Presented by: Greg Chatten, CEO Forensic Computer Service, Inc. 636.273.4400 gchatten@forensiccomputerservice.com (c) Forensic Computer Service, Inc.




Before consumer electronics hit the world, electronic recovery and examination of computer media was simply called Computer Forensics. Today all electronic items that store data have a CPU and are, by default, a computing device. Examples: PCs, cellular phones, digital cameras, iPods, servers, routers, cellular towers, WiFi networks, televisions, satellite receivers, automobiles, GPS, planes, tablets, e-book readers, hard drives, thumb drives, SD cards, watches, home automation, wireless remotes. Digital Forensics encompasses all digital media that store electronic data AND all software that is used to process that data. The digital forensics examiner follows the cardinal rules, The Five As:

1. Admissibility must guide actions: document everything that is done;
2. Acquire the evidence without altering or damaging the original;
3. Authenticate your copy to be certain it is identical to the source data;
4. Analyze the data while retaining its integrity; and
5. Anticipate the unexpected.
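As an added illustration of rules 1 through 4 (this is not part of the presentation): acquire a copy, authenticate it by hashing source and image, log every step for the chain of custody, and re-verify the image before analysis. The device contents, file names and log format are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB pieces so a large image never sits in memory


def hash_file(path, algos=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def acquire(source, image, custody_log):
    """Acquire (copy source to image), then Authenticate (hash both and compare).
    Every step is appended to the custody log: Admissibility means document it."""
    def log(msg):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        with open(custody_log, "a") as fh:
            fh.write(f"{stamp} {msg}\n")

    log(f"ACQUIRE begin source={source}")
    before = hash_file(source)              # hash the original before anything else
    log(f"SOURCE {before}")
    shutil.copyfile(source, image)          # stands in for write-blocked imaging
    after = hash_file(image)
    log(f"IMAGE {after}")
    # Image must equal the source, and the source must be unchanged by the copy.
    verified = after == before and hash_file(source) == before
    log("AUTHENTICATE " + ("PASS" if verified else "FAIL"))
    return {"source": before, "image": after, "verified": verified}


def reverify(image, expected):
    """Analyze while retaining integrity: re-hash the image before (and after) analysis."""
    return hash_file(image) == expected


def demo(tamper=False):
    """Constructed sample device. tamper=True flips one byte in the image after
    acquisition; acquisition still passed, but reverify() must now fail."""
    work = tempfile.mkdtemp()
    src, img, logf = (os.path.join(work, n) for n in ("device.bin", "device.img", "custody.log"))
    with open(src, "wb") as fh:
        fh.write(b"CONSTRUCTED-DEVICE" + bytes(range(256)) * 64)
    result = acquire(src, img, logf)
    if tamper:
        with open(img, "r+b") as fh:
            fh.seek(10)
            fh.write(b"\x00")
    result["still_valid"] = reverify(img, result["source"])
    with open(logf) as fh:
        result["log_entries"] = len(fh.read().splitlines())
    shutil.rmtree(work)
    return result
```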

E-Discovery refers to discovery in civil litigation which deals with the exchange of information in electronic format (often referred to as electronically stored information, or ESI). These data are subject to local rules and agreed-upon processes, and are often reviewed for privilege and relevance before being turned over to opposing counsel. Digital Forensics is, however, commonly used to produce ESI. The reality of electronic discovery is it starts off as the responsibility of those who don't understand the technology and ends up as the responsibility of those who don't understand the law.

Recovering deleted files
Unauthorized access to other computers
Utilization of resources
Discovering illegal data on a computer system
Recovering damaged file information
Monitoring live activity
Retrieving data from unallocated space
Uncovering spoliation
Detection of external device use and logs
Recent files listing
Determining user intent / timeline analysis
Review of restore points
Documents printed / when
Programs run / when
Operating system changes
CD burning activity
Internet browsing history
Recovering web-based email
Social networking data
On-line chatting
Cell phone contents
Cell location tracking
Malware/Spyware/Virus
Data theft
Analysis of backup data
And more.

3/13: Three employees of the company discuss leaving and creating their own competing company.
3/13 to 3/28: Emails go back and forth between the three and others regarding office space, advertising, staff, etc., using non-company email accounts.
4/15 to 4/25: Sensitive documents and data of the company (such as customer records, operating procedures, etc.) are copied onto thumb drives and external hard drives from their own computers and company servers. Some are emailed out using personal GMAIL and YAHOO accounts to bypass company servers.
4/29 (a Sunday): One employee with full access installed spy software on the computers used by the President/CEO, CFO, HR, Dir. of Operations, Dir. of Development, Dir. of Marketing, Dir. of Sales, Engineering and Product Development. A TOTAL OF NINE COMPUTERS CONTAIN SPYWARE, WHICH WAS INSTALLED IN LESS THAN 30 MINUTES ON ALL THE COMPUTERS ABOVE.

5/1: First employee quits.
5/8: Second employee quits.
5/10: Third employee is terminated with cause (for other reasons).
After 4/29 these employees could monitor all activity on the infected computers. THE COMPANY HAS UP-TO-DATE ANTI-VIRUS; HOWEVER, IT CANNOT DETECT THE TYPE OF SPYWARE INSTALLED.

1. The purpose is to monitor and/or control a computer remotely.
2. An internet connection is required. It may be any type of connection (wired, wireless, intranet).
3. The victim has the SERVER software installed while the controlling computer has the CLIENT software installed.
4. The victim computer connects to the controlling computer automatically.
5. The controlling computer usually has 100% control of the victim computer.
6. Anti-virus software on the victim computer is typically useless in finding the good spyware because of the way it's created.

THE KANSAS CITY STAR, Breaking News: Guilty plea in central Missouri college computer hacking (April 12)
A former University of Central Missouri student pleaded guilty Friday to participating in a computer hacking conspiracy. Joseph A. Camp was one of two former UCM students charged in U.S. District Court in Kansas City with illegally hacking into the university's computer system and downloading large amounts of data containing faculty, alumni and student information. Prosecutors said they also attempted to change grades and transferred money to their student accounts. Camp, 28, has been in custody since he traveled to New York in December 2009 and attempted to sell 90,000 stolen identities for $35,000, according to prosecutors. Charges against him are still pending in New York. According to Friday's plea agreement, Camp will receive a three-year prison sentence and pay $61,500 in restitution. His co-defendant, 23-year-old Daniel J. Fowler, has previously pleaded guilty and is also awaiting sentencing.
Tony Rizzo, kcstar.com (MOWDCE 4:2010-cr-00318)

Hacking software can be used on any PC. The really good hacking software is well hidden in the search engines but can easily be found on hacker web sites if you know what you are looking for. During testing I created the virus program to infect the victim's computer in less than 5 minutes:
I copied the virus to a thumb drive
Inserted the thumb drive into a running computer
Copied the virus onto the hard drive
Ran the virus to infect the computer
DONE in less than 30 seconds. NOW LET'S SEE WHAT WE CAN DO!

Physical access (use a thumb drive)
Via email: fake the user into downloading the spyware file
Other methods that are more technical

GAMEOVER virus information released by the FBI in 2012:
Malware Targets Bank Accounts: Gameover Delivered via Phishing E-Mails (01/06/12)
Cyber criminals have found yet another way to steal your hard-earned money: a recent phishing scheme involves spam e-mails purportedly from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC) that can infect recipients' computers with malware and allow access to their bank accounts. The malware is appropriately called Gameover because once it's on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it's definitely game over.
http://www.fbi.gov/news/stories/2012/january/malware_010612
FCSI discovered this virus in use as of 2009, where portions of a 1.4 million dollar ACH transfer were re-directed.

Yes, it exists, but the software is not widely available like it is for PCs.
Infections occur by having physical access to the phone or by the user clicking on a fake email to download the infection software.
Gets installed as an APP.
Sophisticated users could find and uninstall it.
Limited capabilities when compared to PC spyware, but keylogging and other functions are possible depending on the phone make/model and operating system.
If you think you are infected, the best course of action is to HARD RESET the phone. This will restore the phone to factory settings. Make sure you back up your contacts, etc. before doing this.
Forensics may also find the spyware.

Employers who plan to terminate an employee should do so on the spot. Pay their severance and walk them out of the building.
Forensic analysis of the company or home network can record data packets sent and received from the Internet. This information can be used to identify spyware.
Forensic software may be able to detect the use of the spyware CLIENT software, but requires the perpetrator's (if known or suspected) computer to be examined.
Use one of these:

Use anti-virus software and keep your paid subscription up to date. This will catch most viruses/malware/spyware; however, nothing except real-time packet monitoring will detect the presence of such activity from very good spy software.
Please note the spyware demonstrated in the previous movie example was not detected by three of the most popular anti-virus programs.
The presence of spyware on the victim computer may be an affirmative defense in a criminal or civil case.
If selling your consumer electronics such as cell phones, gaming consoles and the like, make sure you reset these devices to factory settings, as this will wipe all user data and make it extremely difficult for the purchaser to find any personal information. Destroy or wipe hard drives.
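The spyware described earlier connects out from the victim to the controlling computer automatically, and that regular check-in is what network packet monitoring can catch even when anti-virus sees nothing. Added example, not from the presentation: flag destinations a host keeps contacting on a steady period, run over a constructed connection log; the hostname, addresses (RFC 5737 test ranges), port and thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log for one workstation (not real traffic). Columns:
# timestamp  host  destination_ip:port  bytes_out. Addresses use RFC 5737 test ranges.
SAMPLE_LOG = """\
2013-04-29T10:00:01 ceo-pc 203.0.113.10:4444 312
2013-04-29T10:00:05 ceo-pc 198.51.100.7:443 18230
2013-04-29T10:01:02 ceo-pc 203.0.113.10:4444 298
2013-04-29T10:01:40 ceo-pc 198.51.100.7:443 955
2013-04-29T10:02:01 ceo-pc 203.0.113.10:4444 305
2013-04-29T10:02:30 ceo-pc 198.51.100.20:80 44120
2013-04-29T10:03:02 ceo-pc 203.0.113.10:4444 310
2013-04-29T10:03:55 ceo-pc 198.51.100.7:443 2210
2013-04-29T10:04:01 ceo-pc 203.0.113.10:4444 301
2013-04-29T10:05:01 ceo-pc 203.0.113.10:4444 307
2013-04-29T10:07:12 ceo-pc 198.51.100.7:443 7300
2013-04-29T10:09:00 ceo-pc 198.51.100.7:443 640
"""


def parse_flows(log_text):
    """Group connection timestamps by (host, destination)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, _bytes_out = line.split()
        flows[(host, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(times):
    """Mean gap between consecutive connections and its coefficient of variation
    (stdev / mean). Browsing is bursty; a RAT's automatic check-in is clockwork."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(log_text, min_connections=5, max_cv=0.1):
    """Return destinations a host keeps contacting on a steady period."""
    hits = []
    for (host, dst), times in parse_flows(log_text).items():
        if len(times) < min_connections:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({"host": host, "dst": dst,
                         "period_s": round(mean), "cv": round(cv, 3)})
    return hits
```

A steady period is a lead, not proof: legitimate update checks also beacon, so a hit is something to examine on the host, not a verdict.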

Find a good forensic company. Note: in Missouri anyone engaged in computer forensics MUST have a current Private Investigator license in good standing. Check the Missouri Department of Professional Registration database or call.
Ask for attorney referrals.
Ask how many times they have testified and where.
Ask how many cases they have examined and how long they have been in business.
Ask for rate information.
NOTE: Some companies on the web advertise forensics in many States; however, these are Vonage numbers that go to one location, usually out of State, costing you a lot more money for the work and possible testimony. Compare companies!

For PCs and notebooks:
Pull the power cord on any equipment to go to a forensic lab. Do NOT shut down the computer normally. On laptops, unplug and remove the battery.
It is recommended that all equipment goes directly to the forensic lab from the client. A Chain of Custody form should be used.
Include all power cords. Accessories such as mouse, keyboard, speakers, etc. are usually not needed. The battery from laptops should be sent to the forensic company.
If this is a corporate environment there are many other factors involved that the forensic company will discuss with their IT staff first.

For cell phones:
Remove the battery and provide the exact make/model number, which is on a sticker underneath the battery.
The data that can be obtained differs by cell phone, even by make and model. FCSI uses the same equipment the FBI and other law enforcement agencies use. Make sure your forensic company is using the best equipment AND the phone is supported before sending it in, including the power cable.
If the battery is dead, either purchase a new one or the forensic company will need to. Cell phones, even if plugged in to a charger, will not power up without a working battery installed.
Discuss how long the forensic company will need the phone before it can be returned to you.

Typical Cellular Tower. WE KNOW WHERE YOU HAVE BEEN...

o If your GPS is on, there are apps to share your location with your friends, etc. This is useful and fun!
o If your GPS is off, you are still being tracked by your cellular company!
o If your phone is powered off, there are no records.
Location tracking is typically used by law enforcement in:
o Capital Offenses
o White Collar
o E-911 Emergency Calls
o Missing Persons
Federal Law requires all cellular phone companies to provide, within 30 meters, the location of any cell phone requested by law enforcement within six minutes. Sometimes this is accurate, sometimes it's not. This is for emergency (911) situations only.

The topic of cellular tracking could go on for hours. Today we will stick to the basics. Here are some facts:
1. The data from the cellular company must be obtained by subpoena.
   a. Law enforcement has no problem getting the data.
   b. Criminal defense attorneys should have no problem getting the data.
2. The records, however, were designed for billing purposes and are now being used to place suspects in or near a crime scene (or vice-versa). This is not the purpose for which the records are being kept by the cellular companies.
3. MANY of the maps I've seen misrepresent the evidence, and so does the testimony of these experts. Imagine your client being found guilty based on inaccurate testimony!
4. A cell phone can only be placed in a geographic area that could span thousands of acres.

This depiction of cell coverage is Junk Science as it pertains to where a cell phone was: while cell towers typically provide 360-degree coverage, you can't say the cell phone could have been anywhere in the drawn circle. Cell antennas are divided into SECTORS.

Where was he? This is a sketch artist's rendering of cell towers and coverage in a real triple homicide case. Portions of this map are technically inaccurate and Junk Science.

Here we go, an accurate map:

Most cell sites are divided into 3 sectors and each one has an antenna. Each antenna covers 120 degrees. Think of an apple pie cut into thirds. Each cell antenna covers a third of the 360-degree coverage. (Some towers have six sectors, some have fewer than three.) Yummmm. The information provided by the cellular companies is just enough to place a cell phone in a wide geographic area. There is no way to pin-point a location with any accuracy except for E-911 calls or other methods, and even then we have found discrepancies in that data.

Here's a Good Looking Map made by Law Enforcement. Here are the major problems:
1. The arc with the blue color is not an accurate depiction of coverage.
2. The straight lines on either side of the center point are 100% inaccurate. The LEO interpreted the data incorrectly.
3. The straight lines appear to limit the cell tower range, for which there is no reliable data to support such a limit.
4. Do you want a jury to believe this and hear testimony that it's correct?

[Figures redacted: WRONG and RIGHT depictions of the same tower]
This is the same cell tower (both depictions are North). Using the suspect's call detail records along with cell tower information you can easily see how inaccurate mapping of call and tower records could greatly affect your case.
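To make the sector-versus-circle argument concrete, an added example (not from the presentation) that tests whether a candidate location is consistent with the sector named in a call record, and contrasts that with the drawn-circle depiction. The tower coordinates, candidate points, 0/120/240-degree azimuths and the 3 km circle radius are constructed; call detail records give a sector but no distance, so the sector wedge is left unbounded.

```python
import math

# Constructed coordinates (not from any case): a tower and three candidate points.
TOWER = (38.630, -90.200)        # lat, lon of the cell site
POINT_A = (38.640, -90.200)      # ~1.1 km due north of the tower
POINT_B = (38.630, -90.180)      # ~1.7 km due east
POINT_C = (38.700, -90.200)      # ~7.8 km due north
SECTOR_AZIMUTHS = (0, 120, 240)  # assumed 3-sector site, antennas 120 degrees apart


def bearing_deg(lat1, lon1, lat2, lon2):
    """Compass bearing from point 1 to point 2 (0 = north, 90 = east)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    x = math.sin(dl) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(x, y)) % 360


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine); only the circle model needs it."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def bearing_in_sector(bearing, azimuth, sectors=3):
    """True if the bearing lies in the wedge centred on the antenna azimuth.
    Each of `sectors` antennas covers 360/sectors degrees (120 on a 3-sector site)."""
    half_width = 180.0 / sectors
    diff = (bearing - azimuth + 180) % 360 - 180   # signed angle in [-180, 180)
    return abs(diff) <= half_width


def sector_model(tower, sector_azimuth, point, sectors=3):
    """What the call record supports: the phone was somewhere in this sector's
    wedge. No distance is recorded, so no range limit is drawn."""
    return bearing_in_sector(bearing_deg(*tower, *point), sector_azimuth, sectors)


def circle_model(tower, point, radius_km):
    """The 'anywhere inside the drawn circle' depiction: it ignores the sector
    and asserts a range the records never state."""
    return distance_km(*tower, *point) <= radius_km


def compare(tower, sector_azimuth, point, radius_km=3.0):
    """Verdict for one candidate point under both depictions."""
    return {"sector": sector_model(tower, sector_azimuth, point),
            "circle": circle_model(tower, point, radius_km)}
```

With a record on the north-facing sector, POINT_B sits inside the circle but cannot have used that sector, while POINT_C is outside the circle yet fully consistent with the record.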

QUESTIONS? Greg Chatten, President, Forensic Computer Service, Inc., St. Louis, MO. 636.273.4400