
Broken Arrow - Will Baggett

BSides SATX · 2020 · 56:32 · 145 views · Published 2020-08
Category: Community
Style: Talk
About this talk
Title: Broken Arrow
Presenter: Will Baggett
Track: In The Beginning
Time: 1600
BSides San Antonio 2020, July 11th, San Antonio, Texas
Abstract: I discuss how the BSides community can apply InfoSec and forensic practices to assist domestic abuse victims cutting the electronic cord to their abuser. I cover social media, IoT, printers, metadata, defeating surveillance (including weaponized PDFs) and how our assistance can make a great change.
Speaker Bio: Former Intelligence Community officer, current NATO SOF cyber trainer and volunteer at many BSides conferences. I was a SME for iOS and Mac forensics and now apply these skills to the private sector.
Transcript [en]

all right broken arrow in the 60s the u.s army had a term for if the enemy had been if the enemy had penetrated the u.s forces and they needed reinforcements air support because the enemy was inside the perimeter the nature of this talk is about what happens how can we help the domestic abuse victim who comes to us as information security professionals because the situation has moved from in my slides here we go hang on one second technical difficulties i love my mac

oh man sorry about this i've got a little bit of a glitch

dirt i'm going to have to punt okay not a problem take your time sir they will stand by i'm going to set you back up again i don't have any control for anything else on my screen yeah hold on a second i'm setting you back up there you go try it now all right

do you have control you should have control

okay let me see if i get someone else to help out uh hold on

yes sir thank you for everybody who stuck around through this i mean or there probably should be a sans course in uh remote presentations after this pandemic is over so the idea of we've heard the beginning about the enemies inside the perimeter people come to us as information security professionals and they say instead of fix my desktop i build a computer over the weekend i'm setting up wi-fi they want us to fix their situation they're being stalked somehow by an ex by a former partner going through a divorce split what have you but they come to us because information security professionals to say can you fix my desktop and like most people who get a

jared ticket in the queue on a friday afternoon you want to do something you want to be able to say here's how i can do it here's how you fix this a system architect versus somebody who's working on the blue team versus somebody who's doing digital forensics it's a different skill set the purpose of this talk is to give you a general framework on what we found as operation safe escape what the common things are that you're encountering when people are going through domestic abuse situations i'm a volunteer with operation safe escape if you want to either a work with us to help people get out of mexico situations the website is go askgrows.com safe safeascape.org if you want to

volunteer help at safe escape.org or if people want to seek guidance to help digitally disconnect an abuser help safescape.org is how people can reach us another good resource is the smart girls guide to digital privacy now that said the three information security principles of data confidentiality data availability and data integrity we take those that tree ad and we apply it to this of helping somebody get away from a bad situation you want to control the environment watch for identity theft and then make sure you have data availability that way you still have the cool little cia triad there but it means something just a little bit different now out of these three the most important

is to control the environment meaning not just the digital but the physical environment that's something we don't usually think about physical security in our daily jobs as information security you might think about phishing you know dropping the usb drive by the entrance to the facility but the hardcore physical security making someone's physically safe that's not usually in our swim lane and for controlling an environment whether it's you or somebody going through a bad situation another three things to keep in mind your personal security the data security and family disclosures and by that for personal security the most important is to get off the x when i was actively with cia we had a overseas meetings go bad the case

officer came back to the station and the station chief markey after hearing about how this situation just kept getting worse and worse and worse had this gym he said no bad situation ever got better by sticking around whether that's a personal relationship with abuse whether it's a bad job situation a living situation it's not going to get better by staying it's okay to leave and as i was going through this for the leadership team at revolutionary security uh jim pruitt one of our leaders said you never have to ask permission to leave a dangerous situation he gave the example of a uh engineer who was in the field and people were out of the bar and they

wanted to drive home in one car for the driver was drunk the guy didn't want to take a cab because he was afraid of getting in trouble for having a separate expense and that's for jim's line you never have to ask permission to leave a dangerous situation applies to the domestic abuse front if things are bad leave and then figure out how to make it work afterwards but most important is to get off the x to have a bug out bag packed uh this was a live physical presentation i do a show of hands or who knows what a bug out bag is but for the digital presentation a bug out bag is a bag that you keep with you whether

it's a backpack purse knapsack with a credit card your driver's license important documents passport birth certificates your laptop if you can phone a phone charger that way if you have to leave in a moment's notice you can leave and then begin to rebuild your life after you have a bad situation you want to keep your electronic devices with you with a caveat of one of your stalker wear on those devices and i'll show you how to defeat that in a minute if you have the ability not everybody in the audience or not everybody we encounter is going to have this but consider having a prepaid cell phone and a prepaid credit card somewhere outside whether it's in your office a

friend's house so that if the abuser disconnects your cell phone disconnects the credit card deactivates the credit cards excuse me you still have the ability to at least get a hotel room for the night or two to contact people to let them know what's going on just in case you have that loss of service you know a backup on your basic raid service let me talk a little bit about what happens how to flee the situation and we'll get into that more but what if they leave what if the abuser leaves the situation and you're left behind in your house in your condo in your apartment most important thing consider this of course change the passwords i want to

say that a thousand times in the next 45 minutes what i would do hypothetically i would call the landlord i would call a locksmith whoever controls the physical lock to the house change the locks change the key codes the law enforcement officers are going to respond differently to an abuser return to the house versus an abuser broke into the house that's going to get a different level of response and get more help for you so a bad situation doesn't occur so in this timeline as the locksmith is coming as the landlord's coming to change locks and garage door codes start to change your passwords and i've got here a lot of people have suggestions from these talks i've

incorporated them change your garage or remote access frequency because sometimes if the car has the garage door access code programmed into the car itself all the former person has to just drive up to the house hit the garage door code they're back in the garage a lot of people don't lock your garage door they're back in so remember to change that garage short code too so you've got a couple of physical things to change here and the importance of changing all the codes is this

in domestic situations such as a father and his two children having a disagreement such as anakin luke and leah an order code still checks out a lot of people forget to change the basic passwords and the basic passcodes after a divorce you remember to change your garage shortcode your access code harden the perimeter first and then work forwards to change your router passwords change your security questions because if you can go to genealogy ancestry.com simple google search it's not a ocean exercise to be able to find basic information on people go to a known safe machine change your security questions and your passwords but it's okay to lie online that's one of the key takeaways for this

presentation when creating a new security question fabricate your favorite locations your informations and events they're not looking for accuracy excuse me they're not looking for truth they're looking for accuracy where did your parents meet tatooine what was your high school mascot an ewok what was a when did you get married on naboo it doesn't have to be where you truly got married it just has to be whatever the system is told is your answer something that's not easily searchable don't get so acute that you can't remember the answers to your own security questions but make it something that you can remember it's okay to lie americans are trained from we're taught never to lie to always tell the truth

winston churchill said it's okay the truth is guarded by that i can't talk today too much zero the truth is protected by a bodyguard of lies definitely apply that here you don't have to tell the truth about your security questions looking at your route it's a little bit of an abrupt transition you come in you gotta change your passwords first thing is to look at your router screen see what other devices are connected take a screenshot that could be evidence for later so here you got a galaxy x8 you have a mac laptop and an iphone renamed pc you don't have to name your device jim's iphone it can be whatever you want if it's something very specific

colonel sanders iphone you're coming to the top of the attention anybody's using cali or looking at logs that this is someone's specifics iphone connecting different talk all together but harden yourself and not have the exact name of who you are on your phone so here we see there's no rogue devices connected and we'll come back to that in a minute this is key for these situations take a screenshot if there is and again this talk can't cover every router that's in production remember to search for your specific router look at the logs just like you would in a nine to five job looking at the logs with splunk capture the logs to see if there's an anomalous traffic there

that doesn't belong so you've changed your the locksmith is coming you've changed the wi-fi password now you go to your smartphone to change this while you're changing your password things to look at you go to settings and then you go to scroll down a little bit and you can see the number of devices you are connected to that middle picture and that's the number of apple devices that are sharing your id it's very common where people think their infosec gurus their hacker elite they're hacking the planet they add themselves to their spouse's former spouse's iphone so they're getting dropped copies of all the messages the next thing you want to go to find my iphone and see

where your device is located because you're giving the opposition a blue force tracker to see everywhere you're looking and you can see the number of devices that you can track through this account you'll want to take screenshots one then disable it next thing we want to go to share my location and family sharing very simple for this for the salt you don't want to share your location you don't want the opposition we'll just call it that the opposition to know where you are at every moment going through that situation where you're fleeing an abuser the second thing we saw this working with nato special forces in summit uh the agency where people had photo sharing set up with family so when

they're taking pictures of the war zone of whatever site whatever battlefield their cool guy hero photos those photos were getting shared back to their kids their spouse their grandmother phone their phones definitely in a combat situation intel situation you don't want to have it enabled but the same here if you're going through an abuse situation you don't want to share your new life or documentation of evidence with the abuser you want to make sure this is turned off whether they enable it whether you enable it at this point it does matter but turn it off a new one apple keeps adding features we'll call them features i call them security risk but they call them features test

text message forwarding so here we have this text message boarding to two devices this is set up to go to both of my macs that's finally good i know these devices these are mine but if this goes to the opposition's phone your imessage and your sms messages that go to your i account ios account are now copied over to the opposition's device as well so they can see everything you're doing one case i worked the uh former spouse had five years worth of legal battles for custody increasing child support just constant harassment all because it was something as simple as the spouse knowing where her text messages were coming from so if she said i'm going out to have a

glass of wine with friends i'll see you at five o'clock at fredo's on monday morning it was here's papers my attorney you went out drinking this weekend and left the kids unattended it's a fabrication but he only knew this because the text messages were forward on the other side of the aisle with the android you'll want to go and look at the number of places you've logged into your android phone and where that's also shared so this is the android messages showing up the gym i can't talk today the gmail account is showing up on a windows account on an iphone and a mac you want to take a screenshot of where the malicious account is showing up and then disable

it the next thing you'll want to definitely change your password in safe machine because your google takeout account if you've not looked into the google takeout capability it's something that we've used it revolutionary security for inside our threads we used it at nato to look and just show the troops where this data is still shared it's everything you've ever done when you've signed into an android account your cell phone locations your cell phone tower locations your deleted text messages your deleted emails your photos your web traffic history it's everything ever done with that google account that's something once you lose that you can't get it back that's a treasure trove you can parse through a magnet axiom magnet has donated some

great light a free license of vaccine to operation safe escape we've parsed through some google takeout for abuse victims and we're able to see all the data that was deleted off the device showing that they were compromised we were able to recover that with the victims help through google takeout i'd say that because you don't want to lose this to the opposition on the apple side apple security i believe is a little bit better it takes multiple steps for validation to request the backup data you can see on the side here the slides will be available you can see all the data that's available from apple it's a seven day download waiting period for the

opportunity to then download the data it takes multiple steps again to validate two-factor authentication password security questions to download today it's pretty secure i'm impressed with it so yes this data is available from apple but the the level of detail to get it is a little bit more robust and much more secure than google on the facebook this is one of the most egregious i believe it's worse it's bad it's tick tock in my opinion go to security settings and then active sessions see where you're logged into facebook because not only can they shadow you facebook messenger keeps a copy of all of your messages the usu the us t-con providers we keep at most

three days of text messages between a to b they would have the record that alice texted bob but not the details facebook messenger records this file of who you talk to the body text of photos and then who you called how long you talked to and that's kept for at least a year which is primed for abuse harassment singing if you're talking to an attorney building a case against you or just general harassment so this is the holy of holies this is what you want to keep the opposition from gaining that's when you've got to change your password for facebook and lock down your two-factor

authentication other ways one particular case she lost controller for apple account there was a shared family mac in the living room she left all he had to do is go back here this is infused 2017 from before the world change back when we had physical conferences go to your keychain access type in keychain from finder and then search for the google account this is just an example whether it's gmail facebook whatever reddit if you store your password it's stored in cleartext so you can do is type in username and password the infused 2017 password with the username and password is guidance this technology still exists in apple they're still using it this is a huge vulnerability people are

aware that you can gain someone else's password in cleartext with just two or three easy steps on a mac i say be persistent and thorough if you leave a usb drive behind when you leave a house this use this photo was off of a usb drive that was given to me by a private investigator that they thought they liked they hadn't these are a covered text message that somebody deleted off their phone the pi recovered put on the usb drive he thought he'd leave it in something as simple as this drill a 70 program online was able just to recover this file so if you're going to leave data behind wipe it don't delete it

because deleted data can be recovered and used against you persistent and thorough means your smart devices your netflix account your facebook a neighbor bought a 65-inch tv off a facebook marketplace it's easier to buy this than type locally than try to transport it across town and move tvs are becoming incredibly cheap the person who log left their facebook login as well as their youtube and their twitter the question is who's looking at twitter on 65 inches you know the person whose attorney should be logged out of the accounts you know you don't lose your license because you're cyber stalking in general but there's nothing good that comes out of this so when you leave the scene if you're

leaving the domestic view situation logging out of facebook in the smart apps on your device make sure you do that because unless you know to go back and look at your facebook account you're going to forget about this and somebody can easily stalk you through your continued log on the data's still out there so there are issues not issues there are apps available through github where you can plug in someone's facebook id and gain their sleeping pattern if you're going through a domestic abuse situation everything that's out there can be harvested whether it's for the little bit too creepy too personal ads or whether it's somebody using this against you now that you've got a new

sleep cycle knowing you're working nights instead of days this data is still out there i would highly recommend not to use social media all that comes from my working encounter intelligence at cia and you know being a part of this community a lot of people still like facebook this is just one of the reasons you might want to reconsider it family and friend disclosures on facebook are one of the more damaging ways um working with nato special ops we saw them my husband's being deployed to afghanistan but i'm not supposed to tell anybody don't tell anybody and they posted on facebook carrie underwood had the quote here about i'm going to restaurant and my parents

talk about what i'm wearing when i go to this restaurant she's wearing her new sweater they've got to follow operational security as well otherwise if you lock your accounts down but your family and friends still leak it out you have the hard choice of having a tough discussion with them or not discussing anything with them neither one's good but it still gives you a better optic for your safety than just letting things go getting into some of the more internet of things i hate that acronym but here we are the iot i don't know how many people again this is where i'd have people raise hands back in the former world if you've ever gone back and looked at a

ring doorbell recording the uh 1080p the 4k quality is phenomenal the audio visual recording for these always on systems i helped local police there was a car crash two in the morning local police aren't very technical they asked me to get involved to help with concurrence from the homeowner went in and gathered the data of the audio in the video we were able to zone in and see the crash sequel fleeing the scene joking about the drugs they're on and the point is with this it's easy to add somebody to an access control list to be able to watch this but people don't think that to remove the x whoever from the acl just like you would at work if you're

going to put them on insider threat list for getting two weeks notice if you know somebody's moving out change your ring doorbell so that the x doesn't have access to your new life because with this ring doorbell they can see someone new comes to the doorstep police attorneys doesn't matter couple that with amazon alex's ability to record your and review your voice history all you have to do is go to amazon alexa look at the url you can go through and review every time you said hey alexa you can see the smart history the voice history and knowing that if you have access to this change your password then you can disable the burglar alarm

you can disable a smoke alarm back in 2012 when csi cyber first came on swift on security and other people on twitter were laughing about how far-fetched and ridiculous csi cyber was there's a murder case where someone disabled the smoke alarm then overheated the print jet on a laser printer to cause a fire which caused a murder that was ridiculous in 2012 now with amazon that's getting into the realm of possibility so again make sure you change your username and password nsa doesn't have the rights to watch to have a listening audio device in your house audio visual device these are nice they're convenient but they do give the opposition the ability to see what's going on

in your house going from that on the financial side i'm a certified broad examiner former banker unless you explicitly move the opposition from the amazon account you might want to close the joint account remove your joint credit cards because unless you explicitly remove the other person or your credit cards you are still responsible they can max out your amazon credit card you're liable for it despite the fact there's a divorce and process you didn't remove them you implicitly allowed this to go on it's a financial risk but it can be quite substantial so moving a little bit here got a lot of ground to cover thanks to the technical issues on my side on the printers a lot of microsoft based

printers or microsoft drivers will retain former printed files so if you still have a laptop connected to a printer you can go in and see the print queue for that machine or cover those on the offensive side you can see where the person took your money where they're going the new apartment they've gone off to if you're looking for them defensively if you've left this behind you don't want to leave a trace it's easier to buy a new printer take the laptop with you and replace them if you have the ability then leave this behind and recover the data the micro the windows side if you go to var school cups the the principle here everything that

starts with c you can remove with metadata the ones that start with d double 0 1 6 0 0 1 you can drag and drop that file to your desktop and view the pdf the files that start with c all you have to do is just run a simple strings query against that file name and it's going to pull out the header of it i don't know if you guys can see it here there we go so this it's a coupon for world market big deal someone got 25 off of something that was marked up 125 percent anyway big deal but the example remains you can still see the metadata of the files are printed on this machine

which if you're leaving the abusive situation and they can see application for new job application for new apartment they can begin to piece together what's going on with your life might want to consider taking that laptop with you getting into a little bit more nefarious things for email mail pdf social media tracking and this is not a how to stalk somebody guide this is a dual threat guy this how people are marketing companies are monitoring you superhuman in the middle gives you a marketing the ability to see when the email was opened where it was open and how often it was open there's an embedded pixel in there so you can see when they opened it where

they opened the pattern of life as they traveled to open the document which if you don't load remote images that's an easy thing to do for this for b-side san antonio yes we understand that for the average user that might be something not aware of this is a vector that could be done gmail has also added this feature to see where this email has been opened couple that with docs in for outlook and there's embedded code within the pdf which beacons back to tell them how long the file was opened where it was opened what pages were open where they spent the most time and what pages were skipped for corporate discussions if he knew that

page four had the most sensitive data that you're most concerned about the opposition negotiating against you and you knew they skipped over it versus their they keep coming back to page four you've got insight as to what they're doing on the domestic abuse side i know she read this document i know he read this document he was here when they read it they're getting blue force tracking level detail as to what you're doing with this document where it is on a mac go to terminal type in mdls metadata list drag and drop that pdf hit enter and you'll see the cookie the beacon that part comes from cloudfront.net in this case and you can see the data we spent

several hours at the nato soft classroom looking to replicate this with the troops and i'm looking for somebody come back and say here's a simple way to do it coming before an audience of this technical acumen we have not identified an easy way on windows machines to show that this has a beacon that somebody's tracking when you open this file and the easy way to mitigate this is to freaking print it it's very basic very simple you get the document you print it there's no tracking for printed paper that's very simple you might kill a tree but you have your privacy that's a little bit better in these situations coming back to the real world this is

something there's a little bit of ground swell to push back on the u.s post office informed delivery if you have the right credentials the right post-op excuse me the right driver's license if you're leaving knowing you're leaving your abusive victim you can get man in the middle i'm sorry informed delivery that's what they officially call it it's going to let you see the pdf or jpeg of every document being delivered to that po not po box post office box or mailbox worst case scenario uh letters from attorneys checks summons to court sensitive documents if you know those are going in the mailbox tomorrow you pull the one document out or in 2020 if you don't like the way the other

person's voting and they have a absentee ballot coming you remove that ballot you removed their abilities to vote that's a different level of felony but it's still the same capability the only way right now that the victim would know that man-in-the-middle informed delivery has been enabled either afa choose to enable informed delivery themselves and find it's already enabled or b if they go to the post office and physically ask if this is enabled on their po box

depending on a lot of factors people don't want to go to a post office and have physical interaction right now this is a major vulnerability and something to look out for during these abusive situations a couple other things uh audiences have had me add into this icat on google calendars so if you have something like tripit uh concur or even webinars like this you add it to your shared calendar and you forget to remove the other person from your shared calendar they're going to have your itinerary they're going to have your confirmation your seat number if somebody was truly malicious that they could call the airline call the hotel this is so-and-so calling for john smith here's his confirmation

number i want to uh cancel it do a cross-country trip assuming we ever fly again and you get there there's no hotel waiting for you because it was canceled it's simple just remember just like it worked just like in the sock you want to call the acl for somebody departing even down to your trip at your concur your shared calendars so that this can't happen to you or the victim now social media stalking let's take another time belarus 1 14 a.m 1 15 a.m from hawaii 115 from kingdom saudi arabia and when i was working with nato you can see it's uh saudi arabia moscow islam uh iran we know this isn't real it's not

possible to travel that far this quickly that's obviously not true but what is true if you go to tnfoleak.com you can see all these suites were posted between iphone and the web application which means this twitter account has an iphone you can begin to use that to reverse engineer to send a malicious payload to try to hack back into their phone that's inadvertent disclosure of vulnerability just because part of this means it's not true doesn't mean it's all doesn't mean it's all bad information you know the gru gq he recommends you signal used for i'd say assume your devices are compromised uh programs that are meant for you know monitoring your child's use of technology flexispy for monitoring

smartphones

If it's an Android phone they would send you a link, a phishing link. You click on the link and now your phone can be cloned by FlexiSPY and they can see what you're doing. If you have an iPhone, we'll touch on that in a second; I'm getting a little bit ahead of myself. So assuming your meetings, assuming your electronics are compromised until you know they're good, use personal meetings. Leave your electronics behind somewhere routine and secure. If you work at a vet's office, leave your phone at the vet's office, go have your meeting with your attorney, with your family, come back to where the phone is. The stalker wouldn't know. Have a non-verbal parole for family members. Like if you're a big Ohio State fan and you wear a Michigan shirt on your Facebook profile one day, as the signal saying there's something wrong, please come get me, you've sent your beacon for help out. No one else aside from those who would know what this means would know that we need to go get Jane, something's going on. So this is something you would have arranged: a physical meeting without any electronic signature.

The iPhone monitoring for FlexiSPY: again, change your password. As somebody who does digital forensics, when they say that this is iPhone monitoring it kind of pisses me off a little bit, because it's inaccurate. What FlexiSPY does (the red screen is like the big emphasis points for DEF CON or other conferences; this is the core of take this away, this is hands-on, this is useful information, please implement this), so for the iPhone monitoring: Alice provides Bob's Mac ID and password to mSpy. Bob's iPhone now has to be synced to the cloud to create a backup (there's a lot of ifs here already), and then mSpy downloads and images and parses the data into a report for Alice. That's not hacking; that's just you've got someone's password and you're getting a copy of their phone, which again, all you do is change your password. In this scenario, for the stalkerware meant to monitor children, the stalkerware is rendered useless. So again, change your password. Again, be thorough and persistent with this.

I've got a couple of new advances. I like this: trapping your device. In all the travels I used to do for CIA, and a lot of travel I do for Revolutionary Security, I use Sleep Cycle on my phone. That uses the potentiometer on your phone to see how well you sleep in a certain bed type. You know, some hotels have this brand mattress, some have Serta, some have a Sleep Number, whatever, and you can see where you sleep the best in what conditions, so when it's time for a new mattress you know what works for you, or just general fitness, whatever. But the same technology can be dual purpose, so that if it's on your phone you can see, if you're sleeping in the middle of the night, your phone is picked up and someone's looking at it. You can see there's a spike at 3 a.m.: someone touched your phone. A couple of that: if your phone's on top of your bug-out bag you can see someone not only moved your phone, they went through your bag. You've got a clue, an indicator that there's something wrong, you've been compromised.

This is new, I love this. So you go to Settings on your iPhone, you go to Battery, your battery charge level, and then you can start to drill down hour by hour and see what applications were open. So at 3 a.m., if you see your iMessages, your Twitter, your Signal had been active when you were sound asleep, you know someone is definitely going through your phone. There's something going on; that's a huge indicator of compromise. And this is built into the software; there's nothing you can do about it, you can't disable it, this is native to the iOS now. Now, a smart, excuse me, a secure clean machine.

The Apple operating system has a recovery partition built in. You hold down Control-R and go to Get Help Online for an issue with your machine. A little bit of serendipity here: that Get Help Online, if you're reaching out to safeascape.org or if you're reaching out to an attorney, family, friends, you're operating off a partition of the Mac that malware can't reach at this point, knock on wood. So Control-R, go online, and unless you've got somebody who's very technical running Splunk on your home network and then running Kali and Wireshark to see what you're doing, you've got a clean way that they can't touch the keystrokes for this and see what you're doing with your machine to get help online. It leaves no trace on this; it goes back to a pristine state every time you come back in. So that's just Command-R on startup and go to Get Help Online. Built into Mac, wasn't the original purpose of Apple, but it definitely works. So this touches the social media. We've got about 17 minutes left; I've got to kick it up a speed here.

You found a device in your living room, an electronic surveillance device. Installation isn't, you know, DS&T anymore; it's not Directorate of Science and Technology, you don't have to take years of training. It's as simple as this: you have power, you have media, and now you have the audio/video storage bug with AC power, available from Amazon. The triad here is you have power, collection and storage. If you're going to have constant collection beaming out audio/video, you're going to have to go straight to the cloud, which means AC power, or you're going to have limitations on that power, because you can only run that battery so long till it dies, which requires physical collection. If you're doing intermittent collection without much power you can have more storage. You see how the three play off of each other. All these devices are available from Amazon. You would think this is something you're getting from 20 years ago, be something you classified, but now it's suggested through Amazon thanks to researching for these presentations.

This is a 1080p HD camera, audio/video, but because of the power limitation, the power draw, it has to be connected to the AC power of a house. Connects to your router. Remember earlier I showed you this router screen; this would show the clock is connected to the router. One, it's 2020, who uses physical clocks anymore? The mitigation for this: a new clock appears, unplug it, put it away, boom, easy, solved. Now you might want to document this for your attorney for later, or law enforcement; it's definitely a felony, you can't have monitoring of somebody in your house. You can check your local law stuff.

The air freshener: 720p camera, audio/video, runs off a battery, stores to a smart card. That requires physical access to change this. The USB drive: you flip the switch one way, the curved notch one way, it's continuous recording for 128 hours; put the notch the other way, it's short burst recording of up to 128 hours. The difference is one you're only getting somebody talking versus 120 hours of parsing through the tape. So these are different ways that if somebody's, excuse me, still monitoring you, they can collect against you, but these would require physical collection. So in a domestic abuse situation, an ex situation where the kids are going back and forth, you have the perfect vehicle. You have a camera in here, microphone, battery and limited storage, so that when the bear goes back to the ex's house they can switch out the battery, they can switch out the USB, SD card, what have you, and they have insight for what happened with the kids while they are at the ex's. Or the teddy bear goes in mom or dad's office, and the teddy bear in one case was used to shoulder surf, gather passwords for the stalking case, which eventually got referred to law enforcement. But you have to think: why is this being brought here? Why is this coming and going, and here's how I'm vulnerable. These are not hard devices to detect once you know what you're looking for. The one caveat: if you do have an electrician who wires audio/video monitoring into a house surreptitiously, that's a different level of monitoring. Law enforcement's definitely interested; that would get someone some free meals for the next 10 to 15 years.

Apple means well, they really do. Another case we found with electronic surveillance is turning the AirPods and using those as hearing aids. All that would take is leaving the iOS device in one room, enabling the hearing aid option on the iPhone, which is native to iOS now, and the abuser can be in the other room with the AirPods on, but using it as a hearing aid, and they actually used that as a remote listening device to the conversation two or three doors away, two or three rooms away.

Something else to consider: why do they, formerly taking their phone with them all the time, now leave the phone behind, but they leave the AirPods? That's odd. This might be what's going on; your privacy's at risk. Bluetooth collection: if you run something like Net Toolbox you can run a Bluetooth scan to see what's in the house, to see if there's any Bluetooth collection, confirm if there's anything rogue in the device like the teddy bear, like the alarm clock, if they're using that as the exfil channel. And Bluetooth is promiscuous, so once it's in that plist it's not hard for an investigator to... a plist is a method, it's the list of all the devices that are ever connected, kind of like a database if you will. So you can see this device with this Bluetooth address, this MAC address, was placed into service two days after this fight, and I've been monitored. That's stored on your phone for perpetuity; that's easy evidence for the police to gather.

Coming into the home stretch: the physical tracking. You can actually buy a bug off of Amazon, goes on underneath someone's car. It's 50 dollars, or 25 dollars a month. It looks like an old cellular modem, and they market it for spouses, and it gives you a collection like this where you can actually see where the car has gone, which is really cool, except if I tell you that I lied to you: this isn't really collection from a bug, this is collection from GPS data from a Facebook, from a phone, from a case I was working. The GPS data was put on Google Maps as a KML file. I don't need a beacon if I have access to your Facebook or your phone and can rip that file out with the GPS locations. You have a bug; you have to change your password so someone doesn't have access to your devices. Very simple.

Fitness: because a lot of people like the GoPros, not the GoPros, you have Fitbits, the fitness trackers. They connected to their Twitter, they advertised their runs, where they've been. There's a murder case in San Francisco where someone was arrested because their Fitbit was beaconing out their daily run, which coincided with the murder. I like having dumb criminals; that makes jobs easier. But if you're worried about being stalked, or the person who comes to you for help is worried about being stalked, as a mentor for BSides Vegas said: stop it. Stop wearing your beacon, stop advertising where you're going. It's that simple to mitigate this risk. The world can live without knowing Susie's run; they don't need to know that Bob went to CrossFit and then ran for three miles. Nobody. If you're worried about being tracked, get rid of the tracker. Very simple.

All right, well, again, this is too much. I'm gonna order a pizza: be persistent and thorough. When I was getting this talk together I got lazy, ordered bad pizza. I went to Domino's and I saw that not only was my address here, my phone number, my credit card stored, my past two years of credit, my past few years of pizza orders had been stored on there.

So if your person coming to you for help orders pizza every Thursday night and the abuser knows this, it's easy to see where they're going for their safe house to get away from the abuser. Change all the passwords.

All right, we are in the home stretch, a little bit happier; it's a heavy subject, thanks for sticking through with me. Identity theft, very simple: if you're in the U.S., go to identitytheft.gov and report it. In the fraud triangle, divorce, abuse situations, you have the rationale, the rationalization of: well, I deserve this, I've worked so hard to support them, they're going to divorce me. I've got the opportunity: I've got their checks, I've got their credit card, I've got a copy of the passport. I'm going to be divorced and won't have their income, but they owe me. A narcissist can go down this path of self-justification. There's things like SpoofCard: you're going through a divorce situation, you put in Citibank's phone number, you call the target, or someone else calls the target: you know, we understand these charges are going through, we just need to verify A, B or C. It looks like it's a correct situation; it's really the abuser coming back in to steal a little bit more before the case is over. Your guard has to be up for fraud. So you go to identitytheft.gov, you get an FTC, Federal Trade Commission, case number. They work with you, they work with the banks to report this, and it's very binary: if there's identity theft you have to report it. If you don't report it, that means you're complicit, that means you are okay with what they've done to you, and you don't really have... the longer it goes after this has happened, the less of a chance the courts and the banks will work with you. Again, very binary. The technical means, am I being monitored, is somebody stalking me digitally, are they into my account? Yes, that's very complex; there's a lot of different venues we touched on. Identity theft: either report it or don't. If you don't report it, that's on you; there's nothing else we can do for you, to be blunt. If you do report it, that goes to the FTC, the consumer commission, and you've got a lot of large corporations that will help you. Even if you go to the police with this and say this has happened, they're going to send you to identitytheft.gov on a clean machine to report this. So the sooner you report this the better.

Lastly, we're getting into data availability. We talked about controlling environment, identity; the last, data availability. This thing used to be: if it ain't cable traffic it ain't... if it ain't documented. If you don't write down dates, times, events when they happen, whether it's just an email to yourself, an email to an attorney, to a friend, if it doesn't have that header, the metadata, the date/time stamp of you reporting this, it doesn't matter. So documentation: that's hard. That's when you're working an IDA case, an intrusion case, a digital forensic case, domestic abuse, broadcast: if you don't document it, it doesn't happen. You've got to document these dates, times and events with authorities. Document the files: I found this event on this date and here's what. Do it as it occurs, you know, this, like, saying style practice: if you don't document when it occurs, you're going to have a backlog of files to document later, and good luck with that. Might come from firsthand experience; I can't say that for sure.

The other thing about availability, on the soft skill: be available for the other person. This isn't a PIMS ticket that comes into your queue, this isn't a help desk ticket, an incident that comes in through cable traffic, however you get your alert to work. This is a person coming to you after hours with a live situation. They can't walk out of this and walk home; this is their life. Be available. If they want to talk, listen; if they want to go out to eat, if they can, you're part of the world, do it. Be available for the other person. They're going through some hard times and they come to you for help; be there for them, because it's eventually going to end and they're going to remember how people treated them. So be a good person for this. You know, it sounds a little bit silly to say, but we get so lost in the ones and zeros sometimes that we forget that the ones and zeros are data that goes back to someone's life that we're helping them rebuild, to defragment, and it's a necessary thing.

The data availability: the data that you find, whether it's that printer queue we talked about, whether it's documents that have beacons embedded, that's the only copy. This isn't some multi-trillion, a billion dollar corporation. I recommend the PACE plan: you have a primary, an alternate, a contingency copy, an emergency copy. Personally I like to make four copies. Have one stored in a safe deposit box, one with an attorney, one with a branch chief, division chief, law enforcement, doesn't matter. You have a copy you're working from, but the primary is locked away. That way if Murphy happens, it's the unthinkable, just like the beginning of the presentation where I think controlling mouse and keyboard, it happens. Bad things are going to happen to data, so you want to make sure that these files, you've got redundant copies stored in multiple locations, so that you can help this person rebuild their lives.

Four minutes left. Firm, friendly, final and fair: a little bit of social engineering here as we approach the endgame. If you say, I don't want to be on your cell phone plan anymore because I think you're stalking me, that's going to be a hostile reaction. If you say, or the other person says, you know, things are getting a little bit tough, I've got this new job, I've got my own cell phone. Lie; no one's gonna say anything. Lie a little bit: I've got my new cell phone plan through work, you know, here's my new number, you don't have to pay for this anymore, it's going to lower your bill. You put a little bit of a carrot and stick out there of benefit to them: you no longer have to pay that extra forty dollars a month, that's money in your pocket, isn't that great? But you've still removed them from access to your call data records, access to your texts, and because of this it's the same endgame, but not a little bit, it's a lot smoother ending for the same outcome.

Another thing for the outcome to touch on: if this does get to law enforcement, that we as the infosec community have been helping, assisting the abuse victim, we're going to be considered the guy or the gal, whatever, in the black hoodie, the hacker who's doing this malicious activity. We have to be beyond reproach in this. Even though you might know how to hack into somebody's whatever account, we definitely can't. In general, I shouldn't say that, we're supposed to be hackers, elite, haha, but you don't want to get involved and go to jail for someone else's domestic dispute. Be beyond reproach in this.

A little bit of humor to close this out. Shared technology in a domestic conflict: one device had strong encryption, strong authentication, wasn't leaked and wasn't able to share any secrets. The other device, weak encryption, and the device was wiped. How fast of a movie would Star Wars have been if C-3PO, they just run, you know, data recovery: oh, that's who my dad was. 30 minutes in the movie, game over, and George Lucas would have lost millions and trillions of dollars on merchandise revenue.

Unauthorized devices on a network: was it 2023? Nebula showed up in 2014. Thanos detected an unauthorized device on his network. He did a live memory forensic analysis, shout out to Andrew Case for this one, Google Takeout analysis of location, chats and images, and because there's an unauthorized device in his network, Thanos was able to respond to a threat. Conversely the Avengers, because they lost the device, she had a man-in-the-middle attack, a Titan-in-the-middle attack for you, like this, they lost all this data and they were unaware that Thanos had copies of all their plans and intents.

TL;DR: change your passwords over and over again on a known clean machine, change your locks, report the events to law enforcement as they happen. I hate to do it, I don't like dealing with law enforcement, but you've got to document to help the other person to get off the X, make their life better. Document events as they happen. Thank you, we're right at 5 p.m. I'm iOS Forensic, Will Baggett, 10x engineer.com. If you would like copies of the slides, I don't know if we're doing questions or not, but my email is right there, 10x engineer.com, and thank you, and appreciate being part of the conference.

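The talk's Bluetooth point is that a phone's paired-device list records every device that was ever connected, so a device first seen "two days after this fight" becomes dated evidence. The following Python is an added example, not from the talk or the speaker: it parses a constructed paired-device list in Apple XML plist format with the standard library's `plistlib`, flags devices whose first connection is on or after a given incident date, and emits timeline lines of the "dates, times and events" kind the speaker asks helpers to document. The key names `PairedDevices`, `Name`, `FirstConnected` and `LastConnected`, the addresses and the dates are all constructed for illustration and are not Apple's real schema.

```python
"""Flag Bluetooth devices that first appeared after an incident date.

Added example, not from the talk. The plist layout is a constructed stand-in:
the key names below are assumptions for illustration, not Apple's real schema.
"""
import plistlib
from datetime import datetime

# Constructed sample paired-device list in Apple XML plist format.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PairedDevices</key>
  <dict>
    <key>a4-83-e7-11-22-33</key>
    <dict>
      <key>Name</key><string>Jane's AirPods</string>
      <key>FirstConnected</key><date>2019-11-02T19:10:00Z</date>
      <key>LastConnected</key><date>2020-07-01T08:00:00Z</date>
    </dict>
    <key>00-1a-7d-da-71-13</key>
    <dict>
      <key>Name</key><string>BT Clock</string>
      <key>FirstConnected</key><date>2020-06-12T22:41:00Z</date>
      <key>LastConnected</key><date>2020-07-09T03:02:00Z</date>
    </dict>
    <key>c8-3d-d4-9a-00-ef</key>
    <dict>
      <key>Name</key><string>Unknown device</string>
      <key>FirstConnected</key><date>2020-06-13T01:15:00Z</date>
      <key>LastConnected</key><date>2020-06-13T01:20:00Z</date>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed date of the argument the helper is building a timeline around.
INCIDENT = datetime(2020, 6, 10, 0, 0)


def load_paired_devices(plist_bytes):
    """Parse the plist and return one record per paired device.

    plistlib turns <date> elements into naive datetime objects in UTC, which is
    what the comparisons below rely on.
    """
    data = plistlib.loads(plist_bytes)
    records = []
    for addr, info in data.get("PairedDevices", {}).items():
        records.append({
            "address": addr,
            "name": info.get("Name", "<unnamed>"),
            "first_connected": info["FirstConnected"],
            "last_connected": info["LastConnected"],
        })
    return records


def devices_after(plist_bytes, incident):
    """Devices whose first connection is on or after `incident`, oldest first."""
    hits = [r for r in load_paired_devices(plist_bytes)
            if r["first_connected"] >= incident]
    return sorted(hits, key=lambda r: r["first_connected"])


def timeline_report(plist_bytes, incident):
    """One dated line per flagged device, suitable for an evidence log."""
    lines = []
    for r in devices_after(plist_bytes, incident):
        delta = r["first_connected"] - incident
        lines.append(
            f"{r['address']}  {r['name']:<16}  first seen "
            f"{r['first_connected']:%Y-%m-%d %H:%M}Z ({delta.days} days after incident), "
            f"last seen {r['last_connected']:%Y-%m-%d %H:%M}Z"
        )
    return lines


if __name__ == "__main__":
    for line in timeline_report(SAMPLE_PLIST, INCIDENT):
        print(line)
```

A device that was paired long before the incident (the AirPods above) is left out of the report, so only the two devices that appeared afterwards are listed with the day offset the speaker describes. On a real device the exported plist will have a different layout, so the key lookups in `load_paired_devices` are the part to adapt; the sorting and date arithmetic stay the same.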