Digital Forensics Now

Balancing Act: Trials, Training, and the Future of Digital Forensics

Heather Charpentier & Alexis "Brigs" Brignoni Season 2 Episode 1


Recognizing excellence is key in our community, and we spotlight the SANS Difference Maker Awards and Cellebrite Summit Digital Justice Awards. Discover why it’s crucial to nominate your peers and learn about the newly opened registration for IACIS 2025 training classes, featuring must-attend courses like Advanced Mobile Device Forensics. 

While highlighting a recent article by Brett Shavers, we stress the significance of continuous education and community acknowledgment in helping digital forensics professionals grow and excel.

Our conversation delves into the technical challenges of iOS Telegram data analysis and the development of tools like Kathryn Hedley's Parse USBs script. We shed light on the importance of peer reviews and cognitive bias in forensics. This episode is a deep dive into the intricacies of digital forensics, education, and the community that drives it forward.

Notes:

SANS Difference Maker Awards 
https://www.sans.org/about/awards/difference-makers/

Cellebrite Summit Digital Justice awards
https://cellebrite.com/en/c2c-summit-digital-justice-awards/

IACIS 2025 Training
https://iacis.com/training/

Belkasoft - iOS Telegram Acquisition and Database Analysis
https://belkasoft.com/ios-telegram-forensics-acquisition-and-database-analysis

Kathryn Hedley parseusbs script
https://www.khyrenz.com/post/automated-usb-artefact-parsing-from-the-registry
https://github.com/khyrenz/parseusbs

Cracking OneDrive's Personal Vault - Brian Maloney
https://malwaremaloney.blogspot.com/2024/09/cracking-onedrives-personal-vault.html
https://github.com/Beercow/Personal-Vault-BEK

Brett Shavers New Article - Today, Today I Rant
https://www.linkedin.com/pulse/today-i-rant-dfir-training-brett-shavers--pij4c/

Lionel Notari Logs of the Week
https://www.ios-unifiedlogs.com/unifiedlogoftheweek



Speaker 1:

Welcome to the Digital Forensics Now podcast. Today is Thursday, September 12th, 2024. My name is Alexis Brignoni, aka Brigs, and I'm accompanied by my co-host, the return of the different Jedi from NCFI, the job fair fairy, the one with the best concepts of a plan, the one and only Heather Charpentier. The music is "Higher Up" by Shane Ivers and can be found at silvermansound.com. Oh, Heather, I just kind of like a drop of the music.

Speaker 2:

Nice, abrupt ending to the music.

Speaker 1:

Sorry Go ahead. Go ahead.

Speaker 2:

The intro is over.

Speaker 1:

Yeah, right, if we're done. I didn't. I didn't put the fader in and out, so my bad.

Speaker 2:

The cyber fair fairy. Yeah, yeah, you gotta tell everybody about that. Yeah, I will, I will. Thank you. Oh my goodness.

Speaker 1:

And thank you everybody that's rolling into the chats. I see there's some comments. Jeremy saying hi. Hey, Jeremy, good to have you. So, yeah, Heather. So, interesting, interesting. You have done a lot of things the last couple of weeks. What's going on?

Speaker 2:

I've been busy. So I mean last podcast I aired from Hoover, Alabama, and was at NCFI for a class down there. It was great. I'm back now, happy to be back though. Two weeks is a long time to be away, but I came back to immediately being just as busy. So yeah. So I found out that I'm going to be possibly testifying in a trial. So immediately prepping for a trial that is not in a few weeks, it's just like next week.

Speaker 2:

And then today, myself and a couple of coworkers actually went over to the University at Albany cyber job fair. They have a nice little job fair set up over there where they take different companies that have digital forensics jobs and they have you give like a 10-minute pitch on why you want to work here. So my coworker Corey, who is a sworn investigator in our office, he did the pitch for why to become a trooper and then maybe work your way to the digital forensic lab. And then myself and Deanna, who are both computer forensic analysts, gave the pitch on becoming a civilian computer forensic analyst in the lab. So it was really good, and after the 10-minute speech we set up at a table and just answered questions for the rest of the day, and there were a lot of questions. I think I might have talked all day long, and now we'll just continue it with the podcast.

Speaker 1:

So by the time we're done, you have no voice. You'll be like yeah.

Speaker 2:

I'm not going to talk at all tomorrow. You're welcome, coworkers.

Speaker 1:

Look folks, Heather is so, so good. She went and she said, you know what? There's so many people here, so I'm gonna stand on top of this table or a chair, I don't know what it was. You call everybody in and you give them this spiel, all at the same time, because that's what we do in this field.

Speaker 2:

We're efficient. Actually, I'm gonna roast my co-worker right here. This is Deanna at the Cyber Job Fair, and we had our table all set up with the State Trooper swag and then some of the digital forensic items from our lab.

Speaker 1:

I like that you said a table. It's an actual table, yeah.

Speaker 2:

Yeah, oh, you literally just set the table up, yeah.

Speaker 1:

It's not like you know the conference table. So you say it's a table, but it's not like a conference for that purpose. No, that's a table that you sit and drink coffee. That's cool.

Speaker 2:

Yes. Yeah, definitely. Anyway, my co-worker's thumbs up, for the folks that cannot see, thumbs up the whole situation. That's awesome. Yeah, she's excellent in our office. But I ran into a bunch of the prospective job candidates, and one of them actually recognized me from the podcast because he watched our podcast as part of an assignment for one of his classes. So thank you to you, Albany.

Speaker 1:

So Heather is now Heather Hollywood.

Speaker 2:

Oh yeah.

Speaker 1:

So you get to sign autographs at any time, please. Yeah, no, not quite that Hollywood. The paparazzi are following you.

Speaker 2:

But it was nice being over there and then hearing that one of them actually looked for a digital forensics podcast and found ours.

Speaker 1:

Oh no, look, I'm giving you a hard time, but when you told me, I was super excited as well. So it's pretty cool having a little bit of a voice and folks kind of you know stumbling into the podcast and finding something of value. So that's awesome, that's awesome.

Speaker 2:

Oh yeah, Abraham says in the comments, "I fangirled when I met Heather at the school event." I did a presentation over there and he came for it, so thank you, Abraham.

Speaker 1:

Hey look, I fangirled too at IACIS, and we do it daily.

Speaker 2:

Oh my God, stop it.

Speaker 1:

I understand. Oh look, look, Kevin is saying "I'm back in the broom closet." I'm going to correct you. This is actually a coat closet, okay.

Speaker 2:

I think it's also now his permanent spot, so it's not like he's just moonlighting there, it's a permanent spot.

Speaker 1:

Yeah, it's true. Like, you know, I, this is how I say this.

Speaker 2:

This is my house that my wife lets me live in, so the kids give you a little bit of space of your own, and there it is.

Speaker 1:

Yeah, that's all I get. You know, I can't even stretch out my arms, like legit stretch out my arms. It's all fun, it's all fun. So what have you been up to? So, yeah, a lot of casework that I can't really speak about. But what else have I done? Oh, I got a couple of conferences coming up. I got InfoConf, and that's an Argentinian conference, but sadly I'm not going to Argentina, so I'm going to present a couple of topics. Well, one presentation, like a speech online (everything's online), but one speech and the next day like a workshop on mobile forensics, and it's focused on data structures. Lately, you and me, I think we've both been really focused on spreading the understanding of data structures.

