Summary

In this episode of Forensic Fix, host Adam Firman interviews Jessica Hyde, a digital forensics examiner and educator. Jessica shares her unique journey from a punk rock lifestyle to a successful career in digital forensics, detailing her military service, early experiences in the field, and the evolution of mobile forensics. She emphasizes the importance of education and training in the field, as well as her passion for supporting the mission of digital forensics through her company, Hexordia. In this conversation, Adam and Jessica discuss the essential skills and knowledge required for effective digital forensics, emphasizing the importance of foundational training, understanding unsupported applications, and navigating the challenges posed by changing technology and legal frameworks. Jessica highlights the role of open-source tools, the necessity of contextual understanding in forensic testimony, and the pressing need for education among legal professionals to bridge the knowledge gap in technology. The conversation also touches on the implications of AI in forensics and the ongoing challenges related to policy and evidence preservation.
Jessica Hyde's journey into digital forensics is unconventional and inspiring.
Her military background significantly shaped her career path.
The transition from traditional forensics to mobile forensics is crucial.
Education plays a vital role in developing skilled professionals in the field.
Hands-on experience and research are essential for success in digital forensics.
The importance of validating forensic tool results cannot be overstated.
Jessica emphasizes the need for mission-focused work in digital forensics.
Training should encompass both tool usage and foundational knowledge.
The digital forensics field is rapidly evolving, requiring continuous learning.
Hexordia aims to provide education and support for the next generation of forensics professionals.
Foundational training is crucial for forensic professionals.
Understanding unsupported applications is essential for effective investigations.
Changes in app support can lead to data loss in investigations.
Open-source tools provide valuable resources for forensic analysis.
Contextual understanding is vital for accurate forensic testimony.
Legal frameworks often lag behind technological advancements.
Education for legal professionals is critical to understanding digital evidence.
The role of AI in forensics is evolving and requires careful consideration.
Preservation of evidence is a key concern in forensic investigations.
Forensic professionals must navigate complex policy challenges.
Adam Firman (00:04.622)
So hello and welcome to episode 18 of Forensic Fix, a podcast brought to you from MSAB, where we invite guests from the industry to discuss the latest news in DFIR, current issues, and have a general chat about all things digital forensics and investigation. So I'm your host, Adam Firman, a tech evangelist here with MSAB. So without further ado, I'm delighted to say that today's guest is Jessica Hyde. Hi. A digital forensics examiner and an educator. Now I first met Jessica
quite a number of years ago in London when I was a customer of Magnet and you were working with Magnet Forensics at the time. So we've known each other for quite some time now, but I can't imagine there's many people out there who aren't aware of you, but Jessica, can you give our listeners a summary of your work and history and how you made your way into the field of digital forensics? That's like a two-for question, huh? It is. So currently,
I am the owner and founder of Hexordia. We're a digital forensics research, services and training organization. And I still function in all three of those roles. So even as I'm organizing it, I still write and teach some of our training courses, although we have others who help write and teach other classes. I still perform services, both on contracts as well as directly for law enforcement agencies that hire me as an external resource. And I still conduct a lot of research, which is...
part of my love. When you are running the organization, you can make sure that you're still keeping your hands in if you want to. But I amazingly have an incredible team that helps with that. So that's where I am right now and what we're doing. In terms of my history, do you want me to work from the beginning or work backwards? I don't even know which way you're asking. Work from the beginning. Work from the beginning. All right. So how far back do we start?
As far back as you want to share. Okay. Okay. It's all about time. So I would have never imagined I would have wound up where I am today. I teach in the master's program at George Mason University. I have a master's degree. I've published work. I've been working in this field for a while. And if you had asked 16-year-old Jessica if this is where she'd be,
Adam Firman (02:24.364)
the answer would not have even been in the realm of possibility. I never thought I would go to university, never mind obtain two degrees and teach. I never imagined I would be working as a professional in a professional occupation. So 16-year-old Jessica was a little bit punk rock. Picture shaved head, mismatched crazy outfits, going to punk rock clubs, living in New York City, and a high school dropout.
Yeah. I was a retail manager. I worked at a variety of places, but at the time I worked at Bed Bath and Beyond at their flagship store. Then I made a change and was at American Eagle Outfitters. I was a store manager. I was a good store manager. If I'm going to do something, I do it well. And I had a lot of fun, and on September 11th, 2001, I was overnight doing a floor set.
We were changing our displays at American Eagle Outfitters. I was there with one of my assistant managers and we had been working completely overnight to get the store looking fresh in the whole brand new look for opening the next day. And if you didn't know that that's how that happens, that is how that happens. A bunch of people come in in the middle of the night and for some reason, you know, yesterday's colors were red, blue and green and today's colors are magenta and cyan, right? And they change the whole thing. So,
working the overnight, we have the radio on and we hear about the plane hitting the first tower. The plane hits the second tower, listening to it on the radio. They immediately close everything in New York City and the Metro region. So I'm in Livingston, New Jersey doing this floor set, which is within 20 miles of New York City.
