Inside FTK Imager Pro: Vendor-Neutral Forensics, Smarter AI, And Exterro’s Forensic Vision

The following transcript was generated by AI and may contain inaccuracies.

Si: Good morning, afternoon, or evening, wherever you are. Ladies and gentlemen, boys and girls, and the people who want to make up their own minds about where they sit on that spectrum, we would like to welcome you again to a lovely episode of the Forensic Focus Podcast. I say it’s lovely. It’s for you to make up your own minds. But today we are very privileged and very lucky to have with us Justin Tolman, who is coming from Exterro, formerly known as FTK, at least they were when I started, back in the day, and I had an FTK license at some point along the way.

And it’s been Exterro now for longer than I can remember. But we’re going to have a lovely conversation with Justin and find out where Exterro is taking some of their products and what sort of features we can look forward to coming up in the near future. But before we kick off with that, Justin, thank you firstly for joining us. That’s very kind. And we know you are probably sort of late afternoon in the US where you are based. But would you mind introducing yourself to us and letting us know a little bit about why and how come you’re still in the wonderful world of forensics that we love and call our home?

Justin: Yeah, sure. No, I appreciate the invite to be here today. Always happy to come talk forensics. Yeah, so I’m with Exterro, and Exterro bought Access Data, which is how I got into Exterro, and with that came all the FTK stuff. But my journey into forensics is interesting in that I probably would’ve ended up here on my original plan anyway, or at least in forensics, because I was in my undergrad program, at university, and was a computer information technology major, and then decided I don’t want to be an IT guy. No offense to any IT guys, but I got to a point where I’m like, this is fixing other people’s problems. Doesn’t sound like the future for me.

So I was going to go work for a police department. And then one of my professors said, hey, you’ve got this degree. You should go be a computer cop, go get this other degree called cyber forensics and combine the two. And that’s what I did. So I went to Purdue University, got a cyber forensics degree, and then went to work for the Ohio Bureau of Criminal Investigation. And fell in love with it because of the change.

It’s every case, even if it’s the same type, it is always different because you’re dealing with people and their output stored on digital devices. So it was just, it was awesome. And then I got recruited by Access Data to train for them years ago, 10 years ago this last September, and have been moving through different roles ever since then.

Si: So you went in as a trainer with Access Data from your role in the police department?

Justin: That’s right.

Si: What was it specifically you were teaching? Was it a sort of a general course or was it a bit more niche than that?

Justin: Well, funnily enough, I don’t know how far back the collective memory goes, but Access Data had a product called Mobile Phone Examiner.

Si: It goes back that far for some of us. Yeah. Desi wasn’t even born back then.

Desi: The first thing I remember is using FTK Imager in the military.

Justin: I was brought on to teach Mobile Phone Examiner, and while I was there, I learned to train all of the software and different things. And so yeah, I was brought over to do that and then have moved on to leading the training department for a while, and then now I do this, which is talk all day for a living.

Si: Are you still involved in any sort of hands-on forensics or does Exterro have a consultant? Well, Exterro does have a consultancy wing. I know that. So but do you get involved in that at all now?

Justin: Not with Exterro. I dabble. I’ll do a couple contracting gigs here and there to stay fresh or whatever, but other than that, not consistent investigations anymore, unfortunately. I miss that. I jumped out of BCI law enforcement because unfortunately at the time, love of the game didn’t pay the bills. And Access Data offered me more money, and I had two little kids and it was a matter of doing what was best for the family and everything. But to this day, 10 years later, I still miss doing investigations.

It’s just, I love my job, but that was so much better. And yeah. So if the opportunity ever opens up to get back into it, don’t tell Exterro, but I would come back to investigations. It’s just, there’s, I don’t know, as forensic guys there’s nothing like it. It’s a good time.

Si: Yeah. Yeah, I had similar experience where I, you know, I started off as an IT guy, a Unix geek and then worked my way into security. And then there was a certain point where I sat around writing documents all day. And at that point I was like, no, I’ve got to go and do something else. This is killing me. And then got into forensics so that people would let me touch computers again. Because when you’re too far removed, you become the security risk. And it gets a bit tricky.

Desi: Yeah.

Si: So I’m going to let Desi take the next question. Because he’s the expert on FTK Imager here.

Desi: It was my first foray into forensics. Still very fond memories of it, and it was something that I always went back to. But the launch of FTK Imager Pro, why is there the shift to pro now and what’s the aim to help the market?

Justin: Yeah, that’s a good question. So as a quick background, although pretty much everyone who has dabbled in forensics on any level has probably touched Imager, it was originally this lightweight, free tool that’s always been around to duplicate drives. Right?

And for many years, actually, people have been wanting us to add more and more features. The list of feature requests for Imager is long, and they have been coming in for years. But the mentality is we’re a business unfortunately – fortunately, but unfortunately – and so a lot of those features that people have requested have gone into the proper FTK suite, because, it’s like, hey, we’re going to spend all this time and development and all this sort of stuff and put it into a free platform.

Well, as time went on, we determined that there’s a good low cost option for a bunch of these features, and so Imager provided the platform to deploy some of these features at a lower cost. Because you might say, well, for example, we added BitLocker and a couple other encryption type decryption abilities in Imager Pro.

Well, are you going to make me buy this huge forensic suite if that’s all I need? And so we say, let’s take that code, we’ll add it to Imager and provide a paid option. We’re not getting rid of the free imager, but it’s now a paid option. I got a stack of hard drives. They’ve got BitLocker on ’em. I need to image these off decrypted. That’s all I need. Well, we got a solution for that now in Imager Pro. So. That’s my background.

Si: So how, how does the Imager Pro work? I mean, I can still go and download the imager part of that, and then what, I license individual subsets of it – for BitLocker or for something else – and I sort of put license keys in, or what does the actual methodology look like here?

Justin: Yep. So the Imager Pro and Free Imager are the same download. It’s like any freeware software that has a premium portion to it. So if you downloaded Imager today, it would work; Imager has always worked. You can create disc images. What you would see is grayed out features if you hadn’t purchased the license and put that into Imager Pro. And we are updating our licensing process to make the whole system easier.

We still use Code Meter on our FTK stuff, and right now Imager Pro still uses Code Meter to do those authentications, but we are updating that here in the coming months to make it a lot easier and smoother. But yes, Imager still works as Imager, and if all of a sudden it was, oh, yep, I need this decryption capability, I go to the Exterro online store, purchase the license. They send you the license, you put it in, you’re good.

Desi: So, yeah, it’s good to hear that the free version’s still sticking around. Because that was such a huge part of my learning curve in getting into digital forensics. I never did digital forensics as a job. I mainly did incident response, but it was still a tool that I used all the time. And I learned a lot from it. What other features are going to be in the pro version, though, other than the BitLocker? And is it that one purchase gets you Pro, gets you all those features, or can you pick and choose if you had different use cases?

Justin: So yeah, let’s walk through that. So I do want to say, yeah, that the free version is sticking around. There are people within the company that have been longtime practitioners as well, and big fans of the FTK in this case Imager platform. And we fought hard over a long period of time to make sure the free imager didn’t go away.

Desi: Yeah.

Justin: And we won that battle, and so they offered the pro version to add these features. So we get the best of both worlds. So right now we have decryption both with imaging and with triaging, and you do need the password or the key. Now, looking into basic brute forcing stuff is stuff that they’re dabbling with and deciding, when working with the market, if that’s something that is needed.

Desi: Hmm.

Justin: We also added iOS logical and advanced logical collection.

So you can plug in iOS devices. Android is on the roadmap as well for coming soon. And we’re looking at a couple other things in the near future to add to it. And as it stands now, the price is holistic. So any features that we add, if you had a Pro license, you would get any future drops that we put in. Yeah.

Si: And for reference, that price currently is 499 US dollars and 390 British pounds. And I’m sorry I can’t do the translation to Australian, mate. But I do have to say, iOS imaging is already in there, and if you’re going to drop Android in there, that probably makes it one of the cheapest options for imaging phones that exist on the market, actually. Other than doing it through an ADB bridge or an iTunes backup or something like that. Yeah. It’s going to be probably the cheapest commercial software for doing a forensic acquisition of a phone. So that’s cool. And will probably encourage me to buy a license.

Justin: Well, and that kind of, that’s a good point. Because Imager has always been an entry level thing, right? It’s that start of your case; it’s not a big tool. It’s not some overly complicated thing. It’s, you need to get data, Imager will help you get the data, and then you can analyze it however, wherever you want.

Si: Yeah, I’m going to say it’s because of its free nature. It’s been one of the things that we’ve recommended to students. You start a forensics course, and one of the first things you teach somebody how to do is create a forensic image. And we do DD and raw acquisitions and all sorts of things, and then you go, right, and here’s the tool that everybody does use, and give them FTK Imager, and everybody’s happy.

So yeah, I’m very glad that you didn’t make a paid for version even at the base level. It’s a very good marketing idea.

Desi: Yeah.

Si: Because every student knows FTK Imager. So that knowledge is worth the investment. But I do like this pro idea, I have to say. Yeah. I think it’s a very good way of handling that.

Desi: I want to go off script a little bit. It wasn’t one of our questions, but does Exterro have any resources for training, for using FTK, or point people to a particular community that can help? Because this is still, as you said, an entry level tool for the community, for practitioners?

I think when I first learned FTK Imager, it was in a SANS course. So there was a whole section in SANS. And I think it was back when SANS sent you physical things to do. They’ve definitely gone away from that now, but I think they sent a hard drive with the case on it or something. We had to image it. So yeah. Is there anything that, even if you guys don’t have that, there’s a good community resource that you can point to for our listeners?

Justin: So we do have a course, it’s on demand, and I know it’s free for law enforcement. I wrote it and it uses Imager, but it’s about, I don’t know, I didn’t record it, but I’m going to say it’s designed to be a one-day course. So the recording might be six hours or something, and the idea is to not only teach the buttons of Imager, but to teach the core concepts of imaging. What does the terminology mean? What are you doing? Why is it important? So that if somebody was called onto the stand to defend their work, it’s not “I pushed button and button go.” It’s “I can explain a little bit of what’s going on.” So yeah, we do offer that on demand training for our Imager users.

Desi: Nice.

Si: So that’s obviously your entry level product. What’s happening in the world of the full blown forensic suite, the Exterro FTK actual investigation software, at the moment? Is there anything new and exciting coming on that? I had a license of this years and years and years ago. And I managed somehow to swindle a student license, which I understand you’ve never done and it’s absolutely impossible to get. I clearly wrote to the right person at the right time.

But right when I ceased being a student, unfortunately I lost my FTK license, but what’s happening with the newest version of FTK?

