
is the current director of digital forensics is a former CIA officer and he was a fire security Special Operations
I see thank you and welcome to ME 501 no wait that's his class it's my son and here's a hump Will Baggett and thank you for coming out Gladwell made it here from the hurricane and my mics aren't on so this one on all right all right all right thank you for coming out my name is Will Baggett this is mechanical engineering 501 um turning your oh wait no that's Will's joke he asked me to make it before I walk in that's my son in the front row over there um title of the talk is Broken Arrow and they're all now laughing at him fantastic uh Broken Arrow so that's the Army term back in the 60s so if the
American forces are overrun they would send it out over the radio to ask for any and all air support in whatever means whether it's a B-52 for blanket bombing Napalm or even a Cessna just giving a little bit of guidance to the American troops would know which way to navigate away from the enemy and I say that because working in the Cyber field a lot of people come to us and say you know I've got this situation and before it used to be fix my desktop back when I'm dating myself I'll realize but back when we had desktops that people would build aside from Gamers and crypto miners building your machine was an issue and
the common person comes a cyber security person an I.T person that asked him to build it that's now shifted from fixing things generally laptops and phones are non-repairable generally ifixit.com might help but now it's fix my situation whether it's I'm being gang stalked on Instagram or you know my ex knows everything I'm doing on iMessage you know I think my account's been hacked can you come help me fix this and that talk's relevant because here in Augusta between the national lab and the things that go on over at Fort Gordon we might be we like I'm still in it but we might be the Superior at building drones that go deep underground to take nuclear measurements
or we might be able to determine how many people of Interest are living in a house in Pakistan based on the water draw power draw through sources and methods but when you leave that SCIF life and come back out to your car and start to drive home and in Georgia you can't touch your phone for however long it takes to get back into your house that's when you truly get back into the civilian world and you might be a GS 1510 looking at something truly in-depth and technical but once you get home oh again because he's here I didn't know you can make phone calls through Snapchat and I was a comms expert for CIA
for counterintelligence group but we didn't know that because we don't play with Snapchat and you know you can still learn from people I didn't know you can make phone calls through PS4 no idea never thought to make phone calls because I'm an adult I have a phone but you can and you can actually stalk people and see what's going on you one person she built a scraper to see how long people had been online the amount of times they're spending on video games and took that report to the judge to say uh you know this person claims they can't get a job but they spend 80 hours a week on Call of Duty Black Ops zombies
they can obviously get a job so from all that when they come to us and say can you help us our inclinations say yes and we want to do something so on the job a lot of us have seen this you basically sign your life away and the graphic looks a lot better on small screen than big screen you basically say you consent to all monitoring and then after leaving the intelligence community and working Insider Threat by God yes they mean they can see everything so you've got Splunk you can see all if it's set up correctly which if it's not it's a lot of money and that's why the Splunk engineers also have a huge
salary but you can see every bit and byte that goes to and from all the email attachments websites visited then drilling down with O365 which that's not vulnerable one bit but you can see all the email all the Teams chats away active messages all that can be harvested remotely without the end user knowing what's going on with Druva you can connect remotely previously uh before the virus you would actually have to do dead box forensics collect the Box image it and then look at the data and with endpoint software you can now go out remotely collect just the files of interest and look to see is this person a flight risk for leaving the company is
this a counter Espionage case are they looking to take our proprietary research and then sell it to the competitor or take it with them for a new job and even McAfee you can see which USB device has been plugged in what was copied to it and where the data went and you can get the full pattern of life without the end user ever knowing it but again going back one slide you agreed to that as part of the job that doesn't work at home people should have a reasonable expectation of privacy and legally they do and I've got this in here for a pause I gave this talk at DEF CON and one of the not critique suggestion was for the
short version the TL;DR version if you need resources if you go back to the Augusta Airport if you're flying out of here oh I heard this talk on escaping domestic digital abuse the takeaways are goaskrose.com safeescape.org it's a collection of people like myself there's the founders working for DARPA people tied to Facebook Instagram Twitter to help work to squash some of the issues people are having if you want to volunteer we always need more volunteers help at safeescape.org or if you know somebody who needs help help at safeescape.org we'll parse the email where it goes of this if you've taken any cyber security class you're familiar with the triad data confidentiality data availability and data Integrity I've got
a hundred plus slides my old Mentor did eight slides in four hours a lot of people falling asleep in that class so you lose attention after six seconds I have a lot to cover this is a basically a week of counterintelligence technical counter surveillance crammed into 50 minutes the slides are available if you want I'll give my email at the end uh but we've got this we all know that so from that Triad the risk mitigation principles for the domestic abuse front you need to control the environment be aware of identity theft and you have to make sure you have data availability unlike AWS Azure maybe DigitalOcean and maybe how the NSA has a site out in
