This part covers two stories in which a careless, ill-intentioned ex-employee and an inflated billing scheme were exposed through forensic analysis.
Michael: Alright, this case (see right-hand image) was a lot of fun. I didn’t expect it to be fun when I started out, but it ended up being a lot of fun. I call it “The Nickelback Guy”; you will see why in a second. So, it was another allegation of stolen confidential documents. This guy, let’s call him John, left one company to go work for a direct competitor, and his old company hired us to go in and take a look at this.
The company where he left asked us to take a look at his work computer to look for signs of data exfiltration. He worked on a lot of confidential projects and they just wanted to make sure that he wasn’t taking these confidential projects to the competitor and letting them know what they were doing.
So, we open up the hard drive to start the analysis and we start finding the stuff that you typically find on a work computer. Yeah, there is some work stuff, sure, some evidence of Facebooking. He’s got an mp3 collection. He liked listening to music while he was at work. We found the confidential documents that we were asked to make sure he didn’t take. So, that was to be expected because he did the work on this computer.
And almost immediately something jumped out at me. And we will get into why it jumped out at me in a second. But his music collection became very interesting to me, not because I love Nickelback but because, well, again, we’ll get into this.
I’m Canadian too, and Nickelback is from Canada. If you take a closer look at this photo (see right-hand image) something may jump out at you as well. These are just mp3s, just songs, but the size of these files is a little bit off.
Eric: What’s wrong here?
Michael: Yeah, the extended play Nickelback. This guy really loved his Nickelback. These were actually a bunch of .avi files that he had renamed. So it seems John assumed that nobody would listen to his Nickelback mp3s, which is probably a good assumption because I don’t think anybody would listen to his Nickelback mp3s. He was hiding something, but what was he hiding?
We did have to analyze them to see what they were, but I will say that the specific techniques that we used to analyze – they are trade secrets, so I can’t tell you how much depth we went into when we were analyzing them.
It seems John did a lot more than just work on his confidential project on that computer. So we had to tell the company that over the last three years while he was working there on this confidential project, he was also doing other stuff. They were pretty happy that he left anyways.
Alright, so what have we learned? When we examiners take a look at files on a computer, we don’t typically look at them within the nested folder structure. We don’t have to go into every single subfolder, go back out, go into other sub-folders, back out. We see it all on a big long list, as it makes it a lot easier to analyze stuff.
Also, one of the very first things we always run is what’s called a file signature analysis. This is a special script that looks at the contents of every file and it compares what’s inside the file with the extension, and if there are any discrepancies those files are bumped up to the top of the list to get looked at because the system knows if these don’t match something may not be right here, a human should take a look at this.
And at the end of the day, John’s attempt at hiding his pregger porn actually made it bump up to the top of the list for me to take a look at. So, if you’re going to hide something, don’t just change the filename – that doesn’t hide something, that makes me want to look at it even more.
Alright, the fail matrix. The user retard level – I would say 12 because, again, renaming a file is not data hiding. If you want to do real data hiding you should have come to my ACL Steganography talk. Punishment level – 13. He lost his job, not only at the previous company he left but at the new company where he landed – he lost his job there. Distress caused was zero, he didn’t really hurt anybody. I mean, what you choose to do on your own time is up to you, although he chose to do it on work time with work stuff.
Eric: You know what the bonus points are going to be for that, don’t you?
Michael: Yeah, there are going to be some bonus points, I would say, about a nickel’s worth. That gives a grand total of 30 fail points.
Eric: By the way, do you like the font that we are using? Comic Sans! Can we get a hand for Comic Sans, nobody uses Comic Sans. It is the most underappreciated font in presentations.
Michael: I don’t know why we don’t see Comic Sans in more business settings, I mean, really.
Eric: We are bringing it back, it’s a new movement. Alright, let’s look at the “Just Bill Me Later” case (see right-hand image). Our client, the ABC firm, outsourced a key part of their business. They’ve been doing it for many years. And the part of their business that they are outsourcing is on a time and materials basis.
So, there are a lot of invoices with hours and rates, and that’s basically it. It was several million dollars a year on average that was being billed. And our client started a review project because they thought they were being overbilled. They thought there might be a little inflation and they wanted to figure out why things were looking inflated. They looked at some of the individual bills and they thought things were taking a little bit too long. So we came in and decided to help.
They had thousands and thousands of PDF format invoices. And that is not going to do us a lot of good even if we OCR it; even if we apply optical character recognition to it, we still have a lot of unstructured data. I can search one or two PDFs, but when I’ve got tens of thousands of them it’s really difficult to do anything with that. So where do we start? We didn’t have a lot of clues in this one.
So, through the magic of court order, we were able to go to this customer’s database, their network and get an image of everything in their network including a billing database, which turned out to be very handy.
We made a forensic copy of this database, and it was in a proprietary format. In order for us to do forensic analysis on a database, we need to be able to get it into something like SQL where we can do standard queries. So we migrated it over, we ran standard queries and we’re looking at it, and there is still no easy way to compare the PDFs to the database. So we decided to reverse engineer the tables in the database. Sometimes it’s easy, but sometimes there are thousands and thousands of tables, and when we don’t have tech support or the developers we just have to figure it out. So it’s a really slow, laborious process, but we did figure it out. We noticed that the audit logs were turned on in this, which happened to be particularly useful.
So, we ran a lot of queries – time billed versus the audit logs, and we found there was sort of a pattern of inflation going on; because basically when you’re billing on time and materials, all you’re doing is you’ve got either hours or you’ve got a rate, and those are the two things that got overinflated.
Basically, there are two things that you can change there. You can change time or you can change the rate. But we found the audit logs were turned off by default and the IT folks, bless the IT folks, they turned the audit logs on, which was really, really helpful because we do a lot of database forensics cases and this is the only one we’ve seen where the audit logs were turned on.
So we were able to compare, basically, the amount that was billed at the end of the day versus how many hours were put up to that point, we were able to see a chronology. So maybe at the end of the day the bill was for a thousand dollars but we saw that there was only eight hundred dollars that was actually billed.
The billing person, the database person who basically was working with this – this person would change the hours and the rates sometimes and bump it up. So it went from, like, eight hundred to a thousand dollars on a typical invoice. They did this thousands and thousands and thousands of times.
So, let’s look at the fail matrix. I didn’t give the ‘user retard level’ too many points here because it was a billing administrator. Most average people don’t really know what’s going on inside a database. However, they had to refund the money, so they get 18 points for that.
Michael: …Over the last 4 or 5 years’ worth of money. So it was a lot of money.
Eric: It was about 12 million dollars actually. So they get 15 points. And bonus points – systematic culture of overbilling. They get 45 total.
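The file signature analysis Michael describes in the first case, as an added example that is not part of the talk or the speakers' tooling: it reads each file's first bytes, infers the real type (a RIFF header with an "AVI " form tag, an ID3 tag or MPEG frame sync for mp3, and so on), compares that with the extension, and sorts mismatches to the top of the review list. The signature table is an assumed short list, and the sample files (a genuine mp3 header and an AVI renamed to .mp3) are constructed for the demo.

```python
import os
import tempfile

# Header signatures for the handful of types this demo recognises (assumed list).
SIGNATURES = {
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "zip": (b"PK\x03\x04",),       # docx/xlsx are zip containers, mapped below
}
EQUIVALENT = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}

def detect_type(header: bytes) -> str:
    """Infer the real type from the first bytes; 'unknown' if no signature matches."""
    if header.startswith(b"RIFF") and header[8:12] == b"AVI ":
        return "avi"               # RIFF container whose form tag says AVI
    for kind, magics in SIGNATURES.items():
        if header.startswith(magics):  # bytes.startswith accepts a tuple
            return kind
    return "unknown"

def signature_analysis(paths):
    """Return (path, extension, detected) rows with mismatches sorted to the top."""
    rows = []
    for path in paths:
        with open(path, "rb") as f:
            header = f.read(16)
        ext = os.path.splitext(path)[1].lower().lstrip(".")
        ext = EQUIVALENT.get(ext, ext)
        detected = detect_type(header)
        mismatch = detected not in ("unknown", ext)
        rows.append((mismatch, path, ext, detected))
    rows.sort(key=lambda r: not r[0])  # True (mismatch) sorts before False
    return [(p, e, d) for _, p, e, d in rows]

def run_demo():
    """Write constructed sample files to a temp dir and analyse them."""
    directory = tempfile.mkdtemp()
    samples = {
        "Nickelback - Photograph.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32,
        "Nickelback - Extended Play.mp3": b"RIFF\x10\x27\x00\x00AVI LIST" + b"\x00" * 32,
        "project-notes.pdf": b"%PDF-1.7\n" + b"\x00" * 32,
    }
    paths = []
    for name, data in samples.items():
        paths.append(os.path.join(directory, name))
        with open(paths[-1], "wb") as f:
            f.write(data)
    return signature_analysis(paths)
```

Calling `run_demo()` returns the renamed AVI as the first row, flagged as extension "mp3" with detected type "avi", while the genuine mp3 and the PDF follow with matching types.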