Digital Forensics Now

Live from IACIS with the Phone Wizard, Bill Aycock!

May 02, 2024 Heather Charpentier & Alexis "Brigs" Brignoni

Live from the International Association of Computer Investigative Specialists (IACIS) with special guest Bill "the phone wizard" Aycock!!


Notes:
Three New SANS Posters
https://www.sans.org/posters/ios-third-party-apps-forensics-reference-guide-poster/
https://www.sans.org/posters/android-third-party-apps-forensics/
https://www.sans.org/posters/dfir-advanced-smartphone-forensics/

New Release of Mushy
https://doubleblak.com/app.php?id=Mushy

Blue Crew Forensics
https://bluecrewforensics.com/2022/03/07/ios-app-intents/

Speaker 1:

Welcome to the Digital Forensics Now podcast. Today's Thursday, May 2nd, 2024. My name is Alexis Brignoni and I'm accompanied today live in person, not on any computers, with the one and only Phone Wizard, the one that puts verified in verified labs, our good friend and IACIS phone instructor Layton. And as always, I have with me the Kahoot master, the advanced mobile device presence class boat captain, the one and only Heather Charpentier. The music is hired up by Shane Ivers and can be found at silvermansound.com. Hello everybody at home and hello to Bill and Heather.

Speaker 3:

Hello, hello hey what's up?

Speaker 1:

Everybody, super happy to be here. I see folks coming into the chat. Johan is around. A salute to Johan. And we'll talk a little bit about what he's been up to with the LEAPPs and helping out, you know, maintaining the project. I appreciate your help. My friend Andrea is online too, so hi to my co-Florida examiner, happy to be here. So, as you can tell everybody, we're live, we're all here with our nice IACIS. Where is it?

Speaker 3:

Oh yeah, hold on, I got it.

Speaker 1:

I can muffle a little. There you go, IACIS shirts, and we're in our nice classroom here at the Caribbean Royale in nice, sunny Orlando, from where I live, right? So Bill is teaching with us and Bill, you're former law enforcement, right? Retired?

Speaker 2:

Yes yes, retired in 2013. So you know, I started policing when I was 19 years old. So you know, my entire adult life I've been a policeman. So when I retired after 20 years, I was 40 years old. So why stop now? Precisely Right, I mean. So so start something else and so that's exactly what I did.

Speaker 1:

So now you have your own lab doing forensics Yep.

Speaker 2:

Doing. So I just do cell phones Right. So when you have your own shop, you can do whatever you want. If you want to make, you know, clown balloons you know you can do that but but uh, so I just do cell phones, cause you know that's my jam, right, I love cell phones, and so that's all I do is cell phones.

Speaker 1:

See when I grew up. I want to be like you.

Speaker 3:

Me too. I'm ready right now.

Speaker 1:

No, I'm really happy to have Bill. Bill has been covering some of the topics with us and hopefully it's a busy man. Hopefully you can come with us every year.

Speaker 2:

Yeah, so great benefits here, great benefits, you know, and to give back part of giving back to the community, and this is it, this is the community, right? So everyone is in this community and to give back is just huge.

Speaker 3:

Absolutely, absolutely, which leads us to being here at IACIS since the beginning of last week. We did a class in advanced mobile forensics last week and then our second class is this week. We're going to end that tomorrow. We're all at the biggest IACIS event ever so far. They said there's over 700 students, over 150 staff members and 23 courses in total.

Speaker 1:

Yeah, it's been nice. I will say I don't know why I'm kind of far away from the center of the action. So, like next time, if some IACIS board member is hearing, let's put the advanced mobile device class closer.

Speaker 3:

Yeah, we're away from everybody like the redheaded stepchildren.

Speaker 2:

I have literally put in 15,000 steps a day. I guess there's a pro benefit there yeah definitely yeah.

Speaker 3:

So there's a whole bunch of classes available down here in Florida once a year: mobile forensics, advanced mobile forensics, computer forensics, SQLite and many others, and I think the best part of being down here is definitely the networking. I would not have met Bill if I wasn't down here, or Alexis last year actually, so the networking is definitely top notch.

Speaker 2:

Definitely. Part of, you know, part of the big thing about IACIS is not only are you networking here locally, like New York and Texas, I mean that's, that's far away. But no, we're, we're networking with people from New Zealand and England and Australia and, you know, the more brains that we put into this group, the more problems we're going to solve.

Speaker 3:

Yeah, couldn't agree more with that.

Speaker 1:

They're saying the mobile students are way cooler though, so I have to agree 100 percent. That's from the chat. I have to agree that we are.

Speaker 3:

Oh, definitely.

Speaker 1:

Or at least semi-cool nerds.

Speaker 3:

They can't take our coolness. That's why we're over here, hidden, that's right.

Speaker 2:

They don't want to show their non-coolness, so they put us down here.

Speaker 3:

So not only networking with other colleagues, other friends, but networking with the vendors. There's a ton of vendors here at this event and getting to interact with those vendors and ask questions about the products is definitely a really important part of the conference.

Speaker 1:

Yeah, and you know it's really nice because sometimes they go around. They do not sometimes, but they do this at night. They have the vendor nights so folks can go there, learn about the tools. They do giveaways, so it's a good time and I'm really impressed, since forever, I mean, I've been an IACIS member certified for the last decade, actually 11 years this year, and this event is run totally by volunteers. All of us were volunteers, the people that run are volunteers and it's an event that's amazing that's done that way, people giving it their time for free to make this happen.

Speaker 2:

Yeah, and you know about the vendors too. It's not they're here for us, right, but we're also here for them too. I mean, as we come to these events, we bring issues or we bring new things to them and and they're very open to to suggestions. Or hey, would could your tool do this? And they write it down and they take it back to R and D and they they see what they can do with that. So not only are they here for the students, right about their new products or whatever, but we actually add to their existence as well by making suggestions and comments about their products.

Speaker 1:

And I would say, if you come to this event or other events, totally like Bill's saying, reach out and say look, this is the problem that I have, this is a solution that I found, and see how can that be filtered into the tooling so everybody can benefit. So that's absolutely a good point to come to these events.

Speaker 3:

So I definitely have to share our class instructor picture here. So this is the group that's teaching the advanced mobile device forensics class. We have John Hyla, Alexis, myself and Bill and, of course, our class mascot, Hannah.

Speaker 2:

And what a handsome group I might have.

Speaker 3:

Definitely. And let me throw up. I have one more, one more picture of our lovely class mascot, Hannah. She was helping us teach the other day, understanding your role, and she was understanding her role in the classroom.

Speaker 1:

The best girl? Yeah, really good girl.

Speaker 2:

And it tells you can also tell the really advanced classes have their own therapy dog.

Speaker 1:

Yes, Because Heather really drives a hard class.

Speaker 2:

I'm good in my class, my blocks are nice and gentle, when it starts getting a little thick, you reach your hand down and a therapy dog comes up beside you and you can kind of calm down a little bit.

Speaker 1:

Yeah, no, Hannah is an electronics detection dog and John is the handler, and what she does is she goes and there's, for example, a search warrant and they're looking for secreted or hidden electronics. She can detect through her smell and finds them for the folks. So it's a pretty highly trained dog, but also the nicest dog ever.

Speaker 3:

So I think we're going to talk a little bit about the training that's available at IACIS and some other things surrounding training.

Speaker 1:

Yeah, so here on IACIS there's vendor courses that the vendors come in here provide, like Cellebrite, Spyder Forensics and others, but we also have the IACIS courses. We are not vendor specific, right? And I think we were talking with Bill the other day and he was discussing with us that difference between the need for vendor training and also this methodology of how you do your stuff. You know.

Speaker 2:

Yeah, I think it's so important. So you know here and you know it's everywhere. But I think a, I think a, an expert in our field. That's what we are. We're experts. So we need to take that seriously, that, that that banner of expert, we need to take it seriously. And so, as an expert, I I think that, as as my training and as my certification comes in, I think that first of all, I do need a very focused expertise and training on a tool. So if I'm using a tool, I should be able to operate that tool at expert level, know how to troubleshoot it, know how to explain how it works in court. So I want to be trained by the tool maker exactly how that tool works and they train me on that tool. So not only do I have a laser focused training on the tool, but then also to round out my training, to round out my expertise, I also want methodology training.

Speaker 2:

So in here at IACIS, that's what we teach. We teach methodology training. So it's not specific on the tool, it's more the methodology that encompasses the tool. So when I go into court and I testify, or when I'm working on something, not only am I applying the specific tool methodology that I've learned, but I'm also applying the overall methodology. And you know sometimes when and we all know that maybe one tool doesn't get this artifact, maybe one tool doesn't do such a great job on this, my methodology training will compensate for that, and so, because I know, I know the methodology behind it, and so that's what we're teaching here. So I definitely recommend that, if you're working as an expert, not only do you have specific training on the tools that you're using, but also the overall methodology training I think is so important in what we do. No, and if I had to, we don't have to choose.

Speaker 1:

But if I had to choose, I would put that why are the things done the way they're done? How are they structured, even before the tool training? Because at the end of the day and this happened to all of us, right, like Bill was saying, you get your tool to run, it's either it might miss something or something that might not be interpreted properly, because nothing is perfect, right? So at the end of the day, I validate that tool and in some jurisdictions the question is well, you're an expert if you've been trained by the toolmaker and I'm not minimizing that. That's important. But the tool can commit mistakes, right? So it's up to us to have that training and some of our blocks.

Speaker 1:

What we do is we go well, this is how you get, for example, to a SEGB file format. This is how it's done. And we look at the hex, we look at the offsets. We do it by hand and then I give you an automated tool to do it. And that goes to speak to what Bill's saying. You got that methodology. This is how you do this by hand and this is how you automate it and you can validate it. And I think and we talked about this some episodes back, Heather and myself, right? About being an operator. We need to go back to those basics of our field, the scientific basis of our field.

Speaker 2:

Yeah, I agree, if you get stuck, if you focus too much on the tool and not on the methodology, the overall methodology, you might get stuck on something. You might, you'll go as far as the tool can take you and then you're stuck. But when you have methodology training you can work around that roadblock and then bring in another tool or re-implement your tool in a different way. So methodology training, the overall methodology training, is, I think, a must. It should be in your CV, if it's not.

Speaker 3:

Absolutely, I think you will get stuck. I don't think there's yeah, there's no question about it. Eventually you will get stuck and the end product suffers from that.

Speaker 1:

Yeah, and there's this some students not every student, some students have this idea of okay, I take the class and the class will tell me or teach me everything I need to know about the topic. And I mean, you can correct me or tell me your thoughts about this, but the class, I'm here to teach you more how to think as opposed to how to do the things. And I say that because there's no way in a class, in a week or two weeks or a month or a year, that I could teach you every single circumstance you might find or every problem you might come across in your work.

Speaker 2:

That's right.

Speaker 2:

You know. So I have to teach you how to think about the problem. So when an unknown problem surfaces, you can handle it. And as we were in class, I mean this was so. I mean this is so great as we're in class and as we're talking about the topics we're talking about. So we're talking about in this class specifically, we really focused on the artifacts, on how to find the artifacts, that some of our tools are missing, right.

Speaker 2:

So you have a case where you have a brand new chat program come out. No one's parsing that chat program, but yet this is important to your case. You've got a car. You've got to pull these messages out. How do you do that if your tool is not doing it? And so in this class, we're teaching you the method. We're teaching you how to recognize what format it's in, how to dig that stuff out and how to put it out, how to bring it out of that container into a format that makes sense that you can give to your prosecutor. And so you know, in this, this is how we teach the why of why we're doing this, because at some point you're going to have to employ this methodology away from the tools. Yeah, oh, you're definitely going to have to at some point.

Speaker 3:

Um, I've had to numerous times. I didn't think I could ever do it, but learning those, those, I guess how to, how to do it yourself, so super important. Yeah, yeah, like the, like the, like the Uber app we talked about last time.

Speaker 1:

It's a LevelDB database and if you're not familiar with LevelDB, we teach it here as well. But you can get smart on that and you apply that method. You say, okay, I don't know this. I have a structure of how do I get to know things, and you apply that. And then obviously you reach out to the community, reach out to friends. Like we said last episode and I got to emphasize it again, have a tribe, right? And Bill, now that I know Bill really well, spending for him two weeks, he's done.

Speaker 3:

I'm going to be pestering him all the time.

Speaker 2:

Oh, me too. Me too, definitely. Wasn't it cool that, as we were in class, we're teaching how to dig these new artifacts out that aren't supported, and as we're in class, we're getting emails on the listserv, on the IACIS listserv, which is a list of, it's a, it's an email service from all the IACIS members. We're seeing, sometimes, the very application that we're, we're examples in class that we're giving. People are asking questions. Hey, I came up with this new app. It's not being parsed. Does anybody know how to get, get application data out of it? And it just happens to be the program that we were teaching today, so it was as we were doing it. That's literally what happened.

Speaker 1:

It is as we were doing it, I mean literally, we were talking about that file that day. The JSON inside a SQL database and Bill told me that I told the class hey, if we had, if the person I think in this class were have that method to be able to address it, that was great.

Speaker 3:

Yeah, that was awesome. Actually, we got to put the email, the listserv email, right up on the screen and say this is the exact reason why you need to learn the artifacts we're teaching in this class.

Speaker 1:

Yeah, Stephanie is saying from LinkedIn. She's saying it's not just learning how to use the tools, it's knowing what they're actually doing, right. Yep, that's it.

Speaker 2:

That's huge. And you know when, when you go testify on this, when you and I man, I do a ton of testimony stuff and I do a ton of expert witness on the stand and in deposition, and you have to know, you don't have to know the specifics of how the tool is working, but you do have to know the basics. You have to know hey, the tool is injecting a client and the program's running on a client. You have to know these things. And she's exactly right. You don't have to know, like, the dynamic details of it, but you do need to know how it's doing what it's doing.

Speaker 3:

Yeah, definitely.

Speaker 1:

Absolutely, and there will be questions that you will depend on that knowledge to be able to answer correctly, right, especially in regards to the background of where something came or is this an artifact that indicates attribution or indicates intent? And again, you don't have to be the coder of the program, but you do need to have that background. So that's what we try to do here.

Speaker 2:

Yeah, agreed. And when you're testifying, I mean you need to say that stuff with some confidence, right, and you're going to get a lot of questions about your methodology too, sir. You know, Mr. Aycock, what is your methodology? When you approach this, you've got to be able to explain your methodology.

Speaker 1:

I just, I just press a button here, right? Yeah, I made out something.

Speaker 3:

There are people who say that there are. Shame on you.

Speaker 1:

No, we, uh, no, and again, it's also a good time. Um, there's the event. We go really nerdy during the day, then we go out at night and we have a good time. Really good people in this event. So, uh, I'm hoping that they'll keep me and keep us around for a long time. Yeah, if we didn't break anything. Not yet, we have one more day.

Speaker 3:

So, um, specifically related to this class, there's a student in the class. He's from Beverly Hills, his name is Eugene Kim and he decided that he wanted to write a testimonial about this class and the class he did last week. He did the MDF, the mobile device forensics class last week, so I'm going to read it to everyone who's listening. He wrote hi guys, I am a subscriber to the podcast and a recent attendee of MDF and the new AMDF course. In fact, I am in day four of AMDF now. I'm sure there are other listeners out there wondering if the course is difficult.

Speaker 3:

I started last week with a novice level of experience. I am happy to say the instructors are truly awesome and very committed to student success. I've been surrounded by extremely knowledgeable examiners and instructors who are always very willing to help out. I never felt left behind or lost. I learned so many techniques that far exceed any of the push button methods we used before. I'm so much better now after the last two weeks of learning as a manager of a digital forensics task force. I highly recommend everyone go through MDF and AMDF. If you're listening to this podcast, you should be here.

Speaker 1:

Oh, that's nice. Yeah, it's very nice.

Speaker 3:

I had to share. It was very nice. It's much appreciated, Eugene, if you're listening.

Speaker 1:

Checks in the mail. Yeah, he is actually a really cool guy.

Speaker 2:

They have got a really cool setup. I'm gonna next time I'm in the valley doing some work, I'm gonna go. I'm gonna go see him yeah and uh.

Speaker 1:

Actually, if you're in the valley, bring some stickers from the, uh, their PD, so you can give it to Heather. I just noticed, looking at, uh, looking at the feed here, that you're kind of like a sticker lacking. I'm a little light on the stickers.

Speaker 3:

yeah, yeah, if anybody wants to send me stickers.

Speaker 1:

It has to be. It has to be forensics related it can be just any stickers. Okay, so I just want to note that you know.

Speaker 3:

Yes, they have to be forensics related, no problem.

Speaker 1:

No, we appreciate his comments and, again, you know we try to make the class better and students will do reviews at the end and we'll evolve the class.

Speaker 3:

Yeah, I like hearing too, like so people who are just doing the push button forensics and then they come to a class and they're like I'm not doing that anymore or or this is going to change the way I work in my lab or how I instruct people to work in my lab.

Speaker 1:

That does, I mean, that we get paid with those type of comments, with the changes people make in their labs, make their workflow better, to bring justice faster and more efficiently. That's our payment and you know there's, there's, there's no money could compensate for that.

Speaker 2:

And I think, I think at one point we all started like that. Right, we all started in a very simple, simple mindset. But I think our, you know, especially for me, my sense of duty, my sense of I've got to find the truth no matter what. I can't stop until I find it, that kind of attitude in a forensicator is what drives us, it's a must. And if you have that, you have that driving mentality, good for you. Don't, don't suppress it, keep it going, because that's what's driving this community to expert levels and to the truth.

Speaker 1:

I mean, I don't know if this goes in the podcast, but I started my little lab with literally a little NAS network, attached storage and a computer and a set of little write blockers. That was it.

Speaker 2:

Yeah, I started with very little. I had like a room in my garage right, so I mean it was humble beginnings. For sure, humble beginnings, yeah.

Speaker 1:

I know Bill's killing it, by the way yeah, definitely.

Speaker 2:

I'm so glad you're here, Bill. So and I'll tell you, I was talking to some peers and I'm like man, I'm here with the smartest people. I don't know what I'm doing here. I'm here with some big brains and you guys are phenomenal to watch you. To sit here and watch Brigs talk about protobufs and LevelDB databases and he's giggling. I mean, he's literally, he's like he's giggling.

Speaker 1:

I think about protobufs. Yeah, I think about Porobus.

Speaker 2:

Yeah, it's an inside joke, it is an inside joke To see you both up here instructing. I mean, it drives me to want to know more.

Speaker 3:

Don't sell yourself short. I heard you instruct as well, and you killed it.

Speaker 2:

I don't know about that. I'll tell you to come to these classes and to see you guys and to see everybody. Right, it just drives me to want to know more, drives me once, yeah, um, John is making fun of my.

Speaker 3:

I thought John was at, uh, Topgolf. John must be listening to us from the staff dinner at Topgolf.

Speaker 1:

Yeah, they all went there to party, but we stay here. They probably got us on a screen.

Speaker 2:

We're only saying good things about IACIS.

Speaker 1:

Okay, Don't fire us and Boolean Grotto.

Speaker 2:

Boof and Boolean.

Speaker 3:

Oh, we've got Kachup and Cool Whip in there too.

Speaker 1:

Yeah, somebody was in class. I'm going to make that story. So you know, obviously I'm from Puerto Rico and I have an eight-year-old and sometimes I just speak, you know, with my accent. I say, hey, you know, you want some ketchup in your hot dog and he goes papito. That's that in Spanish Papito. It's not ketchup, it's ketchup. And I'm like, really, man, are you going to call me out like that? So now everybody's calling me out in class. It's fun, I love it, it's a good night, it's a nice group of people, the students.

Speaker 2:

And I tell you what, John, to hear him talk about, you know, SEGB files, right? So, he's like the guy about SEGB files. Right? To hear him talk about how he found it. I don't know if I would have. I may have stopped. I mean literally I may have just gone, you know, I'm going to get us to Brigs. Forget it. Right, I may have stopped, but John didn't. Good job, no.

Speaker 1:

And based on. So I don't get tired of saying the story, I will say it again. John figured out there's this file format in iOS devices that has a bunch of important pattern of life information and nobody knew about it, at least nobody within the community, and he kept at it and he came out with it and I put it in a blog post and it exploded and myself and some of the examiners built on that to create parsers for it, and I wouldn't, we wouldn't have gone there as fast as we did without him laying that groundwork. So we have him in class teaching with us and he explains it's important to know the SEGB format, but that's great.

Speaker 1:

But what I really like about his blog is he explains the thought process. Like I found this unknown thing how do I look for patterns in the data? How do I apply the sweeping of the offsets and hex, of those bytes in hex? Because we take those classes and we think, oh yeah, I know how to count from binary, how to make it in hex, and when am I going to use this. Well, when you find a file like a file like that, like he did, that's what you're gonna use, it you know, and that's the importance, the.

Speaker 2:

The importance is, is giving them, you know, arming them with the information, but then showing them how to deploy it, showing, showing them the why of you, why you need to know this, and John was right on, I mean, he was.

Speaker 1:

Hey, I found this file, didn't know what it was, and I started looking at patterns and I started started finding, started doing testing and I found out what it was and that was a huge find well and and even some of those, even when he presents, because I I feel that I know those files well, but I I got something out of every presenter and every, even from the students he was. He was talking about how he looks at the patterns and he can look at the pattern of the hex and he sees some variations. At the end he knows that's a timestamp.

Speaker 1:

And when I look at it and say you know what that makes absolute sense. I mean, we're going to replicate here in the show that we don't have the data here. But if you look at the hex at a certain way you can tell that some fields are timestamps based on the configuration of the hexes. Now it's like when you see it, you cannot unsee it.

Speaker 1:

So now I'm looking at this, like you know what that's a timestamp, and I'm pretty sure if I swipe it and then convert it, it is going to be so. Even myself that I'm an instructor, I'm learning from the other instructors, I'm learning from the students. It's such a great experience. It's one of the two best weeks of the year for me to nerd out in a good way.

Speaker 3:

Yeah, this has definitely been great. Lori is asking in the chat do you have the link to that blog post? And we do so. His site is Blue Crew Forensics, but when we end the podcast tonight I'll put it in our podcast notes and you can go read that blog post, because it's excellent.

Speaker 1:

Absolutely, and we teach that in class. We teach about the SEGB files and both version one and version two, and he covers those blocks. I'm really happy that he's part of the instructor crew here.

Speaker 2:

Excellent crew. I mean not only in this class, but the MDF class too. I mean, gosh man, these are the instructors here. I've never been disappointed. They've always been industry leaders, always been industry leaders. And who better to learn from? And you know, for us too, like you said, who better for me to learn from than all of you guys? Excellent.

Speaker 3:

Oh, I've definitely learned a whole bunch of stuff that I did not know these last two weeks just from sitting in the class and listening to the other instructors.

Speaker 1:

If you're at home having FOMO like fear of missing out. Yes, you did miss out. So tomorrow, pretty much, we're ending tomorrow the event. So next year come from the beginning and hang out with us and let's have a good time. Yeah definitely.

Speaker 2:

It's definitely something that should be on your list. I mean, there's so many good events to go to, but this should be on your to-do list. I think that IACIS is not only is it an international association, that says a lot, but the training is legit. There's other trainings out there too. I'm not putting down anything else. SANS classes, absolutely. I would go to all those classes, absolutely.

Speaker 1:

If you're new in the field and you're like well, how can I do that? You know it's a process, right? You can, as you go through your process, you go learning, make sure you're able to have you explain to your bosses, your stakeholders, hey look, this is a good developing event, and make sure you'll be able to make it here. Or use some program like SANS has, a study program, that you can go there and the prices are reduced. So some of the stuff that we have to do just to get that knowledge. So it's really worthwhile.

Speaker 3:

There's scholarship programs for IACIS as well. So, look for those every year.

Speaker 1:

So Trey from Magnet is saying that the stickers are in the mail for you. Oh, thank you. A big Magn sticker that you know the two jeans.

Speaker 3:

Oh yeah, it's a pair of jeans. Actually, I want one of those I like so. I'm just being, I'm being kind of we're picking, and now he's not going to send me any stickers. Yeah right, it's all your fault, it's my fault.

Speaker 1:

Yeah, the new logo. They look like two pair of jeans together To pump the. M. You know what I mean? It's just joking, I kid, I kid Stickers on the mail.

Speaker 3:

Thanks.

Speaker 1:

Trey, we appreciate it.

Speaker 3:

Yeah, so actually there's a couple of questions. So what is the general makeup of students? Private sector, law enforcement, novice, super experienced, I would say everyone. It's not just law enforcement. There's private sector, there's beginners, there's really experienced students and, with the instructors as well, really experienced instructors.

Speaker 1:

All my background is criminal background, right, but Med Bill we took a class together a few years back, but now I really met him real well. He works now in the private sector. We have a student that sits over there that also works in the private sector and I've gotten a lot of understanding in regards to how they go about doing their work, how they will testify in the civil arena and some of the things that we discussed I know I can incorporate into my own presentation in the criminal side. So we have students here from all sides. There's this concept of the criminals and the criminal investigators versus defense. That doesn't exist here. We're here for the science and we're all colleagues, no matter what type of work that you do. Hey, I think that's a really good question, yeah, so do I.

Speaker 3:

So Stephanie asks what would you suggest be the first cert to attain for a novice to get into digital forensics? I'm starting from the bottom and working my way up.

Speaker 1:

So where are you going, bill's?

Speaker 3:

our guest. That's how, bill's.

Speaker 1:

I'm starting from the bottom and working my way up so thoughts, so do I. Bill's our guest. That's how Bill's at the top of the year.

Speaker 2:

So, you know, in my experience, I was a tool certified first, so I went with. It was a Cellebrite training because that was the tool that was out there that we bought. So I did tool-specific training first and I became efficient with that tool. Now, once I got that training, I wasn't done. I started using the tool. I started utilizing my training. I got some time under my belt, right, I got some experience using the tool. Then I went to my next certification and that was more methodology certification.

Speaker 2:

So I would recommend starting out small with a tool learn that tool, get some experience with it, get some mileage with it, get good with it and then, once you're there, then you're ready for the next step, which would be methodology training or maybe another tool. But I do not recommend taking one course and going certification and then two weeks later or a week later go to another course and then a week later go to another course. I recommend getting the training, putting it into practice, becoming a practitioner of that and then moving to the next step because it becomes applicable. That your next training the methodology. You're thinking okay, so I could apply it here, because I've done that before. So I think, tool training, first get one tool and then get some experience and then move on. What do you think?

Speaker 3:

I think so. If it's. If the question was specific to IACIS, I would start with the BCFE and then the CFCE certification. I agree with the vendor-specific because you're going to have to be using those tools, so you need to have some training in the tools you're going to be using first. But if it's IACIS specific, I would start with the BCFE. Get your fundamentals out of the way right away.

Speaker 1:

I'm going to be the odd man out. So the BCFE is a hard class, right? Yeah? And from my perspective and I mean I agree with you it should be the first one if you're here. But that being said, a groundwork has to be done first. From my perspective it's a hard class. And when she says that, well, I'm a novice, Well, it depends how you define that, right. If you're saying I'm a novice, but I know how networking works, I know how computers works, I know all the parts of the computer, I understand what a file system is, and that's not limited to digital forensics, computer knowledge. If you have that, well, you are a novice only to the digital forensics application. But there are folks that come in that don't even have that. For example, you're a from the road because you like computers and you come to the lab. I cannot send you to BCFE straight up because you're going to fail.

Speaker 1:

You don't know the parts. You don't know how networking you might think. Well, who cares about networking? You know what. How the data moves from one computer to another, from one phone to another, will be part of your investigations. And that's not forensic knowledge, that's general computer knowledge. So I guess it's a long way of saying I would recommend, if you're a real, real novice, go and get your Network Plus, and that's from CompTIA. It teaches you how networking works, what are protocols, what are packets, how they move across the networking stack. Get A Plus, also from CompTIA. And just some examples on certifications: how do the CPUs work? What's CPU? What's memory? What's the, um, the swap space? Right, when a computer goes to sleep, the memory gets dumped to the drive and that concept later gets applied when you say, okay, does that memory dump when the computer goes to sleep, is there any forensic significance? That's when the BCFE stuff in right, yeah, what do you guys?

Speaker 2:

think about the. So this is something relatively new. The, the, the bachelors of digital forensics, right, the masters of digital forensics. What do you think of those programs, Heather?

Speaker 3:

So, yeah, I, I have a master's degree in computer forensics and I feel like I learned most of what I know in forensics once I started my job, and I mean I got fundamentals from school. I'm not saying I didn't get anything from school, but I graduated and came into a job at a police agency and had no idea how to apply what I learned at school and the courses that they've sent me to is how I am where I am today. I wouldn't, I wouldn't attribute it, I wouldn't attribute a very high percentage of that to my schooling.

Speaker 2:

I know and I've I've had the same experience. I don't I don't have a bachelor's in digital forensics, but I've I've heard the same experience and that that question comes up a lot to me, especially with young examiners. Uh, feel like they want to go to college or have a need to go to college to get a digital forensics degree. And you know, maybe that helps you understand the fundamentals, like Brigs was saying about you know how the computer works, how it's built, what's the working knowledge of the computer and how information goes through it. That would probably be a useful part of that degree program. But your on-the-job training, that's where you're really going to get the application part of it. So you know, maybe an associate in some type of computer IT something to get that basic stuff right, and then delve into the forensics.

Speaker 1:

I mean, we're not that far apart in age. When we came about, there was no degrees that did not exist. There was no forensic degree that didn't exist. So people got certified and as you got into the field, I think that with enough time, as we codify this knowledge more strictly, I think people will need to get degrees at some point.

Speaker 1:

Not yet right, but at some point. I think that's going to be something that future generations have to think. When I get into this field, you've got to have a degree because you're going to become really specialized. Now we're not there yet and Stephanie is saying in Stephanie's case she says I took A+, Network+ and SecBookCamp and from my perspective, if you have that baseline and you have understanding that is what Heather and Bill are saying. Get your good tool trainings, you have like your hammers and your nails and your tools, and then take the BCFE so then you can then learn how to hammer and how to measure and learn how to build that house.

Speaker 2:

Yeah, and it's like. So, like you said, the hammer and the nail Right. So you got to learn how to use the hammer first, and then you know, and then you learn where to hammer right.

Speaker 1:

Learn the hammer first, then learn where to hammer. Don't hammer your finger, please, and we all done that at some point, right?

Speaker 2:

I'm stretching this analogy to the max expect nothing less of course of course no, it's good stuff and um man you guys got a great crew here. Look at that. It's just all kinds of chat. Oh, yeah, yeah, yeah so you know what.

Speaker 3:

Back back to what you just said a minute ago, though with the associates with having that computer knowledge. I didn't have to have that to get the master's degree in computer forensics, so I went into um, the computer forensics master's degree with no computer knowledge. So definitely you want that associates, or or you know undergrad in something that gives you the basics.

Speaker 2:

You know. But at the same time I want to. I want to encourage that if, if college is not your thing, you don't have to go to college to get into our field. You don't, you don't, you know? I think that I think the most useful thing that a person can have is up here, right. I think it's the drive to be better, right To the drive to dig down to the deepest parts of the well, for the truth, that drive gets you far.

Speaker 1:

Yeah, I want to try to look like a find it quickly here, but I was reading I don't have it in front of me, but I was reading that even the White House recently is promoting trying to push a policy where to be able to do certain jobs in computers you don't have to have necessarily a degree. If you can show you have that aptitude, you have the knowledge, and we had a discussion a few weeks back. Like somebody like Bill Gates, he just dropped out of college and made Microsoft you cannot say there's medicine, no computers, because you don't have a degree, right? Just one example. So yeah, absolutely, especially in infosec circles, the best practitioners are not the best practitioners because they got a doctorate in information security right. They got it because they did the work. They actually are curious, have the aptitude, have a note they're not, not quitters, and that's how they got developed Right. Yeah.

Speaker 2:

And just jump in right, Just get in. If you think you want to do this, get in. It's going to take, you're going to, you got some work, legwork to do. It's not going to be an immediate understanding and knowing all, but so get, get, get started.

Speaker 1:

Oh yeah, and and and. Be flexible. I got folks and, again, it depends on what stage you are in life, but you might need to move somewhere where that opportunity presents Right, and the opportunity might not be in your town and I'm not from Orlando, I'm from Puerto Rico, but I move over there, Can you tell? Can you tell, in my kitchen, my proto box, above the beach. But I, this is my experience, I, I had to, you know, look for that opportunity and, and I'm so happy that I did, I, I wouldn't change anything yeah yeah well

Speaker 2:

oh. So she says well, I'm jumping okay, good, what have? I been saying jump off the cliff, yeah.

Speaker 1:

Jump off the cliff.

Speaker 2:

Yeah Right, jump off the cliff. Just know what you're jumping off the cliff with.

Speaker 1:

Yeah, exactly, I love this. Bill is telling me that you jump off the cliff and you have the parts you need to make that parachute.

Speaker 2:

So I would say you can either jump off the cliff with a parachute or you can jump off the cliff with the stuff to make a parachute Right, and it's up to you how fast you make the parachute. Hopefully you make it in time.

Speaker 3:

I don't know where you're from, Stephanie, but if you listened to the podcast last time we were on, we're hiring at the New York State Police. Maybe you can jump right in and work over with me.

Speaker 1:

There you go, the opportunity presents. It might not be your time, but if you have the flexibility, take it, yeah, and you won't regret it. All right. So I mean, we're having so much fun, I don't think we need to. Well, actually, let's cover a few things.

Speaker 3:

Yeah, we'll talk about a few things that have happened.

Speaker 1:

Yeah, let's talk about the, because we're about to hit the top of the hour. Let's talk about the stuff that's happening in the LEAPPs and some of the SANS stuff.

Speaker 3:

Yeah, that sounds good.

Speaker 1:

Hey, I'm going to step out All right, I got work to do. Ah, come on.

Speaker 2:

Just 10 more minutes. I actually work for a living, so I'm going to let you guys have it.

Speaker 1:

I agree.

Speaker 2:

I mean, I just can't say how much, how how great it was to be with you guys this week, these last two weeks and uh, just you know, wow, what an honor to be with you guys.

Speaker 3:

Listen, we feel the exact same way about you. This was awesome.

Speaker 2:

Well, I had a great time. Thank you to the audience for allowing me to be on your show and thank you guys for allowing me to jump in on this, but I had a great time. Um, we're going to repeat it. We're going to repeat it next year for sure?

Speaker 3:

Oh, definitely. Oh yeah, we'll get Don in here with us and Hannah. I think there are four of us. But thank you guys, see you guys later, thanks, thank you Bill. So yeah. So to hop over to another topic, the SANS put out some new posters and I kind of just wanted to put up the links for those new posters. If you haven't ever utilized the SANS posters, get them. They are like cheat sheets to whatever you'reparty app forensics reference guide and then the, uh, DFIR advanced smartphone forensics reference guide. It must have been updated because I have a copy of that. So in my office we take those, those cheat sheets, and we blow them up into like big poster size and get them laminated and they're hanging in our lab. They're excellent resource.

Speaker 1:

I'm gonna just throw them up here real quick, yeah, as you put them up. Mattia Epifani, he's an excellent examiner. We discussed some of his work before on the podcast. He stands commissioning, commissioning those posters, so he could do it, and he's such a great mobile forensic examiner, world-class expert, and I'm really now I'm going to flex a little bit I'm really happy to see that the LEAPPs project are mentioned in some of the posters and some of my research into some of the apps it's mentioned also in the posters, so that's a point of pride of me to have there, so I'm so grateful for the community to support it.

Speaker 3:

Yeah, that's awesome. So the posters are free. You can just go download them on the website, but you have to make an account. But you want an account with SANS anyway, so make your account and I'm just going to scroll them across the screen here quick. But this is what the posters will look like.

Speaker 1:

And.

Speaker 3:

I suggest blowing them up, yeah.

Speaker 1:

So the folks. It might be a little bit little, but if you're watching, as opposed to folks listening from their car or whatever, what you're going to see is the little icon for the app and it's divided by types, like the business apps, utilities, health and fitness. And I like it because you have the app there and then all the locations with printed data will reside for that app. And I use this a lot because I'm like okay, I need to validate LinkedIn. Do I know the top of my head where that thing is? I go quickly to the poster. I see here's the data and I go get it and I validate or do whatever research that I need to do. So the posters are super helpful.

Speaker 3:

Right, I find myself forgetting all of the time where you go find the artifacts to show that a phone was wiped and the date that it was wiped. And they're on these posters and this is a quick reference guide you can hop over to and find those answers quickly.

Speaker 1:

Yeah, show the green one. So I was talking today about identifying malware based on heuristics and how it behaves. I was teaching that class based on work done by Josh Hickman, a personal friend that we mentioned a whole bunch of times before, and so I was talking about that. The poster has a section in regards to malware identification and some malware analysis, so it goes beyond just the apps. It talks about other topics that are related that you might not be aware that you need them until you need them.

Speaker 1:

Right, so you're going to go to the poster and get some reference points there, so pretty good stuff.

Speaker 3:

Really great resources. Let me take it down here, yeah.

Speaker 1:

So with the new posters we also have something new with the LEAPPs, right?

Speaker 3:

Yeah.

Speaker 1:

And I know Johan again, Johan stays late because it's all the way in Europe, so I appreciate it. Johan's still around. If he wants to sleep, I will forgive him.

Speaker 1:

I guess, this time, this time. So Johan was kind enough to generate a new release for the LEAPPs, for ALEAPP and iLEAPP, and the releases that he's putting out, they're really nice, because not only do you have an executable for Windows, now you have also binaries for Mac to include the newest architecture, the M1s, M2s. What's the architecture? I forgot right now, I'm the worst. ARM. Thank you, ARM. Okay, so the ARM architecture.

Speaker 3:

Okay, I got to think.

Speaker 1:

ARM architecture. Yeah, so if you have a Mac and you need to do some forensics and I was discussing, we were discussing with class that I'd rather do like if I'm doing iOS forensics, I want to have a Mac computer close by. I want to do like environments in a like environment. So in analysis you have to do it like that. And the reason you know we got some time here so the reason we want to do that we're discussing with class is if you move a file out of an APFS container, which is the Apple file system, and you dump it in a Windows file system like NTFS, you're going to lose data, the metadata that comes with the files. The moment you dump it in a foreign file system foreign for the file file system is going to get lost.

Speaker 1:

And we don't realize that. We're really, as examiners, we're really kind of trained in Windows environments and to work all things. Well, no, you might need a Mac computer to take that file out of that container, drop it on an APFS file system and then analyze the metadata points, right? With proper, you know, Apple, iOS, macOS tools. So highly, highly recommend that you take those binaries, have them available for your Mac and do some examination on your Mac. Get smart on that. It's going to help you out.

Speaker 3:

Yeah, Johan's in the comments saying that VLEAPP and RLEAPP have also just been released. I don't know where you find the time. Well, apparently it's late at night. Yeah, definitely. Now that we're going to be done with the IACIS class, I plan on helping with some things.

Speaker 1:

No, we say a lot of time, but we really hope to do a big push for VLEAPP. For the folks that are not aware, it's a Python platform that we have and it's going to be focused on processing extraction from vehicles, cars, trucks, whatever, and we got some nice people from the community have donated test images for us to figure out. What artifacts can we find and that will serve for the community as another validation point?

Speaker 3:

for vehicle forensics. Those are hard to come by because I mean it's going to be your case data, or is somebody renting cars to pull to pull the modules, right? I?

Speaker 1:

mean copying a phone. There's many ways of copying a phone, but getting data from a car is one way and it's really physically intensive. Yeah, not as easy Not everybody has the equipment to do that, so we get some images. We're happy that we got those and we're going to hopefully try to support them.

Speaker 3:

Yeah, definitely. Other artifacts from the LEAPPs. Looks like there were some other artifacts added, so iLEAPP added. I don't even know how to say that. Is it Zangi chats?

Speaker 1:

I'm going to dictate. It's going to be Zangi, yes, Zangi chats.

Speaker 3:

All right. So if you're seeing that application in your iPhones, there's a parser now written for that by Matt Beers. And, um, Scott Koenig, from The Forensic Scooter, he has done some major, major updates to the Photos.sqlite parsers. Um, so definitely check those out, because I mean there's a lot that he added. I don't, I don't even know how he does that either, where, where he finds the time to write the parsers for that.

Speaker 1:

It's a SQLite database that we've done before and he has like 100 queries for it for different purposes and some of these queries involve so many tables good information but the query itself could be like 100 lines of query and I'm like wow, yeah, I'm like dude, I don't know how you do it. My eyes gloss over. It's like the matrix looking at that query.

Speaker 3:

I'm happy with my little five-line ones. I'm starting with, I'm going to stick there for a little while. But also there's some additions to ALEAPP, so additional support for Wire Messenger and support for the Health Mate app, which includes accounts, tracking, location messages, contacts, measurements and devices. Yeah, no, there's and that's, that's a, that's a really good, uh, you know, kind of type of data, uh, to have available.

Speaker 1:

Um, actually I have. I just got this email a few hours ago. There's some other, you know, community developers or, you know, forensic examiners that want to contribute. We should be getting one for the Likee application and it has a whole bunch of data in that application like location, demographic data, message data and it's kind of like an app. This is kind of like a side note about when a popular app either closes by force or by mandate, users are going to migrate somewhere else. So where are they migrating? Right, and we do that because we want to make sure we have some visibility into where criminals can also move to, right. And TikTok recently by law either has to be sold or it has to be closed here in the United States, so that millions of people that are there they're going to move to what applications?

Speaker 1:

We need to have visibility on that, and folks are already thinking Lord, the next big thing is going to be X. We need to know how to parse it so, if something happens, we're able to provide that service to the community. So I'm happy that folks are thinking ahead that way.

Speaker 3:

Yeah, so I'm going, so I'm gonna, I'm gonna pop back. We're gonna do the update to Mushy too, so important, yeah. So, um, if you're not using Ian Whiffin's tool, Mushy, you should be. It's awesome, um, and he just released a new version. It's 2.7. I'm gonna actually share it on the screen. Hold on one second. Yeah, but there's some major updates and what is?

Speaker 1:

What's the concept of Mushy? What's the tool?

Speaker 3:

So it's showing data structures, right. So we've talked about like Rabbit Hole before. It's got similar capabilities to that.

Speaker 1:

It's an excellent file viewer. If you have some file formats and you don't have a viewer to kind of visualize them, Mushy is going to do that for you, so it's pretty neat.

Speaker 3:

So did I put that up? I did put that up, okay, good. So yeah, this is a look. I brought a SEGB file in. It's a SEGB one, but one of the updates to Mushy is it now supports SEGB version two, and I don't think there's a ton of tools supporting the SEGB version two.

Speaker 1:

No, no, it's mostly outside of the forensic suites. Yeah, um, it's gonna be mostly scripts or, you know, um, custom stuff. Yeah, so, um, he updated the SEGB viewer.

Speaker 3:

It's showing seconds and date filters and then obviously the SEGB version 2 support. Um, new splash screen, new icon. Um, the interface has changed a little. Uh, there's searching. In his description it says searching that actually works now, so I like that.

Speaker 1:

Um it worked before it works better.

Speaker 3:

Yeah, it works better, exactly, exactly. And, um, this must have been a feature request, but hold shift and hover over protobuf values to see their original bytes. And it now supports ABX files.

Speaker 1:

So a bunch of major, major updates to Mushy, and if you're doing Android forensics, uh, you will come across ABX files, like guaranteed. So, yeah, and, and the tool is great, it because what's the cost of the tool?

