That CP one was actually horrifying because it meant without the work of these two brilliant analysts that poor guy would have been found guilty along with all the stigma that goes along with being a known paedophile. That guy's life was literally on the edge of the knife.

best wiping pattern ever.

I wiped my drive at my former employer simply because I had all my passwords saved and I didn't want anything left behind. Kinda scary to think that could have been enough to prove I stole anything and bankrupt me, ruining my future for ever.

this is pretty interesting, but goddamn, these guys are some turbonerds

Which one should I drink from? "yes"

One of my Favourite Defcon Talks that i keep cming back to when i need a laugh.

The banter between the two for drinking a single beer is excruciating.

Defcon - the drinking game

Wait, you gave the guy crap for having Nickelback albums, but he didn't! They were just porn renamed so nobody would open it!

I do have a problem with case #1. If this is all of the evidence they had against him, there is no way he should have been found guilty, at all. They can tell you deleted something, okay, but without KNOWING what was deleted and unrecoverable they have nothing but speculation. I am hoping there was actual evidence to base the verdict on, but the way the legal system works in this country now, it is actually very possible that they did not and used the sole fact that he deleted something unknown to base their decision on.

The last one was brutal, but is also shows just how horribly bad things can go when you have the wrong people against or for you. That poor guy basically had to uproot his whole life and start fresh, which a few million dollars might help with but it is mostly just a small help getting started.

Ugh this is back when everyone was yelling "fail" all the time.

Maybe the RDP guy was clever, connecting to a first computer with RDP without his printers, then sharing the printers of the subsequent machine?

Seems like there should be a subtitle of "Don't use Windows, unless you want to get caught" lol

The audio on this is awesome! Thank you for the upload!

Who needs Big Bang Theory when you have real-life awkward nerds like these guys.

Based on the technical skill shown here I guess I could be running my own computer forensics company

Michael seems a little nervous... however, his explanations are clear AND he makes good jokes ^^ Eric Rob is quite the connoisseur in fraud. Very nicely put. Thanks for all this info and laughter guys :)

Hmm, overwriting sectors, even with random data, can almost always be detected? What if you had a destruction tool that grabbed blocks of data from a non-deleted file, and used that to overwrite the deleted data? To make it look like a different file had been on those blocks, and had been deleted?

I know half this shit is based on real cases but i laughed my ass off - thanks buddy

Presenter: *breathes* Audience: (in unison) FAIILLLLLL faIL FaIL FAAILLLfAILL

so, according to #1 people can sue you for using a drive wiping program if you can just vaguely connect a case to you

That last story caught me so off guard, and like some older comments here, it's really really fucking scary how easy someone could frame you for such a thing. People make jokes about "trust no one" but damn, this really makes you want to trust NO ONE.

I learned a lot, but oh my god these meme spouting nerds, I mean I'm as nerdy as the next guy but even I would give these guys some wedgies.

Awesome presentation and great choice of ending music!

I found it interesting...nothing bored and they mention some useful tools

probably would have been fine with just one adderall

I'm pretty sure that by the time of this talk fedoras were considered pretty unfashionable

You can sometimes extract text from PDF so OCR may not have been necessary (I have seen where the text was in an image though).

The problem with the first one is their must have been something else to catch the guy or his lawyers were crappy. cause the fact that you wipe something does not prove a crime. All it proves is something was wiped. Yo can't prove a negative. The reason I know this is because I've been in a lot of courtrooms in my 41 years. I remember a case that just got into the hearing and was thrown out by the Judge because while the hard drive's unallocated space was wiped they could not prove what was there but could only prove it was wiped.

Why is it that every Defcon conference I've seen those guys wearing the medal things always comes up and interrupts the speakers? Very annoying.

Fail #1. Now there is SSD with TRIM support, which automatically zeroes out some of the unallocated space on supported platforms.

I'm glad they were able to clear that guy in the last case. That must've been a horrible thing to go through

on the cp thing, there are issues with windows that can cause the system to constantly overwrite the creation, edit, and access dates to the current date. mine does it all the time with certain folders.

Damn i kinda wanna know what ended up happening with the guy in the last case? did he get back with his wife? did he win the court case against the state?

Can someone explain the first case to me? Could they prove that he had that list? I thought they could only prove that he deleted something. Also, if he filled his harddrive to the brink with movies or computer games and deleted those again, would that have the same effect as running one of those tools to remove evidence of a deleted file?

4:10 anybody an idea what program "Bob" used? i really need this in my Life xD

So when you hear all about these forensic examinations of hard drives, reading magnetic patterns with electron microscopes because it's been overwritten, is that ever taking place? It sounds like it's not needed from the ineptness shown by the people in these examples.

I wonder if it would be possible to create a software that progressively overwrites your documents with mp3 files (i.e. from iTunes or Google Play) and then changes all extensions to .mp3. Would forensic IT be able to find the meddling and provide the company with a proof of suspected behavior?

Ok, new idea for anti-forensics: Download gigabytes of the most disguting images you can find to your hard drive and change the file ending.

“mean phrases will make people dislike you” - guy who put the R-slur in a powerpoint

Can you see if someone burned a CD?

How was the first guy prosecuted? In what way wiping data beyond restore off *your own* drive is illegal?

I'm confused, if you were going to steal IP from your old company to bring to a competitor, why would you do it on your work computer? Wouldn't iit make more sense just to copy all the files you need onto a private, or even secret computer?

I'm thinking of what to call my new program in the covering of the tracks... how's about; infinite spectrum Quasimodo redundancy matrix

Whats that blue light movie on his shirt !

Love these talks

Question, so how do you prevent someone just use his/her cell phone camara to capture all sensitive data on their personal phone?

I can't finish watching these guys.....

40:48 The date of the files they talk about is in 2012, government drops charges years later, this video is uploaded in 2013... Am I missing something here?

Had to pause and create a smoking gun.txt on my desktop for fun!

With the deletion thing what if you just filled up your HDD with garbage data? Like you intentionally emailed yourself a worm that multiplied until you you were full and then just deleted all those garbage files?

This video is a great resource for those who wish to exfiltrate data.

Seems like quite a lot of these detection methods would be thwarted by using a live cd of some kind of Linux and putting documents on a thumb drive. Anyone know of a weakness with that strategy?

*Stores a valid PE/exe File with data destruction* Can you trace that?

Holy shit. This is like entering a wormhole and going back to 2013... #Winning

Proof of deletion isn't proof of crime. How did he lose? How'd the pregger guy lose his second job?

lol. Jump lists are in Win 7 and later, they were not in Vista. So the guy was actually right in the presentation.

What was the cat balloon thing about?

Quality talk about experiences performing forensics analysis. Plenty of useful tidbits interleaved with some pretty funny stories.

Fail #3 could now be done without court order using some heavy Spark processing of the pdfs. Cost of the research might be an issue though.

Couldn't see the screen too well to read the program name and the audio didn't really seem to work for me hearing it. What's the name of that CP program?

Which one is Beavis...?

I find it funny when I see a conference guy that looks very nervous like that. He doesn't show it too much but I know that, inside of himself, he's completely terrified. :D

He didn’t say “yes, of course I wiped my drive, I moved to another job with a direct competitor. I wouldn’t want to accidentally take data with me.”?

If you cut out the annoying people interrupting this video would be 15 minutes long.

what stops these 2 guys from fabricating evidence?

So if you encrypt the whole disk, it will becompletely ok to shift-del? In case of an investigate, just destroy the key or something

Nickelback guy is a god because they clicked nickelback songs with the porn and didnt click the more obscure ones that were actual trade secrets ;)

Dudes, it is so easy to set up an encrypted drive, even with system tools. I just don't get it...

The guy in the "Nickelback Guy" case would have had an even harder time hiding his files if it was a Linux system...

Wait. Edgar was framed for a crime by his "friend". He gets put through the ringer and is eventually exonerated. But, does the "friend" get charged with downloading child porn? Or is it legal to download child porn if you're doing it to frame someone else???

Why did he get fired from his new job?

Stop smacking into the mic

Poor Edgar.

case 1 bothers me in the could be a fact for plausible dependability, how could the legal system, convict someone based on wiped files, which could have been anything, the files when wiped are not recognizable surely , there would have been no evidence that these files where was what they were, deff a case for appeal, so what was the guys brief doing

Love Comic Sans - My fav font

5:34 The Chad cryptographer VS the virgin FBI

Late to the party, but I loved this talk. Highlights how pretty much no-one fully understand how their software works, or knows about every little background thing it does. It might not even be possible for that second one, but I know nothing. Heck, even that one examiner (who probably lost his job) missed these obvious anomalies, like straight-up DATES on obviously relevant ones. That he could get a job as an examiner should mean that he had some sort of expertese, right?

wait some dude got 100k sued and the proof was that he just destroyed something? he could have argued that is was just porn

Them god dayme check boxes..

11:05 A person that was a teenager when the first PCs were a thing helps me with my mid to high end gaming rigs from time to time (although less and less in my defense) and the first time I gave him my 1st PC he said he liked how I simply just had a folder labeled Porn within a subset of documents relating to a story I want to write. (the story docs were password protected naturally) I asked him how he knew that and he said he always goes looking for what kind of porn people have on their comps as it could bust a pedo and that people normally hide it in innocent sounding work related folders. He also said he respected my story password. I approved of this thinking but at the same time it tis somewhat of a violation of privacy, especially regarding muh story cos little did I know there is list of all passwords buried in the system of Windows that people in the know can easily access when using muh PC. So what I learned that day was the people who you hand your technology into for repairs probably know more about your habits than you might like. So what could people find who really want to find something? The answer is everything ever put into 1s and 0s as a rule of thumb.

If it's that easy to undelete emails, why is it such a big deal?

Man, what a couple of cheeseballs.

What did we learn? Use a ubuntu live cd.

Ummmm that was some funny stuff. And it amused me jolly. Keep it up

When you start drinking beer because of the fails then fail more often due to drinking the beer.

At 0:15 on the left, is that Edward Snowden?

Did anyone go back to check if he grabbed the right beer?

Omg Charlie Sheen did that interview more than 5 years ago??

Why did the guy in case #1 lose? Just because he erased something from his harddrive? That's either bullshit, or they're skipping the detail of how they proved he had the list despite the erased harddrive

That unallocated hard drive space you see in your partitions? You can overwrite them multiple times with garbled junk data. You can use the standard DoD 7-pass writes with Zeroes, or just random data. But for total data destruction you can do Gutmann style that does 35-pass writes with either zeros or random data. Windows doesn't have proper data destruction built-in so you need third-party tools to do that since Windows' default deletion method is single-pass data erasure which is very ineffectively unsecure manner.

Reminds me of when a woman got fired at work and when they searched her computer they found she was using a messenger to talk to another woman and they were both saying really nasty rumor mongering shit about management. Other woman got fired after that too.

31:38 what is going on ?

21:10 "wow" had me laughing so hard

Oops, there's no such thing as "PDF format."

thx good talk

4:00 Bob's case: probably used Active @ killdisk

Man, they're really meme spouting, turbonerds... but they do a good job.

Not sure which I found mopre entertaining, the video or the comments. I would have to say the comments as this was not Defcon's best presentation. Thanks for posting.