Demo Live Forensic Acquisition

IFSM 457 CyberTerrorism

"We can do that."
- Geek Squad Agent

Topics
- Live Acquisitions
- Presentations
- News

Demo: Live Forensic Acquisition
Helix CD Main Menu (screenshot)

Problems with previewing a live system
- Everything you do modifies the system.
- Every time you access a file, you update the access time of the file.
- Even opening MS Office documents, without saving them, modifies their internal content.
- Be very careful, or you can contaminate the crime scene.

The Problems with Live Acquisitions
- The PC is in a constant state of flux.
- If we do something, the system changes.
- If we do nothing, the system changes.

Tools needed for Live Acquisitions
- Helix CD
- USB / network storage
- Minimum: save RAM
- Maximum: RAM plus a disk image
- Documentation

Let's Do It
- Insert the USB stick.
- Wait for it to be recognized.
- Record the drive letter.
- Wipe it and format it. Make sure it is "clean".
- Create a folder called wft.
- Do this preparation on another system, not the one being examined.
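The "Documentation" item above is where most live acquisitions are weakest, and the warning that everything you do modifies the system is easy to state and hard to see. The following script is an added example (not from the lecture and not part of Helix or WFT): it builds a SHA-256 manifest of an acquisition output folder so the output can be re-verified later, and its before/after comparison shows exactly which files a look around the machine changed, split into content changes and timestamp-only changes. The paths (an E:\wft folder, a manifest file next to it) and the test data are assumptions.

```python
# Added example, not part of the lecture or of the Helix/WFT tooling it
# demonstrates.  It records what the acquisition produced (a hash manifest of
# the output folder, e.g. the "wft" folder on the USB stick) and shows how a
# before/after comparison exposes what merely "looking around" changes.
# All paths are assumptions; the test data is constructed.
import hashlib
import json
from pathlib import Path

TIME_FIELDS = ("mtime_ns", "atime_ns", "ctime_ns")


def file_record(path: Path) -> dict:
    """Size, MAC times and SHA-256 of one file.

    stat() is taken before the read on purpose: reading the file to hash it
    is itself an access and, on filesystems that keep last-access times,
    it moves atime.  That is the lecture's point, and why the manifest is
    built over the acquisition output, never over the live suspect system.
    """
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    rec = {"size": st.st_size, "sha256": digest.hexdigest()}
    rec.update({field: getattr(st, "st_" + field) for field in TIME_FIELDS})
    return rec


def snapshot(root) -> dict:
    """Manifest of every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as added, removed, content_changed or timestamps_only."""
    out = {"added": [], "removed": [], "content_changed": [], "timestamps_only": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            out["added"].append(path)
        elif path not in after:
            out["removed"].append(path)
        elif (before[path]["sha256"], before[path]["size"]) != (after[path]["sha256"], after[path]["size"]):
            out["content_changed"].append(path)
        elif any(before[path][f] != after[path][f] for f in TIME_FIELDS):
            out["timestamps_only"].append(path)
    return out


def write_manifest(root, manifest_path) -> dict:
    """Documentation step: hash everything the acquisition wrote and save it
    next to (not inside) the evidence folder so the manifest does not hash itself."""
    snap = snapshot(root)
    Path(manifest_path).write_text(json.dumps(snap, indent=2, sort_keys=True))
    return snap


def verify_manifest(root, manifest_path) -> dict:
    """Later integrity check: anything other than empty lists means the
    acquisition output is no longer what was documented."""
    recorded = json.loads(Path(manifest_path).read_text())
    return diff_snapshots(recorded, snapshot(root))


if __name__ == "__main__":
    import sys
    # usage: python manifest.py E:\wft E:\wft-manifest.json   (paths are assumptions)
    root, manifest = sys.argv[1], sys.argv[2]
    if Path(manifest).exists():
        print(json.dumps(verify_manifest(root, manifest), indent=2))
    else:
        print(f"{len(write_manifest(root, manifest))} files recorded in {manifest}")
```

Run it once immediately after the acquisition to write the manifest, and again whenever the stick changes hands; an empty result is the evidence that the output is unchanged. The timestamps_only bucket is the one to watch on a live machine: it is what a "quick preview" produces even when no content was altered.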


Incident Response Tools
- Windows Forensic Toolchest (WFT)
- Save to USB. The USB stick MUST be larger than RAM (it has to hold the RAM image)!
- We will save it to ?:\wft
- Options: Yes, Yes, Yes
- May take a long time....

Presentation
Jacob Tuuao: eBay Scams

Presentation
Wayne Elliott: Sniffing

Open D:\wft\index.html

In the News... AOL Passwords
According to this screen shot... they can be up to 16 characters... or can they?

AOL's Password Puzzler - May 5, 2007
A reader wrote in Friday with an interesting observation: When he went to access his AOL.com account, he accidentally entered an extra character at the end of his password. But that didn't stop him from entering his account. Curious, the reader tried adding multiple alphanumeric sequences after his password, and each time it logged him in successfully.

It turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight.

From Complex to Simple
How is this a bad set-up, security-wise? Well, let's take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones. Bob -- thinking himself very clever -- sets his password to be BobJones$4e?0. Now, if Bob's co-worker Alice or arch-nemesis Charlie tries to guess his password, probably the first password he or she will try is Bob's user name, since people are lazy and often use their user name as their password.

"We're In!"
And she'd be right, in this case, because even though Bob thinks he created a pretty solid 13-character password -- complete with numerals, non-standard characters, and letters -- the system won't read past the first eight characters of the password he set, which in this case is exactly the same as his user name.
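The failure the article describes is simple to reproduce and simple to test for from the outside. The following is an added example, not code from the article or the lecture: a verifier that silently hashes only the first eight characters sits beside a correct one, and probe_truncation automates what the reader did by hand (append junk, see whether login still succeeds, then find the shortest prefix that works). How AOL's real system was built is not known here; the eight-character cutoff is the one the article reports, the PBKDF2 parameters and the BobJones example are illustrative assumptions.

```python
# Added example, not code from the article or the lecture.  It reproduces the
# behaviour the reader stumbled on (only the first eight characters of the
# password count), puts a correct verifier beside it, and automates the probe
# the reader effectively ran.  How AOL's real system worked internally is not
# known here; the truncation point is simply the one the article reports.
import hashlib
import hmac
import os
from typing import Callable, Optional

TRUNCATE_AT = 8          # effective password length the article describes
PBKDF2_ROUNDS = 100_000  # modest for the demo; tune upward in production


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password: str, truncate: bool = False) -> dict:
    """Create a password record.  With truncate=True only password[:8] is
    hashed, so everything after the eighth character is silently discarded."""
    material = password[:TRUNCATE_AT] if truncate else password
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(material, salt), "truncate": truncate}


def verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison; the truncating record truncates the attempt too,
    which is what makes 'BobJones' and 'BobJones$4e?0xyz' both succeed."""
    material = attempt[:TRUNCATE_AT] if record["truncate"] else attempt
    return hmac.compare_digest(record["hash"], _derive(material, record["salt"]))


def probe_truncation(check: Callable[[str], bool], password: str) -> Optional[int]:
    """Black-box test against a login function for an account whose password you know.

    Appending junk to the password must fail on a sane verifier; if it succeeds,
    the shortest prefix that still logs in is the effective password length.
    Returns that length, or None when no truncation is observable.  A password
    shorter than the cutoff cannot reveal the flaw, which is why the reader only
    noticed it with a long one.
    """
    if not check(password + "zzz"):
        return None
    for n in range(1, len(password)):
        if check(password[:n]):
            return n
    return len(password)


if __name__ == "__main__":
    pw = "BobJones$4e?0"   # the article's fictional 13-character password
    weak, strong = enroll(pw, truncate=True), enroll(pw)
    print("truncating verifier accepts the user name as password:", verify(weak, "BobJones"))
    print("effective length (truncating):", probe_truncation(lambda p: verify(weak, p), pw))
    print("effective length (correct):   ", probe_truncation(lambda p: verify(strong, p), pw))
```

The probe only needs an account you own, so it is a legitimate check to run against any service before trusting its password policy; a result of 8 here is exactly the reader's finding, and None is what a verifier that hashes the whole password returns.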
Bob may never be aware of this: The AOL system also will just as happily accept BobJones for his password as it will BobJones$4e?0 (or BobJones + anything else, for that matter).

Reactions
AOL spokesman Andrew Weinstein said the company was looking into the matter, but didn't have any comment beyond that.

Bruce Schneier, CTO of BT Counterpane, called it "sloppy and stupid. Truncating the password at eight characters is a big deal, and there's no excuse for any company in today's world to be doing that. Especially because AOL has... shall we say, some less sophisticated users. Those users need all the help they can get when it comes to choosing a password, and to artificially penalize them in secret for choosing long passwords seems like a bad thing."

In the News - May 7, 2007
Chesterfield man gets 30 months for child porn
By Robert Patrick, ST. LOUIS POST-DISPATCH
A Chesterfield man got 30 months in federal prison today after a computer repairman found child porn on his computer. Vishal Sehjpal, 22, brought his computer into the Chesterfield Best Buy store for repair.


Details
On November 1, 2004, Sehjpal brought his Sony laptop computer to a Best Buy store. In examining the computer, the technician observed images of what he believed to be child pornography and notified the Chesterfield Police Department. Sehjpal consented to the search of his computer by the police and provided 30 additional computer CDs. Sehjpal admitted that he had downloaded images of child pornography over the internet over the past six months. Some of these images depicted a minor under the age of twelve engaged in sexually explicit conduct.

Pleaded Guilty
Sehjpal pleaded guilty in February to two felony counts of possession of child pornography and admitted possessing both still pictures and videos that contained child porn that he'd downloaded from the Internet.

United States Attorney Catherine L. Hanaway commented, "Thanks to the alert actions of a computer technician, another child predator has been taken off of our streets for a period of time, and will be supervised for the rest of his life. The assistance of private citizens is invaluable to law enforcement in identifying these crimes."

The Best Buy / Geek Squad

In the News - May 7, 2007
Geek Squad: im in ur hard drive, steeling ur pr0n
Last week, watchdog website The Consumerist posted a long confession allegedly written by an employee of Bloomington-based computer fix-it service Geek Squad. The disgruntled Geek claimed that the men in the cute New Beetles have been corrupted by their relationship with Best Buy. The most disturbing - and totally believable - charge? That techies snoop around customers' computers for homemade porn, downloading personal nudie pics onto their own flash drives. We called a local Best Buy/Geek Squad outlet...

Their Response
"That's absolutely not our practice—it's part of our policy to keep files private," said the Agent. "Although we might see the names of the files pop up, if you've saved pictures as your screensaver."

So we asked, what if we brought in, say, a spouse's computer?
Would you search that for hidden porn at our behest? The Agent paused. "We can do that."

From the Confession - Remember Those Photos You Thought You Deleted? - New Computers are like Easter Egg Hunts.
If there were a competition between a Playboy editor, a photo lab technician, and a voyeur for the person who has seen the most random pictures of naked people... the only way any of them would win is if the Geek Squad agent was late... Again, this must all go back to the psychological game that is played with customers, but it astonishes me how trusting people are with their computers.

Social Engineering
If I walked into your house right now and asked to use your computer, you would probably be, at the least, a bit curious... if not screaming. But put me in my Geek Squad uniform, give me my badge, and put me in my VW Beetle, and you are anxious to give up your seat. To add to it, every Geek Squad agent is equipped with a USB thumb drive, which is basically a tool used for storage of our tools... or any other data an agent might like.

Are you aware that you can locate every image and movie located on your hard drive by just using the Windows search function? Did you know that, especially if you use Internet Explorer, Windows keeps an easily retrievable record of many of your usernames and passwords to almost any website (including banking websites), whether or not you save your password manually? I understand that if you need your computer fixed, there are not many options, but at least if someone is fixing your computer in front of your eyes, you can make sure they don't go for a scavenger hunt in your hard drive.

Let me make it clear again: if you have any interesting pictures of yourself or others on your computer, then they--will--be--found. Some geeks are like bloodhounds when it comes to pornography.

Topic: Gary Glitter


Paul Francis Gadd
Gary Glitter first came to prominence in the glam rock era of the early 1970s. He had one of the longest chart runs of any solo singer in the UK during the 1970s. Between 1972 and 1995 Glitter charted no fewer than 25 hit singles, which spent a grand total of 179 weeks in the UK Top 100.

The Hits
His 1984 song "Another Rock N' Roll Christmas" was voted one of the Top 30 Christmas hits of all time. In 1998, his recording of "Rock and Roll (Part Two)" was voted one of the Top 1001 songs in music history. In 2004, a Channel 4 poll of the 50 Greatest Pop Stars of all time placed Glitter at #22.

Rock and Roll (Part Two)
"Rock and Roll (Part Two)" caught on as a popular sports anthem in North America. Also known as the "Hey Song", it is often used as a goal song or celebration song; fans chant out "Hey!" along with the chorus.
Video: Rock and Roll (Part Two)

The Computer
In November 1997 Glitter was arrested after child pornography images were discovered on the hard drive of a personal computer he had taken to a Bristol branch of PC World for repair.

The Debate
This triggered a debate over how the images were discovered, as it is unclear whether the repair Glitter's machine required would have necessitated access to the hard drive, with the images being discovered by accident during this, or whether PC World staff accessed the contents of the hard drive when they had no legitimate reason to do so, either as a routine activity performed on all customers' machines, or performed on Glitter's due to his celebrity status.

The Investigation - Gary Glitter's Laptop
Barrett, Neil (2004) Traces of Guilt, chapter 7
Barrett was asked by DC Pete Lintern of Avon and Somerset Police to consult on the Gary Glitter case.

"I was there to review the computer evidence in the case of Regina versus Paul Gadd - better known to the world as Gary Glitter. The story is now a familiar one, though at the time it came as a huge shock to the world.
Once more popular after years in the wilderness, the fifty-year-old star had always been dogged by rumours of sexual misbehaviour..."

The Laptop
"Then he had handed in a laptop computer for repair at PC World in Bristol, and staff had found a collection of what were alleged to be paedophile images on the hard disk. They had reported this to the police and handed over the laptop, and Gadd had been arrested and pilloried in the press. Not all of the criticism had been directed at the pop star; some voices were raised against the staff at the shop, with suspicions that they had only inspected the laptop because of its association with a well-known figure. It was precisely because of this that Pete Lintern was asking me to become involved, concerned to ensure that they had considered every possible aspect of the case."

Background
At a conference, he gave "a talk to a police audience on the way in which defence computer expert witnesses approach the analysis of police-produced computer evidence. I presented the problems and issues that had been raised during the case of 'Christopher Robin' a few months earlier. With the luxury of a relatively expert audience, I had gone into great detail about all the possible defence approaches concerning paedophilia. I had discussed the increasingly popular 'hacking' defence: the claim that the material had been placed on the system by some other user or as a result of a hacking intrusion.

The Pop-Up Defence
"And I had covered the so-called 'pop-up' defence: the claim that the paedophile pictures were not consciously accessed and downloaded but appeared as a result of an unasked-for pop-up window. I had also outlined an approach to the analysis of paedophile and other computer-misuse offences that I had called the 'scene-of-habitation' analysis, developed in the aftermath of the 'Christopher Robin' case.
The junior barrister in the case, Nick Lockett, had been adamant that Chris's picture collection had come about as a result of a computer intruder, and in fact at least some of the computer evidence had been produced by the university's system administrator.


Whodunit
"That aspect of the case had raised an important question: was it possible to ascribe computer evidence to a specific person, even when they were masquerading as some other user? Or was it possible to be sure that computer evidence did not relate to a specific user, even though the computer records showed the association?"

"I realized that there was no definite answer but that there might be a way of adapting techniques used in other types of crime-scene analysis."

Legal and Illegal
"Whilst a computer might indeed be used to store paedophile material, or to plan a series of robberies, or even to plan a sadistic murder, it is also used to hold information relating to perfectly legitimate activities."

"For example, a user might write abusive email, but they would also use the PC to write quite normal email. By analysing unconscious patterns in the normal writing, and by then looking for those patterns in the criminal writing, it may be possible to reinforce an assertion that the user was the author."

The Approach
"Analyse closely the patterns of behaviour and even of personality that could be derived from the innocent data. Through those, I would construct a detailed picture of what the subject routinely did - and only then turned to the criminal material. Armed with the features of the innocent material, it is possible to see whether common patterns of behaviour are present in both, and to try from that to ascribe identity and responsibility."

"It was a technique that promised to be enormously useful, and the case of Paul Gadd a.k.a. Gary Glitter was the first opportunity I had had to use the method in a real criminal case."

Making Sure
"DC Pete Lintern had approached me after the presentation in Edinburgh... It was a case that was attracting a lot of media attention and so they needed to be totally sure that they had done everything correctly.
They had already appointed a computer expert witness, but what they wanted in addition was a comfort factor."

"They wanted to know that nothing had been missed, and they wanted some idea of what potential objections could be raised by a defence expert witness. Pete wanted me to do that job for them, as an unpaid favour, with the promise that I wouldn't have to give evidence in court."

The Process
"First of all, I decided to try and tackle the evidence as though I were the defence computer expert, looking to see what aspects might allow a challenge to be mounted. Second, I wanted to see whether there was anything that the scene-of-habitation analysis could bring to strengthen the prosecution case."

"Computer evidence has to satisfy a number of precise requirements. Because the data is easily altered it is vitally important to show that it cannot have been changed... I first went through the 'chain of evidence' for the computer material."

The Chain
The document showed "the seizure and safe handling of the laptop from its collection at the shop through to its receipt at the Bristol forensic laboratory where I was sitting.
There were statements from the staff at PC World, covering what they had done to the laptop; there were statements from the uniformed officers who had 'bagged and tagged' the unit, delivering it to an exhibits officer at the Central Bristol police station. The statements showed that the laptop had not been activated at all from when it had last been booted by the PC World staff shortly before they contacted the police - though the statements did illustrate that those staff had viewed some of the image files, thereby changing the last-access date stamps on a subset of the evidence collection."

And More...
"It looked as though the laptop had been amazingly well handled in its progression from damaged piece of hardware at PC World through to suspect piece of equipment at Pete's laboratory. The final collection of papers included Pete's own witness statement, along with the laboratory records showing the safe receipt of the sealed evidence bag containing the laptop. A laboratory reference sheet recorded Pete breaking the seal on the bag, removing the tiny hard-disk drive from the laptop... and then mounting that disk drive inside a 'caddy unit' so that it could be hosted within Pete's laboratory computer system. From there it was copied onto CD-ROM."

Details
"[Pete] even recorded the measures he had taken to ensure that static electric shock could not have affected the disk drive during the removal of the unit itself, and the small error that he had observed in the laptop's internal clock."

"I was fairly sure that a defence computer expert... would not be able to find anything to object to in the process of preserving the laptop contents."

Analyzing the Contents
"I started with the explorer-mode of the forensic application used by Avon and Somerset. It wasn't hard to see what had attracted the PC World staff's interest: three folders, not even hidden or encrypted, with names like 'My Gang' and containing picture files... there was no doubt that these were paedophile images.
At that point, I wasn't particularly interested in exploring the contents of the picture files themselves; that could wait until I had a better feel for the structure of the computer. I continued browsing through the explorer-mode, looking to establish that he had an Internet account set up.


Internet Access
He had, with a long list of similar paedophile pictures apparently downloaded from several 'Lolita-style' websites; there were records showing his having visited those sites a large number of times. He also had an email account and a simple office-automation application installed, apparently used to keep track of the details of his engagements up and down the country. It was in many ways a typical laptop structure, representing a non-computer expert's use for predominantly pornographic browsing. The laptop seemed to have been used 90% of the time for access to paedophile-interest websites and only 10% of the time... to support the 'Gary Glitter' business."

Two Questions
"First of all, did the laptop contain paedophile material with which Paul Gadd could be prosecuted? That is, was it possible to show that the photographs discovered could satisfy the definition of 'indecent pictures of children'? Could I show that the possession of the picture files was deliberate?"

"Second, could I establish that it was indeed Paul Gadd himself who was responsible for the pictures appearing on his computer - rather than, say, the staff at PC World, or anyone else who might have had access to the laptop without his knowledge?"

Collecting Pictures
"It took only seconds to collate and arrange the gallery, and then I was able to step through the pictures, collecting into an evidence gallery all those that looked indecent. There was little doubt but that the vast majority of the picture collection amassed by Gadd was indeed illegal. Moreover... I could see that the pictures appeared in the Temporary Internet Files location... before then appearing in a second temporary file location, showing them downloaded from the Internet, and finally appearing in the folder collections that had first been detected by the PC World staff.
I was confident that I had reasonable proof of Internet paedophile behaviour."

Who Did It: Gadd or PC World?
"I had the timeline of the case, showing the period over which the laptop had been outside of Gadd's control up to the moment at which it had been seized by the police. ...it was easy to follow the date and time stamps on the listed files and folders so as to see the behaviour of the PC World engineers. I could see when they had booted the laptop and I could follow the file-access time stamps to see them inspecting 'My Gang' folders and a handful of the picture files within the folders. I could even see the specific picture viewing application that they had used, since the last-access time on the program file also changed during this period.

Changes
"Whilst each picture file showed that it had been accessed during this period of PC World inspection, the date and time stamp showing when the file had last changed was unaltered. Those stamps were for the time - several months earlier - when the user of the laptop had downloaded the files from the Internet."

"To corroborate that, I switched to the raw-mode, so as to examine the disk clusters representing the blocks of the image files. Those clusters were sandwiched between clusters from other, unaccessed files with date and time stamps that showed them to be in the correct sequence."

Unlikely
"The physical evidence of the clusters on the hard-disk drive matched perfectly with the evidence of the laptop file-system arrangement of the files. I could be confident that the image files had not been introduced by staff at PC World."

"I went through each of the dozen or so picture files that I had selected for my mock exhibits, ensuring that each of them was physically in an appropriate place on the disk. There were no picture files that were not in the appropriate physical sequence...
The paedophile pictures had appeared on the laptop months before it had been handed in to PC World in Bristol for repair."

Who Downloaded and Collected Them?
"The laptop had had no password set: neither for the boot-up, according to Pete's own notes, nor for actually logging onto the system. Anyone who could get their hands on Gadd's laptop could be Paul Gadd as far as the laptop was concerned, and as far as any of us analysing the computer after the event was concerned. If I were the defence computer expert, that would be the point from which my analysis would proceed. I envisaged that Gadd would have had staff, friends and lovers at his house from time to time, all having access to a greater or lesser extent to the room where he might keep his laptop.

Records
"His telephone records showed when Gadd had accessed the Internet, and the police had established from his schedule and bookings diary that he was indeed at home at those times - but, of course, others might have been there as well. I had no idea whether that could be true but it was an obvious objection to raise with Pete over his case."

"All of the material produced by [the] Police said, 'Gadd did the following ...' whereas it should have said, 'The user of the computer did the following ...' and then established that the user of the computer was indeed Paul Gadd."

Scene-of-Habitation Analysis Techniques
"I started by building a picture of the Internet use, looking at the date stamps on the access to entirely legal websites. Some of these related to venues that Gary Glitter had played at and tied in with email messages that were signed by Paul Gadd. Examining those email messages, I began to construct a detailed analysis of the way in which he wrote email and... other documents also stored on the laptop... He wrote short sentences... misspelled certain words consistently; he used a comma where a semicolon should have appeared, but unlike most people used the apostrophe correctly. [I built] a profile of Gadd's personality as he appeared on the computer.
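The "Changes" and "Unlikely" passages above are the forensic core of the excerpt: a file the repair staff merely opened shows a new last-access time but an unchanged modification time, a file they introduced would have been created or changed inside the window when the machine was out of the owner's hands, and the physical cluster sequence gives an independent check on the file-system dates. The following is an added example, not Barrett's code or the lecture's, that mechanises that reasoning over constructed file records. The file names, dates, cluster numbers and the repair window are all made up for illustration and are not case data; the cluster check is the simple heuristic described in its docstring, not a full allocation analysis.

```python
# Added example, not Barrett's or the lecture's code.  It mechanises the
# timestamp reasoning from the 'Changes' and 'Unlikely' passages: files the
# repair staff merely viewed show a new last-access time but an unchanged
# modification time, while a file planted during the repair window would have
# been created or changed inside it.  The cluster check mirrors his raw-mode
# corroboration.  Names, dates, cluster numbers and the custody window below
# are constructed for illustration; nothing here is case data.
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime
    first_cluster: int  # where the file's data starts on disk


def classify_by_window(records: Iterable[FileRecord], start: datetime, end: datetime) -> dict:
    """Bucket files by how their MAC times relate to the period the machine
    was out of the owner's hands (here: drop-off at the shop to police seizure)."""
    inside = lambda t: start <= t <= end
    buckets = {"viewed_only": [], "created_or_modified": [], "not_touched": []}
    for r in records:
        if inside(r.created) or inside(r.modified):
            buckets["created_or_modified"].append(r.path)  # candidate for 'introduced by staff'
        elif inside(r.accessed):
            buckets["viewed_only"].append(r.path)          # consistent with staff opening it
        else:
            buckets["not_touched"].append(r.path)
    return buckets


def cluster_sequence_anomalies(records: Iterable[FileRecord]) -> list:
    """Physical cross-check: on a disk filled roughly in order, a file whose
    data sits *before* a neighbour that was created earlier is out of sequence,
    which is what a later insertion into free space tends to look like.
    Heuristic only: deletion and cluster reuse produce legitimate exceptions,
    so hits are leads to examine in raw mode, not conclusions."""
    by_cluster = sorted(records, key=lambda r: r.first_cluster)
    return [a.path for a, b in zip(by_cluster, by_cluster[1:]) if a.created > b.created]


def assess(records: Iterable[FileRecord], start: datetime, end: datetime) -> dict:
    records = list(records)
    result = classify_by_window(records, start, end)
    result["cluster_anomalies"] = cluster_sequence_anomalies(records)
    return result


# Constructed sample: pictures and a venue letter written in spring, the machine
# at the shop 1-4 Nov, staff opening two pictures with the viewer, and one file
# written during the shop window to show what an introduced file would look like.
SHOP_WINDOW = (datetime(1997, 11, 1, 9, 0), datetime(1997, 11, 4, 17, 0))
SAMPLE = [
    FileRecord("Program Files/viewer.exe", datetime(1996, 8, 1), datetime(1996, 8, 1), datetime(1997, 11, 2, 14, 4), 900),
    FileRecord("My Gang/img01.jpg", datetime(1997, 3, 2, 21, 10), datetime(1997, 3, 2, 21, 10), datetime(1997, 11, 2, 14, 5), 4100),
    FileRecord("My Gang/img02.jpg", datetime(1997, 3, 2, 21, 12), datetime(1997, 3, 2, 21, 12), datetime(1997, 11, 2, 14, 6), 4160),
    FileRecord("My Gang/planted.jpg", datetime(1997, 11, 2, 15, 0), datetime(1997, 11, 2, 15, 0), datetime(1997, 11, 2, 15, 0), 4200),
    FileRecord("Letters/venue.doc", datetime(1997, 3, 3, 9, 0), datetime(1997, 3, 3, 9, 30), datetime(1997, 9, 1, 10, 0), 4230),
]

if __name__ == "__main__":
    for bucket, paths in assess(SAMPLE, *SHOP_WINDOW).items():
        print(f"{bucket}: {paths}")
```

On the sample, the two pictures and the viewer program land in viewed_only (access moved, modification did not), the venue letter is untouched, and the file written during the shop window is flagged twice: by its timestamps and by sitting physically ahead of an older neighbour. Two independent indicators agreeing is the point Barrett makes; one alone, on a real disk, is a lead and not a finding.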


And now for the illegal
"The time periods over which legal, then illegal, then legal websites were visited were often as short as a few minutes. There was also an email message sent by him to the operator of a paedophile website, in which the author gave Gadd's credit-card details and complained that he was having difficulty using the password and log-in details that had been supplied. The text was almost totally consistent with [Gadd's] writing style. It seemed to me beyond reasonable doubt that the user of the laptop was indeed Paul Gadd, and that he had used the computer and Internet access predominantly in the pursuit and collection of paedophile material."

Changing Sides
Having found no problems, "I decided to see whether or not the prosecution case could be strengthened in any way. Had Gadd himself taken any of the paedophile photographs? Had he sent them on to others? Had he received them from individuals whom we could trace? I examined each of the pictures in the gallery of paedophile images that Pete and I had collected. None of them was in the format that would have shown them to have been digital camera shots saved onto the computer, or saved after having been scanned. All were of the compact format associated with images downloaded from the Web."

Saving Grace
They searched his email "looking for obvious paedophile correspondence. There was none: Gadd had neither sent nor received paedophile images by email, and he had had no other [method] to allow the image files to be sent or received in any other way. It seemed likely that he had simply collected the paedophile pictures that had attracted his attention, storing them on the laptop in a way that was convenient for when he wanted to look at them. He was neither a creator nor a distributor of paedophile images, which was perhaps a blessing. He was simply a 'consumer' of child pornography, which is of course bad enough but not as bad as it might have been."

The Impression was...
"...of a rather solitary man.
His email was predominantly related to his tours, as were the few letters and other documents saved on the laptop. His Internet use was almost totally devoted to searching out the Lolita-style websites, and the majority of things stored on the laptop were those pictures."

"It almost seemed beyond comprehension that somebody could have been so foolish as to have allowed the laptop to have been examined by the staff at PC World - Gadd had in fact delivered the laptop himself, asking the staff to examine the disk for him!"

The Trial
"During the trial a few months later, no attempt was made to challenge the computer evidence presented by the police."

End of Barrett, Chapter 7

The Fallout
The following years held further trouble for the singer. Glitter was convicted of possession of child pornography in 1999 and classified formally as a British sex offender, serving two months of a four-month sentence. He was also charged with having sex with an underage girl, Alison Brown, when she was 14 years old. Glitter was acquitted of this charge after it emerged that Brown had sold her story to the News of the World and stood to earn more money from the newspaper on Glitter's conviction.

No Place to Stay
Glitter moved to Spain, then Cuba, and then Cambodia. The uproar over his presence led Cambodian authorities to expel him in 2002, determining that he was 'a threat to the security of a country and to the national image of Cambodia'. He was jailed for 3 nights on suspicion of sex offences, but was not convicted of any crime. Glitter then moved to Vietnam.

Troubles in Vietnam
On November 12, 2005, Gary Glitter fled his home, despite having applied for permanent residence in Vietnam. Three days later, he was arrested in Ho Chi Minh City while trying to board a flight to Thailand. Six girls and women in Vietnam, aged 11 to 23, admitted to having sex with Glitter; the age of consent in that country is eighteen.

Trial
Glitter was jailed throughout the criminal probe, which was completed on December 26, 2005.
The charge of rape was dropped for "lack of evidence", although the singer admitted that an 11-year-old girl had slept in his bed. Glitter could have faced the death penalty by firing squad if convicted of child rape. After having received compensatory payments from Glitter, the families of the girls appealed to the courts for clemency.


More Charges
Glitter was tried on charges of committing obscene acts with two girls, aged 10 and 11, and could have faced up to fourteen years in prison if convicted. The trial opened on March 2, 2006 and ended the next day, upon which Glitter was found guilty as charged and sentenced to three years' imprisonment.

The Future
He could be eligible for parole after serving one-third of his prison term, or one year, with credit for the four months he spent in jail from November 2005 to March 2006. Glitter's sentence includes mandatory deportation after serving his sentence and payment of 5M Vietnamese dong (US$315) to his victims' families.

His Response
Glitter continued to deny any wrongdoing, saying he believes he was framed by British tabloid newspapers. He announced he planned to spend part of his sentence writing an autobiography, which he began during his pre-trial detention.

The NFL
Sept. 4, 2006 - The NFL has effectively banned stadiums from playing Gary Glitter's "Rock and Roll Part 2" after the Brit rocker was convicted of molesting underage girls in Vietnam, prompting a search for a substitute celebratory anthem. The Denver Broncos switched to Big Bad Voodoo Daddy's "Go Daddy-o"; Kansas City Chiefs fans voted for P.O.D.'s "Boom."

Parting Thought - Smoking Kills...
Unlike the regular Internet, which was originally designed to withstand a nuclear attack, the Internet2 is designed primarily for speed - up to 9.08 Gbps in most recent tests. But that means it can't withstand a single cigarette. Thrown by a homeless man onto a mattress under Boston's Longfellow Bridge, the blaze melted the fiber-optic link between Boston and New York. It was offline for 4 hours.

End of This Lesson
