Forensic Question

Arvean (Member, Posts: 87)
Hey Guys,

I have a quick question that I hope somebody can answer.

Background:

Small real estate firm with a WHS server (fewer than 10 brokers); permissions are set on folders to restrict access. The principal has a master password with access to every single folder.

Event:

A person quits and there is a strong suspicion that he copied the entire server. Later I learned that my boss shared his password, giving him unlimited access (but no administrative privileges). The guy is not that smart; I think he just plugged in a flash drive and copied.

Question:

How can I see if he did copy something? Any software etc?

Best,

Arv
No trees were killed in the posting of this message. However a large number of electrons were terribly inconvenienced.

Comments

  • dynamik (Banned, Posts: 12,312)
    You'd have to have been auditing object access.
  • Arvean (Member, Posts: 87)
    dynamik wrote: »
    You'd have to have been auditing object access.

    Doesn't it do it automatically?
  • unsupported (Member, Posts: 192)
    Arvean wrote: »
    Doesn't it do it automatically?

    Not by default. This is why many companies are left scratching their heads after they discover a data breach. You may be able to search the registry for artifacts relating to the existence of a USB drive. Here is a thread with some more details about where you can find the information on EH-Net, The Ethical Hacker Network - Scenerio.
    -un

    “We build our computer (systems) the way we build our cities: over time, without a plan, on top of ruins” - Ellen Ullman
  • tiersten (Member, Posts: 4,505)
    Arvean wrote: »
    Doesn't it do it automatically?
    Enabling auditing for any OS incurs a big performance penalty. That is why it isn't on by default.
  • JDMurray (Admin, Posts: 13,074)
    Adding/removing a plug-n-play device (like a USB drive) will appear in the Windows Security event log as object creation/deletion events, but only if the system is configured to specifically audit for those events--which Windows isn't by default.

    If the suspect had sufficient access to make a full backup then he may have also had the access required to delete logs and disable/circumvent other system monitoring and safeguard software. If network operations isn't initially configured for the possibility of an insider attack then it can be very difficult to detect and almost impossible to prevent.
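As an added example (not code from anyone in this thread), the two checks discussed above, the registry artifacts mentioned by unsupported and the Security-log object-access events JDMurray describes, can be pulled together with PowerShell run as an administrator on the server. It assumes Windows Vista / Server 2008 or later (event ID 4663 for object access; the Server 2003-based WHS v1 uses different IDs), and `$sharePath` is a placeholder for the shared folder.

```powershell
# Added example: list USB mass-storage devices the OS has ever enumerated, then look for
# audited file-access events on the share. Assumes Vista/2008+ (ID 4663) and an elevated shell.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Each device key is named Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>; each instance subkey
# under it is named after the drive's serial number (or a generated id ending in "&0").
if (Test-Path $usbstor) {
    Get-ChildItem $usbstor | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Device       = $device
                SerialNumber = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    } | Format-Table -AutoSize
} else {
    Write-Output 'No USBSTOR key: no USB mass-storage device has ever been enumerated on this host.'
}

# Object-access events exist only if "Audit object access" / File System auditing was enabled
# AND a SACL was set on the share folder BEFORE the copy happened. Note the User column: with a
# shared password the events carry the boss's account, exactly as dynamik points out below.
$sharePath = 'D:\Shares'   # placeholder: the real shared folder path
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction Stop |
        Where-Object { $_.Message -like "*$sharePath*" } |
        Select-Object TimeCreated,
                      @{ n = 'User';   e = { $_.Properties[1].Value } },   # SubjectUserName
                      @{ n = 'Object'; e = { $_.Properties[6].Value } } |  # ObjectName
        Format-Table -AutoSize
} catch {
    Write-Output "No 4663 events matched: object-access auditing was not in place. ($_)"
}
```

The USBSTOR listing only proves that a device was plugged in at some point, not who did it or what was copied, so treat it as a lead rather than evidence.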
  • Arvean (Member, Posts: 87)
    JDMurray wrote: »
    Adding/removing a plug-n-play device (like a USB drive) will appear in the Windows Security event log as object creation/deletion events, but only if the system is configured to specifically audit for those events--which Windows isn't by default.

    If the suspect had sufficient access to make a full backup then he may have also had the access required to delete logs and disable/circumvent other system monitoring and safeguard software. If network operations isn't initially configured for the possibility of an insider attack then it can be very difficult to detect and almost impossible to prevent.

    Thanks so much for your feedback guys. I'm really upset about the whole thing because after spending so much time to give appropriate permissions and access to folders, I learned it's all wasted because my boss shared his password....

    This person was not a hacker, nor an experienced user. He was a "Mac-boy" having real difficulties working on PCs. What I think happened is he logged in to my boss's computer, plugged in the drive and copied the whole shared directory.... So there's no software to see that, huh?
  • tiersten (Member, Posts: 4,505)
    Arvean wrote: »
    What I think happened is he logged in to my boss's computer, plugged in the drive and copied the whole shared directory.... So there's no software to see that, huh?
    If auditing isn't on then no...
  • cbigbrick (Member, Posts: 284)
    USBDeview - View all installed/connected USB devices on your system

    Looks pretty cool. I've been playing with it in the lab.
    And in conclusion your point was.....???

    Don't get so upset...it's just ones and zeros.
  • LarryDaMan (Member, Posts: 797)
    Interesting thread and scenario; inside attacks have the potential to be really dangerous.

    Off topic a little, but the more I read about the C|EH from the pen testing "community", the less I want to take the exam. Talk about no respect. It might as well be Hacker+ from CompTIA. :) There are many many examples of this, but here is one that I just read today.

    "We all know that ISC2 and GIAC aren’t going anywhere. As to the others, I think we will see some of them stay around where others such as EC Council’s will disappear." Kevin Johnson, GCIA GCIH GCFA GWAS CISSP CEH IBM CSE Inet+

    Granted the guy teaches for SANS, so he may be biased, but there doesn't seem to be a lot of love for the C|EH out there in general.

    Full Interview of Kevin Johnson
    The Ethical Hacker Network - Interview: Kevin Johnson of SANS, InGuardians
  • dynamik (Banned, Posts: 12,312)
    Arvean wrote: »
    What I think happened is he logged in to my boss's computer, plugged in the drive and copied the whole shared directory.... So there's no software to see that, huh?

    If that was the case, and even if you were auditing, it would just look like your boss copied the files himself. The sharing of the password undermined everything.
  • Arvean (Member, Posts: 87)
    cbigbrick wrote: »
    USBDeview - View all installed/connected USB devices on your system

    Looks pretty cool. I've been playing with it in the lab.

    YOU ARE THE MAN!!!

    This is exactly what I need. We have a policy in the office that nobody can use flash drives (except for me, and I have only 2). I'll scan the office for any "hostile" flash drives tomorrow...

    Sounds like Friday Fun... I really want to get that guy... Don't you just hate when somebody messes with your system in such a rude way?

    You guys are the best, thank you so much for all your feedback...
  • shednik (Member, Posts: 2,005)
    LarryDaMan wrote: »
    Interesting thread and scenario; inside attacks have the potential to be really dangerous.

    Off topic a little, but the more I read about the C|EH from the pen testing "community", the less I want to take the exam. Talk about no respect. It might as well be Hacker+ from CompTIA. :) There are many many examples of this, but here is one that I just read today.

    "We all know that ISC2 and GIAC aren’t going anywhere. As to the others, I think we will see some of them stay around where others such as EC Council’s will disappear." Kevin Johnson, GCIA GCIH GCFA GWAS CISSP CEH IBM CSE Inet+

    Granted the guy teaches for SANS, so he may be biased, but there doesn't seem to be a lot of love for the C|EH out there in general.

    Full Interview of Kevin Johnson
    The Ethical Hacker Network - Interview: Kevin Johnson of SANS, InGuardians

    Go for the OSCP instead...more fun and more of a challenge!
  • LarryDaMan (Member, Posts: 797)
    shednik wrote: »
    Go for the OSCP instead...more fun and more of a challenge!
    It does look good, the course and certification are relatively cheap ($550-$700), and I can earn 40 CPEs towards CISSP recertification.

    "The OSCP is one of very few certifications which actually proves practical ethical hacking skills."

    Hmm... :)
  • tiersten (Member, Posts: 4,505)
    Arvean wrote: »
    This is exactly what I need. We have a policy in the office that nobody can use flash drives (except for me, and I have only 2). I'll scan the office for any "hostile" flash drives tomorrow...
    All it proves is that somebody plugged one in. It doesn't say who it was or what they did with the drive.
  • Arvean (Member, Posts: 87)
    tiersten wrote: »
    All it proves is that somebody plugged one in. It doesn't say who it was or what they did with the drive.

    True, but that's more than enough to know if something actually happened. We're a small office, nobody uses flash drives.. ;)
  • dynamik (Banned, Posts: 12,312)
    LarryDaMan wrote: »
    It does look good, the course and certification are relatively cheap ($550-$700), and I can earn 40 CPEs towards CISSP recertification.

    "The OSCP is one of very few certifications which actually proves practical ethical hacking skills."

    Hmm... :)

    Yea, then you can do GPEN after that.