Computer Forensics – A case anal

Document Sample
Computer Forensics – A case anal Powered By Docstoc
					Computer Forensics –
  A case analysis

       As presented by
     Det. R. McWhorter
 Bexar County Sheriff’s Office
    High Tech Crimes Unit
This analysis will walk us through each
step of an actual case which involved the
use of computers to facilitate several
types of crime.
The names, where ever possible, have been changed as to not
further victimize the complainants.

                  A citizen contacts the Sheriff’s Office to report
                  that he received a credit report which shows an
                  address different than his and an employer he
                  has never heard of. The complaint reviews his
                  credit card bills and identifies unauthorized
                  charges to his account.

  The officer write his report and forwards it to the Criminal
  Investigations division.
Law Enforcement agencies during the course of an
investigation have to show that they have a legal right to
request certain information. This is so that private
companies can protect themselves and the clients from
undue search and seizure or disclosure of the personal
For this reason some information requested requires
investigators to get the “okay “ from the court. This is done
through the use of a court order known as a subpoena
Subpoena- a writ commanding a person designated in it to
appear in court under a penalty for failure
Generally there is an option to produce the records
requested in lieu of appearing in court.
The report identifies the company of IOMEGA as one at
which a transaction was completed using the credit card of
the complainant the other charge was to NetZero for internet

Subpoenas were sent to
NETZERO & IOMEGA, requesting all information surround
in the transaction completed with the CC ####-####-####-
To include the IP address or telephone number from which
the transaction originated, shipping addresses, connection
logs user identifications and passwords.
The next step of the investigation was to research the address
listed as the complainants home.

                                      Which turns out to be a lot
                                      with 3 mail boxes and two
                                      trailers one of which is
A meeting with the one resident who lives on the property
stated the address I was looking for had been moved away
several weeks ago and the owner had asked her to keep the
mail . A review of the mail provided about 20 different
names.She also stated that several UPS and FedEx trucks
have come by an dropped off packages.
One of the names happened to be the Doctor from the
Credit report of the complainant. After contacting the
doctor it was established that every name on the pieces of
mail was a former patient of the Doctor’s, while he worked
at a different Medical Group.
A subsequent review of all the names and additional
information showed that the point of compromise for
the data about our original complainant and his credit
information was going to be the Medical Group.

           But How ? And Who?

After meeting with the Doctor who owned the practice
I went over the architecture of his medical record
storage and the practices in place to protect the patients
The paper records for the business were locked in a
very hot attic of the business and all of the data was
duplicated in an office computer network which was
not connected to the internet or any other outside
business. The office utilized a commercial software
package called “MOMS” ( medical office
management system).
A review of the paper files revealed that all the files
for the victims where properly filed and not missing
from there sealed containers.

What’s the only other option for
the compromise of the data? HINT
the FBI says they are responsible
for 55% of all loss
If you said an insider you would be right ! Now I have to
interview every employee who had access to the computer
You may ask why didn’t you check the audit logs for file
access and modification and compare them to the user log
on files maybe even the work station user logs.

ANSWER- Because the system was antiquated and
did not have those options or they did not have them turned

            TURN ON LOGGING,
               SPACE IS CHEAP
 After interviewing all the employees two suspects were
 identified : A disgruntled former secretary and the owner’s
 son who also was the system administrator.

Remember this
picture of a country
road in the middle of                           Secretary
Atascosa County,
Well both suspects
and the address used
for the fraud are right
next to each other

About this time the responses from the subpoenas come back

Realize the specific requests from Law
Enforcement about internet & ecommerce
activities are researched and answered by
the administrators and technicians from
the private companies the victim or
criminal utilized
So if your company is called upon to
assistance will you be ready and do you
know what will be asked of you?
The subpoena from IOMEGA shows a shipping address
consistent with the same address used for the other fraud and
and IP address collected by their server at a specific time. The
time happens to be in EDT. The connection logs from ICG
Nethead, which is the actual ISP for Net Zero in this region,
show a connection to the internet for their user at a specific
time GMT. The information provided by ICG also showed the
ANI (automatic number identification) for the user who dialed
into the ISP. Another subpoena was sent out to the phone
company for the subscriber information and outgoing dialed
numbers for the specific dates and times Which were provided
in UTC.

