This part covers the presentation’s final forensic case, in which the charges against a person were eventually dropped thanks to the examiners’ scrupulous analysis.
Eric: Alright, the last story is a little bit different from the others. This is the “Epic Porno Fail”. The difference in this one is that all the other cases we’ve talked about have been either commercial litigation, civil litigation, something on that side. This one happens to be a criminal case, and from time to time we do criminal defense work, where we work either with public defenders or with private attorneys, and this is about that kind of situation.
So, our client Edgar has been charged with possession of contraband aka child porn on his computer, pretty unsavory stuff. He claims innocence, as usual, and I kind of roll my eyes because everybody always claims innocence, and 98 percent of these people did it.
We examined the computer, looked at the examiner’s report. We looked at the allegations, and let’s take a look at them (see left-hand image). They claim Edgar downloaded porn. They claimed that Edgar’s user account had passwords; this is all documented in the report. And they claimed that Edgar utilized newsgroups to download porn.
Michael: Who uses newsgroups to download porn? Anybody?
Eric: Ok, so they alleged that he downloaded illegal porn, and there is one thing to note, keep this in mind as we go through the talk: he left his house in April 2012 because his wife kicked him out because of all this stuff happening basically; so, April 2012, keep that in mind.
Let’s see what we came up with while examining the computer. First we looked at IE history (see left-hand image). As I mentioned before, IE history is able to show you when a file has been opened, so this is an actual example. I’ve changed the filename a little bit here. And what was the date that I just mentioned? April 2012. Ok, I see some dates here. Are these before or after April 2012? Put up your hand if it’s after. Alright, one fail here.
Let’s look at his peer-to-peer software download folder (see right-hand image). So, in the top there I’ve got the path where these naughty files were downloaded. And it’s a pretty typical path; these P2P programs change the filename to something long, so it’s like t-something-naughty file. I’m looking at the dates here again and… Michael, do you have a calendar? When is December?
Michael: It’s after April.
Michael: Definitely after April.
Eric: Just wanted to check, we need to verify our forensic findings before we can publish them. So, you know, we’re verifying.
Michael: Makes me wonder, did they even analyze this guy’s machine? Where are they coming up with this stuff? We saw records of P2P, not Outlook Express.
Eric: In reality, yes, Outlook Express was on the machine, set up with an account called “PornoLuvr”. Ok, it was set up after Edgar moved out of the house, and only headers were downloaded, no content.
Michael: What do you mean by headers?
Eric: If you are using Outlook Express, a header is just the first part of the file. The email is going to have the date, the sender, the receiver, maybe the subject line, maybe the first couple of words. But there was no content, there were no photos in there, just headers with, you know, admittedly porno names.
Let’s take a look at accusation number three (see left-hand image). They say his user account had a password, and the inference is that only Edgar was able to access it because there was a password. Let’s look at the password, shall we? Maybe we can zoom in a little bit on this.
This is actually a really cool utility, it’s free, it’s called LCP (see right-hand image). I will just go back to it for one second here. It’s a free utility. It’s really great for looking and seeing if there are passwords. You can also use it to perform an attack although it’s not very good.
Alright, more facts (undiscovered by the examiner). The P2P client was used to download porn – the examiner didn’t find that – into a new user account called “PornoLuvr”, and guess when – after he moved out of the house.
So we submitted our report to the prosecutor, a 5-10 page report, something like that, and the government drops the charges years after they charged this guy (see right-hand image). This does not ever happen, really. This is the first time. I have done hundreds of cases, thousands of exams, I don’t know how many. It had never happened before. And this is after the guy spent a huge amount of money on legal costs.
So, for doing all this I just want to say thank you to Rob Lee and SANS. We use Super Timeline Analysis to do a lot of this work. Super Timeline is a really amazing piece of software that will, basically, go through the computer, look at all the computer-generated artifacts, and put everything into a nice chronological sequence for you. So, a really awesome piece of software.
Michael: Definitely one of the best pieces of software I have used.
Eric: So, the government interviews Edgar’s friend; the friend confesses, the friend did it. The friend was trying to get jiggy with Edgar’s wife and he put the porn on the computer. The court clears Edgar’s name (see left-hand image). They give him a finding of actual innocence; never happens.
Michael: I’ve had many people claim innocence, and this guy actually claimed innocence, and he really was.
Eric: Yeah, rarely happens. I have been to court a couple of times where there have been acquittals. And we didn’t go to court on this one, fortunately, but we would have.
So, what have we learned? Base your conclusions upon actual evidence. Find multiple artifacts backing up your allegations – I don’t know where the password thing came from. Tie it to a person, not just a machine if possible. Try to look at user activity that would tie specific events to a person.
Remember, the maximum you can get is 20 in any category. However, I have decided to break the rules a little bit for this one. So, examiner ineptness – he gets 5 bonus points built in right there. Oh yeah, the guy sued the city for millions of dollars; and, you know, there might be a job security issue for somebody in this case…
Michael: I don’t think that examiner is going to really have a job much longer.
Eric: And 100 bonus points because the court finds the suspect innocent, factually innocent. Thank you very much!
Michael: Thank you everybody!