Digital Forensics and the Most Famous Egg: How did Humpty Dumpty fall?

Post on 25-Dec-2015



Digital Forensics and the Most Famous Egg

How did Humpty Dumpty fall?

Humpty Dumpty sat on a wall,
Humpty Dumpty had a great fall.

All the king's horses and all the king's men
Couldn't put Humpty together again.

Reasons for Humpty’s Fall

• He was pushed
• He jumped
• He was inebriated
• The wall was structurally unsound
• He faked his own demise

Agenda

• Chain of Custody
• Data Sources & Imaging
• Data Types
• Types of Cases
• What to Look For in a Forensic Provider

Chain of Custody

Data Sources

• Memory
• Hard Drives
– Rotational v. SSD
– RAID
– Encryption
• Mobile
• Removable Media
• Cloud

Memory

• What was going through Humpty’s mind?

Hard Drives

Mobile

Removable Media

Cloud

What Do We Know?

• Largest egg producer
• We don’t have RAM
• We have his computer
• No encryption or RAID
• Always carried his smartphone
• Used a tablet at home and on the road
• Never seen using removable media
• Might have had cloud accounts

Data Types

• Actual Files
• Deleted Files
• Email
• Operating System Files

Actual Files

• DOCX, XLSX, PPTX, PDF, JPG
– Content
– Metadata
  • File System
  • File
• LNK
– Metadata

• CLUE: Keyword search for “poached” turns up 2 hits.

Deleted Files

• Can be found anywhere
• Due to both user and system activity
• Mass deletions in a short timeframe = RED FLAG
• Greater chance of recovery IF
– Less time since file deletion
– Less activity on the disk

• CLUE: Found deleted JPG.
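The deleted JPG above would typically be recovered by signature carving: scanning unallocated space for the JPEG start-of-image marker and cutting at the next end-of-image marker. The following is an added example illustrating that technique; it is not code from the presentation or from Vertigrate. It runs over a constructed byte buffer standing in for a raw disk image, and the `max_size` cap and the sample image contents are assumptions.

```python
"""Signature-based carving of JPEG files from a raw image buffer (added example)."""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker, followed by an APPn/other marker byte
JPEG_EOI = b"\xff\xd9"      # end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 20 * 1024 * 1024) -> list:
    """Return a list of carved JPEG candidates: offset, length and SHA-256.

    Limitations a practitioner should keep in mind: fragmented files are not
    reassembled, an Exif thumbnail embeds its own SOI/EOI pair, and a file whose
    EOI was overwritten is skipped (or bounded by max_size) rather than recovered.
    """
    results = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            # No plausible terminator for this header; move past it and keep scanning.
            pos = start + 1
            continue
        data = image[start:end + len(JPEG_EOI)]
        results.append({
            "offset": start,
            "length": len(data),
            # Hash the carved bytes so the recovered file can be tied back to the image.
            "sha256": hashlib.sha256(data).hexdigest(),
        })
        pos = end + len(JPEG_EOI)
    return results


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: zero filler, two minimal JPEGs
    (JFIF and Exif style headers with dummy payloads) and some leftover text."""
    jpeg1 = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_EOI
    jpeg2 = JPEG_SOI + b"\xe1\x00\x10Exif\x00\x00" + b"B" * 64 + JPEG_EOI
    filler = b"\x00" * 512
    return filler + jpeg1 + filler + b"unallocated text" + jpeg2 + filler


if __name__ == "__main__":
    for hit in carve_jpegs(build_sample_image()):
        print(f"offset={hit['offset']} length={hit['length']} sha256={hit['sha256']}")
```

On a real case the buffer would be read from a forensic image in chunks rather than loaded whole, and each carved file would be written out and hashed before any viewer touches it.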

Recovered Photo

Email Files

• Outlook
• Lotus Notes
• Windows Mail
• Mozilla Thunderbird
• Webmail

• CLUE: No email files, but webmail URLs found in Internet History.

Windows Operating System Files

• Registry
• Event Logs
• Browser
• LNK
• Prefetch
• MFT and USN Journal
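The "mass deletions in a short timeframe" red flag from the Deleted Files slide is usually confirmed from the USN Journal, since each FILE_DELETE reason code carries a timestamp. The block below is an added example of that check, not code from the presentation or from Vertigrate; it runs over constructed journal-style records (timestamp, file name, reason flags), and the 30-second gap and 10-deletion threshold are assumptions to tune per case.

```python
"""Flag bursts of file deletions in USN-journal-style records (added example)."""
from datetime import datetime, timedelta

# Reason flags as defined for the NTFS change journal (USN_RECORD.Reason).
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000


def deletion_bursts(records, gap=timedelta(seconds=30), threshold=10):
    """Group FILE_DELETE records into runs where consecutive deletions are at most
    `gap` apart, and return the runs holding at least `threshold` deletions.

    records: iterable of (timestamp, filename, reason_flags); order does not matter.
    """
    deletions = sorted(
        (ts, name) for ts, name, reason in records if reason & USN_REASON_FILE_DELETE
    )
    bursts, run = [], []

    def flush(run):
        if len(run) >= threshold:
            bursts.append({
                "start": run[0][0],
                "end": run[-1][0],
                "count": len(run),
                "sample": [name for _, name in run[:5]],
            })

    for ts, name in deletions:
        if run and ts - run[-1][0] > gap:
            flush(run)       # the quiet period ended this run
            run = []
        run.append((ts, name))
    flush(run)               # close the final run
    return bursts


def build_sample_journal():
    """Constructed records: routine hourly temp-file deletions during the day, a few
    non-deletion CLOSE records, then 25 document deletions within two minutes."""
    day = datetime(2015, 12, 18)  # constructed date
    records = []
    for hour in range(9, 17):
        ts = day + timedelta(hours=hour)
        records.append((ts, f"AppData\\Local\\Temp\\tmp{hour:02d}.tmp",
                        USN_REASON_FILE_DELETE | USN_REASON_CLOSE))
        records.append((ts + timedelta(minutes=5), f"Documents\\notes{hour:02d}.txt",
                        USN_REASON_CLOSE))  # closed, not deleted: must be ignored
    burst_start = day + timedelta(hours=22)
    for i in range(25):
        records.append((burst_start + timedelta(seconds=4 * i),
                        f"Documents\\Expansion\\draft_{i:02d}.docx",
                        USN_REASON_FILE_DELETE | USN_REASON_CLOSE))
    return records


if __name__ == "__main__":
    for burst in deletion_bursts(build_sample_journal()):
        print(f"{burst['count']} deletions between {burst['start']} and {burst['end']}")
        print("  e.g.", ", ".join(burst["sample"]))
```

The hourly temp-file deletions never cluster, so only the evening run is reported; on real journal data the same output gives the analyst a time window to line up against USB insertions, logons and browser history.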

Registry Analysis

• C:\Windows\System32\Config
• C:\Users\<user_name>\NTUSER.dat
• MRU & Jump Lists
• Shellbags
• USB History
• CLUE: New USB drive plugged in 7 days prior to Humpty’s death. Last plugged into the PC the morning of Humpty’s death. 2nd USB drive plugged in the same day.

Browser Artifacts

• Depends upon the browser
• IE, Firefox and Chrome
• All very different & rapidly changing
• Index.dat, SQLite, JSON

• CLUE: Carve for webmail content, but no meaningful fragments, BUT we find a new email address and domain that looks interesting.
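Chrome and Firefox keep browsing history in SQLite, so the "webmail URLs found in Internet History" clue comes down to a query plus a timestamp conversion (Chrome stores last_visit_time as microseconds since 1601-01-01 UTC, the WebKit epoch). The following is an added example, not code from the presentation or from Vertigrate: it builds a constructed in-memory copy of Chrome's `urls` table, converts the timestamps, and lists visits to webmail hosts. The shortlist of webmail hosts and the `mail.`/`webmail.` prefix heuristic are assumptions.

```python
"""Pull webmail visits out of a Chrome-style History database (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome/WebKit timestamps count microseconds from this epoch, not from 1970.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed shortlist; in a real case extend it with hosts found during review.
KNOWN_WEBMAIL_HOSTS = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}


def webkit_to_datetime(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def is_webmail_host(host: str) -> bool:
    host = host.lower()
    return host in KNOWN_WEBMAIL_HOSTS or host.startswith(("mail.", "webmail."))


def find_webmail_visits(conn: sqlite3.Connection) -> list:
    """Return rows whose host looks like webmail, oldest visit first, with readable times."""
    query = "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time"
    hits = []
    for url, title, visit_count, last_visit in conn.execute(query):
        host = urlparse(url).hostname or ""
        if is_webmail_host(host):
            hits.append({
                "host": host,
                "url": url,
                "title": title,
                "visit_count": visit_count,
                "last_visit": webkit_to_datetime(last_visit).isoformat(),
            })
    return hits


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Chrome History file (urls table schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
        "visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0, "
        "last_visit_time INTEGER, hidden INTEGER DEFAULT 0)"
    )
    base = datetime(2015, 12, 10, 9, 0, tzinfo=timezone.utc)  # constructed date
    rows = [
        ("https://www.example.com/news", "Example News", 12, base),
        ("https://mail.google.com/mail/u/0/#inbox", "Inbox", 40, base + timedelta(days=1)),
        ("https://webmail.example.net/login", "Webmail Login", 3, base + timedelta(days=2, hours=3)),
        ("https://www.example.org/recipes/hollandaise", "Hollandaise", 1, base + timedelta(days=3)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [(u, t, c, datetime_to_webkit(ts)) for u, t, c, ts in rows],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for hit in find_webmail_visits(build_sample_history()):
        print(hit["last_visit"], hit["host"], hit["url"])
```

Work from a copy of the History file, never the original, and note that an unfamiliar host such as the second hit here is exactly the "new email address and domain that looks interesting" the slide describes; the account itself still has to come from the provider, which is why the case turns to a subpoena.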

Mobile Artifacts

• Device Encryption & Passcodes
• Volatile Data
• ~2M apps between Android & iPhone
• Most rely on plist or SQLite structures
• Common ones are handled by mobile forensics suites

• CLUE: Words With Friends has a chat feature.

Removable Media

• Write-block it
• Physical image best, unless encrypted
• PC USB
• PC USB

• CLUE: Term sheet between Humpty Dumpty Eggs and Chicken Little Enterprises found.

What Do We Know?

• Pam’s recipe for Eggs Benedict from the Internet saved to the desktop.

• Deleted JPG originating from Humpty’s phone puts him at Chicken Little’s house when the thumb drive is inserted.

• Internet history reveals new email address. Subpoena shows communication with the baker about expansion plan.

• Words With Friends shows chat log with “Ace”
• 1st USB drive contains term sheet between Humpty Dumpty Eggs and Chicken Little Enterprises
• 2nd USB drive is unknown

HD & CL Hatch a Plan to Corner the Egg Market

• Humpty Dumpty and Chicken Little conspire to establish an egg cartel and expand.

• Part of the egg-spansion is into other food goods, like hollandaise.

• Humpty pretexts the baker with a phony email address to get his recipe. (Turns out it’s really PAM’s)

• Baker finds out about Humpty’s plans.
• Baker pushes Humpty and copies the recipe.
– Butcher & Candlestick maker both have alibis.

Push Button Forensics

Forensic Analysis

QUESTIONS?

Mike Lombardi, Vertigrate

mike@vertigrate.com
(602) 283-1212