Forensic Fails 3: Smoking Gun.txt and Hiding in the Cloud

Michael Perklin and Eric Robi recall two more non-trivial cases about fails due to no or little effort hiding insider activities, including IE history.

The 'Smoking Gun.txt' fail Michael: I call the next one “Smoking Gun.txt” (see right-hand image). If you work in the forensic arena, you’ve probably heard the term ‘the smoking gun.txt’. It is the gag name of what you are always looking for in a case. It could be that record in the database; it could be that Internet history record that shows that the guy really did something bad. It comes from the cheesy western movies where, you know, the murderer’s gun is still smoking after he shot it. It proves that he was the one who fired the shot.

So in forensics you always say: “Did you find the smoking gun?” – “Yeah, found the smoking gun.txt.” Sometimes I wish it were as easy as finding a file named ‘smoking gun.txt’, but you can only wish.

This is another intellectual property case. Again, you got a guy leaving one company to go work for another company. And the first company says: “Can you make sure he didn’t do stupid shit?” And we were called in to make sure that he didn’t do stupid shit.

Things done on the case So we imaged the drive, kicked off our standard analysis scripts like the file signature analysis script I told you guys about before, and opened up his desktop folder. I like to open the desktop folder of every suspect that I am examining because you can tell a lot about the person when you are looking at the desktop. Do they cram a lot of files in there in an unorganized fashion, or maybe everything is neatly packed away in the My Documents folder? Things like that… Are they arranged nicely, or is it just all smattered? It tells you a little bit about the person so you can get a little bit into the mind of who they are, and immediately I solved the case.

Big ol' smoking gun, indeed Eric: How did you do that?

Michael: Well, this is the ‘smoking gun.txt’. It was almost as easy as this (see right-hand image).

Eric: With a barbecue?

Oh, really? Michael: So I opened up the desktop folder and I saw this (see left-hand image). I will read it out for you: you’ve got a folder on the desktop, and you can see at the bottom left there that the folder is called “Competitive Intelligence”. And inside that folder we’ve got a PowerPoint presentation titled “Project Bluebook”. We’ve got some PDFs, we’ve got a whole bunch of stuff about this “Project Bluebook” that this guy was working on from his old company. He was getting ready to deliver this presentation to the executive leadership team of the new company, telling them everything about this confidential project from his old company.

He didn’t even make it difficult for me. It was not only that all this stuff was there, but he made a PowerPoint presentation describing it to deliver all the knowledge for this.

Main lesson learned Eric: Michael, what have we learned in this case?

Michael: Well, we learned that sometimes people don’t even try. Fail matrix: alright, the user retard level has got to be 18. Sorry, we are saving the higher scores for some of the later stories.

Eric: The numbers are going up as you may have noticed.

Fail matrix scores for the case Michael: Yeah, so far the numbers have been going up. He got 18 for user retard level because if you are going to be doing this, don’t leave tracks all over your computer. I mean, sure, if you are going to say they are going to be launching this new thing in August next year – that’s one thing to say it to a person but if you put together a whole presentation about the thing – that’s fail. Punishment level is 10 because he had to settle, he’s obviously in breach of his NDA from the old company. And it cost him 1.5 million dollars in damages. So the distress caused is a six-pointer, and bonus points of 12 for zero effort. This all adds up to the fail matrix score of 46.

Intro to Fail #5 Eric: Alright, the next one I call “Hiding In The Cloud” (see right-hand image). So, once again, a top sales guy leaves the company, and the sales just take a nose dive actually, and they think he took the customer list but they can’t prove it. They know that there are old customers over at the new company but they can’t prove that he has taken the customer list. So we image his computer and we start looking for the usual kind of clues.

OS components that might be of help For example, link files, a Windows artifact that shows what files have been recently opened; they are simple text files and they are pretty easily parsed and they have got a lot of information about the location of the file, the date and the time, all that kind of good stuff. We look at a registry key, and I just love the name of this. It makes absolutely no sense to me at all but somebody at Microsoft maybe had a couple of beers when they were working, it’s called BagMRU for some unknown reason.

So it is a registry key that can show user activity and it can show what files are inside a folder. That’s one of the things that we typically look at in a data exfiltration case. Jump lists, which are from Vista – I just don’t love Vista enough to put it in there. Anyways, the jump lists are the thing on your taskbar if you’ve got, like, five Word documents open, and you click on it and you’ve got the five – those are jump lists, basically.

And IE history – Internet Explorer is so much more than just exploring the Internet. It actually records things that you do without your knowledge, like opening files. But we’re getting no love, I’m not finding anything. Show me the love baby.

Bingo! Alright, so we searched the IE history, and we found an .htm file that had some JavaScript in it pointing to filesanywhere.com. Who is familiar with that site? It is very much like Dropbox, the same kind of concept but it is more for business users. It’s got a lot of really great auditing and logging and stuff like that. So if you’re uploading and downloading files you can, basically, monitor and track them and so forth. That turned out to be a very nice thing because typically that’s only in the User Control Panel, but we found this little .htm file, and bingo – we solved the case!

Some interesting JavaScript code found So, what we got was the account ID, the upload times, the filenames, everything. We got some sweet loving, we got ourselves some stolen files. Let’s look at this little actual bit of JavaScript here (see left-hand image).

I have changed the names of the files in this case, but, you know, we got “Stolen_File”, “Recipe_for_Coke” for example – you know, minor trade secrets. The user is the user account name, so we were able to subpoena that from filesanywhere.com and figure out who actually registered the account. Files uploaded to the cloudThere is the folder that it was in (see right-hand image), and this is really handy here – the date that it was uploaded, and we got a whole bunch of these. In fact, this is the first page of an about 80-page Excel report that I prepared, and these are all the filenames that this guy uploaded.

All emails deleted The second part of the case: the opposing attorney, the guy representing the thief, handed us a CD with Outlook.PST on it, and this is part of the discovery process. Discovery is a legal term in litigation where both sides are able to exchange evidence; in fact, they’re compelled to exchange evidence through the rules of the court.

Deleted emails recovery So he gives us a CD and it’s got an Outlook.PST on it (see left-hand image above). The first thing we do is we want to recover the deleted emails in the PST, because we are forensic analysts and that’s what we like doing, we like looking at people’s emails.

Voila! I am going to show you the old school way of recovering deleted emails (see image above). You can use a hex editor, you crack open the PST and you change bytes 7 through 12 or 7 through 13; change them to 0s, save the file. Then you use the Outlook Repair Tool which is built-in with Microsoft, and you basically repair the PST, and what happens is you get a lot of emails back (see image above). Now, these are not the actual emails but you get tons and tons of emails back.

A new turn in the case And in fact, in this case we got tens of thousands of deleted emails, and what was in these mails? Everything that completely turned this case around.

So, not only did we have this guy with all the uploads on the spreadsheets, we also had all the emails about who was involved, what lists he took, who were all the people that were involved. We were winning, we went to Charlie Sheen mode all of a sudden. And the funny thing is we were able to take all this information at a deposition, and if you don’t know what a deposition is – we get to ask questions of the opposing party.

We were asking them: “What happened? Did you guys steal anything, did you take anything?” – “No!” We started pulling out these emails one by one by one, and the guy turns white as a sheet, and he spills the beans, and basically, you know, we do pretty well. So, who do you think deleted the mails in this case?

Who deleted those mails..? Michael: Call it out if you think you know who.

Eric: They hired Saul Goodman unfortunately, and yeah, he deleted the mails, not a good thing, not a good thing… So, what have we learned?

The key takeaways IE history is actually really difficult to wipe – that’s what we’ve learned. It seems to leave stuff behind. We found a new artifact which is actually pretty cool, filesanywhere.com, this JavaScript artifact; I haven’t heard this being discussed anywhere before, so I think it’s kind of cool. JavaScript files can give us love too, we like them. And uploading files still leaves traces. And attorneys shouldn’t mess with evidence; it’s against the ethical rules in every state and in probably every Canadian province, and it can get you disbarred actually.

Scores getting higher Let’s look at the fail matrix (see left-hand image). The user retard level is pretty damn high on this one. We got fails on the attorney’s part and also on the ex-sales guy. Huge lawsuit, 3.5 million dollars in fees and damages, which our client all got back basically; and 15 bonus points, the attorney might lose his license on this one. He hasn’t yet, we don’t know, we don’t track that kind of stuff. 51, we’re moving up.

Read previous: Forensic Fails 2: “The Nickelback Guy” and “Just Bill Me Later” Cases

Read next: Forensic Fails 4: The RDP Bounce Story

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: