<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;D0YAQHk6eyp7ImA9WxFbFEo.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870</id><updated>2010-07-06T22:59:01.713-05:00</updated><title>Binary Intelligence</title><subtitle type="html">...thoughts and news on digital forensics, pentesting, electronic investigations, and the computer underground.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.binint.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://www.binint.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>83</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/binint" /><feedburner:info uri="binint" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry 
gd:etag="W/&quot;CUEBQHgyeCp7ImA9WxFWFE4.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-354829330154682339</id><published>2010-06-01T16:16:00.004-05:00</published><updated>2010-06-01T18:07:31.690-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-06-01T18:07:31.690-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="regripper" /><category scheme="http://www.blogger.com/atom/ns#" term="forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="triage" /><title>Turning RegRipper into WindowsRipper</title><content type="html">&lt;span class="Apple-style-span" style="line-height: 13px; "&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;a href="http://windowsir.blogspot.com/" target="_blank" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; outline-style: none; outline-width: initial; outline-color: initial; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="color:#999999;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;Harlan Carvey&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="color:#999999;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt; has given us a great tool in &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a 
href="http://regripper.net/" target="_blank" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; outline-style: none; outline-width: initial; outline-color: initial; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="color:#999999;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;RegRipper&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="color:#999999;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt; and it’s undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose – parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry. 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="line-height: 20px; "&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="color:#999999;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="line-height: 20px; "&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;a href="http://mattchurchill.net/2010/06/windowsripper/"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="color:#999999;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;Read on and watch the video to see just what WindowsRipper could become.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-354829330154682339?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/9w1DOesKM5k" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/354829330154682339/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2010/06/turning-regripper-into-windowsripper.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/7818304882757061870/posts/default/354829330154682339?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/354829330154682339?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/9w1DOesKM5k/turning-regripper-into-windowsripper.html" title="Turning RegRipper into WindowsRipper" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2010/06/turning-regripper-into-windowsripper.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEIER3Y6fSp7ImA9WxFQGEs.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-737068313552759763</id><published>2010-05-14T14:44:00.003-05:00</published><updated>2010-05-14T14:48:26.815-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-05-14T14:48:26.815-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ip address" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>What Can Happen With Just an IP Address</title><content type="html">&lt;span class="Apple-style-span" style="font-family: Tahoma, Verdana, Arial, sans-serif; color: rgb(51, 51, 51); font-size: 12px; line-height: 21px; "&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; vertical-align: baseline; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;After the 
Facebook post last week, much of the backlash consisted of, "Who cares if someone has my IP address? That information is almost always out there." Well, &lt;a href="http://www.attackvector.org/?p=173"&gt;here is a great example&lt;/a&gt; of what someone can do with an IP address.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; vertical-align: baseline; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; vertical-align: baseline; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Here’s something to really think about.. 
I was able to obtain all of the information in this post for 16 cents and by just using an email and IP address from a piece of spam.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; vertical-align: baseline; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Family members, ages, schools, anniversary dates, marriage lengths, hobbies, interests, phone numbers, addresses, property records, property taxes, pictures of their house, pictures of them, pictures of their children and grandchildren, deeds on their house, bankruptcies, employment history, previous addresses, previous creditors, and bits of social security numbers.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; vertical-align: baseline; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;I’m pretty sure I’d be able to fake my way through one of those password reset forms.. 
you know, where you set up a “secret question” asking what your dogs name was, or where you went to school?&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; vertical-align: baseline; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Beyond that, I’m fairly confident that at this point, if I were to call his bank and pretend to be him, I could easily pass when they asked me personal questions.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; vertical-align: baseline; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-737068313552759763?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/t-NrwUzcMF0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/737068313552759763/comments/default" title="Post Comments" /><link rel="replies" type="text/html" 
href="http://www.binint.com/2010/05/what-can-happen-with-just-ip-address.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/737068313552759763?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/737068313552759763?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/t-NrwUzcMF0/what-can-happen-with-just-ip-address.html" title="What Can Happen With Just an IP Address" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>1</thr:total><feedburner:origLink>http://www.binint.com/2010/05/what-can-happen-with-just-ip-address.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ck4NQn49eyp7ImA9WxFQGEs.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-9092249224280572942</id><published>2010-05-14T13:08:00.004-05:00</published><updated>2010-05-14T13:16:33.063-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-05-14T13:16:33.063-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="regripper" /><category scheme="http://www.blogger.com/atom/ns#" term="forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="registry" /><title>Run RegRipper Against a Mounted Drive</title><content type="html">&lt;div&gt;This post was written by guest blogger Adam James. 
Please feel free to post any questions or comments for him on this blog.&lt;/div&gt;&lt;div&gt;-------------------------------------------------&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Modifying RegRipper to automatically run against a selected mounted drive.&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;When using RegRipper I began running into user to computer interface problems. Namely, for some reason I would select a hive file to process, but forget to tell RegRipper what plugin file to use against it. After doing this several dozen times and having to rerun the reports after realizing I had done it, I started thinking about ways to modify RegRipper to alleviate my obvious “stupid” user issues. I figured since I can’t remember to select the plugin types I want, why can’t the program just throw all the available plugins against the hive and determine which ones should work against it. Then that got me thinking… for that matter why am “I” having to know where all these registry hives are at. I have to extract them from an image, remember where I took them from, and then run RegRipper against each one. That is way too much work. I wish RegRipper would just do that all for me so I can do what I really care about, look at the great output from the program.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;To accomplish this task there were a couple of problems that needed to be solved. The rest of this post will be about how a proof of concept that I did solved these problems.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Problems:&lt;/div&gt;&lt;div&gt;1.RegRipper is intended to only run plugins against a single and specified type of registry hive. 
The plugins can be run against any single hive; it is just not likely that any of the key/value pairs will be successfully found if the hive is not of the correct type.&lt;/div&gt;&lt;div&gt;2.RegRipper expects the user to know the location of each registry hive that needs to be processed.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Potential Solutions:&lt;/div&gt;&lt;div&gt;1.Modify RegRipper to allow the user to select one or more registry hives. Have RegRipper attempt to determine each hive’s type and then run only the plugins that are intended for that hive against it. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is pretty easy… right? All we need to do is (a)come up with some code to determine a hive file type, (b)programmatically determine what hive type a plugin is supposed to run against, (c)allow the user to select multiple hives, and then (d)iterate through all of the hives. That doesn’t seem too bad. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;a.To determine the hive type, Harlan has already provided us with code in rip.pl that tries to guess the hive type, so that is done, we just need to add it to RegRipper. For my proof of concept I came up with a similar way, I just used different keys. (starts at line 563 of code)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;b.To determine the hive each plugin should be run against, the basic design of RegRipper could be used. In each plugin the developer can specify what hive types the plugin should be run against. You could just pull the %config=&gt;hive value from the plugin and use that. When reviewing the plugins I noticed that some could be potentially run against multiple hive types. I figured to keep closer to the current user experience it might be a better idea to still allow users to create their own plugin files, so I came up with my own format. 
