Forensics Talks

EP 103 | Jean-Philippe Noat | Digital Intelligence

Eugene Liscio Season 2024 Episode 103

Forensics Talks Episode 103: Digital Intelligence with Jean-Philippe Noat 

Join us on Thursday, July 4, 2024, at 2 PM Eastern for an engaging episode of Forensics Talks! We're excited to welcome Jean-Philippe Noat, a renowned international cyber security and forensic expert. Jean-Philippe has extensive experience as a Digital Intelligence Specialist at Cellebrite and as CEO of Uriel Expert. 

In this episode, we'll dive into the security of apps like WhatsApp and Signal, discuss the intricacies of digital intelligence, and explore the pivotal role that digital intelligence has in modern forensics. Don't miss this opportunity to learn from one of the industry's leading experts.

Originally aired on: July 4, 2024

00;00;29;29 - 00;00;48;18
Speaker
Hello everyone, it's Eugene. And welcome to another episode of Forensics Talks. We are at episode 103, and my guest today is going to be Jean-Philippe Noat. And we're going to be talking about digital intelligence. Now, before we get started, just a few things. And the first one is, well, it's July 4th, so I call this the,

00;00;48;18 - 00;00;50;27
Speaker
July 4th edition for our friends in the US.

00;00;51;04 - 00;00;52;05
Speaker
Happy July 4th.

00;00;52;05 - 00;01;03;01
Speaker
You're probably having barbecues or traveling or enjoying some time at the beach or something like that. I know it's a big travel time in the US, so. Hey, if you're watching. Great. Fantastic. Glad to have you here.

00;01;03;01 - 00;01;23;21
Speaker
Okay. So, but we're going to jump right in today. We have plenty to discuss. And I want to introduce or give a little bit of background on my guest. And his name is Jean-Philippe Noat. And he has a really impressive background in digital forensics and cybersecurity. He has a career that spans over 18 years and working in digital intelligence.

00;01;23;23 - 00;01;30;25
Speaker
And he's a specialist at Cellebrite, and he's contributed to the development and delivery of advanced digital forensic techniques.

00;01;30;25 - 00;01;51;18
Speaker
His work includes creating technical webinars for international markets, providing advanced support for law enforcement agencies that he works on cases, active cases, he enhances capabilities in handling complex digital investigations. And he served as the senior director of Strategic Advisory Services at Cellebrite, where he led global forensic and advisory services.

00;01;51;21 - 00;02;14;21
Speaker
And he was instrumental in guiding C-level executives on cyber security strategies. His role also extends to enhancing customer relationships, delivering customized training and expanding business partnerships and strategic alliances. And he has an extensive history of working as an expert witness for high profile cases, including those at the International Criminal Court in The Hague. And I definitely want to ask him about that.

00;02;14;23 - 00;02;37;16
Speaker
I first met him in Romania. I was last October 2023, and I saw a presentation that he did which was focused primarily on WhatsApp. And, you know, it's a very popular app. A lot of people know about it, and there are similar apps as well. But, you know, he's really looking at, you know, what kind of information we can extract from these devices even when we have, you know, these very secure and encrypted apps.

00;02;37;23 - 00;02;57;20
Speaker
And so, I thought it was a really fascinating presentation, really, really good information. So let me bring him in here and there he is. Hey, Jean-Philippe, how are you? Hey, Eugene, I'm very glad to be here tonight. Sorry. Today. Sorry. I mean, I'm in Europe so for me tonight. That's. That's right. We have to actually let people know.

00;02;57;20 - 00;03;03;16
Speaker
So, you are in Monaco right now, right? So, I am in Monaco. Okay, but,

00;03;03;16 - 00;03;14;22
Speaker
where did you grow up or where you originally from? So, indeed, I grew up in Monaco. I was very, very lucky to grow up in Monaco. Then I went to study in Paris a couple of years. More than,

00;03;14;22 - 00;03;16;07
Speaker
Yeah, 15 years.

00;03;16;09 - 00;03;16;24
Speaker
Then,

00;03;16;24 - 00;03;23;14
Speaker
come back to Monaco and, work in digital forensics. Excellent, excellent. Okay. Well,

00;03;23;14 - 00;03;35;04
Speaker
Yeah, it's been a long time since Romania. but I did see your presentation there. I thought it was, was a great conference, so thank you to, Doctor Papa, that it was, great. to have you there and to invite us there as well.

00;03;35;04 - 00;03;45;18
Speaker
But you were only there a short time, so we hardly we spoke only a little bit on the bus, together. Exactly. Yeah, yeah, in and out, I guess, but are you are you, I don't know, are you able to go back,

00;03;45;18 - 00;03;50;00
Speaker
for the next one? So normally, yes, I should, again, I never know.

00;03;50;00 - 00;04;12;18
Speaker
It depends on the real case, the emergencies that could happen at any time. But normally I wish I could spend more time this year, you know? Yeah. Okay. Okay. Well, so let's, I just want to get into your background and how you got started. So, I normally ask the guests about when they were young and just sort of their mentality when they were kids, really.

00;04;12;24 - 00;04;35;29
Speaker
I mean, were you a scientific kind of kid? A nerdy technical. You like these kinds of toys and things like that, or were you sort of a different sort of character at that time? No, to be honest, I enjoy computer science always. So, I start my first program. If you remember, it was the ZX81.

00;04;36;01 - 00;04;59;06
Speaker
So, it was in the in the 90s or 80s, early 80s. And I start writing my first BASIC program. And, slowly but surely, I continue with, with computer. I wanted also at the same time to be a pilot, to be an aircraft pilot. But, you know, life decided the opposite. And so finally I study mathematics. Physics, engineering.

00;04;59;07 - 00;05;26;17
Speaker
So, computer. So for, what we call, I don't know, the engineering level, so up to five years after A-level and, so I worked in for, companies like HP, like, tell us for the French, Ministry of Defense and finally come back to when I come back to Monaco, I discover, it was in the around the 2000.

00;05;26;19 - 00;05;57;13
Speaker
I discovered child pornography over internet. And, with some friends, we decided to create some dedicated program to fight child pornography. And, I have a wonderful, I would say, some wonderful meeting and a wonderful, luck with my life. So, I met an extraordinary person, conservator who was my forensic godfather. I would say so in did it.

00;05;57;13 - 00;06;27;04
Speaker
Trust me? He introduced me. And finally, I could work for a different judge because of is, I would say is friendship. And we made all together dedicated website conferences.org, but used to be a technical, technical support for law enforcement or not only in France, most of course it was French in initially, so it was for French speaking, guys.

00;06;27;06 - 00;06;49;27
Speaker
But, then we have more and more guys from Canada, from, UK, from Germany, from Swiss, etc. and finally we made a beautiful story for, more than ten years with this, website. And then the technology change, of course, it's not going to be computer forensic. It was going on more and more with mobile forensic.

00;06;49;29 - 00;07;14;08
Speaker
And of course, the security also changed. We have more and more, you know, hackers and, so we need to protect because, what we did and finally we had no time to maintain this. And now, you know, we have WhatsApp, we have signal, we have groups of, everything. So of course, the website itself as a concept was not useful anymore.

00;07;14;15 - 00;07;37;19
Speaker
So, we finally close it, but we keep, of course, the link with the community. And, you know, what is fantastic, really, in this job is the school, as I said, the school of humanity. You know, the more you learn, the more you need to learn. And really, you learn more with your mistakes than with your success.

00;07;37;21 - 00;08;02;13
Speaker
And this is, you know, I was always, happy to share when they fail because I wanted the other guys not to do the same mistakes. So, this is why. And again, if you will, you should do it with us with some humility. But of course, with, passion, it's going to work, as I said.

00;08;02;13 - 00;08;23;10
Speaker
Always said in my course, never give up in front of a digital evidence. Never give up. Right? Right. Yeah. Interesting. So, when I was young, I had the Commodore Vic 20. So, I remember begging my father for I begged him, please, please buy me. And so, I used all my, like, birthday money and things like this.

00;08;23;13 - 00;08;31;16
Speaker
And so, I was into programing and it's funny, I was also interested in becoming a pilot and I got.

00;08;31;18 - 00;08;53;25
Speaker
Oh, you unmute. Yeah. There's something sorry about that. I got halfway through when I was a pilot. and then I, and then I was moving around in jobs. So, I couldn't do it anymore. But it's interesting. We had some very similar interest. And you mentioned Serge. I didn't catch his last name. Oh. Says Autumn, it's, it's a guy from the Belgium police.

00;08;53;25 - 00;09;15;02
Speaker
Now he's retired, but he's, he still is still very present in my heart. I never forget him. And I really, you know, I'm sure Will is sooner or sooner or later you will listen this. And he knows what is in my heart forever, right? So and so around. So, we're talking about what timeframe? When you first met him.

00;09;15;05 - 00;09;45;02
Speaker
so, I met him in the 1990, something like that. So, even, yeah. Yeah. 19. no. Sorry. try to be younger. we, we talk about 20, you know, 22 005. Exactly. So, almost 20 years. Okay. So, at that time that he was inside doing this digital intelligence, or was he doing something different?

00;09;45;05 - 00;10;09;24
Speaker
Yeah, it was indeed the, the head of the technical police in, in the city and, he showed me the job because, you know, we at this time, we have no school. We have no way to, to become, to have experience except practicing, practicing and practicing. And the problem is the, you know, the law enforcement community is quite close.

00;10;09;24 - 00;10;38;00
Speaker
If you're not coming from the law enforcement. Really. And this was the challenge. And, of course, when you share something to the law enforcement community, it's easy. But for them to share something with you, it's more complicated. Okay, so tell me about what you do as a digital, intelligence expert. I mean, it's a very it seems like a very broad title or topic, and there may be many facets or aspects to it.

00;10;38;00 - 00;11;02;11
Speaker
So how do you break it down in your mind, or how do you divide that area, or how would you describe it to somebody. Yeah of course. So indeed, learning to be a kid, you know, first, if you want to be a real specialist is you are just learning every day, and, you leave a passion and you must see, the new evidence like a child.

00;11;02;14 - 00;11;32;10
Speaker
Okay. Yes, I see that. And I want to improve that. And you use different tools, and you say, no, you are not happy with what you have. And so, you need to deep dive. You need to understand what's behind. And so if you leave a passion and if you leave, if you refuse to give up, also, especially when you are working on your case, if you refuse to give up and say, okay, I have just the name of the person, but I don't have the date, where can I find the date?

00;11;32;10 - 00;11;55;08
Speaker
Where can I retrieve the date? Is it there is a time zone issue, I am sure of what I'm saying, etc. so it's a passion. It's a game. and always a challenge for sure. Okay. And so, when you talk about the kind of work or cases you might be on, I mean, I saw your presentation, we were talking about WhatsApp.

00;11;55;08 - 00;12;18;05
Speaker
So, in that case you're dealing with a mobile device, but computers, maybe other types of devices that had information. So, what is the scope of what you do? Because it seems very broad. Yeah, indeed. The goal is to assist different jurisdictions, so different judges all over the world and of course, different police to be sure

00;12;18;08 - 00;12;44;12
Speaker
of the, the evidence they have on, you know, different digital evidence. So, it's starting indeed to preserve digital evidence. This is very important. Why? Because imagine you find phone on the street. What will be your first attitude? Switch off, put flight mode. Do not touch the premise. Do not touch. Okay. Wonderful. But you know it can be done remotely.

00;12;44;14 - 00;13;11;06
Speaker
Okay. If you want to preserve digital evidence, you need to think about it and you need to anticipate. So, if you put the flight mode, what's the consequences? Okay. That's great. My phone is going to be put in flight mode, but indeed I will have some impact on the logs I will find on the phone. So, each I would say each attitude must be followed and anticipated.

00;13;11;08 - 00;13;30;05
Speaker
Okay. If you have a guy what does killing himself okay. Does it mean that you need to keep the phone on of how you can go to unlock the phone, you see, so you have a lot of, of question. And of course, if you, for instance, if you switch off the phone, you will not retrieve the same amount of data.

00;13;30;05 - 00;13;52;08
Speaker
But if you keep the phone on. So indeed, and this is the challenge, the good attitude of the first minute is the key. Yeah, exactly like DNA. Indeed. You know, if and if, if I'm coming to a crime scene and say, okay, I want to help and I bring this and this on the crime scene, of course it's not going to work.

00;13;52;08 - 00;14;17;11
Speaker
And I will put my fingers, I will put all of my, my lack of hair. Sorry, but indeed I will put everything, it will put everything on the crime scene except, I would say, the, the evidence I'm looking for here. It's exactly the same. So, the first minutes are critical. If you want to preserve digital evidence in front of a hacking.

