Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
What To Expect When You Are Expecting a Digital Forensics Class, Two Hardware Solutions, One Neat Tool Capability For Windows, and a Partridge in a Pear Tree.
Get ready to journey into the world of digital forensics as we share our insights on the crucial art of using a diverse range of tools. A single tool just won't cut it, and relying on only one could cause you to miss important finds. We also give our listeners the floor, inviting you to voice your thoughts on the IACIS Advanced Mobile Device Forensics class and the topics you'd love to see covered.
How do you feel about forensic extraction tools? We dissect the distinctive features of hardware tools like duplicators, the OpenText TX1, and the ArcPoint Forensics Atrio, and dive into the latest updates from OpenText and ArcPoint Forensics. The TX1 update makes it possible to create Android and iOS backups directly from a duplicator, a game changer in the field. With Atrio, we open up an intriguing discussion about its forensic triage and AI capabilities, discuss the role of AI in identifying CSAM, and brainstorm ways to enhance the tooling.
We share our own learning experiences from various classes, highlighting the absolute necessity of continual learning and outside research in this ever-evolving field. We also explore the features and potential of Arsenal Image Mounter from Arsenal Recon, a digital forensics tool that mounts and virtualizes E01 images. Its ability to bypass the password at the Windows logon screen and then access DPAPI-protected data is a must-try. Whether you're a seasoned expert or just dipping your toes in the water, this episode is sure to pique your interest in the vast world of digital forensics.
Notes
IACIS Advanced Mobile Device Forensics (AMDF)
https://iacis.com/training/amdf-advanced-mobile-device-forensics/
OpenText Duplicator Update
https://www.youtube.com/watch?v=L3qGa7H6NBs
ArcPoint Forensics
https://www.arcpointforensics.com/
DFIR Diva
https://dfirdiva.com/
Arsenal Recon
https://arsenalrecon.com/
Hexordia Mobile Data Structures Virtual Live Training
https://academy.cyber5w.com/courses/hexordia-mobile-data-structures-dec-2023
Speaker 1:Good morning, good afternoon and good evening, wherever you are, whatever day you're listening to us. For us, today is Thursday, November 30th 2023. As always, I have the pleasure and the honor to be accompanied by the master, the forensicator, the script inquirer, the master tester, the Brain to my Pinky, as we try to take over the digital forensics world, the one and only Heather Charpentier. The music is "Higher Up" by Shane Ivers and can be found at silvermansound.com. Heather.
Speaker 2:Hello.
Speaker 1:I bet you're asking yourself the pinky to your brain? What is that?
Speaker 2:all about. What are you talking about?
Speaker 1:Heather was not introduced to the joys of the Animaniacs cartoon show when she was growing up, so no, I have not.
Speaker 2:I have no idea what you're talking about.
Speaker 1:Other than turning you for a loop with a reference that you don't get because not your fault. What's going on? What's going on with you? Last time we were on the show.
Speaker 2:Ah, nothing much Just been busy, busy, busy, busy at work, busy preparing for today and crazy busy. How about you?
Speaker 1:Well, those of you who are watching can see that I have a baseball cap on, because in Florida it got cold, which means it got to maybe the high 40s at night and the mid 60s to high 60s in the afternoon. In Florida that's cold and people bring out their.
Speaker 2:Ugg boots. Is it Ugg Ugg?
Speaker 1:Yes, I pronounce it. I'm a hater. No, but it's been a little bit. I mean it's not been that cold, but I put a hat on just because.
Speaker 2:That's a beautiful temperature, my favorite.
Speaker 1:Up in the frigid north next to Santa, where you live, I bet 40s is perfect. Yeah, but no, I mean doing a lot of forensics, a lot of work. I'll be traveling soon for work, so we'll discuss in the next podcast how that went, and just ready to go. Oh, obviously we're working. Actually, that leads really nicely into it. We're working on the content for the IACIS Advanced Mobile Device Forensics class. Say that three times.
Speaker 2:We are. We've been working on creating the content for the IACIS Advanced Mobile Device Forensics class. You're right, that is quite long and difficult to say. So if anybody's interested in coming and taking a class at IACIS, Alexis and I will be teaching that class and it is going to be at the end of April, last week of April or first week of May. Two separate classes, two separate week-long classes.
Speaker 1:So yeah, and don't worry, we're not going to be streaming it live or anything, so you'll be fine. And if you would like to, and I say please do, it's going to be a good class and we're in the creation process, so as we're going through it, reach out to us with some of the things that you might want to see and we're happy to see if we could do that as well.
Speaker 2:Yeah, absolutely.
Speaker 1:So and you say it's in April, right April, and to May, I think April.
Speaker 2:Yeah, so last week of April is the first week of the class and into the first week of May is the second week of the class.
Speaker 1:Yeah, but it's like two sessions.
Speaker 2:Yes.
Speaker 1:Yeah, so you're not going to be there two weeks, just one week.
Speaker 2:Right, correct.
Speaker 1:Right, and yeah, in the class we're going to discuss obviously more advanced topics, we're going to discuss some data structures and, you know, there are kind of more manual ways of doing that and there are also tools to do that, right. And that brings us to tooling, right, and important stuff. And yeah, don't say your tool is the only one you need, right. So let me show you here. I showed everybody here, I did a post, what, last week? I think.
Speaker 2:Yeah, it was last week.
Speaker 1:Yeah, and it was a post on LinkedIn. Right, since Twitter, I've been moving pretty much my social presence to LinkedIn, and I have it on screen here. So I'm going to read it for the folks that are listening. I have a point.
Speaker 1:Don't claim that your tool is the only tool. Is the... I'm sorry, let me start again. Don't claim that your tool is the only one everyone needs. You know it's not true, and we do too. Not only does technical discovery never stop, there will never be one tool that fulfills everybody's use cases. And then I said look, tell us what your tool is good at. What are the killer functions and capabilities? Explain how it fits within the toolbox, because we all know it will never substitute for it. And the kicker for that is I got a little meme, as always. Google search says "you only need my TTAF friends tool" and underneath Google is responding "Did you mean how to make sure you're missing evidence?" And you know I'm making that point there because it happens with, I mean, pretty much all tool makers. At some point, the PR department goes this is the only thing you need, we do everything and you don't need anybody else. And I don't know about that approach, what do you think, Heather, but I don't think it's the right approach.
