Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
Digital Forensics Now
Due Diligence, Password Cracking & New Tool Features
Welcome back to another episode of the Digital Forensics Now podcast! In this episode, we explore the critical need for continuous learning in the field, discuss fascinating forensic tools, showcase UFADE with its new chat capture feature, and engage in a spirited debate on the value of certifications. Get ready to expand your knowledge and stay at the forefront of this ever-evolving industry.
We begin by discussing the intricacies of unconscious and conscious incompetence as outlined in Brett Shavers new article. The episode continues with a detailed demonstration of UFADE, created by Christian Peter highlighting its user-friendly interface and the new chat capture feature. The hosts walk you through the tool's capabilities, showcasing its accessibility and usefulness in digital forensics investigations. From breaking Windows logon passwords using a Raspberry Pi Zero W to exploring the distinction between exploratory and explanatory data analysis, this segment offers a wealth of knowledge and practical insights. We also touch on the value of certifications, sparking a lively debate that challenges conventional wisdom and invites listeners to question the true measure of expertise in the tech industry. Get ready to be engaged in this thought-provoking episode.
Notes-
DFIR Competence: Are you Truly Skilled or Just Fooling Yourself?
https://www.dfir.training/blog/dfir-competence-are-you-truly-skilled-or-just-fooling-yourself
Oxygen Forensics Call for Speakers at the 2024 International User Summit
https://oxygenforensics.com/en/call-for-speakers-user-summit/
UFADE Updates
https://github.com/prosch88/UFADE
P4WNP1 Build
https://lush-seeder-8ab.notion.site/P4WNP1-Build-54ffcdbe7cdf4e74b47861e9bd80f857
SANS Webcast Series
https://www.sans.org/webcasts/demystifying-data-conversion-binary-hexadecimal-decimal-ascii/
Bitlocker on by Default Windows 11
https://www.tomshardware.com/software/windows/windows-11-24h2-will-enable-bitlocker-encryption-for-everyone-happens-on-both-clean-installs-and-reinstalls
ChatGPT
https://www.sciencedirect.com/science/article/pii/S2666281724001252?dgcid=author
come on music. Hello, hello everybody. I don't think the music's coming in now, but do you want me to sing? No no, I'd rather Let me hit pause, let me see if the music comes, let me see I got some angelic Very nice, very nice Music.
Speaker 1:Yeah, my thing got confused, let's try it now. Ah, everybody, oh, there we go, there we go. I laughed. Welcome everybody. There we go, there we go, at last. Welcome to the Digital Forensics Now podcast. Thankfully, heather's singing free, and free as in not singing. Today is Thursday, July 11th 2024. My name is Alexis Brignone, aka Briggs, and I'm accompanied by my co-host, the Hash Wrangler, the Don't Leave Any Stone Unturned perspective, the. This Is Important To your Case, and Let Me Tell you why. Examiner the one and only Heather Charpentier. The music is Higher Up by Shane Ivers. Eventually, it was and can be found at tillermansoundcom. Heather, we survived the roughest intro in these 21 episodes.
Speaker 1:It would have been a lot rougher if I started singing. You know beauty's in the ear of the beholder, but yeah, let's not test that theory. How are you?
Speaker 2:I am good.
Speaker 1:How are you Good? Good, it's been good. I'm happy to be back. We had a little bit of a hiatus. We did, we did A pause, if I said it right. Yeah, we work and other things and so we have to lay low for a little bit.
Speaker 2:Yep, we're not up on my main screen. Are we up on your main screen?
Speaker 1:We're not. I think we should, so people can actually see us.
Speaker 2:We should. It's a pretty background, but I think our pretty faces should show.
Speaker 1:Yeah, I mean, if you are listening podcast there we go, you don't really care yeah, that's true, that's true hello everybody, we're here. Um, so yeah, so uh. No, I was, uh, I was. I was at my mom's down by the gulf, the beautiful uh gulf coast of florida, so that was nice took the, the children there, to see grandma and very nice had a great nice. You know 4th of July celebration and weekend fireworks and everything.
Speaker 2:Very good, Very good. I kind of did the same type of thing. I went and visited my family and then, I don't know, we've been off from the show for a few weeks. So I did start watching the Python study group stuff again. I swear I'm going to. I know, I know you're happy about that.
Speaker 1:I am. I am extremely happy and that's why you know when I'm happy, you know what happens, right.
Speaker 2:Oh, the fireworks, why? Thank you.
Speaker 1:Thank you for you know actually following up on your Python for studies. That's good.
Speaker 2:Yeah, so I've run into a few issues for everybody to know with the Python. And of course Alex asks me well, have you watched the videos from the study group yet? And I haven't watched them all. So I guess if I'm going to ask for help, I need to make sure I'm trying to figure it out on my own first.
Speaker 1:Well, you know, we'll be talking about a little bit about conscious incompetence and conscious competence, so I think it'll be an interesting discussion.
Speaker 2:What are you trying to say?
Speaker 1:Nothing I'm saying nothing. I'm going to blame Brett, the author of the article.
Speaker 2:Yeah, definitely so, speaking of that, yeah, you want to start there.
Speaker 1:Yeah, before we start. Hey, look behind me. What do we have?
Speaker 2:Oh my God. So, for those of you listening, alex is trying to show me up with the wall signs, the light up wall signs. He had one, so I got one. I'm like, oh, we match now and now, how many do you have? Seven of them there.
Speaker 1:Yeah, because you know, if one is good, then six more.
Speaker 2:You're completely surrounded by neon wall signs.
Speaker 1:And I'm going to get one. Somebody suggested in LinkedIn to get one that says it depends, Because that's our phrase, right.
Speaker 2:Yeah, you do need.
Speaker 1:It depends. Yeah, I'm going to get it. I kid you not, I'm going to get it, I'm going to figure out how to reorganize it I was going to say where are you going to put it? I'm going to put it right here in front of my face. Okay, upgrade, upgrade. No, but I know you have one you haven't put up yet.
Speaker 2:I do. I do have another one. I'm debating, though, if it's going to replace the live nerd sign or if I'm going to have both. We'll see. I don't want to be all off balance no put it on the other side All site so all right, anyways, I have to get it hung up for folks that are listening.
Speaker 1:You need to go to youtube and and then see check out our sites.
Speaker 2:Yeah, I have.
Speaker 1:The one I like a lot is the one on top of my head says cool kids club and underneath it says all are welcome, which is uh kind of like the vibe here in this podcast, right, yeah, we can all be all belong. We all belong, right everybody's a cool kid exactly. I got a koi fish and people didn't know. I have a tattoo of a koi fish in my arm.
Speaker 2:Yeah.
Speaker 1:So now I'm showing off a little bit here my art.
Speaker 2:Very nice Matching on the wall.
Speaker 1:Yeah, the beautiful mountains of Denver, a place that I really appreciate.
Speaker 2:Very nice.
Speaker 1:And people close to my heart and yeah, so. Anyways, going back to the topic, we're talking about the things that we know and things that we don't know, so we have a new article. What's going on with that?
Speaker 2:Well, first quick.
Speaker 1:Kevin wants to know how many power strips you're using. Look, it's one, right. And then there is you're about to get a visit from the fire department. Very good, it could be a fire hazard. So I'm closer to the fire hazard range of fire strip, of fire of power strips.
Speaker 2:So all right the article. So fred shavers uh, has a new article out that, um, let me put the the link to that up and the title is DFIR competence Are you truly skilled or just fooling yourself? And I have a little screenshot from his article to share. But everybody should go over there and check it out because it's really good. There we go. So in the article I'll give just a brief overview he talks about the various stages of incompetence and competence conscious incompetence and unconscious incompetence and the question I guess kind of posed from the article is do you know your competence level? And it goes on to say DFIR examiner skills can degrade over time. So there's some examples of the unconscious and conscious incompetence and competence here which is really hard to say a lot in the screenshot.
Speaker 1:Sounds like a little tongue twister.
Speaker 2:It is a little bit.
Speaker 1:But the matrix is really good because his example really drives it home. Right, he says well, there's a person that I love, the name of the examiner, alex, right, kind of close to mind. Right, this examiner never heard about a tool, right? Right, so he's not aware of this tool. He's incompetent on it because he doesn't even know it. Know about it, right, but then he's aware of it. Right, so he's conscious about it, but then he doesn't know how to use it. He's still incompetent about it. But then you're conscious and then you're competent because you know how to use it. But you have have to go carefully. What step goes next? What second step, third step? Right, brett says he was going to use Brett in the example. Alex is fine, I like it. And then you have unconscious competence and when we do things, we know how to use a tool effortlessly, and that's from my perspective. We fall a lot into that. We get really comfortable with a set of procedures or tools to the point that we're unconscious about doing it. We're proficient at it, but Brett makes a great point of this being somewhere we could fail, right, right, because we're limiting ourselves. Right, and when we do that, we don't have or we don't, uh, open space for improvement because, oh, I know how to do this, I just do it.
Speaker 1:And he gives an example, this article. It's like when you drive from work to home, from home from work, every day, you start driving then like, oh, I got to work, how did I get here? You're like I just I just got here. Do you think about it? You think about many things, but you're not really thinking about the driving. It becomes kind of automatic and a road in a sense, and you don't like, not subconsciously, you're awake but you don't think about it and you get to work or you get to work. Actually, it has happened that I'm so used to going, let's say, to work that it's a weekend and I need to go somewhere else and I just drive to work and I, where it was supposed to be going, right, it was supposed to be going somewhere else, and that's the problem, right, if we get to that, a lot of examiners get to that and then we don't improve, we don't really think about how can, even in the processes that we know how to do effortlessly, how can we be better? Because we can always be better. I think he calls it eternal, not eternal. What's the word I should have memorized. Oh, here it is Infinite competence right, that's right there on the screen. If I could read Infinite competence, where you're constantly trying to see where can I improve, because I know this process like the back of my hand and I would take it even further, right? Well, not I. Actually Brett did that for us. He uses the example. Everybody, please read this article.
Speaker 1:He uses the Penrose stairs as an example, and that's pretty cool, because it's kind of like a. It's not kind of, it's like a visual trick. What's that word for that? Like illusion, what's the word for that? We have like visual illusions that, for example, these stairs are going up at all times but also going down at the same time. I forgot what the word for that is. It's like a visual illusion.
Speaker 2:Yeah, it's not coming to me. Sorry, I'm no help with this one.
Speaker 1:Oh no, it's fine. It's fine Actually, I feel like Optical illusion. Optical illusion.
Speaker 2:Brett's saving you. Brett's saving you.
Speaker 1:There we go, so I like it. It's like an optical illusion up and down. Right, because you have to constantly be improving, because you will always at some point be incompetent, because new things will always be coming, so you got to be constantly going up those never ending stairs, right? And I really like this topics from Brett, because there are a lot of philosophy which I'm kind of. You know I'm partial to it. I love it, but it also makes me think about being better and and and, as he gives you kind of a plan on how to do that Reflection he makes a great point about. That is so important and you have to catch yourself, you have to make an effort. If you're doing something and not making an effort on it, that's an indication that you need to think about what you're doing.
Speaker 2:Yeah, I relate this a lot to training, even especially with myself. So I've been to so many trainings over the last nine and a half years and I think a lot of people myself included I've been to that training already. I don't need that again, and I do because you have to constantly be learning and not think that something you learned eight years ago is still what's being taught in in those training courses, if that makes sense.
Speaker 1:Oh no, there's, there's, there's always, always, always new stuff, and and that's the, the infinite competence you get to a level as an examiner when you can do certain things, something, and this is that, let me, I'm going a little bit, not a tangent, but something that I'm seeing is how can I say this? Not a tangent, but something that I'm seeing is, how can I say this? Like conscious incompetence, but not so much in the fact that you know what you don't know. I'm going to change it a little bit. People are consciously wanting to be incompetent. In other words, I know how to do the one thing and I don't need and I don't want to do or learn anything else, and I don't know how Brett would make that a stage or not. And I'm seeing that a little bit, where folks are like can you strive to be better? Can you strive to move? No, I just don't want to, I just want to do the one thing, and sometimes I don't even do it right.
Speaker 2:Yeah, I've seen examples of that recently too. Where you're a hundred percent right, it's I. I know how to do this one thing, that's all I'm doing. I'm not moving out of that realm, so.
Speaker 1:Yeah, and and and in this field, that is a problem. And that is a problem actually because I'm going to, I'm going to share something here on the screen real quick. A problem actually because I'm gonna, I'm gonna share something here on the screen real quick. Um, we have to think about only us in two terms, right, us being uh good examiners, uh, having due diligence something that we've both been discussing, you know, heather and myself discussing lately. What is due diligence? What is expected of us? What do the, the stakeholders, in our case are victims or expect from us? That's one thing. What's our due diligence? But also think about ourselves and I mean, do we want to be employed in the future? And let's be real, I mean we, we need those necessities, right. So let me actually, if I, if I opened the file, then I can share it, right.
Speaker 2:While you're looking for that, brett says new neon sign idea be constantly learning.
Speaker 1:Yeah, yeah, no, absolutely. It's a long sign, but maybe I need more wall to fit some of those.
Speaker 2:We'll have to put that one on my side. It's the only place it'll fit.
Speaker 1:Actually right on top of your head. I agree, All right, so this is what I'm talking about here. Um, so I had this meme, I think last week or this week, where you have the a person kind of sitting in pews, like maybe in a church or something like that, and there's this person sitting there and it's labeled the button pusher, and then behind that person is a is this person with a gun to the person's head, like about to shoot him? Right, and I labeled those tools. But behind the automation tools is another person with another gun, called AI, right, but then all the way in the mezzanine up in the rafters, whatever, there's somebody with a sniper rifle pointing at them, right, and it's called.
Speaker 1:I labeled it actual digital forensics experts, and what I meant by that is if you're in the state of conscious incompetence and I kind of opted, co-opted the term from Brett, but it's not how he defines it, it's just me redefining for this particular point where you consciously want one thing to be incompetent, right, being that button pusher, you will be pushed out by the automation tools. You'll be subservient to them if you still have a job, because at some point I'm pretty sure technology can push the button for you. We won't need you. We don't need George Jetsons, right? Okay, and then AI will kind of take some of that. So if you want to still be relevant in this work, moving forward, because technology advances in leaps and bounds, you're like, well, ai is coming, but it won't affect me, I'm retiring. In the next 10 years I should have plenty enough time to coast over to my retirement.
Speaker 2:Ai could possibly retire you way earlier than that, let me stop sharing this.
Speaker 1:So yeah, and again I'm co-opting that term and kind of misusing it a little bit, but just because that Brett's article made me think about those things and I think are important, that we all should should take some time to reflect on them.
Speaker 2:Yeah, really great article, and I'll put the link to that in the show notes on the podcast website.
Speaker 1:Hey look, if Arsenal is saying plus one for the meme, I'll take it. Yeah, arsenal, great, great company, great software. Always good to have them here and hear from them. Great company, great software. Always good to have them here and hear from them?
Speaker 2:Yeah, definitely. So one thing we wanted to announce is Oxygen Forensics put out a call for speaker at the 2024 International User Summit coming up. It is going to take place October 15th through the 18th. I actually have a little screenshot to share here and it's in Alexandria, Virginia.
Speaker 1:Beautiful Alexandria Virginia.
Speaker 2:There we go. You could submit a topic and share your knowledge. So if anybody listening has thought, oh, I really want to, I really want to get in there and share some of the things that, some of the things I've learned, some of the things that I've written about, some of the things I haven't shared yet, go in there, apply, go speak at at the user summit. It's a great place to get started With. Whatever topic you have in mind, you can submit it right at the web, at their website.
Speaker 1:Absolutely. And oxygen I also agree. I agree Company Lee a great guy, the CEO a great, a great company. Uh lee a great guy, the ceo I had the pleasure of, of presenting with him in some events, so it's always a good time with the oxygen folks.
Speaker 2:so definitely consider that and submit for it yeah, if, if you're not submitting, if you're attending, I'll tell you right now. I've listened to a couple of lee's presentations and he's really really good at presenting excellent topics and just a captivating speaker. Absolutely, absolutely, all right. Let me move that, all right. So next up, we have talked about a tool on past episodes called YouFade. It is created by Christian Peter and he's out of Germany and we've talked about it a few times and its capabilities, but there's some major updates to it. Um, there's a whole new user interface and there's a chat capture feature that I want to show everybody live, so hopefully it doesn't screw up on me while I'm trying to show it live and before you show it live, just tell the folks, maybe they missed those episodes.
Speaker 1:What's what's? What's you fit about it? What's it, what does it do?
Speaker 2:um, all kinds of capabilities I'm going to go through the different capabilities inside of it, but all kinds of capabilities with ios devices so you can pull the sysdiagnose logs, you can do logical extractions, itunes, backups, um, there's all kinds of other logs from the device that you can pull. And now, with the newest feature, there's the chat capture.