Utah that data related to these specific domestic cases that's the only USB drive that's the only hard drive you have from this you have to make sure you make additional copies because if you lose that the person you're helping won't have any evidence whatsoever of the abuse but out of everything you have to control the environment where you can and from that it breaks down to another three points the personal security the data security and social media leaks personal security is obviously the most important one the horrible example but the flight that went down the Malaysian 317 flight that vanished oh everyone's dead but we have the Black Box it doesn't matter everyone's dead you have
to take care of yourself first and foremost now cyber practitioners this is one of the newer slides we've refined the process at Safe Escape you have to look for the IOCs just like when you're dealing in a SOC environment one is this person why are they concerned how do you think this is happening and what are the indicators of compromise why do they think that something is going on and we've learned over time improbable doesn't mean impossible we've most of the cases are just coincidence there's some true hacking and we've had some black hat hackers who actually pursued the victim digitally to erase the evidence of their abuse with some zero days they've earned some unreported
exploits in order to try to erase evidence and he kept reconnecting her devices to make sure that pictures of her abuse were erased it was a cat and mouse game but that was a very unique situation that was one out of hundreds but it did happen so kind of tying this into last night you never have to ask permission to leave a dangerous situation getting off the X means if you think you're in danger it's okay to leave no bad situation ever gets better by sticking around you know last night looking at driving down here from Charlotte we were looking at I-77 and looking at I-20 westbound and we'd have driven straight through the middle of the hurricane tropical
storm coming over to here or we wait till the next morning get up early and drive in if I've just spent two 12-hour days worrying about O365 vuln about a remote connection vulnerability for a computer I'm never going to see plus a new hypervisor vulnerability again on thoroughly dispersed machines sitting on AWS cloud why would I risk my personal life to drive through a storm to speak when I can just wait 12 hours I didn't ask permission it was just we're going to wait that was a smart call same thing if someone's in a bad situation leave first make it to the next day and then start to rebuild from there getting off the X again this is a
domestic abuse digital case however have your bug out bag packed just like for a hurricane if we had your wallet your keys important papers babies passports babies documents babies vaccine records your phone and the charger because my iPhone battery life is terrible and you want to keep the devices with you but you have to consider what if there's stalkerware some of the people I don't like to say victims some of the clients we've worked with been very ingenious one of them was a vet and she kept her alternate phone documents and prepaid credit cards in the safe her medicine safe in her office and said that if my ex breaks in to the office breaks into the safe
they're not just breaking and entering this is a major felony because there's controlled substances and the police are going to respond much differently than just keeping these documents in my car now that said here's where we want to split a little bit we've got a person leaving a bad environment and then we've got what if that person leaves the house leaves the apartment leaves the assigned housing walk through a couple of things first you want to change your passwords that's obvious I want to say that a lot you probably won't hear it in your sleep I want to say it in my sleep you want to change the locks and codes to your alarm panels the
third one added in because it seems so bizarre again being in the cyber security field there is a flap there was there's a flap but you pull it down on the garage door panel to enter your code to unlock your garage and raise it and it said if you forget your code do this to gain access right there on the door I mean username admin password and right there hard stamped at the manufacturer that's a bad thing if you're uh if their person has a shared garage door opener with someone else when the when the locksmith comes out that's something else to remember to get re-keyed this is physical perimeter hardening first and foremost the police
getting a phone call this person came back into my house with a key that's one thing but they broke in because I changed the locks they're going to respond much differently now from there on a known safe machine and a known safe Network change your security passwords and questions meaning something you wouldn't find from a genealogy or ancestry.com or something posted on Facebook because it's okay to lie online it's okay as Americans we're conditioned to always tell the truth and for those of us who've been through polygraphs they don't want the truth for four hours they want for eight hours because they get paid for the full day but you can't say that wait I did say that so it's
okay to lie where did your parents meet Ouagadougou oh where did they get married Tatooine uh what was a memorable experience in your life living in a van down by the river something they're not looking for the truth they're just looking for the right answer that you've put in it's okay to lie about this my niece is over here laughing oh Uncle William told me I can lie yes lie don't tell the truth online except to your mom because she knows where you live okay so locksmith is coming the apartment manager's coming they're changing the locks while you're waiting look at your router have your technical friend look at your router and here's where I'm going to start
saying capture evidence if necessary the only things connected should be things you recognize so here you've got a Galaxy phone an iPhone named PC because separate conversation if you name it Colonel Smith's phone now you're beeping out to the top of the target list when you can to a uh say a Starbucks who goes to Starbucks but you're still oh this guy is important to the military let's sniff his traffic with Wireshark versus PC phone who wants to look at that so this is good this is a normal looking network if you see something unusual stop call law enforcement because if you've got a bug in the house or remote camera that's also a felony and as
