Wednesday, January 27, 2016

A contender for Germany's worst digital forensics team

Almost two weeks ago, we asked the internet to Tell the K-Landnews about European law enforcement handling of alleged online drug purchases or sales.

Today, we can report that we may have found a contender for the title of Germany's Worst Digital Forensics Team right off the bat.

It is such a doozie that the blogster wanted to FOIA some more documents to investigate if this is a widespread pattern or a rookie error, maybe caused by time pressure or whatever else could explain it.

Unfortunately, the state of Hessen, where the team resides, does not have a freedom of information law, unlike twelve of the sixteen German states. So, we go with what we have.

The case:

An online drug dealer was busted and found to have a bunch of documents squirreled away on a USB stick. The forensics folks looked at the trove and correctly figured out that they were dealing with OpenOffice documents (ODF). They opened the documents and found data relevant to the case. They were particularly happy to find "*.ods" spreadsheets with names and addresses of potential customers.

They also found that a certain number of  OpenOffice Calc .ods files were "corrupted and could not be opened." The report contains no information on other standard areas any forensics expert would investigate.

As baffling as it is, no repair efforts were made. None whatsoever.

For the non-experts among our readers, a two minute search in your favorite search engine reveals that OpenOffice files are .xml files saved in .zip format.

You can use any compression software that supports ".zip" to open an OpenOffice file and get at the component xml files.

Since files were corrupted or damaged, you should search for something like "zip file repair". Pick a tool and have a go. Of course, there is no guarantee, but there is a good chance you will get most of the data back.

This is how far you can get with off the shelf, free repair tools.

Actual forensics folks would not give up if the repair fails. Recall that an ods file consists of several xml files, what we called component xml files above. These are separate individual files, which means that a programmer could write some code to get at the specific part of a zip file that is of interest. *

An intact or repaired .ods file can be extracted to give the individual xml fiiles, which looks like this:

The one file you really want is "content.xml".

The test "content.xml" file from the above ods/zip looks like this:

Near the bottom of the screenshot, there is an entry "text:p" with the bold text "bad".
That's the text we entered into the first column of the first row in OpenOffice Calc.

We did mess with the zip file a bit by changing some bytes in a binary editor to get a "corrupted" file and ran this through several zip repair tools with good success.
As long as the "content.xml" part (or 'zip entry') is not damaged, all of the juicy data can be retrieved.

Would you agree that we found at least a contender for the worst German digital forensics team, if not the very worst?

* A good .zip repair tool will do this anyway, but we are trying to explain a more hands-on approach.

No comments:

Post a Comment