Belkasoft Helps Solve Drug Trafficking Case

This was a real case investigated in 2013. All images, snapshots and advertisements appearing in this story are real. They were used by the convicts to advertise their “goods” and communicate with their buyers.

What caught attention of a law enforcement officer was this ad (at the right) advertising “spice” and “free trials”. The ad appeared on the streets, sprayed in the course of the night. This turned out to be a drug dealer selling so-called “designer drugs” over the Internet.

What is “designer drugs”? These are often sold from ordinary looking online stores. The drugs are frequently labeled as “bath salts”, “cactus fertilizers”, “shoe polish” or “aquarium fish food”. These drugs are specifically designed to circumvent the restrictions imposed by the list of prohibited substances, and contain no chemical structures exactly matching those of available (and prohibited) drugs.

In this case, the drugs were sold via street advertising containing Skype and ICQ contacts, and advertised on Facebook. The dealer communicated with their customers via Skype and ICQ. The Facebook account contained images of the “goods”. The presence of a toll-free (8-800) number is a sign of a semi-legal “grey market”, although in this particular case the toll-free number itself was registered to a fake identity (a “dead soul”) and pointed to a voicemail system.

Considering the amount of contact information available to the police, the suspect was quickly identified and arrested, with his computer seized for an investigation. Apparently, the suspect used elevated security settings, so no immediately visible Skype or ICQ histories were discovered after a quick manual search.

Facebook communications were performed with the browser’s InPrivate mode enabled, which leaves no cached items, no cookies and no history files on the hard drive.

When it came to Belkasoft Evidence Center, the following was available:

The analysis of the E01 hard drive image with Evidence Center returned no data relevant to the investigation due to the elevated security settings used by the suspect. The analysis of the page file revealed some traces of information including fragments of chat conversations. However, that was not nearly enough. The only remaining hope was analyzing the memory dump.

When given a chance, we always talk about the importance of obtaining a memory dump when acquiring a suspect’s PC. Memory dumps tend to contain essential volatile evidence, often allowing investigators establish the necessary links when there is little or no evidence available on the hard drive. To make it easier for investigators to acquire a memory dump, we released Belkasoft Live RAM Capturer about a year ago. Since then, this tool has been used by law enforcement personnell. This is the first live report we received on our tool helping solve a real trafficking case.

The investigator used the Live RAM Analysis function of Belkasoft Evidence Center, with “BelkaCarving” option turned on to ensure that all relevant data is extracted even if fragmented. This is how it works:

BelkaCarving is off BelkaCarving is on

Long story short, the investigator was able to extract numerous Skype chats, a Facebook URL pointing to the page that advertised the drugs, and copies of cached Facebook pages containing images of the samples.

This information, combined, helped the investigator to establish a definite connection between the suspect and the Facebook account used to advertise designer drugs. In addition, evidence of communication between the suspect and their customers was acquired.

This investigation completed in 2013. At the time, two dealers were arrested, and more than 30 kilograms of designer drugs seized. Distributed in 1 gram packets, this constitutes some 30,000 doses – enough to kill several hundred addicts in one year.

Belkasoft Evidence Center 2014

The tool used to perform this investigation was Belkasoft Evidence Center 2014, Ultimate edition:

With Belkasoft Evidence Center, investigators can discover many types of evidence located on the suspect’s hard drive, drive images and memory dumps. Supporting Windows, Linux and Mac OS X, it can analyze all types of storage devices, forensic images in all popular formats, the content of virtual machines, volatile and virtual memory, captured network traffic and the content of mobile devices including backups, chip-off images and UFED dumps.

Request a quote

Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: