Digital Forensics Now

Mind Matters: Navigating DFIR with Balance

Heather Charpentier & Alexis "Brigs" Brignoni Season 2 Episode 8

Get ready for a hands-on look at digital forensics and the challenges professionals tackle every day. We share a story about forensic guessing that highlights the importance of testing assumptions and following the evidence to avoid errors. The discussion emphasizes how staying grounded in facts can prevent investigations from going off track.

We also highlight advancements in forensic tools and training. Learn about tools like Belkasoft, the UFADE tool for iOS device extraction, and SQBite for SQLite database analysis. These tools are improving efficiency and accessibility in the field.

 But it’s not all about the tech. We address the important topic of mental health in digital forensics. We discuss the pressures of the job, strategies for managing stress, and the importance of supporting one another. Personal experiences and practical tips highlight the need to prioritize mental well-being in this demanding field.

This episode provides valuable information on tools, investigative approaches, and mental health strategies for forensic professionals.

 

Notes:

Belkasoft Windows Forensics Course
https://belkasoft.com/windows-forensics-training

Updates to UFADE
https://github.com/prosch88/UFADE/releases

The Duck Hunter's Blog
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-1.html
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-2.html
https://digital4n6withdamien.blogspot.com/2025/01/the-duck-hunters-guide-blog-3.html

SQBite
https://digital4n6withdamien.blogspot.com/2025/01/introducing-sqbite-alpha-python-tool.html
https://github.com/SpyderForensics/SQLite_Forensics/tree/main/SQBite

Mental Health in DFIR
https://thebinaryhick.blog/2019/06/21/mental-health-in-dfir-its-kind-of-a-big-deal/
https://www.forensicfocus.com/podcast/the-impact-of-traumatic-material-on-dfir-well-being/
https://www.forensicfocus.com/news/dfir-and-mental-health-are-we-doing-enough-to-protect-investigators/
https://www.sciencedirect.com/science/article/pii/S2666281721000251
https://belkasoft.com/preventing-burnout-in-digital-forensics
https://www.magnetforensics.com/resources/taking-care-of-mental-health-during-digital-forensics-investigations/
https://www.harmlessthepodcast.com/
https://www.shiftwellness.org/about-us
https://www.nyleap.org/

What's New with the LEAPPS
https://github.com/abrignoni

Speaker 1:

Welcome to Digital Forensics Now podcast. Today is Thursday, January 23rd, 2025. My name is Alexis "Brigs" Brignoni and I'm accompanied by my co-host, the Queen of the North and the support ticket undisputed world champion, Heather Charpentier. Oh my God, oh my God. By Shane Ivers and can be found at silvermansound.com. Heather, are we ready to rumble?

Speaker 2:

Oh yeah, we're ready to rumble. Oh my gosh, support tickets. I'm the speedy world champion, baby. It's my favorite thing to do, really, apparently.

Speaker 1:

Hi everybody, thank you for joining us. Again, we have all these inside jokes here, but anyways Some people will get it.

Speaker 1:

People receiving the support tickets will get it. Oh yeah, no, we're happy to be here for the folks that are watching live. We love you. We see Jessica. Hi, this is in the house. Hi, Jess, great to see you and the folks that are listening later through different podcast services, Spotify and iTunes and all the like. Thank you for listening and being here and supporting the show. Heather, what's been going on in your neck of the woods lately?

Speaker 2:

I'm freezing to death. That's what's going on. I don't want to go outside and I need an electric heater next to my recliner.

Speaker 1:

Well, you live in New York, so what do you expect? Look, look, look. I live in Florida and I'm freezing in Florida. At least I got a little bit of a plane.

Speaker 2:

It has been cold in Florida. Oh my God, I can't even imagine you must've been bundled right up.

Speaker 1:

No, and I'm lucky I'm not in Pensacola. Pensacola there was actual snow like whatever, like a foot of snow or something ridiculous like that.

Speaker 2:

A foot of snow.

Speaker 1:

Something like that.

Speaker 2:

In Florida.

Speaker 1:

In Florida. Obviously, the northern part of Florida was still. What the heck?

Speaker 2:

Oh my God, I have to pay attention to the weather down there. I guess I didn't even see that.

Speaker 1:

Yeah, so I'm cold. You know, I try to have my beard warm my face. Justin Tolman, look again with the hat.

Speaker 2:

Maybe I'll grow mine out and warm up a little bit.

Speaker 1:

You'll side gig as the bearded lady you know.

Speaker 2:

Yes, I can just imagine the introduction if I come on to the show with a beard.

Speaker 1:

I want to say hi to Puppet from Melbourne, good to see you, my friend. Hi. And the great scooter man, the one and only Scott Conning. I mean he's running to an airport, but I'm glad he's listening. So, Scott, listen as long as you can, but be careful with the people on the plane. They'll tell you to shut down your phone before you take off. You might miss some part of it. And Kevin, obviously the man with the plan. Christian's in there too, and Caitlin.

Speaker 1:

Oh, awesome, Christian, we're going to talk about your stuff today, so stick around, all right. So talking about stuff for today. What do we have, Heather, let's get into it.

Speaker 2:

Let's do it. So I actually I think it was last week I was working on a case and so forensic guessing that's like. One of my biggest pet peeves is when people see an artifact, immediately decide what they think it is and then just go with it. And I kind of started to do that myself last week with an artifact. So I was working on a case that was a child sexual abuse material case and I opened the extraction up and did a keyword search across the entire image for some keyword terms that relate to that type of investigation. When I did it I got hit on this file that was related to Siri. So I opened the file. The extension on it was dot T-R-I-E. I'd never even seen that before. And I open up the file and I'm looking at these what looked to me like to be prompts. It looks like it's Siri, it's the user asking Siri questions and the questions were about child sexual abuse material terms. So I'm like, oh my God, I just found all this. Guys, I just found all of the searches.

Speaker 2:

Yeah, no, it's not. It's not. So I went with it. I didn't go outside of the office with it, so my forensic guessing was just right at my desk but grabbed a test phone enabled. Siri asked a couple of things. Expected to see my searches in the same file in my test data. When I opened the file in my test data, it had all of the same searches as my evidence phones and it looks like it's just some kind of pre-populated thing related to Siri. And then somebody was actually standing at my desk and said to me maybe it's a block list.

Speaker 1:

I mean and that's another, the block list is also forensic guessing, oh yeah, but it's also, I mean, we need some forensic guessing in the sense of creating some hypotheses and then, like you did, you go and you test those hypotheses and see if they pan out, Because, like, why would they pre-populate CSAM terms? Right, Like, thank you Siri.

Speaker 2:

Yeah, the way I saw it too. I mean, they were so detailed that I was like, oh my God, I can't believe this is here, like it's awesome. I want to figure out how to parse it so we can let everybody look at it.

Speaker 1:

No, don't, don't bother. Yeah, Jessica says that forensic guessing is when you don't test. Right, you made up and you test and she's absolutely correct. Right, you have to do that. Your experience reminds me of something that happened, geez, like four or five years ago on Google. Google also. I found like I don't have the details, it was so many years ago but like a list of words. They also had CSAM words.

Speaker 1:

I'm like, okay, this must be some search thing and I kept looking and I figured out no, it's kind of like a pre-populated thing and I was finding this on multiple different devices that had nothing to do with CSAM cases and I'm like, okay, so that you know, like you said, this is not, oh, and I didn't have any evidence of those lists being populated by user action either, you know, right. So I had to discard that idea.

Speaker 2:

Yeah, I didn't I didn't either, because you know how sometimes in the audio files there's you can hear the person's voice, and it's some of their Siri searches. I didn't have any of them and I'm like, what is this? And it ended up being exactly the opposite of what I thought it was, but I didn't send it out and say it was that. So that's the good part. That's the good part Always test, test, test.

Speaker 1:

Well, and I've got an example from a recent scenario. Obviously I'm going to keep it really light, so it's not related to the actual case, but right, um, we had a tip, um, from NCMEC with information and those reports have a standard format or different section. There's a section for the suspect and there were a whole bunch of identifiers there and the thing is, you got to be careful. So you got to be careful not only when you're looking at something that's unknown to you, but also things that are known to you, because you can make wrong assumptions. The wrong assumptions we were having in this case is that those identifiers included the person that was paying for the service, which makes sense, and then below it had other monikers, usernames and different things. So if you look at it and you look at the header that says suspect and will always say suspect, because how the report comes in from the tip, the cyber tip people, it's easy to assume that that subscriber information from the tip is related or, you know, it's tied to the usernames. Kind of makes sense. They don't tell you that it's not, they just put them all lumped together and most of the cyber tips, the subscriber information, is for the user and the identifiers are for the user. They match and you're done. In this particular case they didn't and we could have made a wrong assumption in assuming that these usernames were tied to the subscriber and they were not. The reason those usernames were there is that there was some information that was provided that had those usernames in it. So it was incumbent upon us to not make an assumption there and try to understand. What does this mean? I know the cyber tip told me it's the suspect, but okay, that's fine. But what does that mean?

Speaker 1:

By looking at the evidence, we can't take the report and assume or take its own conclusions as the correct conclusion. We could be wrong. I can't call the provider and have somebody from the company by the phone tell me well, this means X. Well, that's fine that you're telling me that, but what does the evidence show, right? Right, because this guy's phone call is worthless unless I can actually show how his conclusion is supported. Just because he's from the provider doesn't mean that he is correct. And that's the whole appeal to authority type of stuff, right? As investigators I cannot just use an appeal to the authority. I have to understand how they got to it and we take shortcuts.

Speaker 1:

Well, the provider said X and you go with that. What if that guy that picked up the phone was wrong, right? Right, yeah. So, and we avoided making the wrong assumptions in that case because we had a peer review for it, right, and then we avoided that problem. So forensic guessing is not only on the technical side, it could also be on the investigative side. And you have to be, well, I'm going to make another story, quick story. See, now I'm going to roll. No, go ahead.

Speaker 2:

That's why I picked this topic.

Speaker 1:

We have to be aware of our biases and then establish our love for truth right, our principles, our values right, not our beliefs. Values, that's my topic from last year, but I'm going to bring it again. We go by values, not beliefs, right? So I have cases where the suspect will say things to try to cover, and, you know, try to. For example, look, I'm at this illegal content, I don't like it, you know, as they're downloading it, right. So if it's found, they said well, I said I didn't like it. So they're kind of trying to cover themselves.

Speaker 1:

Right and well, just because somebody did that at some point in one of your cases doesn't mean everybody is like that. And I say that because in one particular case, somebody would have told me well, that thing that looks exculpatory, well, that's what a guilty person would say. And my response to that: okay, then what would an innocent person say? The exact same thing, right? So that type of comment doesn't help. What do you do then? Well, you look to the evidence. You figure out, well, is this statement consistent with the evidence? If the person is not liking this contraband, they don't want it. Well, did they delete it? Did they report it? I mean, did they follow the actions to show that? And if that's the case, that statement is supported. And if that's not the case, the statement is not supported.

Speaker 1:

What I can do is just, well, that's what a guilty person would say. I mean, come on, man, and we do that all the time. And look, I mean I'm not saying that to ding on the folks that I had the conversation with is, people are really good people, but that's normal. I've been there. I've been there. I've been the one that makes those assumptions, because our training and experience leads us to kind of go that way. But sometimes we have to step back and I say that for myself step back and make sure that, whatever the statement is and my assumption of the statement, they need to be backed up by the evidence and if they don't, I should be happy with discarding them, because I don't care about being right. I I mean not being right about my beliefs being right. I care about the evidence and my interpretation being right, and if my beliefs are wrong, I'm more than happy to drop my beliefs and develop new ones.

Speaker 2:

Hopefully that makes sense, I really wanted this to be the user Siri questions, though.

Speaker 1:

Well, I mean, it would do for great artifact research right.

Speaker 2:

I know, I was so excited because I'm like, oh, we can support it in the LEAPPs and no, we're not going to do that, because it's not what you think it is.

Speaker 1:

Yeah, mary's is also there. Hi Mary, that's a good friend, and who else is here?

Speaker 2:

Derek and Damien.

Speaker 1:

Derek, Damien, we got some of your stuff coming up too. Derek did some awesome logos. So if you subscribe to our newsletter for the LEAPPs, if you haven't, go to LEAPPS, L-E-A-P-P-S dot org, and you can subscribe there and whenever we have a new version of the product or when we're ready to release LAVA, not yet, we're still working on it, um, you'd be advised. Well, I sent out the first newsletter email, uh, announcing the latest iLEAPP version, and it has some awesome logos done by Derek. It does, it does, they look pretty cool.

Speaker 1:

It's a little apple with all the different connectors. You gotta see it, it's pretty nice I also put it on social media.

Speaker 2:

Yeah, I was gonna say we should have put a picture up, but it's right on your LinkedIn and everybody can go to your LinkedIn and see it.

