
Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
DFN: 2nd Anniversary
We celebrate our two-year podcast anniversary and discuss the importance of thorough case preparation for CSAM cases, courtroom experience, and extracting evidence from iOS devices.
• SANS Difference Maker Awards open for nominations through September 15th across multiple categories
• AI debate webinar with Magnet Forensics scheduled for September 17th
• The Binary Hick's blogs reveal insights on iOS Search Party and Samsung's Rubin and Digital Wellbeing databases
• Discussion on properly preparing CSAM cases for trial with understanding of statutes and evidence requirements
• Brett Shavers' article highlights the importance of attending trials to understand courtroom proceedings
• iOS File Provider Storage in BFU extractions can reveal user-created images with metadata
• Updates to the LEAPPs tools, including CashApp parser improvements and a Snapchat returns parser
• New LAVA viewer coming soon for the LEAPPs project
Notes:
SANS Difference Makers Awards-
https://docs.google.com/forms/d/e/1FAIpQLSeLNMZm3r4c9WSKdNW8XaPh6KRXoS3C1WI51UtnEANe2osCpQ/viewform
AI Unpacked #5: The great AI debate with Digital Forensics Now-
https://www.magnetforensics.com/resources/ai-unpacked-5-the-great-ai-debate-with-digital-forensics-now/
The Binary Hick New Blogs-
https://thebinaryhick.blog/2025/08/19/further-observations-more-on-ios-search-party/
https://thebinaryhick.blog/2025/08/06/not-strange-bedfellows-samsungs-rubin-digital-wellbeing/
Monolith Notes-
https://www.monolithforensics.com/free-tools
Brett Shavers- Courtroom Trials Are the Final Exam for Your Work. Why Haven’t You Attended One?-
linkedin.com/in/brettshavers/recent-activity/all/
Speaker 1:Welcome to the Digital Forensics Now podcast. Today is Friday, August 29, 2025. My name is Alexis Brignoni, here inside my car, aka Briggs, and I'm accompanied by my co-host, the work-from-home examiner, the management master of disaster, the tester-in-chief, the one and only Heather Charpentier. The music is by Shane Ivers and can be found at silvermansound.com. Heather.
Speaker 2:Hello, work from home. I went, yeah, I mean.
Speaker 1:I'm not doing any work from home today. I'm being kind, you're just at home doing nothing.
Speaker 2:Pretty much.
Speaker 1:Look, look. I started having a room for the show, then I had a closet and now in my, in my car, I'm just it's going backwards I was gonna say have you been?
Speaker 2:have you been banished from the under the stairs cupboard?
Speaker 1:yeah, no, I mean, I'm gonna do the show under a bridge next time that I'm going to touch bottom right there.
Speaker 2:It looks good. I like the new office. It's got a lot of windows.
Speaker 1:Yeah, not the computer kind, just plain actual car windows, for the folks that are listening. Yeah, I'm doing it from the car. Today is an odd time for us to be doing the show, at 1 o'clock, but the schedule has been crazy and the evening is crazy and the evening last night was crazy, so we're doing it today. For example, Christian Peters in the chat, you know, he's very excited. He's, I think, well, it's way earlier.
Speaker 2:It's not bedtime. Yes, it's not bedtime, exactly.
Speaker 1:Hi Christian, at least the folks from other places that want to be live. They got a better chance of doing it at a more reasonable time.
Speaker 2:Yeah, definitely, definitely.
Speaker 1:So, Heather, what's going on? What's going on with you? Tell me.
Speaker 2:So last podcast we did the what's Been Going On and I didn't even mention that I'm now working for Hexordia as a trainer. I can't believe I forgot to mention it. So I'm working with the wonderful Jessica Hyde and her great, her great crew and we'll be training for some of her classes.
Speaker 1:Well, that's, that's fantastic. I, you know, we, we, we talked together for what? Two, three years now. So I like the cut of your jib, so it's pretty good. Folks are going to like the class because the content I haven't used any structure, so they're extraordinarily lucky to have you, so I'm really happy for that.
Speaker 2:Oh, I'm so excited, can't wait to start, not next week, the week after I start.
Speaker 1:So can't wait. Yeah, no for sure. And hopefully you can come in some of that referral money. Yeah, I'll just send it down to you. What's been going on with you. You don't need no referrals, You're worldwide known.
Speaker 2:Thanks.
Speaker 2:What's been going on with you the last few weeks?
Speaker 1:Not much. Before I tell you, Forensic Wizard, my good friend, is in the chat. Also Kevin, our right-hand man with the LEAPPs, and Johan is also here at an earlier time than usual, so good to see you here as well.
Speaker 2:He doesn't have to set his alarm and wake up in the middle of the night.
Speaker 1:Or just watch it in the morning when he wakes up. We're actually live. No, Johan's a good sport. He shows up even though it's really late over where he's at, so we appreciate it. Yeah so, yeah, so, um, a lot of work, uh, really busy, um, cases coming in. So, honestly, there's nothing really new. No trips, no nothing, just work, trying to survive, um, adjusting to the changes and looking forward to the future.
Speaker 2:Nice, very nice.
Speaker 1:Yeah.
Speaker 2:So we'll get right into our topics then for the day. So I can go back to working from home.
Speaker 1:Appearance of working. Yeah, let me tell you the fact that we have now a few folks in the chat. I'm surprised at this time, so I'm happy. Thanks everybody. Yeah, me too. Like it's one o'clock, I don't know everybody, nobody will show up, but um, I appreciate it, folks in their lunch hour just showing up. So thank you, yes thank you.
Speaker 2:So, uh, a few announcements. So first, uh, I don't know if everybody saw, or if you saw, uh, the SANS Difference Maker Awards is now open. So nominations are open now through Monday, September 15th, and there's quite a few categories for the SANS Difference Maker Awards: practitioner of the year, for three different categories, four different categories actually. They have a community champion of the year, rising star of the year, media creator of the year, which can include podcast, live stream or book, innovation of the year, company of the year, CISO of the year and lifetime achievement award. So if you know anybody who you want to nominate for any of those categories, that is open now and you can Google it or, I'm not going to keep that up, um, we'll have the link in the show notes for that. Are those all the categories now?
