Forensics Assignment (Main)

Uploaded by Mohammad Raf'ati
Copyright © Attribution Non-Commercial (BY-NC)
CHAPTER 1

INTRODUCTION

The advent and growth of Information Technology has made digital espionage a real danger of
great magnitude. Its effect, compounded by the ignorance of the average computer user, has
been enormous, and corporations and government agencies have been hit hardest.

A survey conducted by PricewaterhouseCoopers and the American Society for Industrial
Security (ASIS) revealed that Fortune 1000 companies lost more than $45 billion in 1999 to theft
of their proprietary information alone. These losses, the survey contends, hit the manufacturing
industries particularly hard.

What is perhaps more alarming than these statistics is the sluggish response of companies.
The report concludes: "The majority of companies responding to the survey have not effectively
met the challenge of providing a framework in which to safeguard proprietary information."
They are failing to address the threat.

This report describes in detail the steps taken to investigate a case of unauthorized employee
access to sensitive company data. It outlines the forensically sound tools used and makes
appropriate security recommendations to prevent a recurrence.

CHAPTER 2

EXECUTIVE SUMMARY

On the 24th of May, 2009, the Systems Administrator of TT Bank, Mr. Ali, employee number
TT102 (herein referred to as ALI), was alerted to a possible unauthorized access to the HR file
server (evidence number TT002FS) holding employee payroll data. ALI in turn made an official
complaint to Management, naming Mr. Mike Brown, a member of staff in the loans department
with employee number TT201 (herein referred to as MIKE), as the possible culprit.

According to Section 1a of the Bank's acceptable use policy (see Appendix), unauthorized access
to and distribution of confidential payroll information are grounds for termination. Further
punitive measures (if any) are to be taken after due consultation with the Bank's internal legal
team, who in turn are to check existing law to determine what provisions apply to unauthorized
access to computers by employees.

2.1 RISK ANALYSIS

Risk analysis, within the scope of this report, involves identifying and assessing the impact of
an insecure logical access control system on TT Bank, as evident in the given scenario, and the
material or immaterial losses that would potentially result from such a security breach.

One major means by which MIKE could have gained access to the Human Resources payroll
files was by elevating his privilege to that of the Administrator.

2.1.1 Privilege Escalation


Privilege escalation means gaining privileges without being authorized to do so. If unauthorized
personnel are not able to gain privileges immediately when they access a system, they next
usually attempt to escalate privileges by running programs that exploit vulnerabilities. When
the intruder becomes a superuser, that person has complete control of the victim system (in
most operating systems). Worse yet, if trusted access mechanisms between hosts are in place,
the intruder may now be able to gain superuser access to other systems that trust the
original victim system.

The term "loss", as defined in U.S. Senate Bill S.2448, is any reasonable cost to any victim,
including the cost of responding to an offense, conducting a damage assessment, and restoring
the data, program, system, or information to its condition prior to the offense, and any revenue
lost, cost incurred, or other consequential damages incurred because of interruption of service.

Sources of estimated losses associated with the breach include:

• Sabotage of major network components
• Loss of employee confidence
• Loss of company proprietary information to competitors
• Network and user downtime

A qualitative risk analysis, adapted from the approach outlined by the National Institute of
Standards and Technology in NIST SP 800-30 and applied to determine the associated risks, is
shown in Table 2.1.

Table 2.1 Risk Analysis

Source: Sabotage of major network components
Risk Type: Tangible. Risk Level: Medium
Description: An intruder with administrative privilege can prevent other users from carrying
out their legitimate functions, or outright cause significant damage to the server machine or
its associated components. This threat is rated medium since organizational operations and
assets can be adversely affected.

Source: Loss of employee confidence
Risk Type: Intangible. Risk Level: Medium
Description: Employees might lose confidence in the capability of the company to protect their
private details, and this can affect productivity in the long run. This threat-source is rated
medium since controls are in place that may impede successful exercise of the vulnerability.

Source: Loss of company proprietary information to competitors
Risk Type: Tangible. Risk Level: High
Description: Vital data such as a proposed financial solution can be leaked to competitors. The
impact can be quite high, as it can bring about major financial losses in the form of funds
expended in research and development, and a severe degradation in or loss of mission
capability.

Source: Network and user downtime
Risk Type: Intangible. Risk Level: Medium
Description: A significant amount of time might be spent by all staff in cleaning up the damage
to systems in the affected area (e.g., analyzing what has occurred, re-installing the operating
system, restoring installed programs and data files, etc.).

2.2 Legal Warrants

On the 26th of May, 2009 at 15:00 GMT, the legal department of TT Bank, headed by Mr.
Anderson Smith, completed and handed in a Service Request Form (SRF) and a letter of
authorization for an investigation to be carried out on the affected computer systems, with a
view to making recommendations on a framework to protect company sensitive data in the
future. The SRF and letter of authorization can be found in the Appendix.

2.3 Assumptions Made

1. TT Bank has an acceptable use policy which has been duly signed by all members of staff,
   including Mr. Mike Brown.
2. There is a backup file server of the same configuration as the main centralized file server.
3. The centralized file server has been configured with audit logging enabled.

CHAPTER 3

EVIDENCE IDENTIFICATION

3.1 NETWORK ARCHITECTURE

The network topology documentation was obtained from the Systems Administrator on the 26th
of May, 2009 at 14:00 GMT. The following were identified as systems/devices of interest:

Date/Time            | Item of Interest                            | Serial Number | Evidence Number | Location    | State at time of arrival
26/05/2009 15:00 GMT | DELL Optiplex PC                            | D0012322OP    | TT001PC         | Loans Dept. | Running
26/05/2009 15:00 GMT | Cisco 1200 Series Router                    | C00231234I    | TT003RT         | Server Room | Running
26/05/2009 15:00 GMT | DELL PowerEdge T100 Centralized File Server | D324453R      | TT002FS         | Server Room | Running

Table 3.1 Items of Interest

The TT Bank network has a screening router on the perimeter that filters packets from the
Internet before they are delivered to the Local Area Network, protecting the hosts on the
internal LAN from direct compromise by an intruder. When a packet that claims to be a
response to a packet sent out from the local network is received, the packet filter checks its
state table to confirm that the packet is indeed a response to a request that was previously sent
out, making it difficult for a potential intruder to get a packet through that contains forged
addressing information. The second router, which connects the LAN to the screened network
segment, provides additional security because all traffic that flows between the LAN clients and
the server must first pass through it.

The file server runs Windows Server 2003 and is a member of a Windows domain. The domain
controller runs the Active Directory service, which acts as a repository for directory objects,
among them user accounts. Further discussion with the Systems Administrator revealed that
employee payroll files were prepared in .xls format and stored in a folder called
HumanResources\records\emp_payroll. The only group with read or write permissions on the
folder is the HR_ADMIN group, to which MIKE does not belong. It was therefore important to
determine whether, and by what means, access to the payroll files could have been gained.

Fig 1.0 TT Bank Network Architecture (diagram not reproduced). The figure shows the screening
router facing the Internet, the internal router, the server segment with the centralized file
server, and a switch serving the Administration, Sales and Marketing, Human Resources,
Corporate Services and Loans segments. Areas in yellow are the identified areas of interest.

3.2 Chain of Custody

A chain of custody document was prepared to keep track of the evidence from the time the
investigator gained possession of each item until it was released back to the owner. This document
contains the basic information about the client and details about the media, such as brand, type
and serial number. The form also kept track of each person who handled the media for collection,
imaging and return of property. A new line entry was made each time an item was removed from
the media safe. Refer to Appendix… for the chain of custody document.

CHAPTER 4

EVIDENCE ACQUISITION

Evidence gathering was carried out according to RFC 3227, "Guidelines for Evidence Collection
and Archiving", which stipulates that evidence be acquired in order of volatility, proceeding from
the most volatile to the least volatile as shown below:

• Registers, cache
• Routing table, ARP cache, process table, kernel statistics
• Memory
• Temporary file systems
• Disk
• Remote logging and monitoring data relevant to the system in question
• Physical configuration, network topology
• Archival media

4.1 Live Data Acquisition

Date: 27th of May, 2009
Time: 13:00 GMT

In order to obtain a snapshot of the state of the file server (TT002FS) at the time of arrival,
certain data considered volatile (lost when the machine is turned off) were captured. They
include:

• System date and time
• Current network connections
• Current open ports and the applications listening on those ports
• Applications currently running

The commands that produce this information were run on the server and their output was sent
to a forensic workstation using the Netcat tool. Netcat is a utility that reads and writes data
across TCP and UDP network connections. It was important to ensure that the process of
acquiring the evidence had as little impact as possible on the data of the system, so a reliable
TCP connection between the file server (TT002FS) and a forensic workstation was created (see
Fig 4.1).

Fig 4.1 Connecting the Forensic Workstation to the File Server

Data was transferred across the network to the forensic laptop (as shown in Fig 4.1) because
this not only minimized the impact on the victim machine itself, but also lowered the chance of
compromising the forensic laptop. Using a USB drive, for example, would have forced the
system to load drivers, altering the state of the victim machine by adding entries to the
setupapi.log file and the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Storage\RemovableMedia registry key.

The following steps were taken:

1. An MD5 sum file, tools.md5, with the checksums of each tool in c:\TT_Bank\Tools to be used
   was created as shown below:
   Command: md5sum -b c:\TT_Bank\Tools\* > tools.md5

   Start Time | Tool   | MD5 Sum                           | Comments
   16:00 GMT  | Netcat | 636DA7022B926A6483F033BE0D3290DA  |
   16:10 GMT  | NTLast | 526EB8033C037B7594E033BE0D32821EB |
   16:15 GMT  | Dumpel | 414EB6132C817B6483F033FE0B32190EA |
   16:20 GMT  | MD5sum | 526EB8033C037B7594E033BE0D32821EB |

2. A Netcat listener was started on the forensic workstation and all incoming traffic was
   directed to a file, c:\TT_Bank\network_data.txt. Fig 4.2 illustrates the forensic workstation
   listening for incoming connections on port 2222. Information received on port 2222 was
   written to the specified file.

   Command: nc -v -l -p 2222 > c:\TT_Bank\network_data.txt

Fig 4.2 Setting up the Netcat listener on the forensic Workstation

3. date /t & time /t - This was to correlate the system logs, as well as to mark the times at
   which the response was performed. The date and time commands are built into cmd.exe.
   Fig 4.3 illustrates the execution of the date command, with its output redirected to a file
   called c:\TT_Bank\date.txt on the forensic workstation. The second command in the figure
   uses the append operator (>>) to add the output of the time command to the
   c:\TT_Bank\date.txt file.

Fig 4.3 Obtaining System Date and Time

4. Current and recent connections - netstat was used to determine current connections
   (including those still in TIME_WAIT), the remote IP addresses of those connections, and the
   ports on which applications were listening.
   Command: netstat -an

5. Login attempts - Since this was a case of unauthorized file access, it was important to first
   examine what user privileges had been configured by the Systems Administrator on the HR file
   server (TT002FS).

   Event logs of the file server were viewed using the NTLast tool. With logon and logoff
   auditing turned on at the server, NTLast was used to enumerate successful and failed logon
   attempts.

Commands used:

• C:\NTLast>ntlast /f - enumerate failed console logon attempts
• C:\NTLast>ntlast /r - list all successful logon attempts from remote systems
• C:\NTLast>ntlast /f /r - enumerate failed remote logon attempts
• C:\NTLast>ntlast -m \\server -file c:\log\sec.evt - copy security audit events from the HR file server
• C:\NTLast>ntlast -file \\server\log\sec.evt - read the copied Security event log

Fig 4.4 Successful Logons

Fig 4.5 Failed Logons

The results show that on the 23rd of February at 10:31:54 am, 10:31:49 am and 12:05:25 am the
Mike_Brown account attempted to log in as administrator but failed (assumption).

6. The dumpel tool was used to retrieve the logs for offline analysis. Dump Event Log (dumpel)
   is a command-line tool that dumps an event log from a local or remote system into a
   tab-separated text file. It can also filter for, or filter out, certain event types. The retrieved
   logs were saved in the c:\TT_Bank\network_data file on the remote forensic machine.

   Command used:
   • dumpel -l security -t -f <file> - dumps the entire Security log, with tabs as delimiters,
     to the file you specify.

7. MD5 cryptographic hashes of the collated information were computed to ensure its integrity.
   An MD5 hash is a 128-bit (16-byte) checksum, also known as a digest, generated
   cryptographically from the contents of the file. Table… shows the collected files and their
   MD5 sums.
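The listener side of the collection described in steps 2 to 7, as an added example that is not code from the original report: it plays the role of the `nc -v -l -p 2222 > c:\TT_Bank\network_data.txt` listener, but records at the moment of receipt what the report later records by hand (UTC start and end times, byte count, MD5 and SHA-1 of the bytes as received), so the integrity record is produced at collection time rather than afterwards. The port 2222, the tool names and the TT_Bank paths are from the report; the function names, the record layout, the `send_output` stand-in for `netstat -an | nc <workstation> 2222` on the server, and the sample netstat text are assumptions made here.

```python
"""Forensic-workstation receiver for a netcat-style live collection (added example)."""
import hashlib
import json
import os
import socket
import tempfile
import threading
from datetime import datetime, timezone


def _utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def start_listener(port=0, host="0.0.0.0"):
    """Bind a TCP listener. The report uses port 2222; port 0 lets the OS pick one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def collect_once(srv, outdir, label):
    """Accept one connection, spool it to <outdir>/<label>.txt and return the evidence record.

    Hashes are updated on the same bytes that are written, so the digest in the
    record is the digest of the file as it exists on the workstation.
    """
    os.makedirs(outdir, exist_ok=True)
    out_path = os.path.join(outdir, f"{label}.txt")
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    conn, peer = srv.accept()
    started = _utc_now()
    with conn, open(out_path, "wb") as fh:
        while True:
            chunk = conn.recv(65536)
            if not chunk:  # sender closed its write side: stream complete
                break
            fh.write(chunk)
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    record = {
        "label": label, "file": out_path, "source": f"{peer[0]}:{peer[1]}",
        "started_utc": started, "finished_utc": _utc_now(),
        "bytes": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
    }
    # Append one JSON line per collected stream: this is the collection log.
    with open(os.path.join(outdir, "collection_log.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def send_output(host, port, data):
    """Server side of the exchange: the equivalent of `netstat -an | nc <host> <port>`."""
    with socket.create_connection((host, port)) as c:
        c.sendall(data)
        c.shutdown(socket.SHUT_WR)  # signal end of stream to the listener


def demo_collect(data, outdir=None):
    """Run the exchange on localhost: listener plus a sender pushing `data` into it."""
    outdir = outdir or tempfile.mkdtemp(prefix="TT_Bank_")
    srv = start_listener(host="127.0.0.1")
    port = srv.getsockname()[1]
    sender = threading.Thread(target=send_output, args=("127.0.0.1", port, data))
    sender.start()
    try:
        return collect_once(srv, outdir, "netstat_an")
    finally:
        sender.join()
        srv.close()


if __name__ == "__main__":
    # Constructed sample of what `netstat -an` on the file server might emit.
    SAMPLE = b"  TCP    10.0.0.5:3389   10.0.0.77:1043   ESTABLISHED\r\n"
    print(json.dumps(demo_collect(SAMPLE), indent=2))
```

The stream carries no authentication or integrity of its own, which is why the hash is taken on the workstation the instant the bytes arrive and the record is written immediately; anything that could be modified on the server side before transmission (the server's own clock, for instance) still has to be compared against a trusted time source, as step 3 does.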

4.2 Disk Imaging

Date: 28th May, 2009
Time: 13:00 GMT

A bit-stream image of each disk was created so that the data on the original devices would
not be altered during analysis. The original computers could thus be kept isolated while the
evidence was extracted from the images of their storage devices.
Disk imaging was carried out in line with the U.S. Federal Rules of Evidence (FRE) 1001(3) and 1003:

• FRE 1001(3), Definitions, Original: "If data are stored in a computer or similar device, any
  printout or other output readable by sight, shown to reflect the data accurately, is an
  'original'."
• FRE 1003, Admissibility of Duplicates: "A duplicate is admissible to the same extent as an
  original unless (1) a genuine question is raised as to the authenticity of the original or (2)
  in the circumstances it would be unfair to admit the duplicate in lieu of the original."

Conducting investigations on the disk image was to enable the following:

1. Preservation of the digital crime scene
2. Obtaining the information in slack space
3. Access to unallocated space, free space and used space
4. Recovery of file fragments, hidden or deleted files and directories
5. Viewing the partition structure
6. Getting the date stamps and ownership of files and folders

Images of the following hard disks were obtained:

File Server (evidence tag number: TT002HDD) and MIKE's computer hard disk (evidence tag
number: TT001HDD). A controlled boot disk was placed in the computer's CD-ROM drive. The
computer was powered on and the BIOS setup program was entered.

The BIOS information was documented, and the system time was compared to a trusted time
source and documented. The boot sequence was checked and documented; the system was
already set to boot from the CD-ROM drive first. The desktop computer was powered off
without making any changes to the BIOS.

The following information regarding the disks was recorded:

• Make: Seagate
• Model: Barracuda XT
• Serial Number: SB1002342XT
• Evidence Tag number: TT001HDD
• Capacity: 160GB
• Physical Location: DELL Optiplex desktop PC, evidence number TT001PC (MIKE's PC)

• Make: Seagate
• Model: Barracuda XT
• Serial Number: SB2113442XT
• Evidence Tag number: TT002HDD
• Capacity: 200GB
• Physical Location: DELL PowerEdge T100 Centralized File Server, evidence number TT002FS

Acquisition of a forensic duplicate of each disk was carried out using the following:

1. A read-only FireWire-to-IDE module
2. A read-write FireWire-to-IDE module
3. An external power supply
4. Power cables
5. Two power switches
6. FireWire cables
7. 2.5" to 3.5" laptop drive IDE converter
8. PCMCIA FireWire card for acquisition with the forensic laptop

The storage location of the disk image was wiped in a forensically sound manner using Active@
KillDisk® software. This was in accordance with U.S Department of Defense clearing and
sanitizing standard DoD 5220.22-M which recommends the approach "Overwrite all
addressable locations with a character, its complement, then a random character and verify"
for clearing and sanitizing information on a writable media.

After assembling the apparatus, the evidence drive was connected to the read-only module so
that no data could be written to it. The storage drive was connected to the read-write module
and its jumpers were set to "Master". The forensic workstation was booted and FTK Imager was
started.

4.2.1 Acquiring Disk Image Using FTK Imager

FTK Imager acquires forensic duplicates in three formats:

• EnCase Evidence File (.E01)
• Raw disk image (dd)
• SMART format

The evidence drive (TT001HDD) was duplicated in the dd format, because a raw dd image can be
read by nearly any forensic toolkit. The screenshots below show the details.

Fig 4.6 Evidence Acquired using FTK Imager

4.3 Ensuring Evidential Integrity

As a security consideration, internal verification was carried out to verify the imaging procedure
and to check whether anything changed during the imaging process. FTK Imager generated a
log file recording the parameters of the process, such as drive geometry and the computed
hashes, together with case details such as date and time.

Cryptographic checksums (MD5 and SHA-1 hashes) were also computed for both disks
(TT001HDD and TT002HDD) as a way of checking that the copy matched the original drive. A
cryptographic hash function maps the stored data to a fixed-size digest, and two different inputs
will not produce the same digest by accident. If the original and the duplicate yield the same
checksums, we can conclude that an exact copy was produced. Note that MD5 is known to be
vulnerable to deliberately constructed collisions, which is one reason to record a second,
independent hash (SHA-1 here; a current acquisition would also add SHA-256) alongside it.
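The two integrity checks above, as an added example rather than code from the report or from FTK Imager: verifying the tool kit against the md5sum manifest created in step 1 of section 4.1 (`md5sum -b c:\TT_Bank\Tools\* > tools.md5`), and recomputing MD5 and SHA-1 of a disk image in a single pass to compare with the hashes FTK Imager recorded at acquisition time. The manifest format assumed is the one md5sum writes, one `<md5hex> *<filename>` line per file (a two-space text-mode separator is accepted too); the function names and the sample files in the usage are assumptions made here.

```python
"""Integrity checks for tool manifests and disk images (added example)."""
import hashlib
import hmac
import os

CHUNK = 1 << 20  # 1 MiB reads: images are large, never load them whole
HEX = set("0123456789abcdefABCDEF")


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest}, all algorithms computed in one pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def parse_md5sum_manifest(text):
    """Parse md5sum output into {filename: md5hex}.

    Accepts the '*' (binary mode) and ' ' (text mode) markers. A digest that is
    not exactly 32 hex characters is rejected, which catches transcription errors.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the separator and the binary-mode marker
        if len(digest) != 32 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def verify_manifest(manifest_text, base_dir):
    """Check every manifest entry against base_dir; {filename: 'ok' | 'MISMATCH' | 'MISSING'}.

    Only the file's base name is looked up, so a manifest written with Windows
    paths can be verified against a copy of the tool folder on another host.
    """
    results = {}
    for name, expected in parse_md5sum_manifest(manifest_text).items():
        path = os.path.join(base_dir, os.path.basename(name.replace("\\", "/")))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = hash_file(path, ("md5",))["md5"]
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def verify_image(image_path, expected):
    """Compare an image with acquisition hashes, e.g. {'md5': ..., 'sha1': ...}.

    Every listed algorithm must match: a mismatch in any one means the copy
    (or the record) cannot be relied on. Returns (all_ok, computed_hashes).
    """
    computed = hash_file(image_path, tuple(expected))
    ok = all(hmac.compare_digest(computed[a], expected[a].lower()) for a in expected)
    return ok, computed


if __name__ == "__main__":
    import sys
    # python verify.py tools.md5 <tools_dir>      verify the tool kit
    # python verify.py <image> <md5> <sha1>       verify an acquired image
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            for name, status in verify_manifest(fh.read(), sys.argv[2]).items():
                print(f"{status:8} {name}")
    elif len(sys.argv) == 4:
        ok, digests = verify_image(sys.argv[1], {"md5": sys.argv[2], "sha1": sys.argv[3]})
        print("VERIFIED" if ok else "FAILED", digests)
```

Run the manifest check before every use of the tool kit, not only once at the start of the engagement: the check is what proves the binaries that produced the evidence are the ones whose hashes were recorded.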

CHAPTER 5
EVIDENCE ANALYSIS
Evidence TT001HDD (from MIKE's PC) and evidence TT002HDD (from the file server) were added to
FTK. Details obtained from the case log are shown below:

5.1 ADDING EVIDENCE TT002HDD TO FTK

Name/Number: File Server Disk / TT002HDD
Location: C:\Documents and Settings\All Users\Documents\File Server Image\HR_Server.001
Display name: HR_Server\Part_1\NONAME-NTFS
Type: Raw Drive Image, Partition, NTFS
Comment: None
Evidence-specific Case Refinement Settings: Add all files
Evidence-specific Index Refinement Settings: Index all files

05/27/2009 9:21:06 PM -- Starting to add evidence items...
05/27/2009 9:44:06 PM -- Successfully created HTML file listing during case pre-processing.
05/27/2009 9:44:07 PM -- Loading case
05/27/2009 9:44:07 PM -- Updating Overview Cache
05/27/2009 9:44:07 PM -- Filtering file list
05/27/2009 9:44:07 PM -- Initializing thumbnail view
05/27/2009 9:44:08 PM -- Resetting search terms list
05/27/2009 9:44:08 PM -- Building the indexed search results tree...
05/27/2009 9:44:08 PM -- Building the live search results tree...
05/27/2009 9:44:08 PM -- Building the bookmark tree

05/27/2009 12:55:40 AM -- Opened case: C:\Documents and Settings\Sword\Desktop\TT Bank\ using FTK
version 1.50 build 04.08.23

5.2 ADDING EVIDENCE TT001HDD TO FTK

Name/Number: MIKE PC Disk Image / TT001HDD
Location: C:\Documents and Settings\All Users\Documents\File Server Image\Mike_PC Img.001
Display name: Mike_PC\Part_1\NONAME-NTFS
Type: Raw Drive Image, Partition, NTFS
Comment: None
Evidence-specific Case Refinement Settings: Add all files
Evidence-specific Index Refinement Settings: Index all files

05/27/2009 9:21:06 PM -- Starting to add evidence items...
05/27/2009 9:44:06 PM -- Successfully created HTML file listing during case pre-processing.
05/27/2009 9:44:07 PM -- Loading case
05/27/2009 9:44:07 PM -- Updating Overview Cache
05/27/2009 9:44:07 PM -- Filtering file list
05/27/2009 9:44:07 PM -- Initializing thumbnail view
05/27/2009 9:44:08 PM -- Resetting search terms list
05/27/2009 9:44:08 PM -- Building the indexed search results tree...
05/27/2009 9:44:08 PM -- Building the live search results tree...
05/27/2009 9:44:08 PM -- Building the bookmark tree

05/27/2009 12:55:40 AM -- Opened case: C:\Documents and Settings\Sword\Desktop\TT Bank\ using FTK
version 1.50 build 04.08.23

5.3 RECOVERING DELETED AND HIDDEN FILES

5.3.1 Deleted Files

To avoid duplicating analysis steps, deleted files were recovered first. This was done
automatically by FTK on adding the raw image to the case. The screenshot below shows all
deleted files, including their creation date, last modification date, category, etc.

Recovered Files From Evidence Number TT001HDD (MIKE PC Disk Image)

The following recovered file was considered to be of evidential value:

C:\Documents and Settings\All Users\Documents\File Server Image\HR_Server.001

Fig 5.1 Deleted Files

5.3.2 Alternate Data Streams (ADS)

In addition to deleted files, hidden files in Alternate Data Streams were also checked for,
using the ADS Spy tool. ADS Spy lists, views or deletes Alternate Data Streams (ADS) on
Windows machines with NTFS file systems. It was used to run a search on all the folders in
the root directory of the evidence files and the following results were obtained:

ADS Found in Evidence Number TT001HDD (MIKE PC Disk Image)

31 hits were obtained from evidence number TT001HDD. Files and fragments of evidential value
were documented. The image file was then searched for files containing, or having the
filename, "Payroll".

7 hits were returned, showing 7 .xls files as listed in Table 5.1.

The MD5 values of the files found were computed and the files were saved in the
c:\TT_Bank\Evidence folder. Fig… shows a screenshot of the result.

Fig 5.2 Recovered Alternate Data Streams (MIKE PC)

ADS Found in Evidence Number TT002HDD (File Server Disk Image)

Searching for Alternate Data Streams in the file server image was particularly important because of the
possibility of malicious files or applications being hidden behind innocuous files. It gave an insight into the
method of compromise.

Results obtained using the ADS Spy utility show hidden streams attached to the file
c:\Windows\System32\calc.exe (an alternate data stream is attached to a file, not a directory).

Fig 5.3 Recovered Alternate Data Streams (File Server)

The following files were found hidden in streams of c:\Windows\System32\calc.exe:

• Genhash.exe
• Iam.exe
• Iamdll.dll
• Iam-alt.exe
• Pth.dll
• Whosthere.exe
• Whosthere-alt.exe

Further analysis revealed that the recovered Alternate Data Streams are components of the
Pass-the-Hash Toolkit.

5.3.3 Server Log Analysis

Date: 28th May, 2009
Time: 14:00 GMT

Event logs of the file server were reviewed, since the Network Administrator had earlier
configured auditing on the Windows Server 2003 installation running on the machine. Reviewing the
logs was particularly important as it enabled the tracking of access failures and successes.

The Security event log file, c:\Windows\System32\config\SecEvent.evt, was exported from the
TT002HDD (file server) image to the c:\TT_Bank\evidence folder and reviewed using Event Viewer
on Windows Server 2003. It was discovered that a Mike_Brown account accessed the files listed
below. Fig 5.4 shows successful and failed access attempts.

C:\Documents and Settings\All Users\Documents\File Server Image\Payroll1.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll2.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll3.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll4.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll5.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll6.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll7.xlsx
Fig 5.4 Event Log of TT002HDD (File Server)
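An offline triage of the Security log export described in step 6 of section 4.1 and reviewed above, as an added example that is not code from the report: it reads the tab-separated file that `dumpel -l security -t -f <file>` writes and flags the Windows Server 2003 event IDs this case turns on, 529 (failed logon), 528 with logon type 10 (Remote Desktop logon), 636 (member added to a security-enabled local group such as Administrators) and 560 (object open under object-access auditing). The column order of the export (date, time, type, category, event id, source, user, computer, then the event's insertion strings) and the string positions in `STRINGS` are assumptions about the dumpel and Server 2003 layouts; the sample records are constructed, with only the account, host and folder names taken from the report.

```python
"""Triage of a dumpel Security-log export for an unauthorized-access case (added example)."""
import csv
import io
from collections import Counter

FIELDS = ("date", "time", "type", "category", "event_id", "source", "user", "computer")

# Insertion-string positions per event ID (assumed Windows Server 2003 layouts).
STRINGS = {
    529: {"user": 0, "domain": 1, "logon_type": 2, "workstation": 5},
    528: {"user": 0, "domain": 1, "logon_type": 3, "workstation": 6},
    636: {"member": 0, "group": 2, "caller": 5},
    560: {"object": 2, "user": 6},
}


def parse_dumpel(text):
    """Yield one dict per record: the fixed fields plus 'strings' (everything after them)."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < len(FIELDS) or not row[4].isdigit():
            continue  # blank line or non-record noise
        rec = dict(zip(FIELDS, row))
        rec["event_id"] = int(rec["event_id"])
        rec["strings"] = row[len(FIELDS):]
        yield rec


def _s(rec, key):
    """Fetch a named insertion string, or '' if the record is shorter than expected."""
    idx = STRINGS[rec["event_id"]][key]
    return rec["strings"][idx] if idx < len(rec["strings"]) else ""


def triage(text, suspect, watch_path):
    """Return (findings, failed_admin_by_workstation); findings are (timestamp, text) in log order."""
    findings, failed_admin = [], Counter()
    for rec in parse_dumpel(text):
        eid, when = rec["event_id"], f'{rec["date"]} {rec["time"]}'
        if eid == 529 and _s(rec, "user").lower() == "administrator":
            ws = _s(rec, "workstation")
            failed_admin[ws] += 1
            findings.append((when, f"failed Administrator logon from {ws}"))
        elif eid == 528 and _s(rec, "logon_type") == "10":
            findings.append((when, f'RDP logon: {_s(rec, "domain")}\\{_s(rec, "user")} '
                                   f'from {_s(rec, "workstation")}'))
        elif eid == 636 and _s(rec, "group").lower() == "administrators":
            findings.append((when, f'{_s(rec, "member")} added to Administrators '
                                   f'by {_s(rec, "caller")}'))
        elif (eid == 560 and _s(rec, "user").lower() == suspect.lower()
              and watch_path.lower() in _s(rec, "object").lower()):
            findings.append((when, f'{suspect} opened {_s(rec, "object")}'))
    return findings, failed_admin


def _row(*cols):
    return "\t".join(cols)


# Constructed sample export (not case data): two failed Administrator logons from
# MIKE's PC, the account added to Administrators, an RDP logon, then a payroll open.
SAMPLE = "\n".join([
    _row("5/23/2009", "10:31:49 AM", "16", "Logon/Logoff", "529", "Security",
         "NT AUTHORITY\\SYSTEM", "TT002FS",
         "Administrator", "TTBANK", "3", "NtLmSsp", "NTLM", "TT001PC"),
    _row("5/23/2009", "10:31:54 AM", "16", "Logon/Logoff", "529", "Security",
         "NT AUTHORITY\\SYSTEM", "TT002FS",
         "Administrator", "TTBANK", "3", "NtLmSsp", "NTLM", "TT001PC"),
    _row("5/23/2009", "11:02:10 AM", "8", "Account Management", "636", "Security",
         "TTBANK\\Administrator", "TT002FS",
         "TTBANK\\Mike_Brown", "%{S-1-5-21-1-2-3-1201}", "Administrators", "Builtin",
         "%{S-1-5-32-544}", "Administrator"),
    _row("5/23/2009", "11:05:31 AM", "8", "Logon/Logoff", "528", "Security",
         "TTBANK\\Mike_Brown", "TT002FS",
         "Mike_Brown", "TTBANK", "(0x0,0x1A2B3C)", "10", "User32", "Negotiate", "TT001PC"),
    _row("5/23/2009", "11:07:02 AM", "8", "Object Access", "560", "Security",
         "TTBANK\\Mike_Brown", "TT002FS",
         "Security", "File", "D:\\HumanResources\\records\\emp_payroll\\Payroll1.xls",
         "120", "{0,1}", "1234", "Mike_Brown"),
])

if __name__ == "__main__":
    found, failed = triage(SAMPLE, "Mike_Brown", "emp_payroll")
    for when, what in found:
        print(when, what)
    print("failed Administrator logons by workstation:", dict(failed))
```

The value of the ordering is the point: a group-membership change (636) followed minutes later by a Remote Desktop logon (528, type 10) and an object open (560) on the payroll folder is the sequence the conclusion below infers, and reading it from the export directly is more defensible than reading it from a screenshot of Event Viewer. Object-access events only exist if the folder had a SACL configured, so an absence of 560 records does not by itself show the files were not touched.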

Table 5.1 Computed Hash Values of Recovered Files of Interest

Payroll files are located under C:\Documents and Settings\All Users\Documents\File Server Image\.

File Name         | Creation Date        | Last Modified        | MD5 Hash
Payroll1.xlsx     | 13/04/2008 13:00 GMT | 17/04/2008 14:00 GMT | 636DA7022B926A6483F033BE0D3290DA
Payroll2.xlsx     | 13/04/2008 13:30 GMT | 17/04/2008 14:00 GMT | 427EB61339937B6483F033BA1E3290EB
Payroll3.xlsx     | 13/04/2008 13:35 GMT | 17/04/2008 14:00 GMT | 547AB6235A714E6483F033BE0D3290AB
Payroll4.xlsx     | 13/04/2008 13:40 GMT | 17/04/2008 14:00 GMT | 636DA7022B926A6483F033BE0D3290DA
Payroll5.xlsx     | 13/04/2008 13:41 GMT | 17/04/2008 14:00 GMT | 636DA7022B926A6483F033BE0D3290DA
Payroll6.xlsx     | 13/04/2008 13:00 GMT | 17/04/2008 14:00 GMT | 636DA7022B926A6483F033BE0D3290DA
Payroll7.xlsx     | 13/04/2008 13:43 GMT | 17/04/2008 14:00 GMT | 547AB6235A714E6483F033BE0D3290AB
Genhash.exe       | 13/04/2008 13:43 GMT | -                    | 427EB61339937B6483F033BA1E3290EB
Iam.exe           | 13/04/2008 13:43 GMT | -                    | 547AB6235A714E6483F033BE0D3290AB
Iamdll.dll        | 13/04/2008 13:43 GMT | -                    | 547AB6235A714E6483F033BE0D3290AB
Iam-alt.exe       | 13/04/2008 13:43 GMT | -                    | 636DA7022B926A6483F033BE0D3290DA
Pth.dll           | 13/04/2008 13:43 GMT | -                    | 427EB61339937B6483F033BA1E3290EB
Whosthere.exe     | 13/04/2008 13:43 GMT | -                    | 547AB6235A714E6483F033BE0D3290AB
Whosthere-alt.exe | 13/04/2008 13:43 GMT | -                    | 547AB6235A714E6483F033BE0D3290AB

5.3.4 TIME STAMPS AND OTHER METADATA

Metadata from all files that exist in the evidence, deleted and logical, were acquired before
they were exported. This included full filenames, file sizes, MD5 hashes, etc. The metadata was
particularly useful for filename searches, timeline analysis and reporting. By having the
metadata, the number of files needing analysis was reduced significantly. Fig… shows filenames,
time stamps and their MD5 and SHA-1 values.

CHAPTER 6

CONCLUSION
1. The recovered files on MIKE's PC reveal a possible security breach, since only the Administrator
   and members of the HR_ADMIN group had access rights to those documents.

2. The Pass-the-Hash Toolkit recovered using the ADS Spy utility gave further insight into the
   possible mode of compromise. The toolkit contains utilities to manipulate the Windows logon
   sessions maintained by the LSA (Local Security Authority) component. These tools allow the
   intruder to list the current logon sessions with their corresponding NTLM credentials (e.g.
   users remotely logged in through Remote Desktop/Terminal Services), and also to change at
   runtime the current username, domain name and NTLM hashes.
   It is suspected that this toolkit was used to gain administrator privilege while the Network
   Administrator was logged in via Remote Desktop, which gave unfettered access to the HR
   payroll files.

3. The event logs obtained also show that a MIKE_Brown account had administrator privilege at
   various times (as shown in Fig 5.4). This account, according to the Bank's Systems
   Administrator, Mr. Ali (TT102), was originally set up as a standard user.

6.1 RECOMMENDATIONS

To mitigate the possibility of any of the systems being compromised, the administrator should
severely limit who has administrative or elevated privileges on computers in the trusted domains
and forests, and minimize the chances that any of those privileged accounts will be logged on.
Success in this regard depends on well-architected computer management strategies.

The following are some characteristics of good management strategies:

• Management tools that run agents locally on each managed workstation/server should be used
  to minimize the need for accounts that have elevated privileges on a large number of
  computers. (These agents would typically run as SYSTEM or Network Service, would therefore
  have elevated privileges only on that computer, and would periodically contact a central
  management server for instructions.)
• The Network Administrator must ensure that services never run under administrator accounts.
• Least privilege should always be applied in delegation.
• Domain admin accounts should log on directly only to domain controllers.
• The local admin password should be unique for every managed computer.
• Activities such as browsing the web, reading email or other Internet use should not be done
  using administrator accounts.
• Use antivirus/antimalware protection, and stay updated on security patches for all software.
• Minimize the use of administrator accounts.

APPENDIX A

CHAIN OF CUSTODY FORM


Item 1

Evidence description/number: Seagate Barracuda XT, Serial Number SB1002342XT / TT001HDD
Acquisition date: 26/05/2009
Acquisition location: Loans Department, TT Bank
Acquired from (signature): Mr. ALI (TT102)
Storage location: Loans Department, TT Bank

Transfer date: 26/05/2009
Transferred to (location): Platinum Lab
Now in custody of (signature): Anthony Iwuagwu, Lead Investigator
Storage location: Platinum Lab

Item 2

Evidence description/number: Seagate Barracuda XT, Serial Number SB2113442XT / TT002HDD
Acquisition date: 26/05/2009
Acquisition location: Server Room, TT Bank
Acquisition method: Legal Warrant
Acquired from (signature): Mr. ALI (TT102)
Storage location: Loans Department, TT Bank

Transfer date: 26/05/2009
Transferred to (location): Platinum Lab
Transfer reason: Forensic Investigation
Now in custody of (signature): Anthony Iwuagwu, Lead Investigator
Storage location: Platinum Lab

APPENDIX B

PLATINUM SECURITY INC.


SERVICE REQUEST FORM

Company Name: TT Bank
Contact Name: Mr. Ali
Mailing Address: TT Bank Bhd, 57000, Bukit Jalil
City: Kuala Lumpur
State: Selangor
Country: Malaysia
Phone: 0172132323
Fax: 09022344
E-Mail: tt_bank@gmail.com

Description of Needs and Comments


Investigation into an alleged unauthorized access to Human Resource files and folders by TT Bank
Employee.

Signature:_____________________________________________________
Date:_________________________________________________________

REFERENCES

Keith J. Jones et al. (2006), "Real Digital Forensics: Computer Security and Incident
Response", Prentice Hall.

Kevin Mandia et al. (2005), "Incident Response and Computer Forensics", McGraw Hill.

Harlan Carvey (2004), "Windows Forensics and Incident Recovery", Addison Wesley.

Basic Principles of Information Protection: A consideration surrounding the study of protection
[Online], http://web.mit.edu/Saltzer/www/publications/protection/Basic.html [Accessed 13th
August, 2008].

A Systems Approach to Security Design: Adopting an Inclusive View [Online],
http://transit-safety.volpe.dot.gov/security/SecurityInitiatives/DesignConsiderations/CD/sec2.htm
[Accessed 13th August, 2008].

Tab Systems Inc., "Controlling your business" [Online], http://www.tab-systems.com/attendance.php
[Accessed 13th August, 2008].

National Industrial Security Program, "Clearing and Sanitizing matrix" [Online],
http://www.dtic.mil/whs/directives/corres/html/522022m.htm [Accessed 28th September, 2009].
