I need to pick the brains of all of the resident computer gurus who are willing to help. Here is the situation......

I am working on a case where a group of people hacked into several computer systems, copied a bunch of proprietary information and then deleted the orginals. If you want to categorize this, its not exactly hacking but rather industrial sabotage/espionage.

The alleged perpetrators managed to do this in several steps, whereby they made unauthorized access from an internal computer and also remotely accessed the systems.

We have the ISP's that were used for the remote access, so I just need to subpoena the information. My questions are.....

1) What information would the ISP have that would sbow the access as well as any e-mails or other file transfers that were conducted?

2) Can you think of any way other than email, flash drives, laptops, portable hard drives, removable memory devices (CF/SD,xD,Memory sticks, zip drives, tape backup, DATs, minidisc, floppy, optical magnetic discs, cds, dvds, etc), PDAs, cell phone, and portable computers, to transfer large amounts of data? Obviousy FTP, IM data transfers as well.

3) Any way to see if those items were accessed? Such as a system log that would show a transfer via USB. What information can I get off their individual computers?

Any other ideas?


And for any of you "haxor elites" - this is an internal issue, with employees, so dont try to defend a fellow hacker because that isnt the case.

Thanks.

Not sure that I can answer any of your questions, but it might help to know what kind of a system they accessed (Winodws, Linux, Unix, etc...)

To my knowledge Windows.

Sounds like you need a computer forensics expert. My advice to you would be to get someone as quickly as possible, and don't touch any of the machines that were involved until they have a chance to look at them. If they're on, don't power them down. If they're off, don't turn them on.

There are LOTS of trails to search, but you really need an expert to track them all down. If you don't know what you're doing or what you're looking for, you could delete the tracks just by using the computer. So if it's important stuff & you really want to catch whoever did it, call in an expert ASAP.

:stupid: This is not a job for just anyone. You REALLY need to find an expert.

Ok, I should clarify. We ARE hiring an expert to do the actual forensic work. Unfortunately I need to make it so our expert has access to their computer. As such, I needed to draft a document whereby I ASK for access to EVERYTHING so we can get these people.

Think of it along the lines of fishing. I need to cast the net wide enough to get the fish that we want. Unfortunately, I need to set the net up as well.

Who are you requesting access from? Is this a company? University?

For something like this, you should get the dude to sign an NDA & the get him full domain admin access for the duration of his research.

I DID IT!!!! SEARCH NO MORE!!!! I've sold your information to many black market buyers. Though, many of the buyers were mad because all they got was porn.

but seriously...HDD keep ALL the information in it...even if it's been deleted. tracking...I don't know much about it. But I do know there is a bunch of freeware out there that can recover data. Though...If you're already hiring somebody to track stuff...I'm sure you guys have a budget to buy a program or hire another person to recover data thats WAY much better then freeware.

Ok, without breaking privilege, I can say the following:

My clients is suing ex-employees who broke a number of laws and agreements. I know that at least one of the computers has been "erased" with a "military level" eraser. I have used a similar program in the past and it was pretty thorough. In my instance, it erases everything, writes it all over with junk information, then erases again, repeating for a total of 7 times. Thus, even if they were somehow able to reassemble the information on the drive, it would be the junk that was rewritten.

When you are dealing with sophisticated parties, they tend to have a better grasp on how to eliminate tracks.

The other aspect that everyone seems to be missing is that when you request information in a legal proceeding, you need to be clear in what you are asking them to produce.

SO....I have drafted several different documents wherein I ask for the ISP to turn over all the information related to the ownership of a certain account, the date it was created, linked accounts, emails that were sent, emails that were received, tiimes it was accessed, IP address that was used to access, password/user that logged ino etc.

I figured that some people here might know what information an ISP might maintain on its users that might contain infomration I am entitled for.

Think of it this way....you cant get laid on a date unless someone asks someone to go out on a date.

They can file transfer through a number of options: running their own mail server going out, using the remote control software, sitting in the parking lot on a rogue wireless AP, through hidden shares and vpn tunneling, they could even disguise it as web traffic. Trying to figure that out without having the proper tools already in place at the time of the breach could be difficult.

They could have imaged the hard drive and taken it with them, for that matter.


This is above the knowledge I have, but I can tell you from a few security classes what seems to make sense here:

Preserve the chain of evidence. Don't let anyone touch the computers, secure the area they are in.
File a police report.
Let your expert get an image of every hard drive involved before you start working. Ship it off to a secure vault. It allows you to research on a machine without having to fear about more methods they used to cover their tracks (rootkits, timebombs and other malware.) It's also proof that you didn't alter the machine.

See what you can do about subpoening your suspects machines, ISP address logs and so forth.

Take steps to ensure this doesn't happen again. Link:
http://www.securityfocus.com/archive/104/443804/30/0/threaded

Read the chain of comments here:
http://www.securityfocus.com/archive/104/438947/30/0/threaded

Post your question to Security Focus's forensic's mailing list:
http://www.securityfocus.com/archive
These guys are pretty good, but you'll probably get conflicting advice on what to do first.

I hope they don't know that you post here....I don't think you'd have much of an advantage if they knew what you were up to.

OK, I see what you're looking for.

First, even when a drive has been wiped several times, it still leaves 'ghost' images that MAY be recovereable. I don't recall the exact science behind it - someone explained it to me once and it made sense at the time. You'll want to talk to someone with specific skills in data recovery, and it'll probably be expensive just to make the attempt (like a couple grand or so).

For the ISP, also check to see what log files they keep - especially if they're using a proxy server or filter. They may have a log of all sites visited by these guys.

I'm assuming some of this was done remotely from someone's house?

If so, what ISP are you requesting data from? You'll probably want it from the personal ISP of whoever was involved, as well as the company's service provider (in case they're monitoring incoming traffic).

How about devices on the company's side? Firewall, IPS, IDS - any type of security system should have logs of the IP addresses coming in & the machine they're connecting to.

Can you subpoena their personal machines? Lots of info to be gained from there as well...