Speaker 1:is that? Yeah, yep yeah, because a few years back, uh, we won the open source tool of the year for the leaps, but I don't think that's a category anymore, I guess it's more directed at individuals as opposed to tooling organizations, I guess.
Speaker 2:Well, there's a company of the year. An innovation of the year. Maybe that would fit.
Speaker 1:Yeah, no, it's a good event. I don't know if they did it when I went. They did it in DC. I don't know if it's still there, and they have a nice dinner there and then they talk about the awards and they stream it. So it's a good event recognizing folks that put the work in. So, like you said, if you know somebody that would be encouraged by that recognition, then put them in. Yeah, absolutely. Let's see what happens.
Speaker 2:Yes, absolutely. So, another little announcement: Magnet Forensics is going to have a webinar airing on September 17th. It's going to be entitled AI Unpacked, number 5, the Great AI Debate with Digital Forensics Now. So Alexis and I are going to join Brandon Epstein from Magnet Forensics and we're going to have an AI debate. I know, last podcast I promised that there would be no AI this week or this next episode, but we do have to just give a quick announcement that that'll be coming out on September 17th.
Speaker 1:I think I've become the official AI curmudgeon. Is that the word? Curmudgeon? Is that the word? Yeah, I was a hater, but yeah, you know, hater is a strong word. It might still apply, it's still a strong word.
Speaker 2:So, uh, you know I thought I hated it and you have completely surpassed my hatred for AI. No, no, no, no, no.
Speaker 1:Look, look, not hate, let's call it skepticism. I'm the AI skeptic. Okay, it's a little bit better. Hey, look, I'm more than happy to be proven wrong. So so I hope I'm wrong. I don't think I am, but I don't think so either. Well, this is the thing. You see, since I'm the moderator, I'm already, you know, buying her in so she can be on my side in this debate. No, I'm kidding.
Speaker 1:The fact is that I believe skepticism is warranted for new technologies. I think we should all be a skeptic of new and old technologies in general, but no, I think it's important to also have two sides to the story. Right, we got the side that speaks to how good things are, how beneficial they are, but we got to also talk about, I believe, the risks that these tooling, new tools come with and the proper methods and procedures to effectuate the use of it, if it's wanted. So we have a debate on that. I don't think we're going to be that far off on this debate. I think we come from how can I say this? An understanding that new tooling is a good thing. So I think we both agree on that, but we'll see how things shake out. Yeah, hopefully we're planning and we'll see what, how we can plan this with Brandon to also maybe do a revisit in a longer time format.
Speaker 1:So we can go into more depth because this type of episodes with magnet tend to be a little bit more shorter based on the format. So stay tuned, you might have a second go around with a bit more time to go into more details.
Speaker 2:Yeah, and everybody can register for that now on the magnet website too. So just go sign up, and the webinar again will be September 17th, and there you just got your little bit of ai in. That's it. I will find a way to put.
Speaker 1:I will find a way to complain and be more skeptical about ai somewhere in the show. I don't know where I'll find a way oh, I know you will.
Speaker 2:Um, let's see. So, blogs. There's a couple of new blogs out by the Binary Hick, Josh Hickman, fairly new entries that he has. So the first one is called Further Observations: More on iOS Search Party, and Josh takes a look into how iOS was keeping tabs on what Find My compatible devices it was seeing in the wild. He investigates and performs testing in that blog on files found in the com.apple.icloud.searchpartyd location and specifically he talks about his testing related to the observations database. The research reveals that retention time for that data is likely around 24 hours, so more reason to get your extraction ASAP. But it confirms that iOS devices are keeping track of all of the Find My compatible devices that they see, a lot like the way Android does it, and it gives examiners another source of location data on iOS. Who doesn't love some additional sources of location data?
Speaker 1:Yeah, and a good thing about the article is that he goes into the process of how he was able to get to it. There's encryption involved and he kind of briefly explains, you know, where the IV is, or the initialization vectors or the salts that you need for the passwords or the passcodes, and then the keychain gets involved. That's where the actual key is, right, and then what type of encryption this database uses. I don't think there is an automated way of doing it right now. That's something that, you know, I know Kevin is in the chat, we need to converse a little bit about how we can implement that. In theory it shouldn't be that bad, since Josh already gave us all the pieces that we need, right, to do it. It's just sitting down and doing it. It's just, you know, we always lack time. I'm talking about Kevin. Uh, he made a comment. See, I'm going to bring it again. You gotta do it. Talking about.
Speaker 1:I guess, referring back to the previous topic about the debate, it's going to be like Gemini versus ChatGPT versus Claude and I'm like, no, I think it's going to be more of an AI in our field, versus me being a skeptic about AI in our field. It's going to be, I guess, more of a broader discussion. But yeah, this whole Gemini was a chat gbt versus claude. That's a whole nother story for another episode yeah, um.
Speaker 2:so josh hickman binary hick had another blog recently too, um, and it's titled not strange fed fellow samsung rubin and digital well-being.
Speaker 2:So this one is kind of like a public service announcement for all examiners that have relied in the past on data from Samsung's Rubin and Digital Wellbeing. If you don't know what those databases are, they're the device pattern of life databases for a Samsung device, so kind of just the pattern of how the device user is using that device. It covers some strange behavior that people have seen related to those databases. I know I've seen a little bit of strange behavior related to those databases and other people have called into Josh asking if he knew about it. So he went and examined it, tried to figure out why the strange behavior was happening. So if you encounter a phone using both Rubin and the digital well-being, the two items need to be examined together in order to get the full picture of what's happening on the device. He specifically talks in the blog about device unlocks and odd behavior related to boots of the device. So check that, check out that blog and make sure you're looking at those two databases together so you're not missing important data related to your case.
Speaker 1:And these blogs are great. I would have assumed that if you have a Samsung phone, it will be only Rubin, right? You know, I had no idea that you could actually use both, and I think there were particular entries, I think it's device locked or unlocked, I don't remember which, that are going to show up in one of the data stores but not in the other one. Yep, which, again, the device being unlocked being part of your case, of course. So you definitely have to look into those, and I appreciate folks like Josh that put this research out, because some of these things I would have never thought of if he hadn't done that testing. So that's pretty awesome.
Speaker 2:Absolutely, yeah, it is the unlocks that you're talking about. So in the Samsung, yeah, it's traditionally in Digital Wellbeing, and in the Samsung it's pushed over to Rubin, the device unlocks.
Speaker 1:Yeah, I think Rubin is also encrypted, but tooling nowadays is able to encrypt that and make it accessible to you.
Speaker 2:Yes, I love the Samsung Rubin stuff because it also has some really good location data in it, and when the key store wasn't being pulled for a very short period of time by tools and I couldn't get that data, I needed it, and this is another reason why we need to have all of that data. Absolutely, yeah. So, a little tool that I saw recently people were posting about on LinkedIn from Monolith. So Monolith Notes is a free tool that Monolith has right on their website. You just have to put your email address in and they'll email you an executable for their free note-taking tool. I'm just going to pop it up on the screen here, let's see. If you don't know what Monolith is, they have, like, case management software. I have not gotten a chance to use their case management software. Have you, Alex?
Speaker 1:I have not. I have not.
Speaker 2:Yeah. So I hear really, really good things about their case management software. So if anybody gets a chance at a demo or sees them at a conference, definitely check that out. But they do have this really simple, neat little note-taking tool that is free. So it opens there and you can hit new case, put in all of your case information. I'm just going to put some stuff in here. Let's see, see if I can. There we go, and then once you open your case you can click on new note, title your note, so we'll call it case notes. And once you have a title for your note, there's this free-form text box here where you can just start taking your notes.
Speaker 2:Once you do that, there's an option to export the current note and it'll export that note as a PDF, and let me just pull it up. Yeah, I'm just going to pull up, I created a PDF from a little test note here that I created, so let me pop it up to the screen here, if I can. Of course, I am terrible with the sharing of the screens.
Speaker 1:There we go. It's only been two years on the show. I can't. I can't do it.
Speaker 2:I can't. I know it's terrible. So there it is. It just literally creates a little PDF with I had titled my note, names and numbers, and then I have the wizard of Oz people here with their phone numbers, and if you put in a new note in the same case, it'll just have another note page. So check that out. It's really cool, really easy to use, simple, especially if you're a smaller department and maybe you don't have note-taking capabilities or note-taking software in your office. I know that I am queen of the sticky notes. This may be an option to use instead of the sticky notes.
Speaker 1:Yeah, yeah, I think that's, yeah. Here's for discovery: I have a page, you know, with three by three sticky notes.
Speaker 2:So I do. I scan them all in. I've tried to get away from that, though, oh my gosh.
Speaker 1:I would have put that in the intro.
Speaker 2:Yeah, no, seriously, it's like a joke in the office, because you come into my office, there are sticky notes everywhere, so this little note taking app is very helpful.
Speaker 1:Somebody will start using it now.
Speaker 2:Yeah, oh, I've been, yes, I've been trying it out, definitely.
Speaker 1:I do my notes by hand also, but I have like a form with little boxes that I write stuff in. But, um, definitely typing them up is so much better. Also, to again export them out and be able to give them out looks way more professional, so maybe I should try to type them out instead of just having a form that I scribble my notes in. Well, now you have a little tool you can try out for that. I just like the price, you know. Oh, I like the price too.
Speaker 2:It's a good price, yeah, um. So what else do we have? Uh, some recent chatter on LinkedIn I wanted to bring up. So, uh, Patrick Siewert, uh, he is on LinkedIn and he recently had a post, uh, about CSAM cases and he asked a whole bunch of really good questions: when's the last time you took a CSAM case to trial?
Speaker 2:And he said in his experience they don't go to trial very often, and his very recent experience with a CSAM trial in Virginia suggested that the investigation and preparation for the trial were seriously lacking. He, in his post, attributes that to the fact that, you know, the CSAM case doesn't usually go to trial. So do we need to fully investigate? Do we need to fully prepare? The answer is always yes to those questions, but he's saying he's seeing CSAM cases weekly that should not be prosecuted due to lack of concrete provable evidence.
Speaker 2:And my thoughts on that are the concrete provable evidence is probably there, but did we do a good enough job creating a presentable report for court to show that concrete provable evidence? I think of conversations I've had with people in the past where they're like oh well, I just need those 10 images, I don't need anything else, I just need the 10 images and you can't fully prosecute a CSAM case just based off of 10 images with no context to those images and no further artifacts that show how they got there, where they went, who interacted with them. What do you think?
Speaker 1:Well, look, I mean, like always, and we always, this is to be a given, but we're going to say it again: the opinions expressed here are ours and only ours, and don't reflect our employers or workplaces or any organizations we're affiliated with. Now, that being said, right, I don't believe that the prosecutors and the investigators go to trial thinking they don't have what they need. That doesn't mean they have it. But I cannot attribute malice or just say, well, since this case is always pleading, the next one's going to plead, therefore I'm not going to prepare. I don't think that's what's really happening.
Speaker 1:My take, or my perception, is that a lot of people are working these cases and, since they haven't gone to trial as much, they haven't been put to the test in regards to how they are running these cases and the knowledge they have about the violations of law that they're working. For example, and I'll make one up, it just came into my head, let's say the investigator is looking at somebody that had CSAM on a mobile device. If you have it, you possess it, and you're like, well, it's your phone, you have the code and you had it, therefore you possessed it. Go to jail. And, you know, what is it in Monopoly? You don't collect 20 and go to jail, something like that. All right, yeah, all right, do not pass go. Do not pass go, okay, all right.
Speaker 1:Well, if you look at the, again, again, this is an example I'm making up. But imagine your different jurisdictions. In some jurisdictions, the possession violation or charge, the statute might require for the person to be able to say that he possessed it. He had to have knowingly possessed it. Well, what does knowingly mean, right? During the investigation, were there statements that the person knew that was there? Because it might've been by accident, it might've been other situations, right? And do we, as investigators, have the knowledge? You say, well, that's on the prosecutor. Well, is it, though? Right? And remember, the prosecutors sometimes work off of what we tell them as investigators, right? So I need, as an investigator, to have a clear understanding of what the statutes are and how they're applicable as I'm doing my investigation. And if I don't have that, because I came into the unit and the senior agent or senior detective is just telling me, oh, this is how we do it, and you do it how they do it, then that gap expands, that knowledge gap expands, and I don't think people are thinking to do anything wrong.
Speaker 2:Oh, I don't either.
Speaker 1:Yeah, I think again, Patrick's post still has a good point, right? Yes, we need to be better prepared, we need to actually know our statutes, we need to know the technology behind it. Just because you found the pictures using a UFDR, a portable case, well, that's not enough, right? Because you can say, well, the pictures were not taken with the phone because, let's say, it's a picture of CSAM that I know from a previous series that exists, right, so therefore they were received. That's a charge. Well, are you aware that receipt requires you to actually show from where they were received? Yes, right.
Speaker 2:Right, exactly.
Speaker 1:Just because their phone didn't take them, because you've seen them somewhere else, doesn't mean that you can now, just by that fact, well, it sounds logical in your head, but that's not what the statute requires. You need to actually show the distinct way this got from point A to point B. Are you looking into that in your case or are you just hoping that the person pleads out? Right, but again, not with malice. I think the investigators sometimes don't understand at that level of detail what the statute requires versus what the forensics might show. Which speaks, and I'm getting on my soapbox here, which speaks to, if you're working these cases, actually if you work on any sort of cases and you've got an element that does use forensics in your unit or in your organization, you need to talk to them. You need to brief them on your case, explain what your theory of the investigation, your theory of the case, is, right.
Speaker 1:I am not going to get that by looking at your case file. The case file is full of facts. It's just facts, what we found, that's it. But facts by themselves don't tell me the story. You need to explain to me what the theory of the case is, and I can tell you, then, how forensics either supports or doesn't support that theory of the case, because the theory of the case could be wrong.
Speaker 1:Maybe you're thinking this person is guilty and it's not. Or maybe you're thinking it's innocent and it happens to be guilty, right. We might think this person is the actual victim, which has happened in cases that I've worked, and then we figure out the person was not a victim. It was actually involved in the, you know, for lack of a better word, conspiracy of the crime, right? So we have to have a really open mind in regards to that. Leave all those presuppositions to the wayside. Be biased in favor of truth, we said this before, but know your violations, know your statutes, make sure you interface with your examiner, make sure you're with your prosecutor and we give him or her all the information that we have to make those very decisions. And, you know, there's a lot of personal issues there, right? You can have a, you know, crusty old prosecutor that thinks he knows everything and he's not aware how technology has changed in the last 15 years, and that's a challenge.
Speaker 1:Or you have the brand new prosecutor that's brand spanking new, out of law degree college, just passed the bar and has no idea of the intricacies of working on CSAM cases and the multiple violations and the expertise. So you, as an investigator, have to bridge those gaps, those personal issues, personality issues, technological issues, law issues, and I don't know, and I don't know, I don't know. That's something that I guess our training programs should really start dialing in a little bit more of that. Hey, you're working this type of violations as a detective, this is what you need to know. I don't know if that makes sense.
Speaker 2:No, I absolutely agree. So I mean the post where it said, I said, preparation for trial is seriously lacking. I'm also not saying that it is done intentionally or with malice, obviously. I think sometimes newer analysts or newer investigators that are working in digital forensics also may not be aware yet of what they need to actually go to trial. Maybe they haven't gone to a trial at all. This will be their first trial and they just don't know what they need to adequately testify. But you're right, the only way that we can all be on the same page with that would be through training and knowledge.
Speaker 1:100%, a hundred percent, yeah. And trials, I've gone to a few. Well, gone, I testified in quite a few trials, and I think that the next topic is going to speak a little bit more about that, so I don't want to get into it, but you gotta, let me put it this way. Of course, we've got to prepare for trials, right, and like Brett Shavers says in the next point, next section, that's a test for you, but imagine there's no trials. Imagine that didn't exist. It don't matter.
Speaker 1:We have to have this conviction that we are doing the best job that any human being could possibly do. Right, that we're looking for the evidence and the truth and an understanding of what we're trying to prove or disprove, because we forget about disproving. The act of proving is just the other side of the coin of disproof. Right, it's one coin that has two sides, right, and we need to be aware of that and act and think in that way. If I'm finding that there's a gap in my knowledge where I am not able to effectively come to a certain conclusion, that means I need to up my game. That means I need to reach out to folks that have been doing it longer, have some peer review on my reports, or talk to investigators that have been doing this longer.
Speaker 1:If you have, in some offices, at these federal offices, for example, there's prosecutors that have a lot of experience working on CSAM cases, that they're managing some of those Safe Project, South Project, Safe Childhood projects, there we go, Project Safe Childhood, there we go, I said it right, now, that manage that program. It's a DOJ program, right, that is focused on protecting children. Reach out to your point of contact there and, hey, look, these are the facts of my case, and there are resources that you can use at the state, federal and local level to make sure you have the strongest case possible, because, we said it before on the show, there's no other violations, at least from our perspective, and I'm going to speak for both of us.
Speaker 1:I know you will agree, that are more important than protecting women and children. That's just how it is, right. The most vulnerable elements of society. Um, we should be on it and take it with the seriousness and the importance that it has. There's no other bigger priority than protecting those that are vulnerable, and that's our mission, and that's what we do, and we need to do it right.
Speaker 2:Definitely agree. So you kind of already started talking about Brett Shavers' most recent article. So it is Courtroom Trials Are the Final Exam for Your Work. Why Haven't You Attended One? His article talks about digital forensics and evidence professionals often lacking exposure to courtroom settings, even though trials are the true test, you know, and presentation of your work. So observing courtroom proceedings helps us understand how evidence is challenged, admitted or excluded, and shows the importance of clear documentation, chain of custody and communication. So the overall theme of Brett's article is he's encouraging people to attend trials or hearings, not just when required, but to build that confidence to improve your practice. And he says even a single day in court can transform how someone prepares and presents their evidence, making their work more reliable and defensible. So I could not agree with this more.
Speaker 2:When I first started working in this field my very first trial it wasn't my first time in a courtroom because I was a probation officer prior to doing digital forensics, but it was my very first time testifying to the work that I was about to present and I went without ever having witnessed anybody else testify in that manner and I think I did OK. Could I have done better? Certainly it was my very first trial. But had I had that opportunity to go and watch some of the people in the office who'd been testifying for quite some time, I think I would have done things quite a bit differently and I would have known what was coming next. Because that was probably the worst part of it for me is I had no idea where we were going next. What was going to be the next question?
