A client recently called me with some bad news. "Our CFO's laptop was just stolen!" he told me - "What should we do?" My immediate response (and out loud, I'm afraid) was "Fire up the Delorean, go back in time and encrypt the drive". Needless to say, he wasn't keen on my response, even though I offered up a spare flux capacitor - maybe his Delorean was in the shop.
His response actually surprised me: "We're actually in the middle of a WDE (Whole Disk Encryption) project. The CFO's laptop was scheduled for next week (delayed at his request)". But no matter how good that project is, it wasn't helping us today.
The challenge we then had was to prove to the CFO, one way or the other, that sensitive data did or did not exist on the laptop. Having just taken SANS FOR408, I know for a fact that even if he didn't save anything to the laptop, the presence of files and either parts of or full files are strewn across the file structure, registry and a kazillion other locations on the machine. Let's assume that the user didn't download anything to the "downloads" directory, and didn't have "I don't know where I saved that file" files strewn across his local profile and drive (even though that's extremely likely).
I'll update this story in a week or so with how the story played out, and how we made the point to the CFO.
Rob VandenBrink 579 Posts ISC Handler Jul 12th 2013
Jul 12th 2013 8 years ago
Follow the bread crumbs... I mean .lnk files on the hard drive. Also, look for any/all "saved passwords" in Internet Explorer. Look at file cache as well - there may be some partial file content there and deleted files for sure. Happy hunting!
Anonymous |
Jul 12th 2013 8 years ago |
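The .lnk route from the comment above, as an added example that is not code from the thread or from ISC: a minimal parser for the Windows Shell Link format (MS-SHLLNK), which is what Explorer writes into the user's Recent folder every time a file is opened. A shortcut records the target's full local path, its size and its timestamps at the moment of the last open, so even a file that was only "viewed, never saved" leaves a trace. The sample link is constructed by build_sample_lnk() so the script runs offline; on a real case you would point parse_lnk() at links recovered from a backup or image of the laptop.

```python
"""Minimal Windows Shell Link (.lnk) parser, following the MS-SHLLNK layout.

Added example, not from the ISC thread.  The sample .lnk below is constructed
in build_sample_lnk(); real ones would come from a restored backup or image
(for Windows 7, %AppData%\\Microsoft\\Windows\\Recent).
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic so large tick counts do not lose precision in a float."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _read_string_data(data, pos, unicode):
    """One StringData entry: CountCharacters (u16) followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252"), pos + count


def parse_lnk(data):
    """Return the forensic essentials of a .lnk: target path, timestamps, size."""
    (header_size, clsid, flags, attrs, ctime, atime, wtime, size) = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size

    # LinkTargetIDList is skipped here; the LinkInfo block carries the plain path.
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size

    local_path = None
    if flags & HAS_LINK_INFO:
        info_start = pos
        (info_size, _hdr_size, info_flags, _vol_off, base_off) = struct.unpack_from(
            "<IIIII", data, info_start)
        if info_flags & 0x01:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", info_start + base_off)
            local_path = data[info_start + base_off:end].decode("cp1252")
        pos = info_start + info_size

    strings = {}
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            strings[key], pos = _read_string_data(data, pos, unicode)

    return {"local_path": local_path, "file_size": size, "file_attributes": attrs,
            "creation_time": filetime_to_datetime(ctime),
            "access_time": filetime_to_datetime(atime),
            "write_time": filetime_to_datetime(wtime), **strings}


def build_sample_lnk(target, size, when):
    """Constructed sample: a link with a LinkInfo block and a RelativePath string."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    ft = datetime_to_filetime(when)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    # LinkInfo: 28-byte header, 17-byte VolumeID, LocalBasePath, CommonPathSuffix
    path_bytes = target.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
    base_off = 28 + len(volume_id)
    suffix_off = base_off + len(path_bytes)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x01, 28, base_off, 0, suffix_off)
    link_info += volume_id + path_bytes + b"\x00"
    rel = "..\\Documents\\" + target.rsplit("\\", 1)[-1]
    rel_data = struct.pack("<H", len(rel)) + rel.encode("utf-16-le")
    return header + link_info + rel_data + b"\x00\x00\x00\x00"  # empty ExtraData


SAMPLE_TARGET = "C:\\Users\\cfo\\Documents\\Q3_forecast.xlsx"  # constructed
SAMPLE_TIME = datetime(2013, 7, 10, 14, 30, tzinfo=timezone.utc)
SAMPLE_LNK = build_sample_lnk(SAMPLE_TARGET, 48640, SAMPLE_TIME)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:16} {value}")
```

Run over a whole Recent folder, the local_path and write_time fields give a dated list of every document the user opened from the laptop, which is exactly the evidence needed to settle the "I never saved anything" argument.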
Firefox profile may contain stored passwords. It will contain cookies (perhaps login cookies which won't prompt for auth for a given amount of time). Regardless, all of his accounts should require password changes.
Firefox and OS/IE may contain user Certificates - all of these should be revoked and reissued. A proper Document Management / DLP system would be able to track exactly what was checked out to his laptop. Outside of the DM offline storage, no documents/files should be allowed to be created or stored by the user.
Anonymous |
Jul 12th 2013 8 years ago |
There were a few different things that came to mind when I read the posting, but the one that immediately came to mind would be the CFO's local email storage. If his company is using Outlook and had offline email enabled, any attachments would be available or any emails detailing access that he'd been granted. There is also the possibility that he would have intentionally created PST archives or unintentionally if auto archiving was enabled.
Anonymous |
Jul 13th 2013 8 years ago |
Is it just me, or are others receiving multiple notifications of this story? I've gotten 17 since 8:15 PM CST.
Dan 9 Posts |
Jul 13th 2013 8 years ago |
We're experiencing a system glitch, which is sending out multiple notifications by mistake. We're investigating the issue to stop this.
Lenny 216 Posts |
Jul 13th 2013 8 years ago |
This may sound lazy but I would just fire up Recuva. Afterwards I would go the prefetch/.lnk route to chase down artifacts that were still present.
jono 11 Posts |
Jul 13th 2013 8 years ago |
If the user saved a file to the Windows "Desktop", and "System Restore" was enabled (as it is by default), then each saved checkpoint will save a copy of that file. So, fire up the Delorean, and press the System Restore button to take the computer back in time.
Of course, this "trick" also works if the user has deleted the file, and then had an "oh-no-second" moment of regret, and calls the IT Help Desk to see if they can restore the file.
Anonymous |
Jul 13th 2013 8 years ago |
If it's a Windows 7 box I would start with taking an image of the disk (point in time) and then look into Volume Shadow Copies - surely cheaper than getting the Delorean running again.
Next: scalpel/foremost to see what was there, browser caches, registry scan for USB media used and finding that media to see contents. BTW, does anybody remember the scripts someone created to inspect shadow copies in a more efficient way? I remember it was discussed about 2 years ago on some podcast...
Tomasz 3 Posts |
Jul 15th 2013 8 years ago |
How often does the CFO empty his recycle bin...
Nicolas 4 Posts |
Jul 15th 2013 8 years ago |
Am I missing something? How would you be able to do any of the above if his laptop (read: hard drive) was stolen? How do you system restore something you don't have in your possession? How do you view local browser activity when most of that stuff is stored locally?
Wouldn't you be limited to the server end of things here? For example web server access/error logs, data server logs, web filter logs, etc.? If he was utilizing Firefox's sync feature you might be able to see his history/favorites etc. that way, and retrace his steps and show how just accessing these files through a web browser leaves data behind. Does the client use roaming profiles? If so, logging into another machine with his profile, then logging off and scraping for any juicy data might be another avenue to pursue. Was his machine or machine data backed up to any kind of remote storage?
Nicolas 3 Posts |
Jul 15th 2013 8 years ago |
nunya - assuming the CFO's laptop is being backed up, one could simply restore the most recent backup somewhere. Then you could start poking around in the restored system to see if there was anything sensitive stored on the now stolen drive.
Brent 133 Posts |
Jul 15th 2013 8 years ago |
Being a unix geek, in addition to all of the things mentioned above, one might (after recovering files from the CFO's laptop backups) run find and egrep to look for any file containing what looked like a social security number or credit-card number. If you know what the bank account numbers are, one could grep for those too. That might be a quick way to find files to then take a closer look at with Word or Excel or whatever tool reads that particular format of file.
Brent 133 Posts |
Jul 15th 2013 8 years ago |
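The find/egrep idea from the post above, written out as an added example (not code from the thread or from ISC) in Python so it runs the same way on a restored Windows backup or a Linux mount of the image. Plain regexes for nine- and sixteen-digit runs drown you in invoice numbers and serials, so the script narrows the SSN pattern to the ranges the SSA actually issues and runs a Luhn check on card-like runs; the sample "restore" is constructed in make_sample_tree() and includes one digit run that looks like a card but fails Luhn, to show the filter doing its job.

```python
"""Scan a restored backup tree for files that appear to hold SSNs or card numbers.

Added example, not from the ISC thread.  make_sample_tree() builds a small
constructed 'restore'; on a real case, call scan_tree() on the restored path.
Note that modern Office files (.docx/.xlsx) are zip containers, so unpack or
convert them to text first; this script reads files as raw bytes.
"""
import os
import re
import tempfile

# SSN: three groups; area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-like: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn mod-10 check: every real card number passes, most random runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (kind, matched_text) pairs found in one document's text."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("card", m.group(0)))
    return hits


def scan_tree(root, max_bytes=50 * 1024 * 1024):
    """Walk `root` and return sorted (relative_path, kind, match) findings.

    Files are decoded as latin-1 so that digit runs inside binary or
    unknown-encoding files still match instead of raising decode errors.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue  # skip huge archives/VM images; handle those separately
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")
            for kind, match in scan_text(text):
                findings.append((os.path.relpath(path, root), kind, match))
    return sorted(findings)


def make_sample_tree():
    """Constructed sample restore: one payroll memo with a real-looking SSN and a
    Luhn-valid test card number, one agenda with a serial that fails Luhn, one
    clean file.  All values are made up."""
    root = tempfile.mkdtemp(prefix="cfo_restore_")
    samples = {
        "Documents/payroll_note.txt":
            "J. Doe SSN 219-09-9999, corporate card 4111 1111 1111 1111\n",
        "Documents/board_agenda.txt":
            "Q3 review, 10:00, room 4. Projector serial 1234-5678-9012-3456\n",
        "Desktop/readme.txt": "Nothing sensitive here.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel_path, kind, match in scan_tree(make_sample_tree()):
        print(f"{kind:4}  {match:24}  {rel_path}")
```

The output is a short list of files worth opening by hand in Word or Excel, which is what the post was after: a triage list, not proof. A run of digits that passes Luhn can still be an account number or a coincidence, and the regexes miss numbers split across cells or lines, so treat the hits as leads and the empty result as "nothing obvious", not "nothing sensitive".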