Join us as we recount our recent travels to Argentina and the Techno Security & Digital Forensics conference. We'll share the highlights of our trips before diving into the core content.
What could possibly go wrong with a feature designed for user convenience? We'll scrutinize Microsoft's controversial "Recall" feature, exploring its significant privacy concerns and implications for digital forensics. From unencrypted data to automatic opt-ins, we speculate on the potential user backlash. We'll also dive into the latest tech updates, including CCL Solutions Group's enhancements to the Rabbit Hole tool and how these advancements can revolutionize data analysis processes.
Discover the capabilities of VFC from MD5 and the latest tools for examining data from platforms like Snapchat and Facebook. We'll introduce new and updated blogs, innovative Python scripts, and the latest additions to the LEAPPs in this packed episode. Stick around for an insightful discussion and a sneak peek at what's coming in future episodes.
Notes-
Rabbit Hole Updates and SQLite Blog/Cheatsheet
https://vimeo.com/948752153
https://www.cclsolutionsgroup.com/post/time-travelling-with-sqlite-journals-and-wal
https://vimeo.com/953570512
https://cdn.prod.website-files.com/5f02f2c93eab87a6ea84e2f3/665ed5e6ec5ef877d9d74dd2_sqlite-journal-cheatsheet.pdf
Copilot+ Recall disaster & Forensic Applications of Microsoft Recall
https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e
https://cybercx.com.au/blog/forensic-applications-of-microsoft-recall/
Rising Star Jeremy McBroom
https://yeahihaveaquestion.com/
Analysis of Browser Artefacts from File Sharing Services
https://us5.campaign-archive.com/?u=a5a2a1131e612711f02b96e2c&id=9555c3f865
https://github.com/cclgroupltd/ccl_chromium_reader
SQLite Freelist Page Checker
https://github.com/SpyderForensics/SQLite_Forensics
Forensics StartMe Page
https://start.me/p/q6mw4Q/forensics?locale=en
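Added example, not code from CCL Solutions Group, SpyderForensics or the podcast: a small Python script in the spirit of the SQLite journal/WAL cheat sheet and the SQLite Freelist Page Checker linked in the notes above. It reads the 100-byte database header to report whether the file is in rollback-journal or WAL mode, then walks the freelist trunk chain and checks the number of pages it finds against the count stored in the header, which is the consistency check an examiner wants before carving deleted records out of freelist pages. The sample database, its table name and row counts are constructed here for the demo; offsets follow the published SQLite file format.

```python
"""Added example (not CCL's or SpyderForensics' code): read a SQLite file header
to tell rollback-journal from WAL mode, then walk the freelist trunk chain.
The sample database is constructed in a temp directory; nothing is fetched."""
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def make_sample_db(path, wal=False):
    """Constructed sample: fill a table across many pages, then delete most rows.
    auto_vacuum is off by default, so the emptied pages go to the freelist instead
    of being reclaimed, which is the case a freelist checker is about."""
    conn = sqlite3.connect(path)
    if wal:
        conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO msgs(body) VALUES (?)",
                     [("x" * 500,) for _ in range(200)])
    conn.commit()
    conn.execute("DELETE FROM msgs WHERE id <= 190")
    conn.commit()
    conn.close()  # last connection: a WAL is checkpointed into the main file
    return path


def inspect_header(path):
    """Parse the 100-byte database header (offsets per the SQLite file format)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:          # the value 1 encodes a 65536-byte page
        page_size = 65536
    read_version = hdr[19]      # 1 = legacy rollback journal, 2 = WAL
    first_trunk, freelist_count = struct.unpack(">II", hdr[32:40])
    return {
        "page_size": page_size,
        "journal_mode": "wal" if read_version == 2 else "rollback",
        "first_trunk": first_trunk,
        "freelist_count": freelist_count,
    }


def walk_freelist(path):
    """Follow the trunk chain from the header and return every freelist page number
    (trunk pages and leaf pages), so it can be checked against the header count."""
    info = inspect_header(path)
    page_size = info["page_size"]
    pages, seen = [], set()
    trunk = info["first_trunk"]
    with open(path, "rb") as f:
        while trunk:
            if trunk in seen:  # a cycle means corruption or tampering; stop
                raise ValueError("freelist trunk cycle at page %d" % trunk)
            seen.add(trunk)
            f.seek((trunk - 1) * page_size)
            page = f.read(page_size)
            next_trunk, n_leaves = struct.unpack(">II", page[:8])
            leaves = struct.unpack(">%dI" % n_leaves, page[8:8 + 4 * n_leaves])
            pages.append(trunk)
            pages.extend(leaves)
            trunk = next_trunk
    return info, pages


def demo():
    """Build one rollback-journal and one WAL database and summarise both."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, wal in (("rollback", False), ("wal", True)):
            db = make_sample_db(os.path.join(d, name + ".db"), wal)
            info, pages = walk_freelist(db)
            out[name] = {
                "journal_mode": info["journal_mode"],
                "header_count": info["freelist_count"],
                "walked_count": len(pages),
                "consistent": len(pages) == info["freelist_count"],
            }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A mismatch between the header count and the walked count, or a cycle in the trunk chain, is a sign the file was truncated, partially overwritten or tampered with, and the freelist pages should then be carved rather than trusted. Note that the header only reflects what has been checkpointed: on a live WAL-mode database the newest freelist state may still sit in the -wal file, which is exactly why the journal and WAL files belong in the acquisition.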
Hello and welcome to the Digital Forensics Now podcast. Here we go. Today is Thursday, June 13, 2024. My name is Alexis Brignoni and I'm accompanied by my co-host, the one that puts the tech in Techno, the Digital Forensics Tool Quality Assurance Doctor, the one and only Heather Charpentier. The music is "Higher Up" by Shane Ivers and can be found at silvermansound.com. Hello, Heather.
Speaker 2:Hello.
Speaker 1:It's been quite a long time since we had a show.
Speaker 2:It has been. We've missed two in a row.
Speaker 1:We've been busy. We've been doing so many things. I want to thank the folks that are already showing up. Andrea, hi, I always see you in the communicator as well. I work, we were co-workers, but at a distance. Laurie is here and Jess is here. I know Bruno is going to be listening all the way from Argentina, so I appreciate you, man. So tell me, tell me what's going on with you since last time. You went to Techno.
Speaker 2:I did. First time at Techno. I was super impressed, so it was a great time. I met so many new people, saw a whole bunch of people that I haven't seen in a long time, or just communicate with online, right? You think you know all these people and then meet them in person. But the conference itself was awesome. I went to every single presentation that I possibly could. Super bummed that I missed some of them, because you can't be in two places at once, right?
Speaker 1:You can't do that, are you sure?
Speaker 2:Yeah, I can't Maybe you can.
Speaker 1:I worked the expectors to, apparently, but that's another story.
Speaker 2:I had to pick and choose which ones to go to, but it was really good. The vendors that put on presentations, they didn't gear the presentation to their tool. It was non-specific. A lot of the vendors did artifacts and talked about topics that didn't solely rely on using their tools, and then they talked about their tools at the end, so it wasn't a sales pitch, which was so refreshing.
Speaker 1:You know, that's good, because I don't need sales pitches. Like, we get those constantly already.
Speaker 2:Exactly. Some of the presentations were just outstanding and it was a great chance to ask all of your questions to the vendors without having to do a support ticket. That was like my favorite. But, they were like okay, somebody else than Heather, please.
Speaker 1:They could actually ask a question, that's not her.
Speaker 2:But it was really, really good. I'm just gonna throw up some pictures from my trip. Oh, look at that. I got to hang out with Jessica, who's in the chat, and Josh Hickman. And there's my group up in the right-hand corner from the New York State Police, and of course the Phone Wizard hopped in our picture there.
Speaker 1:My man.
Speaker 2:Went and had a little gym session with Amy Moles from Arc Point. We got the photo op.
Speaker 1:Oh, that's awesome.
Speaker 2:Yeah, and Caesar, caesar from.
Speaker 1:Hexordia as well, yeah.
Speaker 2:And then a couple of my coworkers there, and then continued just meeting people that I had never met in person. Ronan from Cellebrite, I'd met him before, got to catch up. And Adam from MSAB. Met the Forensic Scooter that does all your photos. That SQLite, the myth, the man, the legend right there. He's real. He's just as smart in person as he is online. And Debbie Garner, of course. And then, of course, the voice of the IACIS podcast. And then I did a Python class while I was there, so documented that. I hope you made me proud. And then the last day we had a really late flight, so my co-workers and I got some beach time in. But overall it was really awesome. Like, so awesome that I've already booked one of the houseboats that Jessica Hyde was on this year. I booked one for next year, so it was that good.
Speaker 2:It was good. It was good. I'm going to hide, I'm going to hide.
Speaker 1:I'm going to hide in your suitcase.
Speaker 2:You're going to find a way and you're going definitely.
Speaker 1:I've got to start saving now.
Speaker 2:Start saving because you're going. It was a really great time yeah.
Speaker 1:That's awesome, man. And I think that's become one of the premier, correct me if I'm wrong, premier digital forensic-specific kind of conferences, because, you know, sometimes they can mingle the whole incident response, but this seems to be really focused for examiners, right? Would you say that?
Speaker 2:Yeah, I would say so. Everything I went to, I picked up all kinds of great information that I'm going to use at work every day, so I would say it was definitely geared toward examiners. Look, Kevin is saying that he needs to make it there next year.
Speaker 1:So it's yes, he does. Then I'm gonna make the extra effort, since I know Kevin's, so I can go too. So I'll start saving my pennies, like, right away.
Speaker 2:You both have to, so yeah.
Speaker 1:That's awesome. Well, I'm going to tell you about what I did these last two, three weeks. Has it been four weeks? I don't even know.
Speaker 2:Let's count.
Speaker 1:Yeah, we missed two podcasts. All right, so that's about four weeks. So, look, about four weeks.
Speaker 2:So, look, Forensic... which is saying, where is this and when? Yeah, tell us, where's Techno at? Yeah, I didn't even give the details of it. So this year was the 25th anniversary and it's in Wilmington, North Carolina, and it's the first week of June, so it'll be the first week of June 2025 for next year. All right.
Speaker 1:Yeah, it's a good point. People need to know at least, at least where it is. Thanks for the secret. We sort of appreciate it. So I went to and look. Since you have such a nice picture spread, I got to have mine too.
Speaker 1:So I went to beautiful Buenos Aires. Actually, first to Argentina, and then part of my trip was going to Buenos Aires, and, for folks that, you know, everybody knows Buenos Aires, beautiful city, the capital of the country of Argentina. You see, here's the Obelisk, it's like the main thoroughfare in the middle of the city, and when they won the soccer, you know, the world championship, right, everybody went there and celebrated. It's a beautiful place. Here's how it looked during the day. It was cloudy that day, but from the hotel I was staying. And I was there with the embassy to teach folks from a couple of, you know, surrounding countries and Argentinians on digital forensics and some investigative techniques. So it was such a great time. I was here teaching, doing some exercises. Shout out to Jess that helped me out with some logistics of the class, and Jessica Hyde, she's like awesome. So her input was key for this class. Everybody loved it.
Speaker 1:So that's pretty good for the first week. I had also my trainee come with me, so she taught some blocks. I got some felicitaciones, which means congratulations. Thanks, my man. It was great and, you know, you would think, well, that's great, it couldn't get better. Well, it actually got better, because I was able to eat like a world-renowned pizza, Güerrín pizza. I mean, it's like ridiculously delicious. This place was founded in 1932, so if you go to Buenos Aires you gotta stop at this place multiple times. Like, everything is freshly made. It's fantastic. So I enjoyed that. I know you're jealous.
Speaker 2:Yeah, very jealous. I had pizza in North Carolina, a piece of pizza. It wasn't quite the same as that, I bet.
Speaker 1:It wasn't. No, it wasn't, it was like ridiculously good, so I would say top one, like the best pizza I had period. So yeah, and they said you know, the churrasco in Argentina is crazy good. So I had some ojo de bife, which is like a real big, thick steak and because if you're there, you got to have some of the Argentinian you know meats there. So I also enjoyed that. It was fantastic.
Speaker 1:Now I'm on a diet. It's time to catch up. All right, I'm taking too long here. So then it got even... I'm sorry, Lori, but I love deep dish pizza specifically. You know, Lou Malnati's is legit in Chicago. I'm a big Chicago fan, but this one, this one's pretty good, hard competition, just saying. So, yes, I went to Mar del Plata, so that's on the coast, on the Atlantic coast, around a four-hour drive from Buenos Aires. So where my logo is there on the map, I drove, I say I drove, I didn't, they drove me, all the way down to the little red circles there in Mar del Plata, and I had obviously never been there, and it was ridiculously gorgeous.
Speaker 1:It's like a medium-sized city, beaches, the coast, such a laid-back atmosphere. You can see here a little statue that somebody put. We know who it was. An artist put it during the pandemic. People were in a closed-in lockdown and he did it in the middle of the night and nobody knew where it came from. So it was something that really brought, you know, joy to the city, and figure out who it was. The city is rich in history. It's rich in architecture, you know, different arts and buildings, and the rocks they use. They're really well known for the type of rocks they use to make the buildings. It's just, honestly, I wanted to take the whole city and bring it with me.
Speaker 2:It looks nice.
Speaker 1:I learned how to drink mate, which, again, I hadn't tried before, and now, I didn't put the picture here, but I was having some today. Actually, they gave me a mate cup with a bombilla, which is the straw-looking thing that you kind of use, and I was having some of that this morning. It's a big cultural thing, you know. Sharing mate with friends, close friends, it's... I don't know how to explain it. It really brings people together in a way that is hard to explain if you're not there partaking of the tradition, right. So I was so, so lucky to do that. I was brought there to help out, not to help out, to collaborate and exchange with the FASTA University. It's a really well-known Catholic university in the country but also in the city. The picture there, some of the folks that were nice to spend some time with me there.
Speaker 1:The gentleman on the far right is Bruno Constanzo. He is the InfoLab director and also one of the professors at the university. He collaborated with us in the LEAPPs programs, doing some testing for us, speeding the programs up. He's done all sorts of things. Super smart guy. I hope that I'm like him when I grow up. So I appreciate him facilitating us being there with the local prosecutor's office and the embassy and all that. So a really nice guy. And then here I am. I'm there teaching a class and then talking to the criminal justice students there, which was a nice surprise. I was expecting a few people, but then the whole room was full. It's awesome.
Speaker 2:Very cool yeah.
Speaker 1:Bruno's saying that he hopes to be like me when I grow up. I don't know about that, man. And then, so, yeah, so that was... It was great. It was such an experience of a lifetime for me, and people were so warm and so happy to receive the information and also to share with me how they do things, and hopefully we can, you know, hopefully we will take some of that knowledge with the tooling and different things that we do around the world. So that was super awesome.
Speaker 2:Those pictures are great.
Speaker 1:The beaches look beautiful I need to come back at some point. We wish you should go back.
Speaker 2:It's great. Anyways, I'll go with you if you need somebody to help you teach something, or be your secretary. I really don't care. Yeah, yeah, you want to do, you want to stay too.
Speaker 1:I was eating this pastry. It's like a croissant. It's not like... They have a croissant, it's just that this croissant, the two edges kind of meet, and they call it half moons, and I'm addicted to the stuff. I need to be away from it. They fill them with cream, they fill them with chocolate and all sorts of stuff, and they were feeding me that like every five minutes, and I'm like, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no.
Speaker 2:So we wanted to mention too. This weekend is Father's Day, so happy Father's. Day to all the fathers that are listening or out there.
Speaker 1:Thank you, I appreciate it. I'm one of those. No, and as you mentioned Father's Day, you know, kids, they start making some art at school or daycare, wherever they are, and here's the one my kid did for me, my oldest. I'm like, what's that on my chin? He says that's your beard. I'm like, I don't have a beard, but I found it funny because kids are so perceptive. He says here's his favorite thing to eat, and he puts a picture of me sitting with a little table. And I showed you that picture, right, right, Heather? Doesn't my table look like that little table?
Speaker 2:Yes, it's one of those little folding tables, folding tables next to your recliner. He drew it perfectly. Well, he drew it exactly right. And, yeah, one part.
Speaker 1:You know, it's kind of sad, but it is what it is, right. He says, when he comes home from work, he likes to work on his computer. Yeah, so, like, when I come from work I keep working, and I'm a bit guilty of that, but in my defense, weekends are for the kids, to play with them and take them out and do different things. I just found the "he is so good at riding bikes" intriguing.
Speaker 1:So you're really good at riding bikes, huh? Oh, I mean, he's impressed that I don't fall, I guess. Oh my, that's so cute.
Speaker 1:He always says, I love you, and I do. And if you're a parent and you say... you should say it more. At the end of the day, that's what kids will remember. We won't remember all the expensive gifts. They won't remember the trips. We've all been sons and we've all been daughters, so we'll remember the love our parents gave us. So I'm trying to do as much as my mom and my dad did for me.
Speaker 2:So this week we have so much to talk about that it's going to spill into a couple of weeks' worth of chats. But so there's some updates to Rabbit Hole. We've talked about Rabbit Hole on the show before. That is CCL Solutions Group's tool by Alex Caithness. There's added SEGB, so you can parse the SEGBs in Rabbit Hole now. He added hex viewer enhancements. And then the big new feature for Rabbit Hole is called Runs. So the Runs are a way to define a sequence of operations that you performed and set filters, and it'll automate it for future purposes. Instead of having to redo what you've done over and over again or writing a line of code, Rabbit Hole will take care of that for you in a saved Run feature.
Speaker 1:So, like you, point it towards the data set and it does whatever it does and pulls everything out. I guess, right?
Speaker 2:Well, you do your process the first time, but you use the Runs feature to kind of, like, I guess, for lack of a better term, save it or preset what those filters are going to be to pull that data out of the same type of data store in the future.
Speaker 1:Gotcha, gotcha.
Speaker 2:So it automates your process.
Speaker 1:That's awesome. And if you're a new listener, you're like, what's SEGB? Those are in Mac devices, I mean Apple devices, iOS, iPads, and they have a whole bunch of pattern-of-life information there, and I think we talked about it in the past in other episodes. And this, what you're describing, is so powerful because then, instead of having to go kind of by hand every single time, if you have, like you said, that Run set, you can point it at whatever you need and boom, it's out. It saves you so much time for that validation, so that's awesome.
Speaker 2:If you want to see, like, I guess, a demo of what I'm talking about, if you go to their web page, Alex has done a demo of those new features, so I'll put the link in the show notes so everybody can get to that video. But also with CCL Solutions there's a new cheat sheet, a new blog and cheat sheet. It's about SQLite files and the journal and WAL files. You can find that on their website, and then I'm just going to throw the cheat sheet up here real quick. Here we go. Let me take that down. So this is the cheat sheet that's available on their website, and it just talks to you about the SQLite database and how the journal files and the write-ahead logs work with SQLite databases. Great little resource.
Speaker 1:Yeah, and it's always good to have that on hand. I've been teaching SQLite, I mean, for years now, and it's a skill set that's always, always needed. You got new people coming in, and even though SQLite, I've been predicting it's going to be on the outs, it still hangs on and it still shows everywhere. So it's worthwhile to understand the differences between the WAL files, the journal files and how you can recover stuff from it and all that.
Speaker 2:Yeah, and how they operate. Because I mean when I first started looking at SQLite databases, I didn't understand that, and having a cheat sheet like this is just so helpful, especially if you're newer and a beginner with SQLite databases.
Speaker 1:Absolutely, or instructors, you can hand those out.
Speaker 2:Yeah, definitely. Well, I've already put it in our resources material for next year's IACIS. So it's there.
Speaker 1:Christian from LinkedIn is saying, I thought you said cheeky instead of cheat. No, no, no, cheat sheet, not cheeky. It could be a cheeky cheat sheet, but no. Cheeky cheat sheet.
Speaker 2:It's just a cheat sheet, my man. So, yeah, so check that out. The links will be in the show notes at the end of tonight. Awesomeness, good stuff. So Copilot and Recall, and then the applications, the forensic applications of Microsoft Recall. I'll let you start talking about that one.
Speaker 1:Yeah, so it's interesting, because I linked it and I put a link to an article written by Kevin Beaumont, I don't know how to pronounce it. He's a really well-known researcher. I think he's from the UK, but super well-known. He actually worked at Microsoft a little bit. He does all sorts of intrusion response research, right, and he came and he did an article analyzing this Recall function.
Speaker 1:And, for those who haven't heard, what Microsoft was planning, or kind of planned and did, was create this functionality in Windows that takes screenshots of everything you're doing, OCRs the screen, keeps the screenshot, and that OCR data dumps into a SQLite database. The idea behind it is to be like, well, what was I doing an hour ago, or a second ago, or three days ago, a year ago? Nadella, is it Satya Nadella? I think that's his name, the CEO of Microsoft. He described it as a photographic memory of your computer, which, I'll be honest, I don't know about you, but I'm thinking, is that something anybody asked for? Yeah, that's right. Do I need a photographic memory on my computer?
Speaker 2:I mean, I'm always deleting stuff. Yeah, exactly.
Speaker 1:I mean, you know, I understand having backups of certain things, but do I want it to remember every single thing that it does? And the point that the researcher was making in the article is that computers in general, and also specifically Microsoft, they're known to be intruded with some frequency. So imagine some bad actor getting into the computer and then pulling that database out, which at that point happened to be not encrypted, in the clear, that you could just see everything there, right. So it became a little privacy nightmare, and I put that link in the comments. I commented on my LinkedIn that I predict Microsoft's going to backtrack, either eliminate it or change it quickly. And it was true. It's been the most viewed LinkedIn post that I've ever had, because people are really interested in this stuff, how that Recall thing works or is supposed to work, right.
Speaker 2:So you have to opt into it now, correct?
Speaker 1:So, yeah, so some of the things they did to kind of alleviate those concerns, because people were going crazy, yeah, crazy. I'm being kind in the description of how people are about it. They're saying they're going to encrypt the database. You have to opt in, like, yeah, I want this feature to be enabled. Before, it was enabled by default. So now you have to be opting into it, it's encrypted. So people are saying, I'm going to go... this year is going to be the Linux of, well, the year of Linux because of this. They're like, no, I won't. But yeah, Kevin is saying, yeah, they're encrypting the database too. That's right. And again, that brings an interesting point of where the market is heading, right.
Speaker 1:They put this feature that has all this data that's kept there and people didn't want it, and the big issue wasn't so much that it was remembering, it was that it was not encrypted. No attention to privacy, you know what I mean. So, yeah, I don't know. I mean, what do you think about that?
Speaker 2:So, yeah, I would never opt in for that. I'll be curious to see if people do opt into it, if it ever shows up in one of our forensic investigations. I mean, I'm sure somebody out there is going to. I would not. And I wonder if, like, in the future, if they're going to kind of change it so you save only the data you want to save, kind of like backing up to the cloud, like you choose which data you want to back up.
Speaker 1:I don't know. Yeah, yeah, again, I think, I mean, this is my... I mean, I don't know. I don't know nothing about Microsoft or any other companies, but my thought process is, some of that stuff they're saying, yeah, it's going to recall for you, but I see it from my perspective as another data source for them to feed their AIs. You know what I mean. And even if it's a locally hosted AI, it needs a lot of data to kind of predict what you're going to do and interact with you. And I'm pretty, I say pretty sure, I don't know anything, but I think that that might be one of the reasons, where you have these big data sets that they can feed off to build the product. I mean, is it going to be sent to Microsoft home in some anonymized fashion? I don't know.
Speaker 1:And again, people, don't take this as gospel. I'm just saying what I think might be the underlying reason. I have no evidence for it, I didn't read it anywhere, and I'm just saying that because I'm seeing a lot of companies kind of like thinking, where are we going to get our data to feed our AIs? Because now everything has an AI. I made a meme of a guy. It was Tom Cruise, not Tom Cruise, it was the guy from Titanic, Leonardo DiCaprio.
Speaker 1:Leonardo DiCaprio saying, sell me this pen. And the guy takes the pen and says, it has AI and deepfake, deepfake, yeah, recognizing software or whatever. Right, that's where the market is heading and they need those data sources. That being said, I believe that people are also moving in the opposite direction in regards to how they're providing that information, right. Now, the Wolf of Wall Street, yeah, that's where the clip is from. Thanks, Kevin, that's the clip from the Wolf of Wall Street. Sell me this pen. It has AI and deepfake recognition. Yeah, people are moving away from that. People really put up a lot of resistance to a non-encrypted, always-on recording program, whatever, and they're not the only ones. For example, we talked some time ago about Google locations, or, well, not locations, Google Maps, how it kept your locations, and now it's changing completely.
Speaker 2:Yeah, we kind of mentioned this on a previous episode, but now it's implemented correct.
Speaker 1:Yeah, yeah, I think. Yeah. I don't know if you've seen on your phone, or at least on mine. It gave me an alert about the changes and I took some screenshots that I shared in LinkedIn.
Speaker 2:Which are right here.
Speaker 1:Yeah, they look at you, always prepared.
Speaker 2:I went and stole them off your LinkedIn so it kind of just shows you the different settings, the timeline settings for the Google Maps inside of the account and what types of changes are going to be made. I think right, so the data is saved locally.
Speaker 1:Yes, yes.
Speaker 2:And if the data is backed up, it'll be encrypted and then for Google to see the data the user has to opt in.
Speaker 1:Yes, yeah, and even if you opt in, there's some timeframes. You have to do an extra opt-in to be like, yeah, I want it to be forever, or, you know, deleted in X amount of hours or X amount of days, right.
Speaker 1:You know, now, you know, this is just being real here with everybody. I mean, our audience is mostly folks that do this in the private sector, investigation in the private sector, or, plain, you know, public servants doing this for criminal investigations. And this is going to be a problem for lawful extraction, or obtaining data lawfully, right. Definitely, because now, that's the point I was making, these companies are moving. The companies are moving this way because that's what the users want. They want their data to be invisible, even to the people holding it. So the companies are saying, yeah, I have the data, police officer. Here you go, it's an encrypted blob and we don't have the password.
Speaker 1:Good luck, right? Yeah, and that's going to be a hindrance in that sense, which to me means that we should start thinking of going back to basics, those traditional investigative techniques, bringing them back to life again, and then also try to be creative in regards to how we do stuff. I heard folks saying, well, we need legislation about it. Is that going to be a thing? I don't see it. I mean, I'm opining, right, as another citizen. I got no inside information of anything, but I don't see any appetite in Congress to tell companies to not do these things, and that's what the public wants, and that's where we... that's what we're moving towards, period.
Speaker 2:Yeah.
Speaker 1:I mean, I think, I think you're right.
Speaker 2:I definitely think you're right. I think all kinds of providers are going to start storing the data this way, and you're right. The search warrant is no longer going to be as helpful to the service provider.
Speaker 1:Yeah, yeah, they will have to be... How can I say this? A lot of it's easy, and I'll be straight with everybody. It's easy to go and tell me, hey, examiner, just get this stuff from the phone, tell me when you're done. Another thing is that agent or that person to actually do the groundwork. What's the word I'm looking for? I heard an expression of, like, when the sole of your foot or your shoe gets all kind of, like, used. You walk so much. I don't know the expression, but I'll find it later.
Speaker 2:Yeah, that's fine. Somebody will throw it into the comments, somebody will throw it.
Speaker 1:Somebody will throw it into the comments. You have to go out and really do that. Walk and burn out that sole of your foot, doing some investigative work that requires you to be out and about. You know what I mean. Just telling me, here's the phone and good luck, it's not going to help the victims or bring justice. We have to do more, and that goes back to those... Wear the soles of your shoes. Thanks, yeah, we have to do that work even more.
Speaker 1:So we have this sometimes unhealthy dependence on technological sources of data, you know, computers, cell phones, stuff like that, and that's not enough. We've been watching, and we're not going to comment on this trial that we're watching. I was watching this trial on Court TV, and detailed data has meaning on its own, but even more powerful when there's some corroborating surrounding pieces of evidence. Just because you have a video recording, the video recording has to give you all angles. So that means you need to go further and get eyewitness testimony and get some physical measurements of things that happened to be able to build or corroborate some of that stuff. So there's just a lot of work to be done and we need to think that way, I think.
Speaker 2:Yeah, definitely.
Speaker 1:Look here Christian is saying Rob Abrams told him to firm it up. Right, yeah, you've got to firm some of that stuff up, and sometimes, if it's not accessible via you know digital means, you have to then think about how you're going to get to it some other way yeah, definitely.
Speaker 2:Um, so before we went away for a couple of weeks, I posted, uh, a post asking what topics listeners want to discuss or want to hear about, and we're going to just take one of our listener requested topics and talk a little bit about that. So, Jeremy McBroom, who is awesome, I got to meet him at Techno. He's a student and he's going to be a rising star in the digital forensics world. I'm 100% sure of it. His question was past casework that changed your perception of looking at digital evidence or impacted how you conduct your examinations. So he wanted to know, wanted us to discuss that as a topic.
Speaker 2:I thought about this question and I have to say so, when I first started my job at the lab, I was immediately overwhelmed by the knowledge that I did not have. I had no idea what people were talking about. When I would stand in a group of coworkers, I would have to go Google the different terms they were using and I actually called my mother, I think the first or second week of starting my job, and said I have to quit this. This is not for me.
Speaker 1:So glad I stayed. I believe you, but knowing you is so hard to believe you know so it's just so proficient, so proficient in what you do, that it's really hard to believe, honestly.
Speaker 2:Oh it was bad, I wanted out. I'm like I have no idea what I'm doing, like I'm a fish out of water here. I have no idea what I'm doing. So, with all of that said, I think there are some cases that changed my perception on not just looking at the digital evidence but making me want to stay at the job at the time. One of my very first cases it was a really horrible CSAM, so a child sexual abuse material case, and it resulted in a 360 year sentence for the defendant. So to know that I was part of that definitely made me value the weight of the digital evidence and my part in that, how I was able to help.
Speaker 1:Absolutely.
Speaker 2:And then my perception of looking at digital evidence. There's several cases over the course of my time at the lab that have changed my perception of how I look at digital evidence. I would always just look for the evidence to begin with, because I really didn't know what I was doing at first, right, so an example of that is a CSAM case. I might just be looking for pictures and videos, but you have to look for the supportive evidence that goes along with those pictures and videos. And I think conferences with prosecutors and testifying really helped change my perception, because I would provide them with what I thought was the evidence and then they'd ask me a question about that evidence that I couldn't answer. The answer was most likely in the data that I had extracted, but I hadn't thought of that, I guess for lack of better terms there.
Speaker 2:One specific case is a homicide case I was working on. I had an artifact that showed the defendant had turned the phone off and I showed that, that they turned the phone off during the time of this homicide and the question was well, how do you know that the battery didn't just die? And I think I've given this example on the podcast before, but sitting there. When I was asked that question, I didn't know that the battery didn't just die. I had evidence that pointed toward it being turned off.
Speaker 2:But the evidence in that data showing that the battery didn't just die and that the device owner had been charging it for a couple of hours prior to it being turned off, it was there. So I think going into these cases and having conversations with people who are involved has really changed my perception of looking at digital evidence and how I conduct the examinations.
Speaker 1:Oh, don't you. I mean that's, that's, that's some point. And I love when you tell that story about, about the dead battery, because it's just not, it's just not. The artifact is what is the meaning in context, in the real world, of the artifact and and sometimes we're, we're kind of used to being, you know, oh, these artifacts, five things were bookmarked or tagged from the case. And here you go, here's a one-pager report. How does that connect with the theory of the case? And I know we do a lot of cases, like we examiners in general, but we can be divorced from the main articles or artifacts of the case and how that provides light into that theory of the case. So I agree 100% with you and for me I'm going to come from another angle.
Speaker 1:Actually, yesterday was the eighth year anniversary, I believe, of the Pulse shooting in Orlando, which was a pretty traumatic day for the office, significant day personally. I was woken up at what was it? 4 o'clock in the morning and telling me to suit up, that they needed me right away, and I was half asleep trying to figure out what was happening. I started racing to respond to the shooting and the thing that changed my perspective from that experience, I'm not going to give any details on the experience, but it's the importance of you, examiner, that are listening to convey to your stakeholders what's important at a particular time, especially if it's urgent. Everybody has things to do, everybody has things they need to accomplish, but when we talk about digital evidence being volatile, it is, and it's even more so in challenging environments. I'm trying to say a lot without saying much. Hopefully, you folks can get the vibe of what I'm trying to get at and you might find yourself like I was, and you know I'm at the bottom of the totem pole. I'm just another dude that works right. I'm not a supervisor, I'm not a nobody.
Speaker 1:And sometimes you have to be look, knock on that door and talk to the person running the thing and say look, sir, sorry to bother you, or, ma'am, I need some important information for you. This is what I do and this is the things that need to happen for these particular things that you need, and we need to act on it now, and it takes a little bit of bravery from or just plain, um, zeal for the work that we do to do that, and it changed my perspective. Um, sometimes you have to speak out and you have to. You have to do what you have to do.
Speaker 1:Um, not they won't always listen to you. Thankfully, at least from my perspective, I was listened to and and we move forward. But even if they don't, you have to speak out. It's not on you to take the decision, but it's on you to tell the people that will make the decision, give them the proper information they need to make the decisions, whatever that decision is. For that, that changed my perspective a lot in how I communicate and things at particular moments. So hopefully that makes sense.
Speaker 2:It does. Christian says the examiner's mind is even more volatile, or the first responders for that matter. I couldn't agree more. I think everyone's capabilities and perception evolve the more training and experience that they gain. You're going to change and improve with each case you work on.
Speaker 1:Absolutely. Talking about improvement, I now have to show this. So you know you improve so much and Scott is absolutely right. He says that now you're famous and you are. People were lining up at Techno to meet you and you know it's true. Oh, my God, you know it's true.
Speaker 2:Everybody was saying the same thing to Scott the forensic scooter.
Speaker 1:Oh my God, it's the forensic scooter. So he can say that, but he, uh, he was getting just as many comments. Um, look, folks are listening. This community, and everybody that's listening knows it's pretty small, it's smallish and, uh, we're all colleagues and we rub, you know. Oh, you're famous. The community is so small that everybody's famous because we all know each other. Yes, yeah, so yeah, I mean, you know, it's a great place to be. I couldn't be any more lucky to do what we do, so definitely so.
Speaker 2:Speaking of Jeremy McBroom, who I saw is in the chats, we wanted to talk a little bit. He has a blog now, so it is called Yeah I Have a Question and it's at yeahihaveaquestion.com, and he says on his page that he entered the forensics world and found that he had a lot of questions. So there's so much to learn and even though he will never learn it all, he wanted to share what he does learn, so he has a beginner-friendly blog. Last time I looked there were like 10 entries, with a whole bunch of them being about Windows forensic examinations, and he just recently did a write-up on his time at Techno. So check it out because it's awesome and I can't wait to see his research evolve.
Speaker 1:I love the Socratic name of the blog. I have a question. I love the name and look, Kevin's going to put it on his blog roll on his Start Me page.
Speaker 2:Very good.
Speaker 1:And we talked about Kevin's Start Me page before, so we should put it back on the notes so people can have it. Oh yeah, it's a great resource.
Speaker 2:Definitely. If you don't know what we're talking about, it's the Forensics Start Me page and it has literally everything you can think of links to everything you can think of.
Speaker 1:All the resources are there.
Speaker 2:Mm-hmm. All right, so the next topic: analysis of browser artifacts from file sharing services. The blog that we're going to highlight is probably about six months old, but it has some really, really good artifacts in it, especially if you're working CSAM cases, because it's file sharing services and they share their files. So I'm going to throw up, share my screen here. There we go. I might be getting a little better at sharing my screen.
Speaker 1:Oh, you're being flawless this whole episode. Knock on wood, keep it up.
Speaker 2:No, now I'm bound to screw something up.
Speaker 1:Yeah, it's going to freeze or something.
Speaker 2:I'll put the link in the show notes, but this is a paper focused on web browser artifacts created from file sharing services like Google Drive, Dropbox, Mega and then Cloud Mail.ru, which is a Russian mail site. It has where the artifacts are located, how they can be interpreted forensically and how they can be used in your investigation. It's a really great resource.
Speaker 1:Yeah, it reminds me of Mattia Epifani from SANS. He has something similar, but for Android and iOS. It's kind of a similar format where you have the app and the different things the app has and where they're located, which I use constantly, and this one is also I'm adding it to my collection of use all the time sheets.
Speaker 2:Yeah, definitely, and announced today by Alex Caithness of CCL Solutions. There are some parsers for these artifacts built upon the open source project Chromium, and he has some parsers on the CCL Solutions GitHub and they were recently updated. He posted like five hours ago or something, that these scripts were recently updated. So if you are looking at these artifacts, go check out the scripts and parsers.
Speaker 1:Yeah, and let me give folks a little bit of a technical background on that. If you're not familiar with LevelDB databases in Chrome, or not only Chrome, any type of browser, you have to really check those out. By the way, Alex is on the chat. Yeah, I see him. Let's see what he's saying. Can you put it on screen?
Speaker 2:Oh yeah, so that browser artifact paper was based on CCL research. I believe there's a more detailed paper If you know who to ask.
Speaker 1:Ah, we don't want to ask.
Speaker 2:I think we do, and then we have a little, a little hint yeah.
Speaker 1:You know, we have almost the same name, so hopefully that that will give us an in into that paper.
Speaker 2:Yeah, I think so.
Speaker 1:No, but, like Alex was saying, there's some LevelDBs in these browsers that contain a lot of information that you're not going to get otherwise, and there's a lot of different structures within browsers that regular third-party tools scratch the surface on. So you need to really dig in, and this research paper and the tooling, the Python scripts that go with it, invaluable resource. So check them out, yeah definitely so.
Speaker 2:I have not talked about a paid tool in quite some time, but I recently had a chance to demo and try out VFC from the company MD5. So they're a company that is out of the UK and they provide digital forensic and e-discovery services, but they also have this tool called VFC. So VFC Mount, which is able to mount images for you, is a free tool. And then they have VFC Lab. So the VFC Lab has a whole bunch of features.
Speaker 2:I'm probably not even going to hit half of them, but they have a password bypass tool. They have a standalone VM. You can launch your mounted image into a virtual machine. They have the capability to inject files, so it allows you to inject third-party analysis software into the VM while VFC is generating the VM. There's triage tools inside that will pull out recently accessed files, recent apps, recent URLs, installed applications, documents, Windows history and more, and I was able to try out the virtual machine, so I have some slides here just to show you what the tool looks like and its capabilities. So this here is the VFC Mount, which is the free tool that you can use to mount images.
Speaker 1:And images like E01 type of images, stuff like that, right? Yes, exactly.
Speaker 2:So I mounted an image and then was able to go in and choose the partition right. So I'll choose the partition where the user data is and the tool will analyze that and once it does, you have the option to launch the E01 into a virtual machine. So there's our little buttons launch later, launch now, and it launches right into a virtual machine. But the cool thing about this was that it bypassed the passcode. For me, it was able to utilize the software to bypass the password and then when I relaunched, I was into the actual user's desktop. I don't know what the password was to this, but it enabled me the capability to just put in any password and launch into the user's computer.
Speaker 1:Yeah, I mean the technique is not new, right? You just go to the registry and you blank it out or name it what you want. So it's a super old technique. But I like the automation and we've seen other tools. Like Christian was saying in the chat, I was reading that EnCase used to do that. I think also some folks in the chat, Arsenal Image Mounter does it as well. So this is another tool kind of within that space. So I'm really glad to see the space, you know, kind of competing, different companies competing in the space to make sure that we get the best product for our cases. Mounting images this way to visualize the environment as the users had it, incredible tool when you're preparing exhibits for trial or whatever it is.
Speaker 2:Yeah, we previously, so I'm showing this tool today. We previously did do a demo of Arsenal as well, which has similar capabilities. So check that out as well and then go out and try them. Ask for a demo, see which tool you like better, um see if your agency will buy it for you.
Speaker 1:But this, this tool, was great. No, absolutely great point, um, and folks are continuing to evolve these tools and we're the beneficiaries, so that's, that's awesomeness. Um, one other thing that I will mention too, is they, uh, a portable version of the VFC, so you can take it out in the field with you.
Speaker 2:If you're out in the field trying to examine, there's a portable.
Speaker 1:Like you run it without installing, like kind of portable like that.
Speaker 2:Yeah, on scene. So it's the same functionality as the VFC lab, but it has added features to make you be able to use it in the field.
Speaker 1:Okay, it'll be interesting to research what those are. Yeah, absolutely.
Speaker 2:Yeah that I didn't demo, so maybe a future demo.
Speaker 1:No, no, no, Absolutely, absolutely. Oh good stuff, I like it, I like it.
Speaker 2:Yeah, definitely. Another person that I not met, because I've met him before, but got to see at Techno, is Damien Attoe. So he's the director of professional services at Spyder Forensics and he has just started a SQLite free list page checker that he's hosting on the Spyder Forensics GitHub. So there's some Python scripts and it will iterate through the free list trunk pages and identify all of the free list leaf pages in a SQLite database. So I'm going to show you actually how that works.
Speaker 1:And those who don't know, Damien, he teaches courses at IACIS as well on databases and different data storage structures, so he has a really good class. I think he does it under, obviously, the company Spyder Forensics, but they are offered at IACIS and that's where I met him. He had me speak at his class quickly about a few short topics, so really nice guy.
Speaker 2:Nice. So let me share my screen here. Okay, so his scripts use Python, so Python and then, um, I'm going to just show first the SQLite header parser. So if you're not familiar with the SQLite header, there's a ton of data inside of the SQLite header that gives you information about the SQLite database.
Speaker 2:It'll give you the page size. It'll give you whether vacuuming is turned on or off. It tells you if it's utilizing a journal file or a WAL file, and he has automated the process of pulling this data out of the database. So this is what it will look like. You can also output it to a CSV, which would be great for your investigations or reports. But if you look here on my screen, we can see that the page size is 4096, that it's utilizing, this is the address book SQLite from an iOS, it's utilizing the write ahead log in this particular database, I believe. So auto vacuum is not on.
Speaker 2:But he also has, in this script over on the right-hand side, an examiner tip. So it'll tell you information about these different, I guess, different things that are stored inside of the SQLite header. So like this one, auto vacuum. So it tells you, if auto vacuum is enabled, there will be no, no free pages. So it just gives you little clues as to what you're looking at, and I am going to run the next one here. This is the free list pages script. Oops, I forgot something, so you had to go say I wasn't going to screw anything up.
Speaker 1:You're just missing one argument. You have an equal before the argument. Take it out. Yeah, just a little argument, that's it.
Speaker 2:There we go. So in this particular database there are five free list pages and it gives you the page number, the file offset that you can find those free list pages, the page type, the allocated cells, and it tells you it does an unallocated check. So it'll tell you if that page has non-zero values located within the page. Unallocated space.
Speaker 1:I like that. I mean hopefully, yeah, hopefully, he builds, he goes to the next step and then says and we pulled out the content of that note or whatever it is you know.
Speaker 2:I think he's planning on expanding these scripts. According to him when we were at Techno, he's planning on expanding his work on these.
Speaker 1:No, that's super useful. I like the detail because a lot of the recovery tools, even open source ones, they just pull the stuff out and the traceback is hard. This type of traceback is easy and the folks that are just listening we have on the screen a nice little table with every little column explaining what it is. So if you pair that with the actual data being pulled out, gold, gold.
Speaker 2:Yeah, and then there's a third. It's the page info, so let me just hit that one. Just scroll back up here.
Speaker 1:It will give you the page number, file offset, page flag and page type for the pages. Yeah, some of that stuff is good informational stuff. Obviously you know if things are where they need to be then you'll see it in a database right when you run a query. But I'm really interested in the recovery aspect of these databases. Um, so any tool that gives that detail and then actually does some recovery, it's stuff that I'm always happy to have. So good job, good job on Damien to start putting that content out, that tool out.
Speaker 2:Thank you. I'll put the link to his GitHub page in the show notes.
Speaker 1:Heck yeah Good stuff.
Speaker 2:Yeah, so we are at what's New with the Leaps.
Speaker 1:There's always something new. Folks. Folks come to me. While I was out in Mar del Plata in Argentina, my God, some data, that about an Audi app in your phone, in the iOS device, and it's pretty neat because it has some JSON data about the trips the vehicle has done, which is amazing. You don't think. You don't think about maybe the phone, I'm sorry, the vehicle putting data in your phone. We actually think about, well, we connect our phone to the car and then it sucks in my data into the car infotainment system that then later can be recovered. But this is the opposite, right, the phone is sucking in information from the vehicle and it has the trip, how the trip, how long, how many miles, the speed, a bunch of stuff. So it's all JSON data, so it's not hard to parse. So I did a couple of parsers for that. So that's in there, in iLEAPP. Now, if you have an Audi, you know app for your career car, pretty cool. And then Francis, cooler again he's up. But in during those times he added some of those more of the photos.sqlite queries, and we're working on optimizing some of those, I mean some of these.
Speaker 1:It's kind of tough because some of these queries are humongous and the question is well, do I put them in memory? It's not a discussion I was having with or not a discussion, a conversation I was having with Bruno the engineer up in Argentina. How do we optimize that? Well, the first option is put it all in memory. But some of these queries are huge, like huge. So if you want to put a query that's supposed to be a couple of gigs, then what right? If you don't have enough memory or using a computer, that's not the best, because let's be real here, we don't all have Talinos in our labs and we wish, or a BitMind's computer. I don't want to be, I'm open to any of those. So then what? So we're discussing how to make that fast. So some of these queries are going to not be enabled by default in the tooling.
Speaker 1:So folks need to look at Francis Cooter's blog where he explains each query where it does. And then my suggestion is, if you need to do some deep analysis on the photos.sqlite database for your cases, go look at his blog and you can pick out which queries are more suited for your investigation and you can run those. Now, if you have all the time in the world, then you know, just run them all and just wait. If you have enough time in the world, who cares, wait. So it all depends.
Speaker 1:A quick note. Laurie is saying has anyone researched and tested the MyChevrolet app? I haven't, but if you have a Chevy and you can put the app on it and create some test data and send it my way, I'll be happy to give it a look and if not, use somebody. Yeah, Bruno's saying get more computers and more RAM. So that would be the ideal issue. He's joking. Obviously it's not always possible, but yeah, so we're going to try to work on finding ways of speeding that process in tooling. And for the coders out there, when I started coding almost 20 years ago or more, we were taught to be efficient with our code. Nowadays, systems are so powerful that code is sloppy because we're going to compensate on the back end with a fast processor and a lot of memory, and that's not always. That shouldn't be, that's not the way. So we're working on that. Anyways, I digress, we also worked on putting the. So we have in the Leaps, all of them. They produce SQLite database with a timeline. So any artifact that? Oh, I had to stop here.
Speaker 2:Scott says yes, sorry they're so long. At least you're the one doing it.
Speaker 1:Yeah, no, I mean, Scott, we need those to be that long. I rather have more than less.
Speaker 2:Definitely.
Speaker 1:So it's all good. Yeah, so we have a SQL database that keeps every artifact that has a timestamp is going to be dumped in this database, and before I did some quick crappy job of the data, I kinda put in some kinda delimited crappy field. Now it's actual JSON. So if you wanna pull stuff out from the SQL database, the fields are JSON, so you can actually kind of automate some of that work from that database. If you want to use it as a source to make a secondary report, right, most people are not going to, but the option's there. So we added that.
Speaker 1:I added today, before I head over here for the show, a whole bunch of updated Snapchat parsers for search warrant returns. Okay, they changed the format. What they're doing now is, and I hate it, it's kind of confusing. They put like a header and then the different rows of what the data is.
Speaker 1:Well, let me. I missed it by. That's not true. They start first with an explanation of what the thing that's coming and then what each field means, and then after that they put the data and then, after that data block is done, they have another title, another explanation for the next thing, and then that data is all commingled there. So it's no. There's no clear path. Well, there's a pattern, but it's hard to work with. So what I had to do was figure out where are the blocks that do the explanations, and ignore those because I don't need them, and then focus only on the data to be able to create reports.
Speaker 1:So right now it does chats within Snapchat, subscriber information, friend list, your location info, IPs info, some settings, some of the memories, story data. There's a whole bunch of stuff. Christian asking, business records, like Facebook. So Facebook also changed their returns and their user data dumps. What that means is that you go to the Facebook portal under your own account and you can pull out your own data, and all apps do that thanks to the, you know, European government, governments, right, the regulation requires these providers to provide that, give that to the users, and they changed. They changed the HTML. I haven't. I have a sample set. I haven't had the time to look at it, so I'm hoping to start working on it soon. It's just so much, but at least the Snapchats are done. So if you're an examiner that works these cases and Snapchat is involved, at least you have another way of viewing that data so you can link the conversation with the image that goes with it, because doing that by hand is next to impossible. Does that make sense, Heather?
Speaker 2:That makes sense. It's funny you're talking about the Snapchat returns too. I'm just thinking there was a message asking for help with that on the listserv yesterday.
Speaker 1:Oh, really Yesterday.
Speaker 2:Yeah, we have to go tell them it's updated.
Speaker 1:I'll respond yeah, tell them it's fixed. You just need to point the tooling to the zip file. You know that the zip file returned and if there's multiple accounts, it will pull them all in one report and you're good to go.
Speaker 2:Very good Awesome.
Speaker 1:Yeah, oh, and last one. Samsung Honeyboard text and screenshots. They're also provided in ALEAPP for Android devices, so you can check those out.
Speaker 2:Nice, very cool. I have to get contributing more.
Speaker 1:Yes, you should, yes, you should. I know.
Speaker 2:I know I have one. I have to finish still.
Speaker 1:Look, you took a whole day Python class at Techno. So come on, I did, I did. You got to put that knowledge to work.
Speaker 2:I may still need you even after the whole day. Python class.
Speaker 1:It's okay, we'll both ask ChatGPT together. How about that Perfect?
Speaker 2:Yes, yes, awesome. So everybody's favorite time meme of the week. Let me share my screen here, share my window.
Speaker 1:I loved this one. Tell us.
Speaker 2:Tell us what it is. So when you're going through all of the images in a case, and it is a GIF, however you want to say it, of a finger just clicking away on the mouse, um, it is so relatable. I loved it and there was like a huge following of comments under it on your LinkedIn and I'm not sure everybody in there was getting what my frustration with the going through the images in a case from your post. But I definitely understood the post completely.
Speaker 1:Well, see. So folks that have done this type of cases like we have, I mean, it's tons of images, right, and you're clicking, clicking, clicking, clicking, clicking. I clicked. I had a case where I was doing I was IDing 200. I got this is back in the day when they expected you to look at all of them, so I ended up tagging like 250,000. And I told my prosecutor I'm done, I can't, I'm not, I'm not going to be going through more. This is more than enough.
Speaker 1:Now, the thing is that the point I was making, the comment that went with the GIF, is it's not so much that I need some way of looking at images faster. That was not the point, although it is true that it takes some time if you're going through all of them. The point I was making and some people misunderstood. They were saying whoa, that's why we have AI, that it can categorize the images. And you were talking crap about AI the other day, which you know I really wasn't. I was just making the point of providers trying to differentiate themselves with AI. It's not a differentiator anymore. Everybody has AI, so who cares? You know what I mean. At the end of the day, the AI needed to do the examination, the examiner does the examination and again, nothing against AI Useful capability, hopefully, as it develops.
Speaker 1:But the point I was making was not that. The point I was making is that there are some images right and it's not. I don't care so much about the content. Okay, because the AI could be tell me all the pictures that have, let's say, a gun in them or money in them, the classic examples. But that's not what I'm talking about. I was talking about images that have some meaning contextually, not metadata. I'm not talking about timestamps or exit. No, I'm talking about these images were placed in a particular app in a particular place. What does that mean and how does that affect my case? And if it has some meaning, I want an artifact that tells me that, because if you put that image in between all the other images, I'm going to miss that contextual meaning.
Speaker 1:The example I gave in the post was the image cache, one of the image caches in Androids and some of these image caches and the one that I forgot the name right now, but I described in the link in a video that I made. It's an image cache. That's done Glide, the Glide, thank you. The Glide cache. Apps that use Glide, they will render the images from within the app, there in this location, right, and some apps that are used to hide images, they will hide the image, but the Glide cache keeps them okay, and that's important because it tells me a couple of things. It tells me that the app was open, that a user had to render it for it to be shown, and it tells me what's being hidden.
Speaker 1: And if I don't have, for example, a Glide artifact that tells me that, it's just gonna be one in a million pictures and it won't tell me anything, it won't really have any meaning to me as an examiner, as I'm going through a million pictures like that mouse, click, click, click, click, click, click, click, click, click, click, click. It's not going to help, right? So I think, you know, folks. I say folks, but I say vendors, so people that do coding, like I, like we do: think about the contextual meaning and then make artifacts based on that. Sometimes it's not just the content, it's where the thing was, under what circumstances. Does that make sense?
Speaker 2: It does. So I think of the... Have you seen, and I'm sure you have, in your investigations the images that have in their file name FB Downloader. So Facebook Downloader. Putting the contextual meaning to those is really important, because it does not mean that they were downloaded from Facebook. They're literally cached. I could go visit your Facebook page today and your picture is in my phone with a file name of FB Downloader. So I love the idea of putting the contextual meaning of images in the tools, if possible.
Speaker 1: Oh, I mean, and we should, and you know I'm trying to, you know, walk the talk, right? I have an ImageGlide cache artifact in ALEAPP because of that. So when I go to the artifacts, I know that there's some use. The user had to do something for these images to be generated and I know where they came from and why, and that's important. And just dumping the images in this media category, we have to do it. But we should try to go a few steps further and start looking at this type of stuff. I've got to make some comments here. Brett is here, so we're always happy to see him around. He came for the DFIR but stayed for the meme of the week. Well, Brett is up in his meme game too. Actually, we're going to talk about it next episode. It's at the hour right now, but Brett has been putting out a couple of really good articles lately, so we're going to be talking about it next episode. So don't stay for the memes, stay for the Brett Shavers' commentary here.
Speaker 2: Absolutely. I've had a chance to read those. We have to get those in next week.
Speaker 1: Yeah, no, they're pretty good. I always read them and we're going to talk about them next week. And again, this applies to any type of artifact, right? What's the contextual meaning? What does the thing tell you beyond the content of the image or whatever it is? So that's why I made that post. Hopefully folks, well, not everybody got it, but hopefully most people did get the point.
Speaker 2: And I just love the meme.
Speaker 1: So no, I mean, it's true, we're sitting there and you have to scroll, and that's what you do. You go click, click, click, click, click, click. I'm just not saying click anyways, anyways. So I think we came to the end, right, for this week?
Speaker 2: We did.
Speaker 1: Yeah, that's it for this week. Yeah, we're both happy to be back after all the different things, and yeah, we'll have another show in a couple of weeks. Yes, I want to thank everybody in the chat. The chat was super active, Christian was sharing a lot of thoughts and I didn't put them all up, but I read them all, we read them all. Yeah, same thing to all the folks here. I love that we're building a community of examiners, by examiners, for examiners, right, in regards to the things that we want to talk about, like we did this episode. Send us your ideas and topics and then we'll bring them up in the show. I'm gonna post about it.
Speaker 2: Any topics that you want us to research or talk about, add them to that post and we'll pick one and try and include them weekly if we get enough people contributing.
Speaker 1: Absolutely, yeah. Please come on up. Our LinkedIn, look for the Digital Forensics Now podcast, or, you know, any of our social media, mine or Heather's, and we'll definitely try to hit those up. Yeah, all right. Anything else for the other header?
Speaker 2: That's it. Thank you so much, everyone.
Speaker 1: All right, folks, see you in a couple of weeks. Thank you, bye, bye, bye, bye, bye, thank you.