professionals we stop we get the law enforcement involved because we don't want to tamper with evidence you can also if you feel like it look at the log to see what device has been coming and going through the network what else is connected what's going on that you don't regularly see again the standard disclaimer I can't talk about every log location for every router in production Google it another option would be if you feel comfortable if you have your person has the time get a new router go to Comcast I know I know go to Cox Xfinity wait for Xfinity get a new router get a new IP address and some ISPs will let you set a safety phrase
challenge and response so that if you call in only you would know that take note of what it is because if you forget it you won't get any help Source trust me Now on iPhone 6 uh yeah iOS 16 they've got a great new feature and this is mitigated eliminated a lot of the intake issues we had a lot of the stalking issues you go to settings privacy and security safety check and then emergency reset that just nukes everything that's had access to your phone and managing sharing and access you can go to lockdown mode filtering out iMessages so you don't get phished shared albums all the data that's shared that gets it off so it's not
inadvertently leaked out there is a uh there was there was a NATO person who had been doing sensitive site exploitation over in Iraq didn't know it grateful he admitted to the class not admit but he had been taking pictures of sources stuffed and things and that family album was shared out or that shared album was sent out to Memaw Papa and the whole family of stuff they probably shouldn't see probably a little bit classified but there you go because this shared setting plus you don't take your iPhone to combat but that's a whole different issue for another class for another day um the lower versions of the iOS iOS 15 and Below same thing go to settings and look to see where you
have dropped copies of messages there is a case had been ongoing for five years that put actually got me into this field and the person's iMessage have been drop copied to her laptop but also to the iMac left behind at her ex's house so everything she was doing iMessage and then her email he was getting and then presenting as evidence as to why she shouldn't have the children so she was going out for friends on Friday night and getting a babysitter she got served with a change of custody papers for you know you left the kids at home on a Friday night with the unknown person you're not fit to be a mother multiply that over multiple cases over
five years range of resources and it's exhausting but talking to a technical professional here's where the leak is let's fix it we also ran a honey pot trap where honestly we her person and I talked offline we went to WebMD pulled three random diseases Channel a channel B Channel C we discussed or she discussed having these symptoms when we ascertained that this is the one that her ex-husband came and said you're unfit to have the children because of this okay we know it's this Channel That's leaked out let's look at where it's going that got turned over to law enforcement CSI I backed out because I don't want to deal with law enforcement and things went from there she's got her
life back all because again I want to change her password not victim always change your password if you're unsure but something like this makes a huge difference part two on the iPhone is fantastic in that you can be on your Mac you have a text message and then have it propagate through all your devices the downside is the exact same thing happens where you can forward your text messages to multiple devices again if you're helping this person and see that their ex thinks they're Q from James Bond and all they did was enable a toggle button at his device really that's not hacking but again take your screenshot call law enforcement and then let them deal with
it but now you know where the leak is coming from and again you've got your blue Force tracker in your pocket if you're sharing your location with unknown people like Life360 something goes on and your ex knows everything it's going it's probably Life360 Apple has this by default same for the shared family albums make sure those are disabled as well you want to start mitigating the leak and controlling the access same thing for Android you would go to recently used devices see where you're logged in and this was a fun one show of hands Has anyone used Google Takeout all right what does Google Takeout do what do you mean by all
I would toss it but liability so lock pick set thank you use it responsibility responsible
by everything all he literally meant all we would have throwaway accounts for the troops to use at NATO so they would use it for two weeks in class they'd be a week two week month break reactivate the accounts wipe them and then I would have them pull Google Takeout to show that here's what you did and then two weeks ago here's what this person did for training in two weeks before so that if you lost control of your Google account while you're deployed everything is out there which is fantastic if it's your person you're working with has been accused of something you can pull down from the Google servers authoritatively here's everything done which is fantastic
conversely if they're looking the ex is looking for information on your person it's still everything as well so it's the good and the bad Apple occasionally has this Apple backup data same thing a lot more security controls but it is the same thing and I know that you know picking on my son because I'm grateful he showed up because I don't get to teach my son very often uh but it does like there was a we got a Wonder Woman ad like back in 2000 because I pulled it for my account I got a Wonder Woman game ad your sister clicked on it so it shows here are the four stats and here's the ones that she
clicked on it gets that granular for what data is actually stored and I'm looking at time I've got a lot of ground to cover he broke his iPhone in New Mexico his iPad in New Mexico I'm in Charlotte I'm downloading his old data because he was like eight or nine ten whatever and I could tell like whatever video game he was level he was trying to beat that granular of a full forensic backup was pulled down from the cloud to the very point where his phone broke and Apple wasn't forthcoming with what they do forensically for backups and that's when the light bulb came on if I can get a full copy of this device
