Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
Digital Forensics Now
BFU Data, Forensic Tools, and the Future of Digital Investigations
The latest episode of Digital Forensics Now kicks off with lighthearted banter about Heather's newfound fame in commercials, bringing a fun and relatable start to a tech-heavy discussion. Following the laughs, the conversation shifts to an invigorating recap of Alexis' recent experience at SANS DFIRCON, featuring interactions with digital forensics luminaries like Brian Maloney and Ian Whiffin. Ian's ArtEx tool, which cleverly maps locations for forensic investigations, also takes center stage as a highlight of the conference. The episode weaves in personal reflections, including a scenic family train ride from Orlando to Miami and the implementation of a Python artifact exercise during a teaching session.
The journey continues with a vibrant detour to the Tanganyika Wildlife Park in Kansas, where the usual birthday horseback riding tradition was replaced with unforgettable encounters like swimming with penguins, feeding giraffes, and snapping selfies with lemurs. These charming moments with nature set a refreshing tone before diving back into the tech world.
In the realm of digital forensics, the episode explores reverse engineering iOS 18, discusses the brief availability of BitLocker support in FTK Imager, and examines the evolving landscape of BFU (Before First Unlock) data extraction in law enforcement. The hosts delve deep into the complexities of digital forensics tools, translating technical data structures into accessible insights while emphasizing the importance of a strong digital evidence strategy. Topics include advancements in the LEAPP Parsers, the innovative Lava Viewer, and the latest developments in Blue Sky data structures, offering a comprehensive look at the tools shaping the field.
The episode wraps up with an open invitation for listeners to connect on social platforms, share their thoughts, and showcase innovative projects within the community, fostering a collaborative and forward-thinking space for digital forensics enthusiasts.
Notes
iOS Devices Rebooting Continuedhttps://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html
Samsung Secure Health Data Parser https://breakpointforensics.com/2024/11/06/samsung-secure-health-data-parser-a-forensic-tool-for-parsing-analyzing-samsung-secure-health-databases/
https://github.com/breakpointforensics/Samsung-Secure-Health-Data-Parser-/tree/main
Mobile Forensics Data Structures: Extracting and Analyzing Data with Free Toolshttps://www.hexordia.com/blog/mobile-forensics-data-structures
GAMEPLANS: A template for robust digital evidence strategy developmenthttps://onlinelibrary.wiley.com/doi/10.1111/1556-4029.15655Digital Evidence
Enhancing public safety using digital investigative technologieshttps://majorcitieschiefs.com/wp-content/uploads/2024/10/MCCA-Digital-Evidence-White-Paper-_-Oct-2024.pdf
Importance of BFU Partial Filesystem Extractions!https://www.linkedin.com/posts/1carl-lawrence_dfir-polcing-digitalforensics-activity-7264179600631468034-FHGh
Sumuri Gives Back 2024
https://sumuri.com/sumuri-gives-back-2024/
Welcome to the Digital Forensics Now podcast. Today is Thursday, November 21st 2024. My name is Alexis Brignoni, aka Briggs, and I'm accompanied by my co-host, the one that puts the wild in wildlife, the tester supreme, the one now better known as HC Hollywood, the one and only Heather Charpentier. The music is Hired Up by Shane Ivers and can be found at silvermansoundcom.
Speaker 2:Yes, my outro was worse than last time. Yes, the what the hc, what hc, hollywood heather, oh my god.
Speaker 1:No, no, if people don't know why I'm saying that I'm gonna show you right now oh my gosh that she is now the star of all sorts of commercials.
Speaker 2:Oh, my God.
Speaker 1:Get out of here.
Speaker 2:What is wrong with you?
Speaker 1:No, look, look at that Computer Forensic Analyst for Excellence. She's on all the TV shows. Now I expect her to be like what's that show that's going to go? It's called it's like an investigative show.
Speaker 2:Oh my God, there's some people joining us.
Speaker 1:It's great that you joined us as we're looking at Heather doing her Hollywood debut on social media.
Speaker 2:It's a lovely shot you grabbed, thank you.
Speaker 1:It's fantastic. So if you all want to see her, go to the Minded Forensics social media and look for the video where she talks. It's a great mini documentary of New York State Police and some of the work they do, which is outstanding work, and obviously they show their header. Having a few words about the work that, she does.
Speaker 2:Oh my gosh, Holly and Jeremy say law and order.
Speaker 1:Law and order. Thank you, that's the show.
Speaker 2:Yeah.
Speaker 1:See, I knew that Tuntun would for people to give us the answer there, yeah, so surprise, surprise.
Speaker 2:Sneaky, sneaky, sneaky. I didn't know you were gonna do that.
Speaker 1:Um, thank you for picking such a fabulous shot I mean, you know, I, I can only do my best oh my gosh.
Speaker 2:So what have you been up to? We just did a podcast last week, but what's new?
Speaker 1:well, um, yeah, I've been doing a whole bunch of things, so, let me, talking about sharing pictures, I'm gonna share pictures too, but of myself. So let me, um, let me share it. So what I'm gonna show you is so, this, uh, this weekend, I was, uh, I spoke at sans defer con. You can see there, uh, folks that are not, they are listening, won't see it right, but you see stickers from SANS and D4Con, and what I did there was talk about the leaps. Right, I was accompanied by my beautiful family. It's a picture of us behind the Brightline train. So we took the train from Orlando to Miami so the boys could experience it. Their face looks like emojis. That's their face.
Speaker 2:I was going their faces. Wife and kids look just like you, yeah yeah, yeah.
Speaker 1:So their emoji faces are their real faces, so it's not a mask, that's their faces. So I kid you, I kid, I kid, right, so so you can see a little video there of me going on the train. Uh, let me tell you, central florida is pretty beautiful and on you know, as you're going by the train, you see the rivers and bridges and all the good stuff. I really enjoyed the Bright Line experience. I would definitely do it again.
Speaker 2:So it was nice.
Speaker 1:And then we had that night. We got there on Friday night so I had a dinner with some of the speakers. You see Brian Maloney there on the right, ian Whiffin and Christian on the bottom on the back part and so these people, all this brainpower in that table. It was pretty amazing. I was hoping that we could maybe see the future if we put our heads together, but that did not happen.
Speaker 2:You must have come close.
Speaker 1:Well, I mean, I was the one not putting enough output there Brainpower output so I blame myself. All right, and then I ate a salad because, because I gotta eat healthy for health reasons, but I'm not gonna bore you all with that, but where's the burger that you had after that salad?
Speaker 1:I already ate all the burgers I needed to eat in the past. I guess, all right. And then, uh, I started my day, um, and I started setting the family up and all that, uh, by listening to ian whiffen. Ian whiffen explain his art x? Uh tool and if you're not familiar with it we say it a lot of times but I'm going to say it again it's a must-have tool for your examinations. It's absolutely free, it's really I love it for the location. So he maps it and gives you different ways of showing the map locations for your exhibits. It's fantastic. So art x a r t e x, so ArtEx A-R-T-E-X, and at doubleblackwithak instead of ckcom, you can get it there. So just Google EM within ArtEx and you're going to find it All right, very cool.
Speaker 1:So, and the next thing is, it's me teaching. So I've been of a double mind in this trip because I gave my spiel about the leaps and I think I was asking Heather but not our Heather here. I was asking Heather Barnhart from SANS, which we all know and love. She thought I was overreaching. Overreaching because I tried to have the class do an artifact with me and you know, I think some people knew Python, some didn't, and it was kind of a bit of a situation where some folks were totally lost and some folks were like oh, this is great, it's easy, right.
Speaker 1:So I was a little bit about two miles about it, but then I came to a conclusion, right, and my conclusion is that I believe and a little bit of a soapbox here we've got to start moving as a community to I didn't close my door properly we need to move as a community to start acquiring these skills. Look, if the only thing you do is connect the device and press a button and hit print, you're going to be automated out of a job in a matter of years, maybe less. So we got to start thinking about if things are made using code. We need to understand code, or at least not be. I'm not going to make the next iPhone, but at least know enough to be able to determine what is relevant and how to parse it out.
