Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
The Gift of Expertise: Why Forensics Matter in the Courtroom
Join us for a holiday-themed episode of Digital Forensics Now, where we blend expert insights with personal stories from the field of digital forensics.
This episode delves into cutting-edge tools and techniques for digital forensics. Explore insights from Arsenal on advanced methods for analyzing swap space and memory files. We also share experiences with the Samsung Secure Health Data Parser, highlighting the challenges of decrypting health databases and the critical role of UFED in overcoming them. Don’t miss an in-depth look at the remarkable features of ArtEX, showcasing its value to examiners. Additionally, we introduce the LEAPPS Artifact Viewer App (LAVA), a groundbreaking tool unveiled at the Cyber Social Hub conference.
We discuss the vital role of forensic experts in legal proceedings, from the importance of meticulous validation to the risks of mishandling evidence, and look at real-world cases and a controversial court ruling that highlight why expert testimony remains essential in interpreting digital artifacts.
We close with gratitude to our listeners and warm holiday wishes. Stay tuned on social media for updates on our next live session after the holidays.
Notes:
Working with 010 Hex-Editor
https://www.youtube.com/playlist?list=PLCS2zI95IiNwheFCTaUEytA1GT0mNOOdn
Arsenal Releases a New Tool!
https://arsenalrecon.com/additional-products
Samsung Secure Health Data Parser - A Forensic Tool for Parsing & Analyzing Samsung Secure Health Databases https://github.com/breakpointforensics/Samsung-Secure-Health-Data-Parser-/tree/main
ArtEx Artifact Examiner https://www.doubleblak.com/app.php?id=ArtEx2
Why the Manual Preview/Screenshots May Not Hold Up in Court https://www.forbes.com/sites/larsdaniel/2024/11/13/think-that-screenshot-is-proof-heres-why-it-might-not-hold-up-in-court/ https://www.forbes.com/sites/larsdaniel/2024/12/06/smartphone-forensics-and-fake-texts-how-are-courts-responding/
What's New with the LEAPPS!?
Google Keep Notes https://charpy4n6.blogspot.com/2024/12/google-keep-notes.html
Sign up for updates! leapps.org
door and the music. Here it goes. Welcome to the Digital Forensics Now podcast. Today is Thursday, December 12, 2024. My name is Alexis Brignoni and you saw me just closing the door to my little recording office, and I'm accompanied by my co-host, the Google Keep Understanderer, the Avid or Avid, avid, avid.
Speaker 2AI user.
Speaker 1Yeah, but only in some things, not on all things. The world deserved victory. Lapper, the one and only Heather Charpentier. The music is by Shane Ivers and can be found at silvermansound.com. And there we go.
Speaker 2Hello Heather. Hi, Thank you for the introduction, as always.
Speaker 1Oh no, I mean to me that's the part I do the most research for the show. I'm going to introduce you. I'm talking about introducing you. For folks that are not watching us live or are recording on YouTube, you can see that Heather is super festive. I am From the top of her head with her deer ears and horns to her awesome sweater shirt. No, it's a plain sweater. Right, it's not a shirt. What is it? A
Speaker 2sweater yeah, oh, yeah, yeah.
Speaker 1And she can definitely say that she has the balls.
Speaker 2I can, I absolutely can say that this week.
Speaker 1You have multiple balls there.
Speaker 2Yes, lots of them.
Speaker 1Well, since I'm not going to be well actually. Well, I was going to say I'm not going to be left behind, but I did because your outfit is way better than mine. But I have a nice Hawaiian shirt that has like a beach and you can see where is it. I'm on the wrong side of the shirt. There we go. You can see Santa here with a surfboard, just ready to go. He's doing his last surfing bits in Hawaii before he has to go and deliver all the presents for all the good boys and girls.
Speaker 2I think you're super festive. You just needed some antlers or maybe some balls to hang from somewhere.
Speaker 1You know I'm not putting my balls on the shirt, I'm just going to have the shirt and you can put yours on your shirt and that's all good. So, yeah, Christmas spirit. I mean it's not the day of Christmas or the week of Christmas, but we're close enough so we can do this. We're not gonna have a show, obviously, during the holiday, so we're celebrating a little bit early. So you can see also our background, the entire Forensics Now with a nice little tree there. So it's all good. Yes, yes.
Speaker 2What have you been up to?
Speaker 1Well, uh, doing good. Um, before I say that, there's some folks already coming into chat. So hi, Matthew, and obviously Kevin is around. Kevin is the man with the plan. Always good to see him. So I've been doing a lot of stuff. So what was it? It was on Monday. Yeah, on Monday, ArcPoint Forensics has a series called the 12 Days of Deferment, which is kind of a smart take. Hello, Jake. And on those series, for the next 12 days, she will be interviewing some folks in the field, experts and the like, on different topics. So I was the first to open that series, so I'm really honored about that. And I spoke about validation and verification and that came into AI. It came into a whole bunch of stuff, because when I start talking I don't shut up.
Speaker 2It was a good episode. I watched the whole thing. Very, very good. Oh, check the mail. I appreciate it. Everybody should check it out. Um, and what else?
Speaker 1So, um, uh, all of that has something I'll have to say. We did it with the show, we did the, uh, what was it?
Speaker 2Oh, the Cyber Social, right.
Speaker 1Thank you. So, so everybody's seeing, for some news. So we, um, unveiled for the first time, uh, the LAVA. So that's the LEAPPs Artifact Viewer App. Uh, we made it public, at least to show it. We're not, we hadn't, we have not released it yet because it's still in like an alpha phase. It's really rudimentary, but we got stuff that works.
Speaker 1So we were excited to demo that during the Cyber Social Hub conference 2024 yesterday, and today we talk a little bit more about it, also during the conference. So I'm going to try to show it to you all here as well, at least the larger contours of the app and how that is different. If you're a LEAPP user and again, the first time you hear about the LEAPPs: these are an open source platform that we use, that we develop, Heather, myself and another group of developers, free open source to the community to parse items of interest from iOS extractions, Android, returns from providers, ISPs, vehicles and the like, and now we have a viewer. That's an evolution of the tooling, so I'm going to be happy to show that today. Now, enough about me. How about you, Heather? What's
Speaker 2going on. I can't wait. I'm just on the same topic of the LAVA for the LEAPPs. Can't wait till that's released, because you guys are going to all love it. It's awesome, awesome updates coming. But for me, the last few weeks have just been super busy. We should have had a podcast last week but I was busy, so we're having it this week, but I guess I've just been doing. I've been doing a lot more testing on phone data and I recently, for the first time, um, extracted my own phone. It's finally supported and, um, it's insane. What is in your own phone that you don't even realize is stored, uh, from your daily movements? I can't believe it. Like your personal phone? My own personal phone.
Speaker 2Yeah, um, I'm going through and realizing that a lot of things. I thought I knew what they meant after looking at my own data. I just was a little bit wrong, so I'm changing my views on some of the data.
Speaker 1The good thing for everybody that's listening is that Heather is going to show us all the content of her phone during the show. Oh, definitely. And we will, ever we were able to see.
Speaker 2I mean, I've already given out my passwords, why not give out the rest?
Speaker 1That's a good inside joke for the people that watch the show. So if you don't get the joke, you got to watch some episodes back to get it.
Speaker 2Yeah, definitely.
Speaker 1No, but that's cool. So you're figuring out that your perception of what something means expands as you're looking at your own data, right.
Speaker 2Yeah, definitely, Especially with anything that's cached Like. I'm looking through my cache files on my phone and I don't even have a recollection of ever visiting some of these pages that the files are caching from. So trying to figure out where that comes from and realizing that when I'm testing something on one of my test phones it's very specific what I'm looking for, but there are so many more functions of the different applications that it's really easy to overlook.
Speaker 1uh like how something may have gotten there oh and, and I guess it could be wrong, but as you're going through it, you're not making more connections like, yeah, looking for this, but since I knew I did these other things, oh, look how they come, circle around and hit up oh, big time, big time, big time.
Speaker 2So yeah, it's actually. I encourage anybody who has the capability to extract your own phone see what you have in there. I definitely don't recall some of the stuff that's in my phone.
Speaker 1I don't recall that drunkenness.
Speaker 2Yeah, I don't, I don't recall.
Speaker 1Andrea is in the chat. I haven't seen her in a little bit, so it's so, so happy to see you around. She's the best. Yeah, so, so, yeah, so let's since you brought that up, let's go more into detail, right? I mean, so you look at your phone and what's going on?
Speaker 2Yeah, I mean no, seriously. I am just starting to look through it and I just really am realizing how much is in there and the connections I need to make. I think, as I continue to go through it and we continue to have podcasts, I'll probably have some new things to show everybody.
Speaker 1Yeah, and folks, of course you got to be careful, right, check your own data, careful, right, check your own data.
Speaker 1But if you find something interesting, go and take a test phone and try to replicate some of that in a way that you can share or do research on, because there's something that we definitely need is research and what happens with our tooling. At least some folks make a good artifact, but the test data that they have they might not be able to provide it, and sometimes I make some command decisions. If the person is sending a pull request that I trust and it's a respective person, I will merge it because I trust them, but if I don't know you, I need some test data right, right, in order to merge or to and I guess my point is, one way of giving back to the community is by generating test data sets. Now, you don't have to be an eminence, an awesome, incredible out there person like Josh Hickman that does test data of a whole device and that's crazy hard in regards to the time investment he does on that, so you don't have to be him.
Speaker 1He's high level. But nothing prohibits you from hey, let's do one app or two apps that you found something interesting and share your analysis and share the data, because other folks can build tooling on top of that, like us.
Speaker 2I can share some of my data. You're not getting my text messages or my pictures, but I'll share some of the other stuff.
Speaker 1So I'm not going to know what really you think of me.
Speaker 2No, never. Oh, my God, I see how you work.
Speaker 1I will never share that with you you know what I think it's better that I I ignore all that.
Speaker 2I'm okay with that. Yeah, I'll believe what I want to believe. Um, so, uh, some things to talk about this week. Um, I don't know if anybody saw, but Ali Hadi, um, released or posted about some YouTube videos. He actually did quite a few years ago, I believe, like three years ago, on working with the 010 hex editor. I had never used this hex editor. Have you used that hex editor?
Speaker 1Well, I used it when I saw his post.
Speaker 2Okay, all right, so, yeah, so I had never used that hex editor, but Ali has an entire YouTube video series of kind of the functionality of the hex editor and it outlines the different view options, how to view Unicode files, how to work with and locate specific offsets, how to find things using hex, and it might be basic for some examiners.
Speaker 2Um, but if you're new and you're not sure where to get started with the hex, these videos can be great to to start off with. And also, even if you aren't new, the seasoned examiners always need a refresher on this kind of stuff. So, um, encourage people to check out his youtube page. I'll throw the. I'll throw the banner up now, but I'll throw the YouTube page in the show notes at the end of the of the podcast, which actually, I was chatting with Kevin Pagano and he didn't even realize that we have a blog for the podcast and the show notes are there. They're also on the Buzzsprout page where you can um connect with all of the audio sites for the podcast, so we put them in both places.
Speaker 1You know what, after we're done here, we do some post-production. I need to go and add that stuff to our social media and to other places. So I need to do that as well, so people can get to it.
Speaker 2He shared it out too for us.
Speaker 1So you know this whole thing about hex editors and being experienced or not. It reminds me of this, this meme of you know. There's there's two pieces of paper and they ask the person what's the difference between these two? Right, and one says, uh, you know, uh, learning regex and um, having to learn regex. And then every time I actually I I butchered the meme because I forgot what was learn Regex. Another one where you have to use Regex and the person says there's no difference, the same thing, because if you learn Regex every time you use it, you have to relearn it every single time, right?
Speaker 2Yeah, true.
Speaker 1So with Hex, some of the Hex things, if you don't do it daily, even if you know, understand hex and have a feel, um, you always have to review, you always have to be okay. I'm going to dig into hex, Let me, let me refresh myself of how to do this. And if you're looking for, uh, uh, a tool with some guidance, then this, this uh, Definitely.
Speaker 2Kevin says he facepalmed so hard when he found the show notes.
Speaker 1finally, I facepalmed worse by butchering the joke of the meme, but it's okay yeah.
Speaker 2We all understood what you meant.
Speaker 1Well, thank you, you're so kind. Derek is around. Derek is awesome. He's an awesome examiner. He was also interviewed in Amy's ArcPoint series in regards to forensics in the healthcare arena. So check that out. I have to check it out. And Christian, the master extractor of all things iOS, is also in the chat. So good to see you, man.
Speaker 2Hey Christian, what else do we have? This week, arsenal released a new tool. I don't know if anybody saw, but Arsenal released a tool called Swap Recon. This tool performs brute force decompression of Windows 10 and 11 swaps. So the page file and swap file what are they? System files on the hard drive that act as temporary storage for data when your computer's physical RAM becomes full. So potentially, with this new tool, there's a potential to find many different artifacts in these files, and I actually have a. I'll share a screenshot here of what the tool looks like. So this is what swap recon looks like. Looks a lot like their other tooling, but you browse out to the file that you're looking to process, choose your output and then it will process that swap file.
Digital Forensics Tools Discussion
Speaker 1And this is interesting because, as you were saying, the swap file, it's encrypted, right, and it might contain remnants of activity from the system. So, if you're doing incident response, for example, a lot of good data is there. And well, you might ask yourself, well, some other tools already do this. What's so special about it? I was having a conversation with Mark Spencer, the CEO owner, lead person up at Arsenal, and he was explaining to me how there's some heuristics added to the tool that allow you to really identify items of interest, some strings of interest that other tools might not represent it in a way that you cannot capture as you're doing the review.
Speaker 1I'm not going to give you all the details, because that's something. You should go to their website and kind of check out all the explanations and all the different differences. But, um, he portrayed to me how this tool does this swap analysis plus, right? So yeah, if you're looking for cases in incident response, when you might, for example, I'm thinking of examples when this might be useful: if you're trying to figure out, um, lateral activity or activity or things that, uh, a user, but not a legit user, an actor, is doing on the systems, looking at swap space, looking at page files, looking at hiberfil files. Okay, that type of copy of memory space down to the file system is going to be a gold mine for your investigations and it's definitely that.
Speaker 1Does that for you.
Speaker 2All right, Let me remove that. So last podcast I talked about the Samsung Secure Health Data Parser. It's by David Haddad and I shared a blog. He wrote about it and we shared the GitHub page where you can get the parser itself, but at the time I didn't have the capability to decrypt the database that goes along with that. So the database the secure health database needs to be decrypted to run on that tool and currently there's an issue with extracting in premium and pulling down the key store, so I wasn't able to pull the key store for my Samsung phone. However, I extracted my Samsung phone with UFED and it pulled the decrypted version of the secure health database. So I'm going to show this tool again to kind of give it justice and actually show what it does.
Speaker 1As you're bringing that up. So, yeah, what do you, what's your, your theory of what happened, like it actually the ufed actually dealt with the key store, or what. What's your, what's your theory of the case here?
Speaker 2I don't know um, but I got, I mean it. It parsed, the decrypted, it had the keys obviously to decrypt it and I didn't have it in my other extraction and it decrypted and I have the Samsung Health decrypted copy with UFED.
