Defcon 21 - Forensic Fails - Shift + Delete Won't Help You Here

Video Statistics and Information

Video

Captions Word Cloud

Captions

our talk is about forensics fails um I'm this guy over here I found it a discovery company about 11 years ago I'm a forensic examiner I have done thousands and thousands of exams I'm also an expert witness in state federal court etc and I like cats and my name is Eric Roby all right about this other guy um hi I'm Michael Parkland you may remember me from other Def Con talks such as ACL steganography I'm a forensic examiner a cybercrime investigator security professional I've Dallas have done thousands of exams and I like to break things a lot don't break my cat all right so our agenda today we have got seven amazing stories full of fail we're going to learn something about forensic techniques because that's what we do and the fails today are brought to you by both the suspect and the examiner and we'll we'll get into that in a little bit the names have been changed to protect the it's on both sides we've actually changed some of the facts to to protect the idiots and it seemed like a good thing to do basically but because fail was not just one-dimensional we found many dimensions of fail in our research we've decided we need to create a fail matrix to explain how the fellow so this is just I'm just going to explain how the fail matrix works the first level of fail is the user retard level oh my god I spelled that wrong Drake Drake for the record he was responsible for the keynote presentation so this is definitely his fail this is my fail I get ten points alright so the punishment level depends on you know what happens so that particular guy lost the case dollars distress calls let's give this one five points and bonus points are just whatever the fuck I feel like doing this girlfriend left him in this case so he gets thirty five points alright so let's get into the first one this is the it wasn't me defense you may have heard this one before alright so we do a lot of commercial litigation and a really typical kind of case is a trade secrets case and this is a typical example of that so this guy Bob he was working in sales at Acme and he resigned his position and he decided to go work for a competitor this happens all the time and some allegations were made by his employer that he took some trade secrets he took the customer list with him to his new company it happens so Bob says I got nothing to hide come at me bro I didn't exactly say that but it sounded good I'm paraphrasing so we started imaging the drive and we started planning the examination one thing we frequently do is we look for deleted files in unallocated space and unallocated space is the part of the drive that can typically contain deleted file so it's you know when you hit shift delete and it doesn't go away it ends up an unallocated space so we will look for stuff there it's something we also do is we look for recently used files by common programs like Word Excel Acrobat and so forth and we might look for USB device insertion we're basically looking to see how trade secrets got from you know acne over to the new company the final final the dry finished imaging and I'm actually going to share something really cool today it's a Def Con exclusive worldwide premiere we found a new wiping pattern this is actually real I'm not making this up this is real so you know Bob apparently had used some kind of data destruction program that can overwrite every bit of space and Onalaska on allocated space he used a pattern that however was not really commonly used by windows or any other other utility live scene might have been something custom so you know we thought hmm this might suggest something bad was happening here what's uh you know maybe it let's let's take another closer look at this so we're going to look we're gonna zoom in we're gonna look at this on a molecular level now I think we need to zoom in a little bit more so what have we learned I admit the first part was actually the second part there was no Sarah Palin in this case but so data destruction can almost always be detected um if you even if you don't use a repeating pattern it's still detectable we see it all the time there's artifacts left behind that could be part of the pattern or there's artifacts in the operating system itself so we might not know what you've destroyed but we'll definitely know you destroyed something this is the mic here you go and also it doesn't work very well and mean phrases make people dislike use what about your fail matrix we got to do the fail matrix all right but uh all right twelve pretty retarded I think you know the guy lost the case you got sued under $100,000 so not a huge amount of economic distress and I didn't really give him any bonus points here because it just wasn't that good so he gets 27 it's already fail I think we can blame that guy who gave me the beer all right so this case it was a lot of fun I didn't expect it to be fun when I started out but it ended up being a lot of fun I call it the Nickelback guy you'll you'll see why in a second so it was another allegation of stolen confidential documents this guy let's call him John he left one company to go work for a direct competitor and the his old company hired us to go in and take a look take a look at his can we go can we get an audio for this by the way we're going to need audio for this segment so if you could turn it on um so so yeah uh the company where he left they asked us to take a look at his work computer to see to look for science of data exfiltration we he worked on a lot of confidential projects and they just want to make sure that he wasn't taking these confidence to projects to the competitor and letting them know what they were doing so right totally said all that so we why is this not working there it is we open up the hard drive to start to start the analysis and we started finding all the same stuff that you typically found on a work computer yeah there's some work stuff sure some evidence of you know facebooking he's got a an mp3 collection like listen to music while he's at work typical stuff we found the confidential documents that we were asked to make sure he didn't take so that was to be expected because he did the work on this on this computer and almost immediately something jumped out at me and we'll get into why it jumped out at me in a second but his music collection became very interesting to me not because I love Nickelback but because well again we'll get into this that when we fail yeah and I'm Canadian too so I I yeah Nickelback from Canada um yeah you take a closer look at this photo something may jump out at you as well these are just mp3s just songs but the size of these files is a little bit off um what's wrong here yeah the extended play Nickelback this guy really loved his Nickelback so these were actually a bunch of avi files ah yeah yeah these are just avi files that he had renamed so it seems to John assume that nobody would listen to his Nickelback mp3s which is probably a good assumption because I don't think anybody would listen to his Nickelback mp3s and he was hiding something but what was he hiding Praeger porn this guy had a quite big fetish for preggers porn these were full-length feature films of pregnant ladies banging and and they're just like there's there was a ton of them all over this guy's hard drive now while we did have to analyze them to see what they were but but I will say that the specific techniques that we used to analyze their trade secret so I can't tell you how much how much depth we went into when we're analyzing them but yeah it seems John did a lot of more than just work on his confidential project on that computer so we had to tell the company that you know over the last three years while he was working there on this confidential project he was also doing other stuff they were pretty happy that he left anyways all right so what have we learned examiner's when we take a look at that files on a computer we don't typically look at it within the nested folder structure like we don't have to go into every single subfolder go back out go into other subfolders back it out we see it all in a big long list it makes it a lot easier to to analyze stuff also one of the very first things that we always run is what's called a file signature analysis this is a special script that looks at the contents of every file and it compares what's inside the file with the extension and if there's any discrepancies those files are bumped up to the top of the list to be looked at because the system knows if these don't match something may not be right here a human should take a look at this I just said those things and so at the end of the day john's attempt at hiding his preggers porn actually made it bump up to the top of the list for me to take a look at so if you're going to hide something don't just change the file name that that doesn't hide something that that makes me want to look at it even more all right so the fail matrix the reuse a retard level I would say 12 because again renaming a file is not data hiding if you want to do real data hiding need you to come to my ECL steganography talk punishment level 13 he lost his job not only the previous company where he left but the new company where he landed he lost his job their distress caused was zero didn't really hurt anybody I mean what you choose to do on your own time is up to you although he chose to do it on work time with work stuff what the bonus points are going to be for don't you yeah this there's going to be some bonus points I would say about a nickels worth a grand total of 30 fail points all yours that is the fail sound thank you by the way do you like the font that we're using Comic Sans going to get our hand for Comic Sans nobody uses Comic Sans the most underappreciated font in presentations I don't know why we see we don't see Comic Sans in more business settings I mean we really we're bringing it back we're bringing it back it's a new movement alright so let's look at the just Bill Me Later case so our client the ABC firm they outsource take e part of their business they've been doing it for many years and the part of their business that they're outsourcing is on a time of materials basis so there's a lot of invoices with ours and rates and that's basically it it was several million dollars a year on average that was being billed and our client started a review project because they thought they were being over a bill they thought there might be a little inflation and they wanted to figure out why things were looking inflated they looked at some of the individual bills and they saw they thought things are taking a little bit too long so we came in and we decided to help so they had thousands and thousands and thousands of PDF format invoices now that's not going to do us a lot of good even if we OCR if we even if we apply optical character depression recognition to it we've still got a lot of unstructured data so I can't really you know I can search one or two PDFs