Chapter 5: Applied Scenario Example
Published: January 11, 2007

This scenario depicts unauthorized access to internal confidential information within a national financial institution, Woodgrove Bank. The scenario is fictional, as are the people and the organizations mentioned in it. The scenario was designed to provide an overview of tools and technologies used for data collection and examination. In a real security breach situation, you should consult with appropriate management, legal, and law enforcement groups for advice about the appropriate investigative techniques to use. Also, although the authors recognize that imaging a suspect drive is important in investigative work, it is beyond the scope of this guide and only briefly mentioned during the data acquisition phase of the scenario.

Scenario

It has been brought to the attention of Ray Chow, the Enterprise Systems Administrator of Woodgrove National Bank, that someone was bragging about knowing the salary of many different bank employees. Ray learned the name of the employee who claimed to know this information: Mike Danseglio. Mike works in the loan department and should not have access to any Human Resources (HR) files. Woodgrove National Bank has a policy that relates to the proper use of bank computers. This policy states that there is no expectation of privacy when using company computers for any purpose, including e-mail services and access to Web sites. The policy also states that no programs will be loaded on any computers without the written permission of the IT Director, and that any attempts to circumvent passwords or obtain unauthorized access to bank files will be grounds for termination or legal prosecution. The policy also allows the IT staff to install any network monitoring devices, including sniffers or other packet capture devices, to maintain network security or to investigate possible abuses.
Ray wants to ensure that he uses accepted computer investigation procedures to investigate this issue and report his findings. Ray believes that the information might have been originally obtained from the HR file server and plans to follow the four-phase computer investigation model shown in the following figure:

Figure 5.1. Computer investigation model overview

Important: See the "Applied Scenario Lab Configuration" section at the end of this chapter for information about how to emulate this scenario and follow along using the tools.

Assess the Situation

Ray meets with management to assess the situation. Management indicates that unauthorized access to and distribution of confidential payroll information would be grounds for termination, but they will not prosecute an employee for such actions. Woodgrove National Bank policy states that management will consult with the internal legal department to check local laws and determine whether any other policies affect investigations about improper employee access to restricted computer systems. The Woodgrove National Bank legal department provides written permission for Ray to examine the contents of Mike Danseglio’s company computer. The legal and management teams ask to be informed of the investigation outcome. They also ask Ray to follow up with steps to protect sensitive data more effectively in the future if he finds that a breach occurred. Ray's first task is to identify the computers that are involved in the investigation and document the hardware configuration for each. After he completes this task, Ray draws a logical diagram of the involved computers, which is shown in the following figure.

Figure 5.2. Logical diagram of computers involved in the investigation

Ray then considers different options for proceeding with the investigation. Because some of the information he needs to acquire is volatile data, Ray decides to begin the internal computer investigation by analyzing live data.
He will then make an image of Mike Danseglio’s drive and examine the static evidence. Ray creates a USB drive that includes the appropriate investigative tools for a live investigation. (The "Tools" section in Appendix: Resources in this guide describes the tools that are referenced in this chapter.) Ray's next task is to duplicate the suspected party's hard disk in a way that protects and preserves the evidence if he locates information that requires him to report the case to law enforcement. Ray notes items of potential interest, documents what is needed to be able to identify and authenticate the collected evidence later in the investigation, and creates an audit log of actions performed during the investigation.

Acquire Evidence of Confidential Data Access

Woodgrove National Bank management authorized Ray to examine the directory structure on the HR file server (WNB-HQ-FS1) and the payroll files to determine whether an unauthorized individual read the files. Ray could go to Mike Danseglio’s computer immediately and look for evidence, or he could begin at the server and try to locate evidence in the audit logs. Ray also wants to know what user rights Mike Danseglio has with regard to the HR folders. Ray decides to use the following two-step approach to acquire the evidence:
Ray interviews HR team members and examines the file server. He notes that payroll files are summarized once each month in spreadsheet files that are kept in the HR\Internal\Payroll folder. The HR MGRS group is the only group that should have read or write permissions to this folder, and Mike Danseglio is not a member of this group. Ray needs to determine whether it is possible for someone else to access the HR Department folder that contains the salary information for bank employees. Ray views the event logs for the HR file server. He previously configured auditing on the HR\Internal folder so that he could track access failures and successes. Ray notes all the steps he takes to open and view the Security event log. Several entries in the event log stand out, such as the one shown in the following screen shot. A few entries indicate that the mdanseglio user account accessed the HR\Internal\Payroll\090806PR-A139.xls file.

Figure 5.3. Security event log entries that indicate user account mdanseglio accessed the 090806PR-A139.xls file in the HR\Internal\Payroll folder

First, Ray creates new \evidence and \tools folders on the USB drive. To ensure the integrity of the evidence files he creates, Ray will compute an MD5 cryptographic hash of any files he copies from Mike’s computer to the evidence folder. An MD5 hash is created by running the MD5 algorithm over a file to produce a unique 128-bit “fingerprint” of the contents of the file. If someone questions the integrity of the data collected by Ray (for example, to imply the file may have been edited at a later time), Ray can provide the original MD5 checksum value for comparison and validation. Ray exports the log set to a USB drive that is labeled HR01. He will use this same USB drive for all his evidence collection.
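The triage Ray does by eye in the Security log (which accounts outside HR MGRS successfully opened files under HR\Internal\Payroll, and who was denied) can be scripted once the log is exported. The following is an added example, not code from the guide: it parses a constructed CSV export whose columns, account names, paths and timestamps are invented for the example (the HR MGRS membership is assumed to be jshrader alone), and summarizes the successful accesses by unauthorized accounts plus the failed attempts, which is the question Ray answers from Figure 5.3.

```python
"""Triage an exported Security log for access to the payroll folder.

Added example, not part of the guide. The CSV below is a constructed stand-in
for an exported Security log; event types are kept generic rather than tied to
a particular Windows version's event IDs.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export (all values invented for the example).
SAMPLE_EXPORT = """\
time,event,outcome,account,object,access
2006-09-08 08:12:04,ObjectAccess,Success,jshrader,C:\\HR\\Internal\\Payroll\\090806PR-A139.xls,ReadData
2006-09-08 09:41:17,ObjectAccess,Success,mdanseglio,C:\\HR\\Internal\\Payroll\\090806PR-A139.xls,ReadData
2006-09-08 09:41:52,ObjectAccess,Success,mdanseglio,C:\\HR\\Internal\\Payroll\\090806PR-A139.xls,ReadData
2006-09-08 10:05:33,ObjectAccess,Failure,tjones,C:\\HR\\Internal\\Payroll\\090806PR-A139.xls,ReadData
2006-09-08 10:30:00,ObjectAccess,Success,mdanseglio,C:\\HR\\Internal\\Reviews\\q3.doc,ReadData
2006-09-08 11:02:45,ObjectAccess,Success,mdanseglio,C:\\Public\\notice.txt,ReadData
"""

# Accounts that legitimately hold HR MGRS membership (assumed for the example).
AUTHORIZED = {"jshrader"}
# Folder under scrutiny; compared case-insensitively because NTFS paths are.
WATCHED_PREFIX = "c:\\hr\\internal\\payroll\\"


def parse_export(text):
    """Turn the CSV export into rows with a parsed timestamp and a normalized path."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["object_norm"] = row["object"].lower()
        rows.append(row)
    return rows


def triage(rows, watched_prefix=WATCHED_PREFIX, authorized=AUTHORIZED):
    """Return {(account, object): summary} for successful accesses to the watched
    folder by accounts that are not authorized to read it."""
    authorized_lc = {a.lower() for a in authorized}
    findings = defaultdict(lambda: {"count": 0, "first": None, "last": None, "accesses": set()})
    for r in rows:
        if r["outcome"] != "Success":
            continue  # denied attempts are reported by denied_attempts()
        if not r["object_norm"].startswith(watched_prefix):
            continue
        if r["account"].lower() in authorized_lc:
            continue
        f = findings[(r["account"].lower(), r["object"])]
        f["count"] += 1
        if f["first"] is None or r["time"] < f["first"]:
            f["first"] = r["time"]
        if f["last"] is None or r["time"] > f["last"]:
            f["last"] = r["time"]
        f["accesses"].add(r["access"])
    return dict(findings)


def denied_attempts(rows, watched_prefix=WATCHED_PREFIX):
    """Failed opens under the watched folder: worth noting even when not the suspect."""
    return [(r["account"], r["object"], r["time"]) for r in rows
            if r["outcome"] == "Failure" and r["object_norm"].startswith(watched_prefix)]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for (account, obj), f in triage(rows).items():
        print(f"{account} opened {obj} {f['count']}x between {f['first']} and {f['last']} "
              f"({', '.join(sorted(f['accesses']))})")
    for account, obj, when in denied_attempts(rows):
        print(f"denied: {account} -> {obj} at {when}")
```

On the constructed input the only finding is mdanseglio reading 090806PR-A139.xls twice; the Reviews and Public accesses are outside the watched prefix and the tjones failure is listed separately. In practice the exported log would be written to the HR01 evidence drive and hashed before any script touches it, as the next step describes.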
Note: Connecting a USB drive to a Windows–based computer adds an entry to the Setupapi.log file and alters the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Storage\RemovableMedia

Ray decides to determine what permissions are assigned to the HR\Internal folder by running the Windows Sysinternals AccessChk tool on the server. This tool shows what permissions the specified user or group has to files, registry keys, or Windows services. Ray runs the tool from his USB drive, which appears as drive F:, by typing the following at a command prompt:

```
f:\tools>accesschk mdanseglio c:\hr\internal
```

Note: The Sysinternals AccessChk tool requires an installation process and will leave a footprint on the local drive in the following registry key:

HKEY_CURRENT_USER\Software\Sysinternals\AccessChk

Ray notes that the mdanseglio user account has read and write permissions to the \Benefits, \Payroll, and \Reviews subfolders under \HR\Internal, as shown in the following screen shot:

Figure 5.4. AccessChk results that indicate user account mdanseglio has read and write permissions to the HR\Internal subfolders

Ray suspects that errors in the configuration of the HR server permissions allowed Mike Danseglio to access the HR\Internal folder. Ray spends a few minutes investigating Mike Danseglio’s user rights and notices that he is a member of a group called branch01mgrs. This group has read and write permissions to the HR\Internal folders. Ray wants to know whether Mike Danseglio is currently logged on to any servers on the network. Ray uses PsLoggedOn, a tool that displays locally logged on users as well as users who are logged on through resources to either the local computer or a remote one. Ray inserts his USB stick into his computer and types the following at the command prompt:

```
f:\tools>psloggedon mdanseglio
```

The results, shown in the following screen shot, indicate that Mike Danseglio is logged on to WNB-HQ-FS1 at this time.

Figure 5.5. PsLoggedOn results indicating that user account mdanseglio is logged on to WNB-HQ-FS1

Ray removes Mike Danseglio from the branch01mgrs group and rechecks his user rights to the HR\Internal folder. After further review of the Security event logs and the results of AccessChk to look for other possible incorrect permission configurations to the HR\Internal folder, Ray begins investigating the contents of Mike Danseglio’s computer using remote investigative techniques.

Remote Evidence Collection

Ray decides to gather information remotely from Mike Danseglio’s computer before he tries to gather information locally, and he comes into the office during a weekend to make a forensically sound copy of Mike’s hard disk. In an actual situation, Ray might perform his entire forensics investigation on a hard disk image of the suspected party's computer. However, this scenario depicts the use of tools and techniques to gather volatile evidence locally and remotely. Ray uses a USB drive connected to his own computer that contains numerous tools. The USB drive will store all evidence that he collects as well as a text file record of all commands he types. Ray uses the following basic procedure, which allows him to mark the time his examination starts, collect the evidence from Mike Danseglio’s computer across the network, record all his investigatory steps, and create an MD5 hash of the evidence he collects.

Important: Some Sysinternals tools, including PsExec, PsFile, and PsLogList, are blocked by the default Windows Firewall configuration. To follow along with this applied example and use these tools to examine what information can be gathered across the network, you need to click the Exceptions tab in Windows Firewall and enable File and Printer Sharing. However, you do NOT need to share anything.
On target computers that have Windows Firewall enabled and File and Printer Sharing disabled (the default setting), the Systeminfo, Ipconfig, Arp, Netstat, Schtasks, PsFile, PsList, and PsLogList tools must be run directly on the target computer. In such a case, run each of these tools directly on the target system and pipe the results to the evidence2.txt file created in the "Local Evidence Collection" section later in this chapter.
Note: Display limitations might cause the preceding command to display on more than one line. It should be entered as a single line at the command prompt.

The FCIV tool computes and verifies cryptographic hash values. This tool is available through Microsoft Knowledge Base article 841290. Ray wants to remotely review the folders on Mike Danseglio’s computer. To do so, he uses PsExec to open a command prompt on Mike's computer. At the command prompt, Ray enters the following commands:

```
psexec \\hqloan164 cmd
cd c:\documents and settings\mdanseglio\my documents
dir /s
```

Although all users are required to keep documents on the network server, Ray notices that Mike Danseglio has a Personal folder on his computer. This folder includes a spreadsheet and a \xxxpixset subfolder. After remotely reviewing the folders on Mike's computer, Ray is ready to report his findings and move to Mike’s computer to investigate locally. Jill Shrader, the HR Department Manager, calls Ray on his cell phone and asks about the status of Ray’s investigation. Ray explains that he has collected the following information:
Local Evidence Collection

Ideally, computer investigations should be conducted on hard disk images. In this example, however, Ray runs a series of tools directly on Mike Danseglio’s computer. These tools are run from a USB drive and do not require installation on the local computer. However, as mentioned earlier in this chapter, the insertion of the USB drive will leave a footprint in the registry.

Important: If Mike Danseglio’s computer had Windows Firewall enabled with File and Printer Sharing disabled, Ray would run the Systeminfo, Ipconfig, Arp, Netstat, Schtasks, PsFile, PsList, and PsLogList tools locally on Mike’s computer. Ray would enter the commands listed in the "Remote Evidence Collection" section earlier in this chapter but remove the reference to \\hqloan164 before piping the results to the evidence2.txt file he creates in this section.

Ray plans to perform the following tasks on Mike’s computer:
Ray logs on to Mike’s computer using the Administrator account to access Mike’s personal folder. Ray uses the following basic procedure after he connects the evidence collection USB drive to Mike’s computer:
Analyze Collected Evidence

Ray has two evidence files: mdevidence.txt and mdevidence2.txt. He also has a copy of Mike Danseglio’s Personal folder. Ray uses the following procedure on his own computer to analyze the information contained in these files.
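Before any analysis, Ray needs to be able to show that the evidence files are unchanged since collection, which is the purpose of the hashes taken in the "Acquire Evidence" step and of the integrity check in the "Report the Evidence" step. The following added example (not code from the guide, and not FCIV) shows that discipline end to end: it hashes constructed stand-ins for mdevidence.txt and mdevidence2.txt with MD5 (the digest the scenario uses) and SHA-256 (added here as a stronger companion, since MD5 collisions are practical), writes a manifest plus an audit-log line, and re-verifies the folder after one file has been altered. The examiner name rchow, the file contents, and the manifest layout are assumptions.

```python
"""Hash manifest for an evidence folder, with later verification.

Added example, not part of the guide. MD5 is kept because it is the digest the
scenario records; SHA-256 is added alongside it so the manifest does not rest on
MD5 alone.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

DIGESTS = ("md5", "sha256")


def file_digests(path, chunk=65536):
    """Hash a file once, feeding every chunk to all configured digests."""
    hashes = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def write_manifest(evidence_dir, manifest_path, audit_log, examiner):
    """Record name, size, MD5 and SHA-256 for each file; append an audit-log line."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        full = os.path.join(evidence_dir, name)
        if os.path.isfile(full):
            d = file_digests(full)
            entries.append((name, os.path.getsize(full), d["md5"], d["sha256"]))
    with open(manifest_path, "w", encoding="utf-8") as out:
        out.write("# name\tsize\tmd5\tsha256\n")
        for e in entries:
            out.write("%s\t%d\t%s\t%s\n" % e)
    stamp = datetime.now(timezone.utc).isoformat()
    with open(audit_log, "a", encoding="utf-8") as log:
        log.write("%s\t%s\thashed %d file(s) into %s\n"
                  % (stamp, examiner, len(entries), os.path.basename(manifest_path)))
    return entries


def verify_manifest(evidence_dir, manifest_path):
    """Return [(name, status)] with status ok, modified or missing."""
    results = []
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            if line.startswith("#") or not line.strip():
                continue
            name, size, md5, sha256 = line.rstrip("\n").split("\t")
            full = os.path.join(evidence_dir, name)
            if not os.path.isfile(full):
                results.append((name, "missing"))
                continue
            d = file_digests(full)
            ok = (d["md5"] == md5 and d["sha256"] == sha256
                  and os.path.getsize(full) == int(size))
            results.append((name, "ok" if ok else "modified"))
    return results


def demo():
    """Constructed run: two evidence files, one of them edited after hashing."""
    work = tempfile.mkdtemp(prefix="hr01_")
    evidence = os.path.join(work, "evidence")
    os.mkdir(evidence)
    with open(os.path.join(evidence, "mdevidence.txt"), "w") as f:
        f.write("psloggedon: mdanseglio logged on to WNB-HQ-FS1 (constructed)\n")
    with open(os.path.join(evidence, "mdevidence2.txt"), "w") as f:
        f.write("dir /s output (constructed)\n")
    manifest = os.path.join(work, "manifest.txt")
    audit = os.path.join(work, "audit.log")
    write_manifest(evidence, manifest, audit, "rchow")  # examiner name assumed
    before = verify_manifest(evidence, manifest)
    with open(os.path.join(evidence, "mdevidence2.txt"), "a") as f:
        f.write("edited later\n")  # simulates tampering after collection
    after = verify_manifest(evidence, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", before)
    print("after edit:   ", after)
```

The manifest and audit log are written outside the evidence folder so that they are not themselves counted as evidence, and the manifest should be copied to the final report medium (the CD in the scenario) together with the files it describes.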
Report the Evidence

Ray analyzes and correlates the evidence and then writes a report that summarizes his findings. A sample report is available in the materials that accompany this guide, which are referenced in the "Worksheets" section of Appendix: Resources. In his report, Ray includes recommendations for securing confidential data from future breaches. Ray also performs data integrity checking on the evidence files and then stores the files appropriately by burning them and the final report to a CD. Ray’s report includes the following information:
After submitting his report, Ray waits for the authorization to perform additional investigatory steps or whatever other actions management might want him to perform.

Note: Every investigation may be different. You should use tools that are appropriate for the required task and that help you obtain the information you seek, but it is always a good idea to gather more evidence than you might need.

Applied Scenario Lab Configuration

To emulate this applied scenario in a test lab environment, you will need to complete the following steps:
Deploy Computers and Create Domain

The following table lists the computers and operating systems you will need:

Table 5.1. Computers and Operating Systems Used in the Applied Scenario Lab
After you install the operating system on each computer, run Dcpromo on WNB-HQ-DC to install Active Directory and DNS.

Create Users and Groups

The following table lists the groups and users that need to be defined in the Active Directory Users and Computers Microsoft Management Console (MMC):

Table 5.2. Groups and Users Referenced in the Applied Scenario Lab
On the file server WNB-HQ-FS1, the Domain Admins group is added as a member of the local Administrators group.

Create Folders and Files

The following table lists device names, directory structures, and included files that you will need:

Table 5.3. Devices, Folders, and Files Used in the Applied Scenario Lab
Assign Sharing and Permissions

The following table lists the file folders and share permissions that are needed for file server WNB-HQ-FS1:

Table 5.4. Folders and Share Permissions in the Applied Scenario Lab
Configure Auditing

On the domain controller WNB-HQ-DC, the Audit object access policy is configured to audit both Success and Failure. This configuration is set through the Domain Security Policy MMC and the Domain Controller Security Policy MMC. On the file server WNB-HQ-FS1, auditing is configured for the Domain Users group on the \HR\Internal folder. To achieve this configuration, right-click the folder and select Properties, Security, Advanced, and then Auditing. Then enter the Domain Users group.
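To check that a lab actually reproduces the misconfiguration the scenario turns on (mdanseglio obtaining read and write access to HR\Internal through membership in branch01mgrs rather than HR MGRS), the folder ACLs and group memberships can be modelled and evaluated the way AccessChk resolves them: expand the user's nested group memberships, find the nearest folder with an explicit ACL, and apply deny entries over allow entries. This is an added example, not part of the guide or of the Sysinternals tools; because Table 5.4 is not reproduced on this page, the ACL entries, the list-only entry for Domain Users, the inherited subfolders, and the rchow account are assumptions modelled on the scenario.

```python
"""Effective-rights check for the lab's HR\\Internal folders.

Added example, not part of the guide. Group memberships and ACL entries below
are constructed to match the scenario's description, not copied from Table 5.4.
"""
from collections import deque

# group -> direct members (users or groups). Constructed for the example.
GROUPS = {
    "Domain Users": {"mdanseglio", "jshrader", "rchow"},
    "HR MGRS": {"jshrader"},
    "branch01mgrs": {"mdanseglio"},
}

# folder -> list of (kind, trustee, rights) or "inherit". Constructed so that the
# branch01mgrs entry is the erroneous one Ray finds in the scenario.
ACLS = {
    r"\HR\Internal": [
        ("allow", "HR MGRS", {"read", "write"}),
        ("allow", "branch01mgrs", {"read", "write"}),  # misconfiguration
        ("allow", "Domain Users", {"list"}),  # assumed: list folder contents only
    ],
    r"\HR\Internal\Payroll": "inherit",
    r"\HR\Internal\Benefits": "inherit",
    r"\HR\Internal\Reviews": "inherit",
}


def expand_principal(user, groups):
    """The user plus every group reached through (possibly nested) membership."""
    seen = {user}
    queue = deque([user])
    while queue:
        p = queue.popleft()
        for g, members in groups.items():
            if p in members and g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def effective_acl(folder, acls):
    """Walk up the path until a folder with an explicit ACL is found."""
    while folder:
        entries = acls.get(folder)
        if isinstance(entries, list):
            return folder, entries
        folder = folder.rsplit("\\", 1)[0]
    return None, []


def effective_rights(user, folder, groups=GROUPS, acls=ACLS):
    """Return (rights, granting_entries); deny entries override allow entries."""
    principals = expand_principal(user, groups)
    source, entries = effective_acl(folder, acls)
    allowed, denied, why = set(), set(), []
    for kind, trustee, rights in entries:
        if trustee not in principals:
            continue
        (allowed if kind == "allow" else denied).update(rights)
        why.append((kind, trustee, source))
    return allowed - denied, why


def remove_from_group(user, group, groups):
    """Return a copy of the membership map with the user removed (Ray's fix)."""
    fixed = {g: set(m) for g, m in groups.items()}
    fixed[group].discard(user)
    return fixed


if __name__ == "__main__":
    target = r"\HR\Internal\Payroll"
    rights, why = effective_rights("mdanseglio", target)
    print("before fix:", sorted(rights), "via", why)
    fixed = remove_from_group("mdanseglio", "branch01mgrs", GROUPS)
    rights, why = effective_rights("mdanseglio", target, groups=fixed)
    print("after fix: ", sorted(rights), "via", why)
```

The `why` list is the part worth keeping in the investigation notes: it names the group and the folder whose ACL granted the access, which is what distinguishes a permissions mistake (the scenario's finding) from a user who defeated a control. Re-running the check after the group change confirms that only the Domain Users list entry remains.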