My colleague, she lived right by Newark Airport. She had a baby. I said, get home. They were not going to open the mall because any public destination was very... nobody knew what was going on. We obviously had a terrorism situation, third plane hits. I drove home to my apartment. At the time I lived in a town
Adam Firman (04:50.99)
just outside the city, and my apartment was on a hill and we were the top story of the building. And so I saw the towers fall with my own eyes. And it changed my life and I realized I needed to do something. I needed to give back and do something. And when I do something, I do it the hardest way I can. So I decided to join the United States Marine Corps.
So I went from being this, like, total punk rocker to I'm gonna join the Marine Corps. Very different lifestyle. My friends took bets on how long it would take before I dropped out. I did not know about this. When I came home on boot leave, they told me. I said, don't you owe me all my money, because no one bet I would make it? They did not give me the money, but that's okay. And so I went into the Marine Corps and I was an avionicsman. And I was a good avionicsman.
While I was there, because the Marine Corps told me, you have a knack for electronics, you know, based on the ASVAB, and this is what we're going to do, I decided, you know, wow, this is really cool. Everything I've learned about AC/DC theory and wiring, et cetera. And I'm like, I'm going to get an electronics engineering degree. I have access to free education now. And so what did I do? I started going to school. Going to school while on active duty, not easy. A lot of: start a class,
you get put on a detachment, you have to leave the class. Luckily, a lot of changing schools because of what's available to you. And at the end of the day, I think it took me five different universities in total to finish my undergrad. I got out with an electronics engineering degree. So I got out and I did not want to lose the mission.
On September 11th, the insides of me changed. And the most important thing in the world to me became doing something for the greater good. Doing something to help stop terrorism. I mean, that's why I joined the Marine Corps. Fun fact, they asked me what I wanted to do. The recruiter said, what do you want to do? By the way, if you have a high school equivalency, it is quite hard to get in. I had a waiver.
Adam Firman (07:16.864)
It's because I scored well on the ASVAB, so they let it go. And I was a woman, and they don't get enough women to fill the tunes. So I'm pretty sure that helped my waiver get approved. Fun fact, they have a second waiver. Maybe I should save that for the end. I know you're going to ask me a fun fact. That would be a good one for the end, then. That's a good one. That's a good one. I'll tell you what my second waiver was at the end. So it wasn't what I was planning on, but now it is. And it's a fact that I don't think
anyone except for a couple of my former roommates knows. So this is a big one. I mean, my husband knows, but you know, whatever. All right, so it's not that exciting, y'all. Stick around to the end and you'll learn something not exciting about Jessica Hyde. I'll edit that part out. So I had this sense of mission. So I took a job
with my new degree and my experience in the Marine Corps at the Terrorist Explosive Device Analytical Center, which is where we reverse engineered IEDs, or improvised explosive devices, coming back from the wars in the Middle East at that time. So I was still supporting the mission and it was fantastic because my work was helping save the lives of my brothers and sisters who were still serving and doing what I used to do.
A long way from being an avionics technician, an avionicsman. I think we learned something interesting right before the call. I don't know if you want to... I did. That's where he's going to take forever because we're going to interject. Yeah. So I let Jessica know that at 16, I also left school and went into the British Air Force as an avionics tech. So how many people are both people who left school at 16, wound up in digital forensics and also happen to be avionics techs? There actually are quite a few avionics technicians in our field. Lesley
Carhart, avionics technician in the Air Force, Eric Capilano, avionics technician, also Air Force, some very well-known digital forensics examiners. So something about, you know what it is, right? When you're working on aircraft, and this is really important for anyone who's hiring, thinking about what other skills are transferable, it's not just that we understand how power works and how electricity works, and maybe we're the right people, we know how to solder.
Adam Firman (09:37.996)
We probably have professional soldering training. We know how to deal with wires. We probably can get on a circuit board and extract data. Great. Great skill to have. But that's not the transferable skill. The transferable skill is the ability to troubleshoot. To be able to have a problem said to you in a high stress, high priority situation that involves actually quite a bit of danger, physical danger, and being able to think logically under those situations.
We know how to test, right? So what are the things we have to do in digital forensics? And I teach my five steps to supporting, to figuring out how to deal with unsupported third party apps, right? The first thing we need to do is find out what the data is. It's a discovery phase. So what is the problem? Yeah. Right. Then the second thing we do is test. What do we do on aircraft? We figure out the problem and then we test, right? Then you
find the source of what it is once you've done the testing, then you parse it out. That's actually like identifying, you know, the difference between finding out, okay, it's in the B probe of the fuel system. Now I pull up the B probe. Now I'm going to parse. I'm going to find out exactly which wire is broken, fix it. And then that last part, script and share: I am going to document everything I did. So when that gripe comes back, either on that jet or another jet, it can be referenced, the methodology we went through, to fix the next aircraft.
So the mental process of troubleshooting, testing, documenting, all of those things you have to do, writing a report at the end, it's all very much the same, and briefing those results to generals. I did that in the Marine Corps as an avionicsman, and I've done it scores of times as a digital forensics examiner. So it's the same transferable skill sets. You're just applying it to different sets of data.
That's a really good way of putting that. Right. So I think that's why you may find so many people who happen to have been in that particular occupational field in military service wind up as very competent digital forensics examiners, because they built that process. Yeah. It was drilled in. Yeah, exactly. So continuing along the path. Right. So I take this job at TEDAC and at TEDAC I was reverse engineering IEDs, and I'm not disclosing anything classified in saying this. You can look at pictures on the Internet of this.
Adam Firman (12:02.506)
A lot of improvised explosive devices are triggered or received by mobile devices. Now we are talking way, way, way, way, way, way before smartphones, right? So these are feature phones. These are your Nokia 1200s, your 1180s. Maybe the fanciest you'll get is a RAZR phone, but these phones are being used to communicate with the improvised explosive devices to either be the receiver or the transmitter in the electric system.
So I did a lot of schematic derivation. I did a lot of data reconstruction, and 100% of the mobile phones that I got, as well as the devices, were post blast. So I was working on phones that, well, came to me in bags and pieces, or parts were missing, or they were very, very damaged. So I did a lot of binary extractions from physical connection to the data store area. And I think that
those specific words are really important because it feeds into the definition of physical. These devices at that time were unencrypted, extracting the data and then figuring it out. And so as I was working there, not only were we doing the schematic derivation, figuring out how these things were working, but we were also extracting the data from the mobile devices, reconstructing that data to be able to give information to the investigation. And I was like, wow.
I love the digital forensics aspect of what I do. Once in a while I'd get a hard drive, but I was a mobile girl through and through. And I'm like, man, am I the most niche person in the world in this field? Right? If you're doing forensics, I am starting with devices that are in pieces. I am extracting data at the binary level. I mean, if you look at my resume, I have, like, not only that I'm IPC certified in soldering, right? 7711, 7721.
But I have that I know how to use scanning electron microscopes and computed tomography. And it all came from that world of trying. But then we'd extract the data. We'd get the raw binary and get our sectors, whatever, get the raw binary, and then have to reconstruct the file system and then get to the data. And only then could we take it and then put it into a forensics tool and then do our analysis at that level. So it was really an amazing experience. But man, I was pretty darn niche. You're not going to exactly hire me to go do your incident response.
Adam Firman (14:29.036)
So I did two different things to broaden myself. Number one, I went and got a master's degree in computer forensics. Went to George Mason, learned so much, fantastic organization, university. All the instructors are also practitioners and I just loved that. I also decided that I couldn't keep working professionally that niche and I went to what at that time was Ernst & Young and is now just called EY,
which is one of the big four accounting and auditing firms. And of course, I worked for them in their forensics technology discovery services department doing digital forensics. So I worked there and I got more broad. That's where I got exposure to insider threat investigations, incident response, traditional computers, all of that stuff. I wasn't a mobile gal at the time, right? Like I did a lot of their mobile stuff because I had good depth
in that area. And then, you know, then modern phones came out, we got smartphones. I mean, we started getting smartphones at the end of my time at TEDAC. We, you know, that was just, we moved to the world, you know, the world of BlackBerrys. You know, this is what was about 3830. What was it about phones compared to computers that grabbed you more? So phones were more complex. Like I said, I do everything to harvest. Yeah.
You know, specifically at that time, every single phone had a different connection, but even more importantly, they had proprietary operating systems. You had to reconstruct that. You had to figure it out. I was looking at the data sheets that actually describe how the chips function to figure out the layout of the data. That's freaking amazing.
I actually, I mean, I did work cases that involved computers and I have my whole career. I've done Windows investigations and Mac and Linux, just like everybody else. But at the end of the day, the mobile was the harder problem. That's exactly why I enjoyed it. And I did computers as well, but every time I'd want to, I'd get a case and it involved LimeWire or something else. And there was already a white paper. Somebody had already solved that puzzle.
Adam Firman (16:43.372)
So to me, it took the enjoyment away. At the time, let's be honest, we were all using IEF back then and we're running IEF and getting back the search history. It's like, thanks, Jad. But phones didn't have that. But phones didn't have that, exactly. And so it gave the opportunity to do a lot more research, a lot more, how do we get data from this? Where's the data? And at the time, it was just so rapidly evolving. But I got to tell you the truth. What did I say about me? Where's my heart? Mission. Yeah. I wasn't getting that mission love
at EY, right? It was corporate investigations. They're very important. Of course. But it didn't fulfill my heart. Yeah. And I saw Heather Mahalik, who I had known from my previous role, because we both worked in different labs as contractors. She had an opening on her team at Basis, where Brian Carrier was, for somebody to join. And I'm like, whoa, I can go work with Heather, who, again, I had known from the field. This is before, like,
before Heather was like, woo, famous. She was actually writing the first edition of Practical Mobile Forensics at the time. And so I went and interviewed with her. They offered me the job. I dropped my nose. I went to go work at the National Media Exploitation Center as a contractor for Basis Technology. And I got right back to mission, and they were the people at the time who were solving the hardest problems that were technically for mission. I thought I was going to go work with her on the CELLEX team she hired me to. I showed up for the first day of work, and she said, surprise.
I actually hired you to replace me. I said, I took the job to work with you, Heather. So we did get to work a little bit because she was in another role at Basis. She was technically my boss. And then soon after, not so soon, but at some point thereafter, she moved on. And then I got to work directly for Brian Carrier, which, talk about a dream person to work for, right? I remember the first time I met Brian, I was like, you know, fangirling. But I kept my cool, kept my cool, didn't let it...
I didn't, like, show it. I was good. And you know, and I love Brian. Luckily, I love when I still get to run into him and we have a good time. And so then I worked at the National Media Exploitation Center. I loved it. I thought I was gonna be there forever. I got to work the best cases. I worked with the best team. I had access to anything I needed to do my job. And I worked the weird. It could be from an acquisition perspective, or the analysis perspective. And it wasn't just mobile phones. It was also any other type of non-traditional computer that came in.
Adam Firman (19:09.762)
came to my team. We had a hardware exploitation lab. So I ran a mobile exploitation team. We had mobile phones and we also had a development team, and I got to work with both those teams, build that capability, and it was amazing. And then there was what we call a BRAC here in the US, which is a base realignment and closure. And that's when the US government says, we're going to combine and consolidate the facilities we use and we're going to move
this lab across the river from Northern Virginia to Southern Maryland. Now, technically, I think those two labs are 12 miles apart. That 12 miles in DC Metro traffic, as anyone who's ever lived in the DC Metro area would know, was the difference between me being able to have childcare for my kids or not with the commute. You have to get the kids on the school bus. Daycare is only open to a certain point.
I was kind of like, I don't think I can make the BRAC. My husband worked in DC, so he had to take mass transit out to DC. And I had two young kids at the time. I still have two kids. Yeah, just to clarify. They're just bigger. But I had two young kids at the time and couldn't make it work. And so,
I was like, I'm gonna have to leave. And I mentioned it to the Magnet people, not looking for a role, just we were communicating about things and I was like, yeah, I might be leaving. We talked and they created the role of the director of forensics for me at Magnet. And I went on to spend five amazing years there, getting to meet so many people in the community outside of just the worlds I had been in in terms of Department of Defense and the IC in the US,
outside of my corporate experience at EY. I got to meet people from all over the world. I got to work with the product team. What a dream. The fantastic people there. I got to do research with Jad and share and publish, and working with both the product team and the community and advocating for what we do in digital forensics. It was amazing. And still working the mission. And still working the mission. I still got to
Adam Firman (21:30.52)
help on cases. I'm going to tell you, some people ask me about that. They're like, who knew me and knew my passion for the mission and that I'd left the corporate world to go back to government. And the way I explained it was, you know, when I work a case, I'm helping one case at a time. Yeah. One victim or maybe scores of victims on a given case. I've worked cases where there are scores and sometimes thousands of victims of a particular incident, sometimes more. Right.
But it's one case at a time. When I went to Magnet in that role, and I'm sure you feel the same way in your role here with MSAB, is that I was able to help thousands of cases in a moment. That my work's impact was multiplied. That my feedback to product or the discussions I was having with customers or the blogs and white papers I was able to produce and put out, that that
content was able to help thousands of cases at a time. Yeah. And that allowed me to really support the mission, and I continued to still support the mission in other ways the entirety of my time there. I went and, you know, I taught again. I started teaching at George Mason University. I've been teaching there for, I think, eight years now, teaching their mobile forensics course. So that allows me to also reach out to the future of building this up.
And as you know, the need for digital forensics isn't getting smaller. It's definitely getting bigger. And, you know, it was just an amazing experience. But I did really, really miss that same mission. And I really have to be true to my passions. So I really wanted to get back to supporting the same customers that I supported during my time at TEDAC and NMEC. And so I started my own company
to be able to support that mission set again through services. Really, there are a lot of organizations that provide support to defense. It is really an honor and a privilege to be able to provide that support to the US government as well as state and local. And so that's really our focus in terms of services. And that's why I wanted to, passion, but I also really
Adam Firman (23:53.59)
wanted to make sure that we were providing education and building up the next generation in a way that's a little bit different than the way that everything's being done now, on education using all open source and free tools. And we can talk about why later. And yeah, and of course, I've never stopped researching. So we have a research team and we, to be honest, we spend a lot of our
time figuring out how to deal with the consistent challenges. And by having folks who are dedicated to that research at Hexordia, we're able to focus on the issues that we are running into in our active casework and what's coming to us from training. And I just love it because I'm back to doing that mission. And that's what I want to be doing. And it's what I love. And I couldn't be happier. And I couldn't feel like I could have had a more
blessed career and path. And again, if you think back to the beginning of this, how I got here, and I know this has been a long story, I apologize. Thank you all for listening and hanging on here. But can you imagine that 16-year-old girl ever thinking I'd be here? Yeah. No, not at all. But what a journey. And you're back almost where you started, back helping the guys and girls out there on the front line. That's exactly it.
