Archive for March, 2014

Is there a nephologist in the building?

Cloud computing

Nephologist (nɪˈfɒlədʒɪst)
-noun (rare)
(meteorology) an expert or specialist in the study of clouds

The advent of cloud computing and cloud storage has undoubtedly had a huge impact on the business and forensic stratosphere. An increasingly common answer to the question “where is your data stored?” is a shrug of the shoulders and a point to the sky.

This can have a serious impact on the security of an organisation’s data and on any subsequent forensic investigation. No longer is the dishonest employee required to employ cloak and dagger tactics to smuggle hardware from the premises. No longer are we called upon to investigate physical items that can be removed to a secure lab and, as such, Computer Forensic investigators are becoming nephologists.

Data can be transferred, synced and/or downloaded outside the firewall in minutes, so it is more important than ever to know what data is vital to your business and who can access it. We recently undertook an investigation where an employee in a data-sensitive industry had installed a well-known cloud storage facility, transferred thousands of files and then searched Google for “how to uninstall [cloud storage facility]”. The elapsed time from install to uninstall was a little more than 4 minutes; if the internet history for the device had not been available, the outcome of that matter could have been very different.

There are clearly huge business advantages associated with the cloud. However, bearing in mind the strapline of one leading provider’s cloud service, “your stuff, anywhere”, the prudent business owner must exercise caution when choosing the right cloud service for business-sensitive data.

If you do fancy a bit of atmospheric storage, Kroll Ontrack’s team of experienced ‘techno-nephologists’ are able to assist you in implementing a bespoke Forensic Readiness Plan to ensure that you are perfectly placed to prevent the loss of key data, and also on hand to help uncover key evidence if an incident does occur.

Into the Shadows

Some time ago, we received a request for digital forensic work. The scope of the enquiry was: “a network administrator is under investigation and has deleted all of their email from the Exchange server, destroyed the backups, purged the dumpster, deleted their localised Outlook email content and then wiped all of the free space on their laptop. Can you find their email please?” Impossible? Well, maybe not: if you look in the darkest recesses of a computer you might get lucky, because some data might be lurking in the ‘shadows’.

The Volume Shadow Copy service on Windows-based computers (available in Windows Vista through to Windows 7) is ‘on’ by default. It ultimately offers the user the ability to restore previous versions of files, or to carry out a complete restoration of previous configurations that the Windows OS has ‘conveniently’ backed up on the local drive. In Windows 8 this service is still present but is now called ‘File History’.

Whilst these ‘shadows’ are not accessible via normal analysis tools, they can be accessed using forensic tools, and they can include internet history, pictures, documents and complete email containers (OSTs) that may since have been deleted from the ‘live’ files of a user. Consequently, it was time to get out the forensic toolkit!
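As an added example, not part of the original post, the PowerShell below shows one way an examiner can look into those shadows on a Windows analysis system: it enumerates the shadow copies of a volume, exposes each snapshot as a directory link, and lists the Outlook OST containers found inside, flagging whether each file still exists on the live volume. It must run elevated; the drive letter and link directory are assumed values.

```powershell
# Added example (not the original post's code): list Outlook OST files held in
# Volume Shadow Copies and report whether they still exist on the live volume.
$DriveLetter = 'C:'                 # assumed: volume whose shadows are examined
$LinkRoot    = 'C:\ShadowMounts'    # assumed: where each snapshot is exposed

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the \\?\Volume{GUID}\ form,
# so they can be matched directly to find the shadows belonging to this volume.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $DriveLetter }).DeviceID
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate

New-Item -ItemType Directory -Path $LinkRoot -Force | Out-Null

$results = foreach ($s in $shadows) {
    $stamp = $s.InstallDate.ToString('yyyyMMdd_HHmmss')
    $link  = Join-Path $LinkRoot "shadow_$stamp"
    # Each snapshot is a device object (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN);
    # a directory symbolic link to it, with the trailing backslash, lets ordinary
    # file tools read the frozen copy without modifying it.
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null

    Get-ChildItem -Path $link -Filter *.ost -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Map the snapshot path back onto the live volume to test whether the
            # container has since been deleted from the user's 'live' files.
            $livePath = $_.FullName.Replace($link, $DriveLetter)
            [pscustomobject]@{
                ShadowCreated = $s.InstallDate
                ShadowPath    = $_.FullName
                SizeMB        = [math]::Round($_.Length / 1MB, 1)
                StillLive     = Test-Path -LiteralPath $livePath
            }
        }

    # rmdir removes only the link, never the snapshot behind it.
    cmd /c rmdir "$link" | Out-Null
}

$results | Sort-Object ShadowCreated | Format-Table -AutoSize
```

Rows with StillLive set to False are the candidates the post describes: OST containers that survive only in a snapshot, which can then be copied out for parsing with the usual email forensic tooling.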

After a few hours of analysis, we recovered the network administrator’s complete OST email container, which totalled 2.5GB and held over 3,000 emails spanning 2 years. It included the incriminating evidence that the client wanted (and the administrator had tried to hide), showing that the administrator had been accessing other people’s email accounts in an unauthorised manner and collating sensitive HR material within their own email account.

In conclusion, when all else fails and you think there is no hope, have someone train a light on the shadows; you might be in luck.

About Julian Sheppard

Julian has extensive experience with a broad spectrum of criminal and data breach investigations, computer security compliance and auditing. With a counter-intelligence background specialising in information systems and document security, he is trained and certified in digital forensic examination techniques by various government, local and international law enforcement agencies. Prior to joining Kroll Ontrack, Julian spent 22 years as a member of the Royal Air Force Police, serving within the SIB Computer Forensics Unit and dealing with indigenous military and civilian police investigations. Since leaving the military, Julian has worked as a digital forensic specialist on several high-profile criminal cases for law enforcement and on civil cases. Julian has experience presenting in court as an expert witness and is an EnCase Certified Examiner (EnCE).