Hey all-
I've got a client who suspects a few of their employees of accessing a manager's email without permission, and we've been asked to investigate.
The project lead has asked me to evaluate Paraben's Enterprise Shuttle, which I'm not too impressed with- it seems unreliable even on my simple test network.
Any recommendations for doing remote forensically sound captures?
(btw- We have permission from the owner on this- I wouldn't risk my bar ticket on that)
Are you looking for a product that just does remote captures or more of an incident response tool?
Have you checked out
Given the situation, what would a remote, forensically sound capture give you? What specific artifacts or proof would you hope to find within the images you acquire?
I'd suggest that under the circumstances, one place you'd want to look is logs on the email server. Of course, this really depends a great deal on what type of email client/server config you have (Outlook/Exchange, Eudora/POP, etc) as well as how the server itself is configured to log things such as accesses to mailboxes.
If OutLook is used, see what the drop-down menu showing the list of profiles shows on each employee's computer.
The reason I mention this is that back in 2001 when a major telecom that I worked for was going out of business, there was a great deal of concern from across the infrastructure that the VP of HR's email had been "hacked". The concern was that lists of names of folks being laid off were considered extremely sensitive, but ended up being printed on Doomedcompany.com and its sister site several days prior to the actual layoff. Given Occam's Razor, it turned out that what had really happened is that some lower level HR employees had said things that were overheard, as well as left documents that they'd printed sitting in the printer long enough for someone to come along and get a look at.
HTH,
Harlan
Given the situation, what would a remote, forensically sound capture give you? What specific artifacts or proof would you hope to find within the images you acquire?
I'd suggest that under the circumstances, one place you'd want to look is logs on the email server
Harlan
Agreed. However we have two layers of bureaucracy to deal with: the client's and my own company's. I'm not yet authorized to talk to the client and ask the obvious questions (what kind of email server, why do they suspect this is happening, what is logged…)
We don't even have a decent theory of how they're accessing the email: if it's via the web interface of Outlook, by VNC'ing into the target computer, sniffing traffic, or the old-fashioned method of going to the boss's computer and reading email.
I'm going to argue that we need more than a forensic image of the suspects' computers- we need keystroke loggers on all the machines, look at IDS and mail server logs, and perhaps logs of physical access, if any.
I thank BitHead for the suggestion. I'm going to start checking that out next. I'm unimpressed with the Paraben solution.
If you're looking to do a remote capture, I would suggest ProDiscover IR over EnCase Enterprise any day of the week. Not only is ProDiscover A LOT cheaper, but it provides the very same functionality.
DoDForensics,
I prefer ProDiscover IR for remote work, including live acquisitions, over EnCase.
I've looked at the EnCase Enterprise product sheet, and I have to ask…does EnCase allow for the acquisition of physical memory, rather than just volatile data? How about acquisition of BIOS?
H
Rev,
If you suspect this activity is ongoing, how about changing his password and monitoring for failed attempts?
Also, some versions of VNC will log to the event log.
Apache/IIS logs should also be of help, if the account was accessed via OWA. How many IPs accessed that account? (IIS Log Parser is good at finding that fast.)
I'll bet you could find some perl scripts to do it also. 😉
HTH
-ss
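One way to carry out the IIS-log check ss suggests (and the mail-server log review Harlan recommends earlier in the thread): pull the OWA requests out of the IIS W3C log, list which client addresses successfully read the manager's mailbox, and count 401 responses per address, which is the "change the password and watch for failed attempts" idea in script form. This is an added example, not code from any post in this thread or from the products mentioned. It assumes the Exchange 2003-style OWA URL layout (/exchange/<mailbox>/...) and the IIS W3C extended log format with a #Fields: header; the log lines themselves are constructed for the example and are not real data.

```python
"""Summarise which client IPs reached which OWA mailbox, from IIS W3C logs.

Added example for the thread, not code from any post. Assumes the
Exchange 2003-style OWA URL layout /exchange/<mailbox>/... and the IIS
W3C extended log format with a #Fields: header (both assumptions).
"""
from collections import Counter, defaultdict

# Constructed sample log (not real data): three addresses touch the manager's
# mailbox, one of them only after two failed (401) attempts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-01 08:01:10 10.0.0.15 CORP\\manager GET /exchange/manager/Inbox 200
2006-03-01 08:05:42 10.0.0.15 CORP\\manager GET /exchange/manager/Inbox 200
2006-03-01 12:30:07 10.0.0.88 CORP\\manager GET /exchange/manager/Inbox 200
2006-03-01 12:31:15 10.0.0.88 CORP\\manager GET /exchange/manager/Sent%20Items 200
2006-03-01 18:02:51 10.0.0.42 - GET /exchange/manager/Inbox 401
2006-03-01 18:02:58 10.0.0.42 - GET /exchange/manager/Inbox 401
2006-03-01 18:03:04 10.0.0.42 CORP\\manager GET /exchange/manager/Inbox 200
2006-03-01 09:15:00 10.0.0.20 CORP\\jsmith GET /exchange/jsmith/Inbox 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can repeat when IIS rolls the log
            continue
        if not line or line.startswith("#"):
            continue  # #Software, #Version, #Date carry no requests
        if fields is None:
            raise ValueError("request line before any #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def mailbox_from_uri(uri_stem):
    """Return the mailbox name from /exchange/<mailbox>/..., or None for other paths."""
    parts = uri_stem.lower().split("/")
    if len(parts) >= 3 and parts[1] == "exchange":
        return parts[2]
    return None


def ips_per_mailbox(text):
    """Map each mailbox to the sorted list of client IPs that read it successfully (2xx)."""
    seen = defaultdict(set)
    for rec in parse_iis_log(text):
        box = mailbox_from_uri(rec["cs-uri-stem"])
        if box and rec["sc-status"].startswith("2"):
            seen[box].add(rec["c-ip"])
    return {box: sorted(ips) for box, ips in seen.items()}


def failed_auth_by_ip(text, mailbox):
    """Count 401 responses per client IP against one mailbox (failed-logon monitoring)."""
    failures = Counter()
    for rec in parse_iis_log(text):
        if mailbox_from_uri(rec["cs-uri-stem"]) == mailbox and rec["sc-status"] == "401":
            failures[rec["c-ip"]] += 1
    return dict(failures)


if __name__ == "__main__":
    for box, ips in ips_per_mailbox(SAMPLE_LOG).items():
        print(f"{box}: {len(ips)} distinct IP(s): {', '.join(ips)}")
    print("failed logons against manager:", failed_auth_by_ip(SAMPLE_LOG, "manager"))
```

On a real server, read the daily log files from the IIS log directory instead of SAMPLE_LOG and run the two functions over each; an address that shows up in the failed-logon counts and then in the successful-read list is exactly the pattern ss describes, and the c-ip column then tells you which workstation to look at next.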
If you just wanted to make an image I'd suggest R-Studio, since the evaluation version allows you to do this at no cost at all!
If, on the contrary, you intend to carry out some kind of live investigation, I'm afraid this tool won't be of much use. Maybe in that case you should try the famous ProDiscover. I haven't tested it myself yet, but most people use it for live investigations.
Have you taken a look at Cyber Security's OnlineDFS?
http://www.cyberstc.com/products.asp
Is that the same tool as LiveWire? Just wondering because I noticed that it links to their page under the law enforcement section.