Warung Bebas

Saturday, 08 August 2009

What did they take when they left? Part 4 (External Devices) - Where did it go and what did they take?

Howdy Reader,

It's been quite some time since my last blog post, and I apologize. Things have been pretty busy: apparently the recession/depression has really spurred civil crimes, and I also had a very nice vacation. Last time we discussed the more easily detected methods suspects use to remove data from their systems. I left off the most common and lengthiest method so I could give it the detail and supporting documentation it deserves. This post covers method 3; methods 4 and 5 will follow in the next. The series focuses on Microsoft Windows systems, as they are the most common business systems in use; I will write a Linux- or Mac-specific series at another time.

Method 3 – Copying data to an external drive

  1. How did they take data from the system


    The first step on a Windows system is to examine the registry keys that track storage devices plugged into the system. These live in the SYSTEM registry hive, under each control set, where at least three keys keep track of three types of external storage device:


    1. USB Devices

    USB storage devices have their information stored under the USBSTOR key at:

    SYSTEM\CurrentControlSet\Enum\USBSTOR


    2. FireWire Devices


    FireWire storage devices are tracked under the SBP2 (Serial Bus Protocol 2) key, also under the current control set, at:


    SYSTEM\CurrentControlSet\Enum\SBP2


    3. eSATA Devices


    eSATA drives plugged into the system appear under the IDE key, again under the current control set, at:


    SYSTEM\CurrentControlSet\Enum\IDE


    It's important to know that the eSATA enclosure itself (for instance I was testing with a Simpletech Prodive) will not appear in the IDE key: eSATA passes the bare SATA drive straight through to the controller, so Windows sees only the drive. The model and serial number of the drive will appear in the registry, but nothing there identifies which enclosure the drive was in. You can of course open the enclosures you recover and compare the drives inside to find the right one, but when drafting a subpoena you will not be able to specify which enclosure the drive is in.


    4. Applicable to all device types:


    The SYSTEM hive also contains numbered control sets (ControlSet001, ControlSet002 and so on), some of which duplicate CurrentControlSet, so make sure to check each one. Each numbered control set is a configuration state the system booted successfully from at one time, and CurrentControlSet is a symbolic link to the one in use. When you work from an offline copy of the hive there is no CurrentControlSet key at all; the values under SYSTEM\Select (Current, Default, LastKnownGood) tell you which numbered set to treat as current.


    An easy way to parse these entries is RegRipper, which produces a text report of the parts of the registry most useful to a forensic examiner. Its latest version does not yet include the SBP2 key, but I'm sure it will be added soon.


    There is one entry under these keys for each storage device that has been attached to the computer since Windows was installed. The USBSTOR and SBP2 keys are only created the first time a device of that type is attached, so if they are missing or empty on a system known to have had devices attached, someone has most likely run a system cleaner; the IDE key will exist regardless whenever the system has an IDE or SATA drive. Remember that these entries are in the SYSTEM hive, so they apply to every user who has used the system: on a multi-user system you still have to establish who plugged the device in at the dates and times you find. The entries cover digital cameras, thumb drives, external hard drives, iPods, cell phones, anything that presents storage accessed as a drive letter.

    Each entry contains the parent ID, the vendor and product IDs, and what Windows records as the serial number of the device. The serial number reported to Windows is not always the one printed on the physical device, and this varies by manufacturer, so when requesting these devices in a subpoena or similar make sure to specify the serial number 'as reported to Microsoft Windows'. One further caveat: if a device reports no usable serial number, Windows generates an instance ID for it whose second character is an ampersand ('&'). Such an ID is specific to that Windows installation and cannot be used to identify the physical device.


    The last-written time of each device's registry key tells you the last time the device was plugged into the system. We can determine the first time the device was plugged in by taking the device name found under the USBSTOR/SBP2/IDE keys and searching for it in setupapi.log, which is in the Windows directory on Windows XP, or in setupapi.dev.log under 'Windows\inf' on Vista.


    To find each additional time the device was plugged in, look at the backed-up copies of the SYSTEM hive kept in the restore points. On Windows XP these live under 'System Volume Information\_restore{GUID}\RP###\snapshot', where the copy is named _REGISTRY_MACHINE_SYSTEM. There is a newer RegRipper companion for restore-point examination called ripxp that runs the plugins not only against the current hive but also against every earlier copy of it in the restore points.


    Windows Vista renames restore points to "System Restore" points and uses the Volume Shadow Copy service to keep previous versions of files and system files in a separate shadow volume, depending on the configuration and edition of Vista. You can use programs such as Shadow Explorer to access these volumes on a live system (or on an image booted in a VM) and browse the point-in-time backup of each partition for the same registry hives. I have not found a forensic tool to date that can mount these shadow volumes the way Shadow Explorer can.
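    To make the registry and setupapi.log steps above concrete, here is an added Python example (my own illustration for this write-up, not a tool from the original post or from RegRipper) that pulls the first-install time of every USBSTOR, SBP2 and IDE device instance out of a Windows XP setupapi.log, keeps the earliest entry when a device was later reinstalled, and flags instance IDs that Windows generated because the device reported no serial number. The log lines are constructed to mirror the XP format; the '#I121 Device install of ... finished successfully' line and the section-header timestamp layout are assumptions to check against a real log before trusting the regular expressions on it.

```python
"""Pull first-connection times for storage devices out of a Windows XP setupapi.log.
Added example, not a tool from the original post; the sample log below is constructed."""
import re
from datetime import datetime

# Section header written by the XP device installer, e.g. "[2009/07/28 08:02:11 1184.4 Driver Install]"
# (assumed format; verify against a real setupapi.log)
SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
# Completion line for a device instance on the buses the post examines (USBSTOR, SBP2, IDE)
INSTALL_RE = re.compile(r'^#I121 Device install of "(USBSTOR|SBP2|IDE)\\([^"]+)" finished successfully')
# USBSTOR/SBP2 instance paths look like DISK&VEN_x&PROD_y&REV_z\<instance id>
HWID_RE = re.compile(r"VEN_([^&\\]*)&PROD_([^&\\]*)&REV_([^&\\]*)\\([^\\]+)$", re.IGNORECASE)

# Constructed sample: one internal SATA disk, a Kingston stick (with a device serial),
# a generic stick whose instance ID Windows had to make up, and a reinstall of the Kingston stick.
SAMPLE_LOG = r"""[2009/07/01 09:12:03 1184.1 Driver Install]
#I121 Device install of "IDE\DISKST3500320AS_____________________________SD15\5&1A2B3C4D&0&0.0.0" finished successfully.
[2009/07/28 08:02:11 1184.4 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskkingstondatatraveler_2.0_____1.00,usbstor\diskkingstondatatraveler_2.0_____
#I022 Found "USBSTOR\Disk" in C:\WINDOWS\inf\usbstor.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\0019E02E3B5EDB212B2A2&0" finished successfully.
[2009/08/01 14:28:40 1184.5 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_GENERIC&PROD_USB__FLASH_DISK&REV_0.00\7&2A1B3C4D&0&0" finished successfully.
[2009/08/05 17:45:09 1184.6 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\0019E02E3B5EDB212B2A2&0" finished successfully.
"""


def windows_generated_id(instance_id):
    """Instance IDs Windows invents for devices without a usable serial have '&' as the second character."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def first_install_times(log_text):
    """Return one record per device instance, carrying the earliest install timestamp seen."""
    current_ts = None
    records = {}
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = INSTALL_RE.match(line)
        if not m or current_ts is None:
            continue
        bus, path = m.groups()
        key = bus + "\\" + path
        if key in records:
            continue  # a later reinstall does not move the first-connection time
        rec = {"bus": bus, "instance_path": key, "first_install": current_ts,
               "vendor": None, "product": None, "revision": None,
               "serial": None, "serial_generated_by_windows": False}
        h = HWID_RE.search(path)
        if h:  # IDE paths carry no VEN_/PROD_ fields, so they keep only the raw path
            vendor, product, rev, inst = h.groups()
            generated = windows_generated_id(inst)
            rec.update(vendor=vendor, product=product, revision=rev,
                       serial=None if generated else inst.rsplit("&", 1)[0],
                       serial_generated_by_windows=generated)
        records[key] = rec
    return sorted(records.values(), key=lambda r: r["first_install"])


if __name__ == "__main__":
    for r in first_install_times(SAMPLE_LOG):
        print(r["first_install"], r["bus"], r["vendor"], r["product"],
              r["serial"] or "(no device serial; ID generated by Windows)")
```

    The serial it prints for the Kingston stick is the one to cite 'as reported to Microsoft Windows'; the generic stick gets none, because its '7&2A1B3C4D&0' ID is a Windows artifact and will not be found on any physical device.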


  2. What did they take


    If our suspect did not wipe this information, we now know all the external devices they could have copied data to. The extent of what was copied onto those devices is not as well recorded by the system. There are several ways a suspect may copy data to an external drive.


    1. Backup programs

      There are a variety of backup programs a suspect can use. Some come bundled with the external media and others are built into the operating system. We can determine which backup program the suspect ran using the techniques discussed in part 2. Once you've identified the software, a quick Google search should reveal what logging, if any, it leaves behind. For instance, in Carreker Corporation v. Cannon et al (4:06-cv-00175-RAS-DDB) we found Dantz Retrospect in use, which writes a log file for each backup performed, recording the configuration, the directories and files backed up, and the total data copied.


    2. Copy programs

      Some suspects will use utilities such as robocopy or XXCOPY to copy the data to external media. In those cases the techniques discussed in part 2 will help you identify what program they used and when they copied the data.


    3. Standard copy and paste

      If our suspect copied the data to external media with a simple copy and paste or drag and drop, there is no record that I have found to date to reflect it.

      The next thing to determine is what was copied onto the external drive. There are two reliable artifacts Windows generates automatically that can tell us which files and/or directories were later accessed on the external media.


      1. LNK Files

      Windows shortcut or 'LNK' (pronounced 'link') files have been a standard feature of Windows since Windows 95. LNK files, as most forensic examiners call them, are created for a variety of reasons. What matters for this method is that when a file or directory is opened in Windows Explorer a LNK file is created in the user's Recent directory ('\Documents and Settings\<user name>\Recent' on Windows XP; on Vista '\Users\<user name>\Recent' is a junction to '\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent'), and if a program such as Microsoft Office is associated with the file, a second LNK file is written to that program's own recent directory under the user's Application Data directory (for Office, 'Application Data\Microsoft\Office\Recent'). In normal use the LNK file simply lets the user reopen the file it points to. We can examine the LNK files and see which of them show that the file or directory pointed to lived on an external disk. For more information on LNK files, see the linked references. A free utility that will parse these and other artifacts is Windows File Analyzer (most forensic suites already have this capability, built in or via a provided script).


      The LNK file tells us many important facts about a file that it points to.

      1. The time the file was first accessed on this computer

        The creation time of the LNK file itself is the first time the file was opened through Windows Explorer on this computer. If the LNK file's modification time differs from its creation time, that modification time is the last time the file was opened. Bear in mind that Recent shortcuts are named after the target file, so a later file with the same name updates the same LNK rather than creating a new one; the times then belong to whichever file last carried that name.

      2. The time the file was first created on the media it resides on

        The LNK file stores the creation, modification and access times of the file it points to, together with its size, in the shortcut header. The creation time is when the file first appeared on that media, which for a copied file is the time of the copy: a copy gets a fresh creation time on the destination while keeping its original modification time, so a target whose creation time is later than its modification time is the signature of a file copied onto the media. This tells us when the data our suspect took was first copied there, but only if the suspect opened the files or directories after copying them.

      3. The name, type and volume serial number of the media the file resided on.

        The LNK file also stores the drive type (fixed, removable, network or CD-ROM), the volume label and the volume serial number of the media the file was on, along with its path. Using this we can tell which of the accessed files came from external media and match them to the devices identified earlier in this section. One caveat: the volume serial number in a LNK file is assigned when the volume is formatted and is not the device serial number recorded under USBSTOR, so tying a LNK file to a specific physical device means either examining that device's volume yourself or using an artifact that records both (on Vista, the EMDMgmt key in the SOFTWARE hive lists volume serial numbers alongside the device identity).
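      As an added example (not code from the original post or from any of the tools it mentions), the following Python parses the fields of a Windows shortcut that matter for the three points above: the target's own creation, access and write times, its size, and the drive type, serial number and label of the volume it lived on, following the [MS-SHLLINK] layout. The .lnk bytes are constructed inside the block (a removable volume labelled KINGSTON, the path E:\Clients\contracts.xlsx, and made-up timestamps and serial) so it runs offline; a real Recent-folder shortcut also carries a shell item ID list and string data, which this parser skips over.

```python
"""Parse the forensic fields of a Windows shortcut (.lnk) per [MS-SHLLINK].
Added example; the sample shortcut is constructed here, not taken from a real system."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _cstring(buf, offset):
    return buf[offset:buf.index(b"\x00", offset)].decode("latin-1")


def parse_lnk(data):
    """Return the target's timestamps and size plus the volume it was on."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(wtime),
            "target_size": size, "drive_type": None, "volume_serial": None,
            "volume_label": None, "local_base_path": None}
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the shell item ID list if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos                                    # LinkInfo offsets are relative to its start
        _li_size, _hdr_size, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, li)
        if li_flags & 0x1:                          # VolumeIDAndLocalBasePath
            vol = li + vol_off
            _vol_size, dtype, serial, label_off = struct.unpack_from("<IIII", data, vol)
            info["drive_type"] = DRIVE_TYPES.get(dtype, "unknown")
            info["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            info["volume_label"] = _cstring(data, vol + label_off)
            info["local_base_path"] = _cstring(data, li + base_off)
    return info


def points_to_external_media(info):
    """The same check the MRU method relies on: was the target on a non-fixed volume?"""
    return info["drive_type"] in ("removable", "remote", "cdrom")


def build_sample_lnk(created, accessed, modified, size, drive_type, serial, label, path):
    """Constructed minimal .lnk: header + LinkInfo with a VolumeID, no ID list or string data."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b, suffix_b = path.encode("latin-1") + b"\x00", b"\x00"
    vol_off = 28                                    # fixed-size LinkInfo header
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix_b), 28, 1,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_b + suffix_b
    return header + link_info + b"\x00\x00\x00\x00"  # TerminalBlock ends the extra data


# Constructed shortcut: the target was created on the stick after its last modification,
# which is what a file copied onto the media looks like.
SAMPLE_LNK = build_sample_lnk(
    created=datetime(2009, 8, 1, 14, 30, tzinfo=timezone.utc),
    accessed=datetime(2009, 8, 3, 9, 15, tzinfo=timezone.utc),
    modified=datetime(2009, 7, 20, 11, 0, tzinfo=timezone.utc),
    size=1048576, drive_type=2, serial=0x1A2B3C4D, label="KINGSTON",
    path=r"E:\Clients\contracts.xlsx")

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:18} {value}")
```

      Run against a real Recent folder, the interesting records are the ones where points_to_external_media() is true and target_created is later than target_modified: those are files that were copied to the device and then opened from it, and target_created is the copy time.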


      2. MRU

        Most Recently Used (MRU) lists in the registry exist for many applications and Windows components (RecentDocs, OpenSaveMRU and per-application lists, among others). They record the files a user last opened through that component, but only the file path and, via the key's last-written time, when the most recent entry was added. The only way to tell from an MRU entry whether the file was on external media is to check that the drive letter shown was not a local fixed drive. RegRipper pulls out most MRUs easily.


At this point we can determine which external devices were in use and which files we can show were placed on them. The last two methods to discuss are copying data to network locations and uploading data to file-hosting websites.

Monday, 03 August 2009

The Diet-Heart Hypothesis: Oxidized LDL, Part I

In my reading about lipoprotein particles (LDL, HDL, etc.) and how they associate with cardiac risk, I've come across three LDL-related markers that associate with risk: LDL cholesterol, LDL particle number, and LDL size/density. Is this a coincidence, or is there a reason for it?

The first marker, LDL cholesterol, is probably nothing more than a crude approximation of particle number. But LDL particle number and size/density are related to something else, that probably actually causes atherosclerosis rather than simply being associated with it: oxidized LDL (oxLDL).

oxLDL is formed when the lipids in LDL particles react with oxygen and break down. This happens specifically to the unsaturated fats in LDL, because saturated fats, by their chemical nature, are very resistant to oxidative damage. Polyunsaturated fats are much more susceptible to oxidative damage than saturated or monounsaturated fats. Linoleic acid (the omega-6 fatty acid found abundantly in industrial seed oils) is the main polyunsaturated fatty acid in LDL.

LDL is packaged with antioxidants in the liver, primarily vitamin E and coenzyme Q10 (CoQ10), to prevent its oxidation. However, the more time it spends in the blood, the more likely it is to exhaust its antioxidant store and become oxidized. Also, the smaller the LDL particle, the more likely it is to become trapped in the vessel wall and become oxidized there.

Oxidized LDL Correlates Tightly with Cardiac Risk

oxLDL has turned out to be a very sensitive marker of cardiac risk, surpassing traditional markers like LDL, HDL, and triglycerides in most studies to date. Since the discovery of sensitive assays that detect oxidized LDL drawn directly from patient blood, a number of studies have been published supporting its ability to detect atherosclerosis (plaque buildup in the arteries), heart attack risk and even the metabolic syndrome.

Holovet and colleagues published a study comparing the ability of oxLDL and a traditional risk factor assessment to detect coronary artery disease. The traditional method is called the Global Risk Factor Assessment Score (GRAS), and includes age, total cholesterol, HDL, blood pressure, diabetes and smoking status. It's similar to the commonly used Framingham risk score (which, interestingly enough, doesn't include LDL).

GRAS was able to correctly differentiate a healthy person from a person with coronary artery disease 49% of the time, while oxLDL was correct 82% of the time. Thus, oxLDL by itself was far more accurate than a whole battery of traditional cholesterol and cardiac markers. Coronary patients had more than twice the level of circulating oxLDL than the healthy comparison group.

In a large prospective study by Meisinger and colleagues, participants with high oxLDL had a 4.25 times higher risk of heart attack than patients with lower oxLDL. oxLDL blew away all other blood lipid markers by nearly a factor of two. From the abstract:
Plasma oxLDL was the strongest predictor of CHD events compared with a conventional lipoprotein profile and other traditional risk factors for CHD.
Oxidized LDL Makes Sense

 Regular, non-oxidized LDL has few properties that would make it a suspect in atherosclerosis. It's just a little particle carrying cholesterol and fats from the liver to other organs. As soon as it oxidizes, however, it becomes pro-inflammatory, immunogenic, damaging to the vessel wall, and most importantly, capable of transforming immune cells called macrophages into foam cells, a major constituent of arterial plaque.

Researchers have been interested in the plaque-generating properties of oxLDL for over three decades, and quite a bit of data have accumulated. They've identified cellular receptors that allow macrophages to ingest oxLDL (CD36 and SR-A). These receptors are specific for oxLDL and do not recognize normal LDL to a significant degree. Mice whose macrophages lack either of these two receptors have the same amount of circulating LDL as normal mice, yet have 60 to 70 percent less atherosclerosis when fed a plaque-forming diet (1, 2). Shorter-term studies have not always been consistent however, suggesting that there are alternative mechanisms. I'll expand on this more later.

Another line of evidence comes from the ability of LDL-borne antioxidants to prevent atherosclerosis in animal models. The powerful synthetic antioxidant probucol greatly reduces atherosclerosis in a number of animal models. It also reduces the extremely high cholesterol rodents and herbivorous animals get when they eat a high-cholesterol "atherogenic diet", but several studies have concluded that the majority of probucol's effect is due to its antioxidant ability rather than its ability to reduce cholesterol (ref).

Vitamin E and CoQ10 are two other LDL-borne antioxidants that can reduce atherosclerosis in animal models, particularly in combination with one another. Vitamin E alone is not as effective, and in some studies totally ineffective, which is one possible explanation for the equivocal results of vitamin E cardiovascular trials in humans. The most effective combination of antioxidants is probably the one provided by a nutrient-dense diet.

In Summary

Multiple lines of evidence suggest that oxidized LDL plays a dominant role in atherosclerosis. Not only is it associated with cardiovascular risk, there's also a large body of evidence suggesting it actually directly contributes to it. 


Tuesday, 28 July 2009

The Diet-Heart Hypothesis: Subdividing Lipoproteins

Two posts ago, we made the rounds of the commonly measured blood lipids (total cholesterol, LDL, HDL, triglycerides) and how they associate with cardiac risk.

Lipoproteins Can be Subdivided into Several Subcategories

In the continual search for better measures of cardiac risk, researchers in the 1980s decided to break down lipoprotein particles into sub-categories. One of these researchers is Dr. Ronald M. Krauss. Krauss published extensively on the association between lipoprotein size and cardiac risk, eventually concluding (source):
The plasma lipoprotein profile accompanying a preponderance of small, dense LDL particles (specifically LDL-III) is associated with up to a threefold increase in the susceptibility of developing [coronary artery disease]. This has been demonstrated in case-control studies of myocardial infarction and angiographically documented coronary disease.
Krauss found that small, dense LDL (sdLDL) doesn't travel alone: it typically comes along with low HDL and high triglycerides*. He called this combination of factors "lipoprotein pattern B"; its opposite is "lipoprotein pattern A": large, buoyant LDL, high HDL and low triglycerides. Incidentally, low HDL and high triglycerides are hallmarks of the metabolic syndrome, the quintessential modern metabolic disorder.

Krauss and his colleagues went on to hypothesize that sdLDL promotes atherosclerosis because of its ability to penetrate the artery wall more easily than large LDL. He and others subsequently showed that sdLDL are also more prone to oxidation than large LDL (1, 2).

Diet Affects LDL Subcategories

The next step in Krauss's research was to see how diet affects lipoprotein patterns. In 1994, he published a study comparing the effects of a low-fat (24%), high-carbohydrate (56%) diet to a "high-fat" (46%), "low-carbohydrate" (34%) diet on lipoprotein patterns. The high-fat diet also happened to be high in saturated fat-- 18% of calories. He found that (quote source):
Out of the 87 men with pattern A on the high-fat diet, 36 converted to pattern B on the low-fat diet... Taken together, these results indicate that in the majority of men, the reduction in LDL cholesterol seen on a low-fat, high-carbohydrate diet is mainly because of a shift from larger, more cholesterol-enriched LDL to smaller, cholesterol-depleted LDL [sdLDL].
In other words, in the majority of people, high-carbohydrate diets lower LDL cholesterol not by decreasing LDL particle count (which might be good), but by decreasing LDL size and increasing sdLDL (probably not good). This has been shown repeatedly, including with a 10% fat diet and in children. However, in people who already exhibit pattern B, reducing fat does reduce LDL particle number. Keep in mind that the majority of carbohydrate in modern America comes from refined wheat and sugar; a diet of unrefined carbohydrate may not have these effects.

Krauss then specifically explored the effect of saturated fat on LDL size (free full text). He re-analyzed the data from the study above, and found that:
In summary, the present study showed that changes in dietary saturated fat are associated with changes in LDL subclasses in healthy men. An increase in saturated fat, and in particular, myristic acid [as well as palmitic acid], was associated with increases in larger LDL particles (and decreases in smaller LDL particles). LDL particle diameter and peak flotation rate [density] were also positively associated with saturated fat, indicating shifts in LDL-particle distribution toward larger, cholesterol-enriched LDL.
Participants who ate the most saturated fat had the largest LDL, and vice versa. Kudos to Dr. Krauss for publishing these provocative data. It's not an isolated finding. He noted in 1994 that:
Cross-sectional population analyses have suggested an association between reduced LDL particle size and relatively reduced dietary animal-fat intake, and increased consumption of carbohydrates.
Diet Affects HDL Subcategories

Krauss also tested the effect of his dietary intervention on HDL. Several studies have found that the largest HDL particles, HDL2b, associate most strongly with HDL's protective effects (more HDL2b = fewer heart attacks). Compared to the diet high in total fat and saturated fat, the low-fat diet decreased HDL2b significantly. A separate study found that the effect persists at one year. Berglund et al. independently confirmed the finding using the low-fat American Heart Association diet in men and women of diverse racial backgrounds. Here's what they had to say about it:

The results indicate that dietary changes suggested to be prudent for a large segment of the population will primarily affect [i.e., reduce] the concentrations of the most prominent antiatherogenic [anti-heart attack] HDL subpopulation.
Saturated and omega-3 fats selectively increase large HDL. Dr. B. G. of Animal Pharm has written about this a number of times.

Wrapping it Up

Contrary to the simplistic idea that saturated fat increases LDL and thus cardiac risk, total fat and saturated fat have a complex influence on blood lipids, the net effect of which is unclear. These blood lipid changes persist for at least one year, so they may represent a long-term effect. It's important to remember that the primary sources of carbohydrate in the modern Western diet are refined wheat and sugar.  Healthier sources of carbohydrate have different effects on blood lipids.

* This is why you may read that small, dense LDL is not an "independent predictor" of heart attack risk. Since it travels along with a particular pattern of HDL and triglycerides, in most studies it does not give information on cardiac risk beyond what you can get by measuring other lipoproteins.

Saturday, 25 July 2009

MRFIT Mortality

The Multiple Risk Factor Intervention Trial was a very large controlled diet trial conducted in the 1980s. It involved an initial phase in which investigators screened over 350,000 men age 35-57 for cardiovascular risk factors including total blood cholesterol. 12,866 participants with major cardiovascular risk factors were selected for the diet intervention trial, while the rest were followed for six years. I discussed the intervention trial here.

During the six years of the observational arm of MRFIT, investigators kept track of deaths in the patients they had screened. They compared the occurrence of deaths from multiple causes to the blood cholesterol values they had measured at the beginning of the study. Here's a graph of the results (source):


Click on the graph for a larger image. Coronary heart disease does indeed rise with increasing total cholesterol in American men of this age group. But total mortality is nearly as high at low cholesterol levels as at high cholesterol levels. What accounts for the increase in mortality at low cholesterol levels, if not coronary heart disease? Stroke is part of the explanation. It was twice as prevalent in the lowest-cholesterol group as it was in other participants. But that hardly explains the large increase in mortality.

Possible explanations from other studies include higher infection rates and higher rates of accidents and suicide. But the study didn't provide those statistics so I'm only guessing.

The MRFIT study cannot be replicated, because it was conducted at a time when fewer people were taking cholesterol-lowering drugs. In 2009, a 50-year old whose doctor discovers he has high cholesterol will likely be prescribed a statin, after which he will probably no longer have high cholesterol. This will confound studies examining the association between blood cholesterol and disease outcomes.

Thursday, 23 July 2009

The Diet-Heart Hypothesis: A Little Perspective

Now that we've discussed the first half of the diet-heart hypothesis, that saturated fat elevates total and LDL cholesterol, let's take a look at the second half. This is the idea that elevated serum cholesterol causes cardiovascular disease, also called the "lipid hypothesis".

Heart Attack Mortality vs. Total Mortality

We've been warned that high serum cholesterol leads to heart attacks and that it should be reduced by any means necessary, including powerful cholesterol-lowering drugs. We've been assailed by scientific articles and media reports showing associations between cholesterol and heart disease. What I'm going to show you is a single graph that puts this whole issue into perspective.

The following is drawn from the Framingham Heart study (via the book Prevention of Coronary Heart Disease, by Dr. Harumi Okuyama et al.), which is one of the longest-running observational studies ever conducted. The study subjects are fairly representative of the general population, although less racially diverse (largely Caucasian). The graph is of total mortality (vertical axis) by total cholesterol level (horizontal axis), for different age groups: If you're 80 or older, and you have low cholesterol, it's time to get your affairs in order. Between the age of 50 and 80, when most heart attacks occur, there's no association between cholesterol level and total mortality. At age 50 and below, men with higher cholesterol die more often. In the youngest age group, the percent increase in mortality between low and high cholesterol is fairly large, but the absolute risk of death at that age is still low. There is no positive association between total cholesterol and mortality in women at any age, only a negative association in the oldest age group.

Here's more data from the Framingham study, this time heart attack deaths rather than total mortality (from the book Prevention of Coronary Heart Disease, by Dr. Harumi Okuyama et al.): Up to age 47, men with higher cholesterol have more heart attacks. At ages above 47, cholesterol does not associate with heart attacks or total mortality. Since the frequency of heart attacks and total mortality are low before the age of 47, it follows that total cholesterol isn't a great predictor of heart attacks in the general population.

These findings are consistent with other studies that looked at the relationship between total cholesterol and heart attacks in Western populations. For example, the observational arm of the massive MRFIT study found that higher cholesterol predicted a higher risk of heart attack in men age 35-57, but total mortality was highest both at low and high cholesterol levels. The "ideal" cholesterol range for total mortality was between 140 and 260 mg/dL (reference). Quite a range. That encompasses the large majority of the American public.

The Association Between Blood Cholesterol and Heart Attacks is Not Universal
The association between total cholesterol and heart attacks has generally not been observed in Japanese studies that did not pre-select for participants with cardiovascular risk factors (Prevention of Coronary Heart Disease, by Dr. Harumi Okuyama et al.). This suggests that total blood cholesterol as a marker of heart attack risk is not universal. It would not necessarily apply to someone eating a non-Western diet.

Subdividing Cholesterol into Different Lipoprotein Particles Improves its Predictive Value

So far, this probably hasn't shocked anyone. Most people agree that total cholesterol isn't a great marker. Researchers long ago sliced up total cholesterol into several more specific categories, the most discussed being low-density lipoprotein (LDL) and high-density lipoprotein (HDL). These are tiny fatty droplets (lipoproteins) containing fats, cholesterol and proteins. They transport cholesterol, fats, and fat-soluble vitamins between tissues via the blood.

The LDL and HDL numbers you get back from the doctor's office typically refer to the amount of cholesterol contained in LDL or HDL per unit blood serum, but you can get the actual particle number measured as well.
One can also measure the level of triglyceride (a type of fat) in the blood. Triglycerides are absorbed from the digestive tract and manufactured by the liver in response to carbohydrate, then sent to other organs via lipoproteins.

The level of LDL in the blood gives a better approximation of heart attack risk than total cholesterol. If you're living the average Western lifestyle and you have high LDL, your risk of heart attack is substantially higher than someone who has low LDL. LDL particle number has more predictive value than LDL cholesterol concentration. The latter is what's typically measured at the doctor's office. For example, in the EPIC-Norfolk study (free full text), patients with high LDL cholesterol concentration had a 73% higher risk of heart attack than patients with low LDL. Participants with high LDL particle number had exactly twice the risk of those with low LDL number. We'll get back to this observation in a future post.

In the same study, participants with low HDL had twice the heart attack risk of participants with high HDL. That's why HDL is called "good cholesterol". This finding is fairly consistent throughout the medical literature. HDL is probably the main reason why total cholesterol doesn't associate very tightly with heart attack risk. High total cholesterol doesn't tell you if you have high LDL, high HDL or both (LDL and HDL are the predominant cholesterol-carrying lipoproteins).

Together, this suggests that the commonly measured lipoprotein pattern that associates most tightly with heart attack risk in typical Western populations is some combination of high LDL (particularly LDL particle number), low HDL, and high triglycerides.
In the next post, I'll slice up the lipoproteins even further and comment on their association with cardiovascular disease. I'll also begin to delve into how diet affects the lipoproteins.
 
