>> ERIC ROBI: This talk is about forensic fails. I'm this guy. Over here. I founded an eDiscovery company a few years ago. I'm a forensic examiner. I've done thousands and thousands of exams. I'm an expert witness in state and federal court and I like cats and my name is Eric Robi.
>> AUDIENCE: Hi, Eric!
>> ERIC ROBI: Hi. About this other guy.
>> MICHAEL PERKLIN: Hi, I'm Michael Perklin. You may remember me from past DEF CONs from ACL Steganography. I'm a forensic examiner, cybercrime investigator, security professional. I've also done thousands of exams. And I like to break things. A lot. (Chuckles.)
>> ERIC ROBI: Don't break my cat. All right. So our agenda today. We've got seven amazing stories full of fail. We are going to learn something about forensic techniques. That's what we do. The fails are brought to you by both the suspect and the examiner. We'll get into that in a little bit. The names have been changed to protect the idiots on both sides. We actually changed some of the facts to protect the idiots. It seemed like a good thing to do, basically. Because fail was not just one-dimensional, we found many dimensions of fail in our research. We decided we needed to create a fail matrix. (Laughter.)
>> ERIC ROBI: To explain how the fail ... I'm going to explain how the fail matrix works. The first level of fail is the user retard level. Oh, my God, I spelled that wrong! (Laughter.)
>> MICHAEL PERKLIN: Drink! Drink! For the record, he was responsible for the Keynote presentation. So this is definitely his fail.
>> ERIC ROBI: This is my fail. I get ten points. So the punishment level depends on what happens. So this particular guy lost the case. Dollars, distress caused, let's give this 15 points. And bonus points are whatever the fuck I feel like doing. His girlfriend left him in this case. So he gets 35 points. Let's get into the first one. This is the "it wasn't me" defense. You may have heard this one before. All right.
So we do a lot of commercial litigation. And a really typical kind of case is a trade secrets case. This is a typical example of that. This guy Bob, he was working in sales at Acme. He resigned his position and decided to go work for a competitor. This happens all the time. And some allegations were made by his employer that he took some trade secrets. He took the customer list with him to his new company. It happens. So Bob says, I got nothing to hide. Come at me, bros. He didn't exactly say that, but I'm paraphrasing. We started imaging the drive and planning the examination. One thing we frequently do is we look for deleted files and unallocated space. That's the part of the drive that can typically contain a deleted file. When you hit shift-delete and it doesn't go away, it ends up in unallocated space. We look for stuff there. Something else we do, we look for recently used files by common programs like Word, Excel, Acrobat and so forth, and USB device insertion. We look to see how trade secrets got from Acme to the new company. The drive finished imaging and I'll share something really cool today, DEF CON exclusive, worldwide premiere: we found a new wiping pattern. (Laughter.) (Cheers and applause.)
>> ERIC ROBI: This is actually real. I'm not making this up. This is real. So Bob apparently had used some kind of data destruction program that can overwrite every bit of space, unallocated space. He used a pattern that, however, was not really commonly used by Windows or any other utilities I've seen. Might have been something custom. So you know, I thought: Hmm, this might suggest something bad was happening here. Let's maybe take another closer look at this. (Chuckles.)
>> ERIC ROBI: We are going to zoom in on this and look at this on a molecular level now. (Applause.) (Laughter.)
>> ERIC ROBI: I think we need to zoom in a little bit more. (Laughter.)
>> ERIC ROBI: So what have we learned? I admit, in the first part, there was no Sarah Palin in this case.
Data destruction can almost always be detected. Even if you don't use a repeating pattern, it's detectable. We see it all the time. Artifacts can be left behind that are part of the pattern. We might not know what you destroyed, but we'll know you destroyed something. Oops. This is the mic. There you go. And all of a sudden it doesn't work very well. Mean phrases make people dislike you.
>> MICHAEL PERKLIN: What about the fail matrix?
>> ERIC ROBI: We have to do the fail matrix. Da da da. 12. Pretty retarded, I think. The guy lost the case. He got sued. Under $100,000. So not a huge amount of economic distress. I didn't give him any bonus points here. It just wasn't that good. He gets 27.
