Digital Forensics Now

From Wins to Wishlists: Digital Forensics Year in Review

Heather Charpentier & Alexis "Brigs" Brignoni Season 3 Episode 2

Share episode

Send us a text

A blue jay, a busted feeder, and a brand-new camera set the tone, but only briefly. 

We kick off the new year with updates from the Florida ICAC conference, including firsthand courtroom experience watching frame rate and frame count testimony in action. The episode centers on Frame Counts Galore, an open-source script for extracting and hashing every video frame, calculating true variable frame rates, and producing transparent, courtroom-ready logs and reports.

We cover upcoming DFIR conferences, introduce a lightweight AI Provenance Scanner for fast C2PA and metadata checks, and reflect on standout moments from the digital forensics year—especially the impact of open-source tools and honest conversations about the realities of the work. 

The episode closes with a 2026 wish list focused on stronger education, fair workloads, and customizable forensic reporting that analysts can actually defend in court.

Happy New Year to the DFIR community.


Notes:

Frame Counts Galore-

https://github.com/abrignoni/frame-counts-galore

Upcoming Conferences- 

https://www.iacis.com/                        

https://www.msab.com/digital-summit-2026/ 

https://magnetvirtualsummit.com/              

https://www.technosecurity.us/

https://ofta.cellebrite.com/event/cellebrite-c2c-user-summit-2026/

AI Provenance Scanner-  

https://github.com/abrignoni/AI_Provenance_Scanner

Brett Shavers Blogs-                                                    

https://www.brettshavers.com/

UFADE & ALEX-                                                              

https://github.com/prosch88


SPEAKER_02:

And we will welcome to the Top Friends 6 Now podcast, the last episode of 2025 in 2026. Today is Thursday, January 8th, 2026. And my name is Alexis Bignoni, aka Briggs. And I am accompanied by my co-host, the one that never gets her feathers ruffled and always looks fly. She is quite a hoot and absolutely unbelievable. The one and only Heather Charpentier. You know, my punts are on point. Okay.

SPEAKER_00:

Oh my god. Yeah, they are totally on point.

SPEAKER_02:

The music is higher up by Shane Ivers and can be found at Silvermansound.com. There we go. The music was abrupt ending. But but I will I will give me an applause for those punts.

SPEAKER_00:

No.

SPEAKER_02:

Thank you. Thank you.

SPEAKER_00:

Thank you. Those were very, very good. Yes. Oh my gosh.

SPEAKER_02:

Oh no. I I again they were truly a hoot. Can you explain? Can you explain to the folks listening why we sound like crazy people right now?

SPEAKER_00:

Yeah, I absolutely can. So all of the introduction that Alexis just did for me is because I have a new hobby. So everybody's always telling me, get a new hobby, get a new hobby. And somebody at work actually recently said, you really need a new hobby. So I now have the hobby of bird watching. Yes, I am an 85-year-old woman.

SPEAKER_02:

You need a hobby. You spent too much time at work, lady. Get out of here.

SPEAKER_00:

Yes. So now I'm bird watching. Um, I bought a brand new digital camera to take pictures of my birds. I have bird feeders that have cameras on them. And I am now linked to my sister's bird feeders that also have cameras on them because she's just as addicted to birds as I am.

SPEAKER_02:

Heather actually has a bird suit that she puts on and she works out so she can blend with the birds and uh and they they will they will know. They will know.

SPEAKER_00:

But they have like TikToks like that where people put like a visor on and have bird food in the top. I might sit out on my porch and try that and see if they'll eat off the visor.

SPEAKER_02:

Oh wow, I was kidding about it, but I guess that's a that's actually a thing.

SPEAKER_00:

It really is. I'm not gonna put the bird suit on though. Not happening.

SPEAKER_02:

Well, at least you won't own up to it, but go ahead.

SPEAKER_00:

Yeah, no, no. So with my bird addiction, Alexis had a wonderful idea to start an Instagram page of the birds. And I I did, I started an Instagram page. I'm gonna throw up my my logo. So my logo is birds of a heather. I can't get it with that on my own, yeah. That's pretty good. Yeah, and then uh New York Vermont bird nerd because I'm putting pictures from my sister's feeders and my feeders up, and of course, I have to share some of my pictures.

SPEAKER_02:

I I want to say that that logo is fantastic. It has like these people are listening, he has a different bird that you see up in upstate New York, and they're right on top of a plant. What's that's called a what?

SPEAKER_00:

Heather.

SPEAKER_02:

Yeah, get it. So that's it. So it's like the inception of the of the puns on top of another pun, on top of another pun. I love it. And then at the bottom says birds of a heather, and then it's at NYVT Bird Nerd. So you can go there and follow the birds, they're awesome, and you'll see you'll see how in a few seconds.

SPEAKER_00:

So yeah, so I expected it just to be like a couple of my friends looking at my bird pictures. I have 20 or 20, 2035 followers. I don't even know where these people are coming from, but people like birds.

SPEAKER_02:

It will get to 20,000 eventually. I'm pretty sure you'll see.

SPEAKER_00:

Maybe you'll see.

SPEAKER_02:

It will get there.

SPEAKER_00:

So I have to show some of my bird pictures. I have a beautiful blue ja.

SPEAKER_02:

Oh, what a hand what a handsome king. Look at that crest there. My goodness.

SPEAKER_00:

And a red-bellied, I don't know why they're not red-headed, but a red-bellied woodpecker. I'm gonna just go through some of my bird pictures. A couple bird pictures here. You can see the one on my my bird camera. And then these I shot with my new digital camera, which is freaking amazing. Um, I'm so glad I got it. Um, people love watching birds. Somebody in the comments said, Yes, they really do. It's kind of insane. Got some blue jays in a tree and a tufted tit mouse, a couple cardinals, a blue jay and a finch. And then I have some birds in action, in flight. So my bird feeder actually catches them in action pretty well. Um you can see their entire wingspan.

SPEAKER_02:

Oh, that's a pretty good frame rate that's recording on.

SPEAKER_00:

Yeah, yeah. And then my very favorite picture is this last one of the cardinal uh with its wings spread. I got that with my my new camera.

SPEAKER_02:

So it's beautiful. Looks like the bat wing in mid-flight. I love it.

SPEAKER_00:

Yeah, so I'm addicted to birds now. So if anybody wants to follow my bird page, please come follow me because apparently, when you get to 10,000 followers on the Instagram, you can make money off of it. So that would be really cool if I could just just go do bird photography. I feel like my my life would be fulfilled.

SPEAKER_02:

Well, you you will need a lot of bird for photos to uh shilly be able to quit your job.

SPEAKER_00:

Yeah, definitely. Definitely. I don't think that'll happen. And I have to tell you what happened though. So I have my bird feeder all set up to take these pictures, and I look in my camera the other day and it fell off the post and broke into a whole bunch of pieces.

SPEAKER_01:

Oh no.

SPEAKER_00:

There's a positive because it gave me an excuse to buy a much more deluxe model that has multiple cameras on it. So that should be here tomorrow.

SPEAKER_02:

Because you need an excuse to spend money, of course.

SPEAKER_00:

Yeah, absolutely. Absolutely. That was the perfect excuse. But yeah. So yeah, if anybody else loves birds like I do, come check out.

SPEAKER_02:

I'm I'm not I'm not a bird guy, but I'm turning into one by following this, uh, by following Heather's Instagram. And I'm not I'm I'm not hating it. I'm not hating it. That's all I can say.

SPEAKER_00:

Thank you. Especially since it was your idea. You're not allowed to hate it.

SPEAKER_02:

Well, that that is true. Actually, I'm gonna charge you a uh commission for the idea.

SPEAKER_00:

Uh, you should once I hit those 10,000 follows. Yeah, we have a little bit of time. Yeah. Although I was really surprised to get to 2,000 in in one month.

SPEAKER_02:

Yeah, that's that's a that's a good amount of growth though. No, and it's fun. I I love that you have this thing like in the picture, so I enjoy it.

SPEAKER_00:

Um, it's costing me a fortune in bird seed, though.

SPEAKER_02:

That's that's a hobby. That's just a hobby, yeah. A really uh expensive way of getting rid of your money really fast.

SPEAKER_00:

Yeah, yeah. So yeah. Um, what else has been going on?

SPEAKER_02:

Um, what else has been going on? Uh uh the the year ended with busyness.

unknown:

Yeah.

SPEAKER_02:

And uh a whole bunch of work and things going on. But uh also good things going on, and we'll talk about some of the good things that happened by the other year. Some scripts, uh great uh blog posts throughout the year from good people. But uh at least, uh I mean, what what did I do? Uh Dina the other year. I don't even remember. It's just oh a lot of personal stuff that I'm dealing with. But I mean, everything's cool, it's just work.

SPEAKER_00:

Yeah, we've we've both been so busy. I've we've felt bad the last couple times. We're like, Oh, we're gonna do a podcast. Oh, no, we're not. Oh, we're gonna do a podcast, no, we're not. But tonight we're just like, oh, let's just do it. So here we are.

SPEAKER_02:

Oh, yeah, no, uh absolutely.

