 All right. So as you might guess, wow, we're the unpopular ones because now everyone's gone. We feel the love for those of you who are here. I really miss a clip, Mike, too. I'm going to keep doing that. This is CSICon. If anybody read our abstract, it was rather interesting. But we're going to walk you through a case. And the reason why that you will be interested, first off, I just did a lot of vodka. Secondly, mixed with caffeine, it's the whole goal of forensics is the goal to prove whether... I'm going to keep doing that. I hate this. It's the goal of whether or not you're innocent or guilty. Believe it or not, we'll actually kind of go both ways. So I am Amber Schroeder. I'm from Pariban Corporation. I am not a fed. Hello. But I make a shitload of money off of them and I enjoy every minute of it. So my partner in crime, I'm Tyler and I actually am a fabulous fed. We changed it a little bit because although she does do the whole fed thing, she is quite fabulous. And she has much better fashion sense than most of them. So we kind of go for that. Just in case you guys didn't get a chance to see our abstract in the lovely little documentation, we made a movie because that's pretty cool. We like that. So hang on one sec. So kind of fun. Yeah, we have fun with that. But that's kind of where we're going to pick up. Yes. See, it's one of those that he did mention he wasn't going to be a free man for very long. Yeah, so. Yeah, it's one of those spread in moments. Oh, just wait. Jack Grove is really just Johnny Long. I think this is going to be some fun. We've got some innocence or guilt. It's our job to prove if he's innocent or guilty. Well, then the presentation said goodbye. Have a nice day. So where are we going to start? Well, we started collecting our evidence. Some of this evidence is actually a little bit volatile. So we have to go through some special steps to preserve it. Then we're going to go through analysis and then reporting. And then at the end, guess what? You guys get to participate and have the verdict. You get to decide. So in proceeding forward, we have three pieces of evidence we took from him. We have a Blackberry or Crackberry. Who would have known? I thought he was such an upstanding citizen. We have a Nokia. Oh, a 6101. Hello. Could have done better. Oh, and the iPod shuffle. The shuffle. Is that all the capacity you've got? I'm disappointed. I'm disappointed. Oh, it's all about the size. Take it down into two different areas, because digital forensics is not the same every day of the week. It's not a whole bunch of Wonder Bread out there. It's like, woohoo, Wonder Bread again. Woohoo, Wonder Bread again. It doesn't work that way. We actually have two different areas that we're going to look at. We're going to go computer forensics. Which, yeah, oh, it's me. Okay, get used to it. Computer forensics, which is bitstream imaging, so we're making exact copies of things. They're static. They don't change a lot. And then we have handheld forensics, which does active memory imaging, because the little buggers are sitting there changing all the time. So we do a form of snapshot forensics. And that's a huge difference in between the two. And so we're going to split it up, because everyone has their special skills. And mine's in the handheld forensics. And Tyler, she's going to do some computer forensics and deal with the iPod. That's right. So, we get to use a toolbox now. A very fashionable one. So one of the things that we need to do if we're responding to some kind of scene is we have to check all areas for potential evidence. And I do mean all areas, because some of these devices are kind of small. Now, Amber's got her little forensic toolbox. We take this with us, because you never know when you're going to be in a situation where you have to search in... Yeah, it doesn't work that way. It's one of those bend over and cough moments a lot of the time. You should have picked a bigger iPod. That's just the answer of the day. But you'll have to be prepared for all things. It's always good to have a handy toolbox. And always wear gloves. Ah, yeah. Hello, handhelds. Nasty, nasty, nasty. Are you asking a question? The extra one will fit in my pocket on the plane. So there's other methods you can do. We can just put them in the room with the guy named Biff. They'll find it. It's not a problem. They're not as nice with the lube, though. So we kind of balance that out. So gloves are important. There is biological evidence that you have to maintain. There's a reason I chose to do digital. It's not as gross. It's a lot more entertaining. So this is my favorite part. Because it's more than just gathering the evidence. It's dealing with the suspect. So you're going to have to balance it out a little bit. And that's where other fun things from my toolbox come into play. So this is how Amher gets the password out of a suspect if they're not willing to give it up. This is also how we find the friends of suspects as well. Okay. Your whip is asked till it gives up his password. Is that better? Yeah. It's hard to do both. I'm not that multi-talented. But that does mean if we have any AV