Hi,
I'm trying to learn about forensics to perform corporate investigations.
I noticed that "malware infection" and "I have been hacked" are often brought up as excuses to justify misconduct in the corporate environment.
During the investigation, should I take a proactive approach and look for signs of malware and intrusion, or should I wait until the employee brings this up?
Thank you for your answers.
Think about it this way:
Your job is to seek the truth. How do you know malware or hacking wasn't what really happened, unless you confirm or refute that hypothesis?
You are not for the corporation, nor are you against the accused. You are for the facts. The end. Without actually uncovering the facts, how can you possibly know what they are?
As a side note:
Malware is not an 'excuse'. Malware is real, and many people have been accused (probably even convicted of wrongdoing) because of malware. The correct term is 'malware defense'.
Thanks twjolson.
Sorry for the use of the word "excuse"; I'm still a beginner, and I'm not yet fully familiar with the appropriate vocabulary. The word "defense" is indeed more appropriate.
So, if I understand correctly, I should be proactive and look into these hypotheses during my investigation, right?
Yupp, it is advisable to find it, hash it, search for it, identify its capabilities.
If you find nothing or just ordinary adware, the malware defence is not applicable.
If you find a trojan with the capabilities to do what the accused claims - then it has merit.
So, if you already know that there is no trojan, actively installed or deleted, on any media, in the pagefile or hidden somewhere, you can directly counter any claims made by the accused and say that "we have already examined A, B, C and D and found nothing".
"Yupp, it is advisable to find it, hash it, search for it, identify its capabilities."
Also, you need to determine if the malware actually executed. Having a copy of a Trojan sitting within a system image is one thing, but an executable file sitting in the file system without ever having been executed is simply dormant and harmless.
Your analysis should always start with goals; specifically, what are you attempting to prove or disprove? In the course of your analysis, your findings may obviate the "malware" argument altogether; for example, if you find that the individual viewed those files that they weren't supposed to be looking at, and did so repeatedly, then it's really not so much a matter of "the malware put the images there and I had no idea...".
In these types of investigations, your first goal is usually to find out if the computer was used to do bad things (e.g. visit porn sites at work) or has bad things on it (porn, pirated software, etc.). If you find something, your second goal is to provide context. How did the bad stuff get there? What site did it come from? When was it accessed? How was it accessed? The more context you can provide to explain the user's activities, the harder it is to refute.
Depending on how strong your case is, it may or may not be easy to claim that some other dude did it: a trojan, a previous user, etc. If your case is very strong, e.g. you have pornographic images in unallocated space, the same images in the thumbnail cache, a shellbag entry for E\misc\bobspornstash, a bunch of MRU entries for various JPG images in that folder, plus a scandalous browser history, then the pattern already indicates pretty strongly that some user had knowledge of these files and it was not malware, so you may not feel the need to spend a lot of time eliminating that possibility.
Many cases, however, are not that strong. Suppose all you have are some images in unallocated space and some browser artifacts carved out of memory/the pagefile/unallocated. Maybe the user went to the sites on purpose, maybe they had adware that was spewing up ads for porn sites, maybe they clicked a link in a sketchy email. Who knows? You need to flesh out your case! It's worth examining running processes (if you have a memory dump), looking at autostart locations, scanning the drive with an AV tool or two, excluding known good files and identifying any installed browser add-ons/extensions. In most internal investigations, you're uncovering evidence that will be used to suspend or fire the employee and negatively impact their livelihood. Spending a couple of extra hours to cover the trojan defense is time well spent.
TL;DR: once you find the bad stuff, your job is to explain how it got there. You can rule out malware by searching for it directly or by providing sufficient context to show that a human user had knowledge of the activity/contraband. You'll probably do some of both.
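The two steps the replies above describe, hashing files and excluding known-good ones, then checking whether what is left ever executed, can be scripted for a triage pass. This is an added example, not code from any poster; the file contents, the known-good hash set and the Prefetch listing are all constructed, and it assumes a Windows image with Prefetch enabled, where a file named EXENAME-HASH.pf in C:\Windows\Prefetch records that EXENAME ran.

```python
import hashlib
import os
from dataclasses import dataclass

# Constructed sample "file system" from a mounted image: path -> file bytes
SAMPLE_FILES = {
    r"C:\Windows\System32\svchost.exe": b"known-good svchost sample",
    r"C:\Users\bob\AppData\Local\Temp\updater.exe": b"unknown binary A",
    r"C:\Users\bob\Downloads\setup.exe": b"unknown binary B",
}

# Constructed known-good hash set (in practice an NSRL-style reference set)
KNOWN_GOOD_SHA256 = {
    hashlib.sha256(b"known-good svchost sample").hexdigest(),
}

# Constructed listing of C:\Windows\Prefetch (assumes Prefetch is enabled).
# Windows writes EXENAME-HASH.pf when EXENAME runs, so it is execution evidence.
SAMPLE_PREFETCH = [
    "SVCHOST.EXE-ABCDEF01.pf",
    "UPDATER.EXE-0A1B2C3D.pf",
]

@dataclass
class Finding:
    path: str
    sha256: str
    known_good: bool
    executed: bool

def executed_names(prefetch_listing):
    """Return the upper-cased executable names recorded by Prefetch files."""
    names = set()
    for name in prefetch_listing:
        if name.lower().endswith(".pf") and "-" in name:
            names.add(name.rsplit("-", 1)[0].upper())
    return names

def triage(files, known_good, prefetch_listing):
    """Hash every file, drop known-good hashes, and flag execution evidence."""
    ran = executed_names(prefetch_listing)
    findings = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        base = os.path.basename(path.replace("\\", "/")).upper()
        findings.append(Finding(path, digest, digest in known_good, base in ran))
    # Only files that are not known-good need analyst attention
    return [f for f in findings if not f.known_good]

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, KNOWN_GOOD_SHA256, SAMPLE_PREFETCH):
        status = "EXECUTED" if f.executed else "dormant (no execution evidence)"
        print(f"{f.path}  sha256={f.sha256[:12]}...  {status}")
```

A file that survives the known-good filter but has no execution evidence is the "dormant" case the reply warns about; the hash of anything that did run is what you then search for across other media and submit for capability analysis.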
You should find this paper interesting