COMPUTER FORENSICS: HOW FAR DO YOU GO? WHEN DO YOU GIVE UP? Emory “Casey” Mullis, February 16th, 2013

Computer forensics (by Emory Casey Mullis)


DESCRIPTION

A famous entrepreneur +Guy Kawasaki once said that the only two reasons to start a business are to 1) right a wrong, or 2) prevent the end of something good. Only then would we have the passion and clarity to endure the constant setbacks and rejections. Casey (+Emory Mullis) did a wonderful presentation today talking about cyber investigation and law enforcement. He asked a simple question: How far would you go to prove someone's innocence or to prosecute a known criminal (especially a child pornographer or child molester)? The answer is simple, "You never give up. You dig and dig until the Facts meet the Truth!" Computer forensics is much more than a technical challenge. We can't afford bystanders when our children's future is at stake.


Page 1: Computer forensics (by Emory Casey Mullis)

COMPUTER FORENSICS

HOW FAR DO YOU GO? WHEN DO YOU GIVE UP?

Emory “Casey” Mullis

February 16th, 2013

Page 2

Brief Introduction

• Custom Building Computers for over 15 years
• Trained at FLETC (Federal Law Enforcement Training Center)
• Trained at GBI (Georgia Bureau of Investigation)
• Trained Online and with Training DVDs
• Designed and Set Up the Computer Lab for the Coweta County Sheriff’s Office
• Conducted Computer Forensics for the Coweta County Sheriff’s Office and other agencies
• Self-Motivated in the area of Computer Forensics & Google
• My passion is fulfilled by “GOOGLE”

Page 3

When do you give up?

Page 4

If you or a family member were the victim of a sex crime or fraud over the internet and you were tasked with finding the evidence on a suspect machine, how far do you go?

This is for illustration purposes only. Digital evidence can be found in all types of cases. This goes for criminal and civil cases alike.

Page 5

If you were a suspect in a crime and you knew you were innocent, how far would you want the authorities to go? What corners would you want them to cut?

Page 6

I will be the first to tell you the following:

“You dig and dig until the Facts meet the Truth!”

Because in today's digital world, the Facts are not always the Truth!

Page 7

WORLD NEWS…

• Hackers Go Wild, CNET [1]
• President Bush Email Hacked [2]
• Anonymous Hacks IRS Database [3]

Page 8

Personal Experience… iPhone (Child Molestation Case)

In this case we had a Federal Agency look at the cell phone, but they did not find anything, so they said, and sent back nothing. My gut instinct led me to do a complete forensic exam, at which time I found images a child described, in a hidden location created by an app. This suspect almost got away with child molestation, because the Investigating Officer did not have any evidence to move forward in the case.

Page 9

Dell Computer Tower (Corruption and Obstruction)

In this case it was alleged that an officer (or officers) had altered police records. Through my examination of the computer, I found that the accounts on the system had been hacked / compromised. Based on the facts at hand, it appeared that one or all of the officer(s) did in fact commit a crime. Due to a persistent computer forensic examiner, the facts eventually met the truth.

Page 10

The technology issues of today

In today’s world, with technology getting smaller and faster, it is easier and easier for someone to make it look like you did something you did not. On the flip side of the coin, because of technology it is easier to hide a criminal act from prying eyes. So it takes skilled computer analysis to uncover the facts and truth in a case. There are many ways to send a spoofed text message and make it look like someone else did it. There are open source tools to spoof an IP address or even the MAC address. How do I know these things? GOOGLE! & TRAINING! This is a very small example, because we do not have time to talk about everything.

Page 11

New MacBook Pro

Recently I was asked to assist another agency with the imaging of a new model MacBook Pro. As you can see below, there are only USB 3.0 and Thunderbolt connections. Now what? Do you give up? What about pulling the hard drive? Let's look at that.

Page 12

New MacBook Pro Hard Drive

Imaging the hard drive is a good thought, if you know how to pull this type of drive and image it. Oh yeah, you have to have the adapter also, if there is one. This is new!

Page 13

Blackbag Technology

There is no CD/DVD-ROM to boot from, so Paladin and Raptor are out of the question. The only other tool at hand was Blackbag’s “MacQuisition”, which is a bootable USB drive. When you boot with this tool, the Mac would freeze. Now what? Do you give up? NO! We called Blackbag Tech Support and found out that this model was too new and MacQuisition did not support it. Tech Support did give us an option. We needed to buy an adapter to convert from Thunderbolt to FireWire. We also needed another Mac with FireWire. It just so happened I had one, and it was an older model that is supported by MacQuisition.

Page 14

Adapter

The adapter to the right was purchased at a Mac Store. This adapter allowed us to make a cross-over connection to a secondary MacBook computer, with the suspect computer set in target mode.

Page 15

Technology

• Changes Fast
• Getting Smaller
• Getting Faster
• Getting Cheaper
• Getting Easier

Do we give up or persevere to find Solutions? There are no problems, Only Solutions!

Page 16

MacBook Imaged, How?

1. Set the suspect machine in “T”arget mode by booting the machine and holding the “T” key down.
2. Connect the Thunderbolt to FireWire cable to the suspect machine.
3. Run the FireWire cable from the adapter on the suspect machine to your MacBook's FireWire port.
4. Plug Blackbag MacQuisition in to your MacBook.
5. Turn your MacBook on and hold down the “Option”/“Alt” key.
6. Select the MacQuisition USB drive from the list on your MacBook.
7. MacQuisition will see the connected (suspect) computer in target mode. This gives you complete access to the hard drive in a forensically sound manner.
8. Connect external storage media to your computer and mount it as read/write to dump the suspect hard drive image to.
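The imaging and verification step that follows the procedure above, as an added example that is not from the presentation or from Blackbag: once the suspect Mac is in target mode and its disk is visible from the examiner's machine, this script makes a dd copy onto the external storage, hashes the byte stream as it is read, re-hashes the finished image from disk, and keeps a log beside the image. The device path and file names are assumptions; the demo at the end uses a constructed random file in place of a real disk so the script runs offline.

```shell
#!/bin/sh
# Added example (not the presentation's or Blackbag's code): dd-based imaging
# with SHA-256 verification and a log file, for a disk exposed by a Mac in
# target mode. Source device path is an assumption on a real exam.
set -e

# SHA-256 of a file, or of stdin when no argument is given. Prefers GNU
# sha256sum and falls back to shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@" | cut -d' ' -f1
    else
        shasum -a 256 "$@" | cut -d' ' -f1
    fi
}

# image_and_verify SOURCE DEST
# Reads SOURCE once: dd streams it through tee into DEST while the same
# bytes are hashed, then DEST is re-read from disk and hashed again.
# conv=noerror,sync keeps dd going past unreadable sectors and zero-fills
# them so offsets in the image stay aligned with the original. bs=4096 is a
# multiple of both 512- and 4096-byte sectors, so a whole disk is not padded
# at the end (a plain file that is not a multiple of 4096 would be).
# Prints "OK <sha256>" and returns 0 on match; prints "MISMATCH" and
# returns 1 otherwise. Every step is appended to DEST.log for the case notes.
image_and_verify() {
    src=$1
    dst=$2
    log="$dst.log"
    printf 'source: %s\nstarted: %s\n' "$src" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$log"
    stream_hash=$(dd if="$src" bs=4096 conv=noerror,sync 2>>"$log" | tee "$dst" | sha256_of)
    image_hash=$(sha256_of "$dst")
    printf 'stream sha256: %s\nimage sha256:  %s\n' "$stream_hash" "$image_hash" >> "$log"
    if [ "$stream_hash" = "$image_hash" ]; then
        printf 'result: verified %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
        echo "OK $image_hash"
        return 0
    fi
    echo "result: MISMATCH" >> "$log"
    echo "MISMATCH"
    return 1
}

# Demo on a constructed 1 MiB "disk" of random bytes (not a real device),
# so the script can be run anywhere without a suspect machine attached.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/suspect.bin" bs=4096 count=256 2>/dev/null
image_and_verify "$demo_dir/suspect.bin" "$demo_dir/suspect.dd"
cat "$demo_dir/suspect.dd.log"
rm -rf "$demo_dir"
```

On a real case the source would be the target-mode disk as the forensic boot environment exposes it (for example a `/dev/disk` node, an assumption here) and the destination the read/write external drive from step 8. MacQuisition does this copy and hashing itself; the point of the script is the check any image should carry: a hash computed from what was read that matches a hash of what was written, recorded in a log that can be handed over with the image.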

Page 17

Follow Up

Now, as a follow up and for your edification, MacQuisition will have an update soon that will support the newer model MacBooks. Other options on the market, and FREE, are Paladin and Raptor. Never give up, not while freedom is on the line. Give it everything you've got, and then, when you think you have done everything you can, call a couple of other people to see if they have any ideas. Remember, in this digital age, “No one person can know it all. We need each other.”

Page 18

QUESTIONS?