Time
58 minutes
Difficulty
Beginner
CEU/CPE
1

Video Transcription

00:00
So here are my tough questions. My only tough questions in here, um
00:05
APFS
00:07
has been problematic. I think it's mostly in the way Apple just sort of went, blah, here's APFS, we'll get around to the documentation someday.
00:16
Um, they dumped it on everybody. And then, of course, you know, I've been
00:22
kindly beating on you about BitLocker for a while now.
00:27
Uh, totally beating, just asking the question over and over again. So go ahead and enlighten us on both of those things.
00:36
Um, so we've just finished an implementation of APFS, including decryption support.
00:47
The trick with APFS is really what Apple have done with the new T2. Short story is, there are a couple of interesting moving parts to that, to the short story, they've
01:03
like the iPhone, well, the new architecture looks very similar to the way they've done encryption on the,
01:08
um um, but
01:11
as most people would know, iPhone. The main key is baked into the silicon and there's no way that we're getting that out, practically speaking.
01:22
So to do a physical of a T2 device that's got BitLocker enabled. Um, there's kind of two approaches you can do. One of them is to use your father's file. I, um Sorry.
01:41
Oh, yes. Sorry for the trouble. Yeah, yeah, yeah. Um, one of the approaches is to use, um, uh
01:51
oh. Did you call it?
01:53
All right,
01:56
Target mode. What's that called again, you're talking about? So you could do that over, um, Thunderbolt or USB. The other one is to use a forensic operating system, boot into it, and the third one is to do logical.
02:14
So we've been focusing on logical recently, but also getting physical with APFS.
02:21
Um, the challenge that we need to resolve is, um, the decryption, being able to work with Apple's encryption scheme too,
02:35
because the device that we are acquiring does the decryption for us, and then we're storing decrypted copies of the physical blocks that we copy.
02:47
So, I,
02:49
um, there's real work involved in doing that, and that's, ah, something that is a
02:55
ah, really neat technical challenge to be working on. Um
03:00
BitLocker. Um, we are wanting to support that. And I think given our recent experience,
03:10
um, working with full disk encryption and with, uh,
03:15
APFS is sort of a version of that, that's something that, well, firstly, we want the Evimetry system to be a lot better at flagging to the user from a UX perspective that there's BitLocker in play. It's always a nice feature. Yeah. So,
03:36
um, usability is a huge, huge focus for us at the moment.
03:39
Um, so, firstly, detecting BitLocker, so people know to do something about it, I think is a first step. Um,
03:47
supporting BitLocker, um, from, ah,
03:53
And obviously we can,
03:54
from a
03:57
complete acquisition perspective, BitLocker is not an issue for us. We can just
04:00
take an acquisition regardless.
04:03
Um, it's just the problem is that to do a non-linear acquisition of a BitLocker encrypted drive,
04:11
uh, we need to do that at the volume level, at the decrypted volume level. It would be a nice feature to have, um, the ability for us to natively read BitLocker. So,
04:26
for example,
04:27
um, reading and decrypting on the fly a BitLocker volume is slower than doing a physical acquisition of the encrypted image, sure, and actually makes larger images as well,
04:42
um, the way that SSDs and full disk encryption work these days,
04:46
all of the trimmed area of the drive ends up being trimmed in the physical image. But if you do the logical image, all the trimmed areas actually turn into
04:56
high entropy data and it's uncompressible.
05:00
So if you're imaging logically, that can slow you down. So
05:04
I'm getting into the weeds here. But, um, it would be really nice to be able to notify the user that BitLocker is in play,
05:13
have them provide a recovery key or a key,
05:16
verify that that key works, store that key in the physical image, but then to take a physical image of the physical
05:27
part of it, but then have that key material there so that when you get back to the office, it could be decrypted on the fly by the file system bridge or a forensic tool. That's nice. As I've indicated, that was kind of how we were imagining, so we've done different bits of work using Libby tea and stuff like that and, you know,
05:46
mounting it from
05:47
from Evimetry and things like this and, you know, there's
05:51
there's some workaround and a skeleton on there to make all that happen. But that was one of our thoughts early on too, was if you could incorporate the virtualization using the Libby T
06:03
right there so you could actually provide the key, or, you know, at that point,
06:08
how cool would that be?
06:11
Yeah. Well, I mean that could actually be, ah, a shorter term solution for, uh, for convenience. We could, uh,
06:19
painful, you know, because you could always, you know,
06:23
do something else from there. But, you know, it's mostly about easy accessibility to that data, right? Yeah. You know, that was one of those thoughts, you know?
06:31
Yeah, it's just us not knowing anything in house. We're just sitting around going, oh, you know what you should do, you know? So tell me, uh, you're saying you're seeing a bit of BitLocker out there in the field? We see it in the enterprise environments just
06:50
all over the place. It's everywhere,
06:53
Um, and so it's our biggest concern all the time.
06:57
How much of that BitLocker are you seeing where it's using the TPM of the computer?
07:04
That we're not running into as much. I don't know if that's because, you know, maybe in your big corporate purchases of computers and things like this, I mean, there's still a lot of, you know,
07:15
mediocre grade, you know, hardware out there, right? You know, they're not exactly buying high end material and stuff like that for big enterprise networks. So we don't run into it nearly as much as you would expect sometimes,
07:30
um,
07:30
you know, whereas on the Macs, it's just kind of their
07:33
forced upgrade stack. You know, eventually we'll have everybody there.
07:40
Um,
07:41
so, yeah, I mean, that's really where we're at with it is,
07:46
you know, it's starting to become very ubiquitous, especially in those
07:49
those enterprise networks where they have regulated data of some sort,
07:55
right, because it's a super easy solution. They just go, because it's a compliance checklist thing, right?
08:01
You know, is your data encrypted at rest? Click. We turned on BitLocker. Yes, it is.
08:07
Yeah.
08:07
Um, you know, and sometimes that means managed. And oftentimes that means completely unmanaged. But, uh,
08:16
but, you know, it is out there, which is of course why I keep going, hey, Bradley, when's that gonna happen?
08:24
Just because we deal with it
08:26
almost daily.
08:28
Ah, and surprisingly, even in small office locations and stuff like that, too.
08:33
And, you know, Microsoft Surfaces being super popular now, you know, that comes already activated there. So we're seeing it a lot more commonly and a lot more widespread than we used to.
08:46
Maybe that's where we see it mostly, with the Surfaces. Yeah.
08:50
Um, by the way, Evimetry has fantastic acquisitions of your Microsoft Surface
08:58
last.
09:03
So yeah.
09:05
All right. Cool. Uh, anything else you wanna talk about there that we might have missed, that you're passionate about?
09:13
Um, I think we pretty much covered it.
09:16
Awesome.
09:16
Thank you.
09:18
No, it was great having you. Um, so in summary, because we have a summary slide.
09:24
Uh, let's see. We talked about, you know, the AFF4 format, how that came about, um, we're, uh
09:33
you know, what the genesis of that was. And then we talked to Dr. Schatz about all his various plans for the product and continuing, which we love.
09:43
And, ah, as always, if you're still out there doing forensics the old fashioned way, you know,
09:50
start watching our courses and come run with us.

Evimetry: Interview with Dr. Bradley Schatz

In this free course we talk to the co-author of AFF4 and creator of Evimetry, Dr. Bradley Schatz. We’ll hear from Dr. Schatz on his involvement in working on both while learning what’s next for Evimetry and Dr. Schatz’s favorite Evimetry feature.

Instructed By

Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor