You won't be a hacker, son!

I am the happy father of three children, who have now grown up. It's a long time since I wrote this post about the opening of my daughter's Skyblog...

The eldest is now in the fifth year of medical school, the second is in business school. And the third one's in high school this year. So I still have a teenager at home :-)

I tried to raise my children as best I could. I accompanied them to the school, first to the front of the gate, then dropped a hundred meters before. I encouraged them in their sporting and cultural activities. I tried to pass on values to them.

Finally, to tell the truth, I was above all my wife's assistant who took on most of the mental burden of the family organization... But hey, at least I was there. I always am.

My main role is to be the "scientist" of the family unit, in charge of the digital tools: computers, backups, network, Internet access, messaging, shared printer, scanner, shared storage, privacy, security, troubleshooting, data recovery, wifi, DHCP, DNS not liars, game consoles, etc.

As for the follow-up of the lessons, I am the bad cop of the couple (in the sense of the good/bad cop strategy), the one whose eyebrow is feared to be raised in case of a bad grade. Strangely enough, none of my children like to ask me for help in explaining an obscure point of the math, physics, or English, or life science class: "In fact, you're explaining too long. We just want the answer to the problem, you explain the whole theory to us and make sure we understand everything... It's heavy."

Being passionate doesn't just have advantages ;-)

That's why I've been thinking for a long time that none of my children will be passionate about what I love: computers.

Yet, last night at the table, my son said the following to me:
"Dad, can you explain the motherboard to me?"
He: "Because my boyfriend, he told me that to be even better in video games, I would have to go on the computer rather than the console, and that I would have to disassemble my computer to tamper with it. You agree to help me?"

In my head, some kind of nuclear explosion happened. My heart stopped beating and then went wild at 200 bpm. My hands got sweaty. I saw one of my children enter the Grail, become the master of the world, and rule over the blue-denied. Finally, the flesh of my flesh would help HAL and the Master Main Control to overcome their inhumanity to join Andrew, the 200-year-old man.

I met my wife's eyes and she radiated happiness to me.

That's why my answer threw a frosty cold: "No".

My face was closed. Was I aware of the immense task that remained to be accomplished in order to reach the top of my discipline? Or the overwhelming face of ubiquitous computing in our more truly private-private lives? Was I going to let my innocent son participate in the digital debauches that are announced in all the objects that will encircle us?


I let a few seconds go by. My wife looked at me with a sorry look. My son was in great distress.

I had just passed my most beautiful father joke of the week.

In my family, fathers have an extraordinary sense of humour, but that only makes them laugh. The devastating horn blow in front of the college gate. The subtle wordplay in front of the children's friends. In short, what we call in our little circle, a "father joke".

hahahahaHAHAHAHAHAHAHA (risus sardonicus)

EVIDENTLY, it is with great pride that I will teach my son to dismantle his computer, improve it, tinker with it, hack it.

You'll be a hacker, son!


Password cracking

Source : xkcd
When I was a young IT manager, in the 90s, there was a "tradition" between network admins at that time: testing the users' passwords to check the security and safety of the network environment we were in charge of.

This is how I discovered the software named "crack", freely and widely distributed on the Internet.

It is also at that moment I realized how useful it was to share useful knowledge for those who want to protect themselves, based on the fact those who attack already have this knowledge.

This is a blog entry on the tools I use today in the forensic analysis I have to deal with, either in a legal case or in the professional world (who, as an admin, never had to work around a root or a BIOS password?). I hope it can help any new legal expert, or anyone who wants to test their personal or professional IT network.

Reminder: any illegal use of that kind of tool can lead to legal consequences. If you're trying to get your boss' password or prank a colleague, please move along. If you're a network admin, please confirm you have the approval of your management team, which is not always the case. Finally, dear parents or dear children, password cracking of other family members to use them against their will is prohibited by the law.

Long story short: bad is bad, illegal is illegal...
If he weren't dead, he would still be envied.

Note to readers already working or aware of computer security, don't expect any major discovery or incredible technique in what comes next. Please consider this note as an introduction to my "watishesayin" or the curious.

0) The magic tool, the one which impresses the friends: Ophcrack

Get on the Ophcrack download page, download the LiveCD that suits your needs (e.g. Vista/7), burn it and boot your Windows 7 computer with it. Look and admire, it's plug and play.

Ophcrack works pretty well on virtual machines, for example with disk images created with "dd" and mounted using LiveView.

For those of you who want to go further, there are "rainbow tables" available for download more or less freely on the Internet, improving the performance of password recovery. Be careful, those tables can weigh a couple of gigabytes. You can also create them yourself (e.g. using RainbowCrack), using a VERY powerful computer and a few months of calculation...

Ophcrack is a precious tool during searches, where Windows XP or 7 are often met.

Advice to newbie IT admins: block the "Boot on CD" mode on the desktop systems you are managing...

1) The eldest, the one that will give you the geeky beard : crack

Crack is a program that searches for passwords based on dictionary words found in flat files. I owe this software my best collection of "dictionaries", the word meaning here "list of words" (with no definition). I have dictionaries of words in a large number of languages, dictionaries of words written in phonetic alphabet, some rules of coding/decoding SMS language (1to for into), etc. I also gathered, when they became available on the Internet, all the password files from anonymous users (sometimes millions)...

As I've said before, it's the first program I used in the context of my network's security, to validate the passwords chosen by the students. Let me say here that I am moderately bearded. 20% of the students' passwords were found in less than 5 min, 80% in less than 1 hour. I displayed in the corridor of the lab the password list in order of discovery (without the associated account), with the formal order for the students to change their passwords... The old days ;-)

Crack is a tool created for and working in UNIX. The "Troll" category of the FAQ has details about this. For those who have a bit more time, read the most curious emails sent to the developer of crack.

It's an educational tool, which can still be useful, even if I have to admit I haven't used it for a long time.

2) The must-have: John The Ripper

John The Ripper (JTR) is one of the best-known tools in the world of password cracking. While being a bit old now, it evolved to use different methods.

It has the big advantage of working in multiple environments: Windows, Linux, Mac OS, etc. It is also a dictionary based tool.

I tell here the story of this software being present on the workstation of an employee having his boss' password in a textfile...

3) The remote multi-protocol attack: Hydra

If you have to audit a bundle of servers, workstations, protocols, services, remote stuff, or even a single computer, without moving from your chair, here is what you need: THC-Hydra.

I copy/paste here the description of the product coming from the manual:
THC-Hydra is a very fast (multi-threaded) network logon cracker which supports many different services: afp, cisco, cisco-enable, cvs, firebird, ftp, http-get, http-head, http-proxy, https-get, https-head, https-form-get, https-form-post, icq, imap, imap-ntlm, ldap2, ldap3, mssql, mysql, ncp, nntp, oracle-listener, pcanywhere, pcnfs, pop3, pop3-ntlm, postgres, rexec, rlogin, rsh, sapr3, sip, smb, smbnt, smtp-auth, smtp-auth-ntlm, snmp, socks5, ssh2, svn, teamspeak, telnet, vmauthd, vnc.

This software has two ways of working: brute-force attack or dictionary-based. By the way, don't forget the lesser-known features of the network Swiss-army-knife tool: nmap and its brute-force capabilities.

4) The forgotten BIOS password: PC CMOS Cleaner

Everything is in the title. Here again, a liveCD to download to boot on. Quick, efficient, but modifies the sealed computer, so forbidden.

Another way, the old method of "removing the BIOS battery" still works, but you need to know where to find it, especially on laptops. Again, forbidden if working on a seal.

5) Efficient but slow: emails

The best of all methods is based on a simple observation I often make: the vast majority of people only use one or two passwords for all the authentication systems they face.

It is highly probable that the user of the computer chose his "default" password to sign up on any shopping, webmail or download website. Amongst all those sites, it is frequent that at least one of them will send the signup password in CLEAR TEXT in an email.

You just have to analyse email accounts (Outlook, Thunderbird, log traces of browsers, etc), to find emails saying "your password is ZorroFromHell, thank you for not deleting this email" (yes, thank you indeed). When you list the passwords you found using this method, you rarely have more than 3 or 4. You only have to test them on the targeted account to find the one.

This is basic social engineering...


The privacy lover that I am will start with a piece of advice on passwords: choose them so that they can't appear in a password list, and make them long enough so that they can resist a brute-force attack. I usually give the example of the first letters of a song or a poem, with a mix of upper-case and lower-case letters. E.g.: LsLdvdLBmCdULm, to which you can add some numbers (upper-case, of course...): LsLdvdL1844BmCdULm1896. It's nice, it's long, it's good, it's hard to guess when watching you type on the keyboard (unless you're singing).

Be careful though, it's not unbreakable (cf. first point on Ophcrack and the CD-ROM boot).

Then, another piece of advice, a bit more painful: use a different password for every account you have. Ten accounts, ten passwords. 50 accounts, 50 passwords. One for Twitter, another for Facebook, another for Gmail, etc. Of course, human nature is made in a way that the memorization of all those passwords becomes complicated. I would recommend software such as Keepass to store them securely. This software is even certified by the ANSSI, which means a lot. It can also generate long random passwords, with the option of copy/pasting them, which leads to not even knowing your own passwords.

So you only have to remember one password, which you will never write down: the one that opens the Keepass database. Moreover, this software is double authentication based (file + password). You can even upload it on the cloud to have access from anywhere!
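The advice above (stay out of word lists, be long enough to resist brute force, never reuse a password) can be checked mechanically on accounts you are responsible for. This Python sketch is an added example, not part of the original post; the word list, the sample accounts and the 70-bit threshold are constructed assumptions.

```python
import math
import re
import string
from collections import defaultdict

# Constructed word list; a real audit loads full dictionaries and leaked lists.
SAMPLE_WORDLIST = {"zorro", "from", "hell", "password", "dragon", "soleil"}

# Constructed accounts (name -> password) standing in for an export you may audit.
SAMPLE_ACCOUNTS = {
    "webmail": "ZorroFromHell",
    "shop": "ZorroFromHell",
    "forum": "P@ssw0rd1",
    "wiki": "Xq7!b",
    "bank": "LsLdvdL1844BmCdULm1896",
}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def candidate_forms(password):
    """Normalised forms: lowercased, digits/symbols stripped from both ends, de-leeted."""
    lowered = password.lower()
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def splits_into_words(text, wordlist):
    """True if text is a concatenation of list words (word-break dynamic programming)."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in wordlist for start in range(end)
        )
    return reachable[len(text)]


def dictionary_derived(password, wordlist):
    """True if any normalised form is a list word or a chain of list words."""
    return any(splits_into_words(f, wordlist) for f in candidate_forms(password))


def brute_force_bits(password):
    """Upper bound on search space in bits: length * log2(size of the classes used).

    Only meaningful for passwords that are NOT dictionary-derived; characters
    outside printable ASCII are ignored, which keeps the estimate conservative.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(size) if size else 0.0


def audit(accounts, wordlist=SAMPLE_WORDLIST, min_bits=70):
    """Return {account: [findings]} with findings in dictionary / short / reused."""
    owners = defaultdict(list)
    for account, password in accounts.items():
        owners[password].append(account)
    report = {}
    for account, password in accounts.items():
        findings = []
        if dictionary_derived(password, wordlist):
            findings.append("dictionary")
        elif brute_force_bits(password) < min_bits:
            findings.append("short")
        if len(owners[password]) > 1:
            findings.append("reused")
        report[account] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS).items():
        bits = brute_force_bits(SAMPLE_ACCOUNTS[account])
        print(f"{account:8s} {bits:6.1f} bits  {', '.join(findings) or 'ok'}")
```

Note that "ZorroFromHell" scores about 74 bits on length alone and would pass a pure length rule; it is the word-list check that rejects it.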

Password cracking is a fun activity, a small technical challenge accessible to anyone. It is a bit harder for some students to remember that this technical challenge and knowledge must remain on the light side of the Force. No matter what: sit vis vobiscum!

Translation by Wobak
Photo credit xkcd



Increasingly, we are using devices that can track our travels with full knowledge, but also, at times, without realizing it.

I recently discovered in an article that some GPS road traffic information systems use the fact that, even when in standby mode, our mobile phones still receive a signal from the network terminals. A freak accumulation of phones on a road therefore indicates a traffic jam, the information can thus be relayed to those who subscribed to the traffic warning systems. Unknowingly, you contribute to those running systems.

In an organized crime case, it was ordered that a forensic examination be made on the GPS system of one of the cars that had been seized. Here is the account.

Some sophisticated cars have a GPS integrated system. The GPS in question includes a hard disk. Since the GSE's have sealed this hard disk, I was left here with an unusual analysis. I contacted the magistrate in charge of the case. The latter reassured me, he had sufficient evidence at his disposal. The examination was required in addition, just in case... I was left then with a hard disk to be analyzed, but without the detailed instructions, if I may say so.

My initial reaction was to make a bit-by-bit copy of the hard disk, by using the tools I needed for my other forensic examinations : a write blocker, the creation of an accurate digital image (taking into account any bad sectors on the disk) and its analysis. But here's the thing, a proprietary format that was not recognized by my analysis tools was used to format the disk. At my level, no analysis whatsoever could be performed... and I hadn't any worthwhile information at that moment.

I started my afternoon with phone calls. First I got through to the police officer for more details on the GPS brand and model. I also called the French distributor, the German subcontractor, and the ''Europe'' distributor. After spending much time waiting for the on-hold music, calling back because of meetings, and secretariat filters, I reached the door opener that every forensic scientist knows well (as does anyone who calls for help support): a technically competent person at the other end of the phone.

After several days of negotiations, explanations, and e-mail exchanges, we agreed to the following procedure: I would personally bring the hard disk to the technical Parisian structure so that it could be analyzed in my presence via a special internal procedure specific to the manufacturer. Under conditions of confidentiality.

On D day, I found myself in a small suburban area, and was greeted by a careful technician. I described to him the conditions under which I would like the operation to be carried out, I gave him my write blocker and my hard disk. He put everything into a proprietary analysis system that did the complete reading of the hard disk data. He explained to me that the embedded GPS performs approximately one measure per second and stores it on the hard disk regarded then as an endless tape. I came out of that place with an Excel file containing all the measures (and of course the hard disk was sealed again).

I was just back home with a set of GPS coordinates that were converted to decimal degrees WGS84 (World Geodetic System 1984) and a list of valuable advice provided by the technician ''always use caution when converting if you intend to use maps so as to place points on it.''

It is indeed quite a challenge to move from those coordinates to my usual LAMBERT coordinates (used in spelunking with the military IGN maps) in sexagesimal format (base 60).

So I thought of using Google Earth that uses a simple cylindrical projection with a WGS84 datum for its imagery base. As a result, I was able to set the points from my Excel file on a map (after many attempts, I admit it). I was also able to track the movements of the car in question, as well as its prolonged stops at some addresses. The addresses proved to be those of the alleged accomplices, supposedly unknown to the car user.

Since Google Earth is not an expertise software (read the terms of use) and does not ensure the accuracy of the deferred points, I carried out several tests with my IGN maps to check if I was not making a mistake. I submitted a full report detailing my method and the addresses of the identified stop points. The magistrate who was on the phone looked satisfied with my job. Unfortunately I don't know the follow-ups to my case, having been ''expelled'' from the procedure as soon as my report was submitted.
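The stop-point analysis described above can be reproduced on any log of timestamped WGS84 fixes. The following Python sketch is an added example, not the tool used in this case: it finds prolonged stops in a roughly 1 Hz track and renders coordinates in sexagesimal form. The 50 m radius, the 10-minute threshold and the sample track are constructed assumptions, and the projection to Lambert coordinates is not covered.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_M = 6_371_000  # mean radius; adequate over a few hundred metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 decimal-degree points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def to_dms(value, is_latitude):
    """Decimal degrees -> sexagesimal string, e.g. 48°51'58.32"N.

    Works in integer hundredths of an arc-second so that rounding can never
    produce 60.00 seconds or 60 minutes.
    """
    hemi = ("N" if value >= 0 else "S") if is_latitude else ("E" if value >= 0 else "W")
    total = round(abs(value) * 3600 * 100)
    degrees, rest = divmod(total, 360_000)
    minutes, centisec = divmod(rest, 6_000)
    return f"{degrees}°{minutes:02d}'{centisec / 100:05.2f}\"{hemi}"


def find_stops(fixes, radius_m=50.0, min_duration=timedelta(minutes=10)):
    """Return stops found in fixes, an iterable of (datetime, lat, lon).

    A stop is a run of consecutive fixes that all lie within radius_m of the
    first fix of the run and span at least min_duration. Duration is taken
    from timestamps, not from the number of fixes, so a gap in the log
    (unit powered off while parked) still counts as a stop.
    """
    fixes = sorted(fixes)  # an "endless tape" dump may not be in time order
    stops, i = [], 0
    while i < len(fixes):
        t0, lat0, lon0 = fixes[i]
        j = i + 1
        while j < len(fixes) and haversine_m(lat0, lon0, fixes[j][1], fixes[j][2]) <= radius_m:
            j += 1
        if fixes[j - 1][0] - t0 >= min_duration:
            window = fixes[i:j]
            stops.append({
                "start": t0,
                "end": fixes[j - 1][0],
                "lat": sum(f[1] for f in window) / len(window),
                "lon": sum(f[2] for f in window) / len(window),
            })
            i = j  # resume after the stop
        else:
            i += 1
    return stops


def sample_track():
    """Constructed 1 Hz log: 2 min driving north, 15 min parked, 1 min driving."""
    t0 = datetime(2011, 4, 1, 8, 0, 0)
    step = 0.000135  # degrees of latitude per second, about 15 m/s
    park_lat, lon = 48.8662, 2.3500
    fixes = []
    for k in range(120):
        fixes.append((t0 + timedelta(seconds=k), park_lat - step * (120 - k), lon))
    for s in range(900):
        jitter = 0.00002 if s % 2 == 0 else -0.00002  # about 2 m of receiver noise
        fixes.append((t0 + timedelta(seconds=120 + s), park_lat + jitter, lon))
    for k in range(1, 61):
        fixes.append((t0 + timedelta(seconds=1019 + k), park_lat + step * k, lon))
    return fixes


if __name__ == "__main__":
    for stop in find_stops(sample_track()):
        print(stop["start"], "->", stop["end"],
              to_dms(stop["lat"], True), to_dms(stop["lon"], False))
```

Each reported stop is a lead to verify against a reference map, as the next paragraph of the account does, not a finding in itself.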

But since then, I see neither my phone nor my TomTom device in the same way...

Translation by Kevin Oheix
Photo credit xkcd

The original note is here: http://zythom.blogspot.fr/2011/04/gps.html


I’m too weak

I’m fascinated by her look of infinite sadness, despite her fake smile. The face of this little girl is filled, eaten up by her two big brown eyes. I have her face on dozens of photos, taken from different angles. Sometimes she looks at the lens, sometimes she stares into emptiness. The hardest is when her eyes dive into mine.

In every picture of her, a man’s sex. Close to her face, in her mouth or in her hands. Without being a doctor, I think she is five or six years old. I’m fully into a forensic assessment on child pornography photos.

I’m alone in my office, at home, door closed, with my children forbidden to disturb me. I hear them pass near the window laughing. The sun is shining, it’s a beautiful spring weekend.

New photo, always of her. Her big eyes obsess me. Her little naked body seems so fragile that we want to protect her, to go through the screen to prevent this man from approaching her, from hurting her, from raping her. But I’m powerless to act, I can only watch and take notes for my report.

I’m ashamed of my weakness, of my reactions, of my sensibility. So many people work in difficult conditions: doctors, firemen, “gendarme”, policemen, etc. But they help each other, talk to each other, share, evacuate in words all of the horrors they are next to.

Me, I’m alone. I don’t have any training to manage what I feel, what I see. I’m a simple IT person who helps the justice system. I only have this blog.

Next photo. It has been three hours now that my brain has been absorbing those photos; I’m inventorying them. I’m taking a break, closing my eyes. Why can’t I contain my tears? I am a human being, I consider nothing that is human alien to me (https://en.wikipedia.org/wiki/Terence).
I’m a weakling.

I return to my investigations, a little apathetic. Nothing forces me to spend as much time on each photo. I accelerate the visualization. Other girls, other faces, other ages, other men, so many positions.

It’s late, the night is advanced. I finish my report, I write the annexes, burn the DVDs. To make easier the reading of the paper report by the “OPJ”, court recorders and magistrates, I avoid illustrations, I reject them at the end of the report, enclosed.
I chose some photos among the most significant. I chose those where this children looks the camera with her big sad eyes, with in her mouth that man’s sex as large as her head.

I still have this picture in my head.
I’ve to manage my emotions.
Other experts are able to do that.
I’m too weak.

Translation by TearsOfSky.
Photo credit chilloutpoint.com

The original note is here: http://zythom.blogspot.fr/2013/09/je-suis-trop-faible.html


The hospital complex

Assigned to (yet another) pedophilia case, I was given instructions to “provide [the examining magistrate] with a list of all e-mail addresses found on the hard drive belonging to sealed exhibit X.” 

“Stick to the assignment, the whole assignment, and nothing but the assignment,” my major professor had always told me.

After several hours of research with the help of specialized open source search tools, I was able to bring up a set of e-mails which I then proceeded to analyze: X had written to Y, whose response was copied to Z, etc. On my notepad, a communication network had begun to emerge...two, in fact. One contained exchanges which included certain pedophilia-themed e-mails; the other was a set of e-mails discussing medical topics.

Doctors? Involved in a pedophile ring? But then why the two separate networks?

I took a closer look at the dates of both the current and deleted files on the hard drive. Further analysis, assisted by police findings, revealed that the computer had begun its trajectory in a hospital and was then sold second-hand, eventually winding up in the possession of a pedophile. Of course, the data that had been deleted before the computer was sold was still on the hard drive.

I had almost included in my report people with no relation whatsoever to the case.

But what about “the assignment, the whole assignment, and nothing but the assignment?” Mine had been fairly clear: to provide a list of ALL e-mail addresses found on the hard drive.

I consulted the examining magistrate, who left it up to me: follow the assignment strictly or go out on a limb and report my findings selectively.

So I took a risk and made the executive decision to include only the first set of e-mail addresses. The Outreau Affair never ceases to haunt.

Still, whenever I think back on it, I feel a shiver in my spine – perhaps from lingering perspiration.

Translation by Jennifer.
Photo credit Australian Childhood Foundation

The original note is here: http://zythom.blogspot.fr/2007/03/un-rseau-bien-hospitalier.html


Filling up on pr0n

Doug's PC is full of pornographic pictures and movies. The problem is, this computer is sitting at a desk at the REKALL company for which Doug works. Well, it was sitting on this desk, because right now it sits on mine, under seal, while Doug and REKALL are arguing in court about wrongful termination.

But let us go back in time.

Doug works every day on his professional desktop computer, like many employees of the REKALL company. From time to time, he complains about how slow his PC has become, but don't we all... The fact is, his computer is not in its prime any more, and renewal investments seem to have a hard time reaching Doug. But today, his computer seems done for: he cannot make it run any more, or restart it. Therefore, he calls upon REKALL's IT service.

The IT service sends out a technician who witnesses the reality of the issue. After some magical passes, the technician notes that the hard drive is full, which causes the malfunction of the operating system. Some time later, the technician discovers the presence of a folder filled with pornographic files. This is the start of Doug's troubles with the REKALL company: preliminary interview, suspension, then termination.

All along the procedure, Doug denies that he downloaded or placed the pornographic files. The REKALL company does not believe a word of it, and everyone ends up before a judge.

A court expert is picked, and given the mission to analyze the hard drive, to find and list any pornographic files present on it and establish their origin. So here I am, with the computer assigned to Doug by REKALL sitting on my desk, neatly wrapped and sealed. That week end looks good...

I break the seal, unwrap the computer and start investigating.

My method is always the same: I record on a paper notebook every operation that I perform, I check for physical presence of all possible data storage devices (CD-ROMs in readers, USB keys, SSD drives, hard drives, etc.), I take pictures before opening, record the presence of dust, the state of jumpers if any, the location of ribbon cables... In the present case, the technical file seems simple enough: a single hard drive is connected to the motherboard. I extract it, proceeding with caution.

Then I turn the computer on and inspect the BIOS settings, recording the shift between the computer clock and the phone company's speaking clock. A computer's BIOS can sometimes reveal interesting clues. Here, nothing noticeable.

I connect the hard drive to my imaging PC, behind a write blocker. Then I carry out the image copy as such, as described here. My personal NAS takes the whole night to fill, bit by bit, with an image of about 500 GB, a faithful replica of the original hard drive. The morning after, I put the drive back into its original PC, but only after I have photographed it and recorded all its characteristics (serial number, make, model, etc.) on my small paper notebook. I promise, in a few years, I'll buy an inker, a Hughes nib and the dip pen from my childhood.

I analyze the content of the hard drive and, not surprisingly, I find a directory named "nvrzkflg" which contains several hundreds of gigabytes of pornographic pictures and movies. There I go, with my study's door closed, diving into what is indeed not a study about prostitution. I'm filling up on pr0n...

The files seem to be organized by theme, from the most classical to the most exotic, but some technical details get my attention. The general storage organization is rather curious, with one-character directory names. And videos are in every language, sometimes with subtitles, in every language too. I record this on my notepad.

After a few hours spent sorting files out, I set forth working on the origin of the files. Did Doug abuse his Internet access, knowing that anyway, Internet is for porn?

I check the browsing clues left in the various caches located on the hard disk: nothing inappropriate. Granted, Doug did some personal shopping on online sites, but nothing related to my missions. I look for hints that compressed archives (zip, etc.) were extracted, typical of mass file manipulation, but there too, nothing conclusive: only documents from the REKALL company.

I then boot up the hard drive image in a virtual machine and start analyzing it with several up-to-date antivirus. Bingo! The machine is infected... A Google search informs me that the infector in question is a bot from a storage cloud. In other words, the infected PC's hard drive is linked to a group of other computers (control servers and other infected PCs) which form a great storage area at the disposal of one or more persons. In the present case, the storage area seems devoted to pornography.

To validate my hypothesis, I connect my sandbox, where the virtual machine is running, to the Internet, right after I've started a good network traffic analyzer.

I must say it was quite fascinating to see my little virtual machine being contacted from a computer which I traced back to Taiwan (certainly an infected machine too) and receiving commands to execute in order to get itself up to date and fill up on pr0n.

My report was clear (as always) on the question: Doug could be exonerated. Who was responsible for his disagreeable situation? The antivirus, ineffective and not up to date?

The IT service? Luckily, I had not been asked that question. Anyway, since then, I keep a keener eye on antivirus updates in my company, and on suspicious behaviors in our computer equipment. In an engineering school, that is not always easy.

But above all, I never accuse a user just because of what I can find on his workstation.

Translation by Albert ARIBAUD, checked by PrometheeFeu (thx to Clem).
Photo credit stupiditiz.com

The original note is here: http://zythom.blogspot.fr/2012/04/le-plein-de-pr0n.html


After death… Nothing. Only nothing.

The facts:
A woman was found hanged.
Her husband had been away that evening.
Based on the first evidence the investigators suggested that she had committed suicide.
The husband refuses to believe the conclusions and insists that his wife’s murder must have been concealed as a suicide. He submits as evidence the absence of a letter from the victim though she used to spend much time on the computer.
Could it be that the computer would contain useful information that could steer the investigation in one direction or another?
The judge orders a forensic analysis of the computer.

Output from the forensic analysis:
In this type of assignment, what are we looking for? Documents? E-mails? Images?
I went through the entire content of the hard drive.
I read all e-mails, sent or received, archived or deleted.
I visited the whole browsing history.
I studied every picture, stored and deleted.
I read all documents whatever the format.
I queried for every possible relevant keyword.
I spent more than a hundred hours in her intimacy, until I knew her like a friend.
And yet….

Nothing. Only nothing.
Not a single reference to suicide.
Not a single reference to any enmity.
The computer was switched off ordinarily two hours before the death. And I cannot say by whom.

When I think of it I can still sense her presence, mocking my inability to reveal the truth. I feel the husband who asks me questions that I cannot answer. I can sense the judge who wishes he could read something other than “I did not find anything” from my inquiries report.

That’s much contact from people I’ve never met.

The conclusion:
I charged the court ten hours of work.
I never learned what became of this case (Court experts are never told, [Translator’s note: they are kicked out of the process as soon as they have delivered their report])
I often think of it: Suicide or murder?
What help am I if the computer only contains casual stuff?

PS: Ages, genders and links between the characters have been changed. Only the story and my dissatisfaction remain. This woman’s life still haunts me. Her death as well.

This article echoes this second article that I have written in a different manner.

Translation by No One, checked by PrometheeFeu.
Photo credit unspeakable.org

The original note is here: http://zythom.blogspot.fr/2007/10/aprs-la-mort-le-nant.html


Seeking the truth

I delve into the contents of a computer, looking for the truth. So far the woman who owns this computer seems to lead a normal life.

The analysis of her web browsing history reveals various interests: chat rooms about politics, cooking, children and sports. Online shopping websites are mixed in with local and national news websites. A few online dating sites could lead one to believe she was not fully satisfied by her marital life or more likely that she played with her erotic fantasies. I’m not a psychological expert.

Reading her emails seems more relevant: she’s got several webmail accounts besides the one furnished by her Internet service provider. Three accounts actually. The first one she uses to talk with her family and friends. The second one seems to be used only when buying online. The third one is the same as her Internet pseudonym.

She seems to lead a normal and happy life with the ups and downs everybody goes through.

There are also digital photos, neatly sorted by year or event. Among them I discover weddings, the children, the family, the holidays.

My mission requires me to look at every document, to read every email, to open every document. I am required to look for all deleted files, to reconstruct the whole recent activity of this woman.

According to her husband, only she used the family computer. She spent an hour a day on it, no more, except on Sundays when she could surf the web for several hours while her husband was tinkering in the garage or in the house, was gardening or repairing the car. She was a geek even before the word became fashionable.

Instant messaging conversations are often personal and written concisely as appropriate to the tool. They deal with the weather, everyday life, work or the moods of the moment…

As usual I don’t feel comfortable. I don’t like prying into somebody’s private life without their consent. It’s something I loathe doing. I like privacy and I like it to be respected.

However the mission I’ve been given requires me to look for the truth.

So I search the hard disk and I dig out an unbelievable quantity of piled, arrayed, stacked and deleted data. I find administrative mail, certificates and bank statements; emails of all kinds, spam, chain letters, jokes, Christmas invitations and confidential talks with friends of both genders.

It’s getting late. I’ve been working on this case for several weeks, a little bit longer every night. This woman is becoming less and less a stranger to me as I get to know her habits, verbal tics, emotions, phobias, passions and little ways… I’m tired and I start confusing Internet commands with dating websites pop-ups, spams for magic pills, party invitations and unpaid bills.

I’ve been looking for the truth, searching into her computer for more than a hundred hours.

I’m doing this to find out why this woman died, hanged, two hours after her computer was switched off.

I’m doing this so that her husband can find out, so that the investigating magistrate can find out, so that her children can find out.

So that I can find out whether her death was a suicide or a crime.

I never found out.

Translation by Clem, checked by PrometheeFeu.
Photo credit Koscum

The original note is here: http://zythom.blogspot.fr/2012/06/je-cherche-la-verite.html


Just a Regular Weekend

She is dressed in colorful clothes and is running along a dirt road. Several people are running with her. The video quality is not very good. It is difficult to identify what the people are holding in their hands.

The videographer zooms in awkwardly.

The woman comes into focus before me, a simple viewer watching a computer screen, and I see that the people running with her are men, armed with machetes, chasing her.

One of them catches up to her and plants his machete into her skull.

The woman's eyes bulge as she falls, screaming. This video has no sound but her cry jumps out at me. The man repeats his gesture, shattering her skull.

Pieces of brains scatter on the road, while the remaining pursuers catch up.

They laugh.

And I, despite my ten years of experience as a legal expert, I cry.

I endured this sequence while examining the contents of a hard drive kept under seal. As is customary, I was commissioned by the magistrate to analyze the hard drive in search of images and movies containing child pornography. And as usual, I view a large number of images and films, among which there are a large number of pornographic images and movies, of which some could be child porn... as well as this clip, probably filmed during the massacres in Rwanda.

And I have to carefully view each and every film and image to do my due diligence.

Those who think that violence on TV shows or movies trivializes real violence are making a mistake. A movie like "The Silence of the Lambs," "Hannibal," "Alien", or any other slasher movie, sends shivers up my spine, but everything is false. It is always "just a movie". Even when it is based on a true story, the viewer knows it is staged.

But when you sense it is true, that the images are real, it's very different. You are witnessing the violent death of a person and are not prepared. Can one even be prepared for such a thing? Even the first 20 minutes of "Saving Private Ryan" did not prepare me for that, though they shook me.

I quickly scanned over the rest of the video to make sure that no child pornography had been inserted in the middle of the massacre scenes. There was none and I found none elsewhere on that disk, just pornography. This video of massacres was in a file labelled with the name of a pornographic film.

But this scene will remain etched in my mind.

Prime Minister Michel Rocard said that "France cannot accommodate all the misery of the world, but we must learn to do our part". I certainly had my share for that weekend.

It was just a regular weekend for a small provincial court expert.

Translation by P., checked by PrometheeFeu.
Photo credit darkroastedblend.com

The original note is here: http://zythom.blogspot.com/2009/09/un-petit-week-end.html



Manon is thirteen. She works well in school, where she has many friends. She plays, she laughs like many children her age.

Her parents love her, pay attention to her education, buy her things, but not all she asks for. Well, she does have a cell phone like everyone else and a computer in her room. But they are careful not to let her have a TV in her room.

Manon loves to chat with friends at night on her computer. She is internet savvy and knows all the stuff like lol, smileys and emoticons. She uses Windows Live Messenger to easily follow a dozen simultaneous conversations. She has a webcam she uses from time to time when her friends have one. Her nickname is manon13from31 because she is 13 and she lives in Haute-Garonne (31st French county), and it's funny because 31 is 13 backwards.

Manon also uses the Windows Mail system to send her friends all the texts she finds fun. Her father does not like that, he calls that "chain-mails", but she finds it so funny. And isn't it true: if you do not forward the email to 15 people, you might not know who is in love with you the next day. And that's too important to miss out on. Of course, the parents cannot understand, they are too old. Her love is for Killian. But he isn't quite ready to kiss her yet.

Manon subscribes to several websites: the one where you can play with virtual animals, the one where her friends discuss the latest celebrity gossip. And of course, Manon has a blog where she puts online photographs of herself and her friends. But she changes often, because her father does not like her publicizing her life on the internet. He does not want her to open a Facebook account, and she thinks that sucks because Cindy, the popular girl at school, already has one. She regularly creates a new blog with a new nickname: manon13_from31, manonfrom31_13, manonLOL1331, manonXX13_31 ... She even created a blog cindy13from31 where she put a photo of Bob in the pool. Bob is the dumbest guy of the school, haha.

One evening, Manon speaks with her friends on Messenger. For several weeks, she has been nibbling a few extra minutes from her parents who want her to go to bed early. Gradually, she managed to stay later, and now she is the last to disconnect. She is currently chatting with her new girlfriend Celia, who is really nice and who she has known for a month.

What Manon did not realize was that this girl is a boy. A 20-year-old man.

What Manon did not realize was that every time she used her webcam, her "girlfriend" recorded sequences. It was a pity they couldn't chat live because "her girlfriend"'s webcam was always defective.
What Manon did not realize was that the sequence where she goofs around in her room in ridiculous pajamas had been recorded by "Celia".

And now the boy threatens to put it on YouTube! He tunes in on his perfectly functioning webcam, and she hears him speak clearly. He tells her that if she does not do what he wants, he will broadcast the video on YouTube...

So she does what he asks.
And he records.
And he records himself.
And she has to watch.

What Manon did not realize was that a police officer would also look at the videos, and a court too.
What she did not realize was that a computer forensic expert would look at all the videos, even those "Celia" had deleted, every chat, and all her emails, and all her pictures, and all her blogs.

What she did not realize was that her parents would have to see all this as well.

In fact, Manon, 13, from 31, did not know much.
But now she feels wrong.


Name, age and department have been changed.
Translation by P., checked by PrometheeFeu.

The original note is here: http://zythom.blogspot.com/2009/11/manon13.html
Photo credit: Series Cold Case.

Starting point

I work occasionally as a computer forensic investigator.
Since 2006 I've been writing some stories on Zythom's French blog about French justice.
I have decided to try my best to translate some of these stories into English.