problems, I think we'll have success to balance. The other thing is collection and preservation actually changes quite a bit with this type of digital evidence because it is very volatile. On the handheld side, you've got live wireless devices. And as you all know, a kill command is a real bitch to a blackberry. It makes all the data go bye-bye. So we balance that out by dealing it with a holiday cage. We put them in these cool bags. And they are very cool and shiny. We like shiny stuff. And this blocks all the wireless signals from 0 up to 10 gigahertz. I think we're pretty much covered at that point. But the problem is you like working in a bag. It's not that fun. So we balance that out one stage higher with a tent. Have you ever heard of the whole seven minutes of heaven in the closet? Yeah? It's a seven minutes of heaven in the third day tent. It's fabulous. We have a tent club at the office. Very interesting. Yeah. All about experimentation. But we know our wireless evidence is protected in there. And we're not going to have any problems with signals being added to it. New calls being received and overriding some of the data that we needed in the first place. So it is about the protection of that evidence. So one of the things that you need to do is you have to prioritize your exam. You want to get any volatile data first. You want to get any data that you could lose information on. So you'd want to go with your PDAs before something static like the iPod. Because the iPod is essentially a hard drive. And you're not in danger of losing that evidence. With the PDA, no power, no data. With a cell phone, you've got the pin, you've got the puck, and then you're just going to end up fucked. It really sucks. It's a whole lot of legal paperwork that you just don't want to go through. And so you try to plan ahead, maintain the power. You put it in the third day, and you're usually good to go for about eight hours. So our big question is we want to answer this evening. We want to know what was Jack Rove up to. We want to know who his accomplices were. And most importantly, we want to see if we have evidence to prosecute. Because remember, we're here in the lab and we're not trying to find guilt or innocence. We're just trying to find what the evidence is. And sometimes it's going to prove innocence, and sometimes it's going to prove guilt. And final, of course, we've got the verdict. And that's where you guys come in that you actually get a vote. Remember, it's a jury of your peers. It makes it a lot more interesting. So we want to know what he was up to. One of the first things we look at in forensics is we go to the time stamps. Because we want to prove that you were actually doing it within an existing period of time that the theft, the hack, or whatever occurred. And so we have to look at the time stamps of all these different devices. You have dynamic devices and you have static devices. Are they all in the same sync? Are they even from the same time zone? So we kind of go through those. As we go through them, we do things like use the development libraries for Blackberry and you can make your virtual Blackberry. And then you set up and go through and verify your time stamp on the device. It's a snapshot. It's from that point that you seized it that you're going to check. On a cell phone, we have another problem. It's not on there. It's not on there through any of the conventional methodology that you pulled down because your time is continually changing. As you hit the different time zones, you have a variation. As your time stamps hit with SMS or a call log, it changes based on the zone and it doesn't actually mark what zone it was in on the device. So it becomes a lot more difficult to deal with. It's high maintenance evidence is how we refer to it. With the iPod, it's a little bit different. Sometimes you're going to be able to get a time zone based on what region it's in. It also is just going to depend on if you have the computer that has iTunes with it. So it's a little bit more difficult. We do know Johnny was smart enough to destroy his laptop before he got to us at this point. He probably did shit back in the green room, so we'll see. The other side that we get is something that doesn't happen on the actual digital devices. We actually go to the providers. We go through their data through all the proper legal paperwork. We hire our lawyers and we pay them a ton of money. They write up the subpoenas for us and they bring that data down. But the value of that to us in forensics is it tells us it's subscriber information. Every time you buy a phone, they take a shit load of information about you. Even if you're smart like Johnny was, where he bought a pay-as-you-go phone, because the 6101 is a very popular pay-as-you-go phone, some of that information is still recorded as far as the equipment identifier is in the store. It was bought in Virginia. It was done here, here, here. All of that is recorded whether or not they took his name or not. You still get a starting point for your examination to occur from. The other is the call detail records. We cross-reference what actually