Digital Forensics Now

Bird Cameras and Forensic Insights from New Zealand

Heather Charpentier & Alexis "Brigs" Brignoni Season 1 Episode 21


(THIS IS WHAT AN AI GENERATED DESCRIPTION WITH NO HUMAN CORRECTIONS WILL PROVIDE FOR YOU! SO NATURALLY WE HAD TO KEEP IT HAHA!)

What happens when a digital forensics expert sets up a podcast studio in a cupboard under the stairs and a co-host becomes a modern-day Snow White with her Bird Buddy camera? You get a lively and engaging episode of the Digital Forensics Now podcast! Alexis Brignoni, aka Brigs, and Heather Charpentier kick off this special episode with humor and camaraderie, sharing personal anecdotes and giving shout outs to their devoted listeners like Adam and Kevin. Plus, we nod to fellow podcaster Justin Tolman for his enlightening episodes on forensic technology, including a riveting discussion on AI and legal standards with Brandon Epstein.

Ever wondered how driving on the opposite side of the road or discovering local flavors like Vegemite could become part of a professional journey? This episode takes you on an entertaining trip to New Zealand, where Alexis recounts his experiences teaching at a New Zealand Customs event alongside experts like Jung Son and Mario Merendon. From navigating tiny light switches to marveling at Auckland’s architectural wonders, this chapter is filled with both professional insights and delightful cultural encounters. The rooftop bar with waist-high glass bumps offering views into the train station below is a highlight not to be missed!

For our tech-savvy listeners, we dive deep into the world of digital forensics tools and training. We discuss the significance of volunteering for IACIS, troubleshoot a Magnet Axiom slowdown, and outline upcoming training events like the SANS Community Learning Day in Miami. We also explore the practicalities of running Python scripts, showcase a new tool called Mister Skinnylegs, caution against over-reliance on AI, and stress the importance of fundamental knowledge in digital forensics. From iOS tool updates and Metadata Forensics to sourcing forensic-related blogs, this episode is packed with valuable insights to enhance your forensic expertise.

Notes:
DFIRCON xLEAPP
https://www.sans.org/mlp/dfircon-miami-agenda/

CCL Solutions Group - Mister Skinnylegs
https://github.com/cclgroupltd/mister-skinnylegs

iOS 17- The “Forever” Setting That Isn’t… Or Is It?
https://smarterforensics.com/2024/08/ios-17-the-forever-setting-that-isnt-or-is-it/

Identity Lookup Service
https://djangofaiola.blogspot.com/2024/08/identity-lookup-service.html



Speaker 1:

All right, welcome to the Digital Forensics Now podcast, episode 21. And if you're not a programmer, episode 22. Today is Thursday, August 8th, 2024. Almost, almost a year of the show. We're reaching it, almost there. My name is Alexis Brignoni, aka Brigs, and I'm accompanied by my co-host, the New York Snow White, the one that Temus until she cannot Temu anymore. The lean and mean, but mostly mean. Mean, but only when she's hungry. Oh, and when they talk lita, francis, crap. The one and only Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. Yay, and I mentioned, I think, most of it. It was intelligible, hopefully. Hello, Heather.

Speaker 2:

I could understand the whole thing. That was an interesting intro.

Speaker 1:

Yeah, don't worry, folks, if you're listening, tuning in. We're going to explain the intro little by little as we go along. Which, by the way, I think we can notice a difference here in my setup.

Speaker 2:

Yeah, Alex has been banished to the closet. I do, I do.

Speaker 1:

I like it, though. It's funny because, you know, if there are any Harry Potter fans in the chat here... I see, oh, Adam is on the chat. Hi, Adam. So good to see you staying up late all the way from the UK.

Speaker 1:

So yeah, we'll make that joke in a second. So, you see, Harry Potter fans, you know that Harry Potter lived in the cupboard under the stairs. This is literally under the stairs in my house. I've got a little bit of a Harry Potter setup here.

Speaker 2:

It looks good. It looks good.

Speaker 1:

What's that? What's that I'm saying? Can you read it, Heather?

Speaker 2:

Still watching HBO thanks to Heather, and waiting for Brigs to wear the shirt. If you know, you know.

Speaker 1:

Yeah, yeah, that's true, I had the shirt.

Speaker 2:

I need to wear it. And if you watched a previous version, you know why he's watching my HBO. Yeah, previous episode.

Speaker 1:

So if you don't know what they put in the movie, that Easter egg, if you don't understand that Easter egg, you need to watch a previous episode to get it. Yes, yeah, reference. Anyway, so yeah, this is my cupboard-under-the-stairs office.

Speaker 2:

It's good, but you don't have as many wall signs, and I don't know, my wall signs are kind of starting to show yours up.

Speaker 1:

Yeah, well, I mean, I don't have many walls to begin with.

Speaker 2:

Or door signs, sorry.

Speaker 1:

Yeah, like this thing, like I cannot extend my arms to my right, I won't fit here. Kevin is in the chat. Hello, Kevin. It's always good to have all the main folks under the LEAPP repo and the main mastermind of all good things. So yeah, everybody can see my mini office. So I mean, the office is new for everybody. Hopefully it's good. How about you? What have you been doing? What's up with you lately?

Speaker 2:

Oh, I mean, not a ton. I am a new bird lady. I thought I would share that with everybody. My parents got me the Bird Buddy, the camera for outdoors to capture video and images of birds, and I'm obsessed with it. So yeah, I'm gathering, I call it my old lady habit, I'm gathering my old lady hobbies, I guess. So here's my birds.

Speaker 1:

I have the hummingbird attachment and, let me tell you... You said so. So, folks, she sent me the picture of the hummingbirds coming in, right, also the squirrels and all the birds, and I'm like, how many animals? So I say she's Snow White, right, like they all congregate now in front of her feeding camera, and it's uncanny. It's amazing.

Speaker 2:

Yeah, the squirrels have figured out how to climb the pole. Well, I'm sure they knew how to do that, but they climb the pole, get in there and eat all the bird seed. So that's kind of what I've been up to, watching my bird cam.

Speaker 1:

I mean, look, look. I mean, the next thing is knitting and you'll be set.

Speaker 2:

I know. That's funny you say that, because I made a post that says I'm a cat lady. Now I'm a bird lady. I'm going to be sitting on my couch knitting a damn afghan soon.

Speaker 1:

So I'm not doing that. Can you make a beanie for me at least? Sure. I have this hat, as you can see, my hat, right. I did not put gel on my hair, and so then, okay, I'll confess, I'm trying to be the next Justin Tolman.

Speaker 2:

But unaffiliated. See, there's no company name here.

Speaker 1:

Oh, if you don't know who Justin Tolman is, he works for Exterro and I don't think I've ever seen him without a hat on, ever. I think he showers with it on. No, okay, look, Justin is doing a great podcast, FTK Over the Air, if I'm not mistaken. Yeah, their last episode they had the guy from Medex. He's a great guy. What's his name?

Speaker 1:

Brandon Epstein. Yeah, oh, Brandon Epstein. Oh, what an awesome interview. So, about AI and how that works with LLMs used to identify things in data, and how that relates to the concept of black box, and should that be introduced in court under the Daubert standards, all those. You should go and watch that podcast, video podcast, stream. It's fantastic. So, but again, a lot of love for Justin. Yes, yes, you know, I know he was born with that hat, so you might as well keep it on him at all times. It's all good. I'm trying to look, I'm trying to be like you, man. You're not quite there yet, you're getting there. Oh, definitely not.

Speaker 1:

I don't think I'll ever get there. He's just one of them. I'm a cheap imitation. Anyways.

Speaker 2:

So what have you been up to? I already know quite a story that you have.

Speaker 1:

And I will get to it after I make one last point. Okay, the sign on the side of you. That's a new sign. I love it.