Speaker 1:That's awesome.
Speaker 2:Yeah.
Speaker 1:And as Heather is setting up, prepping up her demo, which I always love when Heather does the demos- Until I can't share the screen. Yeah right, this is a tool that Christian I think Christian's in the house right now is in the chat. It's free to use. So it's amazing how those capabilities that you see in other tools that cost a lot, you see this over here in a community tool. It's absolutely free. So it's amazing.
Speaker 2:Yeah, so I really liked it when we showed it before, but this is just a lot of improvements. I really love it now. So I mean I loved it before. But let me share my window here. Oh yeah, the watchOS devices. I forgot to mention that.
Speaker 1:Also for the watchOS devices that are able to be accessed. There's support for it, so that's pretty cool too.
Speaker 2:So here's the interface. I'm going to take that off too. So here's the interface. I'm going to take that off the screen. Here's the interface and you can see the device information. As soon as I what I did is I plugged my iPhone seven into the computer, trusted with the computer, and then fired up the Ufade tool. You can see all of the device information on the left-hand side, and then it's asking me to choose an output directory for any of the logs I may pull or extractions I may pull. I'm just going to leave it default. It defaults to the folder where Ufade is.
Speaker 1:And, for those that are listening, great graphical user interface really well done. On the left side you have all the device information model, hardware, product serials, disuse, wi-fi, mac A lot of information on the left side and then the right side. Really nice, well-defined, beautiful interface.
Speaker 2:So there's an option to save out that device information and installed apps, sim and companion devices. There's acquisition options, so there's a logical backup, a logical plus backup, a logical plus backup UFED style, so it actually provides you with the zip file, the logical zip file and a UFD file, so it makes it more seamless to bring into Celebrite, if that's the tool you're using to parse the data. And then there's a file system backup for jailbroken devices.
Speaker 1:And I like the UFIT style because those that are familiar with UFIT if you open it's just a text file, right? So you open the UFD file, you have all the information about the device and at the bottom you have the hash. I think it's SHA-256, right.
Speaker 2:It is. I'm actually going to bring that up. I ran a logical with the UFED option earlier, so let me just bring that up for everybody. I already had it up, of course. Now I have found it. There we go, Okay. So this should look familiar to anybody who uses Celebrite. It is the information about the extraction, the information about the device and then the tool that you use to acquire it this one particular I acquired with Ufade and more information about the type of extraction, and at the bottom you have that SHA-256 hash of the zip file of the extracted data I.
Speaker 1:I love that because then you can import it into you know seller by tooling and and you can verify the hash. Or even if you don't, you can always, you know, make sure that when you're done with your work you can validate to the hash.
Speaker 2:So so, so useful all right, let's present that again. There we go. So those are the extraction options. There's also collect unified logs which I'm not going to click on because it kicks it off which I tested it earlier, and you get a log archive of the unified logs and then developer options is where that new chat capture feature is that I'm going to show, but you can take screenshots of the device screen. There's a chat capture capture file system to text. I haven't tested that out yet, so hopefully somebody listening is going to go in and test that out and then unmount developer disk image.
Speaker 1:Maybe Kevin Kevin is saying that he looks forward to playing with the Windows version.
Speaker 2:Ah, all right, so cool. So you're going to test that out and tell me how it is. But the chat capture is what I thought was so cool for this week. So I'm just going to unlock my phone here and the chat application that we're going to take a look at is I'm going to do Facebook Messenger and it's on my test device, so just click Chat Capture. I'm going to name my app Messenger and then the name of the chat. The messages are with Amy Farrah Fowler.
Speaker 1:And for those that are listening, the interface allows you to put those naming fields. It's right there for you to type and it's all graphical. You can click and type whatever you need.
Speaker 2:So then I'm just going to kick it off and you see what I see on my screen of my device sitting here right at my desk. So this is my chat messages with Amy Farrah Fowler. And in a second, after it has done its screenshots of that screen, you just see it move down to the next screen and it's now capturing automatically screenshots of it's capturing the chat for me. So you can see it moving and each time it pages down down in the right-hand side, you can see screenshot saved as and it's saving those screenshots of the chat.
Speaker 1:That's just fantastic.
Speaker 2:I know I love it.
Speaker 1:Yeah.
Speaker 2:While it's capturing all of the screenshots. I'll just tell you that I struggled all day to figure out how to do this because I don't know I'm not great at all of the Python stuff but I found some errors that were user errors on my part, and Christian, who created the tool, was kind enough to help me today realize what my errors were. And one was just my Python version and I didn't even think of it. I'm like all right, I have Python installed, I've got all of the dependencies installed. This should be working. Why isn't it working? And he's like well, you're on a different version of Python, try this. And as soon as I did it, it started working.
Speaker 1:Read, read the docs please. Oh, so yeah, I know I know we're all guilty of that, so I'm giving you a hard time, but we're all guilty of that.
Speaker 2:We are so, um, this has now captured the chats and I'm going to just pop back and show you what it looks like for output. So let me remove that from the screen and go find my output.
Speaker 1:Present.
Speaker 2:There we go. So in the Ufade directory there's a folder called screenshots, and then there's a folder called messenger and there's a folder called Amy Farrah Fowler because that's what I named my chats, and you can see inside. There's a whole bunch of screenshots that I captured earlier too, but you can see inside the screenshots of the chats between Sheldon Cooper is my test phone and Amy Farrah Fowler's phone.
Speaker 1:That's awesome.
Speaker 2:And they they save right in there with the naming convention that you gave them in the Ufaid tool and the entire chat is captured there within the screenshots folder.
Speaker 1:That's awesome.
Speaker 2:Yeah, I love it. I was really excited to show this one, so I was really hoping that none of my user errors would show on screen, and I think it went okay.
Speaker 1:All right, the demo gods were pleased with you today.
Speaker 2:Yeah, definitely, there is one other option.
Speaker 1:I'm not gonna put it back up on the screen, but there's extract crash reports. There's a WhatsApp export from the device 17s. There's no support for them, right. And you might have a phone that comes in with a passcode or from a victim or a cooperating witness and you need to pull out a chat that that cooperating witness wants to provide Right. To provide right. Okay, they bring out the camera, which again the video camera. That's an option. But if you can just go and say, okay, I'm going to pair it, I'm going to select the chat that I want and then just hit go and yes, just chit-chat, as the thing is going taking the screenshots. I think that's way preferable.
Speaker 2:So the support for iOS 17 is being worked on. Ios under 17 is currently supported.
Speaker 1:Oh, and not all iOS 16s are supported, by the way. So it depends on the type of iPhone that you have. Right, Some are supported, some are not. So just because you're like, well, I have iOS 16 and my tool supports iOS 16. No, it doesn't. You have to check. And if it doesn't, because it could happen, then you have this other option to pull those chats when you have access to that device Again, an example being cooperating witness or you know just some consent so you can work on that. So it's pretty neat. Thanks to Kristen Peters for this work. Yeah, awesome, Please continue. We appreciate it, the community appreciates it and we will and we use it. So thank you very much Magic.
Speaker 2:Dave is asking is this a free program? It is. It's on Christian's GitHub. I have the link up on the screen right now, but it will also be in the show notes on our our podcast page. Or you can just Google Ufade and it comes right up. And then Christian says iOS 17 is supported in the CLI version.
Speaker 1:There we go, there we go, perfect, no, and we'll keep highlighting, as, as Christian keeps, keeps, keeps, you know updating it, we'll keep highlighting those updates. We're really happy that that's going on.
Speaker 2:Oh, absolutely, I'm looking forward to whatever the next update is going to be.
Speaker 1:Absolutely.
Speaker 2:So, um, another thing, that so we were we're. I'm all in a WhatsApp group with a bunch of people and Matt beers I don't know if anybody knows Matt beers, but he has canine ASCII. So if you've met canine ASCII, you've met Matt. So you probably remember canine ASCII, though.
Speaker 1:First of all, a group of folks in a, in a, in a WhatsApp, like your sign, tells you who they are. What's your sign, say they're what.
Speaker 2:Oh, the nerds, yeah, so it's a nerd group. It's a nerd group in WhatsApp, but a group of really smart people in a nerd group. We were all chatting the other day about Windows logon passwords, about how to break them pretty much, and Matt was in there and he was chatting back and forth and showed us a contraption that he has made out of a Raspberry Pi, so I'll let you talk a little bit about it, too, here.
Speaker 1:So us here in the show we're really mobile centric, but we also get some computers every now and then. And it's pretty neat because he says, look, we got this Raspberry Pi 0 on all the older ones and he found some repositories that have some information. It's pretty cool. What that does is it uses the NTLM way of communicating or authenticating between a Windows device and a Windows server and it kind of turns it on its head. What you do is you set up the Raspberry Pi Zero, which, again, I heard about it and I immediately bought one. We both bought one.
Speaker 2:Everybody in the nerd chat bought one. I think they're sold out on Amazon.
Speaker 1:It's our fault now. If you want one sold out on Amazon, it's our fault now. If you want one, you can get it. It's our fault. We bought them all.
Speaker 1:So it's as long as my finger at most, at most, and that little thing, you know, that's the cutest little heat sink you can put on it. Anyhow, I digress. So what that does is the software. It pretty much turns the Raspberry Pi into like a quote-unquote Windows server and the Windows server communicates to the network and there's ways of setting that up over to the device and says, hey, authenticate with me using this older protocol. Right, and that older protocol.
Speaker 1:What it does is it sends that hash out which we gladly grab, and with the hash from that account, from that password, then it's pretty obvious we're just going to try to brute force it. You know, or you know, have a dictionary on it or I guess rainbow tables will still be applicable because it's an older network, older protocol, don't quote me on it and the point is you use, you know, pure brute forcing and it shouldn't be too bad if it's obviously a simple password. And it's genius because we all know how those protocols work. And I never thought of saying maybe I should impersonate a server and have it. Give me the hashes out, because some other techniques of getting those hashes require some sort of entering into the system, right, but if you can't, and but, and, then let's try to do it through a network, and I think it's genius and it's a great little actually.
Speaker 2:He made a video showing us how it works he did and it's pretty sick so he also, because I mean, we all ordered our raspberry pies, but now what? Like I'm not fluent in how to set the raspberry pi up to do that. So matt actually put together um a step-by-step on what to do and how to set it up. I have a link to his um. It's not really an article, it's like an interactive um step-by-step guide how to set the raspberry pi up to be able to perform these uh attacks on the pass, and I'll put that in the show notes. But he did that last night, I think.
Speaker 1:Yeah, yeah.
Speaker 2:So that we could share with everybody.
Speaker 1:Oh yeah and and for folks looking at it it's a super long URL, but I think for the show notes we'll try to make a little tiny URL for it, so it's easy.
Speaker 2:Oh yeah, sorry.
Speaker 1:It is. Yeah, yeah, sorry. Yeah, it's humongously long the link, but don't worry.
Speaker 2:By the time we have the show notes later on tonight, there will be a simple link that will take you there. So quick did everybody get all those numbers that are up on the screen?
Speaker 1:Sorry, 4, 7, C, b, a, B, c, d, A, e, g, F, g, f, O, p, g. Yeah, you know me, you know it's pretty, pretty wild, but we will. We will put a oh and you know Kevin's saying it's pretty ingenious, it is super ingenious. It's one of those things like why didn't I think of that before? Right.
Speaker 2:Right. Yeah, I can't wait to test it out, but I definitely would have been struggling on how to even get started with setting it up, Cause it's just not. It's just not something I've ever done before, and to have the step-by-step guide is just awesome. He also he let us know before we bought our Raspberry Pi to get the Raspberry Pi Zero W. It won't work with the Raspberry Pi Zero 2. So just a public service announcement there.
Speaker 1:Oh no, yeah, yeah, so get the other model, but it's pretty neat and there's obvious limitations. If you're not securing let's say you log in not with a regular password but using like a pin or whatever well, that's not going to work. You know that protocol is not going to be able to give you a hash for that right, um. So there's some limitations on it, but it's always. It's always a good, a good try. And again, going back to what brett said right, I was what unconsciously incompetent, because I didn't, I, I didn't, I was incompetent. I don't know how to use it and I didn't even know existed.
Speaker 2:Right, yeah, same.
Speaker 1:But, but. But now we know, and Raspberry Pis don't feel intimidated. The storage is usually a little SD card, so if you get the image for it, you're good to go. And I'm actually. I use Raspberry Pis the regular ones for all sorts of little things, for a calendar and for different things. So I really, you know, hope folks start looking into that as a solutions for some of our forensic problems.
Speaker 2:Yeah, one more thing on that too. So he, he does, he does courses or speeches, talks about password cracking. So if anybody ever sees his name on the itinerary of a conference, or, or, or, or whatever training they're at, really sign up for that. Um, a bunch of my, a bunch of my coworkers, went to one of his password cracking classes at um, the ICAC conference in Atlanta, and said it was really good. So make sure to catch his, catch his talks on the password cracking.
Speaker 1:Yeah, matt, matt, uh, matt beers, right. Yeah, yeah, I like it because sometimes he goes by Matt Cervezas, which I really got a kick out of yeah that's good, I see, hey, matt Cervezas, I just love it, so I'm going to put it in the chat. Some folks are asking Matt Beers was a really, really, really cool dude.
Speaker 2:Okay, so next topic exploratory versus explanatory.
Speaker 1:Oh, yeah, yeah, absolutely, that's so. You know one of those thoughts when you're like in the shower or sitting down and you're in the throne and you're like thinking about things about life, you know. So I had one of those the other day um, um, do, do you have the uh meme about it? Yeah, so so I put a meme just to highlight the talk. So you know, it's a picture of of, like a galaxy or a black hole. It says me, born too early to explore space, right, and then a picture of the earth born too late to explore, explore earth. And then, and then a picture of a tablet, a computer, a cell phone, and it says born just in time to explore data. True is not as the same level, I guess, as space and earth, but there's a lot of things that that are important about exploring data and that made me think about, you know, exploration and explanations. Right, exploratory versus explanatory, and we had to be really careful. Again, going back also to Matt, to Brett's points, we explore and we explore data when we have output from data viewers, when we have output from tool viewers, and the problem sometimes is that we think that is explanatory. We think that if I have a tool report. I'm explaining something. You're not explaining anything, right. You're exploring the data, and a good example that I have from a great book called Visualization of Data I think that's the title I'll put in the notes because I don't have the book in front of me right now Give an example of how, for example, you want to get pearls right and pearls happen to be found in oysters.
Speaker 1:Okay, does every oyster have a pearl? Of course not. Of course not right. Some do, some don't and actually the minority have pearls. So you might have to go through a hundred oysters to get the one or two pearls right.
Speaker 1:So the question is so it's saying well, you know what? For the sake of completion, make sure I have everything. I'm going to show you all the 100 pearls, I mean all the 100 oysters right. Are you explaining anything? No, you're exploring. You explore the oysters, but what I care about is not how many oysters you explored. I care about the pearls right, and you need to tell me a story about those pearls and what's important about that, the value, and you can talk about the effort of getting there, what your procedure was, but the actual oysters are not the explanation.
Speaker 1:That's the exploration and that's something that I was thinking about because, again, like I said before, we have to have our due diligence and make sure we explore, make sure we use the viewers, make sure we use the tools to get the context of what's happening, because if you don't have the context, you will not be able to explore Something. That Brett is saying and I think I said it also in my post when you show everything, you show nothing, and that's absolutely correct. Yeah, we have this 300 pages of who cares, right, was it there? Sure, it was there, but the point is not telling me yeah, there's 100 oysters, I don't care about the oysters, tell me about the first. And pearls, pearls, oh, my goodness, I'm killing it.
Speaker 2:The pearls are lost in that.
Speaker 1:Yeah, yeah, exactly no, it is. So I said in the post, the narrative reports it was turns the exploratory into explanatory, because you actually build the story. You answer questions, right, that provide to the listener, to the consumer, actionable information, right. Then you're explaining, and our job as examiners, our main job, is the explaining. But that comes after a process of exploration, of getting immersed in the data, of trying to understand what it means within the context of our investigation, of our work, whatever it is. Then we can explain and we take it even further. I didn't mention that in the post, but explanatory in your narrative also goes into not only how you write it, also how you verbalize it. Right, how do you make those thoughts come across and put it from your head in somebody else's head that you can actually visualize on the story that you're trying to build and it's not your story, right, it's a story by and for. The data is what the data actually tells us, okay, so I just you know again, one of those shower thoughts that's the most important thing.
Speaker 2:um, when it comes to reporting, everybody always hears me, uh, talk about reporting and the most important thing is to make sure you're getting that point across. And this meme and the explanatory and exploratory kind of sums it up perfectly. And Brett's comment sums it up perfectly If you're doing a report of absolutely everything, you are not showing anything and explaining anything. And even if there is something good in there, whoever the report is for, whoever the stakeholder is, they're going to miss that.
Speaker 1:Like you said, they're going to miss the pearls and ask yourself have I explored enough to find all the pearls that might be there, right? And some folks say, look, I'm in a hurry, I want to close this case. I found the one thing done, Okay. What about the 20 bodies in the freezer? Do you want to open the freezer? Can you do that? Because I know there's some illegal parking in the front, but there's some information here about this possible murders. Of course I'm making a made up scenario. Right, we're in the hurry. You know we have 20 cases closed.
Speaker 1:Look, there might be more information about more important, pressing matters that you are willingly overlooking because your exploration you're cutting it short, okay, or because you don't want to really spend the time to put it all together, to properly explain, right, that explanatory phase? And I want to add that to my thought process. You know, is my exploration complete? And is my explanatory phase being properly informed of my exploration? And I want to add that to my future spiels I teach. Hopefully that helps people out how they think about these things.
Speaker 2:Yeah, one case closed correctly, where there's context and where it's actually explained and where it's solvable, is better than 20 cases closed any day.
Speaker 1:Oh, you know what? I need to write that down Because I want to. I want to use that. Hey, Josh says uh, some pros you might not want to find, but you still need to find and show them. And that's just that due diligence. We need to make the point in our work in and if, especially, you're a supervisor or a or a or a sergeant or a lieutenant in charge of a unit, do diligence. That's a concept that either we just verbally say it but not really live it, or we just don't even think about it. And what is due diligence? You need to find them, we expect you to find them, the victim expects you to find them, Society expects you to find these things. So do your best effort or your tool and your knowledge to get to the bottom of things. And if you're rushing, you're not getting there.
Speaker 2:Or this could happen. Brett says it's okay if you miss something important because your opposing expert will find it for you. Ouch, that couldn't be more true. You know? I don't know, Do you have a lot of defense experts where you are, alex, like, do a lot of your cases have defense experts? I mean, you're federal, I'm state, I'm just curious.
Speaker 1:Yeah, I mean some do. I wouldn't want to characterize what the numbers are because you know, in all honesty, a lot of our cases plea. So there might be an expert, but I don't hear from the expert, right, because maybe right right. I'm assuming here, maybe they're just confirming my analysis and then we're good, right?
Speaker 2:But no, I've seen plenty. We don't have a lot Like. I haven't. I've seen one in my cases since I started nine and a half years, so I've had one. And I think it's really important to point out that that even if you've never encountered an opposing expert for one of your cases, they're there. Be prepared for it every time, even if you don't know one is assigned to your case. Know they're there.
Speaker 1:Know that they're actually becoming more prevalent and they will find that thing that you missed Yep, oh yeah. Or if they don't find something that you missed, your explanatory is not informed enough by the context, by the exploration, and they will take something you say and misconstrue it in some ways that you didn't think of but, in people that are not informed.
Speaker 1:right, because the juries are not examiners, the judges are not you know technical folks, they will believe it. Right, because we didn't do the proper work that we needed to do and you might say well, this is what happened. And the other side and again this goes obviously a little bit biased, quote unquote in the sense of I'm a law enforcement, so this is my context. Right, again, we're not criticizing defense attorneys or their experts. They're super important, I love having them there, they're needed and it's a good thing.
Speaker 1:Right, but using that context, we can use civil in the civil arena, which is a little bit more. You know less problems there. So you have the two opposing parties trying to make a point. Right, equally, you know both sides civilly. Let's use that example better and you make a point on one side and guess what the other side will take that and if you don't do the proper job, they will come up with another scenario that might fit those set of facts, wrongly or not right. And then what? So there's a lot of responsibility. Our due diligence is so, so, so important.
Speaker 2:Definitely, let me get that. So previous episodes we have had questions, I guess questions online and then questions in the chat on the episodes, about trainings that you can attend if you're a beginner, if you're trying to get into digital forensics or really even if you just want to brush up on the fundamentals. And I think Geraldine actually mentioned these trainings by Catherine Headley at SANS in one of the chats in a previous episode. But on the SANS website, under their webinars webcast, there is a series of, I guess, mini trainings, webinars put out by Catherine Headley and the title is the Secret Life of Devices a series of workshops on digital forensics fundamentals. So there's I think there's six, six parts to it.
Speaker 2:It's designed for beginners and it's meant to understand data storage, interpret timestamps, learn how to extract critical evidence, navigate forensic images, convert between data formats. But it's geared toward all law enforcement, it or just people who are curious about digital forensics. So some of the parts are like conversions of binary, hex, decimal and ASCII files with signature and metadata, carving, converting timestamps, evidence with mounted images and then a beginner's guide to encoding and decoding on base 64. I've gone through trainings with all of those, all of those different types of things. I think this is great for a beginner, but I also think it's going to be great for me when I go watch every single part of it and brush up on the skills that maybe we've gotten a little rusty because I learned these things eight, nine years ago, right?
Speaker 1:No, and it reminds me of martial arts, right? So you go and you start with the basics, right, and you build your knowledge as you go through all the belts and then you get to a black belt, right, and the funny thing is that when you get to a black belt, you realize that a black belt is nothing more field. It's kind of the same thing. You're like well, when will I use Hex and ASCII conversions? You know when? When you reach that high level, it's kind of funny, right, we teach that at the beginning, but you get to really really use it when you're a high-level practitioner. And to me that's mind-blowing because it's like when I get to the high-level practitioner, I'm actually just going back to the beginning and really putting into use that knowledge.
Speaker 1:Right, when you're looking at data sets that are not parsed or that are in different encodings, what do you do? You go back to those fundamentals. So this is important, you might think. Well, I mean, the tool does these for me. Let me tell you, if you get to harder problems as an experienced examiner, the fundamentals it will get you through it, and this is one good way of doing it. Sans has excellent instructors. Catherine is a tremendous instructor, and this is at the cost of free.
Speaker 2:Yeah, yeah, just create an account on their website, yeah.
Speaker 1:SANS quality teaching for free. Sign me up. Sign me up any every day.
Speaker 2:I feel like sometimes too, like newer examiners. Maybe you know they start, they get pushed into the mix of things. Everybody's busy, they get their vendor tool trainings and maybe miss some of this too. So I think these are. This is a great, a great resource for anybody who needs to go back.
Speaker 1:No, I absolutely agree. Advanced skills are simply the basics. Mastered that's a good way of summarizing what you said by Brett, so I appreciate that. I totally agree mastered, that's a good way of summarizing what you said by Brett, so I appreciate that.
Speaker 2:I totally agree, definitely All right. So next one's kind of a public service announcement I think I already said that once today, but this has been out, I think, for a few weeks now, or maybe even a couple of months, but BitLocker on by default on Windows 11. So let me just share this. So Microsoft began pushing BitLocker with Windows 11 and the specific update was 23H2. It was on for default with new installations, but with 24H2, that setting expands to reinstallations on any system that has run expands to reinstallations on any system that has run 24-H2 or later. So BitLocker is now showing up on by default.
Speaker 2:I didn't know that until one of my coworkers, kevin, who's in the chat tonight. He pointed it out and he was actually taking a look at it on his own machine and he actually provided me with a screenshot. Let me show you what he saw in his computer. All right, so he did. He has Windows 11 on his and when he did the update he had the BitLocker waiting for activation. So it's already there and ready. It's waiting for the user to activate it.
Speaker 1:Yeah, it has a little icon there for the lock and the alert icon. It says turn on BitLocker and you just need to hit it, yep, both for the operating system drive, and then you can use BitLock locker also on fixed data drives. Um, and so it's. The options are right there, and you know, I mean obviously that's good for uh, for my user security perspective. Absolutely it's a little bit of a challenge for uh, us as the collectors of evidence, but as always there's, you know, we need to just think about how can we lawfully obtain those and different techniques and methods to access that.
Speaker 2:Yeah, and he noticed this when the update came through, and I think it's important to make sure we get that information out there for anybody who may have missed that. It's now on by default, because how did we used to seize computers, pull the plug, package it up, submit it to the lab? Don't do that anymore. I think it's been a while since we've known we shouldn't be doing that right, but this just kind of further solidifies that thought.
Speaker 1:Yeah, and usually the latest thought process was well, just in case there's some encryption, extra encryption there, we want to capture that memory, don't turn it off. Or capture the memory and don't turn it off, yeah, sure, but now with this is another reason why we need to keep that thing alive, if it's already on, because I think Brett just had another great.
Speaker 2:Yeah, I'm laughing.
Speaker 1:Brett is just hitting it like out of the park, like too many things, too many words, too many times in a row. It's great, I love it.
Speaker 2:He's on fire tonight.
Speaker 1:Can you read it for us? What is he saying?
Speaker 2:So if you pull the plug on running Windows 11 machines and image a dead box, you can reduce your backlog.
Speaker 1:Yeah, yeah, if I'm your sergeant, you're going to be reducing your usefulness to the unit as well. Pretty quick.
Speaker 2:Yeah, that's great. So Kevin, who was my coworker that, actually told me about the BitLocker. He says there's also no recovery key generated, so if that computer is turned off or locked you're out of luck with the password.
Speaker 1:So for his computer in particular, yeah, I want to look into that. In regards to how is that? Is then the password tied to the user account password. I mean, honestly, I haven't tried it out, so I want to also look into that. Yeah, definitely it's a separate password, or it's just machine boots and then ask for the user password and then the decryption happens. Honestly, again, I'm more of a mobile guy.
Speaker 2:Oh, me too, but we should be up to date with our computer skills.
Speaker 1:We have to, we can't. I know we have to, we can't.
Speaker 2:I know.
Speaker 1:You got to be consciously competent.
Speaker 2:Exactly.
Speaker 1:So we're going to be doing some experiments on that, yeah.
Speaker 2:All right. So we are at what's New with the Leaps.
Speaker 1:Yes, yes. So again the community always stepping up with new stuff. Do you have screenshots? You didn't get screenshots for this one.
Speaker 2:I do. I have some. We're going to do Android notifications first.
Speaker 1:Let me share.
Speaker 2:A lot of artifacts coming in. There we go, the Android notifications are. I actually checked my samsung phone when, uh, when this article came out, because I'm like, oh my god, I've never even seen that. But on my samsung test phone, the android notifications are turned off by default and the file containing the notifications if it happens to be on and you find it in one of your examinations is a protobof file. And evangelos and I don't recall his last name, evangelos recently, recently put support in the leaps for these Android notifications in a leap.
Speaker 1:Oh yeah, and, and, and it's fantastic. I want to see evangelos Dragones, I think that's that's his last name and he's. He's been doing a lot of research, cutting-edge research on all things mobile, and we'll talk about him again in a second. Is that, since you have the Samsung? Was that like an overall notification or was it for an app? Because I'm assuming that you will get notifications. You don't have to do anything to get them right.
Speaker 2:So the history that you still get your notifications, but the device will log the history and that history file is the protobuf file that Evangelos talks about. On my Samsung test phone that was turned off by default. I didn't find exactly the same setting on my Pixel, but I did find a notification setting on my pixel and it was turned on and I didn't turn it on. So I'm not sure if there's a difference between the two devices, but, um, the history will actually be stored there in that protobuf file If the user has turned it on. I've now turned it on on my test phone and I'm going to use it for a little bit and then, um, see what it looks like in the leaps. I'm assuming it's going to look a lot like what the screenshot looks right here.
Speaker 1:Oh, yeah, yeah, oh, and that's why you actually hit it where I asked, because I'm a pixel user. So that's why I'm like those little differences between those implementation, between the Samsung's and the pure Google ones. Yeah, because I never I don't remember either having to set it on right or something like that right. So I would think that something similar in pixels are going to be on by default. But that's part of the research and that's why we're here, so folks can go out also and do their own testing on it. The example that we have on the screen I like it because it's a notification from ThoughtCrime. Which. What application is that? Signal Signal, right, so Signal signal. We know it's encrypted and you notice there the text of that message is you know the pass or the password is in a value, right? Well, it's now in clear text in the notification. So how good is that?
Speaker 1:pretty awesome of course people can also set the notifications to not show stuff, but we know that Right. But the fact is that most folks accept notifications because they want to be able to read, have a preview of what it is on the screen before they decide to go in and let the other person know that they read the message, right, right, do you see the message? No, I didn't see the message. No, I haven't, of course you did. You saw the notification, the message, you know I haven't. Of course you did. You saw identification liar, you know. So, a pretty, pretty useful capability. Um, ios has something similar. I think it's, is it? Uh, segb files?
Speaker 2:I think I don't yeah, they're in the segb.
Speaker 1:Yes, yeah, actually geraldina, myself were the first one to do some of that work. Um, um, but yeah, it's, uh, it's, it's, um, all right, so, so, kevin, let's see. So there's just a couple of some information here. Kevin Pagano is saying um, still turn off by default pixel, but I do remember turning it on on my personal phone. Okay, so that's, that's the answer.
Speaker 2:Okay, so I must've turned it on and just forgot.
Speaker 1:Yeah, yeah, and then so the other.
Speaker 2:what's new with the Leaps is chat GPT parsers, so the chat GPT mobile app. There's parsers in iLeap, aLeap and rLeap that Evangelos actually created as well, and with those new parsers I don't have a screenshot for that, but I'm going to put up on the screen. There's an article.
Speaker 1:Yeah, before you I want to mention it. So some of this research also. Costas Labrindunakis and Panagiotis Nakouris so they're Greek, so hopefully I made honor in their pronunciation of their names. Yeah, so I want to mention also their names because they were also instrumental in that, in that research. Oh, and Kevin says don't quote me, so I don't want to, I don't want to throw them out there, right? Okay, sorry about that.
Speaker 2:So yeah, so there's a, there's an article about the chat GP, um mobile application and how the data is stored, and then um new support in the leaps. Um. Let's see what else I have. That's what I had for the leaps for this week, unless you have anything to add no, the chat.
Speaker 1:I would just want to say that chat gpt, like it's, it's so, so crazy in use right now and, uh, so we're used to looking at, okay, I want, I want to look at the search history, right, what was the person searching for and trying to get information on? Whatever it was, right, you know how to you know, murder somebody without getting caught by the police, right, and look at that search, right. But what happens when they're moving? Because they are being moved to ChatGPT now and people mistakenly, from my perspective, my opinion they're using chat GPT as a search engine and that's what they do and they will ask the questions they used to ask at a search engine. They move it to chat GPT. Are we aware, and not only chat GPT? Are we aware of other you know LLMs that might be living within these devices, either the meta one or some other ones, where folks are asking questions that might go to intent, might go to the key matter of the case? Right, we have to do those and again I thank Evangelos and his team for doing that.
Speaker 1:That article is in a peer review magazine. I'm really honored that they decided to use the Leafs as a platform to apply that research. I think in you know, I think I might be wrong, but I think our platform is the only one that actually grabs that data right now. Yeah, the tool really does it. So I guess a good point of of of healthy pride and and and love of community. So again, uh, I appreciate him and his team for doing that yeah, awesome addition.
Speaker 2:So I use chat gpt daily, so there we go yeah, you'll find a lot of data on my phone if you get it. Um, there's a good conversation going on in the comments about the bitlocker too. Um, so kevin, my co-worker, saying the physical acquisition performed live with ftk imager showed the system and arsenal's actually reaching out to him in the chats and they're going to talk about the BitLocker status on his computer.
Speaker 1:Oh, there we go, there we go. We'll do further research.
Speaker 2:It's a meeting point of the latest.
Speaker 1:SpringSync technology right here in the podcast.
Speaker 2:Yeah, so he hadn't enabled the BitLocker on his device when the update came through it. It enabled it and he still hasn't fully set it up. So I'm curious to see what he and Arsenal work out in research and maybe we can talk about that again on a future episode.
Speaker 1:Absolutely. I hit that button here. I turned my lights on.
Speaker 2:You've got enough lights no that is true, that is true.
Speaker 2:So we are everybody's favorite part of the show, the meme of the week. Yeah, oh, wait, we have to go back. No meme of the week yet. Oh, what happens?
Speaker 2:Celebrate I forgot there's a new celebrate update. So, with insights, physical analyzer, there are some. There's a new beta version 10.3 is out and it's updated with improvements to the media review and they revamped their entire support matrix. If you are not a member of the design partner group with Celebrite, you can join that and become a beta user. You just have to sign up on their website and then you provide your Celebrite license number to them and they validate that you have your Celebrite license and you can become a beta tester for that, so you can get the newest version before it's even released.
Speaker 2:I downloaded it today. Haven't had a chance to mess around with it yet, but we were provided a few um screenshots of some of the updates, so I'm going to show the updates to the support portal because or the supported app list. Sorry, if everybody remembers, the supported app list for physical analyzer was an excel spreadsheet and it wasn't super intuitive and not great to really look through. But now we have this new supported app list with the capability of filtering and searching to see what's supported in the newest versions. I just thought this was a really good update to that.
Speaker 1:Yeah, and let me quickly describe for the folks that are listening. You have the platform columns. Tells you this android, ios if the app is native, obviously comes with the os or what type of app, what name of the app it is, the version numbers, and then, on models, it has a like a little series of little icons, which is pretty neat because instead of looking at a spreadsheet that's 50 columns long, you can look at those icons and pretty much quickly okay, I have telephonic data for this app, I have geolocation data for this app, some Wi-Fi data. You know what I mean. Like you can really easily figure out what types of data are being parsed by the tool for that particular app, just by looking at the icons.
Speaker 1:Of course, if you don't know what an icon is, I think you can either hover it or go to the legend and then figure out what that icon means. And we don't have enough usage you you can have, not even with usage. By looking at it, you can figure out that's an email, right, yeah, an email icon. So it might be email data there. So, uh, it's pretty, it's pretty awesome I'm just gonna put another one up.
Speaker 2:So, um, there's actually a search being performed in this one and the just WI and you can see it filters. We now have SwiftKey, twitter, wicker, anything that hits with the WI for the search feature.
Speaker 1:And then I have another little screenshot here by the way, as you're changing screens, I love how our background is a big. I like the insights. I mean the insot eye, so it's kind of-.
Speaker 2:Wasn't that planned?
Speaker 1:It's all coincidence and we have the the insults.
Speaker 2:I in the back there. Yeah, and then. So for support, there's. The normal icon means the artifact should be included. Partial is some artifacts of this type will be included, but not necessarily all. Uh, the protected icon means access to this artifact requires keychain or keystore access. So it's really a good legend. If you think you're missing data, come look at the legend. This may be why Maybe you didn't get the type of extraction that can pull a key chain or key store access, and if that's the case, that could be the reason why you're missing specific artifacts that you think should be there.
Speaker 1:Oh, you made the excellent point, as always. That will really inform what the next steps are if you're not getting what you're expecting, and maybe why, Maybe what's the case, and even if you cannot get to it, then you can tell your stakeholder look, the reason we weren't able to get X, Y and Z is because these reasons right, and then we could discuss other possible solutions to get around or over what the problem is. I think it's a great update to make the information more digestible. The Excel spreadsheet you were so kind in your description the Excel spreadsheet was not it.
Speaker 2:Oh, my God no way.
Speaker 1:This is way better. So, and again, we might criticize you, but we also give you some props when you do a good thing, and Celerbite has done a great thing by doing those changes. Do we have more screenshots? Or that's pretty much it.
Speaker 2:I have. Let me just I have some screenshots. It's a lot of reading on these other screenshots, which is why I didn't throw them up, but we can throw them up there. My favorite part of the new release on 10.3 is I got an email today and um celebrate resolved one of my support tickets in 10.3. So I can't wait to go see if it's resolved and I'm sure it is. They wouldn't tell me it was if it wasn't, but I can't wait to go see it resolved.
Speaker 1:Um, I'm, I'm, I'm, I'm putting some faith in that, yeah me too, so this is actually really cool too.
Speaker 2:I'm glad you told me to bring these up. Model definition so there's definitions of what some of the artifacts mean. Right, so like activities, application usage. But do you always have the best description of what the artifacts mean? And now you do. Each column has a little description of what type of data is there.
Speaker 1:And that definition is so key because we're not going to go into details and examples, but a lot of problems happen when, since there's no definition, the person assumes something and makes the incorrect interpretation of the data based on an incorrect re in order to interpretation incorrect interpretation of what a column means the column says search and timestamp.
Speaker 1:What does that mean? Well, let's go to data definition for that artifact so we can make the proper. Uh, you know, understanding, right, that that legend, that that definition will inform you to make the proper interpretations. Because we're looking at this as an abstraction, right? You got the data on the device, it goes through the tool and the tool is a report that tells you these are the pearls, right, and we look at it through their kind of viewpoint, the tool viewpoint, which means the tool maker and I give props to Celebrite is now telling you this is our definition, this abstraction is defined in these certain ways. So then you can make the proper interpretation.
Speaker 1:And sometimes I'll be straight Sometimes that definition might not be enough. And it's not criticizing the tool, it's the fact that we, as examiners, we have to then go to the original right, to that source data, and make sure everything is working correctly, make sure the tool didn't miss something or make sure that those mappings are correct. But having this actually aids you and accelerates that process. So, tool vendors, I encourage them to continue to do this. I would hope that somebody or maybe in the future, with some more bandwidth, I will be able to do that with the leaps, and it's really hard. This is hard work, especially if your budget for your tool is $0, like mine, yeah that's true.
Speaker 1:But companies that do this for a living definitely make available those data definitions for your artifacts, for your reports. It's super important if you want to actually make proper interpretations using your tool. Beautiful.
Speaker 2:All right, so Josh is over in the comments. I'm just going to throw this up Hover or legend. And then he says field glossary to what fields mean in certain models.
Speaker 1:That's exactly what I'm talking about how important those are Super important.
Speaker 2:Now we are, to everybody's favorite time, the meme of the week. Let me pull that up here For anybody listening. There's lights and confetti all around Alex right now, and balloons, oh great.
Speaker 1:So you guys, you explain, yeah, yeah, you have, this guy has like a coat right and he's just shaking the coat off and he has a chest full of medals and ribbons and recognitions right and he shakes it off and then he pulls it down. You know, uh, pic Picard style. You know, I don't know, you know, I know, you don't know who he is, but no, I don't.
Speaker 1:Picard, the captain of the enterprise, kind of pulling his shirt down, and it says LinkedIn, be like CSSP, ccna, cea, csus, gsec, casp, oscp, right System. You know GCFA, like we, especially LinkedIn. It's tongue in cheek right In LinkedIn us and I'm going to include myself, I'm a big LinkedIn user we put a lot of really letters on behind our name, right, it's like my name is Alexis and then you know three pages of letters and so the point of this of my post was just having you know, kind of have a discussion and think about are certifications important? And my answer was yes, no and it depends. So it normally depends all three of them, and I made a little scenario for each right. Well, are they useful? Well, yes, they can be useful in the context of you putting your foot in the door for an interview for a corporation. Right, at least you can show you have some sort of baseline, assuming that company values that certification. Right, so it has some use. Now, does that mean me having like a CISSP, which is kind of like a to-have thing in the corporate world? Does that mean I'm an expert? I say no and this is my take and I'll die on that hill.
Speaker 1:That does not make you an expert. Having 200 certifications do not make you an expert. There are experts that have zero certifications, right, and it just makes sense. The certifications measure a body of knowledge. Well, guess what? That body of knowledge was generated, created and compiled before the certification right. So are you going to tell me the people that did that are not experts? Well, they are right, they are the ones. Their knowledge is the one that makes a certification possible, right? What came first? The chicken or the egg, right? You know the chicken right, and I never was able to lay eggs right. So there has to be somebody, some expert, before certification even exists, to tell you this is important, this is valuable, right. And then I say it depends, right. And it depends because, again, do you need it? Again, it depends right. And some folks like, if you are, if work pays for it, for example, well, take them. I mean you- oh, definitely.
Speaker 1:The worst thing that can happen is what you learn, something that maybe you didn't know right, or you have some more letters to kind of put in your metal chest. That's something you care about. Some people do, some people don't but but if you're paying for it yourself, well then my take is you need to make your research Right, because some of these certification will be six thousand dollars for a class that's a week long, and then whatever $1,000, I'm making the numbers up, but $1,000, although they're not that far off $1,000 for the actual test. And some of these tests are going to be just filling the bubbles. Some are going to be on the computer, some are going to be some practical examples or practical exercises, or a combination of both.
Speaker 1:So just think about those things If you're new in the field, or a combination of both. So just think about those things If you're new in the field. You can get a lot of expertise by doing things, having a portfolio, and then be judicious in how you use your money with certifications. At the end of the day, what you know is only valuable if you can show it, if you can actually show that you know, at least from my perspective. So that was kind of the topic, my thought process on the meme.
Speaker 2:When my perspective so that was kind of the topic of my thought process on the meme what, what when you saw it, what, what came to mind. So I think there are a lot of certifications that are unnecessary. Your schooling, a lot of the fundamentals training, a lot of the non-vendor, non-tool, specific trainings that don't give you the letters at the end of your name, are just as important. I think whatever trainings and whatever whatever trainings you do that actually get you to the next level right, and that was kind of flashing too much, wasn't it? Whatever, whatever gets you to the next level, whatever gives you that expertise, whatever helps you in your casework it doesn't necessarily have to be because you have four letters at the end of your name.
Speaker 2:There's some certifications that take a look at things that you've already done. They'll take a look at schooling you have. They'll take a look at times you've testified or the number of cases that you've completed, and they'll say, okay, you're certified. Now that's not a certification. That's taking everything I already have and now telling me I'm certified I can explain that myself and charging me money for it, by the way. I don't know.
Speaker 1:The thing with that method that I don't like is that, okay, experience is valuable, but how do we measure the experience? Right? The experience, I'll be straight with you. The experience that you have as a state examiner, the volume of work that you have is my volume of work is way less. I'll be honest with you. That's just how it is right. So we cannot say that your level of expertise in certain things were the same. Well, we're not. Actually, you have way more more expertise in a lot of things because the volume of work that you do, right, I have more expertise because I can spend my time more on some other different or harder problems contextually to what I do, my type of kids that I receive, right, and so I wouldn't try to certify it that way because it's not a real measure of knowledge, right, it's not apples to apples, so I don't like that and it's quite hard. Also, take into account that and again, this is my opinion. Again, look anything we say in the show or in our social media. It's not reflective of our employers.
Speaker 2:Oh, yeah, definitely not.
Speaker 1:Yeah, this is just our opinion as examiners and nothing that we say. We do not speak for them at all, right? So, that being said, some of these certification bodies you know, yearly or every couple of years, is going to be 500 bucks, ouch. The one that I keep is a CSSP because first of all, it was kind of a lot of time investment for me to get it and I think there's still some value in that foot in the door thing maybe when I retire. So I want to keep that. But a lot of certifications I cannot afford the renewals. I'm sorry I don't have the money. Like the job goes, puts you through it, but then they don't give you the budget to renew it or renew that certification and then the actual stamp or medal goes away because I cannot afford it. If you have 12 of these or 20 of these and they're like $400 each every couple of years, how much is that?
Speaker 2:Well, and if my certification in a specific tool any tool, I'm not picking on anybody, but my certification in a tool ends tomorrow, do I forget everything about the tool? Do I not know how to use the tool anymore? I mean, I do, but I didn't pay my renewal fee, so I don't anymore. And you know that stuff can be brought up in court, right? So you used this tool. Are you certified in the use of that tool? And I think a lot of weight is put on are you certified in that tool where it should be? Are you certified or are you trained in knowing what the artifacts that came from using that tool actually mean? That's way more important.
Speaker 1:I know we have to stop the show, but that's like my soapbox. One of my pet peeves is the tool doesn't certify my work. Right For overload the term. I certify the tool. The tool doesn't tell me what's up. I tell the tool what's up and I will override the tool because I'm the examiner and I'm above the tool. Right, I deal with the data at a level the tool will never be able to, and that's something that I hope our prosecutors and even defense attorneys, courts start to understand that a tool certification.
Speaker 1:Again, I'm not saying you shouldn't have it, you should have it, it's great to have. But the examiner is not how many certifications you got? I mean, make a tool that there's certification for the leaps. Well, have you been certified in the usage of the leaps? Well, first of all, there is none. But even if they were, who cares right? Can you speak to the truth of this data, independent of the tool? Well, I can. I'm an expert. I can speak to the truth of it. I can talk about SQLite, a simple example about the SQLite, and talk about all that all day long without using the tool, if need be. The tool is just a presentation of how to show something. That's it Right. And the false equivalency is well, if you're not certified, then whatever you say about it is not valid, and that's. I think that's ridiculous, and ridiculous.
Speaker 1:And when we do that let's say, a prosecutor trying to discredit a defense attorney, for example, a defense attorney, a defense expert, because they're not certifying some tool I don't think we should do that. It's not about the particular, particular particularities of the tool, it's about the particular aspects of the evidence, of the actual data. That's what we should focus on.
Speaker 2:That is an easy thing for them to go after, though, because there's a misconception that all of those are necessary to be able to work in the field.
Speaker 1:And it becomes in certain spheres. It becomes a I just gonna I'm not gonna address the data, I'm just gonna discredit you and address you because if I can shoot you down, then hopefully people don't put any value in what the evidence is. And yeah, and that goes both ways. It goes both ways, sadly, and we need we need to, I think, educate uh, everybody and avoid that yeah let me share something here Brett's killing the comments.
Speaker 2:I hope that's the one you're sharing.
Speaker 1:Folks, if you're listening or watching later, come live and benefit. We've got really good experts in the chat. Just throw in those pearls. Again to using that example throwing the pearls out, right. What is that saying?
Speaker 2:Oh yeah, so it might not be certified but can be competent, could be certified but incompetent.
Speaker 1:A hundred percent. There's folks on the LinkedIn thread where I put the meme out of saying one guy saying, look, I employ a couple of guys who have certification. There were like the worst, yeah, this other guy didn't have the certs, but we have a good interview and he's been killing it from day one. Right, and I guess it goes for management. Certifications are great in the context of hey, this is something I might want to, a person might want to look at, but that's it. Right, you need to make sure you have a robust interview process where you're able to make proper, have discretion. If your interview process and give you discretion to really go into depth into the analysis of who the candidate is and if you're going to hire them or not, that's a problem and I think that's another topic for another day.
Speaker 2:Yeah, there we go. We'll put it on the list for next time.
Speaker 1:No, yeah, the whole interview hiring process for folks in this field. I have thoughts, but we'll leave it for another episode.
Speaker 2:I may let you soapbox.
Speaker 1:On that one I have thoughts too, but Well, you're a boss, so there's so much you can you can talk about.
Speaker 2:Yeah, I don't want to actually speak for the employer, yeah.
Speaker 1:But I'm not a boss, I don't hire anybody, so I can, I can, I can say whatever I want. All right, good point Again we don don't hire anybody, so I can, I can, I can say whatever I want. All right, good point again we don't speak for our employers all right, yeah, no one.
Speaker 1:Last thing, and again, kevin is absolutely correct, right? Um, sometimes certs are a checkbox on a resume, right, and just to get 90 of the time to get to a, to get through the hr, that hr uh, yeah, you know wall or limitations, right, if, if, if, you want your, your resume to be looked at, make sure you hit those, whatever certs. And it's sad, that's how the game is played, but that's how it is. The question is, you know, we can decide not to play the game and that has some consequences, but we had to play it and also there's some consequences there. It's all, that's how it is. Oh, my goodness, josh is also killing it. Not all it's, it's all it. That's how it is. Oh, my goodness, josh is also killing it. Not all certificates are are equal, right, until we as a community come together and agree on a set of skills, the alphabet soups will continue. And but that's tough, right, and I maybe we need to bring josh one day to the show. I think we should I think so it's.
Speaker 1:We're volunteering him right now yeah, right, it's a fine, fine line between look, do I want the flexibility to do the job as an expert I need to do, or possibly do we want to have some sort of rigid set of parameters being posed by us by an external entity that might not be adequate for us and that's a tough one, right?
Speaker 1:Do we want the state, for example, to say, well, to be an examiner, you need to feel these things right and you might say, well, that's good, at least there's a baseline. But the problem with some of those checkboxes or baselines is that then people just get to those right and they don't feel the need to go beyond those right, or we might be constrained into how the definition of our work should be and there's no evolution on that. Again, that's another long topic for another episode, the whole. Should folks be like examiners, like doctors, right, have like this collegiate certification body that everybody needs to have it before they get, be able to practice, you know, be a practitioner? Is that something we want for this field or not? That's a big topic of discussion, but we run out of time.
Speaker 2:I'll write it down for next time.
Speaker 1:Absolutely All right.
Speaker 2:Well, heather again we've come to the end.
Speaker 1:For this week. Thank you everybody that have been in the chat. It was a great conversation. The folks that will listen later also. Thank you for listening and being part of the community. Let us know in our LinkedIn or social media pages topics you want to hear from us, your own opinions that you would love to share with the community. If you have any projects that you're developing and putting out for the community as well, and if you are just doing research, also let us know. We'll be good to share those with everybody else and build on it. So anything else for the good of the order, heather.
Speaker 2:That's it. So anything else for the Goody Order, that's it. Thank you everybody for listening. We're watching.
Speaker 1:Exactly All the above Right, so we'll be seeing you all in the next episode. Keep track of our social media and we'll see you then. Take care, bye. Bye, we'll see you next time.
