LegionNET

Anonymous visits US DoJ, FBI, Police & Mil Cybercrime unit

Nov 18th, 2011
  1.  
  2. _ _ __ __
  3. __| || |__ _____ _____/ |_|__| ______ ____ ____ #antisec
  4. \ __ / \__ \ / \ __\ |/ ___// __ \_/ ___\ #anonops
  5. | || | / __ \| | \ | | |\___ \\ ___/\ \___ #OWS
  6. /_ ~~ _\ (____ /___| /__| |__/____ \ \___ \ \___ | #lulz
  7. |_||_| \/ \/ \/ \/ \/ #security
  8.  
  9. /*******************************************************************************
  10. *** #OCCUPYWALLSTREET CRACKDOWN RETALIATION TASK FORCE ***
  11. *******************************************************************************/
  12. Friday 18th Nov - Lulz on Cybercrime Task Forces - US DoJ-FBI-Police-Military
  13.  
  14.  
  15.  
  16.  
  17. '...Subject: Pedobear info
  18.  
  19. Great, now they have a mascot....'
  20.  
  21. -Frank
  22. ^trollolol XD
  23.  
  24.  
  25.  
  26. QUOTES:
  27.  
  28.  
  29.  
  30.  
  31. Voicemail from +191XXXXXXXX
  32. Sep 23, 2011 PM Transcript: Hi, This is Jennifer calling from D. O. J Bureau firearm
  33. and I received your C C W renewal. B. O. F. It's now I'm sure you received the notifying out to France
  34. is not processing the C C W request everything else looks good, however I'm missing page 2 of the
  35. request in D. C. W work with them background disclosure forms. If you could give me a call. I'll be in
  36. the office on Monday at 8 o'clock. My number is (916) 274-6136 and I'm here in the office until 4:30
  37. today, thank you bye.
  38.  
  39. --------------------------------
  40.  
  41.  
  42. Does anyone know if Facebook maintains archives of a persons webpage?
  43.  
  44. Scenario: Person had something on a page, when questioned, it
  45. mysteriously disappeared !!
  46. Is there a time frame for a subpoena to obtain an archive page ???
  47.  
  48. Thanks
  49.  
  50. John W. Yeager
  51. Senior Advanced Specialist 1 - Forensics, Contractor
  52. Defense Computer Forensics Laboratory
  53. John.Yeager.ctr@dc3.mil
  54. (410) 981-0036
  55.  
  56. ^ Lulz
  57. -----------------------------------------
  58.  
  59.  
  60. Is there a Facebook white paper or other document to assist with the interpretation of a Facebook url?
  61.  
  62. I am trying to determine when a specific Facebook account was logged in during a set time.
  63.  
  64. Thanks
  65.  
  66.  
  67. William Oettinger
  68. GySgt USMC
  69. Marine Corps Base Hawaii - Legal
  70.  
  71.  
  72.  
  73. Generally, Facebook does not retain deleted content. If you get a preservation
  74. letter to them before the deleted content is removed from their server,
  75. maybe 48 to 72 hours, they will hold the data for you. If not, it's gone.
  76. You may be able to find deleted content on archived web pages using sites
  77. like the Wayback Machine, but I'm not sure how often that's updated. Hope this
  78. helps.
  79.  
  80.  
  81.  
  82.  
  83. ^ thanks for the tips
  84. --------------------------- -------------------
  85.  
  86.  
  87.  
  88. I have an eDonkey referral - CP - from Germany - I'm attempting to get a
  89. warrant written based on the information I've been provided...
  90.  
  91. I've attached a screenshot regarding my question -
  92.  
  93. Their eDonkey LOG file (text based) gives me my suspect's IP address,
  94.  
  95. date, time etc., with the following value of the file:
  96.  
  97.  
  98. 6BCC76487A3389941ED5248F4F1D7513
  99.  
  100. However, another document they've provided also gives me the MD5 Hash
  101. value of the file (NOT provided from the eDonkey logs) - the MD5 matches
  102. the actual file they sent me from their law enforcement CP library - the
  103. MD5 hash value of the file is this:
  104.  
  105. 857d5bedc3e75397246226c7a3c18bfa
  106.  
  107. My question is - what value is the eDonkey log reporting here ? i.e.,
  108. 6BCC76487A3389941ED5248F4F1D7513 - and how do I "convert" this to show
  109. it "matches" the MD5 hash value of the file itself?
  110.  
  111.  
  112. ****Please note new address*****
  113.  
