted. I cannot see them. So, whatever the issue is, the ball is hidden from me, it's provided to the company and then you might sit forever and nothing happens, right?
Speaker 1: I would like more transparency, as you can see here in my marquee for the week, that's the word of the week, more transparency in regards to what the limitation of the tool is. Look, the tool crapped out on x. I want to know that, because even if you don't have the solution, and again, that's OK, at least I can go and do something else, either manually, or be able to fix what the possible issue is on the back end, as, again, we're looking for the long-term solutions. So I would like to see more transparency, and it shouldn't be, from my perspective,
Speaker 1: you just give me the logs. And sometimes you give them the logs and they're like, I don't see nothing in those logs, right? At least they tell you that. I don't know, I cannot confirm it, I cannot read your logs, I cannot decrypt them, or it's all in code. It's codes that I don't understand what they mean, what the meaning of that code is, because it allows you, right. And they might tell me, well, there's some proprietary information there. Look, again, more transparency on the limitations will be helpful, and I understand no company wants to tell you, well, my tool sucks at x. They don't want to tell you that. They want to tell you we're good at everything, or at least we're good at x, y and z, right? So there has to be a balance in regards to what the tool is not doing or where it's bugging out and how we can go about it. And I believe, again, examiners for the companies are really good at interacting, but the help desk is kind of failing on that. So you have two parallel support systems and, like Kevin is saying, and yeah.
Speaker 1: I think you're putting it up. Yeah, can you read it, Heather?
Speaker 2: It's infuriating to be brushed off by support just so they can close the ticket, and sometimes it seems like that is the goal. Let's just get this closed as quickly as possible, whether there's a resolution or not. Absolutely.
Speaker 1: You have a ticket sitting there for months and then all of a sudden it disappears. What happened? So I guess the solution, at least from my perspective, is the knowledge gap between the people in the help desk and the examiners that work for the company, either doing forensics or being front-facing for the enterprise with the examiners. There has to be some parity there so there could be really productive conversations. I send you an email, you send me an email. I send you an email for days on days for dumb stuff, stuff that's like, why are you telling me this? Can you get somebody on the line that knows what they're doing?
Speaker 2: This is my coworker writing in here. Your ticket has been escalated to our Black Hole Division for additional analysis. Pretty spot on.
Speaker 1: The Black Hole looks like a trash can.
Speaker 2: Exactly, it's the bottom of a trash can.
Speaker 1: And again, I've seen this with support tickets in any other enterprise too. But I think that's something that the companies in the space could grow from and say, look, we're going to change that, we're going to put some numbers in regards to issues that are accumulating, and if the company decides to have a dual track of reports, let's say the folks that talk at the listserv plus the tickets, then keep track of that in a way that the information actually filters through the company. And we're not reinventing the wheel, because I'm pretty sure that some person says, hey, can somebody at company X send me a DM for an issue? And I bet those poor folks get that issue 10 times or 20 times from 20 different people. So how is that being aggregated and made part of the knowledge base so that it could either be addressed or that workaround solution be pushed out, and again presenting it in a way, I guess, for management so they don't feel like, oh, we're saying our tools are crap.
Speaker 1: No, that's not what we're saying. We're saying the tool will do these things, and as we work to present this in this manner, there's another solution for you. You're in the solution-providing business, and the solution-providing business cannot be constrained only by the interfacing with the tool, especially when your tool is either bugging out or failing at something. Right? Am I, am I off base on that, Heather?
Speaker 2: No, you absolutely, absolutely hit it. One thing I will add, though, I have it, not all support personnel or help is bad. I've had great interactions with support as well. I just want to make that clear. I want to make that clear, and I will say that on the Discord, Google groups and actually just people who have personally helped me from some of the companies, the help has been excellent, so I don't want to make it all sound bad. If I had to say one thing that I would suggest to people in the community, it would be, you need to be reporting all of your support issues to the company so they realize that, hey, this is actually an issue, as painful as it is sometimes to do those support tickets. If we don't do them, they're not going to know, or they're not going to know how much of a problem it is for how many people.
Speaker 1: Oh, thank you for saying that, because you hit the nail on the head, right? At the end of the day, we got to play the game that's in front of us, all right, and if this game requires us to do tickets, do the ticket. Look, even if you find an alternate solution and you're like, well, I found a solution, who cares? No, no, still put the ticket in, even if you don't expect an answer because you solved it in some other way. OK, do it, because you're helping yourself and you're helping others down the road. So we got to play the game as it's played right now. And thank you for saying that, Heather. That's totally on point.
Speaker 2: All right, so we can move away from that. I guess it's my soapbox week. I stole it from you.
Speaker 1: Oh no, I said it was what grinds Heather's gears and it's being finely ground.
Speaker 2: Well thanks. Well done, well done.
Speaker 1: All right, so yeah, go ahead.
Importance of Surveys and Product Updates
Speaker 1: Yes, so we have, we're changing gears again. We're going to talk about something that I believe is really important, and it's surveys. I know most people like to do surveys, but I'm going to ask from the community, all the Digital Forensics Now community, to do me a personal favor. OK, as a personal favor, I want you to go to the survey, we'll provide the link in a second, and it's the Digital Forensic Practitioner Survey, all right, or the DFPulse 2024.
Speaker 1: This is done by Professor Mark Scanlon and the School of Computer Science from University College Dublin in Ireland. All right, and it's also in association with a couple of professors from the University of Lausanne in Switzerland and professors from the University of Oxford in the United Kingdom, right, as well as the University of Nottingham in the United Kingdom. So I mention that because this is academics, and academics from world-renowned organizations, that are asking us, right, in regards to what's happening in our field. They're asking because they want to know what's the interface between academia and us as practitioners. How can academia inform us and how do we inform them? Does that make sense, Heather? Yes, and I believe this is important. Last episode we discussed briefly an academic article in regards to error. Error, it's not projection, like error. I'm having a brain, a brain.
Speaker 2: I don't know what word you're looking for.
Speaker 1: Well, some errors within our analysis. What causes errors in our analysis, in our work? I guess that's the best way of saying it. And to me it's really eye-opening, and I mentioned last episode that this academic understanding made me aware of these possible pitfalls, so I could mitigate them before I get them, and seeing it in that sort of structure, an academic structure, helped me a lot, right? So it's important for us to also be informing the academics that systemize all that knowledge and then they provide it to us. So please, please, please, please, please, please, pretty please. Look, we don't ask you for anything. We don't ask you for money. We don't ask you for nothing in this podcast. This community doesn't ask you for anything. Only that we ask, at least this time, I'm going to ask you to go to this link, it's going to be bit.ly/dfpulse, and do that survey. It's going to be around 30 minutes, a bit longer survey. I'm going to do it tonight.
Speaker 2: Yeah.
Speaker 1: So we're going to set the example.
Speaker 2: So I'm going to do it tonight, I'll do mine too.
Speaker 1: And go there and please participate in this survey from the universities. It's going to help everybody and help yourself.
Speaker 2: So we are now to what's new with the LEAPPs, and there's a bunch of new stuff with the LEAPPs, so I'll let you start that off.
Speaker 1: All right. So there's a lot of stuff happening, so we have a couple of artifacts that were added and we changed the graphical user interface a little bit, so let's get with that. First, we have the Burner app. It's now supported in iOS and that was done by Django Faiola, and I think we have a screenshot of that. I don't have a screenshot of that.
Speaker 2: There was just the Burner icon that was up.
Speaker 1: But we do have the link to the article. I think it's in Portuguese or it's in French. I think it's Portuguese, right? Either way, don't worry about it. I couldn't read it.
Speaker 2: That's all I know.
Speaker 1: Yeah, but Google Translate does a great job. So if you have Google Chrome, it immediately asks, do you want to translate it to English? You say yes.
Speaker 1: And you can read it there. It's really good. So the Burner app is supported and we have that in iLEAPP. For the folks that are new, that's an open source tooling that the community created and supports, and it will take a full file system extraction from an iOS device and parse it out for you and get you stuff that's just useful. So that's the Burner.
Speaker 1: Kevin Pagano, one of the main developers for those projects with me, my right-hand man, he did an artifact on keyboard usage stats, which is pretty neat. So you got there how many words were typed, how many words auto-corrected, the suggestion bar, and that's important because it will tell you a lot about the user and that goes to that pattern of life. Investigators know, and I'm not going to say them here, but there are certain words that might be important for your investigation that indicate activities, behaviors, likings of the suspect that you will not find anywhere else. So they're not part of any dictionary on the planet, but if you see them as part of that usage stats, in regards to the words that are corrected or typed, that will give you an inkling on what that person is doing or not doing, what their interests are. So you can see a little report there of the lexicon from that device, and let's look at the other user stats, and there we go. That's the kind of statistics: how many were typed, how many were auto-corrected and from the suggestion bar. So this type of artifact, and there's tons of that, that the LEAPPs support and your forensic tool supports, will let you know information about that user that might be of importance.
