Digital Forensics Now

Awareness Unlocks Discovery: Knowing It Exists is the First Step to Finding It

Heather Charpentier & Alexis "Brigs" Brignoni


Join us as we discuss the latest blogs and training opportunities available to keep you at the forefront of digital forensics.

We’ll then dive into the release of iOS 18 and its impact on digital forensic investigations. Beyond tools and gadgets, we'll explore the shift towards cloud-based evidence storage, weighing its benefits and security challenges against traditional air-gapped networks.

Whether you're a seasoned professional or just beginning your journey, this episode offers a mix of education, entertainment, and a sense of community, all with a dash of geek culture fun.


Notes:

-Triple Trouble. iOS 16, Android 14, and iOS 17 Images Now Available!
https://thebinaryhick.blog/2024/09/14/triple-trouble-ios-16-android-14-and-ios-17-images-now-available/

-A First Look at iOS 18 Forensics
https://blog.digital-forensics.it/2024/09/a-first-look-at-ios-18.html
https://www.magnetforensics.com/blog/a-look-into-ios-18s-changes/

-New iOS Feature - Brian Krebs Linkedin Post
https://support.apple.com/guide/iphone/request-give-remote-control-a-facetime-call-iph5d70f34a3/ios

-macOS 15 (Sequoia): What Forensic Examiners Need to Know
https://www.linkedin.com/pulse/macos-15-sequoia-what-forensic-examiners-need-know-sumuriforensics-ohbrc/

-25th Anniversary of Paraben
https://l.paraben.com/25-year-anniversary-3005

-Oxygen 2024 International User Summit
https://oxygenforensics.com/en/user-summit-2024/

-When is an app not an app? Investigating WebAPKs on Android
https://www.cclsolutionsgroup.com/post/when-is-an-app-not-an-app-investigating-webapks-on-android

-mr. eerie Blog
https://mreerie.com/2024/09/30/exploring-ufade-to-extract-data-from-ios-devices/

-Learn With Hexordia Launch
https://learn.hexordia.com

-Noel Lowdon-Vehicle Systems Forensics
https://www.linkedin.com/in/noel-lowdon-74685769/

-Not Scary Binary
https://us02web.zoom.us/webinar/register/WN_8G0VMawERVO-kpaDJbE2Ww#/registration

-Marco Neumann added Withings HealthMate on iOS (iLEAPP)
https://bebinary4n6.blogspot.com/2024/09/withings-healthmate-on-ios.html


Speaker 1:

Welcome to the Digital Forensics Now podcast. Today is Thursday, October 3rd 2024. My name is Alexis Brignoni, aka Brigs, and I'm accompanied by my co-host, the best co-host anyone would ever dream of having. The one that makes sure things work as advertised, the premier Geek Squad agent of the digital forensics world, the one and only Heather Charpentier. The music is Hired Up by Shane Ivers and can be found at silvermansound.com. Everybody see us, see your beautiful smile. Did you like the intro? Did you like the intro, Heather?

Speaker 2:

I knew you would not let me get away without the Geek Squad comment Of course not.

Speaker 1:

Oh my gosh.

Speaker 2:

Well, let me tell the quick story behind the Geek Squad comment. Yeah, please do share. I was testifying in a trial, which is now completely over with, and I was being questioned by the defense and they pretty much equated my job to being a member of the Geek Squad at Best Buy. Yeah, right up on the stand. I was like, what? I promptly corrected them and told them no, that I work at the New York State Police Computer Forensic Laboratory.

Speaker 1:

Which, with the Geek Squad, but not from Best Buy, just for the State Police. Okay, let's make it clear.

Speaker 2:

Forensics is a little different between Best Buy and a state police agency, I would think. Oh, my goodness, that's hilarious, the Geek Squad. They didn't give you like a cup for that? Oh yeah, one of my co-workers bought me a mug that said the Geek Squad. He thought it was funny. It is funny, it is funny. It is not that you look like a geek, but maybe you do. I don't know, you need some glasses to reinforce it. Careful with the geek.

Speaker 1:

Look, I am a geek and a nerd, so don't feel bad about it.

Speaker 2:

All right, yeah, I guess me too.

Speaker 1:

Embrace it, embrace it, all right, all right. So yeah, so everybody, again, we're here. We had to jump or skip an episode because life gets in the way, but we're back. I just want to say a quick hi to Johan, a good friend, he's in France, and we're going to be talking about some of the work that he and some of the other folks are doing at the Leaps by the end of the show. But before we do that, Heather, what else is going on other than being called a geek by a court? What else is going on? I know?

Speaker 2:

We have some new employees that just started in our office, so I have been with my other co-workers starting with them with the intro, kind of here's the intro to your job and what you're going to be doing. We started a whole new program to kind of not just throw them into digital forensics, like to prepare them to work in digital forensics. So it's been going pretty smoothly.

Speaker 1:

How about you, instead of just giving the firehose approach, you tell them hey, look, here's the firehose, are you ready? Okay, now here we go.

Speaker 2:

That was kind of the method we had before, and now we're kind of structuring it a little better now.

Speaker 1:

That's awesome. That's awesome, I mean, and we need to do that.

Speaker 2:

Yeah, definitely, definitely.

Speaker 1:

Well, on my end. So I participated at the InfoConf conference. Well, infoconference, but InfoConf 2024. That's in Argentina. Sadly I was not there in person. Yeah, I know, it was in La Matanza University. That's right there next to Buenos Aires, and it was awesome. I spoke about push-button forensics versus examiner. What's the word I'm looking for in terms of translating from Spanish? Be an expert, right? So an expert versus a push-button forensics, right? So what's the difference there and why should we strive to do more and actually, you know, up our level of expertise? So I talked about that a little bit. On mobile forensics, a little course. So it was pretty fun. And yeah, and next week I'm going to land at Seattle, at SeaTac, and I'll be, I think, in Redmond for the Northwest ICAC conference, one of the bigger ones in the country.

Speaker 1:

I'm super stoked and excited. Yeah, that's awesome. Oh, yeah, I've been to the ones back in the day, when I used to do online exploitation cases full-time. I went to the one in Dallas a lot, so that was a lot of fun. I've heard that one's awesome.

Speaker 2:

I've never been to the one in Dallas. I've been to the one in Orlando, but not Dallas. Yeah, yeah, the Orlando ones are gonna show up.

Speaker 1:

But kind of funny, by the way. Yeah, it was good. Yeah, so this is my first time going there. It's pretty cool. I'm going to be at a panel with a whole bunch of people that it's like, how did I get in this panel? So you know, Heather Barnhart is going to be there in the panel, Jessica Hyde and a few other folks who I admire. So I'm pretty honored to be there and I'm going to give two courses on the LeapTools and Python and stuff like that. So that's fun.

Speaker 2:

Oh, very cool.

Speaker 1:

Yeah, oh, Kevin is in the chat. Hi, Kevin.

Speaker 2:

You belong on the panel. Don't be modest.

Speaker 1:

You're kind, you're kind yeah, so that's what's going on, what's going to happen. Awesome, pretty cool stuff.

Speaker 2:

Yeah, very good. Well, let's talk about some of the things that have been going on the last three weeks. I'm not sure if everybody saw, but Josh Hickman from the Binary Hick, who also works at Cellebrite, released some new test images for everybody to use. iOS 16, iOS 17, and Android 14 test images are now available. They are all Cellebrite extractions this time around. The iOS 17 image, he says, picks up right where the iOS 16 left off. He upgraded the iOS 16 to iOS 17 and just continued generating the test data, and he has these all on a site hosted by Digital Corpora, and I'll put the link up here for his blog about the release of those new images.

Speaker 1:

Yeah, and I love these. Every time they come out, we run them through the Leaps, you know, the community tools that we work with, but also running through your other tooling sets and try them out. And he adds, like, for example, for iOS he usually adds sysdiagnose logs and some other extra things. Yeah, so you get a really good picture of what that phone was doing, and for research it's just invaluable. So highly, highly recommend, especially you know 17 and 18 and all that, with all the SEGB files. You can play with those and some other artifacts that are coming out on the newer version. So we really, really, really appreciate Josh's work and hopefully he keeps doing that.

Speaker 2:

Well, and now that he has 16, 17, and 14 out, iOS 18 and Android 15 will be coming out, so they'll just keep him busy.

Speaker 1:

I don't think he ever sleeps. Yeah, well, you know, I'll buy him the coffee. It's okay, it's all good, there we go, to keep him awake. There's iOS 18. And you know, I don't know if I mentioned it last episode, but the whole hiding apps thing. Yeah. I really want to have some test data to do some more. I know some people are working on it, but I would like to look at it myself.

Speaker 2:

Yeah.

Speaker 1:

Well, that great, great segue right.

Speaker 2:

Yes, perfect. There's a couple of blogs related to iOS 18 that I saw. I'm sure there's more, but one is out by Chris Vance from Magnet Forensics, and another one, Mattia I'm going to butcher his last name every time.

Speaker 1:

I'm sure, Epifani, you said you were going to say Epifani, I think I would have had it right.

Speaker 2:

Yes, Epifani, I think I would have had it right. Yes, of course you would. So he has a new blog with iOS 18 too. So the Magnet article takes a look at iOS 18 with a full file system extraction. Just a couple of the things that Chris outlines are app protections, so a user can hide and password protect apps, or just password protect apps.

Speaker 2:

The article provides the plist that holds the data to track which applications have been hidden or hidden and password protected, and then hidden apps will actually be marked ignored in the icon state plist. But he has a whole section on that in his blog to check out. He outlines the new RCS messaging feature in iOS 18. So, if my iOS friends have noticed, they now can see when I'm typing to them, because I'm an Android user, but they can see when I'm typing to them. But he outlines how that'll look in the SMS database and that it will indicate if a message was an RCS message. The date read and date delivered will now have a date and time in the SMS DB for those RCS messages.

Speaker 1:

Look, I was hoping iOS users would discriminate less about you know, less you know in regards to Android user being in their chat, but no, I don't think so. They'll still feel superior. That's iOS users. What can I tell you?

Speaker 2:

A couple of my friends don't like it.

Speaker 1:

See, I told you, I told you I was kidding, but not so much.

Speaker 2:

Like why can I see that you're typing now? Don't you still have Android? They thought I switched over to iPhone. I'm like no, never, never.

Speaker 1:

Hey, we love iOS too, yeah.

Speaker 2:

In iOS 18, users can now also schedule their iMessages with a send later feature. So when the messages are scheduled they're immediately written to the database. So that'll change maybe some of the way you do forensics and interpreting that message. Data and the date will reflect when the message is actually scheduled.

Speaker 1:

Oh, interesting.

Speaker 2:

Yeah, I thought so too.

Speaker 1:

Yeah, I wonder if there's any other contextual clues somewhere else in regards to when this was actually written, because, let's say, the message is trying to make an alibi. You know, yeah, I'm over there. You wrote it before the event, right? Before you, whatever, making the sublet. You killed the suspect, I mean killed the victim. Then, okay, I would like to know that you wrote this before, right? Yeah?

Speaker 2:

definitely, definitely.

Speaker 1:

A lot of research to be done, yeah.

Speaker 2:

Yeah, a ton. I'm just highlighting a few of the key features. There's a whole bunch more in the article that Chris wrote as well. He also noted in his article that there's still data in the KnowledgeC. No major changes were noted, and that the SEGB version 2 files are still in iOS 18. No new versions, so you don't have to change all of the artifacts for iLEAPP.

Speaker 1:

Yeah, I know, I mean this whole changing versions, but that's good, I'm happy.

Speaker 2:

Yeah, so that's Chris Vance's article. I'm going to throw the link to it here, but as always, it'll be in the show notes at the end of the show when we put that up. And then Mattia, his blog, addresses some of the changes found in an extraction that he created with Ufade. We've talked about Christian Peter's Ufade tool quite a bit on the podcast and it's awesome, and that's what Mattia used to extract the data from his device.

Speaker 1:

Yeah, no, and let me tell you real quick, Ufade is awesome. Just a quick reminder for folks. It's free, you can use it, you don't have to pay anything and you get extractions from iOS devices and they look like advanced logical extractions, you know, and it does a whole bunch of features and again, it's free. So I've been recommending it a lot. I was recommending it to the students in Argentina when I was talking to them last week. And Ufade, there we go. Christian is on the chat.

Speaker 2:

He says this feels like a nightly accolade.

Speaker 1:

There you go, Sir Peter of the iOS Ufade, I need one of those big broadswords and go shoulder to shoulder right. No, it's good stuff. Thanks, Christian, for hanging out and for putting that tool out there. We appreciate it.

Speaker 2:

So Mattia's blog details a list of files present in the previous versions of iOS and available in an iTunes backup with iOS 18. So they're still available. He provides locations in the file system for all of the files that he mentions. He also includes locations of files that should be analyzed from the SysDiagnose logs, and it's a great blog. Definitely a great blog. While we all wait for support to have that full file system for iOS 18 too. I think, I'm not sure, one of the tools has it for consent, I think.

Speaker 1:

I do not know, I think so.

Speaker 2:

But again, how many suspects have unlocked iOS devices there?

Speaker 1:

No, I mean, and the thing is, this type of stuff is good because you still need to be aware of what the functionality is, because the moment you get access to the phone because you've got a full file system extraction, and for the folks that might be the first time listening to us, what that means is that now you can get to all the files and folders on the phone, not just what you will get from an iTunes backup, which is really limited, right? That you need to be aware what you're looking for, what you should be looking for. You need to understand the phone features per the operating system.

