WEBVTT 1 00:00:00.120 --> 00:00:02.240 Look around your room right now, Like, seriously, just take 2 00:00:02.240 --> 00:00:05.480 a glance around. Do you have a smart speaker sitting 3 00:00:05.480 --> 00:00:07.000 on a shelf somewhere. 4 00:00:06.719 --> 00:00:09.800 Or you know, maybe thermostat on the wall right. 5 00:00:09.800 --> 00:00:12.560 Or a Wi Fi enabled security camera pointing out the 6 00:00:12.560 --> 00:00:15.320 front window. Now, I want you to imagine if a 7 00:00:15.359 --> 00:00:19.359 crime took place right where you are sitting, what story 8 00:00:19.399 --> 00:00:21.920 would those devices tell to an investigator. 9 00:00:22.559 --> 00:00:26.120 It's a really fascinating thought experiment, especially for anyone who 10 00:00:26.199 --> 00:00:30.600 actually pays attention to how data flows through a modern network. Yeah, totally, 11 00:00:30.719 --> 00:00:33.280 because we tend to install these devices just for our 12 00:00:33.320 --> 00:00:36.280 own convenience, right. We treat them as these passive tools 13 00:00:36.280 --> 00:00:38.960 that are just waiting for an API call or like 14 00:00:38.960 --> 00:00:40.039 a voice command. 15 00:00:39.679 --> 00:00:42.280 And they're just asleep until we need them exactly yea. 16 00:00:42.399 --> 00:00:46.159 But in reality, they are these silent, unblinking witnesses. They 17 00:00:46.280 --> 00:00:51.359 generate this massive, interlocking web of telemetry about our physical environment. 18 00:00:51.520 --> 00:00:54.640 And untangling that invisible web is exactly what we are 19 00:00:54.640 --> 00:00:57.359 doing in this deep dive today. We're looking at excerpts 20 00:00:57.359 --> 00:01:01.799 from the book Digital Forensic Education Experiential Learning Approach. 21 00:01:01.759 --> 00:01:05.280 Right, and specifically we're going to unpack how university students 22 00:01:05.280 --> 00:01:07.079 tackled the DFRWS. 23 00:01:07.359 --> 00:01:10.239 That's the Digital Forensic Research Workshop For those who don't. 24 00:01:10.079 --> 00:01:13.400 Know, Yeah, they're IoT forensic challenge. It is basically a 25 00:01:13.439 --> 00:01:18.120 simulated raid on an illegal drug lab, complete with a 26 00:01:18.200 --> 00:01:21.079 cast of shady characters and a house that is just 27 00:01:21.560 --> 00:01:23.200 packed full of smart home gadgets. 28 00:01:23.400 --> 00:01:26.680 It's so cool. It serves as a literal masterclass in 29 00:01:26.719 --> 00:01:31.599 how everyday network telemetry and device logs are transformed into 30 00:01:31.640 --> 00:01:32.400 courtroom evidence. 31 00:01:32.480 --> 00:01:36.079 The DFRWS challenge is somewhat legendary in the field because 32 00:01:36.079 --> 00:01:38.680 it's intentionally messy, like really messy. 33 00:01:38.760 --> 00:01:40.439 Yeah, they don't hold your hand, not at all. 34 00:01:40.560 --> 00:01:42.040 So our goal today is to look at the raw 35 00:01:42.079 --> 00:01:45.799 mechanics of this investigation, like how do digital breadcrumbs, raw 36 00:01:45.879 --> 00:01:51.079 packet captures, proprietary school light databases, or fin cash files. 37 00:01:51.560 --> 00:01:53.959 How does all that get synthesized into a rock solid 38 00:01:54.040 --> 00:01:54.959 narrative of a crime. 39 00:01:55.319 --> 00:01:57.519 We're going to trace the steps of these student investigators 40 00:01:57.560 --> 00:02:00.680 to see how they reconstructed a really volatile, careotic physical 41 00:02:00.719 --> 00:02:03.400 event strictly from binary data and network logs. 42 00:02:03.519 --> 00:02:05.519 It's like putting together a puzzle where half the pieces 43 00:02:05.519 --> 00:02:06.680 are invisible. 44 00:02:06.400 --> 00:02:09.280 Literally, but before we kick in the door of this 45 00:02:09.439 --> 00:02:12.719 simulated drug lab. We need to talk about the educational 46 00:02:12.719 --> 00:02:17.039 philosophy driving this, because teaching digital forensics isn't like teaching 47 00:02:17.120 --> 00:02:18.280 chemistry or physics. 48 00:02:18.360 --> 00:02:19.120 No, it's really not. 49 00:02:19.319 --> 00:02:23.360 It didn't start in some pristine university ivory tower with 50 00:02:23.680 --> 00:02:25.800 established centuries old laws. 51 00:02:25.960 --> 00:02:28.879 Yeah, the history of digital forensics is super unique because 52 00:02:28.919 --> 00:02:33.840 it grew almost entirely bottom up, bottom up. 53 00:02:33.919 --> 00:02:34.080 Right. 54 00:02:34.280 --> 00:02:37.120 What does that mean in this context, Well, it started 55 00:02:37.159 --> 00:02:40.680 decades ago simply because law enforcement would seize a machine, 56 00:02:41.000 --> 00:02:44.199 realize there was data trapped inside a hard drive, and 57 00:02:44.240 --> 00:02:47.159 they literally had to build the extraction tools from scratch. 58 00:02:47.280 --> 00:02:49.719 Wow. So no instruction manual none. 59 00:02:49.879 --> 00:02:53.159 Early practitioners were relying on like basic hex editors and 60 00:02:53.280 --> 00:02:57.319 raw bitstream imaging long before commercial suites like Celebrate or 61 00:02:57.479 --> 00:03:00.919 XAM even existed. The tools were entirely homegrown out of 62 00:03:00.960 --> 00:03:02.360 sheer operational. 63 00:03:01.840 --> 00:03:04.840 Necessity, which means they were essentially building the airplane while 64 00:03:04.879 --> 00:03:08.360 flying it. And frankly, even with today's commercial tools, that 65 00:03:08.439 --> 00:03:11.960 dynamic hasn't really changed, right, I mean, the technology evolves 66 00:03:11.960 --> 00:03:16.360 so fast that relying on traditional textbook learning is basically 67 00:03:16.360 --> 00:03:18.199 a recipe for obsolescence. 68 00:03:18.280 --> 00:03:21.520 Oh one, by the time a university actually publishes a 69 00:03:21.560 --> 00:03:26.319 textbook on Android filesystem forensics. The kernel has updated, the 70 00:03:26.400 --> 00:03:29.919 encryption architecture has changed, and you know your extraction methods 71 00:03:29.919 --> 00:03:30.719 are totally broken. 72 00:03:30.879 --> 00:03:32.280 That is so frustrating. 73 00:03:32.439 --> 00:03:36.479 It is. That's why the text we are analyzing heavily 74 00:03:36.919 --> 00:03:41.000 emphasizes experiential learning, drawing specifically on David Colb's theory. 75 00:03:41.120 --> 00:03:44.560 Right Coolb's theory, which centers on learning as a continuous 76 00:03:44.599 --> 00:03:47.960 iterative cycle. You can't just passively absorb lectures about file 77 00:03:48.039 --> 00:03:48.560 system No. 78 00:03:49.000 --> 00:03:52.400 Students have to transition into active experimenters. When you're doing 79 00:03:52.439 --> 00:03:55.159 an extraction in the real world, you're inevitably going to 80 00:03:55.240 --> 00:04:01.000 encounter a proprietary IoT device or some some firmware build 81 00:04:01.039 --> 00:04:02.080 you've literally never. 82 00:04:01.919 --> 00:04:04.719 Seen before, and the commercial tools just choke on it exactly. 83 00:04:04.759 --> 00:04:07.319 Commercial forensic tools will often just fail to parts the 84 00:04:07.400 --> 00:04:09.360 data completely. If you only know how to push a 85 00:04:09.360 --> 00:04:11.319 button on a software suite, you're dead in the water. 86 00:04:11.639 --> 00:04:13.759 Yeah, you have to know what's happening under the hood, 87 00:04:14.080 --> 00:04:14.680 you really do. 88 00:04:15.000 --> 00:04:16.639 You need to know how to drop down to the 89 00:04:16.759 --> 00:04:19.759 raw hex level and actually carve the data manually. 90 00:04:19.959 --> 00:04:22.399 Let's use an analogy here to make this bit more relatable. 91 00:04:22.680 --> 00:04:25.680 Learning digital forensics via textbook is kind of like learning 92 00:04:25.720 --> 00:04:27.800 how to cook by reading a recipe. 93 00:04:27.839 --> 00:04:28.920 That's a good way to put it. 94 00:04:28.920 --> 00:04:32.879 It's great in theory, but entirely useless if you are 95 00:04:33.000 --> 00:04:36.639 suddenly dropped into a chaotic burning kitchen where the stove 96 00:04:36.759 --> 00:04:39.560 is broken and half your ingredients are mislabeled. 97 00:04:39.680 --> 00:04:41.639 Right, you can't just follow step three, You've step two 98 00:04:41.720 --> 00:04:42.759 is on fire exactly. 99 00:04:42.800 --> 00:04:45.120 You have to learn to think on your feet, smell 100 00:04:45.160 --> 00:04:48.399 what's burning, and improvise with what you actually have. 101 00:04:48.800 --> 00:04:52.079 And what's fascinating here is how the instructors design this 102 00:04:52.160 --> 00:04:57.199 specific curriculum to replicate that exact burning kitchen. The students 103 00:04:57.240 --> 00:04:58.000 were given a choice. 104 00:04:58.040 --> 00:04:59.199 Okay, what was a choice. 105 00:04:59.319 --> 00:05:03.759 They could conduct a standard predictable research paper or dive 106 00:05:03.800 --> 00:05:09.839 into this grueling DFRWS challenge. And the challenge is famously 107 00:05:09.879 --> 00:05:11.639 difficult because it's completely open ended. 108 00:05:11.720 --> 00:05:14.040 There's no like answer key at the back of the book. 109 00:05:14.199 --> 00:05:18.240 Nope, there is no single flag to capture. It perfectly 110 00:05:18.319 --> 00:05:23.240 mimics the imperfect, asymmetrical nature of real world investigations where 111 00:05:23.279 --> 00:05:25.879 you just have fragmented data and a ticking clock. 112 00:05:26.000 --> 00:05:28.120 I love that they opted into the chaos. I mean 113 00:05:28.160 --> 00:05:31.360 that takes guts. So let's set the scene for this challenge. 114 00:05:31.399 --> 00:05:34.240 The setup is straight out of a premium cable drama. 115 00:05:34.319 --> 00:05:35.959 Oh, it really is. It's very cinematic. 116 00:05:36.120 --> 00:05:40.519 It's May seventeenth, twenty eighteen. At exactly ten point four 117 00:05:40.680 --> 00:05:44.199 a m. Police get an alert about an unsuccessful arson 118 00:05:44.240 --> 00:05:46.439 attempt at an illegal drug lab. 119 00:05:46.240 --> 00:05:48.720 And they arrive on the scene at ten four or five, right. 120 00:05:48.759 --> 00:05:50.839 And they owner the lab, a guy named Jesse Pinkman, 121 00:05:50.920 --> 00:05:53.560 which is obviously a nod to breaking bad, but the 122 00:05:53.600 --> 00:05:55.839 students have to treat him as a factual target. Well, 123 00:05:56.399 --> 00:05:58.120 he's missing, right, Pinkmin is gone. 124 00:05:58.480 --> 00:06:00.879 But during the initial SUITEP police do locate two of 125 00:06:00.920 --> 00:06:04.040 Pinkman's known associates, Deep Pandana and as Varka. 126 00:06:04.279 --> 00:06:06.519 Okay, so they have suspects, they do, yeah, and. 127 00:06:06.480 --> 00:06:08.839 Both men admit they have Wi Fi credentials for the 128 00:06:08.879 --> 00:06:12.439 labs network, but they completely deny any involvement in the 129 00:06:12.519 --> 00:06:15.519 raid or the subsequent fire right, and they claim Pigman 130 00:06:15.639 --> 00:06:19.040 was super paranoid about rival gang, so he installed this massive, 131 00:06:19.199 --> 00:06:22.839 multi layered security system and always kept the alarm heavily 132 00:06:22.959 --> 00:06:25.920 armed in home mode while he was working inside. 133 00:06:25.560 --> 00:06:30.000 Okay, which immediately tells the investigator something crucial. If Pinkin 134 00:06:30.079 --> 00:06:32.600 was inside when the fire started, the system should have 135 00:06:32.600 --> 00:06:34.519 recorded the perimeter breach exactly. 136 00:06:34.639 --> 00:06:37.959 The logs should show someone coming in. So the forensic 137 00:06:37.959 --> 00:06:40.720 team walks in to catalog the hardware, and it is 138 00:06:40.920 --> 00:06:42.360 just an IoT nightmare. 139 00:06:42.439 --> 00:06:44.279 It's a gold mine and a nightmare all at once. 140 00:06:44.319 --> 00:06:44.959 What do they find? 141 00:06:45.120 --> 00:06:47.920 They find an Ice smart alarm system, a QB camera, 142 00:06:48.040 --> 00:06:51.160 a nett camera, an arlow pro setup, an est Protect 143 00:06:51.240 --> 00:06:55.040 smoke detector, an Amazon Echo, a wink hub, a Raspberry 144 00:06:55.040 --> 00:06:56.480 Pie acting as a rogue router. 145 00:06:56.759 --> 00:06:58.040 Wow, it's a lot. 146 00:06:58.240 --> 00:07:02.000 And crucially Pinkman's personal sound Sung Galaxy S six edge. 147 00:07:02.319 --> 00:07:06.360 Okay, so it's the quintessential fragmented IoT environment. You have 148 00:07:06.519 --> 00:07:12.079 a dozen distinct devices, varying communication protocols like zigb Z 149 00:07:12.279 --> 00:07:14.920 Wave Standard eight to two point one one, all routing 150 00:07:14.959 --> 00:07:16.600 to different proprietary cloud server. 151 00:07:16.879 --> 00:07:19.120 Right, it's the total mess of different ecosystems trying to 152 00:07:19.120 --> 00:07:19.759 talk to each other. 153 00:07:19.959 --> 00:07:21.920 But wait, I have a massive problem with how the 154 00:07:21.920 --> 00:07:23.360 students approach this initially. 155 00:07:23.560 --> 00:07:24.240 Oh, what's that? 156 00:07:24.680 --> 00:07:27.800 If the house is literally plastered with high end security 157 00:07:27.839 --> 00:07:32.439 cameras like the nest R low QB, why did the 158 00:07:32.480 --> 00:07:35.800 student group spend the majority of their initial analysis meticulously 159 00:07:35.879 --> 00:07:39.480 ripping apart a single Samsung phone. I mean, wouldn't any 160 00:07:39.519 --> 00:07:44.279 sane investigator just pull the cloud video feeds or check 161 00:07:44.319 --> 00:07:45.600 the local SD cards? 162 00:07:45.680 --> 00:07:48.000 Well, you would, hope, so sure, But in a real 163 00:07:48.079 --> 00:07:51.680 world IoT deployment, the cameras often act as dumb terminals. 164 00:07:51.879 --> 00:07:53.639 Really just dumb terminals. 165 00:07:53.680 --> 00:07:56.600 Yeah, the video is pushed directly to an AWS bucket 166 00:07:56.920 --> 00:08:00.560 or a proprietary cloud server. If the suspect provoke the 167 00:08:00.560 --> 00:08:03.120 cloud tokens, or if law enforcement doesn't have a warrant 168 00:08:03.160 --> 00:08:06.040 serve to Google or Amazon yet, that cloud data is 169 00:08:06.160 --> 00:08:07.319 entirely inaccessible. 170 00:08:07.399 --> 00:08:10.360 Oh so the physical tammery in the house is basically empty. 171 00:08:10.199 --> 00:08:13.959 Often yes, Plus local storage is frequently overwritten or just 172 00:08:14.000 --> 00:08:16.920 absent on these models. The smartphone, however, acts as the 173 00:08:16.920 --> 00:08:17.839 central orchestrator. 174 00:08:17.879 --> 00:08:18.319 Got it. 175 00:08:18.319 --> 00:08:21.600 It holds the apikeys, the cash thumbnails, the apps sandboxes 176 00:08:21.680 --> 00:08:23.560 in the local network configuration files. 177 00:08:23.839 --> 00:08:26.560 Okay, so the phone is basically the remote control for 178 00:08:26.639 --> 00:08:28.680 the entire physical environment. 179 00:08:28.360 --> 00:08:32.879 Precisely, but proving that phone is the orchestrator requires some 180 00:08:32.960 --> 00:08:37.039 really solid network forensics. Group two didn't just assume the 181 00:08:37.080 --> 00:08:38.399 S six edge was driving. 182 00:08:38.120 --> 00:08:39.639 The traffic, right, you can't assume anything. 183 00:08:39.759 --> 00:08:42.120 They had to actually anchor it to the network toatology, 184 00:08:42.639 --> 00:08:46.639 So they parsed a massive wire shark PCCAF file basically 185 00:08:46.639 --> 00:08:49.399 a packet capture from the local network, and mapped out 186 00:08:49.440 --> 00:08:51.320 all the IP and MB addresses. 187 00:08:51.919 --> 00:08:55.519 But MBA adjuresses can be easily spoofed, right, especially by 188 00:08:55.519 --> 00:08:58.279 someone running a rogue Raspberry Pi router in a literal 189 00:08:58.360 --> 00:09:01.879 drug lab. How do they definitively linked that specific network 190 00:09:01.919 --> 00:09:05.559 traffic back to Pinkman's physical device sitting in the evidence. 191 00:09:05.159 --> 00:09:08.720 Locker By diving into the Android file system itself. They 192 00:09:08.720 --> 00:09:11.480 accried the file system from the S six edge and 193 00:09:11.559 --> 00:09:15.240 extracted a specific system file located at wifey slash dot 194 00:09:15.279 --> 00:09:18.519 mac dot info, a hidden file exactly, and this file 195 00:09:18.600 --> 00:09:21.960 hard codes the device's truemec address, which was AC five 196 00:09:22.120 --> 00:09:24.120 f three e seventy three eighty three seventy eight. 197 00:09:24.159 --> 00:09:26.600 Okay, so they have the hard coded identity, right. 198 00:09:27.399 --> 00:09:29.919 So by matching that hardware level file to the Mac 199 00:09:30.039 --> 00:09:34.879 address broadcasting in the PCAP, they totally eliminated the spoofing theory. 200 00:09:35.480 --> 00:09:38.120 They proved Pinkman's phone wasn't just resting on a table 201 00:09:38.360 --> 00:09:41.639 it was actively routing traffic to the Raspberry Pie and 202 00:09:41.720 --> 00:09:45.600 facilitating communication between the environmental sensors and the ice mart 203 00:09:45.639 --> 00:09:46.559 alarm based station. 204 00:09:46.879 --> 00:09:49.519 That is brilliant. So they essentially found the conductor of 205 00:09:49.559 --> 00:09:52.440 the orchestra. Now that they have the layout and the 206 00:09:52.559 --> 00:09:56.799 verified devices, the students had to actually reconstruct the timeline 207 00:09:56.840 --> 00:09:59.960 of the arson. How are they extracting invisible trigger events 208 00:10:00.159 --> 00:10:02.200 to build a real chronological sequence? 209 00:10:02.440 --> 00:10:05.919 This requires diving deep into the abs sand boxes. The 210 00:10:05.960 --> 00:10:09.240 students managed to extract a squire light database belonging to 211 00:10:09.279 --> 00:10:13.519 the Icemart alarm app, specifically a file named tb underscore 212 00:10:13.559 --> 00:10:14.480 IPU dairy. 213 00:10:14.399 --> 00:10:16.399 Which acts as an audit log for the alarm. 214 00:10:16.480 --> 00:10:19.360 States right, yes, exactly, But if you've ever dealt with 215 00:10:19.399 --> 00:10:22.919 IoT databases, you know this data isn't neatly form added 216 00:10:22.960 --> 00:10:25.679 for humans. The timestamps are logged in epoch time. 217 00:10:25.799 --> 00:10:28.480 Oh no, epoch time is anyone who works with databases 218 00:10:28.600 --> 00:10:31.159 nos is a massive headache when you're trying to reconstruct 219 00:10:31.200 --> 00:10:34.399 a localized physical event. It really is, because the database 220 00:10:34.480 --> 00:10:37.120 just gives you a ten digit integer representing the seconds 221 00:10:37.120 --> 00:10:40.759 that have passed since nineteen seventy and it's inherently in UTC. 222 00:10:40.559 --> 00:10:44.320 And that time zone offset is exactly where forensic timelines 223 00:10:44.360 --> 00:10:47.200 live or die. The lab was physically located in the 224 00:10:47.279 --> 00:10:50.240 UTC plus two time zone. Oh boy, right, So for 225 00:10:50.320 --> 00:10:53.120 every single entry in that squad database, the students had 226 00:10:53.159 --> 00:10:56.840 to script a conversion to translate the epoch integer into 227 00:10:56.879 --> 00:10:59.559 a human readable date and then manually apply that two 228 00:10:59.600 --> 00:10:59.960 hour off. 229 00:11:00.360 --> 00:11:02.759 And if you missed that offset, your entire timeline of 230 00:11:02.799 --> 00:11:04.919 the crime is shifted by one hundred and twenty minutes, 231 00:11:05.120 --> 00:11:07.039 which completely destroys your case in court. 232 00:11:07.159 --> 00:11:09.200 Oh, the defense attorney would have a field day. 233 00:11:09.360 --> 00:11:10.000 Ah. 234 00:11:10.039 --> 00:11:12.799 But they nailed the conversions, and once they queried that 235 00:11:12.879 --> 00:11:17.759 ipudiary database, they started seeing specific user profiles, triggering the 236 00:11:17.799 --> 00:11:20.559 alarm states what kind of profiles? Well, they found logs 237 00:11:20.559 --> 00:11:23.720 for a user called fee Boss, which they actually correlated 238 00:11:23.759 --> 00:11:26.480 to voice commands issued at the Amazon Echo. They found 239 00:11:26.519 --> 00:11:30.279 a profile for j Pinkman. Naturally, and crucially, they uncovered 240 00:11:30.320 --> 00:11:33.679 a third user ID pand Adote Panda doodo. 241 00:11:33.840 --> 00:11:36.679 Wow. That third user idea is highly suspicious given the 242 00:11:36.720 --> 00:11:40.440 suspects they have in custody, I mean deep Pandema right, yeah, exactly. 243 00:11:41.200 --> 00:11:45.080 But the investigation wasn't a straight line. Group one, for instance, 244 00:11:45.360 --> 00:11:48.200 spent a massive amount of time analyzing a Google Mail 245 00:11:48.279 --> 00:11:51.120 database found on the S six edge, hoping to find 246 00:11:51.159 --> 00:11:52.759 communications orchestrating the raid. 247 00:11:52.879 --> 00:11:54.600 Okay, that makes sense, check the emails. 248 00:11:54.720 --> 00:11:57.279 Yeah, but inside the database columns they hit a wall 249 00:11:57.360 --> 00:12:01.080 of compressed blobs binary large objects. 250 00:12:01.919 --> 00:12:04.360 Here's where it gets really interesting, though, because, as you 251 00:12:04.399 --> 00:12:07.519 mentioned earlier, if a commercial tool fails to parse a 252 00:12:07.559 --> 00:12:11.080 proprietary database blob, you have to drop down to the 253 00:12:11.120 --> 00:12:11.720 hex level. 254 00:12:11.840 --> 00:12:14.120 And that's exactly what Group one did. They pulled the 255 00:12:14.200 --> 00:12:18.480 raw hexadecimal code of these unreadable blobs and went hunting 256 00:12:18.519 --> 00:12:20.320 for file signatures. 257 00:12:19.679 --> 00:12:22.759 Just manually scanning the hex code. That is tedious work, 258 00:12:22.799 --> 00:12:23.759 it is, but. 259 00:12:23.720 --> 00:12:26.720 They identified a specific magic number at the header zero 260 00:12:26.879 --> 00:12:27.840 x seven eight nine C. 261 00:12:28.240 --> 00:12:32.039 Wait zero x seven eight nine c in the context 262 00:12:32.080 --> 00:12:35.080 of filecarving. Seeing that immediately tells an investigator that the 263 00:12:35.120 --> 00:12:38.240 app developers utilized zlib compression to save space on the 264 00:12:38.240 --> 00:12:38.840 mobile device. 265 00:12:38.960 --> 00:12:40.840 You got it, It's the standard sold header. 266 00:12:40.600 --> 00:12:43.960 So they recognize aszlibheader, stripped it out, passed the raw 267 00:12:44.000 --> 00:12:46.759 payload through a decompression algorithm, and the data just unfolded. 268 00:12:47.000 --> 00:12:49.759 It was a truly brilliant piece of manual file carving. 269 00:12:50.200 --> 00:12:55.399 They successfully extracted forty fully readable HTML emails, and twenty 270 00:12:55.440 --> 00:12:58.639 of those emails were system alerts generated by the IoT 271 00:12:58.759 --> 00:13:03.039 devices themselves, kind of alerts, status updates from the net system, 272 00:13:03.120 --> 00:13:05.240 subscription alerts, safety summaries, things like that. 273 00:13:05.279 --> 00:13:07.720 Okay, that sounds like an absolute gold mine for building 274 00:13:07.759 --> 00:13:08.399 a timeline. 275 00:13:08.440 --> 00:13:11.039 It sounds like one. Yeah, but this highlights the sheer 276 00:13:11.120 --> 00:13:15.440 frustration of digital forensics. After all that manual hex analysis 277 00:13:15.440 --> 00:13:18.759 and decompression, the emails were a total dead ad. 278 00:13:18.799 --> 00:13:19.480 You are kidding me. 279 00:13:19.600 --> 00:13:23.799 Ope. They provided some background context about the network configuration, sure, 280 00:13:24.000 --> 00:13:27.559 but absolutely no operational intelligence reguarding the raid or the fire. 281 00:13:27.799 --> 00:13:29.480 There's no smoking gun in the inbox. 282 00:13:29.600 --> 00:13:33.120 Wow. That is brutal. But I guess that dead end 283 00:13:33.200 --> 00:13:36.480 forces them to pivot, which really validates the whole experiential 284 00:13:36.559 --> 00:13:38.879 learning model we talked about. They hit a wall with 285 00:13:38.919 --> 00:13:41.720 the emails, so they pivot their focus to the Amazon Echo. 286 00:13:42.039 --> 00:13:45.120 Right. They pull a database file called sift underscore Amazon 287 00:13:45.240 --> 00:13:49.639 Underscore Alexa dot dB, and inside they locate an audio 288 00:13:49.720 --> 00:13:53.360 dot wavefile that was recorded and cashed at exactly ten 289 00:13:53.440 --> 00:13:54.639 point two two am. 290 00:13:54.960 --> 00:13:56.279 Okay, ten point two two. 291 00:13:56.120 --> 00:13:58.120 They hit play on the file and it is this 292 00:13:58.240 --> 00:14:01.919 incredibly loud, piercing, rhythmic beeping sound. 293 00:14:02.000 --> 00:14:05.679 Now, human intuition takes over here. You are actively investigating 294 00:14:05.720 --> 00:14:08.159 an arson case at a drug lab. You find an 295 00:14:08.200 --> 00:14:10.440 audio file of a blaring alarm in the house at 296 00:14:10.440 --> 00:14:13.240 ten point two two. The immediate assumption is that the 297 00:14:13.279 --> 00:14:15.840 fire started at ten point two two and triggered the 298 00:14:15.840 --> 00:14:16.559 smoke detector. 299 00:14:16.600 --> 00:14:20.399 Oh. Absolutely, any traditional detective walking onto that scene listens 300 00:14:20.399 --> 00:14:23.080 to that tape and immediately writes down in their notebook 301 00:14:23.360 --> 00:14:26.639 ten point two two am incendiary device deployed. 302 00:14:27.000 --> 00:14:29.759 Right. But this is digital forensics. You don't trust your ears. 303 00:14:29.840 --> 00:14:32.360 You trust the corroborating logs exactly. 304 00:14:32.480 --> 00:14:34.600 And if we connect this to the bigger picture, this 305 00:14:34.679 --> 00:14:38.639 is arguably the most critical lesson in the entire DFRWS curriculum. 306 00:14:38.919 --> 00:14:43.320 In a distributed IoT environment, isolated data points are inherently untrustworthy. 307 00:14:43.360 --> 00:14:45.720 You need multiple points of failure or confirmation. 308 00:14:45.919 --> 00:14:49.600 Rather, Yes, you must synthesize and cross reference across different 309 00:14:49.639 --> 00:14:53.480 vendor ecosystems. The students absolutely refuse to accept the audio 310 00:14:53.480 --> 00:14:56.000 file at face value. They were digging for the raw 311 00:14:56.039 --> 00:14:58.440 telemetry from the nest Protect smoke detector. 