Solved

Analysing what a sales rep had done to his laptop!

Posted on 2011-03-15
3
338 Views
Last Modified: 2012-05-11
odd request perhaps but we have had a situation where a sales rep has attempted to steal coompany data to a business competitor of ours.  The guy has been using his own personal webmail to email out documents and databases to himself and this other company.  As malicious as this is we cant see a way of being able to track what he has done with any real conviction.  The laptop runs Windows 7 and yes we have had a look at his internet history but what we really need is something that can prove that he has attempted to steal company files. Hindsight is a wonderful thing as we would have installed spy software to record such activities but is there anything that can be used to do something similar retrospectively..???

Any help here would be greatly appreciated.

Thanks.
0
Comment
Question by:philipgecko
  • 2
3 Comments
 
LVL 61

Expert Comment

by:btan
Comment Utility
ideally you are looking at data loss prevention solution. there are many when you start googling this term, some include endpoint, server and network control and checks for such leakage. there can be content filtering at network not endpoint only for keyword to identify sensitive data and control the surfing, some are from blucoat k9, etc.

for your retrospective case, it is to establish chain of evidence. area to check out are minimally

a) window event log for audit (if enabled) to check who login, and file access.

http://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx

b) establish browser history, site accessed

http://pentestit.com/2010/07/28/web-historian-tool-detailed-report-browser-history/

some ref on using tool to sieve out more info
http://symantec.com/connect/articles/web-browser-forensics-part-1
0
 
LVL 47

Accepted Solution

by:
dlethe earned 250 total points
Comment Utility
First, if you plan legal action then stop everything and call in a certified computer forensic pro.  But realistically, at this point you've tainted everything so it is certainly too late to be able to defend somebody that you set him up. As breadtan said there are just so many articles out there then you might as well be asking how to write a computer program.

So i'll think outside of the box and address a few things that are more vital ...

Take a binary image if the disk drive. then you can work on copies and preserve the original in case you need it later. (or what is left of the original). Make several copies.

You can't just boot an operating system and poke around to the booted drive.  In linux, for example, you can mount the entire disk read-only which will prevent you from mucking things up.

I'm thinking outside of the box, so I would contact a judge to get him/her get a warrant so you can take it to the ISP to get his email logs.  

Get a binary editor that can read the entire raw disk, and then search for strings such as some likely email addresses.   This will find files, bits of files, deleted files, and everything that is still on the HDD.  From there just look at it.  
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
Comment Utility
Establishing timeline will be useful for the trails too. Check out these two links
@ https://computer-forensics.sans.org/community/downloads/#howto
@ http://blog.kiddaland.net/2010/05/timeline-analysis-101/

The second link  highlights the key parameters to look for out in the browsing activities. I see that if the browsing activities and the hash of the leaked files has close proximity to its access time and visit to particular website, there may be some correlation to be done. Though it does not mean that it is uploaded but it would be possible that each time user access a file through web browser, the browser caches or stores it. This normally makes it easier for the browser to retrieve data for a smoother experience while surfing the web.

See this (starting form slide 33)  https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-akin.pdf
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now