company a few years ago. I'm a forensic examiner. I've done thousands and thousands of exams.

I'm an expert witness in state and federal court and I like cats and my name is Eric

Robi. >> AUDIENCE: Hi, Eric!

>> ERIC ROBI: Hi. About this other guy. >> MICHAEL PERKLIN: Hi, I'm Michael Perklin.

You may remember from past DEF CONs from ACL Steganography. I'm a forensic examiner, cyber

crime investigator, security professional. I've also done thousands of exams. And I like

to break things. A lot. (Chuckles.)

>> ERIC ROBI: Don't break my cat. All right. So our agenda today. We've got seven amazing

stories full of fail. We are going to learn something about forensic techniques. That's

what we do. The fails are brought to you by both the suspect and the examiner. We'll get

into that in a little bit. The names have been changed to protect the idiots on both

sides. We actually changed some of the facts to protect the idiots. It seemed like a good

thing to do, basically. Because fail was not just one-dimensional, we found many dimensions

of fail in our research. We decided we need to create a fail matrix.

(Laughter.) >> ERIC ROBI: To explain how the fail ... I'm

going to explain how the fail matrix works. The first level of fail is the user retard

level. Oh, my God, I spelled that wrong! (Laughter.)

>> MICHAEL PERKLIN: Drink! Drink! For the record, he was responsible for the keynote

presentation. So this is definitely his fail. >> ERIC ROBI: This is my fail. I get ten points.

So the punishment level depends on what happens. So this particular guy lost the case. Dollars,

distress caused, let's give this 15 points. And bonus points are whatever the fuck I feel

like doing. His girlfriend left him in this case. So he gets 35 points.

Let's get into the first one. This is the "it wasn't me" defense. You may have heard

this one before. All right. So we do a lot of commercial litigation. And a really typical

kind of case is a trade secrets case. This is a typical example of that. This guy Bob,

he was working in sales at ac me. He resigned his position and decided to go work for a

competitor. This happens all the time. And some allegations were made by his employer

that he took some trade secrets. He took the customer list with him to his new company.

It happens. So Bob says I got nothing to hide. Come at

me, bros. He didn't exactly say that, but I'm paraphrasing.

We started imaging the drive and planning the examination. One thing we frequently do

is we look for deleted file and unallocated space. That's the part of the drive that can

typically contain a deleted file. When you hit shift delete and it doesn't go away, it

ends up in unallocated space. We look for stuff there. Something we do, we look for

recently used files by common programs by Word, Excel, Acrobat and so forth and USB

device insertion. We look to see how trade secrets got from acme to the new company.

The drive finished imaging and I'll share something really cool today, DEF CON exclusive,

worldwide premiere, we found a new wiping pattern.

(Laughter.) (Cheers and applause.)

>> ERIC ROBI: This is actually real. I'm not making this up. This is real.

So Bob apparently had used some kind of data destruction program that can over write every

bit of space, unallocated space. He used a pattern that, however, was not really commonly

used by Windows or any other utilities I've seen. Might have been something custom. So

you know, I thought: Hmm, this might suggest something bad was happening here. Let's maybe

take another closer look at this. (Chuckles.)

>> ERIC ROBI: We are going to zoom in on this and look at this on a molecular level now.

(Applause.) (Laughter.)

>> ERIC ROBI: I think we need to zoom in a little bit more.

(Laughter.) >> ERIC ROBI: So what have we learned in I

admit the first part, there was no Sarah Palin in this case. Data destruction can almost

always be detected even if you don't use a repeating pattern, it's detectable. We see

it all the time. Artifacts can be left behind that are part of the pattern.

We might not know what you destroyed, but we'll know you destroyed something.

Oops. This is the mic. There you go. And all of a sudden it doesn't work very well. Mean

phrases make people dislike you. >> MICHAEL PERKLIN: What about the fail matrix?

>> ERIC ROBI: We have to do the fail matrix. Da da da.

12. Pretty retarded, I think. The guy lost the case. He got sued. Under $100,000. So

not a huge amount of economic distress. I didn't give him any bonus points here. It

just wasn't that good. He gets 27. >> MICHAEL PERKLIN: I think I'll do --

>> ERIC ROBI: It's already a fail. (Laughter.)

>> MICHAEL PERKLIN: I think we can blame that guy who gave me the beer.

All right. So this case is a lot of fun. I didn't expect it to be fun when it started

out. It ended up being a lot of fun. I call it the Nickel Back guy. You'll see why in

a second. Another case of stolen confidential documents.

This guy, let's call him John. He left one company to go work for a direct competitor.

And his old company hired us to go in and take a look at his --

>> ERIC ROBI: Can we get audio for this? By the way, we need audio for this segment. Turn

it on? >> MICHAEL PERKLIN: So the company where he

left, they asked us to take a look at his work computer to look for signs of data exfiltration.

We, he worked on a lot of confidential projects and they wanted to make sure that he wasn't

taking these confidential projects to the competitor and letting them know what they

were doing. So, right. I totally said all that.

Why is this not working? There it is. We opened up the hard drive to start the analysis and

we started finding all the same stuff that you typically find on a work computer. Work

stuff, sure, some evidence of Facebooking. He's got an MP3 collection. He listened to

music while he was at work. Typical stuff. We found the confidential documents that we

were asked to make sure that he didn't take. So that was to be expected because he did

the work on this computer. And almost immediately something jumped out at me. And we will get

into why it jumped out at me in a second, but his music collection became very interesting

to me. Not because I love Nickel Back, but because -- well, again, we'll get into that.

>> ERIC ROBI: That would be fail. >> MICHAEL PERKLIN: Yeah. I'm Canadian, too,

so I ... yeah, Nickel Back is from Canada. >> AUDIENCE: (Speaker away from microphone.)

>> MICHAEL PERKLIN: Yeah, take a closer look at this photo, something may jump out at you

as well. These are MP3s, just songs, but the size of the files is a little bit off.

>> ERIC ROBI: What's wrong here? >> MICHAEL PERKLIN: Extended play Nickel Back.

This guy loved the Nickel Back. These are actually AVI files.

>> AUDIENCE: (Speaker away from microphone.) >> MICHAEL PERKLIN: These are AVI file that

is he just renamed. John assumed nobody would listen to his Nickel Back MP3s. That's a good

assumption because nobody would listen to his Nickel Back MP3s. He was hiding something.

But what was he hiding? (Music playing.)

>> MICHAEL PERKLIN: Pregger porn. This guy was looking at pregger porn. These were full-length

feature films of pregnant ladies banging. And they were like, there was a ton of them

all over this guy's hard drive. >> AUDIENCE: (Speaker away from microphone.)

>> MICHAEL PERKLIN: We did have top analyze them to see what they were.

(Laughter.) >> MICHAEL PERKLIN: But I will say that the

specific techniques that we used to analyze, they're trade secrets. I can't tell you how

much depth we went into when we were analyzing them. Yeah, seems that John did a lot more

than work on his confidential project on that computer. We had to tell the company that

over the last three years while he was working there on this confidential project, he was

also doing other stuff. They were pretty happy that he left anyway.

(Laughter.) >> MICHAEL PERKLIN: All right. What have we

learned? Examiners, when we take a look at files on a computer, we don't typically look

at it in the nested folder structure. Like we don't have to go into every single subfolder,

go back, go to other subfolders, back it out. We have a big long list. It makes it easier

to analyze stuff. One of the very first things we always run is Codifile Signature Analysis.

This is a special script that looks at the contents of every final and compares what

is inside the file with the extension. If there's any discrepancies, those files are

bumped up to the top of the list to be looked at because the system knows if these don't

match, something may not be right here and a human should take a look at this.

I just said those things and so at the end of the day John's attempt at hiding his pregger

porn bumped it up to the top of the list for me to look at. If you're going to hide something,

don't just change the file name. That makes me want to look at it even more.

So the fail matrix. (Laughter.)

>> MICHAEL PERKLIN: The retard level, I would say 12. Again renaming a file is not data

hiding. If up want to hide data, come to my Steg ACL course.

The new company where he landed, he lost his job there. Distress caused was zero. Didn't

really hurt anybody. What you choose to do on your own time is up to you. Although he

chose to do it. >> ERIC ROBI: You know what the bonus points

are going to be for, don't you? >> MICHAEL PERKLIN: There are some bonus points.

About a nickel's worth. (Laughter.)

(Loud buzzer.) >> MICHAEL PERKLIN: Grand total of 30 fail

points. >> ERIC ROBI: That is the fail sound. Thank

you. By the way, do you like the font that we're using? Comic Sans. Nobody uses Comic

Sans. It's the most under appreciated font in presentations.

>> MICHAEL PERKLIN: I don't know why we don't see Comic Sans in more presentation settings.

>> ERIC ROBI: We're bringing it back. Let's look at the "just bill me later" case.

Our client, the ABC firm, out-sourced a key part of their business. Have been doing it

many years. And the part of their business that they are out-sourcing is on a time and

materials basis. So there's a lot of invoices with ours and rates. And that's basically

it. It was several million dollars a year on average that was being billed. Our client

started a review project because they thought they were being over billed. They thought

there might be a little inflation and they wanted to figure out why things were looking

inflated. They looked at some of the individual bills and thought things were taking a little

bit too long. So we came in and we decided to help.

So they had thousands and thousands and thousands of PDF format invoices. That's not going to

do us a lot of good. Even if we applied optical character recognition to it, we have unstructured

data. I can search a few PDFs, but tens of thousands of them, it's you have to to do

anything with that. We didn't have a lot of clues with this one.

Through the magic of court order we were able to go to the customer's database, their network

and get an image of everything in the network including a billing database.

Which turned out to be very handy. We made a forensic copy of this database. It was not

a -- it was in a proprietary format. In order for us to do forensic analysis in a database

we need to get it into something like SQL where we can do standard queries. We migrated

over and did standard queries. Looking at it, there's no way to compare the PDFs to

the database. We decided to reverse engineer the tables in the database. Sometimes it's

easy, but sometimes there are thousands and thousands of tables and when you don't have

tech support of developers, you have to figure it out. It's a slow, laborious process. We

did figure it out. We noticed that the audit logs were turned on in this which happened

to be particularly useful. So we ran a lot of queries and versus the

time billed versus the audit logs. We found a pattern of inflation going on. Basically

when you are billing on time and materials, all you're doing is you've got either hours

or you've got a rate. And those are the two things and they inflated.

(Loud noise.) >> ERIC ROBI: So these are the two things

that you can change there. You can change time. Or you can change the rate. But we found

the audit logs were turned off by default and the IT folks, bless the IT folks, they

turned the audit logs on which was helpful because we do a lot of database forensic cases

and this is the only one where the audit logs were turned on. We were able to compare basically