Computer Forensics Infosec Pro Guide


Uploaded by susan on 2024-01-03


Ch 13 Stealing Information, updated 4-20-15. Topics: how to look for patterns and identify artifacts; how to determine where the data went; how to detect which data has been taken on external devices. ID: 1038211




Presentation Transcript

1. Computer Forensics: Infosec Pro Guide, Ch 13: Stealing Information (updated 4-20-15)

2. Topics
How to look for patterns and identify artifacts
How to determine where the data went
How to detect which data has been taken on external devices

3. Stealing Information
Theft of corporate information by a (soon-to-be) ex-employee

4. How to look for patterns and identify artifacts

5. What Are We Looking For?
Evidence of an employee stealing: correspondence, customer contacts, drawings, contracts, spreadsheets, emails, source code, or other company-owned information

6. Patterns
Increase in user access to files: a large number of files accessed in a single day, perhaps another set the day after.
Files copied to removable storage (USB, FireWire, eSATA, etc.), or uploaded to file hosting or webmail sites.
If email is used, it won't be the corporate email; it will be Yahoo! mail, Gmail, Hotmail, etc.

7. Email Artifacts
Most suspects believe that webmail leaves no trace on their computer.
Commercial forensic tools have webmail analysis and carving features.
Search the drive image for the headers used by popular webmail systems, across active HTML files and deleted files.

8. AJAX (Asynchronous JavaScript and XML) and JSON (JavaScript Object Notation)
Can update just part of a page at a time.
Used in almost all Web 2.0 applications.
Less email can be recovered, because artifacts are rewritten more quickly.

9. Artifacts and What They Tell You
Webmail: whether the suspect was sending attachments from the suspect's computer through a personal email account.
LNK Files (Recent Items): the suspect was accessing files copied onto another drive.
Shellbags: what other directories exist on the other drives identified from the LNK files.

10. Artifacts and What They Tell You
USBSTOR Registry Key: make, model and serial number of an external storage device, and when it was last plugged in.
Setupapi Logs: the first time a storage device was plugged in.
Log Fragments: text fragments in partially overwritten logs; activity showing what the suspect was taking.
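As an added example (not code from the slides or the book): a small Python parser that pulls the first installation time of each USBSTOR device out of setupapi.dev.log text, which is the "first time plugged in" artifact named above. The sample log lines are constructed; the line layout assumed here (a ">>>  [Device Install ... - <device instance id>]" header followed by a ">>>  Section start <date time>" line) follows the real Windows log format, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the layout of Windows' setupapi.dev.log (assumed format: a
# ">>>  [Device Install ... - <device instance id>]" header, then a
# ">>>  Section start YYYY/MM/DD HH:MM:SS.mmm" line, then a matching "<<<  Section end").
# The first section is the USB hub-level device; the USBSTOR sections are the storage device.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0951&PID_1666\\0019E06B3C9F]
>>>  Section start 2015/04/20 10:57:03.120
     dvi: {Build Driver List} 10:57:03.130
<<<  Section end 2015/04/20 10:57:04.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0019E06B3C9F&0]
>>>  Section start 2015/04/20 10:57:04.250
<<<  Section end 2015/04/20 10:57:05.870
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230507110422&0]
>>>  Section start 2015/04/21 08:14:40.002
<<<  Section end 2015/04/21 08:14:41.500
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install[^\]]*? - (?P<inst>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_install_times(log_text):
    """Map each USBSTOR device-instance id to the earliest install-section start time.

    A device normally gets one install section, but if the log holds several (driver
    updates), the earliest one is the first time the device was plugged in.
    """
    result = {}
    pending = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group("inst")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            if pending.upper().startswith("USBSTOR\\"):
                ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
                if pending not in result or ts < result[pending]:
                    result[pending] = ts
            pending = None
    return result


def split_instance_id(inst):
    """Break 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' into (vendor, product, serial).

    The trailing '&0' is the LUN suffix Windows appends to the serial, so it is stripped.
    """
    _, hw, serial = inst.split("\\", 2)
    fields = dict(part.split("_", 1) for part in hw.split("&") if "_" in part)
    return fields.get("Ven", ""), fields.get("Prod", ""), serial.rsplit("&", 1)[0]


def install_timeline(log_text):
    """Chronological list of (timestamp, vendor, product, serial) for USBSTOR devices."""
    rows = [(ts, *split_instance_id(inst)) for inst, ts in first_install_times(log_text).items()]
    return sorted(rows)


if __name__ == "__main__":
    for ts, vendor, product, serial in install_timeline(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {vendor:10} {product:20} {serial}")
```

The timestamps in setupapi.dev.log are local time on the suspect machine, so they should be reconciled with the system time zone before being placed next to LNK or registry times expressed in UTC.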

11. SetupAPI Logs in Windows 10 TP

12. Popular Webmail Finders
These products can help you find the most popular kinds of webmail for review. They search a forensic image and find all known webmail fragments.
Internet Evidence Finder, from Magnet Forensics (link Ch 13a)
Evidence Center, from Belkasoft (link Ch 13b)

13. Inbox View
Often, one of the recovered HTML files will be the user's Inbox. It is typically a static web page, written to disk in its entirety, showing sender, date, subject, and whether an attachment was included.

14. Limitations
You can only recover what the suspect received from the web server. You cannot recover text typed into a form and sent up to the Web server.
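As an added example (not the book's or the slides' code, and not what the commercial finders above do internally): a Python carver that locates HTML fragments in a raw image buffer, keeps a fragment even when its closing tag was overwritten, and extracts the inbox rows (sender, date, subject, attachment) that survive. The image bytes and the inbox markup are constructed for the demo; real webmail pages differ per provider, so the row pattern is an assumption that would have to be adapted to the system under review. Note that nothing the user typed into a compose form exists in these bytes, which is the limitation stated above.

```python
import re

# Constructed bytes standing in for a drive image: an allocated inbox page, a run of
# zeroed clusters, then a deleted inbox page whose tail was overwritten. The markup is
# invented for the demo; real webmail pages differ and ROW_RE would be adapted.
INBOX_PAGE = (
    b'<html><head><title>Inbox - webmail</title></head><body><table id="inbox">'
    b'<tr class="msg"><td>alice@example.org</td><td>2015-04-18 21:40</td>'
    b'<td>customer list Q1</td><td class="att">paperclip</td></tr>'
    b'<tr class="msg"><td>noreply@example.net</td><td>2015-04-17 09:05</td>'
    b'<td>Your statement</td><td></td></tr>'
    b'</table></body></html>'
)
DELETED_PAGE = (
    b'<html><head><title>Inbox - webmail</title></head><body><table id="inbox">'
    b'<tr class="msg"><td>home.account@example.org</td><td>2015-04-19 23:12</td>'
    b'<td>drawings.zip</td><td class="att">paperclip</td></tr>'
    b'<tr class="msg"><td>bob@example.org</td>'      # cut off: the rest was overwritten
)
IMAGE = b"\x00" * 512 + INBOX_PAGE + b"\x00" * 1024 + DELETED_PAGE + b"\xff" * 300

HTML_START = re.compile(rb"<html\b", re.IGNORECASE)
HTML_END = re.compile(rb"</html>", re.IGNORECASE)
FILL_RUN = re.compile(rb"[\x00\xff]{16,}")          # sector fill that is clearly not HTML
ROW_RE = re.compile(
    rb'<tr class="msg"><td>(.*?)</td><td>(.*?)</td><td>(.*?)</td><td( class="att")?>', re.DOTALL
)


def carve_html(image, max_len=64 * 1024):
    """Return (offset, fragment, complete) for each HTML start marker in the image.

    A fragment with no closing tag within max_len is treated as a deleted or partially
    overwritten page: it is cut at the first long run of fill bytes and flagged incomplete.
    """
    fragments = []
    for m in HTML_START.finditer(image):
        start = m.start()
        end = HTML_END.search(image, start, start + max_len)
        if end:
            fragments.append((start, image[start:end.end()], True))
        else:
            chunk = image[start:start + max_len]
            cut = FILL_RUN.search(chunk)
            fragments.append((start, chunk[:cut.start()] if cut else chunk, False))
    return fragments


def parse_inbox_rows(fragment):
    """Extract sender, date, subject and attachment flag from the inbox rows in a fragment.

    A row whose cells were overwritten simply does not match, so partial rows are dropped
    rather than misreported.
    """
    return [
        {"sender": s.decode("latin-1"), "date": d.decode("latin-1"),
         "subject": subj.decode("latin-1"), "attachment": bool(att)}
        for s, d, subj, att in ROW_RE.findall(fragment)
    ]


def recover_inbox(image):
    """Carve every HTML fragment and list the inbox rows each one still contains."""
    return [(off, complete, parse_inbox_rows(frag)) for off, frag, complete in carve_html(image)]


if __name__ == "__main__":
    for off, complete, rows in recover_inbox(IMAGE):
        print(f"fragment at offset {off} ({'complete' if complete else 'partial'}):")
        for r in rows:
            print("  ", r)
```

The offset of each fragment is worth recording alongside the rows: a fragment that lies inside an allocated cache file can be tied to a browser profile and a time window, while one found only in unallocated space cannot be dated from the file system.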

15. NetAnalysis
Examines browser history and cache (link Ch 13c)

16. BCC:
A user may use the corporate account but include a BCC: copy to a home account. This is easily detected by examining the Web server; a search of Internet history will usually find their home accounts.

17. How to determine where the data went

18. LNK Files (Recent Items)

19. LNK Files
Created whenever files (and sometimes folders) are opened in Windows, with this information:
Full path to the file, which can be on a local drive, network share, removable media, etc.
Type of drive the file is being accessed from
File size
Volume name and serial number of the drive from which the file is being accessed

20. Additional Information in LNK Files
MAC address of the system where the file is stored, if it's being accessed over the network
Date information: when the associated file was created, modified, and accessed; when the LNK itself was created, modified, and accessed

21. Recovered LNK Files
LNK files are found in both the active file system and the free space on the drive. Commercial forensic tools like FTK can recover LNK files from free space (link Ch 13d).

22. Windows File Analyzer (link Ch 13i)

23. Demonstration of Times
Create a folder and a file. Wait a while, then open it again.
Examine the LNK file timestamps: they show the time the LNK was created, accessed, and modified.
Analyze with Windows File Analyzer: it shows the time the original file was created, accessed, and modified.

24. Folder and file created at 10:59; no LNK file created at that time. Folder and file opened at 11:12; LNK file created with timestamp 11:12.

25. Windows File Analyzer shows the time the file was actually created: 10:59
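As an added example (not code from the slides, the book, or Windows File Analyzer): a Python parser for the fields slides 19-20 list, read from the Shell Link header and its LinkInfo block per the public MS-SHLLINK layout, plus a builder that constructs a sample link so the 10:59 / 11:12 demonstration above runs offline. The target path, volume label and serial number are constructed values and the function names are my own. The point the demonstration makes is visible in the code: the target's own timestamps live inside the LNK bytes, while the time the LNK file itself was created (11:12 in the slides) is a file-system attribute of the .lnk and is not stored in these bytes at all.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout from the public MS-SHLLINK specification; the sample link below is constructed.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01       # LinkFlags bits
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("latin-1")


def parse_lnk(data):
    """Return the target's timestamps, size, source volume and local path from .lnk bytes."""
    header_size, clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_written": filetime_to_datetime(wtime),
            "target_size": size}
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; only LinkInfo is read here
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        _li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _, drive_type, serial, label_off = struct.unpack_from("<IIII", data, off + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            info["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            info["volume_label"] = _cstring(data, off + vol_off + label_off)
            info["local_path"] = _cstring(data, off + base_off)
    return info


def build_lnk(target, label, serial, drive_type, created, accessed, written, size):
    """Construct a minimal .lnk (header + LinkInfo with VolumeID and LocalBasePath) for the demo."""
    label_b = label.encode("latin-1") + b"\0"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b = target.encode("latin-1") + b"\0"
    li_hdr = 28                                   # LinkInfoHeaderSize without the Unicode offsets
    base_off = li_hdr + len(volume_id)
    suffix_off = base_off + len(base_b)           # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", suffix_off + 1, li_hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            li_hdr, base_off, 0, suffix_off) + volume_id + base_b + b"\0"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    return header + link_info


def demo_link():
    """Slides 24-25: the target was created at 10:59 and opened at 11:12 from a removable drive.
    Everything below is constructed; the .lnk's own 11:12 creation time would come from the MFT."""
    created = datetime(2015, 4, 20, 10, 59, tzinfo=timezone.utc)
    opened = datetime(2015, 4, 20, 11, 12, tzinfo=timezone.utc)
    return build_lnk(r"E:\Exports\customers.xlsx", "KINGSTON", 0x1A2B3C4D, 2,
                     created, opened, created, 48213)


if __name__ == "__main__":
    for key, value in parse_lnk(demo_link()).items():
        print(f"{key:16} {value}")
```

The drive type and volume serial are what let an examiner tie a Recent Items entry to a specific removable device; the serial recovered here is the volume serial (from the file system), not the USB device serial held under USBSTOR, so the two are correlated rather than compared directly.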

26. Shellbags
Registry entries that store user preferences for folder display in Windows Explorer. Only folders that have been opened by the user appear in the shellbags.
Shellbags are part of the user's profile, in these files: NTUSER.DAT and USRCLASS.DAT

27. Shellbags in Windows 10 TP


29. Shellbags v. LNK Files
LNK files show files that were opened, and possibly directories.
Shellbags show every directory a user accessed, whether the user opened a file or not.

30. sbag (not free)

31. Images from SANS (link Ch 13k)

32. ShellBags Explorer (free; link Ch 13m)

33. ShellBagsView (free; link Ch 13l)

34. Case History

35. Web Developer
A web development company was losing a major client in 90 days to a different company, for a major upgrade, and would lay off staff.
A developer wanted to jump ship to the new company. To impress them, he downloaded the whole site by FTP to start working on it early.

36. Customer Data
He also downloaded 100,000 customer records that were kept in archival files on the Web server, automatically generated each midnight.
The hosting provider noticed the large amount of traffic and notified the owner, giving the filenames and the IP address of the downloader.

37. Court Order
The company hired a law firm to get a court order and obtained the customer's information from the ISP, based on the IP address.
The developer denied downloading the files but agreed to a forensic examination of his laptop.

38. Search Terms
The archival files had a standardized naming convention, which made the names useful as search terms.
Thousands of the names were found in a partially overwritten log file for WS_FTP (the FTP client the developer used).
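As an added example (not the tooling used in the case): a Python search that turns a naming convention into a pattern and scans an image buffer chunk by chunk, reading a little past each chunk so a name split across a chunk boundary is still matched, then reports the distinct names and date range found. The convention (customers_YYYYMMDD.zip), the transfer-log line layout and the overwritten region are all constructed for the demo and do not reproduce WS_FTP's real log format.

```python
import re

# Constructed demo data: a transfer log where archived file names follow a naming convention
# (assumed here: customers_YYYYMMDD.zip), partially overwritten by a reused cluster, and
# surrounded by unrelated fill bytes as it would be when it sits in free space.
NAMING_CONVENTION = re.compile(rb"customers_(\d{8})\.zip")
TERM_MAX_LEN = 64   # assumed upper bound on a search term's length; sets the chunk overlap


def make_sample_image():
    lines = b"".join(
        b"2015-04-%02d 00:05:12 GET /archive/customers_201504%02d.zip 4,211,900 bytes\r\n" % (d, d)
        for d in range(1, 20)
    )
    clobbered = lines[:400] + b"\x00" * 300 + lines[700:]   # middle of the log overwritten
    return b"\xaa" * 1000 + clobbered + b"\xaa" * 1000


def search_image(image, pattern, chunk_size=512):
    """Scan a raw image in chunks of chunk_size bytes, reading TERM_MAX_LEN bytes past each
    chunk so a term that straddles a boundary is still matched. A hit found twice (once in
    the overlap, once at the start of the next chunk) is deduplicated by absolute offset."""
    hits, seen, pos = [], set(), 0
    while pos < len(image):
        chunk = image[pos:pos + chunk_size + TERM_MAX_LEN]
        for m in pattern.finditer(chunk):
            off = pos + m.start()
            if off not in seen:
                seen.add(off)
                hits.append((off, m.group(0)))
        pos += chunk_size
    return hits


def summarize(hits, pattern=NAMING_CONVENTION):
    """Distinct names found and the date range they span (the 8-digit field of the convention)."""
    names = sorted({name for _, name in hits})
    dates = [pattern.match(n).group(1).decode() for n in names]
    return {"distinct": len(names),
            "first": dates[0] if dates else None,
            "last": dates[-1] if dates else None}


if __name__ == "__main__":
    image = make_sample_image()
    hits = search_image(image, NAMING_CONVENTION)
    for off, name in hits:
        print(f"offset {off:8d}  {name.decode()}")
    print(summarize(hits))
```

On the constructed data the two names that sat across the overwritten region are lost, and the remaining fourteen survive; the offsets are kept so each hit can be mapped back to the cluster and, where possible, the file that once owned it.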

39. Authorized Seizure
This evidence was sufficient to get a judge to authorize seizure of all media at the developer's residence for analysis, given concerns that the developer had copied the data.
The developer admitted to the download. A USB drive revealed that the files had been copied to it, but it was then reformatted. More than 70,000 customer files were recovered. There was no evidence of any other copies.