I was taking a small midday break from my computer forensics lab to enjoy a few minutes of a sunny 75 degree June day in my Santa Barbara County office when I got the call from a Tino Zatara, Boston lawyer. He was sweating and it wasn’t just because Boston was having an 85-squared day (temperature and humidity) in the bullseye of approaching Tropical Storm Andrea. No, it was because his client in Philadelphia had been accused of hacking a government nuclear research site and trying to sell access to an FBI agent. Yeah, they were sweating worse in Philly.

Here’s the deal.

The FBI heard about a guy, code name GreeenHat, who wasn’t yet a famous hacker, but seemed to be a wannabe, so they decided to help him. They contacted him to buy access to a couple of servers, and then looked to see if they could get something bigger from him.

Here’s how the papers wrote it up:

“… [the hacker] and other members of a hacking group called the Underground Intelligence Agency hacked into networks…” -Ars Technica

“A Pennsylvania man affiliated with the Underground Intelligence Agency hacker collective…” -RT Online

“…worked with another group member …, who wasn’t indicted.” – Information Week

“Hacker … peddling computer access to U.S. national security lab.” -PCWorld

“Apparently, a guy’s gotta entertain himself somehow.” -me

When I got the call from the Boston attorney, he was new to the case. GreeenHat’s previous attorney may have been cognizant of how our fair government had been making it uncomfortable for those who gained unauthorized access to government resources – even during PSE (the Pre-Snowden Era). That particular legal beagle may have had this in mind when he, perhaps a bit prematurely, advised GreeenHat to plead guilty and try to get a deal.

It’s actually not unusual for people to plead guilty especially when feeling a little guilty, when faced with questioning by the Man, and when faced with hard time. The Secret Service had investigated a greener GreeenHat for hacking when he was 14, and he had been messing around on the Web since then, so his conscience might have had a little itch. The FBI had him in custody and are skilled at, shall we say, certain kinds of interviews. And the kid was facing 20 years in prison, a $750K fine; 9 years supervised probation, tens of thousands of dollars in restitution, and … $300 in court assessment fees.

So what Mr. Zatara wanted to know was – did he do it? Or in any case, was there evidence that he did? Or didn’t

I chatted with Greeen and found him knowledgable. And smart. And young. And full of himself. I thought we might need to talk him down a little to save him from his self-image.

One of the clues about the sophistication of this alleged superhacker was that he sold two sets of passwords for about $500 each. Not your average plutocrat. And he had the money wired via Western Union to an account in his own real name. Who does that?

Well, it wasn’t long before a pile of hard disks, copies of Federal indictment papers, transcripts of alleged chats, a copy of the plea deal, and a few other odds and ends showed up at the shop.

There is just about no end to the work we can do with really deep pockets, but every case has a budget and we just advise and wait for consent. Here’s what we dug up.

My ever-intrepid tech, Jessica, formidable in forensics, searched 60 keywords and phrases, using EnCase Forensic, for each and every hard disk and flash drive. As we didn’t have our own supercomputer, we searched on ten or so terms at a time to avoid the big bad blue screen. Just like with people, there’s nothing worse than an unresponsive computer.

We included text from alleged chat transcripts between GH and the Feds, names of supposed users, names of servers, URLS, slang, nicknames and plenty more.

Our search hit results were half a million strong (Woodstock, anyone?) but we didn’t find anything that looked like the chats the FBI gave us. Seeing as there were so many hits, we could tell that GH hadn’t scrubbed his computers free of the terms.

We produced all IP addresses on all of the devices, especially IP addresses of servers he supposedly stole. Bupkis.

We manually inspected every log file.

We recovered bucketloads of files, some intact and some not. There was one file that looked like logins & passwords – but each one’s password was the same as the user name. Who does that?

We searched for irc chat client software and found some, but only on one hard disk and with no activity logs. Even so, we’d expect to find something in slack space, unallocated space, or the virtual memory. Nothing worth noting.

But just a minute – didn’t he sell passwords or backdoors to the Feds? Apparently – one was for a server that showed clever little sayings about pizza. One was for a webhosting company – but we never saw access to any of the hosting company’s host of clients.

Yeah, but what about the national nuclear lab? Didn’t they have proof of that? In the transcripts the G-men had, there was text that looked like a splash screen from a lab that said to get out if you weren’t authorized to be in. Good advice. But just text. And there was a list of volumes that looked like big Unix volumes. Also just text.

Here was the Man, offering cash (well, Western Union) to a guy they said was a crook, taking his word as Gospel. And who were they tipped off by? The other supposed crook conspirator, trying to save his own heinie from the slammer. This is what we in the biz call cherrypicking.

Oh wait – the other crook, wasn’t he part of this evil “Underground Intelligence Agency hacker collective” thing? Yes, they said. And it turns out that the Feds figure this shadowy group consisted of: some unknown possible guy in Australia, the snitch (excuse me – the “unindicted co-conspirator”), and GH himself. It was beginning to look a lot like a collective of one.

We thought that, to get a fair shake, you know, we ought to have a gander at the electronic media where the government had these chat transcripts and other damning evidence. Well, darned if they didn’t produce it to us.

Nope, they didn’t.

Well then, what about the list of IP addresses for these bunches of servers that Mr. Hat gave the Feds (you know, the ones I didn’t mention yet)? We did a WHOIS search on the companies and found that most of the same IP addresses were public info.

So in these megabuckets of bytes, there was just not much in the way of goods on the kid. Or as we said officially, “We do not find evidence to substantiate the FBI’s claims regarding Mr. H’s alleged hacking activities, including the alleged installation of backdoors or root-level access to servers. Of note, the chat logs provided by the FBI do not appear on these drives.”

The Telecom with the open backdoor said they had more than $10K in damages from compromised passwords and such. But my buddy Nate charges more than that to do the kind of security audit they should have had. Of course, he gets hired to do this stuff, so it’s legit in his case, and called Pen (Penetration) Testing.

This left one big white elephant in the room. For whatever reason, GH’d already pled guilty. Like what a white elephant leaves behind, that’s always a hard thing to sidestep. But with what looked like a weak case, at least from our end, the government decided to deal. 18 months and 26 grand, as long as Mr. H. admitted everything, promised not to change his mind later and say that he didn’t do it, and as long as he said he was really, really sorry. Then they promised they wouldn’t keep him locked up until he was middle-aged.

So G will be trading in his tee-shirt for stripes, and though I wouldn’t want to pull any time myself, it’s not for so very long. I’ll be looking for a JibJab card one of these days with GH’s smiling mug in warmer digs instead of a mugshot from a cold lockup.

As I jot down the notes of this case, it’s 75 degrees and sunny in Santa Barbara County (again), but in Boston folks are throwing buckets of boiling water in the air to see it become instant snow. When they’re not ducking out of the sleet.

The more things change, the more they stay the same. As for me, I’m waiting for that next call, to get a chance to reveal the whole truth. ‘Cause that’s how we roll at Burgess Forensics.

This is just one of the many “CSI – Computer Forensics Files: Real Cases from Burgess Forensics.” Stay tuned for more deeds good & bad uncovered by science..

Subscribe to our free and informative weekly forensics newsletter!