
DFIR 101 - Clones, drones, & prison phones

BSides Augusta · 43:26 · 54 views · Published 2023-10
Difficulty: Intro
Style: Talk
About this talk
A couple of years ago, I stumbled into the world of law enforcement Digital Forensics and Incident Response (DFIR). This talk will share my journey into and discovery of a new niche of IT I didn't know existed. Come for an introduction to the hardware, software, processes, and people of DFIR. Learn how those pieces work together to gather data, review, build a timeline, and put the bad guys behind bars. Leave with the curiosity to head home, image your phone/computer, and start digging around in your own data.
Transcript [en]

[Host:] So he is going to give us an hour talk, so let's give Mike a warm welcome.

So thanks, everybody. Can you hear me okay? Which button do I hit to get my slides up there? Awesome. So my talk here is DFIR 101: Clones, drones, and prison phones. I learned yesterday I have a lot to say, so I'm going to talk fast and try to get in as much as I can.

So why am I here today? A few years ago I was getting burned out. I was looking for something new to do, hands on keyboard. Somehow I stumbled into digital forensics, reached out to some people on Twitter, I was like, hey, can you talk to me about what the job is so I can learn more? And I got in touch with a vendor who said, come to our conference; they got me a guest pass, Myrtle Beach. Spent a lot of time on the vendor floor talking about products, learning what they do, how they use them, and found out this was very law enforcement targeted: talking about the process, gathering information, what we look for, that type of thing. I did make the joke that spot the Fed was very easy at that conference. They didn't appreciate that at all.

So what is DFIR? Short for digital forensics and incident response. These are two topics, similar ideas, different processes, different timelines. Incident response is what probably most of us have been involved with for some time. Something has gone wrong, right? Something's happened, we need to react, we need to take care of the problem, we need to find out what it is, contain it, get people back up and running. You've got lights flashing, you've got email coming in, you've got somebody breathing down your neck: what's going on? Just take care of it now. Fast paced. Now digital forensics is more of a methodical, build a puzzle, find a solution type of thing. Something has happened: there's been a murder or a kidnapping, or they're getting ready to do a drug raid, that type of thing. So what information can we gather to prove that this suspect... There's a book called Placing the Suspect Behind the Keyboard by Brett Shavers, who's one of the OG digital forensics guys. He's got several books, very friendly; he helped me out with some of this talk. And so my talk is very non-technical, very basic information, as the title says. It's about putting the person at the place at the time of the incident, and how do you gather that information. So the difference between the two is high paced, get things done now, versus find the clues, escape the room type of situation. We're going to focus more on the digital forensics side today.

So here's a high level view of the process. We're going to identify what devices we have out there, what data can we find, what data can we use. We're going to collect that data. How do we keep it safe? Obviously you don't want to wipe out the hard drive that's just got all the evidence on it; that would be bad. Then analysis, which is where most of us probably enjoy getting our hands dirty: digging around, looking at browser history, finding pictures, gathering information, doing that detective work. And then documenting what we did, what we found, and presenting it in court.

So do we have anybody here that does this type of digital forensics, or used to, in law enforcement? No? No. Well, so this right here is exactly why I wanted to do the talk. When I walked away from that conference I had heard about products and vendors and open source tools that I'd never heard of before, and I've been to several BSides and other conferences; this topic has never come up. I went to one conference earlier in the year where I was talking to the organizer, and the organizer said, you want to talk to this lady sitting over here, she's got a presentation exactly on that today. And I went and chatted with her, I said, can I talk to you after your talk? I'm excited to learn about what you're doing. And the talk that she gave, she didn't know digital forensics; she was talking about the products and what they do, but she didn't know it. So I wanted to kind of open it up and introduce this. Obviously there's nobody doing it here; I assume that many people haven't heard how it's used in law enforcement, so I just want to get that out there. If you do do it in law enforcement, and I say something wrong, if you can come to me, that'd be great. Right now everybody's in their underwear; I don't want to remember you like that. So yes, I'm here to introduce you to something. Hopefully somebody gets interested, walks away, goes home, tries some of this out tomorrow.

So a little bit more about each step of the process. What information do we need to collect? So we've got a suspect that's been arrested. During that process they collected a laptop and a phone. As examiners we can look at that phone and determine what else it's connected to; we can look at the laptop and see what devices it's got connected to it. So now we take that information, we build a search warrant so they can go back to the residence and say, we need USB drives, digital cameras, Ring cameras, Nest thermostats. I mean, everybody knows data is everywhere. That's two parts of the title, drones and prison phones. I put those both in there because one of the feds told two stories. Drones: we all know it collects GPS data, right? So we can know where it started; you can get back to that. That's important in law enforcement because criminals from the outside are buying cheap drones, sending contraband in over the wall, dropping it in the yard. Who cares if we lose a $99 drone, we got our drugs inside. So now law enforcement is collecting that, getting that information. Prison phones: little tiny phones that are easily hidden, and here's my callout, making phone calls to the outside. So I kind of got tickled this week thinking about all the prison phones that went off at 2:20 on Tuesday and got lost that afternoon. I don't know if that really happened.

But obviously once we have the warrant, we have to go out, collect that information, bring it back, and then we start the documentation of our process, what's right here: chain of custody. So in law enforcement, and in any of our investigations, it's going to be important: who had the evidence. The other side is going to say this person touched it, they made changes. So we need to be able to track what we did with it and pass that along. That's just going to be a simple document: an evidence ID number, probably a serial number if possible, maybe a picture, when we took possession of it, date and time, that type of thing, and then the process of what was done with it.

Prevention: I mentioned we don't want to lose data, we don't want to change data. So there's a concern, and we'll look at some hardware later that helps us prevent that. But in criminal organizations, they are technically advanced enough now that they get a phone call that Johnny's been arrested, then go push a button and wipe his phone. So what do we do to prevent that from happening? How do we keep that phone from getting wiped? If we're banging on the door and the hacker in the hoodie hits the delete all button, what do we do to rush in and save that? We need to be prepared to do that.

Where can we get data? Hardware, we talked about it; this just lists off a bunch. Anybody have anything extra? I mean, every device in the home. [Audience: usually, like, the cloud.] Well, that's down there as well, services and cloud. So we've got all the hardware that's there, we've got all the software, so applications. [Audience: radio frequency.] So you could say radio frequency, the stuff that's being transmitted over the air. Absolutely, way past anything I understand, but if there's a way to collect it, absolutely. [Audience: ISP.] ISP, yes, the information. [Audience question: how would they, say you want to collect data off a hard drive or something, right, but the hard drive is in the cloud?] Oh, they're not going to mail you the hard drive from Amazon or Google, but I don't know the answer to that. I imagine, though, that there's search warrants and there's processes involved to say we need to get an image of the server. It just, yeah, leads to more questions, I'm sorry. Yeah, so I'm sure there's a law enforcement process. Reading enough stories in the news, I know that there are request processes. I'm sure they're prepared for it; I'm sure they have a response to do it as little as they can.

Services in the cloud: so everything's in Google, right? All your email, all your GPS travel information, pictures. OneDrive's got all your files that are backed up; your backup provider's got your files. Everything's there; there's several places to look.

Urgency and time considerations: so I talked about this being a slow, methodical, let's gather information and look at it. But on the flip side, what if we're dealing with a kidnapping case, right? Somebody's been taken. What if there's a threat at the high school football game? What if there's child abuse going on? These are things that do speed up the timeline; they make you be a little bit less strict about the process. The flip side of that, you create the risk of not getting enough information, not getting the right information early enough, modifying things. It's just part of the process to consider.

When you're getting ready to plan your attack on gathering that information: bypass security. Everybody's phones are locked. Everybody knows the debate about passwords and biometrics, what's personal data, what's protected data, what's not. At this step it's as simple as asking the suspect, hey, we want your password. Sometimes they'll do it because they're being cooperative, and that's going to help out. If not, there are tools. We'll talk about some vendors a little bit; they have tools built in that will just sit there and try passwords to get signed in. We've probably all used the Linux boot CD to sign in, go into a machine and change the password. Those tools are available as well.

Order of volatility: so now we're talking about all the information that's out there that we want to pull. What do we have the chance to lose first? So memory, right: we know passwords, we know there's other information sitting out there. We need to capture that first, because as soon as we start doing stuff to the machine, memory's changing. So you need to gather that information, do it without affecting anything, get as much as we can. Next thing down is documents. You open the document, temp files are created. Let's get that temp file, make sure that's saved, so that it's showing you what's keeping track of changes that have been made to the document, what's been deleted from the document, in that temp file. Make sure it gets that before Word is closed, because that temp file goes away. Remote data: we talked about services and ISPs and that type of thing. And then you've got the physical data on the disk, the local disk information you're going to collect. Archived media: I mean, there could be some guy that's got lots of videos that he wants to save, and for some reason he's still burning them, the folder sitting on a shelf somewhere. So collect that information.

So now that we have the devices, we know what information we want, the fun begins, and this is where we dig in and we start looking for the answers. So my title is clones, drones, and prison phones. Clones is a lie. A clone is just a copy of data from one device, something I learned along the way, but everything rhymes, so I didn't want to change the title. So we know a clone is, you know, I'm going to take data from this drive. When you buy a new hard drive, you put it in, you've got the vendor application that says copy all the data from here to here, go to the new drive. What we want is a forensic image, which is a bit-level, one-to-one image of those devices. So that's going to get us all the data that's on there plus everything that was deleted. We all know that when a file is deleted it's not really gone; it's just marked so that space can be used again. That forensic image lets us have tools that will go and look at those files and gather more information. So that hacker that pushed the button to delete stuff, we can pull that back. And then we dig around and we play, and we seriously play, and we get started on that case: what can we find? Talking about all the different things: PCs, phones, cloud services.

Documentation: nobody likes documentation, but this is important in law enforcement because you have to prove why you believe the outcome that you came up with. So document everything: I tried this, it didn't work; I tried this, it did work, that's great; I gathered this information. Can you repeat it, so that you can prove later on, when you're sitting in court, it's valid? You've got the other side of the courtroom that's working with the same data that you are, trying to come up with a different summary of the language. I can't explain how that works to me. And then last, testimony, if you are the expert witness. Everybody keeping up? Okay, good. Questions? Nothing.

[Audience: can you tell us your background one more time?] My background is I work for a managed service provider in North Atlanta. I am the NOC manager. I've been working with managed service providers for 20 years doing the same type of thing. So in our current environment we manage about 9,000 endpoints for multiple clients. I'm in charge of our internal systems, our ticketing system, our monitoring system, and everything that touches all the workstations, and I've become an escalation point for the engineers. Like I said, I just stumbled onto this; it was new to me, so I learned a lot.

So we talked earlier about preserving a device. These little bags, they're kind of hard to see, those are Faraday bags. So I actually have one here, with the lining on the inside. This company actually sells baseball caps with this lining in them, so you can really buy a tin foil hat. So if you go on site, you're collecting a device: first thing we've got to do is make sure it's unlocked, and second thing we want to do is get on there, make sure it doesn't lock itself, now that we have it unlocked. Third, we're going to make sure it's got power. So you can take an external power supply, hook it up to your phone, tuck it in this bag, flip it over, and it's protected, so those people that are trying to wipe it from outside can't get to it. This is a Faraday box. So when you get back to the lab and you need to work on that phone, you can take the phone in the bag, drop it in the box, close the lid. You'll see right here, here's external power sources. They make them bigger, they make pop-up tents, so if you are on site for a raid of some sort and you've got multiple machines you can work on, you've got a full pop-up tent that you bring and set down.

Write blockers: there are hardware and software write blockers. Basically what this is: the source drive is going to be the evidence drive, we're going to plug it in here, we're going to plug our workstation in on this side, or our target drive to move data to. This prevents any write to that device, so any OS-level request to hit that drive to make a change. And then there's software that does the same thing.

I mentioned a forensic workstation. So I learned very quickly: everybody's heard of Cellebrite, right? The name's been in the news, gets picked on. They had a CTF last week, two weeks ago. So I signed up, I downloaded the trial software, installed it on my daily driver, mounted the image that I wanted it to analyze, went to bed, and woke up the next morning and it was at like 12%. This was a 30-something gig image. Now it's a powerful machine, I don't notice any problems on it, but obviously it needs more. Got my son's old gaming PC; it's still just chugging. So I was not able to compete in the CTF, but I still was on Discord talking to people, asking questions, and there was one guy who was bragging that he had all four of the images open at once, to look at all of them at once. I was like, what type of power do you have? 48 cores, half a terabyte of RAM, gold something something. So these two vendors, SUMURI and bit mes, will build custom PCs. I'm sure at some point everybody's gone to Dell and said, I want everything, ah, $122,000. I was just updating stuff and I was getting $75,000 for one. So that's definitely a consideration; everybody's got a budget of needs. That's probably hard for law enforcement, that type of stuff.

Another thing: storage considerations. So everything we're working with is an image of the original thing. As soon as we take that image of the original data, we take that drive, it's inventoried, it's out; we don't want anybody touching it, we're working from images. So right now we've got a storage need of one-to-one. In the CTFs I have done in the past, the images were anywhere from 8 to 30-something gig; the resulting reports the software analyzes, 50% more. So multiply it up to terabytes of data; lots of space is needed. One question I have for law enforcement, and I've not been able to find anybody to tell me: what do you do? I assume they can't reuse those drives, so I don't know if they have a bookshelf somewhere that's just got a ton of hard drives. I don't know; it's just another cost. When you're building out these from the previous vendors, you have options: you can RAID your OS drive, you can set up multiple RAIDs for your database processing part and for the image itself, so you end up with a whole bunch of drives.

Hardware related: this is JTAG and chip-off. People may have heard of JTAG. This will be used in the case where the phone has been crushed, it's been burned, it's been water damaged; we can't hook the cable up, we can't power it on. Older phones have a JTAG port where you can connect specific wires to specific equipment and read the data directly off the chip. The chip-off process is actually desoldering the chip from the board and either hooking it up to a device to pull the information, or in some cases you can get a one-to-one match of the same phone, model, board, everything. You can actually take the chip off the good board, take the chip from the bad board, put it on that new phone, and then you can read it up and do what you want. Some challenges there, because now there are other chips involved, so you're taking multiple chips off. This is risky, but it's also the last resort to get that information.

Talking a little bit about vendors now. Point Forensic, down in Florida I believe, they have this cool little box: a screen, a deck, with the board behind it. Their goal is, so assume there's a raid and we've got 40 computers we have to go through. Assuming on a good day with those powerful machines, we've got a terabyte drive, it's still going to take four or five hours; you're talking about a couple hundred hours to process all that data. They want to optimize that and go inventory the drives quickly, tell you what's on it. So this drive here has got tons of pictures, let's give that a higher priority for further investigation; this one looks like a workstation with a few documents, don't worry about that one on this expensive workstation. So figure out what we do with each; these get a different, deeper process. But you can do things: capture all the images, push that button here; push that button, it's going to only go look at the free space on the drive, what has been deleted; there's a format one. Shout out to them, they were excited about this talk.

These are the big vendor names. There are tons of companies out there that have a product suite; they all do the same thing: they all slice, they all generate reports; there are different costs, different levels, there's different everything. I can tell you the same CTF on my daily driver... These are some free tools. I talked about you going home tomorrow and doing something on your own: these are free and these are available. FTK Imager, Magnet Acquire; these are both parts of bigger suites from the previous companies. These are the free portions. So FTK Imager, for me, is very good about getting a hard drive image, so if you, if you want
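The talk makes three points a practitioner would want to see in code: a forensic image is a bit-level copy (so deleted data in unallocated space comes along), the image is hashed at acquisition so any later change is detectable (the reason for write blockers), and the chain-of-custody record ties who/what/when to that hash. The script below is an added example written for this page, not code from the talk or from any vendor tool. It constructs a toy raw "disk image" in memory (constructed data, not a real capture), records an acquisition entry with its SHA-256, carves a "deleted" JPEG out of the unallocated region by file signature, and shows that a single changed byte fails verification. The sector layout, the JFIF segment bytes and the custody record fields are assumptions for the demo.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, asdict

# JPEG file signatures used for carving: Start Of Image (plus the next marker's 0xFF)
# and End Of Image. Real carvers also parse segment lengths; this one is signature-only.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
SECTOR = 512


def build_sample_image() -> bytes:
    """Construct a tiny raw image for the demo (constructed data, not a real capture).

    Layout (sector size 512, assumed): a fake filesystem header, one live file, then
    two sectors of unallocated space that still contain the bytes of a 'deleted' JPEG
    plus a second JPEG header whose tail was overwritten (no EOI marker).
    """
    header = b"FAKEFS\x00".ljust(SECTOR, b"\x00")
    live_file = b"shopping list: milk, eggs".ljust(SECTOR, b"\x00")
    # minimal JPEG-looking payload: SOI, a 16-byte APP0/JFIF segment, 64 bytes of body, EOI
    deleted_jpeg = (
        JPEG_SOI
        + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\x01\x02\x03\x04" * 16
        + JPEG_EOI
    )
    truncated_jpeg = JPEG_SOI + b"\xe1" + b"\x00" * 20  # header survived, rest overwritten
    unallocated = (b"\x00" * 100 + deleted_jpeg + b"\x00" * 40 + truncated_jpeg)
    return header + live_file + unallocated.ljust(SECTOR * 2, b"\x00")


def hash_image(image: bytes) -> dict[str, str]:
    """Acquisition hashes; MD5 is still reported alongside SHA-256 in many forensic reports."""
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash a working copy and compare with the value recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


@dataclass
class CustodyEntry:
    """One chain-of-custody line: the fields the talk lists, plus the acquisition hash."""
    evidence_id: str
    serial: str
    examiner: str
    timestamp: str   # ISO-8601 string supplied by the caller (assumption for the demo)
    action: str
    sha256: str


def record_acquisition(image: bytes, evidence_id: str, serial: str,
                       examiner: str, timestamp: str) -> CustodyEntry:
    """Create the custody entry for a freshly acquired image."""
    return CustodyEntry(evidence_id, serial, examiner, timestamp,
                        "imaged through write blocker", hash_image(image)["sha256"])


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list[tuple[int, bytes]]:
    """Signature carve: return (offset, bytes) for every SOI...EOI run in the raw image.

    A header with no trailer within max_size is treated as truncated/overwritten and
    skipped. Limitation: a headerless region between a stray SOI and a later image's
    EOI would be over-captured; the demo places the truncated header last to avoid that.
    """
    found: list[tuple[int, bytes]] = []
    pos = 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            pos = start + 1          # truncated candidate, keep scanning past it
            continue
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


if __name__ == "__main__":
    img = build_sample_image()
    entry = record_acquisition(img, "EV-0001", "SN-DEMO", "examiner", "2023-10-07T10:00:00Z")
    print("custody:", asdict(entry))
    print("verify original:", verify_image(img, entry.sha256))
    tampered = img[:-1] + b"\x01"    # what an unblocked write to the evidence drive looks like
    print("verify tampered:", verify_image(tampered, entry.sha256))
    for off, data in carve_jpegs(img):
        print(f"carved JPEG at offset {off} ({len(data)} bytes)")
```

Run it as a script to see the custody record, the pass/fail of the two verifications and the carved object at offset 1124 (sector 2 plus the 100 bytes of slack in front of it); the truncated second header is reported nowhere, which is the failure mode a signature carver has to handle rather than emit garbage for.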