Welcome everybody. I’d like to just start this out saying, you are not the typical crowd who I speak to and I’m so happy about that, it’s refreshing. And one more thing that I would like to ask, just because it’s personal curiosity and I’ll preface it by saying that I haven’t been in law enforcement for three years okay. So I’m no longer sworn. How many people in this room had ever had an inquiry from law enforcement about their activities? A few. OK.Cool [Question from audience.] Well I’m talking about your technical activities Your, your curiosity with electronic devices and computers specifically. Yeah that’s, that’s what I’m talking about. There is this huge perception out there in the world, that if you’re at a hacker conference, you’re going to be surrounded by people who are doing this for nefarious purposes, right? Like that, that you guys are out here trying to hack things and steal people’s money and information and sell that on the dark web and all of those things and… And throughout my law enforcement career because I grew up as a total geek in high school and learning file systems on my father’s knee, it was always my suspicion that that was just a load of BS. And that, that when you go to a hacker conference like the vast majority of people are here just because they’re curious about how things work and they want to know more Great, so. That is actually the secret to my success in law enforcement. Is that every time, and by the way I am among few in law enforcement that I have had the honor to identify and arrest a couple of different DDoS suspects for major DDos events and one for a major hacking event. That, that actually went all the way to the US Supreme Court and, and came through okay So it made some case law in this area. But the secret to my success was talking, right because, I’m not going to assume ahead of time that their goal was bad unless it was obvious and then I’m gonna be kind of curious about what they did And how many people liked talking about doing something after they do it, right? Like it’s, it’s pretty cool. We get to do some cool stuff. The other secret to my success honestly, is that I have hidden in plain sight, my entire career. okay. I have over 30 years In enforcement. Do I look like a cop? I didn’t even really look like a cop when I was a cop, and most of that is in Computer Crimes. And I can walk into a forensics conference, or a security conference, or a hacker conference and people just kind of ignore me. Or they pay the wrong type attention to me and then they don’t get very far because I was a cop for 30 years so… So it doesn’t work out well. I will tell you when I walked into this conference, I just sauntered up to the badge thing and was waiting in line for my really cool badge. While I was waiting for that badge, two people cut right in front of me. The law enforcement came out to me and I was like “follow the rules” So for 31 years I’ve been in law enforcement. The last three I have been in the civilian world and I will tell you so far I’m really preferring the civilian world. There’s a lot more freedom out there to follow my curiosity and a lot more resources to do the sorts of things I want to be doing But for 22 plus years, I’ve been doing Computer Crimes in forensics and started my career back when law enforcement did not know crap about anything So really it was in the, and you could argue that still the case in many jurisdictions and I won’t be there arguing that too much with you. But it was in the the mid to late nineties, back when bulletin boards were a big thing and back in 1998 my dad gave me a one gigabyte hard drive for Christmas and said that is the last hard drive you’ll ever use. It’s one of the few things he wasn’t wrong about That has so much capacity you’re never

gonna fill it up. And now we regularly leave behind ram that’s you know, 16 times that big. Great so, there’s a problem there. So, I’ve done some pretty cool hacking cases. Anybody here ever or be acquainted with the TV truck Jeep from the 414 freaking club? Them, yeah? Is this someone you know? What’s that? Okay I [Audience member] was asking about one specifically because I still have some questions I’d like to ask somebody who knew him. Some investigations just never end. That took nine years of my life and if I ever meet someone, I’d like to have a beer in a conversation. But that case, I’ve done a lot of DDoS cases. I’ve done a lot of cases involving broken, smashed devices that were smashed on purpose hoping to keep cops out of them. And had the opportunity to deal with some cases where it felt like I was writing reports that belonged in comic books, rather than in police files. Doctor Chaos and Riot Boy, wow. So, I’ve had supervisors read my reports and go, what is this? Right? I don’t understand three-quarters of the words in here and then I knew I needed to go back and rewrite that report so they can understand it. I’m a certified computer forensic examiner. I testified as an expert on a number of a lot of occasions. North of probably 200 at this point. In same federal courts and now in civil courts as well. And I’ve had digital forensics cases go to both the Wisconsin Supreme Court and the US Supreme Court. And both of those thankfully went in my view the correct way. People can argue, but and they did. I’m also a certified SANS instructor and a course co-author of FOR585, although I’m not