Published: January 11, 2007
This scenario depicts unauthorized access to internal confidential information within
a national financial institution—Woodgrove Bank. The scenario is fictional, as are
the people and the organizations mentioned in the scenario.
The scenario was designed to provide an overview of tools and technologies used
for data collection and examination. In a real security breach situation, you should
consult with appropriate management, legal, and law enforcement groups for advice
about the appropriate investigative techniques to use. Also, although the authors
recognize that imaging a suspect drive is important in investigative work, it is
beyond the scope of this guide and only briefly mentioned during the data acquisition
phase of the scenario.
Scenario
It has been brought to the attention of Ray Chow, the Enterprise Systems Administrator
of Woodgrove National Bank, that someone was bragging about knowing the salary of
many different bank employees. Ray learned the name of the employee who claimed
to know this information—Mike Danseglio. Mike works in the loan department and should
not have access to any Human Resources (HR) files.
Woodgrove National Bank has a policy that relates to the proper use of bank computers.
This policy states that there is no expectation of privacy when using company computers
for any purpose, including e-mail services and access to Web sites. The policy also
states that no programs will be loaded on any computers without the written permission
of the IT Director, and that any attempts to circumvent passwords or obtain unauthorized
access to bank files will be grounds for termination or legal prosecution. The policy
also allows the IT staff to install any network monitoring devices, including sniffers
or other packet capture devices, to maintain network security or to investigate
possible abuses.
Ray wants to ensure that he uses accepted computer investigation procedures to investigate
this issue and report his findings. Ray believes that information might have been
originally obtained from the HR file server and plans to follow the four-phase computer
investigation model shown in the following figure:
Figure 5.1. Computer investigation model overview
Important: See the "Applied Scenario Lab Configuration"
section at the end of this chapter for information about how to emulate this scenario
and follow along using the tools.
Assess the Situation
Ray meets with management to assess the situation. Management indicates that unauthorized
access to and distribution of confidential payroll information would be grounds
for termination, but they will not prosecute an employee for such actions.
Woodgrove National Bank policy states that management will consult with the internal
legal department to check local laws and determine whether any other policies affect
investigations about improper employee access to restricted computer systems.
The Woodgrove National Bank legal department provides written permission for Ray
to examine the contents of Mike Danseglio’s company computer. The legal and management
teams ask to be informed of the investigation outcome. They also ask Ray to follow
up with steps to protect sensitive data more effectively in the future if he finds
that a breach occurred.
Ray's first task is to identify the computers that are involved in the investigation
and document the hardware configuration for each. After he completes this task,
Ray draws a logical diagram of the involved computers, which is shown in the following
figure.
Figure 5.2. Logical diagram of computers involved in the investigation
Ray then considers different options for proceeding with the investigation. Because
some of the information he needs to acquire is volatile data, Ray decides to begin
the internal computer investigation by analyzing live data. He will then make an
image of Mike Danseglio’s drive and examine the static evidence.
Ray creates a USB drive that includes the appropriate investigative tools for a
live investigation. (The "Tools" section in
Appendix: Resources in this guide describes the tools that are referenced
in this chapter.)
Ray's next task is to duplicate the suspected party's hard disk in a way that protects
and preserves the evidence if he locates information that requires him to report
the case to law enforcement.
Ray notes items of potential interest, documents what is needed to be able to identify
and authenticate the collected evidence later in the investigation, and creates
an audit log of actions performed during the investigation.
Acquire Evidence of Confidential Data Access
Woodgrove National Bank management authorized Ray to examine the directory structure
on the HR file server (WNB-HQ-FS1) and the payroll files to determine whether an
unauthorized individual read the files. Ray could go to Mike Danseglio’s computer
immediately and look for evidence, or he could begin at the server and try to locate
evidence in the audit logs. Ray also wants to know what user rights Mike Danseglio
has with regard to the HR folders.
Ray decides to use the following two-step approach to acquire the evidence:
- Examine the HR file server to look for evidence of unauthorized access to confidential
files and folders. This examination may or may not confirm management’s suspicion
that Mike Danseglio accessed these files without proper authorization.
- Examine the contents of Mike Danseglio’s drive locally and remotely to look for
any confidential data. Ray plans to use a combination of native Microsoft® Windows®
tools (including Ipconfig, Systeminfo, and Netstat) and Windows Sysinternals tools
(including AccessChk, PsLoggedOn, and PsFile).
Ray interviews HR team members and examines the file server. He notes that payroll
files are summarized once each month in spreadsheet files that are kept in the HR\Internal\Payroll
folder. The HR MGRS group is the only group that should have read or write permissions
to this folder, and Mike Danseglio is not a member of this group. Ray needs to determine
whether it is possible for someone to access the HR Department folder that contains
the salary information for bank employees.
Ray views the event logs for the HR file server. He previously configured auditing
on the HR\Internal folder so that he could track access failures and successes.
Ray notes all the steps he takes to open and view the Security event log.
Several entries in the event log stand out, such as the one shown in the following
screen shot. A few entries indicate that a mdanseglio user account accessed the
HR\Internal\Payroll\090806PR-A139.xls file.
Figure 5.3. Security event log entries that indicate user account mdanseglio accessed
the 090806PR-A139.xls file in the HR\Internal\Payroll folder
First, Ray creates new \evidence and \tools folders on the USB drive. To ensure
the integrity of the evidence files he creates, Ray will perform an MD-5 cryptographic
hash on any files he copies from Mike’s computer to the evidence folder.
MD-5 cryptographic hashes are created by running an algorithm on a file to create
a unique 128-bit “fingerprint” of the contents of the file. If someone questions
the integrity of the data collected by Ray (for example, to imply the file may have
been edited at a later time), Ray can provide the original MD-5 checksum value for
comparison and validation.
Ray exports the log set to a USB drive that is labeled HR01. He will use this same
USB drive for all his evidence collection.
Note: Connecting a USB drive to a Windows-based
computer adds an entry to the Setupapi.log file and alters the following
registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Storage\RemovableMedia
Ray decides to determine what permissions are assigned to the HR\Internal folder
by running the Windows Sysinternals
AccessChk tool on the server. This tool shows what permissions the specified
user or group has to files, registry keys, or Windows services. Ray runs the tool
from his USB drive, which appears as drive F:, by typing the following at a command
prompt:
f:\tools>accesschk mdanseglio c:\hr\internal
Note: The Sysinternals AccessChk tool requires
an installation process and will leave a footprint on the local drive in the following
registry key:
HKEY_CURRENT_USER\Software\Sysinternals\AccessChk
Ray notes that the mdanseglio user account has read and write permissions to the
\Benefits, \Payroll, and \Reviews subfolders under \HR\Internal as shown in the
following screen shot:
Figure 5.4. AccessChk results that indicate user account mdanseglio has read and
write permissions to the HR\Internal subfolders
Ray suspects that errors in the configuration of the HR server permissions allowed
Mike Danseglio to access the HR\Internal folder. Ray spends a few minutes investigating
Mike Danseglio’s user rights and notices that he is a member of a group called branch01mgrs.
This group has read and write permissions to the HR\Internal folders.
Ray wants to know whether Mike Danseglio is currently logged on to any servers on
the network. Ray uses PsLoggedOn, a tool that displays locally logged on users as
well as users who are logged on through resources to either the local computer or
a remote one. Ray inserts his USB stick into his computer and types the following
at the command prompt:
f:\tools>psloggedon mdanseglio
The results, shown in the following screen shot, indicate that Mike Danseglio is
logged onto WNB-HQ-FS1 at this time.
Figure 5.5. Psloggedon results indicating that user account mdanseglio is logged
on to WNB-HQ-FS1
Ray removes Mike Danseglio from the branch01mgrs group and rechecks his user rights
to the HR\Internal folder.
After further review of the Security event logs and the results of AccessChk to
look for other possible incorrect permission configurations to the HR\Internal folder,
Ray begins investigating the contents of Mike Danseglio’s computer using remote
investigative techniques.
Remote Evidence Collection
Ray decides to gather information remotely from Mike Danseglio’s computer before
he tries to gather information locally, and he comes into the office during a weekend
to make a forensically sound copy of Mike’s hard disk. In an actual situation, Ray
might perform his entire forensics investigation on a hard disk image of the suspected
party's computer. However, this scenario depicts the use of tools and techniques
to gather volatile evidence locally and remotely.
Ray uses a USB drive connected to his own computer that contains numerous tools.
The USB drive will store all evidence that he collects as well as a text file record
of all commands he types.
Ray uses the following basic procedure, which allows him to mark the time his examination
starts, collect the evidence from Mike Danseglio’s computer across the network,
record all his investigatory steps, and create an MD5 hash of the evidence he collects.
Important: Some Sysinternals tools, including
PsExec, PsFile, and PsLogList, are blocked by the default Windows Firewall configuration.
To follow along with this applied example and use these tools to examine what information
can be gathered across the network, you need to click the Exceptions tab
in Windows Firewall and enable File and Printer Sharing. However, you do
NOT need to share anything. On target computers that have Windows Firewall enabled
and File and Printer Sharing disabled (the default setting), the Systeminfo, Ipconfig,
Arp, Netstat, Schtasks, PsFile, PsList, and PsLogList tools must be run directly
on the target computer. In such a case, run each of these tools directly on the
target system and pipe the results to the evidence2.txt file created in the
"Local Evidence Collection" section later in this chapter.
- Access the USB drive. Ray accesses the USB drive and the \tools folder that contains
his command-line tools (including PsExec and the File Checksum Integrity Validator
(FCIV) tool).
j:
cd tools
- Note the examination start date and time. Ray pipes the results of the date and
time commands to record the start time of his investigation into a new mdevidence.txt
file that is created in the \evidence folder on his USB drive. (Ray will obtain
the system time on Mike Danseglio’s computer in step 3.) In addition, Ray looks
for any discrepancy between the BIOS date and time and the actual date and time.
date /t > j:\evidence\mdevidence.txt
time /t >> j:\evidence\mdevidence.txt
- Obtain basic information about the target computer. Ray runs a series of native Windows
commands to obtain information about Mike’s computer.
j:
cd tools
psexec \\hqloan164 systeminfo >> j:\evidence\mdevidence.txt
psexec \\hqloan164 ipconfig /all >> j:\evidence\mdevidence.txt
psexec \\hqloan164 arp -a >> j:\evidence\mdevidence.txt
psexec \\hqloan164 netstat -b >> j:\evidence\mdevidence.txt
psexec \\hqloan164 schtasks >> j:\evidence\mdevidence.txt
Note: PsExec gathers information remotely by
using services that are already on the target computer, such as Cmd and Ipconfig.
PsExec can also be used to load services across the network to run on the target
computer. Ray does not want to install any applications on Mike’s computer—he only
runs services that are supported by the Windows XP operating system on Mike's computer.
- Run remote tools that use local application programming interfaces (APIs). Ray now
runs several tools to determine whether other computers have files open on Mike’s
computer, the processes that are running on the computer, and to obtain the System
and Security event logs from the computer.
psfile \\hqloan164 >> j:\evidence\mdevidence.txt
pslist -t \\hqloan164 >> j:\evidence\mdevidence.txt
psloglist -s \\hqloan164 >> j:\evidence\mdevidence.txt
psloglist -s sec \\hqloan164 >> j:\evidence\mdevidence.txt
- PsFile shows files opened remotely. This tool uses remote Windows APIs and does
not need to be loaded on the target computer.
- PsList shows information about
running processes and threads on a computer. This tool uses remote Windows APIs
and does not need to be loaded on the target computer.
- PsLogList dumps the contents
of the computer's Event log by default—no additional parameter is needed. Ray runs
this command with the sec parameter to obtain the Security event log.
- Create a record of all tasks. Windows automatically tracks all the commands that
are executed at a command prompt. Ray uses the Doskey command to capture this record
and pipes the history information into a file called mdevidence-doskey.txt.
doskey /h > j:\evidence\mdevidence-doskey.txt
- Perform an MD5 checksum on the evidence files. Ray uses the FCIV tool to perform
an MD5 checksum on the evidence files.
fciv j:\evidence\mdevidence.txt >> j:\evidence\md5mdevidence.txt
Note: Display limitations might cause the preceding
command to display on more than one line. It should be entered as a single line
at the command prompt.
The FCIV tool computes and verifies cryptographic hash values.
This tool is available through Microsoft Knowledge Base article 841290.
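
The integrity check described earlier (hash each evidence file when it is collected, then compare again if the data is questioned) and the FCIV step above can be applied to a whole evidence folder at once. The following Python code is an added example, not part of the original guide or of the FCIV tool; it records SHA-256 next to the MD5 value the guide uses, because MD5 collisions can be produced deliberately. The manifest format and function names are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(evidence_dir):
    """Hash every file under evidence_dir; keys are paths relative to it."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, manifest_path):
    """Write one 'md5  sha256  relative/path' line per file (assumed format)."""
    with open(manifest_path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write("%s  %s  %s\n" % (manifest[rel][0], manifest[rel][1], rel))


def load_manifest(manifest_path):
    """Read a manifest written by save_manifest back into a dict."""
    manifest = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            md5_hex, sha256_hex, rel = line.rstrip("\n").split("  ", 2)
            manifest[rel] = (md5_hex, sha256_hex)
    return manifest


def verify(evidence_dir, manifest):
    """Compare the folder with a saved manifest.

    Returns {path: status}: 'ok', 'modified', 'missing' (recorded but
    gone) or 'unrecorded' (present but never hashed).
    """
    current = build_manifest(evidence_dir)
    report = {}
    for rel, digests in manifest.items():
        if rel not in current:
            report[rel] = "missing"
        else:
            report[rel] = "ok" if current[rel] == digests else "modified"
    for rel in current:
        if rel not in manifest:
            report[rel] = "unrecorded"
    return report


def demo():
    """Constructed sample: hash three evidence files, then alter the folder."""
    with tempfile.TemporaryDirectory() as work:
        evidence = os.path.join(work, "evidence")
        os.mkdir(evidence)
        samples = {
            "mdevidence.txt": b"constructed sample: systeminfo output\r\n",
            "mdevidence-doskey.txt": b"constructed sample: doskey /h output\r\n",
            "mdevidence2.txt": b"constructed sample: dir /ta output\r\n",
        }
        for name, data in samples.items():
            with open(os.path.join(evidence, name), "wb") as fh:
                fh.write(data)
        # The manifest lives outside the hashed folder so it never hashes itself.
        manifest_path = os.path.join(work, "evidence-manifest.txt")
        save_manifest(build_manifest(evidence), manifest_path)

        # Later changes that the comparison must detect.
        with open(os.path.join(evidence, "mdevidence.txt"), "ab") as fh:
            fh.write(b"edited later\r\n")
        os.remove(os.path.join(evidence, "mdevidence2.txt"))
        with open(os.path.join(evidence, "notes.txt"), "wb") as fh:
            fh.write(b"added later\r\n")
        return verify(evidence, load_manifest(manifest_path))


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(status, path)
```

Keep the manifest outside the folder it describes, ideally on separate media, so that re-hashing never changes the set of files being compared.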
Ray wants to remotely review the folders on Mike Danseglio’s computer. To do so,
he uses PsExec to open a command prompt on Mike's computer. At the command prompt,
Ray enters the following commands:
psexec \\hqloan164 cmd
cd c:\documents and settings\mdanseglio\my documents
dir /s
Although all users are required to keep documents on the network server, Ray notices
that Mike Danseglio has a Personal folder on his computer. This folder includes
a spreadsheet and a \xxxpixset subfolder.
After remotely reviewing the folders on Mike's computer, Ray is ready to report
his findings and move to Mike’s computer to investigate locally.
Jill Shrader, the HR Department Manager, calls Ray on his cell phone and asks about
the status of Ray’s investigation. Ray explains that he has collected the following
information:
- Mike Danseglio's user account had read and write permissions to the HR\Internal
folder because he was mistakenly added to the branch01mgrs group, which has permissions
to that folder and its subfolders.
- Mike's computer has a Personal folder on
its hard disk that contains at least one spreadsheet.
- Mike's computer contains
two unauthorized programs that enable him to monitor network traffic and scan the
network for services and computers.
- Mike's computer has a large collection of
image files on its hard disk that Ray suspects are pornographic images.
Local Evidence Collection
Ideally, computer investigations should be conducted on hard disk images. In this
example, however, Ray runs a series of tools directly on Mike Danseglio’s computer.
These tools are run from a USB drive and do not require installation on the local
computer. However, as mentioned earlier in this chapter, the insertion of the USB
drive will leave a footprint in the registry.
Important: If Mike Danseglio’s computer had
Windows Firewall enabled with File and Printer Sharing disabled, Ray would run the
Systeminfo, Ipconfig, Arp, Netstat, Schtasks, PsFile, PsList, and PsLogList tools
locally on Mike’s computer. Ray would enter the commands listed in the "Remote Evidence
Collection" section earlier in this chapter but remove the reference to \\hqloan164
before piping the results to the evidence2.txt file he creates in this section.
Ray plans to perform the following tasks on Mike’s computer:
- Search the drive for evidence of confidential files.
- Acquire copies of any
suspect files.
- Examine the files.
Ray logs on to Mike’s computer using the Administrator account to access Mike’s
personal folder. Ray uses the following basic procedure after he connects the evidence
collection USB drive to Mike’s computer:
- Access Mike Danseglio’s Personal folder. Ray accesses Mike's Personal folder with
the following commands.
c:
cd "documents and settings\mdanseglio\my documents\personal"
- Note examination start date and time. Ray pipes the results of the Date and Time
commands to record the start time of his investigation. He pipes the results into
a new mdevidence2.txt file that is created in the \evidence folder on the
USB drive.
date /t > f:\evidence\mdevidence2.txt
time /t >> f:\evidence\mdevidence2.txt
Note: The USB drive is designated as drive F:
on Mike’s computer.
- Acquire directory structure information. Ray uses the Dir command to examine the
contents of Mike’s Personal folder. First, Ray pipes the results to the screen to
view the results and notices a spreadsheet file and the \xxxpixset folder. Then
Ray pipes the results of the Dir command to the evidence file using three different
parameters: /tc to show creation time, /ta to show last accessed time and /tw to
show last written time.
dir /ta >> f:\evidence\mdevidence2.txt
dir /tc >> f:\evidence\mdevidence2.txt
dir /tw >> f:\evidence\mdevidence2.txt
- Access the USB drive. Ray accesses the USB drive and the \tools folder that contains
his command-line tools.
f:
cd tools
- Gather Mike Danseglio's file information. Ray uses the Du utility to examine the
contents of Mike Danseglio’s My Documents folder and any subfolders. He uses the -l 5
parameter to search to a depth of five folders. First, Ray examines the results
on the screen (shown in the following screen shot) before he pipes the evidence
to the mdevidence2.txt file.
du -l 5
du -l 5 >> f:\evidence\mdevidence2.txt
Figure 5.6. Results of running the Du utility
- Copy suspect files to the \evidence_files folder. Although Ray created an image
of Mike Danseglio’s entire drive, he decides to copy the files in Mike Danseglio’s
Personal folder to a new folder named evidence_files that he creates on the
USB drive. He will examine the folder and files during the analysis process.
Note Ray obtained a copy of the original file
during the imaging process. He can perform a hash on the original file found on
the live drive if he wishes to compare this file to the copy of the file on his
USB drive.
Ray uses the Xcopy command with the /s parameter to copy subfolders, the /e parameter
to copy subfolders even if they are empty, the /k parameter to retain the read-only
attribute on destination files if present on the source files, and the /v parameter
to verify each file as it is written to the destination file to make sure that the
destination files are identical to the source files.
f:
md evidence_files
c:
cd \documents and settings\mdanseglio\my documents\personal
xcopy *.* f:\evidence_files /s /e /k /v
- Examine the contents of the Recycle Bin. Ray quickly reviews the contents of the
Recycle Bin on Mike Danseglio's computer, which contains numerous deleted files
as shown in the following figure. Ray knows the drive image process obtained a copy
of these files if he wants to review the files later. After he notes the contents
of the Recycle Bin, Ray is ready to review the evidence he collected remotely and
locally.
Figure 5.7. Several image files located in the Recycle Bin
Analyze Collected Evidence
Ray has two evidence files: mdevidence.txt and mdevidence2.txt. He
also has a copy of Mike Danseglio’s Personal folder. Ray uses the following procedure
on his own computer to analyze the information contained in these files.
- Analyze the process information. Ray reviews the mdevidence.txt file. The
results of PsList are very interesting, because they indicate that Mike Danseglio
is running some unauthorized applications, including Wireshark and nMapWin, as shown
in the following screen shot. Ray knows it is not unusual to find unrelated violations
when performing an investigation on a suspect computer. Ray also understands that
not all applications will be easily recognized (such as the ones listed in this
scenario) and that it is also possible they were installed without Mike's knowledge.
Figure 5.8. Results of running Pslist on Mike Danseglio's computer
- Access the USB drive. Ray accesses the USB drive and the \tools folder that contains
his command-line tools.
j:
cd tools
- Look for suspect strings in the spreadsheet file. Ray looks for the string “confidential”
in his copies of the files from Mike’s Personal folder. To do so, he uses the Find
command with the /I parameter (this parameter ignores the case of characters when
searching for the string) and the /c parameter (this parameter provides the number
of lines that contain the string). First, Ray pipes the results to the screen. It
appears that the 090806PR-A139.xls file contains a match, as shown in the
following screen shot. Therefore Ray runs the command a second time to pipe the
results to an mdevidence-review.txt file.
j:
cd \evidence_files
find /i /c "confidential" *.*
find /i /c "confidential" *.* > j:\evidence\mdevidence-review.txt
Note: Display limitations might cause the preceding
command to display on more than one line. It should be entered as a single line
at the command prompt.
Figure 5.9. Results of the search for “confidential,” found in 090806PR-A139.XLS
- Ray first copies 090806PR-A139.xls to the \evidence_files folder and then
uses the Strings tool to list ASCII and Unicode strings contained in the spreadsheet
file.
strings j:\evidence_files\090806PR-A139.xls
The results (shown in the following screen shot) indicate that the spreadsheet file
contains payroll information. Ray runs the Strings tool again and pipes the results
into his mdevidence-review.txt file.
strings j:\evidence_files\090806PR-A139.XLS >> j:\evidence\mdevidence-review.txt
Note: Display limitations might cause the preceding
command to display on more than one line. It should be entered as a single line
at the command prompt.
Figure 5.10. Results of running the Strings utility on the spreadsheet file
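
The Find and Strings steps above can be repeated offline on the evidence copies. The following Python code is an added example, not part of the original guide or of the Sysinternals tools; it extracts ASCII and UTF-16LE strings and searches them case-insensitively, which also shows why a byte-wise search for the 8-bit form of a word can miss text stored as Unicode. The function names are assumptions and the sample bytes are constructed.

```python
import os
import re
import tempfile


def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) tuples for printable runs.

    Two passes: 8-bit ASCII runs, and UTF-16LE runs in which every
    printable character is followed by a 0x00 byte.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(data)]
    return sorted(found)


def search_keyword(data, keyword, min_len=4):
    """Case-insensitive keyword search over the extracted strings."""
    needle = keyword.lower()
    return [hit for hit in extract_strings(data, min_len)
            if needle in hit[2].lower()]


def naive_ascii_search(data, keyword):
    """Byte-wise search for the 8-bit form of the keyword only."""
    return keyword.lower().encode("ascii") in data.lower()


def scan_folder(folder, keyword):
    """Return {relative path: number of matching strings} for every file."""
    counts = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:  # evidence copies are only read
                data = fh.read()
            rel = os.path.relpath(full, folder).replace(os.sep, "/")
            counts[rel] = len(search_keyword(data, keyword))
    return counts


# Constructed sample bytes, NOT a parseable workbook: a binary header,
# one 8-bit string, one UTF-16LE string and more binary filler.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    b"\x00\x01\x02" b"Sheet1" b"\x00\xff"
    + "CONFIDENTIAL - Payroll".encode("utf-16-le")
    + b"\x00\x00\x05" b"Employee,Salary" b"\x00\x03" b"abc" b"\x00"
)


def demo():
    """Write the sample under the file name used in the scenario and scan it."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "090806PR-A139.xls"), "wb") as fh:
            fh.write(SAMPLE)
        with open(os.path.join(folder, "readme.txt"), "wb") as fh:
            fh.write(b"constructed file with no keyword\r\n")
        return scan_folder(folder, "confidential")


if __name__ == "__main__":
    print("byte-wise ASCII search hit:", naive_ascii_search(SAMPLE, "confidential"))
    for offset, encoding, text in search_keyword(SAMPLE, "confidential"):
        print("0x%04x %-8s %s" % (offset, encoding, text))
    print(demo())
```

This approach fits the binary .xls format used in the scenario; compressed formats such as .xlsx must be unpacked before their text can be searched this way.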
Ray feels confident that he has located an unauthorized copy of an HR payroll file
on Mike Danseglio’s computer.
Report the Evidence
Ray analyzes and correlates the evidence and then writes a report that summarizes
his findings. A sample report is available in the materials that accompany this
guide, which are referenced in the "Worksheets" section of
Appendix: Resources. In his report, Ray includes recommendations for securing
confidential data from future breaches. Ray also performs data integrity checking
on the evidence files and then stores the files appropriately by burning them and
the final report to a CD.
Ray’s report includes the following information:
- Purpose of Report. The report's purpose is to advise Woodgrove Bank management
about the incident and state how the results of the investigation can be used to
prevent future security breaches.
- Author of Report. Ray identifies himself, provides his title, and states
that he performed technical lead responsibilities.
- Incident Summary. This section lists the initial suspicions and the business
impact of the incident.
- Evidence. This section includes the list of running processes, the personal
directory found on Mike Danseglio's computer, the explicit images that were found,
the list of unacceptable applications that were running, and the location of a confidential
file that contains payroll information.
- Analysis. This section includes the results of the local and remote investigations,
which prove that sexually explicit images were downloaded, permissions were incorrectly
configured, and a confidential file that contains payroll information was accessed.
- Conclusion. This section summarizes the outcome of the investigation and
includes recommendations to avoid similar incidents in the future.
- Supporting documents. This section includes network diagrams and a list of
the computer investigation procedures and technologies used in the investigation.
After submitting his report, Ray waits for the authorization to perform additional
investigatory steps or whatever other actions management might want him to perform.
Note: Every investigation may be different. You
should use tools that are appropriate for the required task and that help you obtain
the information you seek, but it is always a good idea to gather more evidence than
you might need.
Applied Scenario Lab Configuration
To emulate this applied scenario in a test lab environment, you will need to complete
the following steps:
- Deploy computers and create an Active Directory® directory service domain.
- Create users and groups in Active Directory.
- Create folders and files on specific computers.
- Assign sharing and permissions.
- Configure auditing.
Deploy Computers and Create Domain
The following table lists the computers and operating systems you will need:
Table 5.1. Computers and Operating Systems Used in the Applied Scenario Lab
| Computer name | Operating system |
| WNB-HQ-DC | Windows Server® 2003 R2 |
| WNB-HQ-FS1 | Windows Server 2003 R2 |
| HQ-IT-PC10 | Windows XP Professional SP2 |
| HQLOAN164 | Windows XP Professional SP2 |
After you install the operating system on each computer, run Dcpromo on WNB-HQ-DC
to install Active Directory and DNS.
Create Users and Groups
The following table lists the groups and users that need to be defined in the Active
Directory Users and Computers Microsoft Management Console (MMC):
Table 5.2. Groups and Users Referenced in the Applied Scenario Lab
| Groups | Users |
| Enterprise System Administrator | Ray Chow |
| Domain Admins | Ray Chow |
| HR MGRS | Jenny Gottfried, Roland Winkler, Jill Shrader |
| Branch01Mgrs | Mike Danseglio, Nuria Gonzalez |
On the file server WNB-HQ-FS1, the Domain Admins group is added as a member of the
local Administrators group.
Create Folders and Files
The following table lists device names, directory structures, and included files
that you will need:
Table 5.3. Devices, Folders, and Files Used in the Applied Scenario Lab
| Device (computer or USB stick) | Folders | Files |
| WNB-HQ-FS1 (file server) | \HR\Internal\Benefits; \HR\Internal\Payroll; \HR\Internal\Review; \Tools | 090806PR-A139.xls; (This folder contains all SysInternal tools and the FCIV tool as listed in the "Tools" section in Appendix: Resources.) |
| HQLOAN164 (Mike Danseglio's computer) | \Documents and Settings\mdanseglio\My Documents\Personal; \Documents and Settings\mdanseglio\My Documents\Personal\xxxpixset | 090806PR-A139.xls; (This folder contains several .jpg files that include xxx as part of the file name. Several xxx*.* files were deleted from this folder and reside in the Recycle Bin.) |
| HQ-IT-PC10 (Ray Chow's computer) | \Tools | (This folder contains all SysInternal tools and the FCIV tool as listed in the "Tools" section in Appendix: Resources.) |
| USB stick (Ray Chow's USB stick) | \Evidence; \Evidence_Files; \Tools | (This folder contains all SysInternal tools and the FCIV tool as listed in the "Tools" section in Appendix: Resources.) |
Assign Sharing and Permissions
The following table lists the file folders and share permissions that are needed
for file server WNB-HQ-FS1:
Table 5.4. Folders and Share Permissions in the Applied Scenario Lab
| Folder | Share permissions |
| \HR | Branch01Mgrs (Full Control, Change, Read); HR MGRS (Full Control, Change, Read) |
| \Tools | Not shared; only for local use by users who have administrative credentials on the server. |
Configure Auditing
On the domain controller WNB-HQ-DC, the Audit object access policy is configured
to audit both Success and Failure. This configuration is set through the Domain
Security Policy MMC and the Domain Controller Security Policy MMC.
On the file server WNB-HQ-FS1, auditing is configured for the Domain Users group
on the \HR\Internal folder. To achieve this configuration, right-click the folder
and select Properties, Security, Advanced, and then Auditing. Then
enter the Domain Users group.