So what went down?
Thanks to the great work of case attorney Simone Bertollini, the CQURE team and our pretty amazing know-how, this is the first hacking case in history that was WON by the defense!
“The CQURE Team identified serious flaws in the government’s investigation. They helped me do justice for Gasperini” – stated Simone Bertollini.
Just to put things into perspective: prior to this, no one had ever won a hacking case in the United States, and this is the first complete click-fraud case ever tried. Not to brag (even though we are bragging here, ahem), but the CQURE team was there to help Lady Justice out by weeding out assumptions and letting the (real) facts lead the way.
After two days of deliberations, the jury did not convict Fabio Gasperini on the other four charges: another count of cyber intrusion, a count of conspiracy and two counts of wire fraud.
In other words: We are very proud to have made history in cybersecurity law!
In his court testimony, Ken Wong, CTO of CQURE's US branch and the cybersecurity analyst on this case, presented the results of the evidence analysis, assembled through the combined know-how, support and hard work of the CQURE team.
>>> Check HERE for the technical details of the court case (August 2017)
Before we get to the details of evidence collection you need to know one important thing:
CQURE is also strong on facts.
Greg Tworek (Director of Consulting, Cybersecurity expert, CQURE) says:
“The reason why we decided to take on this case is very straightforward: we cannot allow federal investigators and prosecutors (FBI) to think that one or two search warrants are enough to put someone in jail.“
Paula Januszkiewicz (CEO, Cybersecurity expert, CQURE) adds:
“We will never allow assumptions to be converted to facts. We promote collection of evidence that is done right. We do not allow guesses and incomplete analysis to be treated as evidence to convict a human being. Our mantra is: we want to see the job done right.”
Fabio Gasperini’s case – why did the FBI fail this time?
From what we see, it is mainly because they ignored certain evidence-collection paths and used, as evidence, materials that did not come from the attacked systems. We have no idea why they chose to do this.
Some of the evidence seems to have been collected incorrectly, which turns analysis of the data into a guessing game. They also seem to have ignored many components of the overall setup.
We’re not telling the FBI how to do their job, but from where we stand, playing the guessing game suggests they did not use their full capabilities. How can you collect data from one server and not from the other? The FBI did collect evidence, and it was done professionally, but the evidence was incomplete.
We are also taking into account that some affected servers were outside the FBI’s jurisdiction and were handled through international cooperation with several countries. Each of those countries used its own evidence-collection procedure, which could explain the gaps.
We at CQURE are still surprised at the level of awareness of governmental procedures in some countries, but that’s why we’re here: to hopefully raise the bar!
How to collect evidence correctly then? Let’s learn something here!
If you are the first responder, you need to be aware of the importance of digital evidence. It plays a crucial role in the investigation, and because such data is delicate, you should strive to keep the evidence unchanged and in the condition in which it was found.
The simplified principles of evidence collection are as follows:
- Evidence should remain as found throughout: collection, storage and transportation must not change it. A cryptographic hash (e.g. SHA-256) taken at collection time is how you later prove that nothing changed.
- There should be an incident-response procedure in place for collecting evidence. So far we have observed that organizations, and even government units, often lack one.
- Documentation should be produced as the evidence is collected. It should include the time and date, the person collecting, and the procedure used.
The technical method for collecting evidence depends on the situation, but for digital evidence from servers the process divides into four steps:
- Cybercrime scene recognition
- Memory dump collection
- Disk dump collection
- Storage and transport of the evidence
In this article we focus only on the technical side of steps two and three. General rules still apply, and the process may also involve the local authorities (a national CERT, for example).
Memory dump collection
It is in your interest to capture everything that is not on disk: an encryption key used by ransomware (when it uses symmetric cryptography), parts of what was executed, or code that has been decrypted in memory.
To collect a memory dump you need the right tools and enough free space; a raw image is at least as large as the machine’s physical RAM. There is nothing worse than hunting for a few spare gigabytes in order to save a memory dump.
The correct approach should involve:
- Pre-preparation of the USB drive with the appropriate toolkit,
- Running the operations and,
- Saving the results to that drive.
Our favorite tools to run are:
- DumpIt.exe – a free memory imager by Matthieu Suiche. Just open it and create a dump. It is extremely important to save the dump to the external drive so that you do not overwrite disk data that could itself be evidence (deleted files, the USN journal, etc.).
- FTK Imager – a great tool by AccessData, used by the FBI in Gasperini’s case but only for creating the disk image. You can use it for memory dumps too.
Side notes: From what we noticed in Gasperini’s case, no memory dumps were made. No such data was provided, let alone analyzed.
Disk dump collection
Disk dump collection is the second very important step. We could even say it is more important than the memory dump, since it contains more complete data. Two tools that are easily available and very good for evidence collection:
- Disk2vhd – from Microsoft Sysinternals, written by Mark Russinovich. Just run it and create an image. Do not forget to save the image directly to the external drive. Keep in mind that it snapshots live volumes through Volume Shadow Copy, so you get a logical volume copy rather than a sector-by-sector image.
- FTK Imager – once more, a great tool by AccessData, used in Gasperini’s case for creating images when instructed to do so. It produces physical images and can verify them with a hash after writing.
Side notes: In the fairly complex structure of the ‘click fraud’ setup, only a couple of images were collected. We at CQURE believe that when multiple components take part in the setup, you collect evidence from all of them, not just from a couple of them (which is what we did).
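To make the principles above concrete (write only to the prepared drive, check space first, memory before disk, hash and document everything, verify again after transport), here is an added example of a first-responder wrapper script meant to live on the evidence USB drive next to the imaging tools. It is not CQURE’s toolkit and not code from the case. It assumes the drive letter you pass in, that DumpIt.exe and disk2vhd.exe sit in a tools folder on that drive, that DumpIt writes its image into the directory it is started from, and that Disk2vhd accepts the “disk2vhd <drives|*> <vhdfile>” command line from the Sysinternals page; check those against the versions on your own drive.

```powershell
<#
  Added example, not CQURE's toolkit or code from the case. A first-responder wrapper that lives
  on the prepared evidence USB drive next to the imaging tools and enforces the points above:
  write only to that drive, check space first, memory before disk, hash and log everything.
  Assumptions (labelled): DumpIt.exe and disk2vhd.exe sit in <drive>\tools\; DumpIt writes its
  image into the directory it is started from; Disk2vhd is called as "disk2vhd <drives|*> <vhd>".
#>
param(
    [Parameter(Mandatory)] [string] $EvidenceDrive,  # assumed letter of the USB drive, e.g. "E:"
    [Parameter(Mandatory)] [string] $Operator,       # the person collecting; goes into every record
    [string] $CaseId = "CASE-0000",                  # placeholder case reference
    [switch] $ImageDisk,                             # also image all volumes with Disk2vhd
    [string] $VerifyLog                              # re-check a log produced earlier and exit
)
$ErrorActionPreference = "Stop"
$EvidenceDrive = $EvidenceDrive.TrimEnd('\')
$toolDir = Join-Path $EvidenceDrive "tools"
$caseDir = Join-Path $EvidenceDrive "evidence\$CaseId\$env:COMPUTERNAME"
$logPath = Join-Path $caseDir "collection-log.txt"

function Write-Record([string]$Message) {
    # Each record carries date, time, host, operator and what was done: the documentation the page asks for.
    $line = "{0:yyyy-MM-dd HH:mm:ss zzz} | {1} | {2} | {3}" -f (Get-Date), $env:COMPUTERNAME, $Operator, $Message
    Add-Content -Path $logPath -Value $line
    Write-Host $line
}

function Test-EvidenceIntegrity([string]$LogFile, [string]$Root) {
    # After storage/transport (possibly under another drive letter): recompute SHA-256 of every
    # recorded artefact. Any mismatch means the evidence changed after it was collected.
    $allOk = $true
    foreach ($line in Get-Content $LogFile) {
        if ($line -match 'artefact=(?<rel>.+?) bytes=(?<len>\d+) sha256=(?<sha>[0-9A-F]{64})') {
            $file = Join-Path $Root $Matches.rel
            $ok   = (Test-Path $file) -and ((Get-FileHash -Path $file -Algorithm SHA256).Hash -eq $Matches.sha)
            if (-not $ok) { $allOk = $false }
            Write-Host ("{0} {1}" -f ($(if ($ok) { "OK  " } else { "FAIL" })), $file)
        }
    }
    return $allOk
}

if ($VerifyLog) {
    if (Test-EvidenceIntegrity -LogFile $VerifyLog -Root $EvidenceDrive) { exit 0 } else { exit 1 }
}

# 1. Never write to the target's own disks: deleted files, the USN journal and similar artefacts live there.
if ($EvidenceDrive -ieq $env:SystemDrive) { throw "Evidence drive must not be the system drive." }
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$started = Get-Date
Write-Record "Collection started. Procedure: DumpIt memory image, optional Disk2vhd volume image, SHA-256 of every artefact."

# 2. Space check before imaging: a raw memory image is at least the size of physical RAM.
$ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$freeBytes = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$EvidenceDrive'").FreeSpace
Write-Record ("RAM={0:N0} bytes; free on {1}={2:N0} bytes" -f $ramBytes, $EvidenceDrive, $freeBytes)
if ($freeBytes -lt [double]$ramBytes * 1.1) { throw "Not enough room on $EvidenceDrive for a memory image." }

# 3. Volatile data first. DumpIt is interactive; it is started with the case folder as working
#    directory so that the image lands on the evidence drive, not on the target's system volume.
Write-Record "Launching DumpIt."
Start-Process -FilePath (Join-Path $toolDir "DumpIt.exe") -WorkingDirectory $caseDir -Wait -NoNewWindow

# 4. Then disk, if requested. Disk2vhd snapshots live volumes through VSS: a logical copy, not a
#    sector-by-sector image, which is why FTK Imager is preferable for a physical image when you have it.
if ($ImageDisk) {
    $vhd = Join-Path $caseDir "$env:COMPUTERNAME-volumes.vhd"
    Write-Record "Launching Disk2vhd -> $vhd"
    Start-Process -FilePath (Join-Path $toolDir "disk2vhd.exe") -ArgumentList "*", "`"$vhd`"" -Wait -NoNewWindow
}

# 5. Hash every file created since the start (looking in the tool folder too, in case DumpIt
#    wrote next to its executable) and record it with a path relative to the evidence drive.
Get-ChildItem -Path $caseDir, $toolDir -File -Recurse |
    Where-Object { $_.LastWriteTime -ge $started -and $_.FullName -ne $logPath } |
    ForEach-Object {
        $rel = $_.FullName.Substring($EvidenceDrive.Length).TrimStart('\')
        $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Write-Record ("artefact={0} bytes={1} sha256={2}" -f $rel, $_.Length, $sha)
    }
Write-Record "Collection finished; verify later with -VerifyLog `"$logPath`"."
```

Run it from the USB drive as `.\Collect-Evidence.ps1 -EvidenceDrive E: -Operator "J. Doe" -CaseId CASE-0001 -ImageDisk` (elevated, since both imagers need administrator rights, and expect the Sysinternals EULA prompt on first use), and again after transport with `-VerifyLog` pointing at the log file to prove the images still hash the way they did at the scene. The relative paths in the log are deliberate: the drive will usually mount under a different letter on the analyst’s workstation.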
Final but important thoughts
Each organization should adopt a good incident-response procedure that not only lists the steps to take in case of an attack but also prepares the whole process in advance: which toolkit to use, how to prepare the USB drive, how much space is required, and so on.
This is our, very much shortened, way of collecting evidence for legal purposes. As always, the magic is in the details, and the exact process depends on many factors.
We also often join cases where the evidence has already been collected and we are the analyzing party. Unfortunately, we very often find that the evidence is not very reliable because the gathering and storage procedures were incorrect. In such cases we have to struggle through the data byte by byte. You should see this process one day; it looks a bit like a lab from The Matrix!
As always we are also interested in what tools and core steps you use in your process. Share your thoughts here and let’s make the evidence collection better together!
Questions? Email us: firstname.lastname@example.org
Learn more about CQURE’s incident-response services by sending us a request at: email@example.com!