Instead of putting just the plugin name in the plugin file, place the hive type you want to run it against in front of it. ie: “system:usbstor”. I had to modify the main RegRipper code to parse the new plugin file format, and also keep it backward compatible with the current plugin file format. (starts at line 434 of the code)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;c.To allow the user to select multiple hive files an additional perl module is required. I used the FileOp::OpenDialog which allows the user to select multiple files. (line 251 of the code)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;d.Since selecting multiple files with the OpenDialog returns an array of file names looping through them is easy to implement. (line 267 of the code)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So the first problem has been successfully solved and I no longer have to remember to change the plugin file type each time I run RegRipper against a new hive. As a side benefit I can run RegRipper against all of my exported hive files all at once if I want to also. Now on to the next problem.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;2.Modify RegRipper to allow it to be run against a mounted drive. Have the program find all of the relevant hive files on the system and process them in a systematic manner.&lt;/div&gt;&lt;div&gt;Now this one looks a little more difficult… maybe? Ok, so we need to (a)allow the user to select a drive letter to run against, (b)grab the basic hive files from windows\system32\config, (c)parse the software hive for a list of profiles and grab the NTUSER.DAT file for each profile, (d)then iterate through all of the identified registry files. Shouldn’t be too tough, I guess.&lt;/div&gt;&lt;div&gt;a.To allow the user to specify running RegRipper against a mounted drive I added a checkbox to the GUI. 
When this box is checked the BrowseForFolder option from the FileOp perl module is used. (line 605 of the code)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;b.Grabbing the basic hives from the mounted drive is a little more difficult than it first looks. Sure the standard location is C:\Windows\System32\config. I first tried this, but when running it on actual cases ran into some issues. Seems some of our corporate clients for some reason have created their own golden images that put the %systemroot% at somewhere other than C:\Windows such as C:\Win. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Now this creates a little bit of an issue, as it messes up what should have been an easy step. To resolve this on Windows XP the %systemroot% can be determined from the boot.ini file in a fairly straightforward manner. (starts at line 639 of the code) To resolve this issue in Vista and beyond is a little more difficult. The boot configurations are now stored in a registry hive called the BCD. So you have to parse the GUID and element key/value pairs to get the value that specifies the %systemroot%. (starts at line 614 of the code) If you want to replicate what is in the code I provided a link at the end of this post that should provide the relevant information about the BCD.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Lastly I tossed in some extra code just in case the boot.ini and BCD registry hives can’t be found to default to windows\system32\config. Cause it never hurts to try if nothing else was found. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;c.To determine the profiles on the system Harlan has already provided the code in the profilelist plugin. I used a modification of that code to grab all of the NTUSER.DAT files. (starts at line 690 of the code).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;d.The issue of iterating through multiple hive files was solved in the previous problem. 
For this I just had to make sure each hive file found was placed in an array to be processed. (line 267 of the code, again)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For me the proof of concept works. It is definitely a rough cut in my opinion, but the source is all there and this post explains the process if anyone wants to make improvements. I am not totally sure I really like the output file that this proof of concept results in, but it is a start. Drastically changing the output options of RegRipper is probably a more difficult undertaking than making it run against a mounted drive, so it may not be worth it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Links&lt;/div&gt;&lt;div&gt;&lt;a href="http://regripper.net/?page_id=150"&gt;http://regripper.net/?page_id=150&lt;/a&gt; (download the code)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://search.cpan.org/~jenda/Win32-FileOp-0.14.1/FileOp.pm"&gt;http://search.cpan.org/~jenda/Win32-FileOp-0.14.1/FileOp.pm&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://ezinearticles.com/?Windows-Vista-Boot-Process-Overview&amp;amp;id=794745"&gt;http://ezinearticles.com/?Windows-Vista-Boot-Process-Overview&amp;amp;id=794745&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.geoffchappell.com/viewer.htm?doc=notes/windows/boot/bcd/index.htm&amp;amp;tx=5"&gt;http://www.geoffchappell.com/viewer.htm?doc=notes/windows/boot/bcd/index.htm&amp;amp;tx=5&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-9092249224280572942?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/smtB7v08zuY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" 
href="http://www.binint.com/feeds/9092249224280572942/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2010/05/run-regripper-against-mounted-drive.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/9092249224280572942?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/9092249224280572942?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/smtB7v08zuY/run-regripper-against-mounted-drive.html" title="Run RegRipper Against a Mounted Drive" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2010/05/run-regripper-against-mounted-drive.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkUMSXc6cCp7ImA9WxFQFUQ.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-5467522543147424858</id><published>2010-05-09T13:12:00.008-05:00</published><updated>2010-05-11T10:04:48.918-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-05-11T10:04:48.918-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="vpn" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Free VPN Accounts</title><content type="html">&lt;div&gt;The last post about Facebook including users' IP addresses in notification emails got a lot of traffic. We also sent quite a bit of traffic to &lt;a href="http://myiptest.com/"&gt;myiptest.com&lt;/a&gt; through the link provided in the story. 
Adrian from &lt;a href="http://myiptest.com/"&gt;myiptest.com&lt;/a&gt; contacted me about VPN access as he also helps run &lt;a href="http://hideipvpn.com/"&gt;hideipvpn.com&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The benefits of using a VPN or proxy service are clear. Your personal IP address won't be seen by the sites you visit and it can help protect your privacy. Keep in mind that the VPN or proxy provider itself still sees your real IP address and your traffic, so the choice of provider matters. If you were using a VPN/proxy service, you wouldn't have been affected by the Facebook notification email problem. If you need more info on VPNs, visit the Wikipedia articles for &lt;a href="http://en.wikipedia.org/wiki/Virtual_private_network"&gt;VPN&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Proxy_server"&gt;Proxy servers&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I have not used the services of &lt;a href="http://hideipvpn.com/"&gt;hideipvpn.com&lt;/a&gt; yet and hadn't heard of them before, but I did check out their &lt;a href="http://www.hideipvpn.com/privacy-policy/"&gt;privacy policy&lt;/a&gt; and &lt;a href="http://www.hideipvpn.com/terms-of-service/"&gt;terms of service&lt;/a&gt;. Both seem to be standard and I didn't see anything concerning, but I always suggest checking them out for yourself. As with anything else, use at your own risk. You can also see some reviews of their service &lt;a href="http://myvpnreviews.com/hideipvpn/#reviews"&gt;here&lt;/a&gt; and &lt;a href="http://hide-ip-tools.com/hideipvpn/"&gt;here&lt;/a&gt;. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Adrian was kind enough to set aside 25 free accounts for readers of this blog. For full disclosure, he also promised me use of a premium/paid account.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Since there is no reason to turn down a free account, go &lt;a href="https://billing.hideipvpn.com/cart.php?a=add&amp;amp;pid=10&amp;amp;promocode=BININT"&gt;grab one from here&lt;/a&gt;. 
If you don't make it in time to get one of these accounts, check out the &lt;a href="http://www.hideipvpn.com/blog/"&gt;hideipvpn.com blog&lt;/a&gt; for future chances. You can also &lt;a href="http://twitter.com/hideipvpn"&gt;follow them on Twitter&lt;/a&gt;. Please let me know how things go and leave me a comment about what you think of their service.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Update&lt;/b&gt;: Be aware that during the sign-up process your passwords will be emailed to you in plain text. They also seem to be stored on the &lt;a href="http://hideipvpn.com"&gt;hideipvpn.com&lt;/a&gt;'s servers in plain text. Use a unique password for this site and make sure you don't use it anywhere else.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It also looks like they never validate your Google Checkout or Paypal account since it will never be charged.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-5467522543147424858?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/WHI9TfrLhbM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/5467522543147424858/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2010/05/free-vpn-accounts.html#comment-form" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/5467522543147424858?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/5467522543147424858?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/WHI9TfrLhbM/free-vpn-accounts.html" title="Free VPN Accounts" /><author><name>Matt 
C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>4</thr:total><feedburner:origLink>http://www.binint.com/2010/05/free-vpn-accounts.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEMCQn46fCp7ImA9WxFQE0k.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-4053445164098026382</id><published>2010-05-07T16:13:00.004-05:00</published><updated>2010-05-08T13:14:23.014-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-05-08T13:14:23.014-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="fail" /><category scheme="http://www.blogger.com/atom/ns#" term="facebook" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Facebook Leaks IP Addresses</title><content type="html">&lt;div&gt;&lt;b&gt;Update&lt;/b&gt;: It looks like Facebook fixed the default behavior of the sent emails. Your IP Address is no longer included in the notification emails. I will give Facebook credit that they solved this in less than 24 hours. Now, if they can just shore up some of the other issues...&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Original Post&lt;/b&gt;:&lt;/div&gt;Facebook has nice email notifications whenever a friend comments on your status, sends you a message, or a variety of other reasons. The emails have subjects similar to "John Doe commented on your wall post." 
The unfortunate thing is that this email also appears to contain John Doe's (or your other friend's) IP address.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The email headers contain a line similar to:&lt;/div&gt;&lt;div&gt; &lt;span class="Apple-style-span"   style="  white-space: pre-wrap; font-family:monospace;font-size:medium;"&gt;X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:monospace;"&gt;&lt;span class="Apple-style-span"  style="white-space: pre-wrap; font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;The bracketed value is just your friend's IP address encoded in Base64, which is an encoding rather than encryption, so anyone who receives the email can recover it. Copy this line out and feed it to this page:&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.myiptest.com/staticpages/index.php/trace-email-sender"&gt;http://www.myiptest.com/staticpages/index.php/trace-email-sender&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;You will get the IP address of your friend and clicking on it will get a geolocation-based map. This will also show you if your friend used their cell phone to post and who they use as their service provider.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This information is great when a &lt;a href="http://gawker.com/5435993/facebook-fugitive-taunts-cops-with-pictures-and-status-updates"&gt;fugitive is taunting law enforcement&lt;/a&gt; through their Facebook page, but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This isn't the end of the world compared to some of Facebook's other privacy problems, however, there is simply no need for Facebook to include these IP addresses and it should be quickly fixed.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-4053445164098026382?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/rZ9KJbF7o0Y" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/4053445164098026382/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2010/05/facebook-leaks-ip-addresses.html#comment-form" title="29 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/4053445164098026382?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/4053445164098026382?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/rZ9KJbF7o0Y/facebook-leaks-ip-addresses.html" title="Facebook Leaks IP Addresses" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>29</thr:total><feedburner:origLink>http://www.binint.com/2010/05/facebook-leaks-ip-addresses.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0cDQ345eip7ImA9WxBXFE4.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-3263882906788851497</id><published>2010-01-25T11:00:00.002-06:00</published><updated>2010-01-25T11:04:32.022-06:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2010-01-25T11:04:32.022-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="blog" /><category scheme="http://www.blogger.com/atom/ns#" term="authors" /><title>Looking for new Authors</title><content type="html">Hi all...&lt;br /&gt;&lt;br /&gt;I just don't seem to write as many posts as I'd like, but I don't want this space to go to waste. If you have some topics you'd like to write about, please let me know. I'd love to add some new authors to this blog.&lt;br /&gt;&lt;br /&gt;Let me know at matt @ binint.com or DM on Twitter &lt;a href="http://www.twitter.com/_remnant_"&gt;@_remnant_&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-3263882906788851497?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/Kqrz5NUspms" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/3263882906788851497/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2010/01/looking-for-new-authors.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/3263882906788851497?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/3263882906788851497?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/Kqrz5NUspms/looking-for-new-authors.html" title="Looking for new Authors" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" 
/></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2010/01/looking-for-new-authors.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUUBQHo9eCp7ImA9WxBTE0Q.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-3812367233527499373</id><published>2009-12-09T15:25:00.005-06:00</published><updated>2009-12-09T16:20:51.460-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-09T16:20:51.460-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="facebook" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Guide to Changing Your Facebook Privacy Options</title><content type="html">Facebook is rolling out the new Privacy options today. There are a couple good things and a couple bad things. I suggest &lt;a href="http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly"&gt;reading this article by the EFF&lt;/a&gt; for a good breakdown on the new changes. Sadly, your friends still have some bearing over how your information is used. In my opinion, Applications still get way too much leeway on what personal information they are able to see, collect, and use.&lt;br /&gt;&lt;br /&gt;To maximize your privacy, I suggest the following changes. 
This guide should walk you through each screen and make sure you don't miss anything important.&lt;br /&gt;&lt;br /&gt;The basic Privacy Settings screen looks like this:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Sznqo_g1_aM/SyAHuwdUjJI/AAAAAAAAABE/BsyIjcyPFQY/s1600-h/ScreenHunter_01+Dec.+09+14.22.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 245px;" src="http://2.bp.blogspot.com/_Sznqo_g1_aM/SyAHuwdUjJI/AAAAAAAAABE/BsyIjcyPFQY/s400/ScreenHunter_01+Dec.+09+14.22.jpg" alt="" id="BLOGGER_PHOTO_ID_5413335251962596498" border="0" /&gt;&lt;/a&gt;Start with the first group, &lt;span style="font-weight: bold;"&gt;Profile Information&lt;/span&gt;. There are several settings to update and every choice within this group should be set to "Friends Only". You'll have to click the Edit Settings button for Photo Albums and set each album to "Friends Only" as well.&lt;br /&gt;&lt;br /&gt;The next group is &lt;span style="font-weight: bold;"&gt;Contact Information&lt;/span&gt;. 
This is how my settings look, but you may want to adjust for your own tastes.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Sznqo_g1_aM/SyAJlZqncSI/AAAAAAAAABM/9E3UJrqUkU4/s1600-h/ScreenHunter_02+Dec.+09+14.30.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 570px; height: 287px;" src="http://3.bp.blogspot.com/_Sznqo_g1_aM/SyAJlZqncSI/AAAAAAAAABM/9E3UJrqUkU4/s400/ScreenHunter_02+Dec.+09+14.30.jpg" alt="" id="BLOGGER_PHOTO_ID_5413337290248778018" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The next group is &lt;span style="font-weight: bold;"&gt;Applications and Websites&lt;/span&gt;. The options here are:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Sznqo_g1_aM/SyALi_U8jzI/AAAAAAAAABU/q9KifZkPEyo/s1600-h/ScreenHunter_04+Dec.+09+14.40.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 104px;" src="http://2.bp.blogspot.com/_Sznqo_g1_aM/SyALi_U8jzI/AAAAAAAAABU/q9KifZkPEyo/s400/ScreenHunter_04+Dec.+09+14.40.jpg" alt="" id="BLOGGER_PHOTO_ID_5413339447842082610" border="0" /&gt;&lt;/a&gt;For "What you share", click on Learn More and you'll see an info screen. Click the link in the very last sentence or just &lt;a href="http://www.facebook.com/editapps.php"&gt;&lt;span style="text-decoration: underline;"&gt;go here&lt;/span&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Click on "Edit Settings" for each application. Change the options to "Friends Only". 
You might want to look at the "Additional Permissions" to see if the application can post to your stream.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Sznqo_g1_aM/SyANQ0km3cI/AAAAAAAAABg/vMqcFgZbF-A/s1600-h/ScreenHunter_05+Dec.+09+14.47.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 140px;" src="http://4.bp.blogspot.com/_Sznqo_g1_aM/SyANQ0km3cI/AAAAAAAAABg/vMqcFgZbF-A/s400/ScreenHunter_05+Dec.+09+14.47.jpg" alt="" id="BLOGGER_PHOTO_ID_5413341334740590018" border="0" /&gt;&lt;/a&gt;Also, on the top right of this screen there is the drop down box labeled "Show". Make sure you go through all of those screens so that you don't miss any applications.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;A quick note about Applications... make sure you delete any Applications you aren't using. Every application has access to your personal information and this really isn't a good thing. &lt;/span&gt;&lt;a style="font-style: italic;" href="http://consumerist.com/2009/11/mafia-wars-ceo-brags-about-scamming-users-from-day-one.html"&gt;Take it straight from the creator of Mafia Wars.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The next group within Applications and Websites is "What Your Friends Can Share About You". Uncheck everything and then click Save Changes.&lt;br /&gt;&lt;br /&gt;The last two sections, "Blocked Applications" and "Ignore Application Invites" probably don't need to be edited.&lt;br /&gt;&lt;br /&gt;The fourth main section is &lt;span style="font-weight: bold;"&gt;Search&lt;/span&gt;. In this section you will need to Uncheck "Allow Indexing" and set "Appear in Search Results" to "Friends of Friends" or "Friends Only". This section will help restrict the general public from finding your profile. 
Again, the point of this article and the settings presented is to protect your privacy.&lt;br /&gt;&lt;br /&gt;The last main section is &lt;span style="font-weight: bold;"&gt;Block List&lt;/span&gt; and probably doesn't need to be edited at this time.&lt;br /&gt;&lt;br /&gt;Now we've walked through the main sections to protect your privacy. This is a great first step, but as the &lt;a href="http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly"&gt;EFF article&lt;/a&gt; points out&lt;br /&gt;&lt;blockquote&gt;Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI."&lt;/blockquote&gt;To help minimize what you're sharing with the public, you'll have to change some of this info as well.&lt;br /&gt;&lt;br /&gt;To begin, click on "Edit My Profile" underneath your profile picture. Uncheck "Show my sex in my profile" and make sure the dropdown box underneath your birthday is set to "Don't show my birthday in my profile".&lt;br /&gt;&lt;br /&gt;Next find the box on the lefthand pane that shows your friends. Click on the pencil and uncheck the box that says "Show my friends on my profile".&lt;br /&gt;&lt;br /&gt;Your profile picture is displayed publicly despite your Photo Album settings. If you're not comfortable showing your picture to the world, change it to something else.&lt;br /&gt;&lt;br /&gt;The final pieces of information will have to be removed entirely if you don't want them publicly displayed. Current City, Networks, Recent Activity, and Fan Pages are all publicly available. 
I deleted everything (although I really didn't have much to begin with).&lt;br /&gt;&lt;br /&gt;To see how your new Profile looks to the public, click on Privacy Settings, Profile Information, and then Preview Profile. If there is any information displayed that you don't want, go back through the settings and remove it. Again, some things must be manually deleted.&lt;br /&gt;&lt;br /&gt;After following these steps, the only information I have publicly displayed is my name, my fake profile picture, and one &lt;a href="http://www.facebook.com/pages/Continuum-Worldwide/186513690763"&gt;Fan Page&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Sznqo_g1_aM/SyAc0rzLNsI/AAAAAAAAAB4/sabDHPKyaJA/s1600-h/ScreenHunter_07+Dec.+09+15.54.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 241px;" src="http://4.bp.blogspot.com/_Sznqo_g1_aM/SyAc0rzLNsI/AAAAAAAAAB4/sabDHPKyaJA/s400/ScreenHunter_07+Dec.+09+15.54.jpg" alt="" id="BLOGGER_PHOTO_ID_5413358443535480514" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Good luck changing your settings. If there was something I missed, please let me know in the comments. 
If you have trouble changing a setting, let me know that as well and I'll try to help you out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-3812367233527499373?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/DJneCcvKh3c" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/3812367233527499373/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/12/guide-to-changing-your-facebook-privacy.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/3812367233527499373?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/3812367233527499373?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/DJneCcvKh3c/guide-to-changing-your-facebook-privacy.html" title="Guide to Changing Your Facebook Privacy Options" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Sznqo_g1_aM/SyAHuwdUjJI/AAAAAAAAABE/BsyIjcyPFQY/s72-c/ScreenHunter_01+Dec.+09+14.22.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/12/guide-to-changing-your-facebook-privacy.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUINQXs6fCp7ImA9WxNVGUw.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-1391493776976228766</id><published>2009-10-30T10:44:00.002-05:00</published><updated>2009-10-30T10:46:30.514-05:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2009-10-30T10:46:30.514-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="news" /><category scheme="http://www.blogger.com/atom/ns#" term="interview" /><category scheme="http://www.blogger.com/atom/ns#" term="facebook" /><title>News Story</title><content type="html">Here is a news story that Jim and I participated in on Facebook and securing your private information.&lt;br /&gt;&lt;br /&gt;http://www.wowt.com/home/headlines/67332677.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-1391493776976228766?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/WITqBR9vzfo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/1391493776976228766/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/10/news-story.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/1391493776976228766?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/1391493776976228766?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/WITqBR9vzfo/news-story.html" title="News Story" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/10/news-story.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DU8ARX48cSp7ImA9WxNVE08.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-4551648670107157807</id><published>2009-10-23T14:23:00.003-05:00</published><updated>2009-10-23T14:57:24.079-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-23T14:57:24.079-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="facebook" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Facebook Security - Relying on Friends</title><content type="html">&lt;a href="http://www.readwriteweb.com/archives/how_safe_are_facebook_applications.php"&gt;Another article&lt;/a&gt; came along regarding Facebook security and hijacked applications. What I found most interesting was this quote:&lt;br /&gt;&lt;blockquote&gt;On top of all these security issues, in August many Facebook users were surprised to discover &lt;a href="http://www.readwriteweb.com/archives/what_facebook_quizzes_know_about_you.php"&gt;the vast amounts of personal information they were revealing by their use of Facebook quizzes&lt;/a&gt;. Even if you limit access to your profile through privacy settings, Facebook quiz applications can see everything on your profile page when you take a quiz...or even when your friend takes one. To make matters worse, Facebook does not screen developers for trustworthiness &lt;a href="http://www.readwriteweb.com/archives/does_that_facebook_app_have_a_privacy_policy_probably_not.php"&gt;nor do they require developers to comply with a privacy policy&lt;/a&gt;.&lt;/blockquote&gt;&lt;span style="font-style: italic;"&gt;"&lt;span style="font-weight: bold;"&gt;...or even when your friend takes one&lt;/span&gt;.&lt;/span&gt;" I've always thought that it's kind of shady that quizzes and applications can access my friends' personal data. I shy away from the apps and quizzes for this specific reason. But, are my friends providing me the same courtesy? 
By being on Facebook, am I putting my personal information security in my friends' hands? Facebook has done better with increased privacy settings, and hopefully users have changed those settings to be more restrictive.&lt;br /&gt;&lt;br /&gt;If I was a malicious user, I would absolutely create as many quizzes as I could that would take advantage of the automatic data mining capabilities of Facebook.&lt;br /&gt;&lt;br /&gt;It seems like a recurring theme on this blog lately, but be careful of what you post online.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-4551648670107157807?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/hUKRg-iBss0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/4551648670107157807/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/10/facebook-security-relying-on-friends.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/4551648670107157807?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/4551648670107157807?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/hUKRg-iBss0/facebook-security-relying-on-friends.html" title="Facebook Security - Relying on Friends" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/10/facebook-security-relying-on-friends.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CU4BRHg9eSp7ImA9WxNVEEs.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-8351763003380243607</id><published>2009-10-20T13:07:00.003-05:00</published><updated>2009-10-20T13:39:15.661-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-20T13:39:15.661-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="social networking" /><category scheme="http://www.blogger.com/atom/ns#" term="links" /><title>"Bad" Social Networking Links</title><content type="html">Wow. We all know that social networking can be "bad". Here are a few recent articles.&lt;a href="http://www.wired.com/dangerroom/2009/10/exclusive-us-spies-buy-stake-in-twitter-blog-monitoring-firm/"&gt;&lt;br /&gt;&lt;/a&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.wired.com/dangerroom/2009/10/exclusive-us-spies-buy-stake-in-twitter-blog-monitoring-firm/"&gt;Exclusive: U.S. Spies Buy Stake in Firm That Monitors Blogs, Tweets&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.net-security.org/article.php?id=1324"&gt;How Social Networking Can Hurt You&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.computerworld.com/s/article/343900/How_Hackers_Find_Your_Weak_Spots?source=rss_security"&gt;How Hackers Find Your Weak Spots&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.computerworld.com/s/article/343290/Your_Own_Worst_Enemy?source=rss_security"&gt;Opinion: Twitter, Facebook Security Depends on Vigilant Developers, Sensible Users&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://voices.washingtonpost.com/securityfix/2009/10/hacked_facebook_apps_lead_to_m.html?wprss=securityfix"&gt;Researcher: Hackers Hijack Some Facebook Apps&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cnn.com/2009/CRIME/10/19/social.networking.crimes/index.html"&gt;Facebook, Twitter users beware: Crooks are a mouse click away&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a 
href="http://www.cnn.com/2009/TECH/science/10/13/social.networking.class/index.html"&gt;Does your social class determine your online social network?&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-8351763003380243607?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/Ketlor-En-Q" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/8351763003380243607/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/10/bad-social-networking-links.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/8351763003380243607?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/8351763003380243607?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/Ketlor-En-Q/bad-social-networking-links.html" title="&quot;Bad&quot; Social Networking Links" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/10/bad-social-networking-links.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkENSXw-eyp7ImA9WxNWGEQ.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-156999035817215930</id><published>2009-10-18T15:03:00.004-05:00</published><updated>2009-10-18T15:44:58.253-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-18T15:44:58.253-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="social engineering" /><category 
scheme="http://www.blogger.com/atom/ns#" term="interview" /><title>Interview and Interrogation - Balloon Boy</title><content type="html">Stan B. Walters is well known as "The Lie Guy". He gets a fair amount of press and I've attended his Kinesic Interview and Interrogation course. Stan often uses current events to illustrate his techniques and talking points. In his &lt;a href="http://www.thelieguyblog.com/my_weblog/2009/10/balloon-boy-reading-the-signs-of-deception.html"&gt;most recent blog post&lt;/a&gt;, he takes on the "Balloon Boy" family.&lt;br /&gt;&lt;br /&gt;We now know that the &lt;a href="http://www.cnn.com/2009/US/10/18/colorado.balloon.investigation/index.html"&gt;balloon stunt was a hoax&lt;/a&gt;. Stan mentions that "it all came down to the verbal and nonverbal cues of deception generated by the Heenes." Unfortunately, he doesn't go into any detail on what he thinks those cues were. However, there are a few listed in the CNN article linked above.&lt;br /&gt;&lt;br /&gt;Stan talks about narrative based interviews as a way of gathering information. You can learn a lot from just listening to someone talk and watching their body language. He also mentions that the interviewer needs to be aware of what signals they are giving back to the interviewee. 
These are a lot of the same points I tried to make in the &lt;a href="http://www.social-engineer.org/framework/Podcast/001_-_Interrogation_and_Interview_Tactics"&gt;Social Engineering Podcast&lt;/a&gt; and Stan's post is a good read.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-156999035817215930?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/WAh_M3sf1JE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/156999035817215930/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/10/interview-and-interrogation-balloon-boy.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/156999035817215930?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/156999035817215930?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/WAh_M3sf1JE/interview-and-interrogation-balloon-boy.html" title="Interview and Interrogation - Balloon Boy" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/10/interview-and-interrogation-balloon-boy.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04BQHo5cCp7ImA9WxNWFEk.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-3886271635774504100</id><published>2009-10-13T09:51:00.003-05:00</published><updated>2009-10-13T09:59:11.428-05:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2009-10-13T09:59:11.428-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="cell phone forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="cellebrite" /><title>Cellebrite Gets Early Info</title><content type="html">I've been waiting for an Android phone to hit Verizon for a while, so I've been following some mobile phone blogs. &lt;a href="http://www.boygeniusreport.com/2009/10/13/verizon-employees-see-the-motorola-sholes-and-calgary-emerge-in-internal-tools/"&gt;This post&lt;/a&gt; from Boy Genius Report was interesting to me on the cell phone forensics front.&lt;br /&gt;&lt;br /&gt;One of Cellebrite's selling points for forensic use is that they often get previews of new devices in order to get their units up to speed for use in the carrier's stores. The photos in the BGR post (if real) certainly give some credibility to that statement. I wonder if other cell forensic suites get similar updates.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-3886271635774504100?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/9EA6JjLr2XU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/3886271635774504100/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/10/cellebrite-gets-early-info.html#comment-form" title="9 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/3886271635774504100?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/3886271635774504100?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/9EA6JjLr2XU/cellebrite-gets-early-info.html" 
title="Cellebrite Gets Early Info" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>9</thr:total><feedburner:origLink>http://www.binint.com/2009/10/cellebrite-gets-early-info.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkEBR3w4fSp7ImA9WxNXF0k.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-5874350645826220935</id><published>2009-10-04T08:18:00.005-05:00</published><updated>2009-10-05T08:17:36.235-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-05T08:17:36.235-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="social engineering" /><category scheme="http://www.blogger.com/atom/ns#" term="interview" /><category scheme="http://www.blogger.com/atom/ns#" term="podcast" /><title>Social Engineer Interview Podcast</title><content type="html">I mentioned a few posts back that I've been helping contribute content over at Social-Engineer.org. Today they released their &lt;a href="http://www.social-engineer.org/framework/Podcast/001_-_Interrogation_and_Interview_Tactics"&gt;first podcast&lt;/a&gt; and I was lucky enough to be the interview guest. The podcast builds on &lt;a href="http://www.binint.com/2008/12/successful-interview-tips.html"&gt;this post&lt;/a&gt; I did a while back about interviewing techniques.&lt;br /&gt;&lt;br /&gt;I think the podcast presents some useful information. Even though the topic is interrogation, pieces of the conversation should be useful in everyday interaction.&lt;br /&gt;&lt;br /&gt;Give it a listen and let me know what you think. 
If you RSS and don't want to come back here to leave comments, hit me up on Twitter &lt;a href="http://www.twitter.com/_remnant_"&gt;@_remnant_&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;Thanks to everyone over at Social-Engineer.org for making a great site and some fun times.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-5874350645826220935?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/aafbdWqa6B8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/5874350645826220935/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/10/social-engineer-interview-podcast.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/5874350645826220935?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/5874350645826220935?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/aafbdWqa6B8/social-engineer-interview-podcast.html" title="Social Engineer Interview Podcast" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/10/social-engineer-interview-podcast.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEEFSXc-fyp7ImA9WxNQFks.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-6377914945210617876</id><published>2009-09-22T18:31:00.004-05:00</published><updated>2009-09-22T18:36:58.957-05:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2009-09-22T18:36:58.957-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="ftk" /><category scheme="http://www.blogger.com/atom/ns#" term="4cast" /><category scheme="http://www.blogger.com/atom/ns#" term="review" /><title>FTK3 Review</title><content type="html">For those forensic folk that may not have seen this, I did a review of FTK3 for the good folks over at Forensic 4Cast. Check it out here, &lt;a href="http://4cast.whitfields.org/?p=438"&gt;http://4cast.whitfields.org/?p=438&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Also, follow the 4Cast guys on Twitter at &lt;a href="http://twitter.com/Schizophreud"&gt;@Schizophreud&lt;/a&gt; and &lt;a href="http://twitter.com/englishgit"&gt;@englishgit&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-6377914945210617876?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/44G4Hj--dIk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/6377914945210617876/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/09/ftk3-review.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/6377914945210617876?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/6377914945210617876?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/44G4Hj--dIk/ftk3-review.html" title="FTK3 Review" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty 
name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/09/ftk3-review.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0cNQn8zcSp7ImA9WxNQFUU.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-1358335405564009350</id><published>2009-09-20T21:32:00.014-05:00</published><updated>2009-09-21T19:58:13.189-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-21T19:58:13.189-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Twitter" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Burglary by the Tweets</title><content type="html">It's not hard to look around and see that people are posting way too much personal information online. There are tons of &lt;a href="http://www.mindhacks.com/blog/2009/09/connected_by_threads.html"&gt;articles&lt;/a&gt; &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=Security&amp;amp;articleId=9125058&amp;amp;taxonomyId=17&amp;amp;pageNumber=1"&gt;about it&lt;/a&gt; and now we can even &lt;a href="http://yro.slashdot.org/story/09/09/20/1753254/MIT-Project-Gaydar-Shakes-Privacy-Assumpitons?from=rss"&gt;find out if you're gay or straight&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Most of the information seems harmless and a lot of people don't care if others know about their personal lives. But how much trouble can it get you into? One couple thinks their &lt;a href="http://news.cnet.com/8301-1009_3-10260183-83.html"&gt;Twitt&lt;/a&gt;&lt;a href="http://news.cnet.com/8301-1009_3-10260183-83.html"&gt;er posts &lt;/a&gt;&lt;a href="http://news.cnet.com/8301-1009_3-10260183-83.html"&gt;led to their burglary&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Is it that easy?! Let's find out...&lt;br /&gt;&lt;br /&gt;Chirpcity.com lets you search tweets by location. 
I chose a random city from the list and then searched for all tweets mentioning "vacation".&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Sznqo_g1_aM/SreEqRPT6mI/AAAAAAAAAA8/pHD1gHUsZ7U/s1600-h/search1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 461px; height: 187px;" src="http://2.bp.blogspot.com/_Sznqo_g1_aM/SreEqRPT6mI/AAAAAAAAAA8/pHD1gHUsZ7U/s400/search1.jpg" alt="" id="BLOGGER_PHOTO_ID_5383917741261711970" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;How lucky that the first result includes a potential victim. I don't want to get a real person in trouble here and create a ready-made victim, so I'm blocking out all identifying information. Plus, I don't think this person is actually going to be gone for five weeks during the school year as their Twitter feed also says they're a student. See how quickly we can learn about someone?&lt;br /&gt;&lt;br /&gt;Ok, so let's go look at their Twitter profile.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Sznqo_g1_aM/SreCkhJaFSI/AAAAAAAAAA0/QcUFJsFJycM/s1600-h/search2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 480px; height: 252px;" src="http://2.bp.blogspot.com/_Sznqo_g1_aM/SreCkhJaFSI/AAAAAAAAAA0/QcUFJsFJycM/s400/search2.jpg" alt="" id="BLOGGER_PHOTO_ID_5383915443429446946" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Now we're getting somewhere. Our second webpage gave us their last name and website address. If we wanted to learn more we could check out their webpage to hopefully see what kind of stuff they might have we could steal. Now we just need to find out where they live. 
Cue Zabasearch.com!&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Sznqo_g1_aM/SreB4-4uO3I/AAAAAAAAAAs/GUuX0d_Zjbk/s1600-h/search3.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 480px; height: 84px;" src="http://3.bp.blogspot.com/_Sznqo_g1_aM/SreB4-4uO3I/AAAAAAAAAAs/GUuX0d_Zjbk/s400/search3.jpg" alt="" id="BLOGGER_PHOTO_ID_5383914695498283890" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This was the most recent entry for this person. I blacked out all the personal info so it doesn't look like much, but I now have a middle initial and possible address. I guess I could double check with other &lt;a href="http://lifehacker.com/software/feature/how-to-track-down-anyone-online-329033.php"&gt;people searching sites&lt;/a&gt;. For a low monthly fee I could even  subscribe to a data mining site and have instant information that includes much more than this!&lt;br /&gt;&lt;br /&gt;Using free resources and five minutes of my time I located a potential victim and her address. I suppose it would be worth it to spend another 30 minutes and drive by the address to scope it out. Of course, if I really was a criminal I would have found multiple victims to go check out.&lt;br /&gt;&lt;br /&gt;I guess it really is that easy. 
Be careful everybody!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-1358335405564009350?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/QogSkafskdY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/1358335405564009350/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/09/burglary-by-tweets.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/1358335405564009350?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/1358335405564009350?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/QogSkafskdY/burglary-by-tweets.html" title="Burglary by the Tweets" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Sznqo_g1_aM/SreEqRPT6mI/AAAAAAAAAA8/pHD1gHUsZ7U/s72-c/search1.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/09/burglary-by-tweets.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkIGQHg9eyp7ImA9WxNQEk0.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-4626464616967382076</id><published>2009-09-17T12:27:00.001-05:00</published><updated>2009-09-17T12:28:41.663-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-17T12:28:41.663-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="skype" /><category 
scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Skype Replacement?</title><content type="html">What does everyone use for instant messaging and VOIP? Skype is such a great product but has been plagued lately by some bad press.&lt;br /&gt;&lt;br /&gt;Its EULA has been &lt;a href="http://www1.cs.columbia.edu/%7Esmb/blog//2009-09/2009-09-12.html"&gt;plaguing people&lt;/a&gt; for a while and the &lt;a href="http://www.megapanzer.com/2009/09/12/detailed-article-from-an-antimalware-vendor-about-the-skypetrojan/"&gt;new trojan&lt;/a&gt; causes worries as well. With all &lt;a href="http://www.computerworld.com/s/article/9138151/Report_Skype_founders_sue_Skype?source=rss_security"&gt;the lawsuits&lt;/a&gt;, will Skype even be around in two years?&lt;br /&gt;&lt;br /&gt;Right now there seem to be more benefits than pitfalls, as communications are encrypted and it's one of the most recognizable IM/VOIP platforms.&lt;br /&gt;&lt;br /&gt;But for the future, are there any other good programs I should check out?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-4626464616967382076?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/MmoryqO-MPU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/4626464616967382076/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/09/skype-replacement.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/4626464616967382076?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/4626464616967382076?v=2" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/binint/~3/MmoryqO-MPU/skype-replacement.html" title="Skype Replacement?" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/09/skype-replacement.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUAAR30yfip7ImA9WxNQEk0.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-8380698911893066892</id><published>2009-09-17T12:11:00.003-05:00</published><updated>2009-09-17T12:15:46.396-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-17T12:15:46.396-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="backontrack" /><title>How time flies by...</title><content type="html">It looks like it's been a few months since the last post. Both Jim and I have been busy with work and other outside projects. I plan to start posting more often and get the site back on track.&lt;br /&gt;&lt;br /&gt;One of the side projects Jim and I have been involved with is www.social-engineer.org. 
We've both contributed content to the framework and plan on being active there as well.&lt;br /&gt;&lt;br /&gt;More soon...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-8380698911893066892?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/TBFTddxXXA8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/8380698911893066892/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/09/how-time-flies-by.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/8380698911893066892?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/8380698911893066892?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/TBFTddxXXA8/how-time-flies-by.html" title="How time flies by..." 
/><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/09/how-time-flies-by.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEMBRn08cSp7ImA9WxJVF04.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-1334233043454441810</id><published>2009-07-04T13:59:00.003-05:00</published><updated>2009-07-04T14:40:57.379-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-04T14:40:57.379-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ps3" /><category scheme="http://www.blogger.com/atom/ns#" term="game systems" /><category scheme="http://www.blogger.com/atom/ns#" term="encryption" /><title>PS3 Forensics and Decryption</title><content type="html">As we &lt;a href="http://www.binint.com/2009/03/ps3-forensics.html"&gt;talked previously on here before about PS3 forensics&lt;/a&gt;, I thought I would do a quick followup. There has been some advancement in the area of decrypting PS3s, though the process is not currently in a state that it could be considered a first stop for the average investigation.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The process requires a couple drives, the original PS3, and an amount of time. I will not be testing it out myself, but if anyone wants to try please leave a comment on how it works for you. 
&lt;a href="http://www.ps3news.com/forums/ps3-hdd-news/ps3-hdd-studio-2-08-available-yet-another-ps3-hdd-tool-106734.html"&gt;You can see all the details up here.&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-1334233043454441810?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/H_blfjHBAbw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/1334233043454441810/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/07/ps3-forensics-and-decryption.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/1334233043454441810?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/1334233043454441810?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/H_blfjHBAbw/ps3-forensics-and-decryption.html" title="PS3 Forensics and Decryption" /><author><name>Jim</name><uri>http://www.blogger.com/profile/17421285492719864155</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="11807970692560542255" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/07/ps3-forensics-and-decryption.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUUNQnc9eSp7ImA9WxJQF0g.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-8059802008915156127</id><published>2009-05-31T01:52:00.002-05:00</published><updated>2009-05-31T02:01:33.961-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-31T02:01:33.961-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="news" /><category 
scheme="http://www.blogger.com/atom/ns#" term="links" /><category scheme="http://www.blogger.com/atom/ns#" term="backtrack" /><title>Forensics on Backtrack 4</title><content type="html">Up at the &lt;a href="http://www.offensive-security.com/blog/"&gt;Offensive Security blog&lt;/a&gt;, we &lt;a href="http://www.offensive-security.com/blog/backtrack/backtrack-forensics/"&gt;put up a little introduction to the forensic additions to Backtrack in this new version&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I have been really enjoying the new BT, a very well put together OS. (And to think, I used to be a BSD head.) The forensic additions to it are really simple, but do the job. I tested them out quite a bit, and everything came back clean. As it is a new forensic tool, I don't suggest anyone use it until they test it out.&lt;br /&gt;&lt;br /&gt;Any problems with the forensic side are on me. Let me know if anything comes up, but I am confident that it is going to be very useful. The &lt;a href="http://www.offensive-security.com"&gt;offsec&lt;/a&gt; and &lt;a href="http://www.remote-exploit.org/"&gt;remote-exploit&lt;/a&gt; crew really put together something special here.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-8059802008915156127?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/H9KTmuFspAk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/8059802008915156127/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/05/forensics-on-backtrack-4.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/8059802008915156127?v=2" /><link rel="self" type="application/atom+xml" 
href="http://www.blogger.com/feeds/7818304882757061870/posts/default/8059802008915156127?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/H9KTmuFspAk/forensics-on-backtrack-4.html" title="Forensics on Backtrack 4" /><author><name>Jim</name><uri>http://www.blogger.com/profile/17421285492719864155</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="11807970692560542255" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/05/forensics-on-backtrack-4.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EFSHgzeip7ImA9WxJQF0w.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-3123886475917626572</id><published>2009-05-30T15:29:00.002-05:00</published><updated>2009-05-30T15:33:39.682-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-30T15:33:39.682-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="news" /><category scheme="http://www.blogger.com/atom/ns#" term="exploit" /><category scheme="http://www.blogger.com/atom/ns#" term="links" /><category scheme="http://www.blogger.com/atom/ns#" term="backtrack" /><title>Backtrack 4</title><content type="html">&lt;p&gt;&lt;a mce_href="http://hackersforcharity.org/hackers-for-charity/get-involved/#informer" href="http://hackersforcharity.org/hackers-for-charity/get-involved/#informer"&gt;Informer&lt;/a&gt; subscribers have &lt;a href="http://hackersforcharity.org/308/backtrack-4-pre-final/"&gt;access to the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Pre&lt;/span&gt;-Final version of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;BT&lt;/span&gt;4&lt;/a&gt;!&lt;/p&gt;With this install, all future updates will be released through a simple apt-get upgrade. 
So if you don't have a subscription to Informer already, get one now and you won't have to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;DL&lt;/span&gt; an updated version again.&lt;br /&gt;&lt;br /&gt;New version has an installer, forensic boot mode, etc etc. I have been using it for a bit here, and it is a great update to the older versions. There are a &lt;a href="http://www.offensive-security.com/blog/"&gt;ton of videos on how to interact with it up at the Offensive-Security blog&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-3123886475917626572?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/QbcZA_Oz7_w" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/3123886475917626572/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/05/backtrack-4.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/3123886475917626572?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/3123886475917626572?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/QbcZA_Oz7_w/backtrack-4.html" title="Backtrack 4" /><author><name>Jim</name><uri>http://www.blogger.com/profile/17421285492719864155</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="11807970692560542255" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/05/backtrack-4.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CE4NQnczfCp7ImA9WxJTGU4.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-8382679610899619257</id><published>2009-04-28T10:35:00.001-05:00</published><updated>2009-04-28T10:36:33.984-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-04-28T10:36:33.984-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="exploit" /><title>POC for Acrobat</title><content type="html">New &lt;a href="http://www.securityfocus.com/bid/34736/info"&gt;POC for Acrobat was posted&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-8382679610899619257?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/tw_mXmSvw2Y" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/8382679610899619257/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/04/poc-for-acrobat.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/8382679610899619257?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/8382679610899619257?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/tw_mXmSvw2Y/poc-for-acrobat.html" title="POC for Acrobat" /><author><name>Jim</name><uri>http://www.blogger.com/profile/17421285492719864155</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="11807970692560542255" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/04/poc-for-acrobat.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CUcFRHo-cSp7ImA9WxJTGU4.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-1020491807011382819</id><published>2009-04-28T09:34:00.004-05:00</published><updated>2009-04-28T10:36:55.459-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-04-28T10:36:55.459-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="video" /><category scheme="http://www.blogger.com/atom/ns#" term="interview" /><category scheme="http://www.blogger.com/atom/ns#" term="links" /><title>That Security Show</title><content type="html">Been very tied up the last month or so. Sorry for the lack of updates.&lt;br /&gt;&lt;br /&gt;Wanted to &lt;a href="http://blog.marcusjcarey.com/2009/04/that-security-show-johnny-long.html"&gt;share a link to an interview j0e did with Johnny Long for Marcus Carey's That Security Show&lt;/a&gt;. Really well done, and worth a watch. Everyone involved in the production of this show is top notch. I have had the pleasure of meeting them all in person at one time or another, and I can say they are all as good of people in person as they appear to be online.&lt;br /&gt;&lt;br /&gt;Take a few mins to watch the show. 
And check out &lt;a href="http://johnny.ihackstuff.com/hackers-for-charity/"&gt;Hackers for Charity&lt;/a&gt; while you are at it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-1020491807011382819?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/4dcxzhWrTNE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/1020491807011382819/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/04/that-security-show.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/1020491807011382819?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/1020491807011382819?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/4dcxzhWrTNE/that-security-show.html" title="That Security Show" /><author><name>Jim</name><uri>http://www.blogger.com/profile/17421285492719864155</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="11807970692560542255" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/04/that-security-show.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU4ESXszfSp7ImA9WxVbEUs.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-6368342760858727274</id><published>2009-03-27T10:30:00.001-05:00</published><updated>2009-03-27T10:31:48.585-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-27T10:31:48.585-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Researchers can ID anonymous Twitterers</title><content type="html">&lt;p 
class="first"&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p class="first"&gt;Web sites that strip personally identifiable information about their users and then share that data may be compromising their    users' privacy, according to researchers at the University of Texas at Austin. &lt;/p&gt; &lt;p&gt;They took a close look at the way anonymous data can be analyzed and have come to some troubling conclusions. In a &lt;a href="http://33bits.org/2009/03/19/de-anonymizing-social-networks/"&gt;paper&lt;/a&gt; set to be delivered at an upcoming security conference, they showed how they were able to map out the connections on public    social networks such as Twitter and Flickr. They were then able to identify people who were on both networks by looking at    the many connections surrounding their network of friends. The technique isn't 100 percent effective, but it may make some    users uncomfortable about whether they should allow their data to be shared in an anonymous format. &lt;/p&gt;            &lt;p&gt;Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable    information such as names, addresses or birth dates. 
Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by    analyzing these "anonymized" data sets, they could identify Flickr users who were also on Twitter about two-thirds of the    time, depending on how much information they have to work with.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.networkworld.com/news/2009/032609-researchers-can-id-anonymous.html"&gt;From NetworkWorld.com.&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-6368342760858727274?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/gPZYxUfk_eY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/6368342760858727274/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/03/researchers-can-id-anonymous-twitterers.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/6368342760858727274?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/6368342760858727274?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/gPZYxUfk_eY/researchers-can-id-anonymous-twitterers.html" title="Researchers can ID anonymous Twitterers" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/03/researchers-can-id-anonymous-twitterers.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;A0YARHw9fSp7ImA9WxVUFUw.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-2559268968524712002</id><published>2009-03-19T20:43:00.003-05:00</published><updated>2009-03-19T22:19:05.265-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-19T22:19:05.265-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="interview" /><category scheme="http://www.blogger.com/atom/ns#" term="cyber security" /><category scheme="http://www.blogger.com/atom/ns#" term="exploit" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title>No More Free Bugs</title><content type="html">&lt;a href="http://cansecwest.com/"&gt;CanSecWest&lt;/a&gt; is currently going on, and I am not there. No complaints however, as I am finishing up a week long training class in &lt;a href="http://www.x-ways.net/forensics/"&gt;X-Ways Forensics&lt;/a&gt;. (Verdict: top notch. Check out the program.)&lt;br /&gt;&lt;br /&gt;Catching up on the news tonight, I found these quotes &lt;a href="http://blogs.zdnet.com/security/?p=2941"&gt;from an interview with Charlie Miller&lt;/a&gt; (winner of the &lt;a href="http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008"&gt;PWN to OWN&lt;/a&gt; contest against OS X) very interesting:&lt;br /&gt;&lt;p&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Did you consider reporting the vulnerability to Apple?&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away.  Apple pays people to do the same job so we know there’s value to this work. &lt;em&gt;No more free bugs&lt;/em&gt;.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;I have heard this rumbled about for a while. 
There is no disputing that there is a market for bugs, and it is sort of refreshing to hear someone be upfront about their reasons for finding bugs. A lot of people like to pretend that this work is done for "the good of the community". Really, there are a few reasons white hats find the bugs: a) to keep them private to add value to their pentests, b) to release to the public to show off their skillz and c) to sell.&lt;br /&gt;&lt;br /&gt;I don't see any shame in that. Why should companies like Apple, MS, etc. expect customers to do their work for them? What is the value?&lt;br /&gt;&lt;p&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;You talked earlier about the value of vulnerabilities.  Was it a surprise that he (Nils) basically gave up three “high-value” bugs for $5,000 each?&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;It’s clear he’s incredibly talented.  I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs.  I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability.  I’d say $50,000 is a low-end price point.&lt;/p&gt; &lt;p&gt;For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs.  With the way they’re paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The other thing that jumped out at me was some of the comments about targeting Macs.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Why Safari?  Why didn’t you go after IE or Safari?&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;It’s really simple. Safari on the Mac is easier to exploit.  
The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt; &lt;p&gt;Take that quote, combine it with some &lt;a href="http://securityblog.verizonbusiness.com/2009/03/12/whats-with-all-the-glowing-apples/"&gt;recent commentary about the number of security professionals using Macs&lt;/a&gt;, and with &lt;a href="http://trac.metasploit.com/changeset/6353"&gt;meterpreter now being ported to the Mac&lt;/a&gt; (complete with the ability to take pics with built-in iSight cameras), and times might get interesting. Going back to my above statement about one of the main reasons for tracking down bugs being to show off your skillz, it makes one wonder how many infosec people one could bag at a con...&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-2559268968524712002?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/d4SKeV0xuEA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/2559268968524712002/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/03/no-more-free-bugs.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/2559268968524712002?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/2559268968524712002?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/d4SKeV0xuEA/no-more-free-bugs.html" title="No More Free Bugs" 
/><author><name>Jim</name><uri>http://www.blogger.com/profile/17421285492719864155</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="11807970692560542255" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/03/no-more-free-bugs.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C08NQ3k4eCp7ImA9WxVUFUw.&quot;"><id>tag:blogger.com,1999:blog-7818304882757061870.post-6006126733290614633</id><published>2009-03-19T20:13:00.002-05:00</published><updated>2009-03-19T20:18:12.730-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-19T20:18:12.730-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="funny" /><title>When Forensics Bites Back</title><content type="html">This story is kind of funny, but kind of sad.&lt;br /&gt;&lt;blockquote&gt;MARCH 18--Meet Michelle Owen. Concerned that an ex-boyfriend had used her laptop to search for child pornography, the Indiana woman asked police to search the computer for illegal images, but had her plan backfire when cops discovered two videos of her engaged in illicit acts with a dog. Owen, 24, was charged last week with two felony bestiality counts in connection with the video files, which a detective found in the laptop's "recycle bin." At the time Owen asked cops to search the computer, she was locked up in the Johnson County Jail on a public intoxication charge (which violated the terms of her release in a prior drunk driving case). According to a &lt;a href="http://www.thesmokinggun.com/archive/years/2009/0318091dog2.html"&gt;police affidavit&lt;/a&gt;, a copy of which &lt;a href="http://www.thesmokinggun.com/archive/years/2009/0318091dog2.html"&gt;you'll find here&lt;/a&gt;, a cop told Owen that he had found videos of her on the laptop and asked if she "knew what those files might be." 
Owen, pictured in the below mug shot, replied, "The one with the dog." Cops believe that the dog in question, Toby, is a beagle. After asking if she was "going to be charged with this," Owen said that the videos "were just something she did when she was drunk and barely remembers it," adding that she tried to "delete them the next day when she was sober."&lt;/blockquote&gt;&lt;a href="http://www.thesmokinggun.com/archive/years/2009/0318091dog1.html"&gt;From TheSmokingGun.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7818304882757061870-6006126733290614633?l=www.binint.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/binint/~4/vowIkNrQQoo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.binint.com/feeds/6006126733290614633/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.binint.com/2009/03/when-forensics-bites-back.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/6006126733290614633?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7818304882757061870/posts/default/6006126733290614633?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/binint/~3/vowIkNrQQoo/when-forensics-bites-back.html" title="When Forensics Bites Back" /><author><name>Matt C</name><uri>http://www.blogger.com/profile/07830283432031455955</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="01684713573506643708" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.binint.com/2009/03/when-forensics-bites-back.html</feedburner:origLink></entry></feed>