here in San Antonio?
ANSWER- Depends, Currently we are
Central Daylight Time which is UTC
(Universal Time Coordinated) –5 hrs.
When we switch back to standard time
we will be UTC -6
Further investigation into both suspects and after
interviewing both it was determined that only one of the
suspects had the technological knowledge to access the data
base of the medical group retrieve all to information
necessary and make purchases online and establish credit
online in the names of the victims. And finally the phone
number which dialed into the ISP was always the home
office of the Medical Groups owner. Which is the location at
which the suspect, his son lived prior to moving next to the
fraud drop zone.

Now we know who and where he did it
what next?
Just like with the information which was
protected, so the locations which have the
evidence of the crimes and the profit
from them. The Constitution protects the
public against unlawful search and
seizure . So we need a
Actually two: one for the Doctors house
and one for his son’s new trailer
As the investigator with all the facts of the
case I write out and affidavit for a Search
affidavit - a sworn statement in writing made
especially under oath or on affirmation before an
authorized magistrate or officer

Search Warrant gives me the right to look
for the evidence and fruits of the crime.
The following special consideration presented to the court gives
me the right to conduct the forensic evaluation of the computers
       Based upon Affiant’s knowledge, training, and experience, and experience of other law enforcement
personnel, Affiant knows that in order to completely and accurately retrieve data maintained in computer
hardware or on computer software, all computer equipment, peripherals, related instructions in the form of
manuals and notes, as well as the software utilized to operate such a computer, must be seized and subsequently
processed by a qualified computer specialist in an appropriate setting. Accordingly, it
is very often necessary to take all computer hardware and software found at the suspected location in order to
have it examined in a qualified forensic environment. Such will sometimes be the only way that items such as
previously sent and received e-mails can be effectively recovered from a computer or its password, can be
encrypted, or could have been previously “deleted.” In light of these concerns, Affiant requests the Court’s
permission to seize at the search location all the computer hardware, software, and peripherals that are believed to
potentially contain some or all of the contraband, or instrumentalities described in the warrant, and to conduct an
offsite search of these computer materials for such evidence. Affiant intends to transport all such seized computer
materials to a qualified forensic facility for imaging and analysis by experts.
       Additionally, Affiant believes that evidence of violations of Texas Penal Code Section 32.31 & 32.51 are
contained or concealed in tapes, cassettes, cartridges, streaming tape, commercial software and manuals,
hardware, computer disks, disk drives, monitors, computer printers, modems, tape drives, disk applications
programs, data disks, system disk operating systems, magnetic media-floppy disks, tape systems, digital cameras,
hard drives, digital cameras, and other computer related operating equipment located at the suspected place.
Now based upon the facts presented and discovered during the
  course of this investigation it is necessary to examine any
  information which may be relevant to the commission of
  multiple crimes and contained in the computers or electronic
  storage devices.

