@ksaj
Last active June 6, 2021 23:17
A few comparisons with what we discovered about Michael Ball yesterday
----------------------------------------------------------------------
by: KSAJ
In the early 2000s, digital forensics was a new sport, and I had a few forensics certs.
After what we just learned about @unix_guru, I thought I might talk about two cases I worked on that will give an idea what to expect going forward. They both had entirely different outcomes, and in both cases on behalf of the defense.
CASE#1: The officers received child pornography in an IRC (chat system) sting operation. This led to an arrest, and the officers found what they described as "the worst child pornography we've seen" and "toddler porn." Adding to the urgency, the suspect's wife was pregnant and expecting a daughter, and the charges were a clear threat to the family unit.
The defendant claimed that his system must have been infected by a virus, which just happens to be one of my two main areas of expertise, and the reason my services were retained. The judge initially accepted the claim, but followed that it was up to the defendant to prove that this is how the material got onto his system.
I was hired to write a report detailing if and how a computer virus could be used that might result in child pornography being deposited on and traded over IRC from a computer system. At the time, viruses were heading far more into the "back door" style trojan, so this was a plausible scenario, and my report framed it as such, with a list of current viruses and other malware that were capable of doing so.
The judge correctly decided that even though the defense was plausible, it was not sufficient to prove that this is what actually occurred. So I was re-engaged to do a forensic analysis of the system to turn a plausible alibi into usable evidence, for a second report.
The material was easy to find because it was all contained in a single directory tree, and the file names were very long and quite horrifying in their descriptive detail. This analysis found that the system did have web trackers on it, but none of them carried such mechanisms. The suspect was back at square one.
Then things got REALLY expensive for the suspect, because he convinced the judge that if I were to do a full examination, he would be exonerated. The judge agreed. He sold his truck to pay for the third report.
Since I was working for the defense, I had a very potent tool at my disposal: the suspect signed off on issues that would allow me to be far more targeted than a plaintiff would have been legally permitted. And I used it to make sure there was zero chance my results were implicating the wrong person. I actually wanted to be wrong, even if that would have made me look like less of an expert. If he was telling the truth, this would be clear. But the initial evidence clearly suggested otherwise. I stuck to the strict order of detailing what did happen - but with far more precision than anyone expected they would receive.
I demonstrated that his operating system had been re-installed twice, and both times, subsets of the material collection were included almost immediately. APTs didn't exist yet, so this was already quite an incriminating discovery. As well, after the first OS re-install, a GUI-based FTP client had been installed. I cracked its username / password file by installing the same software on a lab system and then copying over the credential file. Surprisingly, it worked. The user name matched the IRC user name, and the transfer logs were now cleartext within the FTP client. Note that this established either remote desktop or someone physically sitting in front of and operating the system, versus back door command-line activities which would have been far more likely in an external attack at the time. It also established how at least one subset of the material arrived on the system. That material was also found on the second re-installed system even though the FTP client was not, and gave me new search words. I imagine this new information expanded the sting operation, since it added a second relevant location that was previously unknown.
I also asked him for the working hours of everyone in his household, and plugged them into the timeline. All the material's MAC time info, and the transfer logs showed activity during times that the suspect was home, in about a 1 or 2 hour window before his wife returned home, and not on weekends when his son from a previous marriage was visiting.
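The timeline correlation described in the paragraph above, as an added example that is not part of the original write-up: each file-system MAC time and transfer-log entry is tagged with the set of household members who could have been at the keyboard, given each person's working hours. The schedules, timestamps and artefact names below are all constructed for illustration, not the case's real data.

```python
from collections import Counter
from datetime import datetime

# Constructed household schedule (hypothetical): each predicate says whether
# that person is at home at a given timestamp. Minutes since midnight are
# compared against a weekday "away at work" window; weekends differ per person.
def _minute_of_day(ts):
    return ts.hour * 60 + ts.minute

def suspect_home(ts):
    # Weekdays: away 08:00-16:30. Weekends: home.
    return not (ts.weekday() < 5 and 8 * 60 <= _minute_of_day(ts) < 16 * 60 + 30)

def wife_home(ts):
    # Weekdays: away 08:00-18:00. Weekends: home.
    return not (ts.weekday() < 5 and 8 * 60 <= _minute_of_day(ts) < 18 * 60)

def son_home(ts):
    # Visits only on weekends.
    return ts.weekday() >= 5

HOUSEHOLD = {"suspect": suspect_home, "wife": wife_home, "son": son_home}

# Constructed timeline events: (ISO timestamp, source, artefact). In a real
# examination "mac" rows come from the file-system listing and "ftp_log" rows
# from the recovered client transfer log.
EVENTS = [
    ("2003-03-11T16:55:00", "mac",     "file_0001 created"),    # Tue, suspect alone
    ("2003-03-11T17:20:00", "ftp_log", "GET file_0002"),        # Tue, suspect alone
    ("2003-03-12T17:05:00", "mac",     "file_0003 accessed"),   # Wed, suspect alone
    ("2003-03-12T19:10:00", "ftp_log", "GET file_0006"),        # Wed, wife also home
    ("2003-03-13T12:30:00", "mac",     "file_0004 modified"),   # Thu, nobody home
    ("2003-03-15T14:00:00", "mac",     "file_0005 accessed"),   # Sat, everyone home
]

def who_was_home(ts):
    """Set of household members whose schedule places them at home at ts."""
    return frozenset(p for p, home in HOUSEHOLD.items() if home(ts))

def attribute_events(events):
    """Return (timestamp, source, artefact, present) tuples ordered by time."""
    rows = []
    for iso, source, artefact in events:
        ts = datetime.fromisoformat(iso)
        rows.append((ts, source, artefact, who_was_home(ts)))
    return sorted(rows, key=lambda r: r[0])

def presence_summary(events):
    """Count events by the set of people who could have been present."""
    return Counter(present for _, _, _, present in attribute_events(events))

if __name__ == "__main__":
    for ts, source, artefact, present in attribute_events(EVENTS):
        print(ts.isoformat(), source, artefact, sorted(present) or ["nobody"])
    print(presence_summary(EVENTS))
```

An event landing in a window when nobody is home (file_0004 above) is exactly the kind of row that needs a second look, since it points at either an unattended process or a clock offset; the timestamps are taken at face value here, so the system clock and time zone must be verified before this attribution carries any weight.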
There were also several instances of the GUI-based IRC client installed and maintained over time, and I was able to carve out a few snippets of the log files and several private chats, which further established the local user name. In one of the private chats, a person offered the user access to their FTP server: the very one found in the FTP config and logs.
Even the current and deleted registry were filled with related activity that was entirely limited to the window between the suspect's and his wife's return from work. There was such a preponderance of evidence that it remains the thickest (and most horrific) report I've ever written on a single event. Because he had implicated errors in my work, I made sure to provide a detailed timeline of what images he viewed at what speed on the day before the search warrant was exercised. A lot of evidence is volatile, but recent last-time activities are pretty easy to recover. It was essentially "Came home from work. Emailed these two people. Then proceeded to look at the following list of images with this particular viewer, in the following order, at these exact times. The activity stops moments before his wife's arrival from work. The system was rebooted at the time of his wife's expected arrival. The system was booted one more time, and then unplugged the next day." I don't think anyone expects their wank fests to be detailed so overtly, or for it to be quoted aloud in a court of law.
I'd never been so nervous giving a results presentation (I even skipped the PowerPoint we consultants are so well known for), because the defendant was so adamant that I was wrong, and he had brought his pregnant wife to witness the presentation where he expected to be exonerated. Of course she was gobsmacked and spontaneously offered further evidence to corroborate the findings. She had caught him viewing the material around one of the times I specified in the report, but he had claimed to her the system was hacked, and subsequently reinstalled the OS to "get rid of it." Now everyone in the room was clear about what happened. He got up and yelled at me "I paid you to prove that I'm innocent!" and I responded "Don't make this worse. You hired me to give increasingly detailed reports of how these files got onto your system. I am so confident of these results I will not edit even one letter in this final report."
Only then did he finally admit guilt. He would have been found guilty by the second report anyway, but would not have lost his truck and everyone else's patience if he would have gone to court with it instead of hoping for an unlikely miracle in a third report. I took my leave at this point, because there surely was a lot of client-privilege discussion to be had.
Moral of the story: If you hire an expert to defend you, DO NOT LIE TO THEM and DO NOT EXPECT THEM TO LIE FOR YOU. Experts are hired to discover and present evidence, and are even required to prove that it has not been tampered with or falsified in any way while in your possession. You also can't pick one of your friends or colleagues - having no foot in the fight is a requirement to obtaining an unbiased report. One single error can invalidate the whole thing, and a purposeful one could result in the expert being criminally charged. Falsified evidence is something you will not be able to convince an expert to provide. And the actual evidence is hard to falsify anyway, since "the other side" is doing the same investigation you are, and every difference will be viewed under a microscope.
This spanned many months. It is surprising how slow the legal process is. But there are a lot of things going on in the background before a trial can even hope to begin. He inevitably pleaded guilty, and served weekends.
CASE#2: A lawyer reached out to me on behalf of a client who had taken their computer in for repairs. The technician found what they thought might be child pornography and immediately handed it over to the police. The system owner was in a church leadership position, and his claim was that at some point there was a rough spell in his marriage, and he set out to find some porn to entertain himself one night. He claimed that he was not searching for illegal porn, but was so abhorred by what he found that he did not continue the search. The site he went to was ultimately responsible for the sudden sluggishness he reported to the repair tech. The tech allegedly referred to it as "tracker hell."
This case was far more clear cut (and inexpensive to the client) because the evidence consisted solely of images found in the Recycle Bin. For this analysis, I was provided only the police evidence report and the images on a CD. My job was to determine if it could have been accidental as per the claim, and where the images came from.
What I found peculiar about the provided evidence was that the images were all exactly square, and did not have the hallmark verbose naming scheme noted in CASE#1. Mainly they were non-English female names followed by a randomish string of letters and numbers. Only a few images appeared questionable, so I was skeptical.
I used TinEye reverse search on one of the images that was clearly of a legal adult, and one of the first results was for a porn redirect site. That page contained ALL of the suspected images in a grid, each with a link to clearly adult pornographic websites, so this one page was likely the very source for the entirety of the evidence provided. The images that appeared to be of children were not (hint: the word "shaved" was used a lot), and seeing the images in context made it clear they were of perhaps obsessively hygienic adult body parts.
The client's story totally matched the findings. It didn't even appear that he had visited any of the sites, since the only images were uniform in their presentation. The case was dropped, and the client was spared having to appear in court.
CONCLUSION: Two very different stories with very different outcomes. In the first case, the client was found guilty, but maintained a charade throughout the process even to the people that were working on his own legal team. His punishment was surprisingly tame for what the police had termed "the worst child pornography we've ever seen," especially given the birth of the very subject of the alleged pornography he was charged with trading. The judge obviously felt he would not be a threat to his daughter, and history since suggests that he wasn't. According to Google, he now runs a one-man consulting company around encryption. He certainly had the motivation to learn the subject thoroughly.
In the second case, the client was found to be innocent. He told the truth, even while he found it embarrassing, right from the start. Without that analysis, his career would probably have been jeopardized, since even the appearance of guilt would probably end it.
What makes the case with @unix_guru completely different than either of these is that the evidence spans 20 years, and is not limited to pornography. While he must be presumed innocent unless proven guilty, the addition of victims known to him means he will need to be absolutely open and truthful with his legal team, even if it is utterly embarrassing and incriminating. Even if he is wholly innocent of the charges, he should strive to keep the case as uncomplicated as possible. If lied to, the team will be forced to dig a lot deeper, which is guaranteed to make it harder to advocate on his behalf. Especially if the evidence increases instead of absolves, as it did in CASE#1.
I also noticed that someone had already called him out on the charges back in March, but it didn't show up in any of our Twitter feeds until now. The search warrant was exercised in September, and charges laid 3 months ago in March, when it was also posted on Twitter. He made a lot of content even since the arrest that a lot of followers and bystanders viewed, which is Twitter's bread and butter. My gut instinct is that the Twitter algorithm saw the call out as negative, and won't promote a post that might diminish the value of other posts pertaining to him. I personally see this as a flaw which has come up in other ways as well, since he developed a lot of trust from his online followers that could have ended in a bad way if the charges prove to be true. Like CASE#1's wife, we were all blindsided as this unfolded. I truly hope that his is more like CASE#2 than CASE#1, but it is clear even without seeing it which way the evidence is leaning.
Today I Googled his name and see that the news links have now been de-listed. Keep in mind that the vast majority of people who will see this article do not have enough knowledge of the case details to make a judgement. Until his day in court, he and his family still deserve their personal safety. Right now he is a suspect, and if he's not being held, it is apparent the court does not currently see him as a threat to the personal safety of others.
Please note that I am no longer certified nor interested in conducting forensic investigations. The training, certs, lab costs and insurance are sufficiently expensive that it is not worth maintaining if it's not your intended vocation, and I hadn't intended to do criminal forensics in the first place. Computer viruses, malware and hacks are far less tragic to analyze, and lack the stress of opposing lawyers breathing down your back simultaneously. I'd even say they are genuinely interesting. Also, I am not a lawyer. Nothing here should be considered legal advice. It is simply two heavily redacted examples with personal advice from someone who has seen, from the inside, two sides of a relevant coin as they played out.
ksaj commented Jun 5, 2021

This was written in stream of consciousness form, so there are a couple of typos and a grammatical issue or two. But while important, this particular revision isn't publication ready (it can be made so if you want to make an offer!). We're all pretty shocked at the news revelation, and I hope this article provides some insight and balance.

ksaj commented Jun 6, 2021

I've edited it for those who didn't get here via the Twitter link.