Speaker 2:

It is, it is. So it's from Etsy. I love Etsy. It's not from Temu, even though you decided that you should pick on me about Temu in the intro. But it says Digital Forensics Now and I've got the little twinkle lights behind it, and it came out pretty good.

Speaker 1:

So I made it. Yeah, oh, looks great. I mean, you couldn't ask for it on Temu, because it's not going to be here yet. It's going to take like eight months at least, from some China sweatshop somewhere, I don't know.

Speaker 2:

Anyways, I love my Temu.

Speaker 1:

Before I go into what I've done, Lori's saying no, no knitting, crochet. Okay, get your old lady things in gear.

Speaker 2:

Lori, that still adds to my old lady list, but I'm going to embrace it. I'm going to embrace it.

Speaker 1:

I think you should. And we've been asked if we've been liking the Olympics. We have, we have. Yeah.

Speaker 1:

Yeah, definitely, definitely. It'll stay all the way to the end. So, yeah, since you ask, I'm gonna have a whole presentation about what I've been up to lately, since we have the show, so let's bring up the slides, okay. So, everybody, this is our show, you have to put up with me. So we had, for the first time, IACIS, and you can see my shirt here, it says IACIS. We were asked to teach the mobile device forensics course in New Zealand. What a beautiful place.

Speaker 2:

I'm not jealous at all that I didn't get to go, not even a little bit.

Speaker 1:

No, no, I mean, of course not. Like the Friends episode, I'm not jealous, I'm not envious at all. So yeah, so you know, the trip started here in Orlando, that's where I live, so I was pretty happy, and let's get it going. So yeah, I was in Orlando, happily going, I'm really happy, and I started my trip. I went from Orlando to San Francisco, because you know you get to fly across the country, then across the Pacific. But then we get to San Francisco, guess what? Right, my flight was delayed for some little technical problem. Don't

Speaker 1:

worry, guys, it's just delayed. And Andrea is up in the chat. Hey, Andrea, so good to see you always. She's killing it, by the way. She works not with me in my office, but in my organization, and she's killing it.

Speaker 2:

I know I was going to try and get her to come work for us.

Speaker 1:

And then I saw that she came and started working for that.

Speaker 1:

Too bad, too bad, sorry for you. All right, so good for us. So, yeah, a little problem. And that little problem turned out to be something else. So I'm running to make my flight to New Zealand and I'm telling Heather, you know, I got to get there. Heather's like, you got to run, right. And as I'm running I see the screens turning a weird, weird but known shade of blue. Yeah, so, literally, I sent Heather a picture here. It's blurry because I'm running to the plane. I said, look at this, Heather. That's a screen, for folks that are listening and not seeing this. It's an advertisement screen in the airport and it has a blue screen of death. And I'm like, that's kind of weird that an advertisement screen has a blue screen of death, right, because I didn't know what was happening.

Speaker 1:

Well, as you all know, the CrowdStrike-mageddon had hit the airports. And, for those that haven't heard, this EDR company, you know, kind of a cybersecurity company, they put clients on the endpoints in your network and they, you know, make sure that they keep the endpoints safe from malware and ransomware, stuff like that. Well, they sent an update. The update just started blue screening all the computers, like literally all the computers in the airport. So let's see the next slide. I mean, it was so bad that all the screens about, you know, departures or where your luggage is, all blue screen, all across the airport, the terminals, all across the airport. So we're stuck and I'm like, what are we going to do, right? No hotels, because there's no vouchers, there's nothing.

Speaker 1:

So I had to sleep on the floor. I was lucky enough to finagle, you can see me there, and open a port to charge my stuff, because I'm spending the night on that. I spent most of the night in that spot on the floor of the airport, all hundreds and hundreds of us, because we were kind of fighting over the, not fighting, that's not true, but kind of looking for ports to charge. So anyhow, I slept there a little bit. And yeah, I'm lucky I had all my luggage with me. I had it all carry-on, because I packed really tight and I had to put nothing under the plane. So at least I kept it with me. Some folks couldn't even get their luggage, and the lines were ridiculous. I think it's the next one. The lines were ridiculous to get that. So, yeah, look at the lines, and time to rebook.

Speaker 1:

So I was originally slated to fly straight to Auckland in New Zealand, and nope, the next one, they flew me down to Melbourne in Australia first. So before I left, I was so stinky I had to take a shower, and I discovered that you can take a shower at SFO, the San Francisco airport, if you pay 30 bucks for 30 minutes. It's the most expensive shower I've taken, but it was totally worth every single dollar. Yeah, so I got a ticket. There we go. So I went to Melbourne first. So I started that flight across the Pacific and I got lucky because, thankfully, I think I was the only person on that plane that had a whole row to myself, which is the universe giving me a break, because I was about to break down emotionally over the whole thing.

Speaker 2:

I would have.

Speaker 1:

Yeah, poor Heather had to hear my cries. So I was able to actually lay down. Put your seatbelt on, and I literally put my seatbelt on as I'm laying down. I'm like, I'm not sitting up. And then, you know, that's a little bit, I guess, the sunrise over the Pacific. Really nice. Yeah, no, it was tough. So we got there to Melbourne and they had to fly me kind of backwards again to the other side, to New Zealand, and that's another three and a half hours. While I waited in Melbourne they had Hungry Jack's. I'm like, what is Hungry Jack's? Well, then I figured out that's just Burger King, like literally Burger King. It's just called Hungry Jack's there. Oh really? Yeah, oh, the same thing. Although they have a burger, it's like they took a Whopper, like Whopper meat, and put it in a Big Mac. It was kind of weird, like a Big Mac made out of Whoppers. I don't know what the name of that was, but it was actually pretty good. I guess they don't get sued for doing that over there, as opposed to the US. Anyways, I don't know. There you can see me flying back and flying to Auckland, and there I am now.

Speaker 1:

When I got there, what a fantastic place. I stayed at a hotel next to Spark Arena. It was pretty nice. Adam told me that McDonald's over there is called Macca's or Macy's. I don't know how to pronounce it, Adam. Macca's, Macy's, I don't know. I guess Macca's sounds better. I don't know.

Speaker 2:

McDonald's, Macca's, yeah.

Speaker 1:

Mickey D's, I guess, it's over here also. One of the things that I found interesting is that they drive on the wrong side of the road, and again, I'll go right, wrong, get it, get it. But which, it was funny, because, is there Vegemite over there? I do not know if they had it in New Zealand. I know they have it in Australia. Anyway, that's Matthew asking. So I have to be careful because I'm used to looking certain ways across the street, and here it's the opposite, right. You expect cars coming from one direction, they're coming from the other one. So, yeah, on the right side of the road, I don't know about that. Oh, there we go. See, now I just pissed off other people.

Speaker 2:

I've got to share that one. The correct, civilized side of the road.

Speaker 1:

You mean... See, now I got everybody mad. Look, there's the right and there's the other side. Sorry, no, I kid, I kid, I kid, actually. Oh, and that's another thing. So Brent Whale is going to pick us up and I'm going to start, you know, walking to get into the car, and he's like, it's on the other side. Oh geez, I'm not driving, obviously, so I need to sit on the other side. You know what I mean. Anyway, sorry I'm taking too long on this story, but let me hurry up. So here I am. So it was a great event. It was hosted by Customs, the New Zealand Customs Office. What a great group of people. They have a tremendous lab with amazing examiners there. There were also some other folks from other agencies that I'm not going to disclose here, and it was a great event.

Speaker 1:

I was teaching with a couple of folks. I think it's the next slide. Yep, I was teaching with Jung Son, right there, he's there from New Zealand, and Mario Merendon. He's a great examiner. He's the class lead for the Mobile Device Forensics course, the same way that Heather is the lead for the advanced course, the course I teach with her, so I know the two leads. So it's fantastic for me. I got to teach with Mario, and there we are. So we gave the class, and that's me teaching SQLite, because, I mean, well, SQL within SQLite, right, and we taught a whole bunch of data structures. Something I found interesting about New Zealand is that the plugs are different. I can expect that, but I love the little, to turn the lights on and off, what's that called, the switches? Yeah, because they're tiny and kind of like little coins.

Speaker 1:

It's not like in the US, where it's sticking out like a stick, right. I found they were cute, I like those. So I learned the joys of drinking L&P. Also really fantastic. I know it has some lemon in it, what else is there, I don't know, but it was fantastic. So I drank quite a few of those. It's a local software, I mean software, soft drink. My brain was thinking about things, right. See, Adam is saying, see, he has the opposite reaction when he goes to the US, wants to get in the car, he wants to get in the driver's seat because he's confused, right. Yeah, so good, yeah. One thing that I noticed about Auckland, what a beautiful city, is it's so clean, Heather. I was trying to go out of my way to find trash, either on a sidewalk, on the curb. I'm so crazy like that, I saw a little alleyway between two buildings and I went down that alleyway looking for trash, and that was clean, clean too.

Speaker 1:

All alleyways have no, yeah, no trash. Like, how did they do this? That picture that you see there looks all clean, like washed and clean. That's the whole freaking city. It's like that. That's crazy.

Speaker 2:

That's crazy.

Speaker 1:

It is crazy. Good on them, you know.

Speaker 2:

Yeah, definitely.

Speaker 1:

Yeah, so there's a couple of pictures of the city. You know, it's right there next to the bay. Beautiful places, beautiful buildings. I went in the winter, but it's not a really bad winter. At least when I was there it was kind of mild, it wasn't too bad, so I liked it. And see, Adam is saying that talk is kind of the same way, the people don't put trash out. So yeah, all the streets were super nice. Something I found interesting, I think it's the next one, they have this little, oh yeah, so Jung took us to this rooftop bar. What a great view from the roof.

Speaker 1:

That looks nice. Yeah, so I never drink. But you know, since Mario and Jung kind of peer pressured me, I took a little bit of a drink. Yeah, I try and get him to have a drink with me.

Speaker 1:

No go. He gets over there with Jung and Mario and it's game on. Yeah, I'm gonna say game on, like that's far away from what I actually did. Oh yeah, I don't drink yet, but it's okay. So that was, I was gonna talk about that. So you see those kind of bumps there, and for folks that cannot, sorry you're not seeing this, but it's like little bumps, they're kind of waist high and they're kind of nice, like in the road. So on top of them there's this glass, and when you look into them, which is the next one, what you see down there is the actual train station. It's like a ceiling, what's that called, ceiling light?

Speaker 2:

No, roof light, I don't know how to pronounce that. Sunlight, like a sunlight thing, but it goes straight down to where the station is.

Speaker 1:

It's fantastic. And I was there looking at people walking up and down like I'm an idiot, but it was great, I loved it. I loved it, and then I was lucky enough... Oh, that's the train station, how beautiful it is. That's nice. And we went in just to check it out. Beautiful building, everything so organized, and people there to help you, hey, what do you need, where do you want to go, all that type of stuff, right. So I was lucky enough to go to the Serious Fraud Office. I think that's the next one, hopefully. Oh no, before I do that, before we did that.

Speaker 1:

Okay, folks that are listening, you cannot see this. We were walking through the city and we found a business called the Ding Dong Lounge, literally with neon lights, and, my mind is not that of a 10-year-old, like, what's a ding dong lounge? Like, that's where you put them to rest when you're not busy, like I put my ding dongs in this lounge, whatever that means. I don't know. The Ding Dong Lounge. Maybe that means something in New Zealand, I don't know what that means. So, yeah, moving on, moving right along after the Ding Dong Lounge.

Speaker 1:

What you see here is a picture of the Sky Tower. It reminds me of the one in San Antonio, what's that called in San Antonio? It's like a big tower. They have a restaurant that kind of goes in circles, that goes around slowly so you can see the city, a 360 view. Oh, it was fantastic. I have a picture.

Speaker 1:

The next one's a couple of pictures from up there. Yeah, oh, it's a beautiful city, Matthew. Yeah, I agree, it's beautiful. See it from a distance. And then we went up there. Brent Whale, he's on the board of IACIS. The guy's a legend. If you've been associated with IACIS, you know who Brent is. And not only is he a legend technically speaking, because his expertise is deep and really knowledgeable, he's such a great human being, he's like the best host. What a great guy. So he took us there. You can see the city there, like in the afternoon, really pretty, also at night. I took a picture at night while we were having dinner, going around the city. You can see the bridge there in the back, crossing the bay. Oh, what a fantastic experience.

Speaker 2:

It's beautiful.

Speaker 1:

Sorry, you missed it, heather.

Speaker 2:

I was just going to say again, not jealous at all that I couldn't go on that trip.

Speaker 1:

And then, that's at night. So I want to talk about the Serious Fraud Office. That's the next one. So they work all sorts of different types of crimes, corruption cases, super fantastic. Their building, that's the next one, it's literally right there at the bay, and let me show you. That's a picture I took there, like in a glass window, the bay behind me. That's their lunch room and I'm like, really, this is the lunchroom? Jesus, like wow, what a great view. You hear the seagulls and the boats and all the birds, whatever it is, right. Great picture. I love the name Serious Fraud Office. I'm making a joke to Jung, like, as opposed to the Funny Fraud Office, I guess. I mean, he's so polite he cannot chuckle at it, because he's polite. It's a really bad joke. So yeah, it was.

Speaker 2:

It was a great place. Adam's telling me that I got to go to Wilmington to Techno and that is the same as you going to New Zealand, and I'm going to say no, that it might not be exactly the same.

Speaker 1:

There's a few tiny differences. It's closer, though.

Speaker 2:

Yeah, and I didn't have to take that horrible flight.

Speaker 1:

Oh, my God, what a pain in the behind. All right, so what else? We've got to wrap this up. It's just, I love this trip so much. You all have to endure it with me.

Speaker 1:

So this picture on my right, I guess in the middle, that's Brent, Mario. On the other side you see Jung and some of the other students in the class from the different agencies. They have art everywhere. That's the lobby of the building, kind of this hanging art, all the colors.

Speaker 1:

The native culture there is so respected, and it really permeates throughout the city and the people there, and it's so fantastic. I learned about the Maori culture and even rugby, and I went to different places to eat, and it was a fantastic trip. Of course, all good things come to an end, so I had to fly back. Thankfully it wasn't as bad as the first. The going out was better than the coming in. Back to San Francisco and then back to Orlando. I think that's it. Yep, go back to Orlando and here. But I hope to return one day. So there we go. Thank you, everybody, for putting up with a 10-minute story and these pictures, because I had to share them, because that's where they had to be shared.

Speaker 2:

It looks so awesome. I hope to be able to go in the future, and if anybody is thinking of joining as a volunteer for IACIS, do it. Look, Alex joined and he got the chance to go to New Zealand and teach. Those opportunities come up when you volunteer for the organization as an instructor or a row coach or any other capacity that they may have available. So definitely, definitely think about it. It's a great organization.

Speaker 1:

And you volunteer, right. So it's not paid, we don't get a single cent, but we get the experience sometimes of traveling. But even if you don't travel, the experience of being able to develop that future generation, I say future, but kind of current generation, of examiners, being able to really make a difference, not only through your own casework but through the casework of others. It's this overlapping, always growing circle of good when you put yourself at the service of humanity, which is what IACIS, I believe, does. So, highly recommend it.

Speaker 2:

Agreed. So let's talk about some topics this week, then.

Speaker 1:

Yeah, let's do it.

Speaker 2:

So, the newest version of Magnet. I don't know if there's anybody listening, or anybody who listens after we're not live anymore, who hasn't heard. On the groups or the listservs there is a little issue with Magnet, but there's a fix. So if you updated to the latest version of Magnet Axiom, you might notice that it's running slow, and the word is that tech support is aware and it's an issue with the NVIDIA CUDA driver version. There's a write-up in their support portal on Magnet's website that addresses the system requirements that you need to have for Magnet Axiom and Magnet Axiom Cyber, and one of those requirements is that the appropriate runtime version of CUDA must be between 11.2 and 12.3. So on those listservs and groups where people were talking back and forth about the issue, that was the fix. They were saying they rolled back CUDA and didn't have the problem anymore. So, kind of like a little public service announcement here. If it's running slow, there is a fix.

Speaker 1:

Yeah, and I'm going to make, I mean, I guess not an opinion, but it's an observation. So, you know, software development is, that's how it is, right. You had the CrowdStrike thing that I mentioned with the crashed computers. Sometimes some updates get sent and maybe some of that, drivers and such, kind of falls through the cracks, right, or some features are missing, to the point that, like with Cellebrite, they sent an email out stopping development of the Insights product till some of those issues were resolved. Right.

Speaker 1:

And I'm saying that because, again, we tend to put our faith in the tools, and you should. But at the same time, I say faith, faith is not a good word. We trust that they will work as they should, but sometimes they don't, right, and you need to be aware of that. And hopefully vendors see... I don't want to talk out of line, because the amount of work as a developer that goes into these products is immense, the amount of testing that they do is immense, the amount of people. But sometimes it happens, right. And I know at the same time, I don't know this for these companies I mentioned, but in general there's also pressures, right, that come from being a publicly traded company that has financial targets, and product needs to be released at certain times to hit certain financial goals. And the question is, how much would that influence the speed of development? I don't know.

Speaker 1:

But I guess my take is the hope that these companies, the heads of these companies, understand that companies are here to make profits, for sure, but these companies, they're more than that, right. The type of software that we depend on is not any type of software. It's not like some game, like an app for a game, right. Big decisions are taken based on some of the work of these tools. So hopefully, my hope is that development cycles are not shortened because of that financial pressure. Again, I'm not speaking out of any particular knowledge, I'm just opining in a general sense, knowing how the software business works. So, just a thought, you know.

Speaker 2:

You have something coming up, so the DFIRCON, want to talk about that? Yes, that's, I'm really, I'm really happy. I was honored. The SANS.

Speaker 1:

So the thing is, SANS has a community day, and the thing with the, I don't know if they call it community day. You have a picture of that?

Speaker 2:

It's Community Day, yep.

Speaker 1:

Community Day.

Speaker 2:

I don't have the picture, but yeah.

Speaker 1:

I have the picture. That's why you don't have it. I have it, so let me show folks a picture of me and a few other folks for the Community Learning Day, that's the full name, and it's going to take place in Miami on November 17th. I don't know if they're going to be live. Well, that's not live, but you know, kind of streamed or something. I'm not sure. I need to figure that out. Lately, SANS has been putting stuff out for folks to watch for free, if not live, maybe later on, a few months later, a few weeks later.

Speaker 1:

So what I'm going to be doing there is, I'm going to be talking about, again, the LEAPP platforms. It's Python, it's multi-platform. Also, we develop, all the folks like Kevin and all the folks, Johan, we develop for Android, iOS, parsers for those. So how can we run them? What can we get from them? And also highlight some interesting parsers that you cannot see anywhere else, and a little bit of a lab setting where people can run the tool. So that's going to take place from 10 a.m. to 12. So I've got maybe almost two hours there. That will do a little bit of a lab environment. So I'm going to highlight some of those, so I'm pretty stoked about it.

Speaker 2:

Yeah, and I'll put in the show notes afterwards. There's an agenda for that whole event and there's a whole bunch of other presentations going on as well.

Speaker 1:

Yeah, and I'm saying, you know, it's a yes, that's fine, I mean I'll do it up. So I'm saying, amazing place sharing amazing knowledge, win-win for everyone. And that's something that I want to see, I like seeing from vendors or education providers like SANS, more community events like that.

Speaker 2:

We need some of those. So recently I was talking with Alex Caithness from CCL Solutions Group and he has a new plugin parser, and I'm going to show everybody. It is called Mr Skinnylegs, and I had no idea what the reference was to. I'm sure if there's any parents in the chat they will probably know what Mr Skinnylegs is.

Speaker 1:

I have a six-year-old and, in a couple weeks, a nine-year-old, and I immediately knew what it was about. Um, I had absolutely no idea and I had to ask.

Speaker 2:

But apparently it is a spider from Peppa Pig. So I Googled Peppa Pig. That is a strange children's show. That pig is weird looking.

Speaker 1:

Oh no, no, Peppa Pig is the best, and I love Miss Rabbit. She's like Miss Rabbit, does everything. So that's how I feel at work. I'm the Miss Rabbit of my office sometimes.

Speaker 2:

Okay.

Speaker 1:

Parents understand.

Speaker 2:

If you say so. So yeah, I had no idea what that was, but the whole program, the plugin that Alex created, provides a command line interface to run plugins against Chrome or Chromium profile folders, so let me just flip. It currently has these plugins available. It includes Discord chat messages, Dropbox session storage, user activity, Dropbox file system, Dropbox thumbnails, Google Drive files and folders, Google Drive thumbnails, Google Drive usage, Google searches, Office 365, SharePoint, recent files and user activity history, downloads, local storage and session storage. So I installed and tried it out. The tool requires that you have Python 3.12 or above installed. It's not a suggestion. I learned the lengthier, harder way that you have to read the readme and do what it says.

Speaker 1:

So I want to say a quick comment there. Yeah, I bet it's the duck typing errors and all that, because it had to be with some of the Alex code. By the way, for folks that don't know Alex, he's like, I would say, the third co-host, I think.

Speaker 2:

Even though he's never been on the show.

Speaker 1:

Because we mentioned him like every other show.

Speaker 2:

We do, we do, yeah, definitely.

Speaker 1:

Alex is great, and something I want to highlight there: all the places that Heather talked about, where it gets data from, it's places that I believe some tools kind of neglect a lot, 100%, yeah, but has important information, which Heather is going to show us. So I'm really happy that Alex and CCL, through Alex, is actually putting this content out. But yeah, so you're installing Python 12, right?

Speaker 2:

Yes, 3.12. Make sure you have 3.12. I'm actually going to share Adam Furman's comment: we all have to add to Skinnylegs. So Alex and I were actually talking about that prior to the show. Agreed. There's so much that can be added to Skinnylegs and I am sure he will take all suggestions, research, assistance on doing that, 100%. So the tool requires that you install dependencies and that you use a virtual environment.

Speaker 2:

The readme that goes along with this script is excellent. It's really detailed, walks you through the process. Sometimes when I go to GitHub and I'm trying to run some of those program scripts, or whatever it may be, I can't figure out what I'm doing because the readme is a little scarce. This one is very detailed and nobody should have a problem. I had a couple problems, but I figured them out pretty easily. It even addresses some issues that you could encounter and how to overcome them, right in the readme.

Speaker 2:

So once it's all set up... here I have the three simple commands to set it up. You create the virtual environment, activate it and then use pip install with the requirements file to install the requirements needed for it to run. Just a screenshot of it installing the requirements, and then there's a simple command that runs the Mr Skinnylegs Python script on the user's Google profile folder.

