>> ERIC ROBI: Talk is about forensic fails. I'm this guy. Over here. I founded an eDiscovery
company a few years ago. I'm a forensic examiner. I've done thousands and thousands of exams.
I'm an expert witness in state and federal court and I like cats and my name is Eric Robi.
>> AUDIENCE: Hi, Eric!
>> ERIC ROBI: Hi. About this other guy.
>> MICHAEL PERKLIN: Hi, I'm Michael Perklin.
You may remember from past DEF CONs from ACL Steganography. I'm a forensic examiner, cyber
crime investigator, security professional. I've also done thousands of exams. And I like
to break things. A lot. (Chuckles.)
>> ERIC ROBI: Don't break my cat. All right. So our agenda today. We've got seven amazing
stories full of fail. We are going to learn something about forensic techniques. That's
what we do. The fails are brought to you by both the suspect and the examiner. We'll get
into that in a little bit. The names have been changed to protect the idiots on both
sides. We actually changed some of the facts to protect the idiots. It seemed like a good
thing to do, basically. Because fail was not just one-dimensional, we found many dimensions
of fail in our research. We decided we need to create a fail matrix.
(Laughter.)
>> ERIC ROBI: To explain how the fail ... I'm
going to explain how the fail matrix works. The first level of fail is the user retard
level. Oh, my God, I spelled that wrong! (Laughter.)
>> MICHAEL PERKLIN: Drink! Drink! For the record, he was responsible for the keynote presentation. So this is definitely his fail.
>> ERIC ROBI: This is my fail. I get ten points.
So the punishment level depends on what happens. So this particular guy lost the case. Dollars,
distress caused, let's give this 15 points. And bonus points are whatever the fuck I feel
like doing. His girlfriend left him in this case. So he gets 35 points.
Let's get into the first one. This is the "it wasn't me" defense. You may have heard
this one before. All right. So we do a lot of commercial litigation. And a really typical
kind of case is a trade secrets case. This is a typical example of that. This guy Bob,
he was working in sales at Acme. He resigned his position and decided to go work for a
competitor. This happens all the time. And some allegations were made by his employer
that he took some trade secrets. He took the customer list with him to his new company.
It happens. So Bob says I got nothing to hide. Come at
me, bros. He didn't exactly say that, but I'm paraphrasing.
We started imaging the drive and planning the examination. One thing we frequently do
is we look for deleted files and unallocated space. That's the part of the drive that can
typically contain a deleted file. When you hit shift delete and it doesn't go away, it
ends up in unallocated space. We look for stuff there. Something we do, we look for
recently used files by common programs like Word, Excel, Acrobat and so forth and USB
device insertion. We look to see how trade secrets got from Acme to the new company.
The drive finished imaging and I'll share something really cool today, DEF CON exclusive,
worldwide premiere, we found a new wiping pattern.
(Laughter.) (Cheers and applause.)
>> ERIC ROBI: This is actually real. I'm not making this up. This is real.
So Bob apparently had used some kind of data destruction program that can overwrite every
bit of space, unallocated space. He used a pattern that, however, was not really commonly
used by Windows or any other utilities I've seen. Might have been something custom. So
you know, I thought: Hmm, this might suggest something bad was happening here. Let's maybe
take another closer look at this. (Chuckles.)
>> ERIC ROBI: We are going to zoom in on this and look at this on a molecular level now.
(Applause.) (Laughter.)
>> ERIC ROBI: I think we need to zoom in a little bit more.
(Laughter.)
>> ERIC ROBI: So what have we learned? In, I admit, the first part, there was no Sarah Palin in this case. Data destruction can almost
always be detected even if you don't use a repeating pattern, it's detectable. We see
it all the time. Artifacts can be left behind that are part of the pattern.
We might not know what you destroyed, but we'll know you destroyed something.
Oops. This is the mic. There you go. And all of a sudden it doesn't work very well. Mean
phrases make people dislike you.
>> MICHAEL PERKLIN: What about the fail matrix?
>> ERIC ROBI: We have to do the fail matrix. Da da da.
12. Pretty retarded, I think. The guy lost the case. He got sued. Under $100,000. So
not a huge amount of economic distress. I didn't give him any bonus points here. It
just wasn't that good. He gets 27.
>> MICHAEL PERKLIN: I think I'll do --
>> ERIC ROBI: It's already a fail.
(Laughter.)
>> MICHAEL PERKLIN: I think we can blame that guy who gave me the beer.
All right. So this case is a lot of fun. I didn't expect it to be fun when it started
out. It ended up being a lot of fun. I call it the Nickelback guy. You'll see why in
a second. Another case of stolen confidential documents.
This guy, let's call him John. He left one company to go work for a direct competitor.
And his old company hired us to go in and take a look at his --
>> ERIC ROBI: Can we get audio for this? By the way, we need audio for this segment. Turn it on?
>> MICHAEL PERKLIN: So the company where he
left, they asked us to take a look at his work computer to look for signs of data exfiltration.
We, he worked on a lot of confidential projects and they wanted to make sure that he wasn't
taking these confidential projects to the competitor and letting them know what they
were doing. So, right. I totally said all that.
Why is this not working? There it is. We opened up the hard drive to start the analysis and
we started finding all the same stuff that you typically find on a work computer. Work
stuff, sure, some evidence of Facebooking. He's got an MP3 collection. He listened to
music while he was at work. Typical stuff. We found the confidential documents that we
were asked to make sure that he didn't take. So that was to be expected because he did
the work on this computer. And almost immediately something jumped out at me. And we will get
into why it jumped out at me in a second, but his music collection became very interesting
to me. Not because I love Nickelback, but because -- well, again, we'll get into that.
>> ERIC ROBI: That would be fail.
>> MICHAEL PERKLIN: Yeah. I'm Canadian, too, so I ... yeah, Nickelback is from Canada.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: Yeah, take a closer look at this photo, something may jump out at you
as well. These are MP3s, just songs, but the size of the files is a little bit off.
>> ERIC ROBI: What's wrong here?
>> MICHAEL PERKLIN: Extended play Nickelback. This guy loved the Nickelback. These are actually AVI files.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: These are AVI files that he just renamed. John assumed nobody would listen to his Nickelback MP3s. That's a good
assumption because nobody would listen to his Nickelback MP3s. He was hiding something.
But what was he hiding?
(Music playing.)
>> MICHAEL PERKLIN: Pregger porn. This guy was looking at pregger porn. These were full-length
feature films of pregnant ladies banging. And they were like, there was a ton of them
all over this guy's hard drive.
>> AUDIENCE: (Speaker away from microphone.)
>> MICHAEL PERKLIN: We did have to analyze them to see what they were.
(Laughter.)
>> MICHAEL PERKLIN: But I will say that the
specific techniques that we used to analyze, they're trade secrets. I can't tell you how
much depth we went into when we were analyzing them. Yeah, seems that John did a lot more
than work on his confidential project on that computer. We had to tell the company that
over the last three years while he was working there on this confidential project, he was
also doing other stuff. They were pretty happy that he left anyway.
(Laughter.)
>> MICHAEL PERKLIN: All right. What have we
learned? Examiners, when we take a look at files on a computer, we don't typically look
at it in the nested folder structure. Like we don't have to go into every single subfolder,
go back, go to other subfolders, back it out. We have a big long list. It makes it easier
to analyze stuff. One of the very first things we always run is called File Signature Analysis.
This is a special script that looks at the contents of every file and compares what
is inside the file with the extension. If there's any discrepancies, those files are
bumped up to the top of the list to be looked at because the system knows if these don't
match, something may not be right here and a human should take a look at this.
I just said those things and so at the end of the day John's attempt at hiding his pregger
porn bumped it up to the top of the list for me to look at. If you're going to hide something,
don't just change the file name. That makes me want to look at it even more.
So the fail matrix.
(Laughter.)
>> MICHAEL PERKLIN: The retard level, I would say 12. Again renaming a file is not data
hiding. If you want to hide data, come to my Steg ACL course.
The new company where he landed, he lost his job there. Distress caused was zero. Didn't
really hurt anybody. What you choose to do on your own time is up to you. Although he
chose to do it.
>> ERIC ROBI: You know what the bonus points are going to be for, don't you?
>> MICHAEL PERKLIN: There are some bonus points. About a nickel's worth.
(Laughter.)
(Loud buzzer.)
>> MICHAEL PERKLIN: Grand total of 30 fail points.
>> ERIC ROBI: That is the fail sound. Thank
you. By the way, do you like the font that we're using? Comic Sans. Nobody uses Comic
Sans. It's the most under appreciated font in presentations.
>> MICHAEL PERKLIN: I don't know why we don't see Comic Sans in more presentation settings.
>> ERIC ROBI: We're bringing it back. Let's look at the "just bill me later" case.
Our client, the ABC firm, out-sourced a key part of their business. Have been doing it
many years. And the part of their business that they are out-sourcing is on a time and
materials basis. So there's a lot of invoices with hours and rates. And that's basically
it. It was several million dollars a year on average that was being billed. Our client
started a review project because they thought they were being over billed. They thought
there might be a little inflation and they wanted to figure out why things were looking
inflated. They looked at some of the individual bills and thought things were taking a little
bit too long. So we came in and we decided to help.
So they had thousands and thousands and thousands of PDF format invoices. That's not going to
do us a lot of good. Even if we applied optical character recognition to it, we have unstructured
data. I can search a few PDFs, but tens of thousands of them, it's ... you have to ... to do
anything with that. We didn't have a lot of clues with this one.
Through the magic of court order we were able to go to the customer's database, their network
and get an image of everything in the network including a billing database.
Which turned out to be very handy. We made a forensic copy of this database. It was not
a -- it was in a proprietary format. In order for us to do forensic analysis in a database
we need to get it into something like SQL where we can do standard queries. We migrated
over and did standard queries. Looking at it, there's no way to compare the PDFs to
the database. We decided to reverse engineer the tables in the database. Sometimes it's
easy, but sometimes there are thousands and thousands of tables and when you don't have
tech support or developers, you have to figure it out. It's a slow, laborious process. We
did figure it out. We noticed that the audit logs were turned on in this which happened
to be particularly useful. So we ran a lot of queries and versus the
time billed versus the audit logs. We found a pattern of inflation going on. Basically
when you are billing on time and materials, all you're doing is you've got either hours
or you've got a rate. And those are the two things and they inflated.
(Loud noise.)
>> ERIC ROBI: So these are the two things
that you can change there. You can change time. Or you can change the rate. But we found
the audit logs were turned off by default and the IT folks, bless the IT folks, they
turned the audit logs on which was helpful because we do a lot of database forensic cases
and this is the only one where the audit logs were turned on. We were able to compare basically