I can understand your passion for training and want them to go in, because one of the things that bugs me, and I know it bugs you and there's a few others that it bugs, is push button forensics. And it's really, there is a need for it. Of course there is, but you also have to understand what goes on when you press that button and what that button isn't retrieving and how to deal with that. Wow. What a setup there. Yeah. I've been doing a DFIR thought of the day
recently. Yeah, I've seen them, really good. And I actually just did one about the fact that... You brought up two things, like training as well as the concept of push button forensics, and I will start with the caveat: there is 100% a need for tools that are able to quickly parse and provide results. Yeah, so that we can make quick decisions and be able to
Adam Firman (26:20.11)
respond, especially when you're talking about forward operators, frontline folks, be able to respond to things in the field immediately when things need attention, right? This is how we save lives. Of course. 1000% needed and we 1000% need those tools to do that. The second thing I'm going to caveat is it is 1000% important that people do know how to properly use their tools, understand what their tools do, how they work and how they don't work,
so that they don't make sense. So tool training by tool vendors is an important piece of the puzzle. However, I don't think that that's the foundation that people need.
Your training needs to provide you the ability to do five things. Number one, you need to be able to validate those results from the tools, period. If it is your smoking gun, you need to be able to look at that result and be able to test, validate, and tell if it's right. And you need to be able to do that by doing manual analysis. You need to use open source tooling. When I teach at the university,
We do have access to commercial tools. My students have access to that. It's in our lab, but their labs, as they start, they do everything manually first. And we'll get to the reason why as we get through the other four of these points. Number two. So one is validating your smoking gun. Number two is being able to speak to what your results were both in your report and on the stand.
If you just say "because tool X told me so" in your report, I'm, no, that's not where we want to be. Okay. You need to be able to testify and you need to be able to deal with that in your reporting. It's foundational. No, no, no, the answer bucks about it. Number three, you need to be able to function when your tools aren't available to you.
Adam Firman (28:31.724)
What does that mean? Well, has anybody else ever been in a position where they've been fighting with procurement, but their license still expired on them? Yes. And you aren't the one who has the direct control to get that license updated because of policies and procedures? Because I have. You said yes, right? You need to still be able to function. You still have a mission. You still have active cases. So you need to be able to pivot to open source and freeware. I've had it happen when I wasn't at home, right?
I've also had dongles break. I've had software crash. I've had, you know, all the things. You still need to be able to function. All right. So we've got being able to explain your results. We've got being able to verify your smoking gun. If it is your smoking gun and you are talking about it, you better have verified and validated. We talked about functioning when you don't have it. Having a strong foundation of training that teaches you how things work is the only way you can deal with those three.
Yeah. Okay. Now we've got the unsupported.
I'm going to, I'm going to... mobile's my world. I'm a mobile and IoT girl. So we're going to stick in mobile with this example. Google Play and the Apple App Store: the total number of apps that exist out in the universe between those two is about 6 million.
Adam Firman (29:57.71)
No negative context to any forensics tool vendor out there. Y'all don't parse all six million apps. Of course we don't. The parsing support from all the tools, I would estimate it's about 2,000 apps, and I'm probably being generous. I'm being kind on that side. 2,000 versus 6 million. There's a little bit of a gap. Yeah. Now the focus is, of course, because it takes time to develop these... I've worked for vendors. I get it. It's time consumptive.
I've done private research, I've published, it takes time, a lot of time to research an application. You've got an encrypted application, you've got data stores that are all over the place. You've got, there's so much to look at, okay? It takes time to create these parsers and put them in a tool and be able to present the findings, validation, going through internal testing. It takes time.
It's not the vendor's fault that they don't support all six million apps. It would be impossible. Yeah, people wouldn't pay the license fee. You wouldn't pay your license fee if there were a thousand developers at every single one of these firms, plus the staff to support those thousand developers. So of course, the focus is going to be on the most popular apps and the most common things used by nefarious actors, right? What the customers are requesting. Through proper training, you can go through that methodology that I defined earlier.
where you can figure out what's not supported, but you need to know how to do that. Which means you need to understand data structures, right? And now it's not just SQLite, everyone. You've got to be able to understand plists, LevelDB, how to deal with a protobuf, how to deal with SegB, how to deal with Android binary XML, and how to, right? And I mean, I teach that, right? We teach that now. We teach a data structures course. And that's why, because you need to be able to go to that level in order
to deal with the unsupported app. And you might be like, well, Jessica, if those 2,000 apps that are supported are the most common and the most ones that are used by nefarious actors, shouldn't that cover my bases? No. All right. How many weather apps are parsed by commercial tools? I've had wins on weather apps and cases because the nefarious actor checked the weather where they were going as part of their pattern of life. But then also,
Adam Firman (32:12.49)
It had their current location set to always on because weather apps check your location. And I pulled the location data of where they were and where they went with timestamps from a weather application. I had similar with Spotify and a fatal car collision. Exactly the same. Because they're listening to music while they're driving. Yeah. Which is a normal thing to do. It's not like they were doing an operator error. But yeah, I've had success with games, games that aren't supported.
Children are contacted via games, but I've also had nefarious actors choose to use video games to communicate. And some of those game apps aren't supported by commercial tools. You can chat in Scrabble. You can chat and it will send you. And because they're not commonly used apps, it's used as a way of obfuscation. So being able to identify that those apps are there, look at the permissions that the apps have access to, to determine, is this something that has access to my mic or my camera?
Or what about, not even like communication or Spotify and that. I've worked cases where some of these apps that are meant to hide your data, the lock-away apps, et cetera. You put in a wrong PIN code, they take a picture. I worked a case where my field guy's picture was in the data set, right? Had to immediately, my investigation was no longer about that. It was, what went back to our nefarious actors' group about
our person in the field, since a picture of them is now in the data set? Do they now know who acquired this device? Do they know where we acquired the device? Does this picture include the EXIF data? Like there was, do we have a safety issue? Do we need to get this person out of their area? And my investigation changed, right? At any rate, how do you do that if you don't know how to deal with unsupported, and you need that training? So now I'm up to number five. And number five is your tool may say it supports the most common app. What's the common app that everybody supports?
WhatsApp, WhatsApp, everybody supports WhatsApp, right? Every tool supports WhatsApp. Has WhatsApp kept a consistent schema through every version? No. No. So let's say WhatsApp updates today and your user has their phone set to auto update, which most users do. They're going to be on the newest version of WhatsApp. Schema changes, they go ahead and they start now putting everything inside of protobuf, even though it's in that same SQLite database as before. Just...
Adam Firman (34:36.534)
Now they're protobuffing all their blobs, whatever, whatever change they make. They've added base64 encoding. In other words, I'm saying sometimes it's not extraordinarily difficult what the change is, but it's a change nonetheless. Yeah. But it's different to how the vendors handle and parse that data. Guess what? So now your tool may actually, and I've seen this before where you might even wind up with two databases, the new one and the old one. So the tool may even report back to you WhatsApp data. But that WhatsApp data stops
the day before you seize the phone because it got the update the day before. And that day was the day of the bad thing. Guess what? You think you have WhatsApp data for the entire period because you see it parsed by your tool, but there was a change. You have a new version of the application. And now you don't even know that you're missing data. So the other, the last one, the fifth one, is to be able to deal with changes of supported apps because let's be honest, is that, is that going to get fixed in a day? No, yes. The, the
commercial vendor probably knows, if it's WhatsApp, that it changed. They're probably testing that very regularly. But now they have to build the support. They have to do the dev work, but it must go through testing and then it has to come out in the next release. Most commercial vendors are pushing out what, 10 to 12 updates a year. I'd say most of them are once per month. Yeah. And how many updates are happening to these major apps? And I've seen Facebook update three times in one week. They do that. Right. Like, and where are they changing the schema? Not just an update.
So those are the five reasons that I really strongly believe that training needs to happen. And when you're talking about that, when I'm saying using the open source community, let's give some credit where credit's due. The open source community has provided us incredible utility. If we just think historically, I mean, Autopsy, we've got Volatility. So some of the critical tools that we use
came from the open source community, and today look at what Alexis Brignoni and the 50-plus community members who are supporting and contributing to that process have done with the LEAPP project, supporting a variety of different things, everything from vehicles to Android to iOS to Chromebooks. There have been more returns, there has been so much development, and what they're doing is trying to fill the gaps and they're giving a speedy result.
Adam Firman (37:03.336)
And it gives me a source to verify.
It gives me a secondary source to show the same results that I know isn't done by the same thing. I want to, if I can, just one of the other things, if you have the deep training, you can manually analyze. It gets rid of the false assumption that if two tools have the same result, that it's correct. Because it is possible that those two tools are doing the same process. So it gives a false sense of comfort, because it is possible that a lot of tools rely on open source libraries.
So if they're using the same two libraries, yeah. And I'm going to go back to one more of the points there if you don't mind. And that has to do with understanding what it means for your testimony and your report.
What is the purpose of the tool? The tool is there to use algorithms, coded functionality, to provide you a parsed result of what the data is as stored. The purpose of the examiner is to provide the meaning. If you don't understand what, why, how it was caused, sure, fine, that timestamp exists. Sure, fine, that chat message exists. Sure, fine, that contact's there.
But why is it there? How did it get there? What does it mean that it's there? Because the tool does not give you that. The tool is not testifying, you are. And to be frank, if it was just saying the tool did it and not understanding that, and not being the examiner who provides the meaning, at the end of the day, you could be replaced by AI. The reason you're not is you can provide meaning. And if you actually believe in what you're doing in this field, it is important for us to be reminding folks about that.