Speaker 1:

If you're not aware that apps can be hidden, then you're not going to look for it. If you're not aware of some of the stuff we're going to talk about in the next section, you're not going to be aware of what you need to take into account, like the RCS messages, right? When Android folks type, how does that look in the database? Is there any changes in the database that identifies it as Android users versus not Android? There's a lot of things you need to take into consideration and just knowing the info is important. When you get access, then you apply that information.

Speaker 2:

Right, Kevin just chimed in. VeriKey gets the iOS 18 consent. So GrayKey or VeriKey, whichever one you're using, is how you can get the full file system for now.

Speaker 1:

Yeah, I love how the main players in access, which, you know, everybody knows who they are, is GrayKey and Cellebrite, right? Mm-hmm. We were talking about it before the show. How they? What's the word you used?

Speaker 2:

Oh, like the cat and mouse.

Speaker 1:

Yeah, kind of multiple things.

Speaker 2:

Yeah, they're trying to one-up each other.

Speaker 1:

That's great. I I've been lately on a big wish list. I hope more vendors will get into the extraction space like more options. So it's not only to get high. Say high level, I shouldn't say that. I say deeper level extraction. You know what I mean. Right, right, and I know XRY does a few bunch. I don't want to dismiss the other folks.

Speaker 2:

Oh yeah, they do.

Speaker 1:

They do great work as well, but usually, at least in the United States. Those are the two bigger ones, but I would like to see five, six, seven, eight companies providing access.

Speaker 2:

You know what I mean. Definitely. Mattia's blog link is there on the screen as well, but that'll also be in the show notes at the end. Yes, and since we're talking about Christian's Ufade tool, the mr. eerie blog, it's Derek Erie. He actually just added to his blog. He has a whole bunch of topics on his blog, but he just added to his blog exploring Ufade to extract data from iOS devices, and he talks about the installation, navigating the GUI interface, some advanced options and how to use Ufade with MDM devices. So he's got a whole nice outline on how to use Ufade, with pictures and everything, so screenshots. So check it out. If you haven't used Ufade yet, that's the perfect blog to go get started. It really lays it out nicely.

Speaker 1:

Yeah, I see a good community being built around the tool, and that's what we want to see. We want to see oh, and I haven't mentioned that Christian was nominated, the tooling, the Ufade for a Difference Maker Award.

Speaker 2:

Yes.

Speaker 1:

So we don't have the link here, but go Google SANS Difference Maker Awards. And the first link is going to be the voting link most likely, and make sure that you vote for Ufade as the tool of the year type of award, because he's totally deserving of it. Oh definitely, 100% support from the podcast. Well, I mean 50% support. How about you?

Speaker 2:

Heather, do you agree? Oh yeah, he has support. Definitely, it's awesome.

Speaker 1:

Then 100% support from the podcast that he should. I know you were going to say that too, but I don't want to speak for you.

Speaker 2:

You don't want to speak for me. Yeah, thanks, I definitely was going to say it 100% support.

Speaker 1:

So go for Christian and the tool.

Speaker 2:

So also kind of going along with iOS updates. A LinkedIn post from Brian Krebs was on recently and his post talked about a new feature in iOS that a user can request or give remote control through a FaceTime call on an iPhone. So a participant can request to remotely control your screen if they're using an iPhone or iPad with iOS 18 or later and then when you receive a remote control request notification in the FaceTime app on your iPhone, you can tap allow. A countdown from three to one appears, then remote control session starts, which is crazy.

Speaker 1:

I mean what could go wrong. I know, come on. I mean yo that's great. I mean I cannot think of any situation this might be a problem.

Speaker 2:

Yeah, there's a warning on that. So there's a warning about it. The person remotely controlling the screen can perform tasks on your iPhone such as opening and closing apps, changing settings, deleting items or sending messages. The person remotely controlling the screen may be restricted from tasks such as changing your Apple account or Face ID settings, making payments or erasing your device. Well, thank you, yeah.

Speaker 2:

At least, and it also says your Face ID and Touch ID will be disabled during a remote control session. You can still tap, swipe or type while the screen is remotely controlled, and your actions will take priority over the remote actions. Oh my goodness.

Speaker 1:

Yeah.

Speaker 2:

So many things to go wrong with that.

Speaker 1:

I appreciate them trying to put some sort of risk mitigation features there for the parents, you know. But still, yeah, I mean, especially when you have, you know, grandma or granddad and you know we get scammed to the computer oh, you got a virus you need to contact. Give me remote. Can you imagine now that on the phone, so this kind of scams this is my perception that are pretty prevalent in older folks or more experienced folks, it might be migrated to the phone. So, yeah, let's go to your bank account, you know.

Speaker 2:

Yeah, I think we're going to have some more cases of unlawful intrusion into people's devices. Definitely, Whoa no, and that speaks again.

Speaker 1:

that speaks to the whole artifact. How is that recorded on the phone when you have a live session? Where does that go? Yeah, it has to go, I would assume somewhere.

Speaker 2:

I'm definitely going to have to test that one, yeah.

Speaker 1:

Oh, for sure. Well, artifacts are generated through the interaction, right? So no, that'll be good. Oh, but a quick note, Lori's in the chat, so hi, Lori.

Speaker 2:

Hi Lori.

Speaker 1:

We're here, you made it. It's not over yet.

Speaker 2:

You just missed Alex calling me a geek in the beginning. Lori, it's okay.

Speaker 1:

She knew that already.

Speaker 2:

Yeah. She probably did.

Speaker 1:

She's part probably the geek club too, the geek squad club, yeah, so no, there's a lot of features coming up and I don't think again. I think we need to be aware of those features and then, kind of as a community, start recognizing what stuff is where. I don't like to wait for the vendors to tell me, hey look, we support this, and like, oh, first time I hear. No, I want to know it beforehand because I might need it before yeah before they get support.

Speaker 2:

So that's a big deal, definitely. Going along with the same theme, there was an article from SUMURI, macOS 15: What Forensic Examiners Need to Know, and SUMURI released the article, and some of the updates are the same as iOS, but there's some others as well. So there's Passwords as an app, the scheduled messages that I already said for iOS. Downloaded maps, so users can download selected areas for offline map use, sorry, including custom hiking trails, and the feature opens up more possibilities for tracking offline movements. So investigators, definitely, that'll be a good artifact for investigators when it comes to location data and downloaded maps. Absolutely. HomeKit guest access, so users can grant guests temporary access to their home security systems.

Speaker 2:

Another one that sounds dangerous: turn alarm off, let's go steal. Yeah, so it includes, like, garage doors, alarms during specific times, so that definitely can be a key detail in investigations if you're sharing that data with other people.

Speaker 1:

Well, I mean, you could be tricked into doing that, or who knows, if any malware, I mean, we don't know, we're just speculating, but what type of malware could then do that without you noticing? And this is not far-fetched. It might sound far-fetched, but it's not. Let me quick segue here. You see banking Trojans that hit different mobile devices. They use accessibility services to click for you. You don't have to click, they click for you and they do all these sorts of things. Why wouldn't they be able to get into your HomeKit? And again, I'm not trying to be paranoid, although we kind of are because we're in this business, but the main point is, yeah, this is a feature that, you know, the computer has, or the phone has, or whatever has. Yeah, let's figure out how that's memorialized on the device and see if there's any forensic value, you know, to it, and get to it. Yeah, definitely.

Speaker 2:

Just a couple more from theirs: Safari highlights, picture in picture, reminders in the calendar and then, of course, for iOS and macOS, the Apple AI and what it means for the investigations. So go and check that out on SUMURI's blog.

Speaker 1:

Yeah, let me make a quick comment. Lori says you are more likely to be victimized by people you know, and she's absolutely right, especially if we're talking about home security systems. You know, I don't think a hacker from some country is going to worry about that because they're far away, or maybe, who knows. But yeah, she's absolutely on it. But, agreeing with her, the thing with cybercrime, for lack of a better term, is that, yeah, it could be somebody close, it could be somebody far away, and our task is to make sure we understand how is that recorded and how is that then extracted and presented at court? And we need to be aware of the features. I think the big theme of today's show is be aware of what's coming.

Speaker 1:

So then you can go find it especially on a device that's new and we don't have an extraction yet. Be aware of the features. If you don't like to be aware of the latest phones and what they do or don't do, then you're going to be lagging behind the rest of the pack.

Speaker 2:

Definitely. So, 25th anniversary of Paraben. I saw this on LinkedIn, actually. They're celebrating their 25th anniversary and to mark that anniversary, they're offering a complimentary 30-day license for Paraben's E3 Universal software, and they're also offering access to all three of their operator level certifications until October 31st. So they said right on the post the offer is their way of expressing gratitude for the industry's continued support.

Speaker 1:

Yeah, and Amber, she's amazing. I don't want to misspeak, so don't quote me on this, but I think I do know that she and her team many years ago, I think they made the first Faraday bag or a patent for a Faraday bag back in the day, right, 25 years ago, and I think it's the first one. Yeah, and they've been doing great work since then until today. So I really hope that folks take advantage of this. Like Heather said, it's 30 days, it's free and you get to get extra certifications. If you're new in this business, and especially if you're really Windows based in your work and you want to kind of expand your digital forensics knowledge, this is one way to start. If you're new, go to these courses. You got all the operator levels, all the tool work, where artifacts are on different phones, and take advantage, and there are images that you can work and parse through that are free and available, like Josh's. There's no reason why you can't grow in this field. The tools are there.

Speaker 2:

That, and if you've never used Paraben, this is the perfect opportunity to try it for free for 30 days. You may end up adding that tool to your tools in your lab.

Speaker 1:

And they're one of the folks, them and others, that also support integration with the Leaps as well. So you can also use the Leaps through Paraben tooling and you can have another view of the data from a community standpoint through the tool.

Speaker 2:

So Oxygen, another great tool, but Oxygen's 2024 International User Summit is coming up. It is October 15th through the 18th in Alexandria, Virginia. They're going to have speakers and presentations the first two days, and it's no cost to attend the first two days, and then the 17th and 18th are training days. The attendees will choose a track, and that'll either be an extraction refresher track or an Oxygen Forensic Detective update and analytics track. Both tracks include a capture the flag event on the second day, and the trainings are only $500 per student.

Speaker 1:

That's a great price for all the things, for my opinion, and, like always, we don't.

Speaker 2:

Our opinions reflect our employers yeah, two days of training for five hundred dollars that's.

Speaker 2:

That's a really good deal, definitely. Yeah, it's good stuff. Speaking of training, Hexordia, previously on the Cyber 5W website, has moved over to a new website. Let me put that up, and it is Learn with Hexordia. So they just launched the Learn with Hexordia platform. They have free micro content, virtual live classes, hands-on labs and a community for support and learning on their new website. So, if you haven't registered, Jessica Hyde is the head of Hexordia and she is awesome and the trainings are awesome. I've done quite a few of them.

Speaker 1:

Yeah, and I love some of the courses specifically because, you know, even though I mean we're friends, you know, us with Jess, it's kind of interesting how we come to some conclusions that converge and we come to them separately. Right, we started moving towards really focusing on data structures as a way of getting deeper knowledge of our investigations, and Jess, kind of on her own, also was going that route. So she has a great course on data structures, and by that we mean understanding Protobuf, understanding SQLite, which is kind of the classical one, but expanding to JSON, SEGBs, like all the different data structures in mobile devices, and they go one by one, explaining what they are, what they consist of and how to pull them out and what value can you get from them. And that's amazing how we kind of come to the same, you know, kind of we converge that way. Great, great, great, great course, great topic, so worth checking it out.

Speaker 2:

Yeah, definitely. I think she's expanded upon that class too. Don't quote me 100%, but I think it's a two-day class. Now it was a one-day, yeah, so I think she's expanded upon it. Plus, there's a whole bunch of other great courses in mobile forensics. She has a Mac class that I haven't had a chance to take yet, but I've heard great things about it.

Speaker 1:

I would hope that vendors start adding to their courses a data structures course, because if you're showing how to use a tool, there's nothing wrong with that, but after the tool runs, then what? At least a data structures course, and don't take away the basics. We talked about it, I think, two episodes ago and some basics, right, at least you have a more rounded individual. But you know I don't want to tread on ground that we already ran on.

Speaker 2:

Oh, you can say it again we need to keep the fundamentals in the training.

Speaker 1:

I might say that like a hundred more times and there might not be fun, but they're elemental.

Speaker 2:

Right, you have to know it. You have to know it. Another LinkedIn post that I saw, and I think you've shared several times, but Noel Lowdon has some mini video series, bite-sized considerations related to effective vehicle system forensics, triage and planning to extract that data from the vehicle systems, and he outlines really well the steps to take for an examination. I think these little mini series are great. Plus, they're free on LinkedIn, his LinkedIn. So definitely take the time to check out Noel's LinkedIn page. He's got a ton of content.

Speaker 1:

I believe his content is worth its weight in gold. Right yeah, and you'd be surprised how many agencies, both in the US and also outside, they don't consider vehicle forensics that much right, and that needs to change.

Speaker 1:

He was talking about how the infotainment systems, you access them and that's where the data is kept, like track logs, where the vehicle has been, what sensors are being activated, does the door open, the trunk open, whatever. And he's saying look, even between let's say I think it's BMWs or Mercedes, I don't remember which some German cars, cars of the same brand the infotainments change a lot and there's still a lot of R&D work in how to deal, get the data out, but the data can be pulled out. That's one of the few devices you can still do chip-offs out of and get stuff. You need to take that into account in your investigations. You get the suspect's car. You have to do this type of work. And again, talking about awareness, watching his videos, looking at his series, you have that awareness in regards to what can you get and how do you get it. That's the first step.

Speaker 2:

Yeah, you know. Speaking of chip-off too, I mean he's out of the UK but I'm going to put his actual website up because he has training in chip-off forensics as well. I noticed that on his website when I was checking it out. So if you're over in the UK or maybe he'll come to you I'm not sure. I don't want to promise that, not knowing. But there's a course there on it.

Speaker 1:

I'm pretty sure the price is right. I'd rather somebody send me there, though.

Speaker 2:

Yeah, me too, I want to go.

Speaker 1:

Definitely I'll start drinking the tea with my pinky up or something Good stuff. Yeah, volcano site is a great resource. Do follow his LinkedIn and do watch those videos. You're going to learn a lot.

Speaker 2:

Yeah, you know, with the vehicle forensics too, I think there's not a lot of documentation on the how, the why. I mean it's like this tool is used for vehicle forensics, Plug it in, pull the data and just send out a report, and he goes a little more into that. So I think that's needed in the vehicle forensics for sure.

Speaker 1:

Oh, absolutely that provenance of that data, how it was acquired, the processes and all that is so important as it gets more scrutinized, because you might you're the other side, be it civil or criminal cases the other side might not be that aware, but as it gets used more, there'll be more awareness, and which is a good thing. That means that you need to up your level, make sure you understand what you're doing and present it properly.

Speaker 2:

Yeah, another good blog article out by Alex Caithness from CCL Solutions. The title of it is When is an app not an app? Investigating WebAPKs on Android, and this one outlines a progressive web app is an application which is built using web technologies and it's designed to give the look and feel of a native application. His blog addresses how to identify that the app you're looking at is a WebAPK from the user's perspective, but also from the file system and where that data is stored

Speaker 1:

related to the WebAPK. And my big takeaway from that is because the big takeaway is the difference between, for me, an Electron app and a progressive web app. Right, I dealt with a lot of Electron apps and I have a lot of talks about them and a little bit of a summary. When you talk about Electron apps you're talking about you download the app and it looks like an app, it walks like an app, it ducks like an app. Guess what? It's not an app, it's a browser. Yeah, exactly, it's a browser. It's most likely a Chromium browser with some code that behaves like an app. All right, but it's actually Chromium.

Speaker 1:

Now, a progressive app is also run from a browser, but not like a standalone browser like that. It's run from the browser on your system and that's kind of the big difference there. When you look at Chromium apps, you're looking at a whole new browser in there. That browser with some code might generate its own little web server internally to access and show you things, whereas a progressive app, if you need to show you something, it won't be able to show it to you. It has to go out to the Internet and show it to you. There's a pretty lot of this linkage to the browser that's installed to the outside world, whereas an electron app might also do that, but it's not needed. The progressive app within itself should be able to provide you some of that stuff locally.

Speaker 1:

And that being said, right, an app that's running, or a browser running locally in that sense, might have and some extra code might have more access to your device than something running from a browser that's actually accessing the internet, because at that point sandboxing and some security measures are involved and a browser that's reaching out in that way won't have that access that an Electron app has. But again, it's kind of funny because we didn't plan it this way. But the topic of the day is awareness, right, if you're not aware that a progressive app, what it is, you have no idea how to parse it. I would say a lot of progressive apps. I don't know if vendors have support for them, like so.

Speaker 1:

Yeah, I don't think so, yeah, I mean, it's true that it's using the browser and it will be as a browser artifact, but we talked about in the past how context is important. If you can tell me, look, all this web history, these particular items belong, for example I'm just making this up for some examples belong to a progressive web application, right? Or these structures again making this up let's say, some LevelDB databases are involved with this particular website or domain, which is representative of a progressive web app. That changes my perception of what's going on. Right, it wasn't just the user browsing to pages. There's another level of abstraction and app. That and that involves different other additional things for me to present and consider, and that awareness is needed. If you don't know that exists, you will know how to look for it, and if the tools don't parse it, then who's going to do it?

Speaker 2:

Right.

Speaker 1:

Well, actually, let me point at you, heather, you're going to do it.

Speaker 2:

Yeah, I'll do it, but we have a little bit of help now, though, because Alex's tool that we've talked about on a previous episode, Mr Skinny Legs, actually does some of that too.

Speaker 1:

I love that name. Yeah, me too, even though I had no idea what he was talking about at first, but I got it now. Yeah, people that are. You know we were explaining it last time, but look the skinny legs. You need to do more leg day. That's it. Don't skip leg day.

Speaker 2:

Oh, so you don't have skinny legs.

Speaker 1:

Heather never skips leg day.

Speaker 2:

Yeah, nope Never.

Speaker 1:

Never.

Speaker 2:

Never yeah.

Speaker 1:

That's never, never never, yeah, no worst day oh my goodness, you know what I did today no leg day, did you?

Speaker 2:

yeah, oh no, I'm fine now, I'm not gonna be fine tomorrow no no, when it hurts definitely definitely, or if you work out with you, my legs seem to hurt a little bit more.

Speaker 1:

I don't ever want to do that again. See, I try to work out without myself, but that's, that's not happening. I got no choice. No, no, all kidding aside, it's, it's again the, it's the work that CCL Solutions, you know they do. And through, obviously, Alex Caithness, another great article. They're always, through him, on the cutting edge of what do we need to know that we don't know, or that we don't know that we don't know. Like Roosevelt once said, I'm going back to the 90s yeah, we don't know the things that we don't know. So, highly recommend it, go check it out and be educated.

Speaker 2:

Back on the training subject. So Hal Pomeranz has a webinar. Um, it's Not Scary Binary, and um it's going to be October 22nd at 1 pm Eastern time and it's only going to be $25, which is super affordable. Um, the course topics for his webinar are going to be why do computers use binary? It's going to talk about decimal versus binary, binary to decimal conversions, decimal to binary conversions, um hexadecimal, converting binary to hex and back again, uh, bytes, words, DWORDs, QWORDs, little endian and big endian. It's just all of that fundamental stuff that I keep saying vendors need to not get rid of. Hal Pomeranz is going to have that in a webinar for 25 bucks.

Speaker 1:

And if you don't know who Hal is, let me give you a little bit of a little bit of little detail. His background, right. He for many years used to teach at SANS right, and we know SANS is world-class level training, okay, in regards to incident response for Linux right. So this guy, it's like down there I know him. Um, he's a really cool dude in person as well and I highly recommend that. Let me put it this way when he speaks you need to listen, so you got a chance to train with him at $24, as opposed to SANS prices. You know why not? We should all not walk, run.

Speaker 2:

Definitely.

Speaker 1:

And take that course. Especially again, the topics here go from really basic I say basic like why do computers use binary, right In a sense, to packed bytes? Packed bytes and masking and shifting, like I'm going to put it in my calendar, I haven't I got so many things going. I don't know what I'm doing in 20 seconds. But if I can fit it I will. I myself will do it because it really covers so many important things. I do like not scary binary in October. You know, get it, I like that.

Speaker 2:

Yeah, definitely I highly recommend it. Yeah, I'm super bummed. I'm going to be traveling that day, so hopefully I can pay the $25 and do it at a later date. If not, you better take notes for me. I need to, I need my.

Speaker 1:

I need my refresher on all of that. Oh no, I'll say good, no, so don't worry. Okay, uh.

Speaker 2:

So another topic, uh, that also I saw on LinkedIn because you shared it, um, but Amazon Web Services, so I'll throw up a picture if you want to start talking about this. Yeah, so, so I essentially this was interesting to me because um Cellebrite, and again, it's a company that does a lot of good stuff and we love them.

Speaker 1:

We also, when needed, we give them constructive criticism, and there's nothing wrong with that. The CEO, Carmi, he was saying that what they're doing is so we're dealing with a lot of evidence, right, and we all know this. We got so much stuff coming in and instead of saying, well, we're going to keep it in our local network area storage or whatever it is that we're using right now, Cellebrite is proposing that you leverage their service, which uses Amazon Web Services, AWS for storage. So now you don't need a physical server on location. What you do is you take your evidence and you push it up to the cloud, to the AWS cloud, and they explain that they maintain security and preserve the resources and expedite data analysis, and that works hand-in-hand with their Pathfinder tooling, and I'm not really familiar with the tooling. I'm only more familiar with the extraction capabilities they use and the parsing capabilities. You know Premium or I guess, Insights now, Insights Premium and Insights PA. So I took a screenshot of how the Pathfinder tool looks. I don't know if we have it.

Speaker 2:

I do, let me just get it open.

Speaker 1:

And the reason I'm going to show it is because I wanted to see okay, so this data, your case data, is going up to the cloud, so you're going to process it and work from it. From the cloud, how's it going to look on the user from the user standpoint? And it's pretty nice, right? You've got a little dashboard and you see all the different things the tool is kind of doing in regards to analytics. It makes linkages and you get more from. That's all great. But there's a point there, or an entry for images, and I don't know, it's kind of small the picture, but you can look it up, it's there.

Speaker 1:

So then I thought, okay, so normally I might, if I put all my evidence on the cloud, right, and my evidence is contraband, I mean, and see, I'm kind of lost at words Like there's a lot of things that come to mind. Right, how in regards to access, right, how is this being managed? What's being proposed? And maybe I'm mistaken, right, I'm open to being corrected on this. So this is my thoughts. A little bit of ignorance there. I accept it up front. But my thought process is we're going from having control, absolute control over the evidence, over a standalone air gap network. And now we're saying we're going to trust this vendor to put this data on another vendor thing and then hope that that's secure and the contraband is going to live outside where I'm at, outside my office and it's going to be secure.

Speaker 1:

And there's a lot of risk. And, again, I'm ignorant in regards to what the mitigations are. But that's the questions we need to be asking. I don't think we should go say, oh, this is great, how much is it? Can we afford it? Take it. Where are the discussions about risk and risk mitigation? And I'm pretty sure that some of those discussions, the sales rep will have them with you and that's great. But I believe that some of these discussions should be up in the open for the community to discuss, because this is no dis on Cellebrite, this is for the industry. A sales rep has a purpose. What's the purpose of the sales rep, Heather?

Speaker 2:

Sell the product.

Speaker 1:

To sell it to you. They're not there to, you know, I'm going to show you transparently how secure or unsecure this is. And bye, have a nice day. I'm going to try to make the sale and I mean that's just normal incentives, right. When the discussion happens within the community, in the open, there's no incentives to sell anybody anything. We discuss, hopefully we can discuss what the risks are and what the mitigations are. Is this a good idea? Do we want to really put some of our evidence? What happens? And I'm going to jump on this, Heather, I guess it's like my mini soapbox moment. Go for it.

Speaker 1:

I was reading an article last week and one today about AWS itself. Right in AWS, AWS, right, any service, they have mitigations for, you know, hacking and all that type of good stuff. But it happens. We've seen, uh, bad actors being able to get credentials. Um, be advised, uh by, uh. Um, I lost the word. When you trick a person, a human, what's the word? When you trick a person to give you something without them knowing that they gave it to you? It's not human engineering, what's that called?

Speaker 2:

You know what I'm trying to say. Right, I do. I'm drawing a complete blank, though that makes sense.

Speaker 1:

Chat, give me a help. I'm going to keep talking, but chat, give me a help when I trick somebody to do something. That, uh, the social engineering. I got it myself. Social engineering. Okay, so they use. You're like, yeah, that's not it, but yeah, that's what it is. Well, I'm gonna say social engineering, the social engineering, somebody to give you the access. And now, what right? All that mitigation that you had goes out of the window because the data is accessible. It's out in the universe. What holds it is that access. Social engineering, see Ian thanks, he's got it.

Speaker 1:

He's jumping right in with you and the fact that a person like Ian of his caliber said it's social engineering. That means I'm right and you're wrong. Yeah, okay, thank you. Thank you, Ian, for settling that dispute. I was not gonna guess that. Yeah, and another Ian is there in case.

Speaker 1:

You see he got here. Again, this is not a dis on Cellebrite, right, I'm talking about. Yeah, I'm talking about, because this is not only Cellebrite, right. We see this move toward cloud and Magnet as well. They have some of the case management that is on the cloud, it's not on premise, and Magnet is another great company, kind of same space, and how much oh, and reviews as well. You can do case reviews to process it and you put it on the cloud. So it's not only Cellebrite. I don't know if Magnet uses AWS or not, but what system you use doesn't matter. The risks are still there. And then are those being discussed in the open as a community and those mitigations as well.

Speaker 1:

One more I thought it was interesting, not directly related to this topic, but I was reading Brian Krebs' blog post today and he was talking about how these bad actors go and sell credentials to some AWS-hosted LLMs, so large language models, pretty much AIs, AI engines, and they take some credentials that somebody mistakenly put in GitHub, for example, or some other places and they log in and what they do is, when they have access to the AI, they have on their end a website that offers sex chatbots. Okay, so you want to have, like, some conversation of that topic? You don't have to talk to an actual person. The AI will provide you with that conversation, which is kind of disturbing in the sense that some of those conversations can, uh, deal with really, uh, like abuse conversations, if you folks I don't want to go into more details, but folks understand what I mean by that. Conversations regarding victims that are disturbing, and they do that by kind of jailbreaking the LLMs, and by jailbreaking means that they make or ask questions to the LLM in a way that breaks that security and the LLM converses in a way that's not designed to.

