NGDC Insider Threat and Unauthorized Surveillance Investigation Report

A kernel-level keylogger (LogKext) is running as root on Tracy's MacBook Air (Tracys-MacBook-Air.local). The keylogger captures all keystrokes from users 'tracysumtwelve' and 'terrysumtwelve'. Logs are automatically emailed via Postfix (running as root, userid 0) to joe.sum.twelve@gmail.com with subject "Logfile" at regular intervals. First observed daemon startup: "LogKext Daemon starting up : Thu Jun 28 15:41:39 2012". The emails originate from the MacBook Air's IPv6 addresses on the 2600:1003::/32 prefix. This represents unauthorized surveillance of Tracy and her daughter Terry.

Key evidence from email headers:
- From: root@Tracys-MacBook-Air.local (System Administrator)
- To: joe.sum.twelve@gmail.com
- Subject: Logfile
- Sent via Postfix from userid 0 (root)

Keylogger data shows Tracy (tracysumtwelve) created an encrypted ZIP file of confidential documents related to a rare stamp collection exhibit at the National Gallery DC (NGDC) on July 9, 2012. The keystrokes captured show:

Terminal commands typed:

ls
cd Documents
ls
zip -e documents.zip Sta[mps] Ins[urance]

Password used for encryption: "Hercules" (typed twice for confirmation)

Tracy then emailed the encrypted documents to coralbluetwo@hotmail.com (Coral/Perry) with the message: "Hey Perry, here are those documents I talked to you about. The password is your old dog's name." - confirming the ZIP password is "Hercules" (Perry/Coral's old dog's name).

Earlier keylogger entries show Tracy and Coral/Perry discussing finding valuable items at NGDC to exploit for financial gain. Tracy mentioned a rare stamp collection coming to the gallery and called it "our ticket."

Tracy's external USB drive (exFAT, volume "External") contains a directory "NGDC things" with confidential National Gallery DC documents:
- Stamp insurance 1.pdf (inode 268646403)
- Stamp Insurance 2.pdf (inode 268646407)
- Stamp insurance 3.pdf (inode 268646411)
- securityrotation.pdf (inode 268646415) — security guard rotation schedule
- NGDC_blank.doc (inode 268646419) — blank NGDC letterhead template

Additionally, deleted copies of these files exist at the root level of the drive (inodes 3108, 3112, 3116, 3120, marked with * in fls output), along with a deleted "NGDC letterhead" directory (inode 3124). This indicates Tracy first copied files to the drive root, then reorganized them into the "NGDC things" folder.

The securityrotation.pdf is particularly concerning as it would reveal when security guards change shifts — critical intelligence for planning a physical theft of the stamp collection.

Bulk extractor recovered email metadata from Tracy's MacBook Air showing an email sent from tracysumtwelve@gmail.com to coralbluetwo@hotmail.com with subject "things" and attachment "public.zip". The email is stored in the Sent Messages mbox at:
Users/tracysumtwelve/Library/Mail/V2/IMAP-tracysumtwelve@imap.gmail.com/Sent Messages.mbox/

The attachment contained a "docs" directory with the stamp insurance PDFs. There are also draft versions of this email found at the Drafts location, suggesting Tracy composed it before sending.

Additionally, documents.zip was found in Tracy's Trash (inode 430246), along with "Stamp insurance 1 2.pdf" and "Stamp insurance 1.pdf.zip" — evidence of Tracy cleaning up after exfiltration. The original documents exist in Users/tracysumtwelve/Documents/docs/ and Users/tracysumtwelve/Documents/docs 2/.

The keylogger confirms the ZIP password is "Hercules" (Perry/Coral's old dog's name).

Joe (joesumtwelve) installed the LogKext kernel-level keylogger on Tracy's MacBook Air. Evidence:

1. Deleted user account: Users/joesumtwelve (Deleted) — Joe had an active user account on the MacBook Air that was subsequently deleted to cover tracks.

