EFTA00157083.pdf

Date: Mon, 21 Oct 20194:01:12 PM (UTC) Sent: Mon, 21 Oct 20194:01:14 PM (UTC) Subject: RE: Keychain cracking — UNCLASSIFIED From: To: CC: Classification: UNCLASSIFIED We tried to do an EC way back when, but the case classification did not allow for us to do it. The UCFN is 3IE-NY-3027571 (Epstein) Senior Forensic Examiner Office) Cell) (Fax) From Sent: Monda , October 21,2019 11:32 AM To: c: Subject: RE: Keychain cracking --- UNCLASSIFIED Classification: UNCLASSIFIED Hey there, DID we have an EC/Lead for this? Or a UCFN for tracking purposes? Trying to document this for our records (and yours potentially) Let me know. Thanks From Sent: onday, October21,2019 I I:2U AM To: Subject: RE: Keychain cracking-- UNCLASSIFIED Classification: UNCLASSIFIED 3503-01I Page I of SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17 EFTA_00001898 EFTA00157083 I've said it before, and say it again. THERE IS NOBODY BETTER THAN YOU GUYS!!!! Thanks. The password you provided unlocked the drive. I owe you a beer. Senior Forensic Examiner From' Sent: Monde October 21 201911:14 AM To: Cc: Subject: RE: Keychain cracking — UNCLASSIFIED Classification: UNCLASSIFIED Good momin STXU has recovered a password "asdfasdfasdfasdr (no quotes) for item NYCO24364. Once your forensic analysis is complete. a brief summary (a few sentences) as to the value ofSTXU's efforts/password provided is appreciated when convenient. This helps STXU focus our expertise and streamline decryption efforts in support of figure investigations. STXU will remove all copies ofthis data and considers this request complete. Please contact STXU for further dissemination ofthese results outside ofthe FBI. If you have any funher quest ions, please contact EE at If everything looks good and you have no further questions, please "remove HQCU-VAP permissions in the CAT tool". IT Specialist /Senior Forensic Examiner Secure Technologies Exploitation Unit (STXU) Orcrntional Technology Division (OTD) - Miami From Sent: Thursday, October 17, 2019 12:16 PM To: Cc: 3503-011 Page 2 of SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17 EFTA_00001899 EFTA00157084 Subject: RE: Kcychain cracking — UNCLASSIFIED Classification: UNCLASSIFIED Yes. I'll make sure you have permissions. The image can be found at IINYCART-FS/Cases0Uny-3027571_219047/Evidence/NYC024364 It isa I TB E01. Senior Forensic Examiner From Sent: Thursday, October 17, 201911:58 AM To Cc Subject: RE: Kcychain cracking --- UNCLASSIFIED Classification: UNCLASSIFIED Is the image on OPWAN so I can take a look at it? Thank you. From: Sent: Thursday, October 17, 2019 11:56 AM To: Cc: Subject: RE: Kcychain cracking —• UNCLASSIFIED Classification: UNCLASSIFIED It isn't a T2 system, but I was having many difficulties acquiring the drive with Macquisition, so I had to remove the drive and use a TXI. This is not the latest generation ofMacBook, I believe it is the generation right after they removed the CD drive, so it is recent, but not brand new. It is wry possible that this was somebody else's machine, but without being able to browse the uscmamcs. I can't be 100 %cenain. Senior Forensic Examiner 3503-011 Page 3 of SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17 EFTA_00001900 EFTA00157085 (212)384-4838 (Office) (917)855-6666 (Cell) (212)384-1334 (Fax) From (OTD)(FBI) Sent: Thursday, October 17, 2019 9:40 AM To C Subject: RE: Keychain cracking — UNCLASSIFIED Classification: UNCLASSIFIED Good moming Is this a T2 system as well? Also, do you have any indication ofwho the user ofthe laptop may have been? As 1reca , t ere was at least one system that I looked at when I was working on the original request that was used by someone other than him. Please let me know. Thank you! From (NY) (FBI) Sent: Wednesday, October 16, 201912:55 PM To Subject: RE: Keychain cracking — UNCLASSIFIED Classification: UNCLASSIFIED Hcy I have another MacBook Pro that is locked for the same case. The password hint is "stroke4". The passwords below did not work. Any help is appreciated. Thanks. Senior Forensic Examiner From: Sent: Thursday. September 05.201910:56 AM To: Cc: Subject: RE: Keychain cracking --- UNCLASSIFIED 3503-011 Page 4 of SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17 EFTA_0000 190 1 EFTA00157086 Classification: UNCLASSIFIED I'm glad we could be ofassistanc Please let us know if you need anything else and don't forget to send us an update o nee your forensic analysis is complete. A brief summary (a few sentences) as to the value ofSTXLI's efforts/password provided is appreciated when convenient as this helps STXU focus our expertise and streamline decryption efforts in support of future investigations. Thank you, From (NY) (FBI) Sent: Thursday, September 05 201910:50 AM To Cc Subject: RE: Kcychain cracking -- UNCLASSIFIED Classification: UNCLASSIFIED You guys arc great. The password "irking" worked. I am now in the machine and imaging it. Thanks for all your help. I obviously could not have done it without you. Senior Forensic Examiner From: Sent: Thursday, September 05, 20199:47 AM To: Cc Subject: RE: Kcychain cracking -- UNCLASSIFIED Classification: UNCLASSIFIED Oh yes, NYC024353 was the one with the user account JEE and I had already obtained the user password as part ofyour previous request which was 'Irving' (no quotes). In his kcychain he had the following passwords which you can try: irvingirving neptunemermaid (this one was used extensively) asdfasdfasdf [this was used for a Gmail account) yes8"tin [this was the password for his multiple AirPort routers] Please let me know your results once you try them so I can update our internal system accordingly regarding your request. 3503-01 I Page 5 of SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17 EFTA_00001902 EFTA00157087 Thank you! From: Sent: Thursda . S tember 05.2019 8:53 AM To Subject: RE: Keychain cracking -- UNCLASSIFIED Classification: UNCLASSIFIED The machines in question arc Macs running APFS. and their images arc aff4 files. I have them here in Blacklight. but I can't confirm which one because the Case Agents are using my one Blacklight machine to review. The images are NYCO24353 and NYCO24329. One of them has a user account ofJEE or a similar usemame which is obviously the subject. If you have a list of possible passwords, could you forward that for me to try on the T2 iMac? From- Sent: Tbursda Se tember 05 2019 8:43 AM To: Cc: Subject: RE: Keychain cracking UNCLASSIFIED Classification: UNCLASSIFIED Good morning can certainly try. When I worked on your request I was able to recover several passwords for him from other systems (and their keychains) that were provided so I may already have it. Which ones did you want me to check? Let me know and I'll take a look at it. IT Specialist /Senior Forensic Examiner Secure Technologies Exploitation Unit (STXU) tional Technology Division (OTD) - Miami From 3503-0II Page 6 of 8 SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17 EFTA_00001903 EFTA00157088 Sent: Wednesday. September 04.2019 3:35 PM To: Subject: Keychain cracking --- UNCLASSIFIED Classification: UNCLASSIFIED You seem to be the Mac guy for your unit. Quick question. If I give you an un-encrypted image ofa Mac either in APFS or HFS+, would you be able to recover the password for the user account? I have multiple images ofmacs from Epstein, and they all have the same password hint. Figuring he just used the data migration tool and rolled everything along. Hope it can give us a password for a T2 iMac we can't get an image of. NYOLAKI Coordinator Senior Forensic Examiner Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED 3503-011 Page 7 of 8 SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17 EFTA_00001904 EFTA00157089 Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED Classification: UNCLASSIFIED 3503-011 Page 8 of 8 SUBJECT TO PROTECTIVE ORDER PARAGRAPHS 7, 8, 9, 10, 15, and 17 EFTA_00001905 EFTA00157090