The AI Conversation I've Been Avoiding

Welcome to 13 cubed. This episode is going to be a bit different than most because it's completely unscripted and it's just an opportunity for me to talk to you about AI. Yes, I know we're all sick of hearing about AI, but I have some things that have kept me up at night that I really want to just sit down and talk about. So, I would highly encourage you to interact with this video in the comments below if you're so inclined. I also wanted to say that if you're watching this and you're new to digital forensics or considering entering the field, please stick around because I've got some important thoughts to share with you at the end of this video. Now, I do have some loose notes here on my phone so I can stay on topic. And the

first thing I want to talk about is the current state of AI and we'll start with public models. Let's talk about how I use public models for work because yes, on occasion I do use public models for work. We're talking about models from open AI, from Nfrontic or Google or XAI, things like that. So, let me give you an example. Just the other day I was investigating a compromised Linux appliance and on that appliance I encountered a database format that I'd never heard of before. So, what I wanted to do was install this database software within an Ubuntu 24. 04 instance in WSL2. I then wanted to mount the disk image from the appliance, attach the database to it, and then query the database. A pretty logical thing that you would want to do, right? Well, again, not having any context or knowing anything about this database format, I went to Claude and I described the database and I said, "Here's what I'm trying to do. " I didn't give it any details about the investigation itself, but just that I wanted to query the database and I asked it to prompt me every step of the way and while it took about 45 minutes, it worked and I was able to actually have the end result of being able to query the data. But again, I didn't share any details about the investigation itself. And that's in another example, I had some unstructured but very important data that I pulled out with strings and various other methods and I needed to take that unstructured data and turn it into a presentable CSV with, I think it was three or four columns and I needed to be sorted and deduplicated and so on. Now, I could have done that manually with grep, sed, awk, cut, and various other tools and it might have taken me 20 or 30 minutes, but I needed this now. In fact, someone was waiting on the data. So, I asked for a bash script that would do that for me. I just described, you know, the type of data it was and, you know, go look for this particular field name and then extract out the data or whatever the case may be. And sure enough, within a few seconds I had a script, I ran it, it worked perfectly. And once again, I did not provide any details about the investigation to the public model. And that's important. So, if you are using public models for work, I would advise you to use them in that way. Be very, very careful and please do not make the assumption that even if you have a plus plan or a pro plan or whatever they're called for the various models, don't make the assumption that just because you have that, your data is somehow more safe and protected versus using a free plan or something like that. Trust me, these models are training on your data and if you start providing company secrets and sensitive information to those models, you're going to have what I like to call an RGE or a resume generating event. That's a fancy way of saying you'll be out of a job. So, please don't do that and use these public models responsibly if you use them at all. Now, the other thing I want to talk about is how I use them for 13 cubed. And I'll give you a couple of examples here. Let me tell you first though, I do not use any LLM to generate graphics. For years now, I've had two graphic designers for 13 cubed to create motion graphics, they can do blender animations, they can do after effects, they can create thumbnails, all these different things and I pay these human beings to do this because their work is awesome and it fits my vision of what I'm trying to do for 13 cubed. Yes, I'm sure I could use some kind of AI to generate these graphics for me and it would probably look terrible like any other AI generated graphic and that's just not something I'm interested in. I think that humans are better at being creative and I'd rather pay a human being to do that versus using an LLM. Now, here's what I do use them for in terms of 13 cubed work. Maybe I'll ask it to create the stub of a script, something that'll get me half of the way there and then I can take that script for my video and add my own flair and kind of fix it up and do my own thing. And, you know, it'll help, it'll get me most of the way there or at least in some cases half of the way there. — [snorts] — Or maybe I have, let's say, a paragraph of text and I need some bullet points to put on screen so that I can go through and list some things when you're watching the video. And maybe I feed the LLM that paragraph of text and say, "Give me five bullet points that summarize this text. " Again, perfect use for an LLM. And again, I've used those exact use cases multiple times for 13 cubed.

Let's talk about local models. Now, behind me I'm fortunate enough to have an M3 Ultra Mac Studio with 512 gigs of RAM, which is pretty insane. There's a video on the channel from a few months ago called, I think it's AI versus Windows forensics or something like that, where I used local models on this machine. And, you know, since then I played around with them a bit and asked various forensic questions and it's been hit or miss to be honest with you. It's confidently told me things confidently that are completely false because it's conflated how various artifacts work and it's basically told me one thing that's true about one artifact as being true about another artifact and things like that are just completely wrong. And in other cases it's been spot on, but it's very, very hit or miss. So, would I trust it? No. However, if you're watching this and you do want to use AI to draw investigative conclusions or to actually analyze sensitive data, the only option you have is a local model for sure. Please do not use a public model for something like that if you're feeding it sensitive data. Even then though, as I said, and we'll talk more about this in a minute, I really think that AI is best at parsing data and helping you, you know, maybe with the basics of analysis, but not a full-on investigation. Okay, let's talk about DF/IR

tools with AI built in because there are a lot entering the marketplace. Now, if we're talking about a commercial tool or something from, you know, Magnet Forensics or Exterro or something like that, um, or something from Basis Technology, places like that, sure, I would trust it as long as I have the ability to turn that feature off. In fact, it should be off by default. And if I want to turn on some sort of AI assisted data parsing, that's great. What I do not want the tool to do is to investigate for me because I simply don't trust it. Maybe there are some tools where that capability is built in and you can turn that on if you want to, but as for me, no, thank you. What I would like to do is leverage LLMs and AI to speed up the parsing of data, but let me perform the analysis. However, if you are hell-bent on letting an AI perform an analysis for you, let me give you a piece of advice. Perform an analysis yourself first and make sure you have the skill set to do so. And then if you want to ask these local tools, these local models running in local tools, to, you know, come up with an investigative conclusion itself and see if it matches what you found, sure, why not? But don't do the opposite. Don't let the tool tell you what it thinks happened and then go and try to do the investigation because what you're going to do is end up with something called confirmation bias where you're looking for things to support the conclusions that were drawn by the AI tool. And that's going to throw you off. So, be really careful. Again, my key takeaway here is that if you're going to use AI at all, use it to speed up the parsing of data, the slicing and dicing of data, but not the analysis.

The other thing I want to talk about here is vibe coding. Now, I know that there have been a slew of tools that have entered the open source arena in terms of vibe coding, you know, AI tools. You'll have someone, for example, that wants to go through and have a tool that does everything in one go instead of having to run multiple tools. They want a single tool that will do all the things for them and give them the results that they're after. And there's nothing wrong with wanting that. I think that's great. I mean, who wouldn't want to simplify their workflow? All I'm saying here is that you should be really, really careful with these vibe coded tools. Now, if it's something like a wrapper that wraps an existing tool and just helps run that tool and automate it, which there's an upcoming 13 cubed episode that's all about that, that's fine. But if it's a tool that's performing analysis of data and it's been created by some sort of vibe coding method, you know, for a one-off thing, I would just caution you to be really, really careful. Consider the fact that the forensic tools that we rely upon in the industry, like the Zimmerman tools, consider the fact that those tools are used globally, around the world. They have thousands, tens of thousands of people using these tools. They are scrutinized, they are well-trusted and vetted by the community over years of use versus some tool that an AI spit out in a few seconds that's supposed to parse data. That may very well end you up in hot water if it gives you a false positive or a false negative or something like that. So, just be really, really careful if you're using vibe coded AI tools. Always trust, but verify.

And then the last thing I wanted to talk about here was people who maybe entering the field. If you're new to digital forensics or considering entering the field. First off, you should. It's an awesome field. And I will also tell you that you should learn AI. I'm not telling you to ignore AI. You will fall behind in your career if you don't understand how these models work. So, I'm not telling you that, but what I am telling you is there are no shortcuts here. I'm sorry, but there's no Staples easy button that you press and it performs an investigation for you. And even if there were such a thing that supposedly exists, would I trust it? Hell, no. I would not. I think AI is best at parsing this data and helping us with maybe some basic analysis, but not performing a full-on investigation. There just simply are no shortcuts. You as person in digital forensics need to understand at a very in-depth level how artifacts work, how the operating system works. And you also need to understand how to be an investigator. Remember the Alexu principle that we talk about in 13 Cubed courses. Need to understand how to ask the right questions and how to get the data to be able to answer those questions and how to interpret that data. Those things are absolutely critical skills and you need to learn them. There are no shortcuts. So, if you're in a college class right now or if you're taking some online forensics course, shout out to training. 13cubed. com by the way, just make sure that you are learning all of those core concepts. Do not skip them because some AI tool does it for you. Even in investigating Windows endpoints, we go down into the hex level in the MFT and actually show you how to manually parse data in the MFT by looking at a hex dump, by looking at actual hexadecimal and being able to pull out timestamps and things like that. These things are critical. While you may not need to do that on an average case, just knowing how these things work behind the scenes and under the hood is critical. If you're coming into an investigation and you don't have that knowledge and you're using some AI powered tool to press a button and draw conclusions, this is going to lead to really bad things happening. I can see it now. This is the kind of thing that keeps me up at night. So, please understand that there is no shortcut here. You've got to learn these fundamentals and how to be an investigator. The other thing, too, that I'll briefly mention is that I think that AI is never going to replace human intuition. You know, sometimes when you're working an investigation and you've got that itch that you just can't scratch, you've got like something that's bothering you and you can't quite figure out what it is. Well, that's the kind of thing, that intuition or that premonition where you've got something doesn't feel right. Those things, I'm sorry, but AI can't replace that. I'll give you a quick anecdote here. There's a person I work with in my job. Obviously, I'm not going to name who he is, but years ago he told me that he ran across this really, really weird edge case when investigating this particular forensic artifact. It was something he had never seen before and he filed it away in his brain and years later, again, he hadn't seen it in the real world until that point years ago, but years later, fast forward and he sees that exact same thing happen. And he's like, "Wait a minute. I remember this. That's something I encountered years ago and I remember specifically encountering that and filing it away up here. " Well, it turned out that thing that he had found led to one of the largest investigations that we have ever worked and it was absolutely critical. Obviously, I can't go into any details about what it was, but my whole point here is to say that human intuition and that human element is something that an LLM is just simply not going to replace. So, and maybe I'm just being overly optimistic, but I think our jobs, at least for now, as forensic investigators are safe, but like I said, on the flip side of the coin, AI is not going anywhere. It may look completely different when the dust settles, but it's not going anywhere. You need to learn it, but just be careful in how you use AI and just know that you've got to learn those in-depth things and you know, also don't let your skill set dwindle or go to waste because you start leveraging AI tools and you forget how to do some of these things. That's another thing that worries me. Anyway, sorry to ramble on, but those are the thoughts that I had written down here, the things that keep me up at night and I wanted to share it with you. So, feel free in the comments below to leave your thoughts and interact with this video. If you haven't already, check out training. 13cubed. com. In my opinion, we have some of the best digital forensics training around. It's cross-platform, Windows, Linux and macOS. It's affordable. Certification attempts are included. Everything you need is in one place, so be sure to check that out. If you haven't already and you want to support this channel, please do consider subscribing. It really helps us out and I would love to stick a 13 Cubed YouTube silver play button or whatever it's called on the wall at some point. So, please subscribe if you haven't already. And that's it. Thanks for watching and I will see you in the next 13 Cubed episode.