Forensic Fails: Shift + Delete Won't Help You Here

Video in TIB AV-Portal: Forensic Fails: Shift + Delete Won't Help You Here

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Forensic Fails illustrates the rather comedic attempts at "anti-forensics" by inept computer users trying to hide their tracks. We will recount real-life stories about folks whose level of hacker-mojo might aspire to 1337 status but falls a little short. This talk covers why and how these fails happened and illustrates the forensic artifacts and the techniques used to analyze them. Eric Robi (@ericrobi) is the founder of Elluma Discovery. He has been conducting forensic exams for 11 years and has served as a computer expert witness in Federal and State courts in matters involving computer hacking, trade secrets, murder, database forensics, email forgery, and electronic discovery. He has performed forensic examinations in many hundreds of cases. Eric has spoken multiple times at forensics conferences including CEIC and the Cybercrime Summit. He holds a CCE certification among other things, is an active participant in the EDRM (Electronic Discovery Reference Model), and helped publish a model for reducing the risk of confidential and private information dissemination. Michael Perklin is currently employed as a Senior Investigator within the Corporate Investigations department of an enterprise-class telecommunications firm. Throughout his career he has performed digital-forensic examinations on over a thousand devices and has processed petabytes of information for electronic discovery. Michael has spoken at security conferences internationally about a variety of topics including digital forensics, computer security, data hiding, and anti-forensics. Michael holds numerous security-related degrees, diplomas and certifications, is a member of the High Technology Crime Investigations Association, and is an avid information security nut who loves learning about new ways to break things.
Our talk is about forensic fails. I'm this guy over here. I founded a discovery company about 11 years ago. I'm a forensic examiner, I have done thousands and thousands of exams, I'm also an expert witness in state and federal court, etc., and I like cats. My name is Eric Robi. All right, about this other guy.

Hi, I'm Michael Perklin. You may remember me from other DEF CON talks such as ACL Steganography. I'm a forensic examiner, cybercrime investigator, security professional. I've done thousands of exams, and I like to break things a lot. Don't break my cat.
All right, so our agenda today: we have got seven amazing stories full of fail. We're going to learn something about forensic techniques, because that's what we do, and the fails today are brought to you by both the suspect and the examiner; we'll get into that in a little bit. The names have been changed to protect the idiots on both sides. We've actually changed some of the facts to protect the idiots; it seemed like a good thing to do. But because fail is not just one-dimensional, we found many dimensions of fail in our research, so we've decided we need to create a fail matrix to explain how the fail goes. I'm just going to explain how the fail matrix works. The first level of fail is the user retard level. Oh my god, I spelled that wrong. Drake, for the record, he was responsible for the keynote presentation, so this is definitely his fail. This is my fail, I get 10 points. All right, so the punishment level depends on what happened, so that particular guy lost the case. Dollars, distress caused, let's give this 15 points. And bonus points are just whatever I feel like doing: his girlfriend left him in this case, so he gets 35 points.

All right, so let's get into the first one. This is the "it wasn't me" defense; you may have heard this one before. We do a lot of commercial litigation, and a really typical kind of case is a trade secrets case, and this is a typical example of that. So this guy Bob, he was working in sales at Acme, and he resigned his position and decided to go work for a competitor. This happens all the time. Some allegations were made by his employer that he took some trade secrets; he took the customer list with him to his new company. It happens. So Bob says, "I got nothing to hide, come at me bro." He didn't exactly say that, but it sounded good; I'm paraphrasing. So we started imaging the drive and we started planning the examination. One thing we frequently do is we look for deleted files in unallocated space. Unallocated space is the part of the drive that can typically contain deleted files, so when you hit Shift+Delete and it doesn't go away, it ends up in unallocated space. So we will look for stuff there. Something we also do is we look for recently used files by common programs like Word, Excel, Acrobat and so forth, and we might look for USB device insertion. We're basically looking to see how trade secrets got from Acme over to the new company. Finally the drive finished imaging, and I'm actually going to share something really cool today. It's a DEF CON exclusive, worldwide premiere: we found a new wiping pattern. This is actually real, I'm not making this up, this is real. So, you know, Bob apparently had used some kind of data destruction program that can overwrite every bit of space in unallocated space. He used a pattern that, however, was not really commonly used by Windows or any other utility I've seen; it might have been something custom. So I thought, hmm, this might suggest something bad was happening here. Let's take another, closer look at this. We're going to zoom in; we're going to look at this on a molecular level. Now I think we need to zoom in a little bit more. So what have we learned?

I admit the first part was actually the second part; there was no Sarah Palin in this case. But data destruction can almost always be detected. Even if you don't use a repeating pattern, it's still detectable; we see it all the time. There are artifacts left behind that could be part of the pattern, or there are artifacts in the operating system itself. So we might not know what you've destroyed, but we'll definitely know you destroyed something. This is the mic, here you go. And also it doesn't work very well, and mean phrases make people just like you. What about your fail matrix? We've got to do the fail matrix. All right, 12, pretty retarded, I think. The guy lost the case, you got sued, under a hundred thousand dollars, so not a huge amount of economic distress, and I didn't really give him any bonus points here because it just wasn't that good. So he gets 27. It's already fail. I think we can blame that guy who gave me the beer.

All right, so this case was a lot of fun. I didn't expect it to be fun when I started out, but it ended up being a lot of fun. I call it the Nickelback guy; you'll see why in a second. It was another allegation of stolen confidential documents. This guy, let's call him John, he left one company to go work for a direct competitor, and his old company hired us to go in and take a look. Can we get audio for this, by the way? We're going to need audio for this segment, so if you could turn it on. So the company where he left, they asked us to take a look at his work computer to look for signs of data exfiltration. He worked on a lot of confidential projects and they just wanted to make sure that he wasn't taking these confidential projects to the competitor and letting them know what they were doing. Right, totally said all that. Why is this not working? There it is. We opened up the hard drive to start the analysis and we started finding all the same stuff that you
typically find on a work computer. There's some work stuff, sure; some evidence of Facebooking; he's got an MP3 collection, like listening to music while he's at work; typical stuff. We found the confidential documents that we were asked to make sure he didn't take, which was to be expected because he did the work on this computer. And almost immediately something jumped out at me, and we'll get into why it jumped out at me in a second, but his music collection became very interesting to me. Not because I love Nickelback, but because, well, again, we will get into this. That's a fail, yeah. And I'm Canadian too, so, yeah, Nickelback is from Canada. If you take a closer look at this photo, something may jump out at you as well. These are just MP3s, just songs, but the size of these files is a little bit off. What's wrong here? Yeah, the extended play Nickelback; this guy really loved his Nickelback. So these were actually a bunch of AVI files; these are just AVI files that he had renamed. So it seems John assumed that nobody would listen to his Nickelback MP3s, which is probably a good assumption because I don't think anybody would listen to his Nickelback MP3s, and he was hiding something. But what was he hiding?

Preggers porn. This guy had quite a big fetish for preggers porn. These were full-length feature films of pregnant ladies banging, and there were a ton of them all over this guy's hard drive. Now, we did have to analyze them to see what they were, but I will say that the specific techniques that we used to analyze them are trade secrets; I can't tell you how much depth we went into when we were analyzing them. But yeah, it seems John did a lot more than just work on his confidential project on that computer. So we had to tell the company that over the last three years, while he was working there on this confidential project, he was also doing other stuff. They were pretty happy that he left anyway.

All right, so what have we learned? Examiners, when we take a look at the files on a computer, we don't typically look at them within the nested folder structure. We don't have to go into every single subfolder, go back out, go into other subfolders, back out; we see it all in a big long list. It makes it a lot easier to analyze stuff. Also, one of the very first things that we always run is what's called a file signature analysis. This is a special script that looks at the contents of every file and compares what's inside the file with the extension, and if there are any discrepancies, those files are bumped up to the top of the list to be looked at, because the system knows that if these don't match, something may not be right here; a human should take a look at this. I just said those things. So at the end of the day, John's attempt at hiding his preggers porn actually made it bump up to the top of the list for me to take a look at. So if you're going to hide something, don't just change the file name. That doesn't hide something; that makes me want to look at it even more. All right, so the fail matrix. The user retard level, I would say 12, because again, renaming a file is not data hiding. If you want to do real data hiding you need to come to my ACL Steganography talk. Punishment level, 13: he lost his job, not only at the previous company where he left but at the new company where he landed; he lost his job there. Distress caused was zero; it didn't really hurt anybody. I mean, what you choose to do on your own time is up to you, although he chose to do it on work time with work stuff. What are the bonus points going to be for? Yeah, there's going to be some bonus points; I would say about a nickel's worth. A grand total of thirty fail points, all yours. That is the fail sound. Thank you, by the way. Do you like the font that we're using? Comic Sans. Can we get a round of applause for Comic Sans? Nobody uses Comic Sans, the most underappreciated font in presentations. I don't know why we don't see Comic Sans in more business settings. We're bringing it back. It's a new movement.

All right, so let's look at the "just bill me later" case. Our client, the ABC firm, they outsource a key part of their business; they've been doing it for many years, and the part of their business that they're outsourcing is on a time-and-materials basis. So there are a lot of invoices with hours and rates, and that's basically it. It was several million dollars a year on average that was being billed, and our client started a review project because they thought they were being overbilled. They thought there might be a little inflation, and they wanted to figure out why things were looking inflated. They looked at some of the individual bills and they thought things were taking a little bit too long. So we came in and we decided to help. They had thousands and thousands and thousands of PDF-format invoices. Now, that's not going to do us a lot of good; even if we OCR'd it, even if we apply optical character recognition to it, we've still got a lot of unstructured data. So I can search one or two PDFs, but when I've got tens of thousands of them it's really difficult to
do anything with that. So where did we start? We didn't have a lot of clues in this one, so through the magic of a court order we were able to go to this customer's network and get an image of everything in their network, including a billing database, which turned out to be very handy. So we made a forensic copy of this database, and it wasn't a proprietary format, and so in order for us to do forensic analysis on a database we need to be able to get it into something like SQL where we can do standard queries. So we migrated it over; we do standard queries and we're looking at it, but there's still no easy way to compare the PDF to the database. So we decided to reverse-engineer the tables in the database. Sometimes it's easy, but sometimes there are thousands and thousands of tables, and when you don't have tech support from the developers you just have to figure it out. So it's a really slow, laborious process, but we did figure it out. We noticed that the audit logs were turned on in this one, which happened to be particularly useful. So we ran a lot of queries, invoices versus time billed versus the audit logs, and we found there was sort of a pattern of inflation going on. Basically, when you're billing on time and materials, all you've got is either hours or a rate, and those are the two things that can get inflated; those are the two things you can change. You can change time or you can change the rate. We found the audit logs were turned off by default, and the IT folks, bless the IT folks, they turned the audit logs on, which was really, really, really helpful, because we do a lot of database forensics cases and this is the only one we've seen where the audit logs were turned on. So we were able to compare basically the amount that was billed at the end of the day versus how many hours were put on up to that point. We were able to see a chronology, so maybe at the end of the day the bill was for a thousand dollars, but we saw that it was only eight hundred dollars that was actually billed. So the billing person, the database person who basically was working with it, this person would change the hours and the rate sometimes and bump it up, so it went up from like eight hundred to a thousand dollars on a typical invoice. They did this thousands and thousands and thousands of times. So let's look at the fail matrix. I didn't give the user retard level too many points here, because it was a billing administrator; most people don't really know what's going on inside a database, most average people. However, they have to refund the money, so they get 18 points for that, over the last four or five years' worth of money. It was a lot of money, it was about 12 million dollars actually, so they got 15 points. I wish. And bonus points, yeah, systematic culture of overbilling. They got 45.

OK, this next one I call "smoking gun.txt". Now, if you work in the forensic arena you've probably heard the term "smoking gun.txt". It's the gag name of what you're always looking for in a case. It could be that record in a database, it could be that internet history record that shows that the guy really did something bad. It comes from the cheesy western movies where the murderer's gun is still smoking after he shot it; it proves that he was the one who fired the shot. So in forensics you're always saying, did you find the smoking gun? Yeah, found the smoking gun dot txt. Sometimes I wish it was as easy as finding a file named smokinggun.txt, but you can only wish. This is another intellectual property case. Again you've got a guy leaving one company to go work for another company, and the first company says, can you make sure he didn't do stupid? And we were called in to make sure that he didn't do stupid. So we imaged the drive, we kicked off our standard analysis scripts, like the file signature analysis script that I told you guys about before, and opened up his desktop folder. I always like to open up the desktop folder of every suspect that I'm examining, because you can tell a lot about the person when you're looking at the desktop. Did they cram a lot of files in there in an unorganized fashion, or maybe everything is neatly packed away in the My Documents folder, things like that; are they arranged nicely or is it just all smattered? It tells you a little bit about the person, so you can get a little insight into the mind of who they are. And immediately I solved the case. How did you do that? Well, this is the smoking gun.txt. It's almost as easy as this. So I opened up the Desktop folder and I saw this. I'm hoping you can see that in the back, but I'll read it out for you. You've got a folder on the desktop; you can see at the bottom left there, the folder is called "Competitive Intelligence", and inside that folder we've got a PowerPoint presentation titled "Blue / Project Blue Book". We've got some PDFs, we've got a whole bunch of stuff about this Project Blue Book that this guy was working on from his old company. He was getting ready to deliver this presentation to the executive leadership team of the new company, telling them everything about this confidential project from his old company. So yeah, he didn't make it difficult for me. Not only was all this stuff there, but he made a PowerPoint presentation describing it, to deliver all the knowledge for this to the... yeah, I just said that. Did we overbill for this? Maybe. We're not sure. That last client... part of me, I don't even remember; probably, why, they took 20 minutes, we probably just billed one hour. Michael, what have we learned in this case? Well, we learned that sometimes people don't even try. Fail matrix. All right, user retard level has got to be an 18. I mean, we could, but I'm sorry, we're saving the higher scores for some of the later stories. Yeah, so the numbers are going up, you may have noticed; so far each one's been going up. Yeah, you get an 18 for user retard level, because if you're going to be doing this, don't leave tracks all over your computer. I mean, sure, if you're going to say, oh, they're going to be launching this new thing in August next year, that's one thing to say to a person, but if you put together a whole presentation about the thing, that's fail. It's fail. Punishment level is a 10, because he had to settle; he was obviously in breach of his NDA from the old company, and it cost him 1.5 million in damages. So the distress caused is a six-pointer, and bonus points of 12 for effort. This all adds up to a fail matrix score of 46.

All right, next one. I hope you appreciate these amazing sound effects and video editing that I did. Hold on, we need to put the presentation on hold, I have a problem. Which one's mine? That one, on the left, in your left hand. Are you sure? Because I want the one that has more. The one with more is yours. Nice. We'll be taking questions later. All right, so the next one I call "hiding in the cloud". So once again a top sales guy leaves the company, and the sales just take a nosedive, actually, and they think he took the customer list, but they can't prove it. They know that there are new customers, they know that there are old customers over at the new company, but they can't prove that he's taken the customer list. So we imaged the computer and we started looking for the usual kinds of clues. For example, link files are a
Windows artifact that shows what files have been recently opened. They're a simple file and they're pretty easily parsed, and they've got a lot of information about the location of the file, the date and the time, all that kind of good stuff. We look at a registry key which, I just love the name of this, it makes absolutely no sense to me at all, but somebody at Microsoft maybe had a couple of these one day when they were working, called BagMRU. For some unknown reason, the MRU is "most recently used", but why "bag"? You guys are just full of great answers. So anyway, explain why it's named that, but it's still a messed-up name, BagMRU, come on. Anyway, so it's a registry key that can show user activity, and it can show what files are inside a folder, so that's one of the things that we look at typically in a data exfiltration case. Jump lists, which are... that's actually wrong, from Vista forward we've got jump lists, and if you're looking at your... that's a fail, that is a fail, that should say... I've got to take a drink. I just don't love Vista enough to put it in there. So anyway, jump lists are the thing on your taskbar; if you've got like five Word documents open and you click on it, you've got the five; those are jump lists basically. And IE history: Internet Explorer is so much more than just exploring the internet. It actually records things that you do without your knowledge, like opening files. But we're getting no love; I'm not finding anything. Show me the love, baby. He's having a beer. All right, so we searched the IE history and we found a .htm file that had some JavaScript in it pointing to FilesAnywhere. Who's familiar with that site? It's very much like Dropbox, the same kind of concept, but it's more for business users, so it's got a lot of really great auditing and logging and stuff like that. So when you're uploading and downloading files, you can basically monitor and track them and so forth. That turned out to be a very nice thing, because typically that's only in the user control panel, but we found this little .htm file with, ooh, and we solved the case. Timing fail, I'm sorry. Bingo, we solved the case. All right, so what we got was the account ID, the upload times, the file names, everything. We got some sweet loving; we got ourselves some stolen files. Let's look at this little actual bit of JavaScript here. I have changed the names of the files in this case, but we've got stolen file A, recipe for Coke, for example; you notice, minor trade secrets. The user is the user account name, so we were able to subpoena that from FilesAnywhere and figure out who actually registered the account. There is the folder that it was in, and this is really handy here, the date that it was uploaded. And we got a whole bunch of these; in fact, this is the first page of like an 80-page Excel report that I prepared, and these are all the file names that this guy uploaded. So yeah, the second part of the story is going to go back... another fail, which one do I drink from? Good answer.

All right, so the second part of the case: the opposing attorney, the guy representing the thief, handed us a CD with an Outlook PST on it, and this is part of the discovery process. Discovery is a legal term in litigation where both sides are able to exchange evidence; in fact they're compelled to exchange evidence through the rules of the court. So he gives us a CD and it's got an Outlook PST on it. The first thing we see is there's not a lot of files in there, and the first thing we do is we want to recover the deleted emails in a PST, because we're forensic analysts and that's what we like doing; we like looking at people's emails. So I'm going to show you the old-school way of recovering deleted emails. You use a hex editor, you crack open the PST and you change bytes 7 through 12, or 7 through 13, change them to zeros, save the file, then you use the Outlook repair tool, which is built in with Microsoft, and you basically repair the PST. What happens is you get a lot of emails back. Now these are not the actual emails, but you get tons and tons of emails back, and in fact in this case we got tens of thousands of deleted emails. And what was in these emails? Everything that completely turned the case around. So not only did we have this guy with all the uploads on those spreadsheets, we also had all the emails about who was involved, what lists he took, all the people that were involved. We were winning; we went to Charlie Sheen mode all of a sudden. And the funny thing is, we were able to take all this information into a deposition, and if you don't know what a deposition is, we get to ask questions of the opposing party. So we're asking them, what happened, did you guys steal anything, did you take anything? No. Now we start pulling out these emails one by one by one, and the guy turns white as a sheet and he spills the beans, and basically we do pretty well. So who deleted the emails, do you think, in this case? Hmm, call it out. Thank you, you know who. Wow, people got it almost immediately. They hired Saul Goodman, unfortunately, and yeah, he deleted the emails. Not a good thing. So what have we learned? The question was, did he claim privilege on the emails? He claimed privilege on some of them, but not on all of the 10,000 that he deleted. So IE history is actually really difficult to wipe; that's what we've learned. It seems to leave stuff behind. We found a new artifact, which is actually pretty cool, the FilesAnywhere JavaScript artifact; I haven't heard this discussed anywhere before, so I think it's kind of cool. JavaScript files can give us love too; we like them. And uploading files still leaves traces. So an attorney shouldn't mess with evidence; it's against the ethical rules in every state, and probably every Canadian province, and it can get you disbarred, actually. So let's look at the fail matrix. The user retard level is pretty damn high in this one. We've got fails on the attorney's part and also on the ex-sales guy. A huge lawsuit, three and a half million dollars in fees and damages, which our client all got back, basically, and 15 bonus points; the attorney might lose his license on this one. He hasn't yet; we don't know, we don't track that kind of stuff. 51, moving up. You ready? All right, let's do this, that's exciting.

This next case was probably one of the most fun cases that I've worked on. Right from the start I could tell that this was going to be a fun one. I call it the RDP bounce; you'll see why. I was called in to investigate a network breach. The company told us, and they shared some information with us, that was evidence that at least one computer had been breached. They didn't know why, they didn't know what, and they asked us to investigate and to tell them why and to tell them what it was. It's a large company; they
had a lot of computers all them were windows-based thousands upon thousands of computers in offices all across the world and in one of their offices they they noticed this computer had been breached so let's figure out what happened so we move in and actually think I'm just going to pause here for two seconds hey Eric is this your first time presenting at Def Con yes it is okay hi we don't even have to say anything anymore you guys know exactly what's going on Sarah yeah show yourself oh yeah mixed eric weiner let ya you sir is your name soon so bend over you're the ugliest Sarah ever finish that bale another soldier bites it does winning fall yeah there's some issue about the sound person uh no whatever is supposed to be the same impression you know I appreciate that too but she's not here come on up you're the next contestant on fail others oh you ready got one someone counted wrong your past 14 Sarah all right I'm sure all of you want to be Sarah right now alrighty Sarah Palin in the talks to our new speakers and to our new attendees oh thank you thank you shoot two more to this hour all right we got 15 minutes left so thank you very much goons for for doing that it's Eric's first time at Def Con so all right so I was talking with the rdp bounds case that I was those investigating now as I mentioned thousands of computers very various
offices all around the world so we analyzed the one computer that they knew it was breached and it showed that there were that our DP or remote desktop protocol this is the the tool that's built into Windows that allows you to remotely control another computer some logs showed us that our DP was used to connect using the local administrator password to to another machine it also showed that fact I said that backwards it show that our DP was used to connect in and also showed that our DP is used to connect out so in this little diagram here we're I was looking at the middle computer I didn't know at the time that there were other computers I was just looking at this middle one and it seemed that there were a bunch use in here so it was probably the tip of the iceberg where do you find these logs Michael specifically I was looking at the windows event log the the event viewer if you go into the control panel and then the administrator tools there's the Event Viewer tool by default it logs a lot of stuff in there including when our DP is used to connect in and when you're connecting out so I analyzed that the machine that came before it and same the same thing there were their logs that showed that something was connecting into that it was basically an entire bounce now these computers were located in different offices in all around the world this guy was bouncing all around the world to do something so obviously this is a pattern I still didn't know what he was doing I just knew that he was clearly going through a lot of trouble to up the skate his trail bouncing all around so that probably so that when he does his final target there's no direct evidence to to where he was coming from yes there were all sessions with incessant so he opens up a remote desktop and then within that remote desktop window he opens up another remote desktop to another machine and he just did this over and over it must have taken him hours because remote desktop is not the fastest protocol 
at all and so he must do like I don't know I don't want to speculate how long it took him to to do this um can you imagine how long the screen redraw was by the time you get to like machine town Jesus Christ you probably have to double click with like a minute in between clicks or something alright so what was the target so um I think you could not figure whatever did next rather than following the trail back I started following the trail forward what was he getting so a step after step computer after computer site after site after site all around the world I finally reached a high profile machine I i wish i could tell you which specific machine it was I can't because it would give away too much about this company did it have nickel back on it I did not have nickel back on it um yeah choppy his video ever for sure so once i reach this machine I knew exactly what he was going after he wanted highly confidential documents that were only on this one machine in the entire company and he obviously knew this and he wanted to get into this machine to get these documents so I focused my analysis on this target machine on this special confidential machine and I want to see what did they do specifically which files did they take one and it took me only about two minutes as I was analyzing this machine and I identified the attacker immediately now he went through all around the world and I finally when I was taking a look at his target within two minutes I found out who he was he use his own credentials on machine no he did not use his own credentials on the machine any other guesses emails himself nope he stole his own file nope he did not check facebook no no shared drives why did I tell you what he did Michael what did he do printers so one thing that a lot of people don't know about remote desktop is by default it maps the printer connected to your machine to the machine that you're connecting out to it does this so that when you hit print inside your remote desktop 
window your printer next to you is available so you can print a document beside you now this guy didn't print any documents but just by connecting the Machine automatically mapped his local printer to the target machine which identified his machine a machine name he forgot to turn this off there is a checkbox in remote desktop protocol when you open up the the RDP window unit options and then uncheck map printers to target machine is just a check box he did not uncheck it yeah what have we learned Michael well what have we learned log entries that are created by innocuous system events can give insight into user actions now he didn't map his printer the system did it automatically so sometimes just looking at what the system is doing can tell you what the user was doing for the fail matrix use a retard level would be about a 20 because he went through a lot of trouble to cover his tracks and he did not cover his tracks punishment level would be 15 he lost his job he also lost his recommences he can't use use that company as a reference anymore so distress calls would be eight bonus points would be 20 do some research if you're going to use rdp to pull off some kind of a scam know how r DP works adding it all up we got a fail star 63 now the last story here Eric all right so the less the last story is a little bit different than the others um this is the epic porno fail so the difference in this one is all the other cases we've talked about have either been commercial litigation civil litigation something on that side this one happens to be a criminal case and from time to time we do criminal defense work and we work either with public defenders or with private attorneys and so this is about this kind of situation so our client Edgar has been charged with possession of contraband aka child porn on his computer pretty unsavory stuff he claims innocence as usual and I kind of roll my eyes because everybody always claims innocence and you know ninety-eight percent of 
these people did it we examine the computer we looked at the examiner's report we looked at their allegations and let's take a look at them so they claim Edgar downloaded porn all right they claim that Edgar's user account had passwords this is all document in the report and they claim that Edgar utilized newsgroups to download porn like for real who uses these groups to download porn anybody anybody hand they had the web now I mean yeah newsgroups right so that guy I would believe alright so they they allege that he downloaded illegal porn and there is one thing to know just keep this in mind as we go through the talk he left his house in April 2012 his wife kicked him out because of all this you know stuff happening basically so April 2012 keep that in mind so let's look when we examine the computer let's see what we came up with so first we looked at IE history and as i mentioned before IE history is able to show you when a file has been opened so this is an actual example I've changed the file name a little bit here and what was the date that I just mentioned April 2012 okay I
see some dates here are these before or after April 2012 put up your hand if it's after yes so all right one fail here let's look at it as a peer-to-peer software download folder so in the top there I've got the the path where these naughty files were downloaded and it's a pretty typical path these PDP programs change the the file name to something long so it's like T dash something something something naughty file anyways I'm looking at the dates here again and Michael diva calendar is is give me a second here when is December it is after April after April okay it's after April okay just just wanted to check we need to verify our forensic findings before we can publish them so you know we're verifying oops I think he'll fail give me that beer alright so they also claimed that he used outlook express really to download porn outlook express this is 2012 remember folks makes you wonder did they even analyze this guy's machine where are they coming up with this stuff we saw records of p2p not Outlook Express outlook express all right in reality yes Outlook Express was on the machine set up with an account called porno lover okay it was set up after Edgar moved out of the house and only headers were downloaded no content so you mean by headers so a header is if you're using outlook express it is just the first part of the file the email it's going to have the date the sender the receiver maybe the subject line maybe the first couple words but there was no content there was no no photo is in there just headers with you know what middle teens in porno names so they also let's look at accusation number three they say his user account had a password in the inference is the only Edgar was able to access it because there was a password let's look at the passwords shall we maybe we can zoom in a little bit on this this is actually a really cool utility it's free it's called lcpl let's
go back to for one second here it's a free utility it's really great for looking and seeing if there are passwords you can also use it to perform an attack although it's not very good all right so more facts undiscovered by the examiner the p2p client was used to download porn that's the examiner didn't find that into a new user account called porno lover guess when after he moved out of the house so we submitted our report to the prosecutor it was like a 5 10 page report something like that and the government drops the charges years after they charge this guy they drop the charges this does not ever have early this is the first time I've done thousands of cases and while hundreds of hundreds of cases thousands of exams I don't know how many it's never happened before and this is after the guy spent a huge amount of money in legal costs so to do all this I just want to give a thank you Rob Lee and the sands anyone 80 Robley we use super timeline analysis to do a lot of this work super timeline is a really amazing piece of software that will basically go through the computer and look at all the computer-generated artifacts and put everything into a nice Connor chronological sequence for you so really awesome piece of software definitely one of the best piece of software yeah yeah so um the government interviews Edgar's friend the friend confess us the friend did it the friend was trying to get jiggy with Edgar's wife and he put the porn on the computer and the court clears Edgar's name they give them a finding of the actual innocence never happens yeah well I've had many people claim innocence and this guy actually claimed innocence and he really was yeah rarely happens I've been to court a couple times where there's been acquittals and we didn't go to court on this one fortunately but we would have so what do we learn bass your conclusions upon actual evidence find multiple artifacts backing up your allegations not and I don't know where the password thing came 
from tie it to a person not just a machine if possible try to look at user activity that would tie specific events to a person so remember the maximum you can get is 20 in any category however I've decided to break the rules a little bit for this one so examiner ineptness he gets five bonus points built-in right there oh yeah the guy sue the city for millions of dollars and you know there might be a job security issue for somebody in this case yeah I don't think that examiner is gonna really have a job footing and 100 bonus points because the for the court finds a suspect innocent so factually innocent with guys get soon