Speaker 1: Another one that I'm really happy about, and it was done by Evangelos Dragonas and Panos Nakoutis, and they're great examiners and they have developed, especially Evangelos, he has done a lot of artifacts. This one is for ChatGPT and that's pretty neat, and I think they did it for both iOS, Android and for RLEAPP. RLEAPP is a tool that does returns, so as you pull data from the services, you can parse it and get value out of it, and it's pretty neat. You can see the conversation that you have with ChatGPT. You can see the metadata about that conversation. If you uploaded any media, the preferences, you can see there the creation time, the modification time of that conversation, what the title was. So it's pretty interesting. Lately, and I'm telling you, ChatGPT is becoming like a real-world-use tool. I don't think any other tool supports ChatGPT parsing, that I know of. Do you know of any other?
Speaker 2: I haven't seen any. I haven't seen any at all yet.
Speaker 1: Yeah, so iLEAPP and ALEAPP, for iOS and Android, do support it, and if you're looking for it, you're not going to, right, and that's kind of the rule with these type of things, right? But at least this open-source tooling will give you a head start and it's filling that gap until the big players in the space, the third-party providers, are able to catch up, right? What was the chat saying?
Speaker 2: It may have been handy on the recent CTF, and Kevin says the same thing, that it also may have been handy on the recent CTF.
Speaker 1: And that's a good point. When there's CTFs, capture the flag, that's the competition where an organization puts out an image for folks to go through it and answer questions about that image. The person that answers the most questions, or answers them all, wins the competition. Well, guess what? That gives you ideas of how to get to data, and if they're not supported, then you can go into tooling like this one that's open-source and provide some support. So CTFs are a really good way of learning, and learning, obviously, new things that lead to applicable, repeatable tooling for everybody. So that's pretty neat and I love that. ChatGPT.
Speaker 1: The big one, that I left for the end, is the graphical user interface change. Right, let's bring it up. So this is the change. I'll show you a couple of pictures, literally two. The first one we're going to show you. Do you have it? I sent it to you, yeah. So the first one is how the interface is going to be looking. And this is soon. We're going to merge this into the project soon. So before, you had on the left all the artifacts and on the right a little section for the logs to go through, telling you what the tool is doing as it's parsing your data. So now you have a really big, nice screen that will have all your artifacts for you to pick, pretty readable.
Speaker 2: What did I just do?
Speaker 1: Hey, look at that, we're sideways. Let me change it. There we go, and then what we need to do is this. Boom.
Speaker 2: Okay, perfect. Sorry about that, I got you.
Speaker 1: So for the folks that are listening, the screen kind of went haywire on us a little bit, but we got it fixed. All right. So now when you hit process, it's going to then show you only the log screen there. So let's show them that whenever you can, and I like that a lot. I try to live what I preach, and I was talking a second ago about transparency, about how tooling sometimes hides the ball from us in regards to what the limitations are, or when a problem happens it's hiding some log that you cannot understand or decrypt. My perception or philosophy about it is that the error should be upfront, and Johan did this change. I want to say 20 things at the same time. Let me go step by step.
Speaker 1: I'll talk about why the change, but I like it because, even without me telling him, he really picked up on what the idea, the philosophy behind the project is. Now you can see those logs as it's going through. If something breaks or there's an issue, you're going to have it really highlighted, really bold in your face as you're going through it. Now you might say, well, what if it passes? I didn't see it. It's okay. Those same readable logs are available in your report. So then you can go back and figure out where the tool failed or where something happened. So then you can backtrack and figure out if you're missing data. I believe strongly in that. I believe that the limitations should be put upfront and we shouldn't be ashamed of them, because that's how we get things to be better. Maybe my philosophy is like that because I don't have a product to sell.
Speaker 2: Maybe, I don't know.