Speaker 1:

I'm saying all of this just to make the point that the access if they get the access, they get the data. If they get the access these bad actors they get the service. And maybe I'm too old school, coming from the school of saying, hey, all the evidence should be housed in-house, should be handled by the agency and it should be air gapped. Maybe I'm a Luddite in that sense, old school, I don't know. I mean, do you think it's a good idea? What are your thoughts, Heather, in regards to this move to put evidence in the cloud as a way of expanding storage?

Speaker 2:

So I think it depends. I mean, so I was actually you brought this topic up. So I'm like I'm going to research this a little bit. But with AWS they do a shared responsibility model where the customer is responsible for securing their own data. So with tools like Pathfinder or Magnet's Review, my question would be is the customer me that is securing my own data, or is it Cellebrite, or is it Magnet or whoever else is providing the service right? So the customer would have to tailor it to their security and compliance control to meet their agency requirements. Um, and I don't know, do I feel like that would have to be different for every agency on a case-by-case basis, and I wonder who takes that responsibility on?

Speaker 1:

Wow, yeah, especially since I don't. I mean there is no universal, to my knowledge, standard for how you're going to keep this stuff. No, I mean there's, there's no, there's some mandate or some law that tells you you need to keep it this way. You know? I mean right, right, so it could be different from agency to agency.

Speaker 2:

So who's controlling that? And I mean I don't even know if it was our agency, who would control that in our agency. I'm not even sure at all. So I mean putting that factor into it. I think it could be, it could make it more dangerous when it comes to vulnerabilities in storing the data.

Speaker 1:

Well, I mean, and look, I understand that. But let me put it this way. Would I say that me having my email server at my house is more secure than having my email managed by Google? Well, Google will do a better job of securing the email server than me. That's just a fact. So I understand where we're coming from. Right, does a big company like AWS, right, have this security team that will secure it? Well, of course, but the premise is we're going to agree to put this evidence in the cloud and then the question is how to best secure it. But my contention is maybe we shouldn't. Maybe we should still keep it in-house, in a sense, because and again, we're kind of brainstorming we're kind of just discussing some thoughts here for the folks that are listening and for everybody that's listening, with us participating. I believe it. Correct me if I'm wrong, Heather. We don't have really super strong opinions on it. I want to be educated. Yeah, I want to know more about this.

Speaker 2:

Yeah, me too. I definitely do, and I think it could be secure if it's done correctly. I just I would like to understand a little bit more in depth of how it's done.

Speaker 1:

Because this is how I think about it. Let's say, you secure it, it's on the cloud and you made a mistake or you didn't press a button, or somebody social engineered you and now you're exposed. Whereas what's the worst that could happen if I had the evidence in a standalone air gap network in my office? What's the worst that could happen in regards to security? Maybe I forgot my password or something. I need to reset it. Nobody's going to come from the outside. Now, I'm not saying that air gap networks are intrusion proof. I'm not saying that right. I'm not saying that somebody couldn't come in and pull the data out physically and then put it out. So I'm coming from the context of risk mitigations that are needed from a standalone air gap network compared to hey, let's put everything in a third-party cloud service. I'm going through another third party to kind of make that access either to Magnet and again, I'm mentioning Magnet now a lot because I want to make sure folks understand.

Speaker 1:

We're not dissing any particular company. We're talking about the state of the industry as it's being moved, because this move is coming from vendors. Vendors from a technological standpoint it makes sense. They say look, this might be a better solution than you having to buy all these drives and all this hardware. Maybe you can save the cost on hardware because now you can spend it on software. Ta-da, I mean the profit motive, and I got nothing against profit motive, right, that's how things get better. You know, in a society that works like ours operates, right, you want to incentivize these technological companies to create solutions. But is this a good idea or not? I'm still on the fence, but kind of tending still to the old school method. We'll see how the market and folks react. Or if hopefully not if a big hack happens of a law enforcement agency, can you imagine?

Speaker 2:

Yeah, that will not be good.

Speaker 1:

Yeah, I mean, would that change the approach? I don't know. I mean, again, I'm ignorant on this, so I'm really I would hope that folks will leave comments in in our LinkedIn page or yeah, about what they think about this and maybe we can discuss it as we learn further in a future podcast.

Speaker 2:

I think there's a few other things to consider too. So when it comes to migrating to a service like this, what type of logs from that service now become part of discovery in court?

Speaker 1:

Oh, my goodness, yes.

Speaker 2:

Yeah, and chain of custody Like, how are we explaining chain of custody? I'm sure there is a perfect explanation on chain of custody when it's stored up in the cloud, but are all of the users in your agency ready and prepared to explain the process in court? Do they understand the process? Do they understand what happens when it's uploaded? How to ensure that the integrity of the data that's stored in the cloud remains?

Speaker 1:

I just think there's a lot to think about when moving to a service like this. Yeah, and I mean, I mean again, I'm ignorant, but it makes me think of when you get stuff from a provider, a cloud provider, somebody from their end has to testify or send some documentation saying, yeah, this was housed here and it was accurate and this is what it was. Um, if it's and we can say what's a VIP? It's a virtual private network. Right, from the topology standpoint, for sure it feels like a computer that's on your network, it feels, but it's not right.

Speaker 1:

Will the courts want to validate that? Would they need somebody from the other end? Right, well, it's going to be encrypted at rest, right, is that? Will that suffice? Like, yeah, like. Those are pretty valid questions and thank you for bringing that. That did not cross my mind, so thank you for bringing that up. That needs to be discussed with our, I say, prosecutors or lawyers or whoever you're working with, to make sure we keep that chain of custody as it should. That's a pretty good, good point.

Speaker 2:

Yeah, I think it would have to be a standard explanation for everybody in your agency too. We should all be testifying or repeating that process in the same manner. So I think it would be some training involved for sure.

Speaker 1:

Yeah, laurie's saying what it will cost you to get the data back, because these folks might charge by the megabytes going up and down.

Speaker 2:

Yeah, that's true.

Speaker 1:

Yeah, we run out of the budget for this month, so no cases are going to be solved until we get the next data block allocation. I don't know how it works, it'll be good to know.

Speaker 2:

Yeah, on this topic, though as a whole, please feel free to leave comments, because I would love to hear what other people think about this. I mean, if people could kind of like phone in and talk about it right now, I would want to allow you to, because I just want to hear what other people's thoughts are and if anybody knows additional details on how it all works.

Speaker 1:

Yeah, if you go to our, if you're listening to our podcast, if you go to our podcast page and it's going to be there in the description of the show the BuzzFeed or Buzz I missed it Buzzsprout page If you go there, also, in the podcast directories there's a little link where you can send us a message as well. So if you want to communicate that way, you can go to your podcast, the podcast page in your podcast feed. Go, leave a message for us and we'll read it in the next show and discuss it. Folks on LinkedIn, leave us comments what you think about putting stuff on the cloud as evidence, risk and mitigations and also the benefits. Right, and let's maybe get a discussion going.

Speaker 2:

Yeah, definitely. All right. What's new with the LEAPPs? I have one that I saw on. I think Kevin posted it, I'm pretty sure. So Marco Newman added the Withings Health Mate on iOS that parses account information between users' devices connected. The account measurements, um, so steps, heart rate, location, SpO2, temperature, uh, tracking and activities, and then um specific activities tracked manually or detected automatically, like cycling, swimming or running, and there's actually a blog post that goes along with that from Marco, if anybody wants to check that out, a blog post about the new LEAPP artifact.

Speaker 1:

I wish that more folks do what Marco's doing. All those things are pattern of life artifacts and, you know, usually vendors focus on the ones that come with the device or device brand, like the iWatch or the Google and Fitbit, because the Fitbits are pretty popular but some that are not as popular might fall through the cracks. So the more support we have for these pattern of life artifacts from many device vendors Withings or the other Fitbits of the world that would be good. So I wish I could do more of those, but I don't have the budget to buy all the devices to generate data. But hey, if you have some of these devices, then yeah, try to make some parsers for that. It's super useful.

Speaker 1:

So many cases are solved with this type of pattern of life data.

Speaker 1:

And pattern of life data, if you're not familiar with the concept, long story short, is an artifact that tells us something about the state of the world in regards to the person that's using the device or using the phone, and not only what they were doing at a particular point in time.

Speaker 1:

You can maybe be able to predict what they will do or detect moments where they were not doing what you were expecting them to do, and a simple example of that is if that person you see a pattern of being asleep at night and then you see a pattern or a day that the person's awake, well, that's a point you need to check out, right. An obvious one if you see a pattern of the heart beating and then the heart stops, that's a big clue that something bad happens, especially if the person is deceased or disappeared, and we can think about many scenarios where this data could be useful. So the more support we have, the better. And talking about support, I want to give a big shout out to James, johan, john, hila and Kevin and the folks that I did not mention. The last names we know they're friends from the podcast, and John, soon enough, will be mentioned, just as John.

Speaker 1:

We know the last name, there's a lot of Johns, though we have to just call him Hila. Hila, yeah, actually that's pretty good. I like that. I like that. It's cooler as well.

Speaker 2:

Yeah, I like that, it sounds.

Speaker 1:

It's cooler as well. Yeah, so they've been working on a project, um, you know we've all been working, but they're being the heart and soul of the project. It's a way of I cannot give a lot of details because it's not finalized yet but it's a way of looking at extracted data with the LEAPP tools. That's way faster, way more efficient. It handles more data. It allows you to do a whole bunch of different capabilities. It's a project that we're working on. I just recruited a great examiner that works from the great state of New York to help us with updating some of the artifacts. I don't know if you know her. She's awesome.

Speaker 1:

I'm going to try, let's see if I can handle this. Oh you will, and the point of that is, we hope, hopefully in the nearish future we could make some announcements. But I don't want to say to James, Johan, John and Kevin, you guys are rocking it. Um, after this conference that I got next week, I hope then to also, you know, put my hands, you know, roll up my sleeves, well, my short sleeves, roll them up even more and actually be more hands on with some of the stuff, uh, that we're developing really. Uh, look, keep your eye on the space, the LEAPP space. There's a lot of good stuff, uh, coming up. Yeah, definitely looking forward to it.

Speaker 2:

Uh, everybody's favorite time, the meme of the week. Let me share it here. Yeah, I was going to say where's your fireworks.

Speaker 1:

See, I'm on a lame dose or I'm sorry, Windows, so I don't have that anymore.

Speaker 2:

So the meme of the week says are you two friends? Incident response, digital forensics. Incident response says no, digital forensics says yes, and you're going to further explain this one for me. Yeah, so because I just killed it with the characters.

Speaker 1:

I think you have to explain. Yeah, so it's a Star Trek episode. So you got these two Star Trek folks and you know one is like no and the other one's yes, right, um, the thing is. So there was this. This being came in response to a post that Defer oh, my goodness, I blanked out on his name, hold on. And a post that Brett Shavers.

Speaker 1:

Now, it came to mind that Brett Shavers did explain and kind of talking about the differences between digital forensics and incident response, because they're lumped together, D-F-I-R. So what's the difference between DF and IR? He's making the point that digital forensics has the court element in it, right, so the fact that I say court but you know, legal element, the fact that legal element is involved, means that our processes within digital forensics can be really, really different from incident response.

Speaker 1:

And the point I make with this is like, that's true, but it's also some cultural differences, right? And the incident response community, from my perspective, it's a lot of really, like, hacker culture, kind of cool dudes with gray, you know, green hair, right? You know, doing hacks, you know, and again, not hacks in the sense of negatives, in a negative way. I'm talking about as a researcher and doing pen testing, and when an incident happens they go in there and make sure they understand what happened, how to mitigate it.

Speaker 1:

It's important work, but they're more like a cooler crowd, in a sense, right? Whereas digital forensics is usually a bunch of cops. Digital forensics in the plain sense of the word, right? And yeah, it's like, are we friends? Of course we are. Not that much, right? It's just a cultural difference. The fact is that a lot of the incident response world is now benefiting from the experience that sometimes retired law enforcement folks that work in digital forensics, that they make the move over to, to incident response, which is a valid thing and a great thing to do. But there's some cultural differences and I was making kind of that point in a little bit of a funny way, to me at least. It's good. Yeah, look, look, digital forensics, look, we're gonna...

Speaker 1:

We're gonna be wearing 511s, 5.11 boots, a polo shirt, okay, and a tactical belt, of course, with our pockets, and what else?

Speaker 2:

It's almost time for you to share that meme with the Halloween costume.

Speaker 1:

Oh, that's coming soon. That's coming next week. It's that time of the year, yep.

Speaker 2:

Definitely.

Speaker 1:

Peter's in the chat. Peter's a good friend from California. So yeah, it's a good meme. I appreciate that. You appreciate it, my friend.

Speaker 2:

All right, that's all I've got.

Speaker 1:

You're awesome as always. Thank you for pretty much driving us home today, so I appreciate it tons. Thank you. We're going to be out of action in regards to, here in my area of responsibility, for the conference, but we should be able to have the next episode at the scheduled time. We should. Alright, awesome. Alright, folks, then I have nothing else for the good of the order this time. I have nothing else either.

Speaker 2:

Thank you very much, everybody, for listening. Thank you so much.

Speaker 1:

We'll be seeing each other in a couple of weeks and, uh, take care and be cool, be a geek, be part of the Geek Squad. Have a good night. Yeah, good night, there we go. Geek Squad, definitely. Have a good night, there we go.
