Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
iOS 18’s Inactivity Reboots Explained: AFU to BFU Transitions with Chris Vance from Magnet Forensics
Join us on the Digital Forensics Now podcast as we explore the details of the iOS 18 inactivity reboot issue with mobile forensics expert Christopher Vance from Magnet Forensics. Chris traces the origins of this challenge back to iOS 17 and explains how unified logs play a key role in diagnosing these system memory resets. This episode is packed with valuable insights for anyone interested in the inner workings of iOS devices and the unique considerations they present in digital forensics.
We also discuss device security and data preservation, focusing on iOS devices. Examining the balance between law enforcement’s need for data access and Apple’s privacy measures, we highlight the importance of extracting the data from devices quickly to prevent data loss. Our conversation covers the legal complexities, jurisdictional nuances, and the demand for data preservation tools to address these challenges effectively.
We explore recent developments in mobile technology, specifically Android 15's "Private Space" feature and how it will affect the digital forensic community's workflow.
With insights from industry experts, this episode is full of essential updates tailored for digital forensics professionals looking to stay current.
Notes:
iOS Devices Rebooting
https://www.magnetforensics.com/blog/understanding-the-security-impacts-of-ios-18s-inactivity-reboot/
5 iOS forensics evidence sources to capture before they expire
https://www.magnetforensics.com/blog/ios-forensics-evidence-sources-to-capture-before-they-expire
Mac and iOS Forensic Analysis and Incident Response Poster
https://www.sans.org/posters/macos-ios-forensic-analysis/
Welcome to the Digital Forensics Now podcast. Today is Thursday, November 14, 2024. My name is Alexis Brignoni, aka Briggs. I'm accompanied by my co-host and before I tell you my co-host, I want to take the overlay so I can see your face, my co-host. The justified tool grumbler, the organizer queen, the hardest working squirrel east of the Mississippi, the one and only Heather Charpentier.
Speaker 2:Oh, my God the one and only Heather Charpentier.
Speaker 1:Oh my God. The music is hired up by Shane Ivers and can be found at silvermansound.com. Heather, Heather, Heather, hello, see this. Abrupt endings. I hate it. Obviously you know why. I had all these little monikers for you this week.
Speaker 2:I do. A few other people do too, but I definitely understand the organizer queen especially. Thank you. Thank you for that wonderful introduction.
Speaker 1:Well, today is a really special day and I'm glad I'm seeing some folks already coming in from YouTube, and so if you can leave some comments, say hi, we got a special show today, so we're going to really get to it. Actually, you know what? Yeah, I think we should get to it.
Speaker 2:Um, let's do it.
Speaker 1:Yeah, let's do it. So we have a special guest today. It's the one and only Christopher Vance, and I'll give an intro before I bring him in. I've known Chris for many years, actually. We presented some years ago at the D4 Summit, one of the D4 Summits in Austin, I would say maybe five, six years ago, and he is really well known in the community, an expert that I respect a lot as a person and, again, as an expert in what he does. Specialized in iOS when I met him, but now he specializes in also some mobile forensics. He works at Magnet Forensics, one of their resident experts there, and we brought him in to discuss the iOS 18 rebooting issue. That has been the talk of the news and talk of the town, so let me bring Chris in. Hello, Chris. Hey, everybody.
Speaker 2:Hi Chris.
Speaker 1:So we got some folks in the chat. Hi everyone. So again, Chris, I gave you an introduction, but we all know you really well. Everybody knows you, so tell us. So iOS devices are rebooting. People are losing their minds. Why is that? What's happening?
Speaker 3:Yeah, and so this is an issue that we've been tracking for kind of a while now. This has been something that I've been seeing and trying to get my head around probably for at least the last six months, maybe nine, and it wasn't really contained just to iOS 18. This is something that's been going on. There was a big delay in some of the access that we had in 17. It was just, you know, 17 was difficult. So a lot of folks were asking me hey, we got it to this phone. We saw that it was rebooted. What happened? What's going wrong? We keep seeing this and digging into it. We started looking at different things and trying to figure out what's going on.
Speaker 3:After a while, I started to notice a trend, and that's one of the big things that I do in my job right now is I look at the trends in the industry. I look at, you know, I look at what's happening with a lot of the different devices that are out there and I try to stay ahead of them as much as I possibly can, just trying to get like hey, what's the next thing that the community is going to want to know about? So I can rip that apart first. The big one has been like okay, so why is this happening? So I started to notice after a while a certain pattern, and anytime anybody would ask me I'd like pull out my best, you know, good old fashioned, like Johnny Carson impersonation, like hold an envelope to my head, let me guess: iPhone 15s, probably something like iOS 17.4 or higher, and they're like how'd you do it?
Speaker 2:You said that to me recently.
Speaker 3:Yeah, it's nothing special, it's just that's what I happened to notice, what we typically found. Now, I obviously don't have access to all of these magic devices out there. Like, it's not like I can go out there and get evidence items, but what I found from looking into anything that did reboot, it was usually a memory maintenance issue. And this is just like any computer, right, when you run too much in the process memory for too long, you are opening yourself up to potential crashes. And so what iOS does is it says, hey, you know what, process memory's been running too high for too long, we're just gonna do a nice little soft reboot.
Speaker 3:Because, if you think about it, what's really gonna happen to the end user if I reboot my device? Right, not much, right, maybe all of a sudden my contacts aren't showing up number-wise to name-wise and I just got to unlock my device. So it's kind of like a nice little safety mechanism for them. They don't have to worry about, you know, a device going into a kernel panic. They don't have to worry about anything, you know, major crashes kind of happening, and anyone that I got a hold of, even ones that I may have purposefully tried to break myself. You know, Magnet knows me, folks that know me kind of outside of Magnet. My internal title at Magnet literally is the breaker of things. So I take my job very seriously.
Speaker 3:But when, you know, even when I was trying to do this myself, I always, you know, got the same call in the unified logs: SystemMemoryReset, one word, SystemMemoryReset, and we put that on the blog that we put out yesterday, because that's typically what we saw when it was a memory maintenance issue. That's why the device rebooted. Yep. Now cut forward to iOS 18 and it was a little bit different. You know we were already, you know, we've been looking at iOS 18 a lot. I personally have. You know we do Mobile Unpacked over at Magnet, which is my web show I get to do once a month, basically just some like, hey, free stuff for the community. I try to make it no product but like, here's something that we found. 18 was my big thing recently.
Speaker 3:Digging into the artifacts, didn't see much of this one. When all the big hoopla kind of started, we dug in deeper, digging in really deep, trying to find what we could find, and I started doing my own testing and, sure enough, almost to the second, 72 hours, there it went like clockwork. So we did a bunch of testing internally. Our guys are some of the best of the best, of the best and brightest that it comes to with our internal dev team, and I could not be more proud and privileged to work with those folks. But I mean, I'm just the artifact monkey, as I call myself. I like to keep stuff apart and they tell me what it actually means. But honestly, we were able to find that. You know, confirm what a lot of folks were saying.
Speaker 3:It was added in 18.0. It was originally a seven-day timer in 18.0. They shortened it to three days, 72 hours, in 18.1. And the only thing that is going to make this timer go away is unlocking the device. It's not tied to the airplane mode or the network settings. It's not tied to the charging state. You can't put a mouse jiggler on this, right? I read that one a lot. Yeah, let's go back to the mouse jiggler days.
Speaker 1:I wish. Right, it's not a Windows box, yeah.
Speaker 3:It's not like we're waiting for it to go to sleep mode or anything, right. It's 100% tied to the lock state. So even trying something like a failed password attempt, which I never recommend, because you never know what you're going to do with that. There's a lot of things that could go wrong there, especially when you don't know how many times other people have tried a password before they've given it to you. You know, it's just one of those things that's not going to work. The only thing that's going to reset that without using some sort of tool is going to be an actual unlocking of that device. That is why, fundamentally, it's just going to change how we have to deal with iPhones.
Speaker 3:We have to treat every single iOS device now as a volatile piece of evidence, and I think that's just the way we have to look at it. I don't really think it's going to. You know it's not great, but as long as we start treating this as just another volatile piece of evidence, then we can handle that. We got three days that we know we have a timer, just like any other piece of evidence, physical or non-physical, that we have to work with. We know. You know, and not to date myself of how long I've been doing digital forensics, but when I first got into digital forensics we still had call detail records that had content. We could get text messages like the content of them.
Speaker 2:Oh, but we had to act fast, right.
Speaker 3:It was like we had 24 hours at max to get that preservation order and we knew we didn't get it. We weren't getting it. So it's kind of like that again. We know we have to move quick on these things, we have to move forward, we have to preserve that data.
Speaker 3:I think there's going to be a lot of back and forth kind of arguments legal-wise with this. I think it's going to bring up some good debates over what is seizure, what is search. I've got my own opinions about this. Some might say I'm wrong, I frequently am, but you know I've got my own opinions about, hey, imaging the device. Imaging the device, I would, you know, kind of put this the same way as I am seizing a physical device to keep somebody from tampering with it. I'm seizing an image to keep the device from tampering with it. You know, I'm not searching it. Jurisdictions aren't always going to see it that way. So I'm in good old Fourth Circuit. It's going to be very different from Ninth Circuit, going to be very different from the federal system, going to be very different from, you know, international courts.
Speaker 1:So you know I can't speak for all of that and I'm sure it's going to bring some awesome debates as we go along with this. And let me ask you this, Chris, because I mean part of that is the whole access to content, right, because you're saying I'm preserving, therefore I'm accessing content, and most tools when they preserve, that's not preserved. Let me say that. When you start, even when you unlock it with a tool, right, even if you don't do the extraction, it's going to tell you what the IMEI is, who the possible account is. I mean, do you think vendors will have to say, look, let's give users like a preservation mode where not even that is shown, right? Because I could see some jurisdictions saying, well, you got the IMEI, you got identifiers for the account numbers, search. So I think, maybe, what do you think? Maybe vendors should maybe think about providing, like, this preservation piece that doesn't show you absolutely anything, maybe an ID indicator of preservation that's not tied to anything on the device. I don't know if that makes sense to you.
Speaker 3:Yeah, no, I think there's. I think there's a couple of different ways to look at it. We've had some very lively internal discussions already since this has kicked off and I can't really say too much here. But we have a plan moving forward on how we're going to deal with it and how we're going to handle it. But I think vendors will probably approach this differently. Some might opt for a system where they do a collection with absolutely zero display to the user and just say, hey, it's here, but you know, the moment that you touch it we're going to log that you touched it, kind of thing. Like with an audit trail, which I'm not opposed to because I love logs. I spend all day in logs, that's what I do. But at the same time, you know some have talked about well, what if the tool were to encrypt this file and you know the decryption key would have to be used, and then that makes a record of the fact that the decryption key was generated? You know, I think there's a lot of different ways the vendors can tackle it. I think that we will have to understand as a community and I'm going to say this as someone who works for a vendor that's not going to happen overnight.
Speaker 3:Backlogs are a thing, and I did not learn this. I used to be, you know, I went from being an analyst to being a trainer for Magnet and some other vendors, to then suddenly working in product management and internal development stuff, and boy did I not realize how big backlog was a thing for them too. I mean, backlog is a dirty word everywhere. But like we can't just go and like say, hey, forget everything that we've been talking about doing and now we got to do this. I think vendors are going to have to do some different things. Vendors might have to change things and laws are going to change the way we do things. But it's going to take a little time and I think that we're just kind of in a bit of a wait and see moment with that and just kind of see how the community reacts.
Speaker 1:Yeah, go ahead.
Speaker 2:For now, though, so we don't always have access immediately to these devices that are potentially going to be rebooting within 72 hours. Can you share anything about what the plans are to help that to stop happening? No, okay, but there are plans in the works.
Speaker 3:I hear all over the place, so I guess watch for it. What I can say is, you know, we always have best intentions and plans to provide the best access day one. But you know it's a cat and mouse game and it always will be. But the best I can say is, the moment that you get, anybody can get their hands on one of these devices, you've got to move forward with preservation or capturing it or whatever that's going to end up looking like for whatever tool you're using. If you're in a space where you have the passcode, you have consent, you know you're not going to be in that situation.
Speaker 3:This is going to be for devices where and that's a big thing we've had a lot of people wondering like how is it going to impact in the corporate system or how's it going to? It's really only going to impact where you have a non-compliant device, someone who's unable to give up the passcode or unwilling to give up the passcode, and you have to gain lawful access to that device without the consenting keys. And that's really where it's going to be an issue, and I think that's just the one thing that we're just going to have to kind of see where it goes. It's going to be a cat and mouse game for sure, but that's what keeps us on our toes.
Speaker 1:No, go ahead. No, go ahead, just real quick. I mean, yeah, just real quick. You mentioned how and I do appreciate the background, you, because you're mentioning how memory gets filled and for the vendor I say vendor in the sense of providers like Apple right, it's good for them to invite the device to restart, let's say when the person's sleeping or not using it, because then the user doesn't see the product not working correctly the degradation of the product, right. And I appreciate you saying that and tell me what you think about the next thing I'm going to say I've seen some folks, especially in my law enforcement circle, saying, well, apple did this just to mess with us. And my first take is, well, they owe it to their clients, and I think what you said kind of feeds into that. This might be more of a feature for better, for kind of cleaning that memory out, for the system works better, more than just trying to thwart anything as a security measure. I would say. I mean, I guess we can't read Apple's mind, but what are your thoughts on that?
Speaker 3:Yeah, and we can't read Apple's mind. I mean, like, if you and you'll appreciate, this is one of my green bubble friends but if we take a look at the Android ecosystem, I mean some of the Android devices have been doing this for a while. Yeah, sure, graphene has been doing this for a long time. Obviously, graphene is security focused but at the same time, you know, we have, in iOS, never really had that issue before, but we've never had all of the things running on the iPhone that we've quite had at this level before. It has been very interesting for me to watch all of the things that are running on a locked iPhone throughout this process. And a lot of folks say, you know, like there can't be that much going on right, there can't be that much happening on a device that's just locked in an airplane mode and you know there's a lot going on. Like you hook one of these things up and you watch stream and I'm not talking about high level, you know, hooking into the device, just streaming the unified logs. It's insane how many processes are running, how many things are happening in the background. There's a lot more than you think and Apple does have a responsibility to their customers, especially as their customers, more and more, are in different sectors. They're in the governments all over the world being used. They're in private industry all over the world. They're in the militaries all over the world and, being in that space, they want to make sure their devices are well protected. They want to make sure their devices are well protected against different kinds of attacks and one of the best ways to clear out, you know, bad stuff is to reboot your device. You know, and so I think Apple doing this do.
Speaker 3:I think it was a security measure. Potentially. Apple hasn't updated the security document guide yet, as I said in the blog that I wrote that went out. You know, it's been a couple of months but they still haven't put it out yet. So, you know, probably around January, February we might get one, but I think, in my personal opinion, it was probably a security measure. Was it specifically to mess with the digital forensics industry? No. This is a service to the overall end user, to protect the overall end user's privacy, to protect the overall end user's general experience, because the more that an end user's device just has problems, they're not going to like it. It's an inactivity timer, so it's not like it's just going to happen overnight to the same point. It also does make me, maybe I'm just projecting, but I feel a little hurt by it. Apple, come on. But at the end of it, it probably was a security measure for the general user. I mean, Apple has said for years they're the privacy phone and that's been their position for a long time.
Speaker 1:No, that makes absolute sense. Go ahead, heather, you had a question.
Speaker 2:No, actually you already talked about it.
Speaker 1:Oh, okay, perfect. No, so I guess the last point I would like to make is, so you mentioned about treating devices, right, as volatile. Right, and we kind of knew this because, like KnowledgeC, you know, every day you miss, you miss data, or the biomes now, but like we never, like we say it, but people leave it there for a few days and they don't mind about it, but now they lose the access, right. So any best practices you can share right now in regards to that, or are we just stuck with having to hopefully unlock it and go from there? I mean, what's your state of play right now?
Speaker 3:Honestly, my best practices haven't changed at all. I've said the same thing since I was back in training and I helped to develop some of the original mobile classes for Magnet. You know, same thing I've been preaching for years is, as soon as that device comes into your possession, image it. I don't care if you have 1,700 cases in the backlog ahead of it, that's fine. Image it today, not six months from now, not six weeks from now, not six days from now. Today. Get it imaged as soon as you possibly can once it comes in the lab.
Speaker 3:And a lot of folks ask me why. A few years ago, and I haven't updated it in a long time, and shame on me, been a little busy, but I wrote a bit of a guide on the volatility of iOS data and I looked at data across the iOS file system and I measured how volatile is this data. Some of the artifacts that we know and love, 24 hours, like some of the records and some of the databases, you're only getting the last 24 hours' worth of, right? PowerLog, one of my personal favorites, you know. I mean, as Alexis said, we did a SANS presentation years ago. He could not get me to shut up about the PowerLog database back then. Right, and that thing, 14 days. You know, that's half of what we get in KnowledgeC or the, you know, SEGBs, because we probably should call them SEGBs and not biomes.
Speaker 1:Thank you. Thank you, Chris.
Speaker 2:You just made his night.
Speaker 3:I take my own part of that responsibility for all the blogs that I wrote on them, because we as a community are not the most imaginative bunch when it comes to naming. Hey, what do we call it? It's in a folder called biomes. That's a good idea. But we got 28 to 30 days, whatever you want to say there. PowerLogs were 14. Some of those records are 24 hours. We've got cache locations at seven days. Yeah, why wait? What's the harm in imaging now, if you have legal jurisdiction, if you have the authority to search that device? Why wait? You are not gaining any new data by waiting and you only are opening yourself up to the potential for less data.
Speaker 3:Yep, the data is not like that image. If I take that image today, it's not going to change. In six months, when I finally get around to analyzing the case, that image is still going to be the same. And I know it's still going to be the same because I'm going to have all the right hash values versus if I just take the phone. Well, now I don't really know what I could have missed. So my opinion is unchanged from. I mean, like to me. Yeah, this is a thing we have to deal with, but I don't see it as a doom and gloom, I see it as just proving my point get the device, get it imaged. Get it imaged, yes, definitely.
Speaker 1:Definitely. I mean, Chris, we appreciate you taking the time to speak with us and speak to the community about this issue. That's been like a really, really hot button relevant thing. So we appreciate you for coming on and we're going to bring you next time for other things, if you let us. Exactly. Definitely. All right, I appreciate it, man. Again, thank you for the SEGB thing. I'm going to mention more about that later.
Speaker 2:Yeah, and anybody listening will share that blog post that Chris wrote. We'll share that in the show notes. Thank you so much, Chris.
Speaker 1:All right, awesome.
Speaker 2:So that was, yeah, you heard it from the source what we should be doing with these phones. We should stop freaking out, because everybody's freaking out.
Speaker 1:I was freaking out.
Speaker 2:Yes, and just do what we all say we should do, and do it faster.
Speaker 1:Yeah, I mean, and it goes with that, due diligence, right, look, if actually I think we should get into the topic, right, chris was mentioning really clearly about, well, data preservation, right, what's the deal with that? And it depends, he said, on the state, literally where you live or where you are working, right, and the jurisdiction that you're working right. So I mean, what do we have on that? I mean, what are the different practices that you come around?
Speaker 2:I mean, so the question is, should we be able to extract the data? A lot of people actually have been mentioning it on LinkedIn. Should we be able to extract the data before legal authority to search the data is signed, is approved by a court, by a judge? And I think Jessica Hyde actually has a post on her LinkedIn right now where there's a back and forth between a lot of people in the community talking about the pros, the cons, what they think is going to happen in the future with this, but there's some comments on there that I thought were worth sharing. Let me grab those. Absolutely. So, Chris. I grabbed one of Chris Vance's.
Speaker 2:He equates it to taking the physical device so it can't be tampered with. We're simply taking the data so it can't be tampered with. He said that on Jessica's post and he just said it in his talk a minute ago. There's also talk about how most judges don't understand data. Superior courts generate a decision without comprehending what they're deciding on. This then trickles to the lower courts, who generate decisions without comprehending what the other judges who didn't comprehend generated decisions on, and we look like deer in the headlights while these decisions are made because of how inaccurate those decisions are. Tom Lilienthal wrote that.
Speaker 1:I thought that was an excellent fact about the knowledge. I think that speaks to the fact that we're depending a lot on case law, right. At least from my perspective, the ideal scenario is to have whatever lawmakers from that jurisdiction say you're allowed to do these things, you're not allowed to do these things, and have proper codification of what that is. But we don't, right. So we depend on the case law. Like he was saying, a judge's case on back case law, and then other judges depend on that case law and then it gets propagated, and, like you were saying, I think that speaks to the technical expertise of the judges but also the person explaining it to them. Let me bring Brett, because Brett is in the chat. Brett is great. He says, well, how about exigent circumstances? Right, and that's a tough one, right, because you could say, well, if I don't preserve this, I'm going to lose it. That's an exigent circumstance. But in that jurisdiction, what does exigent circumstance mean? In some jurisdictions it might mean, like, the loss of data is not an exigent circumstance. In a jurisdiction, maybe it's just the loss of life or something of the sort, right, or maybe some, if we don't get this data, you know, there's a time bomb, right, something ticking, or we got a kidnapped person, right, and again, that's a good point, it's not going to be wrong. Can we maybe build some case law around considering the loss of data as an exigent circumstance? That's a good point, I mean. I think it's a good argument as well.
Speaker 1:Also, there's counter arguments on how do we do that. I'm going to give my opinion real quick, because that's what I do here. Go for it. Yeah, I think one way of threading that needle between case law and preserving and seizing because now we're making this distinction in the digital realm, like Jess was saying in the chat, that preservation is not search, right, that seizure, actually we can even separate it further. You got seizure, I got the thing, the physical thing, then the concepts I preserve, and then I have to look, I look into them, right. So there's different aspects there and sometimes I believe the law is not really clear and what the interplay is on that.
Speaker 1:So one way of threading the needle, I think, and I mentioned it with Chris, is maybe the tools need to give us some way of preserving, blindly preserving data, right. Put that blindfold in front of us and saying we got the data and, yes, we got it. I don't know what it is. I have no way of knowing what it is, because I don't think courts want to just trust blindly. They'd rather have us be blind than they trust blind, which I guess kind of makes some sense in a certain way, right? Yeah, and if toolmakers, I believe, and this is an opinion, again, I don't, oh, we haven't said it, we have to say it: any opinions expressed by Heather or myself, they're only talking about ourselves as examiners in the community and do not represent the opinions, beliefs or practices of our employers.
Speaker 1:They have nothing to do with them, okay. So back to the comment. If vendors go about doing that, then I think that pre-results a lot, because we, as examiners, we can deal with looking at the data, but the extraction of the data, that's a thing that we can outsource to vendors for many reasons that are obvious, right, in regards to being able to preserve the access and other things and the research that goes into it and so forth. So I don't know, maybe vendors should start thinking of, hey, let's create something like a preservation mode, maybe, right? Not just extraction and parsing, maybe preservation under extraction and then regular extraction and then your parsing as part of the workflow that needs to happen in order to kind of create good case law, I think.
Speaker 2:Right, yeah, it all has to start with the case law. So I'm going to cite a case, actually Riley v California. This just shows how kind of out of touch people are about digital evidence. But they held in Riley v California and it's not the entirety of this case, but they held that police officers have the ability to preserve evidence while waiting a search warrant by disconnecting the phone from the network and placing it in a Faraday bag. So that just doesn't work anymore with mobile devices. That's not preserving anything and I think that's probably still the understanding of a lot of people who just who are making the decisions, who just aren't aware of how digital evidence works.
Speaker 1:Well, I mean.
Speaker 1:I think it speaks to the threat scenario of somebody remoting into the phone, right, and deleting things.
Speaker 1:Oh, that for sure, yeah, that's the mentality behind it, which, again, it's a mentality that's valid, but it's also really dated, right, because now we know, especially with the newer say newer phones, right, that the destruction process, not so much somebody coming in which could happen, it's the phone itself, like Chris was saying, the normal operations of the phone. There's so much things going on, right. So now we have to take into account a non-malicious actor here, which is the phone itself, right. And how do we update that across all the stakeholders? That's a tall order. So I think tooling that does some of that for us can help, but that doesn't substitute, again, us being able as a community, to explain to the stakeholders what the deal is, how this actually operates, and giving the proper arguments for being able to allow what we now believe we should push, which is that seizure, that preservation and that search. And I appreciate that. Jess kindly put it in the chat as a good summary yeah, perfect, yeah, so that's a good thing.
Speaker 2:I think she definitely started a big conversation on LinkedIn. So if people have different opinions or are seeing different things in their jurisdictions, join that conversation in the comments on her LinkedIn post, on Jessica Hyde's LinkedIn post, because there's already some great ideas and kind of like back and forth in the comments.
Speaker 1:Oh yeah, the best thing about the show is, if you're listening to the podcast later, watching the video later. Well, watching the video, you'll see the comments, but if you're listening only, you're going to miss the experts we have in the chat. We have the most. Oh yeah, I think this is the most expert-packed hour you will ever come across on digital forensics, and I'm not kidding, I'm not exaggerating here. Like right now in the chat, you got Brett giving some other scenarios, like legal scenarios. Let's imagine a suspect that goes into a house, searching a suspect without a warrant, right? So, and that's the whole point about case law, right, there's a lot of quote-unquote exceptions or circumstances.
Speaker 1:Now, how do those relate to our digital realm? And we're living in the moment that those are being made, so always take time to think, reach out to folks that have been around longer, like a Jess, like a Brett, like a Heather, right here, right? And because you want to make sure that whenever you talk to your prosecutors or your stakeholders, you're giving your best explanation, your best argument, because we depend on you to actually push forward good case law, right, that your judges and your jury, not juries, but your judges and the people responsible give you good procedures, good case law that makes everybody's work more efficient, better, faster and brings justice, you know, with speed, if that makes sense.
Speaker 2:Yeah, and let's face it, nobody wants their name on the bad case law. So make sure you're researching and have those good explanations on why it's necessary. I think there's plenty of explanation on why it's necessary to preserve that data. It just needs to be paid to the people that make the decisions in a competent manner so that we can get this moving.
Speaker 1:Absolutely, and again, from all aspects. One last thing I want to say here is that SWGDE is coming out with some protocols and best practices on the preservation feature of digital mobile items, and if you're not familiar with this group, we're talking about experts that come together and meet multiple times a year to be at the forefront of technology and how that will impact law and our work that we do. So I highly recommend folks to follow their products and their meetings. I wish, one day I will go to a meeting. I gotta go too.
Speaker 1:As soon as it's back over on the East Coast, I'm going. Yeah, look, I might pay my own way because, yeah. So it's really good to follow, so it's highly, highly recommended. So you got any other thoughts on the topic?
Speaker 2:Oh, go ahead. Yeah, no, just Jessica said there's some thoughts that oppose the idea of preserving the evidence without having the proper legal authority in place, and I was reading some of those today. Definitely go check them out. There's some really good points on opposition to it and really good points on support for it. So definitely, definitely check those out.
Speaker 1:Yeah, absolutely, absolutely so. And again, developments, I mean we talked pretty much the first half hour about developments in iOS, right? But I think we should take some time to talk a little bit about some developments in Android 15, which came out, at least I got the update maybe a few days ago, right, so it's pretty recent. So what do we got on Android? So, you know, we don't feel left out in the show. Yeah, let's add some Android.
Speaker 2:So I specifically was taking a look at an Android 15 update called Private Space. So if you haven't heard of Private Space yet, it's in the Android, I'm gonna actually pull up. I did a little PowerPoint to show how it works, so let me find that real quick.
Speaker 1:That update is rolling out for everybody pretty soon, if you don't have it already.
Speaker 2:So yeah, so I immediately had to go test it and check it out. But now in the Android, under Settings, Security and Privacy, there's a new area under Privacy called Private Space. It says it'll keep private apps locked and hidden. To set that up, you just click on the Private Space and go through the steps to set it up. It tells you all about what that is, how it hides and locks your private apps in a separate space, and it has its own dedicated Google account for extra security. So you can set it to your Google account you already have, but you can also set it to a brand new Google account when you do the setup. So I set the Private Space up on my test phone and created a new Gmail account for the Google account, set it up, created a password, and then it creates the new Private Space. Once you create the new Private Space, it asks you how you want to lock your Private Space.
Speaker 2:The options are pattern with fingerprint, PIN with fingerprint or password with fingerprint, and one thing I thought it was going to do is just grab the fingerprint that I use on my device already, and it didn't. It had me set up an entirely new fingerprint, so that Private Space could be locked with the fingerprint of a different user, if you wanted to do that. It doesn't draw from your original user account. I set mine up with a pattern and the fingerprint, okay, and it says all set. When you're done, then to locate your Private Space, you go to the app screen and scroll all the way to the bottom of all of the installed apps that are on your Android device. At the bottom there's just a little spot that says Private with a lock. You touch that lock and the fingerprint unlock will pop up. You can also choose to use the pattern lock if you want to, and then you have your own Private Space. It comes pre-installed with Camera, Chrome, Contacts, Files, Photos, Pixel Buds, because mine's a Pixel, and the Play Store. I installed Snapchat on this particular device, but then I also put it on another device and installed a few more apps just to check it out.
Speaker 2:In the settings of the Private Space, you also have some options to change that lock. You can change the options on how it locks, so I have mine set to, every time my device locks, that Private Space locks, but you can set it to other options where it doesn't lock, it remains open when your device is open. There's the option to hide the Private Space. I didn't try that because I didn't want to see if it disappeared on me. I didn't want to have to try and figure out how to find it and then be scrambling for my explanation here. But I will try it. And then you can delete the Private Space. I extracted my phone afterwards. I have not had a ton of time to mess around with the artifacts that are stored there. But it comes in as a whole separate user account under data/user and then whatever number it assigns the user account, in my book. Go ahead.
Speaker 1:No, no, I was going to say, and folks that are not listening, this is a great image that Heather puts up, because you can see those user directories, both user and user_de, and you can see the two accounts, and if you're familiar with Android forensics, the zero tends to be that main user, right, and then you see 10. And this kind of makes sense because, as Heather said a second ago, you can set up a new Google account. You have to set new fingerprints. You have a whole set of apps, a copy, but another set of apps in the space. So this is literally creating another user to enable this ability. Right, and this is something that was predicted.
Speaker 1:Some folks figured it out, maybe a year, more than a year ago, by looking at some of the code base that's being pushed out by Google in Android, right, how they're using that, that second, like an extra user for these purposes. But this is not the first time we've seen this, right? I think we saw it on Samsung's first, I think, right, the Secure Folder. Yeah, so if you're familiar with Secure Folder, what, 150, I think, right?
Speaker 2:Yeah, 150.
Speaker 1:Yeah, user 150 on your Samsung device, that's a Secure Folder. The moment you see that there, you know a Secure Folder is sitting there on that phone. So I think it's more like an implementation, like Google's implementation of, maybe, stuff that Samsung has been doing for a while now.
Speaker 2:Yeah, oh, definitely. So this set up on one of my devices as user account 10. And then the other one, it set it up as user account 11. I'm not quite sure what the difference was there, like if I had something else installed on one of the phones, but I have a 10 and 11 on each phone. And then in, like, parsing the data with some of the tools that we all love and use, some of this stuff is parsed. If you have access, obviously, when you do the extraction, if you have access to that Private Space, a tool that will pull the data and bypass that lock.
Speaker 2:Some of it's parsed. Installed applications are parsed for the Private Space account. I found some of my chat messages, so I had TextMe installed on one of my devices, and when I pulled it, the TextMe messages were there, and you can differentiate where that app was residing just based on the path. That 10 or 11 user account will be in the path versus the original path for the zero user.
Speaker 2:I did notice that some stuff wasn't parsed exactly perfect. With the installed applications, on some tools I was getting just the installed applications from the new Private Space account and I wasn't seeing the data surrounding the installed applications for the original user account. And then on some tools I saw more data than others, just parsing, which is to be expected in between tools. But, good news, there were updates made to ALEAPP by someone I know to account for the additional user account and the installed applications that reside in the Private Space.
Speaker 1:Yeah, whoever that was, I don't like him, I think he's yeah, I don't either. He's full of himself.
Speaker 2:He's sketchy, but it's a really cool app to check out, or account to check out, on your test phones. Try that out, see if it'll even extract. I mean, you have to have access, so you'd have to have access to unlock the device and unlock the Private Space to be able to pull that data for now, until we have brute force options for Android 15. But definitely a lot of cool stuff to check out and see how that works, and contribute back to the community with your findings.
Speaker 1:Yeah, and please, I mean, if you're dealing with a Samsung, I'm sorry, an Android 15 device, no matter what it is, right, and you have multiple extraction tools, try them all, right, because in our experience, a particular workflow might give you some of that Private Space data and another workflow, even within the same tools, might not, and I cannot pinpoint why. That is because you got to remember that some of these extraction methods, they're abstractions to us. They tell you press here to get this, and that's it. We don't see the inner workings of it. So my recommendation is try different workflows between tools and different workflows within the one tool that you're using. All right, because you might get more data from the Private Space in one workflow than you will get from another one.
Speaker 2:Right. Right, there's a question: do you have to unlock the Private Space using the passcode or fingerprint prior to acquisition? I have found that yes, for now, but, like I said, when there's those brute force options added to tools, whatever your tool of choice is, it should be able to additionally brute force that Private Space, is my understanding. Hopefully I'm correct about that. We'll see in the future when there's brute force support for the Android 15s.
Speaker 1:Yeah, and again that speaks to also what process will we use for this right? And there's a lot of variability there. Maybe we can get to the phone and it's fingerprint. Can we get a court order to compel the fingerprint from a suspect? Like again, it all builds up. It's like another level more than now we have to go through, and the first thing we need to do to go through these levels is know that they're there. That's why we're putting this out in the community, so you're all aware of what different issues might come.
Speaker 1:If you're finding Android 15s and you're expecting something to be on the phone and it's not there, well, think about it. It might be inside a Private Space. How do we go about it? How do we go about unlocking that? Maybe in our interview procedures, add that as an investigator. Say, hey, yeah, what's your PIN code, right? What's the Private Space? What do you mean about? Well, you know what I'm talking about, and also kind of elicit that information in our interviews or interrogation techniques. I mean, the knowledge needs to be out there. So then investigators, detectives and examiners and even prosecutors can adjust, and the civil world as well, for discovery procedures and civil litigation, can adjust to this new technology that's coming out.
Speaker 2:Right, definitely. Well, that's what I have on Android 15 so far. I'm looking forward to looking for other things to test and present, but so far that's what I've started with.
Speaker 1:Oh no, and it's good stuff, this whole having multiple users that are tied to the one user. That speaks also to provenance. Right, we have multiple user accounts here. Are they tied to a Private Space? Are they tied to a Secure Folder? Are they tied to an actual other user? Right, we need to make sure that our tools differentiate between those and give us the proper information. I don't want only the history of installed apps for my main user. What about user 10? What about user 11? Right, our tools need to respond to that, and right now, some of them don't. And even the community tooling like ALEAPP, we had to scramble, right. Yeah, Jessica, Heather, I'm reading Jessica now. Heather told me about it and we jumped on it just to make sure that we can provide that support.
Speaker 2:So that's something to be on the lookout for. Well, and have it done before we presented this tonight.
Speaker 1:Definitely. Of course, make it all look sensible and look good.
Speaker 2:Yeah, definitely, definitely, but yeah, so if anybody has additional things they're seeing in Android 15, write to me. I would love to hear about it and I'll do some testing. I love testing stuff, so I'll do some testing for you, if you don't have the devices or don't have the time or capability at the moment to do it.
Speaker 1:And if you're wondering how do I get rid of these, get a hold of these nice people that are talking to me here on this podcast, there's two main ways. Right, you can go and look for our LinkedIn presence, Digital Forensics Now podcast, and search us there. Or you can go to Bluesky. Heather, Bluesky. No, it's like it's a kind of a Twitter-like social media site. Now go to Bluesky and also look for Digital Forensics Now podcast there. Before Heather jumps on my whole Bluesky comment, I want to say that we are trying to get examiners into Bluesky because I believe it's a good method of kind of short, quick communication, established conversations that other platforms are kind of cumbersome or are full of junk. In a sense, I'm hoping we can create the Twitter experience of seven, eight years ago within Bluesky. So I see a lot of good people moving in. It has a lot of momentum.
Speaker 1:The moderation tools in Bluesky are fantastic, so at least we can keep some of that vitriol of other social media out of it. So I highly recommend folks that are listening to get a Bluesky account so they can participate, be part of the conversation. I have a, it's called a starter pack. Look for abrignoni.bsky.social and hit my starter pack. If you hit the starter pack you can follow, I think, maybe 15, 20 of the best Bluesky accounts so far, and I'll keep adding more. So you can kind of start with a group, a good group of people to follow from the get-go, again in Bluesky. Heather, Bluesky. So he keeps enunciating Bluesky like that, because I think it sounds better as blue ski.
Speaker 1:No, look, I mean, another. You're embarrassing yourself in front of a thousand people. That's not like brewski, like you're drinking some beer. Bluesky doesn't sound like brewski.
Speaker 2:You can meet up with your friends, have a brewski while you're on blue ski. Oh my goodness, I don't know. I'm just saying, in the brewski.
Speaker 1:I know that Kevin Pagano agrees with me to have a brewski on the blue ski, right? I know he's in there. You better not make a sticker about brewski and blue ski, because I think we're gonna have to have one. I will disown you both. See, there you go now.
Speaker 2:Kevin showed up, see, brewski and blue ski. Oh my goodness.
Speaker 1:Anyways, Bluesky, that's what is happening right now. So everybody go over, get my starter pack in my account and let's keep conversing, okay? I agree. I do like the app, though, it's good.
Speaker 1:It's good. Yeah, it's kind of glitchy lately because a lot of people are jumping in, millions of people at the same time, but let's stick with it, I think. I think it's the future of the social space, short-form social space, because it's not really a site, it's more of a protocol. But that's a discussion for another day. How much time do we have, Heather? What should we cover? Should we start winding down now? Should we cover one more thing? I mean, we're gonna show the.
Speaker 2:We're gonna show the SANS poster, because those SANS posters are just so helpful to everyone. But this will only take me a minute, so let me throw.
Speaker 1:While you look at that, I'm going to give people a preview for next show. I want to tell you straight up, I wanted to show how the FTK Imager version that they pulled out, I mean pushed and then pulled back, how it worked with BitLocker. So I want to show that, but I think it's going to be an anchor for next episode. For next episode, if you're wondering how FTK Imager is going to be working with BitLocker, we're going to kind of show you that as a preview of their future releases that they hopefully don't pull back later. Yeah, all right, let's talk about this poster. What do we have here?
Speaker 2:So we have a Mac and iOS forensic analysis and incident response poster created by Kathryn Hedley and Sarah Edwards. It includes locations of artifacts and explanations for artifacts in iOS and Mac. Let me just give a quick rundown of what we're seeing on the poster: native applications, network information, file and folder sharing, program execution, application usage, connected and paired devices and backups, application data, deleted files and file knowledge, file and folder opening, account usage, system and user information, acquiring and mounting images, volumes and external device and USB usage and log files, and much more. So if you have not made an account on SANS, make your account and go into, I think it's the resources tab, but it's something like that, the resources tab, and find the SANS posters. There are tons of these, not just for Mac and iOS, for all different kinds of things in forensics, and go grab these posters because they're awesome.
Speaker 1:Yeah, and I appreciate that Chris was saying that the biome directory that contains SEGB files, it should not be called biome, it should be called SEGB, and I agree with him.
Speaker 1:And for post-op, what is this guy talking about? So some time ago, when KnowledgeC in iOS devices started, the data disappearing, it popped up in this biome directory in some files that we've never seen before, and, based on research done by John Hyla, by Geraldine Blay and some others in the community, and me kind of attached to them, we figured out how it's parsed, and they have this header called SEGB, S-E-G-B, right, and I believe they should be called SEGB, right, because there's SEGB files outside of the biome, right. And the example I was giving Heather is, like, you know, shared_prefs folders. When you look at an Android app, right, those always have XMLs. We don't call them shared_prefs files, we call them XML files because that's the file type, and biome is not a file type. But, you know, it's okay to agree to disagree with how they're named, but I like the fact that Chris is on my side that maybe we should name them something else, especially since it's his fault.
Speaker 2:He's the one that at the beginning made a whole bunch of, yeah, articles about it. It was so easy to do because that's the first place we saw them, and we didn't know they were everywhere else. But yeah, you're right, we should adapt with the changing times, now that we see them all over the devices. Exactly, so I want to make that point again.
Speaker 1:The poster is fine. It says biome, but everybody says biome. But, little by little, I'm gonna try to have people call it SEGBs instead of biomes.
Speaker 2:Yeah, what do you think? Do you have time to briefly speak about the new release for the LEAPPs?
Speaker 1:No, no, I don't have time, and the reason for that is that my zip file with it got corrupted and it's not opening, so the universe gave me a hard stop. So let me just quickly verbalize something we're making for the LEAPPs, if you use it or if this is the first time you heard about them. There is a Python framework that's used to parse different extractions from iOS, ALEAPP, different things, and we have a good group of people. Johan is in the chat, one of those group. Kevin is in the chat as well. We got James also. We got John Hyla as well, myself, Heather, a few others.
Speaker 1:We're working really hard to make sure that when you use this type of framework and your tooling, we're moving to a new type of reporting system so you don't have to depend on HTML reports that could crash your browser if it's too big. We're now using what's called LAVA to make that reporting. Today I got word that Johan, who is in the chat, and I couldn't. First of all, Johan is all the way in Europe, so I appreciate that he's listening at this time, whatever hour it is, ungodly hour where he's at, but he tested today with a million records, health records, the viewer that we're creating, and it handled it no problem, which you cannot do as an HTML report.
Speaker 1:And that will open the door for me at least. I'm the big kind of, pretty much the sole maintainer of RLEAPP for returns from providers, and if you get a return from Facebook or Meta, it's going to be HTML, right, and it will crash your browser. No doubt it will crash your browser. So now I will have a tool to be able to make the reports in LAVA format and it will not crash no matter how big it is, which I'm really excited about. What I'm going to do next week, not next week, the next show, the week after, although we have to look at the schedule, I don't know if it's.
Speaker 1:Thanksgiving, so we'll have to think about that.
Speaker 2:Figure it out.
Speaker 1:Yeah, for the next show, we're going to show you how that looks within the report directory from iLEAPP 2.0, which is out already. And then keep your lookout for the Cyber Social Hub conference. It's coming up in December, where James is going to be showing LAVA, like unveiling it to the world, like what we have so far. I mean, it's not ready for release yet, but we're gonna show people how it looks. So that's where we are with the LEAPPs and we'll give you more info on the next episode. Very good.
Speaker 1:I think we can be at the meme of the week then. Yeah, that's the best part of the show. Let me share my screen here. Johan says it's 1 am where he's at. Oh geez, that's dedication, thank you. He wakes up.
Speaker 2:Either he goes to bed really late or wakes up really early. So I scoured your LinkedIn to find one of the famous Alexis Brignoni memes.
Speaker 1:I'll let you explain it. So there's this movie that Nicolas Cage kind of plays himself, right, and the guy from The Mandalorian, he's super famous. What's his name? He's Chilean. I just missed his name. He's a great dude. So the other actor, he's playing like this drug lord and he really admires Nicolas Cage. Right, it's Nicolas Cage kind of playing himself in the movie, and he's looking at Nicolas Cage, looking at this guy like what the heck? Right, and the other guy is really smiling at him.
Speaker 1:So Nicolas Cage says: examiner waiting days for a tool to parse, you know, this kind of tired-looking face. And the other guy is really happy and it says: me already finding the main items by hand. And I did that to kind of illustrate the point that sure, we have automation to help us, but it all depends, like we say in this business, right? If you need something specific, sometimes the automation is not the first thing you should do, right, or maybe, okay, do the automation, but if you need something now, go back to your basics. Make sure you're keeping, you know, sharp, as a good sharp knife, so you can cut and get to that meat quickly. Right, I was talking with my not trainee anymore, my ex-trainee, because she got certified and she's not a full-blown examiner.
Speaker 2:Congratulations.
Speaker 1:Yeah, I'm not going to say her name because I didn't, you know, I didn't get her permission, I didn't ask her to be in the show, right? So I'm in the process of full-blown examiner and we're reviewing, for example, how to go straight, how to find in iOS devices a particular app that's not on, that's unparsed. How can I go find that straight up? I don't have to wait for the tool. Pedro Pascal, thank you, Christopher. Pedro Pascal, I love him. I'm totally in love with that guy. He can sit down and read the phone book and I will watch it. Pedro is fantastic. Anyways, back to my story.
Speaker 1:We were discussing, or kind of reviewing, how do we get to particular apps that are unparsed straight up without having to wait for the tools to tell me anything, and there's a couple of, a two-step procedure I use to make it. I cheat a little bit. I use iLEAPP for that, but most of the work is done by hand, right, and I was actually parsing, which I just finished today, I think it's TextFree or Free Text, one of those texting apps, right? That's not supported by any tool. Right now, it's by hand. That's how you do it. So, yeah, let's be more Pedro Pascal and less Nick Cage in this context. Right, let's just keep our knives, our tools, sharp and get the job done.
Speaker 2:This meme works great too with the updates. So Android 15 updated. We now have Private Space. Is everything parsed in Private Space? No, you're going to be finding the main items by hand, possibly on anything that's newly released and not yet supported by your tools, so it actually fit right into our topics for the night.
Speaker 1:Oh, absolutely, and I think it's too close. I want to share what Heather is saying. Right, there's some methodology. I said Jess, I said Heather, Jess. Now it's the opposite. I was looking at her and now looking at you and reading her, so I get it more confused. You know what happens with my kids. I call one the other's name all the time. Anyways, I digress. There's a methodology for parsing unsupported apps and we need to identify them in cases. Absolutely. One of the big things that I like to do when I'm brought in to speak in regards to parsing digital data is talking about that methodology. There are steps and there are things you, as an examiner, need to do with the skill set you've been trained with to be able to get to these data structures and successfully get the data out for our stakeholders. So let's not lose track of that, let's not keep that out of our minds, and let's keep it there. Let's do it.
Speaker 2:Agreed.
Speaker 1:Awesome.
Speaker 2:All right.
Speaker 1:Anything else for the Grow the Order header?
Speaker 2:I have nothing else, no.
Speaker 1:Well, I want to thank. First of all, I want to thank Chris for being on the show with us. I appreciate also Magnet Forensics for letting him, allowing him to talk to us in regards to the work they've been doing on this feature, and we're more than happy to, you know, different vendors, you know, reach out to us and collaborate in things to help the community. We're happy to do that. I also want to thank all the folks in the chat, all the big group of experts there, all the community that we're building. Let's go to Bluesky, or Bluesky.
Speaker 2:You said it right.
Speaker 1:Yeah.
Speaker 2:Humoring me, I'm just indulging you. There we go.
Speaker 1:Humoring is better. I'm humoring you. And thanks for all the folks in the chat and all the folks that are going to be listening later. You can reach out to us on our social media, and on our Buzzsprout page there's a little "send us a message" section that you can use and let us know your thoughts.
Speaker 2:So with that, yeah, I definitely want to just mirror your thanks to Chris. That was great. We could have explained the things in his blog, but nothing better than having the source of the blog come on and explain the artifacts and how he came to his conclusion. So thank you so much for that.
Speaker 1:Oh, absolutely, and he's such a great speaker. He's really funny but really deep in what he speaks about, so I appreciate having him here. All right, well, we don't have a date for the next show, but we'll keep it on social media. How is our comments? So we'll figure it out and we'll let you know. We'll figure it out. All right, take care. Have a good night, everybody.
Speaker 2:Thank you.