remotely and apple isn't featuring this yet how can we use that at the company for collection because now I don't have to go first anyway the amount of data that you can use to protect yourself in court or the amount of data that can be used against you it's all the same it depends on the optic and this one same thing for Facebook everyone some people love their Facebook you go to account settings security active sessions see everywhere you're logged in there's a lot of places people that have logged in onto Facebook don't realize they're there in we've only got 45 minutes left I don't have time to touch everything but literally so many places that can be logged in
that people can Shadow what you're doing unless you're doing that case in point Georgia Tech Hotel went to use one of the shared iMacs and somebody who had their math their PHD paper in cyber security remain logged into Facebook so yeah this is one of the holy of holies there is a ZIP file on Facebook that contains you can read as well as I can read it to you but contains records of granular details for all of your calls and text messages between you and whoever for the past year plus again if you're a pro athlete and someone's accused you of doing something you've got an authority of sourcing here's the actual calls here's what's actually gone
on you pull it from Facebook it's authoritative conversely if someone's looking for information to use against you or to say you've done something wrong that's also there that's why you've got to make sure that Facebook password is changing locked down a little bit easier here but going to an iMac or going to a Mac laptop if you go to keychain in the username and password if you search your laptop people should know it and then you go to keychain find the Wi-Fi password Facebook password Gmail doesn't matter and then you type in the username password for that laptop in clear text you get to see the password that that person thought was there protected so
again change the password it's stored in so many places for your convenience you're not even sure where everything is the one percent of the cases I talked about earlier he had full physical access to her laptop he enabled sharing on Mac go to settings sharing users and groups to look at those two he gave himself full remote login remote remote management so her battery life is terrible everything every copy and paste every logon he had a full remote SSH so anytime she was logged on he was able to Shadow everything she was doing online flip side is the oh it's going to compliment but the person his uh gpg key that he left on there to
activate the remote hacking was actually under his true name on Roots so there's your evidence going further for the person you want to go social to the accounts and look and see what's running on the logon this one I like I was working with a local PI a long time ago he gave me a USB drive and this is a deleted text message saying make sure you delete your text messages that the PI had deleted from the USB drive that he gave to me I ran this Grill and he's able to recover that so if you're in a contentious case you don't want to just share a used USB you want to use New Media the ten dollars
you spend at Walmart for clean versus I think it's okay it's ten dollars versus data security we talked about Facebook helped a neighbor move a 65-inch TV that began picking on my son he got a 55-inch TV for him and his he and his twin sister Christmas a few years back that was the second TV the first TV your dad put in the cart at Walmart and the weight of the TV kind of bent and you know flat screens are fragile be honest here yeah so that one got returned because a nice big crack down the middle so anyway the person's moving a 65-inch TV left the TV behind sold on Facebook Marketplace and the attorney told me they were still
logged into Twitter and Facebook why someone needs to see Twitter on 65 inch TV I don't know but you've got to consider if it's a bad domestic situation you have to log out of all the edge devices something else to consider with Facebook there's some repositories on GitHub also on osintframework.com you can take the aggregate of Facebook IG Instagram Twitter and look and see when someone's working when they're sleeping when they're prevently posting if they're posting after 5 30 P.M Monday through Friday and they're silent from eight to five are they working in a SCIF or on the other side for the counterterrorism side you can see okay this person's bedding down on these
hours were they sleeping or if you're a little bit unscrupulous you can say okay Tom Brady didn't sleep well last night I'm going to bet on the Green Bay Packers instead of the Bucs because based on the Sleep Cycle would never do that she was a little scuzzy to me but that's still there that's implied data from Facebook that's already out there we talked about family and friends data leaking see a lot of this actually in the military and some in the IC of hey Mom's going here don't tell anyone Dad's going here well if you post it on Facebook of don't tell anyone dude it's online so if you're saying you know my daughter's under this issue but she's
going out tonight with her friends down to Frontier in Stockbridge well right there now the Hostile Target knows they're going there they don't have to hack anything because someone else shared the data for you something else just like onboarding off-boarding at corporations if they've had access to the ring doorbell has anyone worked with a ring doorbell data anyone set one up nobody in the audience has a ring doorbell one person what's that right the camera quality is amazing the audio quality is even better like it's Crystal Clear there's an accident near the house two in the morning police had me pull the data from the camera and I don't have one at home I just
don't it was superb it wasn't like the bank videos where it's all blurry it was like movie quality so you've got uh 4K video quality and all you have to do is add someone to the access control list but do you remember to take them off because now they've got someone new coming into your house they can hear the conversations to and from the porch add that into the Alexa date model or they can go back if they have access to your Amazon account and they can go back and hear every conversation you've had every Alexa hey Alexa sorry if I triggered anything you can also used to be a terrible CSI: Cyber episode you know SwiftOnSecurity
is making fun on Twitter way back in the day but you can actually disable the smoke alarm burglar alarm so if the Hostile other person can have access to disable this just through your Amazon Alexa account that's a bad thing so you need to disable that change your password same thing because as a fraud examiner you have implied trust implied approval that if even though you've split and they still have access on Alexa to on Amazon to your credit cards and they rack it up you've still left them there you didn't remove them that means you're still responsible for the your person's responsible for it again changing that just like off-boarding at work you have
to off-board someone from all of your digital media same for the printers so they're leaving I would say take the printer with them printers are relatively cheap and there's a point to this sorry one of the classrooms over in Belgium to demonstrate that the metadata that's left behind we just walk over hit print list and you can see the travel itineraries of the soldiers in the headers and you could go back and show and piece together based on the travel itinerary this group is going here that group is going there just based on the file names printed so again there I was in a SCIF for a partner country not I don't have access for National I
just walk over did the same thing and lo and behold it prints every single document ever printed on that printer until it ran out of paper I looked at that like I'm not touching that I went and got the warrant officer to look I was doing this as part of the class there's all y'all's classified data about 500 pages I'm not touching it and that was something they fixed but in this world with the potentially hostile abuser if they have the ability to just reprint every file as a feature of the printer that's something that's also got to be considered on an Apple if you've left it behind if they've left it behind you go a little
bit more you go into uh oh you go to terminal /var/spool/cups and then you get a list of every file ever printed the ones that start with C you get the metadata the ones that start with D the ones is ends in zero zero one that's an actual PDF so you can move copy that PDF to the desktop and see the image of what's printed so this a simple strings command on that in terminal you can see it that one random one for this example it was a World Market coupon printed off big deal but you get the example that there's your proof of concept if you want to see everything ever done on that printer
that could be done on the Mac something else to consider what you leave behind or that person leave behind this is a creepy one email mail and PDF social media tracking Superhuman it's a marketing tool I yeah it's going to let you see every time the user has opened the email where they open the email in the geographic location where they opened it that's the service they offer for money that's cool so when you get the emails from vendors that say Hey we've seen you open this email four times are you interested in our product that's what they're using the way you block this is blocking the tracking pixel through a VPN Gmail is now also out of this so if
you're in sales personally think it's a little bit creepy and even better now you've got PDF tracking again for sales where they can see what pages you open on the PDF how long it's been open what pages you skipped what you read and how long you read it so you combine the two if you're thinking of uh business acquisition whether you're thinking a contentious divorce child custody case and you can know how long they took to read that document and when they opened it you're going to have an Insight which again I believe is Thoroughly unethical there is an easy risk mitigation for this print it done because if you print it they're not going to be able to track you
we found one way to identify the beacon haven't been able to identify this yet on a Windows box so open Terminal type in mdls metadata list drag and drop that hit enter and you're going to see that beacon pop out there most PDFs most files won't have that extension pulling down the beacon to let them know how long you've read it and if this is a classroom or we had more time I'd have you all open your Mac mdls take something from iMessage and view the file metadata and then see where the file came from who composed it how long it took them to compose it whether it was phone number whether it was email address and
actually see the metadata short story a friend sent me a photo he said hey I'm interested this girl keeps talking to me online something doesn't feel right same mdls and the photo is actually from a model website he has been catfished he cut contacts saved his time but the example is still there whether it's flip side if you're sending that out with your GPS enabled now the abuser can see your new location for your house so that's something you consider we've actually got real packet interception from man in the middle anyone heard of this informed delivery by the post office anyone used it okay no problem right only two ways to know that if what you
get I won't get ahead of myself you get a PDF or JPEG of the incoming mail so if someone has signed you up for it they can see if you have a check something important coming they can take that document out of the Sacramento you've got the rest of the mail and a Bed Bath and Beyond coupon that never expires you've got that but you don't know the key check from the government's coming the two steps I went to the Postmaster General it's not that big of a deal I went to the Postmaster General in Fort Mill South Carolina I was in line of just curious the only two ways to identify this risk is to ask in person in the post office
if it's been enabled for your account, or to try to sign up for it yourself, and it would tell you it's already been signed up. Fantastic if you're TDY, PCS, overseas and want to know what's coming at home while you're deployed, but for the domestic abuse, this is another vector where you have true packet interception. Another case we've seen is the iCalendar: if you forget to remove someone from shared iCalendars, you're going to see what's going on, as well as for your travel schedule, so that can definitely disrupt you. The same for your social media account: you go to tnfolique.com and you can see the person's using iPhone, which would give you the vector to say, hey, this is
iMessage, click here to verify your account. So something else to consider: do you really need to be on social media when you're in a contentious event? You can spoof your GPS location. I actually was in the back of the classroom at NATO; I was posting from Dar es Salaam, Mogadishu, and Iran. That was just to show some things on your recon are accurate, some things aren't, so don't believe everything you see online. Uh, the grugq says use Signal, use Tor. I say assume everything is compromised until you've reset it. From the new Star Wars series: never carry anything you don't control. If you've not got this locked down and secure, if your person thinks they're
being stalked, use personal meetings, just like old-style Russia House tradecraft, bricks and sticks. Personal meetings: leave your electronics somewhere routine, secure. If you go to Planet Fitness, leave your phone there, walk next door to the coffee shop, have your meeting with your family, with your attorney, whoever. It's going to beacon out that you're still at Planet Fitness when you're actually having a meeting. You'll have the chance to arrange non-verbal paroles. In my case it would be posting a picture of yourself wearing a rival team's shirt, so if you ever saw me online with a Georgia Bulldogs shirt, send lawyers, guns and money, it's gone bad. People would know; I've never done that. Uh, very quickly, iPhone monitoring. I'm
the biggest one we've seen at Safe Escape is mSpy, for if A has B's username and password, they give it to mSpy. Here's a lot of ifs: you have to sync up, connected to Wi-Fi while powered in. mSpy connects your entire device to the cloud, gives a report: that's what you've done. That's not hacking, that's just having your password. The more malicious one is the Android, where you can create a custom phishing link, the target clicks on it, and then mSpy begins hoovering the data down. Again, change your password, reset your device. We've seen it working over at WhatsApp, where a fuzzy picture of puppies was sent, the target clicks on the picture, and it loads malware. That's a more
esoteric case, but it is out there, so change your username, change your password. One thing for trapping your device: a program called Sleep Cycle. Put it on your mattress and you can see how well you sleep. That's cool, but that would also tell you, 4 a.m., my phone's been picked up and tampered with and put back down. That's formed 95, I think, for the pro. But now Apple has your battery health, is a cycle that cannot be reset unless you reset the whole phone. So if at 2 a.m. Snapchat, Twitter and Facebook are open when you've been sound asleep, that's going to let you know something's going on with your phone, your person is compromised, and you're not spending any money or
millions of dollars on the government program for tamper awareness. Same, I just made that up. Oh, it would be over here, I'm sorry. Uh, right there you can see the date and the time under Battery: 12 p.m., 3, 8 p.m., 6 a.m., and you'll see what apps are open at what time when you click on the time. So if your mom wants to make sure you're not on Snapchat with your friends at three in the morning, then that would work. Conversely, that's, everyone's looking at the 16-year-old in the audience, um, but that's a way to know that your person's going through the phone (thank you), or someone's tampered with your phone, or you leave your bag in the hotel
room while you're overseas, and this would let you know your phone has been moved and tampered with while you're, which might mean either the maid was curious or there's someone looking through stuff. One trick, well, not a trick: on a Mac, if you hit Command-R, if you think your phone, uh, your laptop is compromised, Command-R, it gives you a startup option to boot from a protected environment: no keyloggers, no VPNs, no Grammarly, just the absolute value of a clean OS. And then ironically you go to Get Help Online, where you can access email that people wouldn't have access to because of trackers on your phone, or, excuse me, on your laptop. So someone comes to you and says they
found a device, they think they're being tracked. We're getting more into the NSA, the s p Total Access style tracking that civilians have access to now. The fun thing is the devices that before took painful and hard cable coordination between the field and headquarters to get access to the device, these are now things you can order off of Amazon. So here's a power charger (not my video): put the SD card in, plug it in, put the faceplate back over it, you've got audio, video. Downside is someone's gonna have to watch the video, process the take and listen to it, and that's a lot of free time. And no one's ever said, oh, they stalked me, so I
went back to, like, doesn't gain you anything. It's terrible. As for a nanny cam, possibly, but in a domestic situation that's a hard no. The limitations of electronic surveillance devices: if you have continuous collection, you're going to need AC power, and if you have a continuous collection with AC power, that means your storage is going to be either limited to the device, which means someone has to physically come and collect it, or it's going to connect to Wi-Fi, going back to the router, if we saw the beginning of the talk. So if it's got limited collection, limited power, they're going to have to service it, change the batteries, change the SD card. Again, photos from Amazon:
this alarm clock is Wi-Fi enabled, has a 1080p camera and audio collection. So if there's a strange situation your person's come to you about and you see this is plugged in, that's a pretty big clue there's a surveillance device. I would leave the house, call the police, let them deal with it, because again, that's a major felony. That's not something you would want to deal with; just point the police out, let them deal with it. The other devices are more the Amazon Blink camera, just to drop in the living room. It's pretty obvious what it is, but you could still change the housing, make it a surveillance device. That would still have to go back through