Speaker 1:Okay, right you need to understand how these devices works at a more deeper level. So so I was of two minds, but you know what that's gonna be my spiel moving forward? Yeah, definitely, I like this picture because it shows it's random picture here. I was at the hotel and you know hotels, you know multi-level hotels. They usually have like a fire cabinet and there will be a hose there, right, but they took the hose out and just put a extinguisher and I'm like that's not like the same thing. That's not enough.
Speaker 1:You know a little thing, and it wasn't even a big extinguisher. It's like a little extinguisher, fire extinguisher instead of having like the actual hose that you could turn on the valve and douse the fire. So I know there's a lesson there, but I will leave it for later for this question.
Speaker 2:Thankfully there was no fire.
Speaker 1:Exactly, I'd rather have the fire hose than have the little fire extinguisher. So make sure you have fire hoses, intellectual fire hoses in your brain. Start developing those. All right. Brian maloney gave me a nice coin. Uh, he does the one drive. Uh, explorer, it's a forensic tool to deal with one drives and if you have investigations that require that you need to use that tool. It's also free. It's super well documented. He did a great, a great job at it. I couldn't stay for his spiel because I had to catch the train, but he gave me a nice coin and we discussed a little bit about his tool. So that was.
Speaker 1:I was pretty, pretty satisfying and actually I got to met him, met him in person, so I loved it very nice and then they gave me a little interview. They're asking me about what I was talking. There were my really bright uh yellow shoes, as you can see down.
Speaker 2:Oh, I didn't know. You got interviewed while you were down there.
Speaker 1:You know, I got interviewed. I'm famous and also everybody else was interviewed, so it wasn't anything special that it was me, just to make it clear. It was me and everybody else. So I spoke a little bit about the tool and all that. So that's fine and that's it.
Speaker 2:Very cool. I think we're going to have to do a demo of Ian's Art X on an upcoming podcast.
Speaker 1:Hey, that's not an idea, that's not reality. We're going to do that. Yeah, definitely.
Speaker 2:It's a great tool. I've used it. I don't use it as much as I should actually, but it's a great tool and, yeah, let's show it on the next one, I'll get something put together.
Speaker 1:No, we're definitely going to do that, and by doing that I mean you.
Speaker 2:Yeah, yeah, I'll put it together.
Speaker 1:Heather is so good at the whole testing thing, you know.
Speaker 2:I'm going to put this comment up. Everybody's going to get it later. Mr Terry Tibbs is in here and says Evening DFN podcast. Talk to me.
Speaker 1:And one of our topics later is going to pull that together. Oh okay, fantastic, fantastic, we're waiting for that. Yeah, a quick shout out to kevin is in the chat. Adam is in the chat. Um my sister holly is in there hey, there we go yeah but she's the one with the cultural reference a lot of order.
Speaker 2:Thank you, holly yes, so what?
Speaker 1:what? So now that I spoke for half an hour about what I did, I want to know what, what you did. So what's going on?
Speaker 2:So I went on vacation since not last podcast, but the podcast before, and I have some pictures from my vacation. So my sister turned 25 again on October 23rd, yeah, so we did a little birthday trip and I think you've mentioned it probably 15, 20 times how much of an animal lover I am on the podcast. Well, my sister is so much more of an animal lover than I am. So we chose to go to Tanganyika Wildlife Park in Kansas.
Speaker 1:I would have never guessed that by that name that it was in Kansas.
Speaker 2:You know, I think it was in Africa, or something you know.
Speaker 2:So she loves penguins. So I Googled where can you swim with the penguins and this is the only place in the United States that comes up as a place that you can swim with the penguins. In is the only place in the united states that comes up as a place that you can swim with the penguins in kansas, yeah, in kansas. So we went to kansas. It's very, it's very flat there. It's very flat, yeah. Um. So we went and we saw all of the animals.
Speaker 2:We did a three-day all-inclusive at this park where you get to feed with the animals and interact with the animals. Um, so these are the lorikeets we were feeding and there actually was a lorikeet named um noodle that if he sat on your shoulder, if you asked him to dance, he would dance. He would like bob his head up and down. It was really cute. Um, we saw the capybaras, which are adorable. These are babies. They actually get really big. Um, but these were little babies we got to feed. Feed them. Like how big? Like I think a couple hundred pounds. They're big, it, big oh geez yeah and these are just little guys.
Speaker 2:Um, so it was so much fun. Those, I think the capybaras, were one of like close to my favorite animal at the zoo. Um, yeah, they're awesome, kevin, we got to go hang out with the owl monkey and the cavies in this picture and then we got to swim with the penguins. So they gave you a wetsuit and you actually get in with the penguins and they have little cat toys. The penguins like to swim after the cat toys. So just some pictures of us swimming with the penguins, got to feed the giraffes and had the little giraffe interaction. Oh, holly said up to 100 pounds, so I said a couple or 150 pounds for the capybaras.
Speaker 1:So like a decent, decent amount of weight. Yeah, a big animal.
Speaker 2:We interacted with the otters and the sloths and actually the sloths. What they do with them is the sloths will hold a paintbrush, so I have the pictures here and the zookeeper holds the little canvas up and the sloth paints you a picture.
Speaker 1:But he's not telling you that picture took three hours.
Speaker 2:Yeah, oh yeah, pretty much. Yeah, it was not a fast process, but I didn't care because I liked being in there with the sloths. And then this animal right here, the Okapi, is the weirdest looking thing I've ever seen. I'd never heard of it until I went to Tanganyika. It is. It just looks like a mix of a whole bunch of different animals. You can see like its butt is a zebra and its face looks more like a horse and deer combination. So it was a really cool animal and the monkeys and the rhinos we got to feed the rhinos and hang out with the rhinos and the pygmy hippo was the most adorable thing ever.
Speaker 1:um, they have. That's not the one like deng the mudeng is that? Yes, it's just like him.
Speaker 2:Oh, it's not. No, this one's name is locky, but it's just like. Just like mudeng um, and they painted pictures too. So it was a non-toxic paint they put on the nose and it comes over for treats and paints on your canvas.
Speaker 1:Oh, look at that.
Speaker 2:And then my very favorite animal at the entire place was the lemur. You got to go in with them and they sat on your lap and you got to feed them out of your hands.
Speaker 1:I bet people made the whole. I got to move and move a joke, right yeah, yeah, of course.
Speaker 2:And then we got this nice selfie with a lemur there on the one of the last days.
Speaker 1:So it was, it was he's sticking his tongue out for the folks that can't see it.
Speaker 2:So I guess, he's like it's just sticking the tongue out it was awesome, um, one of the best trips I've ever been on. We usually go horseback riding for her birthday every year, um, but this was like a once in a lifetime type of uh trip to wildlife park in kansas of all places I heard that I heard they're looking for some missing capybara.
Speaker 1:So oh yeah, it's a pure coincidence that they got. They weren't missing after you went there they're both at my sister's house.
Speaker 2:She would be the one to steal them don't tell anybody, don't tell the police so the time off was well spent. Uh, it was a great vacation well, that's, that's awesome.
Speaker 1:Thank you for sharing all your your pictures yeah adorkable. They're great um adorkable adorable.
Speaker 2:So now that we have vacations out of the way, hop into some forensics.
Speaker 1:Let's do it. Let's do it.
Speaker 2:All right. So last week we had Chris Vance on. We talked about the iOS devices that were rebooting due to inactivity. Just wanted to quickly throw up another resource to learn a little more about that. There's a blog called Reverse Engineering iOS 18 Inactivity. It is similar to Chris's blog. It has some detail, talks about where you can find those artifacts that show whether the device was rebooted and a whole bunch of other stuff about the iOS 18 too.
Speaker 1:Yeah, and something I like about the article is that it actually goes into the detail of how the author went and had to reverse engineer the processes, right, because one thing is looking at logs and what the logs show and another one is trying to look at. For example, if you want to understand some undocumented feature on whatever software, the first thing he did was he took the IPA, whatever the executable is, and you look for strings and hopefully the developers left some strings there that you can read like notes to give you an idea of what's going on. A lot of these variable names. There are things you can actually read like that makes sense. So he put together some of those. Do some testing. He had to.
Speaker 1:Some of the hiccups with it is how do you get into the software when the encryption keys are removed by Apple, right? So he went around all this rigmarole to be able to get to that data and give a detailed sense of what's going within the device and when it was added and how is it executed within the device. So I recommend everybody to read that and get familiar with it, and if this is something you find attractive, then definitely reverse engineering is for you and I believe we need more of that within the mobile forensics sphere, beyond just intrusion, intrusion detection, intrusion response. In the DF field we definitely need more reverse engineers.
Speaker 1:So, good example there.
Speaker 2:Okay, so FTK image or BitLocker. We had it for a minute. I'm going to show it.
Speaker 1:Look, look, look. The thing is the for background here. Uh, extero, which are the makers of ftk and ftk imager uh, really, ftk imager is everybody's toolbox. It's one of the most well-renowned tools. They came out with a release ftk 7.3 point something and it had bitlocker support and it was up for a day or so. So a whole bunch of us well, not me, but somebody else downloaded it and it's like oh, this is great, let's test it out. And a few people made blog posts and then it disappeared. You couldn't download it. So I started complaining Not complaining, that's not true.
Speaker 1:I started pointing out the fact that it disappeared. I'm like what happened to it was was there an issue with the software that we should know about? Was it not working properly? It just took it out, but not tell us. But eventually, is that the explanation was? And harsh peel that, I think, is the main product manager for ftk tooling within extero explained that the reason is that it was uh, it was. They were not supposed to release it yet, right? Yeah, um, so there was about an accident. So they released version 7.0, I guess, or 0.1, and not this version which is ahead. But guess what? It's already out, so we're going to use it and we're going to show it.
Speaker 2:So let me take that off the screen. All right, so I just have a BitLockered thumb drive and I am going to add it. Oh, hold on. Oh, I have to have it out. Sorry, I'm gonna add the physical drive. I have it plugged into my laptop and it is this, and just hit finish. When I add it it pops up, and here let me zoom in on that.
Speaker 1:Yes, yes please.
Speaker 2:Pops up a screen asking for your BitLocker encryption credentials. We can do a recovery key or we can do the password to the BitLockered USB.
Speaker 1:Or the boot key file too.
Speaker 2:Yes, or the boot key file? Yes, I have, let's see if I still. Yeah, so I have the recovery key to this because I BitLockered it. Because I BitLockered it and as soon as I put it in, we have access to the files on the USB drive.
Speaker 1:So you can see here my top secret documents folder we now have access to and something that's pretty cool about the tooling. So this is a traditional scenario where you have this drive, you're going to write block and it's bitlocker, you have the key, let's look what's inside of it. So my case, my testing case, was I took and I image the bitlocker uh drive. I imaged it as an e01 straight up. So I have now the encrypted e01 with bitlocker and again same thing. I put it there, I went in a little bit and again that screen popped up and I was able to get in which, which is pretty neat because, yeah, as long as you have the key, you can do the e01 straight up and then later on, uh, do the whole, uh decryption of it, also with the tool, and after that you can make ad1s, as always and for those are not familiar, those are logical extractions from from the image that you're working out of.
Speaker 1:So you can take, say, a film file, some folders, build an extraction, a logical extraction, and pull that out, or do the traditional things you would do with FTK Imager and if you're digital forensics, you have to know this tool. This is just one of those things that you did. One of the first tools they give you when you're walking through the door.
Speaker 2:Yeah, oh, definitely the first tool you use in college too, right, oh, absolutely.
Speaker 1:It's like it's all reliable. I call it in one of my old my. Now the thing is that the question is are they gonna I mean, why? Why? Take it back right? Is it because they're gonna charge for it or you're gonna know? Well, I hope not. I hope they can release it as is, as I did, free with that functionality. But who knows, do other tools do this Absolutely? But it's a benefit, because we're so used to using this tool I've been using it for over 15 years or whatever it is. So just adding this capability makes the tool so much useful and it broadens the user base because we know how to use it, we teach it and now it has more capability.
Speaker 2:So I hope they release it for free again in the not too distant future. So please, xterra, don't make us wait too much. Yeah, and super easy to use. So I mean we definitely want access to this.
Speaker 1:So if you don't have access to it, I'm sorry and don't ask me for it, because I am not an Xterra tool distributor and I don't want to get in trouble. I just got a copy for me and for testing and that's it. So if you didn't get it, sorry.
Speaker 2:Yeah, I know.
Speaker 1:Don't come asking me for it.
Speaker 2:He's not lying. He won't even give me a copy. I had to get it elsewhere. No, I'm just kidding. Yeah, yeah, yeah, I didn't give him the copy period.
Speaker 1:That's my story. I'm sticking to it yeah.
Speaker 1:Oh, ryan Benson. Ryan Benson is in the chat. I got a shout out to Ryan. Ryan does great tools, like in hindsight. He does Unfurl Unfurl just recently Good thing I saw his name Unfurl just updated. So now it recognizes blue sky timestamps and more different data and better parsing for some protobufs and other things.
Speaker 1:If you're not familiar with unfurl, what that does is it takes the url from a, from a website, from a cloud service, a chatting application. You take that url, you put it on furl and it breaks down the url in its component parts. You see the domain and those component parts might have timestamps in. It, might have protobuf or something else other data types within the URL base64, which is traditionally a URL thing. It will explode that for you and show you all the component parts and it's a great tool If you carved out some URLs and you want to know when the URL, the activity, happened. Some of these URLs have timestamps of a search that was done within that URL and just put it on referral and it tells you what the timestamp is. So great, great tool. Same with hindsight. You're doing browser forensics. Check it out Also. Quick shout out to Brett Shavers in the chat. What is he saying, heather?
Speaker 2:FTK Imager is the pair of pliers in the DFIR toolbox. Definitely.
Speaker 1:FTK Imager is the pair of pliers in the DFIR toolbox Absolutely Of all the tools. Pliers is a good analogy. I like that.
Speaker 2:Yeah, that's really good. So there's another release of a tool, the Samsung Secure Health Data Parser. It was released, or created and released by um. Oh, where did I put that? I'm trying to remember the, trying to remember the blog name. I have it down. Oh, breakpoint, breakpoint forensics. Um, what this does is it will, um, it'll parse out your Samsung health data, right. So the features of the tool are step count parsing. It does exercise sessions, it does live data decompression. It creates comprehensive reports. The GUI is super easy to use. I'm going to just throw that up on the screen here. So this is what the GUI looks like for the Samsung Health Database Parser.
Speaker 2:What you do need, though, is this database, by default, is encrypted, so you have to get a decrypted copy of the database. The database is securehealthdatadb. Tools like Celebrite actually automatically were decrypting the Samsung Health Database, automatically were decrypting the Samsung health database. I tried to extract my Samsung device to have some test data for the podcast tonight so I could show you how this tool actually works, but I think, because of that key store issue, where the key store is not being pulled from Android devices, I'm not getting the decryption keys necessary to generate that decrypted version of the health parser.
Speaker 2:I do have some like older versions, but it's work stuff so I wasn't able to bring it on and show everybody how this tool works. So if you have that decrypted version of the database, try it out. It looks super easy to use. You're just going to choose that database, pick your output folder. It'll create a report in CSV or in HTML and there's also a blog about it which I have up on the screen. And then the Breakpoint Forensics GitHub page is where you can go to download the tool.
Speaker 1:Yeah, go to the repository and get it, and I think one of the big takeaways of this type of discussion, it's not only the tool which we need, and that's great.
Speaker 1:And also, it's not only the fact that we need the vendors that deal with extractions. That's the part that we as a community are kind of forced to outsource to them to get support for those encryption keys or decryption keys. A good teaching point is that when you think about Android, android is not just Android right. You got Android Samsung, you got Android LG, you got Android Moto, you got Android Google ones right, and all of them will, for example, deal with health data. But each vendor might decide to do their own implementation, which means if you're doing Android forensics, if you know about a health database in a google pixel, you gotta think about is my tool showing me the implementation from moto or motorola or from lg or for whatever other vendors out there, right, if they're android 14, 15, whatever it is compliant, they will have it, but they might not be located where you expect it in traditional Vanilla from Google Android.
