That CP one was actually horrifying because it meant without the work of these two brilliant analysts that poor guy would have been found guilty along with all the stigma that goes along with being a known paedophile. That guy's life was literally on the edge of the knife.

best wiping pattern ever.

Which one should I drink from? "yes"

The banter between the two for drinking a single beer is excruciating.

I wiped my drive at my former employer simply because I had all my passwords saved and I didn't want anything left behind. Kinda scary to think that could have been enough to prove I stole anything and bankrupt me, ruining my future for ever.

this is pretty interesting, but goddamn, these guys are some turbonerds

One of my Favourite Defcon Talks that i keep cming back to when i need a laugh.

Defcon - the drinking game

Who needs Big Bang Theory when you have real-life awkward nerds like these guys.

Ugh this is back when everyone was yelling "fail" all the time.

Seems like there should be a subtitle of "Don't use Windows, unless you want to get caught" lol

Wait, you gave the guy crap for having Nickelback albums, but he didn't! They were just porn renamed so nobody would open it!

Maybe the RDP guy was clever, connecting to a first computer with RDP without his printers, then sharing the printers of the subsequent machine?

The last one was brutal, but is also shows just how horribly bad things can go when you have the wrong people against or for you. That poor guy basically had to uproot his whole life and start fresh, which a few million dollars might help with but it is mostly just a small help getting started.

Based on the technical skill shown here I guess I could be running my own computer forensics company

I do have a problem with case #1. If this is all of the evidence they had against him, there is no way he should have been found guilty, at all. They can tell you deleted something, okay, but without KNOWING what was deleted and unrecoverable they have nothing but speculation. I am hoping there was actual evidence to base the verdict on, but the way the legal system works in this country now, it is actually very possible that they did not and used the sole fact that he deleted something unknown to base their decision on.

I learned a lot, but oh my god these meme spouting nerds, I mean I'm as nerdy as the next guy but even I would give these guys some wedgies.

Presenter: *breathes* Audience: (in unison) FAIILLLLLL faIL FaIL FAAILLLfAILL

Michael seems a little nervous... however, his explanations are clear AND he makes good jokes ^^ Eric Rob is quite the connoisseur in fraud. Very nicely put. Thanks for all this info and laughter guys :)

The audio on this is awesome! Thank you for the upload!

That last story caught me so off guard, and like some older comments here, it's really really fucking scary how easy someone could frame you for such a thing. People make jokes about "trust no one" but damn, this really makes you want to trust NO ONE.

Hmm, overwriting sectors, even with random data, can almost always be detected? What if you had a destruction tool that grabbed blocks of data from a non-deleted file, and used that to overwrite the deleted data? To make it look like a different file had been on those blocks, and had been deleted?

I know half this shit is based on real cases but i laughed my ass off - thanks buddy

Awesome presentation and great choice of ending music!

I found it interesting...nothing bored and they mention some useful tools

I'm pretty sure that by the time of this talk fedoras were considered pretty unfashionable

so, according to #1 people can sue you for using a drive wiping program if you can just vaguely connect a case to you

“mean phrases will make people dislike you” - guy who put the R-slur in a powerpoint

Ok, new idea for anti-forensics: Download gigabytes of the most disguting images you can find to your hard drive and change the file ending.

probably would have been fine with just one adderall

Fail #1. Now there is SSD with TRIM support, which automatically zeroes out some of the unallocated space on supported platforms.

Had to pause and create a smoking gun.txt on my desktop for fun!

Why is it that every Defcon conference I've seen those guys wearing the medal things always comes up and interrupts the speakers? Very annoying.

I'm glad they were able to clear that guy in the last case. That must've been a horrible thing to go through

Quality talk about experiences performing forensics analysis. Plenty of useful tidbits interleaved with some pretty funny stories.

I can't finish watching these guys.....

You can sometimes extract text from PDF so OCR may not have been necessary (I have seen where the text was in an image though).

Love these talks

The problem with the first one is their must have been something else to catch the guy or his lawyers were crappy. cause the fact that you wipe something does not prove a crime. All it proves is something was wiped. Yo can't prove a negative. The reason I know this is because I've been in a lot of courtrooms in my 41 years. I remember a case that just got into the hearing and was thrown out by the Judge because while the hard drive's unallocated space was wiped they could not prove what was there but could only prove it was wiped.

Holy shit. This is like entering a wormhole and going back to 2013... #Winning

I find it funny when I see a conference guy that looks very nervous like that. He doesn't show it too much but I know that, inside of himself, he's completely terrified. :D

Damn i kinda wanna know what ended up happening with the guy in the last case? did he get back with his wife? did he win the court case against the state?

This video is a great resource for those who wish to exfiltrate data.

I wonder if it would be possible to create a software that progressively overwrites your documents with mp3 files (i.e. from iTunes or Google Play) and then changes all extensions to .mp3. Would forensic IT be able to find the meddling and provide the company with a proof of suspected behavior?

The guy in the "Nickelback Guy" case would have had an even harder time hiding his files if it was a Linux system...

So when you hear all about these forensic examinations of hard drives, reading magnetic patterns with electron microscopes because it's been overwritten, is that ever taking place? It sounds like it's not needed from the ineptness shown by the people in these examples.

on the cp thing, there are issues with windows that can cause the system to constantly overwrite the creation, edit, and access dates to the current date. mine does it all the time with certain folders.

Man, what a couple of cheeseballs.

Can someone explain the first case to me? Could they prove that he had that list? I thought they could only prove that he deleted something. Also, if he filled his harddrive to the brink with movies or computer games and deleted those again, would that have the same effect as running one of those tools to remove evidence of a deleted file?

Them god dayme check boxes..

Fail #3 could now be done without court order using some heavy Spark processing of the pdfs. Cost of the research might be an issue though.

lol. Jump lists are in Win 7 and later, they were not in Vista. So the guy was actually right in the presentation.

When you start drinking beer because of the fails then fail more often due to drinking the beer.

How was the first guy prosecuted? In what way wiping data beyond restore off *your own* drive is illegal?

Proof of deletion isn't proof of crime. How did he lose? How'd the pregger guy lose his second job?

The Magistr email worm filled hard disks with the text "YOU ARE SHIT"

4:10 anybody an idea what program "Bob" used? i really need this in my Life xD

I'm confused, if you were going to steal IP from your old company to bring to a competitor, why would you do it on your work computer? Wouldn't iit make more sense just to copy all the files you need onto a private, or even secret computer?

Can you see if someone burned a CD?

Love Comic Sans - My fav font

Poor Edgar.

40:48 The date of the files they talk about is in 2012, government drops charges years later, this video is uploaded in 2013... Am I missing something here?

Nickelback guy is a god because they clicked nickelback songs with the porn and didnt click the more obscure ones that were actual trade secrets ;)

5:34 The Chad cryptographer VS the virgin FBI

Ummmm that was some funny stuff. And it amused me jolly. Keep it up

Question, so how do you prevent someone just use his/her cell phone camara to capture all sensitive data on their personal phone?

Seems like quite a lot of these detection methods would be thwarted by using a live cd of some kind of Linux and putting documents on a thumb drive. Anyone know of a weakness with that strategy?

If you cut out the annoying people interrupting this video would be 15 minutes long.

He didn’t say “yes, of course I wiped my drive, I moved to another job with a direct competitor. I wouldn’t want to accidentally take data with me.”?

Whats that blue light movie on his shirt !

With the deletion thing what if you just filled up your HDD with garbage data? Like you intentionally emailed yourself a worm that multiplied until you you were full and then just deleted all those garbage files?

Omg Charlie Sheen did that interview more than 5 years ago??

As vile as pregger fetish porn might be, it's *still* better than if it had actually been Nickelback!

11:05 A person that was a teenager when the first PCs were a thing helps me with my mid to high end gaming rigs from time to time (although less and less in my defense) and the first time I gave him my 1st PC he said he liked how I simply just had a folder labeled Porn within a subset of documents relating to a story I want to write. (the story docs were password protected naturally) I asked him how he knew that and he said he always goes looking for what kind of porn people have on their comps as it could bust a pedo and that people normally hide it in innocent sounding work related folders. He also said he respected my story password. I approved of this thinking but at the same time it tis somewhat of a violation of privacy, especially regarding muh story cos little did I know there is list of all passwords buried in the system of Windows that people in the know can easily access when using muh PC. So what I learned that day was the people who you hand your technology into for repairs probably know more about your habits than you might like. So what could people find who really want to find something? The answer is everything ever put into 1s and 0s as a rule of thumb.

Reminds me of when a woman got fired at work and when they searched her computer they found she was using a messenger to talk to another woman and they were both saying really nasty rumor mongering shit about management. Other woman got fired after that too.

I'm thinking of what to call my new program in the covering of the tracks... how's about; infinite spectrum Quasimodo redundancy matrix

Man, they're really meme spouting, turbonerds... but they do a good job.

this has got to be one of the worst talks in recent history. And they probably still think they are 'pretteh funneh'...

Did anyone go back to check if he grabbed the right beer?

Which one is Beavis...?

The second he said check unallocated space my mine instatly though "Fuck this dudes Fed status run away"

DIMENSIONS OF F A I L

Couldn't see the screen too well to read the program name and the audio didn't really seem to work for me hearing it. What's the name of that CP program?

thx good talk

I oddy wished I worked in a position that a company would spend the money to research my company computer if I quit. Working for a retail company they will just format the computer , not like I know any trade secrets or anything lol. I really don't no one tells me shit.

4:00 Bob's case: probably used Active @ killdisk

I want the drive wiping program from the 1st case... it would come in handy when I get rid of failing drives... #hidemahpronz

What was the cat balloon thing about?

wait some dude got 100k sued and the proof was that he just destroyed something? he could have argued that is was just porn

lol "fuck you fuck you fuck you"

Not sure which I found mopre entertaining, the video or the comments. I would have to say the comments as this was not Defcon's best presentation. Thanks for posting.

Now I'm thinking all prego porn has a soundtrack of NickleBack 0.o

Not all heros wear capes, some wear fedoras.

*Stores a valid PE/exe File with data destruction* Can you trace that?

21:10 "wow" had me laughing so hard

Como cuando eres la unica que habla espaňol neutro en Los comentarios:v Ahhh! Un clasico ksdjsxD

Fail #7 - When your malicious government actions get exposed, blame incompetence.

Oops, there's no such thing as "PDF format."

What did we learn? Use a ubuntu live cd.

MS SQL? That's a fail.