Our talk is about forensic fails. I'm this guy over here. I founded an e-discovery company about 11 years ago. I'm a forensic examiner. I have done thousands and thousands of exams. I'm also an expert witness in state court, federal court, et cetera. And I like cats. And my name is Eric Robi. Hi.

All right. About this other guy. Hi. I'm Michael Perklin. You may remember me from other DEF CON talks such as ACL Steganography. I'm a forensic examiner, cyber crime investigator, security professional. I've also done thousands of exams. And I like to break things a lot. Don't break my cat.

All right. So our agenda today. We have got seven amazing stories full of fail. We're going to learn something about forensic techniques, because that's what we do. And the fails today are brought to you by both the suspect and the examiner. We'll get into that in a little bit. The names have been changed to protect the idiots on both sides. We've actually changed some of the facts to protect the idiots. It seemed like a good thing to do, basically. But because fail is not just one-dimensional, we found many dimensions of fail in our research, and we've decided we need to create a fail matrix to explain how the fail... So I'm just going to explain how the fail matrix works. The first level of fail is the user retard level. Oh, my God. I spelled that wrong. Drink. Drink. Drink. For the record, he was responsible for the keynote presentation. So this is definitely his fail. This is my fail. I get ten points. All right. So the punishment level depends on what happens. So this particular guy lost the case. Dollars, distress caused. Let's give this one five points. And bonus points are just whatever the fuck I feel like doing. His girlfriend left him in this case. So he gets 35 points.

All right. So let's get into the first one. This is the "it wasn't me" defense. You may have heard this one before. All right. So we do a lot of commercial litigation.
And a really typical kind of case is a trade secrets case. This is a typical example of that. So this guy, Bob, he was working in sales at Acme. And he resigned his position and decided to go work for a competitor. This happens all the time. And some allegations were made by his employer that he took some trade secrets: he took the customer list with him to his new company. It happens. So Bob says, I got nothing to hide. Come at me, bros. He didn't exactly say that; it sounded good. I'm paraphrasing. So we started imaging the drive and we started planning the examination. One thing we frequently do is look for deleted files in unallocated space. Unallocated space is the part of the drive that can typically contain deleted files. So when you hit Shift+Delete and it doesn't go away, it ends up in unallocated space. So we look for stuff there. Something we also do is look for recently used files by common programs like Word, Excel, Acrobat, and so forth. And we might look for USB device insertion. We're basically looking to see how trade secrets got from Acme over to the new company. Finally the drive finished imaging. And I'm actually going to share something really cool today. It's a DEF CON exclusive. World premiere. We found a new wiping pattern. This is actually real. I'm not making this up. This is real. So, you know, Bob apparently had used some kind of data destruction program that can overwrite every bit of the space in unallocated space. He used a pattern, however, that was not really commonly used by Windows or any other utilities I've seen. Might have been something custom. So I thought, hmm, this might suggest something bad was happening here. Let's, you know, maybe take a closer look at this. So we're going to zoom in. We're going to look at this on a molecular level now. I think we need to zoom in a little bit more. So what did we learn? I admit the first part was actually the second part.
There was no Sarah Palin in this case. So data destruction can almost always be detected. Even if you don't use a repeating pattern, it's still detectable. We see it all the time. There are artifacts left behind that could be part of the pattern, or there are artifacts in the operating system itself. So we might not know what you've destroyed, but we'll definitely know you destroyed something. This is the mic. Here you go. And also, it doesn't work very well. And mean phrases make people dislike you. What about your fail matrix? We've got to do the fail matrix. All right. All right. 12. Pretty retarded, I think. You know, the guy lost the case. He got sued. Under $100,000, so not a huge amount of economic distress. And I didn't really give him any bonus points here, because it just wasn't that good. So he gets 27. It's already fail. I think we can blame that guy who gave me the beer.

So this case was a lot of fun. I didn't expect it to be fun when I started out, but it ended up being a lot of fun. I call it the Nickelback guy. You'll see why in a second. So it was another allegation of stolen confidential documents. This guy, what's it called, John, he left one company to go work for a direct competitor. And his old company hired us to go in and take a look at his... Can we get audio for this? By the way, we're going to need audio for this segment, so if you can turn it on. So yeah, the company where he left, they asked us to take a look at his work computer to look for signs of data exfiltration. He worked on a lot of confidential projects, and they just wanted to make sure that he wasn't taking these confidential projects to the competitor and letting them know what they were doing. So... Right. I totally said all that. So we... Why is this not working? There it is. We opened up the hard drive to start the analysis, and we started finding all the same stuff that you typically find on a work computer. Yeah, there's some work stuff. Sure, some evidence of Facebooking.
He's got an MP3 collection. He liked listening to music while he was at work. Typical stuff. We found the confidential documents that we were asked to make sure he didn't take. That was to be expected, because he did the work on this computer. And almost immediately, something jumped out at me. We'll get into why it jumped out at me in a second. But his music collection became very interesting to me. Not because I love Nickelback, but because... Well, again, we'll get into this in a second. That would be fail. Yeah. And I'm Canadian, too. So I... Yeah, Nickelback's from Canada. Yeah, if you take a closer look at this photo, something may jump out at you as well. These are just MP3s, just songs. But the size of these files is a little bit off. What's wrong here? Yeah, the extended play Nickelback. This guy really loved his Nickelback. So these are actually a bunch of AVI files. Yeah. Yeah, these are just AVI files that he had renamed. So it seems that John assumed that nobody would listen to his Nickelback MP3s, which is probably a good assumption, because I don't think anybody would listen to his Nickelback MP3s. And he was hiding something. But what was he hiding? Preggo porn. This guy had quite a big fetish for preggo porn. These were full-length feature films of pregnant ladies banging. And there were a ton of them. All over this guy's hard drive. Well, we did have to analyze them to see what they were. But I will say that the specific techniques that we used to analyze them are trade secrets. So I can't tell you how much depth we went into when we were analyzing them. But yeah, it seems John did a lot more than just work on his confidential project on that computer. So we had to tell the company that over the last three years while he was working there on this confidential project, he was also doing other stuff. They were pretty happy that he left anyways. So what have we learned?
Examiners, when we take a look at files on a computer, we don't typically look at them in the nested folder structure. We don't have to go into every single subfolder, go back out, go into other subfolders, back out. We see it all in a big long list. It makes it a lot easier to analyze stuff. Also, one of the very first things we always run is what's called a file signature analysis. This is a special script that looks at the contents of every file and compares what's inside the file with the extension. And if there are any discrepancies, those files are bumped up to the top of the list to be looked at, because the system knows if these don't match, something may not be right here. A human should take a look at this. I just said those things. And so at the end of the day, John's attempt at hiding his preggo porn actually made it bump up to the top of the list for me to take a look at. So if you're going to hide something, don't just change a file name. That doesn't hide something. That makes me want to look at it even more. All right, so the fail matrix. The user retard level, I would say 12, because again, renaming a file is not data hiding. If you want to do real data hiding, you should have come to my ACL Steganography talk. Punishment level 13: he lost his job. Not at the previous company where he left, but at the new company where he landed; he lost his job there. Distress caused was zero. Didn't really hurt anybody. I mean, what you choose to do on your own time is up to you. Although he chose to do it on work time with work stuff. You know what the bonus points are going to be for, don't you? Yeah, there's going to be some bonus points, I would say about a nickel's worth. So that is a grand total of 30 fail points. All yours. That is the fail sound. Thank you. By the way, do you like the font that we're using? Comic Sans. Can I get a hand for Comic Sans? Nobody uses Comic Sans. It's the most underappreciated font in presentations.
I don't know why we don't see Comic Sans in more business settings. I mean, really. We're bringing it back. We're bringing it back. It's a new movement.

All right, so let's look at the "just bill me later" case. So our client, the ABC firm, they outsourced a key part of their business. They'd been doing it for many years. And the part of their business that they're outsourcing is on a time and materials basis. So there are a lot of invoices with hours and rates. And that's basically it. It was several million dollars a year on average that was being billed. And our client started a review project because they thought they were being overbilled. They thought there might be a little inflation. And they wanted to figure out why things were looking inflated. They looked at some of the individual bills and they thought things were taking a little bit too long. So we came in and we decided to help. So they had thousands and thousands and thousands of PDF format invoices. Now, that's not going to do us a lot of good. Even if we OCR, even if we apply optical character recognition to it, we've still got a lot of unstructured data. So I can't really search one or two PDFs, but when I've got tens of thousands of them, it's really difficult to do anything with that. So where did we start? We didn't have a lot of clues in this one. So through the magic of court order, we were able to go to this customer's database, their network, and get an image of everything on their network, including a billing database, which turned out to be very handy. So we made a forensic copy of this database, and it was in a proprietary format. In order for us to do forensic analysis on a database, we need to be able to get it into something like SQL where we can do standard queries. So we migrated it over, we do standard queries, and we're looking at it and there's still no easy way to compare the PDF to the database. So we decided to reverse engineer the tables in the database.
Sometimes it's easy, but sometimes there are thousands and thousands of tables, and when you don't have tech support from the developers, you just have to figure it out. So it's a really slow, laborious process, but we did figure it out. We noticed that the audit logs were turned on in this one, which happened to be particularly useful. So we ran a lot of queries, time billed versus the audit logs, and we found there was sort of a pattern of inflation going on, because basically when you're billing on time and materials, all you've got is either hours or a rate. Those are the two things, and they got overly inflated. So these are the two things that you can change there. You can change time or you can change the rate. But we found the audit logs were turned off by default, and the IT folks, bless the IT folks, they turned the audit logs on, which was really, really, really helpful, because we do a lot of database forensics cases and this is the only one we've seen where the audit logs were turned on. So we were able to compare basically the amount that was billed at the end of the day versus how many hours were put up to that point. We were able to see a chronology. So maybe at the end of the day the bill was for $1,000, but we saw that it was only $800 that was actually billed. So the billing person, the database person who basically was working with it, this person would change the hours and the rate sometimes and bump it up. So it went up from $800 to $1,000 on a typical invoice. They did this thousands and thousands and thousands of times. So let's look at the fail matrix. So I didn't give the user retard level too many points here, because it was a billing administrator. Most people don't really know what's going on inside a database. Most average people. However, they had to refund the money. So they get 18 points for that. Over the last four or five years' worth of money. So it was a lot of money. It was about $12 million, actually.
So they got 15 points. I wish. And bonus points. Systematic culture of overbilling. They got 45.

Okay. This next one, I call it smokinggun.txt. Now, if you work in the forensics arena, you've probably heard the term smokinggun.txt. It's the gag name of what you're always looking for in a case. It could be that record in a database. It could be that internet history record that shows that the guy really did something bad. It comes from the cheesy western movies where the murderer's gun is still smoking after he shot it. It proves that he was the one who fired the shot. So in forensics, you're always saying, did you find the smoking gun? Yeah, found the smokinggun.txt. Sometimes I wish it were as easy as finding a file named smokinggun.txt, but you can only wish. This is another intellectual property case. Again, you've got a guy leaving one company to go work for another company. And the first company says, can you make sure he didn't do stupid shit? And we were called in to make sure that he didn't do stupid shit. So we imaged the drive. We kicked off our standard analysis scripts, like the file signature analysis script that I told you guys about before. And opened up his desktop folder. I always like to open up the desktop folder of every suspect that I'm examining, because you can tell a lot about the person when you're looking at the desktop. Do they cram a lot of files in there in an unorganized fashion, or maybe everything is packed away in the My Documents folder? Things like that. Are they arranged nicely, or is it just all smattered? It tells you a little bit about the person, so you can get a little bit into the mind of who they are. And immediately I solved the case. How did you do that? So, well, this is the smokinggun.txt. It's almost as easy as this. With a barbecue. So I opened up the desktop folder and I saw this. I'm hoping you can see that in the back, but I'll read it out for you. You've got a folder on the desktop.
You can see it at the bottom left there. The folder is called Competitive Intelligence. And inside that folder we've got a PowerPoint presentation titled Project Blue Book. We've got some PDFs. We've got a whole bunch of stuff about this Project Blue Book that this guy was working on from his old company. He was getting ready to deliver this presentation to the executive leadership team of the new company, telling them everything about this confidential project from his old company. Yeah. He didn't even make it difficult for me. Not only was all this stuff there, but he made a PowerPoint presentation describing it, to deliver all the knowledge for this to the ELT. Yeah. I just said that. Did we overbill for this? We're not that last client. All right. Pardon me? I don't even remember. Probably it took 20 minutes. We probably just had one hour. Michael, what have we learned in this case? Well, we learned that sometimes people don't even try. Fail matrix. All right. User retard level's got to be an 18. We could, but we're saving the higher scores for some of the later stories. Numbers are going up. You may have noticed. Yeah. So far each one's been going up. Yeah. He got an 18 for user retard level, because if you're going to be doing this, don't leave tracks all over your computer. I mean, sure, if you're going to say they're going to be launching this new thing in August next year, that's one thing to say to a person, but if you put together a whole presentation about the thing, that's fail. It's fail. Punishment level is 10, because he had to settle. He was obviously in breach of his NDA from the old company, and it cost him 1.5 million in damages. So the distress caused is a six-pointer, and bonus points of 12 for zero effort. This all adds up to a fail matrix score of 46.

All right. Next story. I hope you appreciate these amazing sound effects and video editing that I did. Hold on. We need to put the presentation on hold. I have a problem.
Which one is which? That one is mine, on your left hand. Are you sure? I want the one that has more. Then the one with more is yours. Nice. When? We'll be taking questions later.

All right. So the next one I call "hiding in the cloud." So once again, a top sales guy leaves a company, and the sales just take a nosedive, actually. And they think he took the customer list, but they can't prove it. They know that there are new customers. They know that there are old customers over at the new company, but they can't prove that he's taken the customer list. So we image his computer and we start looking for the usual kind of clues. So for example, link files are a Windows artifact that show what files have been recently opened. They're a simple text file and they're pretty easily parsed, and they've got a lot of information about the location of the file, the date and the time, all that kind of good stuff. We look at a registry key which I just love the name of. It makes absolutely no sense to me at all, but somebody at Microsoft maybe had a couple of these one day when they were working. It's called BagMRU, for some unknown reason. Most recently used, but why bag? You guys are just full of great people. So it's a registry key that can show user activity, and it can show what files are inside a folder. So that's one of the things that we look at typically in a data exfiltration case. Jump lists, which are... that's actually wrong, it's from Vista forward where we've got jump lists, and if you look at your... That's a fail. That should say Vista. I just don't love Vista enough to put it in there. Anyway, so jump lists are the thing on your task bar: if you've got like five Word documents open and you click on it, you've got the five; those are jump lists, basically. And IE history, Internet Explorer. Internet Explorer is so much more than just exploring the Internet. It actually records things that you do without your knowledge, like opening files. But we're getting no love.
I'm not finding anything. Show me the love, baby. He's having a beer. So we searched the IE history and we found a .htm file that had some JavaScript in it pointing to FilesAnywhere. Who's familiar with that site? It's very much like Dropbox, the same kind of concept, but it's more for business users, so it's got a lot of really great auditing and logging and stuff like that, so if you're uploading and downloading files you can basically monitor and track them and so forth. That turned out to be a very nice file. Bingo! And we solved the case. Timing fail, I'm sorry. Bingo! Bingo! Bingo! We solved the case. So what we got was the account ID, the upload times, the file names, everything. We got some sweet lovin'. We got ourselves some stolen files. Let's look at this little actual bit of JavaScript here. We did change the file in this case, but we got the stolen file, the recipe for Coke, for example, this minor trade secret. The user is the user account name, so we were able to subpoena that from FilesAnywhere and figure out who actually registered the account. There is the folder that it was in, and this is really handy here: the date that it was uploaded. And we got a whole bunch of these. In fact, this is the first page of an 80-page Excel report, and these are all the file names that this guy uploaded. So, yeah.

So the second part of the story is... I'm going to go back. Another fail. Fail! Which one do I drink from? Yes! Good answer. Good answer. So the second part of the case: the opposing attorney, the guy representing the thief, handed us an Outlook CD. A CD with Outlook is part of the discovery process. Discovery is a legal term in litigation where both sides are able to exchange evidence, and in fact they are compelled to exchange evidence through the rules of the court. So he gives us a CD and it's got an Outlook PST on it.
The first thing we notice as we look at it is there are not a lot of files in there, and the first thing we do is we want to recover the deleted emails, and that's what we like doing. We like looking at people's emails. So I'm going to show you the old school way of recovering deleted emails. You use a hex editor. You crack open the PST and you change bytes 7 through 12, or 7 through 13. Change them to zeros. Save the file. Then you use the Outlook repair tool, which is built in with Microsoft, and you basically have the repair tool repair the PST, and what happens is you get a lot of emails back. Now these are not the actual emails, but you get tons and tons of emails back, and in fact in this case we got tens of thousands of deleted emails. And what was in these emails? Everything that completely turned the case around. So not only did we have this guy with all the uploads on the spreadsheets, we also had all the emails about who was involved, what lists he took, all the people that were involved. We were winning. We went to Charlie Sheen mode all of a sudden. And the funny thing is we were able to take all this information to a deposition, and if you don't know what a deposition is, we get to ask questions of the opposing party. So we're asking them what happened: did you guys steal anything, did you take anything? No, no, no. We start pulling out these emails one by one, and the guy turns white as a sheet and he spills the beans, and basically, you know, we do pretty well. So who deleted the emails, do you think, in this case? Call it out if you think you know who deleted them. Wow, people got it almost immediately. They hired Saul Goodman, unfortunately, and yeah, he deleted the emails. Not a good thing, not a good thing. So what did we learn? The question was, did he claim privilege on the emails? Did he claim privilege on the emails?
He claimed privilege on some of them, but not on all of the 10,000 that he deleted. So IE history is actually really difficult to wipe, is what we've learned. It seems to leave stuff behind. The new artifact, which is actually pretty cool, FilesAnywhere, this JavaScript artifact, I haven't heard this discussed anywhere before, so I think it's kind of cool. JavaScript files can give us love too. We like them. And uploading files still leaves traces. So an attorney shouldn't mess with evidence. It's against the ethical rules in every state and probably every Canadian province, and it can get you disbarred, actually. So, well, let's look at the fail matrix. So the user retard level is pretty damn high in this one. We got fails on the attorney's part and also on the ex-sales guy. Huge lawsuit: three and a half million dollars in fees and damages, which our client all got back, basically. And 15 bonus points. The attorney might lose his license on this one. He hasn't yet. We don't know; we don't track that kind of stuff. 51. We're moving up. You ready? Oh, right, let's do this shit.

So this next case was probably one of the most fun cases that I've worked on. Right from the start I could tell that this was going to be a fun one. I call it the RDP bounce. You'll see why. I was called in to investigate a network breach. The company told us, and they shared some information with us, that was evidence that at least one computer had been breached. They didn't know why, they didn't know what, and they asked us to investigate. Well, to tell them why and to tell them what. It was a large company. They had a lot of computers, all of them Windows based, thousands upon thousands of computers in offices all across the world. And in one of their offices they noticed this computer had been breached. So let's figure out what happened. So we moved in, and actually I think I'm just going to pause here for two seconds. Hey Eric, is this your first time presenting at DEF CON? Yes, it is. We don't even have to say anything anymore. You guys
know exactly what's going on. I want to know, is Sarah... Sarah, show yourself. Yeah, which Sarah? You, Sarah? Is your name Sarah? Bend over. We thought Sarah was going to be here, so we're just going to leave you. You were the ugliest Sarah ever. Finish that. Fail. Another soldier bites the dust. Winning. I have to recover. Paul, yes, there's some issue about the sound person. Uh, no, Sarah is supposed to be the sound person. You know, I appreciate that, Sarah, but we were looking for a different Sarah. She's not here. Sarah, would you come up? Come on up. You're the next contestant on Will You Fail. Someone's count is wrong. Your pass, one for Sarah. All right, I'm Sarah. I'm sure all of you want to be Sarah right now. We already have Sarah Palin in the talk. To our new speakers and to our new attendees, thank you. Two more to this hour. All right, we've got 15 minutes left, so thank you very much, goons, for doing that. It's Eric's first time at DEF CON.

All right, so I was talking about the RDP bounce case that I was investigating. Now, as I mentioned, thousands of computers, various offices all around the world. So we analyzed the one computer that they knew was breached, and it showed that RDP, or Remote Desktop Protocol, this is the tool that's built into Windows that allows you to remotely control another computer, and logs showed us that RDP was used to connect using the local administrator password to another machine. It also showed that... actually, I said that backwards. It showed that RDP was used to connect in, and it also showed that RDP was used to connect out. So in this little diagram here, I was looking at the middle computer. I didn't know at the time that there were other computers. I was just looking at this middle one, and it seemed that there were a bunch used in here, so it was probably the tip of the iceberg. Where do you find these logs, Michael?
Specifically, I was looking at the Windows event log, the Event Viewer. If you go into the Control Panel and the Administrative Tools, there's the Event Viewer tool. By default it logs a lot of stuff in there, including when RDP is used to connect in and when you're connecting out. So I analyzed the machine that came before it, and same thing: there were logs that showed that somebody was connecting into that. It was basically an entire bounce. Now, these computers were located in different offices all around the world. This guy was bouncing all around the world to do something. So obviously this is a pattern. I still didn't know what he was doing. I just knew that he was clearly going through a lot of trouble to obfuscate his trail, bouncing all around, probably so that when he does hit his final target, there's no direct evidence of where he was coming from. Yes, they were all sessions. So he opens up a remote desktop, and then within that remote desktop window he opens up another remote desktop to another machine, and he just did this over and over. It must have taken him hours, because remote desktop is not the fastest protocol at all. I don't even want to speculate how long it took him to do this. Can you imagine how long the screen redraw was by the time you get to machine 10? You probably have to double click with like a minute in between clicks or something. All right, so what was the target? So I think you can figure out what I would do next. Rather than following the trail back, following the trail forward: what was he getting? So step after step, computer after computer, site after site after site all around the world, I finally reached a high profile machine. I wish I could tell you what I mean. I can't, because it would give away too much about this company. Did it have Nickelback on it? It did not have Nickelback on it. Choppiest video ever. Yeah, choppiest video ever, for sure. So once I reached this machine I knew exactly what he was going after. He wanted highly confidential
documents that were only on this one machine in the entire company, and he obviously knew this. He went into this machine to get these documents. So I focused my analysis on this target machine, on this special confidential machine, and I wanted to see what they did, specifically which files did they take. And it took me only about two minutes as I was analyzing this machine, and I identified the attacker immediately. Now, he went all around the world, and finally, when I was taking a look at his target, within two minutes he was... He used his own credentials on the machine? No, he did not use his own credentials on the machine. Any other guesses? Emailed himself? Nope. He stole his own file? Nope. He did not check Facebook. No. No share drives. Why don't I tell you what he did. Michael, what did he do? Printers. So one thing that a lot of people don't know about remote desktop is that by default it maps the printer connected to your machine to the machine that you're connecting out to. It does this so that when you hit print inside your remote desktop window, your printer next to you is available, so you can print a document beside you. Now, this guy didn't print any documents, but just by connecting, the machine automatically mapped his local printer to the target machine, which identified his machine name. He forgot to turn this off. There is a check box in Remote Desktop: when you open up the RDP window, you can get options and then uncheck "map printers to target machine." It's just a check box. He did not uncheck it. What have we learned, Michael? Well, what have we learned? Log entries that are created by innocuous system events can give insight into user actions. Now, he didn't map his printer; the system did it automatically. So sometimes just looking at what the system is doing can tell you what the user was doing. For the fail matrix, user retard level would be about a 20, because he went through a lot of trouble to cover his tracks and he did not cover his tracks. Punishment level would be 15. He
lost his job. He also lost his references. He can't use that company as a reference anymore. So distress caused would be 8. Bonus points would be 20. Do some research. If you're going to use RDP to pull off some kind of a scam, know how RDP works. Adding it all up, we've got a fail score of 63.

Now the last story here, Eric. The last story is a little bit different than the others. This is the epic porno fail. So the difference in this one: the other cases we've talked about have either been commercial litigation, civil litigation, something on that side. This one happens to be a criminal case, and from time to time we do criminal defense work, and we work either with public defenders or with private attorneys. And so this is about this kind of situation. So our client, Edgar, has been charged with possession of contraband, a.k.a. child porn, on his computer. Pretty unsavory stuff. He claims innocence, as usual, because everybody always claims innocence, and you know, 98% of these people did it. We examined the computer. We looked at the examiner's report. We looked at their allegations, and let's take a look at them. They claim Edgar downloaded porn. They claim that Edgar's user account had passwords. This is all documented in the report. And they claim that Edgar utilized newsgroups to download porn. Like, for real? Who uses newsgroups to download porn? Anybody? I think they have the web now. I mean, yeah, newsgroups, right? So that guy I would believe. All right, so they alleged that he downloaded illegal porn, and there is one thing to note. Just keep this in mind as we go through the talk: he left his house in April 2012. You know, stuff happening, basically. So April 2012, keep that in mind. So let's look, when we examined the computer, let's see what we came up with. So first we looked at IE history, and as I mentioned before, IE history is able to show you when a file has been opened. So this is an actual example. I've changed the file name a little bit here. And what was the date that I just mentioned? April 2012. Okay, are
these before or after April 2012 put up your hand if it's after ah yeah so alright one fail here let's look at his peer-to-peer software download folder so in the top there I've got the path where these Naughty files were downloaded and it's a pretty typical path these PDP programs change the file name to something long so it's like T dash something something something Naughty file anyways I'm looking at the dates here again and Michael do you have a calendar give me a second here when is December it is after April after April okay just wanted to check we need to verify our forensic findings before we can publish them so you know we're verifying oops I think give me that beer alright so they also claim that he used Outlook Express really to download porn Outlook Express this is 2012 remember folks makes me wonder did they even analyze this guy's machine where are they coming up with this stuff we saw records of P2P not Outlook Express Outlook Express alright in reality yes Outlook Express was on the machine called porno lover okay it was set up after Edgar moved out of the house and only headers were downloaded no content so what do you mean by headers so a header is if you're using Outlook Express it is just the first part of the file the email it's going to have the date the sender the receiver maybe the subject line maybe the first couple words but there was no content there was no no photos in there just headers with you know admittedly porno names so they also let's look at accusation number 3 they say his user account had a password in the inference is only Edgar was able to access it because there was a password let's look at the passwords shall we maybe we can zoom in a little bit on this this is actually a really cool utility it's free it's called LCP I'll just go back to it for one second here it's a free utility it's really great for looking and seeing if there are passwords you can also use it to perform an attack although it's not very good alright so 
more facts undiscovered by the examiner the P2P client was used to download porn that's the examiner didn't find that into a new user account called porno lover guess when after he moved out of the house so we submitted a report to the prosecutor it was like a 5-10 page report something like that and the government dropped the charges years after they charged this guy they dropped the charges this does not ever happen really this is the first time I've done this and well hundreds of cases, thousands of exams I don't know how many it's never happened before and this is after the guy spent a huge amount of money on legal costs so to do all this I just want to give a thank you to Rob Lee and the Sands we use super timeline analysis to do a lot of this work super timeline is a really amazing piece of software that will basically go through the computer and look at all the computer generated artifacts and put everything into a nice chronological sequence for you so really awesome piece of software definitely one of the best piece of software reviews so the government interviews Edgar's friend the friend confesses the friend did it the friend was trying to get jiggy with Edgar's wife and he put the porn on the computer and the court clears Edgar's name they give him a finding of actual innocence never happens I've had many people claim innocence and this guy actually claimed innocence and he really was rarely happens I've been to court a couple times where there's been acquittals and we didn't go to court on this one fortunately but we would have so what do we learn? 
base your conclusions upon actual evidence find multiple artifacts backing up your allegations and I don't know where the password thing came from tie it to a person not just a machine if possible try to look at user activity that would tie specific events to a person so remember the maximum you can get is 20 in any category however I've decided to break the rules a little bit for this one so examiner and he gets five bonus points built in right there the guy sued the city for millions of dollars and you know there might be a job security issue for somebody in this case I don't think that examiner is going to really have a job much longer and 100 bonus points because the court finds a suspect innocent so factually innocent thank you very much thank you everybody
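The two lessons the speakers draw from the last story (put every computer-generated artifact on one chronological timeline, then check each allegation against the dates and against the account the artifact is tied to) can be shown in a few dozen lines. The block below is an added illustration written for this page; it is not the speakers' code and not the SANS super timeline tooling they credit. The artifact records, the account names (`edgar`, `pornolover`), the keyword `naughty`, and the cutoff of 30 April 2012 (chosen to stand for the "April 2012" move-out date mentioned in the talk) are all constructed sample data, and the source labels such as `ie_history` and `p2p_download` are assumed names for the parsers that would feed a real timeline.

```python
"""Toy "super timeline" check: merge artifacts from several sources into one
chronological sequence, then test an allegation against it.

All artifact records below are constructed sample data for illustration,
not evidence from any real case.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class Artifact:
    """One computer-generated event: when it happened, which parser produced
    it (assumed source names), which account it is attributed to, and what
    it recorded."""
    ts: datetime
    source: str    # e.g. "ie_history", "p2p_download", "sam_account"
    user: str
    detail: str


def build_timeline(artifacts: List[Artifact]) -> List[Artifact]:
    """Merge artifacts from every source into a single chronological list."""
    return sorted(artifacts, key=lambda a: (a.ts, a.source, a.detail))


def events_after(timeline: List[Artifact], cutoff: datetime) -> List[Artifact]:
    """Artifacts timestamped strictly after the cutoff date."""
    return [a for a in timeline if a.ts > cutoff]


def corroborating_sources(timeline: List[Artifact], user: str,
                          keyword: str) -> Dict[str, int]:
    """Count, per artifact source, the events that tie `keyword` to `user`.
    An allegation backed by one source is weaker than one backed by several
    independent artifacts, which is the "multiple artifacts" lesson."""
    counts: Dict[str, int] = {}
    for a in timeline:
        if a.user == user and keyword in a.detail.lower():
            counts[a.source] = counts.get(a.source, 0) + 1
    return counts


def assess_allegation(timeline: List[Artifact], accused: str, keyword: str,
                      left_home: datetime) -> Dict[str, object]:
    """Decide whether the timeline supports 'accused handled <keyword> material'.

    The allegation is only supported when at least one matching artifact is
    attributed to the accused's own account and dated before the accused left.
    """
    relevant = [a for a in timeline if keyword in a.detail.lower()]
    by_accused = [a for a in relevant if a.user == accused]
    after_leaving = [a for a in relevant if a.ts > left_home]
    other_users = sorted({a.user for a in relevant if a.user != accused})
    if not relevant:
        verdict = "no artifacts reference the alleged material"
    elif not by_accused:
        verdict = "unsupported: all matching artifacts belong to other accounts"
    elif len(after_leaving) == len(relevant):
        verdict = "unsupported: every matching artifact post-dates the accused leaving"
    else:
        verdict = "supported by artifacts tied to the accused before the cutoff"
    return {
        "matching": len(relevant),
        "attributed_to_accused": len(by_accused),
        "after_cutoff": len(after_leaving),
        "other_accounts": other_users,
        "sources": corroborating_sources(timeline, accused, keyword),
        "verdict": verdict,
    }


# Constructed sample artifacts (not from the case described in the talk).
SAMPLE_ARTIFACTS = [
    Artifact(datetime(2012, 3, 10, 9, 5), "ie_history", "edgar",
             "file:///C:/Users/edgar/Documents/taxes2011.pdf"),
    Artifact(datetime(2012, 4, 2, 18, 40), "evtx_logon", "edgar",
             "last interactive logon for account edgar"),
    Artifact(datetime(2012, 6, 15, 21, 12), "sam_account", "pornolover",
             "account created"),
    Artifact(datetime(2012, 12, 1, 23, 58), "p2p_download", "pornolover",
             "C:/Users/pornolover/Downloads/T-xxxx naughty file.avi"),
    Artifact(datetime(2012, 12, 3, 0, 14), "ie_history", "pornolover",
             "file:///C:/Users/pornolover/Downloads/T-xxxx naughty file.avi"),
]
LEFT_HOME = datetime(2012, 4, 30)  # assumed cutoff standing in for "April 2012"

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_ARTIFACTS)
    for a in tl:
        flag = "AFTER" if a.ts > LEFT_HOME else "before"
        print(f"{a.ts:%Y-%m-%d %H:%M} {flag:6} {a.source:13} {a.user:11} {a.detail}")
    print(assess_allegation(tl, "edgar", "naughty", LEFT_HOME))
```

Running the script prints the merged timeline with each event marked before or after the cutoff, then the assessment for the allegation against `edgar`: the two artifacts that reference the material belong to a different account and both post-date the cutoff, so the verdict is "unsupported". Swapping in the other account shows the same artifacts corroborated by two independent sources.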