6 Responses to Collar Bomber Gets Owned By Word Metadata & USB Drive

  1. Vince August 18, 2011 at 7:45 pm #

    Why would you want a soft copy of a ransom note? That seems like a really really dumb thing to do. There are already printer marks to help identify the printer used to print the letter, why make it easier for the police?

    • Inzel August 19, 2011 at 7:31 pm #

      What an idiot. It really makes no sense to have a soft copy of the ransom note… That’s what I have been wondering too…

  2. Dirk Struan August 21, 2011 at 7:32 pm #

    Btw, Dirk Struan 1840 (from the email) is a character from the novel Tai-Pan written by James Clavell. In the novel he founds a company which would later become the most powerful corporation/conglomerate in Asia (based on the real-life company Jardine Matheson).

    I have no idea what the connection is supposed to be though. Weird.

  3. Paul August 22, 2011 at 4:22 am #

    “so really he should have just bought a new pen-drive for the job”

    The metadata wasn’t a remnant on the drive, it was in the doc he intentionally put on there.

    He allegedly did buy a new USB stick, albeit with his Mastercard (it’s almost as if he went out of his way to leave a trail).

    • Darknet August 22, 2011 at 11:00 am #

      Yes it was, the metadata was retrieved from a deleted Word document on the drive. He must have created it on the pen-drive, converted it to PDF then deleted it.

      “But a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: “Paul P.””

  4. Natas August 22, 2011 at 1:14 pm #

    Hahaha :D I love this!

    This is technically the exact same thing that usually lets me rip a couple of additional files off the flashes teachers or some friends use for sharing data. Not many seem to realize that just deleting and checking the recycle bin isn’t really enough.