(electronic music)
(audience applauding)
- Welcome, Heather and I are teaming up again this year
if you saw our presentation last year.
This time we're doing DFIRfit or bust.
We got a hashtag in there.
We're not quite millennials, but we do like our hash tags.
That's right, we got matching goin' on here too.
A little bit about what the heck is DFIRfit?
DFIRfit kind of has its originations
in this conference last year.
We can either blame or high five forensics woman Stacy,
so, if you see her around, she's the one
who really came up with the hashtag.
So, it's kind of one of those things that we've taken on
in the past year or so to try to get off our butts to try
to actually get out from not in front of the computer,
as we usually are every single day, every single night,
and actually start doin' some exercise,
trying to get out of there either for sanity,
for health reasons, for whatever purpose.
So, we're gonna talk a little bit about
the technical aspects of the iOS health database,
as well as givin' you a little bit
of motivation to do it yourselves.
We're gonna get into some acquisition and analysis
of this health data and try to motivate you.
A little bit about us and our goals.
About a year ago, Heather, Phil, Rob,
we're all talking about this Orange Theory thing.
I'm like, what the heck is this Orange Theory thing?
It's got a weird name to it, and they were tryin'
to get me to do this early in the morning.
I do not do early mornings.
I very much like to sleep.
I also don't particularly like to exercise,
but I went home from the summit.
I really needed to get off my butt and to exercise.
I just changed commute location, so I had
an extra hour of the day, so I really wanted
to spend that time getting to the gym
and trying to be a little bit healthier,
so I did this whole Orange Theory thing,
and it's kind of worked out for me, so that's
what I spent my last year or so kind of working on,
also collecting data because why not?
- Those of you who remember last year,
I had a really little baby with me
and still some baby weight clinging on,
so that's honestly why I joined Orange Theory,
or as Rob's wife calls it, the cult.
It's really not a cult.
I think CrossFit is the cult.
Everyone has their own opinions, but I hate running.
I honestly, Rob wants us to do this Disney half marathon,
and I think I would rather cut off some fingers
than do that, and I don't.
You can see, I prefer walking, so I do my steps,
try to walk as far as possible,
but I needed something to put me over the hump
of getting the baby weight to finally go away,
so that was the motivation behind some of my stuff.
Acquisition, so we're gonna start with
how do we even get this health data?
Sarah and I tried a little bit of everything,
and to keep it fair,
we looked at jailbroken and non-jailbroken devices.
The good news is all the data that we received was the same,
so you don't have to jailbreak
to get what you're seeing in our data sets here.
If you use commercial forensic tools,
as long as your tool encrypts the backup,
you will get the data, so you don't have to really stress.
I personally did iTunes.
I just used iTunes, encrypted my backup,
and looked at the data that way.
I believe you did the same.
With iCloud, which we're going to hit on here in a minute,
iCloud, you can see in that screenshot right there,
I have it set to put my health data in iCloud.
When you go to load your data into iCloud,
there's not the option to encrypt or not encrypt.
The data is just there and stored by Apple in iCloud.
None of the methods I used to pull down my iCloud data,
or Sarah's iCloud data, had our health database in it,
so we can't confirm at this point
if it's the exact same files or not, but we assume it is,
and we'll hit on that a little bit later.
With simple exports, say you just have a device,
and you do not have access to a backup,
or you can't create a backup,
you can actually export out the health data,
which you see in Sarah's picture there,
where you can choose export health, and it looks like this.
So, if you're okay with looking at this,
and your eyes are crossing, it's fine.
You could write a script that parses this,
and ultimately that's kind of what we wanted to do,
but we ran out of time, but there are easier ways
to do that, and that's what we're going to show you,
but this export does contain everything
that we're going to cover in the slides coming up.
- A little bit about what we're taking out
from this particular presentation.
We're really gonna focus on the native health database.
There's two applications.
There's the health app, and there's the activity app.
They both use the same database on the backend,
but if you have an iOS device,
you have two separate applications,
and I'll show you some screen shots in the next slide.
Another thing to keep in mind, if you have
third party applications, you often get the option
to allow access to the health database.
It's in your permissions.
If you do like a Couch to 5K or the MyFitnessPal
for dietary things, a lot of that data can be pushed
into the health database as well, so you might be looking
at the iOS health data, but you also wanna, maybe,
take a look at third party applications as well.
Sometimes they do push that data in there.
Sometimes they don't, so just be aware of that.
We're also going to be talking quite a bit
about the heart rate stuff today.
So, we're primarily gonna be talking about the Apple Watch.
We both have Apple Watches, so a lot of the data
that we populated for this presentation
came from our own data sets,
came from our own Apple Watches, but it's worth noting,
if you have other devices, Fitbits
and non-Apple-based devices, a lot of that data could
also potentially be pushed into the health application.
It's just really up to the device itself.
A couple of screenshots here.
These are the two applications
that we're primarily gonna be talking about.
Generally speaking, if you see the data
in these particular applications,
you can pull that out in the database.
It's not gonna look as nice.
It's not gonna look as pretty.
You don't get the colorful rings and things,
but that data is being stored
in that very, very large database on the backend.
So, the health application more or less keeps track of
all your health data versus the activity application
which is really just doing the workouts
and achievements and things like that.
The primary health databases, we are primarily going to
be looking at the healthdb secure SQLite database.
Even though it says secure in there,
it's not encrypted at all.
Now, it is coming out of an encrypted backup,
so it is being protected, but just because you see
the word encrypted or secure in these database file names
does not mean it's SQLCiphered or anything like that.
You can pull that out.
You can make your own queries.
We're gonna show you some examples of those as we go along.
There's the other healthdb SQLite database
that also contains some information
that Heather'll get into, but primarily the stuff
that it's storing is all your health data,
so workout, non-workout-based data, just general
living type data is being stored in this database,
and these are huge databases.
I think I pulled mine off, and it's about
90 megs or something like that.
It's extremely large because it's persistent,
and it's storing a lot of data over the multiple years
that I've had access to those particular applications.
I got some paths in here.
If you do wanna go get on the device or pull it out
of a backup, you're gonna find it in the library
health directory on there in both different databases
that we're gonna be talking about in the presentation.
Another one that we found, this one is relatively new.
This healthdb_secure.hfd.
This appears to be some sort of encrypted file.
We think it's an encrypted database.
We honestly can't see the information in there,
and we really don't know what this one is storing thus far,
but since Apple is introducing a lot more health records
and privacy type stuff, I'm kinda curious if
that's the stuff that's being pushed
into that encrypted thing.
It looks like a database, but I can't be completely sure,
so we just have some working theories at this point.
We did not get time to actually dig into that
and see what it was actually all about.
- All right, a closer look at some of these databases.
The first one that I took a quick look at,
it's not as interesting from the workout perspective
as the healthdb SQLite file.
Things you will find that I always think are helpful.
If we start looking at this, what types of devices
does the user have access to?
So, if you look at mine, it shows all the Apple Watches
I've ever owned, so all the different series.
Also, all of the iPhones it was paired with
and the version that was running on that iOS device.
So, if you're ever quizzed on
how many versions of iOS was this user using,
look at the health database file because it's going
to give you a quick glimpse as Apple tracks this.
It's also going to show you if the user is using Runkeeper
or MyFitnessPal or any of the calorie type apps
that are syncing all this information in.
All of this paired together will really help you.
Another thing, and I didn't realize this until I was doing
a scenario, that you'll see later, that almost threw
my back out for this presentation, so I was gonna claim
some worker's comp against SANS there if that occurred,
but luckily it didn't, cloud pairing.
I expected as soon as I did an activity
to dump my device, and it would be there,
but I was doing it a little too quickly, so I noticed
about a five minute lapse after I completed an activity
until it was actually in cloud or in my device for backup,
so just something to consider there.
But it does show, when you look at my health database,
that I am syncing with cloud and all the pairing
that's actually occurring.
So, that's the primary ones you'll see there,
and we'll cover these in a little bit more detail here.
The health database secure SQLite, again, not encrypted,
completely available as long as you have
an encrypted backup file that you can decrypt.
Things like achievements, so have you met achievements?
It will also track the last time that achievement,
so when we look at these databases,
you'll see current activity,
and then the last time that achievement was met,
your friends' achievements, your workouts.
This is where a lot of our stuff on heart rate,
how many steps you took, when you're sleeping.
Is your watch on or is it off?
And you'll see why you may actually work a case
where this stuff matters.
Right now, you're probably thinking, who cares
on some of these artifacts, but it is.
We're going to give you forensic scenarios
where all of this stuff comes into play,
and it is very, very helpful.
99% of your time is going to be spent in this database here.
This is where a lot of the bang for the buck is.
The records at the bottom, this is newer,
and I honestly, I don't go to the doctor unless I'm dying,
so that may come into play later in our scenarios,
so I don't have medical records.
I'm lucky enough that I don't really have many allergies.
Vaccinations, I feel like unless you're a child
going to school, it doesn't really matter,
so I don't have any of these records syncing,
and Sarah doesn't either, for us to tell you
what that's going to look like, but that's something
that could occur in the future should we get to it.
This slide here is for your awareness.
You're going to see, we're going to refer to data types,
and we wrote a lotta queries to parse the health secure file
that we're going to be focusing on.
But, main things you'll see in our presentation coming up,
five is heart rate,
so we wanna see when our heart rate spikes.
Also, number of steps seven, flights climbed 12,
so these are the things that really matter.
70 is is the watch on, so you know if it's being tracked
through the watch or the phone, and that will also come
into play in some of our scenarios coming up.
So, this is more just for your awareness
on what you're seeing here.
- First scenario, just a simple pattern of life,
why do we care about pattern of life?
It tells a story.
How does the user do their daily stuff?
I get up in the morning.
I put my watch on.
I go to work.
I maybe go to a workout in the morning,
in the afternoon, it depends on the day,
and then at bedtime I usually take it off.
I throw it on the charger.
Everybody has a different pattern of
how they do their daily stuff.
So, a couple different things
that we can do pattern of life on.
We could do the workouts.
How often are they working out?
Are they lazy like I was about a year ago,
or are they doing it because they feel like they might die?
Now, that's how I feel now.
Steps and distance, I'm gonna show you an example
of my steps and distance to kind of give you an idea
of what my pattern particularly is.
You could do calories burned.
Are they burning a lotta calories?
Why are they burning a lotta calories?
Is it normal that they're doing this?
And certainly heart rate, heart rate, I think,
we're gonna focus on quite a bit because it does tell
a lot about how the person is doing
what they're doing on a per day basis.
One example, so this is one of my workouts.
Each workout, if you set it up on your watch,
is tracking some metadata.
What was the weather?
Where was it?
Now, this one is showing that
it was 82 degrees and 60% humidity.
I was doing it at Arlington, and I have a workout
from about 11:30 in the morning to 12:30 in the afternoon.
This was one of my weekend workouts.
You can see how much time, how many calories,
and all that good stuff too.
So, I could pull out the metadata for this,
and I've highlighted some of the interesting bits in there.
I have locational information, lat and long information.
I have the weather information,
whether the workout occurred in the daytime
or in the nighttime, and we do get a start and end time
for that too, so this is purely just metadata.
The workout information's stored in a different area,
but I do have highlighted here
in that pink column in the middle there that
there is a data id associated with a particular workout.
Now, there's a whole table with the workouts,
with the health database that you can pull out
and correlate that with there.
Now, you notice these queries.
This query is kind of large.
There is a lot of correlation that you have to do
to pull all this information together.
The health database itself is not obvious.
You have to sit there.
You have to figure out what all these different tables are,
and how they correlate in between each other,
so we do have these queries.
Hopefully, they'll help you in future investigations.
But, I'm purely looking at one workout metadata here.
Now, I can take this metadata and start correlating that
over multiple workouts, so I'm gonna focus here on location.
Where is this person at any given point in time?
You might need to know
are they on the West Coast, on the East Coast?
Are they doin' workouts in Florida, wherever,
might help an investigation.
So, I pulled out some of my data here,
and Arlington is my home base, so I do have a lot
of workouts in the Arlington area, so I got Arlington.
That's the one I have shown, another Arlington.
You kind of get a pattern.
Do I do morning workouts?
Do I do afternoon?
I certainly have a pattern.
I ideally would like to get it done before work,
but sometimes I have to do it after work,
and I'm always hitting it on the weekends 'cause I have
a little bit more time associated with that.
Now, I do have this block of San Diego.
I travel a lot.