Justin: Yeah, so over the last few years the interface has been updated. We still have the interface that you’re probably familiar with, believe it or not; we call it the core interface. We’ve divided into two interfaces to serve two different communities that we saw growing: you still have those that want to deep dive, hex search, complicated filters that have 600 rules and stuff, where I to be.

But then what we found is a lot of forensics is becoming, for better or for worse, that’s a different podcast episode, review. I need to read these chats. I need to look at these pictures, I need to look at these videos, and then I’m getting out. And what we found is that the FTK interface was overly complicated for that workflow. Again, different podcast episode about whether this migration is a good thing or a bad thing.

But the new interface was designed for that. Okay, I need to review some images, serve it out. I need to review some chats, serve it out. And so we’ve been working hard on that in our simplified filtering, in our portable case support. But where Exterro is putting a lot of effort into FTK is scale, continuing our scalability. So FTK’s power, its differentiator in the market, is we can handle obscene amounts of data in our processing engine. And that’s continued to be a focus, to maintain that. And so, yeah, it’s been more of that. But the trick is you process a ton of data. Nobody wants to look at a ton of data. So then our interface features are how to make that data small, and that’s where that review interface comes in.

Desi: I remember we spoke to other vendors about reviewing data and software. Is FTK, the suite, run on dedicated servers, or does Exterro also offer the cloud option that some vendors are going towards?

Justin: Both. Yeah. But our bread and butter, I guess to use a cliche, is on-prem on dedicated hardware.

Desi: Yeah.

Justin: And the cloud is always going to be this new thing. I think it’ll always stay new for its own sake. Yeah. But it’s interesting how many people, I went to InfoSec World last week and it’s interesting how many people came up and said, oh, you have this solution, but does it run on-prem and is it air gapped? And we’re, yes. And they’re, okay, cool. Because we have a strict no cloud, or we have a, you know. Yeah. And so that’s not going away. There’s a large group of our customers and potential customers that want that offline. Yeah.

Desi: I find that interesting. Because last year, Si, I reckon we spoke to maybe three or four people that, and we were talking about cloud quite a lot, and they were offering both. But cloud seemed to be a big topic. Whereas this year, it seems like there’s less conversation around it, and now people are maybe coming to you being, hey, do you run on-prem? Because it might be becoming more normalized, but I’m not in the industry space for it, but yeah. Is that the trend?

Si: I’ll be honest with you. I think what the trend is, is that vendors, and I use this term pretty universally across all IT, and you’ve seen it in incident response, you’ll see it in security, you’ll see it all, is that there is the term du jour, there’s the thing that everybody wants to sell to, and for a few years it was cloud, and it was yes, you can have your SIEM in the cloud.

You can have your monitoring in the cloud, you can put your servers in the cloud. We can store all your data securely in the cloud. We can do processing for forensics in the cloud. All the vendors got there. So now the differentiator is we’ve got AI, we can do stuff with AI.

So we’ll come onto that in a second. But what we’ve seen over the last 12 months is vendors, forgive me for using the phrase, and I apologize in advance, but jumping on the bandwagon of how, no, I will rephrase in advance. Vendors, good vendors, bad vendors, jumping on the bandwagon, good vendors trying to figure out what benefits can be leveraged from the use of machine learning to aid in this process. So what we’re seeing, what everybody we talk to now is saying, is we are starting to integrate some AI into our products.

Desi: Yeah. And it’s that fine line of marketing to hype it up, but then not overselling what the actual benefits are. Because you see the bad vendor side, there’s so much, well, you saw with cloud, right? There’s so much snake oil all the time. And that’s security in general, I think. And yeah, anyway, I digress. I think it’s off my mind now. Because we were talking about cloud and I was, man, we talked about cloud so much last year.

Si: I think it’s interesting because I can see the advantages for something like forensics where you’re running a centralized database. You’ve got lots of people in different departments feeding into a centralized cloud storage, and you’re getting that on demand processing power. But in order to make it truly effective and secure, you’re talking about private cloud anyway. You’re talking about a data center.

Desi: Stuff that I was thinking about last year, though. The private clouds that they were setting up, which was cool.

Justin: I think some of the push in that space comes from the enterprise side of forensics, and especially if you mix in e-discovery, because what we found in law enforcement cloud is, one, there’s this hesitancy due to the content, right? But also, and this was an eyeopener when Exterro bought Access Data, and I don’t think I’m sharing anything crazy, is Exterro’s a SaaS company on the e-discovery side of the house. They didn’t have any on-prem solutions; Access Data, in the purchase, brought on-prem solutions to Exterro.

Desi: Yeah.

Justin: But what they found was when an ICAC unit, an Internet Crimes Against Children unit, seizes 60 terabytes from some dude’s house, they got to upload, allegedly, 60 terabytes to the cloud. Well guys, that’s not going to happen. By the time that uploaded, they could have been done or halfway, what I mean?

Si: Yeah. Yeah, exactly.

Justin: And then the cost of storing that much data, even if you were to put it into archive, sub-zero, Glacier storage. Yeah. It’s still there. And if you need to pull it down, that’s when it gets spiny and so on. The enterprise e-discovery side, they filter their data. You know, you may pull 60 terabytes, but you’re only going to upload one. Well, that’s much more manageable to them. And they bill the end user. Try billing the suspect for your cloud costs. Good luck. Work that off from prison or whatever.

Desi: Imagine if that was the sentencing, they’re, all right, you’re sentenced to five life sentences for this crime. And also you need to pay back 1.2 million in cloud costs while you’re in prison. That’d be awesome. Yeah. Good luck getting your 20 cents an hour paying that.

Justin: Yeah, exactly. And so I think there are benefits of cloud bridging that AI you guys mentioned, and we can get into it, is you do have access to scalable compute in the cloud to do graphic processing. So when I type in the word gun, it can search 60 terabytes of data, you know? Yeah. And bring back pictures and videos and content that talks about gun. Okay, fine. I got to get it there. And that’s the thing, and I won’t say who, but I’ve talked to cloud providers and even they’re struggling to address that law enforcement market holistically. There’s agencies here and there that are doing it, of course, but not, especially in the United States where we have lots of smaller departments.

Si: Yeah.

Justin: Getting the funds and equipment to upload data to the cloud is difficult.

Si: I think one of the issues with it at the moment, again, is to do with supply and demand; issues are always to do with supply and demand. But at the moment there’s a lot of sort of sexy, venture capitalist funded AI type startups kicking up who are buying up huge amounts of GPU compute resource and stockpiling that.

So I think the commoditization of it is being a bit of a problem at the moment for everybody who wants to buy in a slightly more general way than these people who have a lot of money to spend. So I can see, yeah, even without the additional problems of small funded police departments and things like that.

Desi: Yeah.

Si: So it’s definitely something that. But while we’re on the topic of AI, because it is something that is of interest to us at the moment. Because it is being introduced both by the criminals, who we’re starting to see using various tools and methodologies to leverage that, and other vendors. Where does Exterro stand on the use of AI? And is there anything integrated currently into the offering?

Justin: Yeah, so, how do I say, the stance on AI right now is to have it as an assistant, not as a solution. So for example, I mentioned being able to type in the word gun. It can take that text in a contrastive AI and return pictures, video and that sort of thing so that I can filter across modalities, right? But the output of the AI is not what I put in my report, right? It shows me a bunch of images and then I, as the person, determine what that is.

The other feature we recently added was the ability to summarize large documents, like we do all the time as consumers. Here’s this huge PDF, I’m going to put it in ChatGPT or whatever, and summarize this. We have that as well to give you a quick idea, but it’s not designed to be the thing that you put in your report. And if you do, that’s on you. It’s designed for: I have this 600 page PDF, what’s it about? Oh, I should take more time with it. Or maybe not.

And I do think those are the two main features right now. And I think that is, you said it’s a hot button topic and very polarizing. That’s my position, and where Exterro seems to be leaning, is AI, especially generative AI, should never be the output that goes into your report. Here’s a real life example that we had a little while ago. A client reached out to us and they asked, hey, I need to build a regular expression to return all US addresses on this drive.

I know the basics of regex, but US addresses is a tough regex because it’s an address and they’re all over. Mm. So I went into ChatGPT, and I said, I need a regular expression that returns US addresses, and it kicked it out. I put it into FTK, ran the search, and it was amazing.

Desi: Mm-hmm.

Justin: Now, generative AI generated the regex, but the output that I, and this client, would put in the report, that’s a search result that you would run anyway, and you’re going to validate that is a thing and go through. I think that’s a totally fair and beneficial use of generative AI in a forensic workflow, because while we learn over time how to write regex, sometimes a lot of us don’t have the time to become good enough to write a regex to return street addresses or this or that. And so that’s where I see AI.

Anytime we see cases where we used generative AI to enhance a video or something like that, nah, we’ve crossed a line. And fortunately at Exterro we’re not doing that, but I think there is a place where AI is going to be a huge force multiplier for forensic investigators.

Si: I’m going to ask a slightly cheeky question. I was in a meeting earlier today and somebody who was supposed to be minuting the meeting invited in an AI audio transcribing bot.

Justin: Mm-hmm.

Si: First of all, it was probably the worst transcribing I’ve ever seen in my life. But I can see that, again, is another interesting use case, is that going through a million pictures is one thing, going through a million audio files is something else. Is that a feature that you have at the moment, or is that something you’re looking at doing?

Justin: Yeah, so we do have an audio transcription process that then loads it into our index search system so that you can search audio via text. And so yeah, huge help, because the one thing I hated the most was ever turning on the audio for any video or audio when doing an exam. So, huge thing.

Funny enough, it’s been years now, but OpenAI put their Whisper system out as open source, and I put up a YouTube video and showed how to integrate Whisper with FTK a couple years ago, and now we’ve officially integrated it more recently. But yeah, huge benefit to be able to search cross modality there, use text search to do audio, video and picture. Yeah, huge.

And again, the cool thing about Whisper is it also does translation. So you can even tell it to bring it back into English. Now again, is that translation your final output? Hopefully not. You’re going to give it to a translator, but I know now which video I need to give to my translator instead of giving them all 600 and letting them sift through it.

Si: Yeah. Translation is a particularly tricky problem. There’s a lovely example, admittedly a fairly old one, but I think it gets the point across quite well: you can say in English, obviously, the spirit is willing, but the flesh is weak. And whatever translator they put it into in the day translated it into Russian and it came back with the vodka is good, but the meat’s gone off. So machine translation is a very interesting thing.

And I also heard somebody say the other day, an interesting side point, is that no matter how efficient a language is, when you translate from one language to another, you always end up with more syllables in the newly translated language than you started with in the one you’re going from. But it works both ways. So if you translate from English to Japanese, you end up with more syllables in Japanese than you start with in English. But if you go from Japanese back to English, you end up with more syllables in English than you started with in Japanese. It’s a weird way that languages are constructed.

Justin: I think that’s so important, because I think AI, new technology, always brings up problems with how it’s going to be used. That always happens. AI has been so accessible at so many different levels that I think that accelerated it. And again, the translation, as long as it’s not the final thing going into your report, I think it’s okay, because the vodka is strong, but the meat is bad. Okay, whatever. If I can now give that to my translator instead of, again, giving him 600 videos to translate, and he can translate now five that this Whisper translation isolated it down to, I’m going to use his translation in my report, but I used Whisper to filter my results. Yeah.

And I think that is so important, and I think it’s one of the things in the debate that everybody fights for, but it’s the middleman. It’s the filter, it’s the search benefit, it’s the pointing you in the right direction and then still having people that are experts make the decision.

Desi: I see it as the argument of always the push button forensics, right? People not understanding how the tool does it for them, spits it out the end. You still need an expert to assess whether what has come out of that tool is what it’s saying in the case. And the AI assistant’s the same thing. Because there’s so much, as I said, in my daily work it will generate all this stuff, we’ve got an investigation assistant on ours, but you still need to understand the core investigation to make sure that what it’s spitting out is accurate.

But to me, in this sense, I don’t see it any different from those push button forensics. It’s the next evolution in this industry for that. And it’ll go through that period of people needing to understand that, and then you’ll still have people who are professionals in the field that will take the output in one form or another from some tool and present it, and it’ll hallucinate or it’ll be wrong or it won’t match the actual forensics. Mm-hmm.

Si: I think one of the risks that we have, though, is that we need to be careful about the faith that people have in these solutions. Because if, for example, I type in a search. We talked about guns, so let’s stick with guns, because it’s a good example. I say image search for gun. And it comes back with a slightly blurry image of a guy who’s holding a black object and goes, this is a gun, and I’ve searched for gun. It’s returned gun. I look at that image and I go, oh yeah, that’s a gun.

You’ve biased the investigation through the provision of that, and that’s something that we need to be careful about: where we set our thresholds, possibly a higher standard for AI than lower. Because the question is, which one do we want more? Or which one do we want less? Do we want false positives or false negatives?

And it will depend upon what we’re searching for, is the honest answer to that, because I’d rather get all of the IIOC and filter out, with the opportunity to save people in the thing, versus every guy who’s holding a screwdriver in his hand is holding a knife. That’s the other side of the equation. So it’s six of one and half a dozen of the other. But the bias that is introduced at the stage before us, by training material, and then influences us, I think is probably a philosophical argument. And it’s a concern that needs to be addressed before AI can become truly mainstream as a thing in forensics.

Justin: You think about the level of criticism, not criticism. Well, we double check. So you have Project VIC in the United States, CAID in the UK, and I’m not sure how many countries past that, but the ability to identify CSAM using hash matches, and that’s hash matching, and still, I haven’t met an investigator that takes those hash matches and goes to trial without validating that they are CSAM.

Desi: Yeah.

Justin: And yeah, to your point, let’s apply that same level of rigidity to the AI, because you wouldn’t take these CSAM hits and ship ’em. You validate; same with AI, but you got to be extra careful due to that bias. That’s a good point. I’ve never thought about it at that level. We had a case here in Seattle where they had a shooting and they tried to use AI to enhance the video. And that was the thing – this blurred thing in this guy’s hand – they couldn’t tell whether it was a phone or a gun.

But they ran with it because, as you pointed out, that bias. I’m going in on a shooting. The AI built it into what it wasn’t, because most likely of the prompts they used, and you get something that wasn’t there. Fortunately it was thrown out, but it’s already started that bias and those mistakes.

Si: Yeah.

Desi: Yeah. Kind of. But there’s so many situations that, if you were going into a shooting and you had blurred body cam footage, the person who would be taking that in would be biased to be oh I was there, this happened. But then human memory is fallible, the image is fallible. I think the bias that we have with AI is no different from the bias of all technology that we’ve already experienced. The greatest risk is that we seem to have this higher level of confidence, and I hope the forensics community is super skeptical and is aware of our own biases.

Desi: But the general public, and even people that I’ve worked with, have this overconfidence in AI that the output is going to be more accurate than the work they could do themselves. So then they skip the validation, or they skip the amount of rigor that they apply to that validation. In the example of the gun in the images, they do get all these images, and then they quickly scan through them and say, ‘Yep, cool, cool. Gun, gun.’ And then one of them isn’t—it’s some blurry phone that was misidentified. But the point was sure, you may miss out on some, but you are getting the benefit of having it. You still need to do a rigorous review of that data. I think that’s the inherent top risk of AI.

Si: It’s an interesting one because nobody likes going to the topic of IIOC or CSAM. But I did a case where I was acting for the defense and reviewing what the prosecution had found. As we went through it, what we found was that a lot of the images, although they contained young ladies and various things happening to them, came from legitimate sites, and these people were of an age that made this all legal. There were little details—one of the ones that was flagged up, she was wearing a wedding ring and had tattoos.

Clearly you are into a different category here that is not that. But that was a human not wanting to look into detail because it’s unpleasant and you don’t want to be there. So you look at it superficially, say ‘that’s it,’ click the button, and move on. But if there’s only 10 or 15 images that have been categorized and seven of them are dubious and eight clearly aren’t, your case is falling apart. So this is something that is important to bottom out. But the inverse of this is that it’s a hugely unpleasant thing to do, and the more we can take it away from humans and save people from having to do it, the better. So it’s an absolute catch-22 on the whole concept.

