
Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
Techno, Timeline, and Training Truths
We kick off this episode with highlights from the Techno Security Conference, our 80s-themed outfits, packed LEAPP labs, AI panel discussions, and great conversations with friends and colleagues across the field.
We discuss Brett Shavers’ recent series on DFIR entry-level work, and share our thoughts on the need for better forensic training and clearer distinctions between forensics, cybersecurity, and incident response.
We also talk about recent tool changes in the industry: Cellebrite’s acquisition of Corellium, which could make mobile app testing more accessible, and Magnet’s purchase of Dark Circuit Labs.
We cover Harper Shaw’s Vehicle Network App, a valuable source of vehicle-related data. Alongside that, we highlight a recent blog on cached screenshots in Windows 11.
Be sure to check out the excellent “Parsing the Truth” podcast.
Heather walks through her Easter road trip to test Android's Timeline feature (formerly Google Location History). The location data was impressively accurate, but also showed how easily some points can mislead without the right context.
Catch us at IACIS Reno in January and check out some of the resources we mentioned.
Notes:
Parsing the Truth: One Byte at a Time
https://parsingthetruth.com/
Cached Screenshots on Windows 11
https://thinkdfir.com/2025/06/13/cached-screenshots-on-windows-11/
The Vehicle Network App from Harper Shaw
https://harpershaw.co.uk/the-vehicle-network-app-1
Belkasoft CTF
https://belkasoft.com/belkactf7/
Brett Shavers 6 part series
https://www.linkedin.com/pulse/dfir-really-entry-level-brett-shavers-ewsvc/
https://www.dfir.training/new-to-dfir/dfir-career
Artifact of the Week/Android Location History
https://thebinaryhick.blog/2024/06/28/the-green-look-back-androids-on-device-location-history/
Welcome to the Digital Forensics Now podcast. Today is Thursday, June 26, 2025. My name is Alexis Brignoni, aka Briggs, and I'm accompanied by my co-host, the Data Queen, the Master Instructor and the better half of the Digital Forensics podcast, the one and only Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. Yeah, what's up, Heather?
Speaker 2:Oh, nothing, nothing. It's been a long time since we had a podcast.
Speaker 1:Yeah, yeah, you've been slacking. I don't know what's going on with you Me, it's my fault.
Speaker 2:It's my fault, my fault. Oh, it's both of us.
Speaker 1:We've had a lot of stuff going on, so uh, yeah it's been a few, few weeks, it might have even been a month, yeah, I think. Yeah, like a month. I was gonna say three weeks from techno, but I don't I don't even remember.
Speaker 2:It feels like it was ages ago we didn't end up doing a podcast from techno, though we were going to, but I don't even know what happened.
Speaker 1:I guess we were. We were partying at the was busy at the vendor.
Speaker 2:Oh sorry, we're working hard yes, working hard, exactly, don't say party no, we did have the vendor parties were pretty good.
Speaker 1:We hit them all because, of course, free food and and you know, and chit-chatting, so it's all good stuff definitely yeah um well, I mean speaking of techno.
Speaker 2:Let's show some pictures from techno. It was a great time. I had such a good time there oh, absolutely yeah.
Speaker 1:Kevin said he had too many churros. See now, now that he said that you know what, I'm gonna get the churro picture, but start talking about that while I get the churro picture okay.
Speaker 2:so while we were at techno um a, alex and I actually did a couple of presentations. We did a presentation about the leaps, what they do, how people can use them, and then we did some hands-on labs. Kevin Pagano was also in the room and very helpful for the leaps presentation.
Speaker 2:Oh, he was the third instructor there yes, 100 30 instructors, so it was fantastic to have to happen he just needed to get up and come up front with us, and it would have been perfect yeah, no, no kidding but uh, so yeah, so we did. We had a packed room for the leaps hand hands-on lab, um, and then the very first night, celebrite had an 80s party, so we got to dress up in our 80s outfits here.
Speaker 1:Getting jiggy with it 80s style so yeah. So there's me in my lovely 80s outfit and then Alex in his lovely 80s attire well, it's not really 80s, it's just zooming in there so people can bask in the awesomeness of my polo shirt oh, yeah, yeah, let me zoom right in. Yeah, give me an extreme zoom look at that really manly unicorns with ice cream and, uh, rainbows and um cup approved donuts because oh yeah, oh yeah, and you have to notice the watch matches, the donuts. Oh, yeah, absolutely.
Speaker 2:But he even went a step further and the shoes match as well.
Speaker 1:Yeah, it doesn't go with anything else, but whatever.
Speaker 2:So the first night when we went out to dinner, you know I'm a little angel.
Speaker 1:What can I tell you?
Speaker 2:Yeah, there was no devil background, Otherwise we would have had you, we would have you in it.
Speaker 1:Okay, got it. Next picture please. Next picture please.
Speaker 2:We got to hang out with some really cool people from MSAB, Adam Firman, and you can see Bill Aycock in the back there too. He's not with MSAB, but he's hanging out. Yeah, we're drinking our awesome coffees. And then, of course, Jessica Hyde from Hexordia.
Speaker 1:We went and had breakfast with we were obviously the conversation that any normal person would be sitting next to be like what are these guys talking about?
Speaker 2:they must be, insane but yeah I think somebody commented on that picture something like that yeah there was a lot of talk about SQLite databases going on at that table or something among many other ones, I mean oh yeah data stores.
Speaker 1:That was just. We were scratching the surface with the SQLite one um Anna.
Speaker 2:She teaches with us at IACIS, so we got a picture with Anna, yeah, she is she's awesome.
Speaker 1:She's a teacher for Spyder Forensics as well yes, and then we did.
Speaker 2:Let me zoom in on this one we did an AI talk an AI talk with Adam Firman, so we sat on sort of like just a panel discussion about AI. It was a class at 8 30 in the morning, right, I think 8 or 8 30 it might have right at eight.
Speaker 1:And it was a packed room.
Speaker 2:I was so shocked. I thought we were not going to have anybody show up because you know parties the night before. But it was a packed room.
Speaker 1:And I think, I think people expected me to take a dump on AI and they want to hear that, and I did not disappoint, of course.
Speaker 2:So you did not. Yeah, so it. So the talk was kind of about is AI useful or useless? So we went back and forth about that.
Speaker 1:Yes, it was like useful what.
Speaker 2:And it was useful something. And then useless abstraction, useless distraction, yeah, useless distraction, yeah, useful, yeah, something like that. But it was pretty good.
Speaker 1:Adam is a great kind of moderator, slash commentator, so it was pretty good.
Speaker 2:Oh yeah, definitely. And then we have a picture of Alexis here at the houseboat. So we stayed on the houseboat, which I was so excited about, because last year when I went I saw everybody on the houseboats but I was in an Airbnb up the road.