00;14;17;11 - 00;14;37;21
Speaker
Of course. Because, you know, if you just see that you have been hacked on your PC was a good attitude. You have to switch off. You leave it on. But if you switch off, you lose evidence. So, what's a good attitude? And exactly same for the phone. Exactly the same if you have a drawer or if you have the cloud, you know, cloud evidence.

00;14;37;24 - 00;15;01;03
Speaker
Exactly. The problem is of digital evidence. If changing in real time, meaning you have a limited amount of time to take the good to right decision. Interesting. Yeah. And, what about, I mean, you're talking about preservation here, which is obviously very important because you don't want to destroy the evidence. And then what about, retrieving.

00;15;01;03 - 00;15;18;11
Speaker
So, one part of it is, hey, well, how do you preserve the evidence? But then the second important part is, what do you what can you pull from this device or something like that? Right. So, talk to me a little bit about retrieval of, of evidence of digital evidence. Yeah. So indeed, you have a different, different example.

00;15;18;14 - 00;15;43;24
Speaker
Imagine you have a computer in front of you. Okay. I would say, normal PC, classical PC or desktop or whatever. So here the PC is off. Okay, you just take the hard disk. You put a blocker of course, to preserve the digital evidence and you acquire everything meaning including the empty space so you can retrieve deleted data.

00;15;43;24 - 00;16;06;05
Speaker
And again, always I always think how to maximize the quantity of data I could retrieve. Okay. So, this is for computer. But imagine you have a live computer. The situation is different. So, imagine you have a Mac, have a Mac, live. So, are you going to remove the hard disk from the Mac? Of course no. The Mac is working.

00;16;06;05 - 00;16;32;17
Speaker
So here it's more complicated. especially with a mac. Encryption is a challenge. So, you need to anticipate that before switching off everything. You need to anticipate that you might have an encryption issue. So, and here, of course, if you are working on the scene, you can see that if you have, you know, some post-it, some note with a code or you take a picture of everything, etc.

00;16;32;17 - 00;17;03;28
Speaker
So, it's very, it's super important to identify every I would say, object near the computer. Okay. Now imagine you have a phone on two steps. It can be locked or unlocked if it is a lock. Okay. In the past and this is very interesting because I if you remember, we talk about WhatsApp. In the past I used to say, yes, I want to see the WhatsApp now, I want to see the message, etc.

00;17;03;28 - 00;17;26;11
Speaker
And this is now when do you again? That's why it's a this this job is wonderful because it's changing every day. And in the past, I would say, okay, look, if you have WhatsApp locate, you have signal, etc. here, I would say if the phone is on lock, please switch off all the messaging apps, which we know. Why?

00;17;26;13 - 00;17;52;26
Speaker
Because you have ephemeral messages. Ephemeral messages are not your friend, and you need to anticipate that and be sure to switch off all the messaging apps so that we can maximize the quantity of data we are going to retrieve from the phone. If your phone is on WhatsApp, discontinuing is running. What's going to happen? You are going to have the phone for two, three, four hours to extract it.

00;17;52;29 - 00;18;18;18
Speaker
But the premise, if a message is going to be programed to be deleted for the next one, two, three, four hours, it's too late, okay, you will not be able to retrieve it. So that's why you need to anticipate that. And this is completely new in the, in our agencies to think about, anticipate ephemeral messages. Very interesting.

00;18;18;21 - 00;18;41;14
Speaker
so, you've probably run into some situations or cases where you've actually seen this happen, where somebody maybe there's new messages coming in or there's messages being wiped out as they go is, yeah, true. Yeah, absolutely. So of course, sometimes normally when you just arrive on scene or you want to put the phone, the phone in flight mode, but is it, is it enough?

00;18;41;14 - 00;19;15;19
Speaker
Of course not. Does that have some smartwatch? So indeed, with the watch you can already interact with the phone, even if the phone is in flight mode, for instance. So, you need to yeah, you need to preserve as much evidence as you can. And of course, consider, your phone as sealed. So, it means that here you need to protect it, and you need to put it in, you know, in a box or something like that to cut between all the waves and all the connection from outside.

00;19;15;19 - 00;19;42;20
Speaker
So, this is really important. And then you need to extract the content and of course all the recent phones now, you know, Android or iOS, the encryption is an issue. Okay. And that's why Cellebrite is a wonderful and extraordinary company, because they know how to face encryption, and they are helping law enforcement agencies to decrypt all this content.

00;19;42;22 - 00;20;08;04
Speaker
And I would, to be honest, without the capabilities of I know that many, many cases could not be solved. So, for you specifically, I mean Cellebrite sells products, which allow people to, you know, sort of pull evidence from digital devices. Yeah. What I know that you work on cases. Like, I remember you've been busy working on international cases and everything.

00;20;08;04 - 00;20;35;05
Speaker
So, is it just a matter of when there's the really difficult stuff, they send it to you? Is that what's happening, or does Cellebrite provide services as well? So? So, I provide services. You know, Cellebrite is assisting law enforcement agencies all over the world. Okay. So, I am a member of a wonderful and extraordinary expert team, with, you know, for instance, Heather Mahalik.

00;20;35;07 - 00;21;05;22
Speaker
no, no, Jared. yeah, we've been Josh Hickman, Paul Lorentz, you know, all these extraordinary guys, they have more than 15 or 20 years of experience. And all together as a team, we are assisting law enforcement, meaning, you know, all together, we have some unique capabilities. And again, it's not me. It's all the team. And this is super important because really it makes an impact because you cannot know everything.

00;21;05;24 - 00;21;30;16
Speaker
But all together, I believe we can answer a lot of challenging questions about how to interpret an artifact. I give you an example. Yeah. And within, just testify about the case. And, you know, there were two artifacts when, Safari opened, website and when they reached the record in the internal DB and there was some difference.

00;21;30;16 - 00;21;58;23
Speaker
So how to interpret. But you have this time in the database and another time, six seconds, six seconds later. So indeed. Yes. All this understanding of how the phone is working internally. this is an example for the phone, but computer forensic exactly the same. We try to assist and answer all those questions, making some test and making some research.

00;21;58;25 - 00;22;23;04
Speaker
You know, we are not good. I promise. We are always working. Working and working and testing, testing and testing. When I'm making all these webinars, you know, about the snapshot, about WhatsApp, we always made a lot of testing, to be sure we understand. And we ask the right question, and we understand the internal behavior of the phone.

00;22;23;06 - 00;22;48;00
Speaker
And what is wonderful in this job, if what you say three months ago. Hey, it changed three months ago, three months later, it's not true anymore. So, that's why we have we have job for now. And we are not complaining because, we are building a what we call the one-on-one community. So, you mean a strong community all together to assist each other?

00;22;48;00 - 00;23;13;00
Speaker
And to really to build a strong and trusting relationship. I remember when I was watching your presentation, one of the things that struck me, and actually, we had a brief conversation just before the interview here, and you said something and it struck me, and that is that, you know, when we see or at least from a layperson's perspective, the apps like WhatsApp, Signal, you know, Instagram, whatever.

00;23;13;00 - 00;23;34;25
Speaker
Sometimes there's, people try to communicate to you that they're super secure and encryption and all this stuff. And to an extent, the some of this is true. but I think you said, you know, sometimes you even when you feel you've hit a dead end or the like, okay, we got nothing. Sometimes there's always little, little crumbs that appear or that present themselves.

00;23;34;25 - 00;23;49;06
Speaker
And I thought that was really interesting. So can you talk about some of the things that, and this is really for a lot of the people in law enforcement around the world that maybe watching this one day thinking that, oh, you know, we got this phone, but I don't think we're going to get anything from it. Whatever.

00;23;49;09 - 00;24;16;25
Speaker
What kinds of things should they be looking for or could present themselves as an opportunity for them? Let me give you an example. you have we talk about, signal, WhatsApp or whatever. You have some messaging, hope and imagine the situation. Okay. You the guy before being caught by the police, just delete the app. Okay? So, when you are calling the phone, you have no you have no evidence of the app.

00;24;16;26 - 00;24;46;29
Speaker
You know that. Indeed. You used to have this app. You know that messages were sent or exchanged during quite a long period of time, but you don't have everything. So indeed, as I said, you must never give up. First, you must try to find some backup, okay? Some backup locally or some backup on the cloud. If, of course, the law allows you to look on the cloud, then what else?

00;24;47;01 - 00;25;12;02
Speaker
Hey, let's think about that. Our. We search, for instance, on iOS, you have new evidence called Biome. It's wonderful evidence. Why? Because you have notification. In the notification, you have two lines of the message you receive. So indeed, even if the app has been deleted, even if you don't have any backup, I should say, guys, try to look at the Biome.

00;25;12;04 - 00;25;52;06
Speaker
Try to look if you don't have any notification. And indeed, you have until 28 days of data that could be retrieved. It's not always 28; it depends on the size of the quantity of the data. But as I said, never give up. Try to see if you can look something here. This is an example for iPhone, but you talk about some of the what you presented in Romania in WhatsApp because there was other information like for example, you, you were talking about and I it doesn't hit me right now, but I remember seeing that you were able to receive, or, or know that, you know, part of a message was sent or something was received

00;25;52;06 - 00;26;13;08
Speaker
or there were ways that you could do things like that. Indeed, it's what we called the metadata, indeed, that you have a lot in the you need to study the internal database of WhatsApp, for instance, and you find a lot of metadata. For instance, you know, if, you are a member of a group who is the admin of the group, okay.

00;26;13;08 - 00;26;41;02
Speaker
And then it can give you an information about who is leading the group. Another thing is you try to send a video, or a picture and you send it partially. So, you receive it from someone. So indeed the, you just if you look initially, you just find the picture on the phone and said, okay, you need to think about how does this picture came to the to the phone to the phone.

00;26;41;05 - 00;27;10;02
Speaker
Is it sent by WhatsApp? Is it sent by SMS? It is sent by another way. So indeed, you are needed to answer this question. And so, WhatsApp even if you deleted the WhatsApp conversation, WhatsApp has some wonderful metadata that could help here. And so, this is so I don't want to be too technical, of course. And, to the hope of full, webinar, all the technical, on WhatsApp, technical data on WhatsApp.

00;27;10;09 - 00;27;34;27
Speaker
But indeed, you find a lot of valuable data about, when this picture has been sent or, you know, you can find some digital signature that can prove that indeed those pictures are the same, even if you don't retrieve it, you know? So sometimes indeed, putting everything, I would say, all the puzzle together, you are going to build the truth.

00;27;35;00 - 00;28;10;09
Speaker
And this is the goal we are trying. And again, we must be very humble, but we are trying to build the truth. And this is what our role here, I keep thinking about the mobile phone because everybody uses phone for communication and everything. But you pointed to the watch before, and I'm wondering, are other devices is now being looked at like maybe some of those fitness tracking things or maybe, I don't know, okay, other types of devices that might be in your car or just in other places, what can you tell me about other things other than mobile phones?

00;28;10;12 - 00;28;37;10
Speaker
So indeed, first, most of the time, what is interesting for case location data and if the person was at a particular place and when you were at this place. So indeed, you have timestamps, you need to have a timestamp and location data. Okay. So, most of the time you solve, I would say 80% of the case with that if you don't know.

00;28;37;10 - 00;28;57;26
Speaker
But this guy was precisely at this position at this time you solve the case. The problem is location data is not trusted on the phone. So, you have millions of artifacts. For instance, you can ask Google a, I want to go to that restaurant. Does it mean that you went to that restaurant? No, but you wanted to go.

00;28;57;29 - 00;29;24;03
Speaker
but on the on the other side, you don't. You are you run the hub like, the fork and the fork took the position from you directly and put it into that database. What does it mean here at this time? I know where you are, but location is not enough because you have what we call accuracy. So, imagine you are in a car park in the level -1 or 2.

00;29;24;05 - 00;29;49;16
Speaker
You know, they look at the GPS signal that would be very weak, meaning the location will not be very precise. But if you are on the street, if you are, if you are not in the middle of building, for instance, yes, the location will be very precise. So, as I said, we cannot bring millions of location data without bringing some accuracy and bring trust.

00;29;49;16 - 00;30;14;22
Speaker
So that's why the this is the challenge we have. And you talk about some other things. What is you talk about, you know, when you go to sports, you know, that you are going to run or you know, you have location, location artifact because you run to this place at this speed, etc.. So indeed, the sport is a wonderful source of, location data and for digital evidence.

00;30;14;24 - 00;30;38;24
Speaker
So, it comes from the watch. It could come from, some equipment, you know, sometimes just, I so that, the shoes sometime, you know, the, you know, the number of steps or, what the guys did, on the cars also car also so wonderful. source of forensic, I remember I have a case indeed.

00;30;38;27 - 00;31;08;11
Speaker
the guys. So what? We know the guys have no phone. Okay? He just cut his phone. But, with the car, we prove that he went in the forest in the cemetery in a certain amount of time, and you went to the forest, and even more, the weight of the vehicles lost 200 kilos. Meaning at this period of time, we exactly know that the, in weight.

00;31;08;11 - 00;31;37;27
Speaker
But the weight that were seated on the on the car, we lose 200 kilos and then we win. We have 100 kilos coming back. And then when the cars come back, we lost 100 kilos. What does it mean here? It's the weight of a body. So indeed, using that evidence and of course, we some, Alan truths, police, policemen and, inspectors, we will definitely prove.

00;31;37;29 - 00;31;56;25
Speaker
But indeed, the guys took the body to the forest, and even more with the location of fact, we can retrieve, the car. We could retrieve the body. That's amazing. I never I've never heard of that before. Of looking at the weight of the vehicle. Is it being recorded? That's amazing. Yeah, it's really, really interesting. I meant to ask you before, so I.

00;31;56;25 - 00;32;18;10
Speaker
I'm going to jump back a little bit, but you do work. well, you started doing work some time ago, and I believe you still do work for the International Criminal Court, correct? Yeah, exactly. When needed. When you told me, actually, I have no idea. How does one begin, working with the International Criminal Court and maybe you can tell me about your experience there and how they how you get cases.

00;32;18;10 - 00;32;43;20
Speaker
What is the dynamic there? So indeed, first, it's come from France because I work with different judge in France and this judge were nominated in Europe. Okay. And so, they wanted to continue to work with me initially it was that. So, they asked me to apply to the International Court of Denmark so that I could definitely continue to, to work with them if needed.

00;32;43;22 - 00;33;12;09
Speaker
And the goal was also, you know, the problem is, with in a human relationship, the problem is to trust. And especially when you work on very sensitive case, the different judges want to continue to work with the same team. Okay. So indeed, the dynamic is what we call in French ordinance. The commission expects. So, you have indeed the judge asking for permission to you.

00;33;12;10 - 00;33;37;00
Speaker
So, they ask for you, for instance, and indeed, they asked for assistance about. Okay, I need to have a terrorism case. I really need to, to have your help, to be sure that I am going to, to arrest the right person because our role is also to bring the truth.

00;33;37;00 - 00;34;02;12
Speaker
So sometimes you are protecting someone, or you are defending someone because you were arrested, but you were not guilty. You know, looking at the digital evidence, it was not guilty. So, it really, it depends. And sometimes you need also to and, I was thinking about the murder case I work with couple of, couple of, years ago.

00;34;02;14 - 00;34;31;23
Speaker
Indeed. The, the guys claimed that, so the suspect, the I would say the suspect claims that his girlfriend was, was working on the into an internet on the computer, meaning, okay, she was not there at this time, and she was playing or working with the computer. And the problem I have is how to prove that behind the keyboard, you have a human being.

00;34;31;25 - 00;34;50;21
Speaker
Okay? And you know, this is quite challenging. It's funny because, indeed, first, that you have a mouse, so you have a mouse, and you have a cat. So indeed, the cat could move the how the mouse. So, this is the first thing. And it will happen because here we have a cat. Second, we have a browsing history.

00;34;50;21 - 00;35;16;18
Speaker
And, we need to understand why you have a browsing history. Is it because, I want is it malware, or is it because, it's automatic and then we have, sometimes we have, you know, a crash. And so, we need to understand the behavior and is there a human being behind that? So indeed, I was lucky because I used to have at this time a Bluetooth keyboard.

00;35;16;21 - 00;35;44;10
Speaker
So, Bluetooth keyboard, if you press on the key, you have an interruption on the, event log in Windows. So, if nobody presses a key on, on Windows, it means that you can interact with the computer only with the mouse. Okay, because you have no interaction with the keyboard. And so, if you have only interaction with the mouse, it means if you want to start a program, you need to go to start and start a program.

00;35;44;12 - 00;36;17;22
Speaker
Or because remember you are not typing on the keyboard. So, it was really interesting. And finally, I could prove, and the guy was done for 20 more than 20 years of jail. And I could prove that indeed, this was bullshit. And, really, there was nobody behind the keyboard. Even if you have internet browsing activities, this is because you have a technology called HTML5, and it means you have dynamic entries, like if you are looking for CNN, okay, each 15 minutes you refresh the screen.

00;36;17;27 - 00;36;42;13
Speaker
But it doesn't mean when you have interaction. Okay. And so, this, this was funny. Interesting. You were mentioning a lot of your colleagues before, some really good people in this area. So, is there, is there an organization like a European organization or a global organization of people working on digital, evidence or digital intelligence? Well, that's a great question.

00;36;42;13 - 00;37;09;06
Speaker
I don't think so. We know each other for sure. We have, we have we have of course, the, the in Europe, the International Court of Denmark. And we have in, in France different, what we say, Court of Appeal, but we work with but we, we don't have a real, centralized organization because each country as its own.

00;37;09;06 - 00;37;32;21
Speaker
No. Meaning, you know, some, attitude. Good. Or some, yeah, I would say some habits must be lost if you work with this country. Give you an example very easily to understand the cloud. You know, the cloud legislation is changing every month, and it depends on the country. So, on some countries especially, you know, I believe in Monaco.

00;37;32;21 - 00;37;53;03
Speaker
So, my country in Monaco, of course, I can investigate on the cloud. My country is two square meters. So indeed, if I cannot investigate on the cloud, I wouldn't be able to do anything. But if I'm talking about France, for instance. France. The witness must be here. The suspect must approve. But you go to his cloud is to trust.

00;37;53;03 - 00;38;21;24
Speaker
So, the situation is much harder. In Germany, it's. The situation is different. So, you say, as always, there is no one good attitude. You need to adapt to the habits of the country. And this is the challenge. And you in Singapore, for instance, you can go to the cloud everywhere. You have no, no limitation. There are, there's probably going to be some students and some academics maybe watching this, who might have an interest in this particular area.