Speaker 1:So, again, the big takeaway is make sure that, as you're working with different Android types, that you're looking for those implementations. Your tools will not parse all of those and I'm telling you because this happened in my cases time and time again where, oh, there's no health data. I bet it might be there, it's just in Motorola. It might be somewhere else, or it might have a little bit of changes in how the data is decoded and their meaning. I'm trying to think of an example. Look for the one in Samsung Ruben Ruben Ruben is another example, by the way.
Speaker 2:You're right, that's not the one I the other one.
Speaker 1:Ruben is another example, by the way. Yeah, you're right, you're right. Yeah, that's not the one I was thinking of, but that's a good example too. Right, you have to decode that as well. There's one for activities. It's not user stats, it's the other one. I just forgot the name right now. In Samsung it's a number and in Google it's a different number, even though they track the same activity. So that's part of that research that you have to do. So, anyways, I'm going too long on this, but again, I want to emphasize those differences.
Speaker 2:Specifically, though, ruben is a good example of what I think the issue is here. I can't decrypt the Ruben database right now because there's issues with the pulling the key store from the devices, so I think that's probably just what happened here. I I did find an older database and and used it.
Speaker 1:It works beautifully so, yeah, no, we, we need to. We need to work with vendors and again, I I believe that us as examiners, the analysis is on us and the extraction is going to be on vendors, and I don't think we should outsers. The analysis is on us and the extraction is going to be on vendors, and I don't think we should outsource also the analysis to the vendors. But that's a discussion that we can have later.
Speaker 2:You're just generating topics for the future podcast. Thank you. I wanted to point out a blog article. So the name of the blog is Mobile Forensic Data Structures, which data structures are super important. I'm going to tell you why here in a second Extracting and Analyzing Data with Free Tools. So it's a blog written by Cesar Caseta from Hexordia, and he outlines how to extract and analyze data structures using SQLite Browser, pl editor pro and notepad plus plus, which are all free tools. He takes the one of the cache DB files. So there's a whole bunch of different cache DB files in the in extractions and they commonly have different types of data structures stored within the cells as blob data. In Caesar's example, there's BP list and base 64 stored inside of the SQLite database and he shows you, walks you through how to open the data, how to export it and view it with the free tools. Why is it important? I mean, the tools do it for you, right? So why do we need to know how to do that? Do the tools always do it for you?
Speaker 1:Not always going to work, yeah, and what is a data type you know. You said that your tool doesn't recognize. You have to pull it out and use another tool to be able to look at it, right?
Speaker 2:Exactly, exactly.
Speaker 1:Although I will say I will say something real quick. That's why this part, this information that Cesar is giving out, is super important. It, this information that Cesar is giving out, is super important. It gives you a way to do some of that. But I want to push everybody to take it to the next level, because if your cache file has 10,000 rows, are you going to be pulling all those one by one and then opening it with a viewer, one by one? You're going to be there for a week, right? Or you can code a few lines to do a query on the database, pull out the thing, it automatically identifies what it is and then it shows it to you in a nice report, right. Again, I'm kind of also self-serving, because that's something you could do with the leaps.
Speaker 1:Yeah, you know how to code a little bit right and they use the leaps to show it to you. But this knowledge is important for you to know what's the deal, what's inside of it. We need to get to it, and then the next step, I believe, for the community, is to start automating some of the stuff and sharing that knowledge among the rest of members of the community.
Speaker 2:Right, and so definitely being able to code and look at all of the cells in the SQLite database, all the tables, all the rows, is important, but if you just need to go in and validate or verify the results of one, the skills that you can learn just by reading this blog can be super helpful.
Speaker 1:Oh, absolutely. And again, you might not need to do 10,000. Maybe you do, but still, even if you don't know how to code, at least know that you can get to the data and look at it. It's better than not, right.
Speaker 2:Oh yeah definitely.
Speaker 1:I mean there's 100% absolute great value on all this, and then we can take that and automate it as another goal we can set for ourselves.
Speaker 2:Right With this data structures. There's other courses to take or there are courses to take too. So if CESAR works at Hexordia, there's a data structures course at Hexordia, and if anybody's interested in learning more about the different data structures, it's an excellent course and I believe it's got a discount right now, through December 2nd, I think for Black Friday, so definitely maybe take advantage of that discount and then you could always come down to Orlando also for the big IASIS event in April and May. The instructors who are teaching the advanced mobile class are super awesome. Yes, people listening can't see Alex like dancing around and pointing to himself and pointing to me. But yeah, we teach that class at IASIS and there are still seats available for week one, so check it out.
Speaker 1:And everybody that's hitting me on LinkedIn and social media. I said don't worry, we will have answers for all your questions. Heather will be in charge of it of answering the questions, so I know that she's waiting for those with bated breath to actually answer all your questions.
Speaker 2:Yeah, I accidentally saw your comment too. I forget who your comment even was to, but it was like oh, Heather will be there, She'll answer all of the questions for you. I expect to have some help with that.
Speaker 1:I'll make sure the rest of the team does. I'm just there to pet the electronic detection dogs.
Speaker 2:We're going to have a couple in class this year too. So if you don't want to come learn about data structures with us and you want to just come pet the dogs, no, you have to learn about the data structures too.
Speaker 1:And pet the dogs in the process.
Speaker 2:Yeah, the dogs will be there. I hear we're going to at least have two.
Speaker 1:Let me, before we move to the next topic, let me just highlight a few other comments in the chat.
Speaker 2:Sure.
Speaker 1:Yeah, the folks were talking about how hard it is to get some of that Tableau software to update some of that firmware. They're saying that, well, we just run the firmware to 2010. We never update it, and actually that's so true. You can ask some people when was the last time you updated your write blockers? And people are like you can update your write blockers? Yes, you can, and please do it as soon as you can. Yes, make sure you update that type of stuff. And Damien which again a shout out to Damien he also teaches with Spider Forensics, so he gives that class also during IASIS, but within Spider Forensics and on data structures and SQLite. He's talking about how he had a lot of work to do with a SQLite database but with a few lines of code he was able to automate the process and get to those results. So a lot of value in learning those skills.
Speaker 2:Definitely skills, definitely so. Um, an article that actually alexis shared with me uh called game plans a template for robust digital evidence strategy and development. Um, we thought it was a good read and that we would share with everybody. So, um, it kind of addresses the need to have digital evidence strategies to uh effectively identify, collect, examine and evaluate digital devices and data. It lays out nine fundamental components of the game plan. So let me share that screenshot with everybody so you can see the Nine components.
Speaker 2:One day I'm going to be able to do this quickly, sharing the screenshots. I swear I'm going to come up with some kind of quicker way. There we go. So for game plans, it's grounds for investigation, authorization, method of investigation, evaluation of the meaning of any findings, proportionality, logic agreement, logic agreement, necessity and scrutiny. So that lays out the steps of the game plan. Having a game plan in place will support investigators and their teams and ensure that important elements are not overlooked or missed. It may take time to implement and plan out, but it's necessary to make sure that tasks are carried out properly in not only digital forensics, but I think this kind of applies everywhere. I can think of ways it could apply in your own personal life to have a game plan. So what do you?
Speaker 1:think I like the format Again, each letter of the word game plans. I like the format Again, each letter of the word game plans. It speaks to an aspect of what we need to do.
Speaker 1:When I read it, as I was reading it, I'm like this is good stuff, but it's a lot right, it's a little bit a lot of work to do to develop them, and at the end of the article the author also says, yes, it's a little bit burdensome. So the author also agrees with me on that, but there's value in trying to detail the investigative work based on this pattern or these steps. Will folks sit down and do this at that detail? Maybe not, but I do believe that discussing each of these we're not going to do it here today, we'll discuss a few but discussing these and then have them as part of your process, it's essential, right, even if you don't use this methodology to the T right At that level, right, can I highlight a few? Heather?
Speaker 2:Yeah, absolutely.
Speaker 1:So one that I found interesting is by proportionality. I'm like, what does even proportionality mean? And the article speaks about how the technique that you're using is proportional to the need, right? For example and this is an example that I came up with I thought about if some of the evidence involves victims, right, we need to be proportional to that. Is it necessary to disclose the victims or move this data related to victims around? Is that necessary? Is it what we need? Is it proportional to the need of the case? Well, it might not, so we don't need to do that. We have to make sure that the evidence that we're acquiring is proportional to the need of the case and not go beyond that. Right, it's logical to do that, right? I like also the one about logic. You have one for logic, right, and to me, this is something that I've seen in many places Is it logical to look for X or Y?
Speaker 1:Sometimes we want to look for X or Y because we have a hunch, because we think, and it becomes a fishing expedition. And no, there's a constraint of why we do things and why we do it, and I don't care if it's on consent. This is my perspective, again, like always, and we're going to say this, we say it every show. We speak as our own personal opinions and our opinions do not reflect all employers or their policies in any kind. We speak for ourselves and only for ourselves. So I don't care if you have a device on consent. Well, I have consent to look at everything. Well, should you?
Speaker 1:Is it logical to do these things right? Is it logical, let's say, to look at something that's going to take six months to be able to analyze? Maybe not. Maybe the case has to be done in three months, in two months. So wasting resources on something that's going to take six months or more might not be logical, right?
Speaker 1:Maybe you're looking for a crime and you found evidence of a different crime. Is it logical to go down that path? Maybe, maybe not, because maybe the crime, the sentencing, might be concurrent. So do we really need to spend time delving into this different crime? That's not going to add to the possible sentencing or rehabilitation of the suspect. That doesn't mean we're not going to use it. Maybe the plan is, the logical thing is to take that conduct, not charge it, but use it later as sentencing, as conduct, as a pattern of conduct, which also the law provides, at least in the United States, for some enhancement of penalty based on pattern of conduct, right?
Speaker 1:So again this, this article, made me think of all the different aspects of our work and how can we constrain it or expand it in a way that and that's really important on the scrutiny part at the end, in a way that's justifiable and that S at the end, the scrutiny is so important. We need to consider scrutiny, not because the defense is going to come after us and then we get mad at them. No, no, no. The first level of scrutiny is yourself. Is your property as an examiner right? Am I expanding or limiting my search in a way that's justifiable? When I look at that phone live, do I really need to do that? Do I really need to go around the screen and click it around? Can I justify that or can I not? So those for me, is it necessary and the scrutiny really, really important within this aspect? So please go to the link we're going to be in the show notes and check the article out. I think it's a great read and really gave me a lot to think about.
Speaker 2:Yeah, definitely. I was applying it more to like the lab setting because I work in a lab and I think it definitely overall, if you have a structured approach and you have a game plan, it can improve your investigative process, ensure that you have a thorough analysis and then help to maintain the highest standards in the lab. I also think the game plan could kind of like just follow along the same lines as your SOPs. If you have good SOPs, you have a good game plan. If you have no SOPs or no guidelines in your office at all, there is no game plan and I just can see how that could lead to chaos. So I really liked this read on the game plans and it made me think of the lab setting mostly and having a good set of SOPs.
Speaker 1:And I want to say something real quick. Will SOPs or game plans cover every single circumstance you're going to find in your career? The answer is no. There will come some time when they might not apply exactly. But guess what?
Speaker 1:You need to know your SOPs, you need to have your game plans, because the only way you can go, move beyond them when needed, is by having a thorough understanding of them. Right, it's like in martial arts. Right, when you get your black belt and you're a high level practitioner, that's when you start you can actually go out of that system and apply it in ways that you wouldn't do before because you didn't have that knowledge. I guess that's a lot of words to say that you need to know your SOPs, you need to have your game plans, you need to know your sops, you need to have your game plans, you need to know your procedures and then, if something changes, based on those, you'll be able to justify whatever changes are needed. And and evolution moving forward, because technology evolves, right, and then you can take that sop, take that knowledge and then evolve that sop, that game plan, uh, with it, you, you know, yeah.
Speaker 2:Definitely worth the read.
Speaker 1:Absolutely.
Speaker 2:Absolutely so. Another article this is actually a paper, a paper put out by Major Cities Chief Association Digital Evidence Working Group. So this paper explores the increasing importance and challenges of managing digital evidence in modern law enforcement. It highlights how digital evidence plays a role in solving cases, often surpassing traditional forms like DNA evidence, they say, with six out of 10 professionals identifying it as their most critical investigative tool. So digital forensics I mean digital devices are in every type of case and this report talks about that. It talks about the role that digital devices have in modern day law enforcement. It was put up on LinkedIn by Robert Pike. If you don't know Robert Pike, he works in North Carolina Great guy, and I think he contributed to this paper. But it's a whole bunch of examiners that contributed to this paper and another great read.
Speaker 1:It has a lot of reference materials because it's more high level, so they don't go into. This is how you extract a phone. These are the things you're going to find on a computer. It's more about. These are the things you need to consider. These are the things you're going to find on a computer. It's more about. This is the things you need to consider. These are the standards, and then links to those and a lot of high level policy guides, which I think is going to be extremely useful for managers and you know kind of folks that might be a couple levels removed from the actual evidence, at least to start educating them on some of those aspects. So we also really could read.
Speaker 2:Yeah, it touches on AI in digital forensics too. I know that's a hot topic with everybody. We have talked about it numerous times and I see articles for it everywhere. But they talk about the potential for enhancing digital investigations, but they also address the ethical considerations and potential biases in AI.
Speaker 1:So another resource to um learn about about ai and digital forensics yeah, let's not, let's not, let's not get into ai right now no, I don't want to talk about that tonight I'm gonna lose it again, which which, by the way, I'm gonna be talking at a small interview for the deferred days of christmas, or deferrmas. Okay, uh, yeah, for uh, um, for the uh, the company that makes atrio atrio, I forgot his name right now. Um, arcpoint, arcpoint for asics, yeah, and there'll be a lot of talk about validation and ai. So you want to hear me run.
Speaker 2:Be be aware, be ready for that'm going to have to tune in for that one, definitely All right. So this one got me going. This week I saw a post by Carl Lawrence of MSAB about the importance of BFU partial file system extractions. His post I'm just going to read his post to you, so he wrote this really shocked me. But should it have? I recently heard that some organizations are shelving BFU devices so before first unlock devices, they're labeling them as too difficult or not worth it. He says this blew my mind. He wanted to hear from the deeper community about what they think on bfu extractions and should they be attempted. Why wouldn't you attempt them? Um, why wouldn't you attempt them? So yeah, go ahead yeah, I was gonna.
Speaker 1:It's for folks that are not familiar with that. Uh, bfu is a phone that is turned on and nobody has put the code in yet, right? No, pin code has not been accessed, which means the amount of data that's accessible to you is pretty limited. If somebody calls you, for example, you might get the phone call, but the screen's not going to tell you who. It is right, because that information is still safeguarded within the phone. Now, if you put your PIN code in once and then the phone locks again either because you locked it or a timer when you get that phone call again it will show you on the screen hey, so-and-so is calling you right, because now that data is accessible because the phone was unlocked at least once. So that's called AFU. So being able to get an extraction in AFU state is better. You get more BFU, you get less. And then I guess the article speaks of people assuming that since it's less than AFU, therefore it's useless. That's the question, right? Is it useless or not?
Speaker 2:So I hear that from people all the time. It's just a BFU, it's just system information. I'm not going to look at it. Why would you not look at it? Or why would you skip the extraction? Even so, for mobile devices that come in and there's no support for brute force, no support for a full file system and they're in that BFU state, you can get the BFU extraction, which is limited data and mostly system artifacts. When I say mostly, it's definitely just mostly. There are user artifacts in there. So some of the user artifacts that I've seen in a BFU, I've seen KTX files in the form of system generated snapshots. So what the snapshot is is the user has an application up on their screen and it was sent to the background for some reason. The user maybe just closed the window and the system takes a snapshot of what that app looked like at that time that it was sent to the background. If your device user has text messages up there, you potentially have a snapshot of the text messages. Is that going to be available in every extraction, every BFU extraction? I don't know, but I've seen it in them before. You have access to the Apple ID. You have access to the cloud information. When was the last time the device was synced to the cloud? So potentially you have the date that it was synced to the cloud. So potentially you have the date that it was synced to the cloud yesterday and then you have the Apple ID that you can send off to Apple with legal process to gather the data that's stored in the cloud.
Speaker 2:I've seen some location artifacts in the BFUs. They were specifically on images that had EXIF data. So there's an area of the phone called file provider storage artifacts. They can include user images that have the EXIF data, including the location. One of my test data BFU extractions Kevin that I work with and I were down in New York City creating all this test data. We were taking pictures all over New York City, came back, extracted the device, the BFU, and there were the pictures we were taking in the city in that file provider storage, which relates to synchronization across devices. But I had the locations and it was right where we were when we took the pictures the locations and it was right where we were when we took the pictures.
Speaker 2:Other things you can find in a BFU log entries, wi-fi connections and Snapchat. There is a ton of Snapchat. If your device user is using Snapchat. You're potentially going to have their messages in the Snapchat Arroyo database. All of their messages come out in a BFU partial file system extraction. I don't want to miss that. What if Snapchat is the platform that they were using to plan the crime or commit the crime? We have all of that. I'm going to. You're going to read.
Speaker 1:Yeah. So to add to that, so different than folks in the chat telling us that testifying the case and the BFU helped convict the suspect of 10 counts, because later it says five years but later he corrects oh sorry, it's 10 counts because there was a ton of data in that BFU. So not only the stuff that Heather is telling you, the BFU has been used successfully, you know, to prosecute and complete investigations. Jeremy is telling us that he has gotten, like confirming what you're saying, heather, that there are Snapchat conversations on the BFU and people should not sleep on those. Look and let me mini rant right, go ahead. Let me mini rant right, go ahead.
Speaker 1:Even if you think that that phone has nothing on it, on that BFU, and you have the authority and you have a crime to solve, you still need to do it, even if, just because you have a thing called what Due diligence? You need to do your due diligence and that's a word that I believe we're not using enough, a concept we're not stressing to folks coming to the field enough Due diligence. It means that you do the work the best you can, how you can have your game plan, do all of that, but because it's expected of you to do a complete investigation, right, you cannot dismiss. It's like an example that's not forensics, right? You got a suspect and you got to interview the suspect and you're like, well, they know I'm coming, I'm not going to ask for their phone or they will never talk to me, because they know I'm coming. What? You're not going to go. You still have to go and you ask, hey, can we do this? And they might say yes, and a lot of times they do.
Speaker 1:Right, you have to do your due diligence and it really irks me that folks are looking for all sorts of excuses to not do their due diligence, and managers need to make sure, from my perspective, that themselves and their reports are exercising due diligence in their investigations and their casework. If you're not doing that, then what are you there for, mr Manager? Just to keep a spreadsheet of how much the tools cost and which ones are we going to cut because we don't have funding? That's, I mean, anybody can do that. But exercising due diligence Are we doing the cases and following up as we should? And that means sometimes doing a BFU and guess what you might get good stuff out of it.
Speaker 2:Definitely. I'm going to share a couple pictures that Carl had up too. There's all your BFU devices on shelves waiting for extraction, waiting for support right, because we're waiting for support to brute force the device and get a full file system. But these shelves and shelves and shelves of devices that are here in this screenshot all have the capability of performing a BFU partial file system extraction and potentially gathering that data that we're talking about.
Speaker 1:I want to believe that picture is AI because, if folks are listening, it's like shelves and shelves full to the brim of phones and I'm like I hope this is not real, because if these phones are for real and nobody has looked at them, I'll lose my mind. It's like an insane amount of, and I'm like I hope this is not real, because these phones are for real. Nobody has looked at them. I'll lose my mind. It's like an insane amount of phones like all on top of each other, which I would say it's not properly categorized. But let's be real here. A lot of our labs kind of look like this Put a sticker on it and just put it there. You know yeah.
Speaker 1:Oh geez Due diligence.
Speaker 2:Also how you handle your evidence. Please, due diligence. Yeah, so I I want to actually talk about a couple more artifacts that I found. Um, so there was an iphone 14 that I had looked at in the past I was running like ios 16, so we're a little past that. Is this artifact still there? I don't know, it might not be anymore, but uh, there were calls and chats, regular phone calls and chats, regular phone calls and native text messages. In the BFU, the call database is call history dot store store data and the SMS database is the SMS dot DB. Well, there was a copy of the call history dot store data with an underscore temp and same with the SMS, an underscore temp, and inside of those temp files were two phone calls and three text messages. My guess is they were probably the last three messages or the last two phone calls on the device. I didn't have anything to compare to that, but there's potential to get that data. But you're never going to know unless you open it up and take a look.
Speaker 1:Exactly, exactly and, as a quick note, it's been confirmed that that picture was actually AI Oof. What a relief. I was going to lose it.
Speaker 2:You feel better, huh yeah.
Speaker 1:Kevin's saying that there's no way that's been properly inventoried.
Speaker 2:No.
Speaker 1:Yeah, so okay, it's AI Oof. Okay, there was no game plan for those phones. None at all, absolutely no. No SOPs there. So which? Again, let's not get into AI, it's just a scary definition. Yeah, let's skip that.
Speaker 2:Let's skip that. I have one more meme to show. So this was the meme that was up with Carl's post and I have no idea, so I had to be schooled today, before the show, on who this is in the screenshot. It's Terry Tibbs. So if anybody is in the chat right now on YouTube you might see Mr Terry Tibbs as a user. I'm going to guess that's Carl in there, but it's Terry Tibbs from a UK TV show called Phone Jacker, so I'm hoping that anybody from the UK may recognize what I'm talking about. But I had no idea who it was until I said Carl, help me, what's a phone jacker?
Speaker 1:They just run and take the phone from you. They jack it away yeah.
Speaker 2:So he explained it as I'm going to butcher this. By the way, he explained it as Terry Tibbs would make it would be a personality on prank phone calls. Oh, okay, so they call you to prank you on the phone, I guess, so I've never seen it. I may have to see if I can find a version online and check this out but one of the what's up one of the catchphrases of terry tibbs is talk to me oh, there you go yeah that's me, with every agent that walks through the door.
Speaker 1:Can you please tell me what this case is about? Let's just don't drop the stuff here. Please talk to me. Yeah, my uk uk cultural references are lacking, sadly, but I will look into it mine were too.
Speaker 2:So I I cheated and I I phoned a friend, uh, before the show, yeah, and I probably just butchered half of what I was saying. But uh, carl was telling me that he and he and adam firman, who we love from MSAB2, were joking about this show recently and that's how the meme made it to his post about BFU's.
Speaker 1:Talk to me. Talk to me that's the new catchphrase for the month. Talk to me.
Speaker 2:I'm adding it back up, trying to take it down. Okay, last thing on the BFU's. So I do have one case example. Oh, he says I got it spot on with the Terry Tibbs. Good, I didn't screw it up too much.
Speaker 1:Well, there was a wink there.
Speaker 2:So I don't know. I'll get rid of the wink side. I'm sorry. A home invasion case, uh, that involved a BFU extraction. Um, the guy dropped his phone, uh, the person who was at the house didn't, didn't know who it was that invaded the home. And the guy dropped his phone, uh got the partial file system, the BFU, and in it were enough details to just prove whose phone it was and who broke into the home and assaulted a woman. He got like 25 years in prison. I think. Um, if I had just said let's not do the BFU, there's nothing in it anyway, it's not worth it. You may not have ever even identified who the suspect was. So do not skip your BFU.
Speaker 1:Oh I mean wow, I got that. That's so amazing. I got nothing to add, it's just amazing.
Speaker 2:It was the Snapchat data right, because I mean I had the username and the Snapchat data and the iCloud, the Apple account Saved the day.
Speaker 1:Oh, that's good stuff.
Speaker 2:Love. It All right, we can move on from that, I swear.
Speaker 2:No, I mean no, it was an important discussion yeah, that one, I truly believe that one drives me nuts, so let's move on to a happier note here. So samari gives back. Um, I don't know if anybody saw this on linkedin but or any other social media, but samari has. Samari gives back 2024, where you can submit a nomination for a law enforcement agency with limited resources, a high caseload and a focus on serious crimes. The nominations need to be submitted by November 29th. The submissions are limited to 500 words. A community of law enforcement examiners will review all nominations and select the top five agencies, and then the top five agencies will be notified, asked for permission to participate. Once they're approved, they'll be featured online for public voting from december 12th to december 18th. Um, and let me show you what they have the potential of winning if it's, if it's summary, I'm expecting a legit box.
Speaker 1:There it is.
Speaker 2:Boom. So they will be giving. The title of the picture is the green Tolino, green Beast. So it is a Tolino and all of the specs can be found on their website at the Sumori Gives Back 2024 link that I have up on the screen.
Speaker 1:I will call it the green mean mystery machine, that's how I would name it, you know like green mean mystery machine, love it.
Speaker 2:Yeah, it's a pretty nice looking machine. I have a Tolino. I loved my Tolino. I need another Tolino. I'm not going to win it, but maybe I can talk the boss into buying me another Tolino. Yeah, how about you talk to boss also send me one. Yeah, maybe you know we'll share the love.
Speaker 1:We can give them out for christmas. Holidays are coming soon. Anybody else in the chat want one?
Speaker 2:I'll work on it yeah, you're not gonna get it. But no, you're not. But uh, if you know an agency that's deserving of that, so murray gives back nomination. Uh, write up the essay and definitely nominate them.
Speaker 1:Yeah, those are pretty powerful boxes and folks that are not familiar. Mori is a company that provides computing resources computers, laptops For due time, forensic purposes. They have write blockers built in, proper video cards for cracking passwords and encryption. So pretty good equipment and good on them. For you know it's advertisement and that's fine, but this is the type of advertisement that I like, because it recognizes the good work people do and then enables them to do even more good work, right.
Speaker 2:So what's new with the leaps?
Speaker 1:So we got a lot of stuff going on. So the first thing, actually, I'm going to go first and I'll let you go after me. Sure, what's new with the leaps? So we got a lot of stuff going on. So the first thing, actually, I'm going to go first and I'll let you go after me, sure. So last episode I was trying to show the changes within the reporting structure that we're building and again, I always give a quick explanation what the leaps are.
Speaker 1:These are Lux events and properties or PList Parsers. It's a Python-based framework that I developed and then the community has embraced and developed further. That allows folks in an open source, totally free, python-based way to look at extraction from iOS, android's returns from providers, vehicle extractions, all sorts of data types, and it creates a nice HTML report and some other reporting features in KMLs or SQLite databases for your cases. And we try to specialize in the tool being quick Tools is more than one, obviously, being quick and we try to parse things that nobody else does as quickly as we can. For example, which is something that Heather is going to talk about, a lot of us have been opening accounts in Blue Sky. Blue Sky and that's like a Twitter-like application, like competition with Twitter and threads, and it's great stuff. So Heather made some test data for Android and I made a parser for it within the Leap. So if you have a case where they're chatting within Blue Sky, the only tool that will do it as of now is ALEAP.
Speaker 1:Right, good folks, I think Adam hopefully he can do that he's trying to get us some iOS test data to then build one, or at least get us the data, and then I'll use it to build something for iOS, for ILEAP. So we're working on that. So that's what the platform does. That's the purpose, and folks have embraced it, which I'm pretty grateful for. And I got a good group of developers Kevin is in the chat, one of them and I always mention their names. I'll mention them again in a second. Now that explanation. So what happened with the Leaps leaves recently? Well, we're moving to a new viewer called lava and somebody's saying blue ski. I hate you all. It's your, it's your, it's your fault. Heather first calling like blue ski, like a bruski. No, it's blue sky.
Speaker 2:Okay, I will always oppose it dfir, dan and I are gonna have bruskies while we chat with people on blue ski later oh my god, I'm cringing.
Speaker 1:I'm cringing for you so hard on the inside. I'm crying in my insides about it.
Speaker 2:I know. That's why I keep saying it.
Speaker 1:Yeah, I know, folks, she's not on the show. She texts me the blue ski when she texts with me just to annoy me. All right, when she's messaging me for stuff, anyways. So what we've done is we're trying to build a viewer, a newer viewer, so that it allows you to look at more data in a more efficient way and have more parsing not parsing, I'm sorry sorting capabilities and that good stuff. So I'm going to show you now how the directory has changed and it's actually way cleaner. Now I want to give a shout out to the team, like I said I would, as I'm representing the data James Haben, johan Policek, kevin Pagano the one that's right here next to me, heather although she's slacking a little bit, I am, I know you need to catch up on some things, as you know anyways, I digress and Bruno Constanzo, a great, great friend as well, that he does a lot of library parsing work.
Speaker 2:Oh and John.
Speaker 1:Hyla. I cannot forget about John. He's the king of the refactoring, so I love you all guys. So I'm actually going to have'm actually have some challenge going to be sending you shortly, all right. So what do we see here? So this is the folder structure is way better now. Before you would have all the reports were html and we're like kind of thrown in the in the root directory, which is kind of ugly. Now you hit index and it will open your report, html report, and then all the other little reports. I say say other little, but all the other reports about it are gonna be in the HTML directory. So it's way cleaner and the timeline is still there.
Speaker 1:It's a SQLite database of all things that have timestamps in your parsing and that's a underused capability. People don't know about it. Take dbBrowser for SQLite, open it up and then you can look at all the artifacts, kind of lined up by timestamp, and see the relationships between them, right, so it's really useful. There's the tsvs, so tab separated values. You can import it into your kind of spreadsheet program if you need to. Now the big thing I want to show is these two structures. One is a database, sqlite database, called lava artifacts, another one called lavadatajson the viewer that we're hoping to release soonish because it's still working on it will take that JSON and then be able to reference the database, and all the information that's in the HTMLs is now in this database, and this is really useful because now it allows us to use Lava as an electron application to look at the data and is now on this database. And this is really useful because now it allows us to use Lava as an electron application to look at the data and not choke on it. If it's too much data, htmls won't work. So I want to show folks let me take this off the screen I want to show folks how it looks and again, I'm really excited about it, so that's why I'm talking about it at length. So thank you for humoring me folks, the folks that are still here or are still here that were with us.
Speaker 1:So let me open my DB browser for SQLite and I want to show you folks how it looks. I'm opening it now, and now I'm going to share the actual program. It's a little bit too big. There we go, so let me share it. Share screen and, as you will see here, this is the right one.
Speaker 1:Yes, you'll see here of the artifacts that we have been able to refactor to make it compatible. We have a whole bunch here we got each artifact is a table. You got the biomes, we got burner artifacts, we got notification artifacts, telegram, website, website visits, all sorts of things and we're refactoring this code. That means that we're updating it to be compatible with this and you can see here all the data within the different databases, or I'd say, tables in the database, and this allows us also, with the viewer, to be able to sort not sort the time zone, change the time zone on the fly, so you can move it to any time zone that you need and it will deal with those.
Speaker 1:I'm showing this because in the future, if you have data, as long as it's in this type of format, you could use Lava to view other sorts of data. So it's designed for our stuff. But if you understand a little bit of sqlite, how this is ordered, you can create your own sqlite databases and use lava to view them. So it will be another way of looking at different sorts of data if there are sqlite databases in this type of structure. Um, but that's a discussion for another day. So I'm excited, uh, for it. Uh, the whole team is excited about it. It'll be like a monumental change in how we deal with the leaps and it will enable folks to be able to look at all sorts of data, independent of how much data there is. I guess we're going to be getting closer to more like a corporate type of solution, but still being open source and available to the community.
Speaker 2:So we're excited, very cool, very cool. It's going to be awesome, definitely. I know I've had iOS cases where I just have so many artifacts and if you load them all onto the page, the page just crashes. So the fact that this is going to fix that is awesome. I think a lot of people will agree that use the leaps, oh yeah, and it's way faster. Look at this stuff that.
Speaker 1:Use the leaps, oh yeah, and it's way faster to look at the stuff. Oh, quick, quick thing.
Speaker 2:I was just going to put that up, yeah.
Speaker 1:Holly's saying that it's blue sky. Okay, Sorry, rather so. Your sister is the obviously the better one of the sisters.
Speaker 2:So I'm just going to say that she's just not joining Dan and I for brewskis anymore.
Speaker 1:So no, she Us too. We're going to go and actually look at the blue sky, you know, Okay, you guys have fun. Oh, and Rebecca showed up, so hey, don't worry, Rebecca, if you're late, you can watch the first half later in the recording.