Speaker 1:

Yeah, so. So there it is. So, thank you, Derek. So so, yeah, so, yeah, I mean just to close with this topic we need to make sure that our property that's for this year that's one of my words for this year Property property meaning your character, quality, that you have to go and follow things through the whole way and make sure that. Attention to detail, and then the third one is probably attention to detail and due diligence. Those are the three concepts for the year, for me, for 2025. So we need to refocus on those.

Speaker 2:

Keep the guessing at your desk.

Speaker 1:

I mean, create hypotheses, like Jessica, create hypotheses. That's what forensic guessing is, nothing else. If you're putting a forensic guess on your report, you gonna be in trouble. Oh yeah, definitely, yeah. Let me just, uh, hear a little shout out to Derek from Kevin. Kevin's also been working. Uh, so Kevin and Derek, they're working on some of the branding for the LEAPPs and the web pages and how we do logos and stuff, and, uh, they're doing an amazing job and everybody pitched in ideas and Derek's been so kind of giving us of his time to create those logos. There's more coming up. I don't want to show them all at once and they're pretty fun and roll them out slowly, of course, of course.

Speaker 1:

So thanks to Derek and Kevin to try this great, uh, group work there. Yeah, good. Um, let's see what else we have. Oh, Belkasoft.

Speaker 2:

If you haven't seen Belkasoft's announcements, um, they're giving another free course, which I think is so awesome, but it's a Windows forensic course this time. Um, free online access to the course materials, and this will be any time between January 15th and February 14th, so there's still time. Um, I believe they had so many people sign up, but they're kind of like staggering releasing the materials to people anyway. So get signed up so that you can get in on that. It includes a free 30 day trial license for Belkasoft, training materials, video tutorials, pre-recorded webinars, articles, what else does it have? Practical tasks, certificate of completion and achievement.

Speaker 2:

And the basis of the course, like what you're going to learn, is how to review common Windows file systems, which file system features might be useful in your investigations. How to examine Windows applications like chats, browsers, mail clients. How to inspect media files, documents and utilize media-specific analysis options like text recognition and keyframe extraction. How to identify and analyze forensically important Windows system files like registry files, event logs, files like that, and then how to get more evidence from Windows data source by using carving, embedded data analysis and other advanced forensic techniques. So I'm going to put the link up on the screen now, but it'll also be in the show notes for anybody who's looking to go register for that course.

Speaker 1:

Yeah, and the Belkasoft people are putting great content out. If you're not following Yuri, you know, the owner, CEO of the company. Yeah, he's putting out a good forensic content like a series in LinkedIn. Like you know, every day he puts like a snippet of a topic. That's all related and they're pretty good. So I suggest folks to do that. We think that to be good examiners, we need to have thousands and thousands of dollars of training available, like a training budget, which I mean if you have it it's great, but you don't really have to. There's so much good content out there for free and available. You just need to go and spend the time, you know, looking for it. So, uh, going to the LinkedIn, to the blogs and free courses at Belkasoft, uh, that's one way of getting that.

Speaker 2:

Yeah, and it gives you access to the Belkasoft um software. And I mean you're going to love the Belkasoft software. Get it, get that tool for your toolbox.

Speaker 1:

Absolutely, absolutely. And talking about tools, there's paid tools, yeah, there's tools that are, you know, available to the public, even at no cost. So what do we have on that front, Heather?

Speaker 2:

Christian, who's in the chat tonight, to his UFADE tool. We've showed the UFADE tool on the podcast a few times now, but he has recently made a few updates and I have some screenshots to go along with that. Before, just give a 20 second rundown of what the tool does for the folks that never hear about it.

Speaker 2:

Oh, yeah, yeah, so you can do extractions from iOS devices. There's advanced logical file systems. There's Cellebrite UFED format, where it comes out with the actual UFD file. You can extract the sysdiagnose logs. I know I'm forgetting things. There's a ton of functionality to it, so check it out. Oh, the unified logs.

Speaker 1:

It'll pull those, so yeah check it out and the cost is the best part, you know I mean it's like, only like, $50,000, I think right, but there's a discount. It's a $50,000 discount with it, and so being $0.

Speaker 2:

Yeah, so it's free.

Speaker 2:

But with the most recent update he added a new type of advanced logical backup and he put in his blog that he's calling it a partially restored file system.

Speaker 2:

And he explained in his post that it creates an encrypted iTunes backup, decrypts the backup to the original file structure, pulls files via AFC that are not included in the backup, pulls shared app document folders and including missing files, pulls crash logs if you've triggered a sysdiagnose and pulls iTunes metadata for apps. All of that creates a tar archive that can be loaded directly into iLEAPP, if you'd want to choose iLEAPP or whatever tool you'd like to use. And the other new feature is a PDF report is now also included for screenshots that you take. So the tool actually has the capability of doing screenshots as well, and those screenshots will contain file name, hash and information about the chat. And he threw a thank you out to Miguel Angel Alfredo Traverso.

Speaker 1:

That's pretty good.

Speaker 2:

I didn't do too bad, right, Miguel Angel? I know you're going to say it better.

Speaker 1:

Actually, I know him in person.

Speaker 2:

Okay, oh yeah.

Speaker 1:

No, he's an Argentinian. He's an Argentinian from Mar del Plata and we're taking a couple of he's taking a couple of my classes over there, and what a nice guy.

Speaker 2:

Oh nice, tremendous examiner, really sharp guy, and um really nice guy, so I actually know him in person as a matter of fact. Oh good, so you can fix my horrible butchering of everybody's name that I come in contact with. Um, I stole Christian's screenshots that he put up too. Um, so the first screenshot that I have up on the screen shows you the option for that new partially restored file system backup. And then he had a screenshot of what the screenshot reports will look like.

Speaker 1:

They look pretty nice. I love the logo on the top they do, and the details, the headers Not headers, but yeah, I guess the column thing and the explanation, they're pretty nice.

Speaker 2:

Yeah, definitely. And then he also had the data loaded into iLEAPP in one of his screenshots, so I have to show off the iLEAPP.

Speaker 1:

Even more nice.

Speaker 2:

Yes, it's beautiful and just wait till LAVA comes out.

Speaker 1:

It's just that it's such a complicated piece of software that, and again, our budget allows us to go slow. But it's pretty good stuff. Pretty good stuff.

Speaker 2:

And since Christian's listening, I'm gonna tell him it's in the light mode, it's not in the dark mode and I almost got in trouble for that. Yeah, my retinas are burning right now.

Speaker 1:

I'm looking away from the screen. I don't want my retinas to burn, you know I said, I didn't do the screenshots.

Speaker 2:

I stole them from Christian, so I blamed you more dark, more Christian, please. The vampires like me need it, so go check out the updates, give it a try, hook your iOS device up and try all the different options. There's a ton of different options in there.