00;38;21;29 - 00;38;58;02
Speaker
Now you have a background, with, with like programming, computer science a little bit and that sort of thing. Most of the people who get into this do they require a technical like software programming background is and, but my other question is, are there any schools or programs that you know of that are highly recommended? So first, I would recommend I know it's very expensive courses, but the best courses I have ever seen on cybersecurity, but you need to have some experience is SANS. Okay.

00;38;58;08 - 00;39;25;00
Speaker
The SANS organization this is this is the top level I would say okay. Then you have of course some other trainings you could follow. Okay. But I have no chance to become a specialist. But I would say first you need to have a passion. Okay? This is first, do not do your job because you need to wake up at eight and you need to do the job and to 4 p.m.

00;39;25;00 - 00;39;50;16
Speaker
Okay? It's it doesn't make sense if you really, want to do this job. Passion and serve studying meaning. And this is the problem. Of course you will have some, university that will be able to teach that, but, you know, not nothing will replace your own experience. And even your, I would say, remember you, even when you fail, you are learning more.

00;39;50;16 - 00;40;22;24
Speaker
When you fail, when you win. And, so meaning your, you know, you can play with what we call the CTF capture the flag challenges. So, a CTF set about is organizing one another organization, organizing some orphans. So, this is first thing to play with and to acquire I would say the passion okay. Because again you cannot go to university or you cannot study that if you think that it's a job, but finish at four and stop at eight, okay.

00;40;22;27 - 00;40;47;18
Speaker
And this is my recommendation. Live the passion. Second, we did not talk about that yet, but I'm sure you are going, and you are a wonderful and clever person. So, I'm sure you are going to ask what about AI artificial intelligence? Okay. And here to be honest, I believe nobody can replace human intelligence here. Artificial intelligence could help.

00;40;47;19 - 00;41;20;08
Speaker
Yes, you could categorize picture. You can. You can play with similar face. You can ask for help to analyze millions of, of picture. But, you know, at the end human for so you cannot, and this is super important for me. You cannot combine someone only with digital, with artificial intelligence. Okay. Because I so now most of you know, a lot, you a lot of case now push button and, you have the report, and you have everything, and you see.

00;41;20;13 - 00;41;42;04
Speaker
And in red, this guy is guilty. In green. This guy is innocent. No, this is on the film, okay? When you watch TV, you know, in 40 minutes, you have the most expert but sold everything. But this is not the real life, okay? I remember I took on some case one month. Okay, to understand the behavior of the phone.

00;41;42;06 - 00;42;04;14
Speaker
Okay, so it means here, but you need to be ready to lose time if needed. And to deep the. I went to understand how it works. So yes, there is a lot of you. I talk about SANS, but, you have also EC-Council. Don't know if you heard about that. EC-Council. This is another company that do a lot of general training.

00;42;04;19 - 00;42;29;07
Speaker
Of course, you can start with some, Udemy stuff, etc. that will be, but we help. But at the end, I believe here you need to have as I was lucky to have like a godfather of forensic. Okay. That will really help you. But we show a here you are the wrong way. Here you are in the right way.

00;42;29;10 - 00;42;52;05
Speaker
And at the end, really, you need to have the mentality to never give up. It's interesting you say that about AI because I know that, you know, there's almost like a race to implement AI and machine learning and all these different software programs and such. So, so for example, to Cellebrite, they have already done they already have implemented a lot of AI tools and things like this inside the software?

00;42;52;07 - 00;43;19;02
Speaker
Of course they are. But there is still human. The human must decide if a guy is guilty, not AI. So yes, AI is helping. I would say to solve the case quicker, but AI is not really able at 100%, meaning you need to be behind AI. You need to understand the limit of AI. You need to understand that AI can be wrong sometime.

00;43;19;04 - 00;43;50;01
Speaker
Okay, so of course it's some help. It's saved your time. But as always, validate your findings. If you think that this is the case, please be sure to use another software or, the open-source solution to be sure you have the same result. Okay. Or try to understand what is behind and try to do the other. Yeah, I remember for just one day, for just one day, it took me, three days to be sure of this.

00;43;50;01 - 00;44;19;04
Speaker
Deleted information was right. And I want to put it correctly, because I used to have 20 software, and 20 software have 20 different answers because it was deleted information. So, what was the right thing? And of course, if a lawyer of the defense come to say I'm using that, then I say Mister, Mister Noat, you are wrong. I said, no, I'm not, but I explain one, so you need you need to explain to court why you have found limitation on different software.

00;44;19;11 - 00;44;50;03
Speaker
So, this is super important. That's why I am wonderful. I can save time, but I at the end is not really that 100%. If you were to look back at when you began in this area and then look at things today, I guess because of all the new technologies and things like that, I can see how you must constantly be updating your skills and tools and all these new code being written and trying to adapt to the technology that's coming by.

00;44;50;03 - 00;45;09;12
Speaker
But I wanted to ask, is this area getting easier or is it getting more difficult now because there's a wider variety of things? But over the years has it sort of stayed the same. You always have to try and be ingenious in what you do, or if you, you have more tools today that make it easier for you.

00;45;09;13 - 00;45;30;06
Speaker
What has happened over, you know, from when you started to now. It's any things you can talk about. Yeah. Of course. You know, I am a very old person. Okay. What does it mean here? I start with the phone. You just have ten, ten calls and one picture. Okay. Now, all the phones are the one terabyte of data.

00;45;30;08 - 00;45;50;19
Speaker
Meaning, you know, if you print the content of the phone, you print three times the height of the Eiffel Tower. Okay, so is it going to be more complicated? Yes, for sure. We have to face encryption. We used not to have encryption before. We have to face big data. You know big data more and more that that.

00;45;50;20 - 00;46;16;04
Speaker
What does it mean here? When I have a judge telling me, JP, I need you to retrieve everything on that phone, I said, okay, I'm not your man. I'm sorry. I'm not your man anymore. I used to be your man, but I am not. So indeed, finding everything on everything is not now an answer. Okay. You have on your computer, you have terabytes and terabytes of data, and I don't talk about the servers.

00;46;16;07 - 00;46;38;03
Speaker
I don't talk about what you have on the cloud. So indeed, you need to focus about what is essential for you, what you need to know, what you are looking for, what does it mean? You need to use keywords. You need to use timestamps. So, you need to know okay, I'm going to start my investigation between January 1st and February 1st.

00;46;38;06 - 00;47;00;07
Speaker
Okay? I'm not going to investigate on everything. If I want to do that, I'm going to lose time. I don't have the tools, and I am going to even for the jury, it will be absolutely a nightmare to explain the story. So that's why we need, to I would like to come back to more, to human.

00;47;00;12 - 00;47;22;08
Speaker
So, what does it mean here? If you imagine your phone that is a black box. Okay, the black box is impossible. So, you need to cut it into small pieces that are understandable for, a human, for the jury. And so, more and more, you need to cut into smaller and smaller pieces if I can use this expression.

00;47;22;10 - 00;47;44;17
Speaker
Yeah, yeah, it's interesting point. And, you know, you talk about explaining and, explaining why and also, you know, the jury and judge and things like this. So, I have a question about the, you know, some of the pressures and the responsibility and how you maybe approach things when you're at trial trying to explain these to maybe not so technical people.

00;47;44;19 - 00;48;05;20
Speaker
Do you find what is what is difficult about the role you have when you're at court and trying to explain it to the judges and, and lawyers and things like that? Have you if you come across any difficulties or, you have an easy way to explain things? Yeah. So indeed, that you need to make the most complex thing simple.

00;48;05;22 - 00;48;31;16
Speaker
Okay. So, use simple words. Do not use, I used to hash with SHA-1, etc. It doesn't mean anything for the judge. Just say that you bring trust, and you double check your data to be sure that you have the integrity of the data you are working with. If you say influence on this expression instead of, I use the hash, then define to be sure that.

00;48;31;24 - 00;49;03;20
Speaker
Okay, so indeed, the way the words are important here. Okay. And that's why yes, you trying to make it simple, but if you need to deep dive you can deep dive. And this is exactly one, my wonderful friend Yann within did, court, a few weeks ago, explaining how Safari is working. Okay. Question about, legal jurisdictions and different laws around the world.

00;49;03;22 - 00;49;22;15
Speaker
You work in a global capacity. I know you have projects and cases and files from all over the place. Are there things that you can do or is there evidence that you can provide in some countries that you can't in others, or certain things they will allow you to do in one place that they won't allow you to do in another.

00;49;22;17 - 00;49;46;06
Speaker
Of course, I talk about the cloud. Exactly the cloud. So, imagine if I am in France. I need to have an agreement with the suspect. If I want to extract the cloud. So, it's not really no, the case anymore. Because as an expert, I could do that because I am supposed to be neutral between the police and, between the suspect.

00;49;46;08 - 00;50;10;19
Speaker
But officially, yes, we have some, restriction depending on the country. So, if I'm working for, you know, on a case on the dedicated country, I need to know the laws. I need to know what I'm allowed to. It's exactly it's written normally in, what we call the procedure panel. So, it's a dedicated law books that tells you what you are allowed to.

00;50;10;22 - 00;50;33;28
Speaker
And, what about you are not allowed to do when, for instance, in Italy and in Italian, you don't have the same as that in Spain or many France. So, it's always a challenge, even if the, if the border is next to your country. So, for me, I mean, Monaco, meaning Italy is very near, France is very near, and even Spain is, one overflight.

00;50;34;00 - 00;50;51;06
Speaker
Right? Right. Hey, I've got a question here. I'm going to bring this up here on the screen, but it goes back to your, the case you talked about the vehicle there. There are a few people here I think, that are interested. What vehicle was recording the weight from and what ECM, I guess, what module was that data stored on or in?

00;50;51;08 - 00;51;12;16
Speaker
He says, never heard of such a thing before, and he, any. Okay, so I don't know if you can say or not, but do you know if what vehicles might have this information. Yeah, yeah. Of also indeed you have a lot of information on so indeed first you have the several things. If you want to investigate on an accident.

00;51;12;19 - 00;51;38;01
Speaker
Okay. You you're in it now. Almost all the vehicles. Okay. I've achieved the system, but also, you know, an airbag. So, when airbag is working, you need to know that airbag is always recording the speed, the acceleration, the brake if you push the brake or not, etc. So, in it you have all that information. This is for an accident okay.

00;51;38;04 - 00;52;01;04
Speaker
Is it used or not? It depends because sometimes it costs a lot of money to retrieve that because now it's, it's encrypted. But when I did this case, it was not encrypted. And you have the main, I would say the main computer, of the car, what we call a unit. And in this unit, you have a lot of valuable information.

00;52;01;06 - 00;52;21;28
Speaker
When I say a lot, you have almost everything. If the door is locked, the door is unlocked. The position of, the, you know, of the speed of you if you are first or second of 4G, 4G. And you have also if you have some guys sitting on the seat and the weight of, okay, you need you have the weight.

00;52;21;28 - 00;52;41;22
Speaker
So, you need you have the weight of the driver, you have the weight of the passenger. You have the weight on the backbone. Of course, if you put the body on the back, you will not have anything. But here we I mean, the global weight was 200 kilos and then when he came back, he lost the 100 kilos.

00;52;41;25 - 00;53;05;23
Speaker
So, sorry for, I'm not going to tell exactly the car if you don't mind, but, yes, it's, it's very, very, so first, we have many cars now but support this feature. So, I saw that on the chat that it could be your phone, but not only it will be, some American cars, but it will be also some German cars.

00;53;06;00 - 00;53;23;05
Speaker
Okay, so not only US cars, so not too General Motors. It could be, Ford, but it could be some others. Yeah. Very interesting, because I know that in my car, if I have sometimes if I just put my backpack or something on the on the passenger seat, it knows that exactly if the airbag has to be thought.

00;53;23;05 - 00;53;47;13
Speaker
But I didn't think about it recording weight, per se. So that's a very interesting thing for the future. I think I think you've given these gentlemen here some, some ideas here for the future, which is great. Awesome. What, what kinds of things do you see coming in the very near future for your area of, you know, digital evidence and digital intelligence?

00;53;47;13 - 00;54;08;10
Speaker
Are there any pressing things right now? I mean, we talked about AI obviously coming in. I think that's one. Is there are there any other hot topics or really important things that are happening right now and into the future? So indeed, we need to be more and more efficient. What does it mean here? We need more and more to face audio messages okay.

00;54;08;15 - 00;54;37;08
Speaker
So audio is a key because now, most of the time no audio is being asked to be recorded. So, it means that you need to understand audio and you need to type what you guys said, and you have sometimes some bad qualities of, of audio. So, the goal here is, to improve that. So, because here we only talk in English and in us of course we it's easy.

00;54;37;14 - 00;55;06;05
Speaker
But imagine on international you have a guy talking German, talking Russian, talking Ukrainian. The difference between Ukrainian and Russian. So indeed, you need to bring, I would say, more and more AI, artificial intelligence. And yes, here it's useful to detect the language to bring, this I would say some speech to text. So, to transcript the voice on the, on the, inviting.

00;55;06;11 - 00;55;34;19
Speaker
But the problem is when you use slang, when you use some expression, the transcription would be bad. So, what's the value in front of a jury, you, see? So, yes, we will have to face the challenges very soon. We have to face more and more I would say document. So optical recognition is key. So, OCR, we will need also to more and more to I would say to mix all the digital evidence.

00;55;34;27 - 00;56;00;08
Speaker
So, you have you could have 10, 20 phones altogether, 1 or 2 computers and bring something that could tell you a story. Okay. And this is, would say the future also because, now we have so much data in the different phones. But to build the story is taking a lot of time, and it's a lot of resources.

00;56;00;10 - 00;56;16;20
Speaker
It's very interesting you say that. I've heard many different experts say this about building a story and telling a story with their evidence. And I think it's a very important point. It's a theme that's been coming up over and over. Let me ask you about research. You mentioned that your team does research, and you investigate things and that sort of thing.

00;56;16;23 - 00;56;40;13
Speaker
Do you actually do research, affiliated with maybe, universities or with PhD students and things like this, or is this all internal research? And can you talk about some of the projects you might have going on? So, I can give you, for instance, an example, a very concrete example. I'm making some, some research today and a few days ago about a UFO.

00;56;40;16 - 00;57;11;26
Speaker
Okay. What's the occasion that that we could retrieve and how we could interpret it correctly. What does it mean here? It means that, okay, I want to go there. I'm going to go with the. Does it mean that I reach my destination? Not sure. Okay. I can stop before. Remember we go to quote. Is it. So, this is an example of our research to see okay how can I interpret correctly the data okay if I because in the database I have the destination.

00;57;12;03 - 00;57;39;28
Speaker
But does it mean that I really went to the destination. So, this is an example of our research. And it can be, we can talk about location artifact. Also, location artifact is always a challenge because, you have a lot of, I give you an example, you get out of the plane, you are in flight mode, and then if you switch on your phone, indeed, the phone thinks you are where you were in the.

00;57;39;28 - 00;58;02;14
Speaker
When you begin your journey, what does it mean here? You will have fake, location artifact. So, the location will be pure shit. Sorry to be rude, but indeed, you need to anticipate that. So, this is an example of, the different research we made. Excellent. Hey, could I show your LinkedIn profile here just in case people wanted to get a hold of you or ask you any questions?

00;58;02;16 - 00;58;20;25
Speaker
Of course. I just let me just bring it up here. Right. So here it is, Jean-Philippe. So, you can, folks, if you're interested. He is on LinkedIn, so you can contact him there. He does work with Cellebrite. And I think you can probably find him online, too. So, yeah. So, my last question is, what is next for you?

00;58;20;25 - 00;58;38;13
Speaker
I mean, you've been, Cellebrite. You've been doing this in this area for a while. You're teaching, you're working on cases, you're doing research. So what? Looking ahead for you and your career and where you want to go. What what's your direction from here? To be honest, I love my job now. Really? I still have a passion.

00;58;38;15 - 00;59;03;15
Speaker
You know, because I am searching for every day. I am finding new artifacts. Every day. I'm finding new methods every day. To be honest, I am never getting bored. I woke up every day saying thank God to bring me such a passion and to move forward. So really, for now, I want to continue. What am I doing?

00;59;03;19 - 00;59;23;22
Speaker
So of course I can do more case I can bring, I can make more research. I can assist, different person in setup. Right. I'm gonna see some agencies, but really, I am living a passion, so it's not a constraint. I want to be strong enough to be able to continue to work 16 hours a day. Like, how am I doing?

00;59;23;22 - 00;59;37;01
Speaker
To be honest? Excellent. Well, I couldn't have said it better myself. I feel the same way about the work I do, but it's nice to see that there's people that are passionate and blessed with, with what their, what they're doing. I had a friend once who used to say, you know, I have the best job in the world.

00;59;37;01 - 00;59;50;13
Speaker
You know what I mean? And same thing every day would go out and was inspired to do some things and, and you can tell I saw your presentation. I could see that you were a person that was very passionate about your work. You're very deep into what you do. So, yeah, I'm, I was very fortunate to meet you.

00;59;50;13 - 01;00;09;06
Speaker
I'm very glad that we got the opportunity to talk here. I thank you so much for taking time and speaking to me and doing this interview and educating us. So, yeah, look, a big thank you. And what can I say? I hope we catch up again. Maybe, maybe another time. Yeah. Or whatever. Or if you come to Europe, peace.

01;00;09;11 - 01;00;23;16
Speaker
You know, we can meet, you know, we are in the middle of Europe, so, it will be my pleasure to welcome you as a thank you. So many. Awesome. Yes, I've been to Monaco before. It's beautiful. And we were doing our Southern France tour and with my family, and we passed through it just for a day.

01;00;23;16 - 01;00;37;16
Speaker
Drove there a beautiful place, a great to see a lot of things. So, yeah. I hope we see you again. Hey, do me a favor. Just hang back. I'm going to just do some closing comments, and then, I'll chat with you on the. Just in a few minutes. Oh, of course, no problem. All right. Thank you.

01;00;37;22 - 01;00;38;12
Speaker
Bye.

01;00;38;12 - 01;00;51;21
Speaker
Okay, everyone, that does it for this one. I want to thank everyone for their comments and everything else. Answered some, interesting questions, some new things we learned today, which is wonderful. Always like to learn from other people and experts from around the world. So summer is going to be here.

01;00;51;21 - 01;00;55;27
Speaker
I'm going to try to squeeze maybe another 1 or 2 of these in for the forensics talks program.

01;00;56;04 - 01;01;10;25
Speaker
And then there's going to be a little short break, but then we'll be we will be back to it, near the end of August and September. I want to thank everybody. Happy 4th of July. I know many of you are watching this while you're on vacation, or maybe having a barbecue or something like that. So, I appreciate you, joining us for this.

01;01;10;25 - 01;01;14;28
Speaker
So, hey, folks, we'll see you soon. All the best. Happy Thursday. Bye.



