What’s Up With Whatsapp

WhatsApp Messenger is a cross-platform mobile application which allows you to exchange messages without paying for SMS. This information is taken from www.whatsapp.com, which also states that the application can be used on the iPhone, Android, Blackberry and Windows Phone. What it does not say is that this application now has 350 million active users each month. Users can share photos, chat and more, all without the SMS services of the cellular carrier. What this means to you, the examiner, is simple: the automated tool that extracts only the SMS is going to miss a tremendous amount of information. Moreover, if your case hinges on a message that was sent or received, you should be prepared to examine this application if it exists.

Taking a look at the database that we obtained from an iOS device running iOS 7 using AccessData’s MPE+ iLogical function, you can quickly see it is a SQLite database, typical of all applications on iOS and Android. Let’s look at the databases in the net.whatsapp.Whatsapp folder.

Figure 1 Filesystem view

Contained in the Documents folder are both the ChatStorage.sqlite file and Contacts.sqlite. Both are self-explanatory, with ChatStorage containing chats and Contacts containing the contact lists. The Library folder contains the application data as well as the Snapshots folder. This folder holds the last screens used, stored in PNG format. This can be some great information. Typically there will be one picture of the last chat and also the last contact screen. The Media folder is a treasure trove holding any audio, video or images shared and sent via the WhatsApp application. What is even better is that this information is listed in subfolders named with the WhatsApp user name. The WhatsApp user name is going to be the phone number associated with the user. An example is shown below. The net.whatsapp.Whatsapp.plist shows the user information for the device you are examining. This contains the username, status and associated times.

Figure 2 Media folder location

The real examination comes when we look inside of the databases. Let’s first look at the Contacts.sqlite file.

The Contacts.sqlite has several tables that correspond to the buttons in the application. The favorites table uses both the WACONTACT and WAPHONE tables to identify the users. Using the PHONE column in both the WAFAVORITES and WAPHONE tables you can ascertain the phone number associated in the WACONTACT table to determine the full name of the WhatsApp contact. The WACONTACT table is a duplicate of the iOS device contacts as they were when the user accepted WhatsApp’s request to access the device’s contacts. The most important database to an investigation is going to be the ChatStorage.sqlite file, which is located in the same directory as the Contacts.sqlite.

The ChatStorage.sqlite contains several tables as well. For brevity I am going to only speak about a few. The WACHATSESSION table lists the active chats, the last date, the name of the user and their ID. The WAMEDIAITEM table lists the location in the filesystem, geolocation and a ton of metadata associated to the media stored. The WAMEDIALOCALPATH column points to the filesystem of the device showing where that attached media item is located. Using this table along with WAMESSAGE table you can link the media to the chat session and associated user. Speaking of the WAMESSAGE table let’s get into the most important table in my opinion.

The WAMESSAGE table contains several columns of importance but we are only going to talk about ISFROMME, MESSAGESTATUS, MESSAGETYPE, MEDIAITEM, MESSAGEDATE, FROMJID, PUSHNAME, TEXT and TOJID. These columns can put together a complete picture for you as an investigator. Let’s get started.

ISFROMME – This column indicates if the message originated from the active account of the database you are examining. The column will contain a 0 or a 1. A 1 indicates that the message originated from the database you are examining and its account; a 0 indicates that it did not.

MESSAGESTATUS – This column indicates the status of the message. If the message that has been sent or received has been read by both parties you will see a 2. If only one party has read the message it will have a 1. A 0 has been seen to indicate part of a group message or a WhatsApp message. If you look at the interface and see a check next to the message the table will reflect a 1; if there are two checks you will see a 2.

MESSAGETYPE – This column indicates if the message is a regular message, contains a file, is a message from WhatsApp or has a location attachment. If this column contains a 0 the message contains text, 1 will contain media, 6 is a WhatsApp message and 5 indicates a location was sent. The location is a media file that can be found in the stored media folder as well.

CHATSESSION – This column indicates the chat session number. This column would be used to show the entire thread of the chat session.

LASTSESSION – This column will indicate the last message in the CHATSESSION. The number corresponds to the CHATSESSION number and is in the column to indicate that the message is the last message in the thread.

MEDIAITEM – This column gives the media number that corresponds to the WAMEDIAITEM table.

MESSAGEDATE – This column gives the date of the message when sent and when read by the user. This format will depend on the OS WhatsApp is running on. For iOS it is a MAC Date and for Android I have seen microseconds.

FROMJID and TOJID can be used to get additional information on the WhatsApp users.

PUSHNAME – This column identifies the user name of the sending party and can be tied to the contacts database for more information on the user.

TEXT – This column contains the chat text.

Of course with any release of an application the tables and associated markers can change, so please look into the data and make sure the information contained in this document is what you are seeing.
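The column meanings above can be checked by hand with a short script. This is an added example, not part of the original post and not MPE+ code: it builds a small constructed stand-in for ChatStorage.sqlite using the table and column names as written above, joins WAMESSAGE to WACHATSESSION and WAMEDIAITEM, and decodes the flags and the iOS Mac date. The key column `PK` and the columns `PARTNERNAME`, `LATITUDE` and `LONGITUDE` are assumed names; confirm the real schema of your copy before reusing the query.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# iOS stores MESSAGEDATE as a Mac date: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Code meanings as given in the post; any other value is reported, not guessed.
MESSAGE_TYPE = {0: "text", 1: "media", 5: "location", 6: "whatsapp message"}
MESSAGE_STATUS = {0: "group or whatsapp message", 1: "one check", 2: "two checks"}

# PK, PARTNERNAME, LATITUDE and LONGITUDE are assumed column names.
QUERY = """
SELECT m.PK, s.PARTNERNAME, m.ISFROMME, m.MESSAGESTATUS, m.MESSAGETYPE,
       m.MESSAGEDATE, m.FROMJID, m.TOJID, m.PUSHNAME, m."TEXT",
       i.WAMEDIALOCALPATH, i.LATITUDE, i.LONGITUDE
FROM WAMESSAGE AS m
JOIN WACHATSESSION AS s ON s.PK = m.CHATSESSION
LEFT JOIN WAMEDIAITEM AS i ON i.PK = m.MEDIAITEM
ORDER BY m.CHATSESSION, m.MESSAGEDATE
"""


def mac_to_utc(seconds):
    """Convert a Mac date to a readable UTC timestamp."""
    moment = MAC_EPOCH + timedelta(seconds=seconds)
    return moment.strftime("%Y-%m-%d %H:%M:%S UTC")


def decode(table, code):
    """Translate a numeric code, keeping unknown values visible in the report."""
    return table.get(code, "unknown code %r" % (code,))


def timeline(db):
    """Return one dict per message: chat, direction, status, type, time, media."""
    db.row_factory = sqlite3.Row
    rows = []
    for r in db.execute(QUERY):
        sent = r["ISFROMME"] == 1
        has_media = r["WAMEDIALOCALPATH"] is not None
        rows.append({
            "message": r["PK"],
            "chat": r["PARTNERNAME"],
            "direction": "sent" if sent else "received",
            "other_party": r["TOJID"] if sent else r["FROMJID"],
            "pushname": r["PUSHNAME"],
            "status": decode(MESSAGE_STATUS, r["MESSAGESTATUS"]),
            "type": decode(MESSAGE_TYPE, r["MESSAGETYPE"]),
            "sent_utc": mac_to_utc(r["MESSAGEDATE"]),
            "text": r["TEXT"],
            "media_path": r["WAMEDIALOCALPATH"],
            "location": (r["LATITUDE"], r["LONGITUDE"]) if has_media else None,
        })
    return rows


def build_sample_db():
    """Constructed sample data standing in for a real ChatStorage.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE WACHATSESSION (PK INTEGER PRIMARY KEY, PARTNERNAME TEXT);
    CREATE TABLE WAMEDIAITEM (PK INTEGER PRIMARY KEY, WAMEDIALOCALPATH TEXT,
                              LATITUDE REAL, LONGITUDE REAL);
    CREATE TABLE WAMESSAGE (PK INTEGER PRIMARY KEY, ISFROMME INTEGER,
                            MESSAGESTATUS INTEGER, MESSAGETYPE INTEGER,
                            CHATSESSION INTEGER, MEDIAITEM INTEGER,
                            MESSAGEDATE REAL, FROMJID TEXT, TOJID TEXT,
                            PUSHNAME TEXT, "TEXT" TEXT);
    INSERT INTO WACHATSESSION VALUES (1, 'Alex Example');
    INSERT INTO WAMEDIAITEM VALUES
        (1, 'Media/15555550101/loc_0001.jpg', 39.7392, -104.9903);
    INSERT INTO WAMESSAGE VALUES
        (1, 0, 2, 0, 1, NULL, 405000000.0, '15555550101@s.whatsapp.net',
         NULL, 'Alex', 'Where are you?'),
        (2, 1, 1, 5, 1, 1, 405000060.0, NULL,
         '15555550101@s.whatsapp.net', NULL, NULL),
        (3, 0, 2, 9, 1, NULL, 405000120.0, '15555550101@s.whatsapp.net',
         NULL, 'Alex', 'ok');
    """)
    return db


if __name__ == "__main__":
    for row in timeline(build_sample_db()):
        print(row)
```

Message 3 in the sample carries a type code the post does not list, and the report shows it as unknown rather than silently mapping it to text.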

The best part about the database is the output when you put it all together. Using AccessData’s MPE+ I am able to select the database and then the associated tables and rows and create immediate output of the data into my report. This is all done without even leaving the application. Below is an example of pulling the data from WhatsApp for the geolocation, date, URL in the database folder, the name of the user that sent the media and if any text was associated with the media. This can immediately be published into a report.

Figure 3 Pulling whatsapp data sample

Another example is using AccessData’s MPE to pull the content from the message table, associate with the user and get the date of the message. What is fantastic is the fact these queries are all saved and can allow reuse over and over in your examinations.

Figure 4 Pulling message data from whatsapp

Locating and analyzing application data on smart devices is of paramount importance in today’s digital examinations. Whatsapp is only one application in a sea of millions of iOS and Android applications available for smart device users.

If you are relying on the simple automated solution to pull data from the standard locations, you are missing valuable data that can be easily obtained using tools built to handle the analysis of this type of digital data.

Posted in Information, Products, Training

Modern day hieroglyphs.

Depending on the age of the person using SMS messaging or receiving SMS messaging you may know what an emoji is. If you do not know what an emoji is, let me first give you the description/definition and some examples.

Wikipedia:  Emoji (絵文字, or えもじ?); Japanese pronunciation: [emodʑi] is the Japanese term for the ideograms or smileys used in Japanese electronic messages and webpages. Originally meaning pictograph, the word literally means “picture” (e) + “letter” (moji).
http://en.wikipedia.org/wiki/Emoji

Some examples of these from the iPhone emoji set:
iPhone emoji

So what do these little items have to do with SMS and more than one meaning?

Since SMS is utilized more than voice in today’s world we try to infer the meaning, the tone, the attitude of each and every SMS message. These emojis can change the meaning of a once-thought-benign SMS to fighting words in a blink of a smiley.

A perfect example would be a simple message sent from a colleague.

what was sent:          Hey, great job today! [Thumb down emoji]

what was received:   Hey, great job today!

Now of course that is not the best example, but you as a receiver of this SMS message feel pretty good about how you performed (because you did not receive the emoji), but the actual sender thought differently. Now let’s think about this as a forensic examiner. Could a message that is sent by a nefarious sender have a different meaning if your software cannot decode the iPhone emojis?

I am coming to get you!

I am coming to get you!

I am coming to get you!

Without a doubt the SMS messages have different meanings even with the same text content. Which one would you like to take to court? Most likely the one with the firearm, but what if the third is the only option, as so many software solutions portray?

In AccessData’s MPE+ the iPhone emojis will display in the SMS readout to help portray the meaning of the SMS message. Using MPE+ you can see exactly what emoji was used in the SMS message, and that can help explain what the sender was intending. In the examples below you can see there are some messages that are just emojis. What if your software is not displaying these for you? You might miss the entire meaning behind the SMS, since it is nonexistent in your report!

As you can see in these simple examples MPE+ will display the emoji that was sent along with the message.

In today’s electronic discovery you must “see” the entire picture as it relates to communication.  Communication in the world today is done via portable devices via applications and SMS so you must be prepared to decipher the modern day hieroglyphs. Having a tool that can help makes that job just a little bit easier.
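One way to check whether a tool dropped emoji from a message, as an added example that is not part of the original post and not MPE+ code: compare the raw UTF-8 bytes stored for the message with the text the tool reported, and spell out each symbol by its Unicode name so a plain-text report cannot lose it. The sample messages are constructed.

```python
import unicodedata
from collections import Counter

# Categories that carry pictographs and similar symbols: other symbols (So),
# modifier symbols (Sk), private use (Co), unassigned (Cn), surrogates (Cs)
# and format characters such as the zero width joiner (Cf).
SYMBOL_CATEGORIES = {"So", "Sk", "Co", "Cn", "Cs", "Cf"}


def describe(ch):
    """Return 'U+XXXX NAME' for one character."""
    return "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNNAMED"))


def annotate(text):
    """Replace each symbol with its bracketed code point and Unicode name."""
    out = []
    for ch in text:
        if unicodedata.category(ch) in SYMBOL_CATEGORIES:
            out.append("[%s]" % describe(ch))
        else:
            out.append(ch)
    return "".join(out)


def lost_characters(raw_bytes, tool_text):
    """List characters present in the stored bytes but absent from the tool output."""
    stored = raw_bytes.decode("utf-8", errors="replace")
    missing = Counter(stored) - Counter(tool_text)
    return sorted(describe(ch) for ch in missing.elements())


def audit(messages):
    """messages: list of (raw_bytes, tool_text). Return findings per message."""
    findings = []
    for index, (raw, shown) in enumerate(messages, start=1):
        lost = lost_characters(raw, shown)
        if lost:
            stored = raw.decode("utf-8", errors="replace")
            findings.append((index, annotate(stored), lost))
    return findings


# Constructed sample: what is stored on the device vs. what a tool displayed.
SAMPLE = [
    ("Hey, great job today!\U0001F44E".encode("utf-8"), "Hey, great job today!"),
    ("I am coming to get you!\U0001F52B".encode("utf-8"), "I am coming to get you!?"),
    ("I am coming to get you!".encode("utf-8"), "I am coming to get you!"),
]

if __name__ == "__main__":
    for index, full_text, lost in audit(SAMPLE):
        print(index, full_text, lost)
```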

Posted in Information, Training

iLogical Support

MPE+ Startup

AccessData’s MPE+ added not only support for iOS7 but enhanced the iDevice support with the new iLogical™ selection.

Prior to the 5.4 release a user had to select the manufacturer as well as the make when conducting a collection of an iOS device. Now, the user simply selects Apple and then iLogical Device to conduct a collection on ANY iDevice from the original iPhone to the new iPhone 5S or 5C; it is that easy.

Also, in prior versions of MPE+ the logical collection was just like any other tool’s collection, using the standard iTunes backup engine. So, that of course limited the data to only what iTunes allowed to be backed up. That is no longer the case! Not only is iTunes not needed for the collection, but data capabilities can be selected that recover data not backed up by the iTunes service! This includes application data, device information and network information to name a few.

How about iTunes Backup encryption? Since most tools use the iTunes backup service to obtain a logical collection of the data, the examiner is stopped in their tracks if the user has set the backup to be encrypted via iTunes. The information is collected but the data is encrypted, unreadable and unusable. MPE+ now solves this problem a couple of ways.

If the iTunes backup password is known the user can enter this information into the MPE+ interface and all capabilities are available.

What if the passcode for iTunes is not known?

No problem, MPE+ will bypass this encryption and recover application data, user information, media and much more!

Ok, this may be a first for any software with Backup encryption enabled but what about the actual passcode to the device?

MPE+ has a built in browser to obtain the needed files to unlock ANY iDevice. This includes the newest iPhone 5S and 5C! If you have the computer the device had synced to these files are available. They also can be obtained using AccessData’s Triage tool if needed.

Just looking at the filesystem view in MPE+ the application data obtained is really unbelievable. Application caches, user storage as well as locally stored files are available to the user.

If iDevices are something that you are processing regularly then the new AccessData MPE+ 5.4 is a software application you cannot do without.

Here is some more information :  http://www.accessdata.com/mpe-ios-support/

Posted in Information

MDM and the Corporate Shield

The corporate environment of today is reliant on the mobility of the team members. By mobility I mean the team must be attached to every member all the time, at a moment’s notice. In order to maintain this connectivity the team must use devices that can allow them to be untethered and unhooked from the standard ethernet cable and out in the invisible land of cellular. In doing so they take with them mobile devices ranging from the iPad to the Galaxy Tab to the iPhone to the Motorola Droid.

These mobile devices are so powerful and versatile that companies are no longer issuing laptops to take into the field but a mobile cellular device. Gartner, Forbes and Business Wire all have published studies on mobile devices vs laptops/PC in today’s work environment. All studies point to the demise of the outdated PC and in with the new mobile device. This blog is being generated, created and edited on a mobile device with a portable keyboard.

With power should also come responsibility, correct? What does power, mobile device distribution, allowance and governance have to do with responsibility? It should come as no surprise that a mobile device of today is not the antiquated device of yesterday. Today’s mobile device can send, transmit or otherwise take a company to bankruptcy from any part of the world or universe with a single tweet, post or attachment via their 10 megapixel mobile device camera. What are companies doing about it? BYOD aside, companies are using Mobile Device Management software, also known as MDM, in an effort to deter, monitor and maintain data breaches, leaks and breaks. Is MDM the answer to the investigation of a data breach?

MDM was first seen in applications, or wrappers, that allowed the user to enter into this application and conduct the work via the mobile device and all “work” would be safe within the MDM application. This allowed the user and corporation to feel safe that data leakage of important company information was not being transmitted using built in applications for email, SMS etc where data leakage may occur. The next step in the evolution of MDM was a full administrative tool. When the MDM software application was installed it would monitor the device for approved applications, reset the device should it be lost or stolen, and monitor the device and capture data to the administrative server. This is not an exhaustive list of all of the features of MDM software, but as you can see this mimics what a BES (Blackberry Enterprise Server) has always done with Blackberry devices. The problem with the onslaught of MDM software in the corporate environment is the false sense of security it may bring if a critical incident occurs. MDM companies will be the first to admit their tool is not made for investigations, but at a reported 16 billion dollar industry by 2016 why rush it?

Should a data breach occur and a company is requested to produce ESI from a custodian, a tool utilized for forensic investigations should fill the bill, not a Mobile Device Management tool. Past precedent has been laid by many companies using Blackberry Enterprise Servers. While data residing on a server is very important to a possible ESI event, data living in the now on a mobile device is paramount.

Posted in Information

Validation and MDF Tools

At every speaking event I make sure to let the attendees know that there is not a one tool solution when it comes to MDF (mobile device forensics). I always add, “if a company says they are the only solution do not buy from them”. This is true for two reasons: one, they do not know what they are selling and two, they do not know the complexities of mobile device collection and analysis. The focus tends to be just on stamping “Industry First” on the feature and pushing it into the market.

Sometimes rushing to the head of the line makes one overlook the steps to get there; often giving a sub par feature out to the customers will be the result. What can we do with multiple tools in our toolbox?

Support more devices

This is the most obvious. Mobile device tools do not support all devices that come to market, period! This is easily recognized by the 20 emails I receive every day from phonescoop.com telling me of a new device that has been approved in the United States and Canada. Yes, only in North America. Now when we talk about the phones that come to market worldwide per day, I always use the statistic 2 phones per hour per day across the world. So actually supporting all phones, no matter if a company touts they have an in with cellular companies, is preposterous. Armed with multiple tools you can cover a much wider spectrum. Even then, supporting every device you might see is nearly impossible. So, look to the statistics in your area. Do you see CDMA, GSM, iOS, Android or others? Select tools that cover the wide array of devices you will be encountering in your area and that complement your other forensic tools.

Validation of data

Having a number of tools allows you to validate the data collected. Is the data in UTC or local time? Is the device information properly formatted? Was the UTF-8 properly decoded and displayed? Was the correct number of SMS displayed? Contacts?

It is extremely important to run these types of tests upon upgrade, update and installation. Ultimately it will be the user that will have to explain that the tool or tools do not add data to the device. This is extremely important because a couple of the tools that are on the market as a mobile forensic solution really come from the data transfer market. In that market the tools actually add data like contacts, SMS, pictures and call logs to another phone via a cable transfer. You will see this when you go to your local cellular company upon upgrading to a new device.

Validating that the data is consistent with collections across the tools that you have in your tool box is needed, but determining whether data is altered, deleted, manipulated is paramount.

Support additional fields (better analysis)

Would you be surprised that even if multiple tools support the same device, and further the same category, say contacts, each tool might not support a particular field within that category? Take for example: Tool A vs Tool B

Tool A and Tool B both support the iPhone 4S running iOS 6.0.1. A collection is performed with Tool A and an analysis of the iMessages is completed. Looking at the fields there are 4 fields representing the iMessage. Think you have it all right?

The same collection from Tool A is imported as an image into Tool B (AccessData’s MPE+). The image is parsed for the iMessages and now an additional 4 fields are shown. What does this mean to you as an investigator? Simply put, more data = more evidence. If you were using only Tool A you would be without an additional four fields of user data for that iMessage. So in this instance using multiple tools benefited the overall case because one tool performed better analysis of the data.

Having more than one mobile device forensic solution available to you will benefit you in many ways. As you have read, having multiple tools will allow you to validate the collection and extraction, allow for better analysis and recovery of data not supported by the initial tool and allow you to support more devices that come into your lab.

Posted in Information, Products, Training

Mobile Phone Examiner + with versatile image support

In @Accessdata MPE+ you now have the ability to import many different image types. Not only can you import any Accessdata AD1 files you can import compressed folders, TAR, DD, YAFFS, YAFFS2, EXT (all flavors), FAT, IPD and what I am going to focus on in the blog, E01 files.

What does this capability mean to you the examiner? Honestly, it means you now have a tool that can process formats from many, if not all current mobile phone tools. If the tool exports to a folder, zip it up and bring it in; if the tool exports the iOS to a TAR or DD or DMG, bring it in. If you have used AccessData’s Forensic Toolkit you are familiar with the many files and filesystems it can process; MPE+ is capable as well.

Why import a file or image from another tool? Simple question with a simple answer; it is because doing so allows you the flexibility to look at the data differently. By looking at the data differently you can not only validate the tool that collected the data, but quite possibly recover additional data not recovered or supported by the original tool.

A perfect example of this is with an image of an Android device. The E01 image contained a YAFFS2 partition of the user area. In this software example, the image was mounted as you can see in Figure 1 but the userdata areas were not parsed out. If the user data is not parsed out, the examiner would need to jump into the SQL databases and grab/script/convert/bookmark the data. This of course is extremely time consuming, and honestly not the easiest task to accomplish.

Screenshot of image

Figure 1

This same E01 image was imported into MPE+ via Import Image. The E01 file immediately mounted into the filesystem view but looks like the other software mounted image. So what is the difference?

MPE+ Mounted E01 file

Figure 2

With the built in parsers in MPE+ you simply select iOS or Android and MPE+ will traverse the filesystem – finding the selected capabilities – and when completed present them to the examiner in the MPE+ interface.

Android Parsing

Figure 3

The data can now be viewed, selected, exported and reported.

Toolbar with Data Views

Figure 4

Not only can MPE+ perform the physical collections on both iOS and Android devices but as you can see MPE+ also complements other mobile phone tools that might lack the robust parsing capabilities that MPE+ possesses.

As I always say, one cannot have just one tool when it comes to mobile device forensics, but without a doubt AccessData’s Mobile Phone Examiner Plus should be in your toolbox.

Posted in Training

Mobile Phone Examiner Plus 5.0

Ok, readers. Some of you following, or simply users of @AccessDataGroup or @ADMobilTraining Mobile Phone Examiner Plus say,

“Hey, did the version go from 4.8 to 5.0?”

A resounding yes.

The easy explanation:

There are so many upgrades to 5.0 that users of 4.8 will not even recognize the look or the operation of the product. Seriously, the product has not only been re-skinned but injected with unbelievable features.

Yes, @AccessDataGroup has added over 1300 new device profiles, to include the legacy phones that no other tool currently represents, and has also added new Android devices and Blackberry profiles. This upgrade is keeping up with the Joneses, but coupled with the addition of physical support of Samsung Galaxy Series II devices that are locked AND have USB Debugging OFF, MPE+ is moving into a category of its own. Yes, USB Debugging OFF!

Honestly though, those features pale in comparison to the user interface update, visualization, SQLDatabase Viewer and FreeFile Parser. This is a FIRST in the mobile forensic community; the addition of all these unique features under one hood is unprecedented and unrivaled.

Let’s break each of those features down with some iCandy and captions.

New User Interface

MPE+ 5.0 Interface

The look and feel of MPE+ 5.0 allows custom skins for the user. Whatever the preference of the user, they simply have to go to the settings menu and select from MPE Black to Blue to Windows 7. We also added the ability in the settings menu to customize the concurrent carvers. This allows our data carving to move much faster since we allow the examiner to tailor to their hardware.

Visualization

MPE Timeline Visualization

The visualization component is a feature that first came to FTK and now has been added to MPE+. There are some companies that talk about analytics, but when you “see” the data it makes an impact. If it makes an impact on you, what do you think it will do with the courtroom, litigation team and customer? This feature is a trail-maker, path-burner, zero-day event. The other vendors will be scrambling for a solution after this release.

With MPE+ 5.0 you can visualize both a timeline and/or social communication in MPE+. This allows you to immediately see, snap a picture and report on ONLY the data you are looking for based upon a date/time or date range you choose. Also, the social analyzer allows you to select the contacts you would like to see, visually, and what their communication patterns with the phone owner look like for Email, SMS, MMS and Call Logs. This is all laid out in a pie, bar graph, grid and cluster chart. Here are a few adjectives to describe this feature: unrivaled, unparalleled, unbelievable and incredible! You can immediately see who is hot and who is not!

SQL Database Viewer

SQLite Explorer

I hate to say it but iOS and Android devices are so active with applications there is no way a software company can keep up with the demand of forensic support of all of them! So, @AccessDataGroup has added the ability to visualize ALL SQLite databases and their tables from within MPE+. You can view the columns and rows uncovering usernames, passwords, geodata, dates, times and any other data held within the device’s treasure trove. Not only can this data be viewed but you can export directly to Microsoft Excel. Say MPE+ does not do what you want with the file? Simply right click and export the raw file to any place you want it! It’s that easy!

FreeFile Parser

FreeFile Parser

This could go on and on with the new features, but let’s end it with the FreeFile Parser and Filters. We know that deleted data can live within logical SQL database files in iOS and Android, but few tools allow you to actually get into those “pages”. Well, MPE+ 5.0 now allows you to simply right-click on any SQL database and select to parse for deleted data. This immediately harvests all the data strings from the area allocated to store this deleted data and displays it to you in a nice grid format. Now add the next feature, filters, and you will understand why @AccessDataGroup skipped to 5.0.
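One place deleted rows survive inside a SQLite file is the freelist, the chain of pages the database has released but not yet overwritten. This added example (not MPE+ code and not from the original post; `build_demo` and its `sms` table are constructed for the demonstration) walks that chain in a raw copy of a database file and carves printable strings from the free pages.

```python
import os
import re
import sqlite3
import struct
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


def freelist_pages(data):
    """Return (page_size, page numbers on the freelist) for a raw SQLite file."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                      # header value 1 means 65536
        page_size = 65536
    # Header offset 32: first freelist trunk page; offset 36: freelist page count.
    trunk, _total = struct.unpack(">II", data[32:40])
    pages, seen = [], set()
    while trunk and trunk not in seen:      # 'seen' guards against corrupt loops
        seen.add(trunk)
        base = (trunk - 1) * page_size
        if base + 8 > len(data):
            break
        # Trunk page layout: next trunk page, leaf count, then leaf page numbers.
        next_trunk, n_leaves = struct.unpack(">II", data[base:base + 8])
        n_leaves = min(n_leaves, (page_size - 8) // 4)
        leaves = struct.unpack(">%dI" % n_leaves,
                               data[base + 8:base + 8 + 4 * n_leaves])
        pages.append(trunk)
        pages.extend(leaves)
        trunk = next_trunk
    return page_size, pages


def carve_strings(path):
    """Return (page_number, string) pairs found in freelist pages of the file."""
    with open(path, "rb") as handle:        # read-only: work on a copy of evidence
        data = handle.read()
    page_size, pages = freelist_pages(data)
    found = []
    for number in pages:
        start = (number - 1) * page_size
        for match in PRINTABLE.finditer(data[start:start + page_size]):
            found.append((number, match.group().decode("ascii")))
    return found


def build_demo(path):
    """Create a constructed database, delete every row, return the live row count."""
    db = sqlite3.connect(path)
    db.execute("PRAGMA auto_vacuum = NONE")   # keep freed pages in the file
    db.execute("PRAGMA secure_delete = OFF")  # some builds zero freed pages by default
    db.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany("INSERT INTO sms (body) VALUES (?)",
                   [("deleted-note-%03d " % i + "x" * 200,) for i in range(200)])
    db.commit()
    db.execute("DELETE FROM sms")
    db.commit()
    live = db.execute("SELECT COUNT(*) FROM sms").fetchone()[0]
    db.close()
    return live


if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "demo.sqlite")
    print("live rows:", build_demo(demo))
    hits = carve_strings(demo)
    print("strings recovered from free pages:", len(hits))
    print(hits[0][0], hits[0][1][:40])
```

Databases written with secure delete enabled, or vacuumed after the deletion, will return nothing from this area.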

Filters

Filters

You can filter ANY datatype column in MPE+ on a datatype that lives in a cell and even filter based on user set criteria. Nested filtering is also supported. What this will allow is the ability to narrow the focus of your examination, select and export only the relevant data. So, looking through 25,000 SMS files for that one message is made easy.

If you are a current MPE+ user, I cannot wait to hear what you think. If you are a current FTK user without a copy of MPE+, why have you not added the software to your toolset? If you have other mobile phone solutions can you currently conduct this type of examination?

The release date for @AccessDataGroup MPE+ 5.0 is August 28th, 2012.

Posted in Products, Training

Mobile Security in the BYOD

I presented at the AccessData User Conference this year about mobile security and spoke about the BYOD or Bring Your Own Device phenomenon in today’s corporate world. At that time, BYOD was taken by my audience as “he misspelled BYOB”. No, I did not forget my own beverage; furthermore, this term had only been located in a handful of articles during my research for the event at ADUC. Since then, BYOD talk has gone viral, for good reason.

Bring Your Own Device really has manifested into today’s working environment at an alarming rate. This is evinced in the many companies I consult with; the principal factor: cost. It is simply cheaper to allow an employee to bring their own device. In essence, this allows the company the freedom to grant the employee the choice of bringing their own device to work; attach to the corporate network and (steal) stay “connected” and productive while mobile. Fantastic concept when you look at the money saved for cellular contracts, equipment and employee data overages. Ludicrous idea when you think of the litigation expenses, liability and governing of a device not owned or controlled by the company.

This BYOD is not something that will be removed from the corporate scene, but there should be a movement on how to mitigate exposure. Some suggestions:

1. Create a policy outlining usage of a BYOD on the corporate network – This should outline the governing agencies access to the device
2. Forensic staff to respond to possible data breach armed with proper software and training with mobile devices.
3. Mobile Data Monitoring software
4. Consult with a security company
5. Look to purchasing devices maintained by your internal IT group.

The BYOD issues will continue to grow as the “connected” workforce grows. Statistically, the number of data loss events seen in the US involving a mobile device outnumber the events that do not. Due to the continual growth of data speeds, device storage and device capabilities, the number might grow gradually but the data loss volume will increase exponentially.

The technology is here to stay and will forever be in our offices, our companies and society’s streets. It is now up to the organizations to prepare themselves for a response to a data loss event.

Posted in Information

MFI Class Information

Mobile Forensics Inc has brought a new face to the front, Kevin DeLong.

Kevin comes from the Lima, Ohio Police department where he has been a forensic examiner of computers and mobile devices. Kevin will take the role of the Manager of mobile forensic training at AccessData Group, heading up the MFI training arm. Kevin will continue to focus AccessData on the training brought by Mobile Forensics Inc. MFI training will remain non vendor in its approach, focusing on multiple tools when collecting digital evidence from mobile devices.

Kevin and I will be bringing new courses to MFI and AccessData in the coming months to keep up with the constant flux of the mobile phone community. MFI has always been and will continue to be a forerunner when it comes to mobile phone training.

New classes will include multiple day topics including but not limited to iOS, Android, Artifacts in mobile devices, Flash recovery and also software specific topics. We have launched an online Learning Management System that allows our mobile phone peeps to learn at a pace that is good for them.

This LMS idea will allow the user to put the class on “pause” when needed, navigate to the module they need or just learn in the comfort of their slippers. The LMS program is included in the all access pass, aka “all you can eat”, mobile phone curriculum at AccessData. Classes are added often; take a look.

So, say hello to Kevin DeLong @kevindelong and shoot him a “congrats” if you can. MFI will only continue to excel with Kevin navigating the training ship.

For any info on the LMS program or mobile phone training by MFI shoot an email to sales AT Accessdata DOT com.

Posted in Training

SANS #DFIRSummit

So as I leave the #DFIRSummit in Austin, TX and at 30,000 feet I have time to reflect.

I submitted a paper requesting submission into the fold and was accepted to speak at the SANS SUMMIT (which honestly, I am honored – even though Rob Lee and Lee Whitfield are involved – no help with the “equal name game”). 😉

Furthermore, since becoming a “VENDOR” (yes a V word) most entities see me as the POD of mobile forensics (Prince of Darkness – Freak – Just Selling Product) which of course is further from the truth if you talk to me.

Side Bar: For those who ventured near POD thank you and you are welcome to purgatory. 😉

This addition brought to you by WordPress and @United (Always a plug for those who keep you sane).

This time, although extremely short at #SANSummit, has taken me back; to my roots so to speak. I say taken me back because due to many circumstances, I have been sent to the corner, on subjects of anonymity (yes @CindyMurphy you saw that at lunch); sometimes have my hands tied and mind duct taped due to this new world I am a part of. I will be forever an examiner, developer and hacker; always thinking of the what-if, no matter who, what or where I am working. I truly felt a part of the front line, not the bottom line today and I thank every one of the attendees at the SANS event in Austin for this.

I truly live and grow in a world of communication. I believe, as I said in my talk, that we are the frontline, the pioneers and the forensicators. I will forever respect and honor those in the community, understanding that there is always so much to learn no matter your station. Those attending the event in Austin are not only the pioneers in the industry but the “zero-day” examiners. Again, I am honored.

I honestly hope that I can contribute to this wonderful community of “freaks”.

Side Bar: This term is of course a term of endearment as I put myself in this category.

All kidding aside, thank you for the opportunity to present at the conference as a practitioner and not a body of “VENDORISM”.

Welcome to Denver…..BLOG END.

@Celldet

Posted in Information