Speaker 2:Couldn't be more wrong. I use multiple tools on every single case and I feel that if I only used one, it would be a complete disadvantage and I would definitely be missing evidence. Use everything you have, everything in your toolbox. Why just use one tool ever? I mean, one tool could definitely be better than another on a particular case, but it's never going to be the only tool that you need for a case.
Speaker 1:Well, I mean, and you can say, well, in some of the conversations, well, some of these tools might share processes or libraries, and that might be true, right. At the end of the day, and we say this in every episode, the main piece of evidence needs to be checked by hand. I say by hand figuratively, right. You need to put eyeballs on it, bring out your hex viewers and stuff like that and verify some of that. But there is value to having multiple tools as a validation process. And look, even if the tool were to do everything, you might not like how it looks at the end of the process. It provides an output that's not usable for your use case, or it's too complex, or it's too simple, or it doesn't give you the flexibility that you need for your stakeholders. So if any of the vendors are listening, I would suggest you refrain, because at the end of the day I think the value, or at least how the market is.
Speaker 1:This market is weird because in most markets, in my opinion, if there's competition, by me beating my competitor I'm getting the market share, you know, I'm good, right. And in this business, having competitors and kind of being part of an ecosystem that builds around each other, I think brings success not only to the market leaders but to everybody else, right. Being part of that, it has to be like an ecosystem mentality. Does that make sense? Because it's unavoidable. In the tech world, especially digital forensics, the advancements are so quick because we're responding to developments in the operating systems, developments in the platforms, developments in the cloud storage world and all types of stuff, and the change is constant. So you're saying I'm going to be the one to rule them all, like Lord of the Rings. That's not happening.
Speaker 2:No, it's always nice when the vendors realize it too. Like, I've had vendors say to me, our tool doesn't do that the best, try this tool. And there are certain vendors that will admit that this other tool does that better than us. And it's great when they're able to admit that and let their customers know.
Speaker 1:Oh no, I mean, and it comes to, you know, you're being straightforward, and when you come with a new capability I will definitely pay attention to you, right? Because I know you're not BSing me. And you know, also, I don't think the Detroit hard look is a good look, so let's... again, we're all fine, it's our show, we can do that.
Speaker 2:Right, exactly yeah.
Speaker 1:Oh, and let me, yeah, I was going to make a comment, but I'm not going to, it's okay, let's move on. All right, so we have tools and, you know, actually, let me take the comment out, let's bring out the banner. So the banner that we have for the next section, and it's something, tooling that I've used a lot, right. So I've been using, and most of the folks that are in this business have been using, duplicators for a while. And for those that are not familiar, a duplicator is a little hardware box where you put your source drive on one end and your destination drive on the other and it does, you know, a forensic extraction, be it E01 format or other more modern formats, although E01s continue to rule in, you know, kind of endpoint forensics and stuff like that. Or you can get a logical extraction from whatever device, right, and it goes to the other end and you have it, and there's the tool's log.
Speaker 1:So recently OpenText, and they're the makers of the TD series, and I say TD1 out of habit, because I had a TD3 a million years ago and I should have brought a picture. I didn't, but I had one a long time ago. And let me show you one of the latest ones that they're using. Let me see if I can bring it up. So these little boxes, like I mentioned, some of them might have buttons to press or a screen like a phone. It's like a tactile type of thing, so you can do your work. Actually, I did not. I had the picture. I don't have it, but that's fine. So recently, and I am going to show this part though, Blue Monkey Forensics is a great YouTube channel.
Speaker 1:I know the creator behind this channel, a really legit examiner, great human being, a person of mystery, literally. Really good guy. He made a review of the latest update for the TX1, which is one of the more recent models that OpenText uses for these duplicators. I think they have a TD4 now, the latest model, I believe. Something that's cool about it is that now you can get Android and iOS backups created from the duplicator, right. So you take your little duplicator box, you're working on some drives, a phone comes in, you put your phone in the usual mode, right? If it's an Android device, you put it in developer mode, and you know that, and it does a logical backup for you, which is pretty neat. Right now, in regards to the duplication and extraction process, the tool is kind of becoming an all-in-one, right. So I think it's a pretty cool update to that capability. What do you think?
Speaker 2:Yeah, it's pretty cool. It's definitely an awesome capability added in. I mean, obviously you want to get the full file system with Premium or GrayKey, but sometimes the Android backup is what you need to go for. I've had times, too, where I can't get the full file system, where I just need the Android backup or the iOS backup, and I mean it would be a great option to try.
Speaker 1:And maybe for us in law enforcement, I mean, we want that full file system, but I can see a lot of utility in this, like in the corporate sector, where you might be interested in just the text messages. And then, assuming, I don't know the details, assuming that this device has an agent to pull the text messages, that might be all you need, pulling the text messages. Actually, I was thinking, I mean, it was actually the author of the video, and I was thinking as he was saying that, he expressed: does that mean that OpenText is moving into the mobile forensics space? Which I think would be awesome. I think it would be good. Again, like I said before, the ecosystem. The ecosystem grows everybody. The competition makes everybody better, because everybody's good at different things, because the technology moves so fast. And if they're going that route, I hope so.
Speaker 1:I mean, I would totally go for, or would like to see, other TX products, those duplicators, doing full file systems, right, actually being able to get a full file system extraction, or even maybe getting into the device and getting that root or, you know, jailbroken, administrator, superuser access, and maybe not do a full extraction but, with that access level, do a targeted extraction. Because, again, in our field we want the full file systems, but depending on the use case you might not need everything on that full file system, right, you might just need particular chat applications, whatever it is. Right. This is a good update. And that duplicator space, competition is heating up. And, yeah, iOS 17. Geraldine is saying that, I'm looking at you, iOS 17. I'm looking at them too.
