In this episode of Forensic Fix, host Adam Firman interviews Mattia Epifani, CEO of RealityNet Systems Solutions, who shares his extensive experience in digital forensics. The conversation covers Mattia's journey into the field, the evolution of digital forensics, challenges in data preservation, the limitations of forensic standards, the importance of cross-validation, and the complexities of course creation in forensic education. Mattia also discusses the unique challenges faced by DFIR professionals in Europe compared to their US counterparts, focusing on the European approach, the implications of GDPR, and the challenges of cross-border collaboration. He emphasizes the importance of cloud data and the evolving role of RAM in investigations. The conversation also touches on the need for research in mobile RAM, the significance of preserving volatile data during investigations, and the value of teaching in the field of digital forensics. Mattia shares personal insights about his hobbies and interests, highlighting the importance of sharing knowledge in the forensic community.
Mattia's blog - https://blog.digital-forensics.it
Connect with Mattia on LinkedIn - https://www.linkedin.com/in/mattiaepifani/
Adam Firman (00:00.958)
So hello and welcome to episode 21 of Forensic Fix, a podcast brought to you from MSAB, where we invite guests from the industry to discuss the latest news in DFIR, current issues, and a general chat about all things digital forensics and investigations. I'm your host, Adam Firman, a tech evangelist here at MSAB. So today we are honored to welcome a very well-known figure in digital forensics, Mattia Epifani. So as the CEO of RealityNet Systems Solutions,
an Italian cyber security and digital forensics consulting firm, Mattia has dedicated his career to uncovering digital evidence for courts, law enforcement agencies, legal professionals, and private enterprises. Mattia's expertise is vast, encompassing smartphone forensics, Windows and macOS investigations, and incident response. He's a certified instructor with the SANS Institute, teaching courses like FOR500, Windows Forensic Analysis,
and FOR585, Smartphone Forensic Analysis In-Depth. His commitment to education is evident in his hands-on approach, often sharing real-world scenarios to equip students with practical skills. Beyond teaching, Mattia contributes to the academic community as a contract professor at the University of Genoa, where he imparts knowledge on digital forensics. His research endeavors include participation in EU-funded projects,
aiming to enhance the exchange of digital evidence across European law enforcement agencies. Mattia also co-wrote Learning iOS Forensics and its second edition, providing invaluable insights into analyzing iOS devices using the latest forensic tools and techniques and, of course, open source formats too. Mattia's contributions to the field have been recognized internationally and you will often find him at international conferences,
including the most recent one just last week at the RSA conference in San Francisco, where he explored how digital forensics can uncover daily routines and behaviors through data silently collected by modern smartphones, which had the extremely impressive title, Every Move You Make, Every App You Play, I'll Be Watching You. And that is very, very apt for mobile devices. So Mattia.
Adam Firman (02:24.99)
I've given our listeners a brief insight into your career highlights. First of all, welcome to the show. Could you offer an introduction as to how you've ended up as CEO today and teaching for SANS?
Mattia Epifani (02:40.27)
So Adam, thank you very much, first of all, for the kind introduction, for your kind words. I'm really happy to finally get the chance to talk with you on your podcast. So, well, I started using my first computer when I was six years old. I still remember, under the Christmas tree, when I got my first Commodore 64. That was, at that time, the best computer you could have. Yeah, yeah, I think the people of our age, we all aimed to have that computer. And so at the beginning I was only just playing. So...
Adam Firman (03:14.312)
I also had one of those.
Mattia Epifani (03:30.082)
playing games. But then I started understanding that you can actually give computers instructions and ask computers to do what you like. So that was when it became interesting. So when I finished high school, I had to decide where to go at the university. Well, my mother was an English teacher at the high school.
And my father was a lawyer. So at that time they were all expecting me to study law and to become a lawyer. And then I said, no, I don't think I want to be a lawyer. My job is something in IT. And so I started studying IT. I got my degree. But then after my degree, and also during my degree, I've always had in mind, maybe there will be a
strong connection between law and IT at some point. And so this is how basically I started studying and being more and more interested in digital forensics. I got my degree and then I started my company and I started basically from zero. It was 2002, so about 23 years ago. And this field was really...
unexplored, we were still at the beginning. Then I started building my career on that. So by practicing, studying. I studied in Italy, I studied abroad, I studied in the US. And then I had my first cases. And then I became an expert, slowly. The most important thing is that after 23 years,
I still love my job. I still get up every day and manage my company, but also really do the practical and technical stuff, because this is basically the only thing I'm able to do. It's my main field as a job, but also as a passion, basically.
