Darwinism via Forensics: People Make Dumb Decisions With Today's Technology
Bill Dean, CCE, Senior Manager, LBMC Information Security
February 7, 2017
Today's Agenda
• Digital Forensics Basics: How does it work?
• Applicable Case Studies: They really did that?
• "Pro" Tips Along the Way
• This Will Not Be Boring
Digital Forensics Basics
• Recovering/Analyzing Deleted Information
• Keyword Searching
• Digital Communications
• Internet Activities
• Pictures/Movies
• File Activity
• External Storage Usage
• Metadata/EXIF Data
• Application Execution Histories
• Anti-Forensics Efforts
Technologies We Analyze
• Computers
• Servers
• Memory
• Mobile Devices
• Cloud Storage
• Removable Media
• GPS Devices
• Watches/FitBits
Deleted Information
Keyword Searching
• Valuable, but boring
• Very flexible: operators (and, or, not), proximity (plum w/5 pear), stemming, fuzzy, synonym
Communications
• Conventional Email
• Webmail (Gmail, Hotmail, etc.)
• Associated Attachments
• Social Network Communications
• We will discuss TXT messaging later
Internet Histories
• Tells a Story
• We Know What You Are Thinking
• Google Keeps Your Search Histories (and more)
• We Recover Deleted Internet Histories
• We Don't Care Which Browser You Use
Facebook Chats
• Suspected Affair
• Suspect Learned About Investigation: cleared all chat histories, deleted internet histories
• Didn't Matter: 282 Facebook chat messages recovered, exactly what was suspected
Employment Matter
• Workplace Injury, "Diminished Quality of Life"
• Internet Research: condition symptoms, workers' compensation calculators, computer forensics
• Personal Pictures: vacations, Orange/White Game, lake activities
File Activity
• Creation
• Modification
• Accessed
• Deleted
• Opened (and from where)
External Storage Usage
• We Know Every USB Device Used: USB storage, mobile phones, GPS devices, anything else
• First and Last Times Used (sometimes each time, and how long)
• Model and Serial Number
Intellectual Property Theft
• 12/22 – Employee resigned from company
• 12/02 – Google search for "Is ____ a good company to work for?"
• 12/10 – Copied "Projects" folder to Desktop; folder contained 5000+ proprietary designs
Intellectual Property Theft
• 12/22 @ 1:10 AM – Laptop was powered on
• 12/02 @ 1:11 AM – Laptop recognized USB drive
• 12/22 @ 1:13 – The "Projects" folder was moved to USB
• 12/22 @ 2:03 – Laptop was powered off
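As an added illustration (not part of the presentation), the kind of timeline shown above can be reconstructed by merging the separate artifacts (power events, USB device history, file activity) into one ordered list and flagging file operations that occur shortly after a USB device connects; the timestamps, paths and device serial below are constructed placeholders, not case data:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    when: datetime
    source: str   # which artifact the fact came from
    detail: str

# Constructed sample artifacts modelled on the slide timeline; not real case data.
# Device name and serial are placeholders.
POWER_EVENTS = [("2016-12-22 01:10", "on"), ("2016-12-22 02:03", "off")]
USB_EVENTS = [("2016-12-22 01:11", "USB Flash Drive", "SERIAL-PLACEHOLDER")]
FILE_EVENTS = [
    ("2016-12-10 14:32", "copied", "C:\\Users\\jdoe\\Desktop\\Projects"),
    ("2016-12-22 01:13", "moved", "E:\\Projects"),
]

def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def build_timeline() -> list[Event]:
    """Merge power, USB and file artifacts into one chronological list."""
    events = [Event(parse(t), "power", f"laptop powered {s}") for t, s in POWER_EVENTS]
    events += [Event(parse(t), "usb", f"{m} serial={sn} connected") for t, m, sn in USB_EVENTS]
    events += [Event(parse(t), "file", f"{a} {p}") for t, a, p in FILE_EVENTS]
    return sorted(events, key=lambda e: e.when)

def file_ops_near_usb(timeline: list[Event], window=timedelta(minutes=30)) -> list[Event]:
    """File events within `window` after a USB connection, cut short if the
    machine is powered off first: the pattern the case study describes."""
    flagged = []
    for usb in (e for e in timeline if e.source == "usb"):
        cutoff = usb.when + window
        for e in timeline:  # a shutdown inside the window ends it early
            if e.source == "power" and e.detail.endswith("off") and usb.when < e.when < cutoff:
                cutoff = e.when
        flagged += [e for e in timeline
                    if e.source == "file" and usb.when <= e.when <= cutoff]
    return flagged

if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.when.strftime("%m/%d %H:%M"), e.source, e.detail)
    print("flagged:", [e.detail for e in file_ops_near_usb(tl)])
```

In a real examination the three input lists would come from the system's power/event logs, its USB device registry history and the file system timestamps rather than from literals.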
Application Executions
• We know the first execution date/time
• We know the last execution date/time
• We know how many executions
• We know what user executed the application
"Easy" Trade Secret Theft
• Employee resigned on May 6, 2011
• Google query "How do I link another email account to Gmail if that other account uses IMAP?"
• Copied sensitive information to USB
• DropBox installed March 3, 2011
• DropBox uninstalled May 6, 2011
DropBox ≠ "Easy" Trade Secret Theft
• Analysis of home machine
• Business secrets "synchronized"
• Copied sensitive information to USB: copied to USB drive on May 7, 2011
• DropBox uninstalled May 6, 2011
MetaData/EXIF Data
• "Information about Information": dates of creation or access, authors, prior histories, editing histories, printing
• Found in email, spreadsheets, Office documents, pictures
MetaData Case Study #1
MetaData Case Study #2
Anti-Forensics Efforts
• Effort to Conceal/Destroy
• Most Often Noticeable
• Special Programs
• System Utilities
Anti-Forensics Case Study
Klumb v. Goan
• Young Attorney Marries Established Businessman
• We Need to "Monitor" the Children
• Speculation of a "Plan"
http://www.goklg.com/2012/08/01/ex-spouse-hit-with-20k-in-damages-for-email-eavesdropping-klumb-v-goan/
Divorce Grand Scheme
• All Computers Involved
• Hundreds of Yahoo! Mail Emails Recovered
• Discrepancies of Emails Produced in Discovery
• "I don't have a USB drive"
• Conflicting Antenuptial Agreements
http://cyb3rcrim3.blogspot.com/2012/08/eblaster-wiretapping-and-prenup.html
Ruthless Business Partner
• Company Ownership Split
• Competing Company Knew "Everything"
• Thought Offices Were Bugged
Triple Crown Winner
• 11/10 – Employee Dismissed (All Access Not Removed)
• 1/24 – Someone Connected and "Cracked" Passwords
• 1/25 – Someone Installed Remote Control Software: began accessing sensitive computers, began accessing CCTV systems, accessed sensitive information
Triple Crown Winner
• 2/20 – Connected to Computer: recovered passwords, accessed email of IT Director and Purchasing Manager
• Placed Online Orders
• Searched for More Credit Card Info
Nation State Espionage: "I Have Not Been to China"
Nation State Espionage: "OK.. Maybe Once or Twice"
iMessage Sync = $
• Divorce, Suspected Affair
• iMessage Communications
• Borrowed Son's iPad
• Entire Conversation Synced
Bill Dean, CCE bdean@lbmc.com (865) 862-3051