
All right, good. All right, I will try to make this good. I know this is the last presentation between you guys and some beers, so I'm trying to make it good. My name is Ken Westin and I'm from Portland, Oregon. I'm going to be talking to you guys about some things that I did prior to my job at Splunk. I actually worked and developed various tools and technologies to track criminals. I'll talk about some of those cases, but also talk about some of the theory and some of the things I learned doing some of these investigations. I've been doing security for about 18 years, training in both defensive and offensive security. If you want to follow me on Twitter, there it is; if you want to send me hate mail and death threats, there's my Gmail account.

So I developed a number of tracking technologies and tools. Some of them I actually got patents issued for, and I actually had a startup as a result of it. It allowed me some freedom to explore and start to develop and leverage some of the technologies the hackers were using to do malicious things, but turn the tables and leverage those technologies to help people fight crime, to help recover your devices if they're stolen. Through that process I learned quite a bit. I built another search engine that tracks and looks at image metadata. You heard Sarah talking earlier about the dark web and some of the things you can do with access to data. I built a search engine that mined a lot of that information, and I'll talk about how that came to be and how we used that information to solve crimes. I ended up assisting and training law enforcement in how to use open source intelligence for investigations: when they get data like we would collect from devices, how do we make use of this information? So I ended up kind of holding their hand through a lot of this stuff. As you can imagine, sometimes law enforcement is not particularly savvy when it comes to technology, and I tried to help bridge that gap. It was a little frustrating at times, but I feel like I did good work there. I ended up putting a lot of bad people in jail, probably several dozen people. The data that I collected led to a number of convictions. Not only did I recover stolen devices, but usually I would also identify other crimes being committed. We would unveil large organized crime rings, particularly in Portland, Oregon; there seem to be a lot of organized groups that are tied to Russian groups, and I'll talk a little bit about that as well. We'll go into some of those cases.

I'm currently at Splunk and I focus on helping organizations with security analytics. I love data, especially when we're talking about hunting and things like that; I really enjoy it. I do a lot of work with insider threat. About two years ago I presented up here, at a different location, for BSides Vancouver; I talked about insider threat with my friend Orfan. And I just want to let you guys know, a lot of this is my own independent research. It's not tied to my employer, especially the things I'm going to be talking about; these are things that I did well before my employment. All right, so that was the disclaimer, right? Good.

I actually did this presentation, some of the material, at DEF CON 23, and I got a lot of media attention. I was called a professional cyber stalker; that's not too bad. I got called the real-life Mr. Robot; that pissed me off. Oregon was a little nicer: Oregon Business Magazine called me the good hacker. So next year I'm going to be doing a presentation about how to make yourself a target for being doxxed, and that's how it started. So these are what I call my wall of shame. These are photos that were captured from devices of people who had stolen them, from recovered devices, results from the technologies I used. This is just some of the ones I can talk about. I blurred out the faces to protect the guilty, and we'll talk about some of those cases and why I do that. Some of them aren't blurred out. Not everyone likes the work I've done. I thought this was kind of awesome: I applied to speak at Black Hat to talk about this stuff, and one of the reviewers said, "I think you should reflect on the ethical implications of the technology you're happily distributing." And it's important that you know that kind of hurt my feelings, right? Because what I wanted to do is take this technology and help people with it, not only help you recover devices but also help people understand that these are the tools and technologies the criminals are using to track you. So that was my whole goal with this stuff. Anyway, it made me a sad panda, but I got over it and I presented at DEF CON that year, which was way better.

So some things you'll kind of see, this pattern: when Raphael was up here we talked a lot about machine learning and leveraging data science and artificial intelligence and things like that. When you're dealing with criminals, there's something you need to take into account. We need to understand that there's also real stupidity, right? Not artificial intelligence, but people will make mistakes, and these are the three things that I find usually lead criminals to get caught. The FBI and law enforcement rely on this as well. A lot of times they don't know how to solve a crime, but then they get lucky because someone screws up. Greed is the main one: usually when someone's committing a crime and they start to make money from it, they're going to start getting sloppy, they're going to start taking additional risk, and that's going to lead to additional mistakes. Pride: a lot of arrogance. Sometimes it's people just having a false sense of security, that hey, they haven't been caught yet, there's no way they're going to be able to track me. Another is just being lazy. We see that not just in criminals but in some of our environments, in our corporations, with our users. But those are things to remember, so if you are considering a life of crime, just take this into account.

