Picture Perfect: Using Screenshots And Screen Recording In Mobile Device Investigations

Desi: Welcome, everyone, to the Forensic Focus Podcast. As always, we bring you as much valuable content as we can from digital forensics, e-discovery, and all the things that pop into Si's and my heads. But this week, we're joined by Rich Frawley from ADF Solutions. We just want to say thanks, Rich, for joining us. I know we've spoken to some of your colleagues recently and we've got you to come back and bring some more insight to us, but welcome to the show.

Rich Frawley: Thanks for having me here. Appreciate it.

Desi: So we usually like to start with just getting an idea of yourself, a bit of your background, how you wound up at ADF solutions. It’s always interesting to hear if someone’s come from an interesting job before they joined cyber. It’s something that I’m always personally really excited to hear because there’s some weird and wonderful jobs that people did prior to their now illustrious cyber careers, but maybe you could give us a bit of intro about yourself.

Rich Frawley: Sure. So, I started out in law enforcement, so I had 23 years of law enforcement, 17 of those years as a forensic examiner investigator. So, somewhere around turn of the century, 1999, 2000, our department was looking at starting a cybercrime unit, starting up and putting in undercover chats and being able to look at the devices. So, it was something that really, really interested me. Not as much on the undercover chat, and I found out quick something I could never do. I just liked the puzzle piece of it, the forensic side of it.

But one of the captains who was in charge of it was doing the interviews to see who we should start sending to school. He goes, “So what makes you qualified for this?” I say, “Well, I infect my computers with viruses just to see if I can get rid of them. I mean, I don’t know. Maybe that helps.” I built a website and he’s just like, “You’re in. It’s yours.”

Desi: I love that.

Rich Frawley: I started from there. All the schooling came after that.

Desi: Yeah, yeah. I love the barrier of entry. When you think back to old cyber jobs, they’re like, “Have you ever built a computer? Oh, you’re definitely good at cyber for doing [inaudible 00:02:41].”

Si: I was going to say, there’s so many that I’ve heard. It’s like, “Have you got a computer?” People who just owned one were automatically the most qualified people for the job, which is fantastic.

Desi: I also had the thought pop to my head, you’re like, “Oh, turn of the century, and the police wanted to put together a cybercrime fighting division.” I’m just like, “Oh, it was definitely Y2K.” Everyone was scared.

Si: I fled the country for Y2K. Genuinely, I went to the furthest place I could find. I wasn’t going to go completely [inaudible 00:03:14]. I actually spent it in the Falkland Islands and I figured that if society collapsed that the Falklands was probably a fairly good place to be. Given that the technology there was a tractor, it’s hardly a problem.

Desi: Not these days. I’m sure tractors probably all have internet connected-

Si: A GPS.

Desi: … microcontrollers in them that would just stop. Thanks for that. It’s always great getting to know our guests and it’s really interesting to hear those stories, but we’ll get into I guess the thick of why we’re here today. So, maybe you can first explain to us what’s the importance of screenshots and screen recording for mobile devices and investigations and then the context that that’s used in digital forensics.

Rich Frawley: Sure. So, one of the things I like to say, we just went back to 1999, 2000, where you could pretty much get anything off a device if you knew what you were doing, but it has changed. With mobile, like I say, it's becoming a logical world. They're really trying to clamp down on anything being available in a physical acquisition anymore, encrypting everything. So, looking at it from a logical side and from an investigator standpoint and trying to get your cases done, you know you're not going to get everything in a logical acquisition. So, if you can control that as to how you're getting it and make sure you're getting it in the right way, because right now, everybody's just like a user. Give me your phone. Let me go through it and see what's on here and make decisions that way.

So, this way, you can use the screenshots and screen recordings to get the things that might not necessarily be in a logical acquisition, add it to that logical acquisition, or a lot of, as I was saying, thumbing through. The other alternative to that is to get a physical and then go through and pull out what you need. Well, a lot of times, with cases, I just need this picture. I just need that video. I just need this chat. Not all crimes are homicides. Not every case needs to have the corners swept out of it. Investigators know what they want. Listen, this is a harassment case. I need A, B, and C to put it together. I know my case better than everybody else. So, why can't I just go get A, B, and C?

With the screenshots and screen recordings, it really helps, I guess, even the playing field in that concept. So, even the courts are saying, “I don’t want to hold physical anymore.” If this incident happened on a weekend, don’t give me five years’ worth of data off their phone. The defense is going to have a field day when it comes to discovery.

Desi: Yeah, yeah. That’s interesting, because when I came through learning about digital forensics, that was always the gold standard was physical image, have all the data, so you can go back to it and that thing.

Rich Frawley: If I say that’s always an availability, that’s always there. Fully there with you, but there’s certain times, no, it can’t be done.

Desi: Screen recording’s the body cam of the digital world for law enforcement, I guess.

Si: So what limitations are we bumping up against with screen recording versus the logical acquisition? Where do we want to draw the line and say, “Actually, you know what? We’re not going to get everything we need here just by looking at the screen and recording that data”? Where’s that line lie that we need to push the boundaries a bit more?

Rich Frawley: So yeah, there’s a few. Even using screen recording screenshots, there’s certain things you’re not going to get. There are certain times you may be letting the other side know that a screen recording or screenshot was taken. Those are few and far between. You may have to fall back on another method, but let’s just say Telegram, some of these undercover officers doing some Telegram chats and he can get everything, but there’s a secret chat in there. So, with Telegram secret chat, there’s a little more security to it. As soon as that phone’s connected and you mirror it to record it or you take a screenshot, it automatically advises the other side of screenshot’s been taken. Even if you haven’t taken the screenshot, even if you just mirror it, it’s going to tell the other side.

So, there’s choices that need to be made. You need to talk to somebody. If you’re just an investigator trying to get stuff, you’re going to need to know that there’s still a learning curve to it. You still need to know the tool. You still need to know what you can and can’t get. I always say investigators know their case better than anybody else. So, hopefully, if you’re going in and getting A, B, and C off of that and that’s all you need, that’s all there’s going to be. It’s a case where we’re not worried about, “What are they hiding? What’s been going on? Am I sure this is all I need? Are they not telling me the full story? Did they delete 15 things before they gave me the phone?”

So I think an investigator can key in on that information and say, “You know what? Screenshots aren’t right for me right now. I’m going to need to take this back and do a physical.” Screenshot, screen recording sounds great, just plug it in and get it, but you need that ability to still decipher your case. Investigators know what they’re doing. They’re smart. They know their case better than anybody else. So, as long as they know the tool, at that time, you can say, “Hey, this was best evidence at the time.” We’re talking victim witness consent where this may walk away. Sometimes you got to take those chances.

Si: Yeah, time waits for no man. Time is equal to money. Time is always the critical factor. So, yeah, I can imagine that screenshot’s being an incredibly rapid way of acquiring usable evidence as a good thing.

Rich Frawley: Yeah, I mean if you’re looking at critical incidents, mass casualty incidents, victim witness consents, we may walk out the door. Physicals and logicals sometimes have to take a back seat there. What are we looking at? What’s the end game? Do I need information to put in somebody’s hand right now so we can keep going, or are we going to wait another 24 hours to get through some of this stuff?

Si: So ADF is… I mean, I got to say, we spoke with some of your colleagues not long ago. I’ve reviewed your ADF products and I’m going to sell the thing, but it does that incredibly quickly. Is that something that you’ve actually focused on as a company to try and improve the ability of intelligence gathering and triage rather than focusing on the let’s crack this phone stuff?

Rich Frawley: Right. Yeah. So, a little history on ADF, it's been around a long time. 2005, 2006, it was founded, and it started out in image identification for child exploitation cases. So, that's where their main focus was. Let's get you those images quick, get you in and out, make your decisions. From there, it built up into a more robust triage tool with imaging. Somewhere in the early 2010s or mid-2010s, there was a user interface change. We went from a Linux-like boot disk for computers. We went from Linux to Windows to get into more computers without investigators having to make changes. So, we were always focused on speed, getting the information you need up front, and staying in that lane. Then we added mobile in about 2017, and it's the same thing.

It's like I look at all the tools, everybody's got a lane. Some of them like to use all the lanes, some of them stay within their lanes pretty well, but we've never wandered outside of that. We're here to get you information upfront so you can make your decisions and keep going, right? We're not going to sit here and say, "Okay, you know what? It is important for us to crack phones." It really isn't. We know our lane. We know what people are using us for, and somebody could pay the tens of thousands of dollars more for that, where we come in and say, "This is what we're going to do for you. This is where we're at." No smoke and mirrors, and development is really kept with that.