Speaker 1:So I got the houseboat for this show and they were like totally awesome. Like you see, there's like a little pier that I'm standing on and then you will walk in this pier and then the little houseboat. You can see a little ramp that you walk in and oh, they're fancy fantastic. They had like a balcony in the back and it was great.
Speaker 2:Yeah, definitely. Do you know what I just realized as we're flipping through these pictures? I don't have any pictures of us with Kevin.
Speaker 1:Oh well, that can be easily solved. Okay good, you just give me literally get to the next one.
Speaker 2:Oh well, I got you right there.
Speaker 1:You're going to want to talk about this one. Oh wait, I have to say I was going to look for Kevin's picture. Oh, of course, look at that it. Some Cellebrite folks. I I forgot her name. She's gonna kill. Well, sorry, I forgot your name right now, but she works for Cellebrite there in the back yeah and uh, yeah, she beat me at at pool but it's okay.
Speaker 2:It's okay. You don't have to look like. You look a little bit like a pro, but I was in that look?
Speaker 1:I just look like it that's it. This is just for a show, but you didn't have to call me out. You know, on the internet, you know you can't just like leave it there, you know I might know somebody named alexis that calls me out on the internet every podcast. As an introduction, I look, I only I look, look I said nice things I said nice things about you.
Speaker 2:You know what next episode get ready oh, damien says golf pro and pool pro oh, that is true people.
Speaker 1:the golf one I totally won not. Not, not that the difficulty was kid level, but whatever, I have one with Kevin and me, so I'll show you that I just flew through these.
Speaker 2:anyway, there we go. So the next one, Alexis, went and got a nice selfie with my co-worker. So you see everybody in that picture works for the state police, the New York State Police.
Speaker 1:Yeah, I was like how can you deal with Heather every day? And they're like we don't know, it's just we have to. You know, I kid, I kid ah, here we go.
Speaker 2:Robert Pike. If you don't know Robert Pike, he's from North Carolina, he's a uh contract instructor for Cellebrite and he also teaches at NCFI and he works for North Carolina.
Speaker 1:That's a one picture. Well, I mean the serious people that we are, of course, the picture really capture how serious we are about things.
Speaker 2:Yeah, definitely. And then did I miss one again.
Speaker 1:No I did not. And then we have you and I getting ready to teach our hands-on lab outside with our sign yeah, it's a point of humble pride to be in the technical science, so I'm happy about that. It's something that I wanted to do Go ahead.
Speaker 2:You're sharing a bunch of other pictures with me in the background, aren't you?
Speaker 1:Yeah, yeah, because the Churro picture and the Kevin picture, I got them all.
Speaker 2:Alright, I'm going to remove it for a minute and go find them then.
Speaker 1:Ronan is in the chat. Good to read you, man. We had a great time with him and him changing the DJ. Not the DJ, but the music that was playing at the bar.
Speaker 1:He was just oh yeah with with the, with the thing, oh, the flipper. See, yeah, so that was, that was fun. And then they're like why isn't that changing? Well, because it's a real person singing. Now it's not, it's not, it's not the uh the thing anymore all right, I have our additional.
Speaker 2:Let me get those up here.
Speaker 1:Yeah, look everybody. I don't have that many topics today, but I want to see all the pictures.
Speaker 2:I'm getting there. I'm getting there. All right, let's go back to us at our sign. And then we have the churros, the little churro cart.
Speaker 1:They said they're going to bring out the churro cart. So I'm thinking somebody's come with a car and give me a churro. No, no, they had a cart that they actually put on the table with churros in it, so well, that's a literal churro cart it was very cute little cart yeah, no, it had like the chocolate dip and the caramel and the other one I didn't know what it was, but uh, they were good. The only bad thing about them is that they needed to have some more. There were too few.
Speaker 2:Ah, there we have a picture, kevin right out on the deck of the houseboat.
Speaker 1:Oh yeah, it was great to hang out there and the weather the first couple of days was really good in regards to it wasn't hot or nothing. Right Then at the end it got rainy, but it was pretty good the first couple of days so we could hang out there.
Speaker 2:I don't even know when this picture was taken. I think this is the first time I've seen this one.
Speaker 1:Well, you're posing.
Speaker 2:Well, you just sent it to me.
Speaker 1:Yeah, no, we were. We were walking from the. I think it was the Sumuri party, right.
Speaker 2:I think the Sumuri party Yep.
Speaker 1:Yeah, and then we're going we're going?
Speaker 2:going to whose back this party party hop in the whole week, so, yeah, so Techno was a great time. If, uh, if anybody listening has never been there, I would definitely, uh, definitely, go to Techno. It's going to be back in Myrtle Beach next year instead of Wilmington, North Carolina, so yeah, looking forward to that.
Speaker 1:We need to figure out what are we gonna submit a?
Speaker 2:talk on. So we can, definitely, definitely. So let's get into our topics. Um, so I brought this up before but I wanted to bring it up again because, um, registration is open for the IACIS Reno event. So I'm sure everybody knows about the IACIS event that's held in Orlando every year, but this will be the first year that there's going to be an additional event and it's being held in Reno, Nevada, in January, the week of January 11th. So that whole week and it's all. It's a lot of the specialized classes. The BCFE will not be an option for the first Reno event, but the specialized classes will be there and you can sign up to come take the advanced mobile class with Alexis and I and the other great instructors.
Speaker 1:Yeah, so not only can you, I expect you to sign up.
Speaker 2:It's a good class, so we see you all in the chat there. We're waiting for your names to pop into the registration.
Speaker 1:No, come on over. I mean, we're going to, we're going to have a great time with we, we, we deal with a lot of neat data structures and artifacts and and things that you're not going to find anywhere else, and, uh, we get to hang out in the afternoon.
Speaker 2:So, come, come, come show, so we'll see yeah, definitely, but you gotta sign up first, so let's do it yeah, um wanted to highlight a new podcast that's out. So the new podcast is called Parsing the Truth: One Byte at a Time, and the hosts of this podcast are former FBI senior forensic examiners Becky Passmore and Stacy Eldridge, who I got to meet, and I know you know both of them.
Speaker 1:Oh yeah, I know them from before they retire or left right, and I can personally vouch for them. They're legit and the show's been fantastic. I haven't been, I heard I'm kind of catching up to the episodes, but then I saw one that I wanted to hear, so I jumped on that one. So now I'm I'm halfway on the expert witness one, um yeah. And then I heard before that I heard the um how to get into data forensics podcast great, great hour of information, especially if you're new and the uh, the one about the expert witness.
Speaker 1:They explained really well the difference between expert witness fact witness and some things to really consider when you're doing the type of role. And and both of them they have testified extensively throughout their careers when they were in the bureau and obviously at least Stacey is still involved in courts and court work, so she obviously continues to testify and Becky is now an excellent instructor in Arkansas. I think, and they're fantastic and they're really they're great personalities. So please, I highly recommend you take the time and listen to their or watch.
Speaker 2:I like watching because they have also a video.
Speaker 1:So watch, or and or listen to their podcast is going to be a lot of benefit to to yourself, as you know, to kind of grow in the understanding of your career. So go, go, check it out. And if you're new you definitely need to uh, get it and listen to it. I have them on my list for this weekend. I have not watched an episode yet, but I have it ready to go well, and they're mixing some of like like knowledge podcasts with like case studies, for example they had.
Speaker 1:the first one I listened was the BTK killer and and how, how they got them based on a floppy disk and it's pretty. Now they came out with another. They're coming out with other episodes. I love it. I love that they're so consistent in throwing stuff out or making great content. They won like another case study about some criminal in a bike. Oh, so I really really like that's the next one that I want to. I'm going to listen. I'm going to jump the ones that I have listened to yet to get to that one.
Speaker 2:So it's a good balance. Sorry, they're doing weekly right.
Speaker 1:I assume because there's so many from my perspective, but that's awesome because the content is so good. Like I mean, I cannot do that. We cannot do a weekly show, we're not that good.
Speaker 2:I don't know if I have time to do a weekly show either.
Speaker 1:No, but that's the thing I mean. They're doing their show based on their own cases or other cases they know about, plus kind of knowledge of the rest of the field, so it's a great, great show to listen to. So they're on top of my podcast listening to listen to-do list. So everybody should do as well.
Speaker 2:Definitely. Up next for me. So a couple of company acquisitions that have happened since we last had a show. Cellebrite acquired Corellium, and if you don't know what Corellium is, it's a tool that lets you create virtual iPhones, Androids and other smart devices, so kind of like having a fake phone right on your computer. Um, acts just like your real device, but you won't need to buy one or plug it in. So what you can do with that testing apps, look for bugs, explore how the devices work or even create real life scenarios. So I'm really curious to see what Cellebrite does with the purchase of that company, because all of those things are great.
Speaker 1:I mean, the first thing I want to say, that is that obviously they spent a pretty penny I don't know how much, but I can assure you it wasn't like it wasn't a million dollars, it was way, way more than that to get to get Corellium and Corellium has been the news. It wasn't the news, you know, maybe a year or two ago, because Apple had sued them for kind of virtualizing the iOS operating system and they were not allowed to do that and the court said yes, they are allowed, which is a great win in the sense of being able to use these technologies for security research. I think, from my understanding of the company throughout the years, is that their main core product or I said not product. I should maybe rephrase yeah, the competency they have right is for researchers, security researchers. You want to make sure that the apps are working properly, that you pen test them properly, that they're safe, et cetera. Right?
Speaker 2:Right.
Speaker 1:And that's a big question in regards to what is Cellebrite going to do with it in regards to data forensics, because at least the only use case scenario I see for data forensics straight up is saying, okay, I want to analyze an app, right, and the app now. I don't have to spend time doing dumps and have another tool to do the dump, because in the Corellium environment I can pull the data out. It's like a virtual machine type of setup, right, and I could really go deep. I even wonder if you could take data from one device right and maybe put it inside the Corellium virtualization and maybe see how it behaves. I don't know how it's going to look, but I think that's their main thing. What else will they be able to do with it? I had no idea.
Speaker 1:Now, my big thing is this the reason, my opinion, and again, everything we say here has nothing to do with work or employers. It's all us talking as members of the community, more than experts, members of the community. Corellium is not widely used in digital forensics because of the price right. It's extremely expensive and labs don't have that money. Now, will Cellebrite integrate some of that into their insights, insights tooling, to kind of allow for that. I, I don't know um, I would like for the product to be more accessible, um in regards to cost, um for those benefits, and maybe they could have a tier system where if you're doing pen testing and different things, it's a price. If you're doing only like data forensic work in regards to app analysis, it's another price or an addition. I don't know how they're going to do it, but I really hope it's way more accessible, the technology price wise, than it is currently, because we even looked at it to make some content for the courses for IACIS, yeah, and I was. I was like wow, that's a lot of money.
Speaker 2:Yeah, I wasn't sure IACIS was going to purchase that for us, I'm thinking no yeah, the nonprofit yeah that's not happening, not going to happen.
Speaker 1:So it'll be interesting to see. I mean, it was a big win. So that came out when we were at Techno right, and it was like the talk of the floor there. It was For a day in regards to first they spent a lot of money on it.
Speaker 1:And second, what are they going to do with it in regards to be able to recover, get that ROI right? So we'll see. We'll see hopefully not too far into the future how they're going to use it and hopefully again really come up with useful use cases for data forensics. In regards to iOS virtualization technology.
Speaker 2:Yeah, so the other company acquisition that has recently been in the news is Magnet's acquisition of Dark Circuit Labs. I don't know a ton about Dark Circuit Labs, but I was looking at it prior to coming on the show tonight, and their site says that they provide services such as reverse engineering, vulnerability research and software development. So what more do you know about them?
Speaker 1:Well, I mean, I want to more than them. I want to comment about and I said this before, I still think it's relevant the big differentiator between companies in the digital forensic space, specifically dealing with mobile forensics. Uh, it's not so much the parsing.
Speaker 1:Parsing is important. I want to make sure the tools give me as much as I need. It's not the translation, although I want the tools to translate stuff for me in a sense, at least give me a sense of what they're saying but we don't get to any of that if we don't have access to the data. So, yeah, we need access to the data. We need to make sure that we're able to get the full file system extractions that we need, because if we have that, if I had to do the analysis by hand, then I do it by hand. But without no data, there's no analysis, no matter what tool.
Speaker 1:You have right, and I still strongly believe that the company or companies that have a really strong exploit development chain are the ones that are going to be continue to be successful in the market and command the prices that they put out, and this has to be a really strong supply chain for lack of a better word, because things get patched all the time right, there's updates, and they have to be constantly looking ahead.
Speaker 1:So acquisitions of outfits that really know how to get to the data are going to be extremely important. And, uh, um, parsing is going to be secondary to extraction and to access access and extraction right. And and that's and that's not even adding to the fact that we need to circumvent, obviously lawfully, because we're talking about here in the in the law enforcement realm or civil realm, where it's by basic consent all this access has to be lawful, right. So lawful access of data when access has, you know, there's a password, a pin code that's unknown or does not want to be disclosed. So how do we go about that? And that's whatever companies are on it and developing. Those are going to be the leading ones in this field. The parsing piece will just follow after that.
Speaker 2:Right, so looking forward to see what happens with both of those tools being incorporated into tools we already use.
Speaker 1:Yeah, and really hear the chat on the screen real quick, you know I mean long story short yeah, the tools are expensive and yeah, there's a lot of you know R&D that goes into them Absolutely, and all that has to be balanced with how much the market was able to actually pay for things. Right, I believe that there will always be a market for I say market not because of money, but of users for open source tools. Maybe not so much in the accessing part because, like I mentioned previously, if an access method is disclosed, it will be immediately patched and it will go away. But in other functions, like in the parsing function, right, if we have the data, then we can really balance out some of that cost with open source tooling or scripting, and that's why we I'm going to add you in this we push for folks to learn some code, right, you will be able to be more productive and validate and verify validate processes and verify data if you do so. But yeah, it's expensive.
Speaker 1:It is what it is. Is it justified? And sometimes I feel that it's not. Sometimes I feel that it is.
Speaker 2:I feel that it is yeah. A lot of work goes into it, so I mean it's gotta you have to pay the workers that are putting the work into it.
Speaker 1:But yeah, the only thing I'm going to say is if, if, the functionality is the same as last year and the only thing that changed is how, how you call it, I'm not going to be happy, so I expect more than a price raise just because a name changed. No, we need sustenance behind that, and vendors are trying to provide that, so that's a good thing.
Speaker 2:Yeah, so a recent article that came out from thinkdfir.com. So it's about cached screenshots on Windows 11. And it's talking about where the screenshots are saved by default. So screenshots taken with the Win+Shift+S key or the Snipping Tool itself, which is a tool incorporated right into Windows, are saved in the user's pictures screenshots folder. By default, saved screenshots have file names that are year, month, day, hours, minutes, second, png. And if the autosave is disabled in Snipping Tool, screenshots are instead stored in a temporary cache location under the user's local app data folder. So this article was really meaning to let forensic investigators know where we might find these screenshots that are being autosaved and potentially could be evidence to your case.
Speaker 1:And it's really important to know this because I remember back in the day for intrusion cases or incident response well, let's image the whole computer and go through it and figure out what happened. Well, that's not the thing anymore. Like there is no, we're going to image the whole computer anymore. On incident response, we have tooling that targets different artifacts that we care about for whatever purposes.
Speaker 1:So it's incumbent upon you, as the incident responder, to make sure that, for example, this new location, is this something that's going to be needed in my investigation? And most likely it might, it should. So now you have to make sure that your tools are not responsive to Colate not Colate, but you know, get that data Again. Why are we not doing full copies of the whole thing? Well, there's so many reasons for that in regards to what the job entails and what we're trying to prove with it. But again, it's up on you, incident responder, to make sure that you know what things you're going to pull from the box. That will be helpful in the investigation, and your awareness is key.
Speaker 2:So that's why this article is so good yeah, the one of the good things about it too, about this actual feature, um, is those cached screenshots that go to the temporary file. They may exist, they're going to exist, even if the user never manually saved them. So the user may think I never saved that. That evidence is gone and there it is, right there in the temporary folder for you.
Speaker 1:That's insane.
Speaker 2:Yeah, always check the screenshot default folder, but don't forget about that snipping temporary folder.
Speaker 1:Yeah, and that applies to folks that are not doing a response Us, that we are more in the data forensic side. Yeah, do I want screenshots of the activity of my suspect?
Speaker 2:Yes, definitely yes, please. Thank you so much.
Speaker 1:I would have it. Oh, look, here's the screenshot of the suspect looking for the murder weapon. I'm just kind of making something up.
Speaker 2:Yeah.
Speaker 1:Well, that might be useful.
Speaker 2:Yeah, definitely, but check out that article on thinkdfir.com because it was a really good read and you'll use it as a reference in the future while you're checking those locations. Absolutely, absolutely. So recently I was chatting with Noel Lowdon from the UK. He was telling me about a new app, the Vehicle Network App from Harper Shaw, which is the company he works for. So this app is designed as a secure, private platform to support professionals in vehicle system forensics and collision, um, investigation and related fields. So fields related to the vehicle forensics, um, the app has a ton of different things that might be helpful in your investigations there.
Speaker 2:There's continuing education, I guess like little videos. He does a weekly Friday feature, so it's a video briefing on practical analysis and the emerging trends in these different categories. There's case studies, there's open source resources, there's a whole training hub and there's also a peer-to-peer community channel. The good thing about this one, too, is it's only $25 a year, which I thought was great. Um, it's uh, there's additional training that you can get through that company that is not included in that $25 a year, but the $25 a year it will get you in for these resources on the vehicle network app.
Speaker 1:That's. That's ridiculously cheap. That's like like dirt, dirt cheap oh yeah yeah, I mean I don't do. I mean I took the Berla courses and all that, but my main thing is not doing cars. Um, but if it were, I would be, I would. I would get those 25 out in in a heartbeat and, heck, I would pay for the other seminars in my. You get a, you get a vehicle network app. You get one and you get one.
Speaker 2:I agree. I agree Everybody should sign up for this app, definitely. I have also done the Berla course, but I don't really go out and do vehicle forensics much either. But what I find useful in this type of platform is I'm doing reviews of other people's work and I'm doing reviews of people who have investigated the vehicle forensics with the Berla, and if I'm not keeping up to date, I shouldn't be doing their peer reviews.
Speaker 1:So this will be helpful.
Speaker 2:Yeah, this will be very helpful in that, so check it out. I put the website up on the screen, but it'll also be in the show notes at the end. To go check out that app.
Speaker 1:Yeah, and if you don't have Noel on your LinkedIn, add him, because he puts a lot of great content in regards to vehicle forensics all the time, so you gotta, you gotta, follow him on LinkedIn definitely.
Speaker 2:Other news Belkasoft is having their capture the flag, so registration is open for their capture the flag now and it begins on July 25th.
Speaker 1:And Belkasoft capture the flags are really fun. In regards to the topics, you know, the type of case you should be looking at when you do this, the capture the flags, and capture the flags as a general sense. It's always good exercises to be involved with, um, just to make sure that your skills are sharp and that you know what artifacts mean. So, yeah, please go there and sign up. They're pretty fun. Yeah, absolutely.
Speaker 2:Uh, let me just grab our next one here. So if you're connected with Brett Shavers on LinkedIn, you've seen that he's doing a series of new posts, so he's doing a six part series. There's the breakdown of the myth that digital forensics and incident response roles are truly entry level. He's emphasizing real world experience, incorporating how valuable or well, how valuable education and training are in the digital forensics and incident response world.
