Download CLUE: Term sheet between Humpty Dumpty Eggs

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts

Mobile business intelligence wikipedia , lookup

Disk formatting wikipedia , lookup

Computer file wikipedia , lookup

Transcript 
Digital Forensics and the Most
Famous Egg
How did Humpty Dumpty fall?
Humpty Dumpty sat on a wall,
Humpty Dumpty had a great fall.
All the king's horses and all the king's men
Couldn't put Humpty together again
Reasons for Humpty’s Fall
•
•
•
•
•
He was pushed
He jumped
He was inebriated
The wall was structurally unsound
He faked his own demise
Agenda
•
•
•
•
•
Chain of Custody
Data Sources & Imaging
Data Types
Types of Cases
What to Look For in Forensic Provider
Chain of Custody
Data Sources
• Memory
• Hard Drives
– Rotational v. SSD
– RAID
– Encryption
• Mobile
• Removable Media
• Cloud
Memory
• What was going through Humpty’s mind?
Hard Drives
Mobile
Removable Media
Cloud
What Do We Know?
•
•
•
•
•
•
•
•
Largest egg producer
We don’t have RAM
We have his computer
No encryption or RAID
Always carried his smartphone
Used a tablet at home and on the road
Never seen using removable media
Might have had cloud accounts
Data Types
•
•
•
•
Actual Files
Deleted Files
Email
Operating System Files
Actual Files
• DOCX, XLSX, PPTX, PDF, JPG
– Content
– Metadata
• File System
• File
• LNK
– Metadata
• CLUE: Keyword search for
“poached” turns up 2 hits.
Deleted Files
•
•
•
•
Can be found anywhere
Due to both user and system activity
Mass deletions in short timeframe = RED FLAG
Greater chance of recovery IF
– Less time from file deletion
– Less activity on the disk
• CLUE: Found deleted JPG.
Recovered Photo
Email Files
•
•
•
•
•
Outlook
Lotus Notes
Windows Mail
Mozilla Thunderbird
Webmail
• CLUE: No email files, but
webmail URL’s found in Internet
History.
Windows Operating System Files
•
•
•
•
•
•
Registry
Event Logs
Browser
LNK
Prefetch
MFT and USN Journal
Registry Analysis
•
•
•
•
•
•
C:\Windows\System32\Config
C:\Users\<user_name>\NTUSER.dat
MRU & Jump Lists
Shellbags
USB History
CLUE: New USB drive plugged in
7 days prior to Humpty’s death.
Last plugged into the PC the
morning of Humpty’s death. 2nd
USB drive plugged in same day.
Browser Artifacts
•
•
•
•
•
Depends upon the browser
IE, Firefox and Chrome
All very different & rapidly changing
Index.dat, SQLite, JSON
CLUE: Carve for webmail
content, but no meaningful
fragments, BUT we find a new
email address and domain that
looks interesting.
Mobile Artifacts
•
•
•
•
•
Device Encryption & Passcodes
Volatile Data
~2M app’s between Android & iPhone
Most rely on plist or SQLite structure
Common ones are handled by mobile
forensics suites
• CLUE: Words With Friends
has a chat feature.
Removable Media
•
•
•
•
Write-block it
Physical image best, unless encrypted
PC
USB
PC
USB
• CLUE: Term sheet between
Humpty Dumpty Eggs and
Chicken Little Enterprises
found.
What Do We Know?
• Pam’s recipe for Eggs Benedict from the Internet saved
to the desktop.
• Deleted JPG originating from Humpty’s phone puts him
at Chicken Little’s house when the thumb drive is
inserted.
• Internet history reveals new email address. Subpoena
shows communication with the baker about expansion
plan.
• Words With Friends shows chat log with “Ace”
• 1st USB drive contains term sheet between Humpty
Dumpty Eggs and Chicken Little Enterprises
• 2nd USB drive is unknown
HD & CL Hatch a Plan to Corner the
Egg Market
• Humpty Dumpty and Chicken Little conspire to
establish an egg cartel and expand.
• Part of the egg-spansion is into other food goods,
like hollandaise.
• Humpty pretexts the baker with a phony email
address to get his recipe. (Turns out it’s really PAM’s)
• Baker finds out about Humpty’s plans.
• Baker pushes Humpty and copies the recipe.
– Butcher & Candlestick maker both have alibies.
Push Button Forensics
Forensic Analysis
QUESTIONS?
Mike Lombardi
Vertigrate
[email protected]
(602) 283-1212
Related documents
Match My Souncls
Match My Souncls
Implementing a Humpty Dumpty Pediatric Falls Assessment™ in
Implementing a Humpty Dumpty Pediatric Falls Assessment™ in
The humpty dumpty fall scale
The humpty dumpty fall scale
Cheat Sheet: Humpty Dumpty Falls Scale Definitions
Cheat Sheet: Humpty Dumpty Falls Scale Definitions
The dog`s water dish was dry as a bone.
The dog`s water dish was dry as a bone.
Antigone by: Sophocles
Antigone by: Sophocles
***********8*** ***************************F***G***H***I***J***K***L
***********8*** ***************************F***G***H***I***J***K***L
Freecom Network Drive
Freecom Network Drive
scramble
scramble
Misunderstanding the Great Depression, making the next one
Misunderstanding the Great Depression, making the next one