Time
58 minutes
Difficulty
Beginner
CEU/CPE
1

Video Transcription

00:00
All right, Let me, uh, hit on the question for here, but
00:05
ah, the crystal ball question. What's the What's the future of Evan entry?
00:10
So, yes. So we've been working on some some fun things lately. The main focus that we've had has bean on supporting logical acquisition. Uh, so,
00:24
um, I gave a presentation at death out of us conferencing Portland's in July
00:33
on the work that we've been doing on forensic jail breaking off iPhones. Eso
00:40
to sort of to cut it short, I think we're entering a world now where devices are increasingly locked down. And,
00:48
um, if you, you know, you look at the most recent Mac books. Um, I think it's since high Sierra, we've had access to the primary physical disc locked down from from you from
01:00
use the space even if you've got room.
01:03
Um, so you know, we're going to a world where we're not gonna have physical everywhere A ll the time anymore. So what? We've been living with that for iPhones down for a while. Yeah. Yeah, exactly. That kind of the
01:19
We've kind of been ignoring that over in the disc. Forensic kind of world. Have it. There's a lot of people that just do either or and gather view, boys.
01:30
So, um,
01:33
so the talk I gave it the a part of us was showing some of the work we've been doing on using,
01:40
um, open source jailbreaks to, uh, get higher level access inside an iPhone and be able to do full ball system. Logical images.
01:49
So basically, we've we've because ever met Tree is focused on both dead disc and live forensics. We already have a live agent that runs on Mac clinics and windows and does volatile memory and does physical disc.
02:04
Um, so that particular application's been out testing ground for implementing logical acquisitions.
02:10
Ah, and ah,
02:14
um, that's ah, uh, something That's, um
02:17
we've got a few users already out there using the theological
02:23
format changes to a fit for
02:27
um, the main thing that we're working on at the moment is not so much the theological imaging stuff which we've already done. It's the although the system level stuff, so that we can actually point a ah, regular forensic tool at Indian progress. Logical AC was issued and actually start doing some analysis.
02:46
So
02:46
taking the stuff that we really do with physical that enables live analysis, what during acquisition and making that work for the logical sense.
02:54
Um, do you handle a lot of iPhones in your civil practice?
03:00
Uh, yeah. We get quite a few of those, Um, and it's bean kind of. Ah,
03:07
I I'm sure you see as well. Yes. It's a common problem of the last
03:15
a few years,
03:15
we've been taking a lot of iPhones and putting them in our evidence locker for six months or so on waiting for a jailbreak to come out and then using whichever jailbreak is applicable.
03:29
And that's been giving us a reasonable access to, um the
03:35
a little of that other evidence that you wouldn't get out of a regular backup Beiste acquisition. And it's been really great evidence that in there that you just Oh, yeah,
03:43
I don't know. Look at and system logs and everything else is, you know, all tucked away in there.
03:49
Yeah. Yeah. And like just ah, excesses of traces of access and the like. So this bit of work I was doing was really looking at. Well, how can we safely jailbreak phones? Um, that's That's always a concern, right? That's it.
04:09
just gonna wreck this thing
04:11
exactly. Because, you know, with just downloading a jailbreak, you don't know
04:15
the technique the jailbreak uses. You don't know the origin of the code. You don't know what else could be doing.
04:20
Um, what else could be downloading?
04:23
Uh, etcetera. Say, um
04:27
the interesting part about doing forensic jailbreaking is that
04:32
you actually need Thio do a whole lot less work. Really, all you need to do is to get yourself, um,
04:40
privileged access to the false system.
04:44
Whereas if you're if you're a jailbreak, you also need to be able to re mount the false system Installed package managers in stall two weeks Is a whole lot of other heavyweight changes that a regular jailbreak makes telephone that really,
04:59
from a forensic perspective, we really want to avoid
05:00
so, um, having exploitation approach that is just very minimal. Task specific and limited. Thio. Just getting the access that we need is,
05:15
I think, the important thing to do moving forward with with my ball forensics and and as well, I think, possibly even live computer forensics.
05:27
Sure.
05:28
Yeah,
05:29
she said,
05:30
it's about to ask you the whole great key question, but I think we'll table that one.
05:34
Just not get into that.
05:35
Yes. So I think I think sort of keeping going on where I was going, the way we haven't. Um uh we haven't done anything publicly with that bit of the prototype that we built.
05:47
Um, the primary reason for that has bean, um, the release of the new boot Rahm Exploit. Um, yeah. Yeah, that, uh,
05:58
is appears, Thio,
06:02
open up a lot more opportunities for lower level acquisition, so way kind of not seeing the need for,
06:11
um when it was kind of just what you described. They're just sort of gave you access only. Didn't really do anything beyond that.
06:19
Yeah, yeah,
06:21