So a lot of the work I did, I was always trying to understand, you know, what is it I'm looking for? There's sort of this underlying theme. There was a guy named Edmond Locard, a French forensic scientist. He was one of the first forensic scientists; this was even before fingerprints and things like that. His theories sort of led to the things we saw with DNA and fingerprints and things that are used in forensics and crimes, and of course he was talking about physical crimes. The idea is that when you commit a crime you take something with you and you leave something behind. It's now referred to as Locard's exchange principle, and I believe this carries over into the digital world as well. The trick is being able to identify where that data is and how to log that information, and sometimes it's in places you would never expect. I'll talk about that in some of the investigations.

So we talk about data, and there can be little pieces of data. It can start with a social security number; we can look at IP addresses; we can look at device IDs; we look at phone numbers, geolocation. There are all these little pieces of data, and a lot of times that data by itself doesn't mean anything. It doesn't identify an individual; it might identify a device. But some magical things happen when we start to do correlation, when we start looking at all these different data points that make that up. We can start to develop a profile of an individual, and we can even identify who that person is. Sometimes we don't have all the evidence, but this can be enough for probable cause to dig deeper into investigations, and I'll show you some examples of that.

So we look at all the different things: we talk about our laptops, our devices; we hear a lot about the Internet of Things, and people are always worried about "oh, they're going to hack my refrigerator," or maybe your microwave, right, because they're doing surveillance on us now. But I think the bigger problem here is the information that is gathering that data. It's being gathered, and a lot of times it's being stored in the cloud, and a lot of times it's these companies that are developing these tools that are not taking security seriously, and there's all this information that's available. So if it does get breached, there are ways to draw these correlations and start to identify patterns and behaviors. Things I've identified could be everything from what you like to do, your running patterns and things like that. All that information can be useful if someone's trying to profile and identify you.

So these are called crazy walls. Anyone that's watched CSI has probably seen these, right? The whole idea here is that you're gathering evidence and you're doing it over a timeline and you're drawing the connections. That's what we're doing in the virtual world, and when we talk about machine learning in security, that's really what we're trying to do: leverage that technology to help us identify these patterns in data, because that's what it's all about. It's identifying patterns, and if you're a hunter in an environment, or if you're doing this type of work, you sort of have this innate gift of identifying these patterns and maybe seeing things that other people don't see, and that's probably why a lot of you are in this field.

Just to give you a little example: me and one of my peers got tasked on a national TV show called Crime Watch Daily. They said there was a six-million-dollar smart home that was unhackable. Challenge accepted. We were able to hack into the home because the Wi-Fi password was the guy's cell phone number. The people that set this up didn't set the Wi-Fi password; he did. But once we got inside, we found that everything else had default passwords. We were able to monitor all the different devices; everything was still using the default passwords. So I got into the surveillance cameras, we did all these different sorts of things, and then for dramatic effect (you guys can watch the video, I'm not going to play it here) they had a party that night. We had 24 hours to hack it. We got into everything we could, and then we started [ __ ] with them. We turned the lights off, we lowered the curtains, we projected the security camera footage onto the TV, we started showing the faces of all the people that were at the party, scaring the crap out of them, and then we piped in some audio too. It was a computer-generated voice, Mr. Robot-ish, that talked about how we hacked them and stuff like that. It was fun, but it just goes to show: it's just a little piece of information, right? And we even talked about things we could have done there too. I had access to his computer, I got to his file share, I was able to access some of his information. That's where we stopped. We said we're not going to go any farther in there. We told him about what we could access, and we didn't leave that environment until we made sure that it was secure.

So we talk about the different types of data that get collected. There's data that is created by us, and this is data that we have control of, right? Information that we're aware of; we can delete emails and things like that, and we feel like we have some control of that data. But as we do that, there's also data that's created for us: your stock portfolio, when you access your medical records, when you look at any sort of analytics tools, right? This is generated for us; we don't have a lot of control of that. We may be able to delete some of it, but how far can we go? Then there's data that's created about us, and a lot of times we don't even know about this. I talk a lot with the FBI and investigators, and they say people think we collect all this information about people. It's like, no, we go to companies; the marketing department, they're the ones that have all the information about people. So when we talk about breaches of that kind of data, how important is security to those organizations? They're trying to make a quick buck, they're trying to profile people, they're using machine learning, they're doing all these sorts of things, but how is that information protected? Usually it's not secured at all. And then it gets even scarier with what I call boogie data. People talk about data exhaust and things like that, and this is where you start looking at it: it may be logged, it may have some information that can identify you. It can also consist of breach data, so information that you may not even know was in a breach, that is being sold in underground markets and things like that. We talked a little bit about darknets earlier; Michael Myers gets thrown in there, scary.

So to give you an example, just one thing I want to say: what do you guys think is the best way to secure your customer data? Amen: stop [ __ ] collecting it, right? We don't need to store it. If you don't need to collect information, if there's no business purpose for it, don't collect it. And if you do need to collect it, encrypt it, hash it, do something you can to protect that information. Not only are you protecting your customers, but you're also protecting your organization from liability if there is a breach of that information. When that gets out, was that part of your privacy policy? Were people aware of you collecting information? A lot of times people in business may not even understand how the information can be used against people, and it may not be that data alone; if you correlate that with additional information, like your flight information with your medical information, your histories (OPM, anybody?), how can that information be used against people? Just something to consider.

I'll give an example: Ashley Madison. I helped an organization with an investigation. They had some suspicions about a particular executive in the organization, and then someone was searching around and they found that, hey, our company name is in the data file. This one particular individual made the mistake of using the billing address of the company, he used the email address of the corporation, and then, dumb, he even used the corporate debit card. Usually the company wouldn't be able to do anything, right? It's "hey, whatever you do is your own business; legally we can't do anything here, it's between you and your family." But the fact that he was using this information, corporate assets, that became a bigger issue. So we were able to look at things: they had the billing address, they had the last digits of the credit card number. And there was even a defense where he could say, "well, someone used my email address and registered as me." Problem is, we also had VPN logs where we logged the IP address, and the Ashley Madison data also had the IP address of when that occurred. So then you also have the timestamps to go along with that, right? Busted. So we were able to correlate the IP address with the VPN, and there were also some endpoint logs. He had actually created a shadow corporate account. He was pretty savvy when it came to finance, almost kind of white-collar fraud, and he had a lot of other expenses. So this led to a larger investigation. They got board approval as well. They found that he was using this account to pay for golf, he was paying for bar bills, all sorts of different things, a lot of other things I won't even go into. But just to give an example of when that gets breached, right? Ashley Madison even told people, "hey, we're going to delete your information." He even tried that: the last transaction, he tried to delete the account, right? But this information was still there. So that's a violation of trust.

I also helped with another thing. It was Telmex, the largest provider in Mexico. They acquired a company called Prodigy, which was one of the biggest email providers at the time, but they did not keep the servers patched, they didn't configure things correctly, and as a result a lot of the emails in this one particular account were getting indexed by Google. So I worked with the organization to clean up this configuration, and I also helped make sure that that information got removed from Google. But a lot of the data we pulled from there, you're finding things like bank statements, a lot of other information, and it's kind of scary in a place like Mexico where some of this information can be used against people. So you never know when your email provider might make a misconfiguration and your data can all of a sudden be public. It's just something to think about.

So I'm going to change a little and go back into some of the actual tools that I built, focusing more on the endpoint and recovering stolen devices. I got really interested in USB-based Trojans. I developed a website called USB Hacks; you can download some of these tools I'll talk about. Go to usbhacks.zip on usbhacks.com; you're going to get an error, of course, that says it's malware, because it is. Just so you know, I have to put it out there, because people say "hey, I get a weird alert, oh [ __ ]." But there's a number of exploit tools that are available there. These are sort of old, like 2008-2009, when I was experimenting with these, but I was really interested in how these were being used. I'm a lazy hacker: trying to hack from outside, that's really difficult, but if you're inside an organization, holy crap, it was so easy. You can deploy all sorts of malware to the organization, you can download data; all these tools just made it super simple. So what I did was, I worked on my master's dissertation, where I was like, what if I can take some of these tools that have a malicious purpose and make them a good thing? So I took these USB-based Trojans and I made them a happy little Trojan, right? So you plug that into a device; if, let's say, that device gets stolen, it hijacks the computer it's connected to, then sends information out to a remote server. So we replicate information like the IP address, the name of the person that's logged in, and some other data. It just started out as an experiment; I didn't think it was going to be anything. I offered it for free. Back then it was Digg.com (for you millennials, that's like Reddit, back in the day), and it got Dugg to death. The site went down because it was on a shared host, but I got it back up and running, modified it some more, and used that data that was coming in to identify all the different types of devices that this would work on: basically anything that had USB mass storage I was able to track. And I developed a startup around this as well.

So this is pretty simple. It's taking advantage of a vulnerability within Windows. You can download the source code for the initial USB client that I developed, if you want to pick it apart; it's in C++, but it really leveraged a lot of the autorun capabilities. I also social engineered it so the file would look like a passwords file and things like that, so someone would be more likely to click on it. But again, this would hijack the computer it's connected to. Again, careful when you download the code; I'm not going to repair any of your computers.

So you think that USB is kind of old and done with, but we've seen it again. The Stuxnet virus was initially delivered via USB, and particularly when you look at industrial environments, or you look at medical environments too, there are still Windows XP systems that are still there, still vulnerable, still a target, and we've still seen this even today, even in 2017, we're still seeing this. If you guys are familiar now with the Bash Bunny from Hak5, I have mine on order; it's being shipped, it should be there when I get home. But basically, with the commoditization of these USB hacks, there's a number of them that are available. There's a lot of really interesting things you can do with these types of tools for 100 bucks, right? So, you know, the people that are going to be targeting organizations have access to these tools as well, so it might be good for you to play with these tools within your environment and see if you can detect them.

So there's a problem with the IP address. When we were doing these recoveries, a lot of times we'd get the username of the person, so that would be helpful evidence. But if you have an IP address, it requires a lot of work from law enforcement; it's a lot of paperwork. It's not an identity, so it doesn't put the person in front of the computer. Probable cause is also a big challenge. It's not always accurate, it takes a really long time, the legal process, and law enforcement is generally apathetic, or they're busy with other things, more violent crimes for example. So the first iPod recovery I had, we got a connection and the username was "Kalapacos family," and there was only one person in that particular organization that had that last name, so that was a very simple one. It just gives you an idea: if you have an IP address, you have additional information you want to collect; collect as much as you possibly can.

Then I got approached by a company that makes thermal imaging cameras, and they had a problem because these devices cost anywhere from like five thousand to three hundred thousand dollars. They also had an issue with these devices because some of them were export controlled; they weren't allowed in certain countries. So what we did was we built a special version of the software that would rewrite itself, so if, for example, they removed the SD card and they put a new one in, the firmware would see "hey, this is a new SD card" and it would redeploy the Trojan. So if someone does connect that camera, then we're able to get the location. We got some interesting things: some devices showed up in the Middle East that shouldn't have been there. There were some IDs that we also attached to that as well, so we could identify the distributor, right? So there's some interesting things you can do there as well; that organization lost their business. I also disguised the Trojan as a thermal image itself, and that's the one I used right there: my cat, his name was Nabi.

I'm going to go on a quick tangent too. It's like, well, these are all Windows; what about Mac? When I worked on this presentation for DEF CON a couple of years ago, I found some old source code and I brought it back out: how you can develop the same, similar tool for Mac products. So I'm going to talk about how to build a USB Trojan for Mac. I used AppleScript. Why? Because it's trusted. AppleScript is trusted by all the different applications in the operating system. I'm also an incredibly shitty and lazy coder; I'm not going to learn Objective-C or Swift or whatever the hell it is now. But AppleScript, even though it's a real pain in the ass to work with, at least I know it's trusted and scripted and I can easily develop tools for it. One thing I found was that OS X has a little security thing where if you put on a .mp3 extension, it'll throw a .app on the end to tell people, like, this isn't an MP3, this is an application. So what I did was, there's these things called homoglyphs. All right, nobody chuckles; all right, you guys are all over 12. So I used this character called an ogonek, a Turkish character; it looks like a period with a little tiny tail, but users can't see it. If you threw that on the end after .mp3, then it wouldn't throw the .app on it. I told Apple about this and they said it wasn't a vulnerability, so I'm now publicly talking about it. This is kind of what the contents of it look like. Somehow I was able to take that script and make it useful, and here's the actual code. If you guys want it, you can't see it, I'm sorry, because it's kind of small here, but it's on my GitHub, kwest, Apple Razor, and you can download the actual code and compile it. But the idea here is I use system info and some other things that are available to gather information about the system, the user that's on that system. I got really frustrated because I was able to open up a web browser and I could exfil data through the query string, but it's really obvious to the user. So I'm like, hey, instead I'm going to use iTunes. So that's what I do here: I tell application iTunes to activate, and then I want to open up this URL, and in that URL I pass all the data through the query string, and then when it does that, it responds back with an MP3 file. So they think when they clicked on the MP3 they're actually listening to an MP3. And usually I know when people are downloading this in the presentation, because I used the Rickroll song, so when someone starts playing with it in the audience, yeah, anyway. And then down here you can also do shell scripts; you can call a lot of other things too. So this was actually an exploit when I released this at DEF CON for Mac. They can do some nasty stuff, but just be careful with it. People will ask about Gatekeeper: yes, Gatekeeper will block this now, but back in the day they didn't have Gatekeeper, and a lot of times I found users don't always have Gatekeeper enabled, so that might be something you can leverage or take advantage of, and I've also heard that there might be a bypass.

So kind of getting back to this: when I started doing a lot of recoveries, it's not just the machine data itself. We had one device that was pinging out; we were getting an IP address for AT&T, but then we also got a connection to a computer lab at the University of North Texas. The flash drive belonged to a professor; he had a bunch of research on it and it got stolen from him. He wanted it back; that's why he had our software installed on the device. So we tracked it to this computer lab, and then we talked to campus security, and we found that, okay, we have a timestamp of when that device was plugged in. We also found out that the organization had had a number of laptops stolen, so they required a student badge to be swiped in, so we had badge information in the log data as well. And then we also found that they had security cameras as well, so we were able to sync that with the timestamp, and we were able to identify who actually had that flash drive, and we got it back for the professor. So just an example: a lot of times you need to think about all the different data sources you may have available to you when you're doing these types of investigations. If you get stumped, just ask around, see what other information might be available.

So after that, I thought about how I can use this technology to recover stolen laptops themselves. At the time there were a number of tools that could do that recovery, but a lot of them I didn't trust, because they provided a backdoor into the system, and I was real nervous about that. But I said, you know, it's my device; what if we can develop a tool that I can track it with? So what I did was leverage the web camera, which wasn't particularly new, but we combined that with geolocation. This was around when the first iPhone came out, and it was using Skyhook Wireless; it was using Wi-Fi to get location. So I approached them and I got access to their API and was able to use it for theft recovery in a tool, and it gets us within 10 to 20 meters, which is perfect for what we're trying to do with theft recovery. So we would capture a photo of the person that stole the computer, we'd look at the location, and we would send it every 15 minutes or so, and we were able to monitor the activity of the device. So if a laptop got stolen, we could identify who had it. At the time I didn't want to build the infrastructure at the backend, so I just attached into Flickr. So if you had a Flickr account, you would have your laptop; it gets stolen, you activate tracking, and then that data would go automatically into your Flickr account as private, and then you could provide that to law enforcement. It worked really well. So we used the wireless, and now every device has location built into it. You can access it with most APIs and those scripts, so you could home-grow this now; even with the Google Maps API you can get location data as well.

Here's the first recovery I had. It was an iMac that was stolen in New York, along with a bunch of photo equipment. You'll see in the background there's all kinds of other really cool stuff; this guy has a lot of really cool toys. The police went in, and I swear to God, the police officer, he'd worked with some of these other tools, he was like, "great, now I've got to do all this paperwork," and he's calling me, like, "you've got to, you know, I have to get the information." Like, no, I have the location; look at the report, you have the location. And he didn't believe me, and so I said, no, believe me, print this photo out, go to the location, ask around if anyone has seen this guy. And he's like, "don't tell me how to do my job," all right. But then he did it, and he got the recovery, and this guy was a tattoo shop owner, and this was like his back office, and he was fencing a lot of other stolen property. And after that they were like, "you want to be my best friend; next time I'm in New York we're going to go see a baseball game" or something. So that was cool.

Another one we had was in Portland, Oregon. All of a sudden a lot of the schools in Portland were getting hit; laptops were getting stolen. So I approached them and said let me help you guys out. We deployed our software on a number of bait laptops that weren't locked up. It was weird: they would get stolen, they would replace them, and then two weeks later these people would come in and steal them again. It was crazy. So we started getting connections from one of them. We got the data, and then we mapped it out; it was in a house in Vancouver. I had to work with the police on this one in Vancouver, and it was frustrating because I gave them an address, it's within 10 to 20 meters, to go to the location, and the police officer knocks on this guy's door, the guy opens the door, and he knew him: this guy is the guy that works on his roof. And he's like, "this guy's not the criminal; your technology doesn't work." I got pissed off. I'm like, [ __ ] you, yes it does. So I drove out there, and I had my laptop and I was looking at the Wi-Fi networks, verifying that the data I had was correct, and then, I swear to God, out the door there's a guy, this guy right here; he walks out of his door, right next door. And the network we had was "Russian pride" something or other, and on the bumper of his car was this thing about Russia. So I'm like, great. So then I called the police. They came out, and they said, "yeah, this is great; now we can actually follow it up. It's a good thing that he didn't see you, because he's got his friend across the street that lives close by and he's bad news." I'm like, what do you mean? "Yeah, he got out of prison; he almost tried to kill someone." I'm like, all right, thanks guys, awesome. But anyway, I learned a lot from that, like, don't get too close.

Another one we had was Victor. There was a laptop that got stolen and we didn't hear anything from it for like two weeks. I got really pissed off; I'm like, great, our technology doesn't work; maybe they reformatted it or sold it for parts or something like that. And then all of a sudden I started getting pings from Missouri, of all places, and it was this guy, and I was tracking him all over. I saw him in McDonald's, he was in a hotel with some girl in the back doing God knows what; he was everywhere, and we had a lot of information on him. The nice thing that he really did (I'm going to step out of my box, sorry) is that he changed the username to his full name. So remember I talked about the vulnerabilities, the stupid? That's one of them, right? So if you steal a laptop, don't put your full name into the user, okay? All right, so from that I was able to go to MySpace. I saw he was a really big Scion car fan; I found that his username mapped to a bunch of car forums. It was really cool too, I also had his license plate number; that was really nice of him to take a photo of his license plate for me. He was selling a lot of parts on eBay for cars, so again, what kind of business is he involved in? And then he ended up, he's a nice guy, he sold the laptop along with a stolen bike to his friend. And what happened was that his dad is actually the one that gave him the laptop, and what was happening was they were loading up a bunch of stolen property into a van in Portland and then they would ship it to Missouri. They would then load up a bunch of stolen property there and ship it back to Portland, because if your stuff gets stolen, where's the first place you're going to look? Craigslist, right? So that's what they were trying to do, and they did all this thing, and it was his birthday and his dad gave him a stolen laptop. Yeah, that's sweet, really sweet, and a criminal record. Thanks, Dad.

We had another one that was more violent. It was a carjacking in Brazil. It was a veterinary student, and these guys put a gun to them and said "get out of the car," smashed the guy that was the driver, his friend, broke his nose, and they took off, and they took the laptop with them. We were able to get these photos, provided the information to the police, and they were able to get the laptop back. This was a good one too, because he was a veterinary student; he had a bunch of his final work on there, it was his final year, and he didn't have it backed up. So I feel pretty good about this. We also got the guy that broke his friend's nose. So then I looked at how we can apply this to the mobile side. The geolocation became a lot easier; we
looked at mobile devices the IP address is a little more problematic because it keeps changing with the different carriers we then also wanted to do photo and contact back so the devices we find that people don't really care about the value of the phone they can get a new one but they care about the data but I didn't want to have unencrypted data I was really nervous what if I get hacked I'm very paranoid right what does I mean for a customer so we actually developed technology where you would install the software you would enter a privacy key the only you know knew that would then encrypt the data and when it gets uploaded you can download it and then
you would enter that encryption key and it would decrypt the data so that way even if FBI came to us and say we need all these guys photos here's your encrypted blob now you need to go and you know go talk to them about getting the key we're hands off and if we do get breached we wouldn't have these sort of you know the fappening types of situations where backed up information becomes compromised and I'm going to talk let me play a video here hopefully this works this is actually this technology got deployed to a number of wireless stores they actually deployed them to their demo units and so let's make sure this works of course it's not going to work
Try it again.

[news clip plays: a local TV report on demo phones stolen from a store at Washington Square Mall and tracked with the software, with store security footage and photos sent back from the phones; the captioned audio is unintelligible]

Anyway, I'll skip. So it just gives you an idea: we have the surveillance camera, we had a lot of information. For whatever reason the phone wasn't sending the location data as we needed it, but we were able to still get the location data from the photos themselves, because they had that EXIF data in them. So we have the GPS coordinates of where the phone was taken and a timestamp. That was really helpful
for the investigation. Of course, having the trip permit as well, that's just gravy. They ended up getting these guys, and there were about six or seven people that were actually involved in this particular group, and they even recovered a stolen car. This wasn't the car that we recovered, but one of these guys already had a warrant out for his arrest. So again we unveiled a larger crime ring.

And so when I was doing this, there's a lot of data that's actually embedded in images. It's not just within cell phones where you have GPS coordinates and a timestamp; I also found it in higher-end digital cameras. They would embed the make and model as well as the serial number of the camera, right. So that was really interesting to me, and I was like, what if I stored those away, because I could search for the serial number of a camera to identify all of the photos that were taken by a particular camera. And I actually found that these are all the different makes and models of the cameras that actually will embed the serial number of the camera in the EXIF data.

A good example was, a reporter actually reached out to me when celebrities had some photos compromised, Scarlett Johansson. I had to download the images, for research, research, research, people, keep it clean. The media was saying that the phone was hacked, when in actuality if we actually look at the EXIF data it reveals that it was from multiple phones over the course of several years, and the point of compromise was actually email, with this guy Chris Chaney. He's now serving 10 years in jail, because he was guessing the passwords. The passwords weren't particularly complex, and that's how he was able to get access to the images.

So then I thought there's got to be a way to mine this EXIF data. At the time I was working with a friend of mine who had a startup called CPUsage, and they actually have sort of like the SETI@home model, right: instead of volunteering your computer time, we would actually pay you for your computer time. So I had access to like 500 to 1,000 computers. What we did was we got around Flickr; I was trying to use just the API, which of course limits how many requests you can make. I got this stuff, I'm like, there's got to be a way around it, that's what I want to mine. So I used those 500 computers from all these different computer labs from universities and other places all around the world, and then we started mining the Flickr data, and we were able to do, I think it was like 5 billion images within about 2 or 3 weeks. We were able to grab it also from other sites like 500px, Panoramio, TwitPic. I found that Twitter will actually scrub the EXIF data from the images you upload, but a lot of the profile images still have the EXIF data. It was really weird: you'd find these tiny little thumbnails and there'd just be tons of EXIF data, including GPS coordinates and serial numbers and all sorts of interesting things. So we mined that as well, just for research.

So the way it works is we would mine these sites, we would actually download the data, we would have this information, we then put it into a database, and then again I launched it as a free product. You could just do a quick search on the serial number and we'll show you all the different photos we actually found that were taken with that particular camera. And we actually started getting recoveries. It got featured in the New York Times and The Economist and some other publications.

Reporters heard about it; this one guy, John Heller, had a camera stolen about a year prior. He did a search and he got a hit on Flickr. We then were able to map that username to another account on Facebook, and it was a guy who was also a professional photographer who just happened to have photos of all of his gear, and there was his camera. He was like, that's my camera. He contacted the police, they got involved. What happened was he was at the Egyptian Theatre, and somehow like $7,000 of camera equipment, he was on assignment for Getty Images, and he turned around to talk to someone, turned back around, all his gear's gone, right. For an independent contractor, six, seven thousand dollars of camera equipment, it's pretty scary. So the guy stole it, he then sold it to someone on Craigslist, and then he sold it to someone on eBay. So what we were able to do is actually track this guy who had it on Facebook. He bought it from someone on eBay; the police went to that guy on eBay, he bought it from a guy on Craigslist, okay, what was the address, they went to that guy's address. This is a year after the camera was stolen. They go back to this guy's apartment and they find all kinds of other stolen property, right, so he got busted. Bad thing is, the guy that had it at the end there, he didn't commit a crime, but he was in possession of stolen property, so he did have to hire an attorney just to make sure that all the stuff got worked out. But the first recovery was just using a little bit of EXIF data, right. So this put people on notice that a camera can be tracked if it gets stolen, a year, two years, three years later, and that guy got arrested. There's a copy of the receipt.

So we had a few of these other ones. Another one, a guy tried to sell a camera on Craigslist, and he looked it up, and there was a case where he was showing someone the camera out in his garage and then this other guy drove up in his car. The guy he was showing it to hit him in the face, knocking him to the ground, took the camera, ran off. And so we were able to identify who had it, and it was this guy. We had his name, identified his business, he was a professional photographer and DJ, he had addresses, we had some domain registrations, we were able to get a cell phone number from his ads as well, identified all the social media and photo sharing accounts. He had about 12 different high-end cameras that he would get every 12 months, so we actually mined all of his images that he was posting. He was trying to do this thing with girls, like, hey, if you want to be a model, I'm a professional photographer, that sort of thing. But he had tons of photos, some photos he probably shouldn't be taking, so you had photos of his marijuana, he had a photo of him holding a firearm up to his head. There wasn't a license, there were no registered firearms under his name when we talked to police. He liked to take photos of him and his friends smoking marijuana, as well as going to a concert, I think it was a Jay-Z concert or something, they were smoking weed on the way, looking at the date stamp. And just a note: if you are going to take a photo of yourself smoking weed, make sure you don't take a photo of your speedometer going 110 miles an hour, because then we had geolocation, timestamp and everything that he was doing. So the police really liked this one; we gave them all this information, right, all sorts of probable cause. Interesting things you learn about people.

And so with this technology I was actually approached by ICE. There was a child exploitation investigation unit, and they wanted access to this via API. The idea here is that Joe Sicko is taking photos of kids and he's uploading them to darknets, right, so those images may have EXIF data still in them with serial numbers, and we'd be able to match that up with maybe that same camera that's being used on Flickr when he's taking a photo with his family at Disneyland, right. So they were actually using that API. They couldn't tell me if they'd caught anybody, but I'm just giving them free access, and I'm hoping that maybe they got one or two guys with it; that'd be great.

I also went to a Thorn hackathon with Facebook, Facebook and Thorn, and one of the challenges with this is that sometimes the police will come, they'll see a phone or they'll have an image that may have been sent to a kid on social media, but they don't have time to do a forensic image of that device. It can take months or even longer than that. What this allows them to do is actually be on the device, right, immediately. They can actually upload an image to this tool, Xiao, and it'll tell them if there's any GPS coordinates, serial numbers, anything that's identifiable in that image, and they can do it from a mobile phone and they can do it from a laptop as well. So sort of a simple solution, but it's something that is being used by law enforcement.

And that was it, man, I was right on 45 minutes, so I have a little bit of time for questions. Or do you guys just want to go drink beer? Right there, do a microphone. Sure, I can. You can scream and I'll repeat it.
So, would any one of you guys, experts, think or investigate what's going on now with Russians, and would you agree that at least professional state-sponsored hackers from a foreign country would probably not leave obvious signs that they are involved in it? Or is anyone looking at this from the professional side? Some are looking at TV and stuff, and it's like, come on, it's so obvious. Are you guys involved in this, and do you have any insight on that?

Yeah, I don't want to comment. I don't get involved in the nation-state stuff; that scares the crap out of me. When I was involved, it just, to simplify, I don't want to go into details, but really, anyone here can probably agree, if I'm a professional hacker on that level I would probably not leave my own signature in that software itself, right. That's kind of its own predictor. There's always, no experts are standing up and saying so, right. You're always looking for someone to make a mistake. I've been involved in other types of investigations that are more like intrusions and things like that, and you talk about attribution and things like that. It's a lot harder to prove, but you can start to look at some of the larger campaigns, incorporate intelligence, additional data sources, and you can start to make assumptions, right, but you're not going to be able to actually prosecute them or get all the evidence unless you get the other nation states actually involved to help with that investigation, right. So a business, they can only do so much, the FBI can only do so much; if some of these countries are not working with us, they're not willing to participate, then your investigation is only going to go so far, unfortunately.

Right.
Yes, so you mentioned with Twitter they seem to scrub EXIF data. That seems to be becoming more popular, with stuff like imgur.com scrubbing EXIF data on image hosts like that. Does that thwart some of your efforts?

Yeah, for this. But one thing I did learn, in one investigation, I won't say which social media platform, is that that information is still stored. So if you believe that there might be evidence associated with an investigation, you can actually go to some of these providers; they either have the original image uploaded somewhere or they've actually extracted a lot of that EXIF data. I've actually found that a lot of the data that's in those images does have marketing use, looking at GPS coordinates, things like that, make and model of a camera, so some of those organizations are harvesting that information. It's available either in a database or they have the original image, so if you're in the FBI or someone like that, they have access to that information still. So if you're involved in crimes, you want to make sure you scrub the image before you upload it to a website. They already know this.

Question here. Thanks, that was an awesome presentation. There's a couple of buzzwords you didn't talk about, and I'm just kind of curious how these figure into your work, mainly MAC addresses and IMEI numbers in phones and laptops and stuff. How accessible are those to forensic departments? Are they just staying on the router and therefore not going over the wires, so you just can't really do anything with them, or are there ways to work with those?

Yeah, we include those, we include that in the software. We get the MAC address for systems, and the IMEI, the IMSI, all that information, anything that's available in the SIM card we're able to pull. Yeah, we have access to all that data; it's in the report.

We've got another guy here. Oh yeah, two mics, guys. Really just a quick question: the problem with the EXIF tool is that when you create, oh, not Snapchat, a screenshot from the picture, then you have no data or metadata of that picture. So is there any idea, do you have any idea how to overcome that?

Yeah, so the question was regarding, it's pretty easy, you can easily scrub information from images; you can also take a screenshot of the image, right, so that was your question, it removes all the data. Well, there's other technologies that are available for that. If you look at Microsoft PhotoDNA, they're doing some really interesting things, particularly for identifying what they call innocent images. So even if you take a screenshot of it there's ways they can actually look at the image itself. And there's some really interesting things: at that hackathon I went to there was a bunch of data scientists, we had data scientists from our team there, and they were showing all these really cool things. The guys that actually did this stuff, they're actually looking at, when you go to a hotel, take a photo of the bedsheets and everything like that and upload it, and they're able to use machine learning to identify these images. They can see, like, if it's a Holiday Inn in Texas or something like that, they could identify some of that. There's a lot of really cool things in the images themselves, but that's for people that are way smarter than I am.
You just mentioned or alluded to this in your previous response, but I was wondering what your experience was with the various image recognition engines. There's so many more of them making themselves available, and they're growing in performance and maturity and affordability. So have you started to integrate those tools into the work that you're doing, or is it still early days?

Well, I think there's a lot of really interesting things on the machine learning side with the images, kind of what we were talking about too with, like, the PhotoDNA and things like that, and that kind of gets beyond what I do. I deal with just, like, data. I'm really bad at math, so I'm good at investigations. I might leverage some of those tools to do an investigation, but yeah, there's a lot of really cool stuff that's happening; again, it's kind of beyond my skill set.

Hi, why is it that you don't like being compared to a real-life Mr. Robot?

Yeah, I'm not that smart. So that's the thing, is like a lot of this stuff I kind of stumbled into. I didn't really create a lot of these tools; I sort of had theories and I tied things together, right, there's got to be a way to bring this data together. And I train in defensive security and things like that. But yeah, when someone starts calling you Mr. Robot you're like, come on, [ __ ] off. Any more questions? So I'll be around, so if you want to talk to me some more, more than happy to answer more questions. Thanks a lot, appreciate it.