Speaker 2:

So it's a little hard to see there, but the user's Google profile folder is located at Users, then your username, AppData, Local, Google, Chrome, User Data, and then it's the profile folder, maybe Profile 1, 2, 3. Mine was up to eight. I noticed a while ago that my profile folder was getting rather large and I deleted it, so I'm now up to eight. The script will then output to an output folder in the Mr Skinnylegs directory. This is my error. So when you go to run the script on that Google profile folder, the browser can't be open, and it again took me a very long time to figure out that I just needed to close the browser and then rerun it.

Speaker 1:

Remember what I told you? Always look at the last line. Yeah. OperationalError: database is locked.

Speaker 2:

Yeah, you have to read the last part, I know. Alex actually ended up telling me, he's like, did you close your browser? I said, well, no, I didn't close my browser. I've run the script like three or four more times and had the same error three or four more times, because I for some reason can't get it through my head that the browser needs to be closed. So if anybody's listening, close the browser.

Speaker 1:

SQLite is a single user database, so you can't be trying to make it multi-user.

Speaker 2:

Yeah, I tried. It didn't work. Once it kicks off, the process will start. This is what the screen will look like. It has the Mr Skinnylegs at the top. It tells you what plugins are loaded and what's going to be running, and then I'm going to share with you the actual output folder.

Speaker 1:

I always love the ASCII things. You put the name of the tool in ASCII on the top, like the little symbols there. I always dig those.

Speaker 2:

All right, let me share here. There we go. So it goes right into the Mr Skinnylegs directory in an output folder, and let me see if I can zoom in here. I mean, I think it's fine. Okay, it's readable, yeah.

Speaker 2:

So there's folders: datadump, Discord, Google, Google Drive, Office 365, SharePoint I had in here. So Discord was actually one of the more interesting ones. I launched Discord from the browser, Alex's recommendation to check this out, and from the browser my messages are now parsed with the Mr Skinnylegs plugin, the parser for Discord. It kicks it out in both a CSV version and JSON on most of the artifacts, and let me pull up the CSV here so I can show you. If I have one complaint about this platform that we use to show it, it's that I need to have an easier path to sharing. So there we go. I have my Discord messages.

Speaker 2:

I think I'm asking Alex about Peppa Pig in these. I'm not going to leave it up for long so you don't read all of mine and Alex's messages. However, I am asking him about the Peppa Pig and what it means, and then going on to ask about the errors that I'm having. So the JSON file, I'm going to share that as well, because I brought that one up in Rabbit Hole. Rabbit Hole is a tool that we've talked about on the podcast quite a few times, and Rabbit Hole will also parse that data from the JSON file. So I brought it in under JSON and it has everything laid out in the key-value pairs there. So I have the channel ID, the message ID, the author ID, the message type, the content and a whole bunch of other data that comes in along with those Discord messages that are parsed out. And I think this is a message with me and Alex and I'm saying, yay, the new release of Rabbit Hole is out. So it pulled all of those messages.

Speaker 1:

Yeah, why can't I find a place to download it? Because you need to find the right link.

Speaker 2:

I didn't have the right link. Yeah, that's why. Yeah, I'm full of errors, but so this is really really cool. I thought this plugin was awesome.

Speaker 1:

Let me tell you something. An expert is nothing else than a person that has gone through all the wrong ways of doing something till they get to the right thing. So that's what, actually, you should be proud of: finding the errors, because that one makes you an expert. That's a fact.

Speaker 2:

Do I have to take the longest path every time though? I don't know, I don't know, I don't know.

Speaker 1:

You took all paths. There you go. That's why we were all here.

Speaker 2:

So Alex and I were talking before the show too and he was telling me how he researches these artifacts. So I'm just going to pop up another screen here. You can, in your Google browser, just perform a Google search. So I'm going to search just my own name, and then if you hit F12, we get a nice little pane over here on the right-hand side, and if I go to Session Storage and google.com, I have that search, that search I just made for Heather Charpentier, with the timestamp. The timestamp can be decoded, and other information, all in this pane, and it can be used for research purposes, maybe to add to this tool in the future.

Speaker 1:

Yeah, so that screen, for the folks that are listening, that's the developer options from the browser. And it's pretty cool, because when you open the developer options you're seeing the different structures and APIs that the browser uses to display things to you. And Heather there is showing the session storage, those APIs. And for those who don't know what an API is, imagine that you're in a restaurant and you want some food and you want to order. So you can't just be like, hey, bring me a salad. Maybe they don't have salads, right, maybe it's a burger joint. Well, you have to look at the menu, right, you pick from the menu and it goes to the kitchen and they can give you your food based on the menu. That API is the menu, right, it's the things that you can do and how you're going to do them. Right, you can order.

Speaker 1:

Now, in this case, the kitchen where the stuff is kind of kept and made, in this case, will be LevelDB databases, okay, and you can see their key-value pairs. This is one way, as you're browsing and looking, doing different pages, to look at what's inside those LevelDB stores through the API, and then, with that knowledge that Heather's saying, then we can figure out, okay, there's important information about this particular session storage of a particular page. Maybe we can pull those out with Mr Skinnylegs and have it in this format that we can look at and read. And I love, I looked at some of the code Alex was showing me, I love how it's kind of in spirit, kind of compatible spiritually with the LEAPP platform, and we're discussing, and at some point maybe we can even make some integration.

Speaker 1:

So I'm really excited to see all this development, community development, around parsing and addressing areas of digital forensics that I believe, and I think all of us believe, haven't been addressed by third-party tools. So we're trying to fill that gap community-wise. So I'm really happy about it.

Speaker 2:

I am looking forward to helping with that. I'm going to figure out how my skills will fit in to help add additional plugins to that.

Speaker 1:

Oh, absolutely. I want to make a couple of more points. Alex is saying the ASCII logo is the most important part, that's the part you need to take the most time on, to figure out how it's going to be all lined up and make it legit. So I agree with him, right. And Kevin is saying, you know, maybe it's going to become automated with KAPE, and that will be... KAPE is a tool done by Eric Zimmerman, and he's such a great, he used to work at my organization. Now he's in the private sector. Great tool.

Speaker 1:

So that's another option that will be good to kind of look into, more integrations, because, like Adam says, it's all about community. Right, we push the field forward, not the vendors, and we have that misconception that, you know, the MSABs or the Cellebrites or the FTKs or whatever company you mention, they know. No, we as a community, we push them, right, and we have to make them aware of the needs that we're trying to accomplish so the field can move forward. So, yeah, it's all about community. So, Adam, you know, again, totally in sync.

Speaker 2:

So outsourcing your responsibilities to tool automation. I know you have a lot to say about this one.

Speaker 1:

Yeah, so, yeah, how much time we got? I gotta keep my eye on the clock, so we're going to make it quick. So let me show, I think I have it here. So, yeah, I was reading some posts, I think in Threads or somewhere else, and the posts were talking about some automation, specifically not automation, but AI. So I'm going to share with folks, I'm going to read for you, a little bit of the posts that piqued my interest.

Speaker 1:

The thing was saying, the person was saying, this article from a newspaper saying: writing is hard because the process of getting something onto the page helps us figure out what we think about a topic, a problem or an idea. If we turn to AI to do the writing, we're not going to be doing the thinking either. And that really resonated with me, right, in two ways. The first one is, yeah, absolutely, if you are literally, let me just take this out of the screen, if you are literally just pushing... And again, AI tooling is becoming now part of our digital forensics software. They're there now in a couple of third-party tools. You got to be careful, right. When you look at a tool result and you try to make sense of it, there's a process of thinking, of connecting what this means with other parts of the case and other artifacts, some of the things that you need to follow up on, because the tool doesn't show you. When you put an LLM, right, this large data model or whatever, on it, and you ask it questions and you take that result, my fear is that the examiners of the near future are going to be happy with making a question to the thing and then copy-pasting that result into our report and sending it out, right, and there's no thinking there.

