Digital Forensics Now

Android Security, Market Acquisitions, Research, Tools & More Tools!

Heather Charpentier & Alexis "Brigs" Brignoni Season 1 Episode 18


Join us for an engaging session where we'll recap recent events and activities before diving into the latest research, cutting-edge tools, and exciting updates!

Tune in as we explore groundbreaking research conducted by emerging stars in the DFIR community. We'll delve into the testing of data stored in iOS Unified Logs, focusing on driving and motion states—this is sure to be fascinating. Discover the newly documented multi-user/multi-account functionality, such as Samsung's Dual Messenger, uncovered by a newcomer to digital forensics. Stay informed about enhancements and new capabilities for tools like UFADE.

We'll also ponder the implications of significant market acquisitions, such as Thoma Bravo's, and discuss their potential impact on the digital forensics field.

Additionally, learn about Android's innovative anti-theft features designed to thwart device thieves, which will also have implications for forensic investigations.

This episode is packed with insights you won't want to miss!


Notes:
iOS Unified Logs - Driving and Motion States
https://www.ios-unifiedlogs.com/post/ios-unified-logs-driving

Thoma Bravo Announces a Cash Offer to Acquire Cybersecurity Leader Darktrace
https://www.thomabravo.com/press-releases/thoma-bravo-announces-a-cash-offer-to-acquire-cybersecurity-leader-darktrace

Magnet One
https://www.magnetforensics.com/products/magnet-one/

UFADE Updates
https://github.com/prosch88/UFADE/

Android’s Theft Protection Features Keep Your Device and Data Safe
https://blog.google/products/android/android-theft-protection/

CCL Updates
https://github.com/cclgroupltd/ccl-segb

Brian Hempstead's Work on the Session Application
https://www.linkedin.com/posts/bhempstead_a-guide-for-session-app-sqlite-database-navigation-activity-7196877311659446272-zebu

Phil Hagen YouTube Channel
https://www.youtube.com/@PhilHagen

VMware Fusion Pro: Now Available Free for Personal Use
https://blogs.vmware.com/teamfusion/2024/05/fusion-pro-now-available-free-for-personal-use.html
https://unexploredterritory.tech/074-newsflash-vmware-workstation-and-fusion-licensing-changes-did-i-hear-free/


Speaker 1:

Welcome to the Digital Forensics Now podcast. Today is Thursday, May 16th 2024. My name is Alexis Brignoni, aka Brigs, and I'm accompanied by my co-host, the one that puts the tech in Techno, the patience generator, the gluten-free pita that's healthy for you, the one and only Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com.

Speaker 2:

The gluten-free pita.

Speaker 1:

Yeah, you know you're healthy. You know, all that working out that we're doing. All of a sudden, oh my gosh, I like the patience generator more, and you know why I say that.

Speaker 2:

I do, I do, I definitely do.

Speaker 1:

Hello everybody. I'm happy, we're happy that you're all here. People are starting to roll in to the chat and whatnot.

Speaker 2:

What's going on, Heather? Since IACIS, what have you been up to? Nothing. We're back from IACIS. IACIS 2024 is over.

Speaker 1:

Now we've got to start working on 2025.

Speaker 2:

Let's take a couple weeks off first. Yeah, let's take almost one year off, okay? All right. All right, we'll start thinking about it, though. But being away for two weeks, um, I came right back to a trial that had already started and had a message on my phone: hey, I'm going to need you to testify. So that's what I did this week, testified in a trial. Fun times.

Speaker 1:

You know I always freak out before I go testify, but then when I'm there I'm like into it.

Speaker 2:

Yeah, so I was freaking out for this. I haven't testified in a little while. It's been a little bit, and I was freaking out for this one like I was for the very first time I ever testified. I'm like what is going on? And you're right? As soon as I got in that seat, I was absolutely fine.

Speaker 1:

Yeah, I mean, that's the good thing about the type of work that we do, because we're there for the facts, so there's nothing I need to be afraid of. It is what it is and that's what's going to happen. It's what's going to come out. Still, that panic factor happens every time. Oh yeah, yeah, and I take that as a symbol that we take it seriously, and that's a good thing.

Speaker 2:

It's definitely the unknown of what's going to be asked by the other side.

Speaker 1:

And sometimes by your side too.

Speaker 2:

That's true, oh, that's really true, especially when it's last minute, right.

Speaker 1:

I don't know where you're going with these questions, but here we go.

Speaker 2:

Don't ask that.

Speaker 1:

Please don't ask that. So yeah, so well, yeah, we, there's some conference coming up, right.

Speaker 2:

Yeah, I'm going to Techno in a couple of weeks. So I've been asking to go to the Techno conference for like nine years, since I started working at the state police forensic lab, and at the time we weren't allowed to go because it was in Myrtle Beach and Myrtle Beach is too fun, apparently. So now that it's in Wilmington, North Carolina, I get to go this year for the first time, so super excited, looking forward to that.

Speaker 1:

No fun allowed. I know, I'm surprised.

Speaker 2:

I was allowed to go to Orlando for IACIS, but actually we weren't allowed to for years.

Speaker 1:

So no, that's actually not only your agency.

Speaker 2:

Yeah.

Speaker 1:

Even, you know, federal agencies at some level, they put some constraints because, you know, we don't want to give the impression that we're there for the party, which again we're not. We're there to learn, obviously. Obviously.

Speaker 2:

I have a feeling Vegas would be a problem.

Speaker 1:

Well, I just want to say that I'm not jealous or envious at all that you're going to Techno.

Speaker 2:

I wish you were going.

Speaker 1:

Me too. Yeah, we'll see. We'll see. I mean, again, it's hard to, like you said, just get the approvals and the funding. It's not always easy, but where there's a will, there's a way. We'll find a way. What's been going on with you? So, uh, so, talking about places to be and things to do, I'll be, uh, teaching next week at the Department of the Interior campus over in West Virginia, so I'm really excited about that, and then after that I'm going to Argentina, um, so don't cry for me. No, I'm jealous.

Speaker 1:

I kind of want to go on that trip. Going to beautiful Buenos Aires, one of the most beautiful cities, one of my favorite cities in the whole world. You must need an assistant.

Speaker 1:

No, all right, and look, I mean, if I could, I would. But yeah, I'll be teaching there, you know, and working with some of the, um, local agencies from the region, and then the second week I'll be working with the FASTA Engineering University. I get some community programs and talking about Python, the LEAPPs, utah Forensics, and also working with the local prosecutors there. I cannot be, I won't be, I will be remiss if I don't mention that Kevin, the man with the master plan, the man with the repo powers, the one that approves and can also cancel you, is in the chat.

Speaker 1:

So, Kevin, glad to have you here. Hi, Kevin. For those that don't know Kevin, he's one of the main repository maintainers for the LEAPP program. He's been keeping the fort up and handling all things. So again, I couldn't thank you enough for the work that you do, Kevin. So thank you. So, yeah, so that's what's happening. I tell the folks that are listening and watching we might skip a show because, again, we'll be traveling. Heather will be at Techno, I'll be overseas, so we might have to skip a show here and there. But just keep your eyes on our LinkedIn page, Digital Forensics Now podcast, and then we'll make announcements if we're missing a show, or when we'll miss it and when we're going to make the show live again.

Speaker 1:

So all right.

Speaker 2:

Any other news that we're missing, like short stuff? We're good. I think that's good, except for I just wanted you to know that you're making Kevin blush. Well, well, good, because he deserves all the blushes, he's awesome.

Speaker 1:

So we got a lot of stuff. So tell us, tell us what's on.

Speaker 2:

So the first topic I wanted to talk about is iOS Unified Logs. So we've talked a few times about Lionel Notari's work with the Unified Logs. He's doing a ton of testing and also has a tool that has the capability of pulling the unified logs. I demoed it on a previous episode of the podcast. So for his new blog, he's actually outlining driving and motion states. It's really some cool research. I'm going to pop up some slides that go along with it.

Speaker 2:

So he's conducting research and he outlines in his blog that it could be really useful research when it comes to distracted driver cases and, after reading all of his research, it really will be useful in distracted driver cases. I've worked a few of them, and knowing that these logs are here and being able to utilize them and match them up with other artifacts inside of the device can really help bolster the case. So he has artifacts such as the driving motion states. So the first motion states are stationary to walking, you can see them here in the slides, but stationary to walking and then stationary to running, and it's capturing these transitions between the motion states. And when it comes to the vehicles, there are vehicle start times and vehicle stop times and transitions from stationary into vehicle motion states. So here's just an outline of the start time and what that entry would look like in the unified logs.

Speaker 1:

Yeah, and can you go one slide back? I want to make a quick comment. So for the folks that are just listening, you can't see what we're showing on the screen. You've got to remember a couple of things. These unified logs, they require you to do certain things, either to the phone or have some software to pull those out. They just don't sit there for you to get. So if you're just taking an extraction from the phone, you're not going to see them. Right, you need to do these extra steps, and we discussed this maybe a few episodes back, I don't remember specifically which one.

Speaker 2:

Yeah.

Speaker 1:

We talked about software to include, you know, some software that Lionel also does to pull this out, and what you see on the screen, folks, is a timestamp for that event, and then the particular service or system within the device, be it locationd or the Wi-Fi service or whatever service it is, telling you something about what's happening on the phone, like Heather is saying, like the vehicular start time and what happens, right, or the motions: is the state driving, is it stationary? So it's really impressive, this amount of data, and you need to be aware that when you're done with your extraction, be it full file system or whatever it is, start looking into these iOS Unified Logs for this type of stuff. Yeah, definitely.

Speaker 2:

Um, there's the same type of data when it comes to driving stopped. So the motion state will transition to driving stopped. And then he also did some research on the out of my pocket. He called it get the phone out of my pocket. So there's different states that show if the phone is out of the pocket, if it's in your pocket, if it's face down or if it's face down on a table. I want to also just point out that he mentions numerous times in his research, and I'm really, really glad he does this, that there needs to be secondary sources to validate this data. He's found that some of them can be imprecise and some were pretty precise, but throughout the article he continues to just let the user or the reader know that there needs to be verification, validation for the accuracy of the data stored in these logs.

Speaker 1:

Yeah, and that's key, because these are sensors and that's the part that people really don't think about. You have what's recorded, but that recording in your device, be it a car, a phone, whatever it is, it's a reading from a sensor. Now, how of the phone would be registered as something that might not be it. So that's why you've got to be really careful and look from my perspective and you can tell me if you think I'm wrong or not. Don't look at the one thing, right, You've got to look at a series of events across a particular time frame to then be able to extrapolate. Not extrapolate, but kind of determine yeah, the movement was this or no, there was no movement? Because if you focus only on the oh, this event at minute number one, second three, you could be wrong, really, really wrong. You need to look at a few of them across a large enough time frame to be able to make proper conclusions.

Speaker 2:

Right, and when he was doing the research he actually outlines that the pocket states are what he found to be very imprecise, so minor movements were making some of those changes. But also that comes along with do your own testing on it as well. Find out what is precise, what is imprecise, what things you can use, and I think, kind of going along with what you just said, these could fit really nicely into a timeline with other artifacts where they match right up and they're showing the progression of what's going on with the device.

Speaker 1:

Oh yeah, and I think digital forensics is moving into that Again. We like the whole ones and zeros, yes or no, but we're going to start thinking of data as a continuum of our degree of this. Sensor recordings, right, and those recordings are a reflection of events that happen in the real world and they need to be taken with that we talk about this in other episodes taken with that degree of uncertainty, because there is some uncertainty there and we need to consider that as we make our analysis.

Speaker 2:

Yeah, I see the comments. You had no idea that the logs had all that stuff. I didn't either. When I read this I was like you have to be kidding me. I've never seen this before.

Speaker 1:

Oh yeah, I mean. So you look at logs, right, and it's so much of it and you're like, well, there's tons of stuff here. I don't see nothing, right. But what Lionel is doing, he's taking the time to really dig into them and say, oh, there's a nugget here, there's a nugget there. And folks like him bring so much to the community, because now it makes our work easier because he's done the hard finding part, right. So, Lionel, we appreciate your work, we appreciate you and we're looking forward to all your new blog posts on the different things that you find, and my plan is hopefully, down the road, to be able to support some of these in our tooling. Yeah, I'm definitely stalking his.

Speaker 2:

LinkedIn page for all of the new blog posts. Kevin says there's an orientation and screen wake artifact in there that could be correlated with these two, so definitely pair it up with those other artifacts.

Speaker 1:

Yeah, I'm going to share a comment here from Christian Peter. He's working on a master thesis for that, and that's fantastic, because research at that level, master level thesis, goes to a peer review process and all that. Christian, whenever you get your stuff out and you're able to publish it, let us know and we'll share it with the community. We're really looking forward to that as well.

Speaker 2:

Yeah, definitely, let me remove this here. Hold on one second, there we go so.

Speaker 1:

Yeah, we have some movement in the digital forensic space and it's been a pretty heavy year so far and we're about to hit the midpoint. So Thoma Bravo announces a cash offer to acquire cybersecurity leader Darktrace, and this is why they obviously advertised that acquisition. So let me set the table on what's going on. So, Thoma Bravo is this investment... I don't want to say investment firm, I don't know how to word it. Let's call it investment firm for our purposes here. So they acquire businesses and they build them up, obviously to enhance stockholder share value, right. So they acquired Magnet Forensics.

Speaker 1:

There's a lot of synergy, obviously, with GrayKey, something that was happening way before Thoma Bravo showed up. Right, that Magnet GrayKey synergy was there. They added, uh, with that, um, Griffeye. They added, uh, I forget the name of the company, but a company that deals with DVRs and extracting video from devices, which again, another field with a lot of growth there. And what I'm seeing is, oh, they added also some video analysis as well. Not only extraction, but video analysis, support for that, acquiring companies. They even recently acquired an exploit firm, and what that means is that they're looking for really smart folks that are able to provide us access to devices to be able to lawfully obtain evidence.

Speaker 1:

Okay, so what I'm seeing is they're actually kind of building this big behemoth in regards to their forensic offering, and this latest one, with Darktrace, is really interesting because it goes beyond the purely forensic side of the business, right.

Speaker 1:

So what Darktrace does is they have some AI solutions for incident response and incident response prevention and what that does and I think it's one of the few, from my perspective, one of the few clear AI reasons to exist that actually makes sense to me.

Speaker 1:

All right, and I say that because what the AI does, based on my understanding of their business, is that the AI can baseline the network, can baseline your endpoints in your enterprise, and, after that baseline is set, the AI is able to determine any deviations from this baseline, which could mean either an attack is ongoing or some evilness is spreading to the network, and that knowledge eventually then leads to other AI responses in regards to containment, in regards to alerting the folks that need to know about it, and in regards to also prevention, right? Prevention, containment and resolution. So having them acquire that and putting it together with all the other Magnet Forensics, GrayKey tooling capabilities, I think it's going to really... they're turning into a really big player at a speed that I don't think, from my perspective, other companies in the space are doing right now.

Speaker 2:

Yeah, I mean definitely. I read an article that went along with this particular topic, and they were saying that their goal is to automate all of these functions and streamline it and really work on that backlog of case data that everybody has. I don't know how I feel about the automation, though.

Speaker 1:

They have a solution that actually we'll talk about in a second, I want to point that out, then we'll go into the automation piece. This is a hard analysis, to predict what could happen, because I see the value in having all these tools and expanding into the incident response field, and obviously I'm pretty sure they're going to expand also even more, they do already, but even more into the e-discovery area, and it comes with the benefit of, hey, you have all these baskets now that you can put eggs in. But also the question is, will they lose focus on their main core capabilities? And that's always what I've seen happen in this industry. When a company that's focused on computer forensics expands to other markets, they lose that focus on their primary mission and then they have to eventually come back to it. So is that what's going to happen? I don't know.

Speaker 1:

I do know a few, you know, I know mostly folks from Magnet and I know they're really capable folks. I don't know anything about the other companies. So it'll be interesting to see, and also interesting to see how other players in the market react. I just hope they don't lose that customer service that we get from the tools that we mentioned that they're picking up. Yeah, right, I mean again, maybe I'm overgeneralizing, but they become really big and then, you know, customer support sucks, or they outsource it to some company that does not really know their thing. Right, and it's bad.

Speaker 2:

Yeah, I don't want to start getting the answer "turn it off and turn it back on again."

Speaker 1:

Did you try that? Yes, yeah.

Speaker 2:

Definitely, definitely.

Speaker 1:

No, but to your point of automation, right. So actually let me show folks quickly here what Magnet Forensics I guess, from the public's perspective, kind of the big umbrella under which capabilities seem to be living they came out with the concept of the Magnet One and what Magnet One is, and let me share here.

