The Case of The Client Who Wanted … to be Wanted
copyright Steve Burgess, 2018
It was nearly Christmas, but the morning sun was pouring in through the windows of my Central Coast office, casting shoe-shaped shadows on the West side of my desk. Perhaps I should have instead been thinking of a Night before Business, while visions of fuller sums danced through my head. The concept of the bills stacking up in my desk drawer began to draw my attention. But in my reverie, my mind went back to the days of sandals and long, carefree afternoons at UCSB.
Then another shadow fell across the desk, obscuring thoughts of debtors and echoes of Birkies. It was Alicia D’Languissant, an Earth Mother from another era, with a snaggletooth grin, Ben Franklin specs, long gray hair falling over the shoulders of her tie-dye, with much-loved Birkenstocks peeking out from worn, baggy, bell bottoms. I was tempted to talk of wasting away those carefree hippie days, but then I snapped back to reality. I’m a forensicist and we’re bred to be too tough to care.
So I took Jimi asking if I was experienced off the iTunes and asked, “How may I help you, Ma’am?”
“Someone’s been hacking my computer, and I know who it is.”
Alicia, long without a main squeeze, had spent a night of revelry a couple hundred miles north at a hotel in Sebastopol. It seemed too good to be true and when the lights came up in the morning, our man was nowhere to be found. So she thought. Soon there was correspondence and the beginnings of what might have blossomed into something fresh, something new, something groovy.
Alas, it was not to be. Correspondence got spotty, and then went away. But secret visits started to proliferate. There were hints of unauthorized access to her laptop, and Alicia reported possible break-ins with doors left ajar.
We made the contract, and I tucked into her computers.
The first thing to do was to make a forensic working copy of the laptop’s hard disks. I might have pulled the hard drive from the laptop and attached it to a Tableau TD2U Forensic Imager, but Alicia wanted the computer left unopened. So instead I booted the laptop with a Kali Linux build containing CyanLine’s MinDAS Disk Acquisition System. With a couple of forensic working copies in hand, the Ms. was free to take her devices back to her home office for work.
Using Magnet Forensics’ IEF, we extracted data from the Windows Registry to see what other USB devices might have been attached to the computer, but all of the devices that turned up were known and owned by D’Languissant.
We searched every which way for keyloggers, rootkits, Trojans, VPNs or any other remote access malware and logs of logins. But with three antivirus programs installed and solid passwords, it was one of the cleaner systems we had worked on. All logins appeared to be by her User account. Guest access was disabled. There were no incorrect password attempts. It was as clean as the flute solo in California Dreamin’.
Using various keyword searches in EnCase, I also searched for remnants of old malware scans in order to turn up any that might have been previously detected and removed, as well as any references to LogMeIn that might show IP addresses from remote access sessions.
There was a small amount of adware… These are relatively harmless, although possibly unwanted. They are not a source of remote control or malicious spying. They tend to get installed by websites and software, designed to deliver advertisements to you when you are browsing the web.
We checked the header from the one email she had from her potential paramour. But it was Gmail and IP addresses from those headers always resolve to Google HQ.
We found the IP address for the hotel from that one hot evening, but with no way to tell what room it had come from. She had checked out, but in her mind’s eye she was unable to leave.
To go into either Google or the hotel’s records would have required a subpoena, but it turns out that several lawyers had already turned our bespectacled goddess down, and the cops didn’t even want to hear it.
Alicia said that there had to be a way. Already a couple grand into the process, she said she could draw on her recent inheritance. I suggested that maybe there wasn’t anything to be gained in spending the money to dig further into the computer. Sometimes there’s just nothing to be found (even if someone has gotten unauthorized access).
She was sure someone was watching her, and again, she was sure she knew who. She was sure He was plotting with his friends on the DarkWeb. I found him on Twitter and found that he had mentioned her once or twice, but not by name. He was laughing about being stalked by just one person, clearly by her. They say that one is the loneliest number, and perhaps it was her loneliness creating a fictional suitor.
Alicia had dug deeply into her computer’s logs and brought in several printouts she had made of suspicious-looking activities on the computer. Indeed, some of the names of the activities would appear to the layperson to be suspicious. Router Advertisements, Remote Volume Management, Secure Socket Tunneling Protocol (SSTP), and Remote Management Services were all set to optimal configurations to be protective of her system. The Windows Vault was normal. There were no large or unusual files that might indicate a stealth partition.
I hated to burst her bubble, break her heart, and speak of what a fool believes. Using my diplomatic best, I tried to persuade her that we ought to drop this line of inquiry. But she was not to be deterred.
Another sunny afternoon, and Alicia’s SUV comes bombing into the parking lot. Leaving the car running, she jogs into my office and says I have to go out to her car, RIGHT NOW. “He’s hacked the entertainment center on my car and changed the lyrics to this David Bowie song!” Reserving judgement (or at least, trying to keep it from showing on my face), I head out to witness the offending music. “Alicia, I’m sorry, but that’s Lou Reed and Velvet Underground. Come in and listen while I ask iTunes to review it for us.”
No, the lyrics to Sweet Jane were just what they’d always been.
As I told her in my report, “At least from the evidence I have reviewed, I think you have not been cyberattacked.”
Some people can’t take “you’re safe” for an answer.
She soon came back for another visit, because when she approached the TVs at the department store, the video displays changed channels to news stations that had hidden references to her and to the inamorato. Without even playing a record backwards.
Perhaps chemicals from the past had caught up with her. I urged her to save her money and to let me speak with her sister, and she gave me permission.
I shared the results of my work for Alicia with her sis. It turns out that this series of events wasn’t happening in a vacuum. Little sister had power of attorney due to past erratic behavior, and it was just another day in the life.
The thing is, when a person thinks they’ve been hacked and talks about it, people tend to think they’re on the crazy train. But people do get hacked all the time. Still, most of the hacking isn’t targeting us specifically, but is usually either targeted at millions of people to populate botnets and the like, or to hack a database with lots of credit card numbers or identities for use in fraud. Very few of us are really important enough to be individually targeted (I know I’m not). Although we all might think that we’re king of the world, we’re mostly ordinary, average guys.
If there are signs of hacking, looking into it is a good idea, but it needs to be with an open mind. It’s important when reporting it not to assume agency by a particular person. Rather than say, “He did this,” “She did that,” one will be taken much more seriously by talking about the symptoms and not asserting whodunit.
Most (but not all) of what appears to be a hacked phone or computer is rather a compromise of the owner’s online account or social media. In this case though, it seemed our desperate heroine was projecting and wanting to hear her man say he was the one who was “crazy on you.”
Alicia’s rig was clean, sister got her some help. Much money was left unspent and so didn’t make its way to my pocket. But what do I care? I have sunshine and shadows. I’ve got 75 degrees. I’ve got some puzzles to solve. Now that this case is solved, I’ve got some peace and quiet, because I’ve also got a phone that needs to ring a little more. I’m ready to do the forensic magic man thing again and catch some nonfiction digital bad guys. Bring them on.
This is just one of the many “CSI – Computer Forensics Files: Real Cases from Burgess Forensics.” Stay tuned for more deeds good & bad uncovered by science.