2. Browser history showing research: Joe's Safari cache contains search history for "logkext minmeg" at:
   Users/joesumtwelve (Deleted)/Library/Caches/Metadata/Safari/History/

3. Full LogKext installation found on the system:

4. System/Library/Extensions/logKext.kext/ (kernel extension)
5. Library/LaunchDaemons/logKext.plist (persistence via LaunchDaemon)
6. Library/Application Support/logKext/ (support files including logKextKeyGen, logKextKeymap.plist)
7. private/var/root/Library/Preferences/com.fsb.logKext.plist (configuration)

8. Installation receipts at private/var/db/receipts/com.fsb.logkext.*.pkg (logkext, logkextclient, logkextdaemon, logkextExt, logkextkeygen, logkextkeymap, logkextReadme, logkextuninstall)

9. Automated exfiltration: Keylogger configured to email logs via Postfix (root) to joe.sum.twelve@gmail.com every ~3 hours.

Joe likely installed the keylogger to monitor Tracy's activities, possibly related to their personal/divorce situation (divorcerates.doc found in Tracy's Documents).

Within minutes of receiving the stolen NGDC documents from Tracy, Coral (coralbluetwo@hotmail.com) forwarded them to Perry Patsum (perrypatsum@yahoo.com) with subject "Some things for you."

Email recovered from Carry's tablet (which contains Coral's Thunderbird email client configuration):
- From: Coral coralbluetwo@hotmail.com
- To: Perry Patsum perrypatsum@yahoo.com
- Subject: Some things for you
- Date: Mon, 09 Jul 2012 10:22:17 -0700 (1:22 PM EDT)
- Message-ID: 4FFB1349.70506@hotmail.com

Timeline:
1. Tracy created encrypted ZIP of stamp insurance documents on MacBook Air ~9:22 AM EDT on July 9
2. Tracy emailed the ZIP to coralbluetwo@hotmail.com with subject "things" ~1:01 PM EDT
3. Coral forwarded to Perry Patsum at 1:22 PM EDT — approximately 20 minutes later

This confirms a three-person conspiracy: Tracy (insider at NGDC) → Coral/Carry (intermediary) → Perry Patsum (end recipient). The stolen documents include stamp insurance valuations and security guard rotation schedules.

Search history recovered from Tracy's MacBook Air (from Joe's deleted user account and system-wide browser caches) shows extensive research into the LogKext keylogger:

1. "what does minmeg do logkext" — searched 66 times (most frequent query on the system)
2. "logkext minmeg" — searched 36 times
3. "what does minimum megs do logkext" — searched 24 times
4. "logkext" — searched 7 times
5. Multiple cached pages from logkext.googlecode.com (source code review)
6. Visited logKextClient.cpp source code directly

Most critically:
- "is it ok to keylog children" — searched 7 times, showing Joe was aware of the legal/ethical implications and was also monitoring his daughter Terry
- "mac mail and crontab daughter" — Joe set up automated emailing of keylogger data via crontab

Other searches of interest:
- "Prufrock Preparatory tuition" — Terry's school, showing Joe's concern about tuition costs (matching Tracy's conversations)
- "buick" — appears in multiple searches

Joe clearly planned, researched, installed, and configured the LogKext keylogger to monitor both Tracy and their daughter Terry on the shared MacBook Air, then configured Postfix/crontab to automatically email the logs to joe.sum.twelve@gmail.com.

Keylogger data from July 10, 2012 shows Tracy offering to help someone (likely Coral/Carry) bring a tablet device past NGDC security and gain access to view exhibits:

"I can definitely help get your tablet in. Our security guards can be pretty ridiculous sometimes! When would you want to get in and take a look around?"

This suggests Tracy is facilitating unauthorized or improperly authorized physical access to the gallery for her co-conspirator to case the stamp exhibit. Combined with the document exfiltration, this indicates planning for potential theft of the rare stamp collection.

An email recovered from Carry's tablet reveals a wider conspiracy network beyond Tracy and Coral:

Email details:
- From: Pat TeeSumTwelve patsumtwelve@gmail.com
- To: throne1966@hotmail.com (addressed as "King")
- CC: coralbluetwo@hotmail.com (Coral/Carry)
- Subject: "can't pass up"
- Date: Fri, 6 Jul 2012 11:49:31 -0400

This email, with subject "can't pass up," was sent just days before Tracy exfiltrated the stamp insurance documents (July 9). It establishes that Pat, King, and Coral/Carry were communicating about an opportunity that was too good to pass up — consistent with the stamp exhibit theft conspiracy.

Keylogger data also shows Tracy typed "throne1966@hotmail.com...King, first..." — indicating Tracy was also in contact with King.

Identity network:
- Tracy Sumtwelve (tracysumtwelve@gmail.com) — NGDC insider
- Carry "Coral" Carsumtwotwelve (cat2welve@gmail.com, coralbluetwo@hotmail.com) — intermediary
- Pat TeeSumTwelve (patsumtwelve@gmail.com) — conspirator, possibly Tracy's relative
- Perry Patsum (perrypatsum@yahoo.com) — received forwarded documents from Coral
- "King" (throne1966@hotmail.com) — recipient of "can't pass up" email

Multiple evidence sources establish Tracy's financial desperation as the motive for the NGDC document theft:

1. Keylogger captured searches: "private school tuition help", "financial advisor washington dc", "private school financial aid", "best alternative to private school"
2. Email to Joe: Tracy emailed joe.sum.twelve@gmail.com asking for help with Terry's tuition at Prufrock Preparatory: "is there any way you would be willing to help me out with her tuition for this year?"
3. divorcerates.doc: Found in Tracy's Documents folder, suggesting ongoing divorce proceedings
4. Keylogger email (June 29): Tracy wrote to Coral: "If anything comes up around the office that we can maybe... get in on... please lets try to do so. Kiddo is getting really bent out of shape about possibly having to switch schools."
5. July 2 keylogger: Tracy called the stamp exhibit "our ticket" after learning about its value
6. Terry's own awareness: Terry (terrysumtwelve) searched "how to help your parents with private school" and "help parents afford private school"

The financial pressure from private school tuition and divorce costs directly motivated Tracy to steal confidential NGDC documents about the valuable stamp exhibit.

Tracy's external USB drive contains a VM.vmdk (virtual machine disk) at the root level alongside the stolen NGDC documents. The presence of a virtual machine on a portable drive used for transporting stolen documents between home and work raises concerns about:
1. Potential use for covert activities that leave no trace on the host OS
2. Possible encryption or additional document staging
3. Bypassing workplace security monitoring

The VM.vmdk file coexists with the "NGDC things" directory containing stolen stamp insurance documents and security rotation schedules. The external drive (exFAT formatted, volume "External") was used to transport data between Tracy's home computer and work computer according to the evidence README.

Network packet captures from the NGDC interior network (SSL-stripping middleman) captured on July 6, 9, and 10 reveal workstation activity:

1. 192.168.1.101 (interior IP, maps to 10.10.1.169 exterior):
2. Accessed mail.google.com on July 10 at 15:13:00 UTC (11:13 AM EDT)
3. Connected to outlook.com (pod51018.outlook.com) on July 10 at 15:12:45 UTC
4. Browsed www.louvre.fr and Wikipedia's Palais du Louvre article on July 6

5. Searched Google for "gmail" on July 10

6. 192.168.1.100 (separate workstation):

7. Windows Update traffic
8. Microsoft Watson error reporting (ASUSTeK EB1012P)

The combination of Gmail and Outlook/Hotmail access from the same workstation during work hours is consistent with Tracy accessing both her personal Gmail (tracysumtwelve@gmail.com) and potentially Coral's Hotmail (coralbluetwo@hotmail.com) to coordinate the document exfiltration. The Louvre browsing suggests research into museum operations.