Long post, question is at the end…
So I have my hands on a laptop that is assigned to a senior IT staffer accused of stealing IP. The subject is "tech-savvy" and uses full disk encryption. Step 1 was to separate him from his laptop, after he was logged on, so that we could take an image.
I watched him for a couple of days, and he seemed like he was in full swing and working each day by 10. He locked his desktop whenever he walked away or someone even came to talk with him. Today at 10, I started fiddling around under the cube next to him and struck up a conversation. He couldn't help but get up and see what I was doing with the wires under the desk, so he stood up to take a look. HR swooped in and I had an unlocked desktop.
I found he is using JungleDisk ( a front end to amazon S3), similar to something like x-drive or sky drives. There, on the jungle disk is everything that shouldn't be there. It's size is reported as 1Tb with 487 MB of active files.
Is there a concept of unallocated space on one of these drives, since it's actually a virtual drive?
I am imaging the whole TB now, but what should I expect to see? I am thinking just the active files but not really sure….Since this is a dynamic disk stored on a SAN at amazon.
Just wanted to see what you guys thought…
I think your corporate counsel should fire up the subpoenas and send one to JungleDisk.
So if you have the evidence are you just "piling-on" by searching unallocated space?
I am guessing it is much like a SAN in that you just image the relevant LUN. However not knowing the particulars about JungleDisk that is just speculation.
Thanks Bit Head,
True about the evidence existing in allocated space; not much to do for this investigation other than paperwork. Now I am just trying to learn something new.
Say I show up and the "virtual disk" is empty. I am going to look into some of the more popular ones (S3, Skydrive, X-Drive) and write something up for the forum.
In the case of jungle disk and AmazonS3, there is a client side cache.
c\ProgramData\JungleDisk\Cache
There are csv logfiles showing everything that was moved to the virtual disk and much more which I will post about soon. If anyone has more information (obviously I will be reading the manuals this weekend) just let me know.
Cheers.
I would probably guess that there is some "unallocated space" on the physical devices, but since we're basically talking about a "cloud" type infrastructure, anything that's deleted probably won't be around long enough for it to matter (or for you to get at it). You really don't have any idea how many people are sharing the same "space."
But I agree with BitHead, get the attorney's to contact Jungle Disk.
Tom
*From the Jungle Disk Website*
Jungle Disk uses AES-256 encryption – a government and industry standard that’s one of the most well-studied and most secure encryption algorithms available.
Jungle Disk uses a unique key for each file, and constructs the key using a HMAC file that helps protect against certain attacks. The master key is based on a password YOU choose, known only to you and not stored with Jungle Disk.
I'm not to sure serving legal process is going to reveal much. I am interested in hearing about how you did processing the info once you finish. Thank ahead of time.
