Solved

Analysing what a sales rep had done to his laptop!

Posted on 2011-03-15
3
351 Views
Last Modified: 2012-05-11
odd request perhaps but we have had a situation where a sales rep has attempted to steal coompany data to a business competitor of ours.  The guy has been using his own personal webmail to email out documents and databases to himself and this other company.  As malicious as this is we cant see a way of being able to track what he has done with any real conviction.  The laptop runs Windows 7 and yes we have had a look at his internet history but what we really need is something that can prove that he has attempted to steal company files. Hindsight is a wonderful thing as we would have installed spy software to record such activities but is there anything that can be used to do something similar retrospectively..???

Any help here would be greatly appreciated.

Thanks.
0
Comment
Question by:philipgecko
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 64

Expert Comment

by:btan
ID: 35143606
ideally you are looking at data loss prevention solution. there are many when you start googling this term, some include endpoint, server and network control and checks for such leakage. there can be content filtering at network not endpoint only for keyword to identify sensitive data and control the surfing, some are from blucoat k9, etc.

for your retrospective case, it is to establish chain of evidence. area to check out are minimally

a) window event log for audit (if enabled) to check who login, and file access.

http://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx

b) establish browser history, site accessed

http://pentestit.com/2010/07/28/web-historian-tool-detailed-report-browser-history/

some ref on using tool to sieve out more info
http://symantec.com/connect/articles/web-browser-forensics-part-1
0
 
LVL 47

Accepted Solution

by:
David earned 250 total points
ID: 35144790
First, if you plan legal action then stop everything and call in a certified computer forensic pro.  But realistically, at this point you've tainted everything so it is certainly too late to be able to defend somebody that you set him up. As breadtan said there are just so many articles out there then you might as well be asking how to write a computer program.

So i'll think outside of the box and address a few things that are more vital ...

Take a binary image if the disk drive. then you can work on copies and preserve the original in case you need it later. (or what is left of the original). Make several copies.

You can't just boot an operating system and poke around to the booted drive.  In linux, for example, you can mount the entire disk read-only which will prevent you from mucking things up.

I'm thinking outside of the box, so I would contact a judge to get him/her get a warrant so you can take it to the ISP to get his email logs.  

Get a binary editor that can read the entire raw disk, and then search for strings such as some likely email addresses.   This will find files, bits of files, deleted files, and everything that is still on the HDD.  From there just look at it.  
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 35174250
Establishing timeline will be useful for the trails too. Check out these two links
@ https://computer-forensics.sans.org/community/downloads/#howto
@ http://blog.kiddaland.net/2010/05/timeline-analysis-101/

The second link  highlights the key parameters to look for out in the browsing activities. I see that if the browsing activities and the hash of the leaked files has close proximity to its access time and visit to particular website, there may be some correlation to be done. Though it does not mean that it is uploaded but it would be possible that each time user access a file through web browser, the browser caches or stores it. This normally makes it easier for the browser to retrieve data for a smoother experience while surfing the web.

See this (starting form slide 33)  https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-akin.pdf
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question