Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
Live From the MSAB Digital Summit 2026!
Tool output can look authoritative while still being dangerously easy to misread, and we’ve both seen how fast that goes sideways when a case hits court. Live from the MSAB Digital Summit 2026, we walk through a simple principle that saves careers: an artifact is a clue, not a conclusion. We talk about how “artifact worship” happens, how to build real corroboration, and why multiple records on the same phone are not automatically multiple lines of evidence.
We also get honest about forensic reporting and peer review. Assuming “legal will catch it” is a trap, because attorneys and supervisors may not be able to validate the technical meaning of a timestamp, a parser decision, or an attribution statement. We share practical ways to write clearer digital forensics reports, verify tool parsing, and test your assumptions so you’re not learning hard lessons under oath. If you work mobile device forensics, this section is for you.
From there we shift into training and deep technical skills that are quickly becoming baseline: Android RAM acquisition and analysis, what kinds of artifacts can show up in memory, and why RAM can hold evidence you may never find in a file system extraction. We also unpack protocol buffers (protobuf) and the uncertainty that comes with app data when the .proto schema is missing, plus why that matters when AI and automation start “helping” with interpretation. We wrap with an ALEAPP update, a reminder that a portable tool report isn’t analysis, and a quick look at how standards like Daubert and Frye raise the bar for methodology.
Notes:
Brett Shavers Blogs:
It’s Not Artifact Worship When One Artifact Actually Changes the Case https://www.linkedin.com/pulse/its-artifact-worship-when-one-actually-changes-case-brett-shavers-nwi6c/
I Thought Legal Would Catch It. They didn’t. https://www.brettshavers.com/brett-s-blog/entry/i-thought-legal-would-catch-it-they-didnt
IACIS https://www.iacis.com/events/in-person/2026-orlando-training-conference/
Live From MSAB Digital Summit
SPEAKER_03: Today is March 12, 2026, and my name is Alexis Brignoni. And we are live from MSAB's Digital Summit 2026. And as always, with me is the digital yin to my forensic yang, the extraction salt to my coding pepper. The reporting... the reporting guru to my narrative gin. Oh, it's tonic. The reporting tonic to my narrative gin. The one and only Heather Charpentier. Thank you so much for being here. I'm laughing because usually we do this intro with music. We do. Yeah, not having the music throws me off a little bit.
SPEAKER_00: Yeah, it's a little bit awkward without the music, but it was excellent as always.
SPEAKER_03: Well, thank you. You're too kind. You're too kind. We're luxuriating today with the awesome setup we have here with the MSAB folks and enjoying the online conference quite a lot. Yeah.
SPEAKER_01: Absolutely. So as Alexis said, we're live from the MSAB Digital Summit. There have been some really, really great presenters over the last few days. Today are the live sessions, and then later on today is the capture the flag put on by MSAB and Hexordia together. So very excited for today.
SPEAKER_03: Oh yeah, I wish we could compete, but we gotta fly out.
SPEAKER_01: We do. I know. I really want to do the capture the flag, but we're not gonna do that.
SPEAKER_03: So please, folks, do compete in my honor, please. I'm gonna be living the life through you all as you're competing in the awesome CTF that's coming up.
SPEAKER_01: Yeah, and if you can't register for the capture the flag and do it today while it's live, all the capture the flags are always available at a later date and you're able to just do it on your own time. And it's a great, great learning experience for anybody interested.
SPEAKER_03: Oh, and as you solve the challenges, when you're done solving all the challenges and the competition is over, do put up your write-ups. Put them on blog posts, do videos about them. That's how you also help the community grow, by providing the solutions to the CTFs as you went through them. So I'm really looking forward to reading and seeing some of those.
SPEAKER_01: Yeah, absolutely. So we haven't done a podcast in a really long time. Life has been busy. I'm a lazy bum. Life has been really busy. So when we heard about the MSAB Digital Summit, we were very excited to be able to make a comeback on our, I guess, lack of productivity with the podcast. So here we are.
SPEAKER_03: No, it's been crazy. Again, like everybody else, lots of work, things to get done, but we're here and we're super excited. We're super excited.
SPEAKER_01: Absolutely.
SPEAKER_03: So, what do we have lately? What's going on?
Artifacts Need Corroboration
SPEAKER_01: So we have some topics today. We're gonna do the podcast just like we normally do. And Brett Shavers is at it again as our first topic. So Brett had a presentation during the summit. If you didn't get a chance to watch it, please do. But he's also been very, very busy writing more articles. If you tune into the podcast on a regular basis, you know we love his work and we are constantly talking about the different articles that he writes. And I'm gonna just highlight a couple of them today.
SPEAKER_03: I see Brett as the philosopher of digital forensics, like the Plato of our field. So I always enjoy when he writes and puts stuff out.
SPEAKER_01: Yeah, definitely. So one of the articles that he's written recently is entitled, It's Not Artifact Worship When One Artifact Actually Changes the Case. And the gist of that article is: don't treat one artifact like gospel. And also don't dismiss it entirely. He accentuates that both are lazy and an artifact is a clue, not a conclusion. I loved this article because it's very easy to find that one artifact and be like, oh, my case is solved. I've figured it all out. I'm done. But there needs to be additional testing, there needs to be additional work put in to ensure that your interpretation of that artifact that you're hanging your hat on actually means what you think it means.
SPEAKER_03: Yeah, the way I always phrase it is lines of evidence. You don't want to have just the one thing. Although sometimes the one thing might be the most important thing, you always have to look for some corroborating lines of evidence. And one good point that Brett mentions in the article is that just because you have multiple recordings of an event on the phone doesn't mean that you have separate, multiple lines of evidence. That evidence might come from the same source; it's just recorded in different places, right? So looking for multiple lines of evidence also means looking outside of the phone. And that's something we might fail at sometimes, because if you're doing only the examination and you're not maybe involved in running the case, you might miss items that could be relevant to you that are outside the device. I say phone because that's what we do the most. But it could be a computer, whatever the device is, or a vehicle. Let's say that you're looking at some information about speed and about location. Well, I want to see if I have toll records. When I say toll records, I mean when you drive through a toll and you pay the fare, right? Are there any surveillance videos? Anything that's outside of the forensic device that will then give context to that artifact. And you'll be surprised, right? So many artifacts we might think mean one thing, and when you put them in context, they might be recording something different from what you might be expecting.
SPEAKER_01: Absolutely. I think the major takeaway from this article that he writes kind of encompasses all of that. So use single artifacts to open your possibilities, build hypotheses, and then choose your next test. And he mentions the two career enders: calling the case closed too early, or ignoring something that changes what's possible.
SPEAKER_03: Yeah, and I think we'll talk about it a bit more later, but you always have to have an alternate hypothesis, right? It could be either how you think things will play out, or just the simplest, most basic hypothesis that we can have, since we're a scientific endeavor: I've got my theory of the case, my null hypothesis, and I just might be wrong. I might not have an alternative theory, but that doesn't mean... let me put it this way: just because you have an idea and there are no other ideas doesn't mean that you're right. You could be wrong, even though you don't have another option or alternative to explain a set of facts, right? So we need to be our own devil's advocate. And looking at artifacts, you have to be your own devil's advocate. Think about, well, how would this be interpreted differently? How could this mean something else than what I'm assuming? That's one way, because we talk about, well, we're gonna be free of bias. I don't have any bias, right? And me, I never have bias. Even the statement is a biased statement, right? Because you're putting yourself above your own human nature. But the way to defeat that bias is to constantly take the steps necessary to do that. And one of those, as Brett talks about, is making sure we have different alternatives on how we look at the data, or null hypotheses. This is a scientific field, and we shortchange that for whatever reason, because we're too busy, we've got too many cases, and we gotta really be careful with that.
SPEAKER_01: I think it's okay too to have that aha moment. I do it constantly, where I'm behind locked doors doing my casework and I find that thing that I think is my smoking gun. I'm like, I've got it. This is the answer. And I can have my little dance in the office that I've found what it is, but make sure you're doing that additional testing. I have on numerous occasions had that moment and realized, oh, I am so wrong, so very wrong.
SPEAKER_03: So the chat is live and I love it. So we've got some comments here. So: data takes a journey through a system and can be different artifacts in different stages of its journey. Absolutely, absolutely. Brett is saying: better to prove yourself wrong in the lab than to be proven wrong on the stand. Oh, no kidding.
SPEAKER_01: Absolutely. That's why it never makes it to the report, right? I'm having that happy dance in the office, but that's not going in my report until I've tested it. Yeah.
SPEAKER_03: Yeah, no, it's better to make sure in the lab, and that comes to peer review. Have somebody that you work with that you trust, or somebody in the field, do that peer review for your work. You don't want to be peer reviewed on the stand. And I say peer review, that's not the right word, right? Grilled alive on the stand and charred to a crisp; you don't want that. So it's really important, and we think, well, this should be obvious, right? And it's not as obvious as one thinks. Again, I understand we're under pressure, we have backlogs, we need to get stuff done, and you might ask yourself, when will I do this? The issue is that if we don't make time, by being really proficient at our work, which speeds us up, by making sure we understand and taking time to study and research, all those things speed you up. So if we don't do that, we're gonna figure out that we're gonna regret not investing the time, on the stand or something worse. So it's a call to change that mentality of, well, when will I have time to do that? Well, you have to make time, you have to prioritize. Stop looking at your Instagram all day and start working on your self-development. You can be meaner and leaner and faster as you do your work, and accurate, of course.
SPEAKER_01: Yeah. I see in the chat one of my coworkers talking about my happy nerd dance. She also does the happy nerd dance when she finds artifacts in the office. So I have to call her out. Hi, Giovanna.
SPEAKER_03: You do it like in football games, they have a little, you know... yeah, no, seriously, right up from the desk. She owned it, up on TV. I find it amazing. I don't know. I don't know.
Peer Review Beyond Grammar
SPEAKER_01: So your point about peer review, and whether people will catch it, leads into the next article from Brett that I chose for us to highlight: I Thought Legal Would Catch It. They Didn't. Brett talks about an early career assumption that he made that put him in an awkward position up on the stand, right? So the gist of this article is: if you write something wrong in a forensic report, legal will catch it, right? Well, they won't. And by the time anybody notices, it may be too late. And when he says legal, I attribute that in my casework to the peer review process. I'm hoping that as it goes through the process, any error that I may have made will be caught. And they are, but that doesn't mean they always will be. Things will get through, there will be errors that are missed, and don't just count on that. You need to be able to stand alone with the work that you're doing.
SPEAKER_03: Well, the fact of the matter is that when you give stuff to people, let's say your supervisory chain, right? They will look at it to approve it and they might tell you, hey, you have a spelling mistake. Yes, and you didn't capitalize this, or this needs to go in a certain phrasing, but you are the technical expert. And it's tough because the folks in the supervisory chain, and that might include your legal folks, are not technical experts, in the same way that you're not a lawyer, right? Which also speaks, as mentioned in the article, to how you phrase things, right? If you're doing attribution, well, the suspect did X. Do you have the actual detailed forensic evidence necessary to prove that link that you're making? Right. Because, and we were talking about it yesterday, just because abrignoni, let's say that's my account, was logged on the device and was doing the activity, doesn't mean that I did it, right? And sometimes we get annoyed at our stakeholders because what they expect is for me to have a recording of the suspect doing something on the device.
SPEAKER_02: Oh, yes.
SPEAKER_03: I mean, if we had it, they would love to have it. I mean, of course, I would love to have it too. But that means that we can't just go on these assumptions because we see a little piece of evidence. We need to build more. And sometimes you might not get there directly, so then you have to put together enough circumstantial evidence, and that's where the role of an expert comes in, right? You can say, well, based on my training and experience, and all the facts in the case, I can make a certain determination. Yeah, but it has to be clear, and how you write it is also important. You gotta make sure that your stakeholders... and again, all these processes, and I get it, people maybe watching or listening to us will be like, well, it would be nice to have all the time in the world that Brig and Heather have. Look, I have the same amount of time that you have, 24 hours in a day. But we need to start making some choices in regards to how our workflow is established and how much time we can dedicate to different things. Look, there'll be cases where, here's a chat, and here's a picture, and here's the suspect actually committing the crime, or whatever it is.
SPEAKER_01: Absolutely, you have that smoking gun. Oh, yeah, it could happen.
SPEAKER_03: Yeah, so I'm not saying that you need to do this in every single case, right? But develop the habit of writing in a way that gives you space, either to not make attributions without the proper evidence, right, and also to keep yourself in your lane. You're not a lawyer, you're an investigator, you're a forensic examiner. Talk to what's found and talk to the things you can actually support. Going into, well, I think the person is guilty because X, that's not your role. That's definitely not your role.
SPEAKER_01: Right. Absolutely. And just to go on with the artifacts a little bit more, right? So we trust our tools, for the most part, right? If we have call logs, we trust that our tools are parsing the call logs correctly, right? Check that yourself. Don't always trust. Look and make sure that the timestamp is being converted correctly, that it's being parsed correctly. Look and make sure that the recipient in your call log is the actual recipient that matches your call detail records. Take the steps to make sure you're not stuck in a place where you've said something and now you're being grilled on an incorrect assumption that you've made based off of your work.
SPEAKER_03: I love a comment here: you provide enough information to the stakeholders, whoever it is, so they can use common sense to make the connection themselves. And I think that's such a great way to think about the thought process when you write your reports: I'm gonna give all this information and lay it out in a logical, commonsensical way, and then the reader will make that connection themselves. That's a really good way of framing your thought process as you're doing reports. So it's a great comment there.
SPEAKER_01: Absolutely. Brett: peer review is not a grammar check. Thank you, thank you, thank you, thank you. Say that louder for everybody to hear, please. It is not just a grammar check. Please be checking my work to make sure what I'm saying is actually correct. I don't care about my comma. My work is still going to say the same thing if I've missed a couple of commas.
SPEAKER_03: Oh, yeah. I mean, that's the least of it. If the other side is criticizing me for a comma... I mean, I don't want spelling mistakes in my reports, of course not, but that's not the worst thing in the world. The foundation of your report, that's what's important. If I get a report for peer review, I want to be able to read it, and don't explain the report to me. I'm gonna read it and I'm gonna ask you questions about it, because I'm coming at it as a jury or a lawyer or a defense expert, whoever it is, would come at it. And if you can get through me, or not through me, but if I can understand what you're saying from the read, then we're good. But if there are some things that need to be explained better, then give that feedback to whoever is doing your peer review, and vice versa. Again, I hear this all the time: I don't have time, I don't have time, I don't have time. There are ways of doing this. In some outfits it's required, and I wish it was required per policy everywhere. That might not be the case, but it will only make you better. The thing is, the more you do it, the better you are at it, the better your framework is established, and then things speed up. The reason, and I'm gonna go around a little bit here, the reason that we complain so much about time is because we haven't developed the muscle memory to do things. Right. The framework, the process. If you do these things constantly and you learn the best practices, you will be more efficient at it. It's like in a factory, right? Let's say I'm in a factory and I work, and there are some parts that I need at the next table, and I'm walking to the table constantly. Well, I'm gonna figure out that I shouldn't be walking that much every single day. So I'm gonna put the table next to me.
SPEAKER_02: Right.
SPEAKER_03: I'm gonna change my environment in a way that makes me more efficient. The more I do it, I will find where those time savings are, and you'll be surprised how efficient you can be if you really put your mind to it. So I really want to put that thought in everybody's brain: the better, the more proficient, the more time you develop yourself, the faster and more accurate you are when you do your work.
SPEAKER_01: Yeah, absolutely. So I think the key takeaway from this whole article was: your next report could end up in court. A report you wrote months ago could end up in court. Don't learn the lesson the hard way, like Brett did, under oath and with your credibility on the line. Make sure you're checking your own work, make sure that everything is all set so that you can defend that report in court.
SPEAKER_03: Well, absolutely. A couple more comments, because I love that the chat is lit.
SPEAKER_01: Yeah, I like the time once you do that.
SPEAKER_03: Yeah, so the stakeholders make the legal attribution. The stakeholders meaning the courts, juries, etc. Right. So we make the story, but we're not the ones who make that legal attribution. And that's so important. We think of ourselves sometimes in a role that we are not, right? Yeah, Kevin Pagano says, you gotta practice, practice and practice. Right? And CTFs are a good way of getting that practice, getting that digital forensics muscle memory. And as we develop that, we become way better examiners, way faster, more efficient.
SPEAKER_01: Yeah, I love the comment too: what is this thing, time, you keep referring to? Yeah, none of us have it, but we have to make time for it. If it's a big enough case, if it's a big enough artifact, if there's enough, I guess, question around it, like did this actually happen? What does this artifact actually mean? And it's that big of a deal to your case, you have to make the time for it.
SPEAKER_03: If you're in court, you say, well, your honor, or the attorney, whoever it is, I would have loved to do that, but I didn't have time for it. Yeah. Do you think it's gonna fly? So if that's not gonna fly at crunch time, why do you think it's gonna fly everywhere else, right? If you tell me that you don't have time, I'll tell you: well, tell that to the judge and see what happens.
SPEAKER_02: Yeah.
SPEAKER_03: You'll be surprised what the answer, the result from that excuse, will be, right?
SPEAKER_01: So, a little?
SPEAKER_03: Yeah, you don't want to make a judge mad. Yeah. So think about it in those terms. If the excuses that you give yourself are not gonna fly at crunch time, and I say crunch time for us is court, but it could be in a board meeting, it could be during an internal investigation that you're participating in, it could be some review process. If the excuse, I don't have time, is not gonna fly there, it's not gonna fly anywhere. So we need to think about how we can go about it, because there are ways we can go about it.
SPEAKER_01: Absolutely, absolutely. So, as always, check out Brett's articles, they're excellent, and there are way more than the two we chose to highlight. He's been on a roll lately.
SPEAKER_03: Yeah, absolutely. I want to just say this again. Oh, yeah. The chat is so good. There are so many good people putting in so many good comments. I think we could have another hour of the show just reading the comments that are coming in. So please keep the chat going. It's super good.
IACIS Training And Our Course
SPEAKER_01: Yeah. So to roll into the next topic, IACIS is getting closer. I think everybody knows, and if you don't, I'm gonna tell you right now: Alexis and I teach courses for IACIS. IACIS is in Orlando, and it's every year the last week of April, first week of May. So it's April 27th through May 8th this year. And we just wanted to highlight that there are still seats open in many of the courses, and it is a great opportunity for some really good training. Just a few of the courses that are offered: there's the basic computer forensic examiner, there's the mobile device forensics course, there's our class, which is the advanced mobile device forensics course, which we're gonna talk a little bit more about. There are scripting courses, there are OSINT courses, there's a ton of courses I'm not mentioning. So check that out on the website. And you can still register. There's still time to come down to Orlando, and Orlando's beautiful. I love going down to Orlando too. So a great opportunity for training. There are also numerous vendor classes available as well.
SPEAKER_03: Yeah, there'll be some classes also from the vendors; MSAB is gonna be there as well.
SPEAKER_02: Yep.
SPEAKER_03: So you can check that out. I love the IACIS event. If you're not familiar, IACIS is a nonprofit organization that does education for all sorts of organizations, law enforcement and the like, on forensics. So our class is super awesome. Yeah, spaces are running out, so go check it out. You want to hang out with us for a week there. We have two classes, one week each, back to back. So you can sign up for either of those and come hang out. It's a great venue. It's a nice pool.
SPEAKER_01: It is, it does have a nice pool.
SPEAKER_03: Uh-uh, you know. I was walking out of the hotel and I got this cold breeze, and I'm suffering, but in Orlando it's not cold. So you can come down during the summer and enjoy the weather. It's fantastic.
SPEAKER_01: Alexis is a little cold here in DC today. Yesterday was like 80 degrees, it was beautiful, and today's a little chilly. Perfect for me. He's freezing to death.
SPEAKER_03: Well, you have anti-freeze in your veins, you're a New York lady, but what can I tell you?
SPEAKER_01: I do. So the IACIS course. So we do the advanced mobile device forensics course. And I want to just highlight that we have an amazing instructor who joins us for the advanced mobile device class. And he actually currently works for MSAB. So Chris Currier, shout out to Chris Currier. He'll be there and he has extensive knowledge on Android RAM and what MSAB is doing with Android RAM, and he teaches the topic in the class. So you have a chance to actually extract RAM from Android devices in the course as well as analyze it. And he talks about all of the different artifacts that you may potentially be able to recover in the RAM. It's a really cool topic. And that's just one of the topics that we cover. Our class is similar to a data structures course with a few other topics in there as well. So we came up with the idea that, starting this week on the podcast, we'll highlight some of the data structures that we plan on covering in the advanced mobile class. So this week we're talking about Android RAM a little bit. I have had the chance to extract Android RAM and look through the data myself on my test phone. And I was amazed by some of the artifacts that you can find in there. I found Wi-Fi from when I connected when I visited my sister. I didn't expect that to be in RAM. I found passwords, I found message data. There's information about the phone. There was location data. There was the location of when I set up my Galaxy earbuds, and it had my Galaxy earbuds' name, and then the location where I did it; my home address was right there in the RAM. There are tons of other artifacts that you can find in the RAM that Chris outlines in the advanced mobile class. And also, if you're interested in learning about Android RAM and you are registered for the CTF, get ready to start looking at some Android RAM, because it will be part of the CTF. And you'll have Jessica and Adam Firman here moderating that. So please check that out. It'll give you a chance to actually work with the data today.
SPEAKER_03: Anything that Adam and Jessica do, I will watch. Yeah, definitely, with no exception. So you're in for a treat; they'll be running the CTF and also MCing it. So you want to be here for that. There are so many things we can get from RAM. I'm not gonna tell you, because I'm not gonna give you any hints for the CTF.
SPEAKER_00: No answers.
SPEAKER_03: But just keep in mind that, and this is a big question we always get in class: well, am I getting something different that I'm not getting from the phone if I have a full file system extraction? Yes, you will get stuff that's not on the phone. That is not on the phone at all. You will get it from memory. And that capability, my understanding is, I think the only tooling right now that does it is MSAB's tooling. That's as far as I know, yeah. That's my understanding. So definitely look into that. And the CTF is a good opportunity to get a chance to look at that data set.
SPEAKER_01: Absolutely.
SPEAKER_03: In Windows, we're more used to dealing with memory, the RAM, in a sense. But memory in mobile devices is something that I think is kind of a sleeper data structure that we need to look into. And this CTF and MSAB's tooling is a good way of doing that. Data, as you're saying, remains there for a long time. Like how long? How long did your testing show?
SPEAKER_01: I mean, so we were at IACIS in April of, I forget what year my testing was from, and the following year, a lot of the artifacts that I had generated while at IACIS were still there in the RAM.
SPEAKER_03: A year later.
SPEAKER_01: Yeah, yeah. I had the IACIS Wi-Fi; it had connected to their Wi-Fi, and that was in my test phone. I also have found deleted artifacts. I need to dig more into that, because I found one. I'm like, oh my god, there are actually deleted artifacts in the RAM. But I want to further explore that and find all of the opportunities to recover anything deleted.
SPEAKER_03: No, and if you're looking for research areas to do so, Android memory is a great research area. There's work being done, but not enough work.
SPEAKER_01: Absolutely.
SPEAKER_03: So start looking into that. And again, we think of RAM as, well, you turn it off, then it goes away, it's volatile.
SPEAKER_02: Yeah.
SPEAKER_03: But in Android devices, the way the architecture of it is, RAM remains, even if you think you turned the phone off. It's still there. So still good stuff to pull out of it.
SPEAKER_01: Yeah, and a couple of the chats. So Brett: memory is magic. Agreed, memory is magic. Jessica's chiming in that we don't tell you the answers are on the phone or the RAM. So it's amazing to coordinate your data between the phone and the CTF. So you guys are gonna have to actually go into this data and figure out where the answer to the CTF is. Is it in the phone or is it in the RAM? Is it in both? So you may actually be able to see some of those artifacts that are only in the RAM and not on the device, or vice versa, right? Yeah.
Android RAM Artifacts And CTF
SPEAKER_03: No, absolutely. And the more data sources that you have, the better. Some data sources will allow you to look at a particular set of behaviors through time. And I'm not saying this is for the CTF, I'm talking more in general terms. You can see the recording of an event on your phone, but you may have that same recording of an event of similar quality, or not quality, but the same type of event, maybe a year ago or six months ago, and now you can timeline it. A big function of our work, as the folks that are watching and listening to us know, is that we timeline all the time. A big part of forensics is doing that. Yes. So having another data source for the timeline, where the timeline window could open to a range of a year or years, is fantastic. And we should definitely take advantage of that.
SPEAKER_01: Absolutely. I will highlight one more comment. So Jessica says Ramalizer is an amazing tool for navigating the RAM dumps. So if you haven't heard of Ramalizer, check out MSAB, because they have a tool to navigate the RAM dumps. Because honestly, without that, it's not very easy. I mean, I'm doing string searches in a binary file. So Ramalizer really gives you additional help with your searches, for sure.
SPEAKER_03: Well, absolutely. And again, a call for folks that are really involved in dealing with RAM, say in Windows environments: maybe they can start also looking into RAM dumps from Android devices and see how we can locate artifacts. And there are many opportunities for the community to put out tools and tool sets, or work with vendors on moving the field forward. So hopefully the CTF will be a way of supporting that interest in the community.
SPEAKER_01: Yeah, we'll get some people out of it that are ready to do the research, for sure. So we're gonna do another data structure that is highlighted in the advanced mobile course at IASIS. So protobuf, one of Alexis's favorites. I am not a fan of the protobuf, but we're gonna talk about why.
SPEAKER_03: Yeah, right? Yeah, so because you're lame like that.
SPEAKER_01: So I kid, I kid. We have a photo one, if we could put photo one up on the screen. All right, I'm gonna put it up here for you.
SPEAKER_03: Yeah, all right. So you're looking for data sources and you're looking at, let's say, a particular app, and the app has the data, and you know it's there because, let's say, for example, you did a text search across your data set and you were lucky enough to get a hit on it. Of course, you will not always get a hit on what you're looking for, and we discussed that in our IASIS class in regards to how to go about searching through your evidence for unparsed artifacts. Okay, cool. But let's say you came across a piece of data, and on the screen you can see my name. There you see my name and one of my emails there, public emails that I have. And okay, so this is relevant to my case. So there's stuff that you can read, but there are some letters or maybe possible gobbledygook around it. And you can't see exactly, as you know, watching on the screen, what's the relationship between my name, this couple of email addresses, some numbers, are those phone numbers? What is that, right? You don't get that relationship clearly stated. In this particular instance, this is a protobuf file that was opened with a text editor, right? Which is usually kind of the tool we use to give a quick preview of whatever we want to see. See what we have in it. So it'll hopefully get some ASCII characters out. I say ASCII, but Unicode characters. ASCII is too small. So Unicode characters out, and see if we can see what we can see. Quick note, and this is the thing. We love XML, we love JSON; these are formats that are human readable. We love those. But at least in my experience, what we're seeing is more of a movement, specifically in mobile devices, to more binary data. What that means is that's data that's not designed for you as a human to read. What you see on the screen was not designed for you to read, even though you can read a little bit of it.
And the reason for that is that making a serialization, or a conversion, from text data that you can read over to binary data that the system can manage in memory has a cost. So developers want to limit that cost. And they limit that cost by trying to put the data in a binary format and transmit it in the same manner, right? So let's look at picture number two here. So let's get a little bit more into the details of protobuf. So protobuf stands for protocol buffers, a technology developed by Google, and of course this is a quick overview of it. Right. We go into details in our classes for that. So protobuf is Google's, and it's really common in their environments. Okay. What you see on the screen now is I did a little bit of code, a little Python code, just to deserialize it, to take it from protobuf and deserialize it into a format that makes sense, that we can make sense of. So if you look at the bottom of the screen, you'll see all the gobbledygook there, how it looks if you put it out to the screen as is. The second block of data, now that's after I deserialize it; the library that I'm using will give you two outputs. The first one is the types, or what type of data it is, and the bottom will give you what the data is, right? And again, this is not something that I'm gonna go into details to explain here. We don't have the time, but this is the takeaway. If you look at the bottom section, you'll see it there in a JSON format, which is a dict as well. You see the name and then some keys, numeric keys, and then the values. So for my name, for Alexis, you see a little b there, and it treats this as binary, but it's actually text. So the tool is making an assumption that this field there, the definition of that type, is a message, it's a binary format. Okay, and as you go through looking at the data sets, the main thing I want to point out is that we have a lot of uncertainty in our field.
We're really used to saying this is yes or no, true or false, ones or zeros. In protobuf, I can get that data set, that storage of data, I can read some of it, and my tooling will make assumptions about what that data means, how it's defined. And you might ask yourself, well, why can't it actually define it properly from the beginning? The reason is because we're missing pieces of data that do not come with the data itself, right? In protobuf, we've got a thing called the .proto file that Heather wants, but she will never get.
SPEAKER_01: Yes, that's my problem with protobuf. I want the .proto file. He's gonna explain to you what that is, but it's missing, and I need it.
SPEAKER_03: The .proto file is what the programmers use to be able to interpret correctly all the data that's in this file and correctly say what type of data it is. For example, you could see a number here, so these are kind of fun-looking numbers, but an integer, a number that's a whole number, one, two, three, four, five, six. And the tooling might interpret it as an integer. I can take that same number, that same data, not number, data, and interpret it as a float, or a fractional number. And when I do that change of interpretation of type definition, now that number looks like a GPS location. And it might be an actual GPS location. The program knows how to interpret that data, but you, looking just at the data source, will not. So you will have to do some research and informed assumptions, and play with how you define data types, to then properly interpret the data to come to investigative conclusions. And this is the part that I'll be really blunt with everybody about, like everybody else. This is the part where, if you throw this to some AI, good luck.
SPEAKER_02: Yes, okay.
SPEAKER_03: There will be uncertainty built into a data set because you're getting partial information, because that's how it's designed. Right. The program has the one piece of the information, and the data set stands alone with however it was designed or architected. So our job is to do the research, kind of reverse engineer, in a sense, what the possible data types are. For example, if I'm looking at Google Maps; Google Maps is the best example. Google Maps uses protobuf everywhere. All right. I'm gonna be changing my data types on my protobufs to floats all around, just to see if I get lucky with something, right? And then based on that, then I can build. Obviously, testing comes into play.
SPEAKER_01: Yes, I want to say the main thing that you need to do is testing.
Protobufs And Interpreting Binary Data
SPEAKER_03: Yeah, you want a data set where you know what the locations are, and then play with that data and do the proper data types. And after you do that, you can take unknown data and apply the same types, and you should get the right results, because the program will behave consistently in that sense. Now, I know some of this stuff, this is like the nerdiest part of the podcast. And the main reason, like I said, I want to pique everybody's interest, is understanding that there's some variability and uncertainty in our field, understanding that there are ways for us to get to the finish line and embrace that uncertainty to then come to facts. We can definitely do that, and there are tools to get there. It could be a class, it could be a seminar. We have a video. If you're like, well, I don't know how to read that and do all that conversion that you did there, that's okay. I have a video series where I explain how to do that in Python, for example. And there are tools, vendor tools, that will help you with that.
SPEAKER_01: So ask; it's a very supportive community, right? I mean, ask, there are definitely people that would be willing to help out, us included.
SPEAKER_03: Yeah, and again, I think one of your coworkers was talking to us about how she found some particular evidence, and, well, how do I look at this, right?
SPEAKER_01: Right, absolutely.
SPEAKER_03: And then she reached out to Heather, and together, let's figure out this protobuf and do some of the conversions, and then you get to the result that you need.
SPEAKER_01: Yeah, we did, yeah. She did a terrific job on that case, found an artifact that she was like, I see that this is probably going to be important to my case, but what do I do now? And we looked at it together and figured it out. So, I mean, the ask for help, absolutely. She now has a kick-ass case.
SPEAKER_03: Oh, absolutely, absolutely. So, yeah, data structures are super important. And again, I know I've been known for not being super AI friendly, but the fact of the matter is that we're not gonna avoid it, right? So we need to be able to be experts, really up our game. Because if you think, and I'm coming to a rant that we might have later in another discussion, but I have to say it: if you think technology is just gonna, well, technology is here to make my job easier, the answer is yes, but mostly no. Technology will just push you to up your level of expertise, because if you don't, the automation will do it for you. And then what are you here for? The "make your life easier" in some context might mean leaving you without a job, right? So you gotta be the expert that oversees an expert system. And that's something that we might not want to accept, but we have to. Absolutely. And again, I'm not saying AI doesn't have any issues. There are many issues with AI, AI meaning LLMs, and we'll get to that later on today. But this technology is here to stay, and you gotta be the expert over the expert system, which requires you to actually look into these things and up your understanding at a deeper level in forensics and data structures.
SPEAKER_01: Right. Brett says, if you don't know forensics, you'll never know if AI gives you the right answer. That's exactly the point of the class that we teach at IASIS. And I mean, exactly the point of a lot of training classes nowadays, which is great to see, by the way, some of these classes coming out that teach you what it is and why it's there, what it means, and really dive into the data structures and teach you how to handle it yourself.
SPEAKER_03: Yeah, I love it. What? "You are not AI friendly." I think I have a little bit of a reputation, oh, I see that, for not being AI friendly.
SPEAKER_00: Yeah, you do.
SPEAKER_03: Yeah, don't get me wrong. It's not like I'm loving the AI now. But we live in reality, yeah. We live in reality. So if the capabilities are gonna be there, then I guess I haven't changed my mind, but I'm changing my approach, if that makes sense.
SPEAKER_01: Yes, you've changed a little.
SPEAKER_03: Then we have to do things in a way that makes sense, that provides value. Because me just saying it's not gonna do anything. So if we're faced with these capabilities, and some of us might even be forced, right? You know, as an institution, we're gonna use this process. Then how do we do that without forgetting what our digital forensic process means scientifically? Yeah, and a big piece of my thinking right now is we need to be experts among expert systems.
SPEAKER_00: Yes.
SPEAKER_03: And there'll be a culling, like a cutoff of who knows and who doesn't. And I want to be on the right side of that equation.
SPEAKER_01: Yeah, I want to know. I want to know. Absolutely. So with the data structures that we teach, we're gonna try and hit on some of them in the weeks coming up, leading up to the class. So hopefully we do another podcast in a timely manner. Yeah. And talk about some of the additional data structures that everyone needs to know about.
SPEAKER_03: Yeah, no, and it'll be a little bit like quick nuggets, to pique your interest. Yeah. And then, you know, there are a lot of resources that we'll provide in the podcast so you can follow through on some.
SPEAKER_01: Definitely. So now we're at what's new with the LEAPPs. I know there was a new addition to ALEAPP, correct? Do you want to talk a little bit about that?
SPEAKER_03: Yeah, so a good friend of mine, Giovanni, I forgot his last name right now. Perez. Yeah, Perez, there we go. So Gio's a great guy, an excellent examiner at another federal agency, a United States federal agency. And he was looking at some data sets in regards to the secure folders in Android and the Samsung implementation. And he discovered there's a SQLite database that keeps track of every piece of media that's placed in and out of the secure folder. And this is great because it has the name of the media, the directionality, was it put in, was it taken out, and when it happened.
SPEAKER_01: Wow.
SPEAKER_03: Oh yeah. Now, anything that has a timestamp, I am already in love with.
SPEAKER_01: Yeah, definitely.
SPEAKER_03: Because there are reasons why you put data into a secure folder.
SPEAKER_00: Yeah, oh, there are reasons, yes.
SPEAKER_03: When you look at artifacts, you're building a story. It's not just saying, well, I mean, true, you say the fact: yeah, this thing was here at this time. But you're making, like you mentioned before, you're building a story by expressing the facts in a chronological, commonsensical manner, right? And you cannot speak to intent unless you look at all the factors together, right? And when you look at the factors of the case, and then you figure out that at this particular time something happened, then you can get behind that to the intent.
SPEAKER_02: Oh, right.
SPEAKER_03: Then you can, for the stakeholders, paint the picture of what was happening. We kind of take a recording of the past and we make it real again in the present. We look at things that happened in the past through our devices, phones, computers, and then we tell the stakeholders this is what was happening at that time in this particular way.
SPEAKER_01: Build that timeline.
SPEAKER_03: It's like a digital archaeologist, in a sense, right?
SPEAKER_01: Yeah, I like that.
SPEAKER_03: Yeah. I'm like the Indiana Jones of digital forensics, I wish. So, you know, all kidding aside, the point of that is you gotta make sure that you also think about how you are building that timeline and what its story is telling you in regards to the intent of the person doing whatever the person was doing, right? And I'm not gonna put in my report "the person intended"; I'm not doing that.
SPEAKER_01: Oh no, don't do that. Obviously not. Don't do that.
SPEAKER_03: But you put the facts that lead to the conclusions, then the stakeholders will make those determinations, right? And that's how I think you should go about it.
SPEAKER_01: Yeah, excellent addition to ALEAPP. And, I mean, we talk about the LEAPPs all the time, but just in case there's anybody listening that's not familiar, it's an open source project. So if you find an artifact that nobody else has discovered, write the script, figure out how to parse it, figure out how the data is stored. If you need help with that, we're always there to help with implementing that into the LEAPPs, and then it puts it into a report for you for courtroom presentation.
SPEAKER_03: And this is always ongoing, an ongoing thing, right? So, for example, like yesterday or the day before, a friend examiner of mine from another division, she was telling me that the Wire chat application is not supported anymore. And I said, well, let's see what's going on. So I looked at the code. Was it me? I don't know if it was me or not, but the code that's within the tooling that I kind of oversee, the LEAPPs. And the data source is SQLite.
SPEAKER_00: Yeah.
SPEAKER_03: But the data source that my examiner friend found was, what was it? LevelDB. LevelDB, thank you. LevelDB. So it's a different data structure now.
SPEAKER_02: Completely.
SPEAKER_03: So of course we tell vendors in the space that, hey, we need to support this, but vendors have roadmaps, they have things that they are already working on, so they cannot turn on a dime and just give me a LevelDB parser for Wire, which means there'll be a gap in time between what changed and a solution for that change.
SPEAKER_02: Right.
SPEAKER_03: And it's on us, the community, to actually fill that gap in. So one of the things I'm gonna do the moment I get off the plane is, you know, open my computer and start looking at LevelDBs. And if you haven't heard about LevelDBs, you need to look at LevelDBs.
SPEAKER_01: We're keeping you in suspense though, because we'll cover LevelDBs as our data structure on the next podcast. There we go. That'll be first up. Don't miss it. Don't miss it. Yeah, that'll be first up. Yeah.
SPEAKER_03: So there will always be that type of gap, right? And we're there to fill those gaps. Just saying, well, I'll wait till, you know, somebody supports it. Well, no, there are time-sensitive cases that need us. So reach out, we'll be happy to work with you.
SPEAKER_01: There are definitely ways of doing it before you just wait for it to come out in a tool.
SPEAKER_03: In this particular example, I mean, my friend knows me, knows how to get to me, but you can go to the GitHub repository for ALEAPP, which is the Android one, since this is a change in the Android Wire implementation. Go to the issues and say, look, this parser is not working anymore.
SPEAKER_02: Yeah.
ALEAPP Updates
SPEAKER_03: And I mean, that's fine, but tell me more. Tell me: I looked and I don't see a SQLite database anymore. Right. And I looked and I found out it's LevelDB. And not only that, I made some test data. And here's some test data for you to maybe help me out. And that's the thing. You gotta help yourself. Just telling me this doesn't work, I can't do anything with it, right? And that applies to anything in life. You can't go to somebody and say, hey, you know, this sucks. Okay. I mean, did you do some research? Did you try to help yourself a little bit? You know, did you Google a possible solution? I am not your personal Google here. Or your personal AI.
SPEAKER_01: I tried just saying "this sucks" to him. It doesn't work.
SPEAKER_03: Yeah, no, no. It sucks. Well, too bad, so sad.
SPEAKER_01: No, yeah, figure it out.
SPEAKER_03: Do some steps first. And even if it's just, hey, look, I made some test data. I don't know how the thing works. Right. But here's test data.
SPEAKER_00: Here it is.
SPEAKER_03: Oh, that opens. I mean, I can work with that.
SPEAKER_00: Right, absolutely.
SPEAKER_03: And you may end up with a parser, right?
SPEAKER_00: Yeah.
SPEAKER_03: So think about not only complaining. But also, I complain. I mean, I complain all the time. I don't call it complaining, I call it something else. But I also try to start with a B.
SPEAKER_01: Okay, all right.
SPEAKER_03: But the point is, I also try to take affirmative steps to do something about it. Yeah. You can do some research, make some test data, do all the things that need to be done to then push the ball forward to those that can take it and run with it.
SPEAKER_01: All right. So that leads us to the last topic of the podcast, which is always everybody's favorite, the meme of the week. If we could put up the next image, please. I think it's number three. We don't have it.
unknown: Okay. All right.
SPEAKER_01: Describe it, describe it. I'm gonna talk about the meme of the week then. So it actually got a lot of traffic on LinkedIn during the last few weeks. So the meme of the week is, it looks like a father or grandfather and son, and it says, "My daughter tells me..." No, that's not a grandfather, it's like a dad, and then the dad and the boyfriend. And the boyfriend, yeah. I always ruin it. Dad and the boyfriend. It says, "My daughter tells me you are a digital forensic examiner." And the boyfriend says, "Yes, I only give out portable cases and UFDRs." And the dad says, "You have exactly 10 seconds to get the heck out of my house." I love this meme. I love this meme because it's not our job to just hand out a tool report and call it a day. We can't have reporting where we don't explain the artifacts. Just because we understand them does not mean that our stakeholders, our prosecutors, whoever the tool report is going to, are going to understand them. And I'm gonna tell you, it's not that it doesn't mean they're not gonna understand them. They absolutely are not going to understand them.
Meme Of The Week And Reporting Standards
SPEAKER_03: Oh look, I am the father of the daughter there, of the girlfriend. I'm the girlfriend's father in that meme. And if you want to see it, you just go to LinkedIn, look for my name, and you'll find it. Yeah, I am that guy. Because I've seen many cases, I've heard from other agencies, where the examiner goes, does a parsing, takes the report, because a portable case, a viewer, a UFDR, whatever the vendor or tool you use calls it, it's just a report. There's no analysis, there's no examination. Then they take that and give it to a stakeholder, in this case, stakeholder meaning a defense attorney or prosecutor or whoever. And good luck. Yeah. I understand, I get it. Reports have columns with some explanation, so it could be easily misinterpreted by somebody that doesn't have the expertise to give meaning to it.
SPEAKER_01: And we've seen that in court cases.
SPEAKER_03: Constantly, yes. You can say, well, look, here's a timestamp for something that happened at a particular time, therefore it happened at that time.
SPEAKER_02: Right.
SPEAKER_03: And maybe that timestamp is not representative of when it happened. That timestamp might be representative of when a particular set of actions started that culminated in what's recorded in the database. That's a big difference between when something started to be recorded versus when it happened. And the report only says timestamp.
SPEAKER_02: Right.
SPEAKER_03: So now what? And you give that to a person that doesn't have that background knowledge on how to interpret that properly, then they will do analysis. Analysis is not something that's done just by the fact that you're an examiner. If anybody takes something and interprets it to get to a conclusion, that's an analysis. It will be a wrong analysis, right? But it's still an analysis. So we are tasked with actually doing the analysis. Now, do I give portable cases to folks to find chats or whatever? Sure. I mean, definitely. Find the chats, find the pictures with the contraband, that's great, right? Yep. And then give it back to me, and then we'll have a discussion in regards to where we're at with what you found and what it means, and what report is gonna go with it, what narrative report will go with it as needed.
SPEAKER_01: I think another good point to make before we have to close for today is standards, right? We've heard of the Daubert hearing, we've heard of the Frye hearing; we have Frye in New York. It admits expert testimony only if the techniques are generally accepted in the field. If you aren't writing a report, how, at your Frye or Daubert hearing, are you going to be able to testify to what has been done, to the methodology that's been used to generate this tool report or to get to that point? I feel like the report is the most important part of digital forensics.
SPEAKER_03: So we're out of time, but for the next episode, we're definitely gonna take a big section, because I want to hear more about the Frye standard in New York. I do Daubert down in Florida, but I'd really love to hear more about that and how the reports play into that. Absolutely, from my investigator perspective. So for the next episode, we're gonna have that. So yeah, it's been awesome again. We ran out of time. So thank you to MSAB for having us here, giving us a platform to participate with the community.
SPEAKER_01: Yeah, thank you so much.
SPEAKER_03: Yeah, it's been great. Thank you to the folks in the chat. The chat was fire. I loved it. Really great comments, really smart people there.
SPEAKER_01: Absolutely.
SPEAKER_03: And we'll see each other soon, right? Yeah, anything else, or do we go to the outro?
SPEAKER_01: I think that's it.
SPEAKER_03: Well, we'll see you. I don't have outro music, but because of that, Heather will sing.
SPEAKER_01: No, no, no. Thank you for joining us. That's the end of my singing.
SPEAKER_03: Take care, bye.