Speaker 2:I think we all just want iOS 17. Please, anybody who can get it, it doesn't matter which company. Please get us iOS 17.
Speaker 1:I really need some SEGB files, the new version, so I can actually, you know, dig into them. But yeah, so there's a lot of development. So you have a TX1 and, as a typical examiner, you put that firmware on and you're like, yeah, I validate my write blockers every year. Yeah, you validate your write blocker. When is the last time you changed the firmware on that thing? 2007? So go and download the firmware update, or a little program to put on your computer, and you connect your TX1. Well, actually the TX1 is a little bit different. With the TX1, you take the SD card from the device, then connect it to your computer and it will update the firmware on the SD card, and then you insert the SD card back in. So, yeah, we need to do that firmware at least once a year, at a minimum. But no, the space is heating up, and with that we have a good product in that kind of space that Heather's going to introduce us to.
Speaker 2:Yeah, so recently, actually, Alexis and I both had the chance to work with the ArcPoint Forensics Atrio, and I actually have it right here with me so I can show what it looks like. A little handheld device here that has a ton of capabilities I'm going to talk about, and I'm not going to do a live demo with it, because, oh, before you take a picture you should again.
Speaker 1:Yeah, so there's something. Sorry, I'm trying to say this. So folks that are watching can see the buttons, right. So it's five rows across and three rows down, and the buttons are lighted and the content of the buttons changes. And I want to say, so people are clear, those are Stream Deck buttons, but don't get confused. Okay, it's only the buttons. Behind those buttons is a full, you know, proprietary, different deal, right? So people say, hey, isn't that a Stream Deck? It's only the buttons for pressing, that's it. Behind that thing it's a whole other ballgame. So just to make that clear.
Speaker 2:All right, so let me just share my screen here. So here are some close-ups that you can't see with me holding it up, but this is the main screen when you turn the Atrio on, and it has numerous capabilities. It has the capability to image and file carve. It has wipe capabilities, hashing, virus scans. It has some reporting capabilities and it has AI capabilities within the Atrio. These are some of the reporting and processing capabilities that it has. It has the capability to process the registry and process event logs. Photo processing and audio are just some of the processing options, along with email, documents, deleted files, browser history. And then for imaging options, you can see on the screen it has E01, DD, AFF4. Android backup is also included in the Atrio imaging options. And then there are some carving options. It can do unallocated space. It can carve the entire drive.
Speaker 2:And then my favorite part of the Atrio, here we have the AI options. There are photo AI options, so there's object detection. In the object detection there's guns, license plates, people, vehicles, street signs, beds, graphic content. It has a CSAM feature that can be requested, and those are just some of the options for the photos. There's text from audio, so the text from audio actually transcribes WAV audio files into text, and it can convert other audio types into WAV and then transcribe those. There's text translation, which translates text files into English and supports seven languages. I actually tested this one out. It did a PDF as well. So I typed some stuff in Spanish into a text file and then also created it in a PDF and it translated those for me. It's able to scrape PDF and doc data. And then I thought I had a slide of the languages, but there are seven different languages in there.
Speaker 2:And then I have the Atrio hooked up. I was imaging a drive, so they actually provide a drive here to use as your output drive, and the source drive I have hooked up, and I imaged this drive. It was very fast for imaging, and once it was done I did some of the processing options. Once it was done, the results all go out to the drive, and this is what the results look like in their file structure here. So the acquisition goes into one folder and the results in another. We have the acquisition and the hash and then a progress report, and in the other folder there are folders for IREN, deleted documents, deleted multimedia, and then documents, multimedia and photos, and then there are results reports. So these are the reports about the actual acquisition and about the drive itself.
Speaker 1:Nice.
Speaker 2:So it's really a neat little tool. I actually enjoyed testing it out. There are more functions that I didn't get a chance to test yet, and I actually got to meet with Amy from ArcPoint and we discussed my likes and dislikes, and she's really open to listening to what you like or dislike about the tool and making changes if there are dislikes. So I really like it and I'm going to continue testing it until I have to give it back, which is probably going to be soon.
Speaker 1:Hey, are you giving the device back? You're like, what, back?
Speaker 2:Yeah, I'm sure I'm going to get a shipping label in the mail eventually, but I haven't gotten it yet, so I'm going to continue to mess around with it. Hey, hey, Briggs, Heather's emails I'm sending her are bouncing. Yeah, the email will be coming soon.
Speaker 1:Well, let me, I want to give a few thoughts on the product. So obviously we both tested it, and I think the big differentiator, like I said, in the duplicator market is duplicating, right. That's the main focus, right. So I'll make some comments on the market at the end. But for the Atrio product specifically, I think the big benefit the tool brings is this combination of processing, just plain processing on site, because duplicating, you know, if you're going to duplicate a whole drive in an hour, I mean it's never going to be quick, right. So having a unique device to copy stuff in the field, to me it's not a big deal. I can bring a laptop, a few cables and FTK Imager, which is free, and do it, right. But the big benefit, I believe, is in these devices having these analytical capabilities in the field which you wouldn't have on your laptop at that level, because your laptop is not designed for it, or doesn't have the unique focus or power to do those, right.
Speaker 1:The AI stuff. I did some testing with the AI for CSAM material, for those not familiar, that's child sexual abuse material, and that's it, I'm not going to go into details with any of that, and it was pretty efficient and it found the things. Then it becomes, I think I've been pushing this also a couple of episodes ago, how can we take this and take it to the next level? For example, for those in law enforcement, we have access to a database called Project VIC, and this database is hash sets, or hashes of files, that serve as indicators of contraband, and I'm going to refer to these images moving forward for this discussion as contraband. I want to find that contraband. Obviously, that's known because we have a hash for it, we hashed it, we have a unique digital fingerprint for it and we can identify it. The AI will also try to identify this contraband, but it's not based on the hash, right. It's based on the LLM/ML algorithm that the artificial intelligence was trained upon, obviously with law enforcement and all that done properly, of course.
Speaker 1:Now, this is the part that I'm thinking about, taking the next step. What if the tooling on site is able to say, okay, I'm going to look at these hash sets and concurrently do the AI processing, and as those are going at the same time and when they are done, I want the tooling, for example, to say, okay, show me all the hits that the AI had that are not part of the known hash sets, right? And why would I want to do that? Because at that point I'll be minimizing the universe of possible evidence to possible contraband that has not been seen before.
Speaker 1:Okay, which could indicate that we need to really work on finding information about this contraband, because the main purpose, the only purpose here, is to save children, right, that are at risk right now. Okay, but look how we can take this concept, and instead of waiting to go to the lab to do that, right, because we're looking to help victims now, if we have that capability in the field, uniting a hash set with AI knowledge to do that filtering, I think that's where we could do good, and I think that's where these types of devices are going to be, should be, moving towards. And I think Jared and Amy, the folks that are behind Atrio, are really open to listening to that.
Speaker 2:Yeah, and they definitely are.
Speaker 1:Yeah, one thing that I would say is that, again, this is every single tool. I'm going to just make a point now, as opposed to in a second when I talk about the market. So it gives you a report and it gives you hits, because the interface says, okay, photos, AI looks for nudity, and there's no division, just nudity, period. Right, I would like a report that divides this: okay, this is adult stuff and this is contraband stuff. And the reason is, you know, if I'm working on a case, the adult stuff might not be relevant to me, as opposed maybe to a version of the product that's designed for the consumer market, not the law enforcement market, but consumer, I mean the civil, private sector. Okay, so they can get their flagger for adult stuff and law enforcement for the contraband. The reports should be separate, shouldn't be all commingled, because then it's another step for us in the field to try to filter down what's contraband and what's not. And tool makers, as you provide those things, always, and again, like I said, Amy is really into making those changes, keep communication going with your stakeholders. For them that's us, the examiners, right, and if you're a vendor in the civil, private sector, also be aware we're stakeholders. And how can you make that workflow more efficient?
Speaker 1:So, give me my MAC times, so always give me time. So let's say I found that image that's contraband, I've never seen it before. When was it? I say "when" in quotation marks, right, but give me the time, the MAC times, when it was created, modified, accessed, right, so I can then determine, hopefully determine, when that hit that location, that piece of media, and then go from there. All right, and again just reporting, reporting, reporting. Well, what did you think about the... I mean, you did testing with the AI as well, right?
Speaker 2:I did the testing with the CSAM AI as well and I thought it works pretty well. I mean, it identified the CSAM material for me in the case that I worked with it on and I thought it did a good job. Definitely, when you're talking about the reporting as well, Amy and I had some conversations about the reporting. She's very open to suggestions. So if anybody does a demo of ArcPoint, or of Atrio, I mean ArcPoint is the company, but does a demo of Atrio, make sure you test it out and let them know what your likes and dislikes are, because they will definitely listen.
Speaker 2:We just got a comment: what are some negatives? And I talked to Amy, and my negative was reporting, but my negative is always reporting. I think I've said that on the show 800 times. I haven't found a report I like yet. And she's actually working on reporting now and making changes, and we're going back and forth right now with reporting options to make the reporting better. So it's very open to whatever customers need. So excellent customer service from ArcPoint.
Speaker 1:Yeah, and it was a negative from me too. There she is. Now your ears won't be ringing because we're not talking behind your back, we're talking with you right up front as you listen to us live. This is great.
Speaker 2:Yeah.
Speaker 1:See, I was going to say that. I was going to say, yeah, what I don't like. But I'm not going to say it, I'm kidding. So this is again it. And Amy knows this, everybody that knows us knows this: we're not shills for anybody and we're also not haters. Right, we'll give you our opinions and try to be constructive about it.
Speaker 1:So, yeah, the reporting. Again, 99.9% of tools have issues with reporting. My tooling has issues with reporting; it's something that's my goal for next year. So, other than reporting, at the beginning I was a bit confused how to navigate the interface. It was my fault, because since I didn't hit the right places, the tooling was trying to do the parsing of data along with the copying, and for me the copying is not a big differentiator, which I'll mention in a second.
Speaker 1:What I'm really interested in is what are the capabilities that I can bring to the field as I'm doing forensic triage, and that's the main point of these types of tools. Actually, if you don't mind, I'm going to start talking about the market in general. These duplicators, their big thing is triage. Just having this duplicator sitting at your desk, yeah, you will have some benefit, of course, but you won't get as much bang for your buck just by having it sitting on your desk. I have a full desktop processing server for that, right. It's bringing that equipment, in that form factor, out and doing things in the field. That's where the big benefit comes. So I didn't want to focus on how fast the thing copies in the field, because most of the time I'm not going to copy a full drive in the field with this device, and copying drives as a differentiator, I believe, is a dead end. And I say that because, even if you have the most advanced hardware ever and your source and your destination are the fastest SSDs, those devices will only copy at the speed they're designed for, the speed the bus lets them go, right, which is always going to be lower than that theoretical maximum. Okay, so we can have parity among all duplicators just by having good hardware. Does that make sense? Am I getting it across? Yeah, right, so what's the differentiator there? Yeah, I copy at whatever, at 300 megabytes per second. Well, me too, and I cannot, I mean, I'm making numbers up, but I cannot copy any faster, neither can you. That's how fast the drive goes, right. So there's not going to be a big differentiator there. But what are you doing, either as you're copying, or just by not copying, right, just by going into that media and processing stuff out, right? I actually have a lot of thoughts about that. So, and again, the product that ArcPoint, for instance, is bringing, I see a lot of space for growth. The AI was my big thing. That, I believe, makes the product really worthwhile. And so for those types of purposes, because of that, okay, these duplicators will depend on those use cases, right, and how the vendors cater to those will drive the adoption.
Speaker 1:Maybe an example so it makes sense. If you're in the military, right, and you have this type of duplicator, well, you will want that duplicator to be able to do things in the field quickly, because it's highly likely you're in a hostile environment, right, and you wanna go quick. You don't want those buttons on that screen to be lit up, or if it's lit up, it has to be. I guess I've never been in the military, but based on my extensive knowledge watching TV, you want it to be red, in colors that don't flag your location, or something like that. Again, I'm not a military person, so please, folks, don't throw tomatoes at me when you see me, but at least it makes sense to me. You want a device that will fit the needs for those users, right? If you're in law enforcement, I might not mind the screen being bright as I'm doing my work, but I do want to be able, for example, to have certain profiles. I say profiles because I might not want everything. I wanna be able to tell the device, say I want you to pull these things and when you pull those, do these other things. When you pull them and then giving them to me in your destination, output now so I can act on it here on the field, okay, and that only for me in law enforcement.
Speaker 1:If you think of folks in the private sector, let's say they have the product across their location, across the sea, let's say in the UK, and even those one company as folks that have been in the private sector I've been as well you can have a company that buys another company. They're one company, but the IT structure is different. How they manage their end points is different. Can I get to the endpoint using this client software and they're like, no, because it's not compatible. All sorts of things happen. But if they have that hardware over there and I send them that profile they put on the device, the device takes care of everything and then just push that stuff cloud over to me.
Speaker 1: Or, if it's an evidentiary matter, put it on a hard drive, put a chain of custody on it and ship it properly, or have somebody, a carrier, courier, sorry, yeah, have a courier bring it over. That really allows folks on the other end that might not be as technical to do that job, as long as you push that profile and they only have to push a button, a couple of buttons, and the thing goes and does its thing on its own. So there's a lot of growth that could be done with duplicators as the hardware also becomes faster and stronger. So, long story short, I like it, but for really specific purposes, which is when I'm out in the field. Let me see if I'm missing anything from my little list here. Yeah, no, that's pretty much it, and again, thanks, Amy, for letting us try it out.
Speaker 2: Yeah, thank you very much.
Speaker 1: Yeah, we appreciate it, and I bet they're coming up with all sorts of new stuff. New stuff coming up. See, at some point they might add some iLEAPP and ALEAPP support. I think that's in the roadmap that we discussed some time ago, so really excited to see how that pans out. All right.
Speaker 2: So I am going to highlight DFIRDiva. So I am sure everybody that is in this chat has heard of or seen DFIRDiva, Elan Wright. I have never met her, but she is everywhere and I wanted to take some time just to highlight her and make sure everybody goes and visits her site, because she is always giving back to the forensic community and she shares resources. She has trainings listed on her site. She's always sharing our page. She's always listing free and affordable trainings and resources and websites and webinars and YouTube channels and groups and books and tools and scholarships and certifications and anything you can think of. She's sharing it on every social media platform that you can think of.
Speaker 2: So I just kind of wanted to highlight her. I've actually never met her. I would love to, but she also has a merchandise site and you can go buy t-shirts that are DFIRDiva, and I just kind of wanted to give her a shout out because she is always helping out the DFIR community. So everybody go visit her site and go buy one of her t-shirts. I have her Nerdy by Nature t-shirt and I think it's just great. So big shout out to DFIRDiva.
Speaker 1: She's awesome. Again, I haven't had the pleasure of meeting her in person, but I've seen some interviews, the interviews that Jessica Hyde did with her some time ago, and, yeah, she's awesome. And she not only shares the resources, she also does them, right. See, she's constantly taking courses and posting on LinkedIn the different achievements that she gets, so when she gives some advice on something that's good, you can be sure that it is good.
Speaker 2: Yeah, like everything, constantly, and it's just like it's so helpful all the time. So very appreciated.
Speaker 1: Yeah, and that speaks also to her attitude and our attitude as folks in this field. And that's our attitude, it's everything, right? She has a real, you know, growth mindset. She wants to grow, she wants other people to grow, and that's the mindset we should all take, especially if we're going to either go to a class or if we're going to ask anybody for help. Our attitude will really dictate what type of results we get from that.
Speaker 2: Yes.
Speaker 1: Yeah, and you know there's folks that have asked us, so okay, so you know, what do I expect? Officially, new people: what to expect when I go to a class? Right, I'm going to get these, there are friends, this class, and you know, what should I expect from that class? And actually, even if you're an experienced person, right, sometimes we get so set in our ways and we're going to take a class and we have this crusty mindset of how a class should be, and we have to check ourselves constantly, because if we don't, we're not going to get the benefit we're going to get from a class or from asking for help from somebody in the field. So we're going to talk a little bit about that. What would you say, Heather? So let's talk about, so, yeah.
Speaker 2: So when you go to a training, what to expect out of a training?
Speaker 2: This was a topic that came up with me recently. So when you go to a training course, don't expect the training course to teach you everything that there is to know about that topic, whether it be like, if it's a beginner class in mobile forensics or a beginner class in digital forensics altogether. You're not going to learn everything there is to know about forensics in one digital forensics class. There's continued learning, there's always going to be continued learning, and you're not going to learn everything there is in one single class. And when you're done with that class, there's going to be outside research that's needed by you. So if it's a specific topic, whether it be data stores or it be SQLite or whatever topic it is, you're going to have to come back from training and continue to learn on your own. The teacher is not going to be able to teach you everything there is to know about that topic in a one-week class, especially. Even in a two-week class or a three-week class, you're just not going to learn everything there is to know in that time span.
Speaker 1: So, for some of you, you might be thinking, but come on, Heather, come on, Briggs, that's obvious, right? And it's not that obvious, right? It's not. We teach a lot throughout the year.
Speaker 1: And I've got examiners that have been in it longer than me and they're like having this type of question of, well, we spent X amount of hours and I didn't get to learn X, Y and Z. And, like Heather's saying, these classes, right, the classes themselves are to teach you how to learn. Does that make sense? So it's not so much you're going to learn A, B, C and D. I want to teach you the A, B, C and Ds in the context of how we know these things, because when E and F, or G and H, whatever letters you want, come along, right, I'm not going to be there to tell you about them. So take the concepts that you learn for the first set of data and apply them to the other ones. And there's a good conversation in the chat that I'm kind of eyeballing.
Speaker 2: Yes, I'm talking, right.
Speaker 1: What do you think about that, about the conversation, Heather? Yeah, so trainers learn new stuff when delivering classes.
Speaker 2: And then Jessica says, I learned so much from the questions students ask. So, absolutely. So that's another expectation not to have when you go to class, of a teacher, of a trainer, an instructor: when you go to class you can't expect the trainer or instructor to know the answer to absolutely everything. Right, they're not going to know the answer to everything. Especially in forensics, nobody can know the answer to everything. I've taught classes at the college level and taught classes for law enforcement and I have definitely learned things from the students in both classes. Every class I've taught, I've learned something from the students that I didn't know before. So the trainers learn something in every class as well. I have to agree 100%.
Speaker 1: Oh, and last year at IACIS, right, we're teaching, we didn't have the advanced course yet, so it's just the main mobile forensics course, and we were teaching, and at one of the breaks one of the students goes, hey, you know that topic you were talking about in regards to an investigation with a crash and all that. Again, I'm not gonna spill the whole details on the show, because it's an ongoing case, but he talked to me about the process that he used and I told him, hey, look, you need to talk to the class. And he was kind enough to share his experience and the whole class benefited from it. And he wasn't the instructor, he was a student, and I had him come up, I say I, but we all had him come up to explain what he was doing, because it was relevant to the class. So we all learned, and it's about having that attitude. If you don't have a good attitude, you can have the best instructor in the world and you're not gonna learn anything.
Speaker 1: And again, it's not the details of the instruction, like the learning, not learning, but the actual endpoint of the instruction is the process, right? It's not what you learn at the end, it's how do you get to that endpoint? Okay, how do you? What's the process to understand this? If I tell you, look, this SEGB file, like I mentioned in some of the previous episodes, the bottom part contains the pointers to where the data is in the middle of the file, right? And this is the content of the middle of that file. And here's the content. You can read it. Okay, I can read it, but who cares, if I don't understand the process to get there?
Speaker 1: How do you figure it out? How would you be able to figure that out if you look at the header? Okay, so, if I don't explain the different offsets and my process to get there, you're not gonna get that benefit in the long term, right? You'll be constantly depending on somebody to tell you how to do things, and there will be a situation that will be unique to you and your case, and there will be nobody that's gone through it, and you're the one that's gonna trailblaze that knowledge and then obviously make it known to others.
Speaker 2: Yeah, 100%, and some classes are better than others. Some are mediocre classes, some are good classes, some are great classes, but I've never been to a class where I didn't learn something. I just haven't. There's always something to be learned. I haven't been to a horrible forensics class since I started this job nine years ago.
Speaker 1: No, no, I mean, I absolutely agree.
Speaker 1: Even a class where I knew all the content, because it's a class that I went to because, hey, it's the class that we're giving your group, so you have to go, and I knew the content pretty much, but I always got either a good analogy out of it, a good way of teaching it to others, or how to apply it in a context I did not know that I could apply it to, even though I knew the actual endpoints of the teaching.
Speaker 1: You know what I mean, right? And so I think that's having a good attitude, especially also because, again, we go to the classes, we ask questions to learn, and we might ask questions outside of the class context. We might go to the D4 Discord or to Reddit or send somebody an email or a direct message over on LinkedIn. And if you're gonna ask a question, just be aware of a few things, right, at least with me. Don't tell me, hey, could you, for example, could you add support for X, just like that, and not give me source data, not explain to me what research you did on it or how to go about it. Well, no, that's not gonna happen, right?
Speaker 2: Right.
Speaker 1: Or, how do you get these encrypted messages off of whatever? Like, my answer would be, I don't know. Be willing to actually work with the people that you're trying to ask help from if you wanna get results from that. Right, and nobody has any obligation to do your job, or do your work, or answer your question. Nobody's obligated, right, but people want to help, right. We're a social species, we're good folks and we wanna help. But hey, you gotta help yourself a little bit first.
Speaker 2: Right, yeah, someone asking others for help, make sure you've done all your research first. Make sure you've checked everywhere you can check to see if the answer's out there somewhere first. Right, and yeah, be prepared to answer the questions that are gonna be asked of you if you're asking for help. That's definitely. I just love it. I always have to repeat this one. But when somebody calls and asks for help with a phone, hey, can you get an extraction from a black iPhone? No research whatsoever. Yeah, let me help you. I can help you, definitely. So, no research whatsoever. But do your research first. Have all of the answers to the questions I'm gonna ask you ahead of time.
Speaker 1: I just pictured you. Yeah, I'll give you a black eye and then your phone. Watch out, oh, black eye, here, here, here, here, here, here, here, have one. Here you go. And I guess there's so many situations where the person asked a question and I literally was tempted to send them a Let Me Google That For You link. If you're not familiar, you go to this Let Me Google It site and you put in the search and it creates a link where, when the person presses it, it opens a Google-looking webpage, types the question in the search and then it gives you actual Google search results for it. Come on, man, come on, girl, let's do the minimum required before you ask the question, right? And when you actually, and again, it's not about not asking questions. Ask questions. Right, yeah, definitely.
Speaker 1: Yeah, if you do your research, if you tried it, you did your best, you say, look, this is how far I've gone, this is what I know, this is what I don't know, then we can work with you. Right, and because maybe we also don't know, but we know what steps to take next, right? We took that class that we were talking about a second ago. We learned the process to get to places. Well, you know what, let's apply it. I learned how to do it in class. Go forward, but you gotta give me a heads up, because nobody has time and nobody owes you an answer, nobody. Nobody owes you an explanation. It's, be kind, and then people will be kind to you back. You know, yeah, like Geraldine is saying, so they tell you, well, I didn't have time to Google it. Well, what makes you think that I have time to Google it for you? You know, the time you spent sending me the email or DM, that's the time we should have used to Google it first.
Speaker 2: But, Geraldine, do you Google it for them? That's the question, because I do, for some reason. I don't know why I do it.
Speaker 1: No, you're a nice person. You're a nice person.
Speaker 1: Sometimes, yeah, and again, for those of us that are really active in the community, you know, we will try to help you as much as we can, but, you know, we're talking about expectations, right. Set expectations for the class, but also set expectations in regards to people that are active in the field. You're busy, we're busy, everybody's busy, right? So, you know, make sure you give us a reason to help you that we can fit into our schedule and our daily lives, and I think that's applicable to every single person that's listening to this, actually every single person on this planet. Yeah, and relate to that, right, not having enough hours in a day, you know.
Speaker 2: Definitely.
Speaker 1: Yeah, and you know we've been accused multiple times of only talking about mobile forensics stuff.
Speaker 2: Oh yes.
Speaker 1: Yeah, a little bit of truth, but we got some Windows stuff for today.
Speaker 2: People, we do, we do. So I recently had the chance to work with some Arsenal Recon products which I have not before. Well, I worked with the LevelDB Recon product before, but none of the other ones, so recently-
Speaker 1: I only use the Imager, the Mounter, yeah.
Speaker 2: Okay, so that's what I recently was testing out. So let's give a short slide here about some of the products that Arsenal has. So they have the Image Mounter, Hibernation Recon, Registry Recon. The LevelDB Recon is the one that I have actually worked with before. It does a really good job with the LevelDB files. But I recently was contacted about the Image Mounter and its capability to launch an image in a virtual machine and bypass the Windows logon screen, and then not only bypass the Windows logon screen but also access protected data like browser-stored passwords and EFS-encrypted objects. So these are just slides going through the process. I will show you the actual virtual machine in just a minute, but I did slides of the whole process to save time. But I mounted the E01, it was from a capture the flag challenge, then launched it in a virtual machine.
Speaker 1: Let me just make a quick point. So, for the folks that are listening, you get the product, you've got Arsenal, the Image Mounter, and you've got your E01 or your image. The tooling lets you mount that and even virtualize it so you can bring that up. Just a quick comment here I want to make. I haven't seen any, I mean, there may be, there might be, but I haven't seen any mounter like this where you can interact efficiently and properly with volume shadow copies. Okay, yes.
Speaker 1: Yeah, for example, and again, no dig at FTK Imager. Again, we're not haters, but it's true, FTK Imager will not, if you mount stuff with it, will not let you access those volume shadow copies. It's just going to be a big mess, it's not going to work. But Image Mounter, so Arsenal, does it, so I've used that for a long time to work with those volume shadow copies and do kind of more, quote unquote, manual stuff with it. But you can virtualize, and what Heather is showing is, put the product in, mount it, tell the product to mount it and virtualize it, and it's amazing. Just from the extraction, from the E01, it opens a virtual machine.
Speaker 2: Yes, so it starts up in the virtual machine and bypasses the Windows password, the Windows logon screen, and I launched Internet Explorer and was able to go to the password section, find the user's stored Facebook, Instagram, TikTok accounts, and you can see there the usernames and passwords for the user in Internet Explorer. So it can also do a lot more than just that. But for demo purposes I just went to Internet Explorer in this image, but you literally can just access the usernames and passwords immediately by launching it in the virtual machine here. So I'm going to take this down for a second and just share my screen here with the actual virtual machine, because I have it here.
Speaker 1: Let me see, and the value, the value you get from virtualizing the machines, because, yeah, I can get that stuff, a lot of that content, I can get it by looking at the forensic image. But there's really unique value in showing that computer how it was being utilized, how things were ordered, just for demonstration purposes. It can really make or break your case in regards to what impression you cause in those stakeholders, in the jury and whoever, where they can see the stuff as the user saw it. It's amazing.
Speaker 2: Yeah, so I still have it up and I wanted to actually show it while it's live, mostly because I can click through here and it's actually working. I don't know if anybody else has ever tried to virtualize an E01 in any other tools and has tried to click through using any other tools, but this actually works. I've had other tools where it didn't work at all or it was just super slow and clunky and it just didn't work for me. And this, I mean, it's quick, I can open it right up and it actually works, and I don't know, I really, really like it. It works very well. So I wanted to make sure that I actually showed it live here, but not go through the whole process.
Speaker 1: No, and some years ago I used to try to. I did it with VirtualBox, kind of by hand, and, like you're saying, it's slow, clunky, it crashes, and some images, I don't know, maybe user error or maybe something changed, I just couldn't get them to virtualize, period. And even with some products, they're like, yeah, it used to seem to virtualize, and you put it in like, oh, this doesn't work. But Arsenal, at least all the times that I've used it, it's been pretty solid and they always keep up with it.
Speaker 2: Yeah, so yeah, I really, really, really like that feature. It's really awesome. I'm going to try it on some of my cases. I just didn't have a chance yet, so I used some of the capture the flag images, but it worked really well on both of the images I tried it on. So I was really impressed with that, and I've never, I've never used it before. I know a lot of people that are here, I know you've used it before, and I think a lot of people in the comments are saying they've used it, but I had never done it and I'm really impressed with it.
Speaker 1: So yeah, no, I had a case where I went to show the contents, the searches of a peer-to-peer program, right, and yeah, I had those in a spreadsheet, you know, because that's usually how tools show you things.
Speaker 1: But I virtualized it and I opened the program and I could look at all those results within the program itself, the exhibit that I created by having it how it looked, and being able to say, yeah, this is exactly how it looked. This was taken from the virtualized environment, which is how the user would have seen it. I mean, it's a game changer, like Adam was saying in the chat.
Speaker 2: Yeah, I'm going to actually pop the PowerPoint back up because I have a couple of slides. They actually also recently updated their LevelDB tool as well, so they released a new version with some bug fixes and a new customizable predefined filter option. So they actually put some slides on Twitter. I just stole them here for my PowerPoint, but I'm just going to run through it real quick. So if you haven't used the LevelDB tool that they have, it's pretty good too. You can export the LevelDB files, bring them into the tool and it has the capability of parsing them. It does a pretty good job of parsing that data out. And now they have, if you see here on this screen, they have that customizable filter where you can filter for data, and that's new.
Speaker 1: It's like looking for strings and stuff like that, right?
Speaker 2: Yeah, so if you haven't updated and tried it yet, download the new version and give it a try.
Speaker 1: And if you're not familiar with LevelDBs, your browsers are chock full of LevelDBs that tooling pretty much ignores. I found LevelDBs in a Firefox privacy type of environment and I got some hits within the LevelDB, even though the internet history was deleted, because it's a privacy browser. That's what it does, right. Android devices, tons of important information in those LevelDB data stores or data structures. So tooling like this really helps when the cases get complicated.
Speaker 2: Yeah, definitely. And then I was talking, their support is phenomenal. So I was struggling, because, as I do, user error hit me on trying these tools out, and I popped into Discord with support and they fixed my issues immediately. It was all user error. They have really, really good support, and I was chatting with them today and I just want to let everybody know too, they're releasing a major update in December adding PIN and password attacks, which include a new Password Sledgehammer database, and they have many more updates. So look for upcoming news, for a lot of major updates. I'm hoping to test it in the future and hopefully talk about it again after I test it out. So look for those upcoming features.
Speaker 1: I just love the sledgehammer. You know, it's kind of like.
Speaker 2: Yeah, me too. I can't wait to try that one out.
Speaker 1: Yeah, we're not going to hit it, we're going to sledge it, and we're going to, yeah, yeah, yeah. No, it's good stuff. And again, I think today was a really tool-centric day and I like those days, I like to play with tools, like hardware, like software. I know you do, so it was a fun couple of weeks putting all this together. Oh yeah, definitely.
Speaker 2: I think that's why we have the semi-cool nerd sign behind you. We were being nerds for two weeks.
Speaker 1: Yeah, which is, we're talking about something, and she's like, well, you're more like a semi-cool nerd, like kind of bringing me down, and I'm like, you know what. But usually I'm called a full-on nerd and nothing cool about it. So I'll take semi any day.
Speaker 2: I'm not sure I said that.
Speaker 1: Yeah, yeah, that's totally you, even though you don't remember it. No, but kidding aside, right? You know, we're realistic about where we are in life and we enjoy what we do. And there's others that enjoy it as well. So find your pride, find your semi-cool nerds. Hang out with us.
Speaker 2: Oh, we've got to put this one up too. Jessica has a LevelDB class coming up. You have to check out her LevelDB class. Definitely, the Hexordia training is top notch and I am sure the class is going to be as well.
Speaker 1: Yeah, and truly, without knowledge, you go nowhere. Right? It's like being super smart and super intelligent and all that, and then having no effort. Well, you're going to be nobody, right? Or maybe you're not that smart, but you're dedicated, you have grit, and you'll go far. So I say that example because you get a tool, it can do a lot of stuff. If you don't know what it's doing or how it's doing it, it's going to be a tough spot if you get asked a single question about what that output is. So you take a class like Jessica's or do your own research in regards to how LevelDB is organized, how they work, in what context, what's the purpose, and how is it applied in an application, a third-party application, or in a system application like FCM in Android, and then you get to that next level, because the tool is only as good as the examiner that's wielding it. All right, and let's not forget about that.
Speaker 2: Oh, I've got to share one more. Totally buying the t-shirt.
Speaker 1: Yeah, Kevin is saying semi-cool nerd coming to a shirt soon. That's awesome. Yeah, we're semi-cool nerds and I dig it, I dig it, yeah. Yeah, Jessica has courses online and also courses in person. Obviously, I would prefer, first of all, to me, go in person, because then you have her there and you can actually have that wealth of knowledge in person. But if you don't have the capability of taking an in-person class, you can also take it online. And I'll be straight, she's my friend, a good friend, but that's not a bias, because her content is good, though. So, and again, we get, we receive no, no money for any of this. We're being sincere and honest. So it's good stuff. And again, you know, going to those courses and having the right attitude, which leads me, which leads me to the meme of the week. All right, and this meme of the week is a world premiere, because it'll be coming out on social media soonish.
Speaker 1: And the meme of the week, it's the following. You're going to see here, for the folks that are watching, you're going to see a person putting some white makeup on their face, and when they're putting the makeup on, it says, who needs a week-long digital forensics class? And then they start kind of putting on the lipstick and the eyes, right, and, why is this teacher going over all these conceptual things? And then they're putting this clown hair on, and, is doing the lab really necessary, right? And at the end, when the individual is fully dressed as a clown, it says, I learned nothing, this class is trash, right? And if you get to that point, yeah, you are a clown. Right.
Speaker 1: Things in courses, things, it all builds, it builds. And the secret to understanding all this is just having a good attitude, right, saying, look, I don't understand, or maybe I'm advanced, I don't need the conceptual stuff. Well, pay attention, you will. You will. Yes, oh, the lab, give it a shot, give it a shot. And if you don't know anything about it, don't let that be a barrier to trying it. Just try it, right. And in the process you will learn something, or you will get it and you will do it. And then when you come out of the class, it don't matter if you learned a lot, if you learned a little, you got something out of it. So don't, let's not be clowns, let's just be semi-cool nerds. Agreed.
Speaker 2: Semi-cool nerds, everybody.
Speaker 1: Well, Heather, we came to the end of our time together on the show, so thank you, everybody. Yes, thank you for watching and thank you for all of you listening on the podcast later as you drive or at home. We appreciate you, and hit us up. Hit us up on LinkedIn. Look for the Digital Forensics Now podcast. Leave us questions, comments, comments, concerns, any complaints. Leave them to Heather and she will take care of them. And again, thank you so much. I'm going to explain to Heather now what Pinky and the Brain is.
Speaker 2: Yes, please.
Speaker 1: So she'll get the reference. All right. Thank you, everybody. We appreciate you and we'll see you in a couple of weeks.
Speaker 2: Thank you. Bye.