Speaker 2:Um, there was actually, my very first trial, uh, an objection to something I said, uh, where they wanted to get, uh, my entire phone tossed out. Um, and I had no idea what I was supposed to do during that part of the trial. Do I sit there and listen? Am I supposed to speak? So getting that courtroom exposure is so, so, super important. New employees that come into my office I take to conferences, to hearings, to trials. We watch some of the more seasoned examiners. We watch some of the newer examiners, maybe it's their first time testifying, and then afterwards, the following day or if we have time that day, we'll have like an after-action meeting where we talk about what they think they did good, what they think they could improve upon, and it helps those new people understand, but it also provides that constructive criticism for the person who was just on the stand. I think that that is so beneficial to somebody new, and I wish that had been available when I first started.
Speaker 1:Well, and new people, and people that are not so new. For example, there might be folks that they come to work and they are working a violation. That's not one where you take people to jail too often, right? Let's say you're working some intelligence cases. Well, you're not going to be placing a lot of people in jail and do that for many years, and then you move to a unit that's working safe streets, which is what that means is we're working cases with the locals trying to bust drug rings. You know, out on the street, get drugs off the street. Well, you're going to be doing a lot of arrests, most likely, right? So now what? So what that means is that you need to, as an investigator, no matter what you're doing, have that as part of your process in your mind.
Speaker 1:Something as simple as going with some other agents that are testifying to the local courthouse from your district or your division, wherever you're at, only just sitting in the room helps, because the moment you sit in that room yourself, you are familiar with the place where people sit. The defense goes here, the prosecution goes there. That's the testimony box. This is where the transcriber person goes, the judge sits over here, the jury goes over there and you get a feel for the room and that keeps your nerves down because you're not walking into this unknown space. I'm familiar with the space, I know the protocols and procedures for that courthouse. When the judge comes out we all stand up and then we all sit down when we're told to sit down. You get familiar with that and that helps keep those nerves down, because you're nervous because it's an unknown environment. Then make it known. And part of the process isn't only going to the courthouse. Some things that I do:
Speaker 1:I read a lot of books about debating, not because I'm going to debate at court. You don't want to do that. You're not to debate, you're to testify. But the act of understanding how to present ideas clearly will help you. When you testify you can have the best examination in the world and if you cannot convey the conclusions in a way that's understandable to the jury and credible, that the jury will believe that you know what you're talking about, you can lose the case. And we talked about this, Heather and myself, in the past, where great cases that we believe should have gone one way for a lack of presentation go another way, and only a lack of presentation, a lack of clarity on your credentials.
Speaker 1:Don't put stuff in your documentation about your resumes that will make you look good if you cannot back it up. Does that make sense? Yeah, oh, definitely. Going to court is not only how you prepare your documentation and how you show your evidence. It's also about how you present yourself. And you know people take their resumes and, you know, at some point we embellish them a little bit because we want to get hired for a job or whatever.
Speaker 1:Courthouse. There's no embellishment. You're not there to get a job. All right, your resume has to accurately reflect what you did. Your experience has to actually reflect things you have done. All right, the certifications have to actually reflect things that you have acquired and maintained. If you maintain them and if you don't, you don't make that clear. Does that make sense? So it involves a whole bunch of things that also translate to other parts of your job, because if you make an effort to know your environment, you make an effort to understand how to present things clearly.
Speaker 1:You read books about debating, read books about public speaking. Right, that will filter out to the rest of your life. It's not only in the courthouse. You'll be better when you talk to your manager, to your squad when you're presenting things, or you'll be better when you do a presentation to the community. You'll be better whenever you like. In my case, I hope to retire at some point and go and work for a private sector, make my own company, I don't know, but you will have some skills that you build out through your career that will help you and it will help you overall. So I guess I can't explain that. Expand the concept that whatever things that you do in preparation for court, they're also preparation for life, and we forget about those. We're too busy looking at Instagram in the afternoon to actually spend a few minutes. Why are you laughing?
Speaker 2:Yeah, I am, I am, I'm addicted.
Speaker 1:TikTok. Yeah, we spent. Some people spend time on TikTok. They could have spent on something else, learning how to present things in a better way. Look, I'm saying that because that person is me.
Speaker 2:There's like cute little animals dressed in jeans and outfits and stuff. Stop.
Speaker 1:Yeah, there's AI babies that need to tell you something. No, but Brett's point is great, and please, go, even if you're not testifying, go and watch other people testify, watch trials on YouTube and then see how they went, what's good, what's bad. Take what's good and whatnot. Even watch other sections.
Speaker 2:So I took a group of newer examiners one time to go watch one of our analysts testify and she didn't end up getting on that day. But you know who else testified? DNA, firearms and a couple of the ME, and they got to sit through that. They'd never seen anything like that or that type of testimony either. So if you can't get in to see one of your examiners, just go watch a trial, any trial.
Speaker 1:The rigor, the rigor that the folks that do DNA, they do ballistics, they do all the other fields, that rigor is so impressive. That's the rigor of work that we need to have as well in our field, that we should emulate. Like you said, just because they're not doing forensics in computers doesn't mean there's nothing for you to learn from them.
Speaker 2:There's a lot you can learn from them.
Speaker 1:So that's a great point. How they do their presentation and the detail and the rigor in which they do their presentation are worthwhile watching, even if it's not about computers or phones.
Speaker 2:Definitely, definitely. So we have a question. So have you ever gone through a Daubert, and do you think a Daubert is the same for a criminal defense expert and a prosecution expert? I've actually never sat for a Daubert hearing. I don't know if you have, but I have not. I've watched them. So specifically there were Daubert hearings in that Karen Read trial that was all the buzz not too long ago. I think they questioned the criminal defense experts just as they did the prosecution experts in that. But that's kind of my only real experience, is just what I've seen. I haven't actually gone through that process.
Speaker 1:Yeah, I've gone through it a couple of times, but for me it was fairly easy. It was more of my qualifications and there was no contesting the qualifications. Where it gets complicated is when the sides are contesting something specific about the person or the process, the procedure that the examiner or the scientist used for something. That's where it gets dicey, because I think again, these are my opinions. Look, it's an old commercial that said, you know, I'm not a doctor, but I stayed at a Holiday Inn last night.
Speaker 1:It's a really old commercial. People that are as old as me will know the reference. So yeah, I stayed at a Holiday Inn last night. I'm no lawyer. But what you see is that there's an issue with the process, because Daubert is not only about the qualification of the expert, it's also about the methodology, how the work is being done, right, and you can look that up. In the rules of, you know, federal criminal procedure they state clearly: is this process accepted in the field? What was the error rate? Is it replicable? Could it be done again? Those get somewhat dicey but, like Heather says, it could apply to both sides, right, both defense and prosecution.
Speaker 1:Absolutely, there's something that needs to be questioned. For me it's been, like I said, pretty easy. It was more of my qualifications, just presented. The judge agreed that I was an expert, same with the expert of the defense and, at the end of the day, judges, my opinion is that they defer a lot to the judgment of the jury.
Speaker 1:So if something might be, it's not super clear cut that it's not scientific or whatever it is, then the jury will make the decision what's true or not. That is my opinion, of course, my opinion for what it's worth. All right, I'm not talking in the name of anybody else. That's what I've seen, that the judges will listen. If they don't see anything glaringly, obviously wrong, then they'll let the jury decide what the truth is. Sometimes for me, some of those decisions I might have as a citizen with knowledge in my field, I might have gone on one side of the opinion or the other side of the opinion. But the judges have the legal knowledge to determine when it's appropriate to put something in front of the jury and when something is not worthy of putting in front of the jury. And that's the judge's discretion, based on their training, their legal experience and their authority, and that's respected and we go by what the judges and the jurors say and that's the final word.
Speaker 2:Absolutely. So, before we end that, just go to a courtroom and sit for a trial, sit for some of the hearings, sit for whatever you can. It will greatly help you in the future. Absolutely.
Speaker 1:There's one follow-up question and then we'll move to the topic. Sure, Josh is also asking, well, what if they ask you about error rates, for example, and metadata? What do you say? Well, again, that speaks to how well do you know your field? Right, if I'm going to use a method, right, that's a black box that I cannot explain how the outputs, or I couldn't verify the outputs, I'm going to be in trouble, right? And imagine, imagine that you take some AI, ask it a question, you take the answer and give it to the court. Well, what about the error rate of the AI? I don't know, I just had the AI tell me the answer. Oh, you're going to be in trouble, right? So I guess what I'm saying with that is whatever your procedure is that you're going to use, you got to understand how good or how bad it is. With metadata, it's a process that's so well-known, right, that's been verified a lot.
Speaker 2:I don't know if I... do I have you still, Heather? Yes, I think I'm losing my internet here.
Speaker 1:Oh no, I got you. I can still hear you. Okay, perfect. And so, again, you really have to understand what process are you using, right, and what are they trying to tell you with that, right? And again, a process where it's hard to calculate error rates, well, you need to think about that. Maybe you want to use another process to get to your answer, a process that has a better track record, that's more in use with the field and that you, the examiner, understand, all right, and you go with that. So your preparation, how you run your cases, just taking shortcuts might get you there faster, but then it's going to bring you back to the beginning if you don't understand what you just did. Does that sound good to you, Heather? What do you think?
Speaker 2:It does, and I'm going to call out Josh in our comments for helping you get more AI into this episode, when it was supposed to be AI-free.
Speaker 1:I told you I was going to try. I was going to try.
Speaker 2:I know. You're being quite successful at it. I have to put one other comment up. Yeah, so this is my coworker. Kevin Selhoff says that's why I like to get arrested regularly, so I can get courtroom experience.
Speaker 1:That's great. That's great, Kevin, yeah, yeah. Of all the places I could sit at court, the defendant's table is the one I don't want to be sitting at.
Speaker 2:Yeah, me either. I try to avoid that. Kevin tries to avoid it as well. Yeah, no, oh boy, he's at work watching this, I bet. So yeah, I just want to throw a little dig into Kevin. I'm not at work. Ha, ha, ha.
Speaker 1:Well, he's working and listening, so we appreciate you man. Thanks for the joke. I'm going to assume it's a joke, okay.
Speaker 2:Oh, it better be. It better be, right. So, Artifact of the Week. Been doing the Artifact of the Week.
Speaker 2:So my question to everybody is, are you getting those BFU extractions? If your phone is in a before first unlock status, is it worth getting that before first unlock partial file system extraction? I say yes. The reason I say yes: could there actually be illicit images and videos in a BFU that relate to the device user? I used to say probably not, because the BFU really didn't have the capability of getting through the security mechanisms to reach, like, it doesn't have the capability to reach the DCIM folder or the third-party app folders. But there's some other locations in these devices that a BFU is able to interact with and pull images and videos that may be related to the device user. So I'm going to just throw a quick little PowerPoint up here because it's easier than me trying to work with these sharing screens.
Speaker 2:But have you ever heard of File Provider Storage? So I hadn't, until I did a BFU on one of my test phones and I saw images and videos that I had actually taken with my test device in this file path. So File Provider Storage is another source of user data in a BFU extraction, and the way Apple explains it is iOS.
Speaker 2:File Provider Storage is a feature introduced in iOS 11 that allows third-party apps to interact with files stored on the device or in cloud-based storage devices. The feature enables apps to present a unified view of files from multiple sources, such as iCloud Drive, Dropbox, Google Drive and OneDrive, and allows users to manage and interact with those files directly within the app. So why is this good for the BFU? This is good for the BFU because that File Provider Storage will show you these images and videos with the metadata. So all of the images and videos from my test data were showing that they were taken with the iPhone 7. And that's the test phone I used. And that file path actually also contains a trash folder. So I haven't quite figured out what the trash folder means to the potential to get user images and videos and the potential to maybe, in your CSAM cases, have those illicit images and videos, access to them.
Speaker 1:And depending on the, again, this is a section of the iOS workings that we do more research on, as Heather said. But I've seen in other cases where the file provider, there's a little field called metadata and if you go and look into it you will find additional information about that file. In one of those I found a URL and that URL we visited, you know, on an online un-attributed device, law enforcement computer, and we found a copy of that CSAM, that image, which stands to reason. That's the possible origin. Then later we were able to look at some other artifacts because we had a full file system at that point. But we were able to then look at some other artifacts and correlate them with that image. It's coming from the link on the website. But the main point is that there might be some good evidence and we're thinking, well, BFUs, there's nothing there, it's trash. No, there might be some evidence there that might be useful for your CSAM cases and we want to make you aware that this is one of those locations.