um, so yellow. It can't constantly she think Sands, what else we're working on. Um,
06:30
so really, we, uh, trying thio grow out even further? Kind of that the system forensic story that we've been focusing on so obviously ever met Tree grew
06:44
out of the desire to do real work and speed up acquisitions of large numbers of computers at the same time.
06:49
So, you know, at that point, large numbers of computers was sort of in the the multiple tens.
06:57
Um, but the future that we looking at really well looking to address the problem of
07:04
forensics of thousands of you visit a time. So it's a large enterprise. Forensics.
07:11
Yeah, exactly. Yeah. We definitely run into that here,
07:15
um,
07:15
you know, and and also, you know, remote over distance, right? Like, really two separate enterprises, right? Our European and our Latin American operations and, you know, and and and and
07:29
Yeah. Yeah. And so the challenge is there. Ah, ah, uh uh.
07:35
Many and varied. But, um, the the work that we've done around being able to,
07:42
um,
07:44
shift evidence storage devices as close as possible to,
07:48
um, the suspect machines, I think is something that particularly works particularly well when you're dealing with forensics in the cloud or absolutely, club location. Whatever. Yeah,
08:03
So
08:05
the what we're working on at the moment is really taking all of those those
08:11
building blocks that we've already got in place and making them easier to arrange on the board. And, uh
08:18
um, um scale up
08:20
nice.
08:22
All right?
08:24
I would add anything else that is there in a f F five coming.
08:26
I don't know about a secret air 55 There is no way for five. At the moment, I think I think we'll concentrate on getting the A fitful, logical stuff. Some consensus around that. We've just
08:41
implemented encrypted
08:46
support for as before.
08:48
So if you're wanting Thio
08:50
Ah, a choir,
08:54
an image that's encrypted,
08:56
um, sometimes do it.
09:00
Oh, no. I realize some people have a requirement to do it. Things like that. Just, uh, you've probably run into this in your civil practice, the very least, or maybe in the criminal side. You know, uh, it gets encrypted out there by somebody, and they failed to do proper documentation because
09:18
we never do our documentation the right way on. And then, uh, you know, and then four years later, down the road, when it's, you know, right before that thing's headed into a courtroom or depositions or something.
09:30
Oh, wow. Who's got the password for this? Nobody knows. Nobody's got the key anymore. What? Whatever it was, you know, and,
09:39
you know, horrible conference, you know, situations created because of that.
09:46
Some boys,
09:46
I think. Excuse me. I think the, uh
09:52
I'm not convinced that, um ah,
09:56
the I suspect that speed is gonna be a problem if using encryption, you're not going to get the feeling out of the field as quick as you otherwise would have ever met. Cherie,
10:07
Um, that Yankee management is is the central problem. Right? Right.
10:13
So what? What we've done with the implementation is two very closely follow the full disk encryption approach off.
10:22
Um Ah. Well, sort of the encryption approach of I ps face. Um,
10:28
we are allowing people to encrypt the images using a password, but at the same time, you can actually have a ah, public key certificate that you could use a cz well, and have
10:41
that as another option for unlocking it. So
10:45
that's a great idea.
10:48
But, you know, obviously you don't least problem, Kate again, Back to the same problem.
10:52
Uh, have you ever had any of those problems on, like, a significantly long case where you know, we had one that ran eight years
11:00
and which is not normal, but big enough litigation? It's not uncommon.
11:05
And, uh, you know, you get that
11:09
call from some panic stricken attorney was like, Oh, my God. Oh, my God. We can't find the password anywhere. Do you guys still have it?
11:16
Well, of course we do, but you know, But they said switched in illegal teams two or three times, right?
11:22
Everything that was documented. This is long gone.
11:28
Yeah, And you know, from from from your perspective, you want to be really careful about how you manage that key came material, and that's that's an additional burden to protect it and, well, vice to protect it. And don't lose it.
11:41
Thio two big risks from a re Spanish perspective to your phone. Uh, we see it a lot in enterprise backup environments
11:52
where they've, you know, mandated, you know, encrypted backups,
11:56
and then their key management just is not solid. So some awful thing happens, right? And, you know, ransomware, whatever it might be,
12:03
And it ends up encrypting the keys because they're just laying on some system somewhere.
12:09
And, uh, you know now are backups are unavailable to
12:13
Yeah, that's Ah, that's a bad day right there.
12:16
All right. It's a lot about its

Up Next

Evimetry: Interview with Dr. Bradley Schatz

In this free course we talk to the co-author of AFF4 and creator of Evimetry, Dr. Bradley Schatz. We’ll hear from Dr. Schatz on his involvement in working on both while learning what’s next for Evimetry and Dr. Schatz’s favorite Evimetry feature.

Instructed By

Instructor Profile Image
Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor