Digital Investigations

Computer Forensics based just outside of Christchurch, New Zealand. We have worked on everything from divorce cases through to child exploitation. We are located on the web at www.digitalinvestigations.co.nz

Thursday, January 25, 2007

Recent Activity

If you suspect you are suffering data theft, act quickly. Items such as the recent file activity that Windows stores and the recently used file lists kept by other applications do not hang around for ever. Also be careful when doing your own investigation: if you change the times and dates of recently accessed files, it makes it hard for an investigator to track down when the original activity occurred.
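As an added example (not code from the original post), the following Python script records the timestamps and a hash of every file under a directory before anyone starts opening files. The stat() call is made before the file is read, so the recorded access time is the one that existed before this script ran; a second snapshot taken later can then be compared to see what has changed. The directory path is whatever the caller supplies and nothing here refers to a specific case.

```python
"""Record file timestamps and hashes before an investigation touches the files."""
import hashlib
import os
from datetime import datetime, timezone


def snapshot_file(path):
    """Capture a file's timestamps first, then hash its content.

    os.stat() runs before the file is opened because reading a file can update
    its access time on some filesystems; the recorded atime is therefore the
    value as it stood before this script touched the file.
    """
    st = os.stat(path)
    record = {
        "path": path,
        "size": st.st_size,
        "atime": datetime.fromtimestamp(st.st_atime, timezone.utc).isoformat(),
        "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
    }
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    record["sha256"] = digest.hexdigest()
    return record


def snapshot_tree(root):
    """Return one record per regular file under root, sorted by path."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                records.append(snapshot_file(full))
    records.sort(key=lambda r: r["path"])
    return records


def diff_snapshots(before, after):
    """Paths whose content hash or modification time differ between two snapshots,
    plus any path that appears only in the later snapshot."""
    earlier = {r["path"]: r for r in before}
    changed = []
    for rec in after:
        prev = earlier.get(rec["path"])
        if prev is None or prev["sha256"] != rec["sha256"] or prev["mtime"] != rec["mtime"]:
            changed.append(rec["path"])
    return changed


if __name__ == "__main__":
    import json
    import sys

    # Usage: python snapshot.py <directory>   (prints the snapshot as JSON)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(snapshot_tree(target), indent=2))
```

Keep the JSON output somewhere the suspect cannot reach; it is the record of what the timestamps looked like before anyone began poking around.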

Nigerian Money Scams

I used to laugh off Nigerian money scams - HA! Who would fall for such a badly worded email from General Booba Boobala? Well, apparently Americans do, to the tune of $1 million per day. Yes, per day, according to the following reputable source:

http://www.crimes-of-persuasion.com/Crimes/Business/nigerian.htm

Friday, January 19, 2007

Employee Theft - Forensics

There are many computer forensic companies that will tell you whether data has been stolen by analyzing a PC. Sure, you may hit pay dirt analyzing one computer, but when employees are colluding things get a little tricky, especially if they are going about things in a crafty manner. A computer may be just one piece of the puzzle. Take that piece, add another piece of information found elsewhere, plus the gossip you just picked up from the milkman, and you may be able to form the complete picture. There are various sources that should be tapped for information, and these may include:

  • Phone Records
  • Internet Browsing Records
  • Email Patterns
  • File Access Times & Dates
  • Insertion Dates & Times of USB Media
  • Alarm and Door Entry Times & Dates
  • Discarded Media
  • Trash Bins
Theft of company data can be a show stopper and you have to start thinking outside the square to catch people. You have to profile the suspect to get an understanding of their technical ability. I have been told in the past that this person was a simple user, but when the PC was analyzed, wiping tools, cracks, encryption software and a myriad of burning and conversion tools were found. Take things with a grain of salt and proceed from there.

Good Luck,
Digital Investigations

Apple iPOD Forensics

Digital Investigations can now offer Apple iPOD Forensics. Consider that an iPOD may contain an 80GB hard drive and that an employee may connect an iPOD to a computer via USB and "slurp" data off onto the iPOD's hard drive.
We may be able to recover deleted files that prove the employee has downloaded sensitive corporate information. Here is a tip for a company: if users are going to be allowed to connect iPODs, make sure they are company-owned iPODs; the company should then have less of an issue when it comes to investigating possible dubious activities involving such a device. If the suspect has been using their own iPOD and you suspect that it holds company data, obtaining the iPOD becomes a lot trickier.

When looking to see whether an iPOD has been connected, one of the first giveaways is that the Apple iTUNES software may have been installed on the suspect's computer.

Regards,
Digital Investigations

MYOB - Mind Your Own Business

The Mind Your Own Business (MYOB) suite of products is one of the most popular amongst small businesses in New Zealand. With products such as the MYOB PDF manager, you may have had a staff member sabotage or try to hide computer evidence. Digital Investigations may be able to help you recover that evidence.

Wednesday, January 17, 2007

New Year - Outlook

Well, not much blogging activity recently as I have been too busy. This new year has started off with a bang, with us helping to obtain a conviction for movie piracy. I am also working on an interesting case at the moment. It seems that data theft is a rather prevalent activity at the moment.

I thought I'd mention a little bug in Outlook -- forgive me as I don't have references on hand, but when you open an attachment from within certain unpatched versions of Outlook and close Outlook while the viewer is still open, that file cannot be deleted from the "secure" storage in /*/*/Temporary Internet Files/OL*
Have a look; you may find a wealth of attachments here.

Also, if you are using Exchange and do not have PST files on the local computers, you may not have a record of internal email correspondence. I will leave you to think on this further....

Thank you,
Digital Investigations

Wednesday, October 18, 2006

Shared Computers


The New Zealand mentality seems to be to keep office costs down as much as possible. Real Estate agents share the one PC that the receptionist uses; three-person lawyer offices have all their information typed up by the receptionist at the front desk, and they use that same PC for browsing the internet when they need some research done while the receptionist is at lunch. All of this leads to one messy machine should an investigation be required. This not only complicates the investigation, but will increase its cost.

Digital Investigations was called in to investigate an information leakage case at a prominent office, only to find after asking a few questions that the machine was shared by around seven people, including the suspect. Not only did they share the same machine, but they all ran out of one account – administrator. This makes it hard, if not impossible, to track certain activities. Who can remember when Flossy was using the PC and when Harry was?

If you run a business where leaked data could spoil court cases or sales, for example, then preventative measures should be taken. Some sales are not small: Real Estate sales commissions sit at around $15,000 and up, and if you have a sales person leaking information to other vendors, you could easily lose many sales per year.

If you have limited resources, at least set up the PCs so that users have separate log-ons and passwords are not passed around. Reflect this in your IT Security Policy: an employee may be dismissed for activities such as revealing account information and passing on sensitive information.

What do you do when you come up against someone you suspect is leaking information? The first thing to do is to obtain legal advice, and the second is to call a specialist computer forensic firm such as Digital Investigations. New Zealand Employment Law can be an absolute minefield, so you do not want to approach the person and say, “We’re firing you for downloading pornography” or “We think you’ve been leaking information to Bob’s company. Goodbye!” If the person pleads not guilty, they are well within their rights to take you to task for unfair dismissal, especially when there is no proof, and if you take eight months and can’t prove such charges, then you are up for a serious payout to your ex-employee.
Digital Investigations can assist by coming in when the employee is not present and imaging the hard drive. An investigation can begin without the suspect being any the wiser. We will then present a report that either confirms or disproves your suspicions. If evidence is found, you can take this to your lawyer and then approach your staff member. Your staff member will more than likely admit guilt.

Once again, if this is an office with a shared computer, the investigation may end up with holes in it. The employee may come up with excuses such as “Bob knew my password and uses my account.” If it is detailed in the IT Security policy that users cannot share accounts and passwords, and that legal action may otherwise be taken, you may have a backstop.

What can happen when multiple users share the same PC with the same username?

  • Internet investigation becomes more difficult
  • Issues with shared email – who sent the email?
  • Time and date issues
  • File overwriting and evidence spoilage
  • Hard to track down misappropriation
  • Internet usage hard to track
  • Pornography viewing hard to pin on a suspect
  • Makes intercepting private communications easier
  • Proving intrusion and invasion of privacy may be harder
  • Issues with private emails being sent to employees

As can be seen, the entanglements and issues that come from shared computers and usernames make it worthwhile re-thinking both your internal policies and procedures.

Thank you,

Digital Investigations
http://www.digitalinvestigations.co.nz

Tuesday, October 17, 2006

JDE PeopleSoft Oracle PUBLIC Security

Having just performed a security audit for an ERP installation, it is obvious that the back end security on a JD Edwards ERP (PeopleSoft/Oracle) is lacking. JD Edwards assumes it is the be-all and end-all of security in its own little ERP world. It assumes incorrectly. When JDE uses Oracle as a backend, for every table that is created, JDE creates a set of back end rights on the Oracle database that grants select, insert, update, delete, etc. on that schema and object to the Oracle user PUBLIC. This is supposed to give JDE free rein over the database. It is an issue.

From: http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

"Revoke privileges on the more powerful database packages from the database server user group PUBLIC. PUBLIC acts as a default role granted to every user in an Oracle database. Any authenticated database user can exercise privileges that are granted to PUBLIC. "

"For applications that need these packages, create roles with privilege on the particular packages needed and assign those roles only to applications that specifically need to use them. Oracle intends to revoke such privileges from PUBLIC in subsequent releases. Grant a role to users only if they "

If I were to create a user called BOB as a back end database user and I only wanted BOB to have access to the Fxxx table, and granted CREATE SESSION plus the SELECT right on the Fxxx table, this user would also have access to all of the other tables through the inheritance of the Oracle PUBLIC rights. This is not a database issue; it is the way that JDE assigns the rights. Why not have a role created called PSFT_ROLE and have all of the rights granted to this role, rather than to PUBLIC? The users that need the rights have the role granted to them, and the ones that don't have restricted access.

The other users who have the role granted to them never get their password, so they cannot log on. This is known to Oracle, so why is it not fixed even in the latest JDE versions? Consider an environment where you want a back end user to have ODBC access for Crystal Reports or some other such activity. This user is restricted to their three tables, but with the PUBLIC nonsense JDE insists on doing, they now have full access to the payroll and other critical tables.

In an environment that may be regulated by Sarbanes-Oxley, how can such a product claim to be SoX compliant? There is a way around it, which is revoking all of these rights and assigning them to a new role, but that has to be done after every new object has been created, as each new object will have rights granted to the Oracle PUBLIC user (not to be confused with JDE's *PUBLIC, which has a similar function).

Oracle's support site Metalink advises that tinkering with the PUBLIC rights is not a good thing. Come on PeopleSoft/JDE/Oracle, sort this one out.
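As an added example (not code from the original post, and not tooling from JDE or Oracle), here is a Python script that turns a listing of what PUBLIC holds on the application schemas into the role-based replacement described above: a REVOKE from PUBLIC and a matching GRANT to PSFT_ROLE for every application object, which has to be re-run whenever a new object appears. The query, the schema names PRODDTA and PRODCTL, the F-prefixed table names and the sample result set are all constructed for this example. Rows for schemas that are not the application's are deliberately skipped, because those are the Oracle-supplied PUBLIC privileges Metalink warns against touching.

```python
"""Generate role-based replacements for the PUBLIC grants an ERP creates on its tables."""
import re

# Data-dictionary query an auditor runs to see what PUBLIC holds on the application
# schemas. The schema names are constructed for this example.
LIST_PUBLIC_GRANTS_SQL = """
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner IN ('PRODDTA', 'PRODCTL')
 ORDER BY owner, table_name, privilege
"""

# Constructed sample of what that query might return: (owner, table_name, privilege).
# The SYS.DUAL row stands in for Oracle's own PUBLIC grants, which must be left alone.
SAMPLE_PUBLIC_GRANTS = [
    ("PRODDTA", "F0101", "SELECT"),
    ("PRODDTA", "F0101", "INSERT"),
    ("PRODDTA", "F0101", "UPDATE"),
    ("PRODDTA", "F0101", "DELETE"),
    ("PRODDTA", "F06116", "SELECT"),
    ("PRODDTA", "F06116", "UPDATE"),
    ("SYS", "DUAL", "SELECT"),
]

APP_SCHEMAS = {"PRODDTA", "PRODCTL"}
_IDENT = re.compile(r"^[A-Z][A-Z0-9_$#]*$")


def _q(name):
    """Quote an identifier, refusing anything that is not a plain Oracle name so an odd
    value in the dictionary cannot smuggle extra text into the generated SQL."""
    if not _IDENT.match(name):
        raise ValueError(f"unexpected identifier: {name!r}")
    return f'"{name}"'


def remediation_statements(grants, app_schemas=APP_SCHEMAS, role="PSFT_ROLE", create_role=True):
    """For each application object PUBLIC has privileges on, emit a REVOKE ... FROM PUBLIC
    and the matching GRANT ... TO role. Other schemas are skipped on purpose."""
    per_object = {}
    for owner, table, priv in grants:
        if owner not in app_schemas:
            continue
        per_object.setdefault((owner, table), set()).add(priv)
    stmts = [f"CREATE ROLE {_q(role)}"] if create_role else []
    for (owner, table), privs in sorted(per_object.items()):
        priv_list = ", ".join(sorted(privs))
        target = f"{_q(owner)}.{_q(table)}"
        stmts.append(f"REVOKE {priv_list} ON {target} FROM PUBLIC")
        stmts.append(f"GRANT {priv_list} ON {target} TO {_q(role)}")
    return stmts


def application_user_grants(user, role="PSFT_ROLE"):
    """The application's own database user receives the whole role."""
    return [f"GRANT CREATE SESSION TO {_q(user)}", f"GRANT {_q(role)} TO {_q(user)}"]


def reporting_user_grants(user, tables):
    """A restricted ODBC/reporting user gets CREATE SESSION plus SELECT on the named
    tables only. Once the PUBLIC grants are gone, that really is all it can see."""
    stmts = [f"GRANT CREATE SESSION TO {_q(user)}"]
    for owner, table in tables:
        stmts.append(f"GRANT SELECT ON {_q(owner)}.{_q(table)} TO {_q(user)}")
    return stmts


if __name__ == "__main__":
    # Print a script that could be reviewed and then run after each new object is created.
    for stmt in remediation_statements(SAMPLE_PUBLIC_GRANTS):
        print(stmt + ";")
    for stmt in reporting_user_grants("BOB", [("PRODDTA", "F0101")]):
        print(stmt + ";")
```

Run it with `create_role=False` on every pass after the first, since the role only needs creating once; the REVOKE/GRANT pairs are safe to repeat.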

Thank you, Digital Investigations


Tuesday, October 10, 2006

Microsoft Word Meta Data

For a little note on Revision Count under Microsoft Word, please check out:

http://digitalinvestigations.co.nz/forensics/content/view/82/78/

Sunday, September 17, 2006

Evidence Contamination

For a small piece on Evidence Contamination, please check out:

http://digitalinvestigations.co.nz/forensics/content/view/81/78/

Monday, September 11, 2006

Secure USB

Kingston have released their USB traveller:

http://www.kingston.com/press/2006/flash/03a.asp

This will perform on-the-fly 128-bit AES encryption and does not require any additional software. There is a sophisticated password scheme and it can perform lockout. This is great for travellers who carry confidential information and may do an absent-minded professor and leave their USB key on an airplane somewhere.

Staff Interviewing

For information on staff interviewing, check out:

http://digitalinvestigations.co.nz/forensics/content/view/79/91/

New Look Site

Hi,

For our new look web site, please check out:

www.digitalinvestigations.co.nz

The "Other" Person

In matrimonial cases computer investigations go a long way towards identifying the other person. In past cases we have identified pictures, rendezvous times, flight schedules, names and addresses of mistresses, etc. Computer investigations can help to time-line activities, such as when the affair likely started and how it progressed.

For more information on domestic work we get involved in, please check out:

http://digitalinvestigations.co.nz/forensics/content/view/78/90/

Thursday, September 07, 2006

Tracing Emails

I have seen a number of enquiries recently about tracing emails. The key piece of information you require is the email headers. Most clients I am aware of have a reveal or show full headers option that displays the path the email took to arrive at its destination. Without these headers, good luck......
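As an added example (not code from the original post), the Python script below reads the Received headers out of a raw message and lists the hops in the order the message actually travelled. Each relay prepends its own Received line, so the bottom header is the first hop and the top one is the last. The sample message, its hostnames and its addresses are constructed for this example. The one caveat worth building in: only the headers written by your own servers are trustworthy, so the script also picks out the hop at which the message first reached your domain, since the connecting address recorded there is the most reliable clue you have.

```python
"""Reconstruct the relay path of an email from its Received headers."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts and addresses are documentation values only.
SAMPLE_RAW = b"""Received: from mx-in.example.co.nz (mx-in.example.co.nz [203.0.113.10])
\tby mail.example.co.nz with ESMTP id 1GKx2; Thu, 7 Sep 2006 09:12:44 +1200
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx-in.example.co.nz with ESMTP id 9Ab3c; Thu, 7 Sep 2006 09:12:40 +1200
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.net with SMTP; Wed, 6 Sep 2006 21:12:30 +0000
From: sender@example.net
To: recipient@example.co.nz
Subject: test message
Message-ID: <id-1@example.net>

body text
"""

# "from <claimed host> (<reverse lookup> [<ip>]) by <receiving host> ..."
_HOP = re.compile(r"from\s+(?P<src>\S+)(?P<detail>\s+\([^)]*\))?\s+by\s+(?P<by>\S+)", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_path(raw):
    """Return the hops in chronological order (first relay first)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value).strip()   # unfold the header
        m = _HOP.search(text)
        if not m:
            continue   # malformed or non-standard Received line; keep going
        # The connecting IP sits in the 'from ... by' part; the bit after the
        # last ';' is the timestamp the receiving server wrote.
        ip = _IP.search(text[:m.end()])
        when = None
        if ";" in text:
            try:
                when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({
            "from": m.group("src"),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "when": when,
        })
    hops.reverse()   # headers are prepended at each relay, so last header = first hop
    return hops


def handoff_to_us(hops, our_domain):
    """The hop at which the message first reached a server in our_domain.

    Everything written by our own servers (this hop and later) can be trusted;
    earlier lines were supplied by outside systems and may be inaccurate."""
    suffix = our_domain.lower()
    for hop in hops:
        if hop["by"].lower().endswith(suffix):
            return hop
    return None


if __name__ == "__main__":
    for i, hop in enumerate(relay_path(SAMPLE_RAW), 1):
        print(f"{i}. {hop['from']} ({hop['from_ip']}) -> {hop['by']} at {hop['when']}")
    print("handed to us by:", handoff_to_us(relay_path(SAMPLE_RAW), "example.co.nz"))
```

Point the script at a message saved with full headers (`.eml`) and read the hops from the bottom up; the address at the hand-off hop is what your own mail server saw on the wire.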

Digital Investigations

Wednesday, August 16, 2006

Email Importance

More and more importance is being placed on email for both personal and business transactions, and now courts have ruled that email correspondence may amount to a written contract. We received a call the other day from a person asking for some help to retrieve an email that he suspected was on their child's computer, sent by the estranged mother, and it held some information relating to a custody battle. Without giving too much away, the importance here is on email. If you are going through any proceedings then we suggest that you back the computer up regularly, especially if you suspect anyone is trying to tamper with your machine. Make this a full image and burn the image onto DVD so that the computer can be fully restored. If you are backing items up, make sure your email is in the backup. To be ultra-careful, print out any emails that you are going to rely on later and keep them safe, maybe off site.

An email is a very small piece of data, sometimes 1K, often more. A 1K email can get "lost" very quickly once deleted.

Take care,
Digital Investigations

Image Analyzer

Mail Marshall Software has a new module for its web and mail marshall products that scans for pornographic images. It is supposed to recognize facial features and curvatures of bodies, etc. There have not been any technical details of the hows and wherefores as to how this module works, and talking with the company, I have found that the software is in its infancy, which is no reason in itself not to test this module out for yourself. I think there are 30 day trials of the module. The module itself does not detect steg images and I am a little unsure as to how it would detect certain pornographic images, but it is in its infancy. Credit to the boys there for getting something out there on the market.

For more information, check out:

http://www.marshal.com/pages/newsitem.asp?article=10&section=news

"How does it work?
The technology utilises a number of proprietary algorithmic based modules to analyse images. Initially the engine eliminates features in the image based upon colour; removing areas of colour which the software understands cannot be associated with skin. This engine allows for regional skin colour variations such as Afro Caribbean, Asian etc. A further module then enhances areas of interest within the image and using edge, curvature and body size algorithms produces a probability output as to whether the image is potentially pornographic."

See the links below for some more information. I have never tested this, and since many pornography investigations require viewing thumbnails, I am wondering whether this tool will be handy or not. Hash sets would be quicker, but change one bit in a picture and the hash signature for that file changes.

http://www.image-analyzer.com/technology/index.php

http://www.image-analyzer.com/technology/test_results.php

The Informant

You may wish to check out John Dierckx's site at www.dierckx.co.nz. John has just launched an email newsletter called The Informant. John is a little like me when it comes to Desktop Publishing and he has had his little snags, but that is not our forte. This newsletter will be a regular occurrence from John, so if you are interested, please check out his web site. John will provide information about frauds, scams, things to look out for, general thoughts and musings from working in the trench as a fraud investigator. I seriously recommend this newsletter. The content will only become richer and juicier. I will more than likely be contributing an article to the next one, so I'd better pull finger and come up with something.

What I like about John is that he wants to share with people obstacles he has come across and things that may help you or save you a few dollars. Knowledge is not a closely guarded secret to him and he is only too happy to share information with you, although he has to make a buck now and again (especially with number three on the way....), so if you need any fraud investigation work done, I can't think of anyone better in New Zealand.

Wednesday, July 26, 2006

Small Business Server Disaster Recovery

Microsoft Small Business Server is becoming more and more prevalent in New Zealand. Even though we at Digital Investigations are not SBS consultants, we are sometimes horrified at the slapdash manner in which this product is both installed and consulted on. By nature, SBS is an all-your-eggs-in-one-basket solution for the small business. This in itself harks back to the mainframe centralization days. Is this bad? Well, not if you have a good DR plan. And in most cases, NZ businesses do not.
A consultant installs SBS, next, next, next, sets up the backup and walks. Where is the reinstatement plan? Has a GHOST image been taken? If so, has a test restore been actioned? Many small companies are dependent on SBS for their day-to-day operations such as email, and one mistake in the Active Directory area or ISA could see this server locked up to a point that is beyond use. I have seen companies struggle for a couple of days to restore a small business server.
Start thinking in terms of what is important to you. If you are storing Word documents, then back these up and test restore. If email is not important to you, then your key concern may just be getting access to the Word documents. If this is the case then you need to consider the media that this data is backed up onto and whether it can be restored elsewhere in your organization. For example, is it backed up by Veritas Backup Exec? Will it require Backup Exec to restore the data?
How often will you be running the test restores? Once a month? Will you be performing it yourself or do you require a 3rd party?
Get the work double checked. If you are not certain of a consultant's work, it may be good to have a 3rd party come in and audit your DR requirements and make sure that this consultant has met them. Below is an example of a small plan (Source: Microsoft) for Small Business Server.
  • A written statement of how long you expect recovery will take and how much data (defined in days or weeks) you can afford to lose.
  • Current full and incremental data backups.
  • A current full system backup, including the Registry.
  • A complete checklist of all the hardware you are using (both clients and servers).
  • A list of the software versions and service packs you are using.
  • Centrally stored and easily accessible copies of software, service packs, and device drivers.
  • A plan to regularly check event logs to prevent potential problems.
  • Review any plans more than two years old for accuracy and completeness.

Good luck,
Digital Investigations

    Tuesday, July 25, 2006

    Spam Spam Spam Spam....

    Spamfighter now filters images, based on their "unique" DNA analysis of an image that provides an ID of the image. Read the below:
    http://www.spamfighter.com/News_Read_Spamfighter.asp?UID=47

    It is interesting how marketing departments can spin things. I would bet this is just a simple checksum such as MD5. I could do the same thing with an MD5 checksum on an image and create a unique fingerprint. Take an image and MD5sum it using a tool such as md5sum or md5sum.exe for Windows and note the hash. Open the file with PAINT or similar and save it. Check to see that the hash is the same. Open the picture again, create a simple dot with the paint tool and save. Note how the checksum differs. Spammers would probably be able to get around this technology by changing the color palette or adding a dot every now and again to the photo; the checksum would be different, and unless a user marks this as SPAM the image would filter on through.
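The point made here, and the same one made in the Image Analyzer post above about hash sets, can be shown on a constructed image. The following is an added example, not code from the original post and not a description of how Spamfighter's product works: it hashes a small greyscale image with MD5, adds the "dot" from the paragraph above, and shows that the MD5 value changes while a simple perceptual fingerprint (an 8x8 average hash, one technique a filter vendor might plausibly use instead of a checksum) does not. The 16x16 image and the pixel values are made up for the demonstration.

```python
"""Exact checksum versus a perceptual hash when one pixel of an image changes."""
import hashlib

W, H = 16, 16   # constructed 16x16 8-bit greyscale image
GRID = 8        # average hash works on an 8x8 downsample: a 64-bit fingerprint


def make_image():
    """Dark left half (40), bright right half (200): a stand-in for a real picture."""
    return bytearray(40 if x < W // 2 else 200 for _y in range(H) for x in range(W))


def add_dot(pixels, x, y, value=255):
    """Return a copy with a single pixel changed, the 'dot in PAINT' from the post."""
    out = bytearray(pixels)
    out[y * W + x] = value
    return out


def md5_fingerprint(pixels):
    """Exact fingerprint: any change to any byte gives a completely different value."""
    return hashlib.md5(bytes(pixels)).hexdigest()


def average_hash(pixels):
    """Perceptual fingerprint: average each block of the GRIDxGRID downsample, then
    emit one bit per block saying whether it is brighter than the overall mean.
    A single changed pixel shifts one block average slightly and rarely flips a bit."""
    bw, bh = W // GRID, H // GRID
    cells = []
    for gy in range(GRID):
        for gx in range(GRID):
            total = sum(pixels[y * W + x]
                        for y in range(gy * bh, (gy + 1) * bh)
                        for x in range(gx * bw, (gx + 1) * bw))
            cells.append(total / (bw * bh))
    mean = sum(cells) / len(cells)
    return "".join("1" if c > mean else "0" for c in cells)


def hamming(a, b):
    """Number of differing bits; a filter treats small distances as 'same image'."""
    return sum(x != y for x, y in zip(a, b))


def compare(x=3, y=3):
    """Hash the constructed image before and after adding a dot at (x, y)."""
    original = make_image()
    dotted = add_dot(original, x, y)
    return {
        "md5_changed": md5_fingerprint(original) != md5_fingerprint(dotted),
        "ahash_distance": hamming(average_hash(original), average_hash(dotted)),
    }


if __name__ == "__main__":
    print(compare())
```

The same contrast applies to hash sets in forensic tools: an MD5 set finds only byte-identical files, so a resaved or lightly edited copy needs a perceptual comparison to be matched.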

    Digital Investigations

    3ZB Radio Interview

    John Dierckx (http://www.dierckx.co.nz) was interviewed by John Dunne on Radio 3zB this morning at 7:40am (yawn!) about fake job postings on the net and what can be obtained from them. My comment would be that it is simple to pay $150 to post a job advert, or even post a free one, with a fake email address. People submit their resumes. It is amazing what you can find out about someone with just their phone number and last name, but consider the information you may impart on a resume.

    • Date of Birth
    • Location of Birth
    • Marital Status
    • Social Security Number
    • Hobbies
    • Job History
    • Education Details
    • Ad infin...

    All this can lead to Identity Theft. See both Digital Investigations (http://www.digitalinvestigations.co.nz) and Dierckx and Associates for information on how to prevent identity theft. If you think you have had your identity stolen, then practice some common sense and cancel your credit cards, all passwords, bank cards and account information to name a few.

    Digital Investigations

    Tuesday, June 06, 2006

    FTK to be based around Oracle 10g

    Access Data announced that the next generation of FTK, i.e. FTK 2.0, will be based around Oracle 10g. This will be a major improvement over the heinous back end that is slow and chunky. Perhaps we will be allowed back end access to the database and be able to better optimize the Oracle instance to suit the workstations we are running the forensic platform on. Will we have the ability to cache heavily hit tables? Create our own indexes? Will this be a more open platform, giving us access to the back end data to create our own reports using standard SQL or a basic report writer (something I have not tried on the existing platform)?
    Depending on how things are set up, it may even allow Oracle to run on a separate server via Oracle's TNS SQL*NET connectivity. Chances are that they may be using the Oracle Personal Edition, which is a free download from Oracle's web site.

    Currently the personal edition has limitations such as 4GB database size and an allowance for 1GB of memory, but who knows what the restrictions will be or how Access Data have licensed the product. 1GB of memory is okay, but I would be a little concerned if the database size was fixed at 4GB.

    A simple product comparison between the different versions of Oracle 10g can be found Here

    Thursday, May 18, 2006

    Pirated Music for Music On Hold

    You'll be surprised at the number of companies who are running pirated CDs for their Music on Hold Server. Whether you are getting your files from MP3, CD, DVD or USB Flash, you may be violating copyright. You may be violating copyright just by broadcasting them over your phone system. You may want to check this out.

    Thank you,
    Digital Investigations

    Tuesday, May 16, 2006

    Archiving Old Data

    I have mentioned data security in the past, but along with data security and backups, data retention and archiving should be considered. Due to various legal constraints, companies are mandated to keep x number of years of data. How are you keeping this data and how are you storing it? Are you backing it up onto a 4mm DAT tape with a free Windows backup tool that will be obsolete in a number of years? When you are taking your data off site you need to consider a number of different factors, which are not limited to, but include:

    • How long does the data need to stay off site for?
    • Will there ever be the need to restore data?
    • What technologies are you using to back up the data?
    • Where is the data stored - in a secure vault or up in your attic?
    • Have test restores been performed?
    • Should multiple technologies be used for storing off site backups?
    • Consider the lifetime of the media that you are using; media can deteriorate.
    • What backup strategy will you be using? * See below

    Many companies retire media based on error rates, but when data is archived, retirement should be based on age rather than error rates. You may wish to consider having a report that brings tapes back from off site each year and duplicates them, so you are storing not only the original but a duplicate of the original, all off site. It would be prudent at this time to also run through a trial restore of the data you are bringing in from off site; otherwise how do you know you are not just duplicating rubbish?

    You have to be careful to track which media is coming and going and if things begin to get too complicated then maybe you should be looking at a Vaulting set up.

    With regard to the backup strategy, the Meta Group Study, 2001, for the DLTtape platform indicates that 68% of all backups are full backups, whilst 18% are archives.

    Digital Investigations

    Saturday, May 06, 2006

    SPAM Filtering

    A quick question. Would you consider filtering all emails coming into your company whose source email address contained a number, for example Humphrey_Jangles240@hotmail.com? Think about how many legitimate companies have email addresses with numbers in them. Probably not too many. There could be an occasion where a large company has two Joe Bloggs. I know of one company that blocks all incoming emails from @hotmail.com, @yahoo.com and @msn.com, as their thinking is that anyone worth dealing with will have a corporate email address. This philosophy probably would not fit everyone, especially smaller companies, but food for thought....

    Thank you,
    Digital Investigations

    Friday, May 05, 2006

    White Collar Crime & Forensics

    I have just been reading the blog of John Dierckx, an associate of mine. On his blog, nzpi.blogspot.com, John talks about white collar crime and delves into the social aspect, especially in New Zealand. I would like to take what John has written and talk a little about the technical aspect, in this case the Computer Forensics that can be used to help combat white collar crime.

    Examples of white collar crime may be as follows:

    • Computer Crime
    • Embezzlement
    • Medical Crimes
    • Price Fixing
    • Data Leakage
    • Corporate Espionage
    • Real Estate Fraud
    • Bank Fraud
    • Blackmail
    • Bribery
    • Cell Phone Fraud
    • Counterfeiting
    • Credit Card Fraud
    • Point of Sale Fraud
    • HealthCare Fraud
    • Insider Trading
    • Investment
    • Kickback Schemes
    • Pyramid & Multi-Level Marketing
    • Tax Fraud
    • Weights and Measures - e.g. skimming

    In America companies are governed by the Sarbanes-Oxley act, in an effort to prevent fraud within the company and directors producing fraudulent end of year financial reports, etc. To prevent fraud at this level, controls need to be enforced at the IT level, or in SoX's case, under Section 404 of the act. SoX does not really tell you how to enforce your controls, but makes sure that you have adequate controls in place to prevent tampering with corporate data. Some of this is pure common sense, but you know what they say about common sense these days: it is not that common. Think about the basics like password length and rotation, log monitoring, etc. SoX also seeks to ensure what is called Segregation of Duties, whereby one administrator doesn't do or have access to everything. In New Zealand, a company of three hundred people may have a team of two administrators, and enforcing such segregation is difficult if not impossible.

    Computer Forensics can come into play when deals are being made or a large sale has been closed. Companies such as Digital Investigations and Dierckx and Associates can be brought in to help check to make sure that there have been no irregularities as part of that sale. For example, we may check email history to make sure that no emails have been sent to and from the competitor prior to the sale.

    Now, if you think at the smaller company level, you may wish to have your MYOB files looked over by a third party to make sure all of the checks and balances are in place. Even if you do not suspect any wrongdoing, it is better to learn sooner rather than later whether your books are in line. White collar crime does not have to be a big Enron-style corporation. Let us use a couple of examples. Take Weights and Measures fraud, or skimming. Consider an owner who suspects a gas station manager of setting the pumps so that on the occasional day they short change the customer by stopping five cents short of the keyed-in amount. How many people will complain? Probably a few. The manager dismisses it as a dodgy pump, but at a busy gas station the manager may pocket $150-$300 per day on this scheme.

    Forensic & Fraud investigators can help unravel and lead you to the source of your fraud. A quick audit of a PC may bring up evidence concerning:

    • Credit Card Information

    • Correspondence

    • Dates and Times of activities

    • Intention

    • Recovered Files

    • Hidden Information

    Part of the job of preventing white collar crime is having controls in place. If you are concerned about business fraud within New Zealand, I would suggest you contact John Dierckx, a specialist fraud investigator. John can be found at www.dierckx.co.nz. Many times on investigations I, as a Computer Forensics Investigator, work hand in hand with people such as John, as the fraud investigator may find the need for a specialist company to help prove and give evidence for their theories.

    Thank you,

    Digital Investigations


    Wednesday, May 03, 2006

    Discovering Pornography in the Workplace

    If you come across pornography on a computer in the workplace, there are some steps that should be taken. I am going to brush reporting lines within a company under the mat here and assume that you are responsible for the PCs in the office environment. This is also biased towards New Zealand law, but hopefully my overseas readers will get something from this.
    If the computer contains child-related images or bestiality, then this should be reported immediately to the Department of Internal Affairs (www.dia.govt.nz), more specifically to the Censorship department. If you are in the South Island, then there is a Southern Regional office based in Christchurch.
    The DIA does not concern itself with pornography that can be purchased over the counter, but such material may still violate your corporate policy and therefore become a dismissal offence. One has to establish whether this was a deliberate offence, or just the one-off picture that everyone gets sent now and again by friends who think something may be hilarious. The key here may be not to alert the employee, and to action a covert scan of the computer so that analysis can be done away from the suspect. Do not image this PC yourself, as the image needs to be forensically sound in order to have a leg to stand on.

    Care should be taken when getting information from your lawyer, as a lot of lawyers within New Zealand do not understand the e-Discovery process. Copying files yourself may contaminate evidence, and in the case of child pornography you may yourself be committing an offence by making copies of said pictures for possible distribution. As mentioned by John Dierckx in his blog nzpi.blogspot.com, New Zealand employment law can be a "legal minefield". We at Digital Investigations will work hand in hand with your legal team to provide you first with a legitimate image of the computer and secondly with a thorough forensic analysis and report on the findings. We are also an impartial party, so we hope to prove innocence as much as we do guilt. It may be wise, while reading this, to bring the matter up with your I.T. Manager and ask them the question, "What would you do if pornography was reported on one of our workplace computers?" and see what their response is. I have asked a few lawyers what they would do in this situation and they said, "Make a copy of the hard drive".

    We at Digital Investigations do not profess to be experts in the legal matters of New Zealand Employment Law, but we can help you step through and address the process from a technical standpoint to make sure that you have the evidence you need, when you need it.

    Thank you,

    Digital Investigations

    Backup Reviews

    Maybe it is time to review your backup system, especially if it has been set up by a third party. I have seen on many occasions where third parties have set up backup schemes in which the backup device was incorrect, or the file systems or data files you thought were being backed up were not. One of the classics is to assume that a database can be backed up online with a regular file system backup agent. In most cases....WRONG! The fact that you are getting backups and your backup server is reporting a good backup does not mean anything until you prove that you can restore the backups in question. Reinstatement tests are invaluable and should be performed regularly. Don't put your faith in your system's verification function, or in the fact that you can verify your tar archive. I have seen this before, where a company relied on a tar backup and verified it using the old "tvf" option. All this does is read the file listing off the tape. It in no way should be relied upon as a verification. More and more companies are under pressure to keep data, so you need to make sure that your tape rotation cycles are correct for offsite storage. If you are under Sarbanes-Oxley, then you may be under pressure to perform regular test restores.

    It is also suggested that if you are going to put your equipment under a Service Level Agreement (SLA), then you should add it as a condition of the SLA that your third party performs regular restoration tests, and make sure that they are signed off at the end of the month or whenever they are performed. Restorations every six months may not be an option, as six months between tests is a long time to take to realize that you are not backing up data properly.

    Restoration tests will allow you to prove that your data can be returned. Digital Investigations can help you with your audits.
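    To show exactly why a "tvf" listing is not a restore test, here is an added example (my own demonstration code, not anything from the original post or from a backup vendor). It builds a tiny constructed archive, damages one byte of file content so that every tar header and header checksum stays valid, and then compares what a listing reports against what a real reinstatement test reports. The file names and contents are constructed for the demo.

```python
"""Reinstatement test versus archive listing (added example, not from the
original post). Builds a small constructed archive, silently damages one
data byte, and shows that listing the members (what "tar tvf" does) still
succeeds while only a real restore with a byte-for-byte comparison fails.
File names and contents are constructed for the demo."""
import hashlib
import os
import tarfile
import tempfile


def make_archive(work):
    """Create two constructed data files under work/src and archive them
    in plain ustar format (no extended headers, so offsets stay simple)."""
    src = os.path.join(work, "src")
    os.makedirs(src, exist_ok=True)
    with open(os.path.join(src, "ledger.dat"), "wb") as f:
        f.write(b"A" * 100)
    with open(os.path.join(src, "payroll.dat"), "wb") as f:
        f.write(b"B" * 100)
    path = os.path.join(work, "backup.tar")
    with tarfile.open(path, "w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(os.listdir(src)):
            tar.add(os.path.join(src, name), arcname=name)
    return path


def corrupt_archive(path):
    """Overwrite one byte inside the first member's data block. Every header
    (and header checksum) stays intact; only file content is damaged."""
    with tarfile.open(path, "r") as tar:
        first = tar.getmembers()[0]
        target = first.offset_data + 8    # 8 bytes into the file content
    with open(path, "r+b") as f:
        f.seek(target)
        f.write(b"\x00")


def listing_check(path):
    """The "tar tvf" equivalent: read the headers and list the members.
    True means the listing succeeded, which says nothing about content."""
    try:
        with tarfile.open(path, "r") as tar:
            return len(tar.getmembers()) > 0
    except tarfile.TarError:
        return False


def _sha256(p):
    with open(p, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def restore_check(path, src):
    """A real reinstatement test: extract into a fresh directory and compare
    every restored file's SHA-256 against the original."""
    with tempfile.TemporaryDirectory() as restore:
        with tarfile.open(path, "r") as tar:
            if hasattr(tarfile, "data_filter"):    # extraction filter on newer Pythons
                tar.extractall(restore, filter="data")
            else:
                tar.extractall(restore)
        for name in os.listdir(src):
            if _sha256(os.path.join(src, name)) != _sha256(os.path.join(restore, name)):
                return False
    return True


def demo():
    """Run the whole sequence in a scratch directory and return
    (listing ok, restore ok) before and after the damage."""
    with tempfile.TemporaryDirectory() as work:
        path = make_archive(work)
        src = os.path.join(work, "src")
        before = (listing_check(path), restore_check(path, src))
        corrupt_archive(path)
        after = (listing_check(path), restore_check(path, src))
    return before + after


if __name__ == "__main__":
    print(demo())    # (True, True, True, False)
```

    The listing passes both before and after the damage; only the restore with a hash comparison catches it. That is the check to write into the SLA: extract to scratch space and compare hashes against the source, not just list the tape.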

    Tuesday, May 02, 2006

    Body Language

    On something completely different, when interviewing suspects or people, taking into account their body language is paramount. What made me blog about this? Well, I've been working in this office that overlooks a car sales yard and I have had a prime view of the site. It is very interesting to watch the sales person's body dynamics as opposed to the customers'. Nine out of ten of the customers either have their arms folded or hands in their pockets. It is interesting to see the sales person close in and the customers back off. Should you end up interviewing people, I would seriously suggest you take a course in body language, as I have, or read up on anything by Allan Pease. You may want to check out www.peaseinternational.com

    Company Bandwidth revisited

    I have mentioned Company Bandwidth misuse previously. John Dierckx mentions this on his blog too. Check it out at nzpi.blogspot.com

    Monday, April 24, 2006

    All Rise

    It really bugs me how TV represents computer forensics. I have mentioned the CSI mentality previously. I was watching a program in which a judge had pornography planted on his computer, so they hired some "geek" who copied everything apart from the said pornography onto a new hard drive. Okay, apart from the fact that he did it in five minutes (he obviously was not using a USB connection), he introduced some other errors. Now, without going into detail, this really bugs me. I know it would be the same for a commercial airline pilot watching Air Force One and ripping holes in the fact that the pilot's landing procedure was all astray.

    Thursday, April 20, 2006

    Everyone has something to hide except me and my monkey.

    After talking with a PC rental company, I asked just off the cuff how they image their machines. The crux of it was that they basically took the machine in and ghosted a Windows image over the top. This can be a bit of a problem, for example when you are putting a ghost of an 80GB drive over one that had just been ghosted with a 120GB image. There WILL be artifacts and items left in unallocated space. I have mentioned before that these devices need to be securely wiped and not just formatted or fdisked.

    Consider a rental company who rents to Company B after just having the PC returned from Company A. A Company B employee comes across some illegal items on the computer. This now becomes a finger-pointing exercise, and a tough one at that. The rental company's practice will definitely be put into question. I would suggest that rental companies do their job and in most cases do it extremely well, especially the ones I have dealt with, but if you do not wish to rely on them destroying data, then you, as Company A, should securely wipe all of the data BEFORE your PC gets returned to the rental agency. This is not a complicated task; it is fairly automated and requires kicking off a process, walking away and then checking on it when it is complete. An average wipe may take around the one hour mark, depending on the size of the drive.

    I'll leave you to think of the type of information you could be passing on to someone who may be your competitor. Take the time to Google the studies of information that has been found on hard drives that have been trashed, auctioned, abandoned, etc. In some cases there was identifiable patient health information and credit card names and numbers.
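    As an added illustration (my own demonstration code, not from the original post or from any imaging product), here is the residue problem described above, together with the check you would run before handing a machine back. A bytes object stands in for the block device and the sizes are constructed and tiny so that it runs instantly; the scan itself is the same one you would run over the raw device after a wipe.

```python
"""Added example (not from the original post): checking a drive for residue
beyond the region an image actually overwrote. A bytes object stands in
for the block device; sizes are constructed and tiny so the demo runs
instantly, but the check is the same one you would run over the raw device."""

BLOCK = 512


def residue_blocks(device, used_bytes, block=BLOCK):
    """Block numbers beyond used_bytes that still hold non-zero data, i.e.
    content a smaller image left behind in unallocated space."""
    found = []
    first = (used_bytes + block - 1) // block
    last = (len(device) + block - 1) // block
    for n in range(first, last):
        if any(device[n * block:(n + 1) * block]):
            found.append(n)
    return found


def overwrite_with_image(device, image):
    """Simulate ghosting an image onto a drive: only the first len(image)
    bytes change, everything past the image end is untouched."""
    return image + device[len(image):]


def secure_wipe(device):
    """Simulate a whole-device overwrite. A real wipe tool does this for
    every sector, not just the partitioned area; one zero pass is shown."""
    return bytes(len(device))


def demo():
    """Old 120-block drive full of Company A data, then an 80-block image
    ghosted on top (the case in the post), then a wipe before re-imaging.
    Returns the residue block lists after each step."""
    old_data = bytes([0x41]) * (120 * BLOCK)      # constructed "Company A" content
    fresh_image = bytes([0x42]) * (80 * BLOCK)    # constructed 80-block image
    ghosted = overwrite_with_image(old_data, fresh_image)
    after_ghost = residue_blocks(ghosted, len(fresh_image))
    reimaged = overwrite_with_image(secure_wipe(ghosted), fresh_image)
    after_wipe = residue_blocks(reimaged, len(fresh_image))
    return after_ghost, after_wipe


if __name__ == "__main__":
    ghost, wiped = demo()
    print(len(ghost), "residue blocks after ghosting,", len(wiped), "after wipe")
```

    Forty of the 120 blocks still carry the old content after the smaller image goes on, and none do once the device has been wiped first. On real hardware, run the scan over the whole device, not the partition, and keep the output as your record that the wipe happened.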

    Thank you,
    Digital Investigations

    Sunday, April 16, 2006

    Webmail Artifacts

    I was working a trust fund case and following the trail of a dubious husband by looking through some deleted Microsoft Outlook emails. He then told the person he was having an online affair with that he was going to switch to Webmail, as it would hide his tracks. This is true. Webmail will hide your tracks from the average user, even probably the most keen observer, but from a Computer Forensics Investigator, not really. Webmail artifacts, or traces, can reside in the browser cache and provide interesting views into the suspect's email composition history and inbox activity. It is quite remarkable the timeline that can be reconstructed from simple fragments.

    The problem is that these artifacts may be short-lived due to their size, and may even fit inside the MFT, again due to their small size. If you suspect suspicious webmail activity, then it is suggested that you work quickly and call in an investigator before there is too much file activity that may blow holes in the data you wish to get back. The other issue is that if the suspect clears the browser cache, then the fragments go into unallocated space, and this makes timelining the activity harder. Webmail may be kind enough to leave times and dates within the fragment.

    Digital Investigations

    Friday, April 14, 2006

    Using Company Bandwidth

    For some initial thoughts on how company bandwidth may be being used in ways it should not, please check out:

    http://digitalinvestigations.co.nz/forensics/content/view/76/85/

    As the weeks progress, I will be drilling down more into this subject and ways to both monitor and control flagrant utilization of corporate bandwidth on company time.

    Digital Investigations

    Wednesday, April 12, 2006

    Email Security

    If you are going to have an email security filter, then make sure it works. Tests should be run for false positives, and your IT administrators should be aware of and run regular tests of internal emails going out. One example is MailMarshal, which probably has the market share within New Zealand for email content filtering. Having had experience with this product, I can say it has its interesting points, but generally a lot of time and effort has gone into making it one of the better products (in this writer's opinion) on the market.

    Even if you have an all-singing, all-dancing product filtering your email, consider the fact that it may be doing the job too well. Ever wonder why you are not being paged any more? Quite possibly (a real case) your filtering software has just gone through an automatic update and is now marking critical mail as spam.

    Mail management can be a time-consuming task, with staff asking for items to be un-parked, new rules being added and, yes, the most important, regular monitoring. Email can be a real blessing, but as you know it can be used for evil. It is not unknown for an opportunist to send an email from a co-worker's unlocked workstation. Proving that the innocent employee didn't send this email becomes rather difficult, especially if the employee was only away from their desk for a few minutes. You may be able to tie in door swipe records to prove the employee was away from their desk, but like the majority of computer systems within New Zealand, clocks can be anywhere from one minute through to a day out of sync with each other. This makes life very difficult.

    For email offences, if there is no proper use policy, then how does the employee know that they are committing a wrongdoing? This then brings up the question of monitoring employees' email. Content filtering software will log the comings and goings of all emails in and out of the bastion. This is where New Zealand's Privacy Act comes in. Monitoring employee activities may be allowed should it fall into certain areas, and the company may be concerned with the disclosure of confidential information (or data leakage). If you are part of a company that is concerned about such leakage, then you may wish to sit down and define what information may constitute leakage and which destinations you may wish to block. For example, you may block all emails coming and going from @competitor.com. You may define information being leaked as anything going out of the company's email system that:

    • Is encrypted content

    • Contains in-house names for products in design

    • Contains sensitive launch dates

    Again, the company has to have an acceptable use policy on which to base its filtering rules.

    Digital Investigations

    Tuesday, April 11, 2006

    The Trojan Defence

    Moving away from Amway for the moment, the discovery of viruses or trojans on a computer in for investigation can pose a number of issues. The first is that the defence may use it in their favour, for example, "The pornography was downloaded by the virus or trojan." This may be ludicrous in the case where there are 50,000 pornographic images on a computer, but it needs to be covered off. It may also be a valid point if there are only ten child exploitation images that could have been downloaded by such nefarious code. So, when we discover a virus on a computer, we need to go through a number of steps to stop the defence shifting the blame off their client and onto someone or something else.

    We need to know the discovered nasty or nasties inside and out. How do they behave? What traces do they leave in the registry? Has the virus done what it set out to do?

    You'll be surprised at the number of people who spend $100 per year on Norton Antivirus only to not bother updating their signatures. Money well spent....not.

    Monday, April 10, 2006

    Amway

    I am surprised how Amway gets away with it. They now move from hassling your neighbours to hassling yourselves. Yes, their new model appears to be setting up your business as an Amway dealership and then YOU buy product off yourself. How the hell does this work? They promise get rich...what? If you have a budget of $400 per month for living expenses for example, and by buying Amway products, you save $50 per month over shopping retail, then yes you have reduced your cost of living, but in NO WAY are you going to get rich as their scheme still suggests.
    One may as well just shop wholesale.

    Amway is a name that has been around for years and they are working hard to get around the bad press about being a pyramid scheme, but from what I have gathered from those in the know, it is still a big fraud. Amway, like other pyramid schemes is doomed by nature to fail. Pyramid schemes assume that everyone will want their product and there is no taking into account market saturation. There are legitimate companies out there who hire high priced consultants to work out exactly what that saturation point is so that they are not left with three billion unsold widgets at the end of the season.

    I would like to point to a site of an associate of mine, John Dierckx. John is Managing Director of John Dierckx & Associates. John delves into great detail on subjects such as Multi Level Marketing and Pyramid Schemes (one and the same? One may ask...). Check out nzpi.blogspot.com

    A very interesting site is Steven Alan Hassan's Freedom of Mind Center, in which he lists cults in alphabetical order with plenty of links to other sites. The Amway one of interest is http://www.freedomofmind.com/resourcecenter/groups/a/amway/

    I draw your attention to the link on the above page which points to Masters of Deception, from which a PDF book can be downloaded free of charge:

    "A former high-level distributor reveals the alleged close ties of the multi-level marketing industry to the National Republican Party and directly to the current administration. Free downloadable book available on the site."

    What is this doing on a Computer Forensics blog? Well, if you are a disgruntled Amway distributor, check us out at Digital Investigations and we will give you a SIGNIFICANT break on our rate to show our support for your cause. What can we do? If you have old correspondence in emails or documents that you need to find traces of on your computer, then we can help. If looking for an out, then we would suggest that you at least take precautions and back up all sensitive files on your computer and store this backup in a safe place.

    If you are an employer and you have an employee that sells Amway on the side, this may turn the person into an all-consuming Amway seller who may even use your company resources such as email, phone and time to sell Amway products. If you suspect such activity, then call us and we can confirm or deny the suspicions you may have.

    Thank you,

    Kyle
    Digital Investigations

    Friday, April 07, 2006

    Forensic Work

    We at Digital Investigations often get phone calls and talk with other computer consultants who are interested in getting in on Forensics. You have to excel at what you do in the technical arena. Being able to install Windows and generally snoop about does not cut it. Again, contrary to the glamour side that CSI may present, here are the facts, Ma'am, and just the facts....

    • Very long hours.

    • Dealing with people on the edge, with sometimes no one to lean on other than you.

    • Extremely tight deadlines.

    • Hostile situations.

    • Unusual hours.

    • Sore eyes.

    • In the middle of divorces, custody battles, etc.

    • High running costs.

    Why do we do this? Because in most cases we can help make the difference....

    Monday, April 03, 2006

    Incident Response

    Companies can invest in firewalls such as Checkpoint(TM) or Cisco PIX(TM) which may alert when certain Intrusion Detection triggers get set off, but if they have not got the policies or incident support plans to act on these automatic alerts, then this devalues the investment.

    I was at a company the other day and it so happened that there was an incident that involved one of the remote management tools with which an administrator could take over a computer via remote control. The incident was that someone other than the administrator was controlling the computer. This caused concern and, dare I say, panic amongst the administrators. Not only did they not know what to do to quickly track down what may have been going on, but when the action stopped as mysteriously as it started, there was no autopsy to try to track down what may have happened. It was simply dismissed. I was not sure as to the thinking here, as if this was a hacker, then, well, they not only have access to the internal systems, but they can control PCs. Some training may have better equipped these staff. A simple "netstat -a" on a Windows PC may have quickly identified the first place to look for the culprit, but more effective would have been an incident response plan. Let's look at some of the things that could have been in an IR plan.

    • Password Changes

    • Log Reviews

    • Team Meeting

    • Firewall Analysis

    • Web Server Log Review

    • Patch Review

    • Lock Down All Remote Admin

    • Organize a 3rd Party penetration test.

    • Ad infin...

    All these are just simple ideas, but they are effective. It boils down to:

    • Incident Management

    • Containment & Mitigation

    • Reporting

    A forensic scan of the PC in question would have been seriously recommended. What files may have been deleted? Changed? Any new files added? What network connections are open? Any rootkits added? Any mismatched extensions or viruses added? These are just some of the questions a forensic audit could answer. The computer should have been locked down immediately. The other thought is that chances are this threat could have come from within the organization, and if this was the case then chances are that this person will try other things. Once the source has been tracked down, it would be advisable to lock down and image the suspect's computer and go from there.
    What if this person were planting "dirt" on a rival employee's computer? Maybe they could have planted pornographic images?
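    To make the "netstat -a" step concrete, here is an added example (my own demonstration code, not from the original post or from the company involved) that parses a constructed snapshot of Windows "netstat -an" output and pulls out the established sessions on the remote-control port that come from anywhere other than the authorised administrator workstations. The port number (5900) and the authorised host list are assumptions for the demo; substitute the port your own remote-management tool listens on.

```python
"""Added example (not from the original post): triage of "netstat -an"
output from a Windows PC suspected of being remote-controlled. The sample
output is constructed; the remote-management port (5900) and the list of
authorised administrator workstations are assumptions for the demo."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample, in the layout Windows "netstat -an" prints.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:5900          10.0.0.77:1187         ESTABLISHED
  TCP    10.0.0.5:5900          10.0.0.9:2213          ESTABLISHED
  TCP    10.0.0.5:139           10.0.0.12:1044         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

REMOTE_CONTROL_PORT = 5900             # assumed listening port of the admin tool
AUTHORISED_ADMIN_HOSTS = {"10.0.0.9"}  # assumed administrator workstations


def _split_endpoint(ep):
    """'10.0.0.5:5900' -> ('10.0.0.5', 5900); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -an lines into Conn records; headers and blanks are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = _split_endpoint(parts[1])
        rip, rport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else None   # UDP lines carry no state
        conns.append(Conn(parts[0], lip, lport, rip, rport, state))
    return conns


def unexpected_sessions(conns, admin_port=REMOTE_CONTROL_PORT,
                        authorised=AUTHORISED_ADMIN_HOSTS):
    """Established sessions on the remote-control port from any host that is
    not an authorised administrator workstation: the first place to look."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED"
            and c.local_port == admin_port and c.remote_ip not in authorised]


def triage(text=SAMPLE_NETSTAT):
    """Return (connections parsed, [remote hosts to investigate])."""
    conns = parse_netstat(text)
    return len(conns), [c.remote_ip for c in unexpected_sessions(conns)]


if __name__ == "__main__":
    print(triage())    # (5, ['10.0.0.77'])
```

    The snapshot is volatile, so the IR plan should say to capture it (with the time and the machine name) before the PC is locked down or rebooted; that captured output is the record that points the forensic scan at the right remote host.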

    Start thinking about Incident Response plans!

    Ask the PI

    John Dierckx is on the case again. Check out his new blog posting at Ask the PI
    John never fails to amaze me with his knowledge and the detail he goes into.

    Stolen Equipment

    If your equipment has been stolen and returned to you, how do you know what activities may have gone on when the computer was in "enemy" hands? Did the opportunist get into the computer and then turn into an information broker by spotting some sensitive document that they may be able to sell to a competitor?
    Did they get access to a password list or a list of customer accounts? Computer Forensics may be able to give you answers to these questions, but not with 100% certainty. There will always be some doubt, but it can give you peace of mind.

    Forensics can tell for example:

    • What files were written to disk?

    • What programs were recently run?

    • What documents have recently been opened?

    • The most recently accessed documents?

    • If any emails were sent from the accounts?

    • What additional media may have been attached to the computer?

    Again, the results are not a 100% guarantee. Any firm who offers this service and provides you with a report that says "Your computer has not been compromised" may not fully understand the basic principles of Computer Forensics. The protection of laptops and the like can always be improved by following basic security procedures.

    Stolenz.co.nz

    Check out a great site. Stolenz.co.nz ---
    This is a site "where Kiwis advertise their stolen property online."
    This is a fantastic idea. Go get 'em!

    Wednesday, March 22, 2006

    CSI - Thanks!

    CSI on the telly has a lot to answer for. As an associate said to me the other day, it sets people into the mode that everything can be solved in an hour. The general public do not understand that an initial scoping of a simple PC from acquisition through to report may take between eight and fifteen hours. This does not even begin to prove intent. There could be another week's worth of work in that. This is when the person on the other end of the phone says, "I'll have my mate Trev look at it as he's done a computing course at the tech."
    Well, good luck to you, as you'll probably a) blow your case and b) increase the cost of e-Discovery due to your tinkering.

    The same can be said if you are a business. Do not have your IT staff perform an investigation. This is just plain legal suicide. You may as well just walk up to the PC or device and set it on fire. IT Staff are trained to do their job (a matter which is up for serious debate!) and not for investigative work.

    Saturday, March 18, 2006

    Password Recovery

    My wife likes to think of me as one of life's pessimists, but I look at myself as a realist and this helps when setting clients' expectations. I never like to say, "Sure, that can be done," unless I have done it thousands of times before. With technology, I am too long in the tooth not to know that things just don't work when you want them to and that certain jobs just may not be able to be accomplished.

    In terms of password recovery, for example, the password may be from an application from which it can be recovered instantly, and if that is the case, all well and good, but if it is not, then I will tell my client that there is a good chance that we may not be able to recover a password for a document, unless they are prepared to wait around for a possible one thousand and forty-eight years and, oh yes, eight days. I am not going to go into the mathematics, but on a standard fast PC, for a seven character random password, lock your computer in a cupboard with a good UPS and a few snacks and then check it again in many hundreds of years.

    When working with password recovery you have to be smarter to try and get around some of these passwords and reduce the search space. Joe Public is getting more and more aware that password protecting their data with "QWERTY" is not going to cut the mustard. A good forensic investigator has to profile and investigate the subject as much as he or she does the computer. This can pull up keywords that they may like: "Golf", "Countryclub", "Caddyshack", "Dumbledorf".....whatever. The password may be hidden somewhere on the drive in plain text. Who knows? It may be written down in their office, underlined in a manual, or stored in their Palm Pilot which is not password protected. Ali Baba got it right. He didn't try millions of iterations to get into the cave; he eavesdropped. Think laterally and be realistic.

    Thursday, March 16, 2006

    Log Reviewing

    Getting to the bottom of log files can be a daunting task. But don't fret, there is a tool that makes life easier and, believe it or not, it comes from the folks at Microsoft. Microsoft Log Parser, which can be downloaded from here or from the IIS Resource Kit, gives an administrator the ability to peruse logs using an SQL-like query. Results can then be sent to a spreadsheet in a specific format or to a graph. It even has the ability to query Windows Event logs. Very quickly an investigator can graph the number of bad logons, etc.

    Consider using this tool for:

    • Sendmail Logs

    • FTP Logs

    • IIS Logs

    • User Activity Tracking

    • Oracle Alert Log Scanning

    Rather than me re-invent the wheel, I will point you to an excellent Microsoft article on this subject here
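    As an added example of the "SQL over logs" idea, here is my own demonstration code (not from the original post or from Microsoft) that runs the kind of query you would give Log Parser, using Python's sqlite3 over a constructed set of Windows Security event records so that it works offline. Event ID 529 is the failed-logon event on Windows 2000/XP/2003-era Security logs; the timestamps, host names and account names are constructed for the demo.

```python
"""Added example (not from the original post): the Log Parser style of
query, run here with Python's sqlite3 over a constructed set of Windows
Security event records so it works offline. Event ID 529 is the failed
logon event on Windows 2000/XP/2003-era Security logs; the records, hosts
and account names are constructed for the demo."""
import sqlite3

# (TimeGenerated, EventID, ComputerName, Account) -- constructed sample
SAMPLE_EVENTS = [
    ("2006-03-16 08:02:11", 529, "WKS01", "jsmith"),
    ("2006-03-16 08:03:40", 529, "WKS01", "jsmith"),
    ("2006-03-16 08:04:02", 528, "WKS01", "jsmith"),
    ("2006-03-16 13:15:09", 529, "SRV02", "administrator"),
    ("2006-03-16 13:15:10", 529, "SRV02", "administrator"),
    ("2006-03-16 13:15:12", 529, "SRV02", "administrator"),
    ("2006-03-16 13:15:15", 529, "SRV02", "administrator"),
    ("2006-03-16 13:15:17", 529, "SRV02", "administrator"),
    ("2006-03-16 17:40:00", 528, "WKS03", "bjones"),
]

FAILED_LOGON = 529   # "Logon Failure" event ID on XP/2003-era Security logs


def load_events(events=SAMPLE_EVENTS):
    """Load the records into an in-memory table named like Log Parser's EVT input."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Security (TimeGenerated TEXT, EventID INTEGER, "
                "ComputerName TEXT, Account TEXT)")
    con.executemany("INSERT INTO Security VALUES (?, ?, ?, ?)", events)
    return con


def bad_logons_per_hour(con):
    """Hourly buckets of failed logons; strftime plays the role of Log
    Parser's QUANTIZE(TimeGenerated, 3600). The rows are ready to chart."""
    return con.execute(
        "SELECT strftime('%Y-%m-%d %H:00', TimeGenerated) AS Hour, COUNT(*) AS BadLogons "
        "FROM Security WHERE EventID = ? GROUP BY Hour ORDER BY Hour",
        (FAILED_LOGON,)).fetchall()


def accounts_over_threshold(con, threshold=3):
    """Accounts with at least `threshold` failed logons on one machine, most
    first: a quick way to spot a guessing run against a single account."""
    return con.execute(
        "SELECT Account, ComputerName, COUNT(*) AS Failures FROM Security "
        "WHERE EventID = ? GROUP BY Account, ComputerName "
        "HAVING COUNT(*) >= ? ORDER BY Failures DESC",
        (FAILED_LOGON, threshold)).fetchall()


if __name__ == "__main__":
    con = load_events()
    for hour, n in bad_logons_per_hour(con):
        print(hour, n)
    print(accounts_over_threshold(con))
```

    The two-failure burst at 08:00 is a user mistyping before a successful 528; the five failures in eight seconds against "administrator" on SRV02 is the row worth following up. With the real tool the same SELECT reads the live log directly: give it the EVT input format and query FROM Security instead of the constructed table.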

    Wednesday, March 15, 2006

    Data Leakage

    Data Leakage is when information makes its way out of your company and into the hands of an individual who may profit from it, or it could be information that may prove detrimental to the continued operation of your company. Companies spend a lot of money on firewalling to keep intruders from getting in, which is money well spent, but there has not been much thought on moving from perimeter security, towards stopping data getting out of your company.

    What sort of information can be leaked from within a company?

    • Intellectual Property

    • Address Books

    • Sales Forecasts

    • Spreadsheets

    • Staff Lists

    • Rosters

    • Passwords

    • Blueprints

    How can data make its way out of a company? There are many ways such as email, hidden data, USB keys, encrypted files and even good old pub gossip. Some of these can be prevented, whilst others are more difficult. Company policy should dictate how to close some of the technical holes such as email leakage. You may prevent emails being sent and received from the domain @competitor.co.nz or emails going out to webmail services. You may not allow encrypted traffic out of your network, for fear that it may contain hidden information.

    Even the uninitiated may try and get information out of a company. I heard first hand of someone locally who was made redundant and he tried to email the entire contents of his 40GB hard drive through the mail server and the only way the company found out was because their Exchange Server crashed.

    I had a bet on with an IT administrator that I could smuggle an agreed-upon file out of his network via email. He took the bet and I won. I will not tell you how it was done, but it was done. Third parties should review your company's firewall and mail filtering rules, as well as any web access levels and restrictions. Rules should be validated against security policies, if such things exist. For smaller companies it can be harder, with every man and his dog dialing out via an ISP account and a modem. Now, with the advent of Microsoft Small Business Server, it is slightly easier to control and filter activity using a central point.

    A company can buy all sorts of tools, but unless they have identified the risks, how can they put in place controls to mitigate said risks? We have worked with companies, helping them identify the risks and assisting their IT staff in putting controls in place.
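    The outbound-mail rules sketched under "Email Security" (encrypted content, in-house product names, launch dates, a blocked @competitor domain) and the webmail and encrypted-traffic blocks mentioned above are easy to state and easy to get wrong, so here is an added example of a small rule evaluator (my own demonstration code, not from the original post and not from any mail filtering product). The policy values, the product code names, the embargoed dates and every message in it are constructed for the demo; a real deployment takes them from the acceptable use policy and feeds the result to the mail filter.

```python
"""Added example (not from the original post): a small rule evaluator for
the outbound-mail policy sketched under "Email Security" and "Data
Leakage". The policy values (blocked and webmail domains, product code
names, embargoed dates) and every message are constructed for the demo."""
import hashlib
import math
import re
from collections import Counter

# Constructed policy. The page's own @competitor.com / @competitor.co.nz rule is here.
POLICY = {
    "blocked_domains": {"competitor.com", "competitor.co.nz"},
    "webmail_domains": {"hotmail.com", "gmail.com", "yahoo.com"},
    "codenames": {"Project Kea", "Tui-2"},
    "embargoed_dates": {"1 June 2006", "2006-06-01"},
    "entropy_threshold": 7.5,   # bits per byte; near 8 means encrypted or packed
    "entropy_min_size": 1024,   # ignore tiny attachments, entropy is noisy there
}

PGP_ARMOUR = re.compile(r"-----BEGIN PGP (MESSAGE|SIGNED MESSAGE)-----")


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def evaluate(msg, policy=POLICY):
    """Return the policy reasons an outbound message trips (empty = clean).
    msg: dict with to (list), subject, body, attachments [(name, bytes)]."""
    reasons = []
    for addr in msg["to"]:
        domain = addr.rpartition("@")[2].lower()
        if domain in policy["blocked_domains"]:
            reasons.append(f"blocked recipient domain: {domain}")
        elif domain in policy["webmail_domains"]:
            reasons.append(f"webmail recipient: {domain}")
    text = msg["subject"] + "\n" + msg["body"]
    if PGP_ARMOUR.search(text):
        reasons.append("encrypted content: PGP armour in body")
    for name in policy["codenames"]:
        if name.lower() in text.lower():
            reasons.append(f"in-house code name: {name}")
    for date in policy["embargoed_dates"]:
        if date in text:
            reasons.append(f"embargoed launch date: {date}")
    for name, data in msg.get("attachments", []):
        if (len(data) >= policy["entropy_min_size"]
                and shannon_entropy(data) > policy["entropy_threshold"]):
            reasons.append(f"encrypted or packed attachment: {name}")
    return reasons


def _pseudo_random(n):
    """Deterministic high-entropy bytes standing in for an encrypted attachment."""
    out, seed = b"", b"constructed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


# Constructed outbound messages, one per rule plus a clean one.
SAMPLE_MESSAGES = {
    "clean": {"to": ["bob@customer.example"], "subject": "Invoice 1042",
              "body": "Thanks for the order, invoice attached.",
              "attachments": [("invoice.txt", b"Invoice 1042 total 250.00\n" * 60)]},
    "competitor": {"to": ["jane@competitor.co.nz"], "subject": "catch up",
                   "body": "Coffee next week?"},
    "pgp_to_webmail": {"to": ["me@hotmail.com"], "subject": "fwd",
                       "body": "-----BEGIN PGP MESSAGE-----\nhQEMA...\n-----END PGP MESSAGE-----"},
    "codename_and_date": {"to": ["ally@partner.example"], "subject": "heads up",
                          "body": "Project Kea goes live 1 June 2006, keep it quiet."},
    "packed": {"to": ["x@partner.example"], "subject": "files", "body": "see attached",
               "attachments": [("data.bin", _pseudo_random(4096))]},
}


def evaluate_samples(messages=SAMPLE_MESSAGES):
    """Evaluate each constructed message; returns {name: reasons}."""
    return {name: evaluate(m) for name, m in messages.items()}


if __name__ == "__main__":
    for name, reasons in evaluate_samples().items():
        print(f"{name:18} {reasons or 'clean'}")
```

    The entropy rule is the only one that needs tuning: it cannot tell an encrypted file from a zip or a JPEG, so in practice you whitelist known compressed types or treat the hit as "park for review" rather than "block". That is also why the post insists on regular false-positive testing once the rules are live.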

    Data can often be obtained from databases with minimal security. I cannot tell you how many Oracle installs I have seen with default logins and passwords. This comes from developers who do not understand the database and IT administrators who understand it even less. In JD Edwards installs, for example, all of the rights on newly created objects get granted to Oracle's PUBLIC. This is fine until a back-end reporting user requires access to all tables apart from payroll. Good luck! A simple ODBC connection is enough to start sucking out data. Data can also be modified. How do you know that Flossy has not been altering her pay data? You don't. Simple strategies such as database auditing and transaction monitoring may help.

    "To grasp the scope of a problem, a recent study by the Ponemon Institute looked at 163 Fortune 1,000 companies. The study revealed that 75 percent of them reported a security breach in the prior 12 months. The leaks may have involved personal information about customers, personal information about employees, involved confidential business information, and intellectual property, including software source code." - Lynn Haber - Datamation

    In the U.S. organizations are being forced to comply with mandates such as Sarbanes-Oxley, HIPAA and the Patriot Act, and it is about time that some of these measures were enforced on New Zealand businesses. The thing that scares me about this is that there will be an influx of auditors, the likes of the Big Five, who seem to be able to audit anything that comes on the scene. I wonder if they have auditors for the Bird Flu? "Turn your head and cough please."



    Pushing the bounds...

    Here at Digital Investigations we pride ourselves on pushing the envelope. I get a little annoyed when I see advertisements for Private Investigators who claim to offer a computer forensics service. After a little time on the newsgroups you will see such companies popping up, asking the dumbest of questions, ones that a first year computer student should be able to answer, let alone an investigator.

    We partner with investigative companies such as John Dierckx & Associates to bolster our offerings and support us in our investigations. John himself has a superb forensic and investigation background.

    I am a little concerned about all of the forensic certifications starting to crop up nowadays, especially when I don't have one :-) If you look at the course material in some of these courses, they offer the pure basics, and there is no substitute for experience. You end up with investigators who rely on computer tools, rather than experience, to obtain the information for them, and they do not think outside of the square.

    Many investigators are also limited to analyzing only the operating systems or file systems that their tool supports. Would they be able to analyze and investigate possible issues on some of the following?

    • Enterprise class firewalls
    • Cisco switches and routers
    • Proxy servers
    • Content filters
    • Network traffic patterns
    • Unix servers
    • Enterprise databases such as Oracle or SQL Server


    You should also check the investigator's background out. What sort of technical background have they got? Do they have legal support? Make sure that they also have a clean background too. If you had an investigator represent you that has been prosecuted for fraud, would you hire them? I certainly wouldn't as they could only take the case so far and be discredited when it came to legal proceedings.


    Key Loggers and other nefarious activities...

    More than once we have been asked by a vindictive spouse to put some "spyware" onto their estranged husband's computer so that they can see what banking or social activities he is up to. The general public are starting to have an understanding of what keystroke loggers are. They ask us whether we can do this. This again comes down to who owns the machine. Most of the time the person to be kept tabs on is remote and we are asked, "Isn't there something you can deliver by email that will let me know what he is doing?"

    Well, yes there is, but um, in New Zealand this activity is ILLEGAL. Which in most legal parlance means that you cannot do it. Now, legalities aside, let's talk technical. Yes, payloads can be delivered via email and there are construction kits out there that will allow you to deliver such payloads. These can be downloaded via the internet and if you are foolish, you will use a credit card to pay for them.

    That aside, these tools advertise that they cannot be detected by anti-spyware or anti-virus programs. Well, my way of thinking is that if a certain company advertises the "most popular" tool out there on the internet, then surely it can be detected by a detector. You also have to get the person to open the email, and unless the person is dumber than a bag of hammers, chances are that this email will just get trashed.

    I was bored one day and had watched my fill of daily soaps, so I set up a clean machine with Windows XP and the newest AVG Antivirus software with the latest updates on it. I downloaded three of these tools (which I will not name). Two of them were picked up straight away on installation, let alone running. The second was picked up after installation. The remote payload feature failed to work, so that was a waste of time.

    We have also been asked to "hack" into "my husband's webmail account". Again, in New Zealand this is ILLEGAL, which to everyone except Martha Stewart and Robert Blake means you cannot do it. Legalities aside, yet again, let's look at the feasibility. It may be feasible to break a webmail password, but it is more than likely not practical. Consider a dictionary-based attack of 70,000 words. If your cracker took 1 second to generate a guess, try it and wait for a response from the POP3 server, then you'd be waiting for almost a day to go through the dictionary. Also, if the ISP is worth their salt, then they'd be logging every unsuccessful attempt and may lock the account after so many attempts. Chances are you'd be traced if you were not crafty.

    We would rather turn away business than get into some nefarious activity. It simply is not worth it!!! Now, if you own the machine, or you are a company wishing to keep track of an employee's activities, that is another gray area, which hopefully I'll have time to blog about on another occasion.

    Reducing Fraud

    Consider that 50% of a company's expenditure may go into staffing costs. Think also that these staff may have access to confidential documents, files, emails, payroll, etc. Wouldn't you like to hire staff that at least appeared trustworthy at the outset? I would like to talk about IT staff. These are the people who have access to everything, especially in a smaller organization. That said, I have seen systems where databases had completely open payroll tables, and any man and his dog could query them using default accounts; if you found a dog who knew SQL, then it could quite possibly do it.

    Even in a larger organization with multiple levels of administrators, there will always be someone with access to data. All IT staff I have ever hired, I have run through a background check. Now, this does not tell me if the person is honest or not, but at least I have hired someone with a clean background. I do not want to hire someone to work for me who has a fraud conviction or has done time for child molestation. Call me biased.

    It is not only payroll tinkering that the malicious user can get involved in, but consider:

    • Bribery
    • Asset Misappropriation
    • Software Piracy
    • Pornography
    • Espionage
    • Crime

    Going back to what I said in an earlier blog, policies and procedures are needed BUT this may not be enough to deter the user from committing fraud.

    These background checks can be done simply, or can involve some detail. In New Zealand, the permission of the person has to be obtained to check into their background, but if they refuse... don't hire them.

    Gartner states a figure which I now have completely forgotten that the majority of fraud comes from within the organization. Sarbanes-Oxley Section 404 has gone a long way to putting internal controls in place and holding the CEO and CFO responsible for the financial reports. Sarbanes is making its way into New Zealand companies, and having consulted for some American owned companies in New Zealand, it leads to some formality within the IT process, such as Change Controls and multiple approvers. Again, it is not the be-all and end-all, but it is a start.

    To prevent or reduce fraud your organization needs to be proactive in its approach. Here are some ideas on how you can be proactive:

    • Regular Security Audits
    • Point of Sale Audits
    • Background Checks
    • Log Reviews
    • Forensic Workstation Analysis
    • Auditing prior to large sales
    • User Education about Internet SCAMS

    Blocking Traffic & Monitoring Traffic

    It is time to start getting smart about blocking child pornography sites from being accessed from within your business. How can these be identified? Are they not up for only periods of time and then taken down again? What are the URLs to block? One of the reasons that you should start blocking and monitoring would be legal reasons among others. If this media were to be found on computers in your office, then this could and probably would reach the press.

    Consider a business that deals with selling widgets within New Zealand and nowhere else. Why do they need to give their employees free rein on the Internet? Let's look at this at a higher level. Consider that the majority of the child exploitation sites are coming out of Russia. Why not just block anything with a Russian domain initially, or the IP addresses of major Russian ISPs?

    People will find holes in these thoughts. They are food for thought rather than technical be-all and end-alls. I realize that extensions can be renamed, information hiding can be utilized, etc, etc. You have to start somewhere, and if you start at a high level with a security plan and work from that high level down to the nitty gritty, then you won't tangle yourself up so much. In my experience, many companies do not have an IT policy, let alone a security plan. You may consider any kind of pornography downloaded a dismissible offence, but if the employee has downloaded pornography that is readily available over the counter, you have an uphill battle. An IT Security Policy should cover illegal material, copyright violations and pornography (which you will need to define; check with the Department of Internal Affairs for more information), and the employee should sign off the fact that he or she has read and agreed to such a policy.

    When defining what to block, agree that the business, for example, can indeed function without having web or FTP access to Russian sites. This may help stop some of this filth from filtering into your business. It is a start!!! You are possibly going to have smart cookies in your organization who can circumvent this, but if an incident occurs you can show that you have gone a considerable way to help protect your organization from receiving such material, and that they had to work to get around these measures.

    If you have a proxy server, then start monitoring the logs on a daily and weekly basis. Consider a proxy server which can report on destination browsed, bandwidth used, etc. Ask yourself who really needs access to be able to download *.JPG or similar files and create business rules to support these security policies. Start reviewing your logs and you'll be surprised what you see. Start blocking based on what you are seeing in the logs. The Internet is a great tool, but it is amazing how much business time can be wasted on it.
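    The log review described above, together with the blocked-destination idea from the earlier paragraphs, as an added Python example that is not Digital Investigations' own tooling: it parses Squid native access.log lines (constructed here), totals bytes by client and by destination, flags image downloads by content type or extension, and reports hits on an assumed blocked-TLD list.

```python
"""Daily proxy-log review as the post suggests: bandwidth by client and destination,
image downloads, and hits on a blocked-TLD list. Added example, not Digital
Investigations' tooling; the log lines are constructed in Squid native format."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample. Field order: time elapsed client code/status bytes method url ident hier/peer type
SAMPLE_LOG = """\
1141900000.123 512 192.168.1.10 TCP_MISS/200 34012 GET http://www.example.co.nz/index.html - DIRECT/203.0.113.5 text/html
1141900010.456 1200 192.168.1.10 TCP_MISS/200 845210 GET http://images.example.com/photo1.jpg - DIRECT/203.0.113.9 image/jpeg
1141900020.789 300 192.168.1.22 TCP_MISS/200 1523 GET http://files.example.ru/download.php?id=7 - DIRECT/198.51.100.7 text/html
1141900030.001 900 192.168.1.22 TCP_MISS/200 2310045 GET http://files.example.ru/archive.zip - DIRECT/198.51.100.7 application/zip
1141900040.555 100 192.168.1.10 TCP_DENIED/403 1200 GET http://intranet.example.co.nz/payroll.xls - NONE/- text/html
"""

BLOCKED_TLDS = {"ru"}  # assumed policy from the post: no web or FTP access to Russian domains
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")

def parse_line(line):
    """Return a dict for one Squid native log line, or None if the line is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"ts": float(f[0]), "client": f[2], "status": f[3], "bytes": int(f[4]),
            "method": f[5], "url": f[6], "ctype": f[9]}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_blocked(url):
    """True when the destination's top-level domain is on the block list (any scheme)."""
    return host_of(url).rsplit(".", 1)[-1] in BLOCKED_TLDS

def is_image(rec):
    """Check the served content type first, so a renamed image file is still caught."""
    path = urlsplit(rec["url"]).path.lower()
    return rec["ctype"].startswith("image/") or path.endswith(IMAGE_EXTS)

def review(log_text):
    """Aggregate one day's log into the figures a reviewer would look at first."""
    by_client, by_dest = defaultdict(int), defaultdict(int)
    images, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_client[rec["client"]] += rec["bytes"]
        by_dest[host_of(rec["url"])] += rec["bytes"]
        if is_image(rec):
            images.append((rec["client"], rec["url"], rec["bytes"]))
        if is_blocked(rec["url"]):
            blocked.append((rec["client"], rec["url"], rec["status"]))
    return {"bytes_by_client": dict(by_client), "bytes_by_dest": dict(by_dest),
            "image_downloads": images, "blocked_tld_hits": blocked}
```

    Sort the two byte dictionaries by value to get the "who used the bandwidth" and "where did it go" tables; the blocked-TLD hits that still show a 200 status are the ones worth reading first.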

    Just some thoughts.....

    Tuesday, March 14, 2006

    Who owns the Data?

    In New Zealand, if the data is on a company owned computer, then the company has the right to check this data or scan it any time they want to. In the case of spouse vs spouse, we have had a scorned wife wanting access to the husband's laptop. They were going through a divorce and the laptop was owned under his company's name. As an investigation company, the only advice we can pass on is that we cannot analyze that computer unless it is legally obtained via a court order.

    If a company owns a computer, then it is okay for them to scan the computer whenever they need to. This raises the question: when should they scan? Consider an employee who is about to be dismissed. The company may wish to call us in to image the laptop in a forensically sound manner and find out what the employee knows and does not know. Who were they emailing? What web pages were they viewing? What files have been deleted? The company may also wish to consider doing this after a dismissal.

    We offer a quick scan package where we image the hard drive and scan for ten keywords. Consider that you suspect an employee of leaking data to a newspaper. You may wish to scan for any emails to @newspaper.co.nz or to the reporter, or maybe even key phrases that appear in the article. With this service you can determine if a further investigation is required. With a few terms and conditions, this service is offered at a fixed price.

    What is on your computer?

    During the course of many investigations we have found all sorts of things on hard drives, and you may be interested to know why. Formatting a disk does not erase its contents; it only reinitializes the FAT or Master File Table, and the data can still be retrieved. Also, FDISK only removes partition information, which we can get back. Consider this when you donate your computer to a school auction or charity: information may still be present, even if you have deleted the file or email first.

    We were asked once to track an ex-husband's activity on a computer. He suspected that his wife could read his email, so he switched to webmail. We were able to reconstruct his activities through webmail artifacts, proving times and dates of sordid meetings, stock transfers and financial misappropriations. He thought he had covered his trail.

    At this stage I should also mention that you should not conduct your own investigation. Doing so can contaminate time and date stamps that we may need to prove a timeline. If the case is to go in front of a court, special procedures need to be followed otherwise you may as well kiss your evidence goodbye.

    We have had members of the public approach us with DVDs with pornography on them and ask us what we can do with this. All we may be able to do is trace the source by hashing these images, but legally we cannot do much to progress the matter. The images may be enough to get the culprit to put their hands up, but if they deny it and you no longer have access to the machine, then these images are not worth much.


    Digital Investigations - Introduction

    Welcome to the first entry in this blog. I formed Digital Investigations (www.digitalinvestigations.co.nz) a year ago to give some structure to my fight against child exploitation. In the US I had been involved in such cases, as well as dismissals, hacking, email fraud and sabotage. It wasn't until the primary school principal from the school my daughter was about to go to the following year was arrested and dismissed from his station for downloading and viewing child pornography that I decided to formally do something about this scourge.

    Digital Investigations has since teamed with other New Zealand specialists, who just happen to reside in Christchurch, NZ. John Dierckx who runs John Dierckx and Associates and who runs "Ask the Private Investigator" http://nzpi.blogspot.com is one of New Zealand's foremost investigators. His page is http://www.dierckx.co.nz. I am proud to have a great working relationship with John.

    Corporate Risks (SI), Ltd which is run by Pat Coady, provides great support to us. Pat is ex-police and is a well respected investigator. Along with this, Barry Brailey from England, now residing in Christchurch brings to this unique mix a strong military security & intelligence background. We are indeed a resource pool that until now has been unseen in New Zealand.

    This blog has been set up to let people know of any situations that we may have encountered, some things to keep your eyes out for, maybe some scams that are going about.

    Second Post

    Initial Post

    Welcome to this blog...