Speaker 1:Yeah, and I want to comment real quick on something he wrote about that, because he had a post on the educational gap, and he makes a point that we talk about DFIR like it's one thing, and he even goes to the history. Uh, Harlan Carvey, he came out with the whole DF slash IR to say, look, there's huge forensics slash like separated incident response, they're related fields. But it was, they're not the thing, right? But then, um, I think Rob from SANS, I just blanked out his name. Well, Rob, Rob Lee. Rob Lee, I was just gonna say, I just was watching him on TikTok or something, I couldn't remember it.
Speaker 1:Yeah, on Twitter he started using the hashtag DFIR. It kind of makes sense, you cannot put a slash in a hashtag, just to kind of popularize the field, and that really took off. Still to this day I use that hashtag. But the thing is that it's not Rob's fault, but the thing is that in the consciousness of the field they're the same thing. And one point that Brett makes is that, for example, universities, colleges, they say, well, we have a DFIR program and DFIR is cybersecurity. The three things are different. DFIR and cybersecurity are two different things. Now, cybersecurity can incorporate some of those and vice versa, but they're different things.
Speaker 1:So what we're seeing is a lot of folks go get some degrees in cybersecurity and then they want to put, let's say, apply for at a RCFL lab, I'm making this up, right? A forensics lab, and they don't have the skills. They were not taught the DF side, sometimes at all. They give them a lot of IR or a lot of not technical. The episode of technical would be, you know, kind of like procedural cybersecurity. You know, frameworks and that's great, that's needed, but that doesn't qualify you to go and extract data from a phone and do an analysis and, like he said in the article, if you don't know what a hash is, what do you spend your money on in four years of college, right?
Speaker 1:So I really recommend that. It's really percolating in my conscience and you start separating the DF from the IR more. I knew it already, but separate it more when I speak to folks and make sure I'm more specific, Because if we're more specific in our language, then that would translate more specificity in other fields, like at court or degrees that are being generated. There's a lot of good folks, like Jason Jordan. He's from South Africa and he's doing his doctoral work just on this problem in regards to how can we solve this educational issue, how can we identify the proper things to be taught at this level for DF and IR and how different they are. So that's pretty important. And all the articles in the series they're great. I haven't read them all, but they're fantastic and I highly recommend everybody to go through them.
Speaker 2:Yeah, they are excellent. I agree with so many of Brett's points, but it just makes me think about when I went to college too for computer forensics. My degree was cybersecurity, but it was concentration in computer forensics, and I went to get my master's and got into the master's program with zero computer knowledge whatsoever, like I was the type of person where I turned the computer on how. So making sure the student is ready for that type of program is another thing that I would just add to, um, to some of Brett's articles because I was not ready for that. I took the steps that I needed to take to catch myself up and, I mean, I was doing this stuff all outside of school. And then, when I got to the.
Speaker 2:When I got to the state police and started getting those trainings, I really like jumped in and learned everything that I know now, but it was really hard to do a degree when I had no background in computers whatsoever.
Speaker 1:Well, and even you coming into your workplace, having to catch up to the other examiners because what you were expecting to have coming out of college was not one-to-one what's needed, right.
Speaker 2:No way.
Speaker 1:Actually, Brett gives good advice for people. Sometimes it might be better, and I agree with his advice, get a computer science degree and then get a minor or a specialty in justice, like in, excuse me, in classes that relate to the criminal justice system, like criminal justice minor. Even a minor or some course is gonna. So you understand what the, the interplay between the computer science with the computers, the digital stuff and the law and the course occur right and have that, and that might be even better than getting a cyber security degree itself. And I really took to that advice because my degree is in computer science, okay. So I'm a, and again, I'm a living product of that advice. But not because I didn't want to take a cybersecurity degree. It's because they didn't exist 20 years ago when I started doing this job. But it might still be worthwhile to get that computer science degree and maybe make it stronger with some law stuff, right.
Speaker 2:That's what I was missing. So my bachelor's was in criminal justice, so I did the criminal justice part and then I went from that right into a master's for cybersecurity and computer forensics. So I was missing that computer science component, definitely.
Speaker 1:And that's that's. That's tough. I I did my master's is in information management, information systems and and that's a that's a management like an MBA degree, right, business administration.
Speaker 2:Yep.
Speaker 1:And the folks that come in just from straight business administration with no computers. We're struggling in that sense, right. So having that baseline is so important and really be a good consumer. If you're a person that's coming into the field, you've got to be a good consumer. You have to make your research. You can't just if the provider be it a university, a college, a certification vendor, whoever it is look at curriculums, look at what they're teaching, make sure that it maps knowledge base with what you're trying to get, at what your destination is. If you want to work at a lab for law enforcement, you got to make sure that you understand what the work that's being done and if this degree speaks to that.
Speaker 2:Yes.
Speaker 1:Just blindly going. You might come out four years later with debt and then not be ready for the job. Debt Yep, because it's not cheap to get out.
Speaker 2:No, it's not cheap. No, not at all. There's some comments in the comments. So one comment is saying that the classes, a lot of classes, are out of date too. Yeah, I agree 100%. So the college classes, I think a lot of them are behind. Just some, I guess, some experience with it. When I was taking classes, the material wasn't up to date. I didn't even have a mobile forensics class at all. We didn't ever even talk about cell phones. And then I got to my job and it was like 90% mobile forensics. So, um, I definitely wasn't prepared for that. And then one of the other, uh, comments, same person says, uh, they still have us learning with things like Autopsy and EnCase. Um, yeah, it's not with the most up-to-date tools and it's not with the tools that you are particularly going to use at that job that you go get.
Speaker 1:And look, if you give me Autopsy and EnCase, yeah, I'm okay with it. If the person teaching the class, you know what I mean, yes, delivers on the goods, right, because at the end of the day, I want to go to a degree and not to learn so much about tools, but to learn about the underlying things that the tools are getting at. Yes. And what I've seen, this is, I mean, for folks that have told me, is that the professor that's going to teach that forensic course has never done an E01 in their life. Never, they've never done.
Speaker 1:If I give them an SDK image, they don't even know where to go to make one. They haven't even made an extraction in their lives. But you know they're part of the staff and you have to teach this class. Read something and go at it. And again, we have to be better consumers. There are some great programs that have a great reputation. You have to really look into those and lean into those If you want to get a degree on for digital forensics.
Speaker 2:So so Jessica's chiming into, she teaches at one of the colleges and not all are behind. Some of us update regularly and that is right and that really plays into what Alexis just said. You need to be checking out the curriculum and seeing who those teachers are. Research the teachers for sure. All right. Make sure you're going somewhere that has people who have real life experience and make sure it's a curriculum that's going to fit with what you want to do.