When decisions are made on “What goes in? What can we get? How can we do it?”, it’s always “Can we still do it fast? Can we still make it as easy as possible without having to exploit the phone, root the phone, jailbreak it?” So fast, get to the evidence, let’s make decisions and let’s move on. The other tools can still be used. That’s our lane. You can do this. You can still do comprehensive scans and spend some time on it, but if you want to take it into something else, you have that ability to do that as well. You could always go back and get a physical or a logical.

Si: I mean ADF still does work on PCs and computers, doesn’t it?

Rich Frawley: Correct.

Si: But do you see yourselves primarily now as handling the mobile space? Just in the interface, it seems to be a bit more to the fore than the computer side of things.

Rich Frawley: Yeah, because I think it's more what people are looking for now. There's more mobile devices on scene. If you walk into a house now, it's probably going to be at least a two to one ratio on probably mobile to computer. If you walk into a house with five people living there that are of age, you're probably going to have at least five mobile devices and then maybe a work computer, school computer, Chromebook, something like that to go along with it. So, I mean, you're looking at five, eight devices sometimes minimum when you walk into a place. But yeah, we still give you the ability to do the computers and in one interface. So, you can have mobile and computers in one interface and have everything right there in front of you when you're on scene to do the work.

Desi: So thinking back to when you’re saying you guys stick in your lane, you do it really well and it’s all about speed, does that make it easier across different mobile devices, different operating systems, different brands to just work off the bat, or do you still have the problem when it’s a new OS? When we talk to people who write the software that breaks into phones, it’s a different exploit for each OS, whether it’s Samsung, Apple, whatever. Do you find the same thing or is it a little bit easier because you already have user access and you’re just plugging in to take screenshots and screen record?

Rich Frawley: Yeah. So, on the logical end, we know we're not doing any exploitation. We're not doing any jailbreaking or rooting. We are strictly coming in with standard protocols, trying to get as much off that device as we can, and then knowing what does come off and what doesn't come off allows us to say, "Now you can take screenshots and add it to that." Our development team and our research team and our forensics department is even looking at what we get off of rooted devices, because we can pull in physical images from other tools and parse those as well. So, even though it's not coming off in a logical, we're still adding it to the tool.

There's a lot of people who work out there consulting or have got their own business and they may be sent something that's already been imaged to get through and they don't have the tools, or you do have those tools and you don't want to parse everything out. You want to target specific information. I'll give you an example. I have an iPhone 7, fully packed, loaded, real world, not demo data. It took me 25 minutes to get a logical on it and another hour and 10 minutes to parse everything out. So, you're looking at an hour, 35 minutes or so to get everything. That's on a computer that's only got eight gigs of RAM. So, an hour, 35 minutes beginning to end, logical acquisition, parse everything out that we possibly can.

I’m just interested in contacts, messaging, the operating system or the phone data, the phone information, and maybe a couple keyword searches. Well, I can do that and get the information in 30 seconds out of that acquisition. So, now I’m talking 20 minutes and 30 seconds, instead of an hour and 35 minutes to get what I need. So, we’re able to target that data and even in the physicals. So, if you’re just looking for something specific, we can be used to do that as well.

Desi: Yeah.

Si: I’m going to say, you said it interestingly, that as an independent consultant, which I am, you get a ton of data thrown at you. Certainly, other manufacturers ship their data with a reading app. Does ADF have one of those as well?

Rich Frawley: We do. We call it the standalone viewer. So, if I were to do an acquisition and parse everything out on your device, I could then send that to you. It’s the analysis portion of our tool with everything that’s been grabbed. You can go through sort, filter, tag, comment, fully functional analysis portion of the tool, and you don’t need a license for it.

Si: Excellent.

Rich Frawley: You can even report from that as well. You can make your own report based on what was given to you.

Si: That’s really fully featured. That’s cool. I must admit some of the other ones, I’ve struggled a little bit to get them to do anything other than tell me what somebody else has already found. So, it’s not always as useful as they think it might be.

Rich Frawley: Yeah, and this one, it gives you everything. So, I could pick out a couple of things and say, "Here's what I found. Now it's yours as an investigator" or "Here's everything, it's your case. You know better than I do." So you go through it and find it. Collaborate or just hand it off. It used to be go out on scene and grab this for me and come back. So, how many times is the examiner sitting in your office a day? Do you get, "Hey, I need this. Hey, I need that"? The case you're sitting and looking at, now you're walking away from it and coming back. So, we also give you the ability to... Hey, you can collect this, you can do it. We'll give you a little training. You can go out and grab this.

So, like I said, as long as everybody knows what the case is and what you’re looking at, it’s a lot easier to distribute the work now than it used to be. Somebody gave me a good analogy once and try and change it up a little bit. But for bigger departments, you have, like you said, the highly paid, highly trained forensic examiner. So, how many times are you actually going to send him out to a search warrant to do work? So if he takes that and trains three, four, five people to do on scene collection and analysis or have other people below that even just go out and just do collection, I don’t care what’s on it, just go out and collect it for me and bring it back. So, you can train those different levels now to take care of that.

Si: On that note, I mean ADF, you do your own training, I assume. What levels do you guys actually provide in terms of training? Do you do that fully experienced examiner, here’s all the bells and whistles stuff, and the first responder levels of stuff?

Rich Frawley: We do basically two types. One is fully user certified or certified user training goes through everything, advanced configuration, hidden configuration files that are in there that you can change, and a lot of the customization, how that works. Then we have certified operator that is really just going out and doing some scans and some analysis. They’re not creating the search profiles that target the data where it is, and they’re making decisions on, “Hey, I want this to run quick on scene” or “I want to use this back in the lab.” I don’t care if it takes three hours to run. Putting in keywords and dealing with regular expressions. Is something in a zip file or not? How do I make these changes?

Si: Regular expressions are something that you can’t do in the course. So, you have to have drunk appropriate, magical liquid in order to understand those anyway. So, anybody who can teach that is already doing well in my books.

Rich Frawley: In the certified operator course, I show regular expressions, so people understand the concept of it and how some of the keywords are used. You lose them for a second, but we bring them back and this is what it is, this is what it looks like, this is how it runs, and this is the difference between a regular substring keyword, and it makes sense to them at that point. Okay. Now I get it. At least they understand the concept when they see certain... Why does that look like that? How is that giving me a credit card number?

Desi: It’s just cyber magic is what regex is, and every time you have to relearn it.

Si: It’s the right incantation.

Rich Frawley: I saw you drinking out of this big water thing. I mean, that would have to be coffee if you’re trying to write a regular expression.

Desi: Yeah, definitely, and then I wouldn’t be able to sleep for three days. Talking about a solution going out and in particular the screenshot and screen recording stuff, is there any cool success or war stories that you could share where that’s played a crucial role in an investigation?

Rich Frawley: Yeah, I mean, I get a lot of, I guess, testimonials after people have gone out, it’s used a lot in the child exploitation arena on scene, right? Decisions need to be made. Hey, we went out on scene and I had 10 phones and 4 computers. Typically, I would’ve been there all day or we would’ve taken everything. We were able to spend a couple hours on scene and leave half of it behind and only take back what we needed and walk out with the person in handcuffs. Also, these task forces, they’ll go in… We had one up in Boston that plays towards our computer side, the collection keys. So, they were going into a business and they had to make decisions.

There were 75 computers in this business, and they were like, “We’ve got to go in and determine if it’s up, are we going to collect RAM and do a triage and see if we’re going to take it? If it’s off, we’re going to boot to it maybe and see, or we’re just going to image.” They made their decision and took care of everything in one day, instead of that. But yeah, screenshots are the one I hear all the time is victim witness consent situations, where it’s like I had somebody in here. The incident happened yesterday. It’s like an eight-hour span of something happening, and they didn’t want to give me their phone. Hey, give us the phone. We’re going to go in the back and make an image of it. We’ll bring it right back to you. Sign this consent form.

Nope, not going to do it. That’s an easy concept to anytime I talk or train and I’m there live. I’m saying, “All right, let me have your phone, so I can plug it in and show you a demo of how our tool works.” The only person who ever volunteers is the person who has a work phone, but you put them into that, okay, that’s where that person’s mind’s at. Instead of getting it to walk away, they can say, “All right, sit here right in front of me. You can see the screen. We’re going to hook up the phone. Even if you’re that reluctant, I’m going to let you show me what we’re looking for on the phone and then we’ll record it or we’ll image it or take a screenshot of it.”