Speaker 2:

What am I?

Speaker 1:

sharing here? Slide. Oh, sorry, sorry, folks, I'm looking for... I forgot how to share stuff on my screen. Now, all right, here we go. Magnet One. Boom, all right. So what you see on the screen is you've got, on the left, different sources of evidence. You've got a phone, a computer, cloud, legal returns, cars, drones, video, Wi-Fi, or a house with Wi-Fi signals coming out of it. I guess maybe that means like IoT stuff, I would assume. And then Magnet is saying okay, we're going to handle your storage of the evidence in the cloud, which we have thoughts about that.

Speaker 2:

A lot of thoughts.

Speaker 1:

We're going to, you know, connect all these products, automate that case management, let you know when things are happening, have folks be able to collaborate, all in one case, remotely. And obviously the machine learning is another kind of older way of saying AI, right, and they're going to do that acquisition, that's how they advertise it, do that workflow optimization, automate it, do some kind of automated analysis and then share it, right. And then the idea of them is, you know, eliminate backlogs faster, and we get it. And honestly, let's be real here, all companies in the space are proclaiming that their automation solutions do this, like literally. The question for us is, okay, well, who's doing it better at the price point that actually makes sense? And it's going to be, again, I like competition. I'm hoping that this continues because, at some point, hopefully economies of scale prevail and prices come back to a reasonable amount, because, from my perspective, prices are getting really out of hand lately.

Speaker 2:

Yeah, definitely, the bills definitely keep going up. So, with the automation though, good thing or bad thing.

Speaker 1:

Oh, so gee, so look, automation is good, but it could be such a crutch, right. So, okay, automation on pulling stuff, the data, out of things. Sure, I mean that's pretty much it. Yeah, agree, right, like a brain dead process.

Speaker 2:

Yeah, please yeah, bring it all up front for me. Yes, I like that.

Speaker 1:

Yeah, I'm okay with that, but when you automate the analysis and maybe I'm going to jump ahead a little bit. So forgive me, Heather, but that's okay.

Speaker 1:

You know, the tool might decide to show you something or not show you something, right, Based on many factors, but we don't, usually don't, get to know those factors and actually I'm not going to say it. We're going to talk about it a little bit later. So what do we do? Right, and most folks I'll be straight here most folks just hit the button and whatever the tool spit out, that's it. They don't have the incentive and I believe, as a field and Heather, I know you agree with me We've been really hammering this drum and we'll continue to hammer it till the drum breaks.

Speaker 2:

Yes, yes, that we take ownership of our analysis.

Speaker 1:

Yeah, and that just gets whatever tool spits out, you know.

Speaker 2:

So Caesar puts in a comment that is so 100% true, 1000% true. Management wants automation. They want automation. They want everything done as quick as possible. But they don't understand that the quicker we go and the more automation there is, the more of a chance that something is wrong or the less of a chance that something is verified or validated. So I love that comment.

Speaker 1:

So true, and again, we're talking about management in general terms. So the folks that we work for, we're not talking about you, okay, at all, right. So, that being said, they know. Exactly, of course they do. So, that being said, this is the thing. Right. They want automation, they want the results, they want the outcomes. But what happens if something goes wrong? Right, right Management immediately wants accountability right oh yeah, so where's the accountability going to lie? Well, the tool messed up. They're not going to take that for an answer.

Speaker 2:

Oh no, Definitely not.

Speaker 1:

Yeah, and accountability is important. I mean don't get me wrong, and it's something that Brett Shavers also bangs the drum a lot the tool doesn't do the analysis. You, the examiner, you're the one that does the analysis and the accountability is going to fall on you Just because the tool did it or because you didn't know it's not an excuse, right, like the law.

Speaker 1:

Just because you have an absence of knowledge of the law doesn't excuse you or absolve you from breaking it right, and accountability works the same way. I didn't know, I didn't mean it, well, yeah, but you're still responsible and people need to understand. We need to understand that. I need to understand that on a daily basis, remind myself of it.

Speaker 2:

The automation, though, for that quick upfront look at what you need. I love it. I mean, it's great to have things right there parsed in your face when you first open up an extraction, so there's definitely a place for it. But it just it worries me that we'll put too much emphasis on the automation and not enough on the actual forensics.

Speaker 1:

No, I agree with you. And again, you know we're using the whole magnet automation plan as a segue to talking to a topic. Obviously, we're not referring to magnets specifically. Right, this is a general term for all the industry. Right, and again, and we'll see this, I think this is a theme lately, heather, I think it is. They give you a knife and you can butter bread or you can stab somebody with it or stab yourself. In this case, if you depend too much on the tool and you're not careful, you're going to stab yourself with it and they'll be like oh, what happened? And that's a theme lately, and actually it's going to come up again with some of the different new tooling that's coming up. Automation is great and AI is going to continue to infiltrate the space, but it will not substitute the need for trained examiners, because the automation, the AI, has no accountability on its own Right. The only people that are accountable.

Speaker 2:

Are that people? I agree, Definitely. So you have a little thing to show here for Belka GPT correct?

Speaker 1:

Yeah, and this definitely goes with the topic we just introduced, or we just discussed, right, in regards to that accountability and tooling, and I want to show you how Belkasoft... and it's actually, it was a pretty impressive presentation. So, to give you guys some background, Belkasoft had an event called BelkaDay, so two days of conferences. I was honored to be invited to participate and I talked about SEGBs and some considerations in regards to pattern of life analysis in iOS and macOS devices. But before my talk, Yuri, who is, you know, the president, founder, CEO and owner of the company (Belkasoft's a great product), he talked about some enhancement they're adding to the latest Belkasoft Evidence Center X software suite and he called it BelkaGPT, right? I don't know if there's any relationship with GPT proper, I have no idea, but that's how they called it, although we've seen, you know, other companies in the space also use words like Copilot, which, you know, kind of is used by multiple companies in the space. Right, that makes sense, all right. So what I'm showing here on the screen, folks, is you see the dashboard and you can go to data sources and you can enable the BelkaGPT capability.

Speaker 1:

So the big thing that Yuri was kind of explaining was that this functionality, or this large language model that they use, it's all offline. Well, let me rephrase that: it's all within your device, right? You don't have to connect to an external service to be able to have this AI work with you on your case, and, of course, from a technical standpoint, there's some benefits and drawbacks. Right, there's some benefits in regards to data being kept locally. There's some drawbacks in regards to the capability for you to do some AI analysis being limited by the hardware and software that you have. But the way he explained it is that the AI will work on computers without any GPU cards, only running on CPU power. Of course, if there's a GPU available, it will use it to expedite the process, but you don't need to have a supercomputer to run this. At least that's how Yuri explained it, right?

Speaker 1:

So, after you enable the software, for example, he went and opened a chat from WhatsApp and he saw some content there, showing the audience, well, there's some conversation about Bitcoins, right? So we know it's there for the sake of the demonstration. And then he goes to the, uh, BelkaGPT interface there and says, any mention of cryptocurrencies? And, you know, a few seconds later, the software responds in natural language: yes, there are mentions of cryptocurrencies in the text data, for instance, and explains a little bit of a summary of what the chat is and then provides the first message and the information, and then you can right click on it and it actually navigates you to that chat where the AI is making that reference. Okay, and there is the Bitcoin message, okay.

Speaker 1:

Another example he gave is, does the case contain images of both faces and guns? And that's an interesting example, because it's not one or the other, it's both. And the AI responds, yes, the case contains images with both faces and guns, and then shows, you know, the links, I say links, but shows the names, file names of those, and then you can click on them and go to them. And he did that. And then it shows here a picture of a man holding what seems to be like some sort of rifle or shotgun and it highlights the face and there it is, right, and folks that are watching, they can see that. And, you know, this is a quick side note here. It's interesting because it's actually moving a lot of that finding work to the first line user.

Speaker 1:

What I mean by first line user is the reviewers. For example, your non forensically trained individual will be able to. You know if this is implemented in a portable case or you know type of system. If they allow regular users to ask questions to the AI, it will help, I believe, folks be able to get to stuff faster using natural language. They don't need to know a lot about technical stuff to say, I want to know about Bitcoin, where is it? Well, it's in all these places. They don't need to know what those places are because the AI will find it for them. So that's a good thing. That's not a bad thing. Of course, we need to discuss this a little bit more.