>> MICHAEL PERKLIN: I think I'll do --
>> ERIC ROBI: It's already a fail. (Laughter.)
>> MICHAEL PERKLIN: I think we can blame that guy who gave me the beer. All right. So this case is a lot of fun. I didn't expect it to be fun when it started out. It ended up being a lot of fun. I call it the Nickelback guy. You'll see why in a second. Another case of stolen confidential documents. This guy, let's call him John. He left one company to go work for a direct competitor. And his old company hired us to go in and take a look at his --
>> ERIC ROBI: Can we get audio for this? By the way, we need audio for this segment. Turn it on?
>> MICHAEL PERKLIN: So the company where he left, they asked us to take a look at his work computer to look for signs of data exfiltration. He worked on a lot of confidential projects and they wanted to make sure that he wasn't taking these confidential projects to the competitor and letting them know what they were doing. So, right. I totally said all that. Why is this not working? There it is. We opened up the hard drive to start the analysis and we started finding all the same stuff that you typically find on a work computer. Work stuff, sure, some evidence of Facebooking. He's got an MP3 collection. He listened to music while he was at work.
Typical stuff. We found the confidential documents that we were asked to make sure that he didn't take. So that was to be expected because he did the work on this computer. And almost immediately something jumped out at me. And we will get into why it jumped out at me in a second, but his music collection became very interesting to me. Not because I love Nickelback, but because -- well, again, we'll get into that.
>> ERIC ROBI: That would be fail.
>> MICHAEL PERKLIN: Yeah. I'm Canadian, too, so I ... yeah, Nickelback is from Canada.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: Yeah, take a closer look at this photo, something may jump out at you as well. These are MP3s, just songs, but the size of the files is a little bit off.
>> ERIC ROBI: What's wrong here?
>> MICHAEL PERKLIN: Extended play Nickelback. This guy loved the Nickelback. These are actually AVI files.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: These are AVI files that he just renamed. John assumed nobody would listen to his Nickelback MP3s. That's a good assumption because nobody would listen to his Nickelback MP3s. He was hiding something. But what was he hiding? (Music playing.)
>> MICHAEL PERKLIN: Pregger porn. This guy was looking at pregger porn. These were full-length feature films of pregnant ladies banging. And they were like, there was a ton of them all over this guy's hard drive.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: We did have to analyze them to see what they were. (Laughter.)
>> MICHAEL PERKLIN: But I will say that the specific techniques that we used to analyze, they're trade secrets. I can't tell you how much depth we went into when we were analyzing them. Yeah, seems that John did a lot more than work on his confidential project on that computer. We had to tell the company that over the last three years while he was working there on this confidential project, he was also doing other stuff.
They were pretty happy that he left anyway. (Laughter.)
>> MICHAEL PERKLIN: All right. What have we learned? Examiners, when we take a look at files on a computer, we don't typically look at it in the nested folder structure. Like we don't have to go into every single subfolder, go back, go to other subfolders, back it out. We have a big long list. It makes it easier to analyze stuff. One of the very first things we always run is called File Signature Analysis. This is a special script that looks at the contents of every file and compares what is inside the file with the extension. If there's any discrepancies, those files are bumped up to the top of the list to be looked at because the system knows if these don't match, something may not be right here and a human should take a look at this. I just said those things and so at the end of the day John's attempt at hiding his pregger porn bumped it up to the top of the list for me to look at. If you're going to hide something, don't just change the file name. That makes me want to look at it even more. So the fail matrix. (Laughter.)
>> MICHAEL PERKLIN: The retard level, I would say 12. Again, renaming a file is not data hiding. If you want to hide data, come to my Steg ACL course. The new company where he landed, he lost his job there. Distress caused was zero. Didn't really hurt anybody. What you choose to do on your own time is up to you. Although he chose to do it.
>> ERIC ROBI: You know what the bonus points are going to be for, don't you?
>> MICHAEL PERKLIN: There are some bonus points. About a nickel's worth. (Laughter.) (Loud buzzer.)
>> MICHAEL PERKLIN: Grand total of 30 fail points.