Speaker 1:

And again, it's free, and I love this type of software because you know it really gives you a sense of what the tool's doing behind the scenes. So please, please, go get it and practice, practice, practice, practice, practice and then you sit on your cases as needed definitely.

Speaker 2:

Um. So some research, some new research that's out there by Damien Attoe. Uh, he has a new blog and it's the Duck Hunter's blog. It's on his blog site. Um, there's three out I have. I only had two to talk about tonight and then he went and released one last minute on me here.

Speaker 1:

So, um, there's actually even better, even better yeah, definitely, um.

Speaker 2:

So the first one is research, uh, focused on analyzing the DuckDuckGo privacy browser across iOS, Android and Windows platforms. Um, his objectives included identifying stored session data, understanding data persistence, post-application closure. Assessing the impact of the fire button, which I didn't even know what the fire button was. So the fire button is the DuckDuckGo privacy browser. It's a feature designed to instantly clear your browsing data, including tabs, cookies and cache files. It provides users with a quick and efficient way to maintain privacy by erasing traces of their online activity on the device.

Speaker 1:

Yeah, I grabbed that. It's the wife is coming button yeah.

Speaker 2:

Yeah, so his first blog talks about that and does a lot of testing with that. His second blog expands upon that with the DuckDuckGo privacy browser and examines the actual history DB, the SQLite database related to it, in Android no-transcript browser. Oh God.

Speaker 1:

I was going to ask. I think he did some research on some of the recoverability of data from that SQLite database, right?

Speaker 2:

He did yes, yep, so yeah, the browser's fire button and the automatic clearing features can erase the browsing history, and he was looking into the potential methods for recovering deleted browsing history, including the write-ahead log. So check that out. And then the third one, which I just learned about today, is hold on one second, that's going to have to do with the tabs.

Speaker 1:

Yeah, Kevin is saying that we need gov parses in iLEAPP, and I agree with that. Actually, Heather, maybe we should by me. I mean, you get some test data and then I can help out with the coding part. So that's actually a good idea. I like that.

Speaker 2:

Or we'll throw Damien in on this with us.

Speaker 1:

Well, I mean, he knows how to code really good. Yeah, I know, Damien, you want to make an artifact for iLEAPP.

Speaker 2:

I'm just throwing you in.

Speaker 1:

It's Python, Damien. You got that down like on your sleep. Man, there we go, Boom Ah awesome, ah, perfect. He's saying that he can write them. Okay Now you made a commitment in public to you know.

Speaker 2:

Uh-oh, it's up there on the screen.

Speaker 1:

Yeah, a whole bunch of people. So we're going to hold you up to it and we'll see you soon in IACIS.

Speaker 2:

Yes, I'm just saying a night of coding IACIS.

Speaker 1:

I hope he hasn't done before that. But if not.

Speaker 2:

That works too.

Speaker 1:

Come on, Heather, come on.

Speaker 2:

I know, ooh, I just gave a longer timeframe.

Speaker 1:

Yeah, that's a fail on your end. Oh sorry.

Speaker 2:

Um, the third blog. He talks about, uh, DuckDuckGo's open tab information. So he looks into the specifics of how DuckDuckGo browser on Android devices manages and stores information related to the open tabs. It talks about the stored information, including URLs of open tabs, identification of currently active tab, screenshots of the current web pages and open tabs and favicons associated with the current web pages in the open tabs. So I have links to all three of those but they're not going to fit up on the screen here. They'll be in the show notes for everybody to look at when we're done.

Speaker 1:

And I really recommend people to look at his research in recoverability. How much you can pull stuff out from that SQLite database, I'm not going to go into it now, but it has some pretty unique characteristics that you might not be applicable to other SQLite databases. So look into that. In that vein, I did a research long ago on the Firefox privacy browser in Android some years ago and I found out that the LevelDB data stores for that browser were not cleared, even though the SQLite history database was cleared. So I guess if you're doing browser forensics and you care about deleted stuff, read Damien's blog for DuckDuckGo, do some of the techniques he uses with the SQLite and me.

Speaker 1:

I'm providing you another avenue: get smart with LevelDBs and pull those out, because you will find good stuff inside LevelDBs, and some of these browsers don't really care to flush those out, and then you can get. I in my research I got actual websites at the that I visited um that were not in the cleared out database. So don't sleep on LevelDBs. We talked about LevelDBs in the past other episodes and but so we have time for that now, but just research some of that really good, good data sources.

Speaker 2:

Yeah, we need to revisit those again because everybody needs to be going to the level DBs We'll have to put that in one of the one of the next we'll just keep revisiting that one.

Speaker 1:

And on our IACIS course we cover those LevelDBs really good. In the advanced mobile device forensics course we cover that as well.

Speaker 2:

So just a heads up. Oh, speaking of Damien, another post from Damien recently was his tool, the SQBite. Let me throw that up there. There we go. So SQBite, according to his post, is a tool that has a combination of Python scripts. He wrote it over the past six months to do various things with SQLite databases all combined into a single tool, and he stated that currently it extracts records from tables in the main database file, extracts records from B-tree leaf frames in the write-ahead log. Associates records in the write-ahead log to the table they belong to. Outputs all records into a single CSV with file offsets for validation. He indicated in his post that it's very useful for a validation tool. I 100% agree. I would use it as a validation to what I'm seeing in my major tools, but also as a triage quick to get some really quick information from a database that I'm interested in.

Speaker 1:

Well, and I think you mentioned the recovery from free blocks and an allocated space right, you mentioned that's upcoming.

Speaker 2:

So he has future additions are going to be parsing free list pages. Parsing overflow pages. Parsing index B-trees. Parsing pointer map pages. Recovery of records from free blocks and page unallocated space. Recreating the database and output the records into a SQLite database that can be queried. And I think he said too.

Speaker 1:

I like that feature a lot. I really like the fact that you can take those records and put it in this other also database format that you can actually go through. That's a pretty smart way of doing that. I like it.

Speaker 2:

Yeah, he said too that he has a beta version of that already that he plans to release in March 2025. That will have the basic record recovery functionality for free blocks, free list pages and unallocated space.

Speaker 1:

And, based on his description, it seems to be a pretty comprehensive recovery tool, because I tried different recovery tools for SQL databases and some pull some things, some pull others, but then that's fine. But I like the detail and all the different avenues of recovery that he's working on. So I really applaud his work on this, and I look forward to the March release of the latest version with those capabilities. Yeah, me too.

