# 13Cubed AMA - Answering Your Questions!

## Metadata

- **Channel:** 13Cubed
- **YouTube:** https://www.youtube.com/watch?v=duz5BoZUly8
- **Date:** 01.12.2025
- **Duration:** 16:33
- **Views:** 1,251

## Description

In this special 13Cubed episode, I answer questions collected from the community!

*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***

#Forensics #DigitalForensics #DFIR #ComputerForensics

## Contents

### [0:00](https://www.youtube.com/watch?v=duz5BoZUly8) Segment 1 (00:00 - 05:00)

Welcome to 13Cubed. In this episode, we're going to be doing an AMA or Q&A where I answer your questions. Now, you may remember that as of this recording, within the past few weeks, I've been collecting questions through various social media channels such as YouTube, LinkedIn, X/Twitter, and various other platforms as well. And so, I took all of those questions and distilled them down into, I think, six to eight different questions that I'm going to go through and answer here. This is completely unscripted, so I'm just going to go through and tell you what I think as I answer your questions. So, we'll see how this goes. To get started, Brandon asks, "As a DFIR newbie, I've noticed malware running entirely in browsers to evade EDR. How can we prove in-browser payload execution when live memory capture isn't possible? And is browser forensics a broader industry blind spot?" Well, that's a very complicated question to get us started, but I think a very good question as well. Honestly, when dealing with browser-only malware, memory forensics are going to be your best bet. And if you do not have the ability to capture memory, then honestly, the only thing you're left with is capturing any on-disk artifacts that are present for that particular browser profile. So, in other words, capture the entire profile directory for the user of interest. And you know, as you mentioned, you're going to have things like, you know, cache and history and other browser-based artifacts therein, which might help you, but honestly, without memory forensics, you're going to be hard-pressed to perform an accurate investigation if you're dealing with browser-only malware. And to answer the second part of your question, I absolutely believe that it's an industry blind spot. I think a lot of investigators are left, you know, with their hands in the air without many ways to answer the question if you don't have memory.
Okay, next up, Brandt asks, "In this day and age, with all of the hype behind the AI uprising, do you feel that disk forensics will remain viable?" And I think the answer to that is absolutely yes. The second part of his question is, will there still be a need for digital forensics for the foreseeable future? And again, I think the answer is yes to that as well. Now, there was a 13Cubed episode that came out a little while back in which I used a large language model, I think it was DeepSeek in that case, to quiz it on various Windows forensics topics. And it did okay, but it conflated information where it would take something that was true about one artifact and then conflate it with something else that was kind of true and then make an assumption that it would confidently say was the case and it wasn't the case. So, you know, do I think that will get better in the future? Yes. But I think that we're not going to replace human intuition and the human investigator with AI, at least any time in the foreseeable future. I think there's always going to be a need for, you know, that human intuition, that human factor in processing evidence, and analyzing things. And even in some cases, you know, when you get that hunch where you're like, "This doesn't feel right or something is off here. I've seen this before. I remember a previous case and I think for that reason I'm going to dig a little deeper here." Well, that's the kind of thing that I feel like AI is not good at. But on the other side of the coin, if you're not leveraging AI or specifically LLMs to use what they're, you know, to do what they're good at, then I think you're missing out. Uh, for example, you know, if you needed a script really quickly to parse some data or if you needed the LLM to be able to crunch some data for you or perform some sort of complex search within a data set and bring back some information for you. That kind of thing is an excellent use of an LLM. You just have to be careful.
Please do not use public models to do that kind of information. I mentioned that in the previous episode, but you know, clearly you don't want to use ChatGPT or something like that and feed confidential information from your case into ChatGPT. Even if you have a paid account or, you know, a non-free account, I wouldn't recommend doing that at all. If you're going to do that kind of thing, then download a completely local and offline model and use something like LM Studio to run it completely locally without any internet connectivity. So, you know, again, leverage LLMs where they're good, you know, to automate mundane tasks or to do things that humans are not really good at, but I don't see them in, you know, replacing human investigators, at least not for the foreseeable future. And maybe this will age like milk and we'll all be out of a job and I'm completely wrong, but, you know, I don't think so in my opinion. By the way, this kind of leads into um a derivative question because I often get asked, you know, do I use AI in the creation of 13Cubed episodes or 13Cubed courses? And the answer is for some things, yes. For example

### [5:00](https://www.youtube.com/watch?v=duz5BoZUly8&t=300s) Segment 2 (05:00 - 10:00)

proofreading YouTube descriptions or proofreading lesson descriptions or coming up with title suggestions or, you know, maybe taking a list of questions and making sure that they're formatted correctly or taking a paragraph of text and generating bullet points that I can use for on-screen annotations or maybe even stubbing out the basic, you know, paragraph that would explain a particular topic and then I can at least have a starting point and go through and add my own touches to it. So yeah, I use it for that. But at 13Cubed, we hire real humans to do all things like graphic design and red team work when we need a quote-unquote bad guy to, you know, to interact with one of our systems and, you know, create a lab for us. We pay real human beings to do that that have backgrounds in graphic design and red team and blue team and all these different disciplines. And I think that's really important. Uh, I don't ever see us replacing those skills with AI. Again, use AI for what it's good at, for automating those things that humans don't want to do or aren't good at. Okay, next up, uh, we have Michael who asks, "What are your favorite tools for collaboration when doing digital forensics?" Well, to be honest with you, I don't have any. Um, I work for Microsoft as you guys know and we use Teams to collaborate obviously whether it's with external customers or with internal teams. So, for example, maybe we're engaged in a hunt. We might have a screen share session pulled up in Teams where someone's driving and then other people are looking and we'll go through and look at various forensic artifacts or try to answer key questions in a case. And maybe we'll have several people staring at the data together for learning purposes or just to be able to share insights with other people. But aside from that kind of collaboration, I don't really have experience using other tools.
If you guys do use other tools, of course, I'm open to learning about them, but really I keep it pretty simple. And next up, Idomar asks, "Any plans on releasing an advanced DFIR course or a cloud forensics course?" First, as far as an advanced DFIR course, not really because to be honest with you, we have four courses, right? At least as of the time I'm recording this. We have Investigating Windows Endpoints, Investigating Windows Memory, Investigating Linux Devices, and Investigating macOS Endpoints. And those four courses are all at least intermediate with many of the lessons in those courses encroaching into the advanced category. You could also take a course like Investigating Windows Endpoints, which was the first one that I created, and just realize that course has had, I would say, at least a dozen major updates since its release in early 2023. So, it's undergone all kinds of updates to add things that weren't even part of the original curriculum. And that's going to continue to be the case for all of the courses. We continue to keep them up to date and add new things. And really, I think that we have covered most of the advanced topics. If there's something in particular that's missing that you'd like to see covered in any of the courses, you can always reach out to info@3cubed.com and we'll be happy to take your suggestion and incorporate it into future plans. So, um, again, I think that we are covering that broad range. All of our courses are definitely beginner friendly and they all progress into at least intermediate and some beyond that into the advanced category. Uh, as far as cloud forensics, no, I do not have any plans at this time to create a cloud forensics course. Why? Well, one of the reasons is because I'm not a fan of cloud forensics. It's not my skill set. Uh, I'm more of an on-premises guy. But not only that, it would be extremely challenging.
Think about the two big players, Azure and AWS, and think about how often things get renamed or moved around in the portals or, you know, changed in terms of functionality. So if we were to create a cloud forensics course I would say that it would be within a year completely out of date. I like I just don't see any world in which it wouldn't be because again things move so quickly on the cloud side. Products get renamed, they get moved, it just it would be a nightmare, I feel like, to keep that course up to date. It would be quickly irrelevant, and I just don't see it being our bread and butter. So, hopefully that answers that question. Uh, Hackle asks, "What techniques do you use for recovering and analyzing data from damaged or deliberately wiped storage media? Besides carving, is there something else to do?" Well, I can tell you that the extent of my knowledge would be in file carving using commercial tools like X-Ways or free and open-source software like TestDisk and PhotoRec, which is amazing by the way. We covered TestDisk and PhotoRec, or really specifically PhotoRec, in the Investigating Windows Endpoints course, but that is an extremely powerful file carving tool that can carve all sorts of

### [10:00](https://www.youtube.com/watch?v=duz5BoZUly8&t=600s) Segment 3 (10:00 - 15:00)

files, not just photos despite its name. Now I will tell you that if someone has actually wiped solid state media, for example, properly wiped as in overwritten the data with zeros or random data, your chances of recovery are pretty much zero. It's just not going to happen. Uh, I know that in the hard drive days with magnetic storage media there have been research papers where people have been able to recover data even from wiped devices. But realistically, from a forensic investigative standpoint, if the data has been properly wiped, it's probably gone. Uh, otherwise, file carving is going to be my go-to. Now, if I do need some sort of actual data recovery beyond that, I have used DriveSavers in the past, which is a very large commercial uh company that does all sorts of advanced recovery techniques. They can actually disassemble hard drives and solid state drives in clean rooms and, you know, actually recover data in some cases using that method. But of course that's extremely expensive and would be a rare case. Okay, next up we have multiple people asked where did 13Cubed come from, as in the name 13Cubed. All right. So, this I actually did an interview with The Security Noob, which is a blog, in which I talked about this, but essentially I think I was 13 years old and I was in high school teaching myself C, uh, as in ANSI C, not C++. And as part of that, I decided I wanted to write a BBS door game, which I called Xspace 2197. That's right, Xpace before there was a SpaceX. Maybe I should have trademarked the name, but the 2197 was supposed to be the year in which it took place. And I really modeled it after Trade Wars 2002, which was one of my favorite BBS door games. And I still love that game even today. And so in creating it, the universe was a 3D array that was 13 by 13 by 13, which is 13 cubed. And by the way, 13 cubed is 2197, which was the year I used for the game, Xpace 2197.
So when I created this company, I thought to myself, well, that seems like a great name to use. So first came the YouTube channel and then 13Cubed Studios, which is the company behind it. Uh, the first company, incidentally, that I created was called Tetrosoft Computers Incorporated. And that was a company that I created in 1996 straight out of high school which I ran for about 10 years. We created high-performance computer systems uh back in the day when the average computer was in the thousands of dollars and you had the profit margin available there. But, you know, we were using Nvidia products back with the Diamond Riva TNT products. And if you're old enough to remember all of those things before Nvidia was a household name. We were using their products and building those high-performance computers and then also that kind of transitioned into us doing service, networking, consulting, training for various companies and individuals as well in the northwest Georgia area, which is where I live and am from. Okay. Uh, next up we have multiple people who asked what hardware and software is involved in the creation of a 13Cubed episode or course. Well, I'm a firm believer in using the right tool for the job. And to that extent, I use Windows, Linux, and macOS nearly daily. I can tell you that I've been a Mac user for probably the last, I would say, 25 years. And that is the main platform I use for content creation. So all of the video editing and, you know, any kind of graphic design work that I do is going to be done specifically on the Mac Studio over here, which is an M3 Ultra Mac Studio with 512 gigs of RAM. I have a NAS that I built that's running TrueNAS SCALE uh which is of course uh using ZFS or OpenZFS and that's a Threadripper platform built in an HL15 chassis from 45Drives. I have about 160 terabytes of usable space um after the RAID-Z2 I think it is uh configuration that I have set up.
But uh aside from that I have a DFIR box that's an AMD 9950X3D uh CPU with 128 gigs of RAM and 2 TB of local storage there. And that's what I use as really just an RDP target. It's headless at this point. So, I RDP into that from Macs when I'm doing screen recording or creating content. And that's just the dedicated DFIR box where I've got all of the different disk and memory images throughout 13Cubed courses and things of that nature. So, uh yeah, I really just use a little bit of everything I would say, but certainly macOS is the main platform for the content creation part. Uh, prior to that, I did have a Threadripper Pro 7985WX

### [15:00](https://www.youtube.com/watch?v=duz5BoZUly8&t=900s) Segment 4 (15:00 - 16:00)

which is a 64-core beast with 256 gigs of RAM and uh I think it was a 4090 at the time. And that was an awesome system that I built. But the reality was it generated so much heat and took up a huge amount of space, just a huge volume of space, used a lot of power, and now I've replaced it with something that's literally this big, the Mac Studio, which sips power and is dead quiet. And um yeah, I just don't see any reason to go back. Uh, to be honest with you, I feel like Apple silicon is just a marvel of modern engineering, and I don't think anything else is even close. So that's what I use. And then lastly, Disruptor says, "Ronaldo or Messi?" Well, uh, since I don't follow golf, just kidding, I know it's not golf, but since I don't follow sports, uh, I had to ask my daughter, who is eight, by the way, and she says Ronaldo. So, that's going to be my answer. Ronaldo. All right. So, that's the end of the AMA/Q&A. If you found this information interesting or useful, then good. And if you want more questions to be answered, then please drop them in the comments of this video and maybe I'll make another one of these in the future. But this was just something fun I decided to do since a lot of people were reaching out asking these questions and I figured why not compile them into a short list and go through at least some of them. So again, I hope you found this information useful. Thanks for subscribing and as always, we really appreciate your support and I'll see you in the next 13Cubed episode.

---
*Source: https://ekstraktznaniy.ru/video/20315*