Speaker 1:

And the problem is that this type of work requires deep thinking, really understanding, and I just thought of a crazy example. Right, let's say you asked the tool... I think we discussed this before. I think it actually came from you. Correct me if I'm wrong, I'm going to say it, you tell me. Let's imagine you asked the LLM, in cases of child abuse, is there any grooming prevalent on this device, right? And then it says, yeah, look at there, and you read it. But when you read it in context, it's a mother telling her son how much she loves him. Yeah. Well, that's not grooming. You know what I mean? No, I think that's your example, right.

Speaker 2:

It is. I have a filter in a couple of tools that have done that, and the filter is great. It will pull the grooming stuff out, but you have to go read it afterwards, because there have been conversations with the mother and son and mom's just saying, I love you, honey, and that's not grooming.

Speaker 1:

Imagine somebody copy-pasting that thing there. Are you kidding me? Yeah. And, as folks in the chat are also talking, push-button forensics, at least today, used to be, okay, I just print out the report and that's it, right, and maybe I have no interpretation knowledge. I just put that out, which is bad. The problem is that now push-button forensics is going to be not only just putting the report out, but a possible interpretation of that data based on the tool itself, and that's going to compound the problem more. So I have a lot of issues with that, because we're doing like Jurassic Park, right, just because we can do it doesn't mean that maybe we should, or at least we should slow it down a little bit.

Speaker 2:

Well, it all sounds good to be faster, faster, faster.

Speaker 1:

But, well, yeah, careful, yeah. I guess that leads to the next point that I really wanted to bring, which I make in my post, is that that thought process of, the tool is going to... I'm going to outsource my responsibility of parsing, of understanding. If the tool doesn't show it to me, I'm going to assume it doesn't exist. That type of thought process is now migrating to how we are trained: value on the tool output. It makes logical sense that how I learn to use the tool must be the most fundamental and important data-first knowledge I could obtain, and I push on that. I push on it hard, at least from my perspective. The idea that I am only allowed to speak intelligently about using a tool because I got certified on that particular tool, it's bonkers. To me, it's just bonkers, 100%.

Speaker 1:

I don't need to be certified in tool X to be able to talk about it. Now, is it good to have a certification on it? Sure, it's good, but the level of knowledge and the level of expertise that I expect from examiners, from every practitioner in the field, has to be more than, or deeper than, what the tool just provides to you in that type of abstraction. Right, you have to know enough to understand what this output means behind the scenes, and that's where we need to move towards. Anything less, as things get more abstracted... First it was abstracted by the tool, now it's abstracted by the AI, then it's going to be abstracted by the AI asking the questions for you and putting the report to you, or us letting it be that way, and then having courts believe that if you don't have the certification from the company you can't speak intelligently about using the tool, is ridiculous.

Speaker 2:

That's the worst part. That's the worst part. Like, I don't understand where this whole, you have to be certified in the tool and know how to filter and how to maybe sort the columns... If you have the fundamental knowledge of digital forensics, you should be able to apply that to any tool.

Speaker 1:

Well, and that's the discussion that, window is drifting away from. And again, I speak highly of IACIS. I'm part of it and I'm proud of being part of it. IACIS is founded on, we're going to learn about the hex, we're going to learn about the data structures. We're going to talk about how things are stored, even a little bit of writing code, because, and this is something I took from Alex Caithness, he's in the chat, if all the things we're looking at come from software, we need to know how software works. We need to understand some code, because the results come from code. Right, and we're moving away from that, and people strongly believe that, well, if I know how to, I have the certification from the tool... and, tool, I hope nobody gets mad, but it's true, and we were talking about this before the show. If tool makers are starting to even take away those things, those like the hex, why would nobody want to talk about hex? Let's take it out of our class. They are.

Speaker 2:

They're starting to take it away. It's insane. The classes that I took when I first started in 2015 all incorporated a lot of the fundamentals in the beginning classes, the starter classes, and then they worked that into how the tool works. Getting rid of that fundamental training and just teaching, this is how the tool works and here's your output and you're good to go, now you're certified in using the tool. I was always under the assumption, since I started work in this field, that I had to be certified in the tool to be able to testify to the results, and that is not true. I mean, you could be certified in how to use a tool, but not understand what the tool is providing to you.

Speaker 1:

You have no real understanding of what it means. Definitely, and again, people that make courses for these vendors will be like, well, no, we talk about artifacts, and OK, that's fine, but then again, if the artifact comes from a data storage, it's put in some particular way, it has some nuance. There's some things there that, if we don't discuss them and we just discuss the artifact in the context of, look at it as it's parsed by us, that's a problem. I think we're taking, or leaving, that control that we have of our field. And at some point I discussed it with Josh Hickman, some other friends: the state might mandate us, right. Yeah, definitely, and I don't know if maybe it's a good thing or a bad thing, it's a discussion for another day, but the state might require some certain, like doctors, like a board exam of some sort, right, or engineers, right, and maybe that's where we're heading if we keep kind of outsourcing that to the vendors, outsourcing that to the LLM, outsourcing that to the tool. Like Adam was saying, I had this comment here up on the screen: you still need to understand how the tool came to its conclusion, and you need to understand it because the tool sometimes will come to the wrong conclusion, or a conclusion that could be misinterpreted. The tool is not wrong, but what you see on screen can be easily taken by another examiner who doesn't have the knowledge, or has some motivation to not understand it, and misinterpreted. And if you don't have the knowledge of how to kind of fix that wrong, or right that wrong, then what?

Speaker 1:

And you know, a couple of folks in that post were saying, well, but you don't understand, it's the prompt. It's from prompt engineers, they really think about it. What happens when the AI itself generates its own prompts? You know, right. So what, right? Your job is to make sure that those details are correct, and the only way you do that is by having a deep knowledge of fundamentals. Being an expert at something is not magic, it's just knowing a lot about the basics. If you know a lot about the basics, guess what? You're an expert.

Speaker 2:

Yeah, I mean, I find knowing a lot about the basics to be way more important. I have all the tool certifications. I do, I have them all, and then when it comes time to recertify them, sometimes there's a little test, but sometimes you don't have to do anything to recertify except say I went to training. So you're telling me on December 31st I'm good to use the tool, and then on January 1st, if I haven't recertified, I'm no longer good to use the tool. I just, I don't get it. I don't get it.

Speaker 1:

It's like Men in Black, that date. It'll be like, phew.

Speaker 2:

I know right. I forget everything I ever learned.

Speaker 1:

What tool? What happened? I totally forgot about how to run this tool or what it means. No, and again, I'm giving kind of vendors a hard time. But really the hard time is not for the vendors, right, it's us. Right, it's our organizations.

Speaker 1:

If you're the head of a lab and you have to make a choice between... well, I'm going to form a curriculum, right? It's OK to have vendor courses. But as the lead of that lab, you got to make sure that in that curriculum you also hit the things that you need to hit, right. Not only say, well, if I have the five classes from X company, I'm good, they're experts, go ahead. No, we can make sure that those fundamentals are there. I'm a big proponent of in-house training and in-house certification, especially in law enforcement. There is no reason why, I don't know, the police department of city X couldn't work with other agencies locally and develop a certification that's suited for them, the type of work that they do for their region, right, and kind of band together to make some good curriculums for the region, if that makes sense.

Speaker 2:

I think that could be coupled with webinars and workshops and the free online trainings, actual research, like get your new people or your new examiners to actually do research and development, and kind of be a self-taught training. I don't know. I put a lot of weight into that. Again, Adam makes a good point.

