18 August 2011 | 13,147 views

Collar Bomber Gets Owned By Word Metadata & USB Drive

Cybertroopers storming your ship?

There were other more technical and probably relevant stories to report on today, but for some reason I just found this story very odd and strangely fascinating.

Now here a strange case, a man climbs into a young girls bedroom in the middle of the night, threatens her with a baseball bat and then chains a bomb to her neck. His random instructions include e-mailing to a Gmail account and he leaves a ‘soft copy’ version of the ransom note on a pen-drive with the girl.

You can find the court docs here – Collar Bomber Complaint

The man who claimed to have attached a bomb collar to an Australian high school student two weeks ago thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn’t realize is that he also left his name, hidden deep in the device’s memory.

Court documents unsealed Tuesday describe the harrowing Aug. 3 incident, which began when a man broke into Madeline Pulver’s bedroom wearing a striped balaclava and wielding a black aluminum baseball bat. He told her to sit down and chained a black box around her neck.

He also draped a purple lanyard over the terrified girl with a note saying that the black box was a bomb. The note included ransom instructions for Pulver’s family, telling them to e-mail a Google address — dirkstraun1840@gmail.com — for further instructions. Also on the lanyard was a 4GB USB stick that contained a digital version of the note, saved as a pdf file.

The next 10 hours were a gruelling ordeal for the girl before a Sydney police bomb squad was able to determined that the threat was a hoax. But a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: “Paul P.”

On Monday, U.S. authorities arrested Paul “Doug” Peters, 50, in La Grange, Kentucky, seeking to extradite him to Australia to face kidnapping and breaking-and-entering charges. It’s not clear why Peters attempted such a bizarre crime, but U.S. prosecutors say he once worked for a company linked to Pulver’s family. The girl’s father, Bill Pulver, is the CEO of voice recognition software company Appen Butler Hill.

There are plenty of metadata extraction tools such as Metagoofil and The Revisionist. And well even without those, after recovering the file you can just open it in Word and view the metadata.

I’m guessing this Paul Peters chap wasn’t so familiar with wear levelling and metadata. He should have known better, and well he was doing this for a ransom..so really he should have just bought a new pen-drive for the job.

But as we know well, these people don’t think like we do – that’s why they end up in the news.

Police collected footage from surveillance cameras in a library where a computer was used to access the Gmail account. The footage, along with the USB drive and circumstantial evidence, such as purchases made around the time of the incident, link Peters to the crime, prosecutors say.

Even if the collar bomber had known his name was on the USB drive, it would have been very hard to remove it, according to Frank McClain, an independent computer forensics expert.

As computer geeks and investigators know, when users delete a file from a computer the file isn’t deleted immediately from the hard drive. Instead, the computer takes note that the area of the disk where the file is stored is now available to be written over. So investigators can often recover at least snippets of data from files that are supposed to have been deleted.

With flash drives things are more complex, thanks to mechanisms built into the drives to prolong their lifespan. Because flash memory cells stop working after they’ve been overwritten too many times, flash devices use tricks called “wear leveling” to even out how the memory cells are used. A side effect of wear levelling is that it is “almost impossible” to completely erase data from a flash device, McClain said.

That can come in handy for people trying to recover photos or other files they’ve accidentally deleted, and there are many tools, some of them free, to help recover their data.

The collar bomber’s first mistake was thinking he could delete something completely from his USB stick. But he also erred by not altering the metadata in his Word document. When Word saves a document, it automatically saves data, such as the user’s login name, as part of the file. Office 2007 users can see this metadata by hitting the Office button, then “Prepare” and “Properties.”

Well there you go, an interesting mid-week story – not entirely sure what is going to happen to this guy. Doesn’t seem like a really strong case for extradition – he just seems like a complete nutcase.

He had a decent enough idea for extortion I suppose, just a really poor execution. Perhaps he’s been watching to o many Hollywood movies where these things seem really easy and nothing even goes wrong.

BTW if any of you readers out there see any cool new tools/techniques or news tidbits that I may have missed, I always welcome a heads-up so just hit me up on the Contact Page here.

Source: Network World


Recent in Forensics:
- Rekall – Memory Forensic Framework
- DAMM – Differential Analysis of Malware in Memory
- Malheur – Automatic Malware Analysis Tool

Related Posts:
- The Revisionist – Metadata Retrieval Tool
- Just-Metadata – Gathers & Analyse IP Address Metadata
- Metagoofil v1.4 Released – Metadata and Information Gathering Tool

Most Read in Forensics:
- NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows - 66,214 views
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks - 33,268 views
- sslsniff v0.6 Released – SSL MITM Tool - 27,160 views

Low-cost VPS Hosting

6 Responses to “Collar Bomber Gets Owned By Word Metadata & USB Drive”

  1. Vince 18 August 2011 at 7:45 pm Permalink

    Why would you want a soft copy of a ransom note? That seems like a really really dumb thing to do. There are already printer marks to help identify the printer used to print the letter, why make it easier for the police.

    • Inzel 19 August 2011 at 7:31 pm Permalink

      What an idiot. It really makes no sense to have a soft copy of the ransom note… That’s what I have been wondering too…

  2. Dirk Struan 21 August 2011 at 7:32 pm Permalink

    Btw, Dirk Struan 1840 (from the email) is a character from the novel Tai-Pan written by James Clavell. In the novel he founds a company which would later become the most powerful corporation/conglomerate in Asia (based on the real life company Jardin-Matheson).

    I have no idea what the connection is supposed to be though. Wierd.

  3. Paul 22 August 2011 at 4:22 am Permalink

    “so really he should have just bought a new pen-drive for the job”

    The metadata wasn’t a remnant on the drive, it was in the doc he intentionally put on there.

    He allegedly did buy a new USB stick, albeit with his Mastercard (it’s almost as if he went out of his way to leave a trail).


    • Darknet 22 August 2011 at 11:00 am Permalink

      Yes it was, the metadata was retrieved from a deleted Word document on the drive. He must have created it on the pen-drive, converted it to PDF then deleted it.

      “But a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: “Paul P.””

  4. Natas 22 August 2011 at 1:14 pm Permalink

    Hahaha :D I love this!

    This is technically the exact same thing that usually let’s me rip a couple of additional files off the flashes teachers or some friends use for sharing data. Not many seem to realize that just deleting and checking the recycle bin isn’t really enough.