Wi-Fi connection. The device, if you don't recognize it on the router log, there it is. Uh, that is a 128-gig USB drive. You flip the switch up, it's continual recording; you flip it down, it's burst recording, only when it hears something. The battery is good for about a week. Downside is processing the take. Does anybody want to sit through 120 hours of audio? No hands, no takers. For one thing, if it's a collection of a foreign adversary of, you know, "troops are moving here, here's our nuclear secrets," that's one thing, you may be able to run that through classified AI. But the inflection given for a domestic case, "oh, that'll never happen" versus "oh, that'll never happen,"
AI is going to miss that, so somebody had to physically process that. So even though it's there, you've got to think: does the adversary have time to truly process the take? That's a 720p camera built into an air freshener. Limitations are storage and battery, meaning someone's gonna have to come back into the residence and change those out. Anybody guess what's coming next? What's that? No, not AirTag, no, no. Yeah, because when the kids go from parent A to parent B's house and they take their favorite teddy bear, we had a case where the teddy bear's behind mom and the teddy bear's shoulder-surfing usernames and passwords, because it has an SD card, camera and batteries, which every teddy bear
needs, right? Now again, that's, again, completely legal; it's a nanny cam. Sure, if you want to have it in the newborn's bedroom watching to make sure they're sleeping, just get a regular camera. They're babies; you don't have to go through James Bond level just to watch your kids. The next one is good for the right environment, but it's terrible for collection as a domestic. So something else to consider: the Apple AirPods paired with a hearing aid feature on your phone. You can leave your phone in a room, put the AirPods in, and then listen to the conversation around the phone even though you're upstairs. Completely unethical, and I really don't want to know what someone's saying about
me if I'm out of the room. I'm just not emotionally strong enough to hear, like, the person I truly love is running me down. I'm not good with that. Like, yeah, whatever, my cooking's terrible, but I will say it's good, it's fine. The same thing for the Bose headphones: we had somebody reverse engineer these so they could actually serve as a microphone, because you have the active listening microphone. Again, esoteric case, but the one person did that. Again, dude, if you're going that far to watch what your person's doing, it's over, move on. Tinder's free, Hinge is free. I don't know what you kids date on, if it's Clemson sheep Harmony, I don't know, but
just, like, no. That, it's impressive, but don't go that far. Same thing if you're on the phone, you've got one earpod and someone else is listening on the second earpod and you don't know, what, probably a little bit over the line. Something else to consider: Amazon offers tracking devices. It goes into a Pelican, little bitty Pelican case under the car, looks like an old 2G antenna, or you can track your spouse or person or whoever. You have to have physical access to change the battery. And this is what, I lied, that's not from a beacon, that's a GP, that's an image of an iPhone that I scraped the geolocation from, a location, I think it was Twitter, but that's actually GPS stored from
Twitter. So your devices are always speaking if you have GPS enabled. Plus that's a cool KML file I just want to show off. But you have to watch what your Blue Force Tracker, these things will give away your data if you don't control it. There is a Strava issue where classified locations overseas were beaconed out by Strava, Fitbits. If you're concerned about, your person's concerned about being stalked, don't wear one. Problem solved, easy. Like, don't wear the beacon if you think you're being followed by your beacon. All right, right, it's too much. It's a nice thick Chicago deep dish pizza, right? No, because, face, uh, Domino's stores two years of your history of where you've ordered pizza delivered.
So if you get pizza every Thursday night, you go to a new place to get away from the abusive ex, and you don't change this password, now your ex knows you get pizza every Tuesday night, and you haven't cleared this, you've just given your location away. I wouldn't do that. I go to the gym, I'm a gym rat. Well, Planet Fitness also tracks all of your logins. So you've got to go for the low-hanging fruit, because if you don't change all of the passwords and the person's wondering how they're being tracked, the myriad of ways that it's out there that you're unaware of, you've got to consider the whole picture, because most stalkerware isn't magic:
Agatha all along: Apple, Google, Amazon, telecommunications, and home access. Got to change the usernames and passwords. One of the issues, transitioning from the control of the environment to identity theft, we see this a lot: identitytheft.gov. It's one of the few government websites, it's actually well done, well read and efficient. The fraud triangle: you have "I'm going to divorce this person, I've done so much for them, they haven't given me my fair share, I'm going to lose half, my three quarters of my income." I've got pressure, rationalization, opportunity (I have access to all the documents), and as a certified fraud examiner, that's the triangle they teach us of the conditions or someone that's still financial issues.
Add in the SpoofCard app, where if you know the SunTrust phone number is 404-230-5555, it's going to show up on your phone as SunTrust. You can spoof that call where it beacons out as SunTrust, as Planet Fitness, as Bank of America, whoever, and you've got the implied trust because it looks accurate. Your person has to be aware that this would be a vector of identity theft, and they have to watch what they're saying. So you go to identitytheft.gov, click on the link, start the case, you get a case number. If you go to the police, they're going to send you here as well, and that gives you a case number where you can
start to stop (start to stop, is that right?) the fraud that's going on. Again, it's either, by, either there's identity theft and fraud or there's not. Pretty simple to deal with: if it is, report it; if it's not, cool, move on from there. Last bit: data availability. We would say in the CIA, if it ain't in cable traffic, it ain't. But if it's not documented, it doesn't happen. When you're going through all of this and you're looking at the files and helping this person get out from what's going on, this is a, from Disk Drill, good luck remembering which file is which. You've got to document the source. Trust me, no, don't want to do that again.
Find an interesting file, "I'll go back to it," and take notes when it's happening. Make copies, share it out, because you don't want to duplicate work. Create that timeline. You've got to document things with authorities as they happen. And the other is, not to be all mushy, but you've got to be available, because if this person's come to you for help and they call and say, "Hey, I'm going through a rough time, let's meet at Your Pie and get pizza tonight," yeah, they're going through a lot, you've got spare time, why not be a decent person? The old PACE plan for the data you found, the screenshots, everything else, if you've got a primary copy, an
alternate copy, the contingency copy, and emergency. So you've got the primary, that might go in a safe deposit box; the alternate copy and contingency might be the two you're working on; and the emergency might be stored with your friends over in Ouagadougou, I don't know. But that way you've got geographic dispersal of this sole source of data. That way when they have to go before the judge, go before attorneys and say this is what's happened, you've got redundant backups, because you don't have AWS to bill you for what's going on. A couple of things as we're wrapping up here. The endgame for this, as your person's escaping: when we would close out a sensitive, or a human asset,
and even though they might be fantastic, they might be terrible, you don't tell them that, you don't build resentment. It's "Hey, you provided a lot of good information, you've helped us achieve our gains that we had mutually together. You wanted to help stop this regime's oppression of this group; we've achieved that. Your data went to the, it went to the president, he took action on it, and, you know, here's, we'll take that old laptop back, let's copy your data out, let's give you a new laptop, and here's an extra bonus for your time. Thank you so much." You've effectively terminated the relationship. You've got your stuff back, they've got cash, they've got a new
laptop, their ego's been stroked, they're happy. In this world, it's "I want my own cell phone plan, I don't want them to know who I call, I don't want them to know what's going on." But if you say that, it's an adversarial issue. "Hey, I've got a great new cell phone plan through work, I've signed up for it, I know money's tight right now and that's going to help save us some money": it looks like you're doing a benefit, but what you've actually done is taken your data off of their plan, so they don't get the insight, the metadata for everything you're doing or they're doing. Same outcome, versus "I don't want you to see who I'm calling." Well, that's a red
flag, versus being a little more persuasive about it. So there's this movie called Star Wars. It's about this domestic conflict. Um, there's these two, there's these two androids: one had strong encryption, strong authentication, and the other had weak encryption and was wiped. If the data had just been deleted, you run Disk Drill, you run an undeletion, oh wow, Anakin's actually gone bad, Star Wars is over in about 20 minutes, the right, uh, forensic technician, right? Same thing to keep in mind: unless you're sure that it's truly locked down, maybe get a new device, maybe get a new USB drive, maybe get a new laptop, just to make sure. Bring it forward a little bit:
unauthorized devices on a network. I hate to say it, that's a good movie about dating it. When Thanos saw that Nebula showed up, he had an unauthorized device on his network. He performed live memory forensics, did an extraction of her memory, did a takeout analysis of her location, chat and images to find out what the opposition was doing, which is pretty fantastic for literally a blue team operator working kind of with the SOC, maybe, but that remains. Conversely, the Avengers didn't know that one of their devices had fallen in the adversary's hands and everything that they thought was confidential and secure had been leaked out. So you want to make sure your device is not being cloned to somewhere else.
Couple of things we've had to remind folks at Safe Escape: nobody has unlimited resources. Today's October 1st, start of the fiscal year for the government. Anybody who yesterday was scrambling because they're out of budget now has a flush new budget for the next 12 months, regardless. Unless you're the Fed Reserve, but most people don't have unlimited resources. Occam's razor: anybody want to guess for that? All right, simplest answer is the best. And who will process the collection? Just because someone says it's possible, "Oh, they're listening to all my phone calls all the time." How? Let's talk about it. Let's get to the why. Do you think that's happening because, oh, they're, everyone's following,
okay. Whereas gang stalking may be a thing, having a full-blown surveillance team watching you 24/7/365 is an amazing amount of resources in gasoline. I drive a Jeep; gas is not cheap, and I'm not going to just drive around 24/7 to follow somebody, for why? For no money? What? That's not going to happen. So the short version of all this, of 102 slides: change your passwords. If your person thinks something's going on, on a clean machine, change the password, change your locks, report the events as they happen to law enforcement, document everything, because if you don't document it, it didn't happen. It's my Twitter handle, my email. If you go to mail.com, you can, there's 200
different domains. If you're looking for work, rather than having AOL, Gmail or whatever else, you can go to engineer.com, consultant.com, just to help you stand out, and it's free. But that's it. And remember, it's probably not hacking, it's probably Agatha all along: it's probably Amazon, Google, Facebook, it's probably access to one of those. So with the next, last minute left, any questions? Yes, sir.
That's slick. So, get to the first, you spoke at the beginning about, uh, volunteers. Yes. Three links to those, those three links, and, uh,
second question was, when you're talking about leaving devices in certain locations when you're doing, you know, meeting with lawyers and stuff like that, um, Faraday pouches, are those valid devices, can be used for stuff like that? Uh, well, one of the, the two links, geez, I feel like Jen Psaki, we'll circle back. First, it's goaskrose.com, safeascape.org, and then to get help as a volunteer or as an incoming client, it's help at safeascape.org. Second, the Faraday bag: one, it will drain your battery; two, then you're going to disappear from the network, so you've got a gray spot where you're not truly there. So pick your poison: do you want to either trust the device is going to be
secure, or leave it somewhere in pattern? Say if you work at one of the secure sites, you leave it in a locker or whatever people might do there, and take your car, drive somewhere else. So pick your poison, but