Michael Perklin and Eric Robi recall two more non-trivial cases of fails caused by little or no effort spent hiding insider activities, with the evidence turning up in artifacts such as desktop folders, cloud-upload records, IE history and a handed-over PST file.
Michael: I call the next one “Smoking Gun.txt” (see right-hand image). If you work in the forensic arena, you’ve probably heard the term ‘the smoking gun.txt’. It is the gag name of what you are always looking for in a case. It could be that record in the database; it could be that Internet history record that shows that the guy really did something bad. It comes from the cheesy western movies where, you know, the murderer’s gun is still smoking after he shot it. It proves that he was the one who fired the shot.
So in forensics you always say: “Did you find the smoking gun?” – “Yeah, found the smoking gun.txt.” Sometimes I wish it were as easy as finding a file named ‘smoking gun.txt’, but you can only wish.
This is another intellectual property case. Again, you’ve got a guy leaving one company to go work for another company. And the first company says: “Can you make sure he didn’t do stupid shit?” And we were called in to make sure that he didn’t do stupid shit.
So we imaged the drive, kicked off our standard analysis scripts like the file signature analysis script I told you guys about before, and opened up his desktop folder. I like to open the desktop folder of every suspect that I am examining because you can tell a lot about the person when you are looking at the desktop. Do they cram a lot of files in there in an unorganized fashion, or maybe everything is neatly packed away in the My Documents folder? Things like that… Are they arranged nicely, or is it just all smattered? It tells you a little bit about the person so you can get a little bit into the mind of who they are, and immediately I solved the case.
Michael: Well, this is the ‘smoking gun.txt’. It was almost as easy as this (see right-hand image).
Eric: With a barbecue?
Michael: So I opened up the desktop folder and I saw this (see left-hand image). I will read it out for you: you’ve got a folder on the desktop, and you can see at the bottom left there that the folder is called “Competitive Intelligence”. And inside that folder we’ve got a PowerPoint presentation titled “Project Bluebook”. We’ve got some PDFs, we’ve got a whole bunch of stuff about this “Project Bluebook” that this guy was working on from his old company. He was getting ready to deliver this presentation to the executive leadership team of the new company, telling them everything about this confidential project from his old company.
He didn’t even make it difficult for me. Not only was all this stuff there, but he had also made a PowerPoint presentation describing it, to deliver all that knowledge.
Michael: Well, we learned that sometimes people don’t even try. Fail matrix: alright, the user retard level has got to be 18. Sorry, we are saving the higher scores for some of the later stories.
Eric: The numbers are going up as you may have noticed.
Michael: Yeah, so far the numbers have been going up. He got 18 for user retard level because if you are going to be doing this, don’t leave tracks all over your computer. I mean, sure, telling a person that they are going to be launching this new thing in August next year is one thing, but if you put together a whole presentation about the thing, that’s a fail. Punishment level is 10 because he had to settle; he’s obviously in breach of his NDA from the old company, and it cost him 1.5 million dollars in damages. So the distress caused is a six-pointer, and 12 bonus points for zero effort. This all adds up to a fail matrix score of 46.
Eric: Alright, the next one I call “Hiding In The Cloud” (see right-hand image). So, once again, a top sales guy leaves the company, and the sales just take a nose dive actually, and they think he took the customer list but they can’t prove it. They know that there are old customers over at the new company but they can’t prove that he has taken the customer list. So we image his computer and we start looking for the usual kind of clues.
For example, link files, a Windows artifact that shows what files have been recently opened; they are simple text files and they are pretty easily parsed and they have got a lot of information about the location of the file, the date and the time, all that kind of good stuff. We look at a registry key, and I just love the name of this. It makes absolutely no sense to me at all but somebody at Microsoft maybe had a couple of beers when they were working, it’s called BagMRU for some unknown reason.
So it is a registry key that can show user activity and it can show what files are inside a folder. That’s one of the things that we typically look at in a data exfiltration case. Jump lists, which are from Vista – I just don’t love Vista enough to put it in there. Anyways, the jump lists are the thing on your taskbar if you’ve got, like, five Word documents open, and you click on it and you’ve got the five – those are jump lists, basically.
And IE history: Internet Explorer is so much more than just exploring the Internet. It actually records things that you do without your knowledge, like opening files. But we’re getting no love; I’m not finding anything. Show me the love, baby.
I have changed the names of the files in this case, but, you know, we got “Stolen_File”, “Recipe_for_Coke” for example – you know, minor trade secrets. The user is the user account name, so we were able to subpoena that from filesanywhere.com and figure out who actually registered the account. There is the folder that it was in (see right-hand image), and this is really handy here – the date that it was uploaded, and we got a whole bunch of these. In fact, this is the first page of an about 80-page Excel report that I prepared, and these are all the filenames that this guy uploaded.
The second part of the case: the opposing attorney, the guy representing the thief, handed us a CD with Outlook.PST on it, and this is part of the discovery process. Discovery is a legal term in litigation where both sides are able to exchange evidence; in fact, they’re compelled to exchange evidence through the rules of the court.
So he gives us a CD and it’s got an Outlook.PST on it (see left-hand image above). The first thing we do is we want to recover the deleted emails in the PST, because we are forensic analysts and that’s what we like doing, we like looking at people’s emails.
I am going to show you the old school way of recovering deleted emails (see image above). You use a hex editor, crack open the PST and change bytes 7 through 12 or 7 through 13; change them to 0s and save the file. Then you use the Outlook Repair Tool that comes built in from Microsoft, and you basically repair the PST, and what happens is you get a lot of emails back (see image above). Now, these are not the actual emails, but you get tons and tons of emails back.
So, not only did we have this guy with all the uploads on the spreadsheets, we also had all the emails about who was involved, what lists he took, who all the people involved were. We were winning; we went into Charlie Sheen mode all of a sudden. And the funny thing is we were able to take all this information to a deposition, and if you don’t know what a deposition is: we get to ask questions of the opposing party.
We were asking them: “What happened? Did you guys steal anything, did you take anything?” – “No!” We started pulling out these emails one by one by one, and the guy turns white as a sheet, and he spills the beans, and basically, you know, we do pretty well. So, who do you think deleted the mails in this case?
Eric: They hired Saul Goodman unfortunately, and yeah, he deleted the mails, not a good thing, not a good thing… So, what have we learned?
Let’s look at the fail matrix (see left-hand image). The user retard level is pretty damn high on this one. We got fails on the attorney’s part and also on the ex-sales guy’s. Huge lawsuit: 3.5 million dollars in fees and damages, all of which our client got back, basically; and 15 bonus points, because the attorney might lose his license on this one. He hasn’t yet; we don’t know, we don’t track that kind of stuff. 51, we’re moving up.
Read next: Forensic Fails 4: The RDP Bounce Story