Incident Response & IP Theft – Guide for IT, HR Departments and Business Owners

WARNING: This is a general guide of what to expect when an investigation is needed. Do not open up anything, browse, boot up any closed down system or switch off anything unless you are sure what you are doing!

Introduction

So you are work in human resources, or you are a business owner and are concerned that an incident has occurred or may have occurred? Data may have been emailed or taken out from an ex-employee, or you may have even been hacked. Your first instinct may be some actions or non-actions such as: calling the IT department, pull the plug on the item, leaving the piece on and networked, hire “Bob the computer expert” from down the road or even to have a look at the computer or phone yourself. Any of these options may end in disaster through accidental evidence deletion, evidence destruction and you may be liable having to explain your wrong actions in court or a tribunal.

The IT staff may be in on the incident or involved so with this in mind be sure to investigate a ‘need to know’ basis.

Pulling the plug, as what was done in the past, this may mean the loss of vital encryption keys in the RAM (the computers volatile working memory that is lost when switched off) on Macs, Linux and Windows machines.

Leaving the computer on the network may expose the device to being wiped remotely by the culprit. The assumption here is: The IT department or the director is not forensically trained and neither are you so leave well alone unless you know what you are doing!

Real Case Example Disaster – The Client that Installed Programs on the System to Perform the Themselves

I have experienced cases where the IT department has installed a data recovery program such as Recuva to the disk they wanted to recover from and had the recovered files outputted to that same disk. The actions as mentioned earlier caused the areas that could be retrieved from to fill up with the recovered data and the newly installed program, defeating the purpose of recovery! Not only did they lose valuable data, the recruitment firm’s client list on that computer, The organisation, but also had to explain why they meddled with the system after the event to the opposing parties team in the tribunal. Lucky it was discovered that a list matching the name and size was emailed out. Additionally, a fragment of that list was found in the file slack of another file. The file slack is akin to the unused space at the end of a physical file size space that hasn’t thoroughly been wiped over by the new logical file, invisible to most users. The spreadsheet didn’t exist in its live form, but the fragments and metadata were also discovered using an advanced forensic search.

Evidence Tampering.Deletion by the Culprit

If you are aware, the culprit has tried to format the disk or use wiping software such as CCleaner don’t worry a computer forensics expert should have experienced any number of these occurrences on a weekly basis and is trained to deal with them. Chances are you will make things worse by trying yourself. More often than not their tampering leads to more evidence against them of a cover-up!

Commencement of Search and Seizure

Data exists on computers, external drives, DVD’s, CD’s, mobile phones, memory cards, memory sticks and a plethora of other potential digital media. Make sure you don’t overlook anything in your search. Make a list of the time and date you seized these items along with some photos, videos, serial numbers and any other identifying features you can record. Don’t make anyone aware until you are sure the data is onsite and right before the seizure.

Tip: Sweep your Offices for Hardware Keyloggers and Voice Recording Devices in your

Concerned about intellectual property walking out of your organisation? Often people may not have the skill to hack or install software keyloggers. Hardware keyloggers such as KeyGrabber can log every keystroke, and they appear as innocuous devices on the back of tower computers that plugin easily behind the keyboards. Fig 1 is an example of such a keylogger.

Fig 1 Keylogger Plugged into the Posterior of a Computer Tower

Other Devices

Unscrupulous individuals and gangs have been known to put voice/SMS/telephone bugs in bins or under desks to record conversations. Don’t overlook this. I have come across this in an insider trading investigation where nothing was found on the actual computer, but the office was bugged. Remember there are many ways to steal IP (intellectual property). More advanced bugs now exist that act as a WIFI dongle record traffic such as passwords and then email the booty to the culprit. Even worse is the KeyGrabber module, this is actual implanted inside the computer and are nigh on impossible to spot to the uninitiated. If a logger is discovered, hand this device over to the professional digital investigator.

Protecting the Integrity of the Digital Evidence

It is important not to leave the device anywhere it can be tampered with by the unscrupulous. The culprit or sympathetic co-worker could access the item and tamper with the data. If possible lock the room with the items in, make sure only you have access.

Disabling Network Access on the Computer

If the evidence is a Laptop unplug the network cable at the posterior of the computer, switch off the WIFI switch if there is one showing the WIFI symbol or physically pop out the PCI network card with the computer on. You may also switch off disable the adaptors in the settings if possible. Make sure the item is plugged in and switched on so it doesn’t power off. Try to disable sleep and auto lock in settings or control panel on the system if possible.

If the evidence is a computer Tower  is switched on and logged in disable auto lock and sleep in the control panel. Pull the network cable from the back, pull any WIFI dongle, unscrew the aerial from any protruding card and disable WIFI if it exists on the tower. Try to keep the tower on and not networked if possible. Logout and shutdown only if you are sure there is no BitLocker, FileVault or Trucrypt encryption on the devices. Make notes with times and dates of your specific actions.

If you are not sure about this, please contact a computer forensic expert at Compute Forensics or another organisation proficient to do this. At this stage, it is important to recognise you are just protecting the computer from:

a) Physical Tampering

b) Remote Tampering until an expert arrives on the scene.

Note: if you are sure a cryptovirus or another tool is working in the background on the machine and you know the BitLocker, FileVault or Truecrypt/VeraCrypt password or key or that there isn’t one then it is probably wise to unplug the computer from the power cord or remove the battery. An incident response expert can then attempt to salvage what hasn’t been decrypted and decrypt what has been.

The reason for leaving the system on is at a later stage, and if the computer is on, the digital forensic expert would image the RAM as well as locked registry files and indeed the unencrypted logical image of the unlocked hard disk if the disk is encrypted. Then the examiner would go on to take a full physical copy of the device to follow proper practice procedures. If the item encrypted and off then the examiner may have to crack the password.

Damaged Drive?

Don’t be tempted to use recovery software. The more you use a faulty disk, the less likely a successful recovery will occur. Our experts have been known to image faulty devices while onsite successfully. More often than not the equipment isn’t defective but has just been formatted or modified by the culprit.

Mobile Device Forensic Imaging

If you find a phone on site, put it into aeroplane mode as to stop any remote tampering or switch it off. A Logical image (just the filesystem) and the holy grail of forensics ‘the complete physical image’ (included files system and deleted areas) can be taken when the examiners are onsite.

Don’t worry if this isn’t possible. Backups often exist unwittingly on the suspect’s computer. The data discovered can often yield as much or often more than the live phone data.

Call the Computer Forensic Expert

It is now the incident response experts turn to arrive on the scene take notes and forensically collect the data. The basic premise is that where ever possible the computer forensic expert would collect the data without changing it, along with contiguous notes that can confront rigorous testing in court. Using a forensic blocking device, a forensic Linux distribution or a remote method the expert would then go on to collect the data for analysis and output this verified copy to an encrypted disk.

What Happens Next?

The computer forensic examiner would then go on to examine the forensic copies, not the original disks. This technique is to preserve the integrity of the evidence and not to damage the originals.

A robust digital timeline would probably be needed to be produced to examine the chain of events that occurred. Computer Registry in Windows or Plist files and logs in Mac would generally be probed to discover when programs were run, what was connected to the system and much more. The timeline goes into every event log, internet history and registry item and outputs the results as a table. This table can be painstakingly analysed to correlate the suspect wrongdoings against times and other evidence such as CCTV.

Internet history, chat and email can be recovered using data recovery techniques along with deleted files such as Word and Excel documents. Along with the files, useful metadata can tell us which user the item was last saved by and when the article was copied to a particular location and much more.

The drive can be indexed to allow powerful keyword searches across the data. This searching can search inside files content, its metadata as well as deleted fragments. Powerful searches are not standard for Windows or Macs! Preparation by HR of keywords, dates and times aids the examiner considerably.

Malware can be discovered by scanning the mounted disk using powerful anti-virus software as well as by manual more time-consuming methods such as reverse engineering and running the item in s safe environment.

Using what was found the events can be put together into an expert technical report to ascertain what had happened and possibly reprimand the suspect.

Written by Alistair Ewing of Compute Forensics

______________________________________________________________________

Contact us and we can provide a training solution for your IT department in evidence handling, forensic imaging of ex-employees devices and legal admissibility standards. If you are worried about security consult with us in regards to our pen testing options.

The sooner data is collected, the better. It is better the examiner has experience as an expert witness and is Sweet, and Maxwell vetted rather than hiring someone that is just IT savvy.

Please don’t hesitate to email us at expert@compute-forensics.com or call +44 (0)203 5989658 now should you have an incident.