Digital Forensics Now

From Disaster to Attainment: Crafting Digital Forensic Reports

April 11, 2024 Heather Charpentier & Alexis "Brigs" Brignoni Season 1 Episode 16

Navigating the complexities of digital forensics can be daunting, but this week we've got your back with the exploration of Magnet Forensics' Axiom version 8, and its transformative Mobile View feature. As your hosts we're not just sharing tech updates; we're discussing the impact these tools have on our work and how they shape the narratives we construct. 

When it comes to the integrity of an investigation, the devil is in the details—and in the documentation. We delve into the craft of forensic reporting, dissecting why an analyst's narrative is just as critical as the raw data pulled from tools. From the subtleties of crafting a timeline to the nuances of articulating the relevance of each artifact, we've got the insights that will assist you on your report writing journey. 

Finally, join us for a celebration of the community spirit that fuels this field, illustrated by new blogs and newly supported artifacts in the LEAPPS. We also look at the growing significance of vehicle forensics in investigations. And because we all need a good chuckle, don't miss our 'meme of the week' segment. It's an episode brimming with expertise, but not without its moments of laughter because finding joy in our work is paramount. Come for the knowledge, stay for the camaraderie, and enhance your forensic acumen with us.

Notes-
Job Alert- Upcoming Openings at the New York State Police
https://troopers.ny.gov/civilian-employment

Capture the Flags
Hexordia
https://www.hexordia.com/spring2024-weekly-ctf-challenge
Oxygen
https://oxygenforensics.com/en/training/events/ctf-apr-19-2024/
Belkasoft
https://belkasoft.com/belkactf6/info

Mobile View and Copilot in Magnet Axiom
https://www.magnetforensics.com/blog/bring-your-mobile-evidence-to-life-with-the-new-mobile-view-in-magnet-axiom/
https://www.magnetforensics.com/blog/identify-deepfakes-and-quickly-surface-evidence-with-new-ai-tools-in-magnet-axiom/

DeRR.p. Investigating Power Events on Samsung Devices
https://thebinaryhick.blog/2024/04/07/__trashed/

Peer Review Checklist
https://www.hexordia.com/blog-1-1/gc0vnvj80ogwx724ovu7avzwvjl742

What's the Buz: Forensic Analysis of Buz for iOS
https://laurora4n6.wixsite.com/aurora4n6/post/what-s-the-buz

What's New with the LEAPPS?
https://www.stark4n6.com/2024/04/splitwise-on-ios.html

Speaker 1:

Welcome to the Digital Forensics Now Podcast. Today is Thursday, April 11th, 2024. My name is Alexis Brignoni, aka Brigs, and I'm accompanied by my co-host, the Uber decoder, the facts compiler, the knowledge distributor, the one and only Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. Hello, Heather.

Speaker 2:

Hello. Thank you for the great introduction, as always.

Speaker 1:

The Uber decoder, I know you dig that.

Speaker 2:

We'll talk about that later. Folks, I do like it.

Speaker 1:

Welcome everybody, happy to have you here. I see already folks starting to roll in. Lori, good to see you, and I'll see you a little bit more later. I'll be talking to her class after the show, so I'm really excited about that. Happy Thursday to Jess in the chat and Jeremy. Tell me, Heather, what's been going on since last time we were here?

Speaker 2:

I've been working and I actually had to deal with jury duty this week. So I got summoned for jury duty and had to sit at the courthouse all day waiting to see if I was going to be selected for a jury, and I was not, thankfully. So that's a constitutional responsibility, lady, come on, you should be sad. I testify enough. I don't need to go sit on another jury, or on a jury, yeah.

Speaker 1:

Like I've been on all these chairs. I don't need more chairs, yeah.

Speaker 2:

No, I don't want to sit there. Plus, I've done it before. One time in your life is enough.

Speaker 1:

No, it's, I mean, we joke about it.

Speaker 2:

But obviously an important thing to do do as a citizen, be part of a jury.

Speaker 1:

But um, if somebody else can do that, that's fine too, and we can keep working. They picked eight great people for the jury, I'm sure. Absolutely. Well, folks, folks might remember that the eclipse happened, what, two days ago or something like that. Yes, yeah, yeah, so that was exciting. Um, I think you saw less of the sun than me during the eclipse, right?

Speaker 2:

Yeah, ours wasn't super impressive. I saw everybody's pictures online and I was like I want to be there. Ours was really cloudy and just not as good as all the other locations.

Speaker 1:

Gotcha, gotcha, yeah, no, we had here in Florida, at least where I was, maybe like 50%, almost 60% of the sun, so I thought it was still worthwhile checking it out. So I want to share with folks a picture here of some stargazers at my house. As you can see, we made sure that we spared no expense to make sure that my kids didn't get any sunlight, the direct sunlight, in their eyes. So for the folks that are listening, you know you have the eclipse glasses, right? Well, we took a paper plate, like you know, for food, and we cut it in a way that it covered the top and the side so they could only see through the eclipse lenses, right? That's perfect.

Speaker 1:

Um, and I mean, especially the little one, super excited for all of three minutes. They're like, okay, bye. Oh, Kevin says that his eyes still hurt, man. I see that, yeah, get that checked out. That could be a problem. Keep your glasses on. Yeah, I need you with eyes. You're the one that's running the repositories right now. For folks who don't know what a repository is, it sounds like something else, but no, it's a place we put our code for our projects. Okay, don't get confused.

Speaker 2:

Yeah, he cannot go blind.

Speaker 1:

Exactly, oh no, but it was a great experience. So I mean, let me take this out, and the kids enjoyed it. I personally enjoyed it. I'm hoping that at some point I'll be able to travel somewhere in the world to see a full eclipse, because the next one is going to be coming through the US. That's going to be kind of full-blown in Florida where I could see it. It's going to be in 20 years.

Speaker 2:

Oh really.

Speaker 1:

So, yeah, I'll be in my, what, 60-something.

Speaker 2:

So I'm like you know what I might want to do that before getting to almost 70. I'm sure you'll go see it still anyway.

Speaker 1:

Yeah, I'll do both. Hopefully, if everything goes well and the universe wants me alive, I'll enjoy it as well.

Speaker 2:

Yeah, Jessica says how many attorneys would want a digital forensic person on the jury. Jessica, it was a civil trial.

Speaker 1:

I was really worried they were going to pick me. Most likely both sides, right, yeah, on the civil side, of course, yeah, yeah. But no, so that's what happened. I did some parsers. We're going to talk about that. Thanks to your work, Heather, we did some parsers for a pretty neat app, yeah, and presentations and regular work. So that's what happened these two weeks.

Speaker 2:

Nice. Well, let's get into it then. So I'm going to announce a job alert that's coming up soon, if anybody wants to move to the beautiful Albany, New York, and come work with me. We're going to be posting our civilian positions within the next, probably like, week or two. I would guess probably next week, but I'd say a week or two. We're going to have several spots open, and it starts from like an entry level, and then there's additional job titles for people with a little more experience. So it would be based upon your experience. It's not a remote job. You would have to come and live in Albany, but the title is Computer Forensic Analyst. And let me put up the website. It'll be on the page afterwards too, but this will be the website that you'll want to check and look for that posting in the near future.

Speaker 1:

Yeah, and that's something that folks ask me: well, how do I get into this field? And one of the things I tell them is, you know, obviously you get your degrees or your certifications, all that good stuff, but one way is by looking for postings like this one where you go into a law enforcement capacity and you learn that aspect of the digital forensics process, and you can do that for your whole career. This is excellent work. I mean, I'm one of those, right, or you eventually can transition to the private sector, right, but that's a really good way, obviously. Uh, the New York State Police, you know, really, you know, a big agency, well-known, good work's being done there.

Speaker 2:

Oh yeah, I should have said New York State Police. I'm just assuming people know where I work. But yes, New York State Police is where the job is.

Speaker 1:

Exactly so, and you know, a really, really good agency with a lot of impact in regards to the things that are happening in the state. I personally think it would be a great opportunity for anybody and everybody if they get picked. Be on the lookout for that posting.

Speaker 2:

And you get to work with me. I mean, what more could you want?

Speaker 1:

Everything was going up and now we're crashing.

Speaker 2:

I'm scaring people away. Damn. I kid, I kid, I kid. Um, so some other things going on right now in the community are capture the flags. I don't know, um, I didn't know there were so many capture the flags going on. So one of the capture the flags is Hexordia has a weekly capture the flag. It began April 1st and it's every Monday at 11. There's a new weekly challenge unlocked for participants. Each challenge lasts a week and then there's additional ways to earn points by writing blogs, and there's bonus questions throughout the weeks, and those are announced on Twitter or X and LinkedIn. The way to find those additional bonus questions is to follow Hexordia and Jessica Hyde and Kevin Pagano and Geraldine Bly and Cesar Casera, because they'll be posting those challenge questions on the social media platforms. It's a great way to get involved in the community and a great way to get your start in blogging, especially since there's those additional points if you're writing up the blogs. And I read online, too, there's a chance to win prizes, including seats in some of the Hexordia classes.

Speaker 1:

Oh, and folks, I mean both of us, Heather and myself, we've been at some of those courses and they're fantastic. Jess and her team have made courses with really relevant, timely content to the work that you do. Some of these courses you take somewhere else, you talk about conceptually, about how things are, and you actually do them.

Speaker 1:

And I was uh chatting with Jess the other day, and I think you also get points by, if you code, you can make some parsers. And if you make a parser in one of the LEAPPs, the project that the community uses for uh parsing devices, you get extra points for that too. So it's a great way, the blogging, the coding, to put your name out there, to learn and start building your brand. And if this is the first time you hear us speak here, or you missed last episode, I really invite you to hear the last episode. We have a big section on how to build your brand in the digital forensics space, and this is one of the things we discuss, and here's a real way of actually making it happen, so take advantage of it.

Speaker 2:

Another capture the flag that's going on is with Oxygen Forensics. It hasn't started yet. It's open for registration right now, though. April 8th through the 18th is registration, and then the challenge details will be released on April 19th. I think that you need to have access to an Oxygen license to participate. Don't 100% quote me on that. Reach out to Oxygen and find out if they'll do the trial license. But another great opportunity to do those capture the flags and learn more about forensics.

Speaker 1:

Yeah, I'm pretty sure they'll be able to give us, I mean give the folks, the community, uh, a trial license. It's a great product. It's a great product as well.

Speaker 2:

I like Oxygen a lot too, so yeah. And then the last one, actually this capture the flag just ended, the Belkasoft, but the images are available. So if anybody's looking for test data, or really if you just want to go do the capture the flag even though it's not still actively a challenge, like it's not up as an active capture the flag, go get those images and check it out. There's also blogs and write-ups that are starting to come out on that capture the flag and the details of how people were able to answer the questions. It's a great way to learn and learn how other people were able to solve them. It might not be the way that you would have gone about it, and you may learn a new technique or two.

Speaker 1:

Oh, absolutely, and I believe the images are just as valuable as the exercises themselves, right, as the CTF itself. Actually, I used that image to test out some of the parsers that we were working on this week, Heather and myself, because it had some of those apps in there. So, again, get the image and practice with them. And that's the whole thing with this field. If you're just reading and not practicing, you're not getting the full benefit or the full growth that you could get otherwise. So, open those images and work with them.

Speaker 2:

Right, definitely. I think that's all the Capture the Flags going on right now. Hopefully I didn't miss any.

Speaker 1:

Oh no, it's Capture the Flag season. Yeah, and I wish, sadly for both of us, we don't have enough time. Well, actually, let me say this, we're actually ramping up to start IACIS. What, in nine?

Speaker 2:

Days, I want to say nine days.

Speaker 1:

Yeah right, is that right? Yeah, so that's why we haven't been able to play in any of these.

Speaker 2:

Yeah.

Speaker 1:

Because we'll be instructing the Advanced Mobile Device Forensics course for IACIS. I think there's still some spots that are filling out, so do you want to hang out with us for a week and nerd out? Yeah, come on. It'll be Heather, myself, John, Hila and Bill. What's his name? Bill? I forgot his last name.

Speaker 2:

Bill's going to be with us.

Speaker 1:

Yes, we'll look it up, but uh, it's a pretty good group of people. Yeah, definitely, definitely.

Speaker 2:

Um, want to highlight too, this week um Magnet came out with some new stuff for Axiom, um, so they released uh version 8, and in version 8 the first thing I'll tell you guys about is Mobile View. So it gives a representation of iOS and Android devices that are being examined, presented in Axiom, with the ability to select the icons for supported apps that are loaded on the phone. So I'm going to show a little preview of that.

Speaker 1:

Let me yeah, and, as Sarah's bringing that up, I think this way of looking at the data it's how can I say this it's really useful because we're so used to looking at the data the same way in all applications, in third-party applications. What I mean by that is the companies that sell us tools. They're different, but they're still the same, like the movie, right, I know you didn't get that reference, but it's different, but still the same. I'll tell you about the movie later, okay, but this way it's really intuitive and I don't see anybody doing it this way, and I think it's the next evolution of how you can have folks with minimal amount of computer knowledge be able to at least pick out some of the artifacts, like low-hanging fruit artifacts, and make our lives easier. So you're going to show us how that works, right.

Speaker 2:

Yeah, I am, and I definitely love this. I'm super picky about new features in the tools, if you haven't heard, and I really like this one. So I processed one of my test images just the normal way. Nothing changed with the way you go about processing it, but over on the left-hand pane, under evidence sources, you can choose a device and when you click on the device, this image of an iPhone comes up and it's got the icons to the applications that are installed on my test device. They're not exactly in the same location as they are on my test device, so I wouldn't depend on it for that. But the cool thing about this is you can get a quick look at the applications that are installed and then you can click on any of the applications and it will bring you to the artifacts that relate to the application. So I clicked on the Apple Notes and it brought me to the three notes that I have saved in this test data.

Speaker 1:

Yeah, and folks need to be aware. You're looking at the kind of like an image of the iPhone, in this case with all the apps. This is not a virtualization, so don't get confused. Okay, you're not virtualizing the phone or interacting with the image being virtualized. No, this is just a representation and the apps show up on this screen as they were in the order they were processed, right. There's nothing special about it, right?

Speaker 2:

right.

Speaker 1:

But I... Go ahead. No, no, go ahead. No, and the bottom row will always look the same. I think I heard Chris Vance explaining that in the video that introduces the product. So the bottom row stays the same, but the apps will change as you process new phones. It's just the order.

Speaker 2:

Right, and Jessica's pointing out in the chat that it also will show you unsupported apps. So there's a little toggle above the phone and you can switch which. Let me go back to the. Let me go back. Oh, and it crashed. Okay, Well, it crashed, so I'm not going to open it back up right now.

Speaker 1:

The demo gods always, at some point, catch up to us. The demo gods will catch up to us.

Speaker 2:

So I'm just going to tell you about that feature. Above the phone there's a little toggle where you can switch over to unsupported apps and it will bring up icons for unsupported apps on the image of the iPhone for my test data. I really like that because they're not always right there up front and in your face for you to see the unsupported apps, right. And when we go to our forensic tools, we see the supported apps because that's what the tool supports and that's what it's parsed.

Speaker 1:

But this gives you the opportunity to go look for those unsupported apps and further investigate them. And describe it to me verbally, like, uh, so does it show like a placeholder, or does it actually show the icon? How was the visualization of those supported?

Speaker 2:

Yeah, so when I looked at them before, they weren't like an icon with the app image, but they were just little icons on the screen and they had the package name underneath, so it would tell you which application it was.

Speaker 1:

Yeah, and that makes sense. That tells me that obviously they have data internally, I would assume, linking the ones that are known. But the ones that are unknown have the package name. For folks that don't know what that is, it looks like a URL, but in reverse, right, like the name of musically, com.musically.whatever.

Speaker 2:

And then you know what app that is by looking it up, and then Magnet Forensics put out a blog about it too, about the mobile view. That explains all of it in further detail, but it's really, really a neat feature in my opinion.

Speaker 1:

Yeah, and I was saying a second ago that this really helps with people are not super into the weeds like us examiners are listening here, or folks in this field. The view is also portable, so when you make a portable case, your reviewers non-technical reviewers will be able to tag the items through that view which. I think is extremely useful. I foresee my users defaulting to that view from the get-go.

Speaker 2:

Oh yeah, it'll be super helpful for non-technical people definitely.

