
Brett Shavers | forensics & things

Brett's Ramblings


Case study - Placing the Suspect Behind the Keyboard

Digital Forensics
Brett Shavers
Monday, 09 October 2017

Not too long ago, I read an article where the state’s largest cocaine bust happened because the driver was stopped for speeding.  The first thing I thought was, “Speeding…yeah, right”.   So, I called a good friend of mine who I worked some cool drug cases with and asked if that was his case.  But of course it was.  The article read like cases we worked together for some years.   The case is public knowledge today, but in short, a year of investigative work resulted in ‘taking off’ lots of drugs and cash using pre-textual traffic stops as wall cases to keep the core case going.  We did that a lot and it was a lot of work.

My point in the story is that when you see a simple case publicized, there is usually a lot more that has happened behind the scenes than most people will ever know.  Some of this is intentional, such as when a small part of a case is ‘walled off’ to protect the core of an investigation, and other times the work is so intensive that to start talking about it will (1) bore the listener to death and (2) take a week to flesh out the details.

So here comes a really cool case I just found to illustrate these points.  In brief, this case is a cyberstalking case that was righteous in all aspects in that the cyberstalker truly needed to be caught and that the work done was awesometacular.

I’ve taken a few snippets from the affidavit to discuss some of the notable investigative aspects of the case.  As a reminder, what you read in the affidavit is like seeing the tip of the iceberg of a case.  There is so much more in a case like this that is not in the affidavit.  Having written more search warrant affidavits than I can count, I cannot imagine how much work was done on the case based on what was included in the affidavit.  Very cool.

Side Note:  Read the entire affidavit when you get a chance.  Flesh it out.  Read it like a novel.  What would you have done differently or better?

https://www.justice.gov/opa/press-release/file/1001841/download 

[Affidavit excerpt not reproduced here]

This is a key point. Either the iCloud account was hacked (as in a technical hack, carried out remotely by anyone) or someone had physical access to the account (as in, someone who knew the victim and could have accessed her devices).  Eliminating every suspect who could have hacked the account remotely is impossible.  Eliminating suspects who are known to the victim is possible.

The suspect, “Lin”, erred in using variations of his name in social media accounts.  It’s only a clue, but an important one to build upon.  In all cyber cases, keep track of user names.  Sometimes there is a reason a username was chosen, and it may hold clues to other information.   For each online service, such as Instagram, also consider that the service can be accessed from many different devices, from many different locations, on many different occasions.  With each connection, the suspect risks being discovered, either through his own mistakes or through the service provider’s records.  That means you need to look at every connection behind every message, text, email, or login.

[Affidavit excerpt not reproduced here]

Not much was mentioned about how the anonymity was obtained, but again, each communication is a potential disclosure through a suspect’s mistake.  Considering that the name used as a false flag, Matthew Brown, is someone known to the victim, the working assumption is that the suspect is known to the victim and/or Brown.  This can narrow the list of potential suspects down.

I threw this in just as a reminder for employers (and to remind your clients!) to image departing employees’ devices and keep the images for a set retention period, just in case.  This is also a reminder to employers that even if they think nothing is left on the computer, usually there is something.  I’ve come across this multiple times, and in one case the entire case was closed with a single forensic analysis of a reinstalled OS on a departing employee’s computer.

At this point, it’s easy to see that the suspect (Lin) is probably the guy.

The similarity in style and content from multiple accounts can be tied together, at least as being too similar to be a coincidence.  By itself, not enough to prove a crime/incident, but when taken in totality of all evidence, it is very important.
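The style-and-content comparison described above can be made at least semi-quantitative. What follows is an added example in Python, not code from the post, the affidavit or the investigators: it builds a token-frequency profile for each account from a few constructed messages (the wording is invented for the example and the account names are placeholders) and ranks every pair of accounts by cosine similarity, so that “too similar to be a coincidence” becomes a number you can put next to the other evidence.

```python
import math
import re
from collections import Counter

# Constructed messages attributed to three accounts. The wording is invented
# for this example; none of it is quoted from the affidavit or the case.
MESSAGES = {
    "account_a": [
        "ur gonna regret this lol!! i know where u live!!",
        "u cant hide from me lol!! ur done!!",
    ],
    "account_b": [
        "u think ur safe?? lol ur not!! i know everything u do",
        "lol u really thought nobody would notice?? ur wrong!!",
    ],
    "account_c": [
        "I would appreciate it if you could return my call at your earliest convenience. Thank you.",
        "Please let me know whether the documents were received.",
    ],
}

# Words, plus runs of punctuation as their own tokens: habits like "!!" and "??"
# are part of a writing style and should count.
TOKEN = re.compile(r"[a-z']+|[!?.,]+")


def profile(texts):
    """Lower-cased token counts for one account's messages."""
    counts = Counter()
    for text in texts:
        counts.update(TOKEN.findall(text.lower()))
    return counts


def cosine(a, b):
    """Cosine similarity between two Counter profiles (1.0 identical, 0.0 disjoint)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def rank_pairs(messages):
    """Every pair of accounts as (score, name, name), most similar first."""
    names = sorted(messages)
    profiles = {n: profile(messages[n]) for n in names}
    pairs = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            pairs.append((round(cosine(profiles[x], profiles[y]), 3), x, y))
    return sorted(pairs, reverse=True)


if __name__ == "__main__":
    for score, x, y in rank_pairs(MESSAGES):
        print(f"{x} vs {y}: {score}")
```

A high score is a lead, not proof, exactly as the paragraph says: short samples, copied text and shared slang all inflate it, and plain token counts are driven as much by content as by style. Real stylometric work leans on function words and character n-grams over much larger samples, but the workflow is the same: profile, compare, and then let the other evidence carry the weight.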

This would be called a “slip up” by the suspect.  When details known only to a few people are discussed, the list of potential suspects gets very short.

Again, if physical access is needed to commit a crime, the list of suspects can be shortened.

Never give up on uncovering someone because of technology being used for anonymity.   Keep at it.  Keep looking.  Keep thinking.  Time and effort work for you.  Time works against the suspect.

Technically, this is called, “the suspect screwed up”.   But it took getting the records from Google, which required having the idea to do so along with the labor to build the legal cause to request them.

[Affidavit excerpt not reproduced here]

Social engineering by the suspect.  Very creative.  However, it required the suspect to create a social media account, email account, and obtain a phone number.  Again, consider how many times he would need to connect to the Internet, from one or more devices, from one or more locations in order to do this.  Each act is a potential windfall of evidence when the suspect makes a mistake. You just have to check every connection known and find the mistake. It is there.  You have to look.

[Affidavit excerpt not reproduced here]

And yet another Internet service to add (TextNow) to your investigation.  This is a good thing.  I have heard complaints from investigators about the number of leads to add to the list of things to do in an investigation every time something else comes up.  For me, I love it.  A dozen social media accounts? Cool.   A hundred social media accounts?  Even better.

[Affidavit excerpts not reproduced here]
Like I said, the more the merrier.  Most suspects do not realize that their acts are not separate from one another.  There is usually some connection. It might be the same device used.  Or it might be the same IP address used. Or it might be the same service provider used.  The above would make a cool timeline to visually show the connections.

Again, when you have the “same” of anything in a case, do not discount it as a coincidence.  The same IP or the same email or the same username or the same style of writing can all point to the same suspect.
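To show what “look at every connection” and “the same of anything” turn into once the provider returns are on your desk, here is an added example in Python. It is not code from the post or the investigation, and every record in it is constructed: the provider names, handles, addresses and user agents are made up, and the records are already normalised into one shape (provider, account, timestamp, source IP, user agent), which is the part of the work that actually takes the time. It flags IPs and user agents seen on more than one account, clusters accounts that are transitively linked by a shared IP, and separately reports logins to different accounts from the same IP within a short window, which is the indicator that is hardest to explain away, and lays the events out as a timeline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of normalised provider login records:
# (provider, account, UTC timestamp, source IP, user agent).
# All values are made up for this example; none come from the affidavit.
RECORDS = [
    ("google",    "personal.mailbox@example.com", "2017-04-01T20:15:00", "203.0.113.7",   "Mozilla/5.0 (Macintosh) Chrome/57"),
    ("instagram", "r_lin_1992",                   "2017-04-01T20:20:00", "203.0.113.7",   "Mozilla/5.0 (Macintosh) Chrome/57"),
    ("textnow",   "anon_tipster",                 "2017-04-02T01:05:00", "198.51.100.23", "Mozilla/5.0 (Macintosh) Chrome/57"),
    ("textnow",   "anon_tipster",                 "2017-04-03T22:40:00", "203.0.113.7",   "Mozilla/5.0 (Macintosh) Chrome/57"),
    ("instagram", "unrelated_user",               "2017-04-03T23:10:00", "192.0.2.44",    "Mozilla/5.0 (Windows) Firefox/52"),
]


def parse(records):
    """Turn raw tuples into dicts with a real datetime for sorting and time deltas."""
    return [
        {"provider": p, "account": a, "when": datetime.fromisoformat(ts), "ip": ip, "ua": ua}
        for p, a, ts, ip, ua in records
    ]


def shared_values(records, field):
    """Map each value of `field` ("ip" or "ua") to the distinct (provider, account)
    pairs that used it, keeping only values seen on more than one account."""
    seen = defaultdict(set)
    for r in records:
        seen[r[field]].add((r["provider"], r["account"]))
    return {value: accounts for value, accounts in seen.items() if len(accounts) > 1}


def link_by_ip(records):
    """Cluster accounts transitively: if A shares an IP with B and B with C, then
    A, B and C form one cluster. Returns a sorted list of sorted tuples."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add((r["provider"], r["account"]))
    neighbours = defaultdict(set)
    for accounts in by_ip.values():
        for acct in accounts:
            neighbours[acct] |= accounts - {acct}
    clusters, done = [], set()
    for start in sorted(neighbours):
        if start in done:
            continue
        stack, cluster = [start], set()
        while stack:
            acct = stack.pop()
            if acct in cluster:
                continue
            cluster.add(acct)
            stack.extend(neighbours[acct] - cluster)
        done |= cluster
        clusters.append(tuple(sorted(cluster)))
    return sorted(clusters)


def same_ip_within(records, minutes):
    """Logins to *different* accounts from the same IP within `minutes` of each other.
    A shared IP days apart can be a busy NAT or a VPN exit used by many people;
    the same IP a few minutes apart is a much stronger link."""
    hits = []
    ordered = sorted(records, key=lambda r: r["when"])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            delta = (b["when"] - a["when"]).total_seconds() / 60
            if delta > minutes:
                break  # records are time-ordered, nothing later can qualify
            if a["ip"] == b["ip"] and (a["provider"], a["account"]) != (b["provider"], b["account"]):
                hits.append(((a["provider"], a["account"]), (b["provider"], b["account"]), a["ip"], int(delta)))
    return hits


def timeline(records):
    """One line per event in chronological order, the raw material for a visual timeline."""
    return [
        f'{r["when"].isoformat()} {r["provider"]}:{r["account"]} from {r["ip"]} ({r["ua"]})'
        for r in sorted(records, key=lambda r: r["when"])
    ]


if __name__ == "__main__":
    recs = parse(RECORDS)
    print("\n".join(timeline(recs)))
    print("IPs shared across accounts:", shared_values(recs, "ip"))
    print("User agents shared across accounts:", shared_values(recs, "ua"))
    print("Clusters linked by IP:", link_by_ip(recs))
    print("Different accounts, same IP, within 30 minutes:", same_ip_within(recs, 30))
```

On the constructed data the “anonymous” TextNow account ends up in the same cluster as the named Instagram handle and the personal mailbox because of one login from the same address, and the mailbox and the Instagram handle were used from that address five minutes apart. A shared user agent on its own is weak (thousands of people run the same browser build), so it is reported separately and only corroborates; a shared IP with a short time gap is what you take to the next court order.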

Search the devices to which you have access to either confirm or rule out suspects.  In this case, searching Lin’s previous workplace computer found evidence that linked him to the crimes he was committing using other devices.

Not conclusive, but when you put all the evidence together, no one will see anything other than Lin as the suspect because of being overwhelmed with the little things, like this, that point to him.

[Affidavit excerpt not reproduced here]

Past behavior is a good indicator of future performance/behavior.  In Lin’s case, based on his past behavior, I would say that this is what he is: a cyberstalker.  Once you read the entire affidavit, you’ll see what I mean.

Here’s my take on the case. 

The timespan was lengthy, and there isn’t a lot you can do about that.  I don’t know the details of how many people or agencies worked the case, but I can imagine that there were a few (maybe one or two) who spent a lot of time on it, bantered back and forth on the best way to work it, suffered through a lot of investigative failures and wasted time*, and worked hard to get resources to put the case together.

I can imagine the number of court and administrative orders to obtain the records of all the social media services, ISP records, and phone logs being overwhelming at times.  That is the way it is, so in that aspect, don’t feel like any one case is getting you down more than another case.  I would hope that every user account that the suspect used was investigated, including the “anonymous” accounts.   Other cases have shown that even when a third-party provider promises anonymity, they don’t really mean it.  You will never know until you ask and you will never know what great evidence you can get without asking for it.

I’m not plugging the books I wrote for these types of cases, but if you get these kind of cases, check out the books for some tips.  They are in a lot of libraries, easy to buy online, and the main point I work to get across is to find the one thing that will make your case. 


On Oct 17, I am giving a short webinar on Placing the Suspect Behind the Keyboard.  If you stick around for the entire half hour, you’ll get a printable cert of attendance that you can take back to your employer for training credit to justify the time to join during work.   And also, if you stick it out to the end (it’s only a half hour…..), I’m giving a discount to the 13-hour online course that is the biggest I’ve ever done.  $45 for the entire $799 course.   But the promo will only be good for an hour after the webinar, and only for 100 attendees in the webinar; meaning that you’ll have to sign up right away if you want the course. 

Be sure to add your name to the webinar here: Register


If you are like me, you like to dig.  You like to find out whodidit.  You want to put together a good case.  And most importantly, you want to stop bad people doing bad things to good people.  Isn’t that the point of all this?

 *Sarcastically I said “wasted time”. I mean that time spent without a positive result may seem like wasted time, but it is not, since you have to spend time investigating and much of it results in not much forward movement of the case.  Accept the time spent feeling like you are running in circles as part of what it takes to get it done.





© 2021 Brett Shavers