All right, well, thank you so much for joining us today. This is a special event. Basically the idea was to celebrate 20,000 subscribers on YouTube. I honestly can't believe that that many people are interested in our videos and are interested in digital forensics and information security. So just thank you so much, for that many people liking our stuff and being willing to stick around and have a look.

So today what we're looking at are hardware write blockers. I thought we'd do something a little bit special, and hardware is a little bit difficult to get access to. I know that you tend to see hardware like forensic write blockers in laboratories, but a lot of people just don't have them in their labs, especially if they're not doing criminal investigations, if they're working in an academic lab or something like that. You might not have access to this hardware stuff. So I reached out to a couple of different companies, and one of them was Atola Technology. They loaned us a piece of hardware we'll talk about. Also Digital Intelligence loaned us a lot of equipment that we'll talk about, and then after this stream I'll also release videos going over the hardware and how to use all of it. So please stick around and have a look at that. I hope it's useful for you, because I didn't have access to a lot of this hardware when I was studying, and when we finally got into a lab I just kind of got handed a kit, and away I had to go. So I hope it's useful for you and interesting.

First I want to thank all of our subscribers. I still can't believe it. Hello, Kevin. And then all of our members and patrons: I really couldn't do this without you guys. Everything that I get from members and patrons in terms of contributions I put back into the community, so being able to even run this kind of stream is because of members and patrons.
So thank you so much. That being said, about anything that's possibly made: I've never done super chats before; this is my first time streaming, second time streaming. If we make anything from super chats, everything that we make will go back to the digital forensics community hardware fund that we started. A couple of people got together and wanted to buy a more expensive piece of hardware to do research on; it was the Oculus headset, for doing things in the metaverse. So we are (hello, Idea) putting a fund together to be able to buy that piece of equipment, and then the idea of the community fund is that once we buy the equipment we will generate digital forensic data sets and then release the data sets to the community, and anyone who participated in the fund can borrow the hardware for however long they need to do their research. So I hope this gives access to more hardware for more people to do more research. This is totally based off the awesome work that Josh Hickman is doing with the Android images. Every year, basically, he comes out with a new Android image, and there's just so much that comes out of it. And I mean, we can do it with Android, we can do it with a lot of other devices as well. So yeah, anything we make today will go directly to that fund, and if you want to donate to that fund, I will provide a link shortly.

Right. Okay, so two devices that were given, or one device that was given to us by Atola Technology: they let us borrow the Atola Insight software and the DiskSense 2. And then Digital Intelligence let us borrow an UltraBlock kit. You've probably seen these around; they're in a Pelican case, they're usually very bright yellow, and they are external write blockers.
I really like them for their flexibility, especially if you have to go on scene or something like that. And then they also let us borrow a Tableau TX1, which I'd never had the opportunity to use before, and it's also a forensic imager. So we're going to show all of those things today. I'll switch over real quick.

Okay. So we have the hardware laid out, ready to go, and this is what we're going to take a look at today: talk about some of the adapters, talk about just how the hardware works and what you can do with it, basically. So thank you again to those companies for letting us borrow that equipment. And then also Magnet Forensics came in and said, hey, we want to sponsor some prizes. So I said that sounds awesome. So we also have some giveaways, and Magnet Forensics is going to help us with that.

So to get started, we're going to start off with a quiz, and I've never done this live before either, so let's see if it works. Second, let me get this going. It's not a hard quiz. It might be hard to begin. Geez. Okay. So we've got the quiz up: if you go to ahaslides.com/dfirsci01 (I'll put that in the chat), I'll give people some time to join.

Christian asked: do you work with digital forensics in a company? If yes, do you enjoy it? Well, yeah, I enjoy it. I absolutely love working in digital forensics, which is why we're doing this. I especially love the research side of it. Do I do it in a company? I have worked with law enforcement pretty much all over the world, so I'm mostly on the criminal investigation side of things. I have done consulting for different companies. I haven't really worked full-time doing digital forensics for them.
It's usually incident response, or they bring me in for specific occasions, essentially. So for private companies, mostly consulting. For law enforcement, I've worked in a law enforcement lab before, and now I do my own consulting out of my own lab. Do I enjoy it? Yeah, it's amazing. This is one of the fields that everyone needs all over the world. I had a lot of students (I used to be a professor in digital forensics as well), and a lot of students would ask me, are there any jobs in digital forensics and information security? I said: everywhere in the world. Legislation might change, but digital investigation is the same. So I've worked all over the world. Now I'm working with the United Nations, basically training law enforcement all over the world in how to do digital investigations, and there's a need for it everywhere. There's a need for capacity everywhere; there's a need for more education, more skilled people, which is why I put videos out there for free, because every country needs digital investigation experts now, especially for things like disk analysis, phone analysis, things like that. Sorry, that was a really long-winded answer, but yeah, I've worked with companies, at least consulting, I've worked in criminal investigation labs, and I've always loved it. It's hard work and you can get into some really crazy cases that are kind of emotionally tough, but yeah, I love the work and I love the research. I hope that answers your question.

Oh, somebody loved the forensics course. Thank you so much. And then: do I have a favorite case that I've worked on that I can share? Favorite case is tough. We've worked on a lot of stuff. A lot of the stuff that I personally work on was around child protection, and I hated working on the case.
Let's say the content of the case, just the nature of the case, was awful. But at the end I saw someone who was being victimized, I saw them stop being victimized, and I know that they're protected now. So the work is really hard sometimes, depending on what you're working on; especially if you work on abuse, it's really emotionally difficult. But at the end, when you know that you've helped somebody and their life is going to be changed for the better after that, I mean, that's a really good feeling. So I can't say there's a specific case; that actually happens quite often.

What is my favorite tool? If you've been watching the channel, I try to cover a lot of different tools. Most of them are open source and free, and the reason I cover so many tools is because you never really know what you're going to need, right? There are a couple of go-tos. I talk about Autopsy a lot; I use that really often. Volatility I find myself using quite often these days. But it really just depends. The good thing about Autopsy (thank you so much, Niko) is that it's a starting point, right? From Autopsy you can get a really quick overview and have the ability to search for things, and then from Autopsy I usually break out other tools depending on what I need to do at the time. Every case is different, and there's not going to be one tool that just does everything perfectly for you. Also, how can I say this: in digital forensics, especially if you're working on criminal investigations, you're going to have to validate your tools. Which means: I have a tool that I really like to use because I'm very comfortable with it. Well, how do I know that that tool is correct? I'm going to have to test it with some other methods.
So it could be... I just realized I wasn't even showing the screen. I'm not a normal streamer, guys; I'm sorry about that. Okay. Yeah, so validation: whenever you're using a tool, you have tools that are your go-to, that you tend to use a lot, but you need to validate those tools, and usually I'm using other tools to do that validation. So I guess my point here is: you can have tools that you're comfortable with, but try to be comfortable in as many tools as possible. That way, whenever you have a challenge coming up, you can switch over to other tools very quickly. That's basically what I would say, and then of course validation.

Cellebrite versus Signal messenger thoughts? Jack, you're talking about Cellebrite and Signal messenger; they're kind of back and forth with the blog posts. Is that what you're talking about? I thought it was interesting and hilarious, but let me know what else you think about that. Hello, Alexis, how are you? And then Jim: any luck with memory forensics on a case?
Yes, in multiple countries we've actually had success. Really, the trick here is first getting first responders that can actually make a memory acquisition. That was probably the biggest challenge: whoever is first on the scene, so far in a lot of cases they've been taught to just shut systems down immediately, pull the plug, and take the computer or whatever it is you're looking at. So getting first responders trained up on how to actually do some basic live acquisition was the biggest problem. But whenever we go on scene ourselves and we actually find a system that's on, then yeah, in a lot of cases I've been able to get a memory acquisition and then use that in the case. Memory forensics, I push it so hard, because even though it is difficult to get on scene, there's just so much information there. Especially if you're doing criminal investigations, the ability to see what the user was doing during the last boot of the computer: if you have RAM you can just recover so much user activity. And even if it's not user activity, it might be malware, connections, remote connections coming in. There's just so much interesting, good information coming from a RAM analysis, so I always recommend that people do it. It's difficult to get it, but we've had good success on cases with RAM analysis. In my case it helps to establish that the user was aware of different files. For example, for child exploitation cases you have to show that the user knew that the content was on there, and with RAM, if you can see that images were loaded, and you can even see what program they were using to load those images and at what time, then all of a sudden you can say, okay, we know that these things were executed on the system.
Did anyone else have access to that computer? And if they say no, I'm the only one with access, well, now you have kind of a connection to a user activity showing that they were at least aware of those images. So anyway, yeah, always try to get RAM. It is super useful for cases. Really, that's a first responder training issue, if we can do that.

Okay. What's on the screen? So I have... let me see if I can move this thing. Okay, so we're going to do a quiz, and if you go to ahaslides.com/dfirsci01 then you can join the quiz. The way this quiz works, hopefully it's not too difficult: whoever answers first gets more points, and then I'm going to take the top three people, and you're going to get basically sticker packs and pins and things like that from DFIR.Science. Okay, so please go ahead and join, and then we'll go in a second as we answer some questions.

Jesse, hello. Did you ever have to parse something manually in hex, and how did that stand in the final report? Okay, so have I ever parsed anything manually? Yeah, I go to the hex editor a lot. I'm fairly comfortable with a hex editor. How did that stand in the final report? No problem, because I can explain how I'm parsing it and what I'm trying to do. You wouldn't just say, oh, here's some data in hex and that tells me the person's guilty. That doesn't make any sense, right? You have to actually show that you parsed the information, plus research that shows that this data structure is a certain way. So that could be an academic paper. It's better if it's an academic paper, because then you're not relying on your own expertise. You're basically saying these researchers outside have this expertise, and they say that this piece of data tells me that something happened in the system.
So if you can use published research, it'll really help back up any type of manual parsing you're doing. But think about it: if you're using a hex editor, or if you're writing your own parsers in Python, for example, using a hex editor and doing things in Python is basically going to be the same thing. You are doing your own research, you're finding out what that data structure is, and then you're trying to extract that information. So as long as you can justify why you think that data structure is like that and show that it's true, then no problem. If you have your own individual research, try to get it published, is what I would say.

Can the hibernate file be used in lieu of a RAM copy? Yes. You can analyze a hibernation file, and depending on how it was hibernated, the operating system, things like that, you can get a lot of information back from hibernation. The problem is that whenever you're doing hibernate, whenever you make that file, you're potentially overwriting other hibernation files. So you could have actually had kind of two copies of RAM, the currently running system plus an older version, and then done some change analysis on both copies to see what happened in the system over time. But if that's the only way that you can get a RAM dump, that's what you have to do. So yep, you can definitely use hibernate to get some information.

Okay. All right, we have 18 players, so I am just going to start and we'll see where we go from here. Now, the deal with this: there is a bit of a lag between the time that I'm clicking something on the screen and the time that you guys actually hear it or see it. So watch your screen if you're doing the quiz, and don't just listen for me. Okay. Oh no, I totally messed it up. Sorry about that. This is what happens. Okay, try number one totally failed. Let's try this. If you can't tell, I'm not a professional streamer. Sorry about that.
Okay, we've got 18. Oh, we've got 19 coming in. All right, maybe we'll get a couple more. Yeah, so thank you guys so much for the questions. That's great. If you have anything else, just let me know and I'll try to answer as best I can. We'll give it a couple more seconds for people to come in. Yep. Luke, as I'm not sure, maybe I missed something. Okay, let's go ahead and try this again. Let's go. So you have a minute to answer.

Do I have published research articles? Yep, I do have a couple of them. While you guys are taking the quiz, I will post some links. Let's see, time's up. Volatility, oh wow. Okay, thank you guys so much for watching. Let's see who the leader is. Oh, he was real fast. Awesome. Okay, next question. This one's a little bit harder. So in chat I just posted about the DFIR community hardware fund.

So what Volatility plugin can help get Windows user passwords? So: pslist, handles, netstat or hashdump? hashdump will dump the Windows password hashes, and then we can take that hash and try to crack it with something like Hashcat or John the Ripper and try to get the password back. pslist will list all of the currently running processes in RAM from your RAM dump, and handles will list all of the open handles. So, for example, if we wanted to get file handles, any programs that are accessing files at the time that we collected RAM, then we can match the program to the file access and extract those file handles. And netstat is for network, obviously.

See how the leaderboard looks. Oh man, still doing good. Oh yeah, cool. Okay. Jesse says no Jeopardy music. Listen, my computer is about to die just running this quiz, so please give me a break. Yeah, there's a lot going on here. Next time I'll try to get Jeopardy music and sound effects and explosions. Oh no, "new old sad". Why sad?

Ah, okay, so which Windows registry key can help you find the number of program executions? Basically we're looking at UserAssist.
It keeps track of the number of program executions plus focus time and focus count, essentially. So UserAssist is super handy, and if you're looking at Volatility, Volatility can parse out UserAssist directly. But anyway, UserAssist is just a great key. ShellBags is also probably one of my favorite keys. What you can do with ShellBags is find out that the user was accessing folders and directories, and with ShellBags and some other keys you can even reconstruct filenames inside directories. It's really a powerful key. RunMRU: any time you see MRU, it's a most recently used list. You can use MRU lists to reconstruct, essentially, actions that happened. So especially if you're doing some type of snapshot analysis of what used to be Windows restore points, or shadow copies, you can look at MRU lists over time and then try to estimate how many runs happened at a particular time. But anyway, MRU lists are really interesting for investigations, especially powerful with some type of snapshot analysis, if you can do that. And then USBStor: yeah, that won't really help you with executions, but USBStor is also super interesting, because we're always interested in external devices being plugged into the system, right?

So let's see how the leaderboard's coming out. Man, they're still quick. Geez. Okay, I think there's one more. Yep. Don't worry, we'll have other quizzes today. We still have a couple of prizes up for grabs for this quiz. We're going to be doing sticker packs, and I'm going to make some lapel pins and things, I have planned. So for the top three you'll get a sticker pack, and then Magnet Forensics has supported some prizes as well: they are supporting coupons for their Magnet Forensics shop. So stay tuned for the other quizzes and we'll have some nice prizes, and then I'll try to do some other things as well. This one's super hard. Can you research it in 60 seconds?
I don't know. Best guess. Oh, nope. So DFIR.Science, we started in 2008 as Cybercrime Tech. So for those four people, that's either a really lucky guess or you've been stalking me for a really long time; I don't really know. Yeah, we still have the blog up. We've been doing stuff for actually a long time. Oh, I sent... yep. So I thought it was a quick OSINT question: you can just go to dfir.science, which is our blog, and then just go to the last page and it's 2008. So yeah, good job for those four. "Bottom place should get a bonus gift." I'll see what I can do. We'll see how that shakes out. Oh man, KP still got it. Naiko coming up. Awesome. Well done, everyone.

Okay, so for the top three, hopefully you put in your correct email address. I'm going to use the email address for the top three; I'll be emailing you and then I'll get you information about the sticker packs and get some stuff sent over to you. Jesse: "you don't look that old yet." Huh, well, it's dark. I keep it dark so that you can't see all the gray coming in over here. Yeah, okay, so I actually started the blog when I started my PhD program at University College Dublin in digital investigation.
So yeah, it's been a long time now that I think about it. All right. Hope that was interesting. Sorry I messed it up the first time. Let me reset this.

Okay, and on that note, basically the reason that we started DFIR.Science in the first place (I want to make sure I get those responses) is because we were training for Interpol and ECTEG, which is a European training group, and after I would go in and do training for local law enforcement, they would come back and have more questions about how to do some specific task in their investigations. So the whole point of starting the blog and starting, specifically, the YouTube channel is because I needed a place to be able to show how to do something in the investigation or how to do some task, and I wanted it to be just available to everyone, because if one investigator has that question, a lot of them do. And it turns out that a lot of investigators did have the same question.

"Three guys should not be included in the quizzes." Okay, maybe that's true. If you win, we'll see how the other quizzes go. They're not technical, so maybe it's an even playing field. I don't know; we'll see about who wins the next ones.

Right, so basically from questions that I was getting from investigators all over the world, especially when I was working in Central America: so many questions, and they wanted knowledge, and they also needed to do investigations very inexpensively. Their labs couldn't afford all of these different expensive tools or toolkits. So it's like: how do you investigate real crime and get that evidence into court locally if you have no budget? That was kind of the basis for everything: how can I do something very inexpensively and as easily as possible?
So I could recommend, for example, a Magnet tool that might do the job very easily, very quickly, but some of those labs just couldn't afford it, especially way far out in the countryside where they have one person for the entire lab. They just can't afford tools sometimes, and a lot of countries do help with grants, trying to buy software for laboratories, but eventually those grants dry up and then licenses run out and then they can't use the tool anymore. So I was looking for cheaper alternatives. Sometimes I tried to develop tools myself and then make them open source. Alexis does some amazing work on ALEAPP, iLEAPP, all the LEAPP series stuff, and Jesse is working on that as well. I mean, those tools are invaluable to local investigators around the world that don't have any support locally and will never get support locally. They rely on those tools to do their entire investigations.

So yeah, 2008, yikes. Some people were probably born in 2008, right? How... yeah, that's okay. Whatever. Anyway, the whole idea was: how can we help investigators, and how can we make access to the tools as cheap as possible, but also access to the knowledge? Because you can give people software all day, or you can tell people to go to GitHub because there are a lot of free, interesting tools on GitHub, but learning how to use GitHub is not easy, especially if you're not a developer, right? So the reason that in most of my videos, if there's a tool on GitHub, I still go through the process of downloading it from GitHub, is because some people have just never been exposed to that, right?
So we have to expose people and teach them how to get access to these tools, and then teach them how to use the tools. That's basically where we're coming from and why I started YouTube in the first place. So honestly, I expected the channel to be like four investigators around the world and me just saying, hey, how do we investigate this kind of thing? And then I would make a video about it. But I never expected 20,000 people to be interested, honestly.

People are talking about 2008. "Can anything advanced get investigated with free tools? That's a matter of performance. Maybe not some mobiles." Yep, mobile is tricky. Again, look at Alexis's ALEAPP, iLEAPP. Free tools, actually all tools in general: we had a question earlier about using a hex editor. All tools are based on using a hex editor, understanding a data structure, and then making a parser, right? So everyone could do a completely manual investigation, but we also don't have time for that. You have to do what you have to do. So if you don't have a tool that can do it, yeah, you need to go in that deep and start developing your parser, developing research on the data structure.

Let's see. Yep, matter of performance. And honestly, especially since the Open Source Digital Forensics Conference, open source tools have gotten amazing. It's been going on for a long time now, and we are spoiled, basically, because just the level of the free open source tools now is higher than what a commercial product would have been 10 years ago, right? 10 years ago we only had a couple of options, really, and they were kind of all over the place. Now I think everything is going in the right direction. Commercial tools are amazing, open source tools are amazing, and now there's actually a community of people who are developing and actively releasing that stuff, and I think that's a huge step in the right direction, because, like I said, some people can afford commercial tools.
Most people can't, or at least on the criminal investigation side. So criminal investigation labs and police is basically what I'm talking about.

Dark modes? Yeah, I can agree with that. I mean, just open up the terminal. I always use the terminal. Dark mode your terminal, that's it. "If you know what you're doing, low level is quicker." Yeah, a lot of times, if I know exactly what I'm looking for, I don't even bother to do indexing and carving everything, parsing everything out. You can focus your investigation when you have the skill to do it at a very low level, sometimes. But for an average investigation I don't think that's true. If I get 10 laptops in and five phones in, or something like that, I'm going to be going through probably a triage step and then doing a full acquisition of everything and then doing a full processing of everything.

"Professor of Money Heist." I don't think... is that a movie? I don't think I've seen Money Heist. Let's see what we've got here. Has anyone seen Money Heist? Is it a thing? Money Heist, TV series. Let's see if we can find the professor. Somebody said I looked like the professor from Money Heist. Oh, it's on Netflix. Maybe I can watch it, if I still have an account. Okay, so our assignment is to watch Money Heist and see if I'm a professor on Money Heist, I guess.

Do you suffer from imposter syndrome, and how do you deal with it in order to keep learning? Yeah, really badly. Man, imposter syndrome is just... I don't know, maybe everyone has it. Yeah, I definitely have it. Think of it this way... is that the professor on the end there? Sorry, I'm jumping around. Who's the professor, this guy? Well, I'll take that as a compliment. Okay, imposter syndrome. Yes. Whenever I look at the work, especially the amazing work that people are putting out there on Twitter, I'm just like, man, should I even be here?
These people are just amazing at what they do. And consider that I have a PhD in computer science with a focus on automating human reasoning in digital investigation. That's my area. But then I look at what people are putting out there, like Alexis, like Jesse, and I'm just like, this is amazing. How can I even fit in here? So the way that I deal with it is, first off, read what they do, find out what you're actually interested in, and then just start publishing stuff. Find a way to help the amazing people, you know what I mean? I might not be able to do everything that they're doing, but I can definitely support them and at least get their message out there. Try to give them as much support as possible; maybe do some research for them, write blog posts, things like that that actually help people.

At the end of the day, it's kind of like earlier: I was talking about criminal investigations, and the investigation side can be really physically and emotionally hard, but then once you see a victim not being a victim anymore, that's really what makes it worth it. So a blog post, for example, is kind of just a blog post, but actually a lot of investigators and researchers come to blog posts, learn how to do some task, and then write tools that they can use in their investigations, and then that also helps justice. So just kind of keep a bigger picture about it. The work that you're doing, even if you're writing a simple blog post, can help people; it can help save lives, potentially, because we're working on some really dark stuff sometimes, right? And these days there are going to be a lot more cyber attacks. People need to be able to respond to that. So if you have a blog post about how to do some simple detection, then maybe that's going to help somebody in the future.
So just think that there is a bigger picture out there. Just keep producing stuff and see where you can help, and then just try to help there. That's all I can really recommend. How to actually deal with it emotionally, imposter syndrome, I don't know. It's something everyone has to deal with, I think.

"Alexis won a dark mode." Yep. Okay, talking about xLEAPP: if you haven't seen xLEAPP yet, the xLEAPP project is trying to combine all of the iLEAPP and ALEAPP into one framework. It's a really interesting framework. I'll try to post a link about that in a second. And then Jonan said, "I really like the fast prototyping video." Thank you very much. I wasn't really sure what people would think about it, but that's exactly how I write scripts or any code: just chop it down into a simple problem first. If you're trying to learn the framework, yeah, if you're trying to learn the ALEAPP/iLEAPP framework and then write a module on top of it, it gets a little bit complicated. But if you just break your problem down, write a script that solves that problem, and then put that script into ALEAPP/iLEAPP, it's much easier to think about. So I'm glad you liked that video. I wasn't really sure how people liked it.

What's your motivation to keep on in the field? Justice and protection, honestly. A lot of people want to do good things in the world, and because they don't have... how do I say this?
Somewhat diplomatically: there's a lot of bad people that take advantage of people, situations, and the fact that people don't know certain things or have access to certain resources. My motivation to keep going is that any time you write a blog post, or, obviously, if you're working on a case that directly helps a victim, then there's a tangible outcome that you can see. That's a really good motivator. Even if the case was difficult, at the end you see the result and you're like, yeah, this changed a life. But then for things like blog posts, like I said, a surprising number of people like this channel, a surprising number of people came to the channel and liked the videos. Is that because it helped them in some way? So then I'm happy. It motivates me that I can help those people understand digital forensics a little bit better. But then at the end of the day, they might also be investigators, or might be investigators in the future, and then I've helped all of their cases as well, which means that all the victims in their cases, potentially I've helped them as well. So I just try to again have this bigger kind of mindset, that the work we do in digital forensics really helps people. You might not be working on the case directly, but everything that you can do to improve digital forensics or work on digital forensics, it's going to help. I'm talking too much, so I need to keep going. Motivation in the field, yep, okay.

The glasses won. Thank you so much for saying I'm the Professor. I'm going to watch Money Heist, and I hope that's a compliment.

"I'm working on a cryptocurrency forensic tool for my final year project in university. I'm thinking about starting a company and selling it. Have you ever worked with selling forensic software?"
Yeah, I mean, I've worked with commercial companies that sell forensic software. I haven't done sales myself; even putting logos on this stream was a bit odd to me, because I've never really done anything like this before. I guess it would be, what's your question about that? What I would do in any case, if you're going to sell cryptocurrency forensic tools, is go talk to law enforcement and see what they think about it. Provide demos, provide enough time for people to try the demos, and then provide a lot of information about your tool. That way it's easy for people to access it, understand what it is, and understand how they can use it in their investigations.

And then Park Kyung Jae with 1001. Thank you so much, Kyung Jae. Speaking of software, Kyung Jae works with HM Company in South Korea, and we worked together a really long time. He's from the Best of the Best program way back in the day for information security. Awesome guy, awesome company. They also do forensic software, processing in the cloud. So go check out HM Company, and I'll try to provide a link for them a little bit later.

Okay. Keaton says imposter syndrome is proof that you have space to grow and you're self-aware. I appreciate that. It feels bad, but maybe you're right.

And then Jesse: "I enable others to understand what they can do," and I think that's a great thing to do. Yep, just supporting each other. We're all working towards justice, in one way or another, no matter what types of cases we work on. So really, at the end of the day, that's what it's all about.

Lucas says, "Are you working on investigating malware and lateral movement, or are you only focused on crime?" I do a little bit of malware. I don't really do much reverse engineering. I've been wanting to get a little bit more into it, but all of the stuff I end up working on is normally for criminal investigation laboratories.
So that's really where my focus is still. That being said, some of those labs are advanced enough to have their own kind of malware investigation section, so I think I dabble, I would say. "The longer I work in cyber, the less tools I need." Okay.

And then Jesse, you tried to post a link, but I think the link wasn't shared. So if you text it to me, I'll try to post it.

Keaton says, "Videos really helped me." Great, I'm glad they helped you. "Thanks for the great two videos about Autopsy." I have a lot of old videos about Autopsy, but I said "um" a lot and I didn't cut it out. So sorry about that. Yeah, if you guys have any specific topics that you want to see, just let me know and I'll try to put it in there and then make a video whenever I can. Just comment on anything you'd like to see.

"What are your thoughts on specializing in specific fields of DFIR versus a more generalized approach?" It really depends on what your interests are. Some people absolutely love malware reversing, for example, so the problem of malware reversing itself is so interesting to them that that's what they want to focus on for a really long time.

Okay, I have the xLEAPP link up there. This is from Jesse. So definitely go check out xLEAPP on GitHub, and then I've already done some videos on ALEAPP and iLEAPP, so you can go check those out. But xLEAPP is basically combining all of those different projects together.

So, specializing in digital forensics or a more generalized approach: digital forensics and incident response is a huge area in itself. So if you want to be generalized, you can move to a lot of different organizations or organization types. Really the problem, is it a problem? The problem in our field is that you're really working with, you know, military, law enforcement, and then sometimes private sector. Military and law enforcement are very closed, and rightly so, so it's hard to get in with them. You have to do a lot of networking.
You have to build a lot of trust before you can actually start working with them. And then for private organizations, they usually focus on a specific aspect, like audit, for example, or maybe they have a forensic service that does a specialty, like maybe memory analysis or something like that. So I tend to take a more generalized approach, because I'm going into a lot of different countries and doing digital forensics for them, or teaching on a lot of different topics to establish laboratories. If you want to travel around the world and do stuff like that and work on cases around the world, you can do it both ways: either be general and then train on general topics around the world, or specialize and then be a consultant and go into each country doing your specialization. There's no right answer. I think I would probably be more on the generalized side.

"Can you please share any internships for students and juniors in DFIR?" Yes. If you follow me on Twitter, DFIRScience on Twitter, any time I see internships or jobs, whether it's advanced or beginner, I always try to retweet them. So if you follow me on Twitter, that's where I see the most interesting jobs posted. LinkedIn also has some jobs posted, but I think there's a lot more on Twitter. So I would just say follow me on Twitter, and then if you email me, I can try to find you some specific stuff depending on your country and what you're interested in.

"Are you planning to make a series on registry forensics?" I would love to make a series on registry forensics. It's just about time. So if people are super interested... the video I made recently about registry forensics did pretty well, so I think the interest is there. I just have to get the time. That's it. Do you guys want to see more on registry forensics?

"Do you have any recommendations on certifications?"
Certifications are very tricky. There are some professional-level certifications that are interesting. It depends where you're at in your career, I think. So I think I will do a blog post on certifications, because it really depends on a lot of factors and what your goals are. So again, whether you want to be a generalist or specialize in something: there's some amazing malware analysis kind of certifications that you can get; generally there's some general investigation certifications; and then there's also some e-discovery stuff. So I'll probably do a blog post on that.

Yeah, so Jesse is working, so he doesn't have time for development. That's another thing to think about: a lot of these open source tools for digital investigators are made by digital investigators. So we basically have day jobs and then produce this stuff at night most of the time. So thank you so much, Jesse, for everything you do, and that whole community.

"Could you show how to add Autopsy modules from GitHub? If not today, maybe create a dedicated video for that, please." Yep, Ruck, I will keep that in mind. I'll make a note about it. And then what I really want to show is how to make your own modules in GitHub. That way you can do it.

"How often do you come across stuff to do with steganography in real life? A lot of CTFs focus on it." We did a study in Korea, actually. It was probably about seven years ago, and the cybercrime investigators in Korea were saying that steganography and anti-forensics, they were kind of grouped together, was about 7% of the time. That was seven years ago. So yeah, it's possibly there. The problem with it is it's really hard to detect. So how do you know? How do you know if you detected it?

"How would you acquire a burnt hard disk drive?"
I think it was Atola, so one of the companies that have given us a piece of hardware today; they have a case study on a burnt hard drive. Let me see if we can find it. I've worked with a couple of labs that had burnt hard drives come in, and that was a really interesting case. They did a paper on it in Japan, and they had a hard drive from a black box of a helicopter that went into the sea, and it was basically in the sea for a long time, so the salt water started to corrode the disks, and they were still able to get some data back from, obviously, a hard disk drive. Okay, this is the manual. I think it was on their blog. Okay, I don't know. I'll try to find it, but Atola is one of the companies that provided us some hardware today, and then there's also Digital Intelligence, and both of these have some pretty advanced tools for getting back data.

One thing that I worked on in UCD in Ireland was a spin stand. Not like that. Yeah, like this. Okay, so a spin stand is basically a piece of equipment, and you can kind of see, if I can zoom in maybe, you can see that there's this spindle, and you can put a disk on that and then try to read directly from the disk once you take the hard drive apart. So basically cleaning up the platters and then using a spin stand and trying to read the data out of it and then reconstruct from that. So that's one way to get data back. If the mechanism in the disk is broken and you only have part of a platter, this is basically how you're going to do it.

"Mentioned building labs in different countries. Have you ever done anything for the Philippines?" Yeah, in the Philippines we worked quite a lot with investigators. That was a grant through KOICA, which is a Korean organization. We worked with the cybercrime unit in the Philippines and tried to get them kitted up, and then we gave them quite a bit of education on new techniques. But the U.S.
was also funding the Philippines a lot, related to child exploitation investigations. So their lab, last time we saw it, I visited there, and their lab was getting to be pretty nice, actually. So they definitely have capacity, and now they have at least the equipment that they need. So yeah, the Philippines is doing pretty good. Better than 10 years ago, definitely.

"Please make some videos on email forensics." This is in the pipeline. "I've been trying the current Metaspike challenges." Me too. Oh man, I've been working on those, and it seems like there's a lot of structures to cover. Yep, you're probably talking about the MAPI question from last week. Yeah, there's so much to talk about with email forensics. I really want to do a series on it. Again, it's just time, but that's in the pipeline.

"Do you have any training on Metasploit?" Not really. I can basically use Metasploit, but I'm not a hacker. I can hack just enough to get into a system and then investigate it. So I've practiced; this is one way that I tried to learn how to practice digital forensics: use a framework and use a tutorial. Like, I have a book, well, it's a new book on ethical hacking, for example. So I read stuff like that and then I practice it on a system, and then after I practice, I try to take an image and then analyze that image to understand what that type of hacking kind of looks like, if that makes sense. So do I have training on Metasploit? There are better people to teach you Metasploit, I think. If you want to know how to investigate someone who's been hacked with Metasploit, that's more my area.

"Struggling to create a virtual lab." Wilton, I'll tell you, I've been wanting to make videos on creating a virtual lab for a while now, and I'm planning a video series on that one. So that and email forensics are definitely on my list, so those will be coming up soon.
Yep. A lot of people say build a virtual lab, but they don't necessarily say how, or what the best way is, or they say build a home lab. So the thing I'm going to try to do is teach everyone how to actually make a home lab. That way you can practice and then hopefully publish what you find, and then by publishing that, it looks really good on CVs, because people can actually see what you've done. So yeah.

"Any resources for Android and iOS practice data sets?" Yes, Josh Hickman has the best Android, and I think he has an iOS data set. So I'd say the Josh Hickman stuff right now, and what I'm trying to do with the DFIR community hardware fund is basically get more of those data sets. Josh Hickman quality is essentially what I'm looking for.

Okay, right, so thank you so much for the questions. I really didn't expect that many questions, but there's lots of different ways; some are better than others. "The issue with DFIR is all the data you need." Yeah, so even with digital forensics data, now we have the Digital Forensics Corpora, which has a lot of really interesting data in it. If you go through that and analyze everything, it's just huge. And then Josh Hickman's data for research, and then some laboratories are putting out data sets that are also interesting. And then I find there's a lot of network dumps with malicious activities also being released, mostly from CERTs these days. So the community is really starting to put out a lot more data sets that are interesting for research and learning, and we need to curate those.

Okay, right, so what I'm going to try to do... okay. "CSI Linux is a nice distro to get started, easy to set up." Yep. CSI Linux is nice, as well as Tsurugi Linux, which I've talked about on the channel before. Both of them are free Linux distributions. Actually, a lot of my investigations are done completely on Linux.
So some people think it's not practical, but you can absolutely use CSI or Tsurugi for those. I tend to go with Tsurugi because the authors are the original authors of DEFT Linux for investigators, and I was using DEFT for a very long time before, and then DEFT kind of got cancelled, and then some split off and made Tsurugi. And yeah, that's just my preference. Those are mostly investigators from Italy, and Italy is really interesting because they passed legislation, I don't know if it's been contested or not, but I think a while ago they passed legislation that said that all tools used in investigations must be auditable, which means that closed-source tools are not allowed in courts, which means they were kind of forced or preferred open-source tools. Right now a lot of countries don't necessarily have that standard, but Italy was one of the first ones, and then that prompted a lot of open-source development from Italy, and Tsurugi is kind of one of those.

Yeah, so Jesse says we have a lot of data and don't have a good place to store it yet. This is the problem, and how to go back and actually systematically use all of that data that's created. So I've been trying to scale back on some of the data that I'm using as well.

Oh, Zimmerman's tools now work on Linux. I was also, hopefully this will be later in the year, but I'm planning on doing a set on that. "Tsurugi OS is great. CSI Linux has some great tools in it as well." Yep.

And then, okay, all right, so feel free to keep the questions coming. What I'm going to do is get started on some of this hardware. So first off we have, I'll try to show this, this is one of the coolest things. I've had a lot of issues with M.2 drives, so Digital Intelligence provided the UltraBlock external write blockers.
I'm going to release a video about this very soon. I actually have the unboxing videos for each of these devices, so you can see what's actually in the kits in depth, and then I'll show how to actually use all of them. But one of the coolest adapters that I found was for the M.2. Basically my M.2, like my suspect disk, my suspect disk is here, and then this adapter essentially turns it into a normal SATA disk. Okay, it's hard to see, but in the tutorial video I'll make it easier to see. So the idea behind this is we need to be able to image these M.2 devices, so they have this little adapter, and I just thought it was awesome. So it comes in a little case. You put the case on, and then it basically looks like a normal SATA drive, and then you can image from it, and your disk is protected. Okay.

Yep, SIFT. CAINE is mostly used actually in the UK. We used it in the Ireland lab. And then I've never used REMnux, but I've used SIFT, I've used CAINE, CSI, and Tsurugi. Chins is volunteering for CSI. Oh, that's really interesting. I didn't know they had volunteers. Cool. I might have to look that up.

Okay, so the idea behind this is, let's go ahead and try to get at least the external drive. So I'm going to go ahead and set up the external disk imager. Any more space? All right, so what we have here: basically, I have my external write blocker. This USB cable is going to my forensic workstation, and then I have a SATA connection to our converter, for our M.2 adapter here. So now whenever I turn the write blocker on, we should get, first off, write-block protection; that way my system cannot write anything to the suspect disk. And then my computer should be able to detect the disk just like a normal disk. So it will actually look like a normal disk from this side, except we cannot write to it.
So it'll be a read-only system. And then, yeah, so with these external write blockers, whenever you turn them on, if you get a pop-up that looks like a normal disk being connected to your system, that's totally normal. You treat it like a normal disk, except we'll try to image it. Okay, so I'm going to go ahead and turn it on. So you notice the first light that pops up after power is write block. You definitely want to be checking for that every single time. And then we have the host is detected and SATA detected, and then on my system, I'll switch this over. On my system, I have this folder that popped up because it understood whatever the file system was, so my system automatically mounted the drive. Now, if I try to, for example, write something, let's just go into a terminal. So if I try to write something to the disk, it just says it's a read-only file system. I didn't mount it in a special way; it's just auto-mounted, except it's only detected as read-only. Okay.

Now I'm going to open up Guymager, and then we have our... so our disk is sda. I used lsblk in Linux to be able to see that. This is our mount point that we just saw. Let me double-check that. Yeah, two five four three seven. Okay. Okay, so we want sda, and then we can just do acquire image now. I'm using Guymager for the imaging in Linux. If you're using, for example, we talked about CSI, Tsurugi, SANS SIFT, all of them have Guymager installed. It's a pretty quick imager. But really, the important thing here is that we're connected to the write blocker, our system was detected as read-only, and then with that adapter I'm able to image an M.2 device. Okay, let's do... I'll put it in home. Okay, click start.
Yes. We get an error message, because there's a 128 gig disk, but I don't have that much space left. So I'm probably not going to do everything, but it's not necessarily a problem as long as you have compressed images, because the compression will usually get you between, let's say, 25% off to 50% off, depending on how the compression is used.

"Have you ever experienced cosmic bit flips change the hash values in your image?" No. Once we've created images... cosmic bit flips are normally created during transmission, I think. Every time that I had an image come out where the hash value was weird, it was always because of the hardware. So I could always explain it with the hardware. I never have experienced cosmic bit flips. I thought that was more on the transmission side of things.

Now, that's actually a really important point. If you are imaging and you are not getting consistent hashes, like I've had some USB sticks that were just trash, but they're the suspect's USB sticks, so you have to image it. Every time I imaged the USB stick, I would verify, and the hash would always be different. Right, so then you have to explain that. Well, in that case, what apparently was going on with that particular USB stick is that the flash was being overly aggressive about garbage collection. So basically it would always wipe stuff. I don't know, it was the way that the flash worked that made the USB stick always have a different hash value. So a really weird situation. I've had it a couple of times, but not very often.

So yeah, if you are getting invalid hashes for your images, you have to be able to explain it. Now, what most people do is just reimage, rehash, and see what happens. And then if they get a consistent hash, then they're usually happy with that. If it keeps changing and you can't get a consistent hash, you have to investigate it. There has to be a reason for it.
It could be that your device is going bad. It could be the source device is going bad. It could be your destination device is going bad. What you'll see whenever I'm talking about, especially the Atola DiskSense, this device here, is that with the DiskSense and the TX1 you can check SMART on your source and destination drives, and with SMART you can kind of tell if your drives are about to go bad. So definitely check the SMART readout for all of the disks that you're looking at, including your destinations. That way, you know if you should retire them.

So everyone's a CSI person. Okay. "Are all of these open source?" CSI, I believe, is open source. Tsurugi is definitely open source. SANS SIFT, it uses open source tools. Yeah, okay.

Ah, okay. So FLARE and REMnux for reverse engineering. That makes sense. Like I said, I'm not really a reverse engineer that much.

"What model of write blocker supports the M.2?" So, Ruck, this is not the write blocker. This is an adapter. So this, let me zoom in, so this is an adapter for M.2. It's not the write blocker itself. So I connected the adapter to the write blocker. So this box here is the write blocker. This is the adapter, and this adapter comes in the UltraBlock kit. Let me get something real quick. They also have these adapters, which is basically a PCIe connection, so M.2 to PCIe. The little PCIe connector goes in the back here.
So these adapters are really awesome. One reason that I really like the Digital Intelligence UltraBlock kits, and I recommend them normally for small labs, is because they're very flexible. You're not always going to necessarily have an M.2 device; sometimes you're going to have just a normal, you know, even a SATA hard disk drive, or maybe an IDE hard disk drive. But with the kits you can at least have one adapter for devices that you might come in contact with, and for a small lab, having that flexibility is really important. Now, for bigger labs with more budget, you can get all sorts of adapters and connectors for those things, but yeah, usually for small labs I'm recommending kits and then custom-picking the adapters that you're most likely to use. So I really like that, and then I love this little adapter here. And that adapter can actually work with any of the devices, because it's just basically converting our M.2 drive into a normal SATA connection, so anything that can understand SATA can image it. So yep, if you use SATA, you can, normal SATA. Okay. "Looks like what he's doing." Yeah. Sorry, I'm just trying to catch up with the chat.

"Do I ever use RStudio to carve files?"
No. I can understand the reason that you would use RStudio to carve files if you're doing new and experimental ways, because RStudio is basically statistical software. So if you're doing statistical analysis over an image and then trying to carve files that way and you're trying new methods, then I would consider RStudio, just because of the amazing statistical packages that they have. But once I understood the statistics, I would get it into something a little bit more commercial, I guess. Most investigators can run a Python script, but very few investigators can probably put together an RStudio package, get everything they need, and then run it. So I would try to make it as easy as possible. Once I understood what data structures I was carving out, then I would try to replicate that in something like Python, or maybe just make an executable out of it. Yep.

So, "How to connect the NVMe SSD hard drive?" Digital Intelligence, in the UltraBlock kit, they have an adapter for it, and then it converts it to, I think they have one that's a SAS connection and maybe one for ePCIe or PCIe. So I would go check out their adapters. I don't know of any write blockers or imaging devices that take it directly, but yeah, I would look at their adapters on Digital Intelligence.

"Which USB drive was that?" I don't know which USB drive you're talking about.

"What's a good way to start learning digital forensics?"
Like in most of the videos that I produce, I give links to the software that I'm talking about, and then I try to give links to a data set. Download the software, download the data set, and then just explore. One of the best ways to quickly learn is to analyze your own systems, because you already know what your system should look like. Take an image of your disk, process that image, and then you'll start to find things and say, oh, okay, if I do this thing, then this is here. And then once you kind of have an idea of how your own system is working, and some basic investigation skills, then you can move to building your own kind of labs: getting a virtual machine, doing something, imaging it, and then testing that thing, and then basically doing that process. Make sure you document all of that and then publish it so everyone else can see it too. But that's one of the best ways to learn: you just got to start practicing. CTFs are also quite good. A lot of the CTFs I've seen are fairly well done, at least for the basic concepts. So try some CTFs.

"CAINE has built-in software write blocking." Yes. So does Tsurugi, and I'm sure CSI does too. Built-in software write blocking is fine, but hardware write blocking is better. It's very difficult to just make a categorical statement like that, but if I can write block even before I hit the computer, then I don't have to worry about it. So with CAINE, with Tsurugi, they're trying to do write blocking at the kernel level, which is a very low level, but what happens before that, right? So really what it comes down to is what's the court going to question. So if you have a really good lawyer and they came in and said, "Are you sure the disk wasn't written to before your write blocking kicked in?"
Well, with software you're not really sure. It would be hard to answer, and you would have to do a lot of testing and prove that you've tested to do that. With hardware write blockers, as long as you're testing that your write blocker is working, so every so often, whatever your standard procedure is, then you can say, yeah, I used an external hardware write blocker. I know it doesn't do that, and the computer doesn't matter, because it's already write blocked before it gets there. So write blocking is partially a court question, right? So what will the court question you on, and how strict will the lawyer be that's questioning you? Now, lucky for us, most lawyers don't know what to question yet. So you're probably not going to get that for a while. But if it ever comes up and you say, "I don't know," then there goes your entire case, and possibly even older cases that you had. So better to be safe.

T35u? Yeah, I think that's the T35u. Yep, this one is the SATA/IDE bridge. They also let me borrow PCIe and USB. Yeah, they look exactly the same, just PCIe and USB. "Paladin for imaging is great." Yep, I agree. Sorry, I'm going through; there were quite a few chats and I'm trying to catch up. If I missed you, I'm sorry about that. Yep, 13Cubed has some amazing videos for artifacts too. Yeah, 13Cubed is awesome. They're also on YouTube. If you haven't seen them, go check them out.

"How to make an image? Which software do you use for imaging it?" So right now the image that I'm working on: we're connected, our M.2 suspect disk into a converter for M.2 to SAS, SATA connection to the external write blocker, and then the write blocker's turned on. You can see the activity light here. We have a blue cable going to our forensic workstation, and then on screen I'm making an image with Guymager. And if you didn't see me hook up the write blocker, basically I can't write any data to the write blocker. That's about it. Okay, so right now
I'm using Guymager on Linux. So if you're using CSI Linux, Tsurugi, SIFT, you should be able to use Guymager. It doesn't work for Windows, unfortunately. On Windows I would probably be using something like Magnet Acquire or FTK Imager. Yeah, I would probably stick to those.

"Solution for TPM encrypted drives, what to do?" Thanks, how do you say it, Geo? Thanks for the difficult question. TPM encrypted drives: basically the TPM is a hardware module on the computer itself that's used to do the encryption of your disk. So if you remove the disk from the hardware, then you no longer have access to the keys. So imaging it is pointless, because you just won't be able to get it back. Really the only thing you can do is image from the suspect drive, or from the suspect system itself, and ideally in a live environment, then make a logical image or possibly a live physical image, but basically a live logical image if you can. So if you suspect TPM, which is happening a lot these days, if you can get the system in a live environment, and if there's some type of encryption like BitLocker, then try to make a live logical image. That's what I would say. That'll save you so much, because trying to do it any other way is going to be nasty.

Jesse has a Discord community also. Check out the Digital Forensics Discord community. I will try to put a link there. And I'm running out of space, so I'm going to close this. The Digital Forensics Discord community is an awesome resource. There's a lot of digital forensic investigators in there that can answer all sorts of questions. We're also in there.

"FTK Imager is king. Make sure you get the newer versions, because they did have a huge speed increase recently." "Where to learn the basics of chip-off forensics?" Oof.
That's really difficult. It is very specialized, and you do need some special equipment to do it. You can just try removing chips from old phones to get down taking off a chip without damaging it. But then the second part of that is actually reading data from the chip once you do chip-off, for memory or phone analysis. So chip-off, yeah, it's super specialized. If you have some old phones that you can get access to, practice removing the chips, basically with a heat gun, and then hopefully, if you can get it to the point where you don't burn up the chips whenever you take them off, then you can try getting some data off of them. But it's a process; it's really difficult to learn on your own. Yeah, there's no room to mess up with chip-off.

Yeah, Lucas has a good point: if you're talking about a corporate environment and you want to acquire a disk from your domain, you can set up Active Directory to store recovery keys for BitLocker. That's if you control it. I was assuming, again, kind of from the criminal investigation side: I would get a laptop from a suspect, and if they have BitLocker encryption on, then what do you do? But if you control the environment, yeah, you have a lot more options than that.

Jessica Hyde's been doing some amazing work actually for Chromebooks. If you haven't seen Jessica Hyde's Chromebook stuff, I think there's a lot posted on Magnet Forensics about Chromebook analysis. You can find her on Twitter; amazing follow.

Any tools for remote forensic imaging acquisition, and free tools? Oof, rock with the hard questions. What I will show, because we need to talk about it, is that both the TX1, which is this, and the Atola DiskSense have the ability to save your images not only to a local disk, like cloning, but also to a local image on a destination drive, and to remote sources. So if you have a NAS set up, they can both save the image to a NAS. Now...
I know what you're asking is: you have remote systems on a corporate network and you want to image them. There are a couple of tools. I would probably recommend Veloxity... I need to go find it. Oh, I could never remember their name. SANS just did, I think, a webinar; I just can't remember the name right now. Heavy metri from Shats in Australia is really interesting; they've got some really good stuff going on, but it's not what I was thinking of. So I'll try to find the link and post it later. F-Secure is good, but they're not the ones I was thinking of either.

For lock screens on Windows, the thing that I used the most actually was, whenever laptops had FireWire, you could get direct memory access and then use a direct memory access attack to unlock the screens. So when systems had FireWire, it was an amazing time to be an investigator, because lock screens didn't matter at all. You could totally get passwords, you could unlock, you could control a lot of stuff, you could even take memory images through FireWire. So I really wish... I don't know. I'm happy we don't have it anymore, because it's a huge security risk, but it was a good time, let's say. I haven't used Bash Bunny for it.

Some countries will cause the data to be useless for investigations. That's true: if you use hacking tools, depending on your court and your local jurisdiction, it can be an issue. But that's also why FireWire was so nice, because you could basically make a RAM dump, which is acceptable, parse out the RAM dump, and then get the user's password for the login. So that was a good time.

Thank you, Jesse, for posting the Discord link. I hope that's the right one for the Digital Forensics community.

What do you think about Passware? Passware is excellent, and I'm pretty sure Digital Intelligence just partnered with Passware.

Okay, I just can't find anything I'm looking for now. Jesse also posted his own Discord address.
I don't have Discord; I do everything on the DFIR community Discord app. So follow DFIR community, and then I will post everything there.

Okay, so next we're going to look at the TX1. I just want to show you the interface. Okay, so on the TX1 you can kind of see the interface. I'm not sure if you're going to be able to see this; again, I'm going to make a video about this, so you'll pretty much see something similar later. But it is a touchscreen interface. On the right-hand side is your destination disk; on the left-hand side is your source disk, the target or the suspect's disk. And from the interface we can do a couple of things. First is Duplicate. Next is Local File Acquisition, if you have specific files you want. What's super interesting about the local file acquisition is that you can actually set up keywords, and then it will go through and search based on keywords or some file properties and then image those directly. Next we have... oh, sorry, we have Verification based on the acquisition report: we can verify the data we've collected. After that we have Hashing. And then we have Browse, if we want to browse files on the source or destination. And then Restore, if we want to write an image back to the hard drive.

Okay, so the idea behind this is fairly simple. First we need to initialize the drive. So again, on the right-hand side as you're looking at it, these are all not write-protected disks; they are destination disks that you can write data to. On the other side, they're all write-protected and you cannot write any data to them. First we need to initialize the disk, so I'll go through that process now. We can click on Destinations. I'll try to move this over.
We can click on Destinations, click the disk we want to initialize, and then we can wipe it, format it, and also check SMART so we can see if the disk is actually going bad. So I'm going to format. We can format to exFAT, NTFS, ext4, FAT, or HFS+. We'll just do exFAT for now. So now I'm formatting the destination disk. Okay, so that's done. You check the log just to make sure everything's okay.

Now we want to duplicate, and I need to choose a source. And the awesome thing, one of the coolest things about the TX1: at the very top you can see these kind of circular arrows, and that is Automate, automating the acquisition. So if you turn that on, you can specify a destination location; that could be, for example, your NAS, or it could be a very big disk, and then any sources that you plug in after that will be automatically imaged to whatever your destination is. So if you do plug this into network-attached storage, you can basically just image all day long, two sources at a time, plus, I think, a USB source, PCIe and IDE. So the automatic imaging feature is really nice. If you have a bunch of hard drives that you need to go through, basically you can set up all of your imaging, go take some hard drives from additional laptops while you're doing that, the imaging is just automatically running, whenever they're finished remove that one, and then plug in another one and away it will go.

We're asking which hardware is that: this is the Tableau TX1 from Digital Intelligence. Let's see if I missed anything.

Where to buy the equipment I use, how much does it cost, write blocker, place in the link? Yep. So actually, below the YouTube video, I have where everything comes from. The cost really depends on the accessories that you get; like, if you get the PCIe adapters or the M.2 adapters, those are going to cost a little bit more. Every lab has different requirements, so get it based on your requirements. The one that we're talking about now is the TX1.
This is a self-contained forensic imager. So before, if I'm dealing with the external write blocker, I connect this to my forensic workstation and my forensic workstation does all the imaging; this just write blocks. The TX1 has write blocking built in on the left-hand side, and then destinations on the right-hand side, and it's a completely self-contained computer. I think it's running some type of Linux. So you don't need to bring your forensic workstation if you're just doing imaging tasks. Yeah, so I recommend the auto-imaging feature; it'll help you burn through those disks really quickly.

Okay, so let's go ahead and start one. Okay, so since there are only two disks, one source and one destination, it automatically detected all the settings. All I had to do was click Start. Like I said, though, if I was using this in the lab and I had a lot of systems come in, I would set up automation and then just automatically image all those things. So it's going now. The interesting thing about these disks: I specifically chose disks that are going bad, both for the source and the destination. So I expect it to take longer, because these are almost dead, right? I wanted to give it a challenge. So we'll see how long it takes. And it already says errors encountered on it. Let me see if I can move that up a little bit so you can see a little bit better. But basically there's a red message here that says errors encountered on the disk, because those disks are dead, like, they're having trouble, but it hasn't given up yet. That's something you can also set: how many times it retries on busted disks. So we'll see. It already encountered errors, so we'll see how that goes.

Okay. Zimmerman's tools. Zimmerman's tools are great. If you can support Zimmerman, do; just amazing, the work that he's doing.

Lucas, thank you for coming.
Thank you so much for coming.

For remote acquisition, it wasn't F-Response. F-Response is very good, but there is another tool; I just cannot think of it. I'll post it as a community post on YouTube if I can find the links, and I'll try to post all the links we're talking about, actually, as a community post.

Can you discuss offsets of file systems, where it was mounted before, and recommend any book about HFS+ forensics? Whoo. So, offsets of file systems, where it was mounted before. So on your disk... I'm gonna make a really bad drawing. So if you have a disk, then basically, depending on what you're...

The question was, are you making a backup or a copy? In this case, we're making an image to our destination drive. So this destination drive, we already formatted it exFAT, and then the system automatically creates a folder with some naming structure that we've preset, and then makes a disk image. And we are imaging to Ex01, which is the newer EnCase format, or the EnCase Expert Witness Format file type. So it basically supports the Ex01 type, the newer type, and then the E01 type, DD and DMG. So those are the types of images that you can create. So from our source drive, our suspect disk on the left-hand side, we're copying all of the data from the beginning to the end of the disk and then saving it into an image file on our destination drive. Sorry, that wasn't clear.

Okay, so, discuss offsets of file systems. So the idea is you have your physical disk, and then you create a partition, right? And the partition can actually be located anywhere and it can be any size, right? So you might have a partition at the beginning, and then let's say you have some space, and you have another partition that takes the rest of the space. Well, whenever you make these partitions...
So this is our partition one; this is our partition two. When you make these partitions, because they can be located anywhere, you also have some extra space in between. Not always, but many times you do. And this extra space is slack space, and you can still write data into this slack space. It just won't necessarily have a pointer to it, but I can save data in there, and if I know how to find it, I can go find it again later.

So he's asking about the offsets of file systems. Whenever you have a partition, after you create a partition, the next thing we tend to do is put a file system on top of the partition. So let's say that this is, I don't know, an NTFS file system, right? So the offsets of the file system depend on the offsets of the partition. Right now things can get a little bit tricky, because you can be very flexible in the way you partition disks, and now we also have some cloud disks, or we have things like RAID, where we're joining physical devices together to kind of make a virtual device and then putting a file system on top of that. So there are a lot of different ways that a disk can be partitioned, and that all has to do with where the offsets are located. So really I would be looking at the partition, and then as soon as you see the partition, you're pretty much going to see the file system directly on top of that, if it's formatted with a file system. But there are a lot of gotchas there. That's basically how it works.

Okay. What do you think of PC-3000? PC-3000 is awesome. If you're doing anything with low-level disk recovery, it's pretty amazing.
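The partition and file system offsets described above, as an added example that is not part of the stream or of any tool mentioned in it: a small Python parser for a classic MBR partition table that computes the byte offset where each partition starts, identifies the file system from the boot sector found at that offset, lists the unallocated space between partitions, and shows that data written into such a gap is still readable from a physical image by offset. The disk image, its two partitions and the marker string are constructed for the example.

```python
import struct

SECTOR = 512            # bytes per logical sector (use the disk's own value)
MBR_TABLE = 0x1BE       # offset of the four 16-byte partition entries
MBR_SIG = b"\x55\xAA"   # boot signature at bytes 510..511


def parse_mbr(mbr: bytes):
    """Return the non-empty MBR partition entries, each with the byte offset at
    which the partition, and so the file system written onto it, begins."""
    if len(mbr) < SECTOR or mbr[0x1FE:0x200] != MBR_SIG:
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE + 16 * i: MBR_TABLE + 16 * (i + 1)]
        # status, 3 CHS bytes (ignored), type, 3 CHS bytes (ignored), LBA start, sector count
        status, ptype, start_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or sectors == 0:
            continue
        parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                      "start_lba": start_lba, "sectors": sectors,
                      "byte_offset": start_lba * SECTOR})
    return sorted(parts, key=lambda p: p["start_lba"])


def unallocated_ranges(parts, total_sectors):
    """Sector ranges (start, count) that no partition covers: the space after
    the MBR and any gap left between or after partitions."""
    ranges, cursor = [], 1          # sector 0 holds the MBR itself
    for p in parts:
        if p["start_lba"] > cursor:
            ranges.append((cursor, p["start_lba"] - cursor))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors - cursor))
    return ranges


def identify_filesystem(image: bytes, byte_offset: int) -> str:
    """Inspect the boot sector that sits at the partition's own byte offset."""
    bs = image[byte_offset: byte_offset + SECTOR]
    if bs[3:11] == b"NTFS    ":
        return "NTFS"
    if bs[0x36:0x3E] in (b"FAT12   ", b"FAT16   ") or bs[0x52:0x5A] == b"FAT32   ":
        return "FAT"
    return "unknown"


def layout_report(image: bytes, total_sectors: int):
    """Partition table plus the file system found at each partition offset."""
    parts = parse_mbr(image[:SECTOR])
    for p in parts:
        p["filesystem"] = identify_filesystem(image, p["byte_offset"])
    return {"partitions": parts, "unallocated": unallocated_ranges(parts, total_sectors)}


def find_in_unallocated(image: bytes, ranges, needle: bytes):
    """Search only the unallocated ranges for a byte string; returns
    (byte_offset, sector) or None. No file system points at such data, but a
    physical image still contains it and it is reachable by offset."""
    for start, count in ranges:
        lo, hi = start * SECTOR, (start + count) * SECTOR
        pos = image.find(needle, lo, hi)
        if pos != -1:
            return pos, pos // SECTOR
    return None


def build_sample_image():
    """Constructed sample, not a real capture: a 512-sector disk with an
    NTFS-style partition at LBA 64 (128 sectors), a 64-sector gap, then a
    FAT32-style partition at LBA 256 filling the rest, and a marker in the gap."""
    total = 512
    img = bytearray(total * SECTOR)

    def entry(bootable, ptype, start, count):
        return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0" * 3,
                           ptype, b"\0" * 3, start, count)

    img[MBR_TABLE:MBR_TABLE + 16] = entry(True, 0x07, 64, 128)        # type 0x07: NTFS
    img[MBR_TABLE + 16:MBR_TABLE + 32] = entry(False, 0x0C, 256, 256)  # type 0x0C: FAT32 LBA
    img[0x1FE:0x200] = MBR_SIG
    p1 = 64 * SECTOR                      # NTFS boot sector: jump + "NTFS    " OEM id
    img[p1:p1 + 11] = b"\xEB\x52\x90NTFS    "
    img[p1 + 0x1FE:p1 + 0x200] = MBR_SIG
    p2 = 256 * SECTOR                     # FAT32 boot sector: type string at 0x52
    img[p2:p2 + 3] = b"\xEB\x58\x90"
    img[p2 + 0x52:p2 + 0x5A] = b"FAT32   "
    img[p2 + 0x1FE:p2 + 0x200] = MBR_SIG
    gap = 200 * SECTOR                    # inside the gap between the two partitions
    marker = b"constructed marker in unallocated gap"
    img[gap:gap + len(marker)] = marker
    return bytes(img), total


if __name__ == "__main__":
    image, total = build_sample_image()
    report = layout_report(image, total)
    for p in report["partitions"]:
        print(f"partition {p['index']}: LBA {p['start_lba']} -> byte offset "
              f"{p['byte_offset']} ({p['sectors']} sectors) {p['filesystem']}")
    print("unallocated:", report["unallocated"])
    print("marker at:", find_in_unallocated(image, report["unallocated"], b"constructed marker"))
```

On a real image the same parser applies to the first 512 bytes of the physical acquisition; GPT disks and RAID or cloud volumes need a different table parser, which is the "gotcha" the stream mentions.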
That being said, the Atola device that we have here, the DiskSense... now it's too close, but basically this DiskSense device can do quite a few things that the PC-3000 can do. PC-3000 was very nice whenever I used it, and I'm sure it's just gotten better over the years, but I was really surprised at how much the DiskSense could do with the PC-3000 kind of recovery stuff. And with DiskSense you also get imaging and quite a few other utilities that you don't really get with PC-3000. So, something to think about. I don't know, like, they're both awesome tools. That's all I can say.

Money Heist. You guys have so many good TV series to watch that I've never heard of, and I'm like, I need to watch them, but I also need to make more videos. So what I want is to watch them while I'm making videos.

Okay, all right. What we're gonna do is... give me one second; try not to make the same mistake as last time. I have another quiz for you. This one is really open source intelligence, so get your investigation ready. And for this one, the winner gets a $50 coupon to Magnet Forensics' online shop, so you can get something at their shop. $50 coupon. All right, so let's go ahead and try to join, and then we will give away some Magnet Forensics swag. Okay, while you guys are joining, I will be right back. Oh, got coffee. Five people joined so far. Six. Oh, let's see if we can get a couple more. Eight. Yeah.

So this one is going to be specifically about Digital Intelligence. They're the company that, like I said, let us borrow the TX1 and the UltraBlock kits. So I really appreciate them letting us see it.
I thought it would be a good idea, again, since a lot of people just don't have direct access to this hardware. Like, whenever I was studying, it would have been really cool to be able to see it. So we'll see how that goes. One second. Nine people joined. My computer is dying. All right, we've got 11. I think that's probably gonna do. Let's go ahead, and remember, this one is about open source intelligence about Digital Intelligence, the company. So have a look, make sure you have a browser open so you can do some OSINT, and for this one the top prize is the $50 gift certificate to the Magnet Forensics shop. So be ready, and we're gonna start in just a second.

Okay, and remember there is a lag between the time that I talk and the time that you guys hear the audio. So make sure you're just watching your screen and not trying to listen for me to say start; otherwise you'll have some issues. Okay.

All right, so we're gonna go soon. I'm pretty curious how people are gonna do on this. I mean... Oh, Wisconsin, you guys got it. Yeah, amazing. So Wisconsin: if you went to their About page, it was basically in there. Oh, Derek, so quick. Next. I hope 60 seconds was enough. If you guys got the first one, probably this one will be easy. Oh yeah, okay. So Digital Intelligence, founded 1999. Amazingly, I learned about them in 2003, then our lab got equipment from them in, I think it was around 2006 or 2007. So yeah, quite a while ago. They've been around for a long time, and actually, even now, whenever I go into most criminal investigation labs, I still see their equipment as kind of the primary equipment that most investigators use. So, very popular. Oh, Derek. Oh, who got knocked out? JB. But Jersey came up, Nico came up. Oh, ho, ho.
It's a close one. All right. So this question: if you ask an investigator what forensic workstation they want, they'll usually give you this answer. And the TX1 is not technically a forensic workstation; it's just a forensic imager. But they have a special forensic workstation that's specially custom built, basically with a write blocker, kind of like these external write blockers that we've been looking at today. They have a built-in write-blocking system directly in a bay, and then they also have the ability to swap out drives. So they're very handy for investigators. Oh yeah, most people got it. Nice.

How is the evil computer from Space Odyssey? How is... yeah. Someone's like, I want it to be HAL. Okay.

So, Slides is nice, very cool for online class assessment. Yeah, it's pretty nice. A little bit expensive for a year's license, but yeah, I like it, because people can join. There are a couple of other game sites that are like that, but this is the only one that I could find for slides. So yeah, I'm glad you like it.

And then, yeah, the answer was FRED. So a lot of investigators, if they're asking for a FRED, it's basically the Digital Intelligence forensic workstation that's specifically designed for forensics. They also have a lot of back-end server stuff, like high-performance computing for storing your images, and then cluster-based processing and stuff. They just have a ton of hardware-based stuff. So Digital Intelligence is a really good company.

Derek again. I hope Derek isn't from Digital Intelligence. Maybe I should have checked that; like, maybe the CEO is Derek, saying, "yeah, I know these answers." Yeah, Derek, if you're the CEO, we'll talk. Jersey and Nico still okay. One last question. This is for all the bananas. UltraBlock. Okay.
Yep. So everyone got it, and that's... the UltraBlock is actually what we were looking at here. So this device is from Digital Intelligence. It's their UltraBlock, and specifically the UltraBlock 2 to USB. Okay. Oof, Nico, you almost got it. Derek is the man. There you go. So Derek, you just won a $50 coupon. The last question froze. Had to... oh, Nico. So Derek, a $50 coupon for the Magnet Forensics shop. I will be emailing you; hopefully you put in the right email, and then we'll get that over to you as soon as possible. Let me make a note.

We had a question come in. So thanks, everyone, for playing. That was about Digital Intelligence again. They let us borrow this equipment today, so thank you so much, Digital Intelligence, for letting us learn more about hardware. Honestly, that was really the whole point. The sparklers look great, but my computer's dying. So come on, let's move back over here.

Oh, I got stumped from the price. Don't worry, we have one more quiz coming up, so another chance to win another $50 coupon for Magnet Forensics. So if you couldn't join last time, or, like you said, if the last question said "time's up" or something like that, just hold on and we'll have another one. Always the bridesmaid, never the bride. Okay, the last question froze on me. Sorry about that.

Okay, we also had another question come in: what do you think the best skills in DFIR are, and what do you think the challenges in this field are in the next 10 years? Do we need to prepare for encrypted and useless data? Thank you again. Encrypted and useless data: like, encryption has been steadily increasing anyway for the past 10 years. So, am I really worried about encryption in the future? Not so much. Every country kind of has a different strategy. Europe as a whole seems to be going in the direction of... Europe tends to be more privacy focused anyway.
So Europe knows encryption is coming, and the response is helping investigators be able to crack the encryption. So not necessarily building backdoors in, but like, you get a laptop, it's encrypted; how can the investigator actually get access to that data? That tends to be Europe's stance, and I'm working with a group called ECTEG. They are one of the main European training groups for law enforcement. You can find them at ecteg.eu, the European Cybercrime Training and Education Group. This group is awesome, and basically everyone there loves open source software. They love security, but they're also law enforcement, so they know kind of the trade-off between security and accessibility. So this is a great group if you are law enforcement, especially if you're from Europe. Definitely start working with ECTEG. They're doing some amazing stuff. Their focus is more on accepting that encryption is going to be a part of life and then kitting out investigators with the ability to actually break that encryption if they need to.

Other approaches are like building backdoors into encryption, or mandating that companies put backdoors in. So, for example, Australia had some very controversial legislation about putting backdoors in and giving access to keys and things like that. It's not usually a good idea. Like, I understand where they're coming from; you know, I work on child exploitation cases myself, so I understand the desire to want full access to all that data, but it's just so easily abused. So it's a very fine line whenever you're talking about encryption, and I think ECTEG's stance is a good stance to have.

So do I think that encrypted data is going to be useless in the future? Like, we're already there for encrypted data. I don't think it's going to be any more useless than before. A lot more things are going to the cloud.
So being able to access cloud data actually helps us in the encryption department, because if you have a locally encrypted disk but all your data is backed up in the cloud, well, now you can actually request the cloud service provider to give you the data. So you can kind of bypass encryption that way. So I don't necessarily see it as a huge problem in the next 10 years.

Oh, it's so difficult. Like, mobile devices and embedded devices are hitting right now, and for digital forensic investigators in the criminal investigation space, embedded devices are going to be a huge thing to deal with, and a lot of labs aren't kitted out for embedded investigations. That's why the Chromebook analysis stuff is so amazing, because it's a weird device that we're going to start seeing a lot more of. There's also kind of atomic computing, and that can have some implications for digital investigations.

If you're talking about incident response, for attack and defense, artificial intelligence is going to be a lot more of a thing. So, you know, those William Gibson novels about the artificial intelligences that basically do all the attack and defense against each other? That is coming in the next 10 years. Like, it's already kind of started, but it's really going to be advanced in the next 10 years. So for incident response, we're going to see a lot more in terms of AI kind of dominating everything. Read William Gibson; that's all I can say, and you'll kind of have an idea of the next 10 years for incident response.

For digital investigators, in 10 years we're still going to have embedded devices, kind of like phones, and that's really going to be digital investigators' main focus. Corporate laptops and things like that, that's still going to be around.
So I don't see a lot changing, just the way we work. Microsoft does have a kind of interesting stance now: new versions of Microsoft Windows Professional are going to require an online account. So as Microsoft makes everything an online service, a lot of the data that we're looking at is going to also migrate to cloud services. So that's something to think about, or look forward to, in the next few years. We'll see how that works out. I think a lot of people might switch over to Linux finally, but we'll see.

Can you make an image with block writes, or make a one-to-one sector-to-sector copy? Yeah, you can do cloning. Not with the external blockers like this one, but you can do cloning with the TX1, disk to disk, and also with the Atola DiskSense 2. Yep. So you can do cloning to another disk.

Hello, Hider.

Can you also share simple images, disk and mobile, that are available for practice? Yep. On all of the videos that I talk about, I try to link to a data source that you can practice with. I would also recommend, for example for Android, you can't really do any better than Josh Hickman, The Binary Hick, and the Android images. So thebinaryhick.blog, and he posts just amazing stuff constantly. He is, I believe, a police officer; I think he's a local police officer, just doing some amazing stuff. I don't think he's FBI, but anyway, amazing work and amazing data sets to practice with. And then on all the videos that I do, like I said, I try to post links to everything. So if you watch a video of mine, just go below where the description is; usually, underneath the times of everything, I'll have a links section, and then I try to put data sources, digital resources, there. Okay.

All right, so next what we're gonna do is set up the DiskSense, and then I'll try to show you, if I can, the Atola Insight software.
So one second. Magnet user summit CTF: Magnet actually does quite a few. Magnet and Cellebrite both do CTFs quite often at their user summits, or, yeah, just CTFs constantly, and then they are releasing data sets that are usually, like, super advanced. So you can use them not only for the CTF but also to practice on, and, yeah, Magnet and Cellebrite both come up with a lot of really interesting stuff. And then you usually get, like he says, the 30-day licenses.

Okay, so what we're seeing now is the Atola Technology DiskSense 2. It has all these cables coming out, so basically you can have three sources and three destinations at the same time. And then the DiskSense hardware works with the Atola Insight software. So I need to boot up my virtual machine, and that's probably going to kill my system, so we'll see if this even works. It just shut off immediately. You know, I've crashed.

Jessica Hyde's working on the images now for the next Magnet CTF, where she does all of them. I mean, she does amazing work. Is she still working on the images?

All right, so with the DiskSense on, I'll show you the side. So with the DiskSense it's set up pretty much the same way. On the right-hand side, if it's facing towards you, that is the destination port, and it's not write protected. On the left-hand side, if the LEDs are facing towards you, then that is the source port, and it is write protected. You can toggle write protection with a little switch here. If this green light is on, then write protection, you know, is enabled. Along with the three SATA connectors there, they also have a connector for IDE using a USB-C cable. Okay, on the back they have two ports: one port for a USB source and one port for a USB target. And then they also have two network cards.
I have one network card connected in the back, with a yellow cable coming out of the back, and that is connected directly to my forensic workstation. And then that allows you to basically save the images directly onto your forensic workstation instead of saving them to a destination drive. So we'll see how that works in a second, once I get booted, but I can tell you it's super slow and my CPU is like, what are you doing today? So we'll see how this works.

Unfortunately, Atola Insight does not work for... the Insight software doesn't work for Linux, or, I don't think they have a macOS version; only Windows. So that stinks, but the software and the hardware are just amazing, so I will boot up into a virtual machine for it. So I have my forensic workstation, and whenever you're booting up, you do need a network connection. Once this loads, with the network connection, I can show you, but basically you need to give one network card a static IP address in the 192.168.0 range. And if you are using... like, if you're on another network, like a 10.0.0.0 network... or I don't think they have a 172; I think it's just 192.168.0 or 10.0.0.0. They have a static IP address set. So if you use those address ranges for your internal network, you might have some conflicts in the way that it's detected. They do include, basically, a USB-to-RJ45 network adapter, so you can connect it directly to your forensic workstation. I already had one, but you can also put it on your main network. And then once it's detected, you need to register it. And I have a video that'll come out soon about how to register the Insight software, and then it will put a license on the actual DiskSense 2 hardware. So then you can actually move the DiskSense 2 around to different workstations, and you don't have to license each workstation; it's licensed by the DiskSense hardware. So I just double-clicked on it.
It's now looking for the DiskSense 2 on the network, and then it's going to be super slow because of my system, not because of the software. While it's loading up: usually this just literally took two seconds, but my system really doesn't like streaming at the same time as a virtual machine.

Right, so you can see that with the DiskSense I have connected, we have three SATA targets on the back; I've connected one of them. Basically, just like with the TX1, I have one source, the source is write blocked, the destination is not, and then I have a connection to my forensic workstation, and then we use the Insight forensic software to control it and be able to do a lot of different features with the device. I think probably the worst thing about it is that... actually, that's not true. I was about to say the worst thing about it is that you definitely have to connect it to your forensic workstation, but on the back it does have a VGA connection and USB ports, so you could potentially plug in a monitor and a keyboard and then interact with the system that way. So it could be completely self-contained, but I actually didn't think of that until now, so I haven't tried it yet. So yeah, maybe that's what I should do next.

So first you need to identify a device. Basically, whenever you plug something in, it's not going to power the device on automatically. So you need to identify, and it'll power on source and destination devices and then try to, what they call, identify them. Okay, so we can see that our Samsung source device was detected. So we can add some extra information now, like our case number. I've already added this source, so the case number was already selected. But from my forensic workstation I can now attach files and things like that, and I can start to do different diagnostics. For example, from the source disk, the only thing I really do, because I don't want to interact with the disk very much, is view SMART. And SMART is going to tell me if the disk is likely to go bad.
So if I have some fails, basically, in SMART, then I know there are some problems. So this disk looks not great, for example. Something to consider: this device might go bad while I'm imaging. So I would just basically record SMART, and that's all I would do with the suspect disk. So you can do media scans, you can do automatic checkups, all of those things, but I try not to interact with the suspect disk unless I absolutely have to, except for SMART, to figure out what the situation is. Okay, so under Home, we are... yeah, under Imaging, sorry, we can create a new session. Insight is a little bit interesting because they have each of the sources, and you deal with each of the sources individually. Let me connect another source so you can see what I'm talking about. So whatever source is expanded is the source that you're working on, essentially. Let's give it a second. So now we've connected a second source. You can see that source two has been expanded, and source one kind of shrank back down. And then if I click on source one, I get the new options menu. So don't get confused about which source you're on: whatever is expanded is your current working source, even if this area doesn't really change. So let's go ahead and select Imaging. I'm going to create a new session. We've already seen that disk before, which is why they had some statistics there. And then I have one target set up, so it did detect my target disk. If I just select the target disk, then it will do a clone, so basically block-by-block, bit-by-bit writing from the source to the destination. If I want to create an image, then we can either do "create an image file," and an image will be created on my forensic workstation, or I can "create image file on target," and then it will create an image file on our target disk.
I don't really know why, but cloning seems to be their default situation. What I want to do is create an image file on the target, because I already have this target created and I've already made this image. Let's see if I can add it. Okay, so now I've created a new image location on our target, our destination disk, and then the image location shows up as the target device. Right, so that clicks select. Okay, so now we have an image on our target that shows up as a device, and then on our source we need to say what we want to image. You can say all sectors, which is most likely what you're going to do, or you can specify custom if you're doing an advanced job and you don't want to get everything, or all available heads. Probably what you'll change more than anything are these presets. We can show settings, and this is where you set up your hash types, how you want to hash, your segment sizes, how you want to handle errors; so you can completely customize your error handling. Miscellaneous is pretty interesting. I usually power down the source when I'm done. And then artifacts: while you're imaging, Forensic Insight, or basically the imager, will try to analyze, or can try to analyze, the data stream. So if you've ever used bulk_extractor, it's kind of the same idea. I think it actually probably is using bulk_extractor. So it's going through and analyzing data from your stream, and afterwards you get this report about what was in the stream. So it's kind of like doing your processing while you're doing your imaging, and it's a really fast way to get a jump start on your investigation. Okay, so you can also set up keywords that you want to search for, regular expressions. If we had keyword lists, that's where we could add all that. Okay, so I'm going to go ahead and hide settings and then enable email status notification.
So if I wanted to, if I was connected to the internet, we can start imaging and then I'll get an email whenever it's completed or if it errors out. Start imaging. So I've already started that one, so let's go ahead and change the imaging type. Again, super slow because of my computer, not because of the software. Okay, now it's starting imaging, and like I said, I already had one started before, so it's basically picking up on what it already knew about that. I didn't even know it would do that feature; it's super nice. And then once we validate afterwards, we can make sure that that's okay, so that's extra cool, actually. Imaging percentage, and then if you look at the destination, it'll also say where it's imaging to and how much. So we have two devices that we're looking at, and this one is set to destination. All right, on the device itself we now have target one, or source one, sorry, showing activity, and then we're writing to target one, and it's all controlled from the software. So now we can just let that run and start to work with another disk. Now, imaging is one thing. Like, you definitely could get this and then try to image a bunch of disks at the same time, but like we talked about with PC-3000, there's just so much more to the Atola Insight software, and a lot of that kind of overlaps with PC-3000 type stuff. So let's go into, for example, file recovery. You can do file system level analysis, at least a basic analysis, using this software. It can parse out and carve out a lot of that information. File recovery: scan for partitions and then look through the file directory if there was a partition there. So the file recovery is pretty powerful. Very interesting: artifact finder. Set up what your artifacts look like, what you're interested in. You can customize again your filters, looking for URLs, phone numbers; I think these are the U.S. standards.
You can basically configure all of that here. Most people will probably recognize that if you've ever used Autopsy; we kind of look for the same thing, and then you have to set up your keyword lists, but you can just do that while you're imaging, so it'll save a lot of time. And then there's a lot of very low-level sector analysis that you can do. So you can give a CSV file of sectors and it will pull out all of the files that are allocated to those sectors. So some really interesting tools here. You do have to have the source device, then you have to have the sector list in a CSV file, but then it will try to get out both the file and metadata information based on the sectors. Really, really handy. They also have a scripting section, and the scripting section is super interesting to me because there are some cases where I want to do ATA commands, and you can script basically every level of analysis that Atola Insight supports, which could be file level, physical disk level, ATA commands, like the whole spectrum of disks. You can script any level, and I think that's where the power really is here. So here's just a script for partition table detection. Not totally interesting, because it's relatively easy to see the partition tables or what type it is, but just the power behind the scripting engine is huge. They also have all the commands that they offer, and that's where I found out about the ATA commands. And then they have a cheat sheet for doing scripting, and the scripting language looks relatively straightforward. So I think the scripting thing is probably one of the most interesting features about all of this, and that's saying a lot. We have the ability to do hashing, both on targets and destination and files, and then verify segmented hashes depending on how you've made the image. And then probably one of the most interesting things are the device utilities, and this is where we start getting into some very low-level or research-oriented
functionality. So, for example, we have the disk editor, where we can basically get a hex editor and start editing the disk directly, if my computer will bring it up. Okay, so we can read the sectors on the disk and then try to modify them directly if we wanted to. I mean, that's very low-level functionality. Fill or erase: this is basically wiping, except you can customize how you're doing your fills. And yeah, you can do this other ways, but it's nice that it's just in there. Like, if you have a bunch of disks that you need to wipe really quickly, you can just set this up, click it, go. SSD trim for your destination disks, if you want to make them go faster whenever you're wiping them; you can do SSD trim right here. Write from file is basically the ability to just save the data from an image that you already have onto a disk. Compare two disks. And let's see if there's anything dealing with host protected area: both detection and removal, or putting it back on if you need to. Security features for the disks, like a password manager, locking and unlocking the device; we can also recover disk-level passwords in some cases. Media recovery: very flexible tools to do all sorts of media-related recovery. And then one of the most interesting for me was to generate bad sectors. You can say where you want to generate the bad sectors, and then it'll try to create bad sectors on a disk that you can then fix later. So I spent a long time trying to collect disks that likely had bad sectors so that I could test these devices and see if they would actually work with errors, and then I found out that Atola Insight just lets you create them anyway. So I didn't actually need to buy specialty disks, but whatever. So for research, especially low-level disk research, it's an awesome tool; really interesting. You can set up a lot of interesting use cases with this.
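The three imager behaviours the stream touches on in this part (configurable error handling in the imaging settings, generating bad sectors on a test disk to exercise that error path, and verifying segmented hashes afterwards) can be shown together in a small model. The following Python is an added example written for this transcript; it is not Atola's code and not how the DiskSense or Insight software is implemented. The source disk, its unreadable sectors, the retry count and the skip-and-fill policy are all constructed assumptions so the script runs offline.

```python
"""Toy imaging pipeline: read errors, skip-and-fill, segmented hashes.

Added example, not Atola's code. A source disk is modelled as a bytes
object with a constructed set of unreadable sectors (the same idea as
generating bad sectors on a test drive); the imager retries each failed
read, substitutes fill bytes when the sector stays unreadable, logs the
LBA, and hashes every output segment plus the whole stream so the image
can be verified later.
"""
import hashlib
from dataclasses import dataclass

SECTOR = 512  # bytes per logical sector (assumption for the model)


class BadSectorError(IOError):
    """Raised by the constructed source when a sector cannot be read."""


class SimulatedDisk:
    """Constructed stand-in for a source drive, not a real device."""

    def __init__(self, data: bytes, bad_sectors: set) -> None:
        assert len(data) % SECTOR == 0, "data must be whole sectors"
        self.data = data
        self.bad_sectors = set(bad_sectors)   # LBAs that always fail
        self.sector_count = len(data) // SECTOR
        self.read_attempts = 0                # lets us check the retry policy

    def read_sector(self, lba: int) -> bytes:
        self.read_attempts += 1
        if lba in self.bad_sectors:
            raise BadSectorError(f"LBA {lba} unreadable")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


@dataclass
class ImageResult:
    segments: list        # raw image split into fixed-size segments
    segment_hashes: list  # SHA-256 hex digest of each segment
    full_hash: str        # SHA-256 of the whole image stream
    bad_lbas: list        # LBAs that were filled instead of read


def read_with_retry(disk, lba, retries, fill, bad_lbas):
    """Try retries+1 times; on persistent failure substitute fill bytes
    and record the LBA (a skip-and-fill error-handling policy)."""
    for _ in range(retries + 1):
        try:
            return disk.read_sector(lba)
        except BadSectorError:
            continue
    bad_lbas.append(lba)
    return fill * SECTOR


def image_disk(disk, segment_sectors=4, retries=2, fill=b"\x00"):
    """Image every sector in order, hashing each segment and the stream."""
    segments, hashes, bad_lbas = [], [], []
    full = hashlib.sha256()
    for start in range(0, disk.sector_count, segment_sectors):
        end = min(start + segment_sectors, disk.sector_count)
        seg = b"".join(read_with_retry(disk, lba, retries, fill, bad_lbas)
                       for lba in range(start, end))
        segments.append(seg)
        hashes.append(hashlib.sha256(seg).hexdigest())
        full.update(seg)
    return ImageResult(segments, hashes, full.hexdigest(), bad_lbas)


def verify_image(result):
    """Re-hash the stored segments and their concatenation.
    Returns (ok, index_of_first_bad_segment_or_None)."""
    for i, (seg, digest) in enumerate(zip(result.segments, result.segment_hashes)):
        if hashlib.sha256(seg).hexdigest() != digest:
            return False, i
    whole = hashlib.sha256(b"".join(result.segments)).hexdigest()
    return whole == result.full_hash, None


def build_sample_disk():
    """Constructed 16-sector source with two unreadable sectors (LBA 3 and 11)."""
    data = bytes(range(256)) * (16 * SECTOR // 256)
    return SimulatedDisk(data, bad_sectors={3, 11})


if __name__ == "__main__":
    disk = build_sample_disk()
    result = image_disk(disk)
    print("sectors filled instead of read:", result.bad_lbas)
    print("segments:", len(result.segments), "full hash:", result.full_hash)
    print("verification:", verify_image(result))
```

Because the segment hashes are taken over what was actually written (fill bytes included), verification after the fact confirms the image file is intact while the logged LBAs document where the content is not the drive's real data; keeping both records is what lets an examiner explain a zeroed region in the image later.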
So it's way more than just an imager. We can clone, we can image to a disk like we would expect, but we can also do data recovery, low-level disk recovery, low-level disk analysis. And then imaging again: I didn't show it, but we can do a new session, and if I create an image file without creating an image file on target, then I can image directly over our one-gig network connection to my forensic workstation and save the image file as an .img on my system. The only problem I have with it is that it does want to save it as an .img, uncompressed, so you don't have the option for something like Expert Witness Format, which I wish they had. But you have your physical images brought in, and then you can re-encapsulate them in a container if you needed to. So that's probably one of the main limitations that I found, but for the amount of features you're getting out of this, especially if you're doing low-level disk analysis, it's just awesome. Okay, what can you say about Grayshift? Not a lot. They're great. I've seen their stuff a couple of times and I've used it... I can't even say that I directly used it; I watched other people use it. They're really hard to get access to unless you're already in a lab that uses it. They're doing some amazing work. I wish they were more open. That's all I can really say. For law enforcement it's an invaluable tool, but you also pay the price. So a lot of the labs that I work with, there's no way they can ever afford to use Grayshift, ever. That's just kind of the nature of it.
So if you can afford it, just amazing; if you can't afford it, yeah. Okay, so I'm going to leave that running, and it is 11:22, so we're almost an hour over what I even expected we would do. If I leave this virtual machine up, we're not going to be able to run the quiz, so I'm going to go ahead and close this. Okay, so that was the Atola Insight forensic software working with the DiskSense 2. Really interesting combination: very fast imaging, but really more than the imaging, just low-level disk analysis. It's awesome. Yes, I'm going to take down this VM before my system overheats, and then we will do one more quiz, which is for another Magnet Forensics 50 dollar certificate. Can't even shut down quickly. Jeez. All right, we'll try this. Okay, so the QR code is up. Please join in at ahaslides.com, d for psi ato, and yeah, this one is for another Magnet coupon to the Magnet shop. Thank you very much, Magnet, for sponsoring some prizes. It's great to work with Magnet; really awesome company. They're always putting a lot of stuff out for the community. It's just great. Okay, we got a couple people joining, so I'll let that run a little bit. If you guys have any questions, put them down below. A couple more people coming in. Yep, so thanks to everyone for coming today, and like I said, I never expected whenever we posted our first videos that there'd be such an interest in digital forensics from all over the world. I mean, we have people, like I said, joining today from India, I saw, but really I've seen investigators and students from everywhere, so it's just really amazing that this field is growing. It's definitely a necessity, and even if countries don't really have the infrastructure set up yet, it's coming. Like, there's a huge need for people to be able to analyze computers, phones, eventually embedded devices. So I'm just amazed at how much it's grown.
I never expected 20,000 people to like our channel and like our content. So if you guys do have any specific topics that you want to see: like, so far today I have more people wanting email forensics, Windows memory analysis. I need to check back on my notes on what I was saying, but basically memory forensics and registry analysis are two of the big ones that people talked about. If you have any of those recommendations, just let me know, and it might take a while for me to get to them, but I will absolutely try to answer the questions that you guys have. No problem, and on any of the videos, if you comment down below, I try to check the comments. Actually, that being said, comments on YouTube videos I can see easily; YouTube lets me. But then replies to those comments are a little bit harder to see. So if you have a question, make a direct comment, don't reply, if that makes sense. It's just easier for me to find. I don't know why they set it up like that. Yeah, so just let me know. Okay, so we got 13 people in here, about ready to go, if anyone else wants to join. Oh, now 12. Okay, 13. Okay, I'll give it a second to catch up and then we will... Okay, so this one again, it's another open source intelligence one. We're talking about Atola Technology, so you might want to have a browser open to be able to search for some stuff, and this is for a Magnet shop coupon for 50 bucks. Stack memory analysis: how do I say your name, Vinay? Vinay, you're killing me here. Stack memory analysis is pretty complicated, but yeah, I will totally try; I'm going to put that in my notes. Okay, yeah, so any topics like that, just let me know and I will try to get to it as quickly as I can. Awesome. Okay, so we got 13 people.
Let's go ahead and start this quiz. Remember there is a lag between the time that you hear me and the time that the quiz is going on, so with the quiz, watch your phone or your computer, whatever you're on, and don't listen to me, if that makes sense. Okay, getting ready to start, and of course I had a typo in that one. Oh, sorry Vinay, I already started. Oh, man. So when was Atola Technology founded? Pretend I didn't make that typo. 2003. Yep, so that's on their website. They're actually fairly young, so they've done a lot of really great work in a short time. And then I also have a question coming in: have you worked with the PC-3000? Thanks. Yes, I have worked with the PC-3000. Again, for low-level disk analysis I don't think there's anything better. That being said, the Atola Insight with the DiskSense comes really close, so just look at the features of both of them, and then depending on what your lab does, if they are more of a hardware lab, then you really have to consider both of them side by side. I think the PC-3000 can do some things that Atola can't, but yeah, it just depends. Aha. Okay, so we got a tie for the top. Actually, we got a tie for the top three places, right? There's only one place for the Magnet certificate, so the top one gets it. So speed is really important. Okay, oh, this is going to be spicy. Yep, Canada. So Atola Technology HQ is located in Canada. They have people all over the world, though, but they are Canadian. So they even have a little fancy Canadian flag on their packaging. Okay, let's see who we got. Oh, JB. Wow, pulling it out. It must have been a one-second difference. That's amazing. So JB got the quick one there.
Okay, starting the next one. This question was a little bit confusing to me because it's all packaged together. So, got 11 responses. Software. Oh, man. Yep, so it is a little bit confusing: Atola Insight is the software, and then the hardware that we're looking at is the DiskSense 2. So let me see if I can bring it up again. I mean, this was honestly a little bit confusing to me, but basically this piece of hardware that we're connecting the disks to, this is the DiskSense 2, and then the software that we're using to control that is Atola Insight. So yeah, I knew it was confusing for me at first, but I'm surprised at this result. Anyway. Oh, Jersey. So there's one more. It's anyone's game, one more. Let's see what happens. Devin with the sad face. Oh, Frederick with the sad face. Oh, no. DiskSense. Oh, yeah. So Unifying Vibe says questions are freezing. Actually, people said that on the last one too. I'm sorry about that; I need to check it. All I can say is, is it in your browser? If so, it could be something with AhaSlides. So yeah, that's the problem with the one that you have to answer quickly. So I'll try to find a better solution for it next time. Okay, so the name of the Atola hardware we're using today, again, this piece of hardware here is the DiskSense, and this is specifically the DiskSense 2. So yep, that's what we're looking at. So what's the turnout? Jersey, 380 points. Just amazing job. Good open source intelligence skills. So great job on that. I'll make a note. Yep. So awesome job, everyone. I hope that was fun. I thought about making it more of a, you know, digital forensic kind of quiz, but I didn't know how serious to be about it. So I'm like, let's learn about these companies that are doing some great work.
Like I said, in terms of hardware, it is difficult to get access to hardware, and really these companies are some of the best hardware companies that you can come across. So most people, or at least most criminal investigation labs, know about Digital Intelligence and their FREDs and their external write blockers. Atola Technology has been making some huge waves with their fast imagers, and then, like I said, it's almost a competitor with PC-3000. So something to think about. That's really it. If you guys have questions, let me know. I am going to be posting videos about device unboxing so you can see what comes in a standard kit, and then I will post videos about how to use each of the pieces of hardware, plus some adapters. So hopefully that at least gives you, like, if you start working in a lab or if you're developing a small lab (I developed small labs all over the world), we really need to know what is worth investing in, because every lab has a different requirement, right? So we need to think about the best way to spend the limited money that we have, honestly, and you do need some hardware. But, for example, do we need an entire expensive kit, or can we just get by with a couple of adapters and maybe one or two write blockers? Can we just use the software write blockers and then just buy a hardware adapter for M.2 devices?
For example, maybe that's an option for us, and then we can scale up as we need to. So what I really wanted to show today is that there are flexible options all along the line. The more expensive devices do a lot more things, and if your lab is focused on low-level disk analysis, maybe the DiskSense is the first one that makes sense for you. If you're only imaging laptop hard drives once or twice a week, maybe the external UltraBlocks are going to be what's right for you. So there are options out there, and we just need to get access to the hardware to know what to look for, basically. So don't feel like you're stuck with one device. Get what is best for your lab, if you need to, and start slowly. That's what I do and that's what I tell people to do. "What makes the imaging process fast? Can we implement parallel computing for the imaging and analysis process by ourselves?" So yeah, what makes the imaging process fast? It's really down to understanding your bottlenecks. So you can see, let me switch over. Like on this, we have a source and a destination, right? Well, if my source is SATA and my destination is USB 2, then the USB 2 is going to be my bottleneck, and it's going to make everything much, much slower. So with imaging, especially hardware imaging, you want to make sure that you understand and optimize each segment that is in the imaging process. That way you can get the most throughput, and that's usually limited by hardware. So you always want to choose the fastest connection speed you possibly can for each segment that you're imaging at. That's one of the biggest things that you can do right now to increase your speeds: make sure you do that. And then parallel computing: well, yeah, the basic idea behind the TX1 and the DiskSense is more sources, more destinations. So there is a hardware limitation. I don't think you're going to get much above three or four sources.
Atola has another device that can take a lot more sources, but I think eventually there's going to be a hardware limitation on how many sources and destinations you can physically get at the same time, and then you just have to buy another device. For example, if you set it up on a server and then image everything from the server, it's the same concept. So yeah, unfortunately we're limited by hardware now. That being said, a lot of stuff is going to come from cloud, so for cloud investigations parallel processing can make a lot more sense. Yep, thank you everyone so much for coming. Cheers to 20k. Thank you so much. I'm totally shocked. Can you use the Zoom duplicator? I've never actually used one, but as long as it supports USB, then it will. UltraDock. Okay, the Zoom duplicator with the UltraDock. Yeah, I mean, the UltraDock will take anything in and then it will write block at the UltraDock level. So if you're connecting the Zoom duplicator by USB, then the UltraDock will be write blocking that. But I need to look; didn't Zoom have a write block feature? I don't know, but if you connect anything to an UltraDock, it's going to be write blocked at the UltraDock level. You don't necessarily need to double-stack write blockers. I do tend to use an external write blocker and then a software write blocker, so I will stack it that way, but that's just because software write blocking is enabled by default anyway on most of the systems I use. Yeah, but if you have an UltraDock and you plug anything into it, even if it's a duplicator... Now, that being said, if you connect too many devices in through one port, you're going to see performance decreases. So just something to consider. Okay. All right, so thank you, everyone, so much for coming. Thank you for supporting the channel. Thank you for being here with me again.
Let me know if there are any topics you want to see or if you have any questions. Reach out to me on Twitter; that's really where I post things about internships and jobs and stuff like that, as well as videos. That's where the community is. The Digital Forensics Discord server is a great resource, and yeah, just comment on any YouTube videos that I have and I will try to get to the comments as quickly as I can. If you give me ideas, I'll put them in the rotation, and I can't guarantee that I'm going to get to them immediately, but I will get to them as quickly as possible. So I have quite a few recommendations now that I need to get to. All right, so thank you so much. Wolfgang is saying two separate processes. I'm not really sure. For imagers, most imagers are already optimized for processors, so you don't need to start two separate instances of most modern imaging software; it'll handle processing anyway. But most of the processing that happens whenever you use an imager, like FTK Imager for example, is going to be in compression. So if you use compression on disks, a lot of the time that it takes depends on the compression you use and how fast your computer is at compressing. If you just make a raw disk image, they tend to actually be faster, and they use almost no processing power; they're just using I/O directly. But if you want to compress those disk images, and we usually do, then your CPU really matters for imaging. So I'm not sure what you mean by the two separate processes, but if you're thinking about imaging and processing, it almost always comes down to compression, disk compression or image compression. Okay, so with that, we're going to get out of here. Thank you so much for the support, and I will post more videos about the hardware soon. So keep an eye out. Let me know if you guys need anything, and thank you so much.