Digital Forensics Now

Brett Shavers Blogging Extravaganza!

Heather Charpentier & Alexis "Brigs" Brignoni Season 3 Episode 1

This episode digs into the habits that actually hold up: learning from CTF wins and post-event reviews, exploring scholarships and Reno trainings that build technical muscle, and walking through expert-witness prep that turns courtroom stress into structured, confident testimony.

We’ll unpack Brett Shavers’ reminder that truth alone doesn’t win cases—procedure, documentation, and bias-aware methods do. Clear writing matters too; vague language can undermine solid work.

On the tools side, RabbitHole v3 now recovers deleted SQLite records and rebuilds them into query-ready databases—speeding validation and reporting without losing traceability. We’ll also demo the new Android Logical Extractor: pull device info, logs, and scoped chat data with hashes and ready-to-file PDFs. It’s ideal when consent is limited or full file systems aren’t on the table, and integrates cleanly with downstream workflows.

Throughout, we emphasize one idea: tools are abstractions. If you can’t explain how a result was produced or reproduce it, you don’t own the finding. That’s especially true with AI. Generative models are nondeterministic—useful when documented, risky when their prompts or scope stay hidden. We’ll cover prompt disclosure, reproducibility, and how to write about “deleted” data with precision: previously existing, marked deleted, not referenced—describe state, not intent.
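To make the "describe state, not intent" point concrete, here is an added example (ours, not RabbitHole code and not from the episode) that walks a SQLite file's freelist by hand and labels what it finds by state: rows the b-tree still references are "live"; strings that only survive in pages the header lists as free are "not referenced, bytes persist". The table, the MSG-nnnn markers and the row counts are constructed for the demo; it deliberately forces secure_delete off (some distro builds default it on, which would zero freed pages) and it only looks at freelist pages, not at slack inside still-allocated pages, so it under-reports what a full carver would find.

```python
"""Added example: classify SQLite content by state (referenced vs. freelist-only).
Not RabbitHole code. Schema, MSG-nnnn markers and row counts are constructed."""
import os
import re
import sqlite3
import struct
import tempfile

MARKER = re.compile(rb"MSG-\d{4}")  # constructed marker embedded in each row body


def build_sample_db(path: str, rows: int = 400, keep: int = 10) -> None:
    """Create a chat-like table, then delete most rows so whole b-tree leaf
    pages are released to the freelist.  auto_vacuum=NONE keeps those pages
    in the file; secure_delete=OFF keeps their old bytes (assumption for demo)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=NONE")   # must be set before any table exists
    con.execute("PRAGMA secure_delete=OFF")  # overrides a SQLITE_SECURE_DELETE build default
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany(
        "INSERT INTO messages VALUES (?, ?)",
        [(i, f"MSG-{i:04d} " + "x" * 180) for i in range(1, rows + 1)],
    )
    con.commit()
    con.execute("DELETE FROM messages WHERE id > ?", (keep,))
    con.commit()
    con.close()


def read_header(data: bytes):
    """Database header fields used here (all big-endian, per the SQLite file format):
    offset 16 page size, offset 32 first freelist trunk page, offset 36 freelist page count."""
    (page_size,) = struct.unpack_from(">H", data, 16)
    if page_size == 1:            # 1 is the encoding for 65536
        page_size = 65536
    (first_trunk,) = struct.unpack_from(">I", data, 32)
    (freelist_count,) = struct.unpack_from(">I", data, 36)
    return page_size, first_trunk, freelist_count


def walk_freelist(data: bytes) -> list:
    """Follow the trunk chain and return every page number on the freelist.
    Trunk page layout: [next trunk][leaf count][leaf page numbers...]."""
    page_size, trunk, _ = read_header(data)
    n_pages = len(data) // page_size
    pages, seen = [], set()
    while trunk and trunk <= n_pages and trunk not in seen:  # guard against corruption/loops
        seen.add(trunk)
        pages.append(trunk)
        off = (trunk - 1) * page_size
        nxt, n_leaves = struct.unpack_from(">II", data, off)
        if off + 8 + 4 * n_leaves > len(data):
            break
        pages.extend(struct.unpack_from(f">{n_leaves}I", data, off + 8))
        trunk = nxt
    return pages


def carve_markers(data: bytes, pages, page_size: int) -> set:
    """Regex-carve markers from the raw bytes of the given pages only."""
    found = set()
    for pg in pages:
        off = (pg - 1) * page_size
        found.update(m.group().decode() for m in MARKER.finditer(data, off, off + page_size))
    return found


def classify(path: str) -> dict:
    """Report what is referenced (live) versus what only persists in free pages."""
    with open(path, "rb") as fh:
        data = fh.read()
    page_size, _, header_count = read_header(data)
    pages = walk_freelist(data)
    con = sqlite3.connect(path)
    live = {body.split()[0] for (body,) in con.execute("SELECT body FROM messages")}
    (pragma_count,) = con.execute("PRAGMA freelist_count").fetchone()
    con.close()
    carved = carve_markers(data, pages, page_size)
    return {
        "page_size": page_size,
        "header_freelist_count": header_count,   # what the file header claims
        "pragma_freelist_count": pragma_count,   # what the engine reports (cross-check)
        "freelist_pages": pages,                 # what the trunk chain actually lists
        "live": live,                            # state: referenced by the table b-tree
        "recovered_from_freelist": carved - live,  # state: not referenced, bytes persist
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        build_sample_db(path)
        return classify(path)


if __name__ == "__main__":
    r = demo()
    print(f"freelist pages: {len(r['freelist_pages'])} (header says {r['header_freelist_count']})")
    print(f"live rows: {len(r['live'])}, markers recoverable only from free pages: "
          f"{len(r['recovered_from_freelist'])}")
```

The three freelist counts (header, PRAGMA, walked chain) should agree; a mismatch is itself a finding worth writing down before anyone calls the carved strings "deleted messages". Note that a recovered marker tells you a record's bytes persist in an unreferenced page, not who deleted it, when, or why.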

If you’re serious about improving testimony, validating results, and adopting new tools without losing forensic footing, join us. Then share your take on AI prompts and language precision—what will you change in your next report?

Notes: 

IACIS Scholarships
https://www.iacis.com/awards-and-scholarships/will-docken-scholarship/
https://www.iacis.com/awards-and-scholarships/womens-scholarship/

Training Opportunities!
IACIS Reno
https://www.iacis.com/events/in-person/reno-nv/


Free DFIR Test Images + Industry Tools to Analyze Them
https://www.dfir.training/downloads/test-images

New Blogs from Brett Shavers!
https://www.linkedin.com/pulse/theres-lot-more-trial-than-you-may-know-even-have-100-brett-shavers-br4sc/
https://www.linkedin.com/pulse/case-almost-made-me-quit-dfir-shouldve-news-brett-shavers-pie1c/
https://www.linkedin.com/pulse/i-when-digital-forensics-lost-its-soul-brett-shavers-otkec/
https://www.linkedin.com/pulse/end-dfir-again-dfir-training-ab5jc/
https://www.linkedin.com/pulse/how-wreck-your-report-affidavit-testimony-one-word-brett-shavers-qkyvc/

Free Webinar
https://www.suspectbehindthekeyboard.com/fighting-city-hall-dfir-lessons-from-a-pro-se-plaintiff

Rabbithole Update
https://www.linkedin.com/posts/rabbithole-dataviewer-sqllite-ugcPost-7384144022065274880-0d0D
https://www.cclsolutionsgroup.com/forensic-products/rabbithole

ALEX Release
https://github.com/prosch88/ALEX
https://github.com/RealityNet/android_triage


SPEAKER_03:

Welcome to the Digital Forensics Now podcast. Today is Thursday, spooky October thirtieth, twenty twenty five. My name is Alexis "the Scream" Brigs Brignoni. And I'm accompanied by my co-host, the ghost to my haunt, the vampire to my bat, the Frankenstein to my monster, the scary, spooky, and always spooky Heather Charpentier. The music is Hell Up by Shane Ivers and can be found at silvermansound.com. Yeah.

SPEAKER_00:

Oh my god.

SPEAKER_05:

I don't know if that even made it. The audio made it.

SPEAKER_01:

You're awfully spooky. You sounded really muffled.

SPEAKER_05:

I know, I know. I'm gonna I'm gonna look so the folks that are listening. I had a uh Scream mask on because it's Halloween, you know, tomorrow. Wait, let me put my hat on. So so let me let me let me say the intro because with that mask, I bet nobody heard it. I I said, you know, I'm accompanied by the co-host, my co-host, the ghost to my haunt, the vampire to my bat, the Frankenstein to my monster, the scary, spooky, and always kooky, Heather Charpentier. There we go.

SPEAKER_01:

And he came up with that like 10 seconds ago.

SPEAKER_05:

Yeah, it's a little burst of creativity after I had a dose of Oreo cookies to get some sugar in my system. Now I'm hyper.

SPEAKER_01:

Oh my gosh. I did not dress up for Halloween, but I do have an orange shirt on, so I'm just going as a pumpkin.

SPEAKER_05:

The Great Pumpkin, like the Peanuts. Yes. See, I I like my my my Scream mask because uh has it says it's like rhinestones, it's like like you know, fancy and whatnot.

SPEAKER_01:

Are you wearing that out trick-or-treating tomorrow?

SPEAKER_05:

No, actually, I'm gonna be dressed out as uh as uh Bruno from the Encanto movie.

SPEAKER_00:

Oh, okay.

SPEAKER_05:

So we we don't talk about me, you know? Get it?

SPEAKER_00:

Nope, I've never seen it.

SPEAKER_05:

Oh well, I I'm not surprised. I uh people might be surprised that you don't you're not culture like that watching Disney movies, but you know, I'm not surprised.

SPEAKER_01:

I watched the old Disney movies, like the 1970s, 80s, 90s ones.

SPEAKER_05:

Yeah, when yeah, when you were in your 20s, I get it. But either way, um it's a great movie, Encanto's a great movie. So I think I'll be trying to Bruno. So I'll have the picture for the next the next episode. So we can you can all laugh on my wig. It'll be great.

SPEAKER_01:

So what's been going on?

SPEAKER_05:

Um, so my end uh a lot of stuff, a lot of work, but uh something cool that happened. Let me put this up on the screen. Uh, what I have there is me sitting at this little stage with the awesome Scott uh Tucker, uh really uh uh uh an expert. He works mostly civil cases. Fantastic. We had a little debate at the Oxygen Forensics, and I have here a little wolf, you know, for the Oxygen folks. Yeah, they were they were in town uh not too long ago, and uh they had their um conference, um uh legacy, what was it? Um Legacy and Logic conference for 2025, and they had us debate a little bit on on the on AI. Obviously, I was on the um AI not so good side. Uh you were not. I just told people that uh AI is an insult to uh life, but uh other than that, it was I was pretty civil.

SPEAKER_01:

Oh my gosh. I think you're quoted saying that on several different platforms, so I saw it.

SPEAKER_05:

An insult to life itself. It's not even my I didn't come up with it. It was Hayao my uh um Miyazaki, the guy from from the cartoons, the anime cartoons. Anyways, the point is that it was a great debate, and and again, really, really nice, but a good good exchange of ideas on what the limits of AI are and and some of the benefits as well, and some of the procedural things we need to possibly be aware, and and some might also disagree in many regards to the use, uh, misuse, and and all those functions. So that was pretty good. That's pretty neat. How about you? What's what what do you do since last time we were here?

SPEAKER_01:

Honestly, not much. I think I'm still sulking because I'm not on vacation anymore. I think that's what I've been doing since the last podcast. I showed all my cute animals I got to go see the last podcast, and I literally have just been upset about not being there.

SPEAKER_04:

Yeah, no, I I I I hear you. I hear you.

SPEAKER_01:

Yeah, but nothing major, you know, just hanging around and going to work, coming home, getting ready for winter. Oh, yeah. Oh, it's freezing here. It was like 26 degrees when I went to work the other morning, so it it's cold already.

SPEAKER_05:

Well, it's getting cold down here in Florida as well. It's a it's a like a uh uh oh, I mean, not not horrible freezing temperatures like you, but it's still it's getting colder here as well.

SPEAKER_01:

So you it made it down to like 75.

SPEAKER_05:

Uh actually it was 50 this morning, and I'm like, I'm like, this is ridiculous.

SPEAKER_01:

Did you have your parka on?

SPEAKER_05:

Uh I have my uh Eskimo suit on.

SPEAKER_00:

Ah, there you go. There you go.

SPEAKER_05:

Even my Ug the Ugg boots.

SPEAKER_00:

Oh my gosh.

SPEAKER_05:

I uh but uh wait wait. Just to make it clear, I do not own any Ugg boots, okay? Just saying.

SPEAKER_00:

We all just visualized it though. So in our minds, you do.

SPEAKER_05:

So so before we start, I'm gonna say a few hi's to Christian is hanging out here, so I'm happy uh he's here. We're gonna talk about uh a great addition to open source software. So we're gonna talk about that. Kevin is there. I know he liked my mask. Um, you know, forensics with Matt is there, Natswami from Twitter, so good to have you here. Yeah, and uh yeah. Let's uh let's start the show. What's what's what do we have?

SPEAKER_01:

Let's do it. So um wanted to mention uh that the Cellebrite CTF was just the last week or so, and um I did not play this time, however, I was watching all of the great comments in the Discord on the CTF challenge, some really funny good questions. Um but I wanted to just put up the winning team. I stole this from Cellebrite's uh LinkedIn page. The winning teams are there, so congratulations to all the winning teams. And then just kind of wanted to do like a little PSA for everybody who missed out on the CTF or maybe just wants access to the images afterwards. Watch for all of the great bloggers because they'll be writing blogs about how they came to the correct answers for the questions on the CTF. And you always have the chance to take the or to do the CTF after it's done at your own pace as well.

SPEAKER_05:

Oh, I I love how uh the teams from uh from the Pacific, right, did so well. Thailand and Singapore, even the win the individuals and winning teams, um, they did they did awesome. We got Romania up there on their individual number one. So that was uh that was that's pretty cool. And then uh representative from the US as well. So that's that's pretty cool.

SPEAKER_01:

Yeah, definitely. Let me take that down. All right. Um, wanted to mention a couple of scholarships that are available if anybody's looking to go to training but maybe doesn't have the budget for the training. The IACIS scholarships are up and active um again this year. There's two, the Will Docken Scholarship and the Women in Law Enforcement Scholarship. For the Will Docken, um the scholarship will cover the course tuition, and um the recipient will be furnished with all the course materials, equipment, hotel accommodations, everything at no cost. To qualify for the scholarship, um, the applicant must be employed by a city, county, or state law enforcement agency to conduct digital forensic examinations. And the agency cannot have more than two personnel, including full-time, part-time, temporary, or flexible, assigned to conduct digital forensic examinations. So the application period is open now and it's listed uh through November 30th. And then the Women in Law Enforcement Scholarship is it covers the registration fee for IACIS, and then there that that is funded by Edith Santos. And then there are additional donors that are gonna support um up to $3,000 for travel expenses, so your flight, your accommodations, your per diem, and then access to digital forensic software packages for the recipient of that scholarship. Applicant must be female, working in a law enforcement agency, sworn or civilian. So you don't have to be sworn, sworn, or civilian for that one. Um, and then that is also open through November 30th.

SPEAKER_04:

Oh, that's awesome.

SPEAKER_05:

Uh, you know, apply for that. Hopefully you get it. Uh and you know, we as full disclosure, we're volunteers as well for IACIS and we teach the advanced mobile device forensics course. And uh we believe in the IACIS mission and the content. Uh we know that that's really good, so it'll be a great benefit. Um, and if you have uh uh you know a way of going there without needing a scholarship, then take advantage of that. Uh it's a great it's a great opportunity to learn and also a great time to network, and you end up meeting awesome people like like Heather here.

SPEAKER_01:

Oh, yeah. And awesome people like Alexis here.

SPEAKER_05:

Oh, yeah, I don't know if I fit in the definition, but it's okay. You'll you'll meet me as well.

SPEAKER_01:

Um uh kind of along the same lines, some training opportunities. So uh Alexis was just talking about IACIS. Those two scholarships that I mentioned are for the event in April in Orlando, but there is also an event this year in January in Reno. And just wanted to give a reminder that specialized classes, so not the BCFE class, all of the specialized classes are going to be running an event um for a week in January in Reno. So if anybody is looking to register, the registration is still open and another chance to meet us. You can come hang out. Let's work forensics together.

SPEAKER_05:

No, yeah. I mean, uh, you'll you'll hear me, you'll hear me rant about data structures, which is always fun. So come on, come on over.

SPEAKER_01:

I'll try and keep his AI rants to a minimum, I promise, for whoever wants to sign up.

SPEAKER_05:

We'll do those in the breaks and maybe at lunch or or after hours.

SPEAKER_01:

Well, there's always at least the one student that is like AI can do this for me, right? So you can go a debate with Alexis at lunchtime.

SPEAKER_05:

You'll see me, you'll see the smoke from my ears coming out in the back.

SPEAKER_01:

Um, another training opportunity I want to mention, but first, full disclosure, I do currently work for Hexordia as a contract trainer. I have been um doing my co-teaches so that I can be a uh part-time teacher for Hexordia, but I did want to mention one of the classes that Hexordia is providing. So I recently had the um privilege to attend the very first Hexordia expert witness testimony class. We did it online. Um, it is taught by an instructor, uh, two instructors, and one is an attorney. So we have law enforcement and attorney uh both teaching the expert witness testimony class. It was a great class, in my opinion. We went through like all of the different types of hearings and court attire and court etiquette and everything you can think of, court types of things that you might run into as a digital forensic analyst, um, up on up on the stand. And then at the very end, we did a uh moot court or mock trial. Um, I just really think that is very beneficial for people in the digital forensics field, especially if you're new to this and you've never testified. Um, it really gives you an idea of what types of questions you might be asked and kind of how to conduct yourself at a trial.

SPEAKER_05:

There is such a need for this type of um expert witness courses and with a moot court components. Yes. Um we we we have I say we in the context of the full community, we train folks and then we expect them to be good at trial, at presenting. And you know, you're like, well, I took 20 hours of this, 30 hours of that, and and and how to use this tool, how to use that tool. Well, do you have you ever experienced a courtroom? No, have you ever been inside of one? Do you know where you go and sit? Do you know where you testify? Well, I saw it on TV. Uh, I don't think that cuts it, right?

SPEAKER_00:

It is not the same.

SPEAKER_05:

So so having courses that do that, uh, that kind of expose you to that um environment and what are the best practices in order to present. Because again, when we discussed uh the show, you can have the best arguments, all the the factual items on your side. And if you're not able to convey it, convey it clearly and in a credible manner so that the jury can not only understand it but believe you, then uh you you're gonna you're gonna fail at at the mission. So uh highly recommended to look for those classes. It could be Hexordia's or any others. Um if you hear of any others, let us know, and we'll be happy to also uh make them uh known to the community.

SPEAKER_01:

Yeah, I have actually seen one on NW3C's website, but I haven't seen any dates for it up there yet. So hopefully they'll run theirs again as well. Um just one more thing on that. So when I very first started in forensics in uh 2015, uh Lieutenant calls me in and is like, okay, what type of training do you want? And my my number one was I want some kind of training in how to testify. He's like, Oh yeah, we'll find you something. Yeah, uh, there was nothing that I know of, and I don't know if they actually looked for anything for me, but I didn't get the training and I went for one of my very first trials, a homicide trial, and I got there and I had no idea what I was doing. And the prosecutor was an old man and he was so nice, but he handed me um a page of questions he wanted to ask me from a Wikipedia page that was not meant for a mobile device examination whatsoever. And I immediately panicked and had to sit down and write my own questions. So um training in that would have been helpful before I sat down and wrote my own questions.

SPEAKER_05:

Well, I mean, the fact that you have to write your own questions, people will be like, what? That's actually not that uncommon.

SPEAKER_00:

No, it's not.

SPEAKER_05:

I mean, you're the technical expert, right? So you you cannot tell your stakeholders, your investigators, and say your your prosecutors, whatever, or your client if you're in this on the private sector. This is the detailed stuff, and this is what it means. And the best possible way to convey that knowledge might be this way. Of course, the the person doing the presentation, the lawyer, will always approach it from the way they need to approach it based on the law. Right. But you can give them that heads up. So that's that's something that's it's see look, it's hard, it's hard being. This is my first testifying on a murder trial with no training. Yes, and I I didn't even know how to make questions here. You know what I mean?

SPEAKER_01:

Yes. I will give the prosecutor props though. So I was so scared of how it was gonna go. He went in there and asked those questions as if he'd been doing digital forensics for two decades. He was amazing. I was like, where did you come from? A minute ago, you handed me a Wikipedia page, it was it was great.

SPEAKER_05:

So welcome. Look, uh, what is they say uh uh preachers, uh politicians, and lawyers, which actually is a lot of overlap between all three lately. Um there is a lot of uh uh control of the stage and being able to act in a way and present themselves in a certain way, so it makes absolute sense to me.

SPEAKER_01:

He did great, so but a little nerve-wracking, just a little.

SPEAKER_05:

Yeah, no kidding.

SPEAKER_01:

All right, so the next few topics for the podcast all have to do with Brett Shavers because he has been on a roll with his blogs and sharing of information uh to the community. Um I'm gonna start with a page that he put up on LinkedIn recently that has free uh DFIR test images and industry tools to analyze them. He stresses that real learning comes from analyzing, comparing tools, and documenting your findings, not just collecting the data. And his key message was practice, validate, and understand how tools work, uh, whichever ones you use. So there is a page, and I'll put it in the show notes so everybody can go to it, but on Brett's uh DFIR Training page, there's a section for downloads with test images.

SPEAKER_05:

Yeah, and test images are so important. Uh like like Brett wrote, you have this output from your tool, and it says this is a chat. If you have no understanding of where it came from, you're gonna have some problems, right? And a good way of of actually interacting with your tools is you take a tool set that's known data and look at it through your tool, see if it's missing something, see where it got it from, where the tool got it from. Um, I I just we discussed this in previous episodes where a tool will give you, let's say, the chats, the images, the timestamp, who's talking to who, but it will not give you um other fields, like for example, is this the administrator of that chat group? And that might be important. But when you have a test image, you can see that, see what the tool shows, but then go to the source from the test image. It's data that's been already pre-populated for you, which saves a lot of time, and then see what else you might be missing from your tool, right? So experiment with those. I I use what we use, uh the folks that develop the LEAPPs, open source tooling for digital forensics for the community, mostly mobile devices, Android and iOS, among others. We use these all the time. And I would hope, you know, every every time it's a new iOS, I'm hoping that that Josh Hickman, you know, throws you know, makes a new iOS image or when the new Android comes out because they're invaluable. So many artifacts that we created to the tool based on that test data that folks like Josh Hickman put out. So uh uh I I wish I was a millionaire because I would pay them just to make test data for the community.

SPEAKER_01:

Yeah, so his documentation is out of this world. Um, I I do test data too. Uh I don't have it up public, but I do test data and my documentation, like sometimes I just forget to write down if I sent a message or placed a call or deleted something. His is spot on. It is like everything he does with the phone, including turning the volume up, powering it off. Like he's very, very detailed um in his documentation.

SPEAKER_05:

So before I say something else about Josh, because he wants his articles to help me this week. So I take the advantages, uh, the opportunity to say that before that, Kevin is saying that he has that's why he has an archive of CTF images. Same thing, it's data that's been populated for the CTFs, and sometimes it's apps that might not be that um like that common because it's it's good to um put some throw some curveballs in some of the CTFs, but you learn from it and also you support that at whatever app that is. Uh, I remember an app that was obscure. I was I think I mentioned it in a previous episode on a kidnapping, and uh nobody knew nothing about it, and I made parsers for it, and it ended up being Discord, which I think is a pretty popular app now. Yeah, but back in the day, nobody knew what Discord was. Maybe it was kind of starting to be uh common for some from gamers, some specific games, but nobody knew about Discord, and now Discord is everywhere, so you never know, right? So it's it's good to have those. I was gonna say quickly um Josh had an article on how to look at uh some Signal clones in a sense, um encrypted chatting applications, and how you can go about getting the IDs or the initialization vectors and the different uh hashes, how to decrypt things to get the passwords that you need or passphrases that you need to open those databases. And I was reading his article, I was able to get some of the values from the key store in Android using tooling, and I was able to decrypt the Signal database um you know, quasi. I gotta say quasi manually because I still depended on the key store. Yeah, but at least able to decrypt it that way. The the point with that being it it helped me in a case because in this case, for whatever reason, none of my tooling was giving me it was not parsing the extraction. The expassed extraction was good. I don't know why, because I ran it on ALEAPP and it ran. You know, I just want to throw that out there. 
So ALEAPP, ALEAPP got all the stuff that I needed, but I was able to tell through ALEAPP that I was missing Signal. So I went through the process and and Josh's article and test data and all that helped me quite a lot. So I I guess the long story short, try to be connected to the community, read blogs like Brett's that will keep you up to date on what's going on on Josh and the like, and use your forensic images that are free, you know, test images, and try to strive to learn. Whoever tells you, I don't need training, I don't need to learn new things, the computer will do it for me. I will press a button, AI will come and do my job. Well, maybe AI might come and do your job and then you know leave you with no job. Yeah, if all you do is that, right? So you gotta you gotta grow yourself. Um, Brun is here, uh uh Bruno. That's not the Bruno I was I was thinking of. But hi.

SPEAKER_01:

Um besides just the test images and um and tools on the site, if you just go to the DFIR Training site, there's also access to the blogs that Brett writes, um, and access to other articles. Uh, there's also uh upcoming trainings, uh big list of upcoming trainings from all the vendors and any any trainings that you can find.

SPEAKER_04:

Oh, absolutely. Absolutely.

SPEAKER_01:

All right, we're gonna continue on with Brett because he has written like 15 blogs this week. I'm over exaggerating, but a lot of blogs since the last um podcast. So there's a couple that kind of go together. Um, there's one titled There's a Lot More to a Trial Than You May Know, Even If You Have Testified a Hundred Times. And another one called This Case Almost Made Me Quit DFIR. It Should Have Made the News. And Brett is recounting um a corrupt case where evidence vanished. This is according to his blog. Evidence vanished, officials lied, and judges ignored the proof, yet they still won. So his takeaway in these blogs, or what I what I narrowed it down to as his takeaway, is in digital forensics, truth alone doesn't win, airtight documentation and procedure do. He urges professionals to make their work defensible under pressure and invites them to his webinar on how to survive legal and institutional challenges through solid reporting and evidence handling. I'll let you go. I'll give the details of that webinar here at the end.

SPEAKER_05:

Uh, that's it's it's really uh it's really tough uh emotionally for me because I I don't want to believe that and again I cannot talk from the government side in a sense, us being uh a representative in that sense. It's hard for me to accept that that folks in in positions of authority tasked with prosecuting crimes will let their biases run rampant, right? And again, I don't know the details of this case, so I'm not I'm not speaking to this case, okay? I have no even Brett himself doesn't really tell us what the case is.

SPEAKER_01:

I know I have a hundred questions when he does the webinar. I'm hoping it's some kind of live thing.

SPEAKER_05:

Yeah, so so the article doesn't tell you what case is. So I want to make that clear. I'm not talking about anything specific, okay? No case specific. I'm not pointing my finger at nobody. I'm talking about in generalities, right? Um, that so it's hard for me to see that we let our biases, and that's tough because we we want to say, well, I have no biases. I come against no biases are there, right? And if you don't start recognizing that you have biases, that you're biased in a certain way, you will not be able to fix that bias to neutralize it. And how do you neutralize it? Power that is what Brett's saying is by following proper procedure, following and keeping the evidence based on the scientific way of doing things. The scientific method takes away that bias. Okay, and even if you're talking about your understanding of what something means, you need to then, like science does, peer review that. If I'm if I'm gonna go to the case agent, hey, what do you think about this? And the case agent is already married to the idea that a particular person is guilty. Well, what do you what do you expect to hear? Do you expect to hear any you know third unbiased opinions? Like, of course not, right? And okay, I'm not saying go and make your case public. I guess what I'm trying to say is have a support system within your labs or in your organizations when you can actually present things and expect constructive criticism and criticism that will take you to task when when something just doesn't feel right. Okay. Um I will say more. So again, we as examiner, we don't control the whole case. I don't control the behavior of the prosecutor, I don't control the behavior of the investigator, I don't control the behavior of the lawyers, I can only control my sphere. I want to make sure that my evidence and my procedure and my ethical manner is correct. And we and this is the thing for me from last year, right? Attention to detail, right? 
Um, make sure you have your propriety, your moral uh character, and your due diligence. Those are the three main things, right? I say that because somebody might do something in your case that's not appropriate, but you have the truth on your side, right? You have what the facts are, and sometimes those errors or those misguided uh actions might be taken care of by the judge in a certain way, okay? And that doesn't mean that the case will flounder. Make sense? But if if we have problems on one side and then problems of the other side, and then you are also a problem, well, the case the case will totally fail, right? And and the idea is to make sure that the truth gets out there so the truth can actually set people free, right? Either set free the victims, right? Or set free uh a person that's guilty. When I say set free the victim, it's by giving the proper punishment to those that are guilty. That sets the victim free in a sense, if that makes sense, right? So there's freedom in truth, either way. Yes, that's I love that. So but you gotta make sure that you want to say that you're really focused on your piece. If you see something that's not right, again, your propriety requires you to call that out, right? And make sure you interface with truth at all times. And uh don't go on the assumption that everybody will have those three qualities that you're striving to. Um, because they might not. And it don't matter if it's in law enforcement, civil. Um, we are our brothers' keeper in a sense for borrowing borrowing a uh uh religious analogy here um to make sure that the job gets done.

SPEAKER_01:

Oh yeah, by reading this, it sounded like a civil case anyway, uh, too. So I mean, but may have started differently. I want more details. I need to talk to Brett about this because I read both articles and I I just really want to read the entire case. Well, no, I don't know if it's available, but I would love to.

SPEAKER_05:

Um, I mean, uh I would assume, right? If it's in court, it has to be open. But right again, again, we'll see what the webinar says because I need to sign up. But um uh I was gonna say that um um oh see now I lost my final thought. Okay. Okay, I remember now. It don't matter, right, if if you're in civil court or if you're in in uh in criminal court, the system is adversarial, right? The system, the idea is to really put the two competing ideas and fight against each other to determine where reality lies, right? With that really uh deep and and and sometimes hard, harsh uh contrast and and clash, right, between the two points, right? Don't worry about that. So sometimes we worry about well, I want to win. No, you don't I don't care about winning. I don't care about that. I don't uh the only thing I care about is to for the facts. This is what happened. I follow the process, my biases are only for the truth. And when that clash happens, you don't have to be worried about it. You don't have to care. You're right if you if you have the right on the correctness on your side and you're presenting it in the best way possible, then things will fall where they fall, right? Um, but that's important. If we don't do that, we don't strive to do that, our biases will creep in and we won't even realize it. It it gets so bad that in some cases that I've seen in the news, either side, whatever side it's arguing for something, even when presented with facts, they still cannot accept it. Right? It becomes so personalized when we have opinions about things, right? And we feel uh attacked by truth when we have an opinion. Well, do you don't need to have opinions, right? Yeah, and don't have an opinion about it. Go for the facts, go for what is and let it be.

SPEAKER_01:

Yeah, definitely. So the free webinar uh coming up is called Fighting City Hall: DFIR Lessons from a Pro Se Plaintiff. It is Wednesday, November 12th from 11:30 to 12:30 Mountain time. Um, you can register for it on the site that I have up on the screen, or it'll be in the show notes if you want to go get it from there. It is free. Uh free registration for this webinar. So check it out.

SPEAKER_05:

I I want to say something, and again, I'm I'm really it it to me it's totally um clear. So it's been said that anyone that has himself or herself for a lawyer has a client, has a fool for a client. Have you heard that?

SPEAKER_02:

Yes.

SPEAKER_05:

Well, actually, I love it because Brett totally is the exception to that rule.

SPEAKER_02:

Yeah, that's true.

SPEAKER_05:

And it and if you don't know Brett, you'll be like, he's nuts, but I know Brett, and I and that makes sense to me. He he literally, you know, kind of represented himself. To the process and and won. So that tells you the type of character this guy is. So I'm really looking forward for this uh this uh webinar about um you know and uh what but the content that he's gonna bring.

SPEAKER_01:

Yeah, me too. I hope I can make it while it's going on and ask questions. But if not, there's also a note on the site that it'll be still up and available to watch if you miss it at that time for 48 hours.

SPEAKER_05:

So there you go. Go go watch it, do it.

SPEAKER_01:

Yeah, definitely. All right. So again, Brett was on a roll, so uh, we have more blogs. So um I Was There When Digital Forensics Lost Its Soul is one of the blogs that Brett wrote recently. He's arguing that um DFIR has drifted from its investigative roots into a credential-driven, tool-focused industry. Early forensics was built by investigators seeking truth, now schools mass-produce technologists who can parse data but not interpret behavior or defend conclusions. So he's blaming profit-driven education for replacing judgment with checklists and confidence with credentials. Um, I definitely have lots of opinions on this one. You go first.

SPEAKER_05:

Uh see, the the thing with automation, no matter what what type of automation is, it don't care if it's LLMs or not, they will de-skill you. De-skill. And and that makes sense, right? Um, you know, we don't use horses anymore, so we use cars. So don't ask me to change a uh a shoe for a horse. You know, that's not that's not happening, right? And I'm being kind of facetious about it, but the point is, yeah, tools are good, right? But at a certain level, we need to keep actually make time to keep our foundational skills. Because the part that the vendors and the schools and the colleges and the degrees, the part that they don't tell you, or at least they don't they don't do it as much as they should, is that when the abstraction, because these tools are abstractions, here's the data on one side, and here's the results on the other one, and you're not looking at the data directly. The tool is the abstraction in the middle, right? Those abstractions will fail you. Imagine yourself, you have your data, and then you have a tool and you have AI on it, and you ask AI, and then you have a result. We have four or five levels of abstraction from the actual data. And if you don't have the ability to remove as many abstractions as you can, you won't be able to come to conclusions about the data that are proper, either to verify or verify, verify, or validate the tool, or again, verify the actual data you're talking about. Of course, I cannot remove every abstraction. I can't be like, well, let me look at the zeros and ones directly, you know, or the electrical charges on the hard disk. Like, and I can't, I can't do that. There'll be some abstractions I cannot do manually, but remove as much as you can. And we're not doing that, we're not teaching that. Actually, actively I see folks in different labs and organizations arguing against foundational training, and I can't take it, it drives me nuts. If you don't want to learn foundational things, what what do you want? 
Just just where do I hit go and where do I hit print? I need you when the print or the go is not enough. When I tell you as an investigator, I have the X, Y, and Z app, you can't come to me and say, Well, the tool didn't show me anything. No, I need you to go in and go get it. You need that foundational training.

SPEAKER_01:

Well, the find evidence button isn't good enough. Come on. That's all I do.

SPEAKER_05:

Oh okay, I'm gonna okay, so I'm gonna kick you from the show right now, and you're not allowed to come back until you renounce that heresy. You're a heretic.

SPEAKER_00:

I take it back.

SPEAKER_01:

Yeah, no, I couldn't agree with you more. The foundational, uh, the foundational stuff has to be there. And I think in the blog, one of the one of the points Brett makes, the that I just absolutely agree with, and I always agree with this, and I think I've said it a hundred times, probably already a hundred times on the on the podcast, is the education, um, the colleges, if you're going for a degree, those foundational uh teachings should be in your digital forensics degree. It shouldn't be stuff that is 800 years old that doesn't apply anymore, and you know, we just haven't updated the curriculum. I just feel like we're lacking in the education department.

SPEAKER_05:

Well, as students also need, I mean prospective students need to be uh good consumers, and that applies that applies to everything, right? Especially now. Um, oh, it's a degree from whatever university. Oh, I got it. Where's my job? No, you got to be a good consumer. Look at the syllabus, go to talk to folks in the field. Hey, does this look good? Is this something that maps to the skills that I will need to do the job that that you're doing? Um, and you know, do your research, real research, before you jump into a particular certification or course because they will take your money, but that doesn't mean that what they teach you is gonna be you know comparable, equitable to the money that you put in, right?

SPEAKER_01:

Yes, my student loan payment proves what you just said.

SPEAKER_05:

Oh well, again, good thing that you're uh uh uh a self-driven person. So you you're way beyond that degree or any other degree.

SPEAKER_02:

Oh well, thank you.

SPEAKER_05:

And I wanna I want to add something else also. Um in terms of the abstractions. I think it's a concept that that folks never heard or don't think about. I think we should think about it more. Uh the more we think about the reality of the world, which is what we're trying to discover through digital means, the more tooling, the more things we put between us and that recording or that witness evidence data, the harder it will be for us to say something that's not filtered by that abstraction. Okay? And and philosophically, we need to start thinking this way because that will make us not independent of the tools, we'll be the we'll depend on them for sure, but you will be able to then look at the data in a different way. You'll be able to find avenues of investigation that the tool won't show you because the tool only abstracts in the way that it's programmed. If you like Brett's saying in his article in the previous one, right, if you don't understand where the stuff's coming from, how is it stored, how the computer goes about to getting things, right? You will not know what you don't know or you don't need. For example, we were we've been telling um some vendors in the space that we need LevelDB viewers, and nobody cared for many years because vendors apparently thought that the only viewer they they that we needed was SQLite. Yeah. And we're like, no, we need LevelDB, and we're you know moaning and asking and asking. And now I can see some vendors, I've seen vendors recently adding some LevelDB viewers. What does that mean? It means that if you're here listening to me and you don't know what a LevelDB is, that means that you're losing a lot in your investigations, right? The abstraction of the tool that only puts out at least now they have a viewer. Before how many cases you have LevelDB stuff that might be useful? Well, you don't know because you didn't know what you didn't know. 
So I again think of tools as abstractions, which means you will always miss something if you solely depend on the abstraction. Try to get as close to the source of the reality as you can for the things that matter. Because I can already hear people saying, Oh, Brigs thinks I have all the time in the world. Like I have I'm sitting at my house at work just doing nothing. You know, I have 50 computers to go through. I get it, and 20 phones, I get it. I'm I'm I'm in the field with you, man, and gal. I I I'm I'm in I'm my hands are dirty. I I did so many computers this week and phones, anyways. But what does that mean? It means that if you think that the tool gave you something that's really important for your case, you need to go and go beyond the abstraction. If the investigator tells you, you know, a lead of, hey, look, these apps were involved, or these conversations had this content, then you have to get a step out of the abstraction and go for those. That communication is important. If you have particular tasking from your stakeholder, be it your lawyers, the board of the company, or a prosecutor, again, you gotta go outside of the abstraction to be able to accomplish that tasking. So at least my takeaway for this episode: think of tools as abstractions and how you need to, at a certain level, go closer and deeper to the source data to get the results that we need.

SPEAKER_01:

Definitely.

SPEAKER_05:

Sorry, I'm out of my box now.

SPEAKER_01:

No, you're fine. No, I have more blogs from Brett anyway. Two more. I only have two more. Um, so the next one is The End of DFIR, Again. So Brett says every few years people claim digital forensics is dead. First encryption, BitLocker, cloud, now AI. None of these killed the field, each forced it to adapt and evolve. Um AI, however, is different. It can create that fake evidence, deepfakes, uh, false, all kinds of false fake evidence. Um but Brett insists that forensics will survive through its usual cycle of fear, adaptation, expansion, noting that AI won't kill forensics, just expose laziness.

SPEAKER_04:

Yeah, I I that last part is key.

SPEAKER_05:

It's it's so key because the future, the AI, and so again, when we say AI, we talk about generative tooling, right? LLMs, things that are um indeterministic, okay? Um, that's gonna be a lot of change that we don't really know how it's gonna play out. Um, and I say that because the only thing that generative AI can guarantee is inconsistency. That's that's just fact. And you if you like LLMs and you're like me uh saying that, I'm gonna say it again. You can only guarantee inconsistencies.

SPEAKER_01:

You're gonna get some hate mail.

SPEAKER_05:

More. So that's where the laziness comes in, right? It will generate an inconsistency and the lazy person won't catch it. And and then what, right? Uh you you're gonna be you're gonna be called out or let go or whatever. And and again, that's assuming that that you're using uh your LLMs in your investigative process or actually accessing evidence. I don't believe that we should uh have LLMs go through data. It's a philosophical um how can I say this procedural standpoint. I know of tools, and I'm not criticizing tools that actually do that, right? Because I don't want to be misconstrued, right? Um for example, I'm gonna say this real quick, Yuri from uh Belkasoft, we had a great uh conversation in LinkedIn debating the pros and cons. It was so good, I think it made it to some present really presentation, some yeah, yeah, some presentations and some screenshots you put it out there, like our debate, right? And look, I don't I'm not we had a great, you know, it's a friendly, it's a debate. We heated but friendly, because you know, I like the guy and we like each other and we're colleagues. But I'm not putting hate on him or vendors that put the thing on the LLM on the tool to access the sort the uh the evidence. They're they're allowed to do that, right? Now the question is what are you gonna do about it? Do you have the procedures to do about it? And if you do, then again, you will have to account for yourself, right? My opinion is that I don't think the LLM technologies are at the point where I want them accessing directly my evidence and giving me inferences, because that's what it does, inferences from my evidence. That's my position, right? I'm not saying that I'm right and Yuri is wrong, or vice versa. I'm not saying that. This is something that everybody needs to be knowledgeable to come to their own conclusions until the point comes where either the community or your own organization will set some rules, right? Why will what I would like to see? 
I would like to see organizations say, if you're using generative AI, it needs to be disclosed, either on the report, well, not either, on the report and through discovery methods, right? And I want to see your prompts. The prompts will be part of discovery in the same way that if I have a list of search terms it should also be part of discovery. Because taking into account that this indeterministic procedure is influenced by the prompt or the question that you're making to it, right? So, what does that say about me as the investigator? That should be describable, that's my opinion. And somebody may have a different opinion. And if the industry agrees with my opinion, then this is something that will be imposed upon you, then you have to do it no matter what. But we're not there yet. So I I would encourage people to think about these things. If you're gonna use these LLMs, be really careful about it. Because if you're not, like Brett says, it's gonna out you in a really bad way. And if it affects your case, uh I I cannot even imagine repercussions, not only to you, like like Heather said, but to justice itself. And we don't want that to happen.

SPEAKER_01:

Well, and those prompts, uh, what if they're outside of the scope of the warrant?

SPEAKER_05:

Yeah. Oh my goodness.

SPEAKER_01:

Should definitely be discoverable. We should not be asking AI things that are outside of the scope of a warrant ever.

SPEAKER_05:

Well, and I heard people saying, Well, but it might be, it was, but I was gonna find it anyway, like it was unavoidable. And I forgot what the the term the legal term for that is. And and you know, I I get that, but do we really want this all-knowing eye? I say all-knowing, but this thing that will eat up all this evidence and can lead you either astray or in a direction that's not allowed, and say, well, it's an unavoidable discovery. Um, that's that's a really shady, for my opinion, backdoor to the privacy rights and the controls that the judges have upon what are you allowed to look now. Don't get me wrong, and actually let me say something about this real quick with abstractions again. My day think today's abstractions. Sometimes our our stakeholders will take our abstractions and misinterpret them and then give us certain limits, right? For example, lately I've been seeing a lot of stakeholders telling me, Well, here's your extraction. I only want you to get stuff from this date to this date. Okay, so how many so we got modified dates, creation dates, access dates? So what what if what if four of the four, three are outside of the time range, but one is?

SPEAKER_01:

They usually are.

SPEAKER_05:

So which one am I is the create it? But okay, what about if it's a file that has uh all those timestamps, but inside of the file, say a database, there's like a million entries with a different million timestamps, right? So how do I go about that, right?

SPEAKER_01:

Um or the files that have no timestamp. Oh, it's there, you just have to go find it.

SPEAKER_05:

And it might be evidentiary, but no timestamps, that means I'm not gonna even address them. Like they like they're not there. They're invisible to me. And that's tough because the abstraction has kind of wrongly uh taught our stakeholders that oh, everything has a timestamp and it's one, and you can filter through it and get an accurate thing, accurate in my mind of what I want, right? So it's it's it's tough, right? We need to make sure that that we take those nuances up to our stakeholders so they can actually give us the proper parameters to do the search and still respect the constitution, still respect the privacy rights of of whoever or whatever it is that we're working on, right? Um, and and don't look for excuses to to not follow the the the get directions you've been giving, right? Um we need to think about those things, it's part of of why we're here. Definitely, and why the LLM will never take your place if you're doing the right thing. There. There you go.

SPEAKER_01:

All right, last Brett Shavers' uh blog, and this one is my favorite. So uh a couple of weeks ago, Alexis put up a um a post about deleted artifacts marked as deleted and why it's a loaded word. And Brett uh got involved in the conversation in the comments. There was there were quite a few comments on the post and uh wrote a blog about it. So this one is uh entitled How to Wreck Your Report, Affidavit and Testimony with One Word. So he was expanding on Alexis's post that deleted is a loaded word. He explains that using deleted carelessly in digital forensics, reports, or testimony can imply intent instead of simply describing a state which can destroy credibility in court. Um, in technical tools, deleted may mean different things. It could mean system cleanup, cache removal, um, many different things, and not necessarily that the suspect intentionally deleted something. So uh Brett in his blog was urging examiners to use precise, defensible language like previously existing or marked deleted um to define what deleted data means. And the takeaway was be exact with terminology. One vague word can shift a case's perception and damage an expert's reputation. Precision in language is as vital as precision in analysis.

SPEAKER_05:

Digital forensics is the realm that has the most overloaded terms ever. Okay. And I picked on on deleted, and I'm so happy that Brett also decided to expound on my comment because Brett is such a great communicator, right? It's uh 10 times the communicator I will ever hope to be. So I do appreciate his input. Um, look, let's say they tell you, accusing you of deleting purposely some important piece of item of evidence from your mobile device, and they tell you you deleted that information and you're like, I didn't delete anything, right? Well, what what happens if the information was contained in the record of a tab of a browser, right? Can you delete a tab in the same way you delete the history of your browser?

SPEAKER_02:

No.

SPEAKER_05:

No, I mean you don't delete tabs. What do you do with tabs? You what?

SPEAKER_00:

Close them.

SPEAKER_05:

You close them, right? Now the database will record that entry as deleted, right? But then that's the overloadedness of the word. When you go to court and people are not technical, and they want to use the word deleted, meaning intentional user, you know, attribution to that as a malicious thing that you're doing to obscure some activity. And the technical term actually means when data is not referenced anymore, let's say by a pointer or referenced by a uh a file system or within the database itself, right? It's one word for the two things. Now what? We we need to be aware. You can't just assume I use the word deleted without that context. That's why Brett encourages us to say more to make it clear what the word means and how the meaning might change as the context changes. Because that scrutiny is something that lawyers and people like that are really skilled on. So you have to understand your terminology and know what it means in one context and what it means in another. And it's not the only one. We talk about unallocated. Well, what's what unallocated mean, right? Depends on that, on that context, right? Even when you speak about unallocated, and does it have timestamps? Well, it depends, right? If it's unallocated from the file system perspective, no, but a file might have a timestamp within it, even if it's from unallocated space that I was able to carve it out. I mean, there's a lot of nuance there, and that's why, and in some training that I've gone through, we have they have a portion called tech terms, which I love that they had the examiner learn a whole bunch of terms, um, you know, what's unallocated, what's deleted, what's uh parsing, what's whatever it is, a lot of terms. And then you have to present and and and present those to a panel. And the panel will ask you questions about that term, and I love that because it really forces you to understand the term at a deeper level and with analogies to make that clear. 
And me as a questionnaire, I've been part of those panels, I try to break break them down a little bit. I mean, not in a mean way, but kind of push them a little bit in regards to changing the context of their how they're defining something. And so I could see how they can instruct me on, oh well, this is true, but in this context, it has this other additional meaning, which does not apply to the discussion we're having now. Make sense? So that's something that maybe you can think of your training scenarios, add a list of 50, 100 tech terms so people can start learning to how to manipulate, not manipulate, but uh explain better in those terms, independent of that context.

unknown:

Yeah.

SPEAKER_01:

Uh Mark from Arsenal put a comment up. I'm gonna put it up. Um, I was in back-to-back depositions with expert witnesses claiming the EnCase Recover Folders function recovered files and folders deleted by the user. They were both eventually bounced from the cases.

SPEAKER_03:

Yikes.

SPEAKER_01:

I mean, as they should be, and just luckily it, you know, it wasn't one of us. You know, um, but they should be. I mean, understanding that, I mean, I I would I would consider that one of the like foundational things that we need to learn when we very first start in the digital forensics field, and understanding that and being able to explain it, then we don't run the risk of being bounced from the case like like these two.

SPEAKER_05:

Well, and and Mark's comment really adds to what Brett said at the beginning with this, right? When he was saying you need to know your tools and actually understand when they use Recover Folders to describe something the tool pulled out, you need to know what that actually is, right?

SPEAKER_02:

Yeah.

SPEAKER_05:

In order for you to be able to intelligently speak about it. Yeah, so that's the first thing. And if if that the word recover and folders has a lot of meaning, the word folders has a lot of meaning within file systems, and it could be represented itself differently from file system to file system. If somebody tells you, yeah, I know what file system is because one time I did FAT16, I know everything about file systems from now on, no matter what, you but you're nuts, right? No, every file system is different, and what it means is different. How you recover it is different. So you need to understand what that means to your tool if you're using that tool. If not, you bounce from the case. That's that's a really like you said harsh, but a fair, fair punishment.

SPEAKER_01:

It is. I mean, that's the difference of somebody um potentially going away to prison for something the crime they didn't commit.

SPEAKER_05:

I mean, I'm okay. Well, you you're saying that this particular artifact, this tool, is user is user-attributable when the file system and the and the operating system, say properly, the operating system itself moves these folders around willy-nilly all the time, right? Especially on phones. Uh for example, in iOS, if you take an app and you you just updated it, and always updated, it's fine. It takes the data folder, so where the stuff that you did was, it takes the app folder where it is, it takes uh a couple more folders, which right now I can't, off the top of my head, remember what they do, and it takes the data, nukes those folders, creates new GUID-named folders, and then puts the stuff in there. Yeah, totally brand new. All those other folders that you had or the structure you had, they're gone. When you update it or when you uninstall it and reinstall it, all those GUIDs change, right? Did I mean to do that? Did I know that my operating system is gonna delete all those directories and make new ones to put different things in there? And uh of course I don't know that as a as the user, but me as the examiner, I need to know that because now I can go to mobile installation logs and look at a history of those folders being created, not created, and it tells me about user activity when the app was installed, when the app was deleted, when the app was uh updated, and how that looks, right? You need to have that understanding. You can't just press a button and then like like you like Heather says, forensically guess what's the meaning of recovered folders on your tool. Oh no, that's that's really bad news.

SPEAKER_01:

I am not a fan of forensic guessing. You could do it in your office with your door closed, make that guess, and then figure it out. Don't don't publicly announce your guesses.

SPEAKER_05:

For sure.

SPEAKER_01:

Uh so yeah, so um, I mean, Brett, amazing writer, and we just had to cover all of the wonderful content he's been putting out lately.

SPEAKER_05:

Yeah, it's all it's all it's all love for Brett at all times.

SPEAKER_01:

Oh, you made it do it on the screen.

SPEAKER_05:

Yeah, for those of you that didn't see it. I also had hearts, really hearts coming out of my of my person here for Brett.

SPEAKER_01:

Um, all right, let's shift gears and let's look at some tools. Uh, we have a tool update and a tool release that we're gonna cover quick before the end of the show. So the very first um is the update. RabbitHole had a recent update. Last um last podcast, I mentioned that RabbitHole had an announcement to make, but nobody knew what the announcement was. Um during our little break here before the this podcast, the announcement came out, and Alex Caithness recently reported the release of RabbitHole version three. The standout new feature of version three is its ability to recover deleted data from SQLite databases. Recovered records are rebuilt into a database so you can rapidly and effortlessly explore, query and report on them just as if they were live. So I'm sharing my screen here and I have RabbitHole up, and I'm gonna open up um a little database that I created earlier today. Let's see. Let me find it. Oh, there it is. Password. RabbitHole recognizes that it's a SQLite database. I'm gonna choose it. And now we have, let me do a little zoom here. There we go. There we go. Now we have the database with passwords. I have five passwords in my database. And if you take a look at the underscore ID, uh I have one, three, six, seven, and ten. So that is because I deleted some of the passwords in my password database. Alex actually has a video that he did showing other features, but I'm gonna show the data recovery portion. So let me back out here. So this is the data recovery portion. Um, my database is already loaded in. So all I need to do is hit analyze database right up here. When I hit analyze database, I can pick which table I want to analyze. I only have one table in this database. I made it really simple so uh it wouldn't take too long during the podcast. So I'm gonna pick the passwords table. And you can see down here we have the passwords table, we have the different columns, and we have the types. 
So what I'm gonna do next is just leave the settings by default. You can change things to um have it not recover fields that have a null entry. You can use um there's a regex setting here for the text where you can set a regex on like specific data if you know what you're looking for. Um, but I'm just gonna go for perform recovery. Um I'm gonna do no to this. It um it's telling me that's too general and could lead to a disproportionate number of false positives. I'm just gonna go for the false positives. That's where you would narrow your search a little. So now if we open up into there we go. The data now has these um additional tables here. And if we look in this epilogue, because that's what that's what RabbitHole named it, composite table. Let me zoom out here so you can see. We have recovered entries. Um, we have this is my other password, password one, two, three. Give me your password now or else. Give me your password now. Not sharing my HBO password on this episode of DFN. It's an important one.

SPEAKER_05:

Well, first of all, um what a what aggressive passwords tease. But yeah, you're not revealing. Yeah, no, no, no, no hex passwords on the screen.

SPEAKER_01:

So um, let's see. So there are some invalid looking results from where the structure of some data in the database um file matched the signatures generated, but they're not quite right. You can add validation to the signatures to reduce um the number of false positives, and that's back on the previous screen. I'm just gonna show you what we get without adding those uh those filters. So I had deleted five passwords, and and here are the five passwords that I had deleted, and they came right along with the timestamps, and I did all the timestamps the same. So um there's another table here that contains um metadata about how the records were recovered and where in the physical files they can be found. So we have here in this metadata column you can see the data sources, the database image, success, and it's found at offset 3975, page number one. So we'll have these records here as well that help um determine where they're being recovered from.

SPEAKER_05:

Alex is such an elegant coder. Oh my goodness. Uh yeah, he's good. I love I love that he calls it epilogue. I bet there's some story behind it.

SPEAKER_02:

Oh, I'm sure.

SPEAKER_05:

Yeah, but the whole being like, you know, after all this processing, look at all the things we have in this epilogue. I just love the concept. Um, I just want to say that you didn't salt or encrypt your password, so I'm highly disappointed in you.

SPEAKER_01:

Listen, this was a nice little easy database to just give a quick demonstration. I was gonna pull in a database from an extraction, then I'm like, ah, who knows if anything was even deleted. So I just made my own.

SPEAKER_05:

Oh, I I I just I'm just teasing. Yeah, no, that's I know, I know. This is a great example because you know, everybody you could see or hear um how the tooling really streamlines this part of the recovery process. And there's oh we always get that question was there something else in the SQLite? Well, tools like this one are are such a great uh way of really doing that analysis. And this is something that uh uh Rabbit Hole really needed. And the amount of granularity that Alex has added to the tool, I just love. Love it. You can really filter down and really focus on the things you need with all the different uh knobs and turns that he puts on the tool. So I'm really excited for it. Um, so and I'm I'm ready to use it and ready to use it.

SPEAKER_01:

Uh yes, I've been testing it out. So very excited to have that. All right. So next, oh, I want to say too about RabbitHole. If you've never tried it, um, go on their website. I'll put the link in the in the show notes, but go on the website, you can get a 30-day free trial. Um, you're gonna want it afterwards, probably, but try it for 30 days for free first.

SPEAKER_05:

Um, see, see, look, Mark's saying we want real passwords, Heather. Come on, you know, I'm so so so we can get your HBO again so we can watch all the TV shows, please.

SPEAKER_01:

No way. Although I'm really playing with fire with this next demo because I have my I have my personal phone hooked up to it to show you how this next one works. Because I left my Android Test phone at work.

SPEAKER_05:

So oh, this is gonna be good. Look, if if you're if if you're listening if you're kind of newest to the show and you don't know the inside joke, you gotta look for the HBO episode, and so you can follow, follow along, follow with the inside joke. But yeah, go ahead.

SPEAKER_01:

You can see how they're doing stupid things. Um all right, Alex is released. That is the Android Logical Extractor. I think it needs a new name, um, but that's besides the point. It's a go ahead.

SPEAKER_05:

I think it's a beautiful, beautiful, totally uh utility plus name, Alex. Android, what was it? What does it mean again?

SPEAKER_01:

It is Android Logical Extractor.

SPEAKER_05:

There you go. Obviously, name in my honor. Thank you. Thank you so much.

SPEAKER_01:

So this is uh created by Christian Peter and it's available for testing. Uh he he put a little note in it, so I'm gonna read his little note. He's been considering for some time whether now is the right moment to make the repository public. There's still some things he would like to integrate. And if he waited for everything to be complete, it would likely take months. So there's no binary release yet. Everything's still in the early stages. So he expects that there will be bugs, and he's hoping that people that are testing it out will provide feedback. So if you test out Alex and find bugs, please report um and give feedback to Christian on his GitHub page. And the GitHub page will be in the show notes. He also I want to make a quick note he also um recognizes Mattia. Many of the artifact and Android features are based on Mattia's Android Triage, and I'll put the link to Android Triage in the show notes as well.

SPEAKER_05:

Uh real quick, Android Triage, I've used it quite a few times, is the best ADB-based tooling that you will find. It will pull everything and anything ADB can pull for you. Okay, so so keep that there. The fact that now there is this um interface that's been built through Alex makes it even better. So uh do do check both out.

SPEAKER_01:

So um really simple to run. I'm just gonna do a command prompt here from the directory where Alex is, and I'm gonna do python alex.py. We'll give it an enter. Just takes a sec to open. Um prior to this, I installed the requirements that were listed in the requirements.txt and also um platform tools. But how to do that is right in the README of the tool. So it takes away any guesswork if you're not like super familiar with using command line to install requirements. So we see here that I have I already have my phone. Um, USB debugging is on. I've already trusted my device, I have it plugged into the computer, and immediately upon launching Alex, I have information about the device. Uh Heather's Pixel 10, and then now you have all my MAC addresses and how much space I use and all that good stuff.

SPEAKER_04:

I love I love the little bar there, you know, kind of showing how much space. I love I love those details.

SPEAKER_01:

I lost the magnifier. There it is. Okay. So then here you can choose your output directory. I have a little folder for Alex testing. We'll hit okay and the options. So the options, this looks a lot like UFADE, right? It looks just like UFADE, but we have different options for the Android. So we have save device info, we have create a PDF report of that device info, and I'll show you those because I already created them. Um, the acquisition options, we have pull just the content of SD card as a folder. We have perform an ADB backup, we have a logical plus, which is an advanced logical backup as a zip file with the UFD file ready for Physical Analyzer and Cellebrite. And then we have a partially restored file system backup. Under logging options, we have logcat dump, dumpsys, and bugreport. And then advanced options, which I love this option. I'm gonna show it, are the take screenshots and the chat capture and the query content provider. So I'm gonna do I'm gonna do the chat capture. I'm just gonna fancy.

SPEAKER_04:

That's really fancy.

SPEAKER_01:

WhatsApp. I'm gonna do a WhatsApp. Um, and we'll just Orlando. I have a chat in WhatsApp that doesn't have any messages in it. So it's my personal phone. I don't want to be sharing all my messages. People will see what I say about them.

SPEAKER_04:

Yeah, don't don't put our our chat messages there because you know there'll be people be mad at us.

SPEAKER_01:

And now you can see. And what it's doing is it's looping through. The screen is actually moving on my phone. I can see it moving, and it's just moving through an old Orlando chat that we actually removed all the members from because we're not using it anymore from IACIS, right? But so literally you can see it moving on your screen, but I can also see it moving here on my phone. And as it's doing that, it's capturing screenshots and text files, and I believe PDFs too, but we'll check it out because it's gonna be in my folder.

SPEAKER_05:

That's that's so is that I get so I guess it works with some apps, it doesn't work with it. Do you know? I mean, I'm just curious because this functionality is so useful.

SPEAKER_01:

I've only tried WhatsApp and um I might have tried Signal as well. I've only tried WhatsApp, we'll go with because I don't remember if I tried Signal or not. Um so I canceled it so we could go back and I'll show you what that looks like in the folder here. Uh let's see. So I put my Alex testing here on this drive. And we can see here, I did I did all everything the tool would do earlier. I did with one of them. So we have the backup ADB, the dumpstate, we have the um here's I'm just gonna actually open up one of the reports. Let me move it over. But this is one of those reports, and you're gonna see all the apps I have. We'll go through them fast. So we've got the Alex device report, Heather's test phone, all my information, and then all the apps I have on my phone. Right with the versions. So if we need to create some test data, we know the version of those applications.

SPEAKER_05:

Look, Christian says it should work for every chat app.

SPEAKER_01:

Oh, beautiful, beautiful.

SPEAKER_05:

That's um, I mean, can you imagine? So let's say you have a phone, you're able to get the PIN code, right? But your tool is not supporting a full file system. And what you want is a particular chat or series of chats, just go and get it. This is this is so useful. I just I just love this. Or or maybe it's it could be on consent, and you were told the only thing you need is this, right? Based on the judge order or whatever. You just go there and and pull that out based on those instructions, right? Um, this is this is amazing. I I this is a great functionality. I love it.

SPEAKER_01:

So here's where the screenshots came into a folder called screenshots. WhatsApp is what I named it. So it came into the WhatsApp folder. Uh Orlando was the name of the actual chat that I named it. And then inside of here, let me back out. We have a PDF, a PNG, and a text version of each of those screenshots. So let's take a look at the PDF. So here we go. Oops. I've got all the stuff open on the sides here. Let's get rid of that. An AI assistant on my Adobe. I never asked for that.

unknown:

Alright.

SPEAKER_05:

Look, you don't you don't need to ask for AI to be thrown into everything.

SPEAKER_01:

It's infiltrating everything.

SPEAKER_05:

You're totally will have AI soon enough. Don't worry about it.

SPEAKER_01:

Oh my gosh. So we have the device, and there's some basic information about the device. The screenshot came from, the name of the screenshot, hash value, and um the app and chat as named by me. So that's the PDF version. Then you've got the PNG.

SPEAKER_05:

Well, I love the PDF because it's like this screenshot has what I need. That's just it's ready for it's ready for my report straight up.

SPEAKER_01:

Yeah, the PDF has the additional information. You know, I haven't even opened a text yet. I'm not 100% sure what the text is, but Christian's in the notes. Maybe he'll tell me.

SPEAKER_05:

Is that a hash, Christian?

SPEAKER_01:

Oh, maybe.

SPEAKER_05:

Because it looks like some sort of hash. But again, I'm missing. Well, you know what? I'm just guessing.

SPEAKER_01:

Let's compare it. It is, it's the hash. I compared it to the PDF. Perfect.

SPEAKER_05:

Okay, look at that.

SPEAKER_01:

You're a good guesser.

SPEAKER_05:

Well, it's informed by experience. So I'm just gonna say that.

SPEAKER_01:

So we have all I did each and every one of the options here. Um, we'll open one more here. Let's look at the I don't want to open in that. Uh that's alright. Hold on, I'm gonna crash my my uh notepad. Let's open it in notepad. So this one is the dumpsys, and we've got it all here. We've got currently running services on the device, and just an entire log of the dumpsys. Pretty neat. Pretty neat. Yeah, I love it. My let's see if we can find so yeah. So I know what my um my wifi is here, so we can see there on the screen. I just did a search for my any dancer Wi-Fi, and there it is.

SPEAKER_04:

Oh, look at that. Look at that. Very nice.

SPEAKER_01:

So awesome, awesome tool. I suggest that everybody go out and try it. It's it's a wonderful price right now, too. You can get it really cheap.

unknown:

It's free.

SPEAKER_05:

Yeah, I was gonna say if you don't like it, uh, you know, Christian will give you your money back.

SPEAKER_01:

So he will, he will, but no, all seriousness, seriousness, though. If you're gonna go try it out, please report any issues that you see because we make this the best tool for the community.

SPEAKER_04:

Absolutely.

SPEAKER_01:

All right, let me close that. And that brings us to the end of the show. So we have to do the meme of the week.

SPEAKER_05:

Yay, my death favorite part.

SPEAKER_01:

Let me take this off of the screen. Here is our meme of the week. We have a Snickers candy bar, and the caption says, Check your kids' Halloween candy carefully. Vendors tried to hide, and inside the candy bar you can see a little box that says ChatGPT on it.

SPEAKER_05:

I uh I yeah, this is a meme I made some time ago, but uh, you know, it's it's so top uh topical for the Halloween section. It is there's ChatGPT, I say ChatGPT, but LLMs everywhere, even where there don't need to be one. I don't need a chat box in my browser. Why would I want one? It has gotten to the point that OpenAI has made a straight-up browser, straight up browser, which I think is pretty hilarious because this is my this is my personal opinion. I don't speak for my job, I know, but either way, none of the things we said today represent our employers; they are our opinions and opinions only. Um look, if if you're trying to muscle into Google's ad revenue by making a browser, um your use case of your technology is obviously not as clear as you want to make us believe. Yeah. Uh but that's me being the AI critic. But yeah, no, um, this is true. You see LLMs being put everywhere, and and folks, companies and vendors think, well, I am my strategy is to have LLMs. That's not a strategy. Like a strategy is I have a problem and I'm gonna solve it in a certain way. Just throwing LLM into things is not a strategy, it's just you throwing stuff into things, right? Um, so a proper use of technology and and actual useful use cases for it is more important than just having it, right? It reminds me of Jurassic Park. Just because you know you can do it doesn't mean that you should. But yeah, it's ChatGPT is everywhere. That's how it is, folks. Be careful when you buy your candy.

SPEAKER_01:

Oh well, that's it. That's all we've got for the week.

SPEAKER_05:

Yeah, no, again, thank you everybody for being here. Um, all the folks, some folks just join in when we're leaving, so sorry about that.

SPEAKER_00:

Watch it on YouTube.

SPEAKER_05:

Yes, just subscribe and then you'll know when we're going live and you can hang out, hang out with us. Again, thank you for Christian, thank you for Brett and Kevin and Mary that I saw her there, and for Mark, and uh all the folks uh who else am I missing, and Bruno and and Forensic with Matt, all the folks that uh chat with us today. Your input is so valuable. We love you, and uh we don't know when the next episode will be. We hope soon.

SPEAKER_01:

Yeah, oh definitely. Let's shoot for two weeks.

SPEAKER_05:

All right, well we'll we'll try that out and we'll see you there. Anything else for the good of the order, Heather?

SPEAKER_01:

That's it, thank you so much.

SPEAKER_05:

All right, folks, we're gonna finish up with the song if I can find it, and uh, we'll see you again next time. Take care.