but when I've got tens of thousands of them it's really difficult to do anything with that on so where did we start we didn't have a lot of clues in this one so through the magic of court order we were able to go to this customer's database their network and get an image of everything in their network including a billing database which turned out to be very handy so we made a forensic copy of this database and it was in a proprietary format and so in order for us to do forensic analysis in a database we need to be able to get it into something like SQL where we can do kind of standard queries so we migrated over we do standard queries and we're looking at it there's still no easy way to compare the PDF to the database so we decided to reverse-engineer the tables in the database sometimes it's easy but sometimes there are thousands and thousands of tables and when you don't have tech support of the developers you just have to figure it out so it's a really slow laborious process but we did figure it out we noticed that the audit logs were turned on in this which happened to be particularly useful so we ran a lot of queries in versus time build versus the audit logs and we found there was sort of a pattern of inflation going on because basically when you're billing on time of materials all you're doing is you've got either hours or you've got a rate and those are the two things in the got overly inflated so these are this two things that you can change there you can change time or you can change the rate but we found the audit logs were turned off by default and the IT folks bless the IT folks they turned the audit logs on which was really really really helpful because we do a lot of database forensics cases and this is the only one we've seen with it the audit logs were turned on so we were able to compare basically um the amount that was billed at the end of the day versus how many hours were put on up to that point we're able to see a chronology so maybe at the end of the day the bill was for a thousand dollars but we saw that was only 800 dollars that was actually billed so the the billing person the database person who basically was working with it this person would change the hours and the rate sometimes and bump it up so I went up from like 800 to a thousand dollars on a typical invoice they did this thousands and thousands and thousands of times so let's look at the fail matrix so I didn't give the user retard level the you know too many points here because it was a billing administrator most people don't really know what's going on inside a database most average people so however they have to refund the money so if they get 18 points for that over the last like four or five years worth of money now it was a lot of money it was about twelve million dollars actually so they got fifteen points I wish and bonus points yeah systematic culture of over billing they got forty five okay this next one I call it smoking gun txt now if you if you work in the in the forensic arena you've probably heard the term the smoking gun txt it's it's the it's the gag name of what you're always looking for in a case it could be that record in a database it could be that internet history record that shows that the guy really did something bad it comes from the cheesy western movies where you know the the murderous gun is still smoking after he shot it proves that he was the one who fired the shot so in forensics you're always saying that you know your did you find the smoking gun yeah found the smoking gun dot txt sometimes I wish it's as easy as finding a file named smoking gun txt but you can only wish this is another intellectual property case again you got a guy leaving one company to go work for another company and the first company says can you make sure he didn't do stupid shit and we called in to make sure that he didn't do stupid shit so we imaged the drive we kicked off for standard analysis scripts like the file signature analysis script that I told you guys about before and open up his desktop folder I always like to open up the desktop folder of every suspect that I'm examining because you can tell a lot about what a guy or but a lot about the person when you're looking at the desktop did they cram a lot of files in there in an unorganized fashion or maybe everything is neatly packed away in the My Documents folder things like that or are they arranged nicely or is it just all smattered it tells you a little bit about the person so you can get a live into the mind of who they are and immediately I solved the case how did you do that so well this is the smoking gun txt it oh yeah it's almost as easy as this um with us arbic you so I open up the Desktop folder and I saw this I'm hoping you can see that in the back but I'll read it out for you you've got a folder on the desktop you can see at the bottom left there the folder is called competitive intelligence and in inside that folder we've got a PowerPoint presentation titled blue Bluebird Project Blue Book we've got we've got some PDFs we've got a whole bunch of stuff about this Project Blue Book that this guy was working on from from his old company he was getting ready to deliver this presentation to the the executive leadership team of the new company telling them everything about this confidential project from his old company so yeah he didn't make it difficult for me like it was not only all this stuff was there but he made a PowerPoint presentation describing it and like to deliver all all the all the knowledge for this to the ELT um yeah I just said that do we over bill for this maybe we're not sure that last client all right part of me uh I don't even remember probably well it took twenty twenty minutes we probably just build one hour Michael what are we look what have we learned in this case well we learned that sometimes people don't even try fail matrix all right use a retard levels gotta be an eighteen that I mean ah we could but I'm sorry we're saving the the higher scores for some of the later stories yeah so the summers are going off you may have noticed yeah so far each one's been going up um yeah you got an 18-4 user retard level because if you're going to be doing this don't leave tracks all over your computer I mean sure if you're going to say all the they're going to be launching this new thing in August next year that's one thing to say it to a person but if you put together a whole presentation about the thing you're that's fail its fail punishment levels ten because he had to settle he was obviously in breach of his NDA from the old company and it cost him one point five million in damages so the distress caused is a six pointer and bonus points of twelve four zero effort this all adds up to the fail matrix score of 46 all right next door Eden I hope you appreciate these amazing sound effects and video editing that I did hold on we need to put the presentation on hold I have a problem which ones which that one is mine on the left in your left hand are you sure because I want the one that it's more then the one with more is yours nice when we'll be taking questions later all right so the next one I call hiding in the cloud so once again a top sales guy leaves the company and the sales just take a nosedive actually and they think he took the customer list but they can't prove it they know that there's new customers that they know that there's old customers over at the new company but they can't prove that he's taking the customer list so we images a computer and we start looking for the usual kind of clues so for example link files are a windows artifact that show what files have been recently opened they're a simple text file and they're pretty easily parsed and they've got a lot of information about the location of the file the date and the time all that kind of good stuff we look at a registry key which I just love the name of this it makes absolutely no sense to me at all but you know somebody in Microsoft maybe had a couple of these one day when they're working called bag mru for some unknown reason it most recently used but why bag you guys are just full of great answer so anyways explain why it's named that but it's still a fucked up name bag mr you come on anyway so it's a register key that can show user activity and it can show what files are inside a folder so that's one of the things that we look at typically in a data exfiltration case jump lists which are that's actually wrong from vista forward we've got jump lists and if you look looking at your that's a fail that is a fail that should say I got it I gotta take a drink I just don't love vista enough to put it in there so anyway so jump lists are the thing on your taskbar if you've got like five Word documents open and you see you know you click on it you've got the five those are jump lists basically an IE history internet explorer internet explorer is so much more than just exploring the internet it actually records things that you do without your knowledge like opening files but we're getting no love I'm not finding anything show me the love baby he's having a beer alright so we search the IE history and we found a dot HTM file that had some JavaScript in it pointing to files anywhere who's familiar with that site it's very much like Dropbox the same kind of concept but it's more for business users so it's got a really a lot of really great auditing and logging and stuff like that so you're uploading and downloading files you can basically monitor and track them and so forth that turned out to be a very nice thing because typically that's only in the user control panel but we found is little dot HTM file with Engle oh and we solved the case timing fail I'm sorry three bingo we solved the case all right so what we got was the account ID the upload times the file names everything we got some sweet lovin we had ourselves some stolen files let's look at this little actual bit of JavaScript here I have changed the names of the file in this case but you know we've got stolen file a recipe for coke for example you notice minor trade secrets the user is the user account name so we were able to subpoena that from files anywhere and figure out who actually registered the account there is the folder that it was in and this is really handy here the date that it was uploaded and we got a whole bunch of these in fact this is the first page of a like a 80 page Excel report that I prepared and these are all the file names that this guy uploaded so yeah so the second part of the story is going to go back another fail fail which one do I drink from good good answer all right so the second part of the case the opposing attorney the guy representing the thief handed us an Outlook CD and CD without with PST on it and this is part of the discovery process discovery is a legal term in litigation where both sides are able to exchange evidence and in fact they have a they're compelled to exchange evidence through the rules of the court so he gives us a CD and it's got outlook now what PST on it the first thing we do is we look at is not a