DARWINISM VIA FORENSICS
31 March 2019
Bill Dean, Senior Manager, LBMC Information Security
CCE
People Make Dumb Decisions with Today’s Technology
AGENDA
DARWINISM VIA FORENSICS
Digital Forensics Basics
Applicable Case Studies
Pro-Tips Along the Way
This Will Not Be Boring
DIGITAL FORENSICS BASICS
Recovering/Analyzing Deleted Information
Keyword Searching
Digital Communications
Internet Activities
Pictures/Movies
File Activity
External Storage Usage
Metadata/EXIF Data
Application Execution Histories
Anti-Forensics Efforts
TECHNOLOGIES WE ANALYZE
Computers
Servers
Memory
Mobile Devices
Cloud Storage
Removable Media
GPS Devices
Watches/FitBits
DELETED INFORMATION
KEYWORD SEARCHING
Valuable, But Boring
Very Flexible
• Operators (and, or, not)
• Proximity (plum w/5 pear)
Stemming
Fuzzy
Synonym
COMMUNICATIONS
Conventional Email
Webmail (Gmail, Hotmail, etc.)
Associated Attachments
Social Network Communications
We will discuss TXT messaging later
INTERNET HISTORIES
Tells a Story
We Know What You Are Thinking
Google Keeps Your Search Histories (and more)
We Recover Deleted Internet Histories
We Don’t Care Which Browser You Use
FACEBOOK CHATS
Suspected Affair
Suspect Learned About Investigation
• Cleared All Chat Histories
• Deleted Internet Histories
Didn’t Matter
282 Facebook Chat Messages Recovered
Exactly What Was Suspected
EMPLOYMENT MATTER
Workplace Injury
“Diminished Quality of Life”
Internet Research
• Condition Symptoms
• Workers’ Compensation Calculators
• Computer Forensics
Personal Pictures
• Vacations
• Orange/White Game
• Lake Activities
FILE ACTIVITY
Creation
Modification
Accessed
Deleted
Opened
• From Where
EXTERNAL STORAGE USAGE
We Know Every USB Device Used
• USB Storage
• Mobile Phones
• GPS Devices
• Anything Else
First and Last Times Used
• Sometimes Each Time
• And How Long
Model and Serial Number
EXAMPLE
INTELLECTUAL PROPERTY THEFT
12/22 – Employee Resigned from Company
12/02 – Google Search for “Is ____ a good company to work for?”
12/10 – Copied “Projects” Folder to Desktop
Folder Contained 5000+ Proprietary Designs
INTELLECTUAL PROPERTY THEFT
12/22 @ 1:10AM – Laptop was powered on
12/02 @ 1:11AM – Laptop recognized USB drive
12/22 @ 1:13 – The “Projects” folder was moved to USB
12/22 @ 2:03 – Laptop was powered off
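The sequence above is what an examiner gets after merging artifacts from several sources into one timeline. As an added example (not code from the slides or from LBMC), the block below merges constructed records in the shape of that case, renders them the way the slide lists them, and flags a folder moved onto a removable volume shortly after that volume was connected. The year, the source names (event-log, setupapi, lnk) and the E: drive letter are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Artifact:
    """One timestamped record pulled from a single forensic source."""
    when: datetime
    source: str        # e.g. "event-log", "setupapi", "lnk"
    event: str         # normalised event name
    volume: str = ""   # drive letter involved, if any
    detail: str = ""   # free text, e.g. the folder name

# Constructed sample records modelled on the 12/22 sequence in the slides
# (the year, the source names and the E: drive letter are assumptions).
SAMPLE_ARTIFACTS = [
    Artifact(datetime(2018, 12, 22, 2, 3), "event-log", "power-off"),
    Artifact(datetime(2018, 12, 22, 1, 13), "lnk", "folder-move", "E:", "Projects"),
    Artifact(datetime(2018, 12, 22, 1, 10), "event-log", "power-on"),
    Artifact(datetime(2018, 12, 22, 1, 11), "setupapi", "usb-connect", "E:", "USB drive"),
    Artifact(datetime(2018, 12, 10, 9, 30), "lnk", "folder-copy", "C:", "Projects -> Desktop"),
]

def build_timeline(artifacts):
    """Merge records from every source into one chronological list."""
    return sorted(artifacts, key=lambda a: a.when)

def render(timeline):
    """Format the merged timeline the way the slide presents it."""
    return [f"{a.when:%m/%d @ %I:%M%p} - {a.event} {a.detail}".rstrip() for a in timeline]

def flag_usb_copies(timeline, window_minutes=30):
    """Pair each USB connection with folders moved onto that volume soon after."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for i, usb in enumerate(timeline):
        if usb.event != "usb-connect":
            continue
        for later in timeline[i + 1:]:
            if later.when - usb.when > window:
                break  # timeline is sorted, so nothing later can match
            if later.event == "folder-move" and later.volume == usb.volume:
                findings.append((usb, later))
    return findings

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_ARTIFACTS)
    print("\n".join(render(tl)))
    for usb, move in flag_usb_copies(tl):
        print(f"FLAG: {move.detail!r} moved to {usb.volume} shortly after USB connect")
```

The same merge-and-correlate step is what turns the separate power, USB and file records in the case into the single story the slide tells.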
APPLICATION EXECUTIONS
We know the first execution date/time
We know the last execution date/time
We know how many executions
We know what user executed the application
“EASY” TRADE SECRET THEFT
Employee Resigned on May 6, 201x
Google Query “How do I link another email account to Gmail if that other account uses IMAP?”
Copied sensitive information to USB
DropBox installed March 3, 201x
DropBox uninstalled May 6, 201x
“EASY” TRADE SECRET THEFT
DROPBOX ≠ “EASY” TRADE SECRET THEFT
Analysis of Home Machine
Business secrets “synchronized”
Copied sensitive information to USB
Copied to USB drive on May 7, 201x
DropBox uninstalled May 6, 201x
METADATA/EXIF DATA
“Information about Information”
• Dates of Creation or Access
• Authors
• Prior Histories
• Editing Histories
• Printing
Spreadsheets
Office Documents
Pictures
METADATA CASE STUDY #1
METADATA CASE STUDY #2
IMAGES – EXIF DATA
ANTI-FORENSICS EFFORTS
Effort to Conceal/Destroy
Most Often Noticeable
Special Programs
System Utilities
ANTI-FORENSICS CASE STUDY
KLUMB VS. GOAN
Young Attorney Marries Established Businessman
We Need to “Monitor” the Children
Speculation of a “Plan”
http://www.goklg.com/2012/08/01/ex-spouse-hit-with-20k-in-damages-for-email-eavesdropping-klumb-v-goan/
DIVORCE GRAND SCHEME
All Computers Involved
Hundreds of Yahoo! Mail Emails Recovered
Discrepancies of Emails Produced in Discovery
“I don’t have a USB drive”
Conflicting Antenuptial Agreements
http://cyb3rcrim3.blogspot.com/2012/08/eblaster-wiretapping-and-prenup.html
RUTHLESS BUSINESS PARTNER
Company Ownership Split
Competing Company Knew “Everything”
Thought Offices Were Bugged
TRIPLE CROWN WINNER
11/10 – Employee Dismissed (All Access Not Removed)
1/24 – Someone Connected and “Cracked” Passwords
1/25 – Someone Installed Remote Control Software
• Began Accessing Sensitive Computers
• Began Accessing CCTV Systems
• Accessed Sensitive Information
TRIPLE CROWN WINNER
2/20 – Connected to Computer
• Recovered Passwords
• Accessed Email of
– IT Director
– Purchasing Manager
Placed Online Orders
Searched for More Credit Card Info
iMESSAGE SYNC = $ DIVORCE
Suspected Affair
iMessage Communications
Borrowed Son’s iPad
Entire Conversation Synced