

Tech or Treat: The forensic investigation

Thomas Zucker-Scharff
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
It all started with a phone call. The then acting director of the Office of Research Computing called to ask me to remotely shut down my computer. It was Yom Kippur, Wednesday, October 12, 2016.

I am not overly religious, but I do take off for the Jewish High Holidays, which include Yom Kippur. The Director of the Office of Research Computing, a colleague of mine, emailed me on Yom Kippur of 2016 to ask me to shut down my computer because:

"We are getting alerts that device CNCCR0J, which I believe is yours, is engaged in activity that is abusing [institution name] Active Directory. If you have initiated this activity, then this activity must stop immediately. If you have not engaged in this activity, then your computer is infected and must be disconnected from the network immediately. If I do not hear back from you by 2:40 today, then we will disconnect the computer.

If you did not engage in this activity, then we need to remove device CNCCR0J for forensic investigation."

I suggested the "activity" in question might be due to software I used to scan the network, but was assured that was not the case.

This was not a big deal for me in that I could easily remote in and perform a shutdown on the machine in question - my primary work machine.  I immediately did so and emailed back informing him that it was done.  Now came the start of a saga that lasted from 10/12/16 to 11/29/16.  Our parent company wanted to do a forensic analysis on the machine and needed to take it to their facility in Yonkers to do so.  I didn't think this would be a problem, except they didn't do a complete test until 11/01/16 when I received a notification, through TeamViewer, that the computer had come online.

The kicker here was that my computer is probably one of the most secure computers on campus.  Between the several anti-ransomware programs and monitoring apps, along with standard endpoint protection, I have never had a problem.  When I asked for the logs that would indicate why the machine was identified as causing a problem, I was told that only the Director of the Office of Research Computing could request these, and he refrained from doing so.

This was a nightmare if ever there was one.  I was lucky enough to have a spare laptop hanging around which I used while my primary machine was unavailable.  I wouldn't have been half as frustrated if something had indeed been found.

When I did finally get my machine back, nearly 2 months later, there was no discernible difference (a friend kept telling me I would probably get it back wiped). Some software had to be re-registered, for different reasons. I never did find out why this all happened in the first place...

I recently did an even more intrusive scan of our network using a Kali Linux machine and ran NMAP/Zenmap. This raised no flags.
