Collar Bomber Gets Owned By Word Metadata & USB Drive

Use Netsparker

There were other more technical and probably relevant stories to report on today, but for some reason I just found this story very odd and strangely fascinating.

Now here a strange case, a man climbs into a young girls bedroom in the middle of the night, threatens her with a baseball bat and then chains a bomb to her neck. His random instructions include e-mailing to a Gmail account and he leaves a ‘soft copy’ version of the ransom note on a pen-drive with the girl.

You can find the court docs here – Collar Bomber Complaint

The man who claimed to have attached a bomb collar to an Australian high school student two weeks ago thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn’t realize is that he also left his name, hidden deep in the device’s memory.

Court documents unsealed Tuesday describe the harrowing Aug. 3 incident, which began when a man broke into Madeline Pulver’s bedroom wearing a striped balaclava and wielding a black aluminum baseball bat. He told her to sit down and chained a black box around her neck.

He also draped a purple lanyard over the terrified girl with a note saying that the black box was a bomb. The note included ransom instructions for Pulver’s family, telling them to e-mail a Google address — — for further instructions. Also on the lanyard was a 4GB USB stick that contained a digital version of the note, saved as a pdf file.

The next 10 hours were a gruelling ordeal for the girl before a Sydney police bomb squad was able to determined that the threat was a hoax. But a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: “Paul P.”

On Monday, U.S. authorities arrested Paul “Doug” Peters, 50, in La Grange, Kentucky, seeking to extradite him to Australia to face kidnapping and breaking-and-entering charges. It’s not clear why Peters attempted such a bizarre crime, but U.S. prosecutors say he once worked for a company linked to Pulver’s family. The girl’s father, Bill Pulver, is the CEO of voice recognition software company Appen Butler Hill.

There are plenty of metadata extraction tools such as Metagoofil and The Revisionist. And well even without those, after recovering the file you can just open it in Word and view the metadata.

I’m guessing this Paul Peters chap wasn’t so familiar with wear levelling and metadata. He should have known better, and well he was doing this for a really he should have just bought a new pen-drive for the job.

But as we know well, these people don’t think like we do – that’s why they end up in the news.

Police collected footage from surveillance cameras in a library where a computer was used to access the Gmail account. The footage, along with the USB drive and circumstantial evidence, such as purchases made around the time of the incident, link Peters to the crime, prosecutors say.

Even if the collar bomber had known his name was on the USB drive, it would have been very hard to remove it, according to Frank McClain, an independent computer forensics expert.

As computer geeks and investigators know, when users delete a file from a computer the file isn’t deleted immediately from the hard drive. Instead, the computer takes note that the area of the disk where the file is stored is now available to be written over. So investigators can often recover at least snippets of data from files that are supposed to have been deleted.

With flash drives things are more complex, thanks to mechanisms built into the drives to prolong their lifespan. Because flash memory cells stop working after they’ve been overwritten too many times, flash devices use tricks called “wear leveling” to even out how the memory cells are used. A side effect of wear levelling is that it is “almost impossible” to completely erase data from a flash device, McClain said.

That can come in handy for people trying to recover photos or other files they’ve accidentally deleted, and there are many tools, some of them free, to help recover their data.

The collar bomber’s first mistake was thinking he could delete something completely from his USB stick. But he also erred by not altering the metadata in his Word document. When Word saves a document, it automatically saves data, such as the user’s login name, as part of the file. Office 2007 users can see this metadata by hitting the Office button, then “Prepare” and “Properties.”

Well there you go, an interesting mid-week story – not entirely sure what is going to happen to this guy. Doesn’t seem like a really strong case for extradition – he just seems like a complete nutcase.

He had a decent enough idea for extortion I suppose, just a really poor execution. Perhaps he’s been watching to o many Hollywood movies where these things seem really easy and nothing even goes wrong.

BTW if any of you readers out there see any cool new tools/techniques or news tidbits that I may have missed, I always welcome a heads-up so just hit me up on the Contact Page here.

Source: Network World

Posted in: Forensics, Legal Issues

, , ,

Latest Posts: - Test SSL Security Including Ciphers, Protocols & Detect Flaws – Test SSL Security Including Ciphers, Protocols & Detect Flaws is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.

6 Responses to Collar Bomber Gets Owned By Word Metadata & USB Drive

  1. Vince August 18, 2011 at 7:45 pm #

    Why would you want a soft copy of a ransom note? That seems like a really really dumb thing to do. There are already printer marks to help identify the printer used to print the letter, why make it easier for the police.

    • Inzel August 19, 2011 at 7:31 pm #

      What an idiot. It really makes no sense to have a soft copy of the ransom note… That’s what I have been wondering too…

  2. Dirk Struan August 21, 2011 at 7:32 pm #

    Btw, Dirk Struan 1840 (from the email) is a character from the novel Tai-Pan written by James Clavell. In the novel he founds a company which would later become the most powerful corporation/conglomerate in Asia (based on the real life company Jardin-Matheson).

    I have no idea what the connection is supposed to be though. Wierd.

  3. Paul August 22, 2011 at 4:22 am #

    “so really he should have just bought a new pen-drive for the job”

    The metadata wasn’t a remnant on the drive, it was in the doc he intentionally put on there.

    He allegedly did buy a new USB stick, albeit with his Mastercard (it’s almost as if he went out of his way to leave a trail).

    • Darknet August 22, 2011 at 11:00 am #

      Yes it was, the metadata was retrieved from a deleted Word document on the drive. He must have created it on the pen-drive, converted it to PDF then deleted it.

      “But a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: “Paul P.””

  4. Natas August 22, 2011 at 1:14 pm #

    Hahaha :D I love this!

    This is technically the exact same thing that usually let’s me rip a couple of additional files off the flashes teachers or some friends use for sharing data. Not many seem to realize that just deleting and checking the recycle bin isn’t really enough.