currently teaching because my personal business has just taken off to a point where I don’t have the time to dedicate to it right now. But maybe someday I’ll go back and continue to do that. And I did my master’s degree in computer forensics at University College Dublin. Earned that in 2011. It was a blended program, so some online and some in country. One of the things my dad was very right about, is if there’s something you want to do and something you have to do and you can make those things come together, it’s a great way to live your life. So I wanted the good Ireland, they had a master’s program in forensic computing and cyber-crime. I knew that the training programs that were available to law enforcement in my area weren’t cutting it for me anymore, so I went Ireland. And it’s a great program if anyone’s looking for a good one. Um, so I’m going to start this talk with a picture, all right. And it’s not a new picture obviously. This is called Flammarion and this is a depiction of the guy who first decided that the Earth probably wasn’t flat, it was round. And I like to think about technology in these terms, right Like we don’t know what’s possible until we pull that curtain aside and look beyond it, at all of the things that are possible out there. And the vast majority of the world sometimes goes on thinking that things aren’t possible, even when they’re hearing that they are possible, right? Security RD report. No thank you, OK, here’s your rank somewhere. Great, like it’s That could never happen to me. It’s not a possibility and then they get nailed So my first degree was in graphic arts I like to go back to graphic arts because I think sometimes those pictures do more for us to describe the way we look at the world versus the way the rest of the world sees the world. It is a world of possibilities out there. And even in my field of digital forensics, which is my preferred field, I’m getting pushed into incident response and security and some other places that are less comfortable for me. But even in that world, sometimes the way people see that world is so black-and-white that they forget about the possibilities. And so when I say I’m happy to be in this room talking to you, it’s because people in this room or more likely to have already looked beyond that curtain, at what’s possible. And I would encourage you to keep doing that. So… I want to talk about ground truth, right. Like those things that we know are absolute in this world The things that we were taught to

believe as truth. And I want to start out by saying after 30-plus years of law enforcement, Oscar Wilde was right. The pure and simple truth is rarely pure and never simple, right. There are always colors to the grayscale. And there are always things that challenge our beliefs about what is true the question is are we willing to go there and look at those things and see where that possibility brings us or are we gonna get stuck in what some wonderful destiny true and I’m afraid that for the vast majority of people we get stuck with what people tell us it’s true and we stop testing the limits I don’t know how I used to see this this is a game of giant Jenga played at the Sands D Empire summit every year Jared and I play a game actually we play more like 5 or 6 but this is a perfect again every piece is played all the way to the top no pieces to go and you can see the foundation down there is strong and true and at the top that goes towards tipping so again I saw this great analogy greatly the further we go out towards the edges the less stable things become and that is actually the area where I like to work in forensics is wearing wearing the truth gets kind of fuzzy the stuff that we were taught to be true has some exceptions and I like to explore those exceptions so what am i doing I’m kind of hacking right like that that’s what what you guys do so I just want to talk about a few how many people have background in forensics in this room a good number okay so for the rest of you this isn’t gonna be anything that’s going to be like totally over your heads and for those of you in forensics hopefully it won’t be totally earth-shaking but it’ll be enough to have you peeked through those curtains a little bit we’re going to talk about imaging because we were told some SuperDuper straightforward rules about imaging about how when we do a full physical image of a hard drive we go from the first bit to the last bit and we did every bit in between and that is a good image if we have it my hash Mac I’m gonna tell you why that’s not true and why we shouldn’t believe it in wine it’s been common knowledge since 2012 we just chosen to just kind of cover our eyes and ignore it and I’m not talking about firmware which I was so glad to see these badges and to see that you guys are dumping firmware I actually added a couple of slides into this presentation right out there in the hallway about case that came in this morning because it has to do with with firmware and hardware and I want to talk about hardware okay because in forensics we sort of ignore these things we sort of ignore firmware and hardware we assume that they’re doing what they’re supposed to do according to the manufacturer and that there’s nothing sneaky going on there behind the scenes that we’re not able to see same with hardware and then I’m gonna talk about what we do about it once we discover that the earth isn’t