lot of files in there and the first thing we do is we want to recover the deleted emails in a PST because we're forensic analysts and that's what we like doing we like looking to people's emails so I'm going to show you the old-school way of recovering deleted emails you use a hex editor you crack open the PST and you change bytes 7 through 12 or 7 through 13 change them to zeros save the file then you use the outlook repair tool which is built in with Microsoft and you basically repair the tool restore a repair the PST happens is you get a lot of emails back now these are not the actual emails but you get tons and tons of emails back and in fact in this case we got tens of thousands of deleted emails and what was in these mails everything that completely turned the case around so not only did we have this guy with all the uploads on those spreadsheets we also had all the emails about who was involved what lists he took who were the you know all the people that were involved we were winning we went we went to Charlie Sheen mode all of a sudden and the funny thing is we were able to take all this information and at a deposition and if you don't know what a deposition is we get to ask questions of the opposing party so we're asking them you know what happened did you guys steal anything did you take anything no now now we start pulling out these emails one by one by one and the guy turns white as a sheet and he spills the beans and basically you know we do pretty well so who deleted the Mail's do you think in this case hmm all doubt I think you know who well people got out almost immediately they hired Saul Goodman unfortunately and yeah he deleted the mails not good thing not a good thing so what have we learned the question was did he claim privilege on the privilege on the emails he claimed privilege on some of them but not on you know all of the 10,000 that he deleted so ie history is actually really difficult to wipe it was what we've learned it seems to leave stuff behind we found a new artifact which is actually pretty cool files anywhere this JavaScript artifact I haven't heard this discussed anywhere before so I think it's kind of cool javascript files can give us love - we like them and uploading files still leaves traces so an attorney's shouldn't mess with evidence it's against the ethical rules in every state and probably every Canadian province and it can get you disbarred actually so let's look at the fail matrix so the user retard level is pretty damn high in this one we got fails on the attorneys pardon also on the the ex sales guy a huge lawsuit three and a half million dollars on fees and damages which our client all got back basically and 15 bonus points the attorney might lose his license on this one he hasn't yet we don't know we don't track that kind of stuff 51 removing up you're ready oh right all right let's do this shit that's the this next case was probably one of the most fun cases that I've worked on right from the start I could tell that something was what was going to be a fun one I call it the RDP bounce you'll see why I was called in to investigate a network breach the company told us and they shared some information with us that was evidence that at least one computer had been breached they didn't know why they didn't know what and they asked us to investigate and well to tell them why and to tell them what it was is a large company they've they had a lot of computers all the more were windows-based thousands upon thousands of computers in offices all across the world and in one of their offices they they noticed that this computer had been breached so let's figure out what happened so we move in and actually think I'm just going to pause here for two seconds hey Eric is this your first time presenting at DEFCON yes it is okay hi we don't even have to say anything anymore you guys know exactly what's going on Sarah yeah joy yourself oh yeah mix Tara you dare let yeah you sir is your name soon sir bend over you're the ugliest Sarah ever finish that bale another soldier bites it does winning fall yeah there's some issue about the sound person ah know whatever is supposed to be the sound information you know I appreciate that Sarah but she's not here come on up you're the next contestant on fail others oh you ready got one someone counted wrong you're past one for Sarah all right I'm sure all of you want to be Sarah right now alrighty Sarah Palin in the talks to our new speakers and to our new attendees oh thank you thank you shoot two more to this hour all right we got 15 minutes left so thank you very much goons for for doing that it's Eric's first time at Def Con so all right so I was talking about the RDP bounce case that I was those investigating now as I mentioned thousands of computers very various offices all around the world so we analyzed the one computer that they knew it was breached and it showed that there were that RDP or remote desktop protocol this is the the tool that's built into Windows that allows you to remotely control another computer some logs showed us that RDP was used to connect using the local administrator password to to another machine it also showed that after I said that backwards it show that RDP was used to connect in and also showed that RDP was used to connect out so in this little diagram here we're I was looking at the middle computer I didn't know at the time that there were other computers I was just looking at this middle one and it seemed that there were a bunch use in here so it was probably the tip of