Adam Firman (38:52.59)
I think there's a lot of false assumptions about what AI can do, and AI cannot provide the contextual meaning of how the data got there. Last time I checked, AI isn't going out and doing the testing. No. It's about thinking of all of the possible scenarios that could have made that occur.
And AI is the buzzword. It is. AI has been in your forensics tools since before 2016. It already existed. You just weren't as knowledgeable about it. Now it's in your face. But now the ways it's being used are different. And that differentiation in AI means a lot of things. And it's all being lumped together. There's a very big difference between
the types of decisions. This isn't a whole discussion and episode about AI, but I think it's important for folks to know that it has existed in your tools. If you go back to the eDiscovery tools, targeted assisted review, is, you know, NOSTAR, TARP, TARP3, that's all rank scoring based on what you are saying yes to. And it's using...
that information to determine what it should produce to your nets. That's the most likely thing is you saying, yes, that's responsive. I remember seeing that in 2012. AI has been here. It's just you don't know it. I had the pleasure of working with the Magnet AI team in 2016,
all of the automated content-based image recognition. Content-based image recognition, or CBIR, which you've heard of before. We were talking about AI as the buzzword it is. That is what it is. There's tons of functionality and people need to understand it. People need to know what they're testifying to and how they're using their tools and what results their tools are providing back. There is nuance here and it's a whole separate conversation.
Adam Firman (41:07.04)
And AI, I don't know if you saw, I created a couple of posts on LinkedIn about the actual recording platform that we're using today to record this pod, because just FYI for everybody, Jessica and I are at the MSAB Arlington office. We're actually doing it in person together. In person. This is, we are not over the internet. It is amazing. It is. But this software has, because I've recorded, I recorded True and the Fat with Phil Cobbler using this software. So it's heard my voice for a long time.
It now offers to create AI voice clips if I just provide text. And I created some sort of 40 to 50 second clips, gave it some text. I played it to my son, who is seven. He thought it was me. Wow. Your kid thought it was you. That's really fascinating because that's like natural human brain recognition. If I played it to you, you'd say no, it sounded far too posh to be me.
But my son instantly listened to it and thought it was me. So this is the hard part. And this all goes back to validation, doesn't it? We're going to have to take a selfie together so people know we were in person. But it is. It's about validation, isn't it? Because I know Heather Mahalik has covered a lot about sort of AI imagery. Yeah. And now voice is coming into it as well. 100%. Yeah. The challenges that we have in the future are
really, really, really intriguing, right? And that's the, okay, so it's stored there, but how did it get there? What generated that data that is stored there? And so we have, we're in a position where, and again, this isn't supposed to be about AI, but here we are, because I guess it's what we're dealing with, right? There are two different ways in which we are interacting with AI in our professional space. One is the artificial intelligence that is providing the capability of our tools.
to react at the speed we want it to and provide us the results we want it to and feel amazing in the fact that it's able to tell me, here's a picture of every blue door. That's AI. Yeah. OK? The other side of it is that the people whose devices we're investigating, those devices have content and capabilities that are from AI. Yeah. And so we have to deal with that. But at the end of the day?
Adam Firman (43:27.054)
I don't think it's our biggest challenge. No. And what do you think is the biggest? The biggest challenge is policy. Yeah. Legal hurdles. The biggest challenge, we can play cat and mouse as a profession with encryption, with AI, with all of these things. I think that we are smart enough as a community. We are responsive enough. We have brilliant developers. We have brilliant examiners. We have brilliant investigators.
We can deal with the continual challenges that have helped us, that we've seen for 40 years, right? I say 40 years, HTCIA has been around 40 years. So it's kind of that we are a professional organization. I'll consider our community. I know that there has been digital forensics before this. I am a very big fan of The Cuckoo's Egg. Anyway, Cliff Stoll, by the way, if you ever get the opportunity to see Cliff Stoll present anything, do it. Anyway, the author of The Cuckoo's Egg, the...
the person who theoretically worked the first digital forensic case. Read the book, read the book. And he is the most brilliant speaker I've ever seen. Even if you see him do like an astrophysicist talk, because that's where he's professional. I digress. I'm sorry, I forgot to warn you, talking to me is...
The challenge is policy. And I'll give a really great example of what's going on right now. Right now, there was a big change from iOS updates where devices, within 72 hours of being unlocked, will switch from AFU to BFU if they have not had interaction. Well, not since unlock, since interaction. It will go from being in an after first unlock state
to a before first unlock state. And if you do not have tools or access or passwords to get a full file system extraction, but you do to get a BFU or an AFU extraction, an AFU extraction has way more data than a BFU extraction. So you are losing your ability to access data. In some jurisdictions, seizure is when you pick up the device and put it in the bag.
Adam Firman (45:41.588)
In some jurisdictions, the extraction of the data is not considered preservation. It is instead considered a search. Now, this is a fascinating concept. To me, when I acquire data from a mobile phone, I am preserving that data, because it's not just the AFU/BFU thing, right? If we look at an iOS device, every day I'm losing a cache location.