Speaker 2:

Yeah.

Speaker 1:

Yeah, not just using a tool to get to them, but what do you do to get to them in the most direct way possible? So we're going to be teaching some of that: protobufs and LevelDBs and even SQL, stuff like that. So I'm prepping for that. And then the ICAC conference, the one in Redmond in Washington State. Oh yeah, Pacific Northwest, right, I think that's the name of it. That's one of the bigger ones in the country. A lot of people there, a lot of good investigators, all the vendors are going to be there. So I'll be doing a panel and two workshops on how to use the LEAPPs, which I'm also excited about.

Speaker 2:

So you're going to be busy. Jeez.

Speaker 1:

Yeah, I'll be flying. I'll be there for the week and I appreciate ICAC for having me there, and hopefully I can bring some value to the conference.

Speaker 2:

Nice, good stuff, very good. So let's get into our topics for the week then. So we talked on a previous podcast about the SANS Difference Maker Awards. We just kind of wanted to hit on it one more time, because the deadline for nominating people for the SANS Difference Maker Awards is tomorrow at 5 o'clock.

Speaker 1:

Like, for example, there's a category. I'm going to mention one, I'm going to mention more, but there's a category. For example, just an example. Just imagine. Imagine there's one for podcast of the year. Okay, and if you're interested, they say you can maybe nominate your favorite digital forensics podcast. I'm not gonna say which one, but I think you can imagine which one. Which one could that be?

Speaker 2:

So yeah, nominate. I think the listeners have an idea of what you might be talking about. Yeah, yeah, just use your imagination. There you go.

Speaker 2:

The nominations are open until tomorrow at 5 pm Eastern Standard Time, and I'll just run through the categories real quick: Article or Book of the Year, People's Champion of the Year, Diversity Champion of the Year, Innovation of the Year (so open source or product), Podcast, Live Stream or Video Series of the Year, Rising Star, Team of the Year, Practitioner of the Year, CISO of the Year, Cybersecurity Company of the Year and Lifetime Achievement Award.

Speaker 1:

Well, at least I can tell you which cybersecurity company of the year is not going to get it this year. I can tell you which one: the one that got me stranded in San Francisco is not going to get it.

Speaker 2:

Yeah, probably not.

Speaker 1:

I'm going to make that a safe bet. They're not going to get it.

Speaker 2:

You're probably right. So another award that's closing soon that we've mentioned in past shows, but we'll bring it up again, is the Cellebrite Summit Digital Justice Awards, and I actually have an image to share for that as well. Let me put it up here. Those are going to be closing on September 24th. I didn't take down a time for that, so when you go onto the website, just take note of the time on that day. But it's September 24th, and their categories are Digital Bridge Builder Award, Voice of the Voiceless Award, Mentor of the Year and Diversity and Inclusion Champion.

Speaker 1:

Yeah, I mean, I think they had more categories before, didn't they?

Speaker 2:

Yeah, that's all I saw on the site for now, but I think they did when they originally opened it up. Not sure what changed there.

Speaker 1:

Yeah, that conference is going to be in Washington, DC. So there'll be great, great talks there. We're not attending, sadly, but it promises to be pretty good. So nominate, nominate, you know, nominate all the folks. Recognition is important, and I say that because, you know, everybody wants to be recognized. We would love to be recognized, at least me. Heather is so humble that she doesn't care for that. Yeah, I'm all right. She has a fan club already. She needs no more recognition.

Speaker 1:

But the thing about recognition is, oh, it makes you feel good, but it also opens the audience up, right? When you're recognized, people that might have never heard of your thing or your program, your show, your product or your research, now they'll be aware of it. More people will be aware and then that knowledge spreads.

Speaker 2:

So I believe in that, just for the fact that we want folks to be informed and the good stuff that comes out of the community to be more broadly known by others. So, yeah, I especially like the Rising Star category, because that's somebody who may have just started doing blogs or started doing research or started doing something, and to get a Rising Star award, if it were me, anyway, who was the rising star, it would give me the push, the momentum to keep going and keep improving.

Speaker 1:

So, oh, okay, no, and imagine that this young researcher, and sometimes, I'll tell you, sometimes it's like you feel like you're screaming into the void. Right, you put content out. Is it hitting? Are people getting it? At some level you do that for yourself, but it's also nice to kind of share and have some other folks benefit. So if you get that little push that you're saying, that's great. I mean, it would definitely motivate folks to continue to do what they're doing. And yeah, please, please do motivate and nominate all the folks for the categories.

Speaker 2:

Another thing for which registration has just opened. Not awards, but training classes. So registration for IACIS 2025 is open. I have a screenshot to share here too. My IACIS shirt? Ah, you do. I should have worn mine, maybe next time.

Speaker 1:

I wore it like three days out of the week. So when you teach they give you a few polo shirts for teaching, so I use them all the time now.

Speaker 2:

So registration's open and the classes will run April 28th through May 9th. Some of the classes are the full two weeks, and then most of the classes are actually one week. You can choose to go the first week or the second week, but it's a two-week training event held once a year. IACIS is, I think, an awesome organization made up of all volunteers, and some of the available classes are the Advanced Mobile Device Forensics, Windows Forensic Examiner, Cyber Incident Forensic Response, Mobile Device Forensics, Preparing for Lab Accreditation, Applied Scripting Forensic Techniques, the Basic Computer Forensic Examiner course, Computer Forensics Real World, Managing a Digital Forensics Lab, and Open Source Investigations and RAM Capture and Analysis. Those are the classes that are open and available right now. Go ahead.

Speaker 1:

And I highly recommend the mobile device, the advanced mobile device course. Yes, the chair for that class is an awesome, awesome instructor that we all know and love. Like I said, she needs no recognition, like I mentioned previously. Oh my gosh.

Speaker 2:

So she's my boss, but she does great.

Speaker 1:

I love her.

Speaker 2:

I'm not your boss. Oh my gosh.

Speaker 1:

She's my boss. She runs the class. I teach at her pleasure, so that's how it works.

Speaker 2:

But so for the advanced mobile class, if anybody's looking to get into the advanced mobile class, we were shocked to see, when the "come sign up for the class" notification dropped on the IACIS LinkedIn page, so I went to look at the open seats, and the second week is already almost sold out. There's only two seats left in the advanced mobile class.

Speaker 1:

I still can't believe it. Is that a glitch? No, I reached out and I'm like, is this real?

Speaker 2:

And I was told it's real. There's only two seats left in the second week. The first week still has like four, I think 14 seats, but yeah.

Speaker 1:

But Bill, Bill. So Bill's in the chat. He says sign up now, and you should. Bill is one of the other instructors on the class. Look, I will go. I will go to the classes just because Bill is there, all right. So, honestly, Heather knows I'm being legit on this. He's such a great instructor and has a great touch with all the topics that he teaches, so please go.

Speaker 2:

Yeah, that instructor that, when you listen to them, they like captivate you and you want to hear more. That is totally Bill.

Speaker 1:

Kevin says the mobile course is good. Well, you know, of course it is.

Speaker 2:

We think so, we think so.

Speaker 1:

We do. But okay, in a sense, at least we can speak about all the courses. We've taken a whole bunch of them, or most of them. You have the BCFE still, or not yet, right?

Speaker 2:

I don't, because I was going to go. But then I started helping teach the mobile class and then teaching the advanced mobile class with you. It's the same two weeks and I really want to take the class to get the certification. But if I do that I'm going to have to step back from the mobile class for one year. But we'll see. Maybe I'll just do the certification without the class.

Speaker 1:

Yes, I mean yes, and you'd breeze through it. I know how much you know and it'll be fine. But the point I'm making is we've taken a lot of the courses. I know you have a couple more courses you've taken. The point is this: at least for the advanced one that we created, we made the point, and obviously Heather is leading the effort in regards to where we're heading, to make the class not just "hey, look, press here and you get this stuff."

Speaker 1:

We try to go as root level as we can, in a way that makes it workable for the examiner, right. We'll talk about that in a second, in the next section. We want to make sure you understand the data structures and what to do with them, because at some point, using viewers and tools is not going to get you to where you need to go, all right, or to pull the thread all the way through, right. And that's what we do in that class. And, folks, I'll tell you straight up, it's a little bit of a challenge, but by the Friday everybody has learned something from it, or a lot from it. So I'm really proud of all the instructors and I'm proud of the course that Heather sets for us in the class, so I highly recommend the class.

Speaker 2:

Yeah, we get a lot of questions. I've had a lot of questions, anyway, about the class, like why, why would I ever need to do this? And that is one big thing we stress in the class, and we teach you and talk to you about the why with, like, real case examples, like why I needed a LevelDB file for a case when none of the tools supported it, or something similar to that. But the why is definitely one of the biggest things to explain in that class.

Speaker 1:

Oh yeah, yeah, I'm gonna say a little bit of the why, because now I've been... yeah, no, go for it. You can do things one way all the time and that's fine, but it can be a little bit of not doing your due diligence. And then one time, there's gonna be one case that's gonna be in the news, it's gonna have scrutiny from the national press, and if you're on the prosecution side, for example, the defense is going to be really high-powered lawyers and they will have, for example, they will have Heather after she retires and goes to the private sector, and she will be the examiner for the defense, right. And then you're sitting there looking at Heather and her qualifications and you're like, what did I do on this case? Did I cross all my I's and dot all my T's? And you know, I mean, of course, the example, I mean it's true, it's a true example.

Speaker 1:

But the underlying, the real thing of the, how to say this, the real thought behind the example is not so much that if you get a national case you don't want to be embarrassed. Okay, of course we don't want to, but that's not it. The important thing is that you want to treat every single one of your cases, in a sense, as a national case, for you to have the knowledge to be able to quickly and efficiently treat all your cases with the utmost care that each case deserves. No case should be bigger than the other. No person deserves more justice than the other person, right?

Speaker 1:

A famous person doesn't deserve more attention or more justice than a person that's not famous, right, and that's, I think, a big why: we want equal justice. That means we need to give equal and proper attention to the details of each case. How do we do that? We don't have all the time in the world. Then you do it by knowing what you're doing, being efficient, being, you know, conscious of what you're looking for and doing a good job. That's how you do it, and to me, that's one of my big whys.

Speaker 2:

I don't know if that makes sense. It absolutely makes sense, absolutely. So sign up for IACIS classes now, before they sell out, was our whole spiel on that.

Speaker 1:

Week two is almost done, so you better hurry up for week one. Yeah, I still can't believe that.

Speaker 2:

It's insane. Yeah, yeah. So this week, an article came out from Belkasoft about iOS Telegram acquisition and database analysis. I love this one. It lists some of the desired artifacts that you want to look at from that acquired data, such as secret chats, private channels, deleted messages, previous versions of edited messages and other key artifacts. But this article actually goes into how to read the iOS Telegram database, which, if anybody listening has ever looked at the Telegram database, it is a nightmare. It's just a nightmare. I mean, you have experience with that too, right?

Speaker 1:

Well, yeah, and you know, so we learn about little endian and big endian in our classes and nobody cares. So maybe pay attention. If you don't understand the concept, you need it just to parse this, right. They use delimiters beginning in different places, different ways. And a good thing about this article, and I'll tell folks, Yuri, you know, the CEO, president of the company, we interact on LinkedIn a lot. I give him crap every now and then, he gives me crap. I mean he's a good guy. I was gonna say you give it to each other. Yeah, yeah, no, but it's all in...

Speaker 1:

Good jokes, good jest. But I will say this: I give companies crap, but I also give them kudos when required. I've seen a lot of this type of article from other companies that say, hey, let's talk about Telegram acquisition. They say, well, what you do is you connect your phone to my tool, you're going to press the button and these are the things the tool gets. Okay, that's not helpful at all. Yep. Nope.

Speaker 1:

So what Belkasoft did is actually tell you: look, this is how the database looks, this is how the fields look, and where are you going to switch that endianness in order to understand what the message is?

Speaker 1:

And true, you could go, because Telegram's source code is open source. I believe the code is out there, you can read it, but not everybody will be able to read it and understand it because they don't know code. But articles like Belkasoft's bridge that gap between what the source code says and what the applicability is for the examiner, and I would hope articles like these motivate examiners to learn a little bit of code, to go that next step. You see how the Belkasoft engineers went and understood how to do this. Then you can do it too. You can go that step further and kind of validate that work. So I give him a lot of credit for the article. I wish more articles like this were put out. That's why I said on LinkedIn: put them out, vendors. Don't hide the ball, or just tell me the tool does it and then hide the ball on how it did it.

Speaker 2:

Yeah, I definitely want the how, how you did it, especially when you need to validate artifacts, specifically from Telegram. This article will come in handy when you go to validate artifacts. It lays out how the database is laid out. So if you're looking to see if something that was parsed from the Telegram database actually is what it says it is in the parsed data, you can go use that article in conjunction with the database and verify.

Speaker 1:

Look, and I believe that the parsing shouldn't be a black box, right? I understand why it is, and by black box what I mean is like a process that you put data in and data comes out and you don't know what happens inside that box. I don't like that for parsing. That's why even the tooling that I have put out there with the community is open source, so it's transparent, and the parsing, at least, I don't think it needs to be dark like that or hidden. I understand trying to hide how you get the data, how you, you know, kind of gain access, lawful access to devices. I understand that. But after the data's out, how you go about parsing it shouldn't be a secret or a mystery. We need to validate that. So why are we hiding this? So Belkasoft has done a good job with their article and I encourage everybody to go read it and get familiar with it. Yeah, definitely.

Speaker 2:

So Kathryn Hedley has a script called Parse USBs, and I'm actually going to share my screen for this one. But let me tell you a little about it first. It automates USB artifact parsing from the registry and event logs. It's been updated recently for event logs, specifically event ID 1006 in the event logs, but it will pull all of the USB artifacts out of SYSTEM, SOFTWARE, NTUSER, and I saw her post on it and I'm like, all right, I'm going to go try this and see how easy it is. And it is super easy to quickly triage for USB artifacts. So let me just pull up the window. There we go. So install the dependencies, it's all right in her blog or on her GitHub page, and then it is a simple script to just push it out to a CSV. It runs in seconds. So if you're looking to... I see, I see.

Speaker 2:

I see Python there on the screen, right? Python, yes. Yep, a simple Python script to run, and let me share the output. It literally takes seconds. I love this as a triage tool. If you're parsing the data or parsing the E01 and you're waiting and waiting and waiting, open this up quickly, take a look at the USBs, and I have a little sample here. There it is. So you'll get a nice spreadsheet. I have the device friendly name, the serial number, first connected, last connected, last removed, and last drive letter if it's there, volume name, and all of that data in a matter of seconds.

Speaker 1:

Yeah, and it's pretty neat. I mean, it's not so much that, look, that data has been known for years and years and years. It's not just that it's there. But the fact that you're able to quickly, in a quick command line, really easy, pull all that out so quickly, and it can save you hours of work just by pulling that script out. And it's free, you don't have to have an expensive tool to get to it. So that's pretty neat.

Speaker 2:

Right, and she updated it to add the event logs there for the USB artifacts.

Speaker 1:

So that's awesome. That's awesome.

Speaker 2:

I put the blog up. We'll have that in the show notes too. But there's also, she has the GitHub where you can go get the script, read about it, install it and...

Speaker 1:

No, good deal. Good on Kathryn for putting that out.

Speaker 2:

All right, another article: Cracking OneDrive's Personal Vault. I'm going to let you talk about this one.

Speaker 1:

Yeah.

Speaker 1:

So Brian Maloney, his thing is understanding OneDrive and how it interacts with your computers and different systems, and he has done such a great job. He has some scripts to actually pull out relevant forensic data, of forensic value, from OneDrive. So he's trying to think, okay, so there is a Personal Vault that comes with OneDrive. And he's trying to think, well, this Personal Vault, where is it? What's the structure behind it? So in the article, I'm going to paraphrase it so folks will read it to get the full story, he figures out that the vault is nothing more than a VHDX, right? VHDX? Yep. It's a virtual hard drive for Windows that is BitLocker encrypted and it sits at a particular location. So what he did was he tried, okay, let's mount it, give it a letter and use the command line management (I forgot what the command is for dealing with BitLocker drives) and see what we can get. So he did that and he tried to collect the keys at that point, but he couldn't. So he went to another process in order to be able to collect those keys, and he did. It's pretty neat, because then he closed the vault and with the keys he was able to open it again. So there's a couple of things here that are useful for everybody.

Speaker 1:

At least the way I, this is the way, or my takeaway from this article is: if you go to a computer that has OneDrive, right, and it's on, don't just turn it off, because if you turn it off, that drive that is open is going to close and you're done. You're not going to get in. I mean, you can try to brute force that BitLocker thing, but good luck, okay. So if it's open and it's on, then use the process that Brian describes and get those keys out. Okay, you have to have administrator access to the system as well, and the drive has to be open.

Speaker 1:

If it is, you can pull those keys, put them in your back pocket, seize the device, and then at the lab you can, at your leisure, easily open it and do whatever you need to do, okay. If you have enough time to be able to do some extraction on site, then go. You know, as an examiner, you should make those calls. But he has a GitHub doc. You know, his GitHub has all the explanation of how to do that, how to get that BEK, that key for the drive, and you're off to the races. It's pretty neat.

Speaker 2:

Yeah, that's awesome. So another article that came out in the last couple of weeks. I hope everybody had the chance to read this. If you didn't, you have to. So Brett Shavers put out another article. Love all of his articles, plus, of course, his books, but this one is called Today, Today I Rant. There is so much to talk about in this article. So many topics are covered. We're just going to kind of go over a few of them. But the first sentence in this article is so true. It's: "DFIR standards are a mess, a confusing, convoluted and chaotic disaster that's doing more harm than good." Do you need certifications? Do you need a degree? Do you need classes? What do you need? And I would have to agree with this. Like, what do you need? There's so many different trainings, so many different classes, so many different degrees, so many different acronyms after people's names. How do you know? How do you know what you need?

Speaker 1:

Yeah, and it's so hard because, you know, during voir dire or whatever you are in court, you know, you're asked a series of questions and the judge will decide if you were able to speak on that topic. And my experience is that at that level you don't need a lot, right, as long as you have a few things. And then these experts, quote unquote, get thrown to the jury, and then the jury has to decide whether they're being credible or not, truthful or not, and that's tough. That lack of standardization makes the determinations really subjective. I mean, again, we'll say this, we have to say it: neither Heather nor myself speak for our agencies. All we're saying is personal, it's an opinion as examiners, has nothing to do with the people that we work with, and we do not represent them or their policies. Okay, thank you. So you've got that down.

Speaker 2:

Oh yeah, no, I'm going to say it every single show.

Speaker 1:

So, yeah, as I was saying, it's hard, right? There's no standardization, and then it's really subjective and, in my opinion, a lot of people that are claimed to be experts, they're anything but experts. Some of them are just guns for hire, and it's quite hard. And then the education system behind it.

Speaker 2:

How do you get there is also a mess, right? Yeah, yeah. So I mean, in the very first paragraph of the paper, Brett talks about universities and the headline that he has for that section is stop promising a rose garden. So I mean, I love that. Students leave college. They don't possess the skills to work in DFIR, in the digital forensics realm, and in my opinion they need the real world experience. And I mean I sometimes feel like universities sell it as come, get our degree and then you're gonna walk right into your job and be proficient at doing a job in digital forensics and that's just, it's not the case.

Speaker 1:

Yeah, it's a better roses. Without the roses you only get the thorns.

Speaker 2:

Yeah, absolutely, and honestly, I speak from personal experience on this one, because my master's degree, like, I learned a ton. I'm never going to say I didn't learn a ton, but it did not prepare me for what the job was going to be at the state police. Not even a little bit. And I know you get those skills from various different sources, it's not just the university. But I thought when I went to college that I'm going to get this degree and I'm going to go in and know what I'm doing.

Speaker 1:

And no, not at all, and I heard from universities that, so they have a course in forensics, for whatever it is, and then it's the math teacher teaching it. Like, what does this person?

Speaker 2:

Know about forensics?

Speaker 1:

Yes, like nothing. You just teach math and they put you there because they didn't have anybody else and it's ridiculous.

Speaker 2:

You know, the students are not being served. Yes, in my notes I put: teachers providing the instruction lack the real world experience to be teaching in an effective manner. And that is so true. And maybe somebody who studied it, studied it but never put it to practice, right, and you can't effectively teach that way.

Speaker 1:

I think the real world experience is invaluable. So, if you're listening to this and you're in a degree, right, you don't know what you don't know. So how do I know I'm being taught all that I need to be taught? Well, you need to do something. You need to, I believe, reach out to, you know, examiners in your area. Folks reach out to me all the time and of course I do it as time permits and, you know, try to advise them and kind of give them some guidance in regards to what classes they're taking, what content they're receiving and if it's good or not. And then you can maybe work on that, either by reaching out to the university or doing your own research yourself. But we can't just blindly depend on the certification or blindly depend on the degree and assume that we know what we need to know.

Speaker 2:

Yeah, and definitely, if I had to give a piece of advice to universities, when it comes to digital forensics degrees, the curriculum has to be up to date. You have to change the curriculum as things change in this field and I feel like that doesn't get done quickly enough at some of the universities.

