Difference between pages "Java" and "Famous Cases Involving Digital Forensics"

From Forensics Wiki

= Java =

{{Expand}}

== Java WebStart Cache ==

As of Java version 6 the Java WebStart Cache can be found in the following locations.

On Linux
<pre>
/home/$USER/.java/deployment/cache/
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Caches/Java/cache/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache\
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\cache\
</pre>

== IDX file format ==

Caveat: the following information is based on analysis of several dozen *.idx files from different Windows 7 systems. As such, it should not be considered exhaustively researched.

Values are big-endian.

<pre>
00000000  01 00 00 00 02 5b 00 00  00 00 1d c7 b4 00 00 01  |.....[..........|
00000010  1f 81 29 fe b8 00 00 00  00 00 00 00 00 00 00 01  |..).............|
00000020  2b 24 4a cb dd 01 00 00  00 00 00 00 00 00 00 00  |+$J.............|
00000030  00 00 00 00 00 00 00 00  01 2b 24 4a a4 cd 00 00  |.........+$J....|
00000040  01 2e 45 83 f4 18 00 00  00 00 00 00 00 00 00 01  |..E.............|
00000050  01 00 00 00 00 00 00 00  00 00 00 00 01 2b 24 4a  |.............+$J|
00000060  a4 cd 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>

The header is 128 bytes in size and contains:

{|
! align="left" | Offset !! Size !! Value !! Description
|-
| 0 || 4 || || Unknown, seen 00 00 00 00 and 01 00 00 00
|-
| 4 || 4 || 02 5b 00 00 || Signature?
|-
| 8 || 7 || || Unknown
|-
| 15 || 6 || 01 1f 81 29 fe b8 || Unknown timestamp, POSIX timestamp in milliseconds
|-
| 21 || 10 || || Unknown, empty values
|-
| 31 || 6 || 01 2b 24 4a cb dd || Unknown timestamp, POSIX timestamp in milliseconds
|-
| 37 || 19 || || Unknown
|-
| 56 || 6 || 01 2b 24 4a a4 cd || Unknown timestamp, POSIX timestamp in milliseconds
|-
| 62 || 2 || || Unknown, empty values
|-
| 64 || 6 || 01 2e 45 83 f4 18 || Unknown timestamp, POSIX timestamp in milliseconds
|-
| 70 || 22 || || Unknown
|-
| 92 || 6 || 01 2b 24 4a a4 cd || Unknown timestamp, POSIX timestamp in milliseconds
|-
| 98 || 30 || || Unknown, empty values
|}

To convert a timestamp, e.g. in Python (the timestamp at offset 15; the epoch base makes the result UTC):

<pre>
import datetime
print(datetime.datetime(1970, 1, 1) + datetime.timedelta(milliseconds=0x011f8129feb8))
2009-02-16 22:17:07
</pre>

<pre>
00000080  00 00 00 39 68 74 74 70  3a 2f 2f 77 77 77 2e 74  |...9http://www.t|
00000090  6f 70 63 6f 64 65 72 2e  63 6f 6d 2f 63 6f 6e 74  |opcoder.com/cont|
000000a0  65 73 74 2f 63 6c 61 73  73 65 73 2f 43 6f 6e 74  |est/classes/Cont|
000000b0  65 73 74 41 70 70 6c 65  74 2e 6a 61 72          |estApplet.jar  |
</pre>

{|
! align="left" | Offset !! Size !! Value !! Description
|-
| 128 || 4 || || Hostname string size
|-
| 132 || ... || || Hostname string (UTF-8 without an end-of-string character?)
|}

<pre>
000000b0                                          00 00 00  |            ...|
000000c0  0c 36 36 2e 33 37 2e 32  31 30 2e 38 36 00 00 00  |.66.37.210.86  |
</pre>

{|
! align="left" | Offset !! Size !! Value !! Description
|-
| ... || 4 || || IP string size
|-
| ... || ... || || IP string (UTF-8 without an end-of-string character?)
|}

<pre>
000000c0                                          00 00 00  |            ...|
000000d0  07 00 06 3c 6e 75 6c 6c  3e 00 0f 48 54 54 50 2f  |...<null>..HTTP/|
000000e0  31 2e 31 20 32 30 30 20  4f 4b 00 0e 63 6f 6e 74  |1.1 200 OK..cont|
000000f0  65 6e 74 2d 6c 65 6e 67  74 68 00 07 31 39 35 31  |ent-length..1951|
00000100  36 36 38 00 0d 6c 61 73  74 2d 6d 6f 64 69 66 69  |668..last-modifi|
00000110  65 64 00 1d 4d 6f 6e 2c  20 31 36 20 46 65 62 20  |ed..Mon, 16 Feb |
00000120  32 30 30 39 20 32 32 3a  31 37 3a 30 37 20 47 4d  |2009 22:17:07 GM|
00000130  54 00 0c 63 6f 6e 74 65  6e 74 2d 74 79 70 65 00  |T..content-type.|
00000140  18 61 70 70 6c 69 63 61  74 69 6f 6e 2f 6a 61 76  |.application/jav|
00000150  61 2d 61 72 63 68 69 76  65 00 04 64 61 74 65 00  |a-archive..date.|
00000160  1d 53 61 74 2c 20 31 38  20 53 65 70 20 32 30 31  |.Sat, 18 Sep 201|
00000170  30 20 31 30 3a 30 31 3a  30 36 20 47 4d 54 00 06  |0 10:01:06 GMT..|
00000180  73 65 72 76 65 72 00 06  41 70 61 63 68 65 00 1b  |server..Apache..|
00000190  64 65 70 6c 6f 79 2d 72  65 71 75 65 73 74 2d 63  |deploy-request-c|
000001a0  6f 6e 74 65 6e 74 2d 74  79 70 65 00 1a 61 70 70  |ontent-type..app|
000001b0  6c 69 63 61 74 69 6f 6e  2f 78 2d 6a 61 76 61 2d  |lication/x-java-|
000001c0  61 72 63 68 69 76 65 1f  8b 08 00 00 00 00 00 00  |archive.........|
...
</pre>

{|
! align="left" | Offset !! Size !! Value !! Description
|-
| ... || 4 || || Number of value pairs
|-
| ... || ... || || Array of value pairs
|}

A value pair is variable in size and consists of:

{|
! align="left" | Offset !! Size !! Value !! Description
|-
| 0 || 2 || || Value description string size
|-
| 2 || size || || Value description string
|-
| ... || 2 || || Value string size
|-
| ... || size || || Value string
|}

Analysis of *.idx files has revealed a number of interesting findings. One is that specific offsets appear to depend on the version or "magic number" of the *.idx file. For example, for files whose second DWORD (thought to be the "magic number") is 0x5a02, the URL from which the data was retrieved starts at offset 0x20 and is an ASCII string terminated by "\x00\x00".

For a magic number of 0x5d02, the size of the URL string can be found at offset 0x80. The first two string values to extract from this data are prefaced with their lengths in 4-byte DWORDs, stored in big-endian order. To get the first string, read the DWORD at offset 0x80 and interpret it as a big-endian value (in Perl, use <i>unpack("N",$data)</i>). Beginning at offset 0x84, the string is <i>length</i> characters long. At the end of that string, the next DWORD is the length of the second string, also in big-endian format.

Once the initial strings have been read, there is a DWORD value which can be interpreted as a <i>type</i> value of sorts, and the remaining data (i.e., the strings following the apparent <i>type</i> value) follows a fairly regular pattern. The <i>type</i> value appears to be the number of string pairs in the remaining data. Each string is prefaced by a big-endian WORD (2-byte) length, so parsing the strings and pairing them up is a straightforward process.

In many cases a <i>type</i> value of 2 accompanies an HTTP response code of 302; values of 6, 7 and 8 (the values observed so far) accompany a response of 200 as well as additional data (including time stamps), and the *.idx files themselves appear to contain certificate (and perhaps other) information.
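As an added example (not code from the Forensics Wiki page), the following Python 3 script parses the layout described above: it checks the 02 5b signature at offset 4, decodes the five 6-byte millisecond timestamps in the 128-byte header, then reads the two 4-byte-length-prefixed strings (the URL, labelled hostname in the table, and the IP address), the pair count and the 2-byte-length-prefixed name/value pairs. The sample bytes are constructed to reproduce the hex dump on this page; the function names and dictionary keys are my own choices.

```python
import datetime
import struct

HEADER_SIZE = 128
SIGNATURE = b"\x02\x5b\x00\x00"      # bytes 4..7 in every sample on this page
# Offsets of the 6-byte big-endian millisecond timestamps; their meaning is still unknown.
TIMESTAMP_OFFSETS = (15, 31, 56, 64, 92)


def ms_to_datetime(ms):
    """POSIX milliseconds -> naive UTC datetime (the page's one-liner as a function)."""
    return datetime.datetime(1970, 1, 1) + datetime.timedelta(milliseconds=ms)


def read_string(data, pos, length_size):
    """Read a big-endian length prefix (2 or 4 bytes) and the UTF-8 string after it."""
    (length,) = struct.unpack_from(">H" if length_size == 2 else ">I", data, pos)
    pos += length_size
    if pos + length > len(data):
        raise ValueError("string at offset 0x%x runs past end of file" % pos)
    return data[pos:pos + length].decode("utf-8", "replace"), pos + length


def parse_idx(data):
    """Parse header, URL/IP strings and name/value pairs; body_offset is where content starts."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the 128-byte header")
    if data[4:8] != SIGNATURE:
        raise ValueError("unexpected signature at offset 4: %s" % data[4:8].hex())
    timestamps = {off: ms_to_datetime(int.from_bytes(data[off:off + 6], "big"))
                  for off in TIMESTAMP_OFFSETS}
    url, pos = read_string(data, HEADER_SIZE, 4)
    ip, pos = read_string(data, pos, 4)
    (count,) = struct.unpack_from(">I", data, pos)
    pos += 4
    pairs = []
    for _ in range(count):
        name, pos = read_string(data, pos, 2)
        value, pos = read_string(data, pos, 2)
        pairs.append((name, value))
    return {"timestamps": timestamps, "url": url, "ip": ip, "headers": pairs, "body_offset": pos}


def build_sample():
    """Constructed input reproducing the hex dump on this page (not a real cache file)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0], hdr[4:8] = 1, SIGNATURE
    for off, ms in ((15, 0x011F8129FEB8), (31, 0x012B244ACBDD), (56, 0x012B244AA4CD),
                    (64, 0x012E4583F418), (92, 0x012B244AA4CD)):
        hdr[off:off + 6] = ms.to_bytes(6, "big")
    url = b"http://www.topcoder.com/contest/classes/ContestApplet.jar"
    ip = b"66.37.210.86"
    pairs = [(b"<null>", b"HTTP/1.1 200 OK"), (b"content-length", b"1951668"),
             (b"last-modified", b"Mon, 16 Feb 2009 22:17:07 GMT"),
             (b"content-type", b"application/java-archive"),
             (b"date", b"Sat, 18 Sep 2010 10:01:06 GMT"), (b"server", b"Apache"),
             (b"deploy-request-content-type", b"application/x-java-archive")]
    body = struct.pack(">I", len(url)) + url + struct.pack(">I", len(ip)) + ip
    body += struct.pack(">I", len(pairs))
    for name, value in pairs:
        body += struct.pack(">H", len(name)) + name + struct.pack(">H", len(value)) + value
    return bytes(hdr) + body + b"\x1f\x8b\x08"   # gzip magic of the cached JAR follows
```

Against a real file, `parse_idx(open(path, "rb").read())` gives the same dictionary, and for the layout in the dump `body_offset` lands on the gzip magic 1f 8b of the cached content.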
== External Links ==

* [http://sploited.blogspot.ch/2012/08/java-forensics-using-tln-timelines.html Java Forensics using TLN Timelines]
* [http://journeyintoir.blogspot.com/2011/02/almost-cooked-up-some-java.html Almost Cooked UP Some Java]
* [http://journeyintoir.blogspot.com/2011/11/finding-initial-infection-vector.html Finding Initial Infection Vector]

[[Category:Analysis]]

= Famous Cases Involving Digital Forensics =

Revision as of 13:19, 29 June 2013

===2000 Michelle Theer===
''E-mails document the conspiracy to murder her husband''

On Dec. 17, 2000, John Diamond shot and killed Air Force Capt. Marty Theer. "There [was] no direct evidence, no eyewitness evidence. There is no physical evidence. There is no confusion," said Theer's attorney Daniel Pollitt<ref>http://www.wral.com/news/local/story/1061742/</ref> after the conviction. But what prosecutors did have was 88,000 e-mails and instant messages on Theer's computer, including personal ads that Theer had written in 1999, web-mail that she had written in response to those ads, clear evidence of a sexual relationship between Theer and Diamond, and messages documenting the conspiracy to murder Theer's husband. Theer was found guilty on December 3, 2004 of murder and conspiracy and sentenced to life in prison<ref>http://www.wral.com/news/local/story/114276/</ref>.

===2002 [http://en.wikipedia.org/wiki/Scott_Tyree Scott Tyree]===
''Postings on Yahoo reveal a kidnapping''

On January 1st, 2002, Scott Tyree kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. That night Tyree sent an instant message with a photograph of Kozakiewicz bound in his basement to another man in Tampa, FL. The second man checked the Pittsburgh Post-Gazette website and saw that a girl was in fact missing from her parents' home. The man contacted the FBI on January 3rd and provided the Yahoo screen name of the person who had sent the IM: "masterforteenslavegirls". FBI investigators contacted Yahoo to obtain the IP address for the person who had used the screen name, then contacted Verizon to learn the name and physical address of the Verizon subscriber to whom that IP address had been assigned. It was Scott William Tyree.

* [http://www.covenanteyes.com/2012/01/13/caught-by-a-predator-10-years-after-her-abduction/ article on the abduction]
* [http://www.popularmechanics.com/technology/how-to/computer-security/2672751 Popular Mechanics article]
* [http://notonemorechild.org/map/9 Congressional testimony of Alicia Kozakiewicz]

===2005 [http://en.wikipedia.org/wiki/Dennis_Rader Dennis Rader]===
''The BTK Serial Killer''

After eluding police for more than 30 years, a serial killer in Kansas re-emerged, took another victim, and then sent police a floppy disk with a letter on it. On the disk forensic investigators found a deleted Microsoft Word file. That file's metadata named "Dennis" as the last person to modify it and contained a link to the Lutheran Church where Rader was a deacon. (Ironically, Rader had sent a floppy disk to the police because he had previously been told, by the police themselves, that letters on floppy disks could not be traced.)

===2005 Corey Beantee Melton===
''Caught up in child pornography''

Melton brought his malfunctioning home computer to Best Buy's Geek Squad. The Squad found numerous computer viruses on the system. Melton left his computer with the store. Subsequent analysis by the store found that some of the viruses kept re-attaching themselves to movies. When the Squad looked at the videos they determined that they were child pornography and contacted the police.

* http://www.forbes.com/sites/kashmirhill/2010/10/12/the-geek-squad-becomes-the-porn-squad/
* http://law.justia.com/cases/alabama/court-of-appeals-criminal/2010/08-1767.html

===2007 James Kent===
''University Professor caught up in child pornography''

In 1999, James Kent, a professor of public administration at Marist College in Poughkeepsie, NY, started researching child pornography for a book he was planning on the topic. In June 2000 he abandoned the project and deleted his copies of the files. In 2005 his computer was replaced by the college, but the files from his old computer were copied to the new computer. In 2007 Kent, now 63, complained to his school's IT department that his college-provided computer was not functioning properly. In the course of running a virus scan the school's IT department discovered a large number of pictures "of very young girls, some scantily dressed in sexually suggestive poses." Kent maintained that the photos were left over from his research efforts and that he did not have access to the files. Kent was charged with 141 counts of possession of child pornography. On appeal the court threw out one count, reasoning that Kent did not know that viewing child pornography online made a copy of it in his web browser's cache.

* http://www.dailyfreeman.com/articles/2010/10/20/blotter/doc4cbe74442fd0d812453451.txt
* http://usnews.nbcnews.com/_news/2012/05/08/11602955-viewing-child-porn-on-the-web-legal-in-new-york-state-appeals-court-finds?lite
* [http://msnbcmedia.msn.com/i/MSNBC/Sections/NEWS/120508_NY_ChildPorn_Ruling.pdf Opinion]
* http://www.forbes.com/sites/kashmirhill/2010/10/15/i-was-doing-academic-research-not-an-adequate-defense-for-child-porn-possession/

===2009 James M. Cameron===
''Assistant attorney general for Maine caught up in child pornography''

On February 17, 2009, James M. Cameron was indicted on 16 charges of trafficking in child pornography. Prosecutors alleged that between July 2006 and January 2008 Cameron had uploaded child pornography to a Yahoo photo album using five different aliases. According to an order by a federal judge dated Sept. 28, 2009, "It begins with two referrals from the (National Center for Missing and Exploited Children) to the Maine State Police on August 3, 2007, and September 6, 2007, which itself had been triggered by a report from the Internet Service Provider Yahoo. Yahoo reported locating numerous images of child pornography in the photos section of a Yahoo! account.

"The Maine State Police Computer Crimes Unit undertook an investigation and ultimately identified the owner of the account to be Barbara Cameron, the defendant's wife. Further investigation confirmed that Mr. Cameron was an assistant attorney general for the state of Maine, and that some of the pornography involved children as young as 4 to 6 years old engaging in sexual conduct....On December 21, 2007, the state executed a search warrant and seized four computers. When the computers were examined, there was evidence of Internet chat between two users about sex with children, images of child pornography and related topics....In one of those conversations, the person identified himself as a married 45-year-old man with a daughter, a description that fits Mr. Cameron."

* http://www.pressherald.com/news/Cameron-sentenced-to-16-years-in-prison.html
* http://www.mahalo.com/james-m-cameron/

==See Also==

* [http://groups.google.com/group/alt.comp.virus/browse_frm/thread/f5d9d7c71c6fb540/e0e9a7986d4df76b?tvc=1 Tracking down the author of the Melissa virus] - Usenet discussion which revealed lots of information about the author of the [http://en.wikipedia.org/wiki/Melissa_%28computer_worm%29 Melissa worm/virus].
* [http://www.securityfocus.com/infocus/1676 IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot]

==References==
<references/>

[[Category:Investigations]]
[[Category:Law]]