Hi everyone
My first post on the forum. I have a case where I am trying to find out if my company data has been transferred via an email account, not the internal Exchange server but rather a Hotmail, Gmail, etc. web-based account.
Also trying to find out if files were transferred to an external USB device.
Is there any software which can assist in this? The machine in question is running Windows XP and the other is running Windows 7.
Any advice on this would be greatly appreciated
Thank you
Samantha
There is no "find all evidence" software. Engage the services of a properly trained and experienced computer forensic examiner. Unless of course you understand internet history parsing, deleted file recovery, registry inspection, link file analysis and chain of custody.
Agree with Tony - what you are looking for involves the experience and skill set of someone who deals with this regularly as a professional. There are so many areas to look: servers, clients, routers, etc., each with their own unique and respective artifacts. You need someone to come in and do a top-down evaluation to understand how data moves around, in and out of the network, to develop an investigation plan. What you are asking is essentially akin to walking into a hardware store and saying "I want to buy some tools and materials to build a house." The first thing you would be asked is: where are the architect's drawings; where are the professionally developed plans?
I am not saying you can't be that person, but it will require some homework on techniques and methodology - not necessarily tools. This can take time, and if it is a time-sensitive project it's best to call in professionals. A few areas to learn about in this case (as in Tony's post) would be browser artifacts, reg hives, LNK files and unallocated space, which can have a ton of information.
Guys thank you for the replies.
Samantha
Hello Samantha,
As the others have said, there is no magic bullet, I'm afraid. I have done a few of these kinds of investigations in the past, so here are some of the things which have helped me:
1. If the content was posted to the internet via a proxy of some kind (most corporates have one) then, assuming you know the source IPs used by your subject, check out the logs for the attachment processing pages used by Hotmail, Gmail, Facebook etc. The amount of data transferred, as shown by the byte count, would have to be greater than the size of the content you suspect has been leaked.
2. Do the same as the above for Dropbox, SkyDrive and similar sites.
3. In general any activity where the byte count is greater than the size of the data is worth reviewing.
4. If you suspect a USB drive was used then check out USBSTOR and the usual locations to find references to newly created entries for USB drives. Don't forget that the registry maintains metadata so you can get date and owner information for any keys (although not so easy in EnCase).
5. Check out the MRU for any compression tools. Invariably the content was compressed before it was sent so you may get an MRU entry and/or you could find deleted MFT records for the temporary files created by the compression tool.
Hope this helps.
Alan
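The proxy-log triage Alan describes in points 1 to 3 (filter to the subject's source IPs, look at upload endpoints of webmail and file-sharing sites, and flag anything whose byte count is at least the size of the suspected leak), written out as an added example. This is not code from the thread or from any proxy vendor. The log line layout `timestamp client_ip method url status client_bytes`, the sample lines, and the list of upload hosts are all constructed for the example; a real proxy's format and the direction its byte column measures (request body versus response) must be confirmed from the product's documentation before the threshold means anything.

```python
"""Flag proxy-log requests large enough to have carried a leaked file.

Added example for the thread above, not the original poster's code.
Assumed (constructed) log format, one request per line:
    <timestamp> <client_ip> <method> <url> <status> <client_bytes>
where client_bytes is the number of bytes the client sent (request body).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical upload hosts for the services named in the thread.  Real
# webmail/cloud hosts change often; refine this list from the logs themselves.
UPLOAD_HOST_HINTS = {
    "mail.live.com": "Hotmail",
    "mail.google.com": "Gmail",
    "upload.facebook.com": "Facebook",
    "dl-web.dropbox.com": "Dropbox",
    "skydrive.live.com": "SkyDrive",
}

LINE_RE = re.compile(
    r"^(?P<when>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<client_bytes>\d+)$"
)

# Constructed sample log; 10.0.0.45 is the subject's workstation.
SAMPLE_LOG = """\
2012-03-01T09:14:02 10.0.0.45 GET http://www.example.com/ 200 412
2012-03-01T09:16:40 10.0.0.45 POST https://mail.live.com/mail/AttachmentUploader.aspx 200 3150000
2012-03-01T09:20:11 10.0.0.45 POST https://dl-web.dropbox.com/upload 200 2048
2012-03-01T09:31:55 10.0.0.46 POST https://mail.google.com/mail/?ui=2 200 9000000
2012-03-01T10:02:19 10.0.0.45 PUT https://files.example.org/put/report.zip 201 3200000
"""


@dataclass
class Hit:
    when: str
    client: str
    service: str
    url: str
    client_bytes: int


def classify(url):
    """Map a URL to a known upload service name, or None if unrecognised."""
    host = urlparse(url).hostname or ""
    for hint, service in UPLOAD_HOST_HINTS.items():
        if host == hint or host.endswith("." + hint):
            return service
    return None


def find_suspect_uploads(lines, subject_ips, leaked_size, include_unknown=False):
    """Return uploads from subject_ips whose client byte count >= leaked_size.

    With include_unknown=False only known webmail/cloud hosts are reported
    (Alan's points 1 and 2); with include_unknown=True every large POST/PUT is
    reported regardless of host (his point 3), which catches services not yet
    in UPLOAD_HOST_HINTS.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        if m["client"] not in subject_ips or m["method"] not in ("POST", "PUT"):
            continue
        service = classify(m["url"])
        if service is None:
            if not include_unknown:
                continue
            service = "unknown"
        nbytes = int(m["client_bytes"])
        if nbytes >= leaked_size:
            hits.append(Hit(m["when"], m["client"], service, m["url"], nbytes))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_uploads(SAMPLE_LOG.splitlines(), {"10.0.0.45"},
                                    3_000_000, include_unknown=True):
        print(f"{hit.when} {hit.client} {hit.service:8} {hit.client_bytes:>9} {hit.url}")
```

Two practical points on the threshold: because Alan's point 5 notes the content is usually compressed before it is sent, the size to compare against is the compressed archive, not the original documents, so pick a lower bound rather than the exact file size; and a leak split across several smaller uploads will not cross the threshold at all, so it is worth also summing the bytes per client and per host over the window of interest.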
Hi Alan,
Thank you for your ideas, they are very useful. I am already investigating the proxy to check for unusual byte counts. I have had a look at the USBSTOR to get an idea of what devices were attached. But is there any way of using the registry information to tell us when it was last used or what may have been transferred to it?
Thank you
Samantha
Unless you have auditing enabled, there is not going to be any trace of file movement, I'm afraid. Just in case you did not know, file-level auditing is disabled by default as the overhead is too high.
You should check out the event logs to see if there are any UPnP service entries created by the insertion/removal of any devices. If you have AV software installed then this may generate its own log of files that were scanned, which also may prove helpful depending on what policies are in place.
The copy operation itself will not leave any trace other than altering the last access time of the source unless you have file-level auditing enabled. If the copy occurred on a network then the servers may track file activity, but again this is down to what policy is in place.
AV software might be your best source of data here as most of them scan both incoming and outgoing files.
If I think of anything else tonight I will post an update.
Alan
Alan
Thank you again. I have server information and some other useful information. I know that auditing carries a high overhead so we never turn it on either.
If there is anything you can think of to add to the list, that would be great.
Samantha
Well, if you are looking for an application for checking Registry information:
1) First extract the Registry files from the HD image,
2) then you need an application to read them. Download REGLOOKUP and run it on a Linux machine or VM.
For event analysis, a well-known Windows tool is LOGPARSER.
cheers
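Alan's point 4 (USBSTOR entries and the date metadata the registry keeps on each key) and lucpel's suggestion of dumping the extracted SYSTEM hive with REGLOOKUP come together in the following added example, which is not code from either poster or from the REGLOOKUP project. It assumes REGLOOKUP's CSV output layout of `PATH,TYPE,VALUE,MTIME`, with `MTIME` populated on `KEY` rows (the key's last-write time), and the sample rows below are constructed in that shape; the key paths, device names and timestamps are invented for the example.

```python
"""Pull USB storage devices and their key last-write times out of a REGLOOKUP dump.

Added example for the thread above; not the posters' code.
Assumed REGLOOKUP CSV layout (constructed sample below): PATH,TYPE,VALUE,MTIME
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Device instance keys under HKLM\SYSTEM\ControlSetNNN\Enum\USBSTOR and the
# values stored one level below them.
INSTANCE_RE = re.compile(
    r"^/ControlSet(?P<cs>\d+)/Enum/USBSTOR/(?P<cls>[^/]+)/(?P<instance>[^/]+)$"
)
VALUE_RE = re.compile(
    r"^/ControlSet(?P<cs>\d+)/Enum/USBSTOR/(?P<cls>[^/]+)/(?P<instance>[^/]+)/(?P<name>[^/]+)$"
)

# Constructed sample in the assumed REGLOOKUP format.
SAMPLE_REGLOOKUP = """\
PATH,TYPE,VALUE,MTIME
/ControlSet001/Enum/USBSTOR,KEY,,2012-02-28 17:40:12
/ControlSet001/Enum/USBSTOR/Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00,KEY,,2012-03-01 09:15:33
/ControlSet001/Enum/USBSTOR/Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00/4C530001234567890123&0,KEY,,2012-03-01 09:15:33
/ControlSet001/Enum/USBSTOR/Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00/4C530001234567890123&0/FriendlyName,SZ,SanDisk Cruzer USB Device,
/ControlSet001/Enum/USBSTOR/Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00/4C530001234567890123&0/ParentIdPrefix,SZ,7&1f2e3d4c&0,
/ControlSet001/Enum/USBSTOR/Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07,KEY,,2011-11-05 12:02:50
/ControlSet001/Enum/USBSTOR/Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07/6&2a1b0c9d&0&000000,KEY,,2011-11-05 12:02:50
/ControlSet001/Enum/USBSTOR/Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07/6&2a1b0c9d&0&000000/FriendlyName,SZ,Generic Flash Disk USB Device,
"""


@dataclass
class UsbDevice:
    control_set: str
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_unique: bool   # False when Windows made the id up itself
    key_last_write: str      # MTIME of the instance key, as REGLOOKUP printed it
    values: dict = field(default_factory=dict)


def _split_class(cls):
    """'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00' -> ('SanDisk', 'Cruzer', '1.00')."""
    parts = dict(p.split("_", 1) for p in cls.split("&")[1:] if "_" in p)
    return parts.get("Ven", ""), parts.get("Prod", ""), parts.get("Rev", "")


def parse_usbstor(reglookup_csv):
    """Return UsbDevice records, oldest key last-write first."""
    rows = list(csv.DictReader(io.StringIO(reglookup_csv)))
    devices = {}
    # Pass 1: instance keys, which carry the last-write timestamp.
    for row in rows:
        m = INSTANCE_RE.match(row["PATH"])
        if not m or row["TYPE"] != "KEY":
            continue
        vendor, product, rev = _split_class(m["cls"])
        instance = m["instance"]
        # An instance id whose second character is '&' was generated by Windows
        # because the device reported no serial number, so it cannot be matched
        # to a specific physical stick across machines.
        unique = not (len(instance) > 1 and instance[1] == "&")
        serial = instance.rsplit("&", 1)[0]
        devices[(m["cs"], m["cls"], instance)] = UsbDevice(
            m["cs"], vendor, product, rev, serial, unique, row["MTIME"])
    # Pass 2: attach values (FriendlyName, ParentIdPrefix, ...) to their device.
    for row in rows:
        m = VALUE_RE.match(row["PATH"])
        if m and row["TYPE"] != "KEY":
            dev = devices.get((m["cs"], m["cls"], m["instance"]))
            if dev is not None:
                dev.values[m["name"]] = row["VALUE"]
    return sorted(devices.values(), key=lambda d: d.key_last_write)


if __name__ == "__main__":
    for d in parse_usbstor(SAMPLE_REGLOOKUP):
        tag = "serial" if d.serial_is_unique else "no-serial"
        print(f"{d.key_last_write}  {d.vendor} {d.product} rev {d.revision}  "
              f"{tag}={d.serial}  {d.values.get('FriendlyName', '')}")
```

What this gives you is the list of storage devices the machine has seen and the last-write time of each device's key, which is evidence of the device being connected, not of what went onto it; as Alan says in his reply, the copy itself leaves no trace without file-level auditing. Run it against each ControlSet in the hive rather than only the current one, and note that the timestamps are whatever REGLOOKUP printed (UTC in the hive), so convert to the machine's local zone before lining them up with proxy or event log times.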
I don't mean to rain on lucpel's parade here, BUT neither REGLOOKUP nor LOGPARSER is going to place the data in context.
The absolute best place to look at a registry hive is in the registry on a live machine. You can load a hive into a sandbox machine under a different root, but be careful as it is very easy to toast the machine if you get it wrong.
Don't get me wrong, LOGPARSER is a great tool, BUT when you view an event log, EVENTVWR.EXE utilises system/application-specific DLLs to render the content in order to give the numbers meaning. To get an accurate view you need to use a sandbox machine with the same OS and applications so that you get the messages translated for you. Trust me, it can save you a lot of time in the long run.
Sorry I have racked my brain and I cannot think of any other trace data that a file copy would leave behind, save what I mentioned in my earlier post. Hopefully what data you do get will be supplemented from external sources which will allow you to put it into context.
Good luck.
Alan