Speaker 1So if you're missing the key store and your device is supported by UFED, try it. Yeah, I mean it's interesting that you mentioned that, because it really goes with something I mentioned to Amy in her podcast about how some versions lose support or gain support or whatever it is, and sometimes you have to revert back to a previous version, and how it would be useful for vendors to do that, to let us know that. So actually, I think it's Rebecca her name, if I'm not mistaken. We were having a conversation in the comments in LinkedIn about it or how she keeps all the executables from all her tools, all the versions he keeps. She keeps a library of those because she never knows when she'll need to revert back to version x to get something right and and that's that's. That's that's good practice on her.
Speaker 1I think it's a good practice that we should start as well, but my contention is that it shouldn't be that way. She shouldn't have to keep a track of all those old binaries, right? Why do vendors not allow those binaries and not only binaries, binaries and release notes to be easily indexed and searched? I want to look for all the different support of all different devices across all versions, all release notes um, I don't understand why. I mean, maybe there's the space constraints, I mean I don't know um, but I believe that should be available.
Speaker 2I don't know what you think, but uh, well, I have them all, so if you ever need one, um, I do the same thing.
Speaker 1I definitely keep every version that's ever been created, so I mean would you like to keep doing that, or you rather the vendor do it for you?
Speaker 2Well, yes, I'd rather have a vendor do it for me, but it takes up some space on the server.
Speaker 1So free the space please.
Speaker 2Yes, let's free. Yes, definitely, give us the old versions have them available.
Speaker 1Oh, let me say this Some vendors do, it's not all vendors. I don't want to judge all vendors, vendors, you know the same token. But if you're not doing this vendor, then do it. Give us release notes and give us versions.
Speaker 2I'm sure they have copies somewhere for us, right, correct.
Speaker 1You know what They'll ask you for copies.
Speaker 2Yeah, okay, I can back them up. So I was able to obtain the SecureHealth database in a decrypted format from my test phone. There's not a ton of health data on it but, as I said last podcast, you just select that SQLite database file, the decrypted version, and then give it an output location and then just click generate report. Once generate report is done, let me just share here. Once generate report is done, let me just share here it will create reports in both a CSV and an HTML format. So this report here doesn't have a ton of data, but it is an exercise session report. So exercise start time and time, the duration of the exercise, what type of exercise? I have walking, and I have a treadmill combination, walking and jogging in this report here.
Speaker 1Looks pretty nice, yeah it definitely does.
Speaker 2And then this one's got a little more data. But this is the Samsung health step count report, which has a last modified date and time, start date and time and date and time. It'll have, if I scroll over here, the step count um duration and seconds and the actual step count and um. This is not my personal phone, alex, so don't think I have not been working out. This is a test phone. Okay.
Speaker 1I was about to bring the hammer down. What's happening with our routine? Come on.
Speaker 2I swear I'm still going to the gym, just not with this phone. Sure, sure. But this is a nice way to kick a report out from that decrypted Samsung health database. That's excellent.
Speaker 1That's excellent. That's excellent. That's again another view, another thing to try out and make sure it works. I mentioned Rebecca I think it's Graciela that does that, okay, so, yeah, so, make sure I get the proper attribution. But no, no, I mean I'm all for tools, it's the same as I am for validation and verification of those tools. So that's good stuff.
Speaker 2Yeah, all right, let me take this. So another tool. This tool's been around for a little while, but I've never really dived into it. I've used it for certain things, very specific things, but I think, after talking to you, Alex, I decided to go look at it more today and it has a ton of functionality that I'm going to show you. But recently, ArtEx by Ian Whiffen. So if you go to DoubleBlak, his blog, there's an app section where you can go download ArtEx. You recently sat in a class on it, right?
Speaker 1Yeah, I went down to Miami to present on the LEAPPs and some other things and I had the pleasure of getting an ArtEx class from the author and master of all things 4n6, Ian Whiffen, and, uh, I mean, I used it a whole bunch of times, don't get me wrong, but when the person that does the tool teaches you certain things, you're like oh, wow. And well, I'm not gonna steal your thunder, Heather, but some things that, Heather, you need to try these and demo them. So, I'm going to let you handle that.
Data Analysis and Reporting Tools
Speaker 2All right, so I'm going to pull the tool up. So what ArtEx is is it's a free iOS research and validation tool created by Ian Whiffen. It allows the examination of extracted data and jailbroken devices. So the tool has a ton of different features. So I just kind of want to show some of the features. I know I'm not going to hit them all. There's a couple here I didn't even know it had, so I already pre-processed an iOS extraction.
Speaker 2It's a full file system from one of my test phones. Information, exactly what you expect to be there: the Apple iCloud account, any numbers associated with the device, whether it be IMEI, serial number, unique device ID. It has important dates. So this actually has one of the important dates in an iPhone, the .obliterated, and, if you didn't know what that was, it's the last time this phone was reset. It's got settings. So what time zone is my device in? Different types of settings. Message retention, it has Wi-Fi, the MAC address, it has other network-related MAC addresses, and then it has information about iCloud. So one thing I wanted to show is if you go to settings, you can actually go in the settings and view the installed parsers. This will give you a listing of all the parsers available for our app. I'm not going to read them all. There's a ton, but check it out. Installed applications, camera use, there's passcode changes, all the different artifacts that ArtEx supports.
Speaker 1And I love how Ian took the time to make a little icon for each artifact. Like that's a lot of work.
Speaker 2Yeah, definitely For each artifact that it supports.
Speaker 1I'm like that's pretty neat, so I like that.
Speaker 2So back out of the settings here and let me just cancel. So under apps, there's a listing of the applications installed on this device and it gives you the capability to extract the bundle or the sandbox application data for this device or for each application like you connect the phone and it has to be what rooted?
Speaker 1I mean not rooted, it's not an, it's not an android, uh, jailbroken to get that or no.
Speaker 2I I process my extraction. Yeah, so now it'll extract straight up okay yep, so it'll extract that bundle um from the extraction.
Speaker 1Yep I'm, because it also does some stuff live as well.
Speaker 2Yeah, I haven't even tested it live yet. I can't wait to keep testing things.
Speaker 1Yeah, no, it's really really a lot of features, Yep.
Speaker 2Then under the key chain tab is all the information that's pulled from the key chain. So I have I mean, here in the middle is my old Wi-Fi account, it was called Any Dancer the Apple iCloud information is in here. Anything you would find in your keychain you'll locate in this tab. And then there's a contacts tab so the contacts of my test phone here and it tells you where the contacts are coming from address book. And then I have three contacts that are being pulled from Discord. But the timeline feature is awesome so I pre-processed this. But over on the left-hand side you can see all of the different artifacts and you can choose which ones to process. Choose one and hit run up here on the left-hand side and it'll process that artifact. I pre-processed all of them so it would be ready. And then anything that you have checked will show up here in this timeline view. So I'm just going to deselect them all.
Speaker 1Yeah, and ArtEx is really timeline-focused, right, so it's really the key item is time across the different artifacts, so it's really good at timelining things and mapping things. So if you're looking for mapping and timelining functionalities in your iOS analysis, these are great to use for that. I made the mistake of hitting deselect.
Speaker 2All live on a podcast, though, and I now have the not responding, so I'm just going to continue. Actually, I'm going to show a report from it while we wait for it to come back. Yes, so let's see here I have some reports that I created, and I absolutely love this one. So I created. It has the device details. At the time of creating the report, I had the contacts checked, but this is the part I love the best. So I'm always complaining that I hate reporting from every tool, and I always am complaining that I want a really good timeline and I want to be able to put the artifacts that I want into the boxes that I want them to be. This is the closest I've ever seen to what I want for reports, so I'm going to just scroll down to September 23rd, because I know what data is in there.
Speaker 1Hold on one second, so, and what we're seeing is pretty much a list of of the dates right and and and there in the, uh, in the at the end. What does it say at the end?
Speaker 2Um, so it says show. So I'm going to grab Saturday, September 23rd, and hit show and you have the artifacts that I chose to put into my report in a timeline format for the 23rd. So I have health data here. I have some Wi-Fi data. I'm going to expand September 24th. Got some more health data. Have some Discord messages.
Speaker 1The collapsing of the day is genius.
Speaker 2Oh my God, I love it it.
Speaker 1I had no idea it did this it's genius because then you can open whatever days, uh, you need and, and you know, most timelines show you everything at all times. Yes, navigating a little cursor through the timeline, you end up six months before, six months after where you want to be right right, right, and this is a really good way of controlling that that movement updates so I have some wi-fi data here and I'm just gonna scroll down a little more.
Speaker 2I have some uh, some images that have location data and it has a little map with a camera and an arrow to where that image was taken oh, perfect, perfect, love it um, images come right up in the, which I love because there's a lot of tools that don't have the actual images in the timeline.
Speaker 1I mean, if the media is not there, then what?
Speaker 2I know what's the timeline for the name of the picture is. Oh, that's so helpful. Data usage. We've got some SMS that are received and then some phone calls on this date, so I absolutely love this timeline feature. Let me see if ArtEx came back after I angered it. Ah, wonderful. I was afraid it would crash and it didn't. So-
Speaker 1You just need a faster computer. That's all you need.
Speaker 2Right, right. So, um, I deselected everything. So, um, you saw a clear screen here. When I deselected everything, I just rechecked the battery level. Now I only see the battery level in my timeline, so I could potentially uncheck here the ones that I don't want and only choose. Say, I only wanted one day of the battery level, just check the day that I want. Um, so I love the timeline feature. Was there anything else in the timeline feature that you learned in class besides what I've showed?
Speaker 1Oh, no, no, no, I mean, you showed it well, that's fantastic.
Speaker 2Yep, the chat view. I love the chat view too, so all of the conversations are here on the left-hand side. So I'm going to just flip to a Discord message. You can flip to a regular SMS message and it all comes up in the chat view with the bubbles which everybody's looking for for courtroom presentation. This is beautiful for a courtroom presentation.
Speaker 1Everybody's looking for them. We had to put bubbles in our tooling as well.
Digital Evidence Authenticity and Reliability
Speaker 2: Yes, that's what people want, they do. It just presents so much better if you have to go to court on a case. Then there's a Gallery tab. All of my images are gathered here in the Gallery tab, and the Locations tab, so this one has some really cool features.
Speaker 1: That's my favorite tab.
Speaker 2: Oh my God, I didn't even know about some of the features in here today. Ian just told me about it, so I have to show them. But you can choose over here toward the left, on the top there's a button that says Sources, and you can choose which sources you want your location data to come from, what you want to show. We all know, working in forensics, that some of the location data is super reliable and some of the location data is just not as reliable as others. So if you wanted to just come in and pick your iOS cache locations, which we know from the Cache.sqlite are very reliable, you can choose that and hit Update. Once you hit Update, all of your cache locations are here. The little maps on the side show where I was. You can see down in the right-hand corner it says Building 22. That is the building that I work in, so I was most likely parked in the parking lot that day.
Speaker 1: Well, and I did like the triple view there, where you have like a real overview of, kind of, the cities around it, a closer overview of the roads, and then really zoomed in, all three there.
Speaker 2: So that's pretty awesome. And then what I learned about today is he has a feature called Flip. This is where you grab the locations that you want. Say you want these 10, or whatever I just grabbed, highlight them, and then up on the top, toward the left-hand pane, is a little book-looking icon and it says Create Flipbook. If you click Create Flipbook, it will turn them into this nice view here, which I'm going to show you right now, and then you can hit Play and it will literally flip through the locations that you have chosen to present.
Speaker 1: Oh, that's fantastic, because I mean, I think these are pretty static. But if you have a data source that records locations with a short window period, it's like a little movie, right? It's awesome. Yeah, moving around the road, parking, doing whatever, right, and it looks like a little movie going across as it moves. So it's pretty neat.
Speaker 2: I'm going to flip to the other one, because this one will actually show some movement down the road here. So this one, you can actually see the device moving on the Adirondack Northway, which is in New York near me.
Speaker 1: That's exactly what I was talking about. Yeah, perfect.
Speaker 2: Yeah, there's the option for this flipbook to save it out as an HTML or to save it out as a video. I cannot think of a better courtroom presentation for locations than this. I don't think that I know of another tool that does it like this. And I was just so excited today because Ian sent me an email: try the flipbook. I'm like, what is the flipbook? Can you tell me what to do? And he showed me what to do and I got this done right before the podcast for the presentation.
Speaker 1: So, for the folks who are listening, either watch it or download it and try it yourselves. Oh yeah, we're looking at, obviously, a vehicle, you know, going down the map with little arrows indicating directionality.
Speaker 2: It's great, I love it. And then, of course, the very last tab, here you have your Directory, so you can navigate through the file system.
Speaker 1: But the tooling, and this is what Heather showed from an extraction, but the tooling has features where, if you connect a device that's been jailbroken, you can do your research pretty much live. You can interact with the phone and immediately look at ArtEx and see the contents of whatever databases you're working on and see those changes live. So instead of having to download the phone every single time you want to see a change, you can make the change and immediately look at it through the tool and continue your research. It's such a time saver. So if you're interested in doing iOS research, get a phone that you're able to jailbreak and you can use ArtEx to do that work. Yeah, definitely.
Speaker 1: I don't even want to take it off the screen because I'm so excited about this location. We should put it as like a moving background to all the episodes, the maps going around, the arrows moving. It's pretty neat, it's really cool.
Speaker 2: I can't wait to actually go use that feature in one of my cases. I have not yet. So very awesome work by Ian Whiffin.
Speaker 1: Absolutely, absolutely.
Speaker 2: All right, and I'll have the link to download that in the show notes too, so that everybody can find it now.
Speaker 1: And the best is the price, right? Oh yeah.
Speaker 2: Yeah, the price is awesome.
Speaker 1: So just get that. You won't regret it. It's good stuff.
Speaker 2: So I recently came across a couple of articles in Forbes magazine, and they are referencing the use of manual previews of phones, so like video recordings or photographs of phone data or screenshots, and whether or not they have the capability to hold up in court. The Forbes articles were both written by Lars Daniel, and if you don't follow him on LinkedIn, he's got some really good stuff. But the question is, can screenshots of text messages be used as digital evidence in court? Is simply taking a screenshot of a text message enough to use, and is it reliable enough? I would say my opinion on this is no. They're really easy to fake. It's hard to authenticate. There are editing softwares out there, there are fake message generators out there, and it's really easy to manipulate device settings, which these articles, the two Forbes articles, actually outline very well. What's your thoughts?
Speaker 1: It's tough, right, because we don't always have access to devices in order to pull the data out. And what I mean by that is you can have the password, right, but the device, let's say a latest-version mobile device, you can see it on the screen, but the tooling hasn't caught up to it enough to pull it out. And what do you do? Well, there was no crime, because I can't take a screenshot? And so let me make a differentiation, at least from my perspective, between taking a screenshot with the device and taking a screenshot with a third device. Right, and I say that because my process is, if I find myself there, I will take a camera, and I don't take pictures of the screen. I take videos of the screen. I mean, could my video of the screen as I scroll through be, um, you know, altered? Well, sure, that's always possible, but I think that, showing my process as I thumb through the phone, you can see my finger going through it step by step, step by step, it's a little bit more credible than taking screenshots with the device, which again will be altering the device to begin with, and then trying to go through certain processes to get it in my video.
Speaker 1: I think it's a little bit better. I start my video as I would start a recording, a voice recording: my name is so and so, today is the date, this is the time, you can see the time on the phone, we're going to preview or look at data within the application through the device itself, and I start doing my work. Again, that shouldn't be your normal practice, at least from my perspective. Like Heather is saying, if you have a tool that does the extraction, then do that. Do that always. Go do that.
Speaker 2: Oh, 100%, always. If you have that capability, always, yes.
Speaker 1: You're going to solve so many problems before they even start. Okay, but sometimes we've got no choice, so we have to do the best we can, and my perspective is taking a video camera and recording from the screen itself, not taking screenshots of it per se, if that makes sense.
Speaker 2: Right, my worry too. I mean, if it's all you can get, it's all you can get, there's nothing more you can do about that. But just taking screenshots of the text messages, what are we missing? Are we missing possible exculpatory messages that were deleted, because we don't have access to deleted through a manual preview that way, or possibly just being able to connect the dots and see the entire picture? I don't think I could ever do that through a video of the evidence versus having the full extraction.
Speaker 1: Well, I mean, so somebody takes some screenshots, right, and you're the expert on the opposing side, and they go, please validate the screenshots. How am I supposed to validate these screenshots? What you're asking me is to square a circle, right? Like, you know, give me a square without any angles. Well, you can't do that. I cannot validate that, right? I know you're laughing, I know. So you can't do that, okay. And, um, you know, I had a meme some time ago, and I'm not gonna butcher the joke on this one, all right. There's a scene in Spider-Man where, uh, you know, Osborn, the Green Goblin, before he turns Green Goblin, he has a conversation with Peter Parker and he tells him, I'm somewhat of a scientist myself, and explains why, right. Well, the joke is that an IT person sees some chats that are important, goes and screenshots the chats, deletes the evidence because I have the screenshots, and says, I am somewhat of a digital forensics examiner myself. Let me show you why. Look at my screenshots, right? And that's kind of the punchline of the joke. Well, no, right, we need traceability, we need the verification of that data, and with just plain screenshots you're not going to get it. If you find yourself in a position to only have to do screenshots...
Speaker 1: You've got to think of ways: how am I able to verify or validate my work by verification of this data, of these screenshots? What's my best evidence? Right, and I think that's something that the, I'm going to jump ahead, because I love the concept of best evidence. A little bit of a soapbox moment: the courts.
Speaker 1: From my experience, I'm not a lawyer, even though I stayed at a Holiday Inn last night, um, old joke, for people that watched TV back in the day, um, best evidence is important. What is best evidence? The conversation that we're having right now, that we're listening to. Let's say you were here in person. What you heard is the best evidence. You heard my voice, but now we have a recording, now put out to the world. Well, my voice, after it leaves my mouth, it dissipates in the air.
Speaker 1: Right, then what's my best evidence? Your recollection, and what's even better, a recording. And then now the recording is your best evidence. But what happens if Google burns down and this is lost? Well, guess what? We have another recording, an audio recording in Buzzsprout, in the podcast. Well, now that's my best evidence. So the courts will look at your piece of evidence and will ask you, why didn't you get the best evidence? Why are you taking some screenshots when you could have done an extraction? You could have done this, you could have done that, right? And I think the courts will lean towards not accepting those because they are not your best evidence.
Expertise and Evidence in Courtrooms
Speaker 2: Right, yeah, I agree. So there are some court cases that were referenced in these articles. I'm just going to read one. So, United States v. Vayner. So in this case, a screenshot of a social media profile was introduced as evidence. However, the court ruled that the screenshot lacked sufficient authentication, pointing out how easily digital content can be fabricated or altered. The ruling underscored the need for proper forensic verification of digital evidence to ensure its reliability, and it goes along the same lines as what you're saying.
Speaker 1: Well, and the comment you put up from Brett, and again, I always love Brett when he's in the chat, he always brings so much good input into the conversation. He's saying that best evidence is dependent upon the totality of the circumstances, and that's absolutely correct. That's why I was mentioning, if I find myself in a position where I cannot do the extraction and I have to look at the thing, the circumstances, I explain them, note them, take a video of the screen, try to put some validation of me talking through the process and seeing my hand, just to show the whole concept. But at the end of the day, the circumstances are important and the courts will judge that, which means you need to make sure you record those circumstances accurately and in detail in your notes, contemporaneous notes, properly initialed and dated, for that to be able to be considered.
Speaker 2: Besides just us doing manual previews for screenshots too, the articles also outline when a victim gives a screenshot, right. So Lars actually outlines a real-world example in a case that he worked on, where a defendant was sent to jail for violating a restraining order between them and the defendant, and the messages contained threats, including threats of bodily harm. The writer and team questioned the reliability of the text messages and ultimately proved that the victim had faked them, so after spending six months in jail, the charges against the defendant were dropped and he was released from jail based on this evidence.
Speaker 1: That's amazing. That's amazing. Look at what could happen if we don't take the proper steps.
Speaker 2: Yeah, definitely, we'd get the best evidence. Yes, I go for the full extraction anytime you possibly can. Yeah, and if you're not able, document, document, document.
Speaker 1: And if you think you have enough documentation already, document some more.
Speaker 2: Just, yeah, yeah, document everything. All right, let me, so, um, digital experts are no longer needed in court. Did everybody know that we don't need them anymore? We've all lost our jobs.
Speaker 1: So, so this, go ahead. I got triggered when I came across this thing, but then I calmed down as I'm reading through it.
Speaker 2: But yeah, go into it, go into it. So this week, um, if you weren't part of the, I think over 100 comments now, uh, there was a social media post on LinkedIn by Andy Garrett. Andy Garrett is a digital forensic expert in the Orlando area, and I'm just going to read his post. So his post says: anyone paying attention to what the courts have been sold lately? Prosecutors are saying that digital forensic experts aren't needed anymore, that Cellebrite reports can be understood by a jury and no expert testimony is needed. The courts agreed.
Speaker 1: Yeah, and I got immediately triggered by that, but, you and me both, I had to step back, especially after reading some of Brett's comments, and think, okay, well, before I get too triggered, like, what case is this? Right, I need to know the details, because, and again, I mean maybe Garrett couldn't talk about the case.
Speaker 1: Maybe it's an ongoing case or something, so maybe he did not give details, right, but my thought process, and reading Brett's comments, you know, the context is important, right. Why did the court determine that an expert was not needed in a particular scenario? That's important, and it might not be as bad as it seems now. That being said, right, why I'm still a little bit triggered is because I see, and tell me if you agree with me or not, I see across prosecutors, defense attorneys, even folks that work in this field, this concept of, hey look, I just get the tool output and if it is there, that's all that I need. Right, do I really even need to testify to it? The tool did everything that is needed. And as long as I put tool output in the hands of the juries or the judges or the stakeholders, I should be good to go, and kind of minimizing the role of the expert in interpreting and analyzing the data. And that's still true, even if that particular case doesn't show that, if that makes sense.
Speaker 2: Right, yeah, I don't know. Experts are needed. Experts are definitely needed. I know we were talking earlier about, like, the non-expert that does the extraction. Right, they repeat the process over and over again and they have, I think you said, their SOP, and maybe they don't have to be the type of expert like we are, right, like everybody in the chat is, how they're able to understand and explain the analysis and what all of the artifacts mean. Um, but where does that end? So, um, I don't know.
Speaker 1: I think I'd rather have experts working the case from start to finish. In my opinion, I mean, in an ideal world, I think that would be the best-case scenario, right? Yeah, um, but how many experts do we have to handle that, right, versus how much work needs to be done, right? That's the problem.
Speaker 2: Yeah, that is the problem.
Speaker 1: Most labs are backlogged, and I know you do a lot of work, so even without you telling me, I would assume there's some backlog in your lab.
Speaker 2: Oh yes.
Speaker 1: I mean, labs that do work will have backlogs. That's just how it is, because there's always more demand for the service than the folks that are available to provide it. So what's the solution? What's the middle ground here? I have an opinion on that.
Speaker 2: I said I don't know, I just don't. I mean, there is, there's a backlog. There has to be a happy medium somewhere in the middle where the data is getting out quickly, so that maybe somebody who isn't fully trained in forensics can read the text messages or go through the call log. But it just worries me how much of that responsibility we put on somebody who's not technically trained.
Speaker 1: Oh, I mean, and I agree with you a hundred percent. So this is my solution. It doesn't mean it's the solution or the best solution, just something to consider. I think that we could define a technician role, where the technician will make sure that they extract things and they handle the tooling that does the extractions, and make sure that they follow a standardized procedure for how to do the extractions from all types of devices. And as devices change, those standard operating procedures will change with it, and they will have knowledge kind of constrained to the extraction process.
Speaker 1: Anything above that regarding parsing and analysis will go to a qualified expert, and that doesn't mean the expert has to do expert analysis in every single case. Of course, I've done a whole bunch of cases where the only thing that's needed is a chat and everything is there. There's nothing else for me to do. All that's needed is in the chats. I don't need to look for 20 more dots, because that's all we need, and that's not expert testimony.
Speaker 1: But this is the thing, and Brett was making a great point in regards to the context of the case. Somebody provided some case example where this happened, and in that case the court determined that an expert was not needed to just operate the tool and show that output, in light of it being extra evidence. Like, the case was already proven 20 ways over before it got to that, right. So, you know, I guess a concept of inevitable discovery, in the sense that we have so much evidence that this little thing is not going to make a difference, right, and that's the context that maybe Brett and others point out, that there's different contexts for these.
Speaker 1: Now my point is, what happens when we think, oh, this is just item number 20 of all the evidence we have, that's plenty, right, and at court it shows that that piece of evidence has a more profound meaning, right, during trial? Right, and it went from something irrelevant to something really important, right? I think we'll be in a better position if an expert is available or has touched that evidence in order to go into it. Okay, because people can only speak about the work they've done, and that work they've done is informed by their experiences and by their training, and I want the expert, if things go sideways at trial, to be the one in the seat, in the hot seat. And the courtroom is the coldest place in the world. It's not the North Pole, it's not Antarctica, it's the courtroom. It's the coldest place in the world. Is it true or not, Heather?
Speaker 2: Yeah, oh, yeah, definitely.
Speaker 1: I don't care what courtroom you go to, it's always going to be cold, yes, but that witness seat is going to be hot, and I want my expert to be sitting there if things go sideways, right. So I think, that's a lot of words to say, yeah, some roles can be a technician role and some roles can be an expert role, even if every expert role does not lead to expert testimony, and I think that's kind of the solution that I think we need to try out and see how that works.
Speaker 2: Yeah, I think to kind of differentiate between when you need a technician and when you need an expert, we need to be educating our prosecutors about digital forensics more. If they have a better understanding of what we do, how we do it, why we do it, what things mean, then they'll know when they need that expert for their case. I know it's extra work none of us want to do, but if they don't understand it, then we run that risk of possibly having the non-technical person testifying to something an expert should be testifying to.
Speaker 1: Well, and the drawbacks that come from that, because that person that doesn't have the experience and the training will not be able to convey to the jury or the stakeholder what they need to know about it. Right, good point here by Brett. You want to read that?
Speaker 2: So, digital forensic evidence should be, at a minimum, reviewed by the organization's expert before it's submitted as evidence. Peer review, 100%.
Speaker 1: Yeah, and that's something that, for example, we do in some organizations, where your trainees and all that, they can do the work, but it's not going out the door. We have the expert signing off on that work on top of it, yeah, to make sure that it's properly done. So that comes to kind of like a peer review concept as well, um, but also kind of that seal of approval from somebody that has the actual expertise to speak about those things. So that's a good point.
Speaker 2: Definitely. I think part of the problem too is we're all being sold, being told, about the quick, the easy, the faster data that we're able to get from the tools, and that's kind of downplaying the actual forensics behind what we do.
Speaker 1: The word sold was correct, you didn't need to change it. We are being sold, literally. We're being sold, yeah.
Speaker 2: And it's just not. It's not. Sometimes it can't be quick, it can't be just easy. In my lab things go wrong constantly, obviously, I mean in all forensics labs. But my favorite thing to say to the newer people is, welcome to forensics. Nothing's quick, nothing's easy. Things go wrong and you need experts to be able to handle that. And I don't know, I don't like the advertising of, everything's just here, push this button, quick and easy, and we're all set.
Speaker 1: Or go to the bootcamp for a week and you're an expert.
Speaker 2: Yeah, exactly, exactly.
Digital Forensics Tool Development Success
Speaker 1: I made two comments, but something real quick: 2025 for me, I got three concepts I want to really kind of build on as I do my social media outreach and all that, and one of those is probity, so the quality of being a moral agent as you are an investigator and a forensic examiner, your morality and your values as you do your work. Another one is attention to detail. Attention to detail is making sure that you're not missing anything and you're, you know, looking for the things, the small things that could make the large difference. That takes time, going back to the point that we're making, right. And the third one is due diligence. Probity, attention to detail and due diligence. Due diligence, we can't just go with the superficial: oh, I got two or three things. Well, we are required to look at five, six and seven as well. And even if you know that you're not going to find anything, you still have to do it, you do your due diligence. Those are the three main things I want to focus on in 2025. And I say that for myself first, but also towards others, and all those things take time. You cannot rush through them, right.
Speaker 1: There's backlogs, it's true, and folks, don't think we hate toolmakers or hate tools. We love tools, we need tools. Heather just spent 20 minutes loving a tool. I do. Praising a tool, right, but the tools are only as good as the person driving them and doing the work behind it. For that, verification of data or validation of the tool, the process as needed, and that cannot be overlooked. Tool vendors, and I understand it's a business, are not going to be upfront with the flaws or the limitations of the tool, because they're trying to sell you something. So they're going to want to be upfront with their best foot forward. I get it, I get it, but we have to look at the marketing and be skeptical and conscious consumers of that marketing. We're going to use the tool, we're going to buy it, but be realistic and look for where the gaps are, because our job is filling those gaps to make sure we have a good product and good outcomes.
Speaker 2: I'm going to read Brett's comment. The medical field has CNAs, LPNs, RNs, APRNs, CNLs, PAs, and then the doctors, the experts. DFIR will probably end up the same way because of backlogs.
Speaker 1: You know, and it's true. What I like is the answer from a person that we love. She's saying that, well, actually the medical laboratory scientists are the real medical field experts, and I'm laughing because I've seen sometimes the nurse telling the doctor, hey, you shouldn't put that medication on the other.
Speaker 2: You might kill the patient.
Speaker 1: And the doctor is like, oh yeah, that's right.
Speaker 2: So that would be my sister. She's a medical laboratory scientist, just in case you didn't get that from her comments.
Speaker 1: No, good stuff.
Speaker 2: We love you, Holly. So I'm going to skip down a little bit, because we're getting close to our hour and we're going to save some of our topics for the next podcast.
Speaker 1: But let's hop down to what's new with the LEAPPs.
Speaker 2: Oh, there's a lot, there is a lot. So that's why we're going to hop right down to it, by somebody that's awesome and incredible.
Speaker 1: A cool programmer developer, that's just... At first it was kind of getting off the nest, a little bird. But now it's flying. Can you tell us who that is, Heather?
Speaker 2: Well, yeah, Johan's students created a parser this week.
Speaker 1: Yes, that's true, but that's not the bird I'm talking about.
Speaker 2: The other bird. So actually, so I created a new parser for ALEAPP, and it is the Google Keep Notes. There already was a parser for the Google Keep Notes, but Google Keep Notes changed, and I found that out in one of my cases when I parsed it with all of the tools I have available to me, and the only things in the notes that were being parsed were the timestamps and the title of the notes. I was missing the entire body of the notes and the attachments of the notes. So I needed that, went into the database, found the note, it was actually very pertinent to my case, and had to figure out how to report on that. So I, with the help of somebody else who's pretty awesome and might be a co-host in this podcast, just saying, um, was able to get the data that I needed for my report, and that case went out. Uh, so, and it's up on ALEAPP now. I'm just waiting for somebody to approve it.
Speaker 1: Kevin, get on it.
Speaker 2: Kevin's looking at it for me, and I actually took the time to write a blog on it, so I'll post that in the show notes. I don't have it right here with me to put up on the screen. But so the way Google Keep Notes works, though, I parsed, or am able to parse, the section where the notes are stored. But you also can share notes in Google Keep, so there'll be a creator of the note and you can add collaborators to notes. That part I don't have completely figured out yet, but I'm working on it, and I've put in the blog the sections that I have figured out so far. And a quick comment there.
Speaker 1: I love that. You know the process, the thought process. Heather goes to the tools. What's her assumption? Oh, there's no notes here, because the tool didn't give me any notes. No, she went in and made sure she was not missing something there, and she immediately discovered that the tools now had a gap. They didn't have it before, now they have it again. We have to be careful with those assumptions: just because it did it in the past doesn't mean it's gonna do it in the future. Yeah, and now she filled that gap and now we all benefit. Now I benefit, now I run the tooling and I can find those notes that the other tooling doesn't find. True, sorry. So thank you, Heather, for sharing that with everybody.
Speaker 2: I've got to throw the ALEAPP report up too, even though it's not there yet. So now we have the time created, the last updated time, the last time the user edited the note. This one is a note with more than one image, which I got help with, and let me tell you, the help with.
Speaker 1: It wasn't that much help. I gotta give her so much credit, because I saw the parser, right, so the background, and I saw the one picture per row of her record, and I'm like, Heather, what is... there is two pictures. She's like, oh yeah, they might have more pictures. And she looked at some sample code that I directed her to and she figured it out. So really proud of you. That's well done.
Speaker 2: Well, thank you. Also with the LEAPPs, though, Johan, who we talk about all the time, that is a major player in the LEAPPs, he had his students create a parser for the app PayByPhone. It's an app that he says is widely used in Europe. I've actually never heard of it, so I looked it up to see exactly what it does. It's a quick and easy way to pay for your parking, and the app actually has the functionality to pin the location of a vehicle once it's parked, so that the user can easily find the vehicle when they're trying to return to it, which we all know, based off of that, we'll have some beautiful location data.
Speaker 1: Oh yeah, and the fact that now folks from overseas, from the US perspective, are adding to the tooling, to the LEAPP tooling, that's something that makes me, you know, emotional in a positive way, because it's not just folks in the US, it's folks in Europe, folks in Africa, folks in, you know, Australia, New Zealand and Japan, that now we're kind of building that worldwide community. One of our key developers right now, and he volunteers his time, is across the sea, now to benefit everybody around the world. So I do appreciate that, and I would want to make an invitation to listeners that, if you're involved in the educational sector as an instructor, professor of forensics or computer science, look for projects like ours that are open-sourced, and you can mix in within your lessons the applicability of your lessons through the development of these tools. In his case, his students learn how to look at unparsed apps, how to identify items of interest and then automate those results in reports that are easily digestible to lay users. And they decided to use the LEAPPs for that purpose, and Johan told me that the students loved the project.
Speaker 1: They really felt that it was a worthwhile endeavor and that their knowledge, their academic knowledge, had an actual real-world application that they can point to. And not only point to as a self-fulfilling aspect of their studies, but also, when you go out into the real world and work, you can point to those projects that had an impact that you were part of. So educators, we'll be happy to have you, and not only to code. If your students do technical writing, we'll be happy to have them help us with some of the documentation for the tools, or do some graphical work. We'll be happy also to receive collaborations on those. So please reach out to myself, to the podcast's social media, and we'll be happy to get in touch and maybe work together on expanding the tooling and expanding your coursework. Nice.
Speaker 2: I think you have some stuff to talk about with Lava, correct?
Speaker 1: Yes, it's hot, it's molten rock hot. So I think I mentioned at the beginning that we got the Leaps Artifact Viewer app called Lava, and on Monday, like I said, myself and James, we gave a demonstration of the tool. So that's what I'm going to do today. Let me just share my screen so we can do that. Share my screen here. I'm going to share the screen that doesn't have all the junk. That's actually clean. So, entire screen. Here we go, boom, all right. So we got a clean screen here and the first thing I'm going to show you is how the Leaps.
Speaker 1: When you run the Leaps, specifically right now, iLEAPP. We changed a few things. Can we see that, Heather? Yes, the Leaps folder. Right. So you run the Leap tools and if you're not familiar with the Leaps, I explained that at the beginning. But you can go to github.com/abrignoni and you'll see all the repositories for the Leaps. You can download them and play with them.
Speaker 1: When you take an extraction from an iOS device and run it through the tool, you're gonna get a report like the one here on the top of my screen. It's named iLEAPP reports and the timestamp for the day the report was run. Now the way the reports are organized, you will see it's just really clean. You will see an HTML folder with all the HTML reports for the artifacts that were discovered by, or to say discovered, I should say parsed by the tool. Before, it didn't used to be this way. I would have, it's my fault, I would have HTML reports all over this directory. It was kind of a mess. So Johan and Kevin and John and James kind of helped me clean this up quite a bit.
Speaker 1: Now the important things here are these two files, _lava_artifacts.db and _lava_data.json. These are now, as we update the Leaps, they will be producing this in your report. That's what the new viewer will necessitate in order to show you the data in a different way. Okay, so let's keep that in mind. I'm going to show you here a super alpha installation of Lava. That's why it has an extra A at the end. So this is not production quality yet, but I want to demonstrate that for the folks here in the show. So I'm gonna run it, and what we're gonna see here right now on the screen is an Electron app that has React running in the background to do this type of work. It says Lava 1.0, part of the Leaps family, and there's a display settings, and I start there with the display settings, under theme settings. You can go to light like that. If you want to burn your eyes, you're free to do that. Like Heather, I guess she might use shades when she's sitting at her computer.
Speaker 2: I set the Leap report that I showed tonight to dark.
Speaker 1: Well, thank you, you're welcome. All the vampires, we'll use it as dark, right, and then you can open a project. So what you do is you have your Leap report that's compatible or compliant with the Lava viewer. You're going to hit open project, go to your Leaps report, oops, there we go, and then select that _lava_data.json and hit open. The project will open that data, look at the database and populate the fields.
Speaker 1: This is a limited data set. It's quite small, but you will see here on the left all the artifacts. In this case it's user activity. It's gonna be three artifacts with 163 records on those. So if I open it, you'll see how it's broken down by artifact and how many records each artifact has. The more artifacts are parsed, the more you'll see here on the left pane. I want to make a quick note here. In the demonstration we did on Monday, James made a synthetic data set, so it's not real data, but it looks like real data, to run on Lava. The thing was that he used over 2 million records for that piece of data and Lava is able to display it in a blink of an eye.
Speaker 2: That's insane.
Speaker 1: It's insane fast. I couldn't believe it. The issue we were having, that's why we're moving to Lava, is that originally the Leaps did reporting, HTML reporting, and HTML, if it's a really large HTML, your browser will crash, and you will tell me that's really stupid, why did you select HTML? Well, you know, I can only do what I could do when I could do it with the knowledge I had at the time, but this is not that weird if anybody has processed lately, or looked at, a return from Meta, Instagram or Facebook. What are you receiving, Heather? Do you know what you're receiving?
