Difference between pages "BitLocker: how to image" and "Famous Cases Involving Digital Forensics"

From ForensicsWiki

'''Famous Cases Involving Digital Forensics'''

Revision as of 09:51, 26 July 2013

===2000 Michelle Theer===

''E-mails document the conspiracy to murder her husband''

On Dec. 17, 2000, John Diamond shot and killed Air Force Capt. Marty Theer. "There [was] no direct evidence, no eyewitness evidence. There is no physical evidence. There is no confusion," said Theer's attorney Daniel Pollitt<ref>http://www.wral.com/news/local/story/1061742/</ref> after the conviction. But what prosecutors did have was 88,000 e-mails and instant messages on Theer's computer, including personal ads that Theer had written in 1999, web-mail that she had written in response to those ads, clear evidence of a sexual relationship between Theer and Diamond, and messages documenting the conspiracy to murder Theer's husband. Theer was found guilty on December 3, 2004 of murder and conspiracy and sentenced to life in prison<ref>http://www.wral.com/news/local/story/114276/</ref>.

===2002 [http://en.wikipedia.org/wiki/Scott_Tyree Scott Tyree]===

''Postings on Yahoo reveal a kidnapping''

On January 1st, 2002, Scott Tyree kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. That night Tyree sent an instant message containing a photograph of Kozakiewicz bound in his basement to another man in Tampa, FL. The second man checked the Pittsburgh Post-Gazette website and saw that a girl was in fact missing from her parents' home. The man contacted the FBI on January 3rd and provided the Yahoo screen name of the person who had sent the IM: "masterforteenslavegirls". FBI investigators contacted Yahoo to obtain the IP address of the person who had used the screen name, then contacted Verizon to learn the name and physical address of the Verizon subscriber to whom that IP address had been assigned. It was Scott William Tyree.

* [http://www.covenanteyes.com/2012/01/13/caught-by-a-predator-10-years-after-her-abduction/ article on the abduction]
* [http://www.popularmechanics.com/technology/how-to/computer-security/2672751 Popular Mechanics article]
* [http://notonemorechild.org/map/9 Congressional testimony of Alicia Kozakiewicz]

===2005 [http://en.wikipedia.org/wiki/Dennis_Rader Dennis Rader] --- The "BTK" Serial Killer===

After eluding police for more than 30 years, a serial killer in Kansas re-emerged, took another victim, and then sent police a floppy disk with a letter on it. On the disk forensic investigators found a deleted Microsoft Word file. That file's metadata recorded the name "Dennis" as the last person to modify the file and a link to the Lutheran Church where Rader was a deacon. (Ironically, Rader had sent a floppy disk to the police because he had previously been told, by the police themselves, that letters on floppy disks could not be traced.)

===2005 Corey Beantee Melton===

''Caught up in child pornography''

Melton brought his malfunctioning home computer to Best Buy's Geek Squad. The Squad found numerous computer viruses on the system. Melton left his computer with the store. Subsequent analysis by the store found that some of the viruses kept re-attaching themselves to movies. When the squad looked at the videos, they determined that they were child pornography and contacted the police.

* http://www.forbes.com/sites/kashmirhill/2010/10/12/the-geek-squad-becomes-the-porn-squad/
* http://law.justia.com/cases/alabama/court-of-appeals-criminal/2010/08-1767.html

===2007 James Kent===

''University Professor caught up in child pornography''

In 1999, James Kent, a professor of public administration at Marist College in Poughkeepsie, NY, started researching child pornography for a book that he was planning on the topic. In June 2000 he abandoned the project and deleted his copies of the files. In 2005 his computer was replaced by the college, but the files from his old computer were copied to the new computer. In 2007 Kent, now 63, complained to his school's IT department that his college-provided computer was not functioning properly. In the course of running a virus scan the school's IT department discovered a large number of pictures "of very young girls, some scantily dressed in sexually suggestive poses." Kent maintained that the photos were left over from his research efforts and that he did not have access to the files. Kent was charged with 141 counts of possession of child pornography. On appeal the court threw out one count, reasoning that Kent did not know that viewing child pornography online made a copy of it in his web browser's cache.

* http://www.dailyfreeman.com/articles/2010/10/20/blotter/doc4cbe74442fd0d812453451.txt
* http://usnews.nbcnews.com/_news/2012/05/08/11602955-viewing-child-porn-on-the-web-legal-in-new-york-state-appeals-court-finds?lite
* [http://msnbcmedia.msn.com/i/MSNBC/Sections/NEWS/120508_NY_ChildPorn_Ruling.pdf Opinion]
* http://www.forbes.com/sites/kashmirhill/2010/10/15/i-was-doing-academic-research-not-an-adequate-defense-for-child-porn-possession/

===2009 James M. Cameron===

''Assistant attorney general for Maine caught up in child pornography''

On February 17, 2009, James M. Cameron was indicted on 16 charges of trafficking in child pornography. Prosecutors alleged that between July 2006 and January 2008 Cameron had uploaded child pornography to a Yahoo photo album using five different aliases. According to an order by a federal judge dated Sept. 28, 2009, "It begins with two referrals from the (National Center for Missing and Exploited Children) to the Maine State Police on August 3, 2007, and September 6, 2007, which itself had been triggered by a report from the Internet Service Provider Yahoo. Yahoo reported locating numerous images of child pornography in the photos section of a Yahoo! account.

"The Maine State Police Computer Crimes Unit undertook an investigation and ultimately identified the owner of the account to be Barbara Cameron, the defendant's wife. Further investigation confirmed that Mr. Cameron was an assistant attorney general for the state of Maine, and that some of the pornography involved children as young as 4 to 6 years old engaging in sexual conduct....On December 21, 2007, the state executed a search warrant and seized four computers. When the computers were examined, there was evidence of Internet chat between two users about sex with children, images of child pornography and related topics....In one of those conversations, the person identified himself as a married 45-year-old man with a daughter, a description that fits Mr. Cameron."

* http://www.pressherald.com/news/Cameron-sentenced-to-16-years-in-prison.html
* http://www.mahalo.com/james-m-cameron/

==See Also==

* [http://groups.google.com/group/alt.comp.virus/browse_frm/thread/f5d9d7c71c6fb540/e0e9a7986d4df76b?tvc=1 Tracking down the author of the Melissa virus] - Usenet discussion which revealed lots of information about the author of the [http://en.wikipedia.org/wiki/Melissa_%28computer_worm%29 Melissa worm/virus].
* [http://www.securityfocus.com/infocus/1676 IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot]

[[Category:Investigations]]
[[Category:Law]]

'''BitLocker: how to image'''

= Imaging Options =

There are multiple ways to image a computer with BitLocker security in place.

== Traditional Imaging ==

One can make a traditional image, with the image containing the encrypted information.

Options exist to decrypt the information offline, provided the password or recovery password is available; some are:

* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
* [[EnCase]] (as of version 6) with the (optional) encryption module
* [[libbde]]

The recovery password is a long series of digits broken up into 8 segments:
<pre>
123456-123456-123456-123456-123456-123456-123456-123456
</pre>

There is no whitespace in the password, not even at the end.

The recovery password can be recovered from a BitLocker-enabled computer provided it can be logged into, or from escrow if it was stored there.

The basic steps are:

# Make a "traditional" full disk image.
# Recover the password. This can be done by booting the original computer, or by creating a clone and booting the clone. (Booting from a clone has not been tested at this time.)
## Once booted, log into the computer.
## Use the BitLocker control panel applet to display the password. This can also be done from the command line.
## Record the password.
# For EnCase v6 or higher with the encryption module installed:
## Load the image into EnCase.
## You will be prompted for the password. Simply enter it and continue.
## If you prefer to have an unencrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase. The new image will contain unencrypted data.
## After adding the encrypted image to your case, right-click on the drive in the left panel and select Acquire. Select "do not add to case". You will be presented with a dialog window to enter new information about the image. Make sure the destination you select for your new image does not already exist.

== Live Imaging ==

=== FTK Live Imaging of a physical drive ===

Using FTK Imager Lite, it was determined that a live image of the physical system disk results in an image containing an encrypted BitLocker container.

Note that the phrase "physical" here corresponds directly with FTK Imager's use of the term in its image-acquire menu.

=== FTK Live Imaging of a logical partition ===

This has not been verified to work or fail at this time.

Note that the phrase "logical" here corresponds directly with FTK Imager's use of the term in its image-acquire menu.

=== FTK Live Files and Folders collections ===

This was not attempted, but it seems reasonable to assume this will collect unencrypted files.

== See Also ==

* [[BitLocker Disk Encryption]]
* [[Defeating Whole Disk Encryption]]

[[Category:Disk encryption]]
[[Category:Windows]]
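As an added example (not code from the wiki page or from any of the tools it lists), the following Python check validates a recorded BitLocker recovery password before it is used to unlock an image: the 8 groups of 6 digits and the no-whitespace rule stated above, plus the per-group consistency rule documented in the libbde and dislocker format descriptions (each group is a multiple of 11 and encodes a 16-bit value). The sample passwords are constructed; the page's "123456-..." pattern shows only the shape and so fails the per-group check.

```python
import re
from typing import List

# Recovery password layout (as documented for libbde/dislocker): 48 digits in
# 8 groups of 6, separated by '-'. Each group, read as a number, is a multiple
# of 11 and the quotient fits in 16 bits, so a group is at most 720885.
GROUP_RE = re.compile(r"^\d{6}(-\d{6}){7}$")
MAX_GROUP = 65535 * 11  # 720885


def validate_recovery_password(text: str) -> List[int]:
    """Check a recovery password exactly as recorded; no whitespace is stripped.

    Returns the eight 16-bit values the groups encode, or raises ValueError
    naming the first problem found (useful before trusting a transcription).
    """
    if text != text.strip():
        raise ValueError("whitespace found: the password has none, not even at the end")
    if not GROUP_RE.match(text):
        raise ValueError("expected 8 groups of exactly 6 digits separated by '-'")
    values = []
    for i, group in enumerate(text.split("-"), start=1):
        n = int(group)
        if n % 11 != 0:
            raise ValueError(f"group {i} ({group}) is not a multiple of 11: likely mistyped")
        if n > MAX_GROUP:
            raise ValueError(f"group {i} ({group}) exceeds the 16-bit range")
        values.append(n // 11)
    return values


def check(text: str) -> str:
    """Return 'ok' or the validation message, for reviewing a recorded password."""
    try:
        validate_recovery_password(text)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed samples, not real keys. Only the first one passes.
    samples = [
        "135795-720885-000011-440000-597531-022264-344707-001100",
        "135795-720885-000011-440000-597531-022264-344707-001100 ",  # trailing blank
        "123456-123456-123456-123456-123456-123456-13456-123456",    # 5-digit group
        "123456-123456-123456-123456-123456-123456-123456-123456",   # shape only
    ]
    for s in samples:
        print(repr(s), "->", check(s))
```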
