The Case

					Kidnapping Case
         Alisha K., Val R., Miles B.
                            CFR101
                   The Case
 • “You have been called by the parents of a young girl who is missing after an argument with her parents. She spent a lot of time on the Internet and her parents gave you permission to take her laptop. The zipfile is the image you made.”

 • Where is the girl? Did she run away, or was she kidnapped? Can we find her?
            Data Integrity
 • Hashes of the drive image, from WinHex:

   • SHA-1: 8F4E3297B8A8C05292C077696AB0EC6B19B3BDAE

   • MD5: 9849B5A5DB87B13543C33736A8AD7AB3
                 For Starters
 • My Documents Folder:
   • “Teenchat.doc”
   • “Chat - How It Works.txt”
   • “Dating Beautiful Women Made Easy.txt”
                 More Text
 • Research on American government conspiracy theories
 • “Teen girl abducted after meeting.txt”
 • Seaside.doc
   • bus schedule for trips to Seaside, Oregon.
                   Clues
 • Pictures labeled “adult[1-6].jpg”
 • And one called “Gary.jpg”
                   More Clues
 • All-seeing eye, political conspiracies
   • 666HolyBible[1].txt
   • Mind Control.txt
   • Federal Reserve Facts.txt
                        Roadblocks
 Possible use of
 • Virtual Machines
   • Bootlog.txt
 • Stego / Crypto
   • On the drive were traces of tools such as SNOW and ICE
   • Steganos Security Suite
   • HIP, Hide In Picture
 • Forensic Software
   • WinHex
 • These are programs provided freely to the public
          Roadblocks cont’d
 • SNOW
   • Compress messages
   • Use encryption to hide messages within anything
   • Looks normal to the observer
   • Provided free, GNU
 • ICE
   • Information Concealment Engine
   • 64-bit private key block cipher
   • Stronger than DES
   • Provided free
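Added example (not part of the original slides): SNOW conceals its payload as trailing spaces and tabs at the ends of text lines, so a first triage pass over the recovered .txt files can flag files whose lines end in tab-bearing whitespace runs. The thresholds, function names and sample bytes are assumptions constructed for illustration.

```python
from pathlib import Path

# Constructed sample inputs (not taken from the case image).
SAMPLE_CLEAN = b"Bus leaves at 9:15.\r\nReturn trip at 17:40.\r\n"
SAMPLE_PADDED = (b"Bus leaves at 9:15.\t   \t     \t  \r\n"
                 b"Return trip at 17:40. \t      \t \t    \r\n"
                 b"Bring a coat.\t \t       \t   \r\n")


def trailing_whitespace_profile(data: bytes) -> dict:
    """Summarise the space/tab runs that sit between text and line ending."""
    lines = data.splitlines()  # handles \n, \r\n and \r
    runs = []
    for line in lines:
        tail = line[len(line.rstrip(b" \t")):]
        if tail:
            runs.append(tail)
    return {
        "lines": len(lines),
        "lines_with_trailing_ws": len(runs),
        "runs_with_tabs": sum(1 for r in runs if b"\t" in r),
        "trailing_bytes": sum(len(r) for r in runs),
    }


def looks_like_whitespace_stego(profile: dict, min_tab_runs: int = 3,
                                min_bytes: int = 16) -> bool:
    """Assumed triage rule: several tab-bearing runs carrying enough bytes.

    Stray trailing spaces left by an editor stay below it; a hit means
    "examine this file", not proof of a hidden message.
    """
    return (profile["runs_with_tabs"] >= min_tab_runs
            and profile["trailing_bytes"] >= min_bytes)


def scan_tree(root: str) -> list:
    """Return (path, profile) for each flagged .txt file under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".txt":
            profile = trailing_whitespace_profile(path.read_bytes())
            if looks_like_whitespace_stego(profile):
                hits.append((str(path), profile))
    return hits


if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("padded", SAMPLE_PADDED)):
        p = trailing_whitespace_profile(blob)
        print(name, p, looks_like_whitespace_stego(p))
```

Point `scan_tree` at a read-only mount or exported copy of the image, in line with the write-blocker reminder in these slides.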
         Roadblocks cont’d
 • Secure drives
   • Cryptainer LE
 • Excerpt from Cypherix, makers of Cryptainer LE:
   • “Creates an encrypted container (vault) to store any type of data.
   • 128 bit strong encryption
   • Simple drag and drop operation
   • Easy to use, Impossible to break.
   • The best part - It is FREE – Never Expires. No Nag screens.”
                    Evidence
 • Possible use of Stego / Crypto / PGP
 • Extensive research into picking up women, and chatting among a young(er) crowd, young-adult
 • Traces of a virtual machine
   • If the virtual drive is destroyed there is almost no chance of data recovery
                    Where else?
 • Bedroom
   • bus schedules, ticket stubs, ticket receipts, travel brochures, etc;
   • diary or other written journal
   • cell phone/PDA
   • clothes
   • school books and notebooks

 • Online accounts (chat, email, etc)
                    Who else?
 • Friends from school

 • Contacts from online chat
   • Really_hot_penguin
   • Really_creamy_cookie

 • Cell phone contacts/recent call numbers

 • Get more info on girl from family
Reminders
YOU ARE NOT A PSYCHOLOGIST
     • That being said, the contents of the drive are somewhat suspicious for a teenage girl
     • Also, people are crazy
Standard warnings apply
     • Write blocker
     • Chain of custody
     • Documentation
            CONCLUSION
 • No solid evidence of kidnapping, but foul play not ruled out, either

				