Hey everybody. Alright, thanks for coming to Not a Google Talk. And uh, those of you that have seen me speak before know that this is going to drive me absolutely insane. I cannot stand in one place. So, if you see me like doing a little dance, that's what it's all about. Alright, let's get started. Just to show hands, how many of you have uh, have read any of the books in the Stealing the Network series? Show of hands. Excellent. How many of you have uh, Stealing the Identity, the latest in the series? Excellent. How many of you are authors in Stealing the Network? There we go. There it is. Show of love. Alright, what we're going to do here is uh, those of you that aren't familiar with the Stealing story, there was some uh, interesting stuff that happened in the book with this psychopath named Newt, who uh, happens to be sitting in the front row. I won't point him out, but you can narrow it down from the hands that went up. Anyway, this guy Newt was up to absolutely no good. His whole thing was he didn't want to get caught by the man. So what he did is he took all his hard drives, took all his CDs, took all his removable media, and melted them down when he was done doing his thing. Alright, so, now when Syngress came to me and they were like, hey we got this great book series, you know, called Stealing. We want you to write on it. I was like, sweet. I was like, this is excellent. Rock on. They're like, well, you get to catch Newt. I was like, oh. Well, the bottom line was it's, it was a tough job. So what I'm going to try to do is I'm going to try to give you an idea of what it's like to try to catch a guy like this, who's ultra paranoid, who does everything in his power to basically keep from getting caught. And as it turned out, Newt's death was going to be a death by a thousand cuts. I'm not going to ruin anything, and I'm not going to say that Newt died, but you'll have to read the book to find out.
Alright, so anyway, that's basically all that stuff that I said. We are going to be looking at Newt's place through the eyes of this guy I'm calling Uber Agent. Okay, so for the next half an hour, 40 minutes or so, you get to play Uber Agent. And we're going to have some interesting, some interesting games as we go through here. We're going to be, we're going to be playing some Find the Evidence games, where you guys as an audience have to try to find the evidence in various places. I'm going to show you some pictures. We're going to have some, you know, have a little fun with it. I've got a pile of books up here that I'm going to be giving away to those of you that find the evidence the quickest. Alright, the whole hand raising thing, it's not going to cut it. Alright, if you want a book and I'm doing a Find the Evidence contest here, you have to stand up and scream at the top of your lungs the correct answer. Okay, you got to commit if you want the books. Alright, so now we're going to start off pretty lightweight. This, this is not for a prize. Okay, so please remain seated. Alright, help me find the evidence. Thank you. Yes, we're going to start off pretty easy. Alright, now in the Stealing book, Newt did not have an iPod. Okay, that wasn't part of the story, but one of the, one of the interesting devices that I'm seeing all over the place is these iPods, and everybody knows they hold music, they can hold data, the whole nine yards, but the bottom line is there's a whole lot to it that folks really haven't considered. So what I'm going to do is sort of take you through what some of that stuff might be. Alright, first of all, this is the standard practice for the man, okay, the Fed, is to grab a device like this and pick it up and sort of flip through it and see what's there, hit that little About menu, you know, get information from the iPod. Well, the simple fact of the matter is that's bad news.
Okay, picking up any sort of device on a scene and mucking with it is going to potentially destroy evidence, and if a decent lawyer gets a hold of that in court, that evidence that you discover is going to get tossed. Okay, so doing this is a bad idea. Alright, so let's talk about some of the things that we can do to sort of investigate these things. I'll be the first to tell you, and no offense to those that do forensics full time, forensics is a little bit dry, you know, and no offense. I mean, CSI is very cool, right? You know, the slightly aging but still quite attractive redhead and the not so aging and quite attractive brunette, you know, make it interesting. But that has nothing to do with forensics, so. But I'll try to spice it up a little bit. Alright, as far as an investigative platform for these things, I hate to be, you know, some sort of raving Mac fan, okay? But the simple fact of the matter is if you've got a Mac that was or an iPod that was formatted on a Mac, the best way to actually take apart that iPod forensically is by using a Mac, okay? One of the best reasons for that, the biggest reasons for that is quite simply the HFS+ support. The iPod is basically an HFS+ portable file system. That's a Mac native file system. That's not to say Linux can't handle it, Linux can handle HFS+, okay? But it's not native on Linux, and Windows with HFS+, well, just forget about it, alright? But the bottom line is most of the time you're going to want to be using a Mac to actually pull these things apart. Alright, now one of the things that a good investigator has to sort of figure out, and this is, this is all part of the big puzzle is, alright, I've got an investigative platform, what do I actually have to do to keep from tampering with the evidence that's on this thing? Alright, and one of the things that needs to be considered is the fact that when you slap up, when you slap an iPod into a Mac, you connect it up.
One of the first things that happens is this, this daemon, this disk arbitration daemon actually latches on to the iPod. This is the daemon that actually causes things like iTunes to launch and the contact lists to update and all that stuff to sync. Well, from an investigative standpoint that's bad news, alright? You don't want, you don't want your investigation machine tramping all over this iPod and destroying evidence. So one of the first things you need to do is you need to hammer this daemon. Now, this daemon automatically restarts when you kill it. Okay, so actually what you have to do is you have to take this daemon and you have to change mode it to zero, zero, zero, physically change mode the binary in sbin and then kill it. Okay, now once you do that you get to the point where you've got a device that you can actually hook up to a machine and start looking for evidence. Alright, but we're not exactly there yet. One of the other things that we need to do is we need to hook this thing up so that it's in sort of a read-only mode. Okay, and that takes a little bit of work as well. Just killing the daemon that automatically connects to this thing and launches iTunes isn't going to be enough. So we need to get it into sort of a USB disk mode. How many of you have been inside an iPod's diagnostic mode? Show of hands. Okay, how many of you have actually used an iPod? Okay, quite a few. This diagnostic mode is key to actually pulling stuff off of the iPod without totally hosing yourself in court, and this is a third generation iPod. The way this thing works is slightly different, and I know this looks like a cheat on like a PlayStation or something, right? So you power it off, you hold down the forward, the backward and the center button, select, and release them all at the same time. If you do that, you get the cheat code, all right? And the cheat code is diagnostic mode. You get a menu that looks something like this. It's got a bunch of different options.
One of the things that we're going to hit is we're going to hit USB mode inside the iPod. After we reboot, we get a screen that looks like this. All right, at this point, you sort of have a choice between treating this like a FireWire device and a USB device. I'm going to fly through the boring stuff. Once you get all that done, you get a screen that looks like this that basically says I'm in disk mode. So the iPod is no longer an iPod. It's basically a disk that's about as close to read only as you can get. Now, the reason I'm dragging you through all this boring stuff is most people don't realize how difficult it is to actually be an investigator, to be one of the good guys, to actually go through all this stuff to try to catch, well, people like you. But the bottom line is the good guys are pretty smart too. Not that I'm choosing sides here, and they're not nearly as dumb as we paint them out to be. Simple fact of the matter is they will go through this process to actually get to your stuff that's on the iPod. So the question becomes what exactly can be on an iPod? Here's a file listing. The iPod actually just shows up as another device on the machine. So we mount the device, we do it, do a listing. Can anybody see anything interesting about this file listing? Anything that stands out? Next time answer slower so I can swallow. Yeah. Yeah, there's a Knoppix. There's a knoppix.img file on here. This is a persistent encrypted Knoppix home directory. Those of you that use Knoppix realize what this thing is. Well, the bottom line is, yeah, you can absolutely put whatever you want on this iPod as a file. But one of the things that gets really interesting is when you start using the iPod for other things, for example, booting it, booting from it as a device, okay, booting from it with a Knoppix CD or booting from it absolutely natively. Actually loading a distribution of Knoppix on it, booting right from the iPod. You've got basically a portable platform.
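As an added example that is not part of the talk: once the disk arbitration daemon has been stopped and the iPod is connected in disk mode, a practitioner still wants proof that nothing from the evidence disk is mounted writable before touching it. The small Python check below parses `mount` output in the macOS line format (the sample output here is constructed, and the device names are placeholders) and lists any volume from the evidence disk that lacks the `read-only` option.

```python
import re

# Added example (not from the talk): confirm that every volume the OS mounted
# from the evidence disk is read-only.  The mount output below is constructed
# in the macOS `mount` line format; /dev/disk2 stands in for the iPod.

MOUNT_LINE = re.compile(r"^(?P<dev>\S+) on (?P<mnt>.+?) \((?P<opts>.*)\)$")


def parse_mount_output(text: str):
    """Return (device, mountpoint, set-of-options) for each recognised line."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line: skip it
        opts = {o.strip() for o in m.group("opts").split(",")}
        entries.append((m.group("dev"), m.group("mnt"), opts))
    return entries


def writable_evidence_volumes(text: str, evidence_disk: str):
    """Volumes from the evidence disk (e.g. '/dev/disk2', including its
    slices '/dev/disk2s1', ...) that are NOT mounted read-only.  An empty
    list means nothing on that disk is writable from this host; anything
    else means the OS can still write to the evidence and the preparation
    steps were not effective."""
    bad = []
    for dev, mnt, opts in parse_mount_output(text):
        if dev == evidence_disk or dev.startswith(evidence_disk + "s"):
            if "read-only" not in opts:
                bad.append((dev, mnt))
    return bad


# Constructed sample: system disk, devfs, one read-only and one writable
# volume from the evidence disk.
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk0s3 on / (hfs, local, journaled)
devfs on /dev (devfs, local)
/dev/disk2s3 on /Volumes/IPOD (hfs, local, nodev, nosuid, read-only, noowners)
/dev/disk2s2 on /Volumes/IPOD2 (hfs, local, nodev, nosuid, noowners)
"""

if __name__ == "__main__":
    # On a real host you would feed in subprocess.run(["mount"], ...) output.
    for dev, mnt in writable_evidence_volumes(SAMPLE_MOUNT_OUTPUT, "/dev/disk2"):
        print(f"WRITABLE: {dev} mounted at {mnt}")
```

The check is deliberately strict: a volume that is simply absent from `mount` output is fine (not mounted at all is the goal after the daemon is stopped), but any volume from the evidence disk that appears without `read-only` is reported.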
It's got all your attack tools on it. You can use it just like any other machine. Hook it up, boot, and you go. Where's Tyler? Is Tyler here? Where's Tyler? Stand up, Tyler. Thank you. Everybody give our newest goon Tyler a big round of applause right there. Alright, now that I've absolutely embarrassed her and she's going to hide from all of you. Tyler actually submitted a talk that had nothing to do, that had everything to do with iPods. It was just about iPods and all the cool stuff you can do with them. She's actually got a Shuffle that she can boot from that boots Knoppix but also comes up in iTunes natively so that it can have music running from it, attack tools, the whole nine yards. Yeah, with a little device the size of a stick of gum. Okay, it's pretty cool stuff. Show of hands how many people would have been interested in a talk like that. Cool, thank you. Alright, anybody that's on the review board take note. Alright, I've done my plug. Okay, there's obviously other stuff that's on an iPod. This shows a screen from an AAC file, just a music file. Okay, but those of you that have messed around in the AAC space know that you can absolutely use these things and lock them down so that you have to authorize them on various machines and all that. Well, the thing that's interesting from an evidence standpoint, remembering we're supposed to be Uber Agent here trying to catch that guy, oh, I'm not going to point at him. That bastard Newt, who's ultra paranoid, is that we need to look in places like music files on an MP3 player in ways that are not necessarily standard. For example, you can see when I launched this AAC file that the registered email address pops up. This is the user that actually purchased this song. It's the email address that they used. So yeah, you can pull out email addresses from the music files as an investigator and use those for more leads.
Okay, the other thing that's often overlooked and I know this is old news, but metadata inside the files. You get a music file, you get any kind of file, there's a potential for metadata, you can have all sorts of stuff in here. Anybody see anything odd with this one? Wow, you guys are good. Yeah, the comments field. There's been a lot of work done recently in covert channels. A good friend of mine, Russ Rogers, is doing the hacking, the terror network book, talks about covert channels and things like that. The simple fact of the matter is, as bad guys, I'm not generalizing, but yeah, as bad guys, you know perfectly well that you can use covert channels just about anywhere. Music files are no different. A really good investigator is going to actually look in those files to see if there's anything that's out of the ordinary. And this is just one of the spots that he's going to look. All right, also the normal stuff that would be on an iPod, you can have your contact list, you can have your calendar, you can have all that stuff. This is just an example, but yeah, your address book syncs to it, so an investigator is going to pull all that stuff off. Yada, yada, yada. All right, other things about MP3 files in general is a lot of them use the metadata to store information about last time played and all that kind of stuff. All that stuff is going to be on there. Also if the investigator is really good, one of the things he's going to do is he's going to take all the music files, he's going to run hashes against them. And if there's peer-to-peer software on the machine, the bad guy's got peer-to-peer software, he's actually in some cases going to check the file hashes of the same songs on a peer-to-peer network to see if the file hashes match. You know, if you've got somebody that's just pirating music, there's a good chance that these hashes are going to match. If the investigator finds a song whose MD5 summer, I'm sorry, you don't use MD5 anymore, thanks Dan. 
Your SHA1 hash doesn't match. It'd be something worth looking at. All right, digital cameras. Obviously, I'm doing some of the more obvious things first because, you know, investigators are, you know, we're just going to do real obvious stuff. Digital cameras, absolutely they're going to be picked up. What about the images that are actually on these cameras? Well, first of all, yeah, there are images on digital cameras. Hello. You know, I think a lot of investigators and a lot of the good guys actually forget the fact that they're pictures. They're not just data. So the simple fact is actually looking at the pictures themselves to try to pull out evidence from the images themselves is a good idea. For example, here's an image with all sorts of metadata. I know it's probably very hard to read, but can anybody tell me what's wrong with this picture? What was it? There's lots of network cables, yeah. Let me give you a little bit of a hint. The date time stamp on here shows the time as being approximately four in the morning. Absolutely. Shouldn't be daylight. Okay, the simple fact of the matter is there should not be daylight at four o'clock in the morning. And the question is what does that mean? Okay, as evidence. You know, could mean a lot of things. Could mean the date time stamp on the camera is broken. What if the date time on the camera is right? It's right. The picture was taken in a different time zone. So it's things like that. The actual time on the digital camera you can't pull off. You actually have to look at the digital camera itself and figure out what the time is set to. This was actually used in one of the books to catch somebody that was, and this was the Stealing book, to actually figure out that somebody took the picture in another country. Okay, and so the investigator actually picked up on that and went, okay, what are my choices? What countries is this daylight? Let's narrow it down. Let's cross-reference it. Yada, yada, yada.
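Before moving on to the camera material, here is an added example (not code from the talk or the book) of the music-file triage described above: hash each file with SHA-1 and compare against a reference set, and pull the ID3v2 comment (COMM) frames out to see whether the comments field is carrying something other than a comment. The ID3v2.3 builder, the sample files, the reference hash set and the "suspicious comment" heuristic are all constructed here for the demonstration.

```python
import hashlib
import re

# Added example (not from the talk): triage music files by SHA-1 comparison
# and ID3v2 COMM frame inspection.  Every sample file below is built in
# memory so the script runs offline.


def sha1_hex(data: bytes) -> str:
    """SHA-1 of a file's bytes, the hash the talk suggests comparing."""
    return hashlib.sha1(data).hexdigest()


def _syncsafe(n: int) -> bytes:
    """ID3v2 tag size: four 7-bit bytes."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def _unsyncsafe(b: bytes) -> int:
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def build_id3v23(frames) -> bytes:
    """Minimal ID3v2.3 tag from (frame_id, payload) pairs; used for samples."""
    body = b"".join(
        fid.encode("ascii") + len(payload).to_bytes(4, "big") + b"\x00\x00" + payload
        for fid, payload in frames)
    return b"ID3\x03\x00\x00" + _syncsafe(len(body)) + body


def comm_frame(text: str, desc: str = "", lang: bytes = b"eng") -> bytes:
    """COMM payload, encoding 0 (ISO-8859-1): enc, lang, desc NUL, text."""
    return b"\x00" + lang + desc.encode("latin-1") + b"\x00" + text.encode("latin-1")


def parse_id3v2_comments(data: bytes):
    """Text of every COMM frame in an ID3v2.3 or v2.4 tag (empty if no tag)."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []
    major = data[3]
    end = min(10 + _unsyncsafe(data[6:10]), len(data))
    pos, comments = 10, []
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":  # padding: no more frames
            break
        raw = data[pos + 4:pos + 8]
        fsize = _unsyncsafe(raw) if major >= 4 else int.from_bytes(raw, "big")
        payload = data[pos + 10:pos + 10 + fsize]
        pos += 10 + fsize
        if fid != b"COMM" or len(payload) < 4:
            continue
        enc, rest = payload[0], payload[4:]       # skip encoding + 3-byte language
        if enc in (0, 3):                          # ISO-8859-1 or UTF-8
            _desc, _, text = rest.partition(b"\x00")
            comments.append(text.decode("latin-1" if enc == 0 else "utf-8", "replace"))
        elif enc in (1, 2):                        # UTF-16 with BOM, or UTF-16BE
            parts = rest.decode("utf-16" if enc == 1 else "utf-16-be", "replace").split("\x00", 1)
            comments.append(parts[1].lstrip("\ufeff") if len(parts) > 1 else "")
    return comments


# Heuristic (an assumption for this example, not from the talk): a very long
# comment, or a long unbroken run of base64-style characters, deserves a look.
BLOB = re.compile(r"^[A-Za-z0-9+/=]{40,}$")


def comment_looks_suspicious(text: str) -> bool:
    return len(text) > 200 or bool(BLOB.match(text.strip()))


def triage(files: dict, reference_hashes: set) -> dict:
    """Per file: is the SHA-1 in the reference set (e.g. hashes of the same
    songs seen elsewhere), what do the COMM frames say, and do any look odd."""
    report = {}
    for name, data in files.items():
        comments = parse_id3v2_comments(data)
        digest = sha1_hex(data)
        report[name] = {
            "sha1": digest,
            "hash_known": digest in reference_hashes,
            "comments": comments,
            "suspicious_comment": any(comment_looks_suspicious(c) for c in comments),
        }
    return report


# Constructed samples: one ordinary comment, one comment carrying a blob.
FAKE_AUDIO = b"\xff\xfb\x90\x00" * 64  # stand-in for MPEG audio frames
NORMAL = build_id3v23([("TIT2", b"\x00Track one"), ("COMM", comm_frame("ripped 2005"))]) + FAKE_AUDIO
BLOB_TEXT = "U2VjcmV0IHBheWxvYWQgaGlkZGVuIGluIGEgY29tbWVudCBmaWVsZA=="
HIDDEN = build_id3v23([("TIT2", b"\x00Track two"), ("COMM", comm_frame(BLOB_TEXT))]) + FAKE_AUDIO
SAMPLE_FILES = {"track1.mp3": NORMAL, "track2.mp3": HIDDEN}
REFERENCE_HASHES = {sha1_hex(NORMAL)}  # constructed: only track1 is "known"

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_FILES, REFERENCE_HASHES).items():
        print(name, finding)
```

On real files, `parse_id3v2_comments` would be fed the first few kilobytes of each file and the reference set would come from hashes collected elsewhere; an unknown hash on a file whose comment frame holds a blob is exactly the combination the talk says is worth a second look.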
Another plug for Stealing. Thank you. All right. A little bit more about EXIF stuff. Are the date times consistent with the pictures? There could be potential for thumbnail inconsistencies. You look at a picture, you look at the embedded thumbnail. If it's been processed in some sort of imaging program that didn't update the thumbnail, you can see the inconsistencies there, all sorts of stuff. All right. Now, I know these are very hard to read, but there's two images here. Can anybody tell me what's different between the two images? Good. Sizes, right? The create time and dates are different. The stamp on the camera software has changed. Okay, it's gone from, you know, being an actual camera stamp to being a Photoshop stamp. So, I know this is old stuff. Okay, but the bottom line is the good guys are actually going to be using these techniques to figure out if you've processed an image outside the camera, modified it in any way, etc., etc. All right. Now, this one's easy, so it's not for a book. Not for a book. Sorry. Okay. No, it's not the USB. Sit down. For a book, where's the evidence? It was very bold and you get a book. Come on up. Very nice. You get the idea how this game works, right? Yeah, there's a USB there. There's a PowerBook sitting there. Yeah, it's real obvious places to look for evidence. But yeah, there's a phone in the picture. Okay, and it's, you know, just a normal phone that you'd find on the desk in just about any office. But the simple fact is that there's possible data inside this phone that might not show up in things like call logs. For example, you dump the PBX logs. There's all sorts of stuff jammed in the redial. For example, in this, you know, I wasn't going to show you any real PIN numbers. I dial up a number. I put in a PIN number. It's actually captured inside that redial info. By playing with the phone, you can get that information out. It might be lost in a call log. All right.
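An added example, not from the talk, covering two of the EXIF points made above: the "daylight at four in the morning" reasoning (if the camera clock is right for its home zone, which time zone offsets would put that moment in daylight?) and the check that an image's Software and modification stamps still look like they came from the camera. The tag dictionaries below are constructed (a real extractor would supply them), the maker name and firmware string are placeholders, and the daylight window and the "firmware mentions the maker" rule are assumptions made for this example. Thumbnail comparison is not covered here.

```python
from datetime import datetime, timedelta

# Added example (not from the talk): consistency checks on EXIF-style tags
# handed over as a dict.  Sample dicts are constructed, not from any photo.


def parse_exif_datetime(value: str) -> datetime:
    """EXIF stores timestamps as 'YYYY:MM:DD HH:MM:SS' with no time zone."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S")


def candidate_offsets(camera_time: datetime, home_offset_hours: int,
                      daylight_window=(6, 18)):
    """Assume the camera clock is correct for its home zone (UTC offset in
    whole hours) and the frame shows daylight.  Return every whole-hour UTC
    offset at which the local hour falls inside the daylight window.
    The window and the whole-hour grid are simplifying assumptions."""
    utc = camera_time - timedelta(hours=home_offset_hours)
    lo, hi = daylight_window
    hits = []
    for offset in range(-12, 15):
        local_hour = (utc + timedelta(hours=offset)).hour
        if lo <= local_hour < hi:
            hits.append(offset)
    return hits


def software_indicates_editing(tags: dict) -> bool:
    """Heuristic (assumption): camera firmware strings normally name the
    maker, so a Software tag that does not mention Make (e.g. an image
    editor's version string) suggests processing outside the camera."""
    make = tags.get("Make", "").strip().lower()
    software = tags.get("Software", "").strip().lower()
    if not make or not software:
        return False  # not enough information to say either way
    return make.split()[0] not in software


def timestamps_inconsistent(tags: dict) -> bool:
    """DateTimeOriginal is set at capture; DateTime is rewritten when the
    file is modified.  A difference means the file was touched after capture."""
    try:
        original = parse_exif_datetime(tags["DateTimeOriginal"])
        modified = parse_exif_datetime(tags["DateTime"])
    except (KeyError, ValueError):
        return False
    return original != modified


def review(tags: dict, home_offset_hours: int, shows_daylight: bool) -> dict:
    """Bundle the checks into one finding per image."""
    findings = {
        "edited_outside_camera": software_indicates_editing(tags),
        "rewritten_after_capture": timestamps_inconsistent(tags),
        "daylight_offsets": [],
    }
    if shows_daylight and "DateTimeOriginal" in tags:
        findings["daylight_offsets"] = candidate_offsets(
            parse_exif_datetime(tags["DateTimeOriginal"]), home_offset_hours)
    return findings


# Constructed samples.  ORIGINAL mirrors the talk's case: a daylight scene
# stamped about four in the morning.  EDITED is the same frame after an
# imaging program rewrote it.  Maker and firmware strings are placeholders.
ORIGINAL = {"Make": "Acme", "Model": "Acme DC-100",
            "Software": "Acme DC-100 Ver1.00",
            "DateTimeOriginal": "2005:06:10 04:02:31",
            "DateTime": "2005:06:10 04:02:31"}
EDITED = dict(ORIGINAL, Software="Adobe Photoshop CS Windows",
              DateTime="2005:06:12 21:15:07")

if __name__ == "__main__":
    # Assumed: the camera's clock was set for a UTC-4 home zone.
    print(review(ORIGINAL, home_offset_hours=-4, shows_daylight=True))
    print(review(EDITED, home_offset_hours=-4, shows_daylight=True))
```

With the camera on a UTC-4 clock, 04:02 local is 08:02 UTC, so the daylight check keeps offsets UTC-2 through UTC+9 as candidates and drops the home zone itself; that is the "narrow it down, then cross-reference" step, and it only holds if the camera's clock is actually right, which is why the talk insists on reading the time off the camera itself.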
Other things that you can get, you can get park settings, in dial forwarding, all sorts of information. Again, this stuff might not necessarily show up anywhere else. If the desk phone is forwarded to a cell phone, the phone itself might be the only place to actually get that information. So good investigators are actually going to consider this stuff. Speaking of phones, cell phones, most of you guys know this stuff, but just for, you know, completeness, cell phones have cameras in them. Obviously, you've got images in them, yada yada yada. A lot of them have SD or mini SD cards inside of them. Those SD cards should be removed. It's not necessarily the same as a SIM card. There could be other stuff that's on there. How many saw Mudge's talk this morning? Show of hands. All right. One of the things that I found very interesting, a couple things I found interesting about Mudge's talk was he pulled out his Sidekick phone. And one of the things that he revealed was that, when he basically lost his phone and got another phone, all his images and all his phone lists were automatically populated back down to his Sidekick. Brand new phone, brand new SIM card. So the images actually went out to the website and once he re-registered they came back down to his phone. Bottom line is, this is fairly transient stuff that might be hard to pick up any other way. All right. Printers. Printers are often overlooked. Let's take a look at some of the ways you can actually pull evidence off of printers. One of the things an investigator has to consider, especially an investigator of the caliber that's required to catch somebody like Newt, is that every piece of evidence is absolutely critical. Okay. You can't mess around with destroying evidence. So one of the things that you have to consider is the fact that simply printing a page off of a printer could potentially destroy evidence. Some of the things that you can do, you can actually pull data off the transfer drums.
If you're like incredibly paranoid or you have access to electron microscopes, you can pull data out of actual semiconductors. You can do all this scientific stuff. Okay. But even if you're not that desperate, there's a lot that you can do right from the LCD menu. So for example, here's the information menu on a LaserJet printer. You can go in there, you can actually print off the event log to see what events actually happened on the printer. When the toner died, when there were paper jams, all that sort of stuff, get documents that look like this. One of the things that you can see is time and date stamps on all the events on the printer. A lot of those events can't happen unless somebody's actually at the printer. Okay. So a good agent is going to use this stuff to actually correlate time, you know, to see, okay, was the guy in the office at this point? Was he at the keyboard? Does that correlate with forensics logs that we have off the wire, etc., etc. The other thing is there's lots of stuff that you can do, and I'm really skimming, so I'm trying to keep this, you know, fairly interesting. You can do a lot from the LCD screen itself without printing. Like, you can actually view the event log from the LCD screen without printing. So you go through the information menu, and even though it's a little bit cryptic, you know, an agent can use the LCD screen to actually write down the event log itself and then translate all this information into, you know, real stuff. The other thing is a lot of printers have web interfaces. Yes, I ripped this from one of my Google talks, but yeah. And yeah, there's the Google query in the top that found the example. And the little oval button that says configuration wizard. But anyway, that's the Google talk. I'm doing a different talk now. Where am I? Who are you people? But anyway, yeah, you've got web interfaces on printers. You can connect to them. You can get lots of information off of those.
This printer, for example, this Ricoh, it actually queues up print jobs through the web interface. You can go into the web interface and actually get print jobs off of that. Again, good evidence from an investigator's standpoint. A couple more things. Fax machines are often overlooked because of the fact that most of the time an investigator is going to get call logs. You know, they'll go to the PBX, they'll actually pull back the call logs. Fax machines themselves can absolutely contain evidence. Again, we're at an LCD screen thing where you can actually go in and get time date headers, company name. Again, you can see that bastard, Newt. You can see fax functions, phone numbers. You can see all sorts of stuff. Again, just by going through the LCD menu. A lot of times investigators tend to pass by these devices. Investigators these days are getting better and better and even pulling evidence off of these. All right, some more stuff. The phone book entry can be pulled off in transmission reports. Again, date, time stamps, places that were called, produce reports that look like this. So you've got the number that was called, the duration of the fax, the number of pages, all sorts of stuff. All right, faxes and multifunction devices. Multifunction devices, you know, printers, fax machines, copiers, all that stuff. They pretty much act the same way. It's a printer, it's a fax machine, whatever. The bottom line is that device can contain evidence. And this is a talk in and of itself. But, you know, everybody pretty much knows that network devices themselves can contain a lot of data. You know, you got a Cisco, you got, you know, a wireless device. Those devices can contain information. Network devices actually played a critical role in figuring out exactly what Newt was up to.
Because even though the guy melted down his hard drives, used a belt sander on his CDs and got rid of all his disposable media stuff, the removable media stuff, he left behind the actual desktop machines and his network gear and his printer. Okay, so at that point an investigator has to, you know, friggin catch the guy with just what's left over. Okay, now this is, this is going to be fun. Our next slide is for a book. All right. And I'm going to push the little button here and see if you can find the evidence. Who said that? Come on up. What's that? Oh, man. That's excellent. Yeah. Fingerprinting model glue from none other than Mudge. Thank you, sir. Come on up. Do you have something to drink? You should be, you should be just sitting up here. So everybody welcome Mudge. And no, he hasn't been sniffing model glue. Yeah, that was excellent. Whoever jumped out of their frequency right there, dude, you are the man. Yeah, look at all this stuff. All right, you got USB drives, you got PDAs, you got all this stuff, you got CF cards, you got all this crap all over here. Well, let's clear the table. And where's the evidence now? Yes, those are breath. No, no, that wasn't for a book. I like this. We're going to get like the wave going. This is going to be hot. All right. Yeah, those are breath strips. And no, that's not the evidence. But yes, this happens to be a USB watch. Hook this puppy up to a machine. It's actually got USB storage. Okay, a decent a decent agent is not going to overlook something like a watch. They're actually going to pick this stuff up going to pull the data off of it. Holy crap. Come up here and say that. I just pointed out if it was actually a mechanical watch at any point on the inside that based upon the spring expansion, you could figure out roughly the date that it was created and be able to go back to figure out when they were sold. Thank you. All right, I've been told that I can talk as long as I want. 
No, unfortunately, the mob can't speak for my day job, which would absolutely get rid of me if I was on the TCP/IP drinking game. But thank you for the invite. Can call me a wuss if you want, but I'll be watching safely from the front row. Or thank you. I'll be cheering for Mudge, though. All right, here we go. This is, this is for a book. Yeah, we're OK on books. All right, everybody ready? Getting what did you say? Come up here. He stood up boldly and he proclaimeth. Penn, very nicely done. Pick a book. Oh, that is my Blockbuster card, isn't it? And my yo-yo, I have yo-yo skills. I do. Maybe if we're killing time, I'll do some yo-yo kung fu up here. All right, yeah, absolutely. The bottom line is USB pen devices. They're a lot more common than you think. You get a drawer filled with junk like this. There's going to be crap that's hiding in the crevices. OK, if you got to, if you got to, you know, ThinkGeek shop in full that you're trying to catch down, he's going to have stuff like this. And you can figure out how much ink is in it and do an analysis to figure out how long he's been. Where do you come up with this stuff? This is why I would never be on a TCP/IP drinking game against this guy. That's true. That's true. All right. Yeah, good stuff. All right, let's, let's do another one for a book. You guys ready? It's right over here. I heard it. Yes. Lo and behold, it is the duck. Yeah, baby. That was very nicely done. Oh, and all you people that were just calling out without standing up, do not think that that will get you a book. That's not the enthusiasm I'm looking for. We're down to, we're down to two books. So I think I might skip this one and make this one a freebie. Yeah, we're going to skip this one and make it a freebie. All right. It's not for a book. You can stay seated. Fluoride. What? You USB Clorox sounds definitely like something Mudge would have said. It does look like the Unabomber was there. USB TP comes. Here it comes. You ready for it?
Ready for it? Here it comes. Oh, what is it? USB flashlight. Yes, this is an embedded USB digital camera flashlight combination. Yeah, Uber Agent is going to pick that stuff up. Let's take a look at this one. I really got to spread these books out here, man, because I got a lot more slides. All right, this one, this one, this one's not for a book. It's just, it's just kind of fun. Can anybody find the evidence in this picture? Oh my goodness. You are Uber. Without hesitation, without any hesitation whatsoever, and without the benefit of the zoom, he proclaims Tiki Torch. There it is. Now, this is, this is a very nice Tiki Torch that normally I would tell you to go to a place like ThinkGeek to actually purchase. But ThinkGeek did not think anything of the DEF CON conference, because when I called them and said I was doing this talk and I'd really like to get some pictures of their gear, guess what they said? They said nothing. So buy it somewhere else. Bastards. I borrowed this from a friend who didn't get it from ThinkGeek. OK, you guys are so smart. Let's do it again. Where's the evidence? Nope. The what? Oh, that was nice. From the front row, we have the digital photo picture frame. Yes, USB capable digital photo frames can contain data. It's an excellent spot to hide stuff. Good job. All right. Let's do this again. Where's the evidence? Not the stapler, but he stood. Not the network card. Nice. Right here. The knife. We got it. We got the answer. No, it's not the Microsoft coaster, which most of you should have just taken one look at and gone, there's something suspicious about that. No, it's not Kevin Mitnick's business card, which most of you should have gone, there's something suspicious about that. It is. Actually, there it is. Come get a book. That was worth it. USB Swiss Army knife. Yep, USB Swiss Army knife. I've never seen a USB stapler. Oh, that's, he actually said stapler and he was right. But sorry, that wasn't the answer I was looking for.
I'll give you other swag. We'll do that. All right, you guys ready? This one's for a book. Find the evidence. Do not listen to Mudge. His idea is way too smart. No, there's no evidence here, people. It's a bowl of fruit. You guys are not very good Uber Agents. Oh, it's kind of cool. I wanted to pull a Mudge and answer my phone when somebody was calling me while I was on stage. Go to rock. All right, let's see. I think this might be our last one for a book. No, we'll do it in the next picture. This one's just a freebie. Where's the evidence? Oh, yes. You guys are getting the hang of this. I heard it on the right. Here it comes. Wait for it. Wait for it. There you go. USB camera binoculars. OK, you guys are getting the hang of this. Whole point of the talk is that it takes an interesting outlook on various locations like this to find stuff that could potentially be meaningful. When you've got a world that's filled with digital devices like this, it's going to take a death by 1,000 cuts to catch somebody like Newt. That's what the entire book is about. I hope you guys will check out the Stealing book. Let's do our last one for the book. And we need some enthusiasm here. You've got to stand up here. You're not going to win it. Where's the evidence? Mudge. Who was it? Who was it? In the back that said sushi. Come forward. No, it wasn't Bruce Sterling's Zenith book. It was the sushi. We've got to get the transition work in here. Go with the flow. Nice. Thank you. All right. So anyway, USB sushi. All right. So you guys got the hang of this. That's the idea. Other places evidence can hide. You guys have probably seen most of this stuff. I couldn't actually taunt you by putting these into a picture because most of them are too easy. How many of you have actually seen these Oakley Thump glasses like in person? These things rock. They also look like freaking Vulcan space goggles. All right. So anyway, Newt was ultra paranoid and did everything right.
But in the end, was he busted? I'm not going to spoil it. You'll have to get the book to find out. Stealing the Network: How to Own the Identity, by Syngress Publishing. We're going to do a book signing right after this over at the book booth inside. We've got several of the authors of various books. Specifically, we're going to do ASD, but we'll have lots of folks over there. So if you have questions, see us over there. Thanks a lot.