Takedowns: Legendary Successes in Computer Forensics

By Sharon D. Nelson, Esq. and John W. Simek
© 2002 Sensei Enterprises, Inc.

Take*down (tāk/doun/) adj. Sports. A move or maneuver in wrestling or the martial arts in which a standing opponent is forced to the floor.

       - American Heritage Dictionary of the English Language Third Edition

"Takedown" has had a new meaning since the publication of the book by the same name in 1996. The story of infamous hacker Kevin Mitnick, told by the hacker/hunter who finally found him (Tsutomu Shimomura) was a "takedown" heard around the globe. Forever after, "takedown" has developed another meaning - it's a "gotcha" for computer forensic technologists when they find the pivotal electronic evidence that will bring a hacker or other criminal down.

It is difficult to explain the adrenaline rush that comes with a computer forensics case. It is Holmesian in nature: As computer technologists, when we get the call that a hard drive and media are on their way to our office, from a court or from a litigating party, our first anticipatory sensation is that "the game's afoot." Very much like Mr. Holmes, we are always on a timetable and often find ourselves proceeding down dead ends and tracing evidence that has grown cold and a trail that ultimately becomes untraceable. Sometimes what we are asked to find is "elementary, dear Watson." At other times, when we "have excluded the impossible, whatever remains, however improbable, must be the truth." Neither of us plays the violin and there is no 7% solution for inspiration, though there is a bottle of 15-year-old single malt scotch to which we have been known to resort.

Nothing equates to the delight we feel when we find the "smoking gun," whether it is deleted and damning evidence or a carefully hidden industrial espionage program transmitting the computer's secrets to someone else over the Internet. At such moments, we have been known to emulate an unconventional form of the Irish jig, break into a woefully off-key but triumphant rendition of "We Are the Champions" or simply look at one another and solemnly pronounce one reverent and victorious word: "Takedown!"

Computer forensics has become quietly pervasive in the world of law enforcement. Though it is not always front and center in media reports, many of the most notorious cases of our times have hinged on electronic evidence. Here are some of the most highly publicized cases in forensic folklore.

Oliver North - Never the sharpest tool in the shed, Colonel Oliver North set out to conceal his involvement in the Iran Contra affair, doggedly shredding all pertinent papers and deleting all relevant e-mail. Unbeknownst to North, all his diligence was in vain because the government was using IBM's Professional Office System (PROFS) and the mainframe support personnel were backing up his e-mail. All the incriminating e-mails were recovered. Gotcha Ollie.

Though Colonel North was convicted of accepting an illegal gratuity, aiding and abetting in the obstruction of a congressional inquiry, and destruction of documents in 1989, the conviction was overturned on appeal because immunized testimony had been used in his trial.

Robert Hanssen - A bizarre combination of low and high tech, the American spy and FBI counterintelligence agent Robert Hanssen favored old-fashioned mail drops to communicate information to his Russian handlers. In February 2001, he was arrested in Vienna, Virginia, while in the process of making a drop in exchange for a $50,000 payment. The arrest culminated a four-month FBI investigation in which the agency said it used "computer forensic analysis, substantial covert surveillance, court-authorized searches and other sensitive techniques." Though the precise nature of the surveillance remained murky, reports suggested that the FBI had received court authority to monitor Hanssen's computer usage, as well as to intercept his cell phone calls and to place a wiretap on his home and office phones.

Hanssen had some technical bona fides. According to an affidavit filed by the FBI, Hanssen used encrypted disks, flash memory cards and even a Palm Pilot to pass secrets to his Russian handlers. He could also program in C and Pascal, according to the Washington Post, which added that the "technologically sophisticated" Hanssen created a system to automate the teletype at the FBI's Washington offices. USA Today reported that Hanssen hacked into the computer of the FBI's top Russian counterintelligence officer in the early 1990s. Ironically, FBI logs showed that Hanssen surfed the FBI computers for references to his name in ongoing investigations.

In July 2001, he pleaded guilty to charges that included conspiracy to commit espionage, 19 counts of espionage, and one count of attempted espionage. Hanssen is currently serving a life sentence without possibility of parole, under a plea agreement in which he pledged full cooperation with authorities.

Wen Ho Lee - Though computer forensics was at the heart of this case, in the end what was NOT known was as fascinating as what was. It was undisputed that Los Alamos scientist Wen Ho Lee had copied certain computer tapes and that they contained information related to building nuclear weapons. Over 40 hours on 70 days in 1993, 1994 and 1997, Lee downloaded 1.4 gigabytes of data, the equivalent of about 400,000 pages, from the secure computer system at Los Alamos. Often working on nights and weekends, and circumventing security safeguards, he moved the data to his office desktop computer and to pocket-sized tapes that look like 8-mm videocassettes, a bit thicker than conventional audiocassettes. He then made copies of some of those tapes.

Lee maintained that the tapes copied were "crown junk" and not a "crown jewel." He said he made the tapes for fear of losing material, although all manner of backups and keystroke logging are available at Los Alamos.

Lee claimed he threw approximately 17 tapes in a trash bin outside the lab in January 1999, after his security clearance was revoked. Although the FBI had this information in September of 2000, it unaccountably waited several months before searching the landfill where the laboratory dumps its garbage. Ten tapes were found in the New Mexico landfill, some of them crushed, but forensics specialists were able to recover much of the data on the tapes. After the entire hullabaloo, it turned out that the ten tapes were unrelated to the case. The tapes have never been found.

Ultimately, Lee admitted he had erased classified files that he had transferred to unclassified computers and removed secret data from three tapes that were later found in his office. He never acknowledged engaging in espionage, but said that he entered into a plea agreement because there was a 5% chance that he could be convicted, and he did not want to take that risk.

On September 13, 2000, the government dropped 58 of the 59 charges against Lee and he was sentenced to the nine months he had already served, and given his freedom in exchange for his cooperation with authorities. What emerged clearly in court proceedings was a bungled investigation - upon freeing Lee, U.S. District Judge Jim Parker took the unusual step of apologizing to Lee and sternly reprimanding the U.S. government for the conditions under which he was held.

Larry Ellison - Oracle employee Adelyn Lee won a $100,000 out-of-court settlement against Oracle President, Larry Ellison, after claiming that she had been fired for refusing to have sex with him. Ellison's often colorful behavior made the scenario seem plausible. An old Ellison joke: "What's the difference between Ellison and God? God doesn't think he's Larry Ellison." He was in fact known to lavish gifts on women for, well, whatever. Commentators who reported on court proceedings wryly suggested that his favorite pickup line for female subordinates might have been "Hey, can I buy you a car?" He was an easy target. There had in fact been an off-again, on-again romance between Ellison and Lee and it was undisputed that she was terminated five days after their last date.

One of the compelling pieces of evidence was a 1993 e-mail from Lee's boss, Vice President Craig Ramsey, to Ellison, confirming that Lee had been terminated at Ellison's request. Electronic records revealed that Ramsey could not have sent the e-mail because he was driving (according to cell phone records) at the time that the network recorded the e-mail transmission. As it turned out, Lee knew Ramsey's passwords and sent the e-mail herself. In 1997, she was convicted of felony perjury and the falsification of evidence.

Kevin Mitnick - Few Americans have NOT heard the name of the world's most famous hacker. "Free Kevin" t-shirts and web sites proliferated at an astonishing rate during the height of Kevin's fame. As is so often true, the real Kevin wasn't much of a hero. Mitnick had a real problem distinguishing between fairly simple concepts of right and wrong. Breaking into other people's technology for his own self-interest was something he continually justified. If he wanted free phone time or free computer time, he used his technical skills to trespass on other people's technology and stole it. His rap sheet lengthened over time.

As a teenager, he was a phone "phreaker" making free long distance calls before Pacific Bell caught him stealing computer manuals. He was placed on probation. Mitnick first came to national attention in 1982 when he hacked into the North American Aerospace Defense Command (NORAD). Remember the movie "War Games?" Kevin Mitnick was the inspiration for that movie.

During the 80's, Mitnick also took control of three central telephone offices in New York City and ALL the phone switching centers in California. In 1989, he was charged with computer fraud and possession of unauthorized access devices that he used to hack into MCI and Digital Equipment Corp., from whom he lifted $1 million in proprietary software. He was sentenced to and served a year's time. A series of arrests ensued over the next several years and he served two more prison stretches. In 1991, he violated probation by hacking into voice mail systems at Pacific Bell. The government got a warrant for his arrest in 1992, and Mitnick became a fugitive on the run.

Mitnick went behind bars again in February 1995 on a 25-count indictment that included charges of wire fraud and illegal possession of computer files stolen from such companies as Motorola and Sun Microsystems. His arrest followed a national hacking spree that finally earned him a spot on the FBI's most wanted list. Over the 2½ years that preceded his arrest, he hacked into computers, stole corporate secrets, scrambled phone networks, and broke into the national defense warning system. During his years on the run, when he adopted the moniker "Condor" from the Robert Redford film "Three Days of the Condor" he allegedly hacked into computers at Motorola, Nokia Mobile Phones, Fujitsu, Novell, NEC, Sun Microsystems, Colorado SuperNet and the University of Southern California. Damages were estimated to be as high as $80 million.

He was finally found, not by the government, who he successfully eluded time and again, but by computer savant Tsutomu Shimomura. Mitnick finally made a mistake that would prove fatal. He arrogantly broke into Shimomura's home computer network, taunting a man whose skills proved to be more formidable than Mitnick may have imagined. Shimomura, then a security specialist at the San Diego Supercomputer Center, had originally declined to assist authorities. But when Mitnick broke into Shimomura's system, he was infuriated by the intrusion and resolved to find him.

Mitnick had stashed some of his data in a dormant account at The Well, an online-forum with 11,000 subscribers, some of whom were well known Net activists. A technical manager there noted a possible hack into the company's systems. The owner of the dormant account recognized one of the e-mail addresses as belonging to Shimomura and noted that the data that had been stashed included serious software hacking tools.

Working with the FBI, Shimomura determined that the hacker was probably Mitnick and that he was making telephone calls with a cellular modem to a Netcom phone bank in Raleigh N.C. The calls were intricately looped from a GTE Corp. office to a Sprint cellular phone switch in such a way that neither company could identify the caller. Shimomura and the investigative team were able to narrow the location to somewhere near the Raleigh-Durham International Airport.

How did they do that? Part of a cellular transmission is an "electronic serial number" of the originating device. The investigation involved searching the communications logs for the ESN and phone number of the caller. The phone number was not assigned to any entry in the cellular databases. By first checking the logs for the phone-switching network and searching on the phony number, it was determined that the call was coming from the Raleigh-Durham area. After determining the switch, each cell attached to the switch was checked to determine the appropriate cellular cell that was receiving the appropriate ESN that was associated with the bogus number.

Arriving in Raleigh, Shimomura, Sprint technicians and the FBI used cellular frequency detection devices to find Mitnick. Armed with the ESN/phone number combination, the hunt was on. Monitoring hardware can track the transmission signals and determine the ESN "tag" associated with the communication session. The detection equipment senses the strength of the signal. Basically, the team drove around in the area until they had a "fix." Mitnick was found and arrested in a nondescript apartment complex. At precisely the same time as the surveillance team was closing in on Mitnick, technicians at The Well recorded the last unauthorized intrusion into their network. Takedown.

Mitnick ultimately signed a plea agreement and was released from prison on January 21, 2001, after being incarcerated for five years. He is prohibited from using a computer and from acting as a consultant or advisor in computer-related matters until January 20, 2003.

 

What is the computer forensic process?

"They say that genius is an infinite capacity for taking pains... It's a very bad definition, but it does apply to detective work."

       - Sherlock Holmes, A Study in Scarlet

The careful examination of electronic evidence and the precision with which a forensics technologist must operate can be tedious and exacting. The technologist may be employed to prevent a break-in or afterwards to determine its source. The technologist may be contacted directly by a corporation, or by lawyers for the corporation or a potential defendant, either during the investigative phase or during a court proceeding. Sometimes, the judge in a case appoints the technologist as a court expert. In the latter case, the technologist will receive a call, generally from one of the parties, advising the technologist of the appointment and that one of the parties has been ordered to deliver a hard drive and various media for examination. There is a flurry of paperwork, signing the court order and agreeing to abide by the court-ordered terms of the search and disclosure of results, and to hold the results otherwise in confidence. There is generally a big hurry to return the hard drive and media. Sometimes, in order to avoid putting a business out of business, the technologist must go to the company to "acquire" the hard drives or the acquisition must be made "over the wire."

Using special technology, hardware and software for data acquisition, such as the legendary EnCase and FastBloc from Guidance Software, the data from the target drive(s) is acquired and then searched and/or analyzed in accordance with court or client instructions. At all times, maintaining the chain of custody and the need to preserve and authenticate all evidence permeate the forensics process.


Sometimes what you get looks like this. Now you're in the data recovery business and must see what, if anything, can be recovered to be searched. Amazingly, data has been successfully recovered from computers that have been flooded, burned, hammered, and driven over.


FOR THE TECHNOIDS

There are three main methods for data acquisition:

One is a bit-by-bit (RAW) method where a single file is created. The UNIX dd command is typically used for this type of acquisition. The drive or media is scanned in a method that creates a single RAW image file of the contents. SafeBack by NTI is also a popular data acquisition program, which creates a single image file and is used by the FBI and IRS. It is only available to law enforcement agencies and not to the private sector.

The second is the way that EnCase creates the evidence files. The media is also scanned in a bit-by-bit method, but the data is placed into an EnCase format and can be compressed to various levels to reduce the actual evidence file size. By default, EnCase creates 640MB evidence file "chunks" so that they can be burned to a standard CD-ROM format for archiving. The actual drive/media contents are preserved and then reassembled when using the EnCase software.

The third method is to acquire the drive and store the contents to a larger geometry media. This is what the Media Tools product does. It does a bit-by-bit "clone" of the original media and then "pads" the balance of the destination. The Media Tools method is not as forensically "pure" as the other two methods; however, it does have the advantage of cloning media to a destination with a different physical geometry. As an example, you can clone a 10 GB hard disk to a 20 GB drive. Previous cloning methods required an EXACT duplicate of the drive size and geometry.

In all cases, it is essential that the evidence media be protected from any potential modification. Locking the evidence as "read-only" through software or hardware is the first step in maintaining integrity in any forensics effort.
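To make the three acquisition ideas above concrete (a bit-for-bit copy of every byte, splitting the image into fixed-size chunks for archiving, and proving afterwards that the image is identical to the source), here is an added, self-contained Python example. It is not code from the article, from EnCase, SafeBack or Media Tools; it imitates the RAW style on a constructed 10,240-byte "drive" written to a temporary directory, and the 4,000-byte chunk size is a stand-in for the 640MB chunks described in the text. The source is opened read-only, and SHA-256 over the source and over the reassembled chunks is used as the integrity check.

```python
"""Added illustration of bit-for-bit (RAW) acquisition with chunking and hash verification.
Not code from the original article or from any forensic product."""
import hashlib
import tempfile
from pathlib import Path

BLOCK = 4096  # read granularity; a dd-style acquisition also copies in fixed blocks


def acquire_raw(source: Path, image_dir: Path, chunk_size: int) -> dict:
    """Copy every byte of `source` into numbered chunk files of at most `chunk_size` bytes.

    Returns the SHA-256 of the source as read, the chunk paths, and the SHA-256
    of the chunks reassembled in order, so the two can be compared.
    """
    image_dir.mkdir(parents=True, exist_ok=True)
    src_hash = hashlib.sha256()
    chunks = []
    out = None        # currently open chunk file
    written = 0       # bytes written into that chunk so far
    # The source is opened read-only; paired with a hardware write blocker this is
    # the "read-only" protection the text calls the first step of the process.
    with open(source, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            src_hash.update(block)
            pos = 0
            while pos < len(block):
                if out is None:
                    chunks.append(image_dir / f"image.{len(chunks) + 1:03d}")
                    out = open(chunks[-1], "wb")
                    written = 0
                take = min(len(block) - pos, chunk_size - written)
                out.write(block[pos:pos + take])
                written += take
                pos += take
                if written == chunk_size:   # chunk full: close it and start a new one
                    out.close()
                    out = None
    if out is not None:
        out.close()
    # Reassemble the chunks in order and hash them to prove the image equals the source.
    img_hash = hashlib.sha256()
    for chunk in chunks:
        img_hash.update(chunk.read_bytes())
    return {
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "chunks": chunks,
    }


def demo_acquisition(chunk_size: int = 4000) -> dict:
    """Run the acquisition against a constructed 10,240-byte 'drive' in a temp dir."""
    data = bytes(range(256)) * 40   # constructed device contents (hypothetical evidence)
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence_drive.bin"
        src.write_bytes(data)
        result = acquire_raw(src, Path(tmp) / "image", chunk_size)
        result["chunk_sizes"] = [c.stat().st_size for c in result["chunks"]]
        result["chunks"] = [c.name for c in result["chunks"]]
        # Independent hash of the constructed data, for comparison with both hashes above.
        result["expected_sha256"] = hashlib.sha256(data).hexdigest()
    return result


if __name__ == "__main__":
    r = demo_acquisition()
    print(r["chunks"], r["chunk_sizes"])
    print("image matches source:", r["source_sha256"] == r["image_sha256"] == r["expected_sha256"])
```

The chunk boundaries are independent of the read block size, so the last chunk is simply shorter; a practitioner would record both hashes, and the chunk list, in the chain-of-custody notes before the media is returned.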

Essentially, searching is the method of scanning the media contents for a specific pattern of bits. The GREP syntax allows you to specify the grouping of characters to search and can be defined as actual ASCII or hexadecimal values. GREP originated from a UNIX text editor that provided a command sequence of g/re/p, which is global/regular expression/print. Many forensics products support GREP searching, but make sure you have your beanie and propeller on before typing, as all the options can be a bit cryptic. Some products, such as dtSearch, create an index file of the patterns first and provide a GUI mechanism for search strings. In the search process, the media is scanned for files and/or sections of the media that match the pattern desired in the search.
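The GREP-style search described above, as an added Python example that is not part of the original article and does not use any named product: it scans a raw image sequentially for a mix of ASCII regular expressions and hexadecimal signatures and reports the byte offset of every hit. The image is a constructed 8 KiB "drive" with a few strings planted in otherwise unallocated space (one of them deliberately straddling a read-buffer boundary), and the `hex:` prefix for signature patterns is this example's own convention.

```python
"""Added illustration of GREP-style pattern searching over a raw media image.
Not code from the original article or from any forensic product."""
import re
import tempfile
from pathlib import Path

READ = 4096   # bytes read per pass; must exceed the longest pattern length


def compile_pattern(spec: str) -> re.Pattern:
    """Accept an ASCII regex (e.g. r'wire\\s+transfer') or a hex signature ('hex:FFD8FF')."""
    if spec.startswith("hex:"):
        return re.compile(re.escape(bytes.fromhex(spec[4:])))
    return re.compile(spec.encode("ascii"), re.IGNORECASE)


def search_image(image: Path, specs: dict, max_len: int = 64) -> dict:
    """Return {name: [offsets]} for every pattern in `specs` found anywhere in `image`.

    Reads are overlapped by max_len - 1 bytes so a hit spanning two reads is not
    missed, and a hit is only accepted from the pass in which it could be seen whole.
    """
    assert READ > max_len
    pats = {name: compile_pattern(s) for name, s in specs.items()}
    hits = {name: [] for name in pats}
    overlap = max_len - 1
    base = 0          # image offset of buf[0]
    buf = b""
    eof = False
    with open(image, "rb") as f:
        while not eof:
            block = f.read(READ)
            eof = len(block) < READ
            buf += block
            # Matches starting in the tail are deferred to the next pass, where the
            # tail is re-read with fresh data after it.
            limit = len(buf) if eof else len(buf) - overlap
            for name, pat in pats.items():
                for m in pat.finditer(buf):
                    if m.start() < limit:
                        hits[name].append(base + m.start())
            if not eof:
                base += limit
                buf = buf[limit:]
    return hits


def build_sample_image() -> bytes:
    """Constructed 8 KiB 'drive': zeros (unallocated space) with a few planted artifacts."""
    img = bytearray(8192)
    memo = b"Memo: shred the Condor files"
    img[100:100 + len(memo)] = memo
    img[512:516] = b"\xff\xd8\xff\xe0"          # JPEG SOI + APP0 marker bytes
    wire = b"wire transfer"
    img[4090:4090 + len(wire)] = wire            # straddles the 4096-byte read boundary
    wire2 = b"Wire Transfer"
    img[6000:6000 + len(wire2)] = wire2          # case differs from the pattern
    return bytes(img)


SPECS = {
    "memo": r"condor",                 # ASCII, case-insensitive
    "jpeg": "hex:FFD8FF",              # hexadecimal signature
    "wire": r"wire\s+transfer",        # regex with whitespace class
}


def demo_search() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.raw"
        image.write_bytes(build_sample_image())
        return search_image(image, SPECS)


if __name__ == "__main__":
    for name, offsets in demo_search().items():
        print(f"{name:5s} -> {[hex(o) for o in offsets]}")
```

Because the search runs over raw bytes rather than the file system, it finds the planted strings whether or not any file still references them, which is the same reason the text's later point about recovering deleted material holds.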

What can computer forensics actually do for my clients? Lawyers frequently ask this question, often befuddled by what computer forensics can and cannot achieve for their clients. The headlines in the newspapers suggest a wonderful example.

Suppose your clients are shareholders in Enron and Arthur Andersen. They are not happy campers. In fact, while they are delighted at the thought of "the suits" being taken away in handcuffs and becoming guests of federal wardens, they would like some of the executives' stash to be returned to themselves as the victims of all manner of corporate misdeeds.

Enron and Andersen hold shredding party after shredding party - in the traditional mode, they are getting rid of evidence that now looks like this.

It boggles the mind that they would do something as obvious and incriminating as shred paper. The obvious disregard for the law aside, what possible good did they imagine it would do? If they thought they were getting rid of the evidence that would convict them, one has to wonder where they've been in the last decade. Did they have group lobotomies at a corporate retreat?

Let them shred to their heart's content. The evidence that will put them away is in 1s and 0s stored in too doggone many places to get it all.



There are too many local hard drives, server hard drives, backup tapes, laptop hard drives, home computer hard drives, PDAs, cell phones, etc. to ever get it all, even if they were inclined to flout the law and try. Did they delete oceans of files and e-mail? More than likely, given the shredding mentality. Can deleted files be recovered? Yes, most of the time. The likelihood of erasing data beyond recovery in ALL the places that data resides is almost nil. Worse yet, typically people who want to hide their trail frequently leave a perfectly visible trail of their botched concealment attempts. There are fingerprints in the electronic world too.

Computer forensic technicians will be poring over electronic evidence for months, perhaps years - the sheer volume of it daunting, but somewhere in that amazing morass they will undoubtedly strike veins of gold, after which $5,000 Armani suits may well be exchanged for prison greens.

Forensic technologists will be there when gold is struck. The endgame for them is, what else? "Takedown."

The authors are the President and Vice President of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, VA. 703-359-0700 (phone) sensei@senseient.com (e-mail), http://www.senseient.com (website)