Justin: And then you have the downside of training an AI on CSAM—they’re definitely going to rise up and kill us.

Si: Yeah.

Justin: I do think we’re still in the very early stages, especially in the forensic community, of how AI will help. But we don’t need to tell any agency what their real backlog is. And I think we may not quite have the solution yet—not from Exterro, but I think there will be some speed and some workflow-enhancing AI things that will have to be used. Because when we talk about backlog, that’s victim backlog, right? People that aren’t getting their stuff. And if we can provide something that’s going to help people maintain a high level of quality, that’s the most important thing. But also speed up the rate at which we can get to that finish line. I think it should be the goal of all forensic vendors.

Si: Yes. Yeah, couldn’t agree more.

Justin: To that point.

Si: Yeah. I’m dealing with cases from 2021 at the moment, and this is ridiculous. And on that note, we did have a couple of talking topics, and it segues nicely: How is it that we as vendors, how is it that we as consumers of tools, can collaborate well with the tools that we have? Is there time for a new forensic container format? Are we able to transfer information in a good way? Are we enabling our tools to talk to each other enough? You were saying a fantastic example of integrating Whisper with FTK, which implies that there’s a very good API in there that allows you to interface with it, which means that whatever you want, you can probably write a tool to talk to Oxygen or AMPED or whatever it is that you want to work with, assuming they have a similar API. But what’s your take on this?

Justin: Yeah, FTK has grown over the years. Our first entry into that more open aspect was the FTK Python Scripter. Autopsy had been doing this for years. But one of the differentiators, not with Autopsy but with other vendors—big box vendors—is we wanted to allow for scripting that didn’t require you to know our scripting language.

We started off with Python. If you knew Python, all you had to do was provide an input path and an output path and you’re good. Anybody could write anything to integrate into FTK at that level. Then we moved to our API, which is a RESTful API. So if you knew how to write Python or C++, you could write plugins to that on an enterprise level. I think APIs are super important. I do believe that there are a couple of open image formats, and I know I work for a vendor, but we’re not unique in this way—there’s this mentality of locking your collection into your ecosystem because it’ll drive sales.

Fortunately, FTK has tried to minimize that. We do have our AD1 format—I’m not going to gloss over that. We do have the AD1 format, which is pretty much only supported by us, but we also support AFF and all these SMART and E01s, of course, and all that sort of stuff. But I do believe we need to open things up and allow data to move between platforms. That’s hard for vendors whose focus is sales.

Si: Is AD1 an open standard? Is that something that we can look at?

Justin: AD1 is officially not an open standard. It’s AD1 because it was started by AccessData. But it technically locks you into our format. Fortunately, you can, through using FTK Imager, export any AD1 into some other format. So you’re not truly locked. It’s that if you create an AD1, it’s going to go into an Exterro product, but you can move your content out of an AD1 into some other container if necessary.

Si: I have used Imager to do that in the past. And it’s an interesting point about Imager. Although the interface is—I’m not going to say it’s bad—for a computer-literate person, the interface is fantastic. I have no issue with it at all. The issue I had was that I got a request from a barrister who said, ‘I would like to look at the contents of this AD1. Can you please tell me how I can do it?’

And trying to explain FTK Imager to him over the phone so that he could do that was a bit of a nightmare. But at the same time, he could download it for free and he could do it on his desktop. And it was something that he was eventually capable of doing, which is a cool feature, I have to say.

Justin: I think that would be a good feature. My thought when you said that is the ability to display data a little easier. Because here’s a funny example: Imager was never built to be an analysis platform, right? It’s in its name. But when it was first released, think about the cameras on our phones and the cameras that we carried around—the megapixel sizes would easily fit in that little box. And so Imager’s default setting is to show pictures at actual size. Not a problem until our phones now take 8K, high-megapixel images.

And so now when you load an image, on my screen you would see that little white dot up in the top corner and you’d have to zoom around. So I think there’s an opportunity there to increase the ability to review data in Imager Pro without sacrificing other stuff. But yeah, the interface of Imager hasn’t changed in—when was it released? Twenty years ago?

Si: Yeah, thinking back to my timeline with it, yeah, about that.

Justin: Yeah.

Si: And I think that’s oddly, for those of us that have a sort of familiarity with Windows and its iterations over the years, it is that familiar sort of—not quite Windows 3.1, but Windows XP certainly—format of tools. So that familiarity is a comfort to some of us. I totally get that.

Desi: Yeah.

Justin: No, it hasn’t changed much, that’s for sure.

Desi: Going back to the AD1 that you guys were talking about, this is an interesting question for me: Is there, from a vendor’s perspective, a reason other than to lock into the ecosystem for those formats to exist? Do the tools work better with AD1s than they would if there was an open standard?

Justin: So in a way—and I can’t speak for all specific ones—but one of the things that AD1 did was allow you… AD1 is technically a logical image format, not a bit-for-bit full physical image. So what people might think when you say that is, ‘Oh, I can’t get deleted data.’ But the cool thing about AD1 is that in the creation of it, it will abstract unallocated space and treat it as a file and put that into your AD1, so you can still get the unallocated and deleted space in an AD1 image.

Desi: Yeah.

Justin: So that adds a little thing here. So why do companies do it outside of little niche features? Yeah, probably a sales thing.

