Digital Forensics Now

Apple Is At It Again, Changing Our Logicals!

Heather Charpentier & Alexis "Brigs" Brignoni Season 1 Episode 15


In mobile forensics, each update brings new challenges and opportunities. Join us as we dissect the impact of iOS 17.4, including the nuances of SQLite databases and the arrival of write-ahead log (WAL) files in Advanced Logical extractions. Our episode is brimming with insights that could change the way you approach data extraction and parsing.

The forensic landscape is ever-evolving, and this episode isn't shy about the hurdles we face, or the workarounds that keep us ahead. Discover how matching your forensic work environment to the device's native operating system, and using tools like Christian Peters' UFADE and Lionel Notari's iOS Unified Logs tool for logical and Unified Log extraction, can streamline your investigative processes.

Building a personal brand in digital forensics isn't just about notoriety; it's about cultivating a reputation that commands respect and opens doors. This episode celebrates those who contribute to the community, from the creation of new parsers to the latest features in FTK 8, and how these actions bolster not just your standing but the entire field. We explore the unique journeys that shape our professional identities and share laughter over common forensics foibles. It's an episode that champions growth, community, and the personal touch that makes all the difference in a technical world.

Notes-
A Gift From Apple:
https://www.msab.com/blog/apple-deleted-data-itunes-backups/

UFADE Universal Forensic Apple Device Extractor:
https://github.com/prosch88/UFADE

iOS Unified Logs tool:
https://www.ios-unifiedlogs.com/blog

FTK LevelDB Support:
https://www.exterro.com/ftk-product-downloads

What's New with the LEAPPS?
https://github.com/abrignoni
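
The 17.4 Advanced Logical issue discussed in this episode (a database path present twice in the extraction zip, with its -wal file alongside) is something you can check for before the data goes through a parser. The Python script below is an added example written for this page; it is not code from the episode, from Cellebrite or from MSAB. It builds a constructed container in memory (the directory layout and file contents are made up, and the "databases" are header-only stand-ins, not usable SQLite files), inventories every entry by archive index rather than by name so that both copies get hashed, and can write a deduplicated copy with an audit log of every kept and dropped hash. Keeping the last copy mirrors the extract-and-overwrite workaround, where the last entry wins; whether that is the copy your tool needs is an assumption you must verify with your own testing and document in your notes.

```python
"""Audit an extraction container (zip) for duplicate entry paths and, if required,
write a deduplicated copy with an audit log. Added example; not podcast or vendor code."""
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict
from typing import Optional

SQLITE_MAGIC = b"SQLite format 3\x00"


def sqlite_header_info(data: bytes) -> Optional[dict]:
    """Read the fixed 100-byte SQLite header. Bytes 18 and 19 are the write and
    read format versions: 1 = rollback journal, 2 = WAL (SQLite file format spec)."""
    if len(data) < 100 or not data.startswith(SQLITE_MAGIC):
        return None
    page_size = int.from_bytes(data[16:18], "big")
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    return {"page_size": page_size, "write_version": data[18],
            "read_version": data[19], "wal_mode": data[18] == 2 and data[19] == 2}


def fake_sqlite_file(wal: bool, payload: bytes) -> bytes:
    """Constructed stand-in: a valid header followed by arbitrary bytes. Enough for
    header inspection; it is not a usable database."""
    header = bytearray(100)
    header[0:16] = SQLITE_MAGIC
    header[16:18] = (4096).to_bytes(2, "big")
    header[18] = header[19] = 2 if wal else 1
    return bytes(header) + payload


def build_sample_zip() -> bytes:
    """Constructed sample container: one database path stored twice with different
    content, plus its -wal sibling. The directory layout is made up."""
    db = "BackupService/HomeDomain/Library/SMS/sms.db"
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicate names but still writes them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(db, fake_sqlite_file(True, b"rows before checkpoint"))
            zf.writestr(db + "-wal", b"constructed WAL frames")
            zf.writestr(db, fake_sqlite_file(True, b"rows before checkpoint plus WAL rows"))
    return buf.getvalue()


def inventory(zip_bytes: bytes) -> dict:
    """Every entry keyed by path, in archive order. Entries are opened by ZipInfo,
    not by name, so a name lookup (which only sees the last copy) cannot hide a duplicate."""
    by_path = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for idx, info in enumerate(zf.infolist()):
            data = zf.open(info).read()
            by_path[info.filename].append({
                "index": idx, "size": info.file_size, "crc": info.CRC,
                "sha256": hashlib.sha256(data).hexdigest(),
                "sqlite": sqlite_header_info(data)})
    return dict(by_path)


def find_duplicates(zip_bytes: bytes) -> dict:
    """Paths stored more than once; copies with differing hashes are the case that breaks tools."""
    return {p: e for p, e in inventory(zip_bytes).items() if len(e) > 1}


def dedupe_zip(zip_bytes: bytes, keep: str = "last"):
    """Return (new_zip_bytes, audit_log) with one entry per path. keep="last" mirrors
    extract-and-overwrite (the last entry wins). Which copy is right for your tool is an
    assumption to verify, so every kept and dropped hash is written to the log."""
    if keep not in ("first", "last"):
        raise ValueError("keep must be 'first' or 'last'")
    chosen, log, out = {}, [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src:
        infos = src.infolist()
        for idx, info in enumerate(infos):
            if keep == "last" or info.filename not in chosen:
                chosen[info.filename] = idx
        with zipfile.ZipFile(out, "w") as dst:
            for idx, info in enumerate(infos):
                data = src.open(info).read()
                action = "kept" if chosen[info.filename] == idx else "dropped"
                log.append({"path": info.filename, "index": idx,
                            "sha256": hashlib.sha256(data).hexdigest(), "action": action})
                if action == "kept":
                    new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
                    new.compress_type = info.compress_type
                    dst.writestr(new, data)
    return out.getvalue(), log


if __name__ == "__main__":
    sample = build_sample_zip()
    for path, copies in find_duplicates(sample).items():
        print(path)
        for c in copies:
            print(f"  #{c['index']} size={c['size']} sha256={c['sha256'][:16]}... wal_mode={c['sqlite']['wal_mode']}")
    cleaned, audit = dedupe_zip(sample)
    for row in audit:
        print(row["action"], row["index"], row["path"], row["sha256"][:16])
```

Run it against a real container by replacing `build_sample_zip()` with the bytes of the extraction zip. The point of the audit log is the documentation requirement raised in the episode: the deduplicated zip will never hash-match the original, so keep the original untouched and record which entry index and hash was kept or dropped for every duplicated path.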



Speaker 1:

Today is Thursday, March 28th, 2024. My name is Alexis Brignoni, aka Brigs, and I'm accompanied by my co-host, the digital forensics SQL writer par excellence, the one that reminds me to put on the face smoother function before the show, the only one that sets up meetings that could not have been an email: the one and only Heather Charpentier. The music is Fired Up by Shane Ivers and can be found at silvermansound.com. Heather, thank you. Thank you for reminding me to smooth out my wrinkles before the show.

Speaker 2:

Hey, the platform has a face smoother. You need to use it.

Speaker 1:

I'm in denial. I'm like the river. I'm in denial.

Speaker 2:

We're not in our 20s anymore.

Speaker 1:

Oh, Heather, how good to see you. What's going on?

Speaker 2:

Oh, good to see you too. Nothing. It's been a busy two weeks. I was off all last week, as you know, because you were off as well, to work on the IACIS material. So a full week of that. That's what I've been up to the last two weeks.

Speaker 1:

Well, what have we been up to? Yeah, definitely, and for folks that might be listening for the first time, we will be teaching the Advanced Mobile Forensics course for IACIS. It's coming up real soon in Orlando, so come down to my neighborhood to get this class and we're going to be there. It's going to be really interesting. We're going to have a whole bunch of good topics for you. Johan is online all the way from Europe.

Speaker 1:

Thank you for staying up this late with us, or being up that early, it depends. It depends what time it is there. And obviously Kevin, my right-hand man, person, with all my projects, is up in the chat as well. So good seeing you. Yeah, so we've been doing that and we had a pretty busy, what, 48 to 24 hours? And I say we, but I think the community in general. If you're one of those examiners like us that try to go beyond just, you know, pressing and dumping and pumping reports out, you need to be aware of a few things, right? So what do you say, Heather? Should we get on with it?

Speaker 2:

Let's do it.

Speaker 1:

All right, let's go.

Speaker 2:

So first topic of the night: there was an article by Adam Firman of MSAB and he was discussing a new update with Apple which came with iOS 17.4. So SQLite databases are part of an iTunes backup and, starting in 17.4, we now have access to the shm, the shared memory, and the WAL files that go along with SQLite databases. So excellent news for the community, right? We have access to possible additional deleted data, data that hadn't been committed to the database yet, and his blog, if you go out to it, let me put his website up, has a bunch of comparisons that show the additional data that's being recovered from the iTunes backup type extractions, now that we have access to the WAL file and the shm file. Yeah, so make sure you check out his blog and the new data you'll be able to have access to.

Speaker 1:

Yeah, and I didn't get to read the article when it came out, but obviously Heather and some of the folks kind of talked to me about it and at first go, you're thinking, well, that's a pretty cool thing, right, because if it has the WAL file now you get more stuff. Like Heather said, and again for those that are not familiar, those are temporary files that SQLite utilizes as data is coming in and out of the database. And yeah, so it's there, right. So I'm like, well, that's nice. I didn't think too much of it until, what, 48 hours, 24 hours, I say 40, it was 48 hours, right, ago. Tan chan chan.

Speaker 1:

So, the great Ian Whiffin, and if you don't know who Ian Whiffin is, you should, although most likely you know who he is. He is the main head cheese at Cellebrite. He deals with all the decoding teams there, kind of the boss there for those, and he came out with a post in the Cellebrite portal for the customers with really important information.

Speaker 1:

So again, I'm going to get to it.

Speaker 1:

So we know that 17.4, that iOS version, does include these WAL files. Well, what's happening is that now these WAL files are appearing, and, as they're appearing, depending on how you're doing that extraction, and I'll explain that in a second, you might be getting copies of that main database, two copies of it. So, instead of getting the database and the WAL file, you're getting a database, a database again, and then a WAL file, and that's breaking our tools. Okay, and the reason, you may be like, well, why are we getting those two? That's how Apple decided to pull those out from that particular iOS version.

Speaker 1:

Now, remember, our tools don't just drop things into your file system. It just doesn't do that, right. What our tools do is put them in a container, right, Heather? And usually that container, based on practice, tends to be, what, a zip file, and I mean, even Cellebrite had tried to use DAR files and some other formats, but, based on reasons that we can discuss another day, the zip file has become the de facto standard as a container for this data that's coming out of these mobile devices. Okay, fine.

Speaker 1:

Well, the problem is, when you pull out these two databases that are coming out of the extraction, or the phone is giving them to you, if they land on the file system, you're putting two files with the same name in the same location. Is that possible? Of course not. So what the computer does is put one in and overwrite the other one, and you don't notice it, right? But zip files don't work that way. If you send a file to a zip container and send another file to the same location, path, right, with that same name, the zip is going to hold it. The zip file doesn't care. It doesn't say, hey look, are you sure you want to put these two files with the same path? The zip file doesn't care at all, it just keeps track of the path and the file name all together.

Speaker 1:

So when tools like, and I say Cellebrite, because they were the ones that gave that notice, but our assumption, we haven't tested it yet, but our assumption is that this could happen with pretty much any forensic tool, the tool then has to make a decision. First of all, I have these two files. Am I going to take them or not? And if I do, it's a problem, because if it takes one of them, they're not the same. Those two databases that come out, they're not the same.

Speaker 1:

One goes with the WAL file and the other one, Ian tells us based on his research, is that same database with the WAL file already committed, which means all that data is in or out and it doesn't have a WAL file. So what happens? If the system decides to pick the one that has it committed, the WAL file is still there. It will try to apply that WAL file, say, okay, let's replay these events here, and it's going to choke because those events already happened, right? Right, and SQLite is not designed to work that way.

Speaker 1:

And I know it's a lot of technical explanation for folks that might be listening and even seeing, because I don't have any props. I'm just talking about what I know and what we know based on what Ian researched and shared with the community. But this is the main point after all this, and there's more to say, but the main point is this, right: if you take your Advanced Logical extraction from iOS 17.4.1, right, and you just put it through your tool, whatever tool it is, and you don't care about it and you pass it on, you're going to miss chats, because chats usually, not always, but usually, are located in what?

Speaker 2:

In SQLite files.

Speaker 1:

In SQLite databases, right, and that's a serious problem, because the tool will make notice of that in some log, I guess, but you might not even notice. And that comes back to what we talked about last episode about how I believe tools should be more, let me rephrase that, tools should make us more aware of where something breaks, instead of having me dig through a log to find it, and that's a discussion we had last episode, if everybody's interested. But that's how it is, right, and that could be a big problem. I mean, what have you seen in regards to the topic, Heather?

Speaker 2:

So definitely props to Ian for putting that out in the community portal. Hopefully everybody got an email if you didn't go into the community portal and check out that announcement, because included in it are a couple of workarounds which we'll discuss in a second. But I extracted one of my test phones, Advanced Logical, 17.4.1, and brought it in and checked it out, and there's definitely issues with my Advanced Logical. I am missing data. Some of the databases look to be empty, but they're not. So using one of the workarounds that Ian provided, I was able to compare the two, and you can see the data using the workaround, and then, of course, in just the regular Advanced Logical, I'm missing that data.

Speaker 1:

Yeah. And again, let me say this: if you're not kind of part of the community, like coming to the show here or following folks on LinkedIn or opening up your listserv or your emails from the vendors, you're going to miss this data. So those that are listening, reach out to other colleagues from your agencies, or people that you know, and make sure the word spreads out. Obviously, the companies are working on it. Well, let me rephrase that: I know Cellebrite is, they told us, and they do it right.

Speaker 1:

But that's a little bit of a tiny little rant. Not a rant, a tiny little comment here. I haven't heard about this from any other vendors, and some folks, I mean, I'm not going to say who they are, but some folks from the other side of the world have told me that they're finding this issue in other tools, not in Cellebrite tools, in tools from other vendors. So just because you're like, well, I don't do my logical extractions with Cellebrite, I use Company W, you might still be susceptible to that. And the reason for that is that, depending on how the company makes those logicals, you might be exposed to this. And you've got to remember, folks need to be aware that most, I say logicals, but iTunes-style backups, AFC dumps and all that, they're done through DLLs that Apple owns. Does that make sense? So different companies, for that particular purpose, are going to use the same DLLs that Apple provides and tell the phone, hey, phone, provide me these things, run these processes, and those processes will run. Now what will the company do with that? Right, so that's what I'm saying, that this problem might be.

Speaker 1:

I'm pretty sure, and again, I'm not 100 percent sure, I haven't tested it, but I'm making a really good, informed guess that other companies might be having this issue. And again, full file systems, will they be susceptible? I don't know, it depends what their secret sauce is, but if their secret sauce includes some of these processes that Apple has for their phones, it might be susceptible. So you have to always try to check, when you see these things, that your product is not susceptible to it. And if it is, then, like Heather's saying, you need to think about how we can get the job done until the tools catch up. I'm not going to say fix, nothing is broken. It's just that something changed, right? So how are they going to update themselves to accommodate this new change in our working space?

Speaker 2:

Exactly. So Ian talked about a couple of workarounds. I have one here. Let's see. So the first workaround he talks about is to locate the zip file created as part of the extraction process and then, using a tool such as 7-Zip, extract the zip file to your computer, or you could extract just the Backup Service folder, and then, if you're prompted to overwrite the files, which you see here on the screen, it's stating that the destination folder already contains these files, do you want to replace the existing file? You would hit yes, so overwrite the files, and then, from within PA, you open that unzipped folder as an iTunes backup. So just using the folder option.

Speaker 1:

Yeah, and I mean it kind of makes sense. It makes sense like I described previously, right? If you dump the files to the file system, which is what this is doing, if you uncompress the zip file, you're dumping onto the file system, the file system, through zip, has to make a decision because you're going to have both files in the same place, the same path, and then you overwrite one and keep the other one, and obviously, in Ian's testing, the one that remains is the one that matches the WAL, and then you're good to go. But what problems could you foresee with that type of approach, Heather?

Speaker 2:

Yeah, so definitely changes. There'll be changes made to your extraction. You're not going to be able to, you're not verifying the hash against the original hash that came out with the extraction, and Ian even has in bold in his announcement to the community to please note that this solution involves removing the committed versions of the duplicated databases from the extraction. Any steps taken should be undertaken with due care and consideration and must be well documented. So I think the documentation is key here. You're still going to have your original extraction, your original data, but document any changes you may have to make to be able to view the data in the tools.

Speaker 1:

Yeah, and that speaks to a larger point, that we need to make our stakeholders aware that what makes something forensic is not just because I use a forensically, you know, a tool that's been endued with forensicality. Like, something being forensic is not a property, like, you know, a property of water is that it's wet. A property of Cellebrite is that it's forensic? Like, that's not a thing, right? Forensic is not a property. What forensic means is that you're able to document the steps you took to be able to, what, recreate it. Recreate it or replicate it, both words are perfect, right?

Speaker 1:

So that's what forensic is right. You have to do the steps to get to this data. Of course there's preferable steps, right? I'd rather not have to open the container, right? If I can avoid it, but if it's unavoidable, then we have to do it, right?

Speaker 2:

Yeah, so there's a workaround two as well. Did you want to explain that one?

Speaker 1:

Yeah, yeah, yeah. So the second workaround is you take Inseyets PA, which is the new branding name for the tooling that Cellebrite provides, and you process the thing. Now you go to one of the, I think it's the file info tab, if I'm not mistaken, right? Correct. And then you can look at the different files that might be at issue here and you take note of those. After you take note of those, you can then go open the zip using 7-Zip. You have to use 7-Zip to do it. You don't do it through the

Speaker 1:

Windows zip management thing. That's not going to work. You take 7-Zip, you go in and you flag those files and you delete them from your zip, and then save that zip. Now that zip doesn't have those files, and then you process it and then you're good to go. Of course, like Heather said, a big problem in regards to that, I say big problem, but a problem, in regards to hashes: they won't match, right? Right, and well, I mean, I'm on a roll, so I'm going to go.

Speaker 1:

One more thing. I decided, what I think, what I'm doing is an approach of both, right? I'm saying that because the whole dump everything to the computer and then parse it, I don't like it, because, true, the databases will be there. The main metadata for the chats, if it's a chat, that's a database for chats, it's going to be within the database, so that doesn't get affected. Now, the metadata for the database itself, that outer shell of the database, does change, right? The creation date is now going to be the date the thing was uncompressed, right? And Heather, jump at me if I say something badly explained. You're good.

Speaker 1:

All right, and then that's not an issue. But what happens with possible multimedia files that come out of that media, right? And maybe the tool, not always, but maybe the tool depends on some of that metadata that comes with the file itself or some EXIF data. And again, I'm not saying that's the case at all times. Remember, there's manifest plists and there are different things that have the metadata somewhere else. I get it. But I don't want to run that risk.

Speaker 1:

So what I do is I take the zip file, I dump it, right, I uncompress it, and then parse only for the chats, that's it. Then I take the original zip file, parse it again for everything else, okay, without changing anything else, just for everything else. So at least I kind of minimize the scope of what could be, quote unquote, an issue here. In my second report, all the hashes will match because I'm not changing that zip file, but I'm using it only for the specific purpose of everything but the databases. And then for the other extract, I say extraction, but the other report that I make out of it, just for the chats, then I can just speak to those. So does that make sense? So I'm trying to take the scope of issues and minimize it as much as I can, if that makes sense.

Speaker 2:

It does. It makes sense. I have to pop your comment up here though.

Speaker 1:

Savi's my kid. He's saying hi dad in Spanish. Hi Savi, they're watching.

Speaker 2:

That is so cute.

Speaker 1:

It is. It's my eight-year-old, the cutest thing, you wouldn't believe that came out of me. He's so beautiful, so smart. A quick side note here, real quick. I see all the folks coming into Instagram. So thank you also, all of you, for showing up. We see you. Yeah, all right. So, yeah, and one more thing. This is important, right? So these types of things, when they happen, you need to be aware. I had on my LinkedIn a couple of people tell me, hey, look, we read your post and we went back and two of our cases had that issue and they didn't notice. Wow. So, yeah, just check out the post when you can. Awesome. Yeah, they mentioned it, so they came across it. So please, please, please, please, while this is getting fixed, make sure that those Advanced Logicals are being properly parsed and give your full file systems an extra look, and it don't matter if you're not using Cellebrite tools. Okay? Right.

Speaker 1:

Now this is the last thing I'm going to say on this topic, which is important. We've said on this show a lot of times we're not shields for any company. We're also not haters of any company, and I've given some constructive criticism to Cellebrite in the past. But now, today, I'm here to give them a lot of credit. Right, and that's how it goes, right, we try to call it as we see it.

Speaker 1:

Cellebrite took the step of actually sending out somebody of Ian's caliber to make sure the community is aware. They came out with workarounds. Not only that, they're working on a white paper that will be coming out soon about the issues, because that's necessary, right? If I need to go to court and explain why there's some issue with hashes with these particular extractions, we have the backing now with that white paper, extra backing of what's going on, right? Right, because you have that documentation with you, plus your own knowledge, expertise and your own notes, and that's something that I want to see companies continue to do and do more. Okay, that talks about that transparency that we talked about last episode, that we want from our vendors. It also talks about the integrity of the work they do, and they could have hidden the ball, right? They could have said, well, you know, let's fix this real quick and maybe nobody will notice.

Speaker 2:

Yeah, I'm glad they didn't.

Speaker 1:

Exactly which. I've seen this happening in the past with other companies. Yeah, right, so I give them credit for that. Yeah, can you share Kevin's comment there?

Speaker 2:

I can.

Speaker 1:

Yeah, and Kevin. I mean, that being said, Kevin is totally correct. Kevin is saying that he wishes the post was public and not behind a login for customers, right, and of course there's always space to be better. So, yeah, maybe make another type of notification. I think they send out emails too, but again, emails go mostly to customers, right, people that are on that list. So, but hey, I give a lot of credit just for being able to put that out there at the speed they did it. And yeah, that's why we're here. We took that and we try to also make it known to the community, and now you that are listening or watching can also let other people know. So good stuff.

Speaker 2:

I agree with Kevin, because sometimes there's like one person in charge of managing all of the dongles and stuff, so they have the login and they get the email, and if they don't share it with everybody that works for them, you may have a lot of people that miss the notification.

Speaker 1:

So that's actually a good point. Yeah, I mean, yeah, I'm going to leave it like that. I'm not going to throw nobody under the bus, but if you're one of those persons, like that person is responsible for it, make sure to put it out. Send an email out. You might be like, well, I saw it on the Cellebrite portal. I sent many. Everybody must know. Everybody doesn't know.

Speaker 2:

No, they do not.

Speaker 1:

Send an email to your squads, to your troops, to your different units that are far away, and make sure people are aware.

Speaker 2:

All right. So we have the Universal Forensic Apple Device Extractor next, and I'm going to put the link up for that while Alexis talks about it.

Speaker 1:

Yeah, so this is an interesting project that, I forgot who sent it to me, I'm the worst, but somebody sent me a message saying, hey, have you checked this project out? And I was like, well, no, I haven't, let me check it out, and it was actually pretty, pretty good. It's Python-based but it has a nice graphical user interface and, as of today, it runs only on Linux and Mac. There are some issues with the GUI libraries, Windows doesn't play nice with them, so for now, that's the case. That being said, yeah, keep that in there. That's perfect.

Speaker 1:

I want to make a, I believe so, I believe that you want to, if you can, work with your device in the environment that's most similar to it. Okay, for example, we know Androids and iOSes, right, come from a Unix, Linux background, that code, okay. When you work with an Apple device on a Windows computer, there's nothing wrong with it, but it's not a similar environment, so you've got to be careful when you do that. Okay, I'd rather do that type of work on a Mac.

Speaker 1:

And obviously, tools, forensic tools, are kind of moving, gravitating more towards Windows environments. Before, you had a little bit of competition in regards to tools running on Mac for doing forensics and tools running on Windows for forensics. But I think we need to revive that, and that's why in my projects I make the point of making them cross-platform. And I'm going to go off topic for a second to give you an example, folks that are listening and watching. When you pull out a file for analysis, let's say a media file, from an iOS device, the file system that iOS has is APFS, right, Apple File System. Okay, there's metadata contained within that file system. If you move that from your iPhone and drop it on your Windows box, what's going to happen, Heather?

Speaker 2:

You're going to lose some of that metadata.

Speaker 1:

You're going to lose it because NTFS, the file system for Windows, or even if you have FAT, whatever, or exFAT, doesn't matter, does not know how to deal with that information because it has no way to accommodate it in its own file system. An example of that is extended attributes in APFS file systems. Okay, it's kind of funny because, you know, APFS is Apple File System, so I'm saying file system twice, APFS, Apple File System, file system. Anyway, I digress, but yeah, I mean, so extended attributes are super important.

Speaker 1:

They tell you a lot about that file, possibly where that file came from, maybe some usernames, like if you're dealing with files that are coming through the Bluetooth technology with AirDrop, right? If you pull that data out and you dump it on a Windows box, you're going to have issues. Another simple example: you want to look at that picture and it's a, I don't know how to pronounce this, HEIC or HEIC, I don't know, H-E-I-C extension files, right? If you drop that file on a Windows box, you'd be like, I don't know what this is.

Speaker 2:

Not even opening it.

Speaker 1:

Yeah, exactly, but if you put it on a Mac box, you'll be able to actually look at it, right? Right, and let me tell you, if you really want to squeeze that case and get all the data, sometimes you might have to pull some files out of your extraction to do some further by-hand analysis. So you want to do that within a file system that's more like the system that you're examining, okay, in this case. Going back to the tool. All that being said, going back to the tool, this tooling runs on Mac and I love it because it generates not only an extraction, it generates an extraction and pulls logs as well. What you see here on screen right now is a little bit of the interface. It's a classical kind of Linux interface, like when you set it up. I love it. It works really well.

Speaker 1:

And when I put in my test phone, my test iOS device, at first it didn't find it because I needed to make sure to put in the PIN code and make sure it recognized that you could pair it with that computer. Okay, this tool will not break your encryption or anything like that, right? Well, let me step back. There are some brute force capabilities, but that's for a little bit later. You have to have access to your phone, you have to be able to pair with it, and it tells you there all the information about that device.

Speaker 1:

Let's go to the next slide, and then it gives you a menu of options, and this is the meat and potatoes of this program. You can save the device information to text, which you saw in the previous screen. You can do an iTunes-style backup. You can do a Logical Plus backup, which is kind of like that iTunes-style backup with additional information, like phone call logs and stuff like that. Or you can do it UFED-style, and UFED, for those who are familiar again with Cellebrite tools, is the type of format that UFED 4PC gave us when we made the Advanced Logical extraction we were mentioning a little bit ago. It's kind of funny, right? This has been the Advanced Logical extraction week. We didn't plan it that way, it just happened.

Speaker 2:

Still go for your full file system.

Speaker 1:

Yeah, well, of course, if you can, and I have a meme for that, right? Whenever there's a new file system, you go and you say, hey, you know, tool, what can you give me? And the best I can give you is Advanced Logical.

Speaker 2:

Yep.

Speaker 1:

Because we don't have support for full file systems yet.

Speaker 2:

Exactly.

Speaker 1:

Yeah, so, yeah, because we don't have support for full file systems yet. Exactly, yeah. So again, this is the thing: full file system is the preferred extraction, but you will not always get it. There will always be some lag time between the new version of the tool, I'm sorry, the new version of the operating system, and a new version of the tool that actually gives you full file system access to it. That's just the,

Speaker 1:

that's just how this game is played, so Advanced Logicals will still be relevant to your investigations. Oh, yeah, definitely. Yeah, and this particular tool gives you that UFED style, which means it has the UFD file there that has all the metadata in it. I don't think I added that to the screen. But that's fine, let's go to the next slide. So when you run it, I ran the UFED-style backup. So it does a logical backup. It's a nice progress bar. And then after it goes, it does an AFC extraction of media files, which I kind of mentioned previously, like the AFC conduit, pulls those in, and the backup is complete. When the backup is complete, what you're going to get is a nice collection of files which we'll show in a minute.

Speaker 1:

Another option is to collect unified logs.

Speaker 1:

Heather's going to talk about unified logs more in a second, another method, but this method I found, as of today, to be the most painless way of getting unified logs from my device so far.

Speaker 1:

You literally hit option number five, collect unified logs. You hit okay, it takes some time, you sit tight, you wait, and then, after it's done, you have a nice logarchive with everything you need there. And again, talking about using like environments to do your analysis: if you dump that logarchive onto a Windows box, you're dead in the water. There's nothing you can do with it. But if you do it on a Mac, on a macOS device, you can then use the macOS viewer that comes with Macs and really look at all that data within that logarchive. All right. And when the full backup is done, you can feed it, like you can see there on the screen, for example in this case, to Physical Analyzer, and it works just like any other extraction that you have done. This is great because the cost of this is, it costs as much as our tooling costs, which is zero.

Speaker 2:

Zero is nice. Everybody likes that price.

Speaker 1:

Yeah, so yeah, and it works really well. The author is Christian Peters, I believe he's from Germany, and he's adding some other capabilities in regards to doing, possibly, screenshotting of things within your device. He didn't give me details, so maybe I'm saying that wrong. Hopefully not, but still, the point is he's working on more developments on the tool. So I'm really happy to see not only decoding things like what I do, but also some extraction things, that folks are getting into that space and making it open source. So I'm really happy to see that.

Speaker 2:

I thought it was cool too. He wrote this script for his master's thesis, so for his schooling. I just thought that was a cool little detail.

Speaker 1:

Yeah, I think they should give him the diploma right now. Yeah, definitely. Why are we waiting until the end of the semester? Give that man his diploma.

Speaker 2:

Speaking of the Unified Logs, so I tested out a unified logs tool this week too, created by Lionel Notari, and I actually have a link here to his blog, his blog about a whole bunch of other topics as well, but the unified log tool is his first digital forensic tool. He did a LinkedIn post talking about his very first digital forensics tool, which is awesome. The tool allows you to extract the unified logs from an iPhone in a forensically sound manner. You need to run it on a Mac and then, after installing the dependencies that he provides when you request a copy of his tool, there's just a simple command that launches the tool.

Speaker 2:

So I have some pictures of this here and here is the command. And I screwed it up, because I always screw everything up the first time, and I did not put the path in where the script was and I couldn't figure out what was wrong. So I had to email him and he was trying to figure out what was wrong, and I figured it out in the meantime, thankfully. But you put in the command, enter your password, and here's when I add the path and get it right.

Speaker 1:

Look, look, look.

Speaker 2:

When.

Speaker 1:

I opened. I make code to open thousands upon thousands of files, right, and every time I need to open a file in Python I have to be like, what's the with open command again? How is the full?

Speaker 2:

command again.

Speaker 1:

And I have to Google it every single time, even though I've done it a thousand times, so don't feel bad about it.

Speaker 2:

I like to share the things I screw up because it happens on a daily basis, so I don't know. Hopefully there's others like me, I guess.

Speaker 1:

I mean, there is and we'll talk about more of that in the end part of the show.

Speaker 2:

So it opens up this nice interface. Hook the phone to the Mac, enter whether it's locked or not, who's performing the extraction. So it gives you a chance to put your name in, the name of the device, what you want to name the log archive file, where you want to put it, and then you just click this "initiating log collection" at the bottom. And there's my information, and you end up with whatever you named the log archive, and again you can view it right with Mac's internal console. I thought it was really easy to use, super quick and really cool, and awesome to Lionel for his first digital forensics tool.

Speaker 1:

Oh, it's fantastic. I mean, we went from having to jump through 20 hoops to get this log archive out of an iPhone, so now we have two tools to do this type of work. You know, a really slight critique that I'll give is that his code, it's encrypted, and he said that it's because it's not done yet. And again, he doesn't have to explain to us why he did that, because he wants to, right? Maybe he wants to protect that intellectual property, and that's fine, I'm not against it.

Speaker 1:

But my smallest critique is just, it's a personal preference. I like to see that code, if possible, and to learn from it and also to validate some of that stuff. It makes it easier, but it's not a necessity, it's more of a personal preference. So you know, like Heather was showing in the screenshot, you have to make sure that you use the encrypting, the crypting libraries before you execute the program, or it's not going to work because of that function. But that's not an issue, just because that's how he decided to do it. Nothing wrong with it, it's just my personal preference that hopefully it would be open source.

Speaker 2:

But people make choices and we respect those choices. What do we have? All right, all right. So, yeah, it's up for my.

Speaker 1:

Although I talk so much on this show, right? Next show, it will be your time to rant.

Speaker 2:

I ranted last time.

Speaker 1:

That's true. So I'm not ranting today, but I will say a lot of things that are on our minds, right. So I've been thinking for a few days about the concept of building brands. Right, and when I say that I mean it in the context of digital forensics. We're familiar with personal brands. Right, we know that. You know, a back then obscure family of a lawyer, the wife and daughters, they became influencers and are really famous people. Right, we know who those are, the Kardashians, right. So when we think about branding and influencers, we think about them. Right, and obviously I'm not saying you should be or think about being the Kardashians of the digital forensics world. I don't think we want to see that either, but no, please don't.

Speaker 1:

I think there is value in having that kind of, like, a personal brand, right, in regards to the things that you do and the things that you care about. So I want to spend some time today, maybe all the way to the end of the show, pretty much discussing why we believe this is important and how we can get to it, right. And you know, the first part I wanted to mention is, why is this important? Right, and I was thinking about how you spend so much time, let's say, at your workplace, developing a good reputation or being a hard worker, or being known for the work that you do, right. And if, all of a sudden, something changes, if you're laid off, if you move to another unit, if you have to move across the country to get another job or whatever it is, you're starting again, building that credibility from scratch. All right, and that's usually how it happens. You find yourself having to prove yourself constantly, and there's nothing wrong with that in a sense, but I believe that if you have a brand, that having to prove yourself is less, because you are a known quantity.

Speaker 1:

Wherever you go, when you have a personal brand. A personal brand, I believe, is portable. You can take it from one place to another place to another place, because it precedes you as well as it follows you. Having a personal brand, I also believe, shows that you're resilient, that you're adaptable, that you're up to date, and that's something that's really important, especially if you're coming new into this space. You need to build a brand to show that you're malleable, that you can learn, that you are keeping up with the conversations that are happening within the community, and these conversations are kind of cutting edge conversations, what's the latest things that are happening? Okay, having a personal brand makes you visible, and when you have visibility within the community and your workspace, that leads to opportunities, and those opportunities need to lead to new responsibilities, and those responsibilities hopefully also lead to more pay.

Speaker 1:

I mean, there's nothing wrong with getting more pay, right.

Speaker 2:

No, nothing at all.

Speaker 1:

And you know, I mean, neither Heather nor myself is motivated extremely by pay, but pay is important.

Speaker 1:

Yeah, all right. So the idea is, so, how do we build a brand? Right, and you might say, well, why? What credibility do you have about building a brand? Look, I've been doing this for over a decade in regards to the digital forensic stuff, and I've been doing law enforcement for, in September it will be 17 years, okay, and even before that I was doing computers as an assistant administrator and all sorts of things. So that if I add that time, it will be about 23, 20, almost 25 years of experiencing IT related things. Okay, and throughout those years I tried to kind of share with the community, and that led, with me noticing it, to kind of having a little bit of a platform that has served me well and has served others well, right. So that's why I think I could speak on, we can both speak on the topic.

Speaker 1:

And Heather, I didn't tell this to Heather before the show, but no, whatever, I'll say it. I knew of Heather before she even knew of me, okay, because Heather was super active and she had her own brand within the IACIS listserv. Everybody knew that when Heather asked a question in the listserv, it's going to be a really incisive question, right? Everybody knew that when Heather gave an answer, it would be an answer to the actual question, okay. So when I met Heather last year in person for the first time, when we taught the basic mobile device course at IACIS, I knew who she was before she knew me, right, and that led to us coming together and doing the show, among other things that we do together in the forensic space.

Speaker 1:

So you build that brand and you will get that, and people knowing you and bringing you into things, because you have that brand and you build it, right. And before I get into the steps, I want to say one more thing. You build that brand not only through the internet and social media. You build it with your coworkers. You build it with your bosses. You build it with the folks that you interact with outside of the organization.

Speaker 1:

In my case, I have to build that brand with my prosecutors, right, to make sure they understand the work that I do, what I specialize in and the quality of my product, right, and that spreads around and you build that brand within your workspace. Okay, and that's super important if you want to be successful and happy at your job, right? So did I tell you before that I knew you from the? I see, I told you before that, right?

Speaker 2:

I think I knew of you, though Everybody knew of you.

Speaker 1:

It's the branding, and also me being annoying as f, so yeah, so. So how do you do this, right? How do you, how are you like Heather, that I knew about her before she knew that I knew about her, and vice versa, right, she knew about me for being annoying, right? So how do we, how do you create that?

Speaker 1:

Well, the first thing is to think about what is unique about you, right, and that doesn't mean that, well, I discovered how to parse JSON, I was the first person in the universe to do a SQLite query. Like, you don't have to be that person. The uniqueness doesn't mean that you have to be the first person or the only person to do X. All right, the fact of the matter is that you're unique for being you, because there's nobody else like you and there will never be anybody else like you, and in my case, thank goodness. You bring your experiences, you bring your life.

Speaker 1:

I mentioned how I came from a coding background, and what's my uniqueness? I believe I come from that coding background, and I came in, I discovered I like mobile forensics a lot, and I said, well, how can I, also out of necessity, right, how can I make these things better? And I took what I like from mobile forensics and forensics in general, added it to my coding, and that's where the Leap project came to be, which again has opened opportunities that I never imagined would happen, and the projects being used worldwide, right. So how do you do that? Right? How do you bring those? Not a lot of people know, I mentioned this like three or four years ago in an interview with Jessica Hyde on the Magnet podcast. Before I became an examiner and a computer person, I was a seminarian, and I know that's hard to believe.

Speaker 1:

I didn't believe it when you told me. I was six months away from finishing seminary school.

Speaker 2:

I still can't believe it.

Speaker 1:

But I bring those experiences too, right, that love of helping people, of making the world better, of preaching in a sense, and with my rants. See, a couple of people in the chat saying what.

Speaker 2:

I agree with Mary and Lori. What it's exactly my response? I had no idea.

Speaker 1:

The chat is going crazy. Now saying what?

Speaker 2:

I was.

Speaker 1:

I used to preach, yeah, like, professionally. Now I do computers professionally, but you bring those experiences to your workplace, because you're a full human being, right? I mean, that uniqueness. Heather, what do you think?

Speaker 2:

Yeah. So I think there's unique qualities about each and every person in this field. Everyone has something to offer. A lot of times I have trouble figuring out what sets me apart and what's unique about me. And then, of course, I come here every two weeks and Alexis does his intro for me and I'm like, oh, is that it? But even if you don't see in yourself what's unique about you, other people are going to see it and they'll point that out to you. Which has been done for me, I mean, definitely.

Speaker 1:

Look, you're so unique that I know that we could do the show for the next 20 years and I will always have something new to say every show about you, like, guaranteed. Well, thank you, thank you. I want to share this thought from Brett. Brett says he might not be a seminarian, but he prays during every acquisition.

Speaker 2:

I think we might all do that. We all join you.

Speaker 1:

Even if you're a non-believer, like I am now, you will still, just in case, maybe light a few candles too on the way. Yeah, we want that thing too. We want those hashes to match. Please, universe, make the hashes match. So, yeah, so you bring uniqueness, right, we bring that to the table, right, and that uniqueness needs to be framed, and with that, I think it needs to be framed within what are your values. Okay, and values, you know, and this is something that I kind of thought about throughout the years and read some books that are on the topic, values are the things that you value. Obviously it's a value, but it's what gives you purpose. That's what I said. It's what gives you purpose.

Speaker 1:

Why are you doing what you're doing? Right, and these things are important, right. For some people, is money important? For some folks it is. It might be really, really important to have money, and there's nothing wrong with it. Money allows us to do other things, and there's nothing wrong with that. But it might not be money. It might be something else, right, or maybe not only money, it might be one of those. So what other things are there than money? Because this is work. That's why I mentioned money first. We're not going to do this for free. We need certain things, right, the pyramid of needs, right. We need food, we need shelter, we need clothes, we need health, and what else, and some other basic necessities, right, so we need those.

Speaker 1:

But what are your values, right? I value justice, right. That's why I'm in this field, in the law enforcement field. I value service. I value the fact that I came to this planet and that, hopefully, when I leave it, I will leave it at least a tiny bit better than how I found it. And I value curiosity and I value the truth. And this is different from beliefs, because when we talk about beliefs, we're talking about the things that you think are true, and it's okay to base your values in beliefs, because you're not going to base them on things you think are false. Right.

Speaker 1:

But the thing with beliefs and values is an important difference, because belief is what you believe is true, but values should inform your beliefs. If you base your values only on beliefs, anything that comes into conflict with your beliefs will be a threat, because if something comes in contact with your beliefs that's contrary to what you believe in, you run the risk of being wrong, and nobody wants to be wrong, right. But if I value truth, well, guess what? I will take that value, and that value enforces my belief, and I will change my belief. And I say that because the conversation in our circle says, well, you're examiners, you need to be unbiased and impartial. And we constantly declare ourselves to be unbiased, and that's ridiculous, right? The fact that you're saying that you're unbiased is in itself a bias. I mean, come on, man, it's like you cannot declare yourself unbiased or impartial, because when you declare it, you're obviously not, right?

Speaker 1:

I think the conversation is to move more into the value sphere. What do you value? I value truth, I value justice, I value honesty, I value the correctness of the evidence, and those values will inform my beliefs. I might be believing this person is guilty, but as truth comes, I will change that belief. Right, we have a scientific method within our science, right, our digital forensics field, that guarantees that our values shine through and our beliefs are accommodated to the facts of the case, the facts of the planet, of life, of the universe, and this is important.

Speaker 1:

We're all biased in certain ways. In certain things, we're human, it's there. But we value something beyond that, beyond what we believe at the moment. We value being and understanding what the truth is, no matter the cost. So that's why I'm not afraid of looking at an exam and coming across a piece of data that contradicts the theory of the case, and I have no fear, I feel nothing bad about bringing that up. Simple as that, because I'm not here to confirm your beliefs. I'm here to express those values, to make our beliefs change as needed, right? Does that make sense, Heather?

Speaker 2:

That does make sense. So I'm wrong often, but you're completely right, I need to be wrong to get to that right answer. When I'm working through a case, I think, just don't be afraid of being wrong. Open yourself up. That'll open you up to learning more.

Speaker 1:

I mean, when you're new. I guess when we do all of this for 10, 20 years, we forget that beginner's mentality. Right, oh, I'm a black belt now, I know all there is to know about the digital forensics kung fu. And we forget that beginner's mentality, when you have to commit so many mistakes to get to the right place. You need to be, and that's how learning happens. You have to have that beginner's mentality at all times. You need to always be a white belt, even if you have 20 black belts in this field.

Speaker 1:

Right, and again, I'm not saying that you're going to go and say, well, I am totally biased. Right, I'm here, I'm not impartial at all. Right, I'm not saying that. Right, you are biased to truth. You are partial to the reality, you're partial to the facts. That's what you're partial to. Right, those are your values, right? So that's what I'm saying. And you're biased, everybody's biased, but if there's a bias that I want to really underline, it's the value of truth. That's what I'm biased towards, I'm biased towards the facts, and that I feel comfortable saying every day, at any time of the week, because that's what I value and I strive for, and our science guarantees it. The detoxification process guarantees that those values shine through, if you let it, because if you don't, and I'm not going to say any specifics, but we know cases where folks are so tied to their beliefs that even when the evidence shows, for example, that the person is innocent, they persist that they're guilty. And you're like, come on, are you not seeing this? And actually I was reading a book. I'm sorry, quick, quick tangent. I'm going to be sorry. Folks, stay with us 10 or 15 minutes after the hour because I want to stress these points.

Speaker 1:

I was reading a book by Adam Grant called Rethink or Think Again. I think it's Think Again. He was mentioning some studies where folks that lost their eyesight, right, and they, to themselves, believed they were not blind. They were like, oh no, the room is too dark, we need to kind of turn the lights on more, or no, I don't have my glasses. It's not that the lights were off, they were blind, they lost their vision. If you had to punch them in the face they would inflinch, right, but they did not want to accept those facts because it contradicted those internal beliefs. And some of those persons did have some, you know, brain development has some issues with that, right, and you know that's the case, but sometimes we're like, we could be like that, right, we could be blind and not want to accept that we are, right.

Speaker 1:

So we need to constantly focus on values, and then let the beliefs, you know, change as needed, right. So that's the second part. You have to live your values. You have to know what your values are, because when you know your values, then you can actually act upon them and contribute, which is the third step. You need to have contributions.

Speaker 1:

So, in order to build your brand, let me just kind of again recap that you have to recognize that you're unique and what makes you unique. You've got to recognize what your values are and put those into action, and then put in front what are your contributions? Okay, what are you doing with your values that makes you unique? Right, and you know, are you sharing those contributions? And I understand you can't go and say, well, yeah, we just solved this triple murder case, and give all the details of the case, and we're going to trial next week. Like, you cannot do that. But what you can do is say, look, there's these artifacts or these things I've been researching. Or look, even if you're a beginner, something as simple as taking an article that somebody put out and making comments on it is enough. Like I said, I knew Heather from her contributions on the listserv, and I don't think she was doing it to get recognition. I don't think, I know she didn't do it to get recognition, because I know her pretty well by now, but that's a byproduct of it. You get that recognition. You build that brand not because you're so much trying to build it. It's because you're actually sharing your contributions. It could be as simple as that, participating with an article.

Speaker 1:

My first big contribution, at least that comes to my mind, was with Discord. I had a case, I was helping the locals with an individual that had coerced a minor to travel with him, that they met through Discord, and nobody knew what Discord was. They had no idea what it is, right, and I started looking at it. And you know, let's be real here, to contribute you do not need to be an expert. You do not. When I started working on that Discord, did I go and consult with a Discord expert to make sure I was right? Could I have done that? There was no Discord expert. Nobody knew what Discord was. It was a new app. The expert didn't exist. What am I going to do, sit there and just wait till the Discord expert shows up? Well, guess what? And let me tell this to folks real clear, you do not declare yourself to be an expert. It's not my sense.

Speaker 1:

Being an expert is not something you declare. It's something that is said by others. It's something that somebody imbues upon another. You don't declare yourself an expert. What you do is you put the knowledge out. You put what you learned out, right. And guess what? With enough time, enough, you know, going through that process, learning about, making contributions in a particular field, you will become an expert, even if you're not looking for it. "I'm an expert now." You will never know that you're an expert. People will tell you that you are, and you say thank you, but what you do is you keep on trucking, you keep on contributing, you keep on sharing what you know. And then, "when do I become an expert?" You will never become an expert. That's not something that you declare upon yourself. Does that make sense, Heather?

Speaker 2:

Yeah, it does. I would say always share what you find, even if you feel that people in the field already know it. Maybe a majority of the people who see whatever you're sharing will already know it, but you will be helping somebody. There'll always be a handful of people that come across your research, your posts, your comments, that didn't know what you're putting out there, and then you have contributed and your influence will grow.

Speaker 1:

Oh, absolutely, and look, like Heather's saying, put that with what Heather said, what we said at the beginning, right, you're unique. Your perspective of whatever it is will help others that might have the same thought process as you. Right, and I mentioned at the beginning of the show, we mentioned how Ian came out with a notification about what's going on with the advanced logicals. I did a post on LinkedIn, obviously referencing him, with how I viewed it, or my synopsis of it, and my steps on how I took his workarounds, how I use them for myself, right. And that's my point of view, and a few people were able to write and say, hey, you know, we appreciate that. That really helped us, you know, drive it home. You can, I mean, if I do it, anybody can do it. You remember those old Geico commercials? You know, it's not Geico, but you know, like a caveman could do it or something like that, some caveman.

Speaker 2:

What was that? It's an old commercial.

Speaker 1:

Oh, you don't watch TV Actually that's better, that's all right. Yeah, not watching TV actually makes you smarter.

Speaker 2:

Anyways, did you expect me to know that?

Speaker 1:

I should ask you about quantum physics. That's more likely to happen. But yeah, I mean, a caveman could do it, right? If I can do it, a caveman could do it, right. So do that, dude. Add your voice, right. Create that, put those contributions out there, right.

Speaker 1:

Yeah, you have to also find people. Find people. Like, I've been lucky enough to find good people within this field, right, to talk about the things that we like, that we have shared interests, that keep me real, that tell me, hey, Briggs, you're full of emoji poop on this thing, or you're wrong, because obviously that really polishes my ideas, or they add their ideas to mine and we grow together. Right, and I've got folks that we have a conversation within Discord or a conversation within some other chatting applications. People that started as plainly interested in the field became colleagues, and eventually we became really good friends.

Speaker 1:

I'm looking at you, Heather, right. Build your tribe, right. When you do that, be part of the community, right. Take those contributions and find people that are like-minded in those fields, because it will build your brand, but more important than the brand, at that point it makes you a better human being, right. And you know, don't get red, but it's true. I'm a better human being by having met Heather, right, and hopefully you can do that as well.

Speaker 2:

I'm looking right back at you. So, since we started our friendship, I have learned so much more than I thought I ever would. But you're teaching me things, but not necessarily always teaching me things, just pushing me to learn things on my own. So with that tribe, you'll get that extra push and the positive reinforcement from people in the community. That will just make you a better digital forensic analyst, or whatever your position is, and it'll just make you better at your craft. Look, look, when I push you out of the nest.

Speaker 1:

When I push you out of the nest, it's because I know you can fly, so don't, so don't you worry. If you don't fly, you'll at least glide, you'll be fine. Thanks. Look. And the last step, right, as you are making those contributions, create that content, right, make it digestible for others and make people know that you have content out. And it's the typical, like, I think it's a Chinese or Japanese koan or thought process: if a tree falls in the forest, right, and there's nobody to hear that fall, did it make a sound, right?

Speaker 1:

And you can tell, well, of course it makes a sound, the sound waves when it hits, but there's nobody there. So, honestly, if it makes a sound or not, who freaking cares? And that's the whole point. And I see a lot of my mentees, especially women, that find it hard to push out and let people know about their successes and contributions. On the opposite side, I see a lot of mediocre men portraying themselves as the last Coca-Cola in the desert, and I'm being straight here, and like, dude, really, I mean, I know you're full of yourself, but come on, man. And I see women that are so capable and they're afraid of putting that content out there, right. So you need to be your own hype person, right? Hype man, hype girl, and be sure that, look, you made something good happen. Send a quick email. Hey boss, I want to let you know that I had this success, was able to do these things, and just to make you aware, there's something that we can build upon. It could be as simple as that. Right, we had some successes. Or, I shared this, look, there's something interesting that we did, or I did, right, and you have to do that.

Speaker 1:

Nobody is going to advocate for you. The only person that advocates for you is yourself. That's just a fact of life. And if you think, well, they know, they see me work, being the first in and being the last out, they know I do all this work. I'm here to tell you, they don't know, because they don't care, because most people are self-centered and look towards themselves, me included, because I'm a human being as well, right? So we all fail on that part. Nobody notices unless you make sure that people notice, right? I mean, do you think that's too far off the mark, or what?

Speaker 2:

Yeah, no, definitely. I mean the entire build your brand section. Just don't be afraid. Don't be afraid to put yourself out there. I have been in the past and I'll tell you it's so much better now that I'm out doing things in the community and sharing and contributing, and just don't be afraid.

Speaker 1:

Yeah, and don't be afraid. And a good way of not being afraid, you know what it is, Heather? It's being consistent about it, right? You don't have to do a blog post, a five-page blog post, every day or every week, but you can comment, put comments on somebody's post every day. You can take, at the end of the day, because that's the big issue. It's like, well, when am I going to do this? I'm busy. I've got my home life, work life. Look, take an hour, 30 minutes to an hour every day. Comment on other people's posts, repost things and add your thoughts to it. Right. Be consistent on putting out your content and your wins. Let people know about your wins as well.

Speaker 1:

Look, I got a certificate on something, you know. I passed this class. Celebrate with me. Put it on LinkedIn. Put it on different social media. Be consistent with letting people know of your wins on a daily basis. When you make it a habit, it's not scary anymore. Things that are scary are things that are mostly unknown, but when you know that when you post, people comment or you add to it, you get a couple of likes and things like that, it's not scary anymore.

Speaker 1:

Okay, because you're actually just contributing, you're participating, you're being a part of the community, right, and obviously you have to enjoy what you do, right, and that's not a step, but it's something that's kind of the underpinning of it. If you don't like doing any of this, building your brand is going to be a waste of time. You've got to enjoy the process. It's not so much. Well, when I get a brand and I become X, you're missing the point. Right, you got to enjoy the process. You got to a brand is a daily thing that you enjoy because that's who you are just being you, and it will work. If you don't like what you do, if you don't like doing any of these things, it's not going to work for you. At the end of the day.

Speaker 1:

I want to tell to everybody is that? We want to tell you that it's your turn now, right, heather and myself, we have now this podcast as part of our brand because we enjoy it. We like to share our contribution, the contribution of other people, and that's great. But I want to see you now. I want to see you listener, watcher, viewer have your own podcast or make your own articles or, you know, start on your social media. Do you start doing your research? Right, I want to see your values in action, the things that you believe, be informed by those and, letting us know, share those contributions. We're like-minded people, we like to share the road with you and we're actually looking forward to seeing your brand and see what you can put out. So come on, let's do it.

Speaker 2:

We're waiting, I'm going to have one less coworker tomorrow morning.

Speaker 1:

Oh really.

Speaker 2:

Yeah. How come? Read the comment.

Speaker 1:

No, no, no, Read it. Read it for the folks that are listening. What does it say?

Speaker 2:

Would building a brand be like winning?

Speaker 1:

the Civilian of the Year Award. Oh, somebody won that. Who won that? Who won it? Me? Hey, how come? When did you win this, like last year?

Speaker 2:

I didn't hear about it. No, it was a few years ago. And they say it in my office constantly. Did you know that Heather got the Civilian of the Year Award? They tell everybody that walks in the office, and Kevin Sayloff, who made the comment and didn't change his name to something else, is no longer going to be a coworker tomorrow. Dude, you need to be a coworker tomorrow.

Speaker 1:

Dude, you need to use a sock account. Come on, man, you brought the heat to yourself.

Speaker 2:

Sorry, I couldn't do nothing for you on that one. I may even get to work on time tomorrow to be at his desk.

Speaker 1:

No, no, no. I'm going to say that somebody that has said against him that did it, it wasn't him, okay.

Speaker 2:

Oh yeah, it's somebody that wants to get at him.

Speaker 1:

That's. That's what happened. You need to do more investigation to confirm. Okay, dude, leave the state right now. Um, look, I'm, I'm not surprised that you got it, actually. Actually, it should be coming again shortly. Oh, gee, thanks. No, but again, I mean, folks, and we know we'll be a little bit over the hour, but I think all this is important, especially for all expertise levels, new people, older people or Asian people like myself. In this field, build your brand. It's a good thing.

Speaker 2:

Yeah, definitely. Okay, we're going to keep going over the hour a little bit, so I just wanted to point out a recent LinkedIn post from Exterro. So, creators of FTK, let me share my screen because I have a picture. They are now supporting LevelDB files. So we talked about those last week and I talked about a case that actually we were able to complete due to the LevelDB, the FCM files. Let me see if I can find the picture. Here we go.

Speaker 2:

All right. LevelDB looks like this in the new version of FTK. It's FTK 8 and they have a service pack that you install right over the FTK 8 that you already have installed. So you don't have to do a whole new install with the database and everything. You just install the service pack and they included the parsing support for the Firebase Cloud Messaging (that is what FCM stands for) LevelDB files, so it gives you an additional chance to locate message, messages, notifications, account information and a ton of other data that's stored in those files. Um, let me just put up their product here. So if you're an FTK user, install that service pack, check it out. Let me zoom in a little, and I think it's one of the best viewers that I've seen for the LevelDBs. In my opinion, yeah, it's really.

Speaker 1:

I mean, I think they lay it out nice.

Speaker 1:

Oh yeah, and as folks who are more familiar with this artifact, FCMs, like Firebase Cloud Messaging, right, it could be anything, right, it could be whatever, right. So I really like the fact that vendors are taking the time to present key values that are coming to clear or are also looking at specific FIRE, you know, FCM artifacts and decoding them for you, because I believe they need to do that. I appreciate that FTK is leading with that effort because they listen to the community for that and I hope, honestly hope, other vendors follow, because there's so much pertinent evidence in these LevelDB files, specifically in Android devices. At this point I'm up to the dozens of cases that I, I mean not including my own, right, that I heard from people that reach out to me. I can only imagine how many more cases are being solved with FCM data that I never, I don't hear about, right, because not everybody calls me. Hey, thanks for the leap, you know. Right.

Speaker 1:

So I want you listener, viewer, to benefit in your cases. So you know it might be through FTK. It might be through FTK, it might be using the leaps. It will have to be by you learning the artifacts and going into those data stores and looking through those for those in your particular cases.

Speaker 2:

If you've ever tried to parse them yourself, though, and then report on them yourself, you will be very thankful for tools like this. Arsenal does the LevelDBs, Rabbit Hole does the LevelDBs, the Leaps you already mentioned, and now FTK is joining the party on those, so you will be very thankful for the tools when it comes to those files.

Speaker 1:

Oh, absolutely. And again, Rabbit Hole, one of my favorites, Arsenal as well. Again, I do like FTK, because now it's not only showing you the LevelDB contents, it might be vendors, I hope again, start adding a little bit more decoding, extra levels of decoding that might be needed for that FCM content. I don't believe it's there yet across the board, and that's fine, but that's why we get paid the big bucks. Well, sorry, that's why you get paid the bucks. If you're in government work, the word big doesn't go there, but you know what I mean. Right, let me remove that here.

Speaker 1:

So what's new with the leaps? A lot, oh, my goodness, it's. It's so much that I have to remind myself how much. Um, right, so again, I think, I don't know. Maybe hopefully, I mean hopefully Johan is still around. It's super late up in Europe where he's at, but if he's around again, Johan, I want to thank you for your work with the leaps. What Johan has done is, and let's show the next slide. First of all, he took all the code base and he made binaries, executables, but for Macs. And this is great, because the only way you could run the tooling, oh, Johan is here, okay, good, good, awesome.

Speaker 1:

It's good that you're here, man. Look, we in the community, we appreciate this. Now you can run the tooling as a binary on a Mac operating system, not only on Intel-based Macs, but also on silicon-based Macs. I have a, I think it's M2, M3 here that I'm using to, you know, even screencast right now and it works great. Right, it's really fast, it's really nice. Again, you're using a like environment, which is a Mac, to deal with a like device, which is an iOS, and it's all compiled as binary. You don't have to really use Python or learn Python to be able to run the tools in that environment anymore, which is an amazing improvement. Second of all, Johan took the screens and he changed them. So I put here on the upper left the old version of how ALEAPP used to look. Look, right, you had on the left the artifacts and then like a tinier kind of screen there for the log as it's going through. So Johan took those, we're discussing and talking about it, and, and even from his own, um, perception, he took and he eliminated the, the log window from the artifacts, because when you hit process, and I think I have the other slide there, the whole screen turns into a big log and I really, really like that. I said it last episode. If there's any issues there, they're going to jump at you immediately. Any problems, they're going to be there and you can review that log up and down before you open the report. Of course, this log is also contained within the report, but I want you to be aware of where an issue might be so that you can go dig deeper if it's relevant to your case. And the previous screen, like Heather was showing, Johan took and made binaries for all the leaps and took all the leaps and changed that interface. Another benefit of the interface change is that it's pure Python code, so we don't have to use libraries that want to charge you or get your money. It's all pure Python for the community and that is an amazing job. The community and me personally.
I'm really grateful to Johan for the work and he's still cranking it out. I see all his, his, uh, pull requests coming in and making the tool better pretty much on a daily basis. So we're, so we're super grateful for, for those changes. Um, I mentioned, oh, I didn't mention this, for folks that don't know, the leaps are composed of a tool for iOS parsing, Android parsing, uh, returns.

Speaker 1:

That's what returns. That's when you get, you send a search warrant to Google, Apple or Kik or Snapchat. Whatever you get back, the tool will parse it for you and show you in a nice report, okay, or Google Takeout or stuff like that. That's the R-Leap and then V-Leap, which is for vehicles, the V-Leap one. What I have down the pike is, after IACIS across during the summer, my plan is to really focus on V-Leap artifacts from, um, end of July all the way to January and maybe the beginning of next year to really beef up that capability. I believe there's a big hole in that sense, not because there's no vendors, there's, there's vendors, there's a main vendor for all the car things. But I think an open source, community driven tool will really help, you know, with reporting, right, and, and hopefully motivate vendors in the space to, to up their game to what the specs that we need. Again, hopefully that makes sense. I don't want to offend anybody.

Speaker 2:

I don't think you did.

Speaker 1:

Okay, good. So I want to be that healthy competition in a sense, also as a validation tool, because right now, if, like, Axiom parses and Cellebrite parses, I say Cellebrite, don't call me on it, but some tools do parse products from vehicle folks that do dumps and process vehicles, but it's not a validation of that process. They're just showing you their output within their tool and that's different from me parsing it myself differently or separately from you. Let me see if I can. Does that make sense, Heather?

Speaker 2:

Yeah, it does. XRY does too. We'll ingest those, but yes, it makes complete sense.

Speaker 1:

Yeah, but it's not like XRY goes to the image and pulls the stuff out itself, right?

Speaker 2:

No, they ingest the file right.

Speaker 1:

That's what I'm talking about, right? So they take that out, the product of the processing from tool Y or tool B, and they put it in. Nothing wrong with that. But I want us to be another way of looking at that data, with independent processes. Right, we do our own parsing of the data. So you can do that comparison, do that validation, see if you're missing something or not, right? Or indicate where you need to do some manual analysis. Kevin is saying what is Kevin saying?

Speaker 2:

We need vehicle test data. I've got a bunch for you, Kevin. Not related to work, by the way. Yeah, no, not case related.

Speaker 1:

Yeah, and we talk about, we talk about two episodes back how hard it is to get these images, right. Yeah, yeah, I'm lucky that I came across a whole bunch of, and not came across, people I asked and people were kind enough to share some of those with me. Some, like Heather says, some are not case related, some are case related, right. So some of those, you know, I just, I can work on them. I cannot share them, right, but, but yeah, it will be. It will be just like that. We will be, we'll be working. Geraldine Bly, she's awesome. We'll mention her again in half a second. She's also going to be helping with that effort. She's a really good expert with cars. I depend on her all the time, on her expertise both in working the cars and teaching me about it. So I really appreciate that. I think we have a question in the chat, Heather, can you see it there?

Speaker 2:

Yeah, sorry, I kicked my cord and my battery was about to die. I saved it.

Speaker 1:

Okay, good. If I disappear, it's because, oops. Don't leave me alone.

Speaker 2:

Are you able to do an install video for the leaps for M1 Macs?

Speaker 1:

Um, I guess we can. Right now, with the videos that we have on how to install it, they're done by Hexordia, um, and they work great. I mean, it's true it's Windows, but I think they are, what's it called, it works just the same. Like I haven't had an issue installing it. The requirements seem well. But again, you know, I'll try to get a clean Mac and run it again, see if there's anything particular that's different, and if so, then I'll come back on the show and some other means and let people know. But yeah, so that should be fine. Mary is saying what?

Speaker 2:

is Mary saying? I'll start dumping my rentals. All right, Mary, start doing it.

Speaker 1:

Like I said last time, make sure you can put that dashboard back on. Yeah, don't ruin the rental. That's going to be a really expensive set of test data.

Speaker 1:

I don't think our bosses are going to pay for it, just saying. Yeah, so that's, yeah. So Johan is making a good comment here. Can you share that? Yeah, so I'm going to read it.

Speaker 1:

Johan says since we removed magic, there's no issue anymore, and what that means. It doesn't mean that we have actual magic in it. What that means is that there was one library that we used to identify different file types, called Magic, and it was having some issues with some of the Mac installations that are silicon-based. And thank you for the comment, Johan, because obviously Johan flagged that and he proposed a solution and we did it. We took his solution and that took care of it. Thanks for the reminder, because it totally slipped my mind. But yeah, that shouldn't be an issue. That library is not used. We use another library that's more general. I say general, but other, not distributions, other platforms can use it and solve that problem. So you should be able to install it with no issues. Awesome, all right. So we have another thing that's new in the leaps.

Speaker 1:

I really want to highlight this. So when you do a Takeout archive, and for those people that don't know, if you have a Google account, you can ask Google to give you all your data, and all your data will include location history, your search history, your pictures, everything. Right, you can get that. It comes in different formats, JSON, HTML, and comes compressed in a zip.

Speaker 1:

The cool thing is that the folks from Metadata Forensics have made a parser for RLEAP that will take the location history settings and make them really viewable for you, which has a lot of cool information about the different devices that are kind of attached to the account that you took the Google Takeout from. And I want to flag it because, you know, Metadata Forensics, it's a really, now, well-known company in the space providing data forensic services, and I'm really happy to see not only individuals but seeing organizations really valuing the effort of the open source tool community and also themselves participating. So I want to thank Metadata Forensics for putting that content out for the community. And again, if you're not familiar with Takeout, you might be like, well, that's something that the user has to pull. I don't, you know. Yeah, that's true, but I had cases where I got a cooperating witness that could give me a Google Takeout that will break open the case.

Speaker 2:

Yes, definitely.

Speaker 1:

So don't dismiss any data source. All data sources are good.

Speaker 2:

We've had a case before where the user of the phone had actually brought his own Google Takeout down into his phone. So use this script in the leaps to parse it right from the actual evidence item, right. Sometimes people request their own Takeouts and save it right on the evidence.

Speaker 1:

Just saying, oh wow, that's really wild. It's like I have an extraction plus plus. Yeah, yes. Second of the extraction and this, and the third one, request. I think how you have to do it. You put it down for me, thank you. Exactly, exactly. Oh wow, I like that story. I'm gonna use it. I'm gonna use it from now on. It's good. Again, never, you look. A forensic device that you're analyzing is like a box of chocolates.

Speaker 2:

Heather, you know what comes next.

Speaker 1:

The phrase, you never know what you're gonna get. Okay, good, oh, thank goodness I know that one. Okay, good, okay. If you, if you hadn't, I would have been really troubled. Okay, yeah, look, we have a running joke here because Heather doesn't watch too many movies, but that's another story for another day. Okay, we got another cool report, the Media Service Information Report. This is one for the V-Leap, for the vehicles. This was done by Heather, Geraldine, and it's pretty neat, so you need to go check it out. Thanks to her, we can get that information from cars. And again, over the summer, I mean after the summer, we're going to be working hard on adding support to the vehicles and really be an important tool within the sphere for those things. So I think that's it we have for the V-Leaps, right?

Speaker 2:

Yes.

Speaker 1:

And for the Leaps in general.

Speaker 2:

It is, it is. So we're on to everybody's favorite part, after we've kept you for 21 minutes longer.

Speaker 1:

We're sorry, folks, sorry, but, you know what, this is our brand, so we like it, so hopefully you do too. What do we have next?

Speaker 2:

So the meme of the week is our last.

Speaker 1:

Let me get it up here and always the meme of the week really brings out some fireworks. Let me bring out my fireworks. Hold on, oh, I brought the lasers. I always bring the laser beams. Oh, that's confetti. No, there we go, fireworks.

Speaker 2:

Okay. So the meme of the week this week says when they bring the phone in a Faraday bag but the cable cord is running outside connected to power. So I am sure that everybody that's still here listening has seen this before. Thank you for possibly creating an antenna for the device to connect to a network. I appreciate the effort of putting it in the Faraday bag, but do better.

Speaker 1:

The antenna is so good that it not only connects to the cell towers, now it's connected to Starlink. Yeah, the satellites in space. Thank you very much. I, I, I, I pick, I pick the, the meme template is, you know this? This poor guy with, contrary to smile, but his eyes are red, and red, and he's like about to cry. Yeah, oh, he's definitely about to cry. Yeah, well, he's still trying to smile.

Speaker 1:

Yeah, that's me, that's me, and, and look, folks, that's why I talk about putting that content out and being part of the community. Folks were putting all these stories on LinkedIn about different, like whoa, like the guy that, or the folks that put the telephone in a used potato chip bag. Yes, I saw that one. Yeah, what? Look, the

Speaker 2:

potato chip bag is not. Oh, I saw that one.

Speaker 1:

Yeah, what? Look, the potato chip bag is not going to work, but really you could at least clean it. Now you're giving me a phone that's compromised and dirty. Yeah, or more dirty than they usually are, right.

Speaker 2:

Right, exactly, maybe the potato chips made it cleaner actually.

Speaker 1:

Yeah, it's like a scrub. Agent Brignoni, why are those potato chips on the phone? It looks like it's consistent with it. I don't know, it wasn't me. No, and there's a whole bunch of stories of folks, you know, the folks that, you know, they leave the phone out and before they give it to you, you just snuck it into the Faraday bag.

Speaker 1:

Yes, yes. You think I'm not going to notice when I look at this phone that you put it in the Faraday bag at the last second?

Speaker 2:

Right, or a little bit different topic? Kind of. Not really, but they bring it to you and it's AFU, but it's not, because they turned it on on their ride over. But I got it powered on.

Speaker 1:

Of course it's on. You can't see it, uh, okay. Oh, look, if you're not in this field, you're trying to be slick about it. You know, don't. Just, don't, just, just, just try to do the best you can with what we told you, and if not, don't. Don't mess with it, right? Admit your mistake. Exactly, grow from it, like we were saying. Anyways, I think that's it for the show. I think it's the longest show we had so far. It is?

Speaker 1:

It definitely is, but I enjoyed it. Hopefully you did as well. Absolutely, every time. All right, everything. Any last words for the group of the order, Heather? That's it.

Speaker 2:

Thank you so much for everybody who came and joined. Thank you, everybody.

Speaker 1:

We're gonna be back again, you know, not this Thursday that's coming up, but the one over that, with some, some topics, some news again. Thank you, everybody, and hopefully we'll go back to the one hour standard. Back to the one hour standard, yeah, we will. Awesome, and with that we all bid you, uh, adieu. See you later, night. Thank you, good night, bye.

Speaker 2:

Thank you.