Speaker 2:

Um, I really, really appreciate his README too. Sometimes, the README is, when I'm going to do these scripts, I'm like, hmm, I really don't know what I'm doing. But if you're gonna go try out this tool, the README is super detailed and I have it up on the screen now. So I'm going to just run it real quick on a call history database that I grabbed from Josh Hickman's extractions, so python, the SQBite.py, and then you have the dash I, which is a pointer to the call history store data. That's the database that I'm going to parse.

Speaker 2:

The dash W you can either include it or omit it, but it'll then take into account the WAL file. So then point to the WAL file and then the dash O for the output, which I did as call history dot CSV, and I'm just going to hit it. It goes really fast. And then let me share. We have this nice CSV of the call history data from Josh Hickman's extraction. You can see that his name's all over it and this is deeper. Oh, do you want me to zoom in?

Speaker 1:

Yeah, it's bright and really far away.

Speaker 2:

Oh, I know the brightness.

Speaker 1:

I didn't fix the brightness, I'm sorry. You know you can have dark mode on those, these type of programs too, right? Ah, yeah, I know. Actually you can see the shine of the screen in my face. Oh, I just zoomed.

Speaker 2:

Okay, I just lost you for a minute.

Speaker 1:

I just I just messing with you, although it's true.

Speaker 2:

No, I know you're messing with me. All right, let me just here we go.

Speaker 1:

It's like the sun. I'm staring at the sun.

Speaker 2:

There we go. Is that better?

Speaker 1:

Well, yeah, yeah, that was better. At least I can read it now.

Speaker 2:

Yes, thank you, so we in a CSV that was the output from this really simple script that goes along with.

Speaker 1:

SQBite, and I can't wait for the recovery features. Yeah, absolutely. I think I saw a traceback there at the end of this run, but you know Damien is already on it. He says, you know, if you can send over the traceback, he will work on it. I love that.

Speaker 2:

Yeah, I did see the error too when I ran it earlier and I'm like, I don't have enough time to write to you, Damien, but we'll fix it tonight and I have my data here too.

Speaker 1:

No, and that's useful. Actually, I was troubleshooting with Jess and we haven't finished that yet, but a little bit of some errors we had on iLEAPP on her data set, and that's something that I hope to work on soonish. So that's how it is, that's normal.

Speaker 2:

Nice yeah, so try it out.

Speaker 1:

Yeah, talking about being bright stuff, Chris has said Lava will default to dark mode. Well, I don't know if we, I'm going to push for it to be defaulted, but either way, for a fact it does have dark mode. I'm just going to say because there's no way we are gonna release that without dark mode. Heck, even Kevin goes farther and says we may have some themes.

Speaker 2:

So you know, boom. Oh, I'm gonna go for a theme. I never put anything in dark mode. I don't know why. My eyes are gonna be burned out of my head. You're gonna put the Hello Kitty theme on Lava. That's what you're doing. Yeah, definitely, definitely.

Speaker 1:

You're not a Hello Kitty person.

Speaker 2:

Come on, not even a little bit, like never have been, never will be.

Speaker 1:

I know you well enough not to For that not to be the case.

Speaker 2:

All right, I will put the link up. There's a blog about the SQBite tool and there's also the link to Damien's GitHub, uh, at the SpyderForensics GitHub, where you can download the tool and test it out.

Speaker 1:

They'll be in the show notes.

Speaker 2:

Please do, absolutely. All right, our next topic. So we haven't covered this one before. Uh, but mental health in the digital forensic incident response world. Um, it's a big thing and I don't know. I'm going to just talk about some of the stuff that goes on with mental health issues in the digital forensic world. So I mean, everybody knows you all work in the digital forensics world. It's really a fast-paced industry, demands a lot of technical expertise, precision, resilience. By fast pace, you know you have that district attorney or boss that's like I need this, I need this, I need this yesterday. Where's my, where's my extractions? Where's my analysis? I need this done, and it can become kind of overwhelming at times.

Speaker 1:

Um, so we're just going to kind of talk about some of like the stressors that are in digital forensics, some of the common signs of burnout in digital forensics, um, analysis, and then what to do if you need help and some good resources that are out there. Yeah, and before I go into that, I want to get a quick comment here. With your mental health in DFIR, most of the time we default to you're being exposed to CSAM, right, and that will give you some stress, and that's absolutely true, right, and there's a lot of good resources. I think I'm going to mention if you're working in CSAM cases in regards to mental health. But mental health is not only if you're being exposed to CSAM material. You can maybe not be exposed to it and still suffer from the different things, the stressors that Heather mentioned, burnout, and actually you might need some help and, at least in the law enforcement community, getting help.

Speaker 1:

It's hard, not because there's no resources, but there is these, the unmentioned culture of toughness. If you're in law enforcement, and you're in law enforcement, you're a tough gal, a tough guy, and I can handle, I can deal with it and I don't want to be seen as weak, and that's not something we do consciously, it's unconsciously, right, the image you want to project, that's law enforcement officers. So it's really good to talk about these topics and just because you're not exposed to CSAM does not mean that we don't need to be aware of our mental health in this field.

Speaker 2:

Right, yeah, no, definitely the stigma that comes around with it. Definitely it's a tough it out, tough it out mentality, but I mean with a supportive environment where individuals can feel comfortable addressing what their challenges might be and an area where they can prioritize their self-care, everything can be overcome. Demands, unpredictable hours, exposure to that sensitive and or disturbing content that Alex was just talking about, which could include CSAM, but really it could include a lot of different things depending on what types of cases you work. Actually, I'll just say here, one of the worst cases that I ever had to work on was actually a suicide. I mean, the CSAM cases are horrible, definitely, but a suicide case where I had to actually watch the entire suicide. It was by hanging. I had to watch the entire video of it because they were unsure if somebody had assisted in that suicide. So not only watch it but also listen to it. And I think that's one of the cases that sticks out in my mind as like the most disturbing since I started with the state police 10 years ago almost.

Speaker 1:

Yeah.

Speaker 1:

I mean, and you know, CSAM and other visual depictions of violence definitely can affect you, and some of the effects are not immediate, right, that might come out later. And that speaks to us being aware that that could happen and then be ready to receive help. That's the big thing, right, and try to be aware that it's normal for us to maybe have a delayed reaction. The reaction could be delayed for years. Um, oh yeah, I was the examiner on, at least for the federal agency that responded to the Pulse shooting here in Orlando, right, and part of my job was getting the digital evidence out, to include the surveillance recordings, because we needed at that point to quickly identify any other possible attackers, right? Is it a one-person thing? Is it two people?

Speaker 1:

And at that time there was a lot of confusion in regards to one attacker or two attackers, and I went into the crime scene. I had to. The crime scene was pretty much not processed yet because we had an urgency to prevent attacks, right, so I went into the crime scene and you know, really impactful thing, I'm good so far, but what will happen in the future. I don't know. I need to be ready for that and thankfully my agency has a lot of resources in regards to that. But even if your agency doesn't have as much mental health resources, there's resources that are available to you, that are free and out there for the community, and I think we'll talk about some of those.

Speaker 1:

And then that video. I had to process that video and look at all the camera angles, making sure that it was the one attacker that ended up being right, and try to figure out if there was any intelligence we could grab from that. Right. And now you're listening, you're watching, you might be well, I'm not exposed to that type of level of impactful material thankfully right. But even if you're not, for example, if the volume of work is really high, if the pressure of getting work done is high, if your boss tells you, deal with the priority cases first, and the next sentence is all cases are priority right, yeah.

Speaker 1:

You can experience a level of you know, especially your boss, but whatever management you have, it's not responsive to your needs as a person. That will create some certain uncomfortableness and issues with you in due time. So just because you're not exposed to really horrendous visual material, you don't minimize the stresses that you might be in and it might require to have some conversation with management. Sometimes it might require you to just leave that organization because you need to prioritize your mental health. We are in a technical field and you know jobs are hard to come by. But losing your mental health, that cannot be recovered later after a point. Right, don't yeah, don't minimize the stress that you're in. Look for help and try to put them in context and if you need to leave and get out of that environment, maybe that's just an environment that's not healthy for you and there's no shaming in accepting that and trying to be better. Right, we need to take care of ourselves.

Speaker 1:

See, now I'm on another roll. It's like you're in the right and you're helping people. Help you. You want to help people because the plane is coming down and the mask come down and they tell you put the mask on the children first. I mean, I'm sorry, on you first and then on the children, right? Because you cannot help anybody if you don't help yourself. What good are you? If you pass out, then you pass out and then the child also passes out, right? Just put your mask on first and then you can put the mask on the children or whoever needs you, right? So you got to take care of yourself. It's not a selfish thing, it's a smart thing. When you do that, then you're able to take care of yourself and of others. Definitely, definitely so.

Speaker 2:

Some of the stressors and like some of the common signs to look for in yourself and maybe in others, if you happen to see somebody out struggling. So exhaustion, low energy, detachment, any type of anxiety or depression, you may experience headaches or digestive issues, muscle tension, the person may be irritable or have just unannounced mood swings. Compassion fatigue is definitely a big thing, uh, especially in law enforcement. Um, you know you want to help everybody in all of these cases that you're working on, and it can just get tiring to try and help everybody. Um, and then difficulty separating work life from personal life. That one's huge. I definitely do that. Um, and then, um, also like desensitization to the things that you're looking at, like it's no longer bothering you as much as it used to.

Speaker 1:

Um, yeah, go ahead yeah, yeah and um, I understand this is my as a personal, a personal opinion. So take it everybody for what it's worth and if you don't agree with it, that's fine. But we take to be. Well, I'm going to use a lot of dark humor to kind of cope with it in the work environment, right, and I take that to be as an indicator that we need to look for more consistent professional help, right? I don't believe that dark humor really helps that much. It's more of a mask that we put in front of ourselves to try to say that we're okay when we're not. If, if the material is not good, if the pressure is high, just underlining it constantly as a joke, it's not going to help you feel better about it, even if you think you do right, and then that's.

Speaker 1:

That's my personal opinion and I try to avoid taking that, that tack, because it's just me reminding myself of how bad the thing is. I rather just try to do something different and in how I deal with it and also people that are exposed to your dark humor about those topics. Maybe they don't want to be exposed to that type of humor, right? Maybe that just makes it harder, even harder for them because they're going through the same experience and now you're making jokes about it. Right, trying to make yourself feel better and actually makes them feel worse. So that's why I think having a good conversation with your management and what resources you have, if you're under really stress due to your workload or the materials you're exposed to, it's important to have and do it periodically. Even if you feel fine, there's nothing wrong with having that discussion periodically and make sure that everybody is doing okay.

Speaker 2:

Yeah, to identify someone who might be in need of help. Some things you might be able to identify a decline in their work performance or an increase in errors in their work. If somebody was like a really high producer in your office and all of a sudden they're just not anymore, that could definitely be an indicator. Withdrawal from coworkers or social activities and excessive sick days or absences these are all some ways to help identify if somebody might be struggling. Absolutely, law enforcement agencies used to lack, but I think they're really like starting to embrace the supportive workplace and more of the mental health um types of trainings and uh resources. I think now, um, they're often let's see. Oh, set boundaries.

Speaker 2:

So, um, you must have a life besides just work. Find, find the balance. You can still be amazing at your job and make time for yourself. Take the breaks, take your lunch break. Um, get up from your desk once in a while, uh, just to go for a walk. Uh, whatever. Whatever it is that helps um, take away some of that stress, find an outlet. Uh, for some people it's exercise. Where Alex it's exercise, not for me. I hate the exercise. I'm just being forced against my will to exercise.

Speaker 1:

But it's good for you, so I don't care. I'll keep dragging you to the gym every day. But go on, carry on.

Speaker 2:

So with finding an outlet. It might be therapy, it might be hobbies, just something outside of the work that you're doing, to take your mind off of those stressors and look for community support. The digital forensics community is an amazing group of people. There's a lot of people out there that come to my mind when I think about mental health, and I'm going to mention a few of them in just a minute, but there's resources right inside the digital forensic community that can be helpful.

Speaker 1:

Absolutely. And just a quick comment here and give yourself grace and time right as you're dealing with those issues. For example, here we had in the chat I changed jobs and it took a year to recover from the burnout. Right, you got to be. Give yourself some time as you're addressing those issues. And that's okay, that's normal and it's expected. We're not made out of wood or metal. We're human beings and we need to be aware of those.

Speaker 2:

So what resources are out there? Therapists and counselors, there's a lot of them that are geared specifically toward law enforcement too. So if you are in law enforcement in the digital forensics field, they have like a unique ability to connect with the law enforcement employees, so you can always look for a therapist or counselor that has that. Employee assistance programs at work. Any of the digital forensic groups, conference sessions. A lot of times the conferences that are available will have actual sessions on mental health in digital forensics. Different podcasts and blogs that are available that relate to mental health. Self-care, whatever you choose. It could be reading, journaling or, like I said before, exercising, whatever it is that will help you with your own self-care. Connecting with peers, networking or just talking to somebody that you might feel safe with and not judged by.