Speaker 1: But I would hope the industry moves in that way. Put those errors upfront. Okay, now what I want to say, the reason we did that big change is because the libraries we were using to generate the graphical user interface, they were freely available and overnight they decided to charge for them. And again, I'm not criticizing that, right, folks do some work and they decided, well, I think we want to get paid for it. That's okay, and folks that value that and have the money can do it. Now, since this is a tool that we provide fully to the whole community, I want to make sure that it's free and I don't charge for it, and I don't believe that folks should pay for libraries, extra libraries there.
Speaker 1: So what Johan did, and again, so, look, I'm so grateful for the work he did. He took the graphical interface and did it natively within Python. I say natively in the sense of using libraries that come with Python already, with the interpreter, that are free to use. They come with it. That library is tkinter, and he did an incredible job. It's a lot of code to generate a graphical user interface the way he did it, and I'm grateful for it. And I know the community will also be grateful when they interact with it, and we have plans again, long term, for more changes to the tooling.
Speaker 1: And you know, it really gratifies me, like when Heather said that in one of her cases some of the data that came out through the tool solved it and made somebody that was guilty plead, and you know that makes me really happy. That's why we do it. We do it because it's the right thing to do and that's our payment, and I know Johan agrees, and all the fellow developers behind the project. We do it because of that. If you have any good stories about using the tool, let us know. Let us know some success stories. I mean, you don't have to tell the details of your case, because we know some of that stuff is, you know, confidential, but if you need to, you can tell us, like, main plots. That really, really powers us and gives us energy to continue doing what we're doing. So again, thank you to Johan, thank you to Kevin, thank you to all the other folks that I mentioned that keep putting stuff into the project. It's a project by and for the community. So again, thank you so much.
Speaker 2: Yeah, definitely a big week for the LEAPPs.
Speaker 1: Absolutely.
Speaker 2: So that brings us to everybody's favorite, the meme of the week. Let me share.
Speaker 1: Let's see here. I always, I always like the meme of the week.
Speaker 2: So this was my pick for the week out of the memes that came up on Alexis's LinkedIn, and it reads: are carved items and items in the trash bin deleted files? Well, yes. Well, actually no. So I mean, I love this one because I think it was Jessica in the class, and I'm not going to give away the details of your class, Jessica, but yesterday she was saying, just because a tool says something is deleted doesn't mean it was deleted. There can be numerous other reasons that it's showing as deleted in your tools, and there just are. It could be in the trash bin. There's just tons of reasons it could actually be showing deleted, and this meme just hit at the perfect time for me, so I chose it.
Speaker 1: Sorry, yeah, this is one of my favorite memes. Yeah, and all the stories that could be told about that meme, right?
Speaker 2: Yeah.
Speaker 1: All of my favorite.
Speaker 2: Oh, I can't hear you.
Speaker 1: You can think of different examples of the meme, how that applies. So, for example, you think about when you carve an item out of unallocated space, and when you look at stuff from the trash bin, and your prosecutor asks you, so are those files deleted? Well, if you use the term deleted, right? Well, the answer is yes, but that's like what is said in the chat, it's an imprecise answer to an imprecise question. Right, is it deleted? Well, what do you mean by deleted? Because deleted can have different meanings. Right, and I see a movement, and actually Jessica is the one that kind of put me in that direction: don't talk about files that were deleted. Let's talk about recovered items.
Speaker 1: That's a little bit more precise. Of course there's some context where you need to use the word deleted. That means that we need to be more precise when we use it, and I found myself telling my prosecutor, well, yes, it's deleted, but not really. Right, because something in a trash bin is still allocated, right, and it has all the metadata. It has everything. It's just kind of, quote unquote, moved from one place to another, right? To the deletion. It's not really deleted. Now, unallocated is deleted but different, right? There's no metadata. You might have a file that's half of the file, a quarter of the file, not complete, right? Just the header, a little bit more. So it depends, right. What was the chat saying?
Speaker 2: So allocated? Accessible, inaccessible. Oh, the joys of explaining that in court. That's Paul Lorenz.
Speaker 1: Oh my, that's, yeah, absolutely. What is, what is he saying? What's Brett saying?
Speaker 2: Brett says two separate things: deletion, intention and how, and recovery, partially, fully, none.
Speaker 1: Yep. So even when you use the word deletion and recovery, there's also nuances within it, and what Paul and Brett are saying speaks to a concept that I was taught, to present these as tech terms. These technological terms, right, we need to dominate them, and we have this bad habit of trying to use shorthand words to mean things. This is a scientific endeavor. There's precise words for precise things and we need to start using them.