Speaker 1:

And I find it interesting because companies may spend a lot of money in adding a lot of features, and actually, let me, well, I'm going to jump the gun here, Heather, so forgive me, right? Go ahead. Even Magnet itself, something that we're going to talk about in a second, is that they added some AI stuff to Axiom 8, right? And in my mind it's a lot of investment, time and investment. But I find it interesting that just how you view the data might provide more direct and transcendent impact than maybe adding something as complex as AI. Not that AI is bad, right. AI is a good thing. We'll talk about it in a second, and it has its pros and cons.

Speaker 1:

But just imagining, how can we take the usual way of doing things and tweaking it and thinking of our users, or the different types of users? How can we make that data more accessible? It can make changes that might be larger or more impactful than what it seems at the beginning. I'm really, really excited about the Mobile View. I'm really excited to see how my stakeholders react to it, and I will report back what folks are thinking of the new visualization feature.

Speaker 2:

Yeah, besides my little crash right there, I've been messing around with it and I really like it and it hasn't crashed until now, of course.

Speaker 1:

Look, the demo gods will do that. They figure out, oh, you need to show this, we're going to crash it just to spite you. Yep, definitely. You didn't give them an offering before you started.

Speaker 2:

That's the problem.

Speaker 1:

It must be it.

Speaker 2:

So the AI, the new AI feature in Axiom 8, is called Copilot, and there's another blog here that Magnet Forensics put out, and that link will be on our page after. But this one is part of the Magnet Idea Lab right now, so I don't think we can discuss like a ton of details. But it identifies deepfakes and um is able to quickly surface evidence with the AI tools in Magnet Axiom. So it's able to analyze images and videos to determine if they're synthetic or generated, um. And then it's also, you're able to do searches in the case data. So, like in the chat threads, the web searches and the images, you're able to use that AI feature to do searches about the data in your case.

Speaker 1:

Yeah, I think they shouldn't keep it in the download. I don't want Microsoft to hear that their AI is called Copilot, just like Microsoft's.

Speaker 2:

Oh yeah.

Speaker 1:

You know what? Maybe if you can write the word insights with E-Y-E, they can write Copilot with a K or a Q. Solved, problem solved, there we go. Copilot with a K, there we go, and insights with E-Y-E. Yeah, some folks are lost about that joke. I'm sorry, you have to listen to previous episodes to get the joke.

Speaker 2:

It's too long of an explanation. Yeah, I started to mess with the AI thing. I haven't really gotten into it yet and, um, I'm not so sure that I'll be able to use that, though, in my agency. Uh, there's some details about it that might just not fit with our policies, but it sounds cool and I started to mess around with it.

Speaker 1:

Everybody should sign up. Yeah, and actually, actually, I want to get into that a little bit, right, because, um, it reminds me of Jurassic Park and I'm like, look, let me, let me set the table first. Right, I'm not against the concept or the tooling. Right now I'm doing my devil's advocate portion of the show, right? So don't take me now as taking a position necessarily. I just want to express some viewpoints, right. So now, here I go. Table's been set. It's like in Jurassic Park, right, it's like, you know, just because we have the power to do it doesn't mean that we maybe should have to do it, right, and that's the point, right. So obviously, for us that are examiners, and we know how this works, right, AI is a functionality that uses a lot of CPU cycles, specifically GPU-CPU cycles, right, and for those who are not familiar with that, the way that works is they have a big rig with a whole bunch of video card looking things with that video memory and processors and stuff to do the heavy lifting of an AI. You got to remember that AI is a process that will take data, will learn from it and will respond and give you answers based on natural language interactions. What that means is that you will ask the AI a question, you know, AI, were there any chats about X and Y during the last year? And the AI will say yes or no, or here they are, or whatever it is, okay. So that requires a lot of processing power. That processing power is not your forensic machine from 2003. Right, yeah, no. Running Windows 10, and you're trying to hopefully maybe update that to 11, and hiding the Windows 7 ones that you have around, okay. So what that means is that you have to send that data out, and that's where the complications might happen. Right, there's a lot of policies in a lot of labs that the computers need to be segmented from the outside world for obvious reasons. That protects in a chain of custody sense. It protects the evidence from possible taint in regards to data being exfiltrated or somebody coming in and putting stuff where they shouldn't be and messing up that case, right. So when you want to take that data and work with an AI with the processing power that's not in your site, it's remote, that means that data needs to leave your site, and that's a host of complications.

Speaker 1:

The first complication is where is this data placed, right? I mean, where is it? Where does it go? How is it secured? What happens when it's intruded? And again, I'm not saying anything about Magnet or Axiom, okay. What I'm talking about is, in a general sense, if you're in the computer security information space, you have to assume that things will be intruded. That's how this business works. It's not if we're going to get hacked, it's when we're going to get hacked, right. And based on that concept, we need to understand, if we're having things on the cloud or being shuttled off somewhere else, how is that being secured? Just telling me, don't worry, I got it, is not going to cut it, right.

Speaker 1:

The type of data, let's say. I was thinking about this yesterday. I do my best thinking when I'm showering. I was thinking, what happens when you get grand jury data, right? And when you get grand jury data, for folks who are not familiar with that, it's provided for really specific purposes. It's secret, it's for investigations, and the folks that have access to it have to be in a particular list to get grand jury data, right, for the investigations based on that probable cause and all that good stuff, right. It's a really serious thing, extremely serious. The control of this data is serious business. Am I putting an outside entity in my access list for my grand jury data? Like, is that what's required now? Well, the AI is... Oh, I think I'm losing my video here. Can you hear me?

Speaker 2:

Mm-hmm, I can hear you.

Speaker 1:

All right, my video is kind of coming in now. All right, so you can tell me well, the machine is a machine it doesn't know, right, so you cannot put a machine in this type of list. But again, the data now is not under my full control, right? So we have to start thinking about how our and our field in general. Is this something that we want to do? And if we're going to do it, how can we do this in a way that's proper, right, that actually follows the forensic process?

Speaker 1:

I'm not criticizing it for putting this feature out in the way they did. I believe that the way you open new ground is by walking actually through it, right, moving in the woods and the overgrown plants, making that road, if that makes sense. But again, it needs us to work with these providers to tweak those features in ways that follow our policies, procedures and the digital forensic process. I think Magnet has done that by the fact that they've done it. First of all, they've done it.

Speaker 1:

You have to register, you have to opt in to it, and they put some warnings right before you start using it, right? Yes, so I believe Magnet has done the due diligence to let the users understand that, hey, we're making this available, but it's on you, right? It's like, again, we're giving you a knife, you can butter your bread or you can stab somebody, but don't come at me, because I gave you the knife, right? So there's a host of, I believe, issues there in just the process of getting the data in and coming back to you, and how are you going to use it, and that's different from how we're interacting with the AI itself, right? What do you think about that?

Speaker 2:

Yeah, no, definitely. I mean I want to use it, of course, but definitely have to watch out for things that could potentially compromise the evidence, I guess.

Speaker 1:

Yeah, and I think, if I were to put my prediction ahead, I think at some point it's going to become a little bit kind of unavoidable to start moving data outside of fully controlled, like physically controlled, environments, because it's going to be blurred. Those lines are being blurred more and more, right, when you think about data in your networks, especially agencies that are across states, right? Let's say an example, a big state like Texas. I'm making this up, but imagine Texas, and you have this law enforcement agency that operates in different offices. Well, those offices exchange data within themselves, right, the data is within their networks, but physically, that data is being shuttled across miles and miles and miles, right? Right. So we have to start thinking about how the forensics concept of labs, air-gapped labs, will fit into this new space where the demarcation is not so much physical, it's virtual. And how is that going to happen? I don't have the answers, but we'll see them. We'll get that growth going, moving forward.

Speaker 2:

Find out eventually right.

Speaker 1:

I'll be processing a case from Mars. That's what's gonna happen.

Speaker 2:

So, moving on out of that topic there, there's a few good blogs that have come out in the last couple weeks too. So, I hope everybody follows Josh Hickman, The Binary Hick. If you don't, you need to. His blogs are awesome, but the one that came out this past week is about investigating power events on Samsung devices. It shows the powering event, shows the why. So why did the user power down, or why did the device power down? I'm sorry, the file that he's referencing in his blog is called err.p. You need a full file system to obtain this file, but it indicates things such as if the shutdown was user requested, or if the file may represent a no-power situation, values that appear when the phone was on a charger, reboot events with user-requested indicators, and it shows phone crashes. And the blog also goes on to discuss other files related to powering events, such as power_off_reset_reason.txt and power_off_reset_reason_backup.txt. And the last line of the blog is, sometimes investigations can come down to the smallest details, so having context around events is always valuable.

