Hmm - where did I save those files?
A client recently called me with some bad news. "Our CFO's laptop was just stolen!" he told me - "What should we do?". My immediate response (and out loud, I'm afraid) was "Fire up the DeLorean, go back in time and encrypt the drive". Needless to say, he wasn't keen on my response, even though I offered up a spare flux capacitor - maybe his DeLorean was in the shop.
His response actually surprised me: "We're actually in the middle of a WDE (Whole Disk Encryption) project. The CFO's laptop was scheduled for next week (delayed at his request)". But no matter how good that project is, it wasn't helping us today.
This client is under both NERC and PCI regulation, so I asked the obvious "did he have any financial data on his machine? Do you need to disclose the theft as a breach?". The response was an immediate "he says not". Since the answer wasn't a definite "no", I asked the obvious - "Do you believe him?" The answering pause really said it all.
The challenge we then had was to prove to the CFO, one way or the other, that sensitive data did or did not exist on the laptop. Having just taken SANS FOR408, I know for a fact that even if he never deliberately saved anything to the laptop, traces of the files he worked with - names, fragments, or whole copies - are strewn across the file system, the registry and a kazillion other locations on the machine.
So the scenario and a fun forensics question to end your week is:
A Windows 7 laptop, fully patched with Office 2010 installed
The corporate browser is IE10, but Firefox is also installed
Using our comment form, share where you would look for sensitive files, fragments of files or indicators of the presence of files.
Passwords, links and other sensitive information are all in play.
Be sure to include the tool or method you would use to find any evidence - duplicate "findings" are perfectly fine, as long as the tool or method is different.
Let's assume that the user didn't download anything to the "downloads" directory, and didn't have "I don't know where I saved that file" files strewn across his local profile and drive (even though that's extremely likely)
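As an added example (not part of the original diary or of the client engagement), here is a short Python script that pulls "which documents were opened on this machine" evidence out of two of the artifact stores the scenario points at: the Office 2010 File MRU registry values, and Firefox's places.sqlite history. The user name, file and server names, URLs and timestamps in the sample data are constructed for illustration; the registry value format and the Firefox column semantics are the real ones.

```python
"""Added example: pull 'which documents were opened here' evidence from two
artifact stores on a Windows 7 / Office 2010 / Firefox machine:
  1. the Office 2010 File MRU registry values (one key per application), and
  2. Firefox's places.sqlite history.
All sample input below is constructed for illustration; it is not data from
the diary's actual case.  Python 3.7+, standard library only."""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# --- 1. Office 2010 File MRU -------------------------------------------------
# Office 2010 (version 14.0) records recently used documents under
#   HKCU\Software\Microsoft\Office\14.0\<App>\File MRU
# as  "Item N"="[F00000000][T<FILETIME hex>][O00000000]*<full path>"
# The T field is a 64-bit Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
MRU_VALUE_RE = re.compile(
    r'^"Item (\d+)"="\[F[0-9A-F]{8}\]\[T([0-9A-F]{16})\]\[O[0-9A-F]{8}\]\*(.+)"$')
MRU_KEY_RE = re.compile(r'\\Office\\14\.0\\([^\\]+)\\File MRU\]$')

# Constructed sample of what `reg export` produces for two MRU keys
# (hypothetical user 'cfo'). .reg files double every backslash in string values.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU]
"Max Display"=dword:00000019
"Item 1"="[F00000000][T01CE7D79F5486400][O00000000]*C:\\Users\\cfo\\Documents\\Q2_financials.xlsx"
"Item 2"="[F00000000][T01CE7D79F5486400][O00000000]*\\\\fileserver\\finance\\payroll_2013.xlsx"

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU]
"Max Display"=dword:00000019
"Item 1"="[F00000000][T01CE7D79F5486400][O00000000]*C:\\Users\\cfo\\Desktop\\board_minutes.docx"
'''


def filetime_to_datetime(ft_hex: str) -> datetime:
    """Convert a hex FILETIME string to a timezone-aware UTC datetime."""
    ticks = int(ft_hex, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_office_mru(reg_text: str):
    """Return [(app, item_no, last_opened_utc, path)] from a .reg export."""
    app, results = None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = MRU_KEY_RE.search(line)
            app = m.group(1) if m else None      # ignore keys that are not an MRU
            continue
        m = MRU_VALUE_RE.match(line) if app else None
        if m:
            item, ft_hex, path = m.groups()
            results.append((app, int(item), filetime_to_datetime(ft_hex),
                            path.replace('\\\\', '\\')))   # undo .reg escaping
    return results


# --- 2. Firefox history -----------------------------------------------------
# Firefox keeps history in <profile>\places.sqlite; moz_places.last_visit_date
# is PRTime: microseconds since the Unix epoch.  The schema below is a cut-down
# constructed copy with only the columns this script reads.
DOC_EXT = ('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf', '.csv')


def build_sample_places_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a places.sqlite copied off the box."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, '
                 'title TEXT, last_visit_date INTEGER)')
    conn.executemany(
        'INSERT INTO moz_places (url, title, last_visit_date) VALUES (?, ?, ?)',
        [('https://www.sans.org/', 'SANS', 1373466600 * 1_000_000),
         ('file:///C:/Users/cfo/Downloads/merchant_statement_june.pdf', None,
          1373470200 * 1_000_000),
         ('https://intranet.example.com/finance/ar_aging.xlsx?rev=3', 'AR aging',
          1373473800 * 1_000_000),
         ('https://webmail.example.com/', 'Mail', 1373477400 * 1_000_000)])
    return conn


def firefox_document_hits(conn: sqlite3.Connection):
    """Return [(url, last_visit_utc)] for local files and document-like URLs."""
    hits = []
    for url, ts in conn.execute('SELECT url, last_visit_date FROM moz_places '
                                'WHERE last_visit_date IS NOT NULL '
                                'ORDER BY last_visit_date'):
        path = url.split('?', 1)[0].lower()          # drop any query string
        if url.startswith('file:///') or path.endswith(DOC_EXT):
            hits.append((url, datetime.fromtimestamp(ts / 1_000_000, tz=timezone.utc)))
    return hits


if __name__ == '__main__':
    for app, n, when, path in parse_office_mru(SAMPLE_REG):
        print(f'Office {app} MRU item {n}: {when:%Y-%m-%d %H:%M} UTC  {path}')
    for url, when in firefox_document_hits(build_sample_places_db()):
        print(f'Firefox history: {when:%Y-%m-%d %H:%M} UTC  {url}')
```

On a real box, `reg export "HKCU\Software\Microsoft\Office\14.0\Excel\File MRU" excel_mru.reg` writes a UTF-16 file, so open it with encoding='utf-16' before handing it to parse_office_mru; for an offline NTUSER.DAT from an image you need a hive parser instead of reg export. Copy places.sqlite out of the profile before querying it (Firefox holds it locked while running). Keep in mind what this does and does not prove: the MRU and history only record what was opened, not what still exists, so deleted copies, Jump Lists, LNK files and carving with scalpel/foremost are separate checks.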
I'll update this story in a week or so with how the story played out, and how we made the point to the CFO.
Happy forensicating everyone!
===============
Rob VandenBrink
Metafore
Comments
Lisa G.
Jul 12th 2013
Firefox and OS/IE may contain user Certificates - all of these should be revoked and reissued.
A proper Document Management / DLP system would be able to track exactly what was checked out to his laptop. Outside of the DM offline storage, no documents/files should be allowed to be created or stored by the user.
Jason R
Jul 12th 2013
John K.
Jul 13th 2013
Dan B.
Jul 13th 2013
Lenny
Jul 13th 2013
jono
Jul 13th 2013
Of course, this "trick" also works if the user has deleted the file, and then had a "oh-no-second" moment of regret, and calls the IT Help Desk to see if they can restore the file.
Melvin
Jul 13th 2013
Next: scalpel/foremost to see what was there, browser caches, registry scan for USB media used and finding that media to see contents.
BTW, does anybody remember the scripts someone created to inspect shadow copies in a more efficient way? I remember it was discussed about 2 years ago on some podcast...
Tomasz
Jul 15th 2013
Nicolas
Jul 15th 2013
Wouldn't you be limited to the server end of things here? For example web server access/error logs, data server logs, web filter logs, etc? If he was utilizing Firefox's sync feature you might be able to see his history/favorites etc that way; and retrace his steps and show how just accessing these files through a web browser leaves data behind. Does the client use roaming profiles? If so, logging into another machine with his profile then logging off and scrape for any juicy data might be another avenue to pursue. Was his machine or machine data backed up to any kind of remote storage?
nunya
Jul 15th 2013