Speaker 1:

Well, yeah, I mean, if you think about it, most universities, how can I say this? So certain sciences are pretty standard, established, right. And you say, well, let's say Windows forensics, it changes, yeah, I mean not at light speed, but certain areas of forensics, like mobile forensics, they change month to month, right? Yes, sometimes weekly, and the curriculums are not keeping up for many reasons. So, yeah, you're absolutely correct.

Speaker 2:

Yeah, the next section of his article actually talks about vendors. The headline for this is something we talk about often on the show, but quit with the magic button. I think that this is one of the best headlines for the paragraph, but please, please, please, stop selling the magic button. The training from the vendors needs to include the fundamentals. We talked about this last week a little bit. But the why behind what we're doing, why the tools are doing what they're doing, what the tools are doing, it has to be on par with what we're doing for work, or we're never going to be able to testify to these artifacts if we don't know the why. I think the training is becoming too watered down. I think I said that last week too.

Speaker 1:

Yeah, yeah, but this is a point, I don't know if we made it last week, but if we did, we'll make it again: that type of mentality where the vendor is pushing, and most vendors have some powerful PR behind it, right, they put a lot of effort in marketing because they're selling a product. They have to do that. So the marketing is pushing to the examiner body in the whole planet that, hey, look, if you use my tool, you easily are going to find these things and you're going to quickly be able to master and do certain things, right. And that mentality is coming down to the examiners, and examiners consciously or subconsciously eat it up when they come and believe, well, these tools are broadly accepted now at courts, right, I just need to run it and it goes. I don't even have to explain it. Why do I have to explain how a tool works? The court knows how it works. They've seen it a lot before. And I just use it and I'm being an expert, I'm doing what I'm actually expected to be doing, and that mentality comes from that product as a service that vendors sometimes give, and that's not how it should be, and it's a big problem because sometimes the tool will be wrong, the tool will not show you everything, like.

Speaker 1:

At that point, we said last week, yeah, so instead of developing this, oh, by the way, folks that buy into this thought process, they resist, actually resist being able to do more work outside of that tool. They're like, well, why do I have to do that? I mean, I don't have time for it. I got so many cases. I mean, come on, this whole push the button and you get all you need is a fallacy and it's going to bite you at some point and it's going to affect your cases at some point. And we're not saying don't use tools. Use the tools. Automation is important. You won't be able to do work without it, right, but you need to validate what's important, your smoking gun, even if you use that tool a million times. I had some cases, and I'm not going to mention from where or who, but one of the tools showed some chats and another tool showed more chats, and by hand we found even more chats. So the two tools showed us.

Speaker 2:

Each one showed us more, but both didn't show everything, right? Right.

Speaker 1:

So my examiner friend, who we know from IACIS, and Heather knows, I haven't mentioned who the person is, later, but the person was telling me, look, I found more, even going by hand, because the two tools that I was using were getting me partials, right, even if they were distinct from each other, they didn't have everything. So no, that mentality, I push back. I want to push back on the vendors. The vendor tool centric, we will give you what you need, I'm going to push on it and we, as a community, should push on it.

Speaker 1:

Don't come at me telling me that your 12-day or seven-day or whatever two-week certification is all I need to be an expert. No, you're not an expert. You took a forensic class for two weeks. That's what you did and you learned a lot, but you're not an expert. That's by no stretch of the imagination, just because you got a company's logo on a piece of paper with a signature from some person that, who knows who that person is, right? And I feel really strongly about it.

Speaker 2:

I think even scarier than examiners believing that there's a magic button, or that they only need two days of training and they're proficient, is the command staff believing that, because they're seeing the latest poster out from the vendors that says we can get this all done, clear your backlog. And I mean people who don't work in digital forensics but maybe up the chain, they just believe it.

Speaker 1:

Well, and that mentality that the vendors push infects the mind of the examiner, but it more easily infects the mind of the management staff, because they're not examiners. Now the question is, and Jeremy's hitting the nail on the head, should the fundamentals, then, be the responsibility of the vendors? Well, it depends, right, because if you're telling me you're going to make me an expert in a week, then you need to teach me the fundamentals, because there's no, what's an expert? An expert is not magic. It's a person that knows all the fundamentals, all the basic stuff, knows it enough and knows it so well. And knowing all the basic stuff, that's what makes you an expert. There's no magic to an expert, it's just you knowing all the fundamentals like the back of your hand. So how can you be an expert and not have the fundamentals? That's what makes you an expert, if that makes sense.

Speaker 2:

I think I get a little bit of what Jeremy might be saying too, though. Like, so, okay, I went in with a master's degree in computer forensics. I should know the fundamentals already. But if we apply it to a law enforcement agency, they're taking a road officer off the road and saying, here, you're doing digital forensics now. So they need to be able to get their fundamentals from somewhere. If it's not going to be the vendors, the vendors just need to make that clear so we can make alternate arrangements to make sure that those officers are adequately trained to be able to do digital forensics.

Speaker 1:

Well, I agree, and that speaks to the point Brett is making. What a mess it is. There's no standardization, right. Every agency is out there for itself. Some decide to have vendor courses only: as long as you can fulfill these 10 vendor courses, there you go, go and testify on it.

Speaker 1:

And we've seen in many disciplines, to include Utah Forensics, where a big case comes up and they put that expert there and it's an embarrassment, and the person did what they were told to do. They pressed the right buttons. Under cross: well, why did you press that button? Why didn't you press this other button? Wouldn't, in the circumstances, this other approach be correct? The person doesn't know because they were never taught. How can you know if you were never taught that or at least researched it yourself, right? So again, it speaks to Brett's point of why the lack of standardization nationally kind of hurts.

Speaker 1:

The best we could do, I guess, and you tell me what you think about this, is kind of recommend to, you know, folks, take a hybrid approach. Make sure you get somebody to lead your lab, your sergeant or the director of the lab, who actually has a really broad experience in the field, and then make maybe a hybrid curriculum where you have some vendor courses, which are needed. I'm not against vendor courses. If I want to use a tool and I'm certified by the tool, that's a good thing, right, because I'm learning from the source how the tool works. But then also in-house, or organizations that are really good at it, again, like IACIS, they're really good at certain fundamentals, then integrate those with vendor courses or internal courses that you develop to then holistically create a well-rounded examiner.

Speaker 1:

Because the days of explaining the tools, they're not over just because they're used a lot in courts. They're just starting. And we've seen cases this year where the main point of contention of the case is how we interpret the report, the tool report, what does the tool report mean? And they even bring the tool vendor to speak at trial, and so what? That still becomes a contention point. So just because you use a tool doesn't mean that you won't have to explain what's happening behind the scenes on that.

Speaker 2:

Yeah, definitely. There's a bunch of other headlines in his article. You have to go read it, but I'm just going to hit a few more. So, training and education: he talks about how there's over 400 college degree programs, over 500 continuing education programs, over 50 large private training vendors and over 400 smaller niche training vendors in the USA alone. How do you pick what you actually need? So, honestly, without real world knowledge of the job that you're doing, if you're just starting out, you'll never know what you actually need, because everybody's training program is going to be the best. This is the best training program, you have to take this training program, and by the time you're done with it, you've taken so many training programs I wouldn't even know what was going on, because the vendors and the colleges, they're looking to sell you anything, whether it's in your best interest or not sometimes, and it leads to great qualifications on paper but not so great qualifications to do the job, in my opinion.

Speaker 1:

Yeah, and mentorship needs to, I mean, mentorship fills those voids most of the time. And again, if you're a person coming into the field, don't be discouraged. Right as you go into the field, your lab, your place of work, look for mentors, look for the folks that are being efficient, that are being serious about their job, and you can pick them, you can tell them apart. It's really easy. And try to, you know, go under the wing to then get that knowledge, get mentors.

Speaker 1:

Mentors, like apprenticeships back in the day, you know, say in the middle ages, for example, or before that, because there were universities then. But before universities existed, how did knowledge get passed on? What's an apprentice? You have apprentices, right. The person that knew how to deal with wood had, you know, the carpenter had apprentices. The guy that dealt with masonry, right, and they have associations for masonry, right, and kind of develop that knowledge. Just because we have degrees doesn't mean that that human way of transmitting knowledge is old and outdated. We call it mentorship now instead of an apprenticeship, but it's the same thing. Be mentored, be an apprentice, learn from the experience of those that came before you, and I'm telling you that will be way more educational and important than maybe your four-year degree college thing.

Speaker 2:

Yes, I agree, that's just a fact, you know, I agree, definitely. Brett in the article says certifications, and he calls them a pyramid scheme. I find that one to fit quite well. He says they're just expensive pieces of paper.

Speaker 2:

So certifications have their place. Obviously, they have to have certifications in some stuff. You have to show that you know how to do certain things, use certain tools. There's some certifications that really hold a lot of weight, but I'll tell you, there's people that I know in this field, actually, I know them very well. They don't have all the fancy certifications, they didn't go to all the expensive trainings, and they're some of the brightest people that I know. They're self-starters and they take the time to learn and absorb as much source material, open source material, as they can. They test things, they do online free trainings, they know how to use Google, and they prove that the number of trainings and certifications that you have, it maybe doesn't matter as much as you think it does.

Speaker 1:

Oh, absolutely. And again, you know a person that reads about it and a person that does it. But they both learned.

Speaker 2:

But the one that does it definitely learns more.

Speaker 1:

That's just how it is.

Speaker 1:

And that doesn't change in this realm. Do I believe it will get more standardized? I think so, at some point, as the field becomes more and more mature, there will be some sort of, I think, normal push for it. An example I discussed with some other examiners is if you want to become a doctor, right, you know, you're not just a doctor, you're certified in being a doctor. You have to go to the board exams, right. Yeah, there's a body that nationally makes sure that you're actually a doctor. Or you're actually an engineer, right, an engineer that makes bridges or buildings, because we want to make sure that that building doesn't fall on the top of our heads after this dump.

Speaker 1:

You know, I mean, so, you know, there will be some certification bodies, I think, and this is me opining, that will be built as the field matures. But between here and there, we gave you some ideas on how to do that, right: get your studies, get your certs, but get your apprenticeships, get mentoring, do your research, be a self-starter, test things out yourself. This field allows for that and actually recognizes that.

Speaker 2:

Brett has in his article that CTFs are time killers. I agree with this one. Some of them, depending on what the content is, if it's not completely relevant for you, could be a time killer. He says that winning a CTF is cool, but is it strong on the CV? And I think a CTF can be a great learning experience. So they teach you about the unparsed data. You have to go find the answers. They're not going to be parsed and right there for you. They teach you what you're missing by just hitting the button and, although they might not do too much for your CV, I still strongly recommend participating if you have the time, because they are time consuming.

Speaker 1:

I see CTFs as fun and bragging rights, that's it. Yeah, yeah, that's it.

Speaker 2:

I mean, oh, could you learn things? The CTF king here, this makes me sad. Well, why?

Speaker 1:

Why does it make him sad? If there's a person that can brag a lot about winning CTFs, it's him. No, I mean, so why? Why would we brag about it? Well, you have to know certain things, true, yeah. You need to know about where things are and, to a certain point, what they mean. The thing that I say, more bragging than education, is because a lot of the questions, how they're made, you know, they're so convoluted, you know what I mean. Like they're trying to get you to the answer without giving you a legit question, and then the jump from knowledge, I'm sorry, from the answer to the actual knowledge, it gets lost, right? People that play CTFs will understand when you read the question, like, what's the answer for this question?

Speaker 2:

The question is sometimes a little bit opaque, so at some point it becomes, you know, like a blind hunt. I feel like, at the end, though, when people do those write-ups on what the answers were and how they got to the answer, that's invaluable training for anybody. So Bill says CTF is additional on-the-job training. I agree, while you're doing the CTF you're learning things, but it's when you have that write-up to see how people came to the answers, I don't think you ever forget those artifacts, because you're like, I can't believe I missed that, and it was so easy to find with this detailed explanation.

Speaker 1:

Well, true, I agree 100 percent. But so I'm OK with reading those without doing it, so I can learn without putting in the hours. But that's the whole point, right? Do we have the time? I mean, most examiners, they have a lot of casework, and I'm lucky I don't have an insane amount of casework because I'm not at a local agency.

Speaker 1:

So I see fewer devices. Now, the devices that I see, they're usually more complex, but this is the point. You don't have the time. Folks don't have the time to do that if you're in the field, right? Right, but folks are able to put that time in because that's their hobby or their fun time. Hey, look, put out some write-ups, like Heather's saying, share with the community and then me, I will read them and learn and benefit from it. So I appreciate you all.

Speaker 2:

You'll find those artifacts forever because of the wonderful person that wrote it up.

Speaker 1:

Oh, many times that Kevin has come out with something, I find, like, oh, I think Kevin or somebody, and then I Google it, but it put the bug in my head that such a thing exists.

Speaker 2:

Right right.

Speaker 1:

And then I use it to a good benefit in a case.

Speaker 2:

Yeah. So a few other topics that are in the paper. I'm not going to, we're not going to go into detail on all these. Read the paper, though. It's great.

Speaker 2:

So, tools: the never-ending parade of buttons. Skills needed: a checklist from hell. Cost of entry: stop whining and start fighting. And then the problems: a broken system that we allowed to happen. And the solution: time to burn it down and start over.

Speaker 2:

So, honestly, how do you know what you need? Which schooling, which training, which certifications? Which acronyms do you need to have after your name? Which tools do you need to get the job done? The list is never ending. Your guess is as good as mine. But I recently heard that the Scientific Working Group on Digital Evidence is actually working on a project to address some of the issues that are outlined in this paper, to come up with guidelines to make these decisions on what is needed. So if anybody has ever thought of contributing to the SWGDE, the scientific working group, give them your thoughts. I think, as a community as a whole, we all need to contribute to something as big as a topic like that.

Speaker 1:

Oh, and that organization is legit. I know some of the folks that you know participate, you know in the organization and the products, the documents that come out of it.

