Tech or Treat: The forensic investigation

Thomas Zucker-Scharff, Senior Data Analyst
CERTIFIED EXPERT
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
It all started with a phone call. The then acting director of the Office of Research Computing called to ask me to remotely shut down my computer. It was Yom Kippur, Wednesday, October 12, 2016.

I am not overly religious, but I do take off for the Jewish High Holidays, which include Yom Kippur. The Director of the Office of Research Computing, a colleague of mine, emailed me on Yom Kippur of 2016 to ask me to shut down my computer because:


"We are getting alerts that device CNCCR0J, which I believe is yours, is engaged in activity that is abusing [institution name] Active Directory. If you have initiated this activity, then this activity must stop immediately. If you have not engaged in this activity, then your computer is infected and must be disconnected from the network immediately. If I do not hear back from you by 2:40 today, then we will disconnect the computer.

If you did not engage in this activity, then we need to remove device CNCCR0J for forensic investigation."


I suggested the "activity" in question might be due to software I used to scan the network, but was assured that was not the case.


This was not a big deal for me, in that I could easily remote in and perform a shutdown on the machine in question, my primary work machine. I immediately did so and emailed back informing him that it was done. Now came the start of a saga that lasted from 10/12/16 to 11/29/16. Our parent company wanted to do a forensic analysis on the machine and needed to take it to their facility in Yonkers to do so. I didn't think this would be a problem, except that they didn't do a complete test until 11/01/16, when I received a notification through TeamViewer that the computer had come online.


The kicker here was that my computer is probably one of the most secure computers on campus. Between the several anti-ransomware programs and monitoring apps, along with standard endpoint protection, I have never had a problem. When I asked for the logs that would indicate why the machine was identified as causing a problem, I was told that only the Director of the Office of Research Computing could request these, and he refrained from doing so.


This was a nightmare if ever there was one.  I was lucky enough to have a spare laptop hanging around which I used while my primary machine was unavailable.  I wouldn't have been half as frustrated if something had indeed been found.


When I did finally get my machine back, nearly 2 months later, there was no discernible difference (a friend kept telling me I would probably get it back wiped). Some software had to be re-registered, for different reasons. I never did find out why this all happened in the first place...


I recently did an even more intrusive scan of our network using a Kali Linux machine and ran Nmap/Zenmap. This raised no flags.