Where do I get started with the forensic
1. Well you already have by having
   technicians gather the stored electronic
   records about the connections and
2. You have obtained the legal
   authority to examine the computers
   based upon your search warrant
NOTE: Legal authority my be based upon a number
of factors depending on;
•the location of the computer,
•its use,
•the actual owner,
•the possible content,
•use policy of your business
3. Following sound forensic practices, in
   this situation of having a stand alone
   personal PC with the power off The
   hard drive is :
1. Removed
2. Photographed
3. Inspected
4. Imaged ( by using a forensic software package
  and a hardware write blocking device)
The rest of the electronic storage media
or evidence was acquired by the same
processes as not to alter its state. In this
case the storage media was :
•Two HDD
•Two ZIP250 Disks
•6 floppies
When a forensic image is made it is
necessary to verify the integrity of the
original evidence and to insure that the
image is exactly the same, this is done by
“hashing” or getting a hash value for all the
Now we know we have an exact image
of the evidence so we store the original
evidence and begin to search our image
for clues.
This can be done by the means of any
number of forensic tools. The tool I
used in this case was Guidance
Software’s EnCase ®
The manner in which these automated
tools work must be understood prior to
their use.
WHY? Because when the Judge asks
you how did it do that you have to be
able to explain it.
This is why it is important to develop
the ability to understand the way in
which a computer works and stores
Lets get on with the forensic examination
and what we found.
What are we looking for?
•Victims Names
•Credit card numbers
•Ecommerce Web pages
         Lets start with web pages. When a page
         is stored in you computer what does it
         look like and were would it be?
<html> <head> <script language="JavaScript"> function ChangeIfUtf8(Utf8InCookies) { var URL =
document.location.href; var strUtf8 = "utf8="; var index = URL.indexOf(strUtf8); var inCookie = Utf8InCookies;
if(index>0) { var indexValue = index + strUtf8.length; if (indexValue+1 < URL.length) { if (URL.charAt(index-1) ==
"?") URL = URL.substring(0,index) + URL.substring(indexValue+2); else URL = URL.substring(0,index-1) +
URL.substring(indexValue+1); } else { URL = URL.substring(0,index-1); } } var IsFirst = URL.indexOf("?"); if
(IsFirst>0) strUtf8 = "&" + strUtf8; else strUtf8 = "?" + strUtf8; if (inCookie=="0" && document.charset=="utf-8") {
URL = URL + strUtf8 + "1"; if (URL != document.location.href) { window.location.replace(URL); var wHnd ="", "",
=no"); wHnd.close(); } } else if (inCookie=="1" && document.charset!="utf-8") { URL = URL + strUtf8 + "0"; if (URL

      HTML code usually found in the temp
      internet file, swap or unallocated space.
      What is this?
You will notice that the page is incomplete
that is because not all images referenced in
the page are available , but this web based
email is what we call evidence!!
The following are few other web pages
recreated from html code left in various
Another area in which clues can be found are
in the cookies a computer collects during its
web connections
Just like web pages images are nothing
more than stored code. How are these
images found. We search for the header
information which identifies the file type

JPEG Header           Created with
                      Photoshop 3.0
They say that an image is worth a
thousand words imagine the story the
following images are telling
There are a few other files which also
proved to be of interest such as
MSWord documents which are headed

This subject kept track of his victims by
writing down what he had done with each
ones information
Other areas in which things are stored are
areas which the operating has used in the
past but does not keep track of the data
that was once there. Primarily these areas
File Slack- The area left at the end of a
cluster when a file is written
Unallocated space-space which is not
currently listed in the FAT or indices or
being directly accessed.
  File slack works like this:
  Suppose a cluster is 512 mb and a file is
  400mb the 400mb file is deleted and a
  250mb file is written at the same location

The OS only sees the red file but the end of
the blue file was not over written and is
The unallocated space is often time the
portion of the hard drive the OS has
designated as the virtually memory
location and during the session the OS
identifies this area by physical address.
So no references to the area are
identified but the still contain data.
Such as the following patient list which
had been converted to a document and
added to with the actions and history of
our criminal.
This patient list was actual never stored on
the system it was viewed on, it had been
down loaded by using an external ZIP 250
drive which was not present at the time of
the seizure but evidence that it had been
connected remained in the form of a link
file. The drive was later found in the
suspects vehicle along a zip disc containing
the entire data base from the medical group
This presentation by no means gives a
complete list of all the action which took
place during this investigation, but you can
see how one person has utilized a limited
knowledge to compromise the personal
information of hundreds of people and
started an investigation which caused the
use of computer forensics at several
different levels
If you only get a few things from this it
should be:
•Turn on Logging, Space is Cheap
•Details are important keep good business
•Have the lawful authority before you act
•If you are going to conduct a forensic
     evaluation KNOW WHAT YOU ARE