Speaker 1:

I highly recommend integrating them into your workflow process. So, yeah, be part of the solution. I mean, I know we kind of whine a lot about the problems here in this podcast, but we can also give you ways of becoming the solution. Be part of SWGDE, become an apprentice and become a mentor as well, both sides, and help start to develop, put some order into this field, some logical, scientifically based order in the type of work that we do. Yeah. Good stuff. All right. Yeah, definitely read the article. Read the article. It's really long, it's really good. Yeah, so, yeah.

Speaker 2:

So last week, or the last podcast a couple of weeks ago, we talked about Lionel Notari's Logs of the Week. He's doing the Logs of the Week, and the Log of the Week this week is the iOS Unified Log of the Week. Yes, that's what he does all of his research on, so the iOS unified logs. But he's picked a log for each week and this week he did a little write-up about touch events. So the iOS unified logs save your touches on the screen, and the blog indicates the logs that you should investigate and the identifiers to look for that relate to the touch artifacts. Two of them that he mentions in his write-up are touch events and attention awareness. And then he also addresses timestamps found in these logs. The timestamps are actually seconds since last boot and they're reset when the device reboots. So check out his Logs of the Week. Very cool stuff.

Speaker 1:

Yeah, I think, if I read it correctly, that the log keeps track of, like, where on the screen a touch was happening, I think, like a coordinate type of thing, and that to me is pretty wild.

Speaker 2:

Talk about user attribution. Yeah, I mean, I can't.

Speaker 1:

I would never even imagine that was there. Yeah, I don't need to touch it. Touched the little right corner, or, you know, two inches from the top and four from the left. It's crazy, and I appreciate his series, because going to those unified logs and pulling value out of them, it's amazing, and that can then be automated in a tool to find them easier.

Speaker 2:

You know, faster, but the actual blog post helps you with understanding and then being able to validate some of that product. Yeah, so we are on to What's New with the LEAPPs, so there's some new artifacts that have been added to the LEAPPs in the last couple of weeks.

Speaker 1:

Yeah, there's been an expert developer lately who wants to work on artifacts, and it's a she. She is amazing and doing all sorts of things lately. Do you tell us who that person is, Heather?

Speaker 2:

I'm doing more of it. It's so much fun.

Speaker 1:

Right, see, look, everybody, it's what, September 12th, 6:51. Heather said that doing artifacts in Python is so much fun.

Speaker 2:

It is, and it's frustrating, but it's so much fun. So, yeah, so I was working on a case with a coworker this week. We found some artifacts that were going to be important and they aren't parsed by the tool. So what do you do? Just take a picture of it? I mean, no, we have to figure out how to pull that data out and pull it out in a manner that it's going to look presentable for court presentation. The artifact that I worked on with him this week was Life360 driver behavior reports, which I didn't even know were in there, but I kind of knew that Life360 had that feature where it would kind of monitor your driver behavior. So this was in an Android device and the artifact is located in the Life360 driver behavior and trips directory and it's stored in a JSON format. Inside of the JSON format, I'm going to actually share a little picture of the.

Speaker 1:

This guy JSON, he's everywhere.

Speaker 2:

He's a little bit of a pain.

Speaker 1:

All right. No, JSON is good. I wish everything was in JSON.

Speaker 2:

So I had fun doing it, but let's just take that off there, all right. So inside of the JSON is trip events, and with the trip events there's a trip ID, timestamps and then event data. So for the event data you have a trip start and a trip end, and in between the trip start and the trip end for each trip there are events such as distracted, hard braking, rapid acceleration and speeding events. There may be more. That's all I was finding in the data that I had to look at. But each trip has the trip start and the trip end, and it also has a trip ID that ties all of the artifacts for one trip together. The time, the latitude, the longitude and the speed at the time of the event are also recorded.

Speaker 2:

So if you look up on the screen, and I'll explain it for people who are listening, the ALEAPP artifact is going to parse the trip events and the trip waypoints.

Speaker 2:

So for the trip events, you'll see on the screen there's a timestamp, the event type, latitude, longitude, speed in meters per second, and then I created, because I wanted it for my data, I converted the meters per second to a column for miles per hour. Then there's top speed, average speed, distance, which is in meters, and then the trip ID. So each event is logged by the trip ID, and then there's a section at the bottom of the JSON for each trip that has waypoints. The waypoints don't have a date and time, so you don't have the exact moment they hit the waypoint, but there's a latitude, a longitude, an accuracy in meters, and then it has that trip ID to tie the waypoints to the trip events. So if you plot all of this out on a map, you can actually see in Google Earth, you can see the trip events with the dates and times, and then the waypoints just fall where you would expect them to fall in the trips.

Speaker 1:

Well, and I would say it would be a little bit more, later on, a little bit more math, right, because if we know when we start, when we end and we know the speed, right, then we should be able to calculate, you know, pretty much where each point's falling, at what time, with a little bit more math, which we can do at least down the road. But that's amazing that this type of data is not being parsed by the commercial tools. It's just mind-boggling, because the importance of this data goes without saying.

Speaker 2:

Yeah, definitely, especially if you have no location data. I mean, this is the feature that you turn on in Life360 when you set up the app, and you may not even realize you turned it on. And then if the suspect turns their locations off in the future, you may not have any of those good locations, but this is still logged in the driver behavior every time one of those events takes place.

Speaker 1:

Yeah, that's amazing.

Speaker 2:

Yeah, and then for this, so specifically for my case, I wanted the latitudes and longitudes for the trip events and the waypoints all to be each in their own CSV for each trip ID. So that's the way the script is written for ALEAPP: it combines, based off of trip event, for the events and then the waypoints for each trip. That's awesome, and did you make it create a KML for each? I didn't do the KML. You're going to have to help me with that.

Speaker 1:

Oh that's easy. That's so easy. It's one line of code, literally.

Speaker 2:

Oh, perfect. Well, you help me and tell me how to do that, or push me in the right direction, and I'll do it. And I will do that because I actually was bringing the CSVs in and then creating my own KMZs from Google Earth.

Speaker 1:

Boo, we can do that with ALEAPP automatically.

Speaker 2:

Oh perfect, it worked for me when I needed it, though.

Speaker 1:

Oh, no, no, no, well, but this is the thing I'm saying. Boo, just because I'm giving you a hard time. Oh yeah, I know. If you're able to get, like, look what Heather just did, which is take data, that's easy peasy, my friend.

Speaker 2:

Yeah, easy peasy. In the words of Alexis, easy peasy. He says that to me and then I look at the data and I'm like, there is nothing easy about this. What are you talking about?

Speaker 1:

Look, at least I got to say it was fun. So we're getting there. It was, and.

Speaker 2:

I may have gotten picked on a little bit, because it's what I did all day Saturday.

Speaker 1:

Hey, look, you want to see a Friday night, an exciting Friday night at my house. It's your.

Speaker 2:

Saturday, not a Friday night, but I really had fun doing it. I haven't put it in ALEAPP, but I'm going to put it up tomorrow for Kevin or Alex to check over, make sure I didn't miss anything. So it should be in ALEAPP by tomorrow sometime, hopefully, maybe the weekend, whenever they get a chance to look at it.

Speaker 1:

Oh absolutely.

Speaker 2:

Shannon and Caleb are just saying, and we're investigating this now, but it would be interesting to find out what the requirements are for each trigger, and I agree. We're actually working on the research for that now, trying to figure out exactly. I have Life360 on my test phones and we're about to drive around and figure it out, so maybe on a future podcast.

Speaker 1:

I hope it's time, you know, like every two minutes or something. That's my hope, so that makes it easy.

Speaker 2:

It doesn't seem like that, based off of the data but we can still hope for that. We can still hope for that.

Speaker 1:

Hopefully it's not something too complicated. But yeah, that's that, I mean, and for the folks that are listening, like, that's the point, right. You have the data and if you're able to kind of determine how the device even recorded it and why, that also gives you a whole other set of understanding of what happened in the past, and you can recreate that in the present. So that's research that needs to be done, so that's awesome. Yeah. iLEAPP.

Speaker 2:

There's some additions to iLEAPP too, so the Oops chat parser in iLEAPP. The Oops chat was needed for a case in my office. Again, we find messages that we need for court, and how do you get them out? Write some scripts, because I'm learning how to do it, and it works wonderfully. It's all set. The report is ready and it's now available in iLEAPP for anybody who comes across the Oops chat, which, that was a first for me.

Speaker 1:

I've never heard of it, and no examiner will have heard of it if they only run the tools that they have, because it's not supported, right? So that's a good thing about these community tools, is that we'll put stuff in there. That chat is important until you see that as important. That being said, right, the thing we recommend is, you know, don't just depend on your main tool and the LEAPPs to then do your work, right?

Speaker 1:

Um, part of the things that we teach in our class is, and I'll take two seconds for this, have a process. I run this stuff through my tools, and part of my process for Android is manual. I say manually, but visually. See the data/data folder for bundle IDs that are unknown, and for iOS, iLEAPP throws a list of all the bundle IDs that I have for that device, and I go through them, you know, in five, ten minutes visually, to make sure there isn't one that I haven't recognized, because the moment I do that, then I know I need to dig deeper in this case or this device. So have a process to make sure that you don't miss stuff.

Speaker 2:

Right, so another iLEAPP addition. Heather Barnhart did a blog about support for iOS 17 plus message retention settings, and that is now supported in iLEAPP. So it was the week of the Heathers for the "What's new with the LEAPPs?"

Speaker 1:

Yeah, and I don't know if we talked about it last week. Maybe we have, but retention has changed from iOS 16 to iOS 17. And especially on 17, you will still have the old retention plist, but it's going to be wrong. You cannot listen to that plist. I mean, you can't really listen to it. The entry in the plist that worked for iOS 16 will still be there, but you have to ignore it. You have to look for the key that's applicable to iOS 17, and the LEAPPs now do that. Um, it was Kevin that did it, so you know it's good stuff. All right, we're on to everybody's favorite time, the meme of the week.

Speaker 2:

Let me pull that up.

Speaker 1:

And before we pull that up, so Brett just showed up to the chat. I know he's late. We talked about your article. Sorry, so you will have to catch it on YouTube or on the podcast and listen to that part. So, yeah, sorry about that.

Speaker 2:

We talked about it a lot too, so all right. Meme of the week.

Speaker 1:

What do we have?

Speaker 2:

Got it, got it. All right. So we have Bart Simpson with his goggles on and his cane, he's blind: finding the issues in the report that I wrote. And then Bart Simpson again with a telescope: finding issues in the report someone else wrote.

Speaker 1:

I got inspired. I got inspired by that because I'm teaching my kids, well, I mean my nine-year-old, but my six-year-old is kind of hanging out, how to play chess, okay. And the thing about that is that when you're playing chess, right, you're there and you're like, okay, what should I do? And people behind you, they're like, oh, pick that. Like in their minds they can see the whole game and what you should pick. But when you're in the game itself, you might not make the best decisions, and when you move it, they say, why did you do that? You should have done something else. Of course, right. If we switch roles, the same thing's going to happen. The person that's giving me the advice is going to sit down and not see the things that somebody else on the outside sees. Definitely, yes, that's with chess.

Speaker 1:

So then I said, you know what? That's also true with our peer reviews, and not only of our cases, but documents, important emails, important speeches. Um, when you write something, look, that's so true. I've written things, I read them, it's perfect. I get to the next person and they find 20 typos, like obvious typos. How come I wrote it and I missed the typos? It's crazy, right.

Speaker 2:

I love when that happens, when I wrote it and then I sat down and thoroughly read through it and they're still there, like I'm not quite sure how I missed it. I do a lot of reviews of other people's work at my job and I'm finding, you know, things that they didn't see or things maybe they missed. Or, like you're saying, finding issues in the report I wrote is hard, and I can't find any of the issues in my own report, ever.

Speaker 1:

And that speaks to a certain cognitive bias that we have.

Speaker 1:

We have it. And again, I think I'm a lone voice in the desert saying this. When people say, well, we have to be unbiased, that's impossible. You will always have biases. You have them even when you write your report. Your bias is that you know what you wrote and what's coming next, to the point that you glaze over spelling mistakes or even logical errors or even how you put things together. So we have biases. The question then is, how do we keep those biases out of our work? And that's the scientific process, right, in forensics, or, in this case, have somebody else come and peer review it for you to make sure you can put those down.

Speaker 2:

Yeah, that peer review process is super important. If you're not doing peer reviews in your agency, you have to be doing peer reviews. If you have nobody to do your peer reviews, reach out to another agency. Find somebody in the same field as you to do the peer review. Super important.

Speaker 1:

Yeah, take the time to do that, and you know, the more you do it, the more proficient you are at picking things out, and then we help each other and we can grow together. So highly, highly recommend that you do that. So that's the purpose of the meme.

Speaker 2:

And doing the peer reviews too. I mean, I learn new artifacts and learn new things I didn't know from doing peer reviews for other people on a daily basis.

Speaker 1:

So, oh, yeah, yeah, yeah. Oh, actually, I forgot about what I'm saying right now. Um, Evangelos Dragonas, from Greece, you know, great researcher, he did some parsers, for example, for ChatGPT, right, in Android, and I'm not sure if iOS, and those are parsed by the LEAPPs, not by any other tool. And I want to bring that up because, leverage that peer review, leverage community knowledge, right, reach out to folks when you find things, and I had some cases that, you know. ChatGPT is becoming like a search engine now. People see it as a search engine in a sense.

Speaker 1:

Yes, and you might not find, oh, you know, they're not Googling anything. You know why? Because they're asking the AI about it now. And if you're not aware, where are the questions that the person's asking the AI? Where's that on the phone? You're not going to find it, and the tools right now, they don't show it to you, period, they just don't. So, again, you have due diligence. We talked about that last show. What is due diligence and what does it mean? Check out season two, episode zero, and you can delve more into that.

Speaker 2:

That's it. We've come to the end.

Speaker 1:

That is amazing. I appreciate all the folks that persevered with us this week, all these kind of interesting things that we talked about. Again, sorry, Brett, you came in late, but catch the replay.

Speaker 2:

Yeah, definitely.

Speaker 1:

Anything else you have there, Heather, for the good of the order?

Speaker 2:

I have nothing else. Thank you very much everyone.

Speaker 1:

No, absolutely, and we'll be back in a couple of weeks with another episode of the Digital Forensics Now podcast. So thank you everybody and have a good night. Thank you, see ya.