Here are some great articles on computer forensics if you are interested in learning that field, or are just interested in the kinds of things that we do. From finding hidden data to cracking BIOS passwords, some interesting reading is available. All of these articles that I have read contain some really good info and will definitely help you create a baseline for how and what you do in your computer forensics investigations.
Computer forensics: Finding hidden data - If you don’t know anything about how computers store data, this might be an eye-opener for you, and a clue as to how some file recovery programs are actually able to recover data: mostly because it is never really deleted, just eventually overwritten. From slack space to swap space and hibernation files, there are MANY places to find incriminating evidence on a suspect’s computer.
Computer forensics: Cracking a protected BIOS and creating disks for analysis - How to get into a system with a BIOS password, and the steps you need to take to ensure you get a forensic copy of a suspect’s hard drive, as well as tools to make sure you don’t do anything to it, i.e. write data to it, that would compromise the image.
Protect endpoint devices from swap and hibernation file data leaks - Suggests turning off hibernation and swap files to prevent people from finding sensitive data easily.
Computer forensics: Preparing for electronic evidence acquisition - When to do a live or dead forensic analysis. When you do a dead analysis, always unplug the power from the computer; this article says to unplug from the wall, while one of the classes I took said to unplug from the back of the computer, but I don’t remember why off the top of my head.
Other articles, such as collecting physical evidence, access control and securing permission are covered, and there are many downloads available, mostly free chapters from books you have to buy, etc. Check out the forensics tag from Techrepublic here.
I am starting to play with FTK now and will be going to a training for it in a couple months, hopefully I will learn some new stuff, which I doubt, but learning the proper use of the software will be great all by itself.
This is one cool little USB drive, and I am currently looking for a Windows version; drop a comment if you know of one. The MacLockPick is a USB device that will allow you to perform live computer forensics on a suspect’s Mac OS X system. Once the software is run, the drive will extract data from the Apple Keychain and system settings to give the examiner fast access to the suspect’s critical information with as little interaction or trace as possible.
MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers. Source: MacLockPick, live forensics for OS X via MacUser
Here is some of the data you will have after the software runs:
Files that have been viewed in the preview program.
Recent QuickTime file names.
Recent Applications, Documents, and Servers.
IM default login and buddy list.
Email account details, address book and opened attachments.
Complete web history, including search strings in the Google toolbar, cached bookmarks, current bookmarks, cookies, and browsing history, including the number of times visited and the date and time of the most recent visit!
Serial numbers of attached iPods.
Unfortunately, this device is for law enforcement only; you must provide proof that you are a licensed law enforcement professional and that the use of this technology is legal at the federal, state and local levels.
More of the daily tech text links.
Microsoft confirms Vista OEM hack More on the hacks that allow users to bypass the product activation in Windows Vista.
Viridian and Virtual Server Timing Updates Windows Server virtualization will ship in the second half of 2007 not in the first half, like originally announced.
Three Of Four Say They Will Stop Shopping At Stores That Suffer Data Breaches Could be the beginning of user revolts against stuff, hopefully, it will transfer over to merchants who advertise in spyware.
Collections Redux for Scoble A PM for Live Maps responds to Scoble’s post from yesterday about how he liked Google Maps better than Live Maps.
Massive spam shot of ‘Storm Trojan’ reaches record proportions They are calling it the biggest spam blast of the year. “We’re seeing 50 to 60 times the normal volume of spam.”
Top 10 Free Computer System Recovery Tools A look at some of the free tools that can help you recover your systems from failure. I’m downloading most of these right now. Many will be used as part of our computer forensics toolset.
The Zune Review, Part 1: The Out of Box Experience A thorough review of the unboxing of his Zune; the hands-on review is to come.
101 Hidden Tips & Secrets For Photoshop Just what it says.
If you purchased a system with Windows Vista Home Basic or Premium installed, you may be surprised if you try to restore a file using the Previous Versions feature. Apparently, you will need to upgrade to Vista Business, Enterprise, or Ultimate before you will be able to use the Shadow Copies that are created by the Previous Versions feature. Isn’t that lovely.
The answer is Yes, No, and Maybe. All versions of Vista (Home, Home Premium, Business, Enterprise, and Ultimate) have a new feature called Volume Shadow Copy. Now instead of tracking changes to your system files, Vista is now tracking EVERY change to every file. Big and small, important and irrelevant, every bit and byte is now being tracked by Vista. This is starting to feel more like Big Brother than David Copperfield. The primary reason given by Microsoft is that it enables us to look at previous versions of our files. If I had an Excel spreadsheet that I had modified to the point that it was unintelligible, sometimes it is best to start over. Previous Versions makes this possible. (Dave has some more thoughts on the implications of Vista’s Previous Versions.) Source: The Illusions of Vista
Now, I know everyone is thinking: if Vista keeps a backup copy of my files, what happens when I have to delete a file I need to get rid of? Well, it looks like you might be stuck, as Vista will keep the hidden copies of your files unless you disable Volume Shadow Copy, and that will, in turn, disable your ability to use the System Restore feature. But, in doing so, you will actually be able to delete the hidden copies of your files. So: turn off System Restore, delete the file, empty the Recycle Bin, do a little Disk Cleanup and turn System Restore back on. The main disadvantage of this is that Windows will delete all of your old System Restore files, so you will only be able to restore files going forward from when you turned it back on. They also note that the System Restore files are huge compared to Windows XP, with some being 400 times bigger, and one they had on their system was 8 gigs! That will eat up hard drive space pretty quickly; hopefully Microsoft will set the default space setting for System Restore pretty low. On their system, it ate up about 15% of the drive.
This could be a good feature for some people who do computer forensics, if people don’t realize that Windows Vista is keeping the copies, then there may be some pedophiles who get caught because they were “using” this feature. I like that. I probably won’t buy a Home version of Vista anyway, but there are lots of people who will because they can get it cheaper. This makes two bad stories for Vista and Microsoft today, wonder what is coming next?
In another post on the PC Pitstop site, they end with a nice little paragraph about a new version of Vista Microsoft should be selling.
There is perhaps one other option, suggested by my business partner Charlie “Knuckles” McGee: Windows Vista Document Ransom Edition. That would add just the Previous Versions feature, for a “minimal” fee. After all, you have such nice-looking documents…it would be a shame for anything to happen to them. Source: The Vista Backups That You Can’t Have
I forgot to post this the other day, but the Julie Amero case has been delayed again, this time without a reason given, but hopefully it is to help her case. It has been delayed until April 26, 2007 in the Norwich Superior Court. The Norwich Bulletin, the local “newspaper”, is still spinning it like she was some drooling pervert and we are her fervent supporters.
Amero has been portrayed by her growing number of fervent supporters as the helpless victim of pop-up pornography ads.
Amero never denied the porn appeared on the computer. She said she had done everything she could to prevent the children from seeing the computer screen that day. The examination of her computer showed she had accessed the Internet for nearly the entire school day, with porn sites accessed for several hours during that time. Source: Amero sentencing put off until April
Sorry Greg, but it is awfully easy for people who know computers to pick out some bullshit information and call someone on it, like when Lounsbury, the gentleman who did the wonderful forensics job on the computer, said “You have to physically click on it to get to those sites”. Hello, red flag: the history just records every website visited, it doesn’t matter how it was initiated. Anyway, good luck Julie, hopefully Alex Eckelberry and some of the other computer experts can help you get away from the Keystone cops.
In a related story, apparently, students at the Hebron elementary school were sent home a link that was supposed to go to a farm they were going to visit on a field trip, but, as things sometimes go on the Internet, it didn’t turn out that way. Instead, up popped a porn site that had bought the domain name after it was accidentally allowed to expire.
Vasquez said that instead of seeing images of the farm, her daughter found graphic sexual images on the site.
Vasquez said she informed the school, which then sent out letters to the students’ parents, trying to explain what had happened.
Superintendent Ellie Cruz said that the school checked the site a few weeks ago and it was fine, but the farm did not renew its Web site address, and a pornographic company bought it. Source: Students Sent Home With X-Rated Web Link
Wonder who is going to jail for this flub up?
More time to work on her case that is. The sentencing, which was originally scheduled for last Friday, has been postponed until March 29th, 2007. Her defense attorney requested the postponement so he could have more time to help familiarize another attorney and a consultant with the case.
In his letter to the court, Cocheo said attorney William Dow has become involved in the case, along with sentencing consultant Clinton Roberts. Cocheo could not be reached for comment Monday. Source: Amero sentencing postponed
If you haven’t been following the case, Julie Amero was accused of visiting porn websites in front of her class as a substitute teacher at Kelly Middle School and is facing 40 YEARS in prison for it, yes, 40 years. But the case has taken a turn and is now focused on the fact that she didn’t turn the computer off, even though she was told not to, or did not do more to prevent them from seeing it. So, she is actually facing 40 years in prison because the school system did not have filters in place to block porn websites, was using outdated, less secure equipment and provided no training in what to do in such circumstances, and because she was not allowed to properly defend herself.
Assistant State’s Attorney David Smith, who prosecuted the case, has said Amero did not do enough – such as shutting off the computer – to protect the children from exposure to the pornography.
If that is what she is guilty of, then she certainly does not need to be facing 40 years in prison. The case started out accusing her of visiting the porn sites, they said, “It is the state’s contention that she purposefully went to these websites”, how can this change? With all of the great computer people, like Alex Eckelberry, who are helping with the case now, hopefully they can spin this back around and point it right back at the school system and the local legal system, who should be held responsible for this.
The PaperGhost has quite a few posts on the Julie Amero case, and has been very vocal on the Norwich Bulletin website, where they have repeatedly slanted their stories against her and, after being pressured, have deleted blog posts and comments on their site. Check out his website for more, like this post: Julie Amero Court Transcripts Online: AKA, Ragearama 2007.
If you add one blog to your feed reader, or subscribe to an alert from Google Blog Alerts, it should be the Sunbelt Blog. It always has tons of good info about what kind of security things they are currently going through, the spam, spyware and viruses they are fighting, but it also includes all kinds of good tips and tricks they find on other sites, plus there is always good commentary by Alex Eckelberry about all things tech. I first read about the Julie Amero case on that blog, and hopefully they have been instrumental in helping her out; I haven’t heard anything yet.
But a post I just read concerning IT managers and the first quarter of 2007 is so true. There are so many things that can cause them problems of all sorts: a new operating system, a new version of Office and IE7.
IE 7 rollouts. Legacy software breaking and certificate problems. Here are a couple of posts I just picked off our NTSysadmin forum:
Right now, when a user uses IE6 and goes to a https website that does its own certificate (like ours) it comes up and gives them the option to view the certificate then install. Then no more issues.
But with IE7, NOOOOOOOOO, it blocks the content and maybe, perhaps it’ll let the user through if they beg, but maybe it won’t.
Other than removing IE7 off all the machines (which is the current solution), is there any way for IE7 to trust us? I even did that http://domain/certsrv and installed the certificate manually (which works with IE6) but it won’t freaking work with IE7. Source: When life sucks to be an IT manager
Definitely worth a daily check if you have no feed reader. They also touch on something else that could be big, the change in daylight savings time; I guess I will be preparing for it this coming week. Ugh.
Nice write-up in USA Today about the Julie Amero case, if that’s what you want to call it; it is more like one of those old-fashioned railroad jobs, where they decided she was guilty and that’s what happened.
Imagine you know next to nothing about computers. You’re a substitute teacher for a seventh grade class. There’s a computer in the classroom and, knowing you’re going to be sitting there for a while, you ask a fulltime teacher if you can use it. He logs you in with his password and tells you not to shut it off because you couldn’t get back on.
Not that you have a clue about this stuff, but that computer is running Windows 98 and the outdated Internet Explorer 6.02. Its filtering and anti-virus software have expired, and it has no anti-spyware software.
You step out of the classroom for a moment. When you get back the kids are clustered around the computer, checking out hairstyle websites. But one is actually a link to porn sites, and it loads a Trojan onto the unprotected computer.
Suddenly, pop-ups start appearing, X-rated popups. Source: Police, school get failing grade in sad case of Julie Amero
The writer did misspell her name in the title; he must be like me, I never remember to spell check the title either. He really sums it up when he says, “Thus according to that jury, “not having the sense to turn off a computer” is a multi-count felony punishable by 40 years in prison. Wow.” I wish Alex Eckelberry and everyone working on the computer forensics of this case good luck and hope they can find all of the proper evidence to help show she’s innocent. If there is anything I can do to help, please let me know.
Her husband has started a blog where you can donate to help pay for her case, Julie Amero. From the blog,
George Orwell was a little off, but not by much. Technology has engulfed the average American at an alarming rate. To think that it is possible for the average layperson to understand all the ins and outs of how a computer works is just not reasonable. What’s worse, our employers don’t know any more than we do, and they rely on us to identify problems when they happen. If you are lucky, your employer will know what to do when a crisis happens with your system. If not, you’ll end up like Julie: arrested, ridiculed, demeaned and left with a useless teacher’s degree in special education.
The illicit pornography industry is a business with estimated profits in excess of $2 billion annually. That’s a lot of reasons to attract rogue scriptwriters to circumvent any patch that Microsoft can come up with. Make no mistake, these programmers do not care about you or anyone else for that matter. Regardless of where these rogue programmers are located, they operate under the radar of social conscience and in my opinion are or should be considered terrorists or criminals at the very least.
Julie is scheduled to be sentenced on Friday March 2nd, next week.
I posted recently about a teacher who has been convicted of visiting porn sites in front of her class at Kelly Middle School in Norwich, and exposing those students to pornography and whatever else was on the screen at the time. She was charged with 10 counts of risk of injury to a minor, or impairing the morals of a child, and while 6 counts were dropped, she was convicted on the other four. This teacher, Julie Amero, faces 40 years in prison and will be sentenced on March 2, 2007 in Norwich Superior Court.
To say that this is a miscarriage of justice is an understatement. It appears to me that this is all about the conviction now, and the fact that these people don’t want to lose. In a post yesterday on the Norwich Bulletin, the prosecutor for the case, David J. Smith, said all she had to do was turn it off, but that she let it go on for “hours”.
“I think the state proved she was the person using the computer at the time the pornographic Web sites were accessed,” Smith said. “By her own testimony, she allowed those hardcore pornographic images to be accessible in a class of 11-, 12- and 13-year-old children. All she would have to do was turn off the monitor or cover the monitor. But she allowed the situation to go on for hours.” Source: Teacher porn case draws world’s ear
This is the first time I saw anyone mention it going on for hours, so I don’t really know what that is referring to, but she was a substitute teacher; the normal teacher logged her in and told her not to turn it off because she wouldn’t be able to get back on. So, I guess that is why she just didn’t turn the computer off, that, and being overwhelmed with porn and not knowing what to do in such situations. Without proper training, what would you do?
The main thrust of this post is how computer forensics, done without a full knowledge of how a computer works and why and where data is stored, can be a very dangerous thing. This is the definition of computer forensics at Wikipedia:
The simple definition of Computer Forensics, “… is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.” (Kroll-OnTrack). This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. Mostly, computer forensics experts investigate data storage devices, either fixed like hard disks or removable like compact disks and solid state devices. Computer forensics experts:
- Identify sources of documentary or other digital evidence.
- Preserve the evidence.
- Analyze the evidence.
- Present the findings.
Source: Computer forensics
The police detective Mark Lounsbury says he knows she visited those sites and that by looking at the source code he could tell that it was not popup based. From today’s article on the Norwich Bulletin:
Norwich Detective Mark Lounsbury maintained his investigation showed Amero knowingly accessed sites, which included meetlovers.com and femalesexual.com, along with others with names too graphic to print.
In examining the computer’s hard drive, Lounsbury said he found numerous instances in which graphic images would have appeared on the computer screen. He said he can differentiate between what is and what is not a pop-up based on the source codes.
Here is where it gets dangerous: because this cop says he knows it to be true, he is influencing the jury, the judge, and the public, because he is an “expert” in this case. This expert was using software called ComputerCop, available here, software that was created years ago (this case actually happened in October of 2004 and is just now coming to trial), a program that was designed to restore deleted files; it did not check where or how they got there. So, he looked at the URLs recorded in the registry, looked at the images and determined she had to have gone there, and that it could not have been from a popup. The article also said this is the very first time this software has ever been used as an acceptable tool for convicting someone in a court case.
“To my knowledge, this is the first conviction using ComputerCop software as an acceptable tool for police officers to conduct a computer forensic examination that is acceptable to the court,” Jacobs said.
That is mostly because it’s not really designed for that. Her defense lawyer had his own guy, Herbert Horner, who has worked in computers since 1966, called in as their expert witness; he forensically copied the suspect’s hard drive and did his own examination. He said their antivirus programs sent security alerts because they detected the spyware, and that the spyware was tracking the computer before the day of the incident. Some of his findings:
Most significantly, we noted freeze.com, screensaver.com, eharmony.com and zedo.com were being accessed regularly.
On October 19, 2004, around 8:00 A.M., Mr. Napp, the class’ regular teacher logged on to the PC because Julie Amero being a substitute teacher did not have her own id and password. It makes sense that Mr. Napp told Julie not to logoff or shut the computer off, for if she did she and the students would not have access to the computer.
http://www.hair-styles.org was accessed at 8:14:24 A.M. A click on the curlyhairstyles.htm icon on the http://www.new-hair-styles.com site led to the execution of the curlyhairstyle script along with others that contained pornographic links and pop-ups. Once the aforementioned started, it would be very difficult even for an experienced user to extricate themselves from this situation of porn pop-ups and loops.
All of the jpg’s that we looked at in the internet cache folders were of the 5, 6 and 15 kb size, very small images indeed. Normally, when a person goes to a pornographic website they are interested in the larger pictures of greater resolution and those jpgs would be at least 35 kb and larger. We found no evidence of where this kind of surfing was exercised on October 19, 2004.
We asked the prosecution to arrange for the defense to have unfettered access to the internet so that we could reenact the events of October 19, 2004. It was not granted. I went to court with two laptops and a box full of reference material prepared to very clearly illustrate what happened to Julie Amero. But, the prosecution objected because they were not given “full disclosure” of my examination. I was allowed to illustrate two screens, that of the www.hair-styles.org and www.new-hair-styles.com sites.
If there is an appeal and the defense is allowed to show the entire results of the forensic examination in front of experienced computer people, including a computer literate judge and prosecutor, Julie Amero will walk out the court room as a free person. Source: The Strange Case of Ms. Julie Amero: Commentary by Mr. Herb Horner
But they didn’t let him testify because her lawyer forgot to tell the prosecution about him, and since the prosecution’s examination did not check for spyware or anything else that could’ve caused these websites to pop up, there is no sure way to tell whether she visited them or whether a website or software caused them. Also, the school system had not paid the bill for their content filter, which caused it not to update, so something that should’ve blocked it to start with was not even running, which, if you ask me, puts the blame squarely on the school system. I’ll quote one more person from the Norwich Bulletin article to wrap this up:
Since the computer search by investigators did not include spyware, malware or adware — typically advertising integrated into software — there is no way to decisively prove she was the cause of the sexually explicit sites showing up on screen, he said.
Nancy Willard has worked in the field of educational technology for 17 years and spent the last decade focusing on effective management of Internet use in schools and youth risk online. She said the school should have a policy in place to report technical concerns.
“Since none of the technology protections can be trusted to be entirely safe, every staff member and student should be taught that the action to take, if inappropriate material appears, is to turn off the screen and report the problem to the technical department so that the department can investigate and resolve the problem,” Willard said.
Technical fixes are never going to provide total protection, Willard said.
So true. I work for our state school system and I have been to forensic training classes, so I know a little bit about what we are talking about. Hopefully Julie’s defense will be able to get Mr. Horner or someone else in so they can show how these things can happen innocently and how the prosecution did not really prove she visited these websites on purpose. Anyone involved in the case can feel free to contact me if they need some direction.
As anyone who has ever read this blog knows, I always try to tie these spyware and adware posts back to my friends from Zango, those guys who never do anything wrong; it’s always an affiliate or another website. While Zango is not mentioned, I bet money one of their programs was installed, hehe. But I just read this article from Computerworld by Preston Gralla, Porn-surfing teacher: Spyware made me do it!, and he obviously should not be posting about spyware, as it appears he does not have a clue and his blog post is a complete joke.
A recent court case found a Connecticut substitute teacher guilty of surfing for pornographic sites in front of her seventh grade class, and now she faces 40 years in prison. Wow, forty years. I was watching something on TV the other night where two guys killed someone and the max they could and did get was 15 years. But this teacher could get forty years? That is just plain wrong. Anyone who is involved in any way with school systems knows most teachers aren’t prepared for something like this; the teacher was probably as overwhelmed and shocked as the students were when it happened and was just trying to get them closed down. And if it has happened to you, you know that when you click the X to close a popup, one or many more can pop up on you, making it look like you may have actually clicked on the popup itself.
Not only that, the prosecutor wanted to know, but if in fact spyware was on the PC, why didn’t the teacher merely turn off the computer or pull the plug on it?
Julie Amero had no answer.
Lawyers have come up with some novel defenses over the years, including the “Twinkie defense” in which a lawyer argued that defendant Dan White’s eating of Twinkies and drinking Coca-Cola proved that he was depressed, and so not responsible for his actions in murdering San Francisco Mayor George Moscone and Supervisor Harvey Milk in 1978. The defense was partially successful; White was convicted of voluntary manslaughter rather than murder.
Luckily, it seems as if the spyware-made-me-do-it defense doesn’t cut it in court. For once, justice prevails. Source: Porn-surfing teacher: Spyware made me do it!
A substitute teacher is just that, a substitute, who has not been in similar situations and probably had no idea that unplugging the machine or turning off the projector would have been the best way out. Plus, the school system has to have content filtering in place to be able to get E-rate money to help fund all of the computers, internet access, etc. The school system’s filters should’ve prevented most porn sites from popping up to start with, so why isn’t the school system on trial instead of the teacher?
And according to a quote from Alex Eckelberry, who is President of Sunbelt Software, they didn’t even check for spyware.
The court actions of the case were flawed as well. For example, one source reports that the Trial Judge, Hillary Strackbein, was seen falling asleep during proceedings and made comments to the jury that she wanted the case over by the end of the week. It was also reported that Judge Strackbein attempted to pressure the defense into an unwanted plea deal, in place of a trial. The defense attorney for Amero moved for a mistrial shortly before closing arguments Friday, based on reports that jurors had discussed the case at a local restaurant.
Was justice done here? A bad spyware infestation can splatter a machine full of porn popups and it’s a bit unnerving to think that a teacher could get hard prison time for something that was likely to have been completely innocent.
We need far more evidence than what is available to come to the conclusion that “justice was done”. In fact, all the available evidence shows quite the opposite — that this might just be a grave miscarriage of justice. Source: Alex Eckelberry
I have recently had the chance to attend several classes on computer forensics, so sure, the police found evidence that those sites were visited, but ANY window that is opened on the computer will show up in the cache and the list of websites visited. The fact that neither the defense nor the prosecution tried to show how it happened is incomprehensible to me. If it was one website that caused this to happen, it would be so easy for them to repeat what happened. This quote from a computer crimes investigator in an article on the Norwich Bulletin is very telling:
“You have to physically click on it to get to those sites,” Smith said. “I think the evidence is overwhelming that she did intend to access those Web sites.” Source: Teacher guilty in Norwich porn case
You do NOT have to click on any link. It can be loaded by spyware apps, malware, or other malicious websites; it can be loaded from a website that was loaded in a popup, from a website that was loaded in another popup, from another website that was loaded in a popup, and as the saying goes, on and on and on. This is just a case of one investigator having only the tools to do a forensic investigation and not the knowledge of how a computer works to go along with them. Anyone involved in the Julie Amero case feel free to leave me a message at 304-521-2582 or an email to webmaster at tipsdr.com with “Julie Amero case” as the subject and I will be happy to explain how this could happen with the teacher only opening one “innocent” webpage on her computer. The 40 years should go to the spyware makers or to the school system, not this substitute teacher.
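To make that point concrete, here is an added example (my own illustration, not code from any source quoted in these posts) of why a bare list of visited URLs cannot settle whether a page was clicked or loaded by a pop-up chain, and how an examiner would instead look at referrer chains, timing, and the cached object sizes Horner describes. The history records are constructed for the example; only the two hair-styles hosts come from Horner’s commentary, the rest are placeholders in the reserved .test domain, and the 35 kB threshold is his rule of thumb.

```python
# Added illustration for this post, not code from any quoted source.
# Shows why a URL list alone cannot establish intent, and what a fuller
# look at referrers, timing and object sizes adds. Records are CONSTRUCTED.
from collections import namedtuple
from datetime import datetime, timedelta

Rec = namedtuple("Rec", "ts url referrer size_kb")

# Constructed history/cache export (NOT from the Amero machine):
# timestamp | URL | referrer (empty = none recorded) | object size in kB.
# The two hair-styles hosts are the ones Horner names; every other host is
# a placeholder in the reserved .test domain.
SAMPLE = """\
2004-10-19 08:14:24 | http://www.hair-styles.org/ | | 12
2004-10-19 08:14:31 | http://www.new-hair-styles.com/curlyhairstyles.htm | http://www.hair-styles.org/ | 9
2004-10-19 08:14:32 | http://ads.example-a.test/pop.html | http://www.new-hair-styles.com/curlyhairstyles.htm | 5
2004-10-19 08:14:32 | http://adult.example-b.test/enter.html | http://ads.example-a.test/pop.html | 6
2004-10-19 08:14:33 | http://adult.example-c.test/index.html | http://adult.example-b.test/enter.html | 15
2004-10-19 08:14:33 | http://adult.example-d.test/thumbs.html | http://adult.example-c.test/index.html | 6
2004-10-19 09:02:10 | http://www.example-news.test/ | | 40
2004-10-19 09:02:55 | http://www.example-news.test/story.html | http://www.example-news.test/ | 52
"""

def parse(text):
    """Parse the pipe-separated export into Rec tuples, oldest first."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, url, ref, size = [f.strip() for f in line.split("|")]
        recs.append(Rec(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        url, ref or None, int(size)))
    return sorted(recs, key=lambda r: r.ts)

def host(url):
    return url.split("/")[2]

def naive_host_list(recs):
    """What a URL-only report shows: every host alike, no hint of how it loaded."""
    return sorted({host(r.url) for r in recs})

def build_chains(recs):
    """Attach each record to the chain of the page that referred it. A record
    with no recorded referrer (typed, bookmarked, opened from a file) starts
    a new chain."""
    chain_of = {}   # url -> index of the chain it belongs to
    chains = []
    for r in recs:
        if r.referrer in chain_of:
            cid = chain_of[r.referrer]
        else:
            cid = len(chains)
            chains.append([])
        chains[cid].append(r)
        chain_of[r.url] = cid
    return chains

def max_fanout(chain, burst=timedelta(seconds=5)):
    """Largest number of distinct hosts reached inside one `burst` window.
    A person rarely lands on several new sites within a few seconds; a
    pop-up loop does it with no click at all."""
    best = 0
    for i, r in enumerate(chain):
        hosts = {host(x.url) for x in chain[i:] if x.ts - r.ts <= burst}
        best = max(best, len(hosts))
    return best

def assess(chain, min_hosts=3, big_kb=35):
    """Return (root_url, verdict). Fast fan-out across hosts made up only of
    small objects is consistent with an automated pop-up chain; slow, few-host
    browsing with full-size objects is consistent with deliberate use. Either
    verdict is a triage lead that a re-enactment must confirm, not proof."""
    fanout = max_fanout(chain)
    only_small = all(r.size_kb < big_kb for r in chain)
    if fanout >= min_hosts and only_small:
        verdict = "automated"
    elif fanout < min_hosts and not only_small:
        verdict = "deliberate"
    else:
        verdict = "inconclusive"
    return chain[0].url, verdict

def report(text=SAMPLE):
    """One line for the naive view, then one line per referrer chain."""
    recs = parse(text)
    lines = ["URL-only view lists every host alike: "
             + ", ".join(naive_host_list(recs))]
    for chain in build_chains(recs):
        root, verdict = assess(chain)
        lines.append(f"{root}: {len(chain)} records, "
                     f"fan-out {max_fanout(chain)}, {verdict}")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```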