ERIC ROBI: Talk is about forensic fails. I'm this guy. Over here. I founded an eDiscovery company a few years ago. I'm a forensic examiner. I've done thousands and thousands of exams. I'm an expert witness in state and federal court and I like cats and my name is Eric Robi.

AUDIENCE: Hi, Eric!

ERIC ROBI: Hi. About this other guy.

MICHAEL PERKLIN: Hi, I'm Michael Perklin. You may remember me from past DEF CONs from ACL Steganography. I'm a forensic examiner, cyber crime investigator, security professional. I've also done thousands of exams. And I like to break things. A lot.

(Chuckles.)

ERIC ROBI: Don't break my cat. All right. So our agenda today. We've got seven amazing stories full of fail. We are going to learn something about forensic techniques. That's what we do. The fails are brought to you by both the suspect and the examiner. We'll get into that in a little bit. The names have been changed to protect the idiots on both sides. We actually changed some of the facts to protect the idiots.
It seemed like a good thing to do, basically. Because fail was not just one-dimensional, we found many dimensions of fail in our research. We decided we need to create a fail matrix.

(Laughter.)

ERIC ROBI: To explain how the fail ... I'm going to explain how the fail matrix works. The first level of fail is the user retard level. Oh, my God, I spelled that wrong!

(Laughter.)

MICHAEL PERKLIN: Drink! Drink! For the record, he was responsible for the keynote presentation. So this is definitely his fail.

ERIC ROBI: This is my fail. I get ten points. So the punishment level depends on what happens. So this particular guy lost the case. Dollars, distress caused, let's give this 15 points. And bonus points are whatever the fuck I feel like doing. His girlfriend left him in this case. So he gets 35 points. Let's get into the first one. This is the "it wasn't me" defense. You may have heard this one before. All right. So we do a lot of commercial litigation. And a really typical kind of case is a trade secrets case. This is a typical example of that.
This guy Bob, he was working in sales at Acme. He resigned his position and decided to go work for a competitor. This happens all the time. And some allegations were made by his employer that he took some trade secrets. He took the customer list with him to his new company. It happens. So Bob says I got nothing to hide. Come at me, bros. He didn't exactly say that, but I'm paraphrasing. We started imaging the drive and planning the examination. One thing we frequently do is we look for deleted files and unallocated space. That's the part of the drive that can typically contain a deleted file. When you hit shift delete and it doesn't go away, it ends up in unallocated space. We look for stuff there. Something we do, we look for recently used files by common programs, by Word, Excel, Acrobat and so forth, and USB device insertion. We look to see how trade secrets got from Acme to the new company. The drive finished imaging and I'll share something really cool today, DEF CON exclusive, worldwide premiere, we found a new wiping pattern.

(Laughter.) (Cheers and applause.)
ERIC ROBI: This is actually real. I'm not making this up. This is real. So Bob apparently had used some kind of data destruction program that can overwrite every bit of space, unallocated space. He used a pattern that, however, was not really commonly used by Windows or any other utilities I've seen. Might have been something custom. So you know, I thought: Hmm, this might suggest something bad was happening here. Let's maybe take another closer look at this.

(Chuckles.)

ERIC ROBI: We are going to zoom in on this and look at this on a molecular level now.

(Applause.) (Laughter.)

ERIC ROBI: I think we need to zoom in a little bit more.

(Laughter.)

ERIC ROBI: So what have we learned? I admit the first part, there was no Sarah Palin in this case. Data destruction can almost always be detected. Even if you don't use a repeating pattern, it's detectable. We see it all the time. Artifacts can be left behind that are part of the pattern. We might not know what you destroyed, but we'll know you destroyed something. Oops. This is the mic. There you go.
And all of a sudden it doesn't work very well. Mean phrases make people dislike you.

MICHAEL PERKLIN: What about the fail matrix?

ERIC ROBI: We have to do the fail matrix. Da da da. 12. Pretty retarded, I think. The guy lost the case. He got sued. Under $100,000. So not a huge amount of economic distress. I didn't give him any bonus points here. It just wasn't that good. He gets 27.

MICHAEL PERKLIN: I think I'll do --

ERIC ROBI: It's already a fail.

(Laughter.)

MICHAEL PERKLIN: I think we can blame that guy who gave me the beer. All right. So this case is a lot of fun. I didn't expect it to be fun when it started out. It ended up being a lot of fun. I call it the Nickel Back guy. You'll see why in a second. Another case of stolen confidential documents. This guy, let's call him John. He left one company to go work for a direct competitor. And his old company hired us to go in and take a look at his --

ERIC ROBI: Can we get audio for this? By the way, we need audio for this segment.
Turn it on?

MICHAEL PERKLIN: So the company where he left, they asked us to take a look at his work computer to look for signs of data exfiltration. Well, he worked on a lot of confidential projects and they wanted to make sure that he wasn't taking these confidential projects to the competitor and letting them know what they were doing. So, right. I totally said all that. Why is this not working? There it is. We opened up the hard drive to start the analysis and we started finding all the same stuff that you typically find on a work computer. Work stuff, sure, some evidence of Facebooking. He's got an MP3 collection. He listened to music while he was at work. Typical stuff. We found the confidential documents that we were asked to make sure that he didn't take. So that was to be expected because he did the work on this computer. And almost immediately something jumped out at me. And we will get into why it jumped out at me in a second, but his music collection became very interesting to me.
Not because I love Nickel Back, but because -- well, again, we'll get into that.

ERIC ROBI: That would be fail.

MICHAEL PERKLIN: Yeah. I'm Canadian, too, so I ... yeah, Nickel Back is from Canada.

AUDIENCE: (Speaker away from microphone.)

MICHAEL PERKLIN: Yeah, take a closer look at this photo, something may jump out at you as well. These are MP3s, just songs, but the size of the files is a little bit off.

ERIC ROBI: What's wrong here?

MICHAEL PERKLIN: Extended play Nickel Back. This guy loved the Nickel Back. These are actually AVI files.

AUDIENCE: (Speaker away from microphone.)

MICHAEL PERKLIN: These are AVI files that he just renamed. John assumed nobody would listen to his Nickel Back MP3s. That's a good assumption because nobody would listen to his Nickel Back MP3s. He was hiding something. But what was he hiding?

(Music playing.)

MICHAEL PERKLIN: Pregger porn. This guy was looking at pregger porn. These were full-length feature films of pregnant ladies banging. And they were like, there was a ton of them all over this guy's hard drive.

AUDIENCE: (Speaker away from microphone.)
MICHAEL PERKLIN: We did have to analyze them to see what they were.

(Laughter.)

MICHAEL PERKLIN: But I will say that the specific techniques that we used to analyze, they're trade secrets. I can't tell you how much depth we went into when we were analyzing them. Yeah, seems that John did a lot more than work on his confidential project on that computer. We had to tell the company that over the last three years while he was working there on this confidential project, he was also doing other stuff. They were pretty happy that he left anyway.

(Laughter.)

MICHAEL PERKLIN: All right. What have we learned? Examiners, when we take a look at files on a computer, we don't typically look at it in the nested folder structure. Like we don't have to go into every single subfolder, go back, go to other subfolders, back it out. We have a big long list. It makes it easier to analyze stuff. One of the very first things we always run is File Signature Analysis. This is a special script that looks at the contents of every file and compares what is inside the file with the extension.
If there's any discrepancies, those files are bumped up to the top of the list to be looked at because the system knows if these don't match, something may not be right here and a human should take a look at this. I just said those things and so at the end of the day John's attempt at hiding his pregger porn bumped it up to the top of the list for me to look at. If you're going to hide something, don't just change the file name. That makes me want to look at it even more. So the fail matrix.

(Laughter.)

MICHAEL PERKLIN: The retard level, I would say 12. Again, renaming a file is not data hiding. If you want to hide data, come to my Steg ACL course. The new company where he landed, he lost his job there. Distress caused was zero. Didn't really hurt anybody. What you choose to do on your own time is up to you. Although he chose to do it.

ERIC ROBI: You know what the bonus points are going to be for, don't you?

MICHAEL PERKLIN: There are some bonus points. About a nickel's worth.

(Laughter.) (Loud buzzer.)

MICHAEL PERKLIN: Grand total of 30 fail points.

ERIC ROBI: That is the fail sound. Thank you.
By the way, do you like the font that we're using? Comic Sans. Nobody uses Comic Sans. It's the most underappreciated font in presentations.

MICHAEL PERKLIN: I don't know why we don't see Comic Sans in more presentation settings.

ERIC ROBI: We're bringing it back. Let's look at the "just bill me later" case. Our client, the ABC firm, outsourced a key part of their business. Have been doing it many years. And the part of their business that they are outsourcing is on a time and materials basis. So there's a lot of invoices with hours and rates. And that's basically it. It was several million dollars a year on average that was being billed. Our client started a review project because they thought they were being overbilled. They thought there might be a little inflation and they wanted to figure out why things were looking inflated. They looked at some of the individual bills and thought things were taking a little bit too long. So we came in and we decided to help. So they had thousands and thousands and thousands of PDF format invoices. That's not going to do us a lot of good.
Even if we applied optical character recognition to it, we have unstructured data. I can search a few PDFs, but tens of thousands of them, it's -- you have to do anything with that. We didn't have a lot of clues with this one. Through the magic of court order we were able to go to the customer's database, their network, and get an image of everything in the network including a billing database. Which turned out to be very handy. We made a forensic copy of this database. It was not a -- it was in a proprietary format. In order for us to do forensic analysis in a database we need to get it into something like SQL where we can do standard queries. We migrated over and did standard queries. Looking at it, there's no way to compare the PDFs to the database. We decided to reverse engineer the tables in the database. Sometimes it's easy, but sometimes there are thousands and thousands of tables and when you don't have tech support of developers, you have to figure it out. It's a slow, laborious process. We did figure it out. We noticed that the audit logs were turned on in this, which happened to be particularly useful.
So we ran a lot of queries and versus the time billed versus the audit logs. We found a pattern of inflation going on. Basically when you are billing on time and materials, all you're doing is you've got either hours or you've got a rate. And those are the two things and they inflated.

(Loud noise.)

ERIC ROBI: So these are the two things that you can change there. You can change time. Or you can change the rate. But we found the audit logs were turned off by default and the IT folks, bless the IT folks, they turned the audit logs on, which was helpful because we do a lot of database forensic cases and this is the only one where the audit logs were turned on. We were able to compare basically the amount that was billed at the end of the day versus how many hours were put out up to that point. We were able to see a chronology. Maybe at the end of the day the bill was for $1,000. But we saw it was only $800 actually billed. So the billing person, the database person who basically was working with it, this person would change the hours and the rate sometimes and bump it up. It went from 800 to $1,000 on a typical invoice.
They did this thousands and thousands and thousands of times. So let's look at the fail matrix. So I didn't give the user retard level too many points here because it was a bill administrator. Most people don't know what is going on inside a database, most average people. However, they had to refund the money. So they get 18 points for that.

MICHAEL PERKLIN: Over the last four or five years' worth of money. It was a lot of money.

ERIC ROBI: It was about $12 million actually. They get 15 points.

AUDIENCE: (Speaker away from microphone.)

ERIC ROBI: I wish! And bonus points, hmm, systematic culture of overbilling.

(Noise.)

MICHAEL PERKLIN: They get 45.

ERIC ROBI: Okay. This next one, I call it "smokinggun.txt." If you work in the forensic arena, you probably heard the term the smokinggun.txt. It's the gag name of what you are always looking for in the case. It could be that record in the database. It could be that Internet history record that shows that the guy really did something bad.
It comes from the cheesy western movies where the gun was smoking after he shot someone, and it proves he fired the shot. We say did you find the smoking gun? Yeah, we found the smokinggun.txt. Sometimes I wish it was as easy as finding smokinggun.txt. Another intellectual property case. You have a guy leave one company to go to work for another company. The first company says can you make sure he didn't do stupid shit and we are called in to make sure he didn't do stupid shit. We imaged the drive. Kicked off the analysis script, like the script I told you guys about before. Opened up his desktop folder. I like to open up the desktop folder of every suspect I'm examining. You can tell a lot about what a guy, or a lot about the person when you're looking at the desktop. Did they cram a lot of files in there in an unorganized fashion or is everything neatly packed away into the My Documents folder? Things like that. Are they arranged nicely or all spattered? It tells you a little bit about the person. So you can get a little bit into the mind of who they are. Immediately I solved the case.

MICHAEL PERKLIN: How did you do that?
ERIC ROBI: Well, the smokinggun.txt. It was almost as easy as this.

MICHAEL PERKLIN: A barbecue?

ERIC ROBI: I opened up the desktop folder and I saw this. I'm hoping you can see that in the back. You have a folder on the desktop, the bottom left there. The folder is called Competitive Intelligence.

(Laughter.)

ERIC ROBI: Inside that folder we've got a PowerPoint presentation titled "Project Blue Book." We've got some PDFs. We've got a whole bunch of stuff about this Project Blue Book that this guy was working on from his old company. He was getting ready to deliver this presentation to the executive leadership team of the new company, telling them everything about this confidential project from his old company.

(Groaning.)

ERIC ROBI: He didn't even make it difficult for me. Not only was all that stuff there, he made a PowerPoint presentation describing it and to deliver all the knowledge for this to the LT. Yeah. So I just said that. Did you overbill for that?

MICHAEL PERKLIN: We are not the last client.

ERIC ROBI: All right.

AUDIENCE: (Speaker away from microphone.)
ERIC ROBI: Pardon me?

AUDIENCE: (Speaker away from microphone.)

MICHAEL PERKLIN: I don't even remember. Probably, well, it took 20 minutes. We probably just billed one hour.

ERIC ROBI: Michael, what have we learned in this case?

MICHAEL PERKLIN: Well, we learned that sometimes people don't even try. Fail matrix. User retard level has to be an 18.

AUDIENCE: (Speaker away from microphone.)

MICHAEL PERKLIN: We are saving the higher scores for some of the later stories.

ERIC ROBI: Numbers are going up, you may have noticed.

MICHAEL PERKLIN: So far each one has been going up. He got an 18 for user retard level. If you're going to be doing this, don't leave tracks all over your computer. Sure, if you're going to say they are going to be launching this new thing in August next year, it's one thing to say it to a person. If you put together a whole presentation about the whole thing, that's a fail. Punishment is ten. He had to settle. Obviously in breach of his NDA from the old company and it cost him 1.5 million in damages.
So the distress caused is a six-pointer. Bonus points of 12 for zero effort. This all adds up to the fail matrix score of 46. Next story.

ERIC ROBI: I hope you appreciate these amazing sound effects and video editing that I did.

MICHAEL PERKLIN: Hold on. We need to put the presentation on hold. I have a problem. Which one is which?

ERIC ROBI: That one is mine on the left hand.

MICHAEL PERKLIN: Really, because I want the one with more.

ERIC ROBI: The one with yours is more.

AUDIENCE: (Speaker away from microphone.)

ERIC ROBI: We will be taking questions later. All right. The next one I call hiding in the Cloud. So once again a top sales guy leaves a company and the sales just take a nose dive actually and they think he took the customer list but they can't prove it. They know that there's new customers. They know that there's old customers over at the new company but they can't prove he took the customer list. We image the computer and look for the usual clues. For example, link files are a Windows artifact that show what files have been recently opened.
442 00:22:21,209 --> 00:22:22,999 They are a simple text file and easily parsed and have a lot
443 00:22:22,999 --> 00:22:26,125 of information about the location of the file, the date and the time,
444 00:22:26,125 --> 00:22:28,501 all that kind of good stuff.
445 00:22:28,876 --> 00:22:32,667 We look at a registry key which I love the name of this.
446 00:22:32,667 --> 00:22:34,083 It makes no sense to me at all, but somebody
447 00:22:34,083 --> 00:22:37,250 in Microsoft maybe had a couple of these one day when we
448 00:22:37,250 --> 00:22:38,999 were working.
449 00:22:38,999 --> 00:22:42,334 BagMRU for some reason -- most recently used,
450 00:22:42,334 --> 00:22:44,334 but why bag?
451 00:22:44,334 --> 00:22:47,083 AUDIENCE: (Speaker away from microphone.) ERIC ROBI: You
452 00:22:47,083 --> 00:22:49,876 guys are full of great answers.
453 00:22:49,876 --> 00:22:54,999 MICHAEL PERKLIN: You want to explain why it is named that?
454 00:22:54,999 --> 00:22:56,334 It's still a fucked up name.
455 00:22:58,999 --> 00:23:02,292 ERIC ROBI: It can show what files are inside a folder.
456 00:23:02,375 --> 00:23:05,792 That's what we typically look at in a file exfiltration case.
457 00:23:07,292 --> 00:23:10,709 This is from Vista forward you have jump lists.
458 00:23:11,083 --> 00:23:13,959 MICHAEL PERKLIN: That is a fail.
459 00:23:13,959 --> 00:23:15,375 It should say Vista.
460 00:23:18,334 --> 00:23:21,250 ERIC ROBI: I have to take a drink.
461 00:23:21,250 --> 00:23:24,334 I don't love Vista in there to do it right.
462 00:23:24,334 --> 00:23:28,250 If you have five Word documents open and you click on it, you have the five,
463 00:23:28,250 --> 00:23:31,250 those are jump lists basically.
464 00:23:31,250 --> 00:23:33,083 IE history.
465 00:23:33,083 --> 00:23:34,083 Internet Explorer.
466 00:23:34,083 --> 00:23:36,083 Internet Explorer is so much more than exploring
467 00:23:36,083 --> 00:23:37,959 the Internet.
468 00:23:37,959 --> 00:23:40,667 It records things that you do without your knowledge,
469 00:23:40,667 --> 00:23:42,959 like opening files.
470 00:23:43,250 --> 00:23:45,083 But we are getting no love.
471 00:23:45,417 --> 00:23:46,959 I'm not finding anything.
472 00:23:46,959 --> 00:23:47,999 Show me the love, baby.
473 00:23:48,125 --> 00:23:49,375 He's having a beer.
474 00:23:49,501 --> 00:23:54,209 So we search the IE history and we found a .JVM file pointing
475 00:23:54,209 --> 00:23:56,918 to files anywhere.
476 00:23:56,918 --> 00:23:58,709 Who is familiar with that site?
477 00:23:58,709 --> 00:24:00,918 It's very much like Dropbox.
478 00:24:01,083 --> 00:24:03,959 The same kind of concept but more for business users.
479 00:24:03,959 --> 00:24:07,876 It has a lot of really great auditing, logging, stuff like that.
480 00:24:07,876 --> 00:24:11,999 If you're uploading and downloading files, you can monitor and track them.
481 00:24:11,999 --> 00:24:14,459 That turned out to be a nice thing.
482 00:24:14,459 --> 00:24:17,083 Typically that's only in the user control file best
483 00:24:17,083 --> 00:24:22,250 of your recollection we found an HTM file and we solved the case.
484 00:24:22,250 --> 00:24:23,250 Bingo!
485 00:24:23,250 --> 00:24:25,999 ERIC ROBI: Timing fail, I'm sorry.
486 00:24:26,083 --> 00:24:28,083 Drink!
487 00:24:28,334 --> 00:24:30,292 Drink!
488 00:24:30,584 --> 00:24:34,918 ERIC ROBI: Bingo, we solved the case.
489 00:24:35,125 --> 00:24:36,125 All right.
490 00:24:36,125 --> 00:24:38,834 So what we got was the account ID, the upload times,
491 00:24:38,834 --> 00:24:41,751 the file names, everything.
492 00:24:41,751 --> 00:24:42,999 We got some sweet loving.
493 00:24:42,999 --> 00:24:44,626 We got stolen files.
494 00:24:44,626 --> 00:24:47,083 Let's look at JavaScript here.
495 00:24:47,584 --> 00:24:49,417 I changed the names of the file.
496 00:24:50,167 --> 00:24:55,459 We have recipe for Coke, minor trade secrets.
497 00:24:55,667 --> 00:24:58,083 The user is the user account name.
498 00:24:58,083 --> 00:25:00,083 So we were able to subpoena that from files anywhere and figure
499 00:25:00,083 --> 00:25:02,834 out who actually registered the account.
500 00:25:02,834 --> 00:25:04,999 There is the folder that it was in.
501 00:25:05,417 --> 00:25:08,999 And this is really handy here, the date that it was uploaded.
502 00:25:09,209 --> 00:25:11,584 And we got a whole bunch of these.
503 00:25:11,584 --> 00:25:16,999 In fact this is the first page of an 80-page Excel report I prepared.
504 00:25:16,999 --> 00:25:19,542 These are all the file names that this guy uploaded.
505 00:25:22,999 --> 00:25:24,167 So yeah.
506 00:25:24,167 --> 00:25:26,542 The second part of the story is -- go back.
507 00:25:26,542 --> 00:25:27,542 Another fail.
508 00:25:27,542 --> 00:25:28,542 Fail!
509 00:25:28,542 --> 00:25:29,542 Drink!
510 00:25:29,542 --> 00:25:33,876 ERIC ROBI: Which one do I drink from?
511 00:25:33,959 --> 00:25:35,876 MICHAEL PERKLIN: Good answer.
512 00:25:35,999 --> 00:25:39,125 ERIC ROBI: The second part of the case, the opposing attorney,
513 00:25:39,125 --> 00:25:42,584 the guy representing the thief handed us an Outlook CD,
514 00:25:42,584 --> 00:25:44,667 Outlook PST on it.
515 00:25:44,667 --> 00:25:46,542 This is part of the discovery process.
516 00:25:46,542 --> 00:25:51,334 Discovery is a legal term in litigation where both sides are able
517 00:25:51,334 --> 00:25:54,083 to exchange evidence.
518 00:25:54,083 --> 00:25:55,417 In fact, they have, they are compelled to exchange evidence
519 00:25:55,417 --> 00:25:57,626 through the rules of the court.
520 00:25:57,751 --> 00:25:59,125 He gives us a CD.
521 00:25:59,709 --> 00:26:02,999 It has Outlook and Outlook PST on it.
522 00:26:03,083 --> 00:26:05,999 First thing we do, there's not a lot of files in there and
523 00:26:05,999 --> 00:26:11,167 the first thing we do, we want to recover the deleted e-mails in a PST.
524 00:26:11,250 --> 00:26:14,125 We're forensic analysts and that's what we like doing, looking
525 00:26:14,125 --> 00:26:16,250 at people's e-mails.
526 00:26:17,292 --> 00:26:22,999 I'll show you the old school way of recovering deleted e-mails.
527 00:26:22,999 --> 00:26:26,999 You use a hex editor, crack open the PST and exchange bytes seven
528 00:26:26,999 --> 00:26:30,501 through 13, change them to zeros.
529 00:26:30,501 --> 00:26:31,959 Save the file.
530 00:26:32,250 --> 00:26:34,125 Then you use the Outlook repair tool built
531 00:26:34,125 --> 00:26:36,209 in with Microsoft.
532 00:26:36,334 --> 00:26:40,417 And you basically repair the tool -- sorry, repair the PST
533 00:26:40,417 --> 00:26:42,834 and what happens?
534 00:26:42,834 --> 00:26:45,459 You get a lot of e-mails back.
535 00:26:45,459 --> 00:26:47,083 These are not the actual e-mails, but you get tons and tons
536 00:26:47,083 --> 00:26:48,834 of e-mails back.
537 00:26:48,876 --> 00:26:54,501 In this case, we got tens of thousands of deleted e-mails.
538 00:26:54,667 --> 00:26:56,083 What was in these e-mails?
539 00:26:56,083 --> 00:26:59,083 Everything that completely turned the case around.
540 00:26:59,083 --> 00:27:00,667 Not only did we have this guy with all the uploads
541 00:27:00,667 --> 00:27:02,626 on the spreadsheets.
542 00:27:02,999 --> 00:27:06,375 We also had all the e-mails about who was involved.
543 00:27:06,375 --> 00:27:07,999 What lists he took.
544 00:27:07,999 --> 00:27:10,918 Who are the, you know, all the people that were involved.
545 00:27:11,167 --> 00:27:12,792 We were winning.
546 00:27:12,792 --> 00:27:14,999 We went to Charlie Sheen mode all of a sudden.
547 00:27:16,083 --> 00:27:20,334 And the funny thing is, we were able to take all this information and
548 00:27:20,334 --> 00:27:22,292 at a deposition.
549 00:27:22,292 --> 00:27:24,375 If you don't know what a deposition is, we get to ask questions
550 00:27:24,375 --> 00:27:26,375 of the opposing party.
551 00:27:26,459 --> 00:27:28,959 We are asking them, what happened?
552 00:27:28,999 --> 00:27:30,918 Did you guys steal anything?
553 00:27:30,918 --> 00:27:31,999 Did you take anything?
554 00:27:31,999 --> 00:27:32,999 No, no, no.
555 00:27:32,999 --> 00:27:37,459 We start pulling out these e-mails one by one by one.
556 00:27:37,459 --> 00:27:38,999 The guy turns white as a sheet.
557 00:27:38,999 --> 00:27:41,751 And he spills the beans.
558 00:27:41,918 --> 00:27:45,792 And basically, you know, we do pretty well.
559 00:27:45,792 --> 00:27:48,125 Who deleted the mails, do you think in this case?
560 00:27:48,125 --> 00:27:49,125 Hmm?
561 00:27:49,125 --> 00:27:51,999 MICHAEL PERKLIN: Call it out if you think you know.
562 00:27:51,999 --> 00:27:52,083 AUDIENCE: (Speaker away from microphone.) MICHAEL
563 00:27:52,083 --> 00:27:54,626 PERKLIN: Wow, people got it almost immediately.
564 00:27:59,999 --> 00:28:03,999 ERIC ROBI: They hired Saul Goodman, unfortunately.
565 00:28:05,167 --> 00:28:09,459 And yeah, he deleted the mails.
566 00:28:09,999 --> 00:28:11,167 Not a good thing.
567 00:28:11,167 --> 00:28:12,167 Not a good thing.
568 00:28:12,167 --> 00:28:13,250 What have we learned?
569 00:28:13,250 --> 00:28:15,999 AUDIENCE: (Speaker away from microphone.) MICHAEL
570 00:28:15,999 --> 00:28:21,542 PERKLIN: The question is, did he claim privilege on the e-mails?
571 00:28:21,542 --> 00:28:23,792 ERIC ROBI: He claimed privilege on some of them, but not
572 00:28:23,792 --> 00:28:26,626 all of the 10,000 that he deleted.
573 00:28:27,167 --> 00:28:30,834 IE history is difficult to wipe.
574 00:28:31,083 --> 00:28:33,501 It seems to leave stuff behind.
575 00:28:37,999 --> 00:28:41,125 We learned a new file type, the Java file type,
576 00:28:41,125 --> 00:28:44,999 JavaScript files can give us love, too.
577 00:28:44,999 --> 00:28:45,999 We like them.
578 00:28:45,999 --> 00:28:48,667 And uploading files still leaves traces.
579 00:28:48,667 --> 00:28:51,334 So attorneys shouldn't mess with evidence.
580 00:28:51,334 --> 00:28:53,417 It's against the ethical rules in every state and probably every
581 00:28:53,417 --> 00:28:56,501 Canadian province and can get you disbarred.
582 00:28:56,501 --> 00:28:58,542 AUDIENCE: Did they in this case?
583 00:28:58,709 --> 00:29:00,667 Let's look at the fail matrix.
584 00:29:02,083 --> 00:29:06,125 ERIC ROBI: User retard level is damn high on this one.
585 00:29:06,125 --> 00:29:10,125 Fails on the attorney's part and also on the ex-sales guy.
586 00:29:10,209 --> 00:29:11,999 Huge lawsuit.
587 00:29:11,999 --> 00:29:15,999 Three and a half million dollars in fees and damages.
588 00:29:15,999 --> 00:29:20,334 (Whistling.) ERIC ROBI: Which our client all got back basically
589 00:29:20,334 --> 00:29:22,959 and 15 bonus points.
590 00:29:22,959 --> 00:29:25,292 The attorney might lose his license on this one.
591 00:29:25,292 --> 00:29:26,292 He hasn't yet.
592 00:29:26,292 --> 00:29:27,999 We don't track that kind of stuff.
593 00:29:27,999 --> 00:29:30,999 (Buzzer.) ERIC ROBI: Fifty-one, we're moving up.
594 00:29:33,375 --> 00:29:34,834 You ready?
595 00:29:34,834 --> 00:29:36,292 MICHAEL PERKLIN: Oh, right.
596 00:29:36,292 --> 00:29:37,292 Fail!
597 00:29:37,292 --> 00:29:38,292 Drink!
598 00:29:38,292 --> 00:29:39,959 MICHAEL PERKLIN: All right.
599 00:29:47,584 --> 00:29:49,125 Let's do this shit.
600 00:29:49,125 --> 00:29:50,751 ERIC ROBI: That's winning.
601 00:29:50,751 --> 00:29:51,834 MICHAEL PERKLIN: This next case is probably one
602 00:29:51,834 --> 00:29:54,959 of the most fun cases I've worked on.
603 00:29:55,292 --> 00:29:57,209 From the start I could tell that something -- it
604 00:29:57,209 --> 00:29:59,584 was going to be a fun one.
605 00:29:59,751 --> 00:30:01,000 The RDP bounce.
606 00:30:01,000 --> 00:30:02,000 You'll see why.
607 00:30:02,250 --> 00:30:05,083 I was called in to investigate a network breach.
608 00:30:05,417 --> 00:30:08,334 The company shared information with us that was evidence that
609 00:30:08,334 --> 00:30:11,626 at least one computer had been breached.
610 00:30:11,626 --> 00:30:13,125 They didn't know why.
611 00:30:13,125 --> 00:30:14,292 They didn't know what.
612 00:30:14,292 --> 00:30:16,999 Asked us to investigate and to tell them why and what.
613 00:30:17,999 --> 00:30:20,459 It was a large company.
614 00:30:20,459 --> 00:30:24,959 They had a lot of computers, all of them were Windows based.
615 00:30:24,999 --> 00:30:27,584 Thousands upon thousands of computers in offices
616 00:30:27,584 --> 00:30:30,709 all across the world and in one of their offices
617 00:30:30,709 --> 00:30:34,584 they noticed this computer had been breached.
618 00:30:34,584 --> 00:30:37,334 So let's figure out what happened.
619 00:30:37,542 --> 00:30:38,709 So we move in.
620 00:30:38,709 --> 00:30:42,918 And actually I think I'm going to pause here for two seconds.
621 00:30:42,999 --> 00:30:46,083 Eric, is this your first time presenting at DEF CON?
622 00:30:46,083 --> 00:30:47,334 ERIC ROBI: Yes, it is.
623 00:30:47,334 --> 00:30:49,375 (Laughter.) MICHAEL PERKLIN: Okay.
624 00:30:55,876 --> 00:30:57,959 (Applause.) MICHAEL PERKLIN: We don't even have
625 00:30:57,959 --> 00:30:59,918 to say anything anymore.
626 00:30:59,918 --> 00:31:01,876 You guys know exactly what is going on.
627 00:31:01,876 --> 00:31:02,918 ERIC ROBI: Uh-oh.
628 00:31:02,999 --> 00:31:08,999 MICHAEL PERKLIN: I want to know, is Sarah in the room?
629 00:31:08,999 --> 00:31:09,999 Show yourself!
630 00:31:09,999 --> 00:31:10,999 Which Sarah?
631 00:31:10,999 --> 00:31:13,626 Narrow it down?
632 00:31:13,999 --> 00:31:19,999 (Overlapping speakers.) MICHAEL PERKLIN: Is your name Sarah?
633 00:31:21,417 --> 00:31:22,999 Bend over.
634 00:31:22,999 --> 00:31:26,375 (Laughter.) We are just going to leave now.
635 00:31:26,375 --> 00:31:28,083 You are the ugliest Sarah ever.
636 00:31:28,292 --> 00:31:30,501 Fail!
637 00:31:31,999 --> 00:31:34,584 Another soldier bites the dust.
638 00:31:36,626 --> 00:31:37,999 Winning!
639 00:31:39,999 --> 00:31:44,083 (Laughter.) Stop that.
640 00:31:44,083 --> 00:31:47,083 The path to recovery is -- Paul, there's some issue
641 00:31:47,083 --> 00:31:49,709 about the sound person?
642 00:31:50,876 --> 00:31:52,584 No.
643 00:31:52,751 --> 00:31:54,876 Sarah is supposed to be the sound person.
644 00:31:54,876 --> 00:31:55,999 Sarah is right here.
645 00:31:56,375 --> 00:31:57,999 You are talking about me, right?
646 00:31:57,999 --> 00:32:01,959 I appreciate that, Sarah, but we're looking for a different person.
647 00:32:01,959 --> 00:32:04,334 Since she is not here, Sarah, would you come up?
648 00:32:04,334 --> 00:32:05,334 Come up.
649 00:32:05,334 --> 00:32:07,751 You're the next contestant on: Will you fail?
650 00:32:17,167 --> 00:32:18,999 Thank you.
651 00:32:19,292 --> 00:32:22,334 The other Sarah is going to be pissed.
652 00:32:22,334 --> 00:32:27,626 You want to go around that way?
653 00:32:27,626 --> 00:32:28,792 You already got one.
654 00:32:28,792 --> 00:32:29,999 Someone counted wrong!
655 00:32:29,999 --> 00:32:30,999 Pass one to Sarah.
656 00:32:30,999 --> 00:32:31,999 All right.
657 00:32:31,999 --> 00:32:32,999 A double.
658 00:32:32,999 --> 00:32:36,876 (Laughter.) Find Sarah -- I'm sure all of you want to be Sarah right now.
659 00:32:36,876 --> 00:32:39,999 To our new speakers and new attendees!
660 00:32:43,999 --> 00:32:45,999 (Applause.) Whew!
661 00:32:49,999 --> 00:32:51,626 Uh-oh.
662 00:32:51,626 --> 00:32:52,626 How many more talks?
663 00:32:52,626 --> 00:32:53,626 Thank you.
664 00:32:53,626 --> 00:32:55,083 Two more this hour.
665 00:32:55,083 --> 00:32:57,083 MICHAEL PERKLIN: All right.
666 00:32:57,083 --> 00:32:58,834 We have 15 minutes left.
667 00:32:58,834 --> 00:33:00,999 Is Sarah in the next -- MICHAEL PERKLIN:
668 00:33:00,999 --> 00:33:04,959 Thank you very much, goons, for doing that.
669 00:33:04,959 --> 00:33:07,083 It's Eric's first time at DEF CON.
670 00:33:10,999 --> 00:33:13,999 So I was talking with the RDP bounce case that I
671 00:33:13,999 --> 00:33:16,083 was investigating.
672 00:33:16,083 --> 00:33:19,918 As I mentioned, thousands of computers, various offices
673 00:33:19,918 --> 00:33:22,584 all around the world.
674 00:33:22,667 --> 00:33:23,999 So we analyze the one computer that
675 00:33:23,999 --> 00:33:25,959 they knew was breached.
676 00:33:25,959 --> 00:33:30,083 And it showed that RDP or remote desktop protocol.
677 00:33:30,083 --> 00:33:31,542 This is the tool in Windows that allows you
678 00:33:31,542 --> 00:33:34,626 to remotely control another computer.
679 00:33:34,626 --> 00:33:38,125 Some logs showed us that RDP was used to connect using
680 00:33:38,125 --> 00:33:42,709 the local administrator password to another machine.
681 00:33:42,999 --> 00:33:47,999 It also showed that -- actually I said it backwards.
682 00:33:47,999 --> 00:33:49,999 RDP was used to connect in and also showed that RDP was used
683 00:33:49,999 --> 00:33:51,751 to connect out.
684 00:33:51,876 --> 00:33:55,999 In this diagram I was looking at the middle computer.
685 00:33:55,999 --> 00:33:58,834 I didn't know at the time there were other computers.
686 00:33:58,834 --> 00:34:00,250 I was looking at the middle one.
687 00:34:00,250 --> 00:34:02,999 It seemed like there were a bunch used in here.
688 00:34:03,417 --> 00:34:05,999 It was probably the tip of the iceberg.
689 00:34:06,417 --> 00:34:09,083 ERIC ROBI: Where do you find these logs, Michael?
690 00:34:09,083 --> 00:34:09,459 MICHAEL PERKLIN: Specifically I was looking
691 00:34:09,459 --> 00:34:11,876 at the Windows event viewer.
692 00:34:12,626 --> 00:34:15,834 Go into the control panel and the administrator tools.
693 00:34:16,083 --> 00:34:19,999 It logs by default a lot of stuff in there including when RDP is used
694 00:34:19,999 --> 00:34:23,918 to connect in and when you're connecting out.
695 00:34:24,209 --> 00:34:28,626 So I analyzed that machine that came before it.
696 00:34:28,626 --> 00:34:29,751 And same thing.
697 00:34:29,834 --> 00:34:34,417 There were logs that showed that somebody was connecting into that.
698 00:34:34,417 --> 00:34:36,999 It was basically an entire bounce.
699 00:34:36,999 --> 00:34:41,459 Now, these computers were located in different offices all around the world.
700 00:34:41,459 --> 00:34:45,751 This guy was bouncing all around the world to do something.
701 00:34:45,751 --> 00:34:47,709 So obviously this is a pattern.
702 00:34:47,709 --> 00:34:49,834 I still didn't know what he was doing.
703 00:34:49,834 --> 00:34:52,209 I just knew that he was clearly going through a lot
704 00:34:52,209 --> 00:34:56,918 of trouble to obfuscate his trail, bouncing all around.
705 00:34:56,918 --> 00:34:59,918 Probably so that when he does hit his final target there's no
706 00:34:59,918 --> 00:35:03,375 direct evidence to where he was coming from.
707 00:35:04,918 --> 00:35:08,209 AUDIENCE: Were they sessions within sessions?
708 00:35:09,125 --> 00:35:12,292 MICHAEL PERKLIN: Yes, within the remote desktop,
709 00:35:12,292 --> 00:35:14,999 he did this over and over.
710 00:35:15,584 --> 00:35:18,999 Remote desktop is not the fastest protocol at all.
711 00:35:19,209 --> 00:35:22,083 I don't want to speculate how long it took him
712 00:35:22,083 --> 00:35:23,959 to do this.
713 00:35:23,959 --> 00:35:26,292 ERIC ROBI: Can you imagine how long the screen redraw was
714 00:35:26,292 --> 00:35:29,167 by the time you get to machine ten?
715 00:35:29,167 --> 00:35:31,542 MICHAEL PERKLIN: Jesus Christ, you have to click a minute
716 00:35:31,542 --> 00:35:33,999 between clicks or something.
717 00:35:35,751 --> 00:35:37,375 What was the target?
718 00:35:37,375 --> 00:35:41,334 So I think you can all figure out what I do next.
719 00:35:41,334 --> 00:35:44,918 Rather than following the trail back, I followed the trail forward.
720 00:35:44,918 --> 00:35:45,959 What was he getting?
721 00:35:46,083 --> 00:35:48,999 Step after step, computer after computer.
722 00:35:48,999 --> 00:35:51,918 Site after site after site all around the world.
723 00:35:52,083 --> 00:35:54,417 I finally reached a high profile machine.
724 00:35:54,584 --> 00:35:58,209 I wish I could tell you which specific machine it was.
725 00:35:58,417 --> 00:36:03,292 I can't because it would give away too much about this company.
726 00:36:03,292 --> 00:36:04,292 Prism?
727 00:36:04,334 --> 00:36:08,292 ERIC ROBI: Did it have Nickelback on it?
728 00:36:08,292 --> 00:36:12,375 MICHAEL PERKLIN: Chalkiest video ever.
729 00:36:14,375 --> 00:36:18,918 I knew what he was going after when I reached that machine.
730 00:36:18,918 --> 00:36:20,709 He wanted confidential documents that were only on this one machine
731 00:36:20,709 --> 00:36:22,626 in the entire company.
732 00:36:22,999 --> 00:36:25,542 He obviously knew that and he wanted to get into the machine
733 00:36:25,542 --> 00:36:27,542 to get these documents.
734 00:36:28,083 --> 00:36:30,999 I focused the analysis on this target machine,
735 00:36:30,999 --> 00:36:36,501 on this special confidential machine and I wanted to see what did they do?
736 00:36:36,501 --> 00:36:38,584 Specifically which files did they take?
737 00:36:38,999 --> 00:36:42,459 And it took me only about two minutes.
738 00:36:42,459 --> 00:36:44,667 As I was analyzing this machine.
739 00:36:44,667 --> 00:36:47,209 I identified the attacker immediately.
740 00:36:47,334 --> 00:36:49,334 He went through all around the world.
741 00:36:49,334 --> 00:36:51,083 Finally when I was taking a look at his target,
742 00:36:51,083 --> 00:36:54,125 within two minutes I found out who he was.
743 00:36:54,125 --> 00:36:56,083 AUDIENCE: (Speaker away from microphone.) MICHAEL
744 00:36:56,083 --> 00:36:59,584 PERKLIN: He used his own credentials on the machine?
745 00:36:59,584 --> 00:37:02,209 No, he didn't use his own credentials on the machine.
746 00:37:02,209 --> 00:37:03,375 E-mails to himself?
747 00:37:03,375 --> 00:37:05,918 MICHAEL PERKLIN: No.
748 00:37:06,083 --> 00:37:08,209 He stole his own file?
749 00:37:08,209 --> 00:37:11,459 MICHAEL PERKLIN: No, and he did not check Facebook
750 00:37:11,459 --> 00:37:13,999 and no share drives.
751 00:37:13,999 --> 00:37:15,501 Why don't I tell you what he did?
752 00:37:15,501 --> 00:37:18,959 ERIC ROBI: Michael, what did he do?
753 00:37:18,959 --> 00:37:21,083 MICHAEL PERKLIN: Printers.
754 00:37:24,918 --> 00:37:26,999 One thing a lot of people don't know
755 00:37:26,999 --> 00:37:29,209 about remote desktop, by default it maps
756 00:37:29,209 --> 00:37:31,417 the printer connected to your machine
757 00:37:31,417 --> 00:37:35,083 to the machine that you are connecting out to.
758 00:37:35,083 --> 00:37:38,292 It does this so that when you hit print inside your remote desktop window
759 00:37:38,292 --> 00:37:41,167 your printer next to you is available so you can print
760 00:37:41,167 --> 00:37:43,501 a document besides you.
761 00:37:43,501 --> 00:37:47,709 This guy didn't print any documents but just by connecting
762 00:37:47,709 --> 00:37:53,584 the machine automatically mapped his local printer to the target machine,
763 00:37:53,584 --> 00:37:57,250 which identified his machine name.
764 00:37:57,584 --> 00:37:59,083 He forgot to turn this off.
765 00:37:59,501 --> 00:38:02,334 There is a check box in remote desktop protocol when you
766 00:38:02,334 --> 00:38:06,876 open up the RDP window, unmap printers to unmap printers.
767 00:38:06,876 --> 00:38:10,083 And it's a check box and he did not map it.
768 00:38:10,083 --> 00:38:15,083 ERIC ROBI: What have we learned, Michael?
769 00:38:15,083 --> 00:38:17,292 MICHAEL PERKLIN: What have we learned?
770 00:38:19,584 --> 00:38:22,417 Documents logged by inside -- can give insight
771 00:38:22,417 --> 00:38:24,584 into user actions.
772 00:38:25,834 --> 00:38:27,999 The system did this automatically.
773 00:38:28,501 --> 00:38:30,918 By looking at what the system is doing you can tell what
774 00:38:30,918 --> 00:38:32,918 the user is doing.
775 00:38:32,999 --> 00:38:35,876 For the fail matrix, user retard level would be
776 00:38:35,876 --> 00:38:38,959 about a 20 because he went through a lot of trouble
777 00:38:38,959 --> 00:38:42,999 to cover his tracks and he did not cover his tracks.
778 00:38:43,083 --> 00:38:45,083 Punishment level would be 15.
779 00:38:45,083 --> 00:38:46,083 He lost his job.
780 00:38:46,083 --> 00:38:48,083 He also lost his references.
781 00:38:48,167 --> 00:38:51,292 He can't use that company as a reference anymore.
782 00:38:51,792 --> 00:38:54,167 So distress caused would be 8.
783 00:38:54,167 --> 00:38:56,083 Bonus points would be 20.
784 00:38:56,083 --> 00:38:57,209 Do some research.
785 00:38:57,209 --> 00:39:02,334 If you are going to use RDP to pull off a scam, know how RDP works.
786 00:39:02,626 --> 00:39:08,999 Adding it all up, we have a fail score of 63.
787 00:39:08,999 --> 00:39:10,292 Last story, Eric.
788 00:39:10,292 --> 00:39:13,417 ERIC ROBI: All right.
789 00:39:13,417 --> 00:39:16,417 So the last story is a little bit different than the others.
790 00:39:16,417 --> 00:39:21,792 (Laughter.) ERIC ROBI: This is the epic porno fail.
791 00:39:21,792 --> 00:39:22,959 The difference in this one, all together
792 00:39:22,959 --> 00:39:26,083 the cases we have talked about have been commercial litigation,
793 00:39:26,083 --> 00:39:29,167 civil litigation, something on this side.
794 00:39:29,167 --> 00:39:31,125 This one happens to be a criminal case.
795 00:39:31,709 --> 00:39:33,999 From time to time we do criminal defense work.
796 00:39:34,083 --> 00:39:35,999 And we work either with Public Defenders
797 00:39:35,999 --> 00:39:37,999 or private attorneys.
798 00:39:37,999 --> 00:39:40,209 This is about this kind of situation.
799 00:39:40,209 --> 00:39:42,751 So our client, Edgar, has been charged with possession
800 00:39:42,751 --> 00:39:46,334 of contraband, aka child porn on his computer.
801 00:39:48,083 --> 00:39:51,834 He claims innocence and I roll my eyes because everybody always
802 00:39:51,834 --> 00:39:53,834 claims innocence.
803 00:39:54,083 --> 00:39:57,083 98 percent of these people did it.
804 00:39:57,999 --> 00:39:59,999 We examine the computer.
805 00:40:00,000 --> 00:40:01,918 We looked at the examiner's report.
806 00:40:01,918 --> 00:40:03,292 We looked at the allegations.
807 00:40:03,292 --> 00:40:04,626 Let's take a look at them.
808 00:40:04,626 --> 00:40:09,167 So they claim Edgar downloaded porn.
809 00:40:09,999 --> 00:40:11,167 All right?
810 00:40:11,167 --> 00:40:14,083 They claim that Edgar's user account had passwords.
811 00:40:14,542 --> 00:40:16,999 This is all documented in the record.
812 00:40:16,999 --> 00:40:21,876 They claim that Edgar utilized news groups to download porn, like for real?
813 00:40:21,876 --> 00:40:23,999 Who uses news groups to download porn?
814 00:40:23,999 --> 00:40:28,792 I think they have the -- (Overlapping speakers.) ERIC
815 00:40:28,792 --> 00:40:32,999 ROBI: Yeah, news groups, right?
816 00:40:32,999 --> 00:40:34,417 AUDIENCE: Pregger porn.
817 00:40:34,417 --> 00:40:39,626 ERIC ROBI: That guy I would believe.
818 00:40:41,375 --> 00:40:44,209 They allege that he downloaded illegal porn.
819 00:40:44,459 --> 00:40:45,999 There is one thing to note.
820 00:40:45,999 --> 00:40:46,999 Keep this in mind.
821 00:40:47,125 --> 00:40:49,375 He left his house in April 2012.
822 00:40:49,375 --> 00:40:52,209 His wife kicked him out because of this stuff happening.
823 00:40:52,292 --> 00:40:53,792 April 2012.
824 00:40:53,792 --> 00:40:54,999 Keep that in mind.
825 00:40:55,501 --> 00:40:58,292 So let's look when we examine the computer.
826 00:40:58,292 --> 00:41:00,292 Let's see what we came up with.
827 00:41:00,292 --> 00:41:02,334 First we looked at IE history.
828 00:41:02,959 --> 00:41:05,542 As I mentioned before, IE history is able to show you when
829 00:41:05,542 --> 00:41:07,834 a file has been opened.
830 00:41:07,834 --> 00:41:11,125 This is an actual example, I changed the file name a little bit here.
831 00:41:11,125 --> 00:41:12,999 What was the date I just mentioned?
832 00:41:12,999 --> 00:41:15,375 AUDIENCE: April 2012.
833 00:41:15,375 --> 00:41:16,999 ERIC ROBI: April 2012.
834 00:41:16,999 --> 00:41:18,667 I see some dates here.
835 00:41:18,876 --> 00:41:21,375 Are these before or after April 2012?
836 00:41:21,375 --> 00:41:23,083 Put up your hand if it's after?
837 00:41:23,751 --> 00:41:25,292 Ahh!
838 00:41:25,876 --> 00:41:26,876 Yes.
839 00:41:26,876 --> 00:41:28,125 So all right.
840 00:41:28,125 --> 00:41:29,459 One fail here.
841 00:41:30,083 --> 00:41:34,834 Let's look at his peer to peer software download folder.
842 00:41:34,834 --> 00:41:38,459 In the top there I've got the path where these naughty files were
843 00:41:38,459 --> 00:41:42,167 downloaded and it's a pretty typical path.
844 00:41:42,167 --> 00:41:46,501 These P to P programs change the name to something long.
845 00:41:46,501 --> 00:41:47,751 It's like T-something something something
846 00:41:47,751 --> 00:41:49,292 naughty file.
847 00:41:49,667 --> 00:41:52,125 I'm looking at the dates here again.
848 00:41:52,751 --> 00:41:54,292 Michael, do you have a calendar?
849 00:41:54,292 --> 00:41:56,459 MICHAEL PERKLIN: Give me a second here.
850 00:41:56,459 --> 00:41:57,999 ERIC ROBI: When is December?
851 00:41:57,999 --> 00:41:59,999 MICHAEL PERKLIN: It is after April.
852 00:42:00,501 --> 00:42:02,250 Definitely after April.
853 00:42:02,250 --> 00:42:04,375 ERIC ROBI: Okay, just wanted to check.
854 00:42:04,375 --> 00:42:07,667 We need to verify our forensic findings before we publish them.
855 00:42:07,667 --> 00:42:08,834 We're verifying.
856 00:42:08,918 --> 00:42:09,999 Oops.
857 00:42:09,999 --> 00:42:13,292 I think -- MICHAEL PERKLIN: Fail!
858 00:42:13,292 --> 00:42:14,292 ERIC ROBI: Fail.
859 00:42:14,292 --> 00:42:15,417 Give me that beer.
860 00:42:20,709 --> 00:42:22,083 All right.
861 00:42:22,083 --> 00:42:24,999 They also claim that he used Outlook Express.
862 00:42:24,999 --> 00:42:26,250 Really, to download porn.
863 00:42:27,876 --> 00:42:29,417 Outlook Express.
864 00:42:29,417 --> 00:42:31,751 This is 2012, remember, folks.
865 00:42:31,751 --> 00:42:32,542 MICHAEL PERKLIN: Makes you wonder, did
866 00:42:32,542 --> 00:42:34,959 they even analyze this guy's machine?
867 00:42:35,375 --> 00:42:39,292 We saw records of P to P, not Outlook Express.
868 00:42:39,292 --> 00:42:42,083 ERIC ROBI: Outlook Express, all right.
869 00:42:42,375 --> 00:42:45,751 In reality, yes, Outlook Express was on the machine set
870 00:42:45,751 --> 00:42:48,999 up with an account called porno lover.
871 00:42:50,959 --> 00:42:52,292 Okay?
872 00:42:52,626 --> 00:42:56,250 It was set up after Edgar moved out of the house.
873 00:42:56,334 --> 00:42:59,584 And only headers were downloaded.
874 00:42:59,584 --> 00:43:00,626 No content.
875 00:43:00,626 --> 00:43:02,999 MICHAEL PERKLIN: What do you mean by headers?
876 00:43:02,999 --> 00:43:05,751 ERIC ROBI: A header, if you're using Outlook Express, it
877 00:43:05,751 --> 00:43:09,334 is just the first part of the file.
878 00:43:09,459 --> 00:43:12,209 The e-mail is going to have the date, the send to, the receiver,
879 00:43:12,209 --> 00:43:15,626 the subject line, maybe the first couple words.
880 00:43:15,999 --> 00:43:17,209 There was no content.
881 00:43:17,209 --> 00:43:20,999 There were no photos in there, just headers with, you know,
882 00:43:20,999 --> 00:43:23,999 admittedly porno names.
883 00:43:23,999 --> 00:43:26,501 Also, let's look at accusation three.
884 00:43:26,542 --> 00:43:29,792 They said his user account had a password.
885 00:43:30,125 --> 00:43:33,334 The inference is only Edgar was able to access it
886 00:43:33,334 --> 00:43:36,167 because there was a password.
887 00:43:36,709 --> 00:43:39,999 Let's look at the password, shall we?
888 00:43:40,626 --> 00:43:44,125 Maybe we can zoom in a little bit on this.
889 00:43:44,125 --> 00:43:49,751 (Laughter.) ERIC ROBI: This is actually a cool utility that's free.
890 00:43:49,751 --> 00:43:50,751 It's LCP.
891 00:43:50,751 --> 00:43:52,083 I'll go back to it here.
892 00:43:52,083 --> 00:43:59,999 It's a free utility, great for looking and seeing if there are passwords.
893 00:43:59,999 --> 00:44:03,999 You can also use it to perform an attack, although it's not very good.
894 00:44:05,751 --> 00:44:06,999 All right.
895 00:44:06,999 --> 00:44:09,667 So more facts undiscovered by the examiner.
896 00:44:10,584 --> 00:44:13,459 The P to P client was used to download porn.
897 00:44:13,459 --> 00:44:15,375 The examiner didn't find that.
898 00:44:15,709 --> 00:44:18,876 Into a new user account called porno lover.
899 00:44:19,584 --> 00:44:20,999 Guess when?
900 00:44:21,083 --> 00:44:22,999 After he moved out of the house.
901 00:44:24,334 --> 00:44:27,292 So we submitted our report to the prosecutor.
902 00:44:27,292 --> 00:44:30,209 Looks like a five, ten-page report, something like that.
903 00:44:30,209 --> 00:44:32,999 The government dropped the charges, years after they charged this guy,
904 00:44:32,999 --> 00:44:35,209 they dropped the charges.
905 00:44:35,209 --> 00:44:37,417 This does not ever happen, really.
906 00:44:37,999 --> 00:44:39,792 This is the first time.
907 00:44:39,792 --> 00:44:41,584 I've done thousands of cases -- well, hundreds of cases,
908 00:44:41,584 --> 00:44:43,501 thousands of exams.
909 00:44:43,876 --> 00:44:46,334 I don't know how many, it's never happened before.
910 00:44:46,501 --> 00:44:50,542 This is after the guy spent a huge amount of money on legal costs.
911 00:44:50,959 --> 00:44:54,209 So to do all this, I just want to give a thank you to Rob Lee
912 00:44:54,209 --> 00:44:57,083 and SANS -- you know Rob Lee?
913 00:44:57,209 --> 00:44:59,709 We used Super Timeline for this analysis.
914 00:45:06,834 --> 00:45:09,584 That's a super piece of -- (Lost audio.) MICHAEL
915 00:45:09,584 --> 00:45:13,959 PERKLIN: Definitely one of the best pieces of software used.
916 00:45:13,959 --> 00:45:17,292 ERIC ROBI: So the government interviews
917 00:45:17,292 --> 00:45:19,876 Edgar's friend.
918 00:45:20,501 --> 00:45:22,334 The friend confesses.
919 00:45:22,959 --> 00:45:24,876 The friend did it.
920 00:45:24,876 --> 00:45:27,751 The friend was trying to get jiggy with Edgar's wife.
921 00:45:27,751 --> 00:45:31,999 (Groans.) ERIC ROBI: And he put the porn on the computer.
922 00:45:32,584 --> 00:45:35,167 The court clears Edgar's name.
923 00:45:35,167 --> 00:45:37,209 They give him a finding of innocence.
924 00:45:37,209 --> 00:45:38,501 Rarely happens.
925 00:45:43,999 --> 00:45:47,083 I have been to court a couple times where there have been
926 00:45:47,083 --> 00:45:50,584 acquittals, and we didn't go to court on this one, fortunately,
927 00:45:50,584 --> 00:45:52,542 but we would have.
928 00:45:52,876 --> 00:45:54,999 So what did we learn?
929 00:45:54,999 --> 00:45:57,918 Base your conclusions upon actual evidence.
930 00:45:58,459 --> 00:46:02,292 Find multiple artifacts backing up your allegations.
931 00:46:02,292 --> 00:46:04,876 I don't know where the password thing came from.
932 00:46:04,876 --> 00:46:07,999 Tie it to a person, not just a machine, if possible.
933 00:46:07,999 --> 00:46:12,542 Try to look at user activity that would tie specific events to a person.
934 00:46:12,834 --> 00:46:14,709 Remember, the maximum you can get is 20
935 00:46:14,709 --> 00:46:16,417 in any category.
936 00:46:17,125 --> 00:46:21,792 However, I have decided to break the rules a little bit for this one.
937 00:46:21,792 --> 00:46:24,083 Examiner ineptness, he gets five bonus points built
938 00:46:24,083 --> 00:46:25,999 in right there.
939 00:46:26,999 --> 00:46:29,999 Oh, yeah, the guy sued the city for millions of dollars.
940 00:46:30,999 --> 00:46:34,918 And you know, there might be a job security issue for somebody
941 00:46:34,918 --> 00:46:36,667 in this case.
942 00:46:36,667 --> 00:46:38,417 MICHAEL PERKLIN: I don't think that examiner is really going to have
943 00:46:38,417 --> 00:46:40,083 a job much longer.
944 00:46:40,083 --> 00:46:42,999 ERIC ROBI: One hundred bonus points because the court finds
945 00:46:42,999 --> 00:46:45,292 the suspect innocent.
946 00:46:45,999 --> 00:46:47,792 Factually innocent.
947 00:46:47,792 --> 00:46:50,999 (Buzzer.) (Music playing.) ERIC ROBI: Thank you very much!
948 00:46:50,999 --> 00:46:53,083 MICHAEL PERKLIN: Thank you, everybody!
949 00:46:53,083 --> 00:46:56,250 If you want to do Q&A, we're going over to the Chill-Out Lounge.