Adam Firman (05:55.984)
And you're right. And I have to admit, I'm still exactly the same. I feel very privileged to be involved in this industry as a job, because it's also a passion and a hobby. And adding on to the sort of the techie side of things, which obviously attracted both of us to begin with, with the Commodore 64 and then probably the Amiga and so on and so on. But it's the puzzle.
Mattia Epifani (06:23.949)
Of course.
Adam Firman (06:25.148)
It's the puzzle solving and it's the constant change of this industry that keeps people just hooked into this industry, doesn't it?
Mattia Epifani (06:34.988)
Yeah, it is. If I think about my first case, it was Windows 98. And it was only computers. Okay. At that time, we were mostly analyzing traditional computers with the Windows operating system. That was because 95% of computers in the world were Windows.
Smartphones were not yet existing because they were born in 2007, with the first smartphone, the first Apple. So back at that time, we were analyzing computers and it was a different world because most of the data was residing locally. So we were relying on everything, anything that was on the hard disk. That's why it was crucial to say:
You don't have to tamper. You have to be careful in getting the data. You must not modify a single sector of the hard disk, because every single sector counts. And it was absolutely true. It is still true, but we know that the world has changed, both in the way in which devices work and in the way in which they store data. It has become much, much more challenging for us, to be honest.
This maybe has created a myth, no, that we can recover everything, because a computer or a smartphone, they store the data and the data must be there forever, because if it was recorded, it should be there forever. And that is not the case, as we know nowadays. Or at least now what is of essence is not only the approach, but also timing.
Timing is crucial nowadays for a variety of reasons. Volatility, the order of volatility, which is an old concept, right? So it was born in 2002. You remember the first guidelines, they were mentioning the order of volatility. It's an old concept that nowadays is really the changing point. We can go into more details later maybe, but if we think about
Mattia Epifani (08:57.612)
Nowadays on a smartphone, you need to collect the data and you have a car accident. Okay. And you want to know a simple question: was the user using the phone? If you don't act properly at the moment in which you are extracting data, you could maybe lose all the evidence that you need. So the world has really changed. And as you said, the nice thing is that we still have
the passion, the love and the accuracy to change our mindset, our investigative mindset, based on how things are changing.
Adam Firman (09:40.19)
Yeah. And I hadn't proposed this, or I hadn't sort of given you the heads up for this question, so I apologize. But the conversation has led there, and I did warn you that we'll go off on tangents. But we spoke about the preservation and the order of volatility. And the Scientific Working Group recently published an article emphasizing exactly that, about acquiring smartphone data before a device is locked, because of Google and Apple
changing the parameters to secure users' data, which we totally understand. One of the things, and you may know about sort of the Italian and more European side, in the UK we have strict regulations on ISO 17025. And part of those processes that have been defined would ask a user who is extracting the data, so not necessarily even reviewing the data, that following an extraction,
they should go in and check to make sure that if a vendor tool has extracted WhatsApp, to go in and dip sample five messages to say that those chats are accurate in the extraction report. Now I did a case where I relied on the logs of WhatsApp, for example, to show that a user had entered a chat thread. And it's exactly like you just said, that every time you enter chat threads, entries in that log are overwritten and lost.
So almost these standards that are being put in for ISO maybe aren't reviewed enough, because it's costly, it's time consuming for those processes to be written. So if a user is being asked to go in and dip sample apps, that's surely going to be overwriting logs, dependent on the case. So really it shows that ISO,
I can understand its requirement, but it's also not keeping up to speed with the way we have to operate.
Mattia Epifani (11:45.002)
Nothing written can keep up with the speed of digital. You know, there's no law, there's no piece of paper, there's no standard, there's no document that can always keep up with the latest and greatest. We are building a science that is constantly changing. We are testifying on a science that is constantly changing. If you compare with things like
handwriting or blood, I don't want to say it doesn't change. It changes because we know more. But our blood or our handwriting is something that we have had for ages, centuries. And it's always the same kind of blood and the same kind of handwriting, right? A computer or a smartphone, a new version, because it's a human-created thing, so a new version will be
maybe different, will work in a different way. And in most of the cases, we don't know, because we have a black box. Okay. Because these products are black boxes, and it's normal. They have to preserve their business, right? So they cannot reveal everything. In some cases it's easier, as you know, maybe with Android, you can go into the source code and try to spot what this feature is about, how is
the source code managing this database, you can spot something. But with Apple, it's all about testing, reversing, verifying on iOS, maybe 17, and then iOS 18 comes out. There's maybe a new sensor on the iPhone 16 and you don't know, what is this thing? What is this new table in the database? How is it filled? When is it added? There are a lot of discussions going on, for example, now
during trials. Now, for example, like the reliability of the health application, Apple Health, but also various Android health applications. And it's really interesting, because can we rely on, I don't know, the distance, the number of stairs climbed when the user climbed a floor, or, I don't know, whatever, the heart rate, how accurate it is?
Mattia Epifani (14:13.038)
These are the kind of questions that could be really relevant in certain investigations, you know? And there's no answer, no 100% correct answer that you can provide on a black box. You can always say, based on my testing, I tried to replicate with this phone, with this version of iOS, and the error percentage level is this one. But it's really, really hard,
compared to other forensic sciences, to evaluate the error rate. Because we don't know what is expected, to be honest. Not in all cases. Sometimes, really, like a WhatsApp message that is in a database. It's a database. You have a table. You have a timestamp. You have a text. You have either a sender or a recipient. And then you have some flags. Easy.
In other contexts, it could be really, really hard.
Adam Firman (15:15.068)
And you've highlighted the point perfectly. And that's exactly how I used to run cases when I worked in law enforcement: if I wasn't sure, I replicated to the best of my ability, went out and tested. So then when I stood and gave my testimony, I could say, to the best of my knowledge, this is my belief, this is what I think, and these are the inaccuracies. But the problem with
ISO, and I've seen this in the UK, is it's created an army of push-button forensics, of people not understanding what is going on behind the magic buttons and relying too much on what tools are producing, rather than having the initiative to question and say, this case involves WhatsApp, I'm not going to dip sample this app because I'm unsure if it's going to overwrite data,
and having that stance. Whereas now people are very much, my process is telling me to follow steps one through to 10, that is what I'm gonna do. And that initiative and sort of thinking outside the box is being lost in this industry, from what I can see.
Mattia Epifani (16:30.126)
Yeah. Luckily. Yeah. Yeah. And we still have the chance to replicate tests in court. We don't have mandatory 17025 regulations at the moment. It will probably be something similar, even in the EU, in the next months or years. Who knows? But yes, I completely agree with you. That's why.
Adam Firman (16:30.93)
Yeah, and that's very difficult.
Mattia Epifani (16:59.254)
I always say you need to cross-validate, at least with tools. Even if you cannot go into the bits and bytes manually, because there are some restrictions, there could be various reasons, at least validate by using more than one tool. I have seen tragedies
based on using a single tool and not your tool, another tool, a third tool. Any tool can have a mistake, you know, because it's based on the same reasoning. You did reversing, you tested, or there is maybe a paper that was written by someone else. You implement that technique in your tool, but then there is a change or there is a new thing that was not evaluated.
And the result produced by the tool is not accurate. The output is not complete or maybe sometimes it's even wrong. And this is really dangerous, because what I see is that it happens that judges, as they do not have the knowledge to understand, they think, okay, if the tool is claiming that this message was sent from Mattia to Adam, this must be true. Because this is
produced by a tool, which is a certified tool or the well-known tool or whatever. And at least validation, cross-validation with more than one tool is crucial. And this is something that is not hard. It can be done even by non-technical people. I understand it's a matter of timing, but what I think, I've never worked in law enforcement, I work with law enforcement.
But what I think is, if you have to put someone in jail, you need to be sure that your evidence is accurate. The evidence you are providing to the judge is accurate. Okay. And for me, this is what my daily job is: to make sure that I'm doing as much as possible to provide an answer that is accurate to the best of my knowledge. Of course, I'm not,
Mattia Epifani (19:21.758)
I don't know everything. I learn every day, based on my errors also. I always think this is one of my, you know, one of my nightmares. I always think, if I'd had the knowledge I have now in a case I managed five years ago, okay, maybe I could have found more, I would have provided a more detailed answer.
This stresses me a lot, and I think I have, I don't want to say I have knowledge, but I have patience and I've studied a lot. So every case for me is relevant. And I really understand, when I discover a new artifact, a new topic, when a new paper is out, when a new feature from a tool is out, I say, God, if I only had had these features two months ago or six months ago in that specific case.
And sometimes I even go back to prosecutors, if the trial is still on, saying, hey, we need to reprocess it. We need to go deeper into that. Maybe we could find something more. But you really need to be patient. And you really have to remember the cases in your mind, because it's complicated. So yeah, this is one of the things that stresses me a lot.
Adam Firman (20:39.326)
Yeah. Yeah.
And I'm glad to hear I'm not the only one, because I do exactly the same. And I try and reason with myself to say, you did the best to your ability at that time and you only knew what you knew at the time, because otherwise it can eat you up with that knowledge. And so you've mentioned, you briefly mentioned, that you work with law enforcement. What does a typical day look like for you in your current role?
Mattia Epifani (21:16.078)
Well, to be honest, I have various hats at the moment. I'm the CEO of my company and we do provide digital forensic services. So our daily job in our company is like any digital forensic lab. We do extractions, we do analysis. We work both with law enforcement, like public prosecutor offices, various public prosecutor offices in Italy,
but also with private companies, because in Italy you can be hired as a private consultant by the public prosecutor office for certain cases, complicated cases that cannot be managed directly by law enforcement, for example, and then also private companies. So our daily job is really traditional. We do mostly devices.
So mostly computers and smartphones, but we also do post-incident response forensics. So when you got hacked and you need maybe to produce a report to your insurance or to your GDPR office, you know, the privacy officer in Italy, to explain how you got hacked. So I see various kinds of things, both, let me say, more human nature crimes like
homicides or drug dealers and this kind of stuff, but also computer crimes, like companies being hacked. This is my first hat. The second hat is doing research and teaching. I teach for the SANS Institute, as you mentioned. So I teach Windows and smartphone. And I'm also now,
since the 1st of May, so it's a new thing, I'm also one of the co-authors of the Windows Forensic course. So I spend a lot of time, a huge amount of time, testing, you know, to update course content, to create new labs, to explore new features of the new versions of the various operating systems, mostly computers and smartphones. I don't deal with things like network.
I do a little bit of reversing, but I'm not a malware reverser. So my daily job is really traditional forensics. And as I said, teaching. I also teach at the university, where we do master theses with students on emerging trends and topics. So we are now, for example, working on a thesis on the new Microsoft Recall feature for computers, which would be really interesting for
forensic investigators, because it seems to store a lot of relevant data for our cases. And we are working on research on private browsing. So I like doing both. I like working and studying and researching. Luckily, I was able to manage my life in a way that I can do both. So I'm really happy about that. And I also try to stay
as much as possible with my family. I have a four-year-old daughter, I love spending time with her. Yes, absolutely.
Adam Firman (24:38.014)
Keeps you busy.
Adam Firman (24:42.206)
So for those who are unaware, I've sort of dabbled in course creation and teaching, and it baffled me when I first got into it. So for those considering it, can you explain just how long it takes to create like an hour's worth of content for a course?
Mattia Epifani (25:02.062)
That's a long, that's a complicated question. I always say you have to triple the time, at least, minimum. So one hour takes three hours to prepare and at least another three hours to validate,
because you need to prepare on your own, then you need someone else testing and validating. And if there's something wrong, you need to go back and validate again. You know what I think? I take teaching really seriously. Because if you are trusted and you have people coming to your classes,
they will use your words in the same way they use the buttons in the tools. Like, okay, this is true because it's written there, or because Adam or Mattia told us that this is the reality. So you have to be really careful in creating content that is correct, but also set the boundaries for the audience. Okay? This is true under these
circumstances, and always test and validate. Okay. When we say in forensics, the answer is "it depends", now it's a joke. Now every time you have a talk, they say, what is the answer? It depends. But it's true. I mean, it really depends on a variety of different points of view, so really every case is different. So.
Adam Firman (26:18.004)
Yeah.
Mattia Epifani (26:42.562)
That makes it important to create content and constantly update and validate if what you said is still valid, to which extent it has changed, how you can enhance your reasoning based on certain aspects, and so on and so forth. So yeah.
Adam Firman (27:07.592)
Yeah. And we used to have like a golden rule that for an hour's worth of course content, you could see it as like eight hours to produce one hour of course content, by the time the investment goes in on the creating and the validation. And I love that you like the word validation as much as I do, because whenever I talk about anything, I always say validate; it's the strongest thing I can say.
And even though I work for a tool vendor, I would still say you need to validate what our tools say. If a developer pushes out a new update to me, it's for me to test and validate. That's why they push it to me, because they want me to go away and validate it.
You've worked across Europe and obviously you meet a lot of people in Europe. We both deal with our colleagues across the big pond in the US. What do you think are the unique challenges that DFIR professionals face in Europe compared to our colleagues in the US?
Mattia Epifani (28:11.79)
Well, the first thing is, I think that most, the majority of the big companies are US-based. Okay. So if you are in law enforcement and you need to request access to data stored on Apple servers, Meta servers, Microsoft servers, I don't know about the UK, but I can tell about Europe.
It's of course much more complicated than being in the U.S. directly. Okay. There are, of course, you know, there are the portals for law enforcement now. We have takeout features. The cooperation is being enhanced, but it is still different, because the legislation, the U.S. legislation, the companies are from the U.S.,
law enforcement is from the US. I don't want to say that Apple or Facebook or Meta will help with everything. We know the San Bernardino case. We have had the cases. We know the story. But for us, the typical thing is, we're doing an investigation. I received the smartphone, for example, we extract the data and, I don't know, we want to get Instagram chats. You extract the data from the phone,
and chats are not there, because Instagram is installed, but chats were not synced with the phone. And then I go to law enforcement and I explain, hey, we need to get the data from the cloud. And we need to either request the data from Meta or, using passwords, tokens, whatever, get access to the account. This is complicated, because on one side we need to send a subpoena abroad,
to the US, and it takes time. The other chance is we need to get data from the cloud. And our legislation on getting data from the cloud is still not really clear, because you're extracting data from a computer that is not in Italy. It's outside Italy. So there has been a big debate. Can you do it? Is it in the extent of your court order, of your search warrant? Is it?
Mattia Epifani (30:32.902)
Or is it something outside? Now in practice, we do it. So during certain seizures, if I'm working with law enforcement and we find an account that we think is relevant, we can request a takeout or whatever is the best way to extract that. But still, I think that cooperation is improving, but it's harder for us to get in contact, to the same extent that I think law enforcement in the US can.
On the other side, what I think of Europe is that in general we have a more in-depth approach. What I see is we are in general more careful in, as I said again, validating, cross-checking, in the sense that...
We have a mindset which is probably, we don't want to be too prone to errors. I don't know. This is something that I see at least in Italy, but not only in Italy. I've had the chance to work with law enforcement from various European countries. And I see that we have a particular, peculiar approach to things in general. Then we...
Adam Firman (31:41.876)
Yeah.
Mattia Epifani (32:03.406)
The GDPR has also introduced some new levels of maybe complication in certain cases, especially when you do investigation with private companies. But still, this is something that is more on the legal side, not on the technical side.
Adam Firman (32:21.118)
Yeah. And that leads perfectly to another question that I had for you, and that was around sort of collaboration across our borders. And you made a good point about how smartphones and Windows as a service are changing and they're storing more data on the cloud. And I still think, well, I would back myself to say that Apple already have devices on their shelves without
data ports, that will literally go to a wireless charging data port. And basically you'll just have thin client nodes, because of the always-connected mentality that we live in, that you'll basically just buy a subscription service from Apple, that you'll want a device that has this much storage and can compute. You'll basically buy cloud-hosted phones, which leaves us, especially here in Europe,
Mattia Epifani (33:19.244)
Yes.
Adam Firman (33:20.136)
with access requests, because that is how data extraction is going to occur. In my opinion, this is where I think it's going to go. So in that mindset, sort of digital forensic standards and practices, do you think that we're still too siloed by country or agency in this approach? Because I know we go to conferences and we speak to one another and we have the various platforms. But even in the UK, we have all these different
police districts, they all work differently, and that's one country. And certainly from my experience, I've seen it across other regions that it's exactly the same.
Mattia Epifani (34:04.642)
Well, I think it's the same. I can say in Italy, we also have different kinds of law enforcement and they all have their own approaches. They are similar, but with differences. I also agree with you on the fact that we don't own our smartphone. It's not relevant how much storage you have. The integration with the cloud is...
Crucial. I think that there will be a time, as you said, in which we will not even have a cable to connect the phone to a computer. This is my main nightmare. I don't know how we will be able to track that. I have an iPhone 15 and my USB port got broken one year ago. I still have it broken. I have not repaired it. I charge it constantly with my wireless charger and I use it
perfectly. So if someone needs to seize my phone, you need to repair the USB port before extracting the phone. This is for Italian law enforcement. If you need to seize my phone, you have to know that you have to repair the USB port. And then, well, yeah, so it's hard to standardize. I've worked in various European projects in the past, and this has always been under
discussion, you know, how to create a framework or something that can be used by various law enforcement agencies in Europe. I know that Europol has a platform called SIRIUS, which is only for law enforcement, but it's a great platform where you can basically find all the points of contact, what is the best method to get access to data from various providers.
