Please forgive me for being that defense lady again, but what makes it OK to post any part of the evidence in any case on the net, where it is crawled and will be searchable? You could say you posted a part which contains no names or identifiers, but then you would be missing the point.
How did you verify these findings on this software which was written for you? Surely if you were being charged with a crime, you wouldn't want to accept that someone jumped on a forum saying they were stuck, another person wrote an application for them, and you (the defendant) got jail time based on text messages as any part of your guilt.
I mean, do you use Encase because someone said it works, because you plugged it in and it spit out some words which looked good, or do you use "based on my experience and training" like we were taught at the academy?
Just curious.
I want to thank everyone for the response you guys are great. Big thanks to Ryan Manley (xaberx) for the app he created, it worked great. I also want to thank forensicranger he also sent me an app that worked great as well.
This goes to show that this forum site works well together. Everyone that contributed just assisted in putting a local drug dealer away. Thx again guys I would have been stuck without you.
I understand your concern and to reassure you on what I did I will explain.
I didn't post the actual evidence file that I was trying to convert or anything that had to do with the specific case I was working on. I used a separate .dat file from an LG phone to test. And for the one that was posted, I jumbled the contents so it would not contain anything relevant to anyone. I verified the data by running it on a separate program that was provided by another LEO agency, and tested it against the one that was provided here to compare the results. That alone wasn't enough to convince me of the output, so I looked at the file once again in HEX view and compared the results to see if they matched. I wound up not using the program provided here and opted to use the one that has already been tried and tested by the other LEO agency that uses it. So I would like to say that I verified my tools before applying them.
Regardless, I wanted to thank the people that put forth the effort to assist, because I felt it was the right thing to do even though it wasn't utilized. Though I feel you have no faith in the ability of us lowly LEO to attain any further training other than my "training and experience" received in the academy, I have gone through my fair share of training to know what I am doing. Thanks again for your concern.
LOL. I don't have any concern in your training, I was with LE, I went to the academy, my questions were totally relevant. Maybe you want to rethink your stance, maybe not.
Someone said
"can you provide a sample in hex format"
and you post
20202020170220204899022017D41939
100515212632202008D4193901012020
20202020022020202020202020014865
79206A757374206B6E6F77206F6E6520
7468696E67204920646F206361726520
61626F757420796F7520616E64204920
616C7761797320686176202020202064
9197CA0D5D79F441AF76FEE837EECA83
A68D3BB3A0928326F418F0F2CA830E2D
FD7A20F3BFAA0C3BB22092830ECEF87C
F341A30F6CA83965CF87AF2C9B32F3E6
837E641B7CA0C38FA69DFBB9A0E9875E
5418F0F2CA81DA902020202020202020
20202020202020202020202020202020
20202020202020202020202020202020
20202020202054657272792063656C6C
20202020202020202020202020202020
20202020202020353535353535353535
35202020202020202020202020202020
20202020202020202020202020202020
20202020202020200A01282020202020
You could have said "no, I can't provide a sample, but I will provide something from another phone." But you just put up a sample.
You followed that up with saying thank you for the help, the app you created worked great, but didn't say anything about verifying it against anything else.
Are you telling me as a detective this wouldn't raise any flags with you? You wouldn't ask a civilian examiner how he verified things, or ask the prosecutor to do that? And from you not explaining something, just posting code, if this were someone else posting, would you think based on the text that someone had just posted evidence from a case?
I apologize if I was defensive in the last post, but it seemed as if you were attacking my ability. By the time the others on this forum responded with solutions, I had already found a solution.
I thought it would be more beneficial to the forum site to let it play out instead of recanting my post and saying something like "never mind, I already found a solution." The program that was drafted is good and it did work. Even though it wasn't used, I still appreciate the willingness of others to help out and discuss things.
And yes, I would ask others how they were verified, and everyone should test and verify even tools that are widely known. I guess in my opinion you should have PMed me and questioned me that way. I feel that your post has taken away from me trying to be appreciative of others' work and efforts.
I personally wrote the tool to deconstruct that file. During the process I voiced my concerns that I could not verify the date with 100% accuracy due to not having a reference to examine (it was a non-Unix timestamp), as you would have read in my prior postings.
The issue you raised sounds more like "Well, if it isn't Encase\FTK it isn't accurate\credible." Is that a correct interpretation?
Or was it "Leaking evidence on the internet = bad" when he stated vital info was hexed out and he was seeking help on exporting the file information?
I won't be ignorant and state that I wrote a computer forensics package, thus I know how to deconstruct files (I know better, wink), as I know there may be things I missed and cannot interpret without further information from a white paper or another comparison app.
I founded my company to help the forensic community with challenges and problems through innovation. So just because Encase or FTK hasn't come out with it yet doesn't mean it isn't credible; it just means one must verify the results and determine if they are accurate.
But out of curiosity, how accurate were the dates and times when compared to another tool? That was the part I was most worried about, especially as I was unsure if it held the same start offset of 1/1/1980 and if it was in UTC or local… though in this situation the phone was locked, so hard to say.
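The two points argued in this thread, checking one tool's output against an independent decoder and the raw hex (the poster's description of his verification), and Ryan's question about which epoch and time zone a non-Unix counter uses, can be shown in a few lines. The script below is an added example and is not code from the thread, from Ryan Manley's tool, or from forensicranger's; it reads the hex sample posted above, runs two independently written printable-string decoders over it, refuses to report unless they agree, records the SHA-256 of the input, and then decodes one constructed raw counter value (1,000,000,000 seconds, with an assumed UTC-5 "local" zone) under both the Unix and the 1/1/1980 epoch to show how far apart the candidate readings land. The string-extraction heuristic (printable ASCII runs of four or more characters, padding stripped) is an assumption, not the file format.

```python
"""Added example (not from the forum thread or from either contributed tool):
cross-check two independent decoders over the posted hex sample, then show
how one raw seconds counter decodes under different epoch/zone assumptions."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# The hex dump exactly as posted earlier in the thread (the poster states it
# is a jumbled test file from a different LG phone, not case evidence).
POSTED_HEX = """
20202020170220204899022017D41939 100515212632202008D4193901012020
20202020022020202020202020014865 79206A757374206B6E6F77206F6E6520
7468696E67204920646F206361726520 61626F757420796F7520616E64204920
616C7761797320686176202020202064 9197CA0D5D79F441AF76FEE837EECA83
A68D3BB3A0928326F418F0F2CA830E2D FD7A20F3BFAA0C3BB22092830ECEF87C
F341A30F6CA83965CF87AF2C9B32F3E6 837E641B7CA0C38FA69DFBB9A0E9875E
5418F0F2CA81DA902020202020202020 20202020202020202020202020202020
20202020202020202020202020202020 20202020202054657272792063656C6C
20202020202020202020202020202020 20202020202020353535353535353535
35202020202020202020202020202020 20202020202020202020202020202020
20202020202020200A01282020202020
"""


def parse_hex_dump(text):
    """Turn the posted 16-bytes-per-line hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def strings_regex(data, min_len=4):
    """Decoder A: printable-ASCII runs found by regex, padding stripped."""
    found = []
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data):
        for token in re.split(rb"\s{2,}", run):      # split on 2+ spaces
            token = token.strip()
            if len(token) >= min_len:
                found.append(token.decode("ascii"))
    return found


def strings_scan(data, min_len=4):
    """Decoder B: the same job done as a plain byte-by-byte scan (no regex),
    written separately so a bug in one decoder is not mirrored in the other."""
    found, cur = [], bytearray()

    def flush():
        for piece in cur.decode("ascii").split("  "):  # split on padding
            piece = piece.strip()
            if len(piece) >= min_len:
                found.append(piece)
        cur.clear()

    for b in data:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
        elif len(cur) >= min_len:
            flush()
        else:
            cur.clear()
    if len(cur) >= min_len:
        flush()
    return found


def cross_check(data):
    """Run both decoders and report whether they agree; the input hash is
    kept so the result can be tied back to exactly this byte sequence."""
    a, b = strings_regex(data), strings_scan(data)
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "strings": a, "agree": a == b}


EPOCH_UNIX = datetime(1970, 1, 1)
EPOCH_1980 = datetime(1980, 1, 1)


def candidate_timestamps(raw_seconds, local_offset_hours=0):
    """Decode one raw seconds counter under each epoch and zone assumption.
    Without a reference event of known real-world time none of these
    readings can be chosen over the others."""
    local = timezone(timedelta(hours=local_offset_hours))
    result = {}
    for name, epoch in (("unix", EPOCH_UNIX), ("1980", EPOCH_1980)):
        delta = timedelta(seconds=raw_seconds)
        result[name + "_utc"] = (epoch.replace(tzinfo=timezone.utc) + delta).isoformat()
        result[name + "_local"] = (epoch.replace(tzinfo=local) + delta).isoformat()
    return result


if __name__ == "__main__":
    report = cross_check(parse_hex_dump(POSTED_HEX))
    print("sha256:", report["sha256"])
    print("decoders agree:", report["agree"])
    for s in report["strings"]:
        print("  string:", s)
    # Constructed counter value and an assumed UTC-5 zone, for illustration.
    for k, v in candidate_timestamps(1_000_000_000, -5).items():
        print(f"  {k:11s} {v}")
```

The point of the two decoders is the same as running the forum tool beside the other agency's tool: an examiner trusts the strings only when independent implementations agree, and the hash ties the report to the bytes that were actually examined. The timestamp helper shows that the same counter reads ten years apart depending only on the epoch chosen, which is why a known reference event is needed before any date from a new parser goes into a report.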
I didn't attempt nor did I take anything away from your thanks. I tried to ask a few questions which I would think the answer would benefit others seeing the answer.
I can't program, and appreciate others doing things like that, but you didn't document what was going on, just that it put someone away, and back to my post, you did just post hex and didn't clarify in that post what it was you were posting.
There may be others out there who think they can cut and paste things to a forum, and I just wanted someone to think about the possible implications of doing that.
You somehow thought I was slamming LE as lowly, when I had just stated that is what I used to do, and the phrase "training and experience" was pounded into our heads the entire time and is the most frequent language in an affidavit for a Terry stop.
Hmmm. The last thing I would say is that if it isn't Encase or FTK then it isn't accurate or credible. I'm all for using some software, verifying it, entering it into the record, and then, if successful, using that software again based on it being successful (if there was a challenge to the software and not just a judge saying that things sounded OK).
People post things from actual cases all the time, or they email things to someone to look at. IF the post had been qualified with "this is a sample from another phone which was never used in any case," then I wouldn't have a post.
You write software, and he arrests people, and I get faulted for trying to stick up for the "drug dealer" and see that he has rights?
Just wanted clarification. Granted, I'm not LE, but I do assist LE from time to time. I have always been told that if the investigator validates the tool and testifies to the validity as part of the case, showing how/why it is indeed valid… Partial on this, as I currently am seeking the "blessing" of the court for my own toolkit.
But in either case I am glad to help the community even if the software was not used.
Ryan