Computer Forensics A case analysis

1
Computer Forensics A case analysis

• As presented by
• Det. R. McWhorter
• Bexar County Sheriffs Office
• High Tech Crimes Unit

2
This analysis will walk us through each step of
an actual case which involved the use of
computers to facilitate several types of crime.
3
The names, where ever possible, have been changed
as to not further victimize the complainants.
A citizen contacts the Sheriffs Office to report
that he received a credit report which shows an
address different than his and an employer he has
never heard of. The complaint reviews his credit
card bills and identifies unauthorized charges to
his account.
The officer write his report and forwards it to
the Criminal Investigations division.
4
Law Enforcement agencies during the course of an
investigation have to show that they have a legal
right to request certain information. This is so
that private companies can protect themselves and
the clients from undue search and seizure or
disclosure of the personal information. For this
reason some information requested requires
investigators to get the okay from the court.
This is done through the use of a court order
known as a subpoena Subpoena- a writ commanding
a person designated in it to appear in court
under a penalty for failure Generally there is
an option to produce the records requested in
lieu of appearing in court.
5
The report identifies the company of IOMEGA as
one at which a transaction was completed using
the credit card of the complainant the other
charge was to NetZero for internet service.
Subpoenas were sent to NETZERO IOMEGA,
requesting all information surround in the
transaction completed with the CC
--- To include the IP address or
telephone number from which the transaction
originated, shipping addresses, connection logs
user identifications and passwords.
6
The next step of the investigation was to
research the address listed as the complainants
home.
Which turns out to be a lot with 3 mail boxes and
two trailers one of which is empty
7
A meeting with the one resident who lives on the
property stated the address I was looking for had
been moved away several weeks ago and the owner
had asked her to keep the mail . A review of the
mail provided about 20 different names.She also
stated that several UPS and FedEx trucks have
come by an dropped off packages. One of the names
happened to be the Doctor from the Credit report
of the complainant. After contacting the doctor
it was established that every name on the pieces
of mail was a former patient of the Doctors,
while he worked at a different Medical Group.
8
A subsequent review of all the names and
additional information showed that the point of
compromise for the data about our original
complainant and his credit information was going
to be the Medical Group. But How ? And
Who? After meeting with the Doctor who owned the
practice I went over the architecture of his
medical record storage and the practices in place
to protect the patients data.
9
The paper records for the business were locked in
a very hot attic of the business and all of the
data was duplicated in an office computer network
which was not connected to the internet or any
other outside business. The office utilized a
commercial software package called MOMS (
medical office management system). A review of
the paper files revealed that all the files for
the victims where properly filed and not missing
from there sealed containers. Whats the only
other option for the compromise of the data? HINT
the FBI says they are responsible for 55 of all
loss
10
If you said an insider you would be right ! Now I
have to interview every employee who had access
to the computer system. You may ask why didnt
you check the audit logs for file access and
modification and compare them to the user log on
files maybe even the work station user
logs. ANSWER- Because the system was antiquated
and did not have those options or they did not
have them turned on. TURN ON LOGGING, SPACE IS
CHEAP
11
After interviewing all the employees two suspects
were identified A disgruntled former secretary
and the owners son who also was the system
administrator.
Remember this picture of a country road in the
middle of Atascosa County, Well both suspects and
the address used for the fraud are right next to
each other
Secretary
Fraud Address
Owners Son
12
About this time the responses from the subpoenas
come back in. Realize the specific requests from
Law Enforcement about internet ecommerce
activities are researched and answered by the
administrators and technicians from the private
companies the victim or criminal utilized So if
your company is called upon to assistance will
you be ready and do you know what will be asked
of you?
13
The subpoena from IOMEGA shows a shipping address
consistent with the same address used for the
other fraud and and IP address collected by their
server at a specific time. The time happens to be
in EDT. The connection logs from ICG Nethead,
which is the actual ISP for Net Zero in this
region, show a connection to the internet for
their user at a specific time GMT. The
information provided by ICG also showed the ANI
(automatic number identification) for the user
who dialed into the ISP. Another subpoena was
sent out to the phone company for the subscriber
information and outgoing dialed numbers for the
specific dates and times Which were provided in
UTC. TIME CODING is IMPORTANT! What are we here
in San Antonio?
14
ANSWER- Depends, Currently we are Central
Daylight Time which is UTC (Universal Time
Coordinated) 5 hrs. When we switch back to
standard time we will be UTC -6
15
Further investigation into both suspects and
after interviewing both it was determined that
only one of the suspects had the technological
knowledge to access the data base of the medical
group retrieve all to information necessary and
make purchases online and establish credit online
in the names of the victims. And finally the
phone number which dialed into the ISP was always
the home office of the Medical Groups owner.
Which is the location at which the suspect, his
son lived prior to moving next to the fraud drop
zone. Now we know who and where he did it what
next?
16
Just like with the information which was
protected, so the locations which have the
evidence of the crimes and the profit from them.
The Constitution protects the public against
unlawful search and seizure . So we need a SEARCH
WARRANT! Actually two one for the Doctors house
and one for his sons new trailer
17
As the investigator with all the facts of the
case I write out and affidavit for a Search
Warrant. affidavit - a sworn statement in writing
made especially under oath or on affirmation
before an authorized magistrate or officer
Search Warrant gives me the right to look for
the evidence and fruits of the crime.
18
The following special consideration presented to
the court gives me the right to conduct the
forensic evaluation of the computers
seized B.                              THE
FOLLOWING CONSIDERATIONS AND PRACTICALITIES
GOVERN THE MANNER OF THE EXECUTION OF THE SEARCH
WARRANT   Based upon Affiants
knowledge, training, and experience, and
experience of other law enforcement personnel,
Affiant knows that in order to completely and
accurately retrieve data maintained in computer
hardware or on computer software, all computer
equipment, peripherals, related instructions in
the form of manuals and notes, as well as the
software utilized to operate such a computer,
must be seized and subsequently processed by a
qualified computer specialist in an appropriate
setting. Accordingly, it is very often necessary
to take all computer hardware and software found
at the suspected location in order to have it
examined in a qualified forensic environment.
Such will sometimes be the only way that items
such as previously sent and received e-mails can
be effectively recovered from a computer or its
password, can be encrypted, or could have been
previously deleted. In light of these
concerns, Affiant requests the Courts permission
to seize at the search location all the computer
hardware, software, and peripherals that are
believed to potentially contain some or all of
the contraband, or instrumentalities described in
the warrant, and to conduct an offsite search of
these computer materials for such evidence.
Affiant intends to transport all such seized
computer materials to a qualified forensic
facility for imaging and analysis by experts.
Additionally, Affiant believes that
evidence of violations of Texas Penal Code
Section 32.31 32.51 are contained or concealed
in tapes, cassettes, cartridges, streaming tape,
commercial software and manuals, hardware,
computer disks, disk drives, monitors, computer
printers, modems, tape drives, disk applications
programs, data disks, system disk operating
systems, magnetic media-floppy disks, tape
systems, digital cameras, hard drives, digital
cameras, and other computer related operating
equipment located at the suspected place.
19

• Now based upon the facts presented and discovered
  during the course of this investigation it is
  necessary to examine any information which may be
  relevant to the commission of multiple crimes and
  contained in the computers or electronic storage
  devices.
• Where do I get started with the forensic exam?
• Well you already have by having technicians
  gather the stored electronic records about the
  connections and transactions

20

• You have obtained the legal authority to examine
  the computers based upon your search warrant

• NOTE Legal authority my be based upon a number
  of factors depending on
• the location of the computer,
• its use,
• the actual owner,
• the possible content,
• use policy of your business

21

• Following sound forensic practices, in this
  situation of having a stand alone personal PC
  with the power off The hard drive is
• Removed
• Photographed
• Inspected
• Imaged ( by using a forensic software package and
  a hardware write blocking device)

22

• The rest of the electronic storage media or
  evidence was acquired by the same processes as
  not to alter its state. In this case the storage
  media was
• Two HDD
• One SCSI HDD
• Two ZIP250 Disks
• 6 floppies

23
When a forensic image is made it is necessary to
verify the integrity of the original evidence and
to insure that the image is exactly the same,
this is done by hashing or getting a hash
value for all the data
24
Now we know we have an exact image of the
evidence so we store the original evidence and
begin to search our image for clues. This can be
done by the means of any number of forensic
tools. The tool I used in this case was Guidance
Softwares EnCase
25
The manner in which these automated tools work
must be understood prior to their use. WHY?
Because when the Judge asks you how did it do
that you have to be able to explain it. This is
why it is important to develop the ability to
understand the way in which a computer works and
stores information
26

• Lets get on with the forensic examination and
  what we found.
• What are we looking for?
• Victims Names
• Addresses
• Credit card numbers
• Ecommerce Web pages

27
Lets start with web pages. When a page is stored
in you computer what does it look like and were
would it be?

function ChangeIfUtf8(Utf8InCookies) var URL
document.location.href var strUtf8 "utf8"
var index URL.indexOf(strUtf8) var inCookie
Utf8InCookies if(index0) var indexValue
index strUtf8.length if (indexValue1 URL.length) if (URL.charAt(index-1) "?") URL
URL.substring(0,index) URL.substring(indexValu
e2) else URL URL.substring(0,index-1)
URL.substring(indexValue1) else URL
URL.substring(0,index-1) var IsFirst
URL.indexOf("?") if (IsFirst0) strUtf8 ""
strUtf8 else strUtf8 "?" strUtf8 if
(inCookie"0" document.charset"utf-8")
URL URL strUtf8 "1" if (URL !
document.location.href) window.location.replace(
URL) var wHnd window.open("", "",
"height1,width1,menubarno,resizableno,titlebar
no,scrollbarsno,statusno,toolbarno,menubarno,
locationno") wHnd.close() else if
(inCookie"1" document.charset!"utf-8")
URL URL strUtf8 "0" if (URL
HTML code usually found in the temp internet
file, swap or unallocated space. What is this?
28
You will notice that the page is incomplete that
is because not all images referenced in the page
are available , but this web based email is what
we call evidence!! The following are few other
web pages recreated from html code left in
various locations
29
Another area in which clues can be found are in
the cookies a computer collects during its web
connections
30
Just like web pages images are nothing more than
stored code. How are these images found. We
search for the header information which
identifies the file type
JPEG Header
Created with Photoshop 3.0
31
They say that an image is worth a thousand words
imagine the story the following images are telling
32
There are a few other files which also proved to
be of interest such as MSWord documents which are
headed as
This subject kept track of his victims by writing
down what he had done with each ones information
33
Other areas in which things are stored are areas
which the operating has used in the past but does
not keep track of the data that was once there.
Primarily these areas are File Slack- The area
left at the end of a cluster when a file is
written Unallocated space-space which is not
currently listed in the FAT or indices or being
directly accessed.
34
File slack works like this Suppose a cluster is
512 mb and a file is 400mb the 400mb file is
deleted and a 250mb file is written at the same
location
The OS only sees the red file but the end of the
blue file was not over written and is retrievable
35
The unallocated space is often time the portion
of the hard drive the OS has designated as the
virtually memory location and during the session
the OS identifies this area by physical address.
So no references to the area are identified but
the still contain data. Such as the following
patient list which had been converted to a
document and added to with the actions and
history of our criminal.
36
This patient list was actual never stored on the
system it was viewed on, it had been down loaded
by using an external ZIP 250 drive which was not
present at the time of the seizure but evidence
that it had been connected remained in the form
of a link file. The drive was later found in the
suspects vehicle along a zip disc containing the
entire data base from the medical group
37
This presentation by no means gives a complete
list of all the action which took place during
this investigation, but you can see how one
person has utilized a limited knowledge to
compromise the personal information of hundreds
of people and started an investigation which
caused the use of computer forensics at several
different levels
38

• If you only get a few things from this it should
  be
• Turn on Logging, Space is Cheap
• Details are important keep good business records
• Have the lawful authority before you act
• If you are going to conduct a forensic
  evaluation KNOW WHAT YOU ARE DOING