Time
58 minutes
Difficulty
Beginner
CEU/CPE
1

Video Transcription

00:00
Alright, here we go. Question number three.
00:03
Ah. So what are the challenges that you've run into trying to get Evimetry up going, becoming a real viable
00:12
solution out there?
00:14
Um, look, I think I think probably the, uh
00:19
well, that this kind of really great them in the challenges into three places. There's
00:23
this kind of the ecosystem level changes. There's the technical ones,
00:30
um, and then there's kind of the the practice kind of one. So
00:35
obviously there's a lot of technical challenges we had to overcome to take AFF4 as a format. And then, um,
00:46
apply that in a way that actually gave us the performance that we get and the abilities that we get in Evimetry.
00:54
Um, and you know, if you're interested in those technical things, then the slide *** that you're pointing the listeners to the viewers to earlier on, I think is a really good deep dive in
01:06
in the process we went through in united. It's like where there's bottlenecks are and how we sell little that I love that PDF. I'm constantly whipping that out when people are like, No, that can't possibly be true. And I'm like, Oh, let's look at the test data.
01:21
Yeah, um uh, it's Ah. Um,
01:26
yes, it is the technical water testing to get to that point. And a lot of people have had over time expressed,
01:34
um,
01:36
dubiousness about the choices that we made and why we made them in terms of technically, but ultimately, the proof is in reporting, and you do the testing, and people get convinced.
01:49
So I think even when you and I first started talking, I mean,
01:53
we did extensive, like, run testing on it, like, over and over, and like, all these different use cases,
02:00
and it kept killing it every time. We're just, like, hold this the fastest thing we've ever seen.
02:05
And I was just off the charts.
02:07
Yeah, well, I mean I mean, you're, uh you're one of the I think probably that you know, the golden stories around, uh, around testing Evimetry, Um,
02:20
sort of the other end of the spectrum. There's there's people that that my delegate it to a junior, who's very inexperienced and doesn't really understand computer architecture.
02:30
And I've had many, far too many complaints from people who have tried Evimetry on
02:36
a USB flash drive and complained that it didn't didn't speed up. Um, and, uh, you know, ultimately attend all the USB flash drive doesn't have the I/O bandwidth for the double the size to make any meaningful difference.
02:54
Um, yeah, it's, I think, setting people's expectations with wherever Evimetry's going to uh,
03:01
improve people's workflow, I think, is a really important, but that's an important part of testing. I mean, so we we test on real drives not not test drives, Not not drives. You know, we literally took okay. We've already imaged this drive, but let's image this again because this is a real person's computer,
03:20
you know, and measure our test instances. And then I don't trust that drive because that's just one person's computer. Let's test five more real people's computers and compare our notes, and it was,
03:31
you know, is telling.
03:32
Look, and I think I think that the point that you're making there is it can't be emphasised enough. It is so common for people to, to
03:44
come up with an assumption about a test methodology, and there to be flaws in it. Um,
03:51
the generating test data sets in computer forensics is a widely acknowledged problem in the scientific literature.
03:58
Um, and in terms of where we've supported people doing, um, rollouts of Evimetry,
04:03
I think what one of the more interesting ones that we had, um recently was,
04:10
um, someone just decided to clone. You know, dd clone a small SSD drive onto a large two terabyte spinning disk and then try doing a a nonlinear acquisition.
04:28
Actually, sir, it was the reverse of that. Tried cloning a two terabyte spinning disk onto a 512 meg
04:34
plucked off gig SSD, so truncating off the file system at the end.
04:40
Um, and that actually in the testing all of out of our live acquisition during analysis absolutely failed, because that's not a testing thing that we've ever done. So wait, have the same problems as well. That was nice in that
04:56
it identified to us that there was some more robustness needed in error era anti best passing code
05:01
and to do things like deal with file systems that have been truncated or whatever and straight,
05:08
uh, who had, as many files it as it can.
05:11
So you're a testing is hot, so it's Super Han. No, it is. And I really don't like, and we take a lot of from what? We also doing our discovery side, you know, it's about testing. There are a lot of the test done on that side of town with these just
05:25
curated to death data sets where you're like, Well, of course, it was extremely faster because there was no real data to that data set, you know,
05:32
is this, you know? Oh, it's all text files. Data set. Of course. You know OCR amazingly fast. You know, where's the junkie files that should be in there?
05:43
Yeah. You know, where's the 500 faxes from that? You know, local car parts dealership, or was it for you?
05:50
So things like that, but, uh, all right, um, are you running into, like, just just old school?
05:58
You know, we refuse to change stuff. Like we've been using E01s here since before, you know, E01s were created, and we're gonna keep using it until I'm dead. You know,
06:08
we we we see a lot of that. Um and you know, that comes back to the challenge. I was I was alluding to earlier, which is kind of the ecosystem practice practice kind of challenge. So,
06:21
um, when we decided to do this, Um, really, um, one of one of my goals in this was to make the world a better place. Specifically, make the life of forensic practitioners. Job will make the last frame of practitioners easier.
06:41
And spend less time waiting and being inefficient. So,
06:45
um,
06:46
the challenge in in in changing the world like this, though, is that there's, ah, we're as forensic practitioners were very cautious bunch for good reason, very conservative.
07:00
Um, and what I've been busy convincing the world doing is a an ecosystem wide change. You can't just walk up even today to to EnCase and point it at an AFF4 directly and get it to work.
07:16
So,
07:17
um, we had a classic bootstrapping problem where we,
07:23
um,
07:24
wanted to get the world to use AFF4, but we knew that there would be a time period where AFF4 was only supported by well, starting with no tools. And at some point, more tools than none were actually at the point that now where
07:40
more forensic tools than not nature's. We've been talking about this here in the courses, you know, X-Ways supports it
07:46
through through your good work there. Um, you know, you get a BlackBag now supporting it with BlackLight. I heard rumors that that Magnet was gonna start supporting it.
07:59
I once I haven't. I've heard that I'm I'm waiting to run it through its paces.
08:07
Yeah, and then, you know, of course, Basis Technology supporting it in their products.
08:13
Um, which
08:16
that's ah, you know, good. But But also, they integrated that patch,
08:20
right?
08:22
Oh, so yet? Yeah. If you're using Sleuth Kit right now, you can You can use native AFF4 files.
08:28
Excellent. They did that. Oh, come on. Don't Don't tell me you didn't know that. No, I didn't know that. E Can I recommend course number six for you? Um I write the patch. It's just I was in a way that it be Yeah, I believe they did it this summer at some point.
08:48
Yeah, because I talked to Brian Carrier and I just recently and and he was like, Oh, yeah, we did that, you know, blah, blah. So cool.
08:58
No.
09:00
So I'm gonna clarify here. I didn't write the patch. We wrote the patch. I can't I can't unwind the work of my team. All right. How many people do you have on the team?
09:09
Um, at the moment, two.
09:11
nice. That's what I like to hear.
09:13
Keeping it tight. It's very tight.
09:16
Um,
09:18
but, you know, and so when you when you got that, though, I mean, you're talking,
09:22
you know what's what's left after that? I mean, you got
09:26
EnCase themselves. I don't know that
09:28
OpenText is gonna innovate
09:31
EnCase any more,
09:35
you know? So
09:35
So, what else is there out there that really needs to be incorporated into? Well, since Nuix were work with this very early on, Nuix is supporting, um, and the guys from GetData Forensic Explorer. Wait, What was that? The folks hid in Tele. I know. I mentioned it to them several times and they were looking at it.
09:56
Um, I've heard from them recently, and, uh, they seem to be interested in getting supporting so basically any any forensic tool vendors who have reached out to me to get supporting. I've,
10:11
um, helped them with pointing them at free source code that we've released to implement it. So many of the tools are actually using our code to do the implementation,
10:22
which is great. I mean,
10:24
yeah, yeah. And then, like the good thing is being is that there's been a lot more people jumping on board with AFF4 support recently with a BlackBag adopting the format.
10:37
Joe Joe Sylve has done some great work with the tea, too.
10:41
Support, um, in, uh, max. Um, and
10:48
that kind of adoption has driven a lot of the tool vendors to actually pay attention twice before and
10:54
and and start supporting it.
10:56
So, yes, I think going back to one of the the ecosystem wide change thing was was always going to be a challenge.
11:05
But there's been a lot of effort over the last
11:09
a few years on our part to make it easy to to get on board AFF4 and to promote it and make make people comfortable with it.
11:18
Um, as well as all of the research that's been put into it, there's there's, I think, think it's four or five scientifically peer-reviewed papers were published on it over the years, so it's on firm scientific foundations
11:33
um The only other thing I'd say is that out of rewinding to that Is that those initial times when we were bootstrapping was?
11:43
Um, we still have, and we've had for a long time an interoperability story for any of the tools that don't natively support it. Right? You got the bridge?
11:52
Yeah. Um, so that course seven was the bridge
11:58
if you didn't didn't catch how to use the bridge code, of course. Seven. So And you know, the surprising part of the bridge is that it actually speeds up tools like EnCase. So
12:09
So it's it's it's as much as. It's a pain to have to do a couple more mouse clicks to mount an AFF4 image as virtual raw.
12:20
It pays back really quickly processing speeds.
12:24
Yeah, we saw that early on with X-Ways.
12:28
Um, and Stephen was a big fan of Stefan. Sorry, Stephan, of complaining to you would you opened up traditional E01 images that you were using a completely inefficient
12:39
compression algorithm that that I because he feels the need to remind us. But that was one of those first place Is that early on in her adoption we saw again, we we ran real data, real cases,
12:52
and we're like that Just process, like, 30 40 50 minutes faster than it did last time.
12:58
Uh, help, You know,
13:01
that's that. You know, if you're doing this commercial, that's meaningful,
13:05
right? I mean, even even a 10 to 15 minute gain is meaningful if you're doing this commercially
13:09
over another. Yeah, it's important.

Evimetry: Interview with Dr. Bradley Schatz

In this free course we talk to the co-author of AFF4 and creator of Evimetry, Dr. Bradley Schatz. We’ll hear from Dr. Schatz on his involvement in working on both while learning what’s next for Evimetry and Dr. Schatz’s favorite Evimetry feature.

Instructed By

Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor