While presenting at Defcon, forensic examiners Eric Robi and Michael Perklin tell some hilarious stories about data destruction fails they’ve come across.
Eric Robi: Our talk is about forensic fails. I’m this guy over here (see right-hand image). I founded Elluma Discovery Company about 11 years ago, I’m a forensic examiner. I have done thousands and thousands of exams; I am also an expert witness in state, federal court, etc. And I like cats. And my name is Eric Robi.
Michael Perklin: Hi, I am Michael Perklin (see left-hand image). You may remember me from other Defcon talks such as ACL Steganography. I am a forensic examiner, cybercrime investigator, security professional. I have also done thousands of exams, and I like to break things a lot.
Eric: Don’t break my cat! So, our agenda today (see right-hand image), we have got seven amazing stories full of fail. We are going to learn something about forensic techniques, because that’s what we do. The fails today are brought to you by both the suspect and the examiner, and we’ll get into that in a little bit.
The names have been changed to protect the idiots on both sides. We have actually changed some of the facts to protect the idiots, and it seemed like a good thing to do basically. But because fail was not just one-dimensional – we found many dimensions of fail in our research – we’ve decided we need to create a fail matrix (see left-hand image). I am just going to explain how the fail matrix works. The first level of fail is the ‘user retard level’; oh my god, I spelled that wrong…
Michael: For the record, he was responsible for the keynote presentation, so this is definitely his fail.
Eric: This is my fail, I get 10 points. So, the ‘punishment level’ depends on what happens, so this particular guy lost the case. ‘Dollars distress caused’, let’s give this one five points, and bonus points are just whatever the fuck I feel like doing. His girlfriend left him in this case, so he gets 35 points.
Let’s get into the first one. This is the “Wasn’t Me” defense (see right-hand image), you may have heard this one before. Alright, so we do a lot of commercial litigation, and a really typical kind of case is a trade secrets case, and this is a typical example of that. So, this guy Bob was working in sales at Acme and he resigned his position and he decided to go work for a competitor. This happens all the time. And some allegations were made by his employer that he took some trade secrets. He took the customer list with him to his new company. It happens.
We started imaging the drive and we started planning the examination (see left-hand image). One thing we frequently do is we look for deleted files in unallocated space, and unallocated space is the part of the drive that can typically contain deleted files. You know, when you hit Shift + Delete and it doesn’t go away, it ends up in unallocated space. So we look for stuff there.
Something we also do is we look for recently used files by common programs like Word, Excel, Acrobat and so forth, and we might look for USB device insertion. We are basically looking to see how trade secrets got from Acme over to the new company.
Finally the drive finished imaging, and I’m actually going to share something really cool today. It is a Defcon exclusive, worldwide premier – we found a new wiping pattern (see leftmost image below).
This is actually real, I’m not making this up. Bob had apparently used some kind of data destruction program that can overwrite every bit of unallocated space (see middle image above). He used a pattern that, however, was not commonly used by Windows or any other utility I have seen, it might have been something custom. So, yeah, I thought: “Hmm… This might suggest something bad was happening here.” Let’s take another closer look at this. We are going to zoom in and we are going to look at this on a molecular level now. I think we need to zoom in a little bit more (see rightmost image above).
So, what have we learned? (see left-hand image) Data destruction can almost always be detected. Even if you don’t use a repeating pattern, it is still detectable. We see it all the time, there are artefacts left behind that could be part of the pattern or there are artefacts in the operating system itself. So we might not know what you have destroyed, but we will definitely know you destroyed something.
We have got to do the fail matrix (see right-hand image to check out Bob’s grand total for fail matrix): alright, 12 – pretty retarded, I think. Now, this guy lost the case, he got sued under a hundred thousand dollars, so not a huge amount of economic distress, and I didn’t really give him any bonus points here because it just wasn’t that good, so he gets 27.