Speaker 1:Absolutely A hundred percent. If you're going to spend $40,000, $60,000, $100,000 on a degree, you got to do some due diligence. My friend and I know you might be 19, 20 years old, but it's your future at stake here, switching careers, and you're a middle-aged man like myself. You need to do that research. You can't just jump blindly. You have to make sure you're getting the information that you need to make right choices.
Speaker 2:Yes, definitely, let's see here. So that brings us to ah, we're going to do an artifact of the week. You got a comment.
Speaker 1:Yeah, I got a comment. So Shane's mentioning that some organizations want feedback on their programs right from practitioners. One thing they could do and is, uh, have advisory boards like that's, that's like that's a thing, right, and, and sometimes advisory boards in some of these institutions it's just to say they have one. But a good advisory board and that applies not only to colleges or organizations Bring people from different fields that you're interested in and really query them on what's needed, what does the market require of our students in order for us to provide it. And being part of an advisory board, make sure you make that approach and make it an illustrious position right. Make sure that the folks that are part of that board are recognized. So you have to have motivation for people that are of importance in the field really give you the information that you need for your students.
Speaker 1:So make sure you I'm telling you it makes sense, heather, like it has to be something that's recognizable, that the person being part of it feels honored to be part of this advisory board, but also that whatever advice the advisory board gives, the institution follows up on to provide that service to their students. So advisory boards are so important and a lot of institutions. I don't see any or too little of that.
Speaker 2:So I definitely agree with that, and that would be so. That would just could fix so many problems.
Speaker 1:Absolutely.
Speaker 2:So artifact of the week, so I'm having fun showing like different research I've done or different artifacts that have been located. This isn't a new artifact. I actually think we may have talked about it on a previous podcast, because Josh Hickman actually wrote a blog about it about a year ago now and I'll put the link to that in the show notes. But in December of 2023, Google rebranded their location history as Timeline and moved all of the data storage on device rather than on their servers. So the default retention was reduced from 18 months to three months and the Timeline data resides under data/data/com.google.android.gms, not inside the Google Maps directory. There's locations and I actually have a slide to put up here. So there we go. There are locations found in LevelDB files, so it stores GPS like latitude, longitude, timestamps, the horizontal accuracy, and it's all stored in these LevelDB files. I have a little screenshot on the screen here and if you're listening and not watching, they're under app semantic location, raw signal DB and it's a whole bunch of LevelDB files.
Speaker 1:And let me say something quickly about LevelDBs. Yeah, those are the thing lately, right? I was reading an article by CCL Group about LevelDBs. Because apps now, they look like apps, they behave like apps in both computers and phones, but actually browsers, they're just skin browsers that look like apps. And the quote unquote permanent storage. I say quote unquote because all that stuff just then migrates to the cloud.
Speaker 1:But while it's sitting on your device, it's going to be sitting on a LevelDB. If it's a browser, it's most likely going to be sitting on a LevelDB for some of these, uh, apps that behave like apps but they're actually skin browsers. So if you're not up to speed on what LevelDB is, and we said it, both of us said in other episodes, we need to get on it. Like Heather is showing here, all this stuff is in LevelDBs. You need to understand how the format works. By the way, if you come up with us to Reno, to the class in January, we'll teach you all about LevelDBs, to the point that LevelDBs are going to be popping out of your ears. But you need to get up to speed on this.
Speaker 1:This is a data store that some folks don't even know exists and they think SQLite, SQLite. SQLite is great, there's a lot of it, but LevelDBs, you'll be surprised of the level of importance this humble key value pair database has in all sorts of cases.
Speaker 2:Absolutely. And I'll say too, the tools haven't really caught up with parsing the LevelDBs. They're starting to.
Speaker 2:This artifact that I'm going to talk about now, I used Cellebrite for and they parsed this location history. But where they're starting to improve is those LevelDB viewers so you can go in and validate it yourself. The parsed data is great, but I need to see it, and just going into a LevelDB file, it's not super easy to figure everything out that you need for your testing. So hopefully all of the tools will follow suit and start supporting these LevelDBs and provide a great viewer for them.
Speaker 1:I mean, what about the LevelDB that's not parsed, right? Yeah, absolutely. If you don't have a good viewer, it's like it's not even there, right? So I agree with you that support needs to really better.
Speaker 2:Support for LevelDBs is needed across almost all tools. Oh yeah, definitely, and Jessica said she likes Mushy as a LevelDB viewer. Me too. Um, it's great, and I also really like RabbitHole for a LevelDB viewer and also, um, Arsenal's LevelDB tool. Yeah, so Mushy is done by Ian Whiffin, a great friend of the podcast, a personal friend.
Speaker 1:We had a great time he's a techno and we had a great time too. It's free. You can get that for free Rabbit hole.
Speaker 1:You have to pay, but it's a decent price and does a lot of things. Not only LevelDB but does a whole bunch of stuff, and Arsenal also part of their suite that you can buy. But Arsenal also is really well known for their tooling, and actually we teach all those tools in our class as well. Yes, yep, highly recommend it. Yes, but yeah, but those last two need to be paid. Mushy is free to use.
Speaker 2:Right. So Cellebrite is parsing these for me. I found them in one of my cases. This is not my case data on the screen, but I found them in one of my cases and I decided I want to check out how accurate these are, right, because locations, that's always the problem. Are they accurate? Was the device really there? What's the deal with these locations? Josh wrote an amazing article where he tests it on multiple different Android devices, but with all artifacts, you should test it yourself too, if you have a chance. So, to verify the accuracy of these locations, I went and took a trip. Um, let me share my screen with you.
Speaker 2:So I took a trip on Easter from my house to my parents' house and I parsed my extraction after I got back and took a look at these locations in Cellebrite. Once I took a look at them in Cellebrite, I decided, all right, I want to export all of the relevant data, which the relevant data to me was the date and time, the latitude, longitude, that horizontal accuracy. So I exported all of that out into a CV, a CSV, sorry, and brought it into Google Earth so I could take a look at it. Um, so if you look at it from pretty far away, here it is, looks like the exact path that I take from my house up to my parents' house on Easter day. Um, let me just, so, if we go, this was like I was sleeping at this time, this was like 12 AM. It'll bring you right to my house. All of these locations. Um, for the wee early mornings here.
Speaker 1:I just I love, I love the swimming effect and it never gets old.
Speaker 2:I love the swimming effect. It never gets old Work at my house. So about 8.30 am I'm still home, but I decide to leave the house a few minutes later or a little while later, I think, like an hour later and at 9.48, I arrive at Starbucks.
Speaker 2:So let me get to 9.48 here to get my coffee for the ride up to my parents house that's like the most american thing anybody can do we'll take a little trip over here and I'm gonna zoom in for everybody, but the starbucks building is right there and the points that these locations drop are actually me coming around the building, going through the drive-thru. So you can see there's a few points here, there's a point here and a point here. This one right here that I'm on is actually right in the drive-thru. I'm probably grabbing my coffee at that moment After actually sorry, I didn't I got a lemon loaf because I went and got an energy drink next door for my drink. So at 9.52, I go over next door here sort of next door up the road a little bit to Unstoppable Nutrition, and I get one of those energizing teas because they have way more caffeine than the Starbucks coffee.
Speaker 1:You need the lettuce stuff.
Speaker 2:Well, I was going to my parents' house for Easter, so if you can see this screenshot, I'm going to zoom way in. Let's see here. So if you look right here, there's like a little bush right here. Right next to that bush is where I walk in to grab my energizing tea, and you can see the points where the GPS has my device are right here. That literally is the parking spot that I was parked in, the parking spot right here in front of this bush. So that's how accurate these locations were at this time for my device. I then leave head up to my parents. I'm going gonna just scroll up to when I'm about to my parents house. It's a pretty long trip, like an hour and 45 minutes, so we're not right right before you rob the bank?
Speaker 2:yeah, right before. Oh shush, don't be telling my secret, no, but you're an awesome decision.
Speaker 1:A case like that. Yeah, here's the, here's the getaway vehicle after when they rob the bank.
Speaker 2:Oh, yeah, yeah, definitely, definitely. So now we're going to take a little zooming trip and we're going to cruise up the Northway. Uh, and at this point, right here, I am almost to my parents' house, and when I put all of the data from the Cellebrite extraction into like a timeline, when I'm right here at this point, I actually text my sister that I'm there. I'm not actually there yet, but I want to make sure she's there too when I get there. So at 1127, there's actually a text message right at that same time, and I'm just down the road from my parents.
Speaker 1:It's like, are you heading this way? Yeah, yeah, yeah, I'll be there in a minute. And you're still in the shower. Yeah, exactly, I'm on my way.
Speaker 2:It's still getting dressed. About a minute later I'm at my parents' house. I'm going to zoom in on my parents' house here ... where I start traveling away from my parents' house and I'm headed back home. At 7.21, I'm quite a ways into my trip there. Let me find my 7.21 for you.
Speaker 1:So we'll be in for years here of your life? Yeah, definitely, that's amazing.
Speaker 2:Well, the accuracy thing's coming up, so I have to do my trip home. So at 7 21, you see me pull off of exit 11. So this is where I'm pulling off of exit 11. Right over here is where I pull off, and I actually pull into a Dunkin Donuts because it is raining so hard that I can't even see to drive.
Speaker 1:It was not to eat a donut, though by any means it was not. I didn't even go in. It was raining.
Speaker 2:I didn't even go in.
Speaker 1:I don't know that location that is really close to the store. I don't know, no, so that's where this is awesome.
Speaker 2:That's where these locations are awesome. I pulled in and I parked way out front of the store and just sat there. This is literally the exact spot I was parked when I pulled in and I only stayed for a few minutes and decided I'm going to try and drive it'll, it'll be okay. So I stay for a couple minutes and at 735. 10, let's see here, I get back onto the north way, but then it is pouring so hard I have to get back off of the north way. I get off exit 8, pull into a stewart shop. So these are. These ones are awesome what shop again?
Speaker 1:what? What shop is this?
Speaker 2:Stewart's. It's a local gas station. You don't have Stewart's, do you?
Speaker 1:No, we have Wawa's.
Speaker 2:Okay, so I have a Stewart's, do you?
Speaker 1:have Wawa's. No, you're missing out, go ahead.
Speaker 2:So this is the Stewart's shop right here and you can see all of these points. I sat there for quite a while. It was downpouring, for a while there was thunder, lightning, everything else. But the best part of this is let me scroll in a little bit there were so many cars pulled off this exit because of the rain that none of these parking spots were open. So I parked right here where it wasn't a parking spot. So I was parked right there after the last parking spot and that's where the device logged me the entire time that I was sitting there.
Speaker 1:Okay, okay, You're parking on illegally parking.
Speaker 2:I was. I was illegally parking. I eventually get back out onto the road, I think at like 802. I sat there for a while, so let me grab 802. I went the wrong way, I'm not going to bore you with that. And I get back on the Northway and I arrive back home at about 832, I think, yeah, 832. So let me go there. We'll go to 834 because I should be home then, so all the way back to my house.
Speaker 2:So these are very accurate locations, right, super, super accurate. Are they always accurate, is the question. So, as I'm looking through these, I looked through all of these. There were tons. I'm looking through them. So I'm looking at the horizontal accuracy and there are some locations that have a very large horizontal accuracy. So what does that mean? They're not as accurate as the other locations. So I actually pulled those out of my location so I can just show these. So during the day, I said, I was at my parents' house all the entire day for Easter. I never left the house, but while I was at my parents' house, this test device was, it was out in the driveway in my car, and while I was at the house there were locations logging me in the village of Whitehall, that's where I'm from, but they're logging me in the village of Whitehall out in the woods, and then they're logging me in the village of Whitehall over here in the woods at the Water Tower, and then in various other places in the village of Whitehall.
Speaker 1:I think you're saying like oh, you know that body that was found there in the Water Tower. It had nothing to do with me. I was out there by time. I'm a mom's house. It isn't always accurate, I don't know. I think it's accurate. Right, I think you were hiding the body there.
Speaker 2:So these are pretty high horizontal accuracies. So I definitely never left my parents' house. I swear, I'm not lying. But if you were looking at this in a case and maybe you didn't look right at the horizontal accuracy, the suspect left the house and went and buried the body in the woods Immediately. That's what I think. I mean. I'd test it and find out that I'm greatly wrong. But it looks like I left my parents' house during the day and I was potentially hanging out in the woods for some reason. Right yeah.
Speaker 1:I don't know, but you made the point because if the horizontal accuracy is so large, right, instead of maybe using so many resources, we need to scan the woods with dogs Maybe we need to, but if it's really an outlier, maybe we can slow down and understand the limitation of the data source, which is what you're showing us, which is so important. It's accurate, except what it isn't, and at least we have now an indicator, right, and the big key here is look at horizontal accuracy and then make the determinations considering all the data points around it. Correct me if I'm wrong, because it's like an outlier.
Speaker 1:You don't see any points going from there to there, right?
Speaker 2:No, so there were 29 of them in I don't know thousands and thousands and thousands for this period of time. There were twenty nine of them that just didn't make sense and had that huge horizontal accuracy. All twenty nine of them were while the phone was sitting in my car in my parents' driveway throughout the day. And actually Jessica asked a great question. So how accurate is the horizontal accuracy numbers? I tested a couple of them. Some of them appeared to be around two miles from where I was at and the actual location where I was at was a little bit over two miles. A couple of them, so a couple of them were just slightly outside of the horizontal accuracy, but several of them were right in. Most of them were right inside the horizontal accuracy, but I definitely didn't leave my house.
Speaker 1:Well, and again that speaks to you have to look at data not as just a point, but what the collection of points tells you, and use your brain right. You got to make sure you understand that if I have these points and I don't have any points in between, plus your horizontal accuracy is high, then this might be outliers that don't really mean anything to my investigation.
Speaker 1:And you know we might need to verify that and that's appropriate, but then we don't set everybody's hair on fire when we should be maybe devoting resources to actual things that could be leads that could be followed up on.
Speaker 2:Well, I think you were making the point a minute ago too. Um, so these I'll give in context, the path that you saw me take up to my parents' house. Those horizontal accuracies were like four meters, three meters, five meters, six meters. These 29 points have more like 2200 meters, or 30, 3500 meters big.
Speaker 2:Yeah, and the good thing about these 29 points, I have other points right almost at the exact same time that have me at my parents' house, so you can use that horizontal accuracy to determine. Okay, this one is within four meters and this one's within 2,200 meters. Where was I actually at?
Speaker 1:Yeah, and that's knowing the artifact, because the bias sometimes comes in. I want, I want that person to bury that. I want to find the body somewhere. And we can't let the bias influence us. We need to actually look at the data source and let the data source speaks to us what the truth is. We, we, we can't just interject it. It's because I want to find the body and I have data points in the woods. Therefore, right, we got to be really careful with that.
Speaker 2:You watch. Somebody is going to find the evidence at the water tower in Whitehall and they're going to have seen the podcast and come and arrest me now. So, in other words, I'm incriminating myself.
Speaker 1:No, no, you're creating your alibi. You're so sorry.
Speaker 2:Publicly. I said it wasn't me and I yeah, exactly it was you. I know it was you, oh my goodness.
Speaker 2:So these, uh, these locations are great. Um, we're always talking about the iOS cache locations that are so amazing on the iOS and I think there really wasn't a great, um, I guess, equivalent on the Android devices until I saw these. I think these are just as good as those iOS locations. As you know, the iOS locations once in a while will also have the outliers with the large horizontal accuracy, so I would compare these in Android to those iOS cache locations on, I guess, reliability and usefulness in your cases.
Speaker 1:That's great. That's great that we can find those data sources. So no, thank you for explaining it. I enjoyed following you around Check out.
Speaker 2:Josh's blog too, because he did it with numerous devices, he used a Pixel, he used a Samsung, and shows the differences. But he also breaks down some of the LevelDB data in, I think he was using Mushy in his blog, so he breaks down the data where he's finding it, how you can actually go into these files and validate the data that you're seeing yourself as well.
Speaker 1:Go check it out, my good friends. It's good stuff.
Speaker 2:Definitely All right. So we are, I believe, at the meme of the week we are at the end of the show.
Speaker 1:So let me pop that up here yeah, I love the meme of the week. Go ahead oh no, go ahead no, I said I love the meme of the week. It's uh, it's always, it's always fun definitely.
Speaker 2:Um, oh, I have to stop sharing the other screen is what it's telling me I.
Speaker 1:I will never figure out this screen sharing stuff and whenever we start figuring it out, they change it yeah, oh, they did.
Speaker 2:They changed it. I think my stuff was missing, right the one showing all these screenshots, the one podcast and everybody's in the comments saying, oh, we can't see your screen. Um so, meme of the week. Go ahead. This one's all you so so we have.
Speaker 1:I forgot the name of the actor, but he's a great actor, a lot of movies. Uh, lately he's always been in The Mandalorian. He's Moff Gideon. That's the character, but I forgot his real name. Well, the thing is that this great actor, really serious actor, has a suit on, kind of playing with his tie, making it tight, and it says you use tools to see what they can find. I use tools to see what they can't find.
Speaker 1:We are not the same, and the point of the meme is that the template speaks about a contrast between things that sound really alike, but a little detail makes an extreme difference, and the point is not to say that this person is better because of that. The point is to make the illustration that tool limitations are just as important as tool capabilities, because if you go by what a tool can find, that's great, but if you're not aware of what is missing, what it's not designed to do, then you'll be doing a disservice to your stakeholders, to your case, right? And a simple example: if you run your AI on your tool to give you the chats, that's great. Is the AI aware of this other app that's not parsed by the tool to give you the contents of those chats? Well, if you're not aware that the AI cannot get into unstructured data, I say unstructured in the sense of, let me not say unstructured, the AI cannot get into unparsed data by the tool, then you assume that this is all there is, right. So you got to be really aware of what the tool, what the AI, whatever it is that you're going to use. And again, everybody knows what we think about AI right now, at least at this stage. I'd rather not use it at all, but you gotta be aware of those limitations, right, and so I?
Speaker 1:I think we should change our mindset. Instead of being, well, I'll learn the tools you can find, no, let's this. We, we know the tool will find stuff. Our job really, as examiners, starts to figure out the stuff that the tool doesn't show, because I will give to my investigator what the tool shows and they will go through it. They don't need to have a degree of no sorts to just read chats or do whatever, but to get to what the tool doesn't show, that's the gap between the knowledge and the data that we need to fill. Right, and I think we should be really conscious of our role within that context.
Speaker 2:Yeah, absolutely. All right. Well, that brings us to the end.
Speaker 1:Yeah, no, it was good, it was. I thought it was going to be a short show, but it never is. No, it never is.
Speaker 2:So, yeah, we were talking about that before the show. I'm like, I don't have that many topics, we can make it short, maybe a half an hour. We've said that like five or six podcasts, and I think a couple of them have gone to like an hour and 20 minutes. So it's never.
Speaker 1:We always have enough to talk about. Well, it's always fun to, you know, talk about things with you, so I appreciate you always being around. And same to you, all your insights. So listen.
Speaker 2:I couldn't think of a better podcast partner. Oh, look at that, look at all the love, all the good vibes in the show.
Speaker 1:All right, and also, I couldn't think of a better community that's built around the podcast and around the work that we do for the community. So I thank everyone that's been on the podcast, have been chatting. Everybody can be seeing their messages on the screen. It was great always having you. We leave a smart group of people: Josh, Ronan, Bruno, Matthew, Kevin, everybody. So thank you for being around.
Speaker 1:So anything else before we head out? That's it. Until next time. All right, my good folks, we'll let you know when the next show is, when we know when the next show is. Yeah, definitely. All right, everybody, take care. Thank you. And with the music we say goodbye. Bye, thank you.