flat in forensics right that there are some exceptions to rules that we need to take into account like if for 15 years I’ve been writing police reports swearing in front of a judge that I’m telling the truth the whole truth and nothing but the truth and then I find out that I’m not getting every bit of a hard drive the next time I testified what do I say right like I I swear that I’m gonna tell the truth well really that’s not the truth the truth is a little different from the fact that we’re just getting first to last these are the slides I added does anybody know what this is just off the top of your head it’s not point a sail skimmer right so this was placed over a point-of-sale device in order to capture some credit-card information we turned that sucker over we’ve seen the back of the keypad we start to see kind of a mess it’s hard to see from there so I’ll make it bigger for you that’s where the brains live anybody especially people who made these badge is happy about the work that was done here it’s kind of a hack job right minutes in the police in the least happy sense of the word again a little bit hard to see with the lights up but I’m told that’s the way to do the video here so we’ll let it go but what we see circled in the middle is a little I think 8 megabyte CMOS chip that’s where the data gets stored before it goes out of this device via bluetooth so we get a call Monday this week from another forensics company and they say hey we have called no less than 10 elapsed I’ve sent out the information about this chip I sent up pictures of this chip and everybody says no sorry I’m eating chip ups but we don’t do that and I looked at that I’m like it’s just a CMOS chip like why don’t you do that like it’s that’s probably the simplest scenario ok so

when you guys are working on half the bag challenge right and you look at the little chip on the back you’ll see that it’s nearly identical it’s not the same naked model but you will be dumping the firmware out of that chip so those ten forensics companies that said no to this job that’s super simple you guys if you can accomplish this will at least be able to do part of that work and taking that chip off because it’s been secured by hot glue is not going to be a super challenge and there are readers for CMOS chips right so this is not a hard job so when I said yeah it shouldn’t be too bad a challenge he’s like what do you mean he’s like everybody else said no and I’m like about there’s not much data on it it’s a simple chip we have readers we have all of the information we need about how the thing is laid out on this this shouldn’t be a challenge at all and it shouldn’t even be expensive he’s like well if you get data out of this one you can have all of our typical like okay data so bonus right bonus so this is a lesson in why when somebody else looks at something and they go that’s a homemade piece of I don’t know and they probably weren’t looking to see which one of those chips held the data or which one of those might be a challenge because there’s nothing about that that’s complex it’s just not made by Samsung or by LG or by somebody else right and so so you guys would be like oh yeah I mean that’s not a big deal let’s go for it so that’s why I wanted to put this in here so that you can see that in the real world outside of conferences this sort of work is out there to be done and there are a lot of companies that are turning it down because they see it as – as a carrot to do so that’s the stuff that makes my work fun now in law enforcement I probably would have had to send that chip up right because because there aren’t too many labs that will do it but I do know of another one that will Secret Service has allowed so imaging as examples go in this ground truth area and things that are playing hiding in plain sight this imaging is kind of an oldie but goodie Todd Shipley in 2012 he’s an old forensics guy wrote the white paper talking about our our imaging verbage and what everybody was taught by a national white crime Center and by the FBI part team and by every other training organization out there and said hey we can’t keep doing this because it’s wrong I said yeah you’re getting a bit for bit image of the user addressable areas of the drive but there are all sorts of other pieces of information you’re not getting we gotta stop saying this and by the way people if they’re smart could be hiding data in those places that we’re not getting so back in 2012 I paid attention and I was like whoo I I need to change what I’m doing here because I don’t want to miss things and I don’t want to be saying things on the stand that aren’t truth right like I want to be doing the best I can do so the myth here is that when we create that drive image we’re making a full bid for the image and in reality we’re only getting a bit for the image of the user addressable areas of that device but we have these lovely tools that allow us to take that image and get a hash and match the hash afterwards after after that validation or verification process and and we have planned people who are willing to say oh I got everything we’re good move forward write the report it’s it’s easy and simple it’s easy and simple until you start realizing that there are all sorts of places in this drive the service system area reserved areas servo information post protected area firmware all of these places on the drive that you know the disk itself or within the flash memory that can be altered by the user and could have information that’s really important to a case so some of this stuff our write blockers even picked up on right so in this case we have a picture of a write blocker that I used in a case where a long-term employee he works for the company for 13 years turned into his computer after he left he worked remotely and they were like he wiped the hard drive well he didn’t wipe it well maybe she you know reinstalled Windows really waited it was a different hard drive into that computer that had only been powered up six times right so he gave them back an intact computer it just not the right hard drive so it had only been powered up five times when I got it but interestingly the write

blocker sees this serial number we were to search that bit for bit image of that hard drive or that serial number we should be able to find it right should be there it’s not because it’s not stored in the user a celeriac stored outside the user accessible area so sometimes forensic examiners see this stuff and they go okay well that’s what it says the harddrive serial number is I want to verify that I’m gonna search my image for it oops I can’t find it and they go I don’t know maybe it’s encoded somehow and then they call up Ultra doc or Tablo or whoever and they say where’d that come from I can’t find it on the drive in and then ultra black or tableau tableau sends them off to Tasha please article and they go oh you know I just pulled the curtain back and there’s this whole new world hunter so that’s out there and it’s it’s certainly an area that doesn’t probably get enough attention in terms of what can be written to that area and what can be done to manipulate the drive during during the use of that hard drive so so that’s the number one example I want to use for you the things that are hidden in plain sight for us firmware myth firmware doesn’t really matter as long as it works and the reality is from where really freaking matters like it matters all the time yes we want it to be the stock firmware but some of the most neat DX points right now are for our exploits right so so firmware can be used to turn on your computer even when it’s turned off and to access it at the lowest levels and it used to be available only to nation states but now it’s available to all of us if we just go to WikiLeaks and download the information and the tools so so it becomes problematic right because those those schools are now out there so one example I like to use when I’m talking to tops is that you know your so you think about computer users in a certain way farmers are having their own firmware in their tractors okay so if farmers are hacking their firmware in order to avoid John Deere’s man you know mandated service times at once a year then we ought to be aware of the fact that anybody with the right knowledge and tools can hack their own firmware so it’s something we have to pay attention to firmware is everywhere I have this a great pointer that I like to use when X as an example unfortunately Murphy’s Law says the best review is not fully charged so so this is this this is a pointer that does some firmware tricks so I can point it at my screen or I can point it at that screen and it will show pointers either place without a piece of a laser and it’s interacting with with that device little Bluetooth magic or a little Wi-Fi magic in between and you have you have a really cool toy but USB keyboards webcams sound cards graphic cards one major place this comes up data recovery data recovery company gillware started as a native company 1516 years ago one of the most common things that comes in is people who turn over to us they’re 64 128 gigabyte USB devices that they bought off of ebay or amazon for 14 bucks right and they go I got this huge USB I put 64 gigabytes of pictures on this and there’s nothing left what happened well when you take it apart it’s actually an 8 gigabyte chip right so you can’t put 64 gigabytes in an 8 byte chip but I think gigabyte check but you can change the firmware on that 8 gigabyte chip to make it show the user that gets a bigger USB Drive so that you can make more money so this is one very common way that this happens it can also be used by bad guys and I’ve had the great opportunity to see it being used in cases where reporters are being spied on and where bad guys are using altered USB firmware in order to create spy devices so so watch those USB keys they’re still under imaging but GPS devices traffic signals routers printers vehicles everything’s got firmware in it and we can mess with all of that firmware and make things do things other than they

were designed to do here’s the next picture I love to show looks like a hacker doesn’t it your traditional happens this is Trenton he works for me he’s not hacker he’s actually a great coder but what he’s doing right there is decrypting however many virtual machines are there from trauma from a ransomware case the problem is that we start looking for you know very computer savvy people and we should be looking for this guy really the guy who figures out that they can change that firmware in their tractor or better yet the kid who from the age of tiny decides hey those limits they’re not mine somebody else’s limits and I’m just gonna keep pushing beyond them and figure out how to make this thing do what I want it to do so if we’re not looking for those people or add those people and there’s whole roomful of those people here I’m pretty sure then we’re missing out on a lot why does it matter it can be easily exploited it’s not designed for security it’s small it’s fast to write we see meltdown inspector and we’re firmware in firmware exploits the Intel from wherever ulnar ability is is is out there and in use is is actually a screenshot from a case I pulled that out of unallocated space the Intel Active management technology screenshot and so so really if you got that Intel chip and someone has can remotely get into your computer even if it’s been turned off and in this case they could also turn the power off on you this person’s computer was doing all sorts of crazy stuff that and they didn’t know why and unfortunately they were in a in a in a very large big name company and that company was kind of owned at the firmware level so it was kind of an ugly mess I mean like operating system firmware really has easily update market mechanisms but you can go out usually and find on Russian or Chinese sites the software that you need to interact with all sorts of different firmware we can use it to help us access devices that otherwise can’t be accessed and in the mobile forensics field anybody playing with mobile devices at all firmware can really help us get into devices that are acting right or that are under otherwise inaccessible through through security mechanisms so it’s definitely something to be to be looking at hardware the myth is the hardware doesn’t really matter so long as it works I don’t know too many forensics courses that ever talk about hardware and firmware how they interact together and how they in fact what we see later on in reality hardware really matters and it doesn’t necessarily even matter whether it works or not if you’re able to get that hardware to work then then you’re gonna be a better shape so sometimes we just need to go there to get around the problem the the picture here on your left is a Qualcomm chip on the phone this is the first chip off chip back on case on never aware of so go where we said hey we could take chips off read them directly if we get in cryptid data back we know that there’s several chips involved in that encryption what if we put that chip back on another phone and replaced chips – could we get around some of that and the answer is yes you can not going to work with every phone but there are several phones that we’ve had this process work for so it’s pretty cool next one is an old SD card thing was broken off but in in ways that we just so get around them so I just did some spiderwire soldering it got the the diagrams to get the right connections and then did a physical read of the data from that card reconstructed it and got the data back on it and the third one is a donor column next to an evidence phone this is from a Chicago homicide case Chicago PD homicide case where a body was burned in a barrel along with his phone and the person obviously wasn’t identifiable the phone to look like a hockey puck but we got probably 98% of the data back out of that including the guys last pictures and his last communications and they were able

to identify the guy and solve their homicide hardware mattered in that case right like and many labs would just look at that and go not a chance I’ll go through some more pictures of that case in a little bit repairs and replacement and reconfiguration can solve some problems that other methods can’t you can go act these things all you want with a write blocker and read and read and greed but but sometimes we have to go beyond that to get data out of devices board spots chip swaps head swaps for hard drives or board swap phones can get us to dated it is otherwise coated inaccessible alternative input methods so you see the iPad there that was a password-protected I’ve had at one point but somebody left accessibility options on and we were able to insert a keyboard and do some do some hacking in order to get into that particular device and then I’m making that one a little bit bigger this is an iPhone board we’ve sprayed it with some well in this case we actually used the the free spray right but you could use your candid or upside down that way but this was a foam that was stuck in a book loop and iPhone stuck in a blue glue it would come up it would overheat and it would shut down if you spray it with cold air as it’s coming up and frost everything it becomes obvious which chips are the problem right and then you swap out those components this phone will work beautifully and it will move all the way okay so most people would say that phone is a hockey puck I’m on to the next phone that would be a mistake because you will miss your evidence great example so this is the example that pulled me out of law enforcement and into the private sector so for probably the last ten years of my career I had a lot of different people’s hey Cindy come work for us like there’s the amount of money wouldn’t he said the minute law enforcement there’s all sorts of stuff to be done out here well then I went for a tour of Gilmer’s data recovery lab to talk to them to consult with them about starting a forensics business I wasn’t going to be involved in it I was just consulting with them and walked through their data recovery lab and a guy named Greg introduced he was working on an SD card that a wedding photographer had accidentally reformatted after coming back from Hawaii and shooting a high-dollar celebrity wedding she was in trouble rage so so she sent this SD card in and you reformat it any time we read this with Windows what is it going to tell us it’s an empty card it’s all zeroes I can apply my write blockers and I can take the physical image of that drive first bit too last bit all I want and it is always going to show me all zeroes okay in law enforcement if that had come to me USB Drive SD card I put it on a write blocker I preview it and it’s all zeros I’m on to the next piece of evidence and I’ve worked Child Exploitation doses for 17 years okay so a lot of pieces of evidence so I watched Greg that day I happen to get lucky recovered 300 plus images from an SD card that would read all zeros what kind of magic is that Christmas big wait like I’m supposed to be an expert and you just did that and I always thought the data recovery people were just sort of forensics light right it’s not anything yes we have these perceptions that we come into this business with right that that data recovery people are just getting people’s data back it’s just you know what did they do we don’t get that back what’s yeah so but this was some sort of magic or I just like what wait like how did you do that and how can I be involved in doing that so then I started to read more and learn more about flash memory and Greg gave me and I knew some of this like I had heard academically a lot of this stuff but until I saw it in action I didn’t realize you know how fooled I was about about what was visible versus what was it so we have the file system level our software based it was just kind of reach there and understanding through windows through Linux through whatever you’re looking at it through an operating system all you’re going to get is that level on these flash memory devices USB devices thumb drives or flash memory or even the Flex hard drive they have this flash translation layer that just basically sits there and says here’s what I want to show you and you’re not seeing anything else okay and I like to think of that as the wizard from The

Wizard of Oz do not look behind this curtain right because everything back here is stuff you no longer need to know about I’ve been told to reformat this drive so all you can see is eros but underneath that lays both NAND flash memory and that ROM and if you can directly read that chip rather than reading it through an SD card has data on it until garbage collection and we’re leveling happened which is less common with SD cards and USB devices than it is with more modern hard drives but here we are above that we see the logical level and we can get a physical image of the logical level okay so that’s the part that was screwing with my head because I thought I’m getting a physical image of this my tools tell me that my processors tell me that my experience tells me that I’ve done this a hundred times but all I’m getting is anything that the Wizard of Oz tells me I can see if we’re able to go down below the five translation layer then we can see the rest of it by the way this looks by person so there isn’t a thing underneath there that makes any sense whatsoever two people were talking about it it’s so if I erase it the stuff at the top is gone the stuff behind the Wizards curtain though it is still there and the worst thing people can do is start messing with that device and trying to get it back through a file system read great like the worst thing they can do is apply power to that and start working on it because you’re not going to get to it that way you have to take the chip off do a directory and then put that million piece puzzle back together again so there’s two avenues of extraction we can either do a normal device interface so you say that I am MCS do all of the different interfaces we have or we can do a directory to the flash memory of one or more chips so in this case we’re seeing a more modern SSD where we have removed all of the chips from that device we will do directories on each and every one of those chips and then we will put together that five billion piece jigsaw puzzle well it’s hard it’s not easy and it takes a long time but if you look underneath there with these tools they have tools that help you to figure out the patterns and to visualize them and it reminds me of my graphic arts days I go back and I kept oh that’s pretty it must be right and half the time it’s right so so if you can get the right tools to do this work there is data there and you can bring it back but there’s significant puzzles of building involved in it so why don’t we just do it all the time wrecking like chip off everything and I was there for a minute it took I said slow down sitting that’s okay we can’t do this all the time because a lot of times those flash and chips the NAND flash chips have industry standard interfaces and they’re not so easy to read or the data layout is proprietary or you have a tentacle ship after chip by making model up firmware and you look underneath them the patterns are all totally different great like they haven’t used a standard layout on the memory underneath encryption is another problem if that drive is encrypted then the data underneath is also encrypted by and the other issue here is that when we’re dealing with these larger drives that have we’re