From Seizure To Investigation In Minutes: What’s New In ADF Pro v6.3

The following transcript was generated by AI and may contain inaccuracies.

Richard Frawley: Good day, everybody, and welcome to our webinar. ADF Pro version 6.3.0 came out of the gate about a month ago, and we’re here to show you a couple of the bigger features and let you know what’s in there, as well as some of the demo I’m going to do. This shouldn’t take more than 30 minutes.

We’re going to start with a quick intro to ADF for those of you who maybe aren’t familiar with the tool, or you’ve used it a bit and don’t know the overall sense of it. Then we’ll go through the new release and what was in there. After that, I’ll get into the live demo of showing you what’s been put into the tool.

We’ll cover key takeaways at the end, plus questions and answers. There’s a questions panel if you want to shoot your questions through — I’ll be able to take a look at those. If you have a question during the demo, shoot it through when you have it. You don’t have to save them till the end.

Let’s talk a little bit about ADF Solutions and who we are. We’ve been around over 20 years now. We started out in image identification, and we are a triage tool, first and foremost, that allows you on the front end of an investigation to get as much info as you possibly can upfront to start making decisions.

Remember, triage is about decisions. It’s not about solving the whole case. What do I need to do? What am I looking for? Is this the computer? Is this not the computer? Can I leave this behind? Which ones are going to go first? Which ones are going to go second? Can I make an arrest based on the information I pulled out of that?

If you’ve seen some of my previous webinars this year, I’ve done a couple of tool-agnostic ones just about triage and the different types of triage. The “show me” or the threshold scans, the early case assessment — give me as much information in a short amount of time so I can continue my case and make those types of decisions on scene.

Start doing preservation orders right away, reports for the next day, especially if you’ve made an arrest. You have a hearing the next morning, you can have all that information right then and there. It’s rapid on-scene intelligence to help you move along.

The show me, the threshold — we can do that. We can give you images in a very short amount of time and show you, yes, what you’re looking for is on here. Then we can build on that, what’s going to need your decision. What’s going to help you make that decision? What artifacts do you want? Analysis? We can put them all together for you, which we do in the background to show intent, so you can make those types of decisions.

We do both mobile and computer. Computer since the beginning, 20 years ago. We adopted mobile around 2017 and have been working on it ever since. You’ll see as I go through the list of things all we can do on the mobile side.

Computer first and foremost — that’s been our main bread and butter for years. We haven’t stopped developing it. We haven’t stopped working on it. It’s just as good today as it was 20 years ago.

And storage devices we come across — the different ways we connect. If you start thinking about Chromebooks, PlayStations and Xboxes, video — any kind of video you want to bring in, we can capture that a different way. Just a lot of different options. Plus some tools to help you get into 32-bit computers or Mac computers as well.

That’s ADF in a nutshell. I’m Rich Frawley, Director of Training here. 23 years in IT and the last 10 years here with ADF Solutions.

Let’s get into what’s new. I see there’s a good mix of attendees — I recognise a lot of names in here, some new ones. Let me tell you what’s in here upfront that I’m not going to demo: a lot of the artifacts that have been added. This shows you that in between our releases, there’s a lot of work put in — either updating, giving you new apps, updating older apps to newer versions, what may have changed, and where we’re getting it from.

A couple of the ones right up front: on Android rooted, full file systems, or whatever you’re getting out of your Android, we’re able to parse. We’ve got application usage, ChatGPT messages, Chrome, shortcut extractions — that’s also on iOS. Some Firefox we’ve updated, some Gmail we’ve updated.

Gmail — inbox label, message thread extraction on rooted Android. For those of you who use ADF, you’re hearing me say this and you say, “Well, you do an advanced logical.” Yeah, we do so much more. We do logicals, but you can ingest your acquisitions from the other tools.

You have those full file systems — you can bring those in. We can cherry-pick out of those what you’re looking for. We can help you make those decisions. You took the time to make that acquisition; now it’s going to take time to parse that out. A lot of our customers pull that acquisition in, run our tool against it, get the information they need up front, and then go and wait in that parsing line.

Again, you need to make decisions and keep that investigation moving. Some more in the artifacts: Gmail, some Google information extractions on Android. Discord message extraction on iOS, updated. Voicemail extraction on iOS rooted — that’s been updated or that’s new. Samsung Notes, browser, saved contacts, call and messages. A lot of work on the artifacts in the short amount of time between our 6.2.2 and 6.3.

For those of you who rely on the scan and setup side, some of this is what I’m going to be showing you today. One of the ones I’m going to show is the option when you’re bringing in your hash matches to automatically tag those, put comments on them, or automatically coordinate those with either Project VIC or CAID, by category.

We’re giving you the option to sanitise those immediately. When you go into your gallery, you’ll just see that they’re sanitised. You have matches; they’re automatically tagged. You don’t have to see them again. It’s a wellness feature — that exposure to the explicit material, you still have to go through that, unfortunately, in this line of work, but at least this minimises what you’re looking at again.

That’s a big one that’s been added, and we’re going to show that. The other one is our new scan mode for the mobile device — requests that only pull what you ask for. There is no other data, per se. We’re calling it targeted extraction.

It’s on the mobile and Chrome OS side. We’re looking for something specific, such as messaging. Good for victim-witness consent situations — if you want to grab those, you’d rather get that right from the mobile phone itself. Grab that, and when you hit run, all you have at the end are the chats you asked for.

I was talking about the ability to sanitise hashes and then our targeted extraction. With the new scan mode we have, targeted extraction — being able to go in and pull some information, and that’s all that’s left at the end. You’re not making the full acquisition. Good for victim-witness consent type situations, good for where you’re limited in what you’re able to extract from a device. This will help you along those lines.

Some of the other things in the viewer: a couple of little niceties, nice-to-haves when you’re doing your analysis. We were deduplicating the pictures; now we’re deduplicating the video gallery as well.

One of the nice things too: if something happens during an extraction or parsing — power ends, phone gets disconnected, it only parses out certain things — you will now see in your summary which parsers may not have run. They’ll show incomplete, so you’ll be able to say, “Okay, there might have been information there that we missed.”

There’s improved support for the UFED acquisitions that we ingest. We’ve added artifact logging. Then multiple fixes and improvements on the tool that happen all the time from release to release.

Let me get into the demo. You should be able to see ADF Pro on here. One of the things in 6.3 that I failed to mention at the beginning is the new branding. You have your new colour scheme — out with the teal and the old logos, in with the new colour scheme and the new logos in here as well.

When we get into Investigate Device, you’ll see up on top “targeted mobile or Chrome extraction only.” That’s a targeted extraction of the scan of connected Android, iOS or Chrome OS devices, and only the files or records requested are saved. Keeping with the way I like to show off the tool — from bottom up, fastest to the more comprehensive.

Preview — hook up the phone, get a preview. No different than doing an advanced logical acquisition. You get to see things in real time. Screen Capture — something you’re not getting in that preview that you need to capture right then and there, you can go into Screen Capture for iOS, Android devices. That’s also where you’d go in and do your video, HDMI, cameras, anything you want to bring in.

Collect Files goes along with the targeted mobile extraction. That’s going in MTP mode and pulling down just the files you want off the device. A lot better for you policy- and procedure-wise — connecting that phone and pulling the files off, maintaining the metadata, rather than emailing it to yourself or downloading or uploading it somewhere using the device that way. It pulls you from that manual operation into the ability to pull down those files.

And of course, we get into the acquisition and the scanning all in one, where you start at the beginning with connecting the phone all the way through parsing and analysis — the more comprehensive option. Targeting is up on top. This is not a quick preview-type acquisition when you’re targeting something specific. Usually in preview, you can get things really quickly and report on those, but you’re going to gather more than what you wanted.

Screen capture is a screen capture — you’re not getting the actual file or the metadata information there. So for targeted mobile extraction, you’re going to come in here.

Target devices — no different than any other screen. There’s really no learning curve here. I have an iPhone 6, an older one, connected. I typically show Android, so I figured let me do an Apple device. It doesn’t have a lot of information on it, so it goes quickly.

Under Captures, instead of what a lot of you are used to — our search profiles, where mobile goes in and collects everything, or you customise it to say, “I want A, B, and C out of a device” — here, we’ve let you pick it at this point. Instead of having to create a search profile of what you want to get out of it, we give you the immediate action to come in here and say, “I want the device information off the phone, and I want to go into my messaging or my communications, want to go to my messages.” You can see now I can pick and choose which ones I want to get.

That’s typically what happens in the consensual situation. I just have Android Messages on here. That’s all I have. So I’m going to get my device information, I’m going to get my messages, and at the end of this process, that’s all I’m going to have.

For those of you who know our tool, I’m going to go to my V4 folder, Acquisitions. The folder is empty. I’m going to go to my scan results, and you’ll see everything I have in here as far as scan results go — I have some to show you. Acquisitions is where I want to keep it.

I give this a name, hit Scan, and it goes through the process of traversing that phone. You need to know the passcode. You’re connecting the phone just like you would any other time. You’re not bypassing any security issues, and it’s going to go through the phone. There’s a process that has to be done acquisition-wise to get the data off. We look at it, see what’s there, look for what you’re looking for.

This goes through the whole process. I’m just going to stop this here and show you the results. If I go into View Results, iPhone 6 Targeted, Preview, you’ll see the Acquisitions folder. There’s nothing in there. There was no acquisition made. There’s nothing to put up for discovery.

There’s only the scan results. Here’s that iPhone 6. There are 91 messages on there that were pulled off, the device information, and saved networks. That’s all I have. There’s nothing else at the end of this process to disclose for discovery. This is what I asked for, this is what I got, this is what I’m presenting to you.

What comes along with this? With the messages — the Apple Messages that I requested — you are getting the database, you’re getting the sms.db. You may have to filter through the records. This isn’t down to record level; it’s down to single database file level. You pull that database file, you can go in and sort based on that.

But you’re not going to get all the other apps; you’re not going to get all the other information you would typically get. You’ve got your device information, and I’ve got the saved networks if that was part of my case. That’s what it is — you ask for it out of the targeted extraction, and that’s what you get.

Sanitise matches. For those of you using Project VIC, CAID, your own hash sets — your cyber tip comes in, and you’re using our tool to point to the hundred files that you were sent, to hash those and bring those in. At that time, there’s a checkbox that says, “Do you want to sanitise these matches?”

It’ll come through, and you can see all these purple boxes that have the matching icon in the upper corner. It has comments on it, and it’s been tagged. You can see the top four here are sanitised. I have all the properties. When I go to Preview, it shows it’s been sanitised.

Now, there are times you’re going to need to undo this so you can show it at discovery — when in your meeting with defence and prosecution, what’s going to be shown at trial — you can bring that up and show that picture. As soon as I click off of it, it goes back to sanitised.

When you undock it, the same thing — the undocked window will not show that picture either. Here, it opened up off screen for me. If I bring that same thing up, I can show the preview, and when I close it, it goes back to its sanitised mode.

You’ll see some in here that are not sanitised. Those were keyword hits that you still need to analyse because they’re not known. Your hashes are known — you don’t need to see them. For those of you who, when you’re doing a computer on scene, use our matches pane, where you can see the pictures going across: they are not sanitised in the matches pane, so you can make your decisions on scene.

Maybe I’m not getting matches on my hashes, but I’m seeing the other pictures coming across. They get sanitised past that point, so you can still make your decision visually on scene. Remember, that matches pane can be hidden. If you don’t want to see anything, you can hide that matches pane and just wait till the end of the scan.

You can see everything that’s been sanitised in here that I don’t need to see. With our filters, I can filter all those — just show me those others. They’re sanitised here, and then I can filter those out so I’m looking at everything else to do my analysis. That’s sanitise. Very simple. I probably put a lot more into explaining it, but I wanted you to know how it works and where it works.

A nice wellness feature. I did another targeted extraction here. You can see I asked for phone calls, the Android messages, and the device information. Again, that’s all I have. You saw my Acquisitions folder — there was nothing in there. There’s no other data but this information.

With the targeted extractions, what I wanted to cover as well is that this part of it is really good for the databases and the artifacts that you’re allowed to pull off. Most of the time they’re saying, “I’m willing to give you my iOS messages.” You can check on that. But you can also get all the other artifacts that maybe you want to pull off.

The device information, you can usually get them to agree to that. Where this gets a little tougher is when you want those files — the specific files. “I’m willing to give you these five videos that I took yesterday when I was viewing something.”

We give you Collect Files for that. You can go directly to the phone that’s connected and pull down the files through MTP mode. You’ve probably seen this — this is not a new feature. This was already in the previous versions. You’ll be able to see the device, go to Add Files, and pick the information off those.

There’s my Apple iPhone — go to Add Files and look for it up here. There’s the internal storage, DCIM. Come in here and pick the files I want. Select Open, and now there are the five files I’m going to pull off that device. It’s connected as if I was going to do an acquisition. It’s connected through MTP. I’m just saying go in here, pull these files down. I’m going to get the files, the metadata, the path, and everything. I hit Proceed, it pulls them off.

Then you process those as well. I have the Collect Files here off a Pixel. I just ran a full profile off it to do it quickly. If I go to my gallery, there are the pictures I pulled off there. There’s the metadata, the properties, the preview, and I also got the geolocation data as well.

Targeted extraction along with Collect Files — you can cherry-pick exactly what you want off those devices. Collecting files is fast; that’s just pulling them right down off the phone itself. Think victim-witness consent situations, think witnesses, where they have something.

Typically, either you email it or send it to yourself, or, “Hey, come in tomorrow, we’ll pull it off your phone.” You can hook it up right then and there and pull it off in seconds. You can have them on their way in minutes — you pull it off in seconds.

But that’s it. That’s a lot of the new features that have come in. Again, the two big ones are sanitise and targeted extraction, plus a lot of fixes and the new branding — the new colour scheme. Hopefully everybody likes that. This is up on the website, adfsolutions.com/downloads.

Again, our tool — Rapid On-Scene Triage. This complements the other tools you’re using. We’re not competing with them. You can bring in their acquisitions; we can target those. Speed — getting the information you want.

A lot of the tools we give you in here are designed to stop the manual thumb scrolling — with the preview, with screen capture, with HDMI — getting devices that maybe are sitting on the shelf because you weren’t able to get information off them, or you revert back to a manual process with a photograph of the screen, where there are feet in the picture. We’re solving all those issues here for you.

I want to thank you for your time. I know we all had choices today. “When will this go live and update?” is one of the questions. It’s up there already — adfsolutions.com/downloads. It’s not a menu item on our website, so adfsolutions.com/downloads.

This will be available on demand as well. It’s live and ready to go. You can install it right over 6.2. You don’t need to do anything different — there are no changes that need to be worried about or taken care of. Everything will carry over from 6.2 to 6.3.

Again, I appreciate your time. You all had choices, and you chose to be here with me for 30 minutes — I appreciate it. Have a great rest of your day, and we’ll see you next time. Thank you, everybody.
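
The hash-set matching, automatic tagging, sanitising and gallery deduplication the webinar describes, as an added Python example. This is not ADF’s code and is not from the webinar; it assumes a hypothetical “digest,category” CSV as the hash-set format (standing in for a Project VIC or CAID export) and uses constructed sample files, so the concrete digests, paths and category labels are illustrative only.

```python
"""Added example (not ADF's code): hash-set triage with per-category
tagging, a 'sanitised' flag, the 'show me the rest' filter, and
gallery deduplication. Hash-set format and sample data are constructed."""
from __future__ import annotations

import csv
import hashlib
import io
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

CHUNK = 1 << 20  # hash large media in 1 MiB chunks instead of reading whole files


def load_hash_set(csv_text: str) -> dict[str, str]:
    """Parse a hypothetical 'digest,category' CSV into a digest -> category map.
    Digests are normalised to lowercase hex so a differently-cased export never misses."""
    table: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row["digest"].strip().lower()] = row["category"].strip()
    return table


def hash_file(path: Path) -> tuple[str, str]:
    """Return (md5, sha1) of a file, both computed in a single pass over the bytes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        while chunk := fh.read(CHUNK):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


@dataclass
class Item:
    path: Path
    md5: str
    sha1: str
    category: str | None = None          # hash-set category when matched, else None
    tags: list[str] = field(default_factory=list)
    comment: str = ""
    sanitised: bool = False

    def preview(self, reveal: bool = False) -> str:
        """What the gallery renders: a sanitised match stays hidden unless explicitly revealed."""
        if self.sanitised and not reveal:
            return "[sanitised hash match]"
        return self.path.name


def scan(paths: list[Path], hash_set: dict[str, str], sanitise_matches: bool = True) -> list[Item]:
    """Hash each file; on a hash-set match, tag it, comment it and (optionally) sanitise it."""
    items = []
    for p in paths:
        md5, sha1 = hash_file(p)
        item = Item(p, md5, sha1)
        category = hash_set.get(sha1) or hash_set.get(md5)   # accept either digest type
        if category is not None:
            item.category = category
            item.tags.append(f"hash-match:{category}")
            item.comment = f"matched hash set, category {category}"
            item.sanitised = sanitise_matches
        items.append(item)
    return items


def unmatched(items: list[Item]) -> list[Item]:
    """The 'filter out the known matches, show me everything else' view."""
    return [i for i in items if i.category is None]


def dedupe(items: list[Item]) -> list[Item]:
    """Gallery deduplication: one entry per distinct content (keyed on SHA-1)."""
    seen: set[str] = set()
    out = []
    for i in items:
        if i.sha1 not in seen:
            seen.add(i.sha1)
            out.append(i)
    return out


def demo() -> list[Item]:
    """Constructed sample: three files, one known hash (listed upper-case), one duplicate."""
    root = Path(tempfile.mkdtemp())
    known = b"constructed known file contents"
    (root / "a.jpg").write_bytes(known)
    (root / "b.jpg").write_bytes(b"constructed unknown picture")
    (root / "c.jpg").write_bytes(known)                   # byte-identical to a.jpg
    hash_csv = "digest,category\n" + hashlib.sha1(known).hexdigest().upper() + ",1\n"
    return scan(sorted(root.glob("*.jpg")), load_hash_set(hash_csv))


if __name__ == "__main__":
    for it in demo():
        print(it.preview(), it.tags, it.comment)
```

The `preview()` default is the point of the sanitise option: a matched file is never rendered again unless the analyst explicitly passes `reveal=True`, which mirrors the “show it for discovery, then it goes back to sanitised” behaviour. Keying the lookup on both MD5 and SHA-1 covers hash sets that ship only one of the two.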