In this episode of Forensic Fix, host Adam Firman interviews Steve Bunting, a seasoned expert in digital forensics. They discuss Steve's journey into the field, the evolution of digital forensics, and the importance of comprehensive evidence gathering. Steve shares innovative approaches to forensic investigations, the challenges faced in modern forensics, and the significance of expert testimony. The conversation also touches on the future of digital forensics, emerging trends, and the need for collaboration across jurisdictions.
• LinkedIn: Stephen Bunting
• Bunting Digital Forensics, LLC: https://buntingdigitalforensics.us/
• Article: “The Art of Hunting for Nothing” (fsevents / quiet-time approach) - https://buntingdigitalforensics.us/insights/the-art-of-hunting-for-nothing/
• Author pages: EnCase Computer Forensics: The Official EnCE Study Guide and Mastering Windows Network Forensics and Investigation - Publications, Bunting Digital Forensics
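The "quiet-time" idea discussed in this episode (long gaps between fseventsd archive timestamps on an iPhone as a sign the device was powered off) is easy to put into a script. The block below is an added example written for these show notes; it is not Steve Bunting's script from the article, and it makes two assumptions: that the examiner has already exported one row per archive from the extraction (name, path, modification time, as Steve suggests rather than unpacking the records inside), and that archive names are the 64-bit event ID in hex, which is used only as a cross-check on timestamp order. The rows are constructed. A gap shows the file system was quiet, not by itself that the phone was off; corroborate with the SpringBoard power-down indications mentioned in the conversation and remember that archives rotate, so birth-to-death coverage like the case discussed is the exception.

```python
"""Quiet-time finder over fseventsd archive timestamps (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import csv
import io

# Constructed export: archive name (assumed to be the last event ID in hex),
# path, and the archive's modification time. Real exports hold thousands.
SAMPLE_EXPORT = """\
name,path,modified
000000000012a0f1,/.fseventsd/000000000012a0f1,2021-06-15T16:02:11
000000000012a3c8,/.fseventsd/000000000012a3c8,2021-06-15T16:09:47
000000000012a7e0,/.fseventsd/000000000012a7e0,2021-06-15T16:15:30
000000000012aa11,/.fseventsd/000000000012aa11,2021-06-15T19:41:05
000000000012ac59,/.fseventsd/000000000012ac59,2021-06-15T19:44:52
000000000012b102,/.fseventsd/000000000012b102,2021-06-15T20:03:19
000000000012b240,/.fseventsd/000000000012b240,2021-06-15T20:48:00
000000000012b2aa,/.fseventsd/000000000012b2aa,2021-06-15T21:05:12
"""


@dataclass(frozen=True)
class Archive:
    name: str
    path: str
    ts: datetime  # when the archive was written; its events precede this

    @property
    def event_id(self) -> int:
        # Assumption: the file name is the 64-bit event ID in hex.
        return int(self.name, 16)


@dataclass(frozen=True)
class Gap:
    before: Archive  # last archive written before the quiet period
    after: Archive   # first archive written after activity resumed

    @property
    def duration(self) -> timedelta:
        return self.after.ts - self.before.ts


def load_archives(export_text: str) -> list[Archive]:
    """Parse the CSV export and order archives by timestamp, then event ID."""
    rows = csv.DictReader(io.StringIO(export_text))
    archives = [
        Archive(r["name"], r["path"], datetime.fromisoformat(r["modified"]))
        for r in rows
    ]
    return sorted(archives, key=lambda a: (a.ts, a.event_id))


def ordering_anomalies(archives: list[Archive]) -> list[tuple[str, str]]:
    """Adjacent pairs whose event-ID order disagrees with timestamp order.

    A clock change or a restored backup can cause this; every such pair
    should be explained before a gap in this data is relied on.
    """
    return [
        (a.name, b.name)
        for a, b in zip(archives, archives[1:])
        if b.event_id < a.event_id
    ]


def find_gaps(archives: list[Archive], min_gap: timedelta) -> list[Gap]:
    """Quiet periods of at least min_gap between consecutive archives."""
    return [
        Gap(a, b) for a, b in zip(archives, archives[1:]) if b.ts - a.ts >= min_gap
    ]


def hourly_activity(archives: list[Archive]) -> dict[str, int]:
    """Archives written per hour bucket, the raw material for a timeline plot."""
    counts: dict[str, int] = {}
    for a in archives:
        key = a.ts.strftime("%Y-%m-%d %H")
        counts[key] = counts.get(key, 0) + 1
    return counts


def describe(gap: Gap) -> str:
    return (
        f"quiet from {gap.before.ts.isoformat()} ({gap.before.name}) "
        f"to {gap.after.ts.isoformat()} ({gap.after.name}), {gap.duration}"
    )


if __name__ == "__main__":
    archives = load_archives(SAMPLE_EXPORT)
    for pair in ordering_anomalies(archives):
        print("ordering anomaly between", *pair)
    for gap in find_gaps(archives, timedelta(hours=1)):
        print(describe(gap))
    for hour, n in sorted(hourly_activity(archives).items()):
        print(hour, "#" * n)
```

The threshold is the knob Steve describes: a phone turned off to commit a crime is usually dark for travel time plus the offence plus the getaway, so start with an hour or more and lower it only to see what falls out. The gap's start is the timestamp of the last archive written before the silence, so the device went quiet at or after that moment, and it was active again no later than the next archive's timestamp.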
Adam Firman (00:01.454)
Hello and welcome to episode 25 of Forensic Fix, a podcast brought to you from MSAB, where we talk with experts in digital forensics, investigations and related fields. I'm your host, Adam Firman, and today I'm very pleased to welcome Steve Bunting to the show. Steve has a long and a distinguished career that spans over three decades of law enforcement and more than 25 years specializing in digital forensics.
He is now the founder and principal examiner at Bunting Digital Forensics, LLC, where he works as an independent consultant, expert witness, and a senior instructor. His work has included mobile devices, cloud, legacy storage media, and courtroom testimony, bringing real world depth and clarity to complex digital investigations. Now, Steve, firstly, welcome to the show.
I've given our listeners a very small insight into your journey and your achievements for your career. For those people of the show who may not be as familiar with your background, could you share some more about your career path and what inspired you to focus so intently on digital forensics and expert testimony?
Steve Bunting (01:13.582)
Well, one day I had to do an internal affairs investigation. Yeah. And I knew nothing about digital forensics at the time. I had a lot of interest in computers, and it was back in the days of Netscape Navigator. And I saw this file in there called history. And wow, I said, this looks like just what it says, you know, and started going through it, because it was all about misuse of computer resources.
Adam Firman (01:20.126)
That's a good way to start.
Adam Firman (01:32.334)
That's...
Steve Bunting (01:45.218)
Cops checking on porn, surprise, surprise. So anyway, I went through it and I found all these timestamps, and they were the old Unix timestamps. What are these things? I had to figure all this out myself. And I was just talking to the chief after it was over and I said, you know, there's got to be a better way. And he said, look at this. He talked about this course called BDRA, Basic Data Recovery course, from... white collar crime. I said, Hmm, give that a try. So I went to it, and Keith Lockhart and Ben were there, and it was a room full, and I just enjoyed it. Went to Adria and couldn't get enough of it. So it kind of started me down that path. And from there I went with EnCase, and they asked me to teach for them. So I started teaching there, and then
next thing you know, we write a few books. So I wrote those books for Guidance. There were three editions. I used to be in martial arts years ago. My sensei said, if you really, really want to know something in life, teach others. And I found that also applies to writing about it too. Because you've really got to dig deep. You've got to research.
And you've got to be accurate. So it kind of cast my path down the forensic trail, if you will.
Adam Firman (03:20.792)
That's impressive. And it's probably a surprise to a lot of people who are sort of five years in this industry that a lot of people were just thrust a computer and told, Hey, you're the computer guy. Work this out. That's how a lot of forensic labs started.
Steve Bunting (03:35.118)
Yeah, absolutely. Somebody who knew more about computers than anybody else, and suddenly everything was starting to go out. And it grew, and back in those days, you were still trying to figure out whether the internet was something that was going to be viable. And we worked with the DOS boot disks, and it was interesting times. I remember finding emails that are full HTML text cached away. It's beautiful.
Adam Firman (03:42.649)
Yeah.
Steve Bunting (04:05.72)
But the change in security has really been overwhelming.
Adam Firman (04:09.442)
Yeah, and the constant change in this industry as well, isn't it? It never stands still.
Steve Bunting (04:15.688)
No. And anytime anybody asks me, I always say, well, this is the way we did it yesterday. I can't guarantee it's going to work that way today. It's just...
Adam Firman (04:25.217)
Exactly. Yeah.
In your current role, Steve, as I'm currently talking to you, people can obviously hear from your accent they're going to be expecting you to be sat in the US, but you're currently not. So what does a typical day look like for you now, running Bunting Digital Forensics?
Steve Bunting (04:48.046)
Well, at the moment I'm in Albania. I started here doing mentoring work for the State Department on a five-year contract. And for the past year, I've been doing other things. We've spun up a lab here, and we bring some people in. We let them work here. Our plan is to try to work with a local college and university here so that we can basically bring some interns in here. Because, I mean, where do you go to get training
in a country like this? I mean, they get manufacturers' training once in a while, but it's usually sponsored. They have minimal resources. So this is a way we're working here to try to bring some people in. So anyway, that's what we're doing here. My day here, doing everything from DVRs to...
mobile devices, whatever they bring in the door.
Adam Firman (05:45.528)
Yeah. So giving them a real insight into the forensic world.
Steve Bunting (05:50.254)
It is, yeah, it is. And you know, it's a communist country, or used to be rather, and it takes a while for the, you know, things were done a certain way. Most of the Balkan countries are this way. It just takes a while to bring about change. And so there's a lot of rigidity in the administrations here. They're not open to change, and the resources are very slim.
Trying to do what we can to help some people.
Adam Firman (06:21.988)
And that's what this industry is about, is about spreading knowledge and...
Steve Bunting (06:22.658)
Yep. Yeah.
Steve Bunting (06:27.766)
It is. I'm 73 years old, I don't know how much longer I'll be doing this, but as long as the mind's sharp and everything's still working. My concern now is the new generation.
Adam Firman (06:39.65)
Yeah. And the reliance on push button.
Steve Bunting (06:43.278)
I mean, that's the easy way. It's an artifact-based world, but you know, that's easy, and people want the things that are under those push buttons: the location, they want the pictures, they want the messages. You know, it's always good to get into the device. That's pretty simple stuff, but sometimes the facts of the case require a much deeper dive.
Adam Firman (07:08.76)
Yeah. And in your long career and your experience, having worked both in law enforcement and now as an independent consultant over those years, Steve, what major shifts have you seen in our forensic landscape?
Steve Bunting (07:28.078)
Well, security is one. I mean, it had to be. And sometimes I think Apple hates cops. But I understand where they're coming from. I mean, they're also dealing with the evolution of smartphones. I mean, it used to be that they sent messages and made calls. And now your entire life is on a phone. Your payment system, everything about you is there. Your medical, your biometrics, it's all stored in that device.
Adam Firman (07:34.05)
Yeah.
Steve Bunting (07:58.082)
There needs to be security on that. I don't think we would want to have it any other way. But it's getting harder and harder to get into them, and it just, yeah.
Adam Firman (08:01.304)
Yeah, of course.
Adam Firman (08:08.9)
And you raise a good point, because you and I, back in the day, and I think Brett Shavers has written many articles about this, it's putting the suspect behind the keyboard. That was always the challenge with a computer, because a computer is a shared, well, predominantly it can be a shared device. And I saw many of the sort of excuses of "it wasn't me, we had a
Steve Bunting (08:29.474)
That was. Yeah.
Adam Firman (08:38.444)
Russian sailor stay with us for the night." And it was extremely hard to work a case and look for artifacts that would support the context of your suspect sat in that chair. So like you've rightly said, phones are everybody's lives. They're kept in people's pockets. So there's no wonder that the privacy and security needed heightening.
Steve Bunting (08:39.86)
Yeah.
Steve Bunting (08:59.032)
Yeah. And of course, once you get into the phone, it's hard for them to say it wasn't me because the biometrics you require to get into the phone pretty much make it you. So on the plus side.
Adam Firman (09:06.582)
Exactly.
Yeah.
Yeah. And you spoke in your introduction about some of the books that you've authored. So you've authored EnCase Computer Forensics, the Official EnCE Study Guide. And for those of you out there who haven't worked with Guidance Software, the EnCE was sort of the staple, almost like the renowned industry certification, wasn't it, for being accepted as an expert testimony. What motivated you at the time to sort of get involved with that, and
Steve Bunting (09:34.668)
It was, yeah. Yep. Yep.
Adam Firman (09:41.646)
Do you see that those books are still relevant today?
Steve Bunting (09:48.696)
I mean, the title suggests it was written for certification. But basically, when we set about how we were going to cover it, what we were going to do with it, the publisher wanted it to be broader. Naturally, it sells more books. So they wanted it to be not only the certification, but also a general course in digital forensics. So they wanted me to go way outside that. Of course, the EnCE certification
isn't really software oriented. It is to some degree, but it's also very general practice too. So it's wide in scope anyway. And so we wanted it to be also a book on how to use EnCase. Now, at the time, the training division kind of bristled at that because it cut into the training, but it really supplemented it. So it basically was a how-to-use-EnCase certification book and a general forensics book as well.
Adam Firman (10:31.684)
Mm-hmm.
Steve Bunting (10:46.402)
They called it the Bible after a while. So it was a fun project. And the last one, is it still relevant? I mean, the last one covered EnCase 7 at the time, and it went from six to seven. That was a huge change in everyone's life. It did, it did. And I don't know personally if I were...
Adam Firman (11:04.553)
upset a lot of people in my old forensic lab.
Steve Bunting (11:12.982)
not writing the books, whether I would have been one of those or not. But anyway, the benefits were there once you worked through it all and got to use the interface. And it had to go that way because it was all about big data. I mean, you couldn't do things the way you were. So they had to make some major changes. So that book really covers, I mean, EnCase today might be up at 20-some, but it's really the same
Adam Firman (11:20.569)
Mm-hmm.
Steve Bunting (11:40.814)
user interface that they switched over to with 7. So it still has some relevance.
Adam Firman (11:42.446)
Mm-hmm.
But people don't like change, do they? People don't like it when interfaces change or methods change.
Steve Bunting (11:48.834)
No, they don't.
If you don't like change, you're in the wrong business.
Adam Firman (11:56.109)
Yeah, definitely.
Recently, you authored an article, and we chatted before we came on air about the importance of this. The article is titled The Art of Hunting for Nothing. And I recently promoted it at Techno Security West, because I was doing a talk around how you have to go beyond the artifacts presented by your forensic tool, because sometimes there may be data sitting within a device that can help assist your case. And this article that you published
proved exactly that. You describe how the absence of evidence actually spoke words for itself. The long quiet periods on a mobile device can be just as telling as traditional artifacts. Could you walk us through, Steve, how you discovered that approach and why it's important for forensic examiners to think outside the box? I sort of used my, or I spoke to you about my example, which is where devices were being submitted for fatal
road traffic collisions, and always the onus was "I want to prove that that person was sending a text message," and I almost had to re-educate people that there could be other valuable evidence on there. Yeah.
Steve Bunting (13:09.552)
Absolutely.
Steve Bunting (13:13.23)
Yeah, well, this case we're talking about here was a homicide case. And the fellow's name was Keith Gibson. He was out of Philadelphia. And he had served a previous sentence for homicide, served 10 years, and had just gotten out about a year prior. So in a way, he had not grown up with social media, so to speak. He didn't have it in prison.
And so for 10 years he was, you know, not dependent on it, so he could get by a couple hours without having his Facebook or Instagram. But of course he had other things he did. He was basically a street guy, and he wasn't going to go back to jail. That was his plan. So anyway, they brought me into the case, and they were trying to find out the location information. Was he at the scene of these crimes? Because there were several murders.
And they kept asking for location data. And then finally they found where, okay, here's where the robbery occurred on this day, but we had given you a narrow time frame. We've now found that his car was found in Philadelphia after he committed the crime in Wilmington. And so could you expand on that time frame? Again, looking for location data. And that's when I started really looking at it, because what happens? We were able to, backing up for a little bit, it was kind of like,
okay, maybe we're not finding the location data because there isn't any there. Why isn't there? You know, location services was on. So then you start looking at other possibilities. Well, maybe the guy turned the phone off. And the day they were looking for was out beyond 30 days. And most of your good logs on iOS have a time to live, TTL.
And 30 days is pretty much it for most of those logs. Some are, of course, hours. So some of those arrive the next recharge when the phone cleans up at night. You know, I mean, there's various time to live settings for all kinds of logs. So anyway, I started looking at known times that he committed crimes. And sure enough, once we started looking at other logs, we looked at the GUI. When you press an iPhone to bring up the GUI to turn it off, I mean, that brings up
Steve Bunting (15:40.91)
It's called SB Power Down. I think that's it. Yeah, but anyway, so suddenly we started realizing that he was turning the phone off. And all those incidents where he was turning the phone off aligned with times that we had for known crimes. But this one that they were really concerned about was outside that range. And it just so happened I started looking through the FSEvents. And for those who don't know what they are, they're the...
Adam Firman (15:43.022)
Yeah, springboard, springboard power down.
Steve Bunting (16:11.342)
I guess it's really for developers. They keep track of most anything that happens to a file or folder on the system. And they put several thousand of these inside an archive, and they're a sequence of what happens to the file system, hence FSEvents. And the archive itself has a timestamp. It has a created date and a last modified. They're always the same. I've never seen them not be. And the events inside there,
I think there's several thousand. What happens, they each have a GUID. It's a 64-bit number, so it's unique. So you can sequence them, so there's a perfect way of tracking everything that happens to the file system for whatever time period you have. So in this particular case, we had basically a birth to death; for whatever reason they had not been purged. So back to the very beginning when that phone was put in service, we had these.
Adam Firman (16:50.585)
Yeah.
Steve Bunting (17:09.742)
right up until the time he was arrested. So anyway, I started looking for that particular day. Now, when you start looking through these, I mean, you're looking through millions of records. And yeah, it is. I mean, you sit there and go blind. So it took me several hours just to find where that gap was in that period. Suddenly I looked at it and said, wow, just about 10, 15 minutes prior to the homicide, he turned off the phone. And then
Adam Firman (17:19.746)
Yeah, so it's hard to see through the noise.
Steve Bunting (17:39.726)
later, shortly after about 8:30 that night, this happened around 4:30, three hours later, he stole the victim's car, dumped it up in the Kensington area in Philadelphia. And sure enough, that's when his phone came back on. So now you see the gaps. Now I said to myself, there's gotta be more here. But to do this in any kind of meaningful way is...
Again, you're looking at millions of records, and looking for gaps is very difficult. So it came down to, I said to myself, time was short at the time, I didn't have time to develop any other tool to do it. So eventually I built a Python script that went out and looked for gaps. And so it allows you to paint a picture, if you will, of times when people turn the phone off. And it's variable. You can set the time for the gaps. I mean, somebody's going to
turn off a phone, commit a crime, it's not going to be five minutes. It's usually going to be a much longer period of time, because they do it before they get in the area. You've got to figure it's going to probably include the travel time, because they don't want that on there. It's going to be whatever time they commit the crime. They want to get somewhere a long way away before they turn it back on. So you're looking for significant gaps. This script allows you to adjust the gaps, see what kind of differential you want between them.
Adam Firman (18:45.156)
Mm-hmm.
Steve Bunting (19:03.448)
It paints graphs, gives you a really good picture of what's going on. So you can align those on a timeline with known crimes. So again, you're not looking for location. You're looking for the absence of the phone's activity. If you think about it, look at other ways you could, of course, what was interesting too, they never told me that this guy had engaged in such extreme anti-forensic measures. They just said,
find the location. If I had known what this guy was like, he was actually, you know, wearing gloves, a new pair of gloves for each crime. He was using a revolver, so no shell casings. He was using frangible ammunition. Every time he robbed somebody, he'd shoot them right in the head. No ballistics. He was wearing a hood, a mask, changing his clothes. I mean, he was anti-forensics all the way. So why wouldn't he turn his phone off?
So, you know, he didn't want to get caught.
Adam Firman (20:07.732)
And we'll link out to the article and you've included your scripts there as well, haven't you?
Steve Bunting (20:13.122)
Yes, I have. And the easiest way to do it is, of course, if you unpack the archives, you're going to get millions of records. So to process it more efficiently, if you just take the archives themselves, you can export out, basically all you need is a name and the path of it and a date. And if you just do that with the archives, you can find the gaps. Otherwise you're looking for
Steve Bunting (20:43.074)
millions of records that have whatever. What the events do is they inherit the date from the archive that contains them. So as they're created, what it does, everything that happened, the timestamp will be created. Everything will be what happened since the previous timestamp. So you've got all these, several thousand records that have the same timestamp. So rather than look at those individually, look at the containers themselves,
and it runs a lot faster. But that's not to say you can't do it the other way.
Adam Firman (21:15.117)
And because...
And that's always the way with most investigations. Like, when you and I started, data was a lot smaller. Whereas now
Steve Bunting (21:25.362)
Yeah.
Steve Bunting (21:29.358)
Staggering.
Adam Firman (21:29.408)
it's terabytes upon, yeah, it's staggering. And you can no longer go in and review everything. You have to have a strategy, and if you have your date and time, yes, there may still be thousands within each container, but at least you've been able to narrow that container down, because otherwise you're just not going to see the wood for the trees, are you?
Steve Bunting (21:51.33)
Yeah, then you go blind. Yeah, you've got to do it with scripts.
Adam Firman (21:53.858)
Yeah.
I wanted to ask, Steve, because I always got told that if you were going to examine a Mac, you needed a Mac. Do you find, looking through FSEvents and that sort of thing, is it easier if you've got a Mac and you've got access to Terminal and things, or are there ways that you can deal with it?
Steve Bunting (22:15.299)
Well.
If you take, I know I'm not here to talk about other products, but when you try to take an FSEvents log and unpack it in Windows, it's difficult. And so you're trying to take something that was really intended to be done hand in hand with a Mac. It's a proprietary technology. So you expect it to probably do better. But in this case, with these particular
events, they're basically just files, and taking the timestamps and looking for gaps, you're fine with that. Where it gets crazy is with unified logs. Because when you try to do that in Windows, you're making compromises. You don't get the full data. So when it comes to unified logs, come over to a Mac.
Adam Firman (22:59.428)
Mm-hmm.
Adam Firman (23:08.632)
Mm-hmm. Yeah.
Steve Bunting (23:16.33)
And they have commands to handle it, and it's wonderful.
Adam Firman (23:20.61)
Yeah, and we're not trying to discourage anybody here. And it's always the case that whatever actions you carry out, as long as it's documented and recorded and repeatable, then you can justify your actions, isn't it?
Steve Bunting (23:32.578)
Yeah, it's true. And you were talking about auto accidents earlier. We've been doing some testing, and it's hard to recreate an auto accident, because, let me tell you, we tried. And it has to be a serious accident for it to trigger. But the same events occur on the iPhone. Basically, if you have a watch and you fall, now I don't fall, but if you're in Albania, every time you meet somebody here, you're going to give them a big hug.
Adam Firman (23:41.634)
Yes.
Steve Bunting (24:02.862)
And so I'm continually getting my watch going off, thinking I've had a fall, and I'm just with an Albanian, we're hugging each other. That's just the way it's done. But if you forget it, or the moment it triggers, and let it go through a cycle, it's going to talk to your phone, and it's going to leave a lot of logs in the unified logs, especially if you let it trigger. So the same set of events, the same triggers, happen on the phone if it detects a crash on the phone.
Adam Firman (24:02.99)
Mm-hmm.
Steve Bunting (24:30.818)
So those logs are in the unified logs, and there's tremendous evidence there. But what I'm seeing is it only lasts about 24 hours.
Adam Firman (24:40.46)
Yeah, because of the amount of them.
Steve Bunting (24:41.934)
Yeah, they don't have a time to live that's any longer than that. So we don't see them much after 24 hours. So if you're really looking, it's almost, the digital evidence is so voluminous, they can't have it live very long. You wouldn't have enough storage on your phone. So what I'm finding is you almost have to think about digital evidence the same way you do in a traffic accident for blood alcohol.
It almost has that volatility. And so, you know, I'm trying to work with some of the attorneys that do the trucking accidents in the trucking industry and looking at a new protocol. Because basically, if you get this phone immediately after a traffic crash, and I'm talking about doing this within 24 hours, if you trigger a sysdiagnose,
Adam Firman (25:14.776)
Yeah, that's a really good way of putting it.
Adam Firman (25:39.726)
Yep, which you can do, can't you, from the handset? Yep.
Steve Bunting (25:41.198)
which you can do. You can do it with the buttons. It's tricky. Nothing out there is printed about it, as such. I spent a lot of time figuring it out. I pretty much got it down so I can do it almost 100% of the time. But if you do that, that log is going to get written. So that gives you some time. You capture the data that's in the unified logs and kind of preserve it. And then if you get to the phone, you can use AirDrop to get it, you know, move it off and...
Adam Firman (25:46.839)
Yeah.
Adam Firman (26:01.39)
Mm-hmm.
Steve Bunting (26:08.194)
That is a huge, huge first step for getting traffic accident data.
Adam Firman (26:11.758)
Yeah. And this is almost like for cops 101, isn't it, who do traffic. It's almost like it's part of the procedure.
Steve Bunting (26:20.494)
Yeah, it should be. I mean, you do all these things to get information. I mean, your fatal accident team should be doing this. They've got a phone. Now, an Android's a totally different animal in that regard. I mean, if you try to do the same thing, get the same kind of data from there, good luck. But an iPhone is really nice to do that with.
Adam Firman (26:39.364)
Yeah, and the problem with Android is you've got so many different flavors and vendors, and Samsung can push out an S25, but it can still have 70 variants. Yeah, and it makes it really difficult, especially for the company I work for, to extract devices, to say that they support an S25, but do they support variant A through to Z? Yeah. Yeah.
Steve Bunting (26:44.481)
Yeah.
Steve Bunting (26:49.4)
Exactly. Yeah. Yeah, it does. It does.
Steve Bunting (27:01.294)
Oh, God, it's all over the place. Yeah, so there's not much out there on the sysdiagnose, but they've got the unified logs in there. There's a couple of ways of doing it, but only one way, and that's doing it with the buttons, to get the full one, which is what you're looking for.
Adam Firman (27:15.918)
Yeah. And you're obviously involved in the training side of things. And we're very fortunate here at MSAB to have you as a contract trainer for us.
Going back to your law enforcement days, do you see that digital forensics is now part of a cop's initial training that they need to have that insight? Yeah.
Steve Bunting (27:39.854)
Oh my God, they have to, they have to. Right now, I mean, with the recent changes in iOS, if they don't handle that phone right, it's sensitive to where you are now. I mean, you have a trusted zone around you, and the levels of security are horrible once you step outside that zone. If you put your face up there, as in, oh, I'm a cop, here's a big guy, I can put it in there, as soon as it sees your face, it says, I know you, you're not the owner.
Adam Firman (27:51.596)
Yeah. Yeah.
Adam Firman (28:01.198)
Well, to me...
Adam Firman (28:07.46)
Yeah. Yeah. Well, cops and people who are involved in investigations are always told about preserving a scene. Don't trample over the scene, you know, preserve it for forensics. And that has been part and parcel of a cop's training from day one. So we're exactly on the money, really, with digital forensics now.
Steve Bunting (28:24.878)
Yeah.
Steve Bunting (28:30.286)
Yeah, I mean, it used to be don't touch the mouse, don't touch anything. Now you have to. I mean, you've gone to the complete opposite, but of course how you do it is very important. I mean, if you're going to do something with the phone, you have to turn it on its side, not put your face in it. You know, well, now that it's seen your face, that's a way it knows that you're not the owner. The
Adam Firman (28:33.666)
Yeah. Yeah.
Adam Firman (28:43.522)
Yeah, don't record yourself and...
Adam Firman (28:51.458)
Yeah, you've changed there.
Steve Bunting (28:53.558)
Change the, yeah, you change the phone.
Adam Firman (28:56.406)
And you've obviously given expert testimony, and for those listeners who have done it as well, it requires translating, especially, like, going back to the case, The Art of Hunting for Nothing, it requires translating technical evidence into understandable courtroom language. What are some of the pitfalls that you've seen practitioners face over the years, or any advice that you can give to people who maybe haven't given testimony yet?
Steve Bunting (29:26.018)
I'll just try to take something technical and turn it into real world examples that people can relate to. I mean, I said that about the blood alcohol. It's the volatility of it. It doesn't last very long. Well, alcohol is going out of your system very quickly. So those are two examples. Try to explain FSEvents logs. Basically, I would say, look, these are the logs for the phone to be on. These are going to be here.
Adam Firman (29:45.486)
Mm-hmm.
Steve Bunting (29:56.59)
Turn it off, there could be a gap. It's just the way it works. Don't try to get too technical, and just say a gap in that log tells us the phone was off. And try not to get too technical. I mean, you have to answer the questions, but the moment you get technical, look at that jury, teach them. That's what I think. That's what I try to do. Just turn around, forget the attorney over there, and just turn around, look at the jury and talk to them.
Adam Firman (30:25.174)
And you're correct, and you make the point of not being too technical. I've seen colleagues, and we had a review system in place where we used to review each other's reports before they'd go to the prosecution. And some people would want to highlight their expertise, and they perhaps would say, because this byte was little-endian and this value indicates this.
You may know that whilst you're sat in your lab with all your forensic case books, but when you're giving evidence, you're under pressure giving testimony. If a defense then asks you and questions you about that, you may soon forget all of that level of training you've had, and then they've undermined your expertise. And that's why you make the good point of don't try and make it too technical. A jury is not going to understand little or big endian, for example. Just explain it. Yeah, explain it on and off.
Steve Bunting (31:18.211)
Forget that.
Adam Firman (31:21.27)
in a way that people would understand.
Steve Bunting (31:24.024)
Yeah, you've got to dumb it down. You lose them quick.
Adam Firman (31:29.494)
And looking ahead to the future, we've already covered such a major change since the day when you were first thrust your first computer case. But what emerging trends or anti-forensic techniques are concerning you the most that examiners are going to face?
Steve Bunting (31:50.488)
I'm not sure where it's headed with Apple. Only Apple can tell you. I mean, look what they're doing. You know, the features they're putting in now, they're moving to biometrics. I see that as a showstopper in some regards. I mean, right now, if you want to get into an iPhone, even if you have the passcode, you think that's good enough. But if they had the stolen device protection turned on, to turn that off, to be able to dump the data, you have to have the face.
I mean, we run into that with people who die. The family knows the passcode, but the person's face is dead. So, I mean, I've taken my phone and made another person an alternate face. So if something happened to me, at least somebody could get into my phone. Yeah, yeah. And that's come about in the last couple months. So I see biometrics is going to be the way into phones, because it's very easy to sit behind somebody and get their passcode.
Adam Firman (32:35.118)
At least it can be, yeah.
Steve Bunting (32:49.026)
It happens all the time. There was a guy in one of my classes one time, and he had one of those unique occupations. You would hire him to go get in somebody's... And he would, you know, he would follow them around. And he was sitting in the classroom, and within, say, 20 minutes, half an hour, he had everybody's passcode for their phone, just sitting in the back row. Because he just had that ability to map it out.
Patterns, anything you needed. Those kinds of people are out there. And then the next thing, of course, is you steal the phone. And that's how they get in. I mean, biometrics are going to be there. What that does, that's going to be a real big, big showstopper. I mean, we're used to having passcodes override that, but in some cases, not now. And again, it depends on where you are with the phone. It's very sensitive to whose face is looking at it and where it is.
Smart security. Smart phone. So that's one thing. Yeah. And of course, encryption and the sheer volume of it.
Adam Firman (33:49.656)
Yeah. Yeah, exactly. And from the, yeah.
Adam Firman (34:01.624)
Yeah. And does it concern, like we've touched on it briefly about the reliance on push button forensics?
Steve Bunting (34:11.52)
Yeah, I mean, the sheer volume of data forces you to go that way. I mean, I can't imagine myself now starting new, because there's so much to throw at you. I mean, it's a very complicated field now. When I started, it was pretty simple. I mean, it wasn't simple, but it was much easier than today.
Geez, it's hard to imagine not, and of course the pressure on the labs, the backlog, they don't have time to dig deep. That's a problem too. And so, you know, the only way you're going to do it is research, and who's got the time in a modern lab to do that? I'm fortunate because I've always taken the extra time to do it.
Adam Firman (34:44.228)
Yeah.
Steve Bunting (35:04.462)
I'm curious. I want to figure things out, and I test. You know, I almost wish they had a course for doing research. People could get taken out of their routine and given a research project and really dig in. I mean, I think it'd be a fun course.
Adam Firman (35:12.825)
Mm-hmm.
Adam Firman (35:20.548)
It definitely makes you a better examiner. I was very fortunate in my lab. We had the time to research and validate and sort of test findings, but that isn't the case for the majority of labs. And I remember, and you've probably found the same, that you attend conferences, you network, you speak with people and they'll tell you about a case they worked where they found this artifact in this database or something else, for example, and you go back and
Steve Bunting (35:23.925)
yeah.
Steve Bunting (35:32.93)
No, no.
Adam Firman (35:49.805)
You think to yourself, I worked a case six months ago. That would have been an absolute gold mine for that case. But you can't beat yourself up around that. You only know what you know at the time. Because this industry is constantly changing.
Steve Bunting (35:53.24)
Yeah. yeah, absolutely.
Steve Bunting (36:06.124)
It is. It is. I mean, there's nuggets out there we haven't found yet. And of course, you know, it's hard to share. I mean, a secret not shared is soon forgotten. You know, you've got to have mechanisms to share information, and you don't want to covet it, because other people need to do the job.
Adam Firman (36:11.363)
Yeah.
Adam Firman (36:18.242)
Yeah, it is.
Adam Firman (36:24.868)
Mm-hmm.
Adam Firman (36:35.618)
And there's some really good blogs out there that detail some of this research. There's some amazing open source projects that have been worked on, like the LEAPP series that Alexis Brignoni started. And now the whole community is taking over. And it really is a case of, if you've turned over that stone and worked out the pattern, share it with everybody. Yeah. And from
Steve Bunting (36:57.752)
Sure.
Steve Bunting (37:02.028)
The downside of that is Apple sitting there watching. And you start sharing the information you're finding, then they're going to shut it down. And so it is. Some things you want to keep to yourself just because of that. Not that you don't want to share it. You don't want Apple to know about it, because they'll shut it down, make it more difficult.
Adam Firman (37:05.304)
That's, yeah, that is the issue.
Adam Firman (37:12.504)
Yeah, that is the real hard balance, isn't it?
Adam Firman (37:24.738)
Yeah, yeah. And we've covered the reasons why the manufacturers have to do that, but sometimes you do wish that you'd have an investigator key that just unlocks it for you. Yeah. And you're sitting there based in Albania at the moment, global training to independent consultant. How
Steve Bunting (37:39.95)
Yeah, just for me.
Adam Firman (37:54.361)
How important is the cross-jurisdictional, sort of, and collaborative approach in forensic work? How important do you see that? Because, like, we both come from a Five Eyes nation where data is shared freely. It has to be, doesn't it?
Steve Bunting (38:09.432)
Yeah, it does, it does. It's hard to do it. We started looking at this, like, in the Balkans, you have all the different languages here. I mean, you travel in the States, at least you've got English everywhere. Here you cross a country the size of New Jersey, you're into a different country, a different culture, a different language. So that alone is difficult.
Adam Firman (38:31.236)
Mm-hmm.
Steve Bunting (38:37.87)
And like here, the lab doesn't even have the internet. They've taken it away. They got hacked, the government did. So anyway, they're functioning without it for the most part. They purchased it themselves, and they all chip in and have one little wireless router with a data source on it, and they use it for their stuff. So it's difficult for them to engage, and they don't have the time.
Adam Firman (38:41.272)
Mm-hmm. Yeah.
Steve Bunting (39:09.714)
And you take a lot of the labs where air conditioning doesn't exist. And you're talking some pretty hot labs, and it wears you down. So I've seen a lot of different labs in a lot of different countries.
Adam Firman (39:17.934)
Yeah. Yeah.
Steve Bunting (39:24.91)
We're very fortunate to have some of the labs we have, but not everybody has that advantage.
Adam Firman (39:28.174)
Yeah, and we spoke about those boundaries, and we sort of covered that. You cover mobile devices, cloud, legacy devices. I want to talk about cloud, because cloud is really hard, because it depends what kind. Like, MSAB makes products, and we add features in that. If you're sat in the US,
Steve Bunting (39:47.405)
It is.
Adam Firman (39:56.773)
you're going to find it far easier to gain access to a warrant return, for example, from Google, whereas it's extremely difficult if you're based in a European country to then go and serve papers on Google.
Steve Bunting (40:01.336)
Sure.
Steve Bunting (40:10.686)
Yeah, it is. It used to be difficult, and there's a lot of misinformation about that. In this country here, for instance, the embassy wants people to do it. And they can see that nobody's done that here in three years. That's sad. And they've automated the process, so it's a lot better now. I mean, they don't have the struggle that they used to have. But the information has to get to the right people.
Adam Firman (40:16.654)
Mm-hmm.
Steve Bunting (40:40.19)
And they think it can't be done. So they don't bother to try. You know, we just did one today, and we couldn't crack into the phone, but we at least got a BFU extraction out. So we know the person's cloud identity, all the numbers they need. If they just took that to Apple for the search warrant, if they backed it up to the cloud, they could have it. But they don't want to bother, because they don't think they can get into it. We had that,
the information, the tools we have once we get those returns, to work with them. Most of the manufacturers do it; MSAB has it. But in these countries, they think they can't get it. That's what I've seen.
Adam Firman (41:20.556)
And even the country where I'm from, the UK, if we had cloud tokens, just, and I've been out of law enforcement since 2019, so hopefully it's changed, but it was a lot of processes to go through. The case would really have to justify it.
Steve Bunting (41:28.106)
Yeah.
Steve Bunting (41:38.572)
Exactly.
Adam Firman (41:40.554)
And yeah, hopefully those processes are being made simpler because even extraction of data is getting harder. So yeah.
Steve Bunting (41:48.472)
Yeah. Yeah, so it's better to have a search warrant, the paper, and get it back there.
Adam Firman (41:55.918)
Definitely. Well, Steve, I just want to thank you for joining me today on this episode and sharing your experiences and your deep expertise. Your work has helped shape the field, elevated best practices, and I should imagine supported hundreds of complex investigations. And I'm sure our listeners will find your insights hugely valuable. And I'm going to link out to your articles, to your publications, and I'll also put a link out to your LinkedIn as well so people can connect with you. But
Thank you very much Steve for joining me for episode 25.
Steve Bunting (42:26.382)
If I can help anybody, I'm a phone call away. Okay. Take care. I'll talk to you tomorrow. Bye bye.
Adam Firman (42:30.661)
Thank you, Steve. Wish you a great rest of the day. Bye.