Speaker 1:

So the last one is the one that I found really interesting. Do you recall this? You can ask the AI stupid questions. Right? A stupid question that he gave it was, any crime or illegal activity? And I understand what he meant by that. Right, it's like, is that a stupid question? What do you think, Heather? Is that a stupid question? It's pretty vague. Well, and it is vague, and I like that he described it as stupid. I found it funny because, guess what?

Speaker 2:

People are going to ask it. Yeah, everybody where is the evidence of the crime? That's the question. Find the evidence? Yeah, you're right.

Speaker 1:

There's not a button for find the evidence, they're just going to tell it to find the evidence and actually the tool did a fairly decent job. It said you know there's no evidence of any crime or legal activity discussed in the text data and the reasons it gave. It even gave an argument saying, well, it's going to, could be, but we require more. It says it is impossible to conclude that this request is related to any wrongdoing and give you the stuff. And that's the part where now the AI is starting to bug me.

Speaker 2:

Yeah.

Speaker 1:

What do you think, Heather? What do you think about that? I don't know about that.

Speaker 2:

I don't know about that. I mean, I would love to know the rate of false positives on that, but, um, yeah, the questions are gonna be crazy. No, and I think you hit the nail on the head.

Speaker 1:

Yeah, um, with the rate of false positives or hallucinations, and I'm not saying his tool does that. I'm not saying that. Obviously, I'm just seeing the demo and that's it. But the AIs are known for that. Now, the good thing is that whenever the AI responds, underneath there's some reference to what it's talking about, so you can confirm it. But the question is, like you said, what will the error rate be? And we can determine that if we have a large data set, which means people using this live. I say live, but usually in their daily work. Yes, and it's tough because the testing is happening not in a testing environment. It's happening live, because you can test in a testing environment, but that's not enough data or use cases to make a determination about the tools. Does that even make sense to you, Heather? Right?

Speaker 2:

It's a lot different using test data that's set up for that specific, um, function. Right, you know what you're looking for as you set up the and it contains that, and it's a small data set. Usually when you set up the test data, um, I would say, like an example on, like, evidence items. An example is there's an AI function in one of the tools that looks for grooming and, um, I mean, I was looking through, I ran it a couple of times. I'm looking through data, and grooming is mom telling son, "I love you, honey, see you later." So I mean the false positives are like, do I really want to sift through all the false positives when it's such a big data set? Because there are a lot when it comes to the AI features.

Speaker 1:

Oh, I love that example. That's a good example, and at some point the returns are going to overpower the. You know the benefit. I mean, I'm sorry, the works are going to overpower the returns. Yeah, because at that point I'd rather just read the messages straight up, right, oh, definitely Go one by one, it'll be quicker. Right, right, one by one, it'll be quicker, right.

Speaker 2:

Right, sometimes with the AI features, with the images too, right. You're looking, for example, at what you just said with the Belkasoft, you're looking for the faces with guns. You may have a few faces with guns up front, but if you have a really large data set, there's a ton of images in there. I'm not saying with Belkasoft, I've never tested it, but with other tools there are images in there that are not even close to being a gun or a face.

Speaker 1:

Yeah, and that level of uncertainty, of percentage of false positive or hallucinations. We cannot determine that on ourselves using one or two cases. A lot of cases are needed because this thing is deterministic and it's also probabilistic at the same time, how these AIs work, how those internal decision trees happen, based on training, and that we cannot really quantify ourselves. They're so large, right, it doesn't fit in my mind how this thing works. So that's I guess and let me know if you agree with this or not I think this is a good tool that could be used, just to start.

Speaker 2:

Yes.

Speaker 1:

Just to kind of frame your investigation. But I mean, I'm afraid that people will take that output, screenshot it and say, look, here's the crime.

Speaker 2:

Yeah.

Speaker 1:

You know, I mean, I don't know.

Speaker 2:

That's my fear with the automation. Like you use the automation features, check all that shows up in the automation and then call it a day.

Speaker 1:

So yeah, no, like Kevin's saying, maybe the AI says look, there's too much crime here. I quit the.

Speaker 1:

AI is taking a vacation today. This device is too guilty. That's good, yeah. I think that speaks also to one last point in regards to the training data. Could I foresee an AI that's really trained in the federal code of law or your state law system and rules of evidence and all that type of stuff and go through a device and make even some prosecutorial determinations? I foresee a company maybe doing that right and again, that knife. You know it's good to kind of frame your mindset, but you cannot outsource that to the AI, no matter how big that training data set is.

Speaker 2:

Yeah, I'm sure that it's going to continue to get more sophisticated and we'll see some of that type of stuff where it gets better at some things.

Speaker 1:

Yeah, no, no, absolutely, and I think again. I said the last point. I have one last point.

Speaker 2:

This is the real last point.

Speaker 1:

It also speaks to us being able to be able to communicate with a freaking machine now, right.

Speaker 2:

Yeah.

Speaker 1:

It's not only talking to people, it's talking to the computer, because whatever you ask, the computer response will be as good as the question you're asking it. And folks have used ChatGPT not this AI in forensics, but plain ChatGPT. If you're trying to code or do something, you ask it a question, you give it a response and you have to do another question to kind of narrow that response and kind of lead the AI to help it go to where you really want to know, Right. So it'll be interesting how we have to develop certain community-built phrases or ways of asking things to these AIs to be to be effective.

Speaker 2:

Definitely All right Enough with the AI.

Speaker 1:

Yep. So, actually not. Not that much, but by next week somebody will come with some other thing and we will have to talk about it.

Speaker 2:

I thought you had another point on it?

Speaker 1:

Oh, no, no, no, I already gave you two last points. Okay, all right.

Speaker 2:

Okay, all right. So I wanted to talk also about another tool that we showed in a previous episode called UFADE, which has the capability of pulling some of those iOS logs as well. I'm going to throw some slides up, because I have some screenshots that I stole from the creator of UFADE, Christian Peter, and he has a few new updates, so the tool is now able to perform full file system extractions on already jailbroken devices. What you can see on the screen is the interface for UFADE, and option four gives you that file system backup for jailbroken devices. And then there's another screenshot he had on his LinkedIn where it's actually performing the file system backup.

Speaker 1:

And this is again, like Heather said, full file system. If it's jailbroken, you have that access. You can pull everything down, which is pretty neat.

Speaker 2:

Yeah, and free tool, so you don't have to spend thousands and thousands of dollars to get a full file system.

Speaker 1:

And it's kind of interesting because there are companies out there, well-known companies, whose capability is this. It's true, I'm not going to call them out, but everybody knows who they are, or who these are. Yeah, and I'm like, really, that's the offering? Okay. But yeah, so you can do it free here with UFADE.

Speaker 2:

Another update to UFADE is that it's able to capture live network traffic from your iOS device as a PCAP file. So again, the interface is up on the screen and option three is sniff device traffic. And then I'm just going to show a quick screenshot that I took from Christian's LinkedIn that he posted of it in action.

Speaker 1:

Yeah, and it's really interesting, if possible, for malware analysis maybe, or if you're trying to intercept some malicious traffic. There's a lot of utility to be able to do that on a mobile device.

Speaker 2:

And then, finally, another update that was announced recently is unlocking the developer mode options on devices with iOS 17 and up. I didn't initially know what this one was doing, so I actually messaged Christian tonight and asked him. So it takes screenshots from the device screen with that developer options enabled. And to further clarify, he told me you can take single screenshots or loop chats, and then it's highlighting every message and then it starts scrolling, and when it reaches the end you'll have a screenshot per message in the chats on the device. I had asked him, is this similar to what Cellebrite's chat capture is? And it sounds similar to what that chat capture is.

Speaker 1:

Yeah, no again. That's an awesome capability.

Speaker 2:

And again the cost of nothing is unbelievable. Yeah, very, very cool new features in the tool that we previously outlined, how to use it to pull the logs too, so you can see that on previous episodes, yep, yeah.

Speaker 1:

And again, Christian, thank you for that work that you're putting out. I used it a couple of times and the software works really solid. I do appreciate it.

Speaker 2:

Yeah, so Android had an update this week too, so they have theft protection features that are meant to keep your data safe, so they're announcing a bunch of new theft protection features.

Speaker 1:

Yeah, and we're going to mention them in a second. But I understand where they're coming from, and sometimes we think, well, there are, you know, some folks, well, they're against us being able to do lawful access. Let me tell you, I've done a lot of travel overseas, and in some countries the secondhand market for stolen devices is huge. It's a big black market, millions, maybe billions of dollars' worth. Where, you know, you're walking down the street and somebody snatches your phone, they go off with it. They, you know, they clear it out and they resell it. Or, because some companies, I say companies, but some companies in some of these countries, what they do is they take the IMEI of the phone that was stolen and they blacklist that IMEI. So for folks that don't know what it is, an IMEI is the individual identifier for the device. Okay, if they see that stolen IMEI hitting their networks, they cut off that phone.

Speaker 1:

Well, these criminals are really how can I say this? Creative and what they do is well, easy let's just ship this phone to the next country over and sell it over there. It might not work here, but it might work, or will work, two countries over and they go sell it somewhere else, right? So some of these features are, for example, if somebody snatches the phone from your hand I guess it's some sort of type of machine learning or some way, some sensor activity that combined together tells the device, hey, you're being snatched, and immediately what the phone does is it blocks itself, locks itself up, and then you know you're able to then remotely find it or even wipe it and delete it. And that's actually.

Speaker 1:

I'm going to jump straight to the deletion part, because I just mentioned it. I haven't seen many phones being deleted after seizure, lawful seizure, because folks don't know how to do it, right. They have to go to a website, they have to log in, they might need two-factor authentication. If the two-factor authentication is the phone itself and they don't have the phone, they can't do anything. Well, one of the features that Google is putting up is you can go and take any phone from your buddy next to you, take it, and as long as you know your own phone number and you know a specific passcode that you set up, you can access those capabilities immediately. And to me that means that folks need to, I mean, we all should start getting, me included, a Faraday box and those little Faraday bags. We have them, but do we really, really use them? Or we use them and then we open them and we get to the lab, or then you lost the whole plot.

Speaker 2:

You have to get a Faraday room. We have a Faraday room.

Speaker 1:

Oh, but you're fancy.

Speaker 2:

You all in New York are fancy.

Speaker 1:

I don't, I don't, I don't got a room at all. I barely have a room for myself. But no, I mean, a Faraday room, obviously, like you all do up there, is the best scenario, but at least a little Faraday bag. And I guess our standard procedure moving forward has to be that, not only for high, high-risk phones but for all phones. Oh yes, I agree, absolutely so.

Speaker 2:

We will get them. Sometimes they're in a Faraday bag. But when we get them in the Faraday bag we don't even open the bag until we go into the room. And if you had the box, you could open the bag in the box. But definitely they all should be equipped with a Faraday bag upon seizure.

Speaker 1:

Oh, absolutely. We say it in our courses, but people haven't seen that push for it. I think we're getting to the point where it's going to become a thing you have to do with all these advancements. Another thing it does is, if the thief tries to disconnect your phone from the network for a long time. Let's say I'm like, I have the phone. Easy, I'll just stick it on airplane mode. Done. And I take it and it's unlocked.

Speaker 1:

After some time it's gonna lock itself up, no matter what the settings are, and you're like, well, you know what, I'm gonna change the settings. Well, now, settings you could change, you can change them only by having the passcode. Well, now, if it's enabled, you can put in the PIN code, the phone unlocks. You want to change those settings? Guess what? It's going to ask for biometrics, right. And now you have to have both. Whereas before, having the PIN code overrode any biometrics because the PIN code was the thing, now it will ask for both, right. And again.

Speaker 1:

I see that as a good thing for consumers in regards to being able to protect stolen devices and dissuade these criminals from stealing them, because why would they go to the effort of stealing a phone they cannot wipe, because it will not allow it to be factory reset by a thief. That's another capability. Thieves, people who stole the phones, they factory reset them for selling them, and they will not be able to set them up again because the device will ask you for the credentials of the Google account. So and so, you know, it's.

Speaker 1:

There's benefits to that, but also some drawbacks. Uh, for us, obvious drawbacks. Drawbacks, yeah, definitely, definitely.

Speaker 2:

There's another feature that has also, um, a private space that hides your sensitive apps. So, like your banking apps or anything that's, like, personal, or could potentially hold private data that would allow thieves to get into your accounts. That private space feature lets you create a separate area in your phone that you can hide and lock with a separate PIN code.

Speaker 1:

And usually there's apps that do that, and usually some, yeah, suspects do it, and those apps, you know, we have ways of circumventing it. We can go and reverse some of that code, do some things, brute force them. But now this capability is built in the operating system, and how is that going to look for us? I, we don't. I don't know yet. Oh, and this update, you'll be like, well, this is going to happen with the latest phones. No, any phone from Android 10 upwards, right, which is pretty much any.

Speaker 1:

Any phone will benefit from the from these updates, and they're saying the time frame is by the end of the year. Um, so we just started thinking about how are we gonna address some of these issues and train our first responders for this, the people doing the seizures on these capabilities, because they will need to be even more aware on how to properly seize these devices and being able to do the work that we need to do on a timely basis.

Speaker 2:

Yeah, this is the perfect topic too for somebody who's looking for a research project. Get some test data, test it out, extract it and see how this is stored and how it's going to affect us in the forensic community.

Speaker 1:

Yeah, and I'm going to jump ahead a tiny bit, but I think one way they're going to be doing this is by leveraging that multi-user function of the device, where you have more than one account in a phone, which, that's a thing that all phones, modern phones, do. I can log into your phone and use it and then I can log off and you can log in and you use it, like a computer. Right, and I think that's how they're going to do some of that. I think, because they've been giving hints in some of the releases, the alphas from the latest Android that's going to be coming out. Some of that code you can see.

Speaker 2:

See it there that they're looking or doing that. But that's all that's what I'm going to say now, because the next section you're going to talk about a little bit more. Well, the next section is a little bit different than that. So, um, samsung dual app is something I didn't really know anything about.

Speaker 2:

Um, we have a new computer, newer, she's been there in the office for a little while, but a newer computer forensic analyst named Deanna in our office, and she does extractions for, like, her main job duty in our office, and she came across a user account 95 in a Samsung phone. Um, so what is it? We didn't know. And she took it upon herself to take one of my test phones and go do some research and try and figure out how that user 95 account is created. So, um, you could see that it was related to something called Dual Messenger. So she started out by researching what Dual Messenger even is, um, for Samsung phones, and she found that it's a setting that can be enabled on specific Samsung models that'll allow you to use two separate accounts for the same application. So, a little bit different. It's for an app, not for the device. I'm going to just pull up some pictures that she has from my test device.

Speaker 1:

But think about it. Think about it. It might be the same thing, because you can say, well, it's for the app, yeah, but if the app is sitting in a separate user space like another user?

Speaker 1:

to use, like, oh, it's another app, it's a different app. No, it's a whole different user. Yes, and a private space, like Samsung does on their Secure Folder. What do they call it? Secure Folder? Yep, yeah, Secure Folder. We know already it's another user, that's all they do, that they encrypt that other user. So again, we don't know. We haven't looked at it, but I have an inkling that that's what's happening here as well.

Speaker 2:

But we'll see, I have a screenshot for you to show some of that.

Speaker 2:

So she went into the settings, found the dual messenger settings and under the dual messenger you'll find any of the available apps, so the apps that are capable of having a dual account installed.

Speaker 2:

She enabled Snapchat and installed the second copy of Snapchat. When she installed that, the little icon, you can see it in the picture, if you're listening, so I'll explain it, there's a little Snapchat icon and at the bottom right corner it's an orange circle with two white circles inside of it. Once she installed it in the settings, out on the home screen of the device you have the user's original Snapchat icon and then that Snapchat icon that has the orange circle with the two little white circles inside. So when she extracted the data, the user accounts she had: zero, so that's your main user account; she had 95, which houses the dual-app-capable applications; the 150, which is the Secure Folder; and then 1000. Actually, Josh Hickman told me what 1000 was the other day. I didn't know that either. It's the secure browser for Samsung.

Speaker 1:

Josh is in the chat, so Josh tell us again. Write it in the chat.

Speaker 2:

What's the 1000? Yeah, tell us. Tell us, please, the secure browser. Oh, he told us already. Yeah, he told me the other day.

Speaker 1:

So it's a secure browser.

Speaker 2:

Okay, you remembered. Okay, yeah, so under the users you have the separate user accounts, and 95 holds that Snapchat, um, dual application. So I asked Deanna in my office. I said, well, what if you enable another application and you have two? Does it create, like, 96, or do they both go into 95? Well, she tested that as well, and they're both in the 95 user account.

Speaker 1:

So she's just, explain that to me again. So the user zero, I guess that would be her account, has these apps in the system and it just keeps dumping them in that 95, quote-unquote, other user, right?

Speaker 2:

Yes.

Speaker 1:

As opposed to making a new user for each app.

Speaker 2:

Correct, we installed two. She installed two and they both were under user account 95.

Speaker 1:

That's interesting, that's pretty interesting.

Speaker 2:

I thought it was going to hop to maybe 96, but it didn't. And she's doing all this testing. She's going to write a nice blog on it. She's got it started. It's coming along nice. But she's got a little more testing she wants to do with it.

Speaker 1:

Yeah, and actually Kevin's making a great point, maybe for her testing. He says multiple user data could be mixed. So it'd be interesting to have another user account, not zero, but another main user account, and then see if it will dump it on the quote-unquote 95, or would it make its own 90-something else? So now, Kevin, you're making my brain move around. And then how can we determine those relationships? Right, how can we determine that zero is linked to that 95? And again, it's hard for folks that are not looking, if you're listening, but what Heather put on the screen is those user account directories. And what we're discussing is how can we discover those relationships by looking straight at a file system. That's, now I'm excited.

Speaker 2:

Deanna, if you're listening or you may be watching the recording tomorrow, but if you're listening, you have more work to do. I think she's having fun with it, so that's good.

Speaker 1:

Yeah, and I'm going to share some comments here because we got a lot of luminaries in the chat.

Speaker 2:

I see that.

Speaker 1:

So Josh is saying their profile is somewhat similar to Windows accounts. So Josh has been looking at some of the code that's coming out. As you know, Android is open source, so he's commenting that they're considered profiles, somewhat similar to Windows accounts. We have system, local user and guest. That makes sense to me. Yeah, so 95, he has a dual app, you know. And then he makes another list, a few more. So 1000 is the S Browser, 1001 is the private browsing in the S Browser. The S Browser is the Samsung browser, and I want to make a point with that.

Speaker 1:

Samsung is really known for saying, okay, android from Google is going to come with this functionality and for them to be able to use or update their software to that version, they have to have the same capabilities. To say they're Android 15, right. They can't say they're Android 15 and then not have that capability. Android forces you to have those capabilities, but Android doesn't force you on how you implement it. So Samsung implements things differently. Samsung puts the digital wellbeing data in a database in a whole different place right, for example. Right, and this might be and again, give me your thoughts on that, this might be kind of like an inkling. This is how Samsung is going to implement that capability. But it very well could be that Android is going to have the same thing. It's just maybe in a different place or in a different way, but the same type of concept.

Speaker 2:

Yeah, no, absolutely. I think we're probably going to see this more in all of the devices.

Speaker 1:

Were you able to use a tool from what we have now and parse it and get I mean, what type of results you'll get?

Speaker 2:

Yeah, so it's supported. The major extraction tools actually alert you that there is a dual app account and it'll ask you if you want to brute force it. The tools will also pull the data and the major tools are also parsing it as well.

Speaker 1:

All right, but I really wonder if you have more than one user account. Although that's kind of like an edge case Most people don't share their phones, right, but we need to look at everything, right. So I was wondering if you have more than one user with dual apps enabled on each user, how would you know who generated that data?

Speaker 2:

Well, Deanna is going to be testing that when I tell her tomorrow, unless she's listening and you can get started now, Deanna.

Speaker 1:

Wow, you drive a hard bargain here.

Speaker 2:

Well, she's having fun with it. I'm not making her do it.

Speaker 1:

I know, I know You're kind and nice, we all know that she's awesome. Yeah, again, I got to show you know what we're going to bring Josh one day just to chat here with us and be on the show.

Speaker 2:

Yeah.

Speaker 1:

Yeah, so multi-user on iOS. So that makes absolute sense to me that that will be definitely coming.

Speaker 1:

He's also telling us that you have to have that collaboration with other artifacts to help tie the profiles, and that makes sense to me. Yeah, it does. Yeah, if there's no one direct thing that you could tell, at least for now, you will have to do that. But my inkling, and hopefully the research that you're all doing starts leading us in that direction there has to be some sort of internal indication of what is connected to what you know.

Speaker 2:

Right.

Speaker 1:

But even at the end of the day, that corroboration with other artifacts is still necessary for that validation and to actually paint a picture when you're trying to present it. So that makes absolute sense.

Speaker 2:

Well, we're going to find that corroboration, because I won't give up till I do, and Deanna is exactly the same way.

Speaker 1:

Well, she has somebody to guide her through that process that knows a lot about you Check this out.

Speaker 1:

So the folks at Hexordia and Jessica Hyde, they are SWGDE. SWGDE. My pronunciation is so Hispanic. It sounded fine. It sounded fine. It's hard for me to pronounce a word that only has one vowel at the end in English, but they are, I mean, again, a really important organization in regards to establishing different testing and validation procedures in our field, and they're watching in the lobby. So, hi everybody, we love the work that you do. On LinkedIn, I follow all the happenings when you all get together and come out with your different products and documents. So we appreciate you and we appreciate you watching.

Speaker 2:

Yeah, definitely. All right, let me remove this. So we will continue working on the dual app stuff and have a paper eventually.

Speaker 1:

Yeah, we'll announce it on our social media and keep an eye out for that. I'm really excited about it now that you discussed it, so I'm looking forward to it.

Speaker 2:

Yeah. So another quick update here. We have some collaboration with John Hyla. If you don't know who John Hyla is, he actually went and taught with us at IACIS the last two weeks prior. He has an electronics canine named Hannah, who we love. I showed a picture last week. But he has been collaborating with CCL Solutions on updates to their SEGB script, so he actually is improving the usability of the library for parsing iOS and macOS SEGB files. He was able to shorten the amount of code needed for iLEAPP, specifically for the iLEAPP artifacts, and it now internally handles checking if it's a SEGB1 or a SEGB2, and processes automatically and returns you the data.

Speaker 1:

And John is the granddaddy, or the father, of our SEGB knowledge in the field. He was the first one that actually said, you know what? What is this? Is this important? So he's the first one that put something out in public, and I mean the whole field benefited from it. It's kind of funny because at the beginning that article came out and nobody really thought much of it until they figured out, holy crap, this is super important. So I was honored, we were honored, to teach with him over at IACIS and we're going to have him back next year. Hopefully his agency continues to send him with us.

Speaker 2:

Anyways, I digress.

Speaker 1:

The point I'm making is that he made some good changes. One of the things that he changed that I'm really happy that he did is that the code as it was, and it was correct, right? The SEGB file tells you, hey, this is the amount of bytes you need to read to get to the protobuf payload, because the data within the SEGB file is in a protobuf-formatted payload, most of it, and it said read from this byte to this byte. And when you did that, the first eight bytes were not actually part of the protobuf. So I had to, in my code, and we learned about that yesterday.

Speaker 1:

Right, Heather, we had to, in the code, clean those first eight bytes out to then actually get to the protobuf. But that's been taken care of. So now you don't have to worry about those eight bytes in your code. The library will account for them automatically, which makes my life so much easier and Heather's life so much easier, which I know she will appreciate.

Speaker 2:

Yeah, I'm not good at figuring out how to remove the bytes.

Speaker 1:

No, she's good. She's just going through that learning process and everybody's bad until you learn how to do it.

Speaker 2:

So don't be hard on yourself, girl. The computer was about to go out the window last night, so I had some choice words for it.

Speaker 1:

Fantastic, beautiful. I love your computer. Oh, that was definitely it. So check that out. And again, I motivate folks. Look, the field is moving fast and you need to keep up, and one way is to start learning some scripting.

Speaker 1:

I've been having, again, tangent, sorry, little tiny soapbox moment. I've had folks in the last two weeks ask me, hey, I got this JSON inside a database or these types of data stores. What do I do? What tool do I use? And the thing is that the tool will format it for you to look at, maybe indent it for you so it looks nicer, but that data source might have so much gunk in it that you don't care about, right. What you need to do, as part of what we do in our IACIS class, is give you some tools and say, look, you need to learn a little bit of scripting to be able to pull the relevant items of that thing to actually come to proper conclusions. And sitting down and waiting for the tools to do that, it might not come anytime soon for your intents and purposes, right. So we need to start thinking of coding not as a good thing to have in an examiner, but as a necessary thing to have if you're coming into the field. That's my perspective.

Speaker 2:

Yeah, no, I agree, oh well, and you can see it. You can view it in a lot of the major tools, but how are you reporting it? There's no add this to my report function in a lot of those data viewers.

Speaker 1:

Look, heather, don't feel bad.

Speaker 2:

I see it, somebody of the stature of The Forensic Scooter is also learning with you.

Speaker 1:

So if he's telling you that he's learning and he's putting in hard work, you're in excellent company.

Speaker 2:

Listen. Most of the time, scott. You are teaching me because I am constantly referencing your blogs.

Speaker 1:

You and me both.

Speaker 2:

Uh-huh, Rereading and rereading. What does he mean here? Wait what.

Speaker 1:

Yeah, and not because it's not clear. It's because there's so much good stuff that we're like I cannot hold it all in my brain at the same time.

Speaker 2:

It's all good, there's just so much.

Speaker 1:

Actually, Scott, I'm going to talk about you more in a little bit.

Speaker 2:

Shortly here. So more research. I'm on a kick of pointing out people's good research. So today, actually on LinkedIn, there was a post from Brian Hempstead and he did some work with the Session application. If you don't know what the Session application is, it's a privacy-based chat app. So Cellebrite was the tool he used. He was able to decrypt and parse the data. But he takes it a step further and he validates the data. Right, he goes in, he looks at the database and he's validating what he's seeing in the parsed data and the research blog. I'm going to put his, oh, this will be in the show notes, but I'll put it up anyway. The research blog actually outlines how he's able to identify which chat thread a particular attached image originated from, which is really important when you have these chat applications. Sometimes the images are, well, most of the time the images are stored separately and being able to relate them back to exactly which chat the images go with can be really difficult. So definitely a good research paper to read.

Speaker 1:

Oh, absolutely. And again, even if and we say this a lot even if the tool does it for you, coming out with a research paper, you know testing and validating, testing, you know validating that data and testing the tool, it's so important. I mean it's another way of doing kind of like a peer review type of work that you can then say look, this is not me making this up, it's just a tool hallucinating things. There's backing to this. So we appreciate folks like Brian that make the time to kind of guide us through their analysis and we all learn from it.

Speaker 2:

Yeah, definitely Another announcement. I'll let you take this one.

Speaker 1:

Yeah, talking about learning. If you all don't know Phil Hagen, you should.

Speaker 1:

Phil Hagen has been around for a long time. He's really well known for doing forensics in networks and I've been one of his students in one of the classes. I really enjoyed that class. I actually want to take it again. Obviously there have been advancements, and not only does he teach the SANS network forensics class, he spearheads a Linux distribution used for network forensics that you can download and benefit from, and he's come out with a YouTube channel and I'm really excited. I want to, after my trips, these trips that are coming up, when I'm done with that, I'm going to start going to his videos where he goes about all the network forensics knowledge that he's teaching. He has them as a series of videos. So I really recommend folks to go and subscribe to the YouTube channel. It's really easy. You have the link there.

Speaker 1:

It's youtube.com, slash, at Phil Hagen, Phil with one L, Hagen, H-A-G-E-N, and again, he's a fantastic instructor. A master instructor, knows his stuff backward and forward, and you will learn a lot from him. So I'm really happy that he's putting that content out to the community.

Speaker 2:

Yeah. In his post about his YouTube channel too, he specifically says that anyone starting out in network investigations and analysis this playlist will be very helpful for you. So if you're looking to just get into network analysis or investigations, this may be a good place to start.

Speaker 1:

And let me tell you, for folks that are in digital forensics and law enforcement and you do phones and computers all day long, when you go out to the private sector, if you start getting ready for this type of work, you'll benefit by expanding your skills. Definitely, because you see, well, network forensics for what? When there's intrusions in an enterprise, the nuggets of the intrusion, when it's happened and how, guess where they're going to be? In your network logs, in the devices in between, the routers, or in devices that are gateways to your network, that keep logs, that keep information about that. Has there been any exfiltration from that network? Because we want to know if it has and be able to remediate and take into account those. How do you do that? Well, I don't know. It's not on the computer. Well, it will not be on the computer. It will be based on network forensics.

Speaker 1:

If you have a network where you're doing packet captures, if it's a sensitive network, how do I go about dealing with PCAP files? Maybe it's not data sensitive, but you're getting NetFlow data, and again, if you're like a cop like ourselves and you never heard about the term NetFlow or the term PCAP, well, maybe you should, right? So a good way is going to the channel. Start learning about those things. It can only make you better.

Speaker 2:

Yeah, I would say that this is one of my weaker areas and I'm looking forward to going and starting from the beginning of the playlist and watching all the way through.

Speaker 1:

Absolutely.

Speaker 2:

So, another update from this week: VMware Fusion Pro. If you use VMware, it's now available free for personal use, the Pro version. So you could use VMware Player before as a free version, but now the Pro and Workstation Pro have different license models, one free for personal use and then one paid for commercial use.

Speaker 1:

And when I heard that, I felt the heavens open, the angels singing hallelujah oh boy. Yeah, actually, do I have any reaction for that?

Speaker 2:

Let me see, you don't have any fireworks or anything.

Speaker 1:

Oh yeah, look, look, yes.

Speaker 2:

There you go, there you go, I have fireworks.

Speaker 1:

Folks that are listening. I have fireworks behind me. I'm going to put some of the confetti coming down. I'm really happy because, you know, VMware was bought by a company I forgot what the company was and they've been making some moves there in regards to their pricing and I think this is a really welcome way of getting into the good graces of the user base and I agree with it.

Speaker 2:

Yeah.

Speaker 1:

Of course you know, if you're a corporate user, you might have some comments about the non-free model. But I don't care. I don't care about you, Sorry.

Speaker 2:

That's nice.

Speaker 1:

Good, but I don't care I don't care about you.

Speaker 2:

Good luck with that. They also, in the article that I've outlined, I'll have it in the show notes, they also have a link to a podcast that's available that discusses all of the changes. So if anybody's interested in that as well, they have a whole podcast explaining the changes and part of it is called Did I Hear Free? So if you heard free and you want to hear more about it, tune into their podcast.

Speaker 1:

Exactly. It's not like fat free where you don't have fat. It's like free as in you can use it.

Speaker 2:

Yes.

Speaker 1:

Here we go. Cesar told us it's Broadcom, about VMware.

Speaker 2:

Okay, perfect, I was looking at that today.

Speaker 1:

I couldn't remember it. It was on the tip of my tongue. I was about to stick it out to see if I could read it. Thanks for reminding me of that, yeah.

Speaker 2:

All right. So what's new with the LEAPPs?

Speaker 1:

All right. So I said a second ago that we're going to talk more about Scott and the Forensic Scooter. So he's really well known as the, now he's the granddaddy of Photos.sqlite analysis and, for folks that are not in the know, in iOS, Photos.sqlite keeps track of the images from that device and it has a ton of information. One of the things I like about that database is that it helps me, it's a data point to determine where a picture came from. So he added support for one of the queries that he has within the queries that he shares and also within my own tooling, iLEAPP in the LEAPPs, to be able to get embedded plists out of that and also get embedded preview images, which is pretty good because if it's sitting there, I can look at that image. In case, you know, the garbage collection hasn't gone around yet, right? So another way of getting at the data, and we say this in other episodes, data is like money, it likes to replicate, replicate, replicate, replicate. So you got to know where that stuff is.

Speaker 2:

Right.

Speaker 1:

The only drawback is that it's a pretty involved, intense script and it will take some time to run. So the decision that we made, and by we I mean Johan, which again, Johan, we love you, he said, you know, maybe we should make this optional. What that means is that when you run iLEAPP, it's not going to be checked by default. So that gives you the power to say, look, do I really want to spend five, six extra minutes on looking for something? Then you can do that, and you might tell me five minutes is not a long time. The LEAPPs are designed to be quick, and to me, five minutes is a lot.

Speaker 2:

Yeah, that is a lot for the LEAPPs, definitely.

Speaker 1:

Yeah, for other tools, five minutes is just them.

Speaker 2:

Starting to process, see if we can even find the database.

Speaker 1:

Exactly, it's the computer on, it's just eating up your memory. Those five minutes used to eat your memory up, so that's a long time in our benchmarking for that. But it's not Scott's fault, it's just that there's so much data to get. That's how it is, right? So it's optional. So what I tell folks is, look, run it without the optional stuff on first to get your quick hits, and then, if you need to go deep dive, then only check the Photos.sqlite or check some of the other ones that take a long time, and then do that with more time. You can do those while you're looking at your first parsing for quick wins.

Speaker 1:

Yeah, so another update. It's K-9 Mail support by Kalinko. So we appreciate you. Kevin has made the report in the LEAPPs a little bit more pretty, so it's actually highlighting some of the header sections on the left side of the interface. So I appreciate that. He showed me, I'm like, dude, of course it looks great, do it, do it. So he made those changes, and we are working on, by we I mean mostly Heather.

Speaker 2:

Oh, yeah, right.

Speaker 1:

So what are we working on?

Speaker 2:

We're updating the current one, actually because there already was one, but the browser state database. So previously on a prior episode, we talked about Ian Whiffen's research on the browser state database and how the last visited timestamp doesn't necessarily mean last visited. So I was just going to go in and change that field so it didn't say last visited timestamp anymore. But there's another table in that database that includes tab sessions data. So I thought we'll just add that tab session data in to match up with the tabs that are open. And it didn't end up being as easy as I thought it was going to be. I am struggling.

Speaker 2:

But I'm getting help from a pro.

Speaker 1:

You're being too hard on yourself.

Speaker 2:

Oh, my God.

Speaker 1:

You're doing good. You're doing good.

Speaker 2:

So it'll be coming, but it's not available quite yet.

Speaker 1:

Well, you know, I mean, see, the thing is that you know I'm going to kind of, I'm going to point you, but I'm not going to do it for you, as you know.

Speaker 2:

No, I appreciate that. I'm going to push you along. I thought I would do it without asking Alex for help. I'm like, ah, let me just try it myself.

Speaker 1:

Don't, don't, don't help me, yeah right, yeah right. No, look, I mean, and as I was telling you yesterday, I mean I would appreciate something like Yogesh Khatri's, which again really upped my understanding, and I had to leave some of that ego to the side and say, you know what, I need help, I need to actually learn the process. So we're going through it and, you know, you're doing great, so don't feel bad.

Speaker 2:

I finally caved and asked for the help that's actually the harder thing.

Speaker 1:

It's not the coding. It's actually getting to that point, so well done.

Speaker 2:

Yeah, I get to a spot, though I'll get to a spot where I'm like I don't know what you're talking about, and then Alex is like let's start from the beginning, and I'm like, no, I know. So that was why the computer almost went out the window last night.

Speaker 1:

Well, and for folks that are like what are you talking about so you can understand, say well, I know this is the output I want, but do you really know how you got there?

Speaker 2:

I didn't.

Speaker 1:

Yeah, and actually getting there is more important than the output. That's kind of the lesson we were talking about yesterday. Just because you got the right answer doesn't mean that it's right Right.

Speaker 2:

And also I'm not going to be able to replicate it unless I understand it.

Speaker 1:

Yeah, or troubleshoot it when it goes wrong, because you don't know what happened. You just know that it's there, right?

Speaker 2:

Yeah.

Speaker 1:

No, absolutely, and, I mean, again, we have a lot of fun doing that. So, folks, again we motivate you to look into ways of expanding yourselves and being better. I want to say something real quick about that database, the browser state database. I didn't see it a lot. Now I see it everywhere, in a lot of cases. Yeah, it's like when you buy a car, it's like, oh look, I bought, let's say, I bought a new, I don't know, a BMW, whatever, and you have it. And now when you drive, you see it everywhere. That's me now. I see that browser state DB everywhere, and it's important because I've seen cases coming to wrong conclusions, and we discussed this a few episodes ago. Check out Ian Whiffen's blog on the browser state DB.

Speaker 1:

In regards to how those timestamps are populated, people are coming to wrong conclusions, both on the prosecution side and the defense side, on what those timestamps mean, and that's a big problem. How can I say this?

Speaker 1:

Some tooling might decide not to even show it because it's complex and there's no certain way of determining where the timestamp comes from, under what circumstances, and that's a decision that tooling makers can make, and others can decide to still show it and hopefully put a lot of flags around the same, you know, timestamp of indeterminate origin.

Speaker 2:

I don't know how to describe that field. I'm still debating what to call it.

Speaker 1:

It's tough because we're talking about it, I know we're off the hour, folks, just three more minutes and we're done. Like, do we want to show that to users if we cannot determine certain things with certainty, or do we want to hide it to avoid confusion? Or do we want to show it just for completeness? And I mean, you have an opinion on that, Heather.

Speaker 2:

Yeah, I mean I want to see it when I'm working on the case. I want to see it. I have like a general understanding of what different circumstances can make that change the timestamp, so I still want to see it. I still know it's associated with those tabs. I just never would go in and testify that this is the date and time that that specific website that's tied to that tab was visited, because it's been found in research, in Ian's research, that that's not true. But I still want to see it.

Speaker 1:

Yeah, and I'm like you. I also want to see it Again. It talks about what we talked about at the beginning. If you have multiple data points, maybe you cannot point to that one, but you can build this pattern across multiple data points to come to a conclusion. So we need that. But at the same time, a lot of examiners don't have the expertise to look at it that way. And is it a fault of the tooling or is it our fault, or is it a way to we can bridge that gap. We're going to try with our artifact and see how that comes out.

Speaker 2:

Yeah, you just have to be very careful in how you name that timestamp field.

Speaker 1:

Yeah, yeah, absolutely, that header for that could make or break a case. So again, folks, if you're not in the loop, again, do Google Ian Whiffen, W-I-F-F-I-N. DoubleBlak is his blog, and look for the browser state DB entry. It's a really in-depth research on this database and I recommend you do that. Yeah, I do as well.

Speaker 2:

So we've made it to the end. We're at the meme of the week, the most important part. Let me see if I can share it here.

Speaker 1:

No, it's truly the most important part. So let's give some fireworks, let's get some balloons going there. All right, describe it for us. What are we seeing here, Heather?

Speaker 2:

Okay, so we have finished a conference, speaking, teaching event, and now you're back, right? Back in your office, pending work stuff. And then we have a nice little expletive to outline that pending work stuff that you came back to. I picked this one this week because we were just gone for two weeks and I mentioned at the beginning of the show I got back to a trial that had already started and had to go testify. So the little expletive may have been my first response, or something similar to it, but also all the work that piles up, right, all of the things that still need to get done even though you're gone for two weeks.

Speaker 1:

See, I watch. I know you haven't watched it, but I watched Fallout on Amazon not too long ago. So, now all my cursing is okie dokie.

Speaker 2:

Okay, you may have to replace that on this meme then, but it will not be as impactful. Oh, no, no, no, no.

Speaker 1:

The meme stays as is right. Okay, good, I know Kevin will watch the show so he knows I like the meme a lot because it's from the Office. What's this guy's name in the Office? I forgot his name.

Speaker 2:

I've never seen the Office.

Speaker 1:

Oh my God, Okay, get out of here.

Speaker 2:

I know, I get picked on at work constantly for it. You got 10 seconds to leave the stream.

Speaker 1:

Okay, no, I know, even I've seen it, right? So anyways. So he's really happy, they're standing like having a good time, I just finished my conference, and then the pending work stuff kind of creeps up on him, yeah, and then kind of shows up. He's like, oh, yep, F you, you know what, right? So I like that. That's how I felt also when I got back. Dwight, there we go, Cesar, saving the day.

Speaker 1:

Yeah, Dwight Schrute. Schrute, is that it? I see my pronunciation is so bad, but yeah. So I think it's a funny meme, because that's how I felt after I came back from IACIS and how I will feel again when I come back from Argentina.

Speaker 2:

I was going to say we may have to reuse it in a couple of weeks, but you'll have to make a new one that has a similar theme for the next podcast. That's true, I gotta think of something that's topical for the region.

Speaker 1:

We'll see. All right. Well, so I think we're at the end of the podcast.

Speaker 2:

Thank you for staying with us.

Speaker 1:

Yeah, thanks to the folks that watch live and also thank you to the folks that are watching and listening later. We appreciate you. Please send us your comments, your ideas, constructive criticism. We love that, and, again, we're going to be out for a couple of weeks due to travel, so please go to our LinkedIn, Digital Forensics Now podcast, to get notice on when we're coming with a new episode as well. Yes, and I think that's it. I mean, anything else for the good of the order, Heather?

Speaker 2:

That's it. I see a question about the LEAPPs in the chat from Mr Maka, and I'm going to get with you offline and answer your questions.

Speaker 1:

Well, you're awesome.

Speaker 2:

Heather.

Speaker 1:

We appreciate it. All right, folks, then we'll see each other soon-ish. Just keep an eye out Peace.

Speaker 2:

See you. Bye. Thank you.