I teach a lot.
So, when I was in San Diego, Heather and friends
dragged me out to do Orange Theory at an ungodly hour
of like six a.m. or something, and I went.
I complained.
I will always complain about that, but I did get
three workouts done in San Diego that particular week,
and then I came back to Arlington,
so we do have some travel information in there.
You might not care that they had a workout,
but the travel information could be potentially useful
in an investigation.
It's also worth noting that the coordinates.
Coordinates are actually pretty accurate
in my particular scenario.
This is my Orange Theory gym in Boston.
The database location and the actual gym location,
very, very close together.
Now, I do mention this in my class.
You'll see there's a little
Dunkin' Donuts thing right there.
If you look at your significant locations before
sometimes it goes back and forth between another location,
but it looks like I'm at Dunkin' Donuts
for an hour every morning.
Not exactly good feeling.
It's actually the gym that's right next door to it.
As much as I would love to drink coffee
and stuff my face with doughnuts every morning,
that's not gonna get me to where I wanna be,
so take that with a grain of salt.
Look at the locations, does it make any sense?
I found mine to be pretty darn accurate.
Now as far as another pattern, steps or distance per day.
I'm not a big walker.
I tend to drive to work.
I don't walk to work or anything like that.
It's the D.C. area.
I'm sitting in my car most of the time,
so the pattern is interesting in there.
This particular query, I'm extracting the mileage
for each day for a particular month.
I have some highlighted here.
One day, for some reason, I couldn't go to my normal gym
and decided to just run on a treadmill.
Just started running just to see how far I could go,
and I knocked out a 5k which I thought was pretty awesome.
I loathe running by the way.
I think it's the most boring thing you could possibly do,
but I did that, and it'll show you the mileage associated
with that, so that was kind of an oddity for me.
Now we start graphing this.
Now, the problem with this is that I can graph this
all day long, but if I don't put context to it,
if I don't correlate other data to it,
it's not gonna make a whole lot of sense.
So, this is my month of April.
Now, the green bars, this is the weekend
just to kinda give you a feel for when this actually is.
So, I see some high points in here.
But now, if I throw in these little guys,
this is every single time I did a workout.
So, I can pull that out of the database as well,
and say I did workouts on these particular days,
and these are the days that I have higher mileage.
I'm running, I'm walking.
I'm doing something to get that mileage up.
Then, I start putting my calendar into play here.
So, I'm traveling during this time too.
I'm teaching at SANS Orlando.
I spoke at BSidesCharm at the end of the month,
so I did get a couple of workouts in.
I don't work out as much when I am traveling,
but I do tend to get some workouts in
especially if Heather, Phil, Rob start harassing me
to get up at ungodly hours of the morning.
But now, if you look here, I see some workouts.
There is this gap.
Right after SANS Orlando, it kind of just drops.
Am I lazy?
Maybe, that has potential.
Maybe I'm just exhausted from SANS Orlando, you know,
you don't know, and sometimes you can't correlate that data.
This was actually when I was out sick,
so came home, went to work the next day.
I started feeling just very, very ill.
Turns out I had to go to the urgent care.
I had to go to the ER.
I have to get my gallbladder out in about two weeks or so,
so that'll be fun, right?
Medically induced vacation is what I like to call it.
So, that one day that is particularly low,
I actually stayed home from work that day.
I literally did nothing 'cause I was in so much pain,
and that does show in the data.
So, you can start correlating this stuff, but nowhere,
at least nowhere I think, on my phone could you find
a calendar entry or something to say
that I went to urgent care or something like that.
Maybe a receipt or something
that you can start correlating that with.
So, context is key.
- All right, we have some scenarios for you here.
Recently, there's a lot of Apple health in the news,
and ironically while Sarah and I were doing research
for this, I got several student emails saying hey,
what about the health database?
What about this?
Can we pull this information?
So, we're trying to replicate some things here.
So in the news, the Apple health database was used,
and the forensic examiner testified successfully
saying hey, this woman was murdered.
She was dragged down an embankment,
and then the man climbed back up this hill,
and the detectives replicated this.
They went through the whole process
and proved this to be true.
So, this was kind of our goal, and Sarah came up with
the brilliant idea of you should drag your husband
and see what this looks like, and I'm like yeah,
I can definitely drag my husband.
Unfortunately, he is not Sarah's size,
so you're going to get to see what this looks like.
Just as another disclaimer, in this database
that you're seeing here on the left,
heart rate is data type number five.
I have a really hard time getting my heart rate to spike
and then stay up which I guess is good for heart health,
very annoying for a situation like this.
You could see here with my heart rate, it spikes.
It starts at 66.
Sometimes my heart rate is as low as like 53,
and I think that's weird.
I'm like wow, I'm like an Olympian.
My husband's like no, you have no heart
for it to detect anything, so this is where perspective.
I think I'm more of the healthier, but he thinks no heart.
You can't find it.
Nothing can detect it.
But you can see, I go from 66, and then it spikes up,
and it gets to like 148.
You can also see where it's highlighted
in the middle screen shot there.
My heart rate spiking, and then what it looks like.
So, this is our situation here.
I had my husband lay on a tarp because
I think that would be easier to drag him.
My back was killing me after this.
My knuckles were killing me from trying to pull the tarp.
The tarp was actually ripping at one point,
but we have a little video here.
(birds singing) (Heather grunting)
of my struggles.
(Heather laughing) (Heather grunting)
I know, I put socks on.
(Heather grunting)
I'm gonna need help.
This is fun.
- [Sarah] I'll help you.
(Heather grunting)
- It's bad.
(tarp crinkling)
Yeah, so I probably, I didn't make it very far.
(audience applauding) I did not make it very far.
I think I like ruined my knees, my back, my wrists,
and Sarah's like I'm sorry.
I'm sorry for recommending that.
But, we wanted to replicate this, so I did,
I wanted to pull him down my entire yard.
I honestly probably made it about 30 yards,
and then I walked back up which wasn't very exciting,
so it only showed one flight, so you're not seeing that,
but I didn't have a steep embankment, and I was also afraid
I would tumble down backwards trying to drag his body
down an embankment, but he plays a good dead person.
He is still alive, so you'll see him.
He's actually at this summit.
But, this is what it looked like.
So, you can see my normal resting heart rate,
and then I dragged that body, and it matches the date,
time stamps how long it took me to do this,
but then you see some weird spikes at the end there.
Sarah and I thought it would be a little morbid,
but my four-year-old wanted me to drag his body,
so we did not include a video of that,
but I was able to drag him a little faster
down the hill on the tarp (laughing).
So yeah, sometimes your kids just want that as well.
- [Sarah] Another scenario, a couple things
that we wanted to try, again, focusing on heart rate.
You get a lotta data out of heart rate.
We had this scenario.
Again, we go dark.
What happens when somebody dies when they have
their heart rate monitor slash Apple Watch on?
Does it just drop, as far as the heart rate goes?
Now, as much as I tried to test this, it's very hard
to mimic dropping your heart rate, and I tried to test it.
I took the Apple Watch off.
I kind of put it away from my wrist, but it actually,
the detection of it was quite good, quite accurate,
so I was unable to actually drop that heart rate.
So, again, if you wanna volunteer or somethin',
we can make this happen.
But that one is particularly hard.
So, my theory is, somebody gets murdered
or something, the heart rate will drop depending on
how fast they lose their heart rate.
So, what I did test was more of the alive scenario.
So, showing the activity for a particular person per day.
So, this is a, it has a lot of assumptions.
The user must have an Apple Watch,
something to track their heart rate.
It's just gonna show periods of activity versus rest,
so you can kind of get a good feeling for that.
Also, if you're looking and you're maybe doing
surveillance of the person, you could figure out
what they're doing as well, and you also wanna
correlate this with other iOS activity,
so it's not just the health database.
We also want to look at, say, the application usage.
I kind of have one of the other databases
that I've talked about in previous presentations,
the CurrentPowerlog.PLSQL,
this is actually gonna show you like an app-by-app basis
of what is being used at any given time.
It is a fantastic database.
It used to be backed up.
It does not appear to be backed up anymore in iOS 11,
so just a heads up on that.
Another day in the life.
This one is me in a particular day.
I think it's April something.
I can't remember to be perfectly honest with you.
This is me tracking my heart rate.
So, you can make some assumptions here.
You can look at the time stamps.
I put on my Apple Watch at six a.m., so as soon as
I put the Apple Watch on, it starts tracking.
It starts recording my heart rate.
It does it maybe every, I don't know, 30 seconds or so.
At the end of the day, I take it off.
I go to bed, I put it on the charger.
So, we got about six a.m. to 10 p.m.
That in and of itself is very useful,
so you can kinda get a good feeling if you know
that they wear their Apple Watch all the time,
how long they were doin' their thing during the day.
Now, if you look at the actual beats per minute,
it gets up there to about 180, and it looks like
it's for most of the day until you start looking
at the time stamps associated with that.
My heart rate is not at 180 beats per minute all day long.
That would probably make somebody die doing that.
When you do a workout, when you actually set
your Apple Watch, you do a workout,
the heart rate monitor itself is actually doing
a little bit more sampling, so every few seconds or so,
it's actually taking a heart rate sample of it
to better track your workout,
your calories and things like that.
Again, putting context to the data,
knowing how the health application works,
how the heart rate monitor works,
is gonna give you a little bit more data.
So, this whole blue section here is really just
a one-hour workout, but once you take that out
and then start correlating over the day
without the workout information, you'll actually see
the spikes and things as I go throughout my day,
if I walk up stairs, things like that.
- One of the questions that came up in email, ironically,
and why Sarah looked at that, and obviously
we can't mimic death, I had a previous student email me.
He is working an investigation where they believe
the wife was killed on a Tuesday, and that the husband
took her phone and texted her friends
as if she were still alive for three days.
So, he actually sent me the health data,
which I can't, obviously, share with you,
to just take a look at what he is seeing,
and every day he tracked where her watch was put on,
and then the heart rate just stops, so he wanted to know
is that when the battery on the watch died or did she die?
So, he was trying to correlate that with
what the coroner said on time of death,
but what's really creepy is you will see activity
from the phone as her husband, it was like taking
88 steps as he's like walking around texting people
from her device, but it's no longer on her watch.
So, things like that really do come into play,
but, again, we didn't have a dead body,
or someone die in front of us fortunately to test this.
- [Sarah] Just hold on a second, we gotta test this.
Can we strap this watch onto you real fast?
Really fast?
- So, another reason you can have this.
You can nark on your homies, or this can motivate you
when I'm sitting at my desk, and I'm like damn,
everyone did a workout, and everyone, the only friends
I share this with are Phil, Rob and Sarah.
Those are my only friends.
So, when they all complete it, and I'm like man,
I'm not doin' so well, but then on this particular day,
so I see, I was like what did Phil do today
that he's at 135%?
Phil did yoga, so if you wanna see some
of Phil's yoga moves, you can check that out.
That actually surprised me.
I thought that was a good one there,
but there is a contacts.dat file, and this will show
who you're sharing your health activity information with.
Where this may be useful is if I'm under investigation,
and you only have Sarah's device, and she's cooperating,
you will get some of my information from her device
because we share it with one another.
This contacts.dat file is hideous looking.
I use Cellebrite to look at this,
and this is something that made it look a lot nicer
versus just the blobs that you'll normally see,
but just to be clear, it did not parse it.
I used the tool to look at the data that I stumbled across.
Then, we took it a step further, and I tried every
forensic tool I have access to to parse this information.
Oxygen Forensics did the best.
This is what you see.
Some things they do really well, and some things
it needs a little work and validation on your part.
So, here we can see two flights climbed
in my health secure database, and that may not seem
like a lot of flights climbed, but I was 40-weeks pregnant
trying to walk that baby out of my system
before I was forced to have her the next morning.
So, you can see I have two flights climbed.
What is incorrect here, time zone,
so it's just UTC versus local time.
The query we wrote, we said show us in local time
versus UTC, so if you're not sure about your tool
just make sure you validate it.
On the far right side, you can see all the categories
that Oxygen is pulling out for you saying hey,
if you care about heart rate, or if you care about pulse,
you can just click on those,
and it will show you that information.
I cannot stress enough to make sure you validate it.
Why you need to validate.
Oxygen thinks I'm a male which I have no idea why.
It's very interesting.
They must know my alter ego.
So, if you look there on the left also,
that picture of my bulldog when he was a puppy,
I have no idea where Oxygen's pulling that from.