>> ERIC ROBI: That is the fail sound. Thank you. By the way, do you like the font that we're using? Comic Sans. Nobody uses Comic Sans. It's the most underappreciated font in presentations.
>> MICHAEL PERKLIN: I don't know why we don't see Comic Sans in more presentation settings.
>> ERIC ROBI: We're bringing it back.
Let's look at the "just bill me later" case. Our client, the ABC firm, outsourced a key part of their business. They have been doing it many years. And the part of their business that they are outsourcing is on a time and materials basis. So there's a lot of invoices with hours and rates. And that's basically it. It was several million dollars a year on average that was being billed. Our client started a review project because they thought they were being overbilled. They thought there might be a little inflation and they wanted to figure out why things were looking inflated. They looked at some of the individual bills and thought things were taking a little bit too long. So we came in and we decided to help. So they had thousands and thousands and thousands of PDF format invoices. That's not going to do us a lot of good. Even if we applied optical character recognition to it, we have unstructured data. I can search a few PDFs, but tens of thousands of them, it's hard to do anything with that. We didn't have a lot of clues with this one. Through the magic of court order we were able to go to the customer's database, their network, and get an image of everything in the network including a billing database. Which turned out to be very handy. We made a forensic copy of this database. It was not a -- it was in a proprietary format. In order for us to do forensic analysis in a database we need to get it into something like SQL where we can do standard queries. We migrated it over and did standard queries. Looking at it, there's no way to compare the PDFs to the database. We decided to reverse engineer the tables in the database. Sometimes it's easy, but sometimes there are thousands and thousands of tables and when you don't have tech support or developers, you have to figure it out. It's a slow, laborious process. We did figure it out. We noticed that the audit logs were turned on in this, which happened to be particularly useful.
So we ran a lot of queries, the time billed versus the audit logs. We found a pattern of inflation going on. Basically when you are billing on time and materials, all you're doing is you've got either hours or you've got a rate. And those are the two things and they inflated. (Loud noise.)
>> ERIC ROBI: So these are the two things that you can change there. You can change time. Or you can change the rate. But we found the audit logs were turned off by default and the IT folks, bless the IT folks, they turned the audit logs on, which was helpful because we do a lot of database forensic cases and this is the only one where the audit logs were turned on. We were able to compare basically the amount that was billed at the end of the day versus how many hours were put in up to that point. We were able to see a chronology. Maybe at the end of the day the bill was for $1,000. But we saw it was only $800 actually billed. So the billing person, the database person who basically was working with it, this person would change the hours and the rate sometimes and bump it up. It went from $800 to $1,000 on a typical invoice. They did this thousands and thousands and thousands of times. So let's look at the fail matrix. So I didn't give the user retard level too many points here because it was a bill administrator. Most people don't know what is going on inside a database, most average people. However, they had to refund the money. So they get 18 points for that.
>> MICHAEL PERKLIN: Over the last four or five years' worth of money. It was a lot of money.
>> ERIC ROBI: It was about $12 million actually. They get 15 points.
>> AUDIENCE: (Speaker away from microphone.)
>> ERIC ROBI: I wish! And bonus points, hmm, systematic culture of overbilling. (Noise.)
>> MICHAEL PERKLIN: They get 45.
>> ERIC ROBI: Okay. This next one, I call it "smokinggun.txt." If you work in the forensic arena, you've probably heard the term smokinggun.txt.
It's the gag name of what you are always looking for in the case. It could be that record in the database. It could be that Internet history record that shows that the guy really did something bad. It comes from the cheesy western movies where the gun was smoking after he shot someone, and it proves he fired the shot. We say, did you find the smoking gun? Yeah, we found the smokinggun.txt. Sometimes I wish it was as easy as finding smokinggun.txt. Another intellectual property case. You have a guy leaving one company to go to work for another company. The first company says, can you make sure he didn't do stupid shit, and we are called in to make sure he didn't do stupid shit. We imaged the drive. Kicked off the analysis script, like the script I told you guys about before. Opened up his desktop folder. I like to open up the desktop folder of every suspect I'm examining. You can tell a lot about what a guy, or a lot about the person when you're looking at the desktop. Did they cram a lot of files in there in an unorganized fashion or is everything neatly packed away into the My Documents folder? Things like that. Are they arranged nicely or all spattered? It tells you a little bit about the person. So you can get a little bit into the mind of who they are. Immediately I solved the case.
>> MICHAEL PERKLIN: How did you do that?
>> ERIC ROBI: Well, the smokinggun.txt. It was almost as easy as this.
>> MICHAEL PERKLIN: A barbecue?
>> ERIC ROBI: I opened up the desktop folder and I saw this. I'm hoping you can see that in the back. You have a folder on the desktop, the bottom left there. The folder is called Competitive Intelligence. (Laughter.)
>> ERIC ROBI: Inside that folder we've got a PowerPoint presentation titled "Project Blue Book." We've got some PDFs. We've got a whole bunch of stuff about this Project Blue Book that this guy was working on from his old company.
He was getting ready to deliver this presentation to the executive leadership team of the new company, telling them everything about this confidential project from his old company. (Groaning.)
>> ERIC ROBI: He didn't even make it difficult for me. Not only was all that stuff there, he made a PowerPoint presentation describing it and to deliver all the knowledge for this to the LT. Yeah. So I just said that.
>> Did you overbill for that?
>> MICHAEL PERKLIN: We are not the last client.
>> ERIC ROBI: All right.
>> AUDIENCE: (Speaker away from microphone.)
>> ERIC ROBI: Pardon me?
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: I don't even remember. Probably, well, it took 20 minutes. We probably just billed one hour.
>> ERIC ROBI: Michael, what have we learned in this case?
>> MICHAEL PERKLIN: Well, we learned that sometimes people don't even try. Fail matrix. User retard level has to be an 18.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: We are saving the higher scores for some of the later stories.
>> ERIC ROBI: Numbers are going up, you may have noticed.
>> MICHAEL PERKLIN: So far each one has been going up. He got an 18 for user retard level. If you're going to be doing this, don't leave tracks all over your computer. Sure, if you're going to say they are going to be launching this new thing in August next year, it's one thing to say it to a person. If you put together a whole presentation about the whole thing, that's a fail. Punishment is ten. He had to settle. Obviously in breach of his NDA from the old company and it cost him $1.5 million in damages. So the distress caused is a six-pointer. Bonus points of 12 for zero effort. This all adds up to the fail matrix score of 46. Next story.
>> ERIC ROBI: I hope you appreciate these amazing sound effects and video editing that I did.
>> MICHAEL PERKLIN: Hold on. We need to put the presentation on hold. I have a problem. Which one is which?
>> ERIC ROBI: That one is mine on the left hand.
>> MICHAEL PERKLIN: Really, because I want the one with more.
>> ERIC ROBI: The one with yours is more.
>> AUDIENCE: (Speaker away from microphone.)
>> ERIC ROBI: We will be taking questions later. All right. The next one I call hiding in the Cloud. So once again a top sales guy leaves a company and the sales just take a nose dive actually and they think he took the customer list but they can't prove it. They know that there's new customers. They know that there's old customers over at the new company but they can't prove he took the customer list. We image the computer and look for the usual clues. For example, link files are a Windows artifact that show what files have been recently opened. They are a simple text file and easily parsed and have a lot of information about the location of the file, the date and the time, all that kind of good stuff. We look at a registry key which I love the name of this. It makes no sense to me at all, but somebody in Microsoft maybe had a couple of these one day when they were working. BagMRU for some reason -- most recently used, but why bag?
>> AUDIENCE: (Speaker away from microphone.)
>> ERIC ROBI: You guys are full of great answers.
>> MICHAEL PERKLIN: You want to explain why it is named that? It's still a fucked up name.
>> ERIC ROBI: It can show what files are inside a folder. That's what we typically look at in a file exfiltration case. This is from Vista forward, you have jump lists.
>> MICHAEL PERKLIN: That is a fail. It should say Vista.
>> ERIC ROBI: I have to take a drink. I don't love Vista in there to do it right. If you have five Word documents open and you click on it, you have the five, those are jump lists basically. IE history. Internet Explorer. Internet Explorer is so much more than exploring the Internet. It records things that you do without your knowledge, like opening files. But we are getting no love. I'm not finding anything. Show me the love, baby.
He's having a beer. So we search the IE history and we found a .JVM file pointing to FilesAnywhere. Who is familiar with that site? It's very much like Dropbox. The same kind of concept but more for business users. It has a lot of really great auditing, logging, stuff like that. If you're uploading and downloading files, you can monitor and track them. That turned out to be a nice thing. Typically that's only in the user control file. We found an HTM file and we solved the case.
>> Bingo!
>> ERIC ROBI: Timing fail, I'm sorry.
>> Drink!
>> Drink!
>> ERIC ROBI: Bingo, we solved the case. All right. So what we got was the account ID, the upload times, the file names, everything. We got some sweet loving. We got stolen files. Let's look at the JavaScript here. I changed the names of the files. We have recipe for Coke, minor trade secrets. The user is the user account name. So we were able to subpoena that from FilesAnywhere and figure out who actually registered the account. There is the folder that it was in. And this is really handy here, the date that it was uploaded. And we got a whole bunch of these. In fact this is the first page of an 80-page Excel report I prepared. These are all the file names that this guy uploaded. So yeah. The second part of the story is -- go back. Another fail.
>> Fail!
>> Drink!
>> ERIC ROBI: Which one do I drink from?
>> MICHAEL PERKLIN: Good answer.
>> ERIC ROBI: The second part of the case, the opposing attorney, the guy representing the thief, handed us a CD with an Outlook PST on it. This is part of the discovery process. Discovery is a legal term in litigation where both sides are able to exchange evidence. In fact, they have, they are compelled to exchange evidence through the rules of the court. He gives us a CD. It has an Outlook PST on it. First thing we do, there's not a lot of files in there and the first thing we do, we want to recover the deleted e-mails in a PST.
We're forensic analysts and that's what we like doing, looking at people's e-mails. I'll show you the old school way of recovering deleted e-mails. You use a hex editor, crack open the PST and change bytes seven through 13, change them to zeros. Save the file. Then you use the Outlook repair tool built into Microsoft Outlook. And you basically repair the tool -- sorry, repair the PST and what happens? You get a lot of e-mails back. These are not the actual e-mails, but you get tons and tons of e-mails back. In this case, we got tens of thousands of deleted e-mails. What was in these e-mails? Everything that completely turned the case around. Not only did we have this guy with all the uploads on the spreadsheets. We also had all the e-mails about who was involved. What lists he took. Who are the, you know, all the people that were involved. We were winning. We went to Charlie Sheen mode all of a sudden. And the funny thing is, we were able to take all this information and use it at a deposition. If you don't know what a deposition is, we get to ask questions of the opposing party. We are asking them, what happened? Did you guys steal anything? Did you take anything? No, no, no. We start pulling out these e-mails one by one by one. The guy turns white as a sheet. And he spills the beans. And basically, you know, we do pretty well. Who deleted the mails, do you think, in this case? Hmm?
>> MICHAEL PERKLIN: Call it out if you think you know.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: Wow, people got it almost immediately.
>> ERIC ROBI: They hired Saul Goodman, unfortunately. And yeah, he deleted the mails. Not a good thing. Not a good thing. What have we learned?
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: The question is, did he claim privilege on the e-mails?
>> ERIC ROBI: He claimed privilege on some of them, but not all of the 10,000 that he deleted. IE history is difficult to wipe. It seems to leave stuff behind.
We learned a new file type, the Java file type, JavaScript files can give us love, too. We like them. And uploading files still leaves traces. So attorneys shouldn't mess with evidence. It's against the ethical rules in every state and probably every Canadian province and can get you disbarred.
>> AUDIENCE: Did they in this case?
>> Let's look at the fail matrix.
>> ERIC ROBI: User retard level is damn high on this one. Fails on the attorney's part and also on the ex-sales guy. Huge lawsuit. Three and a half million dollars in fees and damages. (Whistling.)
>> ERIC ROBI: Which our client all got back basically, and 15 bonus points. The attorney might lose his license on this one. He hasn't yet. We don't track that kind of stuff. (Buzzer.)
>> ERIC ROBI: Fifty-one, we're moving up. You ready?
>> MICHAEL PERKLIN: Oh, right.
>> Fail!
>> Drink!
>> MICHAEL PERKLIN: All right. Let's do this shit.
>> ERIC ROBI: That's winning.
>> MICHAEL PERKLIN: This next case is probably one of the most fun cases I've worked on. From the start I could tell that something -- it was going to be a fun one. The RDP bounce. You'll see why. I was called in to investigate a network breach. The company shared information with us that was evidence that at least one computer had been breached. They didn't know why. They didn't know what. Asked us to investigate and to tell them why and what. It was a large company. They had a lot of computers, all of them were Windows based. Thousands upon thousands of computers in offices all across the world and in one of their offices they noticed this computer had been breached. So let's figure out what happened. So we move in. And actually I think I'm going to pause here for two seconds. Eric, is this your first time presenting at DEF CON?
>> ERIC ROBI: Yes, it is. (Laughter.)
>> MICHAEL PERKLIN: Okay. (Applause.)
>> MICHAEL PERKLIN: We don't even have to say anything anymore. You guys know exactly what is going on.
>> ERIC ROBI: Uh-oh.
>> MICHAEL PERKLIN: I want to know, is Sarah in the room?
>> Show yourself!
>> Which Sarah? Narrow it down? (Overlapping speakers.)
>> MICHAEL PERKLIN: Is your name Sarah?
>> Bend over. (Laughter.)
>> We are just going to leave now.
>> You are the ugliest Sarah ever.
>> Fail! Another soldier bites the dust. Winning! (Laughter.)
>> Stop that.
>> The path to recovery is --
>> Paul, there's some issue about the sound person?
>> No. Sarah is supposed to be the sound person.
>> Sarah is right here. You are talking about me, right?
>> I appreciate that, Sarah, but we're looking for a different person.
>> Since she is not here, Sarah, would you come up?
>> Come up. You're the next contestant on: Will you fail?
>> Thank you.
>> The other Sarah is going to be pissed. You want to go around that way?
>> You already got one. Someone counted wrong!
>> Pass one to Sarah.
>> All right.
>> A double. (Laughter.)
>> Find Sarah --
>> I'm sure all of you want to be Sarah right now.
>> To our new speakers and new attendees! (Applause.)
>> Whew!
>> Uh-oh. How many more talks?
>> Thank you.
>> Two more this hour.
>> MICHAEL PERKLIN: All right. We have 15 minutes left.
>> Is Sarah in the next --
>> MICHAEL PERKLIN: Thank you very much, goons, for doing that. It's Eric's first time at DEF CON. So I was talking about the RDP bounce case that I was investigating. As I mentioned, thousands of computers, various offices all around the world. So we analyzed the one computer that they knew was breached. And it showed that RDP, or Remote Desktop Protocol, was used. This is the tool in Windows that allows you to remotely control another computer. Some logs showed us that RDP was used to connect using the local administrator password to another machine. It also showed that -- actually I said it backwards. RDP was used to connect in and it also showed that RDP was used to connect out. In this diagram I was looking at the middle computer. I didn't know at the time there were other computers.
I was looking at the middle one. It seemed like there were a bunch used in here. It was probably the tip of the iceberg.
>> ERIC ROBI: Where do you find these logs, Michael?
>> MICHAEL PERKLIN: Specifically I was looking at the Windows Event Viewer. Go into the Control Panel and the Administrative Tools. It logs by default a lot of stuff in there, including when RDP is used to connect in and when you're connecting out. So I analyzed that machine that came before it. And same thing. There were logs that showed that somebody was connecting into that. It was basically an entire bounce. Now, these computers were located in different offices all around the world. This guy was bouncing all around the world to do something. So obviously this is a pattern. I still didn't know what he was doing. I just knew that he was clearly going through a lot of trouble to obfuscate his trail, bouncing all around. Probably so that when he does hit his final target there's no direct evidence to where he was coming from.
>> AUDIENCE: Were they sessions within sessions?
>> MICHAEL PERKLIN: Yes, within the remote desktop, he did this over and over. Remote desktop is not the fastest protocol at all. I don't want to speculate how long it took him to do this.
>> ERIC ROBI: Can you imagine how long the screen redraw was by the time you get to machine ten?
>> MICHAEL PERKLIN: Jesus Christ, you have to wait a minute between clicks or something. What was the target? So I think you can all figure out what I do next. Rather than following the trail back, I followed the trail forward. What was he getting? Step after step, computer after computer. Site after site after site all around the world. I finally reached a high profile machine. I wish I could tell you which specific machine it was. I can't because it would give away too much about this company.
>> Prism?
>> ERIC ROBI: Did it have Nickelback on it?
>> MICHAEL PERKLIN: Chalkiest video ever.
I knew what he was going after when I reached that machine. He wanted confidential documents that were only on this one machine in the entire company. He obviously knew that and he wanted to get into the machine to get these documents. I focused the analysis on this target machine, on this special confidential machine, and I wanted to see what did they do? Specifically which files did they take? And it took me only about two minutes as I was analyzing this machine. I identified the attacker immediately. He went all around the world. Finally when I was taking a look at his target, within two minutes I found out who he was.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: He used his own credentials on the machine? No, he didn't use his own credentials on the machine.
>> E-mails to himself?
>> MICHAEL PERKLIN: No.
>> He stole his own file?
>> MICHAEL PERKLIN: No, and he did not check Facebook and no share drives. Why don't I tell you what he did?
>> ERIC ROBI: Michael, what did he do?
>> MICHAEL PERKLIN: Printers. One thing a lot of people don't know about remote desktop: by default it maps the printer connected to your machine to the machine that you are connecting out to. It does this so that when you hit print inside your remote desktop window, your printer next to you is available so you can print a document beside you. This guy didn't print any documents, but just by connecting, the machine automatically mapped his local printer to the target machine, which identified his machine name. He forgot to turn this off. There is a check box in the Remote Desktop window, when you open up the RDP window, to unmap printers. And it's a check box and he did not check it.
>> ERIC ROBI: What have we learned, Michael?
>> MICHAEL PERKLIN: What have we learned? Things logged by the system can give insight into user actions. The system did this automatically. By looking at what the system is doing, you can tell what the user is doing.
For the fail matrix, user retard level would be about a 20 because he went through a lot of trouble to cover his tracks and he did not cover his tracks. Punishment level would be 15. He lost his job. He also lost his references. He can't use that company as a reference anymore. So distress caused would be 8. Bonus points would be 20. Do some research. If you are going to use RDP to pull off a scam, know how RDP works. Adding it all up, we have a fail score of 63. Last story, Eric.
>> ERIC ROBI: All right. So the last story is a little bit different than the others. (Laughter.)
>> ERIC ROBI: This is the epic porno fail. The difference in this one: all together, the cases we have talked about have been commercial litigation, civil litigation, something on this side. This one happens to be a criminal case. From time to time we do criminal defense work. And we work either with public defenders or private attorneys. This is about this kind of situation. So our client, Edgar, has been charged with possession of contraband, aka child porn, on his computer. He claims innocence and I roll my eyes because everybody always claims innocence. 98 percent of these people did it. We examine the computer. We looked at the examiner's report. We looked at the allegations. Let's take a look at them. So they claim Edgar downloaded porn. All right? They claim that Edgar's user account had passwords. This is all documented in the record. They claim that Edgar utilized newsgroups to download porn, like, for real?
>> Who uses newsgroups to download porn? I think they have the -- (Overlapping speakers.)
>> ERIC ROBI: Yeah, newsgroups, right?
>> AUDIENCE: Pregger porn.
>> ERIC ROBI: That guy I would believe. They allege that he downloaded illegal porn. There is one thing to note. Keep this in mind. He left his house in April 2012. His wife kicked him out because of this stuff happening. April 2012. Keep that in mind. So let's look at when we examined the computer. Let's see what we came up with.
First we looked at IE history. As I mentioned before, IE history is able to show you when a file has been opened. This is an actual example; I changed the file name a little bit here. What was the date I just mentioned? >> AUDIENCE: April 2012. >> ERIC ROBI: April 2012. I see some dates here. Are these before or after April 2012? Put up your hand if it's after. Ahh! Yes. So all right. One fail here. Let's look at his peer-to-peer software download folder. In the top there I've got the path where these naughty files were downloaded and it's a pretty typical path. These P to P programs change the name to something long. It's like T-something something something naughty file. I'm looking at the dates here again. Michael, do you have a calendar? >> MICHAEL PERKLIN: Give me a second here. >> ERIC ROBI: When is December? >> MICHAEL PERKLIN: It is after April. Definitely after April. >> ERIC ROBI: Okay, just wanted to check. We need to verify our forensic findings before we publish them. We're verifying. Oops. I think -- >> MICHAEL PERKLIN: Fail! >> ERIC ROBI: Fail. Give me that beer. All right. They also claim that he used Outlook Express. Really, to download porn. Outlook Express. This is 2012, remember, folks. >> MICHAEL PERKLIN: Makes you wonder, did they even analyze this guy's machine? We saw records of P to P, not Outlook Express. >> ERIC ROBI: Outlook Express, all right. In reality, yes, Outlook Express was on the machine, set up with an account called porno lover. Okay? It was set up after Edgar moved out of the house. And only headers were downloaded. No content. >> MICHAEL PERKLIN: What do you mean by headers? >> ERIC ROBI: A header, if you're using Outlook Express, is just the first part of the file. The e-mail is going to have the date, the sender, the receiver, the subject line, maybe the first couple of words. There was no content. There were no photos in there, just headers with, you know, admittedly porno names. Also, let's look at accusation three.
They said his user account had a password. The inference is only Edgar was able to access it because there was a password. Let's look at the password, shall we? Maybe we can zoom in a little bit on this. (Laughter.) >> ERIC ROBI: This is actually a cool utility and it's free. It's LCP. I'll go back to it here. It's a free utility, great for looking and seeing if there are passwords. You can also use it to perform an attack, although it's not very good. All right. So more facts undiscovered by the examiner. The P to P client was used to download porn. The examiner didn't find that. Into a new user account called porno lover. Guess when? After he moved out of the house. So we submitted our report to the prosecutor. Looks like a five-, ten-page report, something like that. The government dropped the charges. Years after they charged this guy, they dropped the charges. This does not ever happen, really. This is the first time. I've done thousands of cases -- well, hundreds of cases, thousands of exams. I don't know how many; it's never happened before. This is after the guy spent a huge amount of money on legal costs. So to do all this, I just want to give a thank you to Rob Lee and SANS -- you know Rob Lee? We used super timeline for this analysis. That's a super piece of -- (Lost audio.) >> MICHAEL PERKLIN: Definitely one of the best pieces of software used. >> ERIC ROBI: So the government interviews Edgar's friend. The friend confesses. The friend did it. The friend was trying to get jiggy with Edgar's wife. (Groans.) >> ERIC ROBI: And he put the porn on the computer. The court clears Edgar's name. They give him a finding of innocence. Rarely happens. I have been to court a couple of times where there have been acquittals, and we didn't go to court on this one, fortunately, but we would have. So what did we learn? Base your conclusions upon actual evidence. Find multiple artifacts backing up your allegations. I don't know where the password thing came from.
Tie it to a person, not just a machine, if possible. Try to use user activity that would tie expected events to a person. Remember, the maximum you can get is 20 in any category. However, I have decided to break the rules a little bit for this one. Examiner ineptness: he gets five bonus points built in right there. Oh, yeah, the guy sued the city for millions of dollars. And you know, there might be a job security issue for somebody in this case. >> MICHAEL PERKLIN: I don't think that examiner is really going to have a job much longer. >> ERIC ROBI: One hundred bonus points because the court finds the suspect innocent. Factually innocent. (Buzzer.) (Music playing.) >> ERIC ROBI: Thank you very much! >> MICHAEL PERKLIN: Thank you, everybody! If you want to do Q&A, we're going over to the Chill-Out Lounge. (The session concluded at 2:45 p.m.)
DEF CON 21 - Eric Robi and Michael Perklin - Forensic Fails: Shift + Delete Won't Help You Here (video posted on 2016/04/14)