312 00:14:58.519 --> 00:15:01.799 They found the cash file for it, right, a Jason payload, Yeah. 313 00:15:01.519 --> 00:15:04.840 A file labeled cash dash one three three two two 314 00:15:04.960 --> 00:15:06.559 five two three sixty two dot. 315 00:15:06.639 --> 00:15:10.080 Json and JSON payloads and proprietary apps can be deeply 316 00:15:10.200 --> 00:15:11.840 tested and heavily obfuscated. 317 00:15:11.919 --> 00:15:14.360 Right, very much so. But they managed to parse the 318 00:15:14.440 --> 00:15:17.399 key value pairs and when they extracted the time stamps 319 00:15:17.679 --> 00:15:22.480 for the specific event key labeled protect underscore smoke underscore worn, 320 00:15:22.960 --> 00:15:25.360 that data was completely contradictory to the audio file. 321 00:15:25.440 --> 00:15:26.480 Oh really, what did it say? 322 00:15:26.799 --> 00:15:29.200 The nest protect did not log a smoke event until 323 00:15:29.240 --> 00:15:30.919 ten point three six am. 324 00:15:31.080 --> 00:15:34.759 Ten point three six. That is a massive fourteen minute gap. 325 00:15:35.000 --> 00:15:38.360 Right. The environmental sensor definitively proves there was zero smoke 326 00:15:38.559 --> 00:15:41.120 or particulate matter in the air at ten point two two. 327 00:15:41.240 --> 00:15:43.960 Okay, so this forces the students to completely re evaluate 328 00:15:44.000 --> 00:15:46.240 the audio file. If it's not a smoke alarm, what 329 00:15:46.399 --> 00:15:46.639 is it? 330 00:15:46.720 --> 00:15:49.279 Well, they crossed reference to ten point two two timestamp 331 00:15:49.360 --> 00:15:52.440 back to the eismar alarm logs in that IPU dairy database. 332 00:15:52.720 --> 00:15:55.600 They discovered that at the exact second the echo recorded 333 00:15:55.600 --> 00:15:58.000 the beeping, the peripheral door sensor logged that the front 334 00:15:58.039 --> 00:15:58.679 door was a jar. 335 00:15:58.960 --> 00:16:00.200 Oh, I see where this is going. 336 00:16:00.279 --> 00:16:03.679 While simultaneously a voice command was issued to arm the system. 337 00:16:03.799 --> 00:16:07.360 That is such a satisfying piece of deduction. The Amazon 338 00:16:07.399 --> 00:16:10.600 Echo wasn't recording a fire alarm at all. It accidentally 339 00:16:10.600 --> 00:16:13.120 woke up as an open mic and captured the security 340 00:16:13.200 --> 00:16:16.799 keypad furiously beeping because Pinkmin was trying to arm the 341 00:16:16.840 --> 00:16:18.559 system while the front door was wide open. 342 00:16:18.759 --> 00:16:23.120 Exactly, it completely rewrites the physical timeline. It proves Pinkmin 343 00:16:23.240 --> 00:16:25.559 was just fumbling with the security system at ten point 344 00:16:25.639 --> 00:16:27.679 two to two, not fleeing an active fire. 345 00:16:27.960 --> 00:16:32.519 It perfectly demonstrates why digital investigations require this relentless skepticism 346 00:16:32.559 --> 00:16:35.399 of your own biases. You really have to let the 347 00:16:35.440 --> 00:16:39.000 synthesized network data dictate the physical narrative, not the other 348 00:16:39.039 --> 00:16:39.559 way around. 349 00:16:39.720 --> 00:16:42.360 You do data first, narrative second. 350 00:16:42.399 --> 00:16:45.360 Okay, let's unpack this, because with all these disparate logs 351 00:16:45.399 --> 00:16:48.480 finally synchronized on a unified timeline, we've got the I 352 00:16:48.559 --> 00:16:52.480 smart alarm database, the parse nest Jason, the offset epoch times. 353 00:16:52.720 --> 00:16:56.159 We can actually answer the Attorney General's primary questions. 354 00:16:55.759 --> 00:16:58.360 Right, who initiated the fire and what the hell happened? 355 00:16:58.360 --> 00:17:00.960 To the disabled QB camera guarding the entrance. 356 00:17:01.159 --> 00:17:03.519 Let's walk through those final minutes leading up to the arson. 357 00:17:03.840 --> 00:17:06.440 The synchronized timeline is incredibly tight. 358 00:17:06.200 --> 00:17:09.000 Here very tight. So at ten point three four and 359 00:17:09.079 --> 00:17:12.160 seventeen seconds, the logs indicate the system is set to 360 00:17:12.200 --> 00:17:15.200 home mode by the user profilety Boss. 361 00:17:14.839 --> 00:17:17.440 And by correlating this with the Amazon Echo logs, we 362 00:17:17.559 --> 00:17:21.559 know the Boss utilizes voice commands, which indicates Pinkman is 363 00:17:21.599 --> 00:17:25.559 physically present inside the lab actively securing the perimeter right. 364 00:17:25.599 --> 00:17:28.680 But a mere fourteen seconds later, at ten point three 365 00:17:28.799 --> 00:17:32.279 four and thirty one seconds that exact same squall light 366 00:17:32.400 --> 00:17:37.279 database logs a state change. The alarm is abruptly disarmed. 367 00:17:36.880 --> 00:17:40.640 Wait disarmed, and the user token attached to that disarmed 368 00:17:40.680 --> 00:17:42.400 command panded dodo wow. 369 00:17:42.480 --> 00:17:44.759 This is immediately followed by the contact sensor on the 370 00:17:44.759 --> 00:17:48.279 front door logging in open state. Then the logs show 371 00:17:48.319 --> 00:17:49.400 a dark period. 372 00:17:49.160 --> 00:17:51.240 A dark period for how long there is. 373 00:17:51.200 --> 00:17:54.400 A gap of about ninety seconds of completely unrecorded physical 374 00:17:54.400 --> 00:17:57.559 activity inside the lab. And then at exactly ten point 375 00:17:57.559 --> 00:17:59.799 three six and nine to six seconds, the nest Jason 376 00:17:59.799 --> 00:18:03.279 five registers the protect underscore smoke underscore warren key. 377 00:18:03.480 --> 00:18:05.960 The arson attempt is officially underway exactly. I mean, it 378 00:18:06.000 --> 00:18:08.000 doesn't take a twenty year homicide veteran a piece that 379 00:18:08.119 --> 00:18:11.960 logic together. The user profile Pandado do is glaringly obviously 380 00:18:11.960 --> 00:18:14.240 the indocia they have in custody deep Pandana. 381 00:18:14.319 --> 00:18:17.960 Yep. The logs prove he authenticated, dropped the alarm system 382 00:18:18.240 --> 00:18:20.839 and open the door a minute and a half before 383 00:18:20.880 --> 00:18:21.839 the accelerant was lit. 384 00:18:22.119 --> 00:18:26.440 The students logically concluded he was the primary infiltrator. The 385 00:18:26.519 --> 00:18:30.599 digital breadcrumbs place him actively bypassing the perimeter security at 386 00:18:30.599 --> 00:18:32.880 the precise moment the raid initiates. 387 00:18:33.000 --> 00:18:37.039 They absolutely nailed him, but the Attorney General had one 388 00:18:37.279 --> 00:18:40.079 lingering question that really threatened the integrity of the case. 389 00:18:40.400 --> 00:18:42.119 Right the QB camera. 390 00:18:41.960 --> 00:18:45.039 Yeah, the QB camera pointing directly at the entry vector 391 00:18:45.200 --> 00:18:48.279 was dead. So the question is did the fire melt 392 00:18:48.319 --> 00:18:52.519 the circuitry or was it intentionally neutralized by the suspects beforehand. 393 00:18:52.839 --> 00:18:55.240 And this is where the dynamic of having competing student 394 00:18:55.279 --> 00:18:58.200 groups really pays off. Group one, the ones who did 395 00:18:58.240 --> 00:19:01.720 that amazing manual file carbon on the zlib emails, they 396 00:19:01.759 --> 00:19:03.920 actually hit a brick wall with the QB camera. 397 00:19:04.039 --> 00:19:07.960 They did, They did fantastic work pulling cashed thumbnail artifacts 398 00:19:08.000 --> 00:19:11.160 from the ARRLO base station. They showed unidentified figures moving 399 00:19:11.160 --> 00:19:13.640 in the lab, but the QB camera just remained a 400 00:19:13.680 --> 00:19:14.920 total black hole to them. 401 00:19:15.039 --> 00:19:17.000 But Group two took a different route. 402 00:19:17.119 --> 00:19:21.839 Group two approached the camera anomaly from a network infrastructure perspective. 403 00:19:22.400 --> 00:19:25.200 Remember the wire Shark PCP file they used to anchor 404 00:19:25.240 --> 00:19:28.599 the ssex edges mme address earlier, right the packet. They 405 00:19:28.680 --> 00:19:31.279 went back into those raw packets, but instead of looking 406 00:19:31.279 --> 00:19:34.359 for data payloads, they started hunting for dropped connections. 407 00:19:34.640 --> 00:19:38.559 See I am naturally skeptical of this approach. How do 408 00:19:38.640 --> 00:19:41.559 you prove a camera was intentionally tampered with just by 409 00:19:41.599 --> 00:19:44.480 looking at a PCCAT file. Couldn't the camera have just 410 00:19:44.559 --> 00:19:49.200 experienced like a power surge or a flaky Wi Fi drop. 411 00:19:49.519 --> 00:19:52.480 That is exactly the assumption defense attorneys love to make. 412 00:19:53.119 --> 00:19:56.759 But network traffic has specific behavioral baselines. 413 00:19:56.839 --> 00:19:58.880 Okay, what does that mean in this context? 414 00:19:59.000 --> 00:20:02.799 Group two filtered PCK for the Raspberry Pyrider's automated keep 415 00:20:02.839 --> 00:20:05.839 alive pings. These are just little signals constantly hitting the 416 00:20:05.920 --> 00:20:08.240 QB camera's I address to make sure it's still. 417 00:20:08.039 --> 00:20:10.000 There, just saying are you there? Are you there? 418 00:20:10.160 --> 00:20:13.680 Exactly? And they noticed that cameras suddenly stopped acknowledging the pins. 419 00:20:14.559 --> 00:20:18.720 There was no TCP teardown, no graceful network disconnect, just 420 00:20:19.000 --> 00:20:22.559 a sudden, hard drop into a dead state. Oh and crucially, 421 00:20:23.119 --> 00:20:26.480 this anomalous flat line occurred prior to Pandana dropping the 422 00:20:26.480 --> 00:20:28.519 alarm at ten point three four. 423 00:20:28.720 --> 00:20:31.599 Ah. I see, It's like a hospital heart monitor flatlining 424 00:20:31.640 --> 00:20:33.279 before the patient even goes into surgery. 425 00:20:33.319 --> 00:20:34.440 That's a perfect analogy. 426 00:20:34.680 --> 00:20:38.799 In network forensics, the absolute absence of packets is just 427 00:20:38.839 --> 00:20:42.200 as vital as a data payload. The total silence from 428 00:20:42.240 --> 00:20:46.119 that specific IP address preceding the physical breach by Pandana 429 00:20:46.480 --> 00:20:48.759 proves the camera didn't melt in the fire of all. 430 00:20:48.799 --> 00:20:52.519 It was preemptively and manually disconnected from the network infrastructure. 431 00:20:52.599 --> 00:20:54.279 It was premeditated tampering. 432 00:20:54.440 --> 00:20:57.039 It was, And this raises a really important question about 433 00:20:57.039 --> 00:21:00.359 how we structure forensic teams in the real world. Think 434 00:21:00.359 --> 00:21:04.839 about it. Group one hyper focused on visual artifacts and filecarving. 435 00:21:05.279 --> 00:21:08.519 Group two focused on network topologies and packet analysis. 436 00:21:08.599 --> 00:21:12.240 Right, and neither group possessed the complete picture independently exactly. 437 00:21:12.799 --> 00:21:17.039 Experiential learning proves that modern digital investigations require serious cross 438 00:21:17.039 --> 00:21:21.319 disciplinary collaboration. You need the host based forensic analyst parsing 439 00:21:21.400 --> 00:21:25.240 databases right alongside the network engineer analyzing traffic flows to 440 00:21:25.279 --> 00:21:26.759 build an undeniable case. 441 00:21:27.119 --> 00:21:29.480 It's not just a lone wolf hacker staring at a 442 00:21:29.559 --> 00:21:32.960 terminal in a dark room anymore. It's a synchronized team 443 00:21:33.079 --> 00:21:35.839 attacking the architecture from multiple vestors. 444 00:21:35.960 --> 00:21:40.000 Yeah, one person is writing Python scripts to offset epoch time, 445 00:21:40.519 --> 00:21:44.240 someone else's isolating slibheaders in a hex editor, and a 446 00:21:44.279 --> 00:21:47.880 third person is filtering millions of packets until they realize 447 00:21:47.920 --> 00:21:51.519 a simple lack of ping responses proves criminal intent. 448 00:21:51.599 --> 00:21:55.160 And that synthesis is really the ultimate takeaway from this analysis. 449 00:21:55.599 --> 00:22:00.000 These students took raw hexadecimal code, abstract network packet capture, 450 00:22:00.200 --> 00:22:03.759 and these highly confusing cash files and molded them into 451 00:22:03.799 --> 00:22:07.519 a highly specific, undeniable timeline of human behavior. 452 00:22:07.680 --> 00:22:11.160 They prove deep Pandana, operating under the alias Pandido doo 453 00:22:11.359 --> 00:22:15.359 bypassed a perimeter alarm, infiltrated a secure facility, and less 454 00:22:15.359 --> 00:22:18.119 than two minutes later triggered an environmental sensor with an 455 00:22:18.200 --> 00:22:19.680 arson attempt, all. 456 00:22:19.440 --> 00:22:24.000 While a key surveillance node had been systematically blinded beforehand. Incredible. 457 00:22:24.200 --> 00:22:26.440 So what does this all mean for you listening outside 458 00:22:26.440 --> 00:22:29.599 the classroom. It's an incredibly rigidsus piece of analytical work 459 00:22:29.640 --> 00:22:31.400 by these students, But it brings us right back to 460 00:22:31.440 --> 00:22:32.720 the thought experiment. 461 00:22:32.279 --> 00:22:34.000 We started with, the one about your own room. 462 00:22:34.359 --> 00:22:38.559 Yes, think about your own home network. Every single time 463 00:22:38.599 --> 00:22:40.960 you open your smart lock, every time you ask your 464 00:22:41.039 --> 00:22:44.119 voice assistant to dim the lights, every time your phone 465 00:22:44.440 --> 00:22:47.559 quietly handshakes with your router just to maintain a connection, 466 00:22:48.559 --> 00:22:51.240 you are generating a forensic timeline. 467 00:22:51.319 --> 00:22:55.160 You really are. You are continuously writing an autobiography encoded 468 00:22:55.200 --> 00:22:57.839 in proprietary databases that you will probably never have the 469 00:22:57.880 --> 00:22:59.079 tools to actually look at. 470 00:22:59.319 --> 00:23:02.200 We operate in an era where our physical environments are 471 00:23:02.240 --> 00:23:06.279 meticulously logged by sensors we explicitly purchase and installed just 472 00:23:06.359 --> 00:23:07.279 for our own comfort. 473 00:23:07.799 --> 00:23:11.759 But, as the DFRWS challenge so clearly demonstrates, those sensors 474 00:23:11.839 --> 00:23:15.279 possess absolutely no loyalty to their owners. They simply log 475 00:23:15.359 --> 00:23:18.559 the state changes truthfully and coldly. 476 00:23:18.200 --> 00:23:19.920 Which leaves you with the thought I just haven't been 477 00:23:19.920 --> 00:23:22.359 able to shake since reviewing these case files. What's that 478 00:23:22.759 --> 00:23:25.759 as our homes, our vehicles, and our urban infrastructure become 479 00:23:25.839 --> 00:23:31.039 perfectly recorded, deeply interconnected IoT environments. What happens to the 480 00:23:31.079 --> 00:23:35.039 concept of an unwitnessed event. Wow, If every smart plug, 481 00:23:35.200 --> 00:23:38.319 smoke detector, and Wi Fi router is silently maintaining a 482 00:23:38.400 --> 00:23:42.200 database of state changes, is the perfect crime even theoretically 483 00:23:42.240 --> 00:23:45.519 possible anymore? Or will the burglars and arsoness of the 484 00:23:45.559 --> 00:23:48.039 future have to possess the skill set of a senior 485 00:23:48.079 --> 00:23:52.960 network administrator meticulously spoofing Mac addresses and wiping JSON caches 486 00:23:53.359 --> 00:23:55.119 just to get away with kicking in a front door. 487 00:23:55.720 --> 00:23:56.799 It's terrifying thought. 488 00:23:56.920 --> 00:23:58.960 It is definitely something to think about the next time 489 00:23:59.000 --> 00:24:00.720 you ask your smart speaker to check the weather.