Searching slack and Free Space for specific dates

9 Posts
9 Users
0 Reactions
645 Views
(@epomack)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Hello All! First time posting from this long time lurker. Please be kind if my question seems to be a no-brainer?

I am a retired (January 2009) Federal Government computer forensics tech. and am now working in private industry as an Informatics Investigator. There is a 3 year gap in my active application of learned skills from 2006 to mid 2009. I have been using X-Ways Forensics for a couple of years now and in my government service I used EnCase, I-Look and FTK extensively. I am currently working on a laptop that was reluctantly surrendered by the "bad guy" under threat of imminent incarceration by the local Law Enforcement folks. This is a case of a hostile termination and the employer, our client, simply wanted to get their computer back. Given the extreme fuss that the ex employee put up, our client has asked us to examine the laptop hard drive for files or documents that would be considered as illicit, illegal, prohibited or otherwise not in the best interests of the client.

I was able to find all kinds of images, including adult pornography and personal pictures taken by the ex employee that would have been of considerable embarrassment to the client had they become public. It is clear that the ex employee allowed his pre-teen/tween children to use the laptop to surf the net as well. I also recovered numerous deleted files and e-mails that are of interest.

The perplexing thing is this: Our client is convinced that the ex employee deleted folders and files from the computer on November 25th and 26th, 2009 and that the fellow may have been involved in some form of espionage against our client. I have searched this drive from beginning to end, slack space, free space, EOF etc. I have extracted the metadata for the files where possible and I have sorted and reviewed the dates of creation, modification and access from every possible angle that I can think of. I cannot find any files, not even one, dated after November 10th, 2009. I have run the searches using both XWF and EnCase v6.15.

Finally, then, my question is this: Have I missed or overlooked something in my efforts to recover all of the files from the HDD image? Particularly, is there a way that I can search the slack and free space for the date November 25th and 26th, 2009? My efforts simply entailed searching for the dates expressed as hex values using the format of mm/dd/yy. What else can I try?

Thanks for your help.

Mike


   
Quote
(@thall)
Trusted Member
Joined: 16 years ago
Posts: 53
 

I obviously don't have the experience you have, but just my thoughts: maybe the perpetrator changed the dates on the operating system, so the dates that you are looking for could be modified? I might and probably am wrong, but can't hurt for a bit of brainstorming.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I would look closely at the registry and prefetch for any indication of file wiping tools having been run. Since you have recovered files from unallocated space, it does not appear that he ran any kind of free space wiper like cipher or sdelete, but he may have installed something like Erase which does a wipe on delete.

Also, you did not say which OS but if it is Vista or if he has disabled last access time, the files may have been viewed more recently than Nov 10, but this would not be timestamped (you may be able to find the information in the MRU list).

You can look for deleted INFO2 records.

And there may be some indication in the Restore Points, as well.

Since you have Encase, you can also use the LogFile parser and MFT record recovery scripts.

Finally, have you tried a different carving tool like PhotoRec or Scalpel? Sometimes I find things with these tools that I don't find with commercial tools.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Mike,

The perplexing thing is this: Our client is convinced that the ex employee deleted folders and files from the computer on November 25th and 26th, 2009 and that the fellow may have been involved in some form of espionage against our client.

There are a couple of things here.

First off, what is the OS of the system being examined? When did you confiscate/acquire it?

Perhaps most importantly, have you nailed down what constitutes "espionage" to these folks? I ask, as in this line of work, we're often asked to "find anything suspicious", and in some cases, having tools like wget and pskill on a system is NOT suspicious, as it's part of the employee's job, whereas in other cases, it is.

My point is that one needs to nail down with the customer what the goals of the exam are.

Finally, then, my question is this: Have I missed or overlooked something in my efforts to recover all of the files from the HDD image? Particularly, is there a way that I can search the slack and free space for the date November 25th and 26th, 2009? My efforts simply entailed searching for the dates expressed as hex values using the format of mm/dd/yy. What else can I try?

Again, when was the system confiscated? I see a great deal of old school, traditionalist forensics here, all of which is file focused. If this is a Windows system, have you looked at the last modification time on NTUSER.DAT hive files, and compared those to the LastShutdown time from the Registry, as well as any information regarding system activity from the Event Logs?

Do you find any indication of web activity after 10 Nov?

Someone raised the question of modification of the system time…this comes up quite a bit, but there are a number of ways to determine if this may have been the case; compare the sequence of Event Log records to the timegenerated value…both should progress in a sequential order. Check the Registry for indications of any user accessing the DateTime Control Panel applet. There are other indicators, as well, but those may be the most helpful.

Have you conducted a full timeline analysis? By full, I mean, not just the file MACE times, but including other data (Event Logs, AV logs, Registry, Recycle Bin, Prefetch (if XP) files, etc.)?

There may end up being enough indications that the system wasn't even enabled after 10 Nov…it's entirely possible.


   
ReplyQuote
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

The perplexing thing is this: Our client is convinced that the ex employee deleted folders and files from the computer on November 25th and 26th, 2009 and that the fellow may have been involved in some form of espionage against our client.

Is it a rational belief? If that happened, and nothing else, you should have directories with last modification dates from that period. If you don't, either no files or directories were deleted, or time or timestamps have been tweaked. But I'd want to be pretty certain that the belief is rational before I went looking for what might not amount to more than coincidences in another setting. Be careful of any CISO's ideas of what might have happened; some of them seem very apt to go for the absolute worst case, and ignore simpler explanations. This goes in spades if they've read one of Ira Winkler's books recently.

Was the system clock changed before deletion? In a corporate environment, with a Windows domain, that would probably leave traces in file server logs (authentications would fail with the clock out of synch). Also make sure that the user had the privileges to change the system clock in Windows; if he hadn't, I guess some kind of 'shut down, change clock in BIOS, and reboot without network connected' might do the trick. But that would still leave some traces of the logout/shutdown elsewhere. You'd also find the system itself in such 'external' logs, so you may want to ensure that those logs are secured: domain controller, file servers, web proxies, antivirus server, etc.

But if you can't demonstrate that the system was even switched on after November the 10th, it doesn't seem to matter what is supposed to have happened on the 26th, say.

I assume you created the image file yourself, so that there are no doubts that it was taken after November 26th? Last login as local admin? If local LE is involved … are you looking at a system that has been returned from LE to the company? Any contraband removed? No, it would take longer time. (I'm looking for any possible explanation why there may not be anything left from that date.)


   
ReplyQuote
BattleSpeed
(@battlespeed)
Eminent Member
Joined: 16 years ago
Posts: 36
 

In espionage cases, you'd certainly be interested in email, IM and the mounting of portable storage devices, as well as any Web activity involving "cloud" storage/backup services. Print/fax/modem services are also important. Ditto, remote access services.

As such (and for other reasons), analysis of servers (especially logs) and other network appliances (firewalls, etc.) is often more fruitful than target system analysis, and on the target system, Registry analysis is often more fruitful than file system analysis.

A good starting point is to determine what security policies are/were in place and what legitimate privileges this individual had - both on his system and on the company network - and to look for evidence that he circumvented those privileges, elevated his user status, etc., or attempted to do so.

If there had really been a strong suspicion of industrial espionage with this employee (yes, I know all about hindsight!), it's rather too bad that the company didn't engage in some live activity monitoring (and other investigative work) before firing him. With some luck, however, there might still be traces of his activities out on the network.

Last, but not least, consider whether physical security and CCTV systems might not have some information about this individual's activities that supports (or refutes) the espionage hypothesis, such as coming on-site at odd hours, weekends, etc. While "professionals" are usually careful to avoid such obvious give-aways, many wannabe spies are not pro's; they're just disgruntled or greedy employees.


   
ReplyQuote
(@unknown)
Eminent Member
Joined: 17 years ago
Posts: 21
 

FYC… Is there any network infrastructure you can access logs from? I.E. Firewall, Web Proxies, Mail Proxies, etc…

Is there other client software running on the machine that may have transmitted to a server on the network? (check local vs. server logs)

Also, what about any AAA infrastructure in the environment?

Just some thoughts…


   
ReplyQuote
Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

Have you accounted for all space on the HDD? Hidden partition…..???


   
ReplyQuote
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Finally, then, my question is this: Have I missed or overlooked something in my efforts to recover all of the files from the HDD image? Particularly, is there a way that I can search the slack and free space for the date November 25th and 26th, 2009? My efforts simply entailed searching for the dates expressed as hex values using the format of mm/dd/yy. What else can I try?

Mike

RevEnge can search a file for a date range in one of 25+ different formats (all at once if required, although FILETIME on a Windows system would be the logical one to start with).


   
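The point Paul makes above, and the reason the original mm/dd/yy hex search found nothing, is that NTFS and Windows store timestamps as binary FILETIME values, not as text. The following is an added example (written for this thread, not code from RevEnge or any other tool named here) that scans a raw buffer at every byte offset for little-endian FILETIME and 32-bit Unix time_t values falling inside a date window; the 512-byte "image fragment" and the timestamps planted in it are constructed, and only two of the many encodings a real tool would try are covered.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix epoch

def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_unix(dt):
    return (dt - EPOCH_1970) // timedelta(seconds=1)

def from_unix(secs):
    return EPOCH_1970 + timedelta(seconds=secs)

# (label, struct format, datetime->raw int, raw int->datetime); little-endian only
ENCODINGS = [
    ("FILETIME", "<Q", to_filetime, from_filetime),
    ("unix time_t", "<I", to_unix, from_unix),
]

def scan_for_dates(data, start, end):
    """Return sorted (offset, label, datetime) for every byte offset at which the
    raw bytes, read as one of ENCODINGS, decode to a time in [start, end).
    Every offset is tried because slack and unallocated data carry no alignment."""
    hits = []
    for label, fmt, to_raw, from_raw in ENCODINGS:
        lo, hi = to_raw(start), to_raw(end)
        width = struct.calcsize(fmt)
        for off in range(len(data) - width + 1):
            raw = struct.unpack_from(fmt, data, off)[0]
            if lo <= raw < hi:
                hits.append((off, label, from_raw(raw)))
    return sorted(hits)

# Constructed sample: zero filler with three planted timestamps. The window covers
# 25 and 26 November 2009; the value at offset 400 (10 November) is a decoy.
WINDOW_START = datetime(2009, 11, 25, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(days=2)
SAMPLE = bytearray(512)
struct.pack_into("<Q", SAMPLE, 100, to_filetime(datetime(2009, 11, 25, 14, 30, tzinfo=timezone.utc)))
struct.pack_into("<I", SAMPLE, 300, to_unix(datetime(2009, 11, 26, 3, 0, tzinfo=timezone.utc)))
struct.pack_into("<Q", SAMPLE, 400, to_filetime(datetime(2009, 11, 10, 12, 0, tzinfo=timezone.utc)))

if __name__ == "__main__":
    for off, label, when in scan_for_dates(bytes(SAMPLE), WINDOW_START, WINDOW_END):
        print(f"offset {off:#08x}  {label:<12} {when.isoformat()}")
```

On a real image the hit list needs context: a FILETIME in an MFT record or INDX entry sits at a known offset next to three sibling timestamps, while a lone value in unallocated space may be a coincidence, so each hit should be checked against the surrounding structure before it is treated as evidence.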