We still have a need of, let's say, standardization or at least improving the knowledge of law enforcement. Because sometimes I talk with them, they say, we could ask these? Really? We could. We have chances to get, I don't know, IP addresses or the history of devices that were used by the user. Okay. Which device was the user using at that time,
when the crime happened. And this is something that is crucial. Sometimes they say, we have the phone. Yeah, perfect. But this phone was reset one month ago. The case was one year ago. We need to find the phone that was in use at that time, right? So cloud could be crucial for this kind of thing. It's crucial for what you cannot physically see, you know, to get data.
And maybe with that data and with that knowledge, extend your search and seizure, or cross-correlate data with other sources, which is not always a technical source, right? Maybe you have technical data, you have a traditional investigation, and you always have to learn how to merge the two things together. And this is hard, because I'm an IT person.
And then you have law enforcement, which has an investigative mindset. So bringing the two together is probably the hardest part. And it's also the hardest part to teach, to train people, because you need experience, you know, you need cases. And only after months or years can you say, I'm improving, but you will never be at the point that you can say, okay, I've arrived. I'm the best.
There's no way, because either from the technical or the investigative perspective, you will always have to learn something new. So if you want to start working in this job, in this field, you know that you will die at some point, because it's the end of our life, and you will never be at the point that you have like, okay, I have arrived. It's not like an actor or a singer that you have your best movie or your best song,
and everybody will start singing that song. My research from five years ago, okay, great, Mattia did great research. 90% of it is mostly useless, because now a lot of things have changed. Complicated life.
Adam Firman (38:36.852)
If we revert it back to how we started on the Commodore 64, you can never complete this game, can you?
Mattia Epifani (38:46.402)
Correct. Correct. Absolutely. Never ending game.
Adam Firman (38:47.699)
Yeah.
And you spoke earlier about how you often think about your old cases when new developments take place. If you could go back to your very first case, or the start of your career in digital forensics, what do you wish you knew then that you know now? I don't mean specifics about technology; like my key thing, what I would say to myself on day one, would be to learn coding faster, to help me. What would be your advice?
Mattia Epifani (39:24.642)
For sure, what I improved more is my ability of cross-correlating information. So the investigative mindset, because I have always been a nerd or a technical person. So I'm not worried about looking into X-Dashable or raw data and understanding what is a file format or how the data is there when...
It's something that of course, Windows 95 is different than iOS 18, but it's the same. It's the same thing. It's a computer with a CPU, with memory and with a hard disk, whatever it is. This is the basic. Okay. The basic of IT is the way in which it works. What was, what I missed 20 years ago is the investigative mindset. Now I have a bit, of course, as I said before.
You can improve, of course, after 20 years, I have much more than 20 years ago. So this is what I missed. What mostly, and then some peculiarities, you know, some edges that, this is the case, something that you discover maybe in a specific case, because nobody else has looked into it. Sometimes I even blog about it. Sometimes not because I don't have time. I'm for sharing.
I'm not for keeping secrets. Sometimes you don't have, basically you don't have the time to write everything, you know? So, so there are small edges of cases in which maybe I found an evidence and I said, this evidence would have been really crucial in a previous case, in a previous similar case I had. But what I missed most is the investigative mindset.
Adam Firman (41:16.146)
Yeah, that's it. And we discussed it before we sort of went live and we were talking about the developments around mobile RAM and the potential from what you can get from mobile RAM. And with what we've discussed in regards to onboard storage, RAM could play an even more crucial part in regards to finding these volatile pieces of data that could assist with unlocking certain apps.
But what's your views on sort of, because I know that you've had a lot of involvement with RAM from computers and a lot of people automatically discount RAM from phones because they have the same mindset as computers, which is if you pull the plug, you've lost RAM. Now that isn't the case with mobile devices because they've constantly got a source of power. So what future research would you like to see conducted into RAM?
And what do you think the possibilities are there?
Mattia Epifani (42:18.367)
Well, I think it was, now you started, but it was a completely unexplored field. We mentioned the order of volatility probably, so it's an old but gold rule and it's 20 and more years old. I think we have to follow the same approach.
for mobile, for smartphones. And to be honest, I'm not really surprised when we started, I'm not really surprised that we are not yet at the point, because when I started and when we started with computers, we knew we could get one, but at that point there was no Volatility-style tool being able to go in depth.
understanding the process structure, the process tree, network connections, and all that kind of stuff. I did my first course as a student with SANS back in 2012, when Volatility was just out. Okay. Since one year, less than one year, but memory dumps had been there for 20 years. Okay. Windows was invented 20-plus years before.
And we knew we had the information, but we didn't have the tool. We didn't have people starting on it. We didn't have people testing on it. And I still think that I have had cases with computers where either the memory dump or the hiberfil, which in some way is the idea of how modern smartphones work now. The idea that we are always in standby. We are never turned off. Okay.
