Welcome everyone. My name is Weasel. This is Simple Nomad. We're probably the two oldest members, obviously he would be, but the oldest members of the Nomad Mobile Research Centre. We've been doing quite a bit of research for quite a few years and never finishing much of it. So here's a few things that we've actually gotten a chance to get through and get to the end with and we'll go through that. All right. Basically, I guess what we were trying to do here with the plausible deniability toolkit was come up with something that basically goes beyond anti-forensics. The big problem with anti-forensics from someone who may be doing something that may get them in trouble at a later date or doing something for whatever reason, anti-forensics has a serious problem with removing possible alibis and basically if you can't prove that you were somewhere else, therefore it's just as feasible that you were doing what you're accused of as opposed to what you may or may not have been doing instead. So we wanted to go through and kind of identify basically a methodology, maybe not that formal, but a methodology to help people come up with a good game plan for doing the things that we like to do without possibly looking like we're doing them. Yeah, and the whole point of this is to basically get you thinking, all right? Basically start you in a thought process that makes you aware of what it is that when you're using the computer, when you're doing what it is, what you do. In a lot of cases, a lot of us as researchers, we do things that maybe on the surface even just look suspicious even though we're well within our legal rights to be doing so. And then when you start talking about perhaps you're traveling internationally or something like that, going into extremely hostile environments, then you've got a completely different scenario there. 
So we wanted something kind of broad in general and we're going to delve down into I think enough detail that's actually going to hold your interest. And a lot of these methods are very useful for people trying to expand their skillset while they're at work, so that's what we'll definitely hope to find some room here. Okay, clarifications. This is not a rolled toolkit in the classic sense. Really, I guess what we were looking at is verbiage that actually fit for what we were doing, but it's not really a downloadable set of tools. Obviously the big problem there is that you create a fingerprint when something is downloadable and pre-rolled and does specific functions or has a specific function. What we wanted to do was move towards something that would have legitimate uses, something that is dynamic and just methods that work without actually saying this person is trying to hide what they're doing. Yeah, if we had a tarball of the plausible deniability toolkit.tgz and then you download that and someone finds that in a forensic investigation on your laptop, any type of alibi legitimate or not would probably go away at that point. And we do understand the entertainment value of creating such a toolkit and seeing all the idiots get popped for it, but we thought we would try and watch people's back this time around because, yeah, I can't imagine just how fun that would be just to see how many people get fired because web sense updated their hacking category to include the URL to any kind of plausible deniability toolkit. So it's like how to murder my wife Google searches. It doesn't work. You don't do it. It's not right. Murdering your wife. Okay. Don't search on how to do it. Okay. EFF has a booth. I recommend finding it. They're right there. Oh, there you go. EFF's right there in the room. Uh-oh. My wife. We'll use that term. It's just, you know, a significant other. Someone who drives you fucking crazy. Just whatever. It doesn't have to be female. 
It doesn't, whatever. All right. So as I've already gone over, PDTK is not anti-forensics, although it does use many of the, you know, it could visibly use many of the methods used in anti-forensics, but don't get the two confused. The two are the same. Let's see. I think we covered everything. Yeah. And I kind of covered the point that, you know, when you just take an anti-forensic mentality when you're doing the things that we do, as I said, you really cover up alibis. You really cover up a lot of very important information you might want to leave behind that you would like to be there. So, okay. By the way, our goal is to get heckled by the EFF on almost every slide. So, just so you know. Let me get my take-shoot going in. All right. The objectives: provide methods to use, to the users to reduce threat of incrimination, obviously. We'll go pretty quick through the first few slides or just to make sure that we get the points out that we want to get in the beginning. Bring forward technologies for legitimate uses such as protecting activists and whistleblowers that have most likely been used in the underworld for years. Yeah, but most of the technologies and stuff that you would use in plausible deniability are not new technologies. You're not going out and looking for new tools. You want to use old tools. You want to use established tools. You want to use legitimate tools. Why would you go through and say, you know, download, I didn't do it.bin? And it's, you know, it's obvious you did something wrong. You're doing something wrong or shouldn't be doing what you're doing. So, let's see. Yeah, specifically that. No, let's go ahead. Let's keep moving. Okay. There's some concepts for PDTK such as data generation, specifically like logs, deleted files, fun stuff like that where you basically go through and create files. Go through and create files that give the appearance that something happened as opposed to what actually may have happened. 
And this is kind of a tricky, this is kind of a tricky, you know, tight wire to walk because if you're going to actually go to the trouble to construct actual evidence that you think is going to exonerate you. In theory, it's got to be above your current skill set. Absolutely. Absolutely. You don't want to claim the hacker defense. If you're a hacker simply because, you know, and we'll get into that a little bit later. We'll go into more details there. Data tampering, you know, altering data to get it to twist and twist the bits a little bit and make the data more in your favor instead of against your favor. I can be saying anything from, you know, editing wtmp, the stuff that we've been doing for years, all the anti-forensic stuff and so forth, all the way to tampering data on other people's machines and maybe pointing an investigation in a different direction than yourself. I want to make a couple of points on this. When we're talking about pointing things in different directions and whatnot, just to kind of really start to bring this home. What we're talking about here is what we refer to as lost keys syndrome. And that is if you've lost your keys and then you find them in the living room, then you usually stop looking for your keys at that point. It's always in the last place. Yeah. You don't start going, you know, I think I'm going to check the kitchen just to make sure. Because you've already got them. And what happens in a lot of cases during a forensics investigation is that once they find what looks like the evidence that they are wanting to find. Which you didn't do. Then that's where the investigation will probably stop at that point. Because they've got like huge caseloads and there's always tons and tons of work for them to get through and they're going to go through these things in a big hurry. Okay. Let's go through a little bit more specifics of the tools we wanted to bring out here. Forensics tools and books alone are bad. 
This is like if you've got, if the only thing that you've got at your house, if you're doing bad stuff, you know, like is a whole bunch of tools and books on anti-forensics. And someone comes and kicks in your door, then it's going to be, oh, well, look at that. That's the kind of stuff that we'll be taking in, taking in as evidence. What's sad about this is if you're doing stuff that's actually legitimate work, okay, this could still possibly be used as a, what's I guess referred to as indirect or circumstantial evidence as opposed to, you know, I mean the book didn't commit the crime. You know, but nonetheless the book is suggesting that you, just because you're in this particular mindset. So, I mean, another one specifically is talking about the books also like it seems to me that it would be pretty much normal in this case for everyone here that we collect a lot of security books and whatnot. So we're going to have, you know, a pretty big library and it would not be beyond the stretch of, you know, the imagination that you're going to actually have some forensics books. Maybe some anti-forensics books you will have stuff in there. As far as your collections of tools, I mean, if you're focused specifically on forensics and anti-forensics and that's all you have, that could potentially look bad. Now having something like, and I've seen this a lot here, is a BackTrack which is fairly popular and it has some forensics tools on there. Being in possession of that BackTrack CD or the distro and have it, you know, put it on your heart, you put it on your hard drive or whatever. That's not too unusual, particularly if you're doing research, if you're a pen tester, that type of thing. This is something that would be considered a part of your arsenal for you to actually do your legitimate job. Yeah, and if you've got forensics and anti-forensics books in your library, don't highlight methods that you'll be using. I mean, just to give me, these are your slides. Yeah. 
There are a lot of tools that already exist on the systems that you can use. You know, there's various things, like I mentioned, like hex editors, dd. There's a lot of different tools that if you start looking and playing with and saying, OK, well, I know this is how this particular tool works. I know this is how these types of forensics tools work and really learn how these things actually happen. You get kind of a real feel for what you can do. Now the whole idea here is that, you know, you've got control of your system. You have physical control of your computer, correct? So you should be able to, at that level, at a very low level, be able to make changes on their very, very low level type stuff. Now if you're able to do that and you understand how the forensics tools work, you can conceivably control the flow of the forensics investigation. OK. You see, that's roughly the point we're getting at here. You're controlling the flow of the investigation. Absolutely. Yeah, let's back up one slide. Yeah, I mentioned here like fsck, OK, on here. And this basically, what fsck normally does on most systems is it's looking for, to make sure that the inode stuff are all, they won't have orphans and it's basically looking for a parent. And a common old school thing was to, you're going to take in, you're going to create basically loops between inodes and when it's time to get to that data you've hidden, then you reconnect things and then now you can get to it and then maybe you undo it and hide it again. This can work both ways. Maybe that's something that you may want to leave in place and there's something in there that's like, you know, evidence of a rootkit is hidden in something like that where all of a sudden where, and you leave it there where a forensics investigation may or may not uncover it. 
And we'll get into that a little bit deeper where the, you know, the defense forensics investigator may find something and you may want him to find it as opposed to the prosecutor or whatever. But I mean, but you want it to be found, that kind of thing. Keep that in mind when we're talking about these types of techniques where you're squirreling away various bits and bytes on your systems. Right. And if you're trying to guide that investigation and whatnot, the last, you want to have the mentality that you want it to be found, but don't hide it so well that it can't be found and don't make it so obvious that it's obvious what happened. The last thing you want to be doing is directing any kind of investigators verbally or in any other manner after the fact on how to find this data, right? Don't go through and try to direct the defense team on, well, if you look in this location, you might find that maybe I was compromised. It's just, it's not going to work. That kind of gives it up. Right. Which, you know, that basically pretty much, you're done. Another interesting one, I don't know how many people here saw Matt Conover. He did a presentation called Profiling Rootkits and Malware Through Executive Objects. This is a Windows thing. This is a really, really interesting, it was basically a method for modeling actions and stuff going on on a Windows system. The purpose of it was by modeling what's going on, you can actually detect rootkits. The thing is, is that this could obviously be extended to actually be the rootkit itself. Kind of like the, it's like a rootkit, a little bit different layer that you go in there with. This is the kind of thing where I would encourage, if you're really wanting to squirrel away something and hide it, this may be a thing you may want to do. 