Speaker 2:

I couldn't agree with that more. So I saw this powering events blog and I thought immediately of a case I had, where you don't realize that the small details are going to be really important to maybe your investigator or your district attorney. But I had a case where the powering events were what was important. It was an iOS device, but it was really important when that device was powered off. It was really important when it powered back on, and one of the questions I was asked about the case is, how do you know the battery didn't just die? How do you know the user powered it off? So blogs like this just immediately made me think of a specific case that I had.

Speaker 1:

Oh look, every artifact that's tied to, or ties to, or lets me know about user actions is a potential smoking gun artifact. That's just how it is. Again, I repeat, every user interaction artifact could be the key to your case, definitely, and you might not imagine it. And again, your case is so great. Actually, Kevin is saying we need to make some parsers. I think we have some, I think the err file, we have it, but we have to revisit those and maybe add some of the detail from Josh's new blog post. I don't know if we're capturing, I'm not sure we're capturing all the details that Josh explained in his blog post. So, Kevin and myself, we need to give it a look. But yeah, keep that in mind, folks, when you look at artifacts. They're not sterile things, numbers and letters, right? They tell us about what the user did with the phone and when the user did it.

Speaker 1:

Turning the phone off, I don't know, when I go to sleep, although nobody does that, but when you go to sleep might not be that important. But turning the phone off before you walked in, I'm making this up, to rob a bank, right?

Speaker 1:

That's a big deal, yeah, yeah. I mean, let me turn this off, I don't want to be tracked moving forward, right? And that's just a silly example, but those are important, and you have to think about, especially within the pattern of life analysis, when things happen. When you hit a button to turn the screen on, power it off, like you're saying in your example. Actually, that reminds me of a news article that I read about a case where this person was saying, I think it was a murder case like that, and the person said, well, within the time of the murders, I lost power on my phone. Right, I lost power, so that's why my phone was off. And that was not true. You could see that the phone had power, like whatever percentage, and after the murders, then the percentage, you know, started increasing because it got plugged in, right? Things like that. So, really, really, really exciting when blog posts like that come out.

Speaker 2:

So yeah, in my case specifically, that question was presented. How do you know the battery didn't just die? And, using those pattern of life events, I was able to see that the phone had been plugged in and charging for like the prior three hours, so there's no way it would have died. I mean, we were probably at 100%. Yeah.

Speaker 1:

I love those kind of Columbo moments. One more thing.

Speaker 2:

But it was definitely something I didn't even think to look for, because at the time I just didn't see why it would be important. But once you have all of the details of the case, those little things become important. I mean, there's nothing more to add.

Speaker 1:

You're absolutely correct. So, my favorite. But before you start, I'm gonna take the soapbox that I had last week, and now I'm gonna put it on your side of the screen, and now it's your turn to give us the meat of this episode. I'm really excited about this topic.

Speaker 2:

So I'm always talking about reporting and how I hate the reports, but as the examiner, it's our job to be able to create an impactful forensic analysis report, right?

Speaker 2:

So even if you don't like the way maybe certain tools kick out reports, create your own reports. So I just kind of wanted to go over some of the things I find are important, and hopefully you'll join me here with us. But there's some of the things I think are important with reporting. So one of the very first things is, know the details of the case prior to starting the analysis and reporting. There's nothing worse than going down a rabbit hole and chasing what you think is evidence, just to find out that it has absolutely nothing to do with your case, and I am speaking from experience on that one. It may look like, oh my God, this is the artifact, that's going to be it, and if you don't have all the details of your case, it can end up just being a giant waste of time. Yep, no, look, the reporting, I named it when I put the episode together.

Speaker 1:

Like, to put it out for everybody, I put reporting for this section as from possible disaster to attainment, right, and I did that on purpose, and Heather's going to go through those reasons. Right, the reporting, how do you portray the information? Right? First of all, either you use your time wisely or not, but also you can make and break your case, right. Right, and I didn't say we're going to go from reporting from disaster to success, or from disaster to, I don't know, to achievement. Right, because in this field we're not here to win.

Speaker 1:

Hopefully that makes sense for folks. I'm not here, I'm not winning anything, right? I guess the win is to be able to portray the facts in the most clear manner, portray reality, or portray what's on these devices in a way that's consistent with how they were actually used in the real world at a particular point in time. That's our attainment, right. This is not a "me, I'm going to win the case. I'm going to make sure the person is innocent or guilty." As examiners, we don't see the world this way. Right, and reporting is the last piece that could make or break this whole thing.

Speaker 2:

Right. So with reporting, in my opinion, pumping out reports created by tools is not enough. So it's not enough when it comes to reporting forensic analysis of any digital evidence. Dumping all the parsed data into a reader or a portable case is not a forensic analysis. A non-existent or poorly written report can put the outcome of an entire case at risk and also put your integrity, and the integrity of your entire agency, at risk, if there's not a detailed report to go along with those tool reports. I'd say, if you're going to take the time and say that you're performing an analysis, the report is going to be that crucial part that is able to portray the data that you've seen. You see the entire story to your case. Now put it down on paper so somebody else sees the same thing that you see. Does that make sense?

Speaker 1:

No, absolutely. And when you make the point that just pumping out the report is not enough, one of the reasons that you're saying it's not enough is that a lot of times, you have something on your screen, okay, I want this, right. I hit the report. It doesn't look as it looked in my processing screen. What happened here? Either something is extra, I did not want this, why is this here? This loses focus of what I want. Or, where's the stuff that I actually wanted? Right, exactly, exactly. So with the report, either way, you've got to make sure that nothing's missing, make sure that nothing is being added, and, like you're saying, most likely you're going to have to redo a lot of it.

Speaker 2:

Right, absolutely. I definitely agree with that. I think another example of that, too, is the artifacts that a non-technical person doesn't necessarily understand, right? So you and I had a conversation, I think last week, about TikTok, and the application package name doesn't have the word TikTok in it anywhere. It says musically, which is what TikTok used to be. But a non-technical person that you're submitting your report to, if TikTok is important and they're looking for that application usage, they're not going to see it, because they're not looking for musically. And if you're not adequately explaining that in your report, like, hey, TikTok is your main application for this case, and this is what it's called, and here's where I'm showing you that it was being utilized on this device, they're never going to see it.

Speaker 1:

That's a great example and I appreciate it. I'm going to steal it from you from now on, just so you know.

Speaker 2:

I thought I stole it from you.

Speaker 1:

Kind of. Well, you made it better, and I love it, because just the fact that a difference in name, in one little name, how we refer to it as a user and how the system internally refers to it, can make a big difference. So I love how you put it together.

Speaker 2:

I'm gonna steal it from you, thanks. I used that little trick when I used to teach at a college too, so I would do practicals and that would be it. Like, look at the application usage and tell me if these applications were being used on the phone. And I'd always throw in TikTok, because it doesn't have the name. Gmail also doesn't have the word Gmail in it, it's GM. So if you're just doing a search in the search bar, you'll miss that, and they almost always got it wrong.

Speaker 1:

So, tricky question. That's what we call, in this business, a teaching moment. Lesson. Absolutely.

Speaker 2:

Yeah. So I think, though, the tool reports are necessary. You have to have the tool reports to show the artifacts that you're seeing, whether it be a reader or a PDF or an HTML or whatever. They need to be included, but there needs to be that write-up from you explaining the evidence that you're putting out in that tool report. Believe it or not, not everything in the phone comes out in the PDF, HTML, reader or whatever format you're choosing, so you may see things while you're analyzing data that end up being key items to your case, and you have to figure out how to create your own report on that. I just reach out to Alexis and have him add it to the LEAPPs for me, and then I have my report, but you can't always do that, right? So you have to figure out how to create your own report and how to make sure you're accurately displaying and explaining those artifacts.

Speaker 1:

Yeah, and I think people don't. I call those, well, you explained two things. First you explained well the stuff that you write about the report, the tool report, and then the tool report itself and how sometimes the tool report is not up to spec and you have to create kind of your own. So I get that. Now I want to talk about the first part, the one that you write. I call that a narrative, your narrative of your work. Right, and I believe, this is an opinion, I believe some people are afraid of writing narratives in detail. And why would that be? Well, because when you write a narrative and you bring that to court, guess what's going to happen with that narrative.