  114. Maggi Holbrook, CFCE
  115. Sr. Computer Forensics Investigator
  116. VPD-CCSO Digital Evidence Cybercrime Unit
  117. 2800 NE Stapleton Rd
  118. Vancouver WA 98661
  119. LAB: (360) 487-7489
  120. FAX: (360) 695-3530
  121. maggi.holbrook@ci.vancouver.wa.us
  122. Member - Seattle/Pacific Northwest Regional ICAC Task Force
  123.  
  124. ------------------------------------------------
  125.  
  126.  
  127.  
  128.  
  129.  
  130. Actually, if you are using the Vista or Win7 AIK, you can set the Windows Pre-Installation Environment not to
  131. automount any devices on boot, which is what Helix, SPADA and others do with Linux. There are two changes to
  132. make in the registry of the PE system to make what Troy Larson refers to as Windows FE (Forensic Environment).
  133.  
  134. I’ve built and tested several of these using various file systems, both Windows recognized and not, as subject
  135. devices and so far none of the hash values have changed when booted with Windows FE. Windows FE is all
  136. command-line but can run FTK Imager and EnCase. The only function of EnCase I haven’t got working is EnScripts
  137. and Conditions/Filters. I think I need a language pack or something because when I view the code, it’s all
  138. garbled up.
  139.  
  140.  
  141. In regards to this post, at the motion I would want the defense expert to testify to how the Windows PE that he
  142. intends to use is built, if he’s made any modifications to the registry, if he has loaded any drivers and
  143. describe in detail the drivers he has loaded, their function and provide all these details in his testimony. I
  144. read through the Microsoft Technet information on ImageX and I have questions as to the forensic integrity of this
  145. tool that would have to be proved through testing and validation. I’ve never used it and haven’t had anyone
  146. else propose using it as a forensic imaging tool. I would expect this expert would be able to provide written
  147. documentation of that testing and validation process for the prosecution’s review at the motion hearing. Those
  148. tests should then be reviewed to see that they are following sound forensic procedures. In the end, the only
  149. way to know if ImageX and the expert’s version of Windows PE are following forensic guidelines and practices is
  150. to review and thoroughly test his proposed procedures. I know this is a last minute thing but that’s why
  151. there’s caffeine in coffee.
  152.  
  153. ----------------------------------------------------------------------------
  154.  
  155. We recently got a file server, a 15 TB RAID, which we use for cases. We image directly to the server. The case
  156. will remain on this forensic file server for 3 years, at that point it is copied using the tape drive and
  157. archived, however it is purged off the server. Other than that, a case will not be deleted from the server
  158. without written authorization from the investigator (we may do this for some of the really big cases) as
  159. needed.
  160.  
  161.  
  162. in reply to
  163.  
  164. Question in regard to evidence retention...
  165.  
  166. We submit our case drives and examination result CDs/DVDs as evidence and store them in our unit (the room is
  167. considered an evidence locker).
  168.  
  169. We're curious what other agencies are doing when paperwork is filed for evidence to be released / destroyed.
  170. Are you returning / destroying the computers and associated original evidence but still maintaining the case
  171. drive containing the acquired image files... Or do you destroy the CDs/DVDs and wipe the case drives for reuse?
  172.  
  173. For those imaging to Network Attached Storage, as opposed to case drives, do you retain the image on the NAS or
  174. discard that, as well...
  175.  
  176. Thanks in advance for your replies.
  177.  
  178.  
  179.  
  180. ------------------------------------------------------------------
  181.  
  182. Subject:Processing doctor/lawyer/priest/etc computers
  183.  
  184. Hello,
  185.  
  186.  
  187.  
  188. I was wondering what, if any, additional steps, processes or procedures anyone is using when processing a computer obtained via search warrant from a doctor's office and/or criminal law office and/or non-criminal law office, etc. Essentially, any computer where there is a good likelihood that privileged materials on it are co-mingled with materials related to the specific criminal activity which is being conducted on the part of the doctor/lawyer/priest/etc in question.
  189.  
  190.  
  191. REPLY:
  192.  
  193.  
  194. 1> Doctor check for sexual assault videos of unconscious patients.
  195. 2> Lawyer check for fraud offences and other trust account violations.
  196. 3> Priest check for CP.
  197.  
  198.  
  199.  
  200. Peter Kingsley
  201. Ad.Dip.I.T. CFCE
  202. Operation Manager
  203. Forensic Computer Examination Unit
  204. Queensland Police Service, Australia
  205.  
  206.  
  207.  
  208.  
  209.  