A mock case of IP theft

Greetings everyone. This post is going to be a mock digital forensics case and how I would go about answering the questions about an event that takes place on a computer system. First I’ll give you the case details:

XYZ corp has contacted me about an attempted cyber theft of sensitive company information. They believe that an administrator who works for the company is involved in the theft. They confiscated a personal USB drive that belonged to the employee in question. They believe this USB was used to steal the sensitive information. My job will be to confirm that the information is on the USB drive and that the USB was plugged into the work computer that contains the company’s information. I was told that the sensitive files are on his work computer and they have the words “secret” and “confidential” in their file names.

There are several questions I need to answer about the case:

  • Is the stolen data on the USB drive?
  • When was the data stolen?
  • When was the last time the USB drive was plugged into the computer?
  • What user account was logged into the computer at the time the data was stolen?

So the first step that I would take would be to take images of both the computer and the USB drive.

I used dd to take the image of the USB drive.
I used dd to take the image of the USB drive

Next I took a live image of the xyz computer.

I changed the power settings for both the machine being imaged and the forensic machine performing the imaging. I didn't either machine to go to sleep which the imaging was taking place.
I changed the power settings for both the machine being imaged and the forensic machine performing the imaging. I didn’t want either machine to go to sleep while the imaging was taking place.
Here is the settings I used for taking the image of the xyz computer. I didn't want to deal with a bunch of fragmented image files so I set the fragment size to zero.
Here is the settings I used for taking the image of the xyz computer. I didn’t want to deal with a bunch of fragmented image files so I set the fragment size to zero.
When the imaging finished FTK Imager automatically started to hash the image file and verify the hashes.
When the imaging finished FTK Imager automatically started to hash the image file and verify the hashes.
Both the MD5 and SHA-1 hashes verified. Now Im ready to prep both pieces of evidence for examination.
Both the MD5 and SHA-1 hashes verified. Now I’m ready to prep both pieces of evidence for examination.

The images I took above are the “best” evidence. A best practice is to never examine the original or “best” evidence. So in order to get the image files over to my forensic system I have two choices:

  • Copy the image files over using a normal copy method like drag and drop
  • Take an image of the best evidence and use that image as the “working” evidence or the evidence to be examined

I chose option two because with taking an image I’ll know for sure that the copies will be exactly the same bit for bit. With the drag and drop copy I won’t be sure if the operating system will make changes to the evidence.

Imaging working copy of xyz corp computer
So I took my forensic hard drive that contained the original evidence and mounted it to my forensic system. Then I rehashed the xyz computer image and took an image of the best evidence using the dcfldd tool.
Next I took a second image of the USB drive
Next I took a second image of the USB drive to use as the “working” evidence”
After both working copies were made I hashed both of them and compared them to the original evidence.
After both working copies were made I hashed both of them and compared them to the original evidence.

With both working copies made and the hashes checking out I move on to the examination of both pieces of evidence. The first question I want to answer is if the stolen data is on the USB drive. I have two ways of confirming this:

  • Mount the drive to the forensic system and see if the data is on the drive
  • Use the Autopsy forensic browser and run a keyword search

I decided to use Autopsy to run a Keyword search. Because I know that either the words “Confidential” or “Secret” is in the file names. I ran a search for both of these keywords.

Keyword search using Autopsy
Searching the USB for the word “confidential” on the USB drive
Search results for the keyword "Confidential"
Search results for the keyword “Confidential” on the USB drive
Searching for the keyword "secret"
Search results of Autopsy looking for the keyword “Secret” on the USB drive

So far these search results tell me that four hits were found for “confidential” and 3 hits were found for “secret”. This is a good indication that the stolen files are on the USB drive.

I did not want to base the answer to the question on the keyword search results alone so I used Autopsy to perform file analysis on the USB drive’s contents. This option will give me a list of what files are on the drive, if they are deleted or not, the file’s timestamps, and which metadata entry points to the file.

All of the stolen files are found. This answers the first question of the case.
All of the stolen files are found.

With this the first question of the case is answered. The stolen files are on the USB drive. There is something odd with the timestamps however. The time values in the yellow box are the written timestamps and the time values in the red box and the created timestamps. Under normal circumstances the creation time would be before the written time. But this clearly says the the last written time is before the created time. This is a clear indication that the files that were stolen were created on a different machine and moved to the USB drive. So the created time values are the times when the file’s were created on the USB drive. So each file’s creation time is when the file was stolen. This answers the second question.

  • Confidential file # 1
    • Stolen on 11/30/2014 at 13:06:11 EST
  • Secret File 1
    • Stolen on 11/30/2014 at 12:41:43 EST
  • Secret File 2
    • Stolen on 11/30/2014 at 12:41:43 EST
  • Secret File 3
    • Stolen on 11/30/2014 at 12:41:43 EST

Now that I have some time values I can check the computer image and see who was logged in at the time the files were stolen. Also I will check when the USB drive was plugged into the computer. I mounted the computer image file to my forensics system and ran a program that extracts data from the Windows registry. The program is called regripper. The registry is a series of database files that contain configuration information for the operating system. With Windows the registry is split into five hives:

  • Sam
  • Security
  • System
  • Software
  • NTUSER.DAT

Each user account on a computer has an NTUSER.DAT registry hive that is associated with it. The hives that contain the information I need to learn about the USB drive are located in the Software, System, and NTUSER.DAT hives. I first decided to rip the information from the System hive.

I used the losetup command along with the mount command for mounting the image file.
I used the mmls, losetup command, and  the mount command to mount the image file.
I used regripper to rip the information from the system hive. From this information I found the last time the USB was plugged into the computer
I used regripper to rip the information from the system hive. From this information I found the last time the USB was plugged into the computer

So this answers the third question: The USB was last plugged into the computer on Dec 2, 2014 at 01:09:07 UTC. Registry times are in UTC time or Zulu time. Since this computer was located on the east coast the time (which is 5 hours behind zulu time) is Dec 1 2014 at 22:09:07 EST. This is the last time the USB drive was plugged into the computer. Next I ripped the Software and the NTUSER.DAT registry hives for more information about the USB drive itself. I was able to find out several things about the USB drive from these hives:

  • Serial number
  • USB Vendor
  • Vendor ID
  • Product ID
  • Last drive letter the USB drive was assigned
  • Volume GUID (Globally unique identifier)
  • The user account which was logged in when the USB was plugged in

Once I found out the volume GUID I used this information to find out which user account was logged on when the USB was plugged in.

Once I ripped the NTUSER.DAT hive I searched for the volume GUID. Since the GUID is found it confirms that the account associated with this NTUSER.DAT hive was logged in when the USB was plugged in.
Once I ripped the NTUSER.DAT hive I searched for the volume GUID. Since the GUID is found it confirms that the account associated with this NTUSER.DAT hive was logged in when the USB was plugged in.

Now the final question is answered. This NTUSER.DAT hive belongs to the Admin account on the computer in question, so the Admin account was logged in when the USB drive was plugged in.

After the examination I would report to my mock client that I found evidence that the Admin account was logged in when the USB drive in question was plugged into the computer. Also that the sensitive company information was found on the USB drive. There was no need to find out if his account was compromised due to the fact that the suspect was seen plugging in his personal USB drive into the computer at the time of the theft. So with this evidence xyz corp woud make a decision based on the facts.

In the world of information security any number of cyber crimes can be committed against a person or an organization. This is one example of what can happen to a company. With that said always be careful with what you put on the internet. Thanks for reading!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s