Speaker 2:

It's going to be what? You're going to get questioned.

Speaker 1:

It's going to be like, bingo, you're going to get questioned, right, and people don't want to be questioned, right. And my take on that is, well, that's why you're here. To be able to look, if you're working on something and you're not sure, reach out to other colleagues. Make sure you understand what's going on. Make your narrative, because we depend on you to explain these to the stakeholders, to the board, to the boss, to the juries, to the prosecutors, to the defense attorney that is depending on you to help, you know, properly defend this accused person, right? You have to write your narratives and not be afraid of them, because you know your stuff, and if you don't know it, then you can learn it.

Speaker 1:

That's what we're here for, right? And so that's why people are afraid of that. They don't want to be questioned too hard, so they think the solution is, well, I'm not going to say that much. And actually the flip side of that is, when you don't say a lot, I mean you're not really specific on certain things, you end up having more questions than what you would have otherwise if you had made a good narrative.

Speaker 2:

Or no questions at all, because it's not understood and whoever receives the evidence is just not even going to use it, because they don't understand.

Speaker 1:

Oh my goodness, yeah. I mean it could be a disaster in the sense of, in the criminal sense, a miscarriage of justice, or something not coming across as it should, and make a big difference in a case, and you know that it's going to be highlighted at a trial.

Speaker 2:

You have to validate what your assumption is. It's fine to sit in your office and be like, oh, I think this is what this means, or I'm pretty sure this is what this means. But even if you're 99% sure of what an artifact means, if it's going to be a key artifact in your case, it needs to be verified. You need to know you're correct in that narrative, in that write-up. So testing, verifying every artifact in a case, is anybody going to do that? Yeah, not a chance.

Speaker 1:

Absolutely.

Speaker 2:

But the items that are important have to be.

Speaker 1:

Oh, absolutely, and I want to comment, because you're hitting great points. I just want to quickly, before I hit on those, share some of the comments from the chat. Jessica's saying that, you know, she has a strong opinion on this, and I agree with her. The narrative is what explains the truth of the data, and that is our job. Like, that's the part that's the value that you bring, where you're explaining that data. I also have a comment here about how, you know, it shows prosecutors or stakeholders what the value of that information is. If we're not doing that, then, you know, what are we doing, right?

Speaker 2:

Exactly.

Speaker 1:

Yeah, and I just had a point on what you said a second ago, and I lost it from showing the comments. Give me a quick synopsis of the last thing you said and I'll pick up from that.

Speaker 2:

So I was just saying, the forensic guessing. Never guess. You can guess in your office. Thank you, thank you, thank you. Yeah, so I was not getting into that.

Speaker 1:

So there's just a thing I want folks to understand, right, and I agree with you, no forensic guessing. And this speaks to how, as examiners, we need to keep a constant growth mindset. I say that because, true, some things will come down to a validation and a verification, but some things will come down to your expert opinion, and an expert opinion is not the same as forensic guessing. It's really different. It's not the same thing, right? You build on your knowledge, your training and your experience to explain what's the highly likely probability of something coming out the way it did. And that's your expert opinion. That's something that, if you consult other experts, hopefully nine out of 10 dentists will agree with you. Right? I say dentists because of the toothpaste, remember? Oh no, I know the commercial.

Speaker 2:

First time I knew what you were talking about.

Speaker 1:

Okay, good, good, good. So I really, and again, your research, your validation, your testing will build upon you the experience, the knowledge, the training, enough to be able to say, well, in my expert opinion, based on my training and experience, this is what's happening here, this is how this behavior on the phone relates to the behavior of the user. And it's not guessing. If you think an expert opinion is, me, well, I think it might be this, that's my opinion, you're not understanding what you're actually conveying.

Speaker 2:

Right. So expert opinion, forensic guessing, they're not at all the same thing. So some of the components of a good report, in my opinion: notes. You have to have a detailed account of what you did with the device the second it comes into your custody. So how you received the item, was it powered on, powered off, damaged, locked? Did you have to manipulate the device to obtain the extraction? Are there identifying markings? How did you extract the data from the device? What tools, including the versions, and why include the versions? If you have to go back and do another extraction, or maybe there was a bug in the tool in a certain version, documenting those versions is going to be really, really important. So you know if any of that occurred in that certain case. And then, what type of extraction also is super important to make sure it's documented. Oh yeah, there's.

Speaker 1:

There's been cases where how a tool describes a field might change the interpretation of what actually happened, and the tool wasn't wrong. The tool is showing you the data that's there, but the toolmaker put, let's say, timestamp on a field, and creation timestamp, and it may not have been a creation timestamp, it might be a timestamp for something else, right, and just the word creation. It might not be wrong, maybe it's creation in a different sense, but it changes the meaning. So, I agree with you, when you have those versions written down, right, as things move along in the case, then we can refer to those and explain why things showed the way they were shown, because we did it at that time with this version, and now, as the case has progressed, we have been able to refine that understanding based on new tooling, new versioning, or testing and validation.

Speaker 2:

Right. If all of this is not documented too, how is the examiner supposed to remember what they did? I know I have, I don't even know how many cases I have, and sometimes it's years before you have to testify on a case or have to go back and look at that case again and what you've done, and how many cases have you done since that case. So I would forget what I did on a particular case if I didn't have good, detailed notes outlining every step I took.

Speaker 1:

Oh, absolutely. And that goes to what Laurie is saying in the chat. Right, it must be repeatable, because that's what makes it forensic, right, being able to say, okay, examiner, unknown examiner, here's the process, and do it. But to your point, and I agree with you, we work so many cases, right. Even in one case, you might have like five phones and 10 computers, right. So what happened with computer A? Dude, I need to refresh my recollection, definitely. And that's how it is. I've been in court where I know what happened, but it's so much of it that I need my recollection to be refreshed. And what do I get? I get the report.

Speaker 1:

If I wrote a crappy report, there's going to be problems. Actually, I got a story for that, but no, I cannot. Okay, well, anyways, the point is this: make sure we write good reports, and when you need them, they'll come to your aid and you will remember. Oh, of course, this is what happened. Boom, boom, boom, boom, boom, boom. But if you don't take those notes, you might find yourself, what's the saying in English? Up a creek without a paddle. Did I get that right?

Speaker 2:

Yeah, I think so. Awesome, I got it. Good. Also, though, without those detailed notes, suppose someone else has to testify for you. For some reason you're not available, or you're not around anymore. They need to have a document of all of the actions you took in your case so that they're able to, one, reanalyze it and make sure they agree with your findings. But, two, I couldn't testify to a case if I didn't know all the steps that were taken in those beginning stages of the process.

Speaker 1:

Oh yeah, and I want to share a comment here from Sam. I can tell from the report if the analyst understands the case. Which is true, and I want to frame that in the context of peer review.

Speaker 1:

All right, before you put stuff out, have another analyst, another examiner, go through your stuff, and they might tell you, I think you're not interpreting this or understanding it correctly. Right, or maybe what you have is correct, but maybe we present it in this other manner that's actually more to the point of what you're trying to make. So thanks for that comment. Your reporting has to go through some sort of peer review, and I understand some of us, not me anymore, but some folks might be in single-examiner labs. When you're the person that does the labs and fixes the computers and deals with the internet and installs things, I get it, right. But as we spoke about last time, make sure you start making a circle of colleagues that you can reach out to for mentoring, for guidance, for peer reviews, and start building community, even if you're in a one-person lab.

Speaker 2:

Agree. So Sam works in my office and he does all of my reviews and most of the other examiners' reviews in our office, so I definitely get that comment he just made. You can tell if the person doing the work has any idea what the artifacts mean just by the report.

Speaker 1:

Absolutely.

Speaker 2:

So I would say, when it gets time to actually start crafting, or start doing the analysis, as I'm analyzing extracted data from a device, I'm always crafting the report in my head as I go. By the time I'm ready to write the report, I already know exactly how I want it to look. Now I just have to get the tool reports to fit what I have in my head, and then my written report to fit that. But keep in mind your end product as you're working on the analysis, and all the way through the analysis.