SPEAKER_00:

Yeah. Um, so uh recently I got to go to Florida and see you. We can talk about that. I recently attended the Florida ICAT conference um in Orlando and uh was able to stay, well, had to stay because my flight was later in the day, almost a full extra day, and got to visit with Alexis and his wife while I was there. Um, so that was an awesome trip. We had originally planned to go to Universal, um, and somebody got subpoenaed to testify. So the Universal trip didn't happen, but I got to go with Alexis's wife and testify.

SPEAKER_02:

It it kinda happened, kinda.

SPEAKER_00:

Yeah, it did. We did still go have some fun after he testified, but um his wife and I both got to go watch him testify for the first time. He's pretty good at testifying.

SPEAKER_02:

I'm not telling I mean the first time them watching me testify. I've been testifying for almost 20 years.

SPEAKER_00:

Yeah, not his first time testifying.

SPEAKER_02:

I'm actually tired of it. No, I'm just kidding.

SPEAKER_00:

But yeah, we got to see Alexis in action uh working on a case that that uh that had gone to trial. So it was pretty, pretty cool experience in a federal courthouse, too.

SPEAKER_02:

So yeah, no, uh, it's uh and I and we mentioned this no matter if it's state or federal or whatever it is. I um yeah, a big part of uh digital forensics examiner work is not only doing the technical part and it's not doing the written part, which is really important, but it's being able to convey that to stakeholders, the juries and the courts, and the lawyers and the defense attorneys in a way that's understandable. So uh yeah, it was quite the uh quite the experience. And and you can have a lot of experience like like we have, and uh well, let's go into it real quick. I had to go twice because yeah, so so some of these topics that they're complex and and it's okay. It's it's especially with something novel. I guess we're gonna we'll go into that into a second in a second, um, or something that the court has seen that hasn't seen applied in a certain way, um, you might have to come, you know, explain it a couple of times and and be open to changing your approach as you move along, just to make sure that you are understandable. So uh I think I mean I guess we can talk a little about the case. The case is done.

SPEAKER_00:

So yeah, however much you can talk about it. So um, yeah.

SPEAKER_02:

Yeah, so so long story short, in uh in the Mill District of Florida, um, the way some of the uh CSAM cases, and again, we're not gonna say anything graphic in this case, that the point is not the CSAM. And those that don't know, CSEMs are uh uh images of sexual exploitation of children. But we're not that's not the point of this, or we're talking to talk about the case. Was about that. The point is that uh in order to charge those, then you have to count how many pictures uh the suspect or the convicted person had, and then there will be some enhancements in federal law in regards to the amounts. So the question is how do we count those? And counting pictures is easy. A picture, one picture, two pictures, three pictures. What happens with a video? So for many years, um uh the the rule for the district was for every video of contraband, which I will call them contraband moving forward, videos of contraband, um, it will be 75 uh images. So that's the ratio. It don't matter if the video is really long or really short, it's 75 images. Um, but there were some case law and some rulings from the uh the uh uh the the appellate court from our circuit that they said no, the way we're gonna count it is we gotta figure out the frames in the video. So let's say the video has a thousand frames. Of course, it's a really small video, but imagine a video has a thousand frames, we gotta figure out how much of those frames are contraband, because we don't want to charge them all or charge too little. So the court gave a formula for that, and is you look at the frames per second, which you can get from any uh video player, and then you multiply the frames per second by the length of the video, and it will tell you how many frames that video has, right? Obviously in seconds, um, how many overall after you make the calculation. And that's what the court said, and that's that's fine. I mean, that's that's that's correct. Uh, as long as it's a uh steady frame rate. So you have a video that's at 30 frames per second, the whole video, then then sure, you're gonna get the right number doing the math using the calculation. What I faced as the examiner in this case is that the cases in the images in question or videos in question um were not a steady frame rate, they were variable frame rates. And uh so I had to make a decision here, right? If I use the formulation, the frame rates for the video, they are uh it's it's not there, it's not exact, it's an estimate. I'm not said estimate, I said that wrong. It's the average, that's the correct term. It's the average, right? Uh let me explain this for folks. Um uh uh phones, specifically phones and other devices. When you take a video, depending on how much movement, the lighting, and the sort, the video will change the frame rate to accommodate that. And the idea is to make uh videos don't take that much space on your phone. There's other reasons to use uh variable frame rates. For example, in the movie Avatar, the one that came out, uh Fire and Ash, I was listening to a director in an interview, and he was saying that they changed to a higher frame rate where they're recording uh some of the moves under the water because they wanted to uh capture and the action scenes because they're gonna capture more frames at a higher frame rate, which would make the action look smoother and the traveling to water to water more realistic and look better, right? For scenes that did not require that, they came back to a standard frame rate for movies and the like, right? So hopefully that example serves for folks to understand my problem. So, how do I get to the right amount of frames? So I said, okay, well, um, I'm gonna look at the metadata of the file, and the metadata will give me the headers, assuming there's no shenanigans, right? Nobody changed the frames of the video and and you know, not changing the metadata, we should be fine. So I went with that approach um because you know, we use metadata all the time, right? When you look at a picture, you figure out, well, when was this picture created? Where do we look at for that? Uh the metadata of the file, right? So I'm thinking, okay, this should be good, right? Well, it wasn't good enough. There there was a uh uh some discussion at court in regard. And again, I'm I'm super simplifying this. There was way more discussion about it. Um and had to explain to the court what are available frame rates and how do we address this to make a proper accounting. Um I had to come back later and then actually uh I created a script we will discuss later on, um, to really narrow down everything. I went to the to the lengths of showing what the metadata has, pulling out every single frame of the video so folks could have those, hashing them, the presentation timestamps. I did all that work, we're gonna review it in a second, in order to get an accurate count. So, that being said, why is this important for the folks in my district? Well, let's say you have a video, again, that's a minute, but only, and it's variable frame rate, so it's not a steady frame rate, and only the 15 seconds that video are contrapand, and they're kind of almost in the middle, right? You can't use the average frame rates to figure that out, right? Because what if the middle was at a really high frame rate? Right? You're not gonna get an accurate counting for the middle of it. Because if you're using an average to do a calculation. So what I'm telling my folks is where you're gonna go, if it's a video that the whole thing is not contraband, go and look at all the frames in in Windows Explorer and go down your frames. The moment you find the first frame that counts as contraband, write it down, okay, frame number 12. And then scroll down, looking, looking, looking, looking. And when the the contraband stops at frame 40, then subtract 40 minus 12, and you have how many frames? And that's what you're gonna give. You're gonna give the court always an exact frame count of what the thing is, right? And we had a discussion with the with the court, and the court agreed with with uh how we presented that data, and we got the proper counts used in the case because those those enhancements were are required uh by law if if the evidence uh fulfills those requirements. So it was it was uh it was interesting. I it's the first time I had to really present twice on the same topic. But in our district, that's a novel thing, be able to count the frames like this. Maybe in your district, I'm not maybe, I'm pretty sure other districts don't do that. Other districts do something different. Yeah, some folks don't count it. Yeah.

SPEAKER_00:

Yeah, ours is just uh a video. A video is a video. That's your one video. It's not we don't pull the frames. Um, so I would love to model what you're doing for sure.

SPEAKER_02:

It was interesting listening, not not the case I'm discussing that I just fight on, but talking about looking at the case, uh law, um the case that supports that case law. And uh, you know, one of the the parties in the case was saying, well, what if we have a video of contraband that we've seen before? It's a video contraband, but somebody uh slowed it down and did a recording or saved it in a really slow format. Well, now we have double the amount of CSM for the same video, and the court said yes, because we're counting the images. Remember, a frame is an image, it's like a flip book, right? You take a flip book and you put a little drawing stick figures and you flip to it, then it creates the illusion of movement. Yeah, you like you like my flipbook sound.

SPEAKER_00:

Sound effects are great.

SPEAKER_02:

See, see, see, when you're Hispanic, you can do you know, you got the R sound, you know.

SPEAKER_00:

So I don't think I can pull it off.

SPEAKER_02:

So you do and then you get it, right? You see the video in your flipbook. So what if if your flipbook is longer, it's still every image an image. And if it has contraband, then you have more contraband. And I mean, uh it makes sense to me. I mean, I and this is the thing, right? I'm not a lawyer, uh, I am not a judge, I'm just a technical guy. So we have to we come with requests and we try to use our knowledge, our expertise to kind of fulfill those requests to the best of our ability. And that's what the job is.

SPEAKER_00:

Yeah, I think so. You had explained to me like what you had to go testify about. And uh when you did that, I'm like, how how is he gonna present this? How are you gonna have this come across? But I'll tell you, if anybody is working and they're able to uh charge on or sentence or charge or whatever on the number of frames, the way that this tool pulled out the frames and the way that Alexis was able to actually present it in court, it was so easily understandable. Um, but I mean, when you had first mentioned it to me, oh, you're gonna come watch this and and this is what's going on, I was like, ooh, uh, how the heck is this gonna come across? But it, I mean, it came across beautifully.

SPEAKER_02:

Oh, you're so kind.

SPEAKER_00:

It did, it really did.

SPEAKER_02:

Checks in the mail.

SPEAKER_00:

And everybody who knows Alexis knows how fast he talks. When he testifies, he slows it down and nice and crisp and clear. So just to let you know, because you probably think he's going right there sound effect.

SPEAKER_02:

It sounds it sounds very close to the ours. I mean, uh, there's there's there's uh uh need, and anyhow, I I try to practice a lot um on how how you come across when you're testifying and you something as simple as who are you looking at where you're talking to, it makes an impact, right? Yeah, and if I'm addressing, if if I'm addressing uh the court on a topic and there's a jury, I will talk to the jury, right? If either defense or the prosecution asks me a question, I will look at them equally, right? I'm not gonna be smiling to the prosecutors on my side and then scowling at the defense that's quote unquote not on my side. The fact of the matter is that I'm on nobody's side, right?

SPEAKER_01:

Right, exactly.

SPEAKER_02:

And and that's the mentality you have to develop. I am not in favor of any. I am here to present facts, to present truth, right? If it benefits either quote unquote side, because we're in an adversarial system of law, right? Then so be it, right? And the judge being the king or the queen of the of the proceedings, they might ask you a question, then you address the judge, right? And you turn around and and your demeanor, the way you you communicate, not only through words, but through your actions. And I try to practice that. And uh sometimes we don't practice that enough. So that's something that I I try to tell folks spend some time uh practicing how you come across in those contexts.

SPEAKER_00:

I think a case like this too, uh, just goes to show you that anything can come up and you may have to change, uh change how you're gonna testify or do some additional work like you had to do in this case. You never know what you're gonna be asked. Just because you've testified 50, 100 times and you've never been asked those hard questions, here it is. They do come up. And just being prepared for that kind of cross examination. Or or whatever is a super important part of our jobs.

SPEAKER_02:

And look, you will know, you won't won't be able to know everything, especially in DTR forensics. It's such a broad, I mean it would have niche, but it's a really broad niche, right? Mobile forensics on iOS is different from the one in Android, which is different from computer forensics, which is different from computer forensics within Mac OS or Windows or Linux or whatever it is, right? But if you have some of that foundational knowledge really ingrained, right, um, those will come up when you least expect them, either because they're trying to discredit you or because you're trying to establish a point. And then you need those foundational knowledge uh skills. So um believe it or not, uh folks say, well, you know, why do I need to take courses? Why do I need to go to this? You know, if I just press a button and the button will give me the results, right? You will get asked, like I did, in regards to how those frameworks, how how how how does a video go about being presented to the user, right? I had I had to you know really study about what presentation timestamps are in uh in in videos and how's that how's those times calculated? And and it's all foundational stuff that that you will have if you're prepared throughout your career, you keep refreshing. Look, we talk about being an expert. What's an expert from my perspective, at least in this context of this conversation? An expert is a person that really has the basics at the forefront of their mind or their knowledge, right? It's not knowing this secret knowledge that's complex and nobody understands. No, it's really digging down on those basics and understand them. Um look, uh Bruce Lee said, I don't fear a man that has tried 10,000 kicks once. Uh I fear a man that has tried 10,000 times the one kick. So getting to those fundamentals, those are those that knowing your fundamentals is what an expert is, right? And it it will it will come, you know, it will help you be able to convey truth to those stakeholders. Get into those basics and really go back to them time and time again, two, three, four times a year. Take courses, educate yourself. That's the way to go.

SPEAKER_00:

Very, very important. Absolutely. So the tool that you wrote to assist you in this case, can we talk a little bit about that? Because I see in the comments, um, forensic wizard is it's being used for the cases. Thank you so much, is one of the comments.

SPEAKER_02:

Oh, that's awesome.

SPEAKER_00:

Yeah, that is awesome.

SPEAKER_02:

And uh, I I know I know who he is. Yeah, it's a good friend. It's a good friend. Yeah, he uh he's in my district.

SPEAKER_00:

So okay, I can see the little thumbnail of who it is, but I can't make it out.

SPEAKER_02:

So yeah, I'm not gonna call his real name on.

SPEAKER_00:

But yeah, can can you talk a little a little, maybe show it on the GitHub?

SPEAKER_02:

Yeah, so uh so if let's say you're in my district, or maybe if you're not, maybe you need I apologize. You need to uh look at some of those uh frame counts from a video for whatever reasons, right? Well, you can go to github.com slash a brignoni, a b-i-g N O N I. And you go to this button here that says uh repositories. Of course, if I could find the screen, here it is. Repositories. And then you're gonna scroll down a little bit to uh frame counts galore. Uh I don't know, sounds like a James Bond name.

SPEAKER_00:

That's good.

SPEAKER_02:

I I I come I come up with really word names from my repos of repositories, right? So we go there, and there's an explanation here on what you need. It works with the latest version of Python. So I mean I I only tested it with that one, but I'm assuming this works with the previous ones. Yes. And what you do is uh you have to install a few things. So you will need FFF FFmpeg installed, which you can't really do through PIP. If you know Python, um, you can do pip install to get some requirements, and you will have to do this for this program as well, but you need ffmpeg installed. That's something that you install separately. So and make sure that if you're on a Windows computer, make sure that FFmpeg, it's uh part of the path so the script can find it. That other libraries that interface with the API for the FFmpeg find it. Okay. And it tells you all the things that it finds and all that. And we'll show some screenshots, I think. Not screenshots, some little content from that in a second. Yeah. And then I did not, I did not make a binary on it, and um, I don't think I will. Yeah, like Captain America will tell us. I don't think I will. Uh no, you this is I mean, just install Python. If you have a if you're not sure how to do it, how to do things in Python, uh, I will take you to link L I N Q APP, linkapp.com slash Abrignoni. And if you go there, you can find all my stuff that I have, you know, publicly. By the way, this picture, I need I need to change it. Um I I I lost some weight this year, folks. Uh like a lot of weight.

SPEAKER_00:

So you can definitely see it from the picture that I've in your face.

SPEAKER_02:

Yeah, compare it right now, like way more cheeks. All right. So I I had to because I have my blood pressure. Anyways, that's another story for another day. My blood pressure is good now. All right, so you're gonna scroll down, and it's uh it says you so you find a Python script now. What? And if you press that, it will be a video where uh well there's some commercials, but anyways, I can let's close this out. But you watch the thing, and uh, it'll explain to you how to install Python, how to install uh libraries through the Python package installer and all that, and then you'll be good to go. All right, so that's it. Let me take this out of the screen. So let's talk about what the thing does. You have some of that?

SPEAKER_00:

I do. Uh let me just share my screen here. So I found a one-second video. Actually, let me tell my story because I always screw up first and then get it right the second time, every time I do something. So I went just went and grabbed a random video from my computer that was like, I don't know, like eight minutes long, and I'm trying to run this script. How many frames do you think are in an eight-minute long video? Way too many. It was running and running and running, and I'm like, I don't think this thing works. And Alexis is like, yeah, yeah, no, that's gonna have a lot of frames. That's gonna take a while. So I canceled it and found a one-second video, much, much quicker, by the way.

SPEAKER_02:

Yeah, way less frames.

SPEAKER_00:

So if you look on my screen here, this is what you will have seen in um on GitHub with the script, except you see an extra folder, and that's where I outputted my results to when I ran the script. So after you run the script, uh you can name the folder whatever you want. I just named it test. Um and inside of the folder, I have another folder here that has the frames. So you can see here I have 31 frames from my one second video. Um, and you can look at all of those in that.

SPEAKER_02:

I should actually be before you move that away, can you back to the we're not gonna show the frames in this video? But can you zoom in to the file names of those frames to explain something to the folks there?

SPEAKER_00:

Oh, yeah, yeah. Hold on. Let me find, I'll find my zoom while you start.

SPEAKER_02:

Yeah, so uh I named the the frames a particular reason, and I want to quickly kind of show folks um a little bit what that means, so then you can correlate it to the report that Heather's gonna show you. So that's that's perfect. So you you see frame and then multiple zeros and one. Well, I mean, start with zero because I'm a programmer, so we always start at zero, and then one, two, three, four, five, right? So that's the order, sequential order of it. And then the presentation stamp timestamp, that's when it's gonna show up on screen because frames show up on screen at a particular point, and then they stay for a particular amount of time till the next frame is shown. So the way to, I mean, I'm I'm super simplifying this. There's a uh a base number that you have to use to know uh that presentation's timestamp. It's not really a timestamp, it's not that it's not to Wednesday at you know two o'clock. That's not what it is. It's a number that you have to make a calculation to then figure out a couple of things. The most important thing you're gonna figure out is okay, at presentation timestamp 20 is gonna be shown there, how long is it gonna be there? You have to look at the next presentation timestamp and subtract, right? The delta between the two frame timestamps will be how long is gonna be that frame on the screen, right? And since those deltas change, that's a variable frame rate video, right? If there's constant, then it's a standard, you know, or not non-variable, I forgot what the name is, frame rate. Okay, so those show up in the file name, and they show up in the file name, so you're pretty sure to understand what frame it is and when it's supposed to be shown on screen. And that is correlated to the report that Heather's gonna show you in a few seconds.

SPEAKER_00:

Okay, so I'm gonna open this up here in Excel. Let's uh take a look at the Excel spreadsheet that comes out for the frames. So do you want to go through each column in this? Yeah, yeah, yeah. And do you need me to zoom in? Yes, right.

SPEAKER_02:

Uh actually, let me let me let me up my screen here myself. So let me put it full screen, put myself in full screen. I can see it. All right.

SPEAKER_01:

Okay.

SPEAKER_02:

So the frame index there is that number, like 000 and then 001, 0002. Well, I have it there right on the first column. And then the uh the uh percentage timestamp on when is it is gonna show show up, right? In this case, I can see you can see by the presentation timestamp, it's a steady rate, 20, 40, 60, 80, 100. So every 20s. So just by looking at that, I know it's a standard frame rate. It's not a variable one, right? But just by looking at that, but if you want to make sure of it, if you look to column F, frames per second, they're all 30, 30, 30, 30, 30, 30. So that makes sense. It's 30 frames per second. That's how it is, and it doesn't change. Um, but when it's variable frame rates, you make in frames per second or the instant frames per second, you can see 25, 30, 8, uh, 60, you know, it could change quite a lot from from frame to frame, depending on how much movement is being recorded and the like. Okay, the next time is the time base. You make a multiplication, and I'm not gonna go into details with that, I'm gonna bore everybody with it. You you use math, and then you get a what you know, a second 0.3, the next frame is gonna show, and then a 0.66, and then a one and 0.1, 0.13, 1.6, 2, 2.3, 2.6. This one is easy, it's gonna be like a pattern because it's the same frame rates for uh for a second. Okay, and then you have what's called the keyframes. Long story short with the keyframes is that a keyframe has all the pixel data that full pixel data from the picture. In order to save on space, the next frames are gonna be what has changed from the keyframe to the actual frame that you're uh showing. So when you look at frames like that one by one, you see some frames being a bit a little bit darker or adds a little bit of data to it, and you're like, well, this is kind of it's weird. No, it's not weird. You take the keyframe and then you kind of put it together with the A B frame that comes after it, and you have a frame that you can look at. But that's that's fine. Those changes, it's you can see that you can see the frame. You see what you can see what's in it. So that's not an issue in regards to the content of that frame. Now, for since we're forensic folks, uh, we want to make sure that in these cases, I want to uh make sure we we authenticate the uniqueness of each frame because if you're working in uh cases of contraband, um you know um I don't want to charge uh the same uh uh video, not video, I'm sorry, picture um within a video if there's no change to it, right? Right. So, but I mean there will always be by logic on how videos work, there will always be unique frames. But I have the proof because me saying it because it makes sense doesn't prove anything. So what I so what I do is I take all the pixel data from the frame, I hash it, and I save it in my report, then I write the file, the the frame to the file system, and then I take that again, I read all the pixel data, RGB, you know, red, green, colors, pixel, I read them all, and then I hash it again, and then I check if they match. All right. I am not hashing the file itself after I write it to the file system because that's a whole different story. Depending different file systems, and we want to make sure you compare apples to apples, right? So I'm hashing that pixelated content from the frame, taking from the video, and taking from the file system itself after I write it to the file system. Hopefully that makes sense for folks. Right. And then I uh I I there's different ways of decoding things. I always I always by default use CPU decoding. There's reasons for that. Uh again, I'm not gonna bore everybody, anybody with it. Um, and and there you go. And that's the report. And that was really helpful when I was testifying because I could show the core look, look at all the frame rates, how they vary, and how the best approach is to actually count how many there are. Right. And and that's how we did it.

SPEAKER_00:

Let me just close that here, and then we can go back and talk about the processing log. Oops, that came up on the wrong screen. Sorry.

SPEAKER_02:

There we go.

SPEAKER_00:

There we go. We have a processing log that came out as well. Oops. How's that? Good.

SPEAKER_02:

Yeah, that's perfect. So as this as this program is running, you'll see some messages on screen, like a little log. So uh it's it tells you how many videos it found. You can do it with just one video. So just point it to the video. You can do that, or you can point it to a directory, and then whatever videos are in there, it will go through them. Um, and it tells you what video is processing, how long the video is, uh, what are the average frames per second, and then variable frame rate corrected. So uh, in other words, what I'm telling folks or telling you with this is that if it's like a nice round number, it's gonna be a standard frame rate. But if you see some point one, point two, point point anything, now we're talking about a valve variable frame rate, and it's the average, right? And then complete how many frames. And this is useful because I'm not depending on the metadata of the header metadata of the file. Well, no, I mean, depends on the type of format, because not all videos have that information at the header, but I digress. The point is you can now see how many frames because it counts the actual frames. And again, um, could there be shenanigans at this header, a metadata field, not header, metadata field? Sure. You can take a video, add or delete frames, and not change the metadata field. And now that's one way of showing some shenanigans. If a video was edited maliciously, um, most likely that bad actor is not gonna take the effort to uh to also match the the metadata with the actual change, right? So that's one way of kind of sanity check. But the way I do it here, I just count the frames straight up, one by one, and that's the number that you have there.

SPEAKER_00:

All right, and then we have the JSON file here, case provenance manifest JSON. Let me open that up so you can check it out as well.

SPEAKER_02:

Yeah, so I have a lot. Let's go to the uh let's go to the top for a second there.

SPEAKER_00:

Okay.

unknown:

Yeah.

SPEAKER_02:

All right, so it tells you in so I like I like I did it in JSON because that way you're gonna ingest this into some other tooling, then it's it's super easy. You know a little coding. You got your case ID, information about what system did the processing windows, what Python version you you use, the D PYAV, that's the Python library that interacts with FFmpeg, what's the library number, and what libraries were used to decode that video. Again, I'm not gonna build the details with that, but they're there. Now, if you scroll down, you'll see information about with the video, the hashing algorithms that I that I use, I decided on SHA 256, the code method method CPU, it will always be CPU. I did that on purpose, and then uh additional information about the duration, average frames per second, and stuff like that. So it's just a way to um if you want to um ingest this into a tool, if you have a lot of videos and you want to present it some other way, then you can just ingest that JSON and and it's easier for you to kind of aggregate in a third-party system.

SPEAKER_00:

Pretty awesome. So, and guess what? Open source, free, available, money back guarantee on this one too, right?

SPEAKER_02:

If you don't like it, I will give you your money back. And since you're not paying me, then you that's what you get.

SPEAKER_00:

But yeah, uh, it was it was really great to go watch Testify too, because uh I mean you really didn't even have to go into a ton of explanation once you showed this. Once you showed this, it was like, ah, okay, I get it. And I mean it kind of just ended any argument that there was about the number of frames in the video, which was really great to see.

SPEAKER_02:

No, always, always uh show me is better than telling me.

SPEAKER_00:

Always, always, always, always definitely, definitely. So, yeah, that's what we've been doing recently, though. Uh, because instead of going to Universal, however, Alexis and his wife did take me to City Walk. Right? So we did have some fun as well as although the court was fun for me.

SPEAKER_02:

But but we again we're we're we're weird in that in that way.

SPEAKER_00:

Yeah, yeah.

SPEAKER_02:

And I think our audience is weird also in the same way.

SPEAKER_00:

Yeah, they get it. They get it that I had fun going to the courthouse for sure.

SPEAKER_02:

Yeah, but if folks don't know what City Walk is, City Walk is um is like a little area before the parks themselves where there's restaurants and little things to see and uh and shops and the like is a movie theater. So it's fun to walk around. We actually we should have put some pictures of that.

SPEAKER_00:

We should have. We have a whole bunch too.

SPEAKER_02:

Yeah, maybe, maybe, maybe I'll find one and put it before we we end the show.

SPEAKER_00:

All right, we can do that with in the place of the meme of the week because I never picked one out.

SPEAKER_02:

Okay, then uh I'm gonna I'm gonna look for some while we're chit-chatting for the next thing.

SPEAKER_00:

All right, cool. So another thing we did we were gonna talk about um this week is upcoming conferences for 2026. And uh I just we just want to mention some that we're gonna be at and some that are available for people to attend uh as well. So next week I'll be in Reno for the West Coast IASIS event. So if anybody has signed up for the advanced mobile class, you'll get to come see me next week in Reno. Um Alexis can't go this time, so it's just gonna be uh me and John Hila and Bill Acock. We're gonna we're gonna do a fantastic job teaching for everybody next week, though.

SPEAKER_02:

I I I am sad because I I was gonna I was gonna go and I have to uh be a parent that week because uh family is gonna be doing work that I need to be taking care of the kids. So and it's all good. I'm I'm happy. But happy that I'm doing that, but I'm unhappy that I'm not going to be able to do that.

SPEAKER_00:

Yeah, I'm a little bummed.

SPEAKER_02:

But it is, it is, it is what it is.

SPEAKER_00:

It is, it is. Um, and then uh we will both be at the Orlando, um, the Orlando IASES event, which is every year, last week of April, first week of May. And that those classes are still open if anybody wants to sign up for our advanced mobile class or any of the other uh classes that are going on, which there's a ton of great classes, you can go right on IACES website and check those out.

SPEAKER_02:

Absolutely, absolutely.

SPEAKER_00:

Um, another conference, well, uh virtual conference is gonna be uh MSAB is having a virtual conference this year from March 10th to 12th. So we're gonna go and be live with MSAB, but it's going to be attended virtually. So there's gonna be talks. There's gonna be potentially we may air a podcast from there. We'll see. Uh and there's a capture the flag that Hexordia, I believe, is assisting with. Um, so Hexordia is gonna put on a capture the flag during that event. So if you can, it's a virtual, you can do it right from your office. I suggest doing it from somewhere else, though, because people will bug you if you're doing it in your office.

