Date: Mon, 21 Oct 2019 4:01:12 PM (UTC)
Sent: Mon, 21 Oct 2019 4:01:14 PM (UTC)
Subject: RE: Keychain cracking — UNCLASSIFIED
From:
To:
CC:
Classification: UNCLASSIFIED
We tried to do an EC way back when, but the case classification did not allow for us to do it. The UCFN is 3IE-NY-3027571
(Epstein)
Senior Forensic Examiner
Office)
Cell)
(Fax)
From
Sent: Monday, October 21, 2019 11:32 AM
To:
Cc:
Subject: RE: Keychain cracking --- UNCLASSIFIED
Classification: UNCLASSIFIED
Hey there,
DID we have an EC/Lead for this? Or a UCFN for tracking purposes?
Trying to document this for our records (and yours potentially)
Let me know.
Thanks
From
Sent: Monday, October 21, 2019 11:2U AM
To:
Subject: RE: Keychain cracking -- UNCLASSIFIED
Classification: UNCLASSIFIED
3503-011
Page 1 of
SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17
EFTA_00001898
EFTA00157083
I've said it before, and say it again. THERE IS NOBODY BETTER THAN YOU GUYS!!!! Thanks. The password you
provided unlocked the drive. I owe you a beer.
Senior Forensic Examiner
From:
Sent: Monday, October 21, 2019 11:14 AM
To:
Cc:
Subject: RE: Keychain cracking — UNCLASSIFIED
Classification: UNCLASSIFIED
Good morning
STXU has recovered a password "asdfasdfasdfasdr (no quotes) for item NYCO24364.
Once your forensic analysis is complete, a brief summary (a few sentences) as to the value of STXU's efforts/password provided
is appreciated when convenient. This helps STXU focus our expertise and streamline decryption efforts in support of future
investigations.
STXU will remove all copies of this data and considers this request complete.
Please contact STXU for further dissemination of these results outside of the FBI. If you have any further questions, please
contact EE at
If everything looks good and you have no further questions, please "remove HQCU-VAP permissions in the CAT tool".
IT Specialist /Senior Forensic Examiner
Secure Technologies Exploitation Unit (STXU)
Operational Technology Division (OTD) - Miami
From
Sent: Thursday, October 17, 2019 12:16 PM
To:
Cc:
Subject: RE: Keychain cracking — UNCLASSIFIED
Classification: UNCLASSIFIED
Yes. I'll make sure you have permissions. The image can be found at
IINYCART-FS/Cases0Uny-3027571_219047/Evidence/NYC024364 It is a 1 TB E01.
Senior Forensic Examiner
From
Sent: Thursday, October 17, 2019 11:58 AM
To
Cc
Subject: RE: Keychain cracking --- UNCLASSIFIED
Classification: UNCLASSIFIED
Is the image on OPWAN so I can take a look at it?
Thank you.
From:
Sent: Thursday, October 17, 2019 11:56 AM
To:
Cc:
Subject: RE: Keychain cracking — UNCLASSIFIED
Classification: UNCLASSIFIED
It isn't a T2 system, but I was having many difficulties acquiring the drive with Macquisition, so I had to remove the drive and use
a TX1. This is not the latest generation of MacBook, I believe it is the generation right after they removed the CD drive, so it is
recent, but not brand new. It is very possible that this was somebody else's machine, but without being able to browse the
usernames, I can't be 100% certain.
Senior Forensic Examiner
(212)384-4838 (Office)
(917)855-6666 (Cell)
(212)384-1334 (Fax)
From (OTD) (FBI)
Sent: Thursday, October 17, 2019 9:40 AM
To
Cc
Subject: RE: Keychain cracking — UNCLASSIFIED
Classification: UNCLASSIFIED
Good morning. Is this a T2 system as well? Also, do you have any indication of who the user of the laptop may have
been? As I recall, there was at least one system that I looked at when I was working on the original request that was used by
someone other than him. Please let me know.
Thank you!
From (NY) (FBI)
Sent: Wednesday, October 16, 2019 12:55 PM
To
Subject: RE: Keychain cracking — UNCLASSIFIED
Classification: UNCLASSIFIED
Hey
I have another MacBook Pro that is locked for the same case. The password hint is "stroke4". The passwords below did not
work. Any help is appreciated. Thanks.
Senior Forensic Examiner
From:
Sent: Thursday, September 05, 2019 10:56 AM
To:
Cc:
Subject: RE: Keychain cracking --- UNCLASSIFIED
Classification: UNCLASSIFIED
I'm glad we could be of assistance. Please let us know if you need anything else and don't forget to send us an update
once your forensic analysis is complete. A brief summary (a few sentences) as to the value of STXU's efforts/password provided
is appreciated when convenient as this helps STXU focus our expertise and streamline decryption efforts in support of future
investigations.
Thank you,
From (NY) (FBI)
Sent: Thursday, September 05, 2019 10:50 AM
To
Cc
Subject: RE: Keychain cracking -- UNCLASSIFIED
Classification: UNCLASSIFIED
You guys are great. The password "irking" worked. I am now in the machine and imaging it. Thanks for all your help. I
obviously could not have done it without you.
Senior Forensic Examiner
From:
Sent: Thursday, September 05, 2019 9:47 AM
To:
Cc
Subject: RE: Keychain cracking -- UNCLASSIFIED
Classification: UNCLASSIFIED
Oh yes, NYC024353 was the one with the user account JEE and I had already obtained the user password as part of your previous
request which was 'Irving' (no quotes). In his keychain he had the following passwords which you can try:
irvingirving
neptunemermaid (this one was used extensively)
asdfasdfasdf [this was used for a Gmail account]
yes8"tin [this was the password for his multiple AirPort routers]
Please let me know your results once you try them so I can update our internal system accordingly regarding your request.
Thank you!
From:
Sent: Thursday, September 05, 2019 8:53 AM
To
Subject: RE: Keychain cracking -- UNCLASSIFIED
Classification: UNCLASSIFIED
The machines in question are Macs running APFS, and their images are aff4 files. I have them here in Blacklight, but I can't
confirm which one because the Case Agents are using my one Blacklight machine to review. The images are NYCO24353 and
NYCO24329. One of them has a user account of JEE or a similar username which is obviously the subject. If you have a list of
possible passwords, could you forward that for me to try on the T2 iMac?
From:
Sent: Thursday, September 05, 2019 8:43 AM
To:
Cc:
Subject: RE: Keychain cracking -- UNCLASSIFIED
Classification: UNCLASSIFIED
Good morning. I can certainly try. When I worked on your request I was able to recover several passwords for him from
other systems (and their keychains) that were provided so I may already have it. Which ones did you want me to check?
Let me know and I'll take a look at it.
IT Specialist /Senior Forensic Examiner
Secure Technologies Exploitation Unit (STXU)
Operational Technology Division (OTD) - Miami
From
Sent: Wednesday, September 04, 2019 3:35 PM
To:
Subject: Keychain cracking --- UNCLASSIFIED
Classification: UNCLASSIFIED
You seem to be the Mac guy for your unit. Quick question. If I give you an un-encrypted image of a Mac either in APFS or
HFS+, would you be able to recover the password for the user account? I have multiple images of macs from Epstein, and they all
have the same password hint. Figuring he just used the data migration tool and rolled everything along. Hope it can give us a
password for a T2 iMac we can't get an image of.
NYOLAKI Coordinator
Senior Forensic Examiner
Classification: UNCLASSIFIED
ℹ️ Document Details
SHA-256
b85ab1f3b1873833158cd2dcfd958cc6a5fe06450758362bc9e12c37e1141a9a
Bates Number
EFTA00157083
Dataset
DataSet-9
Document Type
document
Pages
8