the iceberg where do you find these logs Michael specifically I was looking at the Windows Event log the the Event Viewer if you go into the control panel and then the administrator tools there's the Event Viewer tool by default it logs a lot of stuff in there including when RDP is used to connect in and when you're connecting out so I analyzed that the machine that came before it and same the same thing there were there logs that showed that something was connecting into that it was basically an entire bounce now these computers were located in different offices in all around the world this guy was bouncing all around the world to do something so obviously this is a pattern I still didn't know what he was doing I just knew that he was clearly going through a lot of trouble to up the skate his trail bouncing all around so that probably so that when he does his final target there's no direct evidence to to where he was coming from yes there were all sessions with incessant so he opens up a remote desktop and then within that remote desktop window he opens up another remote desktop to another machine and he just did this over and over it must have taken him hours because Remote Desktop is not the fastest protocol at all and so he must do like I don't know I don't want to speculate how long it took him to to do this um you imagine how long the screen redraw was by the time you get to like machine tan Jesus Christ you probably have to double-click with like a minute in between clicks or something all right so what was the target so um I think you could not figure whatever did next rather than following the trail back I start following the trail forward what was he getting so a step after step computer after computer site after site after site all around the world I finally reached a high profile machine I I wish I could tell you why which specific machine it was I can't because it would give away too much about this company did it have Nickelback on it I did not have Nickelback on it um yeah chopping his video ever for sure so once I reach this machine I knew exactly what he was going after he wanted highly confidential documents that were only on this one machine in the entire company and he obviously knew this and he wanted to get into this machine to get these documents so I focused my analysis on this target machine on this special confidential machine and I want to see what did they do specifically which files did they take one and it took me only about two minutes as I was analyzing this machine and I identified the attacker immediately now he went through all around the world and I finally when I was taking a look at his target within two minutes I found out who he was he used his own credential on machine no he did not use his own credentials on the machine any other guesses emails himself nope he stole his own file nope he did not check Facebook no no shared drives why did I tell you what he did Michael what did he do printers so one thing that a lot of people don't know about remote desktop is by default it Maps the printer connected to your machine to the machine that you're connecting out to it does this so that when you hit print inside your remote desktop window your printer next to you is available so you can print a document beside you now this guy didn't print any documents but just by connecting the machine automatically mapped his local printer to the target machine which identified his machine a machine name he forgot to turn this off there was a checkbox in remote desktop protocol when you open up the the RDP window you can it options and then uncheck map printers to target machine is just a checkbox he did not uncheck it yeah what have we learned Michael well what have we learned log entries that are created by innocuous system events can give insight into user actions now he didn't map his printer the system did it automatically so sometimes just looking at what the system is doing can tell you what the user was doing for the fail matrix use a retard level would be about a 20 because he went through a lot of trouble to cover his tracks and he did not cover his tracks punishment level would be 15 he lost his job he also lost his recommend his references he can't use use that company as a reference anymore so distress calls would be 8 bonus points would be 20 do some research if you're going to use RDP to pull off some kind of a scam know how RDP works adding it all up we get a fail star 63 now the last story here Eric alright so the last the last story is a little bit different than the others um this is the epic porno fail so the difference in this one is all the other cases we've talked about have either been commercial litigation civil litigation something on that side this one happens to be a criminal case and from time to time we do criminal defense work and we work either with public defenders or with private attorneys and so this is about this kind of situation so our client Edgar has been charged with possession of contraband aka child porn on his computer pretty unsavory stuff he claims innocence as usual and I kind of roll my eyes because everybody always claims innocence and you know 98% of these people did it we examine the computer we looked at the examiner's report we looked at their allegations and let's take a look at them so they claim Edgar downloaded porn all right they claim that Edgar's user account had passwords this is all documented in the report and they claim that Edgar utilized newsgroups to download porn like for real who uses these