occurs on the phone versus what is showing in your records that they charge you for. Let's just be serious. All of its cell phone providers are anal retentive. They want to charge you for everything and they keep track of it. And they provide that over as part of your forensic examination. If you made the call, they have a record of it because you paid for it. So we use that information to cross-validate. We use some of the great tools out on the net and we build a map with them. We want to see, are you making calls in the area of which we had a hack occur, for instance? Obviously, we're dealing with a hack here. So, balance it out. Was he even in the vicinity? Was he close enough? Was it a physical penetration or was it a digital penetration? I just like saying that. It was fun. So, I'm like a child. I'm like, hehe. It was cool to see how often I could make Tyler blush. So, all right. Again, our big question. Who are his accomplices? That's what we're trying to determine. So we've got to figure out where to start. So we're going to go through things like address books. We're going to look through text messages. We're going to try to see if there are any photographs, emails, all kinds of records like that. And then sometimes things just kind of come up. That always happens. So we balance it out. Big question. Is there enough to prosecute? A lot of times there just isn't. It's been wiped. It's been killed. And the case goes to the side. The problem is habitual users, meaning you keep coming back over and over again and you make silly mistakes. Which means it just builds up more and more cases. It's kind of like all those years in school and your high school file was like five inches thick. It's the same. They keep track of you. They want to know how often were you actually doing this? Oh, you're back again. It's a reunion moment. So you balance it. But the important part we hit at this stage is acquisition. Did we do the right procedures? Because that's one of the important parts that people can really screw up. So, okay. Now we're going to kind of go over the iPod a little bit just its structure. How many of you guys have an iPod in here? All right. That's like pretty much everyone. Good participation. We like that. Yeah, we do like participation. It's good. It's positive. The default systems that are going to run on the iPod, you're going to have HFS Plus or FAT32. Does that mean those are the only file systems you can have on an iPod? No, not at all. Okay. Essentially the iPod is just a storage device. It's hidden if you're storing information in there because its primary function is a digital media device. But you can hide photos, trade secrets, hidden files, hacking tools, pretty much whatever you want. Does anyone use their iPod as a storage device? Yeah, pretty much everyone does. I do. Okay. And again, you can have hacking tools on your iPod. You can have your Metasploit. You can have whatever you want. And you can also bring evidence back to the iPod for safekeeping. If some investigator is in your house digging for things, they're not always going to look for that iPod. It's just becoming more and more convenient to have those devices with you as well. Everyone has their iPod all the time. And you can transfer files. It's just kind of a good thing. All right. And then there's also small Linux distributions that can run on an iPod. These three are actually bootable Linuxes. So you can actually have your iPod as a bootable Linux. Now, I've used all three of these, but the one that I've had the most success with is the damn small Linux. You can actually set it up so it's running in conjunction with iTunes so that it'll still function like a regular iPod. All right. One of the issues that we have with this device is we have to image it. Now, when we're imaging this device, we're taking the evidence and we're making a working copy of it. It's an exact digital replication of that device because we never want to be working with our actual original evidence. We always want to be working with what's called a best working copy, which is essentially the exact same thing. But one of the problems that we can run into is that these devices, a lot of these imaging tools run on Windows. And if I take my iPod and plug it into my Windows machine, what's going to happen? Instant corruption. That's what Windows does. It's all about the corruption. Exactly. We don't like that. That's bad for forensics. Very, very bad. It's a very, very bad idea to muck up your evidence. You might find yourself out of a job very fast. All right. These are some of the tools that you can use. And then there's pretty much any forensic tool you can use for analyzing the iPod. All right. Now, what you're essentially trying to find is you're trying to find what's normal on an iPod and then find things that are not normal. Now, all the iPods are different, and iTunes is actually different. As it goes up in versions, it deals with things a lot differently. Some of the things you'll find, you'll find a calendar folder. You'll find the iPod control folder, pretty much the nerve center of the iPod. There's podcast folders and