
Computer Forensics – A case analysis

As presented by Det. R. McWhorter

Bexar County Sheriff’s Office High Tech Crimes Unit

This analysis will walk us through each step of an actual case which involved the use of computers to facilitate several types of crime.

The names, wherever possible, have been changed so as not to further victimize the complainants.

A citizen contacts the Sheriff’s Office to report that he received a credit report which shows an address different from his and an employer he has never heard of. The complainant reviews his credit card bills and identifies unauthorized charges to his account.

The officer writes his report and forwards it to the Criminal Investigations division.

Law enforcement agencies, during the course of an investigation, have to show that they have a legal right to request certain information. This is so that private companies can protect themselves and their clients from undue search and seizure or disclosure of personal information.

For this reason some of the information requested requires investigators to get the “okay” from the court. This is done through the use of a court order known as a subpoena.

Subpoena - a writ commanding a person designated in it to appear in court under a penalty for failure.

Generally there is an option to produce the records requested in lieu of appearing in court.

The report identifies IOMEGA as a company at which a transaction was completed using the complainant’s credit card; the other charge was to NetZero for internet service.

Subpoenas were sent to

NETZERO & IOMEGA, requesting all information surrounding the transaction completed with the CC ####-####-####-####,

to include the IP address or telephone number from which the transaction originated, shipping addresses, connection logs, user identifications and passwords.

The next step of the investigation was to research the address listed as the complainant’s home,

which turns out to be a lot with 3 mailboxes and two trailers, one of which is empty.

In a meeting, the one resident who lives on the property stated that the occupants of the address I was looking for had moved away several weeks ago and the owner had asked her to keep the mail. A review of the mail produced about 20 different names. She also stated that several UPS and FedEx trucks had come by and dropped off packages.

One of the names happened to be the Doctor from the complainant’s credit report. After contacting the Doctor it was established that every name on the pieces of mail was a former patient of the Doctor’s from the time he worked at a different Medical Group.

A subsequent review of all the names and additional information showed that the point of compromise for the data about our original complainant and his credit information was the Medical Group.

But How ? And Who?

After meeting with the Doctor who owned the practice, I went over the architecture of his medical record storage and the practices in place to protect the patients’ data.

The paper records for the business were locked in a very hot attic of the business, and all of the data was duplicated on an office computer network which was not connected to the internet or to any other outside business. The office utilized a commercial software package called “MOMS” (medical office management system).

A review of the paper files revealed that all the files for the victims were properly filed and not missing from their sealed containers.

What’s the only other option for the compromise of the data? HINT: the FBI says they are responsible for 55% of all loss.

If you said an insider, you would be right! Now I have to interview every employee who had access to the computer system.

You may ask: why didn’t you check the audit logs for file access and modification and compare them to the user logon records, maybe even the workstation user logs?

ANSWER - Because the system was antiquated and did not have those options, or they were not turned on.

TURN ON LOGGING,

SPACE IS CHEAP

After interviewing all the employees, two suspects were identified: a disgruntled former secretary and the owner’s son, who was also the system administrator.

Remember this picture of a country road in the middle of Atascosa County? Well, both suspects and the address used for the fraud are right next to each other.

(Map labels: Secretary, Fraud Address, Owner’s Son)

About this time the responses from the subpoenas come back in.

Realize that the specific requests from law enforcement about internet and e-commerce activities are researched and answered by the administrators and technicians of the private companies the victim or criminal utilized.

So if your company is called upon to assist, will you be ready, and do you know what will be asked of you?

The subpoena response from IOMEGA shows a shipping address consistent with the address used for the other fraud, and an IP address collected by their server at a specific time. That time happens to be in EDT. The connection logs from ICG Nethead, which is the actual ISP for NetZero in this region, show a connection to the internet for their user at a specific time in GMT. The information provided by ICG also showed the ANI (automatic number identification) for the user who dialed into the ISP. Another subpoena was sent to the phone company for the subscriber information and outgoing dialed numbers for the specific dates and times, which were provided in UTC.

TIME CODING is IMPORTANT! What are we here in San Antonio?

ANSWER - Depends. Currently we are on Central Daylight Time, which is UTC (Universal Time Coordinated) -5 hrs. When we switch back to standard time we will be UTC -6.
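As an added illustration (not part of the presentation), the following Python puts timestamps labelled EDT, GMT and UTC, as the three subpoena responses were, onto one UTC timeline and renders them in San Antonio local time using the offsets the slide gives. The record values are constructed samples, not the case’s data.

```python
from datetime import datetime, timedelta, timezone

# Hour offsets for the zone labels seen in the responses plus San Antonio's
# two local zones (CDT = UTC-5, CST = UTC-6, as the slide states).
ZONE_OFFSETS = {"EDT": -4, "EST": -5, "GMT": 0, "UTC": 0, "CDT": -5, "CST": -6}

def parse_stamped(text):
    """Turn 'YYYY-MM-DD HH:MM:SS ZONE' into an aware datetime in UTC.
    An unknown zone label is an error: never guess what a provider meant."""
    stamp, zone = text.rsplit(" ", 1)
    if zone not in ZONE_OFFSETS:
        raise ValueError(f"unknown zone label {zone!r} in {text!r}")
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSETS[zone])))
    return aware.astimezone(timezone.utc)

def to_local(utc_dt, local_zone="CDT"):
    """Render a UTC instant as San Antonio wall-clock time (CDT or CST)."""
    return utc_dt.astimezone(timezone(timedelta(hours=ZONE_OFFSETS[local_zone])))

def correlate(records, window=timedelta(minutes=10)):
    """Order records from different providers on one UTC timeline.
    Returns (rows, consistent): rows are (source, utc, local) sorted by time;
    consistent is True when every event falls inside `window` of the others,
    i.e. the dial-in, the ISP session and the order plausibly belong together."""
    rows = sorted((parse_stamped(stamp), source) for source, stamp in records)
    spread = rows[-1][0] - rows[0][0]
    return [(source, dt, to_local(dt)) for dt, source in rows], spread <= window

# Constructed sample records; the real case values are not on the slide.
SAMPLE = [
    ("IOMEGA order server (EDT)", "2002-07-15 21:47:12 EDT"),
    ("ICG NetHead connection log (GMT)", "2002-07-16 01:41:03 GMT"),
    ("telephone company dial record (UTC)", "2002-07-16 01:40:30 UTC"),
]

if __name__ == "__main__":
    rows, consistent = correlate(SAMPLE)
    for source, utc_dt, local_dt in rows:
        print(f"{utc_dt:%Y-%m-%d %H:%M:%S} UTC  {local_dt:%Y-%m-%d %H:%M:%S} CDT  {source}")
    # Read naively, the IOMEGA stamp looks like the evening of the 15th and the
    # dial-in like the 16th; on the UTC line they are about six minutes apart.
    print("events consistent:", consistent)
```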

After further investigation into both suspects and interviews with each, it was determined that only one of the suspects had the technological knowledge to access the database of the Medical Group, retrieve all the information necessary, make purchases online and establish credit online in the names of the victims. And finally, the phone number which dialed into the ISP was always the home office of the Medical Group’s owner, which is the location at which the suspect, his son, lived prior to moving next to the fraud drop zone.

Now we know who did it and where. What next?

Just as the information itself was protected, so are the locations which hold the evidence of the crimes and the profits from them. The Constitution protects the public against unlawful search and seizure. So we need a

SEARCH WARRANT!

Actually two: one for the Doctor’s house and one for his son’s new trailer.

As the investigator with all the facts of the case, I write out an affidavit for a Search Warrant.

Affidavit - a sworn statement in writing made especially under oath or on affirmation before an authorized magistrate or officer.

The Search Warrant gives me the right to look for the evidence and fruits of the crime.

The following special consideration presented to the court gives me the right to conduct the forensic evaluation of the computers seized:

B. THE FOLLOWING CONSIDERATIONS AND PRACTICALITIES GOVERN THE MANNER OF THE EXECUTION OF THE SEARCH WARRANT:

Based upon Affiant’s knowledge, training, and experience, and experience of other law enforcement personnel, Affiant knows that in order to completely and accurately retrieve data maintained in computer hardware or on computer software, all computer equipment, peripherals, related instructions in the form of manuals and notes, as well as the software utilized to operate such a computer, must be seized and subsequently processed by a qualified computer specialist in an appropriate setting. Accordingly, it is very often necessary to take all computer hardware and software found at the suspected location in order to have it examined in a qualified forensic environment. Such will sometimes be the only way that items such as previously sent and received e-mails can be effectively recovered from a computer or its password, can be encrypted, or could have been previously “deleted.” In light of these concerns, Affiant requests the Court’s permission to seize at the search location all the computer hardware, software, and peripherals that are believed to potentially contain some or all of the contraband, or instrumentalities described in the warrant, and to conduct an offsite search of these computer materials for such evidence. Affiant intends to transport all such seized computer materials to a qualified forensic facility for imaging and analysis by experts.

Additionally, Affiant believes that evidence of violations of Texas Penal Code Sections 32.31 & 32.51 is contained or concealed in tapes, cassettes, cartridges, streaming tape, commercial software and manuals, hardware, computer disks, disk drives, monitors, computer printers, modems, tape drives, disk applications programs, data disks, system disk operating systems, magnetic media-floppy disks, tape systems, digital cameras, hard drives, and other computer related operating equipment located at the suspected place.

Now, based upon the facts presented and discovered during the course of this investigation, it is necessary to examine any information which may be relevant to the commission of multiple crimes and is contained in the computers or electronic storage devices.

Where do I get started with the forensic exam?

1. Well, you already have, by having technicians gather the stored electronic records about the connections and transactions.

2. You have obtained the legal authority to examine the computers based upon your search warrant.

NOTE: Legal authority may be based upon a number of factors, depending on:

•the location of the computer,

•its use,

•the actual owner,

•the possible content,

•the use policy of your business

3. Following sound forensic practices, in this situation (a stand-alone personal PC with the power off) the hard drive is:

•Removed

•Photographed

•Inspected

•Imaged (using a forensic software package and a hardware write-blocking device)

The rest of the electronic storage media or evidence was acquired by the same process so as not to alter its state. In this case the storage media was:

•Two HDD

•One SCSI HDD

•Two ZIP250 Disks

•6 floppies

When a forensic image is made it is necessary to verify the integrity of the original evidence and to ensure that the image is exactly the same. This is done by

“hashing”, that is, computing a hash value over all the data.

Now that we know we have an exact image of the evidence, we store the original evidence and begin to search our image for clues.

This can be done by means of any number of forensic tools. The tool I used in this case was Guidance Software’s EnCase®.

The manner in which these automated tools work must be understood prior to their use.

WHY? Because when the Judge asks you how it did that, you have to be able to explain it.

This is why it is important to develop the ability to understand the way in which a computer works and stores information.

Let’s get on with the forensic examination and what we found.

What are we looking for?

•Victims’ names

•Addresses

•Credit card numbers

•E-commerce web pages

Let’s start with web pages. When a page is stored on your computer, what does it look like and where would it be?

<html>
<head>
<script language="JavaScript">
function ChangeIfUtf8(Utf8InCookies) {
  var URL = document.location.href;
  var strUtf8 = "utf8=";
  var index = URL.indexOf(strUtf8);
  var inCookie = Utf8InCookies;
  if (index > 0) {
    var indexValue = index + strUtf8.length;
    if (indexValue + 1 < URL.length) {
      if (URL.charAt(index - 1) == "?")
        URL = URL.substring(0, index) + URL.substring(indexValue + 2);
      else
        URL = URL.substring(0, index - 1) + URL.substring(indexValue + 1);
    } else {
      URL = URL.substring(0, index - 1);
    }
  }
  var IsFirst = URL.indexOf("?");
  if (IsFirst > 0) strUtf8 = "&" + strUtf8;
  else strUtf8 = "?" + strUtf8;
  if (inCookie == "0" && document.charset == "utf-8") {
    URL = URL + strUtf8 + "1";
    if (URL != document.location.href) {
      window.location.replace(URL);
      var wHnd = window.open("", "", "height=1,width=1,menubar=no,resizable=no,titlebar=no,scrollbars=no,status=no,toolbar=no,menubar=no,location=no");
      wHnd.close();
    }
  } else if (inCookie == "1" && document.charset != "utf-8") {
    URL = URL + strUtf8 + "0";
    if (URL

(The recovered fragment ends here.)

HTML code is usually found in the temporary internet files, the swap file or unallocated space. What is this?

You will notice that the page is incomplete. That is because not all of the images referenced in the page are available, but this web-based email is what we call evidence!!

The following are a few other web pages recreated from HTML code left in various locations.

Another area in which clues can be found is the cookies a computer collects during its web connections.

Just like web pages, images are nothing more than stored code. How are these images found? We search for the header information which identifies the file type.

JPEG Header Created with Photoshop 3.0
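An added example, not from the presentation, of the header search described above: Python that scans a constructed byte buffer standing in for unallocated space, carves JPEGs by their SOI/EOI markers and web pages by their HTML tags, and flags the “Photoshop 3.0” segment shown on the slide. The marker bytes are the standard JPEG values; the sample buffer and its contents are constructed.

```python
import re

# Standard JPEG markers: start of image (FF D8 FF) and end of image (FF D9).
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
# Pages carve by tag, case-insensitively: old pages used <HTML> as often as <html>.
HTML_OPEN = re.compile(rb"<html[\s>]", re.IGNORECASE)
HTML_CLOSE = re.compile(rb"</html\s*>", re.IGNORECASE)

def carve_jpegs(blob, max_size=8 * 1024 * 1024):
    """Return [(offset, data)] for each JPEG with both a header and a footer.
    Caveat: EXIF thumbnails carry their own FF D9, so a plain footer search can
    cut a photo short; a marker-walking parser is needed for those."""
    found, pos = [], 0
    while (start := blob.find(JPEG_SOI, pos)) != -1:
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break                           # header with no footer: truncated image
        if end - start > max_size:
            pos = start + len(JPEG_SOI)     # implausibly large; keep scanning
            continue
        found.append((start, bytes(blob[start:end + 2])))
        pos = end + 2
    return found

def carve_html(blob):
    """Return [(offset, data)] for each <html>...</html> span."""
    found = []
    for m in HTML_OPEN.finditer(blob):
        tail = HTML_CLOSE.search(blob, m.end())
        if tail:
            found.append((m.start(), bytes(blob[m.start():tail.end()])))
    return found

def made_with_photoshop(jpeg):
    """True when the Photoshop APP13 segment (marker FF ED, 'Photoshop 3.0') is present."""
    head = jpeg[:4096]
    return b"\xff\xed" in head and b"Photoshop 3.0\x00" in head

# Constructed sample: a minimal Photoshop-tagged JPEG, a recovered web page and a
# JPEG that lost its tail, all embedded in zero-filled "unallocated" space.
FAKE_JPEG = b"\xff\xd8\xff\xed\x00\x10Photoshop 3.0\x00" + b"\x00" * 40 + JPEG_EOI
UNALLOCATED = (b"\x00" * 64 + FAKE_JPEG + b"junk" * 8
               + b"<HTML><body>Order confirmation</body></HTML>" + b"\x00" * 16
               + b"\xff\xd8\xff\xe0" + b"\x00" * 20)

if __name__ == "__main__":
    for off, img in carve_jpegs(UNALLOCATED):
        print(f"JPEG at {off}: {len(img)} bytes, photoshop={made_with_photoshop(img)}")
    for off, page in carve_html(UNALLOCATED):
        print(f"HTML at {off}: {page!r}")
```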

They say that an image is worth a thousand words; imagine the story the following images are telling.

There were a few other files which also proved to be of interest, such as MS Word documents which are headed as

This subject kept track of his victims by writing down what he had done with each one’s information.

Other areas in which things are stored are areas which the operating system has used in the past but for which it does not keep track of the data that was once there. Primarily these areas are:

File slack - the area left at the end of a cluster when a file is written.

Unallocated space - space which is not currently listed in the FAT or indices, or being directly accessed.

File slack works like this:

Suppose a cluster is 512 mb and a file is 400mb. The 400mb file is deleted and a 250mb file is written at the same location.

The OS only sees the red file (the 250mb one), but the end of the blue file (the 400mb one) was not overwritten and is retrievable.
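An added model, not from the presentation, of the slack scenario above in Python: one cluster holds a 400-byte file, the file is deleted, a 250-byte file is written over it, and the bytes past the new file’s end are still readable. Sizes are in bytes here (a constructed scale) and the file contents are invented.

```python
CLUSTER_SIZE = 512  # bytes in this model; the slide's picture uses 512/400/250

class Cluster:
    """One allocation unit. The file system records only how many bytes the
    current file occupies; it never wipes what an earlier file left behind."""

    def __init__(self, size=CLUSTER_SIZE):
        self.raw = bytearray(size)   # the physical sectors
        self.logical_len = 0         # bytes the directory entry claims

    def write_file(self, data):
        if len(data) > len(self.raw):
            raise ValueError("file does not fit in one cluster")
        self.raw[:len(data)] = data  # only the new file's bytes are overwritten
        self.logical_len = len(data)

    def delete_file(self):
        self.logical_len = 0         # just the bookkeeping goes; the bytes stay

    def read_file(self):
        """What the operating system shows: the logical file."""
        return bytes(self.raw[:self.logical_len])

    def read_slack(self):
        """What a forensic tool shows: from logical EOF to the cluster end."""
        return bytes(self.raw[self.logical_len:])

def demo():
    """Replay the slide: 400-byte 'blue' file, delete, 250-byte 'red' file."""
    c = Cluster()
    blue = b"PATIENT LIST (constructed sample)\n" + b"\n".join(
        b"patient-%02d chart-%04d" % (i, i) for i in range(15))
    blue = blue.ljust(400, b".")              # exactly 400 bytes
    c.write_file(blue)
    c.delete_file()
    red = b"letter to grandma ".ljust(250, b"-")
    c.write_file(red)
    return c.read_file(), c.read_slack()

if __name__ == "__main__":
    visible, slack = demo()
    print("OS sees %d bytes: %r..." % (len(visible), visible[:18]))
    print("slack holds %d bytes; tail of the old file:" % len(slack))
    print(slack.rstrip(b"\x00").decode())
```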

The unallocated space is often the portion of the hard drive the OS has designated as the virtual memory location, and during the session the OS identifies this area by physical address. So no references to the area are identified, but it still contains data, such as the following patient list, which had been converted to a document and added to with the actions and history of our criminal.

This patient list was actually never stored on the system it was viewed on; it had been downloaded using an external ZIP 250 drive which was not present at the time of the seizure, but evidence that it had been connected remained in the form of a link file. The drive was later found in the suspect’s vehicle along with a zip disk containing the entire database from the Medical Group.

This presentation by no means gives a complete list of all the actions which took place during this investigation, but you can see how one person utilized limited knowledge to compromise the personal information of hundreds of people and started an investigation which required the use of computer forensics at several different levels.

If you only get a few things from this it should be:

•Turn on Logging, Space is Cheap

•Details are important; keep good business records

•Have the lawful authority before you act

•If you are going to conduct a forensic evaluation KNOW WHAT YOU ARE DOING