And there's only seven days' worth of cache locations. I am losing pictures. I'm losing anything from knowledgeC.db. I'm losing data every day I wait. So if I want to be able to have what may potentially be exculpatory and inculpatory evidence, I need, and you see I do exculpatory first. I think that's important. It's important. It's very important.
Our job is justice, not just putting somebody and blaming somebody for something when we're trying to figure out the forensics. That's not our responsibility. Our responsibility is to truth. We're supposed to, and this is really the crux. If you look on any Hexordia stuff, it'll say that's finding truth in data. That's what we do.
So the problem is, when the law prevents us from being able to do that to the best of our abilities, because you now have to go get a search warrant in order to acquire the data from the CCD. And now you may have expired to the point that your device has rebooted, or that you've lost your cache locations, or that you've lost photos that were sent to the leak. There is data loss. So in my personal opinion,
from a technical perspective, acquisition of the data, forensic image creation, like you do with a forensics tool, that is preservation. Yeah, of course it is. Right, of course we're like, crap, it's preservation.
Adam Firman (47:48.162)
But depending on your jurisdiction, the court says that's a search. Now, some tools start showing you results. Maybe we need a mode that's like, no results, please. No information. Just extract, extract it into a file. Don't show me anything. In this instance, I am not worried about speed to analysis. I am worried about preservation. This is a preservation acquisition. Maybe that's what the tools need to call it. Preservation acquisition. Acquiring evidence in the state in which it was seized.
Yes. And the fact that the device is consistently changing, this is because things change over time. There's a very big ruling in 2014 in the US, Riley, California v. Riley and US v. Wurie, decided together on the same day back in 2014. And that ruling is the reason that phone data cannot just be seized
incident to an arrest in the US. Because in the ruling, it does state that there are measures like Faraday enclosures to prevent data from being wiped or changing. The thing is, the Faraday bag doesn't prevent data from being changed in 2024. 2014, 10 years ago. Technology moves at a rate that policy, legal requirements, the courts don't always
keep up with. And so that's been the biggest challenge. That's the biggest challenge. That's really good. And because technology is changing, because we're demanding it to, we want to open our photos app and search for dog. And how do we think these technology companies are making that happen? They're applying changes in the background. So you're right that preservation is the key point. And the problem is these policies are being made by people who don't understand. That's certainly happening in the UK.
And I'm guessing it's the same here. It is. That brings us back to education. Yes, there are programs to teach lawyers, lawyers, attorneys, judges, et cetera. But there is not the quantitative amount of that education to meet all of the needs that there are. I have been fortunate enough to be involved in education for legal professionals. That is something that Hexordia is doing; we're developing a course specifically for that right now,
Adam Firman (50:15.21)
digital evidence for legal professionals. It is something that is critical. There are places where you can get that education. It is just not as available as it needs to be, nor is it seen as as important as it needs to be. And I'll tell you why I think that happens. You ready for this? Every single person who we communicate with in the process of an investigation, they all are
operators of this technology. And as operators and users of this technology, they actually falsely believe that they actually have that depth of understanding because they interact with these devices. But they're only interacting with the front window. They're not interacting with the entire building behind it. And that's where we work and live.
And so when we describe these things, and we talked about the importance of being able to explain information, when you're explaining information, either in your report or in your testimony, we have to make it understandable. Of course we do. So we use analogies and we oversimplify. And that also encourages that feedback, as someone who is a user of the technology, that they understand it enough. So I think that the reason that
maybe folks aren't as educated is because they have a sense of confidence in their ability to understand the technology, which is a combination problem with the fact that they are intensive users. And if you're looking at younger attorneys and judges and investigators as well, they may have natively been using this technology since birth. Yeah. So they have an understanding of how it works,
and a false confidence that they understand it completely. Yeah. That's really insightful. Hopefully we'll make people think, and I'm aware that we've been talking for a fair while now. And I apologize. So I want to wrap up. Yes. And we said we'd go back to this about the other waiver. Okay. We're going to the other waiver. Yeah. So fun fact, and not something I've ever disclosed, and I can't believe I'm telling you this. I have a tattoo.
Adam Firman (52:37.314)
Which is, if you look at the way I present myself, I do not appear to be somebody who would have a tattoo. Yeah. And I have a tattoo waiver. So there's your fun fact. There we go. So we've all learned something about Jessica, that only her husband and your... My former roommates. And to answer the question, you're not seeing it and I'm not telling you what it is. I wasn't going to go there. I meant to, anybody else who runs into me who's heard this podcast. Yeah. They'll see you at a conference and say, where's the tattoo? But no, thank you very much, Jessica, for taking time out of...
your very, very busy schedule to come in today, and then yeah, thank you. Thank you so much for the opportunity. No problem. And so great to see you again. Better in person, far better than online. But yeah, thank you very much, guys and girls, for listening, and we'll catch you soon on Forensic Fix.