DARWINISM VIAFORENSICS

31 March 2019

Bill DeanSenior Manager, LBMC Information Security

CCE

People Make Dumb Decisions with Today’s Technology

AGENDA

DARWINISM VIAFORENSICS

Digital Forensics Basics

Applicable Case Studies

Pro-Tips Along the Way

This Will Not Be Boring

DIGITAL FORENSICS BASICS

Recovering/Analyzing Deleted Information

Keyword Searching

Digital Communications

Internet Activities

Pictures/Movies

File Activity

External Storage Usage

Metadata/EXIF Data

Application Execution Histories

Anti-Forensics Efforts

TECHNOLOGIES WE ANALYZE

Computers

Servers

Memory

Mobile Devices

Cloud Storage

Removable Media

GPS Devices

Watches/FitBits

DELETED INFORMATION

DELETED INFORMATION

KEYWORD SEARCHINGValuable..But Boring

Very Flexible

• Operators (and, or, not)

• Proximity (plum w/5 pear)

Stemming

Fuzzy

Synonym

COMMUNICATIONSConventional Email

Webmail (Gmail, Hotmail, etc.)

Associated Attachments

Social Network Communications

We will discuss TXT messaging later

INTERNET HISTORIESTells a Story

We Know What You Are Thinking

Google Keeps Your Search Histories (and more)

We Recover Deleted Internet Histories

We Don’t Care Which Browser You Use

FACEBOOK CHATSSuspected Affair

Suspect Learned About Investigation

• Cleared All Chat Histories

• Deleted Internet Histories

Didn’t Matter

282 Facebook Chat Messages Recovered

Exactly What Was Suspected

EMPLOYMENT MATTERWorkplace Injury

“Diminished Quality of Life”

Internet Research

• Condition Symptoms

• Workers’ Compensation Calculators

• Computer Forensics

Personal Pictures

• Vacations

• Orange/White Game

• Lake Activities

FILE ACTIVITYCreation

Modification

Accessed

Deleted

Opened

• From Where

EXTERNAL STORAGE USAGEWe Know Every USB Device Used

• USB Storage

• Mobile Phones

• GPS Devices

• Anything Else

First and Last Times Used

• Sometimes Each time

• And How Long

Model and Serial Number

EXAMPLE

EXAMPLE

INTELLECTUAL PROPERTY THEFT12/22 – Employee Resigned from Company

12/02 – Google Search for “Is ____ a good company to work for?”

12/10 – Copied “Projects” Folder to Desktop

Folder Contained 5000+ Proprietary Designs

INTELLECTUAL PROPERTY THEFT

12/22 @ 1:10AM – Laptop was powered on

12/02 @ 1:11AM – Laptop recognized USB drive

12/22 @ 1:13 – The “Projects” folder was moved to USB

12/22 @ 2:03 – Laptop was powered off

APPLICATION EXECUTIONSWe know the first execution date/time

We know the last execution date/time

We know how many executions

We know what user executed the application

“EASY” TRADE SECRET THEFTEmployee Resigned on May 6, 201x

Google Query “How do I link another email account to Gmail if that other account uses IMAP?”

Copied sensitive information to USB

DropBox installed March 3, 201x

DropBox uninstalled May 6, 201x

“EASY” TRADE SECRET THEFT

“EASY” TRADE SECRET THEFT

“EASY” TRADE SECRET THEFT

DROPBOX ≠ “EASY” TRADE SECRET THEFTAnalysis of home machine

Business secrets “synchronized”

Copied sensitive information to USB

Copied to USB drive on May 7, 201x

DropBox uninstalled May 6, 201x

METADATA/EXIF DATA “Information about Information”

• Dates of Creation or Access

• Authors

• Prior Histories

• Editing Histories

• Printing

Email

Spreadsheets

Office Documents

Pictures

METADATA CASE STUDY #1

METADATA CASE STUDY #1

METADATA CASE STUDY #2

IMAGES – EXIF DATA

IMAGES – EXIF DATA

IMAGES – EXIF DATA

ANTI-FORENSICS EFFORTSEffort to Conceal/Destroy

Most Often Noticeable

Special Programs

System Utilities

ANTI-FORENSICS CASE STUDY

ANTI-FORENSICS CASE STUDY

KLUMB VS. GOANYoung Attorney Marries Established Businessman

We Need to “Monitor” the Children

Speculation of a “Plan”

http://www.goklg.com/2012/08/01/ex-spouse-hit-with-20k-in-damages-for-email-eavesdropping-klumb-v-goan/

KLUMB VS. GOAN

DIVORCE GRAND SCHEMEAll Computers Involved

Hundreds of YahooMail! Emails Recovered

Discrepancies of Emails Produced in Discovery

“I don’t have a USB drive”

Conflicting Antenuptual Agreements

http://cyb3rcrim3.blogspot.com/2012/08/eblaster-wiretapping-and-prenup.html

RUTHLESS BUSINESS PARTNERCompany Ownership Split

Competing Company Knew “Everything”

Thought Offices Were Bugged

TRIPLE CROWN WINNER11/10 – Employee Dismissed (All Access Not Removed)

1/24 – Someone Connected and “Cracked” Passwords

1/25 – Someone Installed Remote Control Software

• Began Accessing Sensitive Computers

• Began Accessing CCTV Systems

• Accessed Sensitive Information

TRIPLE CROWN WINNER2/20 – Connected to Computer

• Recovered Passwords

• Accessed Email of

–IT Director

–Purchasing Manager

Placed Online Orders

Searched for More Credit Card Info

iMESSAGE SYNC = $ DIVORCESuspected Affair

iMessage Communications

Borrowed Son’s iPad

Entire Conversation Synced

iMESSAGE SYNC = $ DIVORCE

QUESTIONS?

ANY QUESTIONS?

BDean@LBMC.com

(865) 862-3051

Bill DeanSenior Manager