If you suspect insurance fraud and you live in Washington state, please report it.
Wednesday, July 31, 2013
Agent charged with theft and forgery; collected commissions for fictitious customers
Tuesday, July 30, 2013
Daily Blog #37: Web 2.0 Forensics Part 2
Sunday Funday is always fun for me for two reasons. One, it gets me two blog posts out of one, so I get more time to get work done, and two, I like getting a general feeling of what level of understanding exists on certain artifacts. So while you get a prize, which I strive to make worth your effort, I get to see what I can continue to help you learn by writing additional blog posts to fill those gaps. With that said, we are continuing the web 2.0 series today, which I realized was needed from the IEF Sunday Funday challenge two weeks ago.
JSON Data Structures
JSON data structures are fairly easy to find. They are structure name pairs that are exchanged between the web server and the web client, for instance the Gmail server and the Chrome browser. In this example the Chrome browser would then parse the data to generate the view that you see.
Here is what a message summary from your Gmail inbox looks like:
Index data for gmail
["140303866b4ce541","140303866b4ce541","140303866b4ce541",1,0,["^all","^i","^o","^smartlabel_notification"]
,[]
Email from/subject/message preview and date
,"\u003cspan class\u003d\"yP\" email\u003d\"mail-noreply@google.com\" name\u003d\"Gmail Team\"\u003eGmail Team\u003c/span\u003e","\u0026raquo;\u0026nbsp;","Welcome to the new Gmail inbox","Hi David Meet the new inbox Inbox tabs put you back in control with simple organization so that you",0,"","","10:35 am","Tue, Jul 30, 2013 at 10:35 AM",1375198584460000,,[]
,,0,[]
,,[]
,,"3",[0]
,,"mail-noreply@google.com",,,,0,0]
Here is what a fully loaded message and its email header look like:
Gmail Team
<mail-noreply@google.com>
10:35 AM (36 minutes ago)
<img class="f T-KT-JX" src="images/cleardot.gif" alt="">
to me
This is followed by the body of the message. In addition, each page carries a listing of all the labels, email counts, circles and more data that is preloaded to each page, providing you with a large amount of data on your custodian's activities but also a large number of duplicates.
Tomorrow we will go into the important fields and their meanings, and I'll provide a regex for carving them out. Recovering webmail used to be simple: just find a JavaScript library known to the service and carve out the HTML before and after it. Now, with JSON/Ajax services like Gmail, we get fragments of emails and possibly entire messages, but we either have to manually carve them or use a tool like IEF to do it for us.
I start with IEF and let it find the fully formed messages, and then go back myself to find partials, knowing the user's email address.
See you tomorrow! Leave comments or questions below if you're seeing data differently. I'm going to install Fiddler on my system tonight to show how the data looks as it's being transmitted.
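The message-summary record shown above is not strict JSON (it has empty array slots such as `,,`), so a stock parser rejects it. The following is an added example, not code from the original post: it fills the empty slots with null, parses the record, and pulls out the sender, subject, preview and date. The field offsets relative to the sender span are taken from this one sample, and reading the 16-digit number as microseconds since the Unix epoch is an assumption (it decodes to the same date as the displayed one).

```python
import html
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the record from the post, copied as carved text.
SAMPLE = r'''["140303866b4ce541","140303866b4ce541","140303866b4ce541",1,0,["^all","^i","^o","^smartlabel_notification"]
,[]
,"\u003cspan class\u003d\"yP\" email\u003d\"mail-noreply@google.com\" name\u003d\"Gmail Team\"\u003eGmail Team\u003c/span\u003e","\u0026raquo;\u0026nbsp;","Welcome to the new Gmail inbox","Hi David Meet the new inbox Inbox tabs put you back in control with simple organization so that you",0,"","","10:35 am","Tue, Jul 30, 2013 at 10:35 AM",1375198584460000,,[]
,,0,[]
,,[]
,,"3",[0]
,,"mail-noreply@google.com",,,,0,0]'''

SENDER = re.compile(r'<span[^>]*\bemail="([^"]*)"[^>]*\bname="([^"]*)"')
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def fill_holes(text):
    """Insert null into empty array slots ('[,' ',,' ',]') outside of strings."""
    out, prev, in_str, esc = [], "", False, False
    for ch in text:
        if in_str:                      # copy string contents untouched
            out.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
            continue
        if not ch.isspace():
            if (ch in ",]" and prev == ",") or (ch == "," and prev == "["):
                out.append("null")
            prev = ch
            in_str = ch == '"'
        out.append(ch)
    return "".join(out)


def load_record(fragment):
    """Parse a complete carved record; raises ValueError on a partial one."""
    return json.loads(fill_holes(fragment))


def parse_summary(fragment):
    rec = load_record(fragment)
    # Locate the sender span, then read neighbours by offset (from this sample).
    i = next(n for n, v in enumerate(rec)
             if isinstance(v, str) and SENDER.search(v))
    sender = SENDER.search(rec[i])
    return {
        "message_id": rec[0],
        "labels": rec[5],
        "from_email": sender.group(1),
        "from_name": html.unescape(sender.group(2)),
        "subject": html.unescape(rec[i + 2]),
        "preview": html.unescape(rec[i + 3]),
        "displayed_date": rec[i + 8],
        # Assumption: microseconds since the Unix epoch.
        "timestamp_utc": EPOCH + timedelta(microseconds=rec[i + 9]),
    }


if __name__ == "__main__":
    for key, value in parse_summary(SAMPLE).items():
        print(f"{key}: {value}")
```

Partial records carved from unallocated space will not parse this way; for those, the sender regex alone can still be run over the decoded text.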
Smokey Eyes (First Date) - Tutorial!
I was feeling super inspired a couple of weekends ago and decided to film myself getting ready (for a date, ooo-err) and made it into a tutorial for you guys! Admittedly, this is nothing special makeup wise - I wear this look daily to work and find it really quick and easy to do; it just consists of a bit of eyeliner, flawless base and smokey under-eye shadow.
Watch the video below to see how I created this look!
Products Used:
Kiehls Ultra Light Daily Defense SPF 50
Urban Decay Primer Potion
Benefit Stay Flawless Primer
Sleek Ink Pot Gel Eyeliner in Dominatrix
HD Brows Kit (matte black shadow to help pro-long the gel liner)
Cover FX Total Cover Cream Foundation with the Real Techniques Buffing Brush
Avon Supershock Gel Eyeliner in Black
Urban Decay Brow Box
HD Brow Kit (Taupe shadow under the eye)
MAC Studio Finish Concealer in NC15 with the Real Techniques Deluxe Crease Brush
Rimmel Stay Matte Powder
Japonesque Eyelash Curlers
YSL Babydoll Mascara
MAC Blush in Strada
Zoeva Contour Brush
MAC Sushi Kiss Lipstick
I really hope you guys enjoy this! I'm quite embarrassed about going totally eye makeup free (don't think I've EVER done that before on this blog) but I think it adds to the before & after look! If you are short of time but want to try this look, swap the gel liner for a liquid liner in a pen form, it's a lot quicker!
Do let me know if you would like to see any more tutorials from me in the future!
xxxxx
Monday, July 29, 2013
Daily Blog #36: Sunday Funday 7/28/13 Winner!
I got a lot of answers after; do you need me to change the rules to give you more time to play? I thought 24 hours (I try to post at Saturday midnight CST) was enough time, but if you need more time to play I can change the rules to let more people participate. I'm hoping as these contests continue we will continue to get great prizes to give away that will tip you over the 'should I try this one' cliff.
Here was the challenge:
The Challenge: I'm going to step down the difficulty from last week; I may have been asking for a bit much on a Sunday. So this week's question is going back to basics:
For a Windows 7 system:
Your client has provided you with a forensic image of a laptop computer that was used by an ex-employee at their new employer. It was obtained legally through discovery in a litigation against them. You previously identified that the employee took data when they left. Where on the system would you look for the following:
1. The same external drive was plugged into both systems
2. What documents were copied onto the system
3. What documents were accessed on the system
1) The manufacturer, model, and serial number of USB keys plugged into a system are stored in the registry at HKLM\SYSTEM\Control\(CurrentControlSet|ControlSet001|ControlSet002)\Enum\USBSTOR. Comparing these keys on the two systems should show any common devices.
2) The created timestamp on the above registry key can be used to filter a timeline of file creation times to determine what files were added to the system around the time it was plugged in. These files could contain metadata about where they were originally created as well as other interesting information that can be manually collected.
3) Documents accessed on the system should show up in jump lists and (potentially) shellbag information stored in the users' ntuser.dat hive.
Here is Harlan's answer:
Sorry this is late, but I was at a couple of events yesterday starting at around 2pm...I'm not sending it in so much as a submission, but more to just provide my response...
*1. The same external drive was plugged into both systems
This type of analysis starts with the Enum\USBStor keys. I would locate the subkey that contained the device identifier for the external drive in question, and see if there is a serial number listed. If not, that's okay...we have other correlating information available. If there is a serial number pulled from the device firmware, then we're in luck.
Beneath the device serial number key, I can get information about when the device was first plugged in, from the LastWrite time to the LogConf key, as well as the Data value (FILETIME time stamp) from the \Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 subkey. I would correlate this time with the value in the setupapi.dev.log file, as well as with the first time for that device that I found in the Windows Event Log (for device connection events). I could then get subsequent connection times via the Windows Event Log, as well as the final connection time from the NTUSER.DAT hive for the user, via the MountPoints2 key (for the device, given the volume GUID from the MountedDevices key) LastWrite time value.
To be thorough, I would also check beneath the \Enum\WpdBusEnumRoot\UMB key for any volume subkeys whose names contained information (device ID, SN) about the device in question.
Getting the disk signature for the specific external drive can be difficult on Win7, using just the System hive file, as there is very little information to correlate the Enum\USBStor information to the information in the contents of the MountedDevices key. However, further analysis will be of use, so keep reading. ;-)
The "\Microsoft\Windows NT\CurrentVersion\EMDMgmt" key in the Software hive contains a good deal of information regarding both USB thumb drives and external drives; the subkeys will be identifiers for devices, and for external drives, you'd be interested in those that do NOT start with "_??_USBSTOR". The subkey names will have an identifier, as well as several underscores ("_"); if the name is split on underscores, the first to the last item, if there is one, will be the volume name, and the last item will be the volume serial number, listed in decimal format. This final value changes if the device is reformatted, but it wouldn't make any sense to copy files to the device, reformat, and then connect it to the target device, so we can assume that this information won't change between the two systems.
I could then use this information to correlate to LNK files in the Windows\Recent and Office\Recent folder within the user profile, as well as LNK streams within the user's *.automaticDestinations-ms Jump Lists.
At this point, I will have a drive letter that the external drive was mapped to, so I can then return to the MountedDevices key in the system hive, and by accessing available VSCs, locate one in which the drive letter was available for the ext. drive. This will provide me with the disk signature of the device itself, as well as the volume GUID.
At this point, I have device identifier, the device serial number, the volume serial number, potentially the disk signature, and the time(s) of when the external drive had been connected to the laptop. I can then use this information to correlate to the other system.
*2. What documents were copied onto the system
I would create a timeline of system activity, correlating file creation dates on the system with times when device was connected to the system, based on the time-based information provided in the response to #1 above.
*3. What documents were accessed on the system
The shellbags artifacts likely won't serve you much use this time, as on Win7, they tend to not contain the same sort (and volume) of information as they do on WinXP. However, I would start by looking at the shortcut/LNK files in the user's profile (Windows\Recent and Office\Recent), as well as Jump Lists. This information also helps us identify the application used to access the documents (Office, Adobe, etc). I would also, for clarity's sake, verify this information via Registry MRUs, even though some of them (ie, RecentDocs) will not contain full path information. However, now that we have information about the applications used (from the Jump Lists, after performing any required AppID lookups), I would be sure to examine any available application-specific MRUs.
Harlan gave a great answer but didn't get in on time, so the winner of a Specialist Track ticket to PFIC is Jonathan Turner. There is still more to be said on this topic though. I use specific operating systems for a reason as artifacts change between them and there are still artifacts and scenarios not clearly being shown even in both of these answers. When I'm done with the web 2.0 series I'll go into depth on it.
In the meantime, do you want to go to PFIC? I still have more tickets to give away next week. If two answers make it in on time that are both great (or I change the rules based on your feedback to extend the time), I can give away more than one! Tomorrow we resume the web 2.0 series and I hope you follow along as it continues to give me the motivation to keep these up daily! Only 316 more blogs before the year is up!
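The EMDMgmt correlation described in Harlan's answer, as an added example that is not part of either submitted answer: it splits EMDMgmt subkey names on underscores, converts the decimal volume serial number to the hex form, finds volumes present on both systems, and matches them against LNK records. All subkey names and LNK records are constructed, and the assumption is that your LNK/Jump List parser reports the volume serial as XXXX-XXXX hex.

```python
# Constructed subkey names; their shape follows the description in the answer.
LAPTOP_EMDMGMT = [
    "_??_USBSTOR#Disk&Ven_EXAMPLE&Prod_Stick#PLACEHOLDER&0#{guid}KEY_439041101",
    "EXTDRIVE-ID_BACKUP_3735928559",
]
OLD_EMPLOYER_EMDMGMT = ["EXTDRIVE-ID_BACKUP_3735928559", "OTHER-ID_11259375"]

# Constructed (lnk file, volume serial, target path) rows, as a LNK parser
# would report them for the user's Recent folders and Jump Lists.
LNK_RECORDS = [
    (r"Recent\pricing.xlsx.lnk", "DEAD-BEEF", r"F:\exports\pricing.xlsx"),
    (r"Recent\notes.docx.lnk", "0012-ABCD", r"C:\Users\user\notes.docx"),
]


def vsn_hex(decimal_text):
    """Decimal volume serial number -> 'XXXX-XXXX' hex."""
    value = int(decimal_text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit volume serial: {decimal_text}")
    return f"{value >> 16:04X}-{value & 0xFFFF:04X}"


def parse_emdmgmt(name, external_only=True):
    """Split a subkey name on underscores: last item is the serial (decimal),
    the item before it, if there is one beyond the identifier, the volume name."""
    if external_only and name.startswith("_??_USBSTOR"):
        return None                      # thumb-drive entry, skipped here
    items = name.split("_")
    if len(items) < 2 or not items[-1].isdigit():
        return None
    try:
        serial = vsn_hex(items[-1])
    except ValueError:
        return None
    return {
        "subkey": name,
        "volume_name": items[-2] if len(items) > 2 else "",
        "vsn": serial,
    }


def volumes(names, external_only=True):
    """Map volume serial -> parsed record for every usable subkey name."""
    parsed = (parse_emdmgmt(n, external_only) for n in names)
    return {rec["vsn"]: rec for rec in parsed if rec}


def shared_volumes(names_a, names_b):
    """Volume serials that appear in the EMDMgmt key of both systems."""
    return sorted(set(volumes(names_a)) & set(volumes(names_b)))


def lnk_hits(records, serials):
    """LNK rows whose volume serial matches one of the given serials."""
    wanted = {s.upper() for s in serials}
    return [row for row in records if row[1].upper() in wanted]


if __name__ == "__main__":
    common = shared_volumes(LAPTOP_EMDMGMT, OLD_EMPLOYER_EMDMGMT)
    print("volumes seen on both systems:", common)
    for lnk, serial, target in lnk_hits(LNK_RECORDS, common):
        print(f"{serial}  {lnk} -> {target}")
```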
In Case the Falcons Tear Down Friendship Baptist
It's beautiful. The institution itself has been REAL important for a long time though the buildings aren't particularly old.
The 2002 "Listed in National Register of Historic Places" plaque doesn't necessarily mean it's safe.
It's not in perfect condition, but it is in immaculate condition.
The gulch swallows it up. It's in such an open area, it doesn't have much visual impact until you get close.
The church is picturesque but the setting isn't. Friendship is a buffer between the Georgia Dome, the railroad gulch, Castleberry Hill, and the Atlanta University Center.
Go see.
The 2002 bronze plaque (2nd picture in this post) says 1866; this stone says 1862.
This is the 1968 cornerstone. This one says "1862" too.
The pastor's cornerstone says 1862.
This deserves more study but I was having a look around. Northside at Martin Luther King is an "amen corner" with four churches.
Mount Vernon Baptist Church would be a goner if they pick the south site but they aren't talking with the press so we don't hear much about it.
Central United Methodist Church is on the west side of Northside Drive. I presume it's not at risk from the stadium.
The West Mitchell CME Church is also safe. Pardon me for taking a picture of the back side. You can't always tell with moderns.
Go see.
Friday, July 26, 2013
Introducing Balthazar!
I don't know about you, but whenever I see a blogger posting about their pet (whether it be a kitten, bunny rabbit, dog or even hedgehog) I am immediately filled with delight and happiness and sigh a big fat 'awwhhh' out loud. Now, my mum and sister are allergic to cats and dogs (I would love nothing more than a little kitten running around at home) so for my whole life we have always had little hamsters! I've never done a post on hamsters before but thought I'd introduce you to the current cutest member of the Snooks family!
Having a staring contest (excuse the bare, no makeup face!)
Ladies and gents, I introduce you to Balthazar, the light of my life! Balth is coming up to two years old now so is turning into a little old girl, but she is still as energetic and loving as ever. Whenever I'm feeling down I just look to Balthazar and she instantly makes me happy. I'm the trainer of Snooks family hamsters and am always given the job of holding the hamsters first and teaching them not to bite, but Balth has been the only hamster we've ever had that has never bitten, ever! She loves cuddles and I like to feed her food whilst holding her (bonding sessions).
She had to have a little operation a few months ago as she had a little lump that kept growing on her ear, so a vet removed it and she has been happy (but silly looking) ever since and was so brave, running all over the place once she came round from the anaesthetic.
Our last little hamster was called Bishmael, who was equally as loved and adorable. You can watch a video of Bish and I here -
There we have it! I hope you enjoyed (and squealed 'awwh') at this post. I'd love to know if you have any little pets, tweet me a photograph! @katesnooks
Do you have a little hamster? What's your favourite pet to have?
xxxx
Thursday, July 25, 2013
How to find an old life insurance policy (and other unclaimed property)
Here are some quick tips. For more specifics and links, please see our brand-new "how to find an old life insurance policy" web page.
- Try to track down as much information as possible. You'll presumably know the name of the policyholder (any name changes?), and it also helps to know the state or states that the person lived in.
- Ideally, you'll be able to locate a copy of the policy itself, which will have a number on it. But sometimes there's a wrinkle: the insurance company or its name may have changed, especially for older policies. That can be a challenge, but your state's insurance department can probably help you track down the current company information. If you live in Washington state -- we're the state insurance regulator there -- feel free to call us at 1-800-562-6900 and talk to our consumer advocacy staff.
- If you can't find the policy, try going through the person's financial records, looking for payments made to an insurer. Also, look through old mail: the company may have sent periodic statements or billing reminders. It's also worth checking with the person's auto- or homeowners insurers, since people sometimes buy life insurance from the same company.
- You could opt to pay a search company to run a check for the person's name through industry databases or send queries to a large number of insurers.
- If a policy goes unclaimed for a long time, insurers are supposed to turn the money over to state-run unclaimed property programs. They hold the money, often forever, in case someone files a claim. You can easily run the person's name through these free, state-run online search sites. Washington state's is at http://ucp.dor.wa.gov, and you can easily find other states' unclaimed property programs at www.unclaimed.org.
- One other important tip: Many life insurance policies automatically end at a certain age.
Wednesday, July 24, 2013
Favourite Summer Nail Polishes!
I love choosing out makeup and nail polish shades for different seasons and decided to pick a whopping 18 nail polish shades that I adore for this summer. This post will be mainly picture heavy, but watch my video to see why I chose these particular shades out!
L-R Colour Club in London Calling, Bourjois in Green Fizz, Bourjois in Amande Defile, 17 Lasting Fix in Mint Choc Chip, China Glaze in Too Yacht To Handle, Bourjois in No Blues
L-R Deborah Lippmann in Lara's Theme, Mavala in Jaipur, Colour Club in Reign in Spain, 17 Lasting Fix in Orange Soda, Bourjois in Melon.
L-R Bourjois in Peach and Love, Pixi Glow in Pirouette Pink, China Glaze in Neon & On & On, Models Own in Pink Punch
L-R Colour Club in Pardon My French, 17 Lasting Fix in Parma Violet, China Glaze in That's Shore Bright.
I explain exactly why I love each polish and show more swatches of it in the video, so have a peek to see why I chose these babies out!
What are your favourite polishes for Summer?
xxx
Tuesday, July 23, 2013
The Low Museum's Very First Show - Gallery Opening on Monday!
Pastiche Lumumba's projected survey based on "Girl with a Pearl" hashtags was live and interactive.
The High Museum closes on Mondays. The Low Museum opens. You can't get a haircut or visit a gallery on Monday. But there I was last night for the very first show at The Low Museum of Contemporary Culture in the Old Fourth Ward.
It's brand new, an idea rather than a place, run by focused students rather than veteran mavens. (The Low Museum is on Facebook and on Twitter @TheLowMuseum.)
It was a gallery hop with only one hop. It takes a little courage to visit a gallery for the first time. Would I see anyone I knew?
The show - #MoreOfTheSame - featured hashtags: "...we are intrinsically aware of the fact that anything we do has been done before."
Clovice Holt, Chris Holloway, Pastiche Lumumba, Steffen Sornpao, Jordan Stubbs, Beau Torres.
This is the place, a gallery in a student's apartment on this odd row of houses on John Wesley Dobbs just off Boulevard. I was happy to see inside after all these years of drive-bys.
The living area became a gallery.
By Steffen Sornpao.
"Double Rothko" by Chris Holloway was huge and delightful.
You young folks will "get" the hashtag stuff. I'll have to study.
I think "Iconversation" by Clovice Holt is a work in progress. It's been getting attention around town.
Jordan Stubbs is the Low Gallery guy. This is his "Last Supper," one in a set of 9 works. The phone in a frame is part of the work. Esme Jarrell is in the "Last Supper" and the only person I knew. Thanks for saying hello Esme.
These outward looking gender-confused portraits at eye-level by Clovice Holt were in charge of the glamor.
These witty artist-at-work self-portraits by Beau Torres rewarded a long look.
The opening and the gallery worked. Folks kept arriving, doing the gallery-browse and gallery-chat.
It was breezy on the porch and we needed it.
Time to go. I switched to architecture tourist mode. The building is at a high point on the Boulevard corridor, on a wide street with a view of downtown. It feels open and airy.
I wondered about this side-facing ghost portico next door.
It was nice to get a close look. I watched it being built in 2004. It never really clicked with me though I liked the geometry, the innie/outie curves, and the scored bands. And who can resist a red awning? Last night I decided that the rustic California-style stucco finish muddied the crisp lines. Was the designer on vacation when they did the stucco?
Thanks for an interesting Monday.
COBRA and Medicare: How to avoid a common (and costly) mistake
Here's why: Health insurers generally include language in their policies that says they can refuse to pay bills if they find out that you stayed on COBRA coverage after you were eligible for Medicare.
A lot of consumers get caught in this trap. Many people who are on COBRA don't know that they should sign up for Medicare when they become eligible. Instead, they assume that COBRA will continue to pay their medical bills, so they delay signing up for Medicare until their COBRA coverage ends.
Then, months after becoming eligible for Medicare, they find out that their COBRA plan is refusing to pay for medical care that the consumer already received. They can't backdate their Medicare enrollment, so they're stuck with those medical bills. Yikes.
Don't get caught in this trap. If you're on COBRA and become eligible for Medicare, sign up.
Saturday, July 20, 2013
"My doctor says I need a treatment, but my insurer won't cover it. What can I do?"
A: Yes, there definitely is. Contact your health insurer, tell them you want to file an appeal, and ask what you need to do to start the process.
Then collect materials to support your argument, such as letters from your doctors describing why this is the best treatment for you, any medical journal articles or studies showing the treatment's effectiveness, etc.
You may also want to point out the health problems that will or can arise if the company doesn't pay for the treatment. Be sure to provide an estimate of the costs of treating those problems, especially if those costs would be significantly higher than paying for the treatment.
After you send in your appeal to your insurer, don't give up. Most people don't win the first round, but the odds of winning increase as you reach higher levels of appeals. The chance of winning is highest when your appeal reaches the final level, called an "independent review organization."
For more tips on appeals, including templates, sample letters and detailed pointers, please see the appeals section of our website or call our consumer advocates at 1-800-562-6900. (If you live in a state other than Washington, please contact your own state's insurance department.)