Thanks to the great work of the case attorney Simone Bertollini and CQURE’s team and our pretty amazing know-how this is the first hacking case in history that was WON by the defenders!
“The CQURE Team identified serious flaws in the government’s investigation. They helped me do justice for Gasperini” – stated Simone Bertollini. Learn more about the case.
So what went down?
Just to put things into perspective: prior to this, no one had ever won a hacking case in the United States, and this is the first complete click-fraud case ever tried. And not to brag (even though we are bragging here, ahem), the CQURE team was there to help Lady Justice out by weeding out assumptions and letting (real) facts lead the way.
After two days of deliberations, the jury acquitted Fabio Gasperini on the four other charges: another count of cyber intrusion, a count of conspiracy and two counts of wire fraud. We are very proud to have made history in cybersecurity law!
In his court testimony, Ken Wong, CTO of CQURE’s US branch and the cybersecurity analyst for this case, presented the results of the evidence analysis assembled through the combined know-how, support and hard work of the CQURE team. You can find the context of the case, including technical details, here.
Before we get to the details of evidence collection you need to know one important thing:
CQURE has never supported cybercrime activities and no CQURE employee has ever participated or supported illegal cybersecurity activities.
CQURE is also strong on facts.
“We will never allow assumptions to be converted to facts. We promote the collection of evidence that is done right. We do not allow guesses and incomplete analysis to be treated as evidence to convict a human being. Our mantra is: we want to see the job done right.” – said Paula Januszkiewicz (CEO, Cybersecurity expert, CQURE)
Fabio Gasperini’s case – why did the FBI fail this time?
From what we see, it is mainly because they ignored certain evidence collection paths and relied on materials that did not come from the attacked systems as evidence. Some evidence appears to have been collected incorrectly, which turned the analysis of the data into a guessing game. Many components of the whole setup seem to have been left out.
We are not telling the FBI how to do their job, but from where we stand, playing the guessing game means they did not use their full capabilities. How can you collect data from one server and not from the other one? The FBI did collect evidence, and it did so professionally, but the evidence was incomplete.
We also take into account that some of the affected servers were outside the FBI’s jurisdiction and were handled through international cooperation with several countries. Each of those countries followed its own evidence collection procedure, which may be the reason the evidence was incomplete.
We at CQURE are still surprised at the level of awareness of governmental procedures in some of those countries, but that is why we are here: to hopefully raise the bar!
How to collect evidence correctly then? Let’s learn something here!
If you are the first responder, you need to be aware of the importance of digital evidence. It plays a crucial role in the investigation and, knowing how delicate data can be, you should strive to keep the evidence unchanged and in the condition in which it was found.
The simplified principles of evidence collection:
- Evidence should remain as is throughout. Collection, storage and transportation must not change the evidence, and a cryptographic hash (for example SHA-256) recorded at collection time is what lets you prove that later.
- There should be an incident-response procedure in place for collecting evidence. So far we have observed that organizations, and even government units, are often missing one.
- Documentation should be made during and immediately after evidence collection, not reconstructed later, and it should include: time, date, person and the procedure used to collect the evidence.
The technical method for collecting evidence depends on the situation, but when collecting digital evidence from servers the process divides into four steps:
- Cybercrime scene recognition
- Memory dump collection
- Disk dump collection
- Storage and transport of the evidence
In this article we focus only on the technical aspects of steps two and three. General rules still apply, and they may also involve engaging the local government (a CERT, etc.).
Memory dump collection
It is in your interest to capture everything that is not on the disk: the encryption key used by ransomware (in the case of symmetric cryptography), parts of what was executed, or a piece of code that exists in decrypted form only in memory. Memory is also volatile, so it has to be captured first, before the disk image and before any other action on the host changes it.
To collect a memory dump you need appropriate tools and disk space. There is nothing worse than hunting for a couple of spare gigabytes in order to save a memory dump, so the target drive should have at least as much free space as the machine has RAM.
The correct approach should involve:
- Pre-preparing the USB drive with the appropriate toolkit,
- Running the operations, and
- Saving the results to that drive.
Our favorite tools to run are:
- DumpIt.exe – free memory imager by Matthieu Suiche. Just open it and create a dump. It is extremely important to save the dump to the external drive, without writing to the suspect disk, so that data that could be evidence (for example deleted files, the USN journal, etc.) is not overwritten.
- FTK Imager – great tool by AccessData, used by the FBI in Gasperini’s case, but only for creating the disk image. You can use it to capture memory too (File > Capture Memory).
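One way to turn the principles above (unchanged evidence, contemporaneous documentation with time, date, person and procedure) and this section’s USB-toolkit procedure into a repeatable script, as an added example that is not CQURE’s own tooling nor anything shipped with DumpIt or FTK Imager: it runs DumpIt from the prepared drive, saves the image there, writes a timestamped collection log plus a SHA-256 manifest, and can be re-run on receipt to verify that nothing changed. The drive layout (`Tools\DumpIt.exe`), the case identifier and the assumption that DumpIt writes its image into its working directory are hypothetical; adapt them to your own toolkit.

```powershell
<#
  Added example (not CQURE's script, nor DumpIt's or FTK Imager's own tooling).
  Runs the memory imager from a pre-prepared USB toolkit, saves the image to that
  same drive and writes the documentation the principles above ask for: time,
  date, person, procedure and a SHA-256 for every artifact. Re-run with
  -VerifyFolder on the receiving side to prove the evidence was not altered.
  Assumptions (hypothetical, adapt to your toolkit):
    - the toolkit is a drive letter such as 'E:' holding Tools\DumpIt.exe
    - DumpIt writes its image into its working directory, which is therefore
      pointed at the evidence folder on the USB drive, never at the suspect disk
#>
param(
    [Parameter(Mandatory)][string]$ToolkitDrive,   # e.g. 'E:' - the prepared USB drive
    [Parameter(Mandatory)][string]$Operator,       # person performing the collection
    [string]$CaseId = 'CASE-0000',                 # hypothetical case identifier
    [string]$VerifyFolder                          # if set: re-check this evidence folder and exit
)

$ErrorActionPreference = 'Stop'

function Write-Log([string]$LogPath, [string]$Message) {
    # ISO-8601 timestamp on every line: the record is written as things happen.
    $line = '{0} {1}' -f (Get-Date -Format 'o'), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function New-EvidenceManifest([string]$Folder, [string]$ManifestPath, [string[]]$Exclude) {
    # One CSV row per artifact (name, size, SHA-256). This is what later proves
    # that collection, storage and transport did not change the evidence.
    Get-ChildItem -Path $Folder -File |
        Where-Object { $Exclude -notcontains $_.Name } |
        ForEach-Object {
            [PSCustomObject]@{
                Name   = $_.Name
                Bytes  = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-EvidenceManifest([string]$Folder, [string]$ManifestPath) {
    # Recompute every hash; returns $true only if every artifact is present and unchanged.
    $ok = $true
    foreach ($row in Import-Csv -Path $ManifestPath) {
        $path = Join-Path $Folder $row.Name
        if (-not (Test-Path -Path $path)) { Write-Warning "missing: $($row.Name)"; $ok = $false; continue }
        $now = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($now -ne $row.SHA256) { Write-Warning "hash mismatch: $($row.Name)"; $ok = $false }
    }
    return $ok
}

if ($VerifyFolder) {
    # Receiving side: nothing is acquired, the existing manifest is re-checked.
    $manifest = Join-Path $VerifyFolder 'manifest.csv'
    if (Test-EvidenceManifest -Folder $VerifyFolder -ManifestPath $manifest) {
        Write-Host "All artifacts in $VerifyFolder match manifest.csv"
        exit 0
    }
    Write-Warning "Evidence in $VerifyFolder does not match manifest.csv"
    exit 1
}

# --- acquisition -----------------------------------------------------------
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$evDir = Join-Path $ToolkitDrive ('Evidence\{0}-{1}' -f $env:COMPUTERNAME, $stamp)
$log   = Join-Path $evDir 'collection-log.txt'
New-Item -ItemType Directory -Path $evDir -Force | Out-Null
Write-Log $log ('Case {0}; operator {1}; host {2}; evidence folder {3}' -f $CaseId, $Operator, $env:COMPUTERNAME, $evDir)

# Pre-flight: a RAM image needs at least as much free space as the machine has RAM.
$ramBytes  = (Get-CimInstance -ClassName Win32_OperatingSystem).TotalVisibleMemorySize * 1KB
$freeBytes = (Get-PSDrive -Name $ToolkitDrive.Substring(0, 1)).Free
Write-Log $log ('RAM {0:N0} MB; free on toolkit drive {1:N0} MB' -f ($ramBytes / 1MB), ($freeBytes / 1MB))
if ($freeBytes -lt ($ramBytes * 1.1)) {
    Write-Log $log 'ABORT: not enough free space on the toolkit drive for a memory image'
    exit 2
}

# Memory first: it is volatile and every further action on the host changes it.
$dumpIt = Join-Path $ToolkitDrive 'Tools\DumpIt.exe'
Write-Log $log "Procedure: memory acquisition with $dumpIt, output written to $evDir"
$proc = Start-Process -FilePath $dumpIt -WorkingDirectory $evDir -Wait -PassThru -NoNewWindow
Write-Log $log "DumpIt exited with code $($proc.ExitCode)"

# Hash everything produced and close the record. The log is written last and is
# itself covered by the manifest; only the manifest is excluded from itself.
$manifest = Join-Path $evDir 'manifest.csv'
Write-Log $log 'Hashing artifacts (SHA-256) into manifest.csv'
New-EvidenceManifest -Folder $evDir -ManifestPath $manifest -Exclude @('manifest.csv')
Write-Host "Done. Next: disk image with FTK Imager into $evDir, then re-run with -VerifyFolder $evDir on receipt."
```

Run it from an elevated prompt on the affected host, for example `E:\Collect-Memory.ps1 -ToolkitDrive E: -Operator 'J. Doe' -CaseId 'CASE-0000'` (the script name is hypothetical). The disk image step stays manual because FTK Imager is driven through its GUI; save that image into the same evidence folder and re-run the manifest step before transport. On receipt, `-VerifyFolder E:\Evidence\<host>-<stamp>` recomputes every hash, which is the check that makes the “evidence remained as is” principle something you can demonstrate rather than assert.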
Side notes: We noticed in Gasperini’s case, there were no memory dumps made. No such data was provided or even analyzed.
Disk dump collection
Disk dump collection is the second very important step. We could even say it is more important than the memory dump, as it contains more complete and more persistent data. Two tools that are easily available and very good for evidence collection:
- Disk2vhd – from Microsoft Sysinternals, written by Mark Russinovich. Just run it and create an image, and do not forget to save the image directly to the external drive. Keep in mind that it images a running system through a Volume Shadow Copy snapshot, so the system keeps changing while you work; record the snapshot time and the hash of the resulting VHD in your documentation.
- FTK Imager – once more, the great tool by AccessData, used in Gasperini’s case for creating images when it was instructed to do so.
Side Notes: In the fairly complex structure of the ‘click fraud’ setup, only a couple of images were collected. We believe that when multiple components participate in the setup, you collect evidence from all of them and not only from a couple of them (which is what happened here).
Final but important thoughts
Each organization should have a good incident-response procedure that not only lists the steps to take in case of an attack but also prepares the whole process: for example, it specifies the toolkit, the USB drive preparation, the space required, etc.
This is our (shortened) way of collecting evidence for legal purposes. As always, the magic is in the details, and this particular process depends on many factors.
We often take part in cases as the analyzing party, where the evidence has already been collected. Unfortunately it is a common problem that the evidence is not very reliable because of incorrect gathering and storage procedures. In such cases we have to ‘struggle’ to analyze the data byte by byte. You should see this process one day; it looks a bit like a lab from the Matrix movie!
As always we are also interested in what tools and core steps you use in your process. Share your thoughts here and let’s make the evidence collection better together!
Forensics is so exciting! Try it for free with the Forensics and Prevention Mastery Course FREE TRIAL.