Speaker 3:

uh, the tool is free which you can't beat.

Speaker 1:

That yeah, exactly you can't go wrong if it's good and free, right, right.

Speaker 3:

So yeah, um, I would definitely recommend downloading that new version and checking it out. I use it on the SEGB files. For the ones that aren't supported by, like, the commercial tools, I'll export them and get my quick look at them in Mushy.

Speaker 1:

Oh, absolutely, I like the view.

Speaker 1:

Absolutely. Imagine you're trying to use uh, there's nothing wrong with that one, I'm gonna say. But you have a big commercial tool and you want to see them, but the process might take hours because you can't really limit it to the thing. Right, and you have to run the whole thing, whereas you can quickly go into extraction, pull the files, use a viewer and determine is this something that's worth me spending all these hours of tool time exactly? And if not, then I can move to other priority items and then go back to this other time, right? So there's a really important purpose in being able to triage extractions or data sets with these file viewers.

Speaker 3:

Yeah, definitely. So I think that can bring us to the meme of the week.

Speaker 1:

Yes, wait, wait, wait, wait, wait, wait, wait, wait. You know what, you know what I'm doing, right, you know what we're doing. What are we doing?

Speaker 3:

We're celebrating the middle of the week. Oh, my gosh, oh you know what?

Speaker 1:

I don't have the fireworks on this box, oh.

Speaker 3:

We're streaming from my crappy.

Speaker 1:

Windows Boo Boo. Next time we're doing the Mac. Okay, I don't have fireworks, okay, sorry.

Speaker 3:

I don't have fireworks. Okay, he's got fireworks over on his computer so nobody can see them but me. Sorry, that's so sad.

Speaker 1:

Okay. Well, we celebrated the meme of the week over here, Okay. So what do we have?

Speaker 3:

Let me go grab it. Hold on one second.

Speaker 1:

Maybe we should go with two.

Speaker 3:

We'll go with two. All right, all right.

Speaker 1:

You're getting a bonus.

Speaker 3:

We're going to be memes of the week, so let's okay, hold on one second. I'm having technical difficulties, which happens almost every time I use the computer. There we go. So here is meme of the week Number one.

Speaker 1:

Okay, so I'll do this when you do the next one.

Speaker 3:

Okay, sounds good, can you?

Speaker 1:

zoom it All right. So this would be that yeah, I, yeah, I got it. Yeah, so this is the BCFE experience, so the IACIS experience, right. It has been the hardest week of training of my life and it's the hardest week of training so far because IACIS is two weeks. So if the first week was hard, don't worry. The second is coming, right, and it's tongue in cheek. It's hard, but hard in a good way, like yeah, I'm tired, but my brain has grown a couple sizes, so it's a good time.

Speaker 3:

Well, and related to the BCFE, we've also been here for two weeks doing the training, so we could use this meme for those purposes as well.

Speaker 1:

That is true, we're also a little bit beat up too.

Speaker 3:

Yeah, I might be ready for my own bed. Let me do our second meme of the week here. Let's see.

Speaker 1:

After we saw the meme, we have to address this question.

Speaker 3:

Okay, yeah, definitely.

Speaker 1:

Jason is saying that week one was definitely harder. I bet the BCA team were doing the data runs.

Speaker 3:

Oh yeah, definitely Jason confirm the BC if you were doing the data runs. Oh yeah, definitely.

Speaker 1:

Jason confirm that. If you were doing. The data runs on week one. That's the case and that's true.

Speaker 3:

That's the hardest week, All right.

Speaker 1:

the second one.

Speaker 3:

So when it's 2 am and you are still working the case I don't need sleep, I need answers. I'm pretty sure everybody can relate to that. I don't want to go to sleep, I want the answers.

Speaker 1:

Well, the thing is that you know everybody's focused with the answer Right, and when I get the answers I talk. On the morning I go open the door to the investigative team. I got the answers. Guess what?

Speaker 3:

They're all sleeping.

Speaker 1:

Everybody went home.

Speaker 3:

Yeah, they're all sleeping.

Speaker 1:

I'm the only one there, so but you know what it is, all right. Yeah, before we close, we have a comment there. With the addition from a LinkedIn user, from the addition of billy the leaves, can we also expect a leap for social media forensics? Oh well, let me. Let me give you an information that so we have also. RLEAPP is for returns. Now let's say it's a quick brief of it.

Speaker 1:

If you are able to do like a Google Takeout of your account, that means that you log in and you tell Google, Google, give me all my data, and you pull that out and you run it to the tool from RLEAPP, you'll get some results. On the other hand, if you're a law enforcement officer and have a search warrant and tell the provider, hey, give me that data, RLEAPP also parses a whole bunch of those. We parse Kik, we parse Snapchat, we parse not the full iCloud return, but it's a lot of it, a part of it, a big chunk of Google stuff, and we give you another view of the data that some tools either don't give you or pretty much the parser doesn't exist, like for Kik. I don't know of any return parser that exists, only RLEAPP, right? So we got.

Speaker 3:

We got that as well, so you can check that out. Well, and if you're specifically looking for social media forensics, there's social media related artifacts included in iLEAPP and ALEAPP for, for Androids and iPhones, um, and also if you find a specific social media artifact that you want included in one of those, you can send it to anybody that's working on the LEAPP projects, or try and figure out how it's all stored yourself and learn how to write a parser to include with those suites.

Speaker 1:

Yeah, we have a class for that, but yeah, time has run out.

Speaker 3:

What's up? Time has gone on. I guess time has run out, yeah, yeah.

Speaker 1:

Well, thank you, everybody at home, people that were watching live, the folks that are listening as they're driving or doing about in their, in their home. We appreciate you. Make sure you hit us, hit us up on LinkedIn, our LinkedIn page, the Digital Forensics Now podcast. Tell us about ideas for the show, tell us about questions, problems that you face in your examinations, and we'll try to either answer it ourselves or bring somebody to talk about those, those concerns and make a community.

Speaker 3:

Definitely All right, thank you.

Speaker 1:

Thank you, everybody. Let me let me get the music on for for saying goodbye, and we'll see each other in two weeks, yeah. All right, bye, bye, outro Music.

Digital Forensics Conference Networking and Training
Importance of Methodology in Forensic Training
Digital Forensics Training Experience Discussion
Navigating Digital Forensic Training and Education
Forensic Resources and New Posters
Meme of the Week Discussion