So at that point, they're like, "All right, I can do that." They sit there. They see their phone on the screen and say, "Okay, that's what we're going to take. You mind if I take a screenshot of it?" Yeah. Okay, here's your Kik chat or here's your Telegram chat. It's up on the screen. It's like 6, 7, 8 pages, 10 pages. It's the whole chat. I'm going to scroll through and grab this whole entire chat. Is that okay? That's fine. You scroll it and you show them what you grabbed. So, people are getting a lot more of that reluctance. Because once that door closes, you're never going to see that again. They're going to go call somebody. They're going to talk to somebody. They're going to say, "Don't ever give them your phone."

Desi: Because it sounds to me there’s two things at play here for people. One I think is that it’s giving them more control or perceived control, I guess, if anything, that they get to see what’s happening that it’s just a screenshot. But I guess it’s also technology that people are probably very familiar with, because phone mirroring onto TVs and everything else, most people would’ve experienced that or Chromecast or whatever. People understand that technology.

Si: Android Auto is the other common one.

Desi: Yeah, Android Auto. Whereas if you’re like, “I’m going to take an image”, people are just like, “I have no idea what that means. You’re going to break into my phone, steal all my bank account details.” Whereas if you’re like, “Oh, we’re just going to screen mirror and take some screenshots”, people are like, “Oh, okay, cool. You’re not going to take my bank account details.”

Rich Frawley: While they’re there, it’s just working with them. They feel more at ease. Hey, listen, I need to tell a story here. Do you mind if we go from point A to point B so somebody understands that? Listen, I’m just going to go into your settings and get your phone information. So, when this does go to court, I have this information to say that this was the phone and the account that ties back to our subpoenas. All right, let’s go into the chat. Let me get the person’s profile. Let me get your information here to show this information.

It’s a good way you could follow up when you’re getting this information too. You can get somebody’s user information for subpoenas or search warrants. We’d have it right then and there, because sometimes when you leave a scene, it’s like, “Hey, let’s go start getting rid of these other accounts or locking them out, so you can do preservation orders that day on certain things that you find as well.”

Si: Have you come across any areas where unfair limitation for the privacy of the victim has been exploited by the defense as an argument that you haven’t represented the whole story? It’s not contained mitigation or I don’t know, entrapment or all sorts of other exciting potential things that could have existed outside of the screenshots, because I mean, the screenshot is limited to what you can see in the screenshot. The not capturing a full acquisition is obviously going to leave things behind. So, have you actually come across scenarios where that’s become a problem?

Rich Frawley: So I’ve seen a few. Well, there’s, I guess you could say, case law with screenshots being accepted. There’s a specific case out of Massachusetts here where the defense went after everything. So, they only use screenshots. This goes back a while, and it wasn’t screenshots like we’re talking about. It was the victim took some screenshots and gave them, right? So you lose that chain of custody part that you need. Doing it like we do, you get a little bit more. You lock in that chain of custody portion that you need. But within that case, they used the screenshots.

When it came to discovery, defense made motions, they wanted everything, right? We’re talking a 48-hour period where an assault happened on a college student and they wanted every social media user account, every chat app, every log-in. They wanted a physical of the phones and every motion was absolutely denied at the court level. They were like, “No, this is going to stick. They did their job.” So how does something like that stick? Well, it comes back to good old-fashioned police work. You have your investigators that know the job and say, “Okay, I took a screenshot or they gave me a screenshot of an email.”

So what’s defense going to say? Well, you can’t verify or validate that email. There’s no header information. How are you going to trace it back? That’s just okay, I have this. Let me do my subpoenas or my search warrants to back that information up. So, where it does save some times upfront may fall back on the work you may have to do or may have been doing anyways, but it works. As long as you are investigating your case that way, it’s going to get through the court system. You’re really going to have to screw up that, I think.

Si: We’ve all seen that. Yeah.

Rich Frawley: Yeah. I mean there’s some people who just never should have sat in that chair, if you will.

Si: I mean ADF’s constantly developing, constantly moving forward to address everything, but what are you guys seeing as the future problems that you are going to be seeing in the future, opportunities as well in the mobile space?

