Digital Forensics Now

New Year, New Discoveries: Diving into Digital Forensics!

Heather Charpentier & Alexis "Brigs" Brignoni

Kick off your new year with some forensic fun as we recount our holiday escapades and dive into the latest in digital forensics! Ever wondered how RAM dumps from Android devices can reveal crucial data? We spotlight MSAB's innovative RAMalyzer tool and their new blog series covering RAM from mobile devices. 

Discover how the digital forensics community is collaborating to propel the field forward, as we share insights from the DF Pulse 2024 Digital Forensic Practitioner Survey and the delicate dance between competition and cooperation. Standardization is the name of the game, and we're exploring how the field of digital forensics can benefit from it. 

Updates to Magnet Axiom's date range capabilities showcase the ceaseless evolution of digital forensics tools. Journey with us as we tackle the intricacies of Bluetooth tracker detection, all while considering the dual nature of technology and the significance of using it responsibly.

From exploring Richard Davis's work with 13 Cubed to discussing Yogesh Khatri's contribution to analyzing the USN Journal, we shine a light on the vital role of principles in our field. 

With warm wishes for the new year, we invite you to stay tuned for more episodes brimming with insights and camaraderie.

Notes:
MSAB RAMalyzer series!
https://msab.com/resources/blog/

Paraben Forensic Innovation Conference
https://link.reachpenguin.com/widget/form/99kVMTgaA0mbpZvYLTjG

Tip Tuesday: Troubleshooting in PA
https://www.youtube.com/watch?v=eSNovfdwucw&list=PLwmKlEiYNUYte-pnlbw45YKpPB7K8xCgC&index=1

DFPulse: The 2024 digital forensic practitioner survey
https://www.sciencedirect.com/science/article/pii/S2666281724001719

Magnet Axiom Cyber 8.7: Acquire iCloud backups from ADP-enabled accounts, and more!
https://www.magnetforensics.com/blog/magnet-axiom-cyber-8-7-icloud-adp-and-more/

Android Will Let You Find Unknown Bluetooth Trackers Instead of Just Warning You About Them
https://www.engadget.com/mobile/smartphones/android-will-let-you-find-unknown-bluetooth-trackers-instead-of-just-warning-you-about-them-204707655.html

Be Kind, Rewind... The USN Journal
https://youtu.be/GDc8TbWiQio?feature=shared

Apple Photos phones home on iOS 18 and macOS 15
https://lapcatsoftware.com/articles/2024/12/3.html

SWGDE Considerations for Required Minimization of Digital Evidence Seizure
swgde.org/16-f-002/

Speaker 1:

Welcome to Digital Forensics Now, the first podcast of the year 2025. Brand new, spanking new year. Let's hope it turns out better than 2024. My name is Alexis Brignoni, aka Brigs, and I'm accompanied by my co-host, the holiday enjoyer, the tool popularizer, the eternal white paper composer, the one and only, the indescribable, unbeatable, fantastically amazing Heather Charpentier. The music is by Shane Ivers and can be found at shaneivers.com. Heather... oh, she didn't fade out. Hello. Pray for the abrupt ending to the music.

Speaker 2:

You're good at the abrupt endings there, yeah.

Speaker 1:

Yeah, well, you know there's jokes to be had, but we're not going to make them. So what's going on? It's a brand new year.

Speaker 2:

Happy New Year. Where's your? You need your firework. How do you?

Speaker 1:

activate those. I'm on the Mac computer, I'm on the Mac, I'm on the Windows computer.

Speaker 2:

Oh jeez, so you don't have to have the Mac computer. No fireworks today.

Speaker 1:

Since I moved into this little cupboard under the stairs Harry Potter-like office, I don't have my Mac in here.

Speaker 2:

Oh geez.

Speaker 1:

So tell me, happy New Year. What's going on, what's happening. Look, since that joke, I haven't seen you since last year.

Speaker 2:

Oh, ha ha ha. Nothing. I had a wonderful holiday. Christmas, I sat in the recliner and did nothing. It was great. And then New Year's Eve, I did the exact same thing and was fast asleep by 8:30.

Speaker 1:

It was fantastic. I bet all the folks are coming in and listening, they definitely had to go out. They're jealous and envious of your holiday enjoyment, which is resting in your nice comfortable recliner. Oh my goodness.

Speaker 2:

It was great. It was great.

Speaker 1:

I don't doubt it.

Speaker 2:

How was yours? A little more activity than mine.

Speaker 1:

Yeah, yeah, you know, you have small kids. For Christmas we went to my mom's and my dad's house, the whole family. The kids were happy to see grandma and grandpa and see uncle and all the other folks over there. That was nice. Then for New Year's we were dancing with the wife. That's always fun. I saw the year pass while we were there and then, you know, I mean, the party continued, but at noon. You know, it's kind of really way late for me. So we head back and I always get amazed how the streets are full of, you know, the smoke from the fireworks as you're driving. That's how many fireworks are set off here in

Speaker 2:

Florida in Orlando.

Speaker 1:

The roads. It's like a fog, but it's not a real fog, it's firework fog, if that makes sense.

Speaker 2:

There were no fireworks here. If there were, I didn't see them. I was fast asleep.

Speaker 1:

Yeah, I don't think the squirrels set off fireworks there in the woods of upstate New York.

Speaker 2:

You never know, they probably have their own little party. Oh that could be.

Speaker 1:

Could be. I love the countryside so I'm not hating. Nice. Christian is, Peter is in the chat, so happy new year, my friend.

Speaker 2:

Happy new year.

Speaker 1:

Great, awesome toolmaker.

Speaker 2:

Kevin and Ronan are in there too. Happy new year.

Speaker 1:

Always good to see you. So yeah, so obviously, obviously the year just started, so there's not a lot of stuff that happened this year, right? But we have some of the things that happened on the end part of last year, of 2024, so end of '24. Yeah, yeah, let's talk a little about those. So, what do we have for?

Speaker 2:

Uh, for, you know, to start with. So one thing that has been on LinkedIn and in the DFIR news lately is MSAB's RAMalyzer tool. We've talked about RAM dumps on prior podcasts and the capabilities that MSAB has, and they're now putting out a blog series about it. So they have four entries, four blog posts about RAM and their RAMalyzer tool. One is "So you have a RAM dump, now what?" "What is RAMalyzer?", and it talks about what the RAMalyzer tool is and its capabilities. "What's in a task?", so tasks and processes that you can find inside of a RAM dump. And then, um, the last blog that they just put out was "What was the web search?" So it kind of walks you through how to, um, look for web searches in the RAM dump. Yeah, and I like that one a lot, because now they're getting further in, like what's what?

Speaker 1:

The tool is, right, um, as you see them in memory, kind of make an analogy to Windows. But now, where's web searches? Now you're looking for user-generated stuff, and that's what I think a lot of the value in this RAM analyzing within Androids is, where it's at, and folks are not really aware that that's a capability, and I'm hoping that this becomes a thing. I know MSAB is working on really giving that capability, but I would hope both open source folks and other tool vendors also try to get in the space, because if you're able to access RAM from an Android device, we're talking about possible gigs of evidence that you might want as well. So it's good stuff.

Speaker 2:

Yeah, the Samsung that I dumped in the past had 12 gigabytes of RAM, so 12 gigabytes of data to go through, and we previously showed kind of a walkthrough on the tool, the RAMalyzer, in a really early episode of the podcast. But just throwing up on the screen here again, it's a command line tool that handles the memory dumps that XRY is able to extract, and then just some of the available commands and flags that go along with that RAMalyzer tool. I keep wanting to call it RAM analyzer tool, but it's RAMalyzer. Oh yeah, that's right. So yeah, um, and also I was...

