Case file: Reality Winner

matt mitchell
Beyond “Install Tor & Signal”
Jun 17, 2017
DOCUMENT LAST UPDATED: 2:45PM EST JULY 4th, 2017

Below are resources for people who attended our advanced operational security session, Beyond Tor and Signal, at AMC 2017. This article will be fleshed out throughout the summer and is part of a series. In this example we are looking at the evidence collected against Reality Winner. The idea of this session was to learn from actual cases: real details, FOIA or unsealed public records, and verified published accounts of how circumvention technologies can be defeated. The hope is to improve operational security (#opsec) and glean the sources, capabilities and methods of various security forces and law enforcement agencies. Again, this will become an ongoing series, ‘Case File’, at our new Medium publication, Beyond Install Tor & Signal.

The identifying marks left on print outs to trace them back to their source.

What went wrong…

METADATA IN THE FILES & PRINTER CODES ON THE PRINT OUTS:
Reality Winner is accused of printing out classified documents and mailing them to a news organization. Whenever someone prints something in color, special codes are deposited on the page as yellow dots. Researchers at Purdue University in 2004 were also looking at ways to identify black & white prints & copies. The codes contain information about the exact printer used: its make, manufacturer, serial number, and the time and date of the printing. The common solution to circumvent these machine identification codes was printing in black & white or using copiers, but Professor Edward Delp of Purdue University has spoken about other techniques to track documents that don’t rely on yellow dots of information. Furthermore, there are patents by Microsoft to watermark screenshots to detect the source of leaks.

What they should have done…

Removed metadata: Using tools like MAT (Metadata Anonymizer Tool), for TailsOS (an anonymized and secure operating system you can boot off a USB). For information on making your own “tails stick” out of a 4GB (or larger) USB, read here. Be sure to change the creation & modification dates on files; it’s an obvious piece of metadata that many forget about. Adobe offers users a process for securing PDF files with the “redact” tool. Micah Lee & the First Look Media team created PDF Redact Tools.

Removed printer codes: One option is simply retyping the document manually. Another is to use technology for reading the text in an image or document and “retyping” those characters, for example Optical Character Recognition. OCR produces a new version of a document that carries no tracking data, effectively removing printer codes and other tracking methods. One of the best tools for this is Google & HP’s Tesseract, available as a library you can run on your computer if you are a bit technical (or you can bribe a nerd you know with human contact and caffeine to do it for you). There are easier-to-use programs that make use of Tesseract as well.

Resources:

  • When I am personally cleaning metadata, M.A.T. is the first step in a “triple washing” that I do. Renaming and copy-and-pasting the file is also intelligent.
  • Security researcher Martin Shelton shared with us an article written by Quinn Norton & Ted Han for OpenNews’ “SOURCE”, Protecting Your Sources When Releasing Sensitive Documents. The article details, step by step, things to consider when attempting to clean metadata.
  • EFF’s documents on the printer codes that are used to track the time, date, make and manufacturer of color printers, at the EFF Machine Identification Code Technology site. It makes sense to understand these markings before trying to remove them.
  • Adobe’s PDF security docs are always a go-to for me when I am working on a PDF. Before running the document through MAT I will check what’s there, here.
  • Last but not least are First Look Media’s PDF Redact Tools, which make redacting easy. After running things through MAT, which handles metadata, I will run it through this script.
  • To learn more about USB forensics, see the Forensics Wiki.

What went wrong…

PRINTER LOGS:

This section will be completed soon.

What went wrong…

GOOGLE SEARCHES:

  • To see what Google knows about you, and to choose “DELETE activity by”, go to Google’s My Activity.
  • Google does its best to collect location data to enhance the accuracy of the info on your Google profile. Click the trash icon on the map to remove this at Google Location History.
  • Review your data, purge email by label, and use the other options available to all Google users at Google Takeout.

This section will be completed soon.

What went wrong…

INSERTING USBS:

What went wrong…

PRISON AND JAIL PHONES/MEETING ROOMS:

This section will be completed soon.

What went wrong…

LOOKING AT COURT DOCUMENTS & EVIDENCE COLLECTED

This section will be completed soon.