Speaker 2: I don't get a lot of returns, but I have heard that it's just tons and tons and tons and tons of data in HTML.
Speaker 1: Yeah, it's one HTML with five gigs of data. Yes, I mean, you can't see it. There's no browser in the world that can open it. Right, it's ridiculous, right? So you know, even Meta still does this, right. So I don't feel that bad. But we have to think of a solution and I'm so grateful for James and Johan and all the crew that we came up with this, right. And again, that's a plus to James. He's kind of spearheading this part of the project, where now we can look at all these really large amounts of data pretty quickly. For example, I hit here the keyword application usage and let me put this in and it loads there. You can see there all the different data that you can see. Again, these are really simple artifacts.
Speaker 1: They're not large ones, but the ones that James showed were millions and millions of records. If you hover here over the dates, you get a cool view of different time formats in ISO, UTC, Unix epoch, and how far away that timestamp was generated, for example, a year ago, two years ago, three months ago, which I really like a lot. And if it's DST, leap year, it's fantastic. And the tool also allows you to change the offset. If you go to display settings, you can go with date and time settings and then you can select, and I know this is something that Heather will appreciate, you can select any time zone that you care about, because Heather's a heretic and she does not believe in UTC.
Speaker 2: I don't, I want it in my time zone.
Speaker 1: Yeah, I don't know. You're an infidel. You need to do things in UTC.
Speaker 2: It's the daylight savings time. I don't want to have to try and figure out what date it changed up on the stand and get it wrong. I just would rather have it account for it for me.
Speaker 1: Well, until you understand, and you have one timestamp that's DST and another isn't, and they're both from two different time zones and you're trying to testify to those. Good luck.
Speaker 2: I know, I know. I still want my time zones.
Speaker 1: No, I'm also kind of being, I'm kidding. We need the time zones. I mean, we need the time zones. We need to make this understandable to our users and they're not going to deal with UTCs. So I'm just trying to be quasi-funny. So, yeah, it's right here, you can change it and you can change the date format. I believe only in ISO date times. But hey, you want to also be a heretic and change the date format? You can also be wrong and change it here.
Speaker 2: That's not wrong. I like Brett's. Brett's suggestion is right. The world needs to be on UTC, one time zone for everybody.
Speaker 1: I mean, the world is, it's just that we don't want to accept it. I mean, UTC itself is not a time zone, right, it's just a time. Yeah, that's true, a time zone is an offset of UTC.
Speaker 2: See, now I'm getting pedantic, very picky, very picky.
Speaker 1: Yeah, but yeah, so these are the settings. Yeah, I get distracted easily, squirrel. So in this type of view, we're going to add a whole bunch of stuff to it. We're going to add some, the media viewer, which we're working on, we're going to add, hopefully, you know, in the future, be able to generate sub reports, kind of tags and bookmarks, and then generate sub reports of that, export formats. And now we're taking the work that was done at the parsing stage and kind of segmenting it. So the parsing is the parsing. All these display enhancements or conversions will happen apart from the parsing. And this is a good separation of responsibilities on the tool, which gives us a lot of flexibility moving forward.
Speaker 1: I want everybody to, if you could, go to leapps.org, L-E-A-P-P-S dot org. Thank you so much and please sign up for notifications. If you sign up, we'll let you know when the latest Leaps, be it iLEAPP, ALEAPP or whatever, have been updated and there's new binaries for you. And we'll also let you know when Lava will, when it's ready to be released. We'll announce it through that list, that notification, that Lava has been released. So please sign up for that. The page right now is just a sign-up form, but in the near future we're going to make a full-feature website that talks about the tools. We'll have documentation. We'll talk about Lava and point you to the right places to get the right things. So we're going to hopefully build on this website moving forward.
Speaker 2: Very cool. I can't wait until it's released. Very excited.
Speaker 1: Again, the speed and all the things that we're building. Again, I've been blessed to have such great folks around me, including you, of course, experts, colleagues and friends, so it's a good big, in the holiday spirit, it's a big work of love.
Speaker 2: A big work of love. Okay.
Speaker 1: Oh, come on, come on, I love it. Just vibe with me, please.
Speaker 2: It's perfect, it's perfect.
Speaker 1: Thank you, Heather, thank you.
Speaker 2: All right, so everybody's favorite time, Meme of the Week. Yeah, let me share, let me share. Ah, there we go. So the meme of the week this week is a tree, and the tree says the apple doesn't fall far from the tree. And then you see a little apple on the tree and it says, if it is not on the automated tool produced report, it doesn't matter. And then you see the tree throw the apple, and I think it's perfect. Perfect example of not everything is in your automated tool report.
Speaker 1: It's an express example of what Heather will do to you in her lab. Yes, she will open the window and throw you out the window really far away, like the tree threw that apple really far away.
Speaker 2: People actually say this to me in the lab just to irritate me. I haven't thrown anybody out the window yet, though. Yes, coming.
Speaker 1: I made this joke because I hear that too often and it, yes, kills me. So, yeah, you're gonna be falling really far away from me. Because, no, I made a point, and I was interviewed for the Forensic Focus website a couple of days ago, so that should be coming out soon. And I made the point that the real job of a digital forensic examiner is not to show what the tool finds. The digital forensic examiner is not to show what the tool finds, all right.
Speaker 1: The job, the real job description, is to find the things that the tool doesn't, right, and that's a big difference. Right, we're finding things, but the things that the tool doesn't. That's, I think, the really important piece of my job. Not the only thing, even the thing the tool finds I need to verify and all that, sure, but the core value that I bring is finding what the tool cannot find, and that's job security until the end of time. Until the end of time, yes, you will always have job security, because there will always be things that are missed or misinterpreted, or that were shown before and then disappeared later in a new version, and our job is to find those, fill those gaps and make sure we have a complete picture of the events under our care.
Speaker 2: Couldn't agree more, 100%. I love this meme and it illustrates that beautifully.
Speaker 1: Print it, put it on the meme wall.
Speaker 2: Oh, it's going on the meme wall? Definitely. I need to refresh the meme wall anyway.
Speaker 1: Take some down, put some new ones up, yeah. Oh heck, yeah, you know there's plenty, plenty to choose from, so look, as things happen in this field, there will always be memes right behind them. So, and if folks have ideas for memes, then send me some. I cannot reveal who gave me some ideas, because you know I don't want to get in trouble, but some of the best memes come from folks saying, hey, I had this experience, and I'm like, that's right, me too, let's make a meme about it. You know.
Speaker 2: Definitely. That's all I have. That's all we have for the week. Yay.
Speaker 1: Thank you for all the folks that, you know, took with us a little bit over time today. I think it was a great episode. Thank you, Heather, for all the work that you do, both for the community and for the podcast. You're the best.
Speaker 2: Thank you for all the work you do.
Speaker 1: And I hope that your holidays are awesome, that you get all the toys that you want, all the electronics that you want from Santa Claus and/or from the Three Kings, if you're Hispanic like me.
Speaker 2: The Three Kings, you know, on Three Kings Day, so I hope that happens for you. I hope you have a wonderful Christmas as well, and, yes, you'll be getting Legos, I'm sure. Are you Santa?
Speaker 1: You do? Do you read the list I sent to Santa? I think it's a GDPR violation there.
Speaker 2: I don't know.
Speaker 1: Some privacy violation. Well, and for everyone listening and watching at home, again, we hope you had the merriest of holidays, close to the people that you love, and getting ready for the new year, and we can only wish for you good things to come. Yes, we'll see you after the holidays. Keep track of us on social media so you know when we're going to be live again, and have a good night, and again, happy holidays.
Speaker 2: Have a good night, bye, thank you.