I don't work in law enforcement but I do a small amount of forensics for work when needed, mainly for disciplinaries etc. A situation has arisen that is a little out of our depth.
One of our network admins (with full domain admin rights) has been found with some pictures he shouldn't have. We have obviously taken his PC away from him (now suspended) so we can image and analyse it. Our concern is with his level of admin rights on the network. He has the ability to store pictures really anywhere on the network to hide them; he could also use encrypted volumes or containers or virtual machines to hide his data anywhere on the network excluding his PC.
This is something we have never faced before and we were hoping for some advice on the best way to deal with this. How can we effectively and efficiently trawl the network for these types of pictures or virtual machines or encrypted containers?
What type of logging do you have in place on the network?
Can you see his network traffic or web traffic?
What drives did he map that are not mapped?
Can you see where he uploaded/downloaded the pics from?
When you saw pictures he should not have, are the models over 18? If not, then you are calling Law Enforcement.
If you are not firing the admin, then make it a stipulation of keeping his job that he gives you all locations. Once he gets his machine back, track ALL movements and it might help in finding more…
On a personal note -
DO NOT give him special treatment because of his position.
I worked for a company on the help desk; we had a similar thing where the guy violated multiple acceptable usage policies (one being a porn site). 3 of the 10 contained the wording "immediate termination" for violating the policies, but because of who he was and his position they did not follow through. A few weeks later someone in my area was caught on a porn site and they fired him immediately.
The sole source for answers to this question comes from an investigation of which the forensics is but a part (for example, interviews are needed).
Regarding the forensics, I suggest recreating employee behavior from the computer to the best of your ability. Anything more special than simple copy-and-store of data to network shares should be evident on the seized computer.
In regard to Patories' comment, I recommend you do handle this with special treatment. In my experience, system administrators are given the 'fear of god' speech: they have an additional responsibility because of their position, and policy infractions are met with a sterner consequence. That being said, if there is no special policy or code of ethics to be signed, this is all fluff. But hey, I'll include it for the audience.
How big is the enterprise? Searching for data 'owned' by the SID of the administrator's account is one option. Time consuming to be sure, but about as all-conclusive as can be expected.
Also, does he collaborate with others? This is where interviews come in handy. I hope your investigator, (HR or whatever) is working closely with you.
algecan - how big is the site (servers / desktops / VMs / backup devices)?
How many users?
How long has he worked there?
Is it primarily an MS site or are there other OSes in play?
What is the level of logging on AD?
Was he involved in desktop builds / rollouts?
What's the USB device policy?
How many 'user' accounts does he have access to?
So many questions - you need to build a profile of the site before you can start to evaluate how to catalog it.
Finally, I presume you have locked out his remote access and changed passwords on all service / admin accounts.
Well, there is porn and pr0n (that's what the who/position guy was probably looking at).
@algecan
Seriously, if you suspect a CP case call the Police, NOW.
If it's "legit porn" (i.e. >18) you can deal with the issue.
There are so many ways to "hide" or "embed" a picture or video that it is already very difficult to be sure you have found "everything" on a very limited (and confined) space such as a desktop or laptop hard disk.
A network admin normally also has access to user accounts/passwords, so it is possible that whatever is stored on the network is under some other person's name, someone who is in perfectly good faith and unaware that they host that stuff.
As a semi-random thought, in one of the companies I worked with the "normality" was, when - for whatever reason - an employee resigned (or was fired), his account remained "existing", with the network admin having access to it to forward documents/old projects to the person requesting them.
If you have tens or hundreds of users, it will take TIME to scan "everything"...
IF the case is NOT a "criminal" one, looking for cooperation from the ex-admin seems like very sensible advice.
jaclaz
algecan, some further observations for you.
The replies above are useful and the posters have been generous with their info. To add to what has already been suggested, perhaps you may wish to consider bringing in an outsider who is experienced in this particular area of investigation on corporate networks. I am not offering you my services because I work in a different technology area. Be aware of some pitfalls that can be experienced by those new to dealing with the type of 'viewing' your post may be suggesting: if it is IIoC material, then there are three pillars of evidence you may be required to prove:
1) Mens Rea (intention)
2) Actus Reus (the act - conduct/outward set of events)
3) the tools that bring about 'viewing' -> 'making', 'being in possession' etc
It doesn't automatically follow that intention has to arrive before the act. There is an old English case of a driver of a Mini where the wheel of the Mini accidentally rolled onto a policeman's foot. When the officer pointed out that the wheel was on his foot and 'instructed' the driver to remove it, the driver failed to move the car wheel off the officer's foot, with the obvious consequences that would follow from that event. The court determined that at the point of failing to move the wheel (the driver's conduct) the driver's mind was sufficiently engaged to comprehend the consequences of the act, and continuing on with the act gave rise to the 'intention' of the driver. The principle being that actus reus does not necessarily have to occur at the same time as mens rea. (I am not a lawyer and I am not giving you legal advice.)
If your policies, practices and procedures expressly state what may not be viewed on the corporate system, and the person can be shown to have known, understood, observed, and read them, then you have 'instruction'. That would need to be balanced with a claim of why the person was 'unaware' of what was taking place.
There are plenty of very skilled people out there in this area who should be able to help you if you need it.
Thanks for all the help guys, really useful.
It's all >18 so no need for the police at this time.
The guy has had all his access removed, inc. remote access. He has also provided us with all the passwords for the servers.
As for the network, it is MS based with a fair few thousand users, but we are not sure what logging takes place so it will be something we need to look into.
We have seized his PC and also a fair few external HDDs and USB drives to make a start. One of the things that we have noticed is that TrueCrypt is installed. So at the moment that is our main focus.
Do you have specific file names?
If so, File Locator can be used to scan entire networks.
He has the ability to store pictures really anywhere on the network to hide them; he could also use encrypted volumes or containers or virtual machines to hide his data anywhere on the network excluding his PC.
Is there anything within the image of his system that would indicate that he did any of this? Has your analysis provided any indication of remote access (mapping drives, RDP, VNC, etc.) to other systems? Have you found any indications of access to encrypted containers (perhaps via the MountedDevices key)?
For example, if your admin created an encrypted (TrueCrypt) volume on another system, two ways to access it are to
a. Get up and walk over to that system to access it; and
b. Access it remotely.
For a., go to the system and see if there's anything installed for creating and maintaining encrypted containers.
For b., check the acquired system for indications that it was used to access encrypted containers.
How can we effectively and efficiently trawl the network for these types of pictures or virtual machines or encrypted containers?
Trawling the network for pictures, VMs, and encrypted containers is one thing…and a pretty trivial thing, at that. For pictures, you can script mapping a drive, running 'dir /s *.jpg', and then deal with all of the data. For VMs, you can search for installed applications as well as the file types in question (.vmdk, .vhd, etc.).
For access to encrypted containers, I'd look initially to the MountedDevices key…this can be scripted, as well.
I guess the question I would ask is, how would you then go about tying any of what you found to the dismissed admin?
HTH
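To make the trawling step above concrete, here is an added example (my own code, not keydet89's or any other poster's) in Python. It walks a local path or a mapped share, identifies pictures by their file signature rather than by extension (so a JPEG renamed to .txt is still found, which a plain 'dir /s *.jpg' would miss), flags VM disk files by extension, and applies an entropy heuristic for files that could be TrueCrypt-style containers, which carry no signature at all. The extension list, the entropy threshold and the minimum container size are assumptions to tune per site; anything flagged as a possible container needs manual review, because compressed archives and encrypted backups look the same statistically.

```python
import hashlib
import math
import os
from pathlib import Path
from typing import Dict, List, Optional

# Public file signatures for the picture formats we want to find. Matching on
# these catches files whose extension was changed (photo.jpg -> notes.txt),
# which an extension-only search such as 'dir /s *.jpg' misses.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# VM disk and descriptor extensions to flag. Assumed list: extend it to what
# the hypervisors on your site actually produce.
VM_EXTENSIONS = {".vmdk", ".vhd", ".vhdx", ".vdi", ".qcow2", ".ova", ".vmx"}

# Heuristic thresholds for "looks like an encrypted container". TrueCrypt
# volumes have no signature, so statistics are all we have; tune per site.
SAMPLE_SIZE = 64 * 1024           # bytes read from the head of each file
ENTROPY_THRESHOLD = 7.9           # bits per byte (random data is close to 8.0)
MIN_CONTAINER_SIZE = 1024 * 1024  # ignore small high-entropy files (keys, certs)
SECTOR = 512                      # container sizes are a whole number of sectors


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: Path) -> Optional[str]:
    """Return 'image', 'vm_disk', 'possible_container' or None for one file."""
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_SIZE)
    except OSError:
        return None  # unreadable (locked, no permission): log it and move on

    for magic in IMAGE_MAGIC:
        if head.startswith(magic):
            return "image"
    if path.suffix.lower() in VM_EXTENSIONS:
        return "vm_disk"
    if (size >= MIN_CONTAINER_SIZE and size % SECTOR == 0
            and shannon_entropy(head) >= ENTROPY_THRESHOLD):
        return "possible_container"
    return None


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` (a local path or mapped share) and bucket hits by category.

    Paths are returned relative to `root` and sorted, so two runs can be diffed."""
    root_path = Path(root)
    hits: Dict[str, List[str]] = {"image": [], "vm_disk": [], "possible_container": []}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # don't follow links out of the share being examined
            kind = classify_file(p)
            if kind:
                hits[kind].append(str(p.relative_to(root_path)))
    for kind in hits:
        hits[kind].sort()
    return hits


def sha256_of(path: str) -> str:
    """Hash a hit so the finding is recorded before anything is moved or copied."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, paths in results.items():
        for rel in paths:
            print(f"{kind:20s} {sha256_of(os.path.join(sys.argv[1] if len(sys.argv) > 1 else '.', rel))} {rel}")
```

Run it against each share the admin could reach (python scan.py X:\) and keep the output with the hashes, since a file that is later moved can still be matched by hash. Reading the head of every file on a network with a few thousand users is slow, so scope the run to the shares and servers his account actually had rights on, and note that this only answers "what is out there"; tying a hit to the admin still needs the ownership, access logs and MountedDevices evidence discussed above.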
(Presuming not CP)
We interrogate the individual and then fire the person.
We do a basic scan of the infrastructure where the individual had access, but ultimately the horse left the barn, past a certain point of size and level of access.
That is, some infrastructures are so large and complex, a high level administrator can stash things pretty much anywhere. After all, how long would it take to locate a 2TB drive in 5 acres of cabinets across multiple facilities?
The 2TB drive sooner or later will pop up on patching, asset tag review, physical inventory or device failure - then we clean up.
Additionally, if the person is more tech savvy, they tend to keep their "