Now, if you're hell-bent on doing something goofy, or let's say you're going to be traveling overseas into hostile territory and you don't want evil government, whatever, to be stealing your laptop and getting all your zero-day, then maybe you want to... Canada. Yeah, Canada, you know, because they're out to get us, okay? We know, we got NMRC members that are Canadian and they're, you know, it's fierce and ugly. But nonetheless, I mean, you want to make sure this stuff is safe. The stuff in there might be a good idea. And at the same time, if you've got this rootkit in there that legitimately you install it, you know, today, and then let's say in two years or so, you're going to CanSecWest and the Mounties grab you, okay? And they do the forensics on your laptop. Maybe things have caught up and now this type of, you know, these executive objects rootkits are now detectable, okay? And now it's detected, now it's there, and there you have it. Particularly, and we'll give this a little bit more, particularly if your core skill set is in, you know, Linux, but you're taking the Windows laptop because you're doing a presentation at a conference, for example. Not that we're saying that there's anything on this laptop and we didn't do anything bad. And I don't know anything about Windows. Yeah, we don't know anything about Windows at all. Okay. Legitimizing tools, we kind of touched on this already. And I think we actually probably don't even need to stop on this slide, but absolutely legitimize your tools. Your tools that you have in your possession have to have legitimate function. Do not, do not, do not. That's all I can say. And this, again, this applies whether you've done anything bad or not. Which you didn't and won't. Correct? Oh, yeah. Yeah, we, there's really no reason for this slide in the presentation. I did mess with the gamma to bring the dark areas up a little bit, but it was not pleasant. Bruce, are you in here? Is Bruce here? No. Good. 
We got more slides. We'll show you later. Yeah, it's great. Okay, distribution. This gets a little touchy. How do you get the functionality and the methodologies and all those fun things out to people who want to use them without creating a web log that says they're looking for it? We don't quite know yet. We do know where we're going to store them. In the meantime, get them anonymously in any way you can. I noticed there were some kiosks over down the way a bit. If you happen to have a spare credit card that may not be yours, feel free to use it, but I didn't tell you to do it. Oh, absolutely not. I'm sorry? Oh, yeah. The kiosk has a camera. Yeah, there's no cameras in the casino as well. No one will spot that. But if you're going to be doing this, consider using some privacy measures. Even if you're just curious about what this is and you think, well, I'm never even going to need this type of material. We don't have much up there right now. We've got the presentation, including Bruce's crotch up there. But we will be adding a lot more specifically over the next few days once we get past all the partying and whatnot. Use Tor. Tor is a wonderful tool that I encourage everyone to use. It's a good example of a use for it. I'm going to be looking at something that someone else might consider questionable. And you know what? It's my goddamn business if I look at it. I'm not caring what anyone else says. No one needs to know about it. Go ahead and use something like that. And if anyone can come up with some alternate methods, how we might get some of this stuff out. We don't have to talk about it here in this room, but contact us afterward and we can come up with some other creative ways to, as this grows, that we can get more and more information out to people. Right. And I guess feasibly one distribution method would be on some of the other toolkits like, I don't know, maybe BackTrack's a good place to put something like this. 
As long as it doesn't sway the mass opinion that BackTrack would be used to hide evidence or change evidence, cover evidence, whatever. You know, maybe that's where a distribution like this belongs. But if anybody's got anything, please get in touch with us and we'll try and see if we can push that along. Go for it. Yeah. Okay. Yeah, definitely. PDTK definitely has some misuse primarily from entities that may want to set you up. I don't know how to fix that, but it definitely could be used in an evil manner. Specifically, if someone's wanting to, like in a political case where you're in the log somewhere, someone may, I'm not saying that the feds that are here are corrupted in any way whatsoever, or motivated to do anything other than bring us 100% justice. But if someone was on a tight budget and needed to finish a case and you had made enemies at conferences by bad mouthing them and making statements like I just said to them, you know, you might want to watch your back and make sure stuff's not going on. So, you know, do your old school diligence stuff and just kind of watch for things happening like that. You know, even if you've got to modify your tools to look at deleted files nightly and see if anything that was created actually ever existed on the system, stuff like that. Presenting yourself as a dumbass when there's plenty of evidence that proves otherwise is a bad thing. Once again, this is don't use the hacker defense. We will go a little bit more into how that hasn't worked very well in a couple of case studies, but it just doesn't work. You have to be pretty much a 90-year-old living in a shack out in the forest who manages to have a computer with Wi-Fi. I don't know. But to believe it, you know, first of all, I want to believe it. It's just it's not a good thing. So don't ever, you know, as we mentioned, don't try to set up a system that you, that's your caveat operating system or your caveat hardware set. 
You stuff that you're well-known for not knowing. Yeah, it's kind of hard, too, because a lot of people don't know they're dumbasses. And so this is kind of almost an ambiguous thing. It's just, you know, don't present yourself as a dumbass when, in fact, many of you may be, we may be presenting ourselves as complete dumbasses. I mean, actually, considering we're talking about this whole methodology at this point, none of this applies to us anymore. We've kind of, you know, dumbassed ourselves out of ever using any of this stuff in these slides by giving a public presentation on it. And, you know, we've discussed it. It's like, well, you know, but so we're giving it to you. We're going to take the bullet on this one. And we're just going to make sure I'll go in the dunk tank for EFF and, you know, hopefully, you know, that kind of thing. Well, you know, we won't have to deal with that kind of thing. That's at 4:30 outside. And by the way, just so you know, I mean, we'd prefer that you just don't do something stupid, okay? Simply because there's a lot of bright people in here that are doing a lot of, you know, extremely fun and clever things. But if it reaches the point where you realize you're under an investigation of some type, it's too late to start thinking about, oh, I'm going to go ahead and start doing that, you know, that inode manipulation thing, okay? It becomes obvious during, like I say, during a forensics investigation where you've created these inodes on there or you've created files on your system that makes it look like it's got some type of cool rootkit on there. And then the forensics investigator, and they, trust me, I mean, a lot of them are extremely bright, will go through there and they'll take a look at the listing of inodes and look at the date and time stamps. And you may have some date and time stamps on those inodes you just created from six months ago that give you a perfect alibi. 
However, the inode number itself is not even close to the range where it should be, for example. This can happen where it's even close to where it should be for other files created during that same time frame. You see what I'm saying? So you can't necessarily, you know, always rely on that. And I mean, yeah, you can do some really low level type things maybe and get around some of that. Or you can decide I'm going to throw an encrypted file on there of, you know, whatever size every, you know, every so often and then delete it. And I've got an inode there I can use and I can show something there. I mean, you can try, you can get really, but see, that's a lot of work and I know a lot of people don't necessarily want to do that. But I mean, this is something you have to actually kind of keep in mind as you're going through this. Yeah, laziness is your enemy. And I think we covered that first one. Oh, yeah, this is the second one, though. I mean, if you're going through and you're trying to prove that you're, you know, that you're innocent because someone else popped you, I mean, you know, don't have, and you can't say, well, yeah, well, this has happened. I mean, I've actually been owned with my own exploits before. I mean, it's horribly embarrassing, you know, as a, you know, as a, you know, giving a presentation, you know, saying here's this, you know, badass way to break in. And then you find out later, you got owned by that same, same supposed badass way. But typically, if there's something like really cool zero day that you've got, you don't have the source code to that zero day and say, you know, that's probably how that other guy that did it got in and you've got the source code for the damn exploit and, you know, right there in your home directory. Or the web log showing that you downloaded the source code or anything like that. Yeah, I just, you know, it looks, you know, that's not something you want to, you want to have happen there. 
All right, now this is going to be, we wanted to actually, you know, we debated on whether doing demos or not. And we thought this actually was going to be a little bit more interesting. We're going to talk about four different cases. Now our backgrounds, I mean, Weasel's done a lot of forensics work and he's actually worked and helped take cases. You know, he's basically taken stuff and where it's gone to trial and put a bad guy away or whatever. I think mainly child porn. Child pornographic cases. Yeah, and so we're going to take some examples from that. And both of us have done some pro bono work where we've actually helped out some defense expert witnesses to help them fill in the gaps when they hit something that they didn't understand. And so we want to talk about some real cases. There's at least a couple of them that hopefully are fairly well known that you've actually heard of that might be kind of interesting, where we know some of the principal players and we can give you a little bit more background on what happened. All of these have a forensics element that's somewhat interesting that I think will, this is probably, in my opinion, the best part of the presentation because everything we just talked about kind of is going to start to apply. This one is mine. In this one we had a, it was a, the defendant, it was a child porn case and the defendant is wanting to go to trial because he's basically saying, because I'm innocent, I'm not taking a plea bargain, I'm not doing any of this stuff. I didn't do it. And without going into like the other things, like I don't, there was not any other physical evidence. There wasn't like magazines or printed out pictures or anything like that. It basically was files in a laptop. During the forensics, the original prosecution forensics investigation, they collected a lot of data, but again this is one of these things where the forensics investigator, he's got 40 other things to get through. 
He misses that there is a remote access Trojan on this Windows system. And again, also the guy that this happened to, not real computer savvy, okay? So the defense goes to the prosecution because they've got like file listings to start with and they say we want copies of these particular files, the binaries of these particular files. They put in the request, and specifically they're one of the binaries of these Trojans. Shortly after that, the prosecution, and this is right before they are going to trial, the prosecution basically figures out where the defense is probably going to go with this and they go ahead and drop the case, okay? Now this is just to give you kind of a, well here, let's move on to the next one there. Again, defendant was not savvy, all right? So basically if you're doing, if you've done something bad, okay, and you're in this room, this isn't going to work, all right? This is, if you're savvy about this kind of stuff, you can't just leave an old version of Sub7 sitting there on your computer because odds are you probably might have checked for it. I mean, that second bullet is kind of funny, but I don't know, maybe in my jaded way I heavily believe this. Behind every prosecutor, or I guess in front of every prosecutor is a district attorney with a political agenda and their stats actually come into play in their career. So I don't know, maybe I'm wrong on that, but I just really feel that cases get dropped pretty easily if they don't, if they look like it's going to be a chore or they're not going to at least get a plea bargain out of it. Just to give you an idea, in the federal court in the New York area they have a 97 to 98% conviction rate, okay? So essentially, if you get busted, it's going to be bad. You're almost essentially guilty, all right? Which is why we wanted to bring this kind of stuff up. Yeah, and running trials costs money. 
And if you're thinking of a prosecution system that's managed like a business, they're not going to invest money in areas where they're going to lose. Yeah, and again, the other interesting thing about this, though, was that the forensics examiner missed this remote access Trojan and should have caught it. This would be something that, and a lot of times that's one of the things they ask them when they get on the stand. It's like, did you find any evidence of viruses? Is there any type of back door that had been put there by someone? They asked those types of questions, and this guy had missed that. And that probably right there because he missed it was probably why they were going to say, how can you trust the rest of the forensic data? He missed something this obvious, blah, blah, blah, and that's probably the reason. He'll tell it out on the cop car defense. Is this one yours? No, that's the one that's missing. All right, this is a case that I helped out with the defense expert by looking at the evidence and so forth. Basically what the case was was that someone was accused of child pornography, trading it in IRC. More specifically, he was using the old IRC fservers, the DCC stuff to trade and host anonymous trading from anonymous access level where people could access his fserver and download and upload pornography. So he was found fairly easily because he was allowing anonymous access. He wasn't controlling access to the data that he was sharing and it came up. I want to think that he was actually found with maybe some bots, somebody who was running an IRC that was going out and doing analysis on the file names and so forth and actually found him that way. He claims seeing black screens and random text appearing. Those of you who know Sub-7 pretty well, it has a little matrix screensaver where you can black out the screen and put text across the top. Really old stuff. It's just for screwing with people. 
But he basically tried to say, hey, you know, I've got something going on and he was smart enough to not say I've got Sub-7 on my system. He said, I've got something strange happening on my computer. I don't know what it is. But come to find out the guy was extremely technically savvy, understood. It was proven that he understood things quite well. He understood all the components of the compromise on his system and come to find out he actually planted the Sub-7 on his system. So basically here's someone that tried to pioneer the digital plausible deniability and failed and he ended up, I believe, taking an extremely long sentence because of it. Actually, we were talking about this this morning. He actually, he got 10 years for this, which in this case is good. So basically we've kind of the main things about this is that, again, the claims of stupidity, you know, oh, I got hacked. It's not going to work. The hacker defense is not a good defense and it is rarely going to work at all. The prosecutors, if you are going to come up with the hacker defense, prosecutors are probably going to get even more pissed off and be even more venomous because it just irritates the fuck out of them. I believe in this case specifically, the judge that oversaw the trial, saw the hacker defense coming in through that whole bit out and said, I'm not going to allow it. I want to make one other comment because you mentioned child porn in these first two examples and you're probably thinking, oh, we got these two evil long-haired hippies that are helping out child pornographers in their defenses. I mean, everyone deserves a fair trial. But the other thing to keep in mind is that a lot of times the defense expert witness comes back to the lawyer of the defendant and says, you know what? I found all this stuff. He is absolutely 100% guilty. In fact, I found more than what the prosecutor found. This needs to be, you know, there's no reason to even go to trial. You need to plead this one. 
They'll plead it out pretty quick. Simply because, I mean, the attorney is going to want to know if their client is telling the truth. They don't often know. And sometimes this is basically how this ends up playing out is that you've got the defense expert witness that's actually saying, yes, by God he is guilty. And I can think of it in a couple of several instances where a defense expert witness says, I recommend me because all I'm going to do is just make things even worse. And this is not just child porn, but in just regular hacking cases as well. Or he says, don't put me on the stand. I think the guy is guilty and that's what I'll say. And he went off with his five grand, ten grand fee for being a defense expert witness. And there they went. Okay. This one you know more about than I do. Yeah, this one, we have a state senator who's under investigation for fraud in Pennsylvania. This one is fascinating. Absolutely fascinating. Two system admins. They're basically being told from higher up, the senator, they're being told get rid of all the evidence of our fraud. The guy is doing some kind of goofy money laundering thing through a non-profit. It's kind of ugly if you Google on these people, I'll give you some information. We've actually got a link to the indictment in here too. It says, delete every piece of email that you can. Now what happened is these guys are running around with PGP Wipe. They're running around doing all this other kind of goofy stuff trying to delete every piece of email they can. And some of the things they forgot to delete was their chatter back and forth in email like, hey, did you delete Connie's PC with the stuff. And they forgot to delete that kind of stuff. It's 65, 70 pages of stuff in there. 
It's fascinating, and I recommend everyone in this room read that thing, because you can really get into the mindset of what they were going through, and by implication you see the mindset of why these two guys, from the prosecution standpoint, got indicted. It shows where these guys were so focused on covering the cracks for the senator, they didn't think about themselves. And that's how they got popped for it. What's sad is that, and I haven't been following it here just lately, these guys were indicted before the senator was. So the senator will be indicted. Do what? This took place this past May. Yeah, it's still playing out. It's not done.
Anyway, basically there's a couple of interesting things that you'll gather from reading the indictment. Number one, you run PGP Wipe, there is a fingerprint that it actually leaves on the system. There are some temp files and stuff that it uses when it's writing, and it does an erase, but it doesn't do a secure erase of its temp file. So what happens is you can tell with a date and a time stamp when PGP Wipe was run. Something to keep in mind. If you're going to be doing PGP Wipe on a regular basis for years and years, that's one thing. But if all of a sudden your boss is under investigation for something, and starting the next Monday you're running PGP Wipe on everything, it's going to look like you're possibly involved in some type of cover-up.
Yeah, I've got a question. Does the cipher leave any traces? My understanding is that it does, but I don't know that for sure. Okay. Pardon? Yeah, yeah. In a lot of cases, yes. There are certain things where they may not be able to identify the specific tool, but they can tell something's been done. It depends on the way the wipe's done, if the wipe is like where they do random data in there, or they wipe with a pass with all zeros and then all F's or something like that.
I mean, then you can see that. It'll look pretty obvious that something's been done, because in all your free space, especially if it's a tool that goes in and does file slack, then it'll see all those spaces in there where things have been put in there. And conceivably, if it's random data, I mean, I don't know if they want to do this, maybe some defense expert will want to keep this in mind: in theory you could run some type of analysis on the data to say, is this random? Does this look like there's a pattern to it? Is it more random than this other part? That kind of thing. But again, that's the thing that gets really interesting from our perspective. But remember that the jury is like your grandmother and whatnot. And so they're just going to hear: a bad guy did something, and a guy in a suit is telling me that he has positive proof, that I don't understand, that he did it. And I wasn't smart enough to get out of jury duty, which we're going to touch on in a minute. We'll get to that in a minute.
But the thing is, you know, the admins, just so you know, in this particular case, you know how the DOJ really likes to make the numbers look big, because when it comes budget time it looks good when they're saying these big numbers. For these two guys, one of them is like 50 years old, the other one is like 36 years old. One of them, and this is in the goddamn press release, could spend 495 years in jail and 7.5 million dollars in fines, and the other guy is apparently getting a pretty easy deal; he's only got, you know, 25 years. Why did I take that exam? I mean, now granted, they're not going to give a guy 500 years for wiping emails, but you get the idea. It's looking grim, and they really stack it up to where it looks really, really ugly. It's going to scare the shit out of those two, for obvious reasons.
Yeah, well, yeah, they're going to go back and basically roll over on the senator; that's what they're going to do.
Anyone recognize this one? Zezev, or whatever it is. This is the guy, this is the Michael Bloomberg case, and this came down fairly recently, the last year or two anyway. This is before Michael Bloomberg was the mayor of New York; he ran this big firm, they have this financial software. This guy over in Russia, no, he wasn't from Russia, but he was Russian, but he was in a -stan or a -vakia, okay, one of the -stans or one of the -vakias, and I don't remember off the top of my head, okay, give me a break. But nonetheless, he found a flaw, and it's kind of interesting technically: normally in the software there'd be a login, but then there's some secondary stuff that goes in under the covers to make sure that the rest of the transaction is going to work, and this guy is like, you know, SoftICE, and could bypass the first part by using the second part. And so he gets to the point where he's in their Solaris back-end system, and so now he's sending emails from Bloomberg to Bloomberg saying, I've found holes in your stuff. And Bloomberg forwards it off to, you know, the guy, saying, hey, I got this weird message, can you look into this? And the guy says, no, I told... he sends another message saying, don't send it off to your tech person, I'm telling you, you gotta help me. He's really kind of, you know, he's really fucking with the guy, all right.
So the thing that's really interesting about this, and this really hasn't been made public, is that because he's in a -stan or whatever it is, they confiscate his computer overseas. After he gets arrested and everything, they confiscate his computer overseas, and it's in the possession of a foreign government. Now, the defense expert found that there were modifications made, with a time stamp, from the time that was after the seizure by the foreign government but before it was turned over to the US, who did the forensics investigation. So the guy has essentially plausible deniability. And the two main threatening emails that came, it's like, you're gonna pay me a couple hundred thousand dollars and everything; these two emails are worded slightly different, you know, words are misspelled in these that are not misspelled in all the other emails, and that kind of thing. So there are these things that are created in there that are really the bad stuff. This evidence is not thrown out, okay; they managed to say it's okay to let this stuff in. Of course, the bad thing is, of course, it's like, you know, pay me two hundred thousand dollars and I'll meet with you and you give me the money, and everything like that. What's weird about it, what convicted him, was that the guy still showed up at the meeting with Bloomberg to get his cash, which is when they got him. So I mean, it's still kind of stupid; his actions are really what convicted him on it. But nonetheless, if it had just been the threat and they grabbed him on that, there was evidence there, and it was actually thrown out. And I believe that there was speculation by the defense, off the record, that maybe this was an agreement between the foreign government and our government to show that they were working together really well, so maybe some evidence was still accepted even though it maybe shouldn't have been. I don't know that there was enough there to actually bring up an appeal of any sort. I don't know if there is an actual appeal in the works in that case either. But nonetheless, there were politics involved in this, obviously; you've got Bloomberg. It was just a circus of a trial. Just Google for the names in here and you'll find plenty of stuff on it.
Also, the other thing to keep in mind: this guy, the defendant, was actually acting nuts in court, yelling and screaming and rushing at people. He wanted to wear his jumpsuit, which everybody knows, you dress well and look like you're a good standing citizen. So, see, our motivation to not ever get busted is because we don't want to cut our hair. So it's essentially it, so there you go. But yeah, he was acting erratic. The guy had been in jail for two years waiting for the trial, and his family showed up and the kid was in the court, his two-year-old or, I guess, three- or four-year-old son was in court, and he went barreling through the court to jump over to hug his kid, and that just looked really poor to the jury. They intercepted him before he got there, so it looked like he was trying to make a dodge for the door and all this stuff. So, yeah, his behavior was very damaging to him with the jury.
Yes, the question was, so are you saying that Mudge got busted, that's why his hair is short? You'll have to ask Mudge that question. Either that or he's now busting people; we haven't decided which one it is. Mudge is a fed.
Useless slide. We took this yesterday right before Bruce spoke, of Bruce's crotch, and so we just thought we'd throw it into our presentation for no apparent reason.
All right, so a few conclusions here. Again, as I mentioned, if you can control the bits and bytes in your computer, and read that indictment for sure, but if you can control the bits and bytes of an investigation, you can kind of control the flow of it. But you have to act now if you want to control the flow of it, and quite frankly I recommend you do it now, whether you think you're going to do anything bad in the future, whether you know you're not going to do anything bad in the future, because you really never know. I mean, the whole design of this is, if you're living under a repressive regime, you may want to do this because you're starting to lose some trust in the government, and that is happening to a certain degree here. It could get better, it could get worse. I'm not giving an anti-Bush thing, because I thought Clinton was a dick too. But I mean, hey, come on, there's some... pardon? Clipper chip. Clipper chip, let's see, DMCA, whose watch was that on? There were some bad things that have gone on; it was drafted at the same time, USA Patriot, all these things. I mean, it's kind of a scary time, so we may have to actually try to do some of these things now.
Again, we're just talking about mainly the forensics thing. We can't tell you how to walk and talk and act and behave, but if you're going to walk the walk and talk the talk of a good model citizen because you don't want to get caught, then actually do it. I guess, don't give talks at DEF CON about thwarting government investigations might be a good start. But you see what I'm saying, you get kind of the idea. And even the best stuff you do, if you're, like, you know, bragging to your buddies about it, that hey, I popped this box, I mean, that's just kind of stupid. Do it to learn, not to brag. Exactly.
And the last point on here, and I encourage everyone to do this: instead of trying to get out of jury duty, show up in a suit and tie and try to actually participate and actually see what goes on in a court, because it is conceivable that if something does happen to you... I think it's a good idea for all of you to meet your jury of peers, okay? It can be an enlightening and very frightening experience. Again, it's a large group of people who are not smart enough to get out of jury duty. Yeah, so go in there, I say go in there and learn something, educate these people while you're in there as well. I mean, go in there and actually participate.
Yes, we got the EFF not heckling, which is pretty good. We can do a quick Q&A. So this is what happens when Weasel's working on slides while watching CNN. So if anyone's got some questions, there's a mic up there; we got time for just a few. Yes? The presence of encrypted files, could it be considered evidence against you if you have encrypted files on your system? Encrypt everything, not just the good stuff. Encrypt your porn, encrypt meaningless logs, whatever you want; you are welcome to encrypt anything you want. And it's been done where people have actually pled the Fifth instead of giving up their PGP passphrase, in case there is something in there that you really don't want them to be looking at. I mean, it's worked. Okay, it was Mitnick, and we all know how shitty that turned out for him, but nonetheless, you know, you can do that if you want. Okay. And they didn't tack on extra time for not turning over his passphrase. But yeah, you should be using, everyone should be using encryption anyway, for the same reason: if we see some technological piece of doodad that we want to play with, simply because we're hackers, that's what we do. You should encrypt for the exact same reason, because you can.
Yeah, question. I'm kind of curious. You're talking about putting stuff in beforehand, but if you're putting in a rootkit to give yourself some plausible deniability, don't you really need to also have that rootkit actually doing something, like collecting your passwords and other things, that actually makes it look like it's something other than just a random rootkit that didn't really do anything? Sure. Not one file; you want to layer all of the stuff that you're doing. You want to create deleted files that were created by the rootkit, even something like a rootkit that appeared to be active for three or four months and then it's no longer active; show up in your ISP logs as a zombie for a little bit, and then you do something else, and then you do something else, and you just layer these things on. That's what we're talking about. You can't just leave a copy of it lying on there. Now, if you're clever, you may leave a copy of it lying on there that, when pulled out in a forensics investigation, is what would be a natural remnant of someone who really hid stuff well, and there's this little piece that's left. You may even want something like that as well.
Now, as a part of doing something like this, I mean, that requires a lot of effort and follow-up and chasing it down. Isn't it just simpler to, as you were just saying, encrypt everything, make sure that that's your habit, and then if you get popped just plead the Fifth? Yep. Use the Fourth Amendment, yeah.
And I just brought this last slide. Bruce Potter still isn't in here, is he? Okay, good. This is what I want everyone to do, all right: take pictures of his crotch, okay, send them to this email address. You certainly don't have a question about his crotch, do you? We don't have anything against his crotch; it's just that we used a couple of their cameras. Our cameras are against his, yeah. Just send us pictures to this email and we've got an idea for some stuff that we'd like to do, okay. Don't tell them why you're doing it, just take a picture of his crotch. Don't tell Bruce. No one, you're in our group, and we're over here, the cool people who take pictures of Bruce's crotch, and the rest of you. But anyway, okay, the next question.
Yeah, earlier on you were talking about the lost key syndrome. Yes. Given your experience in forensics, is there an approach to take in evidence creation where they're more likely to find one particular thing earlier on? I'll touch on this right now. Maybe not, but I think everybody can agree with me that universities will soon be turning out EnCase jockeys, and investigations probably won't go beyond that tool. So if you understand the tools that are going to be used against you, then you know exactly what you need to do. Yeah, that's pretty much it. The best example I can give is, you know, if you're a Linux guy, you put all the bad stuff happening on your Windows box, or vice versa, okay. The system you don't know as much about, it's a good learning experience; you get to learn a new operating system, it increases your skill set, and maybe you'll throw the bad stuff on yet another operating system that comes along later on. But basically, think about what they would grab and then go from there. Thank you.
Earlier you mentioned something about the fingerprint of, well, PGP Wipe. Have you done any, or are you aware of any, research into things like what a hard drive looks like when it's fresh from the manufacturer, perhaps writing tools that restore a hard drive to look like it's never been written to? I've done a little bit of stuff in that arena, and that is, I've just done a lot of Googling and whatnot. Peter Gutmann, who's actually here at this conference, did a paper a number of years ago that talked about the drive and how you should do like 27 passes and whatnot. Technology has changed so much, drive technology has improved so much since that paper, he's one of the first ones to say this doesn't apply anymore. And so to get it to a state where it's back to the way it was, so to speak, is fairly easy to do with conventional wiping tools, okay. And you can use stuff like, I mean, because PGP does have, they've got other tools for assisting in this; there are other people that have tools for assisting in this where you can actually go through there and really, you know, zero the thing out. You don't have to do the... oh, by the way, just because I do know a little bit about this, I've spoken to the NSA person that developed the standard for wiping: it is not seven passes, it's three. They say seven passes a lot of times because there was a product that was approved for use in the government that happened to do seven passes. It did four extra, so it met the criteria, so everyone says, I'm government certified, I do seven passes. Three passes is enough: you do once with zeros, once with FFs, and then you do a random character that you verify, that you read back from the drive to verify it's actually there. And that's considered good enough for pretty much anything, and you're certainly, yeah, again, you're going to thwart the EnCase jockeys or whatever with that stuff gone.
But are drives coming from the factory with randomness, or are they coming with all zeros? Oh, that's what I mean. No, there'll be some data on there, because they do a lot of testing and stuff like that. Now, yeah, conceivably you could fingerprint and say, okay, they use these types of tools to test the drive, so we're going to have these types of bytes on there. Conceivably, yeah, you could write a tool that actually... I haven't heard of a tool yet, so that'd be a fun thing to do. All right, thanks. All right, I think we've been cut off, but one more question, one more question from Jon.
Yeah, I'm Jon Callas, I'm CTO at PGP. I was going to say that just about all wiping programs have some sort of passive fingerprint, that you can tell what wiping program was run on it, and they are also not designed to make it look like your disk was not wiped. To do that you would need to, after you do your three passes or whatever, then do an additional pass that layers over some data that looks like the disk was not wiped. If you want to regularly wipe your drive, you are much better off having some sort of cron job or something else that wipes it at 5 a.m. every Sunday, and say, this is my policy, I wipe it every week, than you are to wipe it once. It is the wiping it once right after something bad happens that is a huge signal. Yeah, again, that's exactly what we've been saying. So thank you. All right, thanks, Jon. All right, yeah, we've been cut off. Thank you very much, guys.