Forensic software questions?

(@mfino)
Posts: 14
Active Member
Topic starter
 

I am trying to help a company in a case. I am an experienced IT Tech. I have been asked to scan a computer of an ex-employee to see if she transferred any data to an external drive, printed any data, or sent data to her personal email using her personal webmail.

Currently I am making an image of the drive and will scan for the deleted data before restore. I am using Kali Linux; the first program I will use is Foremost.

Any help will be greatly appreciated THANK YOU!!

 
Posted : 17/08/2017 7:59 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

Preliminary questions
1) What do you mean before restore? Do not modify the original, ever.
2) What outcome is the company hoping for?
3) Are you going to go to court as an expert witness?
4) Do you think that's a good idea?
5) What does the chain of custody look like?
6) Are you documenting everything you do?

I recommend you hand it off to someone who has experience. That's a self-interested statement and a little snotty, but you need to think long and hard about jumping into this. If the company sues this lady over your findings, you need to be right and you need to be prepared to defend your findings against an experienced attorney with a forensic expert on his side. If you're not willing to do that, document everything you've done so far and bow out.

If you're determined, start with Autopsy. You can use it to search for whatever files or keywords might exist on the system and carve for deleted files. It can also parse browser artifacts but, if you want to recover web mail, Magnet's Axiom/IEF products are probably your best bet (or Belkasoft). For USB transfers, you're going to want to find .lnk files that point to external drives + some other indicator that the file in question is company data. For printing, you will want to recover print spool files (.spl or .shd).

-tracedf

 
Posted : 17/08/2017 11:01 am
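tracedf's advice above is to look for .lnk files pointing at external drives. As an added example (not code from this thread, from Autopsy or from any other tool named here), the script below reads the LinkInfo block of a Windows shortcut following the MS-SHLLINK layout and reports the drive type, volume serial and local path of the target; the `build_lnk` helper and the sample path, serial and timestamp it uses are constructed for the demonstration.

```python
"""Read the LinkInfo block of a Windows .lnk (MS-SHLLINK) to see which volume the
target lived on. Added example; build_lnk() constructs a minimal sample file."""
import struct
from datetime import datetime, timedelta, timezone

HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2          # ShellLinkHeader.LinkFlags bits
DRIVE_TYPES = {1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED", 4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

def filetime(ft: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(buf: bytes) -> dict:
    header_size, flags = struct.unpack_from("<I", buf, 0)[0], struct.unpack_from("<I", buf, 20)[0]
    if header_size != 0x4C or buf[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    _ctime, _atime, wtime, size = struct.unpack_from("<QQQI", buf, 28)   # target's own times/size
    pos = 76                                    # end of the fixed-size header
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList if present
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    info = {"target_size": size, "target_written": filetime(wtime),
            "drive_type": None, "serial": None, "local_path": None}
    if flags & HAS_LINK_INFO:
        _, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", buf, pos)
        if li_flags & 1:                        # VolumeIDAndLocalBasePath
            dtype, serial = struct.unpack_from("<II", buf, pos + vol_off + 4)
            end = buf.index(b"\x00", pos + base_off)
            info.update(drive_type=DRIVE_TYPES.get(dtype, f"UNKNOWN({dtype})"),
                        serial=f"{serial:08X}",
                        local_path=buf[pos + base_off:end].decode("cp1252"))
    return info

def build_lnk(local_path: str, drive_type: int, serial: int, wtime: int, size: int) -> bytes:
    """Constructed minimal .lnk: header + LinkInfo with a VolumeID and LocalBasePath."""
    path_b = local_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 17, drive_type, serial, 16) + b"\x00"   # empty label
    li_size = 28 + len(volume_id) + len(path_b) + 1
    link_info = struct.pack("<IIIIIII", li_size, 28, 1, 28, 28 + len(volume_id), 0,
                            28 + len(volume_id) + len(path_b)) + volume_id + path_b + b"\x00"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, HAS_LINK_INFO, 0x20,
                         wtime, wtime, wtime, size, 0, 1, 0, 0, 0, 0)
    return header + link_info

def demo() -> dict:
    """Constructed sample: a shortcut to a spreadsheet on a removable volume."""
    return parse_lnk(build_lnk(r"E:\Clients\contracts.xlsx", 2, 0x1234ABCD, 116444736000000000, 48_213))

if __name__ == "__main__":
    print(demo())
```

On a real image the same parser is run over the .lnk files under each user's Recent folder; a REMOVABLE drive type plus the volume serial is what ties the shortcut to a specific USB device.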
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Use log2timeline and Timeline Explorer for understanding it

if she transferred any data to an external drive, printed any data, or sent data to their personal email using their personal webmail

tracedf: Good advice!

 
Posted : 17/08/2017 11:02 am
(@mfino)
Posts: 14
Active Member
Topic starter
 

Preliminary questions
1) What do you mean before restore? Do not modify the original, ever.
2) What outcome is the company hoping for?
3) Are you going to go to court as an expert witness?
4) Do you think that's a good idea?
5) What does the chain of custody look like?
6) Are you documenting everything you do?

I recommend you hand it off to someone who has experience. That's a self-interested statement and a little snotty, but you need to think long and hard about jumping into this. If the company sues this lady over your findings, you need to be right and you need to be prepared to defend your findings against an experienced attorney with a forensic expert on his side. If you're not willing to do that, document everything you've done so far and bow out.

If you're determined, start with Autopsy. You can use it to search for whatever files or keywords might exist on the system and carve for deleted files. It can also parse browser artifacts but, if you want to recover web mail, Magnet's Axiom/IEF products are probably your best bet (or Belkasoft). For USB transfers, you're going to want to find .lnk files that point to external drives + some other indicator that the file in question is company data. For printing, you will want to recover print spool files (.spl or .shd).

-tracedf

1) I meant to say before the ex employee restored the drive. I know not to modify the original, that is why I made a digital image.
2) From my understanding the company is just trying to win their clients back. I think they are also looking to see if they can determine what caused the ex employee to take these actions.
3) I am able to go in as an expert witness if necessary.
4) I wouldn't be trying this if I didn't feel it was a good idea.
5) I have the chain of custody written and logged.
6) Everything. I have been in an IT career for a long time now; I would rather document more information to CMA than not enough if I do get questioned by the company or someone else of importance.

I appreciate your snotty comment, but that's only because it's an assumption. You do not know me or know what I know or the experience I have.

Yes, I am determined. Autopsy will be used. Unfortunately, unless the company is willing to pay for tools for me to use, I need to find and use open source tools. Thank you for any and all of your advice in advance.

 
Posted : 17/08/2017 4:10 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

I appreciate your snotty comment, but that's only because it's an assumption. You do not know me or know what I know or the experience I have.

Lol welcome to the Forensicfocus forums - the heavy hitters haven't even weighed in yet.

Unless some specific DLP software is installed, there are no definitive windows artifacts that will show what, if anything, was transferred to USB removable media. People are going to come in here and suggest shellbags, jumplists etc, but without a specific mechanism in place to record which files, files sizes, names etc are being transferred, you can at best surmise that such a copy took place.

For printing - you'll need to get to print server logs. There is a local event log, Win7+ called PrintService (Admin and Operational) but unless a local/group policy has flipped that bit to track the data…

For email, your best bets are the email server logs, OST/PST/local email datastores, network traffic from your environment, etc. If she took the laptop home and emailed from there, then you're looking at decoding browsing history, and that's almost 100% HTTPS for email services nowadays.

 
Posted : 17/08/2017 6:34 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

1) I meant to say before the ex employee restored the drive. I know not to modify the original, that is why I made a digital image.

Not to nitpick, but just to be sure, even if you don't have write-blocking tools at hand, I recommend you validate the image you took as well through some hashing format and keep that with your documentation. Any analysis should be done on a validated copy of the image so that your original copy is preserved.

Also recommended: verify and document OS information, system information, time zone details, list of logged-in users or accounts, last login activity, NTUSER.dat and other registry details, etc. Even if you're looking at USB data, you want to tie it to a story or timeline of events that support your findings.

Hash any file or item you export as well. You need to verify it is unchanged from its original in the image.

Finally, here's a reference guide that may assist your analysis.
https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download

Best of luck.

 
Posted : 17/08/2017 7:18 pm
(@mfino)
Posts: 14
Active Member
Topic starter
 

So I am able to recover documents etc. Is there any quick way to go through all of this data? When I recover the deleted files they do not recover with their saved file name or date of creation. Is there a way to retrieve that information or simply go through the data for faster investigation?

 
Posted : 28/08/2017 2:22 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

When I recover the deleted files they do not recover with their saved file name or date of creation. Is there a way to retrieve that information or simply go through the data for faster investigation?

What tool did you use to recover these files? Were they recovered from non-overwritten MFT entries or carved from unallocated space? If they were carved, then the original names and time stamps are gone.

The methods depend on the tool, but you should have search capabilities in the tool you're using and the ability to bookmark interesting items for later analysis or reporting.

You said that your client just wants to win their customer back but this really sounds like something that could end up in court. For this case, you ultimately want to be able to conclude and testify about the defendant's activity including whether she accessed certain files, whether she transferred them off the computer, and how she transferred them (e.g. USB, email). If and when you make these conclusions, you need to be sure and you may need to testify in court, under oath. You'll have to go through voir dire (questioning) to verify your credentials/experience as an expert in computer forensics and then undergo cross-examination where an attorney (possibly with help from his own expert) will question potentially every step you took and conclusion you made. Are you sure you want to do that? Do you think it's what is best for your client?

 
Posted : 28/08/2017 3:32 pm
(@mfino)
Posts: 14
Active Member
Topic starter
 

I am 99.9% sure this case will not go to court. Let's not worry about where this case goes and how it gets there. Though I do appreciate you looking out for my client's best interest as well as my own. Can we concentrate on helping me learn more while I have the opportunity? As I think I have mentioned before, I am not sure if this computer has been restored, or if the data was just deleted before the ex-employee handed it in.

I used Foremost in Kali to recover whatever files I could from a .dd image I made using dcfldd.

I really appreciate the good input and help in advance.

Thank you

 
Posted : 28/08/2017 3:49 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

I haven't used Foremost, but it looks like a carving tool (searches for files in unallocated space by looking for known headers/footers). That means you won't get the original filenames and other metadata. You may be able to compare the contents to other live documents (e.g. on a file share accessible to the user) to figure out what the original filenames were and then look at artifacts such as .lnk files and recent file lists to show where these were copied to.

 
Posted : 28/08/2017 4:04 pm
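tracedf describes carving as matching known headers and footers in unallocated space. As an added example that is not from this thread and not Foremost's own code, the script below carves a constructed byte buffer the same way; the only identity a carved object ends up with is its offset and detected type, which is why the recovered files have no original name or creation date. The sample buffer, signatures and size limits are constructed for the demonstration.

```python
"""Header/footer carving, the technique Foremost applies to unallocated space.
Added example on a constructed buffer; not Foremost's own code."""

# type -> (header, footer, maximum distance to scan for the footer); constructed table
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
}

def carve(data: bytes) -> list:
    """Return carved objects as dicts. The only identity a carved file has is
    its byte offset and detected type: the MFT record that held the real name
    and timestamps is not part of the content being scanned."""
    found = []
    for ftype, (header, footer, max_size) in SIGNATURES.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            foot = data.find(footer, start + len(header), min(len(data), start + max_size))
            if foot == -1:                 # header with no footer: overwritten or truncated
                pos = start + 1
                continue
            end = foot + len(footer)
            found.append({"type": ftype, "offset": start, "length": end - start,
                          "name": f"{start:08d}.{ftype}",   # synthetic name, like a carver's output
                          "data": data[start:end]})
            pos = end
    return sorted(found, key=lambda r: r["offset"])

def build_sample_image() -> bytes:
    """Constructed stand-in for a slice of unallocated space: zero filler, a
    tiny JPEG, a tiny PDF, and a JPEG header whose body was overwritten."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" * 3 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer\n%%EOF"
    filler = b"\x00" * 64
    return filler + jpeg + filler + pdf + filler + b"\xff\xd8\xff\xe1" + filler

if __name__ == "__main__":
    for rec in carve(build_sample_image()):
        print(rec["name"], rec["type"], rec["offset"], rec["length"])
```

Matching carved content back to a name is done the way tracedf suggests: hash or compare the carved bytes against live copies on a file share, then look for .lnk and recent-file artifacts that reference that name.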