Desi: I guess it makes sense. At the time it’s being developed, they’re like, ‘Hey, we don’t want everything.’ Well, in AccessData’s case, ‘We don’t want everything. Here’s all the stuff that we want for our tool,’ and then it got built. And now today, ten years later, you’ve got all these other tools doing the same thing, but it was where it started at the time. That makes sense.

Si: Some of it’s to do with the self-verification as well, because if you’re using DD to create this image, you end up with a file and then you have to hash it. Whereas if you’re using Imager, it hashes into the AD1. So when you load it, it automatically pulls that hash and it will verify the image for you without those additional steps for you to have to carry out.

And there’s some other metadata in there about the acquisition time, the size of the bytes that were read, and all of the other good stuff that you are otherwise making huge amounts of notes on paper that you’ve lost six days later, or typed up into your notes. But yeah, it does consolidate all of that data.

And again, there’s AFF, which was the Advanced Forensic Format, which was an open-source attempt to do the same sort of thing. But the only two that—well, the three I see—I see raw, so the DD images, I see E01s, and I see AD1s. So those are the three formats that turn up on my desk for disks. For mobile phones, all bets are off.

Desi: Yeah.

Justin: A lot of it’s trust in the process, because at least my experience is a lot of forensic knowledge is passed down through the investigators, right? You get somebody new, they’re going to stick them with you. You’re going to be like, ‘I prefer E01,’ so that guy’s like, ‘All right, we’ll use E01.’ And they’re like, ‘Hey, we have this new AFF format,’ and they’re like, ‘All right, is E01 still cool?’

And they’re like, ‘Yeah, that’s still cool.’ ‘I’ll stick with that one.’ And so I do think that’s a lot of why things failed to gain traction in the forensic world. Myself included, my initial training was sitting with a detective for a year at Lafayette, Indiana Police Department. He was like, ‘This is what I do, this is what I use,’ and you’re like, ‘All right, E01. That’s our life now.’ And you go with it.

Si: Yeah.

Justin: So I think momentum is a wonderful thing.

Si: Momentum is a wonderful thing.

Justin: Yeah. Because there are some image formats we used on some special cases at BCI. Andy Rosen built—I think he calls it SMART. It’s not the SMART, but it’s a high-compression format image. Super, super high compression. But you’re like, ‘How do we get ahold of that?’ And it’s niche and he owns it and different stuff. So it’s hard to get those types of things rolling. You said momentum—going for something new when it’s like, ‘What am I solving?’

Si: Yeah. Compression is probably the one thing that is genuinely useful about using any of these formats, because everything else you could do anyway. And the other one is splitting it into segments, which is again a useful one.

Justin: That’ll be the next successful image format—whoever builds it. And this is with any product, but I feel a lot of the entries into the imaging world haven’t done it. You’ve got to provide maximum benefit over whatever else is out here. Maybe the compression is out of this world, the segmenting is cool, it processes insanely fast. I don’t know, whatever that is, it’s got to provide enough to get busy forensic practitioners to change their workflow.

Si: Well, I was going to say it needs to do all of those things and then it needs to do it at the price point that FTK Imager does it at, which is free. So you don’t stand a chance. You might as well give up now.

Justin: Exactly. That’s the trick, right?

Si: Yeah. Absolutely.

Desi: Mm-hmm.

Si: So Desi, we’re coming to the top of the hour. Anything you’d like to add?

Desi: Yes, there is. You carry on then.

Si: As you are waking up and I’m going to sleep.

Desi: Yeah, exactly. This is how we roll. I think we had one last point to cover, in particular about our Forensic Focus podcast. And then you were also on a podcast as well, Justin.

Justin: Yeah. So Exterro—I have two; one’s on hiatus right now, but the one that we are currently doing is Data Exposure, and it is focused primarily on enterprise forensics, so corporate forensics, corporate investigations. And we focus on how managing your data can help reduce risk. And we’re talking to experts around the field about what they do, what they see, issues, how to mitigate problems before they become expensive in the corporate world. And one of the biggest things that we see is retention. So we call them—at least I call them—archivers, when you’d hit someone’s home and they’ve saved literally everything from the birth of the digital age.

That’s good for us as investigators, but it’s not good for organizations that hold onto things that they shouldn’t be retaining. As we saw with the TalkTalk hack, they had pictures of women’s driver’s licenses and home addresses and all sorts of stuff that they shouldn’t have still been retaining but had forgotten about. And that was leaked out on the internet. Bad data governance caused a bigger issue for them than it otherwise needed to be.

And so we talk about that, investigation practices, what to do once something happens, how to go a bit quicker and optimize between departments and stuff. So it’s been cool talking to people on that side of the house.

Desi: Yeah, that sounds cool. So where can people—and we’ll provide the link—but can people grab that podcast from any place they grab their podcast from? And is it on your website as well?

Justin: Yep. On the website, we post to Spotify, Apple Podcasts, and YouTube Music Podcasts, Google Podcasts, whatever they call it now. And the funny thing is I’m a YouTube Music subscriber. I’ve been YouTube Music since it was Google Music. But I don’t know—they switch things. It’s a Google thing: things come in and things go out and they change the name. So it’s whatever, but we’re there as well.

Desi: Yeah.

Si: Google has such a good reputation for that, don’t they? You get used to using something, then they either kill it or change the name. It’s brilliant. The only thing that’s stuck around is Gmail.

Desi: Yeah.

Justin: Exactly.

Desi: And how often are those episodes coming out?

Justin: Every other week. And we have three hosts, so not that people are tuning in for me, but I only post every six weeks.

Desi: Cool.

Justin: But yeah, so we have a new episode every other week.

Desi: Nice.

Si: Oh, awesome. That’s pretty cool. That’s a great frequency, something we aspire to.

Justin: It’s always a trick. So my other podcast for Exterro is FTK Over the Air, which, despite its name, was a tool-agnostic, forensic-based podcast, which I said is on hiatus right now. But it’s hard to maintain that cadence while still doing your day job and your guests are doing their day job. So yeah, it’s a trick for sure.

Si: Yeah. And then you add in three different time zones and it becomes fun.

Desi: Oh man.

Justin: The sun never sets on Forensic Focus podcasts. That’s your new thing.

Desi: The last question that I do have, Justin, is because I recently saw you before we did our spot at the conference that we were recently at—you do a talk on forensics and local AI generation, which was super fascinating. And I missed the first 10 minutes, which I’ve got to go back and watch. But do you have anything coming up as well in terms of community stuff?

Justin: So I did that presentation what, last week actually, and then a little bit ago. So the next—my speaking engagements, as far as I know, are wrapping up for the year. We’re pretty late in the year. The next big thing that we have that’s community-driven will be what we call Exterro Inform. And it’s 15 hours back-to-back of podcasts. We start at 11:00 PM Pacific Time, which is something Dubai time, and then we go back-to-back and march across the globe.

Desi: Yeah.

Justin: And one of my marketing team wants to do two more episodes to catch Australia this year, because 3:00 PM Pacific Time, I guess, is 9:00 AM somewhere in Australia anyway. But that’ll be January 28th. But again, it’s not Exterro speakers, it’s not a plug for Exterro software. It’s just we grab 15 to 20 speakers from around the world that talk on forensics all day and it runs back-to-back. You tune in like a TV station and it runs.

Desi: Oh, that sounds like fun.

Si: Such fun.

Desi: Yeah. That’s the Lord of the Rings Director’s Cut trilogy, but for forensics. That’s how we market to forensics nerds—back-to-back. You get up. We’re doing this 15 hours straight, plus the two more to get Australia as well, right?

Justin: Yep.

Desi: Yeah, that sounds epic. So if there’s anything—we’ll chuck that in the show notes, any information on it. But yeah, that sounds cool too.

Justin: Yeah.

Si: And I would love to attend at least some of that 15 hours straight.

Justin: We put it all up on demand as well. Obviously we don’t expect everybody to hang out, but as it passes through your time zone, you can turn it on, have it going, listen to it. We had a lot of great topics ranging from specific artifact stuff to policy stuff to how to solve certain problems with multiple solutions. It was a good run last year, and so we’re doing it again this year with a whole new set of speakers that we’re currently looking out for. So if you guys have something to present, let me know.

Si: We can talk later. I’ve got what, three, four talks lined up in the next year already. One before the end of the year. Two before the end of the year.

Justin: Localized AI—that’s a little hobby project of mine.

Si: Mm-hmm.

Justin: Because right off the bat, we talked about AI—bad actors are starting to use AI, and they’re not going to be using ChatGPT or whatever. Those have guardrails. They’re going to use homebrew stuff.

Desi: Yeah.

Justin: And when officers hit a house and seize that, where are you going to look? What are you looking for? What types of things should you expect? And that was my presentation—hey, here’s the basics.

Si: I enjoyed it. Because I had played with Ollama only a couple of weeks before, actually, funnily enough, for the exact purpose of trying to summarize some documentation that there was no way I could upload it to anything that was cloud-based because it was a bit court-sensitive. And I was like, ‘There’s 2,000 pages of this and I can’t read it all.’ So I wanted to do it. So I downloaded Ollama and tried to get it to process it to give me summaries. With very mixed success, I have to say. I didn’t give it that much time, but it’s a lot harder than it looks. I have to say. And I think you made it look rather easy in your presentation.

Justin: Yeah, there’s some shenanigans that go into it. But to your point, the mixed results—that’s what I found. I don’t have a behemoth of a machine to run it on. I pulled a random laptop, but the models, you’ve got to train them. But yeah, it’s a mess. But people are doing it, so we’ve got to be aware of it.

Desi: It’s certainly going to get better and better. We’ve already seen—what’s the guy that runs NVIDIA?—going around giving all the billionaires the desktop supercomputers essentially. That’s the full warning that we’ve got of where commercial products are going next. People eventually have those small boxes on their desk and then the models get better. And so that’s going to be the future of illegally generated AI-generated CSAM—it’s going to be at home. None of it’s going to be online for people to do. So yeah, super interesting watching that. That’s awesome. I’m looking forward to the Lord of the Rings trilogy of forensics in January for sure, which sounds fantastic.

But Justin, we want to thank you so much for joining us today. It’s been super interesting chatting about FTK, where it’s going, the tangents that we went into about AI—that was fantastic as well. So thanks so much for your time. It was a pleasure talking to you, and we’d love to have you back on in the future at some point as well.

Justin: Anytime. Appreciate it.

Desi: Yeah. For everyone else, all of our listeners, thank you for tuning in all the time. You can grab our podcast from our website at forensicfocus.com/podcast. You can also find us anywhere that you get your podcasts from, including Apple Podcasts, Spotify, or YouTube, because we put the video on our website and on YouTube. And yeah, if you want to find us, jump into our Discord. We’re there quite actively chatting to people and kicking people out who are inappropriate, which is great for us. And we’ll see you all in the next episode. Thanks everyone.