groups to download porn anybody anybody hand they had the web now I mean yeah news groups right so that guy I would believe all right so they they allege that he downloaded illegal porn and there is one thing to know just keep this in mind as we go through the talk he left his house in April 2012 his wife kicked him out because of all this you know stuff happening basically so April 2012 keep that in mind so let's look when we examine the computer let's see what we came up with so first we looked at ie history and as I mentioned before ie history is able to show you when a file has been opened so this is an actual example I've changed the file name a little bit here and what was the date that I just mentioned April 2012 ok I see some dates here are these before or after April 2012 put up your hand if it's after yes so all right one fail here let's look at it as a peer-to-peer software download folder so in the top there I've got the the path where these knotty files were downloaded and it's a pretty typical path these PDP programs change the the file name to something long so it's like T - something something something naughty file anyways I'm looking at the dates here again and Michael diva calendar is is give me a second here when is December it is after April after April ok it's after April okay just just wanted to check we need to verify our forensic findings before we can publish them so you know we're verifying oops I think he'll fail give me that beer all right so they also claimed that he used Outlook Express really to download porn Outlook Express this is 2012 remember folks makes you wonder did they even analyze this guy's machine where they coming up with this stuff we saw records of p2p not Outlook Express Outlook Express all right in reality yes Outlook Express was on the machine set up with an account called porno lover okay it was set up after Edgar moved out of the house and only headers were downloaded no content so you mean by headers so a header is if you're using Outlook Express it is just the first part of the file the email it's going to have the date the send of the receiver maybe the subject line maybe the first couple words but there was no content there was no no photos in there just headers with you know admittedly some porno names so they also let's look at accusation number three they say his user account had a password in the inference is the only Edgar was able to access it because there was a password let's look at the passwords shall we maybe we can zoom in a little bit on this this is actually a really cool utility it's free it's called LCpl let's go back to for one second here it's a free utility it's really great for looking and seeing if there are passwords you can also use it to perform an attack although it's not very good all right so more facts undiscovered by the examiner the p2p client was used to download porn that's the examiner didn't find that into a new user account called porno lover s when after he moved out of the house so we submitted our report to the prosecutor it was like a five ten page report something like that and the government dropped the charges years after they charged this guy they drop the charges this does not ever have early this is the first time I've done thousands of cases and while hundreds of hundreds of cases thousands of exams I don't know how many it's never happened before and this is after the guys spent a huge amount of money in legal costs so to do all this I just want to give a thank you Rob Lee and the sands anyone a doe rub Lee we use super timeline analysis to do a lot of this work super timeline is a really amazing piece of software that will basically go through the computer and look at all the computer-generated artifacts and put everything into a nice connell chronological sequence for you so really awesome piece of software definitely one of the best pieces of software yeah yeah so um the government interviews Edgar's friend the friend confess us the friend did it the friend was trying to get jiggy with Edgar's wife and he put the porn on the computer and the court clears edgers name they give them a finding of actual innocence never happens yeah well I've had many people claim innocence and this guy actually claimed innocence and he really was yeah rarely happens I've been to court a couple times where there's been acquittals and we didn't go to court on this one fortunately but we would have so what do we learn base your conclusions upon actual evidence find multiple artifacts backing up your allegations not and I don't know where the password thing came from tie it to a person not just a machine if possible try to look at user activity that would tie specific events to a person so remember the maximum you can get is 20 in any category however I've decided to break the rules a little bit for this one so examiner ineptness he gets five bonus points built-in right there oh yeah the guy sue the city for millions of dollars and you know there might be a job security issue for somebody in this case yeah I don't think that examiner is gonna really have a job footing and 100 bonus points because the for the court finds a suspect innocent so factually innocent with eyes get soon

Info

Channel: HackersOnBoard

Views: 526,631

Rating: 4.4145341 out of 5

Keywords: 2013, defcon, 21, defcon21, t429, defcon 21 videos, def con 21, Forensic Fails, Forensic Science (Field Of Study)

Id: NG9Cg_vBKOg

Channel Id: undefined

Length: 47min 10sec (2830 seconds)

Published: Sat Nov 16 2013

Reddit Comments