DC3 2009


Carved Files

Through file carving we also recovered a Word document, which we have provided as “letter[108391].doc” in the evidence directory. Its contents are a threatening letter, reproduced below:

B,

You just watch your self man, you are walking on thin ice. You know the time is coming soon and we can’t afford any more mistakes. If we don’t hit this place by Friday we’re gonna miss our chance and you know I cant afford that. If youre planning on chickening out don’t even think about it, I got ways of making sure you don’t back out. And don’t think about telling anyone, you know I know how to shut people up if I need to.

We were also able to carve an HTML cache file, which we have provided as “login[2][42362].htm” in the evidence directory. The file is a cached Yahoo login page; note the text prompt:

This ID is not yet taken. Are you trying to register for a new account?

Examining the HTML of the document reveals the register link to be:

<a href="http://rd.yahoo.com/reg/login1/tst_pst/suli/signup/us/my/*https://edit.yahoo.com/config/eval_register?login=yogibear1953&.intl=us&.done=http%3A//cm.my.yahoo.com&.src=my&.v=0&.u=6g9gk4l3v9g53&partner=&.p=&promo=&.last=&.testid=tst_pst">

Note that the login parameter carries the username (yogibear1953) previously observed in the chat conversations. The “not yet taken” prompt indicates the account was being registered when this page was cached, so the registration is recent and Yahoo may still hold IP log information for it, obtainable via subpoena to further link Stallman to the account.

Encrypted Documents

All encrypted documents are located in the encryption subdirectory of the evidence directory.

There are two sets of encrypted Word documents. The first set is named as recipes:

  1. D:/Documents and Settings/Default User/My Documents/4 Cheese Bacon MacNCheese Recipe.doc

  2. D:/Documents and Settings/Default User/My Documents/Chili Recipe.doc

  3. D:/Documents and Settings/Default User/My Documents/Stringbean Casserole Recipe.doc

The second set contains a single document:

  1. E:/Users/Master of Disaster/Documents/Dr. Marshall Complaint.docx

The first set is encrypted with 40-bit RC4, while the second uses AES-128, which is not attackable this way. The former are easily broken by brute-forcing the 40-bit key: with only 2^40 candidates, exhaustive search is practical, and it yields decryption of the document but not recovery of the password that produced the key.

4 Cheese Bacon MacNCheese Recipe.doc has key 0xd0ced1aad4

Chili Recipe.doc has key 0xbb8611d3ae

Stringbean Casserole Recipe.doc has key 0xaeafed1cd5

The first set appears to be the documents from the 2008 challenge regarding apemen. We used the MPI-based password cracker mentioned in our tools section to recover the 40-bit keys, primarily because we do not have licenses for the various instant-recovery password suites and reimplementing one was free. As a side note, we used LONI, the Louisiana Optical Network Initiative, for this.
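To make concrete what “brute-forcing the 40-bit key” means for a Word .doc, the following is an added example, not the team’s MPI cracker or any tool from the original write-up. It follows the legacy Office RC4 key derivation (MS-OFFCRYPTO section 2.3.6.2): the password and the 16-byte header salt are reduced to a 5-byte TruncatedHash, and only those 40 bits feed the per-block RC4 keys, which is why a cracker searches the 5-byte value directly and never learns the password. The header fields (salt, EncryptedVerifier, EncryptedVerifierHash) are constructed here from a chosen password rather than read from a real Table stream; `search_slice` is one worker’s share of the keyspace, as an MPI job would partition it, and the demo deliberately hands it a slice that contains the key so it finishes in seconds.

```python
import hashlib
import struct
from typing import Optional, Tuple

BLOCK_SIZE = 0x200  # Word re-keys RC4 every 512 bytes of an encrypted stream


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def truncated_hash(password: str, salt: bytes) -> bytes:
    """MS-OFFCRYPTO 2.3.6.2: MD5 of the UTF-16LE password, truncated to 5 bytes,
    concatenated with the salt, repeated 16 times, hashed again and truncated.
    These 40 bits are the only password-derived input to every RC4 key."""
    h0 = hashlib.md5(password.encode("utf-16-le")).digest()
    h1 = hashlib.md5((h0[:5] + salt) * 16).digest()
    return h1[:5]


def block_key(th: bytes, block: int) -> bytes:
    """Per-block RC4 key: MD5(TruncatedHash || block number as 32-bit little-endian)."""
    return hashlib.md5(th + struct.pack("<I", block)).digest()


def check_key(th: bytes, salt: bytes, enc_verifier: bytes, enc_verifier_hash: bytes) -> bool:
    """The test a cracker runs per candidate: decrypt the 32-byte verifier pair with one
    continuous block-0 keystream and compare MD5(verifier) with the decrypted hash."""
    plain = rc4(block_key(th, 0), enc_verifier + enc_verifier_hash)
    return hashlib.md5(plain[:16]).digest() == plain[16:]


def search_slice(start: int, end: int, salt: bytes, enc_verifier: bytes,
                 enc_verifier_hash: bytes) -> Optional[bytes]:
    """Exhaust candidates in [start, end) of the 2**40 keyspace; return the key or None."""
    for k in range(start, end):
        th = k.to_bytes(5, "big")
        if check_key(th, salt, enc_verifier, enc_verifier_hash):
            return th
    return None


def crypt_stream(th: bytes, data: bytes) -> bytes:
    """Decrypt (or encrypt) a document stream with the recovered key, re-keying per 512-byte block."""
    out = bytearray()
    for blk, off in enumerate(range(0, len(data), BLOCK_SIZE)):
        out += rc4(block_key(th, blk), data[off:off + BLOCK_SIZE])
    return bytes(out)


def make_fixture(password: str, salt: bytes, verifier: bytes) -> Tuple[bytes, bytes, bytes]:
    """Constructed stand-in for a real EncryptionHeader.
    Returns (TruncatedHash, EncryptedVerifier, EncryptedVerifierHash)."""
    th = truncated_hash(password, salt)
    enc = rc4(block_key(th, 0), verifier + hashlib.md5(verifier).digest())
    return th, enc[:16], enc[16:]


if __name__ == "__main__":
    salt = bytes(range(16))  # constructed; a real salt is read from the header
    th, ev, evh = make_fixture("hunter2", salt, b"constructed-16B!")
    k = int.from_bytes(th, "big")
    # A slice that happens to contain the key; a full run covers [0, 2**40).
    found = search_slice(max(0, k - 1000), k + 1000, salt, ev, evh)
    print("recovered 40-bit key: 0x" + found.hex())
    body = b"A" * 1300
    print("round trip ok:", crypt_stream(th, crypt_stream(th, body)) == body)
```

The verifier check is where all the time goes: one MD5 and one 256-byte RC4 key schedule per candidate, about 2^40 times in the worst case, which is why it is worth spreading over a cluster. Because `check_key` matches a full 16-byte MD5, false positives are negligible, so the first hit is the key.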

Suspicious Software

There are a number of suspicious folders in the Program Files directory on the second partition.

  1. DriveWiper Pro 1.10

  2. EvidenceEliminator5.0

  3. Steg Creator Plus

  4. STEG_IT_v7

  5. SuperVault Encryption Service 2.4

The individual folders are mostly empty, but their presence suggests the use of data-sanitizing and data-hiding software, consistent with the Documents’ portrayal of Stallman as a paranoid individual. Exports of these directories are provided in the Suspicious Software subdirectory of the evidence directory.

EvidenceEliminator5.0 is specifically sold as a counter-forensics tool. A paper presented at the 2005 Digital Forensics Research Workshop, entitled “Evaluating Commercial Counter-Forensic Tools,” reviewed EvidenceEliminator5.0 as part of its study and found:

Targeted files are renamed with 243 characters with no filename extensions. All except the first 10 characters are pseudo-random combinations of lowercase letters. The first 10 characters are sequential numerals that appear to increment by one for every file wiped. Example:

0000002825wtkdvjiiugvwgveodruvlmdptxgpgfyrqnxpxyjajkqrienrnebnzhoshuyfzhdvzvvvveszlikswlhqpwbetowmznlvzquveyvhkrkcidsmpgpjrxjgpzaxcffvdxynlxiikdnhgachijkuajmdfdcvxbupesrwdyykqfckndbqwittwnyfmtcesftoxtyrnfdwwoblkpcvzwseokhydmcvtvodbrwyvvmewuoge

Searching the deleted-file information for names matching this pattern did not yield any hits, but the application could have been used on the USB storage devices, which were not provided. If it was, traces of this form may have been left behind on those devices, further implicating Stallman.
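The search just described, as an added example that is not part of the original report: a scan of deleted-file entries for the rename pattern quoted from the DFRWS paper (10 sequential digits, 233 lowercase letters, 243 characters, no extension), plus a check that the counters are consecutive, since a run of consecutive counters points to a single wiping session and a gap means entries were overwritten or not recovered. The sample entries are constructed; the 233-letter tails are filler, not names from the evidence.

```python
import ntpath
import re
from typing import Iterable, List, Tuple

# Rename pattern reported for Evidence Eliminator 5.0 in the DFRWS 2005 paper quoted above.
WIPED_NAME = re.compile(r"(?P<seq>\d{10})(?P<rand>[a-z]{233})")


def looks_wiped(name: str) -> bool:
    """True if a basename matches the 243-character wiped-file rename pattern exactly."""
    return WIPED_NAME.fullmatch(name) is not None


def find_wiped(entries: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan deleted-file entries (paths or bare names); return (counter, basename) sorted by counter."""
    hits = []
    for entry in entries:
        base = ntpath.basename(entry.strip())
        m = WIPED_NAME.fullmatch(base)
        if m:
            hits.append((int(m.group("seq")), base))
    return sorted(hits)


def counter_gaps(hits: List[Tuple[int, str]]) -> List[Tuple[int, int]]:
    """Pairs of adjacent counters that are not consecutive, i.e. breaks in a wiping run."""
    seqs = [s for s, _ in hits]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


if __name__ == "__main__":
    # Constructed deleted-file list: real-looking documents plus four wiped-style names.
    sample = [
        r"D:\Documents and Settings\Default User\My Documents\Chili Recipe.doc",
        r"E:\Users\Master of Disaster\Documents\Dr. Marshall Complaint.docx",
        "0000002825" + "w" * 233,
        r"D:\tmp\0000002826" + "q" * 233,
        "0000002827" + "Q" * 233,    # uppercase: does not match
        "0000002830" + "z" * 233,
        "0000002831" + "k" * 232,    # 242 characters: does not match
    ]
    hits = find_wiped(sample)
    print("wiped-style entries:", [s for s, _ in hits])
    print("gaps in counter sequence:", counter_gaps(hits))
```

Run over the actual deleted-files export, an empty result is the same negative finding the report states; any hits should be reported with their counter range, since the counter tells you roughly how many files the tool has wiped over its lifetime on that volume.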

A list of deleted file entries is provided in the deleted files list subdirectory of the evidence directory.

Posted in Digital Forensics