photo folders. Now, why do you think you'd never find a photos folder on an iPod shuffle? Exactly. And you wouldn't even know the blind record. Man, a shot. There's one open. Here he comes. Yeah, you're smart enough to know there's no screen on a shuffle. When's a shot? Look at that. All right. So what's not normal? This makes matched file extensions. This is anything that has a header with an extension that doesn't match, and we're going to actually see some of that when we start doing the analysis. Anything that's hidden? Something like too many partitions or non-standard file systems? Does that mean that if we see an iPod that's got Linux on it, that it's evidence? No, not necessarily. And this is true of all types of digital evidence. It's not as easy to play around with a blackberry or a phone. They are kind of playing one team most of the time. However, you can do your modifications to them, and those are things that you look for in the digital evidence range to say, how is it going to be different, and how is it going to respond differently to my acquisition procedures, and how does the data relate back and forth? Because that's the interesting thing. The blackberry is codependent. It needs other devices deeply. So it passes data back and forth. You have multiple points of digital fingerprinting. So now what we're going to do is we're actually going to break down the evidence for you. We have a wee bit of what I call Martha Stewart magic because I just hate her. Oh, she's just really annoying. And we pre-acquired them just to make it a little faster, and this is like 50 minutes. So we're kind of working through that. So we're going to actually go through the blackberry, the cell phone, and the iPod for you, and you can help us find evidence. This is that key point where it's interaction. It's interaction. It's a good thing. So which device do you guys think we should do first? Which one? Oh, you paid attention. Awesome. We feel the laugh. I wish we had like presents to throw. It might hurt a little. Just a little. Or you can come up, and now that wouldn't work either. Okay, anyway. All right, this is going to be a problem holding a mic, standing and driving. Why don't you just echo it back in the stand? I'll see me drunk. Okey dokey. And now you can't hear me. Okay. Yeah, we have to lean forward. All right, we've got our blackberry. Blackberry is pretty simple. Believe it or not, it takes 15 minutes to acquire a blackberry in a forensic manner. That's it. It's a little anticlimactic to be honest with you. It's like, oh, windows takes longer. Scary. Blackberry simply consists of databases. What's the prime purpose of a blackberry? Email. Email. Very good. So I think that's probably the first place we're going to look. Lovely. Looks like Jack had an email problem. Looks like he had an apple problem as well. He was going to iTunes. Been very busy. How does it feel to have your email read on a screen? Is that good feeling? Happy feeling? Do they always say that? Always. It's got a Gmail account like every other person on the planet. Looks like he has some gaming. MSN. I'm disappointed in you, Johnny. I'm disappointed. Let's see. What else are we going to look for? I see nothing that really kind of blows the skirt up. Have to be honest with you. It's okay. Okay. Memos. Hang on. We have a board meeting. Project coin. Nice. Address book. This is always nice to see Bastard in someone's address book. That's how you know they feel the love. Oh, yeah. So we've got a CEO Bastard. It looks like it's Robert Proctor. There are some issues there. Oh, Alexandria, Virginia. That kind of matches up, doesn't it? We thought that the whole thing was occurring in the Virginia, DC area. That's what our call detail records told us. So interesting. Oh, and check it out. It looks like he's done some social engineering there. Dog's name is Tigger. His... Oh. Mr. Proctor's wife buys stuff from Amazon. Imagine that. Oh, and he was working the secretary. She likes sunsets. In beach walks. That's just precious. Absolutely. Ah. Bosses habits. Hates the new computer systems. Upgraded them all to new software. Couldn't remember it, but oh, check it out. The phone system is an old PBX with an open port. Wow. Now who's saying bend over now? Hmm. Sounds like opportunity there. So we need to keep looking around. See what else we've got going on. Um... You know, one of the areas I always find to be interesting on a blackberry are pin messages because that's one blackberry user to another. It's all in the network. It doesn't hit outside. So it's important to always check those out as part of your evidence. So what do you think? We've got masking of an IP. Cool. We've got a check made on the passwords or the passwords for the whole case. Among other things. Among other things. I do believe we have some open opportunity here. But do we have enough for a verdict? This is that interaction moment. No! Oh, thanks! You're not dead. Oh, let's check out the next one. This should be really fun. Because you realize that the number one digital fingerprint people leave is their cell phone. Why? Because we all can't live without