Speaker 1:

So the ISO requires you to have tool training, right, and we're not saying we shouldn't have tool training, right, and I know Adam, I think I know Adam agrees with me at this point. What we're saying is that tool training, you should have it, but tool training does not substitute, does not make you... Tool training is not digital forensics writ large, right, it's part of digital forensics, it's good to have. But the fact of the matter is there are so, so, so many tools, even the ones you create yourself, that it's not realistic to be certified in every single tool, right? So it should be part of it, and it's required, for sure. That's a good thing, having it, even if you're certified in it or not, because you can have tool training and not have certification on it, right. But to think that our curriculums are going to be tool training with certification, and have enough of those, I'm a forensics expert...

Speaker 1:

I don't believe that's the case. In my organization we have a process in-house that hits those fundamentals, which I agree with. IACIS is one organization that, their courses, they hit the fundamentals from the ground level, which I agree with, and I think even vendors should start kind of not forgetting about those as they develop their curriculums. Just, you cannot be an expert in a two-week class, even if they advertise it as that, right? Oh, you don't have time? You want to be an expert really quick? It's easy, take our $10,000 course. I'm sorry, PR people, that's not a thing.

Speaker 2:

Yeah, not at all.

Speaker 1:

Yeah, marketing people, get out of here. That's not a thing, but anyways.

Speaker 2:

Two weeks is definitely not long enough, but, you know, back to the certifications and the tools, though, too. Like, you have to have the certification to create a report out of this tool and testify to this. But what about the person's digital forensics degree that they have hundreds of hours of training in? I think that should have a little more weight as well than the tool trainings.

Speaker 1:

Oh, I agree, because this field came out, at least the practitioners didn't come from universities. They were like me. When I started, there was no degree ever. It didn't exist. The degree for this, what was that? It didn't exist, you had to get certified only.

Speaker 1:

But you do make a good point as we're moving towards more of a systematic college-level education for this field. It should be complementary, and also, again, there's different training programs. Some degrees are from a university and may not be as good as the others. We get that. But I mean, a person that took a two-week course on how to run a tool, I'm sorry, I'm going to give more weight to the person that has four years and had to take a binary class. Like, what's binary, what's hex? I will really put a lot of weight on that, me personally. Again, one big point for everybody: neither Heather nor myself speaks for our organizations. Okay, these are our opinions. We don't reflect our employers. Our opinions are ours and they're subject to change at any moment.

Speaker 1:

So we don't speak for our employers. It's just us as practitioners, sharing what we think, so just keep that in mind. Yeah, definitely, so.

Speaker 2:

Yeah, so this topic with the tool trainings, though, I mean we started to kind of talk about that last episode on the meme of the week, and I just thought we should maybe continue it because a lot of people were interested in talking about it. But I don't know. A message out to the vendors from me, not my organization: put the fundamentals training back into the basic tool trainings, please, if you've removed it. Not everybody has. I agree, 100%, 100%.

Speaker 1:

And talking about tool development, right, I think there's been some changes in how we look at some data, I think in iOS, right? Am I right?

Speaker 2:

Oh yeah, yep. So Heather Mahalik Barnhart actually just put a new blog out. So Apple has changed the way message retention is tracked in the com.apple.MobileSMS.plist. The plist value for message retention used to be the keep messages for days field, and in that field you would have a value of zero for forever, 365 for a year or 30 for 30 days. In iOS 17, you'll need to rely on the value that's found with SSKeepMessages for the latest message retention setting. So Heather has a nice little blog that she just published on Smarter Forensics, which is her blog. I'll put it up in the show notes after, so nobody has to write it down. But keep in mind, if you're in that iOS 17, your message retention will be found under a different value.

Speaker 1:

Oh, absolutely, and actually I think Kevin is already working on how to adapt our parsers to this new iOS 17 knowledge, because you're used to looking at a place for one thing and now it's different, and not only different, the old thing is still there, but if it's iOS 17,

Speaker 1:

it doesn't count. Just because it's there doesn't mean anything. And again, that talks about a tool reporting a value there. Yeah, it might report the value from the original setting, but in iOS 17 it doesn't apply anymore. So again, you got to be careful. You got to make sure you keep up to speed with the things that are happening. And right now, if you were to parse iOS 17 on many tools, they will tell you the retention level for these messages, and it's going to be wrong if they haven't looked at this new field within the file, which again is exactly what we're talking about. That's not going to work. We cannot outsource. We need to be in the know, be part of the community, to keep ourselves up to date.

Speaker 2:

Kevin says more testing, but it's coming. And of course Adam writes, do you sleep, Kevin?

Speaker 1:

I don't think he does.

Speaker 2:

No, he definitely does not.

Speaker 1:

He doesn't, he's got a baby too. Yeah, exactly.

Speaker 2:

Yeah, there's no chance he's sleeping ever.

Speaker 1:

Look, I empathize with him. I went through it twice. He's going through his first beautiful child, so he doesn't sleep. So I feel you, man.

Speaker 2:

Another blog that's out that is definitely worth checking out: the Identity Lookup Service. So it's a blog by, and I hope I don't kill his name, but Django... I'm not even going to try. I'm not going to try the last one. No, try, try.

Speaker 1:

Just the D sound. Try it that way. Django Faiola. Faiola.

Speaker 2:

Okay, got it. So his blog talks about the com.apple.identityservices.idstatuscache.plist and how it caches records of the Apple user ID authentication data. Even if the data has been deleted from the phone's directory, the authentication file remains intact, containing contact and communication records that you can parse. So it's important to note that this data only confirms that an authentication occurred, but does not mean that a conversation happened or that a message was actually sent. And actually I had that misconception when I first started looking at these records. I saw the authentication and I assumed that I was going to find, if it wasn't deleted, a message to go along with an SMS authentication. But be careful of that. You don't want to use that artifact and say, oh yeah, they messaged this person, because it's not necessarily true.

Speaker 1:

And every time I hear somebody explain this interaction, it's like, well, moving right along. We talk about that a lot, but it's so badly explained in some circles. So I appreciate him bringing that up and giving us a chance, and you, to underline the significance and then the caveats. Yeah, so, along with this blog, there's also support.

Speaker 2:

Support now that was submitted to iLEAPP and has been added to iLEAPP for the Identity Lookup Service. I have some screenshots of that, actually.

Speaker 1:

I'll pull those up. Yeah, bring them up. And I like it a lot because the interactions have this kind of unique ID, right, that, whether it happened or not, at least you can tell what the interaction was with: was it a message, was it FaceTime, whatever it was. So what he did, I was looking at the code before I merged it, and it's pretty neat, because you can see how you can at least figure out what that interaction was intended towards, which kind of gives you some knowledge of what the intention of the user was, if that makes sense.

Speaker 2:

It does, yeah. So that's what it'll look like when you run this now on iLEAPP, which I'm excited about, this one, to see a different view. I mean, I've used Cellebrite and it's parsed right in Cellebrite, but this is nice, to have a second tool there verifying the authentication.

Speaker 1:

Yeah, you can see it there. Axiom too. Yeah, Axiom too.

Speaker 1:

Yeah, absolutely. Yeah, and you can see, I'm sure, several others. Yeah, under service type, you see email, you see telephone, you can see message. Yeah, and then what that search for the Identity Lookup Service was related to. So I think that's pretty neat. Again, like you're saying, I love to have open source things, because then it's not a black box; you can look at how it's actually parsed and have a good sense, a confidence, on what that output is. So whenever we can do that ourselves as a community, it's a big add.

Speaker 1:

You don't have, I tell people that are listening, you don't have to create this new thing for it to have value. If you can create something that's already being done, but do it in a manner that's transparent and available and reachable for the community, you are doing an incredible contribution to the general knowledge in the field. Okay? If you can take something out of that black box and let us understand how it works, it's going to be extremely useful and well-received. So don't get discouraged. Don't look for the unicorn artifact that nobody's seen. You know what I mean? The things that we know, help us understand them better.

Speaker 2:

So also with the LEAPPs. Let me pull up. Gabe Birchfields wrote a LinkedIn post recently. I'm going to share that with everybody. There we go, so I'm going to just read it. "Forensic examiners, practitioners, never hesitate to reach out when you need assistance or a second opinion.

Speaker 2:

I was recently conducting an examination on a Samsung Galaxy on an ICAC investigation. All of the easy evidence had been deleted by the user. However, I know not everything is gone. The images and videos associated with the cyber tip had been deleted. The internet browser history and downloads had been deleted. That's it, right? Wrong. LDBs to the rescue.

Speaker 2:

So the LevelDBs, a shared protobuf associated with the Samsung browser, had the data I wanted, but it wasn't easy to display it to a non-forensic person. Keys, values, timestamps, compression: not easy to convey to a jury. I got a hold of Alexis Brignoni and said, can you help me make this look nice? More or less. Within a short period of time, he added it to his ALEAPP tool as a parsed artifact, Samsung browser shared protobuf. Thanks for the assistance, and now everyone has access to this artifact with his tool. I also want to thank Ian Whiffin for creating MUSHy, a free tool that allowed me to see the LevelDB values easier to begin with. Never give up when you think there is no evidence. Don't depend on one tool to find everything you need. Do some forensic digging and make every case count."

Speaker 1:

I mean, honestly. After that, I could be like, well, thank you for being here. We're going to close the show.

Speaker 2:

I love this post because we talk about the LevelDBs a lot and how they're commonly, like, they're skipped over, they're not looked at. Some people don't even know what they are. And I think, having these cases where they aided in maybe generating an arrest or a conviction, the more you share this, I think, the more people will begin to start taking the LevelDBs seriously.

Speaker 1:

There's a lot of data in there.

Speaker 1:

Oh, and all sorts of formats. In this case, the LevelDB had protobuf in it, so you had to do an extra level of, not abstraction, but file formatting there, and it was good. Actually, I was in New Zealand when he sent me the request and I started looking at it. So I wasn't teaching the whole time, right? I had two other instructors, so when they were teaching I was able to kind of start doing some of that code, and before I left New Zealand we had it done, because, as community members, you know, the community is really helpful, and I know he needed this for a case. So I was really happy and excited to be able to help them push the case forward and bring justice to the victims. And it was amazing, the amount of data that was there. Amazing.

Speaker 1:

And I'm glad that now everybody can benefit from it. If you have a case with a Samsung device, do run ALEAPP, because you're going to get some good stuff that you might not expect. And again, thanks to Gabe for doing the research. I couldn't do my part if he hadn't done the digging, so we worked together and we got that output, so I'm really pleased with it. Awesome.

Speaker 2:

One more. What's new with the LEAPPs? So Metadata Forensics actually added a Watch Sleep Data report. So it is sleep data. The artifacts provide a glance review of sleep periods when the Apple Watch is worn. The data is broken into sleep states following Apple's use of them and breaks down the data to mirror the Health application's review of sleep. I have a couple of screenshots of this too. So, whoops, hold on one second. There we go.

Speaker 2:

So there's the Health Sleep, All Watch Sleep Data report. It has sleep start time, sleep state, sleep end time and the sleep state hours, minutes and seconds.

Speaker 1:

Yeah, and the guy that does the coding for them, for these artifacts, his name slips my mind. What a great guy.

Speaker 2:

James McGee.

Speaker 1:

James McGee. What a gentleman. What a gentleman. He's a good guy. I'm really happy that, again, him, and through Metadata Forensics, who he works for, they made this available to the public. I cannot thank him and the company he works for enough for, again, helping the community have access to this data.

Speaker 2:

Just a second screenshot too. So we have some more: a sleep period report now with the sleep start time and the time in bed, time of sleep, awake duration, REM duration, core duration, deep duration. So it's got the percentages of when you're awake and when you're in those other states of sleep.

Speaker 1:

Oh yeah, and it goes without saying how important this might be on all sorts of cases, right, especially events that happen in the middle of the night and you're like what happened here. That's definitely helpful.

Speaker 2:

Definitely. Let's see. I think now we are at everybody's favorite part, the meme of the week. Yeah, and the meme of the week brings that in a little bit. So we have a meme with AI, third party tool, parsers, analytics, automation, and it is a shooter from the Olympics with all the gear on, the special glasses, and Turkey, who walked in like he just rolled out of bed, pointed the gun and won the silver. I think he's my new hero.

Speaker 1:

He has his little glasses on and just, oh, my God, his hand in his pocket. He's like, you know what? I'm just here to win some medals, OK.

Speaker 2:

Some of the comments that have been going around on his pictures are just amazing. Somebody said that his wife sent him out to the store to get milk and he stopped off at the Olympics and won the silver. There's just some really good comments on it, and he looks badass. Well, he looks badass because of the simplicity, right?

Speaker 1:

Yes, yes. Like, and that kind of speaks to when you have fundamental knowledge, right? A hex editor, and you just look at the hex, and so what? But when you know what you're looking at, right, you can be pretty dangerous, in a good way, right? So the simplicity, being able to get the job done in a simple, direct way, gives you that badass attitude, but you get to your results in a way that's unshakable, right? Somebody might try to come at you and say things, but no, you know what's going on. When you have those fundamentals, you will get that silver or gold without so many go-arounds.

Speaker 2:

Yeah, exactly.

Speaker 1:

Actually, one more thing. Alex is saying that about that file that we're talking about, that we're working on, he may have some more info on it and some extra code, which, again, oh good, I'm all for making things better. So I'm so happy that, again, even the show can grow; we did something, we can even make it better. So that's what's important: you're here, and let other people know that there's some community resources where we can interact and exchange information.

Speaker 2:

It's good stuff.

Speaker 1:

Yeah, definitely. All right. So we have come to the end of the show. We took a little bit longer, but at this point I'm not going to say that anymore, because the show is now like an hour and 10 every single time. So we finished just in time.

Speaker 2:

Yeah, I didn't think we had enough topics this week. Apparently we did.

Speaker 1:

Well, I mean, I took half of it just talking about New Zealand. That's true. Well, Heather, anything else, with the good of the order? No, I think I'm good. Thank you very much. No, thank you, and thank you, all the folks that are in the chat. We love you, we appreciate your thoughts, we learn from you, and we'll be back, hopefully, in the next couple of weeks, although you'll be traveling, I think, right?

Speaker 2:

I'm here for the next one. We're good. We're good for the next one in two weeks.

Speaker 1:

Yeah, you've got to travel out, but always keep track of our LinkedIn, like personal ones, also the Digital Forensics Now podcast LinkedIn and the social media, so you can know where the show is. There's a, see, we're not going to hit it now because we're closing the show, but somebody has a question. Yeah, open it up if you can.

Speaker 1:

I'll just say we both hit at the same time. Yeah, about a dot mob file in the file provider storage photo picker. What I suggest, Mark, you should do is go to the DFIR Discord and ask your question in the decoding section, and maybe some folks there might be able to help. You know, you don't have to wait for us or for folks in this chat.

Speaker 2:

Yeah, you know what? Just looking at it quickly, though: Google "file provider storage" and just put the word forensics after. There's a blog on that, I know there is.

Speaker 1:

And it should come right up.

Speaker 2:

It should come right up. The key is, for anything you're searching that's forensic related, put the word forensics at the end of your search, and I think you'll find a good blog on that.

Speaker 1:

Fantastic, and again, also the DFIR Discord is a great resource. We probably have some questions interacting there, and it's open 24/7, so do that. Thank you, everybody, for being here, and thank you for appreciating the memes, and we'll be seeing each other, hopefully, if all goes well, in the next weeks. Yes, so take care and talk to everybody soon.

Speaker 2:

Thank you. Bye, bye, bye. Thank you.