Speaker 2:

I was reading one of their most recent blogs. There's a link to their customer forum. They actually have a customer forum specifically set up for, um, for the RAM, RAM dumps and RAMalyzer. So if you're a customer of XRY, you can log in and join that discussion forum. Yeah, no, absolutely. It's...

Speaker 1:

It's just, I was just, I just... I'm an idiot. I'm just thinking because, you know, they had this, this SNL skit about Jeopardy, and they had, uh, uh, like an actor doing, uh, the guy that used to play James Bond, uh, Connor... I don't know his first name. Well, it's the first James Bond, and he would, you know, in Jeopardy, you have to read the column, right, and then you ask for the dollar for the questions. And the question is, you know, and he would always, you know, like, you know, he would say "the rapist", and it's "therapist".

Speaker 2:

Oh, jeez, you know what I mean.

Speaker 1:

Oh my gosh, so it's a joke like that. And then the guy that used to play James Bond, again, this is an actor making that, he would laugh at Trebek. Trebek is Colin Farrell. You know, that guy is hilarious and they would go back and forth. He's making fun of Trebek in that sense. So, you know, I just thought RAM analyzer, RAMalyzer. I can see this being an SNL skit there.

Speaker 2:

At least I know why you're laughing at me. Now I'm looking over, like why are you laughing at me?

Speaker 1:

I'm a nut. Anyways, all jokes aside, this is a good capability, and we talked about in a previous episode how the memory in Windows, when you turn the computer off, the memory goes away. It's volatile. But in Android devices that memory somehow, I don't know the details, to be honest with you, but it kind of still gets some energy from the battery, I guess, and it persists through reboots, through the phone being off, through all those types of stuff, so you might have data there that's persistent for a long time if you care to pull it out. So that's pretty neat.

Speaker 2:

Very cool. What else do we have? Let's see here. Paraben just announced that they have their call for papers for the Paraben Forensic Innovation Conference for 2025. If you have a tip that can help fellow investigators, they're looking for you to sign up and present at the conference. The call for papers is open now, and there is a summer session in August, August 20th and 21st, and a winter session in November, November 12th and 13th, and the call for papers closes April 30th, um, 2025. Yeah.

Speaker 1:

Yeah, and Amber, uh, you know, now she has these, these events, uh, you know, at different sessions throughout the year. So that's pretty neat, and definitely go on and put in for a couple of papers and, uh, be part of the community. That's one way of doing it. That's one way of doing it. If you have a good topic or things that you're interested about, put in for these types of events. You're helping others by sharing your content, but you also help yourself in regards of building a brand for yourself and putting your name out there as the person that's active in the field. So it can only help you and help others.

Speaker 2:

So highly encouraged. So anybody who's familiar with Cellebrite products has heard of Tip Tuesday. The most recent Tip Tuesday that was put out, it was by Josh Hickman, and he walks through how to access the trace window in Physical Analyzer. If you're using Physical Analyzer and don't know about the trace window, you have to go watch this Tip Tuesday. It, um, it is how you troubleshoot, how you look for errors, um, in the trace window. If something doesn't parse correctly or if something doesn't decrypt correctly, you'll see that all in the trace window. It's actually how I realized that there was something wrong with Keystore in one of my cases, because the Samsung Rubin data failed to decrypt and there was an indicator of that right in the trace window. It may not be that the data you're looking for is not there. It could just be there was an error, and that's how you trace that error and find it.

Speaker 1:

I don't. Every time I use PA I have my trace window open. That's just like. And if I open the program and if the trace window is not open, I open it every single time.

Speaker 1:

I'm a big believer of seeing errors up front, and even in the tooling that we make, iLEAPP and ALEAPP and RLEAPP and all the LEAPPs, we try to make sure that any possible errors or the logging flies in front of you as it's going and actually eats up most of the screen, because we make the assumption that, like you said, well, it's just not there. No, it's there, but the tool might not be able to digest it for whatever reason. It could be as simple as a SQLite database, that the query changed, that's it. So you can go get it, pull the database out and you can make the query. It might take you a few extra minutes, but now you have something versus nothing. And obviously the idea is that you can tell that to the community, tell that to the vendors, so it could get supported as quickly as possible.

Speaker 1:

But the trace window logs, those are important. It takes some time to at least glance through them. I'm sorry, unparsed data methodology is how do you make sure that the tool is not missing something, and if it's missing it, how do you go about getting that data, access to that data.

Speaker 2:

Yeah, definitely. I love these little Tip Tuesdays. They're short, it's only like a couple of minutes long, and it just gives you the tips for PA, maybe things you didn't know, different things in the settings, what different artifacts mean. So if you have a chance, go over to their YouTube channel and check out the Tip Tuesdays, especially if you're short on time. You can watch a couple of those in a matter of minutes.

Speaker 1:

Oh, absolutely. And this, this, this one for the trace window was Josh Hickman, so I always, I mean, I recognize his voice, you know.

Speaker 2:

So you have to go watch Josh. Who doesn't

Speaker 1:

want to go listen to Josh in the Tip Tuesday? Everybody does. No, no, no, uh, no hate to Heather Barnhart, that also does some of those, but... oh, exactly. Yeah, I always, I was happy to hear Josh explain things.

Speaker 2:

So, um, another thing. We actually were going to talk about this like a podcast or two ago and we ran short of time, but the DF Pulse 2024 Digital Forensic Practitioner Survey was released. This paper reports on the largest survey of digital forensic practitioners, conducted from March to May in 2024, and resulted in 122 responses. It collected information about practitioners' operating environments, the technology they encounter, investigative techniques, challenges they face, academic research, among other things. Some of the highlights in that survey include the need for greater collaboration between practitioners and academics. I think we've talked about this on quite a few podcasts. Couldn't agree more. There is a need for collaboration between practitioners and academics. Would be great if academics were teaching what we need to be taught for future employees.

Speaker 1:

Yeah, and I mean there's been some. So one of the big problems is that an academic does some research and the research has to go to this peer review process. It needs to be published and when it's published, those publications might not be freely accessible to everybody, right? So you're looking for some particular piece of information. It might be in this publication and you have to pay an extraordinary amount of money or be part of a university studio or something, okay.

Speaker 1:

So there's been kind of meet-us-halfway points, like the DFIR Review peer review organization website, where the idea is to have some peer review that's fast, right, and you send your blog article or your research over to the DFIR Review site and then reviewers go at it and it's fairly quickly published. But the collaboration, I think, is important in order to make those wait times less and to make the information more easily accessible to the community, and, you know, when it's behind these college or university walls... And again, we don't want to, we don't want to minimize the importance of proper peer review and the time it takes to make it right. So we're all for that. But if we can collaborate more, that will be faster. So I'm happy that there's some hard numbers on sentiment and how that it should be done. The question is, how do we go about it?

Speaker 2:

Right, definitely. They also reviewed open source efforts and work, highlighting the benefits of open source, um, commercial tool collaboration with tool vendors and academia too.

Speaker 1:

Um, I love seeing the tool vendors working with academia, um, having that knowledge already of the tools. I mean it's, I mean it's hard, right? Yeah, because the profit motive, right? If I come up with something or the university comes up with something, then, you know, we lose any competitive advantage to doing it that way, and it all depends, right. Let's say all is fair in love and war, right? You got company A that develops that access method and company B doesn't have it. But they know researchers or the community has something like that. Then they develop with the community, make it open source, and then not only do they catch up to company A, but they kind of kneecap their market benefit in a sense, because they paired it and made it fully available to the community. So you see that, um, competition is good, um, so, but you can see both ways, just kind of collaborating and also undercutting each other in order to get some parity. But, uh, as an observer of the market, that is a good thing.

Speaker 2:

So let's hope more of that happens. So Brad says the DFIR Review has one academic and one practitioner for the peer review.

Speaker 1:

That's great.

Speaker 1:

There we go. That's exactly what I was talking about. Obviously, Brad is involved with that effort and he gives us the details behind it. I had, I think, three or four, if I'm not mistaken, and not only myself, also with other collaborators like Kevin Pagano and some other folks. We collaborated on some of those articles, and it's really good when you have to testify at a court and you can say, yeah, I've been peer reviewed, right, and I've done some research and here it is, right. It always gives some more credibility, which is what you're trying to establish through that process. So do submit your research, your articles, and also be part of the effort, right, be a practitioner that also peer reviews. That's a good thing.

Speaker 2:

Definitely we have a nice little comment in here. Loads of love and appreciation from Ghana. I've learned a lot from this podcast. Wishing you all the best in 2025.

Speaker 1:

Wishing you the best too, thank you, thank you, that's awesome.

Speaker 2:

It's a little ways away. Yeah yeah, yeah, no.

Speaker 1:

I appreciate that Addie is in the chat. I don't know what time it is over there but it's late. But we appreciate it. Lots of love.

Speaker 2:

With that survey, also, it's worth noting that ALEAPP and iLEAPP got mentioned.

Speaker 1:

That's awesome yes as a really well-documented project, which is kind of funny. It is well-documented, you have the source code, but the documentation is not where I want it to be yet, so we're still working on it. I will say, because I'm vain like that, that we also got mentioned. Oh, yes.

Speaker 1:

Over here. We both got mentioned because, when the survey came out, the issue with surveys is getting people to participate. So on the podcast or social media and all that, we pushed out word for folks to participate. So the organizers were really grateful, and again, you know, part of being a member of the community is to also collaborate with the other folks' efforts, so we try to do that as much as we can. So we appreciate their mention there. Also lots of love for the researchers for the DF Pulse 2024, which, I'm going to say something.

Speaker 1:

So after this came out, which is good, my thoughts were there's so many things we can ask practitioners about, right? So I made a comment in LinkedIn about, I want to know, for example, if you're a practitioner, how many portable cases do you give out in a year? Is that the only thing you do? And if you do more, what is it? How many of your cases require an in-depth report, versus just a portable case that you give to the investigators and then you forget about? Like, I really would like to know what's the different processes that happen. What's the... are you using AI? What are you using it for? Do you have any protocols? Like...

Speaker 1:

There's a whole bunch of questions of how do we do our work that I think would be worthwhile for the community to start kind of collating those statistics.

Speaker 1:

That's something that Brett says a lot, and if you don't know who Brett Shavers is, you need to know quick.

Speaker 1:

You know, long-time practitioner, well-known in the community, and he has a series of blog posts explaining how the digital forensics sciences, in particular digital forensics, you know, the DF part of DFIR, we lack a standardized model of certification, of practitioner validation or licensing of some sort. We lack that, right, which means that a lot of labs, a lot of practitioners do whatever they do based on whatever their training was, but the training is not standardized, which means there's many different ways of doing whatever thing that you're doing. So I think it's worthwhile to start collating those statistics to get a feel of what are the best practices and what are the habits and customs of examiners across the broader field. So I was happy when I did that post that a few folks from SWGDE also chimed in and said, hey, maybe we can get together in 2025 and kind of create a poll. Because I can make a lot of questions; now, making them properly formatted for a poll, I got no idea. I know nothing about statistics, only that I suck at them, right.

Speaker 2:

I was just going to ask you did you put this up as a poll? I must have missed this post.

Speaker 1:

Oh, no, no, no. I put a whole bunch of questions or things that I wanted to know, and then other folks chimed in with some other questions, and then folks came in and said let's get together and maybe put some of those in a big pile, and obviously the folks that know how to do a poll will make them better. So, so yeah, and I guess the point, long story short, is, uh, when you see statistics like this, inform yourself and then think, what else should we know to make the thing better? And just having the information for having it does us no good. How can I then put it to use? How can I reach out to a practitioner in this case, right? If you are a practitioner and, for example, in my area, it's a to-do for me.

Speaker 1:

I have UCF, University of Central Florida, a really grown-up degree for digital forensics. They have master's and everything. I know a few of the professors, but I should know more. I should actually reach out to them and talk about what things we're seeing and what are they teaching, right? And that's on me. I should go out to them and reach out to them, right? If I want more collaboration, what am I doing about it? Just saying that I want it, it's not going to solve anything. So what am I... After reading this, I came to the conclusion that I'm going to reach out to the folks that I know and then see how can I interact more with the folks from the university and other... I mean, that's the only program that I know locally. There might be more, but again, that's on me. I should know these things and actually put that into practice. So hopefully that makes sense.

Speaker 2:

Before you know it, they're going to have you over there as an adjunct.

Speaker 1:

Oh my God, teaching some classes. You know what I like teaching, so who knows?

Speaker 2:

Yeah, I did it at the college over here. I did it at University at Albany for a little while. I'm not right now, but I taught mobile forensics over there, so it was good.

Speaker 1:

Oh yeah, I don't think I have the time right now because my kids are small, but maybe after I retire. There you go. Brett is making a really big distinction, an important distinction that I didn't make, so it's good for you. Can you read it?

Speaker 2:

Yes, we have... yes, we have plenty of structured processes and procedures for every granular level of DFIR work. What we don't have is enforcement of standards, education and training.

Speaker 1:

Yeah, and I appreciate Brett saying that, because I was getting to that, but I did not express it in that way, and some folks might have come to the wrong conclusion from my words. So, yeah, I mean, it's not like we're doing forensics like, whatever, I'm making this up on the fly, by the seat of my pants. Of course not. Like when you go image something, there's a process to image something. When you go parse something, there's a process for that. Sure, that is true.

Speaker 2:

You have operating procedures?

Speaker 1:

Oh, absolutely, yeah. So I made it sound horribly random. That's not the case. No, like what Brett's saying. The enforcement of the standards. Education, what do you need to structure a way of teaching it and getting certified or trained on it? Something I criticize a lot is vendors telling you, well, my certification program will take you from zero to hero, from know-nothing to expert, in a seven-day boot camp if you pay me $10,000. Wait, hold on. Yeah, you will know how to use the tool, and that's a good thing. You want to know how to use the tool. You're going to be, if possible, certified in all the ins and outs of the tool, but that does not make you an expert, and much less in a boot camp, in seven days or five days, right? Right. So thanks to Brett for making the important distinction that I didn't make.

Speaker 2:

So what else do we have? I am going to bring up an update to Magnet Axiom, but there has now been another update since this one because we didn't have the podcast last week. But I want to go back to the update for Magnet Axiom Cyber 8.7, even though 8.8 is out. Um, they have "acquire iCloud backups from ADP-enabled accounts and more", and it's actually the "and more" that was really exciting for me in this post. So in their new update they have, um, part of the blog is about setting a date range in their tool, the time filters that are commonly used to focus on the relevant data.

Speaker 2:

But the important part for me was that you can now filter your data and have the option to include artifacts without timestamps in your cases. So for me at my job, I get date range search warrants quite often and when you take a tool and you narrow it down to just the date range that you're looking for, as set forth by the warrant, it doesn't usually include anything that doesn't have a timestamp. So just because an artifact doesn't have a timestamp doesn't mean that it necessarily didn't happen during that timeframe. A little more work needs to be done on those artifacts that are there that don't have timestamps, to figure out what the timestamps actually are. So the fact that Axiom is actually including that in there, or giving you the option to include it in your date range filter, I just love that. I'm actually going to put a picture up.

Speaker 1:

Yeah, and I agree. I mean, I agree that that functionality needs to be there, but I have thoughts. But let's look at the image and then I'll have the thoughts after that.

Speaker 2:

So just kind of a little, I stole it from their blog, a little picture of their time frame filter and the date time options. It's not stolen.

Speaker 1:

It's on loan, okay, oh, it's stolen.

Speaker 2:

I like to. I steal things, it's okay Okay her, her right.

Speaker 1:

I don't steal anything, right? I loan okay and I give it back.

Speaker 2:

The date time options are still there, the normal way you set your date range, set your time range, but now there's a little checkbox that includes hits without dates and timestamps.

Speaker 1:

A simple checkbox, pretty neat. But here's my thoughts, right? So, as a general rule, I don't like those types of restraints, because we're losing data that might be within the constrained timeframe. And let me give you an example. So let's say, okay, I only want the timestamps for files created within this time range, right, these two timestamps.

Speaker 1:

Well, let's say that your piece of evidence is a computer. That computer had a database that was recovered from a backup. Okay, so the database lands on the computer today, the modified time is from today, later in the afternoon, but your search warrant range is set to include only items that happened last week. Well, that would be out of play, is it? Remember, this comes from a backup, and you cannot tell that by looking at the creation date, if it was going to copy it over or whatever, right? You have to look at the insides of the database and figure out that the entries of that database each have their own timestamp on when they happened, and they may have happened, most of them, the week before, which is within the time scope frame, or the timeframe, or the scope.

Speaker 1:

So what does that mean? Right, at some point I think we need to educate our courts and our prosecutors and our defense attorneys that we do understand why we want to limit some timeframes for privacy considerations, especially in civil procedures as well as criminal. I get it, but there has to be consideration that data might not be constrained by the timestamps of the container that it might be in, because data doesn't just fast enough. The evidence is just, it's not just one file on the file system, it could be a whole bunch of stuff inside a container, like a database, right? And, uh, Jess is saying, and let's read that real quick: um, check out the SWGDE documentation on minimization.

Speaker 2:

Great. Gives great examples to educate on this. I don't think I've even looked at that one, so I'm glad you just pointed it out, Jessica, because I have to go find it now.

Speaker 1:

Yep, absolutely, and I had a conversation. I don't remember the examiner's name right now, but he reached out to me and got a peer review of a document that he was making to provide to his local courthouse to explain to the judges, hey, this is why we believe that these constraints are fine. Of course you do what you want, you're the judge, but hey, look at what we're missing. Things that, like you said, Heather, things that don't have a timestamp. Are we just going to ignore them? Because sometimes, things that don't have a timestamp, we can put them within the context of that timeframe when we do our full analysis.

Speaker 1:

Right, and we can talk a little bit about data that's deleted, for example. Data that's deleted, that's maybe carved out, doesn't have a timestamp because it's a file that has no metadata. But the content of the file might give me an indication. A stupid example is you have a picture of you holding a newspaper, right? It's deleted, you recovered it, but if you look at the picture, the newspaper is there with the time, right? Is that what

Speaker 2:

it says? Yeah. Well, there's another good example with pictures. If an image is embedded inside of, like, a cache file, some of the tools pull that embedded image out with no timestamp. But if you go back to that cache file, the timestamp is right there in the cache file. You just have to make the connection.

Speaker 1:

Yep. So how do we teach our stakeholders, when they make an order, to accommodate for that nuance? Because then we might be missing stuff. And you know, if you're missing stuff, that's an example, right, that your client... and if it's something that's not good for the client, you're okay with missing it, I guess, right. But what if it's something that's good for the client?

Speaker 2:

You know what I mean with that, though, right? No, definitely not.

Speaker 1:

So the best policy is to try to give the examiner the flexibility to be able to look at some of these things within context and, like, in containers. Now, Jess made mention of the SWGDE documentation example, which has documentation on minimization. I haven't seen it either, Heather, so I'm also going to go out and reach out for it and check it out.

Speaker 2:

You know what? For everybody else, we'll link it in the show notes. If you want to check that out, we'll put it in the show notes at the end.

Speaker 1:

Yeah, we're seeing more and more of that and, again, I don't disagree with why it's done. So the big reason I heard, like I said, is they're going to minimize some of that data for privacy reasons, or because somebody doesn't have the authority to look at something that happened before or after something. So I get it, but, yeah, there has to be some... My three main things for the year are examiner probity, attention to detail and due diligence. Right, and probity means that at some point we will be tasked with some of this stuff and we will have to make the differentiation of, hey, you're not allowed to look at some dates, and in your process, if they come about, you have to not look at them. The tool will not be able to blind you to everything at all times, right. So your probity, your moral standing, making sure that you do the job the right way when nobody's looking, that's something that I think we need to push more and more as part of our due diligence and making sure we pay that attention to detail.

Speaker 2:

Yeah, all right. Well, Android, some Android news, Android and the Bluetooth. Are you good?

Speaker 1:

Yeah, I want to make some quick comments.

Speaker 2:

Oh yeah, go for it.

Speaker 1:

Yeah, so Bruno is an awesome examiner from Argentina, a good friend, who has also collaborated with us. He said that some of the JPEGs have internal metadata with creation times. Right, if that metadata is contained within the picture, absolutely correct. Sometimes, if you're carving a file and the carving is a partial file, you don't get the whole thing because the file is spread throughout sectors. So what a tool does is it starts at the header, or the magic number, and goes an arbitrary amount of bytes, maybe a megabyte, two megabytes, whatever it is. And sometimes, within that space, half of it is garbage, something else, right, then you might not get that. But again, as examiners we have to make sure that we also do that part, and just saying don't look at it because it doesn't have a timestamp, that's a problem. We have to look at it. We have to, like, run and see if there's some EXIF.

Speaker 2:

Still, there's some in those JPEGs. You know, can we carve some metadata out of it, right? So that's part of our job. So, yeah, definitely. Jessica says she sent the link to the paper for us, so it'll definitely be in the show notes after I read it, of course. Yep, I have...

Speaker 1:

I have the link right here.

Speaker 2:

Oh, okay. All right. So Android. We've talked about the Bluetooth trackers before and how there's the warning on Android and Apple devices about tracker alerts. If an unknown Bluetooth tracker is nearby, the phone will alert you, but now, instead of just warning you, you can actually locate the tracker. I have a little picture to throw up here.

Speaker 1:

Yeah, trackers are good, but also bad, yeah. So I'm happy they're coming up with this type of countermeasure for when somebody's trying to spy on you or follow you around with this technology.

Speaker 2:

Definitely. So Google has added a "temporarily pause location" feature, which users can enable when they first receive the unknown tracker notification, and what that'll do is block your phone from updating its location with trackers for 24 hours. They also added the feature "find nearby". It will help the user pinpoint where the tracker is if they can't easily hear it or see it. It'll connect your phone to the tracker over Bluetooth and display a shape that fills in the closer you get to the tracker.

Speaker 1:

Like hot and cold.

Speaker 2:

Yeah, so I have the picture up on the screen, but if you're listening, it's like a circle, and you play the sound, and as you walk closer it starts to fill in the circle, and when the circle's filled you've found your Bluetooth tracker. I have not tested this. I would like to test it, except I had an Apple AirTag from one of the very earliest podcasts that I used to test things, and I accidentally threw it in the garbage.

Speaker 1:

But track it.

Speaker 2:

No, it's gone gone.

Speaker 1:

It's in the dump.

Speaker 2:

I think it's gone, gone, yeah. I can't even track it anymore. I cleaned my car and that's where it was, and now it's gone. So I have to get a new one.

Speaker 1:

Yeah, the trash compactor in the garbage truck has crushed it, I mean crunched it into smithereens.

Speaker 2:

It's gone, so I'll have to get a new one and test this out.

Speaker 1:

Yeah, absolutely Looking forward to it.

Speaker 2:

Well, there's a nice little article on it from Engadget that I'll put in the show notes as well.

Speaker 1:

Yeah, I mean, some of the solutions to some of this... Again, technology is like a knife: you can butter your bread with it or you can stab somebody with it, right, and the protection is knowledge, right. If you are a user of tags, a responsible user, that's a good thing. But let's say you're a person that's vulnerable for whatever reason, and you might believe that somebody might try to track you for whatever reason. They need to be aware of what the countermeasures are, and this is one way of doing that. Right, definitely. I think we could do a class on technology that has, like that, dual use, and countermeasures. That sounds like a good presentation, I think.

Speaker 2:

Yeah.

Speaker 1:

I don't know, I just thought about it.

Speaker 2:

One of those call for papers, right.

Speaker 1:

Yeah, like technology, you know, the Dr. Jekyll and Mr. Hyde of technology.

Speaker 2:

There we go. So another thing that has happened recently on the groups, I forget what group it was, if it was one of the Google groups or the IACIS listserv, but it doesn't matter, was a whole bunch of chatter about iOS 18.2, about their Stolen Device Protection. Long story short about the post: somebody was trying to connect their device to one of the forensic tools, and when they connected the device for extraction, this was an unlocked device, the trust verification came up on the phone. They hit trust, and normally what comes up is your passcode screen. They had the passcode, and you'd put the passcode in and move on with your extraction. Except that's not what came up. A Face ID screen came up. So hit Face ID and it doesn't find it. Try again. Usually then your passcode will come up as, like, a default backup, but it doesn't anymore with this new Stolen Device Protection that is on by default in 18.2. So I have some screenshots here of it.

Speaker 2:

I had to, after reading this post, go check it out with my iPhone. So I updated my iPhone to 18.2, navigated to Privacy and Security and found that the Stolen Device Protection is there and it's on by default, and also by default there's what's called a security delay, and it requires a security delay if the phone is away from familiar locations. That's by default, or the user can change it to always require the security delay.

Speaker 2:

So what is the security delay? It's for actions like changing your Apple account password or changing numerous different things in settings. If you go to reset all settings or do anything in settings, that security delay comes up if you're away from a familiar location. Another thing I found I couldn't do without the one-hour security delay is turn the Stolen Device Protection off on my phone. I tried to turn it off. It's my phone, I have the passcode. I needed to wait the hour security delay because I was away from a familiar location, which I was at work. So I'm not quite sure how they don't consider that a familiar location, because I'm there more than home.

Speaker 1:

But that's beside the point. I think the phone detects some hostility there from your point. I don't know. We kid, we kid, we love our workplaces. Okay, that's a "we hate work" joke. Okay, but it's not reality, just saying.

Speaker 2:

So my assumption was, though, that the familiar locations are based on the significant locations and/or saved locations in the device. It didn't recognize my work as a familiar location, and I'm not 100 percent sure why. But if you're seizing devices and you have consent for the device and this Stolen Device Protection is on, it would probably be a good thing, while you're at the person's home, to turn the Stolen Device Protection off before you leave that familiar location, because when you get back to your lab or your office, you're going to need the person's face, yes, to be able to turn that Stolen Device Protection off. So here's kind of what the security delay looks like. It comes up as "security delay is required to change Stolen Device Protection", and then it starts its one-hour timer. During the one-hour timer you can use the phone as normal. You just can't do any of those setting options that you want to do.

Speaker 2:

I moved on a little further and decided to try out some of the forensic tools and see what the deal is with this trust, and then the Face ID, and not being able to trust the computer. So, just like the user in the group said, the trust computer prompt comes up, then the Face ID option comes up, and it says their Stolen Device Protection is turned on. So when that's turned on, I need the face. It didn't recognize my face because I didn't give it my face, and it just defaulted to turning that right off, and the trust did not happen between the workstation and my phone.

Speaker 2:

I found with some of the forensic tools that they can bypass it. It just goes on some of them, and on some of them you just have to keep moving further in the process and eventually it will get past this. So, I mean, test out your forensic tools on a test phone, see which tools you have in your lab that do support just bypassing this and which tools don't, because you'll definitely have to keep in mind to turn that Stolen Device Protection off if you don't have the appropriate tools to be able to bypass this.

Speaker 1:

Yeah, yeah, yeah. Talk to your tool vendors, and yeah, there are some solutions out there. A question that makes a point here, and I think I saw the same thing in the IACIS list there. What was his experience, Heather?

Speaker 2:

I was able to pair my device at home without biometrics. At work, it wasn't working.

Speaker 1:

Yeah, and I think, if I remember correctly, one investigator was at the office, couldn't get in, and they had to drive all the way back to the suspect's house. You read that one, I think. Mm-hmm. And then they were able to get in. But then on your testing, that didn't happen. On your testing, you do require the biometrics, right?

Speaker 2:

I didn't drive to... I thought it would know that work is a familiar place for me. You were still at work. Yeah, I didn't drive to a familiar place and actually test that out, so I'm unsure if it would have worked with my phone.

Speaker 1:

I'm sure it would have if I'd gone home, but yeah. Well, I mean, imagine if a national agency like the one I work for, you know, you're doing a lead and seizing a phone in California but you're sending it over to New York, right? Oh, I did not take this out. You have to fly all the way back, right? So we have to be aware of this capability, and some folks were really, really mad about it, examiners, and I get why. Right, it makes the job harder. It reminds me of, you know, Hitchhiker's Guide to the Galaxy, right: In the beginning the universe was created. This has made a lot of people very angry and has been widely regarded as a bad move. I know folks might think of this capability as a bad move, but we've got to think of where this comes from. Right, and I've seen this firsthand here in the States, but also overseas: stolen iPhones or mobile devices are big business, right?

Speaker 1:

Folks go on motorcycles and they see somebody with a cell phone. They snatch it or, at gunpoint, they go and take their phones, and what they do is they wipe them and they resell them. So imagine if this device protection is enabled and they cannot get in to wipe it. The phone has no use. You cannot sell a phone that you cannot actually make calls with because it's locked, or whatever it is. So that hopefully limits, and again it's a multi, I would say, billion-dollar market, stolen devices, specifically iPhones.

Speaker 1:

I've seen in some countries where they go and say, okay, the solution is, if somebody steals a device, you report it and nationally we're going to blacklist your IMEI. And for folks that don't know, an IMEI is a unique identifier for that hardware device, so you blocklist it from the network so that nobody can communicate with it. Well, you know what they do. They take those phones and they ship them to a third country where there's no blacklisting, and they have one that's different from theirs, and they sell it somewhere else. And now it becomes a transnational criminal organization dealing with these stolen devices.

Speaker 1:

So I see a lot of value in companies like Apple making the device unusable when it's not in the location it should be, or the users don't have the biometrics that are required. So I see the value in that. But again, thankfully, our hair was on fire for a few days, but there are some solutions already in the market to help you with that. And again, if you're at the location, and I know this only anecdotally, I haven't done it myself yet, but like Christian was saying, if you're at the location, then you might be able to get in without the biometrics. So something for us to know about and consider.

Speaker 2:

Right, yeah, I definitely freaked out when I read the post. I'm like, ah, here we go, we're... for a while, and I thought, you know, it was going to be a really bad thing. But it seems like it's not as bad as we all thought, and on some of the tools, like, seriously, it's going to look like it won't work; just keep going in their workflow and it does.

Speaker 1:

So, yeah, I want to make a point. I mean, for our audience that's a known, but I still want to say it for folks that might come in and are not in our field. Whenever we talk about going to devices to extract data, we're talking about lawful access. Okay, we don't just take phones because I'm curious to see what's in them. No, we have to have a court order, a proof from the judge that we can do these things, and then we execute those lawfully based on the tools that we have at our disposal. But there is no such thing as any law enforcement agent doing something without a court order, and if there is, that person goes, as rightfully they should, to jail.

Speaker 2:

It's a good way to get fired quickly. Or, you're right, go to jail.

Speaker 1:

Oh, yeah, I mean, the firing goes without saying. Yeah, the being in prison and jail, that's, yeah. That really underscores how important it is for folks in authority to preserve the constitutional rights of citizens to their privacy and the security of their places, belongings and all those things. So it's good stuff.

Speaker 2:

Definitely. So, oh, we have a computer topic. You're going to go with this one. Yes, Be Kind, Rewind: the USN Journal video put out by 13Cubed.

Speaker 1:

Absolutely.

Speaker 1:

All yours, absolutely. So, real quick comment, because I know there's some lag between what we're talking about. But Brett says don't become worse than the criminal you are after, and that's so true. Like, I made the point, but I'm going to say it again, it's part of my probity for 2025, that concept. If you believe somebody is guilty, I don't care. You shouldn't care, right?

Speaker 1:

You don't operate based on beliefs. You operate based on principles, on values, and you value truth, right, and truth is independent of belief. Hopefully you have beliefs because they're true. Sometimes you don't. Sometimes you have beliefs because you want to believe them. Right, some might call it faith or whatever it is, and that's fine. But you do that outside of work. You do that on your own time. When you have probity, when you work, you operate based on values, on truth, and truth requires evidence, and evidence that's properly acquired, because when you don't acquire it properly, it's not truth anymore.

Speaker 1:

We can consider it lies, as fruit of the poisonous tree, right, and we cannot consume that. We made it a lie. We are operating as the criminal now, right. So again, probity in all we do is so important. And again, if you have a strong belief that somebody is guilty, that means that you need to step back even more to make sure that you get help, and I don't mean mental help, I mean help in making sure that we're applying the values, and have your work double- and triple-checked, because our beliefs don't matter, period. We will have biases, but they don't matter. What matters is important work guided by principles, the main principle being truth. So that's a big thing for me this year. Okay, now, Be Kind and Rewind the USN Journal. So I've been a long-time supporter of 13Cubed.

Speaker 2:

Oh, you wore the shirt.

Speaker 1:

And it's funny because it was totally by accident. I didn't put it on because I was going to talk about this topic. I just wore it for work today. And when I say supporter, again, I'm not talking about our workplace. Again, that's what we say every show: all we talk about here is our personal opinions. They don't have anything to do with our workplaces. Our opinions are our own and do not represent our employers. So I have this shirt because I'm a big supporter, personally, of 13Cubed.

Speaker 1:

13Cubed is an educational organization that's led by Richard Davis, and he's the nicest guy you'll ever meet, and he's one of the best explainers, teachers, professors of this craft, and he knows a lot about everything, but specifically Windows forensics. He recently came out with some certifications that 13Cubed provides that were really great. Now, that being said, he also does tool reviews. One time he reviewed one of the Leaps a long time ago, and I've been a supporter since day one of his podcast, so I'm proud to say that. Now he made a video where he was reviewing a tool made by CyberCX, and CyberCX, if I'm not mistaken, is a cyber intrusion technology DFIR company in Australia. And the tool, and this is a pretty quick story, so I saw the video, I'm subscribed to his Patreon so I get the videos first before everybody else, and I loved the video, and as I'm listening to it I said, wow, this type of work, I kid you not.

Speaker 1:

I said this is something that Yogesh might have fun doing. I literally thought that, and again I forgot what company he worked for. Well, almost at the end of the video, Richard says, yeah, you know, CyberCX, and coded by Yogesh Khatri. Like, ah, I knew it. I knew it. When you know somebody well enough that you've seen their code and what interests them... I kid you not, I knew it was him without knowing it was him. Oh my goodness.

Speaker 1:

Yeah. So Yogesh is a great friend. You know, he's really busy with a lot of work now in Australia, but when he used to be in the United States, he was, from my perspective, an equal co-founder and developer of the LEAP tools. I started with the Leaps, and when he came in, he was my mentor. I learned so much from him. He made the code base so much better, and the work that we're doing now is built upon his contributions as well. So I love Yogesh. He's awesome. So I need to say that. Now.

Speaker 1:

So what does the tool do? So what the tool does is, first of all, you're going to be aware of what the USN Journal is. And it was a timely video, because I was working with, I had a call from the embassy in Panama with some folks in the Southern Hemisphere that needed help with a case, with a file that was deleted, and they wanted to figure out, and it was, I kid you not again, I saw the video and then the call came in, or the email came in, like two days later. They were trying to figure out... They knew what the file name was that was deleted, but they wanted to figure out where that file was, because it was deleted. So where was it in the computer, right? Can it be recovered? If not recovered, what they really wanted was some of the timestamps of what things happened. So it was really useful, because from my previous training I knew that the USN Journal is part of that metadata of the file system, and the USN Journal keeps track of all the activities or events that take place within the computer. If you create a file, there's a USN Journal entry for that file. When you move it, when you delete it, there's an entry there for that, and the entry will have that file name and it will have the MFT entry and the MFT sequence number.

Speaker 1:

The MFT is the Master File Table that keeps track, in NTFS file systems, of the file paths, the metadata of each file and directory that's created within the file system. Because for a computer, a file or a directory is just another entry in the MFT table, okay, and then it goes out to the drive to get the data. If it's resident, that data might be within the MFT table. Now, this is not an MFT class, but I'm explaining this because it's the cool part.

Speaker 1:

So what happens? Let's say the file got deleted and you know what the file name is. So you go to the USN Journal and you can find that file. You say, oh look, this file was deleted on such and such date. Where is it? Well, the way you do that is you go and you look at the USN Journal, you look at the MFT entry and you go back to the MFT table to figure out where that file was. But remember, it's deleted.

Speaker 1:

And one thing about how the MFT works is entries are reused, and reused first. Okay, so let's say your MFT table has 10 entries and it will create new entries. But let's say entry number one is deleted; instead of creating an entry 11, no, the file system will take one and reuse it, and when it reuses it, it will change that sequence number. So entry one is now going to have another sequence number that increments, you know, one by one. Okay. So now it reuses it. And let's say you delete that file again; there's no entry number 11, right, it goes back to one and then reuses it, and the sequence number jumps a number up. Does that make sense? So let's say you go to this entry, I delete the file, I go to the MFT entry and I see it, and I see that the sequence number, compared to the one in the USN Journal, is three numbers ahead. That means that that record in the MFT table was reused how many times? Three times. So that doesn't work, right. Whatever path I have in there is not going to match what I have in the USN Journal. So I don't know where that file was sitting in the file system.

Speaker 1:

Now this is the magic of what Yogesh did, right. What the tooling does is take the MFT table, and you have to process it a little bit, you have to create a CSV of it. And then it takes the USN Journal; also, you have to process it a little bit and create a CSV of it. The video that Richard at 13Cubed made explains how to do that as well and what tools to use. So you have those two CSVs and you ingest them into the tool, and the tool goes and says, okay, here is the entry for that record and here are the sequence numbers. Remember, sequence numbers grow incrementally, so it goes back and it starts counting down and getting all the different files and directories (remember, directories are files too, or treated as files) from the USN Journal, and it rewinds them. Okay, so the output of the tool is a nice CSV, like a spreadsheet type of thing, and now you have that file that was deleted with the proper path, because it goes back looking for the sequence numbers to find the proper pathing for that file. Right, does that make sense, my explanation? It does. Now, my explanation is really conceptual. Richard goes into the video and shows it. He literally goes and says, okay, let me show you by hand. You make the connection between the USN Journal and the MFT entry. Look at it when it's reused. Look at the sequence number being incremented. Now look at the tool, how it goes and rewinds all those sequence numbers to recreate that path and provides you that.

Speaker 1:

I gave that to the authorities of a third country that I'm not going to disclose, and they hadn't heard about it. They had no idea that they could do that, so they were extremely excited. I haven't heard back, and that happens a lot. Right, it reminds me, I mean, I grew up in the church, so you know, Jesus would heal the lepers, ten of them, and they would go out and only one would come back and say thank you. That's the story in the Bible. So it's kind of like that, right: you help people out and some never come back and let you know what happened.

Speaker 1:

So I hope they let me know what happens, because I think they're going to be successful. They're going to be able to do this USN Journal "recreate the path". They already have some timestamps from the investigation; they will be able to reinforce that with timestamps within the USN Journal and possibly within the MFT table for other things that happened around the event they're investigating, and they were really excited about the information. And again, if you want to check that out, check 13Cubed's latest video on the USN Journal. And I agree with Malik; he's saying that this is a clean way to get a deleted file's location, and in some instances I think it might be the only way. And again, I cannot disclose the case, but it was super important for the case for them to get that path, and this is the way to do it. So I love this video. We don't talk about Windows enough.

Speaker 2:

No.

Speaker 1:

I think we did plenty today. My co-worker will be very happy.

Speaker 2:

I have a co-worker and he loves working on computers in the lab, like, that's his thing, and mobile's my thing. I'm not big into doing the computers. I'll do computers and I have the capability, but he's like, you guys never talk about computers. So this is for you, Kevin, if you're listening.

Speaker 1:

There you go, Kevin. 90% of our stuff is still phones because that's what the work brings in. But we love computers, we love our Windows, and again, the fact that I know some of this stuff off the top of my head, I owe it... I mean, I take a lot of courses within my organization; they're great. But what really drove it home was taking the BCFE with IACIS, for me at least.

Speaker 1:

And if folks are trying to become examiners, you are not going to go wrong with the BCFE. And, by the way, the BCFE doesn't give us any commissions, but we teach for them and we get paid zero dollars for teaching. It's all volunteer work. So we're not saying this because there's any benefit or anything, right. We don't put things out to get any personal benefit out of it. We put it out because we think it's useful. And the BCFE really drilled into me all these details about the USN Journal and how files are created, how they're spread out on the disk, resident or non-resident. All that good stuff came from good training, and IACIS is a good way of doing that. So from my experience it's really good. Highly recommend it.

Speaker 2:

I have to do that training still. I still have not done that.

Speaker 1:

Well, I think you should.

Speaker 2:

But then I can't come teach the class with you and it's all on you.

Speaker 1:

I think you should do it whenever I'm not teaching anymore. Then you can do it, because then it won't be my problem. All right, I'll wait till then. I'll wait till then. Malik is asking, is it possible to make a GUI for the journal tool to support the flow for the examiner? Yeah, of course.

Speaker 2:

Yeah, there is.

Speaker 1:

So the way Richard does it, he uses some of Eric Zimmerman's tools to ingest the CSVs, to be able to look at them and search through them, Timeline viewer. Don't correct me if I'm wrong, but whatever Eric Zimmerman's timeline viewer application is called, he uses that; he uses other tools. So there are some kinds of GUIs already for that, in a sense. But yeah, if folks are up to it and kind of automate it, because the tool that Richard showed is all command line and then creates a CSV, so if somebody wants to create, like, a front end for that, I think it would be a good thing. So absolutely, go check that out: CyberCX, and that tool, the Rewind the USN Journal one, so go look that up, 13cubed.com.

Speaker 2:

Nice. So a LinkedIn post from Daniel Avila, I want to say Avila, how do you want to pronounce it?

Speaker 1:

So that Daniel, or Daniel, he's from Brazil, so it could be Avila, or it could be Avija, at least in Spanish. I'm not sure, but I'm going to say Avila, I'm going to go with that. Okay, all right.

Speaker 2:

Well, he had a LinkedIn post about downgrading APKs on Android 15 that he posted, I think, just a couple of days ago. So he was talking about forensic research that was done in their lab on performing the technique of downgrading APKs on Android 15 for forensics and data acquisition purposes. He mentioned that the method allows the collection of sensitive data from applications, such as databases and cryptographic keys, expanding our investigative possibilities. He said the APK downgrade may become the only viable alternative for success in gathering critical information in your investigative cases. So the APK downgrade, I don't do that. Do you do the APK downgrades?

Speaker 1:

So the last time I heard about my own policies, we're not allowed to do APK downgrades.

Speaker 2:

It could come in very handy if you can't get data from a specific application because something has changed in the application, or even, I don't know, just more advanced techniques. It can be downgraded to be able to pull data from different applications that you may not have access to any other way. But you just have to make sure you have the authority to be able to do that.

Speaker 1:

Oh, lawful authority. Always. We teach that the first thing that comes is lawful authority. I don't care if you know computers or not; you need to have lawful authority before you put your hands on it. Now, let me be clear here. Yeah, we're not allowed to do it, but there's always, at least within my organization, a procedure where you can ask for permission to do certain things. Right, let's say you have a tool that you need that's not part of the approved tool list. There's a process you follow to be able to use it and put some safeguards in. So don't get me wrong: we can do anything we want, right, if we have the proper authority, we follow the proper channels and the proper validations and testing and verifications and the like.

Speaker 1:

Right now, that being said, um, why do I think? Uh, first of all, before I say that, um, downgrading an APK is nothing new. Downgrading an APK is old. What that does is, like Heather was saying, you have a version of that app that you cannot get the data out of because it's a recent app. You put an older app in and then that data is now shown through the older app, which you do have access to or a way to download that data from, and what Avila has done is to be able to do that in Android 15, which is a great capability, but the concept is not new. The application on Android 15, it is new. Now, what are the drawbacks, why we don't do that as a matter of course? Well, because there's a reason why there's a new app. Something has changed, right. The word downgrade means going back a level, literally down. You're going down a level. So when you're going down a level, that means that you're having less, that you might be missing stuff. Maybe the new app has six tables in the database and the downgraded version might have only four, those two extra ones being added with the new APK or program for that application.

Speaker 1:

APK is just the program, okay, in Android. What if the data you need is in those two tables, right, and you went for it and you didn't get it? You have no way of going back. It's not reversible. When something goes away, you cannot, well, I'm going to upgrade, you know, upgrade the app. Well, yeah, you're going to upgrade it, but you're going to miss that data.

Speaker 1:

So you got to be judicious, right, and make sure you have your due diligence. If you're dealing with a ticking time bomb scenario, then get your proper authorizations and do that downgrade APK ASAP, right, and I'm pretty sure the folks in authority will allow you to do that, okay. Again, it's all about proper legal and organizational authority to be able to get things accomplished. But, as a matter of course, maybe you're better off waiting a few weeks, or maybe a few months, for your tool vendor to support it, or for somebody, or yourself even, to come up with a process to be able to get that APK data out from that program that you couldn't do before. You have to make those decisions in conjunction with your higher-ups.

Speaker 1:

When is a downgrade APK needed? When is it not needed, right? If you know that what you're getting, for example, if it's particular conversations, and you know that hasn't changed from one version to the next, then go ahead. Go ahead and do that, right. So, again, it's all about you making sure that you make an informed decision, or not. Let me step back. Make sure you inform the people that make the decision, give them the right information so they can make the right decision on how you're going to proceed.

Speaker 2:

I think too, if given the time and the test devices, test it on your own test device first, see what the difference is between the two different applications, see if you're going to lose a bunch of data.

Speaker 1:

I like that, I like that, I like that, and that's actually, you hit the nail on the head. That's the way. The Mandalorian, this is the way. Do I need a new APK? Well, let's try it out. Do I or do I? What do I miss? What do I not? So this is the way.

Speaker 2:

So I was driving into work this morning and on, like, a regular station that I listen to music on, they were talking about Apple Photos and new settings. I have no idea why it was even on this random, random radio station, but it was talking about a blog and the name of it is, Apple Photos, okay, hold on, I got to say it slow, I'm going to get it wrong. Apple Photos phones home on iOS 18 and macOS 15. And what they're talking about is, uh, this guy's blog. He's from Lapcat Software and he's talking about how, enabled by default on iOS 18 and macOS 15, is something called Enhanced Visual Search. So as soon as I heard this, I went out to the website to see what the hell are they talking about on the radio station on the way in and read the blog. But I have a couple of pictures here to share.

Speaker 1:

If we put the pictures.

Speaker 2:

Yeah.

Speaker 1:

I named this Apple phones for photos, phones home on iOS 18 phones and iOS 18 devices, 15 devices. You need to make more phones in that.

Speaker 2:

In that sense, yeah, just to help me say it a little more horribly. Um, so on his blog he has a screenshot and he had actually turned it off on his phone. So the button is off in my screenshot. But under Photos, under Apps and Photos, is an Enhanced Visual Search, and apparently this setting is new to Photos and macOS. It's enabled by default and it allows you to search for photos using landmarks or points of interest. Um, your device privately matches places in your photos to a global index Apple maintains on their servers. Um, you know, there's been features like this in the past, um, with Apple devices, but apparently it's now on by default. And kind of the point of his blog was that he felt it should be up to the individual user to decide their own tolerance for the risk of privacy violations with this. He also said, by enabling the feature without asking, Apple's disrespecting users and their preferences. And his final sentence is, I never wanted my iPhone to phone home to Apple. So, new feature to know about.

Speaker 1:

My phone is not ET.

Speaker 2:

Yeah, right.

Speaker 1:

So no phone home. Anybody that's not a Gen X will possibly not get this, unless you're really into 80s movies, but yeah, it's not E.T. Look, I hate opt-outs. But this is not even a proper opt-out, because at least when you tell people to opt out of this, you have to tell them what you're going to opt out of and then you can click it off.

Speaker 1:

I don't like, I don't want to have to click it off, right, but they didn't even do that.

Speaker 1:

They just opted you in without you opting in, and I don't agree, I don't agree. In that sense, personally, my personal opinion, I agree that if you're going to add something that's going to receive information from me, specifically information in regards to locations, right, because the picture has a landmark and that landmark now leads to a location, because the Eiffel Tower is not going to be in Orlando, right, I'm sorry. So, if I took a picture there and I'm not sharing anything, but I'm sharing to Apple that, that Eiffel Tower, I was there at that time, okay. Um, look, I love the convenience.

Speaker 1:

I thought a lot of folks love it too, but they need to do that knowingly, and that's something that, uh, I hope in the future, yeah, legislators get on and say, look, you want to add some features that basically involve sensitive information, like locations? People have to opt in. You got to put it in and people have to willfully add that in. That's an opinion, again, personal opinion. I don't speak for anybody else but myself, but that's the state of the market right now.

Speaker 2:

Well, if they think it's this great feature too, like, advertise it, right? I mean, if it is this great feature, people will opt in.

Speaker 1:

Oh yeah, look, and the author of the blog post, you know, kind of, uh, burned, uh, Apple. Apple had this big billboard in Vegas saying whatever happens in an iPhone stays in an iPhone. Yes, yes, what happens in Vegas stays in Vegas, and the guy's like, that's bullcrap. Yeah, yeah, it's not staying on my phone, it's actually going to the mothership and then getting identified there, you know. So, uh, so he, you know, he was giving me a hard time in that sense and, you know, conceptually he's not wrong, yeah.

Speaker 2:

Part of it does talk about too, like the, um, the security that they have built into that whole process too, with, like, um, encryption and privacy that hides your IP address when you do perform these, I guess I don't even know what I'm trying to say here, but, like, uh, like the search from the servers. Um, but then he goes on to talk about how he just doesn't trust that too.

Speaker 1:

So I mean there's, there's, uh, there's a history, and I'm not talking about Apple specifically, but in general. Um, for example, there was a company that was saying, oh, you know, the videos from your doorbell camera, our security systems, are safe with us. And then the folks that worked there, they were spying on the users, right? Weren't they supposed to be safe? So, and again, uninformed consumers, it should be the norm and not the exception. Yeah, definitely, and providers need to inform us. So again, a personal opinion.

Speaker 2:

So what's new with the LEAPPs?

Speaker 1:

Well, new that I can inform is that our good, good friend Matt Cervezas, and I say Cervezas because in Spanish, Cervezas, I mean, in English Cervezas means beers. So Matt Beers, a good friend of ours, also teaches with us at IACIS. He made a cool and really nice little artifact for MeetMe chats. So if you have an application that uses MeetMe chats for communications, your proprietary tools will be blind to it. But the LEAPP, thanks to Matt, now has that capability, and again, it's work for the community, from the community. So we're really grateful to Matt for adding that in.

Speaker 1:

Johann Polacek, as always, love him to pieces, he's the best. He's doing, you know, behind-the-scenes enhancements for the tooling in regards to media management, for the new LAVA output that we're working on, and, uh, he's awesome. I, I can't thank him enough. Um, I hope, I hope life gives me an opportunity to repay him, and hopefully, um, monetarily, but if not, in some way. Um, same with all the collaborators, like Kevin and like John and like, um, James and everybody else, and yourself is included as well, if, if you're able to get your scripts to work. Yeah, I'm working on it.

Speaker 1:

I don't know what's going on with this one. I can't figure it out. Yeah, I, I don't know. Change computers. I think that computer is cursed.

Speaker 2:

I'm going to try it. It's cursed. I'm going to try it.

Speaker 1:

New year, new operating system. Just nuke it from orbit, reinstall it and you're good to go.

Speaker 2:

All right, I'll work on it tomorrow. I'm going to make it work. Well, that brings us to everybody's favorite part of the show, the meme of the week. Let me see if I can get it shared here and I can explain it. So we have a turtle that is just looking completely chill and it reads, when you get to work and everyone is out on holiday: finally, inner peace. I love this one. My office has been a ghost town these two weeks and it has been beautiful. I've gotten more work done in these two weeks than I've gotten done in the last two months.

Speaker 1:

Examiners. That's the best week for examiners because you're able to catch up without people asking you 20 questions that were already answered in the report that they did not want to read, right?

Speaker 1:

So this is a good time of year, and I was reading another examiner, I forgot her name, but she was saying on LinkedIn that if an examiner goes on holiday in the holidays, right, they have to work really hard before they leave, right? So that way they can kind of try to catch up with all that work and then they can put it in the stakeholders' lap and then they can leave, right.

Speaker 2:

Yeah, there you go.

Speaker 1:

Your stuff is there. Have fun. I'll be back in a week or whatever it is. But some of us that do come into work on some of these days, I think we all can relate, the office is quiet, not even a mouse stirring, and you can get so much work done. I think it's my favorite two weeks of the year. Hey, you know what's the song? It's our most favorite time of the year, for the holidays, right, yeah?

Speaker 2:

Not because of the jingle bells.

Speaker 1:

To go to work. Yeah, we need a life, we need a life, oh, big time.

Speaker 2:

I'm here telling you how I went to bed at 8:30 on New Year's Eve. Now I want to go to work during the holidays. I do. I need a hobby, a different one.

Speaker 1:

Yeah, our hobbies can't be doing forensics.

Speaker 2:

No.

Speaker 1:

Well, folks, we got to the end of the show, the first show of the year. I appreciate everybody here, everybody in the chat. Um, like, but it's saying, get more work done on a day off in the office than a day on in the office. Yeah, I like to play on words with on and off. So true. Um, so yeah, no, so we're gonna be here, hopefully in two weeks, um, yes, you know, time and news permitting, and that's all I got.

Speaker 1:

Anything else you have for the good of the order, heather.

Speaker 2:

That's all I have. Happy New Year.

Speaker 1:

Happy New Year to everybody. Don't do anything we wouldn't do, and if you're going to do it, make sure to invite me. Yeah, me too. All right everybody, have a good night and we'll see you soon.

Speaker 2:

Bye, thank you, bye, thank you.