
>> ERIC ROBI: This talk is about forensic fails. I'm this guy, over here. I founded an eDiscovery company a few years ago. I'm a forensic examiner. I've done thousands and thousands of exams. I'm an expert witness in state and federal court, and I like cats, and my name is Eric Robi.

>> AUDIENCE: Hi, Eric!

>> ERIC ROBI: Hi. About this other guy.

>> MICHAEL PERKLIN: Hi, I'm Michael Perklin. You may remember me from past DEF CONs from ACL Steganography. I'm a forensic examiner, cyber crime investigator, security professional. I've also done thousands of exams. And I like to break things. A lot. (Chuckles.)

>> ERIC ROBI: Don't break my cat. All right. So, our agenda today. We've got seven amazing stories full of fail. We are going to learn something about forensic techniques. That's what we do. The fails are brought to you by both the suspect and the examiner. We'll get into that in a little bit. The names have been changed to protect the idiots on both sides. We actually changed some of the facts to protect the idiots. It seemed like a good thing to do, basically. Because fail was not just one-dimensional, we found many dimensions of fail in our research. We decided we need to create a fail matrix.

(Laughter.)

>> ERIC ROBI: To explain how the fail ... I'm going to explain how the fail matrix works. The first level of fail is the user retard level. Oh, my God, I spelled that wrong!

(Laughter.)

>> MICHAEL PERKLIN: Drink! Drink! For the record, he was responsible for the keynote presentation. So this is definitely his fail.

>> ERIC ROBI: This is my fail. I get ten points. So the punishment level depends on what happens. So this particular guy lost the case. Dollars, distress caused, let's give this 15 points. And bonus points are whatever the fuck I feel like doing. His girlfriend left him in this case. So he gets 35 points.

Let's get into the first one. This is the "it wasn't me" defense. You may have heard this one before. All right. So we do a lot of commercial litigation. And a really typical kind of case is a trade secrets case. This is a typical example of that. This guy Bob, he was working in sales at Acme. He resigned his position and decided to go work for a competitor. This happens all the time. And some allegations were made by his employer that he took some trade secrets. He took the customer list with him to his new company. It happens.

So Bob says, I got nothing to hide. Come at me, bros. He didn't exactly say that, but I'm paraphrasing.

We started imaging the drive and planning the examination. One thing we frequently do is we look for deleted files and unallocated space. That's the part of the drive that can typically contain a deleted file. When you hit shift-delete and it doesn't go away, it ends up in unallocated space. We look for stuff there. Something else we do, we look for recently used files by common programs, by Word, Excel, Acrobat and so forth, and USB device insertion. We look to see how trade secrets got from Acme to the new company.

The drive finished imaging, and I'll share something really cool today, DEF CON exclusive, worldwide premiere: we found a new wiping pattern.

(Laughter.) (Cheers and applause.)

>> ERIC ROBI: This is actually real. I'm not making this up. This is real.

So Bob apparently had used some kind of data destruction program that can overwrite every bit of space, unallocated space. He used a pattern, however, that was not really commonly used by Windows or any other utilities I've seen. Might have been something custom. So you know, I thought: Hmm, this might suggest something bad was happening here. Let's maybe take another, closer look at this. (Chuckles.)

>> ERIC ROBI: We are going to zoom in on this and look at this on a molecular level now.

(Applause.) (Laughter.)

>> ERIC ROBI: I think we need to zoom in a little bit more.

(Laughter.)

>> ERIC ROBI: So what have we learned? I admit, in the first part, there was no Sarah Palin in this case. Data destruction can almost always be detected. Even if you don't use a repeating pattern, it's detectable. We see it all the time. Artifacts can be left behind that are part of the pattern. We might not know what you destroyed, but we'll know you destroyed something.

Oops. This is the mic. There you go. And all of a sudden it doesn't work very well. Mean phrases make people dislike you.

>> MICHAEL PERKLIN: What about the fail matrix?

>> ERIC ROBI: We have to do the fail matrix. Da da da. 12. Pretty retarded, I think. The guy lost the case. He got sued. Under $100,000. So not a huge amount of economic distress. I didn't give him any bonus points here. It just wasn't that good. He gets 27.

>> MICHAEL PERKLIN: I think I'll do --

>> ERIC ROBI: It's already a fail. (Laughter.)

>> MICHAEL PERKLIN: I think we can blame that guy who gave me the beer.

All right. So this case is a lot of fun. I didn't expect it to be fun when it started out. It ended up being a lot of fun. I call it the Nickelback guy. You'll see why in a second. Another case of stolen confidential documents. This guy, let's call him John. He left one company to go work for a direct competitor. And his old company hired us to go in and take a look at his --

>> ERIC ROBI: Can we get audio for this? By the way, we need audio for this segment. Turn it on?

>> MICHAEL PERKLIN: So the company he left, they asked us to take a look at his work computer to look for signs of data exfiltration. He worked on a lot of confidential projects and they wanted to make sure that he wasn't taking these confidential projects to the competitor and letting them know what they were doing. So, right. I totally said all that.

Why is this not working? There it is. We opened up the hard drive to start the analysis and we started finding all the same stuff that you typically find on a work computer. Work stuff, sure, some evidence of Facebooking. He's got an MP3 collection. He listened to music while he was at work. Typical stuff. We found the confidential documents that we were asked to make sure that he didn't take. So that was to be expected, because he did the work on this computer. And almost immediately something jumped out at me. And we will get into why it jumped out at me in a second, but his music collection became very interesting to me. Not because I love Nickelback, but because -- well, again, we'll get into that.

>> ERIC ROBI: That would be fail.

>> MICHAEL PERKLIN: Yeah. I'm Canadian, too, so I ... yeah, Nickelback is from Canada.

>> AUDIENCE: (Speaker away from microphone.)

>> MICHAEL PERKLIN: Yeah, take a closer look at this photo, something may jump out at you as well. These are MP3s, just songs, but the size of the files is a little bit off.

>> ERIC ROBI: What's wrong here?

>> MICHAEL PERKLIN: Extended play Nickelback. This guy loved the Nickelback. These are actually AVI files.

>> AUDIENCE: (Speaker away from microphone.)

>> MICHAEL PERKLIN: These are AVI files that he just renamed. John assumed nobody would listen to his Nickelback MP3s. That's a good assumption, because nobody would listen to his Nickelback MP3s. He was hiding something. But what was he hiding? (Music playing.)

>> MICHAEL PERKLIN: Pregger porn. This guy was looking at pregger porn. These were full-length feature films of pregnant ladies banging. And there was a ton of them all over this guy's hard drive.

>> AUDIENCE: (Speaker away from microphone.)

>> MICHAEL PERKLIN: We did have to analyze them to see what they were.

(Laughter.)

>> MICHAEL PERKLIN: But I will say that the specific techniques that we used to analyze them, they're trade secrets. I can't tell you how much depth we went into when we were analyzing them. Yeah, seems that John did a lot more than work on his confidential project on that computer. We had to tell the company that over the last three years while he was working there on this confidential project, he was also doing other stuff. They were pretty happy that he left anyway.

(Laughter.)

>> MICHAEL PERKLIN: All right. What have we learned? Examiners, when we take a look at files on a computer, we don't typically look at it in the nested folder structure. Like, we don't have to go into every single subfolder, go back, go to other subfolders, back it out. We have a big long list. It makes it easier to analyze stuff. One of the very first things we always run is called File Signature Analysis. This is a special script that looks at the contents of every file and compares what is inside the file with the extension. If there are any discrepancies, those files are bumped up to the top of the list to be looked at, because the system knows if these don't match, something may not be right here and a human should take a look at this.

I just said those things, and so at the end of the day John's attempt at hiding his pregger porn bumped it up to the top of the list for me to look at. If you're going to hide something, don't just change the file name. That makes me want to look at it even more.

So the fail matrix. (Laughter.)

>> MICHAEL PERKLIN: The retard level, I would say 12. Again, renaming a file is not data hiding. If you want to hide data, come to my Steg ACL course. The new company where he landed, he lost his job there. Distress caused was zero. Didn't really hurt anybody. What you choose to do on your own time is up to you. Although he chose to do it.

>> ERIC ROBI: You know what the bonus points are going to be for, don't you?

>> MICHAEL PERKLIN: There are some bonus points. About a nickel's worth. (Laughter.) (Loud buzzer.)

>> MICHAEL PERKLIN: Grand total of 30 fail points.

>> ERIC ROBI: That is the fail sound. Thank you. By the way, do you like the font that we're using? Comic Sans. Nobody uses Comic Sans. It's the most underappreciated font in presentations.

>> MICHAEL PERKLIN: I don't know why we don't see Comic Sans in more presentation settings.

>> ERIC ROBI: We're bringing it back. Let's look at the "just bill me later" case. Our client, the ABC firm, outsourced a key part of their business. They had been doing it for many years. And the part of their business that they are outsourcing is on a time and materials basis. So there's a lot of invoices with hours and rates. And that's basically it. It was several million dollars a year on average that was being billed. Our client started a review project because they thought they were being overbilled. They thought there might be a little inflation and they wanted to figure out why things were looking inflated. They looked at some of the individual bills and thought things were taking a little bit too long. So we came in and we decided to help.

So they had thousands and thousands and thousands of PDF format invoices. That's not going to do us a lot of good. Even if we applied optical character recognition to it, we have unstructured data. I can search a few PDFs, but tens of thousands of them, it's tough to do anything with that. We didn't have a lot of clues with this one.

Through the magic of court order we were able to go to the customer's database, their network, and get an image of everything in the network including a billing database. Which turned out to be very handy. We made a forensic copy of this database. It was not a -- it was in a proprietary format. In order for us to do forensic analysis on a database we need to get it into something like SQL where we can do standard queries. We migrated it over and did standard queries. Looking at it, there's no way to compare the PDFs to the database. We decided to reverse engineer the tables in the database. Sometimes it's easy, but sometimes there are thousands and thousands of tables and when you don't have tech support or developers, you have to figure it out. It's a slow, laborious process. We did figure it out. We noticed that the audit logs were turned on in this, which happened to be particularly useful.

So we ran a lot of queries on the time billed versus the audit logs. We found a pattern of inflation going on. Basically, when you are billing on time and materials, all you're doing is you've got either hours or you've got a rate. And those are the two things, and they inflated.

(Loud noise.)

>> ERIC ROBI: So these are the two things that you can change there. You can change time. Or you can change the rate. But we found the audit logs were turned off by default and the IT folks, bless the IT folks, they turned the audit logs on, which was helpful because we do a lot of database forensic cases and this is the only one where the audit logs were turned on. We were able to compare basically