I have been provided with a laptop from a corporate environment and asked to report on any evidence of "data leakage". I have been given no clue as to the type or volume of data, or details of the user.
My first thoughts are:
LNK files / jump lists
USB history
Email attachments
Mapped drives / UNC paths
Access to web sites such as Dropbox, etc.
FTP sessions
Zip files
Anyone got any further ideas?
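As a worked illustration of the first and fourth items in that list (LNK files and mapped drives / UNC paths), here is a small parser for the Windows Shell Link format. It is an added example, not code from the original post or any tool mentioned in it. It reads only the LinkInfo block described in MS-SHLLINK (VolumeID, LocalBasePath, CommonNetworkRelativeLink), which is where a .lnk records the drive type, volume serial number, volume label and path of the file the user opened, so a link whose target sat on a removable or network volume is a lead worth following. The two sample links at the bottom are constructed in the script itself; the serial number, label, share name and file names are invented for the example.

```python
"""Minimal Windows Shell Link (.lnk) parser for data-movement triage.
Extracts drive type, volume serial/label, local path and UNC share from the
LinkInfo block (layout per MS-SHLLINK). Sample links below are constructed."""
import struct

HAS_LINK_TARGET_ID_LIST = 0x01           # LinkFlags bit A
HAS_LINK_INFO = 0x02                     # LinkFlags bit B
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01     # LinkInfoFlags bit A
COMMON_NETWORK_RELATIVE_LINK = 0x02      # LinkInfoFlags bit B
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def _cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\0", off)].decode("latin-1")


def parse_lnk(data):
    """Return target details from a .lnk blob; raise ValueError if malformed."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the PIDL; LinkInfo follows it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"drive_type": None, "volume_serial": None, "volume_label": None,
            "local_path": None, "net_name": None}
    if not flags & HAS_LINK_INFO:
        return info
    li = pos
    li_size, hdr_size, li_flags, vol_off, lbp_off, cnrl_off, suffix_off = \
        struct.unpack_from("<7I", data, li)
    if hdr_size < 0x1C or li + li_size > len(data):
        raise ValueError("malformed LinkInfo")
    suffix = _cstr(data, li + suffix_off)        # CommonPathSuffix, often empty
    if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        vol = li + vol_off
        _size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
        info["drive_type"] = DRIVE_TYPES.get(drive_type, "UNKNOWN")
        info["volume_serial"] = "%08X" % serial
        if label_off != 0x14:                     # 0x14 means label is in the Unicode field
            info["volume_label"] = _cstr(data, vol + label_off)
        info["local_path"] = _cstr(data, li + lbp_off) + suffix
    if li_flags & COMMON_NETWORK_RELATIVE_LINK:
        cnrl = li + cnrl_off
        _size, _cflags, net_off, _dev_off, _prov = struct.unpack_from("<5I", data, cnrl)
        info["net_name"] = _cstr(data, cnrl + net_off) + "\\" + suffix
    return info


def leakage_indicator(info):
    """Why this link target matters for a data-movement review, or None."""
    if info["drive_type"] == "REMOVABLE":
        return "opened from removable media (serial %s)" % info["volume_serial"]
    if info["net_name"] is not None or info["drive_type"] == "REMOTE":
        return "opened from a network share"
    return None


def build_lnk(drive_type=None, serial=0, label="", local_path=None,
              net_name=None, suffix=""):
    """Build a minimal .lnk carrying only a LinkInfo block (constructed test data)."""
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    header += b"\0" * (76 - len(header))         # attrs, FILETIMEs, size, icon, show, hotkey
    li_flags, blob = 0, b""
    vol_off = lbp_off = cnrl_off = 0
    if local_path is not None:
        li_flags |= VOLUME_ID_AND_LOCAL_BASE_PATH
        lbl = label.encode("latin-1") + b"\0"
        vol_off = 28 + len(blob)
        blob += struct.pack("<4I", 16 + len(lbl), drive_type, serial, 16) + lbl
        lbp_off = 28 + len(blob)
        blob += local_path.encode("latin-1") + b"\0"
    if net_name is not None:
        li_flags |= COMMON_NETWORK_RELATIVE_LINK
        nn = net_name.encode("latin-1") + b"\0"
        cnrl_off = 28 + len(blob)
        blob += struct.pack("<5I", 20 + len(nn), 0, 20, 0, 0) + nn
    suffix_off = 28 + len(blob)
    blob += suffix.encode("latin-1") + b"\0"
    li_header = struct.pack("<7I", 28 + len(blob), 28, li_flags,
                            vol_off, lbp_off, cnrl_off, suffix_off)
    return header + li_header + blob


# Constructed samples: one file opened from a USB stick, one from a share.
REMOVABLE_LNK = build_lnk(drive_type=2, serial=0x1A2B3C4D, label="KINGSTON",
                          local_path="E:\\Customers\\q3_accounts.xlsx")
NETWORK_LNK = build_lnk(net_name="\\\\fileserver\\finance",
                        suffix="export\\payroll.csv")

if __name__ == "__main__":
    for blob in (REMOVABLE_LNK, NETWORK_LNK):
        info = parse_lnk(blob)
        print(info["local_path"] or info["net_name"], "->", leakage_indicator(info))
```

Two caveats for real evidence: links written by Explorer almost always carry a LinkTargetIDList (skipped here, not parsed) and may store the path and label only in the Unicode fields when LinkInfoHeaderSize is 0x24 or larger, which this parser does not read, so treat it as a way to understand what the artifact holds rather than a replacement for a full LNK/jump-list tool. The volume serial number is the useful pivot: matching it against the USBSTOR / MountedDevices records from the same image ties a file access to a specific device.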
So you are asked to identify something that you do not know how to identify, as you have no reference?
Sounds simple.
My suggestion is to go back to the folks who assigned/handed this to you and ask for some clarification.
What constitutes "data" in this case? What data do they think may have been leaked, and what makes them think that? Was it something in web proxy logs?
Interestingly enough, this is a very common occurrence in IR…when responders are called, there are often very loose and ill-fitting descriptions of what might have occurred, and as such, ambiguous terms are used.
So…once you determine what data may have been leaked, try to get an idea or description of how the incident was identified. Don't be afraid to ask clarifying questions…the person with whom you're speaking may get frustrated, so you'll need to guide them through this process.
The alternative is that you could spend a great deal of time and effort, and never find anything.
My suggestion is to go back to the folks who assigned/handed this to you and ask for some clarification.
What constitutes "data" in this case? What data do they think may have been leaked, and what makes them think that? […]
I have received similar requests.
The problem with doing anything before having the answers to the above questions is one of scope and effort justification.
In my experience, when I allowed myself to be pulled into similar situations, it always ended uncomfortably with the client.