leveling and garbage collection that happens on a really regular basis and Trend commands and all of that stuff that gets rid of a lot of the data that we would be after anyway pretty automatically and pretty quickly so the the more modern devices the larger devices there’s actually less chance of recovery from those although we do find in spare area and over provisioned area on these devices that we’re getting back lots of little files and lots of versions or little files so it’s still not a possibility seems straightforward but it’s not really the truth here is not simple and oh yeah it can be physically destructive to the original device like once you take those tips off depending on the device putting them back on is not necessarily going to be a successful thing or if it is it may not last for a long time so when I tell you we’re doing chip off chip bonds for phones we are we’re doing them on a fairly regular basis now and having some success with that but we’re not handing that back to the customer and saying hey here’s your LG phone go ahead and use it right because that’s a temporary fix for us to get that data out and then to move forward so let’s talk about that oxide case just a little bit because I think this is a great example 90% of law

enforcement lab we’ve got a phone in in this condition would consider that phone to be toast okay and they would not have gone any further the phone itself was melted to the point where getting the micro sd card out was pretty difficult and then once the SD card came out does it look like it’s in good condition so anybody heard any rumors about how flash memory is heat sensitive okay so all of these issues should be a problem by the way don’t we that last thing flash memory in my experience is so tolerant to all sorts of abuse like you can throw it under salt water you can you can bury it for a couple years you can burn it like this and we’re still able to do some pretty amazing things to get data back it’s a pain in the butt and this one by the way the whole lab would stomp like burning plastic so this this was not a pleasant case to work on so that if you ever have a battery that looks like that it’s time to get that battery out of your building okay that’s that’s my safety advice or put it into an arson can and wait for it to explode because it’s going to at some point so that’s Mike’s hands my kids are one of our best chip off guys he did two puffs work in Afghanistan and he’s really fabulous at it and has the studies hands of anybody I know Mike did the chip off on this basically took the chip off of the donor board and we replaced it on to the other board and we’re able to pull the data out so that’s the chip as it came off of the board you can see the nice clean spot it came out of great he’ll clean that up make it pretty might have to reball it might have to resolder it depends on the job but then we can get that data out so so we were able to get back like most of the data all of the name came off of that flash memory chip and we were able to recreate it we got like a 90% read on the SD card so we didn’t get everything and there was a little bit of corruption there but but what we got back helped to solve that case so what do we do about all this right because a lot of what I’m talking about is those areas where we go now is that’s just forensics or is this like science fiction right because this is this where science meets fiction and we’re doing stuff that didn’t used to be considered to be possible and the thing is the longer you’re around and I’ve been around for 30 plus years in law enforcement and in 25 now or something and doing forensic the longer you are around the more you keep hearing oh that stuff that used to be impossible we’re not doing like all the time right it’s and and the thing is we moved forward but often times we don’t stop to say hey that’s no longer true so stop writing it in your reports and stop swearing to it every time on the sand and this seems like a simple advice though but I will tell you as someone who’s testified a number of times the first time I write a report and then testifying that notice isn’t a complete image of the hard drive this is an image of the user addressable areas of hard drive there was a very smart defense attorney on the other side that said hey Cindy you and I’ve done a lot of cases together and I’ve heard you testify lots of times why is this different than that other one up like why did you use to get all the data up and now you’re not is there something different about this partner okay and then then you had that moment where you go grab and you go no no I was wrong all those other times then I testify afraid like I was wrong and that’s a really hard thing to say and the problem is you had to follow it up and say I was wrong but not in a way that substantially changes that case right like I just learned that not only can I get all of that these are international stuff but there’s other stuff out there that I could get to if I need to dig that deep and so what to do about it is we can’t be so afraid of those moments where we go how do I explain this that we just take the easy route and say I’m not gonna explain it I’m just gonna keep doing it the way I’ve always done it and hope nobody else notices because it’s too hard right it’s not we just have to educate people as we go and we have to keep learning and reaching and growing and when our understanding changes we have to be humble enough to say I didn’t know or I don’t know or I was wrong and that actually gets harder the more experience and expertise you have under your belt the long run around the more I know I don’t know crack right like that’s that’s a really what it comes down to which makes me a

