First published June 2010
by Sean McLinden
The focus of these stories was the risk to personal privacy, but to forensic examiners and eDiscovery personnel there is a more significant issue: when does the data contained in such devices constitute evidence deserving of preservation and a possible subject of discovery? More importantly, perhaps, when does a thorough investigation demand examination of information held in a peripheral that is not normally the subject of a forensic examination?
A couple of recent cases presented to our offices illustrate when and how such concerns arise.
Case 1: A branch office of a financial services company became concerned that confidential information was in the possession of unauthorized employees and outsiders. This arose after a client noticed a securities trade that had been undertaken on their behalf but without their knowledge or consent. Internal IT personnel examined each of the office computers and found no evidence of malware or keyloggers, and no PII in the possession of anyone but authorized personnel. An outside digital forensics (DF) firm was brought in to investigate and found no evidence of an intrusion or of data leaving the network. A former IT administrator was the principal suspect, but he had been gone for over six months and his account had been disabled. A second DF firm was brought in to confirm the findings of the original firm.
The second firm noticed, as had the first, that the small office used a Linksys wireless access point (WAP) in lieu of a wired network. Interviews with the IT personnel then on staff, and attempts to sniff the wireless network, confirmed that WPA2-PSK was in use and that the key was strong. The SSID was not broadcast. Using the Web administrative console, the second DF firm determined that the firmware was not the Linksys default but a modified kernel based on Sveasoft Talisman. Further examination showed that it had been configured for port mirroring, which was also not the default. The former IT administrator had set up a rogue access point which effectively doubled as the business's secure access point: every frame crossing it could be copied to another port without leaving any trace on the office computers that both examinations had already cleared.
Case 2: Another SOHO used a popular retail network attached storage (NAS) device for its Microsoft Windows® network. At issue was suspected unauthorized access to privileged information. While the network share appeared as a Windows® filesystem, the NAS operating system was actually Linux running kernel 2.16 and Samba. Accessing the public share from a Linux host with root privileges bypassed Windows® authentication, and nmap showed an unexpected open SSH port. Though root login was disabled, the system allowed authorized users to elevate privileges with sudo. In order to evade general detection, the miscreant had edited /etc/sudoers to restrict these permissions to a small number of accounts. Nonetheless, once the appropriate credentials had been obtained, it was determined that the system had been altered in numerous ways to obfuscate records of outside access, including iptables redirects and hacks to prevent logging of certain activities. One telling finding was the installation of the GNU C Compiler, which was not part of the default firmware.
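The three artifacts that gave Case 2 away (a reworked /etc/sudoers, iptables rules that redirect or quietly exempt traffic, and build tools that no retail firmware ships) can be checked offline once they have been copied off the device. The following script is an added example written for this page; it is not code from the article or from any NAS vendor. The vendor baseline (which sudoers principals are expected, which build tools should be absent), the sample sudoers file, the iptables-save output and the list of binaries are all constructed for illustration and do not describe a real product.

```python
"""Offline triage of configuration recovered from an embedded Linux NAS.

Added example, not code from the article or from any NAS vendor. It
assumes the examiner has already copied three things from the device or
its mounted image: /etc/sudoers, the output of `iptables-save`, and the
names of the executables in the firmware's PATH. The baseline and all
sample inputs below are constructed for illustration.
"""
import re

# Constructed sample: a vendor-style sudoers with one extra NOPASSWD account.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
svc_backup  ALL=(ALL) NOPASSWD: ALL
"""

# Constructed sample: iptables-save output with a port redirect, a DNAT, and
# an ACCEPT for one outside host placed ahead of the LOG rule for SSH.
SAMPLE_IPTABLES = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222
-A PREROUTING -s 203.0.113.7/32 -p tcp --dport 445 -j DNAT --to-destination 192.168.1.20:445
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7/32 -j ACCEPT
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh: "
COMMIT
"""

# Constructed sample: executables found on the device.
SAMPLE_BINARIES = ["busybox", "smbd", "nmbd", "sshd", "gcc", "cc1", "as", "ld"]

# Assumed vendor baseline: sudoers principals that ship by default, and
# build tools that should never be present on a retail NAS image.
BASELINE_SUDO_PRINCIPALS = {"root", "%admin"}
BUILD_TOOLS = {"gcc", "cc", "cc1", "as", "ld", "make", "tcc"}


def sudoers_rules(text):
    """Map each user/group principal in a sudoers file to its privilege spec."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules[parts[0]] = parts[1]
    return rules


def unexpected_sudoers(text, baseline=BASELINE_SUDO_PRINCIPALS):
    """Principals not in the baseline, or granted NOPASSWD elevation."""
    return {who: spec for who, spec in sudoers_rules(text).items()
            if who not in baseline or "NOPASSWD" in spec}


def iptables_findings(text):
    """Flag nat-table redirects and filter ACCEPTs that bypass a later LOG rule."""
    findings = []
    table = None
    unlogged_accepts = []  # source-specific ACCEPTs seen before any LOG rule
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            unlogged_accepts = []
            continue
        if not line.startswith("-A"):
            continue
        match = re.search(r"-j (\S+)", line)
        target = match.group(1) if match else ""
        if table == "nat" and target in ("REDIRECT", "DNAT"):
            findings.append("nat %s rule: %s" % (target, line))
        elif table == "filter":
            if target == "ACCEPT" and "-s " in line:
                # Packets matched here are accepted before any later rule can log them.
                unlogged_accepts.append(line)
            elif target == "LOG":
                for accepted in unlogged_accepts:
                    findings.append("ACCEPT precedes LOG, source never logged: %s" % accepted)
                unlogged_accepts = []
    return findings


def build_tools_present(binaries, tools=BUILD_TOOLS):
    """Build tools found on the device; a retail NAS image normally ships none."""
    return sorted(set(binaries) & tools)


def triage(sudoers, iptables_save, binaries):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "sudoers": unexpected_sudoers(sudoers),
        "iptables": iptables_findings(iptables_save),
        "build_tools": build_tools_present(binaries),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_SUDOERS, SAMPLE_IPTABLES, SAMPLE_BINARIES).items():
        print(check, "->", result)
```

In practice the three inputs should be read from a forensic image of the device's flash rather than from the live, possibly compromised, system. The ordering check on the filter table matters because iptables stops at the first matching terminal target, so an ACCEPT for one source placed ahead of a LOG rule silently excludes that source from the logs while everything else still appears to be logged normally.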
Note that both of these cases began as computer forensic cases rather than as what would be considered incident response: that there had been an incident at all was only suspected.
Today, a number of USB and network attached devices, such as wireless modems, Bluetooth adapters and printers, accept CF cards, USB flash drives and microSDHC cards capable of storing up to 32 GB. In the case of multifunction printers, a USB flash drive attached directly to the printer may appear in the Windows registry as a network share rather than as a typical USB drive, so the host's usual USB artifacts will not record it. What resources exist to identify the actual physical device attached in such a way?
Cases such as these illustrate the considerable complexity of performing a thorough digital forensic analysis given the ever-expanding capabilities of even the "simplest" devices, and the need for forensic investigators to thoroughly understand the enterprise: not just the computers, but any device whose default configuration can be overridden by a user with no more sophistication than access to a Web browser and the device's own administrative console. Now, more than ever, digital investigators need to think outside the "box."
Sean McLinden, MD, is the President and CEO of Outcome Technology Associates, Inc. (OTA), a provider of digital forensics, incident response, eDiscovery and litigation support services to clients in the US and abroad. Trained as a neurologist, McLinden applies the same methodologies he uses as a diagnostician to problems in digital forensics, including a probabilistic approach to choosing the strategy by which to conduct an investigation. McLinden lives with his wife, also a forensic investigator, and son in a sleepy little Ohio River community near Pittsburgh, PA, where, when he is not dabbling in forensics, he relaxes with his family on a vintage (1928) sternwheel paddleboat.