There is this badass gal named Detective Dana who works for the Meatspace Police Department. She's an underappreciated computer forensic analyst in her small town. The department is lucky to even have a computer expert, much less somebody of her caliber. She's no amateur. She knows her stuff and nobody questions her when it comes to computers. She spends most of her time playing helpdesk to the local department, but she always manages to stay sharp even though her day job isn't a challenge. She finally met her match with one strange case.
The Drug Den Raid
It started on a dark and stormy night. The department had a warrant and was raiding a suspected drug dealer. When they arrested him he was on his computer. The place was smoky and they could see the flies and rotting food lying out by the sink. One observant officer noticed something interesting on the computer. He didn't know what the hell he was looking at (a PuTTY terminal), but he saw a black screen and blinking characters and just knew he should call 'the computer girl'.
She tells them they did the right thing and that she wants to come investigate the computer while it's on and unlocked. She emphasizes how important it is not to let it go to sleep or to the screensaver, so he needs to keep moving the mouse until she gets there. What should have only taken 20 minutes took her an hour. She texted him the whole time: "Don't forget to wiggle the mouse! Please, it is important!"
When she gets there, he is sitting in a chair swinging his arm left and right like a clock pendulum swaying the mouse back and forth. That's when she realized he had been sitting there swaying his arm for an entire hour.
She thanks the officer profusely for wiggling the mouse for an entire hour. She is thankful to have a go at an unlocked computer. A wet dream for forensic analysts. There's not much there at first glance. She sees a PuTTY terminal and a Pulp Fiction wallpaper (in 2016? Whatever). First things first though, she starts pulling a memory dump with Volatility to her removable storage device. While that is going on she starts exploring this logged in PuTTY terminal.
Remote VPS Investigation
who; last; finger; ls -lah; pwd; whoami; cd ~; du -h; df -h; free -h; history; cat /var/log/auth.log; netstat -tulpn;
Who has logged in to this remote server and when? Who is logged in now? What directory was he in? What's his username? How much disk space is being used? Which files are using the most? How much RAM does the computer have? What is in the bash shell history? Nothing interesting. It looks like a brand new server with barely any history and only a couple of logins. The only clue is that Tor software was downloaded, so he must have been attempting to access Tor. Looks like he didn't even get to installing it though. Netstat did not show any interesting or suspicious ports listening.
Then there was a sudden flash followed by a crashing boom and then the sudden quiet of the refrigerator, computer, and air conditioner all shutting down at once. Nothing but quiet darkness and the sound of rain. Damn! There goes the computer. At least she got a memory dump. That's something. They'll have to take the computer back to the office for further investigation. Hopefully it didn't fry in the power outage, get damaged in transportation, or have full disk encryption. She prays that the memory dump finished because she wasn't paying attention while exploring the PuTTY terminal.
Full Disk Encryption
Back at the office they plug in and power on the machine. She is met with a TrueCrypt login screen. She realizes he is using full disk encryption. Damn! What now? Well, the guy won't hand over his password, we know that. So what does she have to go on? Does she just start brute forcing or making up dictionaries? Wait! She did manage to get a memory dump before the power went out. She uses cryptoscan, the Volatility plugin for finding plaintext TrueCrypt passphrases in memory dumps. Sure enough, it returns a plaintext password!
She powers off the machine and pulls out the hard drive. She plugs it in using a SATA to USB converter cable and mounts it using the TrueCrypt password. Bingo! She's in.
But where to go from here? A hard disk has a lot of stuff on it. Well, how about starting with the home folder. She navigates to the home folder in her terminal and starts to look around.
pwd; ls; ls -lah; du -h;
The Anomalous File
What's in the home folder? When were the files changed? How big are they? Are there any hidden files? Wait. That. What is that? A hidden folder in the home directory that is half a terabyte. That's not normal. Look inside that directory. A single file. A .qrxz or some bullshit that has got to be fake or proprietary. Gotta figure out what kind of file that really is. She writes a quick script to inspect the bytes of this file and try to match known file signatures. Success right away: it comes back as a JPEG file. Well, that's a little strange, but whatever; she renames it to .jpg and sure enough a thumbnail generates in the file explorer and it opens in a photo viewer. Something is still wrong though. It's way too big to be a single picture. She reruns her file format checker and finds a bug. It is only returning the first file signature it matches and does not continue any further. This time she runs it to continue checking against all known types. It takes much longer this time. She lets it run while she eats, and when she comes back it has also found a ZIP file signature. Then it dawns on her. It's the classic JPG+ZIP steganography trick.
It works because the JPEG headers are at the beginning of the file and the ZIP's central directory is at the end (ZIP readers locate it by scanning backwards from the end of the file), so the two don't conflict with each other. It is the crudest form of steganography though. He could have hidden the data in the low bits of an image, but he would need a massive image to do that. He could do the same thing in audio or video, which would have more room, but it would take a really long time to extract and pack, and it would leave the files unencrypted and exposed until the long packing was complete; even then the unencrypted originals would still need to be securely deleted by overwriting the blocks where they had existed.
She tries to unzip it. Password protected. So it is a ZIP. What is inside this massive hidden and password protected ZIP archive?
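The two scanner behaviours described above (stop at the first signature versus report every signature with its offset) and the reason the appended archive survives, as an added example that is not part of the original story. The signature table and the JPEG+ZIP sample file are constructed here; the "JPEG" is only a header and trailer, not a renderable image, and the archive is built with Python's standard zipfile module.

```python
import io
import struct
import zipfile

# Constructed signature table (name, magic bytes). Real scanners carry
# hundreds of entries; these few are enough to show the first-match bug.
SIGNATURES = [
    ("JPEG", b"\xff\xd8\xff"),
    ("ZIP local file header", b"PK\x03\x04"),
    ("ZIP central directory", b"PK\x01\x02"),
    ("ZIP end of central directory", b"PK\x05\x06"),
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("PDF", b"%PDF-"),
]


def scan_first_match(data):
    """The buggy behaviour from the story: return as soon as one signature
    hits, so a file that is a JPEG *and* a ZIP is reported only as a JPEG."""
    for name, magic in SIGNATURES:
        off = data.find(magic)
        if off != -1:
            return [(off, name)]
    return []


def scan_all(data):
    """Corrected scanner: report every occurrence of every signature with
    its byte offset, sorted by position in the file."""
    hits = []
    for name, magic in SIGNATURES:
        off = data.find(magic)
        while off != -1:
            hits.append((off, name))
            off = data.find(magic, off + 1)
    return sorted(hits)


def make_jpeg_zip_polyglot(files):
    """Constructed sample: a minimal JPEG (SOI, one JFIF APP0 segment, EOI;
    no image data) followed by a ZIP archive of the {name: bytes} dict."""
    app0 = b"JFIF\0" + b"\0" * 9                    # 14-byte JFIF segment body
    jpeg = (b"\xff\xd8"                             # SOI
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xd9")                          # EOI; 22 bytes in total
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return jpeg + buf.getvalue()


def extract_appended_zip(data):
    """ZIP readers find the end-of-central-directory record by scanning back
    from the end of the file and correct for any prepended bytes, which is
    why the JPEG prefix does not break the archive. Returns {name: bytes}."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    sample = make_jpeg_zip_polyglot({"notes.txt": b"constructed payload"})
    print("first-match scanner:", scan_first_match(sample))
    print("full scanner:       ", scan_all(sample))
    print("hidden archive:     ", extract_appended_zip(sample))
```

The sorted offsets are what give the game away in practice: a JPEG signature at offset 0 followed by ZIP structures hundreds of gigabytes in is a container, not a picture, and the file size versus image dimensions check in the story points the same way.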
The Password Protected ZIP
She already got the hard disk password so how hard could this one be? Well it turns out a lot harder. He used a different password than the one for the whole hard disk. He used a passphrase instead of a password for the hard disk. A fortune cookie quote of some kind. This guy obviously knew a little bit about security. He likely used another passphrase but how would she figure it out? This one pushed her to her limits. She tried all the possible word lists she could think of and tried every string that she found in the memory dump.
She was so close to something. She could feel it was something big and it was eating away at her. She was all but ready to give up and running out of time, trying to think of any little clue that might help her. Wait. Pulp Fiction. This guy liked quotes as passphrases and he had a wallpaper of Pulp Fiction on his desktop. She writes a small Python script with BeautifulSoup and scrapes a list of popular quotes from the movie. She strips out all punctuation, makes everything lower case and generates a word list. This is it, she thought. The last ditch effort that is such a reach it will never pan out. The flame of her motivation about to burn out. She runs it through crunch to add some extra permutations and lets the Python brute force script run as she goes to eat. When she comes back she is surprised to see it has already found the password.
"english motherfucker do you speak it"
Son of a bitch.
The zip file is full of images. Tons of images. Nothing but images. They have long file names, distinctly in the format that Facebook uses for image file names. Looking at the time stamps she realizes this guy has been collecting Facebook pictures of local young girls for a long time. While that's really creepy and suspicious of him, there's no real crime yet.
Is there anything else in here? Yes, aside from all of the Facebook images there is one folder. A folder named DCIM. That's the name of an Android or digital camera image directory. She was not prepared for what she saw next. A picture of a young girl tied up. Her world started to spin and she knew this was way bigger than just some drug dealer. She had to help this girl. How? Where is she? When was the image taken? Who took it?
She starts to extract the EXIF metadata with Python. It was taken with an Android. The same model that the suspect owned. It was taken that day. GPS coordinates show it coming from down the street in the same neighborhood.
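The EXIF extraction described above, as an added example that is not part of the original story and does not reproduce whatever script the analyst used. It parses the camera make and model, the capture timestamp and the GPS coordinates from a JPEG's APP1 segment using only the Python standard library (no Pillow or exifread), and constructs its own sample JPEG carrying those tags so it runs offline; the maker, model, timestamp and coordinates in the sample are invented values.

```python
import struct

# Tag numbers from the TIFF/EXIF specification.
TAG_MAKE, TAG_MODEL, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0110, 0x0132, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL


def parse_exif(jpeg):
    """Walk the JPEG marker segments up to start-of-scan, find the APP1 'Exif'
    segment and return {make, model, datetime, lat, lon} from IFD0 and its GPS
    sub-IFD. Returns None when the file carries no EXIF block."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:                  # SOS: entropy-coded data follows
            break
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and segment.startswith(b"Exif\0\0"):
            return _parse_tiff(segment[6:])
        pos += 2 + length
    return None


def _parse_tiff(tiff):
    """Decode the TIFF structure inside APP1; all offsets are relative to it."""
    endian = "<" if tiff[:2] == b"II" else ">"

    def read_ifd(off):
        count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        entries = {}
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
            size = TYPE_SIZE[typ] * n
            if size <= 4:                      # value fits inline in the entry
                raw = tiff[e + 8:e + 8 + size]
            else:                              # entry holds an offset to the value
                voff = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
                raw = tiff[voff:voff + size]
            entries[tag] = (typ, n, raw)
        return entries

    def text(entry):
        return entry[2].rstrip(b"\0").decode("ascii", "replace")

    def to_decimal(entry, ref):
        # GPS coordinates are three RATIONALs: degrees, minutes, seconds.
        vals = struct.unpack(endian + "I" * (2 * entry[1]), entry[2])
        d, m, s = (vals[i] / vals[i + 1] for i in range(0, 6, 2))
        degrees = d + m / 60 + s / 3600
        return -degrees if ref in ("S", "W") else degrees

    ifd0 = read_ifd(struct.unpack(endian + "I", tiff[4:8])[0])
    result = {"lat": None, "lon": None}
    for key, tag in (("make", TAG_MAKE), ("model", TAG_MODEL), ("datetime", TAG_DATETIME)):
        result[key] = text(ifd0[tag]) if tag in ifd0 else None
    if TAG_GPS_IFD in ifd0:
        gps = read_ifd(struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0])
        if GPS_LAT in gps and GPS_LON in gps:
            result["lat"] = to_decimal(gps[GPS_LAT], text(gps[GPS_LAT_REF]))
            result["lon"] = to_decimal(gps[GPS_LON], text(gps[GPS_LON_REF]))
    return result


def _ifd(entries, base):
    """Serialize an IFD placed at TIFF offset `base` (little-endian); payloads
    over 4 bytes are appended after the table and referenced by offset."""
    n = len(entries)
    table, blob, data_off = b"", b"", base + 2 + 12 * n + 4
    for tag, typ, payload in entries:
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")
        else:
            value = struct.pack("<I", data_off + len(blob))
            blob += payload
        table += struct.pack("<HHI", tag, typ, len(payload) // TYPE_SIZE[typ]) + value
    return struct.pack("<H", n) + table + struct.pack("<I", 0) + blob


def _dms(value):
    """Decimal degrees to three RATIONALs (deg/1, min/1, sec*10000/10000)."""
    value = abs(value)
    d = int(value)
    m = int((value - d) * 60)
    s = round(((value - d) * 60 - m) * 60 * 10000)
    return struct.pack("<IIIIII", d, 1, m, 1, s, 10000)


def build_exif_jpeg(make, model, datetime, lat, lon):
    """Constructed sample: a JPEG holding only SOI, an APP1/Exif segment and
    EOI (no image data), tagged the way a phone camera would tag a photo."""
    gps = [(GPS_LAT_REF, 2, (b"N" if lat >= 0 else b"S") + b"\0"), (GPS_LAT, 5, _dms(lat)),
           (GPS_LON_REF, 2, (b"E" if lon >= 0 else b"W") + b"\0"), (GPS_LON, 5, _dms(lon))]
    ifd0 = [(TAG_MAKE, 2, make.encode() + b"\0"), (TAG_MODEL, 2, model.encode() + b"\0"),
            (TAG_DATETIME, 2, datetime.encode() + b"\0"), (TAG_GPS_IFD, 4, b"\0\0\0\0")]
    gps_off = 8 + len(_ifd(ifd0, 8))          # GPS IFD follows IFD0 and its data
    ifd0[3] = (TAG_GPS_IFD, 4, struct.pack("<I", gps_off))
    tiff = b"II" + struct.pack("<HI", 42, 8) + _ifd(ifd0, 8) + _ifd(gps, gps_off)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run against a real photo, parse_exif reads the file bytes the same way; the builder exists only so the example has input. The values that mattered in the story are exactly the ones returned: model (matches the suspect's phone), datetime (taken that day) and lat/lon (down the street), and the parser deliberately returns None rather than guessing when a picture has been stripped of its EXIF block.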
They search the house and find the girl. They set up a sting and catch two more men who come to the house later that night. After sweating them in the interrogation room they all crack and give up all the details on a large human trafficking ring. Dozens of girls are freed from various locations and the whole gang is busted and awaiting their prison sentences.