
Will Baggett - Broken Arrow 2022: Detangling Digital Domestic Situations

BSides Augusta · 2022 · 55:26 · 106 views · Published 2022-10
About this talk
I. Intro: Why this talk is applicable to the BSides Augusta community
  a. Online solutions and resources when time is not available to help victims
  b. Introduction: former CIA officer specializing in Tech/HUMINT Ops, now Digital Forensic Investigator/Fraud Examiner/Threat Intel Manager
  c. Setup for the talk: Control the Environment, Identity Theft, Data Availability
II. Body
  a. Control the Environment: risk mitigation/elimination for the physical perimeter, routers, smart devices, social media, internet of things, printers, email, detecting PDF tracking beacons, and detection of surveillance devices (35 minutes).
  b. Identity Theft: discussion of the fraud triangle, resources available (3 minutes).
  c. Data Availability: the importance of documentation, offline storage, reporting incidents (5 minutes).
III. Closing (5 min)
  a. Emphasize the previous points with examples from popular movies (i.e. Star Wars would have been short if C-3PO's data was deleted, not wiped; the live memory analysis of Nebula in Avengers: Endgame; Bail Organa's incredible OPSEC failure in Kenobi).
  b. Applying the four F's of ending a relationship (firm, friendly, final, and fair) to socially engineer graceful departures from difficult situations.
  c. Share an acronym our intake team at OSE uses to resolve most digital abuse situations: "it was AGATHA all along" (Apple, Google, Amazon, Telephone, Home, Access).
  d. Close and take questions; how to get assistance from Operation Safe Escape and how to volunteer with Operation Safe Escape.
Transcript

...is the current director of digital forensics, is a former CIA officer, and he was a fire security Special Operations... I see. Thank you, and welcome to ME 501. No, wait, that's his class. It's my son. And here's a hump, Will Baggett.

Thank you for coming out. Glad we all made it here from the hurricane. And my mics aren't on, so this one on? All right, all right, all right. Thank you for coming out. My name is Will Baggett. This is Mechanical Engineering 501. Oh wait, no, that's Will's joke; he asked me to make it before I walked in. That's my son in the front row over there. Tyler... the talk is Broken Arrow, and they're all now laughing at him. Fantastic.

Broken Arrow, so that's the Army term back in the '60s. If the American forces are overrun, they would send it out over the radio to ask for any and all air support in whatever means, whether it's a B-52 for blanket bombing, napalm, or even a Cessna just giving a little bit of guidance so the American troops would know which way to navigate away from the enemy. And I say that because, working in the cyber field, a lot of people come to us and say, you know, "I've got this situation." Before, it used to be "fix my desktop," back when, I'm dating myself, I realize, but back when we had desktops that people would build. Aside from gamers and crypto miners, building your machine was an issue, and the common person comes to a cyber security person, an IT person, and asks him to build it. That's now shifted from fixing things; generally laptops and phones are non-repairable, generally ifixit.com might help. But now it's "fix my situation," whether it's "I'm being gang stalked on Instagram," or, you know, "my ex knows everything I'm doing on iMessage," you know, "I think my account's been hacked, can you come help me fix this?" And that talk's relevant because here in Augusta, between the national lab and the things that go on over at Fort Gordon, we might be... like, I'm still in it, but we might be the superior at building drones that go deep underground to take nuclear measurements, or we might be able to determine how many people of interest are living in a house in Pakistan based on the water draw and power draw, through sources and methods. But when you leave that SCIF life and come back out to your car and start to drive home, and in Georgia you can't touch your phone for however long it takes to get back into your house, that's when you truly get back into the civilian world. You might be a GS-1510 looking at something truly in-depth and technical, but once you get home... Again, because he's here: I didn't know you can make phone calls through Snapchat, and I was a comms expert for CIA, for the counterintelligence group, but we didn't know that because we don't play with Snapchat. And, you know, you can still learn from people. I didn't know you can make phone calls through PS4. No idea, never thought to make phone calls, because I'm an adult, I have a phone. But you can, and you can actually stalk people and see what's going on. One person, she built a scraper to see how long people had been online, the amount of time they're spending on video games, and took that report to the judge to say, you know, "this person claims they can't get a job but they spend 80 hours a week on Call of Duty Black Ops Zombies; they can obviously get a job."

So from all that, when they come to us and say "can you help us?", our inclination says yes and we want to do something. So on the job a lot of us have seen this: you basically sign your life away (and the graphic looks a lot better on a small screen than a big screen). You basically say you consent to all monitoring. And then after leaving the intelligence community and working insider threat: by God, yes, they mean they can see everything. So you've got Splunk; you can see all, if it's set up correctly, which if it's not, it's a lot of money, and that's why the Splunk engineers also have a huge salary. But you can see every bit and byte that goes to and from, all the email attachments, websites visited. Then drilling down with O365, which, that's not vulnerable one bit, but you can see all the email, all the Teams chats, away/active messages. All that can be harvested remotely without the end user knowing what's going on. With Druva you can connect remotely. Previously, before the virus, you would actually have to do dead-box forensics: collect the box, image it, and then look at the data. With endpoint software you can now go out remotely, collect just the files of interest, and look to see: is this person a flight risk for leaving the company? Is this a counter-espionage case? Are they looking to take our proprietary research and then sell it to the competitor, or take it with them for a new job? And even McAfee, you can see which USB device has been plugged in, what was copied to it, and where the data went. You can get the full pattern of life without the end user ever knowing it. But again, going back one slide, you agreed to that as part of the job. That doesn't work at home. People should have a reasonable expectation of privacy, and legally they do.

And I've got this in here for a pause. I gave this talk at DEF CON, and one of the, not critiques, suggestions was for the short version, the TL;DR version. If you need resources, if you go back to the Augusta airport, if you're flying out of here: "oh, I heard this talk on escaping domestic digital abuse." The takeaways are: go to askgrows.com, safeascape.org. It's a collection of people like myself; there's the founders working for DARPA, people tied to Facebook, Instagram, Twitter, to help work to squash some of the issues people are having. If you want to volunteer, we always need more volunteers: help at safeascape.org. Or if you know somebody who needs help: help at safeascape.org. We'll parse the email where it goes.

Off of this, if you've taken any cyber security class, you're familiar with the triad: data confidentiality, data availability, and data integrity. I've got a hundred-plus slides. My old mentor did eight slides in four hours; a lot of people falling asleep in that class. So you lose attention after six seconds. I have a lot to cover. This is basically a week of counterintelligence, technical counter-surveillance, crammed into 50 minutes. The slides are available if you want; I'll give my email at the end. But we've got this, we all know that. So from that triad, the risk mitigation principles for the domestic abuse front: you need to control the environment, be aware of identity theft, and you have to make sure you have data availability. Unlike AWS, Azure, maybe DigitalOcean, and maybe how the NSA has a site out in Utah, the data related to these specific domestic cases, that's the only USB drive, that's the only hard drive you have. From this, you have to make sure you make additional copies, because if you lose that, the person you're helping won't have any evidence whatsoever of the abuse. But out of everything, you have to control the environment where you can. And from that it breaks down to another three points: the personal security, the data security, and social media leaks.

Personal security is obviously the most important one. The horrible example, but the flight that went down, the Malaysian 317 flight that vanished: "oh, everyone's dead, but we have the black box." It doesn't matter; everyone's dead. You have to take care of yourself first and foremost.

Now, cyber practitioners, this is one of the newer slides. We've refined the process at Safe Escape. You have to look for the IOCs, just like when you're dealing in a SOC environment. One: is this person, why are they concerned? How do you think this is happening, and what are the indicators of compromise? Why do they think that something is going on? And we've learned over time improbable doesn't mean impossible. Most of the cases are just coincidence. There's some true hacking, and we've had some black hat hackers who actually pursued the victim digitally to erase the evidence of their abuse, with some zero days. They've earned some unreported exploits in order to try to erase evidence, and he kept reconnecting her devices to make sure that pictures of her abuse were erased. It was a cat and mouse game, but that was a very unique situation; that was one out of hundreds. But it did happen.

So, kind of tying this into last night: you never have to ask permission to leave a dangerous situation. "Getting off the X" means if you think you're in danger, it's okay to leave. No bad situation ever gets better by sticking around. You know, last night, looking at driving down here from Charlotte, we were looking at I-77 and looking at I-20 westbound, and we'd have driven straight through the middle of the hurricane, tropical storm, coming over to here. Or we wait till the next morning, get up early, and drive in. If I've just spent two 12-hour days worrying about O365 vault, about a remote connection vulnerability for a computer I'm never going to see, plus a new hypervisor vulnerability, again on thoroughly dispersed machines sitting on AWS cloud, why would I risk my personal life to drive through a storm to speak when I can just wait 12 hours? I didn't ask permission; it was just "we're going to wait." That was a smart call. Same thing if someone's in a bad situation: leave first, make it to the next day, and then start to rebuild from there.

Getting off the X. Again, this is a domestic abuse digital case; however, have your bug-out bag packed just like for a hurricane: your wallet, your keys, important papers, baby's passports, baby's documents, baby's vaccine records, your phone and the charger, because my iPhone battery life is terrible. And you want to keep the devices with you, but you have to consider: what if there's stalkerware? Some of the people, I don't like to say victims, some of the clients we've worked with have been very ingenious. One of them was a vet, and she kept her alternate phone, documents, and prepaid credit cards in the safe, her medicine safe, in her office, and said that if my ex breaks into the office, breaks into the safe, they're not just breaking and entering, this is a major felony, because there's controlled substances, and the police are going to respond much differently than just keeping these documents in my car.

Now, that said, here's where we want to split a little bit. We've got a person leaving a bad environment, and then we've got: what if that person leaves the house, leaves the apartment, leaves the assigned housing? Walk through a couple of things. First, you want to change your passwords. That's obvious; I want to say that a lot, you probably won't hear it in your sleep, I want to say it in my sleep. You want to change the locks and codes to your alarm panels. The third one added in because it seems so bizarre, again being in the cyber security field: there's a flap you pull down on the garage door panel to enter your code to unlock your garage and raise it, and it said, "if you forget your code, do this to gain access," right there on the door. I mean, username admin, password, right there, hard stamped at the manufacturer. That's a bad thing. If their person has a shared garage door opener with someone else, when the locksmith comes out, that's something else to remember to get re-keyed. This is physical perimeter hardening first and foremost. The police getting a phone call "this person came back into my house with a key," that's one thing, but "they broke in because I changed the locks," they're going to respond much differently.

Now from there, on a known safe machine and a known safe network, change your security passwords and questions, meaning something you wouldn't find from a genealogy or ancestry.com or something posted on Facebook, because it's okay to lie online. It's okay. As Americans we're conditioned to always tell the truth, and for those of us who've been through polygraphs, they don't want the truth for four hours, they want it for eight hours because they get paid for the full day. But you can't say that. Wait, I did say that. So it's okay to, like, "where did your parents meet?" Ouagadougou. "Oh, where did they get married?" Tatooine. "What was a memorable experience in your life?" Living in a van down by the river. Something. They're not looking for the truth; they're just looking for the right answer that you've put in. It's okay to lie about this. My niece is over here laughing: "oh, Uncle William told me I can lie." Yes, lie. Don't tell the truth online, except to your mom, because she knows where you live.

Okay, so the locksmith is coming, the apartment manager's coming, they're changing the locks. While you're waiting, look at your router, have your technical friend look at your router. And here's where I'm going to start saying: capture evidence if necessary. The only things connected should be things you recognize. So here you've got a Galaxy phone, an iPhone named PC, because, separate conversation, if you name it "Colonel Smith's phone," now you're beeping out to the top of the target list when you connect to, say, a Starbucks. Who goes to Starbucks? But you're still, "oh, this guy is important to the military, let's sniff his traffic with Wireshark," versus "PC phone," who wants to look at that? So this is good; this is a normal looking network. If you see something unusual, stop. Call law enforcement, because if you've got a bug in the house or a remote camera, that's also a felony, and as professionals we stop, we get law enforcement involved, because we don't want to tamper with evidence. You can also, if you feel like it, look at the log to see what device has been coming and going through the network, what else is connected, what's going on that you don't regularly see. Again, the standard disclaimer: I can't talk about every log location for every router in production. Google it. Another option would be, if you feel comfortable, if your person has the time, get a new router. Go to Comcast, I know, I know, go to Cox, Xfinity, wait for Xfinity, get a new router, get a new IP address. And some ISPs will let you set a safety phrase, challenge and response, so that if you call in, only you would know that. Take note of what it is, because if you forget it you won't get any help. Source: trust me.

Now on iPhone 6... yeah, iOS 16, they've got a great new feature, and this has mitigated, eliminated a lot of the intake issues we had, a lot of the stalking issues. You go to Settings, Privacy & Security, Safety Check, and then Emergency Reset. That just nukes everything that's had access to your phone. And Manage Sharing and Access. You can go to Lockdown Mode, filtering out iMessages so you don't get phished, shared albums, all the data that's shared, that gets it off so it's not inadvertently leaked out. There was a NATO person who had been doing sensitive site exploitation over in Iraq, didn't know it; grateful he admitted to the class, not admitted, but he had been taking pictures of sources, stuff, and things, and that family album was shared out, or that shared album was sent out, to Memaw, Papa, and the whole family, of stuff they probably shouldn't see, probably a little bit classified. But there you go, because of this shared setting. Plus, you don't take your iPhone to combat, but that's a whole different issue for another class, for another day.

The lower versions of the iOS, iOS 15 and below: same thing. Go to Settings and look to see where you have dropped copies of messages. There is a case that had been ongoing for five years that actually got me into this field, and the person's iMessages had been drop-copied to her laptop but also to the iMac left behind at her ex's house. So everything she was doing, iMessage and then her email, he was getting and then presenting as evidence as to why she shouldn't have the children. So she was going out with friends on Friday night and getting a babysitter; she got served with change of custody papers for, you know, "you left the kids at home on a Friday night with an unknown person, you're not fit to be a mother." Multiply that over multiple cases over five years, range of resources, and it's exhausting. But talking to a technical professional: here's where the leak is, let's fix it.

We also ran a honeypot trap where, honestly, her person and I talked offline. We went to WebMD, pulled three random diseases: channel A, channel B, channel C. We discussed, or she discussed, having these symptoms, and when we ascertained that this is the one that her ex-husband came and said "you're unfit to have the children because of this," okay, we know it's this channel that's leaked out, let's look at where it's going. That got turned over to law enforcement, CSI; I backed out because I don't want to deal with law enforcement, and things went from there. She's got her life back, all because, again, I want to change her password. Not victim, always change your password if you're unsure, but something like this makes a huge difference.

Part two: on the iPhone, it's fantastic in that you can be on your Mac, you have a text message, and then have it propagate through all your devices. The downside is the exact same thing happens, where you can forward your text messages to multiple devices. Again, if you're helping this person and see that their ex thinks they're Q from James Bond, and all they did was enable a toggle button at his device, really, that's not hacking. But again, take your screenshot, call law enforcement, and then let them deal with it. But now you know where the leak is coming from. And again, you've got your Blue Force Tracker in your pocket. If you're sharing your location with unknown people, like Life360, something goes on and your ex knows everything, it's probably Life360. Apple has this by default; same for the shared family albums. Make sure those are disabled as well. You want to start mitigating the leak and controlling the access. Same thing for Android: you would go to recently used devices, see where you're logged in.

And this was a fun one. Show of hands: has anyone used Google Takeout? All right, what does Google Takeout do? What do you mean by all? I would toss it, but liability. So, lock pick set, thank you, use it responsibly. "All": everything. All, he literally meant all. We would have throwaway accounts for the troops to use at NATO. So they would use it for two weeks in class; there'd be a week, two week, month break; reactivate the accounts, wipe them, and then I would have them pull Google Takeout to show that here's what you did, and then two weeks ago here's what this person did for training in the two weeks before. So that if you lost control of your Google account while you're deployed, everything is out there. Which is fantastic if the person you're working with has been accused of something: you can pull down from the Google servers, authoritatively, here's everything done. Which is fantastic. Conversely, if the ex is looking for information on your person, it's still everything as well. So it's the good and the bad. Apple occasionally has this, Apple backup data, same thing, a lot more security controls, but it is the same thing. And I know that, you know, picking on my son, because I'm grateful he showed up, because I don't get to teach my son very often. But there was a, we got a Wonder Woman ad, like back in 2000, because I pulled it for my account. I got a Wonder Woman game ad; your sister clicked on it. So it shows here are the four stats and here's the ones that she clicked on. It gets that granular for what data is actually stored. And I'm looking at time; I've got a lot of ground to cover. He broke his iPhone in New Mexico, his iPad in New Mexico; I'm in Charlotte, I'm downloading his old data, because he was like eight or nine, ten, whatever, and I could tell, like, whatever video game, the level he was trying to beat. That granular of a full forensic backup was pulled down from the cloud to the very point where his phone broke. And Apple wasn't forthcoming with what they do forensically for backups, and that's when the light bulb came on: if I can get a full copy of this device remotely, and Apple isn't featuring this yet, how can we use that at the company for collection? Because now I don't have to go first. Anyway, the amount of data that you can use to protect yourself in court, or the amount of data tha