Rich Frawley: Yeah, so I started out with before, it’s becoming a logical world and there’s more and more data, more and more devices. I don’t know if the wall’s cracked or what you want to say. We’re alluding to it before the gold standard back in the day. Some of that’s still being taught, but it doesn’t fit with, my gosh, I’m bringing 1,000 devices into this room every day, because I’m working at the border, I’m working at an airport, or I’m working somewhere where there’s a lot of devices. You can’t keep up with that. So, I think with the developers of these devices, trying to lock everybody out with privacy and the amount of devices, it’s staying in our lane and looking at it as a logical world and trying to get you the information fast and let you make your decisions.

So, people aren't sitting that should be put away, where cases aren't sitting that should be handled. I know I've been talking a lot from the law enforcement side, but it is also a corporate tool and I just speak from where I know more. But looking at that, looking at some of these devices that people aren't even... Look at the Chromebooks. Everybody's tried, things have changed, programs that used to work don't work. So, I would keep an eye out for things like that in the immediate future.

Desi: So I think I asked this question with your colleagues and I think it'll be for the benefit of listeners that might only listen to one or the other, but with Apple, their new iWatch that they brought out, they touted it as like your all-in-one device. I think we'll see that continue in the sense of they'll just want you to wear a watch. It's no longer you carry your phone with you because it's got everything on board. It's got enough memory, enough storage, you can send SMS, you can pay. You can live your daily life like you normally do with your phone on your watch. Is that something you see ADF Solutions eventually getting into?

Because obviously, right now, it’s quite niche in who would use the watch that way, but I think as technology goes, things like that, and then I’m guessing smart glasses seem to have come back a little bit, even though they still look ridiculous. Well, I guess worryingly, talking about smart glasses, I’m not sure whether they have onboard storage, but the Meta Ray-Bans can record, which could be a huge thing for I guess CSAM cases, right? Is that something that ADF you think is looking for at least in a future roadmap?

Rich Frawley: With wearables or the watches, the glasses right now, we look at it as, “Is that the way it’s going as you’re mentioning, or is it now it’s being shared?” So a lot of the data you may be able to get down to the device level or the phone level. Yeah, definitely. I mean, I see it, I see that kind of, but it’s also like the computer, it’s not going away. People aren’t going to be typing all that information on their watches, and that’s really small to be watching a lot of TikToks and a lot of reels.

Si: I love the idea of a TikTok on a watch. That just sounds so appropriate, anyway.

Rich Frawley: Everybody's sitting around the dinner table like this. Yeah, definitely. We're always looking towards what it's going to be, where it's going. I think grabbing onto that, it's going to become a logical world. Even smaller devices, we're always going to look at, "Can we get it without rooting, jailbreaking, cracking the security, making it take more time than needs to be taken from that?" We're not going to work on every single case that you have, but there's a lot of them that come in that we can really take care of.

Desi: Yeah, hitting majority for sure.

Rich Frawley: If you’re sitting there day after day, going through mobile devices and spending all your time, this one doesn’t have anything, or all I need is A, B, and C. How much time was spent to get there and you send it and then it gets cut out? You never really have to go back, or if you did it, here’s exactly what we need off of this device and it doesn’t go for that full dust out the corners. You’re saving yourself a lot of time and money and energy there.

Si: Yeah, I spent my weekend doing something slightly odd for me, which was I actually made an ax, which is cool, but I did discover that there are certain things when you are working on this metalwork that the rapid tools that shape quickly are actually far more useful than the ones that are shaving tiny fractions off at a time. Otherwise, you end up sitting around forever, and that sounds like what ADF is. It sounds like that real hardcore shaping tool to get things started and get through a lot of metal to start with, and then you’re going to spend time polishing a little later down the line. So, it does definitely sound like a heavy duty, a heavy lifting thing, rather than a scalpel.

Rich Frawley: You can target it to say, "Listen, out of this big mound of stuff, I know the proverbial needle in the haystack. I know that's what I'm looking for. I have this information. I know where it generally sits. Let me target that." It comes back and decisions are made, instead of fishing. Put it all together, let me move on. Let me grab A, B, and C, lock it down with preservation orders, and do my arrest warrant or make my decisions and then move on. Or even in the corporate world, HR, hey, I just need these messages and these contacts and this information. Let me put that together in short order, if you will.

Si: I’m going to bring in a lovely buzzword at this point in this conversation. I mean, everybody in the world and their dog wants to know about AI, and I know that there is some categorization within ADF. How do you guys feel about the use of AI? How do you actually implement it and how do you see that going forward as part of your product?

Rich Frawley: Yeah, so yeah, we have machine learning, natural language processing, AI in there for our categorization of the images, either an age group detection or your categories, weapons, vehicles, currency, scanned documents. We’re using some to determine whether things are actually a picture or an icon or an emoji. It speeds up that as well. It’s always a discussion. We’re always looking at it. Myself, I think when we have those discussions, I sit on the skeptical side right now. Let’s really, really, really be sure that it’s going to do what it’s supposed to do and it’s not being used in somewhere where something critical may get missed.

Age group detection and things like that, you can do that. You can sort it. You can find it. There’s going to be false positives. You know that. You can reverse the search and go back and look at what was filtered out or filtered in. So, it lets you come back on that, but I really don’t know if I trust AI all that much yet, even though it’s been around for a long time. Like I said, it is a buzzword, right? It’s just fast and furious, I guess, you could say.

Si: So jumping around here again, because I know we talked about it before in terms of the example you gave with the defense, they wanted everything. You might have the screenshot of an email. If you were taking lots of screenshots, and you also mentioned taking a picture of the settings to get the phone information, when that’s plugged in, that’s not taking that phone information at all when it’s taking the screenshots or screen recording. You have to physically go do that.

Rich Frawley: It does with your initial connection and everything. It says, “Hey, it’s connected to this.” It’s going to say it’s an Apple iOS 17.0.2, this is the serial number. So, you have all that information grabbed, but let’s say you want the IMEI or any other network information that you can get from your settings, you can go in and screenshot that. If you could bring it up on the screen, you can get it. Unless, like I said, the Telegram secret chats, either they’re going to be notified, or on the Android side, they actually black out the screen.

Desi: I guess thinking about then taking that to court and maybe the defense or whoever needs to cross examine the information, is the package of information then in a transferable format that can go to other tools for the defense to look at, or are you just passing across screenshots and videos?

Rich Frawley: Yeah, no, good question. Because we can also save the screenshots and screen recordings into that logical acquisition. So, hey, I’m going to do a logical acquisition, but I want all the WhatsApp. So, you grab all the WhatsApp and then do the logical acquisition and everything’s in one. So, any tool can probably go in and grab our acquisitions that way.

Desi: Okay. Yeah. Cool.

Rich Frawley: As far as the screenshot, screen recordings, yeah, they’ll be able to grab those, bring them into another tool as well. As far as losing like, “Hey, am I going to get the metadata? I’m not going to have this”, it depends on the phone, but if you can open up the metadata on the device, you can get it. If the app like Apple Mail, I can’t get the headers when I bring up that email, but I have the information enough to do what I need to do. Like I said, we may have to fall back on some other method to verify that.

Desi: Yeah, okay, cool.

Rich Frawley: Yeah. But the reporting, so HTML formats, PDF formats, CSV formats for images and stuff, we have the JSON format for VIX data and [inaudible 00:42:43] data, and then the standalone viewers. So, they should be able to bring it into anything they want. It comes with date and time, device it was taken from, and there’s a hash value of that image or screenshot or screen recording that you took. So, another method of somebody just took a screenshot and gave it to you. You lose your chain of custody. This was directly to the device into your tool, your reports.

Desi: Well, I know I’m out of questions from what I have found really interesting and a really good discussion, learning about the tool again. That’s for sure. Si, do you have anything else you want to ask, or Rich, if you’ve got anything else that you think that we’ve missed or you really want to tell the listeners about in terms of the tool? Is there anything you guys have?

Rich Frawley: I would just say on the mobile side, we were all over a little bit with doing computers and we focused on screenshots and screen recordings. But for those on scene upfront, we also do real-time previews of devices. So, you can just plug it in. It starts making that logical acquisition, but letting you see what it’s grabbing in real time. So, in investigations that involve multimedia, you’re going to know within seconds nearly how many images or videos are on there and start getting all the properties, the metadata, everything you need. So, if there’s something recent on that phone, you can actually preview it. Once you see it and it’s in there, you can stop and it’s been collected for you. So, another simple way to get information off a device without having that.

Si: So that’s a logical acquisition being done, feeding straight into the parsing engine. Is the screen live at that point in time? Is that happening in the background, so you can carry on scrolling and doing something else, or is it-

Rich Frawley: Correct.

Si: Okay, so that’s recording the screen and doing something else at the same time.

Rich Frawley: Oh, no, I’m sorry. On the preview, you get to see exactly in real time what’s being parsed out. Instantly, it’ll say, “Hey, there’s 3,000 images on here, and start making the thumbnails and the properties, collecting the metadata and collecting the photo as well.” So you’ll be able to see all that. You’ll be able to see videos. We pull off 50 frames of it, so you can go through and see that first before playing it. Yeah, not interested, not interested. Oh, this may have something in it, and then play that video.

Some artifacts, Android comes up a little easier or a little faster. iOS is a little later in the process, but yeah. So, the screenshots and screen recordings, if you see something on there during that preview, you can say, “Okay, that’s my next step.” Stop it. Go to screenshot, screen recording, full advanced, logical acquisition.

Si: Cool.

Desi: Just for the onsite people that are there, if there’s a whole bunch of SD cards, USBs lying around, they can just plug those directly into the kit and it does the same.

Rich Frawley: Correct.

Desi: It’ll start looking through it and give them a preview of what’s there and everything.

Rich Frawley: If the phone has the SD or micro SD card in it, we’re going to get that information-

Desi: Yeah, anyway.

Rich Frawley: … while it’s there. But if they have them laying around, absolutely.

Desi: Yeah. Cool.

Rich Frawley: As long as you’ve got an adapter or reader there on your tablet, your laptop, you’ll be able to-

Desi: Yeah, make sure you bring your adapters for all the different types of devices you can use.

Si: Well, I have to say, and again, I was lucky enough to be shipped a Peli case of ADF field kit with a waterproof tablet in it. So, I could use it in the shower, which it is a frequent thing I do now. I do all my acquisitions in the shower. With waterproof phones, waterproof kit, why not? But it did come, it shipped with an SD card or a card reader of assorted flavors and multiple cables. It was a very neat little package. I do love Peli cases, absolutely fantastic. I need to get more. I can’t justify the cost, but I need to get more.

Desi: Yeah, it’s so expensive.

Si: I know. Oh dear, right. Anyway, digresses into luggage. I’m going to say I am one of those. If I was a woman, I would have so many handbags, but I just collect bags. I have laptop bags, I have camera bags, I have backpacks, I have everything. You name it, I’ve got them. I think they’re brilliant. Anyway, you can tell it’s getting late at night, can’t you? So for yourself, I mean, outside of the joys of working fantastically with ADF, have you got anything interesting on the go for yourself at the moment? You’re coming up to Thanksgiving in the US.

Rich Frawley: No, just we’ve remodeled our house recently, so it’s just trying to get it all in order for, like you said, our Thanksgiving’s coming up and then Christmas is not too far after that. So, it’s preparation season, if you will.

Si: Starts to put all the furniture back where it started off before you started remodeling. Yeah, that’s the way.

Rich Frawley: Yeah, that is not an easy process.

Si: No, no. We’ve done the same, and the furniture is still not entirely where it started off. Yeah, it’s taking a while. So, I feel your pain. Well, I’d just like to say thank you so much for joining us this evening. It’s been an absolute pleasure talking with you. Desi and I have run through a fantastic list of questions, and you’ve answered every one of them comprehensively, which has been brilliant. So, I will end here and say thank you very much to you. Our listeners, thank you for coming along and spending time with us again. This will be available on Spotify, Apple, whatever it is, the other things where you can download podcasts. I really must write this down.

Desi: Yeah, every time.

Si: But you can all figure it out. You’re all forensic analysts if you’re listening to this. If you can’t find a podcast, then you really need help. So, thank you very much for joining us. Thank you again, Rich. We really appreciate you coming and spending time with us and sharing your knowledge of ADF and the fantastic product that it is. I will therefore close this. Any passing comments, gentlemen?

Desi: None for me.

Rich Frawley: Thank you. Enjoy. Thank you.

Si: All right, brilliant.

Desi: Thanks, everyone.

Si: Take care, everyone.
