Suspicious employee behavior and recovery of encrypted data

A significant increase in the monthly phone bill was brought to the business owner's attention by the staff accountant. A quick look at the number and duration of the calls raised more than a few red flags: all of the calls were made after normal business hours, and many were to the business's direct competitors and former clients. A review of employee time cards by the business owner did not turn up anything overtly suspicious.

A review of the e-mail server logs showed that an employee was sending numerous files from their work e-mail account to their personal e-mail address. Tracing the messages back to the office computer on which they were composed uncovered a large number of encrypted files in a hidden directory the employee had created several weeks earlier. Many of the encrypted files on the local hard drive were identical to the files the employee had attached to the e-mails sent to their home address. Further review of the time stamps in the e-mail headers showed a direct correlation between the mystery phone calls and the sending of the e-mails.

The passwords and encryption keys used by the employee were recovered and the files were decrypted to their original state. The business owner confirmed that the decrypted files were confidential business assets, including a database of current and former clients.

The employee was immediately terminated and the business owner contacted the authorities regarding the theft of intellectual property and the misuse of company computers.

* In all of the randomly chosen case studies on this page, the names, dates, and case numbers have been removed to protect the privacy and confidentiality of the parties involved. Certain non-supporting details have also been removed or modified to improve readability for general audiences.
COLLECTECH LLC, Computer Forensics and Legal Support Services, Boone County, Missouri. 2012 Cherry Hill Drive, Ste 202C, Columbia MO 65203

A not-so-civil divorce

At a divorce and custody hearing, allegations of cheating and child endangerment were raised by the husband, a skilled computer technician, against his wife. He insisted that she was having an affair and that he had e-mail messages and pornographic photographs to prove it. The husband handed over several pages of printed e-mails and digital photos which he claimed he had obtained from his wife's e-mail account on their home computer. The wife denied having an affair and denied any knowledge of the photos or e-mails.

Because the computer was jointly owned by the husband and wife, the wife gave consent and agreed to a forensic investigation and analysis of the data it contained. The system was disassembled and its two hard drives were removed and imaged. On the primary hard drive there was evidence of several recently deleted software applications, including a digital photo editor, hacking utilities, and a hard drive wiping application. Further investigation turned up numerous web searches for terms relating to creating fake e-mail messages, how to win child custody, and pornography. A bit-level search for all e-mail messages on the hard drive, including previously deleted messages recoverable from unallocated space, did not turn up any trace of the e-mail messages the husband had provided.

A bit-level search of the second hard drive located three previously deleted Microsoft Word documents which contained the electronic version of the printed e-mails, with a few modifications. Comparing the three documents made it apparent that someone had taken unrelated e-mail messages and modified them to appear to be messages between the wife and an unknown individual. The original e-mail headers preserved in the earliest-created Word document precisely matched e-mail headers found in the husband's deleted e-mail folder. Analysis of the deleted Word documents' metadata showed that the husband was the last to modify all three documents and that each had been modified multiple times.

Information obtained from the investigation was provided to the wife's divorce attorney.

Forensic data recovery of irreplaceable digital photos

A few days after a fellow firefighter died, she attended a memorial at the local firehouse. They all sat around remembering their lost colleague and wishing they had more to remember the new recruit by than his empty locker. Then she remembered that she had several hundred digital pictures taken during their days training together at the fire academy. She rushed home, found the USB thumb drive that held those precious memories, and brought it back to the firehouse. Something went wrong. They all sat at the computer waiting for the USB device to stop flashing, but it never did. When they removed the drive there was a faint whiff of ozone, but they refused to give up on it.

The USB drive was attached to the forensic imaging server, but it was not recognized by any software or operating system. Since the hardware could not be accessed conventionally, a donor drive of the same model was located and a working device was built by transplanting the surface-mount memory chips from the failed drive onto the donor's board.

Once the rebuilt drive was working, all data was recovered and a CD was returned to the client with all 270 images intact, just as they had been on the USB thumb drive before it failed.

Electronic Discovery, Consumer Debt, and the FDCPA

Lenders used to send overdue accounts to various collection agencies in the hope of recovering a small percentage of their bad debts. Today, after an unprecedented increase in unpaid consumer debt, a new industry has grown up around the buying and selling of post-charge-off consumer accounts.

Unfortunately, as with every new industry, and especially those that revolve around money, there are a few bad characters who prey on anyone they can, and the debt sales industry has attracted more than its fair share of bad publicity because of it. In a nutshell, accounts are bought and sold based primarily on the word of the seller. Sellers claim that they have the right to sell the accounts offered, either as the owner of the debt or as an agent for the owner. Prospective buyers are presented with spreadsheets containing the names, account numbers, amounts owed, and relevant dates, among other data fields, on which to base their buying decisions. There is currently no industry-wide mechanism to prevent a former "prospective buyer" from forwarding the spreadsheet of accounts to others while pretending to be the owner or the owner's agent. Nor has the industry implemented even the most basic preventative countermeasure, such as recording a cryptographic hash or digital signature of the spreadsheet at the time of sale, so that later manipulation of the original charge-off dates or the total amounts owed in the spreadsheet's fields can be detected. Note that a checksum such as a CRC guards only against accidental corruption, not deliberate tampering, and even a cryptographic hash such as MD5 is only useful if the reference value is held by a party other than the one who might later alter the file.
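As an added example (not the firm's own code, and not anything from the case), the following Python shows the kind of countermeasure the paragraph describes: a per-record and whole-portfolio integrity manifest computed when the accounts change hands, so that a later change to a balance or a last-payment date can be pinned to the exact row. The sample portfolio, its field names and the shared key are constructed for the example. SHA-256 is used instead of the CRC or MD5 mentioned above, since a CRC detects only accidental corruption and MD5 collisions are practical; the keyed (HMAC) variant is there because an unkeyed hash can simply be recomputed by whoever edits the file unless the reference value is held by the other party.

```python
"""Integrity manifest for a debt-portfolio spreadsheet (added example).

Assumption: the portfolio has been read into rows of field -> value, as one
would get by exporting the Excel file to CSV. SAMPLE_PORTFOLIO and the key
below are constructed for this example.
"""
import hashlib
import hmac
import json

SAMPLE_PORTFOLIO = [  # constructed data, not a real portfolio
    {"account": "4000-0001", "name": "A. Debtor", "balance": "1204.50",
     "last_payment": "2004-03-11", "charge_off": "2004-09-30"},
    {"account": "4000-0002", "name": "B. Debtor", "balance": "3409.00",
     "last_payment": "2003-07-02", "charge_off": "2004-01-15"},
    {"account": "4000-0003", "name": "C. Debtor", "balance": "587.10",
     "last_payment": "2005-01-20", "charge_off": "2005-08-01"},
]


def canonical(row):
    """Stable serialisation so the digest depends only on field values,
    not on column order, cell formatting or whitespace."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def record_digest(row):
    return hashlib.sha256(canonical(row)).hexdigest()


def build_manifest(rows, key=None):
    """Per-record SHA-256 digests plus one digest over the whole portfolio.

    The per-record digests locate which row changed. Anyone can recompute
    them, so the portfolio digest is what proves integrity: with `key` (a
    secret shared with the counterparty at the sale) it is an HMAC that an
    editor without the key cannot forge; without a key the manifest must be
    kept out of the file owner's reach (e.g. attached to the contract)."""
    per_record = [record_digest(r) for r in rows]
    joined = "\n".join(per_record).encode()
    if key is None:
        portfolio = hashlib.sha256(joined).hexdigest()
    else:
        portfolio = hmac.new(key, joined, hashlib.sha256).hexdigest()
    return {"records": per_record, "portfolio": portfolio}


def verify(rows, manifest, key=None):
    """Return (portfolio_ok, indexes of rows that no longer match).

    A change in the row count shows up as indexes past the shorter list."""
    fresh = build_manifest(rows, key)
    n = max(len(fresh["records"]), len(manifest["records"]))
    changed = [i for i in range(n)
               if i >= len(fresh["records"]) or i >= len(manifest["records"])
               or fresh["records"][i] != manifest["records"][i]]
    ok = hmac.compare_digest(fresh["portfolio"], manifest["portfolio"])
    return ok, changed


def demo():
    """Manifest taken at the sale, then the two kinds of edit the case describes."""
    key = b"shared-at-closing"  # hypothetical secret exchanged at the sale
    manifest = build_manifest(SAMPLE_PORTFOLIO, key)
    tampered = [dict(r) for r in SAMPLE_PORTFOLIO]
    tampered[1]["last_payment"] = "2006-07-02"  # pushes the limitations clock forward
    tampered[2]["balance"] = "5870.10"          # inflates the amount owed
    return verify(tampered, manifest, key)


if __name__ == "__main__":
    print(demo())  # (False, [1, 2])
```

The per-record digests are deliberately unkeyed so that either party can point at the altered row; the HMAC over the joined digests is what a party holding the key can rely on. If the two sides should each be able to prove what the other delivered, the same manifest can be signed with a private key instead of keyed with a shared secret.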

A federal law known as the Fair Debt Collection Practices Act, 15 U.S.C. §1692 et seq. (FDCPA), regulates the conduct of debt collectors in collecting debts owed or allegedly owed by consumers. It was designed to protect consumers from unscrupulous collectors, even when the alleged debt is not valid. The FDCPA broadly prohibits unfair or unconscionable collection methods, including any false, deceptive, or misleading statements in connection with the collection of a debt. Courts have interpreted this to include even unintentionally attempting to collect a balance different from the actual debt, and attempting to collect where no valid debt ever existed. Additionally, there is a strict time limit within which debt buyers must bring legal action to sue for the amounts they claim are owed; the clock starts on the date of the last payment. Courts have also firmly stated that if a debt buyer initiates legal action after the statute of limitations has run, it has committed a violation of the FDCPA because the legal right to sue has expired. Each violation of the statute allows the debtor to sue in civil court for statutory damages of up to $1,000 per violation, and an award of attorney fees is mandatory should the debtor prevail.

The defendant was served with a petition alleging that she owed $3,409 on an old unpaid credit card account and that the plaintiff was a debt buyer who had purchased the account. The defendant insisted that she had never had a credit card in her life and that the lawsuit was the first time she had ever been contacted regarding the alleged debt. When filing her answer with the court she was informed by a court clerk that the plaintiff had filed several hundred cases, including hers, over the previous month.

During the discovery phase of the civil case the defendant learned that the plaintiff had no original physical documentation to produce.

A discovery request was crafted to include all computer files, e-mail communications, backup tapes, cassettes, discs, and recordings relating to the accounts the plaintiff had purchased, including preservation of the files' metadata. The plaintiff stated that it held all documentation in the form of Microsoft Excel and Adobe PDF files and would turn over all e-mails and other related information to the defendant.

Plaintiff's counsel forwarded copies of the requested documents to the defendant's counsel on a CD-R disc, and a standard e-discovery protocol was followed to review the data. Nothing appeared out of the ordinary with the PDF documents, and the plaintiff insisted that the spreadsheet on the disc was an exact copy of the spreadsheet as received from the debt seller several months before the lawsuit was filed. The file's creation and modification dates, however, showed that the spreadsheet had been modified two days after it was created (or two days after it had been copied to another drive, which gives the copy a new creation date). Because the discovery request specifically called for the metadata associated with the files, that was examined as well. At some point in the spreadsheet's life it had been set up to track all changes made to the data, and the original information was still embedded in the file along with the revision history. In-depth analysis of the revisions showed that every account in the spreadsheet had been modified from its original state: some had their last-payment dates changed, while others had their balances altered. Further investigation found that many accounts had been created by attaching new, unrelated names to account data that had belonged to other people, including the account alleged to belong to the defendant.

Analysis of the physical CD media indicated that it had been recorded with multi-session packet-writing software and contained several sessions recorded over the course of a few days. All of the discovery data provided was located in the final session of the CD; however, a byte-level keyword search of the media indicated that data existed in the previous sessions, which are normally inaccessible once the final session has been written to the disc. The earlier sessions were restored and examined. Among them was a Microsoft Word document that appeared to be a copy of the dunning letter provided in PDF form in the final session of the disc. The metadata in the Word file showed that the letter had originally been created the day before the document was copied to the CD-R, which was itself only days before the defendant received the CD-R from the plaintiff. The date on the letter had then been changed to back-date it so that it appeared to have been written several months before the plaintiff filed the lawsuit. The original address in the Word document did not belong to the defendant either, and the account information had later been changed to match the information listed in the plaintiff's petition.
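The metadata checks used against the Word documents in the divorce case above (who last modified them, and how many times) and against the spreadsheet and back-dated dunning letter here (modification after creation, and a creation date later than the date the document claims to bear) all come from the same few fields. The Python below is an added example, not COLLECTECH's tooling or the actual evidence; it assumes the documents are in the OOXML (.docx/.xlsx) container, where these fields live in docProps/core.xml (legacy .doc/.xls files hold the same properties in OLE2 SummaryInformation streams and need a different parser, such as the olefile package). The sample document, author names, dates and revision count are constructed for the example.

```python
"""Office document metadata check (added example; not the examiner's own code).

Assumption: OOXML container (.docx/.xlsx) with docProps/core.xml. The sample
document is built in memory from constructed values.
"""
import io
import zipfile
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def make_sample_docx(creator, last_modified_by, revision, created, modified):
    """Build a minimal OOXML zip holding only core.xml (constructed sample)."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
 xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>{creator}</dc:creator>
 <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
 <cp:revision>{revision}</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def core_properties(docx_bytes):
    """Extract creator, lastModifiedBy, revision, created and modified from core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    def when(path):
        t = text(path)
        # W3CDTF timestamps end in "Z"; make them timezone-aware for comparison
        return datetime.fromisoformat(t.replace("Z", "+00:00")) if t else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": int(text("cp:revision") or 0),
        "created": when("dcterms:created"),
        "modified": when("dcterms:modified"),
    }


def anomalies(props, claimed_date=None):
    """Flags worth a closer look. `claimed_date` is the date the document
    purports to bear, e.g. the date typed at the top of a letter."""
    flags = []
    if props["revision"] > 1:
        flags.append(f"edited {props['revision']} times")
    if props["last_modified_by"] and props["last_modified_by"] != props["creator"]:
        flags.append(f"last modified by {props['last_modified_by']}, not the author")
    if props["created"] and props["modified"] and props["modified"] > props["created"]:
        days = (props["modified"] - props["created"]).days
        flags.append(f"modified {days} day(s) after creation")
    if claimed_date and props["created"] and claimed_date < props["created"]:
        days = (props["created"] - claimed_date).days
        flags.append(f"claims a date {days} day(s) before the file was created")
    return flags


def demo():
    """A letter created on 2009-05-04, edited two days later, dated 2008-11-01 (all constructed)."""
    doc = make_sample_docx("seller", "plaintiff-paralegal", 4,
                           "2009-05-04T09:12:00Z", "2009-05-06T16:40:00Z")
    letter_date = datetime(2008, 11, 1, tzinfo=timezone.utc)  # date typed on the letter
    return anomalies(core_properties(doc), letter_date)


if __name__ == "__main__":
    for flag in demo():
        print(flag)
```

These fields are application metadata, written by Word or Excel, and are independent of the file system timestamps the paragraph above also relies on; when both are available, a revision count or lastModifiedBy that disagrees with the party's account is the stronger indicator, since file system dates are reset by a copy while core.xml travels inside the file.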

A full report was presented to the defendant and her counsel, who immediately filed a counterclaim alleging 16 separate violations of the FDCPA and state collection laws and sought to recover $1,000 per intentional violation plus attorney fees. A few days after receiving notice of the counterclaim, the plaintiff's attorney contacted the defendant and offered a cash settlement plus dismissal of the lawsuit with prejudice.

Peer-to-Peer Child Pornography Criminal Defense

The defendant was arrested and charged with possession with intent to distribute child pornography after "multiple" illegal image files were found on his computer. According to the initial warrant, several months earlier the police had been tipped off about a computer in their jurisdiction that was actively trading child pornography over the Internet via a peer-to-peer file sharing application. Their trace of the offending IP address led them to the defendant. The officers performed a knock-and-talk interview and the defendant allowed them to search his personal computer.

According to the police report, the defendant admitted to accidentally downloading child pornography a long time ago while searching for and downloading MP3 music files. He claimed he had been "tricked" into downloading a compressed archive named BestofMyCollection.zip, because the person sharing it described it as containing about a dozen MP3 files that he wanted for his collection. When the defendant opened the archive several hours later, he discovered that it contained several MPG videos named "Raygold or something" and no MP3s. The defendant told the police that he viewed the first video, which had been extracted into the download directory, and found that it depicted children engaged in various sex acts. He claimed he immediately deleted the extracted videos and the original archive and went back to searching for MP3 music files. The prosecutor was unmoved by the defendant's explanation and filed a multi-count indictment against him.

The defendant, while skilled at sending and receiving e-mail, was unfamiliar with file sharing.

After discussing how file sharing and peer-to-peer programs operate, it was clear that the defendant was unaware of the dangers of downloading unknown files and of allowing others to share files from his computer. By default, the application he had used gave everyone on the file sharing network full access to his entire hard drive, not just the designated Upload directory.

A full bit-level analysis of the seized hard drive confirmed that all of the MPG videos were marked as deleted, as was the BestofMyCollection.zip file. Although the exact time and date of the deletion could not be fixed precisely from the file system alone, examination of the only multimedia player application installed on the computer showed that the defendant had accessed several MP3 files before opening the offending video, followed by more MP3 files. A timeline was created from the MAC times (modified, accessed, and created/changed timestamps) extracted from the existing and deleted files on the hard drive. The file sharing client's search history contained no searches for pornography, just hundreds of searches for various musical artists and MP3 files. Similar search patterns were noted in the Internet Explorer history file. No other pornographic images were located on the evidence drive. The reconstructed timeline was consistent with the defendant's account of events.
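To show what a timeline built from the MAC times of existing and deleted files looks like in practice, the Python below is an added example (not the examiner's own tooling): it reads a Sleuth Kit body file in the format produced by `fls -m`, emits one mactime-style event per timestamp, and then checks the pattern the paragraph describes, namely that all activity on the deleted videos is bracketed by MP3 activity before and after. The body-file lines, file names, inode numbers and timestamps are constructed for the example and are not evidence from the case.

```python
"""MAC-time timeline from a Sleuth Kit body file (added example).

BODY below is constructed for this example in the TSK 3.x `fls -m` format:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch
seconds, unallocated (deleted) entries suffixed " (deleted)". Times are
treated as UTC. None of it is evidence from the case.
"""
from datetime import datetime, timezone

BODY = """\
0|C:/Music/track01.mp3|101|r/rrwxrwxrwx|0|0|4120000|1180000000|1179990000|1179990000|1179990000
0|C:/Downloads/BestofMyCollection.zip (deleted)|202|r/rrwxrwxrwx|0|0|91000000|1180000600|1180000600|1180001900|1180000300
0|C:/Downloads/clip1.mpg (deleted)|203|r/rrwxrwxrwx|0|0|30000000|1180001300|1180001200|1180001900|1180001200
0|C:/Downloads/clip2.mpg (deleted)|204|r/rrwxrwxrwx|0|0|28000000|1180001200|1180001200|1180001900|1180001200
0|C:/Music/track02.mp3|102|r/rrwxrwxrwx|0|0|3900000|1180002400|1179990100|1179990100|1179990100
"""


def parse_body(text):
    """Parse body-file lines; MD5, inode, mode, UID and GID are not needed here."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _md5, name, _inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = line.split("|")
        deleted = name.endswith("(deleted)")
        rows.append({
            "name": name[: -len(" (deleted)")] if deleted else name,
            "deleted": deleted,
            "size": int(size),
            # m = content modified, a = accessed, c = metadata changed, b = born (created)
            "m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime),
        })
    return rows


def timeline(rows):
    """One event per (timestamp, file), flagged 'macb' the way mactime prints it.

    NTFS does not record when an entry was deleted, so for a deleted file the
    latest of its four timestamps is only a lower bound on the deletion time."""
    events = {}
    for r in rows:
        for key in "macb":
            t = r[key]
            if t <= 0:  # 0 means "not set" in a body file
                continue
            ev = events.setdefault((t, r["name"]),
                                   {"deleted": r["deleted"], "flags": set()})
            ev["flags"].add(key)
    out = []
    for (t, name), ev in sorted(events.items()):
        macb = "".join(f if f in ev["flags"] else "." for f in "macb")
        when = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append((when, macb, name + (" (deleted)" if ev["deleted"] else "")))
    return out


def _times(rows, pred):
    return [r[k] for r in rows if pred(r) for k in "macb" if r[k] > 0]


def bracketed_by(rows, suspect, benign):
    """True if every timestamp on suspect files falls strictly between some
    benign activity before it and some benign activity after it."""
    s, b = _times(rows, suspect), _times(rows, benign)
    if not s or not b:
        return False
    return min(b) < min(s) and max(s) < max(b)


def is_deleted_video(r):
    return r["deleted"] and r["name"].lower().endswith(".mpg")


def is_music(r):
    return r["name"].lower().endswith(".mp3")


def demo():
    rows = parse_body(BODY)
    s = _times(rows, is_deleted_video)
    return {
        "events": len(timeline(rows)),
        "bracketed": bracketed_by(rows, is_deleted_video, is_music),
        "suspect_window_seconds": max(s) - min(s),
    }


if __name__ == "__main__":
    for when, macb, name in timeline(parse_body(BODY)):
        print(when, macb, name)
    print(demo())
```

In a real examination the body file would also carry the media player's recent-file list, the P2P client's search history and the browser history as additional event sources; the bracketing check stays the same, it just has more benign timestamps to work with.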

After presenting all findings to the defendant's attorney, who then in turn presented them to the Prosecutor, all charges were dropped against the defendant.

Copyright © 2007-2010 COLLECTECH LLC