Digital Forensics and the Most Famous Egg

How did Humpty Dumpty fall?
Humpty Dumpty sat on a wall,
Humpty Dumpty had a great fall.
All the king's horses and all the king's men
Couldn't put Humpty together again

Reasons for Humpty's Fall
• He was pushed
• He jumped
• He was inebriated
• The wall was structurally unsound
• He faked his own demise

Agenda
• Chain of Custody
• Data Sources & Imaging
• Data Types
• Types of Cases
• What to Look For in Forensic Provider

Chain of Custody

Data Sources
• Memory
• Hard Drives
– Rotational v. SSD
– RAID
– Encryption
• Mobile
• Removable Media
• Cloud

Memory
• What was going through Humpty's mind?

Hard Drives

Mobile

Removable Media

Cloud

What Do We Know?
• Largest egg producer
• We don't have RAM
• We have his computer
• No encryption or RAID
• Always carried his smartphone
• Used a tablet at home and on the road
• Never seen using removable media
• Might have had cloud accounts

Data Types
• Actual Files
• Deleted Files
• Email
• Operating System Files

Actual Files
• DOCX, XLSX, PPTX, PDF, JPG
– Content
– Metadata
• File System
• File
• LNK
– Metadata
• CLUE: Keyword search for "poached" turns up 2 hits.

Deleted Files
• Can be found anywhere
• Due to both user and system activity
• Mass deletions in short timeframe = RED FLAG
• Greater chance of recovery IF
– Less time from file deletion
– Less activity on the disk
• CLUE: Found deleted JPG.

Recovered Photo

Email Files
• Outlook
• Lotus Notes
• Windows Mail
• Mozilla Thunderbird
• Webmail
• CLUE: No email files, but webmail URLs found in Internet History.

Windows Operating System Files
• Registry
• Event Logs
• Browser
• LNK
• Prefetch
• MFT and USN Journal

Registry Analysis
• C:\Windows\System32\Config
• C:\Users\<user_name>\NTUSER.dat
• MRU & Jump Lists
• Shellbags
• USB History
• CLUE: New USB drive plugged in 7 days prior to Humpty's death. Last plugged into the PC the morning of Humpty's death. 2nd USB drive plugged in same day.
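The deck's Email Files clue (no mail client, but webmail URLs in Internet History) and its point that browser artifacts live in SQLite come together in a small triage script. This is an added example, not from the presentation: it builds a constructed, in-memory stand-in for a Chrome History database (urls table only), converts the WebKit-epoch timestamps to UTC, pulls out visits to an assumed webmail host watch-list, and runs the same kind of keyword search the deck describes.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome/Chromium's History file stores times as microseconds since
# 1601-01-01 UTC (the WebKit epoch), not the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed watch-list of host prefixes treated as webmail; extend per case.
WEBMAIL_PREFIXES = ("mail.", "webmail.")

def webkit_to_utc(microseconds):
    """Convert a WebKit/Chrome timestamp to a timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def build_sample_history():
    """Constructed stand-in for a Chrome History database (urls table only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,"
               " visit_count INTEGER, last_visit_time INTEGER)")
    rows = [  # constructed sample rows; 13324780800000000 == 2023-04-01T00:00:00Z
        ("https://mail.example.net/inbox", "Inbox", 12, 13324780800000000),
        ("https://www.example.com/recipes/eggs-benedict", "Eggs Benedict", 1, 13324694400000000),
        ("https://www.example.org/news", "News", 3, 13324608000000000),
    ]
    db.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time)"
                   " VALUES (?, ?, ?, ?)", rows)
    return db

def find_webmail_visits(db):
    """Return webmail URLs from the urls table with last visit in UTC, oldest first."""
    hits = []
    query = "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time"
    for url, title, visits, ts in db.execute(query):
        host = urlparse(url).hostname or ""
        if host.startswith(WEBMAIL_PREFIXES):
            hits.append({"host": host, "url": url, "visits": visits,
                         "last_visit_utc": webkit_to_utc(ts).isoformat()})
    return hits

def keyword_hits(db, keyword):
    """Case-insensitive keyword search over URL and title (like the deck's 'poached' search)."""
    pattern = f"%{keyword}%"
    query = "SELECT url FROM urls WHERE url LIKE ? OR title LIKE ?"
    return [row[0] for row in db.execute(query, (pattern, pattern))]
```

On a real case, open a copy of the History file from the forensic image with sqlite3.connect() in place of build_sample_history(); newer Chrome versions add columns, but the ones queried here have been stable.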
Browser Artifacts
• Depends upon the browser
• IE, Firefox and Chrome
• All very different & rapidly changing
• Index.dat, SQLite, JSON
• CLUE: Carve for webmail content, but no meaningful fragments, BUT we find a new email address and domain that looks interesting.

Mobile Artifacts
• Device Encryption & Passcodes
• Volatile Data
• ~2M apps between Android & iPhone
• Most rely on plist or SQLite structure
• Common ones are handled by mobile forensics suites
• CLUE: Words With Friends has a chat feature.

Removable Media
• Write-block it
• Physical image best, unless encrypted
[diagram labels: PC, USB]
• CLUE: Term sheet between Humpty Dumpty Eggs and Chicken Little Enterprises found.

What Do We Know?
• Pam's recipe for Eggs Benedict from the Internet saved to the desktop.
• Deleted JPG originating from Humpty's phone puts him at Chicken Little's house when the thumb drive is inserted.
• Internet history reveals new email address. Subpoena shows communication with the baker about expansion plan.
• Words With Friends shows chat log with "Ace"
• 1st USB drive contains term sheet between Humpty Dumpty Eggs and Chicken Little Enterprises
• 2nd USB drive is unknown

HD & CL Hatch a Plan to Corner the Egg Market
• Humpty Dumpty and Chicken Little conspire to establish an egg cartel and expand.
• Part of the egg-spansion is into other food goods, like hollandaise.
• Humpty pretexts the baker with a phony email address to get his recipe. (Turns out it's really PAM's)
• Baker finds out about Humpty's plans.
• Baker pushes Humpty and copies the recipe.
– Butcher & Candlestick maker both have alibis.

Push Button Forensics

Forensic Analysis

QUESTIONS?
Mike Lombardi
Vertigrate
mike@vertigrate.com
(602) 283-1212