“Would you tell me, please, which way I ought to go from here?”
“That depends a good deal on where you want to get to.”
“I don’t much care where –”
“Then it doesn’t matter which way you go.”
― Lewis Carroll,
If you’re seeking adventure, you really couldn’t pick a much better place to start than Belize. Home to the Mayans, countless buccaneers, and lush jungle flora and fauna, Belize is an adventurer’s dream. And Belize is precisely where a recent Gillware Digital Forensics case began. (Unfortunately, though, none of us here at Gillware got to make a trip there for this laptop forensics case.)
Our client sent in a laptop that had belonged to a recently-fired employee for our computer forensics specialists to examine. Our client suspected that the ex-employee had used the company laptop for outside business, among other things. When the employee left, they took a company-owned laptop with them.
The laptop eventually made its way back to the company via another employee. Once the laptop returned, however, the company discovered that someone had installed a pirated version of Windows 7 Ultimate on the laptop. The company’s data was no longer accessible. It looked like a suspicious situation. The client needed the help of laptop forensics experts to evaluate the veracity of their suspicions.
Our client knew the laptop had a tale to tell, and asked our laptop forensics experts to uncover that story. They hoped that we would be able to recover some of the data that used to exist on the machine.
In digital forensics, it is important to start with specific goals in mind. Otherwise, the examiner may end up wandering aimlessly in a sea of data, like sailors without a compass. We asked our client for details about the types of files they were hoping to recover, the dates of employment for the ex-employee, and what authorized and unauthorized activity would look like on the system. Basically, we asked them to tell us the story of the laptop as they knew it so that our laptop forensics team would have context to work with.
And then the archaeological digging began. After removing the hard drive and obtaining a forensic image of it, we began our forensic examination by looking at the details and artifacts surrounding the installation of the pirated operating system. On a day just after our client fired the employee in question, the laptop had hit a wireless access point at a pawn shop in Santa Elena, Belize, connecting to it at the beginning of the installation process for the pirated operating system. Our further analysis of the registry showed that the computer had connected to this access point at least twice, nearly a month apart.
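The "connected at least twice" conclusion comes from the wireless profile timestamps Windows keeps under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}`: `DateCreated` records the first connection and `DateLastConnected` the most recent one, each stored as a 16-byte SYSTEMTIME. The following is an added example, not code from the Gillware case or from any forensic tool named here; the profile values, the SSID and the dates are constructed stand-ins, and the decoding assumes the values have already been read out of the hive with whatever registry parser you use.

```python
import struct
from datetime import datetime

# SYSTEMTIME layout: eight little-endian uint16 fields
# (year, month, day-of-week, day, hour, minute, second, millisecond).
# NetworkList stores these in local time, not UTC.
SYSTEMTIME_FMT = "<8H"

def encode_systemtime(dt):
    """Build a SYSTEMTIME blob from a datetime (used only to construct test data)."""
    return struct.pack(SYSTEMTIME_FMT, dt.year, dt.month, (dt.weekday() + 1) % 7,
                       dt.day, dt.hour, dt.minute, dt.second, dt.microsecond // 1000)

def decode_systemtime(blob):
    """Decode a 16-byte SYSTEMTIME value into a naive local-time datetime."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack(SYSTEMTIME_FMT, blob)
    return datetime(year, month, day, hour, minute, second, ms * 1000)

# Constructed stand-in for the values found under one Profiles\{GUID} subkey.
# The SSID and dates are hypothetical and not taken from the case.
SAMPLE_PROFILE = {
    "ProfileName": "PAWNSHOP-GUEST",
    "Description": "PAWNSHOP-GUEST",
    "NameType": 71,   # 71 = wireless, 6 = wired (documented NetworkList values)
    "DateCreated": encode_systemtime(datetime(2015, 3, 2, 9, 17, 5)),
    "DateLastConnected": encode_systemtime(datetime(2015, 3, 30, 14, 42, 11)),
}

def profile_summary(values):
    """Summarise what a NetworkList profile proves about connections to an SSID.
    A DateLastConnected later than DateCreated means at least two connections."""
    first = decode_systemtime(values["DateCreated"])
    last = decode_systemtime(values["DateLastConnected"])
    return {
        "ssid": values["ProfileName"],
        "wireless": values.get("NameType") == 71,
        "first_seen": first,
        "last_seen": last,
        "days_between": (last - first).days,
        "multiple_connections": last > first,
    }

if __name__ == "__main__":
    for key, val in profile_summary(SAMPLE_PROFILE).items():
        print(f"{key:22} {val}")
```

Because the timestamps are local time, line them up with the system's time zone (from the SYSTEM hive) before comparing them against UTC sources such as the USN journal; the corresponding `NetworkList\Signatures\Unmanaged` entry also carries the gateway MAC address, which is what ties the profile to a specific physical access point.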
How did we know we had a pirated operating system on our hands? For that matter, how does Microsoft know? Microsoft has various means of checking whether an operating system is legitimate. We have our various means of checking as well.
In this case, we knew for a fact that our adventuresome laptop left the safe port of home with Windows XP installed. When it returned from the wilds of Belize, it had an OEM version of Windows 7 Ultimate installed on it. OEM stands for “Original Equipment Manufacturer”. In other words, this copy of Windows 7 Ultimate should have shipped with original system hardware, pre-installed on a brand new computer, and shouldn’t have ended up installed onto this laptop.
During the Windows activation process, Microsoft checks to make sure a genuine, properly authorized version of their operating system is installed. In our case, the activation failed on a date check problem. The computer hardware preexisted the advent of the operating system, and Microsoft knew it!
With deeper digging we were able to find and recover deleted copies of the system’s registry hives in unallocated space on the hard disk drive. These registry hives included the original, genuine operating system installation information. One great tool for doing this type of work is Arsenal Forensics’ Registry Recon.
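Carving deleted hives out of unallocated space rests on the hive file format: every hive begins with a 4 KiB base block whose first four bytes are `regf`, followed by two sequence numbers, a last-written FILETIME, version fields, the hive's own path in UTF-16, and an XOR checksum of the first 508 bytes at offset 508. Checking that checksum is what separates a real header from a stray `regf` string. The script below is an added example, not Gillware's procedure or any part of Registry Recon; the disk "image" it scans is a constructed byte buffer containing two hand-built headers and a decoy, and the hive names and timestamps in it are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096   # the base block occupies the first 4 KiB of a hive

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def regf_checksum(block):
    """XOR of the 127 DWORDs in bytes 0..507, with the two reserved results
    remapped the same way the kernel does (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1

def parse_base_block(block):
    """Decode the base-block fields needed to triage a carved hive."""
    primary_seq, secondary_seq = struct.unpack_from("<II", block, 4)
    (last_written,) = struct.unpack_from("<Q", block, 12)
    major, minor = struct.unpack_from("<II", block, 20)
    # 64-byte UTF-16LE field holding (the tail of) the hive's path
    hive_name = block[48:112].decode("utf-16-le", "replace").split("\x00", 1)[0]
    (stored_sum,) = struct.unpack_from("<I", block, 508)
    return {
        "sequence": (primary_seq, secondary_seq),
        "dirty": primary_seq != secondary_seq,   # mismatch: transaction logs not applied
        "last_written": filetime_to_datetime(last_written),
        "version": (major, minor),
        "hive_name": hive_name,
        "checksum_ok": stored_sum == regf_checksum(block),
    }

def carve_hives(image):
    """Return every offset in the buffer where a base block with a valid
    checksum starts. Candidates whose checksum fails are discarded."""
    hits = []
    pos = image.find(REGF_MAGIC)
    while pos != -1:
        block = image[pos:pos + BASE_BLOCK_SIZE]
        if len(block) == BASE_BLOCK_SIZE:
            info = parse_base_block(block)
            if info["checksum_ok"]:
                info["offset"] = pos
                hits.append(info)
        pos = image.find(REGF_MAGIC, pos + 1)
    return hits

def build_base_block(hive_name, last_written_ft, seq=7):
    """Constructed test data: a minimal base block that passes the checks above."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_MAGIC
    struct.pack_into("<II", block, 4, seq, seq)
    struct.pack_into("<Q", block, 12, last_written_ft)
    struct.pack_into("<II", block, 20, 1, 3)          # format version 1.3
    name = hive_name.encode("utf-16-le")[:64]
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)

# FILETIME values for 2013-01-01 and 2015-01-01 00:00 UTC (constructed dates)
FT_2013 = 130014720000000000
FT_2015 = 130645440000000000

# Constructed "unallocated space": filler, an older hive header, a decoy
# 'regf' inside unrelated text, then a newer hive header.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + build_base_block("Config\\SOFTWARE", FT_2013)
    + b"\x00" * 300
    + b"log line mentioning regf keyword"
    + b"\x00" * 100
    + build_base_block("Config\\SYSTEM", FT_2015)
    + b"\x00" * BASE_BLOCK_SIZE
)

if __name__ == "__main__":
    for hive in carve_hives(SAMPLE_IMAGE):
        print(f"offset {hive['offset']:>8}  {hive['hive_name']:<20} "
              f"last written {hive['last_written']:%Y-%m-%d}  dirty={hive['dirty']}")
```

On a real image the carver would read the device in chunks and, for each validated header, copy out the bytes from the header through the hive bins data size recorded at offset 40 so the recovered hive can be loaded into a parser. The last-written timestamp is the first thing to compare against the new installation's date: a hive whose last write predates the reinstall is a candidate for the original system's registry.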
By examining MFT (Master File Table), LogFile, and USN (Update Sequence Number) Journal records using ANJP TriForce, we took the archaeological dig to a deeper level. We discovered file names, file paths, and dates and times associated with previously existing files. We recovered a handful of files, though many of the preexisting files were overwritten and not recoverable. More importantly, we provided a long list of previously existing files. These files proved that the ex-employee had in fact used the laptop for outside work, just as the employer suspected.
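The "long list of previously existing files" is exactly what the USN journal yields even when the file contents are gone: each `USN_RECORD_V2` in `$Extend\$UsnJrnl:$J` carries the file's MFT entry, its parent directory's entry, a UTC timestamp, the file name, and reason flags such as `FILE_CREATE` and `FILE_DELETE`. The parser below is an added example rather than Gillware's workflow or anything from ANJP TriForce; it walks a constructed journal fragment, groups records by MFT entry, and resolves paths through a constructed map of directory entries to paths (in practice that map is built from the `$MFT`). The file names and dates are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the USN_REASON_* flags from the Windows SDK
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
# USN_RECORD_V2 fixed part (60 bytes): RecordLength, Major, Minor, FileRef,
# ParentFileRef, Usn, TimeStamp, Reason, SourceInfo, SecurityId, Attributes,
# FileNameLength, FileNameOffset
HEADER = "<IHHQQqqIIIIHH"
HEADER_SIZE = struct.calcsize(HEADER)
ENTRY_MASK = (1 << 48) - 1          # low 48 bits of a file reference = MFT entry number

def filetime_to_datetime(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_records(journal):
    """Yield one dict per V2 record in a $J fragment; zero padding is skipped."""
    off = 0
    while off + HEADER_SIZE <= len(journal):
        (length, major, _minor, fref, parent_ref, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = struct.unpack_from(HEADER, journal, off)
        if length == 0:                      # padding: advance to the next 8-byte boundary
            off += 8
            continue
        if major != 2 or length < HEADER_SIZE or off + length > len(journal):
            break                            # not a V2 record or a truncated fragment
        name = journal[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "mft_entry": fref & ENTRY_MASK,
            "parent_entry": parent_ref & ENTRY_MASK,
            "name": name,
            "reasons": [label for flag, label in REASONS.items() if reason & flag],
            "directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
        }
        off += length

def file_history(journal, dir_paths):
    """Summarise, per MFT entry, what the journal proves: final name, resolved
    path, first and last event time, and whether a delete was recorded."""
    files = {}
    for rec in parse_usn_records(journal):
        path = dir_paths.get(rec["parent_entry"], "<unknown>") + "\\" + rec["name"]
        entry = files.setdefault(rec["mft_entry"], {
            "first_event": rec["timestamp"], "deleted": False})
        entry.update(name=rec["name"], path=path, last_event=rec["timestamp"])
        if "FILE_DELETE" in rec["reasons"]:
            entry["deleted"] = True
    return files

def build_record(usn, ft, entry, parent, name, reason, attrs=0x20):
    """Constructed test data: encode one USN_RECORD_V2 (8-byte aligned)."""
    name_b = name.encode("utf-16-le")
    length = (HEADER_SIZE + len(name_b) + 7) & ~7
    rec = bytearray(length)
    struct.pack_into(HEADER, rec, 0, length, 2, 0, entry, parent, usn, ft,
                     reason, 0, 0, attrs, len(name_b), HEADER_SIZE)
    rec[HEADER_SIZE:HEADER_SIZE + len(name_b)] = name_b
    return bytes(rec)

BASE_FT = 130460544000000000                 # 2014-06-01 00:00 UTC (constructed)
HOUR = 3600 * 10_000_000                     # FILETIME ticks per hour
SAMPLE_DIRS = {100: "\\Users\\jdoe\\Documents", 101: "\\Users\\jdoe\\Downloads"}
SAMPLE_JOURNAL = (
    build_record(0,   BASE_FT,            2000, 100, "client-proposal.docx", 0x80000100)
    + build_record(104, BASE_FT + HOUR,     2000, 100, "client-proposal.docx", 0x80000002)
    + build_record(208, BASE_FT + 2 * HOUR, 2001, 101, "setup.exe",            0x80000100)
    + b"\x00" * 16                                       # sparse gap between records
    + build_record(320, BASE_FT + 30 * 24 * HOUR, 2000, 100, "client-proposal.docx", 0x80000200)
)

if __name__ == "__main__":
    for entry, info in sorted(file_history(SAMPLE_JOURNAL, SAMPLE_DIRS).items()):
        print(f"MFT {entry}: {info['path']}  {info['first_event']:%Y-%m-%d} -> "
              f"{info['last_event']:%Y-%m-%d}  deleted={info['deleted']}")
```

Run against a real `$J` extract, the path resolution needs the `$MFT` parsed first so that every directory entry number maps to a name, and rename reasons should be followed so a file is listed under its final name; the core evidence, the existence of a named file at a UTC time, survives even after the data runs themselves have been overwritten.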
It’s not unusual to find stolen laptops ending up in pawn shops. What was a bit unusual in this laptop forensics case, though, was how our laptop returned home. The ex-employee gave the wayward laptop to another employee, who returned it to its owner. Circumstantially, this makes it appear that the visit to the pawn shop was made specifically to clean up the computer and cover up unauthorized activity. Some cases are intrinsically interesting based on what is found during a forensic examination.