Law Enforcement, Methodology, Software

The “I’ve Been Hacked” Defence

By: Yuri Gubanov, Oleg Afonin
(C) Belkasoft Research, 2016

Abstract

This article was inspired by an active discussion in one of the forensic listservs. The original post asked how to counter the argument “This is not me, this is malware”. The suspect was allegedly downloading and viewing illicit child photos and was denying it, explaining the presence of these photos by malicious software they presumably had.

I’ve Been Hacked

The “I’ve been hacked” tactic is the most common defense when it comes to crimes committed on or with computers. However obvious it might be, the burden of proof lies on you and not on the suspect. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activities?

Checking for Malware

Well, what about checking whether there was indeed malware? Would the absence of malware prove that the suspect is lying?

Scanning the disk image for malware is one thing, yet it rarely proves anything. The absence of malware proves nothing, and any malware that is found proves nothing either. Why? If there is NO malware, why couldn’t it simply have deleted itself on a command from a remote control center? If there IS malware, that does not automatically mean that it downloaded anything.

Capturing a memory dump and looking for active VPN sessions may give you a hint of some unusual activities, but again it won’t prove anything.

In order to discover whether or not the “hacked” defense has grounds, you will need to look at other factors.

Physical Presence

One of the easiest things to check is whether or not the person was physically present at the crime scene. And since we’re talking about high-tech crimes, how about collecting location data from the suspect’s smartphone? Android smartphones record GPS coordinates every 15 minutes, passing them on to Google’s servers for location reporting. You may access these records by logging in to the suspect’s Google Account and either reviewing their Location History or using Google Takeout to download the data for offline analysis. Apple’s iPhones also collect location information, and although extracting the data is not as easy as acquiring it from Android phones, it still can be done.

Belkasoft Evidence Center (BEC) can gather geolocation from different sources, such as Google Maps apps, browser searches, geo-enabled chats and so on. You can review one or multiple locations in the Google Maps window right inside the tool.

Timeline

Building a timeline based on multiple data sources is arguably one of the best ways to show the activity happened when the suspect was physically present at the crime scene. Don’t assume; instead, try to acquire as much data as possible to build a comprehensive, geo-tagged timeline.

  • Location data. Proves physical presence at the crime scene.
  • Photos captured with their smartphone. Can contain GPS tags which, coupled with timestamps, prove physical presence.
  • Posts to social networks. Could carry location data as well, and even if not, they sometimes allow proving that a post was made from the computer or mobile device at the crime scene. If you extracted such a post from a memory dump of a running computer, it was definitely made from that computer.
  • Text messages or emails. Were they sent from a desktop computer? If so, someone was physically present at the computer (by itself this does not prove that it was the suspect, and theoretically it could also be malware, but the text of the email may let you prove otherwise).
  • Logs acquired from the suspect’s mobile service provider.

All of those may link points in time with points on the map or a stationary device, helping you build a connection between a suspect’s activities and their physical presence at the crime scene.
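The correlation this section describes, and the logon-time comparison made in the Windows Event Logs section below, as an added example (not Belkasoft’s code): constructed logon sessions, phone location fixes and desktop activities are merged so that each activity is attributed to the account logged on at that moment and checked against where the phone was relative to the scene. All names, coordinates and times are made up.

```python
"""Geo-tagged timeline correlation (added example, not Belkasoft's code).
Merges Windows logon sessions, phone location fixes and desktop activity;
for each activity reports who was logged on and whether the phone was at the scene."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def logged_on_user(sessions, when):
    """Account whose (user, logon, logoff) session contains `when`, else None."""
    for user, start, end in sessions:
        if start <= when <= end:
            return user
    return None

def nearest_fix(fixes, when, max_gap=timedelta(minutes=15)):
    """(time, lat, lon) fix closest to `when`, or None if none within max_gap."""
    best = min(fixes, key=lambda f: abs(f[0] - when), default=None)
    return best if best and abs(best[0] - when) <= max_gap else None

def correlate(sessions, fixes, scene, activities, radius_km=0.5):
    """Attribute each (label, time) activity to a logon session and a phone fix."""
    out = []
    for label, when in activities:
        fix = nearest_fix(fixes, when)
        dist = haversine_km(fix[1], fix[2], *scene) if fix else None
        out.append({"activity": label, "user": logged_on_user(sessions, when),
                    "distance_km": dist,
                    "phone_at_scene": dist is not None and dist <= radius_km})
    return out

# Constructed sample: scene coordinates, logon sessions (as paired from Security
# event log logon/logoff events), Location History fixes, and two activities.
SCENE = (59.9343, 30.3351)
SESSIONS = [("suspect", datetime(2016, 10, 3, 13, 40), datetime(2016, 10, 3, 15, 30)),
            ("spouse", datetime(2016, 10, 3, 17, 30), datetime(2016, 10, 3, 19, 0))]
FIXES = [(datetime(2016, 10, 3, 13, 50), 59.9343, 30.3351),
         (datetime(2016, 10, 3, 14, 5), 59.9343, 30.3360),
         (datetime(2016, 10, 3, 18, 0), 59.9500, 30.4000)]
ACTIVITIES = [("email sent from desktop client", datetime(2016, 10, 3, 14, 2)),
              ("board2.jpg last accessed", datetime(2016, 10, 3, 18, 10))]

def run_sample():
    return correlate(SESSIONS, FIXES, SCENE, ACTIVITIES)
```

The first activity lands inside the suspect’s session with the phone about 50 m from the scene; the second falls in the spouse’s session with the phone roughly 4 km away.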

Windows Event Logs and Registry Records

Event logs and Registry records are a valuable source of information that is rarely cleaned. They may contain information which can prove the suspect’s presence at a particular desktop computer at the time of the illicit actions:

  • Logging in. Both the Event log and the Registry store information on user login attempts. Remember the question above: was it the suspect who sent an email or text chat? If you compare the time an email was sent with the login times, you can prove that it was indeed the suspect, logged in at the time of interest, and not their spouse or children. The same information and logic apply if an illicit picture has a “last access time” matching the time of interest.
  • Running a program and opening files. The Registry stores last opened files and last run applications (e.g. in the Windows Explorer registry keys); you can also inspect UserAssist entries. While malware can run a program and open a file, it is not likely that it will download illicit images, then open a Word document and run Windows Media Player.

UserAssist entries are automatically extracted by BEC when processing registry files. You can see that VirtualBox.exe was executed twice, with a last run time of June 26, 2013.

  • Attaching and detaching USB devices such as flash drives. It is hard to imagine malware attaching a USB device, so if a device was plugged in, someone was definitely present at the computer.
  • Remote control sessions, established VPN connections and so on. While these could theoretically be opened by malware, coupled with activities of other kinds it is very unlikely.
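An added example (not BEC code) that decodes a Windows 7 and later UserAssist value of the kind shown in the VirtualBox screenshot above: value names are ROT13-encoded program paths, and the 72-byte data stores the run count at offset 4 and the last-run FILETIME at offset 60. The sample value is constructed here and the program path is an assumption.

```python
"""Decode a Windows 7+ UserAssist registry value (added example, not BEC code).

Value names are ROT13-encoded program paths; the 72-byte data holds the run
count at offset 4 and the last-run FILETIME at offset 60. Sample is constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME = 100 ns ticks since 1601-01-01

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_userassist(value_name: str, data: bytes) -> dict:
    """Return decoded program name, run count and last run time of one entry."""
    if len(data) != 72:
        raise ValueError(f"expected 72-byte Win7+ UserAssist data, got {len(data)}")
    run_count = struct.unpack_from("<I", data, 4)[0]
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        # an all-zero FILETIME means no recorded last run
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }

def build_sample_value(program: str, run_count: int, last_run: datetime):
    """Construct a (name, data) pair in the Win7+ layout, for demonstration only."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return codecs.encode(program, "rot_13"), bytes(data)

# Constructed entry mirroring the VirtualBox example: two runs, last on 26 June
# 2013. Real entries sit under HKCU\Software\Microsoft\Windows\CurrentVersion\
# Explorer\UserAssist\{GUID}\Count; the path used here is an assumption.
SAMPLE_NAME, SAMPLE_DATA = build_sample_value(
    r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe", 2,
    datetime(2013, 6, 26, 10, 15, 0))

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA))
```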

Thumbnails

For performance reasons, Windows stores smaller previews of all pictures in a folder that is browsed in Windows Explorer under certain views, such as “Large icons”. The format differs between versions of Windows (thumbs.db, ehthumbs.db, Thumbnail Cache), but the presence of a preview can give you important evidence. At the very least it means that a folder containing pictures was opened in Windows Explorer and a user could have viewed them. Even if malware indeed downloaded some illicit images, it is not regular malware behavior to open the containing folder and switch it to the “Large icons” view.

Belkasoft BEC supports searching for thumbnails in any format created by Windows, and if deleted, can carve them.

See a related story of how thumbnails were used in a real FBI investigation dealing with child abuse: https://www.cnet.com/news/fbi-posts-fake-hyperlinks-to-snare-child-porn-suspects/

File Activities and Jumplists

While thumbnails do not give you an answer about whether the suspect explicitly opened a picture, jumplists can help with that.

Jumplists are a feature of Windows 7, 8, and 10 that keeps information about recently accessed applications and documents. Unlike other indicators (such as the “last accessed time” NTFS attribute), jumplists indicate that a certain file was opened or launched by the user logged into a certain Windows account. Jumplist records are not created if files are merely copied or moved by malware; however, they will be created whether the user opens files locally or over a remote control session. Jumplists can give a definite answer as to whether or not a given file (such as a picture) has been opened in a given app.

BEC shows pictures opened with IrfanViewer along with the last opening time. This is definite proof that a file called “board2.jpg” was viewed by someone at the computer named in the NetBIOS name field (alexcomputerdev) at the specified time (2013.06.27, 16:08:54).

While jumplists can be cleaned (just as every other artifact), they are still relatively little known and rarely wiped. And again, if you see someone with completely cleared jumplists, this is at least suspicious.

Jumplists are preserved during Windows updates; we’ve seen computers with jumplists going back several years.

Privacy Guards and Cleaners

The use of privacy guards, InPrivate browsing and temporary file cleaners is not a crime. However, installing such a cleaning app or performing a wipe session immediately after an alleged crime does look suspicious (yet does not prove anything by itself).

Conclusion

You can work around the “I’ve been hacked” defense by collecting information from the PC or mobile device being analyzed as well as from multiple other sources. Establishing physical presence, proving the use of a certain USB drive and proving access to certain files at certain times can be enough to make a well-founded decision.

About authors

Oleg Afonin is an author, expert, and consultant in computer forensics.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as HTCIA, FT-Day, CAC and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in the digital forensics and security domain, Yuri has led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.

A full list of articles by Belkasoft Research can be found at belkasoft.com/articles.

Discussion

3 thoughts on “The “I’ve Been Hacked” Defence”

  1. Interesting, additionally one can also look into:

    *Shellbags – which folders were recently browsed by the user
    *Browser Usage – History, Cookies, Cache, Session Restore – especially Flash and Super Cookies can be used to check the user account used while visiting the website, with timestamp

    Posted by Harpreet Dardi | October 24, 2016, 10:29 am
  2. When confronted by the ‘I’ve been hacked’ defence I always approach it from a different direction.

    Rather than prove what didn’t happen, I prove what did happen.

    Take the creation of child abuse images, work around that activity and show what did happen at that time.
    How was the computer powered on, what logon occurred, what file activity occurred.
    In essence I do not disprove that a computer was ever ‘hacked’; I prove that relevant activity is local. Invariably there is then activity that suggests an individual was sat at the keyboard, not a third party.

    Is it possible that any computer has been hacked in its life and traces of those attacks removed? Yes.
    In the same way that it is possible for me to walk on the Moon: possible but highly improbable to ever happen.

    Posted by J C. | October 25, 2016, 9:27 am

