Ask the computer forensics (and general computer security) guy

So are EnCase and FTK still the big forensics software packages these days, or has something else supplanted them?

(I used to work for the computer forensics group of a nationally prominent mid-sized consulting firm, and while I concentrated more on forensic data mining and email e-discovery (reproducing Exchange servers, and running a zillion PST files through various packages), we had a couple of guys who were fully certified in both, which I gather is a fairly rare thing. We were an EnCase shop primarily, although we did have an FTK license that our guys used on occasion because FTK was better at some things.)

If you use a good wiping utility like DBAN or something similar (which I mentioned in another reply), and you overwrite the whole disk, then the data is gone and it’s not coming back. A simple format or fdisk operation won’t do the trick. If you just re-format a disk by booting to a Windows disk and doing a “format c:” or whatever, then the data is easily recoverable. But if you truly wipe the disk with a good wiping tool, it’s gone for good.

A while back, this guy whose name I can’t be bothered to look up right now hypothesized that you could use some esoteric techniques including electron microscopes to recover remnants of the previous contents of the drive after a wipe. But no one has ever demonstrated a method to do so. Wiped is wiped.

Yeah, that’s a big problem. When it comes to things on our LAN, I have the run of the place. But when the bad stuff happens on systems controlled by a partner/vendor/etc., we’re at their mercy. If we use an application provided by CloudCo, hosted on CloudCo servers in Bangalore, and something goes wrong, I can’t dig into their stuff. So if CloudCo is not doing a good investigation or not providing us the information we want, we can scream, threaten to take our business elsewhere, sue, but that’s about it. One good thing about working for a giant company is that when we threaten to take our business away, it usually gets their attention.

I can’t answer for your employer, of course. But if you worked at my company, I could tell how often you went to the SDMB. I could tally up every page visit. Minutes or hours would be a little harder. I could see clumps of page hits and infer you were actively surfing the SDMB during that time. But if you stopped on a single page for 10 minutes, it would be hard for me to know if you had stopped surfing or if you were reading a long page of text. But since people typically hop from page to page quickly, it’s usually pretty easy to determine the start and stop times of a single session of browsing.

As far as thread titles… the web proxy we use does not show the page title when I look at people’s browsing history (although some proxies do, I believe). In our system, I would see the URL, which on the SDMB just contains a thread ID. But all I’d have to do is go browse to that URL to learn of your interest in hot toddler sex.

Personally, I don’t care if people are screwing off at work. I care about people stealing from us. If someone is goofing off online all day, their manager needs to give them more work, not ask me to use investigative resources to see how much they’re goofing off.
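As an added illustration of the session inference the poster describes (example code, not from the poster or any proxy product): a Python script that takes constructed proxy log lines, keeps only the hits to the site under review, splits each user's hits into sessions wherever the gap between page hits exceeds an assumed 10-minute idle threshold, and tallies hits and thread IDs per session. The log format, hostname, usernames, thread IDs and the `t=` query parameter are all assumptions; the log is assumed to be in time order.

```python
"""Infer browsing sessions from web-proxy log lines (added example).

Assumed log line format: "<ISO-8601 timestamp> <username> <url>", sorted by time.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample proxy log; hostnames, users and thread IDs are made up.
SAMPLE_LOG = """\
2014-06-20T09:02:11 jdoe http://forum.example.com/showthread.php?t=728101
2014-06-20T09:02:45 jdoe http://forum.example.com/showthread.php?t=728233
2014-06-20T09:05:10 jdoe http://forum.example.com/forumdisplay.php?f=7
2014-06-20T09:31:00 jdoe http://forum.example.com/showthread.php?t=728101
2014-06-20T09:32:30 jdoe http://forum.example.com/showthread.php?t=728500
2014-06-20T10:15:00 jdoe http://intranet.example.internal/timesheet
2014-06-20T11:00:00 asmith http://forum.example.com/showthread.php?t=728101
"""

FORUM_HOST = "forum.example.com"          # assumed: the site under review
IDLE_GAP = timedelta(minutes=10)          # assumed: a longer silence ends a session


def parse_line(line):
    """Split one log line into (timestamp, user, url)."""
    ts, user, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, url


def thread_id(url):
    """Return the thread ID carried in the 't' query parameter, or None."""
    return parse_qs(urlparse(url).query).get("t", [None])[0]


def sessionize(log_text, host=FORUM_HOST, idle_gap=IDLE_GAP):
    """Group each user's hits to `host` into sessions separated by idle gaps.

    Returns {user: [{"start", "end", "hits", "threads"}, ...]} in time order.
    """
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url = parse_line(line)
        if urlparse(url).hostname != host:
            continue                      # only the site under review counts
        user_sessions = sessions.setdefault(user, [])
        if user_sessions and ts - user_sessions[-1]["end"] <= idle_gap:
            current = user_sessions[-1]   # still within the same clump of hits
            current["end"] = ts
            current["hits"] += 1
        else:
            current = {"start": ts, "end": ts, "hits": 1, "threads": set()}
            user_sessions.append(current)
        tid = thread_id(url)
        if tid:
            current["threads"].add(tid)
    return sessions


def session_report(sessions):
    """Flatten sessions into (user, start, end, minutes, hits, threads) rows."""
    rows = []
    for user, user_sessions in sessions.items():
        for s in user_sessions:
            minutes = (s["end"] - s["start"]).total_seconds() / 60
            rows.append((user, s["start"].isoformat(), s["end"].isoformat(),
                         round(minutes, 1), s["hits"], sorted(s["threads"])))
    return rows


if __name__ == "__main__":
    for row in session_report(sessionize(SAMPLE_LOG)):
        print(row)
```

The idle threshold is the judgement call the post talks about: a single hit followed by silence is counted as a one-hit session of zero minutes, because the log cannot tell a long read from a walk away from the desk.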

Those are still the Coke and Pepsi of forensic packages. There are a lot of other tools out there, but EnCase and FTK are the big ones. I kind of like ProDiscover, which is a smaller player, but I find their tool to be intuitive and to show some file timestamps that EnCase strangely ignores (the $FILE_NAME attributes, for those who care. ProDiscover shows them right along with the other file metadata. EnCase is blissfully unaware of them.)

No matter what forensic package you use, you’ll wind up using a lot of other specialty tools for things the forensic package doesn’t do. My PC is cluttered with dozens of little tools I need to fill in the gaps that EnCase, ProDiscover, or whatever, don’t fill.

And even if it is possible, is anyone really going to go to those kinds of lengths to get your data? Maybe, if you’re Vladimir Putin and the CIA has gotten ahold of your personal computer, or something like that… But for a used computer you sold to a friend for twenty bucks, not likely.

How would you know if I was sending confidential drawings and reports to my own personal email account? I work in such an industry and am curious.

BTW, I’m a very conscientious employee who does not do that; I do, however, surf the Dope on down time. No really.

Do you get much pressure from low-level managers to use your spying tools to monitor employees’ job performance or other petty stuff like that? If so, what is the attitude of the Higher Powers about that?

::adding Leaffan to the list of people to watch::

Many companies, including the one I work for, employ a Data Loss Prevention (DLP) tool to monitor things like this. There are lots of DLP tools on the market. The DLP tool we use monitors every workstation, all outbound emails, uploads to websites, files copied to removable media, etc. The tool inspects files for content, patterns (like credit card numbers), or other characteristics. If you try to email or otherwise take away a file that triggers any of the criteria we have set up, the DLP tool might generate an alert for later review, or it might block the action entirely.

So, your company might have a DLP tool set up that says, “If anyone emails a drawing file to a personal webmail domain, generate an alert.” Then the person whose job is to monitor DLP alerts will look at the record of your email and take whatever action is required. For example, in my company, if we catch someone sending proprietary data out inappropriately, I gather a standard set of information and pass it on to the employee’s manager and HR rep, who then go and have a Serious Conversation with the person.

I don’t know what industry you’re in, or how big the company you work for is, but if people at your company are getting routinely gigged for sending files home to themselves, there’s a decent chance your employer has some kind of DLP tool in place.
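To make the two DLP behaviours described above concrete (example code added here, not from the poster or any DLP product): a toy rule engine in Python that inspects an outbound message, raises an alert when a drawing file goes to a personal webmail domain, and blocks the send when a Luhn-valid card number appears in the body or an attachment. The corporate domain, the webmail domain list, the CAD extensions, the message structure and the sample messages are all constructed assumptions.

```python
"""Toy DLP rule engine for outbound email (added example).

Two rules modelled on the post: a drawing file sent to a personal webmail
domain raises an alert; a Luhn-valid card number leaving the company blocks.
"""
import re
from dataclasses import dataclass, field

CORP_DOMAIN = "example.com"                                                  # assumed
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumed list
DRAWING_EXTS = {".dwg", ".dxf", ".step", ".stp"}                             # assumed CAD formats

# 13-16 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> extracted text


@dataclass
class Finding:
    rule: str
    action: str     # "alert" (log for later review) or "block" (stop the send)
    detail: str


def luhn_ok(digits):
    """Luhn checksum; filters out random digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg):
    """Apply the DLP rules to one message and return the findings."""
    findings = []
    external = [r for r in msg.recipients if domain(r) != CORP_DOMAIN]
    if not external:
        return findings                     # purely internal mail is not inspected here
    webmail = [r for r in external if domain(r) in PERSONAL_WEBMAIL]
    for name in msg.attachments:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in DRAWING_EXTS and webmail:
            findings.append(Finding("drawing-to-webmail", "alert",
                                    f"{name} sent to {', '.join(webmail)}"))
    texts = [msg.body] + list(msg.attachments.values())
    cards = [c for t in texts for c in find_card_numbers(t)]
    if cards:
        findings.append(Finding("card-number-exfil", "block",
                                f"{len(cards)} card number(s) in outbound mail"))
    return findings


def decide(findings):
    """Collapse findings to the single action the mail gateway should take."""
    actions = {f.action for f in findings}
    if "block" in actions:
        return "block"
    return "alert" if "alert" in actions else "allow"


# Constructed sample messages (4111 1111 1111 1111 is a standard test card number).
MSG_DRAWING = Message("eng1@example.com", ["eng1.home@gmail.com"],
                      "sending this home to finish tonight",
                      {"bracket_rev3.dwg": "...drawing text..."})
MSG_CARD = Message("ap@example.com", ["billing@vendor.example.net"],
                   "please charge card 4111 1111 1111 1111 for invoice 22")
MSG_ORDER = Message("ap@example.com", ["billing@vendor.example.net"],
                    "reference order 1234 5678 9012 3456")
MSG_INTERNAL = Message("ap@example.com", ["finance@example.com"],
                       "card 4111 1111 1111 1111 on file")

if __name__ == "__main__":
    for m in (MSG_DRAWING, MSG_CARD, MSG_ORDER, MSG_INTERNAL):
        print(decide(evaluate(m)), [f.detail for f in evaluate(m)])
```

The Luhn check is what keeps the "order number" message from being a false positive: a bare 16-digit regex would flag it, which is exactly the kind of noise that buries the person whose job is to review the alert queue.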

One of the first things I did when I got to my current employer was to establish policies governing how we initiate investigations. Before anyone on my team goes and pulls someone’s internet history or looks at their emails or anything like that, we require approval from a VP. If a manager wants us to pull Leaffan’s web history to see how much time he spends on the SDMB, we politely respond that we need VP approval before we can do so. The same policy applies if the manager thinks Leaffan is doing something malicious. Get a VP in HR or Legal to send an email approving it, and we’ll launch an investigation.

We have also had conversations with HR to get them to see that we’re not here to manage a supervisor’s staff for them. So, I think setting that expectation with HR and raising the entry barrier for us to start an investigation has done a decent job of tamping down the petty requests like that. We see some, but not as many as I saw at other places I’ve worked.

By the way, I am an absolute ideologue about getting high-level approval before starting an investigation. Preventing petty requests is only one reason why. More important is that having documented approval of each investigation protects everyone. On the one hand, we want to make sure that people on my team aren’t using our investigative tools inappropriately. We don’t want Bob the Investigator to look at the browsing history of that girl he has a crush on or that guy in Accounting he doesn’t like. On the other hand, we want to make sure that when we are doing proper investigations, the subject can’t come back and say we were singling them out, or we were just going after them for the hell of it. Especially when I’m peering into the activities of the Sr. Director of Important Stuff, and he asks why some piss-ant security guy is looking at his Very Important Things, I can say, “I will refer your questions to the VP.”

At a previous employer, the guy in charge of security was caught looking at lots of people’s email for some reason. He claimed they were all approved investigations. He was not able to provide any documentation of that, and since the place was looking for a reason to fire him anyway, out the door he went. I’m going to make sure I avoid that fate.

He was trying to dig up enough dirt so he would be termination-proof. :smiley:

My questions:

  1. How valuable is an average joe’s email account to a hacker, really? I got hacked once years ago, but it was a kid or something. They logged into my account and added their email address to CC anything I received. I still have that email address.

  2. I’ve heard some disturbing reports that the government can take control of your phone and laptop remotely and use it to locate you or take snapshots from the built in cameras. True or false? I think this would be pretty difficult for them to do to my stuff since I’m rarely online.

  3. Today, I’m pretty careful about what I write online, text message, or email. My personal rule is to write nothing that I wouldn’t be embarrassed about later or could be used in court. Today, I know that a lot of things are saved and archived somewhere and can be found. My question is: how far back does this go? Do I have to worry about stuff from the 80s I wrote on Prodigy? I think the entire Usenet was archived, but I was never on there.

Thanks.

What is a typical day like for you? Are you occupied with clearing a backlog of allegations, or do you also work on proactive defenses, sting operations, and proactively hunting/patrolling for misconduct? If you aren’t working on investigating a specific case/allegation, what are you doing? E.g. can you sit back and watch cat videos until an alarm goes off, or are you expected to always be doing proactive stuff during business hours?

Amazon does with its new phone.

There are lots of different ways a bad guy can monetize a stolen email account. If you do online banking, for example, and you use the bank’s “forgot my password” function, the site may send you a temporary password to the email address on file. If a bad guy controls your email address, they can potentially use it to get access to your finances this way. Almost all of my online activity links up to my email in some way. If a bad guy got into my email, he could find out a lot about me and get control of many of my accounts.

Or, there might just be a lot of personal information sitting in your mailbox. Maybe you use a tax preparer, and you sent them your tax returns, including your SSN and everything, and the bad guy can grab that. Or maybe there is some blackmail fodder in there. Cheating on your wife?

Or maybe the bad guy will use your email to impersonate you to your contacts and try to scam them. Send an email to everyone in your contact list claiming to be stuck in some foreign country and needing money wired ASAP to get home. That’s a pretty common scam.

If all else fails, they can use your account to send spam.

There is malware out there that can take control of a laptop and take pictures with the built-in camera. I presume there is malware that will do the same thing on at least some types of smart phones. I’m sure there is some for phones that can track your location as well. Criminals can use this malware for various schemes. I suppose a government agency could use something similar, but you’re at greater risk from run-of-the-mill computer criminals than from the government (unless you’re a spy or a high level mafioso or something). In any case, whoever wants to spy on you would need to get the malware on your device. Your laptop or phone doesn’t come pre-packaged with the ability of the government to spy on you already built in (unless that’s just a tidbit Edward Snowden is waiting for the right time to tell us). Anyway, your cell carrier already knows where you are all the time. If the government wanted to find out, they’d probably go to the carrier to get that information rather than trying to drop malware on your phone.

Not writing anything you’d be embarrassed by is a good rule in general. As far as how much of old content is available, who knows? What were the retention practices of the entity that owned the servers? Did that entity get sold, and the content transferred to someone else? Did a service like archive.org capture it? Is there some guy who was just copying all that content to disks in his basement? It might exist somewhere but just be impossible to find. It’s anybody’s guess.

We get reports of suspected incidents a few different ways.

First, we have a log management system that collects logs from a huge number of our servers and network devices and generates alerts based on certain rules. For example, if the log management system sees a certain machine generating a bunch of traffic on unexpected ports, it will create a ticket in our incident management system, and we’ll look at it as soon as it comes in.

We have other systems that we review manually on a schedule and enter tickets into our incident management system when we see something suspicious.

We also frequently get reports from employees by email. “I got this suspicious email. What do I do?” is a common one.

All of our investigations get assigned to someone on our team, and we spend most of our time working the tickets in our queue. We have a meeting every day where we discuss the status of all open investigations and get advice and assistance from the team.

If an investigation looks like it could be a major breach, we all drop our other work and jump in on the incident response. If it’s something like a single machine with malware, one person on our team just handles it. If it looks like an intruder got access to a web server, we all call for our brown trousers and initiate a major response.

At my employer, other teams handle setting up defenses, maintaining firewalls, making sure systems get patched, etc. We don’t do much proactive hunting for misconduct. The tools we have do a decent job of keeping us busy with stuff they find without us going out to look for more.

We all have additional project work, administrative tasks, routine meetings, and whatnot. So when we’re not working on an active investigation, there is plenty to do. (I’m on my lunch now :).)
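The log-management rule mentioned in this post ("a certain machine generating a bunch of traffic on unexpected ports" opens a ticket) can be sketched in a few dozen lines. This is an added example, not the poster's system or any SIEM product: it parses constructed firewall-style connection records, compares each server's destination ports against an assumed per-server baseline, and raises a ticket once a host has touched an assumed threshold of distinct ports outside that baseline. The log format, addresses, ports, baseline and threshold are all made up for the example.

```python
"""Log rule: a host talking on ports outside its baseline (added example).

Assumed log format, one connection per line:
  "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>"
"""
from datetime import datetime

# Constructed sample firewall/flow log; addresses and ports are made up.
SAMPLE_LOG = """\
2014-06-20T13:00:01 src=10.0.1.5 dst=10.0.2.10 dport=3306 proto=tcp action=allow
2014-06-20T13:00:05 src=10.0.1.5 dst=203.0.113.7 dport=443 proto=tcp action=allow
2014-06-20T13:02:10 src=10.0.1.5 dst=198.51.100.9 dport=22 proto=tcp action=allow
2014-06-20T13:02:12 src=10.0.1.5 dst=198.51.100.9 dport=445 proto=tcp action=deny
2014-06-20T13:02:15 src=10.0.1.5 dst=198.51.100.9 dport=8443 proto=tcp action=allow
2014-06-20T13:02:20 src=10.0.1.5 dst=198.51.100.9 dport=9001 proto=tcp action=allow
2014-06-20T13:05:00 src=10.0.1.6 dst=10.0.2.10 dport=3306 proto=tcp action=allow
2014-06-20T13:05:30 src=10.0.1.6 dst=10.0.2.11 dport=8080 proto=tcp action=allow
2014-06-20T13:06:00 src=10.0.1.7 dst=10.0.2.10 dport=3306 proto=tcp action=allow
"""

# Assumed per-server baseline: the only destination ports each server should initiate.
BASELINE = {
    "10.0.1.5": {443, 3306},   # web tier: HTTPS out and the database
    "10.0.1.6": {3306},        # batch host: database only
}
THRESHOLD = 3   # assumed: distinct unexpected ports before a ticket is raised


def parse_line(line):
    """Return the line's key=value fields as a dict, with timestamp and port typed."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec


def unexpected_port_activity(log_text, baseline=BASELINE):
    """Collect, per baselined host, the connections to ports outside its baseline."""
    activity = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        allowed = baseline.get(rec["src"])
        if allowed is None or rec["dport"] in allowed:
            continue                      # host has no baseline, or this is expected traffic
        entry = activity.setdefault(rec["src"], {"ports": set(), "first": rec["ts"],
                                                 "last": rec["ts"], "denied": 0})
        entry["ports"].add(rec["dport"])
        entry["last"] = max(entry["last"], rec["ts"])
        if rec["action"] == "deny":
            entry["denied"] += 1          # denied attempts still count as a signal
    return activity


def raise_tickets(log_text, baseline=BASELINE, threshold=THRESHOLD):
    """Turn hosts that crossed the threshold into incident tickets."""
    tickets = []
    for host, entry in unexpected_port_activity(log_text, baseline).items():
        if len(entry["ports"]) >= threshold:
            seconds = (entry["last"] - entry["first"]).total_seconds()
            tickets.append({
                "host": host,
                "ports": sorted(entry["ports"]),
                "window": (entry["first"].isoformat(), entry["last"].isoformat()),
                "denied": entry["denied"],
                "summary": (f"{host} reached {len(entry['ports'])} unexpected ports "
                            f"({entry['denied']} denied) in {seconds:.0f}s"),
            })
    return tickets


if __name__ == "__main__":
    for t in raise_tickets(SAMPLE_LOG):
        print(t["summary"])
```

Keying the rule on distinct ports rather than raw connection count is what separates a server that is misbehaving from one that is merely busy; the single stray port from the batch host stays below the threshold and never becomes a ticket.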

Who is responsible for adjudicating responsibility? E.g. if you detect that an employee mailed sales data to a private email address, do you simply report that fact up to management or would you also determine culpability and/or punishment? E.g. “In the case of James Jones sent q3 sales data to an external email address with intent to assist a competitor, guilty, 1 week suspension without pay, 10% pay cut, and six months employee probation” vs “In the case of James Jones sent q3 sales data to an external email address with intent to assist a competitor, not guilty, External address belonged to Mary Smith in Engineering, Employee sent file to external address in order to bypass 10mb incoming file limit on the corporate mail server.”

What’s your take on the TrueCrypt situation? Do you think the program is still safe to use?

My first exposure to network security was years ago (Windows 2000 and XP SP1 era) when I was on the IT helpdesk. We had a supervisor in the financial department whose PC was crawling with all kinds of malware and it had been a recurring issue with us for some time. It got to the point where he demanded that we provide him with a second PC under his desk that he could switch to when his number one PC went down because of the problems. My cohort at the helpdesk (I’ll call him Miguel) spent the better part of the day working his way through his issues and things got ugly and escalated fairly quickly. It got to the point where our manager asked for a report on his web browsing activities from the LAN team and Miguel was handed a stack of papers showing everything the guy did, including all of the sports betting and fantasy football sites he spent his time on. The sites were blocked, his PC was wiped, and he was told to knock it off. That kind of stuff actually gave us an amusing changeup from the norm.

I actually had a network security concentration when I worked on my master’s degree, but I am a very reluctant networking guy and have since moved out of IT (so that degree in IT management really comes in handy when I’m in neither IT nor management. But it’s all about the journey). I’ve spoken with the admins on our security team, but the way it was described to me was that there was a LOT of off-hours work responding to a lot of probes and alerts. Do you see a lot of that in your work or in the industry at all? When I heard that I thought, Screw that crap, I want my nights and weekends.

As investigators, our job is strictly fact finding. We uncover what happened, gather data and artifacts, and present findings to the decision makers (usually HR and a manager). We can explain the evidence and help the manager/HR understand how the evidence shows a policy violation, and we can explain how a certain finding suggests intent, but we don’t get involved in decisions regarding discipline. HR, Legal, and folks like that are the ones who are supposed to be experts in handing out punishments, complying with labor laws, and so on. My team are experts in technology.

I’m a stickler for separating fact finding from decision making. I think it helps to ensure a fair process and prevents us techies from getting involved in areas we are just not qualified to deal with.