You always have to be ready to get up. Data could persist. And to which extent? I don't know, but what could I, what we should expect in RAM in a smartphone, like in a computer: tokens, encryption keys for applications, activities done in private mode, for example, in private browsing, I need some testing, but even passwords.
Mattia Epifani (44:39.534)
like things like you type a password and you can even find the password in clear text in RAM. I remember like 20 years ago, I was demoing that you can, you could find clear text passwords in memory dumps and people were really like, really? Well, if a computer works, anything you see on your screen should be somewhere on your computer, at least at the moment in which you're looking at the screen. Okay.
So it must be physically there. So if it is there, the only good, the hard thing, there are two hard points. One, how to extract it. And second, how to make a proper interpretation of it, which is not always easy. These are two hard questions. Extracting, as you know, from a technical perspective, extracting RAM from a smartphone is not like, okay, I connect the cable and I have a RAM dump. There are various things involved and even if you have a RAM dump.
Then you have to start studying again. So it's a field. It's a new field in which I hope we will be able to get more. We will be able even to have more people researching on it. The only way to improve, as I said, always is sharing, asking, reading what was written, improving what was already written by other people.
So it's, it's, it's really, really, really important. I remember if you, if the audience have the chance, I did a presentation at the SANS Summit back in 2022. I think that was called "The Order of Volatility in Modern Smartphone Investigations". And it is exactly about that. I was not at that time mentioning maybe exactly RAM dump, but the idea was to explain that if you have a device.
which is you take it as a law enforcement, you take under, under your possession in search and seizure, during the search and seizure. There are a lot of data that you could try to extract before turning off, before doing all of, all of what is expected by your procedures. And you need to extract them as soon as possible. Of course, if you have a chance to get the raw data, to get the entire RAM, that is the best approach. But if you cannot.
Mattia Epifani (47:08.48)
It's not a good reason to say, okay, I'm going to turn it off and put it away. We have, for example, with iOS, the unified logs, you know, in a car accident, they, I had cases with car accidents in which luckily they did a good preservation and they generated like, for example, a sysdiagnose, which included the unified logs from the last couple of days. But this is the.
Adam Firman (47:19.55)
Yeah, huge.
Mattia Epifani (47:38.184)
most detailed second-by-second artifact that you can have because it's a detailed log of anything you need. So if you take a look recently, there were some tests by the guy who developed the UFADE tool on what is the, to which extent you could lose data when you extract the data with tools. Okay. And this could be dangerous because if you don't know how the tool is working,
You could, I don't want to say a tool or another tool. It doesn't matter.
Adam Firman (48:10.14)
Yeah. And, Peter, the creator of UFADE, he, he wasn't knocking tool vendors for that. He was just making people aware that if these logs are vital to your case, think twice before you use them. And I think all he wanted was for that, for the vendor to notify users that, hey, this could happen. And because like you say, if it was a fatal car incident, those logs,
They could prove more beneficial than even a full file system extraction. That's all they need.
Mattia Epifani (48:41.518)
Absolutely. Absolutely. I had in car accidents, to be honest, if you find an iPhone in a car accident, law enforcement worldwide, generate a sysdiagnose. It's like freezing the unified logs and it's just pressing some buttons. And I know that in the mindset, it could say, you could say, hey, I'm writing data on the phone. No, you're preserving.
data that you're going to lose if you don't do that action. It would be, there are various ways, depending on how technical you are, but explaining to a trainer, to a law enforcement, which is not even a non-technical one, how to generate a sysdiagnose on a phone or an iPhone, it's really, really easy. Okay. And in certain cases, in certain kinds of investigation, you should do it.
Because that, that maybe gigabyte is much more than 256 or 512 gigabytes stored in the, the internal NAND, because you, you're not interested in the picture of the pasta al pesto he cooked the evening before. We are interested if, if, if he was using the phone in that specific second, you know, so.
Adam Firman (50:06.58)
Exactly.
Mattia Epifani (50:08.6)
It really depends on the case, of course. If you are dealing on, if you are discussing about, I need to read the chat, most probably you need a full file system. You just see how it is useless. That's the investigative mindset.
Adam Firman (50:23.668)
And that's the beauty of this industry and the sharing of sort of knowledge and Christian Peter, who made the tool UFADE, and I know Jessica Hyde of Hexordia is creating a lot of open source tools. And that's where sharing the knowledge and empowering us all and making us all better to have those investigative mindsets. And you said you're an instructor for SANS, which is the extremely respected training organization.
