Tech or Treat: The forensic investigation

Thomas Zucker-Scharff
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
It all started with a phone call. The then-acting director of the Office of Research Computing called to ask me to remotely shut down my computer. It was Yom Kippur, Wednesday, October 12, 2016.

I am not overly religious, but I do take off for the Jewish High Holidays, which include Yom Kippur. The Director of the Office of Research Computing, a colleague of mine, emailed me on Yom Kippur of 2016 to ask me to shut down my computer because:

"We are getting alerts that device CNCCR0J, which I believe is yours, is engaged in activity that is abusing [institution name] Active Directory. If you have initiated this activity, then this activity must stop immediately. If you have not engaged in this activity, then your computer is infected and must be disconnected from the network immediately. If I do not hear back from you by 2:40 today, then we will disconnect the computer.

If you did not engage in this activity, then we need to remove device CNCCR0J for forensic investigation."

I suggested the "activity" in question might be due to software I used to scan the network, but was assured that was not the case.

This was not a big deal for me in that I could easily remote in and perform a shutdown on the machine in question - my primary work machine.  I immediately did so and emailed back informing him that it was done.  Now came the start of a saga that lasted from 10/12/16 to 11/29/16.  Our parent company wanted to do a forensic analysis on the machine and needed to take it to their facility in Yonkers to do so.  I didn't think this would be a problem, except they didn't do a complete test until 11/01/16 when I received a notification, through TeamViewer, that the computer had come online.

The kicker here was that my computer is probably one of the most secure computers on campus.  Between the several anti-ransomware programs and monitoring apps, along with standard endpoint protection, I have never had a problem.  When I asked for the logs that would indicate why the machine was identified as causing a problem, I was told that only the Director of the Office of Research Computing could request these, and he refrained from doing so.

This was a nightmare if ever there was one.  I was lucky enough to have a spare laptop hanging around which I used while my primary machine was unavailable.  I wouldn't have been half as frustrated if something had indeed been found.

When I did finally get my machine back, nearly 2 months later, there was no discernible difference (a friend kept telling me I would probably get it back wiped). Some software had to be re-registered, for different reasons. I never did find out why this all happened in the first place...

I recently did an even more intrusive scan of our network using a Kali Linux machine and ran Nmap/Zenmap. This raised no flags.