SPEAKER_02:

Oh, yeah, for sure.

SPEAKER_00:

But yeah, sign up for the virtual summit. Um, because it sounds like it's gonna be a really good time.

SPEAKER_02:

Oh, it's gonna be it's gonna be a hoot. Uh it's gonna be great. And again, a lot of good information that's shared.

SPEAKER_00:

So definitely. Uh Magnet, uh theirs this year is February 23rd through the 26th. That's the virtual event. And then uh they have their Nashville event in April, April 20th through the 22nd. So definitely a good one to check out is Magnet's Virtual Virtual Summit and their in-person conference. Absolutely. Celebrate is having their conference again in Washington, DC. And that one's April 13th through the 17th. That is the conference where last year I won the Mentor of the Year award. But I have to mention this year, there's a few of our good friends that are up and nominated for some of these awards. So Bill Acock, who teaches with us at IAS, he is up for mentor of the year for private sector and enterprise innovator of the year. Oh, there we go. We got the clapping.

SPEAKER_02:

Um look for Bill, that's that's a requirement. He's uh he's a good guy. So well well-deserved nomination, and I fully expect him to win. Or at least I hope.

SPEAKER_00:

Yeah, yeah. And then um Christian Peter, who does UFAD and Alex or Android Logical Extractor.

SPEAKER_02:

Um Alex is is good enough.

SPEAKER_00:

And Johan, that we talk about all the time, who is contributing to Leaps all the time because uh he's crazy and does it every other second. But uh he's up, they're both up for the excellence in digital forensics award. So I I need them both to win though.

SPEAKER_02:

Oh my goodness.

SPEAKER_00:

They're both excellent.

SPEAKER_02:

The three of them need need to win. Like I look, you Christian and Johan. Oh my god, they're they are amazing.

SPEAKER_00:

Oh yeah.

SPEAKER_02:

Um I I don't know, I don't know. I I don't have words, so totally deserving. So uh I do hope so.

SPEAKER_00:

Absolutely. Um, and then the last one I'm gonna talk about now, and I'm probably missing some, but we'll talk about uh other ones in future podcasts, is techno, because uh we're gonna be going to techno as well. So that one is in Myrtle Beach this year, and it's June 2nd through the 4th. Uh, we submitted today, because today is the deadline to potentially do another hands-on lab this year. Uh Alexis, myself, and Kevin Pagano submitted. So if we get picked, there may be a lab from us this year. If not, we can just all hang out because we're going.

SPEAKER_02:

Oh, yeah, yeah. We I I don't care. Even if I have to go in through the window to the event.

SPEAKER_00:

Yeah, oh, we're going.

SPEAKER_02:

I will I will I will make it in somehow. I don't know.

SPEAKER_00:

We we have to go. I already booked an Airbnb on the beach, so yeah, that's what I'm talking about. Absolutely, absolutely. So, yeah, so those are uh just some of the conferences to look forward to in 2026. Um yeah.

SPEAKER_02:

Um it's good stuff, really good stuff. Uh a lot of things going on.

SPEAKER_00:

Definitely. And then next I have to talk about another tool that you have to talk about because Alexis has been busy creating free tools for the community. And uh, you want to talk about the AI scanner?

SPEAKER_02:

Yeah, yeah, absolutely. So I haven't so this is the thing. So the what people ask me is, well, are you gonna put are you gonna put some of this stuff in the leaps? And uh yeah, depends, right? Like some things, like for example, the frame stuff, it's such a niche thing to my district that I tend to put that in a format that's leap ingestable. I don't think it's gonna serve people well. Where where having a standalone script you can run might be more suited. So it depends, right? So the next one, this one I might actually um add it, but this is a conversation that I'm having with Johan and Kevin and Kevin and oh, I mean, Heather and John and what am I who am I missing? Um, James. James, of course, I cannot leave James. So this is my main main uh group, developers, to add into the leaves. So what is it? So let me show you here real quick. Um I was doing some, I was reading an article. Actually, um, am I right place? I am not in the right place. Let me just open the proper screen. There we go. All right, so I'm gonna go to my uh again to my repository in GitHub, go to the repository that's called AI Provenance Scanner. It has a lot of big long name, but it's it's not that impressive as a name. So I I was educating myself on an article I was reading about how do we figure out that uh image is AI generated. Okay, now there's a really solid forensic approach that uh toolmakers like Magnet are using. If I'm not mistaken, it's called Magnet Verify.

SPEAKER_01:

Yes.

SPEAKER_02:

And uh it has just some algorithmic data and some cool research to be able to tell you about the provenance of videos. Uh that's fantastic. What I'm gonna show you is not it, it's definitely not that. So, what I'm doing is I'm I'm trying to just uh pick the easy fruit from the from the tree of the evidence, the the easy things. So, what are the easy things? So, if you're using uh really well-known AI uh generator of data, let's say OpenAI or Gemini or others, they uh many of them conform to the C2PA standard, um, which I forgot what they stand for, but you can look that up. So the soup the C2PA standard uses some uh some um you know um hashing uh to be able to authenticate that it came from uh AI provenance, right? Generation, it's not real. And not only that, if there's changes to that media where it's edited further, each change is uh hash, or I'm looking for another word. It's um it's a uh I don't have the word here, but it uses uh hashing to be able to validate those those changes and it kind of lists those changes as they go along. And so what I'm doing is uh oh, that's not the only one. There's also the IPTC standard, if I'm not mistaken, which uses puts the information in the header in regards to what AI providence came from, right? So the IPTC is more is more easy to fool. You can just wipe and you know take that out because it's just in the header data. The C2PA is since there's a hashes involved, um, you might be able to tell that there's some shenanigans going on in regards to this, because they're they're digitally signed, right? So as you know, people that do with digital signatures, and you just a public key and a private key, and then when you do some changes, uh you know, you have to make sure that uh they the the the the it validates, right? Again, I'm saying a lot in short sentences. Please go and Google that up. It's C2PA and IPTC. All right, so how does that look? Let me see if I can um uh open this a little bit uh larger here. So for example, for this one, um it's uh is C2PA data, and it has there, it tells you that it's sign, exactly about those hashes, and it's the generator's open AI. So you know where that came from, and the what type of uh ChatGPT within the true pig lens with chat GPT and the generator, C2PA, RS, C03, or so that good stuff, and the credential dates on when that generation happened. So that's the C2PA uh way of looking at it. Now let's look at some IPTC metadata. And this particular uh image that I have here, that it's I I did it with Google AI, it says it right there, made with Google AI, and it has a digital source type, so it's AI generated. You see that at the end. And there's no C2PA data on this particular image, right? The cool thing about the script is that if you want to look at all the headers, and I didn't put a picture here, but if you use the flattened uh option or argument when you run the script, it will take all those headers from C2PA and IPTC and just showing them all to you. Uh, of course, you need to install C2PA Python bindings to get that information. XIF tool is needed, so you have to install that as well in order to uh be able to look at the exif data for the ITPC sections. And then you want Python Magic, and I use that library so I can feed to these programs what type of image it is. So I look at the MIME headers and say, okay, this is a JPEG, is a this, it's a that. And then that's fed through the C2PA and XF tool, and then you can figure out all the information that's that's down there. Especially for C2PA is really useful because some of that data, again, there's some hashes involved, so then you can see clearly that information. Look, if you an example that I thought in my, I don't have a case for it, but an example that in my head, let's say um some dude goes and has a receipt when on work travel, and the receipt is for five bucks and want to scam the company. Well, they go into Google AI, for example, generate me uh uh what's it called, a receipt for these things that and the amount is gonna be a thousand dollars, right? And they provide that image to you in your expense in the expense report. Well, you know, and they just you know, they kind of you know give that to you. Well, if you run this little program quickly, you can figure out if it's AI generated, assuming they use an uh, you know, a really commonly used type of uh AI tooling. AI meaning LLMs. And so that's the example I had in my mind. If it's a more complex scenario or somebody that's a little bit more technical, then this tool might not help you, right? Because this is this is like super easy stuff. You might need something like Magnet Verify to then really understand where this came from based on this algorithmic data that's within the embedded within the actual media itself. I I am, I mean, I don't, I know I'm not an expert at that part, obviously. But folks from the company, they give a course that you can take. I forgot what the name of the course is, but it's a course for Magnet Verify, where they go into details on what that means, how you can interpret it properly, and then how do you use a tool to do that? And that's part of as an examiner, if you're gonna do that type of work, you need to take those top of courses so you can be knowledgeable on that.

SPEAKER_00:

Yeah, pretty awesome. I haven't had a chance to try this one out yet, but I need to um because it looks pretty awesome.

SPEAKER_02:

Yeah, and it's really easy. You can put it there, like point it at the directory, and just run it, and it will run and give you a report for all the images. And you can quickly go, does it have does it say uh Chat GPT, open AI, whatever it is, and you can read it real quickly, and then you can point out which ones are those, which again, I I will add those at some point to the leaves as a column when you look at images, because if it's there, it should be it's fairly easy to add it to the report. I just need to talk to the folks how we're gonna do that in a way that's efficient and doesn't bug down the code.

SPEAKER_00:

So makes sense. All right. So what we had planned next is just to kind of talk about what we think the highlights of 2025 were for digital forensics, and then talk about our 2026 wish list of what we hope to see in 2026. Um because we kind of threw this together, what? Like last minute. So that's what we're gonna do.

SPEAKER_01:

Absolutely.

SPEAKER_00:

So I'm gonna give you a couple of my highlights from from 2025 for digital forensics. I think my biggest highlight of the year was all the work on the open source tooling that everybody has done. So I'm gonna leave people out, I'm sure, because we talked about a lot of really cool little scripts and tools. But when I say that, I mean updates to the leaps, uh, additions to the artifacts that are parsed in the leaps, all of the work that Christian did on UFAD and Alex, the Android uh version of UFade. I think that that is definitely one of my highlights of the year. I use these tools on like a daily basis, and they're so valuable to our community. And I really appreciate everybody who's done the work and shared those with the community.

SPEAKER_02:

And and since we're talking about Christian, um, he came out, I think, this week, yeah, this week or the week before, one of them two with a parser for the 3MA app, which is, I believe, is really common in Europe, specifically in Germany. And is it and it's actually coming up in other cases like around the world in criminal cases. It's a chatting application. I think it has some security features and the like. And uh, and he did an amazing job at uh understanding the structure, the databases, how to pull out the different things, made a parser for it in the leaves that's compatible with uh the uh lava viewer, which again I've been promised this promising this to come out for months and months. It's just again, our our budget is pretty tight. Um, but we were still working on it. And you can see there on the screen uh the you know the uh the the blog posts. So we're gonna add that to the notes. You should you should read it. Uh you have to read it. And then he explains that his his UFA tooling will be able to pull uh those files from you know full file system or not. And then he has a quick note at the end in regards to sometimes when you take from the backup, the database, the databases don't really seem to be corrupted. But then he figured out I think Johan was involved as well, uh, but I'm not sure. No, not Johan, who was? Maybe I need to scroll down to the end. Okay, so we can we can give proper credit to who who where it's due.

SPEAKER_00:

Sorry, hold on, I'm getting there. There we go.

SPEAKER_02:

There we go. So the adjustment. So so he has some some issues there in how uh you faith pulled that stuff out. Let me just I need to hide. I can't can you read it there? Who who was involved here? It was uh there was like a month formed. Oh, I can't see it.

SPEAKER_00:

Uh yeah, scroll down, scroll down, scroll down more. Bruno, Bruno, it was Bruno.

SPEAKER_02:

Bruno, there we go. Bruno, I want I want to make sure I get the proper credit.

SPEAKER_00:

Thank you for the assists in the chat there.

SPEAKER_02:

Oh, no, okay. Oh yeah, Christian is there. Thank you. Thank you. I didn't I didn't want to misplace the uh the credit. So they work together to figure out why there were being malformed where they're being pulled from the file system using the tooling, and that was fixed. And I always get excited when that collaboration happens. Um we make each other better. Like a a blade sharpers another blade, right? So that's that's pretty neat. And please go check that out, benefit from it. It's already merged it into the leaps, it's lava compatible, and uh it's it's good stuff. And yeah, we have we had a big influx of folks trying to contribute. Some are legit, some are not. People use uh LLMs to generate garbage PRs. I don't even understand why. Um I mean, I guess some might be malicious, I don't know, but some of them might look at them and don't seem malicious, but they also don't seem to do anything that adds to the project. So why is this being sent? Anyway, somebody smarter than me might illuminate me on why that the case is. But oh, if you send me a good PR that's helpful, we'll merge it and the community will get better because of it.

SPEAKER_00:

My other highlight of the year of 2025 for digital forensics were all of Brett Shaver's posts.

SPEAKER_02:

Um I I have to I'm sorry. We have to clap. We have to clap to it to do it. Yeah, we have to clap for Brett because Brett, uh, I'm telling you, his blog posts have been on point for months and months.

SPEAKER_00:

Yeah, so if anybody listening has never gone and read Brett Shaver's post, please go to the blog. Um, and if you're if you're listening on the the recording later, please go read the post. Um, they just they just make so much sense. I I've made the comment to Brett a couple of times. It's like you're you're you're saying what's in my head. And I I mean seriously, because I'm thinking some of the same things, and I'm like, oh, but he's putting it down in these great blog posts for everybody to see. And I just I just think that those types of blog posts can be so helpful for the forensic community, and it's my other highlight of the year.

SPEAKER_02:

So I I I concur. I concur. So so for my end, um, let me let's give I give you two. So the first one, and I've been on a really long binge with AI and LLMs and the internet forensics. Uh, I've been I'm having a running uh in exchange with with with uh Jury from Belkasoft. Yeah, and yeah, and he's such a great guy. Again, we're we're I wouldn't say we're on the opposite side, we just approach things differently in regards to the usefulness of LLMs or how proper it is for us to be there, and it's some great conversations, and we keep it going from different posts. And I would tell, I mean, I I really appreciate him because when Jury makes me it makes me think because one thing we need to be aware of is we don't know everything, and it's good to have different viewpoints and try to examine yourself and then have this debate, not because you want to win. The point is not winning. When you win, somebody loses. No, it's to to better yourself and understand and actually grow. And you know what? Maybe I'm wrong, right? So I want people like Jury that are really knowledgeable to give me a different point of view so I can inform myself and come to better conclusions. So we've been doing this for AI and LLMs for a while, and obviously I have a pretty solid position at this point, but always open for improvement or reinterpretation, right? That's like a big one, just AI and LLMs and what the role of the forensic examiner is and how it should be properly used. Uh, one more thing. I I believe there's still time for us as a community to set those operating standard operating procedures of how we use AI and LLMs and inform stakeholders. I I posted recently in LinkedIn about how some of the states are requiring this providence, right? If you write a report, you gotta state clearly we require by law in California, if you use the LLM at what points and and what parts, right? Anything that's written by an LLM, you cannot uh people wash it by signing it under your name. No, you have to make sure that it's understood where this came from. And I I agree with that. But how do we go about doing it? It will require us to also chime in. We want to be part of that uh that conversation. So please please do that um and be aware of the of the issues. Um and you know, you you can go check um my LinkedIn. I some funny things that happened and with LMU. Some guy was recording an interview and recording at the background had uh uh a Disney movie. Which one was it? The one with the Oh I forget what Disney what Disney movie it was, but yeah, it's it's like the the the the princess that oh princess the frog? Yeah, yeah. Yeah, they know the kiss you kissed the frog, and you know whatever. So so they gave it to LLM to transcribe, and the LM say, and then the officer became turned into a frog.

unknown:

Yeah.

SPEAKER_02:

And I'm like, but how what? And nobody thought they needed to check the LLM for accuracy, which is mind-boggling to me. So they put the report out and they're like, What? And he said that the the officer became a frog, right? So that you know, it it it there's a policy issue, there is a tooling issue, and we need to be part of that conversation. So go check that out. So that's my fair, my favorite one. I've been talking a lot about it. I've been actually in debates about it lately, so it's pretty cool.

SPEAKER_00:

And the article just has the best picture, so I have to put it up of the frog with the uh police hat on.

SPEAKER_02:

So uh look that let me read this for the folks that are not watching, they're listening later. Cops forced to explain why AI generated police report claimed officer transform into a frog.

SPEAKER_00:

Yeah, that's it. It was it was quite a good read. I see Damien, I didn't see that one. Take the time and go read it because it was pretty good.

SPEAKER_02:

Oh, it's pretty good. I can you imagine?

SPEAKER_00:

Um by pretty good, it was pretty bad.

unknown:

Yeah.

SPEAKER_02:

Oh my goodness. So yeah, so check that out. Um, so yeah, so so that that's a thing for this year that's been up the forefront. I foresee 2026 continue with the AILM and how what role it should play in in our specific field. So be part of that conversation.

SPEAKER_00:

So I guess we're talking a little bit about that too, um, at some of the upcoming conferences that we're going to as well.

SPEAKER_02:

Oh, oh, oh, absolutely, absolutely. So key key keep uh keep a pin on on our on our LinkedIn for the podcast and our our personal accounts, because we'll be we'll be giving dates and topic titles for that coming. It has to do with AI. Now, the second one I found interesting from that year is Apple Unified logs and and how some vendors were deleting then before extracting them, which I thought it was pretty hilarious because if you tell me that your tool has Apple Unified log support, but then you delete the logs before you can process them, then what's the point of supporting them? Yeah, right? And I and it's a testament to the community because the community is the one that figured this out. Now, the vendors had, you know, for what it's worth, valid reasons, maybe, maybe not. And I made no judgment on their reasons. So and on that thing, uh, I don't want to get into that. But you can but the point is that that was happening, and the community, you know, made sure that that was being um known, and then the vendors took the proper actions to be able to maintain those. Logs, the Apple Unified logs, and addressing whatever concerns they had by deleting them. And again, that's a big conversation that was had at that time. And I think that was important that the community is here not only to consume the product from vendors, it's also to make sure the vendors understand what we need and also to um how can I say this? Um for us to be uh check and make sure that things are done the right way. Not because vendors want to do it the wrong way. I'm not saying that. Uh vendors are filled with people like us that are examiners, good folks, friends of ours that we know personally. So I love my vendors. But sometimes, you know, things need to move fast, business decisions are made that examiners might not be a part of. And then us as it falls on us as a community to make sure that folks understand where we folks understand where we stand. And and hopefully changes are are made quicker rather than later or faster rather than later. So uh hopefully hope people understand what I'm trying to say by all this.

SPEAKER_00:

I think everybody understands, absolutely. So those are really good takeaways from last year for sure.

SPEAKER_01:

Yeah.

SPEAKER_00:

Um, now our wish list for 2026. I'm gonna I have a huge wish list, by the way, but I'm gonna go with two because we're at the hour. So um, so on my 2026 wish list, one of my wishes is that educators, and when I say educators, I I do mean like higher education mostly with this comment, but I hope that educators start to take digital forensics a little more seriously and improve their undergrad and graduate level digital forensics programs. When I say that, that does not go for every single college or every single school that has digital forensics programs because there are some good ones out there. There are some bad ones out there, and I would like to see it taken more seriously. And I think it would be a pretty big step to make sure that they're hiring people who have the knowledge to be able to teach digital forensics to the new generation.

SPEAKER_02:

There are some really good detail forensics programs. There are, and there's a pretty good ones here in my area, but there's also pretty, really bad ones. And and you got folks that are trying to teach forensics, and this is an example I heard some time ago, that don't have any expertise in the area. Okay, okay, maybe you're a computer scientist. That does not make you uh uh uh uh qualified to teach on DITA forensics. Um, you you know how you teach a whole course on extracting from a phone. How can that take a semester? What about parsing? What about interpretation? What about data structures when you're taking a mobile device course? How is that not part of a college graduate level course? So uh and I think we said this previously, previous episodes. If you're listening and you want to get into this field, you're a younger person, or not even a younger person, you're uh an uh an older person like myself, that you might want to get a second career or transition from your current career to Utah Francis if you find it interesting. You gotta be a good consumer yourself. You gotta put in the work to actually seeing, see what is being said of this program or graduate program or bachelor's program that you're trying to get into, and look at the syllabus, look at the courses, reach out to folks in the field and say, Hey, is this a good course? Will this will this teach me what I need to start this field? You can't just say, Well, there's a college you know next to my house that they offer a degree, I'm just gonna get it. Um, because it might not be it might not help you get you where you want to be. So gotta be a smart consumer, do your research and get second and third opinions and then move forward.

SPEAKER_00:

Yes, absolutely. And then my other wish list is I've been asking for this since we started the podcast, I think. But I'm still looking for that customizable digital forensics report that analysts can use to make their reports the way they want them and the way that best suits the case for courtroom presentation. I'm gonna throw this out there, but I am willing to work with anyone on this, on coming up with something that is customizable and something that everybody wants for their reporting. Um, and I I made the joke, or maybe I'll create my own and share it with everyone. I can try. I feel like that will take me a really long time and require a ton of assistance from somebody who might be in this podcast with me.

SPEAKER_02:

Um Christian, Christian says in the chat.

SPEAKER_00:

But that's what I'm looking for. I want that for 2026. I want the report, and I want to be able to create the report based on my case needs the way I see it and envision it for courtroom presentation.

SPEAKER_02:

Look, I only heard that there's a free SME available. So, vendors, go and go knock Heather's door down. Free free subject matter expert. Come on, let's go.

SPEAKER_00:

Let's do it. Let's do it. Let's go, baby. Let's do it. Those are my wish lists.

SPEAKER_02:

That's awesome. No, I I love them. I love them. So so let me, I'm gonna share a couple of mine. So uh it speaks to what I said before about fundamentals. I want more fundamentals. I want yes, yeah, I want data structures, I want file systems, I wanna, how does the OS inner workings, how does the OS call APIs and it's just Windows DLLs to do things? What's the interplay there? How do how do how are timestamps recorded? What the trend that we're seeing this year, and correct me if I'm wrong, Heather, but I think we will agree, is that uh courses, vendor-led courses or third-party courses in our field are becoming less about the fundamentals and more about the outcomes or pressing the buttons and what the outcome is. 100%. And yeah, okay. Well, I I'm happy that we're on the same page because I I I I cannot accept the diminishing of the fundamentals. Well, when I will when I will when will I use uh binary conversions in my life? I mean, you will use them. If you're doing the work, you will. But even if you don't, for whatever reason, the the thought process, how your mind develops by learning this will inform your examinations. When you look at data, you will look at data differently because you understand how that data converts into different abstractions, right? You can do the same ones and zeros in hex in binary, well, once and zeros in binary, or or look at it in in other uh formats, and that will help you. It will develop how you think. And that's the thing. You're like, well, I want to know X, Y, and C. Before you know X, Y, and C, you need to develop the proper way of thinking about those things. And fundamentals will teach you that. Now, there's some fundamentals that go up, you know, they develop how you need to think, but also like legit, you need to learn this, right? If you do a lot of SQLite, because we all all of us do, you need to understand how the thing works. You need to understand what's a wild file and and what's the whole process, and not only uh you know at a conceptual level, some of the some of that level, it'll be a detailed. You will be asked how these things work. Is this really quote unquote deleted or not? Maybe it's recovered. What do we what do we mean by that? We have to get into those fundamentals. And I think this wanna be one of my things for the year 2026. I always have a thing for the year, like a topic. So this year is gonna be fundamentals, and I'm trying to look for a a catchy way of of saying it, right? You know, um, so I'm still working on that one, but it's gonna be all about fundamentals, right?

SPEAKER_00:

Yeah, I love that. I couldn't agree more with you about the fundamentals. It's it's gone away, and I don't know why it's gone away. I feel like that is just going to lead um people coming into digital forensics, and not everybody, don't get me wrong, but it's gonna lead us down a path where they're going to testify, and the answers instead of the explanations are gonna be more like that's what the tool told me. Well, the answer is because that's what the tool says. And we can't get to a place like that, and I fear that that's where we're headed, because the fundamentals are missing from our core trainings.

SPEAKER_02:

Uh absolutely. And and even some courts in different jurisdictions, uh, and uh uh not in the U, well, maybe in the US, I don't know, but I I know firsthand from other places uh outside of the United States. Um, they they some courts believe that, well, if we have a tool from a particular vendor, then everything that's what it is. Not necessarily, right? Tools can be wrong, or or tools might show incomplete information. Yes, so we need to re-establish in some places the the primacy of the expert. A tool is a tool, right? And I've been having this discussion online, and sorry I'm gonna leave my tangent, but um tools cannot make management decisions. What I mean by that is because the tool says it means nothing. The tool cannot be held accountable for anything. If it's wrong, whose fault was it? The tool? Are we gonna blame the tool? Are we gonna blame the computer? You can't come to court with that way, or anywhere else for that matter, right? You are accountable. The tool is the tool. And either you do it right or you do it wrong, you verify it, you check it, you do different things. But computers cannot be held accountable. Only people can be held accountable. So we need to put again the person at the center. And when I say at the center, people like to think, well, I'll just kind of check. Uh it's more than checking, right? You are accountable. And that's the the piece that we should understand in our role. And accountable means that when things go wrong, who's gonna bear the brunt of it? You are. So you better make sure that you do your job. Make sure you understand your fundamentals, make sure you understand how the tool works and what output is given you. And if that output is accurately represent, does accurately represent that data, use verification and use validation. You verify that data and you validate those processes. And and because you are to be held accountable, not the system, period.

SPEAKER_00:

I think um, I think well, in law enforcement specifically, anyway, we need some uh some more defense experts that are out there challenging us. And I hate to say that because I don't want that. Don't get me wrong, but it's so easy to fall into like uh a repetition of I never get questioned by defense attorneys in my trials. So maybe I I don't know. I don't need to know that. I've never been asked that before. And once you do, once you are just chilling out and think that that those questions are never gonna be asked of you, you're gonna get that one defense expert that comes in and asks you the hard questions, you're not gonna be able to answer them. And that's it's gonna take a case.

SPEAKER_02:

Well, and I will say this. So, you know, I I'm pretty critical of LLMs in general. Again, but LLMs do have value, don't get me wrong. And I should say that more often, but you do have some value. Look, if you think nobody's gonna be questioning you moving forward, let me tell you the I don't care which side you're in, uh, well on, I should say, uh, you know, prosecution, defense, whatever it is, folks will use LLMs now to make sure they get a pretty good sense of what you're saying. They will run your report to it, and hopefully that LLM will give them ideas on how to question you on things. Oh, yeah. So, so information about how to question you is gonna become more accessible, right? So don't think it's gonna be less, it's gonna be more. And and when Heather says, well, it's pretty controversial. Some folks in our field from the law enforcement side, you know, would they want to be questioned more? No.

unknown:

No.

SPEAKER_02:

Yeah, they don't want to, right? Believe me, because I'm telling you, no, but I mean, I am with Heather on this one. I do believe strongly that it's important to have really good experts on any side of a question, right? So we can get to the truth by by you know, maybe coming together or maybe arguing about it. It's an adversale system, like I said. So I want those experts. But let me tell you, in if you're in law enforcement like we are, the information to question your work is gonna be more accessible, not less. So you're gonna make sure that you are also growing in your knowledge, not less. If you're if your mentality is I'm gonna, I'm gonna head the the the the backward direction, you're not heading the right way. And uh, you will be replaced. I'm just I'm just I'm just telling you, you will be replaced. So let's let's start this year with uh this this mentality on growing, that growth mentality, understanding that the challenge is not gonna get easier, it's just gonna get more complex, but we can and we will price with that challenge.

SPEAKER_00:

Yes, absolutely. Did you complete your wish list?

SPEAKER_02:

Um, I'm so I'm so hyped up on the topic that I need I I forgot about the next one. So the next one, thank you. I'm like coming down from the from my from my stool, not stool, my soapbox, I should say. All right, so uh, although I'm not that tall, so I need a I might need a stool. Anyways, so management issues, right? So um also how you run your groups to me is important. So for my wish list, I would like to see a management at all levels uh really work on developing their teams so they don't become one or two-person bands, right? Where you got the the workhorks examiner, and whenever a hard case comes, well, well, well, Heather would do it. She's the one that actually knows things. If it's just pressing a few buttons and and picking out a few chats, then everybody else can do that. But anything that requires real knowledge, well, well, Heather will do it. And then for Heather, it's doing, I mean, this again, maybe this is clear. Any similarities, if any, I don't know, it's it's made up. I just use it on an example. I don't want her to get in trouble at work. So so but buses at her work, I'm not talking about use, it's um and an example. Okay, so let's imagine that Heather gets overworked for the same pay that everybody else. Also, number one, that's not fair. But number two, we're losing the efficiency of having a well-trained team of folks that build each other up and we could work more cases. And if it's not more cases, then the cases that we're getting, we're working them at a deeper level so we can get to more information and more facts. Okay. So that's the one, the first thing. Now, as a manager, you need, from my perspective, I wish you established some mandatory training requirements to include um um proficiency testing. If you're an accredited lab, you you you get that by you have to get that. That's part of being an accredited lab. But most of the work in digital forensics, at least on the law enforcement side, is done in labs that are not accredited by anybody. Right? They do fund our do they do uh they do follow standards, standard operating procedures and the like, as they should. But since they don't work on accredited under accredited, uh lab accredited uh situations or environments, it's a management to make sure that we keep that training and and it's required. Look, I understand you have a busy life, you gotta take your kids to you know your soccer practice and all that, but you have to make plans to stay a week at an event where you'll be trained. Well, you get continuing credits where your knowledge will grow and we can show that the folks that do this work are experts in the field. Yes, and it's on management to require that because you know if you well, if you want to, but most people won't. That's just how it is, right? We're all busy, right? No, we need to do that from my perspective.

SPEAKER_00:

I agree. I think your your fundamentals wish list just ties right into that perfectly, too. Because uh, I mean, if you don't have that, if you don't have the fundamentals, you're not gonna be able to be the go-to person in the office. Like you were giving the example of the person who gets the more difficult difficult cases. If you're not trained with the fundamentals, you're not gonna be able to be that person.

SPEAKER_02:

Oh, absolutely. And it becomes a game of avoidance sometimes in some in some labs, where you know, well, you know, I they hold the kids for a little bit and they're like, oh, this is too much for me, and then they dump it up to the poor person that works all the cases that are quote unquote hard. Um, you know, we we and management sometimes don't want to rock the boat, sometimes I'll be, and this is I'm not talking about my organization. I also don't want to get in trouble, but in other organizations that I've seen, uh, the the person that's leading the the lab, the the the sometimes a sergeant or lieutenant, whoever it is, is there on their way to something else. And that's normal office politics, right? We don't need uh travelers leading our outfits, right? We need people that are committed to the mission of the lab or the reference examiners to train us, to give us the tool that we need, and to actually require us to do the best work that we do. And that is not just saying, well, you're really good because you imaged 150 drives this month and the other guy only imaged 12. Because the guy or gal that imaged 12 had to do a really 100-page report on something and couldn't image. Does that make sense? So, whatever metrics we use for success need to be fair and actually reflect the effort done by those examiners in order to have a properly working team. Uh the if if you give the work to the person that does the most, that person's gonna burn it out. And not because they don't want to do the work. We want to do the work. What we don't want is to for us to do the work and other people not do the work. That's really demoralizing. So if you want to keep your best examiners, your best people, the way the best way of doing it is not even throwing money at them, although please throw money at me. I'm okay with that. It's actually by making them effective and by sharing the load properly and be accountable. Um, have everybody be accountable, not just the the quote unquote rock star. Everybody should be held accountable and required to do the work as as best that we can do it.

SPEAKER_00:

I love our wish list. Yeah, we'll work on that for the year for sure.

SPEAKER_02:

Yeah, so uh, you know, well some you know maybe somebody's mad at me, but I hope not. And if you are too bad. All right, so let me let me show you here. Uh I'm crazy. All right, so let me show you here. Uh, I'm gonna share my second screen here. So let me share my screen because we're gonna show uh a couple of pictures from the uh from uh what am I oh from uh actually this is not the way I want to do it. I want to open the screen. I was trying to open each picture one by one. That's gonna take too long. So uh let me see here. I stopped my screen. Now I can share my screen. There we go.

SPEAKER_00:

While you do that, I just love that the all of our accounts that this uh forensic platform uh or this podcast platform are connected to are Alexis's accounts. So anytime I answer any of you in the chats, it's Alexis. So I really can say anything, and you're never gonna know it's me except I just turn myself in.

SPEAKER_02:

Oh my goodness. Well, good thing we're recording this. We're recording this.

SPEAKER_00:

So you'll have to save it because I'm I'm answering people and I'm seeing Alexis Brignoni says.

SPEAKER_02:

Yeah, she's writing, oh yeah, I'm a total idiot. I don't know what I'm I don't know what I'm talking about. You know, like well, the thing is that if you write that under my name, it's actually true. So I cannot I can I cannot even contest it. All right, so check this out. So, you know, we have here a big chair. Look how happy we are. So you can tell by our outfits that we just you just came straight from court.

unknown:

Yep, yep.

SPEAKER_02:

I just have some sneakers in my car and I just put my sneakers and we were you were the best dressed person at City Walk, though. From from my ankles up, that was it.

unknown:

Yep.

SPEAKER_02:

Because I'm not gonna wear I'm not gonna walk universal, I mean the the the at the area that we're in, City Walk, on dress shoes. No, that's gonna be really hard on my feet. So, but yeah, so this is my goita bill, and it's a big humongous chair. So I love that picture of me and me and Heather in that chair. So let me show you another one. So I have one here with my awesome, beautiful wife and Heather, and we're in front of the chocolate emporium.

SPEAKER_00:

Oh, we ate lunch there.

SPEAKER_02:

We ate lunch there, and it was fantastically delicious.

SPEAKER_00:

Yes, it was.

SPEAKER_02:

So we enjoy that. And they had this, it's like bread with chocolate in it. I don't even know what the name was.

SPEAKER_00:

I don't know either, but it was delicious.

SPEAKER_02:

It was it decadent, decadent. So this picture is the ultimate proof of where Heather was. It's the big universal like ball, right? And it has like uh like water coming out, you know, like uh water vapor and stuff. It's pretty neat. So a little wind came by so I could actually get the the ball because it's sometimes covered in water vapor. And then last but not least, we went to Voodoo Donuts.

SPEAKER_00:

Oh, we did, yes. Oh, jeez.

SPEAKER_02:

And and they have this mug, the magic is in the hole, because it's a donut shop, it has a hole in the mug. So I just I just loved it. The magic is in the hole. So uh I I I wanted to buy that donut, but you know, the wife wouldn't let me buy it to take it to work. I I don't understand why. I had to ask her why why I shouldn't buy it.

SPEAKER_00:

No inappropriate comments were made at all.

SPEAKER_02:

Uh yeah, at all. I don't I don't know why. I don't know why. But that's uh that's uh in lack of uh meme of the week, that's what we have for you a little bit of universal pictures.

SPEAKER_00:

Yes, yes. So this was a good impromptu podcast, I think.

SPEAKER_02:

I enjoyed it. I enjoyed it. I you know, I think I we uh folks we didn't do a podcast for a couple of months because live was pretty active. Yeah, hopefully we can back up back get back on track on 2026. So thank you for being here, everybody in the chat. You're so awesome. I saw Damien was there, um Christian was there, Brett Brett Shavers was around. So again, thank you again for all your work. I think you heard us already, but I noticed that you're here. Kevin was around, and all the folks. If you're not live, I mean please be live, it's even more fun. But even if you're listening later, we appreciate you. The the show would not be anything if no folks that want to share and listen and grow with us. So the show is is for us, but it's also for you. So thank you so much for the what two years, three years we've been doing this.

SPEAKER_00:

It'll be three this year. We'll hit three in August.

SPEAKER_02:

Three in August. So almost three years is it's flown by. So thank you for being with us. We we love you here. Heart, heart to heart there.

SPEAKER_00:

There you go.

SPEAKER_02:

There we go. There you go.

SPEAKER_00:

I don't get that. So I'm just with my hands up in front of my face. Yeah, yeah, yeah.

SPEAKER_02:

My computer throughout some hearts when you do this that simple. So, anyhow. Well, um, anything else for the Guru the Order header? All right. Well, go be happy with your birds and keep watching your birds, and we'll see each other and see everybody else on next go around. Have a good night and take care. Bye.

Head Shot

Alexis "Brigs" Brignoni

Host
Head Shot

Heather Charpentier

Co-host