good forensics person because I’m always questioning the stuff that I assume to be true which is after all what science is about right so so that’s that’s a really the message I have for you about those things that are hiding in plain sight it’s all around us like it’s not just in this conference room the stuff that we believe to be true in forensics is our understanding of forensics at this point in time and like I’ve shown you a few examples here but there are many others of how that is just going to expand and grow as time moves forward and technology changes and so any questions I have with me I don’t know they’re my new key cartoon room this was a shirt that is from anonymous in Amsterdam I was at math conference in Amsterdam and a guy walked up to meetings like Cindy I want you to have this I’m like oh okay thanks I have a shirt and I said you know I can’t wear this at work right my boss would get sick but he said I’m giving this to you to let you know that some of us in Anonymous and he said this in a really nice Amsterdam accent appreciate the fact that you’re keeping our streets clean right he’s like because our goal when if we set out was to make things right and there’s so many people who are out like ddossing you know SeaWorld and children’s hospitals and I want you to know that we appreciate the people who are policing our streets too so I brought this shirt to give away though so if anybody is a European large and has an interest by the way your Kmart is smaller than a US large just for those of you who don’t know and try to figure out how to give this shirt away but I think what I’m going to do is give it to Mike and then halfway with who’s not in the room anymore because apparently you know he can’t be bothered I’ll get to Mike and and some challenge in the next couple of days will include this shirt as well ok so that’s your bonus flash memory because if I do a direct read of men’s memory and Crowell does it or some other company does it that direct read of Nan memory if we were to hash it after the rebuild they may rebuild it slightly different than I do and it’s not going to be the same like if we hit it the same that would be amazing so if it can be an issue and we just have to be prepared to say you know sort of like Ram is never the same cell phones are going to be rarely the same if you if you image them twice those things that are actively changing are a little bit different so the chain of custody is usually of that physical device but it can be of the data too and so it can get a little messy because they can have one exhibit number four for our dump and a different one for another dome that people can spend hours arguing which one’s right even though above the flash translation layer the data is all exactly the same so you know that billion taste soft and the puzzle that we’re putting back together if we rebuild some things differently underneath it’s not necessarily going to show above so so yeah it can be an issue than this one that we we still are working through I think honestly that’s part of the reason is collecting Ram stores like it doesn’t say hi say this is the correct image of brand because the next one I take will be different so if we have a court order that allows us

to try to break that encryption or to come up with a hardware or firmware way around we may be able to get past it it’s it really depends on the makeup model of phone though and the technology involved this is really prevalent to buy phones right now great link if you are affiliated with law enforcement you may have the ability to get a great kini extraction which is going to have more data in it even for a password-protected phone which they could break the passwords on then you can from any civilian available tool and so it’s not an equal world out there in a lot of different ways and whether we can get around encryption on a particular phone really depends on the make and model of phone the version of the operating system on that phone and potentially other things as well chipsets can make a difference Acushla so every every phone is its own individual problem we have time for one more question have I ever been told to stop my investigation man you know when I retired did you get me just ask the whole audience did anybody know her Jeep me try if you did I’d like to have a conversation with you yeah no I have never been told to stop an investigation usually what happens is that so many other investigations come in after it that it dies a natural death so you know it’s it’s like you’re a chef at a 12 burner stove and everything’s burning over at once that thing that requires your attention the least is most likely to slide from your attention so I’ve never been ordered to stop but I usually follow the rules and I’m very nice great I got I’m very nice to the people I talk to whether their hope that guy or a good guy and and I try to follow rules and get permission sometimes okay thanks you

You Want To Have Your Favorite Car?

We have a big list of modern & classic cars in both used and new categories.