Belkasoft Helps Find a Missing Girl

We continue to publish stories on how Belkasoft Evidence Center helps law enforcement in their work. Today’s story is about a teenage girl who went missing from her parents’ home.

The story begins on a dark December night when a 13-year-old girl had a conflict with her parents. She slipped through the door and silently vanished into the darkness. For two full days the girl was missing. Though her parents reported to the police almost immediately when they did not find her in her bed in the morning, the search gave no results. The police checked every place where the girl could naturally hide, including her school, her close friends, and even the dancing club where the teenager was practicing her dance skills. After that they ran out of ideas.

Time was working against the police. The parents started suspecting their daughter had been kidnapped. The more time passed, the more worried they became.

Kaspersky story

Their fears were substantiated. A story of Kaspersky’s son being kidnapped just a few months ago hit the news in Russia. The father is the owner of Kaspersky Lab, a well-known anti-virus company. The kidnappers demanded a high ransom. The police freed Kaspersky’s 20-year-old son after analyzing the phone calls and identifying an address in Moscow where he was being held (see,2817,2384235,00.asp).

With stories of this kind floating around, her parents became restless.

Analyzing the Digital Media

Meanwhile, the digital department of the city police took the girl’s personal laptop into a lab for investigation. The computer was analyzed by the Russian high-tech crime unit (called the “K” unit). Immediately after waking up the laptop, the investigators captured its memory dump with Belkasoft Live RAM Capturer. This tool is used by all digital detectives in Russia to prepare a live RAM dump for further analysis.

Acquiring a memory dump with free Belkasoft Live RAM Capturer

A computer’s volatile memory may contain the most recent evidence, such as last-minute chats or messages sent and received in social networks. And this was what the police discovered. The high-tech crime specialists found a number of chats made in the “VK” (“Vkontakte”) social network.

Vkontakte

Vkontakte (translated as “in touch”) is the largest social network in Russia and the second largest in Europe, with hundreds of millions of registered accounts. This social network is even more popular in Russia than Facebook. Literally everyone in the country has an account there, except, perhaps, some senior people. Almost 100% of the youngsters have an account on Vkontakte.

Checking the girl’s own account was among the first things her parents did, with no success. However, the chats found with the help of Live RAM Analysis appeared strange to the parents. The chats did not originate from the girl’s account.

Portable Version of Evidence Center in Action

In Russia, the police have special powers when it comes to investigating cases of kidnapping. In particular, the police can legally investigate the user’s live PCs. In this case, the police investigated a working computer instead of a disk image. The investigation was conducted with the help of Belkasoft Evidence Center Portable, which is routinely used in field conditions to analyze live systems. The Portable version runs from a USB flash drive and does not require installation.

The analysis of the girl’s computer revealed a strange thing. Some messages were sent from that computer from an unidentified social network account. Confusingly, that account appeared to belong to a male adult. The tricky teenager was hiding her secret messages from her parents and from the police.

The next step was finding a password to that account. Knowing the account name, the investigators used Belkasoft Evidence Center Portable to parse Chrome password storage, and bingo! They discovered a cached password to that very account. The police logged in to that account using the newly discovered credentials.

Logging in to that VK account, the experts saw a conversation with another nickname. The girl’s parents were able to identify the nickname as one of their daughter’s friends. As it turned out, the girl had made an arrangement to spend a few nights with her friend on the condition of not telling her parents.

Apparently, she was hiding with her classmate. A special response unit was sent to her classmate, and the missing girl was retrieved and safely returned home.

End of story, a happy end. And what’s the most amazing thing here? For two full days, the police were trying to find the missing girl with traditional methods, and failed. The high-tech unit equipped with Belkasoft tools was able to locate her in less than 30 minutes. The products they used were Belkasoft Evidence Center Portable and Belkasoft Live RAM Capturer.

Download Belkasoft Evidence Center

Download Live RAM Capturer