Speaker 2:So with the Leaps since we're talking about blue sky, blue ski we did some test data and Alex wrote some parsers for the blue sky data, so let me share my screen here oh, and you're sharing the screen, johannes, in the chat again.
Speaker 1:You always stay late for the show. We love you, man. He's saying that it's more, it's able to manage more than 1 million records and that's all that's a lot right. There's no html reporting that will allow you to do that so he's doing some of that testing and some of that implementation and it's pretty awesome, so we're super excited about it. Sorry, go ahead.
Speaker 2:No, you're fine. So we now have let me click over here and zoom in we have parsers for Blue Sky Actors, blue Sky Feedpost, blue Sky Messages, blue Sky Posts and Blue Sky Searches for blue sky actors, blue sky feed post, blue sky messages, blue sky posts and blue sky searches. So just to take a look at that, the actors are your contacts, um, or people that were messaged with correct not are not necessarily contacts so it's.
Speaker 1:So. People ask me why actors, not users? Well, the word that blue skies uses within the data structure is literally the word actors. So I try when I do artifacts to keep it as close to what the verbiage they use. So actors is anybody and everybody is an actor. Somebody put a post as an actor. You put a post or responded you're an actor, everybody is an actor. And it's not necessarily your contacts, because I can have actors there that are not my friends. They're just a post that came by and that post have that actor quote, unquote actor information.
Speaker 1:So, since the data and I oh how much time we have. Oh, we've been running short on time, so I'm not going to the details, you're sure. Yeah, it's from an http cache type of structure, which makes me think I have I need to test more this more, but it makes me think that the app mostly works as a browser. It's an app, it's really a browser, so it's pulling stuff in, putting it there and as you're moving around the app, different things will be coming in and being shown to you on the interface, kind of kind of like a browser. So I'm able to capture this data from this kind of HTTP cache functionality and it's mostly JSON. So I try to just be as accurate as I can while trying to give you something that you can actually interpret right. These JSON files where this is coming from. There's more data in them.
Speaker 1:I didn't find it to be horribly relevant, so I did not show that and let me tell you this is not something weird that I do. Oh, look at you hiding stuff from me. Let me tell you, your tool vendors do that all the time. Yeah, if your tool vendors were to show every single row or every single table, you will not be able to do things right. So that speaks. Another side note your tools will point you to where things might be. If the smoking gun is the list of actors in my blue sky list, I will still go and look at those files by hand. I say by hand, quote, unquote right, I will look at them with myself and make sure that whatever data points I didn't put in, make sure they're not relevant to my case. Or if they are, then make sure to include them right. So that's what an actor is, and folks always think about that way. The tool will not. Even if we show you something, that does not mean showing you everything I have to say.
Speaker 1:I have an example of one of these chat applications. I forgot right now which one it was, but there was an entry in the database that tells you if the user was an administrator of that group or not, and the tools didn't show you that. The tools show you who the person was, what was said and all that and the media attached to that conversation or that particular entry in the chat, but it wouldn't tell you this detail. That's part of the database. Well, guess what? Some jurisdiction? There are statutes that explicitly put penalties on folks that are running illicit websites or illicit group chats for, let's say, the trading of contraband. Well, that charge, those folks wouldn't be penalized as they should for being the leaders of the organization if I didn't look at the database to figure out. Hey, look the database, tell me who's the administrators are or who the main user is right. So always, folks, always take your data, your smoking gun data, look at the source directly with your own eyes and make sure that you're not missing anything. Oof, sorry for the rant.
Speaker 2:No, you're fine. So we have the Blue Sky feed posts here that you can see. My test here. Let me zoom in a little. My test data is Amy Farrah Fowler, so you can see the display name, amy Farrah Fowler, and she posted checking out this awesome new app. It's her only post. If anybody saw Amy Farrah Fowler stalking their Blue Sky page recently, I was just trying to get test data.
Speaker 1:Yeah, and you might see a few entries repeated. And again, that's a decision that I made. Some of these files, different files, these caches, will have the same data in a few of them. So I decided as of now to just show them all, but at some point I might deduplicate them. But that's some of the decisions that you make as a developer and you will make us an examiner, right, how much of this data might be useful. Maybe the context indicates that this thing being there three times means something and we just don't know yet. It might mean there was access more than once. What does it mean? So we have to take that into account when we see data and try to figure out. What does it mean?
Speaker 2:So we have the messages. Alexis became friends with Amy Farrah Fowler and had a little conversation, and then posts. This was Amy Farrah Fowler's only one post here and then the searches. So she searched for best memes Howard Wolowitz, leonard Hofstadter, penny Hofstadter and Sheldon Cooper. So that is all stored within the Blue Sky Blue Ski data and now you have a tool that supports it. Yeah, I know.
Speaker 1:And it's good stuff. Johan is saying that he actually staying early, so it's so so late.
Speaker 2:That's already the next day, so he's already like.
Speaker 1:I'm up. I'm staying up, whatever.
Speaker 2:I just want to watch the show.
Speaker 1:No, I'm just teasing you, johohan. Thank you for all you do man um. I hope we can meet in.
Speaker 2:We can meet in person sooner rather than later yeah, I'm coming too, if we're going to visit him actually you're going.
Speaker 2:I'll be in your luggage so tons of great new updates to the leaps, but we are now at everybody's favorite part, the meme of the week. That's yeah, let me share it. How could we not? So this week was the mike tyson fight, um, and the two women that fought were definitely the better fight, in my opinion. So we we have the digital forensic examiner who is all beat up, and then one of the announcer girls I don't even know what the title is, I guess, the ones that carry the little round.
Speaker 2:Yeah, as the case agent. So the case agent is looking all happy and the digital forensic examiner has just been beaten, beaten, beaten.
Speaker 1:Well, and the little note I had at the post was when they asked you for updates, right.
Speaker 2:Yeah, hey, investigative team give us an update and everybody's like here's the examiner.
Speaker 1:Go ahead and you're like oh my gosh, this has been a hard week and the case agent is all fresh, looking good you know I mean that's not always the case. I know case agents that work really hard and we both work in teams.
Speaker 1:It's just a bit of a teasing to the agents because I believe that my work is the most important work in the world. But you know they believe the same thing. I'll be honest with you. I did not watch the fight because I thought it was going to be like a wrestling not real wrestling, but like WWE.
Speaker 2:Staged.
Speaker 1:A staged thing. And I'm like wwf staged a stage thing and I'm like this is staged.
Speaker 2:This is ridiculous and, based on what I've been, told I think it was staged, I think the tyson one was, but these women really like, went oh, no, no, no yeah they were.
Speaker 1:That was a good one no, no, no, no, no. This, this girl is beat up like for real yeah, oh yeah yeah, no, no, the, the, the cars, before the main thing they, they were pretty legit, right, but yeah, but the main one. Come on, that's all preordained acting stuff.
Speaker 2:I fell asleep. That's my opinion. Definitely, but we had to use it as the meme of the week since it's so fresh.
Speaker 1:Yeah, I thought for me it was funny. Hopefully other people appreciated the humor in it.
Speaker 2:Yeah, I did. That's why I picked it. Awesome it yeah.
Speaker 1:I did. That's why I picked it Awesome, awesome yeah.
Speaker 2:Well, that's it. That's all we got.
Speaker 1:Well, thank you everybody. Just a quick couple of notes from the chat.
Speaker 1:You know, sometimes those agents bring us donuts, so I guess that's not a bad thing, or sometimes they don't, and then you know sometimes you got a comment here that you complete the report, submit it and then you can add more artifacts related to the case, because an examination is never done and honestly it's never done, it's only done when you answer the questions. But it could go on forever on the device. All right, Talking about going on forever, which is apparently what I always do. Heather, Heather, do you have anything else for the Goody Order?
Speaker 2:I have nothing else. Thank you so much.
Speaker 1:Thank you. All the folks watching, we appreciate it. We love you. Hit us up in Blue Sky, hit us up in LinkedIn or our accounts in those platforms and others and let us know what you think, let us know what you want us to speak about. If you do something cool, also, let us know what you think, let us know what you want us to speak about. If you do something cool, also, let us know and we'll try to highlight it here and everywhere else. So good night Heather, good night everybody.
Speaker 1:And thank you Good night, bye everybody, thank you Bye.