them. We just have to be that reachable. So, I mean, how many of you guys have cell phones? Yeah, I felt like we were doing the wave there for a minute. That would be everybody. And if you don't, you're a liar and we know it. So, we've got choices. Looks like we have a web-enabled cell phone. Looks like he was out surfing as well. With T-Mobile. Again, disappointment. Oh. Okay. What else do we have in here? We have logos. Did he have them on? Did he have them off? Call logs. Those are always important. Alright. There's someone named Tanya in your life. Always interesting. Spock. Satan. Always important. I love getting the calls from Satan. Always a positive sign. So, hmm. Phone book. On the phone. Oh, Johnny, you call your mom. That's so sweet. And evidently, Cartman. Hmm. Who would have thought? I didn't think the cartoons picked up, but you never could help. He's saving them to the phone, though, and not the SIM card. And that tells you something about your evidence. It means it's probably temporary. If he's moving a SIM card around to different phones, you'll see almost 100% of it stored over on the SIM. And so there's a balance with that. And as we all know with the new dual SIMs, you can be multiple people at once. Schizophrenia is now popular and digital. So, you balance it out a little bit. His own number. And then you hit the good stuff. You know, I always find something very telling about people. I think their ringtone really says a lot about who they are. Do you agree? Absolutely. Do you want to hear his ringtone? Yeah, because it's kind of fun. And so we go on our tones. Pick it up. It's a demanding ringtone at that. Now, he thought it was pretty tricky, because earlier I went through it, and I noticed that he had actually surfed to T-Mobile to download this. Now, those special people, and by special I mean evil bastards, at T-Mobile decide that they want to encrypt everything. Yeah, so you can't share their stuff after you pay the 599 for it. Pisses you off. It's like I paid for that picture. Hello? So, you know, he thought he was being pretty tricky. He thought none of you would get to hear his ringtone. Well, you know what? Sometimes you have other skills. And I happen to have some of those. It was good. I actually exported it out, because I have to take it outside of my evidence image. You never work within your image because you can't modify it. So, I exported it out. I also decrypted it. And now you get to hear it. Jessica Simpson. Did you hear it? Here, we'll do it again. You have Jessica Simpson saying pick it up, pick it up. She's calling you on your phone. Aren't you so proud? You know, that goes beyond fan at that point. So, what else do we have here? In the file system, that's where we're going to find all the images associated with the camera phone. We do know that this is an actual camera phone. So, all of the images are going to be stored by default on the device. We also know that both of these devices, and I'll just mention it because we don't have much time to go through it, have SIM cards associated with them. This is a GSM device. The BlackBerry has a SIM card as well. Both of those would have forensics done on them in addition to doing the actual default device. I didn't go through those because we're going to run out of time otherwise. What I did do is I carved out all of his graphics. Here we go. I like the flowers. Those are nice. We are confirming he indeed has been in the DC area. Looks like he's taking some pictures of some security around buildings. Always nice. Ah! Probably the girlfriend. Ah! The belly dancer. Always nice. Been to Paris. I think Rome. That's also DC again that we see here. Even some of the damaged images are still recoverable after they've been deleted off of the device. It's amazing how long a digital fingerprint is left on a cell phone. It's about two months. It's a long time, and that's with active use. So we have some options there. And of course, as we saw up here, we always cross reference. How were the call logs? He really didn't dial a lot of people with this device. The number one form of communication on a cell phone, however, isn't talking on the actual phone. How many people get pissed off that it's like, could you just quit texting me and pick up the damn phone? It's got a call button. If you've got four paragraphs to send to me, it's a lot easier. It seems that Johnny has that problem as well. So let's check out some of his text messages. Skittish problems. Specs on a device. Russian server. Always popular. Oh, the hi honey. I can't wait to see you. Hurry back, I'm wearing your favorite. Nothing. I don't think you're going to get a chance to see that. Just thought I'd warn you. Maybe Biff will indulge with your favorite. In the information, we pull out what the number is. We pull out when it came in. How it was delivered. What the status is on it. We've got payment. Rude on a target. Again, gaming. Oh, working with FedEx. Nice. Oh, he's been downloading pictures as well. And again, that T-Mobile service. We have our default templates that come with it. No big deal. But I always find it interesting to look at the save text messages. Because either you're just too lazy or you're worried you're going to forget. And so you put them in there. I'm no narc. I don't doubt that. Cool coin next week, Saturday. Awesome. F-00Q's end. A little fat fingering, huh? A little problem there. A little too much to drink. We can give you a shot before you go to jail. It's all good. And then of course we have our access points knowing that he has also activated the GPRS service. Which means it's being recorded at the provider level as well as the phone. And all of that gets picked up. At the end of both of these pieces of evidence, do we have enough for a verdict? No. You lean in one way or the other? Guilty. I love it. I thought you were more popular than that. Geez. So, we've got one last piece of evidence. Let's see how it relates to both our blackberry and our cell phone. Okay. So I've already pre-imaged this iPod to save us some time. This is what the file system looks like. We see that this is actually FAT16 which is a non-standard file system for the iPod. But in and of itself, that is not evidence. What do we see here? What just kind of jumps out at you almost immediately? Not big. We've got this boot.cat come down here. We see syslinux. What do we think that that is? Do we suspect that this might be a bootable linux? We suspect it might. Can we tell based on this successfully booting linux? No, we can't. What's this? That's metasploit. So we see here that he's done some configurations with his iPod. Based on what we see here that he's got hacking tools on here. Do we have enough evidence with this? No, of course not. All right. So the shuffle is a little bit different than any of the other iPods. It's a little bit simplistic in what it has. The iPod control folder is the nerve center of all the iPods. He attempted to delete this iPod as we can see by this little red X. But when you and I'm sure that you guys are all aware of this, when you delete a file it doesn't really go away. Usually we can still get it back. So in here we have this iTunes folder and we have this music folder. Now iTunes actually controls everything that happens on the iPod. It controls everything. Have any of you guys tried to get music off of your iPod and you have to go through this crazy process to do it? It's because iTunes is controlling everything on there. And if we remember we had another reference earlier to iTunes on our Blackberry. He said all the emails for his iTunes to go down to his Blackberry account. So we have a relationship between the two pieces of evidence that's always very important to find out how they work with one another. So what happens when you first build this device is this f00, f01, f02 directories are created and then if you have more music more directories are just going to be created. Now I just want to show you the structure of one of these. I'll show you this one. Oh boy. Oops, I did it again. Britney Spears? Johnny. So what this version of iTunes does is it'll take the song iTunes will put the song into the device it'll have this 01 it'll have a number over here and then the song and then what happens is that gets deleted and it changes it into this four code beginning with the extension. What do you guys think this number is? That 01 in front of oops, I did it again? Absolutely, that's the track number. Now not all versions of iTunes do this. The earlier versions will leave the entire song title and newer versions do this. So let's take a look at two files I want you to see. This is the iTunes database file. What this is is this is kind of a map to everything that's on that device and iTunes controls this again. So everything that iTunes has put into this device anywhere will be in this file. So if we kind of come through here we see Don't Stop Believing Journey's Greatest Hits Whoa. And then we see where it is. We see it resides in iPod Control Music F02 and then it's got the extension that it's given it. It's called it RHEA.MP3 and so on and so on. Amber are you interested in any other music he's got on here? I am curious about what his entire playlist is. Ooh, a Lannis Morcette. Johnny, that's hot. Wow. All hot and bothered. Natasha Bell. I can't look at this anymore. He may not be guilty overall, but he is guilty of bad music choice. I agree. Really bad. So then I want to show you this file as well. This is the iTunes Shuttle database. This is only on the shuttle. This is not going to be on any of the other devices and it's just kind of a condensed version of what we just saw. All it tells you is the location of files. It's not going to give you any information about those files, but let me throw this out there. If I found something in say that F00 directory that was not in this database, what would that tell me? What would that signify to me? Exactly. He did it by hand. So let's just kind of look in here. Now we see here we've got Ashley Simpson. I don't even know what that one is. But what pops out almost immediately? What's the first thing that we see here that could possibly be suspect? Which one? You say the hidden one? Yeah. Something called hidden.mp3 will first off, it doesn't have the four