That is not my profile picture on anything,
but apparently at some point in time it must have been.
It also has my birthday wrong by one day,
and I assume that's just because of the time zone settings,
so on the left, that is what Oxygen shows.
That I'm male.
My birthday's wrong by one day.
It does show my blood type though,
and do you notice in that next screen from my phone
it does not have my blood type set.
It's pulling that because I'm an organ donor,
so we believe it's going in and looking at organ donation
where I have my blood type set,
and that's where it's pulling that.
On the far right side, that is the truth in the information
just so you could go and verify
all of the data that you see.
So, in summary here, we assume that all this data
will be accessible in cloud.
I know that a lot of the vendors
are chasing health data in cloud.
I know that ElcomSoft is going to release this capability
in the next two months, so just stay tuned.
There will probably be some kind of
blog post or follow up on this.
We obviously need to test medical records.
To be honest, I'm probably never going to
put medical records into my phone because I don't
care enough to do that, but if anyone ever comes across this
and sees what the information looks like,
please let us know.
We cannot stress enough, when a tool comes out and says hey,
we support all your health data, does it really?
Does it get it all?
Does it know how to correlate it?
Does it understand time stamps?
Always validate your tools because at some point,
there is going to be something that is not correct.
- Yeah again, tool support is certainly lacking.
This is a great opportunity
for writing scripts, writing queries.
We've done the queries, but actually putting
and correlating all the data together
there is a lot of work to be done.
This database is gigantic with just a ton, a ton
of records in it which is good from a forensics perspective.
You always want more data.
More data is nothing to complain about.
So, as far as other tracking, because of these databases,
these records, there is stuff that
we certainly didn't have time to talk about.
Are you interested in testing a scenario?
Get out there.
Test it yourself.
Like those investigators in Germany.
They needed to test something.
They wanted to see what it actually looked like,
so they found a guy.
They said hey, can you do this one thing.
You have the same build as a suspect,
and they actually did some active research,
some active testing, so I encourage you to do so as well.
Or, you know what, just get out there and get motivated,
get out from in front of the computer, go to the gym.
I know it sucks.
I'm with you there.
But, you know, it'll probably make your life better
if you don't, you know, start running and just fall
off the treadmill like I tend to do every once in a while.
So, this is, again, this is part technical.
It's part motivation.
We've been workin' our butts off the last year mostly due
to peer pressure, a good peer pressure in this case.
We hope you enjoyed some of the DFIRfit tweets
that we've kind of sprinkled throughout here.
A lot of those folks are in this audience right now,
so if you see them, high five them.
They've done a great job.
Hope you guys use the hashtag in the future as well
'cause it really has taken off.
If you wanna see any more of our research,
we both have blogs that are out there.
We have not listed the blogs on here,
but we both also teach classes,
and we're here for the next 10 days or so.
Heather is teaching her 585.
I'm teaching my Mac forensics,
so smartphone and Mac forensics.
We're teaching in a lotta different places,
going to some awesome places, Prague, Sydney,
Vegas of course, Miami in November.
Oh, what a hardship that is, right?
- [Heather] Cindy's in Paris in two weeks.
That's a tough one.
- [Sarah] Yeah, tough, tough, tough gig right there.
So, if you are interested in classes, check the schedule,
check the websites on there,
and they are available on demand too
which means you can take these at the gym, right?
You can take your laptop on the treadmill.
Anybody do that?
Am I the only nerd who's probably done that?
- [Heather] I would fall, so that's not good.
- [Sarah] I'd definitely have fallen, definitely, worth it.
But again, I hope you enjoyed the presentation.
If you've got any questions for us, please let us know.
We do have, I think, a few minutes for questions.
In the meantime, I'm gonna share a few other tweets here,
some of my other favorites.
Again, all of these guys are in the audience.
So, thank you.
- [Heather] One more thing, Sarah and I are both releasing
brand new forensic challenges this week.
So, if you've taken our classes in the past,
brand new challenges being introduced,
so, you may wanna take it again.
- [Sarah] Yeah, yep, you might wanna take it again,
brand new data sets.
- [Heather] Brand new data set and our brand new
smartphone poster's available
for you guys out there as well.
- [Man] All right, big round of applause.
(audience applauding)
(electronic music)