What's been your experience like and how has teaching influenced your own way of investigation? Because I always found when I taught that I would always come away from each class learning something for myself, even as a teacher.
Mattia Epifani (51:11.976)
I absolutely agree. And I start all my classes saying every time I teach, I learn something new. Because it's normal. I could be the most experienced person in the class. But if you had the case and you have spent hours with your mind in that specific case, in that specific artifact or in that specific scenario, your experience in that scenario will be
much more than my experience, or at least it's your experience. And you can tell me, you can tell me what you saw, what you tested. And the second thing is even when you have a person asking a question, just out of curiosity, I ask you, what does it happen when you do this and you don't know all the answers, right? You cannot know all the answers, all the possible scenarios.
And so why, then it becomes, okay, I don't know. I've never tested it. We can test it. Okay. Let's take maybe also now after the lesson, we try to replicate and see what happens. We extract the data. This is what happened. This is how it works. Is it a complete answer to your question? No, it's a starting point. You can move on. Do we want to really go in depth? We need time. We need
At first we need, we can write a paper, we can write the research, whatever. So what is important is it's hard to build the content. And when you have a content, this is the starting point because you train on the content, but you receive questions that will ask you to go further than your content. Even if you're really comfortable with your content because you created it, you tested it. I said before one hour, eight hours. So, okay, this is my content. I'm the...
But as I said, it's not a song. It's not singing my song. It's explaining to you how it works, but your approach could be different. And your approach will help me improve for the next time, for the next case, or for the next research, whatever.
Adam Firman (53:10.376)
Yeah.
Adam Firman (53:24.168)
Yeah, no, it's perfect. And I'm mindful of your time because I know how busy you are. And I know you've just got back from a minus nine hour time difference with you. So to close out the show, what's one thing about you, a hidden talent, a surprise or hobby that nobody in the DFIR world would expect you to have?
Mattia Epifani (53:47.21)
So, first of all, I am a football fan. You're right, in Italy, football is an important part of our culture. Thanks, UK, because you invented football. My football team is Genoa, and Genoa was founded by the British; it is the first Italian football team.
Adam Firman (54:02.26)
Yeah.
Mattia Epifani (54:14.326)
So my spare time is either with my family or following my team. So you can always see me at the stadium. And to be honest, if you see me at the stadium, I'm on the stage in a different way than when I'm on the stage as a speaker or as an instructor. So this is my, my, you know, my part of life. The other thing is I like DJing.
I stopped a little bit now because I'm getting older, my, I've always liked DJing on the beach. You know, I live in Italy. I live by the sea. So especially in summertime, this has always been my, my passion since I was, since I was young. And I love dogs. That's the other, the other thing. So we have two dogs. So two greyhounds, really nice.
Adam Firman (55:09.3)
So there you go. So the next time you're at a conference and there's a spare set of turntables going, they can invite you up to go and help out.
Mattia Epifani (55:18.892)
Yes, of course, absolutely.
Adam Firman (55:21.554)
And the next time you're in the UK, I will take you along to a football match as well.
Mattia Epifani (55:26.734)
That's absolutely something. I love UK stadiums. I try when I travel. I visited various London stadiums. So it's getting harder to find tickets and they are getting really expensive. But when I was younger, I had the chance to go to various stadiums in the UK. But definitely if we can meet at the stadium, it will be great.
Adam Firman (55:38.579)
Yes.
Adam Firman (55:50.664)
Definitely. And I just want to thank you for giving up your time for joining us. I'm sure a lot of people, most people are going to be aware of you, Matteo, but for those of you who aren't, I'm going to make sure I link out to your LinkedIn profile, to the blog that you run, because you put some really useful and insightful sort of research onto there, research and validation. And you also offer some of the same sort of, I don't like to call them cheat sheets, but sort of references to sort of common artifact locations as well. So.
Mattia Epifani (56:18.594)
Yes, of course sir.
Adam Firman (56:20.69)
I'll link out to some of them as well. But thank you once again for your time and hopefully I'll get to see you in person soon. But thank you, Matteo.
Mattia Epifani (56:29.72)
Yes, I hope so. Thank you, Adam. It was great. And thank you to the audience. And I hope to meet you. If you have any question and you meet me at any event, feel free to come, ask, share. Don't be shy. Just come to me and say, hey, I want to talk about forensics or football. I will be happy about that.
Adam Firman (56:52.936)
Yeah. And that's what this industry is all about: the more we share, the more we become more and more knowledgeable. And that's what it's all about. So thank you, Matteo.
Mattia Epifani (57:03.266)
Yes. Yes.