7/31/2013

Filling up on pr0n

Doug's PC is full of pornographic pictures and movies. The problem is, this computer is sitting at a desk at the REKALL company for which Doug works. Well, it was sitting on this desk, because right now it sits on mine, under seal, while Doug and REKALL are arguing in court about wrongful termination.

But let us go back in time.

Doug works every day on his professional desktop computer, like many employees of the REKALL company. From time to time, he complains about how slow his PC has become, but don't we all... The fact is, his computer is not in its prime any more, and renewal investments seem to have a hard time reaching Doug. But today, his computer seems done for: he cannot make it run any more, or restart it. Therefore, he calls upon REKALL's IT service.

The IT service sends out a technician who witnesses the reality of the issue. After some magical passes, the technician notes that the hard drive is full, which causes the malfunction of the operating system. Some time later, the technician discovers the presence of a folder filled with pornographic files. This is the start of Doug's troubles with the REKALL company: preliminary interview, suspension, then termination.

All along the procedure, Doug denies that he downloaded or placed the pornographic files. The REKALL company does not believe a word of it, and everyone ends up before a judge.

A court expert is picked, and given the mission to analyze the hard drive, to find and list any pornographic files present on it and establish their origin. So here I am, with the computer assigned to Doug by REKALL sitting on my desk, neatly wrapped and sealed. That week end looks good...

I break the seal, unwrap the computer and start investigating.

My method is always the same: I record on a paper notebook every operation that I perform, I check for physical presence of all possible data storage devices (CD-ROMs in readers, USB keys, SSD drives, hard drivers, etc.), I take pictures before opening, record the presence of dust, the state of jumpers if any, the location of ribbon cables... In the present case, the technical file seems simple enough: a single hard drive is connected to the motherboard. I extract it, proceeding with caution.

Then I turn the computer on and inspect the BIOS settings, recording the shift between the computer clock and the phone company' speaking clock. A computer's BIOS can sometime reveal interesting clues. Here, nothing noticeable.

I connect the hard drive to my imaging PC, behind a write blocker. Then I carry out the image copy as such, as described here. My personal NAS takes the whole night to fill, bit by bit, with an image of about 500 GB, a faithful replica of the original hard drive. The morning after, I put the drive back into its original PC, but only after I have photographed it and recorded all its characteristics (serial number, make, model, etc.) on my small paper notebook. I promise, in a few years, I'll buy an inker, a Hughes nib and the dip pen from my childhood.

I analyze the content of the hard drive and, not surprisingly, I find a directory named "nvrzkflg" which contains several hundreds of gigabytes of pornographic pictures and movies. There I go, with my study's door closed, diving into what is indeed not a study about prostitution. I'm filling up on pr0n...

The files seem to be organized by theme, from the most classical to the most exotic, but some technical details get my attention. The general storage organization is rather curious, with one-character directory names. And videos are in every language, sometimes with subtitles, in every language too. I record this on my notepad.

After a few hours spent sorting files out, I set forth working on the origin of the files. Did Doug abuse his Internet access, knowing that anyway, Internet is for porn ?

I check the browsing clues left in the various caches located on the hard disk: nothing inappropriate. Granted, Doug did some personal shopping on online sites, but nothing related to my missions. I look for hints that compressed archived (zip, etc.) were extracted, typical of mass file manipulation, but there too, nothing conclusive: only documents from the REKALL company.

I then boot up the hard drive image in a virtual machine and start analyzing it with several up-to-date antivirus. Bingo! The machine is infected... A Google search informs me that the infector in question is a bot from a storage cloud. In other words, the infected PC's hard drive is linked to a group of other computers (control servers and other infected PCs) which form a great storage area at the disposal of one or more persons. In the present case, the storage area seems devoted to pornography.

To validate my hypothesis, I connect my sandbox, where the virtual machine is running, to the Internet, right after I've started a good network traffic analyzer.

I must say it was quite fascinating to see my little virtual machine being contacted from a computer which I traced back to Taiwan (certainly an infected machine too) and receiving commands to execute in order to get itself up to date and fill up on pr0n.

My report was clear (as always) on the question: Doug could be exonerated. Who was responsible for his disagreeable situation? The antivirus, ineffective and not up to date?

The IT service ? Luckily, I had not been asked that question. Anyway, since then, I keep a keener eye on antivirus updates in my company, and on suspicious behaviors in our computer equipment. In an engineering school, that is not always easy.

But above all, I never accuse a user just because of what I can find on his workstation.

--------------------------------------
Translation by Albert ARIBAUD, checked by PrometheeFeu (thx to Clem).
Photo credit stupiditiz.com

The original note is here: http://zythom.blogspot.fr/2012/04/le-plein-de-pr0n.html