John B. Baird
Computer Forensic Portfolio
Open to relocation
johnbairdpc at gmail dot com
Computer Forensic Investigation of Online Identity Theft
Case Number: [REDACTED]
Examiner Agency / Company: International Institute of Technology
Examiner Name: John B. Baird
Examiner Contact: 941-363-1144
Examination #[REDACTED] of suspect [SUSPECT]'s digital properties.
This case started because a number of victims reported that someone had made unauthorized purchases of around $750 with their credit cards. Items were bought online using stolen credit card information and the packages were shipped to vacant homes. Special Agent [redacted] identified one of the victims as [redacted].
A 2703(f) letter requesting preservation of all data related to [VICTIM]'s credit card account was sent to CitiCard (his credit card company), Newegg (the online store where his credit card was used) and UPS (the shipping company that delivered the item). A 2703(d) order was also obtained for access logs. These were the most appropriate legal tools at the time: a criminal investigation warranted their use, a 2703(f) preservation request needs no court involvement, and the "specific and articulable facts" threshold of a 2703(d) order was met for the breadth of data required.
We asked [VICTIM] for permission to perform a forensically sound examination of his computer, and he consented. The examination was performed on a bit-for-bit image of [VICTIM]'s hard drive; the hash values of the image were compared to those of the original drive and were identical.
The examination showed that malware was installed on his computer when he downloaded the video game installer “FreeGameSetup.exe” from a website called [REDACTED]. A keylogger then ran silently while [VICTIM] used his computer, secretly recording his keystrokes and sending them to an email address.
An interview was requested with the owner of the website [redacted]. The owner revealed that his site had been hacked. He did not need to be served legal tools, as he was willing to cooperate. No useful information was found in the web site's server logs, because the hacker either cleared all traces from the logs or the site simply did not keep logs.
Analysis of the malware that had been uploaded to [REDACTED] revealed that keystrokes from the victim's computer were being sent to the email address “[EMAIL 1]@gmail.com”. A search warrant was sent to Gmail for the account “[EMAIL 1]@gmail.com”. A search warrant was the most appropriate legal tool at this point because the threshold of proof was sufficient for the breadth of data required, which here included message content rather than subscriber records alone.
The information Newegg provided about the fraudulent purchase made with [VICTIM]'s credit card yielded the IP address “[IP 1]”. Based on online IP look-up services, this address belongs to a Verizon Wireless subscriber.
A subpoena was sent to Verizon Wireless. The subpoena return identified the subscriber for the IP address as [PERSON 1]. This legal tool was served at this point because there was probable cause to believe our suspect was using this IP address for communication, and only subscriber information was requested (which is why a subpoena was used rather than a tool with a higher threshold). Agents went into [PERSON 1]'s neighborhood with wireless scanners and determined that [PERSON 1] was using an unsecured Wi-Fi access point. Agents were sent to interview the residents of the household, and it was determined that [PERSON 1] is not our suspect.
The other residents of the household are [PERSON 1]'s spouse, who also does not appear to be our suspect, and [PERSON 1]'s children, who were also identified and also do not appear to be our suspect.
Surveillance of the houses within range of [PERSON 1]'s Wi-Fi access point showed activity in one house that corresponded to the times at which the unauthorized individual was accessing the access point. The individual was identified as [REDACTED]. [SUSPECT] was arrested and his computer was seized.
A search warrant was issued and served for the examination of the image file “[REDACTED].ad1”. The search and seizure warrant for the computer was issued because the computer is believed to hold evidence useful to this investigation.
Chain of Custody
I have taken possession of the digital image “[REDACTED]HD.ad1”.
In order to ensure the evidence remains forensically sound, I have verified the hash values of the image:
SHA1: [REDACTED] (Figure 1.1)
Figure 1.1 showing hash values of “[REDACTED].ad1”
Specifics relating to Evidence Item
File System: NTFS / Partition: 1 / Volume: NONAME
OS: Windows XP
User accounts: [REDACTED]
Analysis of Gmail data received via search warrant for “[EMAIL 1]@gmail.com”
On 09/30/2012, I focused on analyzing the information Google returned under the search warrant for the Gmail account “[EMAIL 1]@gmail.com”. I analyzed the header information of some of the emails. Email headers can provide useful data, such as the IP address of a sender, or can reveal that false details were supplied to mask a user's origin. The email headers did not provide useful information.
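The header review described above can be scripted so that every message in a warrant return is processed the same way. The following is an added example, not code from the report or the examiner's tooling. It unfolds the Received headers, walks the chain from the oldest hop forward, discards RFC 1918 and other non-routable addresses, and prefers a provider-stamped X-Originating-IP when one is present. The sample headers are constructed for the example: the .invalid host names and the documentation-range addresses (RFC 5737) are made up and are not from the case.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed raw headers for this example: .invalid host names and documentation-range
# addresses (RFC 5737); nothing here comes from the case file.
SAMPLE = """\
Received: from mx.rcpt.invalid (mx.rcpt.invalid [203.0.113.10])
        by mail.victim.invalid with ESMTP id 4Abc; Sun, 30 Sep 2012 10:00:05 +0000
Received: from webmail.sender.invalid ([198.51.100.25])
        by mx.rcpt.invalid with ESMTP; Sun, 30 Sep 2012 09:59:58 +0000
Received: from [192.168.1.77] (unknown [192.168.1.77])
        by webmail.sender.invalid with ESMTPA; Sun, 30 Sep 2012 09:59:50 +0000
X-Originating-IP: [198.51.100.25]
From: someone <someone@sender.invalid>
To: partner <partner@rcpt.invalid>
Subject: New business
Date: Sun, 30 Sep 2012 09:59:49 +0000

(body omitted)
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Addresses that can never identify an external sender. The RFC 5737 documentation
# ranges are deliberately not listed so the constructed sample above remains usable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_routable(text):
    addr = parse_ip(text)
    return addr is not None and not any(addr in net for net in NON_ROUTABLE)


def received_hops(raw):
    """Return the Received chain oldest hop first, with the IPs and timestamp of each hop.

    Each MTA prepends its own Received header, so the on-the-wire order is newest-first
    and is reversed here to read chronologically.
    """
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())          # unfold continuation lines
        ips = [ip for ip in IPV4_RE.findall(flat) if parse_ip(ip) is not None]
        when = None
        if ";" in flat:                          # the timestamp follows the last ';'
            try:
                when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append({"header": flat, "ips": ips, "date": when})
    return hops


def originating_ip(raw):
    """Best-effort sender address.

    Prefer a provider-stamped X-Originating-IP (some webmail services add one); otherwise
    walk the Received chain from the oldest hop forward and take the first routable
    address. Returns None when the headers carry nothing usable, which is the normal
    outcome for mail submitted through a webmail interface that does not stamp the client.
    """
    msg = message_from_string(raw)
    stamped = msg.get("X-Originating-IP", "")
    for ip in IPV4_RE.findall(stamped):
        if is_routable(ip):
            return {"ip": ip, "source": "X-Originating-IP"}
    for hop in received_hops(raw):
        for ip in hop["ips"]:
            if is_routable(ip):
                return {"ip": ip, "source": "Received"}
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["date"], hop["ips"])
    print(originating_ip(SAMPLE))
```

Only the Received headers added by servers the examiner trusts (the recipient's own mail system and, with a warrant return, the provider's) are reliable; anything below them can be forged by the sender, and a webmail session through the provider's own front end usually leaves no client address at all, which is consistent with the headers in this case yielding nothing.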
Some of the email messages provided very useful information. One email with the subject “New business” is a conversation with the email address “[EMAIL 2]@yahoo.com”. In it, the two discuss receiving and selling stolen credit card numbers belonging to “[VICTIM]”, “[REDACTED]”, “[REDACTED]”, “[REDACTED]” and “[REDACTED]”.
I then analyzed the IP address used to access the Gmail account “[EMAIL 1]@gmail.com”. The IP address “[IP 2]” appears to belong to the ISP “Telekom Romania Communication S.A.” (“Romtelecom Data Network”) in the city of Pitești, Romania.
The emails Google provided for “[EMAIL 1]@gmail.com” also contained keylogger logs matching the keylogger installed on [VICTIM]'s PC, including the name “[REDACTED]” and text matching his credit card information: “[REDACTED]”. The keylogger also recorded the Windows application name “Tetris for Windows”, which is significant because this is the program confirmed by earlier reporting to have come from the hacked gaming website [REDACTED]. This is how the keylogger came to be installed on [VICTIM]'s machine.
Forensic analysis of image “[REDACTED].ad1”
On 09/30/2012, I loaded the image provided, “[REDACTED].ad1”, into FTK. Once the image was successfully loaded, the following hash computations were provided:
My own hash computation produced the same values.
This verifies the image I have loaded is forensically sound and has remained unchanged.
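The verification performed in the Chain of Custody section and repeated here at each loading of the image is the kind of step worth scripting, so that the comparison is done the same way every time and the result is recorded. The following is an added example, not code from the report or from FTK: it reads an image in fixed-size chunks, computes SHA-1 and SHA-256 in a single pass and compares them to the values recorded at acquisition, then alters one byte and shows the comparison failing. The file name sample.ad1, its contents and the "recorded" hashes are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-gigabyte images never sit in memory


def hash_image(path, algorithms=("sha1", "sha256")):
    """One pass over the image file, computing every requested digest at once."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for digest in digests.values():
                digest.update(block)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def verify_image(path, expected):
    """Recompute the digests named in `expected` and compare them to the recorded values.

    `expected` maps algorithm name to the hex value copied from the acquisition log,
    e.g. {"sha1": "..."}. Returns (all_match, computed). Case and stray whitespace in
    the recorded value are tolerated; anything else is a mismatch.
    """
    computed = hash_image(path, tuple(expected))
    all_match = all(
        hmac.compare_digest(computed[name].lower(), recorded.strip().lower())
        for name, recorded in expected.items()
    )
    return all_match, computed


def corrupt_one_byte(path, offset):
    """Flip one bit at `offset` to simulate an image altered after acquisition."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def demo():
    """Build a constructed stand-in image, verify it, alter one byte, verify again.

    The image contents, file name and 'recorded' hashes are made up for this example;
    they are not values from the case.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.ad1")
        data = b"CONSTRUCTED-SAMPLE-IMAGE" + bytes(range(256)) * 64
        with open(path, "wb") as fh:
            fh.write(data)
        # the values an acquisition log would carry for this file
        recorded = {
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
        clean, computed = verify_image(path, recorded)
        corrupt_one_byte(path, offset=100)
        tampered, _ = verify_image(path, recorded)

        # known-answer check of the chunked hasher against the published SHA-1 vector for "abc"
        vector_path = os.path.join(tmp, "abc.bin")
        with open(vector_path, "wb") as fh:
            fh.write(b"abc")
        abc_sha1 = hash_image(vector_path, ("sha1",))["sha1"]

    return {"clean": clean, "tampered": tampered, "computed": computed,
            "recorded": recorded, "abc_sha1": abc_sha1}


if __name__ == "__main__":
    print(demo())
```

Recording more than one algorithm costs nothing extra in I/O, since both digests are updated from the same read, and it keeps the chain of custody defensible if one of the algorithms is later called into question.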
I discovered evidence of the suspect looking for vacant houses for sale for the purpose of picking up packages. (Figure 2.1)
Figure 2.1 showing vacant homes
I discovered evidence of the suspect looking up for-sale listings for the address used to ship the camcorder, [REDACTED]. (Figure 2.2)
Figure 2.2 showing the suspect looking up for-sale listings for the address used to ship the camcorder, [REDACTED]
I discovered evidence of the Newegg purchase of the Sony camcorder fraudulently bought with [VICTIM]'s credit card, placed under the email address “[EMAIL 2]@yahoo.com”. (Figure 2.3)
Figure 2.3 showing evidence of the purchase charged to victim “[victim]”
I discovered evidence of the user of “[EMAIL 2]@yahoo.com” making an Amazon.com purchase of the same camcorder charged to victim “[REDACTED]”. (Figure 2.4)
Figure 2.4 showing victim “[REDACTED]” purchase
I discovered evidence of a NexTag.com purchase of the same model of camcorder under “[REDACTED]”, shipped to “[REDACTED]”. (Figure 2.5)
Figure 2.5 showing victim “[REDACTED]” purchase
I discovered evidence of a Buy.com order for an “Apple iPad with Wi-Fi + 3G 16GB” under “[REDACTED]”, shipped to “[REDACTED]”. (Figure 2.6)
Figure 2.6 showing victim “[REDACTED]” purchase
I discovered evidence, in one of the Windows registry hives, that a Corsair-brand removable USB storage device had been used with this machine at some point.
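The USB history above comes from the SYSTEM hive, where Windows records every USB mass-storage device under Enum\USBSTOR and, on Windows XP, ties the device to its drive letter through MountedDevices. The following is an added example, not code from the report or from FTK: it parses a regedit-style .reg text export of those keys, lists each device's vendor, product and serial, flags instance IDs that Windows generated itself (no unique serial), and maps the ParentIdPrefix to the drive letter. The hive excerpt, the vendor, serial and GUID values are constructed for the example and are not from the suspect's machine; the parser assumes the hive was exported as regedit text.

```python
import re


def _reg_hex(text):
    """Encode text as regedit's hex:aa,bb,... form (UTF-16LE plus terminating NUL),
    wrapped with backslash continuation lines the way regedit exports long values."""
    octets = [f"{b:02x}" for b in (text + "\0").encode("utf-16-le")]
    rows = [",".join(octets[i:i + 20]) for i in range(0, len(octets), 20)]
    return "hex:" + ",\\\n  ".join(rows)


# Constructed PnP path as XP stores it in MountedDevices for a removable disk whose
# USBSTOR ParentIdPrefix is 7&1a2b3c4d&0; the GUID is the generic volume class GUID.
_PNP_PATH = r"\??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Constructed excerpt of a SYSTEM hive exported with regedit; all values are made up.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Corsair&Prod_Flash_Voyager&Rev_1100\AA0000000000123&0]",
    '"Class"="DiskDrive"',
    '"FriendlyName"="Corsair Flash Voyager USB Device"',
    '"ParentIdPrefix"="7&1a2b3c4d&0"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2f9e1c0a&0&1]",
    '"FriendlyName"="Generic Flash Disk USB Device"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]",
    '"\\\\DosDevices\\\\E:"=' + _reg_hex(_PNP_PATH),
    '"\\\\DosDevices\\\\C:"=hex:a0,b1,c2,d3,00,7e,00,00,00,00,00,00',
    "",
])


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: raw_value_text}}."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            # regedit wraps long hex values: a trailing backslash continues on the next line
            while "=hex" in line and line.endswith("\\") and i < len(lines):
                line = line[:-1] + lines[i].strip()
                i += 1
            name, _, value = line.partition("=")
            keys[current][name.strip('"').replace("\\\\", "\\")] = value
    return keys


def decode_value(raw):
    """Decode the textual forms regedit uses: "string", hex:.., dword:..; else return raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("hex:"):
        return bytes.fromhex(raw[4:].replace(",", ""))
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


USBSTOR_RE = re.compile(r"\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)


def usb_storage_devices(keys):
    """List USB mass-storage devices recorded under Enum\\USBSTOR."""
    devices = []
    for path, values in keys.items():
        match = USBSTOR_RE.search(path)
        if not match:
            continue
        device_id, instance_id = match.groups()
        # device_id looks like Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
        fields = dict(part.split("_", 1) for part in device_id.split("&")[1:] if "_" in part)
        devices.append({
            "vendor": fields.get("Ven"),
            "product": fields.get("Prod"),
            "revision": fields.get("Rev"),
            "serial": instance_id.split("&")[0],
            # A device that reports no serial gets a Windows-fabricated instance ID whose
            # second character is '&'; such a value cannot pin down one specific stick.
            "unique_serial": len(instance_id) > 1 and instance_id[1] != "&",
            "friendly_name": decode_value(values.get("FriendlyName", '""')),
            "parent_id_prefix": decode_value(values.get("ParentIdPrefix", '""')),
        })
    return devices


def drive_letters(keys, parent_id_prefix):
    """Drive letters XP assigned to the device (MountedDevices holds the PnP path as UTF-16LE)."""
    if not parent_id_prefix:
        return []
    mounted = keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices", {})
    letters = []
    for name, raw in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        data = decode_value(raw)
        text = data.decode("utf-16-le", "ignore") if isinstance(data, bytes) else str(data)
        if f"#{parent_id_prefix}&RM#" in text:
            letters.append(name.rsplit("\\", 1)[1])
    return sorted(letters)


if __name__ == "__main__":
    hive = parse_reg(SAMPLE_REG)
    for dev in usb_storage_devices(hive):
        print(dev["vendor"], dev["product"], dev["serial"],
              "unique" if dev["unique_serial"] else "generated",
              drive_letters(hive, dev["parent_id_prefix"]))
```

The serial matters for the recommendation at the end of the report: a unique serial lets a seized Corsair device be matched to this registry entry, whereas a Windows-generated instance ID only shows that some device of that make and model was connected. The ParentIdPrefix-to-MountedDevices link is specific to Windows XP; later versions use different keys.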
I discovered, via the recent shortcut link “Deploy.lnk”, evidence of a keylogger located at “C:\Documents and Settings\[redacted]\Desktop\KeyLogger\Deploy.au3”; the link's metadata records a NetBIOS target name of “[REDACTED]” and a target MAC address of “[redacted]” (Figures 2.7 & 2.8)
Figure 2.7 showing top portion of keylogger metadata
Figure 2.8 showing bottom portion of keylogger metadata
On 10/01/2012, I loaded the image provided, “[REDACTED].ad1”, into FTK. Once the image was successfully loaded, I ran a hash computation to verify that the image had remained unchanged.
My hash computation produced the same values.
I found evidence in the “system” registry hive that a TrueCrypt volume is present on the machine inside the file “temp.mpg”. (Figure 2.9)
Figure 2.9 showing TrueCrypt partition history in “system” registry hive
I found a file that appears to be the TrueCrypt volume, “temp.mpg”, in the My Documents folder of user [redacted]. Due to time constraints, a forensic examination of this volume could not be done at this time.
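A TrueCrypt container disguised as “temp.mpg” carries no plaintext signature at all: the volume header is itself encrypted, so every sector of the file, including the first, looks like random data, while a genuine MPEG file starts with a recognisable start code and a structured header. The following is an added example, not code from the examination or from any forensic tool, showing the triage heuristics an examiner can run over exported files to prioritise such a candidate: missing media signature, size a multiple of 512 bytes, and near-maximal byte entropy in both the first sector and the body. The two inputs are constructed in code, and the entropy thresholds are this example's own choices.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def has_media_signature(head):
    """Cheap check for what a .mpg/.mp4 should start with.

    MPEG program streams and video elementary streams begin with a 00 00 01 start code,
    ISO base media (MP4/MOV) files carry 'ftyp' at offset 4, and MPEG transport streams
    have a 0x47 sync byte every 188 bytes.
    """
    return (head[:3] == b"\x00\x00\x01"
            or head[4:8] == b"ftyp"
            or (len(head) > 188 and head[0] == 0x47 and head[188] == 0x47))


def assess_container(data):
    """Triage heuristics for an encrypted container disguised as a media file.

    A TrueCrypt volume has no plaintext header, so it shows no media signature, its size
    is a multiple of 512, and its first sector is as random as its body. The thresholds
    below are this example's own assumptions, not values from any tool or from the case.
    """
    head, body = data[:512], data[:1 << 20]
    report = {
        "size_multiple_of_512": len(data) % 512 == 0,
        "has_media_signature": has_media_signature(head),
        "head_entropy": round(shannon_entropy(head), 3),
        "body_entropy": round(shannon_entropy(body), 3),
    }
    report["suspect_encrypted_container"] = (
        report["size_multiple_of_512"]
        and not report["has_media_signature"]
        and report["head_entropy"] > 7.0      # 512 samples over 256 symbols peak near 7.6
        and report["body_entropy"] > 7.9
    )
    return report


def pseudo_random_bytes(n, seed):
    """Deterministic stand-in for ciphertext (a SHA-256 chain) so the demo is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed inputs for the example (not files from the image):
# a 64 KiB "temp.mpg" that is really ciphertext-like data from end to end ...
FAKE_CONTAINER = pseudo_random_bytes(64 * 1024, b"constructed container")
# ... and a file with a real MPEG pack-header start code, a sparse header and a
# compressed-looking payload, the shape an actual video file takes.
FAKE_MPEG = b"\x00\x00\x01\xba" + bytes(508) + pseudo_random_bytes(60_000, b"constructed video")

if __name__ == "__main__":
    for name, blob in (("temp.mpg (container)", FAKE_CONTAINER), ("real.mpg", FAKE_MPEG)):
        print(name, assess_container(blob))
```

To apply this to a file exported from the image, pass the result of open(path, "rb").read() to assess_container. A positive result only prioritises the file: encrypted archives, compressed data stripped of their headers and genuinely random junk score the same way, and the only confirmation is to mount the file as a TrueCrypt volume with a passphrase or keyfile recovered from elsewhere in the examination, since the volume header can be checked only after it is decrypted.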
Results / Conclusions
The evidence suggests that the computer owned by [suspect] was used in the commission of credit card fraud to purchase items online with stolen credit card information.
Email conversations show possible criminal operations with people in Romania. The only two leads I have discovered so far are the user of the IP address “[IP 2]” and any (additional) users of the email addresses “[EMAIL 1]@gmail.com” and “[EMAIL 2]@yahoo.com”.
I believe there is a TrueCrypt volume hidden on the suspect's computer in the file “temp.mpg”, and that it should be forensically examined.
I also believe there is a Corsair-brand removable storage device that may hold data useful to this investigation, and I recommend obtaining this device under existing legal tools or by obtaining additional legal tools to perform a search and seizure.
Two chronology logs have been provided as separate documents.