Computer Forensics Report Samples
Netsky and Sasser Worms
Earlier versions of the Windows operating system contained several network-based vulnerabilities. On many occasions in the 2000s, malicious scripting programs commonly known as worms exploited these vulnerabilities. The most prolific of these were the Netsky and Sasser worms. Although the two worms functioned differently, their basic structure was the same, and both evidently shared the same creator, Sven Jaschan. The Netsky worm's distribution depended on email: it arrived as an attachment that became active when opened. Once opened, it would harvest all the email addresses on the machine and dispatch copies of itself to every one of them. The damage was extensive. Although Microsoft released a patch to fix the vulnerable network protocol, it arrived six months later, after close to two million users had been attacked.
The relief the patch provided was short-lived: a group of Russian teenagers hacked the patch code and reversed the fix, then published the workaround on the internet. Their intention was to embarrass the software giant. This development, however, resulted in the Sasser worm's attack on cyberspace. Unlike the Netsky worm, this new worm did not require human intervention to spread. The damage was extensive, with computers rebooting without reason. Investigators at the FBI and Microsoft noticed a message circulating on the internet that claimed ownership of Sasser; the people who posted this message identified themselves as the authors of Netsky.
Despite advancements in computer forensics, there is no way to conclusively link a set of code to a programmer. The hurdle in investigations involving viruses and worms is that part of the code used is recycled from other viruses. All digital evidence presented in court is in the form of binary code. A comparison of the code from Netsky and Sasser revealed the use of a distinct set of classes. Classes are short functional units of code that are usually stored in a digital library; the main program uses them to perform a particular function. Although the programming structures of Netsky and Sasser were different, the classes they used pointed to the same digital library. This piece of evidence established that the authors of Netsky were in fact the authors of Sasser.
Sven Jaschan's classmates tipped off Microsoft for a two hundred and fifty thousand dollar reward. The tip was scrutinized by comparing sample code from earlier versions of Netsky and Sasser with code published by Sven Jaschan on his private portal. The binary code matched. The investigators at Microsoft turned this evidence over to the FBI, who contacted the German police. Sven Jaschan's house was searched for evidence and code stored on a variety of digital storage devices such as floppy disks, hard drives, and memory cards. Sven Jaschan confessed to authoring both Netsky and Sasser soon after the search of his residence (Lemos, 2004).
Goner Worm
The Goner Worm case was understandably simple to solve, since the authors were eighth graders. The Goner worm used the DALnet server, through the mIRC chat client, to distribute itself. The worm contained code that allowed the authors to control it. The authors inadvertently used the worm to log in to the chat client. Hence, whenever the worm displayed a message declining service, it invariably revealed the IP address of origin. Moreover, the authors had registered on an Israeli server. DALnet network security specialists unearthed the location of the authors using this information.
The Goner Worm was potentially a threat to firewalls. However, the authors failed to firewall their own movements online. The nicknames used in the Goner Worm messages were registered to them; when the nicknames were cross-referenced with the list of registered IRC users, the matches emerged. This enabled the investigators to ascertain the location of the juvenile perpetrators. The DALnet security team handed the information over to the FBI, who passed it to the Israeli police, who eventually raided the residences of the juveniles and arrested them (Leyden, 2001).
Keystroke logger case
In December 2012, a computer technician was checking a dozen computers in the Supreme Court magistrate's office. He was there to replace the aging computers and was conducting routine scans. The first sign of trouble was an unrecognized icon in the control panel of a computer used by one of the clerks of the Court. The technician initially thought it was a computer virus and ran a virus scan. The results confirmed the presence of something sinister: the computer had keystroke logger software connected to a device that was recording all of the clerk's activity. The device, lodged between the keyboard port and the keyboard cord, was recording sensitive information. The technician reported the alarming finding to the police (FBI, 2013).
The case raised frightening questions about who would install a keystroke logger on a magistrate court clerk's computer. The clerk used the computer to send a variety of sensitive information, including witness lists, payments, and judges' addresses. In the hands of organized crime, this information could prematurely end legal proceedings against powerful criminals. The keystroke device used software to capture the information. Forensic specialists of the cybercrime division uncovered the destination server by examining the software's logs. They then narrowed it down to the IP address of the computer that had accessed the keystroke data. The IP address is a digital fingerprint. The perpetrator's computer belonged to one of the State's highest-ranking sheriffs (FBI, 2013).
Fearing a corruption or criminal nexus angle, the police questioned Sheriff Bernard Thompson about his involvement. Although he initially denied all knowledge of the spying device, he eventually pleaded guilty. The State Police found that Sheriff Thompson had been spying on his wife, who was the clerk using the infected computer. Suspecting his wife of infidelity, Sheriff Thompson had installed the keystroke device on her work computer. The evidence included:
The registration information of the keystroke software login connected to Mrs. Thompson’s work computer at the magistrate office.
The server to which the keystroke device connected to upload its data.
The account registration information provided to the keystroke logger software portal.
The IP address of the downloader.
The hard drives of Sheriff Thompson’s computer.
The receipts for the purchase of the device.
The case lasted only a week. Sheriff Bernard Thompson lost his job and received probation along with a one thousand dollar fine (FBI, 2013).
Keystroke logging, identity theft and device fraud
Identity theft is a common threat faced by anyone who uses the internet for financial transactions. Apprehending identity thieves is an entirely different matter. Identity theft and keystroke logging are not entirely dependent on software; they also rely on deceptive devices (Brown, 2015). The case of Juju Jiang involved an element of luck: the perpetrator remotely accessed a user's laptop while the user was using it (Poulsen, 2003). This scenario, however, does not happen often. Allen Eric Carlson used spoofing to generate email addresses that resembled the real email addresses of celebrities. In this case, the FBI used trace programs that followed the digital signature left behind back to the origin of the emails. Eventually, a Canadian company tracked Carlson down using an email sent to one of its customers (Interactive Intelligence, 2010). The case of Scott Levine was a different matter entirely. He committed the largest computer fraud in American history, using Snipermail, a company that he owned, to gain access to Acxiom's restricted FTP files through legitimate connections (Justia, 2007).
Levine and his staff altered the FTP access codes to gain access to a larger section of the database. They downloaded nearly a million accounts with comprehensive information on the users. When Acxiom launched an investigation into the illegal download, Levine and his staff unsuccessfully attempted to cover their tracks by deleting information on laptops using software that would make recovery difficult (Justia, 2007). Unlike in a regular criminal case, in a digital case the evidence comes predominantly from system logs, activity logs, and data storage devices. Digital fingerprints such as IP addresses and keystroke loggers enable law enforcement to extract the evidence required to convict cyber criminals (Brown, 2015).
The evidence in the Juju Jiang case would be available on his computer, storage disks, and online storage platforms. In the case of Carlson, the presence of his IP address in the originating spam email was the decisive factor. Other logs from his email server and computer, and the data stored on his hard disks (email templates), are further evidence to look for. In Levine's case, the activity log of the user connection provided to Snipermail and the tracking of the destination IP address for the stolen data are critical. Finally, the data itself, on a personal laptop or in a secured location on the Snipermail server, is compelling evidence (Brown, 2015).
Brown, C. S. D. (2015). Investigating and Prosecuting Cyber Crime: Forensic Dependencies and Barriers to Justice. International Journal of Cyber Criminology, 9(1), pp. 55-110. DOI: 10.5281/zenodo.22387
FBI Staff (2013). Ex-Clay County Sheriff Pleads Guilty to Federal Wiretapping Charge. Retrieved from: https://www.fbi.gov/pittsburgh/press-releases/2013/ex-clay-county-sheriff-pleads-guilty-to-federal-wiretapping-charge
Interactive Intelligence Staff (2010). Spammer to jail for tampering with monitoring PC. Retrieved from: http://callcenterinfo.tmcnet.com/news/2010/03/27/4696079.htm
Justia Staff (2007). United States of America, Appellee, v. Scott J. Levine, Appellant, 477 F.3d 596 (8th Cir. 2007). Retrieved from: http://law.justia.com/cases/federal/appellate-courts/F3/477/596/606649/
Lemos, R. (2004). Netsky authors possibly penned Sasser. Retrieved from: http://www.cnet.com/news/netsky-authors-possibly-penned-sasser/
Leyden, J. (2001). How Goner suspects were tracked down. Retrieved from: http://www.theregister.co.uk/2001/12/10/how_goner_suspects_were_tracked/
Poulsen, K. (2003). Guilty Plea in Kinko's Keystroke Caper. Retrieved from: http://www.securityfocus.com/news/6447