digital forensics and the most famous egg how did humpty dumpty fall?
TRANSCRIPT
Digital Forensics and the Most Famous Egg
How did Humpty Dumpty fall?
Humpty Dumpty sat on a wall,Humpty Dumpty had a great fall.
All the king's horses and all the king's menCouldn't put Humpty together again
Reasons for Humpty’s Fall
• He was pushed• He jumped• He was inebriated• The wall was structurally unsound• He faked his own demise
Agenda
• Chain of Custody• Data Sources & Imaging• Data Types• Types of Cases• What to Look For in Forensic Provider
Chain of Custody
Data Sources
• Memory• Hard Drives– Rotational v. SSD– RAID– Encryption
• Mobile• Removable Media• Cloud
Memory
• What was going through Humpty’s mind?
Hard Drives
Mobile
Removable Media
Cloud
What Do We Know?
• Largest egg producer• We don’t have RAM• We have his computer• No encryption or RAID• Always carried his smartphone• Used a tablet at home and on the road• Never seen using removable media• Might have had cloud accounts
Data Types
• Actual Files• Deleted Files• Email• Operating System Files
Actual Files
• DOCX, XLSX, PPTX, PDF, JPG– Content – Metadata• File System• File
• LNK– Metadata
• CLUE: Keyword search for “poached” turns up 2 hits.
Deleted Files
• Can be found anywhere• Due to both user and system activity• Mass deletions in short timeframe = RED FLAG• Greater chance of recovery IF– Less time from file deletion– Less activity on the disk
• CLUE: Found deleted JPG.
Recovered Photo
Email Files
• Outlook• Lotus Notes• Windows Mail• Mozilla Thunderbird• Webmail
• CLUE: No email files, but webmail URL’s found in Internet History.
Windows Operating System Files
• Registry• Event Logs• Browser• LNK• Prefetch• MFT and USN Journal
Registry Analysis
• C:\Windows\System32\Config• C:\Users\<user_name>\NTUSER.dat• MRU & Jump Lists• Shellbags• USB History• CLUE: New USB drive plugged in
7 days prior to Humpty’s death. Last plugged into the PC the morning of Humpty’s death. 2nd USB drive plugged in same day.
Browser Artifacts
• Depends upon the browser• IE, Firefox and Chrome• All very different & rapidly changing• Index.dat, SQLite, JSON
• CLUE: Carve for webmail content, but no meaningful fragments, BUT we find a new email address and domain that looks interesting.
Mobile Artifacts
• Device Encryption & Passcodes• Volatile Data• ~2M app’s between Android & iPhone• Most rely on plist or SQLite structure• Common ones are handled by mobile
forensics suites
• CLUE: Words With Friends has a chat feature.
Removable Media
• Write-block it• Physical image best, unless encrypted• PC USB• PC USB
• CLUE: Term sheet between Humpty Dumpty Eggs and Chicken Little Enterprises found.
What Do We Know?
• Pam’s recipe for Eggs Benedict from the Internet saved to the desktop.
• Deleted JPG originating from Humpty’s phone puts him at Chicken Little’s house when the thumb drive is inserted.
• Internet history reveals new email address. Subpoena shows communication with the baker about expansion plan.
• Words With Friends shows chat log with “Ace”• 1st USB drive contains term sheet between Humpty Dumpty
Eggs and Chicken Little Enterprises• 2nd USB drive is unknown
HD & CL Hatch a Plan to Corner the Egg Market
• Humpty Dumpty and Chicken Little conspire to establish an egg cartel and expand.
• Part of the egg-spansion is into other food goods, like hollandaise.
• Humpty pretexts the baker with a phony email address to get his recipe. (Turns out it’s really PAM’s)
• Baker finds out about Humpty’s plans.• Baker pushes Humpty and copies the recipe.– Butcher & Candlestick maker both have alibies.
Push Button Forensics
