Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Ryan S. Lin: Cyber Stalking, VPNs and Digital Forensics


          October 6, 2017 Sketch by Jane Flavell Collins

 

A minion of mine was tasked with choosing a news story about INFOSEC this week to talk about in our weekly threat intel calls and chose a story about a cyber stalker who was in the news this month. Ryan S. Lin, a graduate of RPI, has been charged with numerous counts that involve everything from cyber stalking, to child pornography, to wire fraud. Lin pleaded guilty on October 6th and the story featured the affidavit by the FBI special agent who worked the case. This is a long and twisted tale of stalking a former roommate online that spiraled out to numerous people around that target individual as well. The psychological damage to the parties involved must be pretty bad and the whole affair is quite messed up, but I wanted to share this all with you in the INFOSEC field because of the work the FBI and local PD did in Waltham, Newton, and the other areas where these events took place. I also wanted to cover some of the OPSEC and psychology concerning this case and the old school detective work done by the FBI.

Full Story:

Ryan Lin, the stalker in this case, seems to have been a mentally disturbed individual showing signs of that instability going all the way back to his high school years in Connecticut. His abuse of people online and off seems to stem mostly from his inability to form real relationships with people, and he likely has some sort of personality disorder. However, this is no excuse for his actions, and I have yet to hear that there has been any kind of psychological evaluation of him during his intake into prison. If indeed he does not have some mental disorders, then we can just chalk up his actions from his teens on in this regard to a malignant personality with a bent toward what seems to border on “incel” behavior.

In the case that brought him to court he was charged with cyber stalking, which consisted of the following:

  • He accessed his female roommate’s MacBook and her Google Drive
  • He began a campaign of abuse online that included:
    • Impersonation of the roommate sending lewd and threatening texts to family, friends, and coworkers
    • Creating multiple personas online to directly harass the roommate
    • Sending child pornography
    • Sending threatening texts (rape, gangbang, death threats)
    • Sending threatening texts (bomb threats) as the target roommate
    • Sending messages alleging as the roommate that she killed people’s pets
    • Wire fraud accessing the roommate’s bank accounts and transferring funds

Lin used the usual means to try to cover his trail online in that he used TOR, VPN services, and anonymous text services as well as cutout accounts online created using all these tools. All of these efforts though only delayed his discovery as the assailant because in the end, his actions directly led the FBI to him outside of the technological means of covering up his tracks. It is quite clear when you read the affidavit by the special agent involved in the case, that Lin, for all his security measures, was incapable of being sagacious enough to leave real doubt that he was in fact the attacker.

  • Lin used the roommate’s diary, which was on the Google Drive accessible from her unsecured laptop, to send direct commentary AS HIMSELF citing the diary, which she had not shared with anyone
  • Lin was incapable of acting out about this roommate and seemed fixated on her while in the house they shared
  • Lin’s actions started once she refused to sell him pot, after the first time she did ended up with him accosting her in her room at 3am, out of his mind from drugs
  • Lin was incapable of separating his dual lives/actions online, where he had dialog about the very same VPN services he used to carry out the attacks as well as slyly taunting about the ongoing spate of bomb threats in Waltham and Newton, where he lived

It is my belief that Lin, a student of RPI and a computer programmer, was mentally impaired enough to be unable to separate these activities from the rest of his online and offline life, in a manner that befits what is called in criminal profiling “a disorganized personality”, which led to his downfall. Overall, the problems of OPSEC today that we in the community often talk about with regard to online actors can be clearly seen failing in this case. I have said many times in my blog and elsewhere that OPSEC always will fail because of human nature, and in some cases that human nature (or undiagnosed mental illness) will eventually give you up to the dogged investigator.

 

 

In the Lin case, it is important to note that it wasn’t JUST the collection of IP address evidence that led to Lin in the end; it was good old-fashioned gumshoe interviews and forensics. When the FBI went to Lin’s employer, after it became clear just from circumstantial evidence that he was a prime suspect, they learned that he had just been let go. It seems that Lin had been acting strangely at work as well, and when he was let go, he asked if he could log out of “personal accounts” on the laptop. The company declined that and then turned over the laptop to IT for re-image.

Now I know what you are thinking… It got re-imaged and game over right?

Nope.

The FBI was able to get the laptop either by warrant, or I think more likely, was just handed over after being asked by the employer. The laptop had indeed been re-imaged but FBI forensics was able to pull incriminating evidence from the slack space even afterwards. What they found was a number of data points that showed Lin had been using the corporate asset for his attacks on the roommate.

  • VPN software and traffic
  • Browser cache data
  • Logins/software for the anonymous texting service used in the threats (bomb threats too)

This evidence was key: it let the FBI marry up this information with his online posts on Twitter and Facebook, as well as the VPN logs, which led to his arrest. See kids, if you use a VPN there is a high chance that your raw IP is going to be logged against your VPN pool address for the times you were online and used as evidence. Many Anons seem to have learned that lesson but I guess everyone has yet to catch up. Lin, a computer science grad from RPI, thought he could hide his traces but even he was wrong.
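The correlation described above, as an added example that is not from the original post or the affidavit: it matches the address and time a receiving service logged against VPN session records to recover the raw client IP. The log formats, field order, IPs and timestamps are constructed assumptions, and the last event shows why overlapping sessions on a shared pool address cannot be attributed on their own.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (documentation IP ranges, invented timestamps, UTC).
# Assumed VPN session log format: raw client IP, assigned pool IP, connect, disconnect.
VPN_SESSIONS = """\
198.51.100.23,203.0.113.7,2017-01-10T01:55:00,2017-01-10T03:10:00
198.51.100.88,203.0.113.7,2017-01-10T03:30:00,2017-01-10T04:00:00
198.51.100.23,203.0.113.9,2017-01-12T22:00:00,2017-01-12T23:45:00
192.0.2.140,203.0.113.9,2017-01-12T23:40:00,2017-01-13T00:30:00
"""
# Assumed event log from the receiving service: event id, source IP seen, time.
EVENTS = """\
msg-001,203.0.113.7,2017-01-10T02:14:09
msg-002,203.0.113.9,2017-01-12T22:31:40
msg-003,203.0.113.9,2017-01-12T23:42:10
msg-004,203.0.113.7,2017-01-11T09:00:00
"""

def parse_sessions(text):
    """Parse session lines into (raw_ip, pool_ip, start, end) tuples."""
    rows = []
    for line in text.strip().splitlines():
        raw, pool, start, end = line.split(",")
        rows.append((raw, pool, datetime.fromisoformat(start),
                     datetime.fromisoformat(end)))
    return rows

def correlate(events_text, sessions, skew=timedelta(seconds=60)):
    """Map each event to the raw IPs whose session on that pool IP covers its time."""
    result = {}
    for line in events_text.strip().splitlines():
        event_id, seen_ip, ts = line.split(",")
        when = datetime.fromisoformat(ts)
        # skew absorbs small clock differences between the two log sources
        result[event_id] = sorted({raw for raw, pool, start, end in sessions
                                   if pool == seen_ip
                                   and start - skew <= when <= end + skew})
    return result

def attributable(matches):
    """Count only events that resolve to exactly one raw IP."""
    return Counter(ips[0] for ips in matches.values() if len(ips) == 1)

if __name__ == "__main__":
    matches = correlate(EVENTS, parse_sessions(VPN_SESSIONS))
    for event_id, ips in matches.items():
        print(event_id, ips or "no session on record")
    print(attributable(matches))
```
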

Take heed those who want to do bad things because eventually you will screw up and you will be caught.

I suggest you all read the affidavit for more detail.

Lin affidavit

In closing I just wanted to share this with you all as a lesson learned and as an appreciation of the world of digital forensics. As someone who does forensics as part of my daily job, I have to tell you all it is one of the more interesting parts of my day. I do love uncovering evidence and creating narratives that lead to wrongdoers getting their comeuppance, as they say. I also wanted to once again point out that there are many avenues of investigation that even a digital forensics practitioner can employ in their day to day. Consider the psychology of the actor and their patterns of behavior. Oftentimes I have a portion of my mind that is working that angle as I work on a forensic image in cases.

What actions would this person take given what I have seen so far?

What are the motives?

How would I do things were I them?

These are all questions that should be asked when performing work like this. They may lead you to some answers that you can back up with forensic evidence. All of this plays out with Threat Intelligence and intelligence analysis as well. Look at the larger picture, kids; just don’t get buried in the bits and bytes.

K.

Written by Krypt3ia

2018/10/13 at 14:16