code beginning. Something that is typed in. Something else that you might notice as well. Let me move over here is the size. This file is significantly smaller than the other mp3s that we have on here. So that's kind of a giveaway as well. Now this tool and most tools will do this for you. Some tools don't. Some you have to actually go in and do yourself. What it's doing here is it's doing something called a signature analysis. And what a signature analysis is is it's taking the header of this file and it's saying that header, because we look up here we see that header does not match the file extension. So what this tool has done is it's gone through and it's found three of these files. And it says these files are not what they appear to be. So let's take a look at them. Hey, did he have any graphics on there? Just as a side thing, just because you have a viewing window doesn't mean it doesn't have graphics. Ooh! Wasn't that the same picture you had on your cell phone? I think so. I could be associated with that evil CEO person, I imagine. And then this is coming a little bit big. I don't think we should be looking at that one. Oh! The girlfriend. Yeah, black and white usually means only one thing. And then we have a picture. Give me a shot. All right. And then we have a picture of DC. All right. So... All right, so how does it... How do the different pieces of evidence link together? Was there anything on the iPod that... Well, there's one more thing that I want to show them. I want to show you if you purchase a song from iTunes if you come in here come down, down, down. What do we see here? Name Jack Grove. He purchased that song. Now, where do we think that that name actually comes from? How many of you think that that's just kind of arbitrarily there? Good. All right. How many of you guys think that that's the name that he registered with iTunes? And that's where that actually came from? Okay. How many of you guys think that that is the name that's affiliated with the credit card that he used to purchase his songs? All right. You guys are right. It actually is the name that he used to purchase the... It's the name affiliated with the credit card. Which means he really can't get away from the fact that he did, indeed, pay money for Britney Spears. So bad. Ooh. All right. So, Amber, I'm starting to think here that we do not have enough evidence. You think we should keep looking? I do have that one question. Did you notice those text messages? I'm a big texture myself, so there was that one weird one. F00 fat fingering moment. I've seen Johnny's fingers. They're not very fat. That's true. I have to think he's a decent typist. What did that say? Again, do you guys remember what that said? Okay. F00, HZ, blah, blah, blah, and... That blah, blah, blah, blah. MP3 right here. Now, this MP3 is obviously what it says. It is an MP3 because it would have come up in signature analysis. And if we look at this header, we see that it is indeed an MP3. Now, if I actually played this, I have a feeling that the song would actually play. So, I'm not really sure what to do from here. What was the end of that text message? End. It sounds like someone likes and stuff. Check the end. All right. Okay. Do you guys really want to hear his music? You guys really want to hear out of the beat? I don't. My ears would bleed. What do you guys think that that means? What do you think he was saying? Okay. Let's try that. Let's go down. Okay, I'm at the literal end. Wow. What's that? Ha, ha, ha. You'll never catch the likes of Jack Grove. Oh. It's a love note. It's a definite love note moment. Do you want to say answer that? I'm not sure after the Britney and Jessica Simpson. I think that one was an avril. Yeah. Not sure about that one. So, we have a choice. We have a verdict moment. And then we get to decide what its sentence is. It really is kind of the best part of it. Because there's no judge. So, what are you thinking? Guilty, not guilty. We had a blackberry. I love organized chaos too. Everyone just straight yelling, yeah, that works. Uh-huh. It works now. Beyond that, I think the implication that he has some hacking tools and is mocking some investigators is not grounds for, you know, convicting him. So, I don't think he's guilty. Ah. I really think he's not guilty. You don't think he should be flogged for his choice of music at very least? Edward, you just want to use that flogger. I know. I have a focus issue. There's a club down the street that we can go to later if you like. Thanks. Uh-huh. You know, don't you think this has been a little overdone at this point? Free Johnny shirts? Come on. Yeah, a little over the top. All right, so are we voting not guilty? Thank you. There's actually enough to prove him innocent. Could you imagine forensics? You're proving him guilty. What? And since you're guilty, oh no, there's two sides. You got to be kidding me. Forensics does both. Hmm. It looks like we have probably a popular vote of a lot of free Johnny's. Thank you for a good sense of humor. Okay, I think I'm going to retrieve my items. Thank you, everyone for setting me free, and I think it's time for shots. Yes!