
Broken Arrow: DFIT At Home

BSides Charlotte · 2020 · 58:34 · 70 views · Published 2020-10
About this talk
Friends and family ask for assistance installing WiFi or configuring smart devices in the house. They are now asking for help "fixing my situation." The very same Internet of Things devices that are installed for convenience can form a gilded, velvet-lined cage with an Alexa or Siri voice. Will discusses how the BSides Charlotte community can apply InfoSec principles and forensic principles to assist domestic abuse victims in cutting the electronic cord to their abuser. We check ACLs when an employee leaves the corporation; the same counterintelligence mindset should be applied to the domestic situation: what can be gathered, what sources and methods can be used against a person in their own house, and how to detect the threat. This talk will discuss the use of social media to detect physical surveillance, technical countermeasures for surveillance devices, lessons learned with forensics, and the ways to protect oneself against leaving data behind.

Transcript [en]

in the 1960s in the u.s army there was a term for an overridden u.s infantry position called broken arrow if a radioman called out broken arrow any and all help from the air infantry el air calvary would come in whether it's a b-52 for carpet bombing whether it's helicopter gun chips whether it's even a small cessna acting as a site to say the enemies coming in from the north if you go to the west you'll have an escape and can live to fight another day any small amount of information was able to help the person on the ground this talk for broken arrow is for when the enemy is inside the perimeter meaning for information security

fix my desktop is now fix my situation we used to help people set up routers we used to help people build desktops build laptops to build their home network and now it's more hey you work in information security can you help me my ex is stalking me he's still able to see my facebook post he still has access to my twitter he still has access to my cell phone records is there something you can do naturally we're is a culture driven we want to do something and this talk is geared to help you get the toolkit the mindset so that you can do something to give somebody assistance when you're working in the sock we've

got a lot of different tools for digital forensics for insider threat insider incident response what have you you know we've got splunk that monitors network traffic and we'll come back to that one already and we'll start putting some hooks out there we can look and see the log on dates and times the network traffic the badge access with o365 compliance email productivity you can see what they're doing the edits they made what was deleted remote file access some companies use druva where you can remotely connect to a desktop to see what that 7zip file on the desktop truly contains even mcafee dlp we can see what usb is connected what print what was printed what data was copied to the clipboard

what sensitive data was sent out if you're working for a pharmaceutical and the keyboard is covered you'd probably be pretty busy but all that's recorded the difference is for those of us working in a sock there's a consent to monitoring every time you log on there's the warning everything you do is going to be monitored for later retrieval and analysis whether it's counterintelligence whether it's security whether it's energy compliance from doe the end user is aware that they're being monitored at home that's not necessarily the case a lot of things we're going to talk about in this upcoming 45 minutes or so are cases i've had with operation safe escape that's a volunteer organization that

provides domestic abuse resources where it's not quite a social worker it's not quite law enforcement it's the gray area for the technical means we have two websites go askros.com and safe escape.org if you want to volunteer and help it's help safe escape dot org if you need help or have somebody who wants help you can go to help at say safeascape.org the emails get parsed all the same if you want a hardback book to look for assistance the smart girls guide to privacy is a good way to go about this uh this is just a short introduction and appreciation of chris cox who started the organization and even if it's just again just a little bit of information say oh this is

how my ex is able to get my text messages if i change this radio setting on my iphone i have privacy again then the talk has been worth it so information security there's the three key principles data confidentiality data availability and data integrity you know it's a system question that's something that we deal with every day for this talk risk mitigation principles you want to control the environment there's identity theft and data availability so you still have that cool cie triad but the three principles the three pillars are still there and out of these three the most important is to control the environment if your person whether it's you whether it's someone who comes to you for assistance whether

it's a client family member doesn't matter if they don't have a safe physical environment the rest of it doesn't matter it doesn't matter that you might have remote off-site backups and data redundancy if you're physically assaulted at home not to make light of it but this is the most important thing and again the more pillars for controlling the environment personal security data security and social leaks you have to watch the social network it's not a tv show it's the friends and family leak so step one is to get off the eggs if you're in danger leap very basic uh we had a overseas meeting choosing my words because this is being recorded and it's going to be on youtube

uh long story short case officer met with an asset overseas it went south case officer came back home and we started debrief what happened the station chief basically sea level after listening to debrief he said no bad situation ever got better by sticking around you don't have to ask for permission when i was giving this i'm an employee now of accenture part of revolutionary security one of the founders said i want you to add this you don't have to ask permission to leave a dangerous situation jim told me about a recent situation where one of the co-workers was out with clients the clients were drinking heavily and the other consultant didn't want to call a separate taxi because the

additional expense he was afraid he would get in trouble for having another expense on the account rather than um fleeing the situation the same thing here if it's a bad situation at home domestic situation you don't have to stay you don't have to ask anyone to leave you just leave start over fresh the next day and deal with the cards as they stand so getting off the x here's where if this was a live presentation i would raise your hand and say who's heard of this i felt like marco rubio taking a sip of water during the presentation so getting off the x you want to have a bug out bag packed a small bag whether

it's a purse backpack with your id your cash a phone your car phone charger your keys everything you need to at least physically leave the premises you want to keep your physical devices with you at a moment's notice if you need to leave the facility you have it right there with you now a lot of the asterisks on this on these presentations are from experience dealing with cases with safe escape what if there's stock or where on the phone how do you handle dealing with that what if there's uh find my family activate on the phone and they're going to know everywhere you go one thing we've recommended is that people keep a prepaid cell phone and

prepaid credit card somewhere with them off site there is a nurse no she's a vet uh doesn't matter we do have a lot of people she ended up keeping her personal goods with her personal items with her in the safe in the veterinary office at the doctor's office because if you break into a house and get documents versus breaking into a medicine cabinet the police are going to respond a little bit differently that's far more secure than just keeping it under your seat of your car in this presentation we're going to diverge a little bit about if you leave if they leave this part what if they leave the abusers left the premises they're gone take a deep breath

what you do next obviously you gotta change your passwords change your locks and your codes to your house to your garage door your remote access frequencies you have to sit and think just for a minute what's really going on here and you know like the little cheeto the username admin password admin oh jeez i've been heavily involved in the case i'm picking and choosing what to share for the presentation was assisting one person and the garage door code itself when you pull the flap down on the keypad it says if you have forgotten your keypad your access code follow this sequence to reset to gain access to garage right there on the garage door panel

well that's not really secure username admin password admin so changing your passwords we'll get to that not to tell you how to do things i would say call your landlord call your landlord call the property manager if you own your house colleague locksmith get the keys physically change the access key cards first and foremost and after you make that call and have them coming to change the physical access then you transition over i think determine the suppose you pivot over that's the industry term over to your router and you look at that

clearance code [Music]

so there's a movie about domestic drama about a dad and his kids tragic ending for the wife and older codes still checked out and that's something i want you to keep in mind shuttle tidarium persistent and thorough across all the known shared passwords so on a known safe machine and on a known safe network that's a new addition you need to change your passwords and your security questions for your accounts if you're not sure if it's a safe machine and a safe network maybe consider going somewhere else a public library when they reopen is a good place to go the apple store would work maybe at work somewhere just not where you might have stalker wear on the

machines when you're setting up your new accounts and this is something americans do struggle with it's okay to lie online meaning fabricate your favorite security questions locations where do your parents meet tatooine uh information what was your favorite cup or what's your favorite element sand well you hate sand it's coarse it's grainy it gets everywhere but your favorite environment is sand events uh love getting pancakes at huddle house when you love waffle house something that you're going to remember that's not true that's not going to be on 23andme that's not going to be on genealogy.com ancestry.com that's on classmates on facebook you want to have an answer to the question that's all it is they're asking

question a they're just looking for whatever response you give them that's what you have to do not what's your mother's name well if you roll over to genealogy.com and can look at your mother's maiden name that's not much of a security question that's can you google the other thing i'll warn you is make sure you write down your answers probably on notepad and paper because if you give an esoteric answer you're probably not going to remember it most recent case there is a scrap on the desktop and it said beware of the things you leave behind in all the houses you change i had permission from my client to add this to the presentation because

this does deal with what's left behind in the house what data can you glean from what was left behind for your case as well as if you flee the situation what information am i leaving behind that can be used against me it's offense and defense on the same side of the coin if that makes sense so looking at your router you log on to your router and the first thing you look is to see what devices are connected here is does everything make sense you see you've got an android phone a mac laptop there's a guest account and then there's a pc well what's that well that's another key point i used to teach nato special forces you

don't have to name your device will's iphone pc is the name of my iphone for now and i'm going to change the presentation but you want to make sure everything on this screen showing what devices are on your network actually belong there and if they're not take a screenshot that's going to be important for later your standard legal disclaimer i can't tell you how to cover every single log location for the thousands of log routers in production remember to search for a specific model save your logs change your password if something's not right and it's really not right like having a wireless cam installed in your house you never install them and you have to leave and

call the police call the police this is an important time where you want to have evidence collected if there's something truly amiss talking with april before this presentation want to get a new router so if there's something you're not sure you can go to the local cable company get a new router ask for a new ip address and then you can enable a safety phrase with the isp so that even if the column the adversary calls the local cable company hey i'm bob jones calling about alice jones account i would like to add myself to it whatever unless they have that safety phrase they can't do anything with the account it's hardened again it depends on your local isp some

do some don't the local one here in tgk south carolina does have this your mileage may vary so as you're setting up your new phone you get your phone you go to settings the slides will be available later right now for iphone 13 i haven't updated yet to 14 because i don't want to come up battery life just yet you go to settings and then down here after you log into apple id after i've changed my wi-fi router i look and i see i've got three devices connected to my account that's right i have two laptops and an iphone that's like it should be for me that's perfect then i roll over to find my iphone do i

have the blue force tracker enabled where i can see everywhere my phone is it's speaking back out if that's on guess what take a screenshot turn it off you don't have to ask permission after you take your screenshot apple's also got a great feature 99 of the time under messages where you can forward your text messages to both of your laptops again that's great

but with safe escape we've seen guys who think they're hackers kind of insulting and they just add their phone number to the text message forwarding for their spouse and now they're getting dropped copies of all those former spouses text messages that's not hacking that's enabling a p list turn it off very simple same thing share my location family sharing obviously you want your location sharing turned off family sharing for all of your notes photos everything about your iphone is shared with drop copies to everyone enabled ah yes some people like that we've seen both when i was with cia and now with uh nato special forces guys will go to the war zone soldiers excuse me we'll go to the war

zone take photo of sensitive sites things that happened and now grandma is getting dropped copies of war zone photos because family sharing was turned on if this is enabled you didn't enable it take a screenshot turn it off easy on the android side android's a little bit more i believe vulnerable i'll get some hate for that on the discord channel but i don't have my apple hoodie on but android does have some more concerns go to your account your recently used devices and see where you're signed in do these logins match with what you know should be accurate if not log them out if so leave it as is but change your password a couple of the key

data dumps i suppose for a google account for your google takeout uh magnet axiom chris vance with axe uh magnet donate a full copy of axiom to us we thoroughly appreciate it we've been using that with google takeout to download every bit of activity associated with the account and once that data is downloaded you don't get it back we all know this so you want to make sure you have your google takeout and your google account locked down before the adversary realizes what they have access to apple has this as well there's if you log into icloud.com there's a way you can request your data uh apple's got multiple validation steps multiple two-factor authentication it's

a seven-day download period to get it and then once you go to download the data you have to step back through the 2fa process multiple times to get the data apples is not as granular as google for good for bad but all the a lot of the video texts the ip login addresses deleted emails a lot of the data that the user thinks is gone is still there so again the yen and the yang the good and the bad this is out there you want to make sure this is buttoned up and locked up on the other hand if you know there's something in your account that was deleted you can go back and recover it

everybody's favorite facebook they collect more data obviously than a lot of tcom companies do first step you want to go to account settings security active sessions to make sure everywhere you log into your facebook account is truly what you want if it's not take a screenshot log the other person out remember to change your password and here's the other thing again this will be available facebook records if you have facebook messenger installed on your phone it records all the text messages and phone calls granularity between a and b for at least a year so if you have something horrifically abusive you need to recover this is one way to get it the downside is if they have access to this they can

access this file the adversary can see everything you've done which could leave you in a vulnerable situation so it's the good and the bad this isn't telling you how to hack somebody this is telling you this state is out there you've got to lock it down there are places on the mac people some people know this oh yeah i forgot about this but this is just a lot of information at once on your mac if you go to a search icon type in keychain.app you'll see a list of all the saved passwords on the mac within the keychain type in the username password again this is for mp's 2017 conference back when we actually had physical

conferences and because i knew the username and password the wi-fi password is guidance so rinse and repeat poc or gtfo same concept can be applied to gmail accounts whatever password is stored on that machine unless you explicitly remember to change that password the adversary has access to these passwords in cleartext with that password conversely you'll know what is at risk and make sure you change your password this is a new one from the active case i'm working today unauthorized access so you go to your mac go down to your system preferences look at sharing look at users and groups those the two ones i just work on right before this presentation under users and groups you want to make

sure the accounts that are there are the accounts that should be there who has access to my account to log in do i have you can have a guest account shadow or being shadowed by the admin accounts you know kid situation for parents shadowing kids but has your ex or the ex of your person are they shadowing this account through nefarious means and you can also see what else is logged on uh sign in i had open vp can connect from the dining initiative doing the capture of the flag i want to disable that just for a little bit of performance just because i need every bit i can get the other this is uh right before the

talk the adversary had enabled remote management on the laptop and then had excuse me had the name of the person that was able to remotely ssh in on port 22 to the laptop every time they connected again screenshot talk to local law enforcement disable that so the client doesn't have this risk but this is something new most people aren't going to go this length to monitor your ex but it does happen

being persistent and thrown this image it's like inception i received a usb drive from a local private investigator that had files on it why else did they just give me a usb drive right so i ran disk drills a great program i think it's 79 dollars for the full program it undeletes files pretty decent interface you can mount it as a dmg and harvest the files later if you want they also have a forensically sound enterprise version i don't work for them but it's 500 not bad for a forensic tool anyway i'm kind of curious to see what else the pi had on there recovered this image you've read probably a couple of times so i've been talking about making sure

you delete the messages that aren't so it's a deleted message that was recovered then deleted and are covered again on this usb drive so if you're going to leave usb drives behind make sure you wipe them versus delete them or just take them with you conversely if something has been left behind in your of the right mind run this drill and see what's available you might find something of use to say i did horrific thing i have guilt the more information you can get to protect yourself from the adversary the better all right why's he got tv on here one of the neighbors bought a 65 inch tv off of facebook marketplace asked me to move it i did

they connected the tv and saw that the person who sold it was still logged into facebook netflix hulu youtube and twitter why you want to watch twitter on a 65 inch tv twitter's toxic enough especially 65 inches of inanity i yeah so the person working in law enforcement obviously went through logged everything out it didn't stalk the person they bought it from logged out did the right thing but you have to remember if you're still logged into these accounts the other person does have access into a window for your life that you might have forgotten you logged into that includes sharing netflix spend the 7.99 a month to get a new account you don't have to

keep using the x's account just it's not worth it so even if you're starting to lock your life down hiding the evidence online there are some apps out there that are available that might still reveal what's going on with you from osnpframework.com there's a app that will let you go through and see a person's sleep cycle so if you want to see how well cam newton is sleeping up in new england because where is cam i don't know anymore i've lost track if you want to see where is it jameis winston new england how well he's sleeping before he plays the panthers you can plug in his uid uuid from facebook and get cam newton or jameis winston's sleep

cycle which is great if you're doing nato special forces renditions to see where the adversary is sleeping conversely even though all you're doing is liking and updating photos of your deer the adversary can still get your sleep cycle just because you're still posting on facebook we talked earlier about the leaks from family and friends even if you've locked everything down and you're following good operational security your family and friends can still say oh will's going up to tk short club don't tell anybody but he's wearing the new hoodie he got from b-side trunk well now you know where i'm going and what i'm wearing so if you're an adversary you know my house is unsecured for the

next hour and a half two hours three hours getting on the services slow up there you know what i'm wearing and now i'm more of a target because family and friends leaked out that data that's a fun example but again in the nato world we would see oh dad is deploying mama's deploying to the war zone for the next year now you've beaconed out to the adversary that you're a target for approaching for oh what's their specialty how long have they been doing this the illustration from the true foreign adversary can come in but on the domestic front the same threat is still there you have to watch and say mom i know you are proud of this but you can't put this

online you've got to have everybody on board with it or you start you stop telling them the plans and intent i realize i've got picked the pace up a little bit here with the ring doorbell i don't people install them i don't know how many people that in the audience have actually gone back to look at the quality they're superb it's 1080p 4k high quality high definition audio visual adding somebody to this acl access control list is very simple you give them the email you connect it to this and they can see all the conversations having at your front you're having your front door this being a carolina conference we long talk we have long conversations at the door when

we arrive we have long conversations when we leave now the adversaries got this window to see everything you're talking about and listening to in explicit high definition detail and you might have forgotten oh yeah the excel has access to the store belt so scrub it just like you're working at the sock working for security at work remember to take them off that control list the same for amazon alexa i'm not going to say the phrase but hey every time you say that that's recorded on your amazon account you've got your voice history your smart alert history your smart home history and your permissions you know this was a bad episode of csi cyber back in 2012 people back in an

innocent time we would tweet how ridiculous this was that somebody could actually remotely access your smoke detector remotely disable your burglar alarm and then start a fire by overheating your printer but we're not too far from that where you can actually remotely disconnect the smoke detector and burglar alarm and all i have to do is just have access to alexa so again scrub your acl on this and also a certified fraud examiner there's a phrase called implied trust unless you explicitly remove them from this shared amazon account they can have all these things shipped to their new house on your credit card because you didn't explicitly remove them they won't be processed they won't be

prosecuted because you still gave them concurrence so it's something else you're going to want to scrub

you know printers i'm choosing my store here there's some of the windows properties you can go back and look at the files and see what was printed uh some of the corporate printers one of the tricks i like to do when i'm going to a nato site i don't have access to the network but i'll hit print last or print spool oh one place in belgium i got a list of all the headers for the emails even though it's on class i was able to see okay so this unit is going here here's the number of people that are going through the travel arrangements and here's where they're coming back just by the titles of the document

different place classified environment i did hit print last it printed every single document that printer had ever stored still stored in ram for the network didn't touch it i was expecting to get one piece of paper i got 500 piece of papers i went and got the security officer told them what happened like hey i'm not touching this you've got a vulnerability you want to teach about it but i'm not touching your classified because not authorized if that can happen in the corporate environment that can still happen in a home environment even something as simple as my 40 printer from walmart remember to take the document out from the scanner you okay i'm leaving well you might have

left your driver's license your passport open up the document open up the printer and look and see what's left on the flatbed before you leave or did they leave something behind on the mac again this will be available go to vars full cups the documents that start with c the files that start with c you're going to have the metadata the ones that start with d are pdfs and those are recoverable to the desktop so here i just did the strings on a c file as you will see this is a coupon for world market it's always a coupon for world market and bed bath and beyond but even just a metadata you can get an

idea of the plans in intent of what was left behind or for you apartment lease agreement for i don't know i don't know apartment complex but you got the point this is all still available for any mac laptop [Music] so picking this up a little bit email mail and pdf and social media tracking thanks to marketing there's a lot of available data that's out there that i don't feel people should have access to program called superhuman it uses a one by one cookie to pull back and that's going to give you the date time and approximate gps and ip of where the person read the email how often they read it using a vpn will defeat that obviously

google's added this as well for gmail to see how often the email has been opened so now you know where they're reading the email and with something like docs in for outlook there's this beacon and you can see now how long have they read the document what page did they read what did they skip over and now they know exactly where you read the document they've got this granular details so in from business negotiations if they're skipping over a key clause on page 14 that you're worried about that's going to give you business intelligence here you may not want to give the adversary that benefit so on a mac type in open terminal type in ndls

metadata list drag and drop the file in there and you're going to see this beacon this large where's the form from the beacon will sit there if you work with this you'll see the difference between files that have a beacon and files that don't windows doesn't have this capability yet we've been looking up continue to research for about a year i haven't found anything it's a very simple two-prong approach three-prong approach use a vpn or use paper using print it out they're not going to track out track that you printed document you have complete freedom with that but be aware that these are some things that can be used against you another thing man-in-the-middle real

world aversion i went to a fort mill post office talked to the fort mill postal inspector that sounds fancy doesn't it you get a pdf or a jpeg of every piece of mail that comes to your door that's great if you're deployed overseas or if you're going to be away in a business chair if you remember what those were conversely the adversary can enable this before they leave and get copies pdfs of every single piece of mail coming to your mailbox and if you're getting a court document check something crucial they can remove the one key file from the mailbox for true packet intercept and the victim wouldn't know this is available there are two ways to mitigate

this either a try to enable man-in-the-middle informed delivery yourself or go to the post office and ask if anything like that has been enabled so this is something to be cognizant of it's a new threat we haven't heard much about this but it is available and people are malicious that's the point of the talk another threat vector we received when i gave this talk previously were the icalendar and google cal for things like tripit you send your delta itinerary to plans at tripit.com and it's going to park something a great app your itinerary your booking confirmation your seat number arrival time same for hotels i would use this my spouse would get it my boss would get it

client would get they would know all the details about this but if that person is no longer part of your life they don't need to get dropped copies of the plans you're going to have your business because of all the intel they can collect so make sure you screw up even your travel apps or your kids school calendars so

Not everything on the internet is true, I hate to break it to you, but things can be fake: 1:14 am Belarus, 1:15 Hawaii, 1:15 Kingdom of Saudi Arabia. You can project your GPS location on Twitter just like Luke Skywalker from whatever water planet he was on, and pay attention, Episode 8, I hated it, so he's on that and Kylo Ren sees the projection of Luke on whatever salt planet-y thing he was on. You can actually use that to force-project your GPS for your tweets to be nearby. Right now I could geolocate from TBK, South Carolina; I'm still in the right GPS box; I can have my presentation, my tweets appear from the western conference room in downtown Charlotte. So you're going to have some ability to manipulate where you're actually projecting from, and if you're consistent it can actually hide where you are. You don't have to use your true location, the further away you are. I did this in class last year for the NATO guys. I showed, okay, I'm in the back of the room and I'm tweeting from Iran, Moscow and Dar es Salaam, even though you guys see me in the back of the room. This is obviously not real. The more granular the detail, the more accurate your Twitter leak, and this website is tinfoleak.com if you're curious. All that's fake, that's great, that's good, but what's not fake is that I'm coming off of Twitter from iPhone. That's bad; come back to that in a second.

The Grugq says use Signal, use Tor. Well, I disagree. I say assume your devices are compromised. Programs like FlexiSPY, using mSpy, it's very simple to target, and something like Tinfoleak is going to tell you if you're leaking out your Twitter information, to say here's how I'm vulnerable, here's how to target me. So I would say personal meetings at pre-arranged dates, times: I'll see you next Wednesday at Toast Cafe at 11 pm, 11 am. Leave your electronics behind somewhere routine, secure. Don't assume they aren't bugged until you know you have clean devices. Have non-verbal parole, so that, if I, you guys can probably see, or the audience can see, I've got Georgia Tech banners. If I was on Facebook, when I'm not on Facebook, but if I was on Facebook with a University of Georgia sweatshirt, that would be the warning that hey, something's wrong, please come by and help me, something's off here. As long as you have a prearranged parole and they know it means something, a misspelled hashtag in a tweet or sending out a tweet from Boston means I've talked with Boston FBI, something only you and the other person are aware of. There's still a lot of nonverbal communication you can use that the adversary wouldn't be aware of.

Now for iPhone monitoring, they call this hacking, I, uh, whatever. So for mSpy, Alice provides Bob's Mac ID and password to mSpy, and then, like, was it Dude, Where's My Car, and then Bob's phone has to be synced to the iCloud with power connected, and then all that has to be provided to mSpy. They then parse out a backup of the phone and give all the data back to Alice. That's not hacking, that's just you've got my username and password, you're harvesting my backup. But on Android mSpy has a beautiful thing: you create a phishing SMS targeted to Bob's phone within mSpy, Bob clicks on the link, and now you've got access to all the data on the phone. And we're supposed to talk about updates.

So for the 2020 stock update: if a work-from-home employee's bring-your-own-device says stalkerware, how's your site going to respond to this? It's more than an information security concern, it's a life problem. You can't just call Jane Doe in the office, why do you have hackerware on your phone? She may not be aware that somebody's put this on her phone. It's a little bit gentler concern, a little bit gentle handling, and if you don't plan to handle this before something arises, with the large employers like Bank of America, AT&T, American Airlines, the probability of this happening, probably at least one to two cases. But be aware this could be something you're encountering.

Now for trapping your device, if you want to see if someone's accessing your phone while you sleep, there's a great app called Sleep Cycle. It uses the potentiometer within the phone to see how well you're sleeping at night. You put the phone on the mattress, goes face down, and if your phone's not moving you're in heavy sleep; if your phone's tossing and turning like you are, you'll know you didn't sleep well. I use that when I travel a lot to see, you know, which mattress works for me, which one am I going to buy when it's time for a new mattress. Yeah, that's part of getting old I guess, you're worried about your mattress and your sleep cycle. But if you put your phone on your bug bag, bug-out bag, with Sleep Cycle running, you've got the cover story of oh, I just had my phone on my bag, I'm sorry, I forgot to put it on the nightstand, and now you can see your phone's moved in the middle of the night. You've got an indication that something else is going on.

Now the latest iPhone update, you've got even more granular information. If you go to Battery, because we're all monitoring battery updates, because iOS updates are coming to make you buy a new phone, it's not conspiracy theory, it's proven. At home you can look at your battery level and see from, oh, was it 11 pm until 6 am, basically I didn't touch my phone, that's a miracle, and you can see very granular exactly what device was used, what app was used in those hours, minute by minute. So you put your phone down, nothing happens, that's a great sign. Or if your iPhone, or if your iMessages, your Twitter and your Instagram are open from 3 am to 5 am, that's a problem, and now you've got an indication that there's a level of distrust and you might want to start considering fleeing the situation, if that's right for you.

We talked about using a known safe machine. Apple has a dual purpose in that if you reboot your laptop, hold down Command-R for recovery, you can Google your laptop to make sure things haven't changed since I gave the speech, you can get help online, which is actually freaking ironic, but you have a clean OS without any spyware, stalkerware installed. You enter your credentials to connect to the router and now you have a clean session on your laptop, clean of any spyware, where you can log on to a clean Gmail, send something to help@safeescape.org or whoever, and start to beacon out to ask for assistance getting away from the stalker situation. And once you reboot back there's no trace left on the laptop, unless, looking around my lab here, unless they actually brought it in and did a full-blown BlackLight, Magnet AXIOM analysis, but probability, that's probably not going to happen.

So that's a lot on the iPhone, that's a lot on the laptop side. On the printer side, with the advent of Amazon people think they're James Bond, they think they're CIA's DS&T, they think they're cute. Dude, you went on Amazon, bought something, that's not hacking. So something as benign as this micro USB camera: put the SD card in, put it in the wall, now you've got power, you have collection. And you know that's great if your apartment complex is going to send somebody over, that's not me, he's wearing red, I don't wear red unless it's a problem, then I'm wearing red. But now you've got this camera of, okay, the repair person, persons coming in the house, they have this, I can see who's coming in, how long they're there, everything's good. Okay, it has a use, that's cool. But if we're talking the surveillance of a domestic partner, that crosses the line; that's a little bit illegal.

We have three settings to play with: there's the power, the collection, the storage. With the power, if it's always on and always collecting it has to be hardwired into AC. If it's always collecting you're going to run out of storage, so it's going to have to beacon back, connect to the Wi-Fi for connection to the cloud or connection to another device. So that would show up to both being plugged into the AC network of the house as well as a Wi-Fi network. So you start to see how these work together. If it's low power, limited collection and short storage, someone's going to physically come in and service the device. And okay, these are all from Amazon, my search history is trashed. You've got a 1080p camera that connects to the iPhone through the wireless router so you can always see what goes on in the house. That's a little creepy. Risk mitigation for this is unplug it, call the police. If this has been left behind that's wiretapping, it's illegal surveillance, they take this pretty seriously. And I hate that these keep getting updated the more I give this talk, because there's just more. It looks like a normal air freshener; it's a 720p camera, has battery life and it has limited storage for the SD card, so someone actually has to come in and physically monitor that. The Amazon Alexa Blink Mini, show me the living room, come on, that's not anything Q would have to do for James Bond, that's just a camera connected to your living room. You should know that's out there, I would hope. The last thing is a 128-hour USB recording device just for audio. You flick the knob one way, it's continuous recording; you flick it the other way, it's first recording. You put something like a BlackLight logo on there or some other appropriate company tool, it just looks like a company drive. So if you need to protect yourself, check with an attorney and see if it's legal, but now you have a non-obtrusive way to monitor a conversation if it's going a little bit south, or if you need to carry it during your traffic stop, whatever else, you get the idea, because that's far less intrusive and confrontational than, you know, being that guy that you see on 9GAG or YouTube or Twitter holding up the phone and recording people. This is very benign if you need to use it, but be aware these are out there.

For the recording device, we talked about the device that would come and go between, you know, having to service it. Well, the nanny cam: we had a case where the kids put the nanny cam right behind mom. They didn't know it was a nanny cam, but the dad was able to remotely, so he was able to watch her. They can't talk; they would take the nanny cam back to dad's, or, excuse me, the stuffed animal. He was able to get her keystrokes, access her Twitter and access her Facebook and stalk her. She was in court for about five years until he cracked the case to figure out it was the nanny cam the kids were taking back and forth. So now he gets, I think, three meals a day, a cot and free health care in the government facility.

The electronic surveillance devices we've got, this is a new one with Apple: you can use your AirPods in hearing aid mode. Again, that's pretty cool, it's not bad, but the downside is you put the earbuds in connected to your iPhone with Bluetooth, you leave your phone in the room, you walk off to other rooms and you're still able to listen, using the microphone on your phone, to the room's conversation, whoever's in there, remotely. Kind of creepy. Now we've seen this a little bit writ large where they reverse engineered the Bose headphone app, because those noise cancelling headphones are always listening to see what's being said to cancel it out. Now this person reverse engineered it and they're funneling that take back to their server to listen to see now what the ex is saying about him. So if there's something off, you know, why did they give me these headphones right before they left? Get rid of them.

I love Amazon, one of my good friends works there, but all the things they sell are questionable. There is, showing my age a little bit, there's a, it looks like a 2G modem in a mini Pelican case. It goes with the magnet under the car. It's 49.95, got a four-star rating, that's not bad for stalkers, you 37,165 people out there who need to rethink their lives. It goes under the spouse's car and you can monitor it for 25 a month with the app. Very questionable. It's very easy to see, you know, if you've got this thing underneath the car. Okay, but here's your beacon collection, except this isn't, it's not a beacon. I was doing forensic analysis of my iPhone and that's not my beacon, that's my iPhone driving around for quite some time in Charlotte, and I took the GPS via KML file, drag and drop to Google Maps, Google Earth, and there you go. You can see you don't need a beacon to physically be stalked if they have access to your phone backup. Change passwords.

A couple more cases of this. If you're worried about being stalked, get rid of the Fitbit, get rid of the Strava fitness app, just don't. If you're worried about that, just leave it at home, put it on the dog. I've got deer right here outside the window, put it on a deer. Just don't publish where you're going for a jog and you'll be okay. The latest photo, 2:39 in the afternoon, my phone's already on red. Apple's now got a family setup for the Apple Watch where you can monitor and see where the phone goes. 99 percent of the time it's fine, but if you have a situation where the ex is stalking you, maybe consider not having the beacon on your wrist.

All right, well, I get it, it's too much, I'm going to order pizza. If you're on the south side I would say go to Luigi's Pizza, it's the best pizza in Charlotte, but if you're like me getting this talk ready, go to Domino's. And you have to be persistent and thorough, because Domino's retains the last two years of your order history. If you order pizza every Thursday night with your kids, you take the kids to a new location, they know your Twitter, they know your password, they can still see where you are because you forgot to change your password. But dude, I'm skipping pizza, I'm going to the gym, it's finally open. That's great, but Planet Fitness now logs every login, every time you badge in at Planet Fitness, that's available. So that's something else you've got to consider: changing your password.

Believe it or not, we're in the home stretch. Identity theft is very binary. If there's identity theft you have to go to identitytheft.gov and report it. This hits the fraud triangle of opportunity, rationalization and pressure. The adversary knows you're going to lose your income from the split, they know that it's going to be harder, they've got a divorce to pay for, the chance for domestic fraud, and most cases don't get prosecuted for domestic fraud. There's an author, pink collar fraud guideline, she's on LinkedIn, she's got a book on this. The DAs don't like to prosecute domestic fraud, so it's more urgent that you pay attention to this and make your person, your victim, whatever you want to call them, aware that they've got to be aware of this. I tie this in with a thing called SpoofCard. It's fun, but you could plug in SunTrust Bank's telebank number, 404-230-5555. If you're a SunTrust customer and I call you from this number, this 544-23055 is going to show up as a number in their contact list and it's going to say this is SunTrust. There's the implied trust, and because of all the financial turmoil during a domestic split they're going to be more apt to volunteer information. So you have to be aware there's so many vectors for fraud through a domestic split, you have to be more aware. I'm repeating myself, but the opportunities are ridiculous. Go to identitytheft.gov if it's happened, you have to report it, again, known safe secure computer. The local police will tell you you have to log in here as well to get a case number. Once you get the case number you can report that to the banks and they can start to process that. But for infosec professionals, if there's identity theft: clean safe machine, identitytheft.gov, they've got to report it, they have to call the police, they have to contact the bank. Unless you report it there's nothing they can do.

The last day we had control the environment, we had identity theft, the last is data availability. We would say if it ain't in cable traffic it ain't. Oh yeah, I was promised I was going to get a PCS to Maui. Well, if it ain't in cable traffic it ain't.

Same mindset here: if you don't document what happens as it happens it doesn't count. So as you're helping your persons, you're helping the victim, I don't like the word victim, as you're helping this person overcome a negative event, document files, make a label, create an index. This is data recovery I did, shame on me. You can, which one is the key file, which one is the spam and which one is the hotel check-in? Good luck with that. This is recovery from Disk Drill, which is also, not to go back to Disk Drill, I don't work for them, I was able to recover all of these files with Disk Drill, but the name itself leaves a lot to be desired from the program. But this recovered files that were scanned that weren't searchable with OCR, so it's some good and some bad. But again, you've got to document things as you find them.

Be available for the other person. It might sound basic, they're coming to you with the technical problem, but the technical problem is just a larger part of what they're going through. That's not going to be the rest of their life, this is just for this slice of time: I have this issue, I need your help. I'm talking like, you know, the world is back to normal, but if they want to go back to go get a pizza instead of going to Domino's, be available for them, be a normal person. It's okay, I shouldn't have to say that, but you deal with all personality types. I'm kind of digging a hole here, but being old, taking the football, taking the basketball back, or the gym if we can do that anymore, but remember they're going through something horrific and being a good person goes a long way.

Two is one, one is none, in the Avengers font that I had to show off here. So if you get this USB drive, you get a copy of the phone, you have your primary, your alternate, a contingency copy and emergency, PACE. With Operation Safe Escape, if a victim has, a client has key files and documents, a copy will go to an attorney, a copy to a family member, a copy to the volunteer working with them and then another copy for a safe deposit box. That way even if one goes down there are three backups. Especially working with USB drives and laptops off the corporate system, we can't go back to Druva and recover the data that's been out there for years. That one drive is lost, the whole case is lost. You want to make sure you have a documented reliable backup plan.

One thing, a couple of things to consider as we get into the end game for this. We do have a stigma for being hackers; people give us magic powers: oh, he's a hacker, she's a hacker, she can do this and that and the other. Well, not really, but to law enforcement, to other attorneys, anything that's an anomaly, if you actually do cross the Rubicon and do something, there's going to be more attention brought to your actions. Trying to hack into someone's Gmail, you don't want the attention. Stay beyond reproach, do the right thing.

Now when we would terminate a human asset overseas and not turn it, like we just cut the relationship, we wouldn't terminate, that sounds horrible. Instead of saying hey Bob, we're done with you, well now you've got distrust, you've got resentment. Hey, I've got my own cell phone plan, I don't want you to see who I'm calling. But if you say, you know, going through work we've got a great cell phone plan, I'm able to get a plan through them at a severe discount, that's going to save you a hundred dollars a month, I can take care of it, that's going to help you out, my new number's, I'm not sure what it is yet, I'm getting it. Well, you've hidden your new number, you've told them it's already happened, it seems like a good thing, you're saving the other person 100 a month, and it's done. You're not asking for permission, it's already complete. It's just an example, but there's ways you can approach the situation to get that separation without causing a confrontation.

Last couple of slides I want to stick with you. Shared technology in a domestic conflict: one device here, strong encryption, strong authentication, data repository, was actually used as a backup for the other source of encryption. C-3PO, weak encryption for domestic conflict, the device was wiped a couple of times. Now, when you're considering leaving something behind in the domestic conflict, if I deleted the files, or did I wipe the files? Last one, unauthorized devices on a network, looking at your router. If Thanos had a router, he sees Nebula 2014, no, Nebula 2023 show up with a 2014 network, a rogue device is detected. He did live memory forensic analysis, shout out to Andrew Case on that one, he always loves that joke, and Thanos was able to do a takeout analysis of all the chats, locations and images of plans and intents being used against him. Conversely there was a drop copy of Nebula created; the Avengers weren't aware of their plans, intent and were leaked out to the adversary, they didn't know it, which caused a major domestic problem when Thanos showed up at the doorstep unexpectedly, because he knew where to go, because of the memory analysis in the offense and the defense.

So we're at the end here. Too long, didn't read: change your passwords, change your locks, document things, and you still have to report events to law enforcement. If you don't report events as they happen it's tough, but you've got to do it, for the record, to protect yourself, to protect the other person. Thank you for sitting through this. I'm pretty sure I went a little bit over. I'm iOS Forensic on Twitter, 10xengineer.com, and thank you for coming to the presentation.