AntiSec raid reveals forensic investigation methods

Supporters of the AntiSec movement have once again targeted the U.S. Department of Justice, leaking thousands of emails and documents related to forensic investigations, as well as the personal emails of a Special Agent Supervisor in California.

“As part of our ongoing effort to expose and humiliate our white hat enemies, we targeted a Special Agent Supervisor of the CA Department of Justice in charge of computer crime investigations,” the AntiSec notice starts.

“We are confident these gifts will bring smiles to the faces of our black hat brothers and sisters (especially those who have been targeted by these scurvy dogs) while also making a mockery of "security professionals" who whore their "skills" to law enforcement to protect tyrannical corporativism (sic) and the status quo we aim to destroy.”

The raid consisted of two Gmail accounts maintained by Fred Baclagan, a 20-year veteran of law enforcement. Access to Baclagan’s accounts yielded more than 35,000 emails, including the email list from 2005-2011. The IACIS archives contain tips, tricks, documentation, and tactics for a wide range of forensic investigation techniques, shared among several law enforcement officials.

The documents within the leaked emails are repeated several times, but some things did stand out. For example, an Excel file contained nearly 1,000 arrestee records. The file, created in September, included the full name, Social Security Number, Date of Birth, race, gender, full address, offence, number of counts, and conviction date, among other department data.

A majority of the people in the list are listed as being on probation, including some branded as a sex offender, violent offender, or child abuser, where their supervision type is concerned.

Another interesting discovery was a reference manual for collecting forensic evidence from Mozilla’s Firefox, but the document was rather dated. Written in 2009, and aimed at version 3.x, it was one of the few detailed guides discovered that focused on Mozilla’s application.

Most of the other documents in the leaked data focused on Microsoft Windows, and Internet Explorer. There were also several documents outlining the requirements to obtain information from Yahoo, MySpace, Facebook, eBay, and Photobucket, just to name a few.

“The information in these emails will prove essential to those who want to protect themselves from the techniques and procedures cyber crime investigators use to build cases...,” the data release notes explain.

“There are discussions about using EnCase forensic software, attempts to crack TrueCrypt encrypted drives, sniffing wireless traffic in mobile surveillance vehicles, how to best prepare search warrants and subpoenas, and a whole lot of clueless people asking questions on how to use basic software like FTP.”

A brief listing of some of the documents are below.

The listed year represents the time when the document was created. This is only a record of some of the items contained in the PDF files leaked by AntiSec. Other Word, PowerPoint, and Excel documents were unavailable for examination.

2005 - Using Knoppix Forensic Boot Discs from the Command Line When All Else Fails: A Simple Solution

2006 - Facebook Subpoena / Search Warrant Guidelines
2006 - Yahoo Compliance Guide
2006 - Skype Log File Analysis
2006 - Best Practices For Seizing Electronic Evidence (DHS)
2006 - MySpace Law Enforcement Investigators Guide
2006 - Law Enforcement Investigators Guide

2007 - Comcast Cable Law Enforcement Handbook
2007 - Telecom Provider list, from FCC (data retention policies)
2007 - iPod Forensics Update
2007 - eBay PayPal Law Enforcement Guide

2008 - Guide to Bypassing User Passcode on Apple iPhone Devices
2008 - Blizzard (WoW) Law Enforcement Guide to Requests for Information
2008 - Yahoo Compliance Guide
2008 - Law Enforcement Handbook
2008 - AOL Law Enforcement Manual
2008 - LimeWire examinations
2008 - Shareaza (Wndows Vista) Forensic Research
2008 - LimeWire (XP 32-bit) Forensic Research
2008 - Drive Prophet for Windows Quick Start Guide
2008 - Facebook Subpoena / Search Warrant Guidelines

2009 - Photobucket Law Enforcement Compliance Guide
2009 - Mozilla Firefox Forensic Investigator's Reference Manual
2009 - Apple iPhone Passcode Work-Around
2009 - Verizon Law Enforcement Resource Team
2009 - Whitepaper on Live U3
2009 - Southern Oregon HTCTF - Policy on Evidence Retention and Destruction
2009 - Southern Oregon HTCTF Computer Forensics Training Manual
2009 - Skype Responding to Law Enforcement Records

2010 - A Seemingly Innocent Menace an Introduction to “PEDO BEAR”
2010 - Retention Periods of Major Cellular Service Providers
2010 - AOL Law Enforcement Manual
2010 - iPhone Call History Examination with Encase
2010 - Bulletin: magicJack Lawful Interception
2010 - Smudge Attacks On Smartphone TouchScreens
2010 - Facebook Subpoena / Search Warrant Guidelines

Unconfirmed Date – A PDF explaining the locations for forensic information when dealing with AIM, ICQ, Internet Explorer, MSN Messenger, Outlook, Outlook Express, Yahoo Messenger, Windows Messenger, and various other application, system, and networking data.

Like this article? Please share on Facebook and give The Tech Herald a Like too!