Speaker 1:Same thing with, I was talking with Heather, the photo picker functionality of an iOS device. Whenever you go into any app and you're going to select that picture, let me give you a background for the folks. Back in the day, when you went to share a picture with an app, the app would have access to all your pictures, like the whole album, right? Well, the photo picker functionality now segregates that. The photo picker will only send the pictures you want to the app and nothing more. Apps don't have full access to your albums and your pictures anymore. That's why it's called PhotoPicker.
Speaker 1:But the moment you select PhotoPicker, certain copies of those images get placed in these different directories within PhotoPicker itself and some of them might remain, some of them might be shown in different extractions. So start opening your mind and start understanding. Well, what's the photo picker functionality for? What's that file storage that we're talking about functionality for? Where have I seen it? And do more testing, and this is something that as a community we should all be involved in, not just wait for Heather to do it and then say, well, Heather said. No, get some test phones, try it yourself, do some BFU extractions and see what you can get, what you don't get, and help us kind of figure out. And verification of that data and then validation of the process that Apple uses, so we can take that and make proper conclusions from those.
Speaker 2:Yeah, I actually bring this up because it just came up. One of my co-workers, one of the analysts in my office, saw stuff in a File Provider Storage and was like, how is this in a BFU? And so, and potentially may never get the full file system extraction. Had he not gotten the BFU extraction because, ah, there's nothing in those, or had he not even reviewed the BFU extraction, he may never know that that evidence lies right there in that partial file system.
Speaker 1:That's amazing.
Speaker 2:Yeah, there's another thing too. Recently we saw in a BFU, so I don't know if everybody's aware of Scott Koenig, the Forensic Scooter, and his wonderful work on the iOS Photos.sqlite. So recently I've seen in some of the test BFU extractions some of the Shared with You syndication photo library related images and videos. That's also gonna be actual user images and videos. The only downside to those being in the BFU is you don't have access to the Photos.sqlite database in the BFU, so it's kind of hard to trace the origination of the photos or know which apps they came from. But it's still good evidence if the images and videos are there. I mean, what if you have the video of the homicide? Do we really at that point need to know which app it came from in the Photos.sqlite? We've got the act being committed. So I mean, just don't discount those BFU extractions. Absolutely.
Speaker 1:No, I don't know. That's, yep, and this feels cyclical, right. We have access, then they cut off the access, the vendors, and then we're back to logical BFUs, but then we get the access. So we need to be really proficient in trying to squeeze as much data out of whatever extraction that we want or that we have. So, yeah, don't disregard it. Always do your, again, your due diligence. Be a property. Make sure that you do a good job. And attention to detail. So three most important things.
Speaker 2:So what's new with the LEAPPs we have this week? So I'm going to call myself out first and you can talk about the new parsers, but I'm going to call myself out because I've been saying that I was going to record and put up an instructional video related to Lava and its functionality. Lava is going to be the new viewer for the LEAPPs and I'm going to make that promise today that I will get it by the end of the week. And if I tell everybody on here, then I have to do it. I keep putting it off, I get too busy or something comes up. So look forward to that instructional video so you guys can get a look at Lava and how it's going to work with the LEAPPs in the future, because it's going to be probably coming out pretty soon.
Speaker 1:So, and I also have a video already of how to make artifacts Lava compliant, and then Heather's going to really showcase the viewer and all the different things that we're putting into it. Well, "we" is a lot of people. There's a lot: Johan and Kevin and James, but not me. I'm not touching the Lava code.
Speaker 2:Johan says, we will remind you. Thank you, Johan, thank you. That's what I need.
Speaker 1:Other new things with the LEAPPs. What do you got? Yeah, so. So somebody had a CashApp situation where the applications were not showing us the stuff and, let me step back, we had a parser in the LEAPPs, but the parser needed updating. And looking at the parser, the way it was extracting the data, there was a better way of doing it. So I took the opportunity for the request and then remade it, refactored it, and it's working really good now. So it is interesting. It's interesting because it's a SQL database, right? Correct me if I'm wrong, Heather, it is, and inside the database it has Protobuf in it, right?
Speaker 2:It does. And inside the.
Speaker 1:Protobuf there's JSON.
Speaker 2:Yes, yes, yep, so I can see it and I'm like, okay, I need the data that is inside the database, inside the Protobuf, inside the JSON, and I know I can get it out of the SQLite database. But I called in reinforcements for the additional nested data. It wasn't too hard.
Speaker 1:It's just that the previous Say what.
Speaker 2:No, no, you're good.
Speaker 1:Oh yeah, so it wasn't that hard to get out, as long as you understand what Protobuf is, what JSON is, what SQLite is. And our previous parser was doing some casting that I didn't like, so we just fixed it. It's working really good, so I'm happy that it does. Everybody can benefit from that. So that's the CashApp. Very nice. And then I did one for our LEAPP for the returns.
Speaker 1:Snapchat changed the format of their returns, so I did one for the conversation with Snapchat. I also made it Lava compliant, which is pretty convenient. Usually on this, and correct me if I'm wrong, tell me about your experience, but for me the main two ones are the conversations and the memories when they get those returns. I don't have sample data of the memories, so I'm waiting for someone to tell me, hey, I got some data I can share with you, and then, with that, when I have some examples, then I can actually update it. But for now I can only update conversations, as that's the data that I had on hand for the latest return. So that's done. So that's pretty good. Nice.
Speaker 1:And then there's a couple more things that have been merged about applicationState.db and showing some metadata about application usage in iOS. I haven't had time to run it and test it, but I know it's been merged because Kevin and some of the folks on the team also are able to do testing and merge as needed. So it doesn't have to be only me, thank goodness. So we've got capable people checking those out. So I've got to test it myself and see what other new data points that artifact has.
Speaker 1:But it's for the applicationState.db. Really useful. It is the main way of understanding what applications are installed on the device. It maps the bundle ID or the name of the application with the folder directory where the application lives. It also tells you what the app is and what the sandbox is, but this parser adds additional information from that database that we don't have right now. So that's pretty cool.
Speaker 2:Nice, I have to test that out too.
Speaker 1:And Lava is still going. Yeah, yeah, no, I had to run it. I had to run a couple of things to be up to date with all the things that are changing.
Speaker 2:Nice, so look for the videos on how to use Lava coming up shortly.
Speaker 1:No, it's going to be awesome. I think folks are going to dig it.
Speaker 2:Yeah, so we had an exciting day a couple of days ago, right? August 25th was the two-year anniversary of the Digital Forensics Now podcast, so we've been doing this for two years now, which is insane. Yeah, with no fireworks in the car, huh? Oh, what, what?
Speaker 1:No fireworks, how could that be? Let's see.
Speaker 2:I don't know, I didn't see any fireworks.
Speaker 1:Well, look, look, I'm going to give you some, I'm going to give you some lasers.
Speaker 2:Oh, there we go, there we go.
Speaker 1:Warm it up and then, yeah, you go two years.
Speaker 2:Perfect.
Speaker 1:Two years yeah. You can have one with cake or something, but you only have balloons. Now, if you're listening, I'm just putting reactions on the screen and there's balloons and fireworks going off. So me being silly yeah.
Speaker 2:So yeah, two years, two years. Insane. I can't believe it's been two years.
Speaker 1:I'm a lot less nervous now. You sure? You sure? And you, you. Let's leave it there. I'm just gonna make some jokes, but it's okay. So good. Oh, you can, it won't hurt my feelings. No, no, yeah. When we started, Heather wouldn't say a word. She was really quiet, and now I have to fight her to just tell me to shut up. No, I talk too much as this, so it's good. It's a good thing that you're more targeted now. I'm just trying to compete with you now. Well, that's a good thing.
Speaker 1:That's a good thing. I want that. People are super bored of me right away. So I appreciate you growing into the co-host position and you're awesome and I'm glad you're happy. So thank you.
Speaker 2:So for the two years of the Digital Forensics Now podcast, we're going to do a little giveaway for two people. So I'm going to put up our lovely little wheel here. Let me share my screen.
Speaker 1:Thank you, Johan, for the happy two years. It's, it's, it's amazing. We never thought we'd be doing this for this long, or that.
Speaker 2:Oh my God, I know.
Speaker 1:Yeah, we really get, you know, value out of it, so we're happy that that's the case. All right, do it, heather, do it.
Speaker 2:Anybody, anybody who liked and shared the post I put up earlier in the week will get a chance to win something that I'm going to surprise you with. So I'm going to spin the wheel for our first winner. And our first winner is Roberto. Oh no, that's not what it landed on. Okay, my screen looks different.
Speaker 1:I think that's our winner. Our winner is Roberto. It landed on... Okay, my screen looks different, I think. Yeah, no, it's Roberto, but the thing, that's our winner? Yep, our winner is Roberto Orzocco. Oh, I can't see, I'm all, I can't see.
Speaker 2:All right, let me spin it for the next one, yeah. I think it's not landing on the right one. Yeah, and Ashley. Ashley is our second one. Wow, wanted her to win it. Did it? Did I?
Speaker 1:Know, Ashley, I know.
Speaker 2:Okay.
Speaker 1:She's awesome, she's great. I was going to feel sorry, like girl, you, you, your name came up, but then you didn't. But then she actually won.
Speaker 2:Really, yeah, I'm going with the two that the pointer actually pointed to, and then I don't know what's up with the Wheel of Names website, but the two that it actually pointed to, Roberto and Ashley, I'll reach out to you on LinkedIn and just ask you for your address at some point so I can send you some Digital Forensics Now
Speaker 1:podcast swag. Oh, I'm so happy that she actually won all the merits in the second run. Definitely. I don't know what's up with my wheel. Bad for her. Me too, I don't know what's up with the wheel. The wheel is broken.
Speaker 2:Yes, so I'll reach out to both of you. The wheel of misfortune. Yeah, and now we're to our favorite part of the show, the Meme of the Week. So let me share the Meme of the Week, and I think everybody is going to agree with us on this one.
Speaker 2:Let's see here. Let's see it. Here we go. So we have the groceries all knocked off of the shelves in the grocery store into the middle of the aisle. It is an absolute disaster. And the meme reads, "Also, I need you to finish this case that the other examiner started." I don't know how things have been going, and this doesn't just apply to work. Like, this is everything in my life right now. So I don't know how things have been going for you, but this summed it up for me, which is why I chose it.
Speaker 1:And then they have to take my case and all my notes are done. The notes of the exam are in Post-its and I'm like, what is this? How are they supposed to go? Is this
Speaker 2:how this goes? These are Post-its.
Speaker 1:What the heck is this? I'm supposed to finish this case now, and then you know your ears are ringing because they're thinking of you.
Speaker 2:It's just the. Also, I need you to finish this part, and it's in every aspect at the moment. So, the to-do list is insane.
Speaker 1:Yeah, the "also" word there really brings it home for you.
Speaker 2:Yeah, it totally, totally, totally does. I think you've kind of had the same thing going on lately.
Speaker 1:Yeah, at a certain level, the work that we do, we're kind of the cleanup guys in a sense, because you know, something happened right and there's some theories of what happened. But it's up to us, the folks on the back end, to actually put some of those pieces together in a really structured and approvable way. So we end up having to do that type of work and clean up all the time, all the time. But it's good, it's all good, we do it with a good attitude, hopefully.
Speaker 1:Of course, always right, of course, we don't curse or get mad at other people. I don't.
Speaker 2:So that's it. That's all I've got Two years, two years done.
Speaker 1:Yeah, this baby is now what it's going to eat? Solids now. It's eating solids now, so it's walking possibly, who knows?
Speaker 2:Terrible twos are over.
Speaker 1:Well, actually they're starting, so let's hope they're not that terrible yeah.
Speaker 2:All right.
Speaker 1:Well, thank you for the show, Heather. Thank you, thank you for being with me and being patient with me and my crappy connection from my car. We will plan for hopefully not another month to go by, because it's just slightly crazy, but we're trying to do what we're supposed to be and we'll keep you all posted. Follow us on the Digital Forensics Now podcast LinkedIn page for updates, Heather's page, my page and anything else for the other Heather.
Speaker 2:That's it. Thank you so much, everybody, for tuning in today at the strange hour we have the podcast.
Speaker 1:Strange hour, strange day, it's all good. Thank you, take care, folks, see you soon. Bye. There we go. A different song for you right there. Yeah, we'll see you next time.