Speaker 1: If you're an examiner and you have trainees, you have to ding them a little bit and say, whoa, that's like a database, right? No, no, no, it's not a database, it's this, it's a JSON file, right? A database, you can mean different things by it. It could be relational, it could be NoSQL, it could be different things, right? Precise terms, as best as we can, for precise items or precise procedures, and even if you have to spend some time explaining it, I'd rather do that and take my time and explain it than have people confused, and I know my prosecutors don't like it because they want me to get over with my part fast. But I'm like, nope, sorry, you got to stick with me, you got to bear with me, you got to thank me at the end, okay.
Speaker 1: So, bear with me.
Speaker 2: Jessica says deleted means something to the user, trier of fact. We need to be careful. 100%.
Speaker 1: Yeah, the term can be loaded, right. When you say something is deleted, intentionality could be part of that. Right. The trier of fact, what she means by that is the jury, for example, the ones that decide what actually happened or not. They could think what's deleted, the person did an overt action on purpose. And you got to be careful because some things are quote-unquote deleted that don't require any user interaction. There's no intentionality there to obfuscate or obstruct any justice, right? So we got to be really, and that's a great point, we got to be really careful and really precise in how we say things, because maybe what you said is not false, but the impression that it might cause on the hearer might be, and that's just as big of a problem as saying something wrongly or making a mistake or just saying something that's totally off the wall, right.
Speaker 2: Yeah, Brett says bad testimony equals bad case law, and we do not want that as a community, for sure.
Speaker 1: Oh, absolutely. And if you got bad case law, eventually, it's not going to bite you today, it's going to bite you and everybody else tomorrow. Exactly. And for the folks that are not familiar with this law enforcement field, that means that the consequences of you being careless could affect you and everybody else down the road. So do this for you, but also think of doing this rightly for me, when it's my turn, and for others.
Speaker 2: Yeah, we've got a "cough, recover folders, cough, hack, pass out" comment.
Speaker 1: Oh my goodness, especially with the mobile. And oh my goodness, yeah, there's a lot, and I appreciate you brought this meme as your selection because it really talks about, then again, our fundamentals, and our fundamentals are important: how we refer to things, what the meaning of things is in the proper context, the intentionality that a word might bring or not bring, and those are things that need to be constantly reminded, especially with new technologies. When ChatGPT comes in and stuff comes with ChatGPT, what's the interplay between what I asked and what I received, right? How can we ascribe that to the person, not to the computer, or vice versa? We need to continuously make sure that we evolve those technical terms and define them properly and explain them properly, and we talked about that a few shows back, how those soft skills as examiners are going to be important, more important as time goes by.
Speaker 2: I'm going to go back and just post one comment that I missed earlier because I thought it was kind of funny. But Arsenal is demanding that Brett give the people a publication date, and I thought it was funny and I missed putting it up earlier. So, Brett, if you have a publication date for the book, a solid, definite date, it looks like you're being called out by Arsenal here.
Speaker 1: Well, and Brett responds, right. What's the date?
Speaker 2: So it's definitely the March 22nd that I mentioned. That week it'll be on sale, so yeah, no, let's all get it.
Speaker 1: What else is Brett saying?
Speaker 2: Half price for one week starting March 22nd.
Speaker 1: All right. So everybody, you heard it here first, we got that scoop. Go check it out. Half price March 22nd. Go get it. Oh well, first of all, Heather, thank you, it was a fun, fun episode. I really liked it. Yeah, thank you.
Speaker 1: Me too, and thank you everybody in the chat and the folks that are watching and listening live. I've been keeping an eye on the folks also on Instagram and the folks on LinkedIn, and if you don't see me commenting on LinkedIn, because I can only have so many hands, know that we see you and we appreciate you. Yeah, send us comments, topics you would like us to speak about. You can send it to our Digital Forensics Now podcast page on LinkedIn. Just search and you'll find us. Or hit Heather up, hit myself up. Send us a friend request and we should be good. Anything else for the good of the order, Heather?
Speaker 2: No, that's it. Thank you so much, everyone.
Speaker 1: Thank you, and with that we'll see each other in a couple of weeks, yeah. All right everybody. Thank you for being here and we'll see you, take care. Thanks. Bye.
Speaker 2: Bye, bye.