Speaker 2:

Absolutely, absolutely. So. A few of those resources right in our field that come to mind one is in my state and it's NYLEAP. It stands for New York State Law Enforcement Assistance Program, so they're a nonprofit organization that provides support specifically to law enforcement professionals and their families. They address mental health and wellness needs of officers, particularly ones that have experienced trauma, stress or critical incidents, and it's all. It's all put on by Jim Banish. I had to think of his name there. He had a brother who was a New York State police officer and he committed suicide while on the job and he started this whole organization after the death of his brother.

Speaker 1:

Yes, it's a really tough motivation there, but making the best out of a tragedy, that's amazing.

Speaker 2:

Yeah, yep, he does a really good job with it.

Speaker 1:

That's great.

Speaker 2:

And then another one that comes to mind.

Speaker 2:

I don't know if anybody has ever heard of Eric Oldenburg, but he used to work for Griffeye and he's awesome.

Speaker 2:

Yeah, so he was a trainer at Griffeye, but he is really focused on mental health and digital forensics.

Speaker 2:

He's not with Griffeye or Magnet anymore, but he has a podcast. It's called Harmless the podcast and it focuses on the harsh realities of online child sexual exploitation. So it does have that child exploitation theme to it, has a really good way of, I think, kind of like just explaining the things that happened to him throughout his career and how they might happen to you and the types of things that you can do to kind of de-escalate those feelings inside of yourself. So if you get a chance to check out his podcast. And then another one that comes to mind is Debbie Garner, so she's actually an instructor for the Innocent Justice Foundation Shift Wellness Program. If you've ever heard of Shift Wellness, they focus on mental health in the digital forensics world as well them out, go check them out for you or for your team, and if you're a manager, you need to also be not only taking care of the cases and the hardware and the licensing and the environment that you're in.

Speaker 1:

If you have desks, chairs, that's fine, but the most important thing to take care of is your people, right? It's the folks that actually work with you and, as a manager, that should be your number one, number two, number three priority, and this is one way of showing that you care for your folks. So look into that.

Speaker 2:

Yeah, definitely. In the show notes too, I have a whole bunch of blogs that actually focus on mental health. Binary Hick has one, Forensic Focus, there's a ScienceDirect paper, Belkasoft has one, Magnet has one.

Speaker 1:

So I'll put all of those blogs in the show notes. Awesomeness, awesomeness. Yeah, right, so yeah, so we're good with the mental health and, again, I really like the fact that we cover more than CSAM, so that's important. So now let's get some lighter topics. So what do we have next?

Speaker 2:

Yeah, what's new with the LEAPPs?

Speaker 1:

Yeah, so I think Scott's still around, if he hasn't left on his plane.

Speaker 2:

He might be on the plane. Yeah, he might be flying.

Speaker 1:

So, Scott, his claim to well-deserved digital forensics fame is the Photos.sqlite queries that he does for iOS devices and, if you're not familiar with it, the Photos.sqlite database has a ton of information about all the images, media, that reside in these iOS devices. Okay, some of the most useful features of looking at this type of photo, not type, but this database, it's, for example, determining the provenance of media, provenance meaning where it came from. And I love it because you could see there, like, the media, and you can see the bundle ID that would generate it, some metadata about it, if that media has been altered in different ways or if it has been placed with another name at other locations, right? Because if you're not aware of it, iOS devices will show you, I don't want to say thumbnails, but renderings of images, and it will save it with different names in different places. Now, Photos.sqlite allows you to correlate all those file names and files to the original photo that those are rendered or derived from. I mean, there's a ton of information, it's a ton of queries. Some of these queries have thousands upon thousands of rows of pertinent information. So, oh, and another thing, these queries are different, can be different from one iOS version to another. So the query that works in iOS, whatever, 17 might not work in iOS, whatever, 18, whatever the number is.

Speaker 1:

So Scott has gone and done all that research for you. So, instead of you having to run each query by hand, and by hand I mean, okay, what iOS device do I have? Oh, iOS, whatever. Okay, take that database out. Look for the query. Open a SQLite browser tool, run the query. Look at the.

Speaker 1:

To avoid that, he coded that all in the LEAPPs, in iLEAPP, and it's a ton of work. And not only did he code that, and obviously with the LEAPPs, he takes into account the iOS version that you're having in your extraction. So you don't have to do that, just run it and you're good to go. He also made it Lava compliant and that means that whenever we release, as soon as we release, the Lava viewing, you know, program that we're working on, um, you will be able to look at all the Photos.sqlite within Lava, which is way faster than the HTML reports. And if you have a lot of data that crashes your browser, it's not going to crash Lava. Lava is made to be able to process large amounts of data, so I'm really looking forward to that amazing work that Scott is doing.

Speaker 2:

So I'm really looking forward to that amazing work that Scott is doing. It's gonna be awesome, definitely, and if you ever get a chance, just open and look at a few of those scripts that are, uh, Photos.sqlite. Oh my god, I don't know how he did all that.

Speaker 1:

That is a ton of work. It is, and look, that's his baby, that type of research, and so useful for the community. And he was in, you know, in contact with me and other developers, like Kevin, like Johan and all the folks that work on the LEAPPs and, uh, you know, I gave him a, uh, like a not even beta, like an alpha version of Lava, um, so he could kind of test some of those, because it's not really, it's a lot of work, it's a lot of scripts, and I love the fact that he shares that because you can also do your own validation. You find something important that's relevant running the tool, you can go at the precise script and really narrow down where the stuff is based on that open research that he has done.

Speaker 1:

So he's doing invaluable work, definitely, in a sense that we cannot quantify it, that's how much work he's doing with that. Um, also, not only has he been adding new stuff, there's, uh, some developer there. She still needs to do some work on her script, but she put out some script on some research lately. I don't know. You know who that is, Heather? I don't.

Speaker 2:

What are you talking about?

Speaker 1:

Yeah, yeah, the last commit that I approved the other day. Who was it? Oh yeah it was you? What did you do? Tell us what you do.

Speaker 2:

Well, I found a database in a case that is called Calculator, and then it has a little hashtag at the end of it. The application does and it stores data about videos that are in the calculator app. It's like it's just a calculator application, one of the many variations of it, and I wrote a script, but it's not Lava compliant yet. I have to fix it.

Speaker 1:

I know, I know.

Speaker 2:

That parses data from the database called FolderLock Advanced and it relates the information in the SQLite database to the videos that are stored and it links the videos in.

Speaker 1:

And that's what's fantastic. By the way, I love how you said it's calculator and the hashtag I'm like come on.

Speaker 2:

You're old enough, I'm sure you think phone sign yeah you're old enough.