Speaker 1:

And that comes with experience. You might be a new person and think, oh, how do I do that? And don't worry, it comes with experience. It comes with you understanding, when you start working the case, how the phone works. You have this background of information that, as you see artifacts coming into your purview, you're able to start creating, like Heather says, in your mind, a picture of what's happening in the real world at that time and how those things go together. And you don't write those immediately, right? You start creating that in your mind and then you put it down in a really good way.

Speaker 1:

One comment here. I want to share a comment here. Jessica Hyde says to check out the peer review checklist for mobile forensics that Hexordia has done, and I think it's Hexordia. I can't remember if it was another one on DFRWS, so Jessica will correct me in the chat if it's DFRWS or it was Hexordia. But either way, they put together a great peer review checklist for mobile forensics that you can check out, and checklists for me are really good starting points to make a solid peer review process. The checklist is not the endpoint. It's a solid starting point to make sure that your endpoint, your finished product, is of quality. So we're going to look at that. I don't have the link here, but we're going to look it up and put it in the show notes so folks can benefit from it.

Speaker 2:

So, with the artifacts: if it's important to your case, explain it. Explain what it is, explain how it relates to the other artifacts in your report, explain how it relates to your case. Explain how it got on the device. Explain if it was shared, if it was deleted. Explain the location you found it in and what that location means. And if you do not explain it there, there's a high likelihood that no one will ever understand why you included it or how it relates to your case.

Speaker 1:

Oh, absolutely, and I think again, especially, I would say to you folks, but this applies for everybody: you've got to take note of the things Heather is sharing with you. You will see your users react to those changes positively. Your prosecutors will be delving into your report and getting the information that's actionable, that they need to make their case.

Speaker 2:

Yeah, and they want to know that. Like, the prosecutors in my area, they want to know what all this stuff means, and a lot of times they remember it the next time I go to court on a different case. So being able to explain that is super important.

Speaker 1:

Yeah, it's part of building that brand. People know what to expect from you as an examiner and what to think that you're teaching them, right? You're actually teaching them. You're not giving them just a fish. You're teaching them, in a sense, to fish, right, because they can now look at those reports and really have a sense of that mental picture that you're trying to portray to them.

Speaker 2:

Right, and they're able to better prosecute the case when they know what something means and they know what questions to ask.

Speaker 1:

Absolutely.

Speaker 2:

So another thing: if you're using language that's not known to others, whether it be others outside of your agency or others outside of the DFIR community, define what you're talking about. So I use CSAM as an example, because not everybody knows what CSAM means. We do, a lot of us do. The jury is going to have no idea what you're talking about if you say CSAM in your report. So spelling it out as child sex abuse material and defining those terms in your report and in your testimony is super, super important.

Speaker 1:

I had a case where I had to explain how the user was accessing certain files, and it's the LNK files, or link files. You have to explain what that is. Well, these files are created in this manner, they have this information, they keep the timestamps from here to here, and then, after you set that table, set that groundwork, then you can say, therefore, the user was accessing these things at this time. Right, you have to make those.

Speaker 1:

I had another case where I had to do a little bit of virtualization. So I took one of those sharing programs, I took some of those data lists that indicate what the person was sharing, and I put it in a virtual machine and I opened it and I showed, look, this is how the user saw it. This is not the user's computer, but this is the information that was in it. And then you explain what it is, and then that makes some sense. If you don't explain those terms, you cannot assume that your users know what you're talking about. You have to write your reports like they don't know, because they don't know.

Speaker 2:

Yeah, exactly.

Speaker 1:

And in my agency we spend a lot of time training our examiners on how to properly define technical terms, we call them tech terms, and we spend a lot of effort, conscious effort, in our training program to do that. I don't want people to be kind of, like, forensic guessing what that means. Right now we have a way of saying it, and we try to impress that upon our trainees in their growth process.

Speaker 2:

And then the last thing I wanted to touch on for reporting, which I think is really important, is timelining. So the way that tools report artifacts often groups the artifacts, and the way that they're grouped, whether it be by category, like these are all web history or these are all calls, doesn't always get that timeline of events across in your report, right? So the timeline's lost. We see calls over in this section, we see messages over in this section, and even though they relate to each other and they're important, if you don't have a good way of timelining that for a report, it may not be depicted in the way that you want it to be depicted to present your case. So, whoever is going to create me the perfect timelining tool out there, I'm ready for it.

Speaker 1:

The whole forensic process. It's the base. The foundation is timestamps, timelining when things happen.

Speaker 2:

Yes.

Speaker 1:

And if you look at a lot of our, look, I want to say I'm not a lawyer, right, and I did not stay at a Holiday Inn last night. That's a really old reference. Actually, I don't blame you if you don't get it. Yeah, I don't blame you, it's really old. But the charges, right, the legal, you know, the statutes, right, they require, when did this happen? Right, because if it happened too long ago, then what happens with that charge? It gets dropped, but what's the one I'm looking for? It gets, oh my goodness, when a charge is too old and you cannot charge anymore. I forgot the word now.

Speaker 2:

Like beyond the statute of limitations.

Speaker 1:

That's the word. Thank you, yeah, it might be that it's beyond the statute of limitations, right? So it needs to have a timestamp. A timestamp, and a lot of charges, when did it happen? Do we have jurisdiction? Right, so the combination of when it happened, where it happened. And I think we agree on this, I know we agree on this: our tools do a poor job at timelining, how they represent that, and sometimes how they represent it in the tool looks great, and then when you put it in the report, it looks like crap.

Speaker 2:

Yes, or it's missing half of the data that you see in the tool.

Speaker 1:

So we've been making this point for a couple of years now. Hopefully reporting really gets the attention or at least a quarter of the attention that some of the AI tooling is getting.

Speaker 2:

Yeah, I wish it would come first. I'd love a nice report before we add all of the fancy bells and whistles.

Speaker 1:

Yeah, and again, it's a general comment, right? Nobody thinks I'm talking about any particular company. No, or anything like that, it's all, oh yeah, again, we're not shills and we're not haters, we're just commenting.

Speaker 2:

So I mean, those are the elements that I find to be super important for my forensic reports.

Speaker 1:

I don't know if anybody in the comments had anything to add. Let me share, because I want to show quickly, because Jessica gave me the link for the checklist, so I want to show people how that looks, if I could actually let me pull this out here. There we go. So let me see if I can share it, because I don't want to share a screen that I shouldn't be sharing. Which one is screen two? Let's open screen two. Yeah, screen two. Perfect, all right, so let me make this big. So what you see here is from the Hexordia page and again, we'll put the link. It'll be long but we'll put the link in the show notes. You can see here "peer review for mobile forensics" and then you can press the button to download the PDF.

Speaker 1:

I'm going to scroll down and, for folks that are listening, you can see here, for example, a section for scope. Do you have scope and all the items you need for scope, the acquisition tools? Do we have all the aspects needed in regards to verification, in regards to whether how you got it is a forensic tool or not a forensic tool, and the list goes on and on, right, and it's really, really, really detailed. It gives you forms for how you document your tooling and your reporting, so please check that out. It has, like I said, the peer review for mobile checklist and the tool reporting document, so we're going to put that link in the show notes.

Speaker 2:

Okay, that's all I have for reporting, but definitely a topic that I am super interested in.

Speaker 1:

We'll keep being that voice in the desert and making sure that the companies at some point up their game in the reporting section.

Speaker 2:

Yeah, so I want to talk about another blog that came out and this is by Lori, who is in our chat tonight, and she did research related to the use of walkie-talkie style applications. She specifically chose the application Buzz. It's B-U-Z, and Buzz advertises that the app allows you to effortlessly connect with family and friends, stay connected through voice even when your phone is locked. So she and her blog, definitely go check it out. I'll put the link up in a second. But she creates a mock story to go along with her research, which I absolutely love, and she details the process of generating the test data really thoroughly. She investigates the storage locations and the databases related to the application and then at the end she says her next project is to write a Python parser for iLEAPP. So I'm super excited to see your parser for iLEAPP, Lori.

Speaker 1:

Oh, absolutely, and that's definitely a happy moment. Oh yeah, you're going to have the fireworks. I put some fireworks there celebrating. I'm going to be communicating with Lori and kind of helping her a little bit, kind of kickstart that process on automating her research. And I like the story a lot. Like you know, when they were trying to steal some things, how they're communicating, that was pretty neat. It was a pretty engaging read.

Speaker 2:

Yeah, I loved that. I don't think I've ever seen the mock story in another blog, not that I've read. Anyway, I thought it was a great idea.

Speaker 1:

Oh, I agree, and that's a good example for, again, folks, if you're new in the field, you do what Lori did and we all benefit. Right, we're going to create an artifact, and if you see that coming across your data sets, it's going to be picked up automatically. Do the same thing. Look for different apps that you think have value, do a study, make a mock case out of it and let us know. And if you want to learn how to automate some of that, I have a full free class on YouTube on how to use Python to make those, if you want to do that. Or use one of the third-party tools or custom artifacts from tooling to make it and start sharing that information. So again, Lori, thank you for that blog post. I really enjoyed it.

Speaker 2:

I did too. So what's new with the LEAPPs these last two weeks?

Speaker 1:

Yeah, so oh yeah, no, I got a great contribution from an expert that lives in New York, that works for the New York State Police. Why don't you tell us about her work, heather? What does she do?

Speaker 2:

Oh yeah, I don't think I know her. I think you do. So, um, myself and another analyst in my office actually found some data related to the Uber app and, um, it's LevelDBs in an iOS, which I think this is the first time that I've actually seen LevelDBs in an iOS that I needed to get the data right.

Speaker 1:

Oh my God, Sam is saying that she wouldn't stop talking about it.

Speaker 2:

This morning at work, I was very excited, so I may have gone around saying that I created my second, um, artifact for iLEAPP yesterday. So yes, I'm excited about it.

Speaker 1:

Leave me alone, Sam. And you should be excited.

Speaker 2:

Yes, yeah, so I didn't create the parser for the LevelDB stuff. Alexis did, um, but I created one for a database related to the Uber places, so it, um, was places that were visited with the Uber app.

Speaker 1:

Um, and go ahead, tell about your LevelDBs. Yeah, so before we go into LevelDBs, uh, I'm not gonna let her downplay her effort. Okay, it's a SQLite database that has JSON in it. Right, and she went and she was able to use JSON extract functionalities, understand what the keys and the values are. Is there a list or dictionaries within them? Um, that's key, other key-value pairs, and she parsed them like a boss.

Speaker 2:

I complained a little, because I don't understand why there's like lists inside dictionaries, inside other things. Like just put it there for me, but, um, they don't. And I did figure it out though. Oh my goodness.

Speaker 1:

Okay, we're gonna continue to have this ongoing discussion. No, no, you will get it, okay. No, I mean, I wish it was simpler, but no, it is what it is, and actually you did a great job, so I want folks to know that. Uh, I'm really proud of that work and that's pretty awesome, right? I actually like the challenge.

Speaker 2:

Anyway, I'm just complaining to complain that that makes it fun too.

Speaker 1:

Yeah, well, and the thing, folks, the thing with this type of stuff is that is Uber an important part of your cases? It is, even if your case is not about Uber itself, right, something that happened with Uber. Uber and I'm going to go into it right now has location data. Okay, because if you're a driver or if you're a rider, it stays within the app.

Speaker 1:

And the interesting thing that Heather and her office, a co-worker and some analysts, found was that they're using LevelDBs, and we are so used to seeing LevelDBs in the context of the browsers, or maybe FCMs in Androids, and again, we talk about this in other episodes, so I don't want to belabor the point for folks that are regular listeners. If you're not a regular listener, go a few episodes back. Okay, we're used to seeing them there. But this is the first time that Heather and myself have seen it as being the main data structure for an app, which I found to be super interesting. What it has on the inside is the typical LevelDB, you know, formatting, key values, but the binary large object in it is JSON. It says here the parser sounds Uber helpful.

Speaker 2:

It sure does.

Speaker 1:

Well, that's why I started the show saying that Heather was the Uber decoder. Wink, wink, nod, nod. Get it now? Right, the Uber decoder. So, but yeah, no, it has JSON data within it and when you look at it, it tells you the timestamp, it tells you the lats and the longs, the speed, movement of the vehicle, it tells you a little bit of what the app was doing. Right, are you searching for a rider? Right, because you're a driver. Are you at the home screen? What screen are you on? Right? There's a bunch of data inside those LevelDBs. I believe that most examiners in our space are not aware that they even exist.

Speaker 1:

Okay, and that's troubling because we're seeing it more and more. By the way, we're going to be discussing LevelDBs in excruciating detail in nine days in the IACIS class. You'll be bored. No, I'm just kidding. You're going to know a lot about them, but yeah, it's important.

Speaker 1:

Look, I got folks saying in the chat that there's been capital murder convictions based on Uber data, right, and some of that data you can get, obviously, through legal process, right. But when there's data on the device that you can get immediately that might be actionable for your case, you cannot put a price on it. I don't want to wait weeks to get something when I have it right in my hand right now and I could give it to my detectives or my agents and go out and continue the case immediately. As time passes, and we talked about this in other episodes, as time passes, evidence degrades. Digital evidence degrades. Real-world evidence degrades. Recollections of witnesses degrade with time. We need to move fast and one way is being aware of this data store so we can get to the data as quickly as possible.

Speaker 2:

So also with the LEAPPs. A new vehicle artifact, right?

Speaker 1:

Yes, yes, thank you for bringing that up, because, yeah, so yeah, and really thank you, because, as I mentioned in the last episode, we're really going to be focused on working vehicle extractions after IACIS, July to the end of the year, and hopefully we can get a lot of support for vehicles, because vehicles, again, I'm going to repeat it, I believe will be one of our main data sources moving forward. For as long as they're available, most of them are not in an encrypted state, so we can get to them. And even if they started encrypting all cars today, right, you're going to have cars that are not in that state, that came out in previous years, on the road for decades, right? Right, so there will always be a good data source. So you gave me some data, some test data, and I made a parser for a RAM 1500 or 1600?

Speaker 2:

I forgot what the number was. 1500.

Speaker 1:

Yeah, 1500 RAM, and I was surprised how much data was there. We got geolocations, and the interesting thing for me as a developer was that these logs are text files, right, you can read them with your eyes, right, but they were compressed as tar.gz files, a compressed format, and if you don't decompress it and then go into it, you're not going to get to it. Right, and sometimes our tools, if you don't set them correctly, they might not decompress those files, which means they will not get those files in the clear text, which means they will not be indexed, which means that if you look for lat and long, you will not get hits on those files, even though they are full of lats and longs, like latitudes and longitudes, right? Does that make sense, Heather? Yeah, absolutely.

Speaker 1:

So you got to look at your sources and make sure that you're taking the steps to make sure that data is there. Christopher Vance is saying, and again, I cannot respect Chris Vance more. He works for Magnet, one of the lead researchers there. He agrees, 10 out of 10, agree on vehicles. It's a chance to keep our chip-off skills relevant, and absolutely. Heather, I mean, explain to the folks why he's saying that about chip-offs.

Speaker 2:

Like all the vehicles we're doing chip-offs on, if they're not supported by one of the only tools, Berla, right, then we're taking the memory chip off and reading that data and either parsing it ourselves or hoping that maybe Berla will parse some of the data from the chip-off, or going to vLEAPP or other tools that might handle vehicles. But chip-off is super relevant in vehicle forensics right now.

Speaker 1:

Yeah, I mean, for a long time we used to do it for phones, but phones became file-based encryption and it's useless. I mean, I guess you could get a chip from a phone, a bunch of encrypted data. Good luck, you're not going to get into it. But cars are, like you're saying, not like that so far. So we get some data. Like Jessica's saying in the chat, people update phones more frequently than cars. Some cars get updated like never. So there are good data sources and obviously I'm going to have people understand.

Speaker 1:

Some people sometimes don't understand where we're coming from. In every conversation we have about this type of topic in this podcast, it's about lawful access. What that means is that we go and we make sure that either there's a person, a victim, that consents to get this data, or we go through the legal process with probable cause, prosecutors and judges, to agree for us to do this. There is no circumstance where we would do any of this analysis just because, because we're curious, because I have the ability and I have the tools. That's not a thing. And if that happens, because it has happened, the person responsible will be prosecuted to the full extent of the law, and I want to make that clear for folks that are not in our field. We talk about this because it's our field, right? But it goes on the assumption that all this data is extracted and accessed with lawful extraction, for lawful purposes. So let's make that crystal clear.

Speaker 2:

Also new with the LEAPPs. We have a new blog by Stark Forensics, Kevin, about the Splitwise app.

Speaker 1:

And that was an interesting app because it's an app for money, and if there's one thing that will help you in your case, it's following the money. And that app has information about groups of accounts where you pay things, where you receive money, send money, where do you send it to? And this is a good example of why doing CTFs is important. So Kevin was looking at the Belkasoft CTF image and he found out that the Splitwise app was installed there and he made his analysis, and as he found tons of good information for that app, he immediately made a blog post, immediately made an artifact for the LEAPPs for it. And again, if you make those artifacts, you automate them. When you run your next extraction they're going to come and kind of be apparent, which they wouldn't be otherwise. And if you're not looking for it, at least the tool will look for you. And I'm going to make one quick point on that.

Speaker 1:

My habit in my cases is I run my tools, I look at the things that I know I have there and I do a sanity check. That means if it's an Android device, I look at the data/data folder and look at the bundle IDs, glance at them to make sure there's not one that, you know, kind of sticks out that I haven't seen before. So I look, right. If I'm doing an iOS, you cannot do that with iOS, but what you can do is, I have a list with my own tooling, based on different data sources in iOS devices, that tells me all the apps that are installed with their names, and I go quickly and do a sanity check, make sure that I'm not missing something. Let me rephrase that: making sure that the tools are not missing something that needs to be looked at. Does that make sense, Heather?

Speaker 2:

Yeah, absolutely. I do the same thing. I mean, a lot of times I'll bring it into one of the commercial tools and I immediately go right to the installed applications, because it's not going to just show you the installed applications that the tool supports. It'll show you all of the applications, so take a look through and find the ones, you're right, that you don't recognize or that the tool is saying they don't support.

Speaker 1:

Well, let me give folks a little bit of an advanced suggestion. Right, and again, this is fine. What you're doing is fine, it's not wrong, and I do it too, but I really like doing... How can I say this? Let me step back. In iOS.

Speaker 1:

There's two easy main ways of figuring out if applications are installed. The applicationState.db, that's what everybody uses. It's a database that has those there. But there's also, and Jessica is agreeing with me, right, the applicationState.db. But there's also, in each and every application folder, a dot file, a file that starts with a dot. When a file in a Unix, Linux, macOS system starts with a dot, it's invisible to the user.

Speaker 1:

Okay, starts with a dot. That plist that starts with a dot has information about the app that resides in that directory. Does that make sense, Heather? Yes. All right, my tooling, I say my tooling, but the LEAPP tooling, the community tooling, takes those dot files and extracts that information from them. Why is that important?

Speaker 1:

Sometimes, and I've seen it more than once, when you delete an application on an iOS device, it will leave the applicationState database, but that folder of the app hasn't been garbage collected yet. When you make the image and you find a folder, it's empty. It has stuff, but it has that file there and you can say, look, this phone doesn't seem like this application is here, but that folder is there and it belonged to this application. An example that might be real or not: the Dropbox application was deleted before the officers got to the phone, right, and it doesn't show in the applicationState DB. But the folder wasn't garbage collected and the file, the plist inside of it, told me that that folder was for the Dropbox application, which is the reason we were at that door that day. Does that make sense, Heather?

Speaker 2:

Yeah, absolutely makes sense.

Speaker 1:

So I'm just going to give the folks an extra step to possibly take when they're dealing with this. Always think of having a sanity check to make sure you're not missing something. That's the big takeaway.

Speaker 2:

Agree, agree, 100%. So that brings us to everybody's favorite, the meme of the week. Woo-hoo! Where's your fireworks? Right, yeah?

Speaker 1:

Yeah, well, actually, they're right here. Actually, since I used the fireworks already, I think I'm going to go with some lasers. There we go. Ah, perfect, perfect, there we go.

Speaker 2:

Some confetti just for good measure. All right, so I am pretty sure this is my new favorite. Um, I absolutely love this meme. I can't scroll in. Okay, so we have nine different scenarios of monitors for a digital forensic analyst, right: the one-monitor computer for the new examiner, the very large screen monitor for an examiner, two monitors for the reviewer, a monitor and a longer monitor for the examiner.

Speaker 1:

Which, by the way, the reviewer has two monitors, but there's two small monitors.

Speaker 2:

Small, yeah, small monitors.

Speaker 1:

I'm sorry reviewer, I'm not going to give you my curve OLED. You're going to get two little monitors and be happy with that.

Speaker 2:

And then it goes on with nine different versions. My very favorite is number six, though. We have six monitors, three stacked on three, and that is the supervisor that does not do forensics, and I think that's why I love this meme the best.

Speaker 1:

I think this meme had a whole bunch of hundreds of reactions and a whole bunch of forty-something comments, and I think it's because everybody knows that supervisor that has the best equipment, even though they do none of the technical work. Yes, let me see, Sam. Sam, we're not, look, look. This is a general comment. We're not talking about your office, okay, or about any specific office, not even my office, it's other people's office.

Speaker 2:

I actually made that joke because one of our, um, our bosses, our supervisors, has that setup. But he does do a lot of forensics still too, so I can't really pick on him about it, but I did show him the meme and he looks at his setup and he's like, oh, oh no.

Speaker 1:

And even if he didn't, you better say that he did, okay. Oh, yeah, yeah, no, the setups, and I think the setups, again, I come up with these because it's a reflection of what we do day to day and we see ourselves in it and we laugh about it. But it's true. Right, at the end of the day, we deal with what we have, and what we have will reflect who we are, and my monitors, I had the eight, which is two big vertical monitors and one horizontal, but I changed it. Now I have a big, big, big, big, big, you know, kind of curved monitor.

Speaker 1:

It took me years to be able to procure that. Government procurement, you know how it is. And then I have some smaller ones, but again, that changes. Oh, before we close the show, I want to... Chris actually looked up, I mean, he knows it by memory, the file that we're talking about. The plist file is the .com.apple.mobile_container_manager.metadata.plist, and I pull those, like Chris is saying in the chat, en masse. I make a list of what application is relevant to that particular plist, and so check that out. You will get a real good sense of what's been installed on that device. But going back to the memes, I think we should not only portray the truth of our cases and our work but also share with each other what makes the job funny, what makes the job fun, what makes the job us, right, and start building that community also through that. A lot of our job is serious, traumatic in some ways, right, but we can also take joy and let that happiness also go as far as we can.

Speaker 1:

And I mean this is one way we can do it.

Speaker 2:

And we can use it to pick on the supervisors that don't do forensics. So I mean it's a win, win.

Speaker 1:

There's a meme that is like, you know, pick the Uno cards, like one card: "Oh yeah, stop picking on your bosses," or take 25 Uno cards, and I have 50 Uno cards now. I won't make fun of that. I'm kidding. Actually, I have a really good boss, by the way, and I'm not kidding about that. So a commenter on LinkedIn is saying keep the memes coming. Don't you worry.

Speaker 1:

My field of memes has been planted and the memes are growing, so you don't have to worry about that. Well, heather, I think we've reached the end of the show.

Speaker 2:

We have.

Speaker 1:

Thank you everybody. At this point we're not looking at the clock anymore, we just go yeah.

Speaker 2:

This is our show.

Speaker 1:

This is our show and we'll stop whenever we feel like it, Exactly. Oh no, I hope you enjoyed it. I sure did.

Speaker 2:

Yes, absolutely.

Speaker 1:

And I hope the folks listening and watching enjoyed it as well.

Speaker 2:

Yeah, thank you.

Speaker 1:

Please reach out to us on our LinkedIn Digital Forensics Now podcast. Send us your ideas for topics, send us your questions, send us your comments. Make it constructive, please. I'm sensitive.

Speaker 2:

I'll deal with those other comments. All right, all right.

Speaker 1:

Thank you, everybody. And any last word for the group of the order?

Speaker 2:

Heather? No, that's it. Thank you very much, everybody.

Speaker 1:

All right, we'll be seeing each other at IACIS. We don't know what we're going to do. I'm hoping to do something, but we'll see.

Speaker 2:

Yeah.

Speaker 1:

Something fun during the IACIS week, so we'll see what we can come up with, but our next podcast will be through the training in IACIS, so be on the lookout for that.

Speaker 2:

Yeah.

Speaker 1:

And with that everybody have a good night. See you soon. Good night, Bye. Outro Music.
