7/31/2013

Filling up on pr0n

Doug's PC is full of pornographic pictures and movies. The problem is, this computer is sitting at a desk at the REKALL company for which Doug works. Well, it was sitting on this desk, because right now it sits on mine, under seal, while Doug and REKALL are arguing in court about wrongful termination.

But let us go back in time.

Doug works every day on his professional desktop computer, like many employees of the REKALL company. From time to time, he complains about how slow his PC has become, but don't we all... The fact is, his computer is not in its prime any more, and renewal investments seem to have a hard time reaching Doug. But today, his computer seems done for: he cannot make it run any more, or restart it. Therefore, he calls upon REKALL's IT service.

The IT service sends out a technician who witnesses the reality of the issue. After some magical passes, the technician notes that the hard drive is full, which causes the malfunction of the operating system. Some time later, the technician discovers the presence of a folder filled with pornographic files. This is the start of Doug's troubles with the REKALL company: preliminary interview, suspension, then termination.

All along the procedure, Doug denies that he downloaded or placed the pornographic files. The REKALL company does not believe a word of it, and everyone ends up before a judge.

A court expert is picked, and given the mission to analyze the hard drive, to find and list any pornographic files present on it and establish their origin. So here I am, with the computer assigned to Doug by REKALL sitting on my desk, neatly wrapped and sealed. That weekend looks good...

I break the seal, unwrap the computer and start investigating.

My method is always the same: I record in a paper notebook every operation that I perform, I check for the physical presence of all possible data storage devices (CD-ROMs in drives, USB keys, SSD drives, hard drives, etc.), I take pictures before opening, record the presence of dust, the state of jumpers if any, the location of ribbon cables... In the present case, the technical side seems simple enough: a single hard drive is connected to the motherboard. I extract it, proceeding with caution.

Then I turn the computer on and inspect the BIOS settings, recording the offset between the computer clock and the phone company's speaking clock. A computer's BIOS can sometimes reveal interesting clues. Here, nothing noticeable.

I connect the hard drive to my imaging PC, behind a write blocker. Then I carry out the image copy itself, as described here. My personal NAS takes the whole night to fill, bit by bit, with an image of about 500 GB, a faithful replica of the original hard drive. The morning after, I put the drive back into its original PC, but only after I have photographed it and recorded all its characteristics (serial number, make, model, etc.) in my small paper notebook. I promise, in a few years, I'll buy an inker, a Hughes nib and the dip pen from my childhood.
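The acquisition steps above (a read-only copy taken behind a write blocker, proven to be a faithful replica, with every step written down as in the paper notebook), as an added shell example that is not the author's own tooling. It assumes a Linux imaging host with dd and sha256sum (shasum as fallback), and a constructed file stands in for the sealed drive.

```shell
#!/bin/sh
# Added example, not the author's own tooling: acquire a drive image and prove it
# is a faithful replica by hashing source and image, logging every step the way
# the paper notebook does. The write blocker is hardware in front of the source;
# this script only ever reads from it.
set -eu

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# SHA-256 of a file, using whichever tool the imaging host provides
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify SRC IMG LOG: 0 when the image hash equals the source hash, 1 otherwise
verify() {
    s=$(hash_of "$1"); i=$(hash_of "$2")
    printf '%s sha256 source=%s\n%s sha256 image=%s\n' "$(stamp)" "$s" "$(stamp)" "$i" >> "$3"
    if [ "$s" = "$i" ]; then
        printf '%s VERIFIED image matches source\n' "$(stamp)" | tee -a "$3"
    else
        printf '%s MISMATCH image differs from source\n' "$(stamp)" | tee -a "$3" >&2
        return 1
    fi
}

# acquire SRC IMG LOG: bit-for-bit copy, then verification
acquire() {
    printf '%s acquisition start source=%s image=%s\n' "$(stamp)" "$1" "$2" >> "$3"
    # noerror keeps reading past unreadable sectors; sync zero-fills them so the
    # image keeps the source's offsets. Padding only touches a partial last
    # block, which a real drive (whole sectors) never has.
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
    verify "$1" "$2" "$3"
}

# Constructed stand-in for the sealed drive: 8 whole blocks of random bytes,
# not a real device. Files are left in $WORK for inspection.
WORK=$(mktemp -d)
SRC="$WORK/evidence.raw"; IMG="$WORK/evidence.dd"; LOG="$WORK/notebook.log"
dd if=/dev/urandom of="$SRC" bs=4096 count=8 2>/dev/null
acquire "$SRC" "$IMG" "$LOG"
cat "$LOG"
```

On a real case the source would be the blocked device node (for example /dev/sdb) and the hashes would be copied into the notebook alongside the drive's serial number, make and model.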

I analyze the content of the hard drive and, not surprisingly, I find a directory named "nvrzkflg" which contains several hundred gigabytes of pornographic pictures and movies. There I go, with my study's door closed, diving into what is indeed not a study about prostitution. I'm filling up on pr0n...

The files seem to be organized by theme, from the most classical to the most exotic, but some technical details get my attention. The general storage organization is rather curious, with one-character directory names. And videos are in every language, sometimes with subtitles, in every language too. I record this on my notepad.

After a few hours spent sorting files out, I set forth working on the origin of the files. Did Doug abuse his Internet access, knowing that anyway, the Internet is for porn?

I check the browsing clues left in the various caches located on the hard disk: nothing inappropriate. Granted, Doug did some personal shopping on online sites, but nothing related to my mission. I look for hints that compressed archives (zip, etc.) were extracted, typical of mass file manipulation, but there too, nothing conclusive: only documents from the REKALL company.

I then boot up the hard drive image in a virtual machine and start analyzing it with several up-to-date antivirus products. Bingo! The machine is infected... A Google search informs me that the infector in question is a bot belonging to a storage cloud. In other words, the infected PC's hard drive is linked to a group of other computers (control servers and other infected PCs) which together form a large storage area at the disposal of one or more persons. In the present case, the storage area seems devoted to pornography.

To validate my hypothesis, I connect my sandbox, where the virtual machine is running, to the Internet, right after I've started a good network traffic analyzer.

I must say it was quite fascinating to see my little virtual machine being contacted from a computer which I traced back to Taiwan (certainly an infected machine too) and receiving commands to execute in order to get itself up to date and fill up on pr0n.

My report was clear (as always) on the question: Doug could be exonerated. Who was responsible for his disagreeable situation? The antivirus, ineffective and not up to date?

The IT service? Luckily, I had not been asked that question. Anyway, since then, I keep a keener eye on antivirus updates in my company, and on suspicious behaviors in our computer equipment. In an engineering school, that is not always easy.

But above all, I never accuse a user just because of what I can find on his workstation.

--------------------------------------
Translation by Albert ARIBAUD, checked by PrometheeFeu (thx to Clem).
Photo credit stupiditiz.com

The original note is here: http://zythom.blogspot.fr/2012/04/le-plein-de-pr0n.html

9/29/2012

After death… Nothing. Only nothing.

The facts:
A woman was found hanged.
Her husband had been away that evening.
Based on the first evidence the investigators suggested that she had committed suicide.
The husband refuses to believe the conclusions and insists that his wife's murder must have been disguised as a suicide. He submits as evidence the absence of a letter from the victim, though she used to spend much time on the computer.
Could the computer contain useful information that would steer the investigation in one direction or another?
The judge orders a forensic analysis of the computer.

Output from the forensic analysis:
In this type of assignment, what are we looking for? Documents? E-mails? Images?
I went through the entire content of the hard drive.
I read all e-mails, sent or received, archived or deleted.
I visited the whole browsing history.
I studied every picture, stored and deleted.
I read all documents whatever the format.
I queried for every possible relevant keyword.
I spent more than a hundred hours immersed in her private life, until I knew her like a friend.
And yet…

Nothing. Only nothing.
Not a single reference to suicide.
Not a single reference to any enmity.
The computer was switched off ordinarily two hours before the death. And I cannot say by whom.

When I think of it I can still sense her presence, mocking my inability to reveal the truth. I feel the husband who asks me questions that I cannot answer. I can sense the judge who wishes he could read something else than “I did not find anything” from my inquiries report.

That’s much contact from people I’ve never met.

The conclusion:
I charged the court ten hours of work.
I never learned what became of this case. (Court experts are never told. [Translator's note: they are kicked out of the process as soon as they have delivered their report.])
I often think of it: Suicide or murder?
What help am I if the computer only contains casual stuff?
Yet…

PS: Ages, genders and links between the characters have been changed. Only the story and my dissatisfaction remain. This woman’s life still haunts me. Her death as well.


This article echoes this second article that I have written in a different manner.

--------------------------------------
Translation by No One, checked by PrometheeFeu.
Photo credit unspeakable.org

The original note is here: http://zythom.blogspot.fr/2007/10/aprs-la-mort-le-nant.html

7/08/2012

Seeking the truth

I delve into the contents of a computer, looking for the truth. So far the woman who owns this computer seems to lead a normal life.

The analysis of her web browsing history reveals various interests: chat rooms about politics, cooking, children and sports. Online shopping websites are mixed in with local and national news websites. A few online dating sites could lead one to believe she was not fully satisfied with her marital life, or more likely that she played with her erotic fantasies. I'm not a psychology expert.

Reading her emails seems more relevant: she's got several webmail accounts besides the one provided by her Internet service provider. Three accounts, actually. The first one she uses to talk with her family and friends. The second one seems to be used only when buying online. The third one is the same as her Internet pseudonym.

She seems to lead a normal and happy life with the ups and downs everybody goes through.

There are also digital photos, neatly sorted by year or event. Among them I discover weddings, the children, the family, the holidays.

My mission requires me to look at every file, to read every email, to open every document. I am required to look for all deleted files, to reconstruct the whole recent activity of this woman.

According to her husband, only she used the family computer. She spent an hour a day on it, no more, except on Sundays when she could surf the web for several hours while her husband was tinkering in the garage or in the house, was gardening or repairing the car. She was a geek even before the word became fashionable.

Instant messaging conversations are often personal and written concisely as appropriate to the tool. They deal with the weather, everyday life, work or the moods of the moment…

As usual I don’t feel comfortable. I don’t like prying into somebody’s private life without their consent. It’s something I loathe doing. I like privacy and I like it to be respected.

However the mission I’ve been given requires me to look for the truth.

So I search the hard disk and I dig out an unbelievable quantity of piled, arrayed, stacked and deleted data. I find administrative mail, certificates and bank statements; emails of all kinds, spam, chain letters, jokes, Christmas invitations and confidential talks with friends of both genders.

It’s getting late. I’ve been working on this case for several weeks, a little bit longer every night. This woman is becoming less and less a stranger to me as I get to know her habits, verbal tics, emotions, phobias, passions and little ways… I’m tired and I start confusing online orders with dating-website pop-ups, spam for magic pills, party invitations and unpaid bills.

I’ve been looking for the truth, searching into her computer for more than a hundred hours.

I’m doing this to find out why this woman died, hanged, two hours after her computer was switched off.

I’m doing this so that her husband can find out, so that the investigating magistrate can find out, so that her children can find out.

So that I can find out whether her death was a suicide or a crime.

I never found out.


--------------------------------------------------
Translation by Clem, checked by PrometheeFeu.
Photo credit Koscum

The original note is here: http://zythom.blogspot.fr/2012/06/je-cherche-la-verite.html