You were right, that was very brief. Hey, I'm David Smith. I work with Georgetown University. A little bit about me: I'm an information security professional. My job is Information Security Officer for Georgetown University, and really my biggest challenge nowadays is helping researchers build a security program to protect their data. We have a lot of insider threats and a lot of foreign threats to research information. Besides GU, I also have a small security consulting company where we focus on forensics.

This talk is about the Department of Defense Cyber Crime Center Digital Forensics Challenge in 2006. They came out with this challenge, and I think they're great. They're the kind of thing that lets you do something creative, solve some problems, and then you get to see something back. I scheduled my team, Team Hoya Haxa, to come in and do this challenge. As you can see, we've got varied skill levels. Most of us have two-plus years of digital forensics, and we thought it'd be really cool. "Hoya Saxa" is a spirit name for Georgetown University, and it basically means "what rocks," or just kind of exciting. Anyway, sorry, my slides aren't really coming out as well as I'd like.

The Department of Defense Cyber Crime Center has three major divisions: the Cyber Crime Institute, the Computer Forensics Laboratory, and the Cyber Crimes Investigation Training Academy. If you know anybody from DC3 (there may be a lot of them here), they have information about what they do and how they do it, and it's very useful. Basically, it's research, development, testing, and evaluation. There are lots of security problems out there to solve, and forensics is a very, very tough field. You never know; it's just following leads to get more leads, doing all kinds of things, and seeing what you can get and what you can't get. But that's really what I thought these competitions were all about. I kind of made a shot here.
One of the things about DC3 this year was we all submitted our data, and we didn't get anything back. I found out later, luckily, that there was a problem and it just couldn't happen; they didn't have the scheduling down to make it happen. But originally, I was like, oh, cheap R&D, man, that's all we are. That was why I did this talk. I wanted to return the stuff that we learned on all these challenges. There were a whole bunch of them: broken media, booting a dd image into a virtual machine, data carving, all kinds of fun stuff, key log breaking. We wanted to go and solve each one of these and talk about what we did. We also came up with a lot of methodologies and some software to help with that, and we'll get into that. That's really what this talk is about: what we learned, and kind of that give-back. I wanted somebody to at least get the information that we did. And I understand that for this year's contest, 2007, they will be doing this, so I'm pretty excited about it.

We, of course, heard about this through Slashdot, and I'm sure it really got Slashdotted pretty hard, and there was a follow-up in Network World. It's now called the 2006 challenge because we got a new one. We basically had 140 teams from all over the world sign up to do this. Here's a quick breakdown; I'm not going to read them to you. The prize is that you get an all-expense-paid trip to their conference, which is pretty cool, especially if you love digital forensics, and you get bragging rights. I'm not going to give away who the winner is, but I'm sure they've used their bragging rights quite well. Here are some of the base dates: September was when the challenges were sent, and then the deadline was the 15th of December. So about three months to really get things going and get it in. The rules of engagement were pretty straightforward.
After the registrations came in, you had to submit in their format. You don't have to complete all the challenges; you can get partial points. And if you build tools, they want a copy of them. We had no problems there. And the biggest hint was that there's a secret bonus out there.

These are what the challenges were. There were two media recoveries: a broken CD, which came in a nice little package (very exciting), and floppies that were cut. There were a couple of images: data carving on Linux LVM, the Logical Volume Manager, and some images that you had to boot up into a virtual machine. And this was a really cool one; I've seen some other talks spawned off of this: image analysis. How do you say that this is a real picture of Earth and this is a computer-generated picture? If you look at some of the forums out there, you'll just be blown away by the pictures these artists can create. It's a really tough field; there's nobody out there that can do it all, and I'll get into that in a little bit. Some password cracking, some key log cracking; I'm sure everybody here is familiar with some of those things. And steganography and audio steganography. Those were the things we didn't really do very well on, but they're interesting nonetheless, and it really tells you how secure some of this stuff is.

Some quick stats. Now we're getting into a little bit of the data about the contest that I really wanted to see originally; I wanted to see some of this stuff put out. Twenty-five submitted out of 140, and we were pretty blown away by that. At one point, after they went over 100 packets, the rules came out saying only the first 100 were going to be returned and graded. We were like, oh no, we're going to have to make sure we send in early. And only 25 did total. The best team got 78% of the points, which I was pretty amazed at when we got these packets; we thought this stuff was really, really hard.
And the worst: somebody submitted and didn't get any credit. The best-completed challenge, out of those 25 teams, was the CD: only 11 of them were able to take the CD that came in two pieces and get the data off of it. And of course the least-completed challenge was the boot of the split dd. We'll get into it later, but it's basically three dd images that you had to reconstruct in memory and then boot. Only one team managed to get that, and they were also the winners.

So the first challenge, hopefully getting into the meat of this thing a little bit: this is what we got. They said basically the examiners must develop and document a methodology to recover data from a damaged compact disc. We learned some really cool things, and I'm going to get into that at the end, but right now I'm going to focus on just the challenge pieces. We had to recover some known data. It was the highest-completed challenge, and there were no partial points given. I actually break out the top five scoring, so the teams that made the top five, these were the ones that did it. Everybody pretty much got it. We actually got this one on the very first day we got the packet. Hopefully you guys can see this, but it's actually a CD. It's not split down the middle; it's split off at the edge, what do you call that, let's just say 20 to 25% of the CD is split off on the edge. What we did was we just took a ton of split CDs; we started cutting them ourselves using kitchen tools and X-Acto knives and everything you can think of. And we found this to really be the big trick. They're called d_skins, and what they are is these little CD condoms: you just slip them on and they actually will hold the CD together. Because what you need is structural integrity in this contest. You can kind of see it here; I'm worried that you can't really see it very well.
But it's got the d_skin on it, and you can see the split down the side. In this competition, let me go back one, where the split is, we found it to be 11 megs. The goal was you just had to keep structural integrity so you could read the inside data, because it looked like a giant file, and you can see it only goes so far out; it's not the whole thing because of the little line. Again, you can't see that, but I was kind of hoping you would. We were actually able to pull off 11 megabytes right off the bat. And it kept saying the same thing over and over, which is, I love to hear myself talk. This is AccessData's forensic imager; I think it's free for non-commercial use. But anyway, with CDs there are all kinds of tricks you can do to get it to read. If you look at some of the forums, like CD Freaks, it's all about these mass duplicators of CDs and DVDs, but they've done incredible work on rewriting firmware and doing things to help you read the disc better. So it's kind of neat, and it's a good place to go if you want to get into data recovery and doing these kinds of things.

The next one was the floppy diskette. You've got a floppy diskette, in our case. The top four teams got it, and you can see which ones. There were no partial points either; you were able to read the floppy or not. So that was kind of interesting. But again, can you guys see this okay? Most people see the little piece of tape and things like that back in the room? A little bit. Okay, a little feedback. But anyway, the whole trick is, how do you get this floppy disk to spin up, and how do you get it to read? If you've got anything on the drive, it's going to make that head bounce and you're not going to get a read from that. We tried lots of stuff. Our best experience, and this is kind of what this talk is all about, is how we used splicing tape and what the best way is. We actually tried over 20 methods.
We tried super glue. We tried nail polish. Everything on the Internet that we've seen of what people do. If you have to recover something off a damaged floppy (and hopefully floppies are dead, so you'll never have to do it again), over and over and over we kept trying all kinds of things, and our best trick was very thin strips of splicing tape on just one side, and it turned out to be the bottom side. We were able to read it and we were able to pull the most data off. I think at one point we actually got like 45% of the disk, which was kind of nice. In a testing environment, we were able to get over 60% on ones we cut ourselves; that 45% was on the actual final media. You also want to open up the container just enough to slip it in, so you want to have a really, really good, solid floppy disk enclosure to protect it. But that was kind of cool. Has anybody really done any of this stuff before, as far as data recovery on CDs and floppy disks? Hopefully you've got some hands, right? It's actually harder than it looks. When we first started, we tried all kinds of things and we read all kinds of things on the Internet. We've had to do it a few times for a couple of investigations that we do throughout Georgetown University.

But the end result is our old friend, dd. We were able to make this image and use noerror and sync so it doesn't bomb out and it's going to give us the whole packet. Even where everything is just zeros, it's going to keep it the original media size. And our secret message was "Jack Bauer was my hero." So DC3's got some things on their mind.

The next challenge was to boot the dd image. If you know what a dd image is: when you make an image of a hard drive, dd is great; it's just a disk copy. It makes a binary image of whatever media you're dealing with. So if you've got a 60 gig hard drive and you make a dd image, you've got a 60 gig file, and that's an exact image, an exact copy of your hard drive.
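Editor's note: the imaging step above relies on two dd conversion flags, `noerror` (keep going past a read error instead of aborting) and `sync` (pad the failed block with zeros so the image keeps the media's size and offsets). The example below is added here and is not the speaker's code or tooling; it spells out what those flags do as a sector-by-sector loop, using a constructed in-memory "damaged media" object (`FlakyMedia`, an assumption for this example) so it runs without a real disc or floppy. One caveat a practitioner should carry over to real dd: `sync` pads every short read to the block size, so use a `bs` equal to the physical sector size (512 for floppies, 2048 for CDs) or good data next to a bad sector gets zeroed too.

```python
# Added example (not from the talk): what `dd conv=noerror,sync` does,
# spelled out as a sector-by-sector imaging loop, with a constructed
# "damaged media" source so it runs offline.

SECTOR = 512


class FlakyMedia:
    """Constructed stand-in for damaged media. A read that touches a
    sector listed in `bad_sectors` raises OSError, like a drive returning
    an I/O error for an unreadable track."""

    def __init__(self, data: bytes, bad_sectors):
        self._data = data
        self._bad = set(bad_sectors)
        self._pos = 0

    def seek(self, offset: int) -> None:
        self._pos = offset

    def read(self, n: int) -> bytes:
        first = self._pos // SECTOR
        last = (self._pos + n - 1) // SECTOR
        if any(s in self._bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def image_media(src, size: int, sector: int = SECTOR):
    """Image `size` bytes from `src` one sector at a time.

    noerror: an OSError on a sector is recorded instead of aborting.
    sync:    a failed or short sector is padded with zero bytes, so the
             output keeps the source geometry and every later structure
             (partition table, superblock, directory) stays at the same
             offset in the image as on the media.
    Returns (image_bytes, list_of_bad_sector_indexes) so the examiner
    knows exactly which ranges of the image are padding, not data.
    """
    out = bytearray()
    bad = []
    for idx in range((size + sector - 1) // sector):
        off = idx * sector
        want = min(sector, size - off)
        try:
            src.seek(off)
            chunk = src.read(want)
        except OSError:
            chunk = b""
            bad.append(idx)
        if len(chunk) < want:
            chunk += b"\x00" * (want - len(chunk))
        out += chunk
    return bytes(out), bad


def demo():
    """Constructed sample: 8 full sectors plus a 100-byte tail, each
    sector filled with a different letter, with sectors 2 and 5 bad."""
    letters = b"ABCDEFGH"
    data = b"".join(bytes([c]) * SECTOR for c in letters) + b"Z" * 100
    media = FlakyMedia(data, bad_sectors={2, 5})
    return image_media(media, len(data))
```

Running `demo()` gives an image exactly as long as the source, with sectors 2 and 5 zero-filled and reported in the bad list; that list is what you record in your notes, since the zeros themselves are indistinguishable from genuinely blank sectors later on.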
I actually made one of my laptop before I left to come here to DEF CON so I could delete everything I want off of it and then come back and bring it back. But in this particular challenge, what they gave you was a dd, and they said, let's boot it up and actually boot the image, so you'd be able to look at it and walk around inside the image and do a live analysis of it. That was pretty interesting, right? I mean, we've done dd images, but we've never actually done this before, so we were pretty excited to try it out. Only 16%, 4 out of 25, managed to get this. We were one of the teams, so we were real happy about that. And five teams got half score, so that was pretty exciting too. So in total nine out of the 25 were able to get something on this.

The initial image showed that it was ext3 with a Linux 2.6 kernel. Understanding this challenge really meant understanding booting into a VM and what that entails. Obviously, VMware is kind of the big one out there, but we identified two major issues to get started. Partition imaging: the partition image needed to be converted into a disk image, because it was just a partition image. And that partition image did not have the master boot record, and there was no boot manager, so we had nothing to boot it with. We used QEMU. Is anybody familiar with that? It's another VMware-like product; it's just a virtual machine. And the thing I like about it is, as you can see in the second example here, -hda linux.bin: that is my hard drive, hda, and then my second one. So it was really easy. I found VMware to be kind of cumbersome, to write the file or use their GUI to write my file. But in this case, what we wanted to do was create an image. We wanted to boot up into a small version of Linux and then partition it so we could actually make the partition.
And again, we're doing what our identified issues were: we needed to get it to a disk image so we could boot to it, and then we needed some way of having a master boot record and boot manager. Once we did that, we used -L for QEMU, which just means look for the BIOS information in this directory. What we did was we took the disk image and then we added in our challenge dd. Once we booted up, we were able to partition it and then use dd with a source and a destination to take that entire hdc, which was the image, and move it into hdb, which is our partition. So it makes a full disk image, and now we're ready to be booted. I actually had a small version of CentOS, which I like; it's kind of the distribution I use. I was able to boot into it, and it already had GRUB all set up. I already knew what I was looking for as far as where the Linux kernel information was, so I went in and I just manually typed it in. Luckily, you can tab-complete this stuff, so that's pretty nice. I was able to type it in and point it to our target image, which is theirs, and type in boot. Nice. And I'm actually able to get it. So this is actually now booting their dd image. It was pretty nice. We really met our two goals. Hopefully you can read this. Okay, it actually looks better; I guess that's my angle. You can see I actually had a couple pictures. Once I got there, I found a directory called challenge, and your quest was finished. So that was kind of cool. Any questions up to this point so far, or where we're going here? Okay.

The next one, very, very... it's a lot tougher, right? Because now you've got a split dd. It's multiple files; I don't just have one. And they specifically said you may not concatenate the slices into one big image. Because imagine this.
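Editor's note: the two problems the speaker identifies (a partition image is not a disk image, and it has no MBR) can be solved on the host without a helper VM by prepending a sector-aligned MBR that points at the partition. The example below is added here and is not the speaker's code; it writes a 512-byte MBR with one active Linux partition, places the partition image at the chosen LBA, and reads the table back together with the ext superblock magic to confirm the partition landed where the table says. Assumptions: a start LBA of 63 (the cylinder-aligned layout 2006-era installers used; 2048 is the modern default), a partition image that is a whole number of 512-byte sectors, and a constructed 4-sector "partition" that only carries the ext magic. The result still has no boot loader; as the talk does, you attach it as a second drive to a helper Linux VM (for instance `qemu -hda helper.img -hdb disk.img`) and install GRUB from there, or type the kernel path at the GRUB prompt.

```python
# Added example (not from the talk): wrap a bare partition image in a
# single-partition MBR so a VM sees a whole disk, then verify the table.
import struct

SECTOR = 512
EXT_MAGIC_OFFSET = 1024 + 0x38   # s_magic inside the ext2/3/4 superblock


def mbr_for_single_partition(part_sectors: int, start_lba: int = 63,
                             part_type: int = 0x83) -> bytes:
    """512-byte MBR: empty bootstrap area, one bootable primary
    partition, three empty entries, 0x55AA signature. The CHS fields
    are dummies; GRUB and the kernel use the LBA fields."""
    entry = struct.pack(
        "<B3sB3sII",
        0x80,              # status: active/bootable
        b"\x01\x01\x00",   # CHS start (dummy: head 1, sector 1, cyl 0)
        part_type,         # 0x83 = Linux
        b"\xfe\xff\xff",   # CHS end (dummy: "beyond CHS range")
        start_lba,         # first absolute sector of the partition
        part_sectors,      # number of sectors in the partition
    )
    table = entry + b"\x00" * (3 * 16)
    return b"\x00" * 446 + table + b"\x55\xaa"


def wrap_partition_image(part_image: bytes, start_lba: int = 63) -> bytes:
    """Disk image = MBR, zero gap up to start_lba, then the partition
    bytes at exactly start_lba * 512."""
    if len(part_image) % SECTOR:
        raise ValueError("partition image is not a whole number of sectors")
    part_sectors = len(part_image) // SECTOR
    mbr = mbr_for_single_partition(part_sectors, start_lba)
    gap = b"\x00" * ((start_lba - 1) * SECTOR)
    return mbr + gap + part_image


def parse_first_partition(disk: bytes):
    """Read the first MBR entry back as (type, start_lba, sectors),
    or None if the boot signature is missing."""
    if disk[510:512] != b"\x55\xaa":
        return None
    _, _, ptype, _, start, size = struct.unpack_from("<B3sB3sII", disk, 446)
    return ptype, start, size


def has_ext_superblock(disk: bytes, start_lba: int) -> bool:
    """ext2/3/4 keep magic 0xEF53 (little-endian bytes 53 EF) at
    1 KiB + 0x38 into the partition; a cheap check that the partition
    really starts where the table claims before handing it to QEMU."""
    off = start_lba * SECTOR + EXT_MAGIC_OFFSET
    return disk[off:off + 2] == b"\x53\xef"


def demo():
    """Constructed sample: a 4-sector 'partition' with only the ext
    magic planted (not a real filesystem), wrapped at LBA 63."""
    part = bytearray(4 * SECTOR)
    part[EXT_MAGIC_OFFSET:EXT_MAGIC_OFFSET + 2] = b"\x53\xef"
    disk = wrap_partition_image(bytes(part))
    return disk, parse_first_partition(disk), has_ext_superblock(disk, 63)
```

On a real image, `wrap_partition_image` would be applied to the file contents streamed in chunks rather than held in memory; the MBR and gap are the same 63 sectors either way.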
If they're 20 gigs each, how are you really going to splice 20 gigs, or maybe even 100 gigs each? You're not really going to be able to splice it into a giant file and then work it in most systems. So that was really what they were trying to do: you've got to find a way to splice these things in memory. So you've got three source files, and it just knows that when I hit this barrier, I start reading the next file. Excuse me. Anyway, we did not get points for this one. Only one team got this challenge, and they got the full 500 points; that was a pretty big point score for it. Three teams got half, which is pretty good. When you look at it, the 40 Thieves, the Professionals, and Hector Factor got the 250, and AccessData got the 500. So that was a pretty big deal. It was definitely one of the toughest ones. We didn't get this and I didn't get any points, but we actually kind of screwed up the write-up. I was hoping to get partial points, and I believe I would have, but I submitted an earlier copy, so it's kind of my protocol error. But we knew it would be similar to the boot dd, and we knew we had to combine the files. That was the challenge piece. I had to have been working with... You can't see it, unfortunately, because it got cut off, but this content was provided by the Professionals, which were the third-place team, from Florida State University. Here it's actually getting right into the VMDK format of what they did, and you're going to need something like this to go ahead and beat a challenge like this. If you ever have to do it in the real world, I think this is going to be the best way to go. I'd love to hear how AccessData did it; maybe there's somebody here and we can get them up at the end or something like that. We were looking along these lines, and we couldn't put it together in time. But we definitely thought it was interesting.
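Editor's note: the VMDK approach the speaker credits to the Professionals works because a VMware descriptor file is plain text that lists extents, and a FLAT extent is just a raw file on disk. Listing each dd slice as its own extent presents the slices to the VM as one contiguous disk, with nothing copied or concatenated; the VM (and `qemu-img`, which reads the same descriptor format) does the "in-memory splice" at the extent boundaries. The example below is added here and is not the Professionals' or the speaker's file; it generates such a descriptor from a list of slice names and sizes. The slice sizes and names are constructed, and the geometry lines use the conventional 16 heads and 63 sectors per track.

```python
# Added example (not from the talk): describe split dd slices as the
# FLAT extents of one VMDK disk, without concatenating them.
import os
import random

HEADS, SECTORS_PER_TRACK = 16, 63


def vmdk_descriptor(slices, adapter: str = "ide") -> str:
    """Build a VMware descriptor that presents several raw slices as one
    disk, in order. `slices` is [(filename, size_in_bytes)].
    Each slice becomes a FLAT extent: RW <sectors> FLAT "<file>" <offset>.
    createType twoGbMaxExtentFlat is the type for multiple flat extents
    (the "2 GB" is historical; any sector-aligned size works)."""
    extents = []
    total = 0
    for name, size in slices:
        if size % 512:
            raise ValueError(f"{name}: {size} bytes is not sector-aligned")
        sectors = size // 512
        extents.append(f'RW {sectors} FLAT "{name}" 0')
        total += sectors
    cylinders = total // (HEADS * SECTORS_PER_TRACK)
    cid = f"{random.getrandbits(32):08x}"      # any 32-bit content id
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        f"CID={cid}",
        "parentCID=ffffffff",
        'createType="twoGbMaxExtentFlat"',
        "",
        "# Extent description",
        *extents,
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.virtualHWVersion = "4"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        f'ddb.adapterType = "{adapter}"',
        "",
    ])


def descriptor_for_files(paths):
    """Measure the real slice files so an extent size cannot be mistyped;
    the descriptor must sit in the same directory as the slices."""
    return vmdk_descriptor([(os.path.basename(p), os.path.getsize(p))
                            for p in paths])


def extent_lines(descriptor: str):
    """The RW lines only, for checking what the VM will be told."""
    return [line for line in descriptor.splitlines() if line.startswith("RW ")]
```

Write the output to, say, `evidence.vmdk` beside the slices and point the VM at it read-only; a slice whose size is not a multiple of 512 is refused up front, because a short last extent silently shifts every later sector. If the slices form a bare partition rather than a whole disk, the MBR problem from the single-image challenge still has to be solved first.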
I'm going to move right on to the Linux LVM interpretation. It's a data-carving exercise, and we've got Logical Volume Management. I don't know if anybody's ever lost their information or screwed up their volume management and you have nothing; at that point you're doing a full carving exercise. It's happened to me a few times; actually, I don't know why I keep doing it. But anyway, same thing. They're like, you've got this LVM and there's just a ton of data with no table of contents, no FAT, no nothing. You had to find it. They said there's a deleted file on this thing somewhere; you need to tell me where it is. 20% of the teams got full points, and then 8% got partial. Again, as far as they go, it was pretty tough. Sure enough, it was an LVM volume, and we imported it into FTK, Autopsy, EnCase. I like WinHex; my team laughs at me for that. Anyway, we look at it and there's really nothing. It's all files, it's all text, all combined together. If you've ever done a data-carving exercise, you know the feeling of, I'm really looking at 7,000 or 8,000 files, and that means absolutely nothing to me. It's LVM. The first thing we had to do was unwrap it, because we couldn't see underneath it; we couldn't see ext3 or anything because of the LVM wrapper. Again, I went to QEMU; plus, I love the open source. In this case, what I did was I booted up the image along with my image. I got a little bit out of order this time. I started using those volume tools: I have to make it active, and I have to change it so it's active. Here's the trick; this is probably what made it tough. Originally I went to a first team member and then a second team member. But if you try to boot it up on your regular Linux or whatever you've got, you're going to hit that it's the exact same volume name as what's already installed.
So you're like, oh, I've got to go in and change my volume names, and that actually caused a data loss on my team. But no, no, no: use Helix or something like that and just boot into that, because it loads up all the LVM drivers and everything you need, and you don't have to change any of the names; it just loads the drivers for you. That probably would have been the best thing to do. But again, we're working the challenge; for some reason, we're running as hard as we can on this. It was kind of crazy. It was all off hours, so I was paying for lunches for my team and trying to get them to come in for after-hours work and things like that, because I love these kinds of challenges and the excitement. It's pretty exciting for me.

The next thing we did, we made our image. So now we've got a real-life image and we can see that it's ext3 and that there are two folders, root and lost+found. That is what we found. Anyway, it looks a little bit better like this; we can actually see that there are a couple of deleted files. I'm actually really known for running down the wrong path. Part of my process is I have somebody near me that says, wait, wait, wait, you're spinning around the axle on this, stop. Anyway, so I started running down the wrong path. I'm like, data carving. So I go out and get Scalpel, and I started doing a little bit of extra research on magic recovery, which I've never had to use; funny that FTimes and Scalpel have always been there enough for me. So I started thinking, this is going to be tough and I'm going to write recipes. But no. I did lots and lots of searching, and I found just gigabytes of files. Even though there are 800 total, by the time it starts doing all the cutting and stuff like that, you get into gigs. And then it hits me. There was a file, when you go back, called .readme.txt.swp. If you're familiar with vi and how it does recovery, you're immediately like, oh, bam.
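Editor's note: the name collision the speaker hit (activating a volume group with the same name as the host's) comes from the volume-group name stored in the LVM metadata; reading the on-disk label instead of activating anything lets you confirm "this is LVM2, here is the physical-volume UUID, and here is where the data area starts" before any `vgchange`/`vgrename` touches the host. The example below is added here and is not the speaker's or the team's code. It parses the LVM2 `LABELONE` label header and the `pv_header` that follows it (the layout from LVM2's `label.h`/`layout.h`: all little-endian, data areas then metadata areas as zero-terminated lists) and probes for an ext superblock at the first data area. Assumptions: the volume is a single linear LV whose first extent is at the start of the data area (otherwise the extent map in the "LVM2 001" metadata text is needed), the label CRC is not verified, and the sample image is constructed with a 1 MiB `pe_start` and only the ext magic bytes planted.

```python
# Added example (not from the talk): read the LVM2 label and PV header
# straight from an image, then look for the filesystem beneath it.
import struct

SECTOR = 512
LABEL_ID = b"LABELONE"
EXT_MAGIC_OFFSET = 1024 + 0x38   # s_magic inside the ext2/3/4 superblock


def find_lvm2_label(img: bytes):
    """LVM2 writes the label header into one of the first four sectors
    (normally sector 1). Return that sector's byte offset, or None."""
    for sector in range(4):
        off = sector * SECTOR
        if img[off:off + 8] == LABEL_ID:
            return off
    return None


def format_pv_uuid(raw: bytes) -> str:
    """LVM prints the 32-character UUID in 6-4-4-4-4-4-6 groups."""
    s = raw.decode("ascii")
    groups, pos = [], 0
    for n in (6, 4, 4, 4, 4, 4, 6):
        groups.append(s[pos:pos + n])
        pos += n
    return "-".join(groups)


def parse_pv_header(img: bytes):
    """label_header: id[8], sector u64, crc u32, offset u32, type[8]
       pv_header:    uuid[32], device_size u64, then two zero-terminated
                     lists of (offset u64, size u64): data areas, then
                     metadata areas. The CRC is not checked here (LVM
                     uses its own table-driven CRC32)."""
    off = find_lvm2_label(img)
    if off is None:
        return None
    _, sector, _crc, contents_off, typ = struct.unpack_from("<8sQII8s", img, off)
    pvh = off + contents_off
    uuid_raw, dev_size = struct.unpack_from("<32sQ", img, pvh)
    pos = pvh + 40
    data_areas, meta_areas = [], []
    for areas in (data_areas, meta_areas):
        while True:
            a_off, a_size = struct.unpack_from("<QQ", img, pos)
            pos += 16
            if a_off == 0 and a_size == 0:
                break
            areas.append((a_off, a_size))
    return {
        "label_sector": sector,
        "type": typ.rstrip(b"\x00").decode("ascii"),
        "pv_uuid": format_pv_uuid(uuid_raw),
        "device_size": dev_size,
        "data_areas": data_areas,        # first entry's offset is pe_start
        "metadata_areas": meta_areas,    # where the "LVM2 001" text lives
    }


def ext_magic_at(img: bytes, offset: int) -> bool:
    """ext2/3/4 magic 0xEF53 sits 1 KiB + 0x38 into a filesystem."""
    o = offset + EXT_MAGIC_OFFSET
    return img[o:o + 2] == b"\x53\xef"


def build_sample_pv() -> bytes:
    """Constructed sample: label in sector 1, metadata area at 4 KiB,
    data area (pe_start) at 1 MiB, ext magic planted at the data area."""
    pe_start = 1024 * 1024
    img = bytearray(pe_start + 8192)
    uuid = b"2aeB9x" + b"abcd" * 5 + b"Zz12Qw"            # 32 chars
    pv_header = struct.pack("<32sQ", uuid, len(img))
    pv_header += struct.pack("<QQ", pe_start, len(img) - pe_start)
    pv_header += struct.pack("<QQ", 0, 0)
    pv_header += struct.pack("<QQ", 4096, pe_start - 4096)
    pv_header += struct.pack("<QQ", 0, 0)
    label = struct.pack("<8sQII8s", LABEL_ID, 1, 0, 32, b"LVM2 001")
    img[SECTOR:SECTOR + len(label) + len(pv_header)] = label + pv_header
    img[pe_start + EXT_MAGIC_OFFSET:pe_start + EXT_MAGIC_OFFSET + 2] = b"\x53\xef"
    return bytes(img)
```

With `pe_start` in hand, `mount -o ro,loop,offset=<pe_start>` on the image (or the same offset in a hex editor) reaches the ext3 filesystem with no volume group activated and no name to collide with.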
So it really was after hours of me screwing around, doing all this stuff, and my team members are laughing at me. I'm like, I just got to find the magic for vi and the swap file. So, of course, I scour the Internet, run down the wrong path. I scour the Internet; I'm looking high and low, high, low. Can't find it. I really can't. And then, of course, I just go and create one myself, and I get the magic out. And this is the magic. Again, I couldn't even find it in Google. I'm like, what is the magic? What is the hex header, all this good stuff, for vi? And that's it: 62 30, 15, I'm just kidding. I cut it down, and sure enough, I get five great hits. Yeah, four great hits, excuse me. And of course the first one I highlighted because it's the one I like the best. Sure enough, that's it. I get the machine that it's on and what the path is and everything that was part of it, and then a whole bunch of space because it gives you all kinds of padding. The answer in this case was "water is a refreshing beverage." So that was kind of our challenge goal, and we were pretty happy. Actually, we jumped up and down on this one, believe it or not.

The next one, so let's get real interesting here: metadata extraction. I remember there was a Washington Post article a while back about a botnet herder, and he was doing it anonymously, and they put his picture on the website. He was anonymous, and he's like, I live in a small town and I didn't graduate high school. I see some people laugh, and hopefully they remember this. But what happened was they left the metadata in there, and they actually got the GPS coordinates of this small town, and then based on the other clues they're like, oh, I live near the used car sales lot.
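Editor's note: the "magic" the speaker had to derive by hand is Vim's swap-file block 0, which begins with the bytes `b0VIM` (hex `62 30 56 49 4D`) followed by the version string, and which is why a hit yields the host name and the edited file's path: those are fixed-offset fields in the header. The example below is added here and is not the speaker's code or his Scalpel recipe. It scans an image for that magic, parses block 0 (field layout from Vim's `memline.c` `struct block0`), then walks the following pages and pulls line text out of `tp` data blocks, which is how the recovered sentence is found in a real swap file rather than by eyeballing the padding. Assumptions: a little-endian host wrote the swap file (the `db_txt_start`/`db_txt_end` fields are host-endian; the four-byte block 0 numbers are always stored LSB first), the page size in block 0 is sane, and the sample image is constructed (a 3-page swap file with made-up user, host and path, carrying the sentence from the talk).

```python
# Added example (not from the talk): carve Vim swap files by their
# block0 magic and recover the text held in their data blocks.
import struct

VIM_MAGIC = b"b0VIM"   # block0 id "b0" followed by the "VIM x.y" version


def _cstr(b: bytes) -> str:
    return b.split(b"\x00", 1)[0].decode("latin-1")


def parse_block0(img: bytes, off: int) -> dict:
    """struct block0 is all byte arrays, so offsets are fixed:
      +0 id[2] "b0", +2 version[10], +12 page_size[4], +16 mtime[4],
      +20 ino[4], +24 pid[4], +28 uname[40], +68 hname[40], +108 fname[900].
    The 4-byte numbers are written least-significant byte first."""
    u32 = lambda o: int.from_bytes(img[off + o:off + o + 4], "little")
    return {
        "offset": off,
        "version": _cstr(img[off + 2:off + 12]),
        "page_size": u32(12),
        "mtime": u32(16),
        "pid": u32(24),
        "user": _cstr(img[off + 28:off + 68]),
        "host": _cstr(img[off + 68:off + 108]),
        "fname": _cstr(img[off + 108:off + 108 + 900]),
    }


def carve_text(img: bytes, off: int, page_size: int, max_pages: int = 64):
    """Walk the pages after block0. A data block starts with "tp"; its
    text occupies [db_txt_start, db_txt_end) relative to the block start
    (u32 at +8 and +12 on 32- and 64-bit builds alike; little-endian host
    assumed), one NUL-terminated line after another. Pointer blocks
    ("tP") are skipped. max_pages stops a hit near the end of a carved
    region from running into unrelated data."""
    lines = []
    for k in range(1, max_pages):
        p = off + k * page_size
        if p + 16 > len(img):
            break
        if img[p:p + 2] != b"tp":
            continue
        txt_start, txt_end = struct.unpack_from("<II", img, p + 8)
        if not (16 <= txt_start <= txt_end <= page_size):
            continue
        chunk = img[p + txt_start:p + txt_end]
        lines += [l.decode("latin-1") for l in chunk.split(b"\x00") if l]
    return lines


def carve_vim_swaps(img: bytes):
    """Every block0 in the image, with header fields and recovered lines."""
    hits = []
    pos = img.find(VIM_MAGIC)
    while pos != -1:
        info = parse_block0(img, pos)
        if 1024 <= info["page_size"] <= 65536:      # sanity check first
            info["lines"] = carve_text(img, pos, info["page_size"])
        else:
            info["lines"] = []
        hits.append(info)
        pos = img.find(VIM_MAGIC, pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed sample: junk, then block0, a pointer block, and one
    data block holding a single line, then trailing zeros."""
    page = 4096
    b0 = bytearray(page)
    b0[0:12] = b"b0VIM 7.0\x00\x00\x00"
    b0[12:16] = page.to_bytes(4, "little")
    b0[24:28] = (4242).to_bytes(4, "little")
    b0[28:28 + 7] = b"analyst"
    b0[68:68 + 9] = b"lab-box-1"
    b0[108:108 + 24] = b"/home/analyst/readme.txt"
    ptr = bytearray(page)
    ptr[0:2] = b"tP"
    text = b"water is a refreshing beverage\x00"
    data = bytearray(page)
    data[0:2] = b"tp"
    struct.pack_into("<II", data, 8, page - len(text), page)
    data[page - len(text):] = text
    return b"\xff" * 777 + bytes(b0 + ptr + data) + b"\x00" * 100
```

On a real image the text blocks may be out of order or partly overwritten, so treat the recovered lines as fragments and keep the block offsets in the notes; the user, host and path from block 0 are usually the more valuable lead anyway.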
They were actually able to place this guy's house within, I think it was, a mile radius: this is where this guy lives. And it's people that were just kind of on this little forum that were talking about this; I'm pretty sure the FBI was there too, because he really was talking about herding thousands of botnets and making all this money, and how he really wants to quit and feels bad about what he does, because he knows he's going to get caught eventually, but he didn't think talking to the Post was going to lead to it so quickly. But anyway, it was just interesting. We heard about that, and at the time I went out and was like, oh, I'm going to brush up on metadata. Actually, a good percentage at least got partial points on this. The top four teams plus a bunch of others got the full 200. Metadata: it's data about data. Hopefully everybody's familiar with that whole paradigm; you can be data and metadata at the same time. In this challenge it was 13 files with 23 questions, and the questions were just crazy. But here's a nice picture, and it's got a ton of metadata in it. In fact, it's got 61 metadata fields inside this one picture. As you can see, I'm not going to run through all these, but yeah, this one's got the GPS, it's got the tracking. I sure hope that I didn't let you get a picture of my silhouette and tell you that I'm hiding from the law here. My security analyst, Trent Beckett, was the one who Googled and found this out. He identified all of the primary metadata types: ID3 for MP3, and EXIF, TIFF, OLE, and XML. Anybody got any to add to that? Just shout it out. I kind of thought our list was incomplete, but I was just going to come with this. We found all kinds of tools, but then we found this to be the bomb: ExifTool by Phil Harvey. It'd be great if Phil was here.
We definitely love his product. It actually found 12 of the 13 files without any other work; I mean, this was a pretty easy one for us to do. It was updated earlier this year, and it supports almost everything that we found. The one it didn't get, I actually think I mentioned a couple of slides back, we used ImageMagick for. But here are some of the questions, like, what are the MS Stereo and intensity stereo settings? And we're just going through the image data. We were able to go through all this: what types of encodings were used, and what's the Dateiname (that's German for file name), all this good stuff. But anyway, it was pretty exciting, and, you know, use it. You'll get pictures off your process and you can use those to see what's in them. Now I do it regularly for news photos, just to see what I can get out of them. It's kind of fun. All this is on the CD, so you'll get these links and everything that I'm using.

The next one was the secret bonus. The clue was "you'll know it when you see it," and we were excited about this. It was all or nothing. 36% got the full points, and of course in the top five, it looks like one, two, and four got the full 300 points. Sure enough, we saw it right away. Hopefully you can see this okay, but it was on everything. It was on the CD that came, the media CD; you can see it under "damaged media" at the bottom. It was on the little folder that it came with, and it was up on their website, actually, where I pulled that from. And it's just binary, and it doesn't look like the straight binary that people love to put on backgrounds; it actually said something. So I like breaking codes, and again, since I'm good at the wrong path, I'm not very good at it, although I try a lot. Anyway, binary to ASCII, we got something that looks right. Actually, there were colons and things in there too.
Then I got kind of pulled out of here, because most of the translation products we use... but yeah, it was like DC3; the 3 stayed in there. Oh, then the colon's there; I take that back. So it's kind of like, okay, I know I'm onto something. Like, here is, this is the word. And it looks monoalphabetic, a simple substitution. We were like, this is a cryptogram, right? And that was based on the 3 and the colon plus the looks. Here are the tools I like to use. I love CryptoMX; it does all kinds of translations and substitutions and keeps track for you, so that's pretty neat. And I like Crypto Helper a lot; it's actually got a couple of brute forcers in there, and I actually used it this year for the ShmooCon encryption for Playfair. I managed to get that before they gave out that it was Playfair. I was hoping I would be one of the few people, because it was tough to look at it and realize what it was. But it converted it from binary, and then we did the frequency analysis in Crypto Helper. That was kind of cool. They also had a nice feature called "run the alphabet," which is just ROT1 through ROT26, but you never know what you're going to get. And sure enough, it told us to email DC3 the secret word, which was Hummer. That's how I like Hummer's truth. And that was kind of it. That was exciting. That was 300 points that we got pretty early on. It was nice.

Key log cracking. This is one that we didn't get, but the object was to decrypt and recover the contents of a key log file. We were kind of like, what's the methodology for this? How are we going to do it? I went down the wrong path again and I started actually working it. I was honestly really doing everything I had, throwing everything I had at it. No team got the full points, because it was two key logs, and one was encrypted and one was not.
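Editor's note: the whole secret-bonus pipeline the speaker describes (binary to ASCII, notice that digits and punctuation survive so it is a letter-only monoalphabetic shift, then "run the alphabet" and pick the candidate by letter frequency) is small enough to write out. The example below is added here and is not the speaker's work or the output of CryptoMX or Crypto Helper. The binary string it decodes is constructed for the example: a plaintext in the style of the clue, rotated by an assumed shift of 7 and printed as space-separated 8-bit groups; the real clue's wording and shift are not reproduced. The frequency table is the standard English letter distribution, and a crib (a word you expect in the plaintext, such as `DC3`) can be used instead of, or as a check on, the frequency ranking.

```python
# Added example (not from the talk): binary -> ASCII -> "run the
# alphabet", ranking the 26 rotations by English letter frequency.
import math
import re

# English letter frequencies in percent, used to score candidates.
ENGLISH = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}


def bits_to_text(blob: str, width: int = 8) -> str:
    """Binary-to-ASCII: drop anything that is not 0/1 (spaces, colons,
    line breaks on a printed copy) and decode fixed-width groups."""
    bits = re.sub(r"[^01]", "", blob)
    if len(bits) % width:
        raise ValueError(f"{len(bits)} bits is not a multiple of {width}")
    return "".join(chr(int(bits[i:i + width], 2))
                   for i in range(0, len(bits), width))


def rot(text: str, k: int) -> str:
    """Shift letters by k; digits and punctuation pass through, which is
    why a '3' and a ':' survive a rotation unchanged."""
    out = []
    for c in text:
        if "A" <= c <= "Z":
            out.append(chr((ord(c) - 65 + k) % 26 + 65))
        elif "a" <= c <= "z":
            out.append(chr((ord(c) - 97 + k) % 26 + 97))
        else:
            out.append(c)
    return "".join(out)


def english_score(text: str) -> float:
    """Sum of log letter frequencies; higher is more English-like."""
    return sum(math.log(ENGLISH[c] / 100) for c in text.upper() if c in ENGLISH)


def run_the_alphabet(text: str):
    """All 26 rotations, best-scoring first, as (shift, candidate, score)."""
    cands = [(k, rot(text, k), english_score(rot(text, k))) for k in range(26)]
    return sorted(cands, key=lambda t: t[2], reverse=True)


def solve(blob: str, crib: str = ""):
    """Decode the binary, then pick the rotation by frequency score, or
    restrict to candidates containing a known crib when one is given."""
    ranked = run_the_alphabet(bits_to_text(blob))
    if crib:
        ranked = [t for t in ranked if crib in t[1]]
    return ranked[0] if ranked else None


def sample_challenge() -> str:
    """Constructed sample in the style of the bonus clue: the plaintext
    below is rotated by 7 and emitted as space-separated 8-bit groups."""
    plaintext = "DC3: THE SECRET WORD IS HUMMER"
    return " ".join(f"{ord(c):08b}" for c in rot(plaintext, 7))
```

`solve(sample_challenge())` returns the shift, the recovered text and its score; if the frequency winner looks wrong on a very short message, `solve(blob, crib="DC3")` forces the choice to candidates that contain the expected token. A 7-bit variant of the binary is handled by passing `width=7` to `bits_to_text`.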
So the challenge, and again, I should have looked at that and said, hey, that probably means that there's two of them: probably one's easy, one's hard, and one gets you into the right arena and the other one is, we've got to do some work. But nobody got the full points on it. And this is the right methodology to do. This was also provided by the Professionals, because again, I went down the wrong path. I'm actually doing substitutions, and I was doing my ASCII charts and my hex charts, and I really was just all over the place. My hair's all standing straight up and everything like that, working it. I actually said to one of my guys, damn, while I'm doing this, somebody should go out there and Google, you know, find every key logger. It turns out that Mike McDonald from the team Professionals went and did that. He's also started up a forensics company as well, so I want to plug that at the end. Actual Spy turned out to be the key logger. And of course, it was one of the ones that had the free sample, and we went and actually did the same thing. This is what it looked like before, like down there. I actually had it where, when you look at that first line, to me it was clearly a date and time, because there were very few differences between the first one and the second one, and I kept saying that's a date-time stamp. So I was doing all my cracking based on 2007, 2008, all this good stuff with slashes. And it was crazy. I'd love to show you some of that work. But no, no, it turns out that it's not. Actually, they started with the same shift, space, shift. And that actually was exactly what I kept going after, because it was a shift-space. Those were the same characters over and over, and it just happened to match what a time-date stamp field would look like. But this was actually a screen capture of the first one once it's decrypted. You can actually see it basically says "preferred recycle pads of paper."
How about you? Right? So of course, one-time pads, if you recycle them, that's very, very bad. And that was basically it. When you think about it, if you find it in the wild, you're finding key logs, and how are you going to break them? You're going to do exactly this methodology. You're going to go out there and see what's out there and whether it's something that's part of a package. In most cases, it's part of the package, so you just need to track it down and see it. I'd love to see a database or a website or something, and maybe I'll do that, of all the different versions and then kind of how they look once they're encrypted and things like that. That would definitely help investigators, or people just doing this for fun, track it down a little bit easier.

This is a great one, and it's image analysis, and it's something that fascinated me the most. We either did the challenge and got full credit, or we didn't do it. All the ones that looked like this, and we were interested in it, we just saw the amount of work it was going to take, and we had some learning curves and things like that. We started using MATLAB and doing some things like that. It was just too much for us, and we were like, throw this one away; we don't know we're going to do well. But nobody got full points, and basically 24% got partial, the best being... the lowest was 55, but they still had something. It was Dr. Krantz, who I saw earlier today; he did very well, and he actually has done some additional work on this, because it's a really, really interesting field as far as what kind of things you can do to tell. I never met anybody from Penn State, but they actually got the high score, which really impresses me, because I've seen some of the methodologies and I've learned a lot more about it since the contest has ended, and it's very challenging, definitely.
And again, this is, it says provided by the professionals, but real images are captured by cameras, and then it can be altered and scanned from actual print films, but CGs, they're created, and all the different products, and where do we begin? We did also say that all images are innocent until proven guilty. And you know, you look at it, and naturally your brains are these incredible machines where they're like, oh, that's fake, it looks fake to me, his nose is too long or the shadow's wrong, or I can't prove it, but it feels fake to me. The statistical tests, they have to win the day, because those are unbiased, they're forensically sound, reproducible results. You can stand up in court and say, hey, I thought it was bad, or you can say, here's a graph showing it's bad, and they'll probably believe the graph, of course. But we went with the hybrid approach as well. We didn't go very deep, but when I talked to Mike and then we kind of went over stuff afterwards, it was really cool. We don't think any method, I don't think a combination method is equal to 100% accurate. I want to get some experts behind me to really confirm that. But this is what, working with Mike afterwards: visual inspection, color frequency histograms, fast Fourier transforms, metadata, surface plots. I like that he wanted to hide some of his information, like, oh, there are individual tests and other statistical tests, because he actually created some additional tests that he could do that actually provided value, and I think he's actually patenting a few of them. But what he did was he took the cumulative scores that increased the overall confidence into the final decision.

And this is, this is a you-be-the-judge here. I haven't seen my guy here, but anyway, which one's real and which one's fake? And this was one of the contest entries, actually. It was funny that I saw a presentation earlier and he used this exact image. I was like, oh my god, how'd they know? But anyway, it's really cool, because it was found by Google. One of these images was the one that was in the contest, and then they used Google Images to find out the other one. But anyway, actually, the original, and this was just a completely from-the-ground-up rendition. And earlier in the week I learned that there's a lot of differences in the space suit and the way the wrinkles are and everything like that. And it was made up of two; the artist took two separate pictures. He took the original image, and then he took, and it was an exhibit, and he took the picture from the exhibit. And that's Dr. Krantz as well. I'm thinking, I'm worried in here, I've got lots of slides, of course.

But password cracking, you know, that's a tough one everybody's been doing, and the challenge was ranging from 40 bits to 256 bits, and points awarded. It came in a total of four files. No team really did well; all got partial. Seven teams actually got 20 points out of 250, so it actually was better than I thought. Though we were surprised that AccessData got a zero, because, oops, that's what they do, right? That's one of the things they do, is they have their Password Recovery Toolkit. And it was four files, and here's the examples of the passwords that were on those files. We honestly didn't even come close on this. I think we ran it for like a month or two, and then we're like, let somebody else get that one. But I like number two here, that's all Unicode, right? Or ANSI, excuse me, Unicode, sorry. And I don't think we would have gotten that. No, the other ones were a little bit easier. That's actually a nine-letter, 72-letter key space file; could have got that maybe in a couple years. And then that is Unicode at the bottom. We didn't miss that; that's what everybody got. The people that got the partial, the 20 points, I think they got the Chinese document, because they did tell you that it was Chinese in the name of the file.

And this is kind of where we didn't, this is kind of wrapping some things up here, but steganography using S-Tools. It's a really great product. I think your data is very secure. I think there's a lot of real experts out there, they'll tell you the same thing, but you want to check with them. Two teams got 50 points out of 200. And really, some of the passwords that came out, there is steganography in here, and then you had to look at it and say that they were all password protected. So once we were able to identify, you then had to turn around and actually break it. So we started writing some brute force to do this stuff, and we didn't get any, but some people did. And AccessData got 40 and the professionals got 20, so that was actually really cool. I guess that was one and two out of those things. The audio, we didn't touch that as well. It was really tough. It got a partial; turned out three teams submitted, and again they got the low, so it was really tough. Actually, in the 2007 contest they're also doing another audio steganography for you to crack, and hopefully more people will build out their methodologies. I wish I could share them with you. That's what we really tried to do, was kind of say, this is how we did this and this is how we went after this, here's the kind of things that we attempted to do and what we tried to learn from it.

We actually submitted a little bit early. Now getting into results here. We wanted to submit early because we were sure 140 people signed up, and we estimated that we had 64% complete, which turned out to be off because we counted a challenge that we ended up not getting any points on. But anyway, we got this back. We're really excited that we were in the top four, so we're the fourth place, and the professionals, who we had, I think we had chatted with them, but we didn't really talk to them until after the contest was over. And they also broke it out by academic. Dr. Krantz came in first for the civilian sector, and we came in, I think it was third, for academic. And the grand prize winner, of course, the grand champion was AccessData, the Forensic Toolkit. I'd like to hopefully see that there's more real forensics companies, because, you know, I need to learn more, and that's the thing. That's part of why I'm doing this, is to share what I know, but I'd like to see some of these contests produce some of either tools or methodologies that we can use. That's kind of stuff too, if you want to write in a book and then I can read it. But anyway, when it comes down to it, 78% was completed by AccessData, the grand champions, and that was pretty exciting.

I actually broke out the scores a little bit. You can see we blanked on the first four, at least Team Hoya-Hacksa, and those were the ones that we, I guess most of these, we didn't focus on. We wanted to do the image analysis, and we probably put about 15 hours into it, and then it kind of got abandoned. But we did better on this round, where we didn't get that much DD, but we were able to get the data carving and the media, which is the big score, a thousand, and the floppy. And then we missed on the keylog, and then the final was a secret bonus and the metadata extraction. This is the final scorecard, and this really shows you how tough the competition really was. It seems easy now that I'm relaying it, but yeah, it was pretty tough. And we actually did a lot of different things and we learned a ton. I mean, that's part of what this is. Some of the slides are some of the things I learned about media and things from there.

But here's some thanks: Mike McDonald from Team, the excellent team at FSU. I met Dr. Krantz earlier this week, and a little bit from before; he shared some great information. And then AccessData for winning, and of course DC3. I mean, I don't know how many of you are here, but say hi to me, please. I definitely enjoyed your competition, and I'm excited that hopefully on the next one we're going to get some more information out in that methodology, because that's really what I'm up here for. And then the makers; I use a ton of tools and people, and I wish I could thank them all. And of course my Georgetown team.

And this is an attempt to share all the weird tips and tricks we learned, and this is kind of where I want some participation from some people, but your mileage is going to vary, so feel free to shout out what works for you. And please don't give me any of the "heard this works," but firsthand knowledge only. But for data recovery, one of the things that we found is, have you ever seen where the foil starts to come up? What we did was we actually said, hey, this took me a lot to learn this: you can use the labels, and they'll keep the foil down. So if you have damaged media that's been broken, like a CD, you can actually put that label on it and it'll keep that foil from coming off, because once that foil comes up, you're gone. I mean, the dye is dust, basically, and as soon as that gets messed up, that's it. Those pits are gone and you won't ever get that data back. I found things on the internet, and I've seen books actually, that tell you that if you lose any of that foil your media is gone, and that's not true. We actually were using a silver spray paint, and basically it's not the right reflection, but then too, it actually keeps that dye from going anywhere. And combine some spray paint with the label, it actually lets you attempt to recover sectors on a disc.

There's a trick that you have to do, and originally I wasn't going to share it, but I'm going to share it now. If you ever get it where it says "invalid media," like you put the disc in and it says, I can't read this, well, what you want to do is you want to open up a CD-ROM drive, hopefully not your good one, but open up a CD-ROM drive. You'll find a little clip that keeps the disc down. And then what you do is you put the CD in; you can see it spinning, you have the clip on it, you let it settle, and then once it settles you can swap it out, and that firmware will never know that the CD has been changed. And it will attempt, if you put in a CD with a full TOC, it says a full 800 megs, you can now do a dd. And whereas before you were seeing no data, you can do a dd and it will give a ton of error sectors, but you'll actually see what, the trick, you'll actually see on there. That's how you go about getting data off a CD that you couldn't even read before. Some tricks that you really need to do are CDs and DVDs that are exactly the same, but the dye, the same manufacturer, we found is better, and we just keep doing that over and over and over. You'll also be amazed; did the same with the hard drives. When you see Scott Moulton talking, he was here before me. When you see, and try it on different OSes, try it on different readers. I was amazed how many things didn't go, didn't go easy.

I think this actually got out of place here, but does anybody want to actually, does anyone want to say anything about data recovery, any tricks or tips they've learned? I actually think I have another slide in there. No? All right, anybody want to say anything about, like, audio steg or S-Tools or anything they've learned to kind of help you crack those or go after them? All right, I'm going to keep going then.

Here's where the data recovery picks up. The DVD and CD writers are going to have a lot of work to do, so the first thing you want to do is you want to go out there and you want to find a writer, like a DVD writer, to process your damaged DVD. This is cool; your kid scratches it up and it's his favorite Barney or whatever. But I think I talk about this: CDFreaks, it's a forum for duplicators, and when you read their stuff, they're really like, oh, you can get ten times, and they love their Plextors. They love the early ones, so you've got to get it off eBay. So these 12X's, and Pioneer actually for the DVD; I use the A111, A111, and that one's been doing great for me. The new challenge is a lot of broken media, and that was kind of cool. Number one rule is you don't try stuff you don't like; you just stick it in and try to read it first. Don't clean it first or anything like that. You'll find that that can actually be, I don't know, damaging. But we found that with alcohol, or your soap and water; don't use Windex, sir. I would do the cleaning. The question was, if you can't read it right away, do you do the CD swap first, where you can get bad media check, or do you try to clean it first? I would try to clean it first at that point. Normally I just go, if I can get a read, even if it's, like, you know, error is low, I still try to do the read. But yeah, I definitely try to clean it before you find the improvements of the CD and getting a CD that's close to the other CDs. So that's pretty big. I haven't seen my time signal, but we'll see how it's going here.

The other thing is, lots of recovery software exists, but none of it works if you can't get past the "media not found," and that's kind of really the big thing I learned and wanted to share, because once you get through that you'll see the CD spin, and ddrescue: so if I can't live through the whole dd run, ddrescue will actually randomize the sectors it tries to get, so maybe, you know, you won't just get error after error of the bad area. You can force it to start at the end and then go backwards; that's kind of cool. Ontrack, of course, they're big drive manufacturers and they do stuff, but mostly things you can get the trial; obviously you can get the full dd.

The next section I had was for file systems and mounting, the stuff we used. Obviously there's a ton of great VMware disk tools out there, so you can build your own images and disks and then build them back in and do all your forensics inside of there, and that's pretty cool. We also like mounting dd drives; obviously it's easy to do, like, a run right down, right away. And of course you've got to put your ext2 and ext3 drivers in if you want to mount these drives and run them in. And these other tools, like I said, I love WinHex, and I haven't been able to duplicate that in any of my Linux environments, but I keep bringing stuff back in so I can work on it through there. And then of course some boot CD-ROMs; I'm a big BackTrack fan, and the CD, and the team was big on that. And then if you ever do any, like, forensics on SPARC, I don't know, I had to reinvent the wheel. We used to have these great CDs, and somehow they stopped working, and I recently had to go back and say I need to do the SPARC recovery, or a SPARC forensics exercise, you know, and nothing works. I found Gentoo; it worked just great. I mean, it seemed to be, anybody that, just kidding. And that's basically, any questions?

Question right here. Say again, I'm sorry. I have, but not really enough to say, like, any kind of great methodology. The question was, have we done any forensics on VMware snapshots, which are pretty cool, but no, I haven't actually had, like, a full-on case where I pulled out some information on that. Sorry. You got anything you want to say about it? Okay. Trust me, I mean, it happens soon, you never know. Any other questions? Anyone?
Oh, here's a question right here, sir. I do not know. The question is, for the password cracking, which ones did they get? And this is the information I would have loved to see, right, because I thought these were really, really tough. And I don't know is the answer. My guess would be that the 40-bit, because there are actually tools out there to just crack; you're not trying to brute force it with letters, you're going after the actual 40 bits. And I think that's, and I've seen them for Word files in the past, and I think it takes like a day or two. But that would have been my guess, but I can't say for sure. I mean, when you look at some of these actual passwords used, I just, I can't believe that anybody's really going to crack those.

The question was, for each of these challenges you must show a methodology, and the answer was no, it was not shared this time, and that's really why I did this presentation. I wanted to share at least my methodology and the kind of things we were thinking. This time they did it, it was some management issues, and that they meant to. I'd love for someone, if they could say something about it. But anyway, that's the thing, and that's really what I felt strong about. I was like, I'm giving into this and I wanted to see some of the methodology back. I'd love to learn a little bit more. I heard, actually, as a, you know, kind of just a random statement, was that everybody did the CD-ROM challenge differently, so there was, I think, 11 teams. There was a balancing issue in this case, and it wasn't split down the middle, and you had to jump the crack. So any other questions? That was a great question. Cool. Anyone? How am I doing on time? Two minutes? Okay, great, great. I was worried, I didn't see you, so I'm like, how am I doing? I couldn't keep track of my time this time for some reason. I just came off a massive head cold.

Yes, sir? Say again, I'm sorry. The question is, crinkled-up floppy, cut. I would probably attempt to, you know, just press it, you know. I would go ahead and remove it. I would press it down; it'd be a lot of the same, and get rid of it as much as you can. You know, I'd probably test it a few times. I want to see if ironing works, to be honest, you know, like with the right stuff. You're worried about the magnetics, but I think it can handle some heat; those drives get hot. And we were surprised we got what we got, especially we got like over 60% on one of our tests, and really we did run like 20 tests. I mean, we had CDs, floppies, I mean, I'm sorry, floppies all over the place, and I think everybody took home like five, and that was their homework, was to do that. But it was interesting. Yep. Anyway, cool. Any other questions? You can hit me up; I do a Q&A afterwards. It's okay if you don't come. Great. Well, thank you very much.