Speaker 1:

Don't be playing like the TikTok person here.

Speaker 2:

I want to seem younger than I actually am. Don't give away my age.

Speaker 1:

Apparently. You definitely are trying to do that, but you're not getting away with it, Sorry.

Speaker 2:

I am only 25.

Speaker 1:

On each leg. So look, there's a ton of those apps. And that's the interesting thing about the type of tooling that is community-driven, right? I'm pretty sure and correct me if I'm wrong that this type of artifact is not for this app. It's not recognized by commercial tools, right?

Speaker 2:

No, it's not. I mean commercial tools will show you the images and videos there, which will then lead you to the database that has all of the additional information about the videos.

Speaker 1:

Yeah, but let's be honest here. Most examiners, they will maybe mark the picture and not follow through on that, right? Right, and the fact that we can create an artifact that actually puts a lot together for you, that's better. Right? It really helps with drilling down to the information immediately, as opposed to, well, what happened with this picture and then try to figure that out. If you figure it out like you did and you share with the community through the LEAPPs, then that's an added value to everybody else when they run it.

Speaker 1:

There's many of those. There's one that I constantly get folks either thanking us or asking about it and it's one of those kind of decryption apps and the LEAPPs support it and they pull out, you know, the evidence and the commercial tools don't support it yet. So there's always value in running your commercial tools and also there's value in running open source or community driven tools, even if they're not open source. At the end of the day, if there's something relevant, then you can drill down on it and after your process is done, you do your due diligence and then you check for anything that the tools, no matter what type of tool, has missed. That's the most important part. So commercial tools will get you stuff, open source tool will get you stuff, and then you have to go and make sure that nothing was missing by all those tools, because sometimes it's missed by every tool, that's just how it is. Definitely. So the only tool that's going to get it is you, because you are definitely.

Speaker 2:

I recently had something that had changed. So the database had updated, the application had updated, the commercial tools didn't get it and neither did the LEAPPs, but it's fixed now. Yeah, as long as you're the tool and not a tool, then you're doing good. Um, I got my dad jokes, right? Yeah, yeah, that's good. Is there anything else new with the LEAPPs this week or these last three weeks?

Speaker 1:

Johan is doing a lot of stuff behind the scenes and I try to pull out, pull, I don't know why I cannot get it, but the pull requests are open for the LEAPPs and I don't know, I'm getting like a 404 page or something, I don't know, but it don't matter. The thing is that again, I want to always give props to the folks that are working behind the scenes, all the developers for the LEAPPs. Johan has been such a right hand. He just about a couple of days ago made the latest iLEAPP release that has a lot of cool new features in it and fixing some bugs. He does an amazing job. And he's working also on the media portion of Lava, which is the last piece for us to kind of release a workable product to the community. But it's a hard, big piece of code because you have to do changes in the LEAPP code and also have correspondent changes on the Lava code. And him and all the other folks, way, way smarter, bigger brain than me.

Speaker 2:

Way bigger than me.

Speaker 1:

So I accept their assistance and I'm learning through them and they're making the community better.

Speaker 1:

So thanks to Johan, thanks to James also that do that type of work, and then also, last but not least, Kevin Derek and all the other folks that are working on the public facing side of branding, website, newslettering, communications and all the stuff that makes people aware of the tool, that's so important.

Speaker 1:

If a tree falls in the forest and there's nobody to hear it, doesn't make a sound, Heather, right? Well, I want to make sure that the LEAPP tree makes a lot of sound and people are aware and they can contribute and the community can grow and we can do good things together. So and look, and Kevin says, I promise to be back to making some parsers soon. Thank you, Kevin. I have been really lacking on that. I have so many speaking engagements lately that I've been lacking on making parsers or at least updating the ones to Lava compliance. So I also, for this year, I promise publicly that I'll be going back to writing some more code after I'm done with my two trips to Europe that I'm doing for some speaking engagements. I'll make that promise too.

Speaker 2:

But as soon as the white paper for our class for IACIS is done, then I'm good. Oh, then that's gonna be in 2026. No, no, no, it's almost there. It's almost there. We're going through corrections now, all right.

Speaker 1:

We're going through corrections now. All right?

Speaker 2:

No, that's awesome, that's awesome.

Speaker 1:

Yeah, all right. So, uh, that's always what we have to finish the show.

Speaker 2:

Meme of the week. All right, since we did the mental health portion, I have this meme of the week. Oh, this meme of the week. Oh, I did the whole screen, that's all right.

Speaker 1:

There we go.

Speaker 2:

All right, so go ahead, you explain it.

Speaker 1:

So it says lots of new cases coming in and panic. Right, we have a little head there that's panicking. Then management says to focus only on priority cases. Oof, then I'm calm. But then management says all cases are priority cases, and then they panic again, and it's a graphical, I kind of said it beforehand, not remembering what the meme of the week was, but it's a graphical way of saying look, um, if you're a manager, right, just flogging the horse won't make it go faster, like the horse can only go at a top speed, right.

Speaker 1:

If you slug it anymore, it's actually going to go slower, right? So let's make sure that, as managers, we prioritize properly, and prioritization doesn't mean make everything a priority. When you make everything a priority, nothing is a priority, okay. So we need to understand that if we have 10 balls in the air and that's how much we can handle you throw an 11 in. One of those is going to fall off. That's just a fact. The question is, which one are we going to consciously drop? And if you cannot drop them, then what's the solution? Then you need more ball jugglers, right? You?

Speaker 1:

hands definitely like like, at some point you can't have your cake. You need to make some decisions, and, uh, we want to advocate um, for the examiners, and and that management is make sure to give us our resources that we need, and and only as much work as we can handle. That goes back to the topic right, that our mental health is not impacted in the process, because if our mental health is impacted in that process, then all balls are going to be on the floor and nothing's going to be done. So let's keep that. I think that's a good takeaway from the meme of the week.

Speaker 2:

Definitely, and that's all I've got.

Speaker 1:

That's awesome. Well, Heather, thank you for being the driving force of the episode. Like every other episode, I'll keep us organized.

Speaker 2:

Oh you go.

Speaker 1:

Look, folks, I talk a lot, but this show is actually Heather's show. Oh stop, it's not. It is. So thank you for your work, as always. Any last words for the good of the order, Heather?

Speaker 2:

No, thank you so much for everybody who tuned in.

Speaker 1:

All right, folks. Thank you again. Hopefully we'll be back in two weeks or three. We're going to lose a little bit with the schedule there. See what's going on. Yeah, we're responsible, but thank you, it's been so much fun, folks, and take care and see you next time. Bye, thank you, we'll see you next time.
