Darwinism via Forensics
Bill Dean, CCE Senior Manager, LBMC Information Security
February 7, 2017
People Make Dumb Decisions With Today’s Technology
2
Today's Agenda
Digital Forensics Basics
How Does It Work?
Applicable Case Studies
"Pro" Tips Along the Way
This Will Not Be Boring
3
Recovering/Analyzing Deleted Information
Keyword Searching
Digital Communications
Internet Activities
Pictures/Movies
File Activity
External Storage Usage
Metadata/EXIF Data
Application Execution Histories
Anti-Forensics Efforts
4
Computers
Servers
Memory
Mobile Devices
Cloud Storage
Removable Media
GPS Devices
Watches/FitBits
7
Keyword Searching
Valuable, But Boring
Very Flexible
Stemming
Fuzzy
Synonym
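The three search options named on this slide, stemming, fuzzy matching and synonym expansion, are what make keyword searching flexible rather than a plain string match. The following is an added example, not code from the presentation or from any LBMC tool: a small keyword searcher that applies each expansion over a few constructed lines of recovered text. The suffix list, the synonym table and the sample lines are all made up for illustration; a real tool ships a full stemmer and thesaurus.

```python
"""Keyword search with the expansions a forensic search tool offers:
stemming, fuzzy matching and synonyms.

Added example for this page (not code from the presentation or from any
LBMC tool). The sample lines, the suffix list and the synonym table are
constructed for illustration.
"""
import re

# Constructed sample: lines as they might come back from text extracted
# out of recovered documents and chat logs. Fabricated for illustration.
SAMPLE_TEXT = [
    "Copied the project designs to the thumb drive last night",
    "Keep the duplicate set off the office network",
    "Shipped the desgn files to the new employer via Dropbox",
    "Quarterly budget review moved to Thursday",
]

SUFFIXES = ("ing", "ed", "es", "s")   # tiny illustrative stemmer, not Porter

# Constructed synonym table; a real tool ships a thesaurus.
SYNONYMS = {
    "copy": {"duplicate", "clone"},
    "design": {"drawing", "schematic", "blueprint"},
}


def stem(word):
    """Strip one common suffix and fold a trailing 'i' back to 'y'
    (copied -> copi -> copy), so inflected forms share a stem."""
    w = word.lower()
    for suf in SUFFIXES:
        if w.endswith(suf) and len(w) - len(suf) >= 3:
            w = w[: -len(suf)]
            break
    return w[:-1] + "y" if w.endswith("i") else w


def edit_distance(a, b):
    """Levenshtein distance; fuzzy search tolerates small misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def term_matches(word, term, stemming, fuzzy):
    w = word.lower()
    if w == term:
        return True
    if stemming and stem(w) == stem(term):
        return True
    # Only fuzz terms long enough that one edit is unlikely to turn them
    # into a different word entirely ("desgn" ~ "design", not "cat" ~ "cut").
    if fuzzy and len(term) >= 5 and edit_distance(w, term) <= 1:
        return True
    return False


def keyword_search(lines, term, stemming=False, fuzzy=False, synonyms=False):
    """Return (line_index, matched_word) for each line that hits `term`
    under the selected expansions. One hit per line is reported."""
    wanted = {term.lower()}
    if synonyms:
        wanted |= SYNONYMS.get(term.lower(), set())
        wanted |= SYNONYMS.get(stem(term), set())
    hits = []
    for idx, line in enumerate(lines):
        for word in re.findall(r"[A-Za-z']+", line):
            if any(term_matches(word, t, stemming, fuzzy) for t in wanted):
                hits.append((idx, word))
                break
    return hits


if __name__ == "__main__":
    for opts in ({}, {"stemming": True}, {"fuzzy": True}):
        print("design", opts, keyword_search(SAMPLE_TEXT, "design", **opts))
    print("copy + stemming + synonyms",
          keyword_search(SAMPLE_TEXT, "copy", stemming=True, synonyms=True))
```

A plain search for "design" hits nothing in the sample; stemming picks up "designs", fuzzy matching also picks up the misspelled "desgn", and the synonym table turns a search for "copy" into a hit on "duplicate". The length threshold on fuzzy matching is the knob that keeps short terms from drowning the hit list in noise.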
8
Digital Communications
Conventional Email
Webmail (Gmail, Hotmail, etc.)
Associated Attachments
Social Network Communications
We Will Discuss TXT Messaging Later
9
Internet Activities
Tells a Story
We Know What You Are Thinking
Google Keeps Your Search Histories (and More)
We Recover Deleted Internet Histories
We Don't Care Which Browser You Use
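"Google keeps your search histories" is literally true on the local disk as well: the search terms sit in the URLs of the browser's history database. The following is an added example, not code from the presentation, that reads a Chrome/Chromium History file (a SQLite database), converts its timestamps, and pulls the Google queries out of the visited URLs. To run offline it builds an in-memory stand-in with only the columns it reads (urls.id, urls.url, urls.title, urls.last_visit_time, visits.url, visits.visit_time) and constructed visits; load_history opens a copied real file instead.

```python
"""Read Chrome/Chromium's 'History' SQLite file: every visit with a
readable UTC time, and the Google queries hidden in the URLs.

Added example for this page, not from the presentation. It builds a small
in-memory database with the columns this code reads and constructed
visits, so it runs offline. Copy the real History file out of the profile
first; Chrome keeps it open while it runs.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC
# (the Windows FILETIME epoch), not since the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Constructed sample visits (fabricated, not from any real case).
SAMPLE_VISITS = [
    ("https://www.google.com/search?q=how+to+copy+a+folder+to+a+usb+drive",
     "how to copy a folder to a usb drive - Google Search",
     datetime(2016, 12, 2, 22, 14, 5, tzinfo=timezone.utc)),
    ("https://www.dropbox.com/downloading", "Dropbox - Downloading",
     datetime(2016, 12, 10, 19, 5, 41, tzinfo=timezone.utc)),
    ("https://www.google.com/search?q=does+my+employer+see+deleted+files&hl=en",
     "does my employer see deleted files - Google Search",
     datetime(2016, 12, 22, 6, 30, 12, tzinfo=timezone.utc)),
]


def build_sample_history():
    """In-memory stand-in for a Chrome History file (schema trimmed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    for n, (url, title, when) in enumerate(SAMPLE_VISITS, 1):
        ts = datetime_to_webkit(when)
        db.execute("INSERT INTO urls VALUES (?, ?, ?, 1, ?)", (n, url, title, ts))
        db.execute("INSERT INTO visits VALUES (?, ?, ?, 0)", (n, n, ts))
    db.commit()
    return db


def load_history(path):
    """Open a copied History file read-only (never the live one)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def visit_timeline(db):
    """(utc datetime, url, title) for every visit, oldest first."""
    sql = """SELECT v.visit_time, u.url, u.title
             FROM visits v JOIN urls u ON v.url = u.id
             ORDER BY v.visit_time"""
    return [(webkit_to_datetime(t), url, title) for t, url, title in db.execute(sql)]


def google_queries(db):
    """Pull the search terms out of Google search URLs in the timeline."""
    found = []
    for when, url, _title in visit_timeline(db):
        parts = urlparse(url)
        if parts.netloc.endswith("google.com") and parts.path == "/search":
            q = parse_qs(parts.query).get("q")
            if q:
                found.append((when, q[0]))
    return found


if __name__ == "__main__":
    for when, query in google_queries(build_sample_history()):
        print(when.isoformat(), query)
```

The epoch conversion is the part people get wrong: a Chrome timestamp fed to a Unix-epoch converter lands centuries off. Deleted rows are not in these tables; recovering them means carving the free pages of the SQLite file, which is what "we recover deleted internet histories" refers to.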
10
Suspected Affair
Suspect Learned About the Investigation
Didn't Matter
282 Facebook Chat Messages Recovered
Exactly What Was Suspected
11
Workplace Injury
"Diminished Quality of Life"
Internet Research
Personal Pictures
12
File Activity
Creation
Modification
Accessed
Deleted
Opened
13
External Storage Usage
We Know Every USB Device Used
First and Last Times Used
Model and Serial Number
16
12/22 – Employee Resigned from Company
12/02 – Google Search for "Is ____ a good company to work
12/10 – Copied "Projects" Folder to Desktop
Folder Contained 5000+ Proprietary Designs
17
12/22 @ 1:10AM – Laptop was powered on
12/22 @ 1:11AM – Laptop recognized USB drive
12/22 @ 1:13AM – The "Projects" folder was moved to USB
12/22 @ 2:03AM – Laptop was powered off
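The "we know every USB device used" slide and the timeline above come from the same two steps: recover each device's model, serial number and first-connection time from the Windows setup log, then merge those events with file-system and power events into one ordered list. The following is an added example, not code from the presentation or from any LBMC tool. The setupapi.dev.log excerpt follows the real file's layout, but every vendor, serial, path and time in it is constructed, as are FILE_EVENTS and POWER_EVENTS; the "any drive letter other than C: is removable" rule in flag_removable_copies is an assumption for the demo.

```python
"""Which USB storage devices were ever plugged in, and when each first
appeared, from setupapi.dev.log; then line that up with file-system and
power events on one timeline.

Added example for this page, not from the presentation. The log excerpt
follows the real file's layout but every device, serial, path and time in
it is constructed; so are FILE_EVENTS and POWER_EVENTS. Feed
parse_setupapi a copied C:\\Windows\\inf\\setupapi.dev.log to use it for real.
"""
import re
from datetime import datetime, timedelta

SETUPAPI_SAMPLE = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530012345678901234&0]
>>>  Section start 2016/12/22 01:11:05.482
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2016/12/22 01:11:07.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a3b4c5d&0&0000]
>>>  Section start 2016/12/23 09:02:41.003
<<<  Section end 2016/12/23 09:02:42.917
<<<  [Exit status: SUCCESS]
"""

DEVICE_RE = re.compile(
    r">>>\s+\[Device Install \(Hardware initiated\) - "
    r"USBSTOR\\Disk&Ven_([^&]+)&Prod_([^&]+)&Rev_([^\\]+)\\([^\]]+)\]", re.I)
START_RE = re.compile(r">>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_setupapi(text):
    """One record per device instance, keyed on its first install section.
    Times in setupapi.dev.log are local time, not UTC."""
    devices = {}
    pending = None
    for line in text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            pending = m.groups()
            continue
        m = START_RE.search(line)
        if m and pending:
            vendor, product, revision, instance = pending
            pending = None
            if instance in devices:          # later sections are re-plugs
                continue
            devices[instance] = {
                "vendor": vendor,
                "product": product.replace("_", " "),
                "revision": revision,
                # A '&' as the second character means the device had no
                # serial number and Windows generated the instance ID.
                "serial": None if instance[1] == "&" else instance.split("&")[0],
                "first_install": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
            }
    return list(devices.values())


# Constructed events from other sources (file-system journal, event log).
FILE_EVENTS = [
    (datetime(2016, 12, 10, 14, 22, 0), "copy",
     r"\\fileserver\Engineering\Projects", r"C:\Users\jdoe\Desktop\Projects"),
    (datetime(2016, 12, 22, 1, 13, 0), "move",
     r"C:\Users\jdoe\Desktop\Projects", r"E:\Projects"),
]
POWER_EVENTS = [
    (datetime(2016, 12, 22, 1, 10, 0), "system powered on"),
    (datetime(2016, 12, 22, 2, 3, 0), "system powered off"),
]


def build_timeline(usb_devices, file_events, power_events):
    """Merge everything into (time, source, description), oldest first."""
    events = []
    for d in usb_devices:
        serial = d["serial"] or "none (Windows-generated ID)"
        events.append((d["first_install"], "setupapi",
                       f"USB first connected: {d['vendor']} {d['product']} serial={serial}"))
    events += [(t, "filesystem", f"{op} {src} -> {dst}") for t, op, src, dst in file_events]
    events += [(t, "eventlog", desc) for t, desc in power_events]
    return sorted(events)


def flag_removable_copies(usb_devices, file_events, window=timedelta(minutes=30)):
    """File operations landing on a non-C: drive within `window` after a
    USB device first appeared. Assumption for the demo: C: is the only
    fixed drive, so any other letter is treated as removable."""
    flagged = []
    for t, op, src, dst in file_events:
        if not re.match(r"^[D-Z]:\\", dst):
            continue
        for d in usb_devices:
            if d["first_install"] <= t <= d["first_install"] + window:
                flagged.append((t, op, src, dst, d["serial"]))
    return flagged


if __name__ == "__main__":
    devices = parse_setupapi(SETUPAPI_SAMPLE)
    for when, source, what in build_timeline(devices, FILE_EVENTS, POWER_EVENTS):
        print(when, source.ljust(10), what)
    print("flagged:", flag_removable_copies(devices, FILE_EVENTS))
```

The second device in the sample shows the caveat: cheap flash drives often ship without a serial number, so Windows invents an instance ID and the device cannot be matched to one physical stick. The registry's USBSTOR keys carry the same identifiers plus last-connection times, which is where "first and last times used" comes from.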
18
Application Execution Histories
We Know the First Execution Date/Time
We Know the Last Execution Date/Time
We Know How Many Executions
We Know What User Executed the Application
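One of the artifacts behind this slide is the UserAssist key in each user's NTUSER.DAT, which records, per program, a run count and a last-run FILETIME under a ROT13-encoded name; because it lives in the user's own hive, it also answers "which user ran it". The following is an added example, not code from the presentation, that decodes such a value. The value name and binary blob are constructed in the Windows 7+ 72-byte layout (a 16-byte Windows XP sample is included too), and the known-folder GUID table is a short excerpt; read the real values with a registry parser and pass them in. First-run times come from other artifacts (Prefetch, for instance), not from UserAssist.

```python
"""Decode a UserAssist registry value: which program ran, how many times,
and when it last ran. UserAssist lives in each user's NTUSER.DAT under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count,
so the hive it came from identifies the user.

Added example for this page, not from the presentation. The value name
and blob below are constructed in the Windows 7+ (72-byte) layout; the
known-folder GUID table is a small excerpt.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Value names start with a KnownFolder GUID; a few common ones.
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
}


def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def resolve_known_folder(path):
    head, sep, tail = path.partition("\\")
    return KNOWN_FOLDERS.get(head.upper(), head) + sep + tail


def decode_userassist(value_name, data):
    """value_name is the ROT13 name as stored; data is the raw REG_BINARY."""
    program = resolve_known_folder(codecs.decode(value_name, "rot13"))
    if len(data) == 72:                       # Windows 7 and later
        run_count, = struct.unpack_from("<I", data, 4)
        filetime, = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:                     # Windows XP: count starts at 5
        raw_count, = struct.unpack_from("<I", data, 4)
        run_count = max(raw_count - 5, 0)
        filetime, = struct.unpack_from("<Q", data, 8)
    else:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    return {
        "program": program,
        "run_count": run_count,
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def make_sample_value(program, run_count, last_run):
    """Constructed 72-byte value for the offline demo: session id, run
    count, focus count, focus time, ten floats + unknown dword,
    last-run FILETIME, trailing 0xFFFFFFFF."""
    name = codecs.encode(program, "rot13")
    data = (struct.pack("<IIII", 0, run_count, 3, 42000)
            + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\xff" * 4)
    return name, data


SAMPLE_NAME, SAMPLE_DATA = make_sample_value(
    "{6D809377-6AF0-444B-8957-A3773F02200E}\\Acme Designer\\DESIGNER.EXE",
    17, datetime(2016, 12, 22, 1, 15, 30, tzinfo=timezone.utc))

# Constructed Windows XP-style value: raw count 22 means 17 real runs,
# last run at the Unix epoch.
SAMPLE_XP_DATA = struct.pack("<IIQ", 0, 22, 116444736000000000)


if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
    print(decode_userassist(SAMPLE_NAME, SAMPLE_XP_DATA))
```

The ROT13 step is why a raw registry dump looks like gibberish under this key; the real program paths are one `codecs.decode` away. A zero FILETIME means the entry exists but no last-run time was recorded, which is why the decoder returns None rather than 1601-01-01.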
19
Employee Resigned on May 6, 2011
Google Query: "How do I link another email account to Gmail"
Copied Sensitive Information to USB
DropBox Installed March 3, 2011
DropBox Uninstalled May 6, 2011
23
Analysis of Home Machine
Business Secrets "Synchronized"
Copied Sensitive Information to USB
Copied to USB Drive on May 7, 2011
DropBox Uninstalled May 6, 2011
24
Metadata/EXIF Data
"Information about Information"
Email
Spreadsheets
Office Documents
Pictures
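For Office documents the "information about information" is plain XML inside the zip container: docProps/core.xml carries the author, last editor, creation and modification times and revision count, and docProps/app.xml carries the application, company and total editing time. The following is an added example, not code from the presentation, that reads those properties and applies the consistency checks an examiner runs on them. It builds a minimal .docx-style zip in memory with constructed property values so it runs offline; hand read_office_metadata the bytes of a real .docx, .xlsx or .pptx instead.

```python
"""Read the metadata Office documents carry in docProps/core.xml and
docProps/app.xml and flag the inconsistencies an examiner looks for.

Added example for this page, not from the presentation. It builds a
minimal .docx-style zip in memory with constructed property values so it
runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed core/app property parts (values are fabricated).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Projects - master list</dc:title>
<dc:creator>J. Doe</dc:creator>
<cp:lastModifiedBy>jdoe-home</cp:lastModifiedBy>
<cp:revision>14</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2016-11-30T14:02:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2016-12-22T01:12:30Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>
<Company>Acme Engineering</Company><TotalTime>95</TotalTime></Properties>""".format(**NS)


def build_sample_docx():
    """Just enough of an OOXML package for the metadata parts to be read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def _w3cdtf(value):
    """OOXML dates are W3CDTF, usually with a trailing Z for UTC."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def read_office_metadata(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml")) if "docProps/app.xml" in z.namelist() else None
    meta = {
        "title": _text(core, "dc:title"),
        "creator": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "revision": int(_text(core, "cp:revision") or 0),
        "created": _w3cdtf(_text(core, "dcterms:created")),
        "modified": _w3cdtf(_text(core, "dcterms:modified")),
        "application": None, "company": None, "edit_minutes": None,
    }
    if app is not None:
        meta["application"] = _text(app, "ep:Application")
        meta["company"] = _text(app, "ep:Company")
        total = _text(app, "ep:TotalTime")
        meta["edit_minutes"] = int(total) if total else None
    return meta


def metadata_red_flags(meta):
    """The checks that turn metadata into questions for a deposition."""
    flags = []
    if meta["creator"] and meta["last_modified_by"] and meta["creator"] != meta["last_modified_by"]:
        flags.append("author differs from last editor")
    if meta["created"] and meta["modified"] and meta["modified"] < meta["created"]:
        flags.append("modified before created (clock change or tampering)")
    if meta["revision"] > 1 and meta["edit_minutes"] == 0:
        flags.append("multiple revisions but zero recorded editing time")
    return flags


if __name__ == "__main__":
    m = read_office_metadata(build_sample_docx())
    for k, v in m.items():
        print(f"{k:17} {v}")
    print("flags:", metadata_red_flags(m))
```

In the constructed sample the author and the last editor differ, which is the kind of discrepancy that puts a document on a home machine the employee said never touched it. The timestamps here are whatever the editing application wrote, so they are evidence of what the application believed the clock said, not of the file system's own times; compare them with the MAC times from the File Activity slide.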
28
Anti-Forensics Efforts
Effort to Conceal/Destroy
Most Often Noticeable
Special Programs
System Utilities
31
Young Attorney Marries Established Businessman
We Need to "Monitor" the Children
Speculation of a "Plan"
32
http://www.goklg.com/2012/08/01/ex-spouse-hit-with-20k-in-damages-for-email- eavesdropping-klumb-v-goan/
33
All Computers Involved
Hundreds of Yahoo! Mail Emails Recovered
Discrepancies in Emails Produced in Discovery
"I don't have a USB drive"
Conflicting Antenuptial Agreements
http://cyb3rcrim3.blogspot.com/2012/08/eblaster-wiretapping-and-prenup.html
34
Company Ownership Split
Competing Company Knew "Everything"
Thought Offices Were Bugged
35
11/10 – Employee Dismissed (All Access Not Removed)
1/24 – Someone Connected and "Cracked" Passwords
1/25 – Someone Installed Remote Control Software
36
2/20 – Connected to Computer
Placed Online Orders
Searched for